sshd - Secure Shell daemon.
sshd [-4] [-6] [-d level] [-D level] [-f config_file]
[-g login_timeout] [-h host_key_file] [-o options]
[-p port] [-q] [-v] [-V]
sshd (Secure Shell server) is the server daemon for ssh(1).
The sshd daemon listens for client connections and starts an independent child process for each new connection.
A script is installed, which you can use to start, stop, and restart the sshd service. Using the script to start the server invokes the following sshd command.
To run the sshd service directly, log in as root and use full path information:
Note: Do not use inetd to launch sshd. This is not a supported configuration. Attempting this configuration in FIPS mode results in extremely long connection times for each user connection; this is because sshd needs to run required self tests for each connection.
Secure Shell connections require both server and client authentication. The server is automatically configured to use a host key for server authentication. The server installation package checks to see if an existing host key pair is already present. If no host key is found, the package creates a new host key pair and the server uses this pair for host authentication. If a host key already exists in /etc/ssh2, Reflection for Secure IT uses this key. If an OpenSSH host key is found in /etc/ssh, Reflection for Secure IT migrates the key to the correct format and location and uses the migrated key.
Client authentication enables the server to confirm the identity of the client user. To specify which methods the server allows, use the AllowedAuthentications keyword in the server configuration file (/etc/ssh2/sshd2_config). To require one or more authentication methods, use RequiredAuthentications.
If you use Secure Shell public keys to authenticate client users, you need to configure both the client and the server. On the client, generate the key and then add a line for this key to the client identification file ($HOME/.ssh2/identification). This file lists the keys the client presents for authentication. For details see FILES in ssh(1). On the server, copy each client user's public key to that user's Secure Shell directory ($HOME/.ssh2) and add the key to the user's authorization file ($HOME/.ssh2/authorization by default). This file lists the keys the server accepts for user authentication. For details see FILES in sshd(8).
Encryption and Data Integrity Checking
Once a session is established, all data that passes between the client and server is encrypted using a symmetric cipher. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. You can configure which ciphers the server supports using the Ciphers keyword.
Secure Shell connections use MACs (message authentication codes) to ensure data integrity. The client and server independently compute a hash for each packet of transferred data. If the message has changed in transit, the hash values are different and the packet is rejected. The MAC used for a given session is the MAC highest in the client's order of preference that is also supported by the server. You can configure which MACs the server supports using the MACs keyword.
You can configure sshd using the command-line options described below, and by using configuration files. The default global configuration file is /etc/ssh2/sshd2_config. This file is applied to all connections. You can also configure user-specific and host-specific settings by creating and configuring subconfiguration files. For details, see sshd2_config(5).
Changes you make to the main server configuration file affect new connections immediately; you do not need to restart the server. Existing connections remain active using their original settings; subsequent connections use the new settings.
Note: Changes to Port, ListenAddress, and FipsMode require a restart.
-4
Forces connections using IPv4 addresses only. You can also configure IP address requirements using the AddressFamily keyword.
-6
Forces connections using IPv6 addresses only. You can also configure IP address requirements using the AddressFamily keyword.
-d level
Sets the debug level and sends debug output to stderr. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.) With this option sshd logs information for only one client connection, and terminates after the client connection closes.
-D level
Sets the debug level and sends debug output to a file. This setting can only be used by root. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.) With this option, sshd does not terminate after a client connection closes.
The output file is located in /etc/ssh2 and uses a file name in the form: debugYYMMDD_HHMMSS, where YY=year, MM=month, DD=day, HH=hour, MM=minutes, and SS=seconds.
-f config_file
Specifies an alternate name and location for the server configuration file. The server reads the specified file instead of the default file. (The default configuration file is /etc/ssh2/sshd2_config.)
-g login_timeout
Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit.
-h host_key_file
Specifies the filename and location of the private key used to authenticate the server. If the path is not fully qualified, the path is assumed to be relative to /etc/ssh2. The default is /etc/ssh2/hostkey.
-o options
Sets any option that can be configured using a configuration file keyword. For a list of keywords and their meanings, see sshd2_config(5). Options configured on the command line override options configured in the configuration file. Syntax alternatives are shown below. Use quotation marks to contain expressions that include spaces.
-o key1="sample value"
-o "key1 value"
-o key="value1, value2"
To configure multiple options, use multiple -o switches.
-o key1=value -o key2=value
-p port
Specifies the port on which the server listens. The default is 22, which is the standard port for Secure Shell connections. The command line value overrides any value set in the configuration file. Only one port is allowed; if you configure multiple ports, the last configured port is used.
-q
Enables quiet mode. In this mode only errors are logged to the system log. (Both -d and -D are ignored if -q is used on the same command line.)
-v
Sets the debug level to verbose mode, which is equivalent to using '-d 2'.
-V
Displays product name and version information and exits. If other options are specified on the command line, they are ignored.
The server uses system-wide files (in /etc/ssh2) for all connections. Files in user-specific directories ($HOME/.ssh2 by default) apply to connections from individual client users.
System-wide server files
The global server configuration file. This file must not be writable by group or other. For file format and supported settings see sshd2_config(5). Recommended permissions = 644.
The default private key of the public/private key pair used to identify the server to clients. This file should be readable and writable only by root. This file must be limited to user-only read and write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.
The default public key of the public/private key pair used to authenticate the server to clients. Recommended permissions = 644.
Directory for optional user-specific and host-specific subconfiguration files. Recommended permissions = 700.
User-specific and host-specific subconfiguration files. For details see SUBCONFIGURATION FILES in sshd2_config(5).
If this file is present, it sets environment variable settings to use for all Secure Shell client connections to this server. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment. If the same environment variable is configured in this global file and also in a user-specific environment file ($HOME/.ssh2/environment), the user-specific value overrides the global value. The pound sign (#) marks comment lines. The syntax is:
Limits login to root. If this file exists, only root is allowed to login. The text of nologin is displayed to anyone else who attempts to log in.
Contains the PID of the process listening for incoming connections. The PID directory is determined by your operating system. The port number (22 by default) encoded in this name is determined by the value of the Port keyword. You can specify a different name or location using the PidFile keyword.
The message-of-the-day file. The text of this file is displayed when a user logs in. The PrintMotd keyword can be used to turn off this display.
A user-created file listing one or more RADIUS authentication servers. The file name suggested above is not required. After you create this file, use the RadiusFile keyword to specify your file name. For each RADIUS server, you need to enter the name, port, and shared secret. Recommended permissions = 600. The syntax is:
User-specific server files
The default directory for user-specific files on the server. (You can specify a different location with the UserConfigDirectory keyword.) Recommended permissions = 700.
The default client authorization file. (You can specify a different file with the AuthorizationFile keyword.) This file is required for Secure Shell public key authentication of client users. Each user must have an authorization file in that user's directory. This file must be limited to user-only write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.
The file contains a list of key files that the server will use during public key authentication. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails. Keywords are not case sensitive and the pound sign (#) marks comment lines. The supported keywords are:
Specifies keys the server will accept for this user. The format for key entries is "key" followed by the name of a file that contains a public key. Keys are assumed to be in the user-specific configuration directory ($HOME/.ssh2 by default) unless you specify an absolute path. For example, the following lines authorize the user to authenticate using either of the specified keys.
Use this optional keyword to specify options that apply to the preceding key. All options for a given key must be configured on a single line. White space is allowed. Options must be configured on the line immediately following the line containing the key. The format is:
Options option_keyword="arg", [option_keyword="arg"],...
Three Options keywords are supported: command, allow-from, and deny-from.
The specified command is executed on the remote host, then the connection is closed. For example, with this configuration, the script "myscript" runs whenever mykey.pub is used for authentication.
options command="sh myscript"
The key is allowed only for connections from the specified IP address. For example, the following configuration allows the specified key to be used only for connections from IP addresses starting with "150." and "10.10.".
The key is not allowed for connections from the specified IP address.
Notes: To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).
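As an added example (not part of Reflection for Secure IT), the following Python code parses an authorization file in the format described above and applies the allow-from and deny-from options to a client address using the plain prefix match the manual's "150." / "10.10." example implies. The user directory /home/alice/.ssh2, the sample file contents, and the comma-separated list of addresses inside one quoted argument are assumptions; the page does not show the multi-address syntax.

```python
"""Parse a $HOME/.ssh2/authorization file and evaluate its per-key options.
Added example; the multi-address syntax and sample paths are assumptions."""
import os
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]   # (key file path, options)
_OPT_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')
_ADDRESS_OPTS = ("allow-from", "deny-from")


def parse_authorization(text: str, ssh2_dir: str = "/home/alice/.ssh2") -> List[Entry]:
    """Rules from the manual: keywords are case-insensitive, '#' marks comment
    lines, 'key' names a public-key file relative to the user's .ssh2 directory
    unless absolute, and an 'options' line applies to the key line just before it."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, rest = (line.split(None, 1) + [""])[:2]
        keyword = keyword.lower()
        if keyword == "key":
            path = rest if os.path.isabs(rest) else os.path.join(ssh2_dir, rest)
            entries.append((path, {}))
        elif keyword == "options":
            if not entries:
                raise ValueError("options line without a preceding key line")
            opts = entries[-1][1]
            for name, value in _OPT_RE.findall(rest):
                name = name.lower()
                # Assumed syntax: several addresses, comma-separated, in one argument.
                values = value.split(",") if name in _ADDRESS_OPTS else [value]
                opts.setdefault(name, []).extend(v.strip() for v in values if v.strip())
        else:
            raise ValueError(f"unknown authorization keyword {keyword!r}")
    return entries


def key_usable_from(opts: Dict[str, List[str]], client_ip: str) -> bool:
    """allow-from: the address must start with one listed prefix;
    deny-from: it must start with none. Prefixes are compared as text, so an
    IPv4-only deny list does not cover the IPv6 loopback (see the Notes above)."""
    allowed = opts.get("allow-from")
    if allowed is not None and not any(client_ip.startswith(p) for p in allowed):
        return False
    return not any(client_ip.startswith(p) for p in opts.get("deny-from", []))


def decide(text: str, key_path: str, client_ip: str) -> Optional[bool]:
    """True/False for a listed key; None when the key is absent (auth fails)."""
    for path, opts in parse_authorization(text):
        if path == key_path:
            return key_usable_from(opts, client_ip)
    return None


# Constructed sample file, not taken from any real system.
SAMPLE = """# constructed authorization file
key mykey.pub
options command="sh myscript", allow-from="150.,10.10."
key /etc/ssh2/shared/ops.pub
options deny-from="127.0.0.1"
key backup.pub
"""
```

Running decide(SAMPLE, "/etc/ssh2/shared/ops.pub", "::1") returns True, which illustrates the manual's warning that a deny list must name both the IPv4 and the IPv6 loopback addresses to block local connections.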
If this file is present, it suppresses display of the user's last login, the message of the day, and the mail check.
If this file is present, it sets environment variables to set for this user at login. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment, and also override settings configured in the global file (/etc/ssh2/environment). The pound sign (#) marks comment lines. The syntax is:
Copyright (C) 2009 Attachmate Corporation
ssh(1), ssh2_config(5), ssh-keygen(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), sshd2_config(5)
Additional Reflection for Secure IT documentation is available online from the Attachmate documentation web page:
And from the technical note library: