sshd2 man page on DigitalUNIX


sshd2(8)							      sshd2(8)

NAME
       sshd2, sshd - Secure shell daemon

SYNOPSIS
       sshd2  [-d  debug_level_spec]  [-f  config_file] [-h host_key_file] [-o
       options] [-p port ] [-v] [-g login_grace_time] [-i] [-q]

OPTIONS
       -d debug_level_spec
              Sends extensive debug information to stderr. The
              debug_level_spec argument is a number between 0 and 99, where
              99 specifies that all debug information should be displayed,
              or it can be a comma-separated list of assignments, such as
              ModulePattern=debug_level. This option is intended only for
              debugging the server.

       -f config_file
              Specifies the name of the configuration file. The default is
              /etc/ssh2/sshd2_config. If this is specified, the default
              configuration file is not read.

       -h host_key_file
              Specifies the file from which the host key is read. The
              default file is /etc/ssh2/hostkey. If the sshd2 daemon is not
              run as root, the default host key file will be
              $HOME/.ssh2/hostkey.

       -o options
              Specifies configuration keywords. This is useful for
              specifying keywords for which there is no separate
              command-line flag. The -o option has the same format as a
              line in the configuration file. Comment lines are not
              accepted. Where applicable, the egrep regex format is used.

       -p port
              Specifies the port on which the system listens for
              connections. The default port is 22.

       -v     Enables the verbose mode, and displays verbose debugging
              messages. This option can also be specified in the
              configuration file.

       -q     Enables quiet mode. Nothing is sent to the system log.
              Normally the beginning, authentication, and termination of
              each connection is logged. This option can also be specified
              in the configuration file.

       -g login_grace_time
              Gives the grace time for clients to authenticate themselves.
              The default is 600 seconds. If the client fails to
              authenticate the user within the specified time, the system
              disconnects and exits. A value of zero indicates no limit.

       -i     Specifies that the sshd2 daemon is being run from the inetd
              daemon.
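
A review of an sshd2 argument list against the options above, as an added example that is not part of the original man page or the sshd2 distribution. The function name and the sample command lines are assumptions made for illustration; the option letters and defaults are the ones this page gives.

```shell
#!/bin/sh
# Added example, not part of the sshd2 distribution.

# review_sshd2_args ARG...: parse an sshd2 argument list with the option
# letters from the SYNOPSIS and print one finding per setting that reduces
# logging, removes the authentication time limit, or replaces a default file.
review_sshd2_args() {
    OPTIND=1
    while getopts ":d:f:h:o:p:vg:iq" opt "$@"; do
        case $opt in
            d) echo "-d $OPTARG: debug output, intended only for debugging" ;;
            q) echo "-q: nothing is sent to the system log" ;;
            g) if [ "$OPTARG" = 0 ]; then
                   echo "-g 0: no time limit for authentication"
               fi ;;
            f) if [ "$OPTARG" != /etc/ssh2/sshd2_config ]; then
                   echo "-f $OPTARG: default configuration file is not read"
               fi ;;
            h) if [ "$OPTARG" != /etc/ssh2/hostkey ]; then
                   echo "-h $OPTARG: non-default host key file"
               fi ;;
            o) echo "-o $OPTARG: overrides the configuration file" ;;
            \?) echo "-$OPTARG: option not in the SYNOPSIS" ;;
            :) echo "-$OPTARG: missing argument" ;;
        esac
    done
    return 0
}

# Constructed sample command lines, as they might appear in a process listing.
review_sshd2_args -p 22
review_sshd2_args -q -g 0 -f /tmp/alt_config
```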

DESCRIPTION
       The sshd2 Secure Shell daemon runs on the Secure Shell server. It is
       normally run as root, and is the server counterpart for ssh2.
       Together, these programs replace and extend the rlogin and rsh
       services, and provide secure encrypted communication channels between
       two hosts connected over an insecure network. They are intended to be
       easy to install and use.

       The sshd2 daemon is normally started at boot time from /etc/rc.local or
       its equivalent. It forks a new daemon for each incoming connection.
       The forked daemons handle key exchange, encryption, authentication,
       command execution, and data exchange.

       The sshd2 daemon can be configured using command-line options or a
       configuration file. Command-line options override values specified in
       the configuration file. The sshd2 daemon reads configuration data
       from the /etc/ssh2/sshd2_config file (or the file specified with the -f
       option on the command line). The file contains keyword-value pairs,
       one per line. Lines starting with the pound (#) sign and empty lines
       are interpreted as comments.

       Subconfiguration files can also be specified in the main configuration
       file. However, if changes are made in the main configuration file, the
       sshd2 daemon must be restarted.

       The coredump size is set to zero by ssh.

   LOGIN PROCESS
       When a user successfully logs in, the sshd2 daemon takes the following
       steps:

       1.  Changes the process to run with normal user privileges.
       2.  Sets up basic environment.
       3.  Reads the /etc/environment file if it exists.
       4.  Changes to the user's home directory.
       5.  Runs the user's shell or command.

   SSH WITH TCP WRAPPERS
       When the sshd2 daemon is compiled with TCP wrapper libraries, the
       hosts.allow and hosts.deny files control who can connect to ports
       forwarded by the sshd2 daemon.

       The names in the hosts.allow and hosts.deny files are sshd2,
       sshdfwd-<portname>, and sshdfwd-X11 for forwarded ports on which the
       Secure Shell client or server is listening.

       If a port has a defined name, you must use it.

FILES
       Contains sshd2 daemon configuration information. This file should be
       writable by root only and readable by world (though not necessary).

       Contains the private part of the host key. You can create this file
       automatically by running the make install command or manually by using
       the ssh-keygen2 command. This file contains vital cryptographic
       information, and should only be read or modified by root.

       Contains the public part of the host key. You can create this file
       automatically by running the make install command or manually by using
       the ssh-keygen2 command. This file should be writable by root only and
       readable by world.

       Contains a seed for the random number generator. This file should be
       accessible only by root.

       Contains information on how the server will verify the identity of a
       user. See ssh2(1) for more information.

       If this file exists, the sshd2 daemon will not print information during
       login. (This information is normally the user's last login time,
       message of the day, and mail check.)

       If this file exists, the sshd2 daemon refuses to let anyone except root
       log in. The contents of the file are displayed to anyone trying to log
       in. The file should be readable by world.

       Contains a list of remote users who are not required to supply a
       password when they use the ssh2 command to log in. Before the user can
       log in, the sshd2 daemon requires public host key authentication in
       addition to validating the host name retrieved from domain name
       servers.

	      The file must be writable only by the user; it should not be
	      accessible by others. You can use +@group to specify a
	      netgroup.

	      This file is also used by the rlogind and rshd daemons.

	      See  for more information about the file.

	      This file is the same as the file, except it allows access only
	      through ssh2.

	      Contains the names of remote hosts and users that are equivalent
	      to the local host or user. An equivalent host or user is allowed
	      to use the ssh2 command to log in to such an account without
	      supplying a password, provided they have the same user name on
	      both machines. Additionally, successful host-based
	      authentication is normally required. This file must be writable
	      only by root and should be readable by world.

	      You  can	use  +@group  to  specify a netgroup.  Negated entries
	      start with a minus sign (-).

					    Note

	      The only valid use for user names should be in negated entries.
	      Specified user names in the hosts.equiv file can log in as
	      anybody including bin, daemon, adm, and other accounts that own
	      critical binaries and directories.

	      See hosts.equiv(4) for more information about the hosts.equiv
	      file.

	      This file is the same as the hosts.equiv file except it allows
	      access only through ssh2.

	      Contains the public host keys of hosts that users need to log in
	      to when using host based authentication.

	      The  xxxx	 is the fully qualified domain name (FQDN) and yyyy is
	      the public key algorithm. Public key algorithms are ssh-dss  and
	      ssh-rsa.	 For example, if the FQDN for a host is server1.foo.fi
	      and it has a key algorithm of ssh-dss, the  host	key  would  be
	      server1.foo.fi.ssh-dss.pub in the knownhosts directory.

	      A user must add the host name to a $HOME/.shosts file or an
	      $HOME/.rhosts file. If the user name is the same in both hosts,
	      it is adequate to put the public host key in
	      /etc/ssh2/knownhosts and add the host's name to
	      /etc/shosts.equiv (or /etc/hosts.equiv).

	      Same as the $HOME/.ssh2/knownhosts/xxxxyyyy.pub file, but
	      system-wide. This file is overridden if the user puts a file
	      with the same name in the $HOME/.ssh2/knownhosts directory.
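
An audit of the equivalence and knownhosts files described above, as an added example that is not part of the original man page or the sshd2 distribution. It flags user fields that are not negated, trusted hosts with no public host key file, and user-level key files that override a system-wide one. The function names, the sample host, user and netgroup names, and the treatment of '#' lines as comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the sshd2 distribution.
# Assumption: blank lines and lines starting with '#' are ignored.

# Flag entries whose user field is not negated (see the Note above).
audit_equiv_entries() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         NF >= 2 && $2 !~ /^-/ {
             printf "%s:%d: user field \"%s\" is not negated\n", FILENAME, FNR, $2
         }' "$1"
}

# For each plain host name in equivalence file $1, look for
# <FQDN>.<algorithm>.pub in the user ($2) and system-wide ($3) knownhosts
# directories: report hosts with no key and user files that override.
audit_equiv_keys() {
    awk 'NF && $1 !~ /^[#+-]/ { print $1 }' "$1" | while read -r host; do
        found=no
        for alg in ssh-dss ssh-rsa; do
            name="$host.$alg.pub"
            if [ -f "$2/$name" ] || [ -f "$3/$name" ]; then found=yes; fi
            if [ -f "$2/$name" ] && [ -f "$3/$name" ]; then
                echo "$host: $2/$name overrides the system-wide key"
            fi
        done
        if [ "$found" = no ]; then echo "$host: no public host key file"; fi
    done
}

# Constructed sample; host, user and netgroup names are made up.
make_sample() {
    mkdir -p "$1/user" "$1/system"
    printf '%s\n' '# trusted build hosts' 'build1.example.org' '+@trustedhosts' \
        'build2.example.org -mallory' 'build3.example.org alice' > "$1/shosts.equiv"
    touch "$1/system/build1.example.org.ssh-dss.pub" \
          "$1/user/build1.example.org.ssh-dss.pub" \
          "$1/system/build2.example.org.ssh-rsa.pub"
}

demo="${TMPDIR:-/tmp}/sshd2-equiv-demo.$$"
make_sample "$demo"
audit_equiv_entries "$demo/shosts.equiv"
audit_equiv_keys "$demo/shosts.equiv" "$demo/user" "$demo/system"
rm -rf "$demo"
```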

LEGAL NOTICES
       SSH is a registered trademark of SSH Communication Security Ltd.

SEE ALSO
       Commands: rcp(1), rlogin(1), rsh(1), scp2(1), sftp(1), ssh2(1),
       ssh-agent2(1), ssh-add2(1), ssh-keygen2(1), telnet(1), sshd2(8),
       sshd2-check-conf(8)

       Files: sshd2_config(4)

								      sshd2(8)
Copyright (c) for man pages and the logo by the respective OS vendor.
