diff options
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 1146 |
1 files changed, 1146 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0 new file mode 100644 index 000000000..e75ed1b32 --- /dev/null +++ b/sshd_config.0 | |||
@@ -0,0 +1,1146 @@ | |||
1 | SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | sshd_config M-bM-^@M-^S OpenSSH daemon configuration file | ||
5 | |||
6 | DESCRIPTION | ||
7 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file | ||
8 | specified with -f on the command line). The file contains keyword- | ||
9 | argument pairs, one per line. For each keyword, the first obtained value | ||
10 | will be used. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as | ||
11 | comments. Arguments may optionally be enclosed in double quotes (") in | ||
12 | order to represent arguments containing spaces. | ||
13 | |||
14 | The possible keywords and their meanings are as follows (note that | ||
15 | keywords are case-insensitive and arguments are case-sensitive): | ||
16 | |||
17 | AcceptEnv | ||
18 | Specifies what environment variables sent by the client will be | ||
19 | copied into the session's environ(7). See SendEnv and SetEnv in | ||
20 | ssh_config(5) for how to configure the client. The TERM | ||
21 | environment variable is always accepted whenever the client | ||
22 | requests a pseudo-terminal as it is required by the protocol. | ||
23 | Variables are specified by name, which may contain the wildcard | ||
24 | characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be | ||
25 | separated by whitespace or spread across multiple AcceptEnv | ||
26 | directives. Be warned that some environment variables could be | ||
27 | used to bypass restricted user environments. For this reason, | ||
28 | care should be taken in the use of this directive. The default | ||
29 | is not to accept any environment variables. | ||
30 | |||
31 | AddressFamily | ||
32 | Specifies which address family should be used by sshd(8). Valid | ||
33 | arguments are any (the default), inet (use IPv4 only), or inet6 | ||
34 | (use IPv6 only). | ||
35 | |||
36 | AllowAgentForwarding | ||
37 | Specifies whether ssh-agent(1) forwarding is permitted. The | ||
38 | default is yes. Note that disabling agent forwarding does not | ||
39 | improve security unless users are also denied shell access, as | ||
40 | they can always install their own forwarders. | ||
41 | |||
42 | AllowGroups | ||
43 | This keyword can be followed by a list of group name patterns, | ||
44 | separated by spaces. If specified, login is allowed only for | ||
45 | users whose primary group or supplementary group list matches one | ||
46 | of the patterns. Only group names are valid; a numerical group | ||
47 | ID is not recognized. By default, login is allowed for all | ||
48 | groups. The allow/deny groups directives are processed in the | ||
49 | following order: DenyGroups, AllowGroups. | ||
50 | |||
51 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
52 | |||
53 | AllowStreamLocalForwarding | ||
54 | Specifies whether StreamLocal (Unix-domain socket) forwarding is | ||
55 | permitted. The available options are yes (the default) or all to | ||
56 | allow StreamLocal forwarding, no to prevent all StreamLocal | ||
57 | forwarding, local to allow local (from the perspective of ssh(1)) | ||
58 | forwarding only or remote to allow remote forwarding only. Note | ||
59 | that disabling StreamLocal forwarding does not improve security | ||
60 | unless users are also denied shell access, as they can always | ||
61 | install their own forwarders. | ||
62 | |||
63 | AllowTcpForwarding | ||
64 | Specifies whether TCP forwarding is permitted. The available | ||
65 | options are yes (the default) or all to allow TCP forwarding, no | ||
66 | to prevent all TCP forwarding, local to allow local (from the | ||
67 | perspective of ssh(1)) forwarding only or remote to allow remote | ||
68 | forwarding only. Note that disabling TCP forwarding does not | ||
69 | improve security unless users are also denied shell access, as | ||
70 | they can always install their own forwarders. | ||
71 | |||
72 | AllowUsers | ||
73 | This keyword can be followed by a list of user name patterns, | ||
74 | separated by spaces. If specified, login is allowed only for | ||
75 | user names that match one of the patterns. Only user names are | ||
76 | valid; a numerical user ID is not recognized. By default, login | ||
77 | is allowed for all users. If the pattern takes the form | ||
78 | USER@HOST then USER and HOST are separately checked, restricting | ||
79 | logins to particular users from particular hosts. HOST criteria | ||
80 | may additionally contain addresses to match in CIDR | ||
81 | address/masklen format. The allow/deny users directives are | ||
82 | processed in the following order: DenyUsers, AllowUsers. | ||
83 | |||
84 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
85 | |||
86 | AuthenticationMethods | ||
87 | Specifies the authentication methods that must be successfully | ||
88 | completed for a user to be granted access. This option must be | ||
89 | followed by one or more lists of comma-separated authentication | ||
90 | method names, or by the single string any to indicate the default | ||
91 | behaviour of accepting any single authentication method. If the | ||
92 | default is overridden, then successful authentication requires | ||
93 | completion of every method in at least one of these lists. | ||
94 | |||
95 | For example, "publickey,password publickey,keyboard-interactive" | ||
96 | would require the user to complete public key authentication, | ||
97 | followed by either password or keyboard interactive | ||
98 | authentication. Only methods that are next in one or more lists | ||
99 | are offered at each stage, so for this example it would not be | ||
100 | possible to attempt password or keyboard-interactive | ||
101 | authentication before public key. | ||
102 | |||
103 | For keyboard interactive authentication it is also possible to | ||
104 | restrict authentication to a specific device by appending a colon | ||
105 | followed by the device identifier bsdauth or pam. depending on | ||
106 | the server configuration. For example, | ||
107 | "keyboard-interactive:bsdauth" would restrict keyboard | ||
108 | interactive authentication to the bsdauth device. | ||
109 | |||
110 | If the publickey method is listed more than once, sshd(8) | ||
111 | verifies that keys that have been used successfully are not | ||
112 | reused for subsequent authentications. For example, | ||
113 | "publickey,publickey" requires successful authentication using | ||
114 | two different public keys. | ||
115 | |||
116 | Note that each authentication method listed should also be | ||
117 | explicitly enabled in the configuration. | ||
118 | |||
119 | The available authentication methods are: "gssapi-with-mic", | ||
120 | "hostbased", "keyboard-interactive", "none" (used for access to | ||
121 | password-less accounts when PermitEmptyPasswords is enabled), | ||
122 | "password" and "publickey". | ||
123 | |||
124 | AuthorizedKeysCommand | ||
125 | Specifies a program to be used to look up the user's public keys. | ||
126 | The program must be owned by root, not writable by group or | ||
127 | others and specified by an absolute path. Arguments to | ||
128 | AuthorizedKeysCommand accept the tokens described in the TOKENS | ||
129 | section. If no arguments are specified then the username of the | ||
130 | target user is used. | ||
131 | |||
132 | The program should produce on standard output zero or more lines | ||
133 | of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)). | ||
134 | AuthorizedKeysCommand is tried after the usual AuthorizedKeysFile | ||
135 | files and will not be executed if a matching key is found there. | ||
136 | By default, no AuthorizedKeysCommand is run. | ||
137 | |||
138 | AuthorizedKeysCommandUser | ||
139 | Specifies the user under whose account the AuthorizedKeysCommand | ||
140 | is run. It is recommended to use a dedicated user that has no | ||
141 | other role on the host than running authorized keys commands. If | ||
142 | AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser | ||
143 | is not, then sshd(8) will refuse to start. | ||
144 | |||
145 | AuthorizedKeysFile | ||
146 | Specifies the file that contains the public keys used for user | ||
147 | authentication. The format is described in the AUTHORIZED_KEYS | ||
148 | FILE FORMAT section of sshd(8). Arguments to AuthorizedKeysFile | ||
149 | accept the tokens described in the TOKENS section. After | ||
150 | expansion, AuthorizedKeysFile is taken to be an absolute path or | ||
151 | one relative to the user's home directory. Multiple files may be | ||
152 | listed, separated by whitespace. Alternately this option may be | ||
153 | set to none to skip checking for user keys in files. The default | ||
154 | is ".ssh/authorized_keys .ssh/authorized_keys2". | ||
155 | |||
156 | AuthorizedPrincipalsCommand | ||
157 | Specifies a program to be used to generate the list of allowed | ||
158 | certificate principals as per AuthorizedPrincipalsFile. The | ||
159 | program must be owned by root, not writable by group or others | ||
160 | and specified by an absolute path. Arguments to | ||
161 | AuthorizedPrincipalsCommand accept the tokens described in the | ||
162 | TOKENS section. If no arguments are specified then the username | ||
163 | of the target user is used. | ||
164 | |||
165 | The program should produce on standard output zero or more lines | ||
166 | of AuthorizedPrincipalsFile output. If either | ||
167 | AuthorizedPrincipalsCommand or AuthorizedPrincipalsFile is | ||
168 | specified, then certificates offered by the client for | ||
169 | authentication must contain a principal that is listed. By | ||
170 | default, no AuthorizedPrincipalsCommand is run. | ||
171 | |||
172 | AuthorizedPrincipalsCommandUser | ||
173 | Specifies the user under whose account the | ||
174 | AuthorizedPrincipalsCommand is run. It is recommended to use a | ||
175 | dedicated user that has no other role on the host than running | ||
176 | authorized principals commands. If AuthorizedPrincipalsCommand | ||
177 | is specified but AuthorizedPrincipalsCommandUser is not, then | ||
178 | sshd(8) will refuse to start. | ||
179 | |||
180 | AuthorizedPrincipalsFile | ||
181 | Specifies a file that lists principal names that are accepted for | ||
182 | certificate authentication. When using certificates signed by a | ||
183 | key listed in TrustedUserCAKeys, this file lists names, one of | ||
184 | which must appear in the certificate for it to be accepted for | ||
185 | authentication. Names are listed one per line preceded by key | ||
186 | options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). | ||
187 | Empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are ignored. | ||
188 | |||
189 | Arguments to AuthorizedPrincipalsFile accept the tokens described | ||
190 | in the TOKENS section. After expansion, AuthorizedPrincipalsFile | ||
191 | is taken to be an absolute path or one relative to the user's | ||
192 | home directory. The default is none, i.e. not to use a | ||
193 | principals file M-bM-^@M-^S in this case, the username of the user must | ||
194 | appear in a certificate's principals list for it to be accepted. | ||
195 | |||
196 | Note that AuthorizedPrincipalsFile is only used when | ||
197 | authentication proceeds using a CA listed in TrustedUserCAKeys | ||
198 | and is not consulted for certification authorities trusted via | ||
199 | ~/.ssh/authorized_keys, though the principals= key option offers | ||
200 | a similar facility (see sshd(8) for details). | ||
201 | |||
202 | Banner The contents of the specified file are sent to the remote user | ||
203 | before authentication is allowed. If the argument is none then | ||
204 | no banner is displayed. By default, no banner is displayed. | ||
205 | |||
206 | CASignatureAlgorithms | ||
207 | Specifies which algorithms are allowed for signing of | ||
208 | certificates by certificate authorities (CAs). The default is: | ||
209 | |||
210 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
211 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
212 | |||
213 | Certificates signed using other algorithms will not be accepted | ||
214 | for public key or host-based authentication. | ||
215 | |||
216 | ChallengeResponseAuthentication | ||
217 | Specifies whether challenge-response authentication is allowed | ||
218 | (e.g. via PAM or through authentication styles supported in | ||
219 | login.conf(5)) The default is yes. | ||
220 | |||
221 | ChrootDirectory | ||
222 | Specifies the pathname of a directory to chroot(2) to after | ||
223 | authentication. At session startup sshd(8) checks that all | ||
224 | components of the pathname are root-owned directories which are | ||
225 | not writable by any other user or group. After the chroot, | ||
226 | sshd(8) changes the working directory to the user's home | ||
227 | directory. Arguments to ChrootDirectory accept the tokens | ||
228 | described in the TOKENS section. | ||
229 | |||
230 | The ChrootDirectory must contain the necessary files and | ||
231 | directories to support the user's session. For an interactive | ||
232 | session this requires at least a shell, typically sh(1), and | ||
233 | basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), | ||
234 | stderr(4), and tty(4) devices. For file transfer sessions using | ||
235 | SFTP no additional configuration of the environment is necessary | ||
236 | if the in-process sftp-server is used, though sessions which use | ||
237 | logging may require /dev/log inside the chroot directory on some | ||
238 | operating systems (see sftp-server(8) for details). | ||
239 | |||
240 | For safety, it is very important that the directory hierarchy be | ||
241 | prevented from modification by other processes on the system | ||
242 | (especially those outside the jail). Misconfiguration can lead | ||
243 | to unsafe environments which sshd(8) cannot detect. | ||
244 | |||
245 | The default is none, indicating not to chroot(2). | ||
246 | |||
247 | Ciphers | ||
248 | Specifies the ciphers allowed. Multiple ciphers must be comma- | ||
249 | separated. If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, | ||
250 | then the specified ciphers will be appended to the default set | ||
251 | instead of replacing them. If the specified list begins with a | ||
252 | M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified ciphers (including wildcards) | ||
253 | will be removed from the default set instead of replacing them. | ||
254 | If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the | ||
255 | specified ciphers will be placed at the head of the default set. | ||
256 | |||
257 | The supported ciphers are: | ||
258 | |||
259 | 3des-cbc | ||
260 | aes128-cbc | ||
261 | aes192-cbc | ||
262 | aes256-cbc | ||
263 | aes128-ctr | ||
264 | aes192-ctr | ||
265 | aes256-ctr | ||
266 | aes128-gcm@openssh.com | ||
267 | aes256-gcm@openssh.com | ||
268 | chacha20-poly1305@openssh.com | ||
269 | |||
270 | The default is: | ||
271 | |||
272 | chacha20-poly1305@openssh.com, | ||
273 | aes128-ctr,aes192-ctr,aes256-ctr, | ||
274 | aes128-gcm@openssh.com,aes256-gcm@openssh.com | ||
275 | |||
276 | The list of available ciphers may also be obtained using "ssh -Q | ||
277 | cipher". | ||
278 | |||
279 | ClientAliveCountMax | ||
280 | Sets the number of client alive messages which may be sent | ||
281 | without sshd(8) receiving any messages back from the client. If | ||
282 | this threshold is reached while client alive messages are being | ||
283 | sent, sshd will disconnect the client, terminating the session. | ||
284 | It is important to note that the use of client alive messages is | ||
285 | very different from TCPKeepAlive. The client alive messages are | ||
286 | sent through the encrypted channel and therefore will not be | ||
287 | spoofable. The TCP keepalive option enabled by TCPKeepAlive is | ||
288 | spoofable. The client alive mechanism is valuable when the | ||
289 | client or server depend on knowing when a connection has become | ||
290 | unresponsive. | ||
291 | |||
292 | The default value is 3. If ClientAliveInterval is set to 15, and | ||
293 | ClientAliveCountMax is left at the default, unresponsive SSH | ||
294 | clients will be disconnected after approximately 45 seconds. | ||
295 | Setting a zero ClientAliveCountMax disables connection | ||
296 | termination. | ||
297 | |||
298 | ClientAliveInterval | ||
299 | Sets a timeout interval in seconds after which if no data has | ||
300 | been received from the client, sshd(8) will send a message | ||
301 | through the encrypted channel to request a response from the | ||
302 | client. The default is 0, indicating that these messages will | ||
303 | not be sent to the client. | ||
304 | |||
305 | Compression | ||
306 | Specifies whether compression is enabled after the user has | ||
307 | authenticated successfully. The argument must be yes, delayed (a | ||
308 | legacy synonym for yes) or no. The default is yes. | ||
309 | |||
310 | DenyGroups | ||
311 | This keyword can be followed by a list of group name patterns, | ||
312 | separated by spaces. Login is disallowed for users whose primary | ||
313 | group or supplementary group list matches one of the patterns. | ||
314 | Only group names are valid; a numerical group ID is not | ||
315 | recognized. By default, login is allowed for all groups. The | ||
316 | allow/deny groups directives are processed in the following | ||
317 | order: DenyGroups, AllowGroups. | ||
318 | |||
319 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
320 | |||
321 | DenyUsers | ||
322 | This keyword can be followed by a list of user name patterns, | ||
323 | separated by spaces. Login is disallowed for user names that | ||
324 | match one of the patterns. Only user names are valid; a | ||
325 | numerical user ID is not recognized. By default, login is | ||
326 | allowed for all users. If the pattern takes the form USER@HOST | ||
327 | then USER and HOST are separately checked, restricting logins to | ||
328 | particular users from particular hosts. HOST criteria may | ||
329 | additionally contain addresses to match in CIDR address/masklen | ||
330 | format. The allow/deny users directives are processed in the | ||
331 | following order: DenyUsers, AllowUsers. | ||
332 | |||
333 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
334 | |||
335 | DisableForwarding | ||
336 | Disables all forwarding features, including X11, ssh-agent(1), | ||
337 | TCP and StreamLocal. This option overrides all other forwarding- | ||
338 | related options and may simplify restricted configurations. | ||
339 | |||
340 | ExposeAuthInfo | ||
341 | Writes a temporary file containing a list of authentication | ||
342 | methods and public credentials (e.g. keys) used to authenticate | ||
343 | the user. The location of the file is exposed to the user | ||
344 | session through the SSH_USER_AUTH environment variable. The | ||
345 | default is no. | ||
346 | |||
347 | FingerprintHash | ||
348 | Specifies the hash algorithm used when logging key fingerprints. | ||
349 | Valid options are: md5 and sha256. The default is sha256. | ||
350 | |||
351 | ForceCommand | ||
352 | Forces the execution of the command specified by ForceCommand, | ||
353 | ignoring any command supplied by the client and ~/.ssh/rc if | ||
354 | present. The command is invoked by using the user's login shell | ||
355 | with the -c option. This applies to shell, command, or subsystem | ||
356 | execution. It is most useful inside a Match block. The command | ||
357 | originally supplied by the client is available in the | ||
358 | SSH_ORIGINAL_COMMAND environment variable. Specifying a command | ||
359 | of internal-sftp will force the use of an in-process SFTP server | ||
360 | that requires no support files when used with ChrootDirectory. | ||
361 | The default is none. | ||
362 | |||
363 | GatewayPorts | ||
364 | Specifies whether remote hosts are allowed to connect to ports | ||
365 | forwarded for the client. By default, sshd(8) binds remote port | ||
366 | forwardings to the loopback address. This prevents other remote | ||
367 | hosts from connecting to forwarded ports. GatewayPorts can be | ||
368 | used to specify that sshd should allow remote port forwardings to | ||
369 | bind to non-loopback addresses, thus allowing other hosts to | ||
370 | connect. The argument may be no to force remote port forwardings | ||
371 | to be available to the local host only, yes to force remote port | ||
372 | forwardings to bind to the wildcard address, or clientspecified | ||
373 | to allow the client to select the address to which the forwarding | ||
374 | is bound. The default is no. | ||
375 | |||
376 | GSSAPIAuthentication | ||
377 | Specifies whether user authentication based on GSSAPI is allowed. | ||
378 | The default is no. | ||
379 | |||
380 | GSSAPICleanupCredentials | ||
381 | Specifies whether to automatically destroy the user's credentials | ||
382 | cache on logout. The default is yes. | ||
383 | |||
384 | GSSAPIStrictAcceptorCheck | ||
385 | Determines whether to be strict about the identity of the GSSAPI | ||
386 | acceptor a client authenticates against. If set to yes then the | ||
387 | client must authenticate against the host service on the current | ||
388 | hostname. If set to no then the client may authenticate against | ||
389 | any service key stored in the machine's default store. This | ||
390 | facility is provided to assist with operation on multi homed | ||
391 | machines. The default is yes. | ||
392 | |||
393 | HostbasedAcceptedKeyTypes | ||
394 | Specifies the key types that will be accepted for hostbased | ||
395 | authentication as a list of comma-separated patterns. | ||
396 | Alternately if the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, | ||
397 | then the specified key types will be appended to the default set | ||
398 | instead of replacing them. If the specified list begins with a | ||
399 | M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified key types (including wildcards) | ||
400 | will be removed from the default set instead of replacing them. | ||
401 | If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the | ||
402 | specified key types will be placed at the head of the default | ||
403 | set. The default for this option is: | ||
404 | |||
405 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
406 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
407 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
408 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
409 | ssh-ed25519-cert-v01@openssh.com, | ||
410 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
411 | rsa-sha2-512-cert-v01@openssh.com, | ||
412 | rsa-sha2-256-cert-v01@openssh.com, | ||
413 | ssh-rsa-cert-v01@openssh.com, | ||
414 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
415 | sk-ecdsa-sha2-nistp256@openssh.com, | ||
416 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
417 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
418 | |||
419 | The list of available key types may also be obtained using "ssh | ||
420 | -Q HostbasedAcceptedKeyTypes". | ||
421 | |||
422 | HostbasedAuthentication | ||
423 | Specifies whether rhosts or /etc/hosts.equiv authentication | ||
424 | together with successful public key client host authentication is | ||
425 | allowed (host-based authentication). The default is no. | ||
426 | |||
427 | HostbasedUsesNameFromPacketOnly | ||
428 | Specifies whether or not the server will attempt to perform a | ||
429 | reverse name lookup when matching the name in the ~/.shosts, | ||
430 | ~/.rhosts, and /etc/hosts.equiv files during | ||
431 | HostbasedAuthentication. A setting of yes means that sshd(8) | ||
432 | uses the name supplied by the client rather than attempting to | ||
433 | resolve the name from the TCP connection itself. The default is | ||
434 | no. | ||
435 | |||
436 | HostCertificate | ||
437 | Specifies a file containing a public host certificate. The | ||
438 | certificate's public key must match a private host key already | ||
439 | specified by HostKey. The default behaviour of sshd(8) is not to | ||
440 | load any certificates. | ||
441 | |||
442 | HostKey | ||
443 | Specifies a file containing a private host key used by SSH. The | ||
444 | defaults are /etc/ssh/ssh_host_ecdsa_key, | ||
445 | /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key. | ||
446 | |||
447 | Note that sshd(8) will refuse to use a file if it is group/world- | ||
448 | accessible and that the HostKeyAlgorithms option restricts which | ||
449 | of the keys are actually used by sshd(8). | ||
450 | |||
451 | It is possible to have multiple host key files. It is also | ||
452 | possible to specify public host key files instead. In this case | ||
453 | operations on the private key will be delegated to an | ||
454 | ssh-agent(1). | ||
455 | |||
456 | HostKeyAgent | ||
457 | Identifies the UNIX-domain socket used to communicate with an | ||
458 | agent that has access to the private host keys. If the string | ||
459 | "SSH_AUTH_SOCK" is specified, the location of the socket will be | ||
460 | read from the SSH_AUTH_SOCK environment variable. | ||
461 | |||
462 | HostKeyAlgorithms | ||
463 | Specifies the host key algorithms that the server offers. The | ||
464 | default for this option is: | ||
465 | |||
466 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
467 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
468 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
469 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
470 | ssh-ed25519-cert-v01@openssh.com, | ||
471 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
472 | rsa-sha2-512-cert-v01@openssh.com, | ||
473 | rsa-sha2-256-cert-v01@openssh.com, | ||
474 | ssh-rsa-cert-v01@openssh.com, | ||
475 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
476 | sk-ecdsa-sha2-nistp256@openssh.com, | ||
477 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
478 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
479 | |||
480 | The list of available key types may also be obtained using "ssh | ||
481 | -Q HostKeyAlgorithms". | ||
482 | |||
483 | IgnoreRhosts | ||
484 | Specifies whether to ignore per-user .rhosts and .shosts files | ||
485 | during HostbasedAuthentication. The system-wide /etc/hosts.equiv | ||
486 | and /etc/shosts.equiv are still used regardless of this setting. | ||
487 | |||
488 | Accepted values are yes (the default) to ignore all per-user | ||
489 | files, shosts-only to allow the use of .shosts but to ignore | ||
490 | .rhosts or no to allow both .shosts and rhosts. | ||
491 | |||
492 | IgnoreUserKnownHosts | ||
493 | Specifies whether sshd(8) should ignore the user's | ||
494 | ~/.ssh/known_hosts during HostbasedAuthentication and use only | ||
495 | the system-wide known hosts file /etc/ssh/known_hosts. The | ||
496 | default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
497 | |||
498 | Include | ||
499 | Include the specified configuration file(s). Multiple pathnames | ||
500 | may be specified and each pathname may contain glob(7) wildcards. | ||
501 | Files without absolute paths are assumed to be in /etc/ssh. An | ||
502 | Include directive may appear inside a Match block to perform | ||
503 | conditional inclusion. | ||
504 | |||
505 | IPQoS Specifies the IPv4 type-of-service or DSCP class for the | ||
506 | connection. Accepted values are af11, af12, af13, af21, af22, | ||
507 | af23, af31, af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, | ||
508 | cs4, cs5, cs6, cs7, ef, le, lowdelay, throughput, reliability, a | ||
509 | numeric value, or none to use the operating system default. This | ||
510 | option may take one or two arguments, separated by whitespace. | ||
511 | If one argument is specified, it is used as the packet class | ||
512 | unconditionally. If two values are specified, the first is | ||
513 | automatically selected for interactive sessions and the second | ||
514 | for non-interactive sessions. The default is af21 (Low-Latency | ||
515 | Data) for interactive sessions and cs1 (Lower Effort) for non- | ||
516 | interactive sessions. | ||
517 | |||
518 | KbdInteractiveAuthentication | ||
519 | Specifies whether to allow keyboard-interactive authentication. | ||
520 | The argument to this keyword must be yes or no. The default is | ||
521 | to use whatever value ChallengeResponseAuthentication is set to | ||
522 | (by default yes). | ||
523 | |||
524 | KerberosAuthentication | ||
525 | Specifies whether the password provided by the user for | ||
526 | PasswordAuthentication will be validated through the Kerberos | ||
527 | KDC. To use this option, the server needs a Kerberos servtab | ||
528 | which allows the verification of the KDC's identity. The default | ||
529 | is no. | ||
530 | |||
531 | KerberosGetAFSToken | ||
532 | If AFS is active and the user has a Kerberos 5 TGT, attempt to | ||
533 | acquire an AFS token before accessing the user's home directory. | ||
534 | The default is no. | ||
535 | |||
536 | KerberosOrLocalPasswd | ||
537 | If password authentication through Kerberos fails then the | ||
538 | password will be validated via any additional local mechanism | ||
539 | such as /etc/passwd. The default is yes. | ||
540 | |||
541 | KerberosTicketCleanup | ||
542 | Specifies whether to automatically destroy the user's ticket | ||
543 | cache file on logout. The default is yes. | ||
544 | |||
545 | KexAlgorithms | ||
546 | Specifies the available KEX (Key Exchange) algorithms. Multiple | ||
547 | algorithms must be comma-separated. Alternately if the specified | ||
548 | list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods will | ||
549 | be appended to the default set instead of replacing them. If the | ||
550 | specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified | ||
551 | methods (including wildcards) will be removed from the default | ||
552 | set instead of replacing them. If the specified list begins with | ||
553 | a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified methods will be placed at the | ||
554 | head of the default set. The supported algorithms are: | ||
555 | |||
556 | curve25519-sha256 | ||
557 | curve25519-sha256@libssh.org | ||
558 | diffie-hellman-group1-sha1 | ||
559 | diffie-hellman-group14-sha1 | ||
560 | diffie-hellman-group14-sha256 | ||
561 | diffie-hellman-group16-sha512 | ||
562 | diffie-hellman-group18-sha512 | ||
563 | diffie-hellman-group-exchange-sha1 | ||
564 | diffie-hellman-group-exchange-sha256 | ||
565 | ecdh-sha2-nistp256 | ||
566 | ecdh-sha2-nistp384 | ||
567 | ecdh-sha2-nistp521 | ||
568 | sntrup4591761x25519-sha512@tinyssh.org | ||
569 | |||
570 | The default is: | ||
571 | |||
572 | curve25519-sha256,curve25519-sha256@libssh.org, | ||
573 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | ||
574 | diffie-hellman-group-exchange-sha256, | ||
575 | diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, | ||
576 | diffie-hellman-group14-sha256 | ||
577 | |||
578 | The list of available key exchange algorithms may also be | ||
579 | obtained using "ssh -Q KexAlgorithms". | ||
580 | |||
581 | ListenAddress | ||
582 | Specifies the local addresses sshd(8) should listen on. The | ||
583 | following forms may be used: | ||
584 | |||
585 | ListenAddress hostname|address [rdomain domain] | ||
586 | ListenAddress hostname:port [rdomain domain] | ||
587 | ListenAddress IPv4_address:port [rdomain domain] | ||
588 | ListenAddress [hostname|address]:port [rdomain domain] | ||
589 | |||
590 | The optional rdomain qualifier requests sshd(8) listen in an | ||
591 | explicit routing domain. If port is not specified, sshd will | ||
592 | listen on the address and all Port options specified. The | ||
593 | default is to listen on all local addresses on the current | ||
594 | default routing domain. Multiple ListenAddress options are | ||
595 | permitted. For more information on routing domains, see | ||
596 | rdomain(4). | ||
597 | |||
598 | LoginGraceTime | ||
599 | The server disconnects after this time if the user has not | ||
600 | successfully logged in. If the value is 0, there is no time | ||
601 | limit. The default is 120 seconds. | ||
602 | |||
603 | LogLevel | ||
604 | Gives the verbosity level that is used when logging messages from | ||
605 | sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, | ||
606 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | ||
607 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
608 | higher levels of debugging output. Logging with a DEBUG level | ||
609 | violates the privacy of users and is not recommended. | ||
610 | |||
611 | MACs Specifies the available MAC (message authentication code) | ||
612 | algorithms. The MAC algorithm is used for data integrity | ||
613 | protection. Multiple algorithms must be comma-separated. If the | ||
614 | specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified | ||
615 | algorithms will be appended to the default set instead of | ||
616 | replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y | ||
617 | character, then the specified algorithms (including wildcards) | ||
618 | will be removed from the default set instead of replacing them. | ||
619 | If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the | ||
620 | specified algorithms will be placed at the head of the default | ||
621 | set. | ||
622 | |||
623 | The algorithms that contain "-etm" calculate the MAC after | ||
624 | encryption (encrypt-then-mac). These are considered safer and | ||
625 | their use recommended. The supported MACs are: | ||
626 | |||
627 | hmac-md5 | ||
628 | hmac-md5-96 | ||
629 | hmac-sha1 | ||
630 | hmac-sha1-96 | ||
631 | hmac-sha2-256 | ||
632 | hmac-sha2-512 | ||
633 | umac-64@openssh.com | ||
634 | umac-128@openssh.com | ||
635 | hmac-md5-etm@openssh.com | ||
636 | hmac-md5-96-etm@openssh.com | ||
637 | hmac-sha1-etm@openssh.com | ||
638 | hmac-sha1-96-etm@openssh.com | ||
639 | hmac-sha2-256-etm@openssh.com | ||
640 | hmac-sha2-512-etm@openssh.com | ||
641 | umac-64-etm@openssh.com | ||
642 | umac-128-etm@openssh.com | ||
643 | |||
644 | The default is: | ||
645 | |||
646 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | ||
647 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | ||
648 | hmac-sha1-etm@openssh.com, | ||
649 | umac-64@openssh.com,umac-128@openssh.com, | ||
650 | hmac-sha2-256,hmac-sha2-512,hmac-sha1 | ||
651 | |||
652 | The list of available MAC algorithms may also be obtained using | ||
653 | "ssh -Q mac". | ||
654 | |||
655 | Match Introduces a conditional block. If all of the criteria on the | ||
656 | Match line are satisfied, the keywords on the following lines | ||
657 | override those set in the global section of the config file, | ||
658 | until either another Match line or the end of the file. If a | ||
659 | keyword appears in multiple Match blocks that are satisfied, only | ||
660 | the first instance of the keyword is applied. | ||
661 | |||
662 | The arguments to Match are one or more criteria-pattern pairs or | ||
663 | the single token All which matches all criteria. The available | ||
664 | criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, | ||
665 | and Address (with RDomain representing the rdomain(4) on which | ||
666 | the connection was received). | ||
667 | |||
668 | The match patterns may consist of single entries or comma- | ||
669 | separated lists and may use the wildcard and negation operators | ||
670 | described in the PATTERNS section of ssh_config(5). | ||
671 | |||
672 | The patterns in an Address criteria may additionally contain | ||
673 | addresses to match in CIDR address/masklen format, such as | ||
674 | 192.0.2.0/24 or 2001:db8::/32. Note that the mask length | ||
675 | provided must be consistent with the address - it is an error to | ||
676 | specify a mask length that is too long for the address or one | ||
677 | with bits set in this host portion of the address. For example, | ||
678 | 192.0.2.0/33 and 192.0.2.0/8, respectively. | ||
679 | |||
680 | Only a subset of keywords may be used on the lines following a | ||
681 | Match keyword. Available keywords are AcceptEnv, | ||
682 | AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, | ||
683 | AllowTcpForwarding, AllowUsers, AuthenticationMethods, | ||
684 | AuthorizedKeysCommand, AuthorizedKeysCommandUser, | ||
685 | AuthorizedKeysFile, AuthorizedPrincipalsCommand, | ||
686 | AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, | ||
687 | Banner, ChrootDirectory, ClientAliveCountMax, | ||
688 | ClientAliveInterval, DenyGroups, DenyUsers, ForceCommand, | ||
689 | GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, | ||
690 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, | ||
691 | IgnoreRhosts, Include, IPQoS, KbdInteractiveAuthentication, | ||
692 | KerberosAuthentication, LogLevel, MaxAuthTries, MaxSessions, | ||
693 | PasswordAuthentication, PermitEmptyPasswords, PermitListen, | ||
694 | PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, | ||
695 | PermitUserRC, PubkeyAcceptedKeyTypes, PubkeyAuthentication, | ||
696 | RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask, | ||
697 | StreamLocalBindUnlink, TrustedUserCAKeys, X11DisplayOffset, | ||
698 | X11Forwarding and X11UseLocalhost. | ||
699 | |||
700 | MaxAuthTries | ||
701 | Specifies the maximum number of authentication attempts permitted | ||
702 | per connection. Once the number of failures reaches half this | ||
703 | value, additional failures are logged. The default is 6. | ||
704 | |||
705 | MaxSessions | ||
706 | Specifies the maximum number of open shell, login or subsystem | ||
707 | (e.g. sftp) sessions permitted per network connection. Multiple | ||
708 | sessions may be established by clients that support connection | ||
709 | multiplexing. Setting MaxSessions to 1 will effectively disable | ||
710 | session multiplexing, whereas setting it to 0 will prevent all | ||
711 | shell, login and subsystem sessions while still permitting | ||
712 | forwarding. The default is 10. | ||
713 | |||
714 | MaxStartups | ||
715 | Specifies the maximum number of concurrent unauthenticated | ||
716 | connections to the SSH daemon. Additional connections will be | ||
717 | dropped until authentication succeeds or the LoginGraceTime | ||
718 | expires for a connection. The default is 10:30:100. | ||
719 | |||
720 | Alternatively, random early drop can be enabled by specifying the | ||
721 | three colon separated values start:rate:full (e.g. "10:30:60"). | ||
722 | sshd(8) will refuse connection attempts with a probability of | ||
723 | rate/100 (30%) if there are currently start (10) unauthenticated | ||
724 | connections. The probability increases linearly and all | ||
725 | connection attempts are refused if the number of unauthenticated | ||
726 | connections reaches full (60). | ||
727 | |||
728 | PasswordAuthentication | ||
729 | Specifies whether password authentication is allowed. The | ||
730 | default is yes. | ||
731 | |||
732 | PermitEmptyPasswords | ||
733 | When password authentication is allowed, it specifies whether the | ||
734 | server allows login to accounts with empty password strings. The | ||
735 | default is no. | ||
736 | |||
737 | PermitListen | ||
738 | Specifies the addresses/ports on which a remote TCP port | ||
739 | forwarding may listen. The listen specification must be one of | ||
740 | the following forms: | ||
741 | |||
742 | PermitListen port | ||
743 | PermitListen host:port | ||
744 | |||
745 | Multiple permissions may be specified by separating them with | ||
746 | whitespace. An argument of any can be used to remove all | ||
747 | restrictions and permit any listen requests. An argument of none | ||
748 | can be used to prohibit all listen requests. The host name may | ||
749 | contain wildcards as described in the PATTERNS section in | ||
750 | ssh_config(5). The wildcard M-bM-^@M-^X*M-bM-^@M-^Y can also be used in place of a | ||
751 | port number to allow all ports. By default all port forwarding | ||
752 | listen requests are permitted. Note that the GatewayPorts option | ||
753 | may further restrict which addresses may be listened on. Note | ||
754 | also that ssh(1) will request a listen host of M-bM-^@M-^\localhostM-bM-^@M-^] if no | ||
755 | listen host was specifically requested, and this name is treated | ||
756 | differently to explicit localhost addresses of M-bM-^@M-^\127.0.0.1M-bM-^@M-^] and | ||
757 | M-bM-^@M-^\::1M-bM-^@M-^]. | ||
758 | |||
759 | PermitOpen | ||
760 | Specifies the destinations to which TCP port forwarding is | ||
761 | permitted. The forwarding specification must be one of the | ||
762 | following forms: | ||
763 | |||
764 | PermitOpen host:port | ||
765 | PermitOpen IPv4_addr:port | ||
766 | PermitOpen [IPv6_addr]:port | ||
767 | |||
768 | Multiple forwards may be specified by separating them with | ||
769 | whitespace. An argument of any can be used to remove all | ||
770 | restrictions and permit any forwarding requests. An argument of | ||
771 | none can be used to prohibit all forwarding requests. The | ||
772 | wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or | ||
773 | ports respectively. Otherwise, no pattern matching or address | ||
774 | lookups are performed on supplied names. By default all port | ||
775 | forwarding requests are permitted. | ||
776 | |||
777 | PermitRootLogin | ||
778 | Specifies whether root can log in using ssh(1). The argument | ||
779 | must be yes, prohibit-password, forced-commands-only, or no. The | ||
780 | default is prohibit-password. | ||
781 | |||
782 | If this option is set to prohibit-password (or its deprecated | ||
783 | alias, without-password), password and keyboard-interactive | ||
784 | authentication are disabled for root. | ||
785 | |||
786 | If this option is set to forced-commands-only, root login with | ||
787 | public key authentication will be allowed, but only if the | ||
788 | command option has been specified (which may be useful for taking | ||
789 | remote backups even if root login is normally not allowed). All | ||
790 | other authentication methods are disabled for root. | ||
791 | |||
792 | If this option is set to no, root is not allowed to log in. | ||
793 | |||
794 | PermitTTY | ||
795 | Specifies whether pty(4) allocation is permitted. The default is | ||
796 | yes. | ||
797 | |||
798 | PermitTunnel | ||
799 | Specifies whether tun(4) device forwarding is allowed. The | ||
800 | argument must be yes, point-to-point (layer 3), ethernet (layer | ||
801 | 2), or no. Specifying yes permits both point-to-point and | ||
802 | ethernet. The default is no. | ||
803 | |||
804 | Independent of this setting, the permissions of the selected | ||
805 | tun(4) device must allow access to the user. | ||
806 | |||
807 | PermitUserEnvironment | ||
808 | Specifies whether ~/.ssh/environment and environment= options in | ||
809 | ~/.ssh/authorized_keys are processed by sshd(8). Valid options | ||
810 | are yes, no or a pattern-list specifying which environment | ||
811 | variable names to accept (for example "LANG,LC_*"). The default | ||
812 | is no. Enabling environment processing may enable users to | ||
813 | bypass access restrictions in some configurations using | ||
814 | mechanisms such as LD_PRELOAD. | ||
815 | |||
816 | PermitUserRC | ||
817 | Specifies whether any ~/.ssh/rc file is executed. The default is | ||
818 | yes. | ||
819 | |||
820 | PidFile | ||
821 | Specifies the file that contains the process ID of the SSH | ||
822 | daemon, or none to not write one. The default is | ||
823 | /var/run/sshd.pid. | ||
824 | |||
825 | Port Specifies the port number that sshd(8) listens on. The default | ||
826 | is 22. Multiple options of this type are permitted. See also | ||
827 | ListenAddress. | ||
828 | |||
829 | PrintLastLog | ||
830 | Specifies whether sshd(8) should print the date and time of the | ||
831 | last user login when a user logs in interactively. The default | ||
832 | is yes. | ||
833 | |||
834 | PrintMotd | ||
835 | Specifies whether sshd(8) should print /etc/motd when a user logs | ||
836 | in interactively. (On some systems it is also printed by the | ||
837 | shell, /etc/profile, or equivalent.) The default is yes. | ||
838 | |||
839 | PubkeyAcceptedKeyTypes | ||
840 | Specifies the key types that will be accepted for public key | ||
841 | authentication as a list of comma-separated patterns. | ||
842 | Alternately if the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, | ||
843 | then the specified key types will be appended to the default set | ||
844 | instead of replacing them. If the specified list begins with a | ||
845 | M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified key types (including wildcards) | ||
846 | will be removed from the default set instead of replacing them. | ||
847 | If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the | ||
848 | specified key types will be placed at the head of the default | ||
849 | set. The default for this option is: | ||
850 | |||
851 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
852 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
853 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
854 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
855 | ssh-ed25519-cert-v01@openssh.com, | ||
856 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
857 | rsa-sha2-512-cert-v01@openssh.com, | ||
858 | rsa-sha2-256-cert-v01@openssh.com, | ||
859 | ssh-rsa-cert-v01@openssh.com, | ||
860 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
861 | sk-ecdsa-sha2-nistp256@openssh.com, | ||
862 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
863 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
864 | |||
865 | The list of available key types may also be obtained using "ssh | ||
866 | -Q PubkeyAcceptedKeyTypes". | ||
867 | |||
868 | PubkeyAuthOptions | ||
869 | Sets one or more public key authentication options. Two option | ||
870 | keywords are currently supported: none (the default; indicating | ||
871 | no additional options are enabled) and touch-required. | ||
872 | |||
873 | The touch-required option causes public key authentication using | ||
874 | a FIDO authenticator algorithm (i.e. ecdsa-sk or ed25519-sk) to | ||
875 | always require the signature to attest that a physically present | ||
876 | user explicitly confirmed the authentication (usually by touching | ||
877 | the authenticator). By default, sshd(8) requires user presence | ||
878 | unless overridden with an authorized_keys option. The | ||
879 | touch-required flag disables this override. This option has no | ||
880 | effect for other, non-authenticator public key types. | ||
881 | |||
882 | PubkeyAuthentication | ||
883 | Specifies whether public key authentication is allowed. The | ||
884 | default is yes. | ||
885 | |||
886 | RekeyLimit | ||
887 | Specifies the maximum amount of data that may be transmitted | ||
888 | before the session key is renegotiated, optionally followed a | ||
889 | maximum amount of time that may pass before the session key is | ||
890 | renegotiated. The first argument is specified in bytes and may | ||
891 | have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, | ||
892 | Megabytes, or Gigabytes, respectively. The default is between | ||
893 | M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second | ||
894 | value is specified in seconds and may use any of the units | ||
895 | documented in the TIME FORMATS section. The default value for | ||
896 | RekeyLimit is default none, which means that rekeying is | ||
897 | performed after the cipher's default amount of data has been sent | ||
898 | or received and no time based rekeying is done. | ||
899 | |||
900 | RevokedKeys | ||
901 | Specifies revoked public keys file, or none to not use one. Keys | ||
902 | listed in this file will be refused for public key | ||
903 | authentication. Note that if this file is not readable, then | ||
904 | public key authentication will be refused for all users. Keys | ||
905 | may be specified as a text file, listing one public key per line, | ||
906 | or as an OpenSSH Key Revocation List (KRL) as generated by | ||
907 | ssh-keygen(1). For more information on KRLs, see the KEY | ||
908 | REVOCATION LISTS section in ssh-keygen(1). | ||
909 | |||
910 | RDomain | ||
911 | Specifies an explicit routing domain that is applied after | ||
912 | authentication has completed. The user session, as well and any | ||
913 | forwarded or listening IP sockets, will be bound to this | ||
914 | rdomain(4). If the routing domain is set to %D, then the domain | ||
915 | in which the incoming connection was received will be applied. | ||
916 | |||
917 | SecurityKeyProvider | ||
918 | Specifies a path to a library that will be used when loading FIDO | ||
919 | authenticator-hosted keys, overriding the default of using the | ||
920 | built-in USB HID support. | ||
921 | |||
922 | SetEnv Specifies one or more environment variables to set in child | ||
923 | sessions started by sshd(8) as M-bM-^@M-^\NAME=VALUEM-bM-^@M-^]. The environment | ||
924 | value may be quoted (e.g. if it contains whitespace characters). | ||
925 | Environment variables set by SetEnv override the default | ||
926 | environment and any variables specified by the user via AcceptEnv | ||
927 | or PermitUserEnvironment. | ||
928 | |||
929 | StreamLocalBindMask | ||
930 | Sets the octal file creation mode mask (umask) used when creating | ||
931 | a Unix-domain socket file for local or remote port forwarding. | ||
932 | This option is only used for port forwarding to a Unix-domain | ||
933 | socket file. | ||
934 | |||
935 | The default value is 0177, which creates a Unix-domain socket | ||
936 | file that is readable and writable only by the owner. Note that | ||
937 | not all operating systems honor the file mode on Unix-domain | ||
938 | socket files. | ||
939 | |||
940 | StreamLocalBindUnlink | ||
941 | Specifies whether to remove an existing Unix-domain socket file | ||
942 | for local or remote port forwarding before creating a new one. | ||
943 | If the socket file already exists and StreamLocalBindUnlink is | ||
944 | not enabled, sshd will be unable to forward the port to the Unix- | ||
945 | domain socket file. This option is only used for port forwarding | ||
946 | to a Unix-domain socket file. | ||
947 | |||
948 | The argument must be yes or no. The default is no. | ||
949 | |||
950 | StrictModes | ||
951 | Specifies whether sshd(8) should check file modes and ownership | ||
952 | of the user's files and home directory before accepting login. | ||
953 | This is normally desirable because novices sometimes accidentally | ||
954 | leave their directory or files world-writable. The default is | ||
955 | yes. Note that this does not apply to ChrootDirectory, whose | ||
956 | permissions and ownership are checked unconditionally. | ||
957 | |||
958 | Subsystem | ||
959 | Configures an external subsystem (e.g. file transfer daemon). | ||
960 | Arguments should be a subsystem name and a command (with optional | ||
961 | arguments) to execute upon subsystem request. | ||
962 | |||
963 | The command sftp-server implements the SFTP file transfer | ||
964 | subsystem. | ||
965 | |||
966 | Alternately the name internal-sftp implements an in-process SFTP | ||
967 | server. This may simplify configurations using ChrootDirectory | ||
968 | to force a different filesystem root on clients. | ||
969 | |||
970 | By default no subsystems are defined. | ||
971 | |||
972 | SyslogFacility | ||
973 | Gives the facility code that is used when logging messages from | ||
974 | sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, | ||
975 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The | ||
976 | default is AUTH. | ||
977 | |||
978 | TCPKeepAlive | ||
979 | Specifies whether the system should send TCP keepalive messages | ||
980 | to the other side. If they are sent, death of the connection or | ||
981 | crash of one of the machines will be properly noticed. However, | ||
982 | this means that connections will die if the route is down | ||
983 | temporarily, and some people find it annoying. On the other | ||
984 | hand, if TCP keepalives are not sent, sessions may hang | ||
985 | indefinitely on the server, leaving "ghost" users and consuming | ||
986 | server resources. | ||
987 | |||
988 | The default is yes (to send TCP keepalive messages), and the | ||
989 | server will notice if the network goes down or the client host | ||
990 | crashes. This avoids infinitely hanging sessions. | ||
991 | |||
992 | To disable TCP keepalive messages, the value should be set to no. | ||
993 | |||
994 | TrustedUserCAKeys | ||
995 | Specifies a file containing public keys of certificate | ||
996 | authorities that are trusted to sign user certificates for | ||
997 | authentication, or none to not use one. Keys are listed one per | ||
998 | line; empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are allowed. If | ||
999 | a certificate is presented for authentication and has its signing | ||
1000 | CA key listed in this file, then it may be used for | ||
1001 | authentication for any user listed in the certificate's | ||
1002 | principals list. Note that certificates that lack a list of | ||
1003 | principals will not be permitted for authentication using | ||
1004 | TrustedUserCAKeys. For more details on certificates, see the | ||
1005 | CERTIFICATES section in ssh-keygen(1). | ||
1006 | |||
1007 | UseDNS Specifies whether sshd(8) should look up the remote host name, | ||
1008 | and to check that the resolved host name for the remote IP | ||
1009 | address maps back to the very same IP address. | ||
1010 | |||
1011 | If this option is set to no (the default) then only addresses and | ||
1012 | not host names may be used in ~/.ssh/authorized_keys from and | ||
1013 | sshd_config Match Host directives. | ||
1014 | |||
1015 | UsePAM Enables the Pluggable Authentication Module interface. If set to | ||
1016 | yes this will enable PAM authentication using | ||
1017 | ChallengeResponseAuthentication and PasswordAuthentication in | ||
1018 | addition to PAM account and session module processing for all | ||
1019 | authentication types. | ||
1020 | |||
1021 | Because PAM challenge-response authentication usually serves an | ||
1022 | equivalent role to password authentication, you should disable | ||
1023 | either PasswordAuthentication or ChallengeResponseAuthentication. | ||
1024 | |||
1025 | If UsePAM is enabled, you will not be able to run sshd(8) as a | ||
1026 | non-root user. The default is no. | ||
1027 | |||
1028 | VersionAddendum | ||
1029 | Optionally specifies additional text to append to the SSH | ||
1030 | protocol banner sent by the server upon connection. The default | ||
1031 | is none. | ||
1032 | |||
1033 | X11DisplayOffset | ||
1034 | Specifies the first display number available for sshd(8)'s X11 | ||
1035 | forwarding. This prevents sshd from interfering with real X11 | ||
1036 | servers. The default is 10. | ||
1037 | |||
1038 | X11Forwarding | ||
1039 | Specifies whether X11 forwarding is permitted. The argument must | ||
1040 | be yes or no. The default is no. | ||
1041 | |||
1042 | When X11 forwarding is enabled, there may be additional exposure | ||
1043 | to the server and to client displays if the sshd(8) proxy display | ||
1044 | is configured to listen on the wildcard address (see | ||
1045 | X11UseLocalhost), though this is not the default. Additionally, | ||
1046 | the authentication spoofing and authentication data verification | ||
1047 | and substitution occur on the client side. The security risk of | ||
1048 | using X11 forwarding is that the client's X11 display server may | ||
1049 | be exposed to attack when the SSH client requests forwarding (see | ||
1050 | the warnings for ForwardX11 in ssh_config(5)). A system | ||
1051 | administrator may have a stance in which they want to protect | ||
1052 | clients that may expose themselves to attack by unwittingly | ||
1053 | requesting X11 forwarding, which can warrant a no setting. | ||
1054 | |||
1055 | Note that disabling X11 forwarding does not prevent users from | ||
1056 | forwarding X11 traffic, as users can always install their own | ||
1057 | forwarders. | ||
1058 | |||
1059 | X11UseLocalhost | ||
1060 | Specifies whether sshd(8) should bind the X11 forwarding server | ||
1061 | to the loopback address or to the wildcard address. By default, | ||
1062 | sshd binds the forwarding server to the loopback address and sets | ||
1063 | the hostname part of the DISPLAY environment variable to | ||
1064 | localhost. This prevents remote hosts from connecting to the | ||
1065 | proxy display. However, some older X11 clients may not function | ||
1066 | with this configuration. X11UseLocalhost may be set to no to | ||
1067 | specify that the forwarding server should be bound to the | ||
1068 | wildcard address. The argument must be yes or no. The default | ||
1069 | is yes. | ||
1070 | |||
1071 | XAuthLocation | ||
1072 | Specifies the full pathname of the xauth(1) program, or none to | ||
1073 | not use one. The default is /usr/X11R6/bin/xauth. | ||
1074 | |||
1075 | TIME FORMATS | ||
1076 | sshd(8) command-line arguments and configuration file options that | ||
1077 | specify time may be expressed using a sequence of the form: | ||
1078 | time[qualifier], where time is a positive integer value and qualifier is | ||
1079 | one of the following: | ||
1080 | |||
1081 | M-bM-^_M-(noneM-bM-^_M-) seconds | ||
1082 | s | S seconds | ||
1083 | m | M minutes | ||
1084 | h | H hours | ||
1085 | d | D days | ||
1086 | w | W weeks | ||
1087 | |||
1088 | Each member of the sequence is added together to calculate the total time | ||
1089 | value. | ||
1090 | |||
1091 | Time format examples: | ||
1092 | |||
1093 | 600 600 seconds (10 minutes) | ||
1094 | 10m 10 minutes | ||
1095 | 1h30m 1 hour 30 minutes (90 minutes) | ||
1096 | |||
1097 | TOKENS | ||
1098 | Arguments to some keywords can make use of tokens, which are expanded at | ||
1099 | runtime: | ||
1100 | |||
1101 | %% A literal M-bM-^@M-^X%M-bM-^@M-^Y. | ||
1102 | %D The routing domain in which the incoming connection was | ||
1103 | received. | ||
1104 | %F The fingerprint of the CA key. | ||
1105 | %f The fingerprint of the key or certificate. | ||
1106 | %h The home directory of the user. | ||
1107 | %i The key ID in the certificate. | ||
1108 | %K The base64-encoded CA key. | ||
1109 | %k The base64-encoded key or certificate for authentication. | ||
1110 | %s The serial number of the certificate. | ||
1111 | %T The type of the CA key. | ||
1112 | %t The key or certificate type. | ||
1113 | %U The numeric user ID of the target user. | ||
1114 | %u The username. | ||
1115 | |||
1116 | AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, %U, and %u. | ||
1117 | |||
1118 | AuthorizedKeysFile accepts the tokens %%, %h, %U, and %u. | ||
1119 | |||
1120 | AuthorizedPrincipalsCommand accepts the tokens %%, %F, %f, %h, %i, %K, | ||
1121 | %k, %s, %T, %t, %U, and %u. | ||
1122 | |||
1123 | AuthorizedPrincipalsFile accepts the tokens %%, %h, %U, and %u. | ||
1124 | |||
1125 | ChrootDirectory accepts the tokens %%, %h, %U, and %u. | ||
1126 | |||
1127 | RoutingDomain accepts the token %D. | ||
1128 | |||
1129 | FILES | ||
1130 | /etc/ssh/sshd_config | ||
1131 | Contains configuration data for sshd(8). This file should be | ||
1132 | writable by root only, but it is recommended (though not | ||
1133 | necessary) that it be world-readable. | ||
1134 | |||
1135 | SEE ALSO | ||
1136 | sftp-server(8), sshd(8) | ||
1137 | |||
1138 | AUTHORS | ||
1139 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
1140 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
1141 | de Raadt and Dug Song removed many bugs, re-added newer features and | ||
1142 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
1143 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | ||
1144 | for privilege separation. | ||
1145 | |||
1146 | OpenBSD 6.7 April 17, 2020 OpenBSD 6.7 | ||