| field | value | date |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2020-02-21 11:57:14 +0000 |
| committer | Colin Watson <cjwatson@debian.org> | 2020-02-21 14:27:02 +0000 |
| commit | 886e47e745586c34e81cfd5c5fb9b5dbc8e84d04 (patch) | |
| tree | dd6c3b4dc64a17c520af7aaf213163f8a0a63e56 /sshd_config.5 | |
| parent | ac2b4c0697fcac554041ab95f81736887eadf6ec (diff) | |
| parent | a2dabf35ce0228c86a288d11cc847a9d9801604f (diff) | |
New upstream release (8.2p1)
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 121 |
1 files changed, 87 insertions, 34 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index ba533af9e..fd205e418 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,13 +33,13 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.307 2020/02/07 03:54:44 dtucker Exp $ |
37 | .Dd $Mdocdate: September 6 2019 $ | 37 | .Dd $Mdocdate: February 7 2020 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
41 | .Nm sshd_config | 41 | .Nm sshd_config |
42 | .Nd OpenSSH SSH daemon configuration file | 42 | .Nd OpenSSH daemon configuration file |
43 | .Sh DESCRIPTION | 43 | .Sh DESCRIPTION |
44 | .Xr sshd 8 | 44 | .Xr sshd 8 |
45 | reads configuration data from | 45 | reads configuration data from |
@@ -135,11 +135,8 @@ If specified, login is allowed only for users whose primary | |||
135 | group or supplementary group list matches one of the patterns. | 135 | group or supplementary group list matches one of the patterns. |
136 | Only group names are valid; a numerical group ID is not recognized. | 136 | Only group names are valid; a numerical group ID is not recognized. |
137 | By default, login is allowed for all groups. | 137 | By default, login is allowed for all groups. |
138 | The allow/deny directives are processed in the following order: | 138 | The allow/deny groups directives are processed in the following order: |
139 | .Cm DenyUsers , | ||
140 | .Cm AllowUsers , | ||
141 | .Cm DenyGroups , | 139 | .Cm DenyGroups , |
142 | and finally | ||
143 | .Cm AllowGroups . | 140 | .Cm AllowGroups . |
144 | .Pp | 141 | .Pp |
145 | See PATTERNS in | 142 | See PATTERNS in |
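Review bot: the removed lines (DenyUsers, AllowUsers, then DenyGroups, AllowGroups) were the only statement of how the user and group directive families relate; the replacement orders only DenyGroups against AllowGroups, and the AllowUsers paragraph in the next hunk is trimmed the same way, so a reader of this section no longer learns whether a DenyUsers match short-circuits the group checks. If the relative order is unchanged, keep one sentence such as "DenyUsers and AllowUsers are evaluated before the group directives", or cross-reference the section that states it.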
@@ -195,12 +192,9 @@ are separately checked, restricting logins to particular | |||
195 | users from particular hosts. | 192 | users from particular hosts. |
196 | HOST criteria may additionally contain addresses to match in CIDR | 193 | HOST criteria may additionally contain addresses to match in CIDR |
197 | address/masklen format. | 194 | address/masklen format. |
198 | The allow/deny directives are processed in the following order: | 195 | The allow/deny users directives are processed in the following order: |
199 | .Cm DenyUsers , | 196 | .Cm DenyUsers , |
200 | .Cm AllowUsers , | 197 | .Cm AllowUsers . |
201 | .Cm DenyGroups , | ||
202 | and finally | ||
203 | .Cm AllowGroups . | ||
204 | .Pp | 198 | .Pp |
205 | See PATTERNS in | 199 | See PATTERNS in |
206 | .Xr ssh_config 5 | 200 | .Xr ssh_config 5 |
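Review bot: `.Cm DenyUsers ,` followed by `.Cm AllowUsers .` renders as "DenyUsers, AllowUsers.", a two-item enumeration with no conjunction now that "and finally" is gone; the groups hunk has the same shape. "DenyUsers, then AllowUsers" (or keeping "and") reads as the ordering the sentence announces rather than a bare list.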
@@ -546,6 +540,9 @@ is set to 15, and | |||
546 | .Cm ClientAliveCountMax | 540 | .Cm ClientAliveCountMax |
547 | is left at the default, unresponsive SSH clients | 541 | is left at the default, unresponsive SSH clients |
548 | will be disconnected after approximately 45 seconds. | 542 | will be disconnected after approximately 45 seconds. |
543 | Setting a zero | ||
544 | .Cm ClientAliveCountMax | ||
545 | disables connection termination. | ||
549 | .It Cm ClientAliveInterval | 546 | .It Cm ClientAliveInterval |
550 | Sets a timeout interval in seconds after which if no data has been received | 547 | Sets a timeout interval in seconds after which if no data has been received |
551 | from the client, | 548 | from the client, |
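Review bot: "disables connection termination" should spell out the operational consequence: with ClientAliveCountMax set to 0 an unresponsive client is never disconnected by the keepalive mechanism, so sessions of crashed or vanished clients persist until the TCP connection itself fails, and the "approximately 45 seconds" bound in the preceding sentence no longer applies. Suggest "Setting ClientAliveCountMax to 0 disables this disconnection entirely; unresponsive clients are then never terminated by sshd", and state whether client alive messages are still sent in that case.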
@@ -578,11 +575,8 @@ Login is disallowed for users whose primary group or supplementary | |||
578 | group list matches one of the patterns. | 575 | group list matches one of the patterns. |
579 | Only group names are valid; a numerical group ID is not recognized. | 576 | Only group names are valid; a numerical group ID is not recognized. |
580 | By default, login is allowed for all groups. | 577 | By default, login is allowed for all groups. |
581 | The allow/deny directives are processed in the following order: | 578 | The allow/deny groups directives are processed in the following order: |
582 | .Cm DenyUsers , | ||
583 | .Cm AllowUsers , | ||
584 | .Cm DenyGroups , | 579 | .Cm DenyGroups , |
585 | and finally | ||
586 | .Cm AllowGroups . | 580 | .Cm AllowGroups . |
587 | .Pp | 581 | .Pp |
588 | See PATTERNS in | 582 | See PATTERNS in |
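Review bot: this DenyGroups paragraph is a verbatim copy of the AllowGroups one edited above (same lines removed, same two-item list without a conjunction), so the dropped statement that the user directives are processed first is lost here as well. If the text must be duplicated rather than cross-referenced, both copies need the same follow-up wording.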
@@ -599,12 +593,9 @@ are separately checked, restricting logins to particular | |||
599 | users from particular hosts. | 593 | users from particular hosts. |
600 | HOST criteria may additionally contain addresses to match in CIDR | 594 | HOST criteria may additionally contain addresses to match in CIDR |
601 | address/masklen format. | 595 | address/masklen format. |
602 | The allow/deny directives are processed in the following order: | 596 | The allow/deny users directives are processed in the following order: |
603 | .Cm DenyUsers , | 597 | .Cm DenyUsers , |
604 | .Cm AllowUsers , | 598 | .Cm AllowUsers . |
605 | .Cm DenyGroups , | ||
606 | and finally | ||
607 | .Cm AllowGroups . | ||
608 | .Pp | 599 | .Pp |
609 | See PATTERNS in | 600 | See PATTERNS in |
610 | .Xr ssh_config 5 | 601 | .Xr ssh_config 5 |
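Review bot: same remark as for the AllowUsers hunk: "DenyUsers, AllowUsers." reads as a list rather than an order; "DenyUsers, then AllowUsers" is clearer, and this copy should stay in sync with the AllowUsers paragraph.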
@@ -745,15 +736,20 @@ The default for this option is: | |||
745 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 736 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
746 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 737 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
747 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 738 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
739 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
748 | ssh-ed25519-cert-v01@openssh.com, | 740 | ssh-ed25519-cert-v01@openssh.com, |
749 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | 741 | sk-ssh-ed25519-cert-v01@openssh.com, |
742 | rsa-sha2-512-cert-v01@openssh.com, | ||
743 | rsa-sha2-256-cert-v01@openssh.com, | ||
750 | ssh-rsa-cert-v01@openssh.com, | 744 | ssh-rsa-cert-v01@openssh.com, |
751 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 745 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
752 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 746 | sk-ecdsa-sha2-nistp256@openssh.com, |
747 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
748 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
753 | .Ed | 749 | .Ed |
754 | .Pp | 750 | .Pp |
755 | The list of available key types may also be obtained using | 751 | The list of available key types may also be obtained using |
756 | .Qq ssh -Q key . | 752 | .Qq ssh -Q HostbasedAcceptedKeyTypes . |
757 | .It Cm HostbasedAuthentication | 753 | .It Cm HostbasedAuthentication |
758 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 754 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
759 | with successful public key client host authentication is allowed | 755 | with successful public key client host authentication is allowed |
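Review bot: `ssh -Q HostbasedAcceptedKeyTypes` replaces `ssh -Q key` without saying that querying by configuration keyword is new in this release; on a host whose ssh(1) predates it the command fails, while the previous `ssh -Q key` still works everywhere. Suggest keeping the older form as an alternative, or noting that the keyword form needs the matching ssh(1).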
@@ -823,15 +819,20 @@ The default for this option is: | |||
823 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 819 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
824 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 820 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
825 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 821 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
822 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
826 | ssh-ed25519-cert-v01@openssh.com, | 823 | ssh-ed25519-cert-v01@openssh.com, |
827 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | 824 | sk-ssh-ed25519-cert-v01@openssh.com, |
825 | rsa-sha2-512-cert-v01@openssh.com, | ||
826 | rsa-sha2-256-cert-v01@openssh.com, | ||
828 | ssh-rsa-cert-v01@openssh.com, | 827 | ssh-rsa-cert-v01@openssh.com, |
829 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 828 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
830 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 829 | sk-ecdsa-sha2-nistp256@openssh.com, |
830 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
831 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
831 | .Ed | 832 | .Ed |
832 | .Pp | 833 | .Pp |
833 | The list of available key types may also be obtained using | 834 | The list of available key types may also be obtained using |
834 | .Qq ssh -Q key . | 835 | .Qq ssh -Q HostKeyAlgorithms . |
835 | .It Cm IgnoreRhosts | 836 | .It Cm IgnoreRhosts |
836 | Specifies that | 837 | Specifies that |
837 | .Pa .rhosts | 838 | .Pa .rhosts |
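Review bot: ssh-rsa-cert-v01@openssh.com and ssh-rsa, the SHA-1 signature variants, remain at the tail of both halves of the default after this reflow. Since the list is now one entry per line, a one-line statement that they are kept last only for compatibility with older clients, plus a pointer to the `-` prefix syntax for removing them from the default set, would serve operators who read this section for hardening.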
@@ -856,7 +857,20 @@ during | |||
856 | and use only the system-wide known hosts file | 857 | and use only the system-wide known hosts file |
857 | .Pa /etc/ssh/known_hosts . | 858 | .Pa /etc/ssh/known_hosts . |
858 | The default is | 859 | The default is |
859 | .Cm no . | 860 | .Dq no . |
861 | .It Cm Include | ||
862 | Include the specified configuration file(s). | ||
863 | Multiple pathnames may be specified and each pathname may contain | ||
864 | .Xr glob 7 | ||
865 | wildcards. | ||
866 | Files without absolute paths are assumed to be in | ||
867 | .Pa /etc/ssh . | ||
868 | An | ||
869 | .Cm Include | ||
870 | directive may appear inside a | ||
871 | .Cm Match | ||
872 | block | ||
873 | to perform conditional inclusion. | ||
860 | .It Cm IPQoS | 874 | .It Cm IPQoS |
861 | Specifies the IPv4 type-of-service or DSCP class for the connection. | 875 | Specifies the IPv4 type-of-service or DSCP class for the connection. |
862 | Accepted values are | 876 | Accepted values are |
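Review bot: the new `Include` text does not say what happens when a pathname or glob matches nothing (fatal error versus silently ignored), nor in which order multiple matches are processed; both matter because directive precedence depends on the order in which files are read. It also does not say whether an included file may contain its own `Match` blocks and how they nest inside an enclosing `Match`. Consider stating all three. Separately, the IgnoreUserKnownHosts default changes from `.Cm no` to `.Dq no` in the same hunk; check that this matches the markup used for the other boolean defaults.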
@@ -881,6 +895,7 @@ Accepted values are | |||
881 | .Cm cs6 , | 895 | .Cm cs6 , |
882 | .Cm cs7 , | 896 | .Cm cs7 , |
883 | .Cm ef , | 897 | .Cm ef , |
898 | .Cm le , | ||
884 | .Cm lowdelay , | 899 | .Cm lowdelay , |
885 | .Cm throughput , | 900 | .Cm throughput , |
886 | .Cm reliability , | 901 | .Cm reliability , |
@@ -974,6 +989,8 @@ ecdh-sha2-nistp256 | |||
974 | ecdh-sha2-nistp384 | 989 | ecdh-sha2-nistp384 |
975 | .It | 990 | .It |
976 | ecdh-sha2-nistp521 | 991 | ecdh-sha2-nistp521 |
992 | .It | ||
993 | sntrup4591761x25519-sha512@tinyssh.org | ||
977 | .El | 994 | .El |
978 | .Pp | 995 | .Pp |
979 | The default is: | 996 | The default is: |
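Review bot: sntrup4591761x25519-sha512@tinyssh.org is added to the list of available algorithms but, per the default list in the following hunk, is not enabled by default; a short note that this post-quantum hybrid method is experimental and not offered unless configured would stop readers from assuming the enumeration equals the default.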
@@ -982,11 +999,11 @@ curve25519-sha256,curve25519-sha256@libssh.org, | |||
982 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | 999 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
983 | diffie-hellman-group-exchange-sha256, | 1000 | diffie-hellman-group-exchange-sha256, |
984 | diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, | 1001 | diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, |
985 | diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 | 1002 | diffie-hellman-group14-sha256 |
986 | .Ed | 1003 | .Ed |
987 | .Pp | 1004 | .Pp |
988 | The list of available key exchange algorithms may also be obtained using | 1005 | The list of available key exchange algorithms may also be obtained using |
989 | .Qq ssh -Q kex . | 1006 | .Qq ssh -Q KexAlgorithms . |
990 | .It Cm ListenAddress | 1007 | .It Cm ListenAddress |
991 | Specifies the local addresses | 1008 | Specifies the local addresses |
992 | .Xr sshd 8 | 1009 | .Xr sshd 8 |
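Review bot: dropping diffie-hellman-group14-sha1 from the default is a behavioural change that the manual page records only as an edited list; clients that offer no SHA-2 key exchange will now fail at kex. Suggest a sentence noting it was removed from the default and can be re-added explicitly (or via the `+` prefix syntax) where such legacy clients must still connect.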
@@ -1199,6 +1216,7 @@ Available keywords are | |||
1199 | .Cm HostbasedAcceptedKeyTypes , | 1216 | .Cm HostbasedAcceptedKeyTypes , |
1200 | .Cm HostbasedAuthentication , | 1217 | .Cm HostbasedAuthentication , |
1201 | .Cm HostbasedUsesNameFromPacketOnly , | 1218 | .Cm HostbasedUsesNameFromPacketOnly , |
1219 | .Cm Include , | ||
1202 | .Cm IPQoS , | 1220 | .Cm IPQoS , |
1203 | .Cm KbdInteractiveAuthentication , | 1221 | .Cm KbdInteractiveAuthentication , |
1204 | .Cm KerberosAuthentication , | 1222 | .Cm KerberosAuthentication , |
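Review bot: adding `Include` to the Match keyword list makes the effective configuration depend on connection attributes, and a file included from inside a Match block can carry keywords that are not themselves permitted under Match. The Include description should say whether such keywords in a conditionally included file are rejected or applied, since an include misparsed under Match would change the policy applied to other connections.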
@@ -1341,7 +1359,9 @@ An argument of | |||
1341 | can be used to prohibit all forwarding requests. | 1359 | can be used to prohibit all forwarding requests. |
1342 | The wildcard | 1360 | The wildcard |
1343 | .Sq * | 1361 | .Sq * |
1344 | can be used for host or port to allow all hosts or ports, respectively. | 1362 | can be used for host or port to allow all hosts or ports respectively. |
1363 | Otherwise, no pattern matching or address lookups are performed on supplied | ||
1364 | names. | ||
1345 | By default all port forwarding requests are permitted. | 1365 | By default all port forwarding requests are permitted. |
1346 | .It Cm PermitRootLogin | 1366 | .It Cm PermitRootLogin |
1347 | Specifies whether root can log in using | 1367 | Specifies whether root can log in using |
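Review bot: "no pattern matching or address lookups are performed" is the security-relevant statement here and deserves an example: a `PermitOpen localhost:80` entry does not match a client that requests `127.0.0.1:80` or `[::1]:80`, and vice versa, because the comparison is on the literal string the client sent. Spelling that out tells operators to list every form they intend to allow, and that because names are never resolved the restriction cannot be bypassed by a name that resolves to a permitted address.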
@@ -1482,15 +1502,44 @@ The default for this option is: | |||
1482 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 1502 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
1483 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 1503 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
1484 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 1504 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
1505 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
1485 | ssh-ed25519-cert-v01@openssh.com, | 1506 | ssh-ed25519-cert-v01@openssh.com, |
1486 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | 1507 | sk-ssh-ed25519-cert-v01@openssh.com, |
1508 | rsa-sha2-512-cert-v01@openssh.com, | ||
1509 | rsa-sha2-256-cert-v01@openssh.com, | ||
1487 | ssh-rsa-cert-v01@openssh.com, | 1510 | ssh-rsa-cert-v01@openssh.com, |
1488 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 1511 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
1489 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 1512 | sk-ecdsa-sha2-nistp256@openssh.com, |
1513 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
1514 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
1490 | .Ed | 1515 | .Ed |
1491 | .Pp | 1516 | .Pp |
1492 | The list of available key types may also be obtained using | 1517 | The list of available key types may also be obtained using |
1493 | .Qq ssh -Q key . | 1518 | .Qq ssh -Q PubkeyAcceptedKeyTypes . |
1519 | .It Cm PubkeyAuthOptions | ||
1520 | Sets one or more public key authentication options. | ||
1521 | Two option keywords are currently supported: | ||
1522 | .Cm none | ||
1523 | (the default; indicating no additional options are enabled) | ||
1524 | and | ||
1525 | .Cm touch-required . | ||
1526 | .Pp | ||
1527 | The | ||
1528 | .Cm touch-required | ||
1529 | option causes public key authentication using a FIDO authenticator algorithm | ||
1530 | (i.e.\& | ||
1531 | .Cm ecdsa-sk | ||
1532 | or | ||
1533 | .Cm ed25519-sk ) | ||
1534 | to always require the signature to attest that a physically present user | ||
1535 | explicitly confirmed the authentication (usually by touching the authenticator). | ||
1536 | By default, | ||
1537 | .Xr sshd 8 | ||
1538 | requires user presence unless overridden with an authorized_keys option. | ||
1539 | The | ||
1540 | .Cm touch-required | ||
1541 | flag disables this override. | ||
1542 | This option has no effect for other, non-authenticator public key types. | ||
1494 | .It Cm PubkeyAuthentication | 1543 | .It Cm PubkeyAuthentication |
1495 | Specifies whether public key authentication is allowed. | 1544 | Specifies whether public key authentication is allowed. |
1496 | The default is | 1545 | The default is |
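Review bot: "unless overridden with an authorized_keys option" should name the option (`no-touch-required`, in the AUTHORIZED_KEYS FILE FORMAT section of sshd(8)) so the reader can find what `touch-required` disables; as written the policy knob is defined in terms of an unnamed override. Two smaller points: "i.e.\& ecdsa-sk or ed25519-sk" uses the ssh-keygen -t short names while the default list just above uses the wire names (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com), and the `ssh -Q PubkeyAcceptedKeyTypes` query has the same dependency on the matching ssh(1) noted for the earlier hunks.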
@@ -1541,6 +1590,10 @@ will be bound to this | |||
1541 | If the routing domain is set to | 1590 | If the routing domain is set to |
1542 | .Cm \&%D , | 1591 | .Cm \&%D , |
1543 | then the domain in which the incoming connection was received will be applied. | 1592 | then the domain in which the incoming connection was received will be applied. |
1593 | .It Cm SecurityKeyProvider | ||
1594 | Specifies a path to a library that will be used when loading | ||
1595 | FIDO authenticator-hosted keys, overriding the default of using | ||
1596 | the built-in USB HID support. | ||
1544 | .It Cm SetEnv | 1597 | .It Cm SetEnv |
1545 | Specifies one or more environment variables to set in child sessions started | 1598 | Specifies one or more environment variables to set in child sessions started |
1546 | by | 1599 | by |
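Review bot: a `SecurityKeyProvider` library is loaded into sshd itself, so the path is an arbitrary-code-loading point and should be documented as one: the file must be trusted to the same degree as sshd, and must not be writable by anyone other than root. The text also gives no value that restores the default; ssh_config(5) uses the keyword `internal` for the built-in USB HID support, and saying so here lets an operator override a distribution-supplied provider back to it.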