diff options
author | Colin Watson <cjwatson@debian.org> | 2010-01-24 21:19:46 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2010-01-24 21:19:46 +0000 |
commit | 1e4cfeee6c17b02af09418c5afe4a4d71aaaf0c8 (patch) | |
tree | 2b17a8cdc39aef9ad5cd73ecc25b3dfaa6d2267a /sshd_config.0 | |
parent | 7fe2877662d34ef04c67884cfcffce60a6444f18 (diff) | |
parent | 54af7a4ae8d455791a631bdfaade4b64436ae16a (diff) |
Import 5.3p1 tarball
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 634 |
1 files changed, 634 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0 new file mode 100644 index 000000000..9e73c5906 --- /dev/null +++ b/sshd_config.0 | |||
@@ -0,0 +1,634 @@ | |||
1 | SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | sshd_config - OpenSSH SSH daemon configuration file | ||
5 | |||
6 | SYNOPSIS | ||
7 | /etc/ssh/sshd_config | ||
8 | |||
9 | DESCRIPTION | ||
10 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file | ||
11 | specified with -f on the command line). The file contains keyword-argu- | ||
12 | ment pairs, one per line. Lines starting with `#' and empty lines are | ||
13 | interpreted as comments. Arguments may optionally be enclosed in double | ||
14 | quotes (") in order to represent arguments containing spaces. | ||
15 | |||
16 | The possible keywords and their meanings are as follows (note that key- | ||
17 | words are case-insensitive and arguments are case-sensitive): | ||
18 | |||
19 | AcceptEnv | ||
20 | Specifies what environment variables sent by the client will be | ||
21 | copied into the session's environ(7). See SendEnv in | ||
22 | ssh_config(5) for how to configure the client. Note that envi- | ||
23 | ronment passing is only supported for protocol 2. Variables are | ||
24 | specified by name, which may contain the wildcard characters `*' | ||
25 | and `?'. Multiple environment variables may be separated by | ||
26 | whitespace or spread across multiple AcceptEnv directives. Be | ||
27 | warned that some environment variables could be used to bypass | ||
28 | restricted user environments. For this reason, care should be | ||
29 | taken in the use of this directive. The default is not to accept | ||
30 | any environment variables. | ||
31 | |||
32 | AddressFamily | ||
33 | Specifies which address family should be used by sshd(8). Valid | ||
34 | arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' | ||
35 | (use IPv6 only). The default is ``any''. | ||
36 | |||
37 | AllowAgentForwarding | ||
38 | Specifies whether ssh-agent(1) forwarding is permitted. The de- | ||
39 | fault is ``yes''. Note that disabling agent forwarding does not | ||
40 | improve security unless users are also denied shell access, as | ||
41 | they can always install their own forwarders. | ||
42 | |||
43 | AllowGroups | ||
44 | This keyword can be followed by a list of group name patterns, | ||
45 | separated by spaces. If specified, login is allowed only for | ||
46 | users whose primary group or supplementary group list matches one | ||
47 | of the patterns. Only group names are valid; a numerical group | ||
48 | ID is not recognized. By default, login is allowed for all | ||
49 | groups. The allow/deny directives are processed in the following | ||
50 | order: DenyUsers, AllowUsers, DenyGroups, and finally | ||
51 | AllowGroups. | ||
52 | |||
53 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
54 | |||
55 | AllowTcpForwarding | ||
56 | Specifies whether TCP forwarding is permitted. The default is | ||
57 | ``yes''. Note that disabling TCP forwarding does not improve se- | ||
58 | curity unless users are also denied shell access, as they can al- | ||
59 | ways install their own forwarders. | ||
60 | |||
61 | AllowUsers | ||
62 | This keyword can be followed by a list of user name patterns, | ||
63 | separated by spaces. If specified, login is allowed only for us- | ||
64 | er names that match one of the patterns. Only user names are | ||
65 | valid; a numerical user ID is not recognized. By default, login | ||
66 | is allowed for all users. If the pattern takes the form US- | ||
67 | ER@HOST then USER and HOST are separately checked, restricting | ||
68 | logins to particular users from particular hosts. The allow/deny | ||
69 | directives are processed in the following order: DenyUsers, | ||
70 | AllowUsers, DenyGroups, and finally AllowGroups. | ||
71 | |||
72 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
73 | |||
74 | AuthorizedKeysFile | ||
75 | Specifies the file that contains the public keys that can be used | ||
76 | for user authentication. AuthorizedKeysFile may contain tokens | ||
77 | of the form %T which are substituted during connection setup. | ||
78 | The following tokens are defined: %% is replaced by a literal | ||
79 | '%', %h is replaced by the home directory of the user being au- | ||
80 | thenticated, and %u is replaced by the username of that user. | ||
81 | After expansion, AuthorizedKeysFile is taken to be an absolute | ||
82 | path or one relative to the user's home directory. The default | ||
83 | is ``.ssh/authorized_keys''. | ||
84 | |||
85 | Banner The contents of the specified file are sent to the remote user | ||
86 | before authentication is allowed. If the argument is ``none'' | ||
87 | then no banner is displayed. This option is only available for | ||
88 | protocol version 2. By default, no banner is displayed. | ||
89 | |||
90 | ChallengeResponseAuthentication | ||
91 | Specifies whether challenge-response authentication is allowed | ||
92 | (e.g. via PAM or though authentication styles supported in | ||
93 | login.conf(5)) The default is ``yes''. | ||
94 | |||
95 | ChrootDirectory | ||
96 | Specifies a path to chroot(2) to after authentication. This | ||
97 | path, and all its components, must be root-owned directories that | ||
98 | are not writable by any other user or group. After the chroot, | ||
99 | sshd(8) changes the working directory to the user's home directo- | ||
100 | ry. | ||
101 | |||
102 | The path may contain the following tokens that are expanded at | ||
103 | runtime once the connecting user has been authenticated: %% is | ||
104 | replaced by a literal '%', %h is replaced by the home directory | ||
105 | of the user being authenticated, and %u is replaced by the user- | ||
106 | name of that user. | ||
107 | |||
108 | The ChrootDirectory must contain the necessary files and directo- | ||
109 | ries to support the user's session. For an interactive session | ||
110 | this requires at least a shell, typically sh(1), and basic /dev | ||
111 | nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), | ||
112 | arandom(4) and tty(4) devices. For file transfer sessions using | ||
113 | ``sftp'', no additional configuration of the environment is nec- | ||
114 | essary if the in-process sftp server is used, though sessions | ||
115 | which use logging do require /dev/log inside the chroot directory | ||
116 | (see sftp-server(8) for details). | ||
117 | |||
118 | The default is not to chroot(2). | ||
119 | |||
120 | Ciphers | ||
121 | Specifies the ciphers allowed for protocol version 2. Multiple | ||
122 | ciphers must be comma-separated. The supported ciphers are | ||
123 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | ||
124 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', | ||
125 | ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and | ||
126 | ``cast128-cbc''. The default is: | ||
127 | |||
128 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, | ||
129 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, | ||
130 | aes256-cbc,arcfour | ||
131 | |||
132 | ClientAliveCountMax | ||
133 | Sets the number of client alive messages (see below) which may be | ||
134 | sent without sshd(8) receiving any messages back from the client. | ||
135 | If this threshold is reached while client alive messages are be- | ||
136 | ing sent, sshd will disconnect the client, terminating the ses- | ||
137 | sion. It is important to note that the use of client alive mes- | ||
138 | sages is very different from TCPKeepAlive (below). The client | ||
139 | alive messages are sent through the encrypted channel and there- | ||
140 | fore will not be spoofable. The TCP keepalive option enabled by | ||
141 | TCPKeepAlive is spoofable. The client alive mechanism is valu- | ||
142 | able when the client or server depend on knowing when a connec- | ||
