diff options
| author | Colin Watson <cjwatson@debian.org> | 2004-03-01 02:25:32 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2004-03-01 02:25:32 +0000 |
| commit | ea8116a11e3de70036dbc665ccb0d486cf89cac9 (patch) | |
| tree | d73ccdff78d8608e156465af42e6a1b3527fb2d6 /sshd_config.0 | |
| parent | e39b311381a5609cc05acf298c42fba196dc524b (diff) | |
| parent | f5bda272678ec6dccaa5f29379cf60cb855018e8 (diff) | |
Merge 3.8p1 to the trunk. This builds and runs, but I haven't tested it
extensively yet.
ProtocolKeepAlives is now just a compatibility alias for
ServerAliveInterval.
Diffstat (limited to 'sshd_config.0')
| -rw-r--r-- | sshd_config.0 | 280 |
1 files changed, 140 insertions, 140 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index bc266317f..981e91042 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) | 1 | SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) |
| 2 | 2 | ||
| 3 | NAME | 3 | NAME |
| 4 | sshd_config - OpenSSH SSH daemon configuration file | 4 | sshd_config - OpenSSH SSH daemon configuration file |
| @@ -9,7 +9,7 @@ SYNOPSIS | |||
| 9 | DESCRIPTION | 9 | DESCRIPTION |
| 10 | sshd reads configuration data from /etc/ssh/sshd_config (or the file | 10 | sshd reads configuration data from /etc/ssh/sshd_config (or the file |
| 11 | specified with -f on the command line). The file contains keyword-argu- | 11 | specified with -f on the command line). The file contains keyword-argu- |
| 12 | ment pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are | 12 | ment pairs, one per line. Lines starting with `#' and empty lines are |
| 13 | interpreted as comments. | 13 | interpreted as comments. |
| 14 | 14 | ||
| 15 | The possible keywords and their meanings are as follows (note that key- | 15 | The possible keywords and their meanings are as follows (note that key- |
| @@ -19,36 +19,36 @@ DESCRIPTION | |||
| 19 | This keyword can be followed by a list of group name patterns, | 19 | This keyword can be followed by a list of group name patterns, |
| 20 | separated by spaces. If specified, login is allowed only for | 20 | separated by spaces. If specified, login is allowed only for |
| 21 | users whose primary group or supplementary group list matches one | 21 | users whose primary group or supplementary group list matches one |
| 22 | of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the | 22 | of the patterns. `*' and `?' can be used as wildcards in the |
| 23 | patterns. Only group names are valid; a numerical group ID is | 23 | patterns. Only group names are valid; a numerical group ID is |
| 24 | not recognized. By default, login is allowed for all groups. | 24 | not recognized. By default, login is allowed for all groups. |
| 25 | 25 | ||
| 26 | AllowTcpForwarding | 26 | AllowTcpForwarding |
| 27 | Specifies whether TCP forwarding is permitted. The default is | 27 | Specifies whether TCP forwarding is permitted. The default is |
| 28 | M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling TCP forwarding does not improve secu- | 28 | ``yes''. Note that disabling TCP forwarding does not improve se- |
| 29 | rity unless users are also denied shell access, as they can | 29 | curity unless users are also denied shell access, as they can al- |
| 30 | always install their own forwarders. | 30 | ways install their own forwarders. |
| 31 | 31 | ||
| 32 | AllowUsers | 32 | AllowUsers |
| 33 | This keyword can be followed by a list of user name patterns, | 33 | This keyword can be followed by a list of user name patterns, |
| 34 | separated by spaces. If specified, login is allowed only for | 34 | separated by spaces. If specified, login is allowed only for us- |
| 35 | user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be | 35 | er names that match one of the patterns. `*' and `?' can be used |
| 36 | used as wildcards in the patterns. Only user names are valid; a | 36 | as wildcards in the patterns. Only user names are valid; a nu- |
| 37 | numerical user ID is not recognized. By default, login is | 37 | merical user ID is not recognized. By default, login is allowed |
| 38 | allowed for all users. If the pattern takes the form USER@HOST | 38 | for all users. If the pattern takes the form USER@HOST then USER |
| 39 | then USER and HOST are separately checked, restricting logins to | 39 | and HOST are separately checked, restricting logins to particular |
| 40 | particular users from particular hosts. | 40 | users from particular hosts. |
| 41 | 41 | ||
| 42 | AuthorizedKeysFile | 42 | AuthorizedKeysFile |
| 43 | Specifies the file that contains the public keys that can be used | 43 | Specifies the file that contains the public keys that can be used |
| 44 | for user authentication. AuthorizedKeysFile may contain tokens | 44 | for user authentication. AuthorizedKeysFile may contain tokens |
| 45 | of the form %T which are substituted during connection set-up. | 45 | of the form %T which are substituted during connection set-up. |
| 46 | The following tokens are defined: %% is replaced by a literal | 46 | The following tokens are defined: %% is replaced by a literal |
| 47 | M-bM-^@M-^Y%M-bM-^@M-^Y, %h is replaced by the home directory of the user being | 47 | '%', %h is replaced by the home directory of the user being au- |
| 48 | authenticated and %u is replaced by the username of that user. | 48 | thenticated and %u is replaced by the username of that user. Af- |
| 49 | After expansion, AuthorizedKeysFile is taken to be an absolute | 49 | ter expansion, AuthorizedKeysFile is taken to be an absolute path |
| 50 | path or one relative to the userM-bM-^@M-^Ys home directory. The default | 50 | or one relative to the user's home directory. The default is |
| 51 | is M-bM-^@M-^\.ssh/authorized_keysM-bM-^@M-^]. | 51 | ``.ssh/authorized_keys''. |
| 52 | 52 | ||
| 53 | Banner In some jurisdictions, sending a warning message before authenti- | 53 | Banner In some jurisdictions, sending a warning message before authenti- |
| 54 | cation may be relevant for getting legal protection. The con- | 54 | cation may be relevant for getting legal protection. The con- |
| @@ -59,14 +59,14 @@ DESCRIPTION | |||
| 59 | ChallengeResponseAuthentication | 59 | ChallengeResponseAuthentication |
| 60 | Specifies whether challenge response authentication is allowed. | 60 | Specifies whether challenge response authentication is allowed. |
| 61 | All authentication styles from login.conf(5) are supported. The | 61 | All authentication styles from login.conf(5) are supported. The |
| 62 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 62 | default is ``yes''. |
| 63 | 63 | ||
| 64 | Ciphers | 64 | Ciphers |
| 65 | Specifies the ciphers allowed for protocol version 2. Multiple | 65 | Specifies the ciphers allowed for protocol version 2. Multiple |
| 66 | ciphers must be comma-separated. The default is | 66 | ciphers must be comma-separated. The default is |
| 67 | 67 | ||
| 68 | M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 68 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
| 69 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctrM-bM-^@M-^YM-bM-^@M-^Y | 69 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' |
| 70 | 70 | ||
| 71 | ClientAliveInterval | 71 | ClientAliveInterval |
| 72 | Sets a timeout interval in seconds after which if no data has | 72 | Sets a timeout interval in seconds after which if no data has |
| @@ -78,15 +78,15 @@ DESCRIPTION | |||
| 78 | ClientAliveCountMax | 78 | ClientAliveCountMax |
| 79 | Sets the number of client alive messages (see above) which may be | 79 | Sets the number of client alive messages (see above) which may be |
| 80 | sent without sshd receiving any messages back from the client. | 80 | sent without sshd receiving any messages back from the client. |
| 81 | If this threshold is reached while client alive messages are | 81 | If this threshold is reached while client alive messages are be- |
| 82 | being sent, sshd will disconnect the client, terminating the ses- | 82 | ing sent, sshd will disconnect the client, terminating the ses- |
| 83 | sion. It is important to note that the use of client alive mes- | 83 | sion. It is important to note that the use of client alive mes- |
| 84 | sages is very different from KeepAlive (below). The client alive | 84 | sages is very different from TCPKeepAlive (below). The client |
| 85 | messages are sent through the encrypted channel and therefore | 85 | alive messages are sent through the encrypted channel and there- |
| 86 | will not be spoofable. The TCP keepalive option enabled by | 86 | fore will not be spoofable. The TCP keepalive option enabled by |
| 87 | KeepAlive is spoofable. The client alive mechanism is valuable | 87 | TCPKeepAlive is spoofable. The client alive mechanism is valu- |
| 88 | when the client or server depend on knowing when a connection has | 88 | able when the client or server depend on knowing when a connec- |
| 89 | become inactive. | 89 | tion has become inactive. |
| 90 | 90 | ||
| 91 | The default value is 3. If ClientAliveInterval (above) is set to | 91 | The default value is 3. If ClientAliveInterval (above) is set to |
| 92 | 15, and ClientAliveCountMax is left at the default, unresponsive | 92 | 15, and ClientAliveCountMax is left at the default, unresponsive |
| @@ -94,20 +94,20 @@ DESCRIPTION | |||
| 94 | 94 | ||
| 95 | Compression | 95 | Compression |
| 96 | Specifies whether compression is allowed. The argument must be | 96 | Specifies whether compression is allowed. The argument must be |
