2 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 .\" All rights reserved
6 .\" As far as I am concerned, the code I have written for this software
7 .\" can be used freely for any purpose. Any derived versions of this
8 .\" software must be clearly marked as such, and if the derived work is
9 .\" incompatible with the protocol description in the RFC file, it must be
10 .\" called by a name other than "ssh" or "Secure Shell".
12 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
13 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
14 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16 .\" Redistribution and use in source and binary forms, with or without
17 .\" modification, are permitted provided that the following conditions
19 .\" 1. Redistributions of source code must retain the above copyright
20 .\" notice, this list of conditions and the following disclaimer.
21 .\" 2. Redistributions in binary form must reproduce the above copyright
22 .\" notice, this list of conditions and the following disclaimer in the
23 .\" documentation and/or other materials provided with the distribution.
25 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 .\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $
37 .Dd $Mdocdate: June 27 2013 $
42 .Nd OpenSSH SSH daemon
48 .Op Fl C Ar connection_spec
49 .Op Fl c Ar host_certificate_file
51 .Op Fl f Ar config_file
52 .Op Fl g Ar login_grace_time
53 .Op Fl h Ar host_key_file
54 .Op Fl k Ar key_gen_time
61 (OpenSSH Daemon) is the daemon program for
63 Together these programs replace
67 and provide secure encrypted communications between two untrusted hosts
68 over an insecure network.
71 listens for connections from clients.
72 It is normally started at boot from
75 daemon for each incoming connection.
76 The forked daemons handle
77 key exchange, encryption, authentication, command execution,
81 can be configured using command-line options or a configuration file
84 command-line options override values specified in the
87 rereads its configuration file when it receives a hangup signal,
89 by executing itself with the name and options it was started with, e.g.\&
92 The options are as follows:
97 to use IPv4 addresses only.
101 to use IPv6 addresses only.
103 Specifies the number of bits in the ephemeral protocol version 1
104 server key (default 1024).
105 .It Fl C Ar connection_spec
106 Specify the connection parameters to use for the
111 directives in the configuration file
112 that would apply to the specified user, host, and address will be set before
113 the configuration is written to standard output.
114 The connection parameters are supplied as keyword=value pairs.
122 All are required and may be supplied in any order, either with multiple
124 options or as a comma-separated list.
125 .It Fl c Ar host_certificate_file
126 Specifies a path to a certificate file to identify
129 The certificate file must match a host key file specified using the
133 configuration directive.
135 When this option is specified,
137 will not detach and does not become a daemon.
138 This allows easy monitoring of
142 The server sends verbose debug output to standard error,
143 and does not put itself in the background.
144 The server also will not fork and will only process one connection.
145 This option is only intended for debugging for the server.
148 options increase the debugging level.
153 instead of the system log.
155 Write debug logs to standard error instead of the system log.
156 .It Fl f Ar config_file
157 Specifies the name of the configuration file.
159 .Pa /etc/ssh/sshd_config .
161 refuses to start if there is no configuration file.
162 .It Fl g Ar login_grace_time
163 Gives the grace time for clients to authenticate themselves (default
165 If the client fails to authenticate the user within
166 this many seconds, the server disconnects and exits.
167 A value of zero indicates no limit.
168 .It Fl h Ar host_key_file
169 Specifies a file from which a host key is read.
170 This option must be given if
172 is not run as root (as the normal
173 host key files are normally not readable by anyone but root).
175 .Pa /etc/ssh/ssh_host_key
176 for protocol version 1, and
177 .Pa /etc/ssh/ssh_host_dsa_key ,
178 .Pa /etc/ssh/ssh_host_ecdsa_key
180 .Pa /etc/ssh/ssh_host_rsa_key
181 for protocol version 2.
182 It is possible to have multiple host key files for
183 the different protocol versions and host key algorithms.
191 from inetd because it needs to generate the server key before it can
192 respond to the client, and this may take tens of seconds.
