1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is 9.\" incompatible with the protocol description in the RFC file, it must be 10.\" called by a name other than "ssh" or "Secure Shell". 11.\" 12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 15.\" 16.\" Redistribution and use in source and binary forms, with or without 17.\" modification, are permitted provided that the following conditions 18.\" are met: 19.\" 1. Redistributions of source code must retain the above copyright 20.\" notice, this list of conditions and the following disclaimer. 21.\" 2. Redistributions in binary form must reproduce the above copyright 22.\" notice, this list of conditions and the following disclaimer in the 23.\" documentation and/or other materials provided with the distribution. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" 36.\" $OpenBSD: sshd.8,v 1.276 2014/07/03 22:40:43 djm Exp $ 37.Dd $Mdocdate: July 3 2014 $ 38.Dt SSHD 8 39.Os 40.Sh NAME 41.Nm sshd 42.Nd OpenSSH SSH daemon 43.Sh SYNOPSIS 44.Nm sshd 45.Bk -words 46.Op Fl 46DdeiqTt 47.Op Fl b Ar bits 48.Op Fl C Ar connection_spec 49.Op Fl c Ar host_certificate_file 50.Op Fl E Ar log_file 51.Op Fl f Ar config_file 52.Op Fl g Ar login_grace_time 53.Op Fl h Ar host_key_file 54.Op Fl k Ar key_gen_time 55.Op Fl o Ar option 56.Op Fl p Ar port 57.Op Fl u Ar len 58.Ek 59.Sh DESCRIPTION 60.Nm 61(OpenSSH Daemon) is the daemon program for 62.Xr ssh 1 . 63Together these programs replace rlogin and rsh, 64and provide secure encrypted communications between two untrusted hosts 65over an insecure network. 66.Pp 67.Nm 68listens for connections from clients. 69It is normally started at boot from 70.Pa /etc/rc.d/sshd . 71It forks a new 72daemon for each incoming connection. 73The forked daemons handle 74key exchange, encryption, authentication, command execution, 75and data exchange. 76.Pp 77.Nm 78can be configured using command-line options or a configuration file 79(by default 80.Xr sshd_config 5 ) ; 81command-line options override values specified in the 82configuration file. 83.Nm 84rereads its configuration file when it receives a hangup signal, 85.Dv SIGHUP , 86by executing itself with the name and options it was started with, e.g.\& 87.Pa /usr/sbin/sshd . 88.Pp 89The options are as follows: 90.Bl -tag -width Ds 91.It Fl 4 92Forces 93.Nm 94to use IPv4 addresses only. 95.It Fl 6 96Forces 97.Nm 98to use IPv6 addresses only. 99.It Fl b Ar bits 100Specifies the number of bits in the ephemeral protocol version 1 101server key (default 1024). 102.It Fl C Ar connection_spec 103Specify the connection parameters to use for the 104.Fl T 105extended test mode. 106If provided, any 107.Cm Match 108directives in the configuration file 109that would apply to the specified user, host, and address will be set before 110the configuration is written to standard output. 111The connection parameters are supplied as keyword=value pairs. 112The keywords are 113.Dq user , 114.Dq host , 115.Dq laddr , 116.Dq lport , 117and 118.Dq addr . 119All are required and may be supplied in any order, either with multiple 120.Fl C 121options or as a comma-separated list. 122.It Fl c Ar host_certificate_file 123Specifies a path to a certificate file to identify 124.Nm 125during key exchange. 126The certificate file must match a host key file specified using the 127.Fl h 128option or the 129.Cm HostKey 130configuration directive. 131.It Fl D 132When this option is specified, 133.Nm 134will not detach and does not become a daemon. 135This allows easy monitoring of 136.Nm sshd . 137.It Fl d 138Debug mode. 139The server sends verbose debug output to standard error, 140and does not put itself in the background. 141The server also will not fork and will only process one connection. 142This option is only intended for debugging for the server. 143Multiple 144.Fl d 145options increase the debugging level. 146Maximum is 3. 147.It Fl E Ar log_file 148Append debug logs to 149.Ar log_file 150instead of the system log. 151.It Fl e 152Write debug logs to standard error instead of the system log. 153.It Fl f Ar config_file 154Specifies the name of the configuration file. 155The default is 156.Pa /etc/ssh/sshd_config . 