authorColin Watson <cjwatson@debian.org>2016-02-29 12:15:15 +0000
committerColin Watson <cjwatson@debian.org>2016-03-08 11:51:22 +0000
commit46961f5704f8e86cea3e99253faad55aef4d8f35 (patch)
tree0dd97fa4fb649a62b4639fe2674380872b1f3e98 /sshd_config.0
parentc753fe267efb1b027424fa8706cf0385fc3d14c1 (diff)
parent85e40e87a75fb80a0bf893ac05a417d6c353537d (diff)
New upstream release (7.2).
Diffstat (limited to 'sshd_config.0')
-rw-r--r--sshd_config.0128
1 files changed, 65 insertions, 63 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index aae7fb6af..8bda6a39f 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -19,17 +19,16 @@ DESCRIPTION
19 AcceptEnv 19 AcceptEnv
20 Specifies what environment variables sent by the client will be 20 Specifies what environment variables sent by the client will be
21 copied into the session's environ(7). See SendEnv in 21 copied into the session's environ(7). See SendEnv in
22 ssh_config(5) for how to configure the client. Note that 22 ssh_config(5) for how to configure the client. The TERM
23 environment passing is only supported for protocol 2, and that 23 environment variable is always sent whenever the client requests
24 the TERM environment variable is always sent whenever the client 24 a pseudo-terminal as it is required by the protocol. Variables
25 requests a pseudo-terminal as it is required by the protocol. 25 are specified by name, which may contain the wildcard characters
26 Variables are specified by name, which may contain the wildcard 26 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be separated by
27 characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be 27 whitespace or spread across multiple AcceptEnv directives. Be
28 separated by whitespace or spread across multiple AcceptEnv 28 warned that some environment variables could be used to bypass
29 directives. Be warned that some environment variables could be 29 restricted user environments. For this reason, care should be
30 used to bypass restricted user environments. For this reason, 30 taken in the use of this directive. The default is not to accept
31 care should be taken in the use of this directive. The default 31 any environment variables.
32 is not to accept any environment variables.
33 32
34 AddressFamily 33 AddressFamily
35 Specifies which address family should be used by sshd(8). Valid 34 Specifies which address family should be used by sshd(8). Valid
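Review bot: the warning on new lines 27-30 that accepted variables can bypass restricted user environments survives the rewrap, but the entry still gives no hint that a bare wildcard pattern (the '*' documented on line 26) accepts every variable the client sends and defeats the restriction entirely; suggest adding a sentence that patterns should name the variables actually needed rather than use a catch-all.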
@@ -115,12 +114,11 @@ DESCRIPTION
115 AuthenticationMethods of M-bM-^@M-^\publickey,publickeyM-bM-^@M-^] will require 114 AuthenticationMethods of M-bM-^@M-^\publickey,publickeyM-bM-^@M-^] will require
116 successful authentication using two different public keys. 115 successful authentication using two different public keys.
117 116
118 This option is only available for SSH protocol 2 and will yield a 117 This option will yield a fatal error if enabled if protocol 1 is
119 fatal error if enabled if protocol 1 is also enabled. Note that 118 also enabled. Note that each authentication method listed should
120 each authentication method listed should also be explicitly 119 also be explicitly enabled in the configuration. The default is
121 enabled in the configuration. The default is not to require 120 not to require multiple authentication; successful completion of
122 multiple authentication; successful completion of a single 121 a single authentication method is sufficient.
123 authentication method is sufficient.
124 122
125 AuthorizedKeysCommand 123 AuthorizedKeysCommand
126 Specifies a program to be used to look up the user's public keys. 124 Specifies a program to be used to look up the user's public keys.
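Review bot: the rewritten sentence on new lines 117-118, "This option will yield a fatal error if enabled if protocol 1 is also enabled", doubles the "if" and is hard to parse; suggest "This option yields a fatal error if it is enabled while protocol 1 is also enabled."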
@@ -162,8 +160,9 @@ DESCRIPTION
162 replaced by the username of that user. After expansion, 160 replaced by the username of that user. After expansion,
163 AuthorizedKeysFile is taken to be an absolute path or one 161 AuthorizedKeysFile is taken to be an absolute path or one
164 relative to the user's home directory. Multiple files may be 162 relative to the user's home directory. Multiple files may be
165 listed, separated by whitespace. The default is 163 listed, separated by whitespace. Alternately this option may be
166 M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. 164 set to M-bM-^@M-^\noneM-bM-^@M-^] to skip checking for user keys in files. The
165 default is M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^].
167 166
168 AuthorizedPrincipalsCommand 167 AuthorizedPrincipalsCommand
169 Specifies a program to be used to generate the list of allowed 168 Specifies a program to be used to generate the list of allowed
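Review bot: the new "none" value on lines 163-164 disables file-based key lookup but the text does not say where keys are then expected to come from; since AuthorizedKeysCommand is documented a few entries earlier, a short cross-reference ("useful when keys are supplied only by AuthorizedKeysCommand or by certificates") would stop admins from setting "none" and locking out public key logins by accident.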
@@ -220,8 +219,7 @@ DESCRIPTION
220 219
221 Banner The contents of the specified file are sent to the remote user 220 Banner The contents of the specified file are sent to the remote user
222 before authentication is allowed. If the argument is M-bM-^@M-^\noneM-bM-^@M-^] then 221 before authentication is allowed. If the argument is M-bM-^@M-^\noneM-bM-^@M-^] then
223 no banner is displayed. This option is only available for 222 no banner is displayed. By default, no banner is displayed.
224 protocol version 2. By default, no banner is displayed.
225 223
226 ChallengeResponseAuthentication 224 ChallengeResponseAuthentication
227 Specifies whether challenge-response authentication is allowed 225 Specifies whether challenge-response authentication is allowed
@@ -258,13 +256,13 @@ DESCRIPTION
258 (especially those outside the jail). Misconfiguration can lead 256 (especially those outside the jail). Misconfiguration can lead
259 to unsafe environments which sshd(8) cannot detect. 257 to unsafe environments which sshd(8) cannot detect.
260 258
261 The default is not to chroot(2). 259 The default is M-bM-^@M-^\noneM-bM-^@M-^], indicating not to chroot(2).
262 260
263 Ciphers 261 Ciphers
264 Specifies the ciphers allowed for protocol version 2. Multiple 262 Specifies the ciphers allowed. Multiple ciphers must be comma-
265 ciphers must be comma-separated. If the specified value begins 263 separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
266 with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be appended 264 then the specified ciphers will be appended to the default set
267 to the default set instead of replacing them. 265 instead of replacing them.
268 266
269 The supported ciphers are: 267 The supported ciphers are:
270 268
@@ -309,15 +307,14 @@ DESCRIPTION
309 The default value is 3. If ClientAliveInterval (see below) is 307 The default value is 3. If ClientAliveInterval (see below) is
310 set to 15, and ClientAliveCountMax is left at the default, 308 set to 15, and ClientAliveCountMax is left at the default,
311 unresponsive SSH clients will be disconnected after approximately 309 unresponsive SSH clients will be disconnected after approximately
312 45 seconds. This option applies to protocol version 2 only. 310 45 seconds.
313 311
314 ClientAliveInterval 312 ClientAliveInterval
315 Sets a timeout interval in seconds after which if no data has 313 Sets a timeout interval in seconds after which if no data has
316 been received from the client, sshd(8) will send a message 314 been received from the client, sshd(8) will send a message
317 through the encrypted channel to request a response from the 315 through the encrypted channel to request a response from the
318 client. The default is 0, indicating that these messages will 316 client. The default is 0, indicating that these messages will
319 not be sent to the client. This option applies to protocol 317 not be sent to the client.
320 version 2 only.
321 318
322 Compression 319 Compression
323 Specifies whether compression is allowed, or delayed until the 320 Specifies whether compression is allowed, or delayed until the
@@ -362,7 +359,7 @@ DESCRIPTION
362 SSH_ORIGINAL_COMMAND environment variable. Specifying a command 359 SSH_ORIGINAL_COMMAND environment variable. Specifying a command
363 of M-bM-^@M-^\internal-sftpM-bM-^@M-^] will force the use of an in-process sftp 360 of M-bM-^@M-^\internal-sftpM-bM-^@M-^] will force the use of an in-process sftp
364 server that requires no support files when used with 361 server that requires no support files when used with
365 ChrootDirectory. 362 ChrootDirectory. The default is M-bM-^@M-^\noneM-bM-^@M-^].
366 363
367 GatewayPorts 364 GatewayPorts
368 Specifies whether remote hosts are allowed to connect to ports 365 Specifies whether remote hosts are allowed to connect to ports
@@ -379,13 +376,11 @@ DESCRIPTION
379 376
380 GSSAPIAuthentication 377 GSSAPIAuthentication
381 Specifies whether user authentication based on GSSAPI is allowed. 378 Specifies whether user authentication based on GSSAPI is allowed.
382 The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol 379 The default is M-bM-^@M-^\noM-bM-^@M-^].
383 version 2 only.
384 380
385 GSSAPICleanupCredentials 381 GSSAPICleanupCredentials
386 Specifies whether to automatically destroy the user's credentials 382 Specifies whether to automatically destroy the user's credentials
387 cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option 383 cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^].
388 applies to protocol version 2 only.
389 384
390 GSSAPIStrictAcceptorCheck 385 GSSAPIStrictAcceptorCheck
391 Determines whether to be strict about the identity of the GSSAPI 386 Determines whether to be strict about the identity of the GSSAPI
@@ -416,9 +411,7 @@ DESCRIPTION
416 HostbasedAuthentication 411 HostbasedAuthentication
417 Specifies whether rhosts or /etc/hosts.equiv authentication 412 Specifies whether rhosts or /etc/hosts.equiv authentication
418 together with successful public key client host authentication is 413 together with successful public key client host authentication is
419 allowed (host-based authentication). This option is similar to 414 allowed (host-based authentication). The default is M-bM-^@M-^\noM-bM-^@M-^].
420 RhostsRSAAuthentication and applies to protocol version 2 only.
421 The default is M-bM-^@M-^\noM-bM-^@M-^].
422 415
423 HostbasedUsesNameFromPacketOnly 416 HostbasedUsesNameFromPacketOnly
424 Specifies whether or not the server will attempt to perform a 417 Specifies whether or not the server will attempt to perform a
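Review bot: dropping the comparison with RhostsRSAAuthentication on old lines 419-420 removes the only pointer from HostbasedAuthentication to its protocol 1 counterpart; that is consistent with the protocol 1 deprecation language added to the Protocol entry in this patch, but the RhostsRSAAuthentication entry itself should then carry the same "should not be used" note so the two options are not left looking equivalent.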
@@ -459,8 +452,8 @@ DESCRIPTION
459 read from the SSH_AUTH_SOCK environment variable. 452 read from the SSH_AUTH_SOCK environment variable.
460 453
461 HostKeyAlgorithms 454 HostKeyAlgorithms
462 Specifies the protocol version 2 host key algorithms that the 455 Specifies the host key algorithms that the server offers. The
463 server offers. The default for this option is: 456 default for this option is:
464 457
465 ecdsa-sha2-nistp256-cert-v01@openssh.com, 458 ecdsa-sha2-nistp256-cert-v01@openssh.com,
466 ecdsa-sha2-nistp384-cert-v01@openssh.com, 459 ecdsa-sha2-nistp384-cert-v01@openssh.com,
@@ -585,11 +578,11 @@ DESCRIPTION
585 violates the privacy of users and is not recommended. 578 violates the privacy of users and is not recommended.
586 579
587 MACs Specifies the available MAC (message authentication code) 580 MACs Specifies the available MAC (message authentication code)
588 algorithms. The MAC algorithm is used in protocol version 2 for 581 algorithms. The MAC algorithm is used for data integrity
589 data integrity protection. Multiple algorithms must be comma- 582 protection. Multiple algorithms must be comma-separated. If the
590 separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, 583 specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified
591 then the specified algorithms will be appended to the default set 584 algorithms will be appended to the default set instead of
592 instead of replacing them. 585 replacing them.
593 586
594 The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after 587 The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after
595 encryption (encrypt-then-mac). These are considered safer and 588 encryption (encrypt-then-mac). These are considered safer and
@@ -618,8 +611,9 @@ DESCRIPTION
618 611
619 umac-64-etm@openssh.com,umac-128-etm@openssh.com, 612 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
620 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 613 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
614 hmac-sha1-etm@openssh.com,
621 umac-64@openssh.com,umac-128@openssh.com, 615 umac-64@openssh.com,umac-128@openssh.com,
622 hmac-sha2-256,hmac-sha2-512 616 hmac-sha2-256,hmac-sha2-512,hmac-sha1
623 617
624 The list of available MAC algorithms may also be obtained using 618 The list of available MAC algorithms may also be obtained using
625 the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. 619 the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^].
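Review bot: new lines 614 and 616 add hmac-sha1-etm@openssh.com and hmac-sha1 to the default MAC list, which the previous default omitted; the surrounding text does not say why SHA-1 based MACs are back in the default set, and an admin reading the "-etm ... considered safer" paragraph just above will not see that a plain hmac-sha1 is now offered by default. Suggest a sentence on the reason (compatibility, presumably) so operators can decide whether to restrict MACs explicitly.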
@@ -651,8 +645,9 @@ DESCRIPTION
651 AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, 645 AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding,
652 AllowTcpForwarding, AllowUsers, AuthenticationMethods, 646 AllowTcpForwarding, AllowUsers, AuthenticationMethods,
653 AuthorizedKeysCommand, AuthorizedKeysCommandUser, 647 AuthorizedKeysCommand, AuthorizedKeysCommandUser,
654 AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, 648 AuthorizedKeysFile, AuthorizedPrincipalsCommand,
655 ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, 649 AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile,
650 Banner, ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
656 GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, 651 GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes,
657 HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, 652 HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS,
658 KbdInteractiveAuthentication, KerberosAuthentication, 653 KbdInteractiveAuthentication, KerberosAuthentication,
@@ -670,8 +665,13 @@ DESCRIPTION
670 value, additional failures are logged. The default is 6. 665 value, additional failures are logged. The default is 6.
671 666
672 MaxSessions 667 MaxSessions
673 Specifies the maximum number of open sessions permitted per 668 Specifies the maximum number of open shell, login or subsystem
674 network connection. The default is 10. 669 (e.g. sftp) sessions permitted per network connection. Multiple
670 sessions may be established by clients that support connection
671 multiplexing. Setting MaxSessions to 1 will effectively disable
672 session multiplexing, whereas setting it to 0 will prevent all
673 shell, login and subsystem sessions while still permitting
674 forwarding. The default is 10.
675 675
676 MaxStartups 676 MaxStartups
677 Specifies the maximum number of concurrent unauthenticated 677 Specifies the maximum number of concurrent unauthenticated
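Review bot: the clarification on new lines 671-674 that MaxSessions 0 still permits forwarding is the important point of this hunk and deserves to be stated more prominently: an admin using MaxSessions 0 to lock down an account must also restrict AllowTcpForwarding and the other forwarding options listed under Match, otherwise the connection remains usable as a tunnel. Suggest naming those options here.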
@@ -775,10 +775,14 @@ DESCRIPTION
775 Protocol 775 Protocol
776 Specifies the protocol versions sshd(8) supports. The possible 776 Specifies the protocol versions sshd(8) supports. The possible
777 values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple versions must be comma- 777 values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple versions must be comma-
778 separated. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Note that the order of the 778 separated. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Protocol 1 suffers from a number
779 protocol list does not indicate preference, because the client 779 of cryptographic weaknesses and should not be used. It is only
780 selects among multiple protocol versions offered by the server. 780 offered to support legacy devices.
781 Specifying M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. 781
782 Note that the order of the protocol list does not indicate
783 preference, because the client selects among multiple protocol
784 versions offered by the server. Specifying M-bM-^@M-^\2,1M-bM-^@M-^] is identical to
785 M-bM-^@M-^\1,2M-bM-^@M-^].
782 786
783 PubkeyAcceptedKeyTypes 787 PubkeyAcceptedKeyTypes
784 Specifies the key types that will be accepted for public key 788 Specifies the key types that will be accepted for public key
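Review bot: new lines 779-780, "It is only offered to support legacy devices", can be read as if protocol 1 were on by default; since line 778 already states the default is '2', phrasing it as "It remains available only for legacy devices and must be enabled explicitly" removes the ambiguity and keeps the warning next to the default.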
@@ -799,8 +803,7 @@ DESCRIPTION
799 803
800 PubkeyAuthentication 804 PubkeyAuthentication
801 Specifies whether public key authentication is allowed. The 805 Specifies whether public key authentication is allowed. The
802 default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol 806 default is M-bM-^@M-^\yesM-bM-^@M-^].
803 version 2 only.
804 807
805 RekeyLimit 808 RekeyLimit
806 Specifies the maximum amount of data that may be transmitted 809 Specifies the maximum amount of data that may be transmitted
@@ -814,8 +817,7 @@ DESCRIPTION
814 documented in the TIME FORMATS section. The default value for 817 documented in the TIME FORMATS section. The default value for
815 RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that rekeying is 818 RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that rekeying is
816 performed after the cipher's default amount of data has been sent 819 performed after the cipher's default amount of data has been sent
817 or received and no time based rekeying is done. This option 820 or received and no time based rekeying is done.
818 applies to protocol version 2 only.
819 821
820 RevokedKeys 822 RevokedKeys
821 Specifies revoked public keys file, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. 823 Specifies revoked public keys file, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one.
@@ -882,8 +884,7 @@ DESCRIPTION
882 M-bM-^@M-^\sftpM-bM-^@M-^] server. This may simplify configurations using 884 M-bM-^@M-^\sftpM-bM-^@M-^] server. This may simplify configurations using
883 ChrootDirectory to force a different filesystem root on clients. 885 ChrootDirectory to force a different filesystem root on clients.
884 886
885 By default no subsystems are defined. Note that this option 887 By default no subsystems are defined.
886 applies to protocol version 2 only.
887 888
888 SyslogFacility 889 SyslogFacility
889 Gives the facility code that is used when logging messages from 890 Gives the facility code that is used when logging messages from
@@ -957,9 +958,10 @@ DESCRIPTION
957 that has the privilege of the authenticated user. The goal of 958 that has the privilege of the authenticated user. The goal of
958 privilege separation is to prevent privilege escalation by 959 privilege separation is to prevent privilege escalation by
959 containing any corruption within the unprivileged processes. The 960 containing any corruption within the unprivileged processes. The
960 default is M-bM-^@M-^\yesM-bM-^@M-^]. If UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^] 961 argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\sandboxM-bM-^@M-^]. If
961 then the pre-authentication unprivileged process is subject to 962 UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^] then the pre-
962 additional restrictions. 963 authentication unprivileged process is subject to additional
964 restrictions. The default is M-bM-^@M-^\sandboxM-bM-^@M-^].
963 965
964 VersionAddendum 966 VersionAddendum
965 Optionally specifies additional text to append to the SSH 967 Optionally specifies additional text to append to the SSH
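Review bot: new line 964 changes the documented default from "yes" to "sandbox", which is a behavioural change worth a changelog mention; the entry also still describes the sandbox only as "additional restrictions" (963-964) without saying what is restricted, so one sentence on what the sandboxed pre-authentication process may no longer do would let admins judge whether "sandbox" is safe on their platform.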
@@ -1049,4 +1051,4 @@ AUTHORS
1049 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 1051 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
1050 for privilege separation. 1052 for privilege separation.
1051 1053
1052OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 1054OpenBSD 5.9 February 17, 2016 OpenBSD 5.9