blob: 003f291245118f208f9183af7e5cac5cc3279f6e [file] [log] [blame]
Damien Miller32aa1441999-10-29 09:15:49 +10001.\" -*- nroff -*-
2.\"
3.\" sshd.8.in
4.\"
5.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6.\"
7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8.\" All rights reserved
9.\"
10.\" Created: Sat Apr 22 21:55:14 1995 ylo
11.\"
Damien Miller30c3d422000-05-09 11:02:59 +100012.\" $Id: sshd.8,v 1.22 2000/05/09 01:03:03 damien Exp $
Damien Miller32aa1441999-10-29 09:15:49 +100013.\"
14.Dd September 25, 1999
15.Dt SSHD 8
16.Os
17.Sh NAME
18.Nm sshd
19.Nd secure shell daemon
20.Sh SYNOPSIS
21.Nm sshd
Damien Miller34132e52000-01-14 15:45:46 +110022.Op Fl diqQ46
Damien Miller32aa1441999-10-29 09:15:49 +100023.Op Fl b Ar bits
24.Op Fl f Ar config_file
25.Op Fl g Ar login_grace_time
26.Op Fl h Ar host_key_file
27.Op Fl k Ar key_gen_time
28.Op Fl p Ar port
Damien Miller95def091999-11-25 00:26:21 +110029.Op Fl V Ar client_protocol_id
Damien Miller22c77262000-04-13 12:26:34 +100030.Sh DESCRIPTION
Damien Miller32aa1441999-10-29 09:15:49 +100031.Nm
Damien Miller22c77262000-04-13 12:26:34 +100032(Secure Shell Daemon) is the daemon program for
Damien Miller32aa1441999-10-29 09:15:49 +100033.Xr ssh 1 .
Damien Miller35dabd02000-05-01 21:10:33 +100034Together these programs replace rlogin and rsh, and
Damien Miller32aa1441999-10-29 09:15:49 +100035provide secure encrypted communications between two untrusted hosts
Damien Miller450a7a12000-03-26 13:04:51 +100036over an insecure network.
37The programs are intended to be as easy to
Damien Miller32aa1441999-10-29 09:15:49 +100038install and use as possible.
39.Pp
40.Nm
Damien Miller450a7a12000-03-26 13:04:51 +100041is the daemon that listens for connections from clients.
Damien Miller22c77262000-04-13 12:26:34 +100042It is normally started at boot from
Damien Miller32aa1441999-10-29 09:15:49 +100043.Pa /etc/rc .
44It forks a new
Damien Miller450a7a12000-03-26 13:04:51 +100045daemon for each incoming connection.
46The forked daemons handle
Damien Miller32aa1441999-10-29 09:15:49 +100047key exchange, encryption, authentication, command execution,
48and data exchange.
Damien Millere247cc42000-05-07 12:03:14 +100049This implementation of
50.Nm
51supports both SSH protocol version 1 and 2 simultaneously.
Damien Miller32aa1441999-10-29 09:15:49 +100052.Nm
Damien Miller450a7a12000-03-26 13:04:51 +100053works as follows.
Damien Millere247cc42000-05-07 12:03:14 +100054.Pp
55.Ss SSH protocol version 1
56.Pp
Damien Miller450a7a12000-03-26 13:04:51 +100057Each host has a host-specific RSA key
58(normally 1024 bits) used to identify the host.
59Additionally, when
Damien Miller32aa1441999-10-29 09:15:49 +100060the daemon starts, it generates a server RSA key (normally 768 bits).
61This key is normally regenerated every hour if it has been used, and
62is never stored on disk.
63.Pp
Damien Miller35dabd02000-05-01 21:10:33 +100064Whenever a client connects the daemon responds with its public
65host and server keys.
Damien Miller450a7a12000-03-26 13:04:51 +100066The client compares the
Damien Millere247cc42000-05-07 12:03:14 +100067RSA host key against its own database to verify that it has not changed.
Damien Miller450a7a12000-03-26 13:04:51 +100068The client then generates a 256 bit random number.
69It encrypts this
Damien Miller32aa1441999-10-29 09:15:49 +100070random number using both the host key and the server key, and sends
Damien Miller450a7a12000-03-26 13:04:51 +100071the encrypted number to the server.
Damien Miller35dabd02000-05-01 21:10:33 +100072Both sides then use this
Damien Miller32aa1441999-10-29 09:15:49 +100073random number as a session key which is used to encrypt all further
Damien Miller450a7a12000-03-26 13:04:51 +100074communications in the session.
75The rest of the session is encrypted
Damien Miller35dabd02000-05-01 21:10:33 +100076using a conventional cipher, currently Blowfish or 3DES, with 3DES
Damien Millerb38eff82000-04-01 11:09:21 +100077being used by default.
Damien Miller450a7a12000-03-26 13:04:51 +100078The client selects the encryption algorithm
Damien Miller32aa1441999-10-29 09:15:49 +100079to use from those offered by the server.
80.Pp
Damien Miller450a7a12000-03-26 13:04:51 +100081Next, the server and the client enter an authentication dialog.
82The client tries to authenticate itself using
Damien Miller32aa1441999-10-29 09:15:49 +100083.Pa .rhosts
84authentication,
85.Pa .rhosts
86authentication combined with RSA host
87authentication, RSA challenge-response authentication, or password
88based authentication.
89.Pp
90Rhosts authentication is normally disabled
91because it is fundamentally insecure, but can be enabled in the server
Damien Miller450a7a12000-03-26 13:04:51 +100092configuration file if desired.
93System security is not improved unless
Damien Miller32aa1441999-10-29 09:15:49 +100094.Xr rshd 8 ,
95.Xr rlogind 8 ,
96.Xr rexecd 8 ,
97and
98.Xr rexd 8
99are disabled (thus completely disabling
100.Xr rlogin 1
101and
102.Xr rsh 1
Damien Miller35dabd02000-05-01 21:10:33 +1000103into the machine).
Damien Miller32aa1441999-10-29 09:15:49 +1000104.Pp
Damien Millere247cc42000-05-07 12:03:14 +1000105.Ss SSH protocol version 2
106.Pp
107Version 2 works similar:
108Each host has a host-specific DSA key used to identify the host.
109However, when the daemon starts, it does not generate a server key.
110Forward security is provided through a Diffie-Hellman key agreement.
111This key agreement results in a shared session key.
112The rest of the session is encrypted
113using a symmetric cipher, currently
114Blowfish, 3DES or CAST128 in CBC mode or Arcfour.
115The client selects the encryption algorithm
116to use from those offered by the server.
117Additionally, session integrity is provided
Damien Miller30c3d422000-05-09 11:02:59 +1000118through a cryptographic message authentication code
Damien Millere247cc42000-05-07 12:03:14 +1000119(hmac-sha1 or hmac-md5).
120.Pp
121Protocol version 2 provides a public key based
122user authentication method (DSAAuthentication)
123and conventional password authentication.
124.Pp
125.Ss Command execution and data forwarding
126.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000127If the client successfully authenticates itself, a dialog for
Damien Miller450a7a12000-03-26 13:04:51 +1000128preparing the session is entered.
129At this time the client may request
Damien Miller32aa1441999-10-29 09:15:49 +1000130things like allocating a pseudo-tty, forwarding X11 connections,
131forwarding TCP/IP connections, or forwarding the authentication agent
132connection over the secure channel.
133.Pp
134Finally, the client either requests a shell or execution of a command.
Damien Miller450a7a12000-03-26 13:04:51 +1000135The sides then enter session mode.
136In this mode, either side may send
Damien Miller32aa1441999-10-29 09:15:49 +1000137data at any time, and such data is forwarded to/from the shell or
138command on the server side, and the user terminal in the client side.
139.Pp
140When the user program terminates and all forwarded X11 and other
141connections have been closed, the server sends command exit status to
142the client, and both sides exit.
143.Pp
144.Nm
145can be configured using command-line options or a configuration
Damien Miller450a7a12000-03-26 13:04:51 +1000146file.
147Command-line options override values specified in the
Damien Miller32aa1441999-10-29 09:15:49 +1000148configuration file.
149.Pp
Damien Miller6162d121999-11-21 13:23:52 +1100150.Nm
151rereads its configuration file when it receives a hangup signal,
152.Dv SIGHUP .
153.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000154The options are as follows:
155.Bl -tag -width Ds
156.It Fl b Ar bits
157Specifies the number of bits in the server key (default 768).
158.Pp
159.It Fl d
Damien Miller450a7a12000-03-26 13:04:51 +1000160Debug mode.
161The server sends verbose debug output to the system
162log, and does not put itself in the background.
163The server also will not fork and will only process one connection.
164This option is only intended for debugging for the server.
Damien Miller32aa1441999-10-29 09:15:49 +1000165.It Fl f Ar configuration_file
Damien Miller450a7a12000-03-26 13:04:51 +1000166Specifies the name of the configuration file.
167The default is
Damien Miller886c63a2000-01-20 23:13:36 +1100168.Pa /etc/sshd_config .
Damien Miller32aa1441999-10-29 09:15:49 +1000169.Nm
170refuses to start if there is no configuration file.
171.It Fl g Ar login_grace_time
172Gives the grace time for clients to authenticate themselves (default
Damien Miller450a7a12000-03-26 13:04:51 +1000173300 seconds).
174If the client fails to authenticate the user within
175this many seconds, the server disconnects and exits.
176A value of zero indicates no limit.
Damien Miller32aa1441999-10-29 09:15:49 +1000177.It Fl h Ar host_key_file
Damien Millere247cc42000-05-07 12:03:14 +1000178Specifies the file from which the RSA host key is read (default
Damien Miller886c63a2000-01-20 23:13:36 +1100179.Pa /etc/ssh_host_key ) .
Damien Miller32aa1441999-10-29 09:15:49 +1000180This option must be given if
181.Nm
182is not run as root (as the normal
183host file is normally not readable by anyone but root).
184.It Fl i
185Specifies that
186.Nm
Damien Miller22c77262000-04-13 12:26:34 +1000187is being run from inetd.
Damien Miller32aa1441999-10-29 09:15:49 +1000188.Nm
189is normally not run
190from inetd because it needs to generate the server key before it can
Damien Miller450a7a12000-03-26 13:04:51 +1000191respond to the client, and this may take tens of seconds.
192Clients would have to wait too long if the key was regenerated every time.
Damien Miller7684ee12000-03-17 23:40:15 +1100193However, with small key sizes (e.g., 512) using
Damien Miller32aa1441999-10-29 09:15:49 +1000194.Nm
195from inetd may
196be feasible.
197.It Fl k Ar key_gen_time
198Specifies how often the server key is regenerated (default 3600
Damien Miller450a7a12000-03-26 13:04:51 +1000199seconds, or one hour).
200The motivation for regenerating the key fairly
Damien Miller32aa1441999-10-29 09:15:49 +1000201often is that the key is not stored anywhere, and after about an hour,
202it becomes impossible to recover the key for decrypting intercepted
203communications even if the machine is cracked into or physically
Damien Miller450a7a12000-03-26 13:04:51 +1000204seized.
205A value of zero indicates that the key will never be regenerated.
Damien Miller32aa1441999-10-29 09:15:49 +1000206.It Fl p Ar port
207Specifies the port on which the server listens for connections
208(default 22).
209.It Fl q
Damien Miller450a7a12000-03-26 13:04:51 +1000210Quiet mode.
211Nothing is sent to the system log.
212Normally the beginning,
Damien Miller32aa1441999-10-29 09:15:49 +1000213authentication, and termination of each connection is logged.
214.It Fl Q
215Do not print an error message if RSA support is missing.
Damien Miller95def091999-11-25 00:26:21 +1100216.It Fl V Ar client_protocol_id
217SSH2 compatibility mode.
Damien Miller35dabd02000-05-01 21:10:33 +1000218When this option is specified
Damien Miller95def091999-11-25 00:26:21 +1100219.Nm
Damien Miller35dabd02000-05-01 21:10:33 +1000220assumes the client has sent the supplied version string
Damien Miller95def091999-11-25 00:26:21 +1100221and skips the
222Protocol Version Identification Exchange.
Damien Miller34132e52000-01-14 15:45:46 +1100223.It Fl 4
224Forces
225.Nm
226to use IPv4 addresses only.
227.It Fl 6
228Forces
229.Nm
230to use IPv6 addresses only.
Damien Miller32aa1441999-10-29 09:15:49 +1000231.El
232.Sh CONFIGURATION FILE
233.Nm
Damien Miller22c77262000-04-13 12:26:34 +1000234reads configuration data from
Damien Miller886c63a2000-01-20 23:13:36 +1100235.Pa /etc/sshd_config
Damien Miller32aa1441999-10-29 09:15:49 +1000236(or the file specified with
237.Fl f
Damien Miller450a7a12000-03-26 13:04:51 +1000238on the command line).
239The file contains keyword-value pairs, one per line.
240Lines starting with
Damien Miller32aa1441999-10-29 09:15:49 +1000241.Ql #
242and empty lines are interpreted as comments.
