About OpenSSH


This section discusses configuration files used by OpenSSH clients and servers, describes how OpenSSH works, and highlights additional OpenSSH resources.

Files

OpenSSH clients and servers rely on many files. Global files are kept in /etc/ssh and user files in ~/.ssh. In the description of each file, the first word indicates whether the client or the server uses the file.

Caution: rhost authentication is a security risk

Although OpenSSH can get authentication information from /etc/hosts.equiv, /etc/shosts.equiv, ~/.rhosts, and ~/.shosts, this chapter does not cover the use of these files because they are security risks. The default settings in the /etc/ssh/sshd_config configuration file prevent their use.


/etc/ssh: Global Files

Global files listed in this section affect all users but can be overridden by files in a user's ~/.ssh directory.

moduli
client and server  Contains key exchange information that OpenSSH uses to establish a secure connection. Do not modify this file.

ssh_config
client  The global OpenSSH configuration file (page 589). Entries here can be overridden by entries in a user's ~/.ssh/config file.

sshd_config
server  The configuration file for sshd (page 593).

ssh_host_dsa_key, ssh_host_dsa_key.pub
server  SSH protocol version 2 DSA host keys. Both files should be owned by root. The ssh_host_dsa_key.pub public file should be readable by anyone but writable only by its owner (644 permissions). The ssh_host_dsa_key private file should not be readable or writable by anyone except its owner (600 permissions).

ssh_host_rsa_key, ssh_host_rsa_key.pub
server  SSH protocol version 2 RSA host keys. Both files should be owned by root. The ssh_host_rsa_key.pub public file should be readable by anyone but writable only by its owner (644 permissions). The ssh_host_rsa_key private file should not be readable or writable by anyone except its owner (600 permissions).

ssh_known_hosts
client  Contains public RSA (by default) keys of hosts that users on the local system can connect to. This file contains information similar to ~/.ssh/known_hosts, except it is set up by the administrator and is available to all users. This file should be owned by root and should be readable by anyone but writable only by its owner (644 permissions).

sshrc
server  Contains initialization routines. If ~/.ssh/rc is not present, this script runs after ~/.ssh/environment and before the user's shell starts.

~/.ssh: User Files

OpenSSH creates the ~/.ssh directory and the known_hosts file therein automatically when you connect to a remote system.

authorized_keys
server  Enables you to log in on or copy files from/to another system without supplying a password (page 592). No one except the owner should be able to write to this file.

config
client  A user's private OpenSSH configuration file (page 589). Entries here override those in /etc/ssh/ssh_config.

environment
server  Contains commands that are executed when a user logs in with ssh. Similar in function to ~/.bashrc for a local bash shell.

id_dsa, id_dsa.pub
client  User authentication DSA keys generated by ssh-keygen (page 592). Both files should be owned by the user in whose home directory they appear. The id_dsa.pub public file should be readable by anyone but writable only by its owner (644 permissions). The id_dsa private file should not be readable or writable by anyone except its owner (600 permissions).

id_rsa, id_rsa.pub
client  User authentication RSA keys generated by ssh-keygen (page 592). Both files should be owned by the user in whose home directory they appear. The id_rsa.pub public file should be readable by anyone but writable only by its owner (644 permissions). The id_rsa private file should not be readable or writable by anyone except its owner (600 permissions).

known_hosts
client  Contains public RSA keys (by default) of hosts that the user has connected to. OpenSSH automatically adds entries each time the user connects to a new server (page 584). Refer to "HostKeyAlgorithms" (page 590) for information on using DSA keys.

rc
server  Contains initialization routines. This script runs after environment and before the user's shell starts. If this file is not present, OpenSSH runs /etc/ssh/sshrc; if that file does not exist, OpenSSH runs xauth.
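The ownership and permission rules stated for the files in /etc/ssh and ~/.ssh are easy to audit mechanically. The script below is an added example (not part of OpenSSH or of this book) that checks a directory against exactly those rules: private keys 600, public keys and ssh_known_hosts 644, authorized_keys not writable by group or other, and every file owned by the expected account. The demo directory it builds is constructed for illustration.

```sh
#!/bin/sh
# Audit an OpenSSH directory against the ownership and permission rules this
# section gives (added example, not OpenSSH's or the book's own script):
#   ssh_host_*_key, id_dsa, id_rsa -> 600; *.pub, ssh_known_hosts -> 644;
#   authorized_keys -> no group/other write bit. Every audited file must
#   belong to the expected owner (root for /etc/ssh, the user for ~/.ssh).

# Octal mode and owner name; GNU stat first, BSD/macOS stat as fallback.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_file FILE OWNER: prints one OK/BAD/SKIP line, returns 1 on a violation.
check_file() {
    f=$1; name=${f##*/}; mode=$(mode_of "$f"); problem=
    case $name in
        ssh_host_*_key|id_dsa|id_rsa)
            [ "$mode" = 600 ] || problem="mode $mode, want 600" ;;
        *.pub|ssh_known_hosts)
            [ "$mode" = 644 ] || problem="mode $mode, want 644" ;;
        authorized_keys)
            # last two octal digits are group and other; 2,3,6,7 carry w
            case $mode in
                *[2367]?|*[2367]) problem="mode $mode, writable by others" ;;
            esac ;;
        *) echo "SKIP $f"; return 0 ;;
    esac
    have=$(owner_of "$f")
    [ "$have" = "$2" ] || problem="${problem:+$problem; }owner $have, want $2"
    if [ -z "$problem" ]; then echo "OK   $f"; return 0; fi
    echo "BAD  $f: $problem"; return 1
}

# audit_dir DIR OWNER: checks every regular file in DIR; the exit status is
# the number of violations (0 means the directory passes).
audit_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] && ! check_file "$f" "$2" && bad=$((bad + 1))
    done
    return $bad
}

# Demo on a constructed ~/.ssh look-alike: a correct RSA pair, a DSA private
# key that is group-readable and an authorized_keys that anyone can write.
demo=$(mktemp -d)
touch "$demo/id_rsa" "$demo/id_rsa.pub" "$demo/id_dsa" "$demo/authorized_keys"
chmod 600 "$demo/id_rsa"; chmod 644 "$demo/id_rsa.pub"
chmod 640 "$demo/id_dsa"; chmod 666 "$demo/authorized_keys"
audit_dir "$demo" "$(id -un)" || echo "$? problem(s) found"   # 2 problem(s) found
rm -rf "$demo"
```

To audit a real system, call `audit_dir /etc/ssh root` and `audit_dir ~/.ssh "$(id -un)"` instead of the demo directory; files the section does not give a rule for are reported as SKIP.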

How OpenSSH Works

When OpenSSH starts, it first establishes an encrypted connection and then authenticates the user. Once these two tasks are completed, OpenSSH allows the two systems to send information back and forth.

OpenSSH uses two key pairs to negotiate an encrypted session: a host key pair and a session key pair. The host key pair is a set of public/private keys that is established the first time the server system runs sshd (page 592), typically the first time the system boots. The session key pair is a set of public/private keys that changes hourly.

The first time an OpenSSH client connects with an OpenSSH server, you are asked to verify that the client is connected to the correct server (see "First-time authentication" on page 584). After verification, the client makes a copy of the server's public host key. On subsequent connections, the client compares the key provided by the server with the key it stored. Although this test is not foolproof, the next one is quite secure.

The client then generates a random key, which it encrypts with both the server's public host key and the session key. The client sends this encrypted key to the server. The server, in turn, uses its private keys to decrypt the encrypted key. This process creates a key that is known only to the client and server and is used to encrypt the rest of the session.

More Information

Local
man pages: ssh, scp, ssh-keygen, ssh_config, sshd, sshd_config

Web
OpenSSH home page: www.openssh.com
Search tldp.org for ssh for various HOWTOs and other documents.

Books
Implementing SSH: Strategies for Optimizing the Secure Shell by Dwivedi; John Wiley & Sons (October 2003)
SSH, The Secure Shell: The Definitive Guide by Barrett & Silverman; O'Reilly & Associates (February 2001)




A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
Year: 2006
Pages: 383
