author | Colin Watson <cjwatson@debian.org> | 2010-08-23 22:56:08 +0100
---|---|---
committer | Colin Watson <cjwatson@debian.org> | 2010-08-23 22:56:08 +0100
commit | 31e30b835fd9695d3b6647cab4867001b092e28f (patch) |
tree | 138e715c25661825457c7280cd66e3f4853d474c /sshd_config.0 |
parent | 78eedc2c60ff4718200f9271d8ee4f437da3a0c5 (diff) |
parent | 43094ebf14c9b16f1ea398bc5b65a7335e947288 (diff) |
merge 5.6p1
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 451 |
1 files changed, 241 insertions, 210 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 94935c07f..a49953851 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -8,21 +8,21 @@ SYNOPSIS | |||
8 | 8 | ||
9 | DESCRIPTION | 9 | DESCRIPTION |
10 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file | 10 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file |
11 | specified with -f on the command line). The file contains keyword-argu- | 11 | specified with -f on the command line). The file contains keyword- |
12 | ment pairs, one per line. Lines starting with `#' and empty lines are | 12 | argument pairs, one per line. Lines starting with `#' and empty lines |
13 | interpreted as comments. Arguments may optionally be enclosed in double | 13 | are interpreted as comments. Arguments may optionally be enclosed in |
14 | quotes (") in order to represent arguments containing spaces. | 14 | double quotes (") in order to represent arguments containing spaces. |
15 | 15 | ||
16 | The possible keywords and their meanings are as follows (note that key- | 16 | The possible keywords and their meanings are as follows (note that |
17 | words are case-insensitive and arguments are case-sensitive): | 17 | keywords are case-insensitive and arguments are case-sensitive): |
18 | 18 | ||
19 | AcceptEnv | 19 | AcceptEnv |
20 | Specifies what environment variables sent by the client will be | 20 | Specifies what environment variables sent by the client will be |
21 | copied into the session's environ(7). See SendEnv in | 21 | copied into the session's environ(7). See SendEnv in |
22 | ssh_config(5) for how to configure the client. Note that envi- | 22 | ssh_config(5) for how to configure the client. Note that |
23 | ronment passing is only supported for protocol 2. Variables are | 23 | environment passing is only supported for protocol 2. Variables |
24 | specified by name, which may contain the wildcard characters `*' | 24 | are specified by name, which may contain the wildcard characters |
25 | and `?'. Multiple environment variables may be separated by | 25 | `*' and `?'. Multiple environment variables may be separated by |
26 | whitespace or spread across multiple AcceptEnv directives. Be | 26 | whitespace or spread across multiple AcceptEnv directives. Be |
27 | warned that some environment variables could be used to bypass | 27 | warned that some environment variables could be used to bypass |
28 | restricted user environments. For this reason, care should be | 28 | restricted user environments. For this reason, care should be |
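Review bot: Style: the rewrap drops end-of-line hyphenation ("keyword-argu- / ment" at old lines 11-12 becomes "keyword- / argument" at new lines 11-12; "envi- / ronment" at old lines 22-23 becomes "environment" at new line 23) with no wording change, and that is worth keeping: the unhyphenated rendering is what a reader searching the formatted page for "argument" or "environment" will actually match. Nothing else to check in this hunk beyond the rewrap.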
@@ -35,10 +35,10 @@ DESCRIPTION | |||
35 | (use IPv6 only). The default is ``any''. | 35 | (use IPv6 only). The default is ``any''. |
36 | 36 | ||
37 | AllowAgentForwarding | 37 | AllowAgentForwarding |
38 | Specifies whether ssh-agent(1) forwarding is permitted. The de- | 38 | Specifies whether ssh-agent(1) forwarding is permitted. The |
39 | fault is ``yes''. Note that disabling agent forwarding does not | 39 | default is ``yes''. Note that disabling agent forwarding does |
40 | improve security unless users are also denied shell access, as | 40 | not improve security unless users are also denied shell access, |
41 | they can always install their own forwarders. | 41 | as they can always install their own forwarders. |
42 | 42 | ||
43 | AllowGroups | 43 | AllowGroups |
44 | This keyword can be followed by a list of group name patterns, | 44 | This keyword can be followed by a list of group name patterns, |
@@ -54,17 +54,17 @@ DESCRIPTION | |||
54 | 54 | ||
55 | AllowTcpForwarding | 55 | AllowTcpForwarding |
56 | Specifies whether TCP forwarding is permitted. The default is | 56 | Specifies whether TCP forwarding is permitted. The default is |
57 | ``yes''. Note that disabling TCP forwarding does not improve se- | 57 | ``yes''. Note that disabling TCP forwarding does not improve |
58 | curity unless users are also denied shell access, as they can al- | 58 | security unless users are also denied shell access, as they can |
59 | ways install their own forwarders. | 59 | always install their own forwarders. |
60 | 60 | ||
61 | AllowUsers | 61 | AllowUsers |
62 | This keyword can be followed by a list of user name patterns, | 62 | This keyword can be followed by a list of user name patterns, |
63 | separated by spaces. If specified, login is allowed only for us- | 63 | separated by spaces. If specified, login is allowed only for |
64 | er names that match one of the patterns. Only user names are | 64 | user names that match one of the patterns. Only user names are |
65 | valid; a numerical user ID is not recognized. By default, login | 65 | valid; a numerical user ID is not recognized. By default, login |
66 | is allowed for all users. If the pattern takes the form US- | 66 | is allowed for all users. If the pattern takes the form |
67 | ER@HOST then USER and HOST are separately checked, restricting | 67 | USER@HOST then USER and HOST are separately checked, restricting |
68 | logins to particular users from particular hosts. The allow/deny | 68 | logins to particular users from particular hosts. The allow/deny |
69 | directives are processed in the following order: DenyUsers, | 69 | directives are processed in the following order: DenyUsers, |
70 | AllowUsers, DenyGroups, and finally AllowGroups. | 70 | AllowUsers, DenyGroups, and finally AllowGroups. |
@@ -73,14 +73,42 @@ DESCRIPTION | |||
73 | 73 | ||
74 | AuthorizedKeysFile | 74 | AuthorizedKeysFile |
75 | Specifies the file that contains the public keys that can be used | 75 | Specifies the file that contains the public keys that can be used |
76 | for user authentication. AuthorizedKeysFile may contain tokens | 76 | for user authentication. The format is described in the |
77 | of the form %T which are substituted during connection setup. | 77 | AUTHORIZED_KEYS FILE FORMAT section of sshd(8). |
78 | The following tokens are defined: %% is replaced by a literal | 78 | AuthorizedKeysFile may contain tokens of the form %T which are |
79 | '%', %h is replaced by the home directory of the user being au- | 79 | substituted during connection setup. The following tokens are |
80 | thenticated, and %u is replaced by the username of that user. | 80 | defined: %% is replaced by a literal '%', %h is replaced by the |
81 | After expansion, AuthorizedKeysFile is taken to be an absolute | 81 | home directory of the user being authenticated, and %u is |
82 | path or one relative to the user's home directory. The default | 82 | replaced by the username of that user. After expansion, |
83 | is ``.ssh/authorized_keys''. | 83 | AuthorizedKeysFile is taken to be an absolute path or one |
84 | relative to the user's home directory. The default is | ||
85 | ``.ssh/authorized_keys''. | ||
86 | |||
87 | AuthorizedPrincipalsFile | ||
88 | Specifies a file that lists principal names that are accepted for | ||
89 | certificate authentication. When using certificates signed by a | ||
90 | key listed in TrustedUserCAKeys, this file lists names, one of | ||
91 | which must appear in the certificate for it to be accepted for | ||
92 | authentication. Names are listed one per line preceded by key | ||
93 | options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). | ||
94 | Empty lines and comments starting with `#' are ignored. | ||
95 | |||
96 | AuthorizedPrincipalsFile may contain tokens of the form %T which | ||
97 | are substituted during connection setup. The following tokens | ||
98 | are defined: %% is replaced by a literal '%', %h is replaced by | ||
99 | the home directory of the user being authenticated, and %u is | ||
100 | replaced by the username of that user. After expansion, | ||
101 | AuthorizedPrincipalsFile is taken to be an absolute path or one | ||
102 | relative to the user's home directory. | ||
103 | |||
104 | The default is not to use a principals file - in this case, the | ||
105 | username of the user must appear in a certificate's principals | ||
106 | list for it to be accepted. Note that AuthorizedPrincipalsFile | ||
107 | is only used when authentication proceeds using a CA listed in | ||
108 | TrustedUserCAKeys and is not consulted for certification | ||
109 | authorities trusted via ~/.ssh/authorized_keys, though the | ||
110 | principals= key option offers a similar facility (see sshd(8) for | ||
111 | details). | ||
84 | 112 | ||
85 | Banner The contents of the specified file are sent to the remote user | 113 | Banner The contents of the specified file are sent to the remote user |
86 | before authentication is allowed. If the argument is ``none'' | 114 | before authentication is allowed. If the argument is ``none'' |
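Review bot: The token-expansion paragraph for AuthorizedPrincipalsFile (new lines 96-102) repeats the AuthorizedKeysFile text (new lines 78-85) word for word; a cross-reference such as "tokens are expanded as for AuthorizedKeysFile" would keep the two entries in sync if the token set changes later. The added pointer to the AUTHORIZED_KEYS FILE FORMAT section (new lines 76-77) and the explicit statement of behaviour without a principals file (new lines 104-111: the username must appear in the certificate's principals list, and the file is not consulted for CAs trusted via ~/.ssh/authorized_keys) are the details an administrator needs to get certificate authorization right, and they read clearly.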
@@ -93,27 +121,27 @@ DESCRIPTION | |||
93 | login.conf(5)) The default is ``yes''. | 121 | login.conf(5)) The default is ``yes''. |
94 | 122 | ||
95 | ChrootDirectory | 123 | ChrootDirectory |
96 | Specifies the pathname of a directory to chroot(2) to after au- | 124 | Specifies the pathname of a directory to chroot(2) to after |
97 | thentication. All components of the pathname must be root-owned | 125 | authentication. All components of the pathname must be root- |
98 | directories that are not writable by any other user or group. | 126 | owned directories that are not writable by any other user or |
99 | After the chroot, sshd(8) changes the working directory to the | 127 | group. After the chroot, sshd(8) changes the working directory |
100 | user's home directory. | 128 | to the user's home directory. |
101 | 129 | ||
102 | The pathname may contain the following tokens that are expanded | 130 | The pathname may contain the following tokens that are expanded |
103 | at runtime once the connecting user has been authenticated: %% is | 131 | at runtime once the connecting user has been authenticated: %% is |
104 | replaced by a literal '%', %h is replaced by the home directory | 132 | replaced by a literal '%', %h is replaced by the home directory |
105 | of the user being authenticated, and %u is replaced by the user- | 133 | of the user being authenticated, and %u is replaced by the |
106 | name of that user. | 134 | username of that user. |
107 | 135 | ||
108 | The ChrootDirectory must contain the necessary files and directo- | 136 | The ChrootDirectory must contain the necessary files and |
109 | ries to support the user's session. For an interactive session | 137 | directories to support the user's session. For an interactive |
110 | this requires at least a shell, typically sh(1), and basic /dev | 138 | session this requires at least a shell, typically sh(1), and |
111 | nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), | 139 | basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), |
112 | arandom(4) and tty(4) devices. For file transfer sessions using | 140 | stderr(4), arandom(4) and tty(4) devices. For file transfer |
113 | ``sftp'', no additional configuration of the environment is nec- | 141 | sessions using ``sftp'', no additional configuration of the |
114 | essary if the in-process sftp server is used, though sessions | 142 | environment is necessary if the in-process sftp server is used, |
115 | which use logging do require /dev/log inside the chroot directory | 143 | though sessions which use logging do require /dev/log inside the |
116 | (see sftp-server(8) for details). | 144 | chroot directory (see sftp-server(8) for details). |
117 | 145 | ||
118 | The default is not to chroot(2). | 146 | The default is not to chroot(2). |
119 | 147 | ||
@@ -132,28 +160,28 @@ DESCRIPTION | |||
132 | ClientAliveCountMax | 160 | ClientAliveCountMax |
133 | Sets the number of client alive messages (see below) which may be | 161 | Sets the number of client alive messages (see below) which may be |
134 | sent without sshd(8) receiving any messages back from the client. | 162 | sent without sshd(8) receiving any messages back from the client. |
135 | If this threshold is reached while client alive messages are be- | 163 | If this threshold is reached while client alive messages are |
136 | ing sent, sshd will disconnect the client, terminating the ses- | 164 | being sent, sshd will disconnect the client, terminating the |
137 | sion. It is important to note that the use of client alive mes- | 165 | session. It is important to note that the use of client alive |
138 | sages is very different from TCPKeepAlive (below). The client | 166 | messages is very different from TCPKeepAlive (below). The client |
139 | alive messages are sent through the encrypted channel and there- | 167 | alive messages are sent through the encrypted channel and |
140 | fore will not be spoofable. The TCP keepalive option enabled by | 168 | therefore will not be spoofable. The TCP keepalive option |
141 | TCPKeepAlive is spoofable. The client alive mechanism is valu- | 169 | enabled by TCPKeepAlive is spoofable. The client alive mechanism |
142 | able when the client or server depend on knowing when a connec- | 170 | is valuable when the client or server depend on knowing when a |
143 | tion has become inactive. | 171 | connection has become inactive. |
144 | 172 | ||
145 | The default value is 3. If ClientAliveInterval (see below) is | 173 | The default value is 3. If ClientAliveInterval (see below) is |
146 | set to 15, and ClientAliveCountMax is left at the default, unre- | 174 | set to 15, and ClientAliveCountMax is left at the default, |
147 | sponsive SSH clients will be disconnected after approximately 45 | 175 | unresponsive SSH clients will be disconnected after approximately |
148 | seconds. This option applies to protocol version 2 only. | 176 | 45 seconds. This option applies to protocol version 2 only. |
149 | 177 | ||
150 | ClientAliveInterval | 178 | ClientAliveInterval |
151 | Sets a timeout interval in seconds after which if no data has | 179 | Sets a timeout interval in seconds after which if no data has |
152 | been received from the client, sshd(8) will send a message | 180 | been received from the client, sshd(8) will send a message |
153 | through the encrypted channel to request a response from the | 181 | through the encrypted channel to request a response from the |
154 | client. The default is 0, indicating that these messages will | 182 | client. The default is 0, indicating that these messages will |
155 | not be sent to the client. This option applies to protocol ver- | 183 | not be sent to the client. This option applies to protocol |
156 | sion 2 only. | 184 | version 2 only. |
157 | 185 | ||
158 | Compression | 186 | Compression |
159 | Specifies whether compression is allowed, or delayed until the | 187 | Specifies whether compression is allowed, or delayed until the |
@@ -164,9 +192,9 @@ DESCRIPTION | |||
164 | This keyword can be followed by a list of group name patterns, | 192 | This keyword can be followed by a list of group name patterns, |
165 | separated by spaces. Login is disallowed for users whose primary | 193 | separated by spaces. Login is disallowed for users whose primary |
166 | group or supplementary group list matches one of the patterns. | 194 | group or supplementary group list matches one of the patterns. |
167 | Only group names are valid; a numerical group ID is not recog- | 195 | Only group names are valid; a numerical group ID is not |
168 | nized. By default, login is allowed for all groups. The al- | 196 | recognized. By default, login is allowed for all groups. The |
169 | low/deny directives are processed in the following order: | 197 | allow/deny directives are processed in the following order: |
170 | DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. | 198 | DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. |
171 | 199 | ||
172 | See PATTERNS in ssh_config(5) for more information on patterns. | 200 | See PATTERNS in ssh_config(5) for more information on patterns. |
@@ -174,20 +202,20 @@ DESCRIPTION | |||
174 | DenyUsers | 202 | DenyUsers |
175 | This keyword can be followed by a list of user name patterns, | 203 | This keyword can be followed by a list of user name patterns, |
176 | separated by spaces. Login is disallowed for user names that | 204 | separated by spaces. Login is disallowed for user names that |
177 | match one of the patterns. Only user names are valid; a numeri- | 205 | match one of the patterns. Only user names are valid; a |
178 | cal user ID is not recognized. By default, login is allowed for | 206 | numerical user ID is not recognized. By default, login is |
179 | all users. If the pattern takes the form USER@HOST then USER and | 207 | allowed for all users. If the pattern takes the form USER@HOST |
180 | HOST are separately checked, restricting logins to particular | 208 | then USER and HOST are separately checked, restricting logins to |
181 | users from particular hosts. The allow/deny directives are pro- | 209 | particular users from particular hosts. The allow/deny |
182 | cessed in the following order: DenyUsers, AllowUsers, DenyGroups, | 210 | directives are processed in the following order: DenyUsers, |
183 | and finally AllowGroups. | 211 | AllowUsers, DenyGroups, and finally AllowGroups. |
184 | 212 | ||
185 | See PATTERNS in ssh_config(5) for more information on patterns. | 213 | See PATTERNS in ssh_config(5) for more information on patterns. |
186 | 214 | ||
187 | ForceCommand | 215 | ForceCommand |
188 | Forces the execution of the command specified by ForceCommand, | 216 | Forces the execution of the command specified by ForceCommand, |
189 | ignoring any command supplied by the client and ~/.ssh/rc if pre- | 217 | ignoring any command supplied by the client and ~/.ssh/rc if |
190 | sent. The command is invoked by using the user's login shell | 218 | present. The command is invoked by using the user's login shell |
191 | with the -c option. This applies to shell, command, or subsystem | 219 | with the -c option. This applies to shell, command, or subsystem |
192 | execution. It is most useful inside a Match block. The command | 220 | execution. It is most useful inside a Match block. The command |
193 | originally supplied by the client is available in the | 221 | originally supplied by the client is available in the |
@@ -202,10 +230,10 @@ DESCRIPTION | |||
202 | forwardings to the loopback address. This prevents other remote | 230 | forwardings to the loopback address. This prevents other remote |
203 | hosts from connecting to forwarded ports. GatewayPorts can be | 231 | hosts from connecting to forwarded ports. GatewayPorts can be |
204 | used to specify that sshd should allow remote port forwardings to | 232 | used to specify that sshd should allow remote port forwardings to |
205 | bind to non-loopback addresses, thus allowing other hosts to con- | 233 | bind to non-loopback addresses, thus allowing other hosts to |
206 | nect. The argument may be ``no'' to force remote port forward- | 234 | connect. The argument may be ``no'' to force remote port |
207 | ings to be available to the local host only, ``yes'' to force re- | 235 | forwardings to be available to the local host only, ``yes'' to |
208 | mote port forwardings to bind to the wildcard address, or | 236 | force remote port forwardings to bind to the wildcard address, or |
209 | ``clientspecified'' to allow the client to select the address to | 237 | ``clientspecified'' to allow the client to select the address to |
210 | which the forwarding is bound. The default is ``no''. | 238 | which the forwarding is bound. The default is ``no''. |
211 | 239 | ||
@@ -220,15 +248,15 @@ DESCRIPTION | |||
220 | applies to protocol version 2 only. | 248 | applies to protocol version 2 only. |
221 | 249 | ||
222 | HostbasedAuthentication | 250 | HostbasedAuthentication |
223 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | 251 | Specifies whether rhosts or /etc/hosts.equiv authentication |
224 | gether with successful public key client host authentication is | 252 | together with successful public key client host authentication is |
225 | allowed (host-based authentication). This option is similar to | 253 | allowed (host-based authentication). This option is similar to |
226 | RhostsRSAAuthentication and applies to protocol version 2 only. | 254 | RhostsRSAAuthentication and applies to protocol version 2 only. |
227 | The default is ``no''. | 255 | The default is ``no''. |
228 | 256 | ||
229 | HostbasedUsesNameFromPacketOnly | 257 | HostbasedUsesNameFromPacketOnly |
230 | Specifies whether or not the server will attempt to perform a re- | 258 | Specifies whether or not the server will attempt to perform a |
231 | verse name lookup when matching the name in the ~/.shosts, | 259 | reverse name lookup when matching the name in the ~/.shosts, |
232 | ~/.rhosts, and /etc/hosts.equiv files during | 260 | ~/.rhosts, and /etc/hosts.equiv files during |
233 | HostbasedAuthentication. A setting of ``yes'' means that sshd(8) | 261 | HostbasedAuthentication. A setting of ``yes'' means that sshd(8) |
234 | uses the name supplied by the client rather than attempting to | 262 | uses the name supplied by the client rather than attempting to |
@@ -236,17 +264,17 @@ DESCRIPTION | |||
236 | ``no''. | 264 | ``no''. |
237 | 265 | ||
238 | HostCertificate | 266 | HostCertificate |
239 | Specifies a file containing a public host certificate. The cer- | 267 | Specifies a file containing a public host certificate. The |
240 | tificate's public key must match a private host key already spec- | 268 | certificate's public key must match a private host key already |
241 | ified by HostKey. The default behaviour of sshd(8) is not to | 269 | specified by HostKey. The default behaviour of sshd(8) is not to |
242 | load any certificates. | 270 | load any certificates. |
243 | 271 | ||
244 | HostKey | 272 | HostKey |
245 | Specifies a file containing a private host key used by SSH. The | 273 | Specifies a file containing a private host key used by SSH. The |
246 | default is /etc/ssh/ssh_host_key for protocol version 1, and | 274 | default is /etc/ssh/ssh_host_key for protocol version 1, and |
247 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | 275 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for |
248 | tocol version 2. Note that sshd(8) will refuse to use a file if | 276 | protocol version 2. Note that sshd(8) will refuse to use a file |
249 | it is group/world-accessible. It is possible to have multiple | 277 | if it is group/world-accessible. It is possible to have multiple |
250 | host key files. ``rsa1'' keys are used for version 1 and ``dsa'' | 278 | host key files. ``rsa1'' keys are used for version 1 and ``dsa'' |
251 | or ``rsa'' are used for version 2 of the SSH protocol. | 279 | or ``rsa'' are used for version 2 of the SSH protocol. |
252 | 280 | ||
@@ -254,8 +282,8 @@ DESCRIPTION | |||
254 | Specifies that .rhosts and .shosts files will not be used in | 282 | Specifies that .rhosts and .shosts files will not be used in |
255 | RhostsRSAAuthentication or HostbasedAuthentication. | 283 | RhostsRSAAuthentication or HostbasedAuthentication. |
256 | 284 | ||
257 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The de- | 285 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The |
258 | fault is ``yes''. | 286 | default is ``yes''. |
259 | 287 | ||
260 | IgnoreUserKnownHosts | 288 | IgnoreUserKnownHosts |
261 | Specifies whether sshd(8) should ignore the user's | 289 | Specifies whether sshd(8) should ignore the user's |
@@ -275,9 +303,9 @@ DESCRIPTION | |||
275 | The default is ``no''. | 303 | The default is ``no''. |
276 | 304 | ||
277 | KerberosOrLocalPasswd | 305 | KerberosOrLocalPasswd |
278 | If password authentication through Kerberos fails then the pass- | 306 | If password authentication through Kerberos fails then the |
279 | word will be validated via any additional local mechanism such as | 307 | password will be validated via any additional local mechanism |
280 | /etc/passwd. The default is ``yes''. | 308 | such as /etc/passwd. The default is ``yes''. |
281 | 309 | ||
282 | KerberosTicketCleanup | 310 | KerberosTicketCleanup |
283 | Specifies whether to automatically destroy the user's ticket | 311 | Specifies whether to automatically destroy the user's ticket |
@@ -286,17 +314,17 @@ DESCRIPTION | |||
286 | KeyRegenerationInterval | 314 | KeyRegenerationInterval |
287 | In protocol version 1, the ephemeral server key is automatically | 315 | In protocol version 1, the ephemeral server key is automatically |
288 | regenerated after this many seconds (if it has been used). The | 316 | regenerated after this many seconds (if it has been used). The |
289 | purpose of regeneration is to prevent decrypting captured ses- | 317 | purpose of regeneration is to prevent decrypting captured |
290 | sions by later breaking into the machine and stealing the keys. | 318 | sessions by later breaking into the machine and stealing the |
291 | The key is never stored anywhere. If the value is 0, the key is | 319 | keys. The key is never stored anywhere. If the value is 0, the |
292 | never regenerated. The default is 3600 (seconds). | 320 | key is never regenerated. The default is 3600 (seconds). |
293 | 321 | ||
294 | ListenAddress | 322 | ListenAddress |
295 | Specifies the local addresses sshd(8) should listen on. The fol- | 323 | Specifies the local addresses sshd(8) should listen on. The |
296 | lowing forms may be used: | 324 | following forms may be used: |
297 | 325 | ||
298 | ListenAddress host|IPv4_addr|IPv6_addr | 326 | ListenAddress host | IPv4_addr | IPv6_addr |
299 | ListenAddress host|IPv4_addr:port | 327 | ListenAddress host | IPv4_addr:port |
300 | ListenAddress [host|IPv6_addr]:port | 328 | ListenAddress [host|IPv6_addr]:port |
301 | 329 | ||
302 | If port is not specified, sshd will listen on the address and all | 330 | If port is not specified, sshd will listen on the address and all |
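Review bot: Inconsistent rendering of the alternation in the ListenAddress forms: new lines 326-327 now put spaces around the bar ("host | IPv4_addr | IPv6_addr", "host | IPv4_addr:port") while new line 328 keeps "[host|IPv6_addr]:port" unspaced, so the two styles suggest a syntactic difference where there is none. Suggest rendering all three forms the same way.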
@@ -306,9 +334,9 @@ DESCRIPTION | |||
306 | port qualified addresses. | 334 | port qualified addresses. |
307 | 335 | ||
308 | LoginGraceTime | 336 | LoginGraceTime |
309 | The server disconnects after this time if the user has not suc- | 337 | The server disconnects after this time if the user has not |
310 | cessfully logged in. If the value is 0, there is no time limit. | 338 | successfully logged in. If the value is 0, there is no time |
311 | The default is 120 seconds. | 339 | limit. The default is 120 seconds. |
312 | 340 | ||
313 | LogLevel | 341 | LogLevel |
314 | Gives the verbosity level that is used when logging messages from | 342 | Gives the verbosity level that is used when logging messages from |
@@ -318,18 +346,18 @@ DESCRIPTION | |||
318 | higher levels of debugging output. Logging with a DEBUG level | 346 | higher levels of debugging output. Logging with a DEBUG level |
319 | violates the privacy of users and is not recommended. | 347 | violates the privacy of users and is not recommended. |
320 | 348 | ||
321 | MACs Specifies the available MAC (message authentication code) algo- | 349 | MACs Specifies the available MAC (message authentication code) |
322 | rithms. The MAC algorithm is used in protocol version 2 for data | 350 | algorithms. The MAC algorithm is used in protocol version 2 for |
323 | integrity protection. Multiple algorithms must be comma-separat- | 351 | data integrity protection. Multiple algorithms must be comma- |
324 | ed. The default is: | 352 | separated. The default is: |
325 | 353 | ||
326 | hmac-md5,hmac-sha1,umac-64@openssh.com, | 354 | hmac-md5,hmac-sha1,umac-64@openssh.com, |
327 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | 355 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 |
328 | 356 | ||
329 | Match Introduces a conditional block. If all of the criteria on the | 357 | Match Introduces a conditional block. If all of the criteria on the |
330 | Match line are satisfied, the keywords on the following lines | 358 | Match line are satisfied, the keywords on the following lines |
331 | override those set in the global section of the config file, un- | 359 | override those set in the global section of the config file, |
332 | til either another Match line or the end of the file. | 360 | until either another Match line or the end of the file. |
333 | 361 | ||
334 | The arguments to Match are one or more criteria-pattern pairs. | 362 | The arguments to Match are one or more criteria-pattern pairs. |
335 | The available criteria are User, Group, Host, and Address. The | 363 | The available criteria are User, Group, Host, and Address. The |
@@ -337,8 +365,8 @@ DESCRIPTION | |||
337 | lists and may use the wildcard and negation operators described | 365 | lists and may use the wildcard and negation operators described |
338 | in the PATTERNS section of ssh_config(5). | 366 | in the PATTERNS section of ssh_config(5). |
339 | 367 | ||
340 | The patterns in an Address criteria may additionally contain ad- | 368 | The patterns in an Address criteria may additionally contain |
341 | dresses to match in CIDR address/masklen format, e.g. | 369 | addresses to match in CIDR address/masklen format, e.g. |
342 | ``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask | 370 | ``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask |
343 | length provided must be consistent with the address - it is an | 371 | length provided must be consistent with the address - it is an |
344 | error to specify a mask length that is too long for the address | 372 | error to specify a mask length that is too long for the address |
@@ -347,13 +375,15 @@ DESCRIPTION | |||
347 | 375 | ||
348 | Only a subset of keywords may be used on the lines following a | 376 | Only a subset of keywords may be used on the lines following a |
349 | Match keyword. Available keywords are AllowAgentForwarding, | 377 | Match keyword. Available keywords are AllowAgentForwarding, |
350 | AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, | 378 | AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile, |
351 | GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, | 379 | Banner, ChrootDirectory, ForceCommand, GatewayPorts, |
352 | KbdInteractiveAuthentication, KerberosAuthentication, | 380 | GSSAPIAuthentication, HostbasedAuthentication, |
353 | MaxAuthTries, MaxSessions, PasswordAuthentication, | 381 | HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, |
354 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, | 382 | KerberosAuthentication, MaxAuthTries, MaxSessions, |
355 | PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, | 383 | PasswordAuthentication, PermitEmptyPasswords, PermitOpen, |
356 | X11DisplayOffset, X11Forwarding and X11UseLocalHost. | 384 | PermitRootLogin, PermitTunnel, PubkeyAuthentication, |
385 | RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, | ||
386 | X11Forwarding and X11UseLocalHost. | ||
357 | 387 | ||
358 | MaxAuthTries | 388 | MaxAuthTries |
359 | Specifies the maximum number of authentication attempts permitted | 389 | Specifies the maximum number of authentication attempts permitted |
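Review bot: The Match keyword list (new lines 377-386) now includes AuthorizedKeysFile, AuthorizedPrincipalsFile, HostbasedUsesNameFromPacketOnly and PermitTunnel and stays alphabetical, but the entries for those keywords elsewhere in this file do not say they may be set inside a Match block, unlike ForceCommand (new line 220: "It is most useful inside a Match block"). A one-line pointer in the AuthorizedKeysFile and AuthorizedPrincipalsFile entries would help, since per-user or per-group key and principals files are the usual reason to put them under Match.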
@@ -361,26 +391,26 @@ DESCRIPTION | |||
361 | value, additional failures are logged. The default is 6. | 391 | value, additional failures are logged. The default is 6. |
362 | 392 | ||
363 | MaxSessions | 393 | MaxSessions |
364 | Specifies the maximum number of open sessions permitted per net- | 394 | Specifies the maximum number of open sessions permitted per |
365 | work connection. The default is 10. | 395 | network connection. The default is 10. |
366 | 396 | ||
367 | MaxStartups | 397 | MaxStartups |
368 | Specifies the maximum number of concurrent unauthenticated con- | 398 | Specifies the maximum number of concurrent unauthenticated |
369 | nections to the SSH daemon. Additional connections will be | 399 | connections to the SSH daemon. Additional connections will be |
370 | dropped until authentication succeeds or the LoginGraceTime ex- | 400 | dropped until authentication succeeds or the LoginGraceTime |
371 | pires for a connection. The default is 10. | 401 | expires for a connection. The default is 10. |
372 | 402 | ||
373 | Alternatively, random early drop can be enabled by specifying the | 403 | Alternatively, random early drop can be enabled by specifying the |
374 | three colon separated values ``start:rate:full'' (e.g. | 404 | three colon separated values ``start:rate:full'' (e.g. |
375 | "10:30:60"). sshd(8) will refuse connection attempts with a | 405 | "10:30:60"). sshd(8) will refuse connection attempts with a |
376 | probability of ``rate/100'' (30%) if there are currently | 406 | probability of ``rate/100'' (30%) if there are currently |
377 | ``start'' (10) unauthenticated connections. The probability in- | 407 | ``start'' (10) unauthenticated connections. The probability |
378 | creases linearly and all connection attempts are refused if the | 408 | increases linearly and all connection attempts are refused if the |
379 | number of unauthenticated connections reaches ``full'' (60). | 409 | number of unauthenticated connections reaches ``full'' (60). |
380 | 410 | ||
381 | PasswordAuthentication | 411 | PasswordAuthentication |
382 | Specifies whether password authentication is allowed. The de- | 412 | Specifies whether password authentication is allowed. The |
383 | fault is ``yes''. | 413 | default is ``yes''. |
384 | 414 | ||
385 | PermitEmptyPasswords | 415 | PermitEmptyPasswords |
386 | When password authentication is allowed, it specifies whether the | 416 | When password authentication is allowed, it specifies whether the |
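Review bot: the random early drop paragraph under MaxStartups says the refusal probability "increases linearly" but never states the endpoints; the reader has to infer from "rate/100 (30%) if there are currently start (10)" and "all connection attempts are refused if ... full (60)" that it runs from rate/100 at "start" connections up to 100% at "full". Suggest saying so directly, e.g. "the probability increases linearly from rate/100 at start to 100% at full", because this is the setting operators reach for under connection floods and brute-force pressure and a misread of the ramp leads to either dropping legitimate logins or not throttling at all. The rest of the hunk (MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords) is reflow-only and reads correctly.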
@@ -388,17 +418,17 @@ DESCRIPTION | |||
388 | default is ``no''. | 418 | default is ``no''. |
389 | 419 | ||
390 | PermitOpen | 420 | PermitOpen |
391 | Specifies the destinations to which TCP port forwarding is per- | 421 | Specifies the destinations to which TCP port forwarding is |
392 | mitted. The forwarding specification must be one of the follow- | 422 | permitted. The forwarding specification must be one of the |
393 | ing forms: | 423 | following forms: |
394 | 424 | ||
395 | PermitOpen host:port | 425 | PermitOpen host:port |
396 | PermitOpen IPv4_addr:port | 426 | PermitOpen IPv4_addr:port |
397 | PermitOpen [IPv6_addr]:port | 427 | PermitOpen [ IPv6_addr ]:port |
398 | 428 | ||
399 | Multiple forwards may be specified by separating them with | 429 | Multiple forwards may be specified by separating them with |
400 | whitespace. An argument of ``any'' can be used to remove all re- | 430 | whitespace. An argument of ``any'' can be used to remove all |
401 | strictions and permit any forwarding requests. By default all | 431 | restrictions and permit any forwarding requests. By default all |
402 | port forwarding requests are permitted. | 432 | port forwarding requests are permitted. |
403 | 433 | ||
404 | PermitRootLogin | 434 | PermitRootLogin |
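Review bot: the regenerated IPv6 form of PermitOpen, "PermitOpen [ IPv6_addr ]:port", has acquired spaces inside the brackets that the old rendering "PermitOpen [IPv6_addr]:port" did not have, which looks like a formatter artifact of the bracket macro rather than an intended syntax change. The very next paragraph says multiple forwards are separated by whitespace, so an administrator who copies the new form literally gets the bracketed address split into three separate arguments and a rule that does not restrict what they meant it to. Either adjust the source so the rendering has no interior spaces, or, if the spacing is really intended, say so explicitly, because PermitOpen is precisely the directive used to pin down where a ForceCommand or restricted user may forward to.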
@@ -406,8 +436,8 @@ DESCRIPTION | |||
406 | must be ``yes'', ``without-password'', ``forced-commands-only'', | 436 | must be ``yes'', ``without-password'', ``forced-commands-only'', |
407 | or ``no''. The default is ``yes''. | 437 | or ``no''. The default is ``yes''. |
408 | 438 | ||
409 | If this option is set to ``without-password'', password authenti- | 439 | If this option is set to ``without-password'', password |
410 | cation is disabled for root. | 440 | authentication is disabled for root. |
411 | 441 | ||
412 | If this option is set to ``forced-commands-only'', root login | 442 | If this option is set to ``forced-commands-only'', root login |
413 | with public key authentication will be allowed, but only if the | 443 | with public key authentication will be allowed, but only if the |
@@ -418,21 +448,21 @@ DESCRIPTION | |||
418 | If this option is set to ``no'', root is not allowed to log in. | 448 | If this option is set to ``no'', root is not allowed to log in. |
419 | 449 | ||
420 | PermitTunnel | 450 | PermitTunnel |
421 | Specifies whether tun(4) device forwarding is allowed. The argu- | 451 | Specifies whether tun(4) device forwarding is allowed. The |
422 | ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet'' | 452 | argument must be ``yes'', ``point-to-point'' (layer 3), |
423 | (layer 2), or ``no''. Specifying ``yes'' permits both ``point- | 453 | ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' permits |
424 | to-point'' and ``ethernet''. The default is ``no''. | 454 | both ``point-to-point'' and ``ethernet''. The default is ``no''. |
425 | 455 | ||
426 | PermitUserEnvironment | 456 | PermitUserEnvironment |
427 | Specifies whether ~/.ssh/environment and environment= options in | 457 | Specifies whether ~/.ssh/environment and environment= options in |
428 | ~/.ssh/authorized_keys are processed by sshd(8). The default is | 458 | ~/.ssh/authorized_keys are processed by sshd(8). The default is |
429 | ``no''. Enabling environment processing may enable users to by- | 459 | ``no''. Enabling environment processing may enable users to |
430 | pass access restrictions in some configurations using mechanisms | 460 | bypass access restrictions in some configurations using |
431 | such as LD_PRELOAD. | 461 | mechanisms such as LD_PRELOAD. |
432 | 462 | ||
433 | PidFile | 463 | PidFile |
434 | Specifies the file that contains the process ID of the SSH dae- | 464 | Specifies the file that contains the process ID of the SSH |
435 | mon. The default is /var/run/sshd.pid. | 465 | daemon. The default is /var/run/sshd.pid. |
436 | 466 | ||
437 | Port Specifies the port number that sshd(8) listens on. The default | 467 | Port Specifies the port number that sshd(8) listens on. The default |
438 | is 22. Multiple options of this type are permitted. See also | 468 | is 22. Multiple options of this type are permitted. See also |
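Review bot: PermitTunnel is now listed as a Match-block keyword in the first hunk, but its entry here changes only by reflow and gives no hint that the option can be scoped per user, group or address. Since tun(4) forwarding hands the client a layer 3 ("point-to-point") or layer 2 ("ethernet") path into the server's network, the usual hardened deployment is "PermitTunnel no" globally with a Match block granting it to one account; a one-line pointer to Match in this entry would make that pattern discoverable. The PermitUserEnvironment warning about LD_PRELOAD survives the reflow intact.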
@@ -450,16 +480,16 @@ DESCRIPTION | |||
450 | 480 | ||
451 | Protocol | 481 | Protocol |
452 | Specifies the protocol versions sshd(8) supports. The possible | 482 | Specifies the protocol versions sshd(8) supports. The possible |
453 | values are `1' and `2'. Multiple versions must be comma-separat- | 483 | values are `1' and `2'. Multiple versions must be comma- |
454 | ed. The default is `2'. Note that the order of the protocol | 484 | separated. The default is `2'. Note that the order of the |
455 | list does not indicate preference, because the client selects | 485 | protocol list does not indicate preference, because the client |
456 | among multiple protocol versions offered by the server. Specify- | 486 | selects among multiple protocol versions offered by the server. |
457 | ing ``2,1'' is identical to ``1,2''. | 487 | Specifying ``2,1'' is identical to ``1,2''. |
458 | 488 | ||
459 | PubkeyAuthentication | 489 | PubkeyAuthentication |
460 | Specifies whether public key authentication is allowed. The de- | 490 | Specifies whether public key authentication is allowed. The |
461 | fault is ``yes''. Note that this option applies to protocol ver- | 491 | default is ``yes''. Note that this option applies to protocol |
462 | sion 2 only. | 492 | version 2 only. |
463 | 493 | ||
464 | RevokedKeys | 494 | RevokedKeys |
465 | Specifies a list of revoked public keys. Keys listed in this | 495 | Specifies a list of revoked public keys. Keys listed in this |
@@ -468,15 +498,15 @@ DESCRIPTION | |||
468 | refused for all users. | 498 | refused for all users. |
469 | 499 | ||
470 | RhostsRSAAuthentication | 500 | RhostsRSAAuthentication |
471 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | 501 | Specifies whether rhosts or /etc/hosts.equiv authentication |
472 | gether with successful RSA host authentication is allowed. The | 502 | together with successful RSA host authentication is allowed. The |
473 | default is ``no''. This option applies to protocol version 1 on- | 503 | default is ``no''. This option applies to protocol version 1 |
474 | ly. | 504 | only. |
475 | 505 | ||
476 | RSAAuthentication | 506 | RSAAuthentication |
477 | Specifies whether pure RSA authentication is allowed. The de- | 507 | Specifies whether pure RSA authentication is allowed. The |
478 | fault is ``yes''. This option applies to protocol version 1 on- | 508 | default is ``yes''. This option applies to protocol version 1 |
479 | ly. | 509 | only. |
480 | 510 | ||
481 | ServerKeyBits | 511 | ServerKeyBits |
482 | Defines the number of bits in the ephemeral protocol version 1 | 512 | Defines the number of bits in the ephemeral protocol version 1 |
@@ -502,24 +532,24 @@ DESCRIPTION | |||
502 | ``sftp'' server. This may simplify configurations using | 532 | ``sftp'' server. This may simplify configurations using |
503 | ChrootDirectory to force a different filesystem root on clients. | 533 | ChrootDirectory to force a different filesystem root on clients. |
504 | 534 | ||
505 | By default no subsystems are defined. Note that this option ap- | 535 | By default no subsystems are defined. Note that this option |
506 | plies to protocol version 2 only. | 536 | applies to protocol version 2 only. |
507 | 537 | ||
508 | SyslogFacility | 538 | SyslogFacility |
509 | Gives the facility code that is used when logging messages from | 539 | Gives the facility code that is used when logging messages from |
510 | sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, | 540 | sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, |
511 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- | 541 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The |
512 | fault is AUTH. | 542 | default is AUTH. |
513 | 543 | ||
514 | TCPKeepAlive | 544 | TCPKeepAlive |
515 | Specifies whether the system should send TCP keepalive messages | 545 | Specifies whether the system should send TCP keepalive messages |
516 | to the other side. If they are sent, death of the connection or | 546 | to the other side. If they are sent, death of the connection or |
517 | crash of one of the machines will be properly noticed. However, | 547 | crash of one of the machines will be properly noticed. However, |
518 | this means that connections will die if the route is down tem- | 548 | this means that connections will die if the route is down |
519 | porarily, and some people find it annoying. On the other hand, | 549 | temporarily, and some people find it annoying. On the other |
520 | if TCP keepalives are not sent, sessions may hang indefinitely on | 550 | hand, if TCP keepalives are not sent, sessions may hang |
521 | the server, leaving ``ghost'' users and consuming server re- | 551 | indefinitely on the server, leaving ``ghost'' users and consuming |
522 | sources. | 552 | server resources. |
523 | 553 | ||
524 | The default is ``yes'' (to send TCP keepalive messages), and the | 554 | The default is ``yes'' (to send TCP keepalive messages), and the |
525 | server will notice if the network goes down or the client host | 555 | server will notice if the network goes down or the client host |
@@ -529,34 +559,34 @@ DESCRIPTION | |||
529 | ``no''. | 559 | ``no''. |
530 | 560 | ||
531 | TrustedUserCAKeys | 561 | TrustedUserCAKeys |
532 | Specifies a file containing public keys of certificate authori- | 562 | Specifies a file containing public keys of certificate |
533 | ties that are trusted to sign user certificates for authentica- | 563 | authorities that are trusted to sign user certificates for |
534 | tion. Keys are listed one per line; empty lines and comments | 564 | authentication. Keys are listed one per line; empty lines and |
535 | starting with `#' are allowed. If a certificate is presented for | 565 | comments starting with `#' are allowed. If a certificate is |
536 | authentication and has its signing CA key listed in this file, | 566 | presented for authentication and has its signing CA key listed in |
537 | then it may be used for authentication for any user listed in the | 567 | this file, then it may be used for authentication for any user |
538 | certificate's principals list. Note that certificates that lack | 568 | listed in the certificate's principals list. Note that |
539 | a list of principals will not be permitted for authentication us- | 569 | certificates that lack a list of principals will not be permitted |
540 | ing TrustedUserCAKeys. For more details on certificates, see the | 570 | for authentication using TrustedUserCAKeys. For more details on |
541 | CERTIFICATES section in ssh-keygen(1). | 571 | certificates, see the CERTIFICATES section in ssh-keygen(1). |
542 | 572 | ||
543 | UseDNS Specifies whether sshd(8) should look up the remote host name and | 573 | UseDNS Specifies whether sshd(8) should look up the remote host name and |
544 | check that the resolved host name for the remote IP address maps | 574 | check that the resolved host name for the remote IP address maps |
545 | back to the very same IP address. The default is ``yes''. | 575 | back to the very same IP address. The default is ``yes''. |
546 | 576 | ||
547 | UseLogin | 577 | UseLogin |
548 | Specifies whether login(1) is used for interactive login ses- | 578 | Specifies whether login(1) is used for interactive login |
549 | sions. The default is ``no''. Note that login(1) is never used | 579 | sessions. The default is ``no''. Note that login(1) is never |
550 | for remote command execution. Note also, that if this is en- | 580 | used for remote command execution. Note also, that if this is |
551 | abled, X11Forwarding will be disabled because login(1) does not | 581 | enabled, X11Forwarding will be disabled because login(1) does not |
552 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | 582 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation |
553 | is specified, it will be disabled after authentication. | 583 | is specified, it will be disabled after authentication. |
554 | 584 | ||
555 | UsePAM Enables the Pluggable Authentication Module interface. If set to | 585 | UsePAM Enables the Pluggable Authentication Module interface. If set to |
556 | ``yes'' this will enable PAM authentication using | 586 | ``yes'' this will enable PAM authentication using |
557 | ChallengeResponseAuthentication and PasswordAuthentication in ad- | 587 | ChallengeResponseAuthentication and PasswordAuthentication in |
558 | dition to PAM account and session module processing for all au- | 588 | addition to PAM account and session module processing for all |
559 | thentication types. | 589 | authentication types. |
560 | 590 | ||
561 | Because PAM challenge-response authentication usually serves an | 591 | Because PAM challenge-response authentication usually serves an |
562 | equivalent role to password authentication, you should disable | 592 | equivalent role to password authentication, you should disable |
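Review bot: the TrustedUserCAKeys entry still states that a certificate may authenticate "any user listed in the certificate's principals list" and that certificates lacking a principals list are refused, but it does not mention AuthorizedPrincipalsFile, which the first hunk adds to the Match keyword list and which changes how principals are matched; a cross-reference here would give a reader setting up CA-signed logins both halves of the principal check in one place. Separately, the UseLogin paragraph ends with "If UsePrivilegeSeparation is specified, it will be disabled after authentication", where "it" could be read as login(1) rather than privilege separation; naming the subject ("privilege separation will be disabled after authentication") removes the ambiguity, which matters because it is a security downgrade the reader should notice.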
@@ -566,12 +596,12 @@ DESCRIPTION | |||
566 | non-root user. The default is ``no''. | 596 | non-root user. The default is ``no''. |
567 | 597 | ||
568 | UsePrivilegeSeparation | 598 | UsePrivilegeSeparation |
569 | Specifies whether sshd(8) separates privileges by creating an un- | 599 | Specifies whether sshd(8) separates privileges by creating an |
570 | privileged child process to deal with incoming network traffic. | 600 | unprivileged child process to deal with incoming network traffic. |
571 | After successful authentication, another process will be created | 601 | After successful authentication, another process will be created |
572 | that has the privilege of the authenticated user. The goal of | 602 | that has the privilege of the authenticated user. The goal of |
573 | privilege separation is to prevent privilege escalation by con- | 603 | privilege separation is to prevent privilege escalation by |
574 | taining any corruption within the unprivileged processes. The | 604 | containing any corruption within the unprivileged processes. The |
575 | default is ``yes''. | 605 | default is ``yes''. |
576 | 606 | ||
577 | X11DisplayOffset | 607 | X11DisplayOffset |
@@ -586,15 +616,16 @@ DESCRIPTION | |||
586 | When X11 forwarding is enabled, there may be additional exposure | 616 | When X11 forwarding is enabled, there may be additional exposure |
587 | to the server and to client displays if the sshd(8) proxy display | 617 | to the server and to client displays if the sshd(8) proxy display |
588 | is configured to listen on the wildcard address (see | 618 | is configured to listen on the wildcard address (see |
589 | X11UseLocalhost below), though this is not the default. Addi- | 619 | X11UseLocalhost below), though this is not the default. |
590 | tionally, the authentication spoofing and authentication data | 620 | Additionally, the authentication spoofing and authentication data |
591 | verification and substitution occur on the client side. The se- | 621 | verification and substitution occur on the client side. The |
592 | curity risk of using X11 forwarding is that the client's X11 dis- | 622 | security risk of using X11 forwarding is that the client's X11 |
593 | play server may be exposed to attack when the SSH client requests | 623 | display server may be exposed to attack when the SSH client |
594 | forwarding (see the warnings for ForwardX11 in ssh_config(5)). A | 624 | requests forwarding (see the warnings for ForwardX11 in |
595 | system administrator may have a stance in which they want to pro- | 625 | ssh_config(5)). A system administrator may have a stance in |
596 | tect clients that may expose themselves to attack by unwittingly | 626 | which they want to protect clients that may expose themselves to |
597 | requesting X11 forwarding, which can warrant a ``no'' setting. | 627 | attack by unwittingly requesting X11 forwarding, which can |
628 | warrant a ``no'' setting. | ||
598 | 629 | ||
599 | Note that disabling X11 forwarding does not prevent users from | 630 | Note that disabling X11 forwarding does not prevent users from |
600 | forwarding X11 traffic, as users can always install their own | 631 | forwarding X11 traffic, as users can always install their own |
@@ -609,19 +640,19 @@ DESCRIPTION | |||
609 | ``localhost''. This prevents remote hosts from connecting to the | 640 | ``localhost''. This prevents remote hosts from connecting to the |
610 | proxy display. However, some older X11 clients may not function | 641 | proxy display. However, some older X11 clients may not function |
611 | with this configuration. X11UseLocalhost may be set to ``no'' to | 642 | with this configuration. X11UseLocalhost may be set to ``no'' to |
612 | specify that the forwarding server should be bound to the wild- | 643 | specify that the forwarding server should be bound to the |
613 | card address. The argument must be ``yes'' or ``no''. The de- | 644 | wildcard address. The argument must be ``yes'' or ``no''. The |
614 | fault is ``yes''. | 645 | default is ``yes''. |
615 | 646 | ||
616 | XAuthLocation | 647 | XAuthLocation |
617 | Specifies the full pathname of the xauth(1) program. The default | 648 | Specifies the full pathname of the xauth(1) program. The default |
618 | is /usr/X11R6/bin/xauth. | 649 | is /usr/X11R6/bin/xauth. |
619 | 650 | ||
620 | TIME FORMATS | 651 | TIME FORMATS |
621 | sshd(8) command-line arguments and configuration file options that speci- | 652 | sshd(8) command-line arguments and configuration file options that |
622 | fy time may be expressed using a sequence of the form: time[qualifier], | 653 | specify time may be expressed using a sequence of the form: time |
623 | where time is a positive integer value and qualifier is one of the fol- | 654 | [qualifier], where time is a positive integer value and qualifier is one |
624 | lowing: | 655 | of the following: |
625 | 656 | ||
626 | <none> seconds | 657 | <none> seconds |
627 | s | S seconds | 658 | s | S seconds |
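Review bot: the reflowed TIME FORMATS sentence now breaks the form across the line as "time" / "[qualifier]", so it reads as "time [qualifier]" with a space, whereas the old rendering had the unbroken "time[qualifier]". The table that follows ("s | S seconds" and so on) shows the qualifier is appended directly to the integer, so the new line break invites a copy with an embedded space; mark the form as non-breaking in the source so the formatter keeps it on one line. The X11UseLocalhost and XAuthLocation entries in this hunk are reflow-only.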
@@ -642,8 +673,8 @@ TIME FORMATS | |||
642 | FILES | 673 | FILES |
643 | /etc/ssh/sshd_config | 674 | /etc/ssh/sshd_config |
644 | Contains configuration data for sshd(8). This file should be | 675 | Contains configuration data for sshd(8). This file should be |
645 | writable by root only, but it is recommended (though not neces- | 676 | writable by root only, but it is recommended (though not |
646 | sary) that it be world-readable. | 677 | necessary) that it be world-readable. |
647 | 678 | ||
648 | SEE ALSO | 679 | SEE ALSO |
649 | sshd(8) | 680 | sshd(8) |
@@ -651,9 +682,9 @@ SEE ALSO | |||
651 | AUTHORS | 682 | AUTHORS |
652 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 683 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
653 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 684 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
654 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | 685 | de Raadt and Dug Song removed many bugs, re-added newer features and |
655 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 686 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
656 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 687 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
657 | for privilege separation. | 688 | for privilege separation. |
658 | 689 | ||
659 | OpenBSD 4.7 March 4, 2010 10 | 690 | OpenBSD 4.8 June 30, 2010 OpenBSD 4.8 |
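Review bot: the footer line has changed from "OpenBSD 4.7  March 4, 2010  10" to "OpenBSD 4.8  June 30, 2010  OpenBSD 4.8", i.e. the page number "10" has been replaced by a second copy of the OS name. That is a footer-layout difference of the new formatter rather than a content change, but since this preformatted .0 file is what ships in the package it is worth confirming the duplicated "OpenBSD 4.8" is the intended output and not a mis-set footer macro. The AUTHORS paragraph itself is reflow-only.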