193 Clients would have to wait too long if the key was regenerated every time.
194 However, with small key sizes (e.g. 512) using
198 .It Fl k Ar key_gen_time
199 Specifies how often the ephemeral protocol version 1 server key is
200 regenerated (default 3600 seconds, or one hour).
201 The motivation for regenerating the key fairly
202 often is that the key is not stored anywhere, and after about an hour
203 it becomes impossible to recover the key for decrypting intercepted
204 communications even if the machine is cracked into or physically
206 A value of zero indicates that the key will never be regenerated.
208 Can be used to give options in the format used in the configuration file.
209 This is useful for specifying options for which there is no separate
211 For full details of the options, and their values, see
214 Specifies the port on which the server listens for connections
216 Multiple port options are permitted.
217 Ports specified in the configuration file with the
219 option are ignored when a command-line port is specified.
220 Ports specified using the
222 option override command-line ports.
225 Nothing is sent to the system log.
226 Normally the beginning,
227 authentication, and termination of each connection is logged.
230 Check the validity of the configuration file, output the effective configuration
231 to stdout and then exit.
234 rules may be applied by specifying the connection parameters using one or more
239 Only check the validity of the configuration file and sanity of the keys.
240 This is useful for updating
242 reliably as configuration options may change.
244 This option is used to specify the size of the field
247 structure that holds the remote host name.
248 If the resolved host name is longer than
250 the dotted decimal value will be used instead.
251 This allows hosts with very long host names that
252 overflow this field to still be uniquely identified.
255 indicates that only dotted decimal addresses
256 should be put into the
260 may also be used to prevent
262 from making DNS requests unless the authentication
263 mechanism or configuration requires it.
264 Authentication mechanisms that may require DNS include
265 .Cm RhostsRSAAuthentication ,
266 .Cm HostbasedAuthentication ,
268 .Cm from="pattern-list"
269 option in a key file.
270 Configuration options that require DNS include using a
277 The OpenSSH SSH daemon supports SSH protocols 1 and 2.
278 The default is to use protocol 2 only,
279 though this can be changed via the
283 Protocol 2 supports DSA, ECDSA and RSA keys;
284 protocol 1 only supports RSA keys.
286 each host has a host-specific key,
288 used to identify the host.
290 Forward security for protocol 1 is provided through
291 an additional server key,
293 generated when the server starts.
294 This key is normally regenerated every hour if it has been used, and
295 is never stored on disk.
296 Whenever a client connects, the daemon responds with its public
297 host and server keys.
298 The client compares the
299 RSA host key against its own database to verify that it has not changed.
300 The client then generates a 256-bit random number.
302 random number using both the host key and the server key, and sends
303 the encrypted number to the server.
304 Both sides then use this
305 random number as a session key which is used to encrypt all further
306 communications in the session.
307 The rest of the session is encrypted
308 using a conventional cipher, currently Blowfish or 3DES, with 3DES
309 being used by default.
310 The client selects the encryption algorithm
311 to use from those offered by the server.
314 forward security is provided through a Diffie-Hellman key agreement.
315 This key agreement results in a shared session key.
316 The rest of the session is encrypted using a symmetric cipher, currently
317 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
318 The client selects the encryption algorithm
319 to use from those offered by the server.
320 Additionally, session integrity is provided
321 through a cryptographic message authentication code
322 (hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160,
323 hmac-sha2-256 or hmac-sha2-512).
325 Finally, the server and the client enter an authentication dialog.
326 The client tries to authenticate itself using
327 host-based authentication,
328 public key authentication,
329 challenge-response authentication,
330 or password authentication.
332 Regardless of the authentication type, the account is checked to
333 ensure that it is accessible. An account is not accessible if it is
336 or its group is listed in
338 \&. The definition of a locked account is system dependant. Some platforms
339 have their own account database (eg AIX) and some modify the passwd field (
341 on Solaris and UnixWare,
348 on FreeBSD and a leading
351 If there is a requirement to disable password authentication
352 for the account while allowing still public-key, then the passwd field
353 should be set to something other than these values (eg
359 If the client successfully authenticates itself, a dialog for
360 preparing the session is entered.
361 At this time the client may request
362 things like allocating a pseudo-tty, forwarding X11 connections,
363 forwarding TCP connections, or forwarding the authentication agent
364 connection over the secure channel.
366 After this, the client either requests a shell or execution of a command.
367 The sides then enter session mode.
368 In this mode, either side may send
369 data at any time, and such data is forwarded to/from the shell or
370 command on the server side, and the user terminal in the client side.
372 When the user program terminates and all forwarded X11 and other
373 connections have been closed, the server sends command exit status to
374 the client, and both sides exit.
376 When a user successfully logs in,
379 .Bl -enum -offset indent
381 If the login is on a tty, and no command has been specified,
382 prints last login time and
384 (unless prevented in the configuration file or by
390 If the login is on a tty, records login time.
394 if it exists, prints contents and quits
397 Changes to run with normal user privileges.
399 Sets up basic environment.
402 .Pa ~/.ssh/environment ,
403 if it exists, and users are allowed to change their environment.
405 .Cm PermitUserEnvironment
409 Changes to user's home directory.
413 exists, runs it; else if
416 it; otherwise runs xauth.
419 files are given the X11
420 authentication protocol and cookie in standard input.
425 Runs user's shell or command.
432 runs it after reading the
433 environment files but before starting the user's shell or command.
434 It must not produce any output on stdout; stderr must be used
436 If X11 forwarding is in use, it will receive the "proto cookie" pair in
437 its standard input (and
444 will not run xauth automatically to add X11 cookies.
446 The primary purpose of this file is to run any initialization routines
447 which may be needed before the user's home directory becomes
448 accessible; AFS is a particular example of such an environment.
450 This file will probably contain some initialization code followed by
451 something similar to:
452 .Bd -literal -offset 3n
453 if read proto cookie && [ -n "$DISPLAY" ]; then
454 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
455 # X11UseLocalhost=yes
456 echo add unix:`echo $DISPLAY |
457 cut -c11-` $proto $cookie
460 echo add $DISPLAY $proto $cookie
465 If this file does not exist,
468 does not exist either, xauth is used to add the cookie.
469 .Sh AUTHORIZED_KEYS FILE FORMAT
470 .Cm AuthorizedKeysFile
471 specifies the files containing public keys for
472 public key authentication;
473 if none is specified, the default is
474 .Pa ~/.ssh/authorized_keys
476 .Pa ~/.ssh/authorized_keys2 .
477 Each line of the file contains one
478 key (empty lines and lines starting with a
482 Protocol 1 public keys consist of the following space-separated fields:
483 options, bits, exponent, modulus, comment.
484 Protocol 2 public key consist of:
485 options, keytype, base64-encoded key, comment.
486 The options field is optional;
487 its presence is determined by whether the line starts
488 with a number or not (the options field never starts with a number).
489 The bits, exponent, modulus, and comment fields give the RSA key for
490 protocol version 1; the
491 comment field is not used for anything (but may be convenient for the
492 user to identify the key).
493 For protocol version 2 the keytype is
494 .Dq ecdsa-sha2-nistp256 ,
495 .Dq ecdsa-sha2-nistp384 ,
496 .Dq ecdsa-sha2-nistp521 ,
501 Note that lines in this file are usually several hundred bytes long
502 (because of the size of the public key encoding) up to a limit of
503 8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
504 keys up to 16 kilobits.
505 You don't want to type them in; instead, copy the
514 enforces a minimum RSA key modulus size for protocol 1
515 and protocol 2 keys of 768 bits.
517 The options (if present) consist of comma-separated option
519 No spaces are permitted, except within double quotes.
520 The following option specifications are supported (note
521 that option keywords are case-insensitive):
523 .It Cm cert-authority
524 Specifies that the listed key is a certification authority (CA) that is
525 trusted to validate signed certificates for user authentication.
527 Certificates may encode access restrictions similar to these key options.
528 If both certificate restrictions and key options are present, the most
529 restrictive union of the two is applied.
530 .It Cm command="command"
531 Specifies that the command is executed whenever this key is used for
533 The command supplied by the user (if any) is ignored.
534 The command is run on a pty if the client requests a pty;
535 otherwise it is run without a tty.
536 If an 8-bit clean channel is required,
537 one must not request a pty or should specify
539 A quote may be included in the command by quoting it with a backslash.
540 This option might be useful
541 to restrict certain public keys to perform just a specific operation.
542 An example might be a key that permits remote backups but nothing else.
543 Note that the client may specify TCP and/or X11
544 forwarding unless they are explicitly prohibited.
545 The command originally supplied by the client is available in the
546 .Ev SSH_ORIGINAL_COMMAND
547 environment variable.
548 Note that this option applies to shell, command or subsystem execution.
549 Also note that this command may be superseded by either a
552 directive or a command embedded in a certificate.
553 .It Cm environment="NAME=value"
554 Specifies that the string is to be added to the environment when
555 logging in using this key.
556 Environment variables set this way
557 override other default environment values.
558 Multiple options of this type are permitted.
559 Environment processing is disabled by default and is
561 .Cm PermitUserEnvironment
563 This option is automatically disabled if
566 .It Cm from="pattern-list"
567 Specifies that in addition to public key authentication, either the canonical
568 name of the remote host or its IP address must be present in the
569 comma-separated list of patterns.
572 for more information on patterns.
574 In addition to the wildcard matching that may be applied to hostnames or
577 stanza may match IP addresses using CIDR address/masklen notation.
579 The purpose of this option is to optionally increase security: public key
580 authentication by itself does not trust the network or name servers or
581 anything (but the key); however, if somebody somehow steals the key, the key
582 permits an intruder to log in from anywhere in the world.
583 This additional option makes using a stolen key more difficult (name
584 servers and/or routers would have to be compromised in addition to
586 .It Cm no-agent-forwarding
587 Forbids authentication agent forwarding when this key is used for
589 .It Cm no-port-forwarding
590 Forbids TCP forwarding when this key is used for authentication.
591 Any port forward requests by the client will return an error.
592 This might be used, e.g. in connection with the
596 Prevents tty allocation (a request to allocate a pty will fail).
598 Disables execution of
600 .It Cm no-X11-forwarding
601 Forbids X11 forwarding when this key is used for authentication.
602 Any X11 forward requests by the client will return an error.
603 .It Cm permitopen="host:port"
606 port forwarding such that it may only connect to the specified host and
608 IPv6 addresses can be specified by enclosing the address in square brackets.
611 options may be applied separated by commas.
612 No pattern matching is performed on the specified hostnames,
613 they must be literal domains or addresses.
614 A port specification of
617 .It Cm principals="principals"
620 line, specifies allowed principals for certificate authentication as a
621 comma-separated list.
622 At least one name from the list must appear in the certificate's
623 list of principals for the certificate to be accepted.
624 This option is ignored for keys that are not marked as trusted certificate
631 device on the server.
632 Without this option, the next available device will be used if
633 the client requests a tunnel.
636 An example authorized_keys file:
637 .Bd -literal -offset 3n
638 # Comments allowed at start of line
639 ssh-rsa AAAAB3Nza...LiPk== user@example.net
640 from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
641 AAAAB2...19Q== john@example.net
642 command="dump /home",no-pty,no-port-forwarding ssh-dss
643 AAAAC3...51R== example.net
644 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
646 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
649 .Sh SSH_KNOWN_HOSTS FILE FORMAT
651 .Pa /etc/ssh/ssh_known_hosts
653 .Pa ~/.ssh/known_hosts
654 files contain host public keys for all known hosts.
