{"id":353,"date":"2019-10-21T19:56:31","date_gmt":"2019-10-21T17:56:31","guid":{"rendered":"http:\/\/linuxboxen2.dk\/?p=353"},"modified":"2019-10-21T19:56:31","modified_gmt":"2019-10-21T17:56:31","slug":"sshd","status":"publish","type":"post","link":"https:\/\/www.linuxboxen.dk\/?p=353","title":{"rendered":"SSHD"},"content":{"rendered":"

SSHD(8)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BSD System Manager’s Manual\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SSHD(8)<\/p>\n

NAME\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

sshd \u2014 OpenSSH SSH daemon<\/p>\n

SYNOPSIS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

sshd [-46DdeiqTt] [-b bits] [-C connection_spec]
\n[-c host_certificate_file] [-E log_file] [-f config_file]
\n[-g login_grace_time] [-h host_key_file] [-k key_gen_time]
\n[-o option] [-p port] [-u len]<\/p>\n

DESCRIPTION\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

sshd (OpenSSH Daemon) is the daemon program for ssh(1).\u00a0 Together these
\nprograms replace rlogin and rsh, and provide secure encrypted communi\u2010
\ncations between two untrusted hosts over an insecure network.<\/p>\n

sshd listens for connections from clients.\u00a0 It is normally started at
\nboot from \/etc\/rc.\u00a0 It forks a new daemon for each incoming connection.
\nThe forked daemons handle key exchange, encryption, authentication,
\ncommand execution, and data exchange.<\/p>\n

sshd can be configured using command-line options or a configuration
\nfile (by default sshd_config(5)); command-line options override values
\nspecified in the configuration file.\u00a0 sshd rereads its configuration
\nfile when it receives a hangup signal, SIGHUP, by executing itself with
\nthe name and options it was started with, e.g. \/usr\/sbin\/sshd.<\/p>\n

The options are as follows:<\/p>\n

-4\u00a0\u00a0\u00a0\u00a0\u00a0 Forces sshd to use IPv4 addresses only.<\/p>\n

-6\u00a0\u00a0\u00a0\u00a0\u00a0 Forces sshd to use IPv6 addresses only.<\/p>\n

-b bits
\nSpecifies the number of bits in the ephemeral protocol version
\n1 server key (default 1024).<\/p>\n

-C connection_spec
\nSpecify the connection parameters to use for the -T extended
\ntest mode.\u00a0 If provided, any Match directives in the configura\u2010
\ntion file that would apply to the specified user, host, and
\naddress will be set before the configuration is written to
\nstandard output.\u00a0 The connection parameters are supplied as
\nkeyword=value pairs.\u00a0 The keywords are \u201cuser\u201d, \u201chost\u201d, \u201claddr\u201d,
\n\u201clport\u201d, and \u201caddr\u201d.\u00a0 All are required and may be supplied in
\nany order, either with multiple -C options or as a comma-sepa\u2010
\nrated list.<\/p>\n

-c host_certificate_file
\nSpecifies a path to a certificate file to identify sshd during
\nkey exchange.\u00a0 The certificate file must match a host key file
\nspecified using the -h option or the HostKey configuration
\ndirective.<\/p>\n

-D\u00a0\u00a0\u00a0\u00a0\u00a0 When this option is specified, sshd will not detach and does
\nnot become a daemon.\u00a0 This allows easy monitoring of sshd.<\/p>\n

-d\u00a0\u00a0\u00a0\u00a0\u00a0 Debug mode.\u00a0 The server sends verbose debug output to standard
\nerror, and does not put itself in the background.\u00a0 The server
\nalso will not fork and will only process one connection.\u00a0 This
\noption is only intended for debugging for the server.\u00a0 Multiple
\n-d options increase the debugging level.\u00a0 Maximum is 3.<\/p>\n

-E log_file
\nAppend debug logs to log_file instead of the system log.<\/p>\n

-e\u00a0\u00a0\u00a0\u00a0\u00a0 Write debug logs to standard error instead of the system log.<\/p>\n

-f config_file
\nSpecifies the name of the configuration file.\u00a0 The default is
\n\/etc\/ssh\/sshd_config.\u00a0 sshd refuses to start if there is no
\nconfiguration file.<\/p>\n

-g login_grace_time
\nGives the grace time for clients to authenticate themselves
\n(default 120 seconds).\u00a0 If the client fails to authenticate the
\nuser within this many seconds, the server disconnects and
\nexits.\u00a0 A value of zero indicates no limit.<\/p>\n

