--- version 1.1.1.22, 2021/04/19 14:38:29
+++ version 1.1.1.23, 2021/09/02 11:22:30
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.314 2021/04/03 05:46:41 djm Exp $
-.Dd $Mdocdate: April 3 2021 $
+.\" $OpenBSD: sshd.8,v 1.316 2021/07/30 14:28:13 jmc Exp $
+.Dd $Mdocdate: July 30 2021 $
 .Dt SSHD 8
 .Os
 .Sh NAME

 .Nm
 (OpenSSH Daemon) is the daemon program for
 .Xr ssh 1 .
-Together these programs replace rlogin and rsh,
-and provide secure encrypted communications between two untrusted hosts
+It provides secure encrypted communications between two untrusted hosts
 over an insecure network.
 .Pp
 .Nm

 .Fl C
 options or as a comma-separated list.
 The keywords are
-.Dq addr,
+.Dq addr ,
 .Dq user ,
 .Dq host ,
 .Dq laddr ,

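Review bot: the space before the comma is the correct mdoc form here. With `.Dq addr,` the comma is part of the macro's single argument and is rendered inside the quotes ("addr,"), whereas `.Dq addr ,` makes mdoc treat the comma as trailing punctuation and place it after the closing quote, which is exactly what the following `.Dq user ,`, `.Dq host ,` and `.Dq laddr ,` lines already do.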
 Debug mode.
 The server sends verbose debug output to standard error,
 and does not put itself in the background.
-The server also will not fork and will only process one connection.
+The server also will not
+.Xr fork 2
+and will only process one connection.
 This option is only intended for debugging for the server.
 Multiple
 .Fl d

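Review bot: style point on the unchanged context line "This option is only intended for debugging for the server.": "debugging for the server" is awkward, and since this hunk already rewrites the -d paragraph it would be a cheap fix to make it "debugging the server". The `.Xr fork 2` split itself is fine; once rendered the sentence still reads "The server also will not fork(2) and will only process one connection."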
 option is set, runs it; else if
 .Pa /etc/ssh/sshrc
 exists, runs
-it; otherwise runs xauth.
+it; otherwise runs
+.Xr xauth 1 .
 The
 .Dq rc
 files are given the X11

 .Pp
 An example authorized_keys file:
 .Bd -literal -offset 3n
-# Comments allowed at start of line
-ssh-rsa AAAAB3Nza...LiPk== user@example.net
-from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
-AAAAB2...19Q== john@example.net
-command="dump /home",no-pty,no-port-forwarding ssh-rsa
-AAAAC3...51R== example.net
-permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa
-AAAAB5...21S==
-permitlisten="localhost:8080",permitopen="localhost:22000" ssh-rsa
-AAAAB5...21S==
-tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
-jane@example.net
-restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
-user@example.net
-restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
-user@example.net
-no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==
-user@example.net
+# Comments are allowed at start of line. Blank lines are allowed.
+# Plain key, no restrictions
+ssh-rsa ...
+# Forced command, disable PTY and all forwarding
+restrict,command="dump /home" ssh-rsa ...
+# Restriction of ssh -L forwarding destinations
+permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ...
+# Restriction of ssh -R forwarding listeners
+permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ...
+# Configuration for tunnel forwarding
+tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ...
+# Override of restriction to allow PTY allocation
+restrict,pty,command="nethack" ssh-rsa ...
+# Allow FIDO key without requiring touch
+no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ...
+# Require user-verification (e.g. PIN or biometric) for FIDO key
+verify-required sk-ecdsa-sha2-nistp256@openssh.com ...
+# Trust CA key, allow touch-less FIDO if requested in certificate
+cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
 .Ed
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The
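Review bot: the rewritten block drops the `from=` example (the old `from="*.sales.example.net,!pc.sales.example.net" ssh-rsa` line has no counterpart in the new text) while every other restriction keeps a commented example; since restricting a key to a set of source hosts is one of the most commonly used options, consider adding one commented `from=` line next to "# Plain key, no restrictions". The rest of the hunk reads as improvements: `permitlisten="localhost:8080",permitlisten="[::1]:22000"` fixes the old line, which mixed a `permitopen` (-L) entry into the -R listener example; `restrict,command="dump /home"` matches its new comment "disable PTY and all forwarding", which the old `no-pty,no-port-forwarding` pair did not fully deliver because it leaves agent and X11 forwarding enabled; and replacing the truncated `AAAAB3Nza...LiPk==` style key material with `...` removes blobs that readers could mistake for real keys.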