143 | tion has become inactive. | ||
144 | |||
145 | The default value is 3. If ClientAliveInterval (see below) is | ||
146 | set to 15, and ClientAliveCountMax is left at the default, unre- | ||
147 | sponsive SSH clients will be disconnected after approximately 45 | ||
148 | seconds. This option applies to protocol version 2 only. | ||
149 | |||
150 | ClientAliveInterval | ||
151 | Sets a timeout interval in seconds after which if no data has | ||
152 | been received from the client, sshd(8) will send a message | ||
153 | through the encrypted channel to request a response from the | ||
154 | client. The default is 0, indicating that these messages will | ||
155 | not be sent to the client. This option applies to protocol ver- | ||
156 | sion 2 only. | ||
157 | |||
158 | Compression | ||
159 | Specifies whether compression is allowed, or delayed until the | ||
160 | user has authenticated successfully. The argument must be | ||
161 | ``yes'', ``delayed'', or ``no''. The default is ``delayed''. | ||
162 | |||
163 | DenyGroups | ||
164 | This keyword can be followed by a list of group name patterns, | ||
165 | separated by spaces. Login is disallowed for users whose primary | ||
166 | group or supplementary group list matches one of the patterns. | ||
167 | Only group names are valid; a numerical group ID is not recog- | ||
168 | nized. By default, login is allowed for all groups. The al- | ||
169 | low/deny directives are processed in the following order: | ||
170 | DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. | ||
171 | |||
172 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
173 | |||
174 | DenyUsers | ||
175 | This keyword can be followed by a list of user name patterns, | ||
176 | separated by spaces. Login is disallowed for user names that | ||
177 | match one of the patterns. Only user names are valid; a numeri- | ||
178 | cal user ID is not recognized. By default, login is allowed for | ||
179 | all users. If the pattern takes the form USER@HOST then USER and | ||
180 | HOST are separately checked, restricting logins to particular | ||
181 | users from particular hosts. The allow/deny directives are pro- | ||
182 | cessed in the following order: DenyUsers, AllowUsers, DenyGroups, | ||
183 | and finally AllowGroups. | ||
184 | |||
185 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
186 | |||
187 | ForceCommand | ||
188 | Forces the execution of the command specified by ForceCommand, | ||
189 | ignoring any command supplied by the client and ~/.ssh/rc if pre- | ||
190 | sent. The command is invoked by using the user's login shell | ||
191 | with the -c option. This applies to shell, command, or subsystem | ||
192 | execution. It is most useful inside a Match block. The command | ||
193 | originally supplied by the client is available in the | ||
194 | SSH_ORIGINAL_COMMAND environment variable. Specifying a command | ||
195 | of ``internal-sftp'' will force the use of an in-process sftp | ||
196 | server that requires no support files when used with | ||
197 | ChrootDirectory. | ||
198 | |||
199 | GatewayPorts | ||
200 | Specifies whether remote hosts are allowed to connect to ports | ||
201 | forwarded for the client. By default, sshd(8) binds remote port | ||
202 | forwardings to the loopback address. This prevents other remote | ||
203 | hosts from connecting to forwarded ports. GatewayPorts can be | ||
204 | used to specify that sshd should allow remote port forwardings to | ||
205 | bind to non-loopback addresses, thus allowing other hosts to con- | ||
206 | nect. The argument may be ``no'' to force remote port forward- | ||
207 | ings to be available to the local host only, ``yes'' to force re- | ||
208 | mote port forwardings to bind to the wildcard address, or | ||
209 | ``clientspecified'' to allow the client to select the address to | ||
210 | which the forwarding is bound. The default is ``no''. | ||
211 | |||
212 | GSSAPIAuthentication | ||
213 | Specifies whether user authentication based on GSSAPI is allowed. | ||
214 | The default is ``no''. Note that this option applies to protocol | ||
215 | version 2 only. | ||
216 | |||
217 | GSSAPICleanupCredentials | ||
218 | Specifies whether to automatically destroy the user's credentials | ||
219 | cache on logout. The default is ``yes''. Note that this option | ||
220 | applies to protocol version 2 only. | ||
221 | |||
222 | HostbasedAuthentication | ||
223 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | ||
224 | gether with successful public key client host authentication is | ||
225 | allowed (host-based authentication). This option is similar to | ||
226 | RhostsRSAAuthentication and applies to protocol version 2 only. | ||
227 | The default is ``no''. | ||
228 | |||
229 | HostbasedUsesNameFromPacketOnly | ||
230 | Specifies whether or not the server will attempt to perform a re- | ||
231 | verse name lookup when matching the name in the ~/.shosts, | ||
232 | ~/.rhosts, and /etc/hosts.equiv files during | ||
233 | HostbasedAuthentication. A setting of ``yes'' means that sshd(8) | ||
234 | uses the name supplied by the client rather than attempting to | ||
235 | resolve the name from the TCP connection itself. The default is | ||
236 | ``no''. | ||
237 | |||
238 | HostKey | ||
239 | Specifies a file containing a private host key used by SSH. The | ||
240 | default is /etc/ssh/ssh_host_key for protocol version 1, and | ||
241 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | ||
242 | tocol version 2. Note that sshd(8) will refuse to use a file if | ||
243 | it is group/world-accessible. It is possible to have multiple | ||
244 | host key files. ``rsa1'' keys are used for version 1 and ``dsa'' | ||
245 | or ``rsa'' are used for version 2 of the SSH protocol. | ||
246 | |||
247 | IgnoreRhosts | ||
248 | Specifies that .rhosts and .shosts files will not be used in | ||
249 | RhostsRSAAuthentication or HostbasedAuthentication. | ||
250 | |||
251 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The de- | ||
252 | fault is ``yes''. | ||
253 | |||
254 | IgnoreUserKnownHosts | ||
255 | Specifies whether sshd(8) should ignore the user's | ||
256 | ~/.ssh/known_hosts during RhostsRSAAuthentication or | ||
257 | HostbasedAuthentication. The default is ``no''. | ||
258 | |||
259 | KerberosAuthentication | ||
260 | Specifies whether the password provided by the user for | ||
261 | PasswordAuthentication will be validated through the Kerberos | ||
262 | KDC. To use this option, the server needs a Kerberos servtab | ||
263 | which allows the verification of the KDC's identity. The default | ||
264 | is ``no''. | ||
265 | |||
266 | KerberosGetAFSToken | ||
267 | If AFS is active and the user has a Kerberos 5 TGT, attempt to | ||
268 | acquire an AFS token before accessing the user's home directory. | ||
269 | The default is ``no''. | ||
270 | |||
271 | KerberosOrLocalPasswd | ||
272 | If password authentication through Kerberos fails then the pass- | ||
273 | word will be validated via any additional local mechanism such as | ||
274 | /etc/passwd. The default is ``yes''. | ||
275 | |||
276 | KerberosTicketCleanup | ||
277 | Specifies whether to automatically destroy the user's ticket | ||
278 | cache file on logout. The default is ``yes''. | ||
279 | |||
280 | KeyRegenerationInterval | ||
281 | In protocol version 1, the ephemeral server key is automatically | ||
282 | regenerated after this many seconds (if it has been used). The | ||
283 | purpose of regeneration is to prevent decrypting captured ses- | ||
284 | sions by later breaking into the machine and stealing the keys. | ||
285 | The key is never stored anywhere. If the value is 0, the key is | ||
286 | never regenerated. The default is 3600 (seconds). | ||
287 | |||
288 | ListenAddress | ||
289 | Specifies the local addresses sshd(8) should listen on. The fol- | ||
290 | lowing forms may be used: | ||
291 | |||
292 | ListenAddress host|IPv4_addr|IPv6_addr | ||
293 | ListenAddress host|IPv4_addr:port | ||
294 | ListenAddress [host|IPv6_addr]:port | ||
295 | |||
296 | If port is not specified, sshd will listen on the address and all | ||
297 | prior Port options specified. The default is to listen on all | ||
298 | local addresses. Multiple ListenAddress options are permitted. | ||
299 | Additionally, any Port options must precede this option for non- | ||
