Big rename ssh* -> openssh*

1 files changed, 0 insertions, 781 deletions

diff --git a/sshd.8 b/sshd.8
deleted file mode 100644
index 981c5ff7..00000000
--- a/sshd.8
+++ /dev/null
@@ -1,781 +0,0 @@
-.\"  -*- nroff -*-
-.\"
-.\" sshd.8.in
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\"
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" Created: Sat Apr 22 21:55:14 1995 ylo
-.\"
-.\" $Id: sshd.8,v 1.1 1999/10/27 03:42:46 damien Exp $
-.\"
-.Dd September 25, 1999
-.Dt SSHD 8
-.Os
-.Sh NAME
-.Nm sshd
-.Nd secure shell daemon
-.Sh SYNOPSIS
-.Nm sshd
-.Op Fl diq
-.Op Fl b Ar bits
-.Op Fl f Ar config_file
-.Op Fl g Ar login_grace_time
-.Op Fl h Ar host_key_file
-.Op Fl k Ar key_gen_time
-.Op Fl p Ar port
-.Sh DESCRIPTION 
-.Nm
-(Secure Shell Daemon) is the daemon program for 
-.Xr ssh 1 .
-Together these programs replace rlogin and rsh programs, and
-provide secure encrypted communications between two untrusted hosts
-over an insecure network.  The programs are intended to be as easy to
-install and use as possible.
-.Pp
-.Nm
-is the daemon that listens for connections from clients.  It is
-normally started at boot from 
-.Pa /etc/rc .
-It forks a new
-daemon for each incoming connection.  The forked daemons handle
-key exchange, encryption, authentication, command execution,
-and data exchange.
-.Pp
-.Nm
-works as follows.  Each host has a host-specific RSA key
-(normally 1024 bits) used to identify the host.  Additionally, when
-the daemon starts, it generates a server RSA key (normally 768 bits).
-This key is normally regenerated every hour if it has been used, and
-is never stored on disk.
-.Pp
-Whenever a client connects the daemon, the daemon sends its host
-and server public keys to the client.  The client compares the
-host key against its own database to verify that it has not changed.
-The client then generates a 256 bit random number.  It encrypts this
-random number using both the host key and the server key, and sends
-the encrypted number to the server.  Both sides then start to use this
-random number as a session key which is used to encrypt all further
-communications in the session.  The rest of the session is encrypted
-using a conventional cipher, currently Blowfish and 3DES, with 3DES
-being is used by default.  The client selects the encryption algorithm
-to use from those offered by the server.
-.Pp
-Next, the server and the client enter an authentication dialog.  The
-client tries to authenticate itself using
-.Pa .rhosts
-authentication,
-.Pa .rhosts
-authentication combined with RSA host
-authentication, RSA challenge-response authentication, or password
-based authentication.
-.Pp
-Rhosts authentication is normally disabled
-because it is fundamentally insecure, but can be enabled in the server
-configuration file if desired.  System security is not improved unless
-.Xr rshd 8 ,
-.Xr rlogind 8 ,
-.Xr rexecd 8 ,
-and
-.Xr rexd 8
-are disabled (thus completely disabling
-.Xr rlogin 1
-and
-.Xr rsh 1
-into that machine).
-.Pp
-If the client successfully authenticates itself, a dialog for
-preparing the session is entered.  At this time the client may request
-things like allocating a pseudo-tty, forwarding X11 connections,
-forwarding TCP/IP connections, or forwarding the authentication agent
-connection over the secure channel.
-.Pp
-Finally, the client either requests a shell or execution of a command.
-The sides then enter session mode.  In this mode, either side may send
-data at any time, and such data is forwarded to/from the shell or
-command on the server side, and the user terminal in the client side.
-.Pp
-When the user program terminates and all forwarded X11 and other
-connections have been closed, the server sends command exit status to
-the client, and both sides exit.
-.Pp
-.Nm
-can be configured using command-line options or a configuration
-file.  Command-line options override values specified in the
-configuration file.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl b Ar bits
-Specifies the number of bits in the server key (default 768).
-.Pp
-.It Fl d
-Debug mode.  The server sends verbose debug output to the system
-log, and does not put itself in the background.  The server also will
-not fork and will only process one connection.  This option is only
-intended for debugging for the server.
-.It Fl f Ar configuration_file
-Specifies the name of the configuration file.  The default is
-.Pa /etc/sshd_config .
-.Nm
-refuses to start if there is no configuration file.
-.It Fl g Ar login_grace_time
-Gives the grace time for clients to authenticate themselves (default
-300 seconds).  If the client fails to authenticate the user within
-this many seconds, the server disconnects and exits.  A value of zero
-indicates no limit.
-.It Fl h Ar host_key_file
-Specifies the file from which the host key is read (default
-.Pa /etc/ssh_host_key ) .
-This option must be given if
-.Nm
-is not run as root (as the normal
-host file is normally not readable by anyone but root).
-.It Fl i
-Specifies that
-.Nm
-is being run from inetd. 
-.Nm
-is normally not run
-from inetd because it needs to generate the server key before it can
-respond to the client, and this may take tens of seconds.  Clients
-would have to wait too long if the key was regenerated every time.
-However, with small key sizes (e.g.  512) using
-.Nm
-from inetd may
-be feasible.
-.It Fl k Ar key_gen_time
-Specifies how often the server key is regenerated (default 3600
-seconds, or one hour).  The motivation for regenerating the key fairly
-often is that the key is not stored anywhere, and after about an hour,
-it becomes impossible to recover the key for decrypting intercepted
-communications even if the machine is cracked into or physically
-seized.  A value of zero indicates that the key will never be regenerated.
-.It Fl p Ar port
-Specifies the port on which the server listens for connections
-(default 22).
-.It Fl q
-Quiet mode.  Nothing is sent to the system log.  Normally the beginning,
-authentication, and termination of each connection is logged.
-.It Fl Q
-Do not print an error message if RSA support is missing.
-.El
-.Sh CONFIGURATION FILE
-.Nm
-reads configuration data from 
-.Pa /etc/sshd_config
-(or the file specified with
-.Fl f
-on the command line).  The file
-contains keyword-value pairs, one per line.  Lines starting with
-.Ql #
-and empty lines are interpreted as comments.
-.Pp
-The following keywords are possible.
-.Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server. Default is
-.Dq yes .
-.It Cm AllowGroups
-This keyword can be followed by a number of group names, separated
-by spaces.  If specified, login is allowed only for users whose primary
-group matches one of the patterns.
-.Ql \&*
-and
-.Ql ?
-can be used as
-wildcards in the patterns.  Only group names are valid, a numerical group
-id isn't recognized.  By default login is allowed regardless of
-the primary group.
-.Pp
-.It Cm AllowUsers
-This keyword can be followed by a number of user names, separated
-by spaces.  If specified, login is allowed only for users names that
-match one of the patterns.
-.Ql \&*
-and
-.Ql ?
-can be used as
-wildcards in the patterns.  Only user names are valid, a numerical user
-id isn't recognized.  By default login is allowed regardless of
-the user name.
-.Pp
-.It Cm CheckMail
-Specifies whether
-.Nm
-should check for new mail for interactive logins.
-The default is
-.Dq no .
-.It Cm DenyGroups
-This keyword can be followed by a number of group names, separated
-by spaces.  Users whose primary group matches one of the patterns
-aren't allowed to log in.
-.Ql \&*
-and
-.Ql ?
-can be used as
-wildcards in the patterns.  Only group names are valid, a numerical group
-id isn't recognized.  By default login is allowed regardless of
-the primary group.
-.Pp
-.It Cm DenyUsers
-This keyword can be followed by a number of user names, separated
-by spaces.  Login is allowed disallowed for user names that match
-one of the patterns.
-.Ql \&*
-and
-.Ql ?
-can be used as
-wildcards in the patterns.  Only user names are valid, a numerical user
-id isn't recognized.  By default login is allowed regardless of
-the user name.
-.Pp
-.It Cm FascistLogging
-Specifies whether to use verbose logging.  Verbose logging violates
-the privacy of users and is not recommended.  The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm HostKey
-Specifies the file containing the private host key (default
-.Pa /etc/ssh_host_key ) .
-Note that
-.Nm
-does not start if this file is group/world-accessible.
-.It Cm IgnoreRhosts
-Specifies that rhosts and shosts files will not be used in
-authentication.
-.Pa /etc/hosts.equiv
-and
-.Pa /etc/shosts.equiv 
-are still used.  The default is 
-.Dq no .
-.It Cm KeepAlive
-Specifies whether the system should send keepalive messages to the
-other side.  If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.  However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.  On the other hand, if keepalives are not send,
-sessions may hang indefinitely on the server, leaving
-.Dq ghost
-users and consuming server resources.
