sshd2(8)

NAME

sshd2, sshd - Secure shell daemon

SYNOPSIS

sshd2 [-d debug_level_spec] [-f config_file] [-h host_key_file] [-o options] [-p port] [-v] [-g login_grace_time] [-i] [-q]

OPTIONS

-d debug_level_spec
    Sends extensive debug information to stderr. The debug_level_spec argument is a number between 0 and 99, where 99 specifies that all debug information should be displayed, or it can be a comma-separated list of assignments of the form ModulePattern=debug_level. This option is intended only for debugging the server.

-f config_file
    Specifies the name of the configuration file. The default is /etc/ssh2/sshd2_config. If this option is specified, the default configuration file is not read.

-h host_key_file
    Specifies the file from which the host key is read. The default file is /etc/ssh2/hostkey. If the sshd2 daemon is not run as root, the default host key file is $HOME/.ssh2/hostkey.

-o keyword
    Specifies configuration keywords. This is useful for specifying keywords for which there is no separate command-line flag. The -o option has the same format as a line in the configuration file. Comment lines are not accepted. Where applicable, the egrep regex format is used.

-p port
    Specifies the port on which the system listens for connections. The default port is 22.

-v
    Enables verbose mode and displays verbose debugging messages. This option can also be specified in the configuration file.

-q
    Enables quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection are logged. This option can also be specified in the configuration file.

-g login_grace_time
    Gives the grace time for clients to authenticate themselves. The default is 600 seconds. If the client fails to authenticate the user within the specified time, the system disconnects and exits. A value of zero indicates no limit.

-i
    Specifies that the sshd2 daemon is being run from the inetd daemon.

DESCRIPTION

The sshd2 Secure Shell daemon runs on the Secure Shell server. It is normally run as root, and is the server counterpart of ssh2. Together, these programs replace and extend the rlogin and rsh services, and provide secure encrypted communication channels between two hosts connected over an insecure network. They are intended to be easy to install and use.

The sshd2 daemon is normally started at boot time from /etc/rc.local or its equivalent. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.

The sshd2 daemon can be configured using command-line options or a configuration file. Command-line options override values specified in the configuration file. The sshd2 daemon reads configuration data from the /etc/ssh2/sshd2_config file (or the file specified with the -f option on the command line). The file contains keyword-value pairs, one per line. Lines starting with the pound sign (#) and empty lines are interpreted as comments. Subconfiguration files can also be specified in the main configuration file. However, if changes are made in the main configuration file, the sshd2 daemon must be restarted.

LOGIN PROCESS

When a user successfully logs in, the sshd2 daemon takes the following steps:

1. Changes the process to run with normal user privileges.
2. Sets up the basic environment.
3. Reads the /etc/environment file if it exists.
4. Changes to the user's home directory.
5. Runs the user's shell or command.

SSH WITH TCP WRAPPERS

When the sshd2 daemon is compiled with the TCP wrapper libraries, the hosts.allow and hosts.deny files control who can connect to ports forwarded by the sshd2 daemon. The names used in the hosts.allow and hosts.deny files are sshd2, sshdfwd-<portname>, and sshdfwd-X11 for forwarded ports on which the Secure Shell client or server is listening. If a port has a defined name, you must use it.
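The configuration semantics above (keyword-value pairs one per line, "#" and empty lines as comments, command-line -o options having the same line format but not accepting comments, and command-line values overriding the file) can be exercised with the small reader below. It is an added example, not code from the sshd2 daemon or from SSH Communications Security; the sample configuration text is constructed, and treating keywords case-insensitively is an assumption of this example rather than something the man page states.

```python
"""Added example: minimal reader for sshd2_config-style keyword/value text
plus command-line -o overrides, illustrating the precedence rules described
in the man page. Not sshd2's own parser; keyword spellings in the sample are
constructed for illustration."""


def parse_config_text(text):
    """Parse keyword-value lines into a dict.

    Lines starting with '#' and empty lines are comments, as the man page
    states. Keywords are lowercased so lookups are case-insensitive (an
    assumption of this example, not a documented sshd2 rule).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[keyword] = value
    return settings


def parse_option(opt):
    """Parse one -o argument.

    It has the same format as a configuration line, but comment lines (and
    empty arguments) are rejected instead of being silently ignored.
    """
    line = opt.strip()
    if not line or line.startswith("#"):
        raise ValueError("comment or empty line not accepted in -o: %r" % opt)
    parts = line.split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected 'Keyword value' in -o: %r" % opt)
    return parts[0].lower(), parts[1].strip()


def effective_settings(config_text, cli_options=()):
    """Merge the configuration file with -o options; command line wins."""
    settings = parse_config_text(config_text)
    for opt in cli_options:
        keyword, value = parse_option(opt)
        settings[keyword] = value
    return settings


# Constructed sample, not a real installation's sshd2_config.
SAMPLE_CONFIG = """\
# constructed sample sshd2_config
Port 22
# LoginGraceTime 600   (commented out, so the next line is what counts)
LoginGraceTime 300

PermitRootLogin no
"""

if __name__ == "__main__":
    # Simulates: sshd2 -o "Port 2222" with SAMPLE_CONFIG as the config file.
    print(effective_settings(SAMPLE_CONFIG, ["Port 2222"]))
```

The "PermitRootLogin" keyword in the sample is used only as an illustrative line; consult sshd2_config(4) for the keywords the daemon actually accepts.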

FILES

/etc/ssh2/sshd2_config
    Contains sshd2 daemon configuration information. This file should be writable by root only and readable by world (although world readability is not necessary).

/etc/ssh2/hostkey
    Contains the private part of the host key. You can create this file automatically by running the make install command or manually by using the ssh-keygen2 command. This file contains vital cryptographic information, and should only be read or modified by root.

/etc/ssh2/hostkey.pub
    Contains the public part of the host key. You can create this file automatically by running the make install command or manually by using the ssh-keygen2 command. This file should be writable by root only and readable by world.

/etc/ssh2/random_seed
    Contains a seed for the random number generator. This file should be accessible only by root.

$HOME/.ssh2/authorization
    Contains information on how the server will verify the identity of a user. See ssh2(1) for more information.

$HOME/.hushlogin
    If this file exists, the sshd2 daemon will not print information during login. (This information is normally the user's last login time, message of the day, and mail check.)

/etc/nologin
    If this file exists, the sshd2 daemon refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in. The file should be readable by world.

$HOME/.rhosts
    Contains a list of remote users who are not required to supply a password when they use the ssh2 command to log in. Before the user can log in, the sshd2 daemon requires public host key authentication in addition to validating the host name retrieved from domain name servers. The file must be writable only by the user; it should not be accessible by others. You can use +@group to specify a netgroup. This file is also used by the rlogind and rshd daemons. See .rhosts(4) for more information about the .rhosts file.

$HOME/.shosts
    This file is the same as the .rhosts file, except that it allows access only through ssh2.

/etc/hosts.equiv
    Contains the names of remote hosts and users that are equivalent to the local host or user. An equivalent host or user is allowed to use the ssh2 command to log in to such an account without supplying a password, provided they have the same user name on both machines. Additionally, successful host-based authentication is normally required. This file must be writable only by root and should be readable by world. You can use +@group to specify a netgroup. Negated entries start with a minus sign (-).

    Note: The only valid use for user names should be in negated entries. User names specified in the hosts.equiv file can log in as anybody, including bin, daemon, adm, and other accounts that own critical binaries and directories. See hosts.equiv(4) for more information about the hosts.equiv file.

/etc/shosts.equiv
    This file is the same as the hosts.equiv file, except that it allows access only through ssh2.

$HOME/.ssh2/knownhosts/xxxx.yyyy.pub
    Contains the public host keys of hosts that users need to log in to when using host-based authentication. The xxxx is the fully qualified domain name (FQDN) and yyyy is the public key algorithm. Public key algorithms are ssh-dss and ssh-rsa. For example, if the FQDN for a host is server1.foo.fi and it has a key algorithm of ssh-dss, the host key would be server1.foo.fi.ssh-dss.pub in the knownhosts directory. A user must add the host name to a $HOME/.shosts file or a $HOME/.rhosts file. If the user name is the same on both hosts, it is adequate to put the public host key in /etc/ssh2/knownhosts and add the host's name to /etc/shosts.equiv (or /etc/hosts.equiv).

/etc/ssh2/knownhosts/xxxx.yyyy.pub
    Same as the $HOME/.ssh2/knownhosts/xxxx.yyyy.pub file, but system-wide. This file is overridden if the user puts a file with the same name in the $HOME/.ssh2/knownhosts directory.
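The FILES section spells out an ownership and permission requirement for each file, and a misconfigured host key or .rhosts file is the kind of defect an administrator wants to catch before the daemon trusts it. The script below encodes those requirements as a checklist and reports deviations; it also builds the knownhosts file name from an FQDN and algorithm as the section describes. This is an added example, not part of sshd2 or sshd2-check-conf; the policy table is this example's reading of the man page text (for instance, "should only be read or modified by root" is taken to mean no group or other bits), and the modes fed to it in the usage line are constructed values.

```python
"""Added example: audit sshd2-related files against the ownership and
permission rules stated in the FILES section of sshd2(8). Not code from
the sshd2 project; the POLICY table is this example's interpretation of
the man page wording."""

import os
import stat

# Owner 0 means root; "user" means the file must belong to the account
# whose home directory it lives in. "forbid" lists mode bits that must
# be clear: 0o022 = no group/other write, 0o077 = no group/other access.
POLICY = {
    "/etc/ssh2/sshd2_config": {"owner": 0, "forbid": 0o022},
    "/etc/ssh2/hostkey": {"owner": 0, "forbid": 0o077},
    "/etc/ssh2/hostkey.pub": {"owner": 0, "forbid": 0o022},
    "/etc/ssh2/random_seed": {"owner": 0, "forbid": 0o077},
    "/etc/hosts.equiv": {"owner": 0, "forbid": 0o022},
    "/etc/shosts.equiv": {"owner": 0, "forbid": 0o022},
    ".rhosts": {"owner": "user", "forbid": 0o077},
    ".shosts": {"owner": "user", "forbid": 0o077},
}


def violations(path, st_mode, st_uid, rule, user_uid=None):
    """Return a list of problems for one file; empty means it complies.

    st_mode and st_uid are the raw values from os.stat so the function can
    be exercised without touching the file system.
    """
    problems = []
    expected_uid = user_uid if rule["owner"] == "user" else rule["owner"]
    if st_uid != expected_uid:
        problems.append("%s: owned by uid %s, expected uid %s"
                        % (path, st_uid, expected_uid))
    perm = stat.S_IMODE(st_mode)
    bad_bits = perm & rule["forbid"]
    if bad_bits:
        problems.append("%s: mode %04o has forbidden bits %04o"
                        % (path, perm, bad_bits))
    return problems


def audit_file(path, rule, user_uid=None):
    """Stat a real file and check it against a POLICY rule."""
    st = os.stat(path)
    return violations(path, st.st_mode, st.st_uid, rule, user_uid)


def knownhosts_filename(fqdn, algorithm):
    """Build the knownhosts entry name: <FQDN>.<algorithm>.pub."""
    if algorithm not in ("ssh-dss", "ssh-rsa"):
        raise ValueError("unknown public key algorithm: %r" % algorithm)
    return "%s.%s.pub" % (fqdn, algorithm)


if __name__ == "__main__":
    # Constructed stat values, not read from a live system.
    print(violations("/etc/ssh2/hostkey", 0o100644, 0,
                     POLICY["/etc/ssh2/hostkey"]))
    print(violations("/home/alice/.rhosts", 0o100600, 1000,
                     POLICY[".rhosts"], user_uid=1000))
    print(knownhosts_filename("server1.foo.fi", "ssh-dss"))
```

To check a live installation, call audit_file(path, POLICY[path]) for each absolute entry and audit_file(os.path.join(home, ".rhosts"), POLICY[".rhosts"], user_uid=pw.pw_uid) for each user's home directory; any non-empty list is a file sshd2 would be trusting with weaker protection than the man page calls for.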

LEGAL NOTICES

SSH is a registered trademark of SSH Communication Security Ltd.

SEE ALSO

Commands: rcp(1), rlogin(1), rsh(1), scp2(1), sftp(1), ssh2(1), ssh-agent2(1), ssh-add2(1), ssh-keygen2(1), telnet(1), sshd2(8), sshd2-check-conf(8)

Files: sshd2_config(4)