300 | port qualified addresses. | ||
301 | |||
302 | LoginGraceTime | ||
303 | The server disconnects after this time if the user has not suc- | ||
304 | cessfully logged in. If the value is 0, there is no time limit. | ||
305 | The default is 120 seconds. | ||
306 | |||
307 | LogLevel | ||
308 | Gives the verbosity level that is used when logging messages from | ||
309 | sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, | ||
310 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | ||
311 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
312 | higher levels of debugging output. Logging with a DEBUG level | ||
313 | violates the privacy of users and is not recommended. | ||
314 | |||
315 | MACs Specifies the available MAC (message authentication code) algo- | ||
316 | rithms. The MAC algorithm is used in protocol version 2 for data | ||
317 | integrity protection. Multiple algorithms must be comma-separat- | ||
318 | ed. The default is: | ||
319 | |||
320 | hmac-md5,hmac-sha1,umac-64@openssh.com, | ||
321 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | ||
322 | |||
323 | Match Introduces a conditional block. If all of the criteria on the | ||
324 | Match line are satisfied, the keywords on the following lines | ||
325 | override those set in the global section of the config file, un- | ||
326 | til either another Match line or the end of the file. | ||
327 | |||
328 | The arguments to Match are one or more criteria-pattern pairs. | ||
329 | The available criteria are User, Group, Host, and Address. The | ||
330 | match patterns may consist of single entries or comma-separated | ||
331 | lists and may use the wildcard and negation operators described | ||
332 | in the PATTERNS section of ssh_config(5). | ||
333 | |||
334 | The patterns in an Address criteria may additionally contain ad- | ||
335 | dresses to match in CIDR address/masklen format, e.g. | ||
336 | ``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask | ||
337 | length provided must be consistent with the address - it is an | ||
338 | error to specify a mask length that is too long for the address | ||
339 | or one with bits set in this host portion of the address. For | ||
340 | example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively. | ||
341 | |||
342 | Only a subset of keywords may be used on the lines following a | ||
343 | Match keyword. Available keywords are AllowAgentForwarding, | ||
344 | AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, | ||
345 | GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, | ||
346 | KbdInteractiveAuthentication, KerberosAuthentication, | ||
347 | MaxAuthTries, MaxSessions, PasswordAuthentication, | ||
348 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, | ||
349 | RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, | ||
350 | X11Forwarding and X11UseLocalHost. | ||
351 | |||
352 | MaxAuthTries | ||
353 | Specifies the maximum number of authentication attempts permitted | ||
354 | per connection. Once the number of failures reaches half this | ||
355 | value, additional failures are logged. The default is 6. | ||
356 | |||
357 | MaxSessions | ||
358 | Specifies the maximum number of open sessions permitted per net- | ||
359 | work connection. The default is 10. | ||
360 | |||
361 | MaxStartups | ||
362 | Specifies the maximum number of concurrent unauthenticated con- | ||
363 | nections to the SSH daemon. Additional connections will be | ||
364 | dropped until authentication succeeds or the LoginGraceTime ex- | ||
365 | pires for a connection. The default is 10. | ||
366 | |||
367 | Alternatively, random early drop can be enabled by specifying the | ||
368 | three colon separated values ``start:rate:full'' (e.g. | ||
369 | "10:30:60"). sshd(8) will refuse connection attempts with a | ||
370 | probability of ``rate/100'' (30%) if there are currently | ||
371 | ``start'' (10) unauthenticated connections. The probability in- | ||
372 | creases linearly and all connection attempts are refused if the | ||
373 | number of unauthenticated connections reaches ``full'' (60). | ||
374 | |||
375 | PasswordAuthentication | ||