-h host_key_file
\nSpecifies a file from which a host key is read.\u00a0 This option
\nmust be given if sshd is not run as root (as the normal host
\nkey files are normally not readable by anyone but root).\u00a0 The
\ndefault is \/etc\/ssh\/ssh_host_key for protocol version 1, and
\n\/etc\/ssh\/ssh_host_dsa_key, \/etc\/ssh\/ssh_host_ecdsa_key.
\n\/etc\/ssh\/ssh_host_ed25519_key and \/etc\/ssh\/ssh_host_rsa_key for
\nprotocol version 2.\u00a0 It is possible to have multiple host key
\nfiles for the different protocol versions and host key algo\u2010
\nrithms.<\/p>\n

-i\u00a0\u00a0\u00a0\u00a0\u00a0 Specifies that sshd is being run from inetd(8).\u00a0 sshd is nor\u2010
\nmally not run from inetd because it needs to generate the
\nserver key before it can respond to the client, and this may
\ntake tens of seconds.\u00a0 Clients would have to wait too long if
\nthe key was regenerated every time.\u00a0 However, with small key
\nsizes (e.g. 512) using sshd from inetd may be feasible.<\/p>\n

-k key_gen_time
\nSpecifies how often the ephemeral protocol version 1 server key
\nis regenerated (default 3600 seconds, or one hour).\u00a0 The moti\u2010
\nvation for regenerating the key fairly often is that the key is
\nnot stored anywhere, and after about an hour it becomes impos\u2010
\nsible to recover the key for decrypting intercepted communica\u2010
\ntions even if the machine is cracked into or physically seized.
\nA value of zero indicates that the key will never be regener\u2010
\nated.<\/p>\n

-o option
\nCan be used to give options in the format used in the configu\u2010
\nration file.\u00a0 This is useful for specifying options for which
\nthere is no separate command-line flag.\u00a0 For full details of
\nthe options, and their values, see sshd_config(5).<\/p>\n

-p port
\nSpecifies the port on which the server listens for connections
\n(default 22).\u00a0 Multiple port options are permitted.\u00a0 Ports
\nspecified in the configuration file with the Port option are
\nignored when a command-line port is specified.\u00a0 Ports specified
\nusing the ListenAddress option override command-line ports.<\/p>\n

-q\u00a0\u00a0\u00a0\u00a0\u00a0 Quiet mode.\u00a0 Nothing is sent to the system log.\u00a0 Normally the
\nbeginning, authentication, and termination of each connection
\nis logged.<\/p>\n

-T\u00a0\u00a0\u00a0\u00a0\u00a0 Extended test mode.\u00a0 Check the validity of the configuration
\nfile, output the effective configuration to stdout and then
\nexit.\u00a0 Optionally, Match rules may be applied by specifying the
\nconnection parameters using one or more -C options.<\/p>\n

-t\u00a0\u00a0\u00a0\u00a0\u00a0 Test mode.\u00a0 Only check the validity of the configuration file
\nand sanity of the keys.\u00a0 This is useful for updating sshd reli\u2010
\nably as configuration options may change.<\/p>\n

-u len\u00a0 This option is used to specify the size of the field in the
\nutmp structure that holds the remote host name.\u00a0 If the
\nresolved host name is longer than len, the dotted decimal value
\nwill be used instead.\u00a0 This allows hosts with very long host
\nnames that overflow this field to still be uniquely identified.
\nSpecifying -u0 indicates that only dotted decimal addresses
\nshould be put into the utmp file.\u00a0 -u0 may also be used to pre\u2010
\nvent sshd from making DNS requests unless the authentication
\nmechanism or configuration requires it.\u00a0 Authentication mecha\u2010
\nnisms that may require DNS include RhostsRSAAuthentication,
\nHostbasedAuthentication, and using a from=”pattern-list” option
\nin a key file.\u00a0 Configuration options that require DNS include
\nusing a\u00a0USER@HOST\u00a0pattern in AllowUsers or DenyUsers.<\/p>\n

AUTHENTICATION\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

The OpenSSH SSH daemon supports SSH protocols 1 and 2.\u00a0 The default is
\nto use protocol 2 only, though this can be changed via the Protocol
\noption in sshd_config(5).\u00a0 Protocol 2 supports DSA, ECDSA, ED25519 and
\nRSA keys; protocol 1 only supports RSA keys.\u00a0 For both protocols, each
\nhost has a host-specific key, normally 2048 bits, used to identify the
\nhost.<\/p>\n

Forward security for protocol 1 is provided through an additional
\nserver key, normally 768 bits, generated when the server starts.\u00a0 This
\nkey is normally regenerated every hour if it has been used, and is
\nnever stored on disk.\u00a0 Whenever a client connects, the daemon responds
\nwith its public host and server keys.\u00a0 The client compares the RSA host
\nkey against its own database to verify that it has not changed.\u00a0 The
\nclient then generates a 256-bit random number.\u00a0 It encrypts this random
\nnumber using both the host key and the server key, and sends the
\nencrypted number to the server.\u00a0 Both sides then use this random number
\nas a session key which is used to encrypt all further communications in
\nthe session.\u00a0 The rest of the session is encrypted using a conventional
\ncipher, currently Blowfish or 3DES, with 3DES being used by default.
\nThe client selects the encryption algorithm to use from those offered
\nby the server.<\/p>\n

For protocol 2, forward security is provided through a Diffie-Hellman
\nkey agreement.\u00a0 This key agreement results in a shared session key.
\nThe rest of the session is encrypted using a symmetric cipher, cur\u2010
\nrently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or
\n256-bit AES.\u00a0 The client selects the encryption algorithm to use from
\nthose offered by the server.\u00a0 Additionally, session integrity is pro\u2010
\nvided through a cryptographic message authentication code (hmac-md5,
\nhmac-sha1, umac-64, umac-128, hmac-ripemd160, hmac-sha2-256 or hmac-
\nsha2-512).<\/p>\n

Finally, the server and the client enter an authentication dialog.\u00a0 The
\nclient tries to authenticate itself using host-based authentication,
\npublic key authentication, challenge-response authentication, or pass\u2010
\nword authentication.<\/p>\n

Regardless of the authentication type, the account is checked to ensure
\nthat it is accessible.\u00a0 An account is not accessible if it is locked,
\nlisted in DenyUsers or its group is listed in DenyGroups .\u00a0 The defini\u2010
\ntion of a locked account is system dependant. Some platforms have their
\nown account database (eg AIX) and some modify the passwd field ( \u2018*LK*\u2019
\non Solaris and UnixWare, \u2018*\u2019 on HP-UX, containing \u2018Nologin\u2019 on Tru64, a
\nleading \u2018*LOCKED*\u2019 on FreeBSD and a leading \u2018!\u2019 on most Linuxes).\u00a0 If
\nthere is a requirement to disable password authentication for the
\naccount while allowing still public-key, then the passwd field should
\nbe set to something other than these values (eg \u2018NP\u2019 or \u2018*NP*\u2019 ).<\/p>\n

If the client successfully authenticates itself, a dialog for preparing
\nthe session is entered.\u00a0 At this time the client may request things
\nlike allocating a pseudo-tty, forwarding X11 connections, forwarding
\nTCP connections, or forwarding the authentication agent connection over
\nthe secure channel.<\/p>\n

After this, the client either requests a shell or execution of a com\u2010
\nmand.\u00a0 The sides then enter session mode.\u00a0 In this mode, either side
\nmay send data at any time, and such data is forwarded to\/from the shell
\nor command on the server side, and the user terminal in the client
\nside.<\/p>\n

When the user program terminates and all forwarded X11 and other con\u2010
\nnections have been closed, the server sends command exit status to the
\nclient, and both sides exit.<\/p>\n

LOGIN PROCESS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

When a user successfully logs in, sshd does the following:<\/p>\n

1.\u00a0\u00a0 If the login is on a tty, and no command has been specified,
\nprints last login time and \/etc\/motd (unless prevented in
\nthe configuration file or by ~\/.hushlogin; see the FILES
\nsection).<\/p>\n

2.\u00a0\u00a0 If the login is on a tty, records login time.<\/p>\n

3.\u00a0\u00a0 Checks \/etc\/nologin; if it exists, prints contents and quits
\n(unless root).<\/p>\n

4.\u00a0\u00a0 Changes to run with normal user privileges.<\/p>\n

5.\u00a0\u00a0 Sets up basic environment.<\/p>\n

6.\u00a0\u00a0 Reads the file ~\/.ssh\/environment, if it exists, and users
\nare allowed to change their environment.\u00a0 See the
\nPermitUserEnvironment option in sshd_config(5).<\/p>\n

7.\u00a0\u00a0 Changes to user’s home directory.<\/p>\n

8.\u00a0\u00a0 If ~\/.ssh\/rc exists and the sshd_config(5) PermitUserRC
\noption is set, runs it; else if \/etc\/ssh\/sshrc exists, runs
\nit; otherwise runs xauth.\u00a0 The \u201crc\u201d files are given the X11
\nauthentication protocol and cookie in standard input.\u00a0 See
\nSSHRC, below.<\/p>\n

9.\u00a0\u00a0 Runs user’s shell or command.<\/p>\n

SSHRC\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

If the file ~\/.ssh\/rc exists, sh(1) runs it after reading the environ\u2010
\nment files but before starting the user’s shell or command.\u00a0 It must
\nnot produce any output on stdout; stderr must be used instead.\u00a0 If X11
\nforwarding is in use, it will receive the “proto cookie” pair in its
\nstandard input (and DISPLAY in its environment).\u00a0 The script must call
\nxauth(1) because sshd will not run xauth automatically to add X11 cook\u2010
\nies.<\/p>\n

The primary purpose of this file is to run any initialization routines
\nwhich may be needed before the user’s home directory becomes accessi\u2010
\nble; AFS is a particular example of such an environment.<\/p>\n

This file will probably contain some initialization code followed by
\nsomething similar to:<\/p>\n

if read proto cookie && [ -n “$DISPLAY” ]; then
\nif [ `echo $DISPLAY | cut -c1-10` = ‘localhost:’ ]; then
\n# X11UseLocalhost=yes
\necho add unix:`echo $DISPLAY |
\ncut -c11-` $proto $cookie
\nelse
\n# X11UseLocalhost=no
\necho add $DISPLAY $proto $cookie
\nfi | xauth -q –
\nfi<\/p>\n

If this file does not exist, \/etc\/ssh\/sshrc is run, and if that does
\nnot exist either, xauth is used to add the cookie.<\/p>\n

AUTHORIZED_KEYS FILE FORMAT\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

AuthorizedKeysFile specifies the files containing public keys for pub\u2010
\nlic key authentication; if none is specified, the default is
\n~\/.ssh\/authorized_keys and ~\/.ssh\/authorized_keys2.\u00a0 Each line of the
\nfile contains one key (empty lines and lines starting with a \u2018#\u2019 are
\nignored as comments).\u00a0 Protocol 1 public keys consist of the following
\nspace-separated fields: options, bits, exponent, modulus, comment.
\nProtocol 2 public key consist of: options, keytype, base64-encoded key,
\ncomment.\u00a0 The options field is optional; its presence is determined by
\nwhether the line starts with a number or not (the options field never
\nstarts with a number).\u00a0 The bits, exponent, modulus, and comment fields
\ngive the RSA key for protocol version 1; the comment field is not used
\nfor anything (but may be convenient for the user to identify the key).
\nFor protocol version 2 the keytype is \u201cecdsa-sha2-nistp256\u201d,
\n\u201cecdsa-sha2-nistp384\u201d, \u201cecdsa-sha2-nistp521\u201d, \u201cssh-ed25519\u201d, \u201cssh-dss\u201d
\nor \u201cssh-rsa\u201d.<\/p>\n

Note that lines in this file are usually several hundred bytes long
\n(because of the size of the public key encoding) up to a limit of 8
\nkilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to
\n16 kilobits.\u00a0 You don’t want to type them in; instead, copy the
\nidentity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the
\nid_rsa.pub file and edit it.<\/p>\n

sshd enforces a minimum RSA key modulus size for protocol 1 and proto\u2010
\ncol 2 keys of 768 bits.<\/p>\n

The options (if present) consist of comma-separated option specifica\u2010
\ntions.\u00a0 No spaces are permitted, except within double quotes.\u00a0 The fol\u2010
\nlowing option specifications are supported (note that option keywords
\nare case-insensitive):<\/p>\n

cert-authority
\nSpecifies that the listed key is a certification authority (CA)
\nthat is trusted to validate signed certificates for user
\nauthentication.<\/p>\n

