xref: /freebsd/crypto/openssh/sshd.8 (revision f374ba41f55c1a127303d92d830dd58eef2f5243)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd.8,v 1.322 2023/01/18 01:50:21 millert Exp $
37.Dd $Mdocdate: January 18 2023 $
38.Dt SSHD 8
39.Os
40.Sh NAME
41.Nm sshd
42.Nd OpenSSH daemon
43.Sh SYNOPSIS
44.Nm sshd
45.Bk -words
46.Op Fl 46DdeiqTtV
47.Op Fl C Ar connection_spec
48.Op Fl c Ar host_certificate_file
49.Op Fl E Ar log_file
50.Op Fl f Ar config_file
51.Op Fl g Ar login_grace_time
52.Op Fl h Ar host_key_file
53.Op Fl o Ar option
54.Op Fl p Ar port
55.Op Fl u Ar len
56.Ek
57.Sh DESCRIPTION
58.Nm
59(OpenSSH Daemon) is the daemon program for
60.Xr ssh 1 .
61It provides secure encrypted communications between two untrusted hosts
62over an insecure network.
63.Pp
64.Nm
65listens for connections from clients.
66It is normally started at boot from
67.Pa /etc/rc.d/sshd .
68It forks a new
69daemon for each incoming connection.
70The forked daemons handle
71key exchange, encryption, authentication, command execution,
72and data exchange.
73.Pp
74.Nm
75can be configured using command-line options or a configuration file
76(by default
77.Xr sshd_config 5 ) ;
78command-line options override values specified in the
79configuration file.
80.Nm
81rereads its configuration file when it receives a hangup signal,
82.Dv SIGHUP ,
83by executing itself with the name and options it was started with, e.g.\&
84.Pa /usr/sbin/sshd .
85.Pp
86The options are as follows:
87.Bl -tag -width Ds
88.It Fl 4
89Forces
90.Nm
91to use IPv4 addresses only.
92.It Fl 6
93Forces
94.Nm
95to use IPv6 addresses only.
96.It Fl C Ar connection_spec
97Specify the connection parameters to use for the
98.Fl T
99extended test mode.
100If provided, any
101.Cm Match
102directives in the configuration file that would apply are applied before the
103configuration is written to standard output.
104The connection parameters are supplied as keyword=value pairs and may be
105supplied in any order, either with multiple
106.Fl C
107options or as a comma-separated list.
108The keywords are
109.Dq addr ,
110.Dq user ,
111.Dq host ,
112.Dq laddr ,
113.Dq lport ,
114and
115.Dq rdomain
116and correspond to source address, user, resolved source host name,
117local address, local port number and routing domain respectively.
118.It Fl c Ar host_certificate_file
119Specifies a path to a certificate file to identify
120.Nm
121during key exchange.
122The certificate file must match a host key file specified using the
123.Fl h
124option or the
125.Cm HostKey
126configuration directive.
127.It Fl D
128When this option is specified,
129.Nm
130will not detach and does not become a daemon.
131This allows easy monitoring of
132.Nm sshd .
133.It Fl d
134Debug mode.
135The server sends verbose debug output to standard error,
136and does not put itself in the background.
137The server also will not
138.Xr fork 2
139and will only process one connection.
140This option is only intended for debugging for the server.
141Multiple
142.Fl d
143options increase the debugging level.
144Maximum is 3.
145.It Fl E Ar log_file
146Append debug logs to
147.Ar log_file
148instead of the system log.
149.It Fl e
150Write debug logs to standard error instead of the system log.
151.It Fl f Ar config_file
152Specifies the name of the configuration file.
153The default is
154.Pa /etc/ssh/sshd_config .
155.Nm
156refuses to start if there is no configuration file.
157.It Fl g Ar login_grace_time
158Gives the grace time for clients to authenticate themselves (default
159120 seconds).
160If the client fails to authenticate the user within
161this many seconds, the server disconnects and exits.
162A value of zero indicates no limit.
163.It Fl h Ar host_key_file
164Specifies a file from which a host key is read.
