path: root/sshd_config.0
author    Colin Watson <cjwatson@debian.org>  2005-05-30 21:44:32 +0000
committer Colin Watson <cjwatson@debian.org>  2005-05-30 21:44:32 +0000
commit    a55bd782aa819b7f5ae716de000f19f4f531850e (patch)
tree      12638b19bc0ed9c8d48541d460693ab0fbb58e89 /sshd_config.0
parent    fe9489f7e522f780f3fa5c2f28208124d193398c (diff)
parent    5d05471f6657646d1d6500c7c43134462c407ee6 (diff)
Import OpenSSH 4.1p1.
Diffstat (limited to 'sshd_config.0')
-rw-r--r--  sshd_config.0 | 501
1 files changed, 501 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0
new file mode 100644
index 000000000..036c85946
--- /dev/null
+++ b/sshd_config.0
@@ -0,0 +1,501 @@
1SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
2
3NAME
4 sshd_config - OpenSSH SSH daemon configuration file
5
6SYNOPSIS
7 /etc/ssh/sshd_config
8
9DESCRIPTION
10 sshd reads configuration data from /etc/ssh/sshd_config (or the file
11 specified with -f on the command line). The file contains keyword-argu-
12 ment pairs, one per line. Lines starting with `#' and empty lines are
13 interpreted as comments.
14
15 The possible keywords and their meanings are as follows (note that key-
16 words are case-insensitive and arguments are case-sensitive):
17
18 AcceptEnv
19 Specifies what environment variables sent by the client will be
20 copied into the session's environ(7). See SendEnv in
21 ssh_config(5) for how to configure the client. Note that envi-
22 ronment passing is only supported for protocol 2. Variables are
23 specified by name, which may contain the wildcard characters `*'
24 and `?'. Multiple environment variables may be separated by
25 whitespace or spread across multiple AcceptEnv directives. Be
26 warned that some environment variables could be used to bypass
27 restricted user environments. For this reason, care should be
28 taken in the use of this directive. The default is not to accept
29 any environment variables.
30
31 AddressFamily
32 Specifies which address family should be used by sshd. Valid ar-
33 guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use
34 IPv6 only). The default is ``any''.
35
36 AllowGroups
37 This keyword can be followed by a list of group name patterns,
38 separated by spaces. If specified, login is allowed only for
39 users whose primary group or supplementary group list matches one
40 of the patterns. `*' and `?' can be used as wildcards in the
41 patterns. Only group names are valid; a numerical group ID is
42 not recognized. By default, login is allowed for all groups.
43
44 AllowTcpForwarding
45 Specifies whether TCP forwarding is permitted. The default is
46 ``yes''. Note that disabling TCP forwarding does not improve se-
47 curity unless users are also denied shell access, as they can al-
48 ways install their own forwarders.
49
50 AllowUsers
51 This keyword can be followed by a list of user name patterns,
52 separated by spaces. If specified, login is allowed only for us-
53 er names that match one of the patterns. `*' and `?' can be used
54 as wildcards in the patterns. Only user names are valid; a nu-
55 merical user ID is not recognized. By default, login is allowed
56 for all users. If the pattern takes the form USER@HOST then USER
57 and HOST are separately checked, restricting logins to particular
58 users from particular hosts.
59
60 AuthorizedKeysFile
61 Specifies the file that contains the public keys that can be used
62 for user authentication. AuthorizedKeysFile may contain tokens
63 of the form %T which are substituted during connection set-up.
64 The following tokens are defined: %% is replaced by a literal
65 '%', %h is replaced by the home directory of the user being au-
66 thenticated and %u is replaced by the username of that user. Af-
67 ter expansion, AuthorizedKeysFile is taken to be an absolute path
68 or one relative to the user's home directory. The default is
69 ``.ssh/authorized_keys''.
70
71 Banner In some jurisdictions, sending a warning message before authenti-
72 cation may be relevant for getting legal protection. The con-
73 tents of the specified file are sent to the remote user before
74 authentication is allowed. This option is only available for
75 protocol version 2. By default, no banner is displayed.
76
77 ChallengeResponseAuthentication
78 Specifies whether challenge response authentication is allowed.
79 All authentication styles from login.conf(5) are supported. The
80 default is ``yes''.
81
82 Ciphers
83 Specifies the ciphers allowed for protocol version 2. Multiple
84 ciphers must be comma-separated. The supported ciphers are
85 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
86 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour'',
87 ``blowfish-cbc'', and ``cast128-cbc''. The default is
88
89 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
90 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
91
92 ClientAliveInterval
93 Sets a timeout interval in seconds after which if no data has
94 been received from the client, sshd will send a message through
95 the encrypted channel to request a response from the client. The
96 default is 0, indicating that these messages will not be sent to
97 the client. This option applies to protocol version 2 only.
98
99 ClientAliveCountMax
100 Sets the number of client alive messages (see above) which may be
101 sent without sshd receiving any messages back from the client.
102 If this threshold is reached while client alive messages are be-
103 ing sent, sshd will disconnect the client, terminating the ses-
104 sion. It is important to note that the use of client alive mes-
105 sages is very different from TCPKeepAlive (below). The client
106 alive messages are sent through the encrypted channel and there-
107 fore will not be spoofable. The TCP keepalive option enabled by
108 TCPKeepAlive is spoofable. The client alive mechanism is valu-
109 able when the client or server depend on knowing when a connec-
110 tion has become inactive.
111
112 The default value is 3. If ClientAliveInterval (above) is set to
113 15, and ClientAliveCountMax is left at the default, unresponsive
114 ssh clients will be disconnected after approximately 45 seconds.
115
116 Compression
117 Specifies whether compression is allowed. The argument must be
118 ``yes'' or ``no''. The default is ``yes''.
119
120 DenyGroups
121 This keyword can be followed by a list of group name patterns,
122 separated by spaces. Login is disallowed for users whose primary
123 group or supplementary group list matches one of the patterns.
124 `*' and `?' can be used as wildcards in the patterns. Only group
125 names are valid; a numerical group ID is not recognized. By de-
126 fault, login is allowed for all groups.
127
128 DenyUsers
129 This keyword can be followed by a list of user name patterns,
130 separated by spaces. Login is disallowed for user names that
131 match one of the patterns. `*' and `?' can be used as wildcards
132 in the patterns. Only user names are valid; a numerical user ID
133 is not recognized. By default, login is allowed for all users.
134 If the pattern takes the form USER@HOST then USER and HOST are
135 separately checked, restricting logins to particular users from
136 particular hosts.
137
138 GatewayPorts
139 Specifies whether remote hosts are allowed to connect to ports
140 forwarded for the client. By default, sshd binds remote port
141 forwardings to the loopback address. This prevents other remote
142 hosts from connecting to forwarded ports. GatewayPorts can be
143 used to specify that sshd should allow remote port forwardings to
144 bind to non-loopback addresses, thus allowing other hosts to con-
145 nect. The argument may be ``no'' to force remote port forward-
146 ings to be available to the local host only, ``yes'' to force re-
147 mote port forwardings to bind to the wildcard address, or
148 ``clientspecified'' to allow the client to select the address to
149 which the forwarding is bound. The default is ``no''.
150
151 GSSAPIAuthentication
152 Specifies whether user authentication based on GSSAPI is allowed.
153 The default is ``no''. Note that this option applies to protocol
154 version 2 only.
155
156 GSSAPICleanupCredentials
157 Specifies whether to automatically destroy the user's credentials
158 cache on logout. The default is ``yes''. Note that this option
159 applies to protocol version 2 only.
160
161 HostbasedAuthentication
162 Specifies whether rhosts or /etc/hosts.equiv authentication to-
163 gether with successful public key client host authentication is
164 allowed (hostbased authentication). This option is similar to
165 RhostsRSAAuthentication and applies to protocol version 2 only.
166 The default is ``no''.
167
168 HostKey
169 Specifies a file containing a private host key used by SSH. The
170 default is /etc/ssh/ssh_host_key for protocol version 1, and
171 /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro-
172 tocol version 2. Note that sshd will refuse to use a file if it
173 is group/world-accessible. It is possible to have multiple host
174 key files. ``rsa1'' keys are used for version 1 and ``dsa'' or
175 ``rsa'' are used for version 2 of the SSH protocol.
176
177 IgnoreRhosts
178 Specifies that .rhosts and .shosts files will not be used in
179 RhostsRSAAuthentication or HostbasedAuthentication.
180
181 /etc/hosts.equiv and /etc/shosts.equiv are still used. The de-
182 fault is ``yes''.
183
184 IgnoreUserKnownHosts
185 Specifies whether sshd should ignore the user's
186 $HOME/.ssh/known_hosts during RhostsRSAAuthentication or
187 HostbasedAuthentication. The default is ``no''.
188
189 KerberosAuthentication
190 Specifies whether the password provided by the user for
191 PasswordAuthentication will be validated through the Kerberos
192 KDC. To use this option, the server needs a Kerberos servtab
193 which allows the verification of the KDC's identity. Default is
194 ``no''.
195
196 KerberosGetAFSToken
197 If AFS is active and the user has a Kerberos 5 TGT, attempt to
198 aquire an AFS token before accessing the user's home directory.
199 Default is ``no''.
200
201 KerberosOrLocalPasswd
202 If set then if password authentication through Kerberos fails
203 then the password will be validated via any additional local
204 mechanism such as /etc/passwd. Default is ``yes''.
205
206 KerberosTicketCleanup
207 Specifies whether to automatically destroy the user's ticket
208 cache file on logout. Default is ``yes''.
209
210 KeyRegenerationInterval
211 In protocol version 1, the ephemeral server key is automatically
212 regenerated after this many seconds (if it has been used). The
213 purpose of regeneration is to prevent decrypting captured ses-
214 sions by later breaking into the machine and stealing the keys.
215 The key is never stored anywhere. If the value is 0, the key is
216 never regenerated. The default is 3600 (seconds).
217
218 ListenAddress
219 Specifies the local addresses sshd should listen on. The follow-
220 ing forms may be used:
221
222 ListenAddress host|IPv4_addr|IPv6_addr
223 ListenAddress host|IPv4_addr:port
224 ListenAddress [host|IPv6_addr]:port
225
226 If port is not specified, sshd will listen on the address and all
227 prior Port options specified. The default is to listen on all
228 local addresses. Multiple ListenAddress options are permitted.
229 Additionally, any Port options must precede this option for non
230 port qualified addresses.
231
232 LoginGraceTime
233 The server disconnects after this time if the user has not suc-
234 cessfully logged in. If the value is 0, there is no time limit.
235 The default is 120 seconds.
236
237 LogLevel
238 Gives the verbosity level that is used when logging messages from
239 sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VER-
240 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
241 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
242 higher levels of debugging output. Logging with a DEBUG level
243 violates the privacy of users and is not recommended.
244
245 MACs Specifies the available MAC (message authentication code) algo-
246 rithms. The MAC algorithm is used in protocol version 2 for data
247 integrity protection. Multiple algorithms must be comma-separat-
248 ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
249 sha1-96,hmac-md5-96''.
250
251 MaxAuthTries
252 Specifies the maximum number of authentication attempts permitted
253 per connection. Once the number of failures reaches half this
254 value, additional failures are logged. The default is 6.
255
256 MaxStartups
257 Specifies the maximum number of concurrent unauthenticated con-
258 nections to the sshd daemon. Additional connections will be
259 dropped until authentication succeeds or the LoginGraceTime ex-
260 pires for a connection. The default is 10.
261
262 Alternatively, random early drop can be enabled by specifying the
263 three colon separated values ``start:rate:full'' (e.g.,
264 "10:30:60"). sshd will refuse connection attempts with a proba-
265 bility of ``rate/100'' (30%) if there are currently ``start''
266 (10) unauthenticated connections. The probability increases lin-
267 early and all connection attempts are refused if the number of
268 unauthenticated connections reaches ``full'' (60).
269
270 PasswordAuthentication
271 Specifies whether password authentication is allowed. The de-
272 fault is ``yes''.
273
274 PermitEmptyPasswords
275 When password authentication is allowed, it specifies whether the
276 server allows login to accounts with empty password strings. The
277 default is ``no''.
278
279 PermitRootLogin
280 Specifies whether root can log in using ssh(1). The argument
281 must be ``yes'', ``without-password'', ``forced-commands-only''
282 or ``no''. The default is ``yes''.
283
284 If this option is set to ``without-password'' password authenti-
285 cation is disabled for root.
286
287 If this option is set to ``forced-commands-only'' root login with
288 public key authentication will be allowed, but only if the
289 command option has been specified (which may be useful for taking
290 remote backups even if root login is normally not allowed). All
291 other authentication methods are disabled for root.
292
293 If this option is set to ``no'' root is not allowed to log in.
294
295 PermitUserEnvironment
296 Specifies whether ~/.ssh/environment and environment= options in
297 ~/.ssh/authorized_keys are processed by sshd. The default is
298 ``no''. Enabling environment processing may enable users to by-
299 pass access restrictions in some configurations using mechanisms
300 such as LD_PRELOAD.
301
302 PidFile
303 Specifies the file that contains the process ID of the sshd dae-
304 mon. The default is /var/run/sshd.pid.
305
306 Port Specifies the port number that sshd listens on. The default is
307 22. Multiple options of this type are permitted. See also
308 ListenAddress.
309
310 PrintLastLog
311 Specifies whether sshd should print the date and time of the last
312 user login when a user logs in interactively. The default is
313 ``yes''.
314
315 PrintMotd
316 Specifies whether sshd should print /etc/motd when a user logs in
317 interactively. (On some systems it is also printed by the shell,
318 /etc/profile, or equivalent.) The default is ``yes''.
319
320 Protocol
321 Specifies the protocol versions sshd supports. The possible val-
322 ues are ``1'' and ``2''. Multiple versions must be comma-sepa-
323 rated. The default is ``2,1''. Note that the order of the pro-
324 tocol list does not indicate preference, because the client se-
325 lects among multiple protocol versions offered by the server.
326 Specifying ``2,1'' is identical to ``1,2''.
327
328 PubkeyAuthentication
329 Specifies whether public key authentication is allowed. The de-
330 fault is ``yes''. Note that this option applies to protocol ver-
331 sion 2 only.
332
333 RhostsRSAAuthentication
334 Specifies whether rhosts or /etc/hosts.equiv authentication to-
335 gether with successful RSA host authentication is allowed. The
336 default is ``no''. This option applies to protocol version 1 on-
337 ly.
338
339 RSAAuthentication
340 Specifies whether pure RSA authentication is allowed. The de-
341 fault is ``yes''. This option applies to protocol version 1 on-
342 ly.
343
344 ServerKeyBits
345 Defines the number of bits in the ephemeral protocol version 1
346 server key. The minimum value is 512, and the default is 768.
347
348 StrictModes
349 Specifies whether sshd should check file modes and ownership of
350 the user's files and home directory before accepting login. This
351 is normally desirable because novices sometimes accidentally
352 leave their directory or files world-writable. The default is
353 ``yes''.
354
355 Subsystem
356 Configures an external subsystem (e.g., file transfer daemon).
357 Arguments should be a subsystem name and a command to execute up-
358 on subsystem request. The command sftp-server(8) implements the
359 ``sftp'' file transfer subsystem. By default no subsystems are
360 defined. Note that this option applies to protocol version 2 on-
361 ly.
362
363 SyslogFacility
364 Gives the facility code that is used when logging messages from
365 sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO-
366 CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
367 fault is AUTH.
368
369 TCPKeepAlive
370 Specifies whether the system should send TCP keepalive messages
371 to the other side. If they are sent, death of the connection or
372 crash of one of the machines will be properly noticed. However,
373 this means that connections will die if the route is down tem-
374 porarily, and some people find it annoying. On the other hand,
375 if TCP keepalives are not sent, sessions may hang indefinitely on
376 the server, leaving ``ghost'' users and consuming server re-
377 sources.
378
379 The default is ``yes'' (to send TCP keepalive messages), and the
380 server will notice if the network goes down or the client host
381 crashes. This avoids infinitely hanging sessions.
382
383 To disable TCP keepalive messages, the value should be set to
384 ``no''.
385
386 UseDNS Specifies whether sshd should look up the remote host name and
387 check that the resolved host name for the remote IP address maps
388 back to the very same IP address. The default is ``yes''.
389
390 UseLogin
391 Specifies whether login(1) is used for interactive login ses-
392 sions. The default is ``no''. Note that login(1) is never used
393 for remote command execution. Note also, that if this is en-
394 abled, X11Forwarding will be disabled because login(1) does not
395 know how to handle xauth(1) cookies. If UsePrivilegeSeparation
396 is specified, it will be disabled after authentication.
397
398 UsePAM Enables the Pluggable Authentication Module interface. If set to
399 ``yes'' this will enable PAM authentication using
400 ChallengeResponseAuthentication and PAM account and session mod-
401 ule processing for all authentication types.
402
403 Because PAM challenge-response authentication usually serves an
404 equivalent role to password authentication, you should disable
405 either PasswordAuthentication or ChallengeResponseAuthentication.
406
407 If UsePAM is enabled, you will not be able to run sshd(8) as a
408 non-root user. The default is ``no''.
409
410 UsePrivilegeSeparation
411 Specifies whether sshd separates privileges by creating an un-
412 privileged child process to deal with incoming network traffic.
413 After successful authentication, another process will be created
414 that has the privilege of the authenticated user. The goal of
415 privilege separation is to prevent privilege escalation by con-
416 taining any corruption within the unprivileged processes. The
417 default is ``yes''.
418
419 X11DisplayOffset
420 Specifies the first display number available for sshd's X11 for-
421 warding. This prevents sshd from interfering with real X11
422 servers. The default is 10.
423
424 X11Forwarding
425 Specifies whether X11 forwarding is permitted. The argument must
426 be ``yes'' or ``no''. The default is ``no''.
427
428 When X11 forwarding is enabled, there may be additional exposure
429 to the server and to client displays if the sshd proxy display is
430 configured to listen on the wildcard address (see X11UseLocalhost
431 below), however this is not the default. Additionally, the au-
432 thentication spoofing and authentication data verification and
433 substitution occur on the client side. The security risk of us-
434 ing X11 forwarding is that the client's X11 display server may be
435 exposed to attack when the ssh client requests forwarding (see
436 the warnings for ForwardX11 in ssh_config(5)). A system adminis-
437 trator may have a stance in which they want to protect clients
438 that may expose themselves to attack by unwittingly requesting
439 X11 forwarding, which can warrant a ``no'' setting.
440
441 Note that disabling X11 forwarding does not prevent users from
442 forwarding X11 traffic, as users can always install their own
443 forwarders. X11 forwarding is automatically disabled if UseLogin
444 is enabled.
445
446 X11UseLocalhost
447 Specifies whether sshd should bind the X11 forwarding server to
448 the loopback address or to the wildcard address. By default,
449 sshd binds the forwarding server to the loopback address and sets
450 the hostname part of the DISPLAY environment variable to
451 ``localhost''. This prevents remote hosts from connecting to the
452 proxy display. However, some older X11 clients may not function
453 with this configuration. X11UseLocalhost may be set to ``no'' to
454 specify that the forwarding server should be bound to the wild-
455 card address. The argument must be ``yes'' or ``no''. The de-
456 fault is ``yes''.
457
458 XAuthLocation
459 Specifies the full pathname of the xauth(1) program. The default
460 is /usr/X11R6/bin/xauth.
461
462 Time Formats
463 sshd command-line arguments and configuration file options that specify
464 time may be expressed using a sequence of the form: time[qualifier],
465 where time is a positive integer value and qualifier is one of the fol-
466 lowing:
467
468 <none> seconds
469 s | S seconds
470 m | M minutes
471 h | H hours
472 d | D days
473 w | W weeks
474
475 Each member of the sequence is added together to calculate the total time
476 value.
477
478 Time format examples:
479
480 600 600 seconds (10 minutes)
481 10m 10 minutes
482 1h30m 1 hour 30 minutes (90 minutes)
483
484FILES
485 /etc/ssh/sshd_config
486 Contains configuration data for sshd. This file should be
487 writable by root only, but it is recommended (though not neces-
488 sary) that it be world-readable.
489
490SEE ALSO
491 sshd(8)
492
493AUTHORS
494 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
495 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
496 de Raadt and Dug Song removed many bugs, re-added newer features and cre-
497 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
498 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
499 for privilege separation.
500
501OpenBSD 3.7 September 25, 1999 8
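Review bot: the defaults this manual page documents lean toward compatibility rather than hardening, and since a freshly imported sshd_config(5) is the reference operators read when locking down a server, the entries worth a cross-reference to the stricter value the page itself defines are PermitRootLogin (default ``yes'', while the same entry describes ``without-password'', ``forced-commands-only'' and ``no''), Protocol (default ``2,1'', keeping SSH-1 enabled even though the page notes that many options, including PubkeyAuthentication, AcceptEnv and Banner, apply to protocol 2 only), the Ciphers default (CBC modes and ``arcfour'' listed ahead of the CTR modes) and the MACs default (``hmac-md5'' first, followed by the truncated -96 variants); one sentence in each of those entries pointing at the stricter setting would make the hardening path visible without changing any default. Two documentation nits in the same hunk: ``aquire'' under KerberosGetAFSToken should read ``acquire'', and the footer still carries ``September 25, 1999'' on a page describing 4.1p1 options such as MaxAuthTries and KerberosGetAFSToken, which is worth checking against the date in the .5 source.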