.\" -*- nroff -*-
.\"
.\" sshd.8.in
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
.\" $Id: sshd.8.in,v 1.1.1.4 1999-03-08 17:43:00 danw Exp $
.\" $Log: not supported by cvs2svn $
.\" Revision 1.21 1998/07/08 00:41:22 kivinen
.\" Changed to do similar commercial #ifdef processing than other
.\" files.
.\"
.\" Revision 1.20 1998/06/11 00:11:47 kivinen
.\" Documented Allow/DenyUsers user@host format.
.\"
.\" Revision 1.19 1998/05/23 20:38:47 kivinen
.\" Documented AccountExpireWarningDays, AllowSHosts, DenySHosts,
.\" ForcedEmptyPasswdChange, ForcedPasswdChange, and
.\" PasswordExpireWarningDays options.
.\"
.\" Revision 1.18 1998/05/04 13:37:32 kivinen
.\" Fixed layout of authorized key options.
.\"
.\" Revision 1.17 1998/04/30 03:58:29 kivinen
.\" Documented -V option.
.\"
.\" Revision 1.16 1998/03/27 17:05:18 kivinen
.\" Documented IgnoreRootRhosts option.
.\"
.\" Revision 1.15 1998/01/03 06:42:24 kivinen
.\" Added allow/deny groups option documentation.
.\"
.\" Revision 1.14 1998/01/02 06:37:48 kivinen
.\" Sorted options. Added CheckMail and XAuthLocation options.
.\" Added {Allow,Deny}Forwarding{Port,To} options to
.\" authorized_keys file. Added SSH WITH TCP WRAPPERS section.
.\"
.\" Revision 1.13 1997/06/04 13:53:07 kivinen
.\" Added .TP before DenyUsers.
.\"
.\" Revision 1.12 1997/05/13 22:30:47 kivinen
.\" Fixed default value of AllowTcpForwarding.
.\"
.\" Revision 1.11 1997/05/08 03:06:01 kivinen
.\" Added \ before all '-characters (it is troff command if it is
.\" in the beginning of line).
.\"
.\" Revision 1.10 1997/04/27 21:50:16 kivinen
.\" Added F-SECURE stuff. Added {Allow,Deny}Forwarding{To,Port}
.\" documentation, added {Allow,Deny}Users documentation from
.\" Steve Kann <stevek@SteveK.COM>.
.\"
.\" Revision 1.9 1997/03/27 03:16:41 kivinen
.\" Added kerberos patches from Glenn Machin.
.\" Added USELOGIN patches from Brian Cully.
.\"
.\" Revision 1.8 1997/03/26 05:29:08 kivinen
.\" Documented IdleTimeout option and idle-timeout setting in
.\" authorized_keys.
.\"
.\" Revision 1.7 1997/03/25 05:43:18 kivinen
.\" Updated. Changed ylo's email to @ssh.fi.
.\"
.\" Revision 1.6 1997/03/19 17:45:53 kivinen
.\" Added TIS authentication code from Andre April
.\" <Andre.April@cediti.be>.
.\"
.\" Revision 1.5 1996/11/27 15:45:38 ttsalo
.\" Added X11DisplayOffset-option
.\"
.\" Revision 1.4 1996/11/12 15:56:19 ttsalo
.\" Fixed a typo
.\"
.\" Revision 1.3 1996/10/29 22:47:36 kivinen
.\" Documented ListenAddress.
.\"
.\" Revision 1.2 1996/08/13 00:25:15 ylo
.\" Documented that $HOME/.ssh/rc is run with user's shell,
.\" /etc/sshrc with /bin/sh.
.\"
.\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo
.\" Imported ssh-1.2.13.
.\"
.\" Revision 1.10 1995/10/02 01:31:37 ylo
.\" Make substitutions in configure.
.\"
.\" Revision 1.9 1995/09/27 02:17:12 ylo
.\" Added a section on what happens at login.
.\" Other additions.
.\"
.\" Revision 1.8 1995/09/22 22:21:36 ylo
.\" Added username and netgroups for hosts.equiv and rhosts.
.\"
.\" Revision 1.7 1995/09/21 17:14:38 ylo
.\" Added /etc/environment and IgnoreRhosts. Other minor fixes.
.\"
.\" Revision 1.6 1995/08/31 09:24:31 ylo
.\" Minor cleanup.
.\"
.\" Revision 1.5 1995/08/29 22:31:25 ylo
.\" Improved manual pages from Andrew Macpherson.
.\"
.\" Revision 1.4 1995/08/21 23:29:52 ylo
.\" Added documentation for the configuration file.
.\"
.\" Revision 1.3 1995/08/18 22:57:27 ylo
.\" Removed obsolete XXX stuff.
.\"
.\" Revision 1.2 1995/07/13 01:36:06 ylo
.\" Removed "Last modified" header.
.\" Added cvs log.
.\"
.\" $Endlog$
.\"
.\"
.\"
.\"
.\" #ifndef F_SECURE_COMMERCIAL
.TH SSHD 8 "November 8, 1995" "SSH" "SSH"
.\" #endif F_SECURE_COMMERCIAL

.SH NAME
sshd \- secure shell daemon

.SH SYNOPSIS
.na
.B sshd
[\c
.BI \-b \ bits\fR\c
]
[\c
.B \-d \c
]
[\c
.BI \-f \ config_file\fR\c
]
[\c
.BI \-g \ login_grace_time\fR\c
]
[\c
.BI \-h \ host_key_file\fR\c
]
[\c
.B \-i \c
]
[\c
.BI \-k \ key_gen_time\fR\c
]
[\c
.BI \-p \ port\fR\c
]
[\c
.B \-q \c
]
[\c
.BI \-V \ version\fR\c
]
.ad


.SH DESCRIPTION
.LP
.B Sshd
(Secure Shell Daemon) is the daemon program for
.BR ssh ".
Together these programs replace the rlogin and rsh programs, and
provide secure encrypted communications between two untrusted hosts
over an insecure network. The programs are intended to be as easy to
install and use as possible.
.LP
.B Sshd
is the daemon that listens for connections from clients. It is
normally started at boot from
.I /etc/rc.local
or equivalent. It forks a new
daemon for each incoming connection. The forked daemons handle
key exchange, encryption, authentication, command execution,
and data exchange.
.LP
Sshd works as follows. Each host has a host-specific RSA key
(normally 1024 bits) used to identify the host. Additionally, when
the daemon starts, it generates a server RSA key (normally 768 bits).
This key is normally regenerated every hour if it has been used, and
is never stored on disk.
.LP
Whenever a client connects to the daemon, the daemon sends its host
and server public keys to the client. The client compares the
host key against its own database to verify that it has not changed.
The client then generates a 256 bit random number. It encrypts this
random number using both the host key and the server key, and sends
the encrypted number to the server. Both sides then start to use this
random number as a session key which is used to encrypt all further
communications in the session. The rest of the session is encrypted
using a conventional cipher. Currently,
.BR \s-1IDEA\s0 ",
.BR \s-1DES\s0 ",
.BR \s-1\&3DES\s0 ",
.BR \s-1ARCFOUR\s0 ", and
.B \s-1TSS\s0
(a fast home-grown algorithm) are supported.
.B \s-1IDEA\s0
is used by default. The client selects the encryption algorithm to use
from those offered by the server.
.LP
Next, the server and the client enter an authentication dialog. The
client tries to authenticate itself using \|\s+2.\s0rhosts
authentication, \|\s+2.\s0rhosts authentication combined with RSA host
authentication, RSA challenge-response authentication, TIS challenge
response authentication, or password
based authentication.
.LP
Rhosts authentication is normally disabled
because it is fundamentally insecure, but can be enabled in the server
configuration file if desired. System security is not improved unless
.BR rshd "(8),
.BR rlogind "(8),
.BR rexecd "(8), and
.B rexd "(8)
are disabled (thus completely disabling
.BR rlogin (1)
and
.BR rsh (1)
into that machine).
.LP
If the client successfully authenticates itself, a dialog for
preparing the session is entered. At this time the client may request
things like allocating a pseudo-tty, forwarding X11 connections,
forwarding TCP/IP connections, or forwarding the authentication agent
connection over the secure channel.
.LP
Finally, the client either requests a shell or execution of a command.
The sides then enter session mode. In this mode, either side may send
data at any time, and such data is forwarded to/from the shell or
command on the server side, and the user terminal on the client side.
.LP
When the user program terminates and all forwarded X11 and other
connections have been closed, the server sends the command exit status to
the client, and both sides exit.
.LP
.B Sshd
can be configured using command-line options or a configuration
file. Command-line options override values specified in the
configuration file.
.LP
.B Sshd rereads its configuration file if it is sent the hangup
signal, SIGHUP.

.SH OPTIONS
.TP
.BI \-b \ bits
Specifies the number of bits in the server key (default 768).
.TP
.B \-d
Debug mode. The server sends verbose debug output to the system
log, and does not put itself in the background. The server also will
not fork and will only process one connection. This option is only
intended for debugging the server.
.TP
.BI \-f \ configuration_file
Specifies the name of the configuration file. The default is
.IR @ETCDIR@/sshd_config ".
.TP
.BI \-g \ login_grace_time
Gives the grace time for clients to authenticate themselves (default
600 seconds). If the client fails to authenticate the user within
this many seconds, the server disconnects and exits. A value of zero
indicates no limit.
.TP
.BI \-h \ host_key_file
Specifies the file from which the host key is read (default
.IR @ETCDIR@/ssh_host_key).
This option must be given if sshd is not run as root (as the normal
host key file is normally not readable by anyone but root).
.TP
.B \-i
Specifies that sshd is being run from inetd. Sshd is normally not run
from inetd because it needs to generate the server key before it can
respond to the client, and this may take tens of seconds. Clients
would have to wait too long if the key was regenerated every time.
However, with small key sizes (e.g. 512) running sshd from inetd may
be feasible.
.TP
.BI \-k \ key_gen_time
Specifies how often the server key is regenerated (default 3600
seconds, or one hour). The motivation for regenerating the key fairly
often is that the key is not stored anywhere, and after about an hour,
it becomes impossible to recover the key for decrypting intercepted
communications even if the machine is cracked into or physically
seized. A value of zero indicates that the key will never be regenerated.
.TP
.BI \-p \ port
Specifies the port on which the server listens for connections
(default 22).
.TP
.B \-q
Quiet mode. Nothing is sent to the system log. Normally the beginning,
authentication, and termination of each connection is logged.
.TP
.B \-V
SSH version 2 compatibility mode. The server assumes that an SSH version 2
daemon has already read the version number string from the client, and
this option gives the version string read from the client.

.SH CONFIGURATION FILE

.B Sshd
reads configuration data from
.I @ETCDIR@/sshd_config
(or the file specified with -f on the command line). The file
contains keyword-value pairs, one per line. Lines starting with \'#\'
and empty lines are interpreted as comments.

The following keywords are possible. Keywords are case insensitive.

.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"

.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"

.TP
.B AllowGroups
This keyword can be followed by any number of group name patterns,
separated by spaces. If specified, login is allowed only if the user's
primary group name matches one of the patterns. \'*\' and \'?\' can be
used as wildcards in the patterns. By default, logins as all users are
allowed.

Note that all the other login authentication steps must still be
successfully completed. AllowGroups and DenyGroups are additional
restrictions.

.TP
.B AllowHosts
This keyword can be followed by any number of host name patterns,
separated by spaces. If specified, login is allowed only from hosts
whose name matches one of the patterns. \'*\' and \'?\' can be used as
wildcards in the patterns. Normal name servers are used to map the
client's host into a canonical host name. If the name cannot be
mapped, its IP address is used as the host name. By default all hosts
are allowed to connect.

Note that
.B sshd
can also be configured to use tcp_wrappers using the --with-libwrap
compile-time configuration option.

.TP
.B AccountExpireWarningDays
Specifies when to start printing warning messages that the account is
going to expire. The value is the number of days before the account
expiration. The default value is 14 days, and if set to 0 the warning
messages are disabled.

.TP
.B AllowSHosts
This keyword can be followed by any number of host name patterns,
separated by spaces. If specified, .shosts (and .rhosts and
/etc/hosts.equiv) entries are only honoured for hosts whose name
matches one of the patterns.
'*' and '?' can be used as wildcards in the patterns. Normal name
servers are used to map the client's host into a canonical host name.
If the name cannot be mapped, its IP address is used as the host name.
By default all hosts are allowed to connect.

.TP
.B AllowTcpForwarding
Specifies whether tcp forwarding is permitted. The default is "yes".
Note that disabling tcp forwarding does not improve security in any
way, as users can always install their own forwarders.

.TP
.B AllowUsers
This keyword can be followed by any number of user name patterns or
user@host patterns, separated by spaces. The host name may be either the
DNS name or the IP address. If specified, login is allowed only as
users whose name matches one of the patterns. \'*\' and \'?\' can be
used as wildcards in the patterns. By default, logins as all users are
allowed.

Note that all the other login authentication steps must still be
successfully completed. AllowUsers and DenyUsers are additional
restrictions.

.TP
.B CheckMail
Specifies whether
.B sshd
should print whether there is new mail
when a user logs in interactively. (On some systems it is also
printed by the shell, /etc/profile, or equivalent.) The default is
"yes".

.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"

.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"
.\"

.TP
.B DenyGroups
This keyword can be followed by any number of group name patterns,
separated by spaces. If specified, login is disallowed if the user's
primary group name matches any of the patterns.

.TP
.B DenyHosts
This keyword can be followed by any number of host name patterns,
separated by spaces. If specified, login is disallowed from the hosts
whose name matches any of the patterns.

.TP
.B DenySHosts
This keyword can be followed by any number of host name patterns,
separated by spaces. If specified, .shosts (and .rhosts and
/etc/hosts.equiv) entries whose name matches any of the patterns are
ignored.

.TP
.B DenyUsers
This keyword can be followed by any number of user name patterns or
user@host patterns, separated by spaces. The host name may be either the
DNS name or the IP address. If specified, login is disallowed as users
whose name matches any of the patterns.
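.LP
The following is an added example, not part of the original manual page or
of sshd itself: it parses a constructed sshd_config fragment and applies the
AllowUsers/DenyUsers, AllowGroups/DenyGroups and AllowHosts/DenyHosts
restrictions described above to a login that has already passed the other
authentication steps. The configuration text, host names and addresses are
constructed for the example; the \'*\'/\'?\' wildcard and user@host
semantics are those the keywords document.

```python
import re

# Constructed sshd_config fragment (not from the manual page); the keywords
# and their semantics are those the CONFIGURATION FILE section documents.
SAMPLE_CONFIG = """\
# access restrictions, constructed example
AllowUsers   admin ops-* backup@backup.example.org backup@10.0.0.*
DenyUsers    ops-guest
AllowGroups  wheel staff
DenyHosts    *.untrusted.example.net
PermitRootLogin no
"""

ACCESS_KEYWORDS = frozenset(("allowusers", "denyusers", "allowgroups",
                             "denygroups", "allowhosts", "denyhosts"))


def parse_config(text):
    """Return {lowercase keyword: value}; Allow*/Deny* values are pattern lists.

    Keywords are case insensitive; empty lines and lines starting with '#'
    are comments.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword in ACCESS_KEYWORDS:
            conf.setdefault(keyword, []).extend(value.split())
        else:
            conf[keyword] = value
    return conf


def wildcard_match(pattern, name):
    """'*' matches any run of characters and '?' any single character;
    everything else is literal, and the whole name must match."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def user_pattern_matches(pattern, user, host, ip):
    """A plain pattern matches the user name; user@host also requires the
    host part to match the canonical DNS name or the IP address."""
    if "@" not in pattern:
        return wildcard_match(pattern, user)
    user_pat, host_pat = pattern.rsplit("@", 1)
    return (wildcard_match(user_pat, user)
            and (wildcard_match(host_pat, host) or wildcard_match(host_pat, ip)))


def login_permitted(conf, user, group, host, ip):
    """Apply the Allow*/Deny* restrictions to a login that has already
    passed every other authentication step.

    For each of users, groups and hosts: when an Allow list is present the
    login must match one of its patterns, and matching any Deny pattern
    rejects it. `host` is the canonical host name, or the IP address when
    the name cannot be mapped. Returns (allowed, reason).
    """
    checks = (
        ("Users", lambda p: user_pattern_matches(p, user, host, ip)),
        ("Groups", lambda p: wildcard_match(p, group)),
        ("Hosts", lambda p: wildcard_match(p, host)),
    )
    for kind, matches in checks:
        allow = conf.get("allow" + kind.lower())
        if allow and not any(matches(p) for p in allow):
            return False, f"no Allow{kind} pattern matched"
        for p in conf.get("deny" + kind.lower(), []):
            if matches(p):
                return False, f"Deny{kind} pattern {p!r} matched"
    return True, "Allow/Deny restrictions satisfied"


if __name__ == "__main__":
    policy = parse_config(SAMPLE_CONFIG)
    for attempt in (("admin", "wheel", "shell.example.org", "192.0.2.5"),
                    ("ops-guest", "staff", "shell.example.org", "192.0.2.5"),
                    ("backup", "staff", "10.0.0.7", "10.0.0.7"),
                    ("admin", "wheel", "x.untrusted.example.net", "198.51.100.9")):
        print(attempt[0], "from", attempt[2], "->", login_permitted(policy, *attempt))
```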

.TP
.B FascistLogging
Specifies whether to use verbose logging. Verbose logging violates
the privacy of users and is not recommended. The argument must be
"yes" or "no" (without the quotes). The default is "no".

.TP
.B ForcedEmptyPasswdChange
Specifies whether to force a password change if the password is empty
(first login). The argument must be "yes" or "no" (without the
quotes). The default is "no".

.TP
.B ForcedPasswdChange
Specifies whether to force a password change if the password has expired.
The argument must be
"yes" or "no" (without the quotes). The default is "yes".

.TP
.B HostKey
Specifies the file containing the private host key (default
.IR @ETCDIR@/ssh_host_key ").

.TP
.B IdleTimeout time
Sets the idle timeout limit to time in seconds (s or nothing after the
number), in minutes (m), in hours (h), in days (d), or in weeks (w).
If the connection (all channels) has been idle for that long, the
child process is killed with SIGHUP, and the connection is closed down.

.TP
.B IgnoreRhosts
Specifies that rhosts and shosts files will not be used in
authentication.
.I /etc/hosts.equiv
and
.I @ETCDIR@/shosts.equiv
are still used. The default is "no".

.TP
.B IgnoreRootRhosts
Specifies that rhosts and shosts files will not be used in
authentication for root. The default is the value of
.BR IgnoreRhosts .

.TP
.B KeepAlive
Specifies whether the system should send keepalive messages to the
other side. If they are sent, death of the connection or crash of one
of the machines will be properly noticed. However, this means that
connections will die if the route is down temporarily, and some people
find it annoying. On the other hand, if keepalives are not sent,
sessions may hang indefinitely on the server, leaving "ghost" users
and consuming server resources.

The default is "yes" (to send keepalives), and the server will notice
if the network goes down or the client host reboots. This avoids
infinitely hanging sessions.

To disable keepalives, the value should be set to "no" in both the
server and the client configuration files.

.TP
.B KerberosAuthentication
Specifies whether Kerberos V5 authentication is allowed. This can
be in the form of a Kerberos ticket, or if PasswordAuthentication
is yes, the password provided by the user will be validated through
the Kerberos KDC or DCE Security Server. Default is yes.

.TP
.B KerberosOrLocalPasswd
If set, and password authentication through Kerberos fails, the
password will be validated via any additional local mechanism
such as /etc/passwd or SecurID. Default is no.

.TP
.B KerberosTgtPassing
Specifies whether a Kerberos V5 TGT may be forwarded to the server.
Default is yes.

.TP
.B KeyRegenerationInterval
The server key is automatically regenerated after this many seconds
(if it has been used). The purpose of regeneration is to prevent
decrypting captured sessions by later breaking into the machine and
stealing the keys. The key is never stored anywhere. If the value is
0, the key is never regenerated. The default is 3600
(seconds).

.TP
.B ListenAddress
Specifies the IP address of the interface to which the sshd server socket
is bound.

.TP
.B LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in. If the value is 0, there is no time limit.
The default is 600 (seconds).

.TP
.B PasswordAuthentication
Specifies whether password authentication is allowed.
The default is "yes".

.TP
.B PasswordExpireWarningDays
Specifies when to start printing warning messages that the password is
going to expire. The value is the number of days before the password
expiration. The default value is 14 days, and if set to 0 the warning
messages are disabled.

.TP
.B PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings. The default
is "yes".

.TP
.B PermitRootLogin
Specifies whether root can log in using
.BR ssh .
May be set to "yes", "nopwd", or "no". The default is "yes", allowing
root logins through any of the authentication types allowed for other
users. The "nopwd" value disables password-authenticated root logins.
The "no" value disables root logins through any of the authentication
methods. ("nopwd" and "no" are equivalent unless you have
a .rhosts, .shosts, or .ssh/authorized_keys file in the root home
directory.)

Root login with RSA authentication when the "command" option has been
specified will be allowed regardless of the value of this setting
(which may be useful for taking remote backups even if root login is
normally not allowed).

.TP
.B PidFile
Specifies the location of the file containing the process ID of the
master sshd daemon (default: /etc/sshd.pid or /var/run/sshd.pid,
depending on the system).

.TP
.B Port
Specifies the port number that
.B sshd
listens on. The default is 22.

.TP
.B PrintMotd
Specifies whether
.B sshd
should print
.I /etc/motd
when a user logs in interactively. (On some systems it is also
printed by the shell, /etc/profile, or equivalent.) The default is
"yes".

.TP
.B QuietMode
Specifies whether the system runs in quiet mode. In quiet mode,
nothing is logged in the system log, except fatal errors. The default
is "no".

.TP
.B RandomSeed
Specifies the file containing the random seed for the server; this
file is created automatically and updated regularly. The default is
.IR @ETCDIR@/ssh_random_seed ".

.TP
.B RhostsAuthentication
Specifies whether authentication using rhosts or /etc/hosts.equiv
files is sufficient. Normally, this method should not be permitted
because it is insecure. RhostsRSAAuthentication should be used
instead, because it performs RSA-based host authentication in addition
to normal rhosts or /etc/hosts.equiv authentication.
The default is "no".

.TP
.B RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed. The default is "yes".

.TP
.B RSAAuthentication
Specifies whether pure RSA authentication is allowed. The default is "yes".

.TP
.B ServerKeyBits
Defines the number of bits in the server key. The minimum value is
512, and the default is 768.

.TP
.B SilentDeny
Specifies whether denied (or not allowed) connections are denied
silently (just close the connection, no logging etc.) or closed
cleanly (send an error message and log the connection attempt).

.TP
.B StrictModes
Specifies whether ssh should check file modes and ownership of the
user's home directory and rhosts files before accepting login. This
is normally desirable because novices sometimes accidentally leave their
directory or files world-writable. The default is "yes".
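.LP
As an added example (not code from the manual page or from sshd), the check
below does what StrictModes is described as doing: it reports a home
directory or rhosts file that is world-writable or not owned by the user.
Assumptions of this example: root ownership is tolerated, and
.I .ssh/authorized_keys
is checked in addition to the rhosts files; the directory contents used in
demo() are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def _check_path(path, owner_uid, label):
    """Problems with one path: wrong owner or world-writable.

    Ownership by root is tolerated here; that is this example's assumption,
    not a rule the manual page states.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []  # an absent rhosts file is simply not consulted
    problems = []
    if st.st_uid not in (owner_uid, 0):
        problems.append(f"{label}: owned by uid {st.st_uid}, not the user")
    if st.st_mode & stat.S_IWOTH:
        problems.append(
            f"{label}: world-writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def strict_modes_problems(home, owner_uid):
    """Reasons a StrictModes check would reject a login for this home dir."""
    problems = _check_path(home, owner_uid, "home directory")
    # .rhosts/.shosts are the rhosts files; .ssh and authorized_keys are
    # included as well (an assumption beyond the "rhosts files" wording).
    for rel in (".rhosts", ".shosts", ".ssh", ".ssh/authorized_keys"):
        problems.extend(_check_path(os.path.join(home, rel), owner_uid, rel))
    return problems


def demo():
    """Constructed scenario in a temporary home directory.

    Returns the number of problems found at each step: a sane setup, after
    a chmod 666 on .rhosts, and after making the home directory itself
    world-writable.
    """
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o755)
        rhosts = os.path.join(home, ".rhosts")
        with open(rhosts, "w") as f:
            f.write("trusted.example.org alice\n")  # constructed content
        os.chmod(rhosts, 0o600)
        counts = [len(strict_modes_problems(home, uid))]
        os.chmod(rhosts, 0o666)   # the novice mistake the option guards against
        counts.append(len(strict_modes_problems(home, uid)))
        os.chmod(home, 0o777)
        counts.append(len(strict_modes_problems(home, uid)))
    return counts


if __name__ == "__main__":
    print(demo())  # [0, 1, 2]
```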

.TP
.B SyslogFacility
Gives the facility code that is used when logging messages from
.B sshd.
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is DAEMON.

.TP
.B TISAuthentication
Specifies whether authentication through TIS
.B authsrv
(8) is allowed. The default is "no".

.TP
.B Umask
Sets the default umask for sshd and its children. Remember to add 0 in front
of the number to make it octal. The default is not to set the umask at all.

.TP
.B X11Forwarding
Specifies whether X11 forwarding is permitted. The default is "yes".
Note that disabling X11 forwarding does not improve security in any
way, as users can always install their own forwarders.

.TP
.B X11DisplayOffset
Specifies the first display number available for sshd's X11
forwarding. This prevents sshd from interfering with real X11
servers.

.TP
.B XAuthLocation
Specifies the default path to the xauth program.

.SH LOGIN PROCESS

When a user successfully logs in,
.B sshd
does the following:
.IP 1.
If the login is on a tty, and no command has been specified,
prints last login time and
.B /etc/motd
(unless prevented in the configuration file or by
.IR $HOME/\s+2.\s0hushlogin ;
see the FILES section).
.IP 2.
If the login is on a tty, records login time.
.IP 3.
Checks /etc/nologin; if it exists, prints contents and quits
(unless root).
.IP 4.
Changes to run with normal user privileges.
.IP 5.
Sets up basic environment.
.IP 6.
Reads /etc/environment if it exists.
.IP 7.
Reads $HOME/.ssh/environment if it exists.
.IP 8.
Changes to user's home directory.
.IP 9.
If $HOME/.ssh/rc exists, runs it (with the user's shell); else if
@ETCDIR@/sshrc exists, runs it (with /bin/sh); otherwise runs xauth.
The "rc" files are given the X11 authentication protocol and cookie in
standard input.
.IP 10.
Runs user's shell or command.
.RT


.SH AUTHORIZED_KEYS FILE FORMAT
.LP
The
.I \&$HOME/\s+2.\s0ssh/authorized_keys
file lists the RSA keys that are
permitted for RSA authentication. Each line of the file contains one
key (empty lines and lines starting with a \'#\' are ignored as
comments). Each line consists of the following fields, separated by
spaces: options, bits, exponent, modulus, comment. The options field
is optional; its presence is determined by whether the line starts
with a number or not (the options field never starts with a number).
The bits, exponent, modulus and comment fields give the RSA key; the
comment field is not used for anything (but may be convenient for the
user to identify the key).
.LP
Note that lines in this file are usually several hundred bytes long
(because of the size of the RSA key modulus). You don't want to type
them in; instead, copy the
.I identity.pub
file and edit it.
---|
764 | .LP |
---|
765 | The options (if present) consists of comma-separated option |
---|
766 | specifications. No spaces are permitted, except within double quotes. |
---|
767 | Option names are case insensitive. The following option specifications |
---|
768 | are supported: |
---|
769 | .IP |
---|
770 | .ti -.5i |
---|
771 | \fBfrom="pattern-list" \fR |
---|
772 | .br |
---|
773 | Specifies that in addition to RSA authentication, the canonical name |
---|
774 | of the remote host must be present in the comma-separated list of |
---|
775 | patterns (\'*\' and \'?\' serve as wildcards). The list may also contain |
---|
776 | patterns negated by prefixing them with \'!\'; if the canonical host |
---|
777 | name matches a negated pattern, the key is not accepted. The purpose |
---|
778 | of this option is to optionally increase security: RSA authentication |
---|
779 | by itself does not trust the network or name servers or anything (but |
---|
780 | the key); however, if somebody somehow steals the key, the key |
---|
781 | permits an intruder to log in from anywhere in the world. This |
---|
782 | additional option makes using a stolen key more difficult (name |
---|
783 | servers and/or routers would have to be compromised in addition to |
---|
784 | just the key). |
---|
785 | .IP |
---|
786 | .ti -.5i |
---|
787 | \fBcommand="command"\fR |
---|
788 | .br |
---|
789 | Specifies that the command is executed whenever this key is used for |
---|
790 | authentication. The command supplied by the user (if any) is ignored. |
---|
791 | The command is run on a pty if the connection requests a pty; |
---|
792 | otherwise it is run without a tty. A quote may be included in the |
---|
793 | command by quoting it with a backslash. This option might be useful |
---|
794 | to restrict certain RSA keys to perform just a specific operation. An |
---|
795 | example might be a key that permits remote backups but nothing |
---|
796 | else. Notice that the client may specify TCP/IP and/or X11 |
---|
797 | forwardings unless they are explicitly prohibited. |
---|
798 | .IP |
---|
799 | .ti -.5i |
---|
800 | \fBenvironment="NAME=value"\fR |
---|
801 | .br |
---|
802 | Specifies that the string is to be added to the environment when |
---|
803 | logging in using this key. Environment variables set this way |
---|
804 | override other default environment values. Multiple options of this |
---|
805 | type are permitted. |
---|
806 | .IP |
---|
807 | .ti -.5i |
---|
808 | \fBidle-timeout=time\fR |
---|
809 | .br |
---|
810 | Sets idle timeout limit to time in seconds (s or nothing after |
---|
811 | number), in minutes (m), in hours (h), in days (d), or in weeks (w). |
---|
812 | If the connection have been idle (all channels) for that long time the |
---|
813 | child process is killed with SIGHUP, and connection is closed down. |
---|
814 | .IP |
---|
815 | .ti -.5i |
---|
816 | \fBno-port-forwarding\fR |
---|
817 | .br |
---|
818 | Forbids TCP/IP forwarding when this key is used for authentication. |
---|
819 | Any port forward requests by the client will return an error. This |
---|
820 | might be used e.g. in connection with the |
---|
821 | .B command |
---|
822 | option. |
---|
823 | .IP |
---|
824 | .ti -.5i |
---|
825 | \fBno-X11-forwarding\fR |
---|
826 | .br |
---|
827 | Forbids X11 forwarding when this key is used for authentication. |
---|
828 | Any X11 forward requests by the client will return an error. |
---|
829 | .IP |
---|
830 | .ti -.5i |
---|
831 | \fBno-agent-forwarding\fR |
---|
832 | .br |
---|
833 | Forbids authentication agent forwarding when this key is used for |
---|
834 | authentication. |
---|
835 | .IP |
---|
836 | .ti -.5i |
---|
837 | \fBno-pty\fR |
---|
838 | .br |
---|
839 | Prevents tty allocation (a request to allocate a pty will fail). |
---|
840 | |
---|
841 | .\" |
---|
842 | .\" |
---|
843 | .\" |
---|
844 | .\" |
---|
845 | .\" |
---|
846 | .\" |
---|
847 | .\" |
---|
848 | .\" |
---|
849 | .\" |
---|
850 | .\" |
---|
851 | .\" |
---|
852 | .\" |
---|
853 | .\" |
---|
854 | .\" |
---|
855 | .\" |
---|
856 | .\" |
---|
857 | .\" |
---|
858 | .\" |
---|
859 | .\" |
---|
860 | .\" |
---|
861 | .\" |
---|
862 | .\" |
---|
.SS Examples
.LP
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
.LP
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
.LP
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi

.SH SSH WITH TCP WRAPPERS

When sshd is compiled with the tcp wrappers libraries, the
hosts.allow/deny files also control who can connect to ports forwarded
by sshd.

The program names in the hosts.allow/deny files are
.B sshdfwd-\c
.I <portname>\c
,
.B sshdfwd-\c
.I <portnumber>\c
, and
.B sshdfwd-X11
for forwarded ports the ssh client or server is listening on.
.LP
If the port has a name defined, you must use the name rather than the
number.

.SH SSH_KNOWN_HOSTS FILE FORMAT
.LP
The
.I @ETCDIR@/ssh_known_hosts
and
.I \&$HOME/\s+2.\s0ssh/known_hosts
files contain host public keys for all known hosts. The global file should
be prepared by the administrator (optional), and the per-user file is
maintained automatically: whenever the user connects to an unknown host
its key is added to the per-user file. The recommended way to create
.I @ETCDIR@/ssh_known_hosts
is to use the
.B make-ssh-known-hosts
command.
.LP
Each line in these files contains the following fields: hostnames,
bits, exponent, modulus, comment. The fields are separated by spaces.
.LP
Hostnames is a comma-separated list of patterns (\'*\' and \'?\' act as
wildcards); each pattern in turn is matched against the canonical host
name (when authenticating a client) or against the user-supplied
name (when authenticating a server). A pattern may also be preceded
by \'!\' to indicate negation: if the host name matches a negated
pattern, it is not accepted (by that line) even if it matched another
pattern on the line.
.LP
Bits, exponent, and modulus are taken directly from the host key; they
can be obtained e.g. from
.IR @ETCDIR@/ssh_host_key.pub .
The optional comment field continues to the end of the line, and is not used.
.LP
Lines starting with \'#\' and empty lines are ignored as comments.
.LP
When performing host authentication, authentication is accepted if any
matching line has the proper key. It is thus permissible (but not
recommended) to have several lines or different host keys for the same
names. This will inevitably happen when short forms of host names
from different domains are put in the file. It is possible
that the files contain conflicting information; authentication is
accepted if valid information can be found in either file.
.LP
Note that the lines in these files are typically hundreds of characters
long, and you definitely don't want to type in the host keys by hand.
Rather, generate them by a script (see
.BR make-ssh-known-hosts (1))
or by taking
.I @ETCDIR@/ssh_host_key.pub
and adding the host names at the front.

.SS Examples

closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi

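The following Python is an added example, not part of ssh or of this manual: it implements the two line formats described in the AUTHORIZED_KEYS FILE FORMAT and SSH_KNOWN_HOSTS FILE FORMAT sections above, sharing one matcher for the comma-separated pattern lists (\'*\' and \'?\' wildcards, \'!\' negation) that the from= option and the known_hosts hostnames field have in common. It also applies the quoting rules for the options field (commas and spaces inside double quotes, a backslash-escaped quote inside command=) and the idle-timeout unit suffixes. The sample lines are constructed in the style of the examples above with short fake moduli; the function names and the dict layout are my own.

```python
import re


def _glob_to_regex(pattern):
    # Only '*' and '?' are wildcards in these files; everything else is literal.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def host_matches(pattern_list, host):
    """Comma-separated patterns with '!' negation, as used by the from= option
    and the hostnames field of known_hosts: a negated match rejects the host
    even if another pattern on the same line matched it."""
    accepted = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if _glob_to_regex(pat[1:]).match(host):
                return False
        elif pat and _glob_to_regex(pat).match(host):
            accepted = True
    return accepted


def _scan_options_field(line):
    """Return (options_text, rest): the field ends at the first space outside
    double quotes; a quote inside a quoted value is escaped with a backslash."""
    quoted = False
    for i, c in enumerate(line):
        if c == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif c == " " and not quoted:
            return line[:i], line[i + 1:]
    return line, ""


def _split_options(text):
    """Split on commas outside double quotes, dropping the quotes and resolving
    backslash escapes inside them."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2; continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur))
    return items


def parse_authorized_key(line):
    """One authorized_keys line -> dict, or None for blank/comment lines.  The
    options field is present exactly when the line does not start with a digit."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line[0].isdigit():
        opt_text, line = _scan_options_field(line)
        for item in _split_options(opt_text):
            name, _, value = item.partition("=")
            options[name.lower()] = value  # option names are case insensitive
    fields = line.split(None, 3)
    if len(fields) < 3:
        raise ValueError("expected bits, exponent and modulus")
    return {"options": options, "bits": int(fields[0]), "e": int(fields[1]),
            "n": int(fields[2]), "comment": fields[3] if len(fields) > 3 else ""}


def key_accepts_host(entry, host):
    """from= is an extra check on top of RSA authentication; absent means any host."""
    pattern_list = entry["options"].get("from")
    return True if pattern_list is None else host_matches(pattern_list, host)


_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_idle_timeout(value):
    """idle-timeout value -> seconds; suffix s/m/h/d/w, no suffix means seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value)
    if not m:
        raise ValueError("bad idle-timeout value: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_known_host(line):
    """One ssh_known_hosts line: hostnames bits exponent modulus [comment]."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 4)
    if len(fields) < 4:
        raise ValueError("expected hostnames, bits, exponent and modulus")
    return {"hosts": fields[0], "bits": int(fields[1]), "e": int(fields[2]),
            "n": int(fields[3]), "comment": fields[4] if len(fields) > 4 else ""}


def host_key_known(lines, host, bits, e, n):
    """Accepted if any line whose hostnames match this host carries exactly this key."""
    for line in lines:
        entry = parse_known_host(line)
        if entry and host_matches(entry["hosts"], host) and \
                (entry["bits"], entry["e"], entry["n"]) == (bits, e, n):
            return True
    return False


# Constructed sample lines in the style of the man page examples; the moduli
# are short fake numbers, not real keys.
AUTHORIZED_KEYS = [
    "# backup key: one fixed command, no pty, no port forwarding, 30 minute idle limit",
    'command="dump /home",no-pty,no-port-forwarding,idle-timeout=30m 1024 33 232323 backup.hut.fi',
    'from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 232334 ylo@niksula',
    "1024 33 1212312314325 ylo@foo.bar",
]
KNOWN_HOSTS = [
    "closenet,closenet.hut.fi,130.233.208.41 1024 37 15993 closenet.hut.fi",
    "!evil.hut.fi,*.hut.fi 1024 41 777 wildcard-entry",
]
```

Note that the negated pattern only removes the line it appears on from consideration: in the constructed KNOWN_HOSTS above, a host rejected by the second line could still be accepted by a first line that names it, exactly as the text says ("not accepted (by that line)").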
.SH FILES
.TP
.I @ETCDIR@/sshd_config
Contains configuration data for
.BR sshd .
This file should be writable by root only, but it is recommended
(though not necessary) that it be world-readable.
.TP
.I @ETCDIR@/ssh_host_key
Contains the private part of the host key. This file is normally
created automatically by "make install", but can also be created
manually using
.BR ssh-keygen (1).
This file should only be owned by root, readable only by root, and not
accessible to others.
.TP
.I @ETCDIR@/ssh_host_key.pub
Contains the public part of the host key. This file is normally
created automatically by "make install", but can also be created
manually. This file should be world-readable but writable only by
root. Its contents should match the private part. This file is not
really used for anything; it is only provided for the convenience of
the user so its contents can be copied to known hosts files.
.TP
.I @ETCDIR@/ssh_random_seed
This file contains a seed for the random number generator. This file
should only be accessible by root.
.TP
.I @PIDDIR@/sshd.pid
Contains the process id of the
.B sshd
listening for connections (if there are several daemons running
concurrently for different ports, this contains the pid of the one
started last). The contents of this file are not sensitive; it can be
world-readable.
.TP
.I \&$HOME/\s+2.\s0ssh/authorized_keys
Lists the RSA keys that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
volume). It is recommended that it not be accessible by others. The
format of this file is described above.
.TP
.I "@ETCDIR@/ssh_known_hosts\fR and \fI$HOME/\s+2.\s0ssh/known_hosts"
These files are consulted when using rhosts with RSA host
authentication to check the public key of the host. The key must be
listed in one of these files to be accepted. (The client uses the
same files to verify that the remote host is the one we intended to
connect to.) These files should be writable only by root/the owner.
.I @ETCDIR@/ssh_known_hosts
should be world-readable, and \fI$HOME/\s+2.\s0ssh/known_hosts\fR can
but need not be world-readable.
.TP
.I /etc/nologin
If this file exists,
.B sshd
refuses to let anyone except root log in. The contents of the file
are displayed to anyone trying to log in, and non-root connections are
refused. The file should be world-readable.
.TP
.I \&$HOME/\s+2.\s0rhosts
This file contains host-username pairs, separated by a space, one per
line. The given user on the corresponding host is permitted to log in
without a password. The same file is used by rlogind and rshd.
.B Ssh
differs from rlogind
and rshd in that it requires RSA host authentication in addition to
validating the host name retrieved from domain name servers (unless
compiled with the \-\-with\-rhosts configuration option). The file must
be writable only by the user; it is recommended that it not be
accessible by others.

It is also possible to use netgroups in the file. Either host or user
name may be of the form +@groupname to specify all hosts or all users
in the group.
.TP
.I \&$HOME/\s+2.\s0shosts
For
.BR ssh ,
this file is treated exactly as \s+2.\s0rhosts. However, this file is
not used by rlogin and rshd, so using this permits access using
.B ssh
only.
.TP
.I /etc/hosts.equiv
This file is used during \s+2.\s0rhosts authentication. In the
simplest form, this file contains host names, one per line. Users on
those hosts are permitted to log in without a password, provided they
have the same user name on both machines. The host name may also be
followed by a user name; such users are permitted to log in as
.B any
user on this machine (except root). Additionally, the syntax +@group
can be used to specify netgroups. Negated entries start with \'-\'.

If the client host/user is successfully matched in this file, login is
automatically permitted provided the client and server user names are the
same. Additionally, successful RSA host authentication is normally
required. This file must be writable only by root; it is recommended
that it be world-readable.

\fBWarning: It is almost never a good idea to use user names in
hosts.equiv.\fR
Beware that it really means that the named user(s) can log in as
\fBanybody\fR,
which includes bin, daemon, adm, and other accounts that own critical
binaries and directories. Using a user name practically grants the
user root access. The only valid use for user names that I can think
of is in negative entries.
\fBNote that this warning also applies to rsh/rlogin.\fR
.TP
.I @ETCDIR@/shosts.equiv
This is processed exactly as
.IR /etc/hosts.equiv .
However, this file may be useful in environments that want to run both
rsh/rlogin and
.BR ssh .
.TP
.I /etc/environment
This file is read into the environment at login (if it exists). It
can only contain empty lines, comment lines (that start with \'#\'), and
assignment lines of the form name=value. This file is processed in
all environments (normal rsh/rlogin only process it on AIX and
potentially some other systems). The file should be writable only by
root, and should be world-readable.
.TP
.I \&$HOME/\s+2.\s0ssh/environment
This file is read into the environment after /etc/environment. It has
the same format. The file should be writable only by the user; it
need not be readable by anyone else.
.TP
.I \&$HOME/\s+2.\s0ssh/rc
If this file exists, it is run with the user's shell after reading the
environment files but before starting the user's shell or command. If
X11 spoofing is in use, this will receive the "proto cookie" pair on
standard input (and DISPLAY in the environment). This must call xauth in
that case.

The primary purpose of this file is to run any initialization routines
which may be needed before the user's home directory becomes
accessible; AFS is a particular example of such an environment.

This file will probably contain some initialization code followed by
something similar to: "if read proto cookie; then echo add $DISPLAY
$proto $cookie | xauth -q -; fi".

If this file does not exist, @ETCDIR@/sshrc is run, and if that
does not exist either, xauth is used to store the cookie.

This file should be writable only by the user, and need not be
readable by anyone else.
.TP
.I @ETCDIR@/sshrc
Like $HOME/\s+2.\s0ssh/rc, but run with /bin/sh. This can be used to specify
machine-specific login-time initializations globally. This file
should be writable only by root, and should be world-readable.
.TP
.I @ETCDIR@/sshd_tis.map
Establishes a mapping between a local username and its corresponding
name in the TIS database. Each line contains the local name followed
by a ":" followed by the corresponding name. If the file does not
exist or the user is not found, the corresponding name in the TIS
database is supposed to be the same.

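As an added example (my own code, not part of ssh or of this manual), the Python below turns the ownership and mode requirements stated in the FILES section into a check that can be run against an installation. The translation of phrases such as "writable only by root" and "not accessible by others" into permission bit masks is my reading of the text, and where the text only says "recommended" the stricter reading is used. build_demo_tree creates a throwaway directory layout with two deliberate mistakes so the audit can be seen to fire; audit_tree takes the root uid as a parameter only so that such a tree, owned by an unprivileged user, can be checked. Pass @ETCDIR@ and a real home directory to audit_tree to check a live system.

```python
import os
import stat
import tempfile

GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OTHER_ALL = stat.S_IRWXG | stat.S_IRWXO

# name -> (must be root owned, permission bits that must be clear).  Names
# starting with '.' live under $HOME, the rest under @ETCDIR@.  The bit masks
# are my reading of the FILES section; they are not ssh's own checks.
RULES = {
    "sshd_config": (True, GROUP_OTHER_WRITE),          # writable by root only
    "ssh_host_key": (True, GROUP_OTHER_ALL),           # readable only by root
    "ssh_host_key.pub": (True, GROUP_OTHER_WRITE),     # world-readable, root-writable
    "ssh_random_seed": (True, GROUP_OTHER_ALL),        # accessible only by root
    "ssh_known_hosts": (True, GROUP_OTHER_WRITE),
    "sshrc": (True, GROUP_OTHER_WRITE),
    "shosts.equiv": (True, GROUP_OTHER_WRITE),
    ".ssh/authorized_keys": (False, GROUP_OTHER_ALL),  # recommended: not accessible by others
    ".ssh/known_hosts": (False, GROUP_OTHER_WRITE),
    ".ssh/environment": (False, GROUP_OTHER_WRITE),
    ".ssh/rc": (False, GROUP_OTHER_WRITE),
    ".rhosts": (False, GROUP_OTHER_ALL),
    ".shosts": (False, GROUP_OTHER_ALL),
}


def audit_file(path, expected_uid, forbidden_bits):
    """Findings for one file (empty list means compliant); None if the file
    is absent, since every file in RULES is optional."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink")
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & forbidden_bits:
        findings.append("mode %o has forbidden bits %o" % (mode, mode & forbidden_bits))
    return findings


def audit_tree(etcdir, home, owner_uid, root_uid=0):
    """Apply RULES to one installation and return {name: findings} for the
    files that exist."""
    results = {}
    for name, (root_owned, forbidden) in RULES.items():
        in_home = name.startswith(".")
        path = os.path.join(home if in_home else etcdir, name)
        findings = audit_file(path, owner_uid if in_home else root_uid, forbidden)
        if findings is not None:
            results[name] = findings
    return results


def build_demo_tree():
    """Constructed @ETCDIR@/$HOME layout with two deliberate mistakes (test
    data, not a real installation).  Returns (etcdir, home)."""
    base = tempfile.mkdtemp(prefix="sshd-files-audit-")
    etcdir, home = os.path.join(base, "etc"), os.path.join(base, "home")
    os.makedirs(etcdir)
    os.makedirs(os.path.join(home, ".ssh"))
    modes = {
        "sshd_config": 0o644,
        "ssh_host_key": 0o644,         # mistake: private host key world-readable
        "ssh_host_key.pub": 0o644,
        "ssh_random_seed": 0o600,
        ".ssh/authorized_keys": 0o600,
        ".ssh/known_hosts": 0o644,
        ".rhosts": 0o620,              # mistake: group-writable
    }
    for name, mode in modes.items():
        path = os.path.join(home if name.startswith(".") else etcdir, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return etcdir, home


def demo_audit():
    """Audit the demo tree; its files are owned by us, so our uid stands in for root."""
    etcdir, home = build_demo_tree()
    return audit_tree(etcdir, home, owner_uid=os.getuid(), root_uid=os.getuid())


if __name__ == "__main__":
    for name, findings in sorted(demo_audit().items()):
        print("%-24s %s" % (name, "; ".join(findings) or "ok"))
```

Running the block prints one line per existing file; only ssh_host_key and .rhosts report findings. A symlink is flagged separately because the mode of the link itself says nothing about the target.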
.SH INSTALLATION
.LP
.B Sshd
is normally run as root. If it is not run as root, it can
only log in as the user it is running as, and password authentication
may not work if the system uses shadow passwords. An alternative
host key file must also be used.
.LP
.B Sshd
is normally started from
.I /etc/rc.local
or equivalent at system boot.
.LP
Considerable work has been put into making
.B sshd
secure. However, if you find a security problem, please report it
immediately to <ssh-bugs@cs.hut.fi>.

.SH AUTHOR
.LP
Tatu Ylonen <ylo@ssh.fi>
.LP
Information about new releases, mailing lists, and other related
issues can be found from the ssh WWW home page at
http://www.cs.hut.fi/ssh.

.SH SEE ALSO
.LP
.BR ssh (1),
.BR make-ssh-known-hosts (1),
.BR ssh-keygen (1),
.BR ssh-agent (1),
.BR ssh-add (1),
.BR scp (1),
.BR rlogin (1),
.BR rsh (1)