diff options
| author | Colin Watson <cjwatson@debian.org> | 2007-06-12 11:03:36 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2007-06-12 11:03:36 +0000 |
| commit | 086ea76990b1e6287c24b6db74adffd4605eb3b0 (patch) | |
| tree | 4650093038f9f66b02823fb07f49d6a4becd1667 /sshd_config.0 | |
| parent | 4ee72c71e31226c81743439fe1ed2b521b5ddb7e (diff) | |
| parent | 3e2e0ac10674d77618c4c7339e18b83ced247492 (diff) | |
Import OpenSSH 4.6p1.
Diffstat (limited to 'sshd_config.0')
| -rw-r--r-- | sshd_config.0 | 573 |
1 files changed, 573 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0 new file mode 100644 index 000000000..c9a09a4ff --- /dev/null +++ b/sshd_config.0 | |||
| @@ -0,0 +1,573 @@ | |||
| 1 | SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) | ||
| 2 | |||
| 3 | NAME | ||
| 4 | sshd_config - OpenSSH SSH daemon configuration file | ||
| 5 | |||
| 6 | SYNOPSIS | ||
| 7 | /etc/ssh/sshd_config | ||
| 8 | |||
| 9 | DESCRIPTION | ||
| 10 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file | ||
| 11 | specified with -f on the command line). The file contains keyword-argu- | ||
| 12 | ment pairs, one per line. Lines starting with `#' and empty lines are | ||
| 13 | interpreted as comments. Arguments may optionally be enclosed in double | ||
| 14 | quotes (") in order to represent arguments containing spaces. | ||
| 15 | |||
| 16 | The possible keywords and their meanings are as follows (note that key- | ||
| 17 | words are case-insensitive and arguments are case-sensitive): | ||
| 18 | |||
| 19 | AcceptEnv | ||
| 20 | Specifies what environment variables sent by the client will be | ||
| 21 | copied into the session's environ(7). See SendEnv in | ||
| 22 | ssh_config(5) for how to configure the client. Note that envi- | ||
| 23 | ronment passing is only supported for protocol 2. Variables are | ||
| 24 | specified by name, which may contain the wildcard characters `*' | ||
| 25 | and `?'. Multiple environment variables may be separated by | ||
| 26 | whitespace or spread across multiple AcceptEnv directives. Be | ||
| 27 | warned that some environment variables could be used to bypass | ||
| 28 | restricted user environments. For this reason, care should be | ||
| 29 | taken in the use of this directive. The default is not to accept | ||
| 30 | any environment variables. | ||
| 31 | |||
| 32 | AddressFamily | ||
| 33 | Specifies which address family should be used by sshd(8). Valid | ||
| 34 | arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' | ||
| 35 | (use IPv6 only). The default is ``any''. | ||
| 36 | |||
| 37 | AllowGroups | ||
| 38 | This keyword can be followed by a list of group name patterns, | ||
| 39 | separated by spaces. If specified, login is allowed only for | ||
| 40 | users whose primary group or supplementary group list matches one | ||
| 41 | of the patterns. Only group names are valid; a numerical group | ||
| 42 | ID is not recognized. By default, login is allowed for all | ||
| 43 | groups. The allow/deny directives are processed in the following | ||
| 44 | order: DenyUsers, AllowUsers, DenyGroups, and finally | ||
| 45 | AllowGroups. | ||
| 46 | |||
| 47 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
| 48 | |||
| 49 | AllowTcpForwarding | ||
| 50 | Specifies whether TCP forwarding is permitted. The default is | ||
| 51 | ``yes''. Note that disabling TCP forwarding does not improve se- | ||
| 52 | curity unless users are also denied shell access, as they can al- | ||
| 53 | ways install their own forwarders. | ||
| 54 | |||
| 55 | AllowUsers | ||
| 56 | This keyword can be followed by a list of user name patterns, | ||
| 57 | separated by spaces. If specified, login is allowed only for us- | ||
| 58 | er names that match one of the patterns. Only user names are | ||
| 59 | valid; a numerical user ID is not recognized. By default, login | ||
| 60 | is allowed for all users. If the pattern takes the form US- | ||
