Sshd (Secure Shell Daemon) is the daemon program for ssh.
Together these programs replace rlogin and rsh programs, and
provide secure encrypted communications between two untrusted hosts
over an insecure network. The programs are intended to be as easy to
install and use as possible.
Sshd is the daemon that listens for connections from clients. It is
normally started at boot from /etc/rc.local or equivalent. It forks a
new daemon for each incoming connection. The forked daemons handle
key exchange, encryption, authentication, command execution,
and data exchange.
Sshd works as follows. Each host has a host-specific RSA key
(normally 1024 bits) used to identify the host. Additionally, when
the daemon starts, it generates a server RSA key (normally 768 bits).
This key is normally regenerated every hour if it has been used, and
is never stored on disk.
Whenever a client connects to the daemon, the daemon sends its host
and server public keys to the client. The client compares the
host key against its own database to verify that it has not changed.
The client then generates a 256-bit random number. It encrypts this
random number using both the host key and the server key, and sends
the encrypted number to the server. Both sides then start to use this
random number as a session key which is used to encrypt all further
communications in the session. The rest of the session is encrypted
using a conventional cipher. Currently, IDEA, DES, 3DES, ARCFOUR, and
TSS (a fast home-grown algorithm) are supported. IDEA is used by
default. The client selects the encryption algorithm to use from
those offered by the server.
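As an added illustration (not code from the ssh distribution or this manual page), the following Python models the key exchange just described: a 256-bit session key is encrypted under the ephemeral server key and then under the host key, and a recorded exchange no longer opens once the server key has been regenerated. It uses textbook RSA with a small Miller-Rabin key generator and omits the random padding real implementations apply; the key sizes match the text, nothing else is production-grade.

```python
import random
from math import gcd

def is_probable_prime(n, rounds=16):  # Miller-Rabin probabilistic test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def gen_prime(bits):  # random prime with exactly `bits` bits
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c
def rsa_keygen(bits):  # returns ((n, e), (n, d)) for a `bits`-bit modulus
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))
def client_key_exchange(host_pub, server_pub):
    """Client: pick a 256-bit session key and encrypt it under the smaller
    (server) modulus first, so the result still fits under the host modulus."""
    session_key = random.getrandbits(256)
    inner = pow(session_key, server_pub[1], server_pub[0])
    return session_key, pow(inner, host_pub[1], host_pub[0])
def server_key_exchange(blob, host_priv, server_priv):
    """Server: strip the host-key layer, then the server-key layer."""
    inner = pow(blob, host_priv[1], host_priv[0])
    return pow(inner, server_priv[1], server_priv[0])
def exchange_roundtrip():
    """(fresh_ok, stale_ok): the blob only decrypts with the server key that
    was current when it was made, not with a regenerated one."""
    host_pub, host_priv = rsa_keygen(1024)     # long-lived host key
    server_pub, server_priv = rsa_keygen(768)  # ephemeral server key
    key, blob = client_key_exchange(host_pub, server_pub)
    _, stale_priv = rsa_keygen(768)            # stands in for the hourly regeneration
    return (server_key_exchange(blob, host_priv, server_priv) == key,
            server_key_exchange(blob, host_priv, stale_priv) == key)
```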
Next, the server and the client enter an authentication dialog. The
client tries to authenticate itself using .rhosts authentication,
.rhosts authentication combined with RSA host authentication, RSA
challenge-response authentication, TIS challenge-response
authentication, or password-based authentication.
Rhosts authentication is normally disabled because it is fundamentally
insecure, but can be enabled in the server configuration file if
desired. System security is not improved unless rshd(8), rlogind(8),
rexecd(8), and rexd(8) are disabled (thus completely disabling
rlogin(1) and rsh(1) into that machine).
If the client successfully authenticates itself, a dialog for
preparing the session is entered. At this time the client may request
things like allocating a pseudo-tty, forwarding X11 connections,
forwarding TCP/IP connections, or forwarding the authentication agent
connection over the secure channel.
Finally, the client either requests a shell or execution of a command.
The sides then enter session mode. In this mode, either side may send
data at any time, and such data is forwarded to/from the shell or
command on the server side, and the user terminal on the client side.
When the user program terminates and all forwarded X11 and other
connections have been closed, the server sends the command's exit
status to the client, and both sides exit.
Sshd can be configured using command-line options or a configuration
file. Command-line options override values specified in the
configuration file. Sshd rereads its configuration file if it is sent
the hangup signal, SIGHUP.