157.Nm 158refuses to start if there is no configuration file. 159.It Fl g Ar login_grace_time 160Gives the grace time for clients to authenticate themselves (default 161120 seconds). 162If the client fails to authenticate the user within 163this many seconds, the server disconnects and exits. 164A value of zero indicates no limit. 165.It Fl h Ar host_key_file 166Specifies a file from which a host key is read. 167This option must be given if 168.Nm 169is not run as root (as the normal 170host key files are normally not readable by anyone but root). 171The default is 172.Pa /etc/ssh/ssh_host_key 173for protocol version 1, and 174.Pa /etc/ssh/ssh_host_dsa_key , 175.Pa /etc/ssh/ssh_host_ecdsa_key . 176.Pa /etc/ssh/ssh_host_ed25519_key 177and 178.Pa /etc/ssh/ssh_host_rsa_key 179for protocol version 2. 180It is possible to have multiple host key files for 181the different protocol versions and host key algorithms. 182.It Fl i 183Specifies that 184.Nm 185is being run from 186.Xr inetd 8 . 187.Nm 188is normally not run 189from inetd because it needs to generate the server key before it can 190respond to the client, and this may take tens of seconds. 191Clients would have to wait too long if the key was regenerated every time. 192However, with small key sizes (e.g. 512) using 193.Nm 194from inetd may 195be feasible. 196.It Fl k Ar key_gen_time 197Specifies how often the ephemeral protocol version 1 server key is 198regenerated (default 3600 seconds, or one hour). 199The motivation for regenerating the key fairly 200often is that the key is not stored anywhere, and after about an hour 201it becomes impossible to recover the key for decrypting intercepted 202communications even if the machine is cracked into or physically 203seized. 204A value of zero indicates that the key will never be regenerated. 205.It Fl o Ar option 206Can be used to give options in the format used in the configuration file. 207This is useful for specifying options for which there is no separate 208command-line flag. 209For full details of the options, and their values, see 210.Xr sshd_config 5 . 211.It Fl p Ar port 212Specifies the port on which the server listens for connections 213(default 22). 214Multiple port options are permitted. 215Ports specified in the configuration file with the 216.Cm Port 217option are ignored when a command-line port is specified. 218Ports specified using the 219.Cm ListenAddress 220option override command-line ports. 221.It Fl q 222Quiet mode. 223Nothing is sent to the system log. 224Normally the beginning, 225authentication, and termination of each connection is logged. 226.It Fl T 227Extended test mode. 228Check the validity of the configuration file, output the effective configuration 229to stdout and then exit. 230Optionally, 231.Cm Match 232rules may be applied by specifying the connection parameters using one or more 233.Fl C 234options. 235.It Fl t 236Test mode. 237Only check the validity of the configuration file and sanity of the keys. 238This is useful for updating 239.Nm 240reliably as configuration options may change. 241.It Fl u Ar len 242This option is used to specify the size of the field 243in the 244.Li utmp 245structure that holds the remote host name. 246If the resolved host name is longer than 247.Ar len , 248the dotted decimal value will be used instead. 249This allows hosts with very long host names that 250overflow this field to still be uniquely identified. 251Specifying 252.Fl u0 253indicates that only dotted decimal addresses 254should be put into the 255.Pa utmp 256file. 257.Fl u0 258may also be used to prevent 259.Nm 260from making DNS requests unless the authentication 261mechanism or configuration requires it. 262Authentication mechanisms that may require DNS include 263.Cm RhostsRSAAuthentication , 264.Cm HostbasedAuthentication , 265and using a 266.Cm from="pattern-list" 267option in a key file. 268Configuration options that require DNS include using a 269USER@HOST pattern in 270.Cm AllowUsers 271or 272.Cm DenyUsers . 273.El 274.Sh AUTHENTICATION 275The OpenSSH SSH daemon supports SSH protocols 1 and 2. 276The default is to use protocol 2 only, 277though this can be changed via the 278.Cm Protocol 279option in 280.Xr sshd_config 5 . 281Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys; 282protocol 1 only supports RSA keys. 283For both protocols, 284each host has a host-specific key, 285normally 2048 bits, 286used to identify the host. 287.Pp 288Forward security for protocol 1 is provided through 289an additional server key, 290normally 768 bits, 291generated when the server starts. 292This key is normally regenerated every hour if it has been used, and 293is never stored on disk. 294Whenever a client connects, the daemon responds with its public 295host and server keys. 296The client compares the 297RSA host key against its own database to verify that it has not changed. 298The client then generates a 256-bit random number. 299It encrypts this 300random number using both the host key and the server key, and sends 301the encrypted number to the server. 302Both sides then use this 303random number as a session key which is used to encrypt all further 304communications in the session. 305The rest of the session is encrypted 306using a conventional cipher, currently Blowfish or 3DES, with 3DES 307being used by default. 308The client selects the encryption algorithm 309to use from those offered by the server. 310.Pp 311For protocol 2, 312forward security is provided through a Diffie-Hellman key agreement. 313This key agreement results in a shared session key. 314The rest of the session is encrypted using a symmetric cipher, currently 315128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. 316The client selects the encryption algorithm 317to use from those offered by the server. 318Additionally, session integrity is provided 319through a cryptographic message authentication code 320(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160, 321hmac-sha2-256 or hmac-sha2-512). 322.Pp 323Finally, the server and the client enter an authentication dialog. 324The client tries to authenticate itself using 325host-based authentication, 326public key authentication, 327challenge-response authentication, 328or password authentication. 329.Pp 330Regardless of the authentication type, the account is checked to 331ensure that it is accessible. An account is not accessible if it is 332locked, listed in 333.Cm DenyUsers 334or its group is listed in 335.Cm DenyGroups 336\&. The definition of a locked account is system dependant. Some platforms 337have their own account database (eg AIX) and some modify the passwd field ( 338.Ql \&*LK\&* 339on Solaris and UnixWare, 340.Ql \&* 341on HP-UX, containing 342.Ql Nologin 343on Tru64, 344a leading 345.Ql \&*LOCKED\&* 346on FreeBSD and a leading 347.Ql \&! 348on most Linuxes). 349If there is a requirement to disable password authentication 350for the account while allowing still public-key, then the passwd field 351should be set to something other than these values (eg 352.Ql NP 353or 354.Ql \&*NP\&* 355). 356.Pp 357If the client successfully authenticates itself, a dialog for 358preparing the session is entered. 359At this time the client may request 360things like allocating a pseudo-tty, forwarding X11 connections, 361forwarding TCP connections, or forwarding the authentication agent 362connection over the secure channel. 363.Pp 364After this, the client either requests a shell or execution of a command. 365The sides then enter session mode. 366In this mode, either side may send 367data at any time, and such data is forwarded to/from the shell or 368command on the server side, and the user terminal in the client side. 369.Pp 370When the user program terminates and all forwarded X11 and other 371connections have been closed, the server sends command exit status to 372the client, and both sides exit. 373.Sh LOGIN PROCESS 374When a user successfully logs in, 375.Nm 376does the following: 377.Bl -enum -offset indent 378.It 379If the login is on a tty, and no command has been specified, 380prints last login time and 381.Pa /etc/motd 382(unless prevented in the configuration file or by 383.Pa ~/.hushlogin ; 384see the 385.Sx FILES 386section). 387.It 388If the login is on a tty, records login time. 389.It 390Checks 391.Pa /etc/nologin and 392.Pa /var/run/nologin ; 393if one exists, it prints the contents and quits 394(unless root). 395.It 396Changes to run with normal user privileges. 397.It 398Sets up basic environment. 399.It 400Reads the file 401.Pa ~/.ssh/environment , 402if it exists, and users are allowed to change their environment. 403See the 404.Cm PermitUserEnvironment 405option in 406.Xr sshd_config 5 . 407.It 408Changes to user's home directory. 409.It 410If 411.Pa ~/.ssh/rc 412exists and the 413.Xr sshd_config 5 414.Cm PermitUserRC 415option is set, runs it; else if 416.Pa /etc/ssh/sshrc 417exists, runs 418it; otherwise runs 419.Xr xauth 1 . 420The 421.Dq rc 422files are given the X11 423authentication protocol and cookie (if applicable) in standard input. 424See 425.Sx SSHRC , 426below. 427.It 428Runs user's shell or command. 429.El 430.Sh SSHRC 431If the file 432.Pa ~/.ssh/rc 433exists, 434.Xr sh 1 435runs it after reading the 436environment files but before starting the user's shell or command. 437It must not produce any output on stdout; stderr must be used 438instead. 439If X11 forwarding is in use, it will receive the "proto cookie" pair in 440its standard input (and 441.Ev DISPLAY 442in its environment). 443The script must call 444.Xr xauth 1 445because 446.Nm 447will not run xauth automatically to add X11 cookies. 448.Pp 449The primary purpose of this file is to run any initialization routines 450which may be needed before the user's home directory becomes 451accessible; AFS is a particular example of such an environment. 452.Pp 453This file will probably contain some initialization code followed by 454something similar to: 455.Bd -literal -offset 3n 456if read proto cookie && [ -n "$DISPLAY" ]; then 457 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then 458 # X11UseLocalhost=yes 459 echo add unix:`echo $DISPLAY | 460 cut -c11-` $proto $cookie 461 else 462 # X11UseLocalhost=no 463 echo add $DISPLAY $proto $cookie 464 fi | xauth -q - 465fi 466.Ed 467.Pp 468If this file does not exist, 469.Pa /etc/ssh/sshrc 470is run, and if that 471does not exist either, xauth is used to add the cookie. 472.Sh AUTHORIZED_KEYS FILE FORMAT 473.Cm AuthorizedKeysFile 474specifies the files containing public keys for 475public key authentication; 476if none is specified, the default is 477.Pa ~/.ssh/authorized_keys 478and 479.Pa ~/.ssh/authorized_keys2 . 480Each line of the file contains one 481key (empty lines and lines starting with a 482.Ql # 483are ignored as 484comments). 485Protocol 1 public keys consist of the following space-separated fields: 486options, bits, exponent, modulus, comment. 487Protocol 2 public key consist of: 488options, keytype, base64-encoded key, comment. 489The options field is optional; 490its presence is determined by whether the line starts 491with a number or not (the options field never starts with a number). 492The bits, exponent, modulus, and comment fields give the RSA key for 493protocol version 1; the 494comment field is not used for anything (but may be convenient for the 495user to identify the key). 496For protocol version 2 the keytype is 497.Dq ecdsa-sha2-nistp256 , 498.Dq ecdsa-sha2-nistp384 , 499.Dq ecdsa-sha2-nistp521 , 500.Dq ssh-ed25519 , 501.Dq ssh-dss 502or 503.Dq ssh-rsa . 504.Pp 505Note that lines in this file are usually several hundred bytes long 506(because of the size of the public key encoding) up to a limit of 5078 kilobytes, which permits DSA keys up to 8 kilobits and RSA 508keys up to 16 kilobits. 509You don't want to type them in; instead, copy the 510.Pa identity.pub , 511.Pa id_dsa.pub , 512.Pa id_ecdsa.pub , 513.Pa id_ed25519.pub , 514or the 515.Pa id_rsa.pub 516file and edit it. 517.Pp 518.Nm 519enforces a minimum RSA key modulus size for protocol 1 520and protocol 2 keys of 768 bits. 521.Pp 522The options (if present) consist of comma-separated option 523specifications. 524No spaces are permitted, except within double quotes. 525The following option specifications are supported (note 526that option keywords are case-insensitive): 527.Bl -tag -width Ds 528.It Cm cert-authority 529Specifies that the listed key is a certification authority (CA) that is 530trusted to validate signed certificates for user authentication. 531.Pp 532Certificates may encode access restrictions similar to these key options. 533If both certificate restrictions and key options are present, the most 534restrictive union of the two is applied. 535.It Cm command="command" 536Specifies that the command is executed whenever this key is used for 537authentication. 538The command supplied by the user (if any) is ignored. 539The command is run on a pty if the client requests a pty; 540otherwise it is run without a tty. 541If an 8-bit clean channel is required, 542one must not request a pty or should specify 543.Cm no-pty . 544A quote may be included in the command by quoting it with a backslash. 545This option might be useful 546to restrict certain public keys to perform just a specific operation. 547An example might be a key that permits remote backups but nothing else. 548Note that the client may specify TCP and/or X11 549forwarding unless they are explicitly prohibited. 550The command originally supplied by the client is available in the 551.Ev SSH_ORIGINAL_COMMAND 552environment variable. 553Note that this option applies to shell, command or subsystem execution. 554Also note that this command may be superseded by either a 555.Xr sshd_config 5 556.Cm ForceCommand 557directive or a command embedded in a certificate. 558.It Cm environment="NAME=value" 559Specifies that the string is to be added to the environment when 560logging in using this key. 561Environment variables set this way 562override other default environment values. 563Multiple options of this type are permitted. 564Environment processing is disabled by default and is 565controlled via the 566.Cm PermitUserEnvironment 567option. 568This option is automatically disabled if 569.Cm UseLogin 570is enabled. 571.It Cm from="pattern-list" 572Specifies that in addition to public key authentication, either the canonical 573name of the remote host or its IP address must be present in the 574comma-separated list of patterns. 575See PATTERNS in 576.Xr ssh_config 5 577for more information on patterns. 578.Pp 579In addition to the wildcard matching that may be applied to hostnames or 580addresses, a 581.Cm from 582stanza may match IP addresses using CIDR address/masklen notation. 583.Pp 584The purpose of this option is to optionally increase security: public key 585authentication by itself does not trust the network or name servers or 586anything (but the key); however, if somebody somehow steals the key, the key 587permits an intruder to log in from anywhere in the world. 588This additional option makes using a stolen key more difficult (name 589servers and/or routers would have to be compromised in addition to 590just the key). 591.It Cm no-agent-forwarding 592Forbids authentication agent forwarding when this key is used for 593authentication. 594.It Cm no-port-forwarding 595Forbids TCP forwarding when this key is used for authentication. 596Any port forward requests by the client will return an error. 597This might be used, e.g. in connection with the 598.Cm command 599option. 600.It Cm no-pty 601Prevents tty allocation (a request to allocate a pty will fail). 602.It Cm no-user-rc 603Disables execution of 604.Pa ~/.ssh/rc . 605.It Cm no-X11-forwarding 606Forbids X11 forwarding when this key is used for authentication. 607Any X11 forward requests by the client will return an error. 608.It Cm permitopen="host:port" 609Limit local 610.Li ``ssh -L'' 611port forwarding such that it may only connect to the specified host and 612port. 613IPv6 addresses can be specified by enclosing the address in square brackets. 614Multiple 615.Cm permitopen 616options may be applied separated by commas. 617No pattern matching is performed on the specified hostnames, 618they must be literal domains or addresses. 619A port specification of 620.Cm * 621matches any port. 622.It Cm principals="principals" 623On a 624.Cm cert-authority 625line, specifies allowed principals for certificate authentication as a 626comma-separated list. 627At least one name from the list must appear in the certificate's 628list of principals for the certificate to be accepted. 629This option is ignored for keys that are not marked as trusted certificate 630signers using the 631.Cm cert-authority 632option. 633.It Cm tunnel="n" 634Force a 635.Xr tun 4 636device on the server. 637Without this option, the next available device will be used if 638the client requests a tunnel. 639.El 640.Pp 641An example authorized_keys file: 642.Bd -literal -offset 3n 643# Comments allowed at start of line 644ssh-rsa AAAAB3Nza...LiPk== user@example.net 645from="*.sales.example.net,!pc.sales.example.net" ssh-rsa 646AAAAB2...19Q== john@example.net 647command="dump /home",no-pty,no-port-forwarding ssh-dss 648AAAAC3...51R== example.net 649permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss 650AAAAB5...21S== 651tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== 652jane@example.net 653.Ed 654.Sh SSH_KNOWN_HOSTS FILE FORMAT 655The 656.Pa /etc/ssh/ssh_known_hosts 657and 658.Pa ~/.ssh/known_hosts 659files contain host public keys for all known hosts. 660The global file should 661be prepared by the administrator (optional), and the per-user file is 662maintained automatically: whenever the user connects from an unknown host, 663its key is added to the per-user file. 664.Pp 665Each line in these files contains the following fields: markers (optional), 666hostnames, bits, exponent, modulus, comment. 667The fields are separated by spaces. 668.Pp 669The marker is optional, but if it is present then it must be one of 670.Dq @cert-authority , 671to indicate that the line contains a certification authority (CA) key, 672or 673.Dq @revoked , 674to indicate that the key contained on the line is revoked and must not ever 675be accepted. 676Only one marker should be used on a key line. 677.Pp 678Hostnames is a comma-separated list of patterns 679.Pf ( Ql * 680and 681.Ql \&? 682act as 683wildcards); each pattern in turn is matched against the canonical host 684name (when authenticating a client) or against the user-supplied 685name (when authenticating a server). 686A pattern may also be preceded by 687.Ql \&! 688to indicate negation: if the host name matches a negated 689pattern, it is not accepted (by that line) even if it matched another 690pattern on the line. 691A hostname or address may optionally be enclosed within 692.Ql \&[ 693and 694.Ql \&] 695brackets then followed by 696.Ql \&: 697and a non-standard port number. 698.Pp 699Alternately, hostnames may be stored in a hashed form which hides host names 700and addresses should the file's contents be disclosed. 701Hashed hostnames start with a 702.Ql | 703character. 704Only one hashed hostname may appear on a single line and none of the above 705negation or wildcard operators may be applied. 706.Pp 707Bits, exponent, and modulus are taken directly from the RSA host key; they 708can be obtained, for example, from 709.Pa /etc/ssh/ssh_host_key.pub . 710The optional comment field continues to the end of the line, and is not used. 711.Pp 712Lines starting with 713.Ql # 714and empty lines are ignored as comments. 715.Pp 716When performing host authentication, authentication is accepted if any 717matching line has the proper key; either one that matches exactly or, 718if the server has presented a certificate for authentication, the key 719of the certification authority that signed the certificate. 720For a key to be trusted as a certification authority, it must use the 721.Dq @cert-authority 722marker described above. 723.Pp 724The known hosts file also provides a facility to mark keys as revoked, 725for example when it is known that the associated private key has been 726stolen. 727Revoked keys are specified by including the 728.Dq @revoked 729marker at the beginning of the key line, and are never accepted for 730authentication or as certification authorities, but instead will 731produce a warning from 732.Xr ssh 1 733when they are encountered. 