xref: /freebsd/crypto/openssh/sshd.8 (revision a64729f5077d77e13b9497cb33ecb3c82e606ee8)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd.8,v 1.325 2023/09/19 20:37:07 deraadt Exp $
37.Dd $Mdocdate: September 19 2023 $
38.Dt SSHD 8
39.Os
40.Sh NAME
41.Nm sshd
42.Nd OpenSSH daemon
43.Sh SYNOPSIS
44.Nm sshd
45.Bk -words
46.Op Fl 46DdeGiqTtV
47.Op Fl C Ar connection_spec
48.Op Fl c Ar host_certificate_file
49.Op Fl E Ar log_file
50.Op Fl f Ar config_file
51.Op Fl g Ar login_grace_time
52.Op Fl h Ar host_key_file
53.Op Fl o Ar option
54.Op Fl p Ar port
55.Op Fl u Ar len
56.Ek
57.Sh DESCRIPTION
58.Nm
59(OpenSSH Daemon) is the daemon program for
60.Xr ssh 1 .
61It provides secure encrypted communications between two untrusted hosts
62over an insecure network.
63.Pp
64.Nm
65listens for connections from clients.
66It is normally started at boot from
67.Pa /etc/rc.d/sshd .
68It forks a new
69daemon for each incoming connection.
70The forked daemons handle
71key exchange, encryption, authentication, command execution,
72and data exchange.
73.Pp
74.Nm
75can be configured using command-line options or a configuration file
76(by default
77.Xr sshd_config 5 ) ;
78command-line options override values specified in the
79configuration file.
80.Nm
81rereads its configuration file when it receives a hangup signal,
82.Dv SIGHUP ,
83by executing itself with the name and options it was started with, e.g.\&
84.Pa /usr/sbin/sshd .
85.Pp
86The options are as follows:
87.Bl -tag -width Ds
88.It Fl 4
89Forces
90.Nm
91to use IPv4 addresses only.
92.It Fl 6
93Forces
94.Nm
95to use IPv6 addresses only.
96.It Fl C Ar connection_spec
97Specify the connection parameters to use for the
98.Fl T
99extended test mode.
100If provided, any
101.Cm Match
102directives in the configuration file that would apply are applied before the
103configuration is written to standard output.
104The connection parameters are supplied as keyword=value pairs and may be
105supplied in any order, either with multiple
106.Fl C
107options or as a comma-separated list.
108The keywords are
109.Dq addr ,
110.Dq user ,
111.Dq host ,
112.Dq laddr ,
113.Dq lport ,
114and
115.Dq rdomain
116and correspond to source address, user, resolved source host name,
117local address, local port number and routing domain respectively.
118.It Fl c Ar host_certificate_file
119Specifies a path to a certificate file to identify
120.Nm
121during key exchange.
122The certificate file must match a host key file specified using the
123.Fl h
124option or the
125.Cm HostKey
126configuration directive.
127.It Fl D
128When this option is specified,
129.Nm
130will not detach and does not become a daemon.
131This allows easy monitoring of
132.Nm sshd .
133.It Fl d
134Debug mode.
135The server sends verbose debug output to standard error,
136and does not put itself in the background.
137The server also will not
138.Xr fork 2
139and will only process one connection.
140This option is only intended for debugging for the server.
141Multiple
142.Fl d
143options increase the debugging level.
144Maximum is 3.
145.It Fl E Ar log_file
146Append debug logs to
147.Ar log_file
148instead of the system log.
149.It Fl e
150Write debug logs to standard error instead of the system log.
151.It Fl f Ar config_file
152Specifies the name of the configuration file.
153The default is
154.Pa /etc/ssh/sshd_config .
155.Nm
156refuses to start if there is no configuration file.
157.It Fl G
158Parse and print configuration file.
159Check the validity of the configuration file, output the effective configuration
160to stdout and then exit.
161Optionally,
162.Cm Match
163rules may be applied by specifying the connection parameters using one or more
164.Fl C
165options.
166.It Fl g Ar login_grace_time
167Gives the grace time for clients to authenticate themselves (default
168120 seconds).
