SSHD

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
FILES
COPYRIGHT
SEE ALSO

NAME

sshd - Secure Shell daemon.

SYNOPSIS

sshd [-4] [-6] [-b] [-d level] [-D level] [-f config_file]

[-g login_timeout] [-h host_key_file] [-m file] [-o options]

[-p port] [-q] [-v] [-V]

DESCRIPTION

sshd (Secure Shell server) is the server daemon for ssh(1).

The sshd daemon listens for client connections and starts an independent child process for each new connection.

A script is installed, which you can use to start, stop, and restart the sshd service. Using the script to start the server invokes the following sshd command.

sshd -oPidFile=sshd_PidFile_keyword_value

To run the sshd service directly, log in as root and use full path information:

/usr/sbin/sshd options

Note: Do not use inetd to launch sshd. This is not a supported configuration. Attempting this configuration in FIPS mode results in extremely long connection times for each user connection; this is because sshd needs to run required self tests for each connection.

Authentication

Secure Shell connections require both server and client authentication. The server is automatically configured to use a host key for server authentication. The server installation package checks to see if an existing host key pair is already present. If no host key is found, the package creates a new host key pair and the server uses this pair for host authentication. If a host key already exists in /etc/ssh2, Reflection for Secure IT uses this key. If an OpenSSH host key is found in /etc/ssh, Reflection for Secure IT migrates the key to the correct format and location and uses the migrated key.

Client authentication enables the server to confirm the identity of the client user. To specify which methods the server allows, use the AllowedAuthentications keyword in the server configuration file (/etc/ssh2/sshd2_config). To require one or more authentication methods, use RequiredAuthentications.

If you use Secure Shell public keys to authenticate client users, you need to configure both the client and the server. On the client, generate the key and then add a line for this key to the client identification file (~/.ssh2/identification). This file lists the keys the client presents for authentication. For details see FILES in ssh(1). On the server, copy each client user's public key to that user's Secure Shell directory (~/.ssh2) and add the key to the user's authorization file (~/.ssh2/authorization by default). This file lists the keys the server accepts for user authentication. For details see FILES in sshd(8).

Encryption and Data Integrity Checking

Once a session is established, all data that passes between the client and server is encrypted using a symmetric cipher. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. You can configure which ciphers the server supports using the Ciphers keyword.

Secure Shell connections use MACs (message authentication codes) to ensure data integrity. The client and server independently compute a hash for each packet of transferred data. If the message has changed in transit, the hash values are different and the packet is rejected. The MAC used for a given session is the MAC highest in the client's order of preference that is also supported by the server. You can configure which MACs the server supports using the MACs keyword.

Server Settings

You can configure sshd using the command-line options described below, and by using configuration files. The default global configuration file is /etc/ssh2/sshd2_config. This file is applied to all connections. You can also configure user-specific and host-specific settings by creating and configuring subconfiguration files. For details, see sshd2_config(5).

Changes you make to the main server configuration file affect new connections immediately; you do not need to restart the server. Existing connections remain active using their original settings; subsequent connections use the new settings. Note: Changes to Port, ListenAddress and FipsMode require a restart.

OPTIONS

-4

Forces connections using IPv4 addresses only. You can also configure IP address requirements using the AddressFamily keyword.

-6

Forces connections using IPv6 addresses only. You can also configure IP address requirements using the AddressFamily keyword.

-b

When this option is specified sshd doesn't detach and doesn't become a daemon. This can be used for monitoring.

-d level

Sets the debug level and sends debug output to stderr. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.) With this option sshd logs information for only one client connection, and terminates after the client connection closes.

Note: Setting logging to 99 can increase your security risk. At this level, information leakage is a concern, as unencrypted protocol information may be written out. Also, the volume of information written may fill up disk space rapidly, potentially causing the host or Reflection for Secure IT to stop responding.

-D level

Sets the debug level and sends debug output to a file. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.) With this option, sshd does not terminate after a client connection closes. This setting can only be used by root.

The output file is located in /etc/ssh2/logs and uses a file name in the form: debugYYMMDD_HHMMSS_uniqueID, where YY=year, MM=month, DD=day, HH=hour, MM=minutes, SS=seconds, and uniqueID is a unique value that ensures that servers started at the same time use different logs.

-f config_file

Specifies an alternate name and location for the server configuration file. The server reads the specified file instead of the default file. (The default configuration file is /etc/ssh2/sshd2_config.)

-g login_timeout

Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit.

-m file

Use this option to migrate settings from a F-Secure configuration file or a prior version of Reflection for Secure IT. The specified should be the name of the server configuration file to be migrated.

-h host_key_file

Specifies the filename and location of the private key used to authenticate the server. If the path is not fully qualified, the path is assumed to be relative to /etc/ssh2. The default is /etc/ssh2/hostkey.

-o option

Sets any option that can be configured using a configuration file keyword. For a list of keywords and their meanings, see sshd2_config(5). Options configured on the command line override options configured in the configuration file. Syntax alternatives are shown below. Use quotation marks to contain expressions that include spaces.


