xref: /freebsd/crypto/openssh/sshd.8 (revision d1d015864103b253b3fcb2f72a0da5b0cfeb31b6)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $
37.\" $FreeBSD$
38.Dd October 4, 2012
39.Dt SSHD 8
40.Os
41.Sh NAME
42.Nm sshd
43.Nd OpenSSH SSH daemon
44.Sh SYNOPSIS
45.Nm sshd
46.Bk -words
47.Op Fl 46DdeiqTt
48.Op Fl b Ar bits
49.Op Fl C Ar connection_spec
50.Op Fl c Ar host_certificate_file
51.Op Fl f Ar config_file
52.Op Fl g Ar login_grace_time
53.Op Fl h Ar host_key_file
54.Op Fl k Ar key_gen_time
55.Op Fl o Ar option
56.Op Fl p Ar port
57.Op Fl u Ar len
58.Ek
59.Sh DESCRIPTION
60.Nm
61(OpenSSH Daemon) is the daemon program for
62.Xr ssh 1 .
63Together these programs replace
64.Xr rlogin 1
65and
66.Xr rsh 1 ,
67and provide secure encrypted communications between two untrusted hosts
68over an insecure network.
69.Pp
70.Nm
71listens for connections from clients.
72It is normally started at boot from
73.Pa /etc/rc.d/sshd .
74It forks a new
75daemon for each incoming connection.
76The forked daemons handle
77key exchange, encryption, authentication, command execution,
78and data exchange.
79.Pp
80.Nm
81can be configured using command-line options or a configuration file
82(by default
83.Xr sshd_config 5 ) ;
84command-line options override values specified in the
85configuration file.
86.Nm
87rereads its configuration file when it receives a hangup signal,
88.Dv SIGHUP ,
89by executing itself with the name and options it was started with, e.g.\&
90.Pa /usr/sbin/sshd .
91.Pp
92The options are as follows:
93.Bl -tag -width Ds
94.It Fl 4
95Forces
96.Nm
97to use IPv4 addresses only.
98.It Fl 6
99Forces
100.Nm
101to use IPv6 addresses only.
102.It Fl b Ar bits
103Specifies the number of bits in the ephemeral protocol version 1
104server key (default 1024).
105.It Fl C Ar connection_spec
106Specify the connection parameters to use for the
107.Fl T
108extended test mode.
109If provided, any
110.Cm Match
111directives in the configuration file
112that would apply to the specified user, host, and address will be set before
113the configuration is written to standard output.
114The connection parameters are supplied as keyword=value pairs.
115The keywords are
116.Dq user ,
117.Dq host ,
118.Dq laddr ,
119.Dq lport ,
120and
121.Dq addr .
122All are required and may be supplied in any order, either with multiple
123.Fl C
124options or as a comma-separated list.
125.It Fl c Ar host_certificate_file
126Specifies a path to a certificate file to identify
127.Nm
128during key exchange.
129The certificate file must match a host key file specified using the
130.Fl h
131option or the
132.Cm HostKey
133configuration directive.
134.It Fl D
135When this option is specified,
136.Nm
137will not detach and does not become a daemon.
138This allows easy monitoring of
139.Nm sshd .
140.It Fl d
141Debug mode.
142The server sends verbose debug output to standard error,
143and does not put itself in the background.
144The server also will not fork and will only process one connection.
145This option is only intended for debugging for the server.
146Multiple
147.Fl d
148options increase the debugging level.
149Maximum is 3.
150.It Fl e
151When this option is specified,
152.Nm
153will send the output to the standard error instead of the system log.
154.It Fl f Ar config_file
155Specifies the name of the configuration file.
156The default is
157.Pa /etc/ssh/sshd_config .
158.Nm
159refuses to start if there is no configuration file.
160.It Fl g Ar login_grace_time
161Gives the grace time for clients to authenticate themselves (default
162120 seconds).
163If the client fails to authenticate the user within
164this many seconds, the server disconnects and exits.
165A value of zero indicates no limit.
166.It Fl h Ar host_key_file
167Specifies a file from which a host key is read.
168This option must be given if
169.Nm
170is not run as root (as the normal
171host key files are normally not readable by anyone but root).
172The default is
173.Pa /etc/ssh/ssh_host_key
174for protocol version 1, and
175.Pa /etc/ssh/ssh_host_dsa_key ,
176.Pa /etc/ssh/ssh_host_ecdsa_key
177and
178.Pa /etc/ssh/ssh_host_rsa_key
179for protocol version 2.