169If the client fails to authenticate the user within
170this many seconds, the server disconnects and exits.
171A value of zero indicates no limit.
172.It Fl h Ar host_key_file
173Specifies a file from which a host key is read.
174This option must be given if
175.Nm
176is not run as root (as the normal
177host key files are normally not readable by anyone but root).
178The default is
179.Pa /etc/ssh/ssh_host_ecdsa_key ,
180.Pa /etc/ssh/ssh_host_ed25519_key
181and
182.Pa /etc/ssh/ssh_host_rsa_key .
183It is possible to have multiple host key files for
184the different host key algorithms.
185.It Fl i
186Specifies that
187.Nm
188is being run from
189.Xr inetd 8 .
190.It Fl o Ar option
191Can be used to give options in the format used in the configuration file.
192This is useful for specifying options for which there is no separate
193command-line flag.
194For full details of the options, and their values, see
195.Xr sshd_config 5 .
196.It Fl p Ar port
197Specifies the port on which the server listens for connections
198(default 22).
199Multiple port options are permitted.
200Ports specified in the configuration file with the
201.Cm Port
202option are ignored when a command-line port is specified.
203Ports specified using the
204.Cm ListenAddress
205option override command-line ports.
206.It Fl q
207Quiet mode.
208Nothing is sent to the system log.
209Normally the beginning,
210authentication, and termination of each connection is logged.
211.It Fl T
212Extended test mode.
213Check the validity of the configuration file, output the effective configuration
214to stdout and then exit.
215Optionally,
216.Cm Match
217rules may be applied by specifying the connection parameters using one or more
218.Fl C
219options.
220This is similar to the
221.Fl G
222flag, but it includes the additional testing performed by the
223.Fl t
224flag.
225.It Fl t
226Test mode.
227Only check the validity of the configuration file and sanity of the keys.
228This is useful for updating
229.Nm
230reliably as configuration options may change.
231.It Fl u Ar len
232This option is used to specify the size of the field
233in the
234.Vt utmp
235structure that holds the remote host name.
236If the resolved host name is longer than
237.Ar len ,
238the dotted decimal value will be used instead.
239This allows hosts with very long host names that
240overflow this field to still be uniquely identified.
241Specifying
242.Fl u0
243indicates that only dotted decimal addresses
244should be put into the
245.Pa utmp
246file.
247.Fl u0
248may also be used to prevent
249.Nm
250from making DNS requests unless the authentication
251mechanism or configuration requires it.
252Authentication mechanisms that may require DNS include
253.Cm HostbasedAuthentication
254and using a
255.Cm from="pattern-list"
256option in a key file.
257Configuration options that require DNS include using a
258USER@HOST pattern in
259.Cm AllowUsers
260or
261.Cm DenyUsers .
262.It Fl V
263Display the version number and exit.
264.El
265.Sh AUTHENTICATION
266The OpenSSH SSH daemon supports SSH protocol 2 only.
267Each host has a host-specific key,
268used to identify the host.
269Whenever a client connects, the daemon responds with its public
270host key.
271The client compares the
272host key against its own database to verify that it has not changed.
273Forward secrecy is provided through a Diffie-Hellman key agreement.
274This key agreement results in a shared session key.
275The rest of the session is encrypted using a symmetric cipher.
276The client selects the encryption algorithm
277to use from those offered by the server.
278Additionally, session integrity is provided
279through a cryptographic message authentication code (MAC).
280.Pp
281Finally, the server and the client enter an authentication dialog.
282The client tries to authenticate itself using
283host-based authentication,
284public key authentication,
285challenge-response authentication,
286or password authentication.
287.Pp
288Regardless of the authentication type, the account is checked to
289ensure that it is accessible.  An account is not accessible if it is
290locked, listed in
291.Cm DenyUsers
292or its group is listed in
293.Cm DenyGroups
294\&.  The definition of a locked account is system dependent. Some platforms
295have their own account database (eg AIX) and some modify the passwd field (
296.Ql \&*LK\&*
297on Solaris and UnixWare,
298.Ql \&*
299on HP-UX, containing
300.Ql Nologin
301on Tru64,
302a leading
303.Ql \&*LOCKED\&*
304on FreeBSD and a leading
305.Ql \&!
306on most Linuxes).
307If there is a requirement to disable password authentication
308for the account while allowing still public-key, then the passwd field
309should be set to something other than these values (eg
310.Ql NP
311or
312.Ql \&*NP\&*
313).
314.Pp
315If the client successfully authenticates itself, a dialog for
316preparing the session is entered.
317At this time the client may request
318things like allocating a pseudo-tty, forwarding X11 connections,
319forwarding TCP connections, or forwarding the authentication agent
320connection over the secure channel.
321.Pp
322After this, the client either requests an interactive shell or execution
323of a non-interactive command, which
324.Nm
325will execute via the user's shell using its
326.Fl c
327option.
328The sides then enter session mode.
329In this mode, either side may send
330data at any time, and such data is forwarded to/from the shell or
331command on the server side, and the user terminal in the client side.
332.Pp
333When the user program terminates and all forwarded X11 and other
334connections have been closed, the server sends command exit status to
335the client, and both sides exit.
336.Sh LOGIN PROCESS
337When a user successfully logs in,
338.Nm
339does the following:
340.Bl -enum -offset indent
341.It
342If the login is on a tty, and no command has been specified,
343prints last login time and
344.Pa /etc/motd
345(unless prevented in the configuration file or by
346.Pa ~/.hushlogin ;
347see the
348.Sx FILES
349section).
350.It
351If the login is on a tty, records login time.
352.It
353Checks
354.Pa /etc/nologin and
355.Pa /var/run/nologin ;
356if one exists, it prints the contents and quits
357(unless root).
358.It
359Changes to run with normal user privileges.
360.It
361Sets up basic environment.
362.It
363Reads the file
364.Pa ~/.ssh/environment ,
365if it exists, and users are allowed to change their environment.
366See the
367.Cm PermitUserEnvironment
368option in
369.Xr sshd_config 5 .
370.It
371Changes to user's home directory.
372.It
373If
374.Pa ~/.ssh/rc
375exists and the
376.Xr sshd_config 5
377.Cm PermitUserRC
378option is set, runs it; else if
379.Pa /etc/ssh/sshrc
380exists, runs
381it; otherwise runs
382.Xr xauth 1 .
383The
384.Dq rc
385files are given the X11
386authentication protocol and cookie in standard input.
387See
388.Sx SSHRC ,
389below.
390.It
391Runs user's shell or command.
392All commands are run under the user's login shell as specified in the
393system password database.
394.El
395.Sh SSHRC
396If the file
397.Pa ~/.ssh/rc
398exists,
399.Xr sh 1
400runs it after reading the
401environment files but before starting the user's shell or command.
402It must not produce any output on stdout; stderr must be used
403instead.
404If X11 forwarding is in use, it will receive the "proto cookie" pair in
405its standard input (and
406.Ev DISPLAY
407in its environment).
408The script must call
409.Xr xauth 1
410because
411.Nm
412will not run xauth automatically to add X11 cookies.
413.Pp
414The primary purpose of this file is to run any initialization routines
415which may be needed before the user's home directory becomes
416accessible; AFS is a particular example of such an environment.
417.Pp
418This file will probably contain some initialization code followed by
419something similar to:
420.Bd -literal -offset 3n
421if read proto cookie && [ -n "$DISPLAY" ]; then
422	if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
423		# X11UseLocalhost=yes
424		echo add unix:`echo $DISPLAY |
425		    cut -c11-` $proto $cookie
426	else
427		# X11UseLocalhost=no
428		echo add $DISPLAY $proto $cookie
429	fi | xauth -q -
430fi
431.Ed
432.Pp
433If this file does not exist,
434.Pa /etc/ssh/sshrc
435is run, and if that
436does not exist either, xauth is used to add the cookie.
437.Sh AUTHORIZED_KEYS FILE FORMAT
438.Cm AuthorizedKeysFile
439specifies the files containing public keys for
440public key authentication;
441if this option is not specified, the default is
442.Pa ~/.ssh/authorized_keys
443and
444.Pa ~/.ssh/authorized_keys2 .