243.Pp
244The following keywords are possible.
245.Bl -tag -width Ds
246.It Cm AFSTokenPassing
Damien Miller450a7a12000-03-26 13:04:51 +1000247Specifies whether an AFS token may be forwarded to the server.
248Default is
Damien Miller32aa1441999-10-29 09:15:49 +1000249.Dq yes .
250.It Cm AllowGroups
251This keyword can be followed by a number of group names, separated
Damien Miller450a7a12000-03-26 13:04:51 +1000252by spaces.
253If specified, login is allowed only for users whose primary
Damien Miller32aa1441999-10-29 09:15:49 +1000254group matches one of the patterns.
255.Ql \&*
256and
257.Ql ?
258can be used as
Damien Miller450a7a12000-03-26 13:04:51 +1000259wildcards in the patterns.
260Only group names are valid, a numerical group ID isn't recognized.
261By default login is allowed regardless of the primary group.
Damien Miller32aa1441999-10-29 09:15:49 +1000262.Pp
263.It Cm AllowUsers
264This keyword can be followed by a number of user names, separated
Damien Miller450a7a12000-03-26 13:04:51 +1000265by spaces.
266If specified, login is allowed only for users names that
Damien Miller32aa1441999-10-29 09:15:49 +1000267match one of the patterns.
268.Ql \&*
269and
270.Ql ?
271can be used as
Damien Miller450a7a12000-03-26 13:04:51 +1000272wildcards in the patterns.
273Only user names are valid, a numerical user ID isn't recognized.
274By default login is allowed regardless of the user name.
Damien Miller32aa1441999-10-29 09:15:49 +1000275.Pp
Damien Miller22c77262000-04-13 12:26:34 +1000276.It Cm Ciphers
277Specifies the ciphers allowed for protocol version 2.
278Multiple ciphers must be comma-separated.
279The default is
Damien Miller30c3d422000-05-09 11:02:59 +1000280.Dq 3des-cbc,blowfish-cbc,arcfour,cast128-cbc .
Damien Miller32aa1441999-10-29 09:15:49 +1000281.It Cm CheckMail
282Specifies whether
283.Nm
284should check for new mail for interactive logins.
285The default is
286.Dq no .
287.It Cm DenyGroups
288This keyword can be followed by a number of group names, separated
Damien Miller450a7a12000-03-26 13:04:51 +1000289by spaces.
290Users whose primary group matches one of the patterns
Damien Miller32aa1441999-10-29 09:15:49 +1000291aren't allowed to log in.
292.Ql \&*
293and
294.Ql ?
295can be used as
Damien Miller450a7a12000-03-26 13:04:51 +1000296wildcards in the patterns.
297Only group names are valid, a numerical group ID isn't recognized.
298By default login is allowed regardless of the primary group.
Damien Miller32aa1441999-10-29 09:15:49 +1000299.Pp
300.It Cm DenyUsers
301This keyword can be followed by a number of user names, separated
Damien Miller450a7a12000-03-26 13:04:51 +1000302by spaces.
303Login is disallowed for user names that match one of the patterns.
Damien Miller32aa1441999-10-29 09:15:49 +1000304.Ql \&*
305and
306.Ql ?
Damien Miller450a7a12000-03-26 13:04:51 +1000307can be used as wildcards in the patterns.
308Only user names are valid, a numerical user ID isn't recognized.
309By default login is allowed regardless of the user name.
Damien Millere247cc42000-05-07 12:03:14 +1000310.It Cm DSAAuthentication
311Specifies whether DSA authentication is allowed.
312The default is
313.Dq yes .
314Note that this option applies to protocol version 2 only.
315.It Cm GatewayPorts
316Specifies whether remote hosts are allowed to connect to ports
317forwarded for the client.
318The argument must be
319.Dq yes
320or
321.Dq no .
322The default is
323.Dq no .
324.It Cm HostDsaKey
325Specifies the file containing the private DSA host key (default
326.Pa /etc/ssh_host_dsa_key )
327used by SSH protocol 2.0.
Damien Miller32aa1441999-10-29 09:15:49 +1000328Note that
329.Nm
Damien Miller30c3d422000-05-09 11:02:59 +1000330disables protocol 2.0 if this file is group/world-accessible.
Damien Millere247cc42000-05-07 12:03:14 +1000331.It Cm HostKey
332Specifies the file containing the private RSA host key (default
333.Pa /etc/ssh_host_key )
334used by SSH protocols 1.3 and 1.5.
335Note that
336.Nm
Damien Miller30c3d422000-05-09 11:02:59 +1000337disables protocols 1.3 and 1.5 if this file is group/world-accessible.
Damien Miller32aa1441999-10-29 09:15:49 +1000338.It Cm IgnoreRhosts
Damien Miller98c7ad62000-03-09 21:27:49 +1100339Specifies that
340.Pa .rhosts
Damien Miller22c77262000-04-13 12:26:34 +1000341and
Damien Miller98c7ad62000-03-09 21:27:49 +1100342.Pa .shosts
343files will not be used in authentication.
Damien Miller32aa1441999-10-29 09:15:49 +1000344.Pa /etc/hosts.equiv
345and
Damien Miller22c77262000-04-13 12:26:34 +1000346.Pa /etc/shosts.equiv
Damien Miller450a7a12000-03-26 13:04:51 +1000347are still used.
Damien Miller22c77262000-04-13 12:26:34 +1000348The default is
Damien Miller98c7ad62000-03-09 21:27:49 +1100349.Dq yes .
Damien Miller32265091999-11-12 11:33:04 +1100350.It Cm IgnoreUserKnownHosts
351Specifies whether
352.Nm
353should ignore the user's
354.Pa $HOME/.ssh/known_hosts
355during
356.Cm RhostsRSAAuthentication .
357The default is
358.Dq no .
Damien Miller32aa1441999-10-29 09:15:49 +1000359.It Cm KeepAlive
360Specifies whether the system should send keepalive messages to the
Damien Miller450a7a12000-03-26 13:04:51 +1000361other side.
362If they are sent, death of the connection or crash of one
363of the machines will be properly noticed.
364However, this means that
Damien Miller32aa1441999-10-29 09:15:49 +1000365connections will die if the route is down temporarily, and some people
Damien Miller450a7a12000-03-26 13:04:51 +1000366find it annoying.
Damien Miller30c3d422000-05-09 11:02:59 +1000367On the other hand, if keepalives are not sent,
Damien Miller32aa1441999-10-29 09:15:49 +1000368sessions may hang indefinitely on the server, leaving
369.Dq ghost
370users and consuming server resources.
371.Pp
372The default is
373.Dq yes
374(to send keepalives), and the server will notice
Damien Miller450a7a12000-03-26 13:04:51 +1000375if the network goes down or the client host reboots.
376This avoids infinitely hanging sessions.
Damien Miller32aa1441999-10-29 09:15:49 +1000377.Pp
378To disable keepalives, the value should be set to
379.Dq no
380in both the server and the client configuration files.
381.It Cm KerberosAuthentication
Damien Miller450a7a12000-03-26 13:04:51 +1000382Specifies whether Kerberos authentication is allowed.
383This can be in the form of a Kerberos ticket, or if
Damien Miller32aa1441999-10-29 09:15:49 +1000384.Cm PasswordAuthentication
385is yes, the password provided by the user will be validated through
Damien Miller450a7a12000-03-26 13:04:51 +1000386the Kerberos KDC.
387Default is
Damien Miller32aa1441999-10-29 09:15:49 +1000388.Dq yes .
389.It Cm KerberosOrLocalPasswd
390If set then if password authentication through Kerberos fails then
391the password will be validated via any additional local mechanism
392such as
393.Pa /etc/passwd
Damien Miller450a7a12000-03-26 13:04:51 +1000394or SecurID.
395Default is
Damien Miller32aa1441999-10-29 09:15:49 +1000396.Dq yes .
397.It Cm KerberosTgtPassing
398Specifies whether a Kerberos TGT may be forwarded to the server.
Damien Miller22c77262000-04-13 12:26:34 +1000399Default is
Damien Miller32aa1441999-10-29 09:15:49 +1000400.Dq no ,
401as this only works when the Kerberos KDC is actually an AFS kaserver.
402.It Cm KerberosTicketCleanup
403Specifies whether to automatically destroy the user's ticket cache
Damien Miller450a7a12000-03-26 13:04:51 +1000404file on logout.
405Default is
Damien Miller32aa1441999-10-29 09:15:49 +1000406.Dq yes .
407.It Cm KeyRegenerationInterval
408The server key is automatically regenerated after this many seconds
Damien Miller450a7a12000-03-26 13:04:51 +1000409(if it has been used).
410The purpose of regeneration is to prevent
Damien Miller32aa1441999-10-29 09:15:49 +1000411decrypting captured sessions by later breaking into the machine and
Damien Miller450a7a12000-03-26 13:04:51 +1000412stealing the keys.
413The key is never stored anywhere.
414If the value is 0, the key is never regenerated.
415The default is 3600 (seconds).
Damien Miller32aa1441999-10-29 09:15:49 +1000416.It Cm ListenAddress
417Specifies what local address
418.Nm
419should listen on.
420The default is to listen to all local addresses.
Damien Miller34132e52000-01-14 15:45:46 +1100421Multiple options of this type are permitted.
422Additionally, the
423.Cm Ports
424options must precede this option.
Damien Miller32aa1441999-10-29 09:15:49 +1000425.It Cm LoginGraceTime
426The server disconnects after this time if the user has not
Damien Miller450a7a12000-03-26 13:04:51 +1000427successfully logged in.
428If the value is 0, there is no time limit.
Damien Miller32aa1441999-10-29 09:15:49 +1000429The default is 600 (seconds).
Damien Miller5ce662a1999-11-11 17:57:39 +1100430.It Cm LogLevel
431Gives the verbosity level that is used when logging messages from
432.Nm sshd .
433The possible values are:
Damien Miller95def091999-11-25 00:26:21 +1100434QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
Damien Miller5ce662a1999-11-11 17:57:39 +1100435The default is INFO.
436Logging with level DEBUG violates the privacy of users
437and is not recommended.
Damien Miller32aa1441999-10-29 09:15:49 +1000438.It Cm PasswordAuthentication
439Specifies whether password authentication is allowed.
440The default is
441.Dq yes .
Damien Millere247cc42000-05-07 12:03:14 +1000442Note that this option applies to both protocol version 1 and 2.
Damien Miller32aa1441999-10-29 09:15:49 +1000443.It Cm PermitEmptyPasswords
444When password authentication is allowed, it specifies whether the
Damien Miller450a7a12000-03-26 13:04:51 +1000445server allows login to accounts with empty password strings.
446The default is
Damien Miller98c7ad62000-03-09 21:27:49 +1100447.Dq no .
Damien Miller32aa1441999-10-29 09:15:49 +1000448.It Cm PermitRootLogin
449Specifies whether the root can log in using
450.Xr ssh 1 .
451The argument must be
452.Dq yes ,
453.Dq without-password
454or
455.Dq no .
456The default is
457.Dq yes .
458If this options is set to
459.Dq without-password
460only password authentication is disabled for root.
461.Pp
462Root login with RSA authentication when the
463.Ar command
464option has been
465specified will be allowed regardless of the value of this setting
466(which may be useful for taking remote backups even if root login is
467normally not allowed).
Damien Miller6f83b8e2000-05-02 09:23:45 +1000468.It Cm PidFile
469Specifies the file that contains the process identifier of the
470.Nm
471daemon.
472The default is
473.Pa /var/run/sshd.pid .
Damien Miller32aa1441999-10-29 09:15:49 +1000474.It Cm Port
475Specifies the port number that
476.Nm
Damien Miller450a7a12000-03-26 13:04:51 +1000477listens on.
478The default is 22.
Damien Miller34132e52000-01-14 15:45:46 +1100479Multiple options of this type are permitted.
Damien Miller32aa1441999-10-29 09:15:49 +1000480.It Cm PrintMotd
481Specifies whether
482.Nm
Damien Miller22c77262000-04-13 12:26:34 +1000483should print
Damien Miller32aa1441999-10-29 09:15:49 +1000484.Pa /etc/motd
Damien Miller450a7a12000-03-26 13:04:51 +1000485when a user logs in interactively.
486(On some systems it is also printed by the shell,
Damien Miller32aa1441999-10-29 09:15:49 +1000487.Pa /etc/profile ,
Damien Miller450a7a12000-03-26 13:04:51 +1000488or equivalent.)
489The default is
Damien Miller32aa1441999-10-29 09:15:49 +1000490.Dq yes .
Damien Miller22c77262000-04-13 12:26:34 +1000491.It Cm Protocol
492Specifies the protocol versions
493.Nm
494should support.
495The possible values are
496.Dq 1
497and
498.Dq 2 .
499Multiple versions must be comma-separated.
500The default is
501.Dq 1 .
Damien Miller32aa1441999-10-29 09:15:49 +1000502.It Cm RandomSeed
Damien Miller450a7a12000-03-26 13:04:51 +1000503Obsolete.
504Random number generation uses other techniques.
Damien Miller32aa1441999-10-29 09:15:49 +1000505.It Cm RhostsAuthentication
506Specifies whether authentication using rhosts or /etc/hosts.equiv
Damien Miller450a7a12000-03-26 13:04:51 +1000507files is sufficient.
508Normally, this method should not be permitted because it is insecure.
Damien Miller32aa1441999-10-29 09:15:49 +1000509.Cm RhostsRSAAuthentication
510should be used
511instead, because it performs RSA-based host authentication in addition
512to normal rhosts or /etc/hosts.equiv authentication.
513The default is
514.Dq no .
515.It Cm RhostsRSAAuthentication
516Specifies whether rhosts or /etc/hosts.equiv authentication together
Damien Miller450a7a12000-03-26 13:04:51 +1000517with successful RSA host authentication is allowed.
518The default is
Damien Miller98c7ad62000-03-09 21:27:49 +1100519.Dq no .
Damien Miller32aa1441999-10-29 09:15:49 +1000520.It Cm RSAAuthentication
Damien Miller450a7a12000-03-26 13:04:51 +1000521Specifies whether pure RSA authentication is allowed.
522The default is
Damien Miller32aa1441999-10-29 09:15:49 +1000523.Dq yes .
Damien Millere247cc42000-05-07 12:03:14 +1000524Note that this option applies to protocol version 1 only.
Damien Miller32aa1441999-10-29 09:15:49 +1000525.It Cm ServerKeyBits
Damien Miller450a7a12000-03-26 13:04:51 +1000526Defines the number of bits in the server key.
527The minimum value is 512, and the default is 768.
Damien Miller32aa1441999-10-29 09:15:49 +1000528.It Cm SkeyAuthentication
529Specifies whether
Damien Miller22c77262000-04-13 12:26:34 +1000530.Xr skey 1
Damien Miller450a7a12000-03-26 13:04:51 +1000531authentication is allowed.
532The default is
Damien Miller32aa1441999-10-29 09:15:49 +1000533.Dq yes .
534Note that s/key authentication is enabled only if
535.Cm PasswordAuthentication
536is allowed, too.
537.It Cm StrictModes
538Specifies whether
539.Nm
540should check file modes and ownership of the
Damien Miller450a7a12000-03-26 13:04:51 +1000541user's files and home directory before accepting login.
542This is normally desirable because novices sometimes accidentally leave their
543directory or files world-writable.
544The default is
Damien Miller32aa1441999-10-29 09:15:49 +1000545.Dq yes .
546.It Cm SyslogFacility
547Gives the facility code that is used when logging messages from
548.Nm sshd .
549The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
Damien Miller450a7a12000-03-26 13:04:51 +1000550LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
551The default is AUTH.
Damien Miller32aa1441999-10-29 09:15:49 +1000552.It Cm UseLogin
553Specifies whether
554.Xr login 1
Damien Miller450a7a12000-03-26 13:04:51 +1000555is used.
556The default is
Damien Miller32aa1441999-10-29 09:15:49 +1000557.Dq no .
Damien Miller32aa1441999-10-29 09:15:49 +1000558.It Cm X11DisplayOffset
559Specifies the first display number available for
560.Nm sshd Ns 's
Damien Miller450a7a12000-03-26 13:04:51 +1000561X11 forwarding.
562This prevents
Damien Miller32aa1441999-10-29 09:15:49 +1000563.Nm
564from interfering with real X11 servers.
Damien Miller98c7ad62000-03-09 21:27:49 +1100565The default is 10.
Damien Miller396691a2000-01-20 22:44:08 +1100566.It Cm X11Forwarding
Damien Miller450a7a12000-03-26 13:04:51 +1000567Specifies whether X11 forwarding is permitted.
568The default is
Damien Miller98c7ad62000-03-09 21:27:49 +1100569.Dq no .
Damien Miller396691a2000-01-20 22:44:08 +1100570Note that disabling X11 forwarding does not improve security in any
571way, as users can always install their own forwarders.
Damien Miller32aa1441999-10-29 09:15:49 +1000572.El
573.Sh LOGIN PROCESS
574When a user successfully logs in,
575.Nm
576does the following:
577.Bl -enum -offset indent
578.It
579If the login is on a tty, and no command has been specified,
Damien Miller22c77262000-04-13 12:26:34 +1000580prints last login time and
Damien Miller32aa1441999-10-29 09:15:49 +1000581.Pa /etc/motd
582(unless prevented in the configuration file or by
583.Pa $HOME/.hushlogin ;
584see the
Damien Miller22c77262000-04-13 12:26:34 +1000585.Sx FILES
Damien Miller32aa1441999-10-29 09:15:49 +1000586section).
587.It
588If the login is on a tty, records login time.
589.It
590Checks
591.Pa /etc/nologin ;
592if it exists, prints contents and quits
593(unless root).
594.It
595Changes to run with normal user privileges.
596.It
597Sets up basic environment.
598.It
599Reads
600.Pa $HOME/.ssh/environment
601if it exists.
602.It
603Changes to user's home directory.
604.It
605If
606.Pa $HOME/.ssh/rc
607exists, runs it; else if
Damien Miller886c63a2000-01-20 23:13:36 +1100608.Pa /etc/sshrc
Damien Miller32aa1441999-10-29 09:15:49 +1000609exists, runs
Damien Miller450a7a12000-03-26 13:04:51 +1000610it; otherwise runs xauth.
611The
Damien Miller32aa1441999-10-29 09:15:49 +1000612.Dq rc
613files are given the X11
614authentication protocol and cookie in standard input.
615.It
616Runs user's shell or command.
617.El
618.Sh AUTHORIZED_KEYS FILE FORMAT
Damien Miller22c77262000-04-13 12:26:34 +1000619The
Damien Miller32aa1441999-10-29 09:15:49 +1000620.Pa $HOME/.ssh/authorized_keys
621file lists the RSA keys that are
Damien Millere247cc42000-05-07 12:03:14 +1000622permitted for RSA authentication in SSH protocols 1.3 and 1.5
Damien Miller30c3d422000-05-09 11:02:59 +1000623Similarly, the
Damien Millere247cc42000-05-07 12:03:14 +1000624.Pa $HOME/.ssh/authorized_keys2
625file lists the DSA keys that are
626permitted for DSA authentication in SSH protocol 2.0.
Damien Miller450a7a12000-03-26 13:04:51 +1000627Each line of the file contains one
Damien Miller32aa1441999-10-29 09:15:49 +1000628key (empty lines and lines starting with a
629.Ql #
630are ignored as
Damien Miller450a7a12000-03-26 13:04:51 +1000631comments).
