17.5. OpenSSH Configuration Files
OpenSSH has two different sets of configuration files: one for
client programs (ssh,
scp, and sftp) and one for the server daemon
(sshd).
System-wide SSH configuration information is stored in the
/etc/ssh/ directory:
-
moduli —
Contains Diffie-Hellman groups used for the Diffie-Hellman
key exchange which is critical for constructing a secure
transport layer. When keys are exchanged at the beginning
of an SSH session, a shared, secret value is created which
cannot be determined by either party alone. This value is
then used to provide host authentication.
-
ssh_config — The
system-wide default SSH client configuration file. It is
overridden if one is also present in the user's home
directory (~/.ssh/config).
-
sshd_config —
The configuration file for the sshd daemon.
-
ssh_host_dsa_key
— The DSA private key used by the sshd daemon.
-
ssh_host_dsa_key.pub
— The DSA public key used by the sshd daemon.
-
ssh_host_key —
The RSA private key used by the sshd daemon for version 1 of the
SSH protocol.
-
ssh_host_key.pub
— The RSA public key used by the sshd daemon for version 1 of the
SSH protocol.
-
ssh_host_rsa_key
— The RSA private key used by the sshd daemon for version 2 of the
SSH protocol.
-
ssh_host_rsa_key.pub
— The RSA public key used by the sshd for version 2 of the SSH
protocol.
User-specific SSH configuration information is stored in the
user's home directory within the ~/.ssh/ directory:
-
authorized_keys —
This file holds a list of authorized public keys for
servers. When the client connects to a server, the server
authenticates the client by checking its signed public key
stored within this file.
-
id_dsa —
Contains the DSA private key of the user.
-
id_dsa.pub — The
DSA public key of the user.
-
id_rsa — The RSA
private key used by ssh
for version 2 of the SSH protocol.
-
id_rsa.pub — The
RSA public key used by ssh for version 2 of the SSH
protocol
-
identity — The RSA
private key used by ssh for
version 1 of the SSH protocol.
-
identity.pub —
The RSA public key used by ssh for version 1 of the SSH
protocol.
-
known_hosts —
This file contains DSA host keys of SSH servers accessed by
the user. This file is very important for ensuring that the
SSH client is connecting the correct SSH server.
Important
If an SSH server's host key has changed, the client
notifies the user that the connection cannot proceed until
the server's host key is deleted from the known_hosts file using a text
editor. Before doing this, however, contact the system
administrator of the SSH server to verify the server is
not compromised.
Refer to the ssh_config and
sshd_config man pages for
information concerning the various directives available in the
SSH configuration files.