445Each line of the file contains one
446key (empty lines and lines starting with a
447.Ql #
448are ignored as
449comments).
450Public keys consist of the following space-separated fields:
451options, keytype, base64-encoded key, comment.
452The options field is optional.
453The supported key types are:
454.Pp
455.Bl -item -compact -offset indent
456.It
457sk-ecdsa-sha2-nistp256@openssh.com
458.It
459ecdsa-sha2-nistp256
460.It
461ecdsa-sha2-nistp384
462.It
463ecdsa-sha2-nistp521
464.It
465sk-ssh-ed25519@openssh.com
466.It
467ssh-ed25519
468.It
469ssh-dss
470.It
471ssh-rsa
472.El
473.Pp
474The comment field is not used for anything (but may be convenient for the
475user to identify the key).
476.Pp
477Note that lines in this file can be several hundred bytes long
478(because of the size of the public key encoding) up to a limit of
4798 kilobytes, which permits RSA keys up to 16 kilobits.
480You don't want to type them in; instead, copy the
481.Pa id_dsa.pub ,
482.Pa id_ecdsa.pub ,
483.Pa id_ecdsa_sk.pub ,
484.Pa id_ed25519.pub ,
485.Pa id_ed25519_sk.pub ,
486or the
487.Pa id_rsa.pub
488file and edit it.
489.Pp
490.Nm
491enforces a minimum RSA key modulus size of 1024 bits.
492.Pp
493The options (if present) consist of comma-separated option
494specifications.
495No spaces are permitted, except within double quotes.
496The following option specifications are supported (note
497that option keywords are case-insensitive):
498.Bl -tag -width Ds
499.It Cm agent-forwarding
500Enable authentication agent forwarding previously disabled by the
501.Cm restrict
502option.
503.It Cm cert-authority
504Specifies that the listed key is a certification authority (CA) that is
505trusted to validate signed certificates for user authentication.
506.Pp
507Certificates may encode access restrictions similar to these key options.
508If both certificate restrictions and key options are present, the most
509restrictive union of the two is applied.
510.It Cm command="command"
511Specifies that the command is executed whenever this key is used for
512authentication.
513The command supplied by the user (if any) is ignored.
514The command is run on a pty if the client requests a pty;
515otherwise it is run without a tty.
516If an 8-bit clean channel is required,
517one must not request a pty or should specify
518.Cm no-pty .
519A quote may be included in the command by quoting it with a backslash.
520.Pp
521This option might be useful
522to restrict certain public keys to perform just a specific operation.
523An example might be a key that permits remote backups but nothing else.
524Note that the client may specify TCP and/or X11
525forwarding unless they are explicitly prohibited, e.g. using the
526.Cm restrict
527key option.
528.Pp
529The command originally supplied by the client is available in the
530.Ev SSH_ORIGINAL_COMMAND
531environment variable.
532Note that this option applies to shell, command or subsystem execution.
533Also note that this command may be superseded by a
534.Xr sshd_config 5
535.Cm ForceCommand
536directive.
537.Pp
538If a command is specified and a forced-command is embedded in a certificate
539used for authentication, then the certificate will be accepted only if the
540two commands are identical.
541.It Cm environment="NAME=value"
542Specifies that the string is to be added to the environment when
543logging in using this key.
544Environment variables set this way
545override other default environment values.
546Multiple options of this type are permitted.
547Environment processing is disabled by default and is
548controlled via the
549.Cm PermitUserEnvironment
550option.
551.It Cm expiry-time="timespec"
552Specifies a time after which the key will not be accepted.
553The time may be specified as a YYYYMMDD[Z] date or a YYYYMMDDHHMM[SS][Z] time.
554Dates and times will be interpreted in the system time zone unless suffixed
555by a Z character, in which case they will be interpreted in the UTC time zone.
556.It Cm from="pattern-list"
557Specifies that in addition to public key authentication, either the canonical
558name of the remote host or its IP address must be present in the
559comma-separated list of patterns.
560See PATTERNS in
561.Xr ssh_config 5
562for more information on patterns.
