1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is 9.\" incompatible with the protocol description in the RFC file, it must be 10.\" called by a name other than "ssh" or "Secure Shell". 11.\" 12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 15.\" 16.\" Redistribution and use in source and binary forms, with or without 17.\" modification, are permitted provided that the following conditions 18.\" are met: 19.\" 1. Redistributions of source code must retain the above copyright 20.\" notice, this list of conditions and the following disclaimer. 21.\" 2. Redistributions in binary form must reproduce the above copyright 22.\" notice, this list of conditions and the following disclaimer in the 23.\" documentation and/or other materials provided with the distribution. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" 36.\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $ 37.\" $FreeBSD$ 38.Dd December 7, 2013 39.Dt SSHD 8 40.Os 41.Sh NAME 42.Nm sshd 43.Nd OpenSSH SSH daemon 44.Sh SYNOPSIS 45.Nm sshd 46.Bk -words 47.Op Fl 46DdeiqTt 48.Op Fl b Ar bits 49.Op Fl C Ar connection_spec 50.Op Fl c Ar host_certificate_file 51.Op Fl E Ar log_file 52.Op Fl f Ar config_file 53.Op Fl g Ar login_grace_time 54.Op Fl h Ar host_key_file 55.Op Fl k Ar key_gen_time 56.Op Fl o Ar option 57.Op Fl p Ar port 58.Op Fl u Ar len 59.Ek 60.Sh DESCRIPTION 61.Nm 62(OpenSSH Daemon) is the daemon program for 63.Xr ssh 1 . 64Together these programs replace 65.Xr rlogin 1 66and 67.Xr rsh 1 , 68and provide secure encrypted communications between two untrusted hosts 69over an insecure network. 70.Pp 71.Nm 72listens for connections from clients. 73It is normally started at boot from 74.Pa /etc/rc.d/sshd . 75It forks a new 76daemon for each incoming connection. 77The forked daemons handle 78key exchange, encryption, authentication, command execution, 79and data exchange. 80.Pp 81.Nm 82can be configured using command-line options or a configuration file 83(by default 84.Xr sshd_config 5 ) ; 85command-line options override values specified in the 86configuration file. 87.Nm 88rereads its configuration file when it receives a hangup signal, 89.Dv SIGHUP , 90by executing itself with the name and options it was started with, e.g.\& 91.Pa /usr/sbin/sshd . 92.Pp 93The options are as follows: 94.Bl -tag -width Ds 95.It Fl 4 96Forces 97.Nm 98to use IPv4 addresses only. 99.It Fl 6 100Forces 101.Nm 102to use IPv6 addresses only. 103.It Fl b Ar bits 104Specifies the number of bits in the ephemeral protocol version 1 105server key (default 1024). 106.It Fl C Ar connection_spec 107Specify the connection parameters to use for the 108.Fl T 109extended test mode. 110If provided, any 111.Cm Match 112directives in the configuration file 113that would apply to the specified user, host, and address will be set before 114the configuration is written to standard output. 115The connection parameters are supplied as keyword=value pairs. 116The keywords are 117.Dq user , 118.Dq host , 119.Dq laddr , 120.Dq lport , 121and 122.Dq addr . 123All are required and may be supplied in any order, either with multiple 124.Fl C 125options or as a comma-separated list. 126.It Fl c Ar host_certificate_file 127Specifies a path to a certificate file to identify 128.Nm 129during key exchange. 130The certificate file must match a host key file specified using the 131.Fl h 132option or the 133.Cm HostKey 134configuration directive. 135.It Fl D 136When this option is specified, 137.Nm 138will not detach and does not become a daemon. 139This allows easy monitoring of 140.Nm sshd . 141.It Fl d 142Debug mode. 143The server sends verbose debug output to standard error, 144and does not put itself in the background. 145The server also will not fork and will only process one connection. 146This option is only intended for debugging for the server. 147Multiple 148.Fl d 149options increase the debugging level. 150Maximum is 3. 151.It Fl E Ar log_file 152Append debug logs to 153.Ar log_file 154instead of the system log. 155.It Fl e 156Write debug logs to standard error instead of the system log. 157.It Fl f Ar config_file 158Specifies the name of the configuration file. 159The default is 160.Pa /etc/ssh/sshd_config . 