376 | Specifies whether password authentication is allowed. The de- | ||
377 | fault is ``yes''. | ||
378 | |||
379 | PermitEmptyPasswords | ||
380 | When password authentication is allowed, it specifies whether the | ||
381 | server allows login to accounts with empty password strings. The | ||
382 | default is ``no''. | ||
383 | |||
384 | PermitOpen | ||
385 | Specifies the destinations to which TCP port forwarding is per- | ||
386 | mitted. The forwarding specification must be one of the follow- | ||
387 | ing forms: | ||
388 | |||
389 | PermitOpen host:port | ||
390 | PermitOpen IPv4_addr:port | ||
391 | PermitOpen [IPv6_addr]:port | ||
392 | |||
393 | Multiple forwards may be specified by separating them with | ||
394 | whitespace. An argument of ``any'' can be used to remove all re- | ||
395 | strictions and permit any forwarding requests. By default all | ||
396 | port forwarding requests are permitted. | ||
397 | |||
398 | PermitRootLogin | ||
399 | Specifies whether root can log in using ssh(1). The argument | ||
400 | must be ``yes'', ``without-password'', ``forced-commands-only'', | ||
401 | or ``no''. The default is ``yes''. | ||
402 | |||
403 | If this option is set to ``without-password'', password authenti- | ||
404 | cation is disabled for root. | ||
405 | |||
406 | If this option is set to ``forced-commands-only'', root login | ||
407 | with public key authentication will be allowed, but only if the | ||
408 | command option has been specified (which may be useful for taking | ||
409 | remote backups even if root login is normally not allowed). All | ||
410 | other authentication methods are disabled for root. | ||
411 | |||
412 | If this option is set to ``no'', root is not allowed to log in. | ||
413 | |||
414 | PermitTunnel | ||
415 | Specifies whether tun(4) device forwarding is allowed. The argu- | ||
416 | ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet'' | ||
417 | (layer 2), or ``no''. Specifying ``yes'' permits both ``point- | ||
418 | to-point'' and ``ethernet''. The default is ``no''. | ||
419 | |||
420 | PermitUserEnvironment | ||
421 | Specifies whether ~/.ssh/environment and environment= options in | ||
422 | ~/.ssh/authorized_keys are processed by sshd(8). The default is | ||
423 | ``no''. Enabling environment processing may enable users to by- | ||
424 | pass access restrictions in some configurations using mechanisms | ||
425 | such as LD_PRELOAD. | ||
426 | |||
427 | PidFile | ||
428 | Specifies the file that contains the process ID of the SSH dae- | ||
429 | mon. The default is /var/run/sshd.pid. | ||
430 | |||
431 | Port Specifies the port number that sshd(8) listens on. The default | ||
432 | is 22. Multiple options of this type are permitted. See also | ||
433 | ListenAddress. | ||
434 | |||
435 | PrintLastLog | ||
436 | Specifies whether sshd(8) should print the date and time of the | ||
437 | last user login when a user logs in interactively. The default | ||
438 | is ``yes''. | ||
439 | |||
440 | PrintMotd | ||
441 | Specifies whether sshd(8) should print /etc/motd when a user logs | ||
442 | in interactively. (On some systems it is also printed by the | ||
443 | shell, /etc/profile, or equivalent.) The default is ``yes''. | ||
444 | |||
445 | Protocol | ||
446 | Specifies the protocol versions sshd(8) supports. The possible | ||
447 | values are `1' and `2'. Multiple versions must be comma-separat- | ||
448 | ed. The default is ``2,1''. Note that the order of the protocol | ||
449 | list does not indicate preference, because the client selects | ||
450 | among multiple protocol versions offered by the server. Specify- | ||
451 | ing ``2,1'' is identical to ``1,2''. | ||
452 | |||
453 | PubkeyAuthentication | ||
454 | Specifies whether public key authentication is allowed. The de- | ||
455 | fault is ``yes''. Note that this option applies to protocol ver- | ||
456 | sion 2 only. | ||
457 | |||
458 | RhostsRSAAuthentication | ||
459 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | ||
460 | gether with successful RSA host authentication is allowed. The | ||
461 | default is ``no''. This option applies to protocol version 1 on- | ||
462 | ly. | ||
463 | |||
464 | RSAAuthentication | ||
465 | Specifies whether pure RSA authentication is allowed. The de- | ||
466 | fault is ``yes''. This option applies to protocol version 1 on- | ||
467 | ly. | ||
468 | |||
469 | ServerKeyBits | ||
470 | Defines the number of bits in the ephemeral protocol version 1 | ||
471 | server key. The minimum value is 512, and the default is 1024. | ||
472 | |||
473 | StrictModes | ||
474 | Specifies whether sshd(8) should check file modes and ownership | ||
475 | of the user's files and home directory before accepting login. | ||
476 | This is normally desirable because novices sometimes accidentally | ||
477 | leave their directory or files world-writable. The default is | ||
478 | ``yes''. | ||
479 | |||
480 | Subsystem | ||
481 | Configures an external subsystem (e.g. file transfer daemon). | ||
482 | Arguments should be a subsystem name and a command (with optional | ||
483 | arguments) to execute upon subsystem request. | ||
484 | |||
485 | The command sftp-server(8) implements the ``sftp'' file transfer | ||
486 | subsystem. | ||
487 | |||
488 | Alternately the name ``internal-sftp'' implements an in-process | ||
489 | ``sftp'' server. This may simplify configurations using | ||
490 | ChrootDirectory to force a different filesystem root on clients. | ||
491 | |||
492 | By default no subsystems are defined. Note that this option ap- | ||
493 | plies to protocol version 2 only. | ||
494 | |||
495 | SyslogFacility | ||
496 | Gives the facility code that is used when logging messages from | ||
497 | sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, | ||
498 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- | ||
499 | fault is AUTH. | ||
500 | |||
501 | TCPKeepAlive | ||
502 | Specifies whether the system should send TCP keepalive messages | ||
503 | to the other side. If they are sent, death of the connection or | ||
504 | crash of one of the machines will be properly noticed. However, | ||
505 | this means that connections will die if the route is down tem- | ||
506 | porarily, and some people find it annoying. On the other hand, | ||
507 | if TCP keepalives are not sent, sessions may hang indefinitely on | ||
508 | the server, leaving ``ghost'' users and consuming server re- | ||
509 | sources. | ||
510 | |||
511 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
512 | server will notice if the network goes down or the client host | ||
513 | crashes. This avoids infinitely hanging sessions. | ||
514 | |||
515 | To disable TCP keepalive messages, the value should be set to | ||
516 | ``no''. | ||
517 | |||
518 | UseDNS Specifies whether sshd(8) should look up the remote host name and | ||
519 | check that the resolved host name for the remote IP address maps | ||
520 | back to the very same IP address. The default is ``yes''. | ||
521 | |||
522 | UseLogin | ||
523 | Specifies whether login(1) is used for interactive login ses- | ||
524 | sions. The default is ``no''. Note that login(1) is never used | ||
525 | for remote command execution. Note also, that if this is en- | ||
526 | abled, X11Forwarding will be disabled because login(1) does not | ||
527 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | ||
528 | is specified, it will be disabled after authentication. | ||
529 | |||
530 | UsePAM Enables the Pluggable Authentication Module interface. If set to | ||
531 | ``yes'' this will enable PAM authentication using | ||
532 | ChallengeResponseAuthentication and PasswordAuthentication in ad- | ||
533 | dition to PAM account and session module processing for all au- | ||
534 | thentication types. | ||
535 | |||
536 | Because PAM challenge-response authentication usually serves an | ||
537 | equivalent role to password authentication, you should disable | ||
538 | either PasswordAuthentication or ChallengeResponseAuthentication. | ||
539 | |||
540 | If UsePAM is enabled, you will not be able to run sshd(8) as a | ||
541 | non-root user. The default is ``no''. | ||
542 | |||
543 | UsePrivilegeSeparation | ||
544 | Specifies whether sshd(8) separates privileges by creating an un- | ||
545 | privileged child process to deal with incoming network traffic. | ||