| 97 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 97 | ``yes'' or ``no''. The default is ``yes''. |
| 98 | 98 | ||
| 99 | DenyGroups | 99 | DenyGroups |
| 100 | This keyword can be followed by a list of group name patterns, | 100 | This keyword can be followed by a list of group name patterns, |
| 101 | separated by spaces. Login is disallowed for users whose primary | 101 | separated by spaces. Login is disallowed for users whose primary |
| 102 | group or supplementary group list matches one of the patterns. | 102 | group or supplementary group list matches one of the patterns. |
| 103 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the patterns. Only group | 103 | `*' and `?' can be used as wildcards in the patterns. Only group |
| 104 | names are valid; a numerical group ID is not recognized. By | 104 | names are valid; a numerical group ID is not recognized. By de- |
| 105 | default, login is allowed for all groups. | 105 | fault, login is allowed for all groups. |
| 106 | 106 | ||
| 107 | DenyUsers | 107 | DenyUsers |
| 108 | This keyword can be followed by a list of user name patterns, | 108 | This keyword can be followed by a list of user name patterns, |
| 109 | separated by spaces. Login is disallowed for user names that | 109 | separated by spaces. Login is disallowed for user names that |
| 110 | match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards | 110 | match one of the patterns. `*' and `?' can be used as wildcards |
| 111 | in the patterns. Only user names are valid; a numerical user ID | 111 | in the patterns. Only user names are valid; a numerical user ID |
| 112 | is not recognized. By default, login is allowed for all users. | 112 | is not recognized. By default, login is allowed for all users. |
| 113 | If the pattern takes the form USER@HOST then USER and HOST are | 113 | If the pattern takes the form USER@HOST then USER and HOST are |
| @@ -121,25 +121,25 @@ DESCRIPTION | |||
| 121 | hosts from connecting to forwarded ports. GatewayPorts can be | 121 | hosts from connecting to forwarded ports. GatewayPorts can be |
| 122 | used to specify that sshd should bind remote port forwardings to | 122 | used to specify that sshd should bind remote port forwardings to |
| 123 | the wildcard address, thus allowing remote hosts to connect to | 123 | the wildcard address, thus allowing remote hosts to connect to |
| 124 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The | 124 | forwarded ports. The argument must be ``yes'' or ``no''. The |
| 125 | default is M-bM-^@M-^\noM-bM-^@M-^]. | 125 | default is ``no''. |
| 126 | 126 | ||
| 127 | GSSAPIAuthentication | 127 | GSSAPIAuthentication |
| 128 | Specifies whether user authentication based on GSSAPI is allowed. | 128 | Specifies whether user authentication based on GSSAPI is allowed. |
| 129 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol | 129 | The default is ``no''. Note that this option applies to protocol |
| 130 | version 2 only. | 130 | version 2 only. |
| 131 | 131 | ||
| 132 | GSSAPICleanupCredentials | 132 | GSSAPICleanupCredentials |
| 133 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys credentials | 133 | Specifies whether to automatically destroy the user's credentials |
| 134 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option | 134 | cache on logout. The default is ``yes''. Note that this option |
| 135 | applies to protocol version 2 only. | 135 | applies to protocol version 2 only. |
| 136 | 136 | ||
| 137 | HostbasedAuthentication | 137 | HostbasedAuthentication |
| 138 | Specifies whether rhosts or /etc/hosts.equiv authentication | 138 | Specifies whether rhosts or /etc/hosts.equiv authentication to- |
| 139 | together with successful public key client host authentication is | 139 | gether with successful public key client host authentication is |
| 140 | allowed (hostbased authentication). This option is similar to | 140 | allowed (hostbased authentication). This option is similar to |
| 141 | RhostsRSAAuthentication and applies to protocol version 2 only. | 141 | RhostsRSAAuthentication and applies to protocol version 2 only. |
| 142 | The default is M-bM-^@M-^\noM-bM-^@M-^]. | 142 | The default is ``no''. |
| 143 | 143 | ||
| 144 | HostKey | 144 | HostKey |
| 145 | Specifies a file containing a private host key used by SSH. The | 145 | Specifies a file containing a private host key used by SSH. The |
| @@ -147,51 +147,36 @@ DESCRIPTION | |||
| 147 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | 147 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- |
| 148 | tocol version 2. Note that sshd will refuse to use a file if it | 148 | tocol version 2. Note that sshd will refuse to use a file if it |
| 149 | is group/world-accessible. It is possible to have multiple host | 149 | is group/world-accessible. It is possible to have multiple host |
| 150 | key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] | 150 | key files. ``rsa1'' keys are used for version 1 and ``dsa'' or |
| 151 | are used for version 2 of the SSH protocol. | 151 | ``rsa'' are used for version 2 of the SSH protocol. |
| 152 | 152 | ||
| 153 | IgnoreRhosts | 153 | IgnoreRhosts |
| 154 | Specifies that .rhosts and .shosts files will not be used in | 154 | Specifies that .rhosts and .shosts files will not be used in |
| 155 | RhostsRSAAuthentication or HostbasedAuthentication. | 155 | RhostsRSAAuthentication or HostbasedAuthentication. |
| 156 | 156 | ||
| 157 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The | 157 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The de- |
| 158 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 158 | fault is ``yes''. |
| 159 | 159 | ||
| 160 | IgnoreUserKnownHosts | 160 | IgnoreUserKnownHosts |
| 161 | Specifies whether sshd should ignore the userM-bM-^@M-^Ys | 161 | Specifies whether sshd should ignore the user's |
| 162 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or | 162 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or |
| 163 | HostbasedAuthentication. The default is M-bM-^@M-^\noM-bM-^@M-^]. | 163 | HostbasedAuthentication. The default is ``no''. |
| 164 | |||
| 165 | KeepAlive | ||
| 166 | Specifies whether the system should send TCP keepalive messages | ||
| 167 | to the other side. If they are sent, death of the connection or | ||
| 168 | crash of one of the machines will be properly noticed. However, | ||
| 169 | this means that connections will die if the route is down tem- | ||
| 170 | porarily, and some people find it annoying. On the other hand, | ||
| 171 | if keepalives are not sent, sessions may hang indefinitely on the | ||
| 172 | server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming server resources. | ||
| 173 | |||
| 174 | The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the server will | ||
| 175 | notice if the network goes down or the client host crashes. This | ||
| 176 | avoids infinitely hanging sessions. | ||
| 177 | |||
| 178 | To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. | ||
| 179 | 164 | ||
| 180 | KerberosAuthentication | 165 | KerberosAuthentication |
| 181 | Specifies whether the password provided by the user for | 166 | Specifies whether the password provided by the user for |
| 182 | PasswordAuthentication will be validated through the Kerberos | 167 | PasswordAuthentication will be validated through the Kerberos |
| 183 | KDC. To use this option, the server needs a Kerberos servtab | 168 | KDC. To use this option, the server needs a Kerberos servtab |
| 184 | which allows the verification of the KDCM-bM-^@M-^Ys identity. Default is | 169 | which allows the verification of the KDC's identity. Default is |
| 185 | M-bM-^@M-^\noM-bM-^@M-^]. | 170 | ``no''. |
| 186 | 171 | ||
| 187 | KerberosOrLocalPasswd | 172 | KerberosOrLocalPasswd |
| 188 | If set then if password authentication through Kerberos fails | 173 | If set then if password authentication through Kerberos fails |
| 189 | then the password will be validated via any additional local | 174 | then the password will be validated via any additional local |
| 190 | mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^]. | 175 | mechanism such as /etc/passwd. Default is ``yes''. |
| 191 | 176 | ||
| 192 | KerberosTicketCleanup | 177 | KerberosTicketCleanup |
| 193 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket | 178 | Specifies whether to automatically destroy the user's ticket |
| 194 | cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. | 179 | cache file on logout. Default is ``yes''. |
| 195 | 180 | ||
| 196 | KeyRegenerationInterval | 181 | KeyRegenerationInterval |
| 197 | In protocol version 1, the ephemeral server key is automatically | 182 | In protocol version 1, the ephemeral server key is automatically |
| @@ -230,55 +215,55 @@ DESCRIPTION | |||
| 230 | 215 | ||
| 231 | MACs Specifies the available MAC (message authentication code) algo- | 216 | MACs Specifies the available MAC (message authentication code) algo- |
| 232 | rithms. The MAC algorithm is used in protocol version 2 for data | 217 | rithms. The MAC algorithm is used in protocol version 2 for data |
| 233 | integrity protection. Multiple algorithms must be comma-sepa- | 218 | integrity protection. Multiple algorithms must be comma-separat- |
| 234 | rated. The default is | 219 | ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac- |
| 235 | M-bM-^@M-^\hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96M-bM-^@M-^]. | 220 | sha1-96,hmac-md5-96''. |
| 236 | 221 | ||
| 237 | MaxStartups | 222 | MaxStartups |
| 238 | Specifies the maximum number of concurrent unauthenticated con- | 223 | Specifies the maximum number of concurrent unauthenticated con- |
| 239 | nections to the sshd daemon. Additional connections will be | 224 | nections to the sshd daemon. Additional connections will be |
| 240 | dropped until authentication succeeds or the LoginGraceTime | 225 | dropped until authentication succeeds or the LoginGraceTime ex- |
| 241 | expires for a connection. The default is 10. | 226 | pires for a connection. The default is 10. |
| 242 | 227 | ||
| 243 | Alternatively, random early drop can be enabled by specifying the | 228 | Alternatively, random early drop can be enabled by specifying the |
| 244 | three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g., | 229 | three colon separated values ``start:rate:full'' (e.g., |
| 245 | "10:30:60"). sshd will refuse connection attempts with a proba- | 230 | "10:30:60"). sshd will refuse connection attempts with a proba- |
| 246 | bility of M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10) | 231 | bility of ``rate/100'' (30%) if there are currently ``start'' |
| 247 | unauthenticated connections. The probability increases linearly | 232 | (10) unauthenticated connections. The probability increases lin- |
| 248 | and all connection attempts are refused if the number of unau- | 233 | early and all connection attempts are refused if the number of |
| 249 | thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). | 234 | unauthenticated connections reaches ``full'' (60). |
| 250 | 235 | ||
| 251 | PasswordAuthentication | 236 | PasswordAuthentication |
| 252 | Specifies whether password authentication is allowed. The | 237 | Specifies whether password authentication is allowed. The de- |
| 253 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 238 | fault is ``yes''. |
| 254 | 239 | ||
| 255 | PermitEmptyPasswords | 240 | PermitEmptyPasswords |
| 256 | When password authentication is allowed, it specifies whether the | 241 | When password authentication is allowed, it specifies whether the |
| 257 | server allows login to accounts with empty password strings. The | 242 | server allows login to accounts with empty password strings. The |
| 258 | default is M-bM-^@M-^\noM-bM-^@M-^]. | 243 | default is ``no''. |
| 259 | 244 | ||
| 260 | PermitRootLogin | 245 | PermitRootLogin |
| 261 | Specifies whether root can login using ssh(1). The argument must | 246 | Specifies whether root can login using ssh(1). The argument must |
| 262 | be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. | 247 | be ``yes'', ``without-password'', ``forced-commands-only'' or |
| 263 | The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 248 | ``no''. The default is ``yes''. |
| 264 | 249 | ||
| 265 | If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^] password authentica- | 250 | If this option is set to ``without-password'' password authenti- |
| 266 | tion is disabled for root. | 251 | cation is disabled for root. |
| 267 | 252 | ||
| 268 | If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with | 253 | If this option is set to ``forced-commands-only'' root login with |
| 269 | public key authentication will be allowed, but only if the | 254 | public key authentication will be allowed, but only if the |
| 270 | command option has been specified (which may be useful for taking | 255 | command option has been specified (which may be useful for taking |
| 271 | remote backups even if root login is normally not allowed). All | 256 | remote backups even if root login is normally not allowed). All |
| 272 | other authentication methods are disabled for root. | 257 | other authentication methods are disabled for root. |
| 273 | 258 | ||
| 274 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. | 259 | If this option is set to ``no'' root is not allowed to login. |
| 275 | 260 | ||
| 276 | PermitUserEnvironment | 261 | PermitUserEnvironment |
| 277 | Specifies whether ~/.ssh/environment and environment= options in | 262 | Specifies whether ~/.ssh/environment and environment= options in |
| 278 | ~/.ssh/authorized_keys are processed by sshd. The default is | 263 | ~/.ssh/authorized_keys are processed by sshd. The default is |
| 279 | M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass | 264 | ``no''. Enabling environment processing may enable users to by- |
| 280 | access restrictions in some configurations using mechanisms such | 265 | pass access restrictions in some configurations using mechanisms |
| 281 | as LD_PRELOAD. | 266 | such as LD_PRELOAD. |
| 282 | 267 | ||
| 283 | PidFile | 268 | PidFile |
