Diffstat (limited to 'sshd_config.0')
-rw-r--r-- sshd_config.0 43
1 files changed, 22 insertions, 21 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 022c05226..b0160aa87 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -238,7 +238,9 @@ DESCRIPTION
238 Specifies the ciphers allowed. Multiple ciphers must be comma- 238 Specifies the ciphers allowed. Multiple ciphers must be comma-
239 separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, 239 separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
240 then the specified ciphers will be appended to the default set 240 then the specified ciphers will be appended to the default set
241 instead of replacing them. 241 instead of replacing them. If the specified value begins with a
242 M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified ciphers (including wildcards)
243 will be removed from the default set instead of replacing them.
242 244
243 The supported ciphers are: 245 The supported ciphers are:
244 246
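Review bot: the new sentence at lines 241-243 does not say that a value written with the '-' prefix stays relative to the default set, so the effective cipher list changes whenever the defaults change. A configuration that subtracts a few named ciphers will accept any cipher added to the defaults later. Suggest one more sentence stating this, so administrators who need a fixed list know to keep using the replacing form.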
@@ -378,7 +380,10 @@ DESCRIPTION
378 authentication as a comma-separated pattern list. Alternately if 380 authentication as a comma-separated pattern list. Alternately if
379 the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the 381 the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
380 specified key types will be appended to the default set instead 382 specified key types will be appended to the default set instead
381 of replacing them. The default for this option is: 383 of replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y
384 character, then the specified key types (including wildcards)
385 will be removed from the default set instead of replacing them.
386 The default for this option is:
382 387
383 ecdsa-sha2-nistp256-cert-v01@openssh.com, 388 ecdsa-sha2-nistp256-cert-v01@openssh.com,
384 ecdsa-sha2-nistp384-cert-v01@openssh.com, 389 ecdsa-sha2-nistp384-cert-v01@openssh.com,
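Review bot: "(including wildcards)" at new line 384 is stated without an example, and the default list that follows mixes plain and "-cert-v01@openssh.com" names, so a broad pattern can remove certificate key types the administrator did not mean to drop. Suggest adding a short example of a pattern and the entries it removes from the list below, or a pointer to where pattern syntax is documented.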
@@ -503,7 +508,10 @@ DESCRIPTION
503 algorithms must be comma-separated. Alternately if the specified 508 algorithms must be comma-separated. Alternately if the specified
504 value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods 509 value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods
505 will be appended to the default set instead of replacing them. 510 will be appended to the default set instead of replacing them.
506 The supported algorithms are: 511 If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the
512 specified methods (including wildcards) will be removed from the
513 default set instead of replacing them. The supported algorithms
514 are:
507 515
508 curve25519-sha256 516 curve25519-sha256
509 curve25519-sha256@libssh.org 517 curve25519-sha256@libssh.org
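Review bot: the added sentence at new lines 511-513 says "specified methods", while the surrounding text calls the same things "algorithms" ("algorithms must be comma-separated", "The supported algorithms are:"). The existing '+' sentence already has this mismatch; the new sentence is a good place to stop copying it. Suggest "then the specified algorithms (including wildcards) will be removed" and fixing the '+' sentence to match.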
@@ -555,7 +563,9 @@ DESCRIPTION
555 protection. Multiple algorithms must be comma-separated. If the 563 protection. Multiple algorithms must be comma-separated. If the
556 specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified 564 specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified
557 algorithms will be appended to the default set instead of 565 algorithms will be appended to the default set instead of
558 replacing them. 566 replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y
567 character, then the specified algorithms (including wildcards)
568 will be removed from the default set instead of replacing them.
559 569
560 The algorithms that contain "-etm" calculate the MAC after 570 The algorithms that contain "-etm" calculate the MAC after
561 encryption (encrypt-then-mac). These are considered safer and 571 encryption (encrypt-then-mac). These are considered safer and
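Review bot: the text at new lines 566-568 ties the '-' behaviour to the first character of the value ("If the specified value begins with"), but it does not say that the prefix therefore applies to the whole comma-separated list, nor whether '+' and '-' can be used together in one value. A reader could reasonably try a mixed list with per-item prefixes. Suggest stating explicitly that only a single leading '+' or '-' is recognised and that it governs every entry in the list.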
@@ -751,7 +761,10 @@ DESCRIPTION
751 authentication as a comma-separated pattern list. Alternately if 761 authentication as a comma-separated pattern list. Alternately if
752 the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the 762 the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
753 specified key types will be appended to the default set instead 763 specified key types will be appended to the default set instead
754 of replacing them. The default for this option is: 764 of replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y
765 character, then the specified key types (including wildcards)
766 will be removed from the default set instead of replacing them.
767 The default for this option is:
755 768
756 ecdsa-sha2-nistp256-cert-v01@openssh.com, 769 ecdsa-sha2-nistp256-cert-v01@openssh.com,
757 ecdsa-sha2-nistp384-cert-v01@openssh.com, 770 ecdsa-sha2-nistp384-cert-v01@openssh.com,
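Review bot: the sentence added at new lines 764-766 leaves two edge cases undocumented: what happens when a pattern matches nothing in the default set, and what happens when the patterns remove every entry. For an option that controls which key types are accepted for authentication, an empty result or a silently ignored typo both matter. Suggest documenting whether each case is an error or is accepted silently.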
@@ -891,18 +904,6 @@ DESCRIPTION
891 If UsePAM is enabled, you will not be able to run sshd(8) as a 904 If UsePAM is enabled, you will not be able to run sshd(8) as a
892 non-root user. The default is no. 905 non-root user. The default is no.
893 906
894 UsePrivilegeSeparation
895 Specifies whether sshd(8) separates privileges by creating an
896 unprivileged child process to deal with incoming network traffic.
897 After successful authentication, another process will be created
898 that has the privilege of the authenticated user. The goal of
899 privilege separation is to prevent privilege escalation by
900 containing any corruption within the unprivileged processes. The
901 argument must be yes, no, or sandbox. If UsePrivilegeSeparation
902 is set to sandbox then the pre-authentication unprivileged
903 process is subject to additional restrictions. The default is
904 sandbox.
905
906 VersionAddendum 907 VersionAddendum
907 Optionally specifies additional text to append to the SSH 908 Optionally specifies additional text to append to the SSH
908 protocol banner sent by the server upon connection. The default 909 protocol banner sent by the server upon connection. The default
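Review bot: the UsePrivilegeSeparation entry (old lines 894-904) is deleted with no replacement text, so the page no longer tells an administrator what happens to an existing configuration that sets this keyword. The removed text allowed "yes, no, or sandbox", which means some deployed files may contain "UsePrivilegeSeparation no". Suggest keeping a short entry that marks the keyword as deprecated and states how the server now treats it and which behaviour is in effect.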
@@ -988,12 +989,12 @@ TOKENS
988 %t The key or certificate type. 989 %t The key or certificate type.
989 %u The username. 990 %u The username.
990 991
991 AuthorizedKeysCommand accepts the tokens %%, %f, %h, %t, and %u. 992 AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, and %u.
992 993
993 AuthorizedKeysFile accepts the tokens %%, %h, and %u. 994 AuthorizedKeysFile accepts the tokens %%, %h, and %u.
994 995
995 AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %K, %k, %h, 996 AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %h, %i, %K,
996 %i, %s, %T, %t, and %u. 997 %k, %s, %T, %t, and %u.
997 998
998 AuthorizedPrincipalsFile accepts the tokens %%, %h, and %u. 999 AuthorizedPrincipalsFile accepts the tokens %%, %h, and %u.
999 1000
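Review bot: new line 992 adds %k to the tokens accepted by AuthorizedKeysCommand, but no other hunk in this diff touches the token definitions or the AuthorizedKeysCommand description, and the visible context only shows the %t and %u entries. Please confirm that the existing %k definition is worded so that it applies to AuthorizedKeysCommand as well as AuthorizedPrincipalsCommand. The reordering at lines 996-997 is fine but would be easier to review as a separate change from the %k addition.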
@@ -1016,4 +1017,4 @@ AUTHORS
1016 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 1017 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
1017 for privilege separation. 1018 for privilege separation.
1018 1019
1019OpenBSD 6.0 November 30, 2016 OpenBSD 6.0 1020OpenBSD 6.0 March 14, 2017 OpenBSD 6.0