| author | Colin Watson <cjwatson@debian.org> | 2015-08-19 17:00:17 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 17:00:17 +0100 |
| commit | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (patch) | |
| tree | 33d2a87dd50fe5894ac6ec4579c83401b7ab00a4 /sshd_config.0 | |
| parent | baccdb349b31c47cd76fb63211f754ed33a9707e (diff) | |
| parent | 7de4b03a6e4071d454b72927ffaf52949fa34545 (diff) | |
Import openssh_6.9p1.orig.tar.gz
Diffstat (limited to 'sshd_config.0')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | sshd_config.0 | 131 |

1 files changed, 90 insertions, 41 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index be48e1364..641041852 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -20,14 +20,16 @@ DESCRIPTION | |||
20 | Specifies what environment variables sent by the client will be | 20 | Specifies what environment variables sent by the client will be |
21 | copied into the session's environ(7). See SendEnv in | 21 | copied into the session's environ(7). See SendEnv in |
22 | ssh_config(5) for how to configure the client. Note that | 22 | ssh_config(5) for how to configure the client. Note that |
23 | environment passing is only supported for protocol 2. Variables | 23 | environment passing is only supported for protocol 2, and that |
24 | are specified by name, which may contain the wildcard characters | 24 | the TERM environment variable is always sent whenever the client |
25 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be separated by | 25 | requests a pseudo-terminal as it is required by the protocol. |
26 | whitespace or spread across multiple AcceptEnv directives. Be | 26 | Variables are specified by name, which may contain the wildcard |
27 | warned that some environment variables could be used to bypass | 27 | characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be |
28 | restricted user environments. For this reason, care should be | 28 | separated by whitespace or spread across multiple AcceptEnv |
29 | taken in the use of this directive. The default is not to accept | 29 | directives. Be warned that some environment variables could be |
30 | any environment variables. | 30 | used to bypass restricted user environments. For this reason, |
31 | care should be taken in the use of this directive. The default | ||
32 | is not to accept any environment variables. | ||
31 | 33 | ||
32 | AddressFamily | 34 | AddressFamily |
33 | Specifies which address family should be used by sshd(8). Valid | 35 | Specifies which address family should be used by sshd(8). Valid |
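Review bot: The new sentence on the right-hand side ("the TERM environment variable is always sent whenever the client requests a pseudo-terminal as it is required by the protocol") describes client behaviour, but this is the server configuration manual and the reader of AcceptEnv wants the server-side consequence: whether TERM ends up in the session environment even when AcceptEnv is left at its default of accepting nothing. Suggest rewording along the lines of "TERM is always accepted when the client requests a pseudo-terminal, as the protocol requires it, and is not subject to AcceptEnv" if that is the intended behaviour, so that operators auditing restricted environments know which variable they cannot filter with this directive.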
@@ -122,15 +124,25 @@ DESCRIPTION | |||
122 | 124 | ||
123 | AuthorizedKeysCommand | 125 | AuthorizedKeysCommand |
124 | Specifies a program to be used to look up the user's public keys. | 126 | Specifies a program to be used to look up the user's public keys. |
125 | The program must be owned by root and not writable by group or | 127 | The program must be owned by root, not writable by group or |
126 | others. It will be invoked with a single argument of the | 128 | others and specified by an absolute path. |
127 | username being authenticated, and should produce on standard | 129 | |
128 | output zero or more lines of authorized_keys output (see | 130 | Arguments to AuthorizedKeysCommand may be provided using the |
129 | AUTHORIZED_KEYS in sshd(8)). If a key supplied by | 131 | following tokens, which will be expanded at runtime: %% is |
130 | AuthorizedKeysCommand does not successfully authenticate and | 132 | replaced by a literal '%', %u is replaced by the username being |
131 | authorize the user then public key authentication continues using | 133 | authenticated, %h is replaced by the home directory of the user |
132 | the usual AuthorizedKeysFile files. By default, no | 134 | being authenticated, %t is replaced with the key type offered for |
133 | AuthorizedKeysCommand is run. | 135 | authentication, %f is replaced with the fingerprint of the key, |
136 | and %k is replaced with the key being offered for authentication. | ||
137 | If no arguments are specified then the username of the target | ||
138 | user will be supplied. | ||
139 | |||
140 | The program should produce on standard output zero or more lines | ||
141 | of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)). If a | ||
142 | key supplied by AuthorizedKeysCommand does not successfully | ||
143 | authenticate and authorize the user then public key | ||
144 | authentication continues using the usual AuthorizedKeysFile | ||
145 | files. By default, no AuthorizedKeysCommand is run. | ||
134 | 146 | ||
135 | AuthorizedKeysCommandUser | 147 | AuthorizedKeysCommandUser |
136 | Specifies the user under whose account the AuthorizedKeysCommand | 148 | Specifies the user under whose account the AuthorizedKeysCommand |
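Review bot: The new token paragraph (right-hand lines 130-138) says nothing about how the AuthorizedKeysCommand line is split into arguments, nor whether values substituted for tokens are split again; this matters because %k ("the key being offered for authentication") and %h (a home directory) can contain whitespace, and a program that receives a key split across two arguments will silently match nothing or match the wrong thing. Suggest adding a sentence stating the splitting rule (for example, that the line is split on whitespace before tokens are expanded, if that is the case). The same paragraph should also say what format %f ("the fingerprint of the key") takes, since a lookup program matching on fingerprints must know the hash algorithm and encoding it will be handed.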
@@ -153,6 +165,33 @@ DESCRIPTION | |||
153 | listed, separated by whitespace. The default is | 165 | listed, separated by whitespace. The default is |
154 | M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. | 166 | M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. |
155 | 167 | ||
168 | AuthorizedPrincipalsCommand | ||
169 | Specifies a program to be used to generate the list of allowed | ||
170 | certificate principals as per AuthorizedPrincipalsFile. The | ||
171 | program must be owned by root, not writable by group or others | ||
172 | and specified by an absolute path. | ||
173 | |||
174 | Arguments to AuthorizedPrincipalsCommand may be provided using | ||
175 | the following tokens, which will be expanded at runtime: %% is | ||
176 | replaced by a literal '%', %u is replaced by the username being | ||
177 | authenticated and %h is replaced by the home directory of the | ||
178 | user being authenticated. | ||
179 | |||
180 | The program should produce on standard output zero or more lines | ||
181 | of AuthorizedPrincipalsFile output. If either | ||
182 | AuthorizedPrincipalsCommand or AuthorizedPrincipalsFile is | ||
183 | specified, then certificates offered by the client for | ||
184 | authentication must contain a principal that is listed. By | ||
185 | default, no AuthorizedPrincipalsCommand is run. | ||
186 | |||
187 | AuthorizedPrincipalsCommandUser | ||
188 | Specifies the user under whose account the | ||
189 | AuthorizedPrincipalsCommand is run. It is recommended to use a | ||
190 | dedicated user that has no other role on the host than running | ||
191 | authorized principals commands. If AuthorizedPrincipalsCommand | ||
192 | is specified but AuthorizedPrincipalsCommandUser is not, then | ||
193 | sshd(8) will refuse to start. | ||
194 | |||
156 | AuthorizedPrincipalsFile | 195 | AuthorizedPrincipalsFile |
157 | Specifies a file that lists principal names that are accepted for | 196 | Specifies a file that lists principal names that are accepted for |
158 | certificate authentication. When using certificates signed by a | 197 | certificate authentication. When using certificates signed by a |
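Review bot: The AuthorizedPrincipalsCommand text (right-hand lines 168-185) states that when either AuthorizedPrincipalsCommand or AuthorizedPrincipalsFile is set the certificate must contain a listed principal, but it does not say how the two sources combine when both are configured (union of both lists, or one taking precedence), nor what happens when the command exits with a non-zero status or cannot be run. The AuthorizedKeysCommand paragraph above at least says that a failed key lookup falls back to AuthorizedKeysFile; suggest adding the equivalent statements here so an administrator can tell whether a misconfigured command fails closed. Also consider stating the same absolute-path and ownership requirements are enforced at startup rather than per login, as the "refuse to start" wording for the CommandUser case suggests.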
@@ -344,6 +383,15 @@ DESCRIPTION | |||
344 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option | 383 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option |
345 | applies to protocol version 2 only. | 384 | applies to protocol version 2 only. |
346 | 385 | ||
386 | GSSAPIStrictAcceptorCheck | ||
387 | Determines whether to be strict about the identity of the GSSAPI | ||
388 | acceptor a client authenticates against. If set to M-bM-^@M-^\yesM-bM-^@M-^] then | ||
389 | the client must authenticate against the host service on the | ||
390 | current hostname. If set to M-bM-^@M-^\noM-bM-^@M-^] then the client may | ||
391 | authenticate against any service key stored in the machine's | ||
392 | default store. This facility is provided to assist with | ||
393 | operation on multi homed machines. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | ||
394 | |||
347 | HostbasedAcceptedKeyTypes | 395 | HostbasedAcceptedKeyTypes |
348 | Specifies the key types that will be accepted for hostbased | 396 | Specifies the key types that will be accepted for hostbased |
349 | authentication as a comma-separated pattern list. The default | 397 | authentication as a comma-separated pattern list. The default |
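Review bot: The new GSSAPIStrictAcceptorCheck entry (right-hand lines 386-393) documents the "no" setting neutrally, but accepting "any service key stored in the machine's default store" widens which credentials a client can authenticate against, so the text should say plainly that "yes" is the safer choice and that "no" should only be used where multihoming actually requires it. Minor: "multi homed" should be hyphenated as "multi-homed".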
@@ -484,10 +532,8 @@ DESCRIPTION | |||
484 | ListenAddress [host|IPv6_addr]:port | 532 | ListenAddress [host|IPv6_addr]:port |
485 | 533 | ||
486 | If port is not specified, sshd will listen on the address and all | 534 | If port is not specified, sshd will listen on the address and all |
487 | prior Port options specified. The default is to listen on all | 535 | Port options specified. The default is to listen on all local |
488 | local addresses. Multiple ListenAddress options are permitted. | 536 | addresses. Multiple ListenAddress options are permitted. |
489 | Additionally, any Port options must precede this option for non- | ||
490 | port qualified addresses. | ||
491 | 537 | ||
492 | LoginGraceTime | 538 | LoginGraceTime |
493 | The server disconnects after this time if the user has not | 539 | The server disconnects after this time if the user has not |
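Review bot: The hunk drops the sentence "any Port options must precede this option for non-port qualified addresses" and changes "all prior Port options" to "all Port options specified", which implies the ordering requirement no longer exists, but it never says so. Since the old text made ordering a correctness requirement, suggest an explicit sentence such as "Port options may appear before or after ListenAddress" (if that is now the behaviour), so administrators with existing configurations are not left guessing. The resulting phrase "listen on the address and all Port options specified" also reads oddly; "listen on the address on every port given by a Port option" is clearer.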
@@ -628,7 +674,7 @@ DESCRIPTION | |||
628 | PermitRootLogin | 674 | PermitRootLogin |
629 | Specifies whether root can log in using ssh(1). The argument | 675 | Specifies whether root can log in using ssh(1). The argument |
630 | must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or | 676 | must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or |
631 | M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 677 | M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
632 | 678 | ||
633 | If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^], password | 679 | If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^], password |
634 | authentication is disabled for root. | 680 | authentication is disabled for root. |
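Review bot: Changing the PermitRootLogin default from "yes" to "no" (right-hand line 677) is a security-relevant behaviour change for any deployment that relied on the implicit default, and the hunk changes only the default sentence. Suggest adding a note that the default was previously "yes", so that anyone upgrading knows to set PermitRootLogin explicitly if they still require root logins, and so that the hardening gain is visible to readers comparing releases.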
@@ -667,7 +713,8 @@ DESCRIPTION | |||
667 | 713 | ||
668 | PidFile | 714 | PidFile |
669 | Specifies the file that contains the process ID of the SSH | 715 | Specifies the file that contains the process ID of the SSH |
670 | daemon. The default is /var/run/sshd.pid. | 716 | daemon, or M-bM-^@M-^\noneM-bM-^@M-^] to not write one. The default is |
717 | /var/run/sshd.pid. | ||
671 | 718 | ||
672 | Port Specifies the port number that sshd(8) listens on. The default | 719 | Port Specifies the port number that sshd(8) listens on. The default |
673 | is 22. Multiple options of this type are permitted. See also | 720 | is 22. Multiple options of this type are permitted. See also |
@@ -718,13 +765,14 @@ DESCRIPTION | |||
718 | applies to protocol version 2 only. | 765 | applies to protocol version 2 only. |
719 | 766 | ||
720 | RevokedKeys | 767 | RevokedKeys |
721 | Specifies revoked public keys. Keys listed in this file will be | 768 | Specifies revoked public keys file, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. |
722 | refused for public key authentication. Note that if this file is | 769 | Keys listed in this file will be refused for public key |
723 | not readable, then public key authentication will be refused for | 770 | authentication. Note that if this file is not readable, then |
724 | all users. Keys may be specified as a text file, listing one | 771 | public key authentication will be refused for all users. Keys |
725 | public key per line, or as an OpenSSH Key Revocation List (KRL) | 772 | may be specified as a text file, listing one public key per line, |
726 | as generated by ssh-keygen(1). For more information on KRLs, see | 773 | or as an OpenSSH Key Revocation List (KRL) as generated by |
727 | the KEY REVOCATION LISTS section in ssh-keygen(1). | 774 | ssh-keygen(1). For more information on KRLs, see the KEY |
775 | REVOCATION LISTS section in ssh-keygen(1). | ||
728 | 776 | ||
729 | RhostsRSAAuthentication | 777 | RhostsRSAAuthentication |
730 | Specifies whether rhosts or /etc/hosts.equiv authentication | 778 | Specifies whether rhosts or /etc/hosts.equiv authentication |
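Review bot: The new first sentence at right-hand line 768 is missing an article ("Specifies revoked public keys file"); it should read "Specifies the revoked public keys file, or 'none' to not use one." Now that "none" is a spellable value, the paragraph should also state the default (presumably "none"), since at present the reader cannot tell from this entry whether revocation checking is active without configuration.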
@@ -810,14 +858,15 @@ DESCRIPTION | |||
810 | TrustedUserCAKeys | 858 | TrustedUserCAKeys |
811 | Specifies a file containing public keys of certificate | 859 | Specifies a file containing public keys of certificate |
812 | authorities that are trusted to sign user certificates for | 860 | authorities that are trusted to sign user certificates for |
813 | authentication. Keys are listed one per line; empty lines and | 861 | authentication, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. Keys are listed one |
814 | comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are allowed. If a certificate is | 862 | per line; empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are allowed. |
815 | presented for authentication and has its signing CA key listed in | 863 | If a certificate is presented for authentication and has its |
816 | this file, then it may be used for authentication for any user | 864 | signing CA key listed in this file, then it may be used for |
817 | listed in the certificate's principals list. Note that | 865 | authentication for any user listed in the certificate's |
818 | certificates that lack a list of principals will not be permitted | 866 | principals list. Note that certificates that lack a list of |
819 | for authentication using TrustedUserCAKeys. For more details on | 867 | principals will not be permitted for authentication using |
820 | certificates, see the CERTIFICATES section in ssh-keygen(1). | 868 | TrustedUserCAKeys. For more details on certificates, see the |
869 | CERTIFICATES section in ssh-keygen(1). | ||
821 | 870 | ||
822 | UseDNS Specifies whether sshd(8) should look up the remote host name and | 871 | UseDNS Specifies whether sshd(8) should look up the remote host name and |
823 | check that the resolved host name for the remote IP address maps | 872 | check that the resolved host name for the remote IP address maps |
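Review bot: As with RevokedKeys, this hunk introduces "none" as an accepted value for TrustedUserCAKeys (right-hand line 861) but the paragraph still ends without a "The default is ..." sentence. Suggest adding one so the entry is consistent with the other options in this file and so it is clear that certificate authentication via a CA is off unless a file is named.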
@@ -901,8 +950,8 @@ DESCRIPTION | |||
901 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 950 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
902 | 951 | ||
903 | XAuthLocation | 952 | XAuthLocation |
904 | Specifies the full pathname of the xauth(1) program. The default | 953 | Specifies the full pathname of the xauth(1) program, or M-bM-^@M-^\noneM-bM-^@M-^] to |
905 | is /usr/X11R6/bin/xauth. | 954 | not use one. The default is /usr/X11R6/bin/xauth. |
906 | 955 | ||
907 | TIME FORMATS | 956 | TIME FORMATS |
908 | sshd(8) command-line arguments and configuration file options that | 957 | sshd(8) command-line arguments and configuration file options that |
@@ -943,4 +992,4 @@ AUTHORS | |||
943 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 992 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
944 | for privilege separation. | 993 | for privilege separation. |
945 | 994 | ||
946 | OpenBSD 5.7 February 20, 2015 OpenBSD 5.7 | 995 | OpenBSD 5.7 June 5, 2015 OpenBSD 5.7 |