Certificates may encode access restrictions similar to these
\nkey options.\u00a0 If both certificate restrictions and key options
\nare present, the most restrictive union of the two is applied.<\/p>\n

command=”command”
\nSpecifies that the command is executed whenever this key is
\nused for authentication.\u00a0 The command supplied by the user (if
\nany) is ignored.\u00a0 The command is run on a pty if the client
\nrequests a pty; otherwise it is run without a tty.\u00a0 If an 8-bit
\nclean channel is required, one must not request a pty or should
\nspecify no-pty.\u00a0 A quote may be included in the command by
\nquoting it with a backslash.\u00a0 This option might be useful to
\nrestrict certain public keys to perform just a specific opera\u2010
\ntion.\u00a0 An example might be a key that permits remote backups
\nbut nothing else.\u00a0 Note that the client may specify TCP and\/or
\nX11 forwarding unless they are explicitly prohibited.\u00a0 The com\u2010
\nmand originally supplied by the client is available in the
\nSSH_ORIGINAL_COMMAND environment variable.\u00a0 Note that this
\noption applies to shell, command or subsystem execution.\u00a0 Also
\nnote that this command may be superseded by either a
\nsshd_config(5) ForceCommand directive or a command embedded in
\na certificate.<\/p>\n

environment=”NAME=value”
\nSpecifies that the string is to be added to the environment
\nwhen logging in using this key.\u00a0 Environment variables set this
\nway override other default environment values.\u00a0 Multiple
\noptions of this type are permitted.\u00a0 Environment processing is
\ndisabled by default and is controlled via the
\nPermitUserEnvironment option.\u00a0 This option is automatically
\ndisabled if UseLogin is enabled.<\/p>\n

from=”pattern-list”
\nSpecifies that in addition to public key authentication, either
\nthe canonical name of the remote host or its IP address must be
\npresent in the comma-separated list of patterns.\u00a0 See PATTERNS
\nin ssh_config(5) for more information on patterns.<\/p>\n

In addition to the wildcard matching that may be applied to
\nhostnames or addresses, a from stanza may match IP addresses
\nusing CIDR address\/masklen notation.<\/p>\n

The purpose of this option is to optionally increase security:
\npublic key authentication by itself does not trust the network
\nor name servers or anything (but the key); however, if somebody
\nsomehow steals the key, the key permits an intruder to log in
\nfrom anywhere in the world.\u00a0 This additional option makes using
\na stolen key more difficult (name servers and\/or routers would
\nhave to be compromised in addition to just the key).<\/p>\n

no-agent-forwarding
\nForbids authentication agent forwarding when this key is used
\nfor authentication.<\/p>\n

no-port-forwarding
\nForbids TCP forwarding when this key is used for authentica\u2010
\ntion.\u00a0 Any port forward requests by the client will return an
\nerror.\u00a0 This might be used, e.g. in connection with the command
\noption.<\/p>\n

no-pty\u00a0 Prevents tty allocation (a request to allocate a pty will
\nfail).<\/p>\n

no-user-rc
\nDisables execution of ~\/.ssh\/rc.<\/p>\n

no-X11-forwarding
\nForbids X11 forwarding when this key is used for authentica\u2010
\ntion.\u00a0 Any X11 forward requests by the client will return an
\nerror.<\/p>\n

permitopen=”host:port”
\nLimit local “ssh -L” port forwarding such that it may only
\nconnect to the specified host and port.\u00a0 IPv6 addresses can be
\nspecified by enclosing the address in square brackets.\u00a0 Multi\u2010
\nple permitopen options may be applied separated by commas.\u00a0 No
\npattern matching is performed on the specified hostnames, they
\nmust be literal domains or addresses.\u00a0 A port specification of
\n* matches any port.<\/p>\n

principals=”principals”
\nOn a cert-authority line, specifies allowed principals for cer\u2010
\ntificate authentication as a comma-separated list.\u00a0 At least
\none name from the list must appear in the certificate’s list of
\nprincipals for the certificate to be accepted.\u00a0 This option is
\nignored for keys that are not marked as trusted certificate
\nsigners using the cert-authority option.<\/p>\n

tunnel=”n”
\nForce a tun(4) device on the server.\u00a0 Without this option, the
\nnext available device will be used if the client requests a
\ntunnel.<\/p>\n

An example authorized_keys file:<\/p>\n

# Comments allowed at start of line
\nssh-rsa AAAAB3Nza…LiPk==\u00a0user@example.net
\nfrom=”*.sales.example.net,!pc.sales.example.net” ssh-rsa
\nAAAAB2…19Q==\u00a0john@example.net
\ncommand=”dump \/home”,no-pty,no-port-forwarding ssh-dss
\nAAAAC3…51R== example.net
\npermitopen=”192.0.2.1:80″,permitopen=”192.0.2.2:25″ ssh-dss
\nAAAAB5…21S==
\ntunnel=”0″,command=”sh \/etc\/netstart tun0″ ssh-rsa AAAA…==
\njane@example.net<\/p>\n

