1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is 9.\" incompatible with the protocol description in the RFC file, it must be 10.\" called by a name other than "ssh" or "Secure Shell". 11.\" 12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 15.\" 16.\" Redistribution and use in source and binary forms, with or without 17.\" modification, are permitted provided that the following conditions 18.\" are met: 19.\" 1. Redistributions of source code must retain the above copyright 20.\" notice, this list of conditions and the following disclaimer. 21.\" 2. Redistributions in binary form must reproduce the above copyright 22.\" notice, this list of conditions and the following disclaimer in the 23.\" documentation and/or other materials provided with the distribution. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" 36.\" $OpenBSD: sshd.8,v 1.266 2012/06/18 12:07:07 dtucker Exp $ 37.Dd $Mdocdate: June 18 2012 $ 38.Dt SSHD 8 39.Os 40.Sh NAME 41.Nm sshd 42.Nd OpenSSH SSH daemon 43.Sh SYNOPSIS 44.Nm sshd 45.Bk -words 46.Op Fl 46DdeiqTt 47.Op Fl b Ar bits 48.Op Fl C Ar connection_spec 49.Op Fl c Ar host_certificate_file 50.Op Fl f Ar config_file 51.Op Fl g Ar login_grace_time 52.Op Fl h Ar host_key_file 53.Op Fl k Ar key_gen_time 54.Op Fl o Ar option 55.Op Fl p Ar port 56.Op Fl u Ar len 57.Ek 58.Sh DESCRIPTION 59.Nm 60(OpenSSH Daemon) is the daemon program for 61.Xr ssh 1 . 62Together these programs replace 63.Xr rlogin 1 64and 65.Xr rsh 1 , 66and provide secure encrypted communications between two untrusted hosts 67over an insecure network. 68.Pp 69.Nm 70listens for connections from clients. 71It is normally started at boot from 72.Pa /etc/rc.d/sshd . 73It forks a new 74daemon for each incoming connection. 75The forked daemons handle 76key exchange, encryption, authentication, command execution, 77and data exchange. 78.Pp 79.Nm 80can be configured using command-line options or a configuration file 81(by default 82.Xr sshd_config 5 ) ; 83command-line options override values specified in the 84configuration file. 85.Nm 86rereads its configuration file when it receives a hangup signal, 87.Dv SIGHUP , 88by executing itself with the name and options it was started with, e.g.\& 89.Pa /usr/sbin/sshd . 90.Pp 91The options are as follows: 92.Bl -tag -width Ds 93.It Fl 4 94Forces 95.Nm 96to use IPv4 addresses only. 97.It Fl 6 98Forces 99.Nm 100to use IPv6 addresses only. 101.It Fl b Ar bits 102Specifies the number of bits in the ephemeral protocol version 1 103server key (default 1024). 104.It Fl C Ar connection_spec 105Specify the connection parameters to use for the 106.Fl T 107extended test mode. 108If provided, any 109.Cm Match 110directives in the configuration file 111that would apply to the specified user, host, and address will be set before 112the configuration is written to standard output. 113The connection parameters are supplied as keyword=value pairs. 114The keywords are 115.Dq user , 116.Dq host , 117.Dq laddr , 118.Dq lport , 119and 120.Dq addr . 121All are required and may be supplied in any order, either with multiple 122.Fl C 123options or as a comma-separated list. 124.It Fl c Ar host_certificate_file 125Specifies a path to a certificate file to identify 126.Nm 127during key exchange. 128The certificate file must match a host key file specified using the 129.Fl h 130option or the 131.Cm HostKey 132configuration directive. 133.It Fl D 134When this option is specified, 135.Nm 136will not detach and does not become a daemon. 137This allows easy monitoring of 138.Nm sshd . 139.It Fl d 140Debug mode. 141The server sends verbose debug output to standard error, 142and does not put itself in the background. 143The server also will not fork and will only process one connection. 144This option is only intended for debugging for the server. 145Multiple 146.Fl d 147options increase the debugging level. 148Maximum is 3. 149.It Fl e 150When this option is specified, 151.Nm 152will send the output to the standard error instead of the system log. 153.It Fl f Ar config_file 154Specifies the name of the configuration file. 155The default is 156.Pa /etc/ssh/sshd_config . 157.Nm 158refuses to start if there is no configuration file. 159.It Fl g Ar login_grace_time 160Gives the grace time for clients to authenticate themselves (default 161120 seconds). 162If the client fails to authenticate the user within 163this many seconds, the server disconnects and exits. 164A value of zero indicates no limit. 165.It Fl h Ar host_key_file 166Specifies a file from which a host key is read. 167This option must be given if 168.Nm 169is not run as root (as the normal 170host key files are normally not readable by anyone but root). 171The default is 172.Pa /etc/ssh/ssh_host_key 173for protocol version 1, and 174.Pa /etc/ssh/ssh_host_dsa_key , 175.Pa /etc/ssh/ssh_host_ecdsa_key 176and 177.Pa /etc/ssh/ssh_host_rsa_key 178for protocol version 2. 179It is possible to have multiple host key files for 180the different protocol versions and host key algorithms. 181.It Fl i 182Specifies that 183.Nm 184is being run from 185.Xr inetd 8 . 186.Nm 187is normally not run 188from inetd because it needs to generate the server key before it can 189respond to the client, and this may take tens of seconds. 190Clients would have to wait too long if the key was regenerated every time. 191However, with small key sizes (e.g. 512) using 192.Nm 193from inetd may 194be feasible. 195.It Fl k Ar key_gen_time 196Specifies how often the ephemeral protocol version 1 server key is 197regenerated (default 3600 seconds, or one hour). 198The motivation for regenerating the key fairly 199often is that the key is not stored anywhere, and after about an hour 200it becomes impossible to recover the key for decrypting intercepted 201communications even if the machine is cracked into or physically 202seized. 203A value of zero indicates that the key will never be regenerated. 204.It Fl o Ar option 205Can be used to give options in the format used in the configuration file. 206This is useful for specifying options for which there is no separate 207command-line flag. 208For full details of the options, and their values, see 209.Xr sshd_config 5 . 210.It Fl p Ar port 211Specifies the port on which the server listens for connections 212(default 22). 213Multiple port options are permitted. 214Ports specified in the configuration file with the 215.Cm Port 216option are ignored when a command-line port is specified. 217Ports specified using the 218.Cm ListenAddress 219option override command-line ports. 220.It Fl q 221Quiet mode. 222Nothing is sent to the system log. 223Normally the beginning, 224authentication, and termination of each connection is logged. 225.It Fl T 226Extended test mode. 227Check the validity of the configuration file, output the effective configuration 228to stdout and then exit. 229Optionally, 230.Cm Match 231rules may be applied by specifying the connection parameters using one or more 232.Fl C 233options. 234.It Fl t 235Test mode. 236Only check the validity of the configuration file and sanity of the keys. 237This is useful for updating 238.Nm 239reliably as configuration options may change. 240.It Fl u Ar len 241This option is used to specify the size of the field 242in the 243.Li utmp 244structure that holds the remote host name. 245If the resolved host name is longer than 246.Ar len , 247the dotted decimal value will be used instead. 248This allows hosts with very long host names that 249overflow this field to still be uniquely identified. 250Specifying 251.Fl u0 252indicates that only dotted decimal addresses 253should be put into the 254.Pa utmp 255file. 256.Fl u0 257may also be used to prevent 258.Nm 259from making DNS requests unless the authentication 260mechanism or configuration requires it. 261Authentication mechanisms that may require DNS include 262.Cm RhostsRSAAuthentication , 263.Cm HostbasedAuthentication , 264and using a 265.Cm from="pattern-list" 266option in a key file. 267Configuration options that require DNS include using a 268USER@HOST pattern in 269.Cm AllowUsers 270or 271.Cm DenyUsers . 272.El 273.Sh AUTHENTICATION 274The OpenSSH SSH daemon supports SSH protocols 1 and 2. 