563.Pp
564In addition to the wildcard matching that may be applied to hostnames or
565addresses, a
566.Cm from
567stanza may match IP addresses using CIDR address/masklen notation.
568.Pp
569The purpose of this option is to optionally increase security: public key
570authentication by itself does not trust the network or name servers or
571anything (but the key); however, if somebody somehow steals the key, the key
572permits an intruder to log in from anywhere in the world.
573This additional option makes using a stolen key more difficult (name
574servers and/or routers would have to be compromised in addition to
575just the key).
576.It Cm no-agent-forwarding
577Forbids authentication agent forwarding when this key is used for
578authentication.
579.It Cm no-port-forwarding
580Forbids TCP forwarding when this key is used for authentication.
581Any port forward requests by the client will return an error.
582This might be used, e.g. in connection with the
583.Cm command
584option.
585.It Cm no-pty
586Prevents tty allocation (a request to allocate a pty will fail).
587.It Cm no-user-rc
588Disables execution of
589.Pa ~/.ssh/rc .
590.It Cm no-X11-forwarding
591Forbids X11 forwarding when this key is used for authentication.
592Any X11 forward requests by the client will return an error.
593.It Cm permitlisten="[host:]port"
594Limit remote port forwarding with the
595.Xr ssh 1
596.Fl R
597option such that it may only listen on the specified host (optional) and port.
598IPv6 addresses can be specified by enclosing the address in square brackets.
599Multiple
600.Cm permitlisten
601options may be applied separated by commas.
602Hostnames may include wildcards as described in the PATTERNS section in
603.Xr ssh_config 5 .
604A port specification of
605.Cm *
606matches any port.
607Note that the setting of
608.Cm GatewayPorts
609may further restrict listen addresses.
610Note that
611.Xr ssh 1
612will send a hostname of
613.Dq localhost
614if a listen host was not specified when the forwarding was requested, and
615that this name is treated differently to the explicit localhost addresses
616.Dq 127.0.0.1
617and
618.Dq ::1 .
619.It Cm permitopen="host:port"
620Limit local port forwarding with the
621.Xr ssh 1
622.Fl L
623option such that it may only connect to the specified host and port.
624IPv6 addresses can be specified by enclosing the address in square brackets.
625Multiple
626.Cm permitopen
627options may be applied separated by commas.
628No pattern matching or name lookup is performed on the
629specified hostnames, they must be literal host names and/or addresses.
630A port specification of
631.Cm *
632matches any port.
633.It Cm port-forwarding
634Enable port forwarding previously disabled by the
635.Cm restrict
636option.
637.It Cm principals="principals"
638On a
639.Cm cert-authority
640line, specifies allowed principals for certificate authentication as a
641comma-separated list.
642At least one name from the list must appear in the certificate's
643list of principals for the certificate to be accepted.
644This option is ignored for keys that are not marked as trusted certificate
645signers using the
646.Cm cert-authority
647option.
648.It Cm pty
649Permits tty allocation previously disabled by the
650.Cm restrict
651option.
652.It Cm no-touch-required
653Do not require demonstration of user presence
654for signatures made using this key.
655This option only makes sense for the FIDO authenticator algorithms
656.Cm ecdsa-sk
657and
658.Cm ed25519-sk .
659.It Cm verify-required
660Require that signatures made using this key attest that they verified
661the user, e.g. via a PIN.
662This option only makes sense for the FIDO authenticator algorithms
663.Cm ecdsa-sk
664and
665.Cm ed25519-sk .
666.It Cm restrict
667Enable all restrictions, i.e. disable port, agent and X11 forwarding,
668as well as disabling PTY allocation
669and execution of
670.Pa ~/.ssh/rc .
671If any future restriction capabilities are added to authorized_keys files,
672they will be included in this set.
673.It Cm tunnel="n"
674Force a
675.Xr tun 4
676device on the server.
677Without this option, the next available device will be used if
678the client requests a tunnel.
679.It Cm user-rc
680Enables execution of
681.Pa ~/.ssh/rc
682previously disabled by the
683.Cm restrict
684option.