| 284 | Specifies the file that contains the process ID of the sshd dae- | 269 | Specifies the file that contains the process ID of the sshd dae- |
| @@ -290,38 +275,36 @@ DESCRIPTION | |||
| 290 | 275 | ||
| 291 | PrintLastLog | 276 | PrintLastLog |
| 292 | Specifies whether sshd should print the date and time when the | 277 | Specifies whether sshd should print the date and time when the |
| 293 | user last logged in. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 278 | user last logged in. The default is ``yes''. |
| 294 | 279 | ||
| 295 | PrintMotd | 280 | PrintMotd |
| 296 | Specifies whether sshd should print /etc/motd when a user logs in | 281 | Specifies whether sshd should print /etc/motd when a user logs in |
| 297 | interactively. (On some systems it is also printed by the shell, | 282 | interactively. (On some systems it is also printed by the shell, |
| 298 | /etc/profile, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 283 | /etc/profile, or equivalent.) The default is ``yes''. |
| 299 | 284 | ||
| 300 | Protocol | 285 | Protocol |
| 301 | Specifies the protocol versions sshd supports. The possible val- | 286 | Specifies the protocol versions sshd supports. The possible val- |
| 302 | ues are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple versions must be comma-separated. | 287 | ues are ``1'' and ``2''. Multiple versions must be comma-sepa- |
| 303 | The default is M-bM-^@M-^\2,1M-bM-^@M-^]. Note that the order of the protocol list | 288 | rated. The default is ``2,1''. Note that the order of the pro- |
| 304 | does not indicate preference, because the client selects among | 289 | tocol list does not indicate preference, because the client se- |
| 305 | multiple protocol versions offered by the server. Specifying | 290 | lects among multiple protocol versions offered by the server. |
| 306 | M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. | 291 | Specifying ``2,1'' is identical to ``1,2''. |
| 307 | 292 | ||
| 308 | PubkeyAuthentication | 293 | PubkeyAuthentication |
| 309 | Specifies whether public key authentication is allowed. The | 294 | Specifies whether public key authentication is allowed. The de- |
| 310 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver- | 295 | fault is ``yes''. Note that this option applies to protocol ver- |
| 311 | sion 2 only. RhostsRSAAuthentication should be used instead, | 296 | sion 2 only. |
| 312 | because it performs RSA-based host authentication in addition to | ||
| 313 | normal rhosts or /etc/hosts.equiv authentication. The default is | ||
| 314 | M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. | ||
| 315 | 297 | ||
| 316 | RhostsRSAAuthentication | 298 | RhostsRSAAuthentication |
| 317 | Specifies whether rhosts or /etc/hosts.equiv authentication | 299 | Specifies whether rhosts or /etc/hosts.equiv authentication to- |
| 318 | together with successful RSA host authentication is allowed. The | 300 | gether with successful RSA host authentication is allowed. The |
| 319 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. | 301 | default is ``no''. This option applies to protocol version 1 on- |
| 302 | ly. | ||
| 320 | 303 | ||
| 321 | RSAAuthentication | 304 | RSAAuthentication |
| 322 | Specifies whether pure RSA authentication is allowed. The | 305 | Specifies whether pure RSA authentication is allowed. The de- |
| 323 | default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1 | 306 | fault is ``yes''. This option applies to protocol version 1 on- |
| 324 | only. | 307 | ly. |
| 325 | 308 | ||
| 326 | ServerKeyBits | 309 | ServerKeyBits |
| 327 | Defines the number of bits in the ephemeral protocol version 1 | 310 | Defines the number of bits in the ephemeral protocol version 1 |
| @@ -329,72 +312,89 @@ DESCRIPTION | |||
| 329 | 312 | ||
| 330 | StrictModes | 313 | StrictModes |
| 331 | Specifies whether sshd should check file modes and ownership of | 314 | Specifies whether sshd should check file modes and ownership of |
| 332 | the userM-bM-^@M-^Ys files and home directory before accepting login. This | 315 | the user's files and home directory before accepting login. This |
| 333 | is normally desirable because novices sometimes accidentally | 316 | is normally desirable because novices sometimes accidentally |
| 334 | leave their directory or files world-writable. The default is | 317 | leave their directory or files world-writable. The default is |
| 335 | M-bM-^@M-^\yesM-bM-^@M-^]. | 318 | ``yes''. |
| 336 | 319 | ||
| 337 | Subsystem | 320 | Subsystem |
| 338 | Configures an external subsystem (e.g., file transfer daemon). | 321 | Configures an external subsystem (e.g., file transfer daemon). |
| 339 | Arguments should be a subsystem name and a command to execute | 322 | Arguments should be a subsystem name and a command to execute up- |