161.Nm 162refuses to start if there is no configuration file. 163.It Fl g Ar login_grace_time 164Gives the grace time for clients to authenticate themselves (default 165120 seconds). 166If the client fails to authenticate the user within 167this many seconds, the server disconnects and exits. 168A value of zero indicates no limit. 169.It Fl h Ar host_key_file 170Specifies a file from which a host key is read. 171This option must be given if 172.Nm 173is not run as root (as the normal 174host key files are normally not readable by anyone but root). 175The default is 176.Pa /etc/ssh/ssh_host_key 177for protocol version 1, and 178.Pa /etc/ssh/ssh_host_dsa_key , 179.Pa /etc/ssh/ssh_host_ecdsa_key . 180.Pa /etc/ssh/ssh_host_ed25519_key 181and 182.Pa /etc/ssh/ssh_host_rsa_key 183for protocol version 2. 184It is possible to have multiple host key files for 185the different protocol versions and host key algorithms. 186.It Fl i 187Specifies that 188.Nm 189is being run from 190.Xr inetd 8 . 191.Nm 192is normally not run 193from inetd because it needs to generate the server key before it can 194respond to the client, and this may take tens of seconds. 195Clients would have to wait too long if the key was regenerated every time. 196However, with small key sizes (e.g. 512) using 197.Nm 198from inetd may 199be feasible. 200.It Fl k Ar key_gen_time 201Specifies how often the ephemeral protocol version 1 server key is 202regenerated (default 3600 seconds, or one hour). 203The motivation for regenerating the key fairly 204often is that the key is not stored anywhere, and after about an hour 205it becomes impossible to recover the key for decrypting intercepted 206communications even if the machine is cracked into or physically 207seized. 208A value of zero indicates that the key will never be regenerated. 209.It Fl o Ar option 210Can be used to give options in the format used in the configuration file. 211This is useful for specifying options for which there is no separate 212command-line flag. 213For full details of the options, and their values, see 214.Xr sshd_config 5 . 215.It Fl p Ar port 216Specifies the port on which the server listens for connections 217(default 22). 218Multiple port options are permitted. 219Ports specified in the configuration file with the 220.Cm Port 221option are ignored when a command-line port is specified. 222Ports specified using the 223.Cm ListenAddress 224option override command-line ports. 225.It Fl q 226Quiet mode. 227Nothing is sent to the system log. 228Normally the beginning, 229authentication, and termination of each connection is logged. 230.It Fl T 231Extended test mode. 232Check the validity of the configuration file, output the effective configuration 233to stdout and then exit. 234Optionally, 235.Cm Match 236rules may be applied by specifying the connection parameters using one or more 237.Fl C 238options. 239.It Fl t 240Test mode. 241Only check the validity of the configuration file and sanity of the keys. 242This is useful for updating 243.Nm 244reliably as configuration options may change. 245.It Fl u Ar len 246This option is used to specify the size of the field 247in the 248.Li utmp 249structure that holds the remote host name. 250If the resolved host name is longer than 251.Ar len , 252the dotted decimal value will be used instead. 253This allows hosts with very long host names that 254overflow this field to still be uniquely identified. 255Specifying 256.Fl u0 257indicates that only dotted decimal addresses 258should be put into the 259.Pa utmp 260file. 261.Fl u0 262may also be used to prevent 263.Nm 264from making DNS requests unless the authentication 265mechanism or configuration requires it. 266Authentication mechanisms that may require DNS include 267.Cm RhostsRSAAuthentication , 268.Cm HostbasedAuthentication , 269and using a 270.Cm from="pattern-list" 271option in a key file. 272Configuration options that require DNS include using a 273USER@HOST pattern in 274.Cm AllowUsers 275or 276.Cm DenyUsers . 277.El 278.Sh AUTHENTICATION 279The OpenSSH SSH daemon supports SSH protocols 1 and 2. 