Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 115 |
1 files changed, 79 insertions, 36 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 1b732197c..1d655a3b8 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -1,7 +1,7 @@ | |||
1 | SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5) | 1 | SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | sshd_config M-bM-^@M-^S OpenSSH SSH daemon configuration file | 4 | sshd_config M-bM-^@M-^S OpenSSH daemon configuration file |
5 | 5 | ||
6 | DESCRIPTION | 6 | DESCRIPTION |
7 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file | 7 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file |
@@ -45,9 +45,8 @@ DESCRIPTION | |||
45 | users whose primary group or supplementary group list matches one | 45 | users whose primary group or supplementary group list matches one |
46 | of the patterns. Only group names are valid; a numerical group | 46 | of the patterns. Only group names are valid; a numerical group |
47 | ID is not recognized. By default, login is allowed for all | 47 | ID is not recognized. By default, login is allowed for all |
48 | groups. The allow/deny directives are processed in the following | 48 | groups. The allow/deny groups directives are processed in the |
49 | order: DenyUsers, AllowUsers, DenyGroups, and finally | 49 | following order: DenyGroups, AllowGroups. |
50 | AllowGroups. | ||
51 | 50 | ||
52 | See PATTERNS in ssh_config(5) for more information on patterns. | 51 | See PATTERNS in ssh_config(5) for more information on patterns. |
53 | 52 | ||
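Review bot: the shortened ordering sentence at new lines 48-49 ("DenyGroups, AllowGroups") drops the cross-directive ordering that the old text stated, namely that DenyUsers and AllowUsers are evaluated before DenyGroups and AllowGroups. That ordering is the property an administrator relies on when reasoning about a user who is named in DenyUsers but belongs to a group matched by AllowGroups, or who matches AllowUsers but is in a DenyGroups group; from the new text alone it is impossible to tell whether the user and group checks are independent. Suggest keeping one sentence that ties the two lists together, e.g. "The user directives (DenyUsers, AllowUsers) are evaluated before the group directives.", here or once in the DESCRIPTION preamble, since the same truncated wording is repeated under DenyGroups later in this diff.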
@@ -79,9 +78,8 @@ DESCRIPTION | |||
79 | USER@HOST then USER and HOST are separately checked, restricting | 78 | USER@HOST then USER and HOST are separately checked, restricting |
80 | logins to particular users from particular hosts. HOST criteria | 79 | logins to particular users from particular hosts. HOST criteria |
81 | may additionally contain addresses to match in CIDR | 80 | may additionally contain addresses to match in CIDR |
82 | address/masklen format. The allow/deny directives are processed | 81 | address/masklen format. The allow/deny users directives are |
83 | in the following order: DenyUsers, AllowUsers, DenyGroups, and | 82 | processed in the following order: DenyUsers, AllowUsers. |
84 | finally AllowGroups. | ||
85 | 83 | ||
86 | See PATTERNS in ssh_config(5) for more information on patterns. | 84 | See PATTERNS in ssh_config(5) for more information on patterns. |
87 | 85 | ||
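Review bot: "The allow/deny users directives" at new line 81 reads awkwardly with "users" as a modifier; "the user allow/deny directives" or simply "DenyUsers and AllowUsers" is clearer, and the same phrase is introduced again under DenyUsers later in this diff, so fix both. More importantly, the sentence now stops at "DenyUsers, AllowUsers" and no longer says that a login passing these two checks is still subject to DenyGroups/AllowGroups; a USER@HOST entry that matches AllowUsers can still be rejected by a group directive, and the text should keep that visible, for example by ending the sentence with ", after which the group directives are applied".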
@@ -295,6 +293,8 @@ DESCRIPTION | |||
295 | The default value is 3. If ClientAliveInterval is set to 15, and | 293 | The default value is 3. If ClientAliveInterval is set to 15, and |
296 | ClientAliveCountMax is left at the default, unresponsive SSH | 294 | ClientAliveCountMax is left at the default, unresponsive SSH |
297 | clients will be disconnected after approximately 45 seconds. | 295 | clients will be disconnected after approximately 45 seconds. |
296 | Setting a zero ClientAliveCountMax disables connection | ||
297 | termination. | ||
298 | 298 | ||
299 | ClientAliveInterval | 299 | ClientAliveInterval |
300 | Sets a timeout interval in seconds after which if no data has | 300 | Sets a timeout interval in seconds after which if no data has |
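Review bot: the new sentence at lines 296-297 ("Setting a zero ClientAliveCountMax disables connection termination") needs to say what still happens when the count is 0 and how it interacts with ClientAliveInterval. The preceding paragraph defines the option as the number of unanswered client alive messages before disconnect, so a reader can plausibly take 0 as "disconnect on the first unanswered probe" rather than "never disconnect"; the sentence settles it as the latter but should warn that this turns off idle-session reaping entirely (an unresponsive session then lives until the TCP connection itself fails) and should state whether client alive messages are still sent when ClientAliveInterval is non-zero. Suggested wording: "Setting ClientAliveCountMax to 0 disables disconnection of unresponsive clients."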
@@ -314,8 +314,8 @@ DESCRIPTION | |||
314 | group or supplementary group list matches one of the patterns. | 314 | group or supplementary group list matches one of the patterns. |
315 | Only group names are valid; a numerical group ID is not | 315 | Only group names are valid; a numerical group ID is not |
316 | recognized. By default, login is allowed for all groups. The | 316 | recognized. By default, login is allowed for all groups. The |
317 | allow/deny directives are processed in the following order: | 317 | allow/deny groups directives are processed in the following |
318 | DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. | 318 | order: DenyGroups, AllowGroups. |
319 | 319 | ||
320 | See PATTERNS in ssh_config(5) for more information on patterns. | 320 | See PATTERNS in ssh_config(5) for more information on patterns. |
321 | 321 | ||
@@ -328,9 +328,8 @@ DESCRIPTION | |||
328 | then USER and HOST are separately checked, restricting logins to | 328 | then USER and HOST are separately checked, restricting logins to |
329 | particular users from particular hosts. HOST criteria may | 329 | particular users from particular hosts. HOST criteria may |
330 | additionally contain addresses to match in CIDR address/masklen | 330 | additionally contain addresses to match in CIDR address/masklen |
331 | format. The allow/deny directives are processed in the following | 331 | format. The allow/deny users directives are processed in the |
332 | order: DenyUsers, AllowUsers, DenyGroups, and finally | 332 | following order: DenyUsers, AllowUsers. |
333 | AllowGroups. | ||
334 | 333 | ||
335 | See PATTERNS in ssh_config(5) for more information on patterns. | 334 | See PATTERNS in ssh_config(5) for more information on patterns. |
336 | 335 | ||
@@ -407,14 +406,19 @@ DESCRIPTION | |||
407 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 406 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
408 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 407 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
409 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 408 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
409 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
410 | ssh-ed25519-cert-v01@openssh.com, | 410 | ssh-ed25519-cert-v01@openssh.com, |
411 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | 411 | sk-ssh-ed25519-cert-v01@openssh.com, |
412 | rsa-sha2-512-cert-v01@openssh.com, | ||
413 | rsa-sha2-256-cert-v01@openssh.com, | ||
412 | ssh-rsa-cert-v01@openssh.com, | 414 | ssh-rsa-cert-v01@openssh.com, |
413 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 415 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
414 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 416 | sk-ecdsa-sha2-nistp256@openssh.com, |
417 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
418 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
415 | 419 | ||
416 | The list of available key types may also be obtained using "ssh | 420 | The list of available key types may also be obtained using "ssh |
417 | -Q key". | 421 | -Q HostbasedAcceptedKeyTypes". |
418 | 422 | ||
419 | HostbasedAuthentication | 423 | HostbasedAuthentication |
420 | Specifies whether rhosts or /etc/hosts.equiv authentication | 424 | Specifies whether rhosts or /etc/hosts.equiv authentication |
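Review bot: the query hint at new lines 420-421 changes from "ssh -Q key" to "ssh -Q HostbasedAcceptedKeyTypes", which only works if the ssh(1) shipped with the same release accepts configuration keyword names as -Q arguments; that client change is not part of this page, so either document it in ssh(1) in the same commit or keep the type-name form, otherwise an administrator running a newer sshd against an older ssh gets an unknown-query error from the documented command. The same hint and the same default list are repeated verbatim under HostKeyAlgorithms and PubkeyAcceptedKeyTypes in this diff, so the three copies must be kept in sync; a single shared paragraph referenced from the three entries would remove that maintenance burden.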
@@ -463,14 +467,19 @@ DESCRIPTION | |||
463 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 467 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
464 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 468 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
465 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 469 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
470 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
466 | ssh-ed25519-cert-v01@openssh.com, | 471 | ssh-ed25519-cert-v01@openssh.com, |
467 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | 472 | sk-ssh-ed25519-cert-v01@openssh.com, |
473 | rsa-sha2-512-cert-v01@openssh.com, | ||
474 | rsa-sha2-256-cert-v01@openssh.com, | ||
468 | ssh-rsa-cert-v01@openssh.com, | 475 | ssh-rsa-cert-v01@openssh.com, |
469 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 476 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
470 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 477 | sk-ecdsa-sha2-nistp256@openssh.com, |
478 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
479 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
471 | 480 | ||
472 | The list of available key types may also be obtained using "ssh | 481 | The list of available key types may also be obtained using "ssh |
473 | -Q key". | 482 | -Q HostKeyAlgorithms". |
474 | 483 | ||
475 | IgnoreRhosts | 484 | IgnoreRhosts |
476 | Specifies that .rhosts and .shosts files will not be used in | 485 | Specifies that .rhosts and .shosts files will not be used in |
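Review bot: the sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 entries, plus their -cert variants, are added to the HostKeyAlgorithms default at new lines 470-478, but this entry says nothing about whether sshd can serve a host key that lives on a FIDO authenticator or what happens when HostKey names such a key. The SecurityKeyProvider entry added later in this diff refers to "loading FIDO authenticator-hosted keys", so a cross-reference from here would make the intended use clear. Also note that "ssh -Q HostKeyAlgorithms" (new line 482) reports what the client binary supports, which on a packaged system is not necessarily the same build as the daemon being configured.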
@@ -483,12 +492,19 @@ DESCRIPTION | |||
483 | Specifies whether sshd(8) should ignore the user's | 492 | Specifies whether sshd(8) should ignore the user's |
484 | ~/.ssh/known_hosts during HostbasedAuthentication and use only | 493 | ~/.ssh/known_hosts during HostbasedAuthentication and use only |
485 | the system-wide known hosts file /etc/ssh/known_hosts. The | 494 | the system-wide known hosts file /etc/ssh/known_hosts. The |
486 | default is no. | 495 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
496 | |||
497 | Include | ||
498 | Include the specified configuration file(s). Multiple pathnames | ||
499 | may be specified and each pathname may contain glob(7) wildcards. | ||
500 | Files without absolute paths are assumed to be in /etc/ssh. An | ||
501 | Include directive may appear inside a Match block to perform | ||
502 | conditional inclusion. | ||
487 | 503 | ||
488 | IPQoS Specifies the IPv4 type-of-service or DSCP class for the | 504 | IPQoS Specifies the IPv4 type-of-service or DSCP class for the |
489 | connection. Accepted values are af11, af12, af13, af21, af22, | 505 | connection. Accepted values are af11, af12, af13, af21, af22, |
490 | af23, af31, af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, | 506 | af23, af31, af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, |
491 | cs4, cs5, cs6, cs7, ef, lowdelay, throughput, reliability, a | 507 | cs4, cs5, cs6, cs7, ef, le, lowdelay, throughput, reliability, a |
492 | numeric value, or none to use the operating system default. This | 508 | numeric value, or none to use the operating system default. This |
493 | option may take one or two arguments, separated by whitespace. | 509 | option may take one or two arguments, separated by whitespace. |
494 | If one argument is specified, it is used as the packet class | 510 | If one argument is specified, it is used as the packet class |
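Review bot: the new Include entry at lines 497-502 is missing two things an administrator needs. First, precedence: it should say how a directive in an included file interacts with the same directive in the including file (which occurrence wins, and whether the position of the Include line relative to that directive matters), and in what order files matched by a glob(7) pattern are processed, because "Include sshd_config.d/*.conf" style layouts depend on that. Second, trust: an Include of a path writable by a non-root user turns that file into root-controlled daemon configuration, so the entry should state that included files are expected to meet the same ownership and permission requirements as /etc/ssh/sshd_config (or that sshd enforces this, if it does). Minor: "Files without absolute paths are assumed to be in /etc/ssh" is more precise as "Relative pathnames are resolved relative to /etc/ssh".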
@@ -548,6 +564,7 @@ DESCRIPTION | |||
548 | ecdh-sha2-nistp256 | 564 | ecdh-sha2-nistp256 |
549 | ecdh-sha2-nistp384 | 565 | ecdh-sha2-nistp384 |
550 | ecdh-sha2-nistp521 | 566 | ecdh-sha2-nistp521 |
567 | sntrup4591761x25519-sha512@tinyssh.org | ||
551 | 568 | ||
552 | The default is: | 569 | The default is: |
553 | 570 | ||
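Review bot: sntrup4591761x25519-sha512@tinyssh.org at new line 567 is added to the list of supported methods without any indication of its status, and the default list in the following hunk does not include it, so it is only usable when KexAlgorithms names it explicitly. A short qualifier here (not in the default set; must be selected explicitly) stops readers from taking the list as the set offered by default, and one sentence noting that the @tinyssh.org suffix marks a vendor extension rather than a standardized method would help anyone auditing the negotiated KEX.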
@@ -555,10 +572,10 @@ DESCRIPTION | |||
555 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | 572 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
556 | diffie-hellman-group-exchange-sha256, | 573 | diffie-hellman-group-exchange-sha256, |
557 | diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, | 574 | diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, |
558 | diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 | 575 | diffie-hellman-group14-sha256 |
559 | 576 | ||
560 | The list of available key exchange algorithms may also be | 577 | The list of available key exchange algorithms may also be |
561 | obtained using "ssh -Q kex". | 578 | obtained using "ssh -Q KexAlgorithms". |
562 | 579 | ||
563 | ListenAddress | 580 | ListenAddress |
564 | Specifies the local addresses sshd(8) should listen on. The | 581 | Specifies the local addresses sshd(8) should listen on. The |
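Review bot: removing diffie-hellman-group14-sha1 from the default at new line 575 is a compatibility-affecting change for clients that only implement SHA-1 key exchange, and nothing on the page flags it or tells the administrator that the method remains available through an explicit KexAlgorithms setting; a sentence here, or at least a release-note entry, is warranted. The default list also omits the sntrup4591761x25519-sha512@tinyssh.org method added to the available list in the preceding hunk, which is presumably deliberate but should be stated so readers do not assume the omission is an oversight.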
@@ -669,14 +686,15 @@ DESCRIPTION | |||
669 | Banner, ChrootDirectory, ClientAliveCountMax, | 686 | Banner, ChrootDirectory, ClientAliveCountMax, |
670 | ClientAliveInterval, DenyGroups, DenyUsers, ForceCommand, | 687 | ClientAliveInterval, DenyGroups, DenyUsers, ForceCommand, |
671 | GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, | 688 | GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, |
672 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, | 689 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, |
673 | KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, | 690 | Include, IPQoS, KbdInteractiveAuthentication, |
674 | MaxAuthTries, MaxSessions, PasswordAuthentication, | 691 | KerberosAuthentication, LogLevel, MaxAuthTries, MaxSessions, |
675 | PermitEmptyPasswords, PermitListen, PermitOpen, PermitRootLogin, | 692 | PasswordAuthentication, PermitEmptyPasswords, PermitListen, |
676 | PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, | 693 | PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, |
677 | PubkeyAuthentication, RekeyLimit, RevokedKeys, RDomain, SetEnv, | 694 | PermitUserRC, PubkeyAcceptedKeyTypes, PubkeyAuthentication, |
678 | StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, | 695 | RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask, |
679 | X11DisplayOffset, X11Forwarding and X11UseLocalhost. | 696 | StreamLocalBindUnlink, TrustedUserCAKeys, X11DisplayOffset, |
697 | X11Forwarding and X11UseLocalhost. | ||
680 | 698 | ||
681 | MaxAuthTries | 699 | MaxAuthTries |
682 | Specifies the maximum number of authentication attempts permitted | 700 | Specifies the maximum number of authentication attempts permitted |
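Review bot: adding Include to the keywords permitted inside a Match block (new line 690) raises a rule the Include entry earlier in this diff does not state: whether a Match line inside the included file ends the enclosing Match block, continues it, or is rejected. Since the purpose is conditional inclusion, that rule decides what a file reached via "Match User foo" followed by "Include bar" is able to change; please document it in the Include entry, and say whether directives in a file included from within a Match block are restricted to this same keyword list.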
@@ -751,8 +769,9 @@ DESCRIPTION | |||
751 | restrictions and permit any forwarding requests. An argument of | 769 | restrictions and permit any forwarding requests. An argument of |
752 | none can be used to prohibit all forwarding requests. The | 770 | none can be used to prohibit all forwarding requests. The |
753 | wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or | 771 | wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or |
754 | ports, respectively. By default all port forwarding requests are | 772 | ports respectively. Otherwise, no pattern matching or address |
755 | permitted. | 773 | lookups are performed on supplied names. By default all port |
774 | forwarding requests are permitted. | ||
756 | 775 | ||
757 | PermitRootLogin | 776 | PermitRootLogin |
758 | Specifies whether root can log in using ssh(1). The argument | 777 | Specifies whether root can log in using ssh(1). The argument |
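Review bot: "no pattern matching or address lookups are performed on supplied names" at new lines 772-773 is the security-relevant statement in this hunk and should spell out its consequence: the host string the client places in the forwarding request is compared literally against the configured value, so a hostname in PermitOpen does not permit a request that names the same server by IP address, and vice versa; an administrator has to list every form they intend to allow. Separately, the comma in "all hosts or ports, respectively" (old line 754) was dropped at new line 772; keep it.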
@@ -831,14 +850,33 @@ DESCRIPTION | |||
831 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 850 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
832 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 851 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
833 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 852 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
853 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
834 | ssh-ed25519-cert-v01@openssh.com, | 854 | ssh-ed25519-cert-v01@openssh.com, |
835 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | 855 | sk-ssh-ed25519-cert-v01@openssh.com, |
856 | rsa-sha2-512-cert-v01@openssh.com, | ||
857 | rsa-sha2-256-cert-v01@openssh.com, | ||
836 | ssh-rsa-cert-v01@openssh.com, | 858 | ssh-rsa-cert-v01@openssh.com, |
837 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 859 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
838 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 860 | sk-ecdsa-sha2-nistp256@openssh.com, |
861 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
862 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
839 | 863 | ||
840 | The list of available key types may also be obtained using "ssh | 864 | The list of available key types may also be obtained using "ssh |
841 | -Q key". | 865 | -Q PubkeyAcceptedKeyTypes". |
866 | |||
867 | PubkeyAuthOptions | ||
868 | Sets one or more public key authentication options. Two option | ||
869 | keywords are currently supported: none (the default; indicating | ||
870 | no additional options are enabled) and touch-required. | ||
871 | |||
872 | The touch-required option causes public key authentication using | ||
873 | a FIDO authenticator algorithm (i.e. ecdsa-sk or ed25519-sk) to | ||
874 | always require the signature to attest that a physically present | ||
875 | user explicitly confirmed the authentication (usually by touching | ||
876 | the authenticator). By default, sshd(8) requires user presence | ||
877 | unless overridden with an authorized_keys option. The | ||
878 | touch-required flag disables this override. This option has no | ||
879 | effect for other, non-authenticator public key types. | ||
842 | 880 | ||
843 | PubkeyAuthentication | 881 | PubkeyAuthentication |
844 | Specifies whether public key authentication is allowed. The | 882 | Specifies whether public key authentication is allowed. The |
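Review bot: in the new PubkeyAuthOptions entry (lines 867-879), "unless overridden with an authorized_keys option" should name the option being overridden, so an administrator can grep authorized_keys files for it and understand exactly what touch-required disables; as written the reader has to consult sshd(8) to find out. Also, "ecdsa-sk or ed25519-sk" at line 873 are the ssh-keygen -t names, while the list immediately above this entry uses the wire identifiers sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com; use one scheme or state the correspondence. Finally, "require the signature to attest that a physically present user ..." risks being read as FIDO attestation; "indicate" or "assert" avoids the collision.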
@@ -875,6 +913,11 @@ DESCRIPTION | |||
875 | rdomain(4). If the routing domain is set to %D, then the domain | 913 | rdomain(4). If the routing domain is set to %D, then the domain |
876 | in which the incoming connection was received will be applied. | 914 | in which the incoming connection was received will be applied. |
877 | 915 | ||
916 | SecurityKeyProvider | ||
917 | Specifies a path to a library that will be used when loading FIDO | ||
918 | authenticator-hosted keys, overriding the default of using the | ||
919 | built-in USB HID support. | ||
920 | |||
878 | SetEnv Specifies one or more environment variables to set in child | 921 | SetEnv Specifies one or more environment variables to set in child |
879 | sessions started by sshd(8) as M-bM-^@M-^\NAME=VALUEM-bM-^@M-^]. The environment | 922 | sessions started by sshd(8) as M-bM-^@M-^\NAME=VALUEM-bM-^@M-^]. The environment |
880 | value may be quoted (e.g. if it contains whitespace characters). | 923 | value may be quoted (e.g. if it contains whitespace characters). |
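Review bot: the SecurityKeyProvider entry at new lines 916-919 describes a library path that sshd will load, but does not say which operation uses it (loading FIDO-hosted HostKey files is the obvious candidate given the sk-* additions to HostKeyAlgorithms in this diff) or that the library executes with sshd's privileges. Because a root daemon will load whatever this names, the entry should state the trust requirement on the path (root-owned, not writable by others) and note that the keyword is intentionally absent from the Match keyword list above, so it cannot be set per-connection.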
@@ -1099,4 +1142,4 @@ AUTHORS | |||
1099 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 1142 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
1100 | for privilege separation. | 1143 | for privilege separation. |
1101 | 1144 | ||
1102 | OpenBSD 6.6 September 6, 2019 OpenBSD 6.6 | 1145 | OpenBSD 6.6 February 7, 2020 OpenBSD 6.6 |