sshd
OpenSSH SSH daemon
Syntax:
/usr/sbin/sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_certificate_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
Runs on:
QNX OS
Options:
Go to the OpenSSH documentation: https://man.openbsd.org/sshd
Description:
The sshd (OpenSSH Daemon) is the daemon program for ssh. Together, these programs provide secure encrypted communications between two untrusted hosts over an insecure network.
This program uses the OpenSSL library for cryptography services.
For more information, refer to sshd in the OpenBSD documentation.
Setting up SSH access to a QNX OS target
The following sections cover how you can enable system access via the SSH daemon and the SFTP server.
Configuration for privilege separation
- a non-writable directory owned by root (to chroot)
- an entry in /etc/passwd for a privilege separation user called sshd
sshd:x:15:6:sshd:/data/var/chroot/sshd:/bin/false
The x in the second field indicates that the password is contained in
/etc/shadow
. However, there should not be a password in this file. The
user ID and group ID are arbitrary which means you can pick any values. They, however,
should be different from other user IDs and group IDs of the system. You use them to
configure the credentials of the privilege separation process. The home directory should be
the same as the directory chosen above and sshd must not be run as this
user. The shell
is not used and can be set to anything.
SSH keys
- the host and then put on each target, or
- the target itself before running sshd for the first time
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''
ssh-keygen -t ecdsa -b 521 -f ssh_host_ecdsa_key -N ''
Each command creates two files, one with and one without a .pub extension. The file without the .pub extension, which is sensitive and should not be disclosed, is required on the target. Its location is arbitrary, but it should be in a directory owned by the user ID that sshd runs as. Furthermore, the location should be accessible only to sshd and not to processes with different user.
Configuration for sshd
Protocol 2
HostKey /data/var/ssh/ssh_host_ed25519_key
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-512,hmac-sha2-256
umac-128@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes
#Disallow sshd's password checking though passwords might
#still be allowed via pam.
PasswordAuthentication no
PermitUserEnvironment yes
PidFile none
Subsystem sftp/system/xbin/sftp-server
The HostKey
entry configures the locations of the
private key files (refer to SSH keys). The Subsystem entry indicates the location of the SFTP server binary if
required.
To allow users to
login over ssh, it may also be necessary to create entries for them in
/etc/passwd and /etc/shadow. A
/etc/profile file is required to establish environment variables
after the users login. For more information about network access to privileged accounts,
refer to Systems without
passwords
.
Running sshd
/system/xbin/sshd -f /system/etc/ssh/sshd_config
Running sshd as non-root
derive_type sshd_type privsep new_type;
Where
sshd_type is the security type sshd is running as
and new_type is the type the child process should run as, with lowered
privilege. If secpolgenerate is in use, everything necessary to use this
feature is added to the policy.Refer to Using Security Policies
in the System Security Guide for more
information.
PAMin the System Security Guide.
Contributing author:
OpenBSD