summaryrefslogtreecommitdiff
path: root/sshd_config.5
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2015-11-29 17:18:35 +0000
committerColin Watson <cjwatson@debian.org>2015-11-29 17:32:50 +0000
commit0b372585c0026f78676f1414510ec9f87a383803 (patch)
treea3fa6b329a8a5e9841b526f30332d21fc110118a /sshd_config.5
parent24ffa45372888d206f21e1864e3911024c6d5e62 (diff)
parent6d0faf6dc76ac8cc73d6f8e478db7c97f7013a2d (diff)
New upstream release (7.0p1).
Diffstat (limited to 'sshd_config.5')
-rw-r--r--sshd_config.5106
1 files changed, 91 insertions, 15 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index eb6bff85f..92c23bc46 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.204 2015/06/05 03:44:14 djm Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $
37.Dd $Mdocdate: June 5 2015 $ 37.Dd $Mdocdate: August 6 2015 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -458,6 +458,11 @@ The default is not to
458.It Cm Ciphers 458.It Cm Ciphers
459Specifies the ciphers allowed for protocol version 2. 459Specifies the ciphers allowed for protocol version 2.
460Multiple ciphers must be comma-separated. 460Multiple ciphers must be comma-separated.
461If the specified value begins with a
462.Sq +
463character, then the specified ciphers will be appended to the default set
464instead of replacing them.
465.Pp
461The supported ciphers are: 466The supported ciphers are:
462.Pp 467.Pp
463.Bl -item -compact -offset indent 468.Bl -item -compact -offset indent
@@ -680,9 +685,21 @@ or updated credentials from a compatible client. The default is
680.It Cm HostbasedAcceptedKeyTypes 685.It Cm HostbasedAcceptedKeyTypes
681Specifies the key types that will be accepted for hostbased authentication 686Specifies the key types that will be accepted for hostbased authentication
682as a comma-separated pattern list. 687as a comma-separated pattern list.
683The default 688Alternately if the specified value begins with a
684.Dq * 689.Sq +
685will allow all key types. 690character, then the specified key types will be appended to the default set
691instead of replacing them.
692The default for this option is:
693.Bd -literal -offset 3n
694ecdsa-sha2-nistp256-cert-v01@openssh.com,
695ecdsa-sha2-nistp384-cert-v01@openssh.com,
696ecdsa-sha2-nistp521-cert-v01@openssh.com,
697ssh-ed25519-cert-v01@openssh.com,
698ssh-rsa-cert-v01@openssh.com,
699ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
700ssh-ed25519,ssh-rsa
701.Ed
702.Pp
686The 703The
687.Fl Q 704.Fl Q
688option of 705option of
@@ -734,9 +751,15 @@ for protocol version 1, and
734and 751and
735.Pa /etc/ssh/ssh_host_rsa_key 752.Pa /etc/ssh/ssh_host_rsa_key
736for protocol version 2. 753for protocol version 2.
754.Pp
737Note that 755Note that
738.Xr sshd 8 756.Xr sshd 8
739will refuse to use a file if it is group/world-accessible. 757will refuse to use a file if it is group/world-accessible
758and that the
759.Cm HostKeyAlgorithms
760option restricts which of the keys are actually used by
761.Xr sshd 8 .
762.Pp
740It is possible to have multiple host key files. 763It is possible to have multiple host key files.
741.Dq rsa1 764.Dq rsa1
742keys are used for version 1 and 765keys are used for version 1 and
@@ -758,6 +781,26 @@ If
758is specified, the location of the socket will be read from the 781is specified, the location of the socket will be read from the
759.Ev SSH_AUTH_SOCK 782.Ev SSH_AUTH_SOCK
760environment variable. 783environment variable.
784.It Cm HostKeyAlgorithms
785Specifies the protocol version 2 host key algorithms
786that the server offers.
787The default for this option is:
788.Bd -literal -offset 3n
789ecdsa-sha2-nistp256-cert-v01@openssh.com,
790ecdsa-sha2-nistp384-cert-v01@openssh.com,
791ecdsa-sha2-nistp521-cert-v01@openssh.com,
792ssh-ed25519-cert-v01@openssh.com,
793ssh-rsa-cert-v01@openssh.com,
794ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
795ssh-ed25519,ssh-rsa
796.Ed
797.Pp
798The list of available key types may also be obtained using the
799.Fl Q
800option of
801.Xr ssh 1
802with an argument of
803.Dq key .
761.It Cm IgnoreRhosts 804.It Cm IgnoreRhosts
762Specifies that 805Specifies that
763.Pa .rhosts 806.Pa .rhosts
@@ -861,6 +904,10 @@ The default is
861.It Cm KexAlgorithms 904.It Cm KexAlgorithms
862Specifies the available KEX (Key Exchange) algorithms. 905Specifies the available KEX (Key Exchange) algorithms.
863Multiple algorithms must be comma-separated. 906Multiple algorithms must be comma-separated.
907Alternately if the specified value begins with a
908.Sq +
909character, then the specified methods will be appended to the default set
910instead of replacing them.
864The supported algorithms are: 911The supported algorithms are:
865.Pp 912.Pp
866.Bl -item -compact -offset indent 913.Bl -item -compact -offset indent
@@ -959,6 +1006,11 @@ Specifies the available MAC (message authentication code) algorithms.
959The MAC algorithm is used in protocol version 2 1006The MAC algorithm is used in protocol version 2
960for data integrity protection. 1007for data integrity protection.
961Multiple algorithms must be comma-separated. 1008Multiple algorithms must be comma-separated.
1009If the specified value begins with a
1010.Sq +
1011character, then the specified algorithms will be appended to the default set
1012instead of replacing them.
1013.Pp
962The algorithms that contain 1014The algorithms that contain
963.Dq -etm 1015.Dq -etm
964calculate the MAC after encryption (encrypt-then-mac). 1016calculate the MAC after encryption (encrypt-then-mac).
@@ -1192,16 +1244,19 @@ Specifies whether root can log in using
1192.Xr ssh 1 . 1244.Xr ssh 1 .
1193The argument must be 1245The argument must be
1194.Dq yes , 1246.Dq yes ,
1247.Dq prohibit-password ,
1195.Dq without-password , 1248.Dq without-password ,
1196.Dq forced-commands-only , 1249.Dq forced-commands-only ,
1197or 1250or
1198.Dq no . 1251.Dq no .
1199The default is 1252The default is
1200.Dq no . 1253.Dq prohibit-password .
1201.Pp 1254.Pp
1202If this option is set to 1255If this option is set to
1256.Dq prohibit-password
1257or
1203.Dq without-password , 1258.Dq without-password ,
1204password authentication is disabled for root. 1259password and keyboard-interactive authentication are disabled for root.
1205.Pp 1260.Pp
1206If this option is set to 1261If this option is set to
1207.Dq forced-commands-only , 1262.Dq forced-commands-only ,
@@ -1319,9 +1374,21 @@ is identical to
1319.It Cm PubkeyAcceptedKeyTypes 1374.It Cm PubkeyAcceptedKeyTypes
1320Specifies the key types that will be accepted for public key authentication 1375Specifies the key types that will be accepted for public key authentication
1321as a comma-separated pattern list. 1376as a comma-separated pattern list.
1322The default 1377Alternately if the specified value begins with a
1323.Dq * 1378.Sq +
1324will allow all key types. 1379character, then the specified key types will be appended to the default set
1380instead of replacing them.
1381The default for this option is:
1382.Bd -literal -offset 3n
1383ecdsa-sha2-nistp256-cert-v01@openssh.com,
1384ecdsa-sha2-nistp384-cert-v01@openssh.com,
1385ecdsa-sha2-nistp521-cert-v01@openssh.com,
1386ssh-ed25519-cert-v01@openssh.com,
1387ssh-rsa-cert-v01@openssh.com,
1388ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1389ssh-ed25519,ssh-rsa
1390.Ed
1391.Pp
1325The 1392The
1326.Fl Q 1393.Fl Q
1327option of 1394option of
@@ -1383,7 +1450,7 @@ The default is
1383This option applies to protocol version 1 only. 1450This option applies to protocol version 1 only.
1384.It Cm ServerKeyBits 1451.It Cm ServerKeyBits
1385Defines the number of bits in the ephemeral protocol version 1 server key. 1452Defines the number of bits in the ephemeral protocol version 1 server key.
1386The minimum value is 512, and the default is 1024. 1453The default and minimum value is 1024.
1387.It Cm StreamLocalBindMask 1454.It Cm StreamLocalBindMask
1388Sets the octal file creation mode mask 1455Sets the octal file creation mode mask
1389.Pq umask 1456.Pq umask
@@ -1494,11 +1561,20 @@ For more details on certificates, see the CERTIFICATES section in
1494.It Cm UseDNS 1561.It Cm UseDNS
1495Specifies whether 1562Specifies whether
1496.Xr sshd 8 1563.Xr sshd 8
1497should look up the remote host name and check that 1564should look up the remote host name, and to check that
1498the resolved host name for the remote IP address maps back to the 1565the resolved host name for the remote IP address maps back to the
1499very same IP address. 1566very same IP address.
1500The default is 1567.Pp
1501.Dq no . 1568If this option is set to
1569.Dq no
1570(the default) then only addresses and not host names may be used in
1571.Pa ~/.ssh/known_hosts
1572.Cm from
1573and
1574.Xr sshd_config 5
1575.Cm Match
1576.Cm Host
1577directives.
1502.It Cm UseLogin 1578.It Cm UseLogin
1503Specifies whether 1579Specifies whether
1504.Xr login 1 1580.Xr login 1