diff options
author | Colin Watson <cjwatson@debian.org> | 2003-09-23 17:49:41 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-23 17:49:41 +0000 |
commit | 45431c9b4677608680cd071768cbf156b316a7e8 (patch) | |
tree | 9dd03d2cda2d52d8457ec7ae06902fbe0496e1e0 /sshd_config.0 | |
parent | 6dbe10d82295512af03b81649c26841381318996 (diff) | |
parent | 9221adce6959801664fd4a340c19e6b69107ad0b (diff) |
Import OpenSSH 3.7.1p2.
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 460 |
1 files changed, 460 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0 new file mode 100644 index 000000000..643db2640 --- /dev/null +++ b/sshd_config.0 | |||
@@ -0,0 +1,460 @@ | |||
1 | SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | sshd_config - OpenSSH SSH daemon configuration file | ||
5 | |||
6 | SYNOPSIS | ||
7 | /etc/ssh/sshd_config | ||
8 | |||
9 | DESCRIPTION | ||
10 | sshd reads configuration data from /etc/ssh/sshd_config (or the file | ||
11 | specified with -f on the command line). The file contains keyword-argu- | ||
12 | ment pairs, one per line. Lines starting with `#' and empty lines are | ||
13 | interpreted as comments. | ||
14 | |||
15 | The possible keywords and their meanings are as follows (note that key- | ||
16 | words are case-insensitive and arguments are case-sensitive): | ||
17 | |||
18 | AllowGroups | ||
19 | This keyword can be followed by a list of group name patterns, | ||
20 | separated by spaces. If specified, login is allowed only for | ||
21 | users whose primary group or supplementary group list matches one | ||
22 | of the patterns. `*' and `?' can be used as wildcards in the | ||
23 | patterns. Only group names are valid; a numerical group ID is | ||
24 | not recognized. By default, login is allowed for all groups. | ||
25 | |||
26 | AllowTcpForwarding | ||
27 | Specifies whether TCP forwarding is permitted. The default is | ||
28 | ``yes''. Note that disabling TCP forwarding does not improve se- | ||
29 | curity unless users are also denied shell access, as they can al- | ||
30 | ways install their own forwarders. | ||
31 | |||
32 | AllowUsers | ||
33 | This keyword can be followed by a list of user name patterns, | ||
34 | separated by spaces. If specified, login is allowed only for us- | ||
35 | er names that match one of the patterns. `*' and `?' can be used | ||
36 | as wildcards in the patterns. Only user names are valid; a nu- | ||
37 | merical user ID is not recognized. By default, login is allowed | ||
38 | for all users. If the pattern takes the form USER@HOST then USER | ||
39 | and HOST are separately checked, restricting logins to particular | ||
40 | users from particular hosts. | ||
41 | |||
42 | AuthorizedKeysFile | ||
43 | Specifies the file that contains the public keys that can be used | ||
44 | for user authentication. AuthorizedKeysFile may contain tokens | ||
45 | of the form %T which are substituted during connection set-up. | ||
46 | The following tokens are defined: %% is replaced by a literal | ||
47 | '%', %h is replaced by the home directory of the user being au- | ||
48 | thenticated and %u is replaced by the username of that user. Af- | ||
49 | ter expansion, AuthorizedKeysFile is taken to be an absolute path | ||
50 | or one relative to the user's home directory. The default is | ||
51 | ``.ssh/authorized_keys''. | ||
52 | |||
53 | Banner In some jurisdictions, sending a warning message before authenti- | ||
54 | cation may be relevant for getting legal protection. The con- | ||
55 | tents of the specified file are sent to the remote user before | ||
56 | authentication is allowed. This option is only available for | ||
57 | protocol version 2. By default, no banner is displayed. | ||
58 | |||
59 | ChallengeResponseAuthentication | ||
60 | Specifies whether challenge response authentication is allowed. | ||
61 | All authentication styles from login.conf(5) are supported. The | ||
62 | default is ``yes''. | ||
63 | |||
64 | Ciphers | ||
65 | Specifies the ciphers allowed for protocol version 2. Multiple | ||
66 | ciphers must be comma-separated. The default is | ||
67 | |||
68 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | ||
69 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' | ||
70 | |||
71 | ClientAliveInterval | ||
72 | Sets a timeout interval in seconds after which if no data has | ||
73 | been received from the client, sshd will send a message through | ||
74 | the encrypted channel to request a response from the client. The | ||
75 | default is 0, indicating that these messages will not be sent to | ||
76 | the client. This option applies to protocol version 2 only. | ||
77 | |||
78 | ClientAliveCountMax | ||
79 | Sets the number of client alive messages (see above) which may be | ||
80 | sent without sshd receiving any messages back from the client. | ||
81 | If this threshold is reached while client alive messages are be- | ||
82 | ing sent, sshd will disconnect the client, terminating the ses- | ||
83 | sion. It is important to note that the use of client alive mes- | ||
84 | sages is very different from KeepAlive (below). The client alive | ||
85 | messages are sent through the encrypted channel and therefore | ||
86 | will not be spoofable. The TCP keepalive option enabled by | ||
87 | KeepAlive is spoofable. The client alive mechanism is valuable | ||
88 | when the client or server depend on knowing when a connection has | ||
89 | become inactive. | ||
90 | |||
91 | The default value is 3. If ClientAliveInterval (above) is set to | ||
92 | 15, and ClientAliveCountMax is left at the default, unresponsive | ||
93 | ssh clients will be disconnected after approximately 45 seconds. | ||
94 | |||
95 | Compression | ||
96 | Specifies whether compression is allowed. The argument must be | ||
97 | ``yes'' or ``no''. The default is ``yes''. | ||
98 | |||
99 | DenyGroups | ||
100 | This keyword can be followed by a list of group name patterns, | ||
101 | separated by spaces. Login is disallowed for users whose primary | ||
102 | group or supplementary group list matches one of the patterns. | ||
103 | `*' and `?' can be used as wildcards in the patterns. Only group | ||
104 | names are valid; a numerical group ID is not recognized. By de- | ||
105 | fault, login is allowed for all groups. | ||
106 | |||
107 | DenyUsers | ||
108 | This keyword can be followed by a list of user name patterns, | ||
109 | separated by spaces. Login is disallowed for user names that | ||
110 | match one of the patterns. `*' and `?' can be used as wildcards | ||
111 | in the patterns. Only user names are valid; a numerical user ID | ||
112 | is not recognized. By default, login is allowed for all users. | ||
113 | If the pattern takes the form USER@HOST then USER and HOST are | ||
114 | separately checked, restricting logins to particular users from | ||
115 | particular hosts. | ||
116 | |||
117 | GatewayPorts | ||
118 | Specifies whether remote hosts are allowed to connect to ports | ||
119 | forwarded for the client. By default, sshd binds remote port | ||
120 | forwardings to the loopback address. This prevents other remote | ||
121 | hosts from connecting to forwarded ports. GatewayPorts can be | ||
122 | used to specify that sshd should bind remote port forwardings to | ||
123 | the wildcard address, thus allowing remote hosts to connect to | ||
124 | forwarded ports. The argument must be ``yes'' or ``no''. The | ||
125 | default is ``no''. | ||
126 | |||
127 | GSSAPIAuthentication | ||
128 | Specifies whether user authentication based on GSSAPI is allowed. | ||
129 | The default is ``no''. Note that this option applies to protocol | ||
130 | version 2 only. | ||
131 | |||
132 | GSSAPICleanupCredentials | ||
133 | Specifies whether to automatically destroy the user's credentials | ||
134 | cache on logout. The default is ``yes''. Note that this option | ||
135 | applies to protocol version 2 only. | ||
136 | |||
137 | HostbasedAuthentication | ||
138 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | ||
139 | gether with successful public key client host authentication is | ||
140 | allowed (hostbased authentication). This option is similar to | ||
141 | RhostsRSAAuthentication and applies to protocol version 2 only. | ||
142 | The default is ``no''. | ||
143 | |||
144 | HostKey | ||
145 | Specifies a file containing a private host key used by SSH. The | ||
146 | default is /etc/ssh/ssh_host_key for protocol version 1, and | ||
147 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | ||
148 | tocol version 2. Note that sshd will refuse to use a file if it | ||
149 | is group/world-accessible. It is possible to have multiple host | ||
150 | key files. ``rsa1'' keys are used for version 1 and ``dsa'' or | ||
151 | ``rsa'' are used for version 2 of the SSH protocol. | ||
152 | |||
153 | IgnoreRhosts | ||
154 | Specifies that .rhosts and .shosts files will not be used in | ||
155 | RhostsRSAAuthentication or HostbasedAuthentication. | ||
156 | |||
157 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The de- | ||
158 | fault is ``yes''. | ||
159 | |||
160 | IgnoreUserKnownHosts | ||
161 | Specifies whether sshd should ignore the user's | ||
162 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or | ||
163 | HostbasedAuthentication. The default is ``no''. | ||
164 | |||
165 | KeepAlive | ||
166 | Specifies whether the system should send TCP keepalive messages | ||
167 | to the other side. If they are sent, death of the connection or | ||
168 | crash of one of the machines will be properly noticed. However, | ||
169 | this means that connections will die if the route is down tem- | ||
170 | porarily, and some people find it annoying. On the other hand, | ||
171 | if keepalives are not sent, sessions may hang indefinitely on the | ||
172 | server, leaving ``ghost'' users and consuming server resources. | ||
173 | |||
174 | The default is ``yes'' (to send keepalives), and the server will | ||
175 | notice if the network goes down or the client host crashes. This | ||
176 | avoids infinitely hanging sessions. | ||
177 | |||
178 | To disable keepalives, the value should be set to ``no''. | ||
179 | |||
180 | KerberosAuthentication | ||
181 | Specifies whether the password provided by the user for | ||
182 | PasswordAuthentication will be validated through the Kerberos | ||
183 | KDC. To use this option, the server needs a Kerberos servtab | ||
184 | which allows the verification of the KDC's identity. Default is | ||
185 | ``no''. | ||
186 | |||
187 | KerberosOrLocalPasswd | ||
188 | If set then if password authentication through Kerberos fails | ||
189 | then the password will be validated via any additional local | ||
190 | mechanism such as /etc/passwd. Default is ``yes''. | ||
191 | |||
192 | KerberosTicketCleanup | ||
193 | Specifies whether to automatically destroy the user's ticket | ||
194 | cache file on logout. Default is ``yes''. | ||
195 | |||
196 | KeyRegenerationInterval | ||
197 | In protocol version 1, the ephemeral server key is automatically | ||
198 | regenerated after this many seconds (if it has been used). The | ||
199 | purpose of regeneration is to prevent decrypting captured ses- | ||
200 | sions by later breaking into the machine and stealing the keys. | ||
201 | The key is never stored anywhere. If the value is 0, the key is | ||
202 | never regenerated. The default is 3600 (seconds). | ||
203 | |||
204 | ListenAddress | ||
205 | Specifies the local addresses sshd should listen on. The follow- | ||
206 | ing forms may be used: | ||
207 | |||
208 | ListenAddress host|IPv4_addr|IPv6_addr | ||
209 | ListenAddress host|IPv4_addr:port | ||
210 | ListenAddress [host|IPv6_addr]:port | ||
211 | |||
212 | If port is not specified, sshd will listen on the address and all | ||
213 | prior Port options specified. The default is to listen on all | ||
214 | local addresses. Multiple ListenAddress options are permitted. | ||
215 | Additionally, any Port options must precede this option for non | ||
216 | port qualified addresses. | ||
217 | |||
218 | LoginGraceTime | ||