275The default is to use protocol 2 only, 276though this can be changed via the 277.Cm Protocol 278option in 279.Xr sshd_config 5 . 280Protocol 2 supports DSA, ECDSA and RSA keys; 281protocol 1 only supports RSA keys. 282For both protocols, 283each host has a host-specific key, 284normally 2048 bits, 285used to identify the host. 286.Pp 287Forward security for protocol 1 is provided through 288an additional server key, 289normally 768 bits, 290generated when the server starts. 291This key is normally regenerated every hour if it has been used, and 292is never stored on disk. 293Whenever a client connects, the daemon responds with its public 294host and server keys. 295The client compares the 296RSA host key against its own database to verify that it has not changed. 297The client then generates a 256-bit random number. 298It encrypts this 299random number using both the host key and the server key, and sends 300the encrypted number to the server. 301Both sides then use this 302random number as a session key which is used to encrypt all further 303communications in the session. 304The rest of the session is encrypted 305using a conventional cipher, currently Blowfish or 3DES, with 3DES 306being used by default. 307The client selects the encryption algorithm 308to use from those offered by the server. 309.Pp 310For protocol 2, 311forward security is provided through a Diffie-Hellman key agreement. 312This key agreement results in a shared session key. 313The rest of the session is encrypted using a symmetric cipher, currently 314128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. 315The client selects the encryption algorithm 316to use from those offered by the server. 317Additionally, session integrity is provided 318through a cryptographic message authentication code 319(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160, 320hmac-sha2-256 or hmac-sha2-512). 321.Pp 322Finally, the server and the client enter an authentication dialog. 323The client tries to authenticate itself using 324host-based authentication, 325public key authentication, 326challenge-response authentication, 327or password authentication. 328.Pp 329Regardless of the authentication type, the account is checked to 330ensure that it is accessible. An account is not accessible if it is 331locked, listed in 332.Cm DenyUsers 333or its group is listed in 334.Cm DenyGroups 335\&. The definition of a locked account is system dependant. Some platforms 336have their own account database (eg AIX) and some modify the passwd field ( 337.Ql \&*LK\&* 338on Solaris and UnixWare, 339.Ql \&* 340on HP-UX, containing 341.Ql Nologin 342on Tru64, 343a leading 344.Ql \&*LOCKED\&* 345on FreeBSD and a leading 346.Ql \&! 347on most Linuxes). 348If there is a requirement to disable password authentication 349for the account while allowing still public-key, then the passwd field 350should be set to something other than these values (eg 351.Ql NP 352or 353.Ql \&*NP\&* 354). 355.Pp 356If the client successfully authenticates itself, a dialog for 357preparing the session is entered. 358At this time the client may request 359things like allocating a pseudo-tty, forwarding X11 connections, 360forwarding TCP connections, or forwarding the authentication agent 361connection over the secure channel. 362.Pp 363After this, the client either requests a shell or execution of a command. 364The sides then enter session mode. 365In this mode, either side may send 366data at any time, and such data is forwarded to/from the shell or 367command on the server side, and the user terminal in the client side. 368.Pp 369When the user program terminates and all forwarded X11 and other 370connections have been closed, the server sends command exit status to 371the client, and both sides exit. 372.Sh LOGIN PROCESS 373When a user successfully logs in, 374.Nm 375does the following: 376.Bl -enum -offset indent 377.It 378If the login is on a tty, and no command has been specified, 379prints last login time and 380.Pa /etc/motd 381(unless prevented in the configuration file or by 382.Pa ~/.hushlogin ; 383see the 384.Sx FILES 385section). 386.It 387If the login is on a tty, records login time. 388.It 389Checks 390.Pa /etc/nologin and 391.Pa /var/run/nologin ; 392if one exists, it prints the contents and quits 393(unless root). 394.It 395Changes to run with normal user privileges. 396.It 397Sets up basic environment. 398.It 399Reads the file 400.Pa ~/.ssh/environment , 401if it exists, and users are allowed to change their environment. 402See the 403.Cm PermitUserEnvironment 404option in 405.Xr sshd_config 5 . 406.It 407Changes to user's home directory. 408.It 409If 410.Pa ~/.ssh/rc 411exists, runs it; else if 412.Pa /etc/ssh/sshrc 413exists, runs 414it; otherwise runs 415.Xr xauth 1 . 416The 417.Dq rc 418files are given the X11 419authentication protocol and cookie (if applicable) in standard input. 420See 421.Sx SSHRC , 422below. 423.It 424Runs user's shell or command. 425.El 426.Sh SSHRC 427If the file 428.Pa ~/.ssh/rc 429exists, 430.Xr sh 1 431runs it after reading the 432environment files but before starting the user's shell or command. 433It must not produce any output on stdout; stderr must be used 434instead. 435If X11 forwarding is in use, it will receive the "proto cookie" pair in 436its standard input (and 437.Ev DISPLAY 438in its environment). 439The script must call 440.Xr xauth 1 441because 442.Nm 443will not run xauth automatically to add X11 cookies. 444.Pp 445The primary purpose of this file is to run any initialization routines 446which may be needed before the user's home directory becomes 447accessible; AFS is a particular example of such an environment. 448.Pp 449This file will probably contain some initialization code followed by 450something similar to: 451.Bd -literal -offset 3n 452if read proto cookie && [ -n "$DISPLAY" ]; then 453 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then 454 # X11UseLocalhost=yes 455 echo add unix:`echo $DISPLAY | 456 cut -c11-` $proto $cookie 457 else 458 # X11UseLocalhost=no 459 echo add $DISPLAY $proto $cookie 460 fi | xauth -q - 461fi 462.Ed 463.Pp 464If this file does not exist, 465.Pa /etc/ssh/sshrc 466is run, and if that 467does not exist either, xauth is used to add the cookie. 468.Sh AUTHORIZED_KEYS FILE FORMAT 469.Cm AuthorizedKeysFile 470specifies the files containing public keys for 471public key authentication; 472if none is specified, the default is 473.Pa ~/.ssh/authorized_keys 474and 475.Pa ~/.ssh/authorized_keys2 . 476Each line of the file contains one 477key (empty lines and lines starting with a 478.Ql # 479are ignored as 480comments). 481Protocol 1 public keys consist of the following space-separated fields: 482options, bits, exponent, modulus, comment. 483Protocol 2 public key consist of: 484options, keytype, base64-encoded key, comment. 485The options field is optional; 486its presence is determined by whether the line starts 487with a number or not (the options field never starts with a number). 488The bits, exponent, modulus, and comment fields give the RSA key for 489protocol version 1; the 490comment field is not used for anything (but may be convenient for the 491user to identify the key). 492For protocol version 2 the keytype is 493.Dq ecdsa-sha2-nistp256 , 494.Dq ecdsa-sha2-nistp384 , 495.Dq ecdsa-sha2-nistp521 , 496.Dq ssh-dss 497or 498.Dq ssh-rsa . 499.Pp 500Note that lines in this file are usually several hundred bytes long 501(because of the size of the public key encoding) up to a limit of 5028 kilobytes, which permits DSA keys up to 8 kilobits and RSA 503keys up to 16 kilobits. 504You don't want to type them in; instead, copy the 505.Pa identity.pub , 506.Pa id_dsa.pub , 507.Pa id_ecdsa.pub , 508or the 509.Pa id_rsa.pub 510file and edit it. 511.Pp 512.Nm 513enforces a minimum RSA key modulus size for protocol 1 514and protocol 2 keys of 768 bits. 515.Pp 516The options (if present) consist of comma-separated option 517specifications. 518No spaces are permitted, except within double quotes. 519The following option specifications are supported (note 520that option keywords are case-insensitive): 521.Bl -tag -width Ds 522.It Cm cert-authority 523Specifies that the listed key is a certification authority (CA) that is 524trusted to validate signed certificates for user authentication. 