version 1.11, 2013/11/08 19:18:25 |
version 1.11.4.1, 2015/04/30 06:07:31 |
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" |
.\" |
.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $ |
.\" $OpenBSD: sshd.8,v 1.278 2014/11/15 14:41:03 bentley Exp $ |
.Dd June 27 2013 |
.Dd November 15 2014 |
.Dt SSHD 8 |
.Dt SSHD 8 |
.Os |
.Os |
.Sh NAME |
.Sh NAME |
|
|
.Nm |
.Nm |
(OpenSSH Daemon) is the daemon program for |
(OpenSSH Daemon) is the daemon program for |
.Xr ssh 1 . |
.Xr ssh 1 . |
Together these programs replace |
Together these programs replace rlogin and rsh, |
.Xr rlogin 1 |
|
and |
|
.Xr rsh 1 , |
|
and provide secure encrypted communications between two untrusted hosts |
and provide secure encrypted communications between two untrusted hosts |
over an insecure network. |
over an insecure network. |
.Pp |
.Pp |
|
|
.Pa /etc/ssh/ssh_host_key |
.Pa /etc/ssh/ssh_host_key |
for protocol version 1, and |
for protocol version 1, and |
.Pa /etc/ssh/ssh_host_dsa_key , |
.Pa /etc/ssh/ssh_host_dsa_key , |
.Pa /etc/ssh/ssh_host_ecdsa_key |
.Pa /etc/ssh/ssh_host_ecdsa_key . |
|
.Pa /etc/ssh/ssh_host_ed25519_key |
and |
and |
.Pa /etc/ssh/ssh_host_rsa_key |
.Pa /etc/ssh/ssh_host_rsa_key |
for protocol version 2. |
for protocol version 2. |
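Review bot: the punctuation after `.Pa /etc/ssh/ssh_host_ecdsa_key` in the new column is a period where the list needs a comma; rendered, the protocol-2 host key list reads "ssh_host_dsa_key, ssh_host_ecdsa_key. ssh_host_ed25519_key and ssh_host_rsa_key", so the Ed25519 entry inserted right after it is cut off from its sentence. Change `.Pa /etc/ssh/ssh_host_ecdsa_key .` to `.Pa /etc/ssh/ssh_host_ecdsa_key ,`. Replacing the `.Xr rlogin 1` / `.Xr rsh 1` cross-references with plain "rlogin and rsh" is correct if those pages are no longer in the tree, and plain text (not `.Nm`) is the right markup for names that no longer resolve.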
Line 282 though this can be changed via the |
|
Line 280 though this can be changed via the |
|
.Cm Protocol |
.Cm Protocol |
option in |
option in |
.Xr sshd_config 5 . |
.Xr sshd_config 5 . |
Protocol 2 supports DSA, ECDSA and RSA keys; |
Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys; |
protocol 1 only supports RSA keys. |
protocol 1 only supports RSA keys. |
For both protocols, |
For both protocols, |
each host has a host-specific key, |
each host has a host-specific key, |
Line 385 Changes to user's home directory. |
|
Line 383 Changes to user's home directory. |
|
.It |
.It |
If |
If |
.Pa ~/.ssh/rc |
.Pa ~/.ssh/rc |
exists, runs it; else if |
exists and the |
|
.Xr sshd_config 5 |
|
.Cm PermitUserRC |
|
option is set, runs it; else if |
.Pa /etc/ssh/sshrc |
.Pa /etc/ssh/sshrc |
exists, runs |
exists, runs |
it; otherwise runs xauth. |
it; otherwise runs xauth. |
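Review bot: the new `PermitUserRC` condition leaves its default unstated, and that matters here because this is the login sequence and ~/.ssh/rc is user-controlled content executed by sshd; a reader hardening restricted accounts needs to know from this paragraph whether the file is honoured unless they explicitly turn the option off. State the default inline (or "see PermitUserRC in sshd_config(5), default ...") rather than relying on the bare cross-reference. Also make the fall-through explicit: the new wording "else if /etc/ssh/sshrc exists, runs it" implies that when ~/.ssh/rc exists but the option is off, the system-wide sshrc still runs; if that is the intended behaviour, say so in one clause so nobody reads it as "nothing runs".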
Line 469 For protocol version 2 the keytype is |
|
Line 470 For protocol version 2 the keytype is |
|
.Dq ecdsa-sha2-nistp256 , |
.Dq ecdsa-sha2-nistp256 , |
.Dq ecdsa-sha2-nistp384 , |
.Dq ecdsa-sha2-nistp384 , |
.Dq ecdsa-sha2-nistp521 , |
.Dq ecdsa-sha2-nistp521 , |
|
.Dq ssh-ed25519 , |
.Dq ssh-dss |
.Dq ssh-dss |
or |
or |
.Dq ssh-rsa . |
.Dq ssh-rsa . |
Line 481 You don't want to type them in; instead, |
|
Line 483 You don't want to type them in; instead, |
|
.Pa identity.pub , |
.Pa identity.pub , |
.Pa id_dsa.pub , |
.Pa id_dsa.pub , |
.Pa id_ecdsa.pub , |
.Pa id_ecdsa.pub , |
|
.Pa id_ed25519.pub , |
or the |
or the |
.Pa id_rsa.pub |
.Pa id_rsa.pub |
file and edit it. |
file and edit it. |
Line 576 Disables execution of |
|
Line 579 Disables execution of |
|
Forbids X11 forwarding when this key is used for authentication. |
Forbids X11 forwarding when this key is used for authentication. |
Any X11 forward requests by the client will return an error. |
Any X11 forward requests by the client will return an error. |
.It Cm permitopen="host:port" |
.It Cm permitopen="host:port" |
Limit local |
Limit local port forwarding with |
.Li ``ssh -L'' |
.Xr ssh 1 |
port forwarding such that it may only connect to the specified host and |
.Fl L |
port. |
such that it may only connect to the specified host and port. |
IPv6 addresses can be specified by enclosing the address in square brackets. |
IPv6 addresses can be specified by enclosing the address in square brackets. |
Multiple |
Multiple |
.Cm permitopen |
.Cm permitopen |
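Review bot: the reworded sentence says "local port forwarding" only; add that remote (-R) forwards requested by the client are not constrained by `permitopen`, because the option name reads like a general forwarding restriction and an administrator attaching it to a restricted key may assume it also bounds reverse tunnels. The switch from the literal ``ssh -L'' to `.Xr ssh 1` followed by `.Fl L` is the right mdoc markup; since they sit on separate lines they are joined with a space in the output, which keeps the rendered phrase "ssh -L" intact.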
Line 780 secret, but the recommended permissions |
|
Line 783 secret, but the recommended permissions |
|
and not accessible by others. |
and not accessible by others. |
.Pp |
.Pp |
.It Pa ~/.ssh/authorized_keys |
.It Pa ~/.ssh/authorized_keys |
Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in |
Lists the public keys (DSA, ECDSA, Ed25519, RSA) |
as this user. |
that can be used for logging in as this user. |
The format of this file is described above. |
The format of this file is described above. |
The content of the file is not highly sensitive, but the recommended |
The content of the file is not highly sensitive, but the recommended |
permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
Line 823 the user's home directory becomes access |
|
Line 826 the user's home directory becomes access |
|
This file should be writable only by the user, and need not be |
This file should be writable only by the user, and need not be |
readable by anyone else. |
readable by anyone else. |
.Pp |
.Pp |
.It Pa /etc/hosts.allow |
|
.It Pa /etc/hosts.deny |
|
Access controls that should be enforced by tcp-wrappers are defined here. |
|
Further details are described in |
|
.Xr hosts_access 5 . |
|
.Pp |
|
.It Pa /etc/hosts.equiv |
.It Pa /etc/hosts.equiv |
This file is for host-based authentication (see |
This file is for host-based authentication (see |
.Xr ssh 1 ) . |
.Xr ssh 1 ) . |
|
|
.It Pa /etc/ssh/ssh_host_key |
.It Pa /etc/ssh/ssh_host_key |
.It Pa /etc/ssh/ssh_host_dsa_key |
.It Pa /etc/ssh/ssh_host_dsa_key |
.It Pa /etc/ssh/ssh_host_ecdsa_key |
.It Pa /etc/ssh/ssh_host_ecdsa_key |
|
.It Pa /etc/ssh/ssh_host_ed25519_key |
.It Pa /etc/ssh/ssh_host_rsa_key |
.It Pa /etc/ssh/ssh_host_rsa_key |
These files contain the private parts of the host keys. |
These files contain the private parts of the host keys. |
These files should only be owned by root, readable only by root, and not |
These files should only be owned by root, readable only by root, and not |
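Review bot: dropping the /etc/hosts.allow and /etc/hosts.deny entries removes tcp-wrappers from this page with no replacement guidance, so an administrator who restricted sshd only through /etc/hosts.deny loses that control silently on upgrade. Add one sentence, here or under sshd_config(5), pointing at the remaining mechanisms (Match Address blocks together with the Allow/Deny user and group options, or a packet filter in front of the listener), and check that no other part of the page still refers to hosts_access(5) so the FILES and SEE ALSO sections stay consistent. The `ssh_host_ed25519_key` entry added to the private-key list matches the other entries and needs no change.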
Line 872 does not start if these files are group/ |
|
Line 870 does not start if these files are group/ |
|
.It Pa /etc/ssh/ssh_host_key.pub |
.It Pa /etc/ssh/ssh_host_key.pub |
.It Pa /etc/ssh/ssh_host_dsa_key.pub |
.It Pa /etc/ssh/ssh_host_dsa_key.pub |
.It Pa /etc/ssh/ssh_host_ecdsa_key.pub |
.It Pa /etc/ssh/ssh_host_ecdsa_key.pub |
|
.It Pa /etc/ssh/ssh_host_ed25519_key.pub |
.It Pa /etc/ssh/ssh_host_rsa_key.pub |
.It Pa /etc/ssh/ssh_host_rsa_key.pub |
These files contain the public parts of the host keys. |
These files contain the public parts of the host keys. |
These files should be world-readable but writable only by |
These files should be world-readable but writable only by |
Line 930 The content of this file is not sensitiv |
|
Line 929 The content of this file is not sensitiv |
|
.Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
.Xr ssh-keyscan 1 , |
.Xr ssh-keyscan 1 , |
.Xr chroot 2 , |
.Xr chroot 2 , |
.Xr hosts_access 5 , |
|
.Xr login.conf 5 , |
.Xr login.conf 5 , |
.Xr moduli 5 , |
.Xr moduli 5 , |
.Xr sshd_config 5 , |
.Xr sshd_config 5 , |
Line 947 Markus Friedl contributed the support fo |
|
Line 945 Markus Friedl contributed the support fo |
|
protocol versions 1.5 and 2.0. |
protocol versions 1.5 and 2.0. |
Niels Provos and Markus Friedl contributed support |
Niels Provos and Markus Friedl contributed support |
for privilege separation. |
for privilege separation. |
.Sh CAVEATS |
|
System security is not improved unless |
|
.Nm rshd , |
|
.Nm rlogind , |
|
and |
|
.Nm rexecd |
|
are disabled (thus completely disabling |
|
.Xr rlogin |
|
and |
|
.Xr rsh |
|
into the machine). |
|
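Review bot: deleting the CAVEATS section removes the only warning that running sshd does not improve security while rshd, rlogind and rexecd remain enabled. Dropping the rlogin(1)/rsh(1) cross-references earlier in the diff is consistent with those pages being gone from the base system, but the advice itself is not obsolete everywhere this manual ships; keep a one-line caveat that any legacy r-services must be disabled (without the `.Xr` references), or move it into sshd_config(5), rather than removing it outright.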