734.Pp 735It is permissible (but not 736recommended) to have several lines or different host keys for the same 737names. 738This will inevitably happen when short forms of host names 739from different domains are put in the file. 740It is possible 741that the files contain conflicting information; authentication is 742accepted if valid information can be found from either file. 743.Pp 744Note that the lines in these files are typically hundreds of characters 745long, and you definitely don't want to type in the host keys by hand. 746Rather, generate them by a script, 747.Xr ssh-keyscan 1 748or by taking 749.Pa /etc/ssh/ssh_host_key.pub 750and adding the host names at the front. 751.Xr ssh-keygen 1 752also offers some basic automated editing for 753.Pa ~/.ssh/known_hosts 754including removing hosts matching a host name and converting all host 755names to their hashed representations. 756.Pp 757An example ssh_known_hosts file: 758.Bd -literal -offset 3n 759# Comments allowed at start of line 760closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net 761cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....= 762# A hashed hostname 763|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa 764AAAA1234.....= 765# A revoked key 766@revoked * ssh-rsa AAAAB5W... 767# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org 768@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W... 769.Ed 770.Sh FILES 771.Bl -tag -width Ds -compact 772.It Pa ~/.hushlogin 773This file is used to suppress printing the last login time and 774.Pa /etc/motd , 775if 776.Cm PrintLastLog 777and 778.Cm PrintMotd , 779respectively, 780are enabled. 781It does not suppress printing of the banner specified by 782.Cm Banner . 783.Pp 784.It Pa ~/.rhosts 785This file is used for host-based authentication (see 786.Xr ssh 1 787for more information). 788On some machines this file may need to be 789world-readable if the user's home directory is on an NFS partition, 790because 791.Nm 792reads it as root. 793Additionally, this file must be owned by the user, 794and must not have write permissions for anyone else. 795The recommended 796permission for most machines is read/write for the user, and not 797accessible by others. 798.Pp 799.It Pa ~/.shosts 800This file is used in exactly the same way as 801.Pa .rhosts , 802but allows host-based authentication without permitting login with 803rlogin/rsh. 804.Pp 805.It Pa ~/.ssh/ 806This directory is the default location for all user-specific configuration 807and authentication information. 808There is no general requirement to keep the entire contents of this directory 809secret, but the recommended permissions are read/write/execute for the user, 810and not accessible by others. 811.Pp 812.It Pa ~/.ssh/authorized_keys 813Lists the public keys (DSA, ECDSA, ED25519, RSA) 814that can be used for logging in as this user. 815The format of this file is described above. 816The content of the file is not highly sensitive, but the recommended 817permissions are read/write for the user, and not accessible by others. 818.Pp 819If this file, the 820.Pa ~/.ssh 821directory, or the user's home directory are writable 822by other users, then the file could be modified or replaced by unauthorized 823users. 824In this case, 825.Nm 826will not allow it to be used unless the 827.Cm StrictModes 828option has been set to 829.Dq no . 830.Pp 831.It Pa ~/.ssh/environment 832This file is read into the environment at login (if it exists). 833It can only contain empty lines, comment lines (that start with 834.Ql # ) , 835and assignment lines of the form name=value. 836The file should be writable 837only by the user; it need not be readable by anyone else. 838Environment processing is disabled by default and is 839controlled via the 840.Cm PermitUserEnvironment 841option. 842.Pp 843.It Pa ~/.ssh/known_hosts 844Contains a list of host keys for all hosts the user has logged into 845that are not already in the systemwide list of known host keys. 846The format of this file is described above. 