path: root/sshd_config.0
author    Colin Watson <cjwatson@debian.org>  2005-01-04 12:58:23 +0000
committer Colin Watson <cjwatson@debian.org>  2005-01-04 12:58:23 +0000
commit    ebd2ce335af5861020c79fddb1ae35c03bf036cf (patch)
tree      ec008b93c62e3241ab611d8c949ebc92905c66b4 /sshd_config.0
parent    e17cc75fe35f62ba52928b5889b5e7aadb62bedb (diff)
parent    16f1d21ea191deaaeeba719d01c0ad82aa044653 (diff)
Import OpenSSH 3.9p1.
Diffstat (limited to 'sshd_config.0')
-rw-r--r--  sshd_config.0  494
1 files changed, 494 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0
new file mode 100644
index 000000000..0528a8c44
--- /dev/null
+++ b/sshd_config.0
@@ -0,0 +1,494 @@
1SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
2
3NAME
4 sshd_config - OpenSSH SSH daemon configuration file
5
6SYNOPSIS
7 /etc/ssh/sshd_config
8
9DESCRIPTION
10 sshd reads configuration data from /etc/ssh/sshd_config (or the file
11 specified with -f on the command line). The file contains keyword-argu-
12 ment pairs, one per line. Lines starting with `#' and empty lines are
13 interpreted as comments.
14
15 The possible keywords and their meanings are as follows (note that key-
16 words are case-insensitive and arguments are case-sensitive):
17
18 AcceptEnv
19 Specifies what environment variables sent by the client will be
20 copied into the session's environ(7). See SendEnv in
21 ssh_config(5) for how to configure the client. Note that envi-
22 ronment passing is only supported for protocol 2. Variables are
23 specified by name, which may contain the wildcard characters `*'
24 and `?'. Multiple environment variables may be separated by
25 whitespace or spread across multiple AcceptEnv directives. Be
26 warned that some environment variables could be used to bypass
27 restricted user environments. For this reason, care should be
28 taken in the use of this directive. The default is not to accept
29 any environment variables.
30
31 AllowGroups
32 This keyword can be followed by a list of group name patterns,
33 separated by spaces. If specified, login is allowed only for
34 users whose primary group or supplementary group list matches one
35 of the patterns. `*' and `?' can be used as wildcards in the
36 patterns. Only group names are valid; a numerical group ID is
37 not recognized. By default, login is allowed for all groups.
38
39 AllowTcpForwarding
40 Specifies whether TCP forwarding is permitted. The default is
41 ``yes''. Note that disabling TCP forwarding does not improve se-
42 curity unless users are also denied shell access, as they can al-
43 ways install their own forwarders.
44
45 AllowUsers
46 This keyword can be followed by a list of user name patterns,
47 separated by spaces. If specified, login is allowed only for us-
48 er names that match one of the patterns. `*' and `?' can be used
49 as wildcards in the patterns. Only user names are valid; a nu-
50 merical user ID is not recognized. By default, login is allowed
51 for all users. If the pattern takes the form USER@HOST then USER
52 and HOST are separately checked, restricting logins to particular
53 users from particular hosts.
54
55 AuthorizedKeysFile
56 Specifies the file that contains the public keys that can be used
57 for user authentication. AuthorizedKeysFile may contain tokens
58 of the form %T which are substituted during connection set-up.
59 The following tokens are defined: %% is replaced by a literal
60 '%', %h is replaced by the home directory of the user being au-
61 thenticated and %u is replaced by the username of that user. Af-
62 ter expansion, AuthorizedKeysFile is taken to be an absolute path
63 or one relative to the user's home directory. The default is
64 ``.ssh/authorized_keys''.
65
66 Banner In some jurisdictions, sending a warning message before authenti-
67 cation may be relevant for getting legal protection. The con-
68 tents of the specified file are sent to the remote user before
69 authentication is allowed. This option is only available for
70 protocol version 2. By default, no banner is displayed.
71
72 ChallengeResponseAuthentication
73 Specifies whether challenge response authentication is allowed.
74 All authentication styles from login.conf(5) are supported. The
75 default is ``yes''.
76
77 Ciphers
78 Specifies the ciphers allowed for protocol version 2. Multiple
79 ciphers must be comma-separated. The supported ciphers are
80 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
81 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour'',
82 ``blowfish-cbc'', and ``cast128-cbc''. The default is
83
84 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
85 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
86
87 ClientAliveInterval
88 Sets a timeout interval in seconds after which if no data has
89 been received from the client, sshd will send a message through
90 the encrypted channel to request a response from the client. The
91 default is 0, indicating that these messages will not be sent to
92 the client. This option applies to protocol version 2 only.
93
94 ClientAliveCountMax
95 Sets the number of client alive messages (see above) which may be
96 sent without sshd receiving any messages back from the client.
97 If this threshold is reached while client alive messages are be-
98 ing sent, sshd will disconnect the client, terminating the ses-
99 sion. It is important to note that the use of client alive mes-
100 sages is very different from TCPKeepAlive (below). The client
101 alive messages are sent through the encrypted channel and there-
102 fore will not be spoofable. The TCP keepalive option enabled by
103 TCPKeepAlive is spoofable. The client alive mechanism is valu-
104 able when the client or server depend on knowing when a connec-
105 tion has become inactive.
106
107 The default value is 3. If ClientAliveInterval (above) is set to
108 15, and ClientAliveCountMax is left at the default, unresponsive
109 ssh clients will be disconnected after approximately 45 seconds.
110
111 Compression
112 Specifies whether compression is allowed. The argument must be
113 ``yes'' or ``no''. The default is ``yes''.
114
115 DenyGroups
116 This keyword can be followed by a list of group name patterns,
117 separated by spaces. Login is disallowed for users whose primary
118 group or supplementary group list matches one of the patterns.
119 `*' and `?' can be used as wildcards in the patterns. Only group
120 names are valid; a numerical group ID is not recognized. By de-
121 fault, login is allowed for all groups.
122
123 DenyUsers
124 This keyword can be followed by a list of user name patterns,
125 separated by spaces. Login is disallowed for user names that
126 match one of the patterns. `*' and `?' can be used as wildcards
127 in the patterns. Only user names are valid; a numerical user ID
128 is not recognized. By default, login is allowed for all users.
129 If the pattern takes the form USER@HOST then USER and HOST are
130 separately checked, restricting logins to particular users from
131 particular hosts.
132
133 GatewayPorts
134 Specifies whether remote hosts are allowed to connect to ports
135 forwarded for the client. By default, sshd binds remote port
136 forwardings to the loopback address. This prevents other remote
137 hosts from connecting to forwarded ports. GatewayPorts can be
138 used to specify that sshd should bind remote port forwardings to
139 the wildcard address, thus allowing remote hosts to connect to
140 forwarded ports. The argument must be ``yes'' or ``no''. The
141 default is ``no''.
142
143 GSSAPIAuthentication
144 Specifies whether user authentication based on GSSAPI is allowed.
145 The default is ``no''. Note that this option applies to protocol
146 version 2 only.
147
148 GSSAPICleanupCredentials
149 Specifies whether to automatically destroy the user's credentials
150 cache on logout. The default is ``yes''. Note that this option
151 applies to protocol version 2 only.
152
153 HostbasedAuthentication
154 Specifies whether rhosts or /etc/hosts.equiv authentication to-
155 gether with successful public key client host authentication is
156 allowed (hostbased authentication). This option is similar to
157 RhostsRSAAuthentication and applies to protocol version 2 only.
158 The default is ``no''.
159
160 HostKey
161 Specifies a file containing a private host key used by SSH. The
162 default is /etc/ssh/ssh_host_key for protocol version 1, and
163 /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro-
164 tocol version 2. Note that sshd will refuse to use a file if it
165 is group/world-accessible. It is possible to have multiple host
166 key files. ``rsa1'' keys are used for version 1 and ``dsa'' or
167 ``rsa'' are used for version 2 of the SSH protocol.
168
169 IgnoreRhosts
170 Specifies that .rhosts and .shosts files will not be used in
171 RhostsRSAAuthentication or HostbasedAuthentication.
172
173 /etc/hosts.equiv and /etc/shosts.equiv are still used. The de-
174 fault is ``yes''.
175
176 IgnoreUserKnownHosts
177 Specifies whether sshd should ignore the user's
178 $HOME/.ssh/known_hosts during RhostsRSAAuthentication or
179 HostbasedAuthentication. The default is ``no''.
180
181 KerberosAuthentication
182 Specifies whether the password provided by the user for
183 PasswordAuthentication will be validated through the Kerberos
184 KDC. To use this option, the server needs a Kerberos servtab
185 which allows the verification of the KDC's identity. Default is
186 ``no''.
187
188 KerberosGetAFSToken
189 If AFS is active and the user has a Kerberos 5 TGT, attempt to
190 aquire an AFS token before accessing the user's home directory.
191 Default is ``no''.
192
193 KerberosOrLocalPasswd
194 If set then if password authentication through Kerberos fails
195 then the password will be validated via any additional local
196 mechanism such as /etc/passwd. Default is ``yes''.
197
198 KerberosTicketCleanup
199 Specifies whether to automatically destroy the user's ticket
200 cache file on logout. Default is ``yes''.
201
202 KeyRegenerationInterval
203 In protocol version 1, the ephemeral server key is automatically
204 regenerated after this many seconds (if it has been used). The
205 purpose of regeneration is to prevent decrypting captured ses-
206 sions by later breaking into the machine and stealing the keys.
207 The key is never stored anywhere. If the value is 0, the key is
208 never regenerated. The default is 3600 (seconds).
209
210 ListenAddress
211 Specifies the local addresses sshd should listen on. The follow-
212 ing forms may be used:
213
214 ListenAddress host|IPv4_addr|IPv6_addr
215 ListenAddress host|IPv4_addr:port
216 ListenAddress [host|IPv6_addr]:port
217
218 If port is not specified, sshd will listen on the address and all
219 prior Port options specified. The default is to listen on all
220 local addresses. Multiple ListenAddress options are permitted.
221 Additionally, any Port options must precede this option for non
222 port qualified addresses.
223
224 LoginGraceTime
225 The server disconnects after this time if the user has not suc-
226 cessfully logged in. If the value is 0, there is no time limit.
227 The default is 120 seconds.
228
229 LogLevel
230 Gives the verbosity level that is used when logging messages from
231 sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VER-
232 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
233 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
234 higher levels of debugging output. Logging with a DEBUG level
235 violates the privacy of users and is not recommended.
236
237 MACs Specifies the available MAC (message authentication code) algo-
238 rithms. The MAC algorithm is used in protocol version 2 for data
239 integrity protection. Multiple algorithms must be comma-separat-
240 ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
241 sha1-96,hmac-md5-96''.
242
243 MaxAuthTries
244 Specifies the maximum number of authentication attempts permitted
245 per connection. Once the number of failures reaches half this
246 value, additional failures are logged. The default is 6.
247
248 MaxStartups
249 Specifies the maximum number of concurrent unauthenticated con-
250 nections to the sshd daemon. Additional connections will be
251 dropped until authentication succeeds or the LoginGraceTime ex-
252 pires for a connection. The default is 10.
253
254 Alternatively, random early drop can be enabled by specifying the
255 three colon separated values ``start:rate:full'' (e.g.,
256 "10:30:60"). sshd will refuse connection attempts with a proba-
257 bility of ``rate/100'' (30%) if there are currently ``start''
258 (10) unauthenticated connections. The probability increases lin-
259 early and all connection attempts are refused if the number of
260 unauthenticated connections reaches ``full'' (60).
261
262 PasswordAuthentication
263 Specifies whether password authentication is allowed. The de-
264 fault is ``yes''.
265
266 PermitEmptyPasswords
267 When password authentication is allowed, it specifies whether the
268 server allows login to accounts with empty password strings. The
269 default is ``no''.
270
271 PermitRootLogin
272 Specifies whether root can login using ssh(1). The argument must
273 be ``yes'', ``without-password'', ``forced-commands-only'' or
274 ``no''. The default is ``yes''.
275
276 If this option is set to ``without-password'' password authenti-
277 cation is disabled for root. Note that other authentication
278 methods (e.g., keyboard-interactive/PAM) may still allow root to
279 login using a password.
280
281 If this option is set to ``forced-commands-only'' root login with
282 public key authentication will be allowed, but only if the
283 command option has been specified (which may be useful for taking
284 remote backups even if root login is normally not allowed). All
285 other authentication methods are disabled for root.
286
287 If this option is set to ``no'' root is not allowed to login.
288
289 PermitUserEnvironment
290 Specifies whether ~/.ssh/environment and environment= options in
291 ~/.ssh/authorized_keys are processed by sshd. The default is
292 ``no''. Enabling environment processing may enable users to by-
293 pass access restrictions in some configurations using mechanisms
294 such as LD_PRELOAD.
295
296 PidFile
297 Specifies the file that contains the process ID of the sshd dae-
298 mon. The default is /var/run/sshd.pid.
299
300 Port Specifies the port number that sshd listens on. The default is
301 22. Multiple options of this type are permitted. See also
302 ListenAddress.
303
304 PrintLastLog
305 Specifies whether sshd should print the date and time when the
306 user last logged in. The default is ``yes''.
307
308 PrintMotd
309 Specifies whether sshd should print /etc/motd when a user logs in
310 interactively. (On some systems it is also printed by the shell,
311 /etc/profile, or equivalent.) The default is ``yes''.
312
313 Protocol
314 Specifies the protocol versions sshd supports. The possible val-
315 ues are ``1'' and ``2''. Multiple versions must be comma-sepa-
316 rated. The default is ``2,1''. Note that the order of the pro-
317 tocol list does not indicate preference, because the client se-
318 lects among multiple protocol versions offered by the server.
319 Specifying ``2,1'' is identical to ``1,2''.
320
321 PubkeyAuthentication
322 Specifies whether public key authentication is allowed. The de-
323 fault is ``yes''. Note that this option applies to protocol ver-
324 sion 2 only.
325
326 RhostsRSAAuthentication
327 Specifies whether rhosts or /etc/hosts.equiv authentication to-
328 gether with successful RSA host authentication is allowed. The
329 default is ``no''. This option applies to protocol version 1 on-
330 ly.
331
332 RSAAuthentication
333 Specifies whether pure RSA authentication is allowed. The de-
334 fault is ``yes''. This option applies to protocol version 1 on-
335 ly.
336
337 ServerKeyBits
338 Defines the number of bits in the ephemeral protocol version 1
339 server key. The minimum value is 512, and the default is 768.
340
341 StrictModes
342 Specifies whether sshd should check file modes and ownership of
343 the user's files and home directory before accepting login. This
344 is normally desirable because novices sometimes accidentally
345 leave their directory or files world-writable. The default is
346 ``yes''.
347
348 Subsystem
349 Configures an external subsystem (e.g., file transfer daemon).
350 Arguments should be a subsystem name and a command to execute up-
351 on subsystem request. The command sftp-server(8) implements the
352 ``sftp'' file transfer subsystem. By default no subsystems are
353 defined. Note that this option applies to protocol version 2 on-
354 ly.
355
356 SyslogFacility
357 Gives the facility code that is used when logging messages from
358 sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO-
359 CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
360 fault is AUTH.
361
362 TCPKeepAlive
363 Specifies whether the system should send TCP keepalive messages
364 to the other side. If they are sent, death of the connection or
365 crash of one of the machines will be properly noticed. However,
366 this means that connections will die if the route is down tem-
367 porarily, and some people find it annoying. On the other hand,
368 if TCP keepalives are not sent, sessions may hang indefinitely on
369 the server, leaving ``ghost'' users and consuming server re-
370 sources.
371
372 The default is ``yes'' (to send TCP keepalive messages), and the
373 server will notice if the network goes down or the client host
374 crashes. This avoids infinitely hanging sessions.
375
376 To disable TCP keepalive messages, the value should be set to
377 ``no''.
378
379 UseDNS Specifies whether sshd should lookup the remote host name and
380 check that the resolved host name for the remote IP address maps
381 back to the very same IP address. The default is ``yes''.
382
383 UseLogin
384 Specifies whether login(1) is used for interactive login ses-
385 sions. The default is ``no''. Note that login(1) is never used
386 for remote command execution. Note also, that if this is en-
387 abled, X11Forwarding will be disabled because login(1) does not
388 know how to handle xauth(1) cookies. If UsePrivilegeSeparation
389 is specified, it will be disabled after authentication.
390
391 UsePAM Enables the Pluggable Authentication Module interface. If set to
392 ``yes'' this will enable PAM authentication using
393 ChallengeResponseAuthentication and PAM account and session mod-
394 ule processing for all authentication types.
395
396 Because PAM challenge-response authentication usually serves an
397 equivalent role to password authentication, you should disable
398 either PasswordAuthentication or ChallengeResponseAuthentication.
399
400 If UsePAM is enabled, you will not be able to run sshd(8) as a
401 non-root user. The default is ``no''.
402
403 UsePrivilegeSeparation
404 Specifies whether sshd separates privileges by creating an un-
405 privileged child process to deal with incoming network traffic.
406 After successful authentication, another process will be created
407 that has the privilege of the authenticated user. The goal of
408 privilege separation is to prevent privilege escalation by con-
409 taining any corruption within the unprivileged processes. The
410 default is ``yes''.
411
412 X11DisplayOffset
413 Specifies the first display number available for sshd's X11 for-
414 warding. This prevents sshd from interfering with real X11
415 servers. The default is 10.
416
417 X11Forwarding
418 Specifies whether X11 forwarding is permitted. The argument must
419 be ``yes'' or ``no''. The default is ``no''.
420
421 When X11 forwarding is enabled, there may be additional exposure
422 to the server and to client displays if the sshd proxy display is
423 configured to listen on the wildcard address (see X11UseLocalhost
424 below), however this is not the default. Additionally, the au-
425 thentication spoofing and authentication data verification and
426 substitution occur on the client side. The security risk of us-
427 ing X11 forwarding is that the client's X11 display server may be
428 exposed to attack when the ssh client requests forwarding (see
429 the warnings for ForwardX11 in ssh_config(5)). A system adminis-
430 trator may have a stance in which they want to protect clients
431 that may expose themselves to attack by unwittingly requesting
432 X11 forwarding, which can warrant a ``no'' setting.
433
434 Note that disabling X11 forwarding does not prevent users from
435 forwarding X11 traffic, as users can always install their own
436 forwarders. X11 forwarding is automatically disabled if UseLogin
437 is enabled.
438
439 X11UseLocalhost
440 Specifies whether sshd should bind the X11 forwarding server to
441 the loopback address or to the wildcard address. By default,
442 sshd binds the forwarding server to the loopback address and sets
443 the hostname part of the DISPLAY environment variable to
444 ``localhost''. This prevents remote hosts from connecting to the
445 proxy display. However, some older X11 clients may not function
446 with this configuration. X11UseLocalhost may be set to ``no'' to
447 specify that the forwarding server should be bound to the wild-
448 card address. The argument must be ``yes'' or ``no''. The de-
449 fault is ``yes''.
450
451 XAuthLocation
452 Specifies the full pathname of the xauth(1) program. The default
453 is /usr/X11R6/bin/xauth.
454
455 Time Formats
456 sshd command-line arguments and configuration file options that specify
457 time may be expressed using a sequence of the form: time[qualifier],
458 where time is a positive integer value and qualifier is one of the fol-
459 lowing:
460
461 <none> seconds
462 s | S seconds
463 m | M minutes
464 h | H hours
465 d | D days
466 w | W weeks
467
468 Each member of the sequence is added together to calculate the total time
469 value.
470
471 Time format examples:
472
473 600 600 seconds (10 minutes)
474 10m 10 minutes
475 1h30m 1 hour 30 minutes (90 minutes)
476
477FILES
478 /etc/ssh/sshd_config
479 Contains configuration data for sshd. This file should be
480 writable by root only, but it is recommended (though not neces-
481 sary) that it be world-readable.
482
483SEE ALSO
484 sshd(8)
485
486AUTHORS
487 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
488 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
489 de Raadt and Dug Song removed many bugs, re-added newer features and cre-
490 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
491 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
492 for privilege separation.
493
494OpenBSD 3.6 September 25, 1999 8
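Review bot: the KerberosGetAFSToken paragraph in this hunk misspells "aquire" (should be "acquire"), and the KerberosAuthentication paragraph refers to a "Kerberos servtab" where the Kerberos term for the file that lets the server verify the KDC's identity is "keytab". Because sshd_config.0 is the preformatted output of sshd_config.5, both wording fixes belong in the .5 source so the regenerated .0 picks them up, rather than being patched here. Two smaller documentation points in the same hunk: ClientAliveInterval is placed before ClientAliveCountMax, breaking the otherwise alphabetical ordering of keywords, and the footer date "September 25, 1999" is far older than options such as GSSAPIAuthentication and UsePAM described above it, so the page's date line should be refreshed in the source when the text is next touched.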