diff options
| author | Colin Watson <cjwatson@debian.org> | 2016-08-06 10:49:58 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2016-08-06 10:49:58 +0100 |
| commit | a8ed8d256b2e2c05b0c15565a7938028c5192277 (patch) | |
| tree | 87abbdc914a38b43e4e5bb9581ad1f46eabbf88e /sshd_config.0 | |
| parent | f0329aac23c61e1a5197d6d57349a63f459bccb0 (diff) | |
| parent | 99522ba7ec6963a05c04a156bf20e3ba3605987c (diff) | |
Import openssh_7.3p1.orig.tar.gz
Diffstat (limited to 'sshd_config.0')
| -rw-r--r-- | sshd_config.0 | 41 |
1 files changed, 25 insertions, 16 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 8bda6a39f..85379dca5 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
| @@ -80,9 +80,11 @@ DESCRIPTION | |||
| 80 | valid; a numerical user ID is not recognized. By default, login | 80 | valid; a numerical user ID is not recognized. By default, login |
| 81 | is allowed for all users. If the pattern takes the form | 81 | is allowed for all users. If the pattern takes the form |
| 82 | USER@HOST then USER and HOST are separately checked, restricting | 82 | USER@HOST then USER and HOST are separately checked, restricting |
| 83 | logins to particular users from particular hosts. The allow/deny | 83 | logins to particular users from particular hosts. HOST criteria |
| 84 | directives are processed in the following order: DenyUsers, | 84 | may additionally contain addresses to match in CIDR |
| 85 | AllowUsers, DenyGroups, and finally AllowGroups. | 85 | address/masklen format. The allow/deny directives are processed |
| 86 | in the following order: DenyUsers, AllowUsers, DenyGroups, and | ||
| 87 | finally AllowGroups. | ||
| 86 | 88 | ||
| 87 | See PATTERNS in ssh_config(5) for more information on patterns. | 89 | See PATTERNS in ssh_config(5) for more information on patterns. |
| 88 | 90 | ||
| @@ -90,8 +92,11 @@ DESCRIPTION | |||
| 90 | Specifies the authentication methods that must be successfully | 92 | Specifies the authentication methods that must be successfully |
| 91 | completed for a user to be granted access. This option must be | 93 | completed for a user to be granted access. This option must be |
| 92 | followed by one or more comma-separated lists of authentication | 94 | followed by one or more comma-separated lists of authentication |
| 93 | method names. Successful authentication requires completion of | 95 | method names, or by the single string M-bM-^@M-^\anyM-bM-^@M-^] to indicate the |
| 94 | every method in at least one of these lists. | 96 | default behaviour of accepting any single authentication method. |
| 97 | if the default is overridden, then successful authentication | ||
| 98 | requires completion of every method in at least one of these | ||
| 99 | lists. | ||
| 95 | 100 | ||
| 96 | For example, an argument of M-bM-^@M-^\publickey,password | 101 | For example, an argument of M-bM-^@M-^\publickey,password |
| 97 | publickey,keyboard-interactiveM-bM-^@M-^] would require the user to | 102 | publickey,keyboard-interactiveM-bM-^@M-^] would require the user to |
| @@ -116,9 +121,9 @@ DESCRIPTION | |||
| 116 | 121 | ||
| 117 | This option will yield a fatal error if enabled if protocol 1 is | 122 | This option will yield a fatal error if enabled if protocol 1 is |
| 118 | also enabled. Note that each authentication method listed should | 123 | also enabled. Note that each authentication method listed should |
| 119 | also be explicitly enabled in the configuration. The default is | 124 | also be explicitly enabled in the configuration. The default |
| 120 | not to require multiple authentication; successful completion of | 125 | M-bM-^@M-^\anyM-bM-^@M-^] is not to require multiple authentication; successful |
| 121 | a single authentication method is sufficient. | 126 | completion of a single authentication method is sufficient. |
| 122 | 127 | ||
| 123 | AuthorizedKeysCommand | 128 | AuthorizedKeysCommand |
