Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 120 |
1 files changed, 78 insertions, 42 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 95c17fc8d..0498495fe 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -16,17 +16,17 @@ DESCRIPTION | |||
16 | 16 | ||
17 | AcceptEnv | 17 | AcceptEnv |
18 | Specifies what environment variables sent by the client will be | 18 | Specifies what environment variables sent by the client will be |
19 | copied into the session's environ(7). See SendEnv in | 19 | copied into the session's environ(7). See SendEnv and SetEnv in |
20 | ssh_config(5) for how to configure the client. The TERM | 20 | ssh_config(5) for how to configure the client. The TERM |
21 | environment variable is always sent whenever the client requests | 21 | environment variable is always accepted whenever the client |
22 | a pseudo-terminal as it is required by the protocol. Variables | 22 | requests a pseudo-terminal as it is required by the protocol. |
23 | are specified by name, which may contain the wildcard characters | 23 | Variables are specified by name, which may contain the wildcard |
24 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be separated by | 24 | characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be |
25 | whitespace or spread across multiple AcceptEnv directives. Be | 25 | separated by whitespace or spread across multiple AcceptEnv |
26 | warned that some environment variables could be used to bypass | 26 | directives. Be warned that some environment variables could be |
27 | restricted user environments. For this reason, care should be | 27 | used to bypass restricted user environments. For this reason, |
28 | taken in the use of this directive. The default is not to accept | 28 | care should be taken in the use of this directive. The default |
29 | any environment variables. | 29 | is not to accept any environment variables. |
30 | 30 | ||
31 | AddressFamily | 31 | AddressFamily |
32 | Specifies which address family should be used by sshd(8). Valid | 32 | Specifies which address family should be used by sshd(8). Valid |
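Review bot: the bypass warning at lines 26-29 stays as vague as before ("some environment variables could be used to bypass restricted user environments") while the PermitUserEnvironment entry later in this same file names LD_PRELOAD as the mechanism; naming it here as well keeps the two warnings consistent and tells the admin which variables never belong in an AcceptEnv pattern. The new cross-reference to SetEnv in ssh_config(5) is the client-side directive; this patch also adds a server-side SetEnv (line 858) whose values override whatever the client is allowed to send via AcceptEnv, and a pointer from here to that entry would show admins how to pin a variable they cannot safely leave client-controlled.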
@@ -88,7 +88,7 @@ DESCRIPTION | |||
88 | AuthenticationMethods | 88 | AuthenticationMethods |
89 | Specifies the authentication methods that must be successfully | 89 | Specifies the authentication methods that must be successfully |
90 | completed for a user to be granted access. This option must be | 90 | completed for a user to be granted access. This option must be |
91 | followed by one or more comma-separated lists of authentication | 91 | followed by one or more lists of comma-separated authentication |
92 | method names, or by the single string any to indicate the default | 92 | method names, or by the single string any to indicate the default |
93 | behaviour of accepting any single authentication method. If the | 93 | behaviour of accepting any single authentication method. If the |
94 | default is overridden, then successful authentication requires | 94 | default is overridden, then successful authentication requires |
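Review bot: the reworded sentence at lines 90-92 now says what separates the names inside a list (commas) but still does not say what separates one list from the next (whitespace); the old wording had the same gap. Suggest "one or more whitespace-separated lists of comma-separated authentication method names" so a reader of this sentence alone can tell that a value with two space-separated groups is two alternative method chains rather than one.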
@@ -104,8 +104,8 @@ DESCRIPTION | |||
104 | 104 | ||
105 | For keyboard interactive authentication it is also possible to | 105 | For keyboard interactive authentication it is also possible to |
106 | restrict authentication to a specific device by appending a colon | 106 | restrict authentication to a specific device by appending a colon |
107 | followed by the device identifier bsdauth, pam, or skey, | 107 | followed by the device identifier bsdauth or pam. depending on |
108 | depending on the server configuration. For example, | 108 | the server configuration. For example, |
109 | "keyboard-interactive:bsdauth" would restrict keyboard | 109 | "keyboard-interactive:bsdauth" would restrict keyboard |
110 | interactive authentication to the bsdauth device. | 110 | interactive authentication to the bsdauth device. |
111 | 111 | ||
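Review bot: typo introduced at line 107 of the new text: "bsdauth or pam. depending on the server configuration" has a full stop where the old text had a comma ("bsdauth, pam, or skey, depending on"), so the sentence now reads as a fragment followed by a lowercase start. Should be "bsdauth or pam, depending on the server configuration." Dropping skey from the list is fine given the rest of the change.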
@@ -120,7 +120,7 @@ DESCRIPTION | |||
120 | 120 | ||
121 | The available authentication methods are: "gssapi-with-mic", | 121 | The available authentication methods are: "gssapi-with-mic", |
122 | "hostbased", "keyboard-interactive", "none" (used for access to | 122 | "hostbased", "keyboard-interactive", "none" (used for access to |
123 | password-less accounts when PermitEmptyPassword is enabled), | 123 | password-less accounts when PermitEmptyPasswords is enabled), |
124 | "password" and "publickey". | 124 | "password" and "publickey". |
125 | 125 | ||
126 | AuthorizedKeysCommand | 126 | AuthorizedKeysCommand |
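Review bot: the fix to PermitEmptyPasswords at line 123 makes the name match the directive's own entry and the Match keyword list later in the file; fine. While touching this sentence, consider spelling out that "none" only succeeds for an account whose password string is actually empty and PermitEmptyPasswords is yes, since as written a reader could take listing "none" in AuthenticationMethods as a way to switch authentication off for a user.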
@@ -382,11 +382,11 @@ DESCRIPTION | |||
382 | 382 | ||
383 | HostbasedAcceptedKeyTypes | 383 | HostbasedAcceptedKeyTypes |
384 | Specifies the key types that will be accepted for hostbased | 384 | Specifies the key types that will be accepted for hostbased |
385 | authentication as a comma-separated pattern list. Alternately if | 385 | authentication as a list of comma-separated patterns. |
386 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the | 386 | Alternately if the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, |
387 | specified key types will be appended to the default set instead | 387 | then the specified key types will be appended to the default set |
388 | of replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y | 388 | instead of replacing them. If the specified value begins with a |
389 | character, then the specified key types (including wildcards) | 389 | M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified key types (including wildcards) |
390 | will be removed from the default set instead of replacing them. | 390 | will be removed from the default set instead of replacing them. |
391 | The default for this option is: | 391 | The default for this option is: |
392 | 392 | ||
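Review bot: "a list of comma-separated patterns" (line 385) removes the ambiguity of the old "comma-separated pattern list", but the paragraph still describes only the "+" and "-" prefixed forms and never states what an unprefixed value does, namely replace the default set entirely. One clause after the "-" sentence ("Otherwise the specified value replaces the default set.") would close that, and the same wording should then be applied to the identical PubkeyAcceptedKeyTypes paragraph at line 801 so the two stay in sync.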
@@ -394,9 +394,10 @@ DESCRIPTION | |||
394 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 394 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
395 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 395 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
396 | ssh-ed25519-cert-v01@openssh.com, | 396 | ssh-ed25519-cert-v01@openssh.com, |
397 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | ||
397 | ssh-rsa-cert-v01@openssh.com, | 398 | ssh-rsa-cert-v01@openssh.com, |
398 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 399 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
399 | ssh-ed25519,ssh-rsa | 400 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
400 | 401 | ||
401 | The list of available key types may also be obtained using "ssh | 402 | The list of available key types may also be obtained using "ssh |
402 | -Q key". | 403 | -Q key". |
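Review bot: the inserted line 397 puts rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com together on one line while every other certificate type in this list has a line of its own, which looks like a hand edit rather than formatter output. The diffstat says this view is limited to sshd_config.0; if that file is generated from sshd_config.5, the .5 change belongs in the same commit and the .0 should be regenerated from it, so this list and its two other copies in this file (lines 450 and 812) cannot drift apart.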
@@ -449,9 +450,10 @@ DESCRIPTION | |||
449 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 450 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
450 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 451 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
451 | ssh-ed25519-cert-v01@openssh.com, | 452 | ssh-ed25519-cert-v01@openssh.com, |
453 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | ||
452 | ssh-rsa-cert-v01@openssh.com, | 454 | ssh-rsa-cert-v01@openssh.com, |
453 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 455 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
454 | ssh-ed25519,ssh-rsa | 456 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
455 | 457 | ||
456 | The list of available key types may also be obtained using "ssh | 458 | The list of available key types may also be obtained using "ssh |
457 | -Q key". | 459 | -Q key". |
@@ -478,8 +480,9 @@ DESCRIPTION | |||
478 | If one argument is specified, it is used as the packet class | 480 | If one argument is specified, it is used as the packet class |
479 | unconditionally. If two values are specified, the first is | 481 | unconditionally. If two values are specified, the first is |
480 | automatically selected for interactive sessions and the second | 482 | automatically selected for interactive sessions and the second |
481 | for non-interactive sessions. The default is lowdelay for | 483 | for non-interactive sessions. The default is af21 (Low-Latency |
482 | interactive sessions and throughput for non-interactive sessions. | 484 | Data) for interactive sessions and cs1 (Lower Effort) for non- |
485 | interactive sessions. | ||
483 | 486 | ||
484 | KbdInteractiveAuthentication | 487 | KbdInteractiveAuthentication |
485 | Specifies whether to allow keyboard-interactive authentication. | 488 | Specifies whether to allow keyboard-interactive authentication. |
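Review bot: the default change at lines 483-485 (lowdelay/throughput to af21/cs1) is a behaviour change that affects any deployment whose network policy classifies SSH traffic on the old TOS values, and the updated text only states the new defaults. Suggest one sentence naming the previous defaults and noting that "IPQoS lowdelay throughput" restores them, so an admin reading the new page can tell whether existing QoS rules need attention.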
@@ -651,9 +654,9 @@ DESCRIPTION | |||
651 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, | 654 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, |
652 | KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, | 655 | KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, |
653 | MaxAuthTries, MaxSessions, PasswordAuthentication, | 656 | MaxAuthTries, MaxSessions, PasswordAuthentication, |
654 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, | 657 | PermitEmptyPasswords, PermitListen, PermitOpen, PermitRootLogin, |
655 | PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, | 658 | PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, |
656 | PubkeyAuthentication, RekeyLimit, RevokedKeys, RDomain, | 659 | PubkeyAuthentication, RekeyLimit, RevokedKeys, RDomain, SetEnv, |
657 | StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, | 660 | StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, |
658 | X11DisplayOffset, X11Forwarding and X11UseLocalHost. | 661 | X11DisplayOffset, X11Forwarding and X11UseLocalHost. |
659 | 662 | ||
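Review bot: PermitListen is slotted between PermitEmptyPasswords and PermitOpen and SetEnv between RDomain and StreamLocalBindMask, which keeps the list alphabetical apart from the pre-existing RevokedKeys/RDomain order; fine. Because SetEnv is now usable inside a Match block, the SetEnv entry added at line 858 should state how a Match-block SetEnv combines with a global one (replace the whole list, or add to it), since that decides whether an admin can pin a variable globally and trust it to hold inside every Match block.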
@@ -694,6 +697,28 @@ DESCRIPTION | |||
694 | server allows login to accounts with empty password strings. The | 697 | server allows login to accounts with empty password strings. The |
695 | default is no. | 698 | default is no. |
696 | 699 | ||
700 | PermitListen | ||
701 | Specifies the addresses/ports on which a remote TCP port | ||
702 | forwarding may listen. The listen specification must be one of | ||
703 | the following forms: | ||
704 | |||
705 | PermitListen port | ||
706 | PermitListen host:port | ||
707 | |||
708 | Multiple permissions may be specified by separating them with | ||
709 | whitespace. An argument of any can be used to remove all | ||
710 | restrictions and permit any listen requests. An argument of none | ||
711 | can be used to prohibit all listen requests. The host name may | ||
712 | contain wildcards as described in the PATTERNS section in | ||
713 | ssh_config(5). The wildcard M-bM-^@M-^X*M-bM-^@M-^Y can also be used in place of a | ||
714 | port number to allow all ports. By default all port forwarding | ||
715 | listen requests are permitted. Note that the GatewayPorts option | ||
716 | may further restrict which addresses may be listened on. Note | ||
717 | also that ssh(1) will request a listen host of M-bM-^@M-^\localhostM-bM-^@M-^] if no | ||
718 | listen host was specifically requested, and this this name is | ||
719 | treated differently to explicit localhost addresses of | ||
720 | M-bM-^@M-^\127.0.0.1M-bM-^@M-^] and M-bM-^@M-^\::1M-bM-^@M-^]. | ||
721 | |||
697 | PermitOpen | 722 | PermitOpen |
698 | Specifies the destinations to which TCP port forwarding is | 723 | Specifies the destinations to which TCP port forwarding is |
699 | permitted. The forwarding specification must be one of the | 724 | permitted. The forwarding specification must be one of the |
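Review bot: doubled word at line 718: "and this this name is treated differently" should read "and this name is treated differently". On the substance, lines 716-720 say that ssh(1) requests "localhost" when no listen host is given and that this differs from 127.0.0.1 and ::1, but never say which PermitListen spec matches that default request; an admin writing "PermitListen 127.0.0.1:8080" to constrain a client's -R 8080 has no way to predict from this page whether the client's default request is allowed or denied. State explicitly whether "PermitListen localhost:8080", "PermitListen 127.0.0.1:8080", or both match a request with no listen host, and whether the bare "PermitListen port" form matches any listen host.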
@@ -743,10 +768,12 @@ DESCRIPTION | |||
743 | 768 | ||
744 | PermitUserEnvironment | 769 | PermitUserEnvironment |
745 | Specifies whether ~/.ssh/environment and environment= options in | 770 | Specifies whether ~/.ssh/environment and environment= options in |
746 | ~/.ssh/authorized_keys are processed by sshd(8). The default is | 771 | ~/.ssh/authorized_keys are processed by sshd(8). Valid options |
747 | no. Enabling environment processing may enable users to bypass | 772 | are yes, no or a pattern-list specifying which environment |
748 | access restrictions in some configurations using mechanisms such | 773 | variable names to accept (for example "LANG,LC_*"). The default |
749 | as LD_PRELOAD. | 774 | is no. Enabling environment processing may enable users to |
775 | bypass access restrictions in some configurations using | ||
776 | mechanisms such as LD_PRELOAD. | ||
750 | 777 | ||
751 | PermitUserRC | 778 | PermitUserRC |
752 | Specifies whether any ~/.ssh/rc file is executed. The default is | 779 | Specifies whether any ~/.ssh/rc file is executed. The default is |
@@ -773,11 +800,11 @@ DESCRIPTION | |||
773 | 800 | ||
774 | PubkeyAcceptedKeyTypes | 801 | PubkeyAcceptedKeyTypes |
775 | Specifies the key types that will be accepted for public key | 802 | Specifies the key types that will be accepted for public key |
776 | authentication as a comma-separated pattern list. Alternately if | 803 | authentication as a list of comma-separated patterns. |
777 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the | 804 | Alternately if the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, |
778 | specified key types will be appended to the default set instead | 805 | then the specified key types will be appended to the default set |
779 | of replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y | 806 | instead of replacing them. If the specified value begins with a |
780 | character, then the specified key types (including wildcards) | 807 | M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified key types (including wildcards) |
781 | will be removed from the default set instead of replacing them. | 808 | will be removed from the default set instead of replacing them. |
782 | The default for this option is: | 809 | The default for this option is: |
783 | 810 | ||
@@ -785,9 +812,10 @@ DESCRIPTION | |||
785 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 812 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
786 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 813 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
787 | ssh-ed25519-cert-v01@openssh.com, | 814 | ssh-ed25519-cert-v01@openssh.com, |
815 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | ||
788 | ssh-rsa-cert-v01@openssh.com, | 816 | ssh-rsa-cert-v01@openssh.com, |
789 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 817 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
790 | ssh-ed25519,ssh-rsa | 818 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
791 | 819 | ||
792 | The list of available key types may also be obtained using "ssh | 820 | The list of available key types may also be obtained using "ssh |
793 | -Q key". | 821 | -Q key". |
@@ -827,6 +855,13 @@ DESCRIPTION | |||
827 | rdomain(4). If the routing domain is set to %D, then the domain | 855 | rdomain(4). If the routing domain is set to %D, then the domain |
828 | in which the incoming connection was received will be applied. | 856 | in which the incoming connection was received will be applied. |
829 | 857 | ||
858 | SetEnv Specifies one or more environment variables to set in child | ||
859 | sessions started by sshd(8) as M-bM-^@M-^\NAME=VALUEM-bM-^@M-^]. The environment | ||
860 | value may be quoted (e.g. if it contains whitespace characters). | ||
861 | Environment variables set by SetEnv override the default | ||
862 | environment and any variables specified by the user via AcceptEnv | ||
863 | or PermitUserEnvironment. | ||
864 | |||
830 | StreamLocalBindMask | 865 | StreamLocalBindMask |
831 | Sets the octal file creation mode mask (umask) used when creating | 866 | Sets the octal file creation mode mask (umask) used when creating |
832 | a Unix-domain socket file for local or remote port forwarding. | 867 | a Unix-domain socket file for local or remote port forwarding. |
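Review bot: the precedence sentence at lines 861-863 is the security-relevant part of this entry and should say when it applies: "override" suggests SetEnv values are applied after ~/.ssh/environment, authorized_keys environment= options and AcceptEnv have been processed so that SetEnv always wins, but as written an admin could also read it as a default that user input then replaces. Make the ordering unambiguous, and cover the Match case too (SetEnv appears in the Match keyword list at line 659). "may be quoted" (line 860) should name the quoting accepted (double quotes, as for other arguments in this file) and say whether an embedded quote can be escaped, since values with spaces are the usual reason to quote.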
@@ -1011,18 +1046,19 @@ TOKENS | |||
1011 | %s The serial number of the certificate. | 1046 | %s The serial number of the certificate. |
1012 | %T The type of the CA key. | 1047 | %T The type of the CA key. |
1013 | %t The key or certificate type. | 1048 | %t The key or certificate type. |
1049 | %U The numeric user ID of the target user. | ||
1014 | %u The username. | 1050 | %u The username. |
1015 | 1051 | ||
1016 | AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, and %u. | 1052 | AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, %U, and %u. |
1017 | 1053 | ||
1018 | AuthorizedKeysFile accepts the tokens %%, %h, and %u. | 1054 | AuthorizedKeysFile accepts the tokens %%, %h, %U, and %u. |
1019 | 1055 | ||
1020 | AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %h, %i, %K, | 1056 | AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %h, %i, %K, |
1021 | %k, %s, %T, %t, and %u. | 1057 | %k, %s, %T, %t, %U, and %u. |
1022 | 1058 | ||
1023 | AuthorizedPrincipalsFile accepts the tokens %%, %h, and %u. | 1059 | AuthorizedPrincipalsFile accepts the tokens %%, %h, %U, and %u. |
1024 | 1060 | ||
1025 | ChrootDirectory accepts the tokens %%, %h, and %u. | 1061 | ChrootDirectory accepts the tokens %%, %h, %U, and %u. |
1026 | 1062 | ||
1027 | RoutingDomain accepts the token %D. | 1063 | RoutingDomain accepts the token %D. |
1028 | 1064 | ||
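Review bot: %U and %u differ only in case and now sit next to each other in every token list at lines 1052-1061, so a typo silently swaps a numeric uid for a login name in an AuthorizedKeysFile or ChrootDirectory path; a short hint in the table that %U expands to a number while %u expands to the login name would help readers spot that. Also worth stating that the uid is that of the resolved target user, i.e. what sshd found in the password database, not anything supplied by the client, since ChrootDirectory paths are built from it.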
@@ -1043,4 +1079,4 @@ AUTHORS | |||
1043 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 1079 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
1044 | for privilege separation. | 1080 | for privilege separation. |
1045 | 1081 | ||
1046 | OpenBSD 6.2 February 16, 2018 OpenBSD 6.2 | 1082 | OpenBSD 6.4 July 20, 2018 OpenBSD 6.4 |