sshd2 (8)
  • >> sshd2 (8) ( Solaris man: System administration commands )
  • 
    NAME
         sshd2 - secure shell daemon
    
    
    SYNOPSIS
         sshd2 [-d debug_level_spec] [-f config_file]
         [-h host_key_file] [-o options] [-p port] [-v]
         [-g login_grace_time] [-i] [-q]
    
    
    
    DESCRIPTION
         Sshd2 (Secure Shell Daemon) is the daemon program for  ssh2.
         Together,  these  programs  replace  the rlogin and rsh pro-
         grams, and provide secure encrypted  communications  between
         two  untrusted hosts over an insecure network.  The programs
         are intended to be as easy to install and use as possible.
    
         Sshd2 is normally started  at  boot  from  /etc/rc.local  or
         equivalent.  It forks a new daemon for each incoming connec-
         tion.  The forked daemons handle key  exchange,  encryption,
         authentication, command execution, and data exchange.
    
         Sshd2 can be configured using command-line options or a con-
         figuration   file.   Command-line  options  override  values
         specified in the configuration file.
    
    OPTIONS
         -d debug_level_spec
              Debug mode.  The server sends verbose debug  output  to
              stderr.  This option is only intended for debugging for
              the server.  The debugging level is either a number, or
              a      comma-separated      list     of     assignments
              "ModulePattern=debug_level".
    
         -f configuration_file
              Specifies the name  of  the  configuration  file.   The
              default is /etc/ssh2/sshd2_config.
    
         -h host_key_file
              Specifies the file from which  the  host  key  is  read
              (default  /etc/ssh2/hostkey).   If  sshd2 is not run as
              root,   the   default   host   key   file    will    be
              $HOME/.ssh2/hostkey.
    
         -o 'option'
              Can be used to give options in the format used  in  the
              configuration  files.   This  is  useful for specifying
              options for which there  is  no  separate  command-line
              flag.   The option has the same format as a line in the
              configuration file.  Comment lines  are  not  currently
              accepted.
    
         -p port
              Specifies the port on which the server listens for con-
              nections. The default port is 22.
    
         -v   Enable verbose mode.  Display  verbose  debugging  mes-
              sages.  Equal to `-d 2'. This option can also be speci-
              fied in the configuration file.
    
         -q   Quiet mode.  Nothing is sent to the system  log.   Nor-
              mally the beginning, authentication, and termination of
              each connection is logged.  This  option  can  also  be
              specified in the configuration file.
    
         -g login_grace_time
              Gives the grace time for clients to authenticate  them-
              selves  (the  default  is  600 seconds).  If the client
              fails  to  authenticate  the  user  within  this   many
              seconds,  the server disconnects and exits.  A value of
              zero indicates no limit.
    
         -i   Specifies that sshd is being run from inetd.
    
         Sshd2 reads configuration data  from  /etc/ssh2/sshd2_config
         (or  the  file  specified with -f on the command line).  The
         file contains keyword-value  pairs,  one  per  line.   Lines
         starting  with  '#'  and empty lines are interpreted as com-
         ments.
    
         For the format of sshd2_config, see sshd2_config(5).
    
    
    LOGIN PROCESS
         When a user successfully logs in, sshd2 does the following:
    
         1.   Changes to run with normal user privileges.
    
         2.   Sets up basic environment.
    
         3.   Reads /etc/environment if it exists.
    
         4.   Changes to the user's home directory.
    
         5.   Runs the user's shell or command.
    
    
    SSH WITH TCP WRAPPERS
         When sshd2 is compiled with TCP wrappers libraries, then the
         hosts.allow/deny files also control who can connect to ports
         forwarded by sshd2.
    
         The program names in the hosts.allow/deny files are sshd2 or
         sshd (depending on how you  execute  sshd2),  and,  for  for-
         warded ports on which the ssh client or server is  listening,
         sshdfwd-<portname>, sshdfwd-<portnumber>, and sshdfwd-X11.
    
         If the port has a defined name, you must use it.
    
    
    FILES
         /etc/ssh2/sshd2_config
              Contains  configuration  data  for  sshd2.   This  file
              should  be writable by root only, but it is recommended
              (though not necessary) that it be world-readable.
    
         /etc/ssh2/hostkey
              Contains the private part of the host key.   This  file
              is  normally  created  automatically by "make install",
              but can also be created manually using  ssh-keygen2(1).
              This  file  should only be owned by root, readable only
              by root, and not accessible to others.
    
         /etc/ssh2/hostkey.pub
              Contains the public part of the host key.  This file is
              normally  created  automatically by "make install", but
              can also be created  manually.   This  file  should  be
              world-readable but writable only by root.  Its contents
              should match the private part.
    
         /etc/ssh2/random_seed
              This file contains a seed for the random number genera-
              tor.  This file should only be accessible by root.
    
         $HOME/.ssh2/authorization
              Contains information on how the server will verify  the
              identity of a user. See ssh2(1) for more information.
    
         $HOME/.hushlogin
              If this file exists, sshd2 will not  print  information
              during login. (This is normally the user's last login time,
              message of the day and mailcheck.)
    
    
         /etc/nologin
              If this file exists, sshd2 refuses to let anyone except
              root log in.  The contents of the file are displayed to
              anyone trying to log in, and non-root  connections  are
              refused.  The file should be world-readable.
    
    
         $HOME/.rhosts
              This file contains host-username pairs, separated by  a
              space,   one   per   line.    The  given  user  on  the
              corresponding host is permitted to log in without pass-
              word.   The  same  file  is  used  by rlogind and rshd.
              sshd2 differs from rlogind and rshd in that it requires
              public  host key authentication in addition to validat-
              ing the host name retrieved from domain  name  servers.
              The  file  must  be  writable  only  by the user; it is
              recommended that it not be accessible by others.
    
              It is also possible  to  use  netgroups  in  the  file.
              Either host or user name may be of the form +@groupname
              to specify all hosts or all users in the group.
    
         $HOME/.shosts
              For ssh2, this file is exactly the same as for .rhosts.
              However,  this  file is not used by rlogin and rshd, so
              using this permits access using ssh2 only.
    
         /etc/hosts.equiv
              This file is used during  .rhosts  authentication.   In
              its  simplest  form, this file contains host names, one
              per line.  Users on those hosts are permitted to log in
              without  a  password,  provided they have the same user
              name on both machines.  The host name may also be  fol-
              lowed  by  a user name; such users are permitted to log
              in as any user on this machine  (except  root).   Addi-
              tionally,  the  syntax  +@group  can be used to specify
              netgroups.  Negated entries start with '-'.
    
              If the client host/user is successfully matched in this
              file,  login  is  automatically  permitted provided the
              client and server user names are the  same.   Addition-
              ally,  successful host-based authentication is normally
              required.  This file must be writable only by root;  it
              is recommended that it be world-readable.
    
              Warning: It is almost never a good  idea  to  use  user
              names in hosts.equiv.  Beware that it really means that
              the named user(s) can log in as anybody, including bin,
              daemon,  adm,  and  other  accounts  that  own critical
              binaries and directories.  Using a  user  name  practi-
              cally  grants the user root access.  The only valid use
              for user names should be  in  negative  entries.   Note
              that this warning also applies to rsh/rlogin.
    
         /etc/shosts.equiv
              This is processed exactly as /etc/hosts.equiv. However,
              this  file  may  be useful in environments that want to
              run both rsh/rlogin and ssh2.
    
    
         $HOME/.ssh2/knownhosts/xxxxyyyy.pub
              These are the public host keys of  hosts  that  a  user
              wants  to  log in from using "hostbased" authentication
              (equivalent to ssh1's RhostsRSAAuthentication).  Also,
              a  user has to set up her/his $HOME/.shosts (which only
              ssh uses) or $HOME/.rhosts file  (insecure,  as  it  is
              also used by the r*-commands).  If the user name is the
              same on both hosts, it is sufficient to put the  public
              host  key  in  /etc/ssh2/knownhosts  and add the host's
              name to /etc/shosts.equiv (or /etc/hosts.equiv).
    
              xxxx denotes the host name (FQDN) and yyyy denotes  the
              public key algorithm of the key.
    
              For example, zappa.foo.fi's host key algorithm is  ssh-
              dss.  The  hostkey  would  be  named "zappa.foo.fi.ssh-
              dss.pub" in the knownhosts directory.
    
              Possible names for public key algorithms are  "ssh-dss"
              and "ssh-rsa" (without the quotes).
    
    
         /etc/ssh2/knownhosts/xxxxyyyy.pub
              As above, but system-wide. These can be  overridden  by
              the  user  by  putting  a  file  with  the same name in
              her/his $HOME/.ssh2/knownhosts directory.
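
The warning under /etc/hosts.equiv above can be checked mechanically. The following is an added example, not part of the original manual or of sshd2: it flags every entry that names a user (or a +@group of users) in a non-negated form. The function name, the sample host names, and the treatment of '#' lines as comments are assumptions.

```python
# Added example: audit a hosts.equiv / shosts.equiv file for positive user
# entries, which the manual warns practically grant root access.

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# constructed sample
build.example.org
db.example.org backup
+@trusted_hosts
ops.example.org +@admins
dev.example.org -guest
"""

def audit_hosts_equiv(text):
    """Return (line_number, entry, reason) for each non-negated user field."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: blank lines and lines starting with '#' carry no entry.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # host-only entry: same-name logins only
        user = fields[1]
        if user.startswith("-"):
            continue  # negative entry, the only use the manual calls valid
        if user.startswith("+@"):
            reason = "netgroup of users may log in as any non-root account"
        else:
            reason = "user may log in as any non-root account"
        findings.append((number, line, reason))
    return findings

if __name__ == "__main__":
    for number, entry, reason in audit_hosts_equiv(SAMPLE):
        print(f"line {number}: {entry!r}: {reason}")
```

The same function applies to /etc/shosts.equiv, which the manual says is processed exactly as /etc/hosts.equiv.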
    
    
    
    INSTALLATION
         Sshd2 is normally run as root.  If it is not run as root, it
         can  only  log in as the user it is running as, and password
         authentication may not work if the system uses shadow  pass-
         words.  An alternative host key file must also be used.
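
The ownership and mode requirements listed under FILES can be verified with a short script. This is an added example, not part of the original manual or of sshd2: the POLICY table, function names, and the owner_uid parameter (for the non-root case described above) are assumptions, and only classic mode bits are examined, not ACLs.

```python
# Added example: check the files from the FILES section against the
# permissions the manual asks for.
import os
import stat

# path -> (mode bits that must be clear, mode bits that must be set),
# transcribed from the FILES section; ownership is checked separately.
POLICY = {
    "/etc/ssh2/sshd2_config": (0o022, 0),      # writable by root only
    "/etc/ssh2/hostkey":      (0o077, 0),      # readable only by root
    "/etc/ssh2/hostkey.pub":  (0o022, 0o004),  # world-readable, root-writable
    "/etc/ssh2/random_seed":  (0o077, 0),      # accessible only by root
    "/etc/hosts.equiv":       (0o022, 0),      # writable only by root
    "/etc/shosts.equiv":      (0o022, 0),      # assumed same as hosts.equiv
}

def check_file(path, forbidden, required=0, owner_uid=0):
    """Return a list of problems for one file; a missing file yields none."""
    try:
        st = os.lstat(path)  # lstat: a symlink is reported, not followed
    except FileNotFoundError:
        return []
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != owner_uid:
        problems.append(f"owner uid {st.st_uid}, expected {owner_uid}")
    if mode & forbidden:
        problems.append(f"mode {mode:04o} grants forbidden bits {mode & forbidden:04o}")
    if (mode & required) != required:
        problems.append(f"mode {mode:04o} lacks required bits {required & ~mode:04o}")
    return problems

def audit(policy=POLICY, owner_uid=0):
    """Check every policy path and return {path: problems} for failures only."""
    report = {}
    for path, (forbidden, required) in policy.items():
        problems = check_file(path, forbidden, required, owner_uid)
        if problems:
            report[path] = problems
    return report

if __name__ == "__main__":
    for path, problems in audit().items():
        print(path, "; ".join(problems))
```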
    
    
    AUTHORS
         SSH Communications Security Corp
    
         For more information, see http://www.ssh.com.
    
    
    SEE ALSO
         sshd2_config(5),  ssh2(1),  ssh-keygen2(1),   ssh-agent2(1),
         ssh-add2(1), scp2(1), sftp(1), rlogin(1), rsh(1), telnet(1)
    
    
    
    

