SSHD (8)

SYNOPSIS

sshd [\c -b \ bits\fR\c ] [\c -d \c ] [\c -f \ config_file\fR\c ] [\c -g \ login_grace_time\fR\c ] [\c -h \ host_key_file\fR\c ] [\c -i \c ] [\c -k \ key_gen_time\fR\c ] [\c -p \ port\fR\c ] [\c -q \c ] [\c -V \ version\fR\c ]

DESCRIPTION

Sshd (Secure Shell Daemon) is the daemon program for ssh . Together these programs replace rlogin and rsh programs, and provide secure encrypted communications between two untrusted hosts over an insecure network. The programs are intended to be as easy to install and use as possible.

Sshd is the daemon that listens for connections from clients. It is normally started at boot from /etc/rc.local or equivalent. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.

Sshd works as follows. Each host has a host-specific RSA key (normally 1024 bits) used to identify the host. Additionally, when the daemon starts, it generates a server RSA key (normally 768 bits). This key is normally regenerated every hour if it has been used, and is never stored on disk.

Whenever a client connects the daemon, the daemon sends its host and server public keys to the client. The client compares the host key against its own database to verify that it has not changed. The client then generates a 256 bit random number. It encrypts this random number using both the host key and the server key, and sends the encrypted number to the server. Both sides then start to use this random number as a session key which is used to encrypt all further communications in the session. The rest of the session is encrypted using a conventional cipher. Currently, \s-1IDEA\s0 , \s-1DES\s0 , \s-13DES\s0 , \s-1ARCFOUR\s0 , and \s-1TSS\s0 (a fast home-grown algorithm) are supported. \s-1IDEA\s0 is used by default. The client selects the encryption algorithm to use from those offered by the server.

Next, the server and the client enter an authentication dialog. The client tries to authenticate itself using \|\s+2.\s0rhosts authentication, \|\s+2.\s0rhosts authentication combined with RSA host authentication, RSA challenge-response authentication, TIS channenge response authentication, or password based authentication.

Rhosts authentication is normally disabled because it is fundamentally insecure, but can be enabled in the server configuration file if desired. System security is not improved unless rshd (8), rlogind (8), rexecd (8), and rexd "(8) are disabled (thus completely disabling rlogin (1) and rsh (1) into that machine).

If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request things like allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP connections, or forwarding the authentication agent connection over the secure channel.

Finally, the client either requests a shell or execution of a command. The sides then enter session mode. In this mode, either side may send data at any time, and such data is forwarded to/from the shell or command on the server side, and the user terminal in the client side.

When the user program terminates and all forwarded X11 and other connections have been closed, the server sends command exit status to the client, and both sides exit.

Sshd can be configured using command-line options or a configuration file. Command-line options override values specified in the configuration file.

Sshd rereads its configuration file if it is sent the hangup signal, SIGHUP.

OPTIONS

-b \ bits

Specifies the number of bits in the server key (default 768).

-d

Debug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server.

-f \ configuration_file

Specifies the name of the configuration file. The default is /etc/sshd_config .

-g \ login_grace_time

Gives the grace time for clients to authenticate themselves (default 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit.

-h \ host_key_file

Specifies the file from which the host key is read (default /etc/ssh_host_key). This option must be given if sshd is not run as root (as the normal host file is normally not readable by anyone but root).

-i

Specifies that sshd is being run from inetd. Sshd is normally not run from inetd because it needs to generate the server key before it can respond to the client, and this may take tens of seconds. Clients would have to wait too long if the key was regenerated every time. However, with small key sizes (e.g. 512) using sshd from inetd may be feasible.

-k \ key_gen_time

Specifies how often the server key is regenerated (default 3600 seconds, or one hour). The motivation for regenerating the key fairly often is that the key is not stored anywhere, and after about an hour, it becomes impossible to recover the key for decrypting intercepted communications even if the machine is cracked into or physically seized. A value of zero indicates that the key will never be regenerated.

-p \ port

Specifies the port on which the server listens for connections (default 22).

-q

Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged.

-V

SSH version 2 compatibility mode. Server assumes that SSH version 2 daemon has already read the version number string from the client and this option gives the version string read from the client.

CONFIGURATION FILE

Sshd reads configuration data from /etc/sshd_config (or the file specified with -f on the command line). The file contains keyword-value pairs, one per line. Lines starting with \'#\' and empty lines are interpreted as comments.

The following keywords are possible. Keywords are case insensitive.