-o key1=value
-o key1="sample value"
-o "key1 value"
-o key=value1,value2
-o key="value1, value2"

To configure multiple options, use multiple -o switches.

-o key1=value -o key2=value

-p port

Specifies the port on which the server listens. The default is 22, which is the standard port for Secure Shell connections. The command line value overrides any value set in the configuration file. Only one port is allowed; if you configure multiple ports, the last configured port is used.

-q

Enables quiet mode. In this mode only errors are logged to the system log. (Both -d and -D are ignored if -q is used on the same command line.)

-v

Sets the debug level to verbose mode, which is equivalent to using `-d 2'.

-V

Displays product name and version information and exits. If other options are specified on the command line, they are ignored.

FILES

The server uses system-wide files (in /etc/ssh2) for all connections. Files in user-specific directories (~/.ssh2 by default) apply to connections from individual client users.

System-wide server files

/etc/ssh2/sshd2_config

The global server configuration file. This file must not be writable by group or other. For file format and supported settings see sshd2_config(5). Recommended permissions = 644.

/etc/ssh2/hostkey

The default private key of the public/private key pair used to identify the server to clients. This file should be readable and writable only by root. This file must be limited to user-only read and write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.

/etc/ssh2/hostkey.pub

The default public key of the public/private key pair used to authenticate the server to clients. Recommended permissions = 644.

/etc/ssh2/subconfig

Directory for optional user-specific and host-specific subconfiguration files. Recommended permissions = 700.

/etc/ssh2/subconfig/<subconfig_file>

User-specific and host-specific subconfiguration files. For details see SUBCONFIGURATION FILES in sshd2_config(5).

/etc/ssh2/environment

If this file is present, it sets environment variable settings to use for all Secure Shell client connections to this server. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment. If the same environment variable is configured in this global file and also in a user-specific environment file (~/.ssh2/environment), the user-specific value overrides the global value. The pound sign (#) marks comment lines. The syntax is:

environment_variable=value

/etc/nologin

Limits login to root. If this file exists, only root is allowed to login. The text of nologin is displayed to anyone else who attempts to log in.

<piddir>/sshd2_22.pid

Contains the PID of the process listening for incoming connections. The PID directory is determined by your operating system. The port number (22 by default) encoded in this name is determined by the value of the Port keyword. You can specify a different name or location using the PidFile keyword.

/etc/motd

The message-of-the-day file. The text of this file is displayed when a user logs in. The PrintMotd keyword can be used to turn off this display.

/etc/ssh2/radius_config

A user-created file listing one or more RADIUS authentication servers. The file name suggested above is not required. After you create this file, use the RadiusFile keyword to specify your file name. For each RADIUS server, you need to enter the name, port, and shared secret. Recommended permissions = 600. The syntax is:

server1:port1:shared_secret1
server2:port2:shared_secret2

User-specific server files

~/.ssh2: The default directory for user-specific files on the server. (You can specify a different location with the UserConfigDirectory keyword.) Recommended permissions = 700.
~/.ssh2/authorization: The default client authorization file. (You can specify a different file with the AuthorizationFile keyword.) This file is required for Secure Shell public key authentication of client users. Each user must have an authorization file in that user's directory. This file must be limited to user-only write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.
: The file contains a list of key files that the server will use during public key authentication. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails. Keywords are not case sensitive and the pound sign (#) marks comment lines. The supported keywords are:
: key
: Specifies keys the server will accept for this user. The format for key entries is "key" followed by the name of a file that contains a public key. Keys are assumed to be in the user-specific configuration directory (~/.ssh2 by default) unless you specify an absolute path. For example, the following lines authorize the user to authenticate using either of the specified keys.
: key mykey.pub
: key id_rsa_2048_a.pub
: options
: Use this optional keyword to specify options that apply to the preceding key. All options for a given key must be configured on a single line. White space is allowed. Options must be configured on the line immediately following the line containing the key. The format is:
: Options option_keyword="arg", [option_keyword="arg"],...
: Three Options keywords are supported: command, allow-from, and deny-from.
: command command
: The specified command is executed on the remote host, then the connection is closed. For example, with this configuration, the script "myscript" runs whenever mykey.pub is used for authentication.
: key mykey.pub
: options command="sh myscript"
: allow-from IP-address
: The key is allowed only for connections from the specified IP address. For example, the following configuration allows the specified key to be used only for connections from IP addresses starting with "150." and "10.10.".
: Key /home/joe/.ssh/mykey.pub
: options allow-from="150\..*,10\.10\..*"
: deny-from IP-address
: The key is not allowed for connections from the specified IP address.
: Notes: To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).
~/.hushlogin: If this file is present, it suppresses display of the user's last login, the message of the day, and the mail check.
~/.ssh2/environment: If this file is present, it sets environment variables to set for this user at login. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment, and also override settings configured in the global file (/etc/ssh2/environment). The pound sign (#) marks comment lines. The syntax is:
: environment_variable=value