| 340 | upon subsystem request. The command sftp-server(8) implements | 323 | on subsystem request. The command sftp-server(8) implements the |
| 341 | the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer subsystem. By default no subsystems are | 324 | ``sftp'' file transfer subsystem. By default no subsystems are |
| 342 | defined. Note that this option applies to protocol version 2 | 325 | defined. Note that this option applies to protocol version 2 on- |
| 343 | only. | 326 | ly. |
| 344 | 327 | ||
| 345 | SyslogFacility | 328 | SyslogFacility |
| 346 | Gives the facility code that is used when logging messages from | 329 | Gives the facility code that is used when logging messages from |
| 347 | sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, | 330 | sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO- |
| 348 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The | 331 | CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- |
| 349 | default is AUTH. | 332 | fault is AUTH. |
| 333 | |||
| 334 | TCPKeepAlive | ||
| 335 | Specifies whether the system should send TCP keepalive messages | ||
| 336 | to the other side. If they are sent, death of the connection or | ||
| 337 | crash of one of the machines will be properly noticed. However, | ||
| 338 | this means that connections will die if the route is down tem- | ||
| 339 | porarily, and some people find it annoying. On the other hand, | ||
| 340 | if TCP keepalives are not sent, sessions may hang indefinitely on | ||
| 341 | the server, leaving ``ghost'' users and consuming server re- | ||
| 342 | sources. | ||
| 343 | |||
| 344 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
| 345 | server will notice if the network goes down or the client host | ||
| 346 | crashes. This avoids infinitely hanging sessions. | ||
| 347 | |||
| 348 | To disable TCP keepalive messages, the value should be set to | ||
| 349 | ``no''. | ||
| 350 | 350 | ||
| 351 | UseDNS Specifies whether sshd should lookup the remote host name and | 351 | UseDNS Specifies whether sshd should lookup the remote host name and |
| 352 | check that the resolved host name for the remote IP address maps | 352 | check that the resolved host name for the remote IP address maps |
| 353 | back to the very same IP address. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 353 | back to the very same IP address. The default is ``yes''. |
| 354 | 354 | ||
| 355 | UseLogin | 355 | UseLogin |
| 356 | Specifies whether login(1) is used for interactive login ses- | 356 | Specifies whether login(1) is used for interactive login ses- |
| 357 | sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used | 357 | sions. The default is ``no''. Note that login(1) is never used |
| 358 | for remote command execution. Note also, that if this is | 358 | for remote command execution. Note also, that if this is en- |
| 359 | enabled, X11Forwarding will be disabled because login(1) does not | 359 | abled, X11Forwarding will be disabled because login(1) does not |
| 360 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | 360 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation |
| 361 | is specified, it will be disabled after authentication. | 361 | is specified, it will be disabled after authentication. |
| 362 | 362 | ||
| 363 | UsePAM Enables PAM authentication (via challenge-response) and session | 363 | UsePAM Enables PAM authentication (via challenge-response) and session |
| 364 | set up. If you enable this, you should probably disable | 364 | set up. If you enable this, you should probably disable |
| 365 | PasswordAuthentication. If you enable then you will not be able | 365 | PasswordAuthentication. If you enable then you will not be able |
| 366 | to run sshd as a non-root user. | 366 | to run sshd as a non-root user. The default is ``no''. |
| 367 | 367 | ||
| 368 | UsePrivilegeSeparation | 368 | UsePrivilegeSeparation |
| 369 | Specifies whether sshd separates privileges by creating an | 369 | Specifies whether sshd separates privileges by creating an un- |
| 370 | unprivileged child process to deal with incoming network traffic. | 370 | privileged child process to deal with incoming network traffic. |
| 371 | After successful authentication, another process will be created | 371 | After successful authentication, another process will be created |
| 372 | that has the privilege of the authenticated user. The goal of | 372 | that has the privilege of the authenticated user. The goal of |
| 373 | privilege separation is to prevent privilege escalation by con- | 373 | privilege separation is to prevent privilege escalation by con- |
| 374 | taining any corruption within the unprivileged processes. The | 374 | taining any corruption within the unprivileged processes. The |
