diff options
Diffstat (limited to 'sshd.0')
| -rw-r--r-- | sshd.0 | 151 |
1 files changed, 56 insertions, 95 deletions
@@ -4,10 +4,9 @@ NAME sshd M-bM-^@M-^S OpenSSH SSH daemon SYNOPSIS - sshd [-46DdeiqTt] [-b bits] [-C connection_spec] - [-c host_certificate_file] [-E log_file] [-f config_file] - [-g login_grace_time] [-h host_key_file] [-k key_gen_time] - [-o option] [-p port] [-u len] + sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file] + [-E log_file] [-f config_file] [-g login_grace_time] + [-h host_key_file] [-o option] [-p port] [-u len] DESCRIPTION sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these @@ -31,10 +30,6 @@ DESCRIPTION -6 Forces sshd to use IPv6 addresses only. - -b bits - Specifies the number of bits in the ephemeral protocol version 1 - server key (default 1024). - -C connection_spec Specify the connection parameters to use for the -T extended test mode. If provided, any Match directives in the configuration @@ -80,28 +75,12 @@ DESCRIPTION Specifies a file from which a host key is read. This option must be given if sshd is not run as root (as the normal host key files are normally not readable by anyone but root). The default is - /etc/ssh/ssh_host_key for protocol version 1, and - /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key. - /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for - protocol version 2. It is possible to have multiple host key - files for the different protocol versions and host key - algorithms. - - -i Specifies that sshd is being run from inetd(8). If SSH protocol - 1 is enabled, sshd should not normally be run from inetd because - it needs to generate the server key before it can respond to the - client, and this may take some time. Clients may have to wait - too long if the key was regenerated every time. - - -k key_gen_time - Specifies how often the ephemeral protocol version 1 server key - is regenerated (default 3600 seconds, or one hour). The - motivation for regenerating the key fairly often is that the key - is not stored anywhere, and after about an hour it becomes - impossible to recover the key for decrypting intercepted - communications even if the machine is cracked into or physically - seized. A value of zero indicates that the key will never be - regenerated. + /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, + /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key. It + is possible to have multiple host key files for the different + host key algorithms. + + -i Specifies that sshd is being run from inetd(8). -o option Can be used to give options in the format used in the @@ -138,33 +117,17 @@ DESCRIPTION into the utmp file. -u0 may also be used to prevent sshd from making DNS requests unless the authentication mechanism or configuration requires it. Authentication mechanisms that may - require DNS include RhostsRSAAuthentication, - HostbasedAuthentication, and using a from="pattern-list" option - in a key file. Configuration options that require DNS include - using a USER@HOST pattern in AllowUsers or DenyUsers. + require DNS include HostbasedAuthentication and using a + from="pattern-list" option in a key file. Configuration options + that require DNS include using a USER@HOST pattern in AllowUsers + or DenyUsers. AUTHENTICATION - The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to - use protocol 2 only, though this can be changed via the Protocol option - in sshd_config(5). Protocol 1 should not be used and is only offered to - support legacy devices. - - Each host has a host-specific key, used to identify the host. Partial - forward security for protocol 1 is provided through an additional server - key, normally 1024 bits, generated when the server starts. This key is - normally regenerated every hour if it has been used, and is never stored - on disk. Whenever a client connects, the daemon responds with its public - host and server keys. The client compares the RSA host key against its - own database to verify that it has not changed. The client then - generates a 256-bit random number. It encrypts this random number using - both the host key and the server key, and sends the encrypted number to - the server. Both sides then use this random number as a session key - which is used to encrypt all further communications in the session. The - rest of the session is encrypted using a conventional cipher, currently - Blowfish or 3DES, with 3DES being used by default. The client selects - the encryption algorithm to use from those offered by the server. - - For protocol 2, forward security is provided through a Diffie-Hellman key + The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a + host-specific key, used to identify the host. Whenever a client + connects, the daemon responds with its public host key. The client + compares the host key against its own database to verify that it has not + changed. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The @@ -271,27 +234,20 @@ AUTHORIZED_KEYS FILE FORMAT key authentication; if this option is not specified, the default is ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are - ignored as comments). Protocol 1 public keys consist of the following - space-separated fields: options, bits, exponent, modulus, comment. - Protocol 2 public key consist of: options, keytype, base64-encoded key, - comment. The options field is optional; its presence is determined by - whether the line starts with a number or not (the options field never - starts with a number). The bits, exponent, modulus, and comment fields - give the RSA key for protocol version 1; the comment field is not used - for anything (but may be convenient for the user to identify the key). - For protocol version 2 the keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], + ignored