685.It Cm X11-forwarding
686Permits X11 forwarding previously disabled by the
687.Cm restrict
688option.
689.El
690.Pp
691An example authorized_keys file:
692.Bd -literal -offset 3n
693# Comments are allowed at start of line. Blank lines are allowed.
694# Plain key, no restrictions
695ssh-rsa ...
696# Forced command, disable PTY and all forwarding
697restrict,command="dump /home" ssh-rsa ...
698# Restriction of ssh -L forwarding destinations
699permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ...
700# Restriction of ssh -R forwarding listeners
701permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ...
702# Configuration for tunnel forwarding
703tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ...
704# Override of restriction to allow PTY allocation
705restrict,pty,command="nethack" ssh-rsa ...
706# Allow FIDO key without requiring touch
707no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ...
708# Require user-verification (e.g. PIN or biometric) for FIDO key
709verify-required sk-ecdsa-sha2-nistp256@openssh.com ...
710# Trust CA key, allow touch-less FIDO if requested in certificate
711cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
712.Ed
713.Sh SSH_KNOWN_HOSTS FILE FORMAT
714The
715.Pa /etc/ssh/ssh_known_hosts
716and
717.Pa ~/.ssh/known_hosts
718files contain host public keys for all known hosts.
719The global file should
720be prepared by the administrator (optional), and the per-user file is
721maintained automatically: whenever the user connects to an unknown host,
722its key is added to the per-user file.
723.Pp
724Each line in these files contains the following fields: marker (optional),
725hostnames, keytype, base64-encoded key, comment.
726The fields are separated by spaces.
727.Pp
728The marker is optional, but if it is present then it must be one of
729.Dq @cert-authority ,
730to indicate that the line contains a certification authority (CA) key,
731or
732.Dq @revoked ,
733to indicate that the key contained on the line is revoked and must not ever
734be accepted.
735Only one marker should be used on a key line.
736.Pp
737Hostnames is a comma-separated list of patterns
738.Pf ( Ql *
739and
740.Ql \&?
741act as
742wildcards); each pattern in turn is matched against the host name.
743When
744.Nm sshd
745is authenticating a client, such as when using
746.Cm HostbasedAuthentication ,
747this will be the canonical client host name.
748When
749.Xr ssh 1
750is authenticating a server, this will be the host name
751given by the user, the value of the
752.Xr ssh 1
753.Cm HostkeyAlias
754if it was specified, or the canonical server hostname if the
755.Xr ssh 1
756.Cm CanonicalizeHostname
757option was used.
758.Pp
759A pattern may also be preceded by
760.Ql \&!
761to indicate negation: if the host name matches a negated
762pattern, it is not accepted (by that line) even if it matched another
763pattern on the line.
764A hostname or address may optionally be enclosed within
765.Ql \&[
766and
767.Ql \&]
768brackets then followed by
769.Ql \&:
770and a non-standard port number.
771.Pp
772Alternately, hostnames may be stored in a hashed form which hides host names
773and addresses should the file's contents be disclosed.
774Hashed hostnames start with a
775.Ql |
776character.
777Only one hashed hostname may appear on a single line and none of the above
778negation or wildcard operators may be applied.
779.Pp
780The keytype and base64-encoded key are taken directly from the host key; they
781can be obtained, for example, from
782.Pa /etc/ssh/ssh_host_rsa_key.pub .
783The optional comment field continues to the end of the line, and is not used.
784.Pp
785Lines starting with
786.Ql #
787and empty lines are ignored as comments.
788.Pp
789When performing host authentication, authentication is accepted if any
790matching line has the proper key; either one that matches exactly or,
791if the server has presented a certificate for authentication, the key
792of the certification authority that signed the certificate.
793For a key to be trusted as a certification authority, it must use the
794.Dq @cert-authority
795marker described above.
796.Pp
797The known hosts file also provides a facility to mark keys as revoked,
798for example when it is known that the associated private key has been
799stolen.
800Revoked keys are specified by including the
801.Dq @revoked
802marker at the beginning of the key line, and are never accepted for
803authentication or as certification authorities, but instead will
804produce a warning from
805.Xr ssh 1
806when they are encountered.
