Return to bug 623
(-)ssh-add.1 (-6 / +6 lines)
Lines 57-66 Link Here
57
adds RSA or DSA identities to the authentication agent,
57
adds RSA or DSA identities to the authentication agent,
58
.Xr ssh-agent 1 .
58
.Xr ssh-agent 1 .
59
When run without arguments, it adds the files
59
When run without arguments, it adds the files
60
.Pa $HOME/.ssh/id_rsa ,
60
.Pa ~/.ssh/id_rsa ,
61
.Pa $HOME/.ssh/id_dsa
61
.Pa ~/.ssh/id_dsa
62
and
62
and
63
.Pa $HOME/.ssh/identity .
63
.Pa ~/.ssh/identity .
64
Alternative file names can be given on the command line.
64
Alternative file names can be given on the command line.
65
If any file requires a passphrase,
65
If any file requires a passphrase,
66
.Nm
66
.Nm
Lines 142-152 agent. Link Here
142
.El
142
.El
143
.Sh FILES
143
.Sh FILES
144
.Bl -tag -width Ds
144
.Bl -tag -width Ds
145
.It Pa $HOME/.ssh/identity
145
.It Pa ~/.ssh/identity
146
Contains the protocol version 1 RSA authentication identity of the user.
146
Contains the protocol version 1 RSA authentication identity of the user.
147
.It Pa $HOME/.ssh/id_dsa
147
.It Pa ~/.ssh/id_dsa
148
Contains the protocol version 2 DSA authentication identity of the user.
148
Contains the protocol version 2 DSA authentication identity of the user.
149
.It Pa $HOME/.ssh/id_rsa
149
.It Pa ~/.ssh/id_rsa
150
Contains the protocol version 2 RSA authentication identity of the user.
150
Contains the protocol version 2 RSA authentication identity of the user.
151
.El
151
.El
152
.Pp
152
.Pp
(-)ssh-agent.1 (-6 / +6 lines)
Lines 111-120 Keys are added using Link Here
111
When executed without arguments,
111
When executed without arguments,
112
.Xr ssh-add 1
112
.Xr ssh-add 1
113
adds the files
113
adds the files
114
.Pa $HOME/.ssh/id_rsa ,
114
.Pa ~/.ssh/id_rsa ,
115
.Pa $HOME/.ssh/id_dsa
115
.Pa ~/.ssh/id_dsa
116
and
116
and
117
.Pa $HOME/.ssh/identity .
117
.Pa ~/.ssh/identity .
118
If the identity has a passphrase,
118
If the identity has a passphrase,
119
.Xr ssh-add 1
119
.Xr ssh-add 1
120
asks for the passphrase (using a small X11 application if running
120
asks for the passphrase (using a small X11 application if running
Lines 179-189 The agent exits automatically when the c Link Here
179
line terminates.
179
line terminates.
180
.Sh FILES
180
.Sh FILES
181
.Bl -tag -width Ds
181
.Bl -tag -width Ds
182
.It Pa $HOME/.ssh/identity
182
.It Pa ~/.ssh/identity
183
Contains the protocol version 1 RSA authentication identity of the user.
183
Contains the protocol version 1 RSA authentication identity of the user.
184
.It Pa $HOME/.ssh/id_dsa
184
.It Pa ~/.ssh/id_dsa
185
Contains the protocol version 2 DSA authentication identity of the user.
185
Contains the protocol version 2 DSA authentication identity of the user.
186
.It Pa $HOME/.ssh/id_rsa
186
.It Pa ~/.ssh/id_rsa
187
Contains the protocol version 2 RSA authentication identity of the user.
187
Contains the protocol version 2 RSA authentication identity of the user.
188
.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid>
188
.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid>
189
Unix-domain sockets used to contain the connection to the
189
Unix-domain sockets used to contain the connection to the
(-)ssh-keygen.1 (-12 / +12 lines)
Lines 129-138 section for details. Link Here
129
Normally each user wishing to use SSH
129
Normally each user wishing to use SSH
130
with RSA or DSA authentication runs this once to create the authentication
130
with RSA or DSA authentication runs this once to create the authentication
131
key in
131
key in
132
.Pa $HOME/.ssh/identity ,
132
.Pa ~/.ssh/identity ,
133
.Pa $HOME/.ssh/id_dsa
133
.Pa ~/.ssh/id_dsa
134
or
134
or
135
.Pa $HOME/.ssh/id_rsa .
135
.Pa ~/.ssh/id_rsa .
136
Additionally, the system administrator may use this to generate host keys,
136
Additionally, the system administrator may use this to generate host keys,
137
as seen in
137
as seen in
138
.Pa /etc/rc .
138
.Pa /etc/rc .
Lines 381-387 It is important that this file contains Link Here
381
that both ends of a connection share common moduli.
381
that both ends of a connection share common moduli.
382
.Sh FILES
382
.Sh FILES
383
.Bl -tag -width Ds
383
.Bl -tag -width Ds
384
.It Pa $HOME/.ssh/identity
384
.It Pa ~/.ssh/identity
385
Contains the protocol version 1 RSA authentication identity of the user.
385
Contains the protocol version 1 RSA authentication identity of the user.
386
This file should not be readable by anyone but the user.
386
This file should not be readable by anyone but the user.
387
It is possible to
387
It is possible to
Lines 392-405 This file is not automatically accessed Link Here
392
but it is offered as the default file for the private key.
392
but it is offered as the default file for the private key.
393
.Xr ssh 1
393
.Xr ssh 1
394
will read this file when a login attempt is made.
394
will read this file when a login attempt is made.
395
.It Pa $HOME/.ssh/identity.pub
395
.It Pa ~/.ssh/identity.pub
396
Contains the protocol version 1 RSA public key for authentication.
396
Contains the protocol version 1 RSA public key for authentication.
397
The contents of this file should be added to
397
The contents of this file should be added to
398
.Pa $HOME/.ssh/authorized_keys
398
.Pa ~/.ssh/authorized_keys
399
on all machines
399
on all machines
400
where the user wishes to log in using RSA authentication.
400
where the user wishes to log in using RSA authentication.
401
There is no need to keep the contents of this file secret.
401
There is no need to keep the contents of this file secret.
402
.It Pa $HOME/.ssh/id_dsa
402
.It Pa ~/.ssh/id_dsa
403
Contains the protocol version 2 DSA authentication identity of the user.
403
Contains the protocol version 2 DSA authentication identity of the user.
404
This file should not be readable by anyone but the user.
404
This file should not be readable by anyone but the user.
405
It is possible to
405
It is possible to
Lines 410-423 This file is not automatically accessed Link Here
410
but it is offered as the default file for the private key.
410
but it is offered as the default file for the private key.
411
.Xr ssh 1
411
.Xr ssh 1
412
will read this file when a login attempt is made.
412
will read this file when a login attempt is made.
413
.It Pa $HOME/.ssh/id_dsa.pub
413
.It Pa ~/.ssh/id_dsa.pub
414
Contains the protocol version 2 DSA public key for authentication.
414
Contains the protocol version 2 DSA public key for authentication.
415
The contents of this file should be added to
415
The contents of this file should be added to
416
.Pa $HOME/.ssh/authorized_keys
416
.Pa ~/.ssh/authorized_keys
417
on all machines
417
on all machines
418
where the user wishes to log in using public key authentication.
418
where the user wishes to log in using public key authentication.
419
There is no need to keep the contents of this file secret.
419
There is no need to keep the contents of this file secret.
420
.It Pa $HOME/.ssh/id_rsa
420
.It Pa ~/.ssh/id_rsa
421
Contains the protocol version 2 RSA authentication identity of the user.
421
Contains the protocol version 2 RSA authentication identity of the user.
422
This file should not be readable by anyone but the user.
422
This file should not be readable by anyone but the user.
423
It is possible to
423
It is possible to
Lines 428-437 This file is not automatically accessed Link Here
428
but it is offered as the default file for the private key.
428
but it is offered as the default file for the private key.
429
.Xr ssh 1
429
.Xr ssh 1
430
will read this file when a login attempt is made.
430
will read this file when a login attempt is made.
431
.It Pa $HOME/.ssh/id_rsa.pub
431
.It Pa ~/.ssh/id_rsa.pub
432
Contains the protocol version 2 RSA public key for authentication.
432
Contains the protocol version 2 RSA public key for authentication.
433
The contents of this file should be added to
433
The contents of this file should be added to
434
.Pa $HOME/.ssh/authorized_keys
434
.Pa ~/.ssh/authorized_keys
435
on all machines
435
on all machines
436
where the user wishes to log in using public key authentication.
436
where the user wishes to log in using public key authentication.
437
There is no need to keep the contents of this file secret.
437
There is no need to keep the contents of this file secret.
(-)ssh.1 (-34 / +34 lines)
Lines 109-117 or Link Here
109
.Pa /etc/shosts.equiv
109
.Pa /etc/shosts.equiv
110
on the remote machine, and the user names are
110
on the remote machine, and the user names are
111
the same on both sides, or if the files
111
the same on both sides, or if the files
112
.Pa $HOME/.rhosts
112
.Pa ~/.rhosts
113
or
113
or
114
.Pa $HOME/.shosts
114
.Pa ~/.shosts
115
exist in the user's home directory on the
115
exist in the user's home directory on the
116
remote machine and contain a line containing the name of the client
116
remote machine and contain a line containing the name of the client
117
machine and the name of the user on that machine, the user is
117
machine and the name of the user on that machine, the user is
Lines 120-126 Additionally, if the server can verify t Link Here
120
host key (see
120
host key (see
121
.Pa /etc/ssh/ssh_known_hosts
121
.Pa /etc/ssh/ssh_known_hosts
122
and
122
and
123
.Pa $HOME/.ssh/known_hosts
123
.Pa ~/.ssh/known_hosts
124
in the
124
in the
125
.Sx FILES
125
.Sx FILES
126
section), only then is login permitted.
126
section), only then is login permitted.
Lines 128-134 This authentication method closes securi Link Here
128
spoofing, DNS spoofing and routing spoofing.
128
spoofing, DNS spoofing and routing spoofing.
129
[Note to the administrator:
129
[Note to the administrator:
130
.Pa /etc/hosts.equiv ,
130
.Pa /etc/hosts.equiv ,
131
.Pa $HOME/.rhosts ,
131
.Pa ~/.rhosts ,
132
and the rlogin/rsh protocol in general, are inherently insecure and should be
132
and the rlogin/rsh protocol in general, are inherently insecure and should be
133
disabled if security is desired.]
133
disabled if security is desired.]
134
.Pp
134
.Pp
Lines 144-150 key pair for authentication purposes. Link Here
144
The server knows the public key, and only the user knows the private key.
144
The server knows the public key, and only the user knows the private key.
145
.Pp
145
.Pp
146
The file
146
The file
147
.Pa $HOME/.ssh/authorized_keys
147
.Pa ~/.ssh/authorized_keys
148
lists the public keys that are permitted for logging in.
148
lists the public keys that are permitted for logging in.
149
When the user logs in, the
149
When the user logs in, the
150
.Nm
150
.Nm
Lines 165-182 implements the RSA authentication protoc Link Here
165
The user creates his/her RSA key pair by running
165
The user creates his/her RSA key pair by running
166
.Xr ssh-keygen 1 .
166
.Xr ssh-keygen 1 .
167
This stores the private key in
167
This stores the private key in
168
.Pa $HOME/.ssh/identity
168
.Pa ~/.ssh/identity
169
and stores the public key in
169
and stores the public key in
170
.Pa $HOME/.ssh/identity.pub
170
.Pa ~/.ssh/identity.pub
171
in the user's home directory.
171
in the user's home directory.
172
The user should then copy the
172
The user should then copy the
173
.Pa identity.pub
173
.Pa identity.pub
174
to
174
to
175
.Pa $HOME/.ssh/authorized_keys
175
.Pa ~/.ssh/authorized_keys
176
in his/her home directory on the remote machine (the
176
in his/her home directory on the remote machine (the
177
.Pa authorized_keys
177
.Pa authorized_keys
178
file corresponds to the conventional
178
file corresponds to the conventional
179
.Pa $HOME/.rhosts
179
.Pa ~/.rhosts
180
file, and has one key
180
file, and has one key
181
per line, though the lines can be very long).
181
per line, though the lines can be very long).
182
After this, the user can log in without giving the password.
182
After this, the user can log in without giving the password.
Lines 206-217 password authentication are tried. Link Here
206
The public key method is similar to RSA authentication described
206
The public key method is similar to RSA authentication described
207
in the previous section and allows the RSA or DSA algorithm to be used:
207
in the previous section and allows the RSA or DSA algorithm to be used:
208
The client uses his private key,
208
The client uses his private key,
209
.Pa $HOME/.ssh/id_dsa
209
.Pa ~/.ssh/id_dsa
210
or
210
or
211
.Pa $HOME/.ssh/id_rsa ,
211
.Pa ~/.ssh/id_rsa ,
212
to sign the session identifier and sends the result to the server.
212
to sign the session identifier and sends the result to the server.
213
The server checks whether the matching public key is listed in
213
The server checks whether the matching public key is listed in
214
.Pa $HOME/.ssh/authorized_keys
214
.Pa ~/.ssh/authorized_keys
215
and grants access if both the key is found and the signature is correct.
215
and grants access if both the key is found and the signature is correct.
216
The session identifier is derived from a shared Diffie-Hellman value
216
The session identifier is derived from a shared Diffie-Hellman value
217
and is only known to the client and the server.
217
and is only known to the client and the server.
Lines 365-371 electronic purse; another is going throu Link Here
365
automatically maintains and checks a database containing
365
automatically maintains and checks a database containing
366
identifications for all hosts it has ever been used with.
366
identifications for all hosts it has ever been used with.
367
Host keys are stored in
367
Host keys are stored in
368
.Pa $HOME/.ssh/known_hosts
368
.Pa ~/.ssh/known_hosts
369
in the user's home directory.
369
in the user's home directory.
370
Additionally, the file
370
Additionally, the file
371
.Pa /etc/ssh/ssh_known_hosts
371
.Pa /etc/ssh/ssh_known_hosts
Lines 522-528 the system-wide configuration file Link Here
522
.Pq Pa /etc/ssh/ssh_config
522
.Pq Pa /etc/ssh/ssh_config
523
will be ignored.
523
will be ignored.
524
The default for the per-user configuration file is
524
The default for the per-user configuration file is
525
.Pa $HOME/.ssh/config .
525
.Pa ~/.ssh/config .
526
.It Fl f
526
.It Fl f
527
Requests
527
Requests
528
.Nm
528
.Nm
Lines 548-558 private RSA key. Link Here
548
Selects a file from which the identity (private key) for
548
Selects a file from which the identity (private key) for
549
RSA or DSA authentication is read.
549
RSA or DSA authentication is read.
550
The default is
550
The default is
551
.Pa $HOME/.ssh/identity
551
.Pa ~/.ssh/identity
552
for protocol version 1, and
552
for protocol version 1, and
553
.Pa $HOME/.ssh/id_rsa
553
.Pa ~/.ssh/id_rsa
554
and
554
and
555
.Pa $HOME/.ssh/id_dsa
555
.Pa ~/.ssh/id_dsa
556
for protocol version 2.
556
for protocol version 2.
557
Identity files may also be specified on
557
Identity files may also be specified on
558
a per-host basis in the configuration file.
558
a per-host basis in the configuration file.
Lines 941-947 Set to the name of the user logging in. Link Here
941
Additionally,
941
Additionally,
942
.Nm
942
.Nm
943
reads
943
reads
944
.Pa $HOME/.ssh/environment ,
944
.Pa ~/.ssh/environment ,
945
and adds lines of the format
945
and adds lines of the format
946
.Dq VARNAME=value
946
.Dq VARNAME=value
947
to the environment if the file exists and if users are allowed to
947
to the environment if the file exists and if users are allowed to
Lines 952-964 option in Link Here
952
.Xr sshd_config 5 .
952
.Xr sshd_config 5 .
953
.Sh FILES
953
.Sh FILES
954
.Bl -tag -width Ds
954
.Bl -tag -width Ds
955
.It Pa $HOME/.ssh/known_hosts
955
.It Pa ~/.ssh/known_hosts
956
Records host keys for all hosts the user has logged into that are not
956
Records host keys for all hosts the user has logged into that are not
957
in
957
in
958
.Pa /etc/ssh/ssh_known_hosts .
958
.Pa /etc/ssh/ssh_known_hosts .
959
See
959
See
960
.Xr sshd 8 .
960
.Xr sshd 8 .
961
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
961
.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa
962
Contains the authentication identity of the user.
962
Contains the authentication identity of the user.
963
They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
963
They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
964
These files
964
These files
Lines 970-990 ignores a private key file if it is acce Link Here
970
It is possible to specify a passphrase when
970
It is possible to specify a passphrase when
971
generating the key; the passphrase will be used to encrypt the
971
generating the key; the passphrase will be used to encrypt the
972
sensitive part of this file using 3DES.
972
sensitive part of this file using 3DES.
973
.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub
973
.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub
974
Contains the public key for authentication (public part of the
974
Contains the public key for authentication (public part of the
975
identity file in human-readable form).
975
identity file in human-readable form).
976
The contents of the
976
The contents of the
977
.Pa $HOME/.ssh/identity.pub
977
.Pa ~/.ssh/identity.pub
978
file should be added to the file
978
file should be added to the file
979
.Pa $HOME/.ssh/authorized_keys
979
.Pa ~/.ssh/authorized_keys
980
on all machines
980
on all machines
981
where the user wishes to log in using protocol version 1 RSA authentication.
981
where the user wishes to log in using protocol version 1 RSA authentication.
982
The contents of the
982
The contents of the
983
.Pa $HOME/.ssh/id_dsa.pub
983
.Pa ~/.ssh/id_dsa.pub
984
and
984
and
985
.Pa $HOME/.ssh/id_rsa.pub
985
.Pa ~/.ssh/id_rsa.pub
986
file should be added to
986
file should be added to
987
.Pa $HOME/.ssh/authorized_keys
987
.Pa ~/.ssh/authorized_keys
988
on all machines
988
on all machines
989
where the user wishes to log in using protocol version 2 DSA/RSA authentication.
989
where the user wishes to log in using protocol version 2 DSA/RSA authentication.
990
These files are not
990
These files are not
Lines 992-1004 sensitive and can (but need not) be read Link Here
992
These files are
992
These files are
993
never used automatically and are not necessary; they are only provided for
993
never used automatically and are not necessary; they are only provided for
994
the convenience of the user.
994
the convenience of the user.
995
.It Pa $HOME/.ssh/config
995
.It Pa ~/.ssh/config
996
This is the per-user configuration file.
996
This is the per-user configuration file.
997
The file format and configuration options are described in
997
The file format and configuration options are described in
998
.Xr ssh_config 5 .
998
.Xr ssh_config 5 .
999
Because of the potential for abuse, this file must have strict permissions:
999
Because of the potential for abuse, this file must have strict permissions:
1000
read/write for the user, and not accessible by others.
1000
read/write for the user, and not accessible by others.
1001
.It Pa $HOME/.ssh/authorized_keys
1001
.It Pa ~/.ssh/authorized_keys
1002
Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1002
Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1003
The format of this file is described in the
1003
The format of this file is described in the
1004
.Xr sshd 8
1004
.Xr sshd 8
Lines 1058-1064 be setuid root when that authentication Link Here
1058
By default
1058
By default
1059
.Nm
1059
.Nm
1060
is not setuid root.
1060
is not setuid root.
1061
.It Pa $HOME/.rhosts
1061
.It Pa ~/.rhosts
1062
This file is used in
1062
This file is used in
1063
.Cm RhostsRSAAuthentication
1063
.Cm RhostsRSAAuthentication
1064
and
1064
and
Lines 1088-1099 authentication before permitting log in. Link Here
1088
If the server machine does not have the client's host key in
1088
If the server machine does not have the client's host key in
1089
.Pa /etc/ssh/ssh_known_hosts ,
1089
.Pa /etc/ssh/ssh_known_hosts ,
1090
it can be stored in
1090
it can be stored in
1091
.Pa $HOME/.ssh/known_hosts .
1091
.Pa ~/.ssh/known_hosts .
1092
The easiest way to do this is to
1092
The easiest way to do this is to
1093
connect back to the client from the server machine using ssh; this
1093
connect back to the client from the server machine using ssh; this
1094
will automatically add the host key to
1094
will automatically add the host key to
1095
.Pa $HOME/.ssh/known_hosts .
1095
.Pa ~/.ssh/known_hosts .
1096
.It Pa $HOME/.shosts
1096
.It Pa ~/.shosts
1097
This file is used exactly the same way as
1097
This file is used exactly the same way as
1098
.Pa .rhosts .
1098
.Pa .rhosts .
1099
The purpose for
1099
The purpose for
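Review bot: the advice on lines 1092-1095 ("connect back to the client from the server machine using ssh; this will automatically add the host key to ~/.ssh/known_hosts") only holds when the client is allowed to add keys automatically; with StrictHostKeyChecking set to yes, ssh_config.5 line 753 in this same patch says ssh "will never automatically add host keys", so the connect-back adds nothing and the key has to be placed in the file by hand. A qualifying clause here would keep the two manuals from contradicting each other.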
Lines 1133-1139 when the user logs in just before the us Link Here
1133
See the
1133
See the
1134
.Xr sshd 8
1134
.Xr sshd 8
1135
manual page for more information.
1135
manual page for more information.
1136
.It Pa $HOME/.ssh/rc
1136
.It Pa ~/.ssh/rc
1137
Commands in this file are executed by
1137
Commands in this file are executed by
1138
.Nm
1138
.Nm
1139
when the user logs in just before the user's shell (or command) is
1139
when the user logs in just before the user's shell (or command) is
Lines 1141-1147 started. Link Here
1141
See the
1141
See the
1142
.Xr sshd 8
1142
.Xr sshd 8
1143
manual page for more information.
1143
manual page for more information.
1144
.It Pa $HOME/.ssh/environment
1144
.It Pa ~/.ssh/environment
1145
Contains additional definitions for environment variables, see section
1145
Contains additional definitions for environment variables, see section
1146
.Sx ENVIRONMENT
1146
.Sx ENVIRONMENT
1147
above.
1147
above.
(-)ssh_config.5 (-9 / +9 lines)
Lines 43-49 Link Here
43
.Nd OpenSSH SSH client configuration files
43
.Nd OpenSSH SSH client configuration files
44
.Sh SYNOPSIS
44
.Sh SYNOPSIS
45
.Bl -tag -width Ds -compact
45
.Bl -tag -width Ds -compact
46
.It Pa $HOME/.ssh/config
46
.It Pa ~/.ssh/config
47
.It Pa /etc/ssh/ssh_config
47
.It Pa /etc/ssh/ssh_config
48
.El
48
.El
49
.Sh DESCRIPTION
49
.Sh DESCRIPTION
Lines 55-61 the following order: Link Here
55
command-line options
55
command-line options
56
.It
56
.It
57
user's configuration file
57
user's configuration file
58
.Pq Pa $HOME/.ssh/config
58
.Pq Pa ~/.ssh/config
59
.It
59
.It
60
system-wide configuration file
60
system-wide configuration file
61
.Pq Pa /etc/ssh/ssh_config
61
.Pq Pa /etc/ssh/ssh_config
Lines 411-417 Note that this option applies to protoco Link Here
411
Indicates that
411
Indicates that
412
.Nm ssh
412
.Nm ssh
413
should hash host names and addresses when they are added to
413
should hash host names and addresses when they are added to
414
.Pa $HOME/.ssh/known_hosts .
414
.Pa ~/.ssh/known_hosts .
415
These hashed names may be used normally by
415
These hashed names may be used normally by
416
.Nm ssh
416
.Nm ssh
417
and
417
and
Lines 457-467 specifications). Link Here
457
Specifies a file from which the user's RSA or DSA authentication identity
457
Specifies a file from which the user's RSA or DSA authentication identity
458
is read.
458
is read.
459
The default is
459
The default is
460
.Pa $HOME/.ssh/identity
460
.Pa ~/.ssh/identity
461
for protocol version 1, and
461
for protocol version 1, and
462
.Pa $HOME/.ssh/id_rsa
462
.Pa ~/.ssh/id_rsa
463
and
463
and
464
.Pa $HOME/.ssh/id_dsa
464
.Pa ~/.ssh/id_dsa
465
for protocol version 2.
465
for protocol version 2.
466
Additionally, any identities represented by the authentication agent
466
Additionally, any identities represented by the authentication agent
467
will be used for authentication.
467
will be used for authentication.
Lines 751-757 If this flag is set to Link Here
751
.Dq yes ,
751
.Dq yes ,
752
.Nm ssh
752
.Nm ssh
753
will never automatically add host keys to the
753
will never automatically add host keys to the
754
.Pa $HOME/.ssh/known_hosts
754
.Pa ~/.ssh/known_hosts
755
file, and refuses to connect to hosts whose host key has changed.
755
file, and refuses to connect to hosts whose host key has changed.
756
This provides maximum protection against trojan horse attacks,
756
This provides maximum protection against trojan horse attacks,
757
however, can be annoying when the
757
however, can be annoying when the
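Review bot: minor, but the unchanged lines 756-757 read "This provides maximum protection against trojan horse attacks, however, can be annoying", which is missing a subject after "however," ("however, it can be annoying"); a one-word follow-up fix would be cheap while this paragraph is being touched.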
Lines 823-829 having to remember to give the user name Link Here
823
.It Cm UserKnownHostsFile
823
.It Cm UserKnownHostsFile
824
Specifies a file to use for the user
824
Specifies a file to use for the user
825
host key database instead of
825
host key database instead of
826
.Pa $HOME/.ssh/known_hosts .
826
.Pa ~/.ssh/known_hosts .
827
.It Cm VerifyHostKeyDNS
827
.It Cm VerifyHostKeyDNS
828
Specifies whether to verify the remote key using DNS and SSHFP resource
828
Specifies whether to verify the remote key using DNS and SSHFP resource
829
records.
829
records.
Lines 856-862 The default is Link Here
856
.El
856
.El
857
.Sh FILES
857
.Sh FILES
858
.Bl -tag -width Ds
858
.Bl -tag -width Ds
859
.It Pa $HOME/.ssh/config
859
.It Pa ~/.ssh/config
860
This is the per-user configuration file.
860
This is the per-user configuration file.
861
The format of this file is described above.
861
The format of this file is described above.
862
This file is used by the
862
This file is used by the
(-)sshd.8 (-14 / +14 lines)
Lines 328-334 If the login is on a tty, and no command Link Here
328
prints last login time and
328
prints last login time and
329
.Pa /etc/motd
329
.Pa /etc/motd
330
(unless prevented in the configuration file or by
330
(unless prevented in the configuration file or by
331
.Pa $HOME/.hushlogin ;
331
.Pa ~/.hushlogin ;
332
see the
332
see the
333
.Sx FILES
333
.Sx FILES
334
section).
334
section).
Lines 345-351 Changes to run with normal user privileg Link Here
345
Sets up basic environment.
345
Sets up basic environment.
346
.It
346
.It
347
Reads the file
347
Reads the file
348
.Pa $HOME/.ssh/environment ,
348
.Pa ~/.ssh/environment ,
349
if it exists, and users are allowed to change their environment.
349
if it exists, and users are allowed to change their environment.
350
See the
350
See the
351
.Cm PermitUserEnvironment
351
.Cm PermitUserEnvironment
Lines 355-361 option in Link Here
355
Changes to user's home directory.
355
Changes to user's home directory.
356
.It
356
.It
357
If
357
If
358
.Pa $HOME/.ssh/rc
358
.Pa ~/.ssh/rc
359
exists, runs it; else if
359
exists, runs it; else if
360
.Pa /etc/ssh/sshrc
360
.Pa /etc/ssh/sshrc
361
exists, runs
361
exists, runs
Lines 368-374 authentication protocol and cookie in st Link Here
368
Runs user's shell or command.
368
Runs user's shell or command.
369
.El
369
.El
370
.Sh AUTHORIZED_KEYS FILE FORMAT
370
.Sh AUTHORIZED_KEYS FILE FORMAT
371
.Pa $HOME/.ssh/authorized_keys
371
.Pa ~/.ssh/authorized_keys
372
is the default file that lists the public keys that are
372
is the default file that lists the public keys that are
373
permitted for RSA authentication in protocol version 1
373
permitted for RSA authentication in protocol version 1
374
and for public key authentication (PubkeyAuthentication)
374
and for public key authentication (PubkeyAuthentication)
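Review bot: worth saying whose home directory `~` stands for on line 371, since this is the server manual: sshd resolves the path on the account's behalf, and the old `$HOME` spelling invited readers to think an environment variable was consulted. A short clause such as "in the user's home directory", as ssh.1 line 171 already does, would remove the ambiguity.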
Lines 506-512 permitopen="10.2.1.55:80",permitopen="10 Link Here
506
The
506
The
507
.Pa /etc/ssh/ssh_known_hosts
507
.Pa /etc/ssh/ssh_known_hosts
508
and
508
and
509
.Pa $HOME/.ssh/known_hosts
509
.Pa ~/.ssh/known_hosts
510
files contain host public keys for all known hosts.
510
files contain host public keys for all known hosts.
511
The global file should
511
The global file should
512
be prepared by the administrator (optional), and the per-user file is
512
be prepared by the administrator (optional), and the per-user file is
Lines 617-623 listening for connections (if there are Link Here
617
concurrently for different ports, this contains the process ID of the one
617
concurrently for different ports, this contains the process ID of the one
618
started last).
618
started last).
619
The content of this file is not sensitive; it can be world-readable.
619
The content of this file is not sensitive; it can be world-readable.
620
.It Pa $HOME/.ssh/authorized_keys
620
.It Pa ~/.ssh/authorized_keys
621
Lists the public keys (RSA or DSA) that can be used to log into the user's account.
621
Lists the public keys (RSA or DSA) that can be used to log into the user's account.
622
This file must be readable by root (which may on some machines imply
622
This file must be readable by root (which may on some machines imply
623
it being world-readable if the user's home directory resides on an NFS
623
it being world-readable if the user's home directory resides on an NFS
Lines 631-637 and/or Link Here
631
.Pa id_rsa.pub
631
.Pa id_rsa.pub
632
files into this file, as described in
632
files into this file, as described in
633
.Xr ssh-keygen 1 .
633
.Xr ssh-keygen 1 .
634
.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts"
634
.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"
635
These files are consulted when using rhosts with RSA host
635
These files are consulted when using rhosts with RSA host
636
authentication or protocol version 2 hostbased authentication
636
authentication or protocol version 2 hostbased authentication
637
to check the public key of the host.
637
to check the public key of the host.
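Review bot: line 634 keeps the double-quoted, comma-separated form `.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"`, while the equivalent multi-path entry changed elsewhere in this patch uses bare arguments (ssh.1 line 961, `.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa`). Since the line is being touched anyway, dropping the quotes would make the two manuals consistent.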
Lines 641-652 to verify that it is connecting to the c Link Here
641
These files should be writable only by root/the owner.
641
These files should be writable only by root/the owner.
642
.Pa /etc/ssh/ssh_known_hosts
642
.Pa /etc/ssh/ssh_known_hosts
643
should be world-readable, and
643
should be world-readable, and
644
.Pa $HOME/.ssh/known_hosts
644
.Pa ~/.ssh/known_hosts
645
can, but need not be, world-readable.
645
can, but need not be, world-readable.
646
.It Pa /etc/motd
646
.It Pa /etc/motd
647
See
647
See
648
.Xr motd 5 .
648
.Xr motd 5 .
649
.It Pa $HOME/.hushlogin
649
.It Pa ~/.hushlogin
650
This file is used to suppress printing the last login time and
650
This file is used to suppress printing the last login time and
651
.Pa /etc/motd ,
651
.Pa /etc/motd ,
652
if
652
if
Lines 669-675 The file should be world-readable. Link Here
669
Access controls that should be enforced by tcp-wrappers are defined here.
669
Access controls that should be enforced by tcp-wrappers are defined here.
670
Further details are described in
670
Further details are described in
671
.Xr hosts_access 5 .
671
.Xr hosts_access 5 .
672
.It Pa $HOME/.rhosts
672
.It Pa ~/.rhosts
673
This file is used during
673
This file is used during
674
.Cm RhostsRSAAuthentication
674
.Cm RhostsRSAAuthentication
675
and
675
and
Lines 687-693 It is also possible to use netgroups in Link Here
687
Either host or user
687
Either host or user
688
name may be of the form +@groupname to specify all hosts or all users
688
name may be of the form +@groupname to specify all hosts or all users
689
in the group.
689
in the group.
690
.It Pa $HOME/.shosts
690
.It Pa ~/.shosts
691
For ssh,
691
For ssh,
692
this file is exactly the same as for
692
this file is exactly the same as for
693
.Pa .rhosts .
693
.Pa .rhosts .
Lines 736-742 This is processed exactly as Link Here
736
.Pa /etc/hosts.equiv .
736
.Pa /etc/hosts.equiv .
737
However, this file may be useful in environments that want to run both
737
However, this file may be useful in environments that want to run both
738
rsh/rlogin and ssh.
738
rsh/rlogin and ssh.
739
.It Pa $HOME/.ssh/environment
739
.It Pa ~/.ssh/environment
740
This file is read into the environment at login (if it exists).
740
This file is read into the environment at login (if it exists).
741
It can only contain empty lines, comment lines (that start with
741
It can only contain empty lines, comment lines (that start with
742
.Ql # ) ,
742
.Ql # ) ,
Lines 747-753 Environment processing is disabled by de Link Here
747
controlled via the
747
controlled via the
748
.Cm PermitUserEnvironment
748
.Cm PermitUserEnvironment
749
option.
749
option.
750
.It Pa $HOME/.ssh/rc
750
.It Pa ~/.ssh/rc
751
If this file exists, it is run with
751
If this file exists, it is run with
752
.Pa /bin/sh
752
.Pa /bin/sh
753
after reading the
753
after reading the
Lines 792-798 This file should be writable only by the Link Here
792
readable by anyone else.
792
readable by anyone else.
793
.It Pa /etc/ssh/sshrc
793
.It Pa /etc/ssh/sshrc
794
Like
794
Like
795
.Pa $HOME/.ssh/rc .
795
.Pa ~/.ssh/rc .
796
This can be used to specify
796
This can be used to specify
797
machine-specific login-time initializations globally.
797
machine-specific login-time initializations globally.
798
This file should be writable only by root, and should be world-readable.
798
This file should be writable only by root, and should be world-readable.
(-)sshd_config.5 (-1 / +1 lines)
Lines 327-333 The default is Link Here
327
Specifies whether
327
Specifies whether
328
.Nm sshd
328
.Nm sshd
329
should ignore the user's
329
should ignore the user's
330
.Pa $HOME/.ssh/known_hosts
330
.Pa ~/.ssh/known_hosts
331
during
331
during
332
.Cm RhostsRSAAuthentication
332
.Cm RhostsRSAAuthentication
333
or
333
or
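Review bot: the text now says sshd ignores "the user's ~/.ssh/known_hosts" during RhostsRSAAuthentication; a cross-reference would help, because the client-side UserKnownHostsFile option (ssh_config.5 line 826 in this patch) lets ssh use a different file in place of ~/.ssh/known_hosts, and a reader may assume the same relocation applies on the server side. Stating that this option concerns the per-user path as listed in the sshd(8) FILES section (line 634) would avoid that confusion.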