632Each line consists of the following fields, separated by
633spaces: options, bits, exponent, modulus, comment.
634The options field
Damien Miller32aa1441999-10-29 09:15:49 +1000635is optional; its presence is determined by whether the line starts
636with a number or not (the option field never starts with a number).
637The bits, exponent, modulus and comment fields give the RSA key; the
638comment field is not used for anything (but may be convenient for the
639user to identify the key).
640.Pp
641Note that lines in this file are usually several hundred bytes long
Damien Miller450a7a12000-03-26 13:04:51 +1000642(because of the size of the RSA key modulus).
643You don't want to type them in; instead, copy the
Damien Miller32aa1441999-10-29 09:15:49 +1000644.Pa identity.pub
645file and edit it.
646.Pp
647The options (if present) consists of comma-separated option
Damien Miller450a7a12000-03-26 13:04:51 +1000648specifications.
649No spaces are permitted, except within double quotes.
Damien Miller32aa1441999-10-29 09:15:49 +1000650The following option specifications are supported:
651.Bl -tag -width Ds
652.It Cm from="pattern-list"
653Specifies that in addition to RSA authentication, the canonical name
654of the remote host must be present in the comma-separated list of
Damien Miller450a7a12000-03-26 13:04:51 +1000655patterns
656.Pf ( Ql *
657and
658.Ql ?
659serve as wildcards).
660The list may also contain
661patterns negated by prefixing them with
662.Ql ! ;
663if the canonical host name matches a negated pattern, the key is not accepted.
664The purpose
Damien Miller32aa1441999-10-29 09:15:49 +1000665of this option is to optionally increase security: RSA authentication
666by itself does not trust the network or name servers or anything (but
667the key); however, if somebody somehow steals the key, the key
Damien Miller450a7a12000-03-26 13:04:51 +1000668permits an intruder to log in from anywhere in the world.
669This additional option makes using a stolen key more difficult (name
Damien Miller32aa1441999-10-29 09:15:49 +1000670servers and/or routers would have to be compromised in addition to
671just the key).
672.It Cm command="command"
673Specifies that the command is executed whenever this key is used for
Damien Miller450a7a12000-03-26 13:04:51 +1000674authentication.
675The command supplied by the user (if any) is ignored.
Damien Miller32aa1441999-10-29 09:15:49 +1000676The command is run on a pty if the connection requests a pty;
Damien Miller450a7a12000-03-26 13:04:51 +1000677otherwise it is run without a tty.
678A quote may be included in the command by quoting it with a backslash.
679This option might be useful
680to restrict certain RSA keys to perform just a specific operation.
681An example might be a key that permits remote backups but nothing else.
Damien Miller30c3d422000-05-09 11:02:59 +1000682Note that the client may specify TCP/IP and/or X11
683forwarding unless they are explicitly prohibited.
Damien Miller32aa1441999-10-29 09:15:49 +1000684.It Cm environment="NAME=value"
685Specifies that the string is to be added to the environment when
Damien Miller450a7a12000-03-26 13:04:51 +1000686logging in using this key.
687Environment variables set this way
688override other default environment values.
689Multiple options of this type are permitted.
Damien Miller32aa1441999-10-29 09:15:49 +1000690.It Cm no-port-forwarding
691Forbids TCP/IP forwarding when this key is used for authentication.
Damien Miller450a7a12000-03-26 13:04:51 +1000692Any port forward requests by the client will return an error.
693This might be used, e.g., in connection with the
Damien Miller32aa1441999-10-29 09:15:49 +1000694.Cm command
695option.
696.It Cm no-X11-forwarding
697Forbids X11 forwarding when this key is used for authentication.
698Any X11 forward requests by the client will return an error.
699.It Cm no-agent-forwarding
700Forbids authentication agent forwarding when this key is used for
701authentication.
702.It Cm no-pty
703Prevents tty allocation (a request to allocate a pty will fail).
704.El
705.Ss Examples
7061024 33 12121.\|.\|.\|312314325 ylo@foo.bar
707.Pp
708from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
709.Pp
710command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
711.Sh SSH_KNOWN_HOSTS FILE FORMAT
Damien Miller22c77262000-04-13 12:26:34 +1000712The
Damien Millere247cc42000-05-07 12:03:14 +1000713.Pa /etc/ssh_known_hosts ,
714.Pa /etc/ssh_known_hosts2 ,
715.Pa $HOME/.ssh/known_hosts ,
Damien Miller22c77262000-04-13 12:26:34 +1000716and
Damien Millere247cc42000-05-07 12:03:14 +1000717.Pa $HOME/.ssh/known_hosts2
Damien Miller450a7a12000-03-26 13:04:51 +1000718files contain host public keys for all known hosts.
719The global file should
720be prepared by the administrator (optional), and the per-user file is
Damien Miller32aa1441999-10-29 09:15:49 +1000721maintained automatically: whenever the user connects an unknown host
Damien Miller450a7a12000-03-26 13:04:51 +1000722its key is added to the per-user file.
Damien Miller32aa1441999-10-29 09:15:49 +1000723.Pp
724Each line in these files contains the following fields: hostnames,
Damien Miller450a7a12000-03-26 13:04:51 +1000725bits, exponent, modulus, comment.
726The fields are separated by spaces.
Damien Miller32aa1441999-10-29 09:15:49 +1000727.Pp
728Hostnames is a comma-separated list of patterns ('*' and '?' act as
729wildcards); each pattern in turn is matched against the canonical host
730name (when authenticating a client) or against the user-supplied
Damien Miller450a7a12000-03-26 13:04:51 +1000731name (when authenticating a server).
732A pattern may also be preceded by
Damien Miller32aa1441999-10-29 09:15:49 +1000733.Ql !
734to indicate negation: if the host name matches a negated
735pattern, it is not accepted (by that line) even if it matched another
736pattern on the line.
737.Pp
Damien Millere247cc42000-05-07 12:03:14 +1000738Bits, exponent, and modulus are taken directly from the RSA host key; they
Damien Miller32aa1441999-10-29 09:15:49 +1000739can be obtained, e.g., from
Damien Miller886c63a2000-01-20 23:13:36 +1100740.Pa /etc/ssh_host_key.pub .
Damien Miller32aa1441999-10-29 09:15:49 +1000741The optional comment field continues to the end of the line, and is not used.
742.Pp
743Lines starting with
744.Ql #
745and empty lines are ignored as comments.
746.Pp
747When performing host authentication, authentication is accepted if any
Damien Miller450a7a12000-03-26 13:04:51 +1000748matching line has the proper key.
749It is thus permissible (but not
Damien Miller32aa1441999-10-29 09:15:49 +1000750recommended) to have several lines or different host keys for the same
Damien Miller450a7a12000-03-26 13:04:51 +1000751names.
752This will inevitably happen when short forms of host names
753from different domains are put in the file.
754It is possible
Damien Miller32aa1441999-10-29 09:15:49 +1000755that the files contain conflicting information; authentication is
756accepted if valid information can be found from either file.
757.Pp
758Note that the lines in these files are typically hundreds of characters
759long, and you definitely don't want to type in the host keys by hand.
760Rather, generate them by a script
Damien Miller22c77262000-04-13 12:26:34 +1000761or by taking
Damien Miller886c63a2000-01-20 23:13:36 +1100762.Pa /etc/ssh_host_key.pub
Damien Miller32aa1441999-10-29 09:15:49 +1000763and adding the host names at the front.
764.Ss Examples
765closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi
766.Sh FILES
767.Bl -tag -width Ds
Damien Miller886c63a2000-01-20 23:13:36 +1100768.It Pa /etc/sshd_config
Damien Miller32aa1441999-10-29 09:15:49 +1000769Contains configuration data for
770.Nm sshd .
771This file should be writable by root only, but it is recommended
772(though not necessary) that it be world-readable.
Damien Miller886c63a2000-01-20 23:13:36 +1100773.It Pa /etc/ssh_host_key
Damien Miller32aa1441999-10-29 09:15:49 +1000774Contains the private part of the host key.
775This file should only be owned by root, readable only by root, and not
776accessible to others.
777Note that
778.Nm
779does not start if this file is group/world-accessible.
Damien Miller886c63a2000-01-20 23:13:36 +1100780.It Pa /etc/ssh_host_key.pub
Damien Miller32aa1441999-10-29 09:15:49 +1000781Contains the public part of the host key.
782This file should be world-readable but writable only by
Damien Miller450a7a12000-03-26 13:04:51 +1000783root.
784Its contents should match the private part.
785This file is not
Damien Miller32aa1441999-10-29 09:15:49 +1000786really used for anything; it is only provided for the convenience of
787the user so its contents can be copied to known hosts files.
788These two files are created using
789.Xr ssh-keygen 1 .
Damien Miller886c63a2000-01-20 23:13:36 +1100790.It Pa /var/run/sshd.pid
Damien Miller32aa1441999-10-29 09:15:49 +1000791Contains the process ID of the
792.Nm
793listening for connections (if there are several daemons running
794concurrently for different ports, this contains the pid of the one
Damien Miller450a7a12000-03-26 13:04:51 +1000795started last).
796The contents of this file are not sensitive; it can be world-readable.
Damien Miller32aa1441999-10-29 09:15:49 +1000797.It Pa $HOME/.ssh/authorized_keys
798Lists the RSA keys that can be used to log into the user's account.
799This file must be readable by root (which may on some machines imply
800it being world-readable if the user's home directory resides on an NFS
Damien Miller450a7a12000-03-26 13:04:51 +1000801volume).
802It is recommended that it not be accessible by others.
803The format of this file is described above.
Damien Millere247cc42000-05-07 12:03:14 +1000804Users will place the contents of their
805.Pa identity.pub
806files into this file, as described in
807.Xr ssh-keygen 1 .
808.It Pa $HOME/.ssh/authorized_keys2
809Lists the DSA keys that can be used to log into the user's account.
810This file must be readable by root (which may on some machines imply
811it being world-readable if the user's home directory resides on an NFS
812volume).
813It is recommended that it not be accessible by others.
814The format of this file is described above.
815Users will place the contents of their
816.Pa id_dsa.pub
817files into this file, as described in
818.Xr ssh-keygen 1 .
Damien Miller886c63a2000-01-20 23:13:36 +1100819.It Pa "/etc/ssh_known_hosts" and "$HOME/.ssh/known_hosts"
Damien Miller5ce662a1999-11-11 17:57:39 +1100820These files are consulted when using rhosts with RSA host
Damien Miller450a7a12000-03-26 13:04:51 +1000821authentication to check the public key of the host.
822The key must be listed in one of these files to be accepted.
Damien Miller33e511e1999-11-11 11:43:13 +1100823The client uses the same files
Damien Miller450a7a12000-03-26 13:04:51 +1000824to verify that the remote host is the one we intended to connect.
825These files should be writable only by root/the owner.
Damien Miller886c63a2000-01-20 23:13:36 +1100826.Pa /etc/ssh_known_hosts
Damien Miller32aa1441999-10-29 09:15:49 +1000827should be world-readable, and
828.Pa $HOME/.ssh/known_hosts
829can but need not be world-readable.
830.It Pa /etc/nologin
Damien Miller22c77262000-04-13 12:26:34 +1000831If this file exists,
Damien Miller32aa1441999-10-29 09:15:49 +1000832.Nm
Damien Miller450a7a12000-03-26 13:04:51 +1000833refuses to let anyone except root log in.
834The contents of the file
Damien Miller32aa1441999-10-29 09:15:49 +1000835are displayed to anyone trying to log in, and non-root connections are
Damien Miller450a7a12000-03-26 13:04:51 +1000836refused.
837The file should be world-readable.
Damien Miller32aa1441999-10-29 09:15:49 +1000838.It Pa /etc/hosts.allow, /etc/hosts.deny
839If compiled with
840.Sy LIBWRAP
841support, tcp-wrappers access controls may be defined here as described in
842.Xr hosts_access 5 .
843.It Pa $HOME/.rhosts
844This file contains host-username pairs, separated by a space, one per
Damien Miller450a7a12000-03-26 13:04:51 +1000845line.
846The given user on the corresponding host is permitted to log in
847without password.
848The same file is used by rlogind and rshd.
Damien Miller32aa1441999-10-29 09:15:49 +1000849The file must
850be writable only by the user; it is recommended that it not be
851accessible by others.
852.Pp
Damien Miller450a7a12000-03-26 13:04:51 +1000853If is also possible to use netgroups in the file.
854Either host or user
Damien Miller32aa1441999-10-29 09:15:49 +1000855name may be of the form +@groupname to specify all hosts or all users
856in the group.
857.It Pa $HOME/.shosts
858For ssh,
859this file is exactly the same as for
860.Pa .rhosts .
861However, this file is
862not used by rlogin and rshd, so using this permits access using SSH only.
863.Pa /etc/hosts.equiv
864This file is used during
865.Pa .rhosts
Damien Miller450a7a12000-03-26 13:04:51 +1000866authentication.
867In the simplest form, this file contains host names, one per line.
868Users on
Damien Miller32aa1441999-10-29 09:15:49 +1000869those hosts are permitted to log in without a password, provided they
Damien Miller450a7a12000-03-26 13:04:51 +1000870have the same user name on both machines.
871The host name may also be
Damien Miller32aa1441999-10-29 09:15:49 +1000872followed by a user name; such users are permitted to log in as
873.Em any
Damien Miller450a7a12000-03-26 13:04:51 +1000874user on this machine (except root).
875Additionally, the syntax
Damien Miller32aa1441999-10-29 09:15:49 +1000876.Dq +@group
Damien Miller450a7a12000-03-26 13:04:51 +1000877can be used to specify netgroups.
878Negated entries start with
Damien Miller32aa1441999-10-29 09:15:49 +1000879.Ql \&- .
880.Pp
881If the client host/user is successfully matched in this file, login is
882automatically permitted provided the client and server user names are the
Damien Miller450a7a12000-03-26 13:04:51 +1000883same.
884Additionally, successful RSA host authentication is normally required.
885This file must be writable only by root; it is recommended
Damien Miller32aa1441999-10-29 09:15:49 +1000886that it be world-readable.
887.Pp
888.Sy "Warning: It is almost never a good idea to use user names in"
889.Pa hosts.equiv .
890Beware that it really means that the named user(s) can log in as
891.Em anybody ,
892which includes bin, daemon, adm, and other accounts that own critical
Damien Miller450a7a12000-03-26 13:04:51 +1000893binaries and directories.
894Using a user name practically grants the user root access.
895The only valid use for user names that I can think
Damien Miller32aa1441999-10-29 09:15:49 +1000896of is in negative entries.
897.Pp
898Note that this warning also applies to rsh/rlogin.
Damien Miller886c63a2000-01-20 23:13:36 +1100899.It Pa /etc/shosts.equiv
Damien Miller32aa1441999-10-29 09:15:49 +1000900This is processed exactly as
901.Pa /etc/hosts.equiv .
902However, this file may be useful in environments that want to run both
903rsh/rlogin and ssh.
904.It Pa $HOME/.ssh/environment
Damien Miller450a7a12000-03-26 13:04:51 +1000905This file is read into the environment at login (if it exists).
906It can only contain empty lines, comment lines (that start with
Damien Miller32aa1441999-10-29 09:15:49 +1000907.Ql # ) ,
Damien Miller450a7a12000-03-26 13:04:51 +1000908and assignment lines of the form name=value.
909The file should be writable
Damien Miller32aa1441999-10-29 09:15:49 +1000910only by the user; it need not be readable by anyone else.
911.It Pa $HOME/.ssh/rc
912If this file exists, it is run with /bin/sh after reading the
Damien Miller450a7a12000-03-26 13:04:51 +1000913environment files but before starting the user's shell or command.
914If X11 spoofing is in use, this will receive the "proto cookie" pair in
Damien Miller32aa1441999-10-29 09:15:49 +1000915standard input (and
916.Ev DISPLAY
Damien Miller450a7a12000-03-26 13:04:51 +1000917in environment).
918This must call
Damien Miller32aa1441999-10-29 09:15:49 +1000919.Xr xauth 1
920in that case.
921.Pp
922The primary purpose of this file is to run any initialization routines
923which may be needed before the user's home directory becomes
924accessible; AFS is a particular example of such an environment.
925.Pp
926This file will probably contain some initialization code followed by
927something similar to: "if read proto cookie; then echo add $DISPLAY
928$proto $cookie | xauth -q -; fi".
929.Pp
930If this file does not exist,
Damien Miller886c63a2000-01-20 23:13:36 +1100931.Pa /etc/sshrc
Damien Miller32aa1441999-10-29 09:15:49 +1000932is run, and if that
933does not exist either, xauth is used to store the cookie.
934.Pp
935This file should be writable only by the user, and need not be
936readable by anyone else.
Damien Miller886c63a2000-01-20 23:13:36 +1100937.It Pa /etc/sshrc
Damien Miller32aa1441999-10-29 09:15:49 +1000938Like
939.Pa $HOME/.ssh/rc .
940This can be used to specify
Damien Miller450a7a12000-03-26 13:04:51 +1000941machine-specific login-time initializations globally.
942This file should be writable only by root, and should be world-readable.
Damien Miller32aa1441999-10-29 09:15:49 +1000943.Sh AUTHOR
Damien Miller32aa1441999-10-29 09:15:49 +1000944OpenSSH
Damien Miller98c7ad62000-03-09 21:27:49 +1100945is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,
Damien Miller450a7a12000-03-26 13:04:51 +1000946but with bugs removed and newer features re-added.
947Rapidly after the
Damien Miller98c7ad62000-03-09 21:27:49 +11009481.2.12 release, newer versions of the original ssh bore successively
949more restrictive licenses, and thus demand for a free version was born.
Damien Millere247cc42000-05-07 12:03:14 +1000950.Pp
Damien Miller98c7ad62000-03-09 21:27:49 +1100951This version of OpenSSH
Damien Miller32aa1441999-10-29 09:15:49 +1000952.Bl -bullet
953.It
Damien Millercfabe862000-04-20 23:27:27 +1000954has all components of a restrictive nature (i.e., patents)
Damien Miller32aa1441999-10-29 09:15:49 +1000955directly removed from the source code; any licensed or patented components
956are chosen from
957external libraries.
958.It
Damien Millere247cc42000-05-07 12:03:14 +1000959has been updated to support SSH protocol 1.5 and 2, making it compatible with
960all other SSH clients and servers.
Damien Miller32aa1441999-10-29 09:15:49 +1000961.It
Damien Miller22c77262000-04-13 12:26:34 +1000962contains added support for
Damien Miller32aa1441999-10-29 09:15:49 +1000963.Xr kerberos 8
964authentication and ticket passing.
965.It
966supports one-time password authentication with
967.Xr skey 1 .
968.El
Damien Millere247cc42000-05-07 12:03:14 +1000969.Pp
970OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl,
971Niels Provos, Theo de Raadt, and Dug Song.
972.Pp
973The support for SSH protocol 2 was written by Markus Friedl.
Damien Miller32aa1441999-10-29 09:15:49 +1000974.Sh SEE ALSO
Damien Miller32aa1441999-10-29 09:15:49 +1000975.Xr scp 1 ,
976.Xr ssh 1 ,
977.Xr ssh-add 1 ,
978.Xr ssh-agent 1 ,
979.Xr ssh-keygen 1 ,
Damien Millerb38eff82000-04-01 11:09:21 +1000980.Xr rlogin 1 ,
981.Xr rsh 1