diff options
author | Colin Watson <cjwatson@debian.org> | 2003-09-23 18:08:35 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-23 18:08:35 +0000 |
commit | d59fd3e421aa81b8e5e118f3f806081df2aca879 (patch) | |
tree | 356a4e607edc979c625bb33db63c656d771478bd /sshd_config.0 | |
parent | 7505658c58e96b8d270f1928a0e1fa7f3e0c266b (diff) | |
parent | 45431c9b4677608680cd071768cbf156b316a7e8 (diff) |
Merge 3.7.1p2 to the trunk. I have absolutely no idea yet whether this will
work.
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 117 |
1 files changed, 54 insertions, 63 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 7800de312..bc266317f 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -15,15 +15,11 @@ DESCRIPTION | |||
15 | The possible keywords and their meanings are as follows (note that key- | 15 | The possible keywords and their meanings are as follows (note that key- |
16 | words are case-insensitive and arguments are case-sensitive): | 16 | words are case-insensitive and arguments are case-sensitive): |
17 | 17 | ||
18 | AFSTokenPassing | ||
19 | Specifies whether an AFS token may be forwarded to the server. | ||
20 | Default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
21 | |||
22 | AllowGroups | 18 | AllowGroups |
23 | This keyword can be followed by a list of group name patterns, | 19 | This keyword can be followed by a list of group name patterns, |
24 | separated by spaces. If specified, login is allowed only for | 20 | separated by spaces. If specified, login is allowed only for |
25 | users whose primary group or supplementary group list matches one | 21 | users whose primary group or supplementary group list matches one |
26 | of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the | 22 | of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the |
27 | patterns. Only group names are valid; a numerical group ID is | 23 | patterns. Only group names are valid; a numerical group ID is |
28 | not recognized. By default, login is allowed for all groups. | 24 | not recognized. By default, login is allowed for all groups. |
29 | 25 | ||
@@ -36,7 +32,7 @@ DESCRIPTION | |||
36 | AllowUsers | 32 | AllowUsers |
37 | This keyword can be followed by a list of user name patterns, | 33 | This keyword can be followed by a list of user name patterns, |
38 | separated by spaces. If specified, login is allowed only for | 34 | separated by spaces. If specified, login is allowed only for |
39 | user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be | 35 | user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be |
40 | used as wildcards in the patterns. Only user names are valid; a | 36 | used as wildcards in the patterns. Only user names are valid; a |
41 | numerical user ID is not recognized. By default, login is | 37 | numerical user ID is not recognized. By default, login is |
42 | allowed for all users. If the pattern takes the form USER@HOST | 38 | allowed for all users. If the pattern takes the form USER@HOST |
@@ -70,7 +66,7 @@ DESCRIPTION | |||
70 | ciphers must be comma-separated. The default is | 66 | ciphers must be comma-separated. The default is |
71 | 67 | ||
72 | M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 68 | M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
73 | aes192-cbc,aes256-cbcM-bM-^@M-^YM-bM-^@M-^Y | 69 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctrM-bM-^@M-^YM-bM-^@M-^Y |
74 | 70 | ||
75 | ClientAliveInterval | 71 | ClientAliveInterval |
76 | Sets a timeout interval in seconds after which if no data has | 72 | Sets a timeout interval in seconds after which if no data has |
@@ -81,18 +77,18 @@ DESCRIPTION | |||
81 | 77 | ||
82 | ClientAliveCountMax | 78 | ClientAliveCountMax |
83 | Sets the number of client alive messages (see above) which may be | 79 | Sets the number of client alive messages (see above) which may be |
84 | sent without sshd receiving any messages back from the client. If | 80 | sent without sshd receiving any messages back from the client. |
85 | this threshold is reached while client alive messages are being | 81 | If this threshold is reached while client alive messages are |
86 | sent, sshd will disconnect the client, terminating the session. | 82 | being sent, sshd will disconnect the client, terminating the ses- |
87 | It is important to note that the use of client alive messages is | 83 | sion. It is important to note that the use of client alive mes- |
88 | very different from KeepAlive (below). The client alive messages | 84 | sages is very different from KeepAlive (below). The client alive |
89 | are sent through the encrypted channel and therefore will not be | 85 | messages are sent through the encrypted channel and therefore |
90 | spoofable. The TCP keepalive option enabled by KeepAlive is | 86 | will not be spoofable. The TCP keepalive option enabled by |
91 | spoofable. The client alive mechanism is valuable when the client | 87 | KeepAlive is spoofable. The client alive mechanism is valuable |
92 | or server depend on knowing when a connection has become inac- | 88 | when the client or server depend on knowing when a connection has |
93 | tive. | 89 | become inactive. |
94 | 90 | ||
95 | The default value is 3. If ClientAliveInterval (above) is set to | 91 | The default value is 3. If ClientAliveInterval (above) is set to |
96 | 15, and ClientAliveCountMax is left at the default, unresponsive | 92 | 15, and ClientAliveCountMax is left at the default, unresponsive |
97 | ssh clients will be disconnected after approximately 45 seconds. | 93 | ssh clients will be disconnected after approximately 45 seconds. |
98 | 94 | ||
@@ -104,14 +100,14 @@ DESCRIPTION | |||
104 | This keyword can be followed by a list of group name patterns, | 100 | This keyword can be followed by a list of group name patterns, |
105 | separated by spaces. Login is disallowed for users whose primary | 101 | separated by spaces. Login is disallowed for users whose primary |
106 | group or supplementary group list matches one of the patterns. | 102 | group or supplementary group list matches one of the patterns. |
107 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only | 103 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the patterns. Only group |
108 | group names are valid; a numerical group ID is not recognized. | 104 | names are valid; a numerical group ID is not recognized. By |
109 | By default, login is allowed for all groups. | 105 | default, login is allowed for all groups. |
110 | 106 | ||
111 | DenyUsers | 107 | DenyUsers |
112 | This keyword can be followed by a list of user name patterns, | 108 | This keyword can be followed by a list of user name patterns, |
113 | separated by spaces. Login is disallowed for user names that | 109 | separated by spaces. Login is disallowed for user names that |
114 | match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards | 110 | match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards |
115 | in the patterns. Only user names are valid; a numerical user ID | 111 | in the patterns. Only user names are valid; a numerical user ID |
116 | is not recognized. By default, login is allowed for all users. | 112 | is not recognized. By default, login is allowed for all users. |
117 | If the pattern takes the form USER@HOST then USER and HOST are | 113 | If the pattern takes the form USER@HOST then USER and HOST are |
@@ -128,6 +124,16 @@ DESCRIPTION | |||
128 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The | 124 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
129 | default is M-bM-^@M-^\noM-bM-^@M-^]. | 125 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
130 | 126 | ||
127 | GSSAPIAuthentication | ||
128 | Specifies whether user authentication based on GSSAPI is allowed. | ||
129 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol | ||
130 | version 2 only. | ||
131 | |||
132 | GSSAPICleanupCredentials | ||
133 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys credentials | ||
134 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option | ||
135 | applies to protocol version 2 only. | ||
136 | |||
131 | HostbasedAuthentication | 137 | HostbasedAuthentication |
132 | Specifies whether rhosts or /etc/hosts.equiv authentication | 138 | Specifies whether rhosts or /etc/hosts.equiv authentication |
133 | together with successful public key client host authentication is | 139 | together with successful public key client host authentication is |
@@ -146,8 +152,7 @@ DESCRIPTION | |||
146 | 152 | ||
147 | IgnoreRhosts | 153 | IgnoreRhosts |
148 | Specifies that .rhosts and .shosts files will not be used in | 154 | Specifies that .rhosts and .shosts files will not be used in |
149 | RhostsAuthentication, RhostsRSAAuthentication or | 155 | RhostsRSAAuthentication or HostbasedAuthentication. |
150 | HostbasedAuthentication. | ||
151 | 156 | ||
152 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The | 157 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The |
153 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 158 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
@@ -173,23 +178,17 @@ DESCRIPTION | |||
173 | To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. | 178 | To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. |
174 | 179 | ||
175 | KerberosAuthentication | 180 | KerberosAuthentication |
176 | Specifies whether Kerberos authentication is allowed. This can | 181 | Specifies whether the password provided by the user for |
177 | be in the form of a Kerberos ticket, or if PasswordAuthentication | 182 | PasswordAuthentication will be validated through the Kerberos |
178 | is yes, the password provided by the user will be validated | 183 | KDC. To use this option, the server needs a Kerberos servtab |
