summaryrefslogtreecommitdiff
path: root/sshd_config.0
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2013-09-14 15:43:03 +0100
committerColin Watson <cjwatson@debian.org>2013-09-14 15:43:03 +0100
commit8faf8c84430cf3c19705b1d9f8889d256e7fd1fd (patch)
treee6cb74192adb00fda5e4d1457547851d7e0d86af /sshd_config.0
parent328b60656f29db6306994d7498dede386ec2d1c3 (diff)
parentc41345ad7ee5a22689e2c009595e85fa27b4b39a (diff)
merge 6.3p1
Diffstat (limited to 'sshd_config.0')
-rw-r--r--sshd_config.043
1 files changed, 38 insertions, 5 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 2648db3d4..5f1df7b58 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -90,6 +90,13 @@ DESCRIPTION
90 example, it would not be possible to attempt password or 90 example, it would not be possible to attempt password or
91 keyboard-interactive authentication before public key. 91 keyboard-interactive authentication before public key.
92 92
93 For keyboard interactive authentication it is also possible to
94 restrict authentication to a specific device by appending a colon
95 followed by the device identifier ``bsdauth'', ``pam'', or
96 ``skey'', depending on the server configuration. For example,
97 ``keyboard-interactive:bsdauth'' would restrict keyboard
98 interactive authentication to the ``bsdauth'' device.
99
93 This option is only available for SSH protocol 2 and will yield a 100 This option is only available for SSH protocol 2 and will yield a
94 fatal error if enabled if protocol 1 is also enabled. Note that 101 fatal error if enabled if protocol 1 is also enabled. Note that
95 each authentication method listed should also be explicitly 102 each authentication method listed should also be explicitly
@@ -99,7 +106,8 @@ DESCRIPTION
99 106
100 AuthorizedKeysCommand 107 AuthorizedKeysCommand
101 Specifies a program to be used to look up the user's public keys. 108 Specifies a program to be used to look up the user's public keys.
102 The program will be invoked with a single argument of the 109 The program must be owned by root and not writable by group or
110 others. It will be invoked with a single argument of the
103 username being authenticated, and should produce on standard 111 username being authenticated, and should produce on standard
104 output zero or more lines of authorized_keys output (see 112 output zero or more lines of authorized_keys output (see
105 AUTHORIZED_KEYS in sshd(8)). If a key supplied by 113 AUTHORIZED_KEYS in sshd(8)). If a key supplied by
@@ -322,7 +330,16 @@ DESCRIPTION
322 sshd(8) will refuse to use a file if it is group/world- 330 sshd(8) will refuse to use a file if it is group/world-
323 accessible. It is possible to have multiple host key files. 331 accessible. It is possible to have multiple host key files.
324 ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or 332 ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or
325 ``rsa'' are used for version 2 of the SSH protocol. 333 ``rsa'' are used for version 2 of the SSH protocol. It is also
334 possible to specify public host key files instead. In this case
335 operations on the private key will be delegated to an
336 ssh-agent(1).
337
338 HostKeyAgent
339 Identifies the UNIX-domain socket used to communicate with an
340 agent that has access to the private host keys. If
341 ``SSH_AUTH_SOCK'' is specified, the location of the socket will
342 be read from the SSH_AUTH_SOCK environment variable.
326 343
327 IgnoreRhosts 344 IgnoreRhosts
328 Specifies that .rhosts and .shosts files will not be used in 345 Specifies that .rhosts and .shosts files will not be used in
@@ -461,8 +478,9 @@ DESCRIPTION
461 KbdInteractiveAuthentication, KerberosAuthentication, 478 KbdInteractiveAuthentication, KerberosAuthentication,
462 MaxAuthTries, MaxSessions, PasswordAuthentication, 479 MaxAuthTries, MaxSessions, PasswordAuthentication,
463 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel, 480 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel,
464 PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, 481 PubkeyAuthentication, RekeyLimit, RhostsRSAAuthentication,
465 X11DisplayOffset, X11Forwarding and X11UseLocalHost. 482 RSAAuthentication, X11DisplayOffset, X11Forwarding and
483 X11UseLocalHost.
466 484
467 MaxAuthTries 485 MaxAuthTries
468 Specifies the maximum number of authentication attempts permitted 486 Specifies the maximum number of authentication attempts permitted
@@ -571,6 +589,21 @@ DESCRIPTION
571 default is ``yes''. Note that this option applies to protocol 589 default is ``yes''. Note that this option applies to protocol
572 version 2 only. 590 version 2 only.
573 591
592 RekeyLimit
593 Specifies the maximum amount of data that may be transmitted
594 before the session key is renegotiated, optionally followed a
595 maximum amount of time that may pass before the session key is
596 renegotiated. The first argument is specified in bytes and may
597 have a suffix of `K', `M', or `G' to indicate Kilobytes,
598 Megabytes, or Gigabytes, respectively. The default is between
599 `1G' and `4G', depending on the cipher. The optional second
600 value is specified in seconds and may use any of the units
601 documented in the TIME FORMATS section. The default value for
602 RekeyLimit is ``default none'', which means that rekeying is
603 performed after the cipher's default amount of data has been sent
604 or received and no time based rekeying is done. This option
605 applies to protocol version 2 only.
606
574 RevokedKeys 607 RevokedKeys
575 Specifies revoked public keys. Keys listed in this file will be 608 Specifies revoked public keys. Keys listed in this file will be
576 refused for public key authentication. Note that if this file is 609 refused for public key authentication. Note that if this file is
@@ -777,4 +810,4 @@ AUTHORS
777 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 810 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
778 for privilege separation. 811 for privilege separation.
779 812
780OpenBSD 5.3 February 6, 2013 OpenBSD 5.3 813OpenBSD 5.4 July 19, 2013 OpenBSD 5.4