.TH SSHD 8 "November 8, 1995" "SSH" "SSH"
Sshd (Secure Shell Daemon) is the daemon program for ssh. Together these programs replace the rlogin and rsh programs, and provide secure encrypted communications between two untrusted hosts over an insecure network. The programs are intended to be as easy to install and use as possible.
Sshd is the daemon that listens for connections from clients. It is normally started at boot from /etc/rc.local or equivalent. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.
Sshd works as follows. Each host has a host-specific RSA key (normally 1024 bits) used to identify the host. Additionally, when the daemon starts, it generates a server RSA key (normally 768 bits). This key is normally regenerated every hour if it has been used, and is never stored on disk.
Whenever a client connects to the daemon, the daemon sends its host and server public keys to the client. The client compares the host key against its own database to verify that it has not changed. The client then generates a 256-bit random number. It encrypts this random number using both the host key and the server key, and sends the encrypted number to the server. Both sides then use this random number as the session key for a conventional cipher that encrypts all further communications in the session. Currently IDEA, DES, 3DES, ARCFOUR, and TSS (a fast home-grown algorithm) are supported. IDEA is used by default. The client selects the encryption algorithm to use from those offered by the server.
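The exchange above, reduced to its key-handling steps, as an added illustration that is not code from the ssh distribution. It uses the key sizes the page gives (1024-bit host key, 768-bit server key) but textbook RSA with no padding, plain Python integers, and a toy Miller-Rabin key generator. Two details are assumptions rather than statements of this page: the client applies the smaller-modulus key first and the larger one second (so the inner ciphertext always fits in the outer modulus), and an unknown host is recorded in the client's database on first contact.

```python
"""SSH1-style session-key setup: host key check, ephemeral server key,
doubly encrypted 256-bit session key.  Added example; textbook RSA only."""
import secrets

# Small odd primes for quick trial division ahead of Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits, e=65537):
    """Return ((n, e), (n, d)) for an RSA modulus of about `bits` bits."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_apply(key, m):
    """Textbook RSA: m ** exponent mod n (no padding; assumption of this example)."""
    n, exp = key
    return pow(m, exp, n)


class Server:
    """Daemon side: a long-lived host key plus an ephemeral server key."""

    def __init__(self, host_bits=1024, server_bits=768):
        self.host_pub, self.host_priv = rsa_keypair(host_bits)
        self.server_bits = server_bits
        self.regenerate_server_key()

    def regenerate_server_key(self):
        # Held only in memory; the real daemon regenerates it hourly once used.
        self.server_pub, self.server_priv = rsa_keypair(self.server_bits)

    def hello(self):
        """First message to the client: both public keys."""
        return self.host_pub, self.server_pub

    def accept_session_key(self, blob):
        """Strip the two RSA layers in reverse order; return the 32-byte key."""
        small, large = sorted([self.host_priv, self.server_priv], key=lambda k: k[0])
        k = rsa_apply(small, rsa_apply(large, blob))
        if k.bit_length() > 256:
            raise ValueError("session key does not decrypt (wrong or rotated server key)")
        return k.to_bytes(32, "big")


def client_connect(known_hosts, hostname, host_pub, server_pub):
    """Client side: verify the host key, then send a doubly encrypted session key."""
    if hostname in known_hosts:
        if known_hosts[hostname] != host_pub:
            raise ValueError("host key for %s has changed" % hostname)
    else:
        known_hosts[hostname] = host_pub     # record on first contact (assumption)
    session_key = secrets.token_bytes(32)    # the 256-bit random number
    m = int.from_bytes(session_key, "big")
    small, large = sorted([host_pub, server_pub], key=lambda k: k[0])
    if m >= small[0]:
        raise ValueError("random number must be smaller than the smaller modulus")
    blob = rsa_apply(large, rsa_apply(small, m))   # inner: smaller key, outer: larger key
    return session_key, blob
```

Because the session key is wrapped in both keys, an attacker needs both private keys to recover it, and once the server key has been regenerated the old ciphertext no longer yields the key even to someone who later obtains the host key. Key generation is pure Python and takes well under a second at these sizes.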
Next, the server and the client enter an authentication dialog. The client tries to authenticate itself using .rhosts authentication, .rhosts authentication combined with RSA host authentication, RSA challenge-response authentication, TIS challenge-response authentication, or password-based authentication.
Rhosts authentication is normally disabled because it is fundamentally insecure, but can be enabled in the server configuration file if desired. System security is not improved unless rshd(8), rlogind(8), rexecd(8), and rexd(8) are disabled as well (thus completely disabling rlogin(1) and rsh(1) into that machine).
If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request things like allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP connections, or forwarding the authentication agent connection over the secure channel.
Finally, the client either requests a shell or execution of a command. The sides then enter session mode. In this mode, either side may send data at any time, and such data is forwarded to/from the shell or command on the server side, and to/from the user terminal on the client side.
When the user program terminates and all forwarded X11 and other connections have been closed, the server sends command exit status to the client, and both sides exit.
Sshd can be configured using command-line options or a configuration file. Command-line options override values specified in the configuration file.
Sshd rereads its configuration file if it is sent the hangup signal, SIGHUP.
Sshd reads configuration data from /etc/sshd_config (or the file specified with -f on the command line). The file contains keyword-value pairs, one per line. Lines starting with '#' and empty lines are interpreted as comments.
The following keywords are possible. Keywords are case insensitive.
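A reader for the configuration format just described (keyword-value pairs, '#' and empty lines as comments, case-insensitive keywords, command-line options overriding the file), as an added example that is not code from the ssh distribution. The keyword names in the constructed sample are illustrative, the keyword checked by risky_settings is assumed rather than taken from this page, and rejecting a repeated keyword is this example's choice.

```python
"""Reader for sshd_config-style keyword/value files with command-line
precedence.  Added example; sample keywords are constructed."""

SAMPLE_CONFIG = """\
# Constructed sample for this example; keyword names are illustrative.
Port 22
HostKey /etc/ssh_host_key

RhostsAuthentication no
PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Return {keyword: value} with keywords lowercased (they are case insensitive).

    Lines starting with '#' and empty lines are comments.  The first
    whitespace-separated field is the keyword; the rest of the line is the
    value.  A repeated keyword is rejected rather than silently overriding
    an earlier one (this example's choice).
    """
    opts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("line %d: keyword %r has no value" % (lineno, fields[0]))
        keyword, value = fields[0].lower(), fields[1].strip()
        if keyword in opts:
            raise ValueError("line %d: keyword %r given twice" % (lineno, fields[0]))
        opts[keyword] = value
    return opts


def effective_config(config_text, command_line=()):
    """Merge file options with (keyword, value) pairs from the command line;
    command-line values win, as the page states."""
    opts = parse_sshd_config(config_text)
    for keyword, value in command_line:
        opts[keyword.lower()] = value
    return opts


def risky_settings(opts):
    """Flag the setting the page warns about: rhosts authentication is
    fundamentally insecure.  The keyword name used here is an assumption."""
    warnings = []
    if opts.get("rhostsauthentication", "no").lower() == "yes":
        warnings.append("RhostsAuthentication is enabled")
    return warnings
```

Because the daemon rereads the file on SIGHUP, running the parser (and risky_settings) over the file before sending the signal catches a malformed or weakened configuration without restarting the listener.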
Note that sshd can also be configured to use tcp_wrappers using the --with-libwrap compile-time configuration option.