diff options
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 477 |
1 files changed, 238 insertions, 239 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index a4e31be0f..e234efdb4 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -1,445 +1,444 @@ | |||
1 | SSHD_CONFIG(5) System File Formats Manual SSHD_CONFIG(5) | 1 | SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) |
2 | 2 | ||
3 | NAME | 3 | ^[[1mNAME^[[0m |
4 | sshd_config - OpenSSH SSH daemon configuration file | 4 | ^[[1msshd_config ^[[22mM-bMM-^R OpenSSH SSH daemon configuration file |
5 | 5 | ||
6 | SYNOPSIS | 6 | ^[[1mSYNOPSIS^[[0m |
7 | /etc/ssh/sshd_config | 7 | ^[[4m/etc/ssh/sshd_config^[[0m |
8 | 8 | ||
9 | DESCRIPTION | 9 | ^[[1mDESCRIPTION^[[0m |
10 | sshd reads configuration data from /etc/ssh/sshd_config (or the file | 10 | ^[[1msshd ^[[22mreads configuration data from ^[[4m/etc/ssh/sshd_config^[[24m (or the file |
11 | specified with -f on the command line). The file contains keyword-arguM-- | 11 | specified with ^[[1mM-bMM-^Rf ^[[22mon the command line). The file contains keywordM-bM-^@M-^ParguM-bM-^@M-^P |
12 | ment pairs, one per line. Lines starting with `#' and empty lines are | 12 | ment pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are |
13 | interpreted as comments. | 13 | interpreted as comments. |
14 | 14 | ||
15 | The possible keywords and their meanings are as follows (note that keyM-- | 15 | The possible keywords and their meanings are as follows (note that keyM-bM-^@M-^P |
16 | words are case-insensitive and arguments are case-sensitive): | 16 | words are caseM-bM-^@M-^Pinsensitive and arguments are caseM-bM-^@M-^Psensitive): |
17 | 17 | ||
18 | AFSTokenPassing | 18 | ^[[1mAFSTokenPassing^[[0m |
19 | Specifies whether an AFS token may be forwarded to the server. | 19 | Specifies whether an AFS token may be forwarded to the server. |
20 | Default is ``no''. | 20 | Default is M-bM-^@M-^\noM-bM-^@M-^]. |
21 | 21 | ||
22 | AllowGroups | 22 | ^[[1mAllowGroups^[[0m |
23 | This keyword can be followed by a list of group name patterns, | 23 | This keyword can be followed by a list of group name patterns, |
24 | separated by spaces. If specified, login is allowed only for | 24 | separated by spaces. If specified, login is allowed only for |
25 | users whose primary group or supplementary group list matches one | 25 | users whose primary group or supplementary group list matches one |
26 | of the patterns. `*' and `'? can be used as wildcards in the | 26 | of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the |
27 | patterns. Only group names are valid; a numerical group ID is | 27 | patterns. Only group names are valid; a numerical group ID is |
28 | not recognized. By default, login is allowed for all groups. | 28 | not recognized. By default, login is allowed for all groups. |
29 | 29 | ||
30 | AllowTcpForwarding | 30 | ^[[1mAllowTcpForwarding^[[0m |
31 | Specifies whether TCP forwarding is permitted. The default is | 31 | Specifies whether TCP forwarding is permitted. The default is |
32 | ``yes''. Note that disabling TCP forwarding does not improve | 32 | M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling TCP forwarding does not improve secuM-bM-^@M-^P |
33 | security unless users are also denied shell access, as they can | 33 | rity unless users are also denied shell access, as they can |
34 | always install their own forwarders. | 34 | always install their own forwarders. |
35 | 35 | ||
36 | AllowUsers | 36 | ^[[1mAllowUsers^[[0m |
37 | This keyword can be followed by a list of user name patterns, | 37 | This keyword can be followed by a list of user name patterns, |
38 | separated by spaces. If specified, login is allowed only for | 38 | separated by spaces. If specified, login is allowed only for |
39 | users names that match one of the patterns. `*' and `'? can be | 39 | user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be |
40 | used as wildcards in the patterns. Only user names are valid; a | 40 | used as wildcards in the patterns. Only user names are valid; a |
41 | numerical user ID is not recognized. By default, login is | 41 | numerical user ID is not recognized. By default, login is |
42 | allowed for all users. If the pattern takes the form USER@HOST | 42 | allowed for all users. If the pattern takes the form USER@HOST |
43 | then USER and HOST are separately checked, restricting logins to | 43 | then USER and HOST are separately checked, restricting logins to |
44 | particular users from particular hosts. | 44 | particular users from particular hosts. |
45 | 45 | ||
46 | AuthorizedKeysFile | 46 | ^[[1mAuthorizedKeysFile^[[0m |
47 | Specifies the file that contains the public keys that can be used | 47 | Specifies the file that contains the public keys that can be used |
48 | for user authentication. AuthorizedKeysFile may contain tokens | 48 | for user authentication. ^[[1mAuthorizedKeysFile ^[[22mmay contain tokens |
49 | of the form %T which are substituted during connection set-up. | 49 | of the form %T which are substituted during connection setM-bM-^@M-^Pup. |
50 | The following tokens are defined: %% is replaced by a literal | 50 | The following tokens are defined: %% is replaced by a literal |
51 | '%', %h is replaced by the home directory of the user being | 51 | M-bM-^@M-^Y%M-bM-^@M-^Y, %h is replaced by the home directory of the user being |
52 | authenticated and %u is replaced by the username of that user. | 52 | authenticated and %u is replaced by the username of that user. |
53 | After expansion, AuthorizedKeysFile is taken to be an absolute | 53 | After expansion, ^[[1mAuthorizedKeysFile ^[[22mis taken to be an absolute |
54 | path or one relative to the user's home directory. The default | 54 | path or one relative to the userM-bM-^@M-^Ys home directory. The default |
55 | is ``.ssh/authorized_keys''. | 55 | is M-bM-^@M-^\.ssh/authorized_keysM-bM-^@M-^]. |
56 | 56 | ||
57 | Banner In some jurisdictions, sending a warning message before authentiM-- | 57 | ^[[1mBanner ^[[22mIn some jurisdictions, sending a warning message before authentiM-bM-^@M-^P |
58 | cation may be relevant for getting legal protection. The conM-- | 58 | cation may be relevant for getting legal protection. The conM-bM-^@M-^P |
59 | tents of the specified file are sent to the remote user before | 59 | tents of the specified file are sent to the remote user before |
60 | authentication is allowed. This option is only available for | 60 | authentication is allowed. This option is only available for |
61 | protocol version 2. By default, no banner is displayed. | 61 | protocol version 2. By default, no banner is displayed. |
62 | 62 | ||
63 | ChallengeResponseAuthentication | 63 | ^[[1mChallengeResponseAuthentication^[[0m |
64 | Specifies whether challenge response authentication is allowed. | 64 | Specifies whether challenge response authentication is allowed. |
65 | All authentication styles from login.conf(5) are supported. The | 65 | All authentication styles from login.conf(5) are supported. The |
66 | default is ``yes''. | 66 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
67 | 67 | ||
68 | Ciphers | 68 | ^[[1mCiphers^[[0m |
69 | Specifies the ciphers allowed for protocol version 2. Multiple | 69 | Specifies the ciphers allowed for protocol version 2. Multiple |
70 | ciphers must be comma-separated. The default is | 70 | ciphers must be commaM-bM-^@M-^Pseparated. The default is |
71 | 71 | ||
72 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 72 | M-bM-^@M-^XM-bM-^@M-^Xaes128M-bM-^@M-^Pcbc,3desM-bM-^@M-^Pcbc,blowfishM-bM-^@M-^Pcbc,cast128M-bM-^@M-^Pcbc,arcfour, |
73 | aes192-cbc,aes256-cbc'' | 73 | aes192M-bM-^@M-^Pcbc,aes256M-bM-^@M-^PcbcM-bM-^@M-^YM-bM-^@M-^Y |
74 | 74 | ||
75 | ClientAliveInterval | 75 | ^[[1mClientAliveInterval^[[0m |
76 | Sets a timeout interval in seconds after which if no data has | 76 | Sets a timeout interval in seconds after which if no data has |
77 | been received from the client, sshd will send a message through | 77 | been received from the client, ^[[1msshd ^[[22mwill send a message through |
78 | the encrypted channel to request a response from the client. The | 78 | the encrypted channel to request a response from the client. The |
79 | default is 0, indicating that these messages will not be sent to | 79 | default is 0, indicating that these messages will not be sent to |
80 | the client. This option applies to protocol version 2 only. | 80 | the client. This option applies to protocol version 2 only. |
81 | 81 | ||
82 | ClientAliveCountMax | 82 | ^[[1mClientAliveCountMax^[[0m |
83 | Sets the number of client alive messages (see above) which may be | 83 | Sets the number of client alive messages (see above) which may be |
84 | sent without sshd receiving any messages back from the client. If | 84 | sent without ^[[1msshd ^[[22mreceiving any messages back from the client. If |
85 | this threshold is reached while client alive messages are being | 85 | this threshold is reached while client alive messages are being |
86 | sent, sshd will disconnect the client, terminating the session. | 86 | sent, ^[[1msshd ^[[22mwill disconnect the client, terminating the session. |
87 | It is important to note that the use of client alive messages is | 87 | It is important to note that the use of client alive messages is |
88 | very different from KeepAlive (below). The client alive messages | 88 | very different from ^[[1mKeepAlive ^[[22m(below). The client alive messages |
89 | are sent through the encrypted channel and therefore will not be | 89 | are sent through the encrypted channel and therefore will not be |
90 | spoofable. The TCP keepalive option enabled by KeepAlive is | 90 | spoofable. The TCP keepalive option enabled by ^[[1mKeepAlive ^[[22mis |
91 | spoofable. The client alive mechanism is valuable when the client | 91 | spoofable. The client alive mechanism is valuable when the client |
92 | or server depend on knowing when a connection has become inacM-- | 92 | or server depend on knowing when a connection has become inacM-bM-^@M-^P |
93 | tive. | 93 | tive. |
94 | 94 | ||
95 | The default value is 3. If ClientAliveInterval (above) is set to | 95 | The default value is 3. If ^[[1mClientAliveInterval ^[[22m(above) is set to |
96 | 15, and ClientAliveCountMax is left at the default, unresponsive | 96 | 15, and ^[[1mClientAliveCountMax ^[[22mis left at the default, unresponsive |
97 | ssh clients will be disconnected after approximately 45 seconds. | 97 | ssh clients will be disconnected after approximately 45 seconds. |
98 | 98 | ||
99 | Compression | 99 | ^[[1mCompression^[[0m |
100 | Specifies whether compression is allowed. The argument must be | 100 | Specifies whether compression is allowed. The argument must be |
101 | ``yes'' or ``no''. The default is ``yes''. | 101 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
102 | 102 | ||
103 | DenyGroups | 103 | ^[[1mDenyGroups^[[0m |
104 | This keyword can be followed by a list of group name patterns, | 104 | This keyword can be followed by a list of group name patterns, |
105 | separated by spaces. Login is disallowed for users whose primary | 105 | separated by spaces. Login is disallowed for users whose primary |
106 | group or supplementary group list matches one of the patterns. | 106 | group or supplementary group list matches one of the patterns. |
107 | `*' and `'? can be used as wildcards in the patterns. Only | 107 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only |
108 | group names are valid; a numerical group ID is not recognized. | 108 | group names are valid; a numerical group ID is not recognized. |
109 | By default, login is allowed for all groups. | 109 | By default, login is allowed for all groups. |
110 | 110 | ||
111 | DenyUsers | 111 | ^[[1mDenyUsers^[[0m |
112 | This keyword can be followed by a list of user name patterns, | 112 | This keyword can be followed by a list of user name patterns, |
113 | separated by spaces. Login is disallowed for user names that | 113 | separated by spaces. Login is disallowed for user names that |
114 | match one of the patterns. `*' and `'? can be used as wildcards | 114 | match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards |
115 | in the patterns. Only user names are valid; a numerical user ID | 115 | in the patterns. Only user names are valid; a numerical user ID |
116 | is not recognized. By default, login is allowed for all users. | 116 | is not recognized. By default, login is allowed for all users. |
117 | If the pattern takes the form USER@HOST then USER and HOST are | 117 | If the pattern takes the form USER@HOST then USER and HOST are |
118 | separately checked, restricting logins to particular users from | 118 | separately checked, restricting logins to particular users from |
119 | particular hosts. | 119 | particular hosts. |
120 | 120 | ||
121 | GatewayPorts | 121 | ^[[1mGatewayPorts^[[0m |
122 | Specifies whether remote hosts are allowed to connect to ports | 122 | Specifies whether remote hosts are allowed to connect to ports |
123 | forwarded for the client. By default, sshd binds remote port | 123 | forwarded for the client. By default, ^[[1msshd ^[[22mbinds remote port |
124 | forwardings to the loopback address. This prevents other remote | 124 | forwardings to the loopback address. This prevents other remote |
125 | hosts from connecting to forwarded ports. GatewayPorts can be | 125 | hosts from connecting to forwarded ports. ^[[1mGatewayPorts ^[[22mcan be |
126 | used to specify that sshd should bind remote port forwardings to | 126 | used to specify that ^[[1msshd ^[[22mshould bind remote port forwardings to |
127 | the wildcard address, thus allowing remote hosts to connect to | 127 | the wildcard address, thus allowing remote hosts to connect to |
128 | forwarded ports. The argument must be ``yes'' or ``no''. The | 128 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
129 | default is ``no''. | 129 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
130 | 130 | ||
131 | HostbasedAuthentication | 131 | ^[[1mHostbasedAuthentication^[[0m |
132 | Specifies whether rhosts or /etc/hosts.equiv authentication | 132 | Specifies whether rhosts or /etc/hosts.equiv authentication |
133 | together with successful public key client host authentication is | 133 | together with successful public key client host authentication is |
134 | allowed (hostbased authentication). This option is similar to | 134 | allowed (hostbased authentication). This option is similar to |
135 | RhostsRSAAuthentication and applies to protocol version 2 only. | 135 | ^[[1mRhostsRSAAuthentication ^[[22mand applies to protocol version 2 only. |
136 | The default is ``no''. | 136 | The default is M-bM-^@M-^\noM-bM-^@M-^]. |
137 | 137 | ||
138 | HostKey | 138 | ^[[1mHostKey^[[0m |
139 | Specifies a file containing a private host key used by SSH. The | 139 | Specifies a file containing a private host key used by SSH. The |
140 | default is /etc/ssh/ssh_host_key for protocol version 1, and | 140 | default is ^[[4m/etc/ssh/ssh_host_key^[[24m for protocol version 1, and |
141 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for proM-- | 141 | ^[[4m/etc/ssh/ssh_host_rsa_key^[[24m and ^[[4m/etc/ssh/ssh_host_dsa_key^[[24m for proM-bM-^@M-^P |
142 | tocol version 2. Note that sshd will refuse to use a file if it | 142 | tocol version 2. Note that ^[[1msshd ^[[22mwill refuse to use a file if it |
143 | is group/world-accessible. It is possible to have multiple host | 143 | is group/worldM-bM-^@M-^Paccessible. It is possible to have multiple host |
144 | key files. ``rsa1'' keys are used for version 1 and ``dsa'' or | 144 | key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] |
145 | ``rsa'' are used for version 2 of the SSH protocol. | 145 | are used for version 2 of the SSH protocol. |
146 | 146 | ||
147 | IgnoreRhosts | 147 | ^[[1mIgnoreRhosts^[[0m |
148 | Specifies that .rhosts and .shosts files will not be used in | 148 | Specifies that ^[[4m.rhosts^[[24m and ^[[4m.shosts^[[24m files will not be used in |
149 | RhostsAuthentication, RhostsRSAAuthentication or | 149 | ^[[1mRhostsAuthentication^[[22m, ^[[1mRhostsRSAAuthentication ^[[22mor |
150 | HostbasedAuthentication. | 150 | ^[[1mHostbasedAuthentication^[[22m. |
151 | 151 | ||
152 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The | 152 | ^[[4m/etc/hosts.equiv^[[24m and ^[[4m/etc/shosts.equiv^[[24m are still used. The |
153 | default is ``yes''. | 153 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
154 | 154 | ||
155 | IgnoreUserKnownHosts | 155 | ^[[1mIgnoreUserKnownHosts^[[0m |
156 | Specifies whether sshd should ignore the user's | 156 | Specifies whether ^[[1msshd ^[[22mshould ignore the userM-bM-^@M-^Ys |
157 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or | 157 | ^[[4m$HOME/.ssh/known_hosts^[[24m during ^[[1mRhostsRSAAuthentication ^[[22mor |
158 | HostbasedAuthentication. The default is ``no''. | 158 | ^[[1mHostbasedAuthentication^[[22m. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
159 | 159 | ||
160 | KeepAlive | 160 | ^[[1mKeepAlive^[[0m |
161 | Specifies whether the system should send TCP keepalive messages | 161 | Specifies whether the system should send TCP keepalive messages |
162 | to the other side. If they are sent, death of the connection or | 162 | to the other side. If they are sent, death of the connection or |
163 | crash of one of the machines will be properly noticed. However, | 163 | crash of one of the machines will be properly noticed. However, |
164 | this means that connections will die if the route is down temM-- | 164 | this means that connections will die if the route is down temM-bM-^@M-^P |
165 | porarily, and some people find it annoying. On the other hand, | 165 | porarily, and some people find it annoying. On the other hand, |
166 | if keepalives are not sent, sessions may hang indefinitely on the | 166 | if keepalives are not sent, sessions may hang indefinitely on the |
167 | server, leaving ``ghost'' users and consuming server resources. | 167 | server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming server resources. |
168 | 168 | ||
169 | The default is ``yes'' (to send keepalives), and the server will | 169 | The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the server will |
170 | notice if the network goes down or the client host crashes. This | 170 | notice if the network goes down or the client host crashes. This |
171 | avoids infinitely hanging sessions. | 171 | avoids infinitely hanging sessions. |
172 | 172 | ||
173 | To disable keepalives, the value should be set to ``no''. | 173 | To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. |
174 | 174 | ||
175 | KerberosAuthentication | 175 | ^[[1mKerberosAuthentication^[[0m |
176 | Specifies whether Kerberos authentication is allowed. This can | 176 | Specifies whether Kerberos authentication is allowed. This can |
177 | be in the form of a Kerberos ticket, or if PasswordAuthentication | 177 | be in the form of a Kerberos ticket, or if ^[[1mPasswordAuthentication^[[0m |
178 | is yes, the password provided by the user will be validated | 178 | is yes, the password provided by the user will be validated |
179 | through the Kerberos KDC. To use this option, the server needs a | 179 | through the Kerberos KDC. To use this option, the server needs a |
180 | Kerberos servtab which allows the verification of the KDC's idenM-- | 180 | Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys idenM-bM-^@M-^P |
181 | tity. Default is ``no''. | 181 | tity. Default is M-bM-^@M-^\noM-bM-^@M-^]. |
182 | 182 | ||
183 | KerberosOrLocalPasswd | 183 | ^[[1mKerberosOrLocalPasswd^[[0m |
184 | If set then if password authentication through Kerberos fails | 184 | If set then if password authentication through Kerberos fails |
185 | then the password will be validated via any additional local | 185 | then the password will be validated via any additional local |
186 | mechanism such as /etc/passwd. Default is ``yes''. | 186 | mechanism such as ^[[4m/etc/passwd^[[24m. Default is M-bM-^@M-^\yesM-bM-^@M-^]. |
187 | 187 | ||
188 | KerberosTgtPassing | 188 | ^[[1mKerberosTgtPassing^[[0m |
189 | Specifies whether a Kerberos TGT may be forwarded to the server. | 189 | Specifies whether a Kerberos TGT may be forwarded to the server. |
190 | Default is ``no'', as this only works when the Kerberos KDC is | 190 | Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is |
191 | actually an AFS kaserver. | 191 | actually an AFS kaserver. |
192 | 192 | ||
193 | KerberosTicketCleanup | 193 | ^[[1mKerberosTicketCleanup^[[0m |
194 | Specifies whether to automatically destroy the user's ticket | 194 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket |
195 | cache file on logout. Default is ``yes''. | 195 | cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. |
196 | 196 | ||
197 | KeyRegenerationInterval | 197 | ^[[1mKeyRegenerationInterval^[[0m |
198 | In protocol version 1, the ephemeral server key is automatically | 198 | In protocol version 1, the ephemeral server key is automatically |
199 | regenerated after this many seconds (if it has been used). The | 199 | regenerated after this many seconds (if it has been used). The |
200 | purpose of regeneration is to prevent decrypting captured sesM-- | 200 | purpose of regeneration is to prevent decrypting captured sesM-bM-^@M-^P |
201 | sions by later breaking into the machine and stealing the keys. | 201 | sions by later breaking into the machine and stealing the keys. |
202 | The key is never stored anywhere. If the value is 0, the key is | 202 | The key is never stored anywhere. If the value is 0, the key is |
203 | never regenerated. The default is 3600 (seconds). | 203 | never regenerated. The default is 3600 (seconds). |
204 | 204 | ||
205 | ListenAddress | 205 | ^[[1mListenAddress^[[0m |
206 | Specifies the local addresses sshd should listen on. The followM-- | 206 | Specifies the local addresses ^[[1msshd ^[[22mshould listen on. The followM-bM-^@M-^P |
207 | ing forms may be used: | 207 | ing forms may be used: |
208 | 208 | ||
209 | ListenAddress host|IPv4_addr|IPv6_addr | 209 | ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m|^[[4mIPv6_addr^[[0m |
210 | ListenAddress host|IPv4_addr:port | 210 | ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m:^[[4mport^[[0m |
211 | ListenAddress [host|IPv6_addr]:port | 211 | ^[[1mListenAddress ^[[22m[^[[4mhost^[[24m|^[[4mIPv6_addr^[[24m]:^[[4mport^[[0m |
212 | 212 | ||
213 | If port is not specified, sshd will listen on the address and all | 213 | If ^[[4mport^[[24m is not specified, ^[[1msshd ^[[22mwill listen on the address and all |
214 | prior Port options specified. The default is to listen on all | 214 | prior ^[[1mPort ^[[22moptions specified. The default is to listen on all |
215 | local addresses. Multiple ListenAddress options are permitted. | 215 | local addresses. Multiple ^[[1mListenAddress ^[[22moptions are permitted. |
216 | Additionally, any Port options must precede this option for non | 216 | Additionally, any ^[[1mPort ^[[22moptions must precede this option for non |
217 | port qualified addresses. | 217 | port qualified addresses. |
218 | 218 | ||
219 | LoginGraceTime | 219 | ^[[1mLoginGraceTime^[[0m |
220 | The server disconnects after this time if the user has not sucM-- | 220 | The server disconnects after this time if the user has not sucM-bM-^@M-^P |
221 | cessfully logged in. If the value is 0, there is no time limit. | 221 | cessfully logged in. If the value is 0, there is no time limit. |
222 | The default is 120 seconds. | 222 | The default is 120 seconds. |
223 | 223 | ||
224 | LogLevel | 224 | ^[[1mLogLevel^[[0m |
225 | Gives the verbosity level that is used when logging messages from | 225 | Gives the verbosity level that is used when logging messages from |
226 | sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-- | 226 | ^[[1msshd^[[22m. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-bM-^@M-^P |
227 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. | 227 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. |
228 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | 228 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
229 | higher levels of debugging output. Logging with a DEBUG level | 229 | higher levels of debugging output. Logging with a DEBUG level |
230 | violates the privacy of users and is not recommended. | 230 | violates the privacy of users and is not recommended. |
231 | 231 | ||
232 | MACs Specifies the available MAC (message authentication code) algoM-- | 232 | ^[[1mMACs ^[[22mSpecifies the available MAC (message authentication code) algoM-bM-^@M-^P |
233 | rithms. The MAC algorithm is used in protocol version 2 for data | 233 | rithms. The MAC algorithm is used in protocol version 2 for data |
234 | integrity protection. Multiple algorithms must be comma-sepaM-- | 234 | integrity protection. Multiple algorithms must be commaM-bM-^@M-^PsepaM-bM-^@M-^P |
235 | rated. The default is | 235 | rated. The default is |
236 | ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. | 236 | M-bM-^@M-^\hmacM-bM-^@M-^Pmd5,hmacM-bM-^@M-^Psha1,hmacM-bM-^@M-^Pripemd160,hmacM-bM-^@M-^Psha1M-bM-^@M-^P96,hmacM-bM-^@M-^Pmd5M-bM-^@M-^P96M-bM-^@M-^]. |
237 | 237 | ||
238 | MaxStartups | 238 | ^[[1mMaxStartups^[[0m |
239 | Specifies the maximum number of concurrent unauthenticated conM-- | 239 | Specifies the maximum number of concurrent unauthenticated conM-bM-^@M-^P |
240 | nections to the sshd daemon. Additional connections will be | 240 | nections to the ^[[1msshd ^[[22mdaemon. Additional connections will be |
241 | dropped until authentication succeeds or the LoginGraceTime | 241 | dropped until authentication succeeds or the ^[[1mLoginGraceTime^[[0m |
242 | expires for a connection. The default is 10. | 242 | expires for a connection. The default is 10. |
243 | 243 | ||
244 | Alternatively, random early drop can be enabled by specifying the | 244 | Alternatively, random early drop can be enabled by specifying the |
245 | three colon separated values ``start:rate:full'' (e.g., | 245 | three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g., |
246 | "10:30:60"). sshd will refuse connection attempts with a probaM-- | 246 | "10:30:60"). ^[[1msshd ^[[22mwill refuse connection attempts with a probaM-bM-^@M-^P |
247 | bility of ``rate/100'' (30%) if there are currently ``start'' | 247 | bility of M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10) |
248 | (10) unauthenticated connections. The probability increases linM-- | 248 | unauthenticated connections. The probability increases linearly |
249 | early and all connection attempts are refused if the number of | 249 | and all connection attempts are refused if the number of unauM-bM-^@M-^P |
250 | unauthenticated connections reaches ``full'' (60). | 250 | thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). |
251 | 251 | ||
252 | PAMAuthenticationViaKbdInt | 252 | ^[[1mPAMAuthenticationViaKbdInt^[[0m |
253 | Specifies whether PAM challenge response authentication is | 253 | Specifies whether PAM challenge response authentication is |
254 | allowed. This allows the use of most PAM challenge response | 254 | allowed. This allows the use of most PAM challenge response |
255 | authentication modules, but it will allow password authentication | 255 | authentication modules, but it will allow password authentication |
256 | regardless of whether PasswordAuthentication is enabled. | 256 | regardless of whether ^[[1mPasswordAuthentication ^[[22mis enabled. |
257 | 257 | ||
258 | PasswordAuthentication | 258 | ^[[1mPasswordAuthentication^[[0m |
259 | Specifies whether password authentication is allowed. The | 259 | Specifies whether password authentication is allowed. The |
260 | default is ``yes''. | 260 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
261 | 261 | ||
262 | PermitEmptyPasswords | 262 | ^[[1mPermitEmptyPasswords^[[0m |
263 | When password authentication is allowed, it specifies whether the | 263 | When password authentication is allowed, it specifies whether the |
264 | server allows login to accounts with empty password strings. The | 264 | server allows login to accounts with empty password strings. The |
265 | default is ``no''. | 265 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
266 | 266 | ||
267 | PermitRootLogin | 267 | ^[[1mPermitRootLogin^[[0m |
268 | Specifies whether root can login using ssh(1). The argument must | 268 | Specifies whether root can login using ssh(1). The argument must |
269 | be ``yes'', ``without-password'', ``forced-commands-only'' or | 269 | be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^], M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. |
270 | ``no''. The default is ``yes''. | 270 | The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
271 | 271 | ||
272 | If this option is set to ``without-password'' password authentiM-- | 272 | If this option is set to M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^] password authenticaM-bM-^@M-^P |
273 | cation is disabled for root. | 273 | tion is disabled for root. |
274 | 274 | ||
275 | If this option is set to ``forced-commands-only'' root login with | 275 | If this option is set to M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] root login with |
276 | public key authentication will be allowed, but only if the | 276 | public key authentication will be allowed, but only if the |
277 | command option has been specified (which may be useful for taking | 277 | ^[[4mcommand^[[24m option has been specified (which may be useful for taking |
278 | remote backups even if root login is normally not allowed). All | 278 | remote backups even if root login is normally not allowed). All |
279 | other authentication methods are disabled for root. | 279 | other authentication methods are disabled for root. |
280 | 280 | ||
281 | If this option is set to ``no'' root is not allowed to login. | 281 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. |
282 | 282 | ||
283 | PermitUserEnvironment | 283 | ^[[1mPermitUserEnvironment^[[0m |
284 | Specifies whether ~/.ssh/environment and environment= options in | 284 | Specifies whether ^[[4m~/.ssh/environment^[[24m and ^[[1menvironment= ^[[22moptions in |
285 | ~/.ssh/authorized_keys are processed by sshd. The default is | 285 | ^[[4m~/.ssh/authorized_keys^[[24m are processed by ^[[1msshd^[[22m. The default is |
286 | ``no''. Enabling environment processing may enable users to | 286 | M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass |
287 | bypass access restrictions in some configurations using mechaM-- | 287 | access restrictions in some configurations using mechanisms such |
288 | nisms such as LD_PRELOAD. | 288 | as LD_PRELOAD. |
289 | 289 | ||
290 | PidFile | 290 | ^[[1mPidFile^[[0m |
291 | Specifies the file that contains the process ID of the sshd daeM-- | 291 | Specifies the file that contains the process ID of the ^[[1msshd ^[[22mdaeM-bM-^@M-^P |
292 | mon. The default is /var/run/sshd.pid. | 292 | mon. The default is ^[[4m/var/run/sshd.pid^[[24m. |
293 | 293 | ||
294 | Port Specifies the port number that sshd listens on. The default is | 294 | ^[[1mPort ^[[22mSpecifies the port number that ^[[1msshd ^[[22mlistens on. The default is |
295 | 22. Multiple options of this type are permitted. See also | 295 | 22. Multiple options of this type are permitted. See also |
296 | ListenAddress. | 296 | ^[[1mListenAddress^[[22m. |
297 | 297 | ||
298 | PrintLastLog | 298 | ^[[1mPrintLastLog^[[0m |
299 | Specifies whether sshd should print the date and time when the | 299 | Specifies whether ^[[1msshd ^[[22mshould print the date and time when the |
300 | user last logged in. The default is ``yes''. | 300 | user last logged in. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
301 | 301 | ||
302 | PrintMotd | 302 | ^[[1mPrintMotd^[[0m |
303 | Specifies whether sshd should print /etc/motd when a user logs in | 303 | Specifies whether ^[[1msshd ^[[22mshould print ^[[4m/etc/motd^[[24m when a user logs in |
304 | interactively. (On some systems it is also printed by the shell, | 304 | interactively. (On some systems it is also printed by the shell, |
305 | /etc/profile, or equivalent.) The default is ``yes''. | 305 | ^[[4m/etc/profile^[[24m, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
306 | 306 | ||
307 | Protocol | 307 | ^[[1mProtocol^[[0m |
308 | Specifies the protocol versions sshd supports. The possible valM-- | 308 | Specifies the protocol versions ^[[1msshd ^[[22msupports. The possible valM-bM-^@M-^P |
309 | ues are ``1'' and ``2''. Multiple versions must be comma-sepaM-- | 309 | ues are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple versions must be commaM-bM-^@M-^Pseparated. |
310 | rated. The default is ``2,1''. Note that the order of the proM-- | 310 | The default is M-bM-^@M-^\2,1M-bM-^@M-^]. Note that the order of the protocol list |
311 | tocol list does not indicate preference, because the client | 311 | does not indicate preference, because the client selects among |
312 | selects among multiple protocol versions offered by the server. | 312 | multiple protocol versions offered by the server. Specifying |
313 | Specifying ``2,1'' is identical to ``1,2''. | 313 | M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. |
314 | 314 | ||
315 | PubkeyAuthentication | 315 | ^[[1mPubkeyAuthentication^[[0m |
316 | Specifies whether public key authentication is allowed. The | 316 | Specifies whether public key authentication is allowed. The |
317 | default is ``yes''. Note that this option applies to protocol | 317 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol verM-bM-^@M-^P |
318 | version 2 only. | 318 | sion 2 only. |
319 | 319 | ||
320 | RhostsAuthentication | 320 | ^[[1mRhostsAuthentication^[[0m |
321 | Specifies whether authentication using rhosts or /etc/hosts.equiv | 321 | Specifies whether authentication using rhosts or /etc/hosts.equiv |
322 | files is sufficient. Normally, this method should not be permitM-- | 322 | files is sufficient. Normally, this method should not be permitM-bM-^@M-^P |
323 | ted because it is insecure. RhostsRSAAuthentication should be | 323 | ted because it is insecure. ^[[1mRhostsRSAAuthentication ^[[22mshould be |
324 | used instead, because it performs RSA-based host authentication | 324 | used instead, because it performs RSAM-bM-^@M-^Pbased host authentication |
325 | in addition to normal rhosts or /etc/hosts.equiv authentication. | 325 | in addition to normal rhosts or /etc/hosts.equiv authentication. |
326 | The default is ``no''. This option applies to protocol version 1 | 326 | The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 |
327 | only. | 327 | only. |
328 | 328 | ||
329 | RhostsRSAAuthentication | 329 | ^[[1mRhostsRSAAuthentication^[[0m |
330 | Specifies whether rhosts or /etc/hosts.equiv authentication | 330 | Specifies whether rhosts or /etc/hosts.equiv authentication |
331 | together with successful RSA host authentication is allowed. The | 331 | together with successful RSA host authentication is allowed. The |
332 | default is ``no''. This option applies to protocol version 1 | 332 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. |
333 | only. | ||
334 | 333 | ||
335 | RSAAuthentication | 334 | ^[[1mRSAAuthentication^[[0m |
336 | Specifies whether pure RSA authentication is allowed. The | 335 | Specifies whether pure RSA authentication is allowed. The |
337 | default is ``yes''. This option applies to protocol version 1 | 336 | default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1 |
338 | only. | 337 | only. |
339 | 338 | ||
340 | ServerKeyBits | 339 | ^[[1mServerKeyBits^[[0m |
341 | Defines the number of bits in the ephemeral protocol version 1 | 340 | Defines the number of bits in the ephemeral protocol version 1 |
342 | server key. The minimum value is 512, and the default is 768. | 341 | server key. The minimum value is 512, and the default is 768. |
343 | 342 | ||
344 | StrictModes | 343 | ^[[1mStrictModes^[[0m |
345 | Specifies whether sshd should check file modes and ownership of | 344 | Specifies whether ^[[1msshd ^[[22mshould check file modes and ownership of |
346 | the user's files and home directory before accepting login. This | 345 | the userM-bM-^@M-^Ys files and home directory before accepting login. This |
347 | is normally desirable because novices sometimes accidentally | 346 | is normally desirable because novices sometimes accidentally |
348 | leave their directory or files world-writable. The default is | 347 | leave their directory or files worldM-bM-^@M-^Pwritable. The default is |
349 | ``yes''. | 348 | M-bM-^@M-^\yesM-bM-^@M-^]. |
350 | 349 | ||
351 | Subsystem | 350 | ^[[1mSubsystem^[[0m |
352 | Configures an external subsystem (e.g., file transfer daemon). | 351 | Configures an external subsystem (e.g., file transfer daemon). |
353 | Arguments should be a subsystem name and a command to execute | 352 | Arguments should be a subsystem name and a command to execute |
354 | upon subsystem request. The command sftp-server(8) implements | 353 | upon subsystem request. The command sftpM-bM-^@M-^Pserver(8) implements |
355 | the ``sftp'' file transfer subsystem. By default no subsystems | 354 | the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer subsystem. By default no subsystems are |
356 | are defined. Note that this option applies to protocol version 2 | 355 | defined. Note that this option applies to protocol version 2 |
357 | only. | 356 | only. |
358 | 357 | ||
359 | SyslogFacility | 358 | ^[[1mSyslogFacility^[[0m |
360 | Gives the facility code that is used when logging messages from | 359 | Gives the facility code that is used when logging messages from |
361 | sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, | 360 | ^[[1msshd^[[22m. The possible values are: DAEMON, USER, AUTH, LOCAL0, |
362 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The | 361 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The |
363 | default is AUTH. | 362 | default is AUTH. |
364 | 363 | ||
365 | UseLogin | 364 | ^[[1mUseLogin^[[0m |
366 | Specifies whether login(1) is used for interactive login sesM-- | 365 | Specifies whether login(1) is used for interactive login sesM-bM-^@M-^P |
367 | sions. The default is ``no''. Note that login(1) is never used | 366 | sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used |
368 | for remote command execution. Note also, that if this is | 367 | for remote command execution. Note also, that if this is |
369 | enabled, X11Forwarding will be disabled because login(1) does not | 368 | enabled, ^[[1mX11Forwarding ^[[22mwill be disabled because login(1) does not |
370 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | 369 | know how to handle xauth(1) cookies. If ^[[1mUsePrivilegeSeparation^[[0m |
371 | is specified, it will be disabled after authentication. | 370 | is specified, it will be disabled after authentication. |
372 | 371 | ||
373 | UsePrivilegeSeparation | 372 | ^[[1mUsePrivilegeSeparation^[[0m |
374 | Specifies whether sshd separates privileges by creating an | 373 | Specifies whether ^[[1msshd ^[[22mseparates privileges by creating an |
375 | unprivileged child process to deal with incoming network traffic. | 374 | unprivileged child process to deal with incoming network traffic. |
376 | After successful authentication, another process will be created | 375 | After successful authentication, another process will be created |
377 | that has the privilege of the authenticated user. The goal of | 376 | that has the privilege of the authenticated user. The goal of |
378 | privilege separation is to prevent privilege escalation by conM-- | 377 | privilege separation is to prevent privilege escalation by conM-bM-^@M-^P |
379 | taining any corruption within the unprivileged processes. The | 378 | taining any corruption within the unprivileged processes. The |
380 | default is ``yes''. | 379 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
381 | 380 | ||
382 | VerifyReverseMapping | 381 | ^[[1mVerifyReverseMapping^[[0m |
383 | Specifies whether sshd should try to verify the remote host name | 382 | Specifies whether ^[[1msshd ^[[22mshould try to verify the remote host name |
384 | and check that the resolved host name for the remote IP address | 383 | and check that the resolved host name for the remote IP address |
385 | maps back to the very same IP address. The default is ``no''. | 384 | maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
386 | 385 | ||
387 | X11DisplayOffset | 386 | ^[[1mX11DisplayOffset^[[0m |
388 | Specifies the first display number available for sshd's X11 forM-- | 387 | Specifies the first display number available for ^[[1msshd^[[22mM-bM-^@M-^Ys X11 forM-bM-^@M-^P |
389 | warding. This prevents sshd from interfering with real X11 | 388 | warding. This prevents ^[[1msshd ^[[22mfrom interfering with real X11 |
390 | servers. The default is 10. | 389 | servers. The default is 10. |
391 | 390 | ||
392 | X11Forwarding | 391 | ^[[1mX11Forwarding^[[0m |
393 | Specifies whether X11 forwarding is permitted. The argument must | 392 | Specifies whether X11 forwarding is permitted. The argument must |
394 | be ``yes'' or ``no''. The default is ``no''. | 393 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
395 | 394 | ||
396 | When X11 forwarding is enabled, there may be additional exposure | 395 | When X11 forwarding is enabled, there may be additional exposure |
397 | to the server and to client displays if the sshd proxy display is | 396 | to the server and to client displays if the ^[[1msshd ^[[22mproxy display is |
398 | configured to listen on the wildcard address (see X11UseLocalhost | 397 | configured to listen on the wildcard address (see ^[[1mX11UseLocalhost^[[0m |
399 | below), however this is not the default. Additionally, the | 398 | below), however this is not the default. Additionally, the |
400 | authentication spoofing and authentication data verification and | 399 | authentication spoofing and authentication data verification and |
401 | substitution occur on the client side. The security risk of | 400 | substitution occur on the client side. The security risk of |
402 | using X11 forwarding is that the client's X11 display server may | 401 | using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may |
403 | be exposed to attack when the ssh client requests forwarding (see | 402 | be exposed to attack when the ssh client requests forwarding (see |
404 | the warnings for ForwardX11 in ssh_config(5) ). A system adminisM-- | 403 | the warnings for ^[[1mForwardX11 ^[[22min ssh_config(5) ). A system adminisM-bM-^@M-^P |
405 | trator may have a stance in which they want to protect clients | 404 | trator may have a stance in which they want to protect clients |
406 | that may expose themselves to attack by unwittingly requesting | 405 | that may expose themselves to attack by unwittingly requesting |
407 | X11 forwarding, which can warrant a ``no'' setting. | 406 | X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. |
408 | 407 | ||
409 | Note that disabling X11 forwarding does not prevent users from | 408 | Note that disabling X11 forwarding does not prevent users from |
410 | forwarding X11 traffic, as users can always install their own | 409 | forwarding X11 traffic, as users can always install their own |
411 | forwarders. X11 forwarding is automatically disabled if UseLogin | 410 | forwarders. X11 forwarding is automatically disabled if ^[[1mUseLogin^[[0m |
412 | is enabled. | 411 | is enabled. |
413 | 412 | ||
414 | X11UseLocalhost | 413 | ^[[1mX11UseLocalhost^[[0m |
415 | Specifies whether sshd should bind the X11 forwarding server to | 414 | Specifies whether ^[[1msshd ^[[22mshould bind the X11 forwarding server to |
416 | the loopback address or to the wildcard address. By default, | 415 | the loopback address or to the wildcard address. By default, |
417 | sshd binds the forwarding server to the loopback address and sets | 416 | ^[[1msshd ^[[22mbinds the forwarding server to the loopback address and sets |
418 | the hostname part of the DISPLAY environment variable to | 417 | the hostname part of the DISPLAY environment variable to |
419 | ``localhost''. This prevents remote hosts from connecting to the | 418 | M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the |
420 | proxy display. However, some older X11 clients may not function | 419 | proxy display. However, some older X11 clients may not function |
421 | with this configuration. X11UseLocalhost may be set to ``no'' to | 420 | with this configuration. ^[[1mX11UseLocalhost ^[[22mmay be set to M-bM-^@M-^\noM-bM-^@M-^] to |
422 | specify that the forwarding server should be bound to the wildM-- | 421 | specify that the forwarding server should be bound to the wildM-bM-^@M-^P |
423 | card address. The argument must be ``yes'' or ``no''. The | 422 | card address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default |
424 | default is ``yes''. | 423 | is M-bM-^@M-^\yesM-bM-^@M-^]. |
425 | 424 | ||
426 | XAuthLocation | 425 | ^[[1mXAuthLocation^[[0m |
427 | Specifies the full pathname of the xauth(1) program. The default | 426 | Specifies the full pathname of the xauth(1) program. The default |
428 | is /usr/X11R6/bin/xauth. | 427 | is ^[[4m/usr/X11R6/bin/xauth^[[24m. |
429 | 428 | ||
430 | Time Formats | 429 | ^[[1mTime Formats^[[0m |
431 | 430 | ||
432 | sshd command-line arguments and configuration file options that specify | 431 | ^[[1msshd ^[[22mcommandM-bM-^@M-^Pline arguments and configuration file options that specify |
433 | time may be expressed using a sequence of the form: time[qualifier], | 432 | time may be expressed using a sequence of the form: ^[[4mtime^[[24m[^[[4mqualifier^[[24m], |
434 | where time is a positive integer value and qualifier is one of the folM-- | 433 | where ^[[4mtime^[[24m is a positive integer value and ^[[4mqualifier^[[24m is one of the folM-bM-^@M-^P |
435 | lowing: | 434 | lowing: |
436 | 435 | ||
437 | <none> seconds | 436 | ^[[1m<none> ^[[22mseconds |
438 | s | S seconds | 437 | ^[[1ms ^[[22m| ^[[1mS ^[[22mseconds |
439 | m | M minutes | 438 | ^[[1mm ^[[22m| ^[[1mM ^[[22mminutes |
440 | h | H hours | 439 | ^[[1mh ^[[22m| ^[[1mH ^[[22mhours |
441 | d | D days | 440 | ^[[1md ^[[22m| ^[[1mD ^[[22mdays |
442 | w | W weeks | 441 | ^[[1mw ^[[22m| ^[[1mW ^[[22mweeks |
443 | 442 | ||
444 | Each member of the sequence is added together to calculate the total time | 443 | Each member of the sequence is added together to calculate the total time |
445 | value. | 444 | value. |
@@ -450,21 +449,21 @@ DESCRIPTION | |||
450 | 10m 10 minutes | 449 | 10m 10 minutes |
451 | 1h30m 1 hour 30 minutes (90 minutes) | 450 | 1h30m 1 hour 30 minutes (90 minutes) |
452 | 451 | ||
453 | FILES | 452 | ^[[1mFILES^[[0m |
454 | /etc/ssh/sshd_config | 453 | /etc/ssh/sshd_config |
455 | Contains configuration data for sshd. This file should be | 454 | Contains configuration data for ^[[1msshd^[[22m. This file should be |
456 | writable by root only, but it is recommended (though not necesM-- | 455 | writable by root only, but it is recommended (though not necesM-bM-^@M-^P |
457 | sary) that it be world-readable. | 456 | sary) that it be worldM-bM-^@M-^Preadable. |
458 | 457 | ||
459 | AUTHORS | 458 | ^[[1mAUTHORS^[[0m |
460 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 459 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
461 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 460 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
462 | de Raadt and Dug Song removed many bugs, re-added newer features and creM-- | 461 | de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P |
463 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 462 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
464 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 463 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
465 | for privilege separation. | 464 | for privilege separation. |
466 | 465 | ||
467 | SEE ALSO | 466 | ^[[1mSEE ALSO^[[0m |
468 | sshd(8) | 467 | sshd(8) |
469 | 468 | ||
470 | BSD September 25, 1999 BSD | 469 | BSD September 25, 1999 BSD |