Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 76 |
1 files changed, 50 insertions, 26 deletions
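--- a/sshd_config.0
+++ b/sshd_config.0
@@ -6,9 +6,10 @@ NAME
 DESCRIPTION
 sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
 specified with -f on the command line). The file contains keyword-
-argument pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines
-are interpreted as comments. Arguments may optionally be enclosed in
-double quotes (") in order to represent arguments containing spaces.
+argument pairs, one per line. For each keyword, the first obtained value
+will be used. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as
+comments. Arguments may optionally be enclosed in double quotes (") in
+order to represent arguments containing spaces.
 
 The possible keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
@@ -422,9 +423,8 @@ DESCRIPTION
 
 HostKey
 Specifies a file containing a private host key used by SSH. The
-defaults are /etc/ssh/ssh_host_dsa_key,
-/etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and
-/etc/ssh/ssh_host_rsa_key.
+defaults are /etc/ssh/ssh_host_ecdsa_key,
+/etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key.
 
 Note that sshd(8) will refuse to use a file if it is group/world-
 accessible and that the HostKeyAlgorithms option restricts which
@@ -465,8 +465,9 @@ DESCRIPTION
 
 IgnoreUserKnownHosts
 Specifies whether sshd(8) should ignore the user's
-~/.ssh/known_hosts during HostbasedAuthentication. The default
-is no.
+~/.ssh/known_hosts during HostbasedAuthentication and use only
+the system-wide known hosts file /etc/ssh/known_hosts. The
+default is no.
 
 IPQoS Specifies the IPv4 type-of-service or DSCP class for the
 connection. Accepted values are af11, af12, af13, af21, af22,
@@ -521,6 +522,9 @@ DESCRIPTION
 curve25519-sha256@libssh.org
 diffie-hellman-group1-sha1
 diffie-hellman-group14-sha1
+diffie-hellman-group14-sha256
+diffie-hellman-group16-sha512
+diffie-hellman-group18-sha512
 diffie-hellman-group-exchange-sha1
 diffie-hellman-group-exchange-sha256
 ecdh-sha2-nistp256
@@ -532,7 +536,8 @@ DESCRIPTION
 curve25519-sha256,curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group14-sha1
+diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 
 The list of available key exchange algorithms may also be
 obtained using "ssh -Q kex".
@@ -541,13 +546,18 @@ DESCRIPTION
 Specifies the local addresses sshd(8) should listen on. The
 following forms may be used:
 
-ListenAddress host|IPv4_addr|IPv6_addr
-ListenAddress host|IPv4_addr:port
-ListenAddress [host|IPv6_addr]:port
+ListenAddress hostname|address [rdomain domain]
+ListenAddress hostname:port [rdomain domain]
+ListenAddress IPv4_address:port [rdomain domain]
+ListenAddress [hostname|address]:port [rdomain domain]
 
-If port is not specified, sshd will listen on the address and all
-Port options specified. The default is to listen on all local
-addresses. Multiple ListenAddress options are permitted.
+The optional rdomain qualifier requests sshd(8) listen in an
+explicit routing domain. If port is not specified, sshd will
+listen on the address and all Port options specified. The
+default is to listen on all local addresses on the current
+default routing domain. Multiple ListenAddress options are
+permitted. For more information on routing domains, see
+rdomain(4).
 
 LoginGraceTime
 The server disconnects after this time if the user has not
@@ -612,10 +622,13 @@ DESCRIPTION
 
 The arguments to Match are one or more criteria-pattern pairs or
 the single token All which matches all criteria. The available
-criteria are User, Group, Host, LocalAddress, LocalPort, and
-Address. The match patterns may consist of single entries or
-comma-separated lists and may use the wildcard and negation
-operators described in the PATTERNS section of ssh_config(5).
+criteria are User, Group, Host, LocalAddress, LocalPort, RDomain,
+and Address (with RDomain representing the rdomain(4) on which
+the connection was received.)
+
+The match patterns may consist of single entries or comma-
+separated lists and may use the wildcard and negation operators
+described in the PATTERNS section of ssh_config(5).
 
 The patterns in an Address criteria may additionally contain
 addresses to match in CIDR address/masklen format, such as
@@ -640,7 +653,7 @@ DESCRIPTION
 MaxAuthTries, MaxSessions, PasswordAuthentication,
 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY,
 PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes,
-PubkeyAuthentication, RekeyLimit, RevokedKeys,
+PubkeyAuthentication, RekeyLimit, RevokedKeys, RDomain,
 StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys,
 X11DisplayOffset, X11Forwarding and X11UseLocalHost.
 
@@ -700,12 +713,12 @@ DESCRIPTION
 
 PermitRootLogin
 Specifies whether root can log in using ssh(1). The argument
-must be yes, prohibit-password, without-password,
-forced-commands-only, or no. The default is prohibit-password.
+must be yes, prohibit-password, forced-commands-only, or no. The
+default is prohibit-password.
 
-If this option is set to prohibit-password or without-password,
-password and keyboard-interactive authentication are disabled for
-root.
+If this option is set to prohibit-password (or its deprecated
+alias, without-password), password and keyboard-interactive
+authentication are disabled for root.
 
 If this option is set to forced-commands-only, root login with
 public key authentication will be allowed, but only if the
@@ -807,6 +820,13 @@ DESCRIPTION
 ssh-keygen(1). For more information on KRLs, see the KEY
 REVOCATION LISTS section in ssh-keygen(1).
 
+RDomain
+Specifies an explicit routing domain that is applied after
+authentication has completed. The user session, as well and any
+forwarded or listening IP sockets, will be bound to this
+rdomain(4). If the routing domain is set to %D, then the domain
+in which the incoming connection was received will be applied.
+
 StreamLocalBindMask
 Sets the octal file creation mode mask (umask) used when creating
 a Unix-domain socket file for local or remote port forwarding.
@@ -980,6 +1000,8 @@ TOKENS
 runtime:
 
 %% A literal M-bM-^@M-^X%M-bM-^@M-^Y.
+%D The routing domain in which the incoming connection was
+received.
 %F The fingerprint of the CA key.
 %f The fingerprint of the key or certificate.
 %h The home directory of the user.
@@ -1002,6 +1024,8 @@ TOKENS
 
 ChrootDirectory accepts the tokens %%, %h, and %u.
 
+RoutingDomain accepts the token %D.
+
 FILES
 /etc/ssh/sshd_config
 Contains configuration data for sshd(8). This file should be
@@ -1019,4 +1043,4 @@ AUTHORS
 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
 for privilege separation.
 
-OpenBSD 6.2 September 27, 2017 OpenBSD 6.2
+OpenBSD 6.2 February 16, 2018 OpenBSD 6.2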