180It is possible to have multiple host key files for
181the different protocol versions and host key algorithms.
182.It Fl i
183Specifies that
184.Nm
185is being run from
186.Xr inetd 8 .
187.Nm
188is normally not run
189from inetd because it needs to generate the server key before it can
190respond to the client, and this may take tens of seconds.
191Clients would have to wait too long if the key was regenerated every time.
192However, with small key sizes (e.g. 512) using
193.Nm
194from inetd may
195be feasible.
196.It Fl k Ar key_gen_time
197Specifies how often the ephemeral protocol version 1 server key is
198regenerated (default 3600 seconds, or one hour).
199The motivation for regenerating the key fairly
200often is that the key is not stored anywhere, and after about an hour
201it becomes impossible to recover the key for decrypting intercepted
202communications even if the machine is cracked into or physically
203seized.
204A value of zero indicates that the key will never be regenerated.
205.It Fl o Ar option
206Can be used to give options in the format used in the configuration file.
207This is useful for specifying options for which there is no separate
208command-line flag.
209For full details of the options, and their values, see
210.Xr sshd_config 5 .
211.It Fl p Ar port
212Specifies the port on which the server listens for connections
213(default 22).
214Multiple port options are permitted.
215Ports specified in the configuration file with the
216.Cm Port
217option are ignored when a command-line port is specified.
218Ports specified using the
219.Cm ListenAddress
220option override command-line ports.
221.It Fl q
222Quiet mode.
223Nothing is sent to the system log.
224Normally the beginning,
225authentication, and termination of each connection is logged.
226.It Fl T
227Extended test mode.
228Check the validity of the configuration file, output the effective configuration
229to stdout and then exit.
230Optionally,
231.Cm Match
232rules may be applied by specifying the connection parameters using one or more
233.Fl C
234options.
235.It Fl t
236Test mode.
237Only check the validity of the configuration file and sanity of the keys.
238This is useful for updating
239.Nm
240reliably as configuration options may change.
241.It Fl u Ar len
242This option is used to specify the size of the field
243in the
244.Li utmp
245structure that holds the remote host name.
246If the resolved host name is longer than
247.Ar len ,
248the dotted decimal value will be used instead.
249This allows hosts with very long host names that
250overflow this field to still be uniquely identified.
251Specifying
252.Fl u0
253indicates that only dotted decimal addresses
254should be put into the
255.Pa utmp
256file.
257.Fl u0
258may also be used to prevent
259.Nm
260from making DNS requests unless the authentication
261mechanism or configuration requires it.
262Authentication mechanisms that may require DNS include
263.Cm RhostsRSAAuthentication ,
264.Cm HostbasedAuthentication ,
265and using a
266.Cm from="pattern-list"
267option in a key file.
268Configuration options that require DNS include using a
269USER@HOST pattern in
270.Cm AllowUsers
271or
272.Cm DenyUsers .
273.El
274.Sh AUTHENTICATION
275The OpenSSH SSH daemon supports SSH protocols 1 and 2.
276The default is to use protocol 2 only,
277though this can be changed via the
278.Cm Protocol
279option in
280.Xr sshd_config 5 .
281Protocol 2 supports DSA, ECDSA and RSA keys;
282protocol 1 only supports RSA keys.
283For both protocols,
284each host has a host-specific key,
285normally 2048 bits,
286used to identify the host.
287.Pp
288Forward security for protocol 1 is provided through
289an additional server key,
290normally 768 bits,
291generated when the server starts.
292This key is normally regenerated every hour if it has been used, and
293is never stored on disk.
294Whenever a client connects, the daemon responds with its public
295host and server keys.
296The client compares the
297RSA host key against its own database to verify that it has not changed.
298The client then generates a 256-bit random number.
299It encrypts this
300random number using both the host key and the server key, and sends
301the encrypted number to the server.
302Both sides then use this
303random number as a session key which is used to encrypt all further
304communications in the session.
305The rest of the session is encrypted
306using a conventional cipher, currently Blowfish or 3DES, with 3DES
307being used by default.
308The client selects the encryption algorithm
309to use from those offered by the server.
310.Pp
311For protocol 2,
312forward security is provided through a Diffie-Hellman key agreement.
313This key agreement results in a shared session key.
314The rest of the session is encrypted using a symmetric cipher, currently
315128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
316The client selects the encryption algorithm
317to use from those offered by the server.
318Additionally, session integrity is provided
319through a cryptographic message authentication code
320(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160,
321hmac-sha2-256 or hmac-sha2-512).
322.Pp
323Finally, the server and the client enter an authentication dialog.
324The client tries to authenticate itself using
325host-based authentication,
326public key authentication,
327challenge-response authentication,
328or password authentication.
329.Pp
330Regardless of the authentication type, the account is checked to
331ensure that it is accessible.  An account is not accessible if it is
332locked, listed in
333.Cm DenyUsers
334or its group is listed in
335.Cm DenyGroups
336\&.  The definition of a locked account is system dependant. Some platforms
337have their own account database (eg AIX) and some modify the passwd field (
338.Ql \&*LK\&*
339on Solaris and UnixWare,
340.Ql \&*
341on HP-UX, containing
342.Ql Nologin
343on Tru64,
344a leading
345.Ql \&*LOCKED\&*
346on FreeBSD and a leading
347.Ql \&!
348on most Linuxes).
349If there is a requirement to disable password authentication
350for the account while allowing still public-key, then the passwd field
351should be set to something other than these values (eg
352.Ql NP
353or
354.Ql \&*NP\&*
355).
356.Pp
357If the client successfully authenticates itself, a dialog for
358preparing the session is entered.
359At this time the client may request
360things like allocating a pseudo-tty, forwarding X11 connections,
361forwarding TCP connections, or forwarding the authentication agent
362connection over the secure channel.
363.Pp
364After this, the client either requests a shell or execution of a command.
365The sides then enter session mode.
366In this mode, either side may send
367data at any time, and such data is forwarded to/from the shell or
368command on the server side, and the user terminal in the client side.
369.Pp
370When the user program terminates and all forwarded X11 and other
371connections have been closed, the server sends command exit status to
372the client, and both sides exit.
373.Sh LOGIN PROCESS
374When a user successfully logs in,
375.Nm
376does the following:
377.Bl -enum -offset indent
378.It
379If the login is on a tty, and no command has been specified,
380prints last login time and
381.Pa /etc/motd
382(unless prevented in the configuration file or by
383.Pa ~/.hushlogin ;
384see the
385.Sx FILES
386section).
387.It
388If the login is on a tty, records login time.
389.It
390Checks
391.Pa /etc/nologin and
392.Pa /var/run/nologin ;
393if one exists, it prints the contents and quits
394(unless root).
395.It
396Changes to run with normal user privileges.
397.It
398Sets up basic environment.
399.It
400Reads the file
401.Pa ~/.ssh/environment ,
402if it exists, and users are allowed to change their environment.
403See the
404.Cm PermitUserEnvironment
405option in
406.Xr sshd_config 5 .
407.It
408Changes to user's home directory.
409.It
410If
411.Pa ~/.ssh/rc
412exists, runs it; else if
413.Pa /etc/ssh/sshrc
414exists, runs
415it; otherwise runs
416.Xr xauth 1 .
417The
418.Dq rc
419files are given the X11
420authentication protocol and cookie in standard input.
421See
422.Sx SSHRC ,
423below.
424.It
425Runs user's shell or command.
426.El
427.Sh SSHRC
428If the file
429.Pa ~/.ssh/rc
430exists,
431.Xr sh 1
432runs it after reading the
433environment files but before starting the user's shell or command.
434It must not produce any output on stdout; stderr must be used
435instead.
436If X11 forwarding is in use, it will receive the "proto cookie" pair in
437its standard input (and
438.Ev DISPLAY
439in its environment).
440The script must call
441.Xr xauth 1
442because
443.Nm
444will not run xauth automatically to add X11 cookies.
445.Pp
446The primary purpose of this file is to run any initialization routines
447which may be needed before the user's home directory becomes
448accessible; AFS is a particular example of such an environment.
449.Pp
450This file will probably contain some initialization code followed by
451something similar to:
452.Bd -literal -offset 3n
453if read proto cookie && [ -n "$DISPLAY" ]; then
454	if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
455		# X11UseLocalhost=yes
456		echo add unix:`echo $DISPLAY |
457		    cut -c11-` $proto $cookie
458	else
459		# X11UseLocalhost=no
460		echo add $DISPLAY $proto $cookie
461	fi | xauth -q -
462fi
463.Ed
464.Pp
465If this file does not exist,
466.Pa /etc/ssh/sshrc
467is run, and if that
468does not exist either, xauth is used to add the cookie.
469.Sh AUTHORIZED_KEYS FILE FORMAT
470.Cm AuthorizedKeysFile
471specifies the files containing public keys for
472public key authentication;
473if none is specified, the default is
474.Pa ~/.ssh/authorized_keys
475and
476.Pa ~/.ssh/authorized_keys2 .
477Each line of the file contains one
478key (empty lines and lines starting with a
479.Ql #
480are ignored as
481comments).
482Protocol 1 public keys consist of the following space-separated fields:
483options, bits, exponent, modulus, comment.
484Protocol 2 public key consist of:
485options, keytype, base64-encoded key, comment.
486The options field is optional;
487its presence is determined by whether the line starts
488with a number or not (the options field never starts with a number).
489The bits, exponent, modulus, and comment fields give the RSA key for
490protocol version 1; the
491comment field is not used for anything (but may be convenient for the
492user to identify the key).
493For protocol version 2 the keytype is
494.Dq ecdsa-sha2-nistp256 ,
495.Dq ecdsa-sha2-nistp384 ,
496.Dq ecdsa-sha2-nistp521 ,
497.Dq ssh-dss
498or
499.Dq ssh-rsa .
500.Pp
501Note that lines in this file are usually several hundred bytes long
502(because of the size of the public key encoding) up to a limit of
5038 kilobytes, which permits DSA keys up to 8 kilobits and RSA
504keys up to 16 kilobits.
505You don't want to type them in; instead, copy the
506.Pa identity.pub ,
507.Pa id_dsa.pub ,
508.Pa id_ecdsa.pub ,
509or the
510.Pa id_rsa.pub
511file and edit it.
512.Pp
513.Nm
514enforces a minimum RSA key modulus size for protocol 1
515and protocol 2 keys of 768 bits.
516.Pp
517The options (if present) consist of comma-separated option
518specifications.
519No spaces are permitted, except within double quotes.
520The following option specifications are supported (note
521that option keywords are case-insensitive):
522.Bl -tag -width Ds
523.It Cm cert-authority
524Specifies that the listed key is a certification authority (CA) that is
525trusted to validate signed certificates for user authentication.
526.Pp
527Certificates may encode access restrictions similar to these key options.
528If both certificate restrictions and key options are present, the most
529restrictive union of the two is applied.
530.It Cm command="command"
531Specifies that the command is executed whenever this key is used for
532authentication.
533The command supplied by the user (if any) is ignored.
534The command is run on a pty if the client requests a pty;
535otherwise it is run without a tty.
536If an 8-bit clean channel is required,
537one must not request a pty or should specify
538.Cm no-pty .
539A quote may be included in the command by quoting it with a backslash.
540This option might be useful
541to restrict certain public keys to perform just a specific operation.
542An example might be a key that permits remote backups but nothing else.
543Note that the client may specify TCP and/or X11
544forwarding unless they are explicitly prohibited.
545The command originally supplied by the client is available in the
546.Ev SSH_ORIGINAL_COMMAND
547environment variable.
548Note that this option applies to shell, command or subsystem execution.
549Also note that this command may be superseded by either a
550.Xr sshd_config 5
551.Cm ForceCommand
552directive or a command embedded in a certificate.
553.It Cm environment="NAME=value"
554Specifies that the string is to be added to the environment when
555logging in using this key.
556Environment variables set this way
557override other default environment values.
558Multiple options of this type are permitted.
559Environment processing is disabled by default and is
560controlled via the
561.Cm PermitUserEnvironment
562option.
563This option is automatically disabled if
564.Cm UseLogin
565is enabled.
566.It Cm from="pattern-list"
567Specifies that in addition to public key authentication, either the canonical
568name of the remote host or its IP address must be present in the
569comma-separated list of patterns.
570See
571.Sx PATTERNS
572in
573.Xr ssh_config 5
574for more information on patterns.
575.Pp
576In addition to the wildcard matching that may be applied to hostnames or
577addresses, a
578.Cm from
579stanza may match IP addresses using CIDR address/masklen notation.
580.Pp
581The purpose of this option is to optionally increase security: public key
582authentication by itself does not trust the network or name servers or
583anything (but the key); however, if somebody somehow steals the key, the key
584permits an intruder to log in from anywhere in the world.
585This additional option makes using a stolen key more difficult (name
586servers and/or routers would have to be compromised in addition to
587just the key).
588.It Cm no-agent-forwarding
589Forbids authentication agent forwarding when this key is used for
590authentication.
591.It Cm no-port-forwarding
592Forbids TCP forwarding when this key is used for authentication.
593Any port forward requests by the client will return an error.
594This might be used, e.g. in connection with the
595.Cm command
596option.
597.It Cm no-pty
598Prevents tty allocation (a request to allocate a pty will fail).
599.It Cm no-user-rc
600Disables execution of
601.Pa ~/.ssh/rc .
602.It Cm no-X11-forwarding
603Forbids X11 forwarding when this key is used for authentication.
604Any X11 forward requests by the client will return an error.
605.It Cm permitopen="host:port"
606Limit local
607.Li ``ssh -L''
608port forwarding such that it may only connect to the specified host and
609port.
610IPv6 addresses can be specified by enclosing the address in square brackets.
611Multiple
612.Cm permitopen
613options may be applied separated by commas.
614No pattern matching is performed on the specified hostnames,
615they must be literal domains or addresses.
616A port specification of
617.Cm *
618matches any port.
619.It Cm principals="principals"
620On a
621.Cm cert-authority
622line, specifies allowed principals for certificate authentication as a
623comma-separated list.
624At least one name from the list must appear in the certificate's
625list of principals for the certificate to be accepted.
626This option is ignored for keys that are not marked as trusted certificate
627signers using the
628.Cm cert-authority
629option.
630.It Cm tunnel="n"
631Force a
632.Xr tun 4
633device on the server.
634Without this option, the next available device will be used if
635the client requests a tunnel.
636.El
637.Pp
638An example authorized_keys file:
639.Bd -literal -offset 3n
640# Comments allowed at start of line
641ssh-rsa AAAAB3Nza...LiPk== user@example.net
642from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
643AAAAB2...19Q== john@example.net
644command="dump /home",no-pty,no-port-forwarding ssh-dss
645AAAAC3...51R== example.net
646permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
647AAAAB5...21S==
648tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
649jane@example.net
650.Ed
651.Sh SSH_KNOWN_HOSTS FILE FORMAT
652The
653.Pa /etc/ssh/ssh_known_hosts
654and
655.Pa ~/.ssh/known_hosts
656files contain host public keys for all known hosts.
657The global file should
658be prepared by the administrator (optional), and the per-user file is
659maintained automatically: whenever the user connects from an unknown host,
660its key is added to the per-user file.
661.Pp
662Each line in these files contains the following fields: markers (optional),
663hostnames, bits, exponent, modulus, comment.
664The fields are separated by spaces.
665.Pp
666The marker is optional, but if it is present then it must be one of
667.Dq @cert-authority ,
668to indicate that the line contains a certification authority (CA) key,
669or
670.Dq @revoked ,
671to indicate that the key contained on the line is revoked and must not ever
672be accepted.
673Only one marker should be used on a key line.
674.Pp
675Hostnames is a comma-separated list of patterns
676.Pf ( Ql *
677and
678.Ql \&?
679act as
680wildcards); each pattern in turn is matched against the canonical host
681name (when authenticating a client) or against the user-supplied
682name (when authenticating a server).
683A pattern may also be preceded by
684.Ql \&!
685to indicate negation: if the host name matches a negated
686pattern, it is not accepted (by that line) even if it matched another
687pattern on the line.
688A hostname or address may optionally be enclosed within
689.Ql \&[
690and
691.Ql \&]
692brackets then followed by
693.Ql \&:
694and a non-standard port number.
695.Pp
696Alternately, hostnames may be stored in a hashed form which hides host names
697and addresses should the file's contents be disclosed.
698Hashed hostnames start with a
699.Ql |
700character.
701Only one hashed hostname may appear on a single line and none of the above
702negation or wildcard operators may be applied.
703.Pp
704Bits, exponent, and modulus are taken directly from the RSA host key; they
705can be obtained, for example, from
706.Pa /etc/ssh/ssh_host_key.pub .
707The optional comment field continues to the end of the line, and is not used.
708.Pp
709Lines starting with
710.Ql #
711and empty lines are ignored as comments.
712.Pp
713When performing host authentication, authentication is accepted if any
714matching line has the proper key; either one that matches exactly or,
715if the server has presented a certificate for authentication, the key
716of the certification authority that signed the certificate.
717For a key to be trusted as a certification authority, it must use the
718.Dq @cert-authority
719marker described above.
720.Pp
721The known hosts file also provides a facility to mark keys as revoked,
722for example when it is known that the associated private key has been
723stolen.
724Revoked keys are specified by including the
725.Dq @revoked
726marker at the beginning of the key line, and are never accepted for
727authentication or as certification authorities, but instead will
728produce a warning from
729.Xr ssh 1
730when they are encountered.
731.Pp
732It is permissible (but not
733recommended) to have several lines or different host keys for the same
734names.
735This will inevitably happen when short forms of host names
736from different domains are put in the file.
737It is possible
738that the files contain conflicting information; authentication is
739accepted if valid information can be found from either file.
740.Pp
741Note that the lines in these files are typically hundreds of characters
742long, and you definitely don't want to type in the host keys by hand.
743Rather, generate them by a script,
744.Xr ssh-keyscan 1
745or by taking
746.Pa /etc/ssh/ssh_host_key.pub
747and adding the host names at the front.
748.Xr ssh-keygen 1
749also offers some basic automated editing for
750.Pa ~/.ssh/known_hosts
751including removing hosts matching a host name and converting all host
752names to their hashed representations.
753.Pp
754An example ssh_known_hosts file:
755.Bd -literal -offset 3n
756# Comments allowed at start of line
757closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
758cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
759# A hashed hostname
760|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
761AAAA1234.....=
762# A revoked key
763@revoked * ssh-rsa AAAAB5W...
764# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
765@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
766.Ed
767.Sh FILES
768.Bl -tag -width Ds -compact
769.It Pa ~/.hushlogin
770This file is used to suppress printing the last login time and
771.Pa /etc/motd ,
772if
773.Cm PrintLastLog
774and
775.Cm PrintMotd ,
776respectively,
777are enabled.
778It does not suppress printing of the banner specified by
779.Cm Banner .
780.Pp
781.It Pa ~/.rhosts
782This file is used for host-based authentication (see
783.Xr ssh 1
784for more information).
785On some machines this file may need to be
786world-readable if the user's home directory is on an NFS partition,
787because
788.Nm
789reads it as root.
790Additionally, this file must be owned by the user,
791and must not have write permissions for anyone else.
792The recommended
793permission for most machines is read/write for the user, and not
794accessible by others.
795.Pp
796.It Pa ~/.shosts
797This file is used in exactly the same way as
798.Pa .rhosts ,
799but allows host-based authentication without permitting login with
800rlogin/rsh.
801.Pp
802.It Pa ~/.ssh/
803This directory is the default location for all user-specific configuration
804and authentication information.
805There is no general requirement to keep the entire contents of this directory
806secret, but the recommended permissions are read/write/execute for the user,
807and not accessible by others.
808.Pp
809.It Pa ~/.ssh/authorized_keys
810Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in
811as this user.
812The format of this file is described above.
813The content of the file is not highly sensitive, but the recommended
814permissions are read/write for the user, and not accessible by others.
815.Pp
816If this file, the
817.Pa ~/.ssh
818directory, or the user's home directory are writable
819by other users, then the file could be modified or replaced by unauthorized
820users.
821In this case,
822.Nm
823will not allow it to be used unless the
824.Cm StrictModes
825option has been set to
826.Dq no .
827.Pp
828.It Pa ~/.ssh/environment
829This file is read into the environment at login (if it exists).
830It can only contain empty lines, comment lines (that start with
831.Ql # ) ,
832and assignment lines of the form name=value.
833The file should be writable
834only by the user; it need not be readable by anyone else.
835Environment processing is disabled by default and is
836controlled via the
837.Cm PermitUserEnvironment
838option.
839.Pp
840.It Pa ~/.ssh/known_hosts
841Contains a list of host keys for all hosts the user has logged into
842that are not already in the systemwide list of known host keys.
843The format of this file is described above.
844This file should be writable only by root/the owner and
845can, but need not be, world-readable.
846.Pp
847.It Pa ~/.ssh/rc
848Contains initialization routines to be run before
849the user's home directory becomes accessible.
850This file should be writable only by the user, and need not be
851readable by anyone else.
852.Pp
853.It Pa /etc/hosts.allow
854.It Pa /etc/hosts.deny
855Access controls that should be enforced by tcp-wrappers are defined here.
