sshd - Secure Shell daemon.


sshd [-d level] [-D level] [-f config_file]
     [-g login_timeout] [-h host_key_file] [-o options]
     [-p port] [-q] [-v] [-V]


sshd (Secure Shell server) is the server daemon for ssh(1).

The sshd daemon listens for client connections and starts an independent child process for each new connection.


Secure Shell connections require both server and client authentication. The server is automatically configured to use a host key for server authentication. The server installation package checks to see if an existing host key pair is already present. If no host key is found, the package creates a new host key pair and the server uses this pair for host authentication. If a host key already exists in /etc/ssh2, Reflection for Secure IT uses this key. If an OpenSSH host key is found in /etc/ssh, Reflection for Secure IT migrates the key to the correct format and location and uses the migrated key.

Client authentication enables the server to confirm the identity of the client user. To specify which methods the server allows, use the AllowedAuthentications keyword in the server configuration file (/etc/ssh2/sshd2_config). To require one or more authentication methods, use RequiredAuthentications.

If you use Secure Shell public keys to authenticate client users, you need to configure both the client and the server. On the client, generate the key and then add a line for this key to the client identification file ($HOME/.ssh2/identification). This file lists the keys the client presents for authentication. For details see FILES in ssh(1). On the server, copy each client user's public key to that user's Secure Shell directory ($HOME/.ssh2) and add the key to the user's authorization file ($HOME/.ssh2/authorization by default). This file lists the keys the server accepts for user authentication. For details see FILES in sshd(8).

Encryption and Data Integrity Checking

Once a session is established, all data that passes between the client and server is encrypted using a symmetric cipher. The client and server agree on a cipher during the key exchange portion of the connection process. The client presents a list of supported ciphers in order of preference. The cipher used for a given session is the first item in this list that is also supported by the server. You can configure which ciphers the server supports using the Ciphers keyword.

Secure Shell connections use MACs (message authentication codes) to ensure data integrity. The client and server independently compute a hash for each packet of transferred data. If the message has changed in transit, the hash values are different and the packet is rejected. The MAC used for a given session is the MAC highest in the client's order of preference that is also supported by the server. You can configure which MACs the server supports using the MACs keyword.

Server Settings

You can configure sshd using the command-line options described below, and by using configuration files. The default global configuration file is /etc/ssh2/sshd2_config. This file is applied to all connections. You can also configure user-specific and host-specific settings by creating and configuring subconfiguration files. For details, see sshd2_config(5).

Changes you make to the main server configuration file affect new connections immediately; you do not need to restart the server. Existing connections remain active using their original settings; subsequent connections use the new settings.

Note: Changes to Port, ListenAddress, and MaxStartups require a restart.


-d level

Sets the debug level and sends debug output to stderr. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.) With this option sshd logs information for only one client connection, and terminates after the client connection closes.

-D level

Sets the debug level and sends debug output to a file. This setting can only be used by root. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.) With this option, sshd does not terminate after a client connection closes.

The output file is located in /etc/ssh2 and uses a file name in the form: debugYYMMDD_HHMMSS, where YY=year, MM=month, DD=day, HH=hour, MM=minutes, and SS=seconds.

-f config_file

Specifies an alternate name and location for the server configuration file. The server reads the specified file instead of the default file. (The default configuration file is /etc/ssh2/sshd2_config.)

-g login_timeout

Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit.

-h host_key_file

Specifies the file name and location of the private key used to authenticate the server. If the path is not fully qualified, the path is assumed to be relative to /etc/ssh2. The default is /etc/ssh2/hostkey.

-o option

Sets any option that can be configured using a configuration file keyword. For a list of keywords and their meanings, see sshd2_config(5). Options configured on the command line override options configured in the configuration file. Syntax alternatives are shown below. Use quotation marks to contain expressions that include spaces.

-o key1=value

-o key1="sample value"

-o "key1 value"

To configure multiple options, use multiple -o switches.

-o key1=value -o key2=value

-p port

Specifies the port on which the server listens. The default is 22, which is the standard port for Secure Shell connections. The command line value overrides any value set in the configuration file. Only one port is allowed; if you configure multiple ports, the last configured port is used.


-q

Enables quiet mode. In this mode only errors are logged to the system log. (Both -d and -D are ignored if -q is used on the same command line.)

-v

Sets the debug level to verbose mode, which is equivalent to using -d 2.

-V

Displays product name and version information and exits. If other options are specified on the command line, they are ignored.


The server uses system-wide files (in /etc/ssh2) for all connections. Files in user-specific directories ($HOME/.ssh2 by default) apply to connections from individual client users.

System-wide server files


The global server configuration file. This file must not be writable by group or other. For file format and supported settings see sshd2_config(5). Recommended permissions = 644.


The default private key of the public/private key pair used to identify the server to clients. This file should be readable and writable only by root. Recommended permissions = 600.


The default public key of the public/private key pair used to authenticate the server to clients. Recommended permissions = 644.


Directory for optional user-specific and host-specific subconfiguration files. Recommended permissions = 700.


User-specific and host-specific subconfiguration files. For details see SUBCONFIGURATION FILES in sshd2_config(5). Recommended permissions = 600.


Limits login to root. If this file exists, only root is allowed to log in. The text of nologin is displayed to anyone else who attempts to log in.


Contains the PID of the process listening for incoming connections. The PID directory is determined by your operating system. The port number (22 by default) encoded in this name is determined by the value of the Port keyword. You can specify a different name or location using the PidFile keyword.


The message-of-the-day file. The text of this file is displayed when a user logs in. The PrintMotd keyword can be used to turn off this display.
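The recommended permissions above for the global configuration file and the default private host key can be checked mechanically. The following is an added example, not part of the product documentation: it flags any permission bits beyond the recommended mode. The root and owner_uid parameters are assumptions of this sketch, and only the two paths this page names explicitly are included.

```python
import os
import stat

# Modes recommended on this page, for the two system-wide paths it names.
RECOMMENDED = {
    "/etc/ssh2/sshd2_config": 0o644,  # must not be writable by group or other
    "/etc/ssh2/hostkey": 0o600,       # private host key: root read/write only
}

def audit(rules=RECOMMENDED, root="/", owner_uid=None):
    """Return (path, finding) pairs for files looser than recommended.

    root lets the check run against a mounted image or test tree;
    owner_uid (0 on a live system) enables the ownership check.
    """
    findings = []
    for path, recommended in sorted(rules.items()):
        target = os.path.join(root, path.lstrip("/"))
        try:
            st = os.lstat(target)  # lstat: do not follow a planted symlink
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        # Any bit set in the file mode but not in the recommended mode.
        extra = stat.S_IMODE(st.st_mode) & ~recommended
        if extra:
            findings.append((path, "extra permission bits %04o" % extra))
        if owner_uid is not None and st.st_uid != owner_uid:
            findings.append((path, "owned by uid %d" % st.st_uid))
    return findings

if __name__ == "__main__":
    for path, finding in audit(owner_uid=0):
        print(path, finding)
```

A mode stricter than the recommendation produces no finding; only additional bits are reported.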

User-specific server files


The default directory for user-specific files on the server. (You can specify a different location with the UserConfigDirectory keyword.) Recommended permissions = 700.


The default client authorization file. (You can specify a different file with the AuthorizationFile keyword.) This file is required for Secure Shell public key authentication of client users. Each user must have an authorization file in that user's directory. Recommended permissions = 600.

The file contains a list of key files that the server will use during public key authentication. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails. Keywords are not case sensitive and the pound sign (#) marks comment lines. The supported keywords are:


Specifies keys the server will accept for this user. The format for key entries is "key" followed by the name of a file that contains a public key. Keys are assumed to be in the user-specific configuration directory ($HOME/.ssh2 by default) unless you specify an absolute path. For example, the following lines authorize the user to authenticate using either of the specified keys.




Use this optional keyword to specify options that apply to the preceding key. Options must be configured on the line immediately following the line containing the key. The format is:

Options option_keyword="arg"

One option keyword is supported:

command command

The specified command is executed on the remote host, then the connection is closed. For example, with this configuration, the script "myscript" runs whenever is used for authentication.


options command="sh myscript"
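The authorization file format described above can be linted to see which keys carry a forced command and which do not. This is an added example, not code from the product: the sample file names, the config_dir default and the strict treatment of a blank line between a key and its options line are assumptions.

```python
import posixpath
import re

OPTION_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample (file names are made up); line 7 is separated from its key.
SAMPLE = '''\
# authorization file for a hypothetical user
Key backup.pub
Options command="sh myscript"
key /srv/keys/admin.pub
KEY deploy.pub

options command="sh deploy.sh"
'''

def parse_authorization(text, config_dir="/home/alice/.ssh2"):
    """Return (entries, problems); command None means no forced command."""
    entries, problems, last_key_line = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # keywords are not case sensitive
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "key" and rest:
            # Relative names live in the user configuration directory.
            path = rest if posixpath.isabs(rest) else posixpath.join(config_dir, rest)
            entries.append({"key": path, "command": None})
            last_key_line = lineno
        elif keyword == "options":
            found = OPTION_RE.findall(rest)
            if last_key_line != lineno - 1:
                # Assumption: strict reading of "immediately following".
                problems.append((lineno, "options not directly after a key line"))
            elif not found or any(n.lower() != "command" for n, _ in found):
                problems.append((lineno, "unsupported or malformed option"))
            else:
                entries[-1]["command"] = found[-1][1]
        else:
            problems.append((lineno, "unrecognized line"))
    return entries, problems

def unrestricted_keys(entries):
    """Keys with no forced command attached."""
    return [e["key"] for e in entries if e["command"] is None]

if __name__ == "__main__":
    entries, problems = parse_authorization(SAMPLE)
    print("unrestricted:", unrestricted_keys(entries))
    print("problems:", problems)
```

In the sample, the options line meant for deploy.pub is reported as misplaced, so that key is listed as unrestricted alongside admin.pub.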


If this file is present, it suppresses display of the user's last login, the message of the day, and the mail check.


If this file is present, it sets environment variables at login. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 600. The pound sign (#) marks comment lines. The syntax is:



Copyright (C) 2008 Attachmate Corporation


ssh(1), ssh2_config(5), ssh-keygen(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), sshd2_config(5)

Additional Reflection for Secure IT documentation is available online from the Attachmate documentation web page:

And from the technical note library: