diff options
| author | Colin Watson <cjwatson@debian.org> | 2005-01-04 13:07:27 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2005-01-04 13:07:27 +0000 |
| commit | fd0f611b70a83d80fe8793af785542ee5541b7cd (patch) | |
| tree | bededd22bb7eeec52e20083237ab7e4113445a16 /sshd_config.5 | |
| parent | c44fe9a5b9d3db96a7249b04d915f17e4a3a3b04 (diff) | |
| parent | ebd2ce335af5861020c79fddb1ae35c03bf036cf (diff) | |
Merge 3.9p1 to the trunk.
Diffstat (limited to 'sshd_config.5')
| -rw-r--r-- | sshd_config.5 | 73 |
1 files changed, 60 insertions, 13 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index e15a225f2..09532fb8d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -34,7 +34,7 @@ | |||
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" | 36 | .\" |
| 37 | .\" $OpenBSD: sshd_config.5,v 1.29 2004/03/08 10:18:57 dtucker Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.35 2004/06/26 09:14:40 jmc Exp $ |
| 38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
| 39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
| 40 | .Os | 40 | .Os |
| @@ -61,6 +61,28 @@ The possible | |||
| 61 | keywords and their meanings are as follows (note that | 61 | keywords and their meanings are as follows (note that |
| 62 | keywords are case-insensitive and arguments are case-sensitive): | 62 | keywords are case-insensitive and arguments are case-sensitive): |
| 63 | .Bl -tag -width Ds | 63 | .Bl -tag -width Ds |
| 64 | .It Cm AcceptEnv | ||
| 65 | Specifies what environment variables sent by the client will be copied into | ||
| 66 | the session's | ||
| 67 | .Xr environ 7 . | ||
| 68 | See | ||
| 69 | .Cm SendEnv | ||
| 70 | in | ||
| 71 | .Xr ssh_config 5 | ||
| 72 | for how to configure the client. | ||
| 73 | Note that environment passing is only supported for protocol 2. | ||
| 74 | Variables are specified by name, which may contain the wildcard characters | ||
| 75 | .Ql \&* | ||
| 76 | and | ||
| 77 | .Ql \&? . | ||
| 78 | Multiple environment variables may be separated by whitespace or spread | ||
| 79 | across multiple | ||
| 80 | .Cm AcceptEnv | ||
| 81 | directives. | ||
| 82 | Be warned that some environment variables could be used to bypass restricted | ||
| 83 | user environments. | ||
| 84 | For this reason, care should be taken in the use of this directive. | ||
| 85 | The default is not to accept any environment variables. | ||
| 64 | .It Cm AllowGroups | 86 | .It Cm AllowGroups |
| 65 | This keyword can be followed by a list of group name patterns, separated | 87 | This keyword can be followed by a list of group name patterns, separated |
| 66 | by spaces. | 88 | by spaces. |
| @@ -73,7 +95,6 @@ can be used as | |||
| 73 | wildcards in the patterns. | 95 | wildcards in the patterns. |
| 74 | Only group names are valid; a numerical group ID is not recognized. | 96 | Only group names are valid; a numerical group ID is not recognized. |
| 75 | By default, login is allowed for all groups. | 97 | By default, login is allowed for all groups. |
| 76 | .Pp | ||
| 77 | .It Cm AllowTcpForwarding | 98 | .It Cm AllowTcpForwarding |
| 78 | Specifies whether TCP forwarding is permitted. | 99 | Specifies whether TCP forwarding is permitted. |
| 79 | The default is | 100 | The default is |
| @@ -81,7 +102,6 @@ The default is | |||
| 81 | Note that disabling TCP forwarding does not improve security unless | 102 | Note that disabling TCP forwarding does not improve security unless |
| 82 | users are also denied shell access, as they can always install their | 103 | users are also denied shell access, as they can always install their |
| 83 | own forwarders. | 104 | own forwarders. |
| 84 | .Pp | ||
| 85 | .It Cm AllowUsers | 105 | .It Cm AllowUsers |
| 86 | This keyword can be followed by a list of user name patterns, separated | 106 | This keyword can be followed by a list of user name patterns, separated |
| 87 | by spaces. | 107 | by spaces. |
| @@ -97,7 +117,6 @@ By default, login is allowed for all users. | |||
| 97 | If the pattern takes the form USER@HOST then USER and HOST | 117 | If the pattern takes the form USER@HOST then USER and HOST |
| 98 | are separately checked, restricting logins to particular | 118 | are separately checked, restricting logins to particular |
| 99 | users from particular hosts. | 119 | users from particular hosts. |
| 100 | .Pp | ||
| 101 | .It Cm AuthorizedKeysFile | 120 | .It Cm AuthorizedKeysFile |
| 102 | Specifies the file that contains the public keys that can be used | 121 | Specifies the file that contains the public keys that can be used |
| 103 | for user authentication. | 122 | for user authentication. |
| @@ -120,7 +139,6 @@ The contents of the specified file are sent to the remote user before | |||
| 120 | authentication is allowed. | 139 | authentication is allowed. |
| 121 | This option is only available for protocol version 2. | 140 | This option is only available for protocol version 2. |
| 122 | By default, no banner is displayed. | 141 | By default, no banner is displayed. |
| 123 | .Pp | ||
| 124 | .It Cm ChallengeResponseAuthentication | 142 | .It Cm ChallengeResponseAuthentication |
| 125 | Specifies whether challenge response authentication is allowed. | 143 | Specifies whether challenge response authentication is allowed. |
| 126 | All authentication styles from | 144 | All authentication styles from |
| @@ -131,8 +149,19 @@ The default is | |||
| 131 | .It Cm Ciphers | 149 | .It Cm Ciphers |
| 132 | Specifies the ciphers allowed for protocol version 2. | 150 | Specifies the ciphers allowed for protocol version 2. |
| 133 | Multiple ciphers must be comma-separated. | 151 | Multiple ciphers must be comma-separated. |
| 152 | The supported ciphers are | ||
| 153 | .Dq 3des-cbc , | ||
| 154 | .Dq aes128-cbc , | ||
| 155 | .Dq aes192-cbc , | ||
| 156 | .Dq aes256-cbc , | ||
| 157 | .Dq aes128-ctr , | ||
| 158 | .Dq aes192-ctr , | ||
| 159 | .Dq aes256-ctr , | ||
| 160 | .Dq arcfour , | ||
| 161 | .Dq blowfish-cbc , | ||
| 162 | and | ||
| 163 | .Dq cast128-cbc . | ||
| 134 | The default is | 164 | The default is |
| 135 | .Pp | ||
| 136 | .Bd -literal | 165 | .Bd -literal |
| 137 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 166 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
| 138 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' | 167 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' |
| @@ -193,7 +222,6 @@ can be used as | |||
| 193 | wildcards in the patterns. | 222 | wildcards in the patterns. |
| 194 | Only group names are valid; a numerical group ID is not recognized. | 223 | Only group names are valid; a numerical group ID is not recognized. |
| 195 | By default, login is allowed for all groups. | 224 | By default, login is allowed for all groups. |
| 196 | .Pp | ||
| 197 | .It Cm DenyUsers | 225 | .It Cm DenyUsers |
| 198 | This keyword can be followed by a list of user name patterns, separated | 226 | This keyword can be followed by a list of user name patterns, separated |
| 199 | by spaces. | 227 | by spaces. |
| @@ -386,6 +414,12 @@ for data integrity protection. | |||
| 386 | Multiple algorithms must be comma-separated. | 414 | Multiple algorithms must be comma-separated. |
| 387 | The default is | 415 | The default is |
| 388 | .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . | 416 | .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
| 417 | .It Cm MaxAuthTries | ||
| 418 | Specifies the maximum number of authentication attempts permitted per | ||
| 419 | connection. | ||
| 420 | Once the number of failures reaches half this value, | ||
| 421 | additional failures are logged. | ||
| 422 | The default is 6. | ||
| 389 | .It Cm MaxStartups | 423 | .It Cm MaxStartups |
| 390 | Specifies the maximum number of concurrent unauthenticated connections to the | 424 | Specifies the maximum number of concurrent unauthenticated connections to the |
| 391 | .Nm sshd | 425 | .Nm sshd |
| @@ -608,12 +642,25 @@ If | |||
| 608 | .Cm UsePrivilegeSeparation | 642 | .Cm UsePrivilegeSeparation |
| 609 | is specified, it will be disabled after authentication. | 643 | is specified, it will be disabled after authentication. |
| 610 | .It Cm UsePAM | 644 | .It Cm UsePAM |
| 611 | Enables PAM authentication (via challenge-response) and session set up. | 645 | Enables the Pluggable Authentication Module interface. |
| 612 | If you enable this, you should probably disable | 646 | If set to |
| 613 | .Cm PasswordAuthentication . | 647 | .Dq yes |
| 614 | If you enable | 648 | this will enable PAM authentication using |
| 615 | .CM UsePAM | 649 | .Cm ChallengeResponseAuthentication |
| 616 | then you will not be able to run sshd as a non-root user. The default is | 650 | and PAM account and session module processing for all authentication types. |
| 651 | .Pp | ||
| 652 | Because PAM challenge-response authentication usually serves an equivalent | ||
| 653 | role to password authentication, you should disable either | ||
| 654 | .Cm PasswordAuthentication | ||
| 655 | or | ||
| 656 | .Cm ChallengeResponseAuthentication. | ||
| 657 | .Pp | ||
| 658 | If | ||
| 659 | .Cm UsePAM | ||
| 660 | is enabled, you will not be able to run | ||
| 661 | .Xr sshd 8 | ||
| 662 | as a non-root user. | ||
| 663 | The default is | ||
| 617 | .Dq no . | 664 | .Dq no . |
| 618 | .It Cm UsePrivilegeSeparation | 665 | .It Cm UsePrivilegeSeparation |
| 619 | Specifies whether | 666 | Specifies whether |