165This option must be given if
166.Nm
167is not run as root (as the normal
168host key files are normally not readable by anyone but root).
169The default is
170.Pa /etc/ssh/ssh_host_ecdsa_key ,
171.Pa /etc/ssh/ssh_host_ed25519_key
172and
173.Pa /etc/ssh/ssh_host_rsa_key .
174It is possible to have multiple host key files for
175the different host key algorithms.
176.It Fl i
177Specifies that
178.Nm
179is being run from
180.Xr inetd 8 .
181.It Fl o Ar option
182Can be used to give options in the format used in the configuration file.
183This is useful for specifying options for which there is no separate
184command-line flag.
185For full details of the options, and their values, see
186.Xr sshd_config 5 .
187.It Fl p Ar port
188Specifies the port on which the server listens for connections
189(default 22).
190Multiple port options are permitted.
191Ports specified in the configuration file with the
192.Cm Port
193option are ignored when a command-line port is specified.
194Ports specified using the
195.Cm ListenAddress
196option override command-line ports.
197.It Fl q
198Quiet mode.
199Nothing is sent to the system log.
200Normally the beginning,
201authentication, and termination of each connection is logged.
202.It Fl T
203Extended test mode.
204Check the validity of the configuration file, output the effective configuration
205to stdout and then exit.
206Optionally,
207.Cm Match
208rules may be applied by specifying the connection parameters using one or more
209.Fl C
210options.
211.It Fl t
212Test mode.
213Only check the validity of the configuration file and sanity of the keys.
214This is useful for updating
215.Nm
216reliably as configuration options may change.
217.It Fl u Ar len
218This option is used to specify the size of the field
219in the
220.Vt utmp
221structure that holds the remote host name.
222If the resolved host name is longer than
223.Ar len ,
224the dotted decimal value will be used instead.
225This allows hosts with very long host names that
226overflow this field to still be uniquely identified.
227Specifying
228.Fl u0
229indicates that only dotted decimal addresses
230should be put into the
231.Pa utmp
232file.
233.Fl u0
234may also be used to prevent
235.Nm
236from making DNS requests unless the authentication
237mechanism or configuration requires it.
238Authentication mechanisms that may require DNS include
239.Cm HostbasedAuthentication
240and using a
241.Cm from="pattern-list"
242option in a key file.
243Configuration options that require DNS include using a
244USER@HOST pattern in
245.Cm AllowUsers
246or
247.Cm DenyUsers .
248.It Fl V
249Display the version number and exit.
250.El
251.Sh AUTHENTICATION
252The OpenSSH SSH daemon supports SSH protocol 2 only.
253Each host has a host-specific key,
254used to identify the host.
255Whenever a client connects, the daemon responds with its public
256host key.
257The client compares the
258host key against its own database to verify that it has not changed.
259Forward secrecy is provided through a Diffie-Hellman key agreement.
260This key agreement results in a shared session key.
261The rest of the session is encrypted using a symmetric cipher.
262The client selects the encryption algorithm
263to use from those offered by the server.
264Additionally, session integrity is provided
265through a cryptographic message authentication code (MAC).
266.Pp
267Finally, the server and the client enter an authentication dialog.
268The client tries to authenticate itself using
269host-based authentication,
270public key authentication,
271challenge-response authentication,
272or password authentication.
273.Pp
274Regardless of the authentication type, the account is checked to
275ensure that it is accessible.  An account is not accessible if it is
276locked, listed in
277.Cm DenyUsers
278or its group is listed in
279.Cm DenyGroups
280\&.  The definition of a locked account is system dependent. Some platforms
281have their own account database (eg AIX) and some modify the passwd field (
282.Ql \&*LK\&*
283on Solaris and UnixWare,
284.Ql \&*
285on HP-UX, containing
286.Ql Nologin
287on Tru64,
288a leading
289.Ql \&*LOCKED\&*
290on FreeBSD and a leading
291.Ql \&!
292on most Linuxes).
293If there is a requirement to disable password authentication
294for the account while allowing still public-key, then the passwd field
295should be set to something other than these values (eg
296.Ql NP
297or
298.Ql \&*NP\&*
299).
300.Pp
301If the client successfully authenticates itself, a dialog for
302preparing the session is entered.
303At this time the client may request
304things like allocating a pseudo-tty, forwarding X11 connections,
305forwarding TCP connections, or forwarding the authentication agent
306connection over the secure channel.
307.Pp
308After this, the client either requests an interactive shell or execution
309or a non-interactive command, which
310.Nm
311will execute via the user's shell using its
312.Fl c
313option.
314The sides then enter session mode.
315In this mode, either side may send
316data at any time, and such data is forwarded to/from the shell or
317command on the server side, and the user terminal in the client side.
318.Pp
319When the user program terminates and all forwarded X11 and other
320connections have been closed, the server sends command exit status to
321the client, and both sides exit.
322.Sh LOGIN PROCESS
323When a user successfully logs in,
324.Nm
325does the following:
326.Bl -enum -offset indent
327.It
328If the login is on a tty, and no command has been specified,
329prints last login time and
330.Pa /etc/motd
331(unless prevented in the configuration file or by
332.Pa ~/.hushlogin ;
333see the
334.Sx FILES
335section).
336.It
337If the login is on a tty, records login time.
338.It
339Checks
340.Pa /etc/nologin and
341.Pa /var/run/nologin ;
342if one exists, it prints the contents and quits
343(unless root).
344.It
345Changes to run with normal user privileges.
346.It
347Sets up basic environment.
348.It
349Reads the file
350.Pa ~/.ssh/environment ,
351if it exists, and users are allowed to change their environment.
352See the
353.Cm PermitUserEnvironment
354option in
355.Xr sshd_config 5 .
356.It
357Changes to user's home directory.
358.It
359If
360.Pa ~/.ssh/rc
361exists and the
362.Xr sshd_config 5
363.Cm PermitUserRC
364option is set, runs it; else if
365.Pa /etc/ssh/sshrc
366exists, runs
367it; otherwise runs
368.Xr xauth 1 .
369The
370.Dq rc
371files are given the X11
372authentication protocol and cookie in standard input.
373See
374.Sx SSHRC ,
375below.
376.It
377Runs user's shell or command.
378All commands are run under the user's login shell as specified in the
379system password database.
380.El
381.Sh SSHRC
382If the file
383.Pa ~/.ssh/rc
384exists,
385.Xr sh 1
386runs it after reading the
387environment files but before starting the user's shell or command.
388It must not produce any output on stdout; stderr must be used
389instead.
390If X11 forwarding is in use, it will receive the "proto cookie" pair in
391its standard input (and
392.Ev DISPLAY
393in its environment).
394The script must call
395.Xr xauth 1
396because
397.Nm
398will not run xauth automatically to add X11 cookies.
399.Pp
400The primary purpose of this file is to run any initialization routines
401which may be needed before the user's home directory becomes
402accessible; AFS is a particular example of such an environment.
403.Pp
404This file will probably contain some initialization code followed by
405something similar to:
406.Bd -literal -offset 3n
407if read proto cookie && [ -n "$DISPLAY" ]; then
408	if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
409		# X11UseLocalhost=yes
410		echo add unix:`echo $DISPLAY |
411		    cut -c11-` $proto $cookie
412	else
413		# X11UseLocalhost=no
414		echo add $DISPLAY $proto $cookie
415	fi | xauth -q -
416fi
417.Ed
418.Pp
419If this file does not exist,
420.Pa /etc/ssh/sshrc
421is run, and if that
422does not exist either, xauth is used to add the cookie.
423.Sh AUTHORIZED_KEYS FILE FORMAT
424.Cm AuthorizedKeysFile
425specifies the files containing public keys for
426public key authentication;
427if this option is not specified, the default is
428.Pa ~/.ssh/authorized_keys
429and
430.Pa ~/.ssh/authorized_keys2 .
431Each line of the file contains one
432key (empty lines and lines starting with a
433.Ql #
434are ignored as
435comments).
