.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $
-.Dd $Mdocdate: February 17 2016 $
+.\" $OpenBSD: sshd.8,v 1.285 2016/08/15 12:32:04 naddy Exp $
+.Dd $Mdocdate: August 15 2016 $
.Dt SSHD 8
.Os
.Sh NAME
.Nm sshd
.Bk -words
.Op Fl 46DdeiqTt
-.Op Fl b Ar bits
.Op Fl C Ar connection_spec
.Op Fl c Ar host_certificate_file
.Op Fl E Ar log_file
.Op Fl f Ar config_file
.Op Fl g Ar login_grace_time
.Op Fl h Ar host_key_file
-.Op Fl k Ar key_gen_time
.Op Fl o Ar option
.Op Fl p Ar port
.Op Fl u Ar len
Forces
.Nm
to use IPv6 addresses only.
-.It Fl b Ar bits
-Specifies the number of bits in the ephemeral protocol version 1
-server key (default 1024).
.It Fl C Ar connection_spec
Specify the connection parameters to use for the
.Fl T
is not run as root (as the normal
host key files are normally not readable by anyone but root).
The default is
-.Pa /etc/ssh/ssh_host_key
-for protocol version 1, and
.Pa /etc/ssh/ssh_host_dsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key .
+.Pa /etc/ssh/ssh_host_ecdsa_key ,
.Pa /etc/ssh/ssh_host_ed25519_key
and
-.Pa /etc/ssh/ssh_host_rsa_key
-for protocol version 2.
+.Pa /etc/ssh/ssh_host_rsa_key .
It is possible to have multiple host key files for
-the different protocol versions and host key algorithms.
+the different host key algorithms.
.It Fl i
Specifies that
.Nm
is being run from
.Xr inetd 8 .
-If SSH protocol 1 is enabled,
-.Nm
-should not normally be run
-from inetd because it needs to generate the server key before it can
-respond to the client, and this may take some time.
-Clients may have to wait too long if the key was regenerated every time.
-.It Fl k Ar key_gen_time
-Specifies how often the ephemeral protocol version 1 server key is
-regenerated (default 3600 seconds, or one hour).
-The motivation for regenerating the key fairly
-often is that the key is not stored anywhere, and after about an hour
-it becomes impossible to recover the key for decrypting intercepted
-communications even if the machine is cracked into or physically
-seized.
-A value of zero indicates that the key will never be regenerated.
.It Fl o Ar option
Can be used to give options in the format used in the configuration file.
This is useful for specifying options for which there is no separate
from making DNS requests unless the authentication
mechanism or configuration requires it.
Authentication mechanisms that may require DNS include
-.Cm RhostsRSAAuthentication ,
-.Cm HostbasedAuthentication ,
+.Cm HostbasedAuthentication
and using a
.Cm from="pattern-list"
option in a key file.
.Cm DenyUsers .
.El
.Sh AUTHENTICATION
-The OpenSSH SSH daemon supports SSH protocols 1 and 2.
-The default is to use protocol 2 only,
-though this can be changed via the
-.Cm Protocol
-option in
-.Xr sshd_config 5 .
-Protocol 1 should not be used
-and is only offered to support legacy devices.
-.Pp
+The OpenSSH SSH daemon supports SSH protocol 2 only.
Each host has a host-specific key,
used to identify the host.
-Partial forward security for protocol 1 is provided through
-an additional server key,
-normally 1024 bits,
-generated when the server starts.
-This key is normally regenerated every hour if it has been used, and
-is never stored on disk.
Whenever a client connects, the daemon responds with its public
-host and server keys.
+host key.
The client compares the
-RSA host key against its own database to verify that it has not changed.
-The client then generates a 256-bit random number.
-It encrypts this
-random number using both the host key and the server key, and sends
-the encrypted number to the server.
-Both sides then use this
-random number as a session key which is used to encrypt all further
-communications in the session.
-The rest of the session is encrypted
-using a conventional cipher, currently Blowfish or 3DES, with 3DES
-being used by default.
-The client selects the encryption algorithm
-to use from those offered by the server.
-.Pp
-For protocol 2,
-forward security is provided through a Diffie-Hellman key agreement.
+host key against its own database to verify that it has not changed.
+Forward security is provided through a Diffie-Hellman key agreement.
This key agreement results in a shared session key.
The rest of the session is encrypted using a symmetric cipher, currently
128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
.Ql #
are ignored as
comments).
-Protocol 1 public keys consist of the following space-separated fields:
-options, bits, exponent, modulus, comment.
-Protocol 2 public key consist of:
+Public keys consist of the following space-separated fields:
options, keytype, base64-encoded key, comment.
-The options field is optional;
-its presence is determined by whether the line starts
-with a number or not (the options field never starts with a number).
-The bits, exponent, modulus, and comment fields give the RSA key for
-protocol version 1; the
-comment field is not used for anything (but may be convenient for the
-user to identify the key).
-For protocol version 2 the keytype is
+The options field is optional.
+The keytype is
.Dq ecdsa-sha2-nistp256 ,
.Dq ecdsa-sha2-nistp384 ,
.Dq ecdsa-sha2-nistp521 ,
.Dq ssh-ed25519 ,
.Dq ssh-dss
or
-.Dq ssh-rsa .
+.Dq ssh-rsa ;
+the comment field is not used for anything (but may be convenient for the
+user to identify the key).
.Pp
-Note that lines in this file are usually several hundred bytes long
+Note that lines in this file can be several hundred bytes long
(because of the size of the public key encoding) up to a limit of
8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
keys up to 16 kilobits.
