| author | Colin Watson <cjwatson@debian.org> | 2015-11-29 17:18:35 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2015-11-29 17:32:50 +0000 |
| commit | 0b372585c0026f78676f1414510ec9f87a383803 (patch) | |
| tree | a3fa6b329a8a5e9841b526f30332d21fc110118a /sshd_config.5 | |
| parent | 24ffa45372888d206f21e1864e3911024c6d5e62 (diff) | |
| parent | 6d0faf6dc76ac8cc73d6f8e478db7c97f7013a2d (diff) | |
New upstream release (7.0p1).
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 106 |
1 files changed, 91 insertions, 15 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index eb6bff85f..92c23bc46 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.204 2015/06/05 03:44:14 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $ |
37 | .Dd $Mdocdate: June 5 2015 $ | 37 | .Dd $Mdocdate: August 6 2015 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -458,6 +458,11 @@ The default is not to | |||
458 | .It Cm Ciphers | 458 | .It Cm Ciphers |
459 | Specifies the ciphers allowed for protocol version 2. | 459 | Specifies the ciphers allowed for protocol version 2. |
460 | Multiple ciphers must be comma-separated. | 460 | Multiple ciphers must be comma-separated. |
461 | If the specified value begins with a | ||
462 | .Sq + | ||
463 | character, then the specified ciphers will be appended to the default set | ||
464 | instead of replacing them. | ||
465 | .Pp | ||
461 | The supported ciphers are: | 466 | The supported ciphers are: |
462 | .Pp | 467 | .Pp |
463 | .Bl -item -compact -offset indent | 468 | .Bl -item -compact -offset indent |
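Review bot: the sentence added to Ciphers ("If the specified value begins with a + character ...") is phrased differently from the equivalent sentences this patch adds to KexAlgorithms, HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes ("Alternately if the specified value begins with a ..."); the same feature should be described with one wording across all entries so readers can grep for it. "Default set" is also ambiguous for this option: say whether the appended ciphers are added at the end of the server's preference order, since order is what the server uses when negotiating.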
@@ -680,9 +685,21 @@ or updated credentials from a compatible client. The default is | |||
680 | .It Cm HostbasedAcceptedKeyTypes | 685 | .It Cm HostbasedAcceptedKeyTypes |
681 | Specifies the key types that will be accepted for hostbased authentication | 686 | Specifies the key types that will be accepted for hostbased authentication |
682 | as a comma-separated pattern list. | 687 | as a comma-separated pattern list. |
683 | The default | 688 | Alternately if the specified value begins with a |
684 | .Dq * | 689 | .Sq + |
685 | will allow all key types. | 690 | character, then the specified key types will be appended to the default set |
691 | instead of replacing them. | ||
692 | The default for this option is: | ||
693 | .Bd -literal -offset 3n | ||
694 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
695 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
696 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
697 | ssh-ed25519-cert-v01@openssh.com, | ||
698 | ssh-rsa-cert-v01@openssh.com, | ||
699 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
700 | ssh-ed25519,ssh-rsa | ||
701 | .Ed | ||
702 | .Pp | ||
686 | The | 703 | The |
687 | .Fl Q | 704 | .Fl Q |
688 | option of | 705 | option of |
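Review bot: "Alternately if the specified value" needs a comma after "Alternately", and the explicit default list is a verbatim copy of the one this patch adds under HostKeyAlgorithms and PubkeyAcceptedKeyTypes; three identical blocks will drift apart on the next key type change, so either cross-reference one definition or note that the three defaults are intended to be the same. The entry should also say what the old "*" default did that the new list does not: types outside the list are now refused for hostbased authentication.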
@@ -734,9 +751,15 @@ for protocol version 1, and | |||
734 | and | 751 | and |
735 | .Pa /etc/ssh/ssh_host_rsa_key | 752 | .Pa /etc/ssh/ssh_host_rsa_key |
736 | for protocol version 2. | 753 | for protocol version 2. |
754 | .Pp | ||
737 | Note that | 755 | Note that |
738 | .Xr sshd 8 | 756 | .Xr sshd 8 |
739 | will refuse to use a file if it is group/world-accessible. | 757 | will refuse to use a file if it is group/world-accessible |
758 | and that the | ||
759 | .Cm HostKeyAlgorithms | ||
760 | option restricts which of the keys are actually used by | ||
761 | .Xr sshd 8 . | ||
762 | .Pp | ||
740 | It is possible to have multiple host key files. | 763 | It is possible to have multiple host key files. |
741 | .Dq rsa1 | 764 | .Dq rsa1 |
742 | keys are used for version 1 and | 765 | keys are used for version 1 and |
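Review bot: "restricts which of the keys are actually used by sshd(8)" is vaguer than it needs to be; the HostKeyAlgorithms entry added in this same patch talks about the algorithms "that the server offers", so say here that a loaded host key whose type is not in HostKeyAlgorithms is never offered to clients. That is the operational consequence an administrator needs when a configured HostKey silently stops being presented.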
@@ -758,6 +781,26 @@ If | |||
758 | is specified, the location of the socket will be read from the | 781 | is specified, the location of the socket will be read from the |
759 | .Ev SSH_AUTH_SOCK | 782 | .Ev SSH_AUTH_SOCK |
760 | environment variable. | 783 | environment variable. |
784 | .It Cm HostKeyAlgorithms | ||
785 | Specifies the protocol version 2 host key algorithms | ||
786 | that the server offers. | ||
787 | The default for this option is: | ||
788 | .Bd -literal -offset 3n | ||
789 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
790 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
791 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
792 | ssh-ed25519-cert-v01@openssh.com, | ||
793 | ssh-rsa-cert-v01@openssh.com, | ||
794 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
795 | ssh-ed25519,ssh-rsa | ||
796 | .Ed | ||
797 | .Pp | ||
798 | The list of available key types may also be obtained using the | ||
799 | .Fl Q | ||
800 | option of | ||
801 | .Xr ssh 1 | ||
802 | with an argument of | ||
803 | .Dq key . | ||
761 | .It Cm IgnoreRhosts | 804 | .It Cm IgnoreRhosts |
762 | Specifies that | 805 | Specifies that |
763 | .Pa .rhosts | 806 | .Pa .rhosts |
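Review bot: the new HostKeyAlgorithms entry does not say whether it accepts the "+" prefix that this patch documents for Ciphers, MACs, KexAlgorithms and both *AcceptedKeyTypes options; either document it or state that the value must be a complete list, otherwise readers will assume the prefix works everywhere. It would also help to point out that the default order is the server's offering preference, so putting an algorithm first in this list (for example to prefer ed25519 over RSA) is how to change what clients see first.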
@@ -861,6 +904,10 @@ The default is | |||
861 | .It Cm KexAlgorithms | 904 | .It Cm KexAlgorithms |
862 | Specifies the available KEX (Key Exchange) algorithms. | 905 | Specifies the available KEX (Key Exchange) algorithms. |
863 | Multiple algorithms must be comma-separated. | 906 | Multiple algorithms must be comma-separated. |
907 | Alternately if the specified value begins with a | ||
908 | .Sq + | ||
909 | character, then the specified methods will be appended to the default set | ||
910 | instead of replacing them. | ||
864 | The supported algorithms are: | 911 | The supported algorithms are: |
865 | .Pp | 912 | .Pp |
866 | .Bl -item -compact -offset indent | 913 | .Bl -item -compact -offset indent |
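Review bot: unlike the Ciphers and MACs hunks in this patch, this one does not insert a ".Pp" between the new "+" sentence and "The supported algorithms are:", so the two run together in the rendered page; add the paragraph break for consistency. The sentence also says "the specified methods will be appended" where the rest of the entry says "algorithms", and "Alternately if" wants a comma.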
@@ -959,6 +1006,11 @@ Specifies the available MAC (message authentication code) algorithms. | |||
959 | The MAC algorithm is used in protocol version 2 | 1006 | The MAC algorithm is used in protocol version 2 |
960 | for data integrity protection. | 1007 | for data integrity protection. |
961 | Multiple algorithms must be comma-separated. | 1008 | Multiple algorithms must be comma-separated. |
1009 | If the specified value begins with a | ||
1010 | .Sq + | ||
1011 | character, then the specified algorithms will be appended to the default set | ||
1012 | instead of replacing them. | ||
1013 | .Pp | ||
962 | The algorithms that contain | 1014 | The algorithms that contain |
963 | .Dq -etm | 1015 | .Dq -etm |
964 | calculate the MAC after encryption (encrypt-then-mac). | 1016 | calculate the MAC after encryption (encrypt-then-mac). |
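Review bot: the "+" form is documented only as appending to the default set; it should state explicitly that it cannot remove anything from the defaults, so an administrator who wants to drop a MAC (for instance the non-etm or truncated variants listed further down) still has to write out the full list. Without that sentence the prefix reads as a general editing mechanism, which it is not.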
@@ -1192,16 +1244,19 @@ Specifies whether root can log in using | |||
1192 | .Xr ssh 1 . | 1244 | .Xr ssh 1 . |
1193 | The argument must be | 1245 | The argument must be |
1194 | .Dq yes , | 1246 | .Dq yes , |
1247 | .Dq prohibit-password , | ||
1195 | .Dq without-password , | 1248 | .Dq without-password , |
1196 | .Dq forced-commands-only , | 1249 | .Dq forced-commands-only , |
1197 | or | 1250 | or |
1198 | .Dq no . | 1251 | .Dq no . |
1199 | The default is | 1252 | The default is |
1200 | .Dq no . | 1253 | .Dq prohibit-password . |
1201 | .Pp | 1254 | .Pp |
1202 | If this option is set to | 1255 | If this option is set to |
1256 | .Dq prohibit-password | ||
1257 | or | ||
1203 | .Dq without-password , | 1258 | .Dq without-password , |
1204 | password authentication is disabled for root. | 1259 | password and keyboard-interactive authentication are disabled for root. |
1205 | .Pp | 1260 | .Pp |
1206 | If this option is set to | 1261 | If this option is set to |
1207 | .Dq forced-commands-only , | 1262 | .Dq forced-commands-only , |
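Review bot: the default documented here changes from "no" to "prohibit-password", which means root may now log in with a public key on a server that takes the documented default, where this page previously said root login was refused; since this is a merge of a new upstream release, the shipped sshd_config and any distribution-specific default should be checked against this text, and the change deserves a sentence in the entry itself. Separately, "prohibit-password" and "without-password" are listed as distinct values but the following paragraph treats them identically; say which is the preferred spelling and that the other is kept for compatibility.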
@@ -1319,9 +1374,21 @@ is identical to | |||
1319 | .It Cm PubkeyAcceptedKeyTypes | 1374 | .It Cm PubkeyAcceptedKeyTypes |
1320 | Specifies the key types that will be accepted for public key authentication | 1375 | Specifies the key types that will be accepted for public key authentication |
1321 | as a comma-separated pattern list. | 1376 | as a comma-separated pattern list. |
1322 | The default | 1377 | Alternately if the specified value begins with a |
1323 | .Dq * | 1378 | .Sq + |
1324 | will allow all key types. | 1379 | character, then the specified key types will be appended to the default set |
1380 | instead of replacing them. | ||
1381 | The default for this option is: | ||
1382 | .Bd -literal -offset 3n | ||
1383 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
1384 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
1385 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
1386 | ssh-ed25519-cert-v01@openssh.com, | ||
1387 | ssh-rsa-cert-v01@openssh.com, | ||
1388 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
1389 | ssh-ed25519,ssh-rsa | ||
1390 | .Ed | ||
1391 | .Pp | ||
1325 | The | 1392 | The |
1326 | .Fl Q | 1393 | .Fl Q |
1327 | option of | 1394 | option of |
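Review bot: dropping the "*" default is a behaviour change users will hit directly: a key of a type absent from the new list (ssh-dss is not in it) will be refused for public key authentication after this release with no change to the user's files. The entry should say so, and point out that the "+" form documented two sentences earlier is the supported way to re-admit such a type rather than replacing the whole default list, which would silently drop the certificate types too. "Alternately if" also needs a comma.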
@@ -1383,7 +1450,7 @@ The default is | |||
1383 | This option applies to protocol version 1 only. | 1450 | This option applies to protocol version 1 only. |
1384 | .It Cm ServerKeyBits | 1451 | .It Cm ServerKeyBits |
1385 | Defines the number of bits in the ephemeral protocol version 1 server key. | 1452 | Defines the number of bits in the ephemeral protocol version 1 server key. |
1386 | The minimum value is 512, and the default is 1024. | 1453 | The default and minimum value is 1024. |
1387 | .It Cm StreamLocalBindMask | 1454 | .It Cm StreamLocalBindMask |
1388 | Sets the octal file creation mode mask | 1455 | Sets the octal file creation mode mask |
1389 | .Pq umask | 1456 | .Pq umask |
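Review bot: raising the minimum ServerKeyBits from 512 to 1024 is a behaviour change for existing configurations, and the new sentence does not say what happens to a config that still sets a smaller value (rejected at startup, or silently rounded up to 1024); state it, because a rejected configuration keeps sshd from starting on the next restart, which is a worse failure than a weak protocol 1 key.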
@@ -1494,11 +1561,20 @@ For more details on certificates, see the CERTIFICATES section in | |||
1494 | .It Cm UseDNS | 1561 | .It Cm UseDNS |
1495 | Specifies whether | 1562 | Specifies whether |
1496 | .Xr sshd 8 | 1563 | .Xr sshd 8 |
1497 | should look up the remote host name and check that | 1564 | should look up the remote host name, and to check that |
1498 | the resolved host name for the remote IP address maps back to the | 1565 | the resolved host name for the remote IP address maps back to the |
1499 | very same IP address. | 1566 | very same IP address. |
1500 | The default is | 1567 | .Pp |
1501 | .Dq no . | 1568 | If this option is set to |
1569 | .Dq no | ||
1570 | (the default) then only addresses and not host names may be used in | ||
1571 | .Pa ~/.ssh/known_hosts | ||
1572 | .Cm from | ||
1573 | and | ||
1574 | .Xr sshd_config 5 | ||
1575 | .Cm Match | ||
1576 | .Cm Host | ||
1577 | directives. | ||
1502 | .It Cm UseLogin | 1578 | .It Cm UseLogin |
1503 | Specifies whether | 1579 | Specifies whether |
1504 | .Xr login 1 | 1580 | .Xr login 1 |
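Review bot: "should look up the remote host name, and to check that" is ungrammatical; the previous wording "should look up the remote host name and check that" was correct and should be restored. More importantly, "from" is an option on authorized_keys entries, not on known_hosts (which has no from directive), so ".Pa ~/.ssh/known_hosts" looks like it should read ".Pa ~/.ssh/authorized_keys". The ".Xr sshd_config 5" cross-reference also points at this very page and can simply say "the".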