546 | After successful authentication, another process will be created | ||
547 | that has the privilege of the authenticated user. The goal of | ||
548 | privilege separation is to prevent privilege escalation by con- | ||
549 | taining any corruption within the unprivileged processes. The | ||
550 | default is ``yes''. | ||
551 | |||
552 | X11DisplayOffset | ||
553 | Specifies the first display number available for sshd(8)'s X11 | ||
554 | forwarding. This prevents sshd from interfering with real X11 | ||
555 | servers. The default is 10. | ||
556 | |||
557 | X11Forwarding | ||
558 | Specifies whether X11 forwarding is permitted. The argument must | ||
559 | be ``yes'' or ``no''. The default is ``no''. | ||
560 | |||
561 | When X11 forwarding is enabled, there may be additional exposure | ||
562 | to the server and to client displays if the sshd(8) proxy display | ||
563 | is configured to listen on the wildcard address (see | ||
564 | X11UseLocalhost below), though this is not the default. Addi- | ||
565 | tionally, the authentication spoofing and authentication data | ||
566 | verification and substitution occur on the client side. The se- | ||
567 | curity risk of using X11 forwarding is that the client's X11 dis- | ||
568 | play server may be exposed to attack when the SSH client requests | ||
569 | forwarding (see the warnings for ForwardX11 in ssh_config(5)). A | ||
570 | system administrator may have a stance in which they want to pro- | ||
571 | tect clients that may expose themselves to attack by unwittingly | ||
572 | requesting X11 forwarding, which can warrant a ``no'' setting. | ||
573 | |||
574 | Note that disabling X11 forwarding does not prevent users from | ||
575 | forwarding X11 traffic, as users can always install their own | ||
576 | forwarders. X11 forwarding is automatically disabled if UseLogin | ||
577 | is enabled. | ||
578 | |||
579 | X11UseLocalhost | ||
580 | Specifies whether sshd(8) should bind the X11 forwarding server | ||
581 | to the loopback address or to the wildcard address. By default, | ||
582 | sshd binds the forwarding server to the loopback address and sets | ||
583 | the hostname part of the DISPLAY environment variable to | ||
584 | ``localhost''. This prevents remote hosts from connecting to the | ||
585 | proxy display. However, some older X11 clients may not function | ||
586 | with this configuration. X11UseLocalhost may be set to ``no'' to | ||
587 | specify that the forwarding server should be bound to the wild- | ||
588 | card address. The argument must be ``yes'' or ``no''. The de- | ||
589 | fault is ``yes''. | ||
590 | |||
591 | XAuthLocation | ||
592 | Specifies the full pathname of the xauth(1) program. The default | ||
593 | is /usr/X11R6/bin/xauth. | ||
594 | |||
595 | TIME FORMATS | ||
596 | sshd(8) command-line arguments and configuration file options that speci- | ||
597 | fy time may be expressed using a sequence of the form: time[qualifier], | ||
598 | where time is a positive integer value and qualifier is one of the fol- | ||
599 | lowing: | ||
600 | |||
601 | <none> seconds | ||
602 | s | S seconds | ||
603 | m | M minutes | ||
604 | h | H hours | ||
605 | d | D days | ||
606 | w | W weeks | ||
607 | |||
608 | Each member of the sequence is added together to calculate the total time | ||
609 | value. | ||
610 | |||
611 | Time format examples: | ||
612 | |||
613 | 600 600 seconds (10 minutes) | ||
614 | 10m 10 minutes | ||
615 | 1h30m 1 hour 30 minutes (90 minutes) | ||
616 | |||
617 | FILES | ||
618 | /etc/ssh/sshd_config | ||
619 | Contains configuration data for sshd(8). This file should be | ||
620 | writable by root only, but it is recommended (though not neces- | ||
621 | sary) that it be world-readable. | ||
622 | |||
623 | SEE ALSO | ||
624 | sshd(8) | ||
625 | |||
626 | AUTHORS | ||
627 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
628 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
629 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | ||
630 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
631 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | ||
632 | for privilege separation. | ||
633 | |||
634 | OpenBSD 4.6 April 21, 2009 10 | ||