author Colin Watson <cjwatson@debian.org> 2010-03-31 00:48:57 +0100
committer Colin Watson <cjwatson@debian.org> 2010-03-31 00:48:57 +0100
commit d1a87e462e1db89f19cd960588d0c6b287cb5ccc (patch)
tree f0d13e1687800f36a3c4322b94ac5230ad17bdbf /sshd_config.0
parent 964476f91b66c475d5b8fa1e8b28d39a97a1b56e (diff)
parent 004a7fb9c6a00b13dc98f56599918a54a3506d10 (diff)
merge 5.4p1
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- sshd_config.0 | 51
1 files changed, 38 insertions, 13 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 9e73c5906..a9162f18d 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -93,14 +93,14 @@ DESCRIPTION
93 login.conf(5)) The default is ``yes''. 93 login.conf(5)) The default is ``yes''.
94 94
95 ChrootDirectory 95 ChrootDirectory
96 Specifies a path to chroot(2) to after authentication. This 96 Specifies the pathname of a directory to chroot(2) to after au-
97 path, and all its components, must be root-owned directories that 97 thentication. All components of the pathname must be root-owned
98 are not writable by any other user or group. After the chroot, 98 directories that are not writable by any other user or group.
99 sshd(8) changes the working directory to the user's home directo- 99 After the chroot, sshd(8) changes the working directory to the
100 ry. 100 user's home directory.
101 101
102 The path may contain the following tokens that are expanded at 102 The pathname may contain the following tokens that are expanded
103 runtime once the connecting user has been authenticated: %% is 103 at runtime once the connecting user has been authenticated: %% is
104 replaced by a literal '%', %h is replaced by the home directory 104 replaced by a literal '%', %h is replaced by the home directory
105 of the user being authenticated, and %u is replaced by the user- 105 of the user being authenticated, and %u is replaced by the user-
106 name of that user. 106 name of that user.
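Review bot: the reworded requirement "All components of the pathname must be root-owned directories that are not writable by any other user or group" is clearer than the old text, but the following paragraph says %h and %u are expanded at runtime, so the hunk should state that the requirement applies to the expanded pathname. As written, a reader can miss that ChrootDirectory %h only satisfies the check when the user's home directory itself is root-owned and not writable by that user, which is the usual reason a chroot setup fails.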
@@ -235,6 +235,12 @@ DESCRIPTION
235 resolve the name from the TCP connection itself. The default is 235 resolve the name from the TCP connection itself. The default is
236 ``no''. 236 ``no''.
237 237
238 HostCertificate
239 Specifies a file containing a public host certificate. The cer-
240 tificate's public key must match a private host key already spec-
241 ified by HostKey. The default behaviour of sshd(8) is not to
242 load any certificates.
243
238 HostKey 244 HostKey
239 Specifies a file containing a private host key used by SSH. The 245 Specifies a file containing a private host key used by SSH. The
240 default is /etc/ssh/ssh_host_key for protocol version 1, and 246 default is /etc/ssh/ssh_host_key for protocol version 1, and
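Review bot: the new HostCertificate entry says the certificate's public key "must match a private host key already specified by HostKey" but does not say what sshd(8) does when it does not match, nor whether the keyword may be repeated once per HostKey as HostKey itself is. Both are worth a sentence, since a silently ignored certificate would leave the server presenting a plain host key while the operator believes certificates are in use.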
@@ -346,8 +352,8 @@ DESCRIPTION
346 KbdInteractiveAuthentication, KerberosAuthentication, 352 KbdInteractiveAuthentication, KerberosAuthentication,
347 MaxAuthTries, MaxSessions, PasswordAuthentication, 353 MaxAuthTries, MaxSessions, PasswordAuthentication,
348 PermitEmptyPasswords, PermitOpen, PermitRootLogin, 354 PermitEmptyPasswords, PermitOpen, PermitRootLogin,
349 RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, 355 PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
350 X11Forwarding and X11UseLocalHost. 356 X11DisplayOffset, X11Forwarding and X11UseLocalHost.
351 357
352 MaxAuthTries 358 MaxAuthTries
353 Specifies the maximum number of authentication attempts permitted 359 Specifies the maximum number of authentication attempts permitted
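Review bot: PubkeyAuthentication is added to the list of keywords usable in a Match block, but RevokedKeys and TrustedUserCAKeys, which this same patch introduces, are not added here. If they are intentionally global-only, the omission is correct, but it should be confirmed, because an operator reading this list might otherwise expect to scope CA trust or revocation per user or address.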
@@ -445,7 +451,7 @@ DESCRIPTION
445 Protocol 451 Protocol
446 Specifies the protocol versions sshd(8) supports. The possible 452 Specifies the protocol versions sshd(8) supports. The possible
447 values are `1' and `2'. Multiple versions must be comma-separat- 453 values are `1' and `2'. Multiple versions must be comma-separat-
448 ed. The default is ``2,1''. Note that the order of the protocol 454 ed. The default is `2'. Note that the order of the protocol
449 list does not indicate preference, because the client selects 455 list does not indicate preference, because the client selects
450 among multiple protocol versions offered by the server. Specify- 456 among multiple protocol versions offered by the server. Specify-
451 ing ``2,1'' is identical to ``1,2''. 457 ing ``2,1'' is identical to ``1,2''.
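Review bot: the default changing from ``2,1'' to `2' is the security-relevant change in this hunk (protocol 1 must now be enabled explicitly), but the new value uses single `2' quoting while the surrounding text keeps the ``...'' style; make the quoting consistent. The closing sentence "Specifying ``2,1'' is identical to ``1,2''" now describes a non-default configuration, so consider adding that protocol 1 is disabled unless listed.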
@@ -455,6 +461,12 @@ DESCRIPTION
455 fault is ``yes''. Note that this option applies to protocol ver- 461 fault is ``yes''. Note that this option applies to protocol ver-
456 sion 2 only. 462 sion 2 only.
457 463
464 RevokedKeys
465 Specifies a list of revoked public keys. Keys listed in this
466 file will be refused for public key authentication. Note that if
467 this file is not readable, then public key authentication will be
468 refused for all users.
469
458 RhostsRSAAuthentication 470 RhostsRSAAuthentication
459 Specifies whether rhosts or /etc/hosts.equiv authentication to- 471 Specifies whether rhosts or /etc/hosts.equiv authentication to-
460 gether with successful RSA host authentication is allowed. The 472 gether with successful RSA host authentication is allowed. The
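Review bot: the fail-closed behaviour ("if this file is not readable, then public key authentication will be refused for all users") is the right default and worth keeping prominent, but the entry gives no file format. State whether it takes the same one-key-per-line form described for TrustedUserCAKeys later in this patch, and whether a listed key also blocks certificate-based authentication introduced alongside it, since an operator revoking a compromised key needs to know both.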
@@ -475,7 +487,8 @@ DESCRIPTION
475 of the user's files and home directory before accepting login. 487 of the user's files and home directory before accepting login.
476 This is normally desirable because novices sometimes accidentally 488 This is normally desirable because novices sometimes accidentally
477 leave their directory or files world-writable. The default is 489 leave their directory or files world-writable. The default is
478 ``yes''. 490 ``yes''. Note that this does not apply to ChrootDirectory, whose
491 permissions and ownership are checked unconditionally.
479 492
480 Subsystem 493 Subsystem
481 Configures an external subsystem (e.g. file transfer daemon). 494 Configures an external subsystem (e.g. file transfer daemon).
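Review bot: the added sentence that StrictModes does not apply to ChrootDirectory, "whose permissions and ownership are checked unconditionally", is a useful clarification that StrictModes ``no'' cannot be used to relax the chroot requirements; it would read better as a cross-reference to the ChrootDirectory entry, which already states the root-owned, not-writable rule, so the two descriptions stay in sync when either changes.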
@@ -515,6 +528,18 @@ DESCRIPTION
515 To disable TCP keepalive messages, the value should be set to 528 To disable TCP keepalive messages, the value should be set to
516 ``no''. 529 ``no''.
517 530
531 TrustedUserCAKeys
532 Specifies a file containing public keys of certificate authori-
533 ties that are trusted to sign user certificates for authentica-
534 tion. Keys are listed one per line; empty lines and comments
535 starting with `#' are allowed. If a certificate is presented for
536 authentication and has its signing CA key listed in this file,
537 then it may be used for authentication for any user listed in the
538 certificate's principals list. Note that certificates that lack
539 a list of principals will not be permitted for authentication us-
540 ing TrustedUserCAKeys. For more details on certificates, see the
541 CERTIFICATES section in ssh-keygen(1).
542
518 UseDNS Specifies whether sshd(8) should look up the remote host name and 543 UseDNS Specifies whether sshd(8) should look up the remote host name and
519 check that the resolved host name for the remote IP address maps 544 check that the resolved host name for the remote IP address maps
520 back to the very same IP address. The default is ``yes''. 545 back to the very same IP address. The default is ``yes''.
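Review bot: the new TrustedUserCAKeys entry correctly states that certificates lacking a principals list are refused, but "may be used for authentication for any user listed in the certificate's principals list" should say explicitly that the login name must appear verbatim in that list, since that is the only check described here. It should also say how this interacts with the RevokedKeys entry added in this same patch, so that an operator knows whether a revoked CA key or user key is honoured for certificate logins as well as plain public keys.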
@@ -631,4 +656,4 @@ AUTHORS
631 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 656 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
632 for privilege separation. 657 for privilege separation.
633 658
634OpenBSD 4.6 April 21, 2009 10 659OpenBSD 4.6 March 4, 2010 10