source: trunk/third/ssh/sshd.8.in @ 12646

Revision 12646, 36.2 KB checked in by danw, 26 years ago
This commit was generated by cvs2svn to compensate for changes in r12645, which included commits to RCS files with non-trunk default branches.
.\"  -*- nroff -*-
.\"
.\" sshd.8.in
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
.\" $Id: sshd.8.in,v 1.1.1.4 1999-03-08 17:43:00 danw Exp $
.\" $Log: not supported by cvs2svn $
.\" Revision 1.21  1998/07/08 00:41:22  kivinen
.\"     Changed to do similar commercial #ifdef processing to other
.\"     files.
.\"
.\" Revision 1.20  1998/06/11 00:11:47  kivinen
.\"     Documented Allow/DenyUsers user@host format.
.\"
.\" Revision 1.19  1998/05/23  20:38:47  kivinen
.\"     Documented AccountExpireWarningDays, AllowSHosts, DenySHosts,
.\"     ForcedEmptyPasswdChange, ForcedPasswdChange, and
.\"     PasswordExpireWarningDays options.
.\"
.\" Revision 1.18  1998/05/04  13:37:32  kivinen
.\"     Fixed layout of authorized key options.
.\"
.\" Revision 1.17  1998/04/30 03:58:29  kivinen
.\"     Documented -V option.
.\"
.\" Revision 1.16  1998/03/27 17:05:18  kivinen
.\"     Documented IgnoreRootRhosts option.
.\"
.\" Revision 1.15  1998/01/03 06:42:24  kivinen
.\"     Added allow/deny groups option documentation.
.\"
.\" Revision 1.14  1998/01/02 06:37:48  kivinen
.\"     Sorted options. Added CheckMail and XAuthLocation options.
.\"     Added {Allow,Deny}Forwarding{Port,To} options to
.\"     authorized_keys file. Added SSH WITH TCP WRAPPERS section.
.\"
.\" Revision 1.13  1997/06/04 13:53:07  kivinen
.\"     Added .TP before DenyUsers.
.\"
.\" Revision 1.12  1997/05/13 22:30:47  kivinen
.\"     Fixed default value of AllowTcpForwarding.
.\"
.\" Revision 1.11  1997/05/08 03:06:01  kivinen
.\"     Added \ before all '-characters (it is troff command if it is
.\"     in the beginning of line).
.\"
.\" Revision 1.10  1997/04/27 21:50:16  kivinen
.\"     Added F-SECURE stuff. Added {Allow,Deny}Forwarding{To,Port}
.\"     documentation, added {Allow,Deny}Users documentation from
.\"     Steve Kann <stevek@SteveK.COM>.
.\"
.\" Revision 1.9  1997/03/27 03:16:41  kivinen
.\"     Added kerberos patches from Glenn Machin.
.\"     Added USELOGIN patches from Brian Cully.
.\"
.\" Revision 1.8  1997/03/26 05:29:08  kivinen
.\"     Documented IdleTimeout option and idle-timeout setting in
.\"     authorized_keys.
.\"
.\" Revision 1.7  1997/03/25 05:43:18  kivinen
.\"     Updated. Changed ylo's email to @ssh.fi.
.\"
.\" Revision 1.6  1997/03/19 17:45:53  kivinen
.\"     Added TIS authentication code from Andre April
.\"     <Andre.April@cediti.be>.
.\"
.\" Revision 1.5  1996/11/27 15:45:38  ttsalo
.\"     Added X11DisplayOffset-option
.\"
.\" Revision 1.4  1996/11/12 15:56:19  ttsalo
.\"       Fixed a typo
.\"
.\" Revision 1.3  1996/10/29 22:47:36  kivinen
.\"     Documented ListenAddress.
.\"
.\" Revision 1.2  1996/08/13 00:25:15  ylo
.\"     Documented that $HOME/.ssh/rc is run with user's shell,
.\"     /etc/sshrc with /bin/sh.
.\"
.\" Revision 1.1.1.1  1996/02/18 21:38:13  ylo
.\"     Imported ssh-1.2.13.
.\"
.\" Revision 1.10  1995/10/02  01:31:37  ylo
.\"     Make substitutions in configure.
.\"
.\" Revision 1.9  1995/09/27  02:17:12  ylo
.\"     Added a section on what happens at login.
.\"     Other additions.
.\"
.\" Revision 1.8  1995/09/22  22:21:36  ylo
.\"     Added username and netgroups for hosts.equiv and rhosts.
.\"
.\" Revision 1.7  1995/09/21  17:14:38  ylo
.\"     Added /etc/environment and IgnoreRhosts.  Other minor fixes.
.\"
.\" Revision 1.6  1995/08/31  09:24:31  ylo
.\"     Minor cleanup.
.\"
.\" Revision 1.5  1995/08/29  22:31:25  ylo
.\"     Improved manual pages from Andrew Macpherson.
.\"
.\" Revision 1.4  1995/08/21  23:29:52  ylo
.\"     Added documentation for the configuration file.
.\"
.\" Revision 1.3  1995/08/18  22:57:27  ylo
.\"     Removed obsolete XXX stuff.
.\"
.\" Revision 1.2  1995/07/13  01:36:06  ylo
.\"     Removed "Last modified" header.
.\"     Added cvs log.
.\"
.\" $Endlog$
.\"
.\"
.\"
.\"
.\" #ifndef F_SECURE_COMMERCIAL
.TH SSHD 8 "November 8, 1995" "SSH" "SSH"
.\" #endif F_SECURE_COMMERCIAL

.SH NAME
sshd \- secure shell daemon

.SH SYNOPSIS
.na
.B sshd
[\c
.BI \-b \ bits\fR\c
]
[\c
.B \-d \c
]
[\c
.BI \-f \ config_file\fR\c
]
[\c
.BI \-g \ login_grace_time\fR\c
]
[\c
.BI \-h \ host_key_file\fR\c
]
[\c
.B \-i \c
]
[\c
.BI \-k \ key_gen_time\fR\c
]
[\c
.BI \-p \ port\fR\c
]
[\c
.B \-q \c
]
[\c
.BI \-V \ version\fR\c
]
.ad


.SH DESCRIPTION
.LP
.B Sshd
(Secure Shell Daemon) is the daemon program for
.BR ssh ".
Together these programs replace the rlogin and rsh programs, and
provide secure encrypted communications between two untrusted hosts
over an insecure network.  The programs are intended to be as easy to
install and use as possible.
.LP
.B Sshd
is the daemon that listens for connections from clients.  It is
normally started at boot from
.I /etc/rc.local
or equivalent.  It forks a new
daemon for each incoming connection.  The forked daemons handle
key exchange, encryption, authentication, command execution,
and data exchange.
.LP
Sshd works as follows.  Each host has a host-specific RSA key
(normally 1024 bits) used to identify the host.  Additionally, when
the daemon starts, it generates a server RSA key (normally 768 bits).
This key is normally regenerated every hour if it has been used, and
is never stored on disk.
.LP
Whenever a client connects to the daemon, the daemon sends its host
and server public keys to the client.  The client compares the
host key against its own database to verify that it has not changed.
The client then generates a 256 bit random number.  It encrypts this
random number using both the host key and the server key, and sends
the encrypted number to the server.  Both sides then start to use this
random number as a session key which is used to encrypt all further
communications in the session.  The rest of the session is encrypted
using a conventional cipher.  Currently,
.BR \s-1IDEA\s0 ",
.BR \s-1DES\s0 ",
.BR \s-1\&3DES\s0 ",
.BR \s-1ARCFOUR\s0 ", and
.B \s-1TSS\s0
(a fast home-grown algorithm) are supported.
.B \s-1IDEA\s0
is used by default.  The client selects the encryption algorithm to use
from those offered by the server.
.LP
Next, the server and the client enter an authentication dialog.  The
client tries to authenticate itself using \|\s+2.\s0rhosts
authentication, \|\s+2.\s0rhosts authentication combined with RSA host
authentication, RSA challenge-response authentication, TIS
challenge-response authentication, or password-based authentication.
.LP
Rhosts authentication is normally disabled
because it is fundamentally insecure, but can be enabled in the server
configuration file if desired.  System security is not improved unless
.BR rshd "(8),
.BR rlogind "(8),
.BR rexecd "(8), and
.BR rexd (8)
are disabled (thus completely disabling
.BR rlogin (1)
and
.BR rsh (1)
into that machine).
.LP
If the client successfully authenticates itself, a dialog for
preparing the session is entered.  At this time the client may request
things like allocating a pseudo-tty, forwarding X11 connections,
forwarding TCP/IP connections, or forwarding the authentication agent
connection over the secure channel.
.LP
Finally, the client either requests a shell or execution of a command.
The sides then enter session mode.  In this mode, either side may send
data at any time, and such data is forwarded to/from the shell or
command on the server side, and the user terminal on the client side.
.LP
When the user program terminates and all forwarded X11 and other
connections have been closed, the server sends the command exit status to
the client, and both sides exit.
.LP
.B Sshd
can be configured using command-line options or a configuration
file.  Command-line options override values specified in the
configuration file.
.LP
.B Sshd
rereads its configuration file if it is sent the hangup
signal, SIGHUP.

.SH OPTIONS
.TP
.BI \-b \ bits
Specifies the number of bits in the server key (default 768).
.TP
.B \-d
Debug mode.  The server sends verbose debug output to the system
log, and does not put itself in the background.  The server also will
not fork and will only process one connection.  This option is only
intended for debugging the server.
.TP
.BI \-f \ configuration_file
Specifies the name of the configuration file.  The default is
.IR @ETCDIR@/sshd_config ".
.TP
.BI \-g \ login_grace_time
Gives the grace time for clients to authenticate themselves (default
600 seconds).  If the client fails to authenticate the user within
this many seconds, the server disconnects and exits.  A value of zero
indicates no limit.
.TP
.BI \-h \ host_key_file
Specifies the file from which the host key is read (default
.IR @ETCDIR@/ssh_host_key ).
This option must be given if sshd is not run as root (as the normal
host key file is normally not readable by anyone but root).
.TP
.B \-i
Specifies that sshd is being run from inetd.  Sshd is normally not run
from inetd because it needs to generate the server key before it can
respond to the client, and this may take tens of seconds.  Clients
would have to wait too long if the key was regenerated every time.
However, with small key sizes (e.g. 512) using sshd from inetd may
be feasible.
.TP
.BI \-k \ key_gen_time
Specifies how often the server key is regenerated (default 3600
seconds, or one hour).  The motivation for regenerating the key fairly
often is that the key is not stored anywhere, and after about an hour,
it becomes impossible to recover the key for decrypting intercepted
communications even if the machine is cracked into or physically
seized.  A value of zero indicates that the key will never be regenerated.
.TP
.BI \-p \ port
Specifies the port on which the server listens for connections
(default 22).
.TP
.B \-q
Quiet mode.  Nothing is sent to the system log.  Normally the beginning,
authentication, and termination of each connection is logged.
.TP
.BI \-V \ version
SSH version 2 compatibility mode.  The server assumes that an SSH version 2
daemon has already read the version number string from the client;
this option gives the version string read from the client.

.SH CONFIGURATION FILE

.B Sshd
reads configuration data from
.I @ETCDIR@/sshd_config
(or the file specified with \-f on the command line).  The file
contains keyword-value pairs, one per line.  Lines starting with \'#\'
and empty lines are interpreted as comments.

The following keywords are possible.  Keywords are case insensitive.

.TP
.B AllowGroups
This keyword can be followed by any number of group name patterns,
separated by spaces.  If specified, login is allowed only if the user's
primary group name matches one of the patterns.  \'*\' and \'?\' can be
used as wildcards in the patterns.  By default, logins as all users are
allowed.

Note that all the other login authentication steps must still be
successfully completed.  AllowGroups and DenyGroups are additional
restrictions.

.TP
.B AllowHosts
This keyword can be followed by any number of host name patterns,
separated by spaces.  If specified, login is allowed only from hosts
whose name matches one of the patterns.  \'*\' and \'?\' can be used as
wildcards in the patterns.  Normal name servers are used to map the
client's host into a canonical host name.  If the name cannot be
mapped, its IP address is used as the host name.  By default all hosts
are allowed to connect.

Note that
.B sshd
can also be configured to use tcp_wrappers using the \-\-with-libwrap
compile-time configuration option.

.TP
.B AccountExpireWarningDays
Specifies when to start printing warning messages that the account is
going to expire.  The value is the number of days before the account
expiration.  The default value is 14 days, and if set to 0 the warning
messages are disabled.

.TP
.B AllowSHosts
This keyword can be followed by any number of host name patterns,
separated by spaces.  If specified, .shosts (and .rhosts and
/etc/hosts.equiv) entries are only honoured for hosts whose name
matches one of the patterns.
\'*\' and \'?\' can be used as wildcards in the patterns.  Normal name
servers are used to map the client's host into a canonical host name.
If the name cannot be mapped, its IP address is used as the host name.
By default all hosts are allowed to connect.

.TP
.B AllowTcpForwarding
Specifies whether tcp forwarding is permitted.  The default is "yes".
Note that disabling tcp forwarding does not improve security in any
way, as users can always install their own forwarders.

.TP
.B AllowUsers
This keyword can be followed by any number of user name patterns or
user@host patterns, separated by spaces.  The host name may be either the
DNS name or the IP address.  If specified, login is allowed only as
users whose name matches one of the patterns.  \'*\' and \'?\' can be
used as wildcards in the patterns.  By default, logins as all users are
allowed.

Note that all the other login authentication steps must still be
successfully completed.  AllowUsers and DenyUsers are additional
restrictions.

.TP
.B CheckMail
Specifies whether
.B sshd
should print information on whether the user has new mail
when a user logs in interactively.  (On some systems it is also
printed by the shell, /etc/profile, or equivalent.)  The default is
"yes".

.TP
.B DenyGroups
This keyword can be followed by any number of group name patterns,
separated by spaces.  If specified, login is disallowed if the user's
primary group name matches any of the patterns.

.TP
.B DenyHosts
This keyword can be followed by any number of host name patterns,
separated by spaces.  If specified, login is disallowed from the hosts
whose name matches any of the patterns.

.TP
.B DenySHosts
This keyword can be followed by any number of host name patterns,
separated by spaces.  If specified, .shosts (and .rhosts and
/etc/hosts.equiv) entries whose name matches any of the patterns are
ignored.

.TP
.B DenyUsers
This keyword can be followed by any number of user name patterns or
user@host patterns, separated by spaces.  The host name may be either the
DNS name or the IP address.  If specified, login is disallowed as users
whose name matches any of the patterns.

.TP
.B FascistLogging
Specifies whether to use verbose logging.  Verbose logging violates
the privacy of users and is not recommended.  The argument must be
"yes" or "no" (without the quotes).  The default is "no".

.TP
.B ForcedEmptyPasswdChange
Specifies whether to force a password change if the password is empty
(first login).  The argument must be "yes" or "no" (without the
quotes).  The default is "no".

.TP
.B ForcedPasswdChange
Specifies whether to force a password change if the password has expired.
The argument must be
"yes" or "no" (without the quotes).  The default is "yes".

.TP
.B HostKey
Specifies the file containing the private host key (default
.IR @ETCDIR@/ssh_host_key ").

.TP
.B IdleTimeout time
Sets the idle timeout limit to time in seconds (s or nothing after the
number), in minutes (m), in hours (h), in days (d), or in weeks (w).
If the connection (all channels) has been idle for that long, the
child process is killed with SIGHUP and the connection is closed down.

.TP
.B IgnoreRhosts
Specifies that rhosts and shosts files will not be used in
authentication.
.I /etc/hosts.equiv
and
.I @ETCDIR@/shosts.equiv
are still used.  The default is "no".

.TP
.B IgnoreRootRhosts
Specifies that rhosts and shosts files will not be used in
authentication for root.  The default is the value of
.BR IgnoreRhosts .

.TP
.B KeepAlive
Specifies whether the system should send keepalive messages to the
other side.  If they are sent, death of the connection or crash of one
of the machines will be properly noticed.  However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.  On the other hand, if keepalives are not sent,
sessions may hang indefinitely on the server, leaving "ghost" users
and consuming server resources.

The default is "yes" (to send keepalives), and the server will notice
if the network goes down or the client host reboots.  This avoids
infinitely hanging sessions.

To disable keepalives, the value should be set to "no" in both the
server and the client configuration files.

.TP
.B KerberosAuthentication
Specifies whether Kerberos V5 authentication is allowed.  This can
be in the form of a Kerberos ticket, or if PasswordAuthentication
is yes, the password provided by the user will be validated through
the Kerberos KDC or DCE Security Server.  The default is "yes".

.TP
.B KerberosOrLocalPasswd
If set, and password authentication through Kerberos fails, the
password will be validated via any additional local mechanism
such as /etc/passwd or SecurID.  The default is "no".

.TP
.B KerberosTgtPassing
Specifies whether a Kerberos V5 TGT may be forwarded to the server.
The default is "yes".

.TP
.B KeyRegenerationInterval
The server key is automatically regenerated after this many seconds
(if it has been used).  The purpose of regeneration is to prevent
decrypting captured sessions by later breaking into the machine and
stealing the keys.  The key is never stored anywhere.  If the value is
0, the key is never regenerated.  The default is 3600
(seconds).

.TP
.B ListenAddress
Specifies the IP address of the interface to which the sshd server socket
is bound.

.TP
.B LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.  If the value is 0, there is no time limit.
The default is 600 (seconds).

.TP
.B PasswordAuthentication
Specifies whether password authentication is allowed.
The default is "yes".

.TP
.B PasswordExpireWarningDays
Specifies when to start printing warning messages that the password is
going to expire.  The value is the number of days before the password
expiration.  The default value is 14 days, and if set to 0 the warning
messages are disabled.

.TP
.B PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.  The default
is "yes".

.TP
.B PermitRootLogin
Specifies whether root can log in using
.BR ssh .
May be set to "yes", "nopwd", or "no".  The default is "yes", allowing
root logins through any of the authentication types allowed for other
users.  The "nopwd" value disables password-authenticated root logins.
The "no" value disables root logins through any of the authentication
methods.  ("nopwd" and "no" are equivalent unless you have
a .rhosts, .shosts, or .ssh/authorized_keys file in the root home
directory.)

Root login with RSA authentication when the "command" option has been
specified will be allowed regardless of the value of this setting
(which may be useful for taking remote backups even if root login is
normally not allowed).

.TP
.B PidFile
Specifies the location of the file containing the process ID of the
master sshd daemon (default: /etc/sshd.pid or /var/run/sshd.pid,
depending on the system).

.TP
.B Port
Specifies the port number that
.B sshd
listens on.  The default is 22.

.TP
.B PrintMotd
Specifies whether
.B sshd
should print
.I /etc/motd
when a user logs in interactively.  (On some systems it is also
printed by the shell, /etc/profile, or equivalent.)  The default is
"yes".

.TP
.B QuietMode
Specifies whether the system runs in quiet mode.  In quiet mode,
nothing is logged in the system log, except fatal errors.  The default
is "no".

.TP
.B RandomSeed
Specifies the file containing the random seed for the server; this
file is created automatically and updated regularly.  The default is
.IR @ETCDIR@/ssh_random_seed ".

.TP
.B RhostsAuthentication
Specifies whether authentication using rhosts or /etc/hosts.equiv
files is sufficient.  Normally, this method should not be permitted
because it is insecure.  RhostsRSAAuthentication should be used
instead, because it performs RSA-based host authentication in addition
to normal rhosts or /etc/hosts.equiv authentication.
The default is "no".

.TP
.B RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.  The default is "yes".

.TP
.B RSAAuthentication
Specifies whether pure RSA authentication is allowed.  The default is "yes".

.TP
.B ServerKeyBits
Defines the number of bits in the server key.  The minimum value is
512, and the default is 768.

.TP
.B SilentDeny
Specifies whether denied (or not allowed) connections are denied
silently (just close the connection, no logging etc.) or closed
cleanly (send an error message and log the connection attempt).

.TP
.B StrictModes
Specifies whether ssh should check file modes and ownership of the
user's home directory and rhosts files before accepting login.  This
is normally desirable because novices sometimes accidentally leave their
directory or files world-writable.  The default is "yes".

.TP
.B SyslogFacility
Gives the facility code that is used when logging messages from
.BR sshd .
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The default is DAEMON.

.TP
.B TISAuthentication
Specifies whether authentication through TIS
.BR authsrv (8)
is allowed.  The default is "no".

.TP
.B Umask
Sets the default umask for sshd and its children.  Remember to add 0 in front
of the number to make it octal.  The default is not to set the umask at all.

.TP
.B X11Forwarding
Specifies whether X11 forwarding is permitted.  The default is "yes".
Note that disabling X11 forwarding does not improve security in any
way, as users can always install their own forwarders.

.TP
.B X11DisplayOffset
Specifies the first display number available for sshd's X11
forwarding.  This prevents sshd from interfering with real X11
servers.

.TP
.B XAuthLocation
Specifies the default path to the xauth program.

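The configuration-file syntax and the Allow*/Deny* keywords above, as an added Python example that is not ssh's own code: it parses keyword-value lines (case-insensitive keywords, \'#\' and empty lines as comments) and evaluates the user, group and host restrictions for one login attempt. The sample configuration is constructed, and the evaluation order (deny lists checked before allow lists) is an assumption, since the page does not state it.

```python
"""sshd_config parser plus Allow*/Deny* evaluation (added example, not ssh code).
The order of evaluation (deny lists first, then allow lists) is an assumption."""
import fnmatch

# Constructed sample configuration; not a real sshd_config.
SAMPLE_CONFIG = """\
# comment lines and blank lines are ignored

Port 22
permitrootlogin nopwd
AllowUsers admin ops* backup@backup.hut.fi backup@130.233.*
DenyUsers guest
AllowGroups staff wheel
DenyHosts *.evil.example
"""

# Keywords whose value is a space-separated list of patterns.
LIST_KEYWORDS = {"allowusers", "denyusers", "allowgroups", "denygroups",
                 "allowhosts", "denyhosts", "allowshosts", "denyshosts"}


def parse_config(text):
    """Return {lowercased keyword: value}; list keywords map to pattern lists.
    Keywords are case insensitive; '#' lines and empty lines are comments."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword in LIST_KEYWORDS:
            config.setdefault(keyword, []).extend(value.split())
        else:
            config[keyword] = value
    return config


def _user_pattern_matches(pattern, user, host_name, host_ip):
    """A user pattern or user@host pattern; the host part may match the
    client's DNS name or its IP address.  '*' and '?' are wildcards."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return (fnmatch.fnmatchcase(user, user_pat) and
                (fnmatch.fnmatchcase(host_name, host_pat) or
                 fnmatch.fnmatchcase(host_ip, host_pat)))
    return fnmatch.fnmatchcase(user, pattern)


def _any_match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def login_permitted(config, user, group, host_name, host_ip):
    """Apply the Allow/Deny restrictions to one login attempt and return
    (allowed, keyword that decided it).  host_name is the canonical host
    name, or the IP address if the name could not be mapped.  These are
    additional restrictions: normal authentication must still succeed."""
    # Assumed order: an explicit Deny wins over everything.
    if any(_user_pattern_matches(p, user, host_name, host_ip)
           for p in config.get("denyusers", [])):
        return False, "DenyUsers"
    if _any_match(config.get("denygroups", []), group):
        return False, "DenyGroups"
    if _any_match(config.get("denyhosts", []), host_name):
        return False, "DenyHosts"
    # An Allow list, when present, permits only what it matches.
    allow_users = config.get("allowusers")
    if allow_users and not any(_user_pattern_matches(p, user, host_name, host_ip)
                               for p in allow_users):
        return False, "AllowUsers"
    allow_groups = config.get("allowgroups")
    if allow_groups and not _any_match(allow_groups, group):
        return False, "AllowGroups"
    allow_hosts = config.get("allowhosts")
    if allow_hosts and not _any_match(allow_hosts, host_name):
        return False, "AllowHosts"
    return True, "ok"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for attempt in (("admin", "staff", "ws.hut.fi", "130.233.1.1"),
                    ("backup", "staff", "unmapped", "130.233.208.41"),
                    ("ops1", "users", "ws.hut.fi", "130.233.1.2"),
                    ("admin", "wheel", "bad.evil.example", "192.0.2.7")):
        print(attempt, login_permitted(cfg, *attempt))
```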
.SH LOGIN PROCESS

When a user successfully logs in,
.B sshd
does the following:
.IP 1.
If the login is on a tty, and no command has been specified,
prints the last login time and
.B /etc/motd
(unless prevented in the configuration file or by
.IR $HOME/\s+2.\s0hushlogin ;
see the FILES section).
.IP 2.
If the login is on a tty, records the login time.
.IP 3.
Checks /etc/nologin; if it exists, prints its contents and quits
(unless root).
.IP 4.
Changes to run with normal user privileges.
.IP 5.
Sets up the basic environment.
.IP 6.
Reads /etc/environment if it exists.
.IP 7.
Reads $HOME/.ssh/environment if it exists.
.IP 8.
Changes to the user's home directory.
.IP 9.
If $HOME/.ssh/rc exists, runs it (with the user's shell); else if
@ETCDIR@/sshrc exists, runs it (with /bin/sh); otherwise runs xauth.
The "rc" files are given the X11 authentication protocol and cookie in
standard input.
.IP 10.
Runs the user's shell or command.
.RT


.SH AUTHORIZED_KEYS FILE FORMAT
.LP
The
.I \&$HOME/\s+2.\s0ssh/authorized_keys
file lists the RSA keys that are
permitted for RSA authentication.  Each line of the file contains one
key (empty lines and lines starting with a \'#\' are ignored as
comments).  Each line consists of the following fields, separated by
spaces: options, bits, exponent, modulus, comment.  The options field
is optional; its presence is determined by whether the line starts
with a number or not (the options field never starts with a number).
The bits, exponent, modulus and comment fields give the RSA key; the
comment field is not used for anything (but may be convenient for the
user to identify the key).
.LP
Note that lines in this file are usually several hundred bytes long
(because of the size of the RSA key modulus).  You don't want to type
them in; instead, copy the
.I identity.pub
file and edit it.
.LP
The options (if present) consist of comma-separated option
specifications.  No spaces are permitted, except within double quotes.
Option names are case insensitive.  The following option specifications
are supported:
.IP
.ti -.5i
\fBfrom="pattern-list"\fR
.br
Specifies that in addition to RSA authentication, the canonical name
of the remote host must be present in the comma-separated list of
patterns (\'*\' and \'?\' serve as wildcards).  The list may also contain
patterns negated by prefixing them with \'!\'; if the canonical host
name matches a negated pattern, the key is not accepted.  The purpose
of this option is to optionally increase security: RSA authentication
by itself does not trust the network or name servers or anything (but
the key); however, if somebody somehow steals the key, the key
permits an intruder to log in from anywhere in the world.  This
additional option makes using a stolen key more difficult (name
servers and/or routers would have to be compromised in addition to
just the key).
.IP
.ti -.5i
\fBcommand="command"\fR
.br
Specifies that the command is executed whenever this key is used for
authentication.  The command supplied by the user (if any) is ignored.
The command is run on a pty if the connection requests a pty;
otherwise it is run without a tty.  A quote may be included in the
command by quoting it with a backslash.  This option might be useful
to restrict certain RSA keys to perform just a specific operation.  An
example might be a key that permits remote backups but nothing
else.  Notice that the client may specify TCP/IP and/or X11
forwardings unless they are explicitly prohibited.
.IP
.ti -.5i
\fBenvironment="NAME=value"\fR
.br
Specifies that the string is to be added to the environment when
logging in using this key.  Environment variables set this way
override other default environment values.  Multiple options of this
type are permitted.
.IP
.ti -.5i
\fBidle-timeout=time\fR
.br
Sets the idle timeout limit to time in seconds (s or nothing after the
number), in minutes (m), in hours (h), in days (d), or in weeks (w).
If the connection (all channels) has been idle for that long, the
child process is killed with SIGHUP and the connection is closed down.
.IP
.ti -.5i
\fBno-port-forwarding\fR
.br
Forbids TCP/IP forwarding when this key is used for authentication.
Any port forward requests by the client will return an error.  This
might be used e.g. in connection with the
.B command
option.
.IP
.ti -.5i
\fBno-X11-forwarding\fR
.br
Forbids X11 forwarding when this key is used for authentication.
Any X11 forward requests by the client will return an error.
.IP
.ti -.5i
\fBno-agent-forwarding\fR
.br
Forbids authentication agent forwarding when this key is used for
authentication.
.IP
.ti -.5i
\fBno-pty\fR
.br
Prevents tty allocation (a request to allocate a pty will fail).

.SS Examples
.LP
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
.LP
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
.LP
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
874
875.SH SSH WITH TCP WRAPPERS
876
877When sshd is compiled with tcp wrappers libraries, then the
878host.allow/deny files also controls who can connect to ports forwarded
879by sshd.
880
881The program names in the hosts.allow/deny files are
882.B sshdfwd-\c
883.I <portname>\c
884,
885.B sshdfwd-\c
886.I <portnumber>\c
887, and
888.B sshdfwd-X11
889for forwarded ports the ssh client or server is listening.
890.LP
891If the port has name defined then you must use it.
892
.SH SSH_KNOWN_HOSTS FILE FORMAT
.LP
The
.I @ETCDIR@/ssh_known_hosts
and
.I \&$HOME/\s+2.\s0ssh/known_hosts
files contain host public keys for all known hosts.  The global file should
be prepared by the administrator (optional), and the per-user file is
maintained automatically: whenever the user connects to an unknown host,
its key is added to the per-user file.  The recommended way to create
.I @ETCDIR@/ssh_known_hosts
is to use the
.B make-ssh-known-hosts
command.
.LP
Each line in these files contains the following fields: hostnames,
bits, exponent, modulus, comment.  The fields are separated by spaces.
.LP
Hostnames is a comma-separated list of patterns (\'*\' and \'?\' act as
wildcards); each pattern in turn is matched against the canonical host
name (when authenticating a client) or against the user-supplied
name (when authenticating a server).  A pattern may also be preceded
by \'!\' to indicate negation: if the host name matches a negated
pattern, it is not accepted (by that line) even if it matched another
pattern on the line.
.LP
Bits, exponent, and modulus are taken directly from the host key; they
can be obtained e.g. from
.IR @ETCDIR@/ssh_host_key.pub ".
The optional comment field continues to the end of the line, and is not used.
.LP
Lines starting with \'#\' and empty lines are ignored as comments.
.LP
When performing host authentication, authentication is accepted if any
matching line has the proper key.  It is thus permissible (but not
recommended) to have several lines or different host keys for the same
names.  This will inevitably happen when short forms of host names
from different domains are put in the file.  It is possible
that the files contain conflicting information; authentication is
accepted if valid information can be found in either file.
.LP
Note that the lines in these files are typically hundreds of characters
long, and you definitely don't want to type in the host keys by hand.
Rather, generate them by a script (see
.BR make-ssh-known-hosts (1))
or by taking
.I @ETCDIR@/ssh_host_key.pub
and adding the host names at the front.

.SS Examples

closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi

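.LP
The matching rules above (\'*\' and \'?\' wildcards, \'!\' negation, "any
matching line with the proper key", and either file sufficing) as an added
example in Python.  This is not code from ssh or from this manual page; the
file contents and host keys are constructed samples with short fake moduli,
and case-insensitive host comparison is an assumption of the example:

```python
"""Added example (not part of ssh or this manual page): parse ssh_known_hosts /
known_hosts lines and apply the host-authentication rules described above.
All key values below are constructed samples, not real 1024-bit RSA moduli."""

from typing import List, NamedTuple


class HostKey(NamedTuple):
    bits: int
    exponent: int
    modulus: int


class KnownHostsLine(NamedTuple):
    patterns: List[str]   # the comma-separated hostnames field, split
    key: HostKey
    comment: str          # rest of the line; never used for matching


def match_pattern(pattern: str, name: str) -> bool:
    """Glob match where only '*' and '?' are special (no character classes)."""
    p = n = 0
    star_p = star_n = -1
    while n < len(name):
        if p < len(pattern) and pattern[p] in ('?', name[n]):
            p += 1
            n += 1
        elif p < len(pattern) and pattern[p] == '*':
            star_p, star_n = p, n   # remember the '*'; first try letting it match nothing
            p += 1
        elif star_p != -1:
            star_n += 1             # backtrack: the last '*' absorbs one more character
            p, n = star_p + 1, star_n
        else:
            return False
    while p < len(pattern) and pattern[p] == '*':
        p += 1
    return p == len(pattern)


def host_matches_line(patterns: List[str], hostname: str) -> bool:
    """True if hostname matches some pattern on the line and no negated ('!') one.
    Assumption: names are compared case-insensitively, as DNS names are."""
    host = hostname.lower()
    matched = False
    for pat in patterns:
        if pat.startswith('!'):
            if match_pattern(pat[1:].lower(), host):
                return False      # a negated match rejects the whole line
        elif match_pattern(pat.lower(), host):
            matched = True
    return matched


def parse_known_hosts(text: str) -> List[KnownHostsLine]:
    """Parse 'hostnames bits exponent modulus [comment]' lines; '#' lines and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        hosts, bits, exponent, modulus = fields[:4]
        comment = fields[4] if len(fields) == 5 else ""
        entries.append(KnownHostsLine(hosts.split(','),
                                      HostKey(int(bits), int(exponent), int(modulus)),
                                      comment))
    return entries


def host_key_accepted(hostname: str, presented: HostKey, *files: str) -> bool:
    """Accepted if any matching line in any of the given files carries exactly the presented key."""
    for text in files:
        for entry in parse_known_hosts(text):
            if host_matches_line(entry.patterns, hostname) and entry.key == presented:
                return True
    return False


def known_hosts_line_from_pub(hostnames: List[str], pub_line: str) -> str:
    """Build a line the way the text suggests: take the 'bits exponent modulus comment'
    line of ssh_host_key.pub and put the host names at the front."""
    return ",".join(hostnames) + " " + pub_line.strip()


# Constructed sample files (short fake moduli so the example stays readable).
GLOBAL_KNOWN_HOSTS = """# global ssh_known_hosts (constructed)
closenet,closenet.hut.fi,*.hut.fi,!evil.hut.fi 1024 37 159093 closenet.hut.fi
*.example.net,!*.lab.example.net 1024 35 271828 lab gateway
"""
USER_KNOWN_HOSTS = """# per-user known_hosts (constructed): a conflicting key for 'closenet'
closenet 1024 37 314159 older entry
"""

if __name__ == "__main__":
    key = HostKey(1024, 37, 159093)
    print(host_key_accepted("closenet.hut.fi", key, GLOBAL_KNOWN_HOSTS, USER_KNOWN_HOSTS))  # True
    print(host_key_accepted("evil.hut.fi", key, GLOBAL_KNOWN_HOSTS))                        # False: negated
    print(known_hosts_line_from_pub(["closenet", "130.233.208.41"], "1024 37 159093 closenet.hut.fi"))
```
.LP
The per-user file in the sample carries a different key for the short name
\'closenet\' than the global file does; as the text says, either one is
enough, so both keys are accepted for that name.  That is exactly why the
text discourages duplicate names and recommends generating the global file
with a script rather than by hand.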
.SH FILES
.TP
.I @ETCDIR@/sshd_config
Contains configuration data for
.BR sshd .
This file should be writable by root only, but it is recommended
(though not necessary) that it be world-readable.
.TP
.I @ETCDIR@/ssh_host_key
Contains the private part of the host key.  This file is normally
created automatically by "make install", but can also be created
manually using
.BR ssh-keygen (1).
This file should be owned by root, readable only by root, and not
accessible to others.
.TP
.I @ETCDIR@/ssh_host_key.pub
Contains the public part of the host key.  This file is normally
created automatically by "make install", but can also be created
manually.  This file should be world-readable but writable only by
root.  Its contents should match the private part.  This file is not
really used for anything; it is only provided for the convenience of
the user so its contents can be copied to known hosts files.
.TP
.I @ETCDIR@/ssh_random_seed
This file contains a seed for the random number generator.  This file
should only be accessible by root.
.TP
.I @PIDDIR@/sshd.pid
Contains the process id of the
.B sshd
listening for connections (if there are several daemons running
concurrently for different ports, this contains the pid of the one
started last).  The contents of this file are not sensitive; it can be
world-readable.
.TP
.I \&$HOME/\s+2.\s0ssh/authorized_keys
Lists the RSA keys that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
volume).  It is recommended that it not be accessible by others.  The
format of this file is described above.
.TP
.I "@ETCDIR@/ssh_known_hosts\fR and \fI$HOME/\s+2.\s0ssh/known_hosts\fR
These files are consulted when using rhosts with RSA host
authentication to check the public key of the host.  The key must be
listed in one of these files to be accepted.  (The client uses the
same files to verify that the remote host is the one we intended to
connect to.)  These files should be writable only by root/the owner.
.I @ETCDIR@/ssh_known_hosts
should be world-readable, and \fI$HOME/\s+2.\s0ssh/known_hosts\fR can
but need not be world-readable.
.TP
.I /etc/nologin
If this file exists,
.B sshd
refuses to let anyone except root log in.  The contents of the file
are displayed to anyone trying to log in, and non-root connections are
refused.  The file should be world-readable.
.TP
.I \&$HOME/\s+2.\s0rhosts
This file contains host-username pairs, separated by a space, one per
line.  The given user on the corresponding host is permitted to log in
without a password.  The same file is used by rlogind and rshd.
.B Ssh
differs from rlogind
and rshd in that it requires RSA host authentication in addition to
validating the host name retrieved from domain name servers (unless
compiled with the \-\-with\-rhosts configuration option).  The file must
be writable only by the user; it is recommended that it not be
accessible by others.

It is also possible to use netgroups in the file.  Either host or user
name may be of the form +@groupname to specify all hosts or all users
in the group.
.TP
.I \&$HOME/\s+2.\s0shosts
For
.B ssh,
this file is exactly the same as for \s+2.\s0rhosts.  However, this file is
not used by rlogin and rshd, so using this permits access using
.B ssh
only.
.TP
.I /etc/hosts.equiv
This file is used during \s+2.\s0rhosts authentication.  In the
simplest form, this file contains host names, one per line.  Users on
those hosts are permitted to log in without a password, provided they
have the same user name on both machines.  The host name may also be
followed by a user name; such users are permitted to log in as
.B any
user on this machine (except root).  Additionally, the syntax +@group
can be used to specify netgroups.  Negated entries start with \'-\'.

If the client host/user is successfully matched in this file, login is
automatically permitted provided the client and server user names are the
same.  Additionally, successful RSA host authentication is normally
required.  This file must be writable only by root; it is recommended
that it be world-readable.

\fBWarning: It is almost never a good idea to use user names in
hosts.equiv.\fR
Beware that it really means that the named user(s) can log in as
\fBanybody\fR,
which includes bin, daemon, adm, and other accounts that own critical
binaries and directories.  Using a user name practically grants the
user root access.  The only valid use for user names that I can think
of is in negative entries.
\fBNote that this warning also applies to rsh/rlogin.\fR
.TP
.I @ETCDIR@/shosts.equiv
This is processed exactly as
.I /etc/hosts.equiv.
However, this file may be useful in environments that want to run both
rsh/rlogin and
.B ssh.
.TP
.I /etc/environment
This file is read into the environment at login (if it exists).  It
can only contain empty lines, comment lines (that start with \'#\'), and
assignment lines of the form name=value.  This file is processed in
all environments (normal rsh/rlogin only process it on AIX and
potentially some other systems).  The file should be writable only by
root, and should be world-readable.
.TP
.I \&$HOME/\s+2.\s0ssh/environment
This file is read into the environment after /etc/environment.  It has
the same format.  The file should be writable only by the user; it
need not be readable by anyone else.
.TP
.I \&$HOME/\s+2.\s0ssh/rc
If this file exists, it is run with the user's shell after reading the
environment files but before starting the user's shell or command.  If
X11 spoofing is in use, this will receive the "proto cookie" pair on
standard input (and DISPLAY in the environment).  This must call xauth in
that case.

The primary purpose of this file is to run any initialization routines
which may be needed before the user's home directory becomes
accessible; AFS is a particular example of such an environment.

This file will probably contain some initialization code followed by
something similar to: "if read proto cookie; then echo add $DISPLAY
$proto $cookie | xauth -q -; fi".

If this file does not exist, @ETCDIR@/sshrc is run, and if that
does not exist either, xauth is used to store the cookie.

This file should be writable only by the user, and need not be
readable by anyone else.
.TP
.I @ETCDIR@/sshrc
Like $HOME/\s+2.\s0ssh/rc, but run with /bin/sh.  This can be used to specify
machine-specific login-time initializations globally.  This file
should be writable only by root, and should be world-readable.
.TP
.I @ETCDIR@/sshd_tis.map
Establishes a mapping between a local username and its corresponding
name in the TIS database.  Each line contains the local name followed
by a ":" followed by the corresponding name.  If the file does not
exist or the user is not found, the corresponding name in the TIS
database is assumed to be the same.

.SH INSTALLATION
.LP
.B Sshd
is normally run as root.  If it is not run as root, it can
only log in as the user it is running as, and password authentication
may not work if the system uses shadow passwords.  An alternative
host key file must also be used.
.LP
.B Sshd
is normally started from
.I /etc/rc.local
or equivalent at system boot.
.LP
Considerable work has been put into making
.B sshd
secure.  However, if you find a security problem, please report it
immediately to <ssh-bugs@cs.hut.fi>.

.SH AUTHOR
.LP
Tatu Ylonen <ylo@ssh.fi>
.LP
Information about new releases, mailing lists, and other related
issues can be found on the ssh WWW home page at
http://www.cs.hut.fi/ssh.

.SH SEE ALSO
.LP
.BR ssh (1),
.BR make-ssh-known-hosts (1),
.BR ssh-keygen (1),
.BR ssh-agent (1),
.BR ssh-add (1),
.BR scp (1),
.BR rlogin (1),
.BR rsh (1)