NAME sshd2 - secure shell daemon SYNOPSIS sshd2 [-d debug_level_spec] [-f config_file] [-h host_key_file] [-o options] [-p port] [-v] [-g login_grace_time] [-i] [-q] DESCRIPTION Sshd2 (Secure Shell Daemon) is the daemon program for ssh2. Together, these programs replace the rlogin and rsh pro- grams, and provide secure encrypted communications between two untrusted hosts over an insecure network. The programs are intended to be as easy to install and use as possible. Sshd2 is normally started at boot from /etc/rc.local or equivalent. It forks a new daemon for each incoming connec- tion. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange. Sshd2 can be configured using command-line options or a con- figuration file. Command-line options override values specified in the configuration file. OPTIONS -d debug_level_spec Debug mode. The server sends verbose debug output to stderr. This option is only intended for debugging for the server. The debugging level is either a number, or a comma-separated list of assignments "ModulePattern=debug_level". -f configuration_file Specifies the name of the configuration file. The default is /etc/ssh2/sshd2_config. -h host_key_file Specifies the file from which the host key is read (default /etc/ssh2/hostkey). If sshd2 is not run as root, the default host key file will be $HOME$/.ssh2/hostkey. -o 'option' Can be used to give options in the format used in the configuration files. This is useful for specifying options for which there is no separate command-line flag. The option has the same format as a line in the configuration file. Comment lines are not currently accepted. -p port Specifies the port on which the server listens for con- nections. The default port is 22. -v Enable verbose mode. Display verbose debugging mes- sages. Equal to `-d 2'. This option can also be speci- fied in the configuration file. -q Quiet mode. Nothing is sent to the system log. Nor- mally the beginning, authentication, and termination of each connection is logged. This option can also be specified in the configuration file. -g login_grace_time Gives the grace time for clients to authenticate them- selves (the default is 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit. -i Specifies that sshd is being run from inetd. Sshd2 reads configuration data from /etc/ssh2/sshd2_config (or the file specified with -f on the command line). The file contains keyword-value pairs, one per line. Lines starting with '#' and empty lines are interpreted as com- ments. For the format of sshd2_config, see sshd2_config(5). LOGIN PROCESS When a user successfully logs in, sshd2 does the following: 1. Changes to run with normal user privileges. 2. Sets up basic environment. 3. Reads /etc/environment if it exists. 4. Changes to the user's home directory. 5. Runs the user's shell or command. SSH WITH TCP WRAPPERS When sshd2 is compiled with TCP wrappers libraries, then the hosts.allow/deny files also control who can connect to ports forwarded by sshd2. The program names in the hosts.allow/deny files are sshd2 or sshd (depending on how you execute sshd2), sshdfwd- <portname>, sshdfwd-<portnumber>, and sshdfwd-X11 for for- warded ports the ssh client or server is listening. If the port has a defined name, you must use it. FILES /etc/ssh2/sshd2_config Contains configuration data for sshd2. This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. /etc/ssh2/hostkey Contains the private part of the host key. This file is normally created automatically by "make install", but can also be created manually using ssh-keygen2(1). This file should only be owned by root, readable only by root, and not accessible to others. /etc/ssh2/hostkey.pub Contains the public part of the host key. This file is normally created automatically by "make install", but can also be created manually. This file should be world-readable but writable only by root. Its contents should match the private part. /etc/ssh2/random_seed This file contains a seed for the random number genera- tor. This file should only be accessible by root. $HOME/.ssh2/authorization contains information on how the server will verify the identity of an user. See ssh2(1) for more information. $HOME/.hushlogin If this file exists, sshd2 will not print information during login. (This is normally user's last login time, message of the day and mailcheck.) /etc/nologin If this file exists, sshd2 refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in, and non-root connections are refused. The file should be world-readable. $HOME/.rhosts This file contains host-username pairs, separated by a space, one per line. The given user on the corresponding host is permitted to log in without pass- word. The same file is used by rlogind and rshd. sshd2 differs from rlogind and rshd in that it requires public host key authentication in addition to validat- ing the host name retrieved from domain name servers. The file must be writable only by the user; it is recommended that it not be accessible by others. It is also possible to use netgroups in the file. Either host or user name may be of the form +@groupname to specify all hosts or all users in the group. $HOME/.shosts For ssh2, this file is exactly the same as for .rhosts. However, this file is not used by rlogin and rshd, so using this permits access using ssh2 only. /etc/hosts.equiv This file is used during .rhosts authentication. In its simplest form, this file contains host names, one per line. Users on those hosts are permitted to log in without a password, provided they have the same user name on both machines. The host name may also be fol- lowed by a user name; such users are permitted to log in as any user on this machine (except root). Addi- tionally, the syntax +@group can be used to specify netgroups. Negated entries start with '-'. If the client host/user is successfully matched in this file, login is automatically permitted provided the client and server user names are the same. Addition- ally, successful host-based authentication is normally required. This file must be writable only by root; it is recommended that it be world-readable. Warning: It is almost never a good idea to use user names in hosts.equiv. Beware that it really means that the named user(s) can log in as anybody, including bin, daemon, adm, and other accounts that own critical binaries and directories. Using a user name practi- cally grants the user root access. The only valid use for user names should be in negative entries. Note that this warning also applies to rsh/rlogin. /etc/shosts.equiv This is processed exactly as /etc/hosts.equiv. However, this file may be useful in environments that want to run both rsh/rlogin and ssh2. $HOME/.ssh2/knownhosts/xxxxyyyy.pub These are the public host keys of hosts that a user wants to log in from using "hostbased"-authentication (equivalent with ssh1's RhostsRSAAuthentication). Also, a user has to set up her/his $HOME/.shosts (which only ssh uses) or $HOME/.rhosts file (insecure, as it is used by the r*-commands also). If username is the same in both hosts, it is adequate to put the public host key to /etc/ssh2/knownhosts and add the host's name to /etc/shosts.equiv (or /etc/hosts.equiv). xxxx denotes the host name (FQDN) and yyyy denotes the public key algorithm of the key. For example, zappa.foo.fi's host key algorithm is ssh- dss. The hostkey would be named "zappa.foo.fi.ssh- dss.pub" in the knownhosts directory. Possible names for public key algorithms are "ssh-dss" and "ssh-rsa" (without the quotes). /etc/ssh2/knownhosts/xxxxyyyy.pub As above, but system-wide. These can be overridden by the user by putting a file with the same name to her/his $HOME/.ssh2/knownhosts directory. INSTALLATION Sshd2 is normally run as root. If it is not run as root, it can only log in as the user it is running as, and password authentication may not work if the system uses shadow pass- words. An alternative host key file must also be used. AUTHORS SSH Communications Security Corp For more information, see http://www.ssh.com. SEE ALSO sshd2_config(5), ssh2(1), ssh-keygen2(1), ssh-agent2(1), ssh-add2(1), scp2(1), sftp(1) rlogin(1), rsh(1), telnet(1)
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |