path: root/sshd_config.0
author: Colin Watson <cjwatson@debian.org> 2005-09-14 11:27:01 +0000
committer: Colin Watson <cjwatson@debian.org> 2005-09-14 11:27:01 +0000
commit: 16704d57999d987fb8d9ba53379841a79f016d67
tree: b7ecfbd5be83f191af382f3186c39ba1843ba7a1 /sshd_config.0
parent: c8ab8ceacbe4dbdd7afea4e890d92e86282d050e
parent: a55bd782aa819b7f5ae716de000f19f4f531850e
Import OpenSSH 4.2p1.
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- sshd_config.0 504
1 files changed, 504 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0
new file mode 100644
index 000000000..d821a84b6
--- /dev/null
+++ b/sshd_config.0
@@ -0,0 +1,504 @@
1SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
2
3NAME
4 sshd_config - OpenSSH SSH daemon configuration file
5
6SYNOPSIS
7 /etc/ssh/sshd_config
8
9DESCRIPTION
10 sshd reads configuration data from /etc/ssh/sshd_config (or the file
11 specified with -f on the command line). The file contains keyword-argu-
12 ment pairs, one per line. Lines starting with `#' and empty lines are
13 interpreted as comments.
14
15 The possible keywords and their meanings are as follows (note that key-
16 words are case-insensitive and arguments are case-sensitive):
17
18 AcceptEnv
19 Specifies what environment variables sent by the client will be
20 copied into the session's environ(7). See SendEnv in
21 ssh_config(5) for how to configure the client. Note that envi-
22 ronment passing is only supported for protocol 2. Variables are
23 specified by name, which may contain the wildcard characters `*'
24 and `?'. Multiple environment variables may be separated by
25 whitespace or spread across multiple AcceptEnv directives. Be
26 warned that some environment variables could be used to bypass
27 restricted user environments. For this reason, care should be
28 taken in the use of this directive. The default is not to accept
29 any environment variables.
30
31 AddressFamily
32 Specifies which address family should be used by sshd. Valid ar-
33 guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use
34 IPv6 only). The default is ``any''.
35
36 AllowGroups
37 This keyword can be followed by a list of group name patterns,
38 separated by spaces. If specified, login is allowed only for
39 users whose primary group or supplementary group list matches one
40 of the patterns. `*' and `?' can be used as wildcards in the
41 patterns. Only group names are valid; a numerical group ID is
42 not recognized. By default, login is allowed for all groups.
43
44 AllowTcpForwarding
45 Specifies whether TCP forwarding is permitted. The default is
46 ``yes''. Note that disabling TCP forwarding does not improve se-
47 curity unless users are also denied shell access, as they can al-
48 ways install their own forwarders.
49
50 AllowUsers
51 This keyword can be followed by a list of user name patterns,
52 separated by spaces. If specified, login is allowed only for us-
53 er names that match one of the patterns. `*' and `?' can be used
54 as wildcards in the patterns. Only user names are valid; a nu-
55 merical user ID is not recognized. By default, login is allowed
56 for all users. If the pattern takes the form USER@HOST then USER
57 and HOST are separately checked, restricting logins to particular
58 users from particular hosts.
59
60 AuthorizedKeysFile
61 Specifies the file that contains the public keys that can be used
62 for user authentication. AuthorizedKeysFile may contain tokens
63 of the form %T which are substituted during connection set-up.
64 The following tokens are defined: %% is replaced by a literal
65 '%', %h is replaced by the home directory of the user being au-
66 thenticated and %u is replaced by the username of that user. Af-
67 ter expansion, AuthorizedKeysFile is taken to be an absolute path
68 or one relative to the user's home directory. The default is
69 ``.ssh/authorized_keys''.
70
71 Banner In some jurisdictions, sending a warning message before authenti-
72 cation may be relevant for getting legal protection. The con-
73 tents of the specified file are sent to the remote user before
74 authentication is allowed. This option is only available for
75 protocol version 2. By default, no banner is displayed.
76
77 ChallengeResponseAuthentication
78 Specifies whether challenge response authentication is allowed.
79 All authentication styles from login.conf(5) are supported. The
80 default is ``yes''.
81
82 Ciphers
83 Specifies the ciphers allowed for protocol version 2. Multiple
84 ciphers must be comma-separated. The supported ciphers are
85 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
86 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
87 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
88 ``cast128-cbc''. The default is
89
90 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
91 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
92 aes192-ctr,aes256-ctr''
93
94 ClientAliveCountMax
95 Sets the number of client alive messages (see above) which may be
96 sent without sshd receiving any messages back from the client.
97 If this threshold is reached while client alive messages are be-
98 ing sent, sshd will disconnect the client, terminating the ses-
99 sion. It is important to note that the use of client alive mes-
100 sages is very different from TCPKeepAlive (below). The client
101 alive messages are sent through the encrypted channel and there-
102 fore will not be spoofable. The TCP keepalive option enabled by
103 TCPKeepAlive is spoofable. The client alive mechanism is valu-
104 able when the client or server depend on knowing when a connec-
105 tion has become inactive.
106
107 The default value is 3. If ClientAliveInterval (above) is set to
108 15, and ClientAliveCountMax is left at the default, unresponsive
109 ssh clients will be disconnected after approximately 45 seconds.
110
111 ClientAliveInterval
112 Sets a timeout interval in seconds after which if no data has
113 been received from the client, sshd will send a message through
114 the encrypted channel to request a response from the client. The
115 default is 0, indicating that these messages will not be sent to
116 the client. This option applies to protocol version 2 only.
117
118 Compression
119 Specifies whether compression is allowed, or delayed until the
120 user has authenticated successfully. The argument must be
121 ``yes'', ``delayed'', or ``no''. The default is ``delayed''.
122
123 DenyGroups
124 This keyword can be followed by a list of group name patterns,
125 separated by spaces. Login is disallowed for users whose primary
126 group or supplementary group list matches one of the patterns.
127 `*' and `?' can be used as wildcards in the patterns. Only group
128 names are valid; a numerical group ID is not recognized. By de-
129 fault, login is allowed for all groups.
130
131 DenyUsers
132 This keyword can be followed by a list of user name patterns,
133 separated by spaces. Login is disallowed for user names that
134 match one of the patterns. `*' and `?' can be used as wildcards
135 in the patterns. Only user names are valid; a numerical user ID
136 is not recognized. By default, login is allowed for all users.
137 If the pattern takes the form USER@HOST then USER and HOST are
138 separately checked, restricting logins to particular users from
139 particular hosts.
140
141 GatewayPorts
142 Specifies whether remote hosts are allowed to connect to ports
143 forwarded for the client. By default, sshd binds remote port
144 forwardings to the loopback address. This prevents other remote
145 hosts from connecting to forwarded ports. GatewayPorts can be
146 used to specify that sshd should allow remote port forwardings to
147 bind to non-loopback addresses, thus allowing other hosts to con-
148 nect. The argument may be ``no'' to force remote port forward-
149 ings to be available to the local host only, ``yes'' to force re-
150 mote port forwardings to bind to the wildcard address, or
151 ``clientspecified'' to allow the client to select the address to
152 which the forwarding is bound. The default is ``no''.
153
154 GSSAPIAuthentication
155 Specifies whether user authentication based on GSSAPI is allowed.
156 The default is ``no''. Note that this option applies to protocol
157 version 2 only.
158
159 GSSAPICleanupCredentials
160 Specifies whether to automatically destroy the user's credentials
161 cache on logout. The default is ``yes''. Note that this option
162 applies to protocol version 2 only.
163
164 HostbasedAuthentication
165 Specifies whether rhosts or /etc/hosts.equiv authentication to-
166 gether with successful public key client host authentication is
167 allowed (hostbased authentication). This option is similar to
168 RhostsRSAAuthentication and applies to protocol version 2 only.
169 The default is ``no''.
170
171 HostKey
172 Specifies a file containing a private host key used by SSH. The
173 default is /etc/ssh/ssh_host_key for protocol version 1, and
174 /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro-
175 tocol version 2. Note that sshd will refuse to use a file if it
176 is group/world-accessible. It is possible to have multiple host
177 key files. ``rsa1'' keys are used for version 1 and ``dsa'' or
178 ``rsa'' are used for version 2 of the SSH protocol.
179
180 IgnoreRhosts
181 Specifies that .rhosts and .shosts files will not be used in
182 RhostsRSAAuthentication or HostbasedAuthentication.
183
184 /etc/hosts.equiv and /etc/shosts.equiv are still used. The de-
185 fault is ``yes''.
186
187 IgnoreUserKnownHosts
188 Specifies whether sshd should ignore the user's
189 ~/.ssh/known_hosts during RhostsRSAAuthentication or
190 HostbasedAuthentication. The default is ``no''.
191
192 KerberosAuthentication
193 Specifies whether the password provided by the user for
194 PasswordAuthentication will be validated through the Kerberos
195 KDC. To use this option, the server needs a Kerberos servtab
196 which allows the verification of the KDC's identity. Default is
197 ``no''.
198
199 KerberosGetAFSToken
200 If AFS is active and the user has a Kerberos 5 TGT, attempt to
201 aquire an AFS token before accessing the user's home directory.
202 Default is ``no''.
203
204 KerberosOrLocalPasswd
205 If set then if password authentication through Kerberos fails
206 then the password will be validated via any additional local
207 mechanism such as /etc/passwd. Default is ``yes''.
208
209 KerberosTicketCleanup
210 Specifies whether to automatically destroy the user's ticket
211 cache file on logout. Default is ``yes''.
212
213 KeyRegenerationInterval
214 In protocol version 1, the ephemeral server key is automatically
215 regenerated after this many seconds (if it has been used). The
216 purpose of regeneration is to prevent decrypting captured ses-
217 sions by later breaking into the machine and stealing the keys.
218 The key is never stored anywhere. If the value is 0, the key is
219 never regenerated. The default is 3600 (seconds).
220
221 ListenAddress
222 Specifies the local addresses sshd should listen on. The follow-
223 ing forms may be used:
224
225 ListenAddress host|IPv4_addr|IPv6_addr
226 ListenAddress host|IPv4_addr:port
227 ListenAddress [host|IPv6_addr]:port
228
229 If port is not specified, sshd will listen on the address and all
230 prior Port options specified. The default is to listen on all
231 local addresses. Multiple ListenAddress options are permitted.
232 Additionally, any Port options must precede this option for non
233 port qualified addresses.
234
235 LoginGraceTime
236 The server disconnects after this time if the user has not suc-
237 cessfully logged in. If the value is 0, there is no time limit.
238 The default is 120 seconds.
239
240 LogLevel
241 Gives the verbosity level that is used when logging messages from
242 sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VER-
243 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
244 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
245 higher levels of debugging output. Logging with a DEBUG level
246 violates the privacy of users and is not recommended.
247
248 MACs Specifies the available MAC (message authentication code) algo-
249 rithms. The MAC algorithm is used in protocol version 2 for data
250 integrity protection. Multiple algorithms must be comma-separat-
251 ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
252 sha1-96,hmac-md5-96''.
253
254 MaxAuthTries
255 Specifies the maximum number of authentication attempts permitted
256 per connection. Once the number of failures reaches half this
257 value, additional failures are logged. The default is 6.
258
259 MaxStartups
260 Specifies the maximum number of concurrent unauthenticated con-
261 nections to the sshd daemon. Additional connections will be
262 dropped until authentication succeeds or the LoginGraceTime ex-
263 pires for a connection. The default is 10.
264
265 Alternatively, random early drop can be enabled by specifying the
266 three colon separated values ``start:rate:full'' (e.g.,
267 "10:30:60"). sshd will refuse connection attempts with a proba-
268 bility of ``rate/100'' (30%) if there are currently ``start''
269 (10) unauthenticated connections. The probability increases lin-
270 early and all connection attempts are refused if the number of
271 unauthenticated connections reaches ``full'' (60).
272
273 PasswordAuthentication
274 Specifies whether password authentication is allowed. The de-
275 fault is ``yes''.
276
277 PermitEmptyPasswords
278 When password authentication is allowed, it specifies whether the
279 server allows login to accounts with empty password strings. The
280 default is ``no''.
281
282 PermitRootLogin
283 Specifies whether root can log in using ssh(1). The argument
284 must be ``yes'', ``without-password'', ``forced-commands-only''
285 or ``no''. The default is ``yes''.
286
287 If this option is set to ``without-password'' password authenti-
288 cation is disabled for root.
289
290 If this option is set to ``forced-commands-only'' root login with
291 public key authentication will be allowed, but only if the
292 command option has been specified (which may be useful for taking
293 remote backups even if root login is normally not allowed). All
294 other authentication methods are disabled for root.
295
296 If this option is set to ``no'' root is not allowed to log in.
297
298 PermitUserEnvironment
299 Specifies whether ~/.ssh/environment and environment= options in
300 ~/.ssh/authorized_keys are processed by sshd. The default is
301 ``no''. Enabling environment processing may enable users to by-
302 pass access restrictions in some configurations using mechanisms
303 such as LD_PRELOAD.
304
305 PidFile
306 Specifies the file that contains the process ID of the sshd dae-
307 mon. The default is /var/run/sshd.pid.
308
309 Port Specifies the port number that sshd listens on. The default is
310 22. Multiple options of this type are permitted. See also
311 ListenAddress.
312
313 PrintLastLog
314 Specifies whether sshd should print the date and time of the last
315 user login when a user logs in interactively. The default is
316 ``yes''.
317
318 PrintMotd
319 Specifies whether sshd should print /etc/motd when a user logs in
320 interactively. (On some systems it is also printed by the shell,
321 /etc/profile, or equivalent.) The default is ``yes''.
322
323 Protocol
324 Specifies the protocol versions sshd supports. The possible val-
325 ues are ``1'' and ``2''. Multiple versions must be comma-sepa-
326 rated. The default is ``2,1''. Note that the order of the pro-
327 tocol list does not indicate preference, because the client se-
328 lects among multiple protocol versions offered by the server.
329 Specifying ``2,1'' is identical to ``1,2''.
330
331 PubkeyAuthentication
332 Specifies whether public key authentication is allowed. The de-
333 fault is ``yes''. Note that this option applies to protocol ver-
334 sion 2 only.
335
336 RhostsRSAAuthentication
337 Specifies whether rhosts or /etc/hosts.equiv authentication to-
338 gether with successful RSA host authentication is allowed. The
339 default is ``no''. This option applies to protocol version 1 on-
340 ly.
341
342 RSAAuthentication
343 Specifies whether pure RSA authentication is allowed. The de-
344 fault is ``yes''. This option applies to protocol version 1 on-
345 ly.
346
347 ServerKeyBits
348 Defines the number of bits in the ephemeral protocol version 1
349 server key. The minimum value is 512, and the default is 768.
350
351 StrictModes
352 Specifies whether sshd should check file modes and ownership of
353 the user's files and home directory before accepting login. This
354 is normally desirable because novices sometimes accidentally
355 leave their directory or files world-writable. The default is
356 ``yes''.
357
358 Subsystem
359 Configures an external subsystem (e.g., file transfer daemon).
360 Arguments should be a subsystem name and a command to execute up-
361 on subsystem request. The command sftp-server(8) implements the
362 ``sftp'' file transfer subsystem. By default no subsystems are
363 defined. Note that this option applies to protocol version 2 on-
364 ly.
365
366 SyslogFacility
367 Gives the facility code that is used when logging messages from
368 sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO-
369 CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
370 fault is AUTH.
371
372 TCPKeepAlive
373 Specifies whether the system should send TCP keepalive messages
374 to the other side. If they are sent, death of the connection or
375 crash of one of the machines will be properly noticed. However,
376 this means that connections will die if the route is down tem-
377 porarily, and some people find it annoying. On the other hand,
378 if TCP keepalives are not sent, sessions may hang indefinitely on
379 the server, leaving ``ghost'' users and consuming server re-
380 sources.
381
382 The default is ``yes'' (to send TCP keepalive messages), and the
383 server will notice if the network goes down or the client host
384 crashes. This avoids infinitely hanging sessions.
385
386 To disable TCP keepalive messages, the value should be set to
387 ``no''.
388
389 UseDNS Specifies whether sshd should look up the remote host name and
390 check that the resolved host name for the remote IP address maps
391 back to the very same IP address. The default is ``yes''.
392
393 UseLogin
394 Specifies whether login(1) is used for interactive login ses-
395 sions. The default is ``no''. Note that login(1) is never used
396 for remote command execution. Note also, that if this is en-
397 abled, X11Forwarding will be disabled because login(1) does not
398 know how to handle xauth(1) cookies. If UsePrivilegeSeparation
399 is specified, it will be disabled after authentication.
400
401 UsePAM Enables the Pluggable Authentication Module interface. If set to
402 ``yes'' this will enable PAM authentication using
403 ChallengeResponseAuthentication and PAM account and session mod-
404 ule processing for all authentication types.
405
406 Because PAM challenge-response authentication usually serves an
407 equivalent role to password authentication, you should disable
408 either PasswordAuthentication or ChallengeResponseAuthentication.
409
410 If UsePAM is enabled, you will not be able to run sshd(8) as a
411 non-root user. The default is ``no''.
412
413 UsePrivilegeSeparation
414 Specifies whether sshd separates privileges by creating an un-
415 privileged child process to deal with incoming network traffic.
416 After successful authentication, another process will be created
417 that has the privilege of the authenticated user. The goal of
418 privilege separation is to prevent privilege escalation by con-
419 taining any corruption within the unprivileged processes. The
420 default is ``yes''.
421
422 X11DisplayOffset
423 Specifies the first display number available for sshd's X11 for-
424 warding. This prevents sshd from interfering with real X11
425 servers. The default is 10.
426
427 X11Forwarding
428 Specifies whether X11 forwarding is permitted. The argument must
429 be ``yes'' or ``no''. The default is ``no''.
430
431 When X11 forwarding is enabled, there may be additional exposure
432 to the server and to client displays if the sshd proxy display is
433 configured to listen on the wildcard address (see X11UseLocalhost
434 below), however this is not the default. Additionally, the au-
435 thentication spoofing and authentication data verification and
436 substitution occur on the client side. The security risk of us-
437 ing X11 forwarding is that the client's X11 display server may be
438 exposed to attack when the ssh client requests forwarding (see
439 the warnings for ForwardX11 in ssh_config(5)). A system adminis-
440 trator may have a stance in which they want to protect clients
441 that may expose themselves to attack by unwittingly requesting
442 X11 forwarding, which can warrant a ``no'' setting.
443
444 Note that disabling X11 forwarding does not prevent users from
445 forwarding X11 traffic, as users can always install their own
446 forwarders. X11 forwarding is automatically disabled if UseLogin
447 is enabled.
448
449 X11UseLocalhost
450 Specifies whether sshd should bind the X11 forwarding server to
451 the loopback address or to the wildcard address. By default,
452 sshd binds the forwarding server to the loopback address and sets
453 the hostname part of the DISPLAY environment variable to
454 ``localhost''. This prevents remote hosts from connecting to the
455 proxy display. However, some older X11 clients may not function
456 with this configuration. X11UseLocalhost may be set to ``no'' to
457 specify that the forwarding server should be bound to the wild-
458 card address. The argument must be ``yes'' or ``no''. The de-
459 fault is ``yes''.
460
461 XAuthLocation
462 Specifies the full pathname of the xauth(1) program. The default
463 is /usr/X11R6/bin/xauth.
464
465 Time Formats
466 sshd command-line arguments and configuration file options that specify
467 time may be expressed using a sequence of the form: time[qualifier],
468 where time is a positive integer value and qualifier is one of the fol-
469 lowing:
470
471 <none> seconds
472 s | S seconds
473 m | M minutes
474 h | H hours
475 d | D days
476 w | W weeks
477
478 Each member of the sequence is added together to calculate the total time
479 value.
480
481 Time format examples:
482
483 600 600 seconds (10 minutes)
484 10m 10 minutes
485 1h30m 1 hour 30 minutes (90 minutes)
486
487FILES
488 /etc/ssh/sshd_config
489 Contains configuration data for sshd. This file should be
490 writable by root only, but it is recommended (though not neces-
491 sary) that it be world-readable.
492
493SEE ALSO
494 sshd(8)
495
496AUTHORS
497 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
498 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
499 de Raadt and Dug Song removed many bugs, re-added newer features and cre-
500 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
501 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
502 for privilege separation.
503
504OpenBSD 3.8 September 25, 1999 8
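Review bot: the ClientAliveCountMax entry sends the reader in the wrong direction; its "client alive messages (see above)" and "If ClientAliveInterval (above) is set to 15" both point upward, yet ClientAliveInterval is defined in the entry immediately following it, so those two cross-references should say "below" or simply name the option. The KerberosGetAFSToken entry also has "aquire" for "acquire". Because this sshd_config.0 is the pre-formatted rendering of the manual page (the "OpenBSD Programmer's Manual" header and the generated "OpenBSD 3.8 September 25, 1999" footer show that), both corrections belong in the nroff source the file is generated from, not only in this rendered copy, or they will be lost on the next regeneration.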