SSHD(8) System Manager's Manual SSHD(8) sshd - OpenSSH sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_certificate_file] [-E log_file] [-f config_file] [-g login_grace_time] [-h host_key_file] [-o option] [-p port] [-u len] sshd ( OpenSSH) ssh(1). . sshd . /etc/rc. . . sshd ( sshd_config(5)) . sshd SIGHUP /usr/sbin/sshd. : -4 sshd IPv4 . -6 sshd IPv6 . -C connection_spec -T. Match . = -C . "addr" "user" "host" "laddr" "lport" "rdomain" . "invalid-user" ( ) . -c host_certificate_file sshd . -h HostKey. -D sshd . sshd. -d . . fork(2) . . -d . 3. -E log_file log_file . -e . -f config_file . /etc/ssh/sshd_config. sshd . -G . stdout . Match -C . -g login_grace_time ( 120 ). . . -h host_key_file . sshd ( ). /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key. . -i sshd inetd(8). -o . . sshd_config(5). -p port ( 22). . Port . ListenAddress . -q . . . -T . stdout . Match -C . -G -t. -t . . sshd . -u len utmp . len . . -u0 utmp. -u0 sshd DNS . DNS HostbasedAuthentication from="pattern-list" . DNS USER@HOST AllowUsers DenyUsers. -V . SSH OpenSSH SSH 2 . . . . Diffie-Hellman. . . . (MAC). . . . DenyUsers DenyGroups. . ( AIX) passwd ( `*LK*' Solaris UnixWare `*' HP-UX `Nologin' Tru64 `*LOCKED*' FreeBSD `!' Linux). passwd ( `NP' `*NP*'). . pseudo- tty X11 TCP . sshd -c. . / . X11 . sshd : 1. tty /etc/motd ( ~/.hushlogin FILES). 2. tty . 3. /etc/nologin ( ). 4. . 5. . 6. ~/.ssh/environment . PermitUserEnvironment sshd_config(5). 7. . 8. ~/.ssh/rc PermitUserRC sshd_config(5) /etc/ssh/sshrc xauth(1). "rc" X11 . SSHRC . 9. . . SSHRC ~/.ssh/rc sh(1) . stdout stderr . X11 "proto cookie" ( DISPLAY ). xauth(1) sshd xauth X11. AFS . : if read proto cookie && [ -n "$DISPLAY" ]; then if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then # X11UseLocalhost=yes echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie else # X11UseLocalhost=no echo add $DISPLAY $proto $cookie fi | xauth -q - fi /etc/ssh/sshrc xauth . AUTHORIZED_KEYS AuthorizedKeysFile ~/.ssh/authorized_keys ~/.ssh/authorized_keys2. ( `#' ). : base64 . . : sk-ecdsa-sha2-nistp256@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ssh-ed25519@openssh.com ssh-ed25519 ssh-rsa ( ). ( ) 8 RSA 16 . id_ecdsa.pub id_ecdsa_sk.pub id_ed25519.pub id_ed25519_sk.pub id_rsa.pub . sshd RSA 1024 . ( ) . . ( ): agent-forwarding restrict. cert-authority (CA) . . . command="command" . ( ). pty pty tty. 8 pty no-pty. . . . TCP / X11 restrict. SSH_ORIGINAL_COMMAND. . ForceCommand sshd_config(5). . environment="NAME=value" . . . PermitUserEnvironment. expiry-time="timespec" . YYYYMMDD[Z] YYYYMMDDHHMM[SS][Z]. Z UTC. from="pattern-list" IP . PATTERNS ssh_config(5) . from IP CIDR/ . : ( ) . ( / ). no-agent-forwarding . no-port-forwarding TCP . . command. no-pty tty ( pty). no-user-rc ~/.ssh/rc. no-X11-forwarding X11 . X11 . permitlisten="[host:]port" ssh(1) -R () . IPv6 . permitlisten . PATTERNS ssh_config(5). * . GatewayPorts . ssh(1) "localhost" localhost "127.0.0.1" "::1". permitopen="host:port" ssh(1) -L . IPv6 . permitopen . / . * . port-forwarding restrict. principals="principals" cert-authority . . cert-authority. pty tty restrict. no-touch-required . FIDO ecdsa-sk ed25519-sk. verify-required PIN. FIDO ecdsa-sk ed25519-sk. restrict X11 PTY ~/.ssh/rc. authorized_keys . tunnel="n" tun(4) . . user-rc ~/.ssh/rc restrict. X11-forwarding X11 restrict. authorized_keys : # . . # ssh-rsa ... # PTY restrict,command="dump /home" ssh-rsa ... # ssh -L permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ... # ssh -R permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ... # tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ... # PTY restrict,pty,command="nethack" ssh-rsa ... # FIDO no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ... # ( PIN ) FIDO verify-required sk-ecdsa-sha2-nistp256@openssh.com ... # CA FIDO cert-authority,no-touch-required,principals="user_a" ssh-rsa ... SSH_KNOWN_HOSTS /etc/ssh/ssh_known_hosts ~/.ssh/known_hosts . () : . : () base64 . . "@cert-authority" (CA) "@revoked" . . (`*' `?' ) . sshd HostbasedAuthentication . ssh(1) ssh(1) HostkeyAlias ssh(1) CanonicalizeHostname. `!' : ( ) . `[' `]' `:' . . `|'. . base64 /etc/ssh/ssh_host_rsa_key.pub. . `#' . . "@cert-authority" . . "@revoked" ssh(1) . ( ) . . . . ssh-keyscan(1) /etc/ssh/ssh_host_rsa_key.pub . ssh-keygen(1) ~/.ssh/known_hosts . ssh_known_hosts: # cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....= # |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa AAAA1234.....= # @revoked * ssh-rsa AAAAB5W... # CA *.mydomain.com *.mydomain.org @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W... ~/.hushlogin /etc/motd PrintLastLog PrintMotd . Banner. ~/.rhosts ( ssh(1) ). NFS sshd . . / . ~/.shosts .rhosts rlogin/rsh. ~/.ssh/ . // . ~/.ssh/authorized_keys (ECDSA, Ed25519, RSA) . . / . ~/.ssh . sshd StrictModes "no". ~/.ssh/environment ( ). ( `#') name=value. . PermitUserEnvironment. ~/.ssh/known_hosts . . / . ~/.ssh/rc . . /etc/hosts.equiv ( ssh(1)). . /etc/ssh/moduli Diffie-Hellman "Diffie-Hellman Group Exchange". moduli(5). . /etc/motd motd(5). /etc/nologin sshd . . . /etc/ssh/shosts.equiv hosts.equiv rlogin/rsh. /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key . . sshd /. /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_rsa_key.pub . . . . ssh-keygen(1). /etc/ssh/ssh_known_hosts . . . / . /etc/ssh/sshd_config sshd. sshd_config(5). /etc/ssh/sshrc ~/.ssh/rc . . /usr/share/empty.sshd chroot(2) sshd . . /run/sshd.pid sshd ( ). . scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1), chroot(2), login.conf(5), moduli(5), sshd_config(5), inetd(8), sftp-server(8) OpenSSH ssh 1.2.12 Tatu Ylonen. Aaron Campbell Bob Beck Markus Friedl Niels Provos Theo de Raadt Dug Song OpenSSH. Markus Friedl SSH 1.5 2.0. Niels Provos Markus Friedl . 3: https://www.gnu.org/licenses/gpl-3.0.html . . : kde-l10n-ar@kde.org Linux 7.0.8-arch1-1 $Mdocdate: 4 2025 $ Linux 7.0.8-arch1-1