
The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a host-specific key, used to identify the host. Whenever a client connects, the daemon responds with its public host key. The client compares the host key against its own database to verify that it has not changed. Forward secrecy is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. The rest of the session is encrypted using a symmetric cipher. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code (MAC).
Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using host-based authentication, public key authentication, challenge-response authentication, or password authentication.
If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request things like allocating a pseudo-tty, forwarding X11 connections, forwarding TCP connections, or forwarding the authentication agent connection over the secure channel.

- The OpenSSH SSH client supports SSH protocol 2. The methods available for authentication are: GSSAPI-based authentication, host-based authentication, public key authentication, challenge-response authentication, and password authentication.
- From man ssh: ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa: Contains the private key for authentication. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). ssh will simply ignore a private key file if it is accessible by others.
The ssh program on a host receives its configuration from either the command line or from configuration files ~/.ssh/config and /etc/ssh/ssh_config. Command-line options take precedence over configuration files. The user-specific configuration file ~/.ssh/config is used next. Finally, the global /etc/ssh/ssh_config file is used. The first obtained value for each configuration parameter will.
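
The permission rule quoted from man ssh above can be checked mechanically before ssh silently skips a key. This is an added example, not taken from the man page or from OpenSSH; the function names are hypothetical, and recognising key files by their PEM/OpenSSH header line is an assumption of the example (the legacy binary identity format is not detected).

```shell
#!/bin/sh
# Added example: find private keys in a directory that group or other
# users can access, which is the condition under which ssh ignores them.

# Succeeds if the first line of file $1 is a PEM/OpenSSH private key header.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q -e '-----BEGIN .*PRIVATE KEY-----'
}

# Succeeds if any group/other permission bit (mask 077) is set on $1.
# Written with POSIX "-perm -mode" tests only, so it does not depend on
# GNU-specific find syntax.
has_group_other_access() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Print the path of every too-permissive private key directly inside $1.
# Symlinks are skipped so the report only names files stored in $1 itself.
audit_private_keys() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if is_private_key "$f" && has_group_other_access "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Restrict every flagged key to owner read/write (mode 600).
fix_private_keys() {
    audit_private_keys "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}
```

Call `audit_private_keys "$HOME/.ssh"` to list offending files; public keys and config files are not reported because they lack a private key header.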

After this, the client either requests a shell or execution of a command. The sides then enter session mode. In this mode, either side may send data at any time, and such data is forwarded to/from the shell or command on the server side, and the user terminal in the client side.
When the user program terminates and all forwarded X11 and other connections have been closed, the server sends command exit status to the client, and both sides exit.
openssh-known-hosts

-f | treat every non-zero exit from download plugin as an error, see EXIT_IGNORE below. |

CONFDIR | Configuration directory, defaults to /etc/openssh-known-hosts. Currently there is only a sources subdirectory in it. |
PLUGIN_PATH | Plugin search path, defaults to /usr/local/share/openssh-known-hosts/plugins:/usr/share/openssh-known-hosts/plugins. |
CACHEDIR | Cache directory, defaults to /var/cache/openssh-known-hosts. |
LOCK | Lockfile path, defaults to /var/lock/openssh-known-hosts. |
OUTFILE | Output file name, defaults to /var/lib/openssh-known-hosts/ssh_known_hosts |
PLUGIN | Name of the download plugin to use, searched for in PLUGIN_PATH. |
EXIT_IGNORE | Optional space-separated list of exit codes which should be ignored. Upon such exit code the previously downloaded version is used. |
