author | Colin Watson <cjwatson@debian.org> | 2010-03-31 00:48:57 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 00:48:57 +0100 |
commit | d1a87e462e1db89f19cd960588d0c6b287cb5ccc (patch) | |
tree | f0d13e1687800f36a3c4322b94ac5230ad17bdbf /sshd_config.5 | |
parent | 964476f91b66c475d5b8fa1e8b28d39a97a1b56e (diff) | |
parent | 004a7fb9c6a00b13dc98f56599918a54a3506d10 (diff) |
merge 5.4p1
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 45 |
1 files changed, 39 insertions, 6 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 6c3ef6947..6e3c69d05 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $ |
38 | .Dd $Mdocdate: April 21 2009 $ | 38 | .Dd $Mdocdate: March 4 2010 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -182,16 +182,16 @@ PAM or though authentication styles supported in | |||
182 | The default is | 182 | The default is |
183 | .Dq yes . | 183 | .Dq yes . |
184 | .It Cm ChrootDirectory | 184 | .It Cm ChrootDirectory |
185 | Specifies a path to | 185 | Specifies the pathname of a directory to |
186 | .Xr chroot 2 | 186 | .Xr chroot 2 |
187 | to after authentication. | 187 | to after authentication. |
188 | This path, and all its components, must be root-owned directories that are | 188 | All components of the pathname must be root-owned directories that are |
189 | not writable by any other user or group. | 189 | not writable by any other user or group. |
190 | After the chroot, | 190 | After the chroot, |
191 | .Xr sshd 8 | 191 | .Xr sshd 8 |
192 | changes the working directory to the user's home directory. | 192 | changes the working directory to the user's home directory. |
193 | .Pp | 193 | .Pp |
194 | The path may contain the following tokens that are expanded at runtime once | 194 | The pathname may contain the following tokens that are expanded at runtime once |
195 | the connecting user has been authenticated: %% is replaced by a literal '%', | 195 | the connecting user has been authenticated: %% is replaced by a literal '%', |
196 | %h is replaced by the home directory of the user being authenticated, and | 196 | %h is replaced by the home directory of the user being authenticated, and |
197 | %u is replaced by the username of that user. | 197 | %u is replaced by the username of that user. |
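Review bot: the rewording at line 188 ("All components of the pathname must be root-owned directories") loses the old text's explicit statement that the chroot target directory itself, not just its leading path components, must be root-owned and not writable by others; since %h and %u (lines 196-197) are expanded from per-user values, a reader could take "components" to mean only the ancestors of the final directory. Suggest: "This directory, and all components of its pathname, must be root-owned directories that are not writable by any other user or group."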
@@ -439,6 +439,14 @@ uses the name supplied by the client rather than | |||
439 | attempting to resolve the name from the TCP connection itself. | 439 | attempting to resolve the name from the TCP connection itself. |
440 | The default is | 440 | The default is |
441 | .Dq no . | 441 | .Dq no . |
442 | .It Cm HostCertificate | ||
443 | Specifies a file containing a public host certificate. | ||
444 | The certificate's public key must match a private host key already specified | ||
445 | by | ||
446 | .Cm HostKey . | ||
447 | The default behaviour of | ||
448 | .Xr sshd 8 | ||
449 | is not to load any certificates. | ||
442 | .It Cm HostKey | 450 | .It Cm HostKey |
443 | Specifies a file containing a private host key | 451 | Specifies a file containing a private host key |
444 | used by SSH. | 452 | used by SSH. |
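Review bot: "must match a private host key already specified by HostKey" (lines 444-446) reads as an ordering requirement on the configuration file. If sshd pairs certificates with host keys only after the whole file has been parsed, drop "already" and write "specified by HostKey"; if the HostKey directive really must precede the matching HostCertificate, say so explicitly, because a silent mismatch would leave the host presenting no certificate. A cross-reference for the expected certificate file format, such as the CERTIFICATES section of ssh-keygen(1) that the TrustedUserCAKeys text at lines 937-940 already points to, would also help here.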
@@ -642,6 +650,7 @@ Available keywords are | |||
642 | .Cm PermitEmptyPasswords , | 650 | .Cm PermitEmptyPasswords , |
643 | .Cm PermitOpen , | 651 | .Cm PermitOpen , |
644 | .Cm PermitRootLogin , | 652 | .Cm PermitRootLogin , |
653 | .Cm PubkeyAuthentication , | ||
645 | .Cm RhostsRSAAuthentication , | 654 | .Cm RhostsRSAAuthentication , |
646 | .Cm RSAAuthentication , | 655 | .Cm RSAAuthentication , |
647 | .Cm X11DisplayOffset , | 656 | .Cm X11DisplayOffset , |
@@ -820,7 +829,7 @@ and | |||
820 | .Sq 2 . | 829 | .Sq 2 . |
821 | Multiple versions must be comma-separated. | 830 | Multiple versions must be comma-separated. |
822 | The default is | 831 | The default is |
823 | .Dq 2,1 . | 832 | .Sq 2 . |
824 | Note that the order of the protocol list does not indicate preference, | 833 | Note that the order of the protocol list does not indicate preference, |
825 | because the client selects among multiple protocol versions offered | 834 | because the client selects among multiple protocol versions offered |
826 | by the server. | 835 | by the server. |
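Review bot: the new default at line 832 is marked up with .Sq, while every other "The default is" value visible in this file uses .Dq (lines 183, 441, 843, 872) and the replaced line 823 used .Dq 2,1; use .Dq 2 for consistency unless the single-quote form is deliberately meant to match the version list at line 829. Since the change from "2,1" to "2" also drops protocol 1 from the default set, a short sentence noting that protocol 1 must now be enabled explicitly would help administrators upgrading from earlier releases.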
@@ -833,6 +842,11 @@ Specifies whether public key authentication is allowed. | |||
833 | The default is | 842 | The default is |
834 | .Dq yes . | 843 | .Dq yes . |
835 | Note that this option applies to protocol version 2 only. | 844 | Note that this option applies to protocol version 2 only. |
845 | .It Cm RevokedKeys | ||
846 | Specifies a list of revoked public keys. | ||
847 | Keys listed in this file will be refused for public key authentication. | ||
848 | Note that if this file is not readable, then public key authentication will | ||
849 | be refused for all users. | ||
836 | .It Cm RhostsRSAAuthentication | 850 | .It Cm RhostsRSAAuthentication |
837 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 851 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
838 | with successful RSA host authentication is allowed. | 852 | with successful RSA host authentication is allowed. |
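Review bot: the RevokedKeys entry (lines 845-849) states neither the file format expected for "a list of revoked public keys" (one public key per line, as in an authorized_keys file, or some other form) nor a default, whereas the neighbouring entries close with a "The default is" sentence (lines 842-843). Suggest adding the format, or a cross-reference to where it is documented, plus "The default is not to use a revoked keys file" or equivalent. The fail-closed behaviour at lines 848-849 (an unreadable file refuses public key authentication for everyone) is the right choice and deserves to stay prominent, since it is the opposite of what an administrator might expect from a missing file.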
@@ -856,6 +870,9 @@ This is normally desirable because novices sometimes accidentally leave their | |||
856 | directory or files world-writable. | 870 | directory or files world-writable. |
857 | The default is | 871 | The default is |
858 | .Dq yes . | 872 | .Dq yes . |
873 | Note that this does not apply to | ||
874 | .Cm ChrootDirectory , | ||
875 | whose permissions and ownership are checked unconditionally. | ||
859 | .It Cm Subsystem | 876 | .It Cm Subsystem |
860 | Configures an external subsystem (e.g. file transfer daemon). | 877 | Configures an external subsystem (e.g. file transfer daemon). |
861 | Arguments should be a subsystem name and a command (with optional arguments) | 878 | Arguments should be a subsystem name and a command (with optional arguments) |
@@ -905,6 +922,22 @@ This avoids infinitely hanging sessions. | |||
905 | .Pp | 922 | .Pp |
906 | To disable TCP keepalive messages, the value should be set to | 923 | To disable TCP keepalive messages, the value should be set to |
907 | .Dq no . | 924 | .Dq no . |
925 | .It Cm TrustedUserCAKeys | ||
926 | Specifies a file containing public keys of certificate authorities that are | ||
927 | trusted to sign user certificates for authentication. | ||
928 | Keys are listed one per line; empty lines and comments starting with | ||
929 | .Ql # | ||
930 | are allowed. | ||
931 | If a certificate is presented for authentication and has its signing CA key | ||
932 | listed in this file, then it may be used for authentication for any user | ||
933 | listed in the certificate's principals list. | ||
934 | Note that certificates that lack a list of principals will not be permitted | ||
935 | for authentication using | ||
936 | .Cm TrustedUserCAKeys . | ||
937 | For more details on certificates, see the | ||
938 | .Sx CERTIFICATES | ||
939 | section in | ||
940 | .Xr ssh-keygen 1 . | ||
908 | .It Cm UseDNS | 941 | .It Cm UseDNS |
909 | Specifies whether | 942 | Specifies whether |
910 | .Xr sshd 8 | 943 | .Xr sshd 8 |
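Review bot: like RevokedKeys, the TrustedUserCAKeys entry (lines 925-940) gives no default; add a sentence stating that no CA keys are trusted by default, so certificate authentication through this file is off until it is configured. Lines 931-933 ("may be used for authentication for any user listed in the certificate's principals list") would read more precisely as an explicit match condition: the certificate is accepted only when the login name being authenticated appears in its principals list, which also explains why certificates without principals are rejected (lines 934-936).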