| 61 | ER@HOST then USER and HOST are separately checked, restricting | ||
| 62 | logins to particular users from particular hosts. The allow/deny | ||
| 63 | directives are processed in the following order: DenyUsers, | ||
| 64 | AllowUsers, DenyGroups, and finally AllowGroups. | ||
| 65 | |||
| 66 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
| 67 | |||
| 68 | AuthorizedKeysFile | ||
| 69 | Specifies the file that contains the public keys that can be used | ||
| 70 | for user authentication. AuthorizedKeysFile may contain tokens | ||
| 71 | of the form %T which are substituted during connection setup. | ||
| 72 | The following tokens are defined: %% is replaced by a literal | ||
| 73 | '%', %h is replaced by the home directory of the user being au- | ||
| 74 | thenticated, and %u is replaced by the username of that user. | ||
| 75 | After expansion, AuthorizedKeysFile is taken to be an absolute | ||
| 76 | path or one relative to the user's home directory. The default | ||
| 77 | is ``.ssh/authorized_keys''. | ||
| 78 | |||
| 79 | Banner In some jurisdictions, sending a warning message before authenti- | ||
| 80 | cation may be relevant for getting legal protection. The con- | ||
| 81 | tents of the specified file are sent to the remote user before | ||
| 82 | authentication is allowed. This option is only available for | ||
| 83 | protocol version 2. By default, no banner is displayed. | ||
| 84 | |||
| 85 | ChallengeResponseAuthentication | ||
| 86 | Specifies whether challenge-response authentication is allowed. | ||
| 87 | All authentication styles from login.conf(5) are supported. The | ||
| 88 | default is ``yes''. | ||
| 89 | |||
| 90 | Ciphers | ||
| 91 | Specifies the ciphers allowed for protocol version 2. Multiple | ||
| 92 | ciphers must be comma-separated. The supported ciphers are | ||
| 93 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | ||
| 94 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', | ||
| 95 | ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and | ||
| 96 | ``cast128-cbc''. The default is: | ||
| 97 | |||
| 98 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, | ||
| 99 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, | ||
| 100 | aes192-ctr,aes256-ctr | ||
| 101 | |||
| 102 | ClientAliveCountMax | ||
| 103 | Sets the number of client alive messages (see below) which may be | ||
| 104 | sent without sshd(8) receiving any messages back from the client. | ||
| 105 | If this threshold is reached while client alive messages are be- | ||
| 106 | ing sent, sshd will disconnect the client, terminating the ses- | ||
| 107 | sion. It is important to note that the use of client alive mes- | ||
| 108 | sages is very different from TCPKeepAlive (below). The client | ||
| 109 | alive messages are sent through the encrypted channel and there- | ||
| 110 | fore will not be spoofable. The TCP keepalive option enabled by | ||
| 111 | TCPKeepAlive is spoofable. The client alive mechanism is valu- | ||
| 112 | able when the client or server depend on knowing when a connec- | ||
| 113 | tion has become inactive. | ||
| 114 | |||
| 115 | The default value is 3. If ClientAliveInterval (see below) is | ||
| 116 | set to 15, and ClientAliveCountMax is left at the default, unre- | ||
| 117 | sponsive SSH clients will be disconnected after approximately 45 | ||
| 118 | seconds. This option applies to protocol version 2 only. | ||
| 119 | |||
| 120 | ClientAliveInterval | ||
| 121 | Sets a timeout interval in seconds after which if no data has | ||
| 122 | been received from the client, sshd(8) will send a message | ||
| 123 | through the encrypted channel to request a response from the | ||
| 124 | client. The default is 0, indicating that these messages will | ||
| 125 | not be sent to the client. This option applies to protocol ver- | ||
| 126 | sion 2 only. | ||
| 127 | |||
| 128 | Compression | ||