-.Pp
-The default is
-.Dq yes
-(to send keepalives), and the server will notice
-if the network goes down or the client host reboots.  This avoids
-infinitely hanging sessions.
-.Pp
-To disable keepalives, the value should be set to
-.Dq no
-in both the server and the client configuration files.
-.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed. This can
-be in the form of a Kerberos ticket, or if
-.Cm PasswordAuthentication
-is yes, the password provided by the user will be validated through
-the Kerberos KDC. Default is
-.Dq yes .
-.It Cm KerberosOrLocalPasswd
-If set then if password authentication through Kerberos fails then
-the password will be validated via any additional local mechanism
-such as
-.Pa /etc/passwd
-or SecurID. Default is
-.Dq yes .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is 
-.Dq no ,
-as this only works when the Kerberos KDC is actually an AFS kaserver.
-.It Cm KerberosTicketCleanup
-Specifies whether to automatically destroy the user's ticket cache
-file on logout. Default is
-.Dq yes .
-.It Cm KeyRegenerationInterval
-The server key is automatically regenerated after this many seconds
-(if it has been used).  The purpose of regeneration is to prevent
-decrypting captured sessions by later breaking into the machine and
-stealing the keys.  The key is never stored anywhere.  If the value is
-0, the key is never regenerated.  The default is 3600
-(seconds).
-.It Cm ListenAddress
-Specifies what local address
-.Nm
-should listen on.
-The default is to listen to all local addresses.
-.It Cm LoginGraceTime
-The server disconnects after this time if the user has not
-successfully logged in.  If the value is 0, there is no time limit.
-The default is 600 (seconds).
-.It Cm PasswordAuthentication
-Specifies whether password authentication is allowed.
-The default is
-.Dq yes .
-.It Cm PermitEmptyPasswords
-When password authentication is allowed, it specifies whether the
-server allows login to accounts with empty password strings.  The default
-is
-.Dq yes .
-.It Cm PermitRootLogin
-Specifies whether the root can log in using
-.Xr ssh 1 .
-The argument must be
-.Dq yes ,
-.Dq without-password
-or
-.Dq no .
-The default is
-.Dq yes .
-If this options is set to
-.Dq without-password
-only password authentication is disabled for root.
-.Pp
-Root login with RSA authentication when the
-.Ar command
-option has been
-specified will be allowed regardless of the value of this setting
-(which may be useful for taking remote backups even if root login is
-normally not allowed).
-.It Cm Port
-Specifies the port number that
-.Nm
-listens on.  The default is 22.
-.It Cm PrintMotd
-Specifies whether
-.Nm
-should print 
-.Pa /etc/motd
-when a user logs in interactively.  (On some systems it is also
-printed by the shell,
-.Pa /etc/profile ,
-or equivalent.)  The default is
-.Dq yes .
-.It Cm QuietMode
-Specifies whether the system runs in quiet mode.  In quiet mode,
-nothing is logged in the system log, except fatal errors.  The default
-is
-.Dq no .
-.It Cm RandomSeed
-Obsolete.  Random number generation uses other techniques.
-.It Cm RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
-files is sufficient.  Normally, this method should not be permitted
-because it is insecure. 
-.Cm RhostsRSAAuthentication
-should be used
-instead, because it performs RSA-based host authentication in addition
-to normal rhosts or /etc/hosts.equiv authentication.
-The default is
-.Dq no .
-.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful RSA host authentication is allowed.  The default is
-.Dq yes .
-.It Cm RSAAuthentication
-Specifies whether pure RSA authentication is allowed.  The default is
-.Dq yes .
-.It Cm ServerKeyBits
-Defines the number of bits in the server key.  The minimum value is
-512, and the default is 768.
-.It Cm SkeyAuthentication
-Specifies whether
-.Xr skey 1 
-authentication is allowed.  The default is
-.Dq yes .
-Note that s/key authentication is enabled only if
-.Cm PasswordAuthentication
-is allowed, too.
-.It Cm StrictModes
-Specifies whether
-.Nm
-should check file modes and ownership of the
-user's files and home directory before accepting login.  This
-is normally desirable because novices sometimes accidentally leave their
-directory or files world-writable.  The default is
-.Dq yes .
-.It Cm SyslogFacility
-Gives the facility code that is used when logging messages from
-.Nm sshd .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The default is AUTH.
-.It Cm UseLogin
-Specifies whether
-.Xr login 1
-is used. The default is
-.Dq no .
-.It Cm X11Forwarding
-Specifies whether X11 forwarding is permitted.  The default is
-.Dq yes .
-Note that disabling X11 forwarding does not improve security in any
-way, as users can always install their own forwarders.
-.It Cm X11DisplayOffset
-Specifies the first display number available for
-.Nm sshd Ns 's
-X11 forwarding.  This prevents
-.Nm
-from interfering with real X11 servers.
-.El
-.Sh LOGIN PROCESS
-When a user successfully logs in,
-.Nm
-does the following:
-.Bl -enum -offset indent
-.It
-If the login is on a tty, and no command has been specified,
-prints last login time and 
-.Pa /etc/motd
-(unless prevented in the configuration file or by
-.Pa $HOME/.hushlogin ;
-see the
-.Sx FILES 
-section).
-.It
-If the login is on a tty, records login time.
-.It
-Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
-(unless root).
-.It
-Changes to run with normal user privileges.
-.It
-Sets up basic environment.
-.It
-Reads
-.Pa $HOME/.ssh/environment
-if it exists.
-.It
-Changes to user's home directory.
-.It
-If
-.Pa $HOME/.ssh/rc
-exists, runs it; else if
-.Pa /etc/sshrc
-exists, runs
-it; otherwise runs xauth.  The
-.Dq rc
-files are given the X11
-authentication protocol and cookie in standard input.
-.It
-Runs user's shell or command.
-.El
-.Sh AUTHORIZED_KEYS FILE FORMAT
-The 
-.Pa $HOME/.ssh/authorized_keys
-file lists the RSA keys that are
-permitted for RSA authentication.  Each line of the file contains one
-key (empty lines and lines starting with a
-.Ql #
-are ignored as
-comments).  Each line consists of the following fields, separated by
-spaces: options, bits, exponent, modulus, comment.  The options field
-is optional; its presence is determined by whether the line starts
-with a number or not (the option field never starts with a number).
-The bits, exponent, modulus and comment fields give the RSA key; the
-comment field is not used for anything (but may be convenient for the
-user to identify the key).
-.Pp
-Note that lines in this file are usually several hundred bytes long
-(because of the size of the RSA key modulus).  You don't want to type
-them in; instead, copy the 
-.Pa identity.pub
-file and edit it.
-.Pp
-The options (if present) consists of comma-separated option
-specifications.  No spaces are permitted, except within double quotes.
-The following option specifications are supported:
-.Bl -tag -width Ds
-.It Cm from="pattern-list"
-Specifies that in addition to RSA authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-patterns ('*' and '?' serve as wildcards).  The list may also contain
-patterns negated by prefixing them with '!'; if the canonical host
-name matches a negated pattern, the key is not accepted.  The purpose
-of this option is to optionally increase security: RSA authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.  This
-additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
-.It Cm command="command"
-Specifies that the command is executed whenever this key is used for
-authentication.  The command supplied by the user (if any) is ignored.
-The command is run on a pty if the connection requests a pty;
-otherwise it is run without a tty.  A quote may be included in the
-command by quoting it with a backslash.  This option might be useful
-to restrict certain RSA keys to perform just a specific operation.  An
-example might be a key that permits remote backups but nothing
-else.  Notice that the client may specify TCP/IP and/or X11
-forwardings unless they are explicitly prohibited.
-.It Cm environment="NAME=value"
-Specifies that the string is to be added to the environment when
-logging in using this key.  Environment variables set this way
-override other default environment values.  Multiple options of this
-type are permitted.
-.It Cm no-port-forwarding
-Forbids TCP/IP forwarding when this key is used for authentication.
-Any port forward requests by the client will return an error.  This
-might be used, e.g., in connection with the
-.Cm command
-option.
-.It Cm no-X11-forwarding
-Forbids X11 forwarding when this key is used for authentication.
-Any X11 forward requests by the client will return an error.
-.It Cm no-agent-forwarding
-Forbids authentication agent forwarding when this key is used for
-authentication.
-.It Cm no-pty
-Prevents tty allocation (a request to allocate a pty will fail).
