SSHD2

Section: SSH2 (8)
Updated: April 29, 1999

 

NAME

sshd2 - secure shell daemon

 

SYNOPSIS

sshd2 [-d debug_level_spec] [-f config_file] [-h host_key_file] [-o options] [-p port] [-v] [-g login_grace_time] [-i] [-q]

 

DESCRIPTION

Sshd2 (Secure Shell Daemon) is the daemon program for ssh2. Together these programs replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. The programs are intended to be as easy to install and use as possible.

Sshd2 is normally started at boot from /etc/rc.local or equivalent. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.

Sshd2 can be configured using command-line options or a configuration file. Command-line options override values specified in the configuration file.

 

OPTIONS

-d debug_level_spec
Debug mode. The server sends verbose debug output to stderr. This option is only intended for debugging the server. The debugging level is either a number, or a comma-separated list of assignments "ModulePattern=debug_level".
-f configuration_file
Specifies the name of the configuration file. The default is /etc/ssh2/sshd2_config.
-h host_key_file
Specifies the file from which the host key is read (default /etc/ssh2/hostkey). If sshd2 is not run as root, the default host key file will be $HOME/.ssh2/hostkey.
-o 'option'
Can be used to give options in the format used in the configuration files. This is useful for specifying options for which there is no separate command-line flag. The option has the same format as a line in the configuration file. Comment lines are not currently accepted.
-p port
Specifies the port on which the server listens for connections (default is 22).
-v
Enable verbose mode. Display verbose debugging messages. Equal to `-d 2'. This option can also be specified in the configuration file.
-q
Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged. This option can also be specified in the configuration file.
-g login_grace_time
Gives the grace time for clients to authenticate themselves (default 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit. (not yet implemented)
-i
Specifies that sshd is being run from inetd.
 

CONFIGURATION FILE

Sshd2 reads configuration data from /etc/ssh2/sshd2_config (or the file specified with -f on the command line). The file contains keyword-value pairs, one per line. Lines starting with '#' and empty lines are interpreted as comments.

The following keywords are possible. Keywords are case insensitive.

AllowedAuthentications
This keyword specifies the authentication methods that are allowed. This is a comma-separated list consisting of (currently) the words password, publickey and hostbased, each of which names an authentication method. The default is "password,publickey". With RequiredAuthentications, the sysadmin can force users to complete several authentications before they are considered authenticated.

AllowHosts
This keyword can be followed by any number of host name patterns, separated by spaces. If specified, login is allowed only from hosts whose name matches one of the patterns. '*' and '?' can be used as wildcards in the patterns. Normal name servers are used to map the client's host into a canonical host name. If the name cannot be mapped, its IP-address is used as the host name. By default all hosts are allowed to connect.

Note that sshd2 can also be configured to use tcp_wrappers using the --with-libwrap compile-time configuration option.

AllowSHosts
This keyword can be followed by any number of host name patterns, separated by spaces. If specified, .shosts (and .rhosts, /etc/hosts.equiv and /etc/shosts.equiv) entries are only honoured for hosts whose name matches one of the patterns. Normal name servers are used to map the client's host into a canonical host name. If the name cannot be mapped, its IP-address is used as the host name. By default all hosts are allowed to connect.

AuthorizationFile
Specifies the name of the user's authorization file.

CheckMail
Specifies whether sshd2 should print information about whether the user has new mail when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.) The argument must be "yes" or "no". The default is "yes".

Ciphers
Specifies the ciphers to use for encrypting the session. Currently des, 3des, blowfish, idea, arcfour and twofish are supported, of which des, 3des, arcfour, blowfish and twofish are in all distributions. Multiple ciphers can be specified as a comma-separated list. Special values for this option are: any, which allows any available cipher, including the non-encrypting cipher mode none; anystd, which allows only standard ciphers (those mentioned in the IETF SecSH draft); anycipher, which excludes the non-encrypting cipher mode none but allows all other available ciphers; and anystdcipher, which is the same as anycipher but includes only those ciphers mentioned in the IETF SecSH draft (excluding none).

DenyHosts
This keyword can be followed by any number of host name patterns, separated by spaces. If specified, login is disallowed from the hosts whose name matches any of the patterns.

DenySHosts
This keyword can be followed by any number of host name patterns, separated by spaces. If specified, .shosts (and .rhosts, /etc/hosts.equiv and /etc/shosts.equiv) entries whose name matches any of the patterns are ignored.

ForcePTTYAllocation
Forces tty allocation, i.e. allocates a tty even if a command is given. The argument must be "yes" or "no". (not yet implemented)

ForwardAgent
Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must be "yes" or "no".

ForwardX11
Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. The argument must be "yes" or "no".

HostKeyFile
Specifies the file containing the private host key (default /etc/ssh2/hostkey).

IgnoreRhosts
Specifies that rhosts and shosts files will not be used in "hostbased"-authentication (see AllowedAuthentications). /etc/hosts.equiv and /etc/shosts.equiv are still used. The argument must be "yes" or "no". The default is "no".

KeepAlive
Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving "ghost" users and consuming server resources.

The default is "yes" (to send keepalives), and the server will notice if the network goes down or the client host reboots. This avoids infinitely hanging sessions.

To disable keepalives, the value should be set to "no" in both the server and the client configuration files.

ListenAddress
Specifies the IP address of the interface to which the sshd2 server socket is bound.

LoginGraceTime
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 600 (seconds). (not yet implemented)

MaxConnections
Specifies the maximum number of connections sshd2 will handle simultaneously. This is useful in systems where spamming sshd2 with new connections can cause the system to become unstable or crash. The argument is a positive number. 0 means that number of connections is unlimited (by sshd2).

Note that the same effect can be achieved with (at least) xinetd.

NoDelay
If "yes", enable the socket option TCP_NODELAY. The argument must be "yes" or "no". The default is "no".

PasswordAuthentication
Specifies whether to use password authentication. The argument must be "yes" or "no". Note: This keyword is deprecated. Use AllowedAuthentications and RequiredAuthentications.

PasswordGuesses
Specifies the number of tries that the user has when using password authentication. The default is 3.

PermitEmptyPasswords
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The argument must be "yes" or "no".

PermitRootLogin
Specifies whether root can log in using ssh2. May be set to "yes", "nopwd", or "no". The default is "yes", allowing root logins through any of the authentication types allowed for other users. The "nopwd" value disables password-authenticated root logins. The "no" value disables root logins through any of the authentication methods. ("nopwd" and "no" are equivalent unless you have a .rhosts or .shosts in the root home directory and you haven't set up public key authentication for root.)

Root login with public key authentication when the "command" option has been specified will be allowed regardless of the value of this setting (which may be useful for taking remote backups even if root login is normally not allowed).

Port
Specifies the port number that sshd2 listens on. The current default is 22.

PrintMotd
Specifies whether sshd2 should print /etc/motd when a user logs in interactively. The default is "yes". The argument must be "yes" or "no".

PubKeyAuthentication
Specifies whether to try public key authentication. RSAAuthentication is a synonym for this keyword, and it is defined for backwards compatibility with ssh1. The argument must be "yes" or "no". Note: This keyword is deprecated. Use AllowedAuthentications and RequiredAuthentications.

PublicHostKeyFile
Specifies the file containing the public host key (default /etc/ssh2/hostkey.pub). Note: In most cases the order of configuration parameters does not matter. Here it is safest to specify HostKeyFile before this parameter.

RandomSeedFile
Specifies the name of the randomseed file.

RequiredAuthentications
Related to AllowedAuthentications, this is used to specify which authentication methods users must complete before continuing. This parameter has no default. Note: This parameter must be a subset of AllowedAuthentications. Otherwise, the server denies every connection.

QuietMode
Specifies whether the system runs in quiet mode. In quiet mode, nothing is logged in the system log, except fatal errors. The argument must be "yes" or "no".

Ssh1Compatibility
Specifies whether to use SSH1 compatibility code. With this option, sshd1 is executed when the client supports only SSH 1.x protocols. The argument must be "yes" or "no".

Sshd1Path
Specifies the path to the sshd1 daemon, which is executed if the client supports only SSH 1.x protocols. The arguments given to sshd2 are passed on to sshd1.

StrictModes
Specifies whether sshd2 should check file modes and ownership of the user's home directory and rhosts files before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The argument must be "yes" or "no". The default is "yes". (not yet implemented)

SyslogFacility
Gives the facility code that is used when logging messages from sshd2. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

UserConfigDirectory
Specifies where user-specific configuration data should be fetched from. With this, the administrator can control whichever configuration parameters they wish that are normally the users' domain. This is given as a pattern string, which is expanded by sshd2. %D is the user's home directory, %U is the user's login name, %IU is the user's user ID (uid) and %IG is the user's group ID (gid). The default is %D/.ssh2.

UserKnownHosts
Specifies whether the user's $HOME/.ssh2/knownhosts/ directory can be used to fetch host public keys when using "hostbased"-authentication. The argument must be "yes" or "no". The default is "yes".

VerboseMode
Verbose mode. Causes sshd2 to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems.
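An added example, not code from the sshd2 distribution: a small Python checker for the keyword-value format described above. It parses a constructed sshd2_config, applies the rule that RequiredAuthentications must be a subset of AllowedAuthentications (default "password,publickey" when unset, otherwise every connection is denied), and evaluates AllowHosts/DenyHosts patterns with '*' and '?' wildcards against the client's canonical host name, using the IP address when the name cannot be mapped. Checking DenyHosts before AllowHosts is this example's assumption; the page does not state the precedence.

```python
import re

# Constructed sample sshd2_config for this example (not from a real system).
SAMPLE_CONFIG = """\
# comment lines and empty lines are ignored
Port 22
allowedauthentications publickey,password
RequiredAuthentications publickey,hostbased
AllowHosts *.example.com 10.0.0.?
DenyHosts untrusted.example.com
PermitRootLogin nopwd
"""

def parse_config(text):
    """Keyword-value pairs, one per line; '#' lines and empty lines are
    comments.  Keywords are case insensitive, so they are stored lower-cased
    (this example keeps the last value if a keyword is repeated)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def auth_methods(conf, keyword):
    return {m.strip() for m in conf.get(keyword, "").split(",") if m.strip()}

def check_required_subset(conf):
    """Return RequiredAuthentications methods that AllowedAuthentications
    does not allow; a non-empty result means sshd2 denies every connection."""
    allowed = auth_methods(conf, "allowedauthentications") or {"password", "publickey"}
    return auth_methods(conf, "requiredauthentications") - allowed

def pattern_to_regex(pattern):
    """'*' matches any run of characters, '?' a single character."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)

def host_allowed(conf, canonical_name, ip):
    """canonical_name is None when the reverse mapping fails; the IP address
    is then used as the host name.  DenyHosts is checked first (assumption)."""
    name = canonical_name or ip
    if any(pattern_to_regex(p).match(name) for p in conf.get("denyhosts", "").split()):
        return False
    allow = conf.get("allowhosts", "").split()
    return not allow or any(pattern_to_regex(p).match(name) for p in allow)

if __name__ == "__main__":
    conf = parse_config(SAMPLE_CONFIG)
    print("required but not allowed:", check_required_subset(conf))
    print("alice.example.com allowed:", host_allowed(conf, "alice.example.com", "10.1.2.3"))
```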

 

LOGIN PROCESS

When a user successfully logs in, sshd2 does the following:

1. Changes to run with normal user privileges.
2. Sets up the basic environment.
3. Reads /etc/environment if it exists.
4. Changes to the user's home directory.
5. Runs the user's shell or command.

 

SSH WITH TCP WRAPPERS

When sshd2 is compiled with the tcp_wrappers libraries, the hosts.allow/hosts.deny files also control who can connect to ports forwarded by sshd2.

The program names used in the hosts.allow/hosts.deny files are sshd2 or sshd (depending on how you execute your sshd2), and sshdfwd-<portname>, sshdfwd-<portnumber> and sshdfwd-X11 for the forwarded ports on which the ssh client or server is listening.

If the port has a name defined, you must use it.

 

FILES

/etc/ssh2/sshd2_config
Contains configuration data for sshd2. This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable.
/etc/ssh2/hostkey
Contains the private part of the host key. This file is normally created automatically by "make install", but can also be created manually using ssh-keygen2(1). This file should only be owned by root, readable only by root, and not accessible to others.
/etc/ssh2/hostkey.pub
Contains the public part of the host key. This file is normally created automatically by "make install", but can also be created manually. This file should be world-readable but writable only by root. Its contents should match the private part.
/etc/ssh2/random_seed
This file contains a seed for the random number generator. This file should only be accessible by root.
$HOME/.ssh2/authorization
Contains information on how the server will verify the identity of a user. See ssh2(1) for more information.
$HOME/.hushlogin
If this file exists, sshd2 will not print information during login. (This is normally the user's last login time, the message of the day and the mail check.)

/etc/nologin
If this file exists, sshd2 refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in, and non-root connections are refused. The file should be world-readable.

$HOME/.rhosts
This file contains host-username pairs, separated by a space, one per line. The given user on the corresponding host is permitted to log in without a password. The same file is used by rlogind and rshd. sshd2 differs from rlogind and rshd in that it requires public host key authentication in addition to validating the host name retrieved from domain name servers. The file must be writable only by the user; it is recommended that it not be accessible by others.

It is also possible to use netgroups in the file. Either host or user name may be of the form +@groupname to specify all hosts or all users in the group.

$HOME/.shosts
For ssh2, this file is exactly the same as for .rhosts. However, this file is not used by rlogin and rshd, so using this permits access using ssh2 only.
/etc/hosts.equiv
This file is used during .rhosts authentication. In the simplest form, this file contains host names, one per line. Users on those hosts are permitted to log in without a password, provided they have the same user name on both machines. The host name may also be followed by a user name; such users are permitted to log in as any user on this machine (except root). Additionally, the syntax +@group can be used to specify netgroups. Negated entries start with '-'.

If the client host/user is successfully matched in this file, login is automatically permitted provided the client and server user names are the same. Additionally, successful RSA host authentication is normally required. This file must be writable only by root; it is recommended that it be world-readable.

Warning: It is almost never a good idea to use user names in hosts.equiv. Beware that it really means that the named user(s) can log in as anybody, which includes bin, daemon, adm, and other accounts that own critical binaries and directories. Using a user name practically grants the user root access. The only valid use for user names that I can think of is in negative entries. Note that this warning also applies to rsh/rlogin.

/etc/shosts.equiv
This is processed exactly as /etc/hosts.equiv. However, this file may be useful in environments that want to run both rsh/rlogin and ssh2.

$HOME/.ssh2/knownhosts/xxxxyyyy.pub
These are the public host keys of hosts from which a user wants to log in using "hostbased"-authentication (equivalent to ssh1's RhostsRSAAuthentication). Also, a user has to set up her/his $HOME/.shosts (which only ssh uses) or $HOME/.rhosts file (insecure, as it is used by the r*-commands also). If the username is the same on both hosts, it is adequate to put the public host key in /etc/ssh2/knownhosts and add the host's name to /etc/shosts.equiv (or /etc/hosts.equiv).

xxxx denotes the hostname (FQDN) and yyyy the publickey algorithm of the key.

For example, zappa.foo.fi's host key algorithm is ssh-dss. The host key would be named "zappa.foo.fi.ssh-dss.pub" in the knownhosts directory.

Possible names for publickey-algorithms are "ssh-dss" and "ssh-rsa" (without the quotes).

/etc/ssh2/knownhosts/xxxxyyyy.pub
As above, but system-wide. These can be overridden by the user by putting a file with the same name to her/his $HOME/.ssh2/knownhosts directory.

 

INSTALLATION

Sshd2 is normally run as root. If it is not run as root, it can only log in as the user it is running as, and password authentication may not work if the system uses shadow passwords. An alternative host key file must also be used.

 

AUTHORS

SSH Communications Security Ltd

For more information, see http://www.ssh.com

 

SEE ALSO

ssh2(1), ssh-keygen2(1), ssh-agent2(1), ssh-add2(1), scp2(1), sftp(1), rlogin(1), rsh(1), telnet(1)


 


This document was created by man2html, using the manual pages.
Time: 05:51:09 GMT, September 09, 1999