| 129 | Specifies whether compression is allowed, or delayed until the | ||
| 130 | user has authenticated successfully. The argument must be | ||
| 131 | ``yes'', ``delayed'', or ``no''. The default is ``delayed''. | ||
| 132 | |||
| 133 | DenyGroups | ||
| 134 | This keyword can be followed by a list of group name patterns, | ||
| 135 | separated by spaces. Login is disallowed for users whose primary | ||
| 136 | group or supplementary group list matches one of the patterns. | ||
| 137 | Only group names are valid; a numerical group ID is not recog- | ||
| 138 | nized. By default, login is allowed for all groups. The al- | ||
| 139 | low/deny directives are processed in the following order: | ||
| 140 | DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. | ||
| 141 | |||
| 142 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
| 143 | |||
| 144 | DenyUsers | ||
| 145 | This keyword can be followed by a list of user name patterns, | ||
| 146 | separated by spaces. Login is disallowed for user names that | ||
| 147 | match one of the patterns. Only user names are valid; a numeri- | ||
| 148 | cal user ID is not recognized. By default, login is allowed for | ||
| 149 | all users. If the pattern takes the form USER@HOST then USER and | ||
| 150 | HOST are separately checked, restricting logins to particular | ||
| 151 | users from particular hosts. The allow/deny directives are pro- | ||
| 152 | cessed in the following order: DenyUsers, AllowUsers, DenyGroups, | ||
| 153 | and finally AllowGroups. | ||
| 154 | |||
| 155 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
| 156 | |||
| 157 | ForceCommand | ||
| 158 | Forces the execution of the command specified by ForceCommand, | ||
| 159 | ignoring any command supplied by the client. The command is in- | ||
| 160 | voked by using the user's login shell with the -c option. This | ||
| 161 | applies to shell, command, or subsystem execution. It is most | ||
| 162 | useful inside a Match block. The command originally supplied by | ||
| 163 | the client is available in the SSH_ORIGINAL_COMMAND environment | ||
| 164 | variable. | ||
| 165 | |||
| 166 | GatewayPorts | ||
| 167 | Specifies whether remote hosts are allowed to connect to ports | ||
| 168 | forwarded for the client. By default, sshd(8) binds remote port | ||
| 169 | forwardings to the loopback address. This prevents other remote | ||
| 170 | hosts from connecting to forwarded ports. GatewayPorts can be | ||
| 171 | used to specify that sshd should allow remote port forwardings to | ||
| 172 | bind to non-loopback addresses, thus allowing other hosts to con- | ||
| 173 | nect. The argument may be ``no'' to force remote port forward- | ||
| 174 | ings to be available to the local host only, ``yes'' to force re- | ||
| 175 | mote port forwardings to bind to the wildcard address, or | ||
| 176 | ``clientspecified'' to allow the client to select the address to | ||
| 177 | which the forwarding is bound. The default is ``no''. | ||
| 178 | |||
| 179 | GSSAPIAuthentication | ||
| 180 | Specifies whether user authentication based on GSSAPI is allowed. | ||
| 181 | The default is ``no''. Note that this option applies to protocol | ||
| 182 | version 2 only. | ||
| 183 | |||
| 184 | GSSAPICleanupCredentials | ||
| 185 | Specifies whether to automatically destroy the user's credentials | ||
| 186 | cache on logout. The default is ``yes''. Note that this option | ||
| 187 | applies to protocol version 2 only. | ||
| 188 | |||
| 189 | HostbasedAuthentication | ||
| 190 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | ||
| 191 | gether with successful public key client host authentication is | ||
| 192 | allowed (host-based authentication). This option is similar to | ||
| 193 | RhostsRSAAuthentication and applies to protocol version 2 only. | ||
| 194 | The default is ``no''. | ||
| 195 | |||
| 196 | HostbasedUsesNameFromPacketOnly | ||
