Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 347 |
1 files changed, 173 insertions, 174 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index e234efdb4..7800de312 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -1,25 +1,25 @@ | |||
1 | SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) | 1 | SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) |
2 | 2 | ||
3 | ^[[1mNAME^[[0m | 3 | NAME |
4 | ^[[1msshd_config ^[[22mM-bMM-^R OpenSSH SSH daemon configuration file | 4 | sshd_config - OpenSSH SSH daemon configuration file |
5 | 5 | ||
6 | ^[[1mSYNOPSIS^[[0m | 6 | SYNOPSIS |
7 | ^[[4m/etc/ssh/sshd_config^[[0m | 7 | /etc/ssh/sshd_config |
8 | 8 | ||
9 | ^[[1mDESCRIPTION^[[0m | 9 | DESCRIPTION |
10 | ^[[1msshd ^[[22mreads configuration data from ^[[4m/etc/ssh/sshd_config^[[24m (or the file | 10 | sshd reads configuration data from /etc/ssh/sshd_config (or the file |
11 | specified with ^[[1mM-bMM-^Rf ^[[22mon the command line). The file contains keywordM-bM-^@M-^ParguM-bM-^@M-^P | 11 | specified with -f on the command line). The file contains keyword-argu- |
12 | ment pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are | 12 | ment pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are |
13 | interpreted as comments. | 13 | interpreted as comments. |
14 | 14 | ||
15 | The possible keywords and their meanings are as follows (note that keyM-bM-^@M-^P | 15 | The possible keywords and their meanings are as follows (note that key- |
16 | words are caseM-bM-^@M-^Pinsensitive and arguments are caseM-bM-^@M-^Psensitive): | 16 | words are case-insensitive and arguments are case-sensitive): |
17 | 17 | ||
18 | ^[[1mAFSTokenPassing^[[0m | 18 | AFSTokenPassing |
19 | Specifies whether an AFS token may be forwarded to the server. | 19 | Specifies whether an AFS token may be forwarded to the server. |
20 | Default is M-bM-^@M-^\noM-bM-^@M-^]. | 20 | Default is M-bM-^@M-^\noM-bM-^@M-^]. |
21 | 21 | ||
22 | ^[[1mAllowGroups^[[0m | 22 | AllowGroups |
23 | This keyword can be followed by a list of group name patterns, | 23 | This keyword can be followed by a list of group name patterns, |
24 | separated by spaces. If specified, login is allowed only for | 24 | separated by spaces. If specified, login is allowed only for |
25 | users whose primary group or supplementary group list matches one | 25 | users whose primary group or supplementary group list matches one |
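Review bot: the regenerated column on the right drops the terminal escape sequences (^[[1m, ^[[0m, ^[[4m) and turns the UTF-8 hyphens (shown by cat -v as M-bM-^@M-^P) into ASCII '-', but the UTF-8 curly quotes survive on lines 12 and 20 (M-bM-^@M-^X#M-bM-^@M-^Y and M-bM-^@M-^\noM-bM-^@M-^]), so the new file is neither plain ASCII nor consistently UTF-8. If the intent is a preformatted page that displays correctly in any locale, regenerate it with an ASCII output device (nroff -Tascii or mandoc -Tascii) so the quotes become plain ASCII as well; otherwise the commit message should state which encoding the .0 files are meant to carry.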
@@ -27,13 +27,13 @@ SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) | |||
27 | patterns. Only group names are valid; a numerical group ID is | 27 | patterns. Only group names are valid; a numerical group ID is |
28 | not recognized. By default, login is allowed for all groups. | 28 | not recognized. By default, login is allowed for all groups. |
29 | 29 | ||
30 | ^[[1mAllowTcpForwarding^[[0m | 30 | AllowTcpForwarding |
31 | Specifies whether TCP forwarding is permitted. The default is | 31 | Specifies whether TCP forwarding is permitted. The default is |
32 | M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling TCP forwarding does not improve secuM-bM-^@M-^P | 32 | M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling TCP forwarding does not improve secu- |
33 | rity unless users are also denied shell access, as they can | 33 | rity unless users are also denied shell access, as they can |
34 | always install their own forwarders. | 34 | always install their own forwarders. |
35 | 35 | ||
36 | ^[[1mAllowUsers^[[0m | 36 | AllowUsers |
37 | This keyword can be followed by a list of user name patterns, | 37 | This keyword can be followed by a list of user name patterns, |
38 | separated by spaces. If specified, login is allowed only for | 38 | separated by spaces. If specified, login is allowed only for |
39 | user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be | 39 | user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be |
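Review bot: line 39 in the AllowUsers text reads M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? in both columns, that is, the question mark is printed outside its quotes, so a reader can miss that ? is a wildcard alongside *. The regenerated output reproduces the defect unchanged, which places it in the mdoc source (sshd_config.5, assumed here to be what this .0 file is generated from); fix it there and regenerate, since correcting only the .0 file would be undone by the next regeneration. The same text recurs as line 114 in the DenyUsers hunk below.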
@@ -43,64 +43,64 @@ SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) | |||
43 | then USER and HOST are separately checked, restricting logins to | 43 | then USER and HOST are separately checked, restricting logins to |
44 | particular users from particular hosts. | 44 | particular users from particular hosts. |
45 | 45 | ||
46 | ^[[1mAuthorizedKeysFile^[[0m | 46 | AuthorizedKeysFile |
47 | Specifies the file that contains the public keys that can be used | 47 | Specifies the file that contains the public keys that can be used |
48 | for user authentication. ^[[1mAuthorizedKeysFile ^[[22mmay contain tokens | 48 | for user authentication. AuthorizedKeysFile may contain tokens |
49 | of the form %T which are substituted during connection setM-bM-^@M-^Pup. | 49 | of the form %T which are substituted during connection set-up. |
50 | The following tokens are defined: %% is replaced by a literal | 50 | The following tokens are defined: %% is replaced by a literal |
51 | M-bM-^@M-^Y%M-bM-^@M-^Y, %h is replaced by the home directory of the user being | 51 | M-bM-^@M-^Y%M-bM-^@M-^Y, %h is replaced by the home directory of the user being |
52 | authenticated and %u is replaced by the username of that user. | 52 | authenticated and %u is replaced by the username of that user. |
53 | After expansion, ^[[1mAuthorizedKeysFile ^[[22mis taken to be an absolute | 53 | After expansion, AuthorizedKeysFile is taken to be an absolute |
54 | path or one relative to the userM-bM-^@M-^Ys home directory. The default | 54 | path or one relative to the userM-bM-^@M-^Ys home directory. The default |
55 | is M-bM-^@M-^\.ssh/authorized_keysM-bM-^@M-^]. | 55 | is M-bM-^@M-^\.ssh/authorized_keysM-bM-^@M-^]. |
56 | 56 | ||
57 | ^[[1mBanner ^[[22mIn some jurisdictions, sending a warning message before authentiM-bM-^@M-^P | 57 | Banner In some jurisdictions, sending a warning message before authenti- |
58 | cation may be relevant for getting legal protection. The conM-bM-^@M-^P | 58 | cation may be relevant for getting legal protection. The con- |
59 | tents of the specified file are sent to the remote user before | 59 | tents of the specified file are sent to the remote user before |
60 | authentication is allowed. This option is only available for | 60 | authentication is allowed. This option is only available for |
61 | protocol version 2. By default, no banner is displayed. | 61 | protocol version 2. By default, no banner is displayed. |
62 | 62 | ||
63 | ^[[1mChallengeResponseAuthentication^[[0m | 63 | ChallengeResponseAuthentication |
64 | Specifies whether challenge response authentication is allowed. | 64 | Specifies whether challenge response authentication is allowed. |
65 | All authentication styles from login.conf(5) are supported. The | 65 | All authentication styles from login.conf(5) are supported. The |
66 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 66 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
67 | 67 | ||
68 | ^[[1mCiphers^[[0m | 68 | Ciphers |
69 | Specifies the ciphers allowed for protocol version 2. Multiple | 69 | Specifies the ciphers allowed for protocol version 2. Multiple |
70 | ciphers must be commaM-bM-^@M-^Pseparated. The default is | 70 | ciphers must be comma-separated. The default is |
71 | 71 | ||
72 | M-bM-^@M-^XM-bM-^@M-^Xaes128M-bM-^@M-^Pcbc,3desM-bM-^@M-^Pcbc,blowfishM-bM-^@M-^Pcbc,cast128M-bM-^@M-^Pcbc,arcfour, | 72 | M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
73 | aes192M-bM-^@M-^Pcbc,aes256M-bM-^@M-^PcbcM-bM-^@M-^YM-bM-^@M-^Y | 73 | aes192-cbc,aes256-cbcM-bM-^@M-^YM-bM-^@M-^Y |
74 | 74 | ||
75 | ^[[1mClientAliveInterval^[[0m | 75 | ClientAliveInterval |
76 | Sets a timeout interval in seconds after which if no data has | 76 | Sets a timeout interval in seconds after which if no data has |
77 | been received from the client, ^[[1msshd ^[[22mwill send a message through | 77 | been received from the client, sshd will send a message through |
78 | the encrypted channel to request a response from the client. The | 78 | the encrypted channel to request a response from the client. The |
79 | default is 0, indicating that these messages will not be sent to | 79 | default is 0, indicating that these messages will not be sent to |
80 | the client. This option applies to protocol version 2 only. | 80 | the client. This option applies to protocol version 2 only. |
81 | 81 | ||
82 | ^[[1mClientAliveCountMax^[[0m | 82 | ClientAliveCountMax |
83 | Sets the number of client alive messages (see above) which may be | 83 | Sets the number of client alive messages (see above) which may be |
84 | sent without ^[[1msshd ^[[22mreceiving any messages back from the client. If | 84 | sent without sshd receiving any messages back from the client. If |
85 | this threshold is reached while client alive messages are being | 85 | this threshold is reached while client alive messages are being |
86 | sent, ^[[1msshd ^[[22mwill disconnect the client, terminating the session. | 86 | sent, sshd will disconnect the client, terminating the session. |
87 | It is important to note that the use of client alive messages is | 87 | It is important to note that the use of client alive messages is |
88 | very different from ^[[1mKeepAlive ^[[22m(below). The client alive messages | 88 | very different from KeepAlive (below). The client alive messages |
89 | are sent through the encrypted channel and therefore will not be | 89 | are sent through the encrypted channel and therefore will not be |
90 | spoofable. The TCP keepalive option enabled by ^[[1mKeepAlive ^[[22mis | 90 | spoofable. The TCP keepalive option enabled by KeepAlive is |
91 | spoofable. The client alive mechanism is valuable when the client | 91 | spoofable. The client alive mechanism is valuable when the client |
92 | or server depend on knowing when a connection has become inacM-bM-^@M-^P | 92 | or server depend on knowing when a connection has become inac- |
93 | tive. | 93 | tive. |
94 | 94 | ||
95 | The default value is 3. If ^[[1mClientAliveInterval ^[[22m(above) is set to | 95 | The default value is 3. If ClientAliveInterval (above) is set to |
96 | 15, and ^[[1mClientAliveCountMax ^[[22mis left at the default, unresponsive | 96 | 15, and ClientAliveCountMax is left at the default, unresponsive |
97 | ssh clients will be disconnected after approximately 45 seconds. | 97 | ssh clients will be disconnected after approximately 45 seconds. |
98 | 98 | ||
99 | ^[[1mCompression^[[0m | 99 | Compression |
100 | Specifies whether compression is allowed. The argument must be | 100 | Specifies whether compression is allowed. The argument must be |
101 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 101 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
102 | 102 | ||
103 | ^[[1mDenyGroups^[[0m | 103 | DenyGroups |
104 | This keyword can be followed by a list of group name patterns, | 104 | This keyword can be followed by a list of group name patterns, |
105 | separated by spaces. Login is disallowed for users whose primary | 105 | separated by spaces. Login is disallowed for users whose primary |
106 | group or supplementary group list matches one of the patterns. | 106 | group or supplementary group list matches one of the patterns. |
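Review bot: two quoting defects in the AuthorizedKeysFile and Ciphers text pass unchanged into the regenerated right-hand column: line 51 prints the literal percent sign as M-bM-^@M-^Y%M-bM-^@M-^Y (a closing U+2019 on both sides instead of an opening and a closing quote), and lines 72-73 wrap the Ciphers default in doubled single quotes (M-bM-^@M-^XM-bM-^@M-^X ... M-bM-^@M-^YM-bM-^@M-^Y) while every other default on the page uses M-bM-^@M-^\ ... M-bM-^@M-^]. Both come from the markup in the source rather than from the formatter, so they should be fixed in sshd_config.5 before the .0 file is regenerated.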
@@ -108,7 +108,7 @@ SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) | |||
108 | group names are valid; a numerical group ID is not recognized. | 108 | group names are valid; a numerical group ID is not recognized. |
109 | By default, login is allowed for all groups. | 109 | By default, login is allowed for all groups. |
110 | 110 | ||
111 | ^[[1mDenyUsers^[[0m | 111 | DenyUsers |
112 | This keyword can be followed by a list of user name patterns, | 112 | This keyword can be followed by a list of user name patterns, |
113 | separated by spaces. Login is disallowed for user names that | 113 | separated by spaces. Login is disallowed for user names that |
114 | match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards | 114 | match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards |
@@ -118,50 +118,50 @@ SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) | |||
118 | separately checked, restricting logins to particular users from | 118 | separately checked, restricting logins to particular users from |
119 | particular hosts. | 119 | particular hosts. |
120 | 120 | ||
121 | ^[[1mGatewayPorts^[[0m | 121 | GatewayPorts |
122 | Specifies whether remote hosts are allowed to connect to ports | 122 | Specifies whether remote hosts are allowed to connect to ports |
123 | forwarded for the client. By default, ^[[1msshd ^[[22mbinds remote port | 123 | forwarded for the client. By default, sshd binds remote port |
124 | forwardings to the loopback address. This prevents other remote | 124 | forwardings to the loopback address. This prevents other remote |
125 | hosts from connecting to forwarded ports. ^[[1mGatewayPorts ^[[22mcan be | 125 | hosts from connecting to forwarded ports. GatewayPorts can be |
126 | used to specify that ^[[1msshd ^[[22mshould bind remote port forwardings to | 126 | used to specify that sshd should bind remote port forwardings to |
127 | the wildcard address, thus allowing remote hosts to connect to | 127 | the wildcard address, thus allowing remote hosts to connect to |
128 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The | 128 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
129 | default is M-bM-^@M-^\noM-bM-^@M-^]. | 129 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
130 | 130 | ||
131 | ^[[1mHostbasedAuthentication^[[0m | 131 | HostbasedAuthentication |
132 | Specifies whether rhosts or /etc/hosts.equiv authentication | 132 | Specifies whether rhosts or /etc/hosts.equiv authentication |
133 | together with successful public key client host authentication is | 133 | together with successful public key client host authentication is |
134 | allowed (hostbased authentication). This option is similar to | 134 | allowed (hostbased authentication). This option is similar to |
135 | ^[[1mRhostsRSAAuthentication ^[[22mand applies to protocol version 2 only. | 135 | RhostsRSAAuthentication and applies to protocol version 2 only. |
136 | The default is M-bM-^@M-^\noM-bM-^@M-^]. | 136 | The default is M-bM-^@M-^\noM-bM-^@M-^]. |
137 | 137 | ||
138 | ^[[1mHostKey^[[0m | 138 | HostKey |
139 | Specifies a file containing a private host key used by SSH. The | 139 | Specifies a file containing a private host key used by SSH. The |
140 | default is ^[[4m/etc/ssh/ssh_host_key^[[24m for protocol version 1, and | 140 | default is /etc/ssh/ssh_host_key for protocol version 1, and |
141 | ^[[4m/etc/ssh/ssh_host_rsa_key^[[24m and ^[[4m/etc/ssh/ssh_host_dsa_key^[[24m for proM-bM-^@M-^P | 141 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- |
142 | tocol version 2. Note that ^[[1msshd ^[[22mwill refuse to use a file if it | 142 | tocol version 2. Note that sshd will refuse to use a file if it |
143 | is group/worldM-bM-^@M-^Paccessible. It is possible to have multiple host | 143 | is group/world-accessible. It is possible to have multiple host |
144 | key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] | 144 | key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] |
145 | are used for version 2 of the SSH protocol. | 145 | are used for version 2 of the SSH protocol. |
146 | 146 | ||
147 | ^[[1mIgnoreRhosts^[[0m | 147 | IgnoreRhosts |
148 | Specifies that ^[[4m.rhosts^[[24m and ^[[4m.shosts^[[24m files will not be used in | 148 | Specifies that .rhosts and .shosts files will not be used in |
149 | ^[[1mRhostsAuthentication^[[22m, ^[[1mRhostsRSAAuthentication ^[[22mor | 149 | RhostsAuthentication, RhostsRSAAuthentication or |
150 | ^[[1mHostbasedAuthentication^[[22m. | 150 | HostbasedAuthentication. |
151 | 151 | ||
152 | ^[[4m/etc/hosts.equiv^[[24m and ^[[4m/etc/shosts.equiv^[[24m are still used. The | 152 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The |
153 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 153 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
154 | 154 | ||
155 | ^[[1mIgnoreUserKnownHosts^[[0m | 155 | IgnoreUserKnownHosts |
156 | Specifies whether ^[[1msshd ^[[22mshould ignore the userM-bM-^@M-^Ys | 156 | Specifies whether sshd should ignore the userM-bM-^@M-^Ys |
157 | ^[[4m$HOME/.ssh/known_hosts^[[24m during ^[[1mRhostsRSAAuthentication ^[[22mor | 157 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or |
158 | ^[[1mHostbasedAuthentication^[[22m. The default is M-bM-^@M-^\noM-bM-^@M-^]. | 158 | HostbasedAuthentication. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
159 | 159 | ||
160 | ^[[1mKeepAlive^[[0m | 160 | KeepAlive |
161 | Specifies whether the system should send TCP keepalive messages | 161 | Specifies whether the system should send TCP keepalive messages |
162 | to the other side. If they are sent, death of the connection or | 162 | to the other side. If they are sent, death of the connection or |
163 | crash of one of the machines will be properly noticed. However, | 163 | crash of one of the machines will be properly noticed. However, |
164 | this means that connections will die if the route is down temM-bM-^@M-^P | 164 | this means that connections will die if the route is down tem- |
165 | porarily, and some people find it annoying. On the other hand, | 165 | porarily, and some people find it annoying. On the other hand, |
166 | if keepalives are not sent, sessions may hang indefinitely on the | 166 | if keepalives are not sent, sessions may hang indefinitely on the |
167 | server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming server resources. | 167 | server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming server resources. |
@@ -172,273 +172,272 @@ SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) | |||
172 | 172 | ||
173 | To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. | 173 | To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. |
174 | 174 | ||
175 | ^[[1mKerberosAuthentication^[[0m | 175 | KerberosAuthentication |
176 | Specifies whether Kerberos authentication is allowed. This can | 176 | Specifies whether Kerberos authentication is allowed. This can |
177 | be in the form of a Kerberos ticket, or if ^[[1mPasswordAuthentication^[[0m | 177 | be in the form of a Kerberos ticket, or if PasswordAuthentication |
178 | is yes, the password provided by the user will be validated | 178 | is yes, the password provided by the user will be validated |
179 | through the Kerberos KDC. To use this option, the server needs a | 179 | through the Kerberos KDC. To use this option, the server needs a |
180 | Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys idenM-bM-^@M-^P | 180 | Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys iden- |
181 | tity. Default is M-bM-^@M-^\noM-bM-^@M-^]. | 181 | tity. Default is M-bM-^@M-^\noM-bM-^@M-^]. |
182 | 182 | ||
183 | ^[[1mKerberosOrLocalPasswd^[[0m | 183 | KerberosOrLocalPasswd |
184 | If set then if password authentication through Kerberos fails | 184 | If set then if password authentication through Kerberos fails |
185 | then the password will be validated via any additional local | 185 | then the password will be validated via any additional local |
186 | mechanism such as ^[[4m/etc/passwd^[[24m. Default is M-bM-^@M-^\yesM-bM-^@M-^]. | 186 | mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^]. |
187 | 187 | ||
188 | ^[[1mKerberosTgtPassing^[[0m | 188 | KerberosTgtPassing |
189 | Specifies whether a Kerberos TGT may be forwarded to the server. | 189 | Specifies whether a Kerberos TGT may be forwarded to the server. |
190 | Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is | 190 | Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is |
191 | actually an AFS kaserver. | 191 | actually an AFS kaserver. |
192 | 192 | ||
193 | ^[[1mKerberosTicketCleanup^[[0m | 193 | KerberosTicketCleanup |
194 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket | 194 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket |
195 | cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. | 195 | cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. |
196 | 196 | ||
197 | ^[[1mKeyRegenerationInterval^[[0m | 197 | KeyRegenerationInterval |
198 | In protocol version 1, the ephemeral server key is automatically | 198 | In protocol version 1, the ephemeral server key is automatically |
199 | regenerated after this many seconds (if it has been used). The | 199 | regenerated after this many seconds (if it has been used). The |
200 | purpose of regeneration is to prevent decrypting captured sesM-bM-^@M-^P | 200 | purpose of regeneration is to prevent decrypting captured ses- |
201 | sions by later breaking into the machine and stealing the keys. | 201 | sions by later breaking into the machine and stealing the keys. |
202 | The key is never stored anywhere. If the value is 0, the key is | 202 | The key is never stored anywhere. If the value is 0, the key is |
203 | never regenerated. The default is 3600 (seconds). | 203 | never regenerated. The default is 3600 (seconds). |
204 | 204 | ||
205 | ^[[1mListenAddress^[[0m | 205 | ListenAddress |
206 | Specifies the local addresses ^[[1msshd ^[[22mshould listen on. The followM-bM-^@M-^P | 206 | Specifies the local addresses sshd should listen on. The follow- |
207 | ing forms may be used: | 207 | ing forms may be used: |
208 | 208 | ||
209 | ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m|^[[4mIPv6_addr^[[0m | 209 | ListenAddress host|IPv4_addr|IPv6_addr |
210 | ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m:^[[4mport^[[0m | 210 | ListenAddress host|IPv4_addr:port |
211 | ^[[1mListenAddress ^[[22m[^[[4mhost^[[24m|^[[4mIPv6_addr^[[24m]:^[[4mport^[[0m | 211 | ListenAddress [host|IPv6_addr]:port |
212 | 212 | ||
213 | If ^[[4mport^[[24m is not specified, ^[[1msshd ^[[22mwill listen on the address and all | 213 | If port is not specified, sshd will listen on the address and all |
214 | prior ^[[1mPort ^[[22moptions specified. The default is to listen on all | 214 | prior Port options specified. The default is to listen on all |
215 | local addresses. Multiple ^[[1mListenAddress ^[[22moptions are permitted. | 215 | local addresses. Multiple ListenAddress options are permitted. |
216 | Additionally, any ^[[1mPort ^[[22moptions must precede this option for non | 216 | Additionally, any Port options must precede this option for non |
217 | port qualified addresses. | 217 | port qualified addresses. |
218 | 218 | ||
219 | ^[[1mLoginGraceTime^[[0m | 219 | LoginGraceTime |
220 | The server disconnects after this time if the user has not sucM-bM-^@M-^P | 220 | The server disconnects after this time if the user has not suc- |
221 | cessfully logged in. If the value is 0, there is no time limit. | 221 | cessfully logged in. If the value is 0, there is no time limit. |
222 | The default is 120 seconds. | 222 | The default is 120 seconds. |
223 | 223 | ||
224 | ^[[1mLogLevel^[[0m | 224 | LogLevel |
225 | Gives the verbosity level that is used when logging messages from | 225 | Gives the verbosity level that is used when logging messages from |
226 | ^[[1msshd^[[22m. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-bM-^@M-^P | 226 | sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VER- |
227 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. | 227 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. |
228 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | 228 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
229 | higher levels of debugging output. Logging with a DEBUG level | 229 | higher levels of debugging output. Logging with a DEBUG level |
230 | violates the privacy of users and is not recommended. | 230 | violates the privacy of users and is not recommended. |
231 | 231 | ||
232 | ^[[1mMACs ^[[22mSpecifies the available MAC (message authentication code) algoM-bM-^@M-^P | 232 | MACs Specifies the available MAC (message authentication code) algo- |
233 | rithms. The MAC algorithm is used in protocol version 2 for data | 233 | rithms. The MAC algorithm is used in protocol version 2 for data |
234 | integrity protection. Multiple algorithms must be commaM-bM-^@M-^PsepaM-bM-^@M-^P | 234 | integrity protection. Multiple algorithms must be comma-sepa- |
235 | rated. The default is | 235 | rated. The default is |
236 | M-bM-^@M-^\hmacM-bM-^@M-^Pmd5,hmacM-bM-^@M-^Psha1,hmacM-bM-^@M-^Pripemd160,hmacM-bM-^@M-^Psha1M-bM-^@M-^P96,hmacM-bM-^@M-^Pmd5M-bM-^@M-^P96M-bM-^@M-^]. | 236 | M-bM-^@M-^\hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96M-bM-^@M-^]. |
237 | 237 | ||
238 | ^[[1mMaxStartups^[[0m | 238 | MaxStartups |
239 | Specifies the maximum number of concurrent unauthenticated conM-bM-^@M-^P | 239 | Specifies the maximum number of concurrent unauthenticated con- |
240 | nections to the ^[[1msshd ^[[22mdaemon. Additional connections will be | 240 | nections to the sshd daemon. Additional connections will be |
241 | dropped until authentication succeeds or the ^[[1mLoginGraceTime^[[0m | 241 | dropped until authentication succeeds or the LoginGraceTime |
242 | expires for a connection. The default is 10. | 242 | expires for a connection. The default is 10. |
243 | 243 | ||
244 | Alternatively, random early drop can be enabled by specifying the | 244 | Alternatively, random early drop can be enabled by specifying the |
245 | three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g., | 245 | three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g., |
246 | "10:30:60"). ^[[1msshd ^[[22mwill refuse connection attempts with a probaM-bM-^@M-^P | 246 | "10:30:60"). sshd will refuse connection attempts with a proba- |
247 | bility of M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10) | 247 | bility of M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10) |
248 | unauthenticated connections. The probability increases linearly | 248 | unauthenticated connections. The probability increases linearly |
249 | and all connection attempts are refused if the number of unauM-bM-^@M-^P | 249 | and all connection attempts are refused if the number of unau- |
250 | thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). | 250 | thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). |
251 | 251 | ||
252 | ^[[1mPAMAuthenticationViaKbdInt^[[0m | 252 | PAMAuthenticationViaKbdInt |
253 | Specifies whether PAM challenge response authentication is | 253 | Specifies whether PAM challenge response authentication is |
254 | allowed. This allows the use of most PAM challenge response | 254 | allowed. This allows the use of most PAM challenge response |
255 | authentication modules, but it will allow password authentication | 255 | authentication modules, but it will allow password authentication |
256 | regardless of whether ^[[1mPasswordAuthentication ^[[22mis enabled. | 256 | regardless of whether PasswordAuthentication is enabled. |
257 | 257 | ||
258 | ^[[1mPasswordAuthentication^[[0m | 258 | PasswordAuthentication |
259 | Specifies whether password authentication is allowed. The | 259 | Specifies whether password authentication is allowed. The |
260 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 260 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
261 | 261 | ||
262 | ^[[1mPermitEmptyPasswords^[[0m | 262 | PermitEmptyPasswords |
263 | When password authentication is allowed, it specifies whether the | 263 | When password authentication is allowed, it specifies whether the |
264 | server allows login to accounts with empty password strings. The | 264 | server allows login to accounts with empty password strings. The |
265 | default is M-bM-^@M-^\noM-bM-^@M-^]. | 265 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
266 | 266 | ||
267 | ^[[1mPermitRootLogin^[[0m | 267 | PermitRootLogin |
268 | Specifies whether root can login using ssh(1). The argument must | 268 | Specifies whether root can login using ssh(1). The argument must |
269 | be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^], M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. | 269 | be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. |
270 | The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 270 | The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
271 | 271 | ||
272 | If this option is set to M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^] password authenticaM-bM-^@M-^P | 272 | If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^] password authentica- |
273 | tion is disabled for root. | 273 | tion is disabled for root. |
274 | 274 | ||
275 | If this option is set to M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] root login with | 275 | If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with |
276 | public key authentication will be allowed, but only if the | 276 | public key authentication will be allowed, but only if the |
277 | ^[[4mcommand^[[24m option has been specified (which may be useful for taking | 277 | command option has been specified (which may be useful for taking |
278 | remote backups even if root login is normally not allowed). All | 278 | remote backups even if root login is normally not allowed). All |
279 | other authentication methods are disabled for root. | 279 | other authentication methods are disabled for root. |
280 | 280 | ||
281 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. | 281 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. |
282 | 282 | ||
283 | ^[[1mPermitUserEnvironment^[[0m | 283 | PermitUserEnvironment |
284 | Specifies whether ^[[4m~/.ssh/environment^[[24m and ^[[1menvironment= ^[[22moptions in | 284 | Specifies whether ~/.ssh/environment and environment= options in |
285 | ^[[4m~/.ssh/authorized_keys^[[24m are processed by ^[[1msshd^[[22m. The default is | 285 | ~/.ssh/authorized_keys are processed by sshd. The default is |
286 | M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass | 286 | M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass |
287 | access restrictions in some configurations using mechanisms such | 287 | access restrictions in some configurations using mechanisms such |
288 | as LD_PRELOAD. | 288 | as LD_PRELOAD. |
289 | 289 | ||
290 | ^[[1mPidFile^[[0m | 290 | PidFile |
291 | Specifies the file that contains the process ID of the ^[[1msshd ^[[22mdaeM-bM-^@M-^P | 291 | Specifies the file that contains the process ID of the sshd dae- |
292 | mon. The default is ^[[4m/var/run/sshd.pid^[[24m. | 292 | mon. The default is /var/run/sshd.pid. |
293 | 293 | ||
294 | ^[[1mPort ^[[22mSpecifies the port number that ^[[1msshd ^[[22mlistens on. The default is | 294 | Port Specifies the port number that sshd listens on. The default is |
295 | 22. Multiple options of this type are permitted. See also | 295 | 22. Multiple options of this type are permitted. See also |
296 | ^[[1mListenAddress^[[22m. | 296 | ListenAddress. |
297 | 297 | ||
298 | ^[[1mPrintLastLog^[[0m | 298 | PrintLastLog |
299 | Specifies whether ^[[1msshd ^[[22mshould print the date and time when the | 299 | Specifies whether sshd should print the date and time when the |
300 | user last logged in. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 300 | user last logged in. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
301 | 301 | ||
302 | ^[[1mPrintMotd^[[0m | 302 | PrintMotd |
303 | Specifies whether ^[[1msshd ^[[22mshould print ^[[4m/etc/motd^[[24m when a user logs in | 303 | Specifies whether sshd should print /etc/motd when a user logs in |
304 | interactively. (On some systems it is also printed by the shell, | 304 | interactively. (On some systems it is also printed by the shell, |
305 | ^[[4m/etc/profile^[[24m, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 305 | /etc/profile, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
306 | 306 | ||
307 | ^[[1mProtocol^[[0m | 307 | Protocol |
308 | Specifies the protocol versions ^[[1msshd ^[[22msupports. The possible valM-bM-^@M-^P | 308 | Specifies the protocol versions sshd supports. The possible val- |
309 | ues are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple versions must be commaM-bM-^@M-^Pseparated. | 309 | ues are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple versions must be comma-separated. |
310 | The default is M-bM-^@M-^\2,1M-bM-^@M-^]. Note that the order of the protocol list | 310 | The default is M-bM-^@M-^\2,1M-bM-^@M-^]. Note that the order of the protocol list |
311 | does not indicate preference, because the client selects among | 311 | does not indicate preference, because the client selects among |
312 | multiple protocol versions offered by the server. Specifying | 312 | multiple protocol versions offered by the server. Specifying |
313 | M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. | 313 | M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. |
314 | 314 | ||
315 | ^[[1mPubkeyAuthentication^[[0m | 315 | PubkeyAuthentication |
316 | Specifies whether public key authentication is allowed. The | 316 | Specifies whether public key authentication is allowed. The |
317 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol verM-bM-^@M-^P | 317 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver- |
318 | sion 2 only. | 318 | sion 2 only. |
319 | 319 | ||
320 | ^[[1mRhostsAuthentication^[[0m | 320 | RhostsAuthentication |
321 | Specifies whether authentication using rhosts or /etc/hosts.equiv | 321 | Specifies whether authentication using rhosts or /etc/hosts.equiv |
322 | files is sufficient. Normally, this method should not be permitM-bM-^@M-^P | 322 | files is sufficient. Normally, this method should not be permit- |
323 | ted because it is insecure. ^[[1mRhostsRSAAuthentication ^[[22mshould be | 323 | ted because it is insecure. RhostsRSAAuthentication should be |
324 | used instead, because it performs RSAM-bM-^@M-^Pbased host authentication | 324 | used instead, because it performs RSA-based host authentication |
325 | in addition to normal rhosts or /etc/hosts.equiv authentication. | 325 | in addition to normal rhosts or /etc/hosts.equiv authentication. |
326 | The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 | 326 | The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 |
327 | only. | 327 | only. |
328 | 328 | ||
329 | ^[[1mRhostsRSAAuthentication^[[0m | 329 | RhostsRSAAuthentication |
330 | Specifies whether rhosts or /etc/hosts.equiv authentication | 330 | Specifies whether rhosts or /etc/hosts.equiv authentication |
331 | together with successful RSA host authentication is allowed. The | 331 | together with successful RSA host authentication is allowed. The |
332 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. | 332 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. |
333 | 333 | ||
334 | ^[[1mRSAAuthentication^[[0m | 334 | RSAAuthentication |
335 | Specifies whether pure RSA authentication is allowed. The | 335 | Specifies whether pure RSA authentication is allowed. The |
336 | default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1 | 336 | default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1 |
337 | only. | 337 | only. |
338 | 338 | ||
339 | ^[[1mServerKeyBits^[[0m | 339 | ServerKeyBits |
340 | Defines the number of bits in the ephemeral protocol version 1 | 340 | Defines the number of bits in the ephemeral protocol version 1 |
341 | server key. The minimum value is 512, and the default is 768. | 341 | server key. The minimum value is 512, and the default is 768. |
342 | 342 | ||
343 | ^[[1mStrictModes^[[0m | 343 | StrictModes |
344 | Specifies whether ^[[1msshd ^[[22mshould check file modes and ownership of | 344 | Specifies whether sshd should check file modes and ownership of |
345 | the userM-bM-^@M-^Ys files and home directory before accepting login. This | 345 | the userM-bM-^@M-^Ys files and home directory before accepting login. This |
346 | is normally desirable because novices sometimes accidentally | 346 | is normally desirable because novices sometimes accidentally |
347 | leave their directory or files worldM-bM-^@M-^Pwritable. The default is | 347 | leave their directory or files world-writable. The default is |
348 | M-bM-^@M-^\yesM-bM-^@M-^]. | 348 | M-bM-^@M-^\yesM-bM-^@M-^]. |
349 | 349 | ||
350 | ^[[1mSubsystem^[[0m | 350 | Subsystem |
351 | Configures an external subsystem (e.g., file transfer daemon). | 351 | Configures an external subsystem (e.g., file transfer daemon). |
352 | Arguments should be a subsystem name and a command to execute | 352 | Arguments should be a subsystem name and a command to execute |
353 | upon subsystem request. The command sftpM-bM-^@M-^Pserver(8) implements | 353 | upon subsystem request. The command sftp-server(8) implements |
354 | the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer subsystem. By default no subsystems are | 354 | the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer subsystem. By default no subsystems are |
355 | defined. Note that this option applies to protocol version 2 | 355 | defined. Note that this option applies to protocol version 2 |
356 | only. | 356 | only. |
357 | 357 | ||
358 | ^[[1mSyslogFacility^[[0m | 358 | SyslogFacility |
359 | Gives the facility code that is used when logging messages from | 359 | Gives the facility code that is used when logging messages from |
360 | ^[[1msshd^[[22m. The possible values are: DAEMON, USER, AUTH, LOCAL0, | 360 | sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, |
361 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The | 361 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The |
362 | default is AUTH. | 362 | default is AUTH. |
363 | 363 | ||
364 | ^[[1mUseLogin^[[0m | 364 | UseLogin |
365 | Specifies whether login(1) is used for interactive login sesM-bM-^@M-^P | 365 | Specifies whether login(1) is used for interactive login ses- |
366 | sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used | 366 | sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used |
367 | for remote command execution. Note also, that if this is | 367 | for remote command execution. Note also, that if this is |
368 | enabled, ^[[1mX11Forwarding ^[[22mwill be disabled because login(1) does not | 368 | enabled, X11Forwarding will be disabled because login(1) does not |
369 | know how to handle xauth(1) cookies. If ^[[1mUsePrivilegeSeparation^[[0m | 369 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation |
370 | is specified, it will be disabled after authentication. | 370 | is specified, it will be disabled after authentication. |
371 | 371 | ||
372 | ^[[1mUsePrivilegeSeparation^[[0m | 372 | UsePrivilegeSeparation |
373 | Specifies whether ^[[1msshd ^[[22mseparates privileges by creating an | 373 | Specifies whether sshd separates privileges by creating an |
374 | unprivileged child process to deal with incoming network traffic. | 374 | unprivileged child process to deal with incoming network traffic. |
375 | After successful authentication, another process will be created | 375 | After successful authentication, another process will be created |
376 | that has the privilege of the authenticated user. The goal of | 376 | that has the privilege of the authenticated user. The goal of |
377 | privilege separation is to prevent privilege escalation by conM-bM-^@M-^P | 377 | privilege separation is to prevent privilege escalation by con- |
378 | taining any corruption within the unprivileged processes. The | 378 | taining any corruption within the unprivileged processes. The |
379 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 379 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
380 | 380 | ||
381 | ^[[1mVerifyReverseMapping^[[0m | 381 | VerifyReverseMapping |
382 | Specifies whether ^[[1msshd ^[[22mshould try to verify the remote host name | 382 | Specifies whether sshd should try to verify the remote host name |
383 | and check that the resolved host name for the remote IP address | 383 | and check that the resolved host name for the remote IP address |
384 | maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^]. | 384 | maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
385 | 385 | ||
386 | ^[[1mX11DisplayOffset^[[0m | 386 | X11DisplayOffset |
387 | Specifies the first display number available for ^[[1msshd^[[22mM-bM-^@M-^Ys X11 forM-bM-^@M-^P | 387 | Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for- |
388 | warding. This prevents ^[[1msshd ^[[22mfrom interfering with real X11 | 388 | warding. This prevents sshd from interfering with real X11 |
389 | servers. The default is 10. | 389 | servers. The default is 10. |
390 | 390 | ||
391 | ^[[1mX11Forwarding^[[0m | 391 | X11Forwarding |
392 | Specifies whether X11 forwarding is permitted. The argument must | 392 | Specifies whether X11 forwarding is permitted. The argument must |
393 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. | 393 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
394 | 394 | ||
395 | When X11 forwarding is enabled, there may be additional exposure | 395 | When X11 forwarding is enabled, there may be additional exposure |
396 | to the server and to client displays if the ^[[1msshd ^[[22mproxy display is | 396 | to the server and to client displays if the sshd proxy display is |
397 | configured to listen on the wildcard address (see ^[[1mX11UseLocalhost^[[0m | 397 | configured to listen on the wildcard address (see X11UseLocalhost |
398 | below), however this is not the default. Additionally, the | 398 | below), however this is not the default. Additionally, the |
399 | authentication spoofing and authentication data verification and | 399 | authentication spoofing and authentication data verification and |
400 | substitution occur on the client side. The security risk of | 400 | substitution occur on the client side. The security risk of |
401 | using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may | 401 | using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may |
402 | be exposed to attack when the ssh client requests forwarding (see | 402 | be exposed to attack when the ssh client requests forwarding (see |
403 | the warnings for ^[[1mForwardX11 ^[[22min ssh_config(5) ). A system adminisM-bM-^@M-^P | 403 | the warnings for ForwardX11 in ssh_config(5) ). A system adminis- |
404 | trator may have a stance in which they want to protect clients | 404 | trator may have a stance in which they want to protect clients |
405 | that may expose themselves to attack by unwittingly requesting | 405 | that may expose themselves to attack by unwittingly requesting |
406 | X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. | 406 | X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. |
407 | 407 | ||
408 | Note that disabling X11 forwarding does not prevent users from | 408 | Note that disabling X11 forwarding does not prevent users from |
409 | forwarding X11 traffic, as users can always install their own | 409 | forwarding X11 traffic, as users can always install their own |
410 | forwarders. X11 forwarding is automatically disabled if ^[[1mUseLogin^[[0m | 410 | forwarders. X11 forwarding is automatically disabled if UseLogin |
411 | is enabled. | 411 | is enabled. |
412 | 412 | ||
413 | ^[[1mX11UseLocalhost^[[0m | 413 | X11UseLocalhost |
414 | Specifies whether ^[[1msshd ^[[22mshould bind the X11 forwarding server to | 414 | Specifies whether sshd should bind the X11 forwarding server to |
415 | the loopback address or to the wildcard address. By default, | 415 | the loopback address or to the wildcard address. By default, |
416 | ^[[1msshd ^[[22mbinds the forwarding server to the loopback address and sets | 416 | sshd binds the forwarding server to the loopback address and sets |
417 | the hostname part of the DISPLAY environment variable to | 417 | the hostname part of the DISPLAY environment variable to |
418 | M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the | 418 | M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the |
419 | proxy display. However, some older X11 clients may not function | 419 | proxy display. However, some older X11 clients may not function |
420 | with this configuration. ^[[1mX11UseLocalhost ^[[22mmay be set to M-bM-^@M-^\noM-bM-^@M-^] to | 420 | with this configuration. X11UseLocalhost may be set to M-bM-^@M-^\noM-bM-^@M-^] to |
421 | specify that the forwarding server should be bound to the wildM-bM-^@M-^P | 421 | specify that the forwarding server should be bound to the wild- |
422 | card address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default | 422 | card address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default |
423 | is M-bM-^@M-^\yesM-bM-^@M-^]. | 423 | is M-bM-^@M-^\yesM-bM-^@M-^]. |
424 | 424 | ||
425 | ^[[1mXAuthLocation^[[0m | 425 | XAuthLocation |
426 | Specifies the full pathname of the xauth(1) program. The default | 426 | Specifies the full pathname of the xauth(1) program. The default |
427 | is ^[[4m/usr/X11R6/bin/xauth^[[24m. | 427 | is /usr/X11R6/bin/xauth. |
428 | |||
429 | ^[[1mTime Formats^[[0m | ||
430 | 428 | ||
431 | ^[[1msshd ^[[22mcommandM-bM-^@M-^Pline arguments and configuration file options that specify | 429 | Time Formats |
432 | time may be expressed using a sequence of the form: ^[[4mtime^[[24m[^[[4mqualifier^[[24m], | 430 | sshd command-line arguments and configuration file options that specify |
433 | where ^[[4mtime^[[24m is a positive integer value and ^[[4mqualifier^[[24m is one of the folM-bM-^@M-^P | 431 | time may be expressed using a sequence of the form: time[qualifier], |
432 | where time is a positive integer value and qualifier is one of the fol- | ||
434 | lowing: | 433 | lowing: |
435 | 434 | ||
436 | ^[[1m<none> ^[[22mseconds | 435 | <none> seconds |
437 | ^[[1ms ^[[22m| ^[[1mS ^[[22mseconds | 436 | s | S seconds |
438 | ^[[1mm ^[[22m| ^[[1mM ^[[22mminutes | 437 | m | M minutes |
439 | ^[[1mh ^[[22m| ^[[1mH ^[[22mhours | 438 | h | H hours |
440 | ^[[1md ^[[22m| ^[[1mD ^[[22mdays | 439 | d | D days |
441 | ^[[1mw ^[[22m| ^[[1mW ^[[22mweeks | 440 | w | W weeks |
442 | 441 | ||
443 | Each member of the sequence is added together to calculate the total time | 442 | Each member of the sequence is added together to calculate the total time |
444 | value. | 443 | value. |
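Review bot: the regeneration is only half-way to plain ASCII: the ANSI bold/underline escapes (`^[[1m`, `^[[4m`) and the U+2010 hyphens (`M-bM-^@M-^P`) are gone from the right-hand side, but the typographic quotes and apostrophes survive unchanged, e.g. `The default is M-bM-^@M-^\noM-bM-^@M-^].` and `the userM-bM-^@M-^Ys files`. A shipped `.0` file is meant to be readable with `cat` or `more` on any terminal, so it should be produced with an ASCII output device (`mandoc -Tascii` or `nroff -Tascii`, then `col -b` to drop backspace overstrikes) so those become `"no"` and `user's`; otherwise a non-UTF-8 terminal shows the mojibake seen here. Separately, the new rendering drops the blank line that sat between the `Time Formats` subheading and its first paragraph (old 428/429/430 versus new 428/429/430), which shifts every later line by one; that is a formatter difference rather than a content edit, but it is worth confirming with a whitespace-insensitive compare (`diff -w` of the two files after stripping escapes) that no other text changed, since the security-relevant defaults in this region (PermitUserEnvironment no, StrictModes yes, UsePrivilegeSeparation yes, X11UseLocalhost yes, Protocol 2,1) must come through exactly.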
@@ -449,21 +448,21 @@ SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) | |||
449 | 10m 10 minutes | 448 | 10m 10 minutes |
450 | 1h30m 1 hour 30 minutes (90 minutes) | 449 | 1h30m 1 hour 30 minutes (90 minutes) |
451 | 450 | ||
452 | ^[[1mFILES^[[0m | 451 | FILES |
453 | /etc/ssh/sshd_config | 452 | /etc/ssh/sshd_config |
454 | Contains configuration data for ^[[1msshd^[[22m. This file should be | 453 | Contains configuration data for sshd. This file should be |
455 | writable by root only, but it is recommended (though not necesM-bM-^@M-^P | 454 | writable by root only, but it is recommended (though not neces- |
456 | sary) that it be worldM-bM-^@M-^Preadable. | 455 | sary) that it be world-readable. |
457 | 456 | ||
458 | ^[[1mAUTHORS^[[0m | 457 | AUTHORS |
459 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 458 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
460 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 459 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
461 | de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P | 460 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- |
462 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 461 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
463 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 462 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
464 | for privilege separation. | 463 | for privilege separation. |
465 | 464 | ||
466 | ^[[1mSEE ALSO^[[0m | 465 | SEE ALSO |
467 | sshd(8) | 466 | sshd(8) |
468 | 467 | ||
469 | BSD September 25, 1999 BSD | 468 | BSD September 25, 1999 BSD |
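Review bot: the `@@ -449,21 +448,21 @@` offset is explained by the one blank line dropped earlier around the `Time Formats` subheading, and within this hunk the only differences are the stripped escapes and the U+2010 hyphens in `neces-sary`, `world-readable`, `re-added` and `cre-ated` becoming ASCII `-`, so the FILES guidance (root-writable, optionally world-readable) is carried over intact. Note that the footer still reads `September 25, 1999` on both sides even though the AUTHORS paragraph above it credits privilege-separation support; if the regeneration was meant to refresh the page, the `.Dd` in `sshd_config.5` should be bumped before the `.0` is rebuilt, otherwise the unchanged date is expected and fine.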