gtlsshd(8)                  System Manager's Manual                 gtlsshd(8)

NAME
       gtlsshd - Server for shell over TLS

SYNOPSIS
       gtlsshd [options]

DESCRIPTION
       The gtlsshd program receives connections from gtlssh, authenticates the
       connections, and connects them to a shell or a program as requested.

       gtlsshd will listen on both SCTP and TCP sockets unless told otherwise.

       gtlsshd uses openssl public key certificate authentication in both
       directions.  When something connects, it uses standard SSL handling to
       validate itself to the user with the given key and certificate files.

       Once SSL has done its job, gtlsshd then runs an authentication protocol
       for the user on top of the SSL connection.  The user sends the
       username, and gtlsshd will use the $HOME/.gtlssh/allowed_certs
       directory to authenticate the certificate the user presents.  If the
       user doesn't have a certificate that matches the presented
       certificate, gtlsshd will attempt a normal password login if that is
       enabled.

       See "WINDOWS HACKS" in the gtlssh-keygen.1 man page for information
       about special Windows configuration.

       gtlsshd supports two-factor authentication in a number of ways.  The
       certauth gensio supports sending a second authentication token;
       gtlsshd will pick that up and use it if PAM asks for it.  If it's not
       there but PAM asks for it, gtlsshd will interactively prompt the user
       for the token unless --nointeractive is specified.

       This requires, of course, proper PAM setup.  gtlsshd also directly
       supports second authentication tokens with certificates.  You can
       specify a different PAM authentication script for logins done with
       certificates using --pam-cert-auth, which allows a second factor to be
       added for just certificate authentications.

       You can request that the other end prompt for a second-factor
       authentication token and send it along with the password by adding
       the --do-2fa option.  This will cause the other end to always ask for
       a second factor.

OPTIONS
       -p|--port port
              Use the given port instead of the default port.

       -h|--keyfile file
              Use the given file for the key instead of the default.
              Defaults to sysconfdir/gtlssh/gtlsshd.key.  On unix sysconfdir
              is generally /etc.  On Windows it is one directory up from the
              executable with /etc appended.

       -c|--certfile file
              Set the certificate to use.  Defaults to
              sysconfdir/gtlssh/gtlsshd.crt.  On unix sysconfdir is generally
              /etc.  On Windows it is one directory up from the executable
              with /etc appended.

       --permit-root
              Allow root logins.  Otherwise root or uid=0 is denied.

       --allow-password
              Allow password logins.  By default only certificate-based
              logins are allowed.  Passwords are much less secure than
              certificate logins, so their use is discouraged.

       --do-2fa
              Enable 2-factor authentication.  This means that 2-factor
              authentication is enabled in PAM for gtlssh.  This will cause
              the client end to request 2-factor data and transmit it along
              with the password.  During authentication, it is expected that
              PAM will request two authentication tokens and the first will
              be the password (if certificate authentication failed).  Note
              that this is not required to do 2-factor auth, but is useful to
              allow gtlssh to read the 2-factor data and transfer it as part
              of the login data.

       --pam-cert-auth <name>
              If the connection is authorized with a certificate, still do a
              PAM authentication, but use the given name as the program name
              for PAM to use to find the rules.  This will allow 2-factor
              auth to be done on a certificate login, as the given set of
              rules can be written to only do the second factor
              authentication part.

       --pam-service <name>
              Use the given name for the PAM service, instead of using the
              program's name.

       --use-login, --no-use-login
              Use or do not use the login program to log the user in.  Some
              systems work better with login, others work fine directly
              executing the shell.  The default depends on the system and
              should be best.

       --oneshot
              Do not fork the program at the beginning or when a connection
              is received.  This allows easier debugging of the program.

       --nodaemon
              Do not daemonize (double fork) the program.

       --nointeractive
              Disable interactive logins.  All authentication information
              must be passed in via the protocol.  This is different from
              gtlssh's view of interactive, which affects how I/O is done.
              This only affects prompting for credentials interactively.

       --nosctp
              Disable SCTP support.

       --notcp
              Disable TCP support.

       --other_acc <accepter>
              Enable the given accepter to receive connections for gtlsshd.
              This does not disable TCP or SCTP.

       -P|--pidfile file
              Create a standard pidfile using the given filename.

       -4     Do IPv4 only.

       -6     Do IPv6 only.

       -d|--debug
              Generate debugging output.  Specifying more than once increases
              the output.  This also causes syslog output to go to standard
              error.

       --version
              Print the version number and exit.

       -h|--help
              Help output.
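
       The following is an added example and is not part of gensio or of this
       man page.  It shows how the options above combine into one deployment:
       a PAM service that performs only the second-factor step for
       certificate logins (selected with --pam-cert-auth), and the gtlsshd
       argument list built around it, with root logins left denied and
       password logins off unless explicitly requested (in which case they
       get their second factor through --do-2fa).  The service name
       "gtlsshd-cert", the pidfile path and the choice of
       pam_google_authenticator.so as the OTP module are assumptions, not
       values from gensio.

```shell
#!/bin/sh
# Added example, not part of gensio or its man pages.  Assumed site choices:
# PAM service name "gtlsshd-cert", pidfile /run/gtlsshd.pid, and
# pam_google_authenticator.so as the one-time-password module.

# Print a PAM service file for certificate logins.  The certificate has
# already proved the identity, so the "auth" stack asks only for the OTP;
# account and session handling are left to the usual unix modules.
pam_cert_service() {
    cat <<'EOF'
# /etc/pam.d/gtlsshd-cert (assumed name): second factor only
auth     required   pam_google_authenticator.so
account  required   pam_unix.so
session  required   pam_unix.so
EOF
}

# Assemble the gtlsshd argument list, one argument per line so it can be
# reviewed or fed to xargs.  $1 is "yes" to also permit password logins,
# which then carry their second factor via --do-2fa; anything else keeps
# the default certificate-only policy.  --permit-root is never added, so
# root stays denied in both modes; SCTP is disabled as a site choice.
gtlsshd_args() {
    allow_pw=$1
    set -- --pam-cert-auth gtlsshd-cert --nosctp --pidfile /run/gtlsshd.pid
    if [ "$allow_pw" = yes ]; then
        set -- "$@" --allow-password --do-2fa
    fi
    printf '%s\n' "$@"
}

# Usage: write the service file, then start the daemon in the foreground.
#   pam_cert_service > /etc/pam.d/gtlsshd-cert
#   gtlsshd_args no | xargs gtlsshd --nodaemon
```

       The two modes differ only in the trailing --allow-password --do-2fa
       pair; everything else (certificate second factor, root denial,
       pidfile) is the same, which keeps the password path the strictly
       opt-in exception the --allow-password description asks for.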

SEE ALSO
       gensio(5), gtlssh(1), gtlssh-keygen(1)

KNOWN PROBLEMS
       None.

AUTHOR
       Corey Minyard <minyard@acm.org>

Server for shell over TLS         01/02/19                          gtlsshd(8)