diff options
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 43 |
1 files changed, 38 insertions, 5 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 2648db3d4..5f1df7b58 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -90,6 +90,13 @@ DESCRIPTION | |||
90 | example, it would not be possible to attempt password or | 90 | example, it would not be possible to attempt password or |
91 | keyboard-interactive authentication before public key. | 91 | keyboard-interactive authentication before public key. |
92 | 92 | ||
93 | For keyboard interactive authentication it is also possible to | ||
94 | restrict authentication to a specific device by appending a colon | ||
95 | followed by the device identifier ``bsdauth'', ``pam'', or | ||
96 | ``skey'', depending on the server configuration. For example, | ||
97 | ``keyboard-interactive:bsdauth'' would restrict keyboard | ||
98 | interactive authentication to the ``bsdauth'' device. | ||
99 | |||
93 | This option is only available for SSH protocol 2 and will yield a | 100 | This option is only available for SSH protocol 2 and will yield a |
94 | fatal error if enabled if protocol 1 is also enabled. Note that | 101 | fatal error if enabled if protocol 1 is also enabled. Note that |
95 | each authentication method listed should also be explicitly | 102 | each authentication method listed should also be explicitly |
@@ -99,7 +106,8 @@ DESCRIPTION | |||
99 | 106 | ||
100 | AuthorizedKeysCommand | 107 | AuthorizedKeysCommand |
101 | Specifies a program to be used to look up the user's public keys. | 108 | Specifies a program to be used to look up the user's public keys. |
102 | The program will be invoked with a single argument of the | 109 | The program must be owned by root and not writable by group or |
110 | others. It will be invoked with a single argument of the | ||
103 | username being authenticated, and should produce on standard | 111 | username being authenticated, and should produce on standard |
104 | output zero or more lines of authorized_keys output (see | 112 | output zero or more lines of authorized_keys output (see |
105 | AUTHORIZED_KEYS in sshd(8)). If a key supplied by | 113 | AUTHORIZED_KEYS in sshd(8)). If a key supplied by |
@@ -322,7 +330,16 @@ DESCRIPTION | |||
322 | sshd(8) will refuse to use a file if it is group/world- | 330 | sshd(8) will refuse to use a file if it is group/world- |
323 | accessible. It is possible to have multiple host key files. | 331 | accessible. It is possible to have multiple host key files. |
324 | ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or | 332 | ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or |
325 | ``rsa'' are used for version 2 of the SSH protocol. | 333 | ``rsa'' are used for version 2 of the SSH protocol. It is also |
334 | possible to specify public host key files instead. In this case | ||
335 | operations on the private key will be delegated to an | ||
336 | ssh-agent(1). | ||
337 | |||
338 | HostKeyAgent | ||
339 | Identifies the UNIX-domain socket used to communicate with an | ||
340 | agent that has access to the private host keys. If | ||
341 | ``SSH_AUTH_SOCK'' is specified, the location of the socket will | ||
342 | be read from the SSH_AUTH_SOCK environment variable. | ||
326 | 343 | ||
327 | IgnoreRhosts | 344 | IgnoreRhosts |
328 | Specifies that .rhosts and .shosts files will not be used in | 345 | Specifies that .rhosts and .shosts files will not be used in |
@@ -461,8 +478,9 @@ DESCRIPTION | |||
461 | KbdInteractiveAuthentication, KerberosAuthentication, | 478 | KbdInteractiveAuthentication, KerberosAuthentication, |
462 | MaxAuthTries, MaxSessions, PasswordAuthentication, | 479 | MaxAuthTries, MaxSessions, PasswordAuthentication, |
463 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel, | 480 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel, |
464 | PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, | 481 | PubkeyAuthentication, RekeyLimit, RhostsRSAAuthentication, |
465 | X11DisplayOffset, X11Forwarding and X11UseLocalHost. | 482 | RSAAuthentication, X11DisplayOffset, X11Forwarding and |
483 | X11UseLocalHost. | ||
466 | 484 | ||
467 | MaxAuthTries | 485 | MaxAuthTries |
468 | Specifies the maximum number of authentication attempts permitted | 486 | Specifies the maximum number of authentication attempts permitted |
@@ -571,6 +589,21 @@ DESCRIPTION | |||
571 | default is ``yes''. Note that this option applies to protocol | 589 | default is ``yes''. Note that this option applies to protocol |
572 | version 2 only. | 590 | version 2 only. |
573 | 591 | ||
592 | RekeyLimit | ||
593 | Specifies the maximum amount of data that may be transmitted | ||
594 | before the session key is renegotiated, optionally followed a | ||
595 | maximum amount of time that may pass before the session key is | ||
596 | renegotiated. The first argument is specified in bytes and may | ||
597 | have a suffix of `K', `M', or `G' to indicate Kilobytes, | ||
598 | Megabytes, