Files

~/.hushlogin
This file is used to suppress printing the last login time and /etc/motd, if the sshd_config keywords PrintLastLog and PrintMotd, respectively, are enabled. It does not suppress printing of the banner specified by the sshd_config keyword Banner.
~/.rhosts

This file is used for host-based authentication. On some machines, this file might need to be world-readable if the user's home directory is on an NFS partition, because sshd reads it as a superuser. Additionally, this file must be owned by the user and must not have write permissions for anyone else. The recommended permission for most machines is read/write for the user and not accessible by others.

~/.shosts
This file is used in exactly the same way as ~/.rhosts, but allows host-based authentication without permitting login with rlogin or rsh.
~/.ssh/
This directory is the default location for all user-specific configuration and authentication information. There is no general requirement to keep the entire contents of this directory secret, but the recommended permissions are read/write/execute for the user, and not accessible by others.
~/.ssh/authorized_keys
Lists the public keys (RSA/DSA/ECDSA) that can be used for logging in as this user. For the format of this file, see Format of the authorized_keys file. The content of this file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.

If this file, the ~/.ssh/ directory, or the user's home directory is writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the value for the sshd_config keyword StrictModes has been set to "no".

~/.ssh/environment
If this file exists, it is read into the environment at login. It can only contain empty lines, comment lines (starting with #), and assignment lines of the form name=value. The file must be writable only by the user; it need not be readable by anyone else. Environment processing is disabled by default and is controlled by means of the PermitUserEnvironment option, which is described in PermitUserEnvironment.
~/.ssh/known_hosts
Contains a list of host keys for all hosts the user has logged into that are not already in the system-wide list of known host keys, /etc/ssh/ssh_known_hosts. See ssh_known_hosts file format for further details of the format of this file. This file must be writable only by the owner and can, but need not be, world-readable.
~/.ssh/rc

If this file exists, it is run with /bin/sh after reading the environment files, but before starting the user's shell or command. It must not produce any output on stdout; stderr must be used instead. If X forwarding is in use, it will receive the "proto cookie" pair in its standard input (and DISPLAY in its environment). The script must call xauth, because sshd will not run xauth automatically to add X11 cookies. If you have not configured your system for X11 forwarding, see Steps for configuring the system for X11 forwarding.

The primary purpose of this file is to run any initialization routines which might be needed before the user's home directory becomes accessible; AFS® is a particular example of such an environment.

This file will probably contain some initialization code, followed by lines similar to this example:
if read proto cookie && [ -n "$DISPLAY" ]; then
     if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
           # X11UseLocalhost=yes
           echo add unix:`echo $DISPLAY |
              cut -c11-` $proto $cookie
     else
           # X11UseLocalhost=no
           echo add $DISPLAY $proto $cookie
     fi | xauth -q -
fi
If this file does not exist, /etc/ssh/sshrc is run, and if that does not exist either, xauth is used to add the cookie.

This file should be writable only by the user.

/etc/hosts.allow, /etc/hosts.deny
Not supported on z/OS® UNIX. Access controls that should be enforced by tcp-wrappers are defined in these files.
/etc/hosts.equiv

This file is for host-based authentication. In the simplest form, this file contains host names, one per line. Users on those hosts are permitted to log in without a password, provided they have the same user name on both machines. The host name can also be followed by a user name; such users are permitted to log in as any user on this machine except superuser.

If the client host/user is successfully matched in this file, login is automatically permitted, provided the client and server user names are the same. Additionally, successful public key authentication is typically required. This file must be writable only by a superuser. It is recommended that it be world-readable.

Guideline: Do not use user names in /etc/hosts.equiv. Be aware that the named users can log in as any user, including bin, daemon, adm, and other accounts that own critical binaries and directories. The only valid use for user names is in negative entries.

/etc/nologin
If this file exists, sshd refuses to let anyone except a superuser log in. The contents of the file are displayed to anyone trying to log in and non-superuser connections are refused. The file must be world-readable.
/etc/motd
Contains the message of the day. See the sshd_config keyword PrintMotd for more information.
/etc/ssh/moduli
Contains Diffie-Hellman groups used for the Diffie-Hellman Group Exchange. The file format is described in moduli.
/etc/ssh/sshd_config
Contains configuration data for sshd. The file format and configuration options are described in sshd_config.
/etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys. They must be owned by, and readable only by, a superuser. sshd does not start if these files are group-accessible or world-accessible.
/etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_ecdsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub
These files contain the public parts of the host keys. They are provided only for the convenience of the user so their contents can be copied to known hosts files. They are created using ssh-keygen. They must be writable only by a superuser and can, but need not be, world-readable. Their contents must match the respective private parts.
/etc/ssh/shosts.equiv
This file is used in exactly the same way as /etc/hosts.equiv, but allows host-based authentication without permitting login with rlogin or rsh.
/etc/ssh/ssh_known_hosts
System-wide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. See ssh_known_hosts file format for further details of the format of this file. This file must be writable only by the owner and must be world-readable.
/etc/ssh/sshrc
Similar to ~/.ssh/rc, it can be used to specify machine-specific login-time initialization globally. This file should be writable only by a superuser and world-readable.
/etc/ssh/zos_sshd_config
Contains z/OS-specific configuration data for sshd. The file format and configuration options are described in zos_sshd_config.
/var/empty
chroot directory used by sshd during privilege separation in the pre-authentication phase. The directory must not contain any files. It must also be owned by a superuser and not be group-writable or world-writable.
/var/run/sshd.mm.XXXXXXXX
Temporary files created by sshd for compression with privilege separation.
/var/run/sshd.pid
Contains the process ID of the sshd listening for connections (if there are several daemons running concurrently for different ports, this contains the process ID of the one started last). The contents of this file are not sensitive. It can be world-readable. This file is not created if the server is running in debug mode.
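
The following audit script is an added example, not part of the product documentation. It checks two of the permission rules above: the StrictModes condition on the home directory, ~/.ssh/ and ~/.ssh/authorized_keys, and the rule that private host keys must not be group-accessible or world-accessible. The function names are illustrative, group-write and world-write are assumed to be what "writable by other users" means, and ownership is not checked.

```sh
#!/bin/sh
# Added example (not from the product documentation): audit the permission
# rules listed above. Function names are illustrative.

# any_bit_set PATH BIT...
# Succeeds if PATH has at least one of the given octal permission bits set.
# POSIX find only offers "-perm -MODE" (all bits set), so test bit by bit.
any_bit_set() {
    _path=$1
    shift
    for _bit in "$@"; do
        [ -n "$(find -L "$_path" -prune -perm "-$_bit" 2>/dev/null)" ] && return 0
    done
    return 1
}

# strictmodes_audit HOME_DIR
# Reports the home directory, ~/.ssh/ and authorized_keys when group- or
# world-writable (assumption: that is what "writable by other users" means).
strictmodes_audit() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if any_bit_set "$p" 020 002; then
            echo "writable by others: $p"
        fi
    done
}

# hostkey_audit FILE...
# Reports private host key files with any group or other permission bit set.
hostkey_audit() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        if any_bit_set "$p" 040 020 010 004 002 001; then
            echo "group/world accessible: $p"
        fi
    done
}

# Usage:
#   strictmodes_audit "$HOME"
#   hostkey_audit /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key
```

Any line printed by strictmodes_audit names a path that sshd would refuse to trust unless StrictModes is set to "no"; any line printed by hostkey_audit names a key file that would keep sshd from starting.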