219 | The server disconnects after this time if the user has not suc- | ||
220 | cessfully logged in. If the value is 0, there is no time limit. | ||
221 | The default is 120 seconds. | ||
222 | |||
223 | LogLevel | ||
224 | Gives the verbosity level that is used when logging messages from | ||
225 | sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VER- | ||
226 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. | ||
227 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
228 | higher levels of debugging output. Logging with a DEBUG level | ||
229 | violates the privacy of users and is not recommended. | ||
230 | |||
231 | MACs Specifies the available MAC (message authentication code) algo- | ||
232 | rithms. The MAC algorithm is used in protocol version 2 for data | ||
233 | integrity protection. Multiple algorithms must be comma-separat- | ||
234 | ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac- | ||
235 | sha1-96,hmac-md5-96''. | ||
236 | |||
237 | MaxStartups | ||
238 | Specifies the maximum number of concurrent unauthenticated con- | ||
239 | nections to the sshd daemon. Additional connections will be | ||
240 | dropped until authentication succeeds or the LoginGraceTime ex- | ||
241 | pires for a connection. The default is 10. | ||
242 | |||
243 | Alternatively, random early drop can be enabled by specifying the | ||
244 | three colon separated values ``start:rate:full'' (e.g., | ||
245 | "10:30:60"). sshd will refuse connection attempts with a proba- | ||
246 | bility of ``rate/100'' (30%) if there are currently ``start'' | ||
247 | (10) unauthenticated connections. The probability increases lin- | ||
248 | early and all connection attempts are refused if the number of | ||
249 | unauthenticated connections reaches ``full'' (60). | ||
250 | |||
251 | PasswordAuthentication | ||
252 | Specifies whether password authentication is allowed. The de- | ||
253 | fault is ``yes''. | ||
254 | |||
255 | PermitEmptyPasswords | ||
256 | When password authentication is allowed, it specifies whether the | ||
257 | server allows login to accounts with empty password strings. The | ||
258 | default is ``no''. | ||
259 | |||
260 | PermitRootLogin | ||
261 | Specifies whether root can login using ssh(1). The argument must | ||
262 | be ``yes'', ``without-password'', ``forced-commands-only'' or | ||
263 | ``no''. The default is ``yes''. | ||
264 | |||
265 | If this option is set to ``without-password'' password authenti- | ||
266 | cation is disabled for root. | ||
267 | |||
268 | If this option is set to ``forced-commands-only'' root login with | ||
269 | public key authentication will be allowed, but only if the | ||
270 | command option has been specified (which may be useful for taking | ||
271 | remote backups even if root login is normally not allowed). All | ||
272 | other authentication methods are disabled for root. | ||
273 | |||
274 | If this option is set to ``no'' root is not allowed to login. | ||
275 | |||
276 | PermitUserEnvironment | ||
277 | Specifies whether ~/.ssh/environment and environment= options in | ||
278 | ~/.ssh/authorized_keys are processed by sshd. The default is | ||
279 | ``no''. Enabling environment processing may enable users to by- | ||
280 | pass access restrictions in some configurations using mechanisms | ||
281 | such as LD_PRELOAD. | ||
282 | |||
283 | PidFile | ||
284 | Specifies the file that contains the process ID of the sshd dae- | ||
285 | mon. The default is /var/run/sshd.pid. | ||
286 | |||
287 | Port Specifies the port number that sshd listens on. The default is | ||
288 | 22. Multiple options of this type are permitted. See also | ||
289 | ListenAddress. | ||
290 | |||
291 | PrintLastLog | ||
292 | Specifies whether sshd should print the date and time when the | ||
293 | user last logged in. The default is ``yes''. | ||
294 | |||
295 | PrintMotd | ||
296 | Specifies whether sshd should print /etc/motd when a user logs in | ||
297 | interactively. (On some systems it is also printed by the shell, | ||
