Diffstat (limited to 'sshd_config.0')
-rw-r--r-- sshd_config.0 313
1 files changed, 188 insertions, 125 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index d2c5454e1..c9a09a4ff 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -7,10 +7,11 @@ SYNOPSIS
7 /etc/ssh/sshd_config 7 /etc/ssh/sshd_config
8 8
9DESCRIPTION 9DESCRIPTION
10 sshd reads configuration data from /etc/ssh/sshd_config (or the file 10 sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
11 specified with -f on the command line). The file contains keyword-argu- 11 specified with -f on the command line). The file contains keyword-argu-
12 ment pairs, one per line. Lines starting with `#' and empty lines are 12 ment pairs, one per line. Lines starting with `#' and empty lines are
13 interpreted as comments. 13 interpreted as comments. Arguments may optionally be enclosed in double
14 quotes (") in order to represent arguments containing spaces.
14 15
15 The possible keywords and their meanings are as follows (note that key- 16 The possible keywords and their meanings are as follows (note that key-
16 words are case-insensitive and arguments are case-sensitive): 17 words are case-insensitive and arguments are case-sensitive):
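Review bot: the added quoting rule (new lines 13-14, "Arguments may optionally be enclosed in double quotes...") is under-specified for a file that acts as an access-control boundary: it does not say how a literal double quote inside an argument is written (or that no escape exists), nor whether quotes may wrap only a whole argument or also part of one. An administrator has to be able to predict exactly how a line is tokenized; suggest one sentence on escaping plus an example of a quoted argument containing a space.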
@@ -29,17 +30,21 @@ DESCRIPTION
29 any environment variables. 30 any environment variables.
30 31
31 AddressFamily 32 AddressFamily
32 Specifies which address family should be used by sshd. Valid ar- 33 Specifies which address family should be used by sshd(8). Valid
33 guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use 34 arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
34 IPv6 only). The default is ``any''. 35 (use IPv6 only). The default is ``any''.
35 36
36 AllowGroups 37 AllowGroups
37 This keyword can be followed by a list of group name patterns, 38 This keyword can be followed by a list of group name patterns,
38 separated by spaces. If specified, login is allowed only for 39 separated by spaces. If specified, login is allowed only for
39 users whose primary group or supplementary group list matches one 40 users whose primary group or supplementary group list matches one
40 of the patterns. `*' and `?' can be used as wildcards in the 41 of the patterns. Only group names are valid; a numerical group
41 patterns. Only group names are valid; a numerical group ID is 42 ID is not recognized. By default, login is allowed for all
42 not recognized. By default, login is allowed for all groups. 43 groups. The allow/deny directives are processed in the following
44 order: DenyUsers, AllowUsers, DenyGroups, and finally
45 AllowGroups.
46
47 See PATTERNS in ssh_config(5) for more information on patterns.
43 48
44 AllowTcpForwarding 49 AllowTcpForwarding
45 Specifies whether TCP forwarding is permitted. The default is 50 Specifies whether TCP forwarding is permitted. The default is
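Review bot: the new processing-order sentence (new lines 43-45) gives the order DenyUsers, AllowUsers, DenyGroups, AllowGroups but not the outcome when a login matches more than one list, which is what an administrator actually needs to reason about: for example, whether a user named in AllowUsers is still refused when one of that user's supplementary groups matches DenyGroups. Suggest stating the rule explicitly (each directive is applied in turn and a login must pass all of them, if that is the intended semantics) rather than only the order.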
@@ -50,23 +55,26 @@ DESCRIPTION
50 AllowUsers 55 AllowUsers
51 This keyword can be followed by a list of user name patterns, 56 This keyword can be followed by a list of user name patterns,
52 separated by spaces. If specified, login is allowed only for us- 57 separated by spaces. If specified, login is allowed only for us-
53 er names that match one of the patterns. `*' and `?' can be used 58 er names that match one of the patterns. Only user names are
54 as wildcards in the patterns. Only user names are valid; a nu- 59 valid; a numerical user ID is not recognized. By default, login
55 merical user ID is not recognized. By default, login is allowed 60 is allowed for all users. If the pattern takes the form US-
56 for all users. If the pattern takes the form USER@HOST then USER 61 ER@HOST then USER and HOST are separately checked, restricting
57 and HOST are separately checked, restricting logins to particular 62 logins to particular users from particular hosts. The allow/deny
58 users from particular hosts. 63 directives are processed in the following order: DenyUsers,
64 AllowUsers, DenyGroups, and finally AllowGroups.
65
66 See PATTERNS in ssh_config(5) for more information on patterns.
59 67
60 AuthorizedKeysFile 68 AuthorizedKeysFile
61 Specifies the file that contains the public keys that can be used 69 Specifies the file that contains the public keys that can be used
62 for user authentication. AuthorizedKeysFile may contain tokens 70 for user authentication. AuthorizedKeysFile may contain tokens
63 of the form %T which are substituted during connection set-up. 71 of the form %T which are substituted during connection setup.
64 The following tokens are defined: %% is replaced by a literal 72 The following tokens are defined: %% is replaced by a literal
65 '%', %h is replaced by the home directory of the user being au- 73 '%', %h is replaced by the home directory of the user being au-
66 thenticated and %u is replaced by the username of that user. Af- 74 thenticated, and %u is replaced by the username of that user.
67 ter expansion, AuthorizedKeysFile is taken to be an absolute path 75 After expansion, AuthorizedKeysFile is taken to be an absolute
68 or one relative to the user's home directory. The default is 76 path or one relative to the user's home directory. The default
69 ``.ssh/authorized_keys''. 77 is ``.ssh/authorized_keys''.
70 78
71 Banner In some jurisdictions, sending a warning message before authenti- 79 Banner In some jurisdictions, sending a warning message before authenti-
72 cation may be relevant for getting legal protection. The con- 80 cation may be relevant for getting legal protection. The con-
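Review bot: the USER@HOST form (new lines 60-62) does not say what HOST is compared against: the client's IP address, the name obtained by reverse lookup, or both. Since that lookup is governed by UseDNS (later in this file), the reader cannot tell whether a host-name pattern still has any effect when UseDNS is ``no''; suggest cross-referencing UseDNS here and in the matching DenyUsers text. Secondary: the processing-order sentence (new lines 62-64) is now copied verbatim into four keyword entries; stating it once and referring to it keeps the copies from drifting apart in later edits.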
@@ -75,7 +83,7 @@ DESCRIPTION
75 protocol version 2. By default, no banner is displayed. 83 protocol version 2. By default, no banner is displayed.
76 84
77 ChallengeResponseAuthentication 85 ChallengeResponseAuthentication
78 Specifies whether challenge response authentication is allowed. 86 Specifies whether challenge-response authentication is allowed.
79 All authentication styles from login.conf(5) are supported. The 87 All authentication styles from login.conf(5) are supported. The
80 default is ``yes''. 88 default is ``yes''.
81 89
@@ -85,15 +93,15 @@ DESCRIPTION
85 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', 93 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
86 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', 94 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
87 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and 95 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
88 ``cast128-cbc''. The default is 96 ``cast128-cbc''. The default is:
89 97
90 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 98 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
91 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 99 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
92 aes192-ctr,aes256-ctr'' 100 aes192-ctr,aes256-ctr
93 101
94 ClientAliveCountMax 102 ClientAliveCountMax
95 Sets the number of client alive messages (see below) which may be 103 Sets the number of client alive messages (see below) which may be
96 sent without sshd receiving any messages back from the client. 104 sent without sshd(8) receiving any messages back from the client.
97 If this threshold is reached while client alive messages are be- 105 If this threshold is reached while client alive messages are be-
98 ing sent, sshd will disconnect the client, terminating the ses- 106 ing sent, sshd will disconnect the client, terminating the ses-
99 sion. It is important to note that the use of client alive mes- 107 sion. It is important to note that the use of client alive mes-
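Review bot: dropping the ``...'' quotes around the Ciphers default (new lines 98-100) makes the three-line list look as though it could be written across several lines or with whitespace, whereas it is a single comma-separated argument; the MACs entry later in this diff keeps its quotes, so the two entries are also now styled differently. An administrator trimming this list needs to see unambiguously where the value begins and ends; suggest either restoring the quotes or adding "as a single comma-separated argument" after "The default is:".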
@@ -106,15 +114,16 @@ DESCRIPTION
106 114
107 The default value is 3. If ClientAliveInterval (see below) is 115 The default value is 3. If ClientAliveInterval (see below) is
108 set to 15, and ClientAliveCountMax is left at the default, unre- 116 set to 15, and ClientAliveCountMax is left at the default, unre-
109 sponsive ssh clients will be disconnected after approximately 45 117 sponsive SSH clients will be disconnected after approximately 45
110 seconds. 118 seconds. This option applies to protocol version 2 only.
111 119
112 ClientAliveInterval 120 ClientAliveInterval
113 Sets a timeout interval in seconds after which if no data has 121 Sets a timeout interval in seconds after which if no data has
114 been received from the client, sshd will send a message through 122 been received from the client, sshd(8) will send a message
115 the encrypted channel to request a response from the client. The 123 through the encrypted channel to request a response from the
116 default is 0, indicating that these messages will not be sent to 124 client. The default is 0, indicating that these messages will
117 the client. This option applies to protocol version 2 only. 125 not be sent to the client. This option applies to protocol ver-
126 sion 2 only.
118 127
119 Compression 128 Compression
120 Specifies whether compression is allowed, or delayed until the 129 Specifies whether compression is allowed, or delayed until the
@@ -125,23 +134,38 @@ DESCRIPTION
125 This keyword can be followed by a list of group name patterns, 134 This keyword can be followed by a list of group name patterns,
126 separated by spaces. Login is disallowed for users whose primary 135 separated by spaces. Login is disallowed for users whose primary
127 group or supplementary group list matches one of the patterns. 136 group or supplementary group list matches one of the patterns.
128 `*' and `?' can be used as wildcards in the patterns. Only group 137 Only group names are valid; a numerical group ID is not recog-
129 names are valid; a numerical group ID is not recognized. By de- 138 nized. By default, login is allowed for all groups. The al-
130 fault, login is allowed for all groups. 139 low/deny directives are processed in the following order:
140 DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
141
142 See PATTERNS in ssh_config(5) for more information on patterns.
131 143
132 DenyUsers 144 DenyUsers
133 This keyword can be followed by a list of user name patterns, 145 This keyword can be followed by a list of user name patterns,
134 separated by spaces. Login is disallowed for user names that 146 separated by spaces. Login is disallowed for user names that
135 match one of the patterns. `*' and `?' can be used as wildcards 147 match one of the patterns. Only user names are valid; a numeri-
136 in the patterns. Only user names are valid; a numerical user ID 148 cal user ID is not recognized. By default, login is allowed for
137 is not recognized. By default, login is allowed for all users. 149 all users. If the pattern takes the form USER@HOST then USER and
138 If the pattern takes the form USER@HOST then USER and HOST are 150 HOST are separately checked, restricting logins to particular
139 separately checked, restricting logins to particular users from 151 users from particular hosts. The allow/deny directives are pro-
140 particular hosts. 152 cessed in the following order: DenyUsers, AllowUsers, DenyGroups,
153 and finally AllowGroups.
154
155 See PATTERNS in ssh_config(5) for more information on patterns.
156
157 ForceCommand
158 Forces the execution of the command specified by ForceCommand,
159 ignoring any command supplied by the client. The command is in-
160 voked by using the user's login shell with the -c option. This
161 applies to shell, command, or subsystem execution. It is most
162 useful inside a Match block. The command originally supplied by
163 the client is available in the SSH_ORIGINAL_COMMAND environment
164 variable.
141 165
142 GatewayPorts 166 GatewayPorts
143 Specifies whether remote hosts are allowed to connect to ports 167 Specifies whether remote hosts are allowed to connect to ports
144 forwarded for the client. By default, sshd binds remote port 168 forwarded for the client. By default, sshd(8) binds remote port
145 forwardings to the loopback address. This prevents other remote 169 forwardings to the loopback address. This prevents other remote
146 hosts from connecting to forwarded ports. GatewayPorts can be 170 hosts from connecting to forwarded ports. GatewayPorts can be
147 used to specify that sshd should allow remote port forwardings to 171 used to specify that sshd should allow remote port forwardings to
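Review bot: the new ForceCommand entry (new lines 157-164) should say that SSH_ORIGINAL_COMMAND carries the client's unmodified request and is therefore untrusted input to the forced command; the text says the value is "available" but gives no hint that a forced command which hands it to a shell unchecked undoes the restriction ForceCommand exists to impose. It should also state how ForceCommand interacts with the per-key command option in authorized_keys that PermitRootLogin ``forced-commands-only'' (later in this diff) relies on, i.e. which one takes effect when both are present. Minor: the processing-order sentence is repeated again in DenyGroups and DenyUsers (new lines 139-140 and 151-153).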
@@ -165,18 +189,27 @@ DESCRIPTION
165 HostbasedAuthentication 189 HostbasedAuthentication
166 Specifies whether rhosts or /etc/hosts.equiv authentication to- 190 Specifies whether rhosts or /etc/hosts.equiv authentication to-
167 gether with successful public key client host authentication is 191 gether with successful public key client host authentication is
168 allowed (hostbased authentication). This option is similar to 192 allowed (host-based authentication). This option is similar to
169 RhostsRSAAuthentication and applies to protocol version 2 only. 193 RhostsRSAAuthentication and applies to protocol version 2 only.
170 The default is ``no''. 194 The default is ``no''.
171 195
196 HostbasedUsesNameFromPacketOnly
197 Specifies whether or not the server will attempt to perform a re-
198 verse name lookup when matching the name in the ~/.shosts,
199 ~/.rhosts, and /etc/hosts.equiv files during
200 HostbasedAuthentication. A setting of ``yes'' means that sshd(8)
201 uses the name supplied by the client rather than attempting to
202 resolve the name from the TCP connection itself. The default is
203 ``no''.
204
172 HostKey 205 HostKey
173 Specifies a file containing a private host key used by SSH. The 206 Specifies a file containing a private host key used by SSH. The
174 default is /etc/ssh/ssh_host_key for protocol version 1, and 207 default is /etc/ssh/ssh_host_key for protocol version 1, and
175 /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- 208 /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro-
176 tocol version 2. Note that sshd will refuse to use a file if it 209 tocol version 2. Note that sshd(8) will refuse to use a file if
177 is group/world-accessible. It is possible to have multiple host 210 it is group/world-accessible. It is possible to have multiple
178 key files. ``rsa1'' keys are used for version 1 and ``dsa'' or 211 host key files. ``rsa1'' keys are used for version 1 and ``dsa''
179 ``rsa'' are used for version 2 of the SSH protocol. 212 or ``rsa'' are used for version 2 of the SSH protocol.
180 213
181 IgnoreRhosts 214 IgnoreRhosts
182 Specifies that .rhosts and .shosts files will not be used in 215 Specifies that .rhosts and .shosts files will not be used in
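Review bot: HostbasedUsesNameFromPacketOnly (new lines 196-203) describes the mechanism but not the trust consequence of ``yes'': the name matched against ~/.shosts, ~/.rhosts and /etc/hosts.equiv is then taken from the client's packet rather than derived from the connection. The entry should say what that client-supplied name is still checked against (the HostbasedAuthentication text just above requires successful public key client host authentication, so presumably the client host's key) so an administrator can judge when enabling it is safe; as written the reader only learns that the default is ``no'' without why. It also does not say what ``no'' does when the reverse lookup fails.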
@@ -186,7 +219,7 @@ DESCRIPTION
186 fault is ``yes''. 219 fault is ``yes''.
187 220
188 IgnoreUserKnownHosts 221 IgnoreUserKnownHosts
189 Specifies whether sshd should ignore the user's 222 Specifies whether sshd(8) should ignore the user's
190 ~/.ssh/known_hosts during RhostsRSAAuthentication or 223 ~/.ssh/known_hosts during RhostsRSAAuthentication or
191 HostbasedAuthentication. The default is ``no''. 224 HostbasedAuthentication. The default is ``no''.
192 225
@@ -194,22 +227,22 @@ DESCRIPTION
194 Specifies whether the password provided by the user for 227 Specifies whether the password provided by the user for
195 PasswordAuthentication will be validated through the Kerberos 228 PasswordAuthentication will be validated through the Kerberos
196 KDC. To use this option, the server needs a Kerberos servtab 229 KDC. To use this option, the server needs a Kerberos servtab
197 which allows the verification of the KDC's identity. Default is 230 which allows the verification of the KDC's identity. The default
198 ``no''. 231 is ``no''.
199 232
200 KerberosGetAFSToken 233 KerberosGetAFSToken
201 If AFS is active and the user has a Kerberos 5 TGT, attempt to 234 If AFS is active and the user has a Kerberos 5 TGT, attempt to
202 acquire an AFS token before accessing the user's home directory. 235 acquire an AFS token before accessing the user's home directory.
203 Default is ``no''. 236 The default is ``no''.
204 237
205 KerberosOrLocalPasswd 238 KerberosOrLocalPasswd
206 If set then if password authentication through Kerberos fails 239 If password authentication through Kerberos fails then the pass-
207 then the password will be validated via any additional local 240 word will be validated via any additional local mechanism such as
208 mechanism such as /etc/passwd. Default is ``yes''. 241 /etc/passwd. The default is ``yes''.
209 242
210 KerberosTicketCleanup 243 KerberosTicketCleanup
211 Specifies whether to automatically destroy the user's ticket 244 Specifies whether to automatically destroy the user's ticket
212 cache file on logout. Default is ``yes''. 245 cache file on logout. The default is ``yes''.
213 246
214 KeyRegenerationInterval 247 KeyRegenerationInterval
215 In protocol version 1, the ephemeral server key is automatically 248 In protocol version 1, the ephemeral server key is automatically
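Review bot: line 229 (unchanged context) still says the server needs a Kerberos "servtab"; Kerberos documentation calls this file a srvtab (Kerberos 4) or keytab (Kerberos 5), so this looks like a typo that could be fixed while the sentence is being reworded anyway. In the KerberosOrLocalPasswd rewording (new lines 239-241), "fails" does not say whether it covers the KDC being unreachable as well as an incorrect password; since the default is ``yes'', that distinction decides whether a KDC outage falls through to local /etc/passwd checking and deserves a sentence.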
@@ -220,8 +253,8 @@ DESCRIPTION
220 never regenerated. The default is 3600 (seconds). 253 never regenerated. The default is 3600 (seconds).
221 254
222 ListenAddress 255 ListenAddress
223 Specifies the local addresses sshd should listen on. The follow- 256 Specifies the local addresses sshd(8) should listen on. The fol-
224 ing forms may be used: 257 lowing forms may be used:
225 258
226 ListenAddress host|IPv4_addr|IPv6_addr 259 ListenAddress host|IPv4_addr|IPv6_addr
227 ListenAddress host|IPv4_addr:port 260 ListenAddress host|IPv4_addr:port
@@ -230,7 +263,7 @@ DESCRIPTION
230 If port is not specified, sshd will listen on the address and all 263 If port is not specified, sshd will listen on the address and all
231 prior Port options specified. The default is to listen on all 264 prior Port options specified. The default is to listen on all
232 local addresses. Multiple ListenAddress options are permitted. 265 local addresses. Multiple ListenAddress options are permitted.
233 Additionally, any Port options must precede this option for non 266 Additionally, any Port options must precede this option for non-
234 port qualified addresses. 267 port qualified addresses.
235 268
236 LoginGraceTime 269 LoginGraceTime
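Review bot: new lines 266-267 say Port options must precede ListenAddress for non-port-qualified addresses, but neither ListenAddress hunk says what happens when a Port appears after such a ListenAddress: whether it is ignored for that address, applied anyway, or reported as an error. Because the consequence is the daemon listening on fewer or more sockets than the administrator intended, suggest one sentence stating the behaviour and a two-line example with Port placed before ListenAddress.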
@@ -240,8 +273,8 @@ DESCRIPTION
240 273
241 LogLevel 274 LogLevel
242 Gives the verbosity level that is used when logging messages from 275 Gives the verbosity level that is used when logging messages from
243 sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VER- 276 sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO,
244 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. 277 VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
245 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify 278 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
246 higher levels of debugging output. Logging with a DEBUG level 279 higher levels of debugging output. Logging with a DEBUG level
247 violates the privacy of users and is not recommended. 280 violates the privacy of users and is not recommended.
@@ -249,9 +282,23 @@ DESCRIPTION
249 MACs Specifies the available MAC (message authentication code) algo- 282 MACs Specifies the available MAC (message authentication code) algo-
250 rithms. The MAC algorithm is used in protocol version 2 for data 283 rithms. The MAC algorithm is used in protocol version 2 for data
251 integrity protection. Multiple algorithms must be comma-separat- 284 integrity protection. Multiple algorithms must be comma-separat-
252 ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac- 285 ed. The default is: ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
253 sha1-96,hmac-md5-96''. 286 sha1-96,hmac-md5-96''.
254 287
288 Match Introduces a conditional block. If all of the criteria on the
289 Match line are satisfied, the keywords on the following lines
290 override those set in the global section of the config file, un-
291 til either another Match line or the end of the file. The argu-
292 ments to Match are one or more criteria-pattern pairs. The
293 available criteria are User, Group, Host, and Address. Only a
294 subset of keywords may be used on the lines following a Match
295 keyword. Available keywords are AllowTcpForwarding, Banner,
296 ForceCommand, GatewayPorts, GSSApiAuthentication,
297 KbdInteractiveAuthentication, KerberosAuthentication,
298 PasswordAuthentication, PermitOpen, RhostsRSAAuthentication,
299 RSAAuthentication, X11DisplayOffset, X11Forwarding, and
300 X11UseLocalHost.
301
255 MaxAuthTries 302 MaxAuthTries
256 Specifies the maximum number of authentication attempts permitted 303 Specifies the maximum number of authentication attempts permitted
257 per connection. Once the number of failures reaches half this 304 per connection. Once the number of failures reaches half this
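Review bot: the new Match entry (new lines 288-300) lists Host and Address as criteria without saying how Host is obtained for a connection. If it is the reverse-resolved client name, Host-based Match blocks depend on UseDNS and on the client's DNS, and that belongs next to the criterion so that an administrator who has disabled UseDNS knows to match on Address instead. Two consistency points in the keyword list: GSSApiAuthentication and X11UseLocalHost are spelt differently from the forms used elsewhere (the X11Forwarding text in this same diff writes X11UseLocalhost); keywords are case-insensitive per the DESCRIPTION, but the man page should use one spelling. Finally, "until either another Match line or the end of the file" implies that global options cannot follow a Match block; saying that global options must appear before the first Match makes the constraint explicit.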
@@ -259,17 +306,17 @@ DESCRIPTION
259 306
260 MaxStartups 307 MaxStartups
261 Specifies the maximum number of concurrent unauthenticated con- 308 Specifies the maximum number of concurrent unauthenticated con-
262 nections to the sshd daemon. Additional connections will be 309 nections to the SSH daemon. Additional connections will be
263 dropped until authentication succeeds or the LoginGraceTime ex- 310 dropped until authentication succeeds or the LoginGraceTime ex-
264 pires for a connection. The default is 10. 311 pires for a connection. The default is 10.
265 312
266 Alternatively, random early drop can be enabled by specifying the 313 Alternatively, random early drop can be enabled by specifying the
267 three colon separated values ``start:rate:full'' (e.g., 314 three colon separated values ``start:rate:full'' (e.g.
268 "10:30:60"). sshd will refuse connection attempts with a proba- 315 "10:30:60"). sshd(8) will refuse connection attempts with a
269 bility of ``rate/100'' (30%) if there are currently ``start'' 316 probability of ``rate/100'' (30%) if there are currently
270 (10) unauthenticated connections. The probability increases lin- 317 ``start'' (10) unauthenticated connections. The probability in-
271 early and all connection attempts are refused if the number of 318 creases linearly and all connection attempts are refused if the
272 unauthenticated connections reaches ``full'' (60). 319 number of unauthenticated connections reaches ``full'' (60).
273 320
274 PasswordAuthentication 321 PasswordAuthentication
275 Specifies whether password authentication is allowed. The de- 322 Specifies whether password authentication is allowed. The de-
@@ -280,59 +327,74 @@ DESCRIPTION
280 server allows login to accounts with empty password strings. The 327 server allows login to accounts with empty password strings. The
281 default is ``no''. 328 default is ``no''.
282 329
330 PermitOpen
331 Specifies the destinations to which TCP port forwarding is per-
332 mitted. The forwarding specification must be one of the follow-
333 ing forms:
334
335 PermitOpen host:port
336 PermitOpen IPv4_addr:port
337 PermitOpen [IPv6_addr]:port
338
339 Multiple forwards may be specified by separating them with
340 whitespace. An argument of ``any'' can be used to remove all re-
341 strictions and permit any forwarding requests. By default all
342 port forwarding requests are permitted.
343
283 PermitRootLogin 344 PermitRootLogin
284 Specifies whether root can log in using ssh(1). The argument 345 Specifies whether root can log in using ssh(1). The argument
285 must be ``yes'', ``without-password'', ``forced-commands-only'' 346 must be ``yes'', ``without-password'', ``forced-commands-only'',
286 or ``no''. The default is ``yes''. 347 or ``no''. The default is ``yes''.
287 348
288 If this option is set to ``without-password'' password authenti- 349 If this option is set to ``without-password'', password authenti-
289 cation is disabled for root. 350 cation is disabled for root.
290 351
291 If this option is set to ``forced-commands-only'' root login with 352 If this option is set to ``forced-commands-only'', root login
292 public key authentication will be allowed, but only if the 353 with public key authentication will be allowed, but only if the
293 command option has been specified (which may be useful for taking 354 command option has been specified (which may be useful for taking
294 remote backups even if root login is normally not allowed). All 355 remote backups even if root login is normally not allowed). All
295 other authentication methods are disabled for root. 356 other authentication methods are disabled for root.
296 357
297 If this option is set to ``no'' root is not allowed to log in. 358 If this option is set to ``no'', root is not allowed to log in.
298 359
299 PermitTunnel 360 PermitTunnel
300 Specifies whether tun(4) device forwarding is allowed. The argu- 361 Specifies whether tun(4) device forwarding is allowed. The argu-
301 ment must be ``yes'', ``point-to-point'', ``ethernet'' or ``no''. 362 ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet''
302 The default is ``no''. 363 (layer 2), or ``no''. Specifying ``yes'' permits both ``point-
364 to-point'' and ``ethernet''. The default is ``no''.
303 365
304 PermitUserEnvironment 366 PermitUserEnvironment
305 Specifies whether ~/.ssh/environment and environment= options in 367 Specifies whether ~/.ssh/environment and environment= options in
306 ~/.ssh/authorized_keys are processed by sshd. The default is 368 ~/.ssh/authorized_keys are processed by sshd(8). The default is
307 ``no''. Enabling environment processing may enable users to by- 369 ``no''. Enabling environment processing may enable users to by-
308 pass access restrictions in some configurations using mechanisms 370 pass access restrictions in some configurations using mechanisms
309 such as LD_PRELOAD. 371 such as LD_PRELOAD.
310 372
311 PidFile 373 PidFile
312 Specifies the file that contains the process ID of the sshd dae- 374 Specifies the file that contains the process ID of the SSH dae-
313 mon. The default is /var/run/sshd.pid. 375 mon. The default is /var/run/sshd.pid.
314 376
315 Port Specifies the port number that sshd listens on. The default is 377 Port Specifies the port number that sshd(8) listens on. The default
316 22. Multiple options of this type are permitted. See also 378 is 22. Multiple options of this type are permitted. See also
317 ListenAddress. 379 ListenAddress.
318 380
319 PrintLastLog 381 PrintLastLog
320 Specifies whether sshd should print the date and time of the last 382 Specifies whether sshd(8) should print the date and time of the
321 user login when a user logs in interactively. The default is 383 last user login when a user logs in interactively. The default
322 ``yes''. 384 is ``yes''.
323 385
324 PrintMotd 386 PrintMotd
325 Specifies whether sshd should print /etc/motd when a user logs in 387 Specifies whether sshd(8) should print /etc/motd when a user logs
326 interactively. (On some systems it is also printed by the shell, 388 in interactively. (On some systems it is also printed by the
327 /etc/profile, or equivalent.) The default is ``yes''. 389 shell, /etc/profile, or equivalent.) The default is ``yes''.
328 390
329 Protocol 391 Protocol
330 Specifies the protocol versions sshd supports. The possible val- 392 Specifies the protocol versions sshd(8) supports. The possible
331 ues are ``1'' and ``2''. Multiple versions must be comma-sepa- 393 values are `1' and `2'. Multiple versions must be comma-separat-
332 rated. The default is ``2,1''. Note that the order of the pro- 394 ed. The default is ``2,1''. Note that the order of the protocol
333 tocol list does not indicate preference, because the client se- 395 list does not indicate preference, because the client selects
334 lects among multiple protocol versions offered by the server. 396 among multiple protocol versions offered by the server. Specify-
335 Specifying ``2,1'' is identical to ``1,2''. 397 ing ``2,1'' is identical to ``1,2''.
336 398
337 PubkeyAuthentication 399 PubkeyAuthentication
338 Specifies whether public key authentication is allowed. The de- 400 Specifies whether public key authentication is allowed. The de-
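Review bot: the new PermitOpen entry (new lines 330-342) leaves unstated several things an administrator needs: whether host in host:port is compared literally with the destination the client requested or after name resolution, whether a wildcard is accepted for either field, and which forwarding types it governs (the GatewayPorts entry earlier distinguishes remote port forwardings, and AllowTcpForwarding disables forwarding altogether). Since PermitOpen is in the Match keyword list, a short example of a per-group PermitOpen inside a Match block would show the intended use. Minor: the Protocol text (new line 393) switches to single quotes `1' and `2' while every other value on the page uses ``...''.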
@@ -355,24 +417,24 @@ DESCRIPTION
355 server key. The minimum value is 512, and the default is 768. 417 server key. The minimum value is 512, and the default is 768.
356 418
357 StrictModes 419 StrictModes
358 Specifies whether sshd should check file modes and ownership of 420 Specifies whether sshd(8) should check file modes and ownership
359 the user's files and home directory before accepting login. This 421 of the user's files and home directory before accepting login.
360 is normally desirable because novices sometimes accidentally 422 This is normally desirable because novices sometimes accidentally
361 leave their directory or files world-writable. The default is 423 leave their directory or files world-writable. The default is
362 ``yes''. 424 ``yes''.
363 425
364 Subsystem 426 Subsystem
365 Configures an external subsystem (e.g., file transfer daemon). 427 Configures an external subsystem (e.g. file transfer daemon).
366 Arguments should be a subsystem name and a command to execute up- 428 Arguments should be a subsystem name and a command (with optional
367 on subsystem request. The command sftp-server(8) implements the 429 arguments) to execute upon subsystem request. The command
368 ``sftp'' file transfer subsystem. By default no subsystems are 430 sftp-server(8) implements the ``sftp'' file transfer subsystem.
369 defined. Note that this option applies to protocol version 2 on- 431 By default no subsystems are defined. Note that this option ap-
370 ly. 432 plies to protocol version 2 only.
371 433
372 SyslogFacility 434 SyslogFacility
373 Gives the facility code that is used when logging messages from 435 Gives the facility code that is used when logging messages from
374 sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO- 436 sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
375 CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- 437 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
376 fault is AUTH. 438 fault is AUTH.
377 439
378 TCPKeepAlive 440 TCPKeepAlive
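Review bot: the Subsystem change (new lines 428-429) adds "with optional arguments" but does not say how the command line is split, in particular whether the double-quote rule introduced in the DESCRIPTION applies so that an argument containing spaces can be passed through. Suggest one sentence on tokenization or an example passing a single argument to sftp-server(8).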
@@ -392,7 +454,7 @@ DESCRIPTION
392 To disable TCP keepalive messages, the value should be set to 454 To disable TCP keepalive messages, the value should be set to
393 ``no''. 455 ``no''.
394 456
395 UseDNS Specifies whether sshd should look up the remote host name and 457 UseDNS Specifies whether sshd(8) should look up the remote host name and
396 check that the resolved host name for the remote IP address maps 458 check that the resolved host name for the remote IP address maps
397 back to the very same IP address. The default is ``yes''. 459 back to the very same IP address. The default is ``yes''.
398 460
@@ -406,8 +468,9 @@ DESCRIPTION
406 468
407 UsePAM Enables the Pluggable Authentication Module interface. If set to 469 UsePAM Enables the Pluggable Authentication Module interface. If set to
408 ``yes'' this will enable PAM authentication using 470 ``yes'' this will enable PAM authentication using
409 ChallengeResponseAuthentication and PAM account and session mod- 471 ChallengeResponseAuthentication and PasswordAuthentication in ad-
410 ule processing for all authentication types. 472 dition to PAM account and session module processing for all au-
473 thentication types.
411 474
412 Because PAM challenge-response authentication usually serves an 475 Because PAM challenge-response authentication usually serves an
413 equivalent role to password authentication, you should disable 476 equivalent role to password authentication, you should disable
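Review bot: new lines 471-473 now say UsePAM enables PAM authentication for both ChallengeResponseAuthentication and PasswordAuthentication, which changes how the following paragraph reads: its reason for disabling one of the two ("PAM challenge-response authentication usually serves an equivalent role to password authentication") should now name plainly which keyword to set to ``no'' and note that leaving both enabled gives a client two PAM-backed paths for the same credential. The hunk is cut before the recommendation itself, so please check that the continuation still agrees with the expanded first paragraph.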
@@ -417,7 +480,7 @@ DESCRIPTION
417 non-root user. The default is ``no''. 480 non-root user. The default is ``no''.
418 481
419 UsePrivilegeSeparation 482 UsePrivilegeSeparation
420 Specifies whether sshd separates privileges by creating an un- 483 Specifies whether sshd(8) separates privileges by creating an un-
421 privileged child process to deal with incoming network traffic. 484 privileged child process to deal with incoming network traffic.
422 After successful authentication, another process will be created 485 After successful authentication, another process will be created
423 that has the privilege of the authenticated user. The goal of 486 that has the privilege of the authenticated user. The goal of
@@ -426,8 +489,8 @@ DESCRIPTION
426 default is ``yes''. 489 default is ``yes''.
427 490
428 X11DisplayOffset 491 X11DisplayOffset
429 Specifies the first display number available for sshd's X11 for- 492 Specifies the first display number available for sshd(8)'s X11
430 warding. This prevents sshd from interfering with real X11 493 forwarding. This prevents sshd from interfering with real X11
431 servers. The default is 10. 494 servers. The default is 10.
432 495
433 X11Forwarding 496 X11Forwarding
@@ -435,17 +498,17 @@ DESCRIPTION
435 be ``yes'' or ``no''. The default is ``no''. 498 be ``yes'' or ``no''. The default is ``no''.
436 499
437 When X11 forwarding is enabled, there may be additional exposure 500 When X11 forwarding is enabled, there may be additional exposure
438 to the server and to client displays if the sshd proxy display is 501 to the server and to client displays if the sshd(8) proxy display
439 configured to listen on the wildcard address (see X11UseLocalhost 502 is configured to listen on the wildcard address (see
440 below), however this is not the default. Additionally, the au- 503 X11UseLocalhost below), though this is not the default. Addi-
441 thentication spoofing and authentication data verification and 504 tionally, the authentication spoofing and authentication data
442 substitution occur on the client side. The security risk of us- 505 verification and substitution occur on the client side. The se-
443 ing X11 forwarding is that the client's X11 display server may be 506 curity risk of using X11 forwarding is that the client's X11 dis-
444 exposed to attack when the ssh client requests forwarding (see 507 play server may be exposed to attack when the SSH client requests
445 the warnings for ForwardX11 in ssh_config(5)). A system adminis- 508 forwarding (see the warnings for ForwardX11 in ssh_config(5)). A
446 trator may have a stance in which they want to protect clients 509 system administrator may have a stance in which they want to pro-
447 that may expose themselves to attack by unwittingly requesting 510 tect clients that may expose themselves to attack by unwittingly
448 X11 forwarding, which can warrant a ``no'' setting. 511 requesting X11 forwarding, which can warrant a ``no'' setting.
449 512
450 Note that disabling X11 forwarding does not prevent users from 513 Note that disabling X11 forwarding does not prevent users from
451 forwarding X11 traffic, as users can always install their own 514 forwarding X11 traffic, as users can always install their own
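Review bot: the reflowed paragraph still carries the sentence "Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side" without saying what data is meant, and "Additionally" reads as though a second exposure were being introduced when the sentence is explaining why the risk sits with the client. Since the hunk already points at the ForwardX11 warnings in ssh_config(5), consider either tying the sentence to the X11 authentication data that xauth(1) manages (see XAuthLocation below) or dropping "Additionally". The only substantive wording changes here are "however" to "though" and "ssh client" to "SSH client"; if the capitalised form is the new convention for the generic client program, apply it consistently elsewhere in the page.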
@@ -453,8 +516,8 @@ DESCRIPTION
453 is enabled. 516 is enabled.
454 517
455 X11UseLocalhost 518 X11UseLocalhost
456 Specifies whether sshd should bind the X11 forwarding server to 519 Specifies whether sshd(8) should bind the X11 forwarding server
457 the loopback address or to the wildcard address. By default, 520 to the loopback address or to the wildcard address. By default,
458 sshd binds the forwarding server to the loopback address and sets 521 sshd binds the forwarding server to the loopback address and sets
459 the hostname part of the DISPLAY environment variable to 522 the hostname part of the DISPLAY environment variable to
460 ``localhost''. This prevents remote hosts from connecting to the 523 ``localhost''. This prevents remote hosts from connecting to the
@@ -468,9 +531,9 @@ DESCRIPTION
468 Specifies the full pathname of the xauth(1) program. The default 531 Specifies the full pathname of the xauth(1) program. The default
469 is /usr/X11R6/bin/xauth. 532 is /usr/X11R6/bin/xauth.
470 533
471 Time Formats 534TIME FORMATS
472 sshd command-line arguments and configuration file options that specify 535 sshd(8) command-line arguments and configuration file options that speci-
473 time may be expressed using a sequence of the form: time[qualifier], 536 fy time may be expressed using a sequence of the form: time[qualifier],
474 where time is a positive integer value and qualifier is one of the fol- 537 where time is a positive integer value and qualifier is one of the fol-
475 lowing: 538 lowing:
476 539
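Review bot: promoting the "Time Formats" subsection to a top-level TIME FORMATS section changes the name readers are directed to; any option description on this page that refers the reader to "Time Formats" needs its reference updated to the new section name, otherwise the cross-reference points at a heading that no longer exists. The description itself (time[qualifier], with time a positive integer) is unchanged apart from the reflow.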
@@ -492,7 +555,7 @@ DESCRIPTION
492 555
493FILES 556FILES
494 /etc/ssh/sshd_config 557 /etc/ssh/sshd_config
495 Contains configuration data for sshd. This file should be 558 Contains configuration data for sshd(8). This file should be
496 writable by root only, but it is recommended (though not neces- 559 writable by root only, but it is recommended (though not neces-
497 sary) that it be world-readable. 560 sary) that it be world-readable.
498 561
@@ -507,4 +570,4 @@ AUTHORS
507 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 570 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
508 for privilege separation. 571 for privilege separation.
509 572
510OpenBSD 3.9 September 25, 1999 8 573OpenBSD 4.1 September 25, 1999 9
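Review bot: the footer date is unchanged at September 25, 1999 even though the release tag moves from OpenBSD 3.9 to 4.1 and the page count grows from 8 to 9; bump the date macro in the source so the rendered page reflects when its text last changed, since the UsePAM and X11Forwarding rewrites above are substantive rather than cosmetic.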