 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $
-.Dd September 25, 1999
+.\" $OpenBSD: sshd.8,v 1.246 2008/07/02 02:24:18 djm Exp $
+.Dd $Mdocdate: July 2 2008 $

 (OpenSSH Daemon) is the daemon program for
-Together these programs replace rlogin and rsh, and
-provide secure encrypted communications between two untrusted hosts
+Together these programs replace
+and provide secure encrypted communications between two untrusted hosts
 over an insecure network.

 to use IPv6 addresses only.
 Specifies the number of bits in the ephemeral protocol version 1
-server key (default 768).
+server key (default 1024).
+.It Fl C Ar connection_spec
+Specify the connection parameters to use for the
+directives in the configuration file
+that would apply to the specified user, host, and address will be set before
+the configuration is written to standard output.
+The connection parameters are supplied as keyword=value pairs.
+All are required and may be supplied in any order, either with multiple
+options or as a comma-separated list.
 When this option is specified,
 When this option is specified,
 will send the output to the standard error instead of the system log.
-.It Fl f Ar configuration_file
+.It Fl f Ar config_file
 Specifies the name of the configuration file.
 .Pa /etc/ssh/sshd_config .

 is given then nothing is sent to the system log.
+Check the validity of the configuration file, output the effective configuration
+to stdout and then exit.
+rules may be applied by specifying the connection parameters using one or more
 Only check the validity of the configuration file and sanity of the keys.

 to use from those offered by the server.
 Additionally, session integrity is provided
 through a cryptographic message authentication code
-(hmac-sha1 or hmac-md5).
+(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
 Finally, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using

 on FreeBSD and a leading
-on Linux). If there is a requirement to disable password authentication
+If there is a requirement to disable password authentication
 for the account while allowing still public-key, then the passwd field
 should be set to something other than these values (eg

 .It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
+Specifies that in addition to public key authentication, either the canonical
+name of the remote host or its IP address must be present in the
+comma-separated list of patterns.
+for more information on patterns.
+In addition to the wildcard matching that may be applied to hostnames or
+stanza may match IP addressess using CIDR address/masklen notation.
+The purpose of this option is to optionally increase security: public key
+authentication by itself does not trust the network or name servers or
+anything (but the key); however, if somebody somehow steals the key, the key
 permits an intruder to log in from anywhere in the world.
 This additional option makes using a stolen key more difficult (name
 servers and/or routers would have to be compromised in addition to
-for more information on patterns.
 .It Cm no-agent-forwarding
 Forbids authentication agent forwarding when this key is used for
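Review bot: typo in the new from="pattern-list" text, in the line "stanza may match IP addressess using CIDR address/masklen notation." ("addressess" should be "addresses"); the rest of the rewritten paragraph reads correctly and the CIDR wording is a useful addition since the option now matches IP addresses as well as hostnames.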
 but allows host-based authentication without permitting login with
+This directory is the default location for all user-specific configuration
+and authentication information.
+There is no general requirement to keep the entire contents of this directory
+secret, but the recommended permissions are read/write/execute for the user,
+and not accessible by others.
 .It ~/.ssh/authorized_keys
 Lists the public keys (RSA/DSA) that can be used for logging in as this user.
 The format of this file is described above.
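Review bot: the new ~/.ssh paragraph gives the recommended permissions only in words ("read/write/execute for the user, and not accessible by others"); stating the mode explicitly, e.g. "mode 0700", would make the advice easier to check against the output of ls -ld ~/.ssh and matches how the other file entries in this section describe ownership and readability.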
 but allows host-based authentication without permitting login with
-.It /etc/ssh/ssh_known_hosts
-Systemwide list of known host keys.
-This file should be prepared by the
-system administrator to contain the public host keys of all machines in the
-The format of this file is described above.
-This file should be writable only by root/the owner and
-should be world-readable.
 .It /etc/ssh/ssh_host_key
 .It /etc/ssh/ssh_host_dsa_key
 .It /etc/ssh/ssh_host_rsa_key
 These files are created using
 .Xr ssh-keygen 1 .
+.It /etc/ssh/ssh_known_hosts
+Systemwide list of known host keys.
+This file should be prepared by the
+system administrator to contain the public host keys of all machines in the
+The format of this file is described above.
+This file should be writable only by root/the owner and
+should be world-readable.
 .It /etc/ssh/sshd_config
 Contains configuration data for