436Public keys consist of the following space-separated fields:
437options, keytype, base64-encoded key, comment.
438The options field is optional.
439The supported key types are:
440.Pp
441.Bl -item -compact -offset indent
442.It
443sk-ecdsa-sha2-nistp256@openssh.com
444.It
445ecdsa-sha2-nistp256
446.It
447ecdsa-sha2-nistp384
448.It
449ecdsa-sha2-nistp521
450.It
451sk-ssh-ed25519@openssh.com
452.It
453ssh-ed25519
454.It
455ssh-dss
456.It
457ssh-rsa
458.El
459.Pp
460The comment field is not used for anything (but may be convenient for the
461user to identify the key).
462.Pp
463Note that lines in this file can be several hundred bytes long
464(because of the size of the public key encoding) up to a limit of
4658 kilobytes, which permits RSA keys up to 16 kilobits.
466You don't want to type them in; instead, copy the
467.Pa id_dsa.pub ,
468.Pa id_ecdsa.pub ,
469.Pa id_ecdsa_sk.pub ,
470.Pa id_ed25519.pub ,
471.Pa id_ed25519_sk.pub ,
472or the
473.Pa id_rsa.pub
474file and edit it.
475.Pp
476.Nm
477enforces a minimum RSA key modulus size of 1024 bits.
478.Pp
479The options (if present) consist of comma-separated option
480specifications.
481No spaces are permitted, except within double quotes.
482The following option specifications are supported (note
483that option keywords are case-insensitive):
484.Bl -tag -width Ds
485.It Cm agent-forwarding
486Enable authentication agent forwarding previously disabled by the
487.Cm restrict
488option.
489.It Cm cert-authority
490Specifies that the listed key is a certification authority (CA) that is
491trusted to validate signed certificates for user authentication.
492.Pp
493Certificates may encode access restrictions similar to these key options.
494If both certificate restrictions and key options are present, the most
495restrictive union of the two is applied.
496.It Cm command="command"
497Specifies that the command is executed whenever this key is used for
498authentication.
499The command supplied by the user (if any) is ignored.
500The command is run on a pty if the client requests a pty;
501otherwise it is run without a tty.
502If an 8-bit clean channel is required,
503one must not request a pty or should specify
504.Cm no-pty .
505A quote may be included in the command by quoting it with a backslash.
506.Pp
507This option might be useful
508to restrict certain public keys to perform just a specific operation.
509An example might be a key that permits remote backups but nothing else.
510Note that the client may specify TCP and/or X11
511forwarding unless they are explicitly prohibited, e.g. using the
512.Cm restrict
513key option.
514.Pp
515The command originally supplied by the client is available in the
516.Ev SSH_ORIGINAL_COMMAND
517environment variable.
518Note that this option applies to shell, command or subsystem execution.
519Also note that this command may be superseded by a
520.Xr sshd_config 5
521.Cm ForceCommand
522directive.
523.Pp
524If a command is specified and a forced-command is embedded in a certificate
525used for authentication, then the certificate will be accepted only if the
526two commands are identical.
527.It Cm environment="NAME=value"
528Specifies that the string is to be added to the environment when
529logging in using this key.
530Environment variables set this way
531override other default environment values.
532Multiple options of this type are permitted.
533Environment processing is disabled by default and is
534controlled via the
535.Cm PermitUserEnvironment
536option.
537.It Cm expiry-time="timespec"
538Specifies a time after which the key will not be accepted.
539The time may be specified as a YYYYMMDD[Z] date or a YYYYMMDDHHMM[SS][Z] time.
540Dates and times will be interpreted in the system time zone unless suffixed
541by a Z character, in which case they will be interpreted in the UTC time zone.
542.It Cm from="pattern-list"
543Specifies that in addition to public key authentication, either the canonical
544name of the remote host or its IP address must be present in the
545comma-separated list of patterns.
546See PATTERNS in
547.Xr ssh_config 5
548for more information on patterns.
549.Pp
550In addition to the wildcard matching that may be applied to hostnames or
551addresses, a
552.Cm from
553stanza may match IP addresses using CIDR address/masklen notation.