280The default is to use protocol 2 only, 281though this can be changed via the 282.Cm Protocol 283option in 284.Xr sshd_config 5 . 285Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys; 286protocol 1 only supports RSA keys. 287For both protocols, 288each host has a host-specific key, 289normally 2048 bits, 290used to identify the host. 291.Pp 292Forward security for protocol 1 is provided through 293an additional server key, 294normally 768 bits, 295generated when the server starts. 296This key is normally regenerated every hour if it has been used, and 297is never stored on disk. 298Whenever a client connects, the daemon responds with its public 299host and server keys. 300The client compares the 301RSA host key against its own database to verify that it has not changed. 302The client then generates a 256-bit random number. 303It encrypts this 304random number using both the host key and the server key, and sends 305the encrypted number to the server. 306Both sides then use this 307random number as a session key which is used to encrypt all further 308communications in the session. 309The rest of the session is encrypted 310using a conventional cipher, currently Blowfish or 3DES, with 3DES 311being used by default. 312The client selects the encryption algorithm 313to use from those offered by the server. 314.Pp 315For protocol 2, 316forward security is provided through a Diffie-Hellman key agreement. 317This key agreement results in a shared session key. 318The rest of the session is encrypted using a symmetric cipher, currently 319128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. 320The client selects the encryption algorithm 321to use from those offered by the server. 322Additionally, session integrity is provided 323through a cryptographic message authentication code 324(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160, 325hmac-sha2-256 or hmac-sha2-512). 326.Pp 327Finally, the server and the client enter an authentication dialog. 328The client tries to authenticate itself using 329host-based authentication, 330public key authentication, 331challenge-response authentication, 332or password authentication. 333.Pp 334Regardless of the authentication type, the account is checked to 335ensure that it is accessible. An account is not accessible if it is 336locked, listed in 337.Cm DenyUsers 338or its group is listed in 339.Cm DenyGroups 340\&. The definition of a locked account is system dependant. Some platforms 341have their own account database (eg AIX) and some modify the passwd field ( 342.Ql \&*LK\&* 343on Solaris and UnixWare, 344.Ql \&* 345on HP-UX, containing 346.Ql Nologin 347on Tru64, 348a leading 349.Ql \&*LOCKED\&* 350on FreeBSD and a leading 351.Ql \&! 352on most Linuxes). 353If there is a requirement to disable password authentication 354for the account while allowing still public-key, then the passwd field 355should be set to something other than these values (eg 356.Ql NP 357or 358.Ql \&*NP\&* 359). 360.Pp 361If the client successfully authenticates itself, a dialog for 362preparing the session is entered. 363At this time the client may request 364things like allocating a pseudo-tty, forwarding X11 connections, 365forwarding TCP connections, or forwarding the authentication agent 366connection over the secure channel. 367.Pp 368After this, the client either requests a shell or execution of a command. 369The sides then enter session mode. 370In this mode, either side may send 371data at any time, and such data is forwarded to/from the shell or 372command on the server side, and the user terminal in the client side. 373.Pp 374When the user program terminates and all forwarded X11 and other 375connections have been closed, the server sends command exit status to 376the client, and both sides exit. 377.Sh LOGIN PROCESS 378When a user successfully logs in, 379.Nm 380does the following: 381.Bl -enum -offset indent 382.It 383If the login is on a tty, and no command has been specified, 384prints last login time and 385.Pa /etc/motd 386(unless prevented in the configuration file or by 387.Pa ~/.hushlogin ; 388see the 389.Sx FILES 390section). 391.It 392If the login is on a tty, records login time. 393.It 394Checks 395.Pa /etc/nologin and 396.Pa /var/run/nologin ; 397if one exists, it prints the contents and quits 398(unless root). 399.It 400Changes to run with normal user privileges. 401.It 402Sets up basic environment. 403.It 404Reads the file 405.Pa ~/.ssh/environment , 406if it exists, and users are allowed to change their environment. 407See the 408.Cm PermitUserEnvironment 409option in 410.Xr sshd_config 5 . 411.It 412Changes to user's home directory. 413.It 414If 415.Pa ~/.ssh/rc 416exists, runs it; else if 417.Pa /etc/ssh/sshrc 418exists, runs 419it; otherwise runs 420.Xr xauth 1 . 421The 422.Dq rc 423files are given the X11 424authentication protocol and cookie in standard input. 425See 426.Sx SSHRC , 427below. 428.It 429Runs user's shell or command. 430.El 431.Sh SSHRC 432If the file 433.Pa ~/.ssh/rc 434exists, 435.Xr sh 1 436runs it after reading the 437environment files but before starting the user's shell or command. 438It must not produce any output on stdout; stderr must be used 439instead. 440If X11 forwarding is in use, it will receive the "proto cookie" pair in 441its standard input (and 442.Ev DISPLAY 443in its environment). 444The script must call 445.Xr xauth 1 446because 447.Nm 448will not run xauth automatically to add X11 cookies. 449.Pp 450The primary purpose of this file is to run any initialization routines 451which may be needed before the user's home directory becomes 452accessible; AFS is a particular example of such an environment. 453.Pp 454This file will probably contain some initialization code followed by 455something similar to: 456.Bd -literal -offset 3n 457if read proto cookie && [ -n "$DISPLAY" ]; then 458 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then 459 # X11UseLocalhost=yes 460 echo add unix:`echo $DISPLAY | 461 cut -c11-` $proto $cookie 462 else 463 # X11UseLocalhost=no 464 echo add $DISPLAY $proto $cookie 465 fi | xauth -q - 466fi 467.Ed 468.Pp 469If this file does not exist, 470.Pa /etc/ssh/sshrc 471is run, and if that 472does not exist either, xauth is used to add the cookie. 473.Sh AUTHORIZED_KEYS FILE FORMAT 474.Cm AuthorizedKeysFile 475specifies the files containing public keys for 476public key authentication; 477if none is specified, the default is 478.Pa ~/.ssh/authorized_keys 479and 480.Pa ~/.ssh/authorized_keys2 . 481Each line of the file contains one 482key (empty lines and lines starting with a 483.Ql # 484are ignored as 485comments). 486Protocol 1 public keys consist of the following space-separated fields: 487options, bits, exponent, modulus, comment. 488Protocol 2 public key consist of: 489options, keytype, base64-encoded key, comment. 490The options field is optional; 491its presence is determined by whether the line starts 492with a number or not (the options field never starts with a number). 493The bits, exponent, modulus, and comment fields give the RSA key for 494protocol version 1; the 495comment field is not used for anything (but may be convenient for the 496user to identify the key). 497For protocol version 2 the keytype is 498.Dq ecdsa-sha2-nistp256 , 499.Dq ecdsa-sha2-nistp384 , 500.Dq ecdsa-sha2-nistp521 , 501.Dq ssh-ed25519 , 502.Dq ssh-dss 503or 504.Dq ssh-rsa . 505.Pp 506Note that lines in this file are usually several hundred bytes long 507(because of the size of the public key encoding) up to a limit of 5088 kilobytes, which permits DSA keys up to 8 kilobits and RSA 509keys up to 16 kilobits. 510You don't want to type them in; instead, copy the 511.Pa identity.pub , 512.Pa id_dsa.pub , 513.Pa id_ecdsa.pub , 514.Pa id_ed25519.pub , 515or the 516.Pa id_rsa.pub 517file and edit it. 518.Pp 519.Nm 520enforces a minimum RSA key modulus size for protocol 1 521and protocol 2 keys of 768 bits. 522.Pp 523The options (if present) consist of comma-separated option 524specifications. 525No spaces are permitted, except within double quotes. 526The following option specifications are supported (note 527that option keywords are case-insensitive): 528.Bl -tag -width Ds 529.It Cm cert-authority 530Specifies that the listed key is a certification authority (CA) that is 531trusted to validate signed certificates for user authentication. 532.Pp 533Certificates may encode access restrictions similar to these key options. 534If both certificate restrictions and key options are present, the most 535restrictive union of the two is applied. 536.It Cm command="command" 537Specifies that the command is executed whenever this key is used for 538authentication. 539The command supplied by the user (if any) is ignored. 540The command is run on a pty if the client requests a pty; 541otherwise it is run without a tty. 542If an 8-bit clean channel is required, 543one must not request a pty or should specify 544.Cm no-pty . 545A quote may be included in the command by quoting it with a backslash. 546This option might be useful 547to restrict certain public keys to perform just a specific operation. 548An example might be a key that permits remote backups but nothing else. 549Note that the client may specify TCP and/or X11 550forwarding unless they are explicitly prohibited. 551The command originally supplied by the client is available in the 552.Ev SSH_ORIGINAL_COMMAND 553environment variable. 554Note that this option applies to shell, command or subsystem execution. 555Also note that this command may be superseded by either a 556.Xr sshd_config 5 557.Cm ForceCommand 558directive or a command embedded in a certificate. 559.It Cm environment="NAME=value" 560Specifies that the string is to be added to the environment when 561logging in using this key. 562Environment variables set this way 563override other default environment values. 564Multiple options of this type are permitted. 565Environment processing is disabled by default and is 566controlled via the 567.Cm PermitUserEnvironment 568option. 569This option is automatically disabled if 570.Cm UseLogin 571is enabled. 572.It Cm from="pattern-list" 573Specifies that in addition to public key authentication, either the canonical 574name of the remote host or its IP address must be present in the 575comma-separated list of patterns. 576See PATTERNS in 577.Xr ssh_config 5 578for more information on patterns. 579.Pp 580In addition to the wildcard matching that may be applied to hostnames or 581addresses, a 582.Cm from 583stanza may match IP addresses using CIDR address/masklen notation. 584.Pp 585The purpose of this option is to optionally increase security: public key 586authentication by itself does not trust the network or name servers or 587anything (but the key); however, if somebody somehow steals the key, the key 588permits an intruder to log in from anywhere in the world. 589This additional option makes using a stolen key more difficult (name 590servers and/or routers would have to be compromised in addition to 591just the key). 592.It Cm no-agent-forwarding 593Forbids authentication agent forwarding when this key is used for 594authentication. 595.It Cm no-port-forwarding 596Forbids TCP forwarding when this key is used for authentication. 597Any port forward requests by the client will return an error. 598This might be used, e.g. in connection with the 599.Cm command 600option. 601.It Cm no-pty 602Prevents tty allocation (a request to allocate a pty will fail). 603.It Cm no-user-rc 604Disables execution of 605.Pa ~/.ssh/rc . 606.It Cm no-X11-forwarding 607Forbids X11 forwarding when this key is used for authentication. 608Any X11 forward requests by the client will return an error. 609.It Cm permitopen="host:port" 610Limit local 611.Li ``ssh -L'' 612port forwarding such that it may only connect to the specified host and 613port. 614IPv6 addresses can be specified by enclosing the address in square brackets. 615Multiple 616.Cm permitopen 617options may be applied separated by commas. 618No pattern matching is performed on the specified hostnames, 619they must be literal domains or addresses. 620A port specification of 621.Cm * 622matches any port. 623.It Cm principals="principals" 624On a 625.Cm cert-authority 626line, specifies allowed principals for certificate authentication as a 627comma-separated list. 628At least one name from the list must appear in the certificate's 629list of principals for the certificate to be accepted. 630This option is ignored for keys that are not marked as trusted certificate 631signers using the 632.Cm cert-authority 633option. 634.It Cm tunnel="n" 635Force a 636.Xr tun 4 637device on the server. 638Without this option, the next available device will be used if 639the client requests a tunnel. 640.El 641.Pp 642An example authorized_keys file: 643.Bd -literal -offset 3n 644# Comments allowed at start of line 645ssh-rsa AAAAB3Nza...LiPk== user@example.net 646from="*.sales.example.net,!pc.sales.example.net" ssh-rsa 647AAAAB2...19Q== john@example.net 648command="dump /home",no-pty,no-port-forwarding ssh-dss 649AAAAC3...51R== example.net 650permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss 651AAAAB5...21S== 652tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== 653jane@example.net 654.Ed 655.Sh SSH_KNOWN_HOSTS FILE FORMAT 656The 657.Pa /etc/ssh/ssh_known_hosts 658and 659.Pa ~/.ssh/known_hosts 660files contain host public keys for all known hosts. 661The global file should 662be prepared by the administrator (optional), and the per-user file is 663maintained automatically: whenever the user connects from an unknown host, 664its key is added to the per-user file. 665.Pp 666Each line in these files contains the following fields: markers (optional), 667hostnames, bits, exponent, modulus, comment. 668The fields are separated by spaces. 669.Pp 670The marker is optional, but if it is present then it must be one of 671.Dq @cert-authority , 672to indicate that the line contains a certification authority (CA) key, 673or 674.Dq @revoked , 675to indicate that the key contained on the line is revoked and must not ever 676be accepted. 677Only one marker should be used on a key line. 678.Pp 679Hostnames is a comma-separated list of patterns 680.Pf ( Ql * 681and 682.Ql \&? 683act as 684wildcards); each pattern in turn is matched against the canonical host 685name (when authenticating a client) or against the user-supplied 686name (when authenticating a server). 687A pattern may also be preceded by 688.Ql \&! 689to indicate negation: if the host name matches a negated 690pattern, it is not accepted (by that line) even if it matched another 691pattern on the line. 692A hostname or address may optionally be enclosed within 693.Ql \&[ 694and 695.Ql \&] 696brackets then followed by 697.Ql \&: 698and a non-standard port number. 699.Pp 700Alternately, hostnames may be stored in a hashed form which hides host names 701and addresses should the file's contents be disclosed. 702Hashed hostnames start with a 703.Ql | 704character. 705Only one hashed hostname may appear on a single line and none of the above 706negation or wildcard operators may be applied. 707.Pp 708Bits, exponent, and modulus are taken directly from the RSA host key; they 709can be obtained, for example, from 710.Pa /etc/ssh/ssh_host_key.pub . 711The optional comment field continues to the end of the line, and is not used. 712.Pp 713Lines starting with 714.Ql # 715and empty lines are ignored as comments. 716.Pp 717When performing host authentication, authentication is accepted if any 718matching line has the proper key; either one that matches exactly or, 719if the server has presented a certificate for authentication, the key 720of the certification authority that signed the certificate. 721For a key to be trusted as a certification authority, it must use the 722.Dq @cert-authority 723marker described above. 724.Pp 725The known hosts file also provides a facility to mark keys as revoked, 726for example when it is known that the associated private key has been 727stolen. 728Revoked keys are specified by including the 729.Dq @revoked 730marker at the beginning of the key line, and are never accepted for 731authentication or as certification authorities, but instead will 732produce a warning from 733.Xr ssh 1 734when they are encountered. 735.Pp 736It is permissible (but not 737recommended) to have several lines or different host keys for the same 738names. 739This will inevitably happen when short forms of host names 740from different domains are put in the file. 741It is possible 742that the files contain conflicting information; authentication is 743accepted if valid information can be found from either file. 744.Pp 745Note that the lines in these files are typically hundreds of characters 746long, and you definitely don't want to type in the host keys by hand. 747Rather, generate them by a script, 748.Xr ssh-keyscan 1 749or by taking 750.Pa /etc/ssh/ssh_host_key.pub 751and adding the host names at the front. 752.Xr ssh-keygen 1 753also offers some basic automated editing for 754.Pa ~/.ssh/known_hosts 755including removing hosts matching a host name and converting all host 756names to their hashed representations. 757.Pp 758An example ssh_known_hosts file: 759.Bd -literal -offset 3n 760# Comments allowed at start of line 761closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net 762cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....= 763# A hashed hostname 764|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa 765AAAA1234.....= 766# A revoked key 767@revoked * ssh-rsa AAAAB5W... 768# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org 769@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W... 770.Ed 771.Sh FILES 772.Bl -tag -width Ds -compact 773.It Pa ~/.hushlogin 774This file is used to suppress printing the last login time and 775.Pa /etc/motd , 776if 777.Cm PrintLastLog 778and 779.Cm PrintMotd , 780respectively, 781are enabled. 782It does not suppress printing of the banner specified by 783.Cm Banner . 784.Pp 785.It Pa ~/.rhosts 786This file is used for host-based authentication (see 787.Xr ssh 1 788for more information). 789On some machines this file may need to be 790world-readable if the user's home directory is on an NFS partition, 791because 792.Nm 793reads it as root. 794Additionally, this file must be owned by the user, 795and must not have write permissions for anyone else. 796The recommended 797permission for most machines is read/write for the user, and not 798accessible by others. 799.Pp 800.It Pa ~/.shosts 801This file is used in exactly the same way as 802.Pa .rhosts , 803but allows host-based authentication without permitting login with 804rlogin/rsh. 805.Pp 806.It Pa ~/.ssh/ 807This directory is the default location for all user-specific configuration 808and authentication information. 809There is no general requirement to keep the entire contents of this directory 810secret, but the recommended permissions are read/write/execute for the user, 811and not accessible by others. 812.Pp 813.It Pa ~/.ssh/authorized_keys 814Lists the public keys (DSA, ECDSA, ED25519, RSA) 815that can be used for logging in as this user. 816The format of this file is described above. 817The content of the file is not highly sensitive, but the recommended 818permissions are read/write for the user, and not accessible by others. 819.Pp 820If this file, the 821.Pa ~/.ssh 822directory, or the user's home directory are writable 823by other users, then the file could be modified or replaced by unauthorized 824users. 825In this case, 826.Nm 827will not allow it to be used unless the 828.Cm StrictModes 829option has been set to 830.Dq no . 831.Pp 832.It Pa ~/.ssh/environment 833This file is read into the environment at login (if it exists). 834It can only contain empty lines, comment lines (that start with 835.Ql # ) , 836and assignment lines of the form name=value. 837The file should be writable 838only by the user; it need not be readable by anyone else. 839Environment processing is disabled by default and is 840controlled via the 841.Cm PermitUserEnvironment 842option. 843.Pp 844.It Pa ~/.ssh/known_hosts 845Contains a list of host keys for all hosts the user has logged into 846that are not already in the systemwide list of known host keys. 847The format of this file is described above. 848This file should be writable only by root/the owner and 849can, but need not be, world-readable. 850.Pp 851.It Pa ~/.ssh/rc 852Contains initialization routines to be run before 853the user's home directory becomes accessible. 854This file should be writable only by the user, and need not be 855readable by anyone else. 856.Pp 857.It Pa /etc/hosts.allow 858.It Pa /etc/hosts.deny 859Access controls that should be enforced by tcp-wrappers are defined here. 860Further details are described in 861.Xr hosts_access 5 . 