You don't want to type them in; instead, copy the
-.Pa identity.pub ,
.Pa id_dsa.pub ,
.Pa id_ecdsa.pub ,
.Pa id_ed25519.pub ,
file and edit it.
.Pp
.Nm
-enforces a minimum RSA key modulus size for protocol 1
-and protocol 2 keys of 768 bits.
+enforces a minimum RSA key modulus size of 768 bits.
.Pp
The options (if present) consist of comma-separated option
specifications.
its key is added to the per-user file.
.Pp
Each line in these files contains the following fields: markers (optional),
-hostnames, bits, exponent, modulus, comment.
+hostnames, keytype, base64-encoded key, comment.
The fields are separated by spaces.
.Pp
The marker is optional, but if it is present then it must be one of
Only one hashed hostname may appear on a single line and none of the above
negation or wildcard operators may be applied.
.Pp
-Bits, exponent, and modulus are taken directly from the RSA host key; they
+The keytype and base64-encoded key are taken directly from the host key; they
can be obtained, for example, from
-.Pa /etc/ssh/ssh_host_key.pub .
+.Pa /etc/ssh/ssh_host_rsa_key.pub .
The optional comment field continues to the end of the line, and is not used.
.Pp
Lines starting with
long, and you definitely don't want to type in the host keys by hand.
Rather, generate them by a script,
.Xr ssh-keyscan 1
-or by taking
-.Pa /etc/ssh/ssh_host_key.pub
+or by taking, for example,
+.Pa /etc/ssh/ssh_host_rsa_key.pub
and adding the host names at the front.
.Xr ssh-keygen 1
also offers some basic automated editing for
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp
-.It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key
.It Pa /etc/ssh/ssh_host_ed25519_key
.Nm
does not start if these files are group/world-accessible.
.Pp
-.It Pa /etc/ssh/ssh_host_key.pub
.It Pa /etc/ssh/ssh_host_dsa_key.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
.It Pa /etc/ssh/ssh_host_ed25519_key.pub
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.228 2016/08/12 19:19:04 jca Exp $
-.Dd $Mdocdate: August 12 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.229 2016/08/15 12:32:04 naddy Exp $
+.Dd $Mdocdate: August 15 2016 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
.Dq publickey,publickey
will require successful authentication using two different public keys.
.Pp
-This option will yield a fatal
-error if enabled if protocol 1 is also enabled.
Note that each authentication method listed should also be explicitly enabled
in the configuration.
The default
.It Cm HostKey
Specifies a file containing a private host key
used by SSH.
-The default is
-.Pa /etc/ssh/ssh_host_key
-for protocol version 1, and
+The defaults are
.Pa /etc/ssh/ssh_host_dsa_key ,
.Pa /etc/ssh/ssh_host_ecdsa_key ,
.Pa /etc/ssh/ssh_host_ed25519_key
and
-.Pa /etc/ssh/ssh_host_rsa_key
-for protocol version 2.
+.Pa /etc/ssh/ssh_host_rsa_key .
.Pp
Note that
.Xr sshd 8
.Xr sshd 8 .
.Pp
It is possible to have multiple host key files.
-.Dq rsa1
-keys are used for version 1 and
-.Dq dsa ,
-.Dq ecdsa ,
-.Dq ed25519
-or
-.Dq rsa
-are used for version 2 of the SSH protocol.
It is also possible to specify public host key files instead.
In this case operations on the private key will be delegated
to an
and
.Pa .shosts
files will not be used in
-.Cm RhostsRSAAuthentication
-or
.Cm HostbasedAuthentication .
.Pp
.Pa /etc/hosts.equiv
should ignore the user's
.Pa ~/.ssh/known_hosts
during
-.Cm RhostsRSAAuthentication
-or
.Cm HostbasedAuthentication .
The default is
.Dq no .
.Xr ssh 1
with an argument of
.Dq kex .
-.It Cm KeyRegenerationInterval
-In protocol version 1, the ephemeral server key is automatically regenerated
-after this many seconds (if it has been used).
-The purpose of regeneration is to prevent
-decrypting captured sessions by later breaking into the machine and
-stealing the keys.
-The key is never stored anywhere.
-If the value is 0, the key is never regenerated.
-The default is 3600 (seconds).
.It Cm ListenAddress
Specifies the local addresses
.Xr sshd 8
.Cm PubkeyAuthentication ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
-.Cm RhostsRSAAuthentication ,
-.Cm RSAAuthentication ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys ,
or equivalent.)
The default is
.Dq yes .
-.It Cm Protocol
-Specifies the protocol versions
-.Xr sshd 8
-supports.
-The possible values are
-.Sq 1
-and
-.Sq 2 .
-Multiple versions must be comma-separated.
-The default is
-.Sq 2 .
-Protocol 1 suffers from a number of cryptographic weaknesses and should
-not be used.
-It is only offered to support legacy devices.
-.Pp
-Note that the order of the protocol list does not indicate preference,
-because the client selects among multiple protocol versions offered
-by the server.
-Specifying
-.Dq 2,1
-is identical to
-.Dq 1,2 .
.It Cm PubkeyAcceptedKeyTypes
Specifies the key types that will be accepted for public key authentication
as a comma-separated pattern list.
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
-.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful RSA host authentication is allowed.
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
-.It Cm RSAAuthentication
-Specifies whether pure RSA authentication is allowed.
-The default is
-.Dq yes .
-This option applies to protocol version 1 only.
-.It Cm ServerKeyBits
-Defines the number of bits in the ephemeral protocol version 1 server key.
-The default and minimum value is 1024.
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
projects / openbsd / commitdiff