-.El
-.Ss Examples
-1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
-.Pp
-from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
-.Pp
-command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
-.Sh SSH_KNOWN_HOSTS FILE FORMAT
-The 
-.Pa /etc/ssh_known_hosts
-and 
-.Pa $HOME/.ssh/known_hosts
-files contain host public keys for all known hosts.  The global file should
-be prepared by the admistrator (optional), and the per-user file is
-maintained automatically: whenever the user connects an unknown host
-its key is added to the per-user file.  
-.Pp
-Each line in these files contains the following fields: hostnames,
-bits, exponent, modulus, comment.  The fields are separated by spaces.
-.Pp
-Hostnames is a comma-separated list of patterns ('*' and '?' act as
-wildcards); each pattern in turn is matched against the canonical host
-name (when authenticating a client) or against the user-supplied
-name (when authenticating a server).  A pattern may also be preceded
-by
-.Ql !
-to indicate negation: if the host name matches a negated
-pattern, it is not accepted (by that line) even if it matched another
-pattern on the line.
-.Pp
-Bits, exponent, and modulus are taken directly from the host key; they
-can be obtained, e.g., from
-.Pa /etc/ssh_host_key.pub .
-The optional comment field continues to the end of the line, and is not used.
-.Pp
-Lines starting with
-.Ql #
-and empty lines are ignored as comments.
-.Pp
-When performing host authentication, authentication is accepted if any
-matching line has the proper key.  It is thus permissible (but not
-recommended) to have several lines or different host keys for the same
-names.  This will inevitably happen when short forms of host names
-from different domains are put in the file.  It is possible
-that the files contain conflicting information; authentication is
-accepted if valid information can be found from either file.
-.Pp
-Note that the lines in these files are typically hundreds of characters
-long, and you definitely don't want to type in the host keys by hand.
-Rather, generate them by a script
-or by taking 
-.Pa /etc/ssh_host_key.pub
-and adding the host names at the front.
-.Ss Examples
-closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa /etc/sshd_config
-Contains configuration data for
-.Nm sshd .
-This file should be writable by root only, but it is recommended
-(though not necessary) that it be world-readable.
-.It Pa /etc/ssh_host_key
-Contains the private part of the host key.
-This file should only be owned by root, readable only by root, and not
-accessible to others.
-Note that
-.Nm
-does not start if this file is group/world-accessible.
-.It Pa /etc/ssh_host_key.pub
-Contains the public part of the host key.
-This file should be world-readable but writable only by
-root.  Its contents should match the private part.  This file is not
-really used for anything; it is only provided for the convenience of
-the user so its contents can be copied to known hosts files.
-These two files are created using
-.Xr ssh-keygen 1 .
-.It Pa /var/run/sshd.pid
-Contains the process ID of the
-.Nm
-listening for connections (if there are several daemons running
-concurrently for different ports, this contains the pid of the one
-started last).  The contents of this file are not sensitive; it can be
-world-readable.
-.It Pa $HOME/.ssh/authorized_keys
-Lists the RSA keys that can be used to log into the user's account.
-This file must be readable by root (which may on some machines imply
-it being world-readable if the user's home directory resides on an NFS
-volume).  It is recommended that it not be accessible by others.  The
-format of this file is described above.
-.It Pa /etc/ssh_known_hosts
-This file is consulted when using rhosts with RSA host
-authentication to check the public key of the host.  The key must be
-listed in this file to be accepted.
-.It Pa $HOME/.ssh/known_hosts
-The client uses this file
-and
-.Pa /etc/ssh_known_hosts
-to verify that the remote host is the one we intended to
-connect. These files should be writable only by root/the owner.
-.Pa /etc/ssh_known_hosts
-should be world-readable, and
-.Pa $HOME/.ssh/known_hosts
-can but need not be world-readable.
-.It Pa /etc/nologin
-If this file exists, 
-.Nm
-refuses to let anyone except root log in.  The contents of the file
-are displayed to anyone trying to log in, and non-root connections are
-refused.  The file should be world-readable.
-.It Pa /etc/hosts.allow, /etc/hosts.deny
-If compiled with
-.Sy LIBWRAP
-support, tcp-wrappers access controls may be defined here as described in
-.Xr hosts_access 5 .
-.It Pa $HOME/.rhosts
-This file contains host-username pairs, separated by a space, one per
-line.  The given user on the corresponding host is permitted to log in
-without password.  The same file is used by rlogind and rshd.
-The file must
-be writable only by the user; it is recommended that it not be
-accessible by others.
