author | Ben Lindstrom <mouring@eviladmin.org> | 2002-06-21 00:59:05 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2002-06-21 00:59:05 +0000 |
commit | 9f04903c50089acde55ef3ea7edd35161c5eac0c (patch) | |
tree | 04d838b67cf4ce7081edc0b833d3db8c5854c34c /sshd.8 | |
parent | 402c6cc68170ee63d07c5ff4a081e113b1628445 (diff) |
- stevesk@cvs.openbsd.org 2002/06/20 19:56:07
[ssh.1 sshd.8]
move configuration file options from ssh.1/sshd.8 to
ssh_config.5/sshd_config.5; ok deraadt@ millert@
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 641 |
1 files changed, 6 insertions, 635 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.183 2002/05/29 03:06:30 stevesk Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.184 2002/06/20 19:56:07 stevesk Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -320,638 +320,8 @@ reads configuration data from | |||
320 | (or the file specified with | 320 | (or the file specified with |
321 | .Fl f | 321 | .Fl f |
322 | on the command line). | 322 | on the command line). |
323 | The file contains keyword-argument pairs, one per line. | 323 | The file format and configuration options are described in |
324 | Lines starting with | 324 | .Xr sshd_config 5 . |
325 | .Ql # | ||
326 | and empty lines are interpreted as comments. | ||
327 | .Pp | ||
328 | The possible | ||
329 | keywords and their meanings are as follows (note that | ||
330 | keywords are case-insensitive and arguments are case-sensitive): | ||
331 | .Bl -tag -width Ds | ||
332 | .It Cm AFSTokenPassing | ||
333 | Specifies whether an AFS token may be forwarded to the server. | ||
334 | Default is | ||
335 | .Dq no . | ||
336 | .It Cm AllowGroups | ||
337 | This keyword can be followed by a list of group name patterns, separated | ||
338 | by spaces. | ||
339 | If specified, login is allowed only for users whose primary | ||
340 | group or supplementary group list matches one of the patterns. | ||
341 | .Ql \&* | ||
342 | and | ||
343 | .Ql ? | ||
344 | can be used as | ||
345 | wildcards in the patterns. | ||
346 | Only group names are valid; a numerical group ID is not recognized. | ||
347 | By default, login is allowed for all groups. | ||
348 | .Pp | ||
349 | .It Cm AllowTcpForwarding | ||
350 | Specifies whether TCP forwarding is permitted. | ||
351 | The default is | ||
352 | .Dq yes . | ||
353 | Note that disabling TCP forwarding does not improve security unless | ||
354 | users are also denied shell access, as they can always install their | ||
355 | own forwarders. | ||
356 | .Pp | ||
357 | .It Cm AllowUsers | ||
358 | This keyword can be followed by a list of user name patterns, separated | ||
359 | by spaces. | ||
360 | If specified, login is allowed only for users names that | ||
361 | match one of the patterns. | ||
362 | .Ql \&* | ||
363 | and | ||
364 | .Ql ? | ||
365 | can be used as | ||
366 | wildcards in the patterns. | ||
367 | Only user names are valid; a numerical user ID is not recognized. | ||
368 | By default, login is allowed for all users. | ||
369 | If the pattern takes the form USER@HOST then USER and HOST | ||
370 | are separately checked, restricting logins to particular | ||
371 | users from particular hosts. | ||
372 | .Pp | ||
373 | .It Cm AuthorizedKeysFile | ||
374 | Specifies the file that contains the public keys that can be used | ||
375 | for user authentication. | ||
376 | .Cm AuthorizedKeysFile | ||
377 | may contain tokens of the form %T which are substituted during connection | ||
378 | set-up. The following tokens are defined: %% is replaced by a literal '%', | ||
379 | %h is replaced by the home directory of the user being authenticated and | ||
380 | %u is replaced by the username of that user. | ||
381 | After expansion, | ||
382 | .Cm AuthorizedKeysFile | ||
383 | is taken to be an absolute path or one relative to the user's home | ||
384 | directory. | ||
385 | The default is | ||
386 | .Dq .ssh/authorized_keys . | ||
387 | .It Cm Banner | ||
388 | In some jurisdictions, sending a warning message before authentication | ||
389 | may be relevant for getting legal protection. | ||
390 | The contents of the specified file are sent to the remote user before | ||
391 | authentication is allowed. | ||
392 | This option is only available for protocol version 2. | ||
393 | By default, no banner is displayed. | ||
394 | .Pp | ||
395 | .It Cm ChallengeResponseAuthentication | ||
396 | Specifies whether challenge response authentication is allowed. | ||
397 | All authentication styles from | ||
398 | .Xr login.conf 5 | ||
399 | are supported. | ||
400 | The default is | ||
401 | .Dq yes . | ||
402 | .It Cm Ciphers | ||
403 | Specifies the ciphers allowed for protocol version 2. | ||
404 | Multiple ciphers must be comma-separated. | ||
405 | The default is | ||
406 | .Pp | ||
407 | .Bd -literal | ||
408 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | ||
409 | aes192-cbc,aes256-cbc'' | ||
410 | .Ed | ||
411 | .It Cm ClientAliveInterval | ||
412 | Sets a timeout interval in seconds after which if no data has been received | ||
413 | from the client, | ||
414 | .Nm | ||
415 | will send a message through the encrypted | ||
416 | channel to request a response from the client. | ||
417 | The default | ||
418 | is 0, indicating that these messages will not be sent to the client. | ||
419 | This option applies to protocol version 2 only. | ||
420 | .It Cm ClientAliveCountMax | ||
421 | Sets the number of client alive messages (see above) which may be | ||
422 | sent without | ||
423 | .Nm | ||
424 | receiving any messages back from the client. If this threshold is | ||
425 | reached while client alive messages are being sent, | ||
426 | .Nm | ||
427 | will disconnect the client, terminating the session. It is important | ||
428 | to note that the use of client alive messages is very different from | ||
429 | .Cm KeepAlive | ||
430 | (below). The client alive messages are sent through the | ||
431 | encrypted channel and therefore will not be spoofable. The TCP keepalive | ||
432 | option enabled by | ||
433 | .Cm KeepAlive | ||
434 | is spoofable. The client alive mechanism is valuable when the client or | ||
435 | server depend on knowing when a connection has become inactive. | ||
436 | .Pp | ||
437 | The default value is 3. If | ||
438 | .Cm ClientAliveInterval | ||
439 | (above) is set to 15, and | ||
440 | .Cm ClientAliveCountMax | ||
441 | is left at the default, unresponsive ssh clients | ||
442 | will be disconnected after approximately 45 seconds. | ||
443 | .It Cm DenyGroups | ||
444 | This keyword can be followed by a list of group name patterns, separated | ||
445 | by spaces. | ||
446 | Login is disallowed for users whose primary group or supplementary | ||
447 | group list matches one of the patterns. | ||
448 | .Ql \&* | ||
449 | and | ||
450 | .Ql ? | ||
451 | can be used as | ||
452 | wildcards in the patterns. | ||
453 | Only group names are valid; a numerical group ID is not recognized. | ||
454 | By default, login is allowed for all groups. | ||
455 | .Pp | ||
456 | .It Cm DenyUsers | ||
457 | This keyword can be followed by a list of user name patterns, separated | ||
458 | by spaces. | ||
459 | Login is disallowed for user names that match one of the patterns. | ||
460 | .Ql \&* | ||
461 | and | ||
462 | .Ql ? | ||
463 | can be used as wildcards in the patterns. | ||
464 | Only user names are valid; a numerical user ID is not recognized. | ||
465 | By default, login is allowed for all users. | ||
466 | If the pattern takes the form USER@HOST then USER and HOST | ||
467 | are separately checked, restricting logins to particular | ||
468 | users from particular hosts. | ||
469 | .It Cm GatewayPorts | ||
470 | Specifies whether remote hosts are allowed to connect to ports | ||
471 | forwarded for the client. | ||
472 | By default, | ||
473 | .Nm | ||
474 | binds remote port forwardings to the loopback address. This | ||
475 | prevents other remote hosts from connecting to forwarded ports. | ||
476 | .Cm GatewayPorts | ||
477 | can be used to specify that | ||
478 | .Nm | ||
479 | should bind remote port forwardings to the wildcard address, | ||
480 | thus allowing remote hosts to connect to forwarded ports. | ||
481 | The argument must be | ||
482 | .Dq yes | ||
483 | or | ||
484 | .Dq no . | ||
485 | The default is | ||
486 | .Dq no . | ||
487 | .It Cm HostbasedAuthentication | ||
488 | Specifies whether rhosts or /etc/hosts.equiv authentication together | ||
489 | with successful public key client host authentication is allowed | ||
490 | (hostbased authentication). | ||
491 | This option is similar to | ||
492 | .Cm RhostsRSAAuthentication | ||
493 | and applies to protocol version 2 only. | ||
494 | The default is | ||
495 | .Dq no . | ||
496 | .It Cm HostKey | ||
497 | Specifies a file containing a private host key | ||
498 | used by SSH. | ||
499 | The default is | ||
500 | .Pa /etc/ssh/ssh_host_key | ||
501 | for protocol version 1, and | ||
502 | .Pa /etc/ssh/ssh_host_rsa_key | ||
503 | and | ||
504 | .Pa /etc/ssh/ssh_host_dsa_key | ||
505 | for protocol version 2. | ||
506 | Note that | ||
507 | .Nm | ||
508 | will refuse to use a file if it is group/world-accessible. | ||
509 | It is possible to have multiple host key files. | ||
510 | .Dq rsa1 | ||
511 | keys are used for version 1 and | ||
512 | .Dq dsa | ||
513 | or | ||
514 | .Dq rsa | ||
515 | are used for version 2 of the SSH protocol. | ||
516 | .It Cm IgnoreRhosts | ||
517 | Specifies that | ||
518 | .Pa .rhosts | ||
519 | and | ||
520 | .Pa .shosts | ||
521 | files will not be used in | ||
522 | .Cm RhostsAuthentication , | ||
523 | .Cm RhostsRSAAuthentication | ||
524 | or | ||
525 | .Cm HostbasedAuthentication . | ||
526 | .Pp | ||
527 | .Pa /etc/hosts.equiv | ||
528 | and | ||
529 | .Pa /etc/shosts.equiv | ||
530 | are still used. | ||
531 | The default is | ||
532 | .Dq yes . | ||
533 | .It Cm IgnoreUserKnownHosts | ||
534 | Specifies whether | ||
535 | .Nm | ||
536 | should ignore the user's | ||
537 | .Pa $HOME/.ssh/known_hosts | ||
538 | during | ||
539 | .Cm RhostsRSAAuthentication | ||
540 | or | ||
541 | .Cm HostbasedAuthentication . | ||
542 | The default is | ||
543 | .Dq no . | ||
544 | .It Cm KeepAlive | ||
545 | Specifies whether the system should send TCP keepalive messages to the | ||
546 | other side. | ||
547 | If they are sent, death of the connection or crash of one | ||
548 | of the machines will be properly noticed. | ||
549 | However, this means that | ||
550 | connections will die if the route is down temporarily, and some people | ||
551 | find it annoying. | ||
552 | On the other hand, if keepalives are not sent, | ||
553 | sessions may hang indefinitely on the server, leaving | ||
554 | .Dq ghost | ||
555 | users and consuming server resources. | ||
556 | .Pp | ||
557 | The default is | ||
558 | .Dq yes | ||
559 | (to send keepalives), and the server will notice | ||
560 | if the network goes down or the client host crashes. | ||
561 | This avoids infinitely hanging sessions. | ||
562 | .Pp | ||
563 | To disable keepalives, the value should be set to | ||
564 | .Dq no . | ||
565 | .It Cm KerberosAuthentication | ||
566 | Specifies whether Kerberos authentication is allowed. | ||
567 | This can be in the form of a Kerberos ticket, or if | ||
568 | .Cm PasswordAuthentication | ||
569 | is yes, the password provided by the user will be validated through | ||
570 | the Kerberos KDC. | ||
571 | To use this option, the server needs a | ||
572 | Kerberos servtab which allows the verification of the KDC's identity. | ||
573 | Default is | ||
574 | .Dq no . | ||
575 | .It Cm KerberosOrLocalPasswd | ||
576 | If set then if password authentication through Kerberos fails then | ||
577 | the password will be validated via any additional local mechanism | ||
578 | such as | ||
579 | .Pa /etc/passwd . | ||
580 | Default is | ||
581 | .Dq yes . | ||
582 | .It Cm KerberosTgtPassing | ||
583 | Specifies whether a Kerberos TGT may be forwarded to the server. | ||
584 | Default is | ||
585 | .Dq no , | ||
586 | as this only works when the Kerberos KDC is actually an AFS kaserver. | ||
587 | .It Cm KerberosTicketCleanup | ||
588 | Specifies whether to automatically destroy the user's ticket cache | ||
589 | file on logout. | ||
590 | Default is | ||
591 | .Dq yes . | ||
592 | .It Cm KeyRegenerationInterval | ||
593 | In protocol version 1, the ephemeral server key is automatically regenerated | ||
594 | after this many seconds (if it has been used). | ||
595 | The purpose of regeneration is to prevent | ||
596 | decrypting captured sessions by later breaking into the machine and | ||
597 | stealing the keys. | ||
598 | The key is never stored anywhere. | ||
599 | If the value is 0, the key is never regenerated. | ||
600 | The default is 3600 (seconds). | ||
601 | .It Cm ListenAddress | ||
602 | Specifies the local addresses | ||
603 | .Nm | ||
604 | should listen on. | ||
605 | The following forms may be used: | ||
606 | .Pp | ||
607 | .Bl -item -offset indent -compact | ||
608 | .It | ||
609 | .Cm ListenAddress | ||
610 | .Sm off | ||
611 | .Ar host No | Ar IPv4_addr No | Ar IPv6_addr | ||
612 | .Sm on | ||
613 | .It | ||
614 | .Cm ListenAddress | ||
615 | .Sm off | ||
616 | .Ar host No | Ar IPv4_addr No : Ar port | ||
617 | .Sm on | ||
618 | .It | ||
619 | .Cm ListenAddress | ||
620 | .Sm off | ||
621 | .Oo | ||
622 | .Ar host No | Ar IPv6_addr Oc : Ar port | ||
623 | .Sm on | ||
624 | .El | ||
625 | .Pp | ||
626 | If | ||
627 | .Ar port | ||
628 | is not specified, | ||
629 | .Nm | ||
630 | will listen on the address and all prior | ||
631 | .Cm Port | ||
632 | options specified. The default is to listen on all local | ||
633 | addresses. Multiple | ||
634 | .Cm ListenAddress | ||
635 | options are permitted. Additionally, any | ||
636 | .Cm Port | ||
637 | options must precede this option for non port qualified addresses. | ||
638 | .It Cm LoginGraceTime | ||
639 | The server disconnects after this time if the user has not | ||
640 | successfully logged in. | ||
641 | If the value is 0, there is no time limit. | ||
642 | The default is 600 (seconds). | ||
643 | .It Cm LogLevel | ||
644 | Gives the verbosity level that is used when logging messages from | ||
645 | .Nm sshd . | ||
646 | The possible values are: | ||
647 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. | ||
648 | The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 | ||
649 | and DEBUG3 each specify higher levels of debugging output. | ||
650 | Logging with a DEBUG level violates the privacy of users | ||
651 | and is not recommended. | ||
652 | .It Cm MACs | ||
653 | Specifies the available MAC (message authentication code) algorithms. | ||
654 | The MAC algorithm is used in protocol version 2 | ||
655 | for data integrity protection. | ||
656 | Multiple algorithms must be comma-separated. | ||
657 | The default is | ||
658 | .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . | ||
659 | .It Cm MaxStartups | ||
660 | Specifies the maximum number of concurrent unauthenticated connections to the | ||
661 | .Nm | ||
662 | daemon. | ||
663 | Additional connections will be dropped until authentication succeeds or the | ||
664 | .Cm LoginGraceTime | ||
665 | expires for a connection. | ||
666 | The default is 10. | ||
667 | .Pp | ||
668 | Alternatively, random early drop can be enabled by specifying | ||
669 | the three colon separated values | ||
670 | .Dq start:rate:full | ||
671 | (e.g., "10:30:60"). | ||
672 | .Nm | ||
673 | will refuse connection attempts with a probability of | ||
674 | .Dq rate/100 | ||
675 | (30%) | ||
676 | if there are currently | ||
677 | .Dq start | ||
678 | (10) | ||
679 | unauthenticated connections. | ||
680 | The probability increases linearly and all connection attempts | ||
681 | are refused if the number of unauthenticated connections reaches | ||
682 | .Dq full | ||
683 | (60). | ||
684 | .It Cm PAMAuthenticationViaKbdInt | ||
685 | Specifies whether PAM challenge response authentication is allowed. This | ||
686 | allows the use of most PAM challenge response authentication modules, but | ||
687 | it will allow password authentication regardless of whether | ||
688 | .Cm PasswordAuthentication | ||
689 | is disabled. | ||
690 | The default is | ||
691 | .Dq no . | ||
692 | .It Cm PasswordAuthentication | ||
693 | Specifies whether password authentication is allowed. | ||
694 | The default is | ||
695 | .Dq yes . | ||
696 | .It Cm PermitEmptyPasswords | ||
697 | When password authentication is allowed, it specifies whether the | ||
698 | server allows login to accounts with empty password strings. | ||
699 | The default is | ||
700 | .Dq no . | ||
701 | .It Cm PermitRootLogin | ||
702 | Specifies whether root can login using | ||
703 | .Xr ssh 1 . | ||
704 | The argument must be | ||
705 | .Dq yes , | ||
706 | .Dq without-password , | ||
707 | .Dq forced-commands-only | ||
708 | or | ||
709 | .Dq no . | ||
710 | The default is | ||
711 | .Dq yes . | ||
712 | .Pp | ||
713 | If this option is set to | ||
714 | .Dq without-password | ||
715 | password authentication is disabled for root. | ||
716 | .Pp | ||
717 | If this option is set to | ||
718 | .Dq forced-commands-only | ||
719 | root login with public key authentication will be allowed, | ||
720 | but only if the | ||
721 | .Ar command | ||
722 | option has been specified | ||
723 | (which may be useful for taking remote backups even if root login is | ||
724 | normally not allowed). All other authentication methods are disabled | ||
725 | for root. | ||
726 | .Pp | ||
727 | If this option is set to | ||
728 | .Dq no | ||
729 | root is not allowed to login. | ||
730 | .It Cm PidFile | ||
731 | Specifies the file that contains the process identifier of the | ||
732 | .Nm | ||
733 | daemon. | ||
734 | The default is | ||
735 | .Pa /var/run/sshd.pid . | ||
736 | .It Cm Port | ||
737 | Specifies the port number that | ||
738 | .Nm | ||
739 | listens on. | ||
740 | The default is 22. | ||
741 | Multiple options of this type are permitted. | ||
742 | See also | ||
743 | .Cm ListenAddress . | ||
744 | .It Cm PrintLastLog | ||
745 | Specifies whether | ||
746 | .Nm | ||
747 | should print the date and time when the user last logged in. | ||
748 | The default is | ||
749 | .Dq yes . | ||
750 | .It Cm PrintMotd | ||
751 | Specifies whether | ||
752 | .Nm | ||
753 | should print | ||
754 | .Pa /etc/motd | ||
755 | when a user logs in interactively. | ||
756 | (On some systems it is also printed by the shell, | ||
757 | .Pa /etc/profile , | ||
758 | or equivalent.) | ||
759 | The default is | ||
760 | .Dq yes . | ||
761 | .It Cm Protocol | ||
762 | Specifies the protocol versions | ||
763 | .Nm | ||
764 | should support. | ||
765 | The possible values are | ||
766 | .Dq 1 | ||
767 | and | ||
768 | .Dq 2 . | ||
769 | Multiple versions must be comma-separated. | ||
770 | The default is | ||
771 | .Dq 2,1 . | ||
772 | .It Cm PubkeyAuthentication | ||
773 | Specifies whether public key authentication is allowed. | ||
774 | The default is | ||
775 | .Dq yes . | ||
776 | Note that this option applies to protocol version 2 only. | ||
777 | .It Cm RhostsAuthentication | ||
778 | Specifies whether authentication using rhosts or /etc/hosts.equiv | ||
779 | files is sufficient. | ||
780 | Normally, this method should not be permitted because it is insecure. | ||
781 | .Cm RhostsRSAAuthentication | ||
782 | should be used | ||
783 | instead, because it performs RSA-based host authentication in addition | ||
784 | to normal rhosts or /etc/hosts.equiv authentication. | ||
785 | The default is | ||
786 | .Dq no . | ||
787 | This option applies to protocol version 1 only. | ||
788 | .It Cm RhostsRSAAuthentication | ||
789 | Specifies whether rhosts or /etc/hosts.equiv authentication together | ||
790 | with successful RSA host authentication is allowed. | ||
791 | The default is | ||
792 | .Dq no . | ||
793 | This option applies to protocol version 1 only. | ||
794 | .It Cm RSAAuthentication | ||
795 | Specifies whether pure RSA authentication is allowed. | ||
796 | The default is | ||
797 | .Dq yes . | ||
798 | This option applies to protocol version 1 only. | ||
799 | .It Cm ServerKeyBits | ||
800 | Defines the number of bits in the ephemeral protocol version 1 server key. | ||
801 | The minimum value is 512, and the default is 768. | ||
802 | .It Cm StrictModes | ||
803 | Specifies whether | ||
804 | .Nm | ||
805 | should check file modes and ownership of the | ||
806 | user's files and home directory before accepting login. | ||
807 | This is normally desirable because novices sometimes accidentally leave their | ||
808 | directory or files world-writable. | ||
809 | The default is | ||
810 | .Dq yes . | ||
811 | .It Cm Subsystem | ||
812 | Configures an external subsystem (e.g., file transfer daemon). | ||
813 | Arguments should be a subsystem name and a command to execute upon subsystem | ||
814 | request. | ||
815 | The command | ||
816 | .Xr sftp-server 8 | ||
817 | implements the | ||
818 | .Dq sftp | ||
819 | file transfer subsystem. | ||
820 | By default no subsystems are defined. | ||
821 | Note that this option applies to protocol version 2 only. | ||
822 | .It Cm SyslogFacility | ||
823 | Gives the facility code that is used when logging messages from | ||
824 | .Nm sshd . | ||
825 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, | ||
826 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. | ||
827 | The default is AUTH. | ||
828 | .It Cm UseLogin | ||
829 | Specifies whether | ||
830 | .Xr login 1 | ||
831 | is used for interactive login sessions. | ||
832 | The default is | ||
833 | .Dq no . | ||
834 | Note that | ||
835 | .Xr login 1 | ||
836 | is never used for remote command execution. | ||
837 | Note also, that if this is enabled, | ||
838 | .Cm X11Forwarding | ||
839 | will be disabled because | ||
840 | .Xr login 1 | ||
841 | does not know how to handle | ||
842 | .Xr xauth 1 | ||
843 | cookies. If | ||
844 | .Cm UsePrivilegeSeparation | ||
845 | is specified, it will be disabled after authentication. | ||
846 | .It Cm UsePrivilegeSeparation | ||
847 | Specifies whether | ||
848 | .Nm | ||
849 | separated privileges by creating an unprivileged child process | ||
850 | to deal with incoming network traffic. After successful authentication, | ||
851 | another process will be created that has the privilege of the authenticated | ||
852 | user. The goal of privilege separation is to prevent privilege | ||
853 | escalation by containing any corruption within the unprivileged processes. | ||
854 | The default is | ||
855 | .Dq yes . | ||
856 | .It Cm VerifyReverseMapping | ||
857 | Specifies whether | ||
858 | .Nm | ||
859 | should try to verify the remote host name and check that | ||
860 | the resolved host name for the remote IP address maps back to the | ||
861 | very same IP address. | ||
862 | The default is | ||
863 | .Dq no . | ||
864 | .It Cm X11DisplayOffset | ||
865 | Specifies the first display number available for | ||
866 | .Nm sshd Ns 's | ||
867 | X11 forwarding. | ||
868 | This prevents | ||
869 | .Nm | ||
870 | from interfering with real X11 servers. | ||
871 | The default is 10. | ||
872 | .It Cm X11Forwarding | ||
873 | Specifies whether X11 forwarding is permitted. | ||
874 | The default is | ||
875 | .Dq no . | ||
876 | Note that disabling X11 forwarding does not improve security in any | ||
877 | way, as users can always install their own forwarders. | ||
878 | X11 forwarding is automatically disabled if | ||
879 | .Cm UseLogin | ||
880 | is enabled. | ||
881 | .It Cm X11UseLocalhost | ||
882 | Specifies whether | ||
883 | .Nm | ||
884 | should bind the X11 forwarding server to the loopback address or to | ||
885 | the wildcard address. By default, | ||
886 | .Nm | ||
887 | binds the forwarding server to the loopback address and sets the | ||
888 | hostname part of the | ||
889 | .Ev DISPLAY | ||
890 | environment variable to | ||
891 | .Dq localhost . | ||
892 | This prevents remote hosts from connecting to the fake display. | ||
893 | However, some older X11 clients may not function with this | ||
894 | configuration. | ||
895 | .Cm X11UseLocalhost | ||
896 | may be set to | ||
897 | .Dq no | ||
898 | to specify that the forwarding server should be bound to the wildcard | ||
899 | address. | ||
900 | The argument must be | ||
901 | .Dq yes | ||
902 | or | ||
903 | .Dq no . | ||
904 | The default is | ||
905 | .Dq yes . | ||
906 | .It Cm XAuthLocation | ||
907 | Specifies the location of the | ||
908 | .Xr xauth 1 | ||
909 | program. | ||
910 | The default is | ||
911 | .Pa /usr/X11R6/bin/xauth . | ||
912 | .El | ||
913 | .Ss Time Formats | ||
914 | .Pp | ||
915 | .Nm | ||
916 | command-line arguments and configuration file options that specify time | ||
917 | may be expressed using a sequence of the form: | ||
918 | .Sm off | ||
919 | .Ar time Oo Ar qualifier Oc , | ||
920 | .Sm on | ||
921 | where | ||
922 | .Ar time | ||
923 | is a positive integer value and | ||
924 | .Ar qualifier | ||
925 | is one of the following: | ||
926 | .Pp | ||
927 | .Bl -tag -width Ds -compact -offset indent | ||
928 | .It Cm <none> | ||
929 | seconds | ||
930 | .It Cm s | Cm S | ||
931 | seconds | ||
932 | .It Cm m | Cm M | ||
933 | minutes | ||
934 | .It Cm h | Cm H | ||
935 | hours | ||
936 | .It Cm d | Cm D | ||
937 | days | ||
938 | .It Cm w | Cm W | ||
939 | weeks | ||
940 | .El | ||
941 | .Pp | ||
942 | Each member of the sequence is added together to calculate | ||
943 | the total time value. | ||
944 | .Pp | ||
945 | Time format examples: | ||
946 | .Pp | ||
947 | .Bl -tag -width Ds -compact -offset indent | ||
948 | .It 600 | ||
949 | 600 seconds (10 minutes) | ||
950 | .It 10m | ||
951 | 10 minutes | ||
952 | .It 1h30m | ||
953 | 1 hour 30 minutes (90 minutes) | ||
954 | .El | ||
955 | .Sh LOGIN PROCESS | 325 | .Sh LOGIN PROCESS |
956 | When a user successfully logs in, | 326 | When a user successfully logs in, |
957 | .Nm | 327 | .Nm |
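Review bot: the deletion of the Time Formats subsection (old lines 913-954) removes the only description on this page of the time syntax that old line 916 says applies to sshd's command-line arguments as well as to configuration options, while the replacement at new lines 323-324 only points readers to sshd_config(5) for "file format and configuration options". Unless the moved text is also referenced from the descriptions of the time-taking command-line flags, keep a pointer such as `.Xr sshd_config 5` there or retain the subsection here. Separately, because the diffstat is limited to sshd.8, the sshd_config.5 side of the move named in the commit message cannot be checked from this hunk; the deleted block was the only place this page documented security-relevant defaults such as PermitRootLogin `.Dq yes` (old lines 710-711) and the refusal to use group/world-accessible host key files (old line 508), so the companion change should be confirmed to land in the same commit.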
@@ -1187,8 +557,8 @@ cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | |||
1187 | .It Pa /etc/ssh/sshd_config | 557 | .It Pa /etc/ssh/sshd_config |
1188 | Contains configuration data for | 558 | Contains configuration data for |
1189 | .Nm sshd . | 559 | .Nm sshd . |
1190 | This file should be writable by root only, but it is recommended | 560 | The file format and configuration options are described in |
1191 | (though not necessary) that it be world-readable. | 561 | .Xr sshd_config 5 . |
1192 | .It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key | 562 | .It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key |
1193 | These three files contain the private parts of the host keys. | 563 | These three files contain the private parts of the host keys. |
1194 | These files should only be owned by root, readable only by root, and not | 564 | These files should only be owned by root, readable only by root, and not |
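Review bot: old lines 1190-1191 drop the ownership and permissions guidance for /etc/ssh/sshd_config ("writable by root only", "world-readable") together with the format description, but file mode belongs in this FILES entry rather than in the format reference, and the neighbouring host-key entry at lines 1193-1194 keeps exactly that kind of guidance. Suggest keeping that sentence after the new `.Xr sshd_config 5 .` cross-reference so the two entries stay consistent.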
@@ -1389,6 +759,7 @@ for privilege separation. | |||
1389 | .Xr ssh-keygen 1 , | 759 | .Xr ssh-keygen 1 , |
1390 | .Xr login.conf 5 , | 760 | .Xr login.conf 5 , |
1391 | .Xr moduli 5 , | 761 | .Xr moduli 5 , |
762 | .Xr sshd_config 5 , | ||
1392 | .Xr sftp-server 8 | 763 | .Xr sftp-server 8 |
1393 | .Rs | 764 | .Rs |
1394 | .%A T. Ylonen | 765 | .%A T. Ylonen |