author:    Colin Watson <cjwatson@debian.org>  2003-09-01 18:33:32 +0000
committer: Colin Watson <cjwatson@debian.org>  2003-09-01 18:33:32 +0000
commit:    58bfa257481a1c6938ada9bbd38801cc45633fb0
tree:      385160ff5c19376a1e1bfd34fcf5c91cff42908e  /sshd_config.0
parent:    ae225aa5594655e3fa5685b4dd7f2ae0e1a5e2d7
parent:    58657d96514cd6f16d82add8d6f4adbb36765758
Import OpenSSH 3.6p1.
Diffstat (limited to 'sshd_config.0')
-rw-r--r--  sshd_config.0  469
1 file changed, 469 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0
new file mode 100644
index 000000000..e234efdb4
--- /dev/null
+++ b/sshd_config.0
@@ -0,0 +1,469 @@
1SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5)
2
3^[[1mNAME^[[0m
4 ^[[1msshd_config ^[[22mM-bMM-^R OpenSSH SSH daemon configuration file
5
6^[[1mSYNOPSIS^[[0m
7 ^[[4m/etc/ssh/sshd_config^[[0m
8
9^[[1mDESCRIPTION^[[0m
10 ^[[1msshd ^[[22mreads configuration data from ^[[4m/etc/ssh/sshd_config^[[24m (or the file
11 specified with ^[[1mM-bMM-^Rf ^[[22mon the command line). The file contains keywordM-bM-^@M-^ParguM-bM-^@M-^P
12 ment pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are
13 interpreted as comments.
14
15 The possible keywords and their meanings are as follows (note that keyM-bM-^@M-^P
16 words are caseM-bM-^@M-^Pinsensitive and arguments are caseM-bM-^@M-^Psensitive):
17
18 ^[[1mAFSTokenPassing^[[0m
19 Specifies whether an AFS token may be forwarded to the server.
20 Default is M-bM-^@M-^\noM-bM-^@M-^].
21
22 ^[[1mAllowGroups^[[0m
23 This keyword can be followed by a list of group name patterns,
24 separated by spaces. If specified, login is allowed only for
25 users whose primary group or supplementary group list matches one
26 of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the
27 patterns. Only group names are valid; a numerical group ID is
28 not recognized. By default, login is allowed for all groups.
29
30 ^[[1mAllowTcpForwarding^[[0m
31 Specifies whether TCP forwarding is permitted. The default is
32 M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling TCP forwarding does not improve secuM-bM-^@M-^P
33 rity unless users are also denied shell access, as they can
34 always install their own forwarders.
35
36 ^[[1mAllowUsers^[[0m
37 This keyword can be followed by a list of user name patterns,
38 separated by spaces. If specified, login is allowed only for
39 user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be
40 used as wildcards in the patterns. Only user names are valid; a
41 numerical user ID is not recognized. By default, login is
42 allowed for all users. If the pattern takes the form USER@HOST
43 then USER and HOST are separately checked, restricting logins to
44 particular users from particular hosts.
45
46 ^[[1mAuthorizedKeysFile^[[0m
47 Specifies the file that contains the public keys that can be used
48 for user authentication. ^[[1mAuthorizedKeysFile ^[[22mmay contain tokens
49 of the form %T which are substituted during connection setM-bM-^@M-^Pup.
50 The following tokens are defined: %% is replaced by a literal
51 M-bM-^@M-^Y%M-bM-^@M-^Y, %h is replaced by the home directory of the user being
52 authenticated and %u is replaced by the username of that user.
53 After expansion, ^[[1mAuthorizedKeysFile ^[[22mis taken to be an absolute
54 path or one relative to the userM-bM-^@M-^Ys home directory. The default
55 is M-bM-^@M-^\.ssh/authorized_keysM-bM-^@M-^].
56
57 ^[[1mBanner ^[[22mIn some jurisdictions, sending a warning message before authentiM-bM-^@M-^P
58 cation may be relevant for getting legal protection. The conM-bM-^@M-^P
59 tents of the specified file are sent to the remote user before
60 authentication is allowed. This option is only available for
61 protocol version 2. By default, no banner is displayed.
62
63 ^[[1mChallengeResponseAuthentication^[[0m
64 Specifies whether challenge response authentication is allowed.
65 All authentication styles from login.conf(5) are supported. The
66 default is M-bM-^@M-^\yesM-bM-^@M-^].
67
68 ^[[1mCiphers^[[0m
69 Specifies the ciphers allowed for protocol version 2. Multiple
70 ciphers must be commaM-bM-^@M-^Pseparated. The default is
71
72 M-bM-^@M-^XM-bM-^@M-^Xaes128M-bM-^@M-^Pcbc,3desM-bM-^@M-^Pcbc,blowfishM-bM-^@M-^Pcbc,cast128M-bM-^@M-^Pcbc,arcfour,
73 aes192M-bM-^@M-^Pcbc,aes256M-bM-^@M-^PcbcM-bM-^@M-^YM-bM-^@M-^Y
74
75 ^[[1mClientAliveInterval^[[0m
76 Sets a timeout interval in seconds after which if no data has
77 been received from the client, ^[[1msshd ^[[22mwill send a message through
78 the encrypted channel to request a response from the client. The
79 default is 0, indicating that these messages will not be sent to
80 the client. This option applies to protocol version 2 only.
81
82 ^[[1mClientAliveCountMax^[[0m
83 Sets the number of client alive messages (see above) which may be
84 sent without ^[[1msshd ^[[22mreceiving any messages back from the client. If
85 this threshold is reached while client alive messages are being
86 sent, ^[[1msshd ^[[22mwill disconnect the client, terminating the session.
87 It is important to note that the use of client alive messages is
88 very different from ^[[1mKeepAlive ^[[22m(below). The client alive messages
89 are sent through the encrypted channel and therefore will not be
90 spoofable. The TCP keepalive option enabled by ^[[1mKeepAlive ^[[22mis
91 spoofable. The client alive mechanism is valuable when the client
92 or server depend on knowing when a connection has become inacM-bM-^@M-^P
93 tive.
94
95 The default value is 3. If ^[[1mClientAliveInterval ^[[22m(above) is set to
96 15, and ^[[1mClientAliveCountMax ^[[22mis left at the default, unresponsive
97 ssh clients will be disconnected after approximately 45 seconds.
98
99 ^[[1mCompression^[[0m
100 Specifies whether compression is allowed. The argument must be
101 M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^].
102
103 ^[[1mDenyGroups^[[0m
104 This keyword can be followed by a list of group name patterns,
105 separated by spaces. Login is disallowed for users whose primary
106 group or supplementary group list matches one of the patterns.
107 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only
108 group names are valid; a numerical group ID is not recognized.
109 By default, login is allowed for all groups.
110
111 ^[[1mDenyUsers^[[0m
112 This keyword can be followed by a list of user name patterns,
113 separated by spaces. Login is disallowed for user names that
114 match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards
115 in the patterns. Only user names are valid; a numerical user ID
116 is not recognized. By default, login is allowed for all users.
117 If the pattern takes the form USER@HOST then USER and HOST are
118 separately checked, restricting logins to particular users from
119 particular hosts.
120
121 ^[[1mGatewayPorts^[[0m
122 Specifies whether remote hosts are allowed to connect to ports
123 forwarded for the client. By default, ^[[1msshd ^[[22mbinds remote port
124 forwardings to the loopback address. This prevents other remote
125 hosts from connecting to forwarded ports. ^[[1mGatewayPorts ^[[22mcan be
126 used to specify that ^[[1msshd ^[[22mshould bind remote port forwardings to
127 the wildcard address, thus allowing remote hosts to connect to
128 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
129 default is M-bM-^@M-^\noM-bM-^@M-^].
130
131 ^[[1mHostbasedAuthentication^[[0m
132 Specifies whether rhosts or /etc/hosts.equiv authentication
133 together with successful public key client host authentication is
134 allowed (hostbased authentication). This option is similar to
135 ^[[1mRhostsRSAAuthentication ^[[22mand applies to protocol version 2 only.
136 The default is M-bM-^@M-^\noM-bM-^@M-^].
137
138 ^[[1mHostKey^[[0m
139 Specifies a file containing a private host key used by SSH. The
140 default is ^[[4m/etc/ssh/ssh_host_key^[[24m for protocol version 1, and
141 ^[[4m/etc/ssh/ssh_host_rsa_key^[[24m and ^[[4m/etc/ssh/ssh_host_dsa_key^[[24m for proM-bM-^@M-^P
142 tocol version 2. Note that ^[[1msshd ^[[22mwill refuse to use a file if it
143 is group/worldM-bM-^@M-^Paccessible. It is possible to have multiple host
144 key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^]
145 are used for version 2 of the SSH protocol.
146
147 ^[[1mIgnoreRhosts^[[0m
148 Specifies that ^[[4m.rhosts^[[24m and ^[[4m.shosts^[[24m files will not be used in
149 ^[[1mRhostsAuthentication^[[22m, ^[[1mRhostsRSAAuthentication ^[[22mor
150 ^[[1mHostbasedAuthentication^[[22m.
151
152 ^[[4m/etc/hosts.equiv^[[24m and ^[[4m/etc/shosts.equiv^[[24m are still used. The
153 default is M-bM-^@M-^\yesM-bM-^@M-^].
154
155 ^[[1mIgnoreUserKnownHosts^[[0m
156 Specifies whether ^[[1msshd ^[[22mshould ignore the userM-bM-^@M-^Ys
157 ^[[4m$HOME/.ssh/known_hosts^[[24m during ^[[1mRhostsRSAAuthentication ^[[22mor
158 ^[[1mHostbasedAuthentication^[[22m. The default is M-bM-^@M-^\noM-bM-^@M-^].
159
160 ^[[1mKeepAlive^[[0m
161 Specifies whether the system should send TCP keepalive messages
162 to the other side. If they are sent, death of the connection or
163 crash of one of the machines will be properly noticed. However,
164 this means that connections will die if the route is down temM-bM-^@M-^P
165 porarily, and some people find it annoying. On the other hand,
166 if keepalives are not sent, sessions may hang indefinitely on the
167 server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming server resources.
168
169 The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the server will
170 notice if the network goes down or the client host crashes. This
171 avoids infinitely hanging sessions.
172
173 To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^].
174
175 ^[[1mKerberosAuthentication^[[0m
176 Specifies whether Kerberos authentication is allowed. This can
177 be in the form of a Kerberos ticket, or if ^[[1mPasswordAuthentication^[[0m
178 is yes, the password provided by the user will be validated
179 through the Kerberos KDC. To use this option, the server needs a
180 Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys idenM-bM-^@M-^P
181 tity. Default is M-bM-^@M-^\noM-bM-^@M-^].
182
183 ^[[1mKerberosOrLocalPasswd^[[0m
184 If set then if password authentication through Kerberos fails
185 then the password will be validated via any additional local
186 mechanism such as ^[[4m/etc/passwd^[[24m. Default is M-bM-^@M-^\yesM-bM-^@M-^].
187
188 ^[[1mKerberosTgtPassing^[[0m
189 Specifies whether a Kerberos TGT may be forwarded to the server.
190 Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is
191 actually an AFS kaserver.
192
193 ^[[1mKerberosTicketCleanup^[[0m
194 Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket
195 cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^].
196
197 ^[[1mKeyRegenerationInterval^[[0m
198 In protocol version 1, the ephemeral server key is automatically
199 regenerated after this many seconds (if it has been used). The
200 purpose of regeneration is to prevent decrypting captured sesM-bM-^@M-^P
201 sions by later breaking into the machine and stealing the keys.
202 The key is never stored anywhere. If the value is 0, the key is
203 never regenerated. The default is 3600 (seconds).
204
205 ^[[1mListenAddress^[[0m
206 Specifies the local addresses ^[[1msshd ^[[22mshould listen on. The followM-bM-^@M-^P
207 ing forms may be used:
208
209 ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m|^[[4mIPv6_addr^[[0m
210 ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m:^[[4mport^[[0m
211 ^[[1mListenAddress ^[[22m[^[[4mhost^[[24m|^[[4mIPv6_addr^[[24m]:^[[4mport^[[0m
212
213 If ^[[4mport^[[24m is not specified, ^[[1msshd ^[[22mwill listen on the address and all
214 prior ^[[1mPort ^[[22moptions specified. The default is to listen on all
215 local addresses. Multiple ^[[1mListenAddress ^[[22moptions are permitted.
216 Additionally, any ^[[1mPort ^[[22moptions must precede this option for non
217 port qualified addresses.
218
219 ^[[1mLoginGraceTime^[[0m
220 The server disconnects after this time if the user has not sucM-bM-^@M-^P
221 cessfully logged in. If the value is 0, there is no time limit.
222 The default is 120 seconds.
223
224 ^[[1mLogLevel^[[0m
225 Gives the verbosity level that is used when logging messages from
226 ^[[1msshd^[[22m. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-bM-^@M-^P
227 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
228 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
229 higher levels of debugging output. Logging with a DEBUG level
230 violates the privacy of users and is not recommended.
231
232 ^[[1mMACs ^[[22mSpecifies the available MAC (message authentication code) algoM-bM-^@M-^P
233 rithms. The MAC algorithm is used in protocol version 2 for data
234 integrity protection. Multiple algorithms must be commaM-bM-^@M-^PsepaM-bM-^@M-^P
235 rated. The default is
236 M-bM-^@M-^\hmacM-bM-^@M-^Pmd5,hmacM-bM-^@M-^Psha1,hmacM-bM-^@M-^Pripemd160,hmacM-bM-^@M-^Psha1M-bM-^@M-^P96,hmacM-bM-^@M-^Pmd5M-bM-^@M-^P96M-bM-^@M-^].
237
238 ^[[1mMaxStartups^[[0m
239 Specifies the maximum number of concurrent unauthenticated conM-bM-^@M-^P
240 nections to the ^[[1msshd ^[[22mdaemon. Additional connections will be
241 dropped until authentication succeeds or the ^[[1mLoginGraceTime^[[0m
242 expires for a connection. The default is 10.
243
244 Alternatively, random early drop can be enabled by specifying the
245 three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g.,
246 "10:30:60"). ^[[1msshd ^[[22mwill refuse connection attempts with a probaM-bM-^@M-^P
247 bility of M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10)
248 unauthenticated connections. The probability increases linearly
249 and all connection attempts are refused if the number of unauM-bM-^@M-^P
250 thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60).
251
252 ^[[1mPAMAuthenticationViaKbdInt^[[0m
253 Specifies whether PAM challenge response authentication is
254 allowed. This allows the use of most PAM challenge response
255 authentication modules, but it will allow password authentication
256 regardless of whether ^[[1mPasswordAuthentication ^[[22mis enabled.
257
258 ^[[1mPasswordAuthentication^[[0m
259 Specifies whether password authentication is allowed. The
260 default is M-bM-^@M-^\yesM-bM-^@M-^].
261
262 ^[[1mPermitEmptyPasswords^[[0m
263 When password authentication is allowed, it specifies whether the
264 server allows login to accounts with empty password strings. The
265 default is M-bM-^@M-^\noM-bM-^@M-^].
266
267 ^[[1mPermitRootLogin^[[0m
268 Specifies whether root can login using ssh(1). The argument must
269 be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^], M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].
270 The default is M-bM-^@M-^\yesM-bM-^@M-^].
271
272 If this option is set to M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^] password authenticaM-bM-^@M-^P
273 tion is disabled for root.
274
275 If this option is set to M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] root login with
276 public key authentication will be allowed, but only if the
277 ^[[4mcommand^[[24m option has been specified (which may be useful for taking
278 remote backups even if root login is normally not allowed). All
279 other authentication methods are disabled for root.
280
281 If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login.
282
283 ^[[1mPermitUserEnvironment^[[0m
284 Specifies whether ^[[4m~/.ssh/environment^[[24m and ^[[1menvironment= ^[[22moptions in
285 ^[[4m~/.ssh/authorized_keys^[[24m are processed by ^[[1msshd^[[22m. The default is
286 M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass
287 access restrictions in some configurations using mechanisms such
288 as LD_PRELOAD.
289
290 ^[[1mPidFile^[[0m
291 Specifies the file that contains the process ID of the ^[[1msshd ^[[22mdaeM-bM-^@M-^P
292 mon. The default is ^[[4m/var/run/sshd.pid^[[24m.
293
294 ^[[1mPort ^[[22mSpecifies the port number that ^[[1msshd ^[[22mlistens on. The default is
295 22. Multiple options of this type are permitted. See also
296 ^[[1mListenAddress^[[22m.
297
298 ^[[1mPrintLastLog^[[0m
299 Specifies whether ^[[1msshd ^[[22mshould print the date and time when the
300 user last logged in. The default is M-bM-^@M-^\yesM-bM-^@M-^].
301
302 ^[[1mPrintMotd^[[0m
303 Specifies whether ^[[1msshd ^[[22mshould print ^[[4m/etc/motd^[[24m when a user logs in
304 interactively. (On some systems it is also printed by the shell,
305 ^[[4m/etc/profile^[[24m, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^].
306
307 ^[[1mProtocol^[[0m
308 Specifies the protocol versions ^[[1msshd ^[[22msupports. The possible valM-bM-^@M-^P
309 ues are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple versions must be commaM-bM-^@M-^Pseparated.
310 The default is M-bM-^@M-^\2,1M-bM-^@M-^]. Note that the order of the protocol list
311 does not indicate preference, because the client selects among
312 multiple protocol versions offered by the server. Specifying
313 M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^].
314
315 ^[[1mPubkeyAuthentication^[[0m
316 Specifies whether public key authentication is allowed. The
317 default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol verM-bM-^@M-^P
318 sion 2 only.
319
320 ^[[1mRhostsAuthentication^[[0m
321 Specifies whether authentication using rhosts or /etc/hosts.equiv
322 files is sufficient. Normally, this method should not be permitM-bM-^@M-^P
323 ted because it is insecure. ^[[1mRhostsRSAAuthentication ^[[22mshould be
324 used instead, because it performs RSAM-bM-^@M-^Pbased host authentication
325 in addition to normal rhosts or /etc/hosts.equiv authentication.
326 The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1
327 only.
328
329 ^[[1mRhostsRSAAuthentication^[[0m
330 Specifies whether rhosts or /etc/hosts.equiv authentication
331 together with successful RSA host authentication is allowed. The
332 default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only.
333
334 ^[[1mRSAAuthentication^[[0m
335 Specifies whether pure RSA authentication is allowed. The
336 default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1
337 only.
338
339 ^[[1mServerKeyBits^[[0m
340 Defines the number of bits in the ephemeral protocol version 1
341 server key. The minimum value is 512, and the default is 768.
342
343 ^[[1mStrictModes^[[0m
344 Specifies whether ^[[1msshd ^[[22mshould check file modes and ownership of
345 the userM-bM-^@M-^Ys files and home directory before accepting login. This
346 is normally desirable because novices sometimes accidentally
347 leave their directory or files worldM-bM-^@M-^Pwritable. The default is
348 M-bM-^@M-^\yesM-bM-^@M-^].
349
350 ^[[1mSubsystem^[[0m
351 Configures an external subsystem (e.g., file transfer daemon).
352 Arguments should be a subsystem name and a command to execute
353 upon subsystem request. The command sftpM-bM-^@M-^Pserver(8) implements
354 the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer subsystem. By default no subsystems are
355 defined. Note that this option applies to protocol version 2
356 only.
357
358 ^[[1mSyslogFacility^[[0m
359 Gives the facility code that is used when logging messages from
360 ^[[1msshd^[[22m. The possible values are: DAEMON, USER, AUTH, LOCAL0,
361 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
362 default is AUTH.
363
364 ^[[1mUseLogin^[[0m
365 Specifies whether login(1) is used for interactive login sesM-bM-^@M-^P
366 sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used
367 for remote command execution. Note also, that if this is
368 enabled, ^[[1mX11Forwarding ^[[22mwill be disabled because login(1) does not
369 know how to handle xauth(1) cookies. If ^[[1mUsePrivilegeSeparation^[[0m
370 is specified, it will be disabled after authentication.
371
372 ^[[1mUsePrivilegeSeparation^[[0m
373 Specifies whether ^[[1msshd ^[[22mseparates privileges by creating an
374 unprivileged child process to deal with incoming network traffic.
375 After successful authentication, another process will be created
376 that has the privilege of the authenticated user. The goal of
377 privilege separation is to prevent privilege escalation by conM-bM-^@M-^P
378 taining any corruption within the unprivileged processes. The
379 default is M-bM-^@M-^\yesM-bM-^@M-^].
380
381 ^[[1mVerifyReverseMapping^[[0m
382 Specifies whether ^[[1msshd ^[[22mshould try to verify the remote host name
383 and check that the resolved host name for the remote IP address
384 maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^].
385
386 ^[[1mX11DisplayOffset^[[0m
387 Specifies the first display number available for ^[[1msshd^[[22mM-bM-^@M-^Ys X11 forM-bM-^@M-^P
388 warding. This prevents ^[[1msshd ^[[22mfrom interfering with real X11
389 servers. The default is 10.
390
391 ^[[1mX11Forwarding^[[0m
392 Specifies whether X11 forwarding is permitted. The argument must
393 be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
394
395 When X11 forwarding is enabled, there may be additional exposure
396 to the server and to client displays if the ^[[1msshd ^[[22mproxy display is
397 configured to listen on the wildcard address (see ^[[1mX11UseLocalhost^[[0m
398 below), however this is not the default. Additionally, the
399 authentication spoofing and authentication data verification and
400 substitution occur on the client side. The security risk of
401 using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may
402 be exposed to attack when the ssh client requests forwarding (see
403 the warnings for ^[[1mForwardX11 ^[[22min ssh_config(5) ). A system adminisM-bM-^@M-^P
404 trator may have a stance in which they want to protect clients
405 that may expose themselves to attack by unwittingly requesting
406 X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting.
407
408 Note that disabling X11 forwarding does not prevent users from
409 forwarding X11 traffic, as users can always install their own
410 forwarders. X11 forwarding is automatically disabled if ^[[1mUseLogin^[[0m
411 is enabled.
412
413 ^[[1mX11UseLocalhost^[[0m
414 Specifies whether ^[[1msshd ^[[22mshould bind the X11 forwarding server to
415 the loopback address or to the wildcard address. By default,
416 ^[[1msshd ^[[22mbinds the forwarding server to the loopback address and sets
417 the hostname part of the DISPLAY environment variable to
418 M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the
419 proxy display. However, some older X11 clients may not function
420 with this configuration. ^[[1mX11UseLocalhost ^[[22mmay be set to M-bM-^@M-^\noM-bM-^@M-^] to
421 specify that the forwarding server should be bound to the wildM-bM-^@M-^P
422 card address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default
423 is M-bM-^@M-^\yesM-bM-^@M-^].
424
425 ^[[1mXAuthLocation^[[0m
426 Specifies the full pathname of the xauth(1) program. The default
427 is ^[[4m/usr/X11R6/bin/xauth^[[24m.
428
429 ^[[1mTime Formats^[[0m
430
431 ^[[1msshd ^[[22mcommandM-bM-^@M-^Pline arguments and configuration file options that specify
432 time may be expressed using a sequence of the form: ^[[4mtime^[[24m[^[[4mqualifier^[[24m],
433 where ^[[4mtime^[[24m is a positive integer value and ^[[4mqualifier^[[24m is one of the folM-bM-^@M-^P
434 lowing:
435
436 ^[[1m<none> ^[[22mseconds
437 ^[[1ms ^[[22m| ^[[1mS ^[[22mseconds
438 ^[[1mm ^[[22m| ^[[1mM ^[[22mminutes
439 ^[[1mh ^[[22m| ^[[1mH ^[[22mhours
440 ^[[1md ^[[22m| ^[[1mD ^[[22mdays
441 ^[[1mw ^[[22m| ^[[1mW ^[[22mweeks
442
443 Each member of the sequence is added together to calculate the total time
444 value.
445
446 Time format examples:
447
448 600 600 seconds (10 minutes)
449 10m 10 minutes
450 1h30m 1 hour 30 minutes (90 minutes)
451
452^[[1mFILES^[[0m
453 /etc/ssh/sshd_config
454 Contains configuration data for ^[[1msshd^[[22m. This file should be
455 writable by root only, but it is recommended (though not necesM-bM-^@M-^P
456 sary) that it be worldM-bM-^@M-^Preadable.
457
458^[[1mAUTHORS^[[0m
459 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
460 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
461 de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P
462 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
463 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
464 for privilege separation.
465
466^[[1mSEE ALSO^[[0m
467 sshd(8)
468
469BSD September 25, 1999 BSD
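Review bot: the committed sshd_config.0 is not a plain-text rendering: throughout the hunk the bold and underline markup survives as raw terminal SGR escapes (`^[[1mNAME^[[0m`, `^[[4m/etc/ssh/sshd_config^[[0m`, `^[[1msshd ^[[22mreads`), and hyphens and quotation marks appear as multi-byte sequences (`keywordM-bM-^@M-^Pargument`, `M-bM-^@M-^\yesM-bM-^@M-^]`), which means the page was formatted in a UTF-8 locale straight to a terminal instead of through the usual `nroff -man | col -b` pipeline in the C locale. As committed it will not display cleanly with `cat`, `more` or in this diff view, and the default cipher and MAC lists at lines 72-73 and 236, which an administrator is likely to copy into a configuration, contain non-ASCII hyphens rather than the `-` that sshd parses; please regenerate the file as 7-bit ASCII before importing. Two smaller documentation points: the `Time Formats` heading at line 429 is rendered at option-description indentation rather than as a top-level section, and the footer date `September 25, 1999` at line 469 predates the 3.6p1 material it documents (UsePrivilegeSeparation, PermitUserEnvironment); both are inherited from the upstream source, so they are worth carrying upstream rather than patching here.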