298 | /etc/profile, or equivalent.) The default is ``yes''. | ||
299 | |||
300 | Protocol | ||
301 | Specifies the protocol versions sshd supports. The possible val- | ||
302 | ues are ``1'' and ``2''. Multiple versions must be comma-sepa- | ||
303 | rated. The default is ``2,1''. Note that the order of the pro- | ||
304 | tocol list does not indicate preference, because the client se- | ||
305 | lects among multiple protocol versions offered by the server. | ||
306 | Specifying ``2,1'' is identical to ``1,2''. | ||
307 | |||
308 | PubkeyAuthentication | ||
309 | Specifies whether public key authentication is allowed. The de- | ||
310 | fault is ``yes''. Note that this option applies to protocol ver- | ||
311 | sion 2 only. RhostsRSAAuthentication should be used instead, be- | ||
312 | cause it performs RSA-based host authentication in addition to | ||
313 | normal rhosts or /etc/hosts.equiv authentication. The default is | ||
314 | ``no''. This option applies to protocol version 1 only. | ||
315 | |||
316 | RhostsRSAAuthentication | ||
317 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | ||
318 | gether with successful RSA host authentication is allowed. The | ||
319 | default is ``no''. This option applies to protocol version 1 on- | ||
320 | ly. | ||
321 | |||
322 | RSAAuthentication | ||
323 | Specifies whether pure RSA authentication is allowed. The de- | ||
324 | fault is ``yes''. This option applies to protocol version 1 on- | ||
325 | ly. | ||
326 | |||
327 | ServerKeyBits | ||
328 | Defines the number of bits in the ephemeral protocol version 1 | ||
329 | server key. The minimum value is 512, and the default is 768. | ||
330 | |||
331 | StrictModes | ||
332 | Specifies whether sshd should check file modes and ownership of | ||
333 | the user's files and home directory before accepting login. This | ||
334 | is normally desirable because novices sometimes accidentally | ||
335 | leave their directory or files world-writable. The default is | ||
336 | ``yes''. | ||
337 | |||
338 | Subsystem | ||
339 | Configures an external subsystem (e.g., file transfer daemon). | ||
340 | Arguments should be a subsystem name and a command to execute up- | ||
341 | on subsystem request. The command sftp-server(8) implements the | ||
342 | ``sftp'' file transfer subsystem. By default no subsystems are | ||
343 | defined. Note that this option applies to protocol version 2 on- | ||
344 | ly. | ||
345 | |||
346 | SyslogFacility | ||
347 | Gives the facility code that is used when logging messages from | ||
348 | sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO- | ||
349 | CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- | ||
350 | fault is AUTH. | ||
351 | |||
352 | UseDNS Specifies whether sshd should lookup the remote host name and | ||
353 | check that the resolved host name for the remote IP address maps | ||
354 | back to the very same IP address. The default is ``yes''. | ||
355 | |||
356 | UseLogin | ||
357 | Specifies whether login(1) is used for interactive login ses- | ||
358 | sions. The default is ``no''. Note that login(1) is never used | ||
359 | for remote command execution. Note also, that if this is en- | ||
360 | abled, X11Forwarding will be disabled because login(1) does not | ||
361 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | ||
362 | is specified, it will be disabled after authentication. | ||
363 | |||
364 | UsePAM Enables PAM authentication (via challenge-response) and session | ||
365 | set up. If you enable this, you should probably disable | ||
366 | PasswordAuthentication. If you enable then you will not be able | ||
367 | to run sshd as a non-root user. | ||
368 | |||
369 | UsePrivilegeSeparation | ||
370 | Specifies whether sshd separates privileges by creating an un- | ||
371 | privileged child process to deal with incoming network traffic. | ||
372 | After successful authentication, another process will be created | ||
373 | that has the privilege of the authenticated user. The goal of | ||
374 | privilege separation is to prevent privilege escalation by con- | ||
375 | taining any corruption within the unprivileged processes. The | ||
376 | default is ``yes''. | ||
377 | |||
378 | X11DisplayOffset | ||
379 | Specifies the first display number available for sshd's X11 for- | ||
380 | warding. This prevents sshd from interfering with real X11 | ||
381 | servers. The default is 10. | ||
382 | |||
383 | X11Forwarding | ||
384 | Specifies whether X11 forwarding is permitted. The argument must | ||
385 | be ``yes'' or ``no''. The default is ``no''. | ||
386 | |||
387 | When X11 forwarding is enabled, there may be additional exposure | ||
388 | to the server and to client displays if the sshd proxy display is | ||
389 | configured to listen on the wildcard address (see X11UseLocalhost | ||
390 | below), however this is not the default. Additionally, the au- | ||
391 | thentication spoofing and authentication data verification and | ||
392 | substitution occur on the client side. The security risk of us- | ||
393 | ing X11 forwarding is that the client's X11 display server may be | ||
394 | exposed to attack when the ssh client requests forwarding (see | ||
395 | the warnings for ForwardX11 in ssh_config(5)). A system adminis- | ||
396 | trator may have a stance in which they want to protect clients | ||
397 | that may expose themselves to attack by unwittingly requesting | ||
398 | X11 forwarding, which can warrant a ``no'' setting. | ||
399 | |||
400 | Note that disabling X11 forwarding does not prevent users from | ||
401 | forwarding X11 traffic, as users can always install their own | ||
402 | forwarders. X11 forwarding is automatically disabled if UseLogin | ||
403 | is enabled. | ||
404 | |||
405 | X11UseLocalhost | ||
406 | Specifies whether sshd should bind the X11 forwarding server to | ||
407 | the loopback address or to the wildcard address. By default, | ||
408 | sshd binds the forwarding server to the loopback address and sets | ||
409 | the hostname part of the DISPLAY environment variable to | ||
410 | ``localhost''. This prevents remote hosts from connecting to the | ||
411 | proxy display. However, some older X11 clients may not function | ||
412 | with this configuration. X11UseLocalhost may be set to ``no'' to | ||
413 | specify that the forwarding server should be bound to the wild- | ||
414 | card address. The argument must be ``yes'' or ``no''. The de- | ||
415 | fault is ``yes''. | ||
416 | |||
417 | XAuthLocation | ||
418 | Specifies the full pathname of the xauth(1) program. The default | ||
419 | is /usr/X11R6/bin/xauth. | ||
420 | |||
421 | Time Formats | ||
422 | sshd command-line arguments and configuration file options that specify | ||
423 | time may be expressed using a sequence of the form: time[qualifier], | ||
424 | where time is a positive integer value and qualifier is one of the fol- | ||
425 | lowing: | ||
426 | |||
427 | <none> seconds | ||
428 | s | S seconds | ||
429 | m | M minutes | ||
430 | h | H hours | ||
431 | d | D days | ||
432 | w | W weeks | ||
433 | |||
434 | Each member of the sequence is added together to calculate the total time | ||
435 | value. | ||
436 | |||
437 | Time format examples: | ||
438 | |||
439 | 600 600 seconds (10 minutes) | ||
440 | 10m 10 minutes | ||
441 | 1h30m 1 hour 30 minutes (90 minutes) | ||
442 | |||
443 | FILES | ||
444 | /etc/ssh/sshd_config | ||
445 | Contains configuration data for sshd. This file should be | ||
446 | writable by root only, but it is recommended (though not neces- | ||
447 | sary) that it be world-readable. | ||
448 | |||
449 | SEE ALSO | ||
450 | sshd(8) | ||
451 | |||
452 | AUTHORS | ||
453 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
454 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
455 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | ||
456 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
457 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | ||
458 | for privilege separation. | ||
459 | |||
460 | OpenBSD 3.4 September 25, 1999 7 | ||