Diffstat (limited to 'sshd_config.0')
-rw-r--r--  sshd_config.0  477
1 files changed, 238 insertions, 239 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index a4e31be0f..e234efdb4 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -1,445 +1,444 @@
1SSHD_CONFIG(5) System File Formats Manual SSHD_CONFIG(5) 1SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5)
2 2
3NAME 3^[[1mNAME^[[0m
4 sshd_config - OpenSSH SSH daemon configuration file 4 ^[[1msshd_config ^[[22mM-bMM-^R OpenSSH SSH daemon configuration file
5 5
6SYNOPSIS 6^[[1mSYNOPSIS^[[0m
7 /etc/ssh/sshd_config 7 ^[[4m/etc/ssh/sshd_config^[[0m
8 8
9DESCRIPTION 9^[[1mDESCRIPTION^[[0m
10 sshd reads configuration data from /etc/ssh/sshd_config (or the file 10 ^[[1msshd ^[[22mreads configuration data from ^[[4m/etc/ssh/sshd_config^[[24m (or the file
11 specified with -f on the command line). The file contains keyword-arguM-- 11 specified with ^[[1mM-bMM-^Rf ^[[22mon the command line). The file contains keywordM-bM-^@M-^ParguM-bM-^@M-^P
12 ment pairs, one per line. Lines starting with `#' and empty lines are 12 ment pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are
13 interpreted as comments. 13 interpreted as comments.
14 14
15 The possible keywords and their meanings are as follows (note that keyM-- 15 The possible keywords and their meanings are as follows (note that keyM-bM-^@M-^P
16 words are case-insensitive and arguments are case-sensitive): 16 words are caseM-bM-^@M-^Pinsensitive and arguments are caseM-bM-^@M-^Psensitive):
17 17
18 AFSTokenPassing 18 ^[[1mAFSTokenPassing^[[0m
19 Specifies whether an AFS token may be forwarded to the server. 19 Specifies whether an AFS token may be forwarded to the server.
20 Default is ``no''. 20 Default is M-bM-^@M-^\noM-bM-^@M-^].
21 21
22 AllowGroups 22 ^[[1mAllowGroups^[[0m
23 This keyword can be followed by a list of group name patterns, 23 This keyword can be followed by a list of group name patterns,
24 separated by spaces. If specified, login is allowed only for 24 separated by spaces. If specified, login is allowed only for
25 users whose primary group or supplementary group list matches one 25 users whose primary group or supplementary group list matches one
26 of the patterns. `*' and `'? can be used as wildcards in the 26 of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the
27 patterns. Only group names are valid; a numerical group ID is 27 patterns. Only group names are valid; a numerical group ID is
28 not recognized. By default, login is allowed for all groups. 28 not recognized. By default, login is allowed for all groups.
29 29
30 AllowTcpForwarding 30 ^[[1mAllowTcpForwarding^[[0m
31 Specifies whether TCP forwarding is permitted. The default is 31 Specifies whether TCP forwarding is permitted. The default is
32 ``yes''. Note that disabling TCP forwarding does not improve 32 M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling TCP forwarding does not improve secuM-bM-^@M-^P
33 security unless users are also denied shell access, as they can 33 rity unless users are also denied shell access, as they can
34 always install their own forwarders. 34 always install their own forwarders.
35 35
36 AllowUsers 36 ^[[1mAllowUsers^[[0m
37 This keyword can be followed by a list of user name patterns, 37 This keyword can be followed by a list of user name patterns,
38 separated by spaces. If specified, login is allowed only for 38 separated by spaces. If specified, login is allowed only for
39 users names that match one of the patterns. `*' and `'? can be 39 user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be
40 used as wildcards in the patterns. Only user names are valid; a 40 used as wildcards in the patterns. Only user names are valid; a
41 numerical user ID is not recognized. By default, login is 41 numerical user ID is not recognized. By default, login is
42 allowed for all users. If the pattern takes the form USER@HOST 42 allowed for all users. If the pattern takes the form USER@HOST
43 then USER and HOST are separately checked, restricting logins to 43 then USER and HOST are separately checked, restricting logins to
44 particular users from particular hosts. 44 particular users from particular hosts.
45 45
46 AuthorizedKeysFile 46 ^[[1mAuthorizedKeysFile^[[0m
47 Specifies the file that contains the public keys that can be used 47 Specifies the file that contains the public keys that can be used
48 for user authentication. AuthorizedKeysFile may contain tokens 48 for user authentication. ^[[1mAuthorizedKeysFile ^[[22mmay contain tokens
49 of the form %T which are substituted during connection set-up. 49 of the form %T which are substituted during connection setM-bM-^@M-^Pup.
50 The following tokens are defined: %% is replaced by a literal 50 The following tokens are defined: %% is replaced by a literal
51 '%', %h is replaced by the home directory of the user being 51 M-bM-^@M-^Y%M-bM-^@M-^Y, %h is replaced by the home directory of the user being
52 authenticated and %u is replaced by the username of that user. 52 authenticated and %u is replaced by the username of that user.
53 After expansion, AuthorizedKeysFile is taken to be an absolute 53 After expansion, ^[[1mAuthorizedKeysFile ^[[22mis taken to be an absolute
54 path or one relative to the user's home directory. The default 54 path or one relative to the userM-bM-^@M-^Ys home directory. The default
55 is ``.ssh/authorized_keys''. 55 is M-bM-^@M-^\.ssh/authorized_keysM-bM-^@M-^].
56 56
57 Banner In some jurisdictions, sending a warning message before authentiM-- 57 ^[[1mBanner ^[[22mIn some jurisdictions, sending a warning message before authentiM-bM-^@M-^P
58 cation may be relevant for getting legal protection. The conM-- 58 cation may be relevant for getting legal protection. The conM-bM-^@M-^P
59 tents of the specified file are sent to the remote user before 59 tents of the specified file are sent to the remote user before
60 authentication is allowed. This option is only available for 60 authentication is allowed. This option is only available for
61 protocol version 2. By default, no banner is displayed. 61 protocol version 2. By default, no banner is displayed.
62 62
63 ChallengeResponseAuthentication 63 ^[[1mChallengeResponseAuthentication^[[0m
64 Specifies whether challenge response authentication is allowed. 64 Specifies whether challenge response authentication is allowed.
65 All authentication styles from login.conf(5) are supported. The 65 All authentication styles from login.conf(5) are supported. The
66 default is ``yes''. 66 default is M-bM-^@M-^\yesM-bM-^@M-^].
67 67
68 Ciphers 68 ^[[1mCiphers^[[0m
69 Specifies the ciphers allowed for protocol version 2. Multiple 69 Specifies the ciphers allowed for protocol version 2. Multiple
70 ciphers must be comma-separated. The default is 70 ciphers must be commaM-bM-^@M-^Pseparated. The default is
71 71
72 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 72 M-bM-^@M-^XM-bM-^@M-^Xaes128M-bM-^@M-^Pcbc,3desM-bM-^@M-^Pcbc,blowfishM-bM-^@M-^Pcbc,cast128M-bM-^@M-^Pcbc,arcfour,
73 aes192-cbc,aes256-cbc'' 73 aes192M-bM-^@M-^Pcbc,aes256M-bM-^@M-^PcbcM-bM-^@M-^YM-bM-^@M-^Y
74 74
75 ClientAliveInterval 75 ^[[1mClientAliveInterval^[[0m
76 Sets a timeout interval in seconds after which if no data has 76 Sets a timeout interval in seconds after which if no data has
77 been received from the client, sshd will send a message through 77 been received from the client, ^[[1msshd ^[[22mwill send a message through
78 the encrypted channel to request a response from the client. The 78 the encrypted channel to request a response from the client. The
79 default is 0, indicating that these messages will not be sent to 79 default is 0, indicating that these messages will not be sent to
80 the client. This option applies to protocol version 2 only. 80 the client. This option applies to protocol version 2 only.
81 81
82 ClientAliveCountMax 82 ^[[1mClientAliveCountMax^[[0m
83 Sets the number of client alive messages (see above) which may be 83 Sets the number of client alive messages (see above) which may be
84 sent without sshd receiving any messages back from the client. If 84 sent without ^[[1msshd ^[[22mreceiving any messages back from the client. If
85 this threshold is reached while client alive messages are being 85 this threshold is reached while client alive messages are being
86 sent, sshd will disconnect the client, terminating the session. 86 sent, ^[[1msshd ^[[22mwill disconnect the client, terminating the session.
87 It is important to note that the use of client alive messages is 87 It is important to note that the use of client alive messages is
88 very different from KeepAlive (below). The client alive messages 88 very different from ^[[1mKeepAlive ^[[22m(below). The client alive messages
89 are sent through the encrypted channel and therefore will not be 89 are sent through the encrypted channel and therefore will not be
90 spoofable. The TCP keepalive option enabled by KeepAlive is 90 spoofable. The TCP keepalive option enabled by ^[[1mKeepAlive ^[[22mis
91 spoofable. The client alive mechanism is valuable when the client 91 spoofable. The client alive mechanism is valuable when the client
92 or server depend on knowing when a connection has become inacM-- 92 or server depend on knowing when a connection has become inacM-bM-^@M-^P
93 tive. 93 tive.
94 94
95 The default value is 3. If ClientAliveInterval (above) is set to 95 The default value is 3. If ^[[1mClientAliveInterval ^[[22m(above) is set to
96 15, and ClientAliveCountMax is left at the default, unresponsive 96 15, and ^[[1mClientAliveCountMax ^[[22mis left at the default, unresponsive
97 ssh clients will be disconnected after approximately 45 seconds. 97 ssh clients will be disconnected after approximately 45 seconds.
98 98
99 Compression 99 ^[[1mCompression^[[0m
100 Specifies whether compression is allowed. The argument must be 100 Specifies whether compression is allowed. The argument must be
101 ``yes'' or ``no''. The default is ``yes''. 101 M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^].
102 102
103 DenyGroups 103 ^[[1mDenyGroups^[[0m
104 This keyword can be followed by a list of group name patterns, 104 This keyword can be followed by a list of group name patterns,
105 separated by spaces. Login is disallowed for users whose primary 105 separated by spaces. Login is disallowed for users whose primary
106 group or supplementary group list matches one of the patterns. 106 group or supplementary group list matches one of the patterns.
107 `*' and `'? can be used as wildcards in the patterns. Only 107 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only
108 group names are valid; a numerical group ID is not recognized. 108 group names are valid; a numerical group ID is not recognized.
109 By default, login is allowed for all groups. 109 By default, login is allowed for all groups.
110 110
111 DenyUsers 111 ^[[1mDenyUsers^[[0m
112 This keyword can be followed by a list of user name patterns, 112 This keyword can be followed by a list of user name patterns,
113 separated by spaces. Login is disallowed for user names that 113 separated by spaces. Login is disallowed for user names that
114 match one of the patterns. `*' and `'? can be used as wildcards 114 match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards
115 in the patterns. Only user names are valid; a numerical user ID 115 in the patterns. Only user names are valid; a numerical user ID
116 is not recognized. By default, login is allowed for all users. 116 is not recognized. By default, login is allowed for all users.
117 If the pattern takes the form USER@HOST then USER and HOST are 117 If the pattern takes the form USER@HOST then USER and HOST are
118 separately checked, restricting logins to particular users from 118 separately checked, restricting logins to particular users from
119 particular hosts. 119 particular hosts.
120 120
121 GatewayPorts 121 ^[[1mGatewayPorts^[[0m
122 Specifies whether remote hosts are allowed to connect to ports 122 Specifies whether remote hosts are allowed to connect to ports
123 forwarded for the client. By default, sshd binds remote port 123 forwarded for the client. By default, ^[[1msshd ^[[22mbinds remote port
124 forwardings to the loopback address. This prevents other remote 124 forwardings to the loopback address. This prevents other remote
125 hosts from connecting to forwarded ports. GatewayPorts can be 125 hosts from connecting to forwarded ports. ^[[1mGatewayPorts ^[[22mcan be
126 used to specify that sshd should bind remote port forwardings to 126 used to specify that ^[[1msshd ^[[22mshould bind remote port forwardings to
127 the wildcard address, thus allowing remote hosts to connect to 127 the wildcard address, thus allowing remote hosts to connect to
128 forwarded ports. The argument must be ``yes'' or ``no''. The 128 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
129 default is ``no''. 129 default is M-bM-^@M-^\noM-bM-^@M-^].
130 130
131 HostbasedAuthentication 131 ^[[1mHostbasedAuthentication^[[0m
132 Specifies whether rhosts or /etc/hosts.equiv authentication 132 Specifies whether rhosts or /etc/hosts.equiv authentication
133 together with successful public key client host authentication is 133 together with successful public key client host authentication is
134 allowed (hostbased authentication). This option is similar to 134 allowed (hostbased authentication). This option is similar to
135 RhostsRSAAuthentication and applies to protocol version 2 only. 135 ^[[1mRhostsRSAAuthentication ^[[22mand applies to protocol version 2 only.
136 The default is ``no''. 136 The default is M-bM-^@M-^\noM-bM-^@M-^].
137 137
138 HostKey 138 ^[[1mHostKey^[[0m
139 Specifies a file containing a private host key used by SSH. The 139 Specifies a file containing a private host key used by SSH. The
140 default is /etc/ssh/ssh_host_key for protocol version 1, and 140 default is ^[[4m/etc/ssh/ssh_host_key^[[24m for protocol version 1, and
141 /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for proM-- 141 ^[[4m/etc/ssh/ssh_host_rsa_key^[[24m and ^[[4m/etc/ssh/ssh_host_dsa_key^[[24m for proM-bM-^@M-^P
142 tocol version 2. Note that sshd will refuse to use a file if it 142 tocol version 2. Note that ^[[1msshd ^[[22mwill refuse to use a file if it
143 is group/world-accessible. It is possible to have multiple host 143 is group/worldM-bM-^@M-^Paccessible. It is possible to have multiple host
144 key files. ``rsa1'' keys are used for version 1 and ``dsa'' or 144 key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^]
145 ``rsa'' are used for version 2 of the SSH protocol. 145 are used for version 2 of the SSH protocol.
146 146
147 IgnoreRhosts 147 ^[[1mIgnoreRhosts^[[0m
148 Specifies that .rhosts and .shosts files will not be used in 148 Specifies that ^[[4m.rhosts^[[24m and ^[[4m.shosts^[[24m files will not be used in
149 RhostsAuthentication, RhostsRSAAuthentication or 149 ^[[1mRhostsAuthentication^[[22m, ^[[1mRhostsRSAAuthentication ^[[22mor
150 HostbasedAuthentication. 150 ^[[1mHostbasedAuthentication^[[22m.
151 151
152 /etc/hosts.equiv and /etc/shosts.equiv are still used. The 152 ^[[4m/etc/hosts.equiv^[[24m and ^[[4m/etc/shosts.equiv^[[24m are still used. The
153 default is ``yes''. 153 default is M-bM-^@M-^\yesM-bM-^@M-^].
154 154
155 IgnoreUserKnownHosts 155 ^[[1mIgnoreUserKnownHosts^[[0m
156 Specifies whether sshd should ignore the user's 156 Specifies whether ^[[1msshd ^[[22mshould ignore the userM-bM-^@M-^Ys
157 $HOME/.ssh/known_hosts during RhostsRSAAuthentication or 157 ^[[4m$HOME/.ssh/known_hosts^[[24m during ^[[1mRhostsRSAAuthentication ^[[22mor
158 HostbasedAuthentication. The default is ``no''. 158 ^[[1mHostbasedAuthentication^[[22m. The default is M-bM-^@M-^\noM-bM-^@M-^].
159 159
160 KeepAlive 160 ^[[1mKeepAlive^[[0m
161 Specifies whether the system should send TCP keepalive messages 161 Specifies whether the system should send TCP keepalive messages
162 to the other side. If they are sent, death of the connection or 162 to the other side. If they are sent, death of the connection or
163 crash of one of the machines will be properly noticed. However, 163 crash of one of the machines will be properly noticed. However,
164 this means that connections will die if the route is down temM-- 164 this means that connections will die if the route is down temM-bM-^@M-^P
165 porarily, and some people find it annoying. On the other hand, 165 porarily, and some people find it annoying. On the other hand,
166 if keepalives are not sent, sessions may hang indefinitely on the 166 if keepalives are not sent, sessions may hang indefinitely on the
167 server, leaving ``ghost'' users and consuming server resources. 167 server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming server resources.
168 168
169 The default is ``yes'' (to send keepalives), and the server will 169 The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the server will
170 notice if the network goes down or the client host crashes. This 170 notice if the network goes down or the client host crashes. This
171 avoids infinitely hanging sessions. 171 avoids infinitely hanging sessions.
172 172
173 To disable keepalives, the value should be set to ``no''. 173 To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^].
174 174
175 KerberosAuthentication 175 ^[[1mKerberosAuthentication^[[0m
176 Specifies whether Kerberos authentication is allowed. This can 176 Specifies whether Kerberos authentication is allowed. This can
177 be in the form of a Kerberos ticket, or if PasswordAuthentication 177 be in the form of a Kerberos ticket, or if ^[[1mPasswordAuthentication^[[0m
178 is yes, the password provided by the user will be validated 178 is yes, the password provided by the user will be validated
179 through the Kerberos KDC. To use this option, the server needs a 179 through the Kerberos KDC. To use this option, the server needs a
180 Kerberos servtab which allows the verification of the KDC's idenM-- 180 Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys idenM-bM-^@M-^P
181 tity. Default is ``no''. 181 tity. Default is M-bM-^@M-^\noM-bM-^@M-^].
182 182
183 KerberosOrLocalPasswd 183 ^[[1mKerberosOrLocalPasswd^[[0m
184 If set then if password authentication through Kerberos fails 184 If set then if password authentication through Kerberos fails
185 then the password will be validated via any additional local 185 then the password will be validated via any additional local
186 mechanism such as /etc/passwd. Default is ``yes''. 186 mechanism such as ^[[4m/etc/passwd^[[24m. Default is M-bM-^@M-^\yesM-bM-^@M-^].
187 187
188 KerberosTgtPassing 188 ^[[1mKerberosTgtPassing^[[0m
189 Specifies whether a Kerberos TGT may be forwarded to the server. 189 Specifies whether a Kerberos TGT may be forwarded to the server.
190 Default is ``no'', as this only works when the Kerberos KDC is 190 Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is
191 actually an AFS kaserver. 191 actually an AFS kaserver.
192 192
193 KerberosTicketCleanup 193 ^[[1mKerberosTicketCleanup^[[0m
194 Specifies whether to automatically destroy the user's ticket 194 Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket
195 cache file on logout. Default is ``yes''. 195 cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^].
196 196
197 KeyRegenerationInterval 197 ^[[1mKeyRegenerationInterval^[[0m
198 In protocol version 1, the ephemeral server key is automatically 198 In protocol version 1, the ephemeral server key is automatically
199 regenerated after this many seconds (if it has been used). The 199 regenerated after this many seconds (if it has been used). The
200 purpose of regeneration is to prevent decrypting captured sesM-- 200 purpose of regeneration is to prevent decrypting captured sesM-bM-^@M-^P
201 sions by later breaking into the machine and stealing the keys. 201 sions by later breaking into the machine and stealing the keys.
202 The key is never stored anywhere. If the value is 0, the key is 202 The key is never stored anywhere. If the value is 0, the key is
203 never regenerated. The default is 3600 (seconds). 203 never regenerated. The default is 3600 (seconds).
204 204
205 ListenAddress 205 ^[[1mListenAddress^[[0m
206 Specifies the local addresses sshd should listen on. The followM-- 206 Specifies the local addresses ^[[1msshd ^[[22mshould listen on. The followM-bM-^@M-^P
207 ing forms may be used: 207 ing forms may be used:
208 208
209 ListenAddress host|IPv4_addr|IPv6_addr 209 ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m|^[[4mIPv6_addr^[[0m
210 ListenAddress host|IPv4_addr:port 210 ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m:^[[4mport^[[0m
211 ListenAddress [host|IPv6_addr]:port 211 ^[[1mListenAddress ^[[22m[^[[4mhost^[[24m|^[[4mIPv6_addr^[[24m]:^[[4mport^[[0m
212 212
213 If port is not specified, sshd will listen on the address and all 213 If ^[[4mport^[[24m is not specified, ^[[1msshd ^[[22mwill listen on the address and all
214 prior Port options specified. The default is to listen on all 214 prior ^[[1mPort ^[[22moptions specified. The default is to listen on all
215 local addresses. Multiple ListenAddress options are permitted. 215 local addresses. Multiple ^[[1mListenAddress ^[[22moptions are permitted.
216 Additionally, any Port options must precede this option for non 216 Additionally, any ^[[1mPort ^[[22moptions must precede this option for non
217 port qualified addresses. 217 port qualified addresses.
218 218
219 LoginGraceTime 219 ^[[1mLoginGraceTime^[[0m
220 The server disconnects after this time if the user has not sucM-- 220 The server disconnects after this time if the user has not sucM-bM-^@M-^P
221 cessfully logged in. If the value is 0, there is no time limit. 221 cessfully logged in. If the value is 0, there is no time limit.
222 The default is 120 seconds. 222 The default is 120 seconds.
223 223
224 LogLevel 224 ^[[1mLogLevel^[[0m
225 Gives the verbosity level that is used when logging messages from 225 Gives the verbosity level that is used when logging messages from
226 sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-- 226 ^[[1msshd^[[22m. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-bM-^@M-^P
227 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. 227 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
228 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify 228 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
229 higher levels of debugging output. Logging with a DEBUG level 229 higher levels of debugging output. Logging with a DEBUG level
230 violates the privacy of users and is not recommended. 230 violates the privacy of users and is not recommended.
231 231
232 MACs Specifies the available MAC (message authentication code) algoM-- 232 ^[[1mMACs ^[[22mSpecifies the available MAC (message authentication code) algoM-bM-^@M-^P
233 rithms. The MAC algorithm is used in protocol version 2 for data 233 rithms. The MAC algorithm is used in protocol version 2 for data
234 integrity protection. Multiple algorithms must be comma-sepaM-- 234 integrity protection. Multiple algorithms must be commaM-bM-^@M-^PsepaM-bM-^@M-^P
235 rated. The default is 235 rated. The default is
236 ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. 236 M-bM-^@M-^\hmacM-bM-^@M-^Pmd5,hmacM-bM-^@M-^Psha1,hmacM-bM-^@M-^Pripemd160,hmacM-bM-^@M-^Psha1M-bM-^@M-^P96,hmacM-bM-^@M-^Pmd5M-bM-^@M-^P96M-bM-^@M-^].
237 237
238 MaxStartups 238 ^[[1mMaxStartups^[[0m
239 Specifies the maximum number of concurrent unauthenticated conM-- 239 Specifies the maximum number of concurrent unauthenticated conM-bM-^@M-^P
240 nections to the sshd daemon. Additional connections will be 240 nections to the ^[[1msshd ^[[22mdaemon. Additional connections will be
241 dropped until authentication succeeds or the LoginGraceTime 241 dropped until authentication succeeds or the ^[[1mLoginGraceTime^[[0m
242 expires for a connection. The default is 10. 242 expires for a connection. The default is 10.
243 243
244 Alternatively, random early drop can be enabled by specifying the 244 Alternatively, random early drop can be enabled by specifying the
245 three colon separated values ``start:rate:full'' (e.g., 245 three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g.,
246 "10:30:60"). sshd will refuse connection attempts with a probaM-- 246 "10:30:60"). ^[[1msshd ^[[22mwill refuse connection attempts with a probaM-bM-^@M-^P
247 bility of ``rate/100'' (30%) if there are currently ``start'' 247 bility of M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10)
248 (10) unauthenticated connections. The probability increases linM-- 248 unauthenticated connections. The probability increases linearly
249 early and all connection attempts are refused if the number of 249 and all connection attempts are refused if the number of unauM-bM-^@M-^P
250 unauthenticated connections reaches ``full'' (60). 250 thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60).
251 251
252 PAMAuthenticationViaKbdInt 252 ^[[1mPAMAuthenticationViaKbdInt^[[0m
253 Specifies whether PAM challenge response authentication is 253 Specifies whether PAM challenge response authentication is
254 allowed. This allows the use of most PAM challenge response 254 allowed. This allows the use of most PAM challenge response
255 authentication modules, but it will allow password authentication 255 authentication modules, but it will allow password authentication
256 regardless of whether PasswordAuthentication is enabled. 256 regardless of whether ^[[1mPasswordAuthentication ^[[22mis enabled.
257 257
258 PasswordAuthentication 258 ^[[1mPasswordAuthentication^[[0m
259 Specifies whether password authentication is allowed. The 259 Specifies whether password authentication is allowed. The
260 default is ``yes''. 260 default is M-bM-^@M-^\yesM-bM-^@M-^].
261 261
262 PermitEmptyPasswords 262 ^[[1mPermitEmptyPasswords^[[0m
263 When password authentication is allowed, it specifies whether the 263 When password authentication is allowed, it specifies whether the
264 server allows login to accounts with empty password strings. The 264 server allows login to accounts with empty password strings. The
265 default is ``no''. 265 default is M-bM-^@M-^\noM-bM-^@M-^].
266 266
267 PermitRootLogin 267 ^[[1mPermitRootLogin^[[0m
268 Specifies whether root can login using ssh(1). The argument must 268 Specifies whether root can login using ssh(1). The argument must
269 be ``yes'', ``without-password'', ``forced-commands-only'' or 269 be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^], M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].
270 ``no''. The default is ``yes''. 270 The default is M-bM-^@M-^\yesM-bM-^@M-^].
271 271
272 If this option is set to ``without-password'' password authentiM-- 272 If this option is set to M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^] password authenticaM-bM-^@M-^P
273 cation is disabled for root. 273 tion is disabled for root.
274 274
275 If this option is set to ``forced-commands-only'' root login with 275 If this option is set to M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] root login with
276 public key authentication will be allowed, but only if the 276 public key authentication will be allowed, but only if the
277 command option has been specified (which may be useful for taking 277 ^[[4mcommand^[[24m option has been specified (which may be useful for taking
278 remote backups even if root login is normally not allowed). All 278 remote backups even if root login is normally not allowed). All
279 other authentication methods are disabled for root. 279 other authentication methods are disabled for root.
280 280
281 If this option is set to ``no'' root is not allowed to login. 281 If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login.
282 282
283 PermitUserEnvironment 283 ^[[1mPermitUserEnvironment^[[0m
284 Specifies whether ~/.ssh/environment and environment= options in 284 Specifies whether ^[[4m~/.ssh/environment^[[24m and ^[[1menvironment= ^[[22moptions in
285 ~/.ssh/authorized_keys are processed by sshd. The default is 285 ^[[4m~/.ssh/authorized_keys^[[24m are processed by ^[[1msshd^[[22m. The default is
286 ``no''. Enabling environment processing may enable users to 286 M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass
287 bypass access restrictions in some configurations using mechaM-- 287 access restrictions in some configurations using mechanisms such
288 nisms such as LD_PRELOAD. 288 as LD_PRELOAD.
289 289
290 PidFile 290 ^[[1mPidFile^[[0m
291 Specifies the file that contains the process ID of the sshd daeM-- 291 Specifies the file that contains the process ID of the ^[[1msshd ^[[22mdaeM-bM-^@M-^P
292 mon. The default is /var/run/sshd.pid. 292 mon. The default is ^[[4m/var/run/sshd.pid^[[24m.
293 293
294 Port Specifies the port number that sshd listens on. The default is 294 ^[[1mPort ^[[22mSpecifies the port number that ^[[1msshd ^[[22mlistens on. The default is
295 22. Multiple options of this type are permitted. See also 295 22. Multiple options of this type are permitted. See also
296 ListenAddress. 296 ^[[1mListenAddress^[[22m.
297 297
298 PrintLastLog 298 ^[[1mPrintLastLog^[[0m
299 Specifies whether sshd should print the date and time when the 299 Specifies whether ^[[1msshd ^[[22mshould print the date and time when the
300 user last logged in. The default is ``yes''. 300 user last logged in. The default is M-bM-^@M-^\yesM-bM-^@M-^].
301 301
302 PrintMotd 302 ^[[1mPrintMotd^[[0m
303 Specifies whether sshd should print /etc/motd when a user logs in 303 Specifies whether ^[[1msshd ^[[22mshould print ^[[4m/etc/motd^[[24m when a user logs in
304 interactively. (On some systems it is also printed by the shell, 304 interactively. (On some systems it is also printed by the shell,
305 /etc/profile, or equivalent.) The default is ``yes''. 305 ^[[4m/etc/profile^[[24m, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^].
306 306
307 Protocol 307 ^[[1mProtocol^[[0m
308 Specifies the protocol versions sshd supports. The possible valM-- 308 Specifies the protocol versions ^[[1msshd ^[[22msupports. The possible valM-bM-^@M-^P
309 ues are ``1'' and ``2''. Multiple versions must be comma-sepaM-- 309 ues are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple versions must be commaM-bM-^@M-^Pseparated.
310 rated. The default is ``2,1''. Note that the order of the proM-- 310 The default is M-bM-^@M-^\2,1M-bM-^@M-^]. Note that the order of the protocol list
311 tocol list does not indicate preference, because the client 311 does not indicate preference, because the client selects among
312 selects among multiple protocol versions offered by the server. 312 multiple protocol versions offered by the server. Specifying
313 Specifying ``2,1'' is identical to ``1,2''. 313 M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^].
314 314
315 PubkeyAuthentication 315 ^[[1mPubkeyAuthentication^[[0m
316 Specifies whether public key authentication is allowed. The 316 Specifies whether public key authentication is allowed. The
317 default is ``yes''. Note that this option applies to protocol 317 default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol verM-bM-^@M-^P
318 version 2 only. 318 sion 2 only.
319 319
320 RhostsAuthentication 320 ^[[1mRhostsAuthentication^[[0m
321 Specifies whether authentication using rhosts or /etc/hosts.equiv 321 Specifies whether authentication using rhosts or /etc/hosts.equiv
322 files is sufficient. Normally, this method should not be permitM-- 322 files is sufficient. Normally, this method should not be permitM-bM-^@M-^P
323 ted because it is insecure. RhostsRSAAuthentication should be 323 ted because it is insecure. ^[[1mRhostsRSAAuthentication ^[[22mshould be
324 used instead, because it performs RSA-based host authentication 324 used instead, because it performs RSAM-bM-^@M-^Pbased host authentication
325 in addition to normal rhosts or /etc/hosts.equiv authentication. 325 in addition to normal rhosts or /etc/hosts.equiv authentication.
326 The default is ``no''. This option applies to protocol version 1 326 The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1
327 only. 327 only.
328 328
329 RhostsRSAAuthentication 329 ^[[1mRhostsRSAAuthentication^[[0m
330 Specifies whether rhosts or /etc/hosts.equiv authentication 330 Specifies whether rhosts or /etc/hosts.equiv authentication
331 together with successful RSA host authentication is allowed. The 331 together with successful RSA host authentication is allowed. The
332 default is ``no''. This option applies to protocol version 1 332 default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only.
333 only.
334 333
335 RSAAuthentication 334 ^[[1mRSAAuthentication^[[0m
336 Specifies whether pure RSA authentication is allowed. The 335 Specifies whether pure RSA authentication is allowed. The
337 default is ``yes''. This option applies to protocol version 1 336 default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1
338 only. 337 only.
339 338
340 ServerKeyBits 339 ^[[1mServerKeyBits^[[0m
341 Defines the number of bits in the ephemeral protocol version 1 340 Defines the number of bits in the ephemeral protocol version 1
342 server key. The minimum value is 512, and the default is 768. 341 server key. The minimum value is 512, and the default is 768.
343 342
344 StrictModes 343 ^[[1mStrictModes^[[0m
345 Specifies whether sshd should check file modes and ownership of 344 Specifies whether ^[[1msshd ^[[22mshould check file modes and ownership of
346 the user's files and home directory before accepting login. This 345 the userM-bM-^@M-^Ys files and home directory before accepting login. This
347 is normally desirable because novices sometimes accidentally 346 is normally desirable because novices sometimes accidentally
348 leave their directory or files world-writable. The default is 347 leave their directory or files worldM-bM-^@M-^Pwritable. The default is
349 ``yes''. 348 M-bM-^@M-^\yesM-bM-^@M-^].
350 349
351 Subsystem 350 ^[[1mSubsystem^[[0m
352 Configures an external subsystem (e.g., file transfer daemon). 351 Configures an external subsystem (e.g., file transfer daemon).
353 Arguments should be a subsystem name and a command to execute 352 Arguments should be a subsystem name and a command to execute
354 upon subsystem request. The command sftp-server(8) implements 353 upon subsystem request. The command sftpM-bM-^@M-^Pserver(8) implements
355 the ``sftp'' file transfer subsystem. By default no subsystems 354 the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer subsystem. By default no subsystems are
356 are defined. Note that this option applies to protocol version 2 355 defined. Note that this option applies to protocol version 2
357 only. 356 only.
358 357
359 SyslogFacility 358 ^[[1mSyslogFacility^[[0m
360 Gives the facility code that is used when logging messages from 359 Gives the facility code that is used when logging messages from
361 sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, 360 ^[[1msshd^[[22m. The possible values are: DAEMON, USER, AUTH, LOCAL0,
362 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The 361 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
363 default is AUTH. 362 default is AUTH.
364 363
365 UseLogin 364 ^[[1mUseLogin^[[0m
366 Specifies whether login(1) is used for interactive login sesM-- 365 Specifies whether login(1) is used for interactive login sesM-bM-^@M-^P
367 sions. The default is ``no''. Note that login(1) is never used 366 sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used
368 for remote command execution. Note also, that if this is 367 for remote command execution. Note also, that if this is
369 enabled, X11Forwarding will be disabled because login(1) does not 368 enabled, ^[[1mX11Forwarding ^[[22mwill be disabled because login(1) does not
370 know how to handle xauth(1) cookies. If UsePrivilegeSeparation 369 know how to handle xauth(1) cookies. If ^[[1mUsePrivilegeSeparation^[[0m
371 is specified, it will be disabled after authentication. 370 is specified, it will be disabled after authentication.
372 371
373 UsePrivilegeSeparation 372 ^[[1mUsePrivilegeSeparation^[[0m
374 Specifies whether sshd separates privileges by creating an 373 Specifies whether ^[[1msshd ^[[22mseparates privileges by creating an
375 unprivileged child process to deal with incoming network traffic. 374 unprivileged child process to deal with incoming network traffic.
376 After successful authentication, another process will be created 375 After successful authentication, another process will be created
377 that has the privilege of the authenticated user. The goal of 376 that has the privilege of the authenticated user. The goal of
378 privilege separation is to prevent privilege escalation by conM-- 377 privilege separation is to prevent privilege escalation by conM-bM-^@M-^P
379 taining any corruption within the unprivileged processes. The 378 taining any corruption within the unprivileged processes. The
380 default is ``yes''. 379 default is M-bM-^@M-^\yesM-bM-^@M-^].
381 380
382 VerifyReverseMapping 381 ^[[1mVerifyReverseMapping^[[0m
383 Specifies whether sshd should try to verify the remote host name 382 Specifies whether ^[[1msshd ^[[22mshould try to verify the remote host name
384 and check that the resolved host name for the remote IP address 383 and check that the resolved host name for the remote IP address
385 maps back to the very same IP address. The default is ``no''. 384 maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^].
386 385
387 X11DisplayOffset 386 ^[[1mX11DisplayOffset^[[0m
388 Specifies the first display number available for sshd's X11 forM-- 387 Specifies the first display number available for ^[[1msshd^[[22mM-bM-^@M-^Ys X11 forM-bM-^@M-^P
389 warding. This prevents sshd from interfering with real X11 388 warding. This prevents ^[[1msshd ^[[22mfrom interfering with real X11
390 servers. The default is 10. 389 servers. The default is 10.
391 390
392 X11Forwarding 391 ^[[1mX11Forwarding^[[0m
393 Specifies whether X11 forwarding is permitted. The argument must 392 Specifies whether X11 forwarding is permitted. The argument must
394 be ``yes'' or ``no''. The default is ``no''. 393 be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
395 394
396 When X11 forwarding is enabled, there may be additional exposure 395 When X11 forwarding is enabled, there may be additional exposure
397 to the server and to client displays if the sshd proxy display is 396 to the server and to client displays if the ^[[1msshd ^[[22mproxy display is
398 configured to listen on the wildcard address (see X11UseLocalhost 397 configured to listen on the wildcard address (see ^[[1mX11UseLocalhost^[[0m
399 below), however this is not the default. Additionally, the 398 below), however this is not the default. Additionally, the
400 authentication spoofing and authentication data verification and 399 authentication spoofing and authentication data verification and
401 substitution occur on the client side. The security risk of 400 substitution occur on the client side. The security risk of
402 using X11 forwarding is that the client's X11 display server may 401 using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may
403 be exposed to attack when the ssh client requests forwarding (see 402 be exposed to attack when the ssh client requests forwarding (see
404 the warnings for ForwardX11 in ssh_config(5) ). A system adminisM-- 403 the warnings for ^[[1mForwardX11 ^[[22min ssh_config(5) ). A system adminisM-bM-^@M-^P
405 trator may have a stance in which they want to protect clients 404 trator may have a stance in which they want to protect clients
406 that may expose themselves to attack by unwittingly requesting 405 that may expose themselves to attack by unwittingly requesting
407 X11 forwarding, which can warrant a ``no'' setting. 406 X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting.
408 407
409 Note that disabling X11 forwarding does not prevent users from 408 Note that disabling X11 forwarding does not prevent users from
410 forwarding X11 traffic, as users can always install their own 409 forwarding X11 traffic, as users can always install their own
411 forwarders. X11 forwarding is automatically disabled if UseLogin 410 forwarders. X11 forwarding is automatically disabled if ^[[1mUseLogin^[[0m
412 is enabled. 411 is enabled.
413 412
414 X11UseLocalhost 413 ^[[1mX11UseLocalhost^[[0m
415 Specifies whether sshd should bind the X11 forwarding server to 414 Specifies whether ^[[1msshd ^[[22mshould bind the X11 forwarding server to
416 the loopback address or to the wildcard address. By default, 415 the loopback address or to the wildcard address. By default,
417 sshd binds the forwarding server to the loopback address and sets 416 ^[[1msshd ^[[22mbinds the forwarding server to the loopback address and sets
418 the hostname part of the DISPLAY environment variable to 417 the hostname part of the DISPLAY environment variable to
419 ``localhost''. This prevents remote hosts from connecting to the 418 M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the
420 proxy display. However, some older X11 clients may not function 419 proxy display. However, some older X11 clients may not function
421 with this configuration. X11UseLocalhost may be set to ``no'' to 420 with this configuration. ^[[1mX11UseLocalhost ^[[22mmay be set to M-bM-^@M-^\noM-bM-^@M-^] to
422 specify that the forwarding server should be bound to the wildM-- 421 specify that the forwarding server should be bound to the wildM-bM-^@M-^P
423 card address. The argument must be ``yes'' or ``no''. The 422 card address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default
424 default is ``yes''. 423 is M-bM-^@M-^\yesM-bM-^@M-^].
425 424
426 XAuthLocation 425 ^[[1mXAuthLocation^[[0m
427 Specifies the full pathname of the xauth(1) program. The default 426 Specifies the full pathname of the xauth(1) program. The default
428 is /usr/X11R6/bin/xauth. 427 is ^[[4m/usr/X11R6/bin/xauth^[[24m.
429 428
430 Time Formats 429 ^[[1mTime Formats^[[0m
431 430
432 sshd command-line arguments and configuration file options that specify 431 ^[[1msshd ^[[22mcommandM-bM-^@M-^Pline arguments and configuration file options that specify
433 time may be expressed using a sequence of the form: time[qualifier], 432 time may be expressed using a sequence of the form: ^[[4mtime^[[24m[^[[4mqualifier^[[24m],
434 where time is a positive integer value and qualifier is one of the folM-- 433 where ^[[4mtime^[[24m is a positive integer value and ^[[4mqualifier^[[24m is one of the folM-bM-^@M-^P
435 lowing: 434 lowing:
436 435
437 <none> seconds 436 ^[[1m<none> ^[[22mseconds
438 s | S seconds 437 ^[[1ms ^[[22m| ^[[1mS ^[[22mseconds
439 m | M minutes 438 ^[[1mm ^[[22m| ^[[1mM ^[[22mminutes
440 h | H hours 439 ^[[1mh ^[[22m| ^[[1mH ^[[22mhours
441 d | D days 440 ^[[1md ^[[22m| ^[[1mD ^[[22mdays
442 w | W weeks 441 ^[[1mw ^[[22m| ^[[1mW ^[[22mweeks
443 442
444 Each member of the sequence is added together to calculate the total time 443 Each member of the sequence is added together to calculate the total time
445 value. 444 value.
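Review bot: the regenerated right-hand side of this hunk embeds terminal escape sequences (`^[[1m`, `^[[22m`, `^[[4m`, `^[[24m`, `^[[0m`) and multi-byte UTF-8 punctuation where the left-hand side had plain 7-bit ASCII: `commaM-bM-^@M-^Pseparated` and `worldM-bM-^@M-^Pwritable` (bytes E2 80 90, a Unicode hyphen) replace `comma-separated` and `world-writable`, and `M-bM-^@M-^\yesM-bM-^@M-^]` (E2 80 9C / E2 80 9D curly quotes) replaces ``yes''. A preformatted `.0` page exists so it can be read with `cat`/`more` on systems without a formatter, so it should stay ASCII with no escape codes; as shipped here `grep comma-separated sshd_config.0` and `grep 'X11Forwarding will' sshd_config.0` no longer match because of the bytes inserted mid-word. Regenerate with the formatter's ASCII output device and SGR escapes disabled (for groff, `-Tascii` with `-P-c` or `GROFF_NO_SGR=1`) and strip overstrikes with `col -bx`, then re-diff: the only remaining changes should be the rewrapped lines, such as the Protocol paragraph moving `The default is "2,1".` to its own line and the RhostsRSAAuthentication paragraph merging `only.` onto the previous line, which are harmless.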
@@ -450,21 +449,21 @@ DESCRIPTION
450 10m 10 minutes 449 10m 10 minutes
451 1h30m 1 hour 30 minutes (90 minutes) 450 1h30m 1 hour 30 minutes (90 minutes)
452 451
453FILES 452^[[1mFILES^[[0m
454 /etc/ssh/sshd_config 453 /etc/ssh/sshd_config
455 Contains configuration data for sshd. This file should be 454 Contains configuration data for ^[[1msshd^[[22m. This file should be
456 writable by root only, but it is recommended (though not necesM-- 455 writable by root only, but it is recommended (though not necesM-bM-^@M-^P
457 sary) that it be world-readable. 456 sary) that it be worldM-bM-^@M-^Preadable.
458 457
459AUTHORS 458^[[1mAUTHORS^[[0m
460 OpenSSH is a derivative of the original and free ssh 1.2.12 release by 459 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
461 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo 460 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
462 de Raadt and Dug Song removed many bugs, re-added newer features and creM-- 461 de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P
463 ated OpenSSH. Markus Friedl contributed the support for SSH protocol 462 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
464 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 463 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
465 for privilege separation. 464 for privilege separation.
466 465
467SEE ALSO 466^[[1mSEE ALSO^[[0m
468 sshd(8) 467 sshd(8)
469 468
470BSD September 25, 1999 BSD 469BSD September 25, 1999 BSD
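Review bot: the footer on both sides still reads `BSD September 25, 1999 BSD` while the body documents `UsePrivilegeSeparation`, `VerifyReverseMapping` and `X11UseLocalhost`, which suggests the source page's `.Dd` was not bumped when those options were added; if this output is regenerated and committed, update the date in the source first so the `.0` matches its content. The `FILES`, `AUTHORS` and `SEE ALSO` headers in this hunk carry the same `^[[1m...^[[0m` escape codes, and `worldM-bM-^@M-^Preadable` / `reM-bM-^@M-^Padded` the same non-ASCII hyphens, as the first hunk, so the same ASCII regeneration applies here.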