diff options
Diffstat (limited to 'sshd_config.0')
| -rw-r--r-- | sshd_config.0 | 43 |
1 files changed, 22 insertions, 21 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 022c05226..b0160aa87 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
| @@ -238,7 +238,9 @@ DESCRIPTION | |||
| 238 | Specifies the ciphers allowed. Multiple ciphers must be comma- | 238 | Specifies the ciphers allowed. Multiple ciphers must be comma- |
| 239 | separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, | 239 | separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, |
| 240 | then the specified ciphers will be appended to the default set | 240 | then the specified ciphers will be appended to the default set |
| 241 | instead of replacing them. | 241 | instead of replacing them. If the specified value begins with a |
| 242 | M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified ciphers (including wildcards) | ||
| 243 | will be removed from the default set instead of replacing them. | ||
| 242 | 244 | ||
| 243 | The supported ciphers are: | 245 | The supported ciphers are: |
| 244 | 246 | ||
| @@ -378,7 +380,10 @@ DESCRIPTION | |||
| 378 | authentication as a comma-separated pattern list. Alternately if | 380 | authentication as a comma-separated pattern list. Alternately if |
| 379 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the | 381 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the |
| 380 | specified key types will be appended to the default set instead | 382 | specified key types will be appended to the default set instead |
| 381 | of replacing them. The default for this option is: | 383 | of replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y |
| 384 | character, then the specified key types (including wildcards) | ||
| 385 | will be removed from the default set instead of replacing them. | ||
| 386 | The default for this option is: | ||
| 382 | 387 | ||
| 383 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 388 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 384 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 389 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| @@ -503,7 +508,10 @@ DESCRIPTION | |||
| 503 | algorithms must be comma-separated. Alternately if the specified | 508 | algorithms must be comma-separated. Alternately if the specified |
| 504 | value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods | 509 | value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods |
| 505 | will be appended to the default set instead of replacing them. | 510 | will be appended to the default set instead of replacing them. |
| 506 | The supported algorithms are: | 511 | If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the |
| 512 | specified methods (including wildcards) will be removed from the | ||
| 513 | default set instead of replacing them. The supported algorithms | ||
| 514 | are: | ||
| 507 | 515 | ||
| 508 | curve25519-sha256 | 516 | curve25519-sha256 |
| 509 | curve25519-sha256@libssh.org | 517 | curve25519-sha256@libssh.org |
| @@ -555,7 +563,9 @@ DESCRIPTION | |||
| 555 | protection. Multiple algorithms must be comma-separated. If the | 563 | protection. Multiple algorithms must be comma-separated. If the |
| 556 | specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified | 564 | specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified |
| 557 | algorithms will be appended to the default set instead of | 565 | algorithms will be appended to the default set instead of |
| 558 | replacing them. | 566 | replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y |
| 567 | character, then the specified algorithms (including wildcards) | ||
| 568 | will be removed from the default set instead of replacing them. | ||
| 559 | 569 | ||
| 560 | The algorithms that contain "-etm" calculate the MAC after | 570 | The algorithms that contain "-etm" calculate the MAC after |
| 561 | encryption (encrypt-then-mac). These are considered safer and | 571 | encryption (encrypt-then-mac). These are considered safer and |
| @@ -751,7 +761,10 @@ DESCRIPTION | |||
| 751 | authentication as a comma-separated pattern list. Alternately if | 761 | authentication as a comma-separated pattern list. Alternately if |
| 752 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the | 762 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the |
| 753 | specified key types will be appended to the default set instead | 763 | specified key types will be appended to the default set instead |
| 754 | of replacing them. The default for this option is: | 764 | of replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y |
| 765 | character, then the specified key types (including wildcards) | ||
| 766 | will be removed from the default set instead of replacing them. | ||
| 767 | The default for this option is: | ||
| 755 | 768 | ||
| 756 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 769 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 757 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 770 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| @@ -891,18 +904,6 @@ DESCRIPTION | |||
| 891 | If UsePAM is enabled, you will not be able to run sshd(8) as a | 904 | If UsePAM is enabled, you will not be able to run sshd(8) as a |
| 892 | non-root user. The default is no. | 905 | non-root user. The default is no. |
| 893 | 906 | ||
| 894 | UsePrivilegeSeparation | ||
| 895 | Specifies whether sshd(8) separates privileges by creating an | ||
| 896 | unprivileged child process to deal with incoming network traffic. | ||
| 897 | After successful authentication, another process will be created | ||
| 898 | that has the privilege of the authenticated user. The goal of | ||
| 899 | privilege separation is to prevent privilege escalation by | ||
| 900 | containing any corruption within the unprivileged processes. The | ||
| 901 | argument must be yes, no, or sandbox. If UsePrivilegeSeparation | ||
| 902 | is set to sandbox then the pre-authentication unprivileged | ||
| 903 | process is subject to additional restrictions. The default is | ||
| 904 | sandbox. | ||
| 905 | |||
| 906 | VersionAddendum | 907 | VersionAddendum |
| 907 | Optionally specifies additional text to append to the SSH | 908 | Optionally specifies additional text to append to the SSH |
| 908 | protocol banner sent by the server upon connection. The default | 909 | protocol banner sent by the server upon connection. The default |
| @@ -988,12 +989,12 @@ TOKENS | |||
| 988 | %t The key or certificate type. | 989 | %t The key or certificate type. |
| 989 | %u The username. | 990 | %u The username. |
| 990 | 991 | ||
| 991 | AuthorizedKeysCommand accepts the tokens %%, %f, %h, %t, and %u. | 992 | AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, and %u. |
| 992 | 993 | ||
| 993 | AuthorizedKeysFile accepts the tokens %%, %h, and %u. | 994 | AuthorizedKeysFile accepts the tokens %%, %h, and %u. |
| 994 | 995 | ||
| 995 | AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %K, %k, %h, | 996 | AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %h, %i, %K, |
| 996 | %i, %s, %T, %t, and %u. | 997 | %k, %s, %T, %t, and %u. |
| 997 | 998 | ||
| 998 | AuthorizedPrincipalsFile accepts the tokens %%, %h, and %u. | 999 | AuthorizedPrincipalsFile accepts the tokens %%, %h, and %u. |
| 999 | 1000 | ||
| @@ -1016,4 +1017,4 @@ AUTHORS | |||
| 1016 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 1017 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
| 1017 | for privilege separation. | 1018 | for privilege separation. |
| 1018 | 1019 | ||
| 1019 | OpenBSD 6.0 November 30, 2016 OpenBSD 6.0 | 1020 | OpenBSD 6.0 March 14, 2017 OpenBSD 6.0 |