sshd2(8) — Maintenance
NAME
sshd2, sshd − Secure Shell daemon
SYNOPSIS
sshd2 [−D debug_level_spec] [−f file] [−h host_key_file] [−o keyword] [−p port #] [−v] [−g login_grace_time] [−i] [−q]
OPTIONS
−D debug_level_spec
Prints extensive debug information to stderr. The debug_level_spec argument is a number between 0 and 99, where 99 specifies that all debug information should be displayed, or a comma-separated list of assignments; for example, ModulePattern=debug_level. This option is intended only for debugging the server.
−f file
Specifies the name of the configuration file. The default is /etc/ssh2/sshd2_config.
−h host_key_file
Specifies the file from which the host key is read. The default file is /etc/ssh2/hostkey. If the sshd2 daemon is not run as root, the default host key file will be $HOME/.ssh2/hostkey.
−o keyword
Specifies configuration keywords. This is useful for specifying keywords for which there is no separate command-line flag. The −o option has the same format as a line in the configuration file. Comment lines are not accepted.
−p port #
Specifies the port on which the system listens for connections. The default port is 22.
−v
Displays information in verbose mode. This option can also be specified in the configuration file.
−q
Disables warning messages. This option can also be specified in the configuration file.
−g login_grace_time
Gives the grace time for clients to authenticate themselves. If the client fails to authenticate the user within this many seconds, the system disconnects and exits. The default is 600 seconds. A value of zero indicates no limit.
−i
Specifies that the sshd2 daemon is being run from the inetd daemon.
DESCRIPTION
sshd2 is the Secure Shell daemon. It must be running on the Secure Shell server. The sshd2 daemon forks a new daemon for each incoming client connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.
The sshd2 daemon can be configured using command-line options or in the sshd2_config configuration file. Command-line options override values specified in the configuration file.
The sshd2 daemon is normally run as root. If it is not run as root, it can log in only as the user it is running as, and password authentication might not work if the system uses shadow passwords. An alternative host key file must also be used.
LOGIN PROCESS
When a user successfully logs in, the sshd2 daemon:
1. Changes to run with normal user privileges.
2. Sets up a basic environment.
3. Changes to the user's home directory.
4. Runs the user's shell.
SSH WITH TCP WRAPPERS
When the sshd2 daemon is compiled with TCP wrapper libraries, the hosts.allow and hosts.deny files control who can connect to ports forwarded by the sshd2 daemon.
The names in the hosts.allow and hosts.deny files are sshd2, sshdfwd-<portname>, and sshdfwd-X11 for forwarded ports on which the Secure Shell client or server is listening.
If a port has a defined name, you must use it.
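As an added illustration that is not part of this man page, a pair of TCP wrapper control files using the daemon names listed above; the network addresses and the choice of forwarded port are assumed example values:

```text
# /etc/hosts.deny: deny by default (hosts.allow is consulted first)
ALL: ALL

# /etc/hosts.allow (192.0.2.0/24 is an example management network)
# Interactive Secure Shell logins to this server
sshd2: 192.0.2.0/255.255.255.0
# A forwarded port whose number has a defined service name (80/tcp is
# "http") must be named by that service name, as in sshdfwd-http
sshdfwd-http: 192.0.2.0/255.255.255.0
# Forwarded X11 connections: accept only from the local host
sshdfwd-X11: 127.0.0.1
```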
FILES
/etc/ssh2/sshd2_config
Contains sshd2 daemon configuration information. This file should be writable by root only; it may be readable by world, although world readability is not required.
/etc/ssh2/hostkey
Contains the private part of the host key. You can create this file by using the ssh-keygen2 command. This file should be owned by root, readable only by root, and not accessible to others.
/etc/ssh2/hostkey.pub
Contains the public part of the host key. You can create this file by using the ssh-keygen2 command. This file should be writable by root only and readable by world.
/etc/ssh2/random_seed
Contains a seed for the random number generator. This file should be accessible only by root.
$HOME/.ssh2/authorization
Contains information on how the server will verify the identity of a user. See ssh2(1) for more information.
$HOME/.hushlogin
If this file exists, the sshd2 daemon will not print information during login. (This information is normally the user’s last login time, message of the day, and mail check.)
/etc/nologin
If this file exists, the sshd2 daemon refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in, and nonroot connections are refused. The file should be readable by world.
$HOME/.rhosts
Contains a list of remote users who are not required to supply a password when they use the ssh2 command to log in. Before the user can log in, the sshd2 daemon requires public host key authentication in addition to validating the host name retrieved from domain name servers.
The file must be writable only by the user; it should not be accessible by others. You can use +@group to specify a netgroup. Negated entries start with a minus sign (-).
This file is also used by the rlogind and rshd daemons.
See .rhosts(4) for more information about the .rhosts file.
$HOME/.shosts
This file is the same as the .rhosts file except that only the sshd2 daemon uses it.
/etc/hosts.equiv
Contains the names of remote hosts and users that are equivalent to the local host or user. An equivalent host or user is allowed to use the ssh2 command to log in to such an account without supplying a password. Additionally, successful host-based authentication is normally required. This file must be writable only by root and should be readable by world.
You can use +@group to specify a netgroup. Negated entries start with a minus sign (-).
Note
The only valid use for user names should be in negated entries. Specified user names in the hosts.equiv file can log in as anybody including bin, daemon, adm, and other accounts that own critical binaries and directories.
This file is also used by the rlogind and rshd daemons.
See hosts.equiv(4) for more information about the hosts.equiv file.
/etc/shosts.equiv
This file is the same as the hosts.equiv file except that only the sshd2 daemon uses it.
$HOME/.ssh2/knownhosts/xxxxyyyy.pub
Contains the public host keys of hosts that users need to log in to when using host-based authentication.
The xxxx is the fully qualified domain name (FQDN) and yyyy is the public key algorithm. Public key algorithms are ssh-dss and ssh-rsa. For example, if the FQDN for a host is server1.foo.fi and it has a key algorithm of ssh-dss, the host key would be server1.foo.fi.ssh-dss.pub in the knownhosts directory.
A user must add the host name to a $HOME/.shosts file or a $HOME/.rhosts file.
/etc/ssh2/knownhosts/xxxxyyyy.pub
Same as the $HOME/.ssh2/knownhosts/xxxxyyyy.pub file, but system-wide. This file is overridden if the user puts a file with the same name in the $HOME/.ssh2/knownhosts directory.
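The ownership and permission rules given for the files above can be checked mechanically. The following POSIX sh script is an added example, not part of this man page or the ssh2 distribution; it takes the configuration directory, home directory and expected owners as parameters so it can also be run against a staging copy, and it assumes a stat(1) that accepts either GNU (-c) or BSD (-f) format options.

```sh
#!/bin/sh
# Added example, not part of the sshd2 man page: audit the ownership and
# permissions that the FILES section calls for. Directory, home and owner
# names are parameters so the check can run against a staging copy.
# Assumes stat(1) with GNU (-c) or BSD (-f) format options.

# mode_of FILE   -> permission bits in octal, e.g. 600
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null; }
# owner_of FILE  -> owning user name
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null; }

# audit_file FILE OWNER FORBIDDEN_MASK
# Returns 1 and prints a finding if FILE is missing, is not owned by OWNER,
# or has any permission bit set that appears in FORBIDDEN_MASK (octal).
audit_file() {
    file=$1; want_owner=$2; forbidden=$3
    [ -e "$file" ] || { echo "MISSING $file"; return 1; }
    owner=$(owner_of "$file"); mode=$(mode_of "$file")
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER   $file is owned by $owner, expected $want_owner"; return 1
    fi
    if [ $(( 0$mode & 0$forbidden )) -ne 0 ]; then
        echo "MODE    $file is $mode; bits $forbidden must be clear"; return 1
    fi
    return 0
}

# audit_sshd2_files [CONFDIR] [HOMEDIR] [ROOT_OWNER] [USER_OWNER]
# Applies the man page's rules: private key and seed root-only (mask 077),
# config and public key not writable by others (mask 022), .rhosts and
# .shosts accessible only by the user (mask 077) when they exist.
# Returns the number of files that failed; 0 means everything matched.
audit_sshd2_files() {
    confdir=${1:-/etc/ssh2}; home=${2:-$HOME}
    root_owner=${3:-root}; user_owner=${4:-$(id -un)}
    failures=0
    audit_file "$confdir/hostkey"      "$root_owner" 077 || failures=$((failures + 1))
    audit_file "$confdir/random_seed"  "$root_owner" 077 || failures=$((failures + 1))
    audit_file "$confdir/hostkey.pub"  "$root_owner" 022 || failures=$((failures + 1))
    audit_file "$confdir/sshd2_config" "$root_owner" 022 || failures=$((failures + 1))
    for f in "$home/.rhosts" "$home/.shosts"; do
        [ -e "$f" ] || continue   # optional files: audit only when present
        audit_file "$f" "$user_owner" 077 || failures=$((failures + 1))
    done
    return "$failures"
}
```

Run as root with no arguments to audit the live /etc/ssh2 directory and the invoking user's home; each finding is printed on its own line and the exit status is the number of files that failed.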
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
SEE ALSO
Commands: rcp(1), rlogin(1), rsh(1), scp2(1), sftp(1), ssh2(1), ssh-agent2(1), ssh-add2(1), sshd2(8)
Files: sshd2_config(4)