 sshd - OpenSSH SSH daemon

-sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
-[-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
+sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-f config_file]
+[-g login_grace_time] [-h host_key_file] [-k key_gen_time]
+[-o option] [-p port] [-u len]

 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
-programs replace rlogin and rsh, and provide secure encrypted communications
-between two untrusted hosts over an insecure network.
+programs replace rlogin(1) and rsh(1), and provide secure encrypted
+communications between two untrusted hosts over an insecure network.

 sshd listens for connections from clients. It is normally started at
 boot from /etc/rc. It forks a new daemon for each incoming connection.

 Specifies the number of bits in the ephemeral protocol version 1
-server key (default 768).
+server key (default 1024).
+Specify the connection parameters to use for the -T extended test
+mode. If provided, any Match directives in the configuration
+file that would apply to the specified user, host, and address
+will be set before the configuration is written to standard
+output. The connection parameters are supplied as keyword=value
+pairs. The keywords are ``user'', ``host'', and ``addr''. All
+are required and may be supplied in any order, either with
+multiple -C options or as a comma-separated list.

 -D When this option is specified, sshd will not detach and does not
 become a daemon. This allows easy monitoring of sshd.

 -e When this option is specified, sshd will send the output to the
 standard error instead of the system log.

 Specifies the name of the configuration file. The default is
 /etc/ssh/sshd_config. sshd refuses to start if there is no con-

 ginning, authentication, and termination of each connection is

+-T Extended test mode. Check the validity of the configuration
+file, output the effective configuration to stdout and then exit.
+Optionally, Match rules may be applied by specifying the
+connection parameters using one or more -C options.

 -t Test mode. Only check the validity of the configuration file and
 sanity of the keys. This is useful for updating sshd reliably as
 configuration options may change.
 AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
 client selects the encryption algorithm to use from those offered by the
 server. Additionally, session integrity is provided through a
-cryptographic message authentication code (hmac-sha1 or hmac-md5).
+cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64 or

 Finally, the server and the client enter an authentication dialog. The
 client tries to authenticate itself using host-based authentication, pub-

 tion of a locked account is system dependent. Some platforms have their
 own account database (eg AIX) and some modify the passwd field ( `*LK*'
 on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
-leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is
-a requirement to disable password authentication for the account while
-still allowing public-key, then the passwd field should be set to
-something other than these values (eg `NP' or `*NP*').
+leading `*LOCKED*' on FreeBSD and a leading `!' on most Linuxes). If
+there is a requirement to disable password authentication for the account
+while still allowing public-key, then the passwd field should be set to
+something other than these values (eg `NP' or `*NP*').

 If the client successfully authenticates itself, a dialog for preparing
 the session is entered. At this time the client may request things like
 This option is automatically disabled if UseLogin is enabled.

 from="pattern-list"
-Specifies that in addition to public key authentication, the
-canonical name of the remote host must be present in the comma-separated
-list of patterns. The purpose of this option is to optionally
-increase security: public key authentication by itself
-does not trust the network or name servers or anything (but the
-key); however, if somebody somehow steals the key, the key permits
-an intruder to log in from anywhere in the world. This additional
-option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition

-See PATTERNS in ssh_config(5) for more information on patterns.
+Specifies that in addition to public key authentication, either
+the canonical name of the remote host or its IP address must be
+present in the comma-separated list of patterns. See PATTERNS in
+ssh_config(5) for more information on patterns.
+
+In addition to the wildcard matching that may be applied to
+hostnames or addresses, a from stanza may match IP addresses using
+CIDR address/masklen notation.
+
+The purpose of this option is to optionally increase security:
+public key authentication by itself does not trust the network or
+name servers or anything (but the key); however, if somebody
+somehow steals the key, the key permits an intruder to log in
+from anywhere in the world. This additional option makes using a
+stolen key more difficult (name servers and/or routers would have
+to be compromised in addition to just the key).
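To make the from= semantics above concrete, here is an added example, written for this page and not OpenSSH's own matching code. It parses an authorized_keys line, pulls out the from= pattern-list and evaluates it against a client's canonical hostname and IP address, including the CIDR address/masklen form. It only approximates OpenSSH's rules: '*' and '?' wildcards, a leading '!' that negates an entry (a negated match rejects the whole list), case-insensitive hostname comparison, and CIDR entries compared against the IP. The sample line, its key material and the host/address pairs are all constructed.

```python
"""Evaluate an authorized_keys from="pattern-list" restriction against a
client's canonical hostname and IP address.

Added example for this page, not OpenSSH's own matching code; it
approximates the semantics described above ('*'/'?' wildcards, '!'
negation, case-insensitive hostnames, CIDR entries for addresses).
"""
import ipaddress
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss")   # key types this parser recognises


def match_pattern(s, pattern):
    """Case-insensitive glob match: '*' is any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, s, re.IGNORECASE) is not None


def match_pattern_list(s, patterns):
    """1 if a positive entry matched, -1 if a negated one did, else 0."""
    result = 0
    for entry in patterns.split(","):
        entry = entry.strip()
        negated = entry.startswith("!")
        entry = entry[1:] if negated else entry
        if entry and match_pattern(s, entry):
            if negated:
                return -1          # a negated match rejects the whole list
            result = 1
    return result


def addr_match_list(addr, patterns):
    """Same result codes as match_pattern_list, for CIDR entries only."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return 0                   # not an IP literal: nothing to compare
    result = 0
    for entry in patterns.split(","):
        entry = entry.strip()
        negated = entry.startswith("!")
        entry = entry[1:] if negated else entry
        if "/" not in entry:
            continue               # wildcard entries are left to match_pattern_list
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if ip.version == net.version and ip in net:
            if negated:
                return -1
            result = 1
    return result


def parse_authorized_keys_line(line):
    """Split a line into (options, keytype, key, comment); options, when
    present, precede the key type and may hold quoted strings with commas."""
    line = line.strip()
    options = ""
    if not line.startswith(KEY_TYPES):
        in_quote = False
        for i, c in enumerate(line):
            if c == '"':
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                options, line = line[:i], line[i + 1:].lstrip()
                break
    fields = line.split(None, 2)
    return options, fields[0], fields[1], fields[2] if len(fields) > 2 else ""


def from_allows(options, host, addr):
    """True if the from= restriction in `options` (if any) permits a client
    with this canonical hostname and IP to proceed to the key check."""
    m = re.search(r'from="([^"]*)"', options)
    if m is None:
        return True                # no from= restriction on this key
    patterns = m.group(1)
    mip = addr_match_list(addr, patterns)
    if mip == -1:
        return False
    mhost = match_pattern_list(host, patterns)
    if mhost == -1:
        return False
    if mhost == 1 or mip == 1:
        return True
    # Wildcard entries such as 192.0.2.* are also tried against the address.
    return match_pattern_list(addr, patterns) == 1


# Constructed sample line with fake key material (not a real key):
SAMPLE_LINE = ('from="*.example.com,10.0.0.0/8,!*.lab.example.com",no-pty '
               'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDATA build@example.com')

if __name__ == "__main__":
    opts = parse_authorized_keys_line(SAMPLE_LINE)[0]
    for host, addr in [("build.example.com", "192.0.2.7"),
                       ("unknown", "10.3.4.5"),
                       ("box.lab.example.com", "10.3.4.5"),
                       ("unknown", "192.0.2.7")]:
        verdict = "allow" if from_allows(opts, host, addr) else "deny"
        print(f"{host:22} {addr:12} -> {verdict}")
```

The restriction only narrows where a key may be used; a client that passes it still has to prove possession of the key. The check also depends on the canonical hostname the server resolves for the connection, so a pattern-list made of CIDR entries avoids trusting the name servers, which is the point the text makes about negated and address-based entries.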
 no-agent-forwarding
 Forbids authentication agent forwarding when this key is used for

 no-pty Prevents tty allocation (a request to allocate a pty will fail).
+Disables execution of ~/.ssh/rc.

 no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.

 host-based authentication without permitting login with

+This directory is the default location for all user-specific
+configuration and authentication information. There is no general
+requirement to keep the entire contents of this directory secret,
+but the recommended permissions are read/write/execute for the
+user, and not accessible by others.

 ~/.ssh/authorized_keys
 Lists the public keys (RSA/DSA) that can be used for logging in
 as this user. The format of this file is described above. The
 lows host-based authentication without permitting login with

-/etc/ssh/ssh_known_hosts
-Systemwide list of known host keys. This file should be prepared
-by the system administrator to contain the public host keys of
-all machines in the organization. The format of this file is
-described above. This file should be writable only by root/the
-owner and should be world-readable.

 /etc/ssh/ssh_host_key
 /etc/ssh/ssh_host_dsa_key
 /etc/ssh/ssh_host_rsa_key

 convenience of the user so their contents can be copied to known
 hosts files. These files are created using ssh-keygen(1).

+/etc/ssh/ssh_known_hosts
+Systemwide list of known host keys. This file should be prepared
+by the system administrator to contain the public host keys of
+all machines in the organization. The format of this file is
+described above. This file should be writable only by root/the
+owner and should be world-readable.

 /etc/ssh/sshd_config
 Contains configuration data for sshd. The file format and
 configuration options are described in sshd_config(5).

 scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
-chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5),
-inetd(8), sftp-server(8)
+ssh-keyscan(1), chroot(2), hosts_access(5), login.conf(5), moduli(5),
+sshd_config(5), inetd(8), sftp-server(8)

 OpenSSH is a derivative of the original and free ssh 1.2.12 release by

 System security is not improved unless rshd, rlogind, and rexecd are
 disabled (thus completely disabling rlogin and rsh into the machine).

-OpenBSD 4.1 September 25, 1999 9
+OpenBSD 4.4 July 2, 2008 9