In addition to the configuration files (see "Configuring the OpenSSH client ssh"), the OpenSSH client ssh also uses other files, and these are described below.
$HOME/.ssh/known_hosts
This file contains the associated host keys for all hosts on which the user has logged on, provided these keys are not contained in the /etc/ssh/ssh_known_hosts file.
The user-specific file $HOME/.ssh/known_hosts can be maintained automatically, depending on the setting of the StrictHostKeyChecking option in ssh_config (unknown hosts are entered automatically upon initial contact), or it must be supplied manually.
$HOME/.ssh/id_rsa
$HOME/.ssh/id_dsa
$HOME/.ssh/id_ecdsa
$HOME/.ssh/id_ed25519
These files contain the user’s authentication data, i.e. the private RSA, DSA, ECDSA or Ed25519 key. The files contain data which is relevant to security and may only be readable for the owner. No other users may have read, write or execute permission for the files. Note that ssh ignores private keys if these are accessible to other users. When generating the key you can specify a passphrase through which the sensitive part of the files is encrypted with AES.
$HOME/.ssh/id_rsa.pub
$HOME/.ssh/id_dsa.pub
$HOME/.ssh/id_ecdsa.pub
$HOME/.ssh/id_ed25519.pub
These files contain the public key for authentication in plaintext, in other words the public part of the files $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa, $HOME/.ssh/id_ecdsa and $HOME/.ssh/id_ed25519.
The content of the files $HOME/.ssh/id_rsa.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_ecdsa.pub and $HOME/.ssh/id_ed25519.pub should be added to the $HOME/.ssh/authorized_keys file on all computers on which users wish to authenticate themselves via RSA/DSA/ECDSA/Ed25519 and log on.
The $HOME/.ssh/id_rsa.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_ecdsa.pub and $HOME/.ssh/id_ed25519.pub files contain no sensitive data and can (but need not) be readable for everyone. As these files are never used automatically, they are not mandatory; they are offered to the user merely to simplify handling.
$HOME/.ssh/authorized_keys
This file contains all public keys (RSA/DSA/ECDSA/Ed25519) which the user can use for the login. The file format is described under sshd (8) in the OpenSSH man pages. In its simplest form, the format of $HOME/.ssh/authorized_keys corresponds to the format of the files $HOME/.ssh/id_rsa.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_ecdsa.pub and $HOME/.ssh/id_ed25519.pub.
Only the user may have write access to this file; read access by third parties is noncritical. Nevertheless, it is recommended to make the file as a whole accessible to the user only (read and write). The file should be inaccessible for all other users.
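The permission rules stated for the private key files and for $HOME/.ssh/authorized_keys can be checked with a short audit. This is an added example, not part of the manual; it assumes GNU stat (the -c '%a' form) and the file names listed above.

```shell
# Added example (not from the manual): audit the permission rules stated above.
# Assumes GNU stat: -c '%a' prints the octal mode, e.g. 600 (BSD/macOS: stat -f '%Lp').

mode_of() {
    stat -c '%a' "$1"
}

# check_private_key_mode FILE: 0 if group and others have no permission at all
# (ssh ignores a private key that is accessible to other users).
check_private_key_mode() {
    m=$(mode_of "$1") || return 2
    case "$m" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_authorized_keys_mode FILE: 0 if neither group nor others may write.
# An octal digit with the write bit set is 2, 3, 6 or 7; read by others is noncritical.
check_authorized_keys_mode() {
    m=$(mode_of "$1") || return 2
    other=${m#"${m%?}"}          # last octal digit (others)
    rest=${m%?}
    group=${rest#"${rest%?}"}    # second-to-last octal digit (group)
    case "$group$other" in
        *[2367]*) return 1 ;;
        *)        return 0 ;;
    esac
}

# audit_ssh_dir DIR: report each offending file; exit status = number of problems found.
audit_ssh_dir() {
    bad=0
    for f in "$1"/id_rsa "$1"/id_dsa "$1"/id_ecdsa "$1"/id_ed25519; do
        [ -f "$f" ] || continue
        check_private_key_mode "$f" ||
            { echo "private key accessible to others: $f"; bad=$((bad + 1)); }
    done
    if [ -f "$1/authorized_keys" ]; then
        check_authorized_keys_mode "$1/authorized_keys" ||
            { echo "authorized_keys writable by others: $1/authorized_keys"; bad=$((bad + 1)); }
    fi
    return $bad
}
```

Run `audit_ssh_dir "$HOME/.ssh"` to list the files that would be ignored by ssh or that other users could modify.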
/etc/ssh/ssh_known_hosts
This file contains a list of all host keys that are known throughout the system. The system administrator should prepare the file to incorporate the public host keys of all available computers in the organization. The file should be readable for everyone.
Each file line contains the following parts which are separated by blanks:
Name(s) of the host; multiple names for the same host are separated by commas when specified
Public key
Comment (optional).
The file format is described under sshd (8) in the OpenSSH man pages.
The client uses this file in addition to the user-specific file $HOME/.ssh/known_hosts to ensure that it is connected to the intended remote host.
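The line format just described (comma-separated host names, public key, optional comment) and the two-file lookup order can be exercised with a small lookup helper. This is an added example, not part of the manual; the sample entries it writes are constructed and contain no real keys.

```shell
# Added example (not from the manual): look a host up in known_hosts files that use
# the plain (unhashed) line format described above:
#   name1,name2,...  keytype  base64-key  [comment]
# A line may carry an @cert-authority or @revoked marker in front. Hashed names
# (HashKnownHosts yes) cannot be matched this way; use ssh-keygen -F for those.

# known_hosts_lookup FILE HOST: print "[marker] keytype key" for each matching line;
# exit status 1 when HOST occurs in no line.
known_hosts_lookup() {
    awk -v host="$2" '
        NF == 0 || $1 ~ /^#/ { next }               # blank and comment lines
        {
            i = 1
            if ($1 ~ /^@/) i = 2                     # marker present: names are in field 2
            n = split($i, names, ",")
            for (k = 1; k <= n; k++) {
                if (names[k] == host) {
                    if (i == 2) printf "%s ", $1     # hand the marker to the caller
                    print $(i + 1), $(i + 2)
                    found = 1
                    break
                }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# host_key_for HOST [USERFILE] [SYSTEMFILE]: consult the system-wide file and the
# user file, as the client does; status 1 if the host is in neither.
host_key_for() {
    user_file=${2:-$HOME/.ssh/known_hosts}
    sys_file=${3:-/etc/ssh/ssh_known_hosts}
    hit=1
    for f in "$sys_file" "$user_file"; do
        [ -r "$f" ] || continue
        known_hosts_lookup "$f" "$1" && hit=0
    done
    return $hit
}

# write_sample_known_hosts PATH: constructed sample data (placeholder key material).
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample
host1.example.com,host1,192.0.2.10 ssh-ed25519 AAAAC3sample1 admin@host1

@revoked oldhost.example.com ssh-rsa AAAAB3sample2
EOF
}
```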
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
These files contain the private parts of the host keys and are used for rhosts authentication (host-based authentication).
For rhosts authentication (see "Authentication between OpenSSH client ssh and server sshd"), ssh uses the ssh-keysign (8) utility to access the host key (ssh-keysign (8) is described in the OpenSSH man pages). ssh itself therefore does not need to run with root as its effective user ID (setuid root); by default, ssh does not run with root as its effective user ID.
$HOME/.rhosts
This file contains a list of the host/user pairs which are permissible for a login and which are required for rhosts authentication. Note that this file is also used by rlogin and rsh and is therefore not secure.
Each line in the $HOME/.rhosts file contains a host name in canonical form (as supplied by the name server) and a user name on this host. The host name and user name are separated by a blank.
If the user’s home directory is located on an NFS partition, the file may have to be readable for everyone on some computers, because the server daemon sshd reads the file as root. Furthermore, the user must be the owner of this file, and no other user may have write permission for it. For most computers the recommended permissions are read/write for the user and no access rights for all other users.
By default sshd is set so that it permits rhosts authentication only after RSA host authentication has been completed successfully. If the client’s host key does not exist in the /etc/ssh/ssh_known_hosts file on the server system, it can be stored in the $HOME/.ssh/known_hosts file. This is done most simply by using ssh to set up a connection from the server system to the client; the host key is then stored automatically in $HOME/.ssh/known_hosts.
$HOME/.shosts
This file is used in exactly the same way as $HOME/.rhosts. The $HOME/.shosts file enables rhosts authentication to be used without permitting a login via rlogin or rsh.
/etc/hosts.equiv
This file is used during rhosts authentication. It contains host names in canonical form, one host name per line. A complete description can be found under sshd (8) in the OpenSSH man pages. If the client’s host is included in the file and the user name matches on client and server, the login is permitted automatically, unless a successful RSA host authentication is also required. The RSA host authentication is usually required.
Only users with root authorization should be able to write to the file.
/etc/ssh/shosts.equiv
This file is used in exactly the same way as the /etc/hosts.equiv file. /etc/ssh/shosts.equiv can be helpful to permit a login with ssh, but not with rsh or rlogin.
/etc/ssh/sshrc
This file contains commands which ssh executes when the user logs in, before the user’s shell (or the user’s command) is started (see also the section “Login session and command execution on a remote computer”). A complete description of the /etc/ssh/sshrc file can be found under sshd (8) in the OpenSSH man pages.
$HOME/.ssh/rc
This file contains commands which ssh executes when the user logs in, before the user’s shell (or the user’s command) is started (see also the section “Login session and command execution on a remote computer”). A complete description of the $HOME/.ssh/rc file can be found under sshd (8) in the OpenSSH man pages.
$HOME/.ssh/environment
This file contains additional definitions for environment variables.