807.Pp
808It is permissible (but not
809recommended) to have several lines or different host keys for the same
810names.
811This will inevitably happen when short forms of host names
812from different domains are put in the file.
813It is possible
814that the files contain conflicting information; authentication is
815accepted if valid information can be found from either file.
816.Pp
817Note that the lines in these files are typically hundreds of characters
818long, and you definitely don't want to type in the host keys by hand.
819Rather, generate them by a script,
820.Xr ssh-keyscan 1
821or by taking, for example,
822.Pa /etc/ssh/ssh_host_rsa_key.pub
823and adding the host names at the front.
824.Xr ssh-keygen 1
825also offers some basic automated editing for
826.Pa ~/.ssh/known_hosts
827including removing hosts matching a host name and converting all host
828names to their hashed representations.
829.Pp
830An example ssh_known_hosts file:
831.Bd -literal -offset 3n
832# Comments allowed at start of line
833cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
834# A hashed hostname
835|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
836AAAA1234.....=
837# A revoked key
838@revoked * ssh-rsa AAAAB5W...
839# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
840@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
841.Ed
842.Sh FILES
843.Bl -tag -width Ds -compact
844.It Pa ~/.hushlogin
845This file is used to suppress printing the last login time and
846.Pa /etc/motd ,
847if
848.Cm PrintLastLog
849and
850.Cm PrintMotd ,
851respectively,
852are enabled.
853It does not suppress printing of the banner specified by
854.Cm Banner .
855.Pp
856.It Pa ~/.rhosts
857This file is used for host-based authentication (see
858.Xr ssh 1
859for more information).
860On some machines this file may need to be
861world-readable if the user's home directory is on an NFS partition,
862because
863.Nm
864reads it as root.
865Additionally, this file must be owned by the user,
866and must not have write permissions for anyone else.
867The recommended
868permission for most machines is read/write for the user, and not
869accessible by others.
870.Pp
871.It Pa ~/.shosts
872This file is used in exactly the same way as
873.Pa .rhosts ,
874but allows host-based authentication without permitting login with
875rlogin/rsh.
876.Pp
877.It Pa ~/.ssh/
878This directory is the default location for all user-specific configuration
879and authentication information.
880There is no general requirement to keep the entire contents of this directory
881secret, but the recommended permissions are read/write/execute for the user,
882and not accessible by others.
883.Pp
884.It Pa ~/.ssh/authorized_keys
885Lists the public keys (DSA, ECDSA, Ed25519, RSA)
886that can be used for logging in as this user.
887The format of this file is described above.
888The content of the file is not highly sensitive, but the recommended
889permissions are read/write for the user, and not accessible by others.
890.Pp
891If this file, the
892.Pa ~/.ssh
893directory, or the user's home directory are writable
894by other users, then the file could be modified or replaced by unauthorized
895users.
896In this case,
897.Nm
898will not allow it to be used unless the
899.Cm StrictModes
900option has been set to
901.Dq no .
902.Pp
903.It Pa ~/.ssh/environment
904This file is read into the environment at login (if it exists).
905It can only contain empty lines, comment lines (that start with
906.Ql # ) ,
907and assignment lines of the form name=value.
908The file should be writable
909only by the user; it need not be readable by anyone else.
910Environment processing is disabled by default and is
911controlled via the
912.Cm PermitUserEnvironment
913option.
914.Pp
915.It Pa ~/.ssh/known_hosts
916Contains a list of host keys for all hosts the user has logged into
917that are not already in the systemwide list of known host keys.
918The format of this file is described above.
919This file should be writable only by root/the owner and
920can, but need not be, world-readable.
921.Pp
922.It Pa ~/.ssh/rc
923Contains initialization routines to be run before
924the user's home directory becomes accessible.
925This file should be writable only by the user, and need not be
926readable by anyone else.
927.Pp
928.It Pa /etc/hosts.allow
929.It Pa /etc/hosts.deny
930Access controls that should be enforced by tcp-wrappers are defined here.
931Further details are described in
932.Xr hosts_access 5 .
