author:     Colin Watson <cjwatson@debian.org>    2016-02-29 12:15:15 +0000
committer:  Colin Watson <cjwatson@debian.org>    2016-03-08 11:51:22 +0000
commit:     46961f5704f8e86cea3e99253faad55aef4d8f35 (patch)
tree:       0dd97fa4fb649a62b4639fe2674380872b1f3e98 /sshd_config.0
parent:     c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff)
parent:     85e40e87a75fb80a0bf893ac05a417d6c353537d (diff)
New upstream release (7.2).
Diffstat (limited to 'sshd_config.0')
-rw-r--r--  sshd_config.0  128
1 files changed, 65 insertions, 63 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index aae7fb6af..8bda6a39f 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -19,17 +19,16 @@ DESCRIPTION | |||
19 | AcceptEnv | 19 | AcceptEnv |
20 | Specifies what environment variables sent by the client will be | 20 | Specifies what environment variables sent by the client will be |
21 | copied into the session's environ(7). See SendEnv in | 21 | copied into the session's environ(7). See SendEnv in |
22 | ssh_config(5) for how to configure the client. Note that | 22 | ssh_config(5) for how to configure the client. The TERM |
23 | environment passing is only supported for protocol 2, and that | 23 | environment variable is always sent whenever the client requests |
24 | the TERM environment variable is always sent whenever the client | 24 | a pseudo-terminal as it is required by the protocol. Variables |
25 | requests a pseudo-terminal as it is required by the protocol. | 25 | are specified by name, which may contain the wildcard characters |
26 | Variables are specified by name, which may contain the wildcard | 26 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be separated by |
27 | characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be | 27 | whitespace or spread across multiple AcceptEnv directives. Be |
28 | separated by whitespace or spread across multiple AcceptEnv | 28 | warned that some environment variables could be used to bypass |
29 | directives. Be warned that some environment variables could be | 29 | restricted user environments. For this reason, care should be |
30 | used to bypass restricted user environments. For this reason, | 30 | taken in the use of this directive. The default is not to accept |
31 | care should be taken in the use of this directive. The default | 31 | any environment variables. |
32 | is not to accept any environment variables. | ||
33 | 32 | ||
34 | AddressFamily | 33 | AddressFamily |
35 | Specifies which address family should be used by sshd(8). Valid | 34 | Specifies which address family should be used by sshd(8). Valid |
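Review bot: the quotation marks around the wildcard characters in the AcceptEnv text (and around every quoted value later in this diff) have come out as the escape sequences `M-bM-^@M-^X` / `M-bM-^@M-^Y` and `M-bM-^@M-^\` / `M-bM-^@M-^]`, which means the regenerated sshd_config.0 now contains UTF-8 curly quotes instead of ASCII ones. Since the .0 file exists precisely so the manual is readable without a formatter, regenerate it with ASCII output (mandoc -T ascii, or under the C locale) so that `'*'` and `'?'` appear literally.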
@@ -115,12 +114,11 @@ DESCRIPTION | |||
115 | AuthenticationMethods of M-bM-^@M-^\publickey,publickeyM-bM-^@M-^] will require | 114 | AuthenticationMethods of M-bM-^@M-^\publickey,publickeyM-bM-^@M-^] will require |
116 | successful authentication using two different public keys. | 115 | successful authentication using two different public keys. |
117 | 116 | ||
118 | This option is only available for SSH protocol 2 and will yield a | 117 | This option will yield a fatal error if enabled if protocol 1 is |
119 | fatal error if enabled if protocol 1 is also enabled. Note that | 118 | also enabled. Note that each authentication method listed should |
120 | each authentication method listed should also be explicitly | 119 | also be explicitly enabled in the configuration. The default is |
121 | enabled in the configuration. The default is not to require | 120 | not to require multiple authentication; successful completion of |
122 | multiple authentication; successful completion of a single | 121 | a single authentication method is sufficient. |
123 | authentication method is sufficient. | ||
124 | 122 | ||
125 | AuthorizedKeysCommand | 123 | AuthorizedKeysCommand |
126 | Specifies a program to be used to look up the user's public keys. | 124 | Specifies a program to be used to look up the user's public keys. |
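Review bot: the rewritten sentence "This option will yield a fatal error if enabled if protocol 1 is also enabled" doubles the "if" where the old wording had "is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled"; suggest "This option will yield a fatal error if protocol 1 is also enabled."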
@@ -162,8 +160,9 @@ DESCRIPTION | |||
162 | replaced by the username of that user. After expansion, | 160 | replaced by the username of that user. After expansion, |
163 | AuthorizedKeysFile is taken to be an absolute path or one | 161 | AuthorizedKeysFile is taken to be an absolute path or one |
164 | relative to the user's home directory. Multiple files may be | 162 | relative to the user's home directory. Multiple files may be |
165 | listed, separated by whitespace. The default is | 163 | listed, separated by whitespace. Alternately this option may be |
166 | M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. | 164 | set to M-bM-^@M-^\noneM-bM-^@M-^] to skip checking for user keys in files. The |
165 | default is M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. | ||
167 | 166 | ||
168 | AuthorizedPrincipalsCommand | 167 | AuthorizedPrincipalsCommand |
169 | Specifies a program to be used to generate the list of allowed | 168 | Specifies a program to be used to generate the list of allowed |
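Review bot: the new "none" value for AuthorizedKeysFile says only that checking for user keys in files is skipped, and does not say whether the AuthorizedKeysCommand lookup documented a few entries above still runs. Administrators who set "none" in order to enforce a command-only key policy need that spelled out, so add a sentence such as "Key lookup via AuthorizedKeysCommand, if configured, is unaffected." (or the opposite, if that is the actual behaviour).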
@@ -220,8 +219,7 @@ DESCRIPTION | |||
220 | 219 | ||
221 | Banner The contents of the specified file are sent to the remote user | 220 | Banner The contents of the specified file are sent to the remote user |
222 | before authentication is allowed. If the argument is M-bM-^@M-^\noneM-bM-^@M-^] then | 221 | before authentication is allowed. If the argument is M-bM-^@M-^\noneM-bM-^@M-^] then |
223 | no banner is displayed. This option is only available for | 222 | no banner is displayed. By default, no banner is displayed. |
224 | protocol version 2. By default, no banner is displayed. | ||
225 | 223 | ||
226 | ChallengeResponseAuthentication | 224 | ChallengeResponseAuthentication |
227 | Specifies whether challenge-response authentication is allowed | 225 | Specifies whether challenge-response authentication is allowed |
@@ -258,13 +256,13 @@ DESCRIPTION | |||
258 | (especially those outside the jail). Misconfiguration can lead | 256 | (especially those outside the jail). Misconfiguration can lead |
259 | to unsafe environments which sshd(8) cannot detect. | 257 | to unsafe environments which sshd(8) cannot detect. |
260 | 258 | ||
261 | The default is not to chroot(2). | 259 | The default is M-bM-^@M-^\noneM-bM-^@M-^], indicating not to chroot(2). |
262 | 260 | ||
263 | Ciphers | 261 | Ciphers |
264 | Specifies the ciphers allowed for protocol version 2. Multiple | 262 | Specifies the ciphers allowed. Multiple ciphers must be comma- |
265 | ciphers must be comma-separated. If the specified value begins | 263 | separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, |
266 | with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be appended | 264 | then the specified ciphers will be appended to the default set |
267 | to the default set instead of replacing them. | 265 | instead of replacing them. |
268 | 266 | ||
269 | The supported ciphers are: | 267 | The supported ciphers are: |
270 | 268 | ||
@@ -309,15 +307,14 @@ DESCRIPTION | |||
309 | The default value is 3. If ClientAliveInterval (see below) is | 307 | The default value is 3. If ClientAliveInterval (see below) is |
310 | set to 15, and ClientAliveCountMax is left at the default, | 308 | set to 15, and ClientAliveCountMax is left at the default, |
311 | unresponsive SSH clients will be disconnected after approximately | 309 | unresponsive SSH clients will be disconnected after approximately |
312 | 45 seconds. This option applies to protocol version 2 only. | 310 | 45 seconds. |
313 | 311 | ||
314 | ClientAliveInterval | 312 | ClientAliveInterval |
315 | Sets a timeout interval in seconds after which if no data has | 313 | Sets a timeout interval in seconds after which if no data has |
316 | been received from the client, sshd(8) will send a message | 314 | been received from the client, sshd(8) will send a message |
317 | through the encrypted channel to request a response from the | 315 | through the encrypted channel to request a response from the |
318 | client. The default is 0, indicating that these messages will | 316 | client. The default is 0, indicating that these messages will |
319 | not be sent to the client. This option applies to protocol | 317 | not be sent to the client. |
320 | version 2 only. | ||
321 | 318 | ||
322 | Compression | 319 | Compression |
323 | Specifies whether compression is allowed, or delayed until the | 320 | Specifies whether compression is allowed, or delayed until the |
@@ -362,7 +359,7 @@ DESCRIPTION | |||
362 | SSH_ORIGINAL_COMMAND environment variable. Specifying a command | 359 | SSH_ORIGINAL_COMMAND environment variable. Specifying a command |
363 | of M-bM-^@M-^\internal-sftpM-bM-^@M-^] will force the use of an in-process sftp | 360 | of M-bM-^@M-^\internal-sftpM-bM-^@M-^] will force the use of an in-process sftp |
364 | server that requires no support files when used with | 361 | server that requires no support files when used with |
365 | ChrootDirectory. | 362 | ChrootDirectory. The default is M-bM-^@M-^\noneM-bM-^@M-^]. |
366 | 363 | ||
367 | GatewayPorts | 364 | GatewayPorts |
368 | Specifies whether remote hosts are allowed to connect to ports | 365 | Specifies whether remote hosts are allowed to connect to ports |
@@ -379,13 +376,11 @@ DESCRIPTION | |||
379 | 376 | ||
380 | GSSAPIAuthentication | 377 | GSSAPIAuthentication |
381 | Specifies whether user authentication based on GSSAPI is allowed. | 378 | Specifies whether user authentication based on GSSAPI is allowed. |
382 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol | 379 | The default is M-bM-^@M-^\noM-bM-^@M-^]. |
383 | version 2 only. | ||
384 | 380 | ||
385 | GSSAPICleanupCredentials | 381 | GSSAPICleanupCredentials |
386 | Specifies whether to automatically destroy the user's credentials | 382 | Specifies whether to automatically destroy the user's credentials |
387 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option | 383 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
388 | applies to protocol version 2 only. | ||
389 | 384 | ||
390 | GSSAPIStrictAcceptorCheck | 385 | GSSAPIStrictAcceptorCheck |
391 | Determines whether to be strict about the identity of the GSSAPI | 386 | Determines whether to be strict about the identity of the GSSAPI |
@@ -416,9 +411,7 @@ DESCRIPTION | |||
416 | HostbasedAuthentication | 411 | HostbasedAuthentication |
417 | Specifies whether rhosts or /etc/hosts.equiv authentication | 412 | Specifies whether rhosts or /etc/hosts.equiv authentication |
418 | together with successful public key client host authentication is | 413 | together with successful public key client host authentication is |
419 | allowed (host-based authentication). This option is similar to | 414 | allowed (host-based authentication). The default is M-bM-^@M-^\noM-bM-^@M-^]. |
420 | RhostsRSAAuthentication and applies to protocol version 2 only. | ||
421 | The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
422 | 415 | ||
423 | HostbasedUsesNameFromPacketOnly | 416 | HostbasedUsesNameFromPacketOnly |
424 | Specifies whether or not the server will attempt to perform a | 417 | Specifies whether or not the server will attempt to perform a |
@@ -459,8 +452,8 @@ DESCRIPTION | |||
459 | read from the SSH_AUTH_SOCK environment variable. | 452 | read from the SSH_AUTH_SOCK environment variable. |
460 | 453 | ||
461 | HostKeyAlgorithms | 454 | HostKeyAlgorithms |
462 | Specifies the protocol version 2 host key algorithms that the | 455 | Specifies the host key algorithms that the server offers. The |
463 | server offers. The default for this option is: | 456 | default for this option is: |
464 | 457 | ||
465 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 458 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
466 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 459 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
@@ -585,11 +578,11 @@ DESCRIPTION | |||
585 | violates the privacy of users and is not recommended. | 578 | violates the privacy of users and is not recommended. |
586 | 579 | ||
587 | MACs Specifies the available MAC (message authentication code) | 580 | MACs Specifies the available MAC (message authentication code) |
588 | algorithms. The MAC algorithm is used in protocol version 2 for | 581 | algorithms. The MAC algorithm is used for data integrity |
589 | data integrity protection. Multiple algorithms must be comma- | 582 | protection. Multiple algorithms must be comma-separated. If the |
590 | separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, | 583 | specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified |
591 | then the specified algorithms will be appended to the default set | 584 | algorithms will be appended to the default set instead of |
592 | instead of replacing them. | 585 | replacing them. |
593 | 586 | ||
594 | The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after | 587 | The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after |
595 | encryption (encrypt-then-mac). These are considered safer and | 588 | encryption (encrypt-then-mac). These are considered safer and |
@@ -618,8 +611,9 @@ DESCRIPTION | |||
618 | 611 | ||
619 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | 612 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
620 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | 613 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
614 | hmac-sha1-etm@openssh.com, | ||
621 | umac-64@openssh.com,umac-128@openssh.com, | 615 | umac-64@openssh.com,umac-128@openssh.com, |
622 | hmac-sha2-256,hmac-sha2-512 | 616 | hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
623 | 617 | ||
624 | The list of available MAC algorithms may also be obtained using | 618 | The list of available MAC algorithms may also be obtained using |
625 | the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. | 619 | the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. |
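Review bot: hmac-sha1-etm@openssh.com and hmac-sha1 are added to the default MAC list in this hunk, which widens the default set to include SHA-1-based MACs without any justification in the commit message ("New upstream release (7.2)"). The ordering is sensible (the -etm variant, which the text above describes as safer, sits with the other -etm entries and plain hmac-sha1 is last), but the entry should say why these returned (presumably interoperability with older peers) so that sites that restrict MACs to SHA-2 know to set MACs explicitly rather than rely on the default.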
@@ -651,8 +645,9 @@ DESCRIPTION | |||
651 | AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, | 645 | AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, |
652 | AllowTcpForwarding, AllowUsers, AuthenticationMethods, | 646 | AllowTcpForwarding, AllowUsers, AuthenticationMethods, |
653 | AuthorizedKeysCommand, AuthorizedKeysCommandUser, | 647 | AuthorizedKeysCommand, AuthorizedKeysCommandUser, |
654 | AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, | 648 | AuthorizedKeysFile, AuthorizedPrincipalsCommand, |
655 | ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, | 649 | AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, |
650 | Banner, ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, | ||
656 | GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, | 651 | GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, |
657 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, | 652 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, |
658 | KbdInteractiveAuthentication, KerberosAuthentication, | 653 | KbdInteractiveAuthentication, KerberosAuthentication, |
@@ -670,8 +665,13 @@ DESCRIPTION | |||
670 | value, additional failures are logged. The default is 6. | 665 | value, additional failures are logged. The default is 6. |
671 | 666 | ||
672 | MaxSessions | 667 | MaxSessions |
673 | Specifies the maximum number of open sessions permitted per | 668 | Specifies the maximum number of open shell, login or subsystem |
674 | network connection. The default is 10. | 669 | (e.g. sftp) sessions permitted per network connection. Multiple |
670 | sessions may be established by clients that support connection | ||
671 | multiplexing. Setting MaxSessions to 1 will effectively disable | ||
672 | session multiplexing, whereas setting it to 0 will prevent all | ||
673 | shell, login and subsystem sessions while still permitting | ||
674 | forwarding. The default is 10. | ||
675 | 675 | ||
676 | MaxStartups | 676 | MaxStartups |
677 | Specifies the maximum number of concurrent unauthenticated | 677 | Specifies the maximum number of concurrent unauthenticated |
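Review bot: the new MaxSessions text says that a value of 0 prevents all shell, login and subsystem sessions "while still permitting forwarding", which is easy to misread as a way to lock an account down completely. Add a cross-reference to AllowTcpForwarding (and AllowStreamLocalForwarding, both listed under Match in this file) so readers see that a forwarding-free account needs those set to "no" in addition to MaxSessions 0.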
@@ -775,10 +775,14 @@ DESCRIPTION | |||
775 | Protocol | 775 | Protocol |
776 | Specifies the protocol versions sshd(8) supports. The possible | 776 | Specifies the protocol versions sshd(8) supports. The possible |
777 | values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple versions must be comma- | 777 | values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple versions must be comma- |
778 | separated. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Note that the order of the | 778 | separated. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Protocol 1 suffers from a number |
779 | protocol list does not indicate preference, because the client | 779 | of cryptographic weaknesses and should not be used. It is only |
780 | selects among multiple protocol versions offered by the server. | 780 | offered to support legacy devices. |
781 | Specifying M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. | 781 | |
782 | Note that the order of the protocol list does not indicate | ||
783 | preference, because the client selects among multiple protocol | ||
784 | versions offered by the server. Specifying M-bM-^@M-^\2,1M-bM-^@M-^] is identical to | ||
785 | M-bM-^@M-^\1,2M-bM-^@M-^]. | ||
782 | 786 | ||
783 | PubkeyAcceptedKeyTypes | 787 | PubkeyAcceptedKeyTypes |
784 | Specifies the key types that will be accepted for public key | 788 | Specifies the key types that will be accepted for public key |
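Review bot: this diff removes the "applies to protocol version 2 only" notes from AcceptEnv, AuthenticationMethods, Banner, ClientAliveCountMax, ClientAliveInterval, GSSAPIAuthentication, GSSAPICleanupCredentials, HostbasedAuthentication, PubkeyAuthentication, RekeyLimit and Subsystem, yet this hunk still documents "1" as a possible Protocol value and only says it "should not be used". While protocol 1 remains configurable, keep one sentence here stating that those options have no effect on protocol 1 connections, so the per-option caveats can go without the information being lost.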
@@ -799,8 +803,7 @@ DESCRIPTION | |||
799 | 803 | ||
800 | PubkeyAuthentication | 804 | PubkeyAuthentication |
801 | Specifies whether public key authentication is allowed. The | 805 | Specifies whether public key authentication is allowed. The |
802 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol | 806 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
803 | version 2 only. | ||
804 | 807 | ||
805 | RekeyLimit | 808 | RekeyLimit |
806 | Specifies the maximum amount of data that may be transmitted | 809 | Specifies the maximum amount of data that may be transmitted |
@@ -814,8 +817,7 @@ DESCRIPTION | |||
814 | documented in the TIME FORMATS section. The default value for | 817 | documented in the TIME FORMATS section. The default value for |
815 | RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that rekeying is | 818 | RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that rekeying is |
816 | performed after the cipher's default amount of data has been sent | 819 | performed after the cipher's default amount of data has been sent |
817 | or received and no time based rekeying is done. This option | 820 | or received and no time based rekeying is done. |
818 | applies to protocol version 2 only. | ||
819 | 821 | ||
820 | RevokedKeys | 822 | RevokedKeys |
821 | Specifies revoked public keys file, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. | 823 | Specifies revoked public keys file, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. |
@@ -882,8 +884,7 @@ DESCRIPTION | |||
882 | M-bM-^@M-^\sftpM-bM-^@M-^] server. This may simplify configurations using | 884 | M-bM-^@M-^\sftpM-bM-^@M-^] server. This may simplify configurations using |
883 | ChrootDirectory to force a different filesystem root on clients. | 885 | ChrootDirectory to force a different filesystem root on clients. |
884 | 886 | ||
885 | By default no subsystems are defined. Note that this option | 887 | By default no subsystems are defined. |
886 | applies to protocol version 2 only. | ||
887 | 888 | ||
888 | SyslogFacility | 889 | SyslogFacility |
889 | Gives the facility code that is used when logging messages from | 890 | Gives the facility code that is used when logging messages from |
@@ -957,9 +958,10 @@ DESCRIPTION | |||
957 | that has the privilege of the authenticated user. The goal of | 958 | that has the privilege of the authenticated user. The goal of |
958 | privilege separation is to prevent privilege escalation by | 959 | privilege separation is to prevent privilege escalation by |
959 | containing any corruption within the unprivileged processes. The | 960 | containing any corruption within the unprivileged processes. The |
960 | default is M-bM-^@M-^\yesM-bM-^@M-^]. If UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^] | 961 | argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\sandboxM-bM-^@M-^]. If |
961 | then the pre-authentication unprivileged process is subject to | 962 | UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^] then the pre- |
962 | additional restrictions. | 963 | authentication unprivileged process is subject to additional |
964 | restrictions. The default is M-bM-^@M-^\sandboxM-bM-^@M-^]. | ||
963 | 965 | ||
964 | VersionAddendum | 966 | VersionAddendum |
965 | Optionally specifies additional text to append to the SSH | 967 | Optionally specifies additional text to append to the SSH |
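Review bot: the UsePrivilegeSeparation default changes from "yes" to "sandbox" in this hunk, which is a behavioural change hidden inside what is otherwise a documentation update, and the text does not say what happens on a platform where no sandbox mechanism is available. State whether sshd falls back to "yes" or refuses to start, and consider calling the new default out in the release notes so operators who pin "yes" for compatibility reasons can re-check.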
@@ -1049,4 +1051,4 @@ AUTHORS | |||
1049 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 1051 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
1050 | for privilege separation. | 1052 | for privilege separation. |
1051 | 1053 | ||
1052 | OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 | 1054 | OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 |