| 124 | Specifies a program to be used to look up the user's public keys. | 129 | Specifies a program to be used to look up the user's public keys. |
| @@ -339,9 +344,11 @@ DESCRIPTION | |||
| 339 | numerical user ID is not recognized. By default, login is | 344 | numerical user ID is not recognized. By default, login is |
| 340 | allowed for all users. If the pattern takes the form USER@HOST | 345 | allowed for all users. If the pattern takes the form USER@HOST |
| 341 | then USER and HOST are separately checked, restricting logins to | 346 | then USER and HOST are separately checked, restricting logins to |
| 342 | particular users from particular hosts. The allow/deny | 347 | particular users from particular hosts. HOST criteria may |
| 343 | directives are processed in the following order: DenyUsers, | 348 | additionally contain addresses to match in CIDR address/masklen |
| 344 | AllowUsers, DenyGroups, and finally AllowGroups. | 349 | format. The allow/deny directives are processed in the following |
| 350 | order: DenyUsers, AllowUsers, DenyGroups, and finally | ||
| 351 | AllowGroups. | ||
| 345 | 352 | ||
| 346 | See PATTERNS in ssh_config(5) for more information on patterns. | 353 | See PATTERNS in ssh_config(5) for more information on patterns. |
| 347 | 354 | ||
| @@ -447,7 +454,7 @@ DESCRIPTION | |||
| 447 | 454 | ||
| 448 | HostKeyAgent | 455 | HostKeyAgent |
| 449 | Identifies the UNIX-domain socket used to communicate with an | 456 | Identifies the UNIX-domain socket used to communicate with an |
| 450 | agent that has access to the private host keys. If | 457 | agent that has access to the private host keys. If the string |
| 451 | M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be | 458 | M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be |
| 452 | read from the SSH_AUTH_SOCK environment variable. | 459 | read from the SSH_AUTH_SOCK environment variable. |
| 453 | 460 | ||
| @@ -708,8 +715,10 @@ DESCRIPTION | |||
| 708 | Multiple forwards may be specified by separating them with | 715 | Multiple forwards may be specified by separating them with |
| 709 | whitespace. An argument of M-bM-^@M-^\anyM-bM-^@M-^] can be used to remove all | 716 | whitespace. An argument of M-bM-^@M-^\anyM-bM-^@M-^] can be used to remove all |
| 710 | restrictions and permit any forwarding requests. An argument of | 717 | restrictions and permit any forwarding requests. An argument of |
| 711 | M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. By | 718 | M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. The |
| 712 | default all port forwarding requests are permitted. | 719 | wildcard M-bM-^@M-^\*M-bM-^@M-^] can be used for host or port to allow all hosts or |
| 720 | ports, respectively. By default all port forwarding requests are | ||
| 721 | permitted. | ||
| 713 | 722 | ||
| 714 | PermitRootLogin | 723 | PermitRootLogin |
| 715 | Specifies whether root can log in using ssh(1). The argument | 724 | Specifies whether root can log in using ssh(1). The argument |
| @@ -927,7 +936,7 @@ DESCRIPTION | |||
| 927 | address maps back to the very same IP address. | 936 | address maps back to the very same IP address. |
| 928 | 937 | ||
| 929 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses | 938 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses |
| 930 | and not host names may be used in ~/.ssh/known_hosts from and | 939 | and not host names may be used in ~/.ssh/authorized_keys from and |
| 931 | sshd_config Match Host directives. | 940 | sshd_config Match Host directives. |
| 932 | 941 | ||
| 933 | UseLogin | 942 | UseLogin |
| @@ -1051,4 +1060,4 @@ AUTHORS | |||
| 1051 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 1060 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
| 1052 | for privilege separation. | 1061 | for privilege separation. |
| 1053 | 1062 | ||
| 1054 | OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 | 1063 | OpenBSD 6.0 July 19, 2016 OpenBSD 6.0 |