554.Pp
555The purpose of this option is to optionally increase security: public key
556authentication by itself does not trust the network or name servers or
557anything (but the key); however, if somebody somehow steals the key, the key
558permits an intruder to log in from anywhere in the world.
559This additional option makes using a stolen key more difficult (name
560servers and/or routers would have to be compromised in addition to
561just the key).
562.It Cm no-agent-forwarding
563Forbids authentication agent forwarding when this key is used for
564authentication.
565.It Cm no-port-forwarding
566Forbids TCP forwarding when this key is used for authentication.
567Any port forward requests by the client will return an error.
568This might be used, e.g. in connection with the
569.Cm command
570option.
571.It Cm no-pty
572Prevents tty allocation (a request to allocate a pty will fail).
573.It Cm no-user-rc
574Disables execution of
575.Pa ~/.ssh/rc .
576.It Cm no-X11-forwarding
577Forbids X11 forwarding when this key is used for authentication.
578Any X11 forward requests by the client will return an error.
579.It Cm permitlisten="[host:]port"
580Limit remote port forwarding with the
581.Xr ssh 1
582.Fl R
583option such that it may only listen on the specified host (optional) and port.
584IPv6 addresses can be specified by enclosing the address in square brackets.
585Multiple
586.Cm permitlisten
587options may be applied separated by commas.
588Hostnames may include wildcards as described in the PATTERNS section in
589.Xr ssh_config 5 .
590A port specification of
591.Cm *
592matches any port.
593Note that the setting of
594.Cm GatewayPorts
595may further restrict listen addresses.
596Note that
597.Xr ssh 1
598will send a hostname of
599.Dq localhost
600if a listen host was not specified when the forwarding was requested, and
601that this name is treated differently to the explicit localhost addresses
602.Dq 127.0.0.1
603and
604.Dq ::1 .
605.It Cm permitopen="host:port"
606Limit local port forwarding with the
607.Xr ssh 1
608.Fl L
609option such that it may only connect to the specified host and port.
610IPv6 addresses can be specified by enclosing the address in square brackets.
611Multiple
612.Cm permitopen
613options may be applied separated by commas.
614No pattern matching or name lookup is performed on the
615specified hostnames, they must be literal host names and/or addresses.
616A port specification of
617.Cm *
618matches any port.
619.It Cm port-forwarding
620Enable port forwarding previously disabled by the
621.Cm restrict
622option.
623.It Cm principals="principals"
624On a
625.Cm cert-authority
626line, specifies allowed principals for certificate authentication as a
627comma-separated list.
628At least one name from the list must appear in the certificate's
629list of principals for the certificate to be accepted.
630This option is ignored for keys that are not marked as trusted certificate
631signers using the
632.Cm cert-authority
633option.
634.It Cm pty
635Permits tty allocation previously disabled by the
636.Cm restrict
637option.
638.It Cm no-touch-required
639Do not require demonstration of user presence
640for signatures made using this key.
641This option only makes sense for the FIDO authenticator algorithms
642.Cm ecdsa-sk
643and
644.Cm ed25519-sk .
645.It Cm verify-required
646Require that signatures made using this key attest that they verified
647the user, e.g. via a PIN.
648This option only makes sense for the FIDO authenticator algorithms
649.Cm ecdsa-sk
650and
651.Cm ed25519-sk .
652.It Cm restrict
653Enable all restrictions, i.e. disable port, agent and X11 forwarding,
654as well as disabling PTY allocation
655and execution of
656.Pa ~/.ssh/rc .
657If any future restriction capabilities are added to authorized_keys files,
658they will be included in this set.
659.It Cm tunnel="n"
660Force a
661.Xr tun 4
662device on the server.
663Without this option, the next available device will be used if
664the client requests a tunnel.
665.It Cm user-rc
666Enables execution of
667.Pa ~/.ssh/rc
668previously disabled by the
669.Cm restrict
670option.
671.It Cm X11-forwarding
672Permits X11 forwarding previously disabled by the
673.Cm restrict
674option.