525.Pp 526Certificates may encode access restrictions similar to these key options. 527If both certificate restrictions and key options are present, the most 528restrictive union of the two is applied. 529.It Cm command="command" 530Specifies that the command is executed whenever this key is used for 531authentication. 532The command supplied by the user (if any) is ignored. 533The command is run on a pty if the client requests a pty; 534otherwise it is run without a tty. 535If an 8-bit clean channel is required, 536one must not request a pty or should specify 537.Cm no-pty . 538A quote may be included in the command by quoting it with a backslash. 539This option might be useful 540to restrict certain public keys to perform just a specific operation. 541An example might be a key that permits remote backups but nothing else. 542Note that the client may specify TCP and/or X11 543forwarding unless they are explicitly prohibited. 544The command originally supplied by the client is available in the 545.Ev SSH_ORIGINAL_COMMAND 546environment variable. 547Note that this option applies to shell, command or subsystem execution. 548Also note that this command may be superseded by either a 549.Xr sshd_config 5 550.Cm ForceCommand 551directive or a command embedded in a certificate. 552.It Cm environment="NAME=value" 553Specifies that the string is to be added to the environment when 554logging in using this key. 555Environment variables set this way 556override other default environment values. 557Multiple options of this type are permitted. 558Environment processing is disabled by default and is 559controlled via the 560.Cm PermitUserEnvironment 561option. 562This option is automatically disabled if 563.Cm UseLogin 564is enabled. 565.It Cm from="pattern-list" 566Specifies that in addition to public key authentication, either the canonical 567name of the remote host or its IP address must be present in the 568comma-separated list of patterns. 569See 570.Sx PATTERNS 571in 572.Xr ssh_config 5 573for more information on patterns. 574.Pp 575In addition to the wildcard matching that may be applied to hostnames or 576addresses, a 577.Cm from 578stanza may match IP addresses using CIDR address/masklen notation. 579.Pp 580The purpose of this option is to optionally increase security: public key 581authentication by itself does not trust the network or name servers or 582anything (but the key); however, if somebody somehow steals the key, the key 583permits an intruder to log in from anywhere in the world. 584This additional option makes using a stolen key more difficult (name 585servers and/or routers would have to be compromised in addition to 586just the key). 587.It Cm no-agent-forwarding 588Forbids authentication agent forwarding when this key is used for 589authentication. 590.It Cm no-port-forwarding 591Forbids TCP forwarding when this key is used for authentication. 592Any port forward requests by the client will return an error. 593This might be used, e.g. in connection with the 594.Cm command 595option. 596.It Cm no-pty 597Prevents tty allocation (a request to allocate a pty will fail). 598.It Cm no-user-rc 599Disables execution of 600.Pa ~/.ssh/rc . 601.It Cm no-X11-forwarding 602Forbids X11 forwarding when this key is used for authentication. 603Any X11 forward requests by the client will return an error. 604.It Cm permitopen="host:port" 605Limit local 606.Li ``ssh -L'' 607port forwarding such that it may only connect to the specified host and 608port. 609IPv6 addresses can be specified by enclosing the address in square brackets. 610Multiple 611.Cm permitopen 612options may be applied separated by commas. 613No pattern matching is performed on the specified hostnames, 614they must be literal domains or addresses. 615A port specification of 616.Cm * 617matches any port. 618.It Cm principals="principals" 619On a 620.Cm cert-authority 621line, specifies allowed principals for certificate authentication as a 622comma-separated list. 623At least one name from the list must appear in the certificate's 624list of principals for the certificate to be accepted. 