| 375 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 375 | default is ``yes''. |
| 376 | 376 | ||
| 377 | X11DisplayOffset | 377 | X11DisplayOffset |
| 378 | Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for- | 378 | Specifies the first display number available for sshd's X11 for- |
| 379 | warding. This prevents sshd from interfering with real X11 | 379 | warding. This prevents sshd from interfering with real X11 |
| 380 | servers. The default is 10. | 380 | servers. The default is 10. |
| 381 | 381 | ||
| 382 | X11Forwarding | 382 | X11Forwarding |
| 383 | Specifies whether X11 forwarding is permitted. The argument must | 383 | Specifies whether X11 forwarding is permitted. The argument must |
| 384 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. | 384 | be ``yes'' or ``no''. The default is ``no''. |
| 385 | 385 | ||
| 386 | When X11 forwarding is enabled, there may be additional exposure | 386 | When X11 forwarding is enabled, there may be additional exposure |
| 387 | to the server and to client displays if the sshd proxy display is | 387 | to the server and to client displays if the sshd proxy display is |
| 388 | configured to listen on the wildcard address (see X11UseLocalhost | 388 | configured to listen on the wildcard address (see X11UseLocalhost |
| 389 | below), however this is not the default. Additionally, the | 389 | below), however this is not the default. Additionally, the au- |
| 390 | authentication spoofing and authentication data verification and | 390 | thentication spoofing and authentication data verification and |
| 391 | substitution occur on the client side. The security risk of | 391 | substitution occur on the client side. The security risk of us- |
| 392 | using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may | 392 | ing X11 forwarding is that the client's X11 display server may be |
| 393 | be exposed to attack when the ssh client requests forwarding (see | 393 | exposed to attack when the ssh client requests forwarding (see |
| 394 | the warnings for ForwardX11 in ssh_config(5)). A system adminis- | 394 | the warnings for ForwardX11 in ssh_config(5)). A system adminis- |
| 395 | trator may have a stance in which they want to protect clients | 395 | trator may have a stance in which they want to protect clients |
| 396 | that may expose themselves to attack by unwittingly requesting | 396 | that may expose themselves to attack by unwittingly requesting |
| 397 | X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. | 397 | X11 forwarding, which can warrant a ``no'' setting. |
| 398 | 398 | ||
| 399 | Note that disabling X11 forwarding does not prevent users from | 399 | Note that disabling X11 forwarding does not prevent users from |
| 400 | forwarding X11 traffic, as users can always install their own | 400 | forwarding X11 traffic, as users can always install their own |
| @@ -406,12 +406,12 @@ DESCRIPTION | |||
| 406 | the loopback address or to the wildcard address. By default, | 406 | the loopback address or to the wildcard address. By default, |
| 407 | sshd binds the forwarding server to the loopback address and sets | 407 | sshd binds the forwarding server to the loopback address and sets |
| 408 | the hostname part of the DISPLAY environment variable to | 408 | the hostname part of the DISPLAY environment variable to |
| 409 | M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the | 409 | ``localhost''. This prevents remote hosts from connecting to the |
| 410 | proxy display. However, some older X11 clients may not function | 410 | proxy display. However, some older X11 clients may not function |
| 411 | with this configuration. X11UseLocalhost may be set to M-bM-^@M-^\noM-bM-^@M-^] to | 411 | with this configuration. X11UseLocalhost may be set to ``no'' to |
| 412 | specify that the forwarding server should be bound to the wild- | 412 | specify that the forwarding server should be bound to the wild- |
| 413 | card address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default | 413 | card address. The argument must be ``yes'' or ``no''. The de- |
| 414 | is M-bM-^@M-^\yesM-bM-^@M-^]. | 414 | fault is ``yes''. |
| 415 | 415 | ||
| 416 | XAuthLocation | 416 | XAuthLocation |
| 417 | Specifies the full pathname of the xauth(1) program. The default | 417 | Specifies the full pathname of the xauth(1) program. The default |
| @@ -456,4 +456,4 @@ AUTHORS | |||
| 456 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 456 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
| 457 | for privilege separation. | 457 | for privilege separation. |
| 458 | 458 | ||
| 459 | BSD September 25, 1999 BSD | 459 | OpenBSD 3.4 September 25, 1999 7 |