179 | through the Kerberos KDC. To use this option, the server needs a | 184 | which allows the verification of the KDCM-bM-^@M-^Ys identity. Default is |
180 | Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys iden- | 185 | M-bM-^@M-^\noM-bM-^@M-^]. |
181 | tity. Default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
182 | 186 | ||
183 | KerberosOrLocalPasswd | 187 | KerberosOrLocalPasswd |
184 | If set then if password authentication through Kerberos fails | 188 | If set then if password authentication through Kerberos fails |
185 | then the password will be validated via any additional local | 189 | then the password will be validated via any additional local |
186 | mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^]. | 190 | mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^]. |
187 | 191 | ||
188 | KerberosTgtPassing | ||
189 | Specifies whether a Kerberos TGT may be forwarded to the server. | ||
190 | Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is | ||
191 | actually an AFS kaserver. | ||
192 | |||
193 | KerberosTicketCleanup | 192 | KerberosTicketCleanup |
194 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket | 193 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket |
195 | cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. | 194 | cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. |
@@ -211,7 +210,7 @@ DESCRIPTION | |||
211 | ListenAddress [host|IPv6_addr]:port | 210 | ListenAddress [host|IPv6_addr]:port |
212 | 211 | ||
213 | If port is not specified, sshd will listen on the address and all | 212 | If port is not specified, sshd will listen on the address and all |
214 | prior Port options specified. The default is to listen on all | 213 | prior Port options specified. The default is to listen on all |
215 | local addresses. Multiple ListenAddress options are permitted. | 214 | local addresses. Multiple ListenAddress options are permitted. |
216 | Additionally, any Port options must precede this option for non | 215 | Additionally, any Port options must precede this option for non |
217 | port qualified addresses. | 216 | port qualified addresses. |
@@ -249,12 +248,6 @@ DESCRIPTION | |||
249 | and all connection attempts are refused if the number of unau- | 248 | and all connection attempts are refused if the number of unau- |
250 | thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). | 249 | thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). |
251 | 250 | ||
252 | PAMAuthenticationViaKbdInt | ||
253 | Specifies whether PAM challenge response authentication is | ||
254 | allowed. This allows the use of most PAM challenge response | ||
255 | authentication modules, but it will allow password authentication | ||
256 | regardless of whether PasswordAuthentication is enabled. | ||
257 | |||
258 | PasswordAuthentication | 251 | PasswordAuthentication |
259 | Specifies whether password authentication is allowed. The | 252 | Specifies whether password authentication is allowed. The |
260 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 253 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
@@ -275,7 +268,7 @@ DESCRIPTION | |||
275 | If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with | 268 | If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with |
276 | public key authentication will be allowed, but only if the | 269 | public key authentication will be allowed, but only if the |
277 | command option has been specified (which may be useful for taking | 270 | command option has been specified (which may be useful for taking |
278 | remote backups even if root login is normally not allowed). All | 271 | remote backups even if root login is normally not allowed). All |
279 | other authentication methods are disabled for root. | 272 | other authentication methods are disabled for root. |
280 | 273 | ||
281 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. | 274 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. |
@@ -315,16 +308,10 @@ DESCRIPTION | |||
315 | PubkeyAuthentication | 308 | PubkeyAuthentication |
316 | Specifies whether public key authentication is allowed. The | 309 | Specifies whether public key authentication is allowed. The |
317 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver- | 310 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver- |
318 | sion 2 only. | 311 | sion 2 only. RhostsRSAAuthentication should be used instead, |
319 | 312 | because it performs RSA-based host authentication in addition to | |
320 | RhostsAuthentication | 313 | normal rhosts or /etc/hosts.equiv authentication. The default is |
321 | Specifies whether authentication using rhosts or /etc/hosts.equiv | 314 | M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. |
322 | files is sufficient. Normally, this method should not be permit- | ||
323 | ted because it is insecure. RhostsRSAAuthentication should be | ||
324 | used instead, because it performs RSA-based host authentication | ||
