Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 41 |
1 files changed, 25 insertions, 16 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 8bda6a39f..85379dca5 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -80,9 +80,11 @@ DESCRIPTION | |||
80 | valid; a numerical user ID is not recognized. By default, login | 80 | valid; a numerical user ID is not recognized. By default, login |
81 | is allowed for all users. If the pattern takes the form | 81 | is allowed for all users. If the pattern takes the form |
82 | USER@HOST then USER and HOST are separately checked, restricting | 82 | USER@HOST then USER and HOST are separately checked, restricting |
83 | logins to particular users from particular hosts. The allow/deny | 83 | logins to particular users from particular hosts. HOST criteria |
84 | directives are processed in the following order: DenyUsers, | 84 | may additionally contain addresses to match in CIDR |
85 | AllowUsers, DenyGroups, and finally AllowGroups. | 85 | address/masklen format. The allow/deny directives are processed |
86 | in the following order: DenyUsers, AllowUsers, DenyGroups, and | ||
87 | finally AllowGroups. | ||
86 | 88 | ||
87 | See PATTERNS in ssh_config(5) for more information on patterns. | 89 | See PATTERNS in ssh_config(5) for more information on patterns. |
88 | 90 | ||
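Review bot: the new sentence at lines 83-85 of the AllowUsers text says HOST criteria "may additionally contain addresses to match in CIDR address/masklen format" but does not say what is matched against the CIDR range; a reader could take it to mean the reverse-resolved hostname. Suggest stating explicitly that a CIDR entry is compared with the client's source IP address, e.g. "HOST criteria may additionally contain addresses in CIDR address/masklen format, which are matched against the client's address."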
@@ -90,8 +92,11 @@ DESCRIPTION | |||
90 | Specifies the authentication methods that must be successfully | 92 | Specifies the authentication methods that must be successfully |
91 | completed for a user to be granted access. This option must be | 93 | completed for a user to be granted access. This option must be |
92 | followed by one or more comma-separated lists of authentication | 94 | followed by one or more comma-separated lists of authentication |
93 | method names. Successful authentication requires completion of | 95 | method names, or by the single string M-bM-^@M-^\anyM-bM-^@M-^] to indicate the |
94 | every method in at least one of these lists. | 96 | default behaviour of accepting any single authentication method. |
97 | if the default is overridden, then successful authentication | ||
98 | requires completion of every method in at least one of these | ||
99 | lists. | ||
95 | 100 | ||
96 | For example, an argument of M-bM-^@M-^\publickey,password | 101 | For example, an argument of M-bM-^@M-^\publickey,password |
97 | publickey,keyboard-interactiveM-bM-^@M-^] would require the user to | 102 | publickey,keyboard-interactiveM-bM-^@M-^] would require the user to |
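Review bot: line 97 starts a new sentence with lowercase "if" ("if the default is overridden, then successful authentication ..."); it should be "If the default is overridden, successful authentication requires ...". Separately, the curly quotes around "any" on line 95 arrive as the byte sequences M-bM-^@M-^\ and M-bM-^@M-^] (cat -v style rendering of UTF-8), the same problem visible in the unchanged context at lines 101-102; the generated .0 file would be more portable if the formatter were run so that plain ASCII quotes are emitted.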
@@ -116,9 +121,9 @@ DESCRIPTION | |||
116 | 121 | ||
117 | This option will yield a fatal error if enabled if protocol 1 is | 122 | This option will yield a fatal error if enabled if protocol 1 is |
118 | also enabled. Note that each authentication method listed should | 123 | also enabled. Note that each authentication method listed should |
119 | also be explicitly enabled in the configuration. The default is | 124 | also be explicitly enabled in the configuration. The default |
120 | not to require multiple authentication; successful completion of | 125 | M-bM-^@M-^\anyM-bM-^@M-^] is not to require multiple authentication; successful |
121 | a single authentication method is sufficient. | 126 | completion of a single authentication method is sufficient. |
122 | 127 | ||
123 | AuthorizedKeysCommand | 128 | AuthorizedKeysCommand |
124 | Specifies a program to be used to look up the user's public keys. | 129 | Specifies a program to be used to look up the user's public keys. |
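Review bot: lines 124-126 read "The default “any” is not to require multiple authentication", which is awkward now that the option value has been inserted into the old sentence. Suggest "The default, “any”, does not require multiple authentication; successful completion of a single authentication method is sufficient." This hunk also carries the same escaped-quote byte sequences noted for the earlier hunk.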
@@ -339,9 +344,11 @@ DESCRIPTION | |||
339 | numerical user ID is not recognized. By default, login is | 344 | numerical user ID is not recognized. By default, login is |
340 | allowed for all users. If the pattern takes the form USER@HOST | 345 | allowed for all users. If the pattern takes the form USER@HOST |
341 | then USER and HOST are separately checked, restricting logins to | 346 | then USER and HOST are separately checked, restricting logins to |
342 | particular users from particular hosts. The allow/deny | 347 | particular users from particular hosts. HOST criteria may |
343 | directives are processed in the following order: DenyUsers, | 348 | additionally contain addresses to match in CIDR address/masklen |
344 | AllowUsers, DenyGroups, and finally AllowGroups. | 349 | format. The allow/deny directives are processed in the following |
350 | order: DenyUsers, AllowUsers, DenyGroups, and finally | ||
351 | AllowGroups. | ||
345 | 352 | ||
346 | See PATTERNS in ssh_config(5) for more information on patterns. | 353 | See PATTERNS in ssh_config(5) for more information on patterns. |
347 | 354 | ||
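Review bot: lines 347-349 repeat the CIDR sentence added to AllowUsers word for word, so the same ambiguity applies: the DenyUsers text should say that a CIDR entry is matched against the client's source address. Since AllowUsers and DenyUsers now carry identical wording, it may be cleaner to describe the USER@HOST and CIDR forms once (for example under PATTERNS in ssh_config(5), which both sections already reference) and keep only the processing-order sentence in each option.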
@@ -447,7 +454,7 @@ DESCRIPTION | |||
447 | 454 | ||
448 | HostKeyAgent | 455 | HostKeyAgent |
449 | Identifies the UNIX-domain socket used to communicate with an | 456 | Identifies the UNIX-domain socket used to communicate with an |
450 | agent that has access to the private host keys. If | 457 | agent that has access to the private host keys. If the string |
451 | M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be | 458 | M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be |
452 | read from the SSH_AUTH_SOCK environment variable. | 459 | read from the SSH_AUTH_SOCK environment variable. |
453 | 460 | ||
@@ -708,8 +715,10 @@ DESCRIPTION | |||
708 | Multiple forwards may be specified by separating them with | 715 | Multiple forwards may be specified by separating them with |
709 | whitespace. An argument of M-bM-^@M-^\anyM-bM-^@M-^] can be used to remove all | 716 | whitespace. An argument of M-bM-^@M-^\anyM-bM-^@M-^] can be used to remove all |
710 | restrictions and permit any forwarding requests. An argument of | 717 | restrictions and permit any forwarding requests. An argument of |
711 | M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. By | 718 | M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. The |
712 | default all port forwarding requests are permitted. | 719 | wildcard M-bM-^@M-^\*M-bM-^@M-^] can be used for host or port to allow all hosts or |
720 | ports, respectively. By default all port forwarding requests are | ||
721 | permitted. | ||
713 | 722 | ||
714 | PermitRootLogin | 723 | PermitRootLogin |
715 | Specifies whether root can log in using ssh(1). The argument | 724 | Specifies whether root can log in using ssh(1). The argument |
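Review bot: lines 718-720 introduce the wildcard “*” for host or port but leave it to the reader to work out that “*:*” is therefore equivalent to the existing “any” argument described on lines 716-717; stating that equivalence in one sentence would avoid two spellings of the permit-everything case and make it easier to spot in a configuration review. As with the other hunks, the quotes around “*” are emitted as M-bM-^@M-^\ / M-bM-^@M-^] byte sequences rather than ASCII quotes.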
@@ -927,7 +936,7 @@ DESCRIPTION | |||
927 | address maps back to the very same IP address. | 936 | address maps back to the very same IP address. |
928 | 937 | ||
929 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses | 938 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses |
930 | and not host names may be used in ~/.ssh/known_hosts from and | 939 | and not host names may be used in ~/.ssh/authorized_keys from and |
931 | sshd_config Match Host directives. | 940 | sshd_config Match Host directives. |
932 | 941 | ||
933 | UseLogin | 942 | UseLogin |
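Review bot: the correction on line 939 from ~/.ssh/known_hosts to ~/.ssh/authorized_keys is right, since the "from" restriction is an authorized_keys option, not a known_hosts one. While touching this line, consider writing the option as "from=" (with the equals sign) so that "authorized_keys from and sshd_config Match Host directives" is not misread as the English word "from".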
@@ -1051,4 +1060,4 @@ AUTHORS | |||
1051 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 1060 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
1052 | for privilege separation. | 1061 | for privilege separation. |
1053 | 1062 | ||
1054 | OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 | 1063 | OpenBSD 6.0 July 19, 2016 OpenBSD 6.0 |