author Colin Watson <cjwatson@debian.org> 2018-08-24 12:49:36 +0100
committer Colin Watson <cjwatson@debian.org> 2018-08-24 12:49:36 +0100
commit e6547182a54f0f268ee36e7c99319eeddffbaff2 (patch)
tree 417527229ad3f3764ba71ea383f478a168895087 /sshd_config.0
parent ed6ae9c1a014a08ff5db3d768f01f2e427eeb476 (diff)
parent 71508e06fab14bc415a79a08f5535ad7bffa93d9 (diff)
Import openssh_7.8p1.orig.tar.gz
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- sshd_config.0 120
1 files changed, 78 insertions, 42 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 95c17fc8d..0498495fe 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -16,17 +16,17 @@ DESCRIPTION
16 16
17 AcceptEnv 17 AcceptEnv
18 Specifies what environment variables sent by the client will be 18 Specifies what environment variables sent by the client will be
19 copied into the session's environ(7). See SendEnv in 19 copied into the session's environ(7). See SendEnv and SetEnv in
20 ssh_config(5) for how to configure the client. The TERM 20 ssh_config(5) for how to configure the client. The TERM
21 environment variable is always sent whenever the client requests 21 environment variable is always accepted whenever the client
22 a pseudo-terminal as it is required by the protocol. Variables 22 requests a pseudo-terminal as it is required by the protocol.
23 are specified by name, which may contain the wildcard characters 23 Variables are specified by name, which may contain the wildcard
24 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be separated by 24 characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be
25 whitespace or spread across multiple AcceptEnv directives. Be 25 separated by whitespace or spread across multiple AcceptEnv
26 warned that some environment variables could be used to bypass 26 directives. Be warned that some environment variables could be
27 restricted user environments. For this reason, care should be 27 used to bypass restricted user environments. For this reason,
28 taken in the use of this directive. The default is not to accept 28 care should be taken in the use of this directive. The default
29 any environment variables. 29 is not to accept any environment variables.
30 30
31 AddressFamily 31 AddressFamily
32 Specifies which address family should be used by sshd(8). Valid 32 Specifies which address family should be used by sshd(8). Valid
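Review bot: the new cross-reference to SetEnv on line 19 (new) does not say how the two options interact; the SetEnv entry added later in this patch states that SetEnv values override anything the client supplies via AcceptEnv, and that precedence belongs here as well, because an administrator reading AcceptEnv alone may assume a client-sent variable wins. Suggest appending "Variables set with SetEnv take precedence over values sent by the client."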
@@ -88,7 +88,7 @@ DESCRIPTION
88 AuthenticationMethods 88 AuthenticationMethods
89 Specifies the authentication methods that must be successfully 89 Specifies the authentication methods that must be successfully
90 completed for a user to be granted access. This option must be 90 completed for a user to be granted access. This option must be
91 followed by one or more comma-separated lists of authentication 91 followed by one or more lists of comma-separated authentication
92 method names, or by the single string any to indicate the default 92 method names, or by the single string any to indicate the default
93 behaviour of accepting any single authentication method. If the 93 behaviour of accepting any single authentication method. If the
94 default is overridden, then successful authentication requires 94 default is overridden, then successful authentication requires
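Review bot: the rewording on line 91 (new) is less precise than what it replaces: "one or more lists of comma-separated authentication method names" can be read as a single list whose items happen to be comma-separated, which hides that several alternative lists may be given. Suggest "one or more lists, each a comma-separated sequence of authentication method names" so the two levels of grouping stay distinct.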
@@ -104,8 +104,8 @@ DESCRIPTION
104 104
105 For keyboard interactive authentication it is also possible to 105 For keyboard interactive authentication it is also possible to
106 restrict authentication to a specific device by appending a colon 106 restrict authentication to a specific device by appending a colon
107 followed by the device identifier bsdauth, pam, or skey, 107 followed by the device identifier bsdauth or pam. depending on
108 depending on the server configuration. For example, 108 the server configuration. For example,
109 "keyboard-interactive:bsdauth" would restrict keyboard 109 "keyboard-interactive:bsdauth" would restrict keyboard
110 interactive authentication to the bsdauth device. 110 interactive authentication to the bsdauth device.
111 111
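Review bot: stray full stop on line 107 (new): "bsdauth or pam. depending on the server configuration" splits the sentence and leaves "depending on" as a lowercase fragment; it should read "bsdauth or pam, depending on the server configuration."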
@@ -120,7 +120,7 @@ DESCRIPTION
120 120
121 The available authentication methods are: "gssapi-with-mic", 121 The available authentication methods are: "gssapi-with-mic",
122 "hostbased", "keyboard-interactive", "none" (used for access to 122 "hostbased", "keyboard-interactive", "none" (used for access to
123 password-less accounts when PermitEmptyPassword is enabled), 123 password-less accounts when PermitEmptyPasswords is enabled),
124 "password" and "publickey". 124 "password" and "publickey".
125 125
126 AuthorizedKeysCommand 126 AuthorizedKeysCommand
@@ -382,11 +382,11 @@ DESCRIPTION
382 382
383 HostbasedAcceptedKeyTypes 383 HostbasedAcceptedKeyTypes
384 Specifies the key types that will be accepted for hostbased 384 Specifies the key types that will be accepted for hostbased
385 authentication as a comma-separated pattern list. Alternately if 385 authentication as a list of comma-separated patterns.
386 the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the 386 Alternately if the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
387 specified key types will be appended to the default set instead 387 then the specified key types will be appended to the default set
388 of replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y 388 instead of replacing them. If the specified value begins with a
389 character, then the specified key types (including wildcards) 389 M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified key types (including wildcards)
390 will be removed from the default set instead of replacing them. 390 will be removed from the default set instead of replacing them.
391 The default for this option is: 391 The default for this option is:
392 392
@@ -394,9 +394,10 @@ DESCRIPTION
394 ecdsa-sha2-nistp384-cert-v01@openssh.com, 394 ecdsa-sha2-nistp384-cert-v01@openssh.com,
395 ecdsa-sha2-nistp521-cert-v01@openssh.com, 395 ecdsa-sha2-nistp521-cert-v01@openssh.com,
396 ssh-ed25519-cert-v01@openssh.com, 396 ssh-ed25519-cert-v01@openssh.com,
397 rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
397 ssh-rsa-cert-v01@openssh.com, 398 ssh-rsa-cert-v01@openssh.com,
398 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 399 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
399 ssh-ed25519,ssh-rsa 400 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
400 401
401 The list of available key types may also be obtained using "ssh 402 The list of available key types may also be obtained using "ssh
402 -Q key". 403 -Q key".
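Review bot: the default list on lines 397-400 (new) adds the rsa-sha2-512 and rsa-sha2-256 variants ahead of ssh-rsa but keeps ssh-rsa and ssh-rsa-cert-v01@openssh.com in the default set, and the text does not say whether the order expresses a preference. Since the "-" form documented on lines 388-390 of this file removes named types from the default set, a short pointer here (for example "HostbasedAcceptedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com" to refuse the older RSA signature types while keeping the rest of the defaults) would help administrators who want to limit hostbased authentication to the newer types.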
@@ -449,9 +450,10 @@ DESCRIPTION
449 ecdsa-sha2-nistp384-cert-v01@openssh.com, 450 ecdsa-sha2-nistp384-cert-v01@openssh.com,
450 ecdsa-sha2-nistp521-cert-v01@openssh.com, 451 ecdsa-sha2-nistp521-cert-v01@openssh.com,
451 ssh-ed25519-cert-v01@openssh.com, 452 ssh-ed25519-cert-v01@openssh.com,
453 rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
452 ssh-rsa-cert-v01@openssh.com, 454 ssh-rsa-cert-v01@openssh.com,
453 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 455 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
454 ssh-ed25519,ssh-rsa 456 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
455 457
456 The list of available key types may also be obtained using "ssh 458 The list of available key types may also be obtained using "ssh
457 -Q key". 459 -Q key".
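Review bot: this is the same default list as the hunk at line 394 and the PubkeyAcceptedKeyTypes hunk at line 785, edited identically in all three places. The duplication is inherent to the man page, but a reviewer should check that all three stay byte-for-byte in step (they do here), because a future change to one list but not the others would silently document different defaults for the three options.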
@@ -478,8 +480,9 @@ DESCRIPTION
478 If one argument is specified, it is used as the packet class 480 If one argument is specified, it is used as the packet class
479 unconditionally. If two values are specified, the first is 481 unconditionally. If two values are specified, the first is
480 automatically selected for interactive sessions and the second 482 automatically selected for interactive sessions and the second
481 for non-interactive sessions. The default is lowdelay for 483 for non-interactive sessions. The default is af21 (Low-Latency
482 interactive sessions and throughput for non-interactive sessions. 484 Data) for interactive sessions and cs1 (Lower Effort) for non-
485 interactive sessions.
483 486
484 KbdInteractiveAuthentication 487 KbdInteractiveAuthentication
485 Specifies whether to allow keyboard-interactive authentication. 488 Specifies whether to allow keyboard-interactive authentication.
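Review bot: lines 483-485 (new) change the documented defaults from lowdelay/throughput to af21 (Low-Latency Data) and cs1 (Lower Effort) without saying whether the old keywords lowdelay and throughput are still accepted as explicit arguments. Administrators with "IPQoS lowdelay throughput" in an existing configuration need to know whether that line keeps working or must be rewritten, so a sentence on backward compatibility of the argument names would close the gap.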
@@ -651,9 +654,9 @@ DESCRIPTION
651 HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, 654 HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS,
652 KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, 655 KbdInteractiveAuthentication, KerberosAuthentication, LogLevel,
653 MaxAuthTries, MaxSessions, PasswordAuthentication, 656 MaxAuthTries, MaxSessions, PasswordAuthentication,
654 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, 657 PermitEmptyPasswords, PermitListen, PermitOpen, PermitRootLogin,
655 PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, 658 PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes,
656 PubkeyAuthentication, RekeyLimit, RevokedKeys, RDomain, 659 PubkeyAuthentication, RekeyLimit, RevokedKeys, RDomain, SetEnv,
657 StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, 660 StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys,
658 X11DisplayOffset, X11Forwarding and X11UseLocalHost. 661 X11DisplayOffset, X11Forwarding and X11UseLocalHost.
659 662
@@ -694,6 +697,28 @@ DESCRIPTION
694 server allows login to accounts with empty password strings. The 697 server allows login to accounts with empty password strings. The
695 default is no. 698 default is no.
696 699
700 PermitListen
701 Specifies the addresses/ports on which a remote TCP port
702 forwarding may listen. The listen specification must be one of
703 the following forms:
704
705 PermitListen port
706 PermitListen host:port
707
708 Multiple permissions may be specified by separating them with
709 whitespace. An argument of any can be used to remove all
710 restrictions and permit any listen requests. An argument of none
711 can be used to prohibit all listen requests. The host name may
712 contain wildcards as described in the PATTERNS section in
713 ssh_config(5). The wildcard M-bM-^@M-^X*M-bM-^@M-^Y can also be used in place of a
714 port number to allow all ports. By default all port forwarding
715 listen requests are permitted. Note that the GatewayPorts option
716 may further restrict which addresses may be listened on. Note
717 also that ssh(1) will request a listen host of M-bM-^@M-^\localhostM-bM-^@M-^] if no
718 listen host was specifically requested, and this this name is
719 treated differently to explicit localhost addresses of
720 M-bM-^@M-^\127.0.0.1M-bM-^@M-^] and M-bM-^@M-^\::1M-bM-^@M-^].
721
697 PermitOpen 722 PermitOpen
698 Specifies the destinations to which TCP port forwarding is 723 Specifies the destinations to which TCP port forwarding is
699 permitted. The forwarding specification must be one of the 724 permitted. The forwarding specification must be one of the
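Review bot: typo on line 718 (new): "and this this name is treated differently" doubles "this". Beyond that, the paragraph says the implicit "localhost" listen host is treated differently from explicit 127.0.0.1 and ::1 but not in which direction, so a reader cannot tell whether "PermitListen localhost:8080" admits a client that asks for 127.0.0.1:8080. Since line 714 makes permit-all the default, anyone tightening this option needs that rule stated explicitly, ideally with an example of each form.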
@@ -743,10 +768,12 @@ DESCRIPTION
743 768
744 PermitUserEnvironment 769 PermitUserEnvironment
745 Specifies whether ~/.ssh/environment and environment= options in 770 Specifies whether ~/.ssh/environment and environment= options in
746 ~/.ssh/authorized_keys are processed by sshd(8). The default is 771 ~/.ssh/authorized_keys are processed by sshd(8). Valid options
747 no. Enabling environment processing may enable users to bypass 772 are yes, no or a pattern-list specifying which environment
748 access restrictions in some configurations using mechanisms such 773 variable names to accept (for example "LANG,LC_*"). The default
749 as LD_PRELOAD. 774 is no. Enabling environment processing may enable users to
775 bypass access restrictions in some configurations using
776 mechanisms such as LD_PRELOAD.
750 777
751 PermitUserRC 778 PermitUserRC
752 Specifies whether any ~/.ssh/rc file is executed. The default is 779 Specifies whether any ~/.ssh/rc file is executed. The default is
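Review bot: the new pattern-list form on lines 771-773 does not say what happens to a variable in ~/.ssh/environment or in an environment= option that does not match the pattern (dropped silently, or logged), and the LD_PRELOAD warning on lines 774-776 should be tied to the pattern form explicitly: a pattern that admits loader or PATH-like variables carries the same bypass risk as "yes", so the guidance to use a narrow allow-list such as the "LANG,LC_*" example belongs next to the warning rather than before it.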
@@ -773,11 +800,11 @@ DESCRIPTION
773 800
774 PubkeyAcceptedKeyTypes 801 PubkeyAcceptedKeyTypes
775 Specifies the key types that will be accepted for public key 802 Specifies the key types that will be accepted for public key
776 authentication as a comma-separated pattern list. Alternately if 803 authentication as a list of comma-separated patterns.
777 the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the 804 Alternately if the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
778 specified key types will be appended to the default set instead 805 then the specified key types will be appended to the default set
779 of replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y 806 instead of replacing them. If the specified value begins with a
780 character, then the specified key types (including wildcards) 807 M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified key types (including wildcards)
781 will be removed from the default set instead of replacing them. 808 will be removed from the default set instead of replacing them.
782 The default for this option is: 809 The default for this option is:
783 810
@@ -785,9 +812,10 @@ DESCRIPTION
785 ecdsa-sha2-nistp384-cert-v01@openssh.com, 812 ecdsa-sha2-nistp384-cert-v01@openssh.com,
786 ecdsa-sha2-nistp521-cert-v01@openssh.com, 813 ecdsa-sha2-nistp521-cert-v01@openssh.com,
787 ssh-ed25519-cert-v01@openssh.com, 814 ssh-ed25519-cert-v01@openssh.com,
815 rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
788 ssh-rsa-cert-v01@openssh.com, 816 ssh-rsa-cert-v01@openssh.com,
789 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 817 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
790 ssh-ed25519,ssh-rsa 818 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
791 819
792 The list of available key types may also be obtained using "ssh 820 The list of available key types may also be obtained using "ssh
793 -Q key". 821 -Q key".
@@ -827,6 +855,13 @@ DESCRIPTION
827 rdomain(4). If the routing domain is set to %D, then the domain 855 rdomain(4). If the routing domain is set to %D, then the domain
828 in which the incoming connection was received will be applied. 856 in which the incoming connection was received will be applied.
829 857
858 SetEnv Specifies one or more environment variables to set in child
859 sessions started by sshd(8) as M-bM-^@M-^\NAME=VALUEM-bM-^@M-^]. The environment
860 value may be quoted (e.g. if it contains whitespace characters).
861 Environment variables set by SetEnv override the default
862 environment and any variables specified by the user via AcceptEnv
863 or PermitUserEnvironment.
864
830 StreamLocalBindMask 865 StreamLocalBindMask
831 Sets the octal file creation mode mask (umask) used when creating 866 Sets the octal file creation mode mask (umask) used when creating
832 a Unix-domain socket file for local or remote port forwarding. 867 a Unix-domain socket file for local or remote port forwarding.
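Review bot: the SetEnv entry on lines 858-863 (new) defines precedence over AcceptEnv and PermitUserEnvironment but not how several SetEnv directives combine, nor whether a SetEnv inside a Match block (which the Match keyword list in this patch now allows) replaces or adds to a global SetEnv. Both answers determine whether an administrator can rely on a global SetEnv as a hardening baseline, so they should be stated here.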
@@ -1011,18 +1046,19 @@ TOKENS
1011 %s The serial number of the certificate. 1046 %s The serial number of the certificate.
1012 %T The type of the CA key. 1047 %T The type of the CA key.
1013 %t The key or certificate type. 1048 %t The key or certificate type.
1049 %U The numeric user ID of the target user.
1014 %u The username. 1050 %u The username.
1015 1051
1016 AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, and %u. 1052 AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
1017 1053
1018 AuthorizedKeysFile accepts the tokens %%, %h, and %u. 1054 AuthorizedKeysFile accepts the tokens %%, %h, %U, and %u.
1019 1055
1020 AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %h, %i, %K, 1056 AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %h, %i, %K,
1021 %k, %s, %T, %t, and %u. 1057 %k, %s, %T, %t, %U, and %u.
1022 1058
1023 AuthorizedPrincipalsFile accepts the tokens %%, %h, and %u. 1059 AuthorizedPrincipalsFile accepts the tokens %%, %h, %U, and %u.
1024 1060
1025 ChrootDirectory accepts the tokens %%, %h, and %u. 1061 ChrootDirectory accepts the tokens %%, %h, %U, and %u.
1026 1062
1027 RoutingDomain accepts the token %D. 1063 RoutingDomain accepts the token %D.
1028 1064
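Review bot: the new %U description on line 1049 reads "the numeric user ID of the target user" while the adjacent %u reads "The username"; "target user" is used nowhere else in the list, so either drop it ("The numeric user ID of the user") or use it for %u as well, to keep the two entries parallel.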
@@ -1043,4 +1079,4 @@ AUTHORS
1043 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 1079 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
1044 for privilege separation. 1080 for privilege separation.
1045 1081
1046OpenBSD 6.2 February 16, 2018 OpenBSD 6.2 1082OpenBSD 6.4 July 20, 2018 OpenBSD 6.4