In addition to the configuration file sshd_config (see "Configuring the OpenSSH server daemon sshd"), the OpenSSH daemon sshd uses further files, some of which are described below. A complete overview of all files used by sshd can be found in the OpenSSH man pages.
$HOME/.ssh/authorized_keys
This file contains a list of all user public keys which are permitted for RSA authentication (see "Authentication between OpenSSH client ssh and server sshd"). The file must be readable by a user with root authorization and should not be accessible to other users.
Using the AuthorizedKeysFile option in the sshd_config file (see "Configuring the OpenSSH server daemon sshd") you can specify another file to handle this function.
A detailed description of the syntax and options of the $HOME/.ssh/authorized_keys file is provided in the OpenSSH man pages.
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
These files contain the private sections of the host keys and may only be owned by users with root authorization. Only users with root authorization may read these files. The files may not be accessible to anyone else. Note that sshd cannot be started if these files are accessible to the group or to everyone.
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key.pub
These files contain the public sections of the host keys and should be available for all to read, but it should only be possible for users with root authorization to overwrite them. The public sections of the host keys stored in the files should match the corresponding private sections of the host keys in the files /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key and /etc/ssh/ssh_host_ed25519_key.
These files perform no major functions. They are merely a convenience for users, who can copy their contents directly into the ssh_known_hosts files.
The files are generated automatically during installation using ssh-keygen (see the interNet Services User Guide).
/etc/ssh/moduli
This file contains Diffie-Hellman groups which are used for the “Diffie-Hellman Group Exchange”. The file format is described in moduli(5) in the OpenSSH man pages.
/var/empty
Chroot directory which is used by sshd during privilege separation in the pre-authentication phase. The directory should not contain any files and must be owned by a user with root authorization. The directory may not be owned by a group or a user without root authorization.
/var/run/sshd.pid
This file contains the process ID of the sshd which listens for connection requests at the port. If multiple sshd daemons are listening at various ports simultaneously, the file contains the ID of the last daemon started. The content of this file is not confidential and may be read by all.
/etc/nologin
If this file exists, sshd only permits users with root authorization to log in. The content of the file is shown to everyone who attempts to log in, and login attempts by users without root authorization are rejected. It should be possible for everyone to read the file.
/etc/hosts.allow, /etc/hosts.deny
These files define access controls which are performed by TCP wrappers. Further information is available under hosts_access(5) in the OpenSSH man pages.
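
The ownership and permission rules given above for the host key files and for /var/empty can be checked with a short script. This is an added example, not part of the original documentation; it assumes GNU stat and ssh-keygen are available, and the function names and the EXPECTED_UID variable are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original documentation.
# Assumptions: GNU stat (-c) and, for keys_match, ssh-keygen on PATH.
# EXPECTED_UID is a hypothetical knob (default 0 = root) so the checks
# can be tried on scratch files without root authorization.
EXPECTED_UID="${EXPECTED_UID:-0}"

owned_by_root() { [ "$(stat -c '%u' "$1")" = "$EXPECTED_UID" ]; }
# Print the file's permission bits ANDed with the octal mask in $2.
mode_bits()     { echo $(( 0$(stat -c '%a' "$1") & 0$2 )); }

# Private host key: root-owned, no permission bits for group or others.
check_private_key() {
    [ -f "$1" ] && owned_by_root "$1" && [ "$(mode_bits "$1" 077)" -eq 0 ]
}

# Public host key: root-owned, readable by all, writable by the owner only.
check_public_key() {
    [ -f "$1" ] && owned_by_root "$1" &&
        [ "$(mode_bits "$1" 004)" -ne 0 ] && [ "$(mode_bits "$1" 022)" -eq 0 ]
}

# Privilege-separation chroot: root-owned directory with no entries.
check_empty_dir() {
    [ -d "$1" ] && owned_by_root "$1" && [ -z "$(ls -A "$1")" ]
}

# The .pub file must carry the same key type and key blob as the private key.
keys_match() {
    derived=$(ssh-keygen -y -f "$1" 2>/dev/null | awk '{print $1, $2}')
    [ -n "$derived" ] && [ "$derived" = "$(awk '{print $1, $2; exit}' "$2")" ]
}

# Walk the host key pairs named on this page; print one line per finding.
audit_sshd_files() {
    dir=${1:-/etc/ssh}; chroot_dir=${2:-/var/empty}; bad=0
    for t in rsa dsa ecdsa ed25519; do
        k="$dir/ssh_host_${t}_key"
        [ -e "$k" ] || continue    # this key type is not present
        check_private_key "$k"    || { echo "FAIL private key access: $k"; bad=1; }
        check_public_key "$k.pub" || { echo "FAIL public key access: $k.pub"; bad=1; }
        keys_match "$k" "$k.pub"  || { echo "FAIL key pair mismatch: $k"; bad=1; }
    done
    check_empty_dir "$chroot_dir" || { echo "FAIL chroot directory: $chroot_dir"; bad=1; }
    return "$bad"
}
```

Call audit_sshd_files with no arguments as a user with root authorization to check /etc/ssh and /var/empty; a non-zero return status means at least one finding was printed.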