1 '\" te
   2 .\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the
   3 .\" installed location.
   4 .\" Portions Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
   5 .TH SSHD 1M "Oct 29, 2015"
   6 .SH NAME
   7 sshd \- secure shell daemon
   8 .SH SYNOPSIS
   9 .LP
  10 .nf
   11 \fBsshd\fR [\fB-deiqtD46\fR] [\fB-b\fR \fIbits\fR] [\fB-f\fR \fIconfig_file\fR]
   12      [\fB-g\fR \fIlogin_grace_time\fR] [\fB-h\fR \fIhost_key_file\fR]
   13      [\fB-k\fR \fIkey_gen_time\fR] [\fB-o\fR \fIoption\fR] [\fB-p\fR \fIport\fR] [\fB-V\fR \fIclient_protocol_id\fR]
  14 .fi
  15 
  16 .SH DESCRIPTION
  17 .LP
  18 The \fBsshd\fR (Secure Shell daemon) is the daemon program for \fBssh\fR(1).
  19 Together these programs replace \fBrlogin\fR and \fBrsh\fR, and provide secure
  20 encrypted communications between two untrusted hosts over an insecure network.
  21 The programs are intended to be as easy to install and use as possible.
  22 .sp
  23 .LP
  24 \fBsshd\fR is the daemon that listens for connections from clients. It forks a
  25 new daemon for each incoming connection. The forked daemons handle key
  26 exchange, encryption, authentication, command execution, and data exchange.
  27 .sp
  28 .LP
  29 This implementation of \fBsshd\fR supports both SSH protocol versions 1 and 2
  30 simultaneously. Because of security weaknesses in the v1 protocol, sites should
  31 run only v2, if possible. In the default configuration, only protocol v2 is
  32 enabled for the server. To enable v1 and v2 simultaneously, see the
  33 instructions in \fBsshd_config\fR(4).
  34 .sp
  35 .LP
  36 Support for v1 is provided to help sites with existing \fBssh\fR v1 clients and
  37 servers to transition to v2. v1 might not be supported in a future release.
  38 .SS "SSH Protocol Version 1"
  39 .LP
  40 Each host has a host-specific RSA key (normally 1024 bits) used to identify the
  41 host. Additionally, when the daemon starts, it generates a server RSA key
  42 (normally 768 bits). This key is normally regenerated every hour if it has been
  43 used, and is never stored on disk.
  44 .sp
  45 .LP
  46 Whenever a client connects the daemon responds with its public host and server
  47 keys. The client compares the RSA host key against its own database to verify
  48 that it has not changed. The client then generates a 256-bit random number. It
  49 encrypts this random number using both the host key and the server key, and
  50 sends the encrypted number to the server. Both sides then use this random
  51 number as a session key which is used to encrypt all further communications in
  52 the session. The rest of the session is encrypted using a conventional cipher,
  53 currently Blowfish or 3DES, with 3DES being used by default. The client selects
  54 the encryption algorithm to use from those offered by the server.
  55 .sp
  56 .LP
  57 Next, the server and the client enter an authentication dialog. The client
  58 tries to authenticate itself using \fB\&.rhosts\fR authentication,
  59 \fB\&.rhosts\fR authentication combined with RSA host authentication, RSA
  60 challenge-response authentication, or password-based authentication.
  61 .sp
  62 .LP
  63 Rhosts authentication is normally disabled because it is fundamentally
  64 insecure, but can be enabled in the server configuration file if desired.
  65 System security is not improved unless \fBrshd\fR(1M), \fBrlogind\fR(1M),
  66 \fBrexecd\fR(1M), and \fBrexd\fR(1M) are disabled (thus completely disabling
  67 \fBrlogin\fR(1) and \fBrsh\fR(1) into the machine).
  68 .SS "SSH Protocol Version 2"
  69 .LP
  70 Version 2 works similarly to version 1: Each host has a host-specific DSA/RSA
  71 key. However, when the daemon starts, it does not generate a server key.
  72 Forward security is provided through a Diffie-Hellman key agreement. This key
  73 agreement results in a shared session key. The rest of the session is encrypted
  74 using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, or AES. The
  75 client selects the encryption algorithm to use from those offered by the
  76 server. Additionally, session integrity is provided through a cryptographic
  77 message authentication code (\fBhmac-sha1\fR or \fBhmac-md5\fR).
  78 .sp
  79 .LP
   80 Protocol version 2 provides a public key based user authentication method
   81 (\fBPubkeyAuthentication\fR), GSS-API based user authentication, conventional
   82 password authentication, and a generic prompt/reply protocol for
   83 password-based authentication.
  84 .SS "Command Execution and Data Forwarding"
  85 .LP
  86 If the client successfully authenticates itself, a dialog for preparing the
  87 session is entered. At this time the client can request things like allocating
  88 a pseudo-tty, forwarding X11 connections, forwarding TCP/IP connections, or
  89 forwarding the authentication agent connection over the secure channel.
  90 .sp
  91 .LP
  92 Finally, the client either requests a shell or execution of a command. The
  93 sides then enter session mode. In this mode, either side may send data at any
  94 time, and such data is forwarded to/from the shell or command on the server
  95 side, and the user terminal on the client side.
  96 .sp
  97 .LP
  98 When the user program terminates and all forwarded X11 and other connections
  99 have been closed, the server sends command exit status to the client, and both
 100 sides exit.
 101 .sp
 102 .LP
 103 \fBsshd\fR can be configured using command-line options or the configuration
  104 file \fB/etc/ssh/sshd_config\fR, described in \fBsshd_config\fR(4). Command-line
 105 options override values specified in the configuration file.
 106 .sp
 107 .LP
 108 \fBsshd\fR rereads its configuration file when it receives a hangup signal,
 109 \fBSIGHUP\fR, by executing itself with the name it was started as, that is,
 110 \fB/usr/lib/ssh/sshd\fR.
 111 .SS "Host Access Control"
 112 .LP
 113 The \fBsshd\fR daemon uses TCP Wrappers to restrict access to hosts. It uses
 114 the service name of \fBsshd\fR for \fBhosts_access()\fR. For more information
 115 on TCP Wrappers see \fBtcpd(1M)\fR and \fBhosts_access(3)\fR man pages, which
 116 are part of the \fBSUNWsfman\fR package (they are not SunOS man pages). TCP
 117 wrappers binaries, including \fBlibwrap\fR, are in \fBSUNWtcpd\fR, a required
 118 package for \fBSUNWsshdu\fR, the package containing \fBsshd\fR.
 119 .SH OPTIONS
 120 .LP
 121 The options for \fBsshd\fR are as follows:
 122 .sp
 123 .ne 2
 124 .na
 125 \fB\fB-b\fR \fIbits\fR\fR
 126 .ad
 127 .sp .6
 128 .RS 4n
 129 Specifies the number of bits in the server key (the default is 768).
 130 .RE
 131 
 132 .sp
 133 .ne 2
 134 .na
 135 \fB\fB-d\fR\fR
 136 .ad
 137 .sp .6
 138 .RS 4n
 139 Debug mode. The server sends verbose debug output to the system log, and does
 140 not put itself in the background. The server also will not fork and will only
  141 process one connection. This option is intended only for debugging the
  142 server. Multiple \fB-d\fR options increase the debugging level. Maximum is 3.
 143 .RE
 144 
 145 .sp
 146 .ne 2
 147 .na
 148 \fB\fB-e\fR\fR
 149 .ad
 150 .sp .6
 151 .RS 4n
 152 When this option is specified, \fBsshd\fR will send the output to standard
 153 error instead of to the system log.
 154 .RE
 155 
 156 .sp
 157 .ne 2
 158 .na
 159 \fB\fB-f\fR \fIconfiguration_file\fR\fR
 160 .ad
 161 .sp .6
 162 .RS 4n
 163 Specifies the name of the configuration file. The default is
 164 \fB/etc/ssh/sshd_config\fR. \fBsshd\fR refuses to start if there is no
 165 configuration file.
 166 .RE
 167 
 168 .sp
 169 .ne 2
 170 .na
 171 \fB\fB-g\fR \fIlogin_grace_time\fR\fR
 172 .ad
 173 .sp .6
 174 .RS 4n
 175 Gives the grace time for clients to authenticate themselves (the default is 300
 176 seconds). If the client fails to authenticate the user within this number of
 177 seconds, the server disconnects and exits. A value of zero indicates no limit.
 178 .RE
 179 
 180 .sp
 181 .ne 2
 182 .na
 183 \fB\fB-h\fR \fIhost_key_file\fR\fR
 184 .ad
 185 .sp .6
 186 .RS 4n
 187 Specifies a file from which a host key is read. This option must be given if
 188 \fBsshd\fR is not run as root (as the normal host key files are normally not
 189 readable by anyone but root). The default is \fB/etc/ssh/ssh_host_key\fR for
 190 protocol version 1, and \fB/etc/ssh/ssh_host_rsa_key\fR and
 191 \fB/etc/ssh/ssh_host_dsa_key\fR for protocol version 2. It is possible to have
 192 multiple host key files for the different protocol versions and host key
 193 algorithms.
 194 .RE
 195 
 196 .sp
 197 .ne 2
 198 .na
 199 \fB\fB-i\fR\fR
 200 .ad
 201 .sp .6
 202 .RS 4n
 203 Specifies that \fBsshd\fR is being run from \fBinetd\fR. \fBsshd\fR is normally
 204 not run from \fBinetd\fR because it needs to generate the server key before it
 205 can respond to the client, and this may take tens of seconds. Clients would
 206 have to wait too long if the key was regenerated every time. However, with
 207 small key sizes (for example, 512) using \fBsshd\fR from \fBinetd\fR may be
 208 reasonable.
 209 .RE
 210 
 211 .sp
 212 .ne 2
 213 .na
 214 \fB\fB-k\fR \fIkey_gen_time\fR\fR
 215 .ad
 216 .sp .6
 217 .RS 4n
 218 (SSHv1-specific) Specifies how often the server key is regenerated (the default
 219 is 3600 seconds, or one hour). The motivation for regenerating the key fairly
 220 often is that the key is not stored anywhere, and after about an hour, it
 221 becomes impossible to recover the key for decrypting intercepted communications
 222 even if the machine is cracked into or physically seized. A value of zero
 223 indicates that the key will never be regenerated.
 224 .RE
 225 
 226 .sp
 227 .ne 2
 228 .na
 229 \fB\fB-o\fR \fIoption\fR\fR
 230 .ad
 231 .sp .6
 232 .RS 4n
 233 Can be used to specify options in the format used in the configuration file.
 234 This is useful for specifying options for which there are no separate
 235 command-line flags.
 236 .RE
 237 
 238 .sp
 239 .ne 2
 240 .na
 241 \fB\fB-p\fR \fIport\fR\fR
 242 .ad
 243 .sp .6
 244 .RS 4n
 245 Specifies the port on which the server listens for connections (the default is
 246 22).
 247 .RE
 248 
 249 .sp
 250 .ne 2
 251 .na
 252 \fB\fB-q\fR\fR
 253 .ad
 254 .sp .6
 255 .RS 4n
  256 Quiet mode. Nothing is sent to the system log. Normally the beginning,
  257 authentication, and termination of each connection are logged.
 258 .RE
 259 
 260 .sp
 261 .ne 2
 262 .na
 263 \fB\fB-t\fR\fR
 264 .ad
 265 .sp .6
 266 .RS 4n
  267 Test mode. Check only the validity of the configuration file and the sanity of
  268 the keys. This is useful for updating \fBsshd\fR reliably as configuration
  269 options might change.
 270 .RE
 271 
 272 .sp
 273 .ne 2
 274 .na
 275 \fB\fB-D\fR\fR
 276 .ad
 277 .sp .6
 278 .RS 4n
 279 When this option is specified \fBsshd\fR does not detach and does not become a
 280 daemon. This allows easy monitoring of \fBsshd\fR.
 281 .RE
 282 
 283 .sp
 284 .ne 2
 285 .na
 286 \fB\fB-4\fR\fR
 287 .ad
 288 .sp .6
 289 .RS 4n
 290 Forces \fBsshd\fR to use IPv4 addresses only.
 291 .RE
 292 
 293 .sp
 294 .ne 2
 295 .na
 296 \fB\fB-6\fR\fR
 297 .ad
 298 .sp .6
 299 .RS 4n
 300 Forces \fBsshd\fR to use IPv6 addresses only.
 301 .RE
 302 
 303 .SH EXTENDED DESCRIPTION
 304 .SS "\fBauthorized_keys\fR File Format"
 305 .LP
 306 The \fB$HOME/.ssh/authorized_keys\fR file lists the public keys that are
 307 permitted for RSA authentication in protocol version 1 and for public key
 308 authentication (\fBPubkeyAuthentication\fR) in protocol version 2. The
 309 \fBAuthorizedKeysFile\fR configuration option can be used to specify an
 310 alternative file.
 311 .sp
 312 .LP
 313 Each line of the file contains one key (empty lines and lines starting with a
 314 hash mark [\fB#\fR] are ignored as comments).
 315 .sp
 316 .LP
 317 For each RSA key for protocol version 1, the file consists of the following
 318 space-separated fields:
 319 .sp
 320 .in +2
 321 .nf
 322 \fIoptions\fR  \fIbits\fR  \fIexponent\fR  \fImodulus\fR  \fIcomment\fR
 323 .fi
 324 .in -2
 325 .sp
 326 
 327 .sp
 328 .LP
 329 For the public key for protocol version 2, the file consists of the following
 330 space-separated fields:
 331 .sp
 332 .in +2
 333 .nf
 334 \fIoptions\fR \fIkey-type\fR \fIbase64-encoding-key\fR \fIcomment\fR
 335 .fi
 336 .in -2
 337 .sp
 338 
 339 .sp
 340 .LP
 341 For protocol version 2, \fIkey-type\fR is one of \fBssh-rsa\fR or
 342 \fBssh-dsa\fR.
 343 .sp
 344 .LP
 345 The options field is optional; its presence is determined by whether the line
 346 starts with a number. (The option field never starts with a number.) The bits,
 347 exponent, and modulus fields give the RSA key; the comment field is a
 348 convenient place for you to identify the key.
 349 .sp
 350 .LP
 351 Lines in this file are usually several hundred bytes long (because of the size
 352 of the key modulus). You will find it very inconvenient to type them in;
 353 instead, copy the public key file and edit it.
 354 .sp
 355 .LP
 356 Permissions of this file must be set so that it is not world or group writable.
 357 See the \fBStrictModes\fR option of \fBsshd_config\fR(4).
 358 .sp
 359 .LP
 360 The options (if present) consist of comma-separated option specifications. No
 361 spaces are permitted, except within double quotes. The following option
 362 specifications are supported:
 363 .sp
 364 .ne 2
 365 .na
 366 \fB\fBfrom="\fIpattern-list\fR"\fR\fR
 367 .ad
 368 .sp .6
 369 .RS 4n
 370 Specifies that, in addition to public key authentication, the canonical name of
 371 the remote host must be present in the comma-separated list of patterns
 372 (`\fB*\fR' and `\fB?\fR' serve as wildcards). The list can also contain negated
 373 patterns by prefixing the patterns with `\fB!\fR'. If the canonical host name
 374 matches a negated pattern, the key is not accepted.
 375 .sp
  376 The purpose of this option is to give you a way to increase security:
 377 public key authentication by itself does not trust the network or name servers
 378 or anything but the key. However, if someone manages to steal the key,
 379 possession of the key would permit the intruder to log in from anywhere in the
 380 world. This option makes using a stolen key more difficult, because name
 381 servers and routers would have to be compromised, in addition to just the key.
 382 .RE
 383 
 384 .sp
 385 .ne 2
 386 .na
 387 \fB\fBcommand="\fIcommand\fR"\fR\fR
 388 .ad
 389 .sp .6
 390 .RS 4n
 391 Specifies that the \fIcommand\fR is executed whenever this key is used for
 392 authentication. The command supplied by the user (if any) is ignored. The
 393 command is run on a \fBpty\fR if the client requests a \fBpty\fR; otherwise it
 394 is run without a \fBtty\fR. If an 8-bit clean channel is required, one must not
 395 request a \fBpty\fR or should specify \fBno-pty\fR. You can include a quote in
 396 the command by escaping it with a backslash. This option might be useful to
 397 restrict certain public keys from performing a specific operation. An example
 398 is a key that permits remote backups but nothing else. Note that the client can
 399 specify TCP/IP and/or X11 forwarding unless they are explicitly prohibited from
 400 doing so. Also note that this option applies to shell, command, or subsystem
 401 execution.
 402 .RE
 403 
 404 .sp
 405 .ne 2
 406 .na
 407 \fB\fBenvironment="\fINAME\fR=\fIvalue\fR"\fR\fR
 408 .ad
 409 .sp .6
 410 .RS 4n
 411 Specifies that the string \fINAME\fR=\fIvalue\fR is to be added to the
 412 environment when logging in using this key. Environment variables set this way
 413 override other default environment values. Multiple options of this type are
 414 permitted. Environment processing is disabled by default and is controlled via
 415 the \fBPermitUserEnvironment\fR option.
 416 .RE
 417 
 418 .sp
 419 .ne 2
 420 .na
 421 \fB\fBno-port-forwarding\fR\fR
 422 .ad
 423 .sp .6
 424 .RS 4n
 425 Forbids TCP/IP forwarding when this key is used for authentication. Any port
 426 forward requests by the client will return an error. This might be used, for
 427 example, in connection with the \fBcommand\fR option.
 428 .RE
 429 
 430 .sp
 431 .ne 2
 432 .na
 433 \fB\fBno-X11-forwarding\fR\fR
 434 .ad
 435 .sp .6
 436 .RS 4n
 437 Forbids X11 forwarding when this key is used for authentication. Any X11
 438 forward requests by the client will return an error.
 439 .RE
 440 
 441 .sp
 442 .ne 2
 443 .na
 444 \fB\fBno-agent-forwarding\fR\fR
 445 .ad
 446 .sp .6
 447 .RS 4n
 448 Forbids authentication agent forwarding when this key is used for
 449 authentication.
 450 .RE
 451 
 452 .sp
 453 .ne 2
 454 .na
 455 \fB\fBno-pty\fR\fR
 456 .ad
 457 .sp .6
 458 .RS 4n
 459 Prevents \fBtty\fR allocation (a request to allocate a \fBpty\fR will fail).
 460 .RE
 461 
 462 .sp
 463 .ne 2
 464 .na
 465 \fB\fBpermitopen="\fIhost\fR:\fIport\fR"\fR\fR
 466 .ad
 467 .sp .6
 468 .RS 4n
 469 Limit local \fBssh\fR \fB-L\fR port forwarding such that it can connect only to
 470 the specified host and port. IPv6 addresses can be specified with an
 471 alternative syntax: \fIhost\fR/\fIport\fR. You can invoke multiple
 472 \fBpermitopen\fR options, with each instance separated by a comma. No pattern
 473 matching is performed on the specified hostnames. They must be literal domains
 474 or addresses.
 475 .RE
 476 
 477 .SS "\fBssh_known_hosts\fR File Format"
 478 .LP
 479 The \fB/etc/ssh/ssh_known_hosts\fR and \fB$HOME/.ssh/known_hosts\fR files
 480 contain host public keys for all known hosts. The global file should be
 481 prepared by the administrator (optional), and the per-user file is maintained
 482 automatically: whenever the user connects from an unknown host its key is added
 483 to the per-user file.
 484 .sp
 485 .LP
 486 For the RSA key for protocol version 1, these files consist of the following
 487 space-separated fields:
 488 .sp
 489 .in +2
 490 .nf
 491 \fIhostnames\fR  \fIbits\fR  \fIexponent\fR  \fImodulus\fR  \fIcomment\fR
 492 .fi
 493 .in -2
 494 .sp
 495 
 496 .sp
 497 .LP
 498 For the public key for protocol version 2, these files consist of the following
 499 space-separated fields:
 500 .sp
 501 .in +2
 502 .nf
 503 \fIhostnames\fR \fIkey-type\fR \fIbase64-encoding-key\fR \fIcomment\fR
 504 .fi
 505 .in -2
 506 .sp
 507 
 508 .sp
 509 .LP
 510 For protocol version 2, \fIkey-type\fR is one of \fBssh-rsa\fR or
 511 \fBssh-dsa\fR.
 512 .sp
 513 .LP
 514 Hostnames is a comma-separated list of patterns (\fB*\fR and \fB?\fR act as
 515 wildcards); each pattern in turn is matched against the canonical host name
 516 (when authenticating a client) or against the user-supplied name (when
 517 authenticating a server). A pattern can also be preceded by \fB!\fR to indicate
 518 negation: if the host name matches a negated pattern, it is not accepted (by
 519 that line) even if it matched another pattern on the line.
 520 .sp
 521 .LP
 522 Alternately, hostnames can be stored in a hashed form, which hides host names
 523 and addresses should the file's contents be disclosed. Hashed hostnames start
 524 with a vertical bar (\fB|\fR) character. Only one hashed hostname can appear on
 525 a single line and none of the above negation or wildcard operators may be
 526 applied.
 527 .sp
 528 .LP
 529 Bits, exponent, and modulus are taken directly from the RSA host key; they can
 530 be obtained, for example, from \fB/etc/ssh/ssh_host_rsa_key.pub\fR. The
 531 optional comment field continues to the end of the line, and is not used.
 532 .sp
 533 .LP
 534 Lines starting with a hash mark (\fB#\fR) and empty lines are ignored as
 535 comments.
 536 .sp
 537 .LP
 538 When performing host authentication, authentication is accepted if any matching
 539 line has the proper key. It is thus permissible (but not recommended) to have
 540 several lines or different host keys for the same names. This will inevitably
 541 happen when short forms of host names from different domains are put in the
 542 file. It is possible that the files contain conflicting information;
 543 authentication is accepted if valid information can be found from either file.
 544 .sp
 545 .LP
 546 The lines in these files are typically hundreds of characters long. You should
 547 definitely not type in the host keys by hand. Rather, generate them by a script
 548 or by taking \fB/etc/ssh/ssh_host_rsa_key.pub\fR and adding the host names at
 549 the front.
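.sp
.LP
The following Python is an added example, not part of \fBsshd\fR or this manual page: it parses \fBauthorized_keys\fR lines as laid out above (options field detection, quoted and comma-separated options) and evaluates the \fBfrom=\fR and \fBssh_known_hosts\fR hostname pattern lists, including the hashed form. The hashed-entry layout (|1|salt|HMAC-SHA1) and the \fBssh-dss\fR key-type token come from OpenSSH and are assumptions beyond what this page states.

```python
# Added example (not sshd's code) parsing sshd(1M) authorized_keys/known_hosts lines.
import base64
import hashlib
import hmac
import re

# Key-type tokens; "ssh-dss" is what OpenSSH writes for DSA keys (assumption).
KEY_TYPES = {"ssh-rsa", "ssh-dsa", "ssh-dss"}


def match_pattern_list(name, pattern_list):
    """Match name against 'pat,pat,!pat' ('*' and '?' are the only wildcards);
    a matching negated pattern rejects the name even if a positive one matched."""
    got_positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        body = pat[1:] if negated else pat
        rx = re.escape(body).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, name):
            if negated:
                return False
            got_positive = True
    return got_positive


def _split_options(text):
    """Split comma-separated options: commas inside double quotes belong to the
    value, a backslash escapes a quote, names are case-insensitive (assumption)."""
    opts, item, quoted, i = {}, [], False, 0
    while i <= len(text):
        c = text[i] if i < len(text) else ","  # sentinel closes the last item
        if quoted and c == "\\" and text[i + 1:i + 2] == '"':
            item.append('"')
            i += 1  # consume the backslash; the quote is consumed below
        elif c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            name, sep, value = "".join(item).partition("=")
            name, item = name.lower(), []
            if name in ("environment", "permitopen"):  # may be repeated
                opts.setdefault(name, []).append(value)
            elif name:
                opts[name] = value if sep else True  # flags map to True
        else:
            item.append(c)
        i += 1
    if quoted:
        raise ValueError("unterminated double quote in options")
    return opts


def parse_authorized_key(line):
    """Return (options, key_fields, comment), or None for blank/comment lines.
    Options are absent when the line starts with a number or a key type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first[0].isdigit() or first in KEY_TYPES:
        options, rest = {}, line
    else:
        quoted, end = False, len(line)  # options end at first unquoted space
        for i, c in enumerate(line):
            if c == '"' and line[i - 1:i] != "\\":
                quoted = not quoted
            elif c == " " and not quoted:
                end = i
                break
        options, rest = _split_options(line[:end]), line[end:].strip()
    if not rest:
        raise ValueError("options present but no key follows")
    nkey = 3 if rest[0].isdigit() else 2  # bits/exponent/modulus or type/base64
    parts = rest.split(None, nkey)
    if len(parts) < nkey:
        raise ValueError("truncated key")
    return options, parts[:nkey], parts[nkey] if len(parts) > nkey else ""


def hash_hostname(host, salt):
    """Hashed hostnames form |1|b64(salt)|b64(HMAC-SHA1(salt, host)).  The
    manual only says such entries start with '|'; the rest is OpenSSH's."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def known_host_matches(hostnames, host):
    """True if a known_hosts hostnames field (plain or hashed) covers host.
    A hashed field names one host and allows no wildcards or negation."""
    if not hostnames.startswith("|"):
        return match_pattern_list(host, hostnames)
    parts = hostnames.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(hash_hostname(host, salt), hostnames)
```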
 550 .SH ENVIRONMENT VARIABLES
 551 .LP
 552 \fBsshd\fR sets the following environment variables for commands executed by
 553 \fBssh\fR users:
 554 .sp
 555 .ne 2
 556 .na
 557 \fB\fBDISPLAY\fR\fR
 558 .ad
 559 .sp .6
 560 .RS 4n
 561 Indicates the location of the X11 server. It is automatically set by \fBsshd\fR
 562 to point to a value of the form \fIhostname\fR:\fIn\fR, where \fIhostname\fR
 563 indicates the host where the shell runs, and \fIn\fR is an integer greater than
 564 or equal to 1. \fBssh\fR uses this special value to forward X11 connections
 565 over the secure channel. Unless you have important reasons to do otherwise, you
 566 should not set \fBDISPLAY\fR explicitly, as that will render the X11 connection
 567 insecure and will require you to manually copy any required authorization
 568 cookies.
 569 .RE
 570 
 571 .sp
 572 .ne 2
 573 .na
 574 \fB\fBHOME\fR\fR
 575 .ad
 576 .sp .6
 577 .RS 4n
 578 Set to the path of the user's home directory.
 579 .RE
 580 
 581 .sp
 582 .ne 2
 583 .na
 584 \fB\fBLANG\fR, \fBLC_ALL\fR, \fBLC_COLLATE\fR, \fBLC_CTYPE\fR,
 585 \fBLC_MESSAGES\fR, \fBLC_MONETARY\fR, \fBLC_NUMERIC\fR, \fBLC_TIME\fR\fR
 586 .ad
 587 .sp .6
 588 .RS 4n
 589 A locale setting. The locale defaults to that of \fBsshd\fR (usually the
 590 system-wide default locale), or is negotiated between the client and server
 591 during initial key exchange (as per RFC 4253).
 592 .sp
  593 Following initial key exchange, each of the variables can be overridden in the
 594 following sequence:
 595 .RS +4
 596 .TP
 597 1.
 598 If a locale setting is set in a client's environment and that client
 599 supports "Environment Variable Passing" (see RFC 4254), then the setting will
 600 be passed over to the server side.
 601 .RE
 602 .RS +4
 603 .TP
 604 2.
 605 If the public key authentication method was used to authenticate the server
 606 and the \fBPermitUserEnvironment\fR variable in \fBsshd_config\fR(4) is set to
 607 \fByes\fR on the server side, then the setting can be changed through the use
 608 of the \fBenvironment\fR option in the client's \fBAuthorizedKeysFile\fR file.
 609 .RE
 610 .RS +4
 611 .TP
 612 3.
  613 The setting can be changed in the client's \fB~/.ssh/environment\fR file on
 614 the server.
 615 .RE
 616 See \fBPermitUserEnvironment\fR in \fBsshd_config\fR(4) as to when the
 617 \fBAuthorizedKeysFile\fR and \fB~/.ssh/environment\fR files are processed and
 618 used for setting the user environment.
 619 .RE
 620 
 621 .sp
 622 .ne 2
 623 .na
 624 \fB\fBLOGNAME\fR\fR
 625 .ad
 626 .sp .6
 627 .RS 4n
 628 Synonym for \fBUSER\fR. Set for compatibility with systems that use this
 629 variable.
 630 .RE
 631 
 632 .sp
 633 .ne 2
 634 .na
 635 \fB\fBMAIL\fR\fR
 636 .ad
 637 .sp .6
 638 .RS 4n
 639 Set to point to the user's mailbox.
 640 .RE
 641 
 642 .sp
 643 .ne 2
 644 .na
 645 \fB\fBSSH_AUTH_SOCK\fR\fR
 646 .ad
 647 .sp .6
 648 .RS 4n
 649 Indicates the path of a \fBunix-domain\fR socket used to communicate with the
 650 agent.
 651 .RE
 652 
 653 .sp
 654 .ne 2
 655 .na
 656 \fB\fBSSH_CONNECTION\fR\fR
 657 .ad
 658 .sp .6
 659 .RS 4n
 660 Identifies the client and server ends of the connection. The variable contains
 661 four space-separated values: client IP address, client port number, server IP
 662 address and server port number.
 663 .RE
 664 
 665 .sp
 666 .ne 2
 667 .na
 668 \fB\fBSSH_CLIENT\fR\fR
 669 .ad
 670 .sp .6
 671 .RS 4n
 672 Identifies the client end of the connection. The variable contains three
 673 space-separated values: client IP address, client port number, and server port
 674 number.
 675 .RE
 676 
 677 .sp
 678 .ne 2
 679 .na
 680 \fB\fBSSH_TTY\fR\fR
 681 .ad
 682 .sp .6
 683 .RS 4n
 684 Set to the name of the \fBtty\fR (path to the device) associated with the
 685 current shell or command. If the current session has no \fBtty\fR, this
 686 variable is not set.
 687 .RE
 688 
 689 .sp
 690 .ne 2
 691 .na
 692 \fB\fBTZ\fR\fR
 693 .ad
 694 .sp .6
 695 .RS 4n
 696 Indicates the present timezone, if \fBTIMEZONE\fR is set in
 697 \fB/etc/default/login\fR or if \fBTZ\fR was set when the daemon was started.
 698 .RE
 699 
 700 .sp
 701 .ne 2
 702 .na
 703 \fB\fBHZ\fR\fR
 704 .ad
 705 .sp .6
 706 .RS 4n
 707 If set in \fB/etc/default/login\fR, the daemon sets it to the same value.
 708 .RE
 709 
 710 .sp
 711 .ne 2
 712 .na
 713 \fB\fBSHELL\fR\fR
 714 .ad
 715 .sp .6
 716 .RS 4n
 717 The user's shell, if \fBALTSHELL=YES\fR in \fB/etc/default/login\fR.
 718 .RE
 719 
 720 .sp
 721 .ne 2
 722 .na
 723 \fB\fBPATH\fR\fR
 724 .ad
 725 .sp .6
 726 .RS 4n
 727 Set to the value of \fBPATH\fR or \fBSUPATH\fR (see \fBlogin\fR(1)) in
 728 \fB/etc/default/login\fR, or, if not set, to \fB/usr/bin:/bin\fR.
 729 .RE
 730 
 731 .sp
 732 .ne 2
 733 .na
 734 \fB\fBUSER\fR\fR
 735 .ad
 736 .sp .6
 737 .RS 4n
 738 Set to the name of the user logging in.
 739 .RE
 740 
 741 .sp
 742 .LP
 743 Additionally, \fBsshd\fR reads \fB$HOME/.ssh/environment\fR and adds lines of
 744 the format \fBVARNAME=\fIvalue\fR\fR to the environment.
 745 .SH EXAMPLES
 746 .LP
 747 In the following examples, certain lines might wrap due to line length limits
 748 in your display. You should nevertheless consider the wrapped line as a single
 749 line.
 750 .LP
  751 \fBExample 1 \fR\fBauthorized_keys\fR File Entries for Protocol 1
 752 .sp
 753 .LP
  754 The following are examples of \fBauthorized_keys\fR file entries for protocol 1:
 755 
 756 .sp
 757 .in +2
 758 .nf
 759 1024 33 12121...312314325 ylo@foo.bar
 760 
 761 from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
 762 
 763 command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
 764 .fi
 765 .in -2
 766 .sp
 767 
 768 .LP
  769 \fBExample 2 \fR\fBauthorized_keys\fR File Entries for Protocol 2
 770 .sp
 771 .LP
  772 The following are examples of \fBauthorized_keys\fR file entries for protocol 2:
 773 
 774 .sp
 775 .in +2
 776 .nf
 777 ssh-rsa AAAAB3NzaC1y.....EU88ovYKg4GfclWGCFYTuw8= ylo@foo.bar
 778 from="*.niksula.hut.fi" ssh-rsa AAAAB3NzaC...uw8= ylo@niksula
 779 command="dump /home",no-pty,no-port-forwarding ssh-rsa AA..8= backup.hut.fi
 780 .fi
 781 .in -2
 782 .sp
 783 
 784 .LP
 785 \fBExample 3 \fR\fBssh_known_hosts\fR File Entries for Protocol 1
 786 .sp
 787 .LP
 788 The following are examples of \fBssh_known_hosts\fR file entries for protocol
 789 1:
 790 
 791 .sp
 792 .in +2
 793 .nf
 794 closenet,closenet.hut.fi,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
 795 .fi
 796 .in -2
 797 .sp
 798 
 799 .LP
 800 \fBExample 4 \fR\fBssh_known_hosts\fR File Entries for Protocol 2
 801 .sp
 802 .LP
 803 The following are examples of \fBssh_known_hosts\fR file entries for protocol
 804 2:
 805 
 806 .sp
 807 .in +2
 808 .nf
 809 closenet,closenet.hut.fi,...,130.233.208.41 ssh-rsa AA..8= closenet.hut.fi
 810 .fi
 811 .in -2
 812 .sp
 813 
 814 .SH EXIT STATUS
 815 .LP
 816 The following exit values are returned:
 817 .sp
 818 .ne 2
 819 .na
 820 \fB\fB0\fR\fR
 821 .ad
 822 .RS 13n
 823 Successful completion.
 824 .RE
 825 
 826 .sp
 827 .ne 2
 828 .na
  829 \fB>0\fR
 830 .ad
 831 .RS 13n
 832 An error occurred.
 833 .RE
 834 
 835 .SH FILES
 836 .ne 2
 837 .na
 838 \fB\fB/etc/default/login\fR\fR
 839 .ad
 840 .sp .6
 841 .RS 4n
 842 Contains defaults for several \fBsshd_config\fR parameters, environment
 843 variables, and other environmental factors.
 844 .sp
 845 The following parameters affect environment variables (see \fBlogin\fR(1) and
 846 descriptions of these variables, above):
 847 .RS +4
 848 .TP
 849 .ie t \(bu
 850 .el o
 851 \fBTIMEZONE\fR
 852 .RE
 853 .RS +4
 854 .TP
 855 .ie t \(bu
 856 .el o
 857 \fBHZ\fR
 858 .RE
 859 .RS +4
 860 .TP
 861 .ie t \(bu
 862 .el o
 863 \fBALTSHELL\fR
 864 .RE
 865 .RS +4
 866 .TP
 867 .ie t \(bu
 868 .el o
 869 \fBPATH\fR
 870 .RE
 871 .RS +4
 872 .TP
 873 .ie t \(bu
 874 .el o
 875 \fBSUPATH\fR
 876 .RE
 877 The following \fB/etc/default/login\fR parameters supply default values for
 878 corresponding \fBsshd_config\fR(4) parameters:
 879 .RS +4
 880 .TP
 881 .ie t \(bu
 882 .el o
 883 \fBCONSOLE\fR (see \fBPermitRootLogin\fR in \fBsshd_config\fR(4))
 884 .RE
 885 .RS +4
 886 .TP
 887 .ie t \(bu
 888 .el o
 889 \fBPASSREQ\fR (see \fBPermitEmptyPasswords\fR in \fBsshd_config\fR(4))
 890 .RE
 891 .RS +4
 892 .TP
 893 .ie t \(bu
 894 .el o
 895 \fBTIMEOUT\fR (see \fBLoginGraceTime\fR in \fBsshd_config\fR(4))
 896 .RE
 897 The following \fB/etc/default/login\fR parameters:
 898 .RS +4
 899 .TP
 900 .ie t \(bu
 901 .el o
 902 \fBUMASK\fR
 903 .RE
 904 .RS +4
 905 .TP
 906 .ie t \(bu
 907 .el o
 908 \fBULIMIT\fR
 909 .RE
 910 \&...set the \fBumask\fR(2) and file size limit of, respectively, the shells
 911 and commands spawned by \fBsshd\fR.
 912 .sp
 913 Finally, two \fB/etc/default/login\fR parameters affect the maximum allowed
 914 login attempts per-connection using interactive user authentication methods
 915 (for example, \fBkeyboard-interactive\fR but not \fBpublickey\fR), as per
 916 \fBlogin\fR(1):
 917 .RS +4
 918 .TP
 919 .ie t \(bu
 920 .el o
 921 \fBRETRIES\fR
 922 .RE
 923 .RS +4
 924 .TP
 925 .ie t \(bu
 926 .el o
 927 \fBSYSLOG_FAILED_LOGINS\fR
 928 .RE
 929 .RE
 930 
 931 .sp
 932 .ne 2
 933 .na
 934 \fB\fB/etc/ssh/sshd_config\fR\fR
 935 .ad
 936 .sp .6
 937 .RS 4n
 938 Contains configuration data for \fBsshd\fR. This file should be writable by
 939 root only, but it is recommended (though not necessary) that it be
 940 world-readable.
 941 .RE
 942 
 943 .sp
 944 .ne 2
 945 .na
 946 \fB\fB/etc/ssh/ssh_host_key\fR\fR
 947 .ad
 948 .br
 949 .na
 950 \fB\fB/etc/ssh/ssh_host_dsa_key\fR\fR
 951 .ad
 952 .br
 953 .na
 954 \fB\fB/etc/ssh/ssh_host_rsa_key\fR\fR
 955 .ad
 956 .sp .6
 957 .RS 4n
  958 Contains the private part of the host key. This file should be owned by root,
  959 readable only by root, and not accessible to others. \fBsshd\fR does not
  960 start if this file is group/world-accessible.
 961 .RE
 962 
 963 .sp
 964 .ne 2
 965 .na
 966 \fB\fB/etc/ssh/ssh_host_key.pub\fR\fR
 967 .ad
 968 .br
 969 .na
 970 \fB\fB/etc/ssh/ssh_host_dsa_key.pub\fR\fR
 971 .ad
 972 .br
 973 .na
 974 \fB\fB/etc/ssh/ssh_host_rsa_key.pub\fR\fR
 975 .ad
 976 .sp .6
 977 .RS 4n
 978 Contains the public part of the host key. This file should be world-readable
 979 but writable only by root. Its contents should match the private part. This
 980 file is not used for encryption; it is provided only for the convenience of the
 981 user so its contents can be copied to known hosts files. These two files are
 982 created using \fBssh-keygen\fR(1).
 983 .RE
 984 
 985 .sp
 986 .ne 2
 987 .na
 988 \fB\fB/var/run/sshd.pid\fR\fR
 989 .ad
 990 .sp .6
 991 .RS 4n
 992 Contains the process ID of the \fBsshd\fR listening for connections. If there
 993 are several daemons running concurrently for different ports, this contains the
 994 pid of the one started last. The content of this file is not sensitive; it can
 995 be world-readable. You can use the \fBPidFile\fR keyword in \fBsshd_config\fR
 996 to specify a file other than \fB/var/run/sshd.pid\fR. See \fBsshd_config\fR(4).
 997 .RE
 998 
 999 .sp
1000 .ne 2
1001 .na
1002 \fB\fB/etc/ssh/ssh_known_hosts\fR and \fB$HOME/.ssh/known_hosts\fR\fR
1003 .ad
1004 .sp .6
1005 .RS 4n
1006 These files are consulted when using \fBrhosts\fR with public key host
1007 authentication to check the public key of the host. The key must be listed in
1008 one of these files to be accepted. The client uses the same files to verify
1009 that the remote host is the one it intended to connect to. These files should be
1010 writable only by root or the owner. \fB/etc/ssh/ssh_known_hosts\fR should be
1011 world-readable, and \fB$HOME/.ssh/known_hosts\fR can but need not be
1012 world-readable.
1013 .RE
1014 
1015 .sp
1016 .ne 2
1017 .na
1018 \fB\fB/etc/nologin\fR\fR
1019 .ad
1020 .sp .6
1021 .RS 4n
1022 If this file exists, \fBsshd\fR refuses to let anyone except root log in. The
1023 contents of the file are displayed to anyone trying to log in, and non-root
1024 connections are refused. The file should be world-readable.
1025 .RE
1026 
1027 .sp
1028 .ne 2
1029 .na
1030 \fB\fB$HOME/.ssh/authorized_keys\fR\fR
1031 .ad
1032 .sp .6
1033 .RS 4n
1034 Lists the public keys (RSA or DSA) that can be used to log into the user's
1035 account. This file must be readable by root. This might, on some machines,
1036 imply that it is world-readable if the user's home directory resides on an NFS
1037 volume. It is recommended that it not be accessible by others. The format of
1038 this file is described above. Users will place the contents of their
1039 \fBidentity.pub\fR, \fBid_dsa.pub\fR and/or \fBid_rsa.pub\fR files into this
1040 file, as described in \fBssh-keygen\fR(1).
1041 .RE
1042 
1043 .sp
1044 .ne 2
1045 .na
1046 \fB\fB$HOME/.rhosts\fR\fR
1047 .ad
1048 .sp .6
1049 .RS 4n
1050 This file contains host-username pairs, separated by a space, one per line. The
1051 given user on the corresponding host is permitted to log in without a password.
1052 The same file is used by \fBrlogind\fR and \fBrshd\fR. The file must be
1053 writable only by the user; it is recommended that it not be accessible by
1054 others. It is also possible to use \fBnetgroups\fR in the file. Either host or
1055 user name may be of the form \fB+@\fIgroupname\fR\fR to specify all hosts or
1056 all users in the group.
1057 .RE
1058 
1059 .sp
1060 .ne 2
1061 .na
1062 \fB\fB$HOME/.shosts\fR\fR
1063 .ad
1064 .sp .6
1065 .RS 4n
1066 For \fBssh\fR, this file is exactly the same as for \fB\&.rhosts\fR. However,
1067 this file is not used by \fBrlogin\fR and \fBrshd\fR, so using this permits
1068 access using SSH only.
1069 .RE
1070 
1071 .sp
1072 .ne 2
1073 .na
1074 \fB\fB/etc/hosts.equiv\fR\fR
1075 .ad
1076 .sp .6
1077 .RS 4n
1078 This file is used during \fB\&.rhosts\fR authentication. In its simplest form,
1079 this file contains host names, one per line. Users on these hosts are permitted
1080 to log in without a password, provided they have the same user name on both
1081 machines. The host name can also be followed by a user name; such users are
1082 permitted to log in as any user on this machine (except root). Additionally,
1083 the syntax \fB+@\fIgroup\fR\fR can be used to specify netgroups. Negated
1084 entries start with a hyphen (\fB-\fR).
1085 .sp
1086 If the client host/user is successfully matched in this file, login is
1087 automatically permitted, provided the client and server user names are the
1088 same. Additionally, successful RSA host authentication is normally required.
1089 This file must be writable only by root; it is recommended that it be
1090 world-readable.
1091 .sp
1092 Warning: It is almost never a good idea to use user names in \fBhosts.equiv\fR.
1093 Beware that it really means that the named user(s) can log in as anybody, which
1094 includes \fBbin\fR, \fBdaemon\fR, \fBadm\fR, and other accounts that own
1095 critical binaries and directories. For practical purposes, using a user name
1096 grants the user root access. Probably the only valid use for user names is in
1097 negative entries. This warning also applies to \fBrsh\fR/\fBrlogin\fR.
1098 .RE
1099 
1100 .sp
1101 .ne 2
1102 .na
1103 \fB\fB/etc/ssh/moduli\fR\fR
1104 .ad
1105 .sp .6
1106 .RS 4n
1107 A private file.
1108 .RE
1109 
1110 .sp
1111 .ne 2
1112 .na
1113 \fB\fB/etc/ssh/shosts.equiv\fR\fR
1114 .ad
1115 .sp .6
1116 .RS 4n
1117 This file is processed exactly as \fB/etc/hosts.equiv\fR. However, this file
1118 might be useful in environments that want to run both \fBrsh\fR/\fBrlogin\fR
1119 and \fBssh\fR.
1120 .RE
1121 
1122 .sp
1123 .ne 2
1124 .na
1125 \fB\fB$HOME/.ssh/environment\fR\fR
1126 .ad
1127 .sp .6
1128 .RS 4n
1129 This file is read into the environment at login (if it exists). It can contain
1130 only empty lines, comment lines (that start with \fB#\fR), and assignment lines
1131 of the form \fB\fIname\fR=\fIvalue\fR\fR. The file should be writable only by
1132 the user; it need not be readable by anyone else. Environment processing is
1133 disabled by default and is controlled by means of the
1134 \fBPermitUserEnvironment\fR option.
1135 .RE
1136 
1137 .sp
1138 .ne 2
1139 .na
1140 \fB\fB$HOME/.ssh/rc\fR\fR
1141 .ad
1142 .sp .6
1143 .RS 4n
1144 If this file exists, it is run with \fB/bin/sh\fR after reading the environment
1145 files but before starting the user's shell or command. It must not produce any
1146 output on stdout; stderr must be used instead.
1147 .sp
1148 The primary purpose of \fB$HOME/.ssh/rc\fR is to run any initialization
1149 routines that might be needed before the user's home directory becomes
1150 accessible; AFS is a particular example of such an environment. If X11
1151 forwarding is in use, the script receives the \fBproto cookie\fR pair on its
1152 standard input and \fBDISPLAY\fR in its environment. The script must call
1153 \fBxauth\fR in that case, because \fBsshd\fR will not run \fBxauth\fR
1154 automatically to add X11 cookies.
1158 .sp
1159 This file will probably contain some initialization code followed by something
1160 similar to:
1161 .sp
1162 .in +2
1163 .nf
1164 if read proto cookie && [ -n "$DISPLAY" ]
1165 then
1166   if [ `echo $DISPLAY | cut -c1-10`  =  'localhost:' ]
1167   then
1168     # X11UseLocalhost=yes
1169     echo add unix:`echo $DISPLAY |
1170     cut -c11-` $proto $cookie
1171   else
1172     # X11UseLocalhost=no
1173     echo add $DISPLAY $proto $cookie
1174   fi | xauth -q -
1175 fi
1176 .fi
1177 .in -2
1178 .sp
1179 
1180 If this file does not exist, \fB/etc/ssh/sshrc\fR is run, and if that does not
1181 exist, \fBxauth\fR is used to store the cookie. \fB$HOME/.ssh/rc\fR should be
1182 writable only by the user, and need not be readable by anyone else.
1183 .RE
1184 
1185 .sp
1186 .ne 2
1187 .na
1188 \fB\fB/etc/ssh/sshrc\fR\fR
1189 .ad
1190 .sp .6
1191 .RS 4n
1192 Similar to \fB$HOME/.ssh/rc\fR. This can be used to specify machine-specific
1193 login-time initializations globally. This file should be writable only by root,
1194 and should be world-readable.
1195 .RE
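.sp
.LP
The following script is an added example; it is not part of this manual page
or of \fBsshd\fR itself. It audits the ownership and mode rules stated above
for the host key files using only \fBls\fR(1) output, so it runs unchanged on
Solaris and Linux. The optional expected-owner argument is an assumption added
so the checks can be tried on copies of the files that are not owned by root.
.sp
.nf
```shell
#!/bin/sh
# Added example, not from the sshd manual page: audit the ownership and mode
# rules the FILES section states for the host key files. It parses ls -ld
# output only, so it works the same on Solaris and Linux. The private-key
# rule is the one that bites: sshd refuses to start when the private host
# key is group- or world-accessible.

# mode_string FILE  -> the ten-character mode field of ls -ld, e.g. -rw-------
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# owner_of FILE     -> the owner name, the third field of ls -ld
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_private_key FILE [OWNER]
# Returns 0 when FILE is owned by OWNER (default root, the only value sshd
# accepts) and carries no group or other permission bits; otherwise reports
# the problem on stderr and returns 1.
check_private_key() {
    want=${2:-root}
    m=$(mode_string "$1") || return 1
    case "${m#????}" in      # strip the type and owner bits, keep group+other
        ------) ;;
        *) echo "$1: group/world-accessible ($m); sshd will not start" >&2
           return 1 ;;
    esac
    if [ "$(owner_of "$1")" != "$want" ]; then
        echo "$1: owned by $(owner_of "$1"), expected $want" >&2
        return 1
    fi
}

# check_public_key FILE
# The .pub files should be world-readable but writable only by their owner.
check_public_key() {
    m=$(mode_string "$1") || return 1
    case "${m#?}" in         # strip the type character, keep the nine bits
        r??r-?r-?) ;;
        *) echo "$1: should be readable by all, writable only by owner ($m)" >&2
           return 1 ;;
    esac
}
```
.fi
.sp
Run it as \fBcheck_private_key /etc/ssh/ssh_host_rsa_key\fR and
\fBcheck_public_key /etc/ssh/ssh_host_rsa_key.pub\fR for each key pair.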
1196 
1197 .SH SECURITY
1198 .LP
1199 \fBsshd\fR supports the use of several user authentication mechanisms: a public
1200 key system where keys are associated with users (through users'
1201 \fBauthorized_keys\fR files), a public key system where keys are associated
1202 with hosts (see the \fBHostbasedAuthentication\fR configuration parameter), a
1203 GSS-API based method (see the \fBGssAuthentication\fR and \fBGssKeyEx\fR
1204 configuration parameters) and three initial authentication methods: \fBnone\fR,
1205 \fBpassword\fR, and a generic prompt/reply protocol,
1206 \fBkeyboard-interactive\fR.
1207 .sp
1208 .LP
1209 \fBsshd\fR negotiates the use of the GSS-API with clients only if it has a
1210 GSS-API acceptor credential for the "host" service. This means that, for
1211 GSS-API based authentication, the server must have a Kerberos V \fBkeytab\fR
1212 entry (see below) or the equivalent for any other GSS-API mechanism that might
1213 be installed.
1214 .sp
1215 .LP
1216 In order for Kerberos authentication to work, a \fBhost/\fR\fI<FQDN>\fR
1217 Kerberos principal must exist for each Fully Qualified Domain Name associated
1218 with the \fBin.sshd\fR server. Each of these \fBhost/\fR\fI<FQDN>\fR principals
1219 must have a \fBkeytab\fR entry in the \fB/etc/krb5/krb5.keytab\fR file on the
1220 \fBin.sshd\fR server. An example principal might be:
1221 .sp
1222 .LP
1223 \fBhost/bigmachine.eng.example.com\fR
1224 .sp
1225 .LP
1226 See \fBkadmin\fR(1M) for instructions on adding a principal to a
1227 \fBkrb5.keytab\fR file. See \fI\fR for a discussion of Kerberos
1228 authentication.
1229 .sp
1230 .LP
1231 GSS-API authorization is covered in \fBgss_auth_rules\fR(5).
1232 .sp
1233 .LP
1234 \fBsshd\fR uses \fBpam\fR(3PAM) for the three initial authentication methods as
1235 well as for account management, session management, and password management for
1236 all authentication methods.
1237 .sp
1238 .LP
1239 Specifically, \fBsshd\fR calls \fBpam_authenticate()\fR for the "none,"
1240 "password" and "keyboard-interactive" SSHv2 \fBuserauth\fR types, as well as
1241 for the null and password authentication methods for SSHv1. Other SSHv2
1242 authentication methods do not call \fBpam_authenticate()\fR.
1243 \fBpam_acct_mgmt()\fR is called for each authentication method that succeeds.
1244 .sp
1245 .LP
1246 \fBpam_setcred()\fR and \fBpam_open_session()\fR are called when authentication
1247 succeeds and \fBpam_close_session()\fR is called when connections are closed.
1248 .sp
1249 .LP
1250 \fBpam_open_session()\fR and \fBpam_close_session()\fR are also called when
1251 SSHv2 channels with \fBpty\fRs are opened and closed.
1252 .sp
1253 .LP
1254 Each SSHv2 \fBuserauth\fR type has its own PAM service name:
1255 .sp
1256 
1257 .sp
1258 .TS
1259 box;
1260 c | c
1261 l | l .
1262 SSHv2 Userauth  PAM Service Name
1263 _
1264 none    sshd-none
1265 _
1266 password        sshd-password
1267 _
1268 keyboard-interactive    sshd-kbdint
1269 _
1270 pubkey  sshd-pubkey
1271 _
1272 hostbased       sshd-hostbased
1273 _
1274 gssapi-with-mic sshd-gssapi
1275 _
1276 gssapi-keyex    sshd-gssapi
1277 .TE
1278 
1279 .sp
1280 .LP
1281 For SSHv1, \fBsshd-v1\fR is always used.
1282 .sp
1283 .LP
1284 If \fBpam_acct_mgmt()\fR returns \fBPAM_NEW_AUTHTOK_REQD\fR (indicating that
1285 the user's authentication tokens have expired), then \fBsshd\fR forces the use
1286 of "keyboard-interactive" \fBuserauth\fR, if version 2 of the protocol is in
1287 use. The "keyboard-interactive" \fBuserauth\fR will call \fBpam_chauthtok()\fR
1288 if \fBpam_acct_mgmt()\fR once again returns \fBPAM_NEW_AUTHTOK_REQD\fR. By this
1289 means, administrators are able to control what authentication methods are
1290 allowed for SSHv2 on a per-user basis.
1291 .SS "Setting up Host-based Authentication"
1292 .LP
1293 To establish host-based authentication, you must perform the following steps:
1294 .RS +4
1295 .TP
1296 .ie t \(bu
1297 .el o
1298 Configure the client.
1299 .RE
1300 .RS +4
1301 .TP
1302 .ie t \(bu
1303 .el o
1304 Configure the server.
1305 .RE
1306 .RS +4
1307 .TP
1308 .ie t \(bu
1309 .el o
1310 Publish known hosts.
1311 .RE
1312 .RS +4
1313 .TP
1314 .ie t \(bu
1315 .el o
1316 Make appropriate entries in \fB/etc/ssh/shosts.equiv\fR and \fB~/.shosts\fR.
1317 .RE
1318 .sp
1319 .LP
1320 These steps are expanded in the following paragraphs.
1321 .RS +4
1322 .TP
1323 .ie t \(bu
1324 .el o
1325 On a client machine, in the system-wide client configuration file,
1326 \fB/etc/ssh/ssh_config\fR, you must have the entry:
1327 .sp
1328 .in +2
1329 .nf
1330 HostbasedAuthentication yes
1331 .fi
1332 .in -2
1333 
1334 See \fBssh_config\fR(4) and \fBssh-keysign\fR(1M).
1335 .RE
1336 .RS +4
1337 .TP
1338 .ie t \(bu
1339 .el o
1340 On the server, in the system-wide server configuration file,
1341 \fB/etc/ssh/sshd_config\fR, you must have the entry:
1342 .sp
1343 .in +2
1344 .nf
1345 HostbasedAuthentication yes
1346 .fi
1347 .in -2
1348 
1349 If per-user \fB\&.shosts\fR files are to be allowed (see the last step), in the same
1350 file, you must have:
1351 .sp
1352 .in +2
1353 .nf
1354 IgnoreRhosts no
1355 .fi
1356 .in -2
1357 
1358 See \fBsshd_config\fR(4) for a description of these keywords.
1359 .RE
1360 .RS +4
1361 .TP
1362 .ie t \(bu
1363 .el o
1364 To publish known hosts, you must have entries for the clients from which users
1365 will be allowed host-based authentication. Make these entries in either or both
1366 of the system-wide file (\fB/etc/ssh/ssh_known_hosts\fR) or the per-user file
1367 (\fB~/.ssh/known_hosts\fR).
1368 .RE
1369 .RS +4
1370 .TP
1371 .ie t \(bu
1372 .el o
1373 Note that \fBsshd\fR uses \fB\&.shosts\fR, not \fB\&.rhosts\fR. If you want the
1374 functionality provided by \fB\&.rhosts\fR, but do not want to use \fBrlogin\fR
1375 or \fBrsh\fR because of their security shortcomings, you can use
1376 \fB\&.shosts\fR in conjunction with \fBsshd\fR. To use this feature, make
1377 appropriate entries in \fB/etc/ssh/shosts.equiv\fR and \fB~/.shosts\fR, in the
1378 format specified in \fBrhosts\fR(4).
1379 .sp
1380 For the vast majority of network environments, \fB\&.shosts\fR is preferred
1381 over \fB\&.rhosts\fR.
1382 .RE
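.sp
.LP
The following script is an added example; it is not part of this manual page
or of \fBsshd\fR itself. It checks the server-side settings the steps above
require and that a client host is published in a \fBknown_hosts\fR file. The
file paths are passed as arguments; the sample file contents used to exercise
it are constructed.
.sp
.nf
```shell
#!/bin/sh
# Added example, not from the sshd manual page: verify the server-side
# settings that host-based authentication needs and that a client host is
# published in a known_hosts file. Only standard sh, awk and tr are used.

# sshd_config_value FILE KEYWORD
# Prints the value of KEYWORD from FILE. Like sshd, it matches keywords
# case-insensitively, skips comments and blank lines, and uses the first
# occurrence of a keyword.
sshd_config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# check_hostbased_config FILE
# Returns 0 when FILE enables host-based authentication and allows per-user
# .shosts files (IgnoreRhosts no); otherwise reports each problem on stderr
# and returns 1. A missing IgnoreRhosts counts as a problem: it defaults to yes.
check_hostbased_config() {
    rc=0
    if [ "$(sshd_config_value "$1" HostbasedAuthentication)" != yes ]; then
        echo "$1: HostbasedAuthentication must be yes" >&2; rc=1
    fi
    if [ "$(sshd_config_value "$1" IgnoreRhosts)" != no ]; then
        echo "$1: IgnoreRhosts must be no for per-user .shosts files" >&2; rc=1
    fi
    return $rc
}

# known_host_listed FILE HOST
# Returns 0 if HOST appears in the comma-separated host field of a key line
# in FILE (plain host names only; hashed known_hosts entries are not handled).
known_host_listed() {
    awk -v host="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { n = split($1, h, ",")
          for (i = 1; i <= n; i++) if (h[i] == host) { found = 1; exit } }
        END { exit (found ? 0 : 1) }
    ' "$1"
}
```
.fi
.sp
On the server, \fBcheck_hostbased_config /etc/ssh/sshd_config\fR followed by
\fBknown_host_listed /etc/ssh/ssh_known_hosts client.example.com\fR covers the
second and third steps for one client host.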
1383 .SH ATTRIBUTES
1384 .LP
1385 See \fBattributes\fR(5) for descriptions of the following attributes:
1386 .sp
1387 
1388 .sp
1389 .TS
1390 box;
1391 c | c
1392 l | l .
1393 ATTRIBUTE TYPE  ATTRIBUTE VALUE
1394 _
1395 Interface Stability     Evolving
1396 .TE
1397 
1398 .sp
1399 .LP
1400 The interface stability of \fB/etc/ssh/moduli\fR is Private.
1401 .SH SEE ALSO
1402 .LP
1403 \fBlogin\fR(1), \fBscp\fR(1), \fBssh\fR(1), \fBssh-add\fR(1),
1404 \fBssh-agent\fR(1), \fBssh-keygen\fR(1), \fBsvcs\fR(1),
1405 \fBkadmin\fR(1M), \fBsftp-server\fR(1M), \fBssh-keysign\fR(1M),
1406 \fBsvcadm\fR(1M), \fBpam\fR(3PAM), \fBrhosts\fR(4), \fBssh_config\fR(4),
1407 \fBsshd_config\fR(4), \fBattributes\fR(5), \fBgss_auth_rules\fR(5),
1408 \fBkerberos\fR(5), \fBpam_roles\fR(5), \fBsmf\fR(5)
1409 .sp
1410 .LP
1411 \fI\fR
1412 .SH NOTES
1413 .LP
1414 The \fBsshd\fR service is managed by the service management facility,
1415 \fBsmf\fR(5), under the service identifier:
1416 .sp
1417 .in +2
1418 .nf
1419 svc:/network/ssh:default
1420 .fi
1421 .in -2
1422 .sp
1423 
1424 .sp
1425 .LP
1426 Administrative actions on this service, such as enabling, disabling, or
1427 requesting restart, can be performed using \fBsvcadm\fR(1M). The service's
1428 status can be queried using the \fBsvcs\fR(1) command.
1429 .sp
1430 .LP
1431 \fBsshd\fR always sets \fBPAM_RHOST\fR and sets \fBPAM_AUSER\fR in the case of
1432 host-based \fBuserauth\fR. This behavior allows for remote logins to roles
1433 using host-based authentication. See \fBpam_roles\fR(5).