675.El
676.Pp
677An example authorized_keys file:
678.Bd -literal -offset 3n
679# Comments are allowed at start of line. Blank lines are allowed.
680# Plain key, no restrictions
681ssh-rsa ...
682# Forced command, disable PTY and all forwarding
683restrict,command="dump /home" ssh-rsa ...
684# Restriction of ssh -L forwarding destinations
685permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ...
686# Restriction of ssh -R forwarding listeners
687permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ...
688# Configuration for tunnel forwarding
689tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ...
690# Override of restriction to allow PTY allocation
691restrict,pty,command="nethack" ssh-rsa ...
692# Allow FIDO key without requiring touch
693no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ...
694# Require user-verification (e.g. PIN or biometric) for FIDO key
695verify-required sk-ecdsa-sha2-nistp256@openssh.com ...
696# Trust CA key, allow touch-less FIDO if requested in certificate
697cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
698.Ed
699.Sh SSH_KNOWN_HOSTS FILE FORMAT
700The
701.Pa /etc/ssh/ssh_known_hosts
702and
703.Pa ~/.ssh/known_hosts
704files contain host public keys for all known hosts.
705The global file should
706be prepared by the administrator (optional), and the per-user file is
707maintained automatically: whenever the user connects to an unknown host,
708its key is added to the per-user file.
709.Pp
710Each line in these files contains the following fields: marker (optional),
711hostnames, keytype, base64-encoded key, comment.
712The fields are separated by spaces.
713.Pp
714The marker is optional, but if it is present then it must be one of
715.Dq @cert-authority ,
716to indicate that the line contains a certification authority (CA) key,
717or
718.Dq @revoked ,
719to indicate that the key contained on the line is revoked and must not ever
720be accepted.
721Only one marker should be used on a key line.
722.Pp
723Hostnames is a comma-separated list of patterns
724.Pf ( Ql *
725and
726.Ql \&?
727act as
728wildcards); each pattern in turn is matched against the host name.
729When
730.Nm sshd
731is authenticating a client, such as when using
732.Cm HostbasedAuthentication ,
733this will be the canonical client host name.
734When
735.Xr ssh 1
736is authenticating a server, this will be the host name
737given by the user, the value of the
738.Xr ssh 1
739.Cm HostkeyAlias
740if it was specified, or the canonical server hostname if the
741.Xr ssh 1
742.Cm CanonicalizeHostname
743option was used.
744.Pp
745A pattern may also be preceded by
746.Ql \&!
747to indicate negation: if the host name matches a negated
748pattern, it is not accepted (by that line) even if it matched another
749pattern on the line.
750A hostname or address may optionally be enclosed within
751.Ql \&[
752and
753.Ql \&]
754brackets then followed by
755.Ql \&:
756and a non-standard port number.
757.Pp
758Alternately, hostnames may be stored in a hashed form which hides host names
759and addresses should the file's contents be disclosed.
760Hashed hostnames start with a
761.Ql |
762character.
763Only one hashed hostname may appear on a single line and none of the above
764negation or wildcard operators may be applied.
765.Pp
766The keytype and base64-encoded key are taken directly from the host key; they
767can be obtained, for example, from
768.Pa /etc/ssh/ssh_host_rsa_key.pub .
769The optional comment field continues to the end of the line, and is not used.
770.Pp
771Lines starting with
772.Ql #
773and empty lines are ignored as comments.
774.Pp
775When performing host authentication, authentication is accepted if any
776matching line has the proper key; either one that matches exactly or,
777if the server has presented a certificate for authentication, the key
778of the certification authority that signed the certificate.
779For a key to be trusted as a certification authority, it must use the
780.Dq @cert-authority
781marker described above.
782.Pp
783The known hosts file also provides a facility to mark keys as revoked,
784for example when it is known that the associated private key has been
785stolen.
786Revoked keys are specified by including the
787.Dq @revoked
788marker at the beginning of the key line, and are never accepted for
789authentication or as certification authorities, but instead will
790produce a warning from
791.Xr ssh 1
792when they are encountered.