856Further details are described in
857.Xr hosts_access 5 .
858.Pp
859.It Pa /etc/hosts.equiv
860This file is for host-based authentication (see
861.Xr ssh 1 ) .
862It should only be writable by root.
863.Pp
864.It Pa /etc/moduli
865Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
866The file format is described in
867.Xr moduli 5 .
868.Pp
869.It Pa /etc/motd
870See
871.Xr motd 5 .
872.Pp
873.It Pa /etc/nologin
874If this file exists,
875.Nm
876refuses to let anyone except root log in.
877The contents of the file
878are displayed to anyone trying to log in, and non-root connections are
879refused.
880The file should be world-readable.
881.Pp
882.It Pa /etc/shosts.equiv
883This file is used in exactly the same way as
884.Pa hosts.equiv ,
885but allows host-based authentication without permitting login with
886rlogin/rsh.
887.Pp
888.It Pa /etc/ssh/ssh_host_key
889.It Pa /etc/ssh/ssh_host_dsa_key
890.It Pa /etc/ssh/ssh_host_ecdsa_key
891.It Pa /etc/ssh/ssh_host_rsa_key
892These files contain the private parts of the host keys.
893These files should only be owned by root, readable only by root, and not
894accessible to others.
895Note that
896.Nm
897does not start if these files are group/world-accessible.
898.Pp
899.It Pa /etc/ssh/ssh_host_key.pub
900.It Pa /etc/ssh/ssh_host_dsa_key.pub
901.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
902.It Pa /etc/ssh/ssh_host_rsa_key.pub
903These files contain the public parts of the host keys.
904These files should be world-readable but writable only by
905root.
906Their contents should match the respective private parts.
907These files are not
908really used for anything; they are provided for the convenience of
909the user so their contents can be copied to known hosts files.
910These files are created using
911.Xr ssh-keygen 1 .
912.Pp
913.It Pa /etc/ssh/ssh_known_hosts
914Systemwide list of known host keys.
915This file should be prepared by the
916system administrator to contain the public host keys of all machines in the
917organization.
918The format of this file is described above.
919This file should be writable only by root/the owner and
920should be world-readable.
921.Pp
922.It Pa /etc/ssh/sshd_config
923Contains configuration data for
924.Nm sshd .
925The file format and configuration options are described in
926.Xr sshd_config 5 .
927.Pp
928.It Pa /etc/ssh/sshrc
929Similar to
930.Pa ~/.ssh/rc ,
931it can be used to specify
932machine-specific login-time initializations globally.
933This file should be writable only by root, and should be world-readable.
934.Pp
935.It Pa /var/empty
936.Xr chroot 2
937directory used by
938.Nm
939during privilege separation in the pre-authentication phase.
940The directory should not contain any files and must be owned by root
941and not group or world-writable.
942.Pp
943.It Pa /var/run/sshd.pid
944Contains the process ID of the
945.Nm
946listening for connections (if there are several daemons running
947concurrently for different ports, this contains the process ID of the one
948started last).
949The content of this file is not sensitive; it can be world-readable.
950.El
951.Sh SEE ALSO
952.Xr scp 1 ,
953.Xr sftp 1 ,
954.Xr ssh 1 ,
955.Xr ssh-add 1 ,
956.Xr ssh-agent 1 ,
957.Xr ssh-keygen 1 ,
958.Xr ssh-keyscan 1 ,
959.Xr chroot 2 ,
960.Xr hosts_access 5 ,
961.Xr login.conf 5 ,
962.Xr moduli 5 ,
963.Xr sshd_config 5 ,
964.Xr inetd 8 ,
965.Xr sftp-server 8
966.Sh AUTHORS
967OpenSSH is a derivative of the original and free
968ssh 1.2.12 release by Tatu Ylonen.
969Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
970Theo de Raadt and Dug Song
971removed many bugs, re-added newer features and
972created OpenSSH.
973Markus Friedl contributed the support for SSH
974protocol versions 1.5 and 2.0.
975Niels Provos and Markus Friedl contributed support
976for privilege separation.
977.Sh CAVEATS
978System security is not improved unless
979.Nm rshd ,
980.Nm rlogind ,
981and
982.Nm rexecd
983are disabled (thus completely disabling
984.Xr rlogin
985and
986.Xr rsh
987into the machine).
988