FreeBSD Manual Pages
SSHD(8)			    System Manager's Manual		       SSHD(8)

NAME
       sshd - OpenSSH daemon

SYNOPSIS
       sshd  [-46DdeiqTt]  [-C connection_spec]	[-c host_certificate_file] [-E
       log_file] [-f config_file] [-g login_grace_time]	[-h host_key_file] [-o
       option] [-p port] [-u len]

DESCRIPTION
       sshd  (OpenSSH  Daemon)	is the daemon program for ssh(1).  It provides
       secure encrypted	communications between two untrusted hosts over	an in-
       secure network.

       sshd  listens  for connections from clients.  It	is normally started at
       boot from /usr/local/etc/rc.d/openssh.  It forks	a new daemon for  each
       incoming	 connection.   The forked daemons handle key exchange, encryp-
       tion, authentication, command execution,	and data exchange.

       sshd can be configured using command-line options or a configuration
       file (by default sshd_config(5)); command-line options override values
       specified in the configuration file.  sshd rereads its configuration
       file when it receives a hangup signal, SIGHUP, by executing itself with
       the name and options it was started with, e.g. /usr/sbin/sshd.

       The options are as follows:

       -4     Forces sshd to use IPv4 addresses	only.

       -6     Forces sshd to use IPv6 addresses	only.

       -C connection_spec
	      Specify the connection parameters	to use	for  the  -T  extended
	      test  mode.  If provided,	any Match directives in	the configura-
	      tion file	that would apply are applied before the	 configuration
	      is  written  to  standard	output.	 The connection	parameters are
	      supplied as keyword=value	pairs and may be supplied in  any  or-
	      der,  either  with  multiple  -C options or as a comma-separated
	      list.  The keywords are ``addr'',	``user'', ``host'', ``laddr'',
	      ``lport'',  and  ``rdomain''  and	 correspond to source address,
	      user, resolved source host name, local address, local port  num-
	      ber and routing domain respectively.

       -c host_certificate_file
	      Specifies	 a  path to a certificate file to identify sshd	during
	      key exchange.  The certificate file must match a host  key  file
	      specified	 using	the -h option or the HostKey configuration di-
	      rective.

       -D     When this	option is specified, sshd will not detach and does not
	      become a daemon.	This allows easy monitoring of sshd.

       -d     Debug  mode.   The server	sends verbose debug output to standard
	      error, and does not put itself in	the  background.   The	server
	      also  will  not  fork(2)	and  will only process one connection.
	      This option is only intended for debugging for the server.  Mul-
	      tiple -d options increase	the debugging level.  Maximum is 3.

       -E log_file
	      Append debug logs	to log_file instead of the system log.

       -e     Write debug logs to standard error instead of the	system log.

       -f config_file
	      Specifies	 the  name  of the configuration file.	The default is
	      /usr/local/etc/ssh/sshd_config.  sshd refuses to start if	 there
	      is no configuration file.

       -g login_grace_time
	      Gives the	grace time for clients to authenticate themselves (de-
	      fault 120	seconds).  If the client  fails	 to  authenticate  the
	      user within this many seconds, the server	disconnects and	exits.
	      A	value of zero indicates	no limit.

       -h host_key_file
	      Specifies a file from which a host key is read.  This option
	      must be given if sshd is not run as root (as the normal host key
	      files are normally not readable by anyone but root).  The de-
	      fault is /usr/local/etc/ssh/ssh_host_ecdsa_key,
	      /usr/local/etc/ssh/ssh_host_ed25519_key and
	      /usr/local/etc/ssh/ssh_host_rsa_key.  It is possible to have
	      multiple host key files for the different host key algorithms.

       -i     Specifies	that sshd is being run from inetd(8).

       -o option
	      Can be used to give options in the format	used in	the configura-
	      tion  file.   This  is  useful  for specifying options for which
	      there is no separate command-line	flag.  For full	details	of the
	      options, and their values, see sshd_config(5).

       -p port
	      Specifies	 the  port on which the	server listens for connections
	      (default 22).  Multiple port options are permitted.  Ports spec-
	      ified in the configuration file with the Port option are ignored
	      when a command-line port is specified.   Ports  specified	 using
	      the ListenAddress	option override	command-line ports.

       -q     Quiet  mode.   Nothing  is sent to the system log.  Normally the
	      beginning, authentication, and termination of each connection is
	      logged.

       -T     Extended	test  mode.   Check  the validity of the configuration
	      file, output the effective  configuration	 to  stdout  and  then
	      exit.   Optionally, Match	rules may be applied by	specifying the
	      connection parameters using one or more -C options.

       -t     Test mode.  Only check the validity of  the  configuration  file
	      and  sanity of the keys.	This is	useful for updating sshd reli-
	      ably as configuration options may	change.

       -u len This option is used to specify the size of the field in the utmp
	      structure	that holds the remote host name.  If the resolved host
	      name is longer than len, the dotted decimal value	will  be  used
	      instead.	This allows hosts with very long host names that over-
	      flow this	field to still be uniquely identified.	Specifying -u0
	      indicates	 that only dotted decimal addresses should be put into
	      the utmp file.  -u0 may also be used to prevent sshd from	making
	      DNS  requests  unless the	authentication mechanism or configura-
	      tion requires it.	 Authentication	mechanisms  that  may  require
	      DNS  include  HostbasedAuthentication and	using a	from="pattern-
	      list" option in a	key file.  Configuration options that  require
	      DNS   include   using  a	USER@HOST  pattern  in	AllowUsers  or
	      DenyUsers.
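       The -T and -C options above print the configuration that is in effect
       for one particular client, after any Match blocks for that client have
       been applied.  The Python program below is an added example, not part of
       this manual or of OpenSSH: it parses the `keyword value' lines that sshd
       -T prints (one lowercase keyword per line; a keyword such as Port that
       is set several times produces one line per value) and compares them with
       a baseline policy.  The dump embedded in it is constructed for the
       example, the POLICY table is an assumption rather than anything the
       manual prescribes, and dump_effective_config() is the example's own
       helper that shells out to sshd, which requires sshd on PATH and read
       access to sshd_config and the host keys (normally root).

```python
import subprocess

# Constructed sample in the shape `sshd -T` prints: one lowercase keyword per
# line followed by its value(s); repeated keywords (e.g. port) give one line each.
SAMPLE_DUMP = """\
port 22
port 2222
addressfamily any
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
logingracetime 120
x11forwarding no
"""

# Assumed baseline for this example; the manual does not prescribe one.
POLICY = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
}


def parse_effective_config(dump):
    """Parse sshd -T output into {keyword: [value, ...]}."""
    config = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        keyword, _, value = line.partition(" ")
        config.setdefault(keyword, []).append(value)
    return config


def policy_violations(config, policy=POLICY):
    """Return one message per effective value that falls outside the policy,
    and one per policy keyword that the dump does not mention at all."""
    out = []
    for keyword, allowed in policy.items():
        values = config.get(keyword)
        if values is None:
            out.append(f"{keyword}: missing from dump")
            continue
        out += [f"{keyword}: {v!r} not in {sorted(allowed)}"
                for v in values if v not in allowed]
    return out


def dump_effective_config(connection_spec=None, config_file=None, sshd="sshd"):
    """Run sshd -T, adding -C keyword=value,... so that Match blocks for that
    client are applied before the configuration is written out.  Hypothetical
    helper: needs sshd on PATH and read access to the config and host keys."""
    argv = [sshd, "-T"]
    if config_file:
        argv += ["-f", config_file]
    if connection_spec:
        argv += ["-C", connection_spec]
    result = subprocess.run(argv, check=True, capture_output=True, text=True)
    return parse_effective_config(result.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed dump.  On a real host, replace
    # SAMPLE_DUMP with dump_effective_config("user=alice,addr=192.0.2.5,host=box.example.net").
    for problem in policy_violations(parse_effective_config(SAMPLE_DUMP)):
        print(problem)
```

       Running the same check once without -C and once per Match context of
       interest (for example the address range of a bastion host) shows
       whether a Match block relaxes a setting that the global section
       tightens.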

AUTHENTICATION
       The OpenSSH SSH daemon supports SSH protocol 2 only.  Each host	has  a
       host-specific  key,  used to identify the host.	Whenever a client con-
       nects, the daemon responds with its public host key.  The  client  com-
       pares  the  host	key against its	own database to	verify that it has not
       changed.	 Forward secrecy is  provided  through	a  Diffie-Hellman  key
       agreement.   This  key  agreement results in a shared session key.  The
       rest of the session is encrypted	using a	symmetric cipher.  The	client
       selects	the  encryption	 algorithm  to	use  from those	offered	by the
       server.	Additionally, session integrity	is provided through a  crypto-
       graphic message authentication code (MAC).

       Finally,	the server and the client enter	an authentication dialog.  The
       client tries to authenticate itself  using  host-based  authentication,
       public  key authentication, challenge-response authentication, or pass-
       word authentication.

       Regardless of the authentication type, the account is checked to ensure
       that it is accessible.  An account is not accessible if it is locked,
       listed in DenyUsers or its group is listed in DenyGroups.  The defini-
       tion of a locked account is system dependent.  Some platforms have their
       own account database (e.g. AIX) and some modify the passwd field (`*LK*'
       on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
       leading `*LOCKED*' on FreeBSD and a leading `!' on most Linuxes).  If
       there is a requirement to disable password authentication for the ac-
       count while still allowing public-key authentication, then the passwd
       field should be set to something other than these values (e.g. `NP' or
       `*NP*').

       If the client successfully authenticates	itself,	a dialog for preparing
       the session is entered.	At this	time the  client  may  request	things
       like  allocating	 a  pseudo-tty,	forwarding X11 connections, forwarding
       TCP connections,	or forwarding the authentication agent connection over
       the secure channel.

       After  this,  the client	either requests	a shell	or execution of	a com-
       mand.  The sides	then enter session mode.  In this  mode,  either  side
       may send	data at	any time, and such data	is forwarded to/from the shell
       or command on the server	side, and the  user  terminal  in  the	client
       side.

       When  the  user program terminates and all forwarded X11	and other con-
       nections	have been closed, the server sends command exit	status to  the
       client, and both	sides exit.

LOGIN PROCESS
       When a user successfully	logs in, sshd does the following:

       1.     If  the  login  is  on a tty, and	no command has been specified,
	      prints last login	time and /etc/motd (unless  prevented  in  the
	      configuration file or by ~/.hushlogin; see the FILES section).

       2.     If the login is on a tty,	records	login time.

       3.     Checks  /etc/nologin  and	 /var/run/nologin;  if	one exists, it
	      prints the contents and quits (unless root).

       4.     Changes to run with normal user privileges.

       5.     Sets up basic environment.

       6.     Reads the	file ~/.ssh/environment, if it exists, and  users  are
	      allowed to change	their environment.  See	the PermitUserEnviron-
	      ment option in sshd_config(5).

       7.     Changes to user's	home directory.

       8.     If ~/.ssh/rc exists and the sshd_config(5) PermitUserRC option
	      is set, runs it; else if /usr/local/etc/ssh/sshrc exists, runs
	      it; otherwise runs xauth(1).  The ``rc'' files are given the X11
	      authentication protocol and cookie in standard input.  See SSHRC,
	      below.

       9.     Runs user's shell	or command.  All commands are  run  under  the
	      user's login shell as specified in the system password database.

SSHRC
       If  the file ~/.ssh/rc exists, sh(1) runs it after reading the environ-
       ment files but before starting the user's shell or  command.   It  must
       not  produce any	output on stdout; stderr must be used instead.	If X11
       forwarding is in	use, it	will receive the "proto	cookie"	 pair  in  its
       standard	 input (and DISPLAY in its environment).  The script must call
       xauth(1)	because	sshd will not run xauth	automatically to add X11 cook-
       ies.

       The  primary purpose of this file is to run any initialization routines
       which may be needed before the user's home directory  becomes  accessi-
       ble; AFS	is a particular	example	of such	an environment.

       This  file  will	 probably contain some initialization code followed by
       something similar to:

       if read proto cookie && [ -n "$DISPLAY" ]; then
	    if [ `echo $DISPLAY	| cut -c1-10` =	'localhost:' ];	then
		 # X11UseLocalhost=yes
		 echo add unix:`echo $DISPLAY |
		     cut -c11-`	$proto $cookie
	    else
		 # X11UseLocalhost=no
		 echo add $DISPLAY $proto $cookie
	    fi | xauth -q -
       fi

       If this file does not exist, /usr/local/etc/ssh/sshrc is	 run,  and  if
       that does not exist either, xauth is used to add	the cookie.

AUTHORIZED_KEYS	FILE FORMAT
       AuthorizedKeysFile  specifies the files containing public keys for pub-
       lic key authentication; if this option is not specified,	the default is
       ~/.ssh/authorized_keys  and  ~/.ssh/authorized_keys2.  Each line	of the
       file contains one key (empty lines and lines starting with  a  `#'  are
       ignored as comments).  Public keys consist of the following space-sepa-
       rated fields: options, keytype, base64-encoded key, comment.   The  op-
       tions field is optional.	 The supported key types are:

	      sk-ecdsa-sha2-nistp256@openssh.com

	      ecdsa-sha2-nistp256

	      ecdsa-sha2-nistp384

	      ecdsa-sha2-nistp521

	      sk-ssh-ed25519@openssh.com

	      ssh-ed25519

	      ssh-dss

	      ssh-rsa

       The  comment  field is not used for anything (but may be	convenient for
       the user	to identify the	key).

       Note that lines in this file can	be several hundred bytes long (because
       of  the	size of	the public key encoding) up to a limit of 8 kilobytes,
       which permits RSA keys up to 16 kilobits.  You don't want to type  them
       in;   instead,  copy  the  id_dsa.pub,  id_ecdsa.pub,  id_ecdsa_sk.pub,
       id_ed25519.pub, id_ed25519_sk.pub, or the id_rsa.pub file and edit it.

       sshd enforces a minimum RSA key modulus size of 1024 bits.

       The options (if present)	consist	of comma-separated  option  specifica-
       tions.  No spaces are permitted,	except within double quotes.  The fol-
       lowing option specifications are	supported (note	that  option  keywords
       are case-insensitive):

       agent-forwarding
	      Enable  authentication  agent  forwarding	previously disabled by
	      the restrict option.

       cert-authority
	      Specifies	that the listed	key is a certification authority  (CA)
	      that is trusted to validate signed certificates for user authen-
	      tication.

	      Certificates may encode access restrictions similar to these key
	      options.	 If  both certificate restrictions and key options are
	      present, the most	restrictive union of the two is	applied.

       command="command"
	      Specifies	that the command is executed whenever this key is used
	      for  authentication.   The command supplied by the user (if any)
	      is ignored.  The command is run on a pty if the client  requests
	      a	 pty;  otherwise  it  is run without a tty.  If	an 8-bit clean
	      channel is required, one must not	request	a pty or should	 spec-
	      ify  no-pty.   A quote may be included in	the command by quoting
	      it with a	backslash.

	      This option might	be useful to restrict certain public  keys  to
	      perform  just  a	specific operation.  An	example	might be a key
	      that permits remote backups but nothing  else.   Note  that  the
	      client may specify TCP and/or X11	forwarding unless they are ex-
	      plicitly prohibited, e.g.	using the restrict key option.

	      The command originally supplied by the client  is	 available  in
	      the  SSH_ORIGINAL_COMMAND	 environment variable.	Note that this
	      option applies to	shell, command or subsystem  execution.	  Also
	      note  that  this	command	 may be	superseded by a	sshd_config(5)
	      ForceCommand directive.

	      If a command is specified	and a forced-command is	embedded in  a
	      certificate  used	 for authentication, then the certificate will
	      be accepted only if the two commands are identical.

       environment="NAME=value"
	      Specifies	that the string	is to be added to the environment when
	      logging  in  using this key.  Environment	variables set this way
	      override other default environment values.  Multiple options  of
	      this  type are permitted.	 Environment processing	is disabled by
	      default and is controlled	via the	PermitUserEnvironment option.

       expiry-time="timespec"
	      Specifies	a time after which the key will	not be accepted.   The
	      time  may	 be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS]
	      time in the system time-zone.

       from="pattern-list"
	      Specifies	that in	addition to public key authentication,	either
	      the  canonical name of the remote	host or	its IP address must be
	      present in the comma-separated list of patterns.	 See  PATTERNS
	      in ssh_config(5) for more	information on patterns.

	      In  addition  to	the  wildcard  matching	that may be applied to
	      hostnames	or addresses, a	from stanza may	match IP addresses us-
	      ing CIDR address/masklen notation.

	      The  purpose  of this option is to optionally increase security:
	      public key authentication	by itself does not trust  the  network
	      or  name servers or anything (but	the key); however, if somebody
	      somehow steals the key, the key permits an intruder  to  log  in
	      from  anywhere in	the world.  This additional option makes using
	      a	stolen key more	difficult (name	servers	and/or	routers	 would
	      have to be compromised in	addition to just the key).

       no-agent-forwarding
	      Forbids  authentication  agent  forwarding when this key is used
	      for authentication.

       no-port-forwarding
	      Forbids TCP forwarding when this key is used for authentication.
	      Any  port	 forward  requests by the client will return an	error.
	      This might be used, e.g. in connection with the command option.

       no-pty Prevents tty allocation (a request to allocate a pty will	fail).

       no-user-rc
	      Disables execution of ~/.ssh/rc.

       no-X11-forwarding
	      Forbids X11 forwarding when this key is used for authentication.
	      Any X11 forward requests by the client will return an error.

       permitlisten="[host:]port"
	      Limit remote port	forwarding with	the ssh(1) -R option such that
	      it may only listen on the	specified host	(optional)  and	 port.
	      IPv6  addresses  can  be	specified  by enclosing	the address in
	      square brackets.	Multiple permitlisten options may  be  applied
	      separated	 by  commas.   Hostnames  may include wildcards	as de-
	      scribed in the PATTERNS section in ssh_config(5).	 A port	speci-
	      fication	of * matches any port.	Note that the setting of Gate-
	      wayPorts may  further  restrict  listen  addresses.   Note  that
	      ssh(1)  will  send  a hostname of	``localhost'' if a listen host
	      was not specified	when the forwarding was	 requested,  and  that
	      this  name  is treated differently to the	explicit localhost ad-
	      dresses ``127.0.0.1'' and	``::1''.

       permitopen="host:port"
	      Limit local port forwarding with the ssh(1) -L option such  that
	      it  may  only  connect to	the specified host and port.  IPv6 ad-
	      dresses can be specified by  enclosing  the  address  in	square
	      brackets.	  Multiple permitopen options may be applied separated
	      by commas.  No pattern matching or name lookup is	 performed  on
	      the  specified hostnames,	they must be literal host names	and/or
	      addresses.  A port specification of * matches any	port.

       port-forwarding
	      Enable port forwarding previously	disabled by the	 restrict  op-
	      tion.

       principals="principals"
	      On  a cert-authority line, specifies allowed principals for cer-
	      tificate authentication as a comma-separated list.  At least one
	      name  from  the  list  must  appear in the certificate's list of
	      principals for the certificate to	be accepted.  This  option  is
	      ignored  for  keys  that	are  not marked	as trusted certificate
	      signers using the	cert-authority option.

       pty    Permits tty allocation previously	disabled by the	 restrict  op-
	      tion.

       no-touch-required
	      Do  not  require	demonstration  of user presence	for signatures
	      made using this key.  This option	only makes sense for the  FIDO
	      authenticator algorithms ecdsa-sk	and ed25519-sk.

       verify-required
	      Require  that  signatures	 made  using this key attest that they
	      verified the user, e.g. via a PIN.  This option only makes sense
	      for the FIDO authenticator algorithms ecdsa-sk and ed25519-sk.

       restrict
	      Enable  all  restrictions, i.e. disable port, agent and X11 for-
	      warding, as well as disabling PTY	allocation  and	 execution  of
	      ~/.ssh/rc.   If any future restriction capabilities are added to
	      authorized_keys files they will be included in this set.

       tunnel="n"
	      Force a tun(4) device on the server.  Without this  option,  the
	      next available device will be used if the	client requests	a tun-
	      nel.

       user-rc
	      Enables execution	of ~/.ssh/rc previously	disabled  by  the  re-
	      strict option.

       X11-forwarding
	      Permits  X11  forwarding previously disabled by the restrict op-
	      tion.

       An example authorized_keys file:

       # Comments are allowed at start of line.	Blank lines are	allowed.
       # Plain key, no restrictions
       ssh-rsa ...
       # Forced	command, disable PTY and all forwarding
       restrict,command="dump /home" ssh-rsa ...
       # Restriction of	ssh -L forwarding destinations
       permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ...
       # Restriction of	ssh -R forwarding listeners
       permitlisten="localhost:8080",permitlisten="[::1]:22000"	ssh-rsa	...
       # Configuration for tunnel forwarding
       tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ...
       # Override of restriction to allow PTY allocation
       restrict,pty,command="nethack" ssh-rsa ...
       # Allow FIDO key	without	requiring touch
       no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ...
       # Require user-verification (e.g. PIN or	biometric) for FIDO key
       verify-required sk-ecdsa-sha2-nistp256@openssh.com ...
       # Trust CA key, allow touch-less	FIDO if	requested in certificate
       cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
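       The parser below is an added example, not code from this manual or from
       OpenSSH.  It applies the rules stated above for the options field
       (comma separation, spaces only inside double quotes, a backslash-quoted
       quote, case-insensitive keywords), evaluates restrict together with the
       no-* and re-enabling keywords in the order they appear so that the
       capability set a key ends up with can be inspected, and checks a
       from="pattern-list" against a client address and host name, including
       CIDR blocks and `!' negation.  The sample file and key blobs are
       constructed placeholders, and the function and variable names are the
       example's own.

```python
import re
import ipaddress

# Key types listed in the AUTHORIZED_KEYS FILE FORMAT section.
KEY_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss",
             "sk-ssh-ed25519@openssh.com", "ssh-ed25519", "ssh-rsa"}
# Capabilities that "restrict" disables and that the bare keywords re-enable.
CAPABILITIES = ("pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc")


def split_options(text):
    """Options field: comma-separated, spaces only inside double quotes, a
    backslash escapes a quote.  Returns (options, index after the field)."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and text[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif quoted or ch not in ", \t":
            cur.append(ch)
        elif ch == ",":
            opts.append("".join(cur))
            cur = []
        else:                          # unquoted whitespace ends the field
            break
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options field")
    return opts + ["".join(cur)], i


def parse_line(line):
    """One authorized_keys line -> dict, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:        # no options field
        options, rest = [], line
    else:
        options, end = split_options(line)
        rest = line[end:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return {"options": options, "keytype": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def parse_file(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def effective_permissions(options):
    """Apply options in order (keywords are case-insensitive): restrict clears
    every capability, no-X clears one, a bare keyword re-enables one."""
    perms, forced_command = dict.fromkeys(CAPABILITIES, True), None
    for opt in options:
        name, _, value = opt.partition("=")
        name = name.lower()
        if name == "restrict":
            perms = dict.fromkeys(CAPABILITIES, False)
        elif name in perms:
            perms[name] = True
        elif name.startswith("no-") and name[3:] in perms:
            perms[name[3:]] = False
        elif name == "command":
            forced_command = value
    return perms, forced_command


def wildcard_match(name, pattern):
    """OpenSSH pattern: only '*' and '?' are special; case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def from_allows(options, client_addr, client_host):
    """from="pattern-list": host/address wildcards or CIDR blocks, '!' negates.
    A negated hit rejects outright; otherwise some pattern must match."""
    for opt in options:
        name, _, value = opt.partition("=")
        if name.lower() != "from":
            continue
        allowed = False
        for pat in value.split(","):
            negate = pat.startswith("!")
            pat = pat[1:] if negate else pat
            if "/" in pat:                             # CIDR address/masklen
                try:
                    hit = ipaddress.ip_address(client_addr) in ipaddress.ip_network(pat, strict=False)
                except ValueError:
                    hit = False
            else:
                hit = wildcard_match(client_host, pat) or wildcard_match(client_addr, pat)
            if hit and negate:
                return False
            allowed = allowed or hit
        if not allowed:
            return False
    return True                                  # no from option: no restriction


# Constructed sample; the key material is a placeholder, not a real key.
SAMPLE = """\
# Comments and blank lines are ignored
ssh-rsa AAAAB3PLACEHOLDER alice@example
restrict,command="dump /home" ssh-rsa AAAAB3PLACEHOLDER backup@example
restrict,pty,command="echo \\"hi\\"" ssh-ed25519 AAAAC3PLACEHOLDER
from="192.0.2.0/24,!192.0.2.99,*.example.net",no-pty ssh-ed25519 AAAAC3PLACEHOLDER
"""
```

       Evaluating the keywords sequentially is what makes the `restrict,pty'
       idiom from the example file work: restrict clears everything and the
       later pty re-enables only tty allocation.  The parser does not validate
       the base64 key blob or the expiry-time option; it is meant for reviewing
       which restrictions a deployed file actually imposes.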

SSH_KNOWN_HOSTS	FILE FORMAT
       The  /usr/local/etc/ssh/ssh_known_hosts	and  ~/.ssh/known_hosts	 files
       contain	host  public keys for all known	hosts.	The global file	should
       be prepared by the administrator	(optional), and	the per-user  file  is
       maintained  automatically:  whenever  the  user	connects to an unknown
       host, its key is	added to the per-user file.

       Each line in these files	contains the  following	 fields:  marker  (op-
       tional),	 hostnames,  keytype, base64-encoded key, comment.  The	fields
       are separated by	spaces.

       The marker is optional, but if it is present then it  must  be  one  of
       ``@cert-authority'', to indicate	that the line contains a certification
       authority (CA) key, or ``@revoked'', to indicate	that the key contained
       on  the line is revoked and must	not ever be accepted.  Only one	marker
       should be used on a key line.

       Hostnames is a comma-separated list of patterns (`*' and	 `?'   act  as
       wildcards);  each  pattern  in  turn  is	matched	against	the host name.
       When sshd is authenticating a client, such as when  using  HostbasedAu-
       thentication, this will be the canonical	client host name.  When	ssh(1)
       is authenticating a server, this	will be	the host  name	given  by  the
       user,  the value	of the ssh(1) HostkeyAlias if it was specified,	or the
       canonical server	hostname if the	ssh(1) CanonicalizeHostname option was
       used.

       A  pattern  may	also  be preceded by `!'  to indicate negation:	if the
       host name matches a negated pattern, it is not accepted (by that	 line)
       even  if	it matched another pattern on the line.	 A hostname or address
       may optionally be enclosed within `[' and `]' brackets then followed by
       `:' and a non-standard port number.

       Alternately,  hostnames may be stored in	a hashed form which hides host
       names and addresses should the file's contents  be  disclosed.	Hashed
       hostnames start with a `|' character.  Only one hashed hostname may ap-
       pear on a single	line and none of the above negation or wildcard	opera-
       tors may	be applied.

       The keytype and base64-encoded key are taken directly from the host
       key; they can be obtained, for example, from
       /usr/local/etc/ssh/ssh_host_rsa_key.pub.  The optional comment field
       continues to the end of the line, and is not used.

       Lines starting with `#' and empty lines are ignored as comments.

       When performing host authentication, authentication is accepted if any
       matching line has the proper key; either one that matches exactly or,
       if the server has presented a certificate for authentication, the key
       of the certification authority that signed the certificate.  For a key
       to be trusted as a certification authority, it must use the
       ``@cert-authority'' marker described above.

       The  known hosts	file also provides a facility to mark keys as revoked,
       for example when	it is known that the associated	private	key  has  been
       stolen.	 Revoked  keys	are  specified	by  including the ``@revoked''
       marker at the beginning of the key line,	and are	never accepted for au-
       thentication  or	as certification authorities, but instead will produce
       a warning from ssh(1) when they are encountered.

       It is permissible (but not recommended) to have several lines  or  dif-
       ferent  host keys for the same names.  This will	inevitably happen when
       short forms of host names from different	domains	are put	in  the	 file.
       It  is possible that the	files contain conflicting information; authen-
       tication	is accepted if valid information  can  be  found  from	either
       file.

       Note that the lines in these files are typically	hundreds of characters
       long, and you definitely	don't want to type in the host keys  by	 hand.
       Rather, generate	them by	a script, ssh-keyscan(1) or by taking, for ex-
       ample,  /usr/local/etc/ssh/ssh_host_rsa_key.pub	and  adding  the  host
       names  at  the  front.	ssh-keygen(1) also offers some basic automated
       editing for ~/.ssh/known_hosts including	removing hosts matching	a host
       name and	converting all host names to their hashed representations.

       An example ssh_known_hosts file:

       # Comments allowed at start of line
       closenet,...,192.0.2.53 1024 37 159...93	closenet.example.net
       cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
       # A hashed hostname
       |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
       AAAA1234.....=
       # A revoked key
       @revoked	* ssh-rsa AAAAB5W...
       # A CA key, accepted for	any host in *.mydomain.com or *.mydomain.org
       @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
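       The following Python program is an added example rather than code from
       this manual or from OpenSSH.  It reproduces the hashed-hostname form
       from the fields described above (the salt after `|1|' keys an HMAC-SHA1
       over the host name, and both parts are base64-encoded, which is what
       ssh-keygen -H writes), matches plain hostname patterns with `*', `?',
       `!' negation and the [host]:port form, and honours the @revoked marker
       ahead of any plain line.  Certificate checking against an
       @cert-authority line is not modelled.  The sample entries and key blobs
       are constructed placeholders, and the fixed salt is used only so that
       the hashed line is reproducible.

```python
import base64
import hashlib
import hmac
import os
import re

MARKERS = ("@cert-authority", "@revoked")


def hash_hostname(hostname, salt=None):
    """Build the |1|salt|hash field: HMAC-SHA1 keyed with a 20-byte salt over
    the host name, both parts base64-encoded (the form ssh-keygen -H writes)."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_match(field, hostname):
    """Recompute the HMAC with the stored salt and compare in constant time."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError(f"unsupported hashed hostname field: {field!r}")
    salt, stored = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    return hmac.compare_digest(hmac.new(salt, hostname.encode(), hashlib.sha1).digest(), stored)


def wildcard_match(name, pattern):
    """Only '*' and '?' are special in known_hosts patterns; case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def host_matches(field, hostname, port=22):
    """Match the hostnames field: hashed entries, '!' negation, wildcards, and
    the [host]:port form that a non-standard port is recorded under."""
    name = hostname if port == 22 else f"[{hostname}]:{port}"
    if field.startswith("|"):
        return hashed_match(field, name)
    matched = False
    for pat in field.split(","):
        negate = pat.startswith("!")
        if wildcard_match(name, pat[1:] if negate else pat):
            if negate:
                return False          # a negated hit rejects the whole line
            matched = True
    return matched


def parse_known_hosts(text):
    """Yield dicts for key lines; blank lines and '#' comments are skipped."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0] in MARKERS else None
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        yield {"marker": marker, "hostnames": fields[0], "keytype": fields[1],
               "key": fields[2], "comment": " ".join(fields[3:])}


def evaluate_host_key(text, hostname, keytype, key, port=22):
    """'revoked' if any matching @revoked line carries this key (wins over
    everything), 'trusted' if a plain matching line carries it, else 'unknown'.
    CA-signed host certificates are not modelled here."""
    status = "unknown"
    for entry in parse_known_hosts(text):
        if not host_matches(entry["hostnames"], hostname, port):
            continue
        if entry["keytype"] == keytype and entry["key"] == key:
            if entry["marker"] == "@revoked":
                return "revoked"
            if entry["marker"] is None:
                status = "trusted"
    return status


# Constructed sample; key blobs are placeholders.  The salt is fixed only so the
# hashed line is reproducible; ssh-keygen -H picks a random one.
SAMPLE = "\n".join([
    "# Comments allowed at start of line",
    "cvs.example.net,192.0.2.10 ssh-rsa AAAA1234PLACEHOLDER=",
    "[git.example.net]:2222 ssh-ed25519 AAAAC3PLACEHOLDER",
    "!*.internal.example.net,*.example.net ssh-rsa AAAANEGPLACEHOLDER",
    hash_hostname("build.example.net", salt=bytes(range(20))) + " ssh-rsa AAAAHASHEDPLACEHOLDER",
    "@revoked * ssh-rsa AAAAREVOKEDPLACEHOLDER",
    "@cert-authority *.example.org ssh-rsa AAAACAPLACEHOLDER",
])
```

       Because the hash is keyed with a per-line salt, a disclosed file does
       not reveal which hosts it covers, but the same host can still be
       recognised by anyone who can guess its name and recompute the HMAC;
       hashing hides names, it does not protect the keys themselves.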

FILES
       ~/.hushlogin
	      This  file  is used to suppress printing the last	login time and
	      /etc/motd, if PrintLastLog and PrintMotd,	respectively, are  en-
	      abled.  It does not suppress printing of the banner specified by
	      Banner.

       ~/.rhosts
	      This file	is used	for host-based authentication (see ssh(1)  for
	      more  information).   On	some machines this file	may need to be
	      world-readable if	the user's home	directory is on	an NFS	parti-
	      tion,  because  sshd  reads it as	root.  Additionally, this file
	      must be owned by the user, and must not have  write  permissions
	      for  anyone  else.  The recommended permission for most machines
	      is read/write for	the user, and not accessible by	others.

       ~/.shosts
	      This file	is used	in exactly the same way	as .rhosts, but	allows
	      host-based   authentication   without   permitting   login  with
	      rlogin/rsh.

       ~/.ssh/
	      This directory is	the default  location  for  all	 user-specific
	      configuration  and authentication	information.  There is no gen-
	      eral requirement to keep the entire contents of  this  directory
	      secret,  but  the	recommended permissions	are read/write/execute
	      for the user, and	not accessible by others.

       ~/.ssh/authorized_keys
	      Lists the	public keys (DSA, ECDSA, Ed25519,  RSA)	 that  can  be
	      used  for	 logging  in as	this user.  The	format of this file is
	      described	above.	The content of the file	is not	highly	sensi-
	      tive,  but  the  recommended  permissions	are read/write for the
	      user, and	not accessible by others.

	      If this file, the	~/.ssh directory, or the user's	home directory
	      are  writable by other users, then the file could	be modified or
	      replaced by unauthorized users.  In this case, sshd will not al-
	      low  it to be used unless	the StrictModes	option has been	set to
	      ``no''.

       ~/.ssh/environment
	      This file is read into the environment at login (if it exists).
	      It can only contain empty lines, comment lines (that start with
	      `#'), and assignment lines of the form name=value.  The file
	      should be writable only by the user; it need not be readable by
	      anyone else.  Environment processing is disabled by default and
	      is controlled via the PermitUserEnvironment option.

       ~/.ssh/known_hosts
	      Contains	a  list	of host	keys for all hosts the user has	logged
	      into that	are not	already	in the systemwide list of  known  host
	      keys.   The  format  of this file	is described above.  This file
	      should be	writable only by root/the owner	and can, but need  not
	      be, world-readable.

       ~/.ssh/rc
	      Contains	initialization	routines  to  be run before the	user's
	      home directory becomes accessible.  This file should be writable
	      only by the user,	and need not be	readable by anyone else.

       /etc/hosts.allow

       /etc/hosts.deny
	      Access  controls that should be enforced by tcp-wrappers are de-
	      fined here.  Further details are described in hosts_access(5).

       /etc/hosts.equiv
	      This file is for host-based authentication (see ssh(1)).  It
	      should only be writable by root.

       /usr/local/etc/ssh/moduli
	      Contains	Diffie-Hellman	groups	used  for  the "Diffie-Hellman
	      Group Exchange" key exchange method.  The	 file  format  is  de-
	      scribed  in  moduli(5).	If  no usable groups are found in this
	      file then	fixed internal groups will be used.

       /etc/motd
	      See motd(5).

       /etc/nologin
	      If this file exists, sshd	refuses	to let anyone except root  log
	      in.   The	contents of the	file are displayed to anyone trying to
	      log in, and non-root connections are refused.  The  file	should
	      be world-readable.

       /usr/local/etc/ssh/shosts.equiv
	      This  file  is  used in exactly the same way as hosts.equiv, but
	      allows host-based	authentication without permitting  login  with
	      rlogin/rsh.

       /usr/local/etc/ssh/ssh_host_ecdsa_key

       /usr/local/etc/ssh/ssh_host_ed25519_key

       /usr/local/etc/ssh/ssh_host_rsa_key
	      These  files  contain the	private	parts of the host keys.	 These
	      files should only	be owned by root, readable only	by  root,  and
	      not  accessible  to  others.   Note  that	sshd does not start if
	      these files are group/world-accessible.

       /usr/local/etc/ssh/ssh_host_ecdsa_key.pub

       /usr/local/etc/ssh/ssh_host_ed25519_key.pub

       /usr/local/etc/ssh/ssh_host_rsa_key.pub
	      These files contain the public parts of the  host	 keys.	 These
	      files should be world-readable but writable only by root.	 Their
	      contents should match the	respective private parts.  These files
	      are not really used for anything;	they are provided for the con-
	      venience of the user so their contents can be  copied  to	 known
	      hosts files.  These files	are created using ssh-keygen(1).

       /usr/local/etc/ssh/ssh_known_hosts
	      Systemwide  list	of  known host keys.  This file	should be pre-
	      pared by the system administrator	to  contain  the  public  host
	      keys  of	all  machines in the organization.  The	format of this
	      file is described	above.	This file should be writable  only  by
	      root/the owner and should	be world-readable.

       /usr/local/etc/ssh/sshd_config
	      Contains	configuration data for sshd.  The file format and con-
	      figuration options are described in sshd_config(5).

       /usr/local/etc/ssh/sshrc
	      Similar to ~/.ssh/rc, it can be used to specify machine-specific
	      login-time   initializations  globally.	This  file  should  be
	      writable only by root, and should	be world-readable.

       /var/empty
	      chroot(2)	directory used by sshd during privilege	separation  in
	      the  pre-authentication phase.  The directory should not contain
	      any files	and must be owned by root  and	not  group  or	world-
	      writable.

       /var/run/sshd.pid
	      Contains	the  process  ID of the	sshd listening for connections
	      (if there	are several daemons running concurrently for different
	      ports,  this  contains  the process ID of	the one	started	last).
	      The content of this file is not sensitive; it can	be world-read-
	      able.
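       The checker below is an added example, not part of this manual or of
       OpenSSH.  It encodes the ownership and permission expectations listed
       above: the StrictModes rule for the user's home directory, ~/.ssh and
       authorized_keys (owned by the user or root and not group- or
       world-writable, otherwise sshd ignores the key file), and the host key
       rule (private keys root-owned with no group or world bits, without
       which sshd does not start; public keys world-readable but writable only
       by root).  The helpers that build throwaway files are constructed
       fixtures, and all names are the example's own.

```python
import os
import stat
import tempfile


def mode_findings(path, owner_uids, max_mode):
    """Findings for one path: owner not in owner_uids, or permission bits set
    that max_mode does not allow."""
    st = os.stat(path)
    found = []
    if st.st_uid not in owner_uids:
        found.append(f"{path}: owner uid {st.st_uid}, expected one of {sorted(owner_uids)}")
    excess = stat.S_IMODE(st.st_mode) & ~max_mode
    if excess:
        found.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} has disallowed bits {excess:04o}")
    return found


def strict_modes_findings(home, uid=None):
    """The StrictModes rule for a user's key file: authorized_keys, ~/.ssh and
    the home directory must belong to the user (root is also accepted) and
    must not be group- or world-writable (no 022 bits)."""
    uid = os.getuid() if uid is None else uid
    found = []
    for rel in ("", ".ssh", os.path.join(".ssh", "authorized_keys")):
        path = os.path.join(home, rel)
        if os.path.exists(path):
            found += mode_findings(path, {uid, 0}, 0o755)
    return found


def host_key_findings(private_keys):
    """Host private keys must be root-owned with no group/world bits; their
    .pub files are world-readable and writable only by root."""
    found = []
    for path in private_keys:
        found += mode_findings(path, {0}, 0o700)
        if os.path.exists(path + ".pub"):
            found += mode_findings(path + ".pub", {0}, 0o755)
    return found


def build_sample_home(authorized_keys_mode):
    """Create a throwaway home directory tree (constructed test fixture)."""
    home = os.path.join(tempfile.mkdtemp(), "alice")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    with open(keyfile, "w") as fh:
        fh.write("# placeholder authorized_keys\n")
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o700)
    os.chmod(keyfile, authorized_keys_mode)
    return home


def build_sample_host_key(mode):
    """Create a placeholder private host key file (constructed, not a real key)."""
    path = os.path.join(tempfile.mkdtemp(), "ssh_host_ed25519_key")
    with open(path, "w") as fh:
        fh.write("placeholder, not a real key\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o600, 0o664):
        print("authorized_keys %04o:" % mode, strict_modes_findings(build_sample_home(mode)))
    for mode in (0o600, 0o644):
        print("host key %04o:" % mode, host_key_findings([build_sample_host_key(mode)]))
```

       A key file that sshd silently ignores because of the StrictModes rule
       is a common reason for "public key rejected" reports; running the
       StrictModes check against the affected home directory is faster than
       raising the server's debug level.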

SEE ALSO
       scp(1),	sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-
       keyscan(1),  chroot(2),	hosts_access(5),   login.conf(5),   moduli(5),
       sshd_config(5), inetd(8), sftp-server(8)

AUTHORS
       OpenSSH	is a derivative	of the original	and free ssh 1.2.12 release by
       Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus  Friedl,	Niels  Provos,
       Theo  de	 Raadt and Dug Song removed many bugs, re-added	newer features
       and created OpenSSH.  Markus Friedl contributed	the  support  for  SSH
       protocol	versions 1.5 and 2.0.  Niels Provos and	Markus Friedl contrib-
       uted support for	privilege separation.

				 July 30 2021			       SSHD(8)

<https://www.freebsd.org/cgi/man.cgi?query=sshd&sektion=8&manpath=FreeBSD+Ports+13.0>