This chapter describes the configuration options in Solaris Secure Shell. The following is a list of the reference information in this chapter.A Typical Solaris Secure Shell Session Client and Server Configuration in Solaris Secure Shell Keywords in Solaris Secure Shell Maintaining Known Hosts in Solaris Secure Shell Solaris Secure Shell Packages and Initialization Solaris Secure Shell Files Solaris Secure Shell Commands For procedures to configure Solaris Secure Shell, see Chapter 19, Using Solaris Secure Shell (Tasks). keywordsspecific keyword Solaris Secure Shelladministering administeringSolaris Secure Shelloverview Solaris Secure Shelltypical session daemonssshd The Solaris Secure Shell daemon (sshd) is normally started at boot time when network services are started. The daemon listens for connections from clients. A Solaris Secure Shell session begins when the user runs an ssh, scp, or sftp command. A new sshd daemon is forked for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange with the client. These session characteristics are determined by client-side configuration files and server-side configuration files. Command-line arguments can override the settings in the configuration files.The client and server must authenticate themselves to each other. After successful authentication, the user can execute commands remotely and copy data between hosts.configuration filesSolaris Secure ShellThe server-side behavior of the sshd daemon is controlled by keyword settings in the /etc/ssh/sshd_config file. For example, the sshd_config file controls which types of authentication are permitted for accessing the server. The server-side behavior can also be controlled by the command-line options when the sshd daemon is started.clientsconfiguring for Solaris Secure ShellThe behavior on the client side is controlled by Solaris Secure Shell keywords in this order of precedence:Command-line options User's configuration file, ~/.ssh/config System-wide configuration file, /etc/ssh/ssh_config For example, a user can override a system-wide configuration Cipher setting of blowfish by specifying c 3des on the command line. authenticationSolaris Secure Shellprocess Solaris Secure Shellauthentication steps The Solaris Secure Shell protocols, v1 and v2, both support client user/host authentication and server host authentication. Both protocols involve the exchange of session cryptographic keys for the protection of Solaris Secure Shell sessions. Each protocol provides various methods for authentication and key exchange. Some methods are optional. Solaris Secure Shell supports a number of client authentication mechanisms, as shown in Table 19–1. Servers are authenticated by using known host public keys.For the v1 protocol, Solaris Secure Shell supports user authentication with passwords. The protocol also supports user public keys and authentication with trusted host public keys. Server authentication is done with a host public key. For the v1 protocol, all public keys are RSA keys. Session key exchanges involve the use of an ephemeral server key that is periodically regenerated.For the v2 protocol, Solaris Secure Shell supports user authentication and generic interactive authentication, which usually involves passwords. The protocol also supports authentication with user public keys and with trusted host public keys. The keys can be RSA or DSA. Session key exchanges consist of Diffie-Hellman ephemeral key exchanges that are signed in the server authentication step. Additionally, Solaris Secure Shell can use GSS credentials for authentication.GSS-APIcredentials in Solaris Secure ShellTo use GSS-API for authentication in Solaris Secure Shell, the server must have GSS-API acceptor credentials and the client must have GSS-API initiator credentials. Support is available for mech_dh and for mech_krb5.mech_dh mechanismGSS-API credentialsFor mech_dh, the server has GSS-API acceptor credentials if root has run the keylogin command.mech_krb mechanismGSS-API credentialsFor mech_krb5, the server has GSS-API acceptor credentials when the host principal that corresponds to the server has a valid entry in /etc/krb5/krb5.keytab.The client has initiator credentials for mech_dh if one of the following has been done:The keylogin command has been run. The pam_dhkeys module is used in the pam.conf file. The client has initiator credentials for mech_krb5 if one of the following has been done:The kinit command has been run. The pam_krb5 module is used in the pam.conf file. For the use of mech_dh in secure RPC, see Chapter 16, Using Authentication Services (Tasks). For the use of mech_krb5, see Chapter 21, Introduction to the Kerberos Service. For more information on mechanisms, see the mech4 and mech_spnego5 man pages. Solaris Secure Shellcommand execution command executionSolaris Secure Shell Solaris Secure Shelldata forwarding data forwardingSolaris Secure Shell X11 forwardingin Solaris Secure Shell TCPSolaris Secure Shell and pseudo-ttyuse in Solaris Secure Shell componentsSolaris Secure Shell user sessionAfter authentication is complete, the user can use Solaris Secure Shell, generally by requesting a shell or executing a command. Through the ssh command options, the user can make requests. Requests can include allocating a pseudo-tty, forwarding X11 connections or TCP/IP connections, or enabling an ssh-agent authentication program over a secure connection.The basic components of a user session are as follows:The user requests a shell or the execution of a command, which begins the session mode.In this mode, data is sent or received through the terminal on the client side. On the server side, data is sent through the shell or a command. When data transfer is complete, the user program terminates. All X11 forwarding and TCP/IP forwarding is stopped, except for those connections that already exist. Existing X11 connections and TCP/IP connections remain open. The server sends an exit status message to the client. When all connections are closed, such as forwarded ports that had remained open, the client closes the connection to the server. Then, the client exits. The characteristics of a Solaris Secure Shell session are controlled by configuration files. The configuration files can be overridden to a certain degree by options on the command line.Solaris Secure Shellconfiguring clients configuringSolaris Secure Shellclients administeringSolaris Secure Shellclients clientsconfiguring for Solaris Secure Shell ssh_config fileconfiguring Solaris Secure Shell /etc/ssh/ssh_config fileconfiguring Solaris Secure Shell In most cases, the client-side characteristics of a Solaris Secure Shell session are governed by the system-wide configuration file, /etc/ssh/ssh_config. The settings in the ssh_config file can be overridden by the user's configuration file, ~/.ssh/config. In addition, the user can override both configuration files on the command line.The settings in the server's /etc/ssh/sshd_config file determine which client requests are permitted by the server. For a list of server configuration settings, see Keywords in Solaris Secure Shell. For detailed information, see the sshd_config4 man page.The keywords in the client configuration file are listed in Keywords in Solaris Secure Shell. If the keyword has a default value, the value is given. These keywords are described in detail in the ssh1, scp1, sftp1, and ssh_config4 man pages. For a list of keywords in alphabetical order and their equivalent command-line overrides, see Table 20–8. sshd_config filekeywordsspecific keyword Solaris Secure Shellconfiguring server serversconfiguring for Solaris Secure Shell configuringSolaris Secure Shellservers administeringSolaris Secure Shellservers The server-side characteristics of a Solaris Secure Shell session are governed by the /etc/ssh/sshd_config file. The keywords in the server configuration file are listed in Keywords in Solaris Secure Shell. If the keyword has a default value, the value is given. For a full description of the keywords, see the sshd_config4 man page. Solaris Secure Shellkeywords keywordsSolaris Secure Shell sshd_config filekeywords /etc/ssh/ssh_config filekeywords ssh_config filekeywords /etc/ssh/sshd_config filekeywords The following tables list the keywords and their default values, if any. The keywords are in alphabetical order. The location of keywords on the client is the ssh_config file. Keywords that apply to the server are in the sshd_config file. Some keywords are set in both files. If the keyword applies to only one protocol version, the version is listed.Keyword Default Value Location Protocol AllowGroups keywordsshd_config fileAllowGroups No default. Server AllowTcpForwarding keywordsshd_config fileAllowTcpForwarding no Server AllowUsers keywordsshd_config fileAllowUsers No default. Server AuthorizedKeysFile keywordsshd_config fileAuthorizedKeysFile ~/.ssh/authorized_keys Server Banner keywordsshd_config fileBanner /etc/issue Server Batchmode keywordssh_config fileBatchmode no Client BindAddress keywordssh_config fileBindAddress No default. Client CheckHostIP keywordssh_config fileIP addressesSolaris Secure Shell checkingCheckHostIP yes Client Cipher keywordsshd_config fileCipher encryptionspecifying algorithms in ssh_config fileBlowfish encryption algorithmssh_config file3des encryption algorithmssh_config fileblowfish, 3des Client v1 Ciphers keywordSolaris Secure ShellCiphers 3des-cbc encryption algorithmssh_config fileblowfish-cbc encryption algorithmssh_config fileaes128-cbc encryption algorithmssh_config fileaes128-ctr encryption algorithmssh_config filearcfour encryption algorithmssh_config fileaes128-ctr, aes128-cbc, 3des-cbc, blowfish-cbc, arcfour Both v2 ClearAllForwardings keywordSolaris Secure Shell port forwardingClearAllForwardings No default. Client ClientAliveInterval keywordSolaris Secure Shell port forwardingClientAliveInterval 0 Server v2 ClientAliveCountMax keywordSolaris Secure Shell port forwardingClientAliveCountMax 3 Server v2 Compression keywordSolaris Secure ShellCompression yes Both CompressionLevel keywordssh_config fileCompressionLevel No default. Client ConnectionAttempts keywordssh_config fileConnectionAttempts 1 Client DenyGroups keywordsshd_config fileDenyGroups No default. Server DenyUsers keywordsshd_config fileDenyUsers No default. Server DynamicForward keywordssh_config fileDynamicForward No default. Client EscapeChar keywordssh_config fileEscapeChar ~ Client Keyword Default Value Location Protocol FallBackToRsh keywordssh_config fileFallBackToRsh no Client ForwardAgent keywordSolaris Secure Shell forwarded authenticationForwardAgent no Client ForwardX11 keywordSolaris Secure Shell port forwardingX11 forwardingconfiguring in ssh_config fileForwardX11 no Client GatewayPorts keywordSolaris Secure ShellGatewayPorts no Both GlobalKnownHostsFile keywordssh_config fileGlobalKnownHostsFile2 keywordGlobalKnownHostsFile keywordGlobalKnownHostsFile /etc/ssh/ssh_known_hosts Client GSSAPIAuthentication keywordSolaris Secure ShellGSSAPIAuthentication yes Both v2 GSSAPIDelegateCredentials keywordSolaris Secure ShellGSSAPIDelegateCredentials no Client v2 GSSAPIKeyExchange keywordSolaris Secure ShellGSSAPIKeyExchange yes Both v2 GSSAPIStoreDelegatedCredentials keywordssh_config fileGSSAPIStoreDelegateCredentials no Client v2 Host keywordssh_config fileHost * For more information, see Host-Specific Parameters in Solaris Secure Shell. Client HostbasedAuthentication keywordSolaris Secure ShellHostbasedAuthentication no Both v2 HostbasedUsesNamesFromPacketOnly keywordsshd_config fileHostbasedUsesNamesFromPacketOnly no Server v2 HostKey keywordsshd_config fileHostKey /etc/ssh/ssh_host_key Server v1 HostKey /etc/ssh/host_rsa_key, /etc/ssh/host_dsa_key Server v2 HostKeyAlgorithms keywordssh_config fileHostKeyAlgorithms ssh-rsa, ssh-dss Client v2 HostKeyAlias keywordssh_config fileHostKeyAlias No default. Client v2 IdentityFile keywordssh_config fileIdentityFile ~/.ssh/identity Client v1 IdentityFile ~/.ssh/id_dsa, ~/.ssh/id_rsa Client v2 IgnoreRhosts keywordsshd_config fileIgnoreRhosts yes Server IgnoreUserKnownHosts keywordsshd_config fileIgnoreUserKnownHosts yes Server KbdInteractiveAuthentication keywordSolaris Secure ShellChallengeResponseAuthentication keywordKbdInteractiveAuthentication keywordKbdInteractiveAuthentication yes Both KeepAlive keywordSolaris Secure ShellKeepAlive yes Both KeyRegenerationInterval keywordsshd_config fileKeyRegenerationInterval 3600 (seconds) Server ListenAddress keywordsshd_config fileListenAddress No default. Server LocalForward keywordssh_config fileLocalForward No default. Client Keyword Default Value Location Protocol LoginGraceTime keywordsshd_config fileLoginGraceTime 600 (seconds) Server LogLevel keywordSolaris Secure ShellLogLevel info Both LookupClientHostname keywordsshd_config fileLookupClientHostname yes Server MACS keywordSolaris Secure ShellMACs hmac-md5 algorithmssh_config filehmac-sha1 encryption algorithmssh_config filehmac-sha1,hmac-md5 Both v2 MaxAuthTries keywordsshd_config fileMaxAuthTries 6 Server MaxAuthTriesLog keywordsshd_config fileMaxAuthTriesLog No default. Server MaxStartups keywordsshd_config fileMaxStartups 10:30:60 Server NoHostAuthenticationForLocalHost keywordssh_config fileNoHostAuthenticationForLocalHost no Client NumberOfPasswordPrompts keywordssh_config fileNumberOfPasswordPrompts 3 Client PAMAuthenticationViaKBDInt keywordsshd_config filePAMAuthenticationViaKBDInt yes Server v2 PasswordAuthentication keywordSolaris Secure ShellPasswordAuthentication yes Both PermitEmptyPasswords keywordsshd_config filePermitEmptyPasswords no Server PermitRootLogin keywordsshd_config filePermitRootLogin no Server PermitUserEnvironment keywordsshd_config filePermitUserEnvironment no Server PreferredAuthentications keywordssh_config filePreferredAuthentications gssapi-keyex, gssapi-with-mic, hostbased, publickey, keyboard-interactive, password Client v2 Port keywordSolaris Secure ShellPort 22 Both PrintMotd keywordsshd_config filePrintMotd no Server Protocol keywordssh_config fileProtocol 2 Both ProxyCommand keywordssh_config fileProxyCommand No default. Client PubkeyAuthentication keywordSolaris Secure ShellDSAAuthentication keywordPubkeyAuthentication keywordPubkeyAuthentication yes Both v2 RemoteForward keywordssh_config fileRemoteForward No default. Client RhostsAuthentication keywordSolaris Secure ShellRhostsAuthentication no Both v1 RhostsRSAAuthentication keywordSolaris Secure ShellRhostsRSAAuthentication no Both v1 RSAAuthentication keywordSolaris Secure ShellRSAAuthentication no Both v1 Keyword Default Value Location Protocol ServerKeyBits keywordsshd_config fileServerKeyBits 768 Server StrictHostKeyChecking keywordssh_config fileStrictHostKeyChecking ask Client StrictModes keywordsshd_config fileStrictModes yes Server Subsystem keywordsshd_config fileSubsystem sftp /usr/lib/ssh/sftp-server Server SyslogFacility keywordsshd_config fileSyslogFacility auth Server UseLogin keywordsshd_config fileUseLogin no Deprecated and ignored. Server User keywordssh_config fileUser No default. Client UserKnownHostsFile keywordssh_config fileUserKnownHostsFile2 keywordUserKnownHostsFile keywordUserKnownHostsFile ~/.ssh/known_hosts Client VerifyReverseMapping keywordssh_config fileVerifyReverseMapping no Server X11Forwarding keywordsshd_config fileX11Forwarding yes Server X11DisplayOffset keywordsshd_config fileX11DisplayOffset 10 Server X11UseLocalHost keywordsshd_config fileX11UseLocalHost yes Server XAuthLocation keywordSolaris Secure Shell port forwardingxauth commandX11 forwardingXAuthLocation No default. Both ssh_config filehost-specific parameters /etc/ssh/ssh_config filehost-specific parameters ssh_config filekeywordsspecific keyword Host keywordssh_config file If it is useful to have different Solaris Secure Shell characteristics for different local hosts, the administrator can define separate sets of parameters in the /etc/ssh/ssh_config file to be applied according to host or regular expression. This task is done by grouping entries in the file by Host keyword. If the Host keyword is not used, the entries in the client configuration file apply to whichever local host a user is working on. Solaris Secure Shelllogin environment variables and variableslogin and Solaris Secure Shell sshd_config fileoverrides of /etc/default/login entries /etc/default/login fileSolaris Secure Shell and login environment variablesSolaris Secure Shell and environment variablesSolaris Secure Shell and When the following Solaris Secure Shell keywords are not set in the sshd_config file, they get their value from equivalent entries in the /etc/default/login file:Entry in /etc/default/login Keyword and Value in sshd_config CONSOLE in Solaris Secure ShellCONSOLE=* PermitRootLogin=without-password #CONSOLE=* PermitRootLogin=yes PASSREQ in Solaris Secure ShellPASSREQ=YES PermitEmptyPasswords=no PASSREQ=NO PermitEmptyPasswords=yes #PASSREQ PermitEmptyPasswords=no TIMEOUT in Solaris Secure ShellTIMEOUT=secs LoginGraceTime=secs #TIMEOUT LoginGraceTime=300 RETRIES in Solaris Secure ShellSYSLOG_FAILED_LOGINSin Solaris Secure ShellRETRIES and SYSLOG_FAILED_LOGINS Apply only to password and keyboard-interactive authentication methods. variablessetting in Solaris Secure ShellWhen the following variables are set by the login command, the sshd daemon uses those values. When the variables are not set, the daemon uses the default value.TIMEZONETZ in Solaris Secure ShellControls the setting of the TZ environment variable. When not set, the sshd daemon uses value of TZ when the daemon was started. ALTSHELLALTSHELL in Solaris Secure ShellControls the setting of the SHELL environment variable. The default is ALTSHELL=YES, where the sshd daemon uses the value of the user's shell. When ALTSHELL=NO, the SHELL value is not set. PATHPATH in Solaris Secure ShellControls the setting of the PATH environment variable. When the value is not set, the default path is /usr/bin. SUPATHSUPATH in Solaris Secure ShellControls the setting of the PATH environment variable for root. When the value is not set, the default path is /usr/sbin:/usr/bin. For more information, see the login1 and sshd1M man pages. /etc/ssh/ssh_known_hosts filecontrolling distributionknown_hosts filecontrolling distributionEach host that needs to communicate securely with another host must have the server's public key stored in the local host's /etc/ssh/ssh_known_hosts file. Although a script could be used to update the /etc/ssh/ssh_known_hosts files, such a practice is heavily discouraged because a script opens a major security vulnerability./etc/ssh/ssh_known_hosts filesecure distributionThe /etc/ssh/ssh_known_hosts file should only be distributed by a secure mechanism as follows:Over a secure connection, such as Solaris Secure Shell, IPsec, or Kerberized ftp from a known and trusted machine At system install time To avoid the possibility of an intruder gaining access by inserting bogus public keys into a known_hosts file, you should use a JumpStart server as the known and trusted source of the ssh_known_hosts file. The ssh_known_hosts file can be distributed during installation. Later, scripts that use the scp command can be used to pull in the latest version. This approach is secure because each host already has the public key from the JumpStart server. packagesSolaris Secure Shell Solaris Secure Shellpackages Solaris Secure Shelladding to system Solaris Secure Shell depends on core Solaris packages and the following packages:SUNWgss – Contains Generic Security Service (GSS) software SUNWtcpd – Contains TCP wrappers SUNWopenssl-libraries – Contains OpenSSL libraries SUNWzlib – Contains the zip compression library The following packages install Solaris Secure Shell:SUNWsshr – Contains client files and utilities for the root (/) directory SUNWsshdr – Contains server files and utilities for the root (/) directory SUNWsshcu – Contains common source files for the /usr directory SUNWsshdu – Contains server files for the /usr directory SUNWsshu – Contains client files and utilities for the /usr directory Upon reboot after installation, the sshd daemon is running. The daemon creates host keys on the system. A Solaris system that runs the sshd daemon is a Solaris Secure Shell server. Solaris Secure Shellfilesfilesfor administering Solaris Secure Shellprivate keysSolaris Secure Shell identity filespublic keysSolaris Secure Shell identity filesidentity files (Solaris Secure Shell)naming conventionsnaming conventionsSolaris Secure Shell identity filesSolaris Secure Shellnaming identity filesThe following table shows the important Solaris Secure Shell files and the suggested file permissions.File Name Description Suggested Permissions and Owner /etc/ssh/sshd_config filedescriptionsshd_config filedescription/etc/ssh/sshd_config Contains configuration data for sshd, the Solaris Secure Shell daemon. -rw-r--r-- root /etc/ssh/ssh_host_key filedescriptionssh_host_key filedescription/etc/ssh/ssh_host_key Contains the host private key (v1). -rw-r--r-- root /etc/ssh/ssh_host_dsa_key filedescriptionssh_host_dsa_key filedescription/etc/ssh/ssh_host_rsa_key filedescriptionssh_host_rsa_key filedescription/etc/ssh/ssh_host_dsa_key or /etc/ssh/ssh_host_rsa_key Contains the host private key (v2). -rw-r--r-- root /etc/ssh_host_key.pub filedescriptionssh_host_key.pub filedescription/etc/ssh_host_dsa_key.pub filedescriptionssh_host_dsa_key.pub filedescription/etc/ssh_host_rsa_key.pub filedescriptionssh_host_rsa_key.pub filedescriptionhost-private-key.pub Contains the host public key, for example, /etc/ssh/ssh_host_rsa_key.pub. Is used to copy the host key to the local known_hosts file. -rw-r--r-- root /var/run/sshd.pid filedescriptionsshd.pid filedescription/var/run/sshd.pid Contains the process ID of the Solaris Secure Shell daemon, sshd. If multiple daemons are running, the file contains the last daemon that was started. -rw-r--r-- root authorized_keys filedescription~/.ssh/authorized_keys filedescription~/.ssh/authorized_keys Holds the public keys of the user who is allowed to log in to the user account. -rw-rw-r-- username /etc/ssh/ssh_known_hosts filedescriptionssh_known_hosts file/etc/ssh/ssh_known_hosts Contains the host public keys for all hosts with which the client can communicate securely. The file is populated by the administrator. -rw-r--r-- root ~/.ssh/known_hosts filedescription.ssh/known_hosts filedescriptionknown_hosts filedescription~/.ssh/known_hosts Contains the host public keys for all hosts with which the client can communicate securely. The file is maintained automatically. Whenever the user connects with an unknown host, the remote host key is added to the file. -rw-r--r-- username /etc/default/login filedescriptiondefault/login filedescription/etc/default/login Provides defaults for the sshd daemon when corresponding sshd_config parameters are not set. -r--r--r-- root /etc/nologin filedescriptionnologin filedescription/etc/nologin If this file exists, the sshd daemon only permits root to log in. The contents of this file are displayed to users who are attempting to log in. -rw-r--r-- root .rhosts filedescription~/.rhosts filedescription~/.rhosts Contains the host-user name pairs that specify the hosts to which the user can log in without a password. This file is also used by the rlogind and rshd daemons. -rw-r--r-- username .shosts filedescription~/.shosts filedescription~/.shosts Contains the host-user name pairs that specify the hosts to which the user can log in without a password. This file is not used by other utilities. For more information, see the sshd1Mman page in the FILES section. -rw-r--r-- username /etc/hosts.equiv filedescriptionhosts.equiv filedescription/etc/hosts.equiv Contains the hosts that are used in .rhosts authentication. This file is also used by the rlogind and rshd daemons. -rw-r--r-- root /etc/ssh/shosts.equiv filedescriptionshosts.equiv filedescription/etc/ssh/shosts.equiv Contains the hosts that are used in host-based authentication. This file is not used by other utilities. -rw-r--r-- root ~/.ssh/environment file description.ssh/environment filedescription~/.ssh/environment Contains initial assignments at login. By default, this file is not read. The PermitUserEnvironment keyword in the sshd_config file must be set to yes for this file to be read. -rw------- username ~/.ssh/rc filedescription.ssh/rc filedescription~/.ssh/rc Contains initialization routines that are run before the user shell starts. For a sample initialization routine, see the sshd man page. -rw------- username /etc/ssh/sshrc filedescriptionsshrc filedescription/etc/ssh/sshrc Contains host-specific initialization routines that are specified by an administrator. -rw-r--r-- root /etc/ssh/ssh_config filedescription/etc/ssh/ssh_config Configures system settings on the client system. -rw-r--r-- root ~/.ssh/config filedescription.ssh/config filedescription~/.ssh/config Configures user settings. Overrides system settings. -rw------- username The following table lists the Solaris Secure Shell files that can be overridden by keywords or command options.File Name Keyword