summaryrefslogtreecommitdiff
path: root/sshd_config.0
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2003-09-23 18:08:35 +0000
committerColin Watson <cjwatson@debian.org>2003-09-23 18:08:35 +0000
commitd59fd3e421aa81b8e5e118f3f806081df2aca879 (patch)
tree356a4e607edc979c625bb33db63c656d771478bd /sshd_config.0
parent7505658c58e96b8d270f1928a0e1fa7f3e0c266b (diff)
parent45431c9b4677608680cd071768cbf156b316a7e8 (diff)
Merge 3.7.1p2 to the trunk. I have absolutely no idea yet whether this will
work.
Diffstat (limited to 'sshd_config.0')
-rw-r--r--sshd_config.0117
1 files changed, 54 insertions, 63 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 7800de312..bc266317f 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -15,15 +15,11 @@ DESCRIPTION
15 The possible keywords and their meanings are as follows (note that key- 15 The possible keywords and their meanings are as follows (note that key-
16 words are case-insensitive and arguments are case-sensitive): 16 words are case-insensitive and arguments are case-sensitive):
17 17
18 AFSTokenPassing
19 Specifies whether an AFS token may be forwarded to the server.
20 Default is M-bM-^@M-^\noM-bM-^@M-^].
21
22 AllowGroups 18 AllowGroups
23 This keyword can be followed by a list of group name patterns, 19 This keyword can be followed by a list of group name patterns,
24 separated by spaces. If specified, login is allowed only for 20 separated by spaces. If specified, login is allowed only for
25 users whose primary group or supplementary group list matches one 21 users whose primary group or supplementary group list matches one
26 of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the 22 of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the
27 patterns. Only group names are valid; a numerical group ID is 23 patterns. Only group names are valid; a numerical group ID is
28 not recognized. By default, login is allowed for all groups. 24 not recognized. By default, login is allowed for all groups.
29 25
@@ -36,7 +32,7 @@ DESCRIPTION
36 AllowUsers 32 AllowUsers
37 This keyword can be followed by a list of user name patterns, 33 This keyword can be followed by a list of user name patterns,
38 separated by spaces. If specified, login is allowed only for 34 separated by spaces. If specified, login is allowed only for
39 user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be 35 user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be
40 used as wildcards in the patterns. Only user names are valid; a 36 used as wildcards in the patterns. Only user names are valid; a
41 numerical user ID is not recognized. By default, login is 37 numerical user ID is not recognized. By default, login is
42 allowed for all users. If the pattern takes the form USER@HOST 38 allowed for all users. If the pattern takes the form USER@HOST
@@ -70,7 +66,7 @@ DESCRIPTION
70 ciphers must be comma-separated. The default is 66 ciphers must be comma-separated. The default is
71 67
72 M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 68 M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
73 aes192-cbc,aes256-cbcM-bM-^@M-^YM-bM-^@M-^Y 69 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctrM-bM-^@M-^YM-bM-^@M-^Y
74 70
75 ClientAliveInterval 71 ClientAliveInterval
76 Sets a timeout interval in seconds after which if no data has 72 Sets a timeout interval in seconds after which if no data has
@@ -81,18 +77,18 @@ DESCRIPTION
81 77
82 ClientAliveCountMax 78 ClientAliveCountMax
83 Sets the number of client alive messages (see above) which may be 79 Sets the number of client alive messages (see above) which may be
84 sent without sshd receiving any messages back from the client. If 80 sent without sshd receiving any messages back from the client.
85 this threshold is reached while client alive messages are being 81 If this threshold is reached while client alive messages are
86 sent, sshd will disconnect the client, terminating the session. 82 being sent, sshd will disconnect the client, terminating the ses-
87 It is important to note that the use of client alive messages is 83 sion. It is important to note that the use of client alive mes-
88 very different from KeepAlive (below). The client alive messages 84 sages is very different from KeepAlive (below). The client alive
89 are sent through the encrypted channel and therefore will not be 85 messages are sent through the encrypted channel and therefore
90 spoofable. The TCP keepalive option enabled by KeepAlive is 86 will not be spoofable. The TCP keepalive option enabled by
91 spoofable. The client alive mechanism is valuable when the client 87 KeepAlive is spoofable. The client alive mechanism is valuable
92 or server depend on knowing when a connection has become inac- 88 when the client or server depend on knowing when a connection has
93 tive. 89 become inactive.
94 90
95 The default value is 3. If ClientAliveInterval (above) is set to 91 The default value is 3. If ClientAliveInterval (above) is set to
96 15, and ClientAliveCountMax is left at the default, unresponsive 92 15, and ClientAliveCountMax is left at the default, unresponsive
97 ssh clients will be disconnected after approximately 45 seconds. 93 ssh clients will be disconnected after approximately 45 seconds.
98 94
@@ -104,14 +100,14 @@ DESCRIPTION
104 This keyword can be followed by a list of group name patterns, 100 This keyword can be followed by a list of group name patterns,
105 separated by spaces. Login is disallowed for users whose primary 101 separated by spaces. Login is disallowed for users whose primary
106 group or supplementary group list matches one of the patterns. 102 group or supplementary group list matches one of the patterns.
107 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only 103 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the patterns. Only group
108 group names are valid; a numerical group ID is not recognized. 104 names are valid; a numerical group ID is not recognized. By
109 By default, login is allowed for all groups. 105 default, login is allowed for all groups.
110 106
111 DenyUsers 107 DenyUsers
112 This keyword can be followed by a list of user name patterns, 108 This keyword can be followed by a list of user name patterns,
113 separated by spaces. Login is disallowed for user names that 109 separated by spaces. Login is disallowed for user names that
114 match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards 110 match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards
115 in the patterns. Only user names are valid; a numerical user ID 111 in the patterns. Only user names are valid; a numerical user ID
116 is not recognized. By default, login is allowed for all users. 112 is not recognized. By default, login is allowed for all users.
117 If the pattern takes the form USER@HOST then USER and HOST are 113 If the pattern takes the form USER@HOST then USER and HOST are
@@ -128,6 +124,16 @@ DESCRIPTION
128 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The 124 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
129 default is M-bM-^@M-^\noM-bM-^@M-^]. 125 default is M-bM-^@M-^\noM-bM-^@M-^].
130 126
127 GSSAPIAuthentication
128 Specifies whether user authentication based on GSSAPI is allowed.
129 The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol
130 version 2 only.
131
132 GSSAPICleanupCredentials
133 Specifies whether to automatically destroy the userM-bM-^@M-^Ys credentials
134 cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option
135 applies to protocol version 2 only.
136
131 HostbasedAuthentication 137 HostbasedAuthentication
132 Specifies whether rhosts or /etc/hosts.equiv authentication 138 Specifies whether rhosts or /etc/hosts.equiv authentication
133 together with successful public key client host authentication is 139 together with successful public key client host authentication is
@@ -146,8 +152,7 @@ DESCRIPTION
146 152
147 IgnoreRhosts 153 IgnoreRhosts
148 Specifies that .rhosts and .shosts files will not be used in 154 Specifies that .rhosts and .shosts files will not be used in
149 RhostsAuthentication, RhostsRSAAuthentication or 155 RhostsRSAAuthentication or HostbasedAuthentication.
150 HostbasedAuthentication.
151 156
152 /etc/hosts.equiv and /etc/shosts.equiv are still used. The 157 /etc/hosts.equiv and /etc/shosts.equiv are still used. The
153 default is M-bM-^@M-^\yesM-bM-^@M-^]. 158 default is M-bM-^@M-^\yesM-bM-^@M-^].
@@ -173,23 +178,17 @@ DESCRIPTION
173 To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. 178 To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^].