SSH_KNOWN_HOSTS FILE FORMAT\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

The \/etc\/ssh\/ssh_known_hosts and ~\/.ssh\/known_hosts files contain host
\npublic keys for all known hosts.\u00a0 The global file should be prepared by
\nthe administrator (optional), and the per-user file is maintained auto\u2010
\nmatically: whenever the user connects from an unknown host, its key is
\nadded to the per-user file.<\/p>\n

Each line in these files contains the following fields: markers
\n(optional), hostnames, bits, exponent, modulus, comment.\u00a0 The fields
\nare separated by spaces.<\/p>\n

The marker is optional, but if it is present then it must be one of
\n\u201c@cert-authority\u201d, to indicate that the line contains a certification
\nauthority (CA) key, or \u201c@revoked\u201d, to indicate that the key contained
\non the line is revoked and must not ever be accepted.\u00a0 Only one marker
\nshould be used on a key line.<\/p>\n

Hostnames is a comma-separated list of patterns (\u2018*\u2019 and \u2018?\u2019 act as
\nwildcards); each pattern in turn is matched against the canonical host
\nname (when authenticating a client) or against the user-supplied name
\n(when authenticating a server).\u00a0 A pattern may also be preceded by \u2018!\u2019
\nto indicate negation: if the host name matches a negated pattern, it is
\nnot accepted (by that line) even if it matched another pattern on the
\nline.\u00a0 A hostname or address may optionally be enclosed within \u2018[\u2019 and
\n\u2018]\u2019 brackets then followed by \u2018:\u2019 and a non-standard port number.<\/p>\n

Alternately, hostnames may be stored in a hashed form which hides host
\nnames and addresses should the file’s contents be disclosed.\u00a0 Hashed
\nhostnames start with a \u2018|\u2019 character.\u00a0 Only one hashed hostname may
\nappear on a single line and none of the above negation or wildcard
\noperators may be applied.<\/p>\n

Bits, exponent, and modulus are taken directly from the RSA host key;
\nthey can be obtained, for example, from \/etc\/ssh\/ssh_host_key.pub.\u00a0 The
\noptional comment field continues to the end of the line, and is not
\nused.<\/p>\n

Lines starting with \u2018#\u2019 and empty lines are ignored as comments.<\/p>\n

When performing host authentication, authentication is accepted if any
\nmatching line has the proper key; either one that matches exactly or,
\nif the server has presented a certificate for authentication, the key
\nof the certification authority that signed the certificate.\u00a0 For a key
\nto be trusted as a certification authority, it must use the
\n\u201c@cert-authority\u201d marker described above.<\/p>\n

The known hosts file also provides a facility to mark keys as revoked,
\nfor example when it is known that the associated private key has been
\nstolen.\u00a0 Revoked keys are specified by including the \u201c@revoked\u201d marker
\nat the beginning of the key line, and are never accepted for authenti\u2010
\ncation or as certification authorities, but instead will produce a
\nwarning from ssh(1) when they are encountered.<\/p>\n

It is permissible (but not recommended) to have several lines or dif\u2010
\nferent host keys for the same names.\u00a0 This will inevitably happen when
\nshort forms of host names from different domains are put in the file.
\nIt is possible that the files contain conflicting information; authen\u2010
\ntication is accepted if valid information can be found from either
\nfile.<\/p>\n

Note that the lines in these files are typically hundreds of characters
\nlong, and you definitely don’t want to type in the host keys by hand.
\nRather, generate them by a script, ssh-keyscan(1) or by taking
\n\/etc\/ssh\/ssh_host_key.pub and adding the host names at the front.
\nssh-keygen(1) also offers some basic automated editing for
\n~\/.ssh\/known_hosts including removing hosts matching a host name and
\nconverting all host names to their hashed representations.<\/p>\n

An example ssh_known_hosts file:<\/p>\n

# Comments allowed at start of line
\nclosenet,…,192.0.2.53 1024 37 159…93 closenet.example.net
\ncvs.example.net,192.0.2.10 ssh-rsa AAAA1234…..=
\n# A hashed hostname
\n|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
\nAAAA1234…..=
\n# A revoked key
\n@revoked * ssh-rsa AAAAB5W…
\n# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
\n@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W…<\/p>\n

