NAME
sshd2, sshd - Secure Shell daemon

SYNOPSIS
sshd2 [-d debug_level_spec] [-f config_file] [-h host_key_file] [-o options] [-p port] [-v] [-g login_grace_time] [-i] [-q]

OPTIONS
-d debug_level_spec
Sends extensive debug information to stderr. The debug_level_spec argument is a number between 0 and 99, where 99 specifies that all debug information should be displayed, or it can be a comma-separated list of assignments, such as ModulePattern=debug_level. This option is intended only for debugging the server.

-f config_file
Specifies the name of the configuration file. The default is /etc/ssh2/sshd2_config. If this option is specified, the default configuration file is not read.

-h host_key_file
Specifies the file from which the host key is read. The default file is /etc/ssh2/hostkey. If the sshd2 daemon is not run as root, the default host key file is $HOME/.ssh2/hostkey.

-o options
Specifies configuration keywords. This is useful for specifying keywords for which there is no separate command-line flag. The -o option has the same format as a line in the configuration file. Comment lines are not accepted. Where applicable, the egrep regex format is used.

-p port
Specifies the port on which the system listens for connections. The default port is 22.

-v
Enables verbose mode and displays verbose debugging messages. This option can also be specified in the configuration file.

-q
Enables quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection are logged. This option can also be specified in the configuration file.

-g login_grace_time
Gives the grace time for clients to authenticate themselves. The default is 600 seconds. If the client fails to authenticate the user within the specified time, the system disconnects and exits. A value of zero indicates no limit.

-i
Specifies that the sshd2 daemon is being run from the inetd daemon.

DESCRIPTION
The sshd2 Secure Shell daemon runs on the Secure Shell server. It is normally run as root, and is the server counterpart for ssh2. Together, these programs replace and extend the rlogin and rsh services, and provide secure encrypted communication channels between two hosts connected over an insecure network. They are intended to be easy to install and use.

The sshd2 daemon is normally started at boot time from /etc/rc.local or its equivalent. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.

The sshd2 daemon can be configured using command-line options or a configuration file. Command-line options override values specified in the configuration file. The sshd2 daemon reads configuration data from the /etc/ssh2/sshd2_config file (or the file specified with the -f option on the command line). The file contains keyword-value pairs, one per line. Lines starting with the pound sign (#) and empty lines are interpreted as comments.

Subconfiguration files can also be specified in the main configuration file. However, if changes are made in the main configuration file, the sshd2 daemon must be restarted.

When a user successfully logs in, the sshd2 daemon takes the following steps:
1. Changes the process to run with normal user privileges.
2. Sets up a basic environment.
3. Reads the /etc/environment file if it exists.
4. Changes to the user's home directory.
5. Runs the user's shell or command.

SSH WITH TCP WRAPPERS
When the sshd2 daemon is compiled with the TCP wrapper libraries, the hosts.allow and hosts.deny files control who can connect to ports forwarded by the

The names in the hosts.allow and hosts.deny files are sshd2, sshdfwd-<portname>, and sshdfwd-X11 for forwarded ports on which the Secure Shell client or server is listening.

If a port has a defined name, you must use it.
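As an added example that is not part of this manual, the pair of files below applies those daemon names. The network 10.0.20.0/24 and the forwarded port name pop3 are constructed assumptions. Each forwarded port is a separate daemon name, and a connection that matches neither file is allowed by TCP wrappers, so the deny file has to list every name explicitly.

```text
# /etc/hosts.allow (constructed example; the network and the pop3 port
# name are assumptions, not values from the manual)
# interactive logins only from the management network
sshd2        : 10.0.20.0/255.255.255.0
# X11 forwarding only for clients on the same network
sshdfwd-X11  : 10.0.20.0/255.255.255.0
# a forwarded port that has a name in /etc/services must be matched by it
sshdfwd-pop3 : 10.0.20.0/255.255.255.0

# /etc/hosts.deny: everything not matched above, including each forwarded
# port name, because an unmatched connection is otherwise allowed
sshd2 sshdfwd-X11 sshdfwd-pop3 : ALL
```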

FILES
/etc/ssh2/sshd2_config
Contains sshd2 daemon configuration information. This file should be writable by root only and readable by world (though world-readability is not necessary).

/etc/ssh2/hostkey
Contains the private part of the host key. You can create this file automatically by running the make install command or manually by using the ssh-keygen2 command. This file contains vital cryptographic information, and should only be read or modified by root.

[public host key file]
Contains the public part of the host key. You can create this file automatically by running the make install command or manually by using the ssh-keygen2 command. This file should be writable by root only and readable by world.

[random seed file]
Contains a seed for the random number generator. This file should be accessible only by root.

[user authorization file]
Contains information on how the server verifies the identity of a user. See ssh2(1) for more information.

$HOME/.hushlogin
If this file exists, the sshd2 daemon does not print information during login. (This information is normally the user's last login time, message of the day, and mail check.)

/etc/nologin
If this file exists, the sshd2 daemon refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in. The file should be readable by world.

$HOME/.rhosts
Contains a list of remote users who are not required to supply a password when they use the ssh2 command to log in. Before the user can log in, the sshd2 daemon requires public host key authentication in addition to validating the host name retrieved from domain name servers. The file must be writable only by the user; it should not be accessible by others. You can use +@group to specify a netgroup. This file is also used by the rlogind and rshd daemons. See .rhosts(4) for more information about the .rhosts file.

$HOME/.shosts
This file is the same as the .rhosts file, except it allows access only through ssh2.

/etc/hosts.equiv
Contains the names of remote hosts and users that are equivalent to the local host or user. An equivalent host or user is allowed to use the ssh2 command to log in to such an account without supplying a password, provided they have the same user name on both machines. Additionally, successful host-based authentication is normally required. This file must be writable only by root and should be readable by world. You can use +@group to specify a netgroup. Negated entries start with a minus sign (-). The only valid use for user names is in negated entries: a user name listed in the hosts.equiv file can log in as anybody, including bin, daemon, adm, and other accounts that own critical binaries and directories. See hosts.equiv(4) for more information about the hosts.equiv file.

/etc/shosts.equiv
This file is the same as the hosts.equiv file, except it allows access only through ssh2.
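The ownership and mode requirements above are easy to break with a manual edit, so the following POSIX shell script, an added example that is not part of the sshd2 distribution, checks them. It assumes the locations given in this section (/etc/ssh2/sshd2_config, /etc/ssh2/hostkey, /etc/hosts.equiv, /etc/shosts.equiv, and .rhosts/.shosts in the user's home); the random-seed and public host key files are not checked because their names are not given here.

```shell
#!/bin/sh
# Added example, not part of sshd2: audit owner and mode of the files this
# manual describes. Paths are parameters, so a test tree works as well as /etc.

# check_file PATH OWNER MAX_MODE: returns 0 when PATH exists, is owned by
# OWNER and has no permission bit outside the octal mask MAX_MODE; otherwise
# prints a finding and returns 1.
check_file() {
  path=$1 want_owner=$2 max_mode=$3
  if [ ! -e "$path" ]; then
    echo "MISSING  $path"; return 1
  fi
  # GNU stat first, BSD stat as the fallback; the result is "mode owner"
  set -- $(stat -c '%a %U' "$path" 2>/dev/null || stat -f '%Lp %Su' "$path")
  mode=$1 owner=$2
  if [ "$owner" != "$want_owner" ]; then
    echo "OWNER    $path is owned by $owner, expected $want_owner"; return 1
  fi
  # any bit set in mode but cleared in max_mode is a finding (0$x is octal)
  if [ $(( 0$mode & ~0$max_mode )) -ne 0 ]; then
    echo "MODE     $path is $mode, at most $max_mode is allowed"; return 1
  fi
}

# audit_sshd2 ETC ROOTUSER: the config and the private host key must exist;
# hosts.equiv and shosts.equiv are checked only when present, and must be
# writable by root only because every entry in them grants password-less login.
audit_sshd2() {
  rc=0
  check_file "$1/ssh2/sshd2_config" "$2" 644 || rc=1
  check_file "$1/ssh2/hostkey"      "$2" 600 || rc=1
  for f in hosts.equiv shosts.equiv; do
    [ -e "$1/$f" ] && { check_file "$1/$f" "$2" 644 || rc=1; }
  done
  return $rc
}

# audit_user_home HOME USER: .rhosts and .shosts must be writable only by the
# user and not accessible by others, so 0600 is the most permissive mode.
audit_user_home() {
  rc=0
  for f in .rhosts .shosts; do
    [ -e "$1/$f" ] && { check_file "$1/$f" "$2" 600 || rc=1; }
  done
  return $rc
}

case "${1:-}" in
  --audit) audit_sshd2 /etc root; audit_user_home "$HOME" "$(id -un)" ;;
esac
```

Run it as `sh audit.sh --audit` on a live host; a non-zero exit from either audit function means at least one finding was printed.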

$HOME/.ssh2/knownhosts/xxxx.yyyy.pub
Contains the public host keys of hosts that users need to log in to when using host-based authentication. The xxxx is the fully qualified domain name (FQDN) and yyyy is the public key algorithm. Public key algorithms are ssh-dss and ssh-rsa. For example, if the FQDN for a host is server1.foo.fi and it has a key algorithm of ssh-dss, the host key would be server1.foo.fi.ssh-dss.pub in the knownhosts directory.

A user must add the host name to a $HOME/.shosts file or a $HOME/.rhosts file. If the user name is the same on both hosts, it is adequate to put the public host key in /etc/ssh2/knownhosts and add the host's name to /etc/shosts.equiv (or /etc/hosts.equiv).

/etc/ssh2/knownhosts/xxxx.yyyy.pub
Same as the $HOME/.ssh2/knownhosts/xxxx.yyyy.pub file, but system-wide. This file is overridden if the user puts a file with the same name in the $HOME/.ssh2/knownhosts directory.

SSH is a registered trademark of SSH Communication Security Ltd.

SEE ALSO
Commands: rcp(1), rlogin(1), rsh(1), scp2(1), sftp(1), ssh2(1), ssh-agent2(1), ssh-add2(1), ssh-keygen2(1), telnet(1), sshd2(8), sshd2-check-