author | jmc@openbsd.org <jmc@openbsd.org> | 2016-10-07 14:41:52 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-10-10 14:27:12 +1100 |
commit | aae4dbd4c058d3b1fe1eb5c4e6ddf35827271377 (patch) | |
tree | e51de8435e0d056256d06aae7b45b8e6401bb124 /sshd_config.5 | |
parent | a571dbcc7b7b25371174569b13df5159bc4c6c7a (diff) |
upstream commit
tidy up the formatting in this file. more specifically,
replace .Dq, which looks appalling, with .Cm, where appropriate;
Upstream-ID: ff8e90aa0343d9bb56f40a535e148607973cc738
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 467 |
1 files changed, 212 insertions, 255 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index b5d361e1d..82a3ad14a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.236 2016/09/28 20:32:42 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.237 2016/10/07 14:41:52 jmc Exp $ |
37 | .Dd $Mdocdate: September 28 2016 $ | 37 | .Dd $Mdocdate: October 7 2016 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -90,19 +90,18 @@ The default is not to accept any environment variables. | |||
90 | Specifies which address family should be used by | 90 | Specifies which address family should be used by |
91 | .Xr sshd 8 . | 91 | .Xr sshd 8 . |
92 | Valid arguments are | 92 | Valid arguments are |
93 | .Dq any , | 93 | .Cm any |
94 | .Dq inet | 94 | (the default), |
95 | .Cm inet | ||
95 | (use IPv4 only), or | 96 | (use IPv4 only), or |
96 | .Dq inet6 | 97 | .Cm inet6 |
97 | (use IPv6 only). | 98 | (use IPv6 only). |
98 | The default is | ||
99 | .Dq any . | ||
100 | .It Cm AllowAgentForwarding | 99 | .It Cm AllowAgentForwarding |
101 | Specifies whether | 100 | Specifies whether |
102 | .Xr ssh-agent 1 | 101 | .Xr ssh-agent 1 |
103 | forwarding is permitted. | 102 | forwarding is permitted. |
104 | The default is | 103 | The default is |
105 | .Dq yes . | 104 | .Cm yes . |
106 | Note that disabling agent forwarding does not improve security | 105 | Note that disabling agent forwarding does not improve security |
107 | unless users are also denied shell access, as they can always install | 106 | unless users are also denied shell access, as they can always install |
108 | their own forwarders. | 107 | their own forwarders. |
@@ -126,40 +125,38 @@ for more information on patterns. | |||
126 | .It Cm AllowStreamLocalForwarding | 125 | .It Cm AllowStreamLocalForwarding |
127 | Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. | 126 | Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. |
128 | The available options are | 127 | The available options are |
129 | .Dq yes | 128 | .Cm yes |
129 | (the default) | ||
130 | or | 130 | or |
131 | .Dq all | 131 | .Cm all |
132 | to allow StreamLocal forwarding, | 132 | to allow StreamLocal forwarding, |
133 | .Dq no | 133 | .Cm no |
134 | to prevent all StreamLocal forwarding, | 134 | to prevent all StreamLocal forwarding, |
135 | .Dq local | 135 | .Cm local |
136 | to allow local (from the perspective of | 136 | to allow local (from the perspective of |
137 | .Xr ssh 1 ) | 137 | .Xr ssh 1 ) |
138 | forwarding only or | 138 | forwarding only or |
139 | .Dq remote | 139 | .Cm remote |
140 | to allow remote forwarding only. | 140 | to allow remote forwarding only. |
141 | The default is | ||
142 | .Dq yes . | ||
143 | Note that disabling StreamLocal forwarding does not improve security unless | 141 | Note that disabling StreamLocal forwarding does not improve security unless |
144 | users are also denied shell access, as they can always install their | 142 | users are also denied shell access, as they can always install their |
145 | own forwarders. | 143 | own forwarders. |
146 | .It Cm AllowTcpForwarding | 144 | .It Cm AllowTcpForwarding |
147 | Specifies whether TCP forwarding is permitted. | 145 | Specifies whether TCP forwarding is permitted. |
148 | The available options are | 146 | The available options are |
149 | .Dq yes | 147 | .Cm yes |
148 | (the default) | ||
150 | or | 149 | or |
151 | .Dq all | 150 | .Cm all |
152 | to allow TCP forwarding, | 151 | to allow TCP forwarding, |
153 | .Dq no | 152 | .Cm no |
154 | to prevent all TCP forwarding, | 153 | to prevent all TCP forwarding, |
155 | .Dq local | 154 | .Cm local |
156 | to allow local (from the perspective of | 155 | to allow local (from the perspective of |
157 | .Xr ssh 1 ) | 156 | .Xr ssh 1 ) |
158 | forwarding only or | 157 | forwarding only or |
159 | .Dq remote | 158 | .Cm remote |
160 | to allow remote forwarding only. | 159 | to allow remote forwarding only. |
161 | The default is | ||
162 | .Dq yes . | ||
163 | Note that disabling TCP forwarding does not improve security unless | 160 | Note that disabling TCP forwarding does not improve security unless |
164 | users are also denied shell access, as they can always install their | 161 | users are also denied shell access, as they can always install their |
165 | own forwarders. | 162 | own forwarders. |
@@ -190,52 +187,44 @@ Specifies the authentication methods that must be successfully completed | |||
190 | for a user to be granted access. | 187 | for a user to be granted access. |
191 | This option must be followed by one or more comma-separated lists of | 188 | This option must be followed by one or more comma-separated lists of |
192 | authentication method names, or by the single string | 189 | authentication method names, or by the single string |
193 | .Dq any | 190 | .Cm any |
194 | to indicate the default behaviour of accepting any single authentication | 191 | to indicate the default behaviour of accepting any single authentication |
195 | method. | 192 | method. |
196 | if the default is overridden, then successful authentication requires | 193 | If the default is overridden, then successful authentication requires |
197 | completion of every method in at least one of these lists. | 194 | completion of every method in at least one of these lists. |
198 | .Pp | 195 | .Pp |
199 | For example, an argument of | 196 | For example, |
200 | .Dq publickey,password publickey,keyboard-interactive | 197 | .Qq publickey,password publickey,keyboard-interactive |
201 | would require the user to complete public key authentication, followed by | 198 | would require the user to complete public key authentication, followed by |
202 | either password or keyboard interactive authentication. | 199 | either password or keyboard interactive authentication. |
203 | Only methods that are next in one or more lists are offered at each stage, | 200 | Only methods that are next in one or more lists are offered at each stage, |
204 | so for this example, it would not be possible to attempt password or | 201 | so for this example it would not be possible to attempt password or |
205 | keyboard-interactive authentication before public key. | 202 | keyboard-interactive authentication before public key. |
206 | .Pp | 203 | .Pp |
207 | For keyboard interactive authentication it is also possible to | 204 | For keyboard interactive authentication it is also possible to |
208 | restrict authentication to a specific device by appending a | 205 | restrict authentication to a specific device by appending a |
209 | colon followed by the device identifier | 206 | colon followed by the device identifier |
210 | .Dq bsdauth , | 207 | .Cm bsdauth , |
211 | .Dq pam , | 208 | .Cm pam , |
212 | or | 209 | or |
213 | .Dq skey , | 210 | .Cm skey , |
214 | depending on the server configuration. | 211 | depending on the server configuration. |
215 | For example, | 212 | For example, |
216 | .Dq keyboard-interactive:bsdauth | 213 | .Qq keyboard-interactive:bsdauth |
217 | would restrict keyboard interactive authentication to the | 214 | would restrict keyboard interactive authentication to the |
218 | .Dq bsdauth | 215 | .Cm bsdauth |
219 | device. | 216 | device. |
220 | .Pp | 217 | .Pp |
221 | If the | 218 | If the publickey method is listed more than once, |
222 | .Dq publickey | ||
223 | method is listed more than once, | ||
224 | .Xr sshd 8 | 219 | .Xr sshd 8 |
225 | verifies that keys that have been used successfully are not reused for | 220 | verifies that keys that have been used successfully are not reused for |
226 | subsequent authentications. | 221 | subsequent authentications. |
227 | For example, an | 222 | For example, |
228 | .Cm AuthenticationMethods | 223 | .Qq publickey,publickey |
229 | of | 224 | requires successful authentication using two different public keys. |
230 | .Dq publickey,publickey | ||
231 | will require successful authentication using two different public keys. | ||
232 | .Pp | 225 | .Pp |
233 | Note that each authentication method listed should also be explicitly enabled | 226 | Note that each authentication method listed should also be explicitly enabled |
234 | in the configuration. | 227 | in the configuration. |
235 | The default | ||
236 | .Dq any | ||
237 | is not to require multiple authentication; successful completion | ||
238 | of a single authentication method is sufficient. | ||
239 | .It Cm AuthorizedKeysCommand | 228 | .It Cm AuthorizedKeysCommand |
240 | Specifies a program to be used to look up the user's public keys. | 229 | Specifies a program to be used to look up the user's public keys. |
241 | The program must be owned by root, not writable by group or others and | 230 | The program must be owned by root, not writable by group or others and |
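Review bot: at new line 218 the method name `publickey` is left as plain text, while the other method names in this hunk (`bsdauth`, `pam`, `skey` at new 207-210) now carry `.Cm`; for consistency mark it up as well, e.g. `If the` / `.Cm publickey` / `method is listed more than once,`. The closing paragraph dropped from old 235-238 (the `any` default meaning no multiple authentication) is already stated at new 189-192, so that deletion loses no information.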
@@ -258,9 +247,13 @@ does not successfully authenticate | |||
258 | and authorize the user then public key authentication continues using the usual | 247 | and authorize the user then public key authentication continues using the usual |
259 | .Cm AuthorizedKeysFile | 248 | .Cm AuthorizedKeysFile |
260 | files. | 249 | files. |
261 | By default, no AuthorizedKeysCommand is run. | 250 | By default, no |
251 | .Cm AuthorizedKeysCommand | ||
252 | is run. | ||
262 | .It Cm AuthorizedKeysCommandUser | 253 | .It Cm AuthorizedKeysCommandUser |
263 | Specifies the user under whose account the AuthorizedKeysCommand is run. | 254 | Specifies the user under whose account the |
255 | .Cm AuthorizedKeysCommand | ||
256 | is run. | ||
264 | It is recommended to use a dedicated user that has no other role on the host | 257 | It is recommended to use a dedicated user that has no other role on the host |
265 | than running authorized keys commands. | 258 | than running authorized keys commands. |
266 | If | 259 | If |
@@ -287,10 +280,10 @@ is taken to be an absolute path or one relative to the user's home | |||
287 | directory. | 280 | directory. |
288 | Multiple files may be listed, separated by whitespace. | 281 | Multiple files may be listed, separated by whitespace. |
289 | Alternately this option may be set to | 282 | Alternately this option may be set to |
290 | .Dq none | 283 | .Cm none |
291 | to skip checking for user keys in files. | 284 | to skip checking for user keys in files. |
292 | The default is | 285 | The default is |
293 | .Dq .ssh/authorized_keys .ssh/authorized_keys2 . | 286 | .Qq .ssh/authorized_keys .ssh/authorized_keys2 . |
294 | .It Cm AuthorizedPrincipalsCommand | 287 | .It Cm AuthorizedPrincipalsCommand |
295 | Specifies a program to be used to generate the list of allowed | 288 | Specifies a program to be used to generate the list of allowed |
296 | certificate principals as per | 289 | certificate principals as per |
@@ -354,7 +347,7 @@ After expansion, | |||
354 | .Cm AuthorizedPrincipalsFile | 347 | .Cm AuthorizedPrincipalsFile |
355 | is taken to be an absolute path or one relative to the user's home directory. | 348 | is taken to be an absolute path or one relative to the user's home directory. |
356 | The default is | 349 | The default is |
357 | .Dq none , | 350 | .Cm none , |
358 | i.e. not to use a principals file \(en in this case, the username | 351 | i.e. not to use a principals file \(en in this case, the username |
359 | of the user must appear in a certificate's principals list for it to be | 352 | of the user must appear in a certificate's principals list for it to be |
360 | accepted. | 353 | accepted. |
@@ -374,7 +367,7 @@ for details). | |||
374 | The contents of the specified file are sent to the remote user before | 367 | The contents of the specified file are sent to the remote user before |
375 | authentication is allowed. | 368 | authentication is allowed. |
376 | If the argument is | 369 | If the argument is |
377 | .Dq none | 370 | .Cm none |
378 | then no banner is displayed. | 371 | then no banner is displayed. |
379 | By default, no banner is displayed. | 372 | By default, no banner is displayed. |
380 | .It Cm ChallengeResponseAuthentication | 373 | .It Cm ChallengeResponseAuthentication |
@@ -382,7 +375,7 @@ Specifies whether challenge-response authentication is allowed (e.g. via | |||
382 | PAM or through authentication styles supported in | 375 | PAM or through authentication styles supported in |
383 | .Xr login.conf 5 ) | 376 | .Xr login.conf 5 ) |
384 | The default is | 377 | The default is |
385 | .Dq yes . | 378 | .Cm yes . |
386 | .It Cm ChrootDirectory | 379 | .It Cm ChrootDirectory |
387 | Specifies the pathname of a directory to | 380 | Specifies the pathname of a directory to |
388 | .Xr chroot 2 | 381 | .Xr chroot 2 |
@@ -417,10 +410,9 @@ nodes such as | |||
417 | and | 410 | and |
418 | .Xr tty 4 | 411 | .Xr tty 4 |
419 | devices. | 412 | devices. |
420 | For file transfer sessions using | 413 | For file transfer sessions using SFTP |
421 | .Dq sftp , | 414 | no additional configuration of the environment is necessary if the in-process |
422 | no additional configuration of the environment is necessary if the | 415 | sftp-server is used, |
423 | in-process sftp server is used, | ||
424 | though sessions which use logging may require | 416 | though sessions which use logging may require |
425 | .Pa /dev/log | 417 | .Pa /dev/log |
426 | inside the chroot directory on some operating systems (see | 418 | inside the chroot directory on some operating systems (see |
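Review bot: the comma that followed `sftp` in old 421 was lost in the rewrite at new 413-415, which now reads "For file transfer sessions using SFTP no additional configuration of the environment is necessary"; restore it after "SFTP". Also, "in-process sftp-server" at new 415 reads like a reference to the separately executed sftp-server program, whereas the in-process server is the one selected by `internal-sftp` (see the ForceCommand text later in this file, which calls it an "in-process SFTP server"); "in-process SFTP server" or `.Cm internal-sftp` would avoid the ambiguity.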
@@ -435,7 +427,7 @@ Misconfiguration can lead to unsafe environments which | |||
435 | cannot detect. | 427 | cannot detect. |
436 | .Pp | 428 | .Pp |
437 | The default is | 429 | The default is |
438 | .Dq none , | 430 | .Cm none , |
439 | indicating not to | 431 | indicating not to |
440 | .Xr chroot 2 . | 432 | .Xr chroot 2 . |
441 | .It Cm Ciphers | 433 | .It Cm Ciphers |
@@ -488,23 +480,17 @@ aes128-ctr,aes192-ctr,aes256-ctr, | |||
488 | aes128-gcm@openssh.com,aes256-gcm@openssh.com | 480 | aes128-gcm@openssh.com,aes256-gcm@openssh.com |
489 | .Ed | 481 | .Ed |
490 | .Pp | 482 | .Pp |
491 | The list of available ciphers may also be obtained using the | 483 | The list of available ciphers may also be obtained using |
492 | .Fl Q | 484 | .Qq ssh -Q cipher . |
493 | option of | ||
494 | .Xr ssh 1 | ||
495 | with an argument of | ||
496 | .Dq cipher . | ||
497 | .It Cm ClientAliveCountMax | 485 | .It Cm ClientAliveCountMax |
498 | Sets the number of client alive messages (see below) which may be | 486 | Sets the number of client alive messages which may be sent without |
499 | sent without | ||
500 | .Xr sshd 8 | 487 | .Xr sshd 8 |
501 | receiving any messages back from the client. | 488 | receiving any messages back from the client. |
502 | If this threshold is reached while client alive messages are being sent, | 489 | If this threshold is reached while client alive messages are being sent, |
503 | sshd will disconnect the client, terminating the session. | 490 | sshd will disconnect the client, terminating the session. |
504 | It is important to note that the use of client alive messages is very | 491 | It is important to note that the use of client alive messages is very |
505 | different from | 492 | different from |
506 | .Cm TCPKeepAlive | 493 | .Cm TCPKeepAlive . |
507 | (below). | ||
508 | The client alive messages are sent through the encrypted channel | 494 | The client alive messages are sent through the encrypted channel |
509 | and therefore will not be spoofable. | 495 | and therefore will not be spoofable. |
510 | The TCP keepalive option enabled by | 496 | The TCP keepalive option enabled by |
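Review bot: folding the `.Fl Q` / `.Xr ssh 1` wording of old 491-496 into the literal `.Qq ssh -Q cipher .` at new 483-484 drops the cross-reference to ssh(1), so the reader no longer gets a link to the manual that documents the option; consider keeping it, e.g. `may also be obtained using` / `.Qq ssh -Q cipher` / `(see .Xr ssh 1 ) .` The same substitution is made in the HostbasedAcceptedKeyTypes, HostKeyAlgorithms, KexAlgorithms and MACs hunks below, and the same remark applies there.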
@@ -516,7 +502,7 @@ server depend on knowing when a connection has become inactive. | |||
516 | The default value is 3. | 502 | The default value is 3. |
517 | If | 503 | If |
518 | .Cm ClientAliveInterval | 504 | .Cm ClientAliveInterval |
519 | (see below) is set to 15, and | 505 | is set to 15, and |
520 | .Cm ClientAliveCountMax | 506 | .Cm ClientAliveCountMax |
521 | is left at the default, unresponsive SSH clients | 507 | is left at the default, unresponsive SSH clients |
522 | will be disconnected after approximately 45 seconds. | 508 | will be disconnected after approximately 45 seconds. |
@@ -532,14 +518,14 @@ is 0, indicating that these messages will not be sent to the client. | |||
532 | Specifies whether compression is enabled after | 518 | Specifies whether compression is enabled after |
533 | the user has authenticated successfully. | 519 | the user has authenticated successfully. |
534 | The argument must be | 520 | The argument must be |
535 | .Dq yes , | 521 | .Cm yes , |
536 | .Dq delayed | 522 | .Cm delayed |
537 | (a legacy synonym for | 523 | (a legacy synonym for |
538 | .Dq yes ) | 524 | .Cm yes ) |
539 | or | 525 | or |
540 | .Dq no . | 526 | .Cm no . |
541 | The default is | 527 | The default is |
542 | .Dq yes . | 528 | .Cm yes . |
543 | .It Cm DenyGroups | 529 | .It Cm DenyGroups |
544 | This keyword can be followed by a list of group name patterns, separated | 530 | This keyword can be followed by a list of group name patterns, separated |
545 | by spaces. | 531 | by spaces. |
@@ -581,11 +567,11 @@ for more information on patterns. | |||
581 | .It Cm FingerprintHash | 567 | .It Cm FingerprintHash |
582 | Specifies the hash algorithm used when logging key fingerprints. | 568 | Specifies the hash algorithm used when logging key fingerprints. |
583 | Valid options are: | 569 | Valid options are: |
584 | .Dq md5 | 570 | .Cm md5 |
585 | and | 571 | and |
586 | .Dq sha256 . | 572 | .Cm sha256 . |
587 | The default is | 573 | The default is |
588 | .Dq sha256 . | 574 | .Cm sha256 . |
589 | .It Cm ForceCommand | 575 | .It Cm ForceCommand |
590 | Forces the execution of the command specified by | 576 | Forces the execution of the command specified by |
591 | .Cm ForceCommand , | 577 | .Cm ForceCommand , |
@@ -601,12 +587,12 @@ The command originally supplied by the client is available in the | |||
601 | .Ev SSH_ORIGINAL_COMMAND | 587 | .Ev SSH_ORIGINAL_COMMAND |
602 | environment variable. | 588 | environment variable. |
603 | Specifying a command of | 589 | Specifying a command of |
604 | .Dq internal-sftp | 590 | .Cm internal-sftp |
605 | will force the use of an in-process sftp server that requires no support | 591 | will force the use of an in-process SFTP server that requires no support |
606 | files when used with | 592 | files when used with |
607 | .Cm ChrootDirectory . | 593 | .Cm ChrootDirectory . |
608 | The default is | 594 | The default is |
609 | .Dq none . | 595 | .Cm none . |
610 | .It Cm GatewayPorts | 596 | .It Cm GatewayPorts |
611 | Specifies whether remote hosts are allowed to connect to ports | 597 | Specifies whether remote hosts are allowed to connect to ports |
612 | forwarded for the client. | 598 | forwarded for the client. |
@@ -619,38 +605,37 @@ can be used to specify that sshd | |||
619 | should allow remote port forwardings to bind to non-loopback addresses, thus | 605 | should allow remote port forwardings to bind to non-loopback addresses, thus |
620 | allowing other hosts to connect. | 606 | allowing other hosts to connect. |
621 | The argument may be | 607 | The argument may be |
622 | .Dq no | 608 | .Cm no |
623 | to force remote port forwardings to be available to the local host only, | 609 | to force remote port forwardings to be available to the local host only, |
624 | .Dq yes | 610 | .Cm yes |
625 | to force remote port forwardings to bind to the wildcard address, or | 611 | to force remote port forwardings to bind to the wildcard address, or |
626 | .Dq clientspecified | 612 | .Cm clientspecified |
627 | to allow the client to select the address to which the forwarding is bound. | 613 | to allow the client to select the address to which the forwarding is bound. |
628 | The default is | 614 | The default is |
629 | .Dq no . | 615 | .Cm no . |
630 | .It Cm GSSAPIAuthentication | 616 | .It Cm GSSAPIAuthentication |
631 | Specifies whether user authentication based on GSSAPI is allowed. | 617 | Specifies whether user authentication based on GSSAPI is allowed. |
632 | The default is | 618 | The default is |
633 | .Dq no . | 619 | .Cm no . |
634 | .It Cm GSSAPICleanupCredentials | 620 | .It Cm GSSAPICleanupCredentials |
635 | Specifies whether to automatically destroy the user's credentials cache | 621 | Specifies whether to automatically destroy the user's credentials cache |
636 | on logout. | 622 | on logout. |
637 | The default is | 623 | The default is |
638 | .Dq yes . | 624 | .Cm yes . |
639 | .It Cm GSSAPIStrictAcceptorCheck | 625 | .It Cm GSSAPIStrictAcceptorCheck |
640 | Determines whether to be strict about the identity of the GSSAPI acceptor | 626 | Determines whether to be strict about the identity of the GSSAPI acceptor |
641 | a client authenticates against. | 627 | a client authenticates against. |
642 | If set to | 628 | If set to |
643 | .Dq yes | 629 | .Cm yes |
644 | then the client must authenticate against the | 630 | then the client must authenticate against the host |
645 | .Pa host | ||
646 | service on the current hostname. | 631 | service on the current hostname. |
647 | If set to | 632 | If set to |
648 | .Dq no | 633 | .Cm no |
649 | then the client may authenticate against any service key stored in the | 634 | then the client may authenticate against any service key stored in the |
650 | machine's default store. | 635 | machine's default store. |
651 | This facility is provided to assist with operation on multi homed machines. | 636 | This facility is provided to assist with operation on multi homed machines. |
652 | The default is | 637 | The default is |
653 | .Dq yes . | 638 | .Cm yes . |
654 | .It Cm HostbasedAcceptedKeyTypes | 639 | .It Cm HostbasedAcceptedKeyTypes |
655 | Specifies the key types that will be accepted for hostbased authentication | 640 | Specifies the key types that will be accepted for hostbased authentication |
656 | as a comma-separated pattern list. | 641 | as a comma-separated pattern list. |
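Review bot: at new line 630 the GSSAPI service name `host` lost all markup when `.Pa host` (old 645) was folded into the sentence. `.Pa` was the wrong macro for a service name, but as plain text the literal name is now indistinguishable from the English word "host"; `.Cm host`, matching how this commit treats other literal values, or `.Sq host` would keep it visibly a token.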
@@ -669,17 +654,14 @@ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | |||
669 | ssh-ed25519,ssh-rsa | 654 | ssh-ed25519,ssh-rsa |
670 | .Ed | 655 | .Ed |
671 | .Pp | 656 | .Pp |
672 | The | 657 | The list of available key types may also be obtained using |
673 | .Fl Q | 658 | .Qq ssh -Q key . |
674 | option of | ||
675 | .Xr ssh 1 | ||
676 | may be used to list supported key types. | ||
677 | .It Cm HostbasedAuthentication | 659 | .It Cm HostbasedAuthentication |
678 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 660 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
679 | with successful public key client host authentication is allowed | 661 | with successful public key client host authentication is allowed |
680 | (host-based authentication). | 662 | (host-based authentication). |
681 | The default is | 663 | The default is |
682 | .Dq no . | 664 | .Cm no . |
683 | .It Cm HostbasedUsesNameFromPacketOnly | 665 | .It Cm HostbasedUsesNameFromPacketOnly |
684 | Specifies whether or not the server will attempt to perform a reverse | 666 | Specifies whether or not the server will attempt to perform a reverse |
685 | name lookup when matching the name in the | 667 | name lookup when matching the name in the |
@@ -690,13 +672,13 @@ and | |||
690 | files during | 672 | files during |
691 | .Cm HostbasedAuthentication . | 673 | .Cm HostbasedAuthentication . |
692 | A setting of | 674 | A setting of |
693 | .Dq yes | 675 | .Cm yes |
694 | means that | 676 | means that |
695 | .Xr sshd 8 | 677 | .Xr sshd 8 |
696 | uses the name supplied by the client rather than | 678 | uses the name supplied by the client rather than |
697 | attempting to resolve the name from the TCP connection itself. | 679 | attempting to resolve the name from the TCP connection itself. |
698 | The default is | 680 | The default is |
699 | .Dq no . | 681 | .Cm no . |
700 | .It Cm HostCertificate | 682 | .It Cm HostCertificate |
701 | Specifies a file containing a public host certificate. | 683 | Specifies a file containing a public host certificate. |
702 | The certificate's public key must match a private host key already specified | 684 | The certificate's public key must match a private host key already specified |
@@ -732,7 +714,7 @@ to an | |||
732 | Identifies the UNIX-domain socket used to communicate | 714 | Identifies the UNIX-domain socket used to communicate |
733 | with an agent that has access to the private host keys. | 715 | with an agent that has access to the private host keys. |
734 | If the string | 716 | If the string |
735 | .Dq SSH_AUTH_SOCK | 717 | .Qq SSH_AUTH_SOCK |
736 | is specified, the location of the socket will be read from the | 718 | is specified, the location of the socket will be read from the |
737 | .Ev SSH_AUTH_SOCK | 719 | .Ev SSH_AUTH_SOCK |
738 | environment variable. | 720 | environment variable. |
@@ -750,12 +732,8 @@ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | |||
750 | ssh-ed25519,ssh-rsa | 732 | ssh-ed25519,ssh-rsa |
751 | .Ed | 733 | .Ed |
752 | .Pp | 734 | .Pp |
753 | The list of available key types may also be obtained using the | 735 | The list of available key types may also be obtained using |
754 | .Fl Q | 736 | .Qq ssh -Q key . |
755 | option of | ||
756 | .Xr ssh 1 | ||
757 | with an argument of | ||
758 | .Dq key . | ||
759 | .It Cm IgnoreRhosts | 737 | .It Cm IgnoreRhosts |
760 | Specifies that | 738 | Specifies that |
761 | .Pa .rhosts | 739 | .Pa .rhosts |
@@ -769,7 +747,7 @@ and | |||
769 | .Pa /etc/shosts.equiv | 747 | .Pa /etc/shosts.equiv |
770 | are still used. | 748 | are still used. |
771 | The default is | 749 | The default is |
772 | .Dq yes . | 750 | .Cm yes . |
773 | .It Cm IgnoreUserKnownHosts | 751 | .It Cm IgnoreUserKnownHosts |
774 | Specifies whether | 752 | Specifies whether |
775 | .Xr sshd 8 | 753 | .Xr sshd 8 |
@@ -778,55 +756,55 @@ should ignore the user's | |||
778 | during | 756 | during |
779 | .Cm HostbasedAuthentication . | 757 | .Cm HostbasedAuthentication . |
780 | The default is | 758 | The default is |
781 | .Dq no . | 759 | .Cm no . |
782 | .It Cm IPQoS | 760 | .It Cm IPQoS |
783 | Specifies the IPv4 type-of-service or DSCP class for the connection. | 761 | Specifies the IPv4 type-of-service or DSCP class for the connection. |
784 | Accepted values are | 762 | Accepted values are |
785 | .Dq af11 , | 763 | .Cm af11 , |
786 | .Dq af12 , | 764 | .Cm af12 , |
787 | .Dq af13 , | 765 | .Cm af13 , |
788 | .Dq af21 , | 766 | .Cm af21 , |
789 | .Dq af22 , | 767 | .Cm af22 , |
790 | .Dq af23 , | 768 | .Cm af23 , |
791 | .Dq af31 , | 769 | .Cm af31 , |
792 | .Dq af32 , | 770 | .Cm af32 , |
793 | .Dq af33 , | 771 | .Cm af33 , |
794 | .Dq af41 , | 772 | .Cm af41 , |
795 | .Dq af42 , | 773 | .Cm af42 , |
796 | .Dq af43 , | 774 | .Cm af43 , |
797 | .Dq cs0 , | 775 | .Cm cs0 , |
798 | .Dq cs1 , | 776 | .Cm cs1 , |
799 | .Dq cs2 , | 777 | .Cm cs2 , |
800 | .Dq cs3 , | 778 | .Cm cs3 , |
801 | .Dq cs4 , | 779 | .Cm cs4 , |
802 | .Dq cs5 , | 780 | .Cm cs5 , |
803 | .Dq cs6 , | 781 | .Cm cs6 , |
804 | .Dq cs7 , | 782 | .Cm cs7 , |
805 | .Dq ef , | 783 | .Cm ef , |
806 | .Dq lowdelay , | 784 | .Cm lowdelay , |
807 | .Dq throughput , | 785 | .Cm throughput , |
808 | .Dq reliability , | 786 | .Cm reliability , |
809 | or a numeric value. | 787 | or a numeric value. |
810 | This option may take one or two arguments, separated by whitespace. | 788 | This option may take one or two arguments, separated by whitespace. |
811 | If one argument is specified, it is used as the packet class unconditionally. | 789 | If one argument is specified, it is used as the packet class unconditionally. |
812 | If two values are specified, the first is automatically selected for | 790 | If two values are specified, the first is automatically selected for |
813 | interactive sessions and the second for non-interactive sessions. | 791 | interactive sessions and the second for non-interactive sessions. |
814 | The default is | 792 | The default is |
815 | .Dq lowdelay | 793 | .Cm lowdelay |
816 | for interactive sessions and | 794 | for interactive sessions and |
817 | .Dq throughput | 795 | .Cm throughput |
818 | for non-interactive sessions. | 796 | for non-interactive sessions. |
819 | .It Cm KbdInteractiveAuthentication | 797 | .It Cm KbdInteractiveAuthentication |
820 | Specifies whether to allow keyboard-interactive authentication. | 798 | Specifies whether to allow keyboard-interactive authentication. |
821 | The argument to this keyword must be | 799 | The argument to this keyword must be |
822 | .Dq yes | 800 | .Cm yes |
823 | or | 801 | or |
824 | .Dq no . | 802 | .Cm no . |
825 | The default is to use whatever value | 803 | The default is to use whatever value |
826 | .Cm ChallengeResponseAuthentication | 804 | .Cm ChallengeResponseAuthentication |
827 | is set to | 805 | is set to |
828 | (by default | 806 | (by default |
829 | .Dq yes ) . | 807 | .Cm yes ) . |
830 | .It Cm KerberosAuthentication | 808 | .It Cm KerberosAuthentication |
831 | Specifies whether the password provided by the user for | 809 | Specifies whether the password provided by the user for |
832 | .Cm PasswordAuthentication | 810 | .Cm PasswordAuthentication |
@@ -834,24 +812,24 @@ will be validated through the Kerberos KDC. | |||
834 | To use this option, the server needs a | 812 | To use this option, the server needs a |
835 | Kerberos servtab which allows the verification of the KDC's identity. | 813 | Kerberos servtab which allows the verification of the KDC's identity. |
836 | The default is | 814 | The default is |
837 | .Dq no . | 815 | .Cm no . |
838 | .It Cm KerberosGetAFSToken | 816 | .It Cm KerberosGetAFSToken |
839 | If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire | 817 | If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
840 | an AFS token before accessing the user's home directory. | 818 | an AFS token before accessing the user's home directory. |
841 | The default is | 819 | The default is |
842 | .Dq no . | 820 | .Cm no . |
843 | .It Cm KerberosOrLocalPasswd | 821 | .It Cm KerberosOrLocalPasswd |
844 | If password authentication through Kerberos fails then | 822 | If password authentication through Kerberos fails then |
845 | the password will be validated via any additional local mechanism | 823 | the password will be validated via any additional local mechanism |
846 | such as | 824 | such as |
847 | .Pa /etc/passwd . | 825 | .Pa /etc/passwd . |
848 | The default is | 826 | The default is |
849 | .Dq yes . | 827 | .Cm yes . |
850 | .It Cm KerberosTicketCleanup | 828 | .It Cm KerberosTicketCleanup |
851 | Specifies whether to automatically destroy the user's ticket cache | 829 | Specifies whether to automatically destroy the user's ticket cache |
852 | file on logout. | 830 | file on logout. |
853 | The default is | 831 | The default is |
854 | .Dq yes . | 832 | .Cm yes . |
855 | .It Cm KexAlgorithms | 833 | .It Cm KexAlgorithms |
856 | Specifies the available KEX (Key Exchange) algorithms. | 834 | Specifies the available KEX (Key Exchange) algorithms. |
857 | Multiple algorithms must be comma-separated. | 835 | Multiple algorithms must be comma-separated. |
@@ -890,12 +868,8 @@ diffie-hellman-group-exchange-sha256, | |||
890 | diffie-hellman-group14-sha1 | 868 | diffie-hellman-group14-sha1 |
891 | .Ed | 869 | .Ed |
892 | .Pp | 870 | .Pp |
893 | The list of available key exchange algorithms may also be obtained using the | 871 | The list of available key exchange algorithms may also be obtained using |
894 | .Fl Q | 872 | .Qq ssh -Q kex . |
895 | option of | ||
896 | .Xr ssh 1 | ||
897 | with an argument of | ||
898 | .Dq kex . | ||
899 | .It Cm ListenAddress | 873 | .It Cm ListenAddress |
900 | Specifies the local addresses | 874 | Specifies the local addresses |
901 | .Xr sshd 8 | 875 | .Xr sshd 8 |
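Review bot: the replacement `.Qq ssh -Q kex .` drops the `.Xr ssh 1` cross-reference that the removed lines carried, so the rendered KexAlgorithms paragraph no longer links to ssh(1). Writing it as `.Xr ssh 1 Fl Q kex` keeps the cross-reference while still presenting the whole command in one line.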
@@ -955,7 +929,7 @@ character, then the specified algorithms will be appended to the default set | |||
955 | instead of replacing them. | 929 | instead of replacing them. |
956 | .Pp | 930 | .Pp |
957 | The algorithms that contain | 931 | The algorithms that contain |
958 | .Dq -etm | 932 | .Qq -etm |
959 | calculate the MAC after encryption (encrypt-then-mac). | 933 | calculate the MAC after encryption (encrypt-then-mac). |
960 | These are considered safer and their use recommended. | 934 | These are considered safer and their use recommended. |
961 | The supported MACs are: | 935 | The supported MACs are: |
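Review bot: `.Qq -etm` quotes a literal substring of the algorithm names; `.Ql -etm` would mark it as a literal, consistent with the `.Ql #` used for the comment character under TrustedUserCAKeys later in this page. The unchanged context line "These are considered safer and their use recommended." is also missing a verb ("their use is recommended") and could be fixed while this paragraph is being touched.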
@@ -1008,12 +982,8 @@ umac-64@openssh.com,umac-128@openssh.com, | |||
1008 | hmac-sha2-256,hmac-sha2-512,hmac-sha1 | 982 | hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
1009 | .Ed | 983 | .Ed |
1010 | .Pp | 984 | .Pp |
1011 | The list of available MAC algorithms may also be obtained using the | 985 | The list of available MAC algorithms may also be obtained using |
1012 | .Fl Q | 986 | .Qq ssh -Q mac . |
1013 | option of | ||
1014 | .Xr ssh 1 | ||
1015 | with an argument of | ||
1016 | .Dq mac . | ||
1017 | .It Cm Match | 987 | .It Cm Match |
1018 | Introduces a conditional block. | 988 | Introduces a conditional block. |
1019 | If all of the criteria on the | 989 | If all of the criteria on the |
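Review bot: `.Qq ssh -Q mac .` removes the `.Xr ssh 1` reference the old wording had, so the MACs paragraph loses its link to ssh(1); `.Xr ssh 1 Fl Q mac` preserves the cross-reference and still shows the command.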
@@ -1042,24 +1012,19 @@ and | |||
1042 | .Cm Address . | 1012 | .Cm Address . |
1043 | The match patterns may consist of single entries or comma-separated | 1013 | The match patterns may consist of single entries or comma-separated |
1044 | lists and may use the wildcard and negation operators described in the | 1014 | lists and may use the wildcard and negation operators described in the |
1045 | PATTERNS section of | 1015 | .Sx PATTERNS |
1016 | section of | ||
1046 | .Xr ssh_config 5 . | 1017 | .Xr ssh_config 5 . |
1047 | .Pp | 1018 | .Pp |
1048 | The patterns in an | 1019 | The patterns in an |
1049 | .Cm Address | 1020 | .Cm Address |
1050 | criteria may additionally contain addresses to match in CIDR | 1021 | criteria may additionally contain addresses to match in CIDR |
1051 | address/masklen format, e.g.\& | 1022 | address/masklen format, |
1052 | .Dq 192.0.2.0/24 | 1023 | such as 192.0.2.0/24 or 2001:db8::/32. |
1053 | or | ||
1054 | .Dq 2001:db8::/32 . | ||
1055 | Note that the mask length provided must be consistent with the address - | 1024 | Note that the mask length provided must be consistent with the address - |
1056 | it is an error to specify a mask length that is too long for the address | 1025 | it is an error to specify a mask length that is too long for the address |
1057 | or one with bits set in this host portion of the address. | 1026 | or one with bits set in this host portion of the address. |
1058 | For example, | 1027 | For example, 192.0.2.0/33 and 192.0.2.0/8, respectively. |
1059 | .Dq 192.0.2.0/33 | ||
1060 | and | ||
1061 | .Dq 192.0.2.0/8 | ||
1062 | respectively. | ||
1063 | .Pp | 1028 | .Pp |
1064 | Only a subset of keywords may be used on the lines following a | 1029 | Only a subset of keywords may be used on the lines following a |
1065 | .Cm Match | 1030 | .Cm Match |
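Review bot: the unchanged context line "or one with bits set in this host portion of the address." should read "the host portion"; since this paragraph is being reflowed anyway, it is worth fixing in the same commit. In "consistent with the address - it is an error" the bare ASCII hyphen renders as a hyphen rather than a dash; splitting it into two sentences or using `\(en` avoids that.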
@@ -1138,29 +1103,21 @@ The default is 10:30:100. | |||
1138 | .Pp | 1103 | .Pp |
1139 | Alternatively, random early drop can be enabled by specifying | 1104 | Alternatively, random early drop can be enabled by specifying |
1140 | the three colon separated values | 1105 | the three colon separated values |
1141 | .Dq start:rate:full | 1106 | start:rate:full (e.g. "10:30:60"). |
1142 | (e.g. "10:30:60"). | ||
1143 | .Xr sshd 8 | 1107 | .Xr sshd 8 |
1144 | will refuse connection attempts with a probability of | 1108 | will refuse connection attempts with a probability of rate/100 (30%) |
1145 | .Dq rate/100 | 1109 | if there are currently start (10) unauthenticated connections. |
1146 | (30%) | ||
1147 | if there are currently | ||
1148 | .Dq start | ||
1149 | (10) | ||
1150 | unauthenticated connections. | ||
1151 | The probability increases linearly and all connection attempts | 1110 | The probability increases linearly and all connection attempts |
1152 | are refused if the number of unauthenticated connections reaches | 1111 | are refused if the number of unauthenticated connections reaches full (60). |
1153 | .Dq full | ||
1154 | (60). | ||
1155 | .It Cm PasswordAuthentication | 1112 | .It Cm PasswordAuthentication |
1156 | Specifies whether password authentication is allowed. | 1113 | Specifies whether password authentication is allowed. |
1157 | The default is | 1114 | The default is |
1158 | .Dq yes . | 1115 | .Cm yes . |
1159 | .It Cm PermitEmptyPasswords | 1116 | .It Cm PermitEmptyPasswords |
1160 | When password authentication is allowed, it specifies whether the | 1117 | When password authentication is allowed, it specifies whether the |
1161 | server allows login to accounts with empty password strings. | 1118 | server allows login to accounts with empty password strings. |
1162 | The default is | 1119 | The default is |
1163 | .Dq no . | 1120 | .Cm no . |
1164 | .It Cm PermitOpen | 1121 | .It Cm PermitOpen |
1165 | Specifies the destinations to which TCP port forwarding is permitted. | 1122 | Specifies the destinations to which TCP port forwarding is permitted. |
1166 | The forwarding specification must be one of the following forms: | 1123 | The forwarding specification must be one of the following forms: |
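Review bot: `start:rate:full` names three placeholder values, so `.Ar start:rate:full` fits mdoc conventions better than plain text, and the later mentions "rate/100 (30%)", "start (10)" and "full (60)" would then also use `.Ar` so the placeholders match their definition. The raw ASCII quotes in `(e.g. "10:30:60")` are normally expressed with a quoting macro such as `.Pq Qq 10:30:60` rather than literal `"` characters.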
@@ -1185,36 +1142,36 @@ The forwarding specification must be one of the following forms: | |||
1185 | .Pp | 1142 | .Pp |
1186 | Multiple forwards may be specified by separating them with whitespace. | 1143 | Multiple forwards may be specified by separating them with whitespace. |
1187 | An argument of | 1144 | An argument of |
1188 | .Dq any | 1145 | .Cm any |
1189 | can be used to remove all restrictions and permit any forwarding requests. | 1146 | can be used to remove all restrictions and permit any forwarding requests. |
1190 | An argument of | 1147 | An argument of |
1191 | .Dq none | 1148 | .Cm none |
1192 | can be used to prohibit all forwarding requests. | 1149 | can be used to prohibit all forwarding requests. |
1193 | The wildcard | 1150 | The wildcard |
1194 | .Dq * | 1151 | .Sq * |
1195 | can be used for host or port to allow all hosts or ports, respectively. | 1152 | can be used for host or port to allow all hosts or ports, respectively. |
1196 | By default all port forwarding requests are permitted. | 1153 | By default all port forwarding requests are permitted. |
1197 | .It Cm PermitRootLogin | 1154 | .It Cm PermitRootLogin |
1198 | Specifies whether root can log in using | 1155 | Specifies whether root can log in using |
1199 | .Xr ssh 1 . | 1156 | .Xr ssh 1 . |
1200 | The argument must be | 1157 | The argument must be |
1201 | .Dq yes , | 1158 | .Cm yes , |
1202 | .Dq prohibit-password , | 1159 | .Cm prohibit-password , |
1203 | .Dq without-password , | 1160 | .Cm without-password , |
1204 | .Dq forced-commands-only , | 1161 | .Cm forced-commands-only , |
1205 | or | 1162 | or |
1206 | .Dq no . | 1163 | .Cm no . |
1207 | The default is | 1164 | The default is |
1208 | .Dq prohibit-password . | 1165 | .Cm prohibit-password . |
1209 | .Pp | 1166 | .Pp |
1210 | If this option is set to | 1167 | If this option is set to |
1211 | .Dq prohibit-password | 1168 | .Cm prohibit-password |
1212 | or | 1169 | or |
1213 | .Dq without-password , | 1170 | .Cm without-password , |
1214 | password and keyboard-interactive authentication are disabled for root. | 1171 | password and keyboard-interactive authentication are disabled for root. |
1215 | .Pp | 1172 | .Pp |
1216 | If this option is set to | 1173 | If this option is set to |
1217 | .Dq forced-commands-only , | 1174 | .Cm forced-commands-only , |
1218 | root login with public key authentication will be allowed, | 1175 | root login with public key authentication will be allowed, |
1219 | but only if the | 1176 | but only if the |
1220 | .Ar command | 1177 | .Ar command |
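Review bot: `.Sq *` single-quotes the wildcard, while the same page tags the comment character as a literal with `.Ql #` (TrustedUserCAKeys); `.Ql *` here would keep literal characters marked up consistently across the page.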
@@ -1224,33 +1181,33 @@ normally not allowed). | |||
1224 | All other authentication methods are disabled for root. | 1181 | All other authentication methods are disabled for root. |
1225 | .Pp | 1182 | .Pp |
1226 | If this option is set to | 1183 | If this option is set to |
1227 | .Dq no , | 1184 | .Cm no , |
1228 | root is not allowed to log in. | 1185 | root is not allowed to log in. |
1229 | .It Cm PermitTTY | 1186 | .It Cm PermitTTY |
1230 | Specifies whether | 1187 | Specifies whether |
1231 | .Xr pty 4 | 1188 | .Xr pty 4 |
1232 | allocation is permitted. | 1189 | allocation is permitted. |
1233 | The default is | 1190 | The default is |
1234 | .Dq yes . | 1191 | .Cm yes . |
1235 | .It Cm PermitTunnel | 1192 | .It Cm PermitTunnel |
1236 | Specifies whether | 1193 | Specifies whether |
1237 | .Xr tun 4 | 1194 | .Xr tun 4 |
1238 | device forwarding is allowed. | 1195 | device forwarding is allowed. |
1239 | The argument must be | 1196 | The argument must be |
1240 | .Dq yes , | 1197 | .Cm yes , |
1241 | .Dq point-to-point | 1198 | .Cm point-to-point |
1242 | (layer 3), | 1199 | (layer 3), |
1243 | .Dq ethernet | 1200 | .Cm ethernet |
1244 | (layer 2), or | 1201 | (layer 2), or |
1245 | .Dq no . | 1202 | .Cm no . |
1246 | Specifying | 1203 | Specifying |
1247 | .Dq yes | 1204 | .Cm yes |
1248 | permits both | 1205 | permits both |
1249 | .Dq point-to-point | 1206 | .Cm point-to-point |
1250 | and | 1207 | and |
1251 | .Dq ethernet . | 1208 | .Cm ethernet . |
1252 | The default is | 1209 | The default is |
1253 | .Dq no . | 1210 | .Cm no . |
1254 | .Pp | 1211 | .Pp |
1255 | Independent of this setting, the permissions of the selected | 1212 | Independent of this setting, the permissions of the selected |
1256 | .Xr tun 4 | 1213 | .Xr tun 4 |
@@ -1265,7 +1222,7 @@ options in | |||
1265 | are processed by | 1222 | are processed by |
1266 | .Xr sshd 8 . | 1223 | .Xr sshd 8 . |
1267 | The default is | 1224 | The default is |
1268 | .Dq no . | 1225 | .Cm no . |
1269 | Enabling environment processing may enable users to bypass access | 1226 | Enabling environment processing may enable users to bypass access |
1270 | restrictions in some configurations using mechanisms such as | 1227 | restrictions in some configurations using mechanisms such as |
1271 | .Ev LD_PRELOAD . | 1228 | .Ev LD_PRELOAD . |
@@ -1274,11 +1231,11 @@ Specifies whether any | |||
1274 | .Pa ~/.ssh/rc | 1231 | .Pa ~/.ssh/rc |
1275 | file is executed. | 1232 | file is executed. |
1276 | The default is | 1233 | The default is |
1277 | .Dq yes . | 1234 | .Cm yes . |
1278 | .It Cm PidFile | 1235 | .It Cm PidFile |
1279 | Specifies the file that contains the process ID of the | 1236 | Specifies the file that contains the process ID of the |
1280 | SSH daemon, or | 1237 | SSH daemon, or |
1281 | .Dq none | 1238 | .Cm none |
1282 | to not write one. | 1239 | to not write one. |
1283 | The default is | 1240 | The default is |
1284 | .Pa /var/run/sshd.pid . | 1241 | .Pa /var/run/sshd.pid . |
@@ -1296,7 +1253,7 @@ Specifies whether | |||
1296 | should print the date and time of the last user login when a user logs | 1253 | should print the date and time of the last user login when a user logs |
1297 | in interactively. | 1254 | in interactively. |
1298 | The default is | 1255 | The default is |
1299 | .Dq yes . | 1256 | .Cm yes . |
1300 | .It Cm PrintMotd | 1257 | .It Cm PrintMotd |
1301 | Specifies whether | 1258 | Specifies whether |
1302 | .Xr sshd 8 | 1259 | .Xr sshd 8 |
@@ -1307,7 +1264,7 @@ when a user logs in interactively. | |||
1307 | .Pa /etc/profile , | 1264 | .Pa /etc/profile , |
1308 | or equivalent.) | 1265 | or equivalent.) |
1309 | The default is | 1266 | The default is |
1310 | .Dq yes . | 1267 | .Cm yes . |
1311 | .It Cm PubkeyAcceptedKeyTypes | 1268 | .It Cm PubkeyAcceptedKeyTypes |
1312 | Specifies the key types that will be accepted for public key authentication | 1269 | Specifies the key types that will be accepted for public key authentication |
1313 | as a comma-separated pattern list. | 1270 | as a comma-separated pattern list. |
@@ -1326,15 +1283,12 @@ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | |||
1326 | ssh-ed25519,ssh-rsa | 1283 | ssh-ed25519,ssh-rsa |
1327 | .Ed | 1284 | .Ed |
1328 | .Pp | 1285 | .Pp |
1329 | The | 1286 | The list of available key types may also be obtained using |
1330 | .Fl Q | 1287 | .Qq ssh -Q key . |
1331 | option of | ||
1332 | .Xr ssh 1 | ||
1333 | may be used to list supported key types. | ||
1334 | .It Cm PubkeyAuthentication | 1288 | .It Cm PubkeyAuthentication |
1335 | Specifies whether public key authentication is allowed. | 1289 | Specifies whether public key authentication is allowed. |
1336 | The default is | 1290 | The default is |
1337 | .Dq yes . | 1291 | .Cm yes . |
1338 | .It Cm RekeyLimit | 1292 | .It Cm RekeyLimit |
1339 | Specifies the maximum amount of data that may be transmitted before the | 1293 | Specifies the maximum amount of data that may be transmitted before the |
1340 | session key is renegotiated, optionally followed a maximum amount of | 1294 | session key is renegotiated, optionally followed a maximum amount of |
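Review bot: `.Qq ssh -Q key .` loses the `.Xr ssh 1` link that the removed ".Fl Q option of .Xr ssh 1" wording provided; `.Xr ssh 1 Fl Q key` keeps it. Separately, the unchanged context line "optionally followed a maximum amount of" is missing "by" ("optionally followed by a maximum amount of") and could be corrected in this commit.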
@@ -1357,12 +1311,12 @@ section. | |||
1357 | The default value for | 1311 | The default value for |
1358 | .Cm RekeyLimit | 1312 | .Cm RekeyLimit |
1359 | is | 1313 | is |
1360 | .Dq default none , | 1314 | .Cm default none , |
1361 | which means that rekeying is performed after the cipher's default amount | 1315 | which means that rekeying is performed after the cipher's default amount |
1362 | of data has been sent or received and no time based rekeying is done. | 1316 | of data has been sent or received and no time based rekeying is done. |
1363 | .It Cm RevokedKeys | 1317 | .It Cm RevokedKeys |
1364 | Specifies revoked public keys file, or | 1318 | Specifies revoked public keys file, or |
1365 | .Dq none | 1319 | .Cm none |
1366 | to not use one. | 1320 | to not use one. |
1367 | Keys listed in this file will be refused for public key authentication. | 1321 | Keys listed in this file will be refused for public key authentication. |
1368 | Note that if this file is not readable, then public key authentication will | 1322 | Note that if this file is not readable, then public key authentication will |
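Review bot: the unchanged context line "Specifies revoked public keys file, or" lacks an article and reads better as "Specifies a file of revoked public keys, or"; "no time based rekeying" should be hyphenated as "time-based". Both are in lines this hunk already shows, so they are cheap to fix here.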
@@ -1394,11 +1348,11 @@ will be unable to forward the port to the Unix-domain socket file. | |||
1394 | This option is only used for port forwarding to a Unix-domain socket file. | 1348 | This option is only used for port forwarding to a Unix-domain socket file. |
1395 | .Pp | 1349 | .Pp |
1396 | The argument must be | 1350 | The argument must be |
1397 | .Dq yes | 1351 | .Cm yes |
1398 | or | 1352 | or |
1399 | .Dq no . | 1353 | .Cm no . |
1400 | The default is | 1354 | The default is |
1401 | .Dq no . | 1355 | .Cm no . |
1402 | .It Cm StrictModes | 1356 | .It Cm StrictModes |
1403 | Specifies whether | 1357 | Specifies whether |
1404 | .Xr sshd 8 | 1358 | .Xr sshd 8 |
@@ -1407,7 +1361,7 @@ user's files and home directory before accepting login. | |||
1407 | This is normally desirable because novices sometimes accidentally leave their | 1361 | This is normally desirable because novices sometimes accidentally leave their |
1408 | directory or files world-writable. | 1362 | directory or files world-writable. |
1409 | The default is | 1363 | The default is |
1410 | .Dq yes . | 1364 | .Cm yes . |
1411 | Note that this does not apply to | 1365 | Note that this does not apply to |
1412 | .Cm ChrootDirectory , | 1366 | .Cm ChrootDirectory , |
1413 | whose permissions and ownership are checked unconditionally. | 1367 | whose permissions and ownership are checked unconditionally. |
@@ -1417,16 +1371,12 @@ Arguments should be a subsystem name and a command (with optional arguments) | |||
1417 | to execute upon subsystem request. | 1371 | to execute upon subsystem request. |
1418 | .Pp | 1372 | .Pp |
1419 | The command | 1373 | The command |
1420 | .Xr sftp-server 8 | 1374 | .Cm sftp-server |
1421 | implements the | 1375 | implements the SFTP file transfer subsystem. |
1422 | .Dq sftp | ||
1423 | file transfer subsystem. | ||
1424 | .Pp | 1376 | .Pp |
1425 | Alternately the name | 1377 | Alternately the name |
1426 | .Dq internal-sftp | 1378 | .Cm internal-sftp |
1427 | implements an in-process | 1379 | implements an in-process SFTP server. |
1428 | .Dq sftp | ||
1429 | server. | ||
1430 | This may simplify configurations using | 1380 | This may simplify configurations using |
1431 | .Cm ChrootDirectory | 1381 | .Cm ChrootDirectory |
1432 | to force a different filesystem root on clients. | 1382 | to force a different filesystem root on clients. |
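Review bot: replacing `.Xr sftp-server 8` with `.Cm sftp-server` removes the cross-reference at the place where the command is actually described, and `.Cm` is intended for command modifiers, not program names. The SEE ALSO addition of `.Xr sftp-server 8` in the last hunk keeps the page linked, but retaining `.Xr sftp-server 8` here too (followed by "implements the SFTP file transfer subsystem.") would serve readers looking up the Subsystem keyword directly.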
@@ -1448,21 +1398,21 @@ connections will die if the route is down temporarily, and some people | |||
1448 | find it annoying. | 1398 | find it annoying. |
1449 | On the other hand, if TCP keepalives are not sent, | 1399 | On the other hand, if TCP keepalives are not sent, |
1450 | sessions may hang indefinitely on the server, leaving | 1400 | sessions may hang indefinitely on the server, leaving |
1451 | .Dq ghost | 1401 | .Qq ghost |
1452 | users and consuming server resources. | 1402 | users and consuming server resources. |
1453 | .Pp | 1403 | .Pp |
1454 | The default is | 1404 | The default is |
1455 | .Dq yes | 1405 | .Cm yes |
1456 | (to send TCP keepalive messages), and the server will notice | 1406 | (to send TCP keepalive messages), and the server will notice |
1457 | if the network goes down or the client host crashes. | 1407 | if the network goes down or the client host crashes. |
1458 | This avoids infinitely hanging sessions. | 1408 | This avoids infinitely hanging sessions. |
1459 | .Pp | 1409 | .Pp |
1460 | To disable TCP keepalive messages, the value should be set to | 1410 | To disable TCP keepalive messages, the value should be set to |
1461 | .Dq no . | 1411 | .Cm no . |
1462 | .It Cm TrustedUserCAKeys | 1412 | .It Cm TrustedUserCAKeys |
1463 | Specifies a file containing public keys of certificate authorities that are | 1413 | Specifies a file containing public keys of certificate authorities that are |
1464 | trusted to sign user certificates for authentication, or | 1414 | trusted to sign user certificates for authentication, or |
1465 | .Dq none | 1415 | .Cm none |
1466 | to not use one. | 1416 | to not use one. |
1467 | Keys are listed one per line; empty lines and comments starting with | 1417 | Keys are listed one per line; empty lines and comments starting with |
1468 | .Ql # | 1418 | .Ql # |
@@ -1483,7 +1433,7 @@ the resolved host name for the remote IP address maps back to the | |||
1483 | very same IP address. | 1433 | very same IP address. |
1484 | .Pp | 1434 | .Pp |
1485 | If this option is set to | 1435 | If this option is set to |
1486 | .Dq no | 1436 | .Cm no |
1487 | (the default) then only addresses and not host names may be used in | 1437 | (the default) then only addresses and not host names may be used in |
1488 | .Pa ~/.ssh/authorized_keys | 1438 | .Pa ~/.ssh/authorized_keys |
1489 | .Cm from | 1439 | .Cm from |
@@ -1495,7 +1445,7 @@ directives. | |||
1495 | .It Cm UsePAM | 1445 | .It Cm UsePAM |
1496 | Enables the Pluggable Authentication Module interface. | 1446 | Enables the Pluggable Authentication Module interface. |
1497 | If set to | 1447 | If set to |
1498 | .Dq yes | 1448 | .Cm yes |
1499 | this will enable PAM authentication using | 1449 | this will enable PAM authentication using |
1500 | .Cm ChallengeResponseAuthentication | 1450 | .Cm ChallengeResponseAuthentication |
1501 | and | 1451 | and |
@@ -1515,7 +1465,7 @@ is enabled, you will not be able to run | |||
1515 | .Xr sshd 8 | 1465 | .Xr sshd 8 |
1516 | as a non-root user. | 1466 | as a non-root user. |
1517 | The default is | 1467 | The default is |
1518 | .Dq no . | 1468 | .Cm no . |
1519 | .It Cm UsePrivilegeSeparation | 1469 | .It Cm UsePrivilegeSeparation |
1520 | Specifies whether | 1470 | Specifies whether |
1521 | .Xr sshd 8 | 1471 | .Xr sshd 8 |
@@ -1526,23 +1476,23 @@ the privilege of the authenticated user. | |||
1526 | The goal of privilege separation is to prevent privilege | 1476 | The goal of privilege separation is to prevent privilege |
1527 | escalation by containing any corruption within the unprivileged processes. | 1477 | escalation by containing any corruption within the unprivileged processes. |
1528 | The argument must be | 1478 | The argument must be |
1529 | .Dq yes , | 1479 | .Cm yes , |
1530 | .Dq no , | 1480 | .Cm no , |
1531 | or | 1481 | or |
1532 | .Dq sandbox . | 1482 | .Cm sandbox . |
1533 | If | 1483 | If |
1534 | .Cm UsePrivilegeSeparation | 1484 | .Cm UsePrivilegeSeparation |
1535 | is set to | 1485 | is set to |
1536 | .Dq sandbox | 1486 | .Cm sandbox |
1537 | then the pre-authentication unprivileged process is subject to additional | 1487 | then the pre-authentication unprivileged process is subject to additional |
1538 | restrictions. | 1488 | restrictions. |
1539 | The default is | 1489 | The default is |
1540 | .Dq sandbox . | 1490 | .Cm sandbox . |
1541 | .It Cm VersionAddendum | 1491 | .It Cm VersionAddendum |
1542 | Optionally specifies additional text to append to the SSH protocol banner | 1492 | Optionally specifies additional text to append to the SSH protocol banner |
1543 | sent by the server upon connection. | 1493 | sent by the server upon connection. |
1544 | The default is | 1494 | The default is |
1545 | .Dq none . | 1495 | .Cm none . |
1546 | .It Cm X11DisplayOffset | 1496 | .It Cm X11DisplayOffset |
1547 | Specifies the first display number available for | 1497 | Specifies the first display number available for |
1548 | .Xr sshd 8 Ns 's | 1498 | .Xr sshd 8 Ns 's |
@@ -1552,18 +1502,18 @@ The default is 10. | |||
1552 | .It Cm X11Forwarding | 1502 | .It Cm X11Forwarding |
1553 | Specifies whether X11 forwarding is permitted. | 1503 | Specifies whether X11 forwarding is permitted. |
1554 | The argument must be | 1504 | The argument must be |
1555 | .Dq yes | 1505 | .Cm yes |
1556 | or | 1506 | or |
1557 | .Dq no . | 1507 | .Cm no . |
1558 | The default is | 1508 | The default is |
1559 | .Dq no . | 1509 | .Cm no . |
1560 | .Pp | 1510 | .Pp |
1561 | When X11 forwarding is enabled, there may be additional exposure to | 1511 | When X11 forwarding is enabled, there may be additional exposure to |
1562 | the server and to client displays if the | 1512 | the server and to client displays if the |
1563 | .Xr sshd 8 | 1513 | .Xr sshd 8 |
1564 | proxy display is configured to listen on the wildcard address (see | 1514 | proxy display is configured to listen on the wildcard address (see |
1565 | .Cm X11UseLocalhost | 1515 | .Cm X11UseLocalhost ) , |
1566 | below), though this is not the default. | 1516 | though this is not the default. |
1567 | Additionally, the authentication spoofing and authentication data | 1517 | Additionally, the authentication spoofing and authentication data |
1568 | verification and substitution occur on the client side. | 1518 | verification and substitution occur on the client side. |
1569 | The security risk of using X11 forwarding is that the client's X11 | 1519 | The security risk of using X11 forwarding is that the client's X11 |
@@ -1575,7 +1525,7 @@ in | |||
1575 | A system administrator may have a stance in which they want to | 1525 | A system administrator may have a stance in which they want to |
1576 | protect clients that may expose themselves to attack by unwittingly | 1526 | protect clients that may expose themselves to attack by unwittingly |
1577 | requesting X11 forwarding, which can warrant a | 1527 | requesting X11 forwarding, which can warrant a |
1578 | .Dq no | 1528 | .Cm no |
1579 | setting. | 1529 | setting. |
1580 | .Pp | 1530 | .Pp |
1581 | Note that disabling X11 forwarding does not prevent users from | 1531 | Note that disabling X11 forwarding does not prevent users from |
@@ -1590,26 +1540,26 @@ sshd binds the forwarding server to the loopback address and sets the | |||
1590 | hostname part of the | 1540 | hostname part of the |
1591 | .Ev DISPLAY | 1541 | .Ev DISPLAY |
1592 | environment variable to | 1542 | environment variable to |
1593 | .Dq localhost . | 1543 | .Cm localhost . |
1594 | This prevents remote hosts from connecting to the proxy display. | 1544 | This prevents remote hosts from connecting to the proxy display. |
1595 | However, some older X11 clients may not function with this | 1545 | However, some older X11 clients may not function with this |
1596 | configuration. | 1546 | configuration. |
1597 | .Cm X11UseLocalhost | 1547 | .Cm X11UseLocalhost |
1598 | may be set to | 1548 | may be set to |
1599 | .Dq no | 1549 | .Cm no |
1600 | to specify that the forwarding server should be bound to the wildcard | 1550 | to specify that the forwarding server should be bound to the wildcard |
1601 | address. | 1551 | address. |
1602 | The argument must be | 1552 | The argument must be |
1603 | .Dq yes | 1553 | .Cm yes |
1604 | or | 1554 | or |
1605 | .Dq no . | 1555 | .Cm no . |
1606 | The default is | 1556 | The default is |
1607 | .Dq yes . | 1557 | .Cm yes . |
1608 | .It Cm XAuthLocation | 1558 | .It Cm XAuthLocation |
1609 | Specifies the full pathname of the | 1559 | Specifies the full pathname of the |
1610 | .Xr xauth 1 | 1560 | .Xr xauth 1 |
1611 | program, or | 1561 | program, or |
1612 | .Dq none | 1562 | .Cm none |
1613 | to not use one. | 1563 | to not use one. |
1614 | The default is | 1564 | The default is |
1615 | .Pa /usr/X11R6/bin/xauth . | 1565 | .Pa /usr/X11R6/bin/xauth . |
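Review bot: `.Cm localhost .` tags the string assigned to the hostname part of `DISPLAY`, which is not an sshd_config keyword or option argument; `.Li localhost` (or `.Ql localhost`) describes a literal value more accurately and avoids suggesting it is an option value like the `.Cm yes` / `.Cm no` a few lines below.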
@@ -1708,15 +1658,22 @@ This file should be writable by root only, but it is recommended | |||
1708 | (though not necessary) that it be world-readable. | 1658 | (though not necessary) that it be world-readable. |
1709 | .El | 1659 | .El |
1710 | .Sh SEE ALSO | 1660 | .Sh SEE ALSO |
1661 | .Xr sftp-server 8 , | ||
1711 | .Xr sshd 8 | 1662 | .Xr sshd 8 |
1712 | .Sh AUTHORS | 1663 | .Sh AUTHORS |
1664 | .An -nosplit | ||
1713 | OpenSSH is a derivative of the original and free | 1665 | OpenSSH is a derivative of the original and free |
1714 | ssh 1.2.12 release by Tatu Ylonen. | 1666 | ssh 1.2.12 release by |
1715 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, | 1667 | .An Tatu Ylonen . |
1716 | Theo de Raadt and Dug Song | 1668 | .An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos , |
1669 | .An Theo de Raadt | ||
1670 | and | ||
1671 | .An Dug Song | ||
1717 | removed many bugs, re-added newer features and | 1672 | removed many bugs, re-added newer features and |
1718 | created OpenSSH. | 1673 | created OpenSSH. |
1719 | Markus Friedl contributed the support for SSH | 1674 | .An Markus Friedl |
1720 | protocol versions 1.5 and 2.0. | 1675 | contributed the support for SSH protocol versions 1.5 and 2.0. |
1721 | Niels Provos and Markus Friedl contributed support | 1676 | .An Niels Provos |
1722 | for privilege separation. | 1677 | and |
1678 | .An Markus Friedl | ||
1679 | contributed support for privilege separation. | ||
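Review bot: `.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,` places four authors on a single `.An` macro, whereas the lines that follow use one `.An` per person (`.An Theo de Raadt`, `.An Dug Song`). Splitting the first line into one `.An` per name keeps the author markup uniform, which is the point of the `.An -nosplit` this hunk introduces.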