862.Pp 863.It Pa /etc/hosts.equiv 864This file is for host-based authentication (see 865.Xr ssh 1 ) . 866It should only be writable by root. 867.Pp 868.It Pa /etc/moduli 869Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 870The file format is described in 871.Xr moduli 5 . 872.Pp 873.It Pa /etc/motd 874See 875.Xr motd 5 . 876.Pp 877.It Pa /etc/nologin 878If this file exists, 879.Nm 880refuses to let anyone except root log in. 881The contents of the file 882are displayed to anyone trying to log in, and non-root connections are 883refused. 884The file should be world-readable. 885.Pp 886.It Pa /etc/shosts.equiv 887This file is used in exactly the same way as 888.Pa hosts.equiv , 889but allows host-based authentication without permitting login with 890rlogin/rsh. 891.Pp 892.It Pa /etc/ssh/ssh_host_key 893.It Pa /etc/ssh/ssh_host_dsa_key 894.It Pa /etc/ssh/ssh_host_ecdsa_key 895.It Pa /etc/ssh/ssh_host_ed25519_key 896.It Pa /etc/ssh/ssh_host_rsa_key 897These files contain the private parts of the host keys. 898These files should only be owned by root, readable only by root, and not 899accessible to others. 900Note that 901.Nm 902does not start if these files are group/world-accessible. 903.Pp 904.It Pa /etc/ssh/ssh_host_key.pub 905.It Pa /etc/ssh/ssh_host_dsa_key.pub 906.It Pa /etc/ssh/ssh_host_ecdsa_key.pub 907.It Pa /etc/ssh/ssh_host_ed25519_key.pub 908.It Pa /etc/ssh/ssh_host_rsa_key.pub 909These files contain the public parts of the host keys. 910These files should be world-readable but writable only by 911root. 912Their contents should match the respective private parts. 913These files are not 914really used for anything; they are provided for the convenience of 915the user so their contents can be copied to known hosts files. 916These files are created using 917.Xr ssh-keygen 1 . 918.Pp 919.It Pa /etc/ssh/ssh_known_hosts 920Systemwide list of known host keys. 921This file should be prepared by the 922system administrator to contain the public host keys of all machines in the 923organization. 924The format of this file is described above. 925This file should be writable only by root/the owner and 926should be world-readable. 927.Pp 928.It Pa /etc/ssh/sshd_config 929Contains configuration data for 930.Nm sshd . 931The file format and configuration options are described in 932.Xr sshd_config 5 . 933.Pp 934.It Pa /etc/ssh/sshrc 935Similar to 936.Pa ~/.ssh/rc , 937it can be used to specify 938machine-specific login-time initializations globally. 939This file should be writable only by root, and should be world-readable. 940.Pp 941.It Pa /var/empty 942.Xr chroot 2 943directory used by 944.Nm 945during privilege separation in the pre-authentication phase. 946The directory should not contain any files and must be owned by root 947and not group or world-writable. 948.Pp 949.It Pa /var/run/sshd.pid 950Contains the process ID of the 951.Nm 952listening for connections (if there are several daemons running 953concurrently for different ports, this contains the process ID of the one 954started last). 955The content of this file is not sensitive; it can be world-readable. 956.El 957.Sh SEE ALSO 958.Xr scp 1 , 959.Xr sftp 1 , 960.Xr ssh 1 , 961.Xr ssh-add 1 , 962.Xr ssh-agent 1 , 963.Xr ssh-keygen 1 , 964.Xr ssh-keyscan 1 , 965.Xr chroot 2 , 966.Xr hosts_access 5 , 967.Xr login.conf 5 , 968.Xr moduli 5 , 969.Xr sshd_config 5 , 970.Xr inetd 8 , 971.Xr sftp-server 8 972.Sh AUTHORS 973OpenSSH is a derivative of the original and free 974ssh 1.2.12 release by Tatu Ylonen. 975Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 976Theo de Raadt and Dug Song 977removed many bugs, re-added newer features and 978created OpenSSH. 979Markus Friedl contributed the support for SSH 980protocol versions 1.5 and 2.0. 981Niels Provos and Markus Friedl contributed support 982for privilege separation. 983.Sh CAVEATS 984System security is not improved unless 985.Nm rshd , 986.Nm rlogind , 987and 988.Nm rexecd 989are disabled (thus completely disabling 990.Xr rlogin 991and 992.Xr rsh 993into the machine). 994