as comments). Public keys consist of the following space- + separated fields: options, keytype, base64-encoded key, comment. The + options field is optional. The keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or - M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. + M-bM-^@M-^\ssh-rsaM-bM-^@M-^]; the comment field is not used for anything (but may be + convenient for the user to identify the key). - Note that lines in this file are usually several hundred bytes long - (because of the size of the public key encoding) up to a limit of 8 - kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 - kilobits. You don't want to type them in; instead, copy the - identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub - file and edit it. + Note that lines in this file can be several hundred bytes long (because + of the size of the public key encoding) up to a limit of 8 kilobytes, + which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. + You don't want to type them in; instead, copy the id_dsa.pub, + id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub file and edit it. - sshd enforces a minimum RSA key modulus size for protocol 1 and protocol - 2 keys of 768 bits. + sshd enforces a minimum RSA key modulus size of 768 bits. The options (if present) consist of comma-separated option specifications. No spaces are permitted, except within double quotes. @@ -318,16 +274,23 @@ AUTHORIZED_KEYS FILE FORMAT pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it - with a backslash. This option might be useful to restrict - certain public keys to perform just a specific operation. An - example might be a key that permits remote backups but nothing - else. Note that the client may specify TCP and/or X11 forwarding - unless they are explicitly prohibited. The command originally - supplied by the client is available in the SSH_ORIGINAL_COMMAND - environment variable. Note that this option applies to shell, - command or subsystem execution. Also note that this command may - be superseded by either a sshd_config(5) ForceCommand directive - or a command embedded in a certificate. + with a backslash. + + This option might be useful to restrict certain public keys to + perform just a specific operation. An example might be a key + that permits remote backups but nothing else. Note that the + client may specify TCP and/or X11 forwarding unless they are + explicitly prohibited, e.g. using the restrict key option. + + The command originally supplied by the client is available in the + SSH_ORIGINAL_COMMAND environment variable. Note that this option + applies to shell, command or subsystem execution. Also note that + this command may be superseded by a sshd_config(5) ForceCommand + directive. + + If a command is specified and a forced-command is embedded in a + certificate used for authentication, then the certificate will be + accepted only if the two commands are identical. environment="NAME=value" Specifies that the string is to be added to the environment when @@ -335,7 +298,6 @@ AUTHORIZED_KEYS FILE FORMAT override other default environment values. Multiple options of this type are permitted. Environment processing is disabled by default and is controlled via the PermitUserEnvironment option. - This option is automatically disabled if UseLogin is enabled. from="pattern-list" Specifies that in addition to public key authentication, either @@ -440,8 +402,8 @@ SSH_KNOWN_HOSTS FILE FORMAT is added to the per-user file. Each line in these files contains the following fields: markers - (optional), hostnames, bits, exponent, modulus, comment. The fields are - separated by spaces. + (optional), hostnames, keytype, base64-encoded key, comment. The fields + are separated by spaces. The marker is optional, but if it is present then it must be one of M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification @@ -464,9 +426,10 @@ SSH_KNOWN_HOSTS FILE FORMAT appear on a single line and none of the above negation or wildcard operators may be applied. - Bits, exponent, and modulus are taken directly from the RSA host key; - they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The - optional comment field continues to the end of the line, and is not used. + The keytype and base64-encoded key are taken directly from the host key; + they can be obtained, for example, from /etc/ssh/ssh_host_rsa_key.pub. + The optional comment field continues to the end of the line, and is not + used. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments. @@ -493,9 +456,9 @@ SSH_KNOWN_HOSTS FILE FORMAT Note that the lines in these files are typically hundreds of characters long, and you definitely don't want to type in the host keys by hand. - Rather, generate them by a script, ssh-keyscan(1) or by taking - /etc/ssh/ssh_host_key.pub and adding the host names at the front. - ssh-keygen(1) also offers some basic automated editing for + Rather, generate them by a script, ssh-keyscan(1) or by taking, for + example, /etc/ssh/ssh_host_rsa_key.pub and adding the host names at the + front. ssh-keygen(1) also offers some basic automated editing for ~/.ssh/known_hosts including removing hosts matching a host name and converting all host names to their hashed representations. @@ -598,7 +561,6 @@ FILES allows host-based authentication without permitting login with rlogin/rsh. - /etc/ssh/ssh_host_key /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key @@ -608,7 +570,6 @@ FILES not accessible to others. Note that sshd does not start if these files are group/world-accessible. - /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub @@ -662,4 +623,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 6.0 February 17, 2016 OpenBSD 6.0 +OpenBSD 6.0 November 30, 2016 OpenBSD 6.0 |