174 179
175 KerberosAuthentication 180 KerberosAuthentication
176 Specifies whether Kerberos authentication is allowed. This can 181 Specifies whether the password provided by the user for
177 be in the form of a Kerberos ticket, or if PasswordAuthentication 182 PasswordAuthentication will be validated through the Kerberos
178 is yes, the password provided by the user will be validated 183 KDC. To use this option, the server needs a Kerberos servtab
179 through the Kerberos KDC. To use this option, the server needs a 184 which allows the verification of the KDCM-bM-^@M-^Ys identity. Default is
180 Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys iden- 185 M-bM-^@M-^\noM-bM-^@M-^].
181 tity. Default is M-bM-^@M-^\noM-bM-^@M-^].
182 186
183 KerberosOrLocalPasswd 187 KerberosOrLocalPasswd
184 If set then if password authentication through Kerberos fails 188 If set then if password authentication through Kerberos fails
185 then the password will be validated via any additional local 189 then the password will be validated via any additional local
186 mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^]. 190 mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^].
187 191
188 KerberosTgtPassing
189 Specifies whether a Kerberos TGT may be forwarded to the server.
190 Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is
191 actually an AFS kaserver.
192
193 KerberosTicketCleanup 192 KerberosTicketCleanup
194 Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket 193 Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket
195 cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. 194 cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^].
@@ -211,7 +210,7 @@ DESCRIPTION
211 ListenAddress [host|IPv6_addr]:port 210 ListenAddress [host|IPv6_addr]:port
212 211
213 If port is not specified, sshd will listen on the address and all 212 If port is not specified, sshd will listen on the address and all
214 prior Port options specified. The default is to listen on all 213 prior Port options specified. The default is to listen on all
215 local addresses. Multiple ListenAddress options are permitted. 214 local addresses. Multiple ListenAddress options are permitted.
216 Additionally, any Port options must precede this option for non 215 Additionally, any Port options must precede this option for non
217 port qualified addresses. 216 port qualified addresses.
@@ -249,12 +248,6 @@ DESCRIPTION
249 and all connection attempts are refused if the number of unau- 248 and all connection attempts are refused if the number of unau-
250 thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). 249 thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60).
251 250
252 PAMAuthenticationViaKbdInt
253 Specifies whether PAM challenge response authentication is
254 allowed. This allows the use of most PAM challenge response
255 authentication modules, but it will allow password authentication
256 regardless of whether PasswordAuthentication is enabled.
257
258 PasswordAuthentication 251 PasswordAuthentication
259 Specifies whether password authentication is allowed. The 252 Specifies whether password authentication is allowed. The
260 default is M-bM-^@M-^\yesM-bM-^@M-^]. 253 default is M-bM-^@M-^\yesM-bM-^@M-^].
@@ -275,7 +268,7 @@ DESCRIPTION
275 If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with 268 If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with
276 public key authentication will be allowed, but only if the 269 public key authentication will be allowed, but only if the
277 command option has been specified (which may be useful for taking 270 command option has been specified (which may be useful for taking
278 remote backups even if root login is normally not allowed). All 271 remote backups even if root login is normally not allowed). All
279 other authentication methods are disabled for root. 272 other authentication methods are disabled for root.
280 273
281 If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. 274 If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login.
@@ -315,16 +308,10 @@ DESCRIPTION
315 PubkeyAuthentication 308 PubkeyAuthentication
316 Specifies whether public key authentication is allowed. The 309 Specifies whether public key authentication is allowed. The
317 default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver- 310 default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver-
318 sion 2 only. 311 sion 2 only. RhostsRSAAuthentication should be used instead,
319 312 because it performs RSA-based host authentication in addition to
320 RhostsAuthentication 313 normal rhosts or /etc/hosts.equiv authentication. The default is
321 Specifies whether authentication using rhosts or /etc/hosts.equiv 314 M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only.
322 files is sufficient. Normally, this method should not be permit-
323 ted because it is insecure. RhostsRSAAuthentication should be
324 used instead, because it performs RSA-based host authentication
325 in addition to normal rhosts or /etc/hosts.equiv authentication.
326 The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1
327 only.
328 315
329 RhostsRSAAuthentication 316 RhostsRSAAuthentication
330 Specifies whether rhosts or /etc/hosts.equiv authentication 317 Specifies whether rhosts or /etc/hosts.equiv authentication
@@ -361,6 +348,10 @@ DESCRIPTION
361 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The 348 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
362 default is AUTH. 349 default is AUTH.
363 350
351 UseDNS Specifies whether sshd should lookup the remote host name and
352 check that the resolved host name for the remote IP address maps
353 back to the very same IP address. The default is M-bM-^@M-^\yesM-bM-^@M-^].
354
364 UseLogin 355 UseLogin
365 Specifies whether login(1) is used for interactive login ses- 356 Specifies whether login(1) is used for interactive login ses-
366 sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used 357 sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used
@@ -369,6 +360,11 @@ DESCRIPTION
369 know how to handle xauth(1) cookies. If UsePrivilegeSeparation 360 know how to handle xauth(1) cookies. If UsePrivilegeSeparation
370 is specified, it will be disabled after authentication. 361 is specified, it will be disabled after authentication.
371 362
363 UsePAM Enables PAM authentication (via challenge-response) and session
364 set up. If you enable this, you should probably disable
365 PasswordAuthentication. If you enable then you will not be able
366 to run sshd as a non-root user.
367
372 UsePrivilegeSeparation 368 UsePrivilegeSeparation
373 Specifies whether sshd separates privileges by creating an 369 Specifies whether sshd separates privileges by creating an
374 unprivileged child process to deal with incoming network traffic. 370 unprivileged child process to deal with incoming network traffic.
@@ -378,11 +374,6 @@ DESCRIPTION
378 taining any corruption within the unprivileged processes. The 374 taining any corruption within the unprivileged processes. The
379 default is M-bM-^@M-^\yesM-bM-^@M-^]. 375 default is M-bM-^@M-^\yesM-bM-^@M-^].
380 376
381 VerifyReverseMapping
382 Specifies whether sshd should try to verify the remote host name
383 and check that the resolved host name for the remote IP address
384 maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^].
385
386 X11DisplayOffset 377 X11DisplayOffset
387 Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for- 378 Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for-
388 warding. This prevents sshd from interfering with real X11 379 warding. This prevents sshd from interfering with real X11
@@ -400,7 +391,7 @@ DESCRIPTION
400 substitution occur on the client side. The security risk of 391 substitution occur on the client side. The security risk of
401 using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may 392 using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may
402 be exposed to attack when the ssh client requests forwarding (see 393 be exposed to attack when the ssh client requests forwarding (see
403 the warnings for ForwardX11 in ssh_config(5) ). A system adminis- 394 the warnings for ForwardX11 in ssh_config(5)). A system adminis-
404 trator may have a stance in which they want to protect clients 395 trator may have a stance in which they want to protect clients
405 that may expose themselves to attack by unwittingly requesting 396 that may expose themselves to attack by unwittingly requesting
406 X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. 397 X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting.
@@ -454,6 +445,9 @@ FILES
454 writable by root only, but it is recommended (though not neces- 445 writable by root only, but it is recommended (though not neces-
455 sary) that it be world-readable. 446 sary) that it be world-readable.
456 447
448SEE ALSO
449 sshd(8)
450
457AUTHORS 451AUTHORS
458 OpenSSH is a derivative of the original and free ssh 1.2.12 release by 452 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
459 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo 453 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
@@ -462,7 +456,4 @@ AUTHORS
462 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 456 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
463 for privilege separation. 457 for privilege separation.
464 458
465SEE ALSO
466 sshd(8)
467
468BSD September 25, 1999 BSD 459BSD September 25, 1999 BSD