Override Command-Line Override /etc/ssh/ssh_config fileoverridessh_config fileoverride/etc/ssh/ssh_config ssh -F config-filescp -F config-file ~/.ssh/config fileoverride.ssh/config fileoverride~/.ssh/config ssh -F config-file /etc/ssh/ssh_host_key fileoverridessh_host_key fileoverride/etc/ssh/host_rsa_key/etc/ssh/host_dsa_key HostKey ~/.ssh/identity fileoverride.ssh/identity file~/.ssh/identity~/.ssh/id_dsa fileoverride.ssh/id_dsa file~/.ssh/id_dsa ~/.ssh/id_rsa fileoverride.ssh/id_rsa file~/.ssh/id_rsa IdentityFile ssh -i id-filescp -i id-file ~/.ssh/authorized_keys fileoverride~/.ssh/authorized_keys AuthorizedKeysFile /etc/ssh/ssh_known_hosts fileoverride/etc/ssh/ssh_known_hosts GlobalKnownHostsFile ~/.ssh/known_hosts fileoverride.ssh/known_hosts fileoverride~/.ssh/known_hosts UserKnownHostsFileIgnoreUserKnownHosts commandsSolaris Secure Shell commands The following table summarizes the major Solaris Secure Shell commands.Command Description Man Page ssh commanddescriptionssh Logs a user in to a remote machine and securely executes commands on a remote machine. This command is the Solaris Secure Shell replacement for the rlogin and rsh commands. The ssh command enables secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. ssh1 sshd commanddescriptionsshd Is the daemon for Solaris Secure Shell. The daemon listens for connections from clients and enables secure encrypted communications between two untrusted hosts over an insecure network. sshd1M ssh-add commanddescriptionssh-add Adds RSA or DSA identities to the authentication agent, ssh-agent. Identities are also called keys. ssh-add1 ssh-agent commanddescriptionssh-agent environment variablesuse with ssh-agent commandHolds private keys that are used for public key authentication. The ssh-agent program is started at the beginning of an X-session or a login session. All other windows and other programs are started as clients of the ssh-agent program. Through the use of environment variables, the agent can be located and used for authentication when users use the ssh command to log in to other systems. ssh-agent1 ssh-keygen commanddescriptionssh-keygen Generates and manages authentication keys for Solaris Secure Shell. ssh-keygen1 ssh-keyscan commanddescriptionssh-keyscan new featurescommandsssh-keyscanGathers the public keys of a number of Solaris Secure Shell hosts. Aids in building and verifying ssh_known_hosts files. ssh-keyscan1 ssh-keysign commanddescriptionssh-keysign new featurescommandsssh-keysignIs used by the ssh command to access the host keys on the local host. Generates the digital signature that is required during host-based authentication with Solaris Secure Shell v2. The command is invoked by the ssh command, not by the user. ssh-keysign1M scp commanddescriptionscp Securely copies files between hosts on a network over an encrypted ssh transport. Unlike the rcp command, the scp command prompts for passwords or passphrases, if password information is needed for authentication. scp1 sftp commanddescriptionsftp Is an interactive file transfer program that is similar to the ftp command. Unlike the ftp command, the sftp command performs all operations over an encrypted ssh transport. The command connects, logs in to the specified host name, and then enters interactive command mode. sftp1 keywordscommand-line overrides in Solaris Secure Shellssh commandoverriding keyword settingsThe following table lists the command options that override Solaris Secure Shell keywords. The keywords are specified in the ssh_config and sshd_config files.Keyword ssh Command-Line Override scp Command-Line Override BatchMode scp -B BindAddress ssh -b bind-addr scp -a bind-addr Cipher ssh -c cipher scp -c cipher Ciphers ssh -c cipher-spec scp -c cipher-spec Compression ssh -C scp -C DynamicForward ssh -D SOCKS4-port EscapeChar ssh -e escape-char ForwardAgent ssh -A to enablessh -a to disable ForwardX11 ssh -X to enablessh -x to disable GatewayPorts ssh -g IPv4 ssh -4 scp -4 IPv6 ssh -6 scp -6 LocalForward ssh -L localport:remotehost:remoteport MACS ssh -m mac-spec Port ssh -p port scp -P port Protocol ssh -1 for v1 onlyssh -2 for v2 only RemoteForward ssh -R remoteport:localhost:localport