625This option is ignored for keys that are not marked as trusted certificate 626signers using the 627.Cm cert-authority 628option. 629.It Cm tunnel="n" 630Force a 631.Xr tun 4 632device on the server. 633Without this option, the next available device will be used if 634the client requests a tunnel. 635.El 636.Pp 637An example authorized_keys file: 638.Bd -literal -offset 3n 639# Comments allowed at start of line 640ssh-rsa AAAAB3Nza...LiPk== user@example.net 641from="*.sales.example.net,!pc.sales.example.net" ssh-rsa 642AAAAB2...19Q== john@example.net 643command="dump /home",no-pty,no-port-forwarding ssh-dss 644AAAAC3...51R== example.net 645permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss 646AAAAB5...21S== 647tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== 648jane@example.net 649.Ed 650.Sh SSH_KNOWN_HOSTS FILE FORMAT 651The 652.Pa /etc/ssh/ssh_known_hosts 653and 654.Pa ~/.ssh/known_hosts 655files contain host public keys for all known hosts. 656The global file should 657be prepared by the administrator (optional), and the per-user file is 658maintained automatically: whenever the user connects from an unknown host, 659its key is added to the per-user file. 660.Pp 661Each line in these files contains the following fields: markers (optional), 662hostnames, bits, exponent, modulus, comment. 663The fields are separated by spaces. 664.Pp 665The marker is optional, but if it is present then it must be one of 666.Dq @cert-authority , 667to indicate that the line contains a certification authority (CA) key, 668or 669.Dq @revoked , 670to indicate that the key contained on the line is revoked and must not ever 671be accepted. 672Only one marker should be used on a key line. 673.Pp 674Hostnames is a comma-separated list of patterns 675.Pf ( Ql * 676and 677.Ql \&? 678act as 679wildcards); each pattern in turn is matched against the canonical host 680name (when authenticating a client) or against the user-supplied 681name (when authenticating a server). 682A pattern may also be preceded by 683.Ql \&! 684to indicate negation: if the host name matches a negated 685pattern, it is not accepted (by that line) even if it matched another 686pattern on the line. 687A hostname or address may optionally be enclosed within 688.Ql \&[ 689and 690.Ql \&] 691brackets then followed by 692.Ql \&: 693and a non-standard port number. 694.Pp 695Alternately, hostnames may be stored in a hashed form which hides host names 696and addresses should the file's contents be disclosed. 697Hashed hostnames start with a 698.Ql | 699character. 700Only one hashed hostname may appear on a single line and none of the above 701negation or wildcard operators may be applied. 702.Pp 703Bits, exponent, and modulus are taken directly from the RSA host key; they 704can be obtained, for example, from 705.Pa /etc/ssh/ssh_host_key.pub . 706The optional comment field continues to the end of the line, and is not used. 707.Pp 708Lines starting with 709.Ql # 710and empty lines are ignored as comments. 711.Pp 712When performing host authentication, authentication is accepted if any 713matching line has the proper key; either one that matches exactly or, 714if the server has presented a certificate for authentication, the key 715of the certification authority that signed the certificate. 716For a key to be trusted as a certification authority, it must use the 717.Dq @cert-authority 718marker described above. 719.Pp 720The known hosts file also provides a facility to mark keys as revoked, 721for example when it is known that the associated private key has been 722stolen. 723Revoked keys are specified by including the 724.Dq @revoked 725marker at the beginning of the key line, and are never accepted for 726authentication or as certification authorities, but instead will 727produce a warning from 728.Xr ssh 1 729when they are encountered. 730.Pp 731It is permissible (but not 732recommended) to have several lines or different host keys for the same 733names. 734This will inevitably happen when short forms of host names 735from different domains are put in the file. 736It is possible 737that the files contain conflicting information; authentication is 738accepted if valid information can be found from either file. 739.Pp 740Note that the lines in these files are typically hundreds of characters 741long, and you definitely don't want to type in the host keys by hand. 742Rather, generate them by a script, 743.Xr ssh-keyscan 1 744or by taking 745.Pa /etc/ssh/ssh_host_key.pub 746and adding the host names at the front. 747.Xr ssh-keygen 1 748also offers some basic automated editing for 749.Pa ~/.ssh/known_hosts 750including removing hosts matching a host name and converting all host 751names to their hashed representations. 752.Pp 753An example ssh_known_hosts file: 754.Bd -literal -offset 3n 755# Comments allowed at start of line 756closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net 757cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....= 758# A hashed hostname 759|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa 760AAAA1234.....= 761# A revoked key 762@revoked * ssh-rsa AAAAB5W... 763# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org 764@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W... 765.Ed 766.Sh FILES 767.Bl -tag -width Ds -compact 768.It Pa ~/.hushlogin 769This file is used to suppress printing the last login time and 770.Pa /etc/motd , 771if 772.Cm PrintLastLog 773and 774.Cm PrintMotd , 775respectively, 776are enabled. 777It does not suppress printing of the banner specified by 778.Cm Banner . 779.Pp 780.It Pa ~/.rhosts 781This file is used for host-based authentication (see 782.Xr ssh 1 783for more information). 784On some machines this file may need to be 785world-readable if the user's home directory is on an NFS partition, 786because 787.Nm 788reads it as root. 789Additionally, this file must be owned by the user, 790and must not have write permissions for anyone else. 791The recommended 792permission for most machines is read/write for the user, and not 793accessible by others. 794.Pp 795.It Pa ~/.shosts 796This file is used in exactly the same way as 797.Pa .rhosts , 798but allows host-based authentication without permitting login with 799rlogin/rsh. 800.Pp 801.It Pa ~/.ssh/ 802This directory is the default location for all user-specific configuration 803and authentication information. 804There is no general requirement to keep the entire contents of this directory 805secret, but the recommended permissions are read/write/execute for the user, 806and not accessible by others. 807.Pp 808.It Pa ~/.ssh/authorized_keys 809Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in 810as this user. 811The format of this file is described above. 812The content of the file is not highly sensitive, but the recommended 813permissions are read/write for the user, and not accessible by others. 814.Pp 815If this file, the 816.Pa ~/.ssh 817directory, or the user's home directory are writable 818by other users, then the file could be modified or replaced by unauthorized 819users. 820In this case, 821.Nm 822will not allow it to be used unless the 823.Cm StrictModes 824option has been set to 825.Dq no . 826.Pp 827.It Pa ~/.ssh/environment 828This file is read into the environment at login (if it exists). 829It can only contain empty lines, comment lines (that start with 830.Ql # ) , 831and assignment lines of the form name=value. 832The file should be writable 833only by the user; it need not be readable by anyone else. 834Environment processing is disabled by default and is 835controlled via the 836.Cm PermitUserEnvironment 837option. 838.Pp 839.It Pa ~/.ssh/known_hosts 840Contains a list of host keys for all hosts the user has logged into 841that are not already in the systemwide list of known host keys. 842The format of this file is described above. 843This file should be writable only by root/the owner and 844can, but need not be, world-readable. 845.Pp 846.It Pa ~/.ssh/rc 847Contains initialization routines to be run before 848the user's home directory becomes accessible. 