325 | in addition to normal rhosts or /etc/hosts.equiv authentication. | ||
326 | The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 | ||
327 | only. | ||
328 | 315 | ||
329 | RhostsRSAAuthentication | 316 | RhostsRSAAuthentication |
330 | Specifies whether rhosts or /etc/hosts.equiv authentication | 317 | Specifies whether rhosts or /etc/hosts.equiv authentication |
@@ -361,6 +348,10 @@ DESCRIPTION | |||
361 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The | 348 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The |
362 | default is AUTH. | 349 | default is AUTH. |
363 | 350 | ||
351 | UseDNS Specifies whether sshd should lookup the remote host name and | ||
352 | check that the resolved host name for the remote IP address maps | ||
353 | back to the very same IP address. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | ||
354 | |||
364 | UseLogin | 355 | UseLogin |
365 | Specifies whether login(1) is used for interactive login ses- | 356 | Specifies whether login(1) is used for interactive login ses- |
366 | sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used | 357 | sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used |
@@ -369,6 +360,11 @@ DESCRIPTION | |||
369 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | 360 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation |
370 | is specified, it will be disabled after authentication. | 361 | is specified, it will be disabled after authentication. |
371 | 362 | ||
363 | UsePAM Enables PAM authentication (via challenge-response) and session | ||
364 | set up. If you enable this, you should probably disable | ||
365 | PasswordAuthentication. If you enable then you will not be able | ||
366 | to run sshd as a non-root user. | ||
367 | |||
372 | UsePrivilegeSeparation | 368 | UsePrivilegeSeparation |
373 | Specifies whether sshd separates privileges by creating an | 369 | Specifies whether sshd separates privileges by creating an |
374 | unprivileged child process to deal with incoming network traffic. | 370 | unprivileged child process to deal with incoming network traffic. |
@@ -378,11 +374,6 @@ DESCRIPTION | |||
378 | taining any corruption within the unprivileged processes. The | 374 | taining any corruption within the unprivileged processes. The |
379 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 375 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
380 | 376 | ||
381 | VerifyReverseMapping | ||
382 | Specifies whether sshd should try to verify the remote host name | ||
383 | and check that the resolved host name for the remote IP address | ||
384 | maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
385 | |||
386 | X11DisplayOffset | 377 | X11DisplayOffset |
387 | Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for- | 378 | Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for- |
388 | warding. This prevents sshd from interfering with real X11 | 379 | warding. This prevents sshd from interfering with real X11 |
@@ -400,7 +391,7 @@ DESCRIPTION | |||
400 | substitution occur on the client side. The security risk of | 391 | substitution occur on the client side. The security risk of |
401 | using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may | 392 | using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may |
402 | be exposed to attack when the ssh client requests forwarding (see | 393 | be exposed to attack when the ssh client requests forwarding (see |
403 | the warnings for ForwardX11 in ssh_config(5) ). A system adminis- | 394 | the warnings for ForwardX11 in ssh_config(5)). A system adminis- |
404 | trator may have a stance in which they want to protect clients | 395 | trator may have a stance in which they want to protect clients |
405 | that may expose themselves to attack by unwittingly requesting | 396 | that may expose themselves to attack by unwittingly requesting |
406 | X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. | 397 | X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. |
@@ -454,6 +445,9 @@ FILES | |||
454 | writable by root only, but it is recommended (though not neces- | 445 | writable by root only, but it is recommended (though not neces- |
455 | sary) that it be world-readable. | 446 | sary) that it be world-readable. |
456 | 447 | ||
448 | SEE ALSO | ||
449 | sshd(8) | ||
450 | |||
457 | AUTHORS | 451 | AUTHORS |
458 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 452 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
459 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 453 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
@@ -462,7 +456,4 @@ AUTHORS | |||
462 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 456 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
463 | for privilege separation. | 457 | for privilege separation. |
464 | 458 | ||
465 | SEE ALSO | ||
466 | sshd(8) | ||
467 | |||
468 | BSD September 25, 1999 BSD | 459 | BSD September 25, 1999 BSD |