author Colin Watson <cjwatson@debian.org> 2019-10-09 22:59:48 +0100
committer Colin Watson <cjwatson@debian.org> 2019-10-09 22:59:48 +0100
commit 4213eec74e74de6310c27a40c3e9759a08a73996 (patch)
tree e97a6dcafc6763aea7c804e4e113c2750cb1400d /sshd_config.5
parent 102062f825fb26a74295a1c089c00c4c4c76b68a (diff)
parent cdf1d0a9f5d18535e0a18ff34860e81a6d83aa5c (diff)
Import openssh_8.1p1.orig.tar.gz
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- sshd_config.5 54
1 files changed, 36 insertions, 18 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index b224f2929..9486f2a1c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.284 2019/03/22 20:58:34 jmc Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
37.Dd $Mdocdate: March 22 2019 $ 37.Dd $Mdocdate: September 6 2019 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -277,9 +277,7 @@ is not, then
277will refuse to start. 277will refuse to start.
278.It Cm AuthorizedKeysFile 278.It Cm AuthorizedKeysFile
279Specifies the file that contains the public keys used for user authentication. 279Specifies the file that contains the public keys used for user authentication.
280The format is described in the 280The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
281.Sx AUTHORIZED_KEYS FILE FORMAT
282section of
283.Xr sshd 8 . 281.Xr sshd 8 .
284Arguments to 282Arguments to
285.Cm AuthorizedKeysFile 283.Cm AuthorizedKeysFile
@@ -387,7 +385,7 @@ Specifies which algorithms are allowed for signing of certificates
387by certificate authorities (CAs). 385by certificate authorities (CAs).
388The default is: 386The default is:
389.Bd -literal -offset indent 387.Bd -literal -offset indent
390ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 388ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
391ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 389ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
392.Ed 390.Ed
393.Pp 391.Pp
@@ -456,14 +454,18 @@ indicating not to
456.It Cm Ciphers 454.It Cm Ciphers
457Specifies the ciphers allowed. 455Specifies the ciphers allowed.
458Multiple ciphers must be comma-separated. 456Multiple ciphers must be comma-separated.
459If the specified value begins with a 457If the specified list begins with a
460.Sq + 458.Sq +
461character, then the specified ciphers will be appended to the default set 459character, then the specified ciphers will be appended to the default set
462instead of replacing them. 460instead of replacing them.
463If the specified value begins with a 461If the specified list begins with a
464.Sq - 462.Sq -
465character, then the specified ciphers (including wildcards) will be removed 463character, then the specified ciphers (including wildcards) will be removed
466from the default set instead of replacing them. 464from the default set instead of replacing them.
465If the specified list begins with a
466.Sq ^
467character, then the specified ciphers will be placed at the head of the
468default set.
467.Pp 469.Pp
468The supported ciphers are: 470The supported ciphers are:
469.Pp 471.Pp
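Review bot: the new ^ sentence (new lines 465-468) leaves out two things its neighbours state: the - sentence says "(including wildcards)" and both the + and - sentences say "instead of replacing them". Say whether patterns are accepted with ^ and that the rest of the default set is kept, for example "placed at the head of the default set instead of replacing it", so an administrator does not read ^ as a way to restrict the cipher list.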
@@ -514,7 +516,7 @@ The TCP keepalive option enabled by
514.Cm TCPKeepAlive 516.Cm TCPKeepAlive
515is spoofable. 517is spoofable.
516The client alive mechanism is valuable when the client or 518The client alive mechanism is valuable when the client or
517server depend on knowing when a connection has become inactive. 519server depend on knowing when a connection has become unresponsive.
518.Pp 520.Pp
519The default value is 3. 521The default value is 3.
520If 522If
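Review bot: on new lines 518-519 the verb does not agree with its subject: "the client or server depend" should read "the client or server depends". The line is already being touched to change "inactive" to "unresponsive", so the agreement fix can go in the same edit.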
@@ -670,14 +672,18 @@ The default is
670.It Cm HostbasedAcceptedKeyTypes 672.It Cm HostbasedAcceptedKeyTypes
671Specifies the key types that will be accepted for hostbased authentication 673Specifies the key types that will be accepted for hostbased authentication
672as a list of comma-separated patterns. 674as a list of comma-separated patterns.
673Alternately if the specified value begins with a 675Alternately if the specified list begins with a
674.Sq + 676.Sq +
675character, then the specified key types will be appended to the default set 677character, then the specified key types will be appended to the default set
676instead of replacing them. 678instead of replacing them.
677If the specified value begins with a 679If the specified list begins with a
678.Sq - 680.Sq -
679character, then the specified key types (including wildcards) will be removed 681character, then the specified key types (including wildcards) will be removed
680from the default set instead of replacing them. 682from the default set instead of replacing them.
683If the specified list begins with a
684.Sq ^
685character, then the specified key types will be placed at the head of the
686default set.
681The default for this option is: 687The default for this option is:
682.Bd -literal -offset 3n 688.Bd -literal -offset 3n
683ecdsa-sha2-nistp256-cert-v01@openssh.com, 689ecdsa-sha2-nistp256-cert-v01@openssh.com,
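Review bot: new line 675 keeps "Alternately if the specified list begins with", while the Ciphers and MACs entries in this same patch open the identical sentence with a plain "If". Since the line is being rewritten anyway, drop "Alternately" (or at least add the comma after it) so the +, - and ^ descriptions read the same across all five options.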
@@ -875,14 +881,18 @@ The default is
875.It Cm KexAlgorithms 881.It Cm KexAlgorithms
876Specifies the available KEX (Key Exchange) algorithms. 882Specifies the available KEX (Key Exchange) algorithms.
877Multiple algorithms must be comma-separated. 883Multiple algorithms must be comma-separated.
878Alternately if the specified value begins with a 884Alternately if the specified list begins with a
879.Sq + 885.Sq +
880character, then the specified methods will be appended to the default set 886character, then the specified methods will be appended to the default set
881instead of replacing them. 887instead of replacing them.
882If the specified value begins with a 888If the specified list begins with a
883.Sq - 889.Sq -
884character, then the specified methods (including wildcards) will be removed 890character, then the specified methods (including wildcards) will be removed
885from the default set instead of replacing them. 891from the default set instead of replacing them.
892If the specified list begins with a
893.Sq ^
894character, then the specified methods will be placed at the head of the
895default set.
886The supported algorithms are: 896The supported algorithms are:
887.Pp 897.Pp
888.Bl -item -compact -offset indent 898.Bl -item -compact -offset indent
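Review bot: the inserted ^ sentence (new lines 892-895) carries on the "specified methods" wording, although this entry calls them "algorithms" just above ("Multiple algorithms must be comma-separated") and again just below ("The supported algorithms are:"). Use "algorithms" in all three prefix sentences. Separately, new line 895 runs straight into "The supported algorithms are:" with no .Pp, whereas the Ciphers entry has a .Pp break at the same point.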
@@ -992,14 +1002,18 @@ Logging with a DEBUG level violates the privacy of users and is not recommended.
992Specifies the available MAC (message authentication code) algorithms. 1002Specifies the available MAC (message authentication code) algorithms.
993The MAC algorithm is used for data integrity protection. 1003The MAC algorithm is used for data integrity protection.
994Multiple algorithms must be comma-separated. 1004Multiple algorithms must be comma-separated.
995If the specified value begins with a 1005If the specified list begins with a
996.Sq + 1006.Sq +
997character, then the specified algorithms will be appended to the default set 1007character, then the specified algorithms will be appended to the default set
998instead of replacing them. 1008instead of replacing them.
999If the specified value begins with a 1009If the specified list begins with a
1000.Sq - 1010.Sq -
1001character, then the specified algorithms (including wildcards) will be removed 1011character, then the specified algorithms (including wildcards) will be removed
1002from the default set instead of replacing them. 1012from the default set instead of replacing them.
1013If the specified list begins with a
1014.Sq ^
1015character, then the specified algorithms will be placed at the head of the
1016default set.
1003.Pp 1017.Pp
1004The algorithms that contain 1018The algorithms that contain
1005.Qq -etm 1019.Qq -etm
@@ -1157,7 +1171,7 @@ Available keywords are
1157.Cm X11DisplayOffset , 1171.Cm X11DisplayOffset ,
1158.Cm X11Forwarding 1172.Cm X11Forwarding
1159and 1173and
1160.Cm X11UseLocalHost . 1174.Cm X11UseLocalhost .
1161.It Cm MaxAuthTries 1175.It Cm MaxAuthTries
1162Specifies the maximum number of authentication attempts permitted per 1176Specifies the maximum number of authentication attempts permitted per
1163connection. 1177connection.
@@ -1397,14 +1411,18 @@ The default is
1397.It Cm PubkeyAcceptedKeyTypes 1411.It Cm PubkeyAcceptedKeyTypes
1398Specifies the key types that will be accepted for public key authentication 1412Specifies the key types that will be accepted for public key authentication
1399as a list of comma-separated patterns. 1413as a list of comma-separated patterns.
1400Alternately if the specified value begins with a 1414Alternately if the specified list begins with a
1401.Sq + 1415.Sq +
1402character, then the specified key types will be appended to the default set 1416character, then the specified key types will be appended to the default set
1403instead of replacing them. 1417instead of replacing them.
1404If the specified value begins with a 1418If the specified list begins with a
1405.Sq - 1419.Sq -
1406character, then the specified key types (including wildcards) will be removed 1420character, then the specified key types (including wildcards) will be removed
1407from the default set instead of replacing them. 1421from the default set instead of replacing them.
1422If the specified list begins with a
1423.Sq ^
1424character, then the specified key types will be placed at the head of the
1425default set.
1408The default for this option is: 1426The default for this option is:
1409.Bd -literal -offset 3n 1427.Bd -literal -offset 3n
1410ecdsa-sha2-nistp256-cert-v01@openssh.com, 1428ecdsa-sha2-nistp256-cert-v01@openssh.com,
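Review bot: new lines 1422-1425 describe ^ purely as an ordering change, but this option is introduced as the key types "that will be accepted", and nothing in the entry says what position in the set changes for acceptance. Either state the effect of the ordering here or state that ^ leaves the accepted set unchanged, so a reader hardening a server knows that dropping a key type still requires the - form.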