sshd (OpenSSH Daemon) is the daemon program for
ssh(1). Together these programs replace
rlogin(1) and
rsh(1), and provide secure encrypted communications between two untrusted hosts over an insecure network.
sshd listens for connections from clients. It is normally started at boot from
/etc/rc.d/sshd. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.
sshd can be configured using command-line options or a configuration file (by default
sshd_config(5)); command-line options override values specified in the configuration file.
sshd rereads its configuration file when it receives a hangup signal,
SIGHUP, by executing itself with the name and options it was started with, e.g.
/usr/sbin/sshd.
The options are as follows:
-4
Forces sshd to use IPv4 addresses only.
-6
Forces sshd to use IPv6 addresses only.
-b bits
Specifies the number of bits in the ephemeral protocol version 1 server key (default 1024).
-C connection_spec
Specify the connection parameters to use for the -T extended test mode. If provided, any Match directives in the configuration file that would apply to the specified user, host, and address will be set before the configuration is written to standard output. The connection parameters are supplied as keyword=value pairs. The keywords are “user”, “host”, and “addr”. All are required and may be supplied in any order, either with multiple -C options or as a comma-separated list.
-D
When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.
-d
Debug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. Multiple -d options increase the debugging level. Maximum is 3.
-e
When this option is specified, sshd will send the output to the standard error instead of the system log.
-f config_file
Specifies the name of the configuration file. The default is /etc/ssh/sshd_config. sshd refuses to start if there is no configuration file.
-g login_grace_time
Gives the grace time for clients to authenticate themselves (default 120 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit.
-h host_key_file
Specifies a file from which a host key is read. This option must be given if sshd is not run as root (as the normal host key files are normally not readable by anyone but root). The default is /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol version 2. It is possible to have multiple host key files for the different protocol versions and host key algorithms.
-i
Specifies that
sshd is being run from
inetd(8).
sshd is normally not run from inetd because it needs to generate the server key before it can respond to the client, and this may take tens of seconds. Clients would have to wait too long if the key was regenerated every time. However, with small key sizes (e.g. 512) using
sshd from inetd may be feasible.
-k key_gen_time
Specifies how often the ephemeral protocol version 1 server key is regenerated (default 3600 seconds, or one hour). The motivation for regenerating the key fairly often is that the key is not stored anywhere, and after about an hour it becomes impossible to recover the key for decrypting intercepted communications even if the machine is cracked into or physically seized. A value of zero indicates that the key will never be regenerated.
-o option
Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. For full details of the options, and their values, see
sshd_config(5).
-p port
Specifies the port on which the server listens for connections (default 22). Multiple port options are permitted. Ports specified in the configuration file with the Port option are ignored when a command-line port is specified. Ports specified using the ListenAddress option override command-line ports.
-q
Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged.
-T
Extended test mode. Check the validity of the configuration file, output the effective configuration to stdout and then exit. Optionally, Match rules may be applied by specifying the connection parameters using one or more -C options.
-t
Test mode. Only check the validity of the configuration file and sanity of the keys. This is useful for updating sshd reliably as configuration options may change.
-u len
This option is used to specify the size of the field in the utmp structure that holds the remote host name. If the resolved host name is longer than len, the dotted decimal value will be used instead. This allows hosts with very long host names that overflow this field to still be uniquely identified. Specifying -u0 indicates that only dotted decimal addresses should be put into the utmp file. -u0 may also be used to prevent sshd from making DNS requests unless the authentication mechanism or configuration requires it. Authentication mechanisms that may require DNS include RhostsRSAAuthentication, HostbasedAuthentication, and using a from="pattern-list" option in a key file. Configuration options that require DNS include using a USER@HOST pattern in AllowUsers or DenyUsers.