793.Pp
794It is permissible (but not
795recommended) to have several lines or different host keys for the same
796names.
797This will inevitably happen when short forms of host names
798from different domains are put in the file.
799It is possible
800that the files contain conflicting information; authentication is
801accepted if valid information can be found from either file.
802.Pp
803Note that the lines in these files are typically hundreds of characters
804long, and you definitely don't want to type in the host keys by hand.
805Rather, generate them by a script,
806.Xr ssh-keyscan 1
807or by taking, for example,
808.Pa /etc/ssh/ssh_host_rsa_key.pub
809and adding the host names at the front.
810.Xr ssh-keygen 1
811also offers some basic automated editing for
812.Pa ~/.ssh/known_hosts
813including removing hosts matching a host name and converting all host
814names to their hashed representations.
815.Pp
816An example ssh_known_hosts file:
817.Bd -literal -offset 3n
818# Comments allowed at start of line
819cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
820# A hashed hostname
821|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
822AAAA1234.....=
823# A revoked key
824@revoked * ssh-rsa AAAAB5W...
825# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
826@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
827.Ed
828.Sh FILES
829.Bl -tag -width Ds -compact
830.It Pa ~/.hushlogin
831This file is used to suppress printing the last login time and
832.Pa /etc/motd ,
833if
834.Cm PrintLastLog
835and
836.Cm PrintMotd ,
837respectively,
838are enabled.
839It does not suppress printing of the banner specified by
840.Cm Banner .
841.Pp
842.It Pa ~/.rhosts
843This file is used for host-based authentication (see
844.Xr ssh 1
845for more information).
846On some machines this file may need to be
847world-readable if the user's home directory is on an NFS partition,
848because
849.Nm
850reads it as root.
851Additionally, this file must be owned by the user,
852and must not have write permissions for anyone else.
853The recommended
854permission for most machines is read/write for the user, and not
855accessible by others.
856.Pp
857.It Pa ~/.shosts
858This file is used in exactly the same way as
859.Pa .rhosts ,
860but allows host-based authentication without permitting login with
861rlogin/rsh.
862.Pp
863.It Pa ~/.ssh/
864This directory is the default location for all user-specific configuration
865and authentication information.
866There is no general requirement to keep the entire contents of this directory
867secret, but the recommended permissions are read/write/execute for the user,
868and not accessible by others.
869.Pp
870.It Pa ~/.ssh/authorized_keys
871Lists the public keys (DSA, ECDSA, Ed25519, RSA)
872that can be used for logging in as this user.
873The format of this file is described above.
874The content of the file is not highly sensitive, but the recommended
875permissions are read/write for the user, and not accessible by others.
876.Pp
877If this file, the
878.Pa ~/.ssh
879directory, or the user's home directory are writable
880by other users, then the file could be modified or replaced by unauthorized
881users.
882In this case,
883.Nm
884will not allow it to be used unless the
885.Cm StrictModes
886option has been set to
887.Dq no .
888.Pp
889.It Pa ~/.ssh/environment
890This file is read into the environment at login (if it exists).
891It can only contain empty lines, comment lines (that start with
892.Ql # ) ,
893and assignment lines of the form name=value.
894The file should be writable
895only by the user; it need not be readable by anyone else.
896Environment processing is disabled by default and is
897controlled via the
898.Cm PermitUserEnvironment
899option.
900.Pp
901.It Pa ~/.ssh/known_hosts
902Contains a list of host keys for all hosts the user has logged into
903that are not already in the systemwide list of known host keys.
904The format of this file is described above.
905This file should be writable only by root/the owner and
906can, but need not be, world-readable.
907.Pp
908.It Pa ~/.ssh/rc
909Contains initialization routines to be run before
910the user's home directory becomes accessible.
911This file should be writable only by the user, and need not be
912readable by anyone else.
913.Pp
914.It Pa /etc/hosts.allow
915.It Pa /etc/hosts.deny
916Access controls that should be enforced by tcp-wrappers are defined here.
917Further details are described in
918.Xr hosts_access 5 .
919.Pp
920.It Pa /etc/hosts.equiv
921This file is for host-based authentication (see
922.Xr ssh 1 ) .
923It should only be writable by root.
924.Pp
925.It Pa /etc/moduli
926Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
927key exchange method.
928The file format is described in
929.Xr moduli 5 .
930If no usable groups are found in this file then fixed internal groups will
931be used.
932.Pp
933.It Pa /etc/motd
934See
935.Xr motd 5 .
936.Pp
937.It Pa /etc/nologin
938If this file exists,
939.Nm
940refuses to let anyone except root log in.
941The contents of the file
942are displayed to anyone trying to log in, and non-root connections are
943refused.
944The file should be world-readable.
945.Pp
946.It Pa /etc/shosts.equiv
947This file is used in exactly the same way as
948.Pa hosts.equiv ,
949but allows host-based authentication without permitting login with
950rlogin/rsh.
951.Pp
952.It Pa /etc/ssh/ssh_host_ecdsa_key
953.It Pa /etc/ssh/ssh_host_ed25519_key
954.It Pa /etc/ssh/ssh_host_rsa_key
955These files contain the private parts of the host keys.
956These files should only be owned by root, readable only by root, and not
957accessible to others.
958Note that
959.Nm
960does not start if these files are group/world-accessible.
961.Pp
962.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
963.It Pa /etc/ssh/ssh_host_ed25519_key.pub
964.It Pa /etc/ssh/ssh_host_rsa_key.pub
965These files contain the public parts of the host keys.
966These files should be world-readable but writable only by
967root.
968Their contents should match the respective private parts.
969These files are not
970really used for anything; they are provided for the convenience of
971the user so their contents can be copied to known hosts files.
972These files are created using
973.Xr ssh-keygen 1 .
974.Pp
975.It Pa /etc/ssh/ssh_known_hosts
976Systemwide list of known host keys.
977This file should be prepared by the
978system administrator to contain the public host keys of all machines in the
979organization.
980The format of this file is described above.
981This file should be writable only by root/the owner and
982should be world-readable.
983.Pp
984.It Pa /etc/ssh/sshd_config
985Contains configuration data for
986.Nm sshd .
987The file format and configuration options are described in
988.Xr sshd_config 5 .
989.Pp
990.It Pa /etc/ssh/sshrc
991Similar to
992.Pa ~/.ssh/rc ,
993it can be used to specify
994machine-specific login-time initializations globally.
995This file should be writable only by root, and should be world-readable.
996.Pp
997.It Pa /var/empty
998.Xr chroot 2
999directory used by
1000.Nm
1001during privilege separation in the pre-authentication phase.
1002The directory should not contain any files and must be owned by root
1003and not group or world-writable.
1004.Pp
1005.It Pa /var/run/sshd.pid
1006Contains the process ID of the
1007.Nm
1008listening for connections (if there are several daemons running
1009concurrently for different ports, this contains the process ID of the one
1010started last).
1011The content of this file is not sensitive; it can be world-readable.
1012.El
1013.Sh SEE ALSO
1014.Xr scp 1 ,
1015.Xr sftp 1 ,
1016.Xr ssh 1 ,
1017.Xr ssh-add 1 ,
1018.Xr ssh-agent 1 ,
1019.Xr ssh-keygen 1 ,
1020.Xr ssh-keyscan 1 ,
1021.Xr chroot 2 ,
1022.Xr hosts_access 5 ,
1023.Xr login.conf 5 ,
1024.Xr moduli 5 ,
1025.Xr sshd_config 5 ,
1026.Xr inetd 8 ,
1027.Xr sftp-server 8
1028.Sh AUTHORS
1029OpenSSH is a derivative of the original and free
1030ssh 1.2.12 release by Tatu Ylonen.
1031Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1032Theo de Raadt and Dug Song
1033removed many bugs, re-added newer features and
1034created OpenSSH.
1035Markus Friedl contributed the support for SSH
1036protocol versions 1.5 and 2.0.
1037Niels Provos and Markus Friedl contributed support
1038for privilege separation.
1039