| 197 | Specifies whether or not the server will attempt to perform a re- | ||
| 198 | verse name lookup when matching the name in the ~/.shosts, | ||
| 199 | ~/.rhosts, and /etc/hosts.equiv files during | ||
| 200 | HostbasedAuthentication. A setting of ``yes'' means that sshd(8) | ||
| 201 | uses the name supplied by the client rather than attempting to | ||
| 202 | resolve the name from the TCP connection itself. The default is | ||
| 203 | ``no''. | ||
| 204 | |||
| 205 | HostKey | ||
| 206 | Specifies a file containing a private host key used by SSH. The | ||
| 207 | default is /etc/ssh/ssh_host_key for protocol version 1, and | ||
| 208 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | ||
| 209 | tocol version 2. Note that sshd(8) will refuse to use a file if | ||
| 210 | it is group/world-accessible. It is possible to have multiple | ||
| 211 | host key files. ``rsa1'' keys are used for version 1 and ``dsa'' | ||
| 212 | or ``rsa'' are used for version 2 of the SSH protocol. | ||
| 213 | |||
| 214 | IgnoreRhosts | ||
| 215 | Specifies that .rhosts and .shosts files will not be used in | ||
| 216 | RhostsRSAAuthentication or HostbasedAuthentication. | ||
| 217 | |||
| 218 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The de- | ||
| 219 | fault is ``yes''. | ||
| 220 | |||
| 221 | IgnoreUserKnownHosts | ||
| 222 | Specifies whether sshd(8) should ignore the user's | ||
| 223 | ~/.ssh/known_hosts during RhostsRSAAuthentication or | ||
| 224 | HostbasedAuthentication. The default is ``no''. | ||
| 225 | |||
| 226 | KerberosAuthentication | ||
| 227 | Specifies whether the password provided by the user for | ||
| 228 | PasswordAuthentication will be validated through the Kerberos | ||
| 229 | KDC. To use this option, the server needs a Kerberos servtab | ||
| 230 | which allows the verification of the KDC's identity. The default | ||
| 231 | is ``no''. | ||
| 232 | |||
| 233 | KerberosGetAFSToken | ||
| 234 | If AFS is active and the user has a Kerberos 5 TGT, attempt to | ||
| 235 | acquire an AFS token before accessing the user's home directory. | ||
| 236 | The default is ``no''. | ||
| 237 | |||
| 238 | KerberosOrLocalPasswd | ||
| 239 | If password authentication through Kerberos fails then the pass- | ||
| 240 | word will be validated via any additional local mechanism such as | ||
| 241 | /etc/passwd. The default is ``yes''. | ||
| 242 | |||
| 243 | KerberosTicketCleanup | ||
| 244 | Specifies whether to automatically destroy the user's ticket | ||
| 245 | cache file on logout. The default is ``yes''. | ||
| 246 | |||
| 247 | KeyRegenerationInterval | ||
| 248 | In protocol version 1, the ephemeral server key is automatically | ||
| 249 | regenerated after this many seconds (if it has been used). The | ||
| 250 | purpose of regeneration is to prevent decrypting captured ses- | ||
| 251 | sions by later breaking into the machine and stealing the keys. | ||
| 252 | The key is never stored anywhere. If the value is 0, the key is | ||
| 253 | never regenerated. The default is 3600 (seconds). | ||
| 254 | |||
| 255 | ListenAddress | ||
| 256 | Specifies the local addresses sshd(8) should listen on. The fol- | ||
| 257 | lowing forms may be used: | ||
| 258 | |||
| 259 | ListenAddress host|IPv4_addr|IPv6_addr | ||
| 260 | ListenAddress host|IPv4_addr:port | ||
| 261 | ListenAddress [host|IPv6_addr]:port | ||
| 262 | |||
| 263 | If port is not specified, sshd will listen on the address and all | ||
| 264 | prior Port options specified. The default is to listen on all | ||
| 265 | local addresses. Multiple ListenAddress options are permitted. | ||
| 266 | Additionally, any Port options must precede this option for non- | ||
| 267 | port qualified addresses. | ||
| 268 | |||
| 269 | LoginGraceTime | ||
| 270 | The server disconnects after this time if the user has not suc- | ||
| 271 | cessfully logged in. If the value is 0, there is no time limit. | ||
| 272 | The default is 120 seconds. | ||
| 273 | |||
| 274 | LogLevel | ||
| 275 | Gives the verbosity level that is used when logging messages from | ||
| 276 | sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, | ||
| 277 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | ||
| 278 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
| 279 | higher levels of debugging output. Logging with a DEBUG level | ||
| 280 | violates the privacy of users and is not recommended. | ||
| 281 | |||
| 282 | MACs Specifies the available MAC (message authentication code) algo- | ||
| 283 | rithms. The MAC algorithm is used in protocol version 2 for data | ||
| 284 | integrity protection. Multiple algorithms must be comma-separat- | ||
| 285 | ed. The default is: ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac- | ||
| 286 | sha1-96,hmac-md5-96''. | ||
| 287 | |||
| 288 | Match Introduces a conditional block. If all of the criteria on the | ||
| 289 | Match line are satisfied, the keywords on the following lines | ||
| 290 | override those set in the global section of the config file, un- | ||
| 291 | til either another Match line or the end of the file. The argu- | ||
| 292 | ments to Match are one or more criteria-pattern pairs. The | ||
| 293 | available criteria are User, Group, Host, and Address. Only a | ||
| 294 | subset of keywords may be used on the lines following a Match | ||
| 295 | keyword. Available keywords are AllowTcpForwarding, Banner, | ||
| 296 | ForceCommand, GatewayPorts, GSSApiAuthentication, | ||
| 297 | KbdInteractiveAuthentication, KerberosAuthentication, | ||
| 298 | PasswordAuthentication, PermitOpen, RhostsRSAAuthentication, | ||
| 299 | RSAAuthentication, X11DisplayOffset, X11Forwarding, and | ||
| 300 | X11UseLocalHost. | ||
| 301 | |||
| 302 | MaxAuthTries | ||
| 303 | Specifies the maximum number of authentication attempts permitted | ||
| 304 | per connection. Once the number of failures reaches half this | ||
| 305 | value, additional failures are logged. The default is 6. | ||
| 306 | |||
| 307 | MaxStartups | ||
| 308 | Specifies the maximum number of concurrent unauthenticated con- | ||
| 309 | nections to the SSH daemon. Additional connections will be | ||
| 310 | dropped until authentication succeeds or the LoginGraceTime ex- | ||
| 311 | pires for a connection. The default is 10. | ||
| 312 | |||
| 313 | Alternatively, random early drop can be enabled by specifying the | ||
| 314 | three colon separated values ``start:rate:full'' (e.g. | ||
| 315 | "10:30:60"). sshd(8) will refuse connection attempts with a | ||
| 316 | probability of ``rate/100'' (30%) if there are currently | ||
| 317 | ``start'' (10) unauthenticated connections. The probability in- | ||
| 318 | creases linearly and all connection attempts are refused if the | ||
| 319 | number of unauthenticated connections reaches ``full'' (60). | ||
| 320 | |||
| 321 | PasswordAuthentication | ||
| 322 | Specifies whether password authentication is allowed. The de- | ||
| 323 | fault is ``yes''. | ||
| 324 | |||
| 325 | PermitEmptyPasswords | ||
| 326 | When password authentication is allowed, it specifies whether the | ||
| 327 | server allows login to accounts with empty password strings. The | ||
| 328 | default is ``no''. | ||
| 329 | |||
| 330 | PermitOpen | ||
| 331 | Specifies the destinations to which TCP port forwarding is per- | ||
| 332 | mitted. The forwarding specification must be one of the follow- | ||
| 333 | ing forms: | ||
| 334 | |||
| 335 | PermitOpen host:port | ||
| 336 | PermitOpen IPv4_addr:port | ||
| 337 | PermitOpen [IPv6_addr]:port | ||
| 338 | |||
| 339 | Multiple forwards may be specified by separating them with | ||
| 340 | whitespace. An argument of ``any'' can be used to remove all re- | ||
| 341 | strictions and permit any forwarding requests. By default all | ||
| 342 | port forwarding requests are permitted. | ||
| 343 | |||
| 344 | PermitRootLogin | ||
| 345 | Specifies whether root can log in using ssh(1). The argument | ||
| 346 | must be ``yes'', ``without-password'', ``forced-commands-only'', | ||
| 347 | or ``no''. The default is ``yes''. | ||
| 348 | |||
| 349 | If this option is set to ``without-password'', password authenti- | ||
| 350 | cation is disabled for root. | ||
| 351 | |||
| 352 | If this option is set to ``forced-commands-only'', root login | ||
| 353 | with public key authentication will be allowed, but only if the | ||
| 354 | command option has been specified (which may be useful for taking | ||
| 355 | remote backups even if root login is normally not allowed). All | ||
| 356 | other authentication methods are disabled for root. | ||
| 357 | |||
| 358 | If this option is set to ``no'', root is not allowed to log in. | ||
| 359 | |||
| 360 | PermitTunnel | ||
| 361 | Specifies whether tun(4) device forwarding is allowed. The argu- | ||
| 362 | ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet'' | ||
| 363 | (layer 2), or ``no''. Specifying ``yes'' permits both ``point- | ||
| 364 | to-point'' and ``ethernet''. The default is ``no''. | ||
| 365 | |||
| 366 | PermitUserEnvironment | ||
| 367 | Specifies whether ~/.ssh/environment and environment= options in | ||
| 368 | ~/.ssh/authorized_keys are processed by sshd(8). The default is | ||
| 369 | ``no''. Enabling environment processing may enable users to by- | ||
| 370 | pass access restrictions in some configurations using mechanisms | ||
| 371 | such as LD_PRELOAD. | ||
| 372 | |||
| 373 | PidFile | ||
| 374 | Specifies the file that contains the process ID of the SSH dae- | ||
| 375 | mon. The default is /var/run/sshd.pid. | ||
| 376 | |||
| 377 | Port Specifies the port number that sshd(8) listens on. The default | ||
| 378 | is 22. Multiple options of this type are permitted. See also | ||
| 379 | ListenAddress. | ||
| 380 | |||
| 381 | PrintLastLog | ||
| 382 | Specifies whether sshd(8) should print the date and time of the | ||
| 383 | last user login when a user logs in interactively. The default | ||
| 384 | is ``yes''. | ||
| 385 | |||
| 386 | PrintMotd | ||
| 387 | Specifies whether sshd(8) should print /etc/motd when a user logs | ||
| 388 | in interactively. (On some systems it is also printed by the | ||
| 389 | shell, /etc/profile, or equivalent.) The default is ``yes''. | ||
| 390 | |||
| 391 | Protocol | ||
| 392 | Specifies the protocol versions sshd(8) supports. The possible | ||
| 393 | values are `1' and `2'. Multiple versions must be comma-separat- | ||
| 394 | ed. The default is ``2,1''. Note that the order of the protocol | ||
| 395 | list does not indicate preference, because the client selects | ||
| 396 | among multiple protocol versions offered by the server. Specify- | ||
| 397 | ing ``2,1'' is identical to ``1,2''. | ||
| 398 | |||
| 399 | PubkeyAuthentication | ||
| 400 | Specifies whether public key authentication is allowed. The de- | ||
| 401 | fault is ``yes''. Note that this option applies to protocol ver- | ||
| 402 | sion 2 only. | ||
| 403 | |||
| 404 | RhostsRSAAuthentication | ||
| 405 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | ||
| 406 | gether with successful RSA host authentication is allowed. The | ||
| 407 | default is ``no''. This option applies to protocol version 1 on- | ||
| 408 | ly. | ||
| 409 | |||
| 410 | RSAAuthentication | ||
| 411 | Specifies whether pure RSA authentication is allowed. The de- | ||
| 412 | fault is ``yes''. This option applies to protocol version 1 on- | ||
| 413 | ly. | ||
| 414 | |||
| 415 | ServerKeyBits | ||
| 416 | Defines the number of bits in the ephemeral protocol version 1 | ||
| 417 | server key. The minimum value is 512, and the default is 768. | ||
| 418 | |||
| 419 | StrictModes | ||
| 420 | Specifies whether sshd(8) should check file modes and ownership | ||
| 421 | of the user's files and home directory before accepting login. | ||
| 422 | This is normally desirable because novices sometimes accidentally | ||
| 423 | leave their directory or files world-writable. The default is | ||
| 424 | ``yes''. | ||
| 425 | |||
| 426 | Subsystem | ||
| 427 | Configures an external subsystem (e.g. file transfer daemon). | ||
| 428 | Arguments should be a subsystem name and a command (with optional | ||
| 429 | arguments) to execute upon subsystem request. The command | ||
| 430 | sftp-server(8) implements the ``sftp'' file transfer subsystem. | ||
| 431 | By default no subsystems are defined. Note that this option ap- | ||
| 432 | plies to protocol version 2 only. | ||
| 433 | |||
| 434 | SyslogFacility | ||
| 435 | Gives the facility code that is used when logging messages from | ||
| 436 | sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, | ||
| 437 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- | ||
| 438 | fault is AUTH. | ||
| 439 | |||
| 440 | TCPKeepAlive | ||
| 441 | Specifies whether the system should send TCP keepalive messages | ||
| 442 | to the other side. If they are sent, death of the connection or | ||
| 443 | crash of one of the machines will be properly noticed. However, | ||
| 444 | this means that connections will die if the route is down tem- | ||
| 445 | porarily, and some people find it annoying. On the other hand, | ||
| 446 | if TCP keepalives are not sent, sessions may hang indefinitely on | ||
| 447 | the server, leaving ``ghost'' users and consuming server re- | ||
| 448 | sources. | ||
| 449 | |||
| 450 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
| 451 | server will notice if the network goes down or the client host | ||
| 452 | crashes. This avoids infinitely hanging sessions. | ||
| 453 | |||
| 454 | To disable TCP keepalive messages, the value should be set to | ||
| 455 | ``no''. | ||
| 456 | |||
| 457 | UseDNS Specifies whether sshd(8) should look up the remote host name and | ||
| 458 | check that the resolved host name for the remote IP address maps | ||
| 459 | back to the very same IP address. The default is ``yes''. | ||
| 460 | |||
| 461 | UseLogin | ||
| 462 | Specifies whether login(1) is used for interactive login ses- | ||
| 463 | sions. The default is ``no''. Note that login(1) is never used | ||
| 464 | for remote command execution. Note also, that if this is en- | ||
| 465 | abled, X11Forwarding will be disabled because login(1) does not | ||
| 466 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | ||
| 467 | is specified, it will be disabled after authentication. | ||
| 468 | |||
| 469 | UsePAM Enables the Pluggable Authentication Module interface. If set to | ||
| 470 | ``yes'' this will enable PAM authentication using | ||
| 471 | ChallengeResponseAuthentication and PasswordAuthentication in ad- | ||
| 472 | dition to PAM account and session module processing for all au- | ||
| 473 | thentication types. | ||
| 474 | |||
| 475 | Because PAM challenge-response authentication usually serves an | ||
| 476 | equivalent role to password authentication, you should disable | ||
| 477 | either PasswordAuthentication or ChallengeResponseAuthentication. | ||
| 478 | |||
| 479 | If UsePAM is enabled, you will not be able to run sshd(8) as a | ||
| 480 | non-root user. The default is ``no''. | ||
| 481 | |||
| 482 | UsePrivilegeSeparation | ||
| 483 | Specifies whether sshd(8) separates privileges by creating an un- | ||
| 484 | privileged child process to deal with incoming network traffic. | ||
| 485 | After successful authentication, another process will be created | ||
| 486 | that has the privilege of the authenticated user. The goal of | ||
| 487 | privilege separation is to prevent privilege escalation by con- | ||
| 488 | taining any corruption within the unprivileged processes. The | ||
| 489 | default is ``yes''. | ||
| 490 | |||
| 491 | X11DisplayOffset | ||
| 492 | Specifies the first display number available for sshd(8)'s X11 | ||
| 493 | forwarding. This prevents sshd from interfering with real X11 | ||
| 494 | servers. The default is 10. | ||
| 495 | |||
| 496 | X11Forwarding | ||
| 497 | Specifies whether X11 forwarding is permitted. The argument must | ||
| 498 | be ``yes'' or ``no''. The default is ``no''. | ||
| 499 | |||
| 500 | When X11 forwarding is enabled, there may be additional exposure | ||
| 501 | to the server and to client displays if the sshd(8) proxy display | ||
| 502 | is configured to listen on the wildcard address (see | ||
| 503 | X11UseLocalhost below), though this is not the default. Addi- | ||
| 504 | tionally, the authentication spoofing and authentication data | ||
| 505 | verification and substitution occur on the client side. The se- | ||
| 506 | curity risk of using X11 forwarding is that the client's X11 dis- | ||
| 507 | play server may be exposed to attack when the SSH client requests | ||
| 508 | forwarding (see the warnings for ForwardX11 in ssh_config(5)). A | ||
| 509 | system administrator may have a stance in which they want to pro- | ||
| 510 | tect clients that may expose themselves to attack by unwittingly | ||
| 511 | requesting X11 forwarding, which can warrant a ``no'' setting. | ||
| 512 | |||
| 513 | Note that disabling X11 forwarding does not prevent users from | ||
| 514 | forwarding X11 traffic, as users can always install their own | ||
| 515 | forwarders. X11 forwarding is automatically disabled if UseLogin | ||
| 516 | is enabled. | ||
| 517 | |||
| 518 | X11UseLocalhost | ||
| 519 | Specifies whether sshd(8) should bind the X11 forwarding server | ||
| 520 | to the loopback address or to the wildcard address. By default, | ||
| 521 | sshd binds the forwarding server to the loopback address and sets | ||
| 522 | the hostname part of the DISPLAY environment variable to | ||
| 523 | ``localhost''. This prevents remote hosts from connecting to the | ||
| 524 | proxy display. However, some older X11 clients may not function | ||
| 525 | with this configuration. X11UseLocalhost may be set to ``no'' to | ||
| 526 | specify that the forwarding server should be bound to the wild- | ||
| 527 | card address. The argument must be ``yes'' or ``no''. The de- | ||
| 528 | fault is ``yes''. | ||
| 529 | |||
| 530 | XAuthLocation | ||
| 531 | Specifies the full pathname of the xauth(1) program. The default | ||
| 532 | is /usr/X11R6/bin/xauth. | ||
| 533 | |||
| 534 | TIME FORMATS | ||
| 535 | sshd(8) command-line arguments and configuration file options that speci- | ||
| 536 | fy time may be expressed using a sequence of the form: time[qualifier], | ||
| 537 | where time is a positive integer value and qualifier is one of the fol- | ||
| 538 | lowing: | ||
| 539 | |||
| 540 | <none> seconds | ||
| 541 | s | S seconds | ||
| 542 | m | M minutes | ||
| 543 | h | H hours | ||
| 544 | d | D days | ||
| 545 | w | W weeks | ||
| 546 | |||
| 547 | Each member of the sequence is added together to calculate the total time | ||
| 548 | value. | ||
| 549 | |||
| 550 | Time format examples: | ||
| 551 | |||
| 552 | 600 600 seconds (10 minutes) | ||
| 553 | 10m 10 minutes | ||
| 554 | 1h30m 1 hour 30 minutes (90 minutes) | ||
| 555 | |||
| 556 | FILES | ||
| 557 | /etc/ssh/sshd_config | ||
| 558 | Contains configuration data for sshd(8). This file should be | ||
| 559 | writable by root only, but it is recommended (though not neces- | ||
| 560 | sary) that it be world-readable. | ||
| 561 | |||
| 562 | SEE ALSO | ||
| 563 | sshd(8) | ||
| 564 | |||
| 565 | AUTHORS | ||
| 566 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
| 567 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
| 568 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | ||
| 569 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
| 570 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | ||
| 571 | for privilege separation. | ||
| 572 | |||
| 573 | OpenBSD 4.1 September 25, 1999 9 | ||