849This file should be writable only by the user, and need not be 850readable by anyone else. 851.Pp 852.It Pa /etc/hosts.allow 853.It Pa /etc/hosts.deny 854Access controls that should be enforced by tcp-wrappers are defined here. 855Further details are described in 856.Xr hosts_access 5 . 857.Pp 858.It Pa /etc/hosts.equiv 859This file is for host-based authentication (see 860.Xr ssh 1 ) . 861It should only be writable by root. 862.Pp 863.It Pa /etc/ssh/moduli 864Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 865The file format is described in 866.Xr moduli 5 . 867.Pp 868.It Pa /etc/motd 869See 870.Xr motd 5 . 871.Pp 872.It Pa /etc/nologin 873If this file exists, 874.Nm 875refuses to let anyone except root log in. 876The contents of the file 877are displayed to anyone trying to log in, and non-root connections are 878refused. 879The file should be world-readable. 880.Pp 881.It Pa /etc/ssh/shosts.equiv 882This file is used in exactly the same way as 883.Pa hosts.equiv , 884but allows host-based authentication without permitting login with 885rlogin/rsh. 886.Pp 887.It Pa /etc/ssh/ssh_host_key 888.It Pa /etc/ssh/ssh_host_dsa_key 889.It Pa /etc/ssh/ssh_host_ecdsa_key 890.It Pa /etc/ssh/ssh_host_rsa_key 891These files contain the private parts of the host keys. 892These files should only be owned by root, readable only by root, and not 893accessible to others. 894Note that 895.Nm 896does not start if these files are group/world-accessible. 897.Pp 898.It Pa /etc/ssh/ssh_host_key.pub 899.It Pa /etc/ssh/ssh_host_dsa_key.pub 900.It Pa /etc/ssh/ssh_host_ecdsa_key.pub 901.It Pa /etc/ssh/ssh_host_rsa_key.pub 902These files contain the public parts of the host keys. 903These files should be world-readable but writable only by 904root. 905Their contents should match the respective private parts. 906These files are not 907really used for anything; they are provided for the convenience of 908the user so their contents can be copied to known hosts files. 909These files are created using 910.Xr ssh-keygen 1 . 911.Pp 912.It Pa /etc/ssh/ssh_known_hosts 913Systemwide list of known host keys. 914This file should be prepared by the 915system administrator to contain the public host keys of all machines in the 916organization. 917The format of this file is described above. 918This file should be writable only by root/the owner and 919should be world-readable. 920.Pp 921.It Pa /etc/ssh/sshd_config 922Contains configuration data for 923.Nm sshd . 924The file format and configuration options are described in 925.Xr sshd_config 5 . 926.Pp 927.It Pa /etc/ssh/sshrc 928Similar to 929.Pa ~/.ssh/rc , 930it can be used to specify 931machine-specific login-time initializations globally. 932This file should be writable only by root, and should be world-readable. 933.Pp 934.It Pa /var/empty 935.Xr chroot 2 936directory used by 937.Nm 938during privilege separation in the pre-authentication phase. 939The directory should not contain any files and must be owned by root 940and not group or world-writable. 941.Pp 942.It Pa /var/run/sshd.pid 943Contains the process ID of the 944.Nm 945listening for connections (if there are several daemons running 946concurrently for different ports, this contains the process ID of the one 947started last). 948The content of this file is not sensitive; it can be world-readable. 949.El 950.Sh SEE ALSO 951.Xr scp 1 , 952.Xr sftp 1 , 953.Xr ssh 1 , 954.Xr ssh-add 1 , 955.Xr ssh-agent 1 , 956.Xr ssh-keygen 1 , 957.Xr ssh-keyscan 1 , 958.Xr chroot 2 , 959.Xr hosts_access 5 , 960.Xr login.conf 5 , 961.Xr moduli 5 , 962.Xr sshd_config 5 , 963.Xr inetd 8 , 964.Xr sftp-server 8 965.Sh AUTHORS 966OpenSSH is a derivative of the original and free 967ssh 1.2.12 release by Tatu Ylonen. 968Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 969Theo de Raadt and Dug Song 970removed many bugs, re-added newer features and 971created OpenSSH. 972Markus Friedl contributed the support for SSH 973protocol versions 1.5 and 2.0. 974Niels Provos and Markus Friedl contributed support 975for privilege separation. 976.Sh CAVEATS 977System security is not improved unless 978.Nm rshd , 979.Nm rlogind , 980and 981.Nm rexecd 982are disabled (thus completely disabling 983.Xr rlogin 984and 985.Xr rsh 986into the machine). 987