655 The global file should
656 be prepared by the administrator (optional), and the per-user file is
657 maintained automatically: whenever the user connects from an unknown host,
658 its key is added to the per-user file.
660 Each line in these files contains the following fields: markers (optional),
661 hostnames, bits, exponent, modulus, comment.
662 The fields are separated by spaces.
664 The marker is optional, but if it is present then it must be one of
665 .Dq @cert-authority ,
666 to indicate that the line contains a certification authority (CA) key,
669 to indicate that the key contained on the line is revoked and must not ever
671 Only one marker should be used on a key line.
673 Hostnames is a comma-separated list of patterns
678 wildcards); each pattern in turn is matched against the canonical host
679 name (when authenticating a client) or against the user-supplied
680 name (when authenticating a server).
681 A pattern may also be preceded by
683 to indicate negation: if the host name matches a negated
684 pattern, it is not accepted (by that line) even if it matched another
686 A hostname or address may optionally be enclosed within
690 brackets then followed by
692 and a non-standard port number.
694 Alternately, hostnames may be stored in a hashed form which hides host names
695 and addresses should the file's contents be disclosed.
696 Hashed hostnames start with a
699 Only one hashed hostname may appear on a single line and none of the above
700 negation or wildcard operators may be applied.
702 Bits, exponent, and modulus are taken directly from the RSA host key; they
703 can be obtained, for example, from
704 .Pa /etc/ssh/ssh_host_key.pub .
705 The optional comment field continues to the end of the line, and is not used.
709 and empty lines are ignored as comments.
711 When performing host authentication, authentication is accepted if any
712 matching line has the proper key; either one that matches exactly or,
713 if the server has presented a certificate for authentication, the key
714 of the certification authority that signed the certificate.
715 For a key to be trusted as a certification authority, it must use the
717 marker described above.
719 The known hosts file also provides a facility to mark keys as revoked,
720 for example when it is known that the associated private key has been
722 Revoked keys are specified by including the
724 marker at the beginning of the key line, and are never accepted for
725 authentication or as certification authorities, but instead will
726 produce a warning from
728 when they are encountered.
730 It is permissible (but not
731 recommended) to have several lines or different host keys for the same
733 This will inevitably happen when short forms of host names
734 from different domains are put in the file.
736 that the files contain conflicting information; authentication is
737 accepted if valid information can be found from either file.
739 Note that the lines in these files are typically hundreds of characters
740 long, and you definitely don't want to type in the host keys by hand.
741 Rather, generate them by a script,
744 .Pa /etc/ssh/ssh_host_key.pub
745 and adding the host names at the front.
747 also offers some basic automated editing for
748 .Pa ~/.ssh/known_hosts
749 including removing hosts matching a host name and converting all host
750 names to their hashed representations.
752 An example ssh_known_hosts file:
753 .Bd -literal -offset 3n
754 # Comments allowed at start of line
755 closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
756 cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
758 |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
761 @revoked * ssh-rsa AAAAB5W...
762 # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
763 @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
766 .Bl -tag -width Ds -compact
768 This file is used to suppress printing the last login time and
776 It does not suppress printing of the banner specified by
780 This file is used for host-based authentication (see
782 for more information).
783 On some machines this file may need to be
784 world-readable if the user's home directory is on an NFS partition,
788 Additionally, this file must be owned by the user,
789 and must not have write permissions for anyone else.
791 permission for most machines is read/write for the user, and not
792 accessible by others.
795 This file is used in exactly the same way as
797 but allows host-based authentication without permitting login with
801 This directory is the default location for all user-specific configuration
802 and authentication information.
803 There is no general requirement to keep the entire contents of this directory
804 secret, but the recommended permissions are read/write/execute for the user,
805 and not accessible by others.
807 .It Pa ~/.ssh/authorized_keys
808 Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in
810 The format of this file is described above.
811 The content of the file is not highly sensitive, but the recommended
812 permissions are read/write for the user, and not accessible by others.
