Manual: (OSF1-V5.1-alpha)

sshd2(8)                                                             sshd2(8)



NAME

  sshd2, sshd - Secure shell daemon

SYNOPSIS

  sshd2 [-d debug_level_spec] [-f config_file] [-h host_key_file] [-o
  options] [-p port] [-v] [-g login_grace_time] [-i] [-q]

OPTIONS

  -d debug_level_spec
      Sends extensive debug information to stderr.  The debug_level_spec
      argument is a number between 0 and 99, where 99 specifies that all
      debug information should be displayed, or it can be a comma-separated
      list of assignments, such as ModulePattern=debug_level.  This option is
      intended only for debugging the server.

  -f config_file
      Specifies the name of the configuration file.  The default is
      /etc/ssh2/sshd2_config.  If this is specified, the default configuration
      file is not read.

  -h host_key_file
      Specifies the file from which the host key is read.  The default file is
      /etc/ssh2/hostkey.  If the sshd2 daemon is not run as root, the default
      host key file will be $HOME/.ssh2/hostkey.

  -o keyword
      Specifies configuration keywords.  This is useful for specifying
      keywords for which there is no separate command-line flag.  The -o
      option has the same format as a line in the configuration file.  Comment
      lines are not accepted.  Where applicable, the egrep regex format is
      used.

  -p port
      Specifies the port on which the system listens for connections.  The
      default port is 22.

  -v  Enables the verbose mode, and displays verbose debugging messages.  This
      option can also be specified in the configuration file.

  -q  Enables quiet mode.  Nothing is sent to the system log.  Normally the
      beginning, authentication, and termination of each connection is
      logged.  This option can also be specified in the configuration file.

  -g login_grace_time
      Gives the grace time for clients to authenticate themselves.  The
      default is 600 seconds.  If the client fails to authenticate the user
      within the specified time, the system disconnects and exits.  A value
      of zero indicates no limit.

  -i  Specifies that the sshd2 daemon is being run from the inetd daemon.


DESCRIPTION

  The sshd2 Secure Shell daemon runs on the Secure Shell server.  It is
  normally run as root, and is the server counterpart for ssh2.  Together,
  these programs replace and extend the rlogin and rsh services, and provide
  secure encrypted communication channels between two hosts connected over
  an insecure network.  They are intended to be easy to install and use.

  The sshd2 daemon is normally started at boot time from /etc/rc.local or
  its equivalent.  It forks a new daemon for each incoming connection.  The
  forked daemons handle key exchange, encryption, authentication, command
  execution, and data exchange.

  The sshd2 daemon can be configured using command-line options or a
  configuration file.  Command-line options override values specified in the
  configuration file.  The sshd2 daemon reads configuration data from the
  /etc/ssh2/sshd2_config file (or the file specified with the -f option on
  the command line).  The file contains keyword-value pairs, one per line.
  Lines starting with the pound (#) sign and empty lines are interpreted
  as comments.

  Subconfiguration files can also be specified in the main configuration
  file.  However, if changes are made in the main configuration file, the
  sshd2 daemon must be restarted.
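
  As an added example (not part of this manual page or of the sshd2 code
  base), the following Python parses text in the keyword-value format
  described above and layers -o arguments on top of it, mirroring the stated
  precedence of command-line options over the file and the rule that -o does
  not accept comment lines.  The keyword names in the constructed sample
  (Port, PermitRootLogin, HostKeyFile) are assumed for illustration.

```python
# Added example: parse sshd2_config-style keyword-value text and apply -o
# overrides.  The keyword names in the sample are assumed for illustration.
from typing import Dict, Iterable

SAMPLE_CONFIG = """\
# constructed sample of /etc/ssh2/sshd2_config (not a real file)
Port            22

PermitRootLogin yes
HostKeyFile     /etc/ssh2/hostkey
"""

def parse_sshd2_config(text: str) -> Dict[str, str]:
    """One 'Keyword value' pair per line; lines starting with '#' and empty
    lines are comments.  Keywords are compared case-insensitively, which is
    an assumption of this example, not something the man page states."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'Keyword value', got {raw!r}")
        keyword, value = parts
        settings[keyword.lower()] = value.strip()
    return settings

def apply_o_options(settings: Dict[str, str], o_options: Iterable[str]) -> Dict[str, str]:
    """Each -o argument has the format of one configuration-file line and
    overrides the file, as the man page states; comment lines are rejected."""
    merged = dict(settings)
    for opt in o_options:
        if not opt.strip() or opt.strip().startswith("#"):
            raise ValueError(f"-o does not accept comment or empty lines: {opt!r}")
        merged.update(parse_sshd2_config(opt))
    return merged

def effective_settings() -> Dict[str, str]:
    """Settings for: sshd2 -o "PermitRootLogin no" -o "Port 2222" (sample)."""
    return apply_o_options(parse_sshd2_config(SAMPLE_CONFIG),
                           ["PermitRootLogin no", "Port 2222"])

if __name__ == "__main__":
    for keyword, value in sorted(effective_settings().items()):
        print(f"{keyword} = {value}")
```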

  LOGIN PROCESS


  When a user successfully logs in, the sshd2 daemon takes the following
  steps:

   1.  Changes the process to run with normal user privileges.

   2.  Sets up basic environment.

   3.  Reads the /etc/environment file if it exists.

   4.  Changes to the user's home directory.

   5.  Runs the user's shell or command.

  SSH WITH TCP WRAPPERS


  When the sshd2 daemon is compiled with TCP wrapper libraries, the
  hosts.allow and hosts.deny files control who can connect to ports forwarded
  by the sshd2 daemon.

  The names in the hosts.allow and hosts.deny files are sshd2,
  sshdfwd-<portname>, and sshdfwd-X11 for forwarded ports on which the Secure
  Shell client or server is listening.

  If a port has a defined name, you must use it.
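
  As an added example (not sshd2 code and not from this manual page), the
  following Python evaluates constructed hosts.allow and hosts.deny tables
  for the service names listed above, using the standard tcp_wrappers
  decision order; only a subset of hosts_access(5) client patterns is
  implemented.  It also shows the practical caveat that a forwarded-port
  name absent from hosts.deny is not restricted at all.

```python
# Added example (not sshd2 code): hosts.allow/hosts.deny decision for the
# sshd2 service names, following the tcp_wrappers order of evaluation.
import ipaddress

HOSTS_ALLOW = """\
# constructed /etc/hosts.allow (sample, not a real file)
sshd2: 10.0.0.0/255.0.0.0 .foo.fi
sshdfwd-X11: LOCAL
"""
HOSTS_DENY = """\
# constructed /etc/hosts.deny: default-deny for the daemon and X11 forwards
sshd2 sshdfwd-X11: ALL
"""

def _client_matches(pattern: str, host: str, ip: str) -> bool:
    """Subset of hosts_access(5) client patterns: ALL, LOCAL (host name
    without a dot), a leading-dot domain suffix, net/mask, or exact match."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host
    if pattern.startswith("."):
        return host.endswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, ip)

def _matches_table(rules: str, daemon: str, host: str, ip: str) -> bool:
    """True if any 'daemon_list : client_list' line matches the pair."""
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        daemon_hit = any(d in ("ALL", daemon) for d in daemons.replace(",", " ").split())
        client_hit = any(_client_matches(c, host, ip) for c in clients.replace(",", " ").split())
        if daemon_hit and client_hit:
            return True
    return False

def wrapper_allows(daemon: str, host: str, ip: str,
                   allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """A hosts.allow match grants; otherwise a hosts.deny match denies;
    otherwise access is granted, so an sshdfwd-<portname> service that is
    not listed in hosts.deny is left open."""
    if _matches_table(allow, daemon, host, ip):
        return True
    if _matches_table(deny, daemon, host, ip):
        return False
    return True
```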

FILES

  /etc/ssh2/sshd2_config
      Contains sshd2 daemon configuration information.  This file should be
      writable by root only; it may be readable by world, though this is not
      necessary.

  /etc/ssh2/hostkey
      Contains the private part of the host key.  You can create this file
      automatically by running the make install command or manually by using
      the ssh-keygen2 command.  This file contains vital cryptographic
      information, and should only be read or modified by root.

  /etc/ssh2/hostkey.pub
      Contains the public part of the host key.  You can create this file
      automatically by running the make install command or manually by using
      the ssh-keygen2 command.  This file should be writable by root only and
      readable by world.

  /etc/ssh2/random_seed
      Contains a seed for the random number generator.  This file should be
      accessible only by root.

  $HOME/.ssh2/authorization
      Contains information on how the server will verify the identity of a
      user.  See ssh2(1) for more information.

  $HOME/.hushlogin
      If this file exists, the sshd2 daemon will not print information during
      login.  (This information is normally the user's last login time,
      message of the day, and mail check.)

  /etc/nologin
      If this file exists, the sshd2 daemon refuses to let anyone except root
      log in.  The contents of the file are displayed to anyone trying to log
      in.  The file should be readable by world.

  $HOME/.rhosts
      Contains a list of remote users who are not required to supply a
      password when they use the ssh2 command to log in.  Before the user can
      log in, the sshd2 daemon requires public host key authentication in
      addition to validating the host name retrieved from domain name servers.

      The file must be writable only by the user; it should not be accessible
      by others.  You can use +@group to specify a netgroup.

      This file is also used by the rlogind and rshd daemons.

      See .rhosts(4) for more information about the .rhosts file.

  $HOME/.shosts
      This file is the same as the .rhosts file, except it allows access only
      through ssh2.

  /etc/hosts.equiv
      Contains the names of remote hosts and users that are equivalent to the
      local host or user.  An equivalent host or user is allowed to use the
      ssh2 command to log in to such an account without supplying a password,
      provided they have the same user name on both machines.  Additionally,
      successful host-based authentication is normally required.  This file
      must be writable only by root and should be readable by world.

      You can use +@group to specify a netgroup.  Negated entries start with
      a minus sign (-).


                                       Note

         The only valid use for user names should be in negated entries.
         Specified user names in the hosts.equiv file can log in as anybody
         including bin, daemon, adm, and other accounts that own critical
         binaries and directories.

      See hosts.equiv(4) for more information about the hosts.equiv file.
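
      As an added example (not part of this manual page), the following
      Python audits a constructed hosts.equiv file for the risk the Note
      describes: a non-negated entry that carries a user name.  It assumes
      the entry format '[-]host_or_+@netgroup [[-]user_or_+@netgroup]' and
      treats '#' lines as comments (both assumptions); it also flags a lone
      '+', the standard hosts.equiv wildcard for every host, which this page
      does not discuss.

```python
# Added example: audit hosts.equiv entries for positive user-name entries,
# which let the named user log in as any local account (see the Note).
from dataclasses import dataclass
from typing import List

SAMPLE_HOSTS_EQUIV = """\
# constructed /etc/hosts.equiv (sample, not a real file)
server1.foo.fi
+@trusted-hosts
-badhost.foo.fi
server2.foo.fi  -mallory
server3.foo.fi  alice
+
"""

@dataclass
class Finding:
    lineno: int
    entry: str
    reason: str

def audit_hosts_equiv(text: str) -> List[Finding]:
    """Flag entries that grant more than 'same user name on both hosts'
    trust: a positive (non-negated) user field, and a lone '+' (standard
    hosts.equiv wildcard, not covered by the man page) that trusts every
    host.  Negated host entries only deny and are never flagged."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' comments: an assumption
        if not line:
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host == "+":
            findings.append(Finding(lineno, line, "lone '+' trusts every host"))
        elif host.startswith("-"):
            continue                          # negated host entry only denies
        elif user is not None and not user.startswith("-"):
            findings.append(Finding(lineno, line,
                "positive user entry: this user may log in as any local "
                "account, including bin, daemon and adm"))
    return findings

if __name__ == "__main__":
    for f in audit_hosts_equiv(SAMPLE_HOSTS_EQUIV):
        print(f"line {f.lineno}: {f.entry!r}: {f.reason}")
```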

  /etc/shosts.equiv
      This file is the same as the hosts.equiv file except it allows access
      only through ssh2.

  $HOME/.ssh2/knownhosts/xxxxyyyy.pub
      Contains the public host keys of hosts that users need to log in to
      when using host-based authentication.

      The xxxx is the fully qualified domain name (FQDN) and yyyy is the
      public key algorithm.  Public key algorithms are ssh-dss and ssh-rsa.
      For example, if the FQDN for a host is server1.foo.fi and it has a key
      algorithm of ssh-dss, the host key would be server1.foo.fi.ssh-dss.pub
      in the knownhosts directory.

      A user must add the host name to a $HOME/.shosts file or a
      $HOME/.rhosts file.  If the user name is the same in both hosts, it is
      adequate to put the public host key in /etc/ssh2/knownhosts and add the
      host's name to /etc/shosts.equiv (or /etc/hosts.equiv).

  /etc/ssh2/knownhosts/xxxxyyyy.pub
      Same as the $HOME/.ssh2/knownhosts/xxxxyyyy.pub file, but system-wide.
      This file is overridden if the user puts a file with the same name in
      the $HOME/.ssh2/knownhosts directory.

LEGAL NOTICES

  SSH is a registered trademark of SSH Communication Security Ltd.

SEE ALSO

  Commands: rcp(1), rlogin(1), rsh(1), scp2(1), sftp(1), ssh2(1),
  ssh-agent2(1), ssh-add2(1), ssh-keygen2(1), telnet(1), sshd2(8),
  sshd2-check-conf(8)

  Files: sshd2_config(4)