diff options
| author | Colin Watson <cjwatson@debian.org> | 2015-08-19 17:00:17 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 17:00:17 +0100 |
| commit | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (patch) | |
| tree | 33d2a87dd50fe5894ac6ec4579c83401b7ab00a4 /sshd_config.0 | |
| parent | baccdb349b31c47cd76fb63211f754ed33a9707e (diff) | |
| parent | 7de4b03a6e4071d454b72927ffaf52949fa34545 (diff) | |
Import openssh_6.9p1.orig.tar.gz
Diffstat (limited to 'sshd_config.0')
| -rw-r--r-- | sshd_config.0 | 131 |
1 files changed, 90 insertions, 41 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index be48e1364..641041852 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
| @@ -20,14 +20,16 @@ DESCRIPTION | |||
| 20 | Specifies what environment variables sent by the client will be | 20 | Specifies what environment variables sent by the client will be |
| 21 | copied into the session's environ(7). See SendEnv in | 21 | copied into the session's environ(7). See SendEnv in |
| 22 | ssh_config(5) for how to configure the client. Note that | 22 | ssh_config(5) for how to configure the client. Note that |
| 23 | environment passing is only supported for protocol 2. Variables | 23 | environment passing is only supported for protocol 2, and that |
| 24 | are specified by name, which may contain the wildcard characters | 24 | the TERM environment variable is always sent whenever the client |
| 25 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be separated by | 25 | requests a pseudo-terminal as it is required by the protocol. |
| 26 | whitespace or spread across multiple AcceptEnv directives. Be | 26 | Variables are specified by name, which may contain the wildcard |
| 27 | warned that some environment variables could be used to bypass | 27 | characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be |
| 28 | restricted user environments. For this reason, care should be | 28 | separated by whitespace or spread across multiple AcceptEnv |
| 29 | taken in the use of this directive. The default is not to accept | 29 | directives. Be warned that some environment variables could be |
| 30 | any environment variables. | 30 | used to bypass restricted user environments. For this reason, |
| 31 | care should be taken in the use of this directive. The default | ||
| 32 | is not to accept any environment variables. | ||
| 31 | 33 | ||
| 32 | AddressFamily | 34 | AddressFamily |
| 33 | Specifies which address family should be used by sshd(8). Valid | 35 | Specifies which address family should be used by sshd(8). Valid |
| @@ -122,15 +124,25 @@ DESCRIPTION | |||
| 122 | 124 | ||
| 123 | AuthorizedKeysCommand | 125 | AuthorizedKeysCommand |
| 124 | Specifies a program to be used to look up the user's public keys. | 126 | Specifies a program to be used to look up the user's public keys. |
| 125 | The program must be owned by root and not writable by group or | 127 | The program must be owned by root, not writable by group or |
| 126 | others. It will be invoked with a single argument of the | 128 | others and specified by an absolute path. |
| 127 | username being authenticated, and should produce on standard | 129 | |
| 128 | output zero or more lines of authorized_keys output (see | 130 | Arguments to AuthorizedKeysCommand may be provided using the |
| 129 | AUTHORIZED_KEYS in sshd(8)). If a key supplied by | 131 | following tokens, which will be expanded at runtime: %% is |
| 130 | AuthorizedKeysCommand does not successfully authenticate and | 132 | replaced by a literal '%', %u is replaced by the username being |
| 131 | authorize the user then public key authentication continues using | 133 | authenticated, %h is replaced by the home directory of the user |
| 132 | the usual AuthorizedKeysFile files. By default, no | 134 | being authenticated, %t is replaced with the key type offered for |
| 133 | AuthorizedKeysCommand is run. | 135 | authentication, %f is replaced with the fingerprint of the key, |
| 136 | and %k is replaced with the key being offered for authentication. | ||
| 137 | If no arguments are specified then the username of the target | ||
| 138 | user will be supplied. | ||
| 139 | |||
| 140 | The program should produce on standard output zero or more lines | ||
| 141 | of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)). If a | ||
| 142 | key supplied by AuthorizedKeysCommand does not successfully | ||
| 143 | authenticate and authorize the user then public key | ||
| 144 | authentication continues using the usual AuthorizedKeysFile | ||
| 145 | files. By default, no AuthorizedKeysCommand is run. | ||
| 134 | 146 | ||
| 135 | AuthorizedKeysCommandUser | 147 | AuthorizedKeysCommandUser |
| 136 | Specifies the user under whose account the AuthorizedKeysCommand | 148 | Specifies the user under whose account the AuthorizedKeysCommand |
| @@ -153,6 +165,33 @@ DESCRIPTION | |||
| 153 | listed, separated by whitespace. The default is | 165 | listed, separated by whitespace. The default is |