816 directory, or the user's home directory are writable
817 by other users, then the file could be modified or replaced by unauthorized
821 will not allow it to be used unless the
823 option has been set to
826 .It Pa ~/.ssh/environment
827 This file is read into the environment at login (if it exists).
828 It can only contain empty lines, comment lines (that start with
830 and assignment lines of the form name=value.
831 The file should be writable
832 only by the user; it need not be readable by anyone else.
833 Environment processing is disabled by default and is
835 .Cm PermitUserEnvironment
838 .It Pa ~/.ssh/known_hosts
839 Contains a list of host keys for all hosts the user has logged into
840 that are not already in the systemwide list of known host keys.
841 The format of this file is described above.
842 This file should be writable only by root/the owner and
843 can, but need not be, world-readable.
846 Contains initialization routines to be run before
847 the user's home directory becomes accessible.
848 This file should be writable only by the user, and need not be
849 readable by anyone else.
851 .It Pa /etc/hosts.allow
852 .It Pa /etc/hosts.deny
853 Access controls that should be enforced by tcp-wrappers are defined here.
854 Further details are described in
857 .It Pa /etc/hosts.equiv
858 This file is for host-based authentication (see
860 It should only be writable by root.
863 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
864 The file format is described in
874 refuses to let anyone except root log in.
875 The contents of the file
876 are displayed to anyone trying to log in, and non-root connections are
878 The file should be world-readable.
880 .It Pa /etc/shosts.equiv
881 This file is used in exactly the same way as
883 but allows host-based authentication without permitting login with
886 .It Pa /etc/ssh/ssh_host_key
887 .It Pa /etc/ssh/ssh_host_dsa_key
888 .It Pa /etc/ssh/ssh_host_ecdsa_key
889 .It Pa /etc/ssh/ssh_host_rsa_key
890 These files contain the private parts of the host keys.
891 These files should only be owned by root, readable only by root, and not
892 accessible to others.
895 does not start if these files are group/world-accessible.
897 .It Pa /etc/ssh/ssh_host_key.pub
898 .It Pa /etc/ssh/ssh_host_dsa_key.pub
899 .It Pa /etc/ssh/ssh_host_ecdsa_key.pub
900 .It Pa /etc/ssh/ssh_host_rsa_key.pub
901 These files contain the public parts of the host keys.
902 These files should be world-readable but writable only by
904 Their contents should match the respective private parts.
906 really used for anything; they are provided for the convenience of
907 the user so their contents can be copied to known hosts files.
908 These files are created using
911 .It Pa /etc/ssh/ssh_known_hosts
912 Systemwide list of known host keys.
913 This file should be prepared by the
914 system administrator to contain the public host keys of all machines in the
916 The format of this file is described above.
917 This file should be writable only by root/the owner and
918 should be world-readable.
920 .It Pa /etc/ssh/sshd_config
921 Contains configuration data for
923 The file format and configuration options are described in
926 .It Pa /etc/ssh/sshrc
929 it can be used to specify
930 machine-specific login-time initializations globally.
931 This file should be writable only by root, and should be world-readable.
937 during privilege separation in the pre-authentication phase.
938 The directory should not contain any files and must be owned by root
939 and not group or world-writable.
941 .It Pa /var/run/sshd.pid
942 Contains the process ID of the
944 listening for connections (if there are several daemons running
945 concurrently for different ports, this contains the process ID of the one
947 The content of this file is not sensitive; it can be world-readable.
965 OpenSSH is a derivative of the original and free
966 ssh 1.2.12 release by Tatu Ylonen.
967 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
968 Theo de Raadt and Dug Song
969 removed many bugs, re-added newer features and
971 Markus Friedl contributed the support for SSH
972 protocol versions 1.5 and 2.0.
973 Niels Provos and Markus Friedl contributed support
974 for privilege separation.
976 System security is not improved unless
981 are disabled (thus completely disabling