847This file should be writable only by root/the owner and 848can, but need not be, world-readable. 849.Pp 850.It Pa ~/.ssh/rc 851Contains initialization routines to be run before 852the user's home directory becomes accessible. 853This file should be writable only by the user, and need not be 854readable by anyone else. 855.Pp 856.It Pa /etc/hosts.equiv 857This file is for host-based authentication (see 858.Xr ssh 1 ) . 859It should only be writable by root. 860.Pp 861.It Pa /etc/ssh/moduli 862Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 863The file format is described in 864.Xr moduli 5 . 865.Pp 866.It Pa /etc/motd 867See 868.Xr motd 5 . 869.Pp 870.It Pa /etc/nologin 871If this file exists, 872.Nm 873refuses to let anyone except root log in. 874The contents of the file 875are displayed to anyone trying to log in, and non-root connections are 876refused. 877The file should be world-readable. 878.Pp 879.It Pa /etc/ssh/shosts.equiv 880This file is used in exactly the same way as 881.Pa hosts.equiv , 882but allows host-based authentication without permitting login with 883rlogin/rsh. 884.Pp 885.It Pa /etc/ssh/ssh_host_key 886.It Pa /etc/ssh/ssh_host_dsa_key 887.It Pa /etc/ssh/ssh_host_ecdsa_key 888.It Pa /etc/ssh/ssh_host_ed25519_key 889.It Pa /etc/ssh/ssh_host_rsa_key 890These files contain the private parts of the host keys. 891These files should only be owned by root, readable only by root, and not 892accessible to others. 893Note that 894.Nm 895does not start if these files are group/world-accessible. 896.Pp 897.It Pa /etc/ssh/ssh_host_key.pub 898.It Pa /etc/ssh/ssh_host_dsa_key.pub 899.It Pa /etc/ssh/ssh_host_ecdsa_key.pub 900.It Pa /etc/ssh/ssh_host_ed25519_key.pub 901.It Pa /etc/ssh/ssh_host_rsa_key.pub 902These files contain the public parts of the host keys. 903These files should be world-readable but writable only by 904root. 905Their contents should match the respective private parts. 906These files are not 907really used for anything; they are provided for the convenience of 908the user so their contents can be copied to known hosts files. 909These files are created using 910.Xr ssh-keygen 1 . 911.Pp 912.It Pa /etc/ssh/ssh_known_hosts 913Systemwide list of known host keys. 914This file should be prepared by the 915system administrator to contain the public host keys of all machines in the 916organization. 917The format of this file is described above. 918This file should be writable only by root/the owner and 919should be world-readable. 920.Pp 921.It Pa /etc/ssh/sshd_config 922Contains configuration data for 923.Nm sshd . 924The file format and configuration options are described in 925.Xr sshd_config 5 . 926.Pp 927.It Pa /etc/ssh/sshrc 928Similar to 929.Pa ~/.ssh/rc , 930it can be used to specify 931machine-specific login-time initializations globally. 932This file should be writable only by root, and should be world-readable. 933.Pp 934.It Pa /var/empty 935.Xr chroot 2 936directory used by 937.Nm 938during privilege separation in the pre-authentication phase. 939The directory should not contain any files and must be owned by root 940and not group or world-writable. 941.Pp 942.It Pa /var/run/sshd.pid 943Contains the process ID of the 944.Nm 945listening for connections (if there are several daemons running 946concurrently for different ports, this contains the process ID of the one 947started last). 948The content of this file is not sensitive; it can be world-readable. 949.El 950.Sh SEE ALSO 951.Xr scp 1 , 952.Xr sftp 1 , 953.Xr ssh 1 , 954.Xr ssh-add 1 , 955.Xr ssh-agent 1 , 956.Xr ssh-keygen 1 , 957.Xr ssh-keyscan 1 , 958.Xr chroot 2 , 959.Xr login.conf 5 , 960.Xr moduli 5 , 961.Xr sshd_config 5 , 962.Xr inetd 8 , 963.Xr sftp-server 8 964.Sh AUTHORS 965OpenSSH is a derivative of the original and free 966ssh 1.2.12 release by Tatu Ylonen. 967Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 968Theo de Raadt and Dug Song 969removed many bugs, re-added newer features and 970created OpenSSH. 971Markus Friedl contributed the support for SSH 972protocol versions 1.5 and 2.0. 973Niels Provos and Markus Friedl contributed support 974for privilege separation. 975