933.Pp
934.It Pa /etc/hosts.equiv
935This file is for host-based authentication (see
936.Xr ssh 1 ) .
937It should only be writable by root.
938.Pp
939.It Pa /etc/moduli
940Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
941key exchange method.
942The file format is described in
943.Xr moduli 5 .
944If no usable groups are found in this file then fixed internal groups will
945be used.
946.Pp
947.It Pa /etc/motd
948See
949.Xr motd 5 .
950.Pp
951.It Pa /etc/nologin
952If this file exists,
953.Nm
954refuses to let anyone except root log in.
955The contents of the file
956are displayed to anyone trying to log in, and non-root connections are
957refused.
958The file should be world-readable.
959.Pp
960.It Pa /etc/shosts.equiv
961This file is used in exactly the same way as
962.Pa hosts.equiv ,
963but allows host-based authentication without permitting login with
964rlogin/rsh.
965.Pp
966.It Pa /etc/ssh/ssh_host_ecdsa_key
967.It Pa /etc/ssh/ssh_host_ed25519_key
968.It Pa /etc/ssh/ssh_host_rsa_key
969These files contain the private parts of the host keys.
970These files should only be owned by root, readable only by root, and not
971accessible to others.
972Note that
973.Nm
974does not start if these files are group/world-accessible.
975.Pp
976.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
977.It Pa /etc/ssh/ssh_host_ed25519_key.pub
978.It Pa /etc/ssh/ssh_host_rsa_key.pub
979These files contain the public parts of the host keys.
980These files should be world-readable but writable only by
981root.
982Their contents should match the respective private parts.
983These files are not
984really used for anything; they are provided for the convenience of
985the user so their contents can be copied to known hosts files.
986These files are created using
987.Xr ssh-keygen 1 .
988.Pp
989.It Pa /etc/ssh/ssh_known_hosts
990Systemwide list of known host keys.
991This file should be prepared by the
992system administrator to contain the public host keys of all machines in the
993organization.
994The format of this file is described above.
995This file should be writable only by root/the owner and
996should be world-readable.
997.Pp
998.It Pa /etc/ssh/sshd_config
999Contains configuration data for
1000.Nm sshd .
1001The file format and configuration options are described in
1002.Xr sshd_config 5 .
1003.Pp
1004.It Pa /etc/ssh/sshrc
1005Similar to
1006.Pa ~/.ssh/rc ,
1007it can be used to specify
1008machine-specific login-time initializations globally.
1009This file should be writable only by root, and should be world-readable.
1010.Pp
1011.It Pa /var/empty
1012.Xr chroot 2
1013directory used by
1014.Nm
1015during privilege separation in the pre-authentication phase.
1016The directory should not contain any files and must be owned by root
1017and not group or world-writable.
1018.Pp
1019.It Pa /var/run/sshd.pid
1020Contains the process ID of the
1021.Nm
1022listening for connections (if there are several daemons running
1023concurrently for different ports, this contains the process ID of the one
1024started last).
1025The content of this file is not sensitive; it can be world-readable.
1026.El
1027.Sh SEE ALSO
1028.Xr scp 1 ,
1029.Xr sftp 1 ,
1030.Xr ssh 1 ,
1031.Xr ssh-add 1 ,
1032.Xr ssh-agent 1 ,
1033.Xr ssh-keygen 1 ,
1034.Xr ssh-keyscan 1 ,
1035.Xr chroot 2 ,
1036.Xr hosts_access 5 ,
1037.Xr login.conf 5 ,
1038.Xr moduli 5 ,
1039.Xr sshd_config 5 ,
1040.Xr inetd 8 ,
1041.Xr sftp-server 8
1042.Sh AUTHORS
1043OpenSSH is a derivative of the original and free
1044ssh 1.2.12 release by Tatu Ylonen.
1045Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1046Theo de Raadt and Dug Song
1047removed many bugs, re-added newer features and
1048created OpenSSH.
1049Markus Friedl contributed the support for SSH
1050protocol versions 1.5 and 2.0.
1051Niels Provos and Markus Friedl contributed support
1052for privilege separation.
1053