[Next] [Previous] [Up] [Top] [Contents]

CHAPTER 29 Secure Shell, SSH

29.3 Control Files

The following table lists the files used by SSH to hold information necessary to verify the host or user and to configure the connection. Not all of these files are necessarily used. This depends on the restrictions you specify for the server options.
Files used by SSH
/etcssh_host_keymachine private key, accessible only by root
ssh_host_key.pubmachine public key. This file has one line of the form:

1024 37 94512...(lots of numbers)...34891 root@this_machine

ssh_random_seedseed for the random number generator, accessible only by root
ssh_known_hostssystem-wide known public host keys of machines. Public keys are put here, one per line, with a format similar to ~/.ssh/authorized_keys: system name, number of bits in modulus, public exponent, modulus, and optional comment field, all separated by spaces. The system name can include aliases and IP addresses separated by commas, e.g. (all on one line)

nyssa,nyssa.acs.ohio-state.edu, 1024 41 50812...(lots of numbers)...72391 root@nyssa

These can be obtained from the /etc/ssh_host_key.pub of each other host. If you have enabled StrictHostKeyChecking in /etc/ssh_config then you must manually add the desired host's public key to this file so that sshd will allow an RSA authenticated connection. Otherwise, if the host's entry is not in this file ssh will add it to the users local file, ~/.ssh/known_hosts. Generate the entries as root on the host, with ssh-keygen.

ssh_configsystem-wide ssh configuration file. Provides defaults for parameters not specified in the users' ~/.ssh/config. See the table below for a list of keywords and default arguments.
sshd_configsshd (ssh server daemon) configuration file. Lines beginning with # and empty lines are comments. Configuration lines have the form: "keywords arguments", where the keywords are case sensitive. See the table below for a list of keywords and default arguments.
sshd.pidprocess id number of the latest sshd.
nologinlimits logins to root user only, if it exists. The contents of this file will be displayed to any user trying to login in.
environmentenvironment variables to set at login. Lines should be of the form "name=value".
hosts.equivlists hosts and users allowed to use rlogin/rsh if RhostsAuthentication or RhostRSAAuthentication is set.
shosts.equivsame as /etc/hosts.equiv, but only for ssh.
sshrccommands to execute when the user logs in before starting the user's shell.


.rhostsprovides .rhosts authentication if enabled by the ssh configuration files.
.shostssame as ~/.rhosts, but only for ssh.
.Xauthorityused by ssh to store the authorization cookie for the X11 server. Ssh verifies that X11 forwarded connections carry this cookie. When the connection is opened the real cookie replaces this one. All X11 displays automatically go through the encrypted channel via a proxy X server created by ssh. Ssh will set the DISPLAY environment variable pointing to the server machine with a display number greater than zero.


known_hosts.used in conjunction with /etc/ssh_known_hosts. This is ignored if StrictHostKeyChecking is enabled
authorized_keyslist of public keys of users that are allowed access to this account without a password. Generate the entries as the user on the host with ssh-keygen and provide a passphrase. Additional security options can be specified here. The user's local public key, kept in ~/.ssh/identity.pub, should be in this authorized_keys file on the remote machine. This file replaces the function of ~/.rhosts when using RSA authentication. It allows the user to login without providing a password. This file has one key per line, each in the form:

1024 37 44765081...(lots of numbers)...86828 frank@other_machine

identitylocal private key of the user.
identity.publocal public key of the user. This should be copied to ~/.ssh/authorized_keys on the remote machine. This file has one line of the form:

1025 35 5574508...lots of numbers)...74727 frank@this_machine

random_seedcontains the seed for the random number generator. It should be read/write only for the user and should not be changed by the user.
configconfiguration file for the user. The format is the same as for the system-wide ssh configuration file, /etc/ssh_config.
environmentenvironment variables to set at login for this user. Similar to /etc/environment and read after that file.
rcsame as /etc/sshrc, but for the individual user.

29.3.1 - Configuration Options

Unix System Administration - 8 AUG 1996
[Next] [Previous] [Up] [Top] [Contents]