The sshd (Secure Shell Daemon) service is part of the OpenSSH implementation for Linux that provides authenticated, end-to-end encrypted networked communication. For example, a user on one host can log in to another system without using a password because the sshd service can be configured to use alternate authentication techniques such as exchanging shared-key information.
OpenSSH uses a client/server model. A client, such as a user running the ssh program, initiates a connection to the sshd server on the target host. SSH protocol messages are exchanged to authenticate the client to the target host, and remote access is then permitted or denied. If permitted, a TCP/IP connection is established so the client can exchange commands and data with an application spawned by the sshd daemon on the target system.
The benefit of the OpenSSH tools is that all communication is encrypted. Authentication information such as usernames and passwords, and the session data itself, is never transmitted in the clear. This is unlike alternatives such as telnet or ftp, which use clear-text transmission exclusively.
The openssh-server RPM package provides the /usr/sbin/sshd daemon and its configuration files.
Two versions of the SSH communication protocol exist, version 1 and version 2. Both the client, such as scp, and the sshd server must use the same protocol version. The sshd server supports both protocol versions by default, but each version is configured separately.
Connections between the client and the sshd daemon are made over TCP, to port 22 by default. First, the client and server must agree on an encryption method: sshd sends a list of supported ciphers and the client selects its preference. The server identifies itself using either /etc/ssh/ssh_host_key (protocol version 1) or one of /etc/ssh/ssh_host_[rd]sa_key (protocol version 2); this allows the client to detect IP spoofing or man-in-the-middle attacks. With the host identity verified, the client then tries one or more authentication methods to establish the user's access credentials. Public-key authentication is tried first, with fallback to a traditional password challenge. Using the ssh client, the full negotiation can be viewed by adding “-v” switches, like this:
$ ssh -vvv myhost.example.com
The sshd daemon uses the /etc/pam.d/sshd file to determine the necessary authentication rules for its host. A default file is provided by the openssh-server RPM package and is adequate for most sites.
After the user access is authenticated, the sshd(8) daemon then starts the client’s desired application program with the standard input/error/output files (stdin, stderr, stdout) attached to the TCP/IP session.
The features and behavior of the sshd(8) daemon are controlled by a system-wide configuration file, /etc/ssh/sshd_config. A default file is provided with the RPM package and may be edited to suit local requirements. For example, to prevent root logins over ssh, change the sshd_config setting as in this snippet:
# vi /etc/ssh/sshd_config
PermitRootLogin no
Service Control
To manage the sshd service on demand, use the service command or run the /etc/init.d/sshd script directly:
# /sbin/service sshd help
Usage: /etc/init.d/sshd {start|stop|restart|reload|condrestart|status}
# /etc/init.d/sshd help
Usage: /etc/init.d/sshd {start|stop|restart|reload|condrestart|status}
The available commands are:
Command | Description |
---|---|
start | Start the sshd daemon. |
stop | Stop the sshd daemon. |
restart | Equivalent to a stop and then a start command sequence. |
reload | Force the sshd daemon to re-read its configuration files without a service interruption. |
condrestart | If the sshd daemon is currently running, this is the same as a restart command. If the daemon is not running, no action is taken. Often used in RPM package installation to avoid starting a service not already running. |
status | If the sshd daemon is running, report its PID (Process ID). If not running, report that, too. |
The sshd daemon is most commonly started by the sshd service or by the xinetd(8) daemon. Providing command-line arguments directly is possible, but not usually done. Instead, additional command line arguments can be supplied to the sshd(8) daemon by creating the /etc/sysconfig/sshd file and defining the ${OPTIONS} variable:
# Additional command line options for sshd
OPTIONS="-q"
This example will turn on quiet mode, preventing sshd from logging the beginning, authentication, and ending of each session. Consult the online manual page for sshd for details of the available command line options.
Configuration
To manage the sshd service at boot time, use the chkconfig tool:
# /sbin/chkconfig --list sshd
sshd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
# /sbin/chkconfig sshd on
# /sbin/chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
A variety of configuration files are used to tailor the sshd daemon for site-dependent operation. These are described below:
Configuration File Path | Description |
---|---|
/etc/ssh/sshd_config | Required configuration file. Most default values are provided as comments. |
/etc/ssh/ssh_host_key | Contains host key used for the SSH protocol version 1. Needed only if protocol version 1 is used. |
/etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_dsa_key | Contain the host keys used for SSH protocol version 2. Needed only if protocol version 2 is used. |
/etc/motd | Message of the day file presented to ssh client upon successful login. |
~/.hushlogin | If file exists, the /etc/motd file is not displayed by ssh upon a successful login. |
/etc/nologin | If file exists, its content is displayed by the client and the session is then terminated. Ignored for root logins. |
~/.ssh/environment | If the file exists and the sshd_config parameter PermitUserEnvironment is set, shell environment variables from this file are exported to the SSH session. |
~/.ssh/rc, /etc/ssh/sshrc | Checked in the order shown; the first one found is run. If neither is found, the xauth utility is run. |
~/.ssh/authorized_keys | Lists the public keys used for RSA session authentication. |
~/.ssh/known_hosts, /etc/ssh/ssh_known_hosts | Contain the host public keys for all known hosts. The per-user file is maintained automatically. The optional global file is maintained by the system administrator. |
/etc/moduli, /etc/ssh/moduli | Contrary to the man page, the file /etc/moduli is not used in this implementation. The file /etc/ssh/moduli contains the Diffie-Hellman groups used for the “Diffie-Hellman Group Exchange” protocol negotiation. |
/var/empty/sshd | chroot directory used during privilege separation, prior to completion of the authentication phase. Owned by root and not world-writable, this directory typically contains only an etc/localtime file for time and date presentation. |
/etc/hosts.allow, /etc/hosts.deny | Access controls enforced by the tcp_wrappers facility. See tcpd for more details. |
~/.rhosts | Used for RSA authentication or host-based authentication. List of username/hostname pairs to identify logins not requiring a password exchange. |
~/.shosts | Similar to ~/.rhosts, but ignored by the rlogin or rshd utilities. |
/etc/hosts.equiv | List of hosts where password challenges are not required as long as the username matches on both the client and server hosts. If a line also contains a username, that user on the client machine can log in to any server account, even the host root account; this is generally not recommended. |
/etc/shosts.equiv | Processed identically to the /etc/hosts.equiv file, this file is ignored by the rsh and rshd daemons. |
Configuration file /etc/ssh/sshd_config
Below is a sample configuration file, /etc/ssh/sshd_config.
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
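The audit script below is an added example, not code from the page or from OpenSSH. It applies the convention the sample file documents (a commented "#Key value" line records the compiled-in default, an uncommented line overrides it, and settings after a Match line are conditional) to report each directive's effective value, then checks settings the text singles out, such as PermitRootLogin, against hardened values. The directive list, the hardened values and the abridged sample file it writes are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the page or OpenSSH). Reports the effective value
# of sshd_config directives using the convention the shipped file documents:
# "#Key value" is the compiled-in default, an uncommented "Key value"
# overrides it (last one wins), and lines after the first "Match" are skipped.

# effective_value FILE KEY -> "<value> set|default", or "unset unknown"
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { k = tolower($1) }
        k == "match" { exit }                         # conditional section
        k == key { val = $2; how = "set" }            # explicit override
        k == ("#" key) && how != "set" { val = $2; how = "default" }
        END { if (how == "") print "unset unknown"; else print val, how }
    ' "$1"
}

# audit_config FILE -> one line per directive that differs from the hardened
# value assumed for this demonstration; returns the number of findings.
audit_config() {
    file=$1; findings=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no X11Forwarding=no \
                PermitUserEnvironment=no IgnoreRhosts=yes; do
        key=${pair%=*}; want=${pair#*=}
        result=$(effective_value "$file" "$key")
        got=${result% *}; how=${result#* }
        if [ "$got" != "$want" ]; then
            printf '%s is %s (%s); hardened value is %s\n' "$key" "$got" "$how" "$want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# write_sample FILE: constructed, abridged config in the shape of the page's
# sample; values chosen to exercise each rule above.
write_sample() {
    cat > "$1" <<'EOF'
#PermitRootLogin yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
X11Forwarding yes
#PermitUserEnvironment no
#IgnoreRhosts yes
Match User anoncvs
	X11Forwarding no
EOF
}
```

Run `write_sample /tmp/sshd_config.sample; audit_config /tmp/sshd_config.sample` to see two findings: PermitRootLogin is still at its commented default of yes, and X11Forwarding is explicitly yes (the Match-scoped "no" is not the global value).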