FILES\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

~\/.hushlogin
\nThis file is used to suppress printing the last login time and
\n\/etc\/motd, if PrintLastLog and PrintMotd, respectively, are
\nenabled.\u00a0 It does not suppress printing of the banner specified
\nby Banner.<\/p>\n

~\/.rhosts
\nThis file is used for host-based authentication (see ssh(1) for
\nmore information).\u00a0 On some machines this file may need to be
\nworld-readable if the user’s home directory is on an NFS parti\u2010
\ntion, because sshd reads it as root.\u00a0 Additionally, this file
\nmust be owned by the user, and must not have write permissions
\nfor anyone else.\u00a0 The recommended permission for most machines
\nis read\/write for the user, and not accessible by others.<\/p>\n

~\/.shosts
\nThis file is used in exactly the same way as .rhosts, but
\nallows host-based authentication without permitting login with
\nrlogin\/rsh.<\/p>\n

~\/.ssh\/
\nThis directory is the default location for all user-specific
\nconfiguration and authentication information.\u00a0 There is no gen\u2010
\neral requirement to keep the entire contents of this directory
\nsecret, but the recommended permissions are read\/write\/execute
\nfor the user, and not accessible by others.<\/p>\n

~\/.ssh\/authorized_keys
\nLists the public keys (DSA, ECDSA, ED25519, RSA) that can be
\nused for logging in as this user.\u00a0 The format of this file is
\ndescribed above.\u00a0 The content of the file is not highly sensi\u2010
\ntive, but the recommended permissions are read\/write for the
\nuser, and not accessible by others.<\/p>\n

If this file, the ~\/.ssh directory, or the user’s home direc\u2010
\ntory are writable by other users, then the file could be modi\u2010
\nfied or replaced by unauthorized users.\u00a0 In this case, sshd
\nwill not allow it to be used unless the StrictModes option has
\nbeen set to \u201cno\u201d.<\/p>\n

~\/.ssh\/environment
\nThis file is read into the environment at login (if it exists).
\nIt can only contain empty lines, comment lines (that start with
\n\u2018#\u2019), and assignment lines of the form name=value.\u00a0 The file
\nshould be writable only by the user; it need not be readable by
\nanyone else.\u00a0 Environment processing is disabled by default and
\nis controlled via the PermitUserEnvironment option.<\/p>\n

~\/.ssh\/known_hosts
\nContains a list of host keys for all hosts the user has logged
\ninto that are not already in the systemwide list of known host
\nkeys.\u00a0 The format of this file is described above.\u00a0 This file
\nshould be writable only by root\/the owner and can, but need not
\nbe, world-readable.<\/p>\n

~\/.ssh\/rc
\nContains initialization routines to be run before the user’s
\nhome directory becomes accessible.\u00a0 This file should be
\nwritable only by the user, and need not be readable by anyone
\nelse.<\/p>\n

\/etc\/hosts.equiv
\nThis file is for host-based authentication (see ssh(1)).\u00a0 It
\nshould only be writable by root.<\/p>\n

\/etc\/moduli
\nContains Diffie-Hellman groups used for the “Diffie-Hellman
\nGroup Exchange”.\u00a0 The file format is described in moduli(5).<\/p>\n

\/etc\/motd
\nSee motd(5).<\/p>\n

\/etc\/nologin
\nIf this file exists, sshd refuses to let anyone except root log
\nin.\u00a0 The contents of the file are displayed to anyone trying to
\nlog in, and non-root connections are refused.\u00a0 The file should
\nbe world-readable.<\/p>\n

\/etc\/shosts.equiv
\nThis file is used in exactly the same way as hosts.equiv, but
\nallows host-based authentication without permitting login with
\nrlogin\/rsh.<\/p>\n

\/etc\/ssh\/ssh_host_key
\n\/etc\/ssh\/ssh_host_dsa_key
\n\/etc\/ssh\/ssh_host_ecdsa_key
\n\/etc\/ssh\/ssh_host_ed25519_key
\n\/etc\/ssh\/ssh_host_rsa_key
\nThese files contain the private parts of the host keys.\u00a0 These
\nfiles should only be owned by root, readable only by root, and
\nnot accessible to others.\u00a0 Note that sshd does not start if
\nthese files are group\/world-accessible.<\/p>\n