-.Pp
-If is also possible to use netgroups in the file.  Either host or user
-name may be of the form +@groupname to specify all hosts or all users
-in the group.
-.It Pa $HOME/.shosts
-For ssh,
-this file is exactly the same as for
-.Pa .rhosts .
-However, this file is
-not used by rlogin and rshd, so using this permits access using SSH only.
-.Pa /etc/hosts.equiv
-This file is used during
-.Pa .rhosts
-authentication.  In the
-simplest form, this file contains host names, one per line.  Users on
-those hosts are permitted to log in without a password, provided they
-have the same user name on both machines.  The host name may also be
-followed by a user name; such users are permitted to log in as
-.Em any
-user on this machine (except root).  Additionally, the syntax
-.Dq +@group
-can be used to specify netgroups.  Negated entries start with
-.Ql \&- .
-.Pp
-If the client host/user is successfully matched in this file, login is
-automatically permitted provided the client and server user names are the
-same.  Additionally, successful RSA host authentication is normally
-required.  This file must be writable only by root; it is recommended
-that it be world-readable.
-.Pp
-.Sy "Warning: It is almost never a good idea to use user names in"
-.Pa hosts.equiv .
-Beware that it really means that the named user(s) can log in as
-.Em anybody ,
-which includes bin, daemon, adm, and other accounts that own critical
-binaries and directories.  Using a user name practically grants the
-user root access.  The only valid use for user names that I can think
-of is in negative entries.
-.Pp
-Note that this warning also applies to rsh/rlogin.
-.It Pa /etc/shosts.equiv
-This is processed exactly as
-.Pa /etc/hosts.equiv .
-However, this file may be useful in environments that want to run both
-rsh/rlogin and ssh.
-.It Pa $HOME/.ssh/environment
-This file is read into the environment at login (if it exists).  It
-can only contain empty lines, comment lines (that start with
-.Ql # ) ,
-and assignment lines of the form name=value.  The file should be writable
-only by the user; it need not be readable by anyone else.
-.It Pa $HOME/.ssh/rc
-If this file exists, it is run with /bin/sh after reading the
-environment files but before starting the user's shell or command.  If
-X11 spoofing is in use, this will receive the "proto cookie" pair in
-standard input (and
-.Ev DISPLAY
-in environment).  This must call
-.Xr xauth 1
-in that case.
-.Pp
-The primary purpose of this file is to run any initialization routines
-which may be needed before the user's home directory becomes
-accessible; AFS is a particular example of such an environment.
-.Pp
-This file will probably contain some initialization code followed by
-something similar to: "if read proto cookie; then echo add $DISPLAY
-$proto $cookie | xauth -q -; fi".
-.Pp
-If this file does not exist,
-.Pa /etc/sshrc
-is run, and if that
-does not exist either, xauth is used to store the cookie.
-.Pp
-This file should be writable only by the user, and need not be
-readable by anyone else.
-.It Pa /etc/sshrc
-Like
-.Pa $HOME/.ssh/rc .
-This can be used to specify
-machine-specific login-time initializations globally.  This file
-should be writable only by root, and should be world-readable.
-.Sh AUTHOR
-Tatu Ylonen <ylo@cs.hut.fi>
-.Pp
-Information about new releases, mailing lists, and other related
-issues can be found from the SSH WWW home page:
-.Pp
-.Dl http://www.cs.hut.fi/ssh.
-.Pp
-OpenSSH
-is a derivative of the original (free) ssh 1.2.12 release, but with bugs
-removed and newer features re-added.   Rapidly after the 1.2.12 release,
-newer versions bore successively more restrictive licenses.  This version
-of OpenSSH
-.Bl -bullet
-.It
-has all components of a restrictive nature (ie. patents, see
-.Xr ssl 8 )
-directly removed from the source code; any licensed or patented components
-are chosen from
-external libraries.
-.It
-has been updated to support ssh protocol 1.5.
-.It
-contains added support for 
-.Xr kerberos 8
-authentication and ticket passing.
-.It
-supports one-time password authentication with
-.Xr skey 1 .
-.El
-.Pp
-The libraries described in
-.Xr ssl 8
-are required for proper operation.
-.Sh SEE ALSO
-.Xr rlogin 1 ,
-.Xr rsh 1 ,
-.Xr scp 1 ,
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-agent 1 ,
-.Xr ssh-keygen 1 ,
-.Xr ssl 8