| 154 | M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. | 166 | M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. |
| 155 | 167 | ||
| 168 | AuthorizedPrincipalsCommand | ||
| 169 | Specifies a program to be used to generate the list of allowed | ||
| 170 | certificate principals as per AuthorizedPrincipalsFile. The | ||
| 171 | program must be owned by root, not writable by group or others | ||
| 172 | and specified by an absolute path. | ||
| 173 | |||
| 174 | Arguments to AuthorizedPrincipalsCommand may be provided using | ||
| 175 | the following tokens, which will be expanded at runtime: %% is | ||
| 176 | replaced by a literal '%', %u is replaced by the username being | ||
| 177 | authenticated and %h is replaced by the home directory of the | ||
| 178 | user being authenticated. | ||
| 179 | |||
| 180 | The program should produce on standard output zero or more lines | ||
| 181 | of AuthorizedPrincipalsFile output. If either | ||
| 182 | AuthorizedPrincipalsCommand or AuthorizedPrincipalsFile is | ||
| 183 | specified, then certificates offered by the client for | ||
| 184 | authentication must contain a principal that is listed. By | ||
| 185 | default, no AuthorizedPrincipalsCommand is run. | ||
| 186 | |||
| 187 | AuthorizedPrincipalsCommandUser | ||
| 188 | Specifies the user under whose account the | ||
| 189 | AuthorizedPrincipalsCommand is run. It is recommended to use a | ||
| 190 | dedicated user that has no other role on the host than running | ||
| 191 | authorized principals commands. If AuthorizedPrincipalsCommand | ||
| 192 | is specified but AuthorizedPrincipalsCommandUser is not, then | ||
| 193 | sshd(8) will refuse to start. | ||
| 194 | |||
| 156 | AuthorizedPrincipalsFile | 195 | AuthorizedPrincipalsFile |
| 157 | Specifies a file that lists principal names that are accepted for | 196 | Specifies a file that lists principal names that are accepted for |
| 158 | certificate authentication. When using certificates signed by a | 197 | certificate authentication. When using certificates signed by a |
| @@ -344,6 +383,15 @@ DESCRIPTION | |||
| 344 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option | 383 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option |
| 345 | applies to protocol version 2 only. | 384 | applies to protocol version 2 only. |
| 346 | 385 | ||
| 386 | GSSAPIStrictAcceptorCheck | ||
| 387 | Determines whether to be strict about the identity of the GSSAPI | ||
| 388 | acceptor a client authenticates against. If set to M-bM-^@M-^\yesM-bM-^@M-^] then | ||
| 389 | the client must authenticate against the host service on the | ||
| 390 | current hostname. If set to M-bM-^@M-^\noM-bM-^@M-^] then the client may | ||
| 391 | authenticate against any service key stored in the machine's | ||
| 392 | default store. This facility is provided to assist with | ||
| 393 | operation on multi homed machines. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | ||
| 394 | |||
| 347 | HostbasedAcceptedKeyTypes | 395 | HostbasedAcceptedKeyTypes |
| 348 | Specifies the key types that will be accepted for hostbased | 396 | Specifies the key types that will be accepted for hostbased |
| 349 | authentication as a comma-separated pattern list. The default | 397 | authentication as a comma-separated pattern list. The default |
| @@ -484,10 +532,8 @@ DESCRIPTION | |||
| 484 | ListenAddress [host|IPv6_addr]:port | 532 | ListenAddress [host|IPv6_addr]:port |
| 485 | 533 | ||
| 486 | If port is not specified, sshd will listen on the address and all | 534 | If port is not specified, sshd will listen on the address and all |
| 487 | prior Port options specified. The default is to listen on all | 535 | Port options specified. The default is to listen on all local |
| 488 | local addresses. Multiple ListenAddress options are permitted. | 536 | addresses. Multiple ListenAddress options are permitted. |
| 489 | Additionally, any Port options must precede this option for non- | ||
| 490 | port qualified addresses. | ||
| 491 | 537 | ||
| 492 | LoginGraceTime | 538 | LoginGraceTime |
| 493 | The server disconnects after this time if the user has not | 539 | The server disconnects after this time if the user has not |
| @@ -628,7 +674,7 @@ DESCRIPTION | |||
| 628 | PermitRootLogin | 674 | PermitRootLogin |
| 629 | Specifies whether root can log in using ssh(1). The argument | 675 | Specifies whether root can log in using ssh(1). The argument |
| 630 | must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or | 676 | must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or |
| 631 | M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 677 | M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| 632 | 678 | ||
| 633 | If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^], password | 679 | If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^], password |
| 634 | authentication is disabled for root. | 680 | authentication is disabled for root. |
| @@ -667,7 +713,8 @@ DESCRIPTION | |||
| 667 | 713 | ||
| 668 | PidFile | 714 | PidFile |
| 669 | Specifies the file that contains the process ID of the SSH | 715 | Specifies the file that contains the process ID of the SSH |
| 670 | daemon. The default is /var/run/sshd.pid. | 716 | daemon, or M-bM-^@M-^\noneM-bM-^@M-^] to not write one. The default is |
| 717 | /var/run/sshd.pid. | ||
| 671 | 718 | ||
| 672 | Port Specifies the port number that sshd(8) listens on. The default | 719 | Port Specifies the port number that sshd(8) listens on. The default |
| 673 | is 22. Multiple options of this type are permitted. See also | 720 | is 22. Multiple options of this type are permitted. See also |
| @@ -718,13 +765,14 @@ DESCRIPTION | |||
| 718 | applies to protocol version 2 only. | 765 | applies to protocol version 2 only. |
| 719 | 766 | ||
| 720 | RevokedKeys | 767 | RevokedKeys |
| 721 | Specifies revoked public keys. Keys listed in this file will be | 768 | Specifies revoked public keys file, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. |
| 722 | refused for public key authentication. Note that if this file is | 769 | Keys listed in this file will be refused for public key |
| 723 | not readable, then public key authentication will be refused for | 770 | authentication. Note that if this file is not readable, then |
| 724 | all users. Keys may be specified as a text file, listing one | 771 | public key authentication will be refused for all users. Keys |
| 725 | public key per line, or as an OpenSSH Key Revocation List (KRL) | 772 | may be specified as a text file, listing one public key per line, |
| 726 | as generated by ssh-keygen(1). For more information on KRLs, see | 773 | or as an OpenSSH Key Revocation List (KRL) as generated by |
| 727 | the KEY REVOCATION LISTS section in ssh-keygen(1). | 774 | ssh-keygen(1). For more information on KRLs, see the KEY |
| 775 | REVOCATION LISTS section in ssh-keygen(1). | ||
| 728 | 776 | ||
| 729 | RhostsRSAAuthentication | 777 | RhostsRSAAuthentication |
| 730 | Specifies whether rhosts or /etc/hosts.equiv authentication | 778 | Specifies whether rhosts or /etc/hosts.equiv authentication |
| @@ -810,14 +858,15 @@ DESCRIPTION | |||
| 810 | TrustedUserCAKeys | 858 | TrustedUserCAKeys |
| 811 | Specifies a file containing public keys of certificate | 859 | Specifies a file containing public keys of certificate |
| 812 | authorities that are trusted to sign user certificates for | 860 | authorities that are trusted to sign user certificates for |
| 813 | authentication. Keys are listed one per line; empty lines and | 861 | authentication, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. Keys are listed one |
| 814 | comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are allowed. If a certificate is | 862 | per line; empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are allowed. |
| 815 | presented for authentication and has its signing CA key listed in | 863 | If a certificate is presented for authentication and has its |
| 816 | this file, then it may be used for authentication for any user | 864 | signing CA key listed in this file, then it may be used for |
| 817 | listed in the certificate's principals list. Note that | 865 | authentication for any user listed in the certificate's |
| 818 | certificates that lack a list of principals will not be permitted | 866 | principals list. Note that certificates that lack a list of |
| 819 | for authentication using TrustedUserCAKeys. For more details on | 867 | principals will not be permitted for authentication using |
| 820 | certificates, see the CERTIFICATES section in ssh-keygen(1). | 868 | TrustedUserCAKeys. For more details on certificates, see the |
| 869 | CERTIFICATES section in ssh-keygen(1). | ||
| 821 | 870 | ||
| 822 | UseDNS Specifies whether sshd(8) should look up the remote host name and | 871 | UseDNS Specifies whether sshd(8) should look up the remote host name and |
| 823 | check that the resolved host name for the remote IP address maps | 872 | check that the resolved host name for the remote IP address maps |
| @@ -901,8 +950,8 @@ DESCRIPTION | |||
| 901 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 950 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| 902 | 951 | ||
| 903 | XAuthLocation | 952 | XAuthLocation |
| 904 | Specifies the full pathname of the xauth(1) program. The default | 953 | Specifies the full pathname of the xauth(1) program, or M-bM-^@M-^\noneM-bM-^@M-^] to |
| 905 | is /usr/X11R6/bin/xauth. | 954 | not use one. The default is /usr/X11R6/bin/xauth. |
| 906 | 955 | ||
| 907 | TIME FORMATS | 956 | TIME FORMATS |
| 908 | sshd(8) command-line arguments and configuration file options that | 957 | sshd(8) command-line arguments and configuration file options that |
| @@ -943,4 +992,4 @@ AUTHORS | |||
| 943 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 992 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
| 944 | for privilege separation. | 993 | for privilege separation. |
| 945 | 994 | ||
| 946 | OpenBSD 5.7 February 20, 2015 OpenBSD 5.7 | 995 | OpenBSD 5.7 June 5, 2015 OpenBSD 5.7 |