\/etc\/ssh\/ssh_host_key.pub
\n\/etc\/ssh\/ssh_host_dsa_key.pub
\n\/etc\/ssh\/ssh_host_ecdsa_key.pub
\n\/etc\/ssh\/ssh_host_ed25519_key.pub
\n\/etc\/ssh\/ssh_host_rsa_key.pub
\nThese files contain the public parts of the host keys.\u00a0 These
\nfiles should be world-readable but writable only by root.
\nTheir contents should match the respective private parts.
\nThese files are not really used for anything; they are provided
\nfor the convenience of the user so their contents can be copied
\nto known hosts files.\u00a0 These files are created using
\nssh-keygen(1).<\/p>\n

\/etc\/ssh\/ssh_known_hosts
\nSystemwide list of known host keys.\u00a0 This file should be pre\u2010
\npared by the system administrator to contain the public host
\nkeys of all machines in the organization.\u00a0 The format of this
\nfile is described above.\u00a0 This file should be writable only by
\nroot\/the owner and should be world-readable.<\/p>\n

\/etc\/ssh\/sshd_config
\nContains configuration data for sshd.\u00a0 The file format and con\u2010
\nfiguration options are described in sshd_config(5).<\/p>\n

\/etc\/ssh\/sshrc
\nSimilar to ~\/.ssh\/rc, it can be used to specify machine-spe\u2010
\ncific login-time initializations globally.\u00a0 This file should be
\nwritable only by root, and should be world-readable.<\/p>\n

\/var\/empty
\nchroot(2) directory used by sshd during privilege separation in
\nthe pre-authentication phase.\u00a0 The directory should not contain
\nany files and must be owned by root and not group or world-
\nwritable.<\/p>\n

\/var\/run\/sshd.pid
\nContains the process ID of the sshd listening for connections
\n(if there are several daemons running concurrently for differ\u2010
\nent ports, this contains the process ID of the one started
\nlast).\u00a0 The content of this file is not sensitive; it can be
\nworld-readable.<\/p>\n

SEE ALSO\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
\nssh-keyscan(1), chroot(2), login.conf(5), moduli(5), sshd_config(5),
\ninetd(8), sftp-server(8)<\/p>\n

AUTHORS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

OpenSSH is a derivative of the original and free ssh 1.2.12 release by
\nTatu Ylonen.\u00a0 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
\nTheo de Raadt and Dug Song removed many bugs, re-added newer features
\nand created OpenSSH.\u00a0 Markus Friedl contributed the support for SSH
\nprotocol versions 1.5 and 2.0.\u00a0 Niels Provos and Markus Friedl
\ncontributed support for privilege separation.<\/p>\n

COLOPHON\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top<\/p>\n

This page is part of the openssh (Portable OpenSSH) project.\u00a0 Informa\u2010
\ntion about the project can be found at
\nhttp:\/\/www.openssh.com\/portable.html.\u00a0 If you have a bug report for
\nthis manual page, see http:\/\/www.openssh.com\/report.html.\u00a0 This page
\nwas obtained from the tarball openssh-6.7p1.tar.gz fetched from
\nhttp:\/\/ftp.eu.openbsd.org\/pub\/OpenBSD\/OpenSSH\/portable\/ on 2014-12-30.
\nIf you discover any rendering problems in this HTML version of the
\npage, or you believe there is a better or more up-to-date source for
\nthe page, or you have corrections or improvements to the information in
\nthis COLOPHON (which is not part of the original manual page), send a
\nmail to\u00a0man-pages@man7.org<\/p>\n

BSD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 December 31, 2014\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BSD<\/p>\n","protected":false},"excerpt":{"rendered":"

SSHD(8)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BSD System Manager’s Manual\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SSHD(8) NAME\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top sshd \u2014 OpenSSH SSH daemon SYNOPSIS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_certificate_file] [-E log_file] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] DESCRIPTION\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 top sshd (OpenSSH Daemon) is the daemon program for ssh(1).\u00a0 Together these programs replace rlogin […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[8],"tags":[],"class_list":["post-353","post","type-post","status-publish","format-standard","hentry","category-shell"],"a3_pvc":{"activated":false,"total_views":0,"today_views":0},"_links":{"self":[{"href":"https:\/\/www.linuxboxen.dk\/index.php?rest_route=\/wp\/v2\/posts\/353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.linuxboxen.dk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linuxboxen.dk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linuxboxen.dk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linuxboxen.dk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=353"}],"version-history":[{"count":0,"href":"https:\/\/www.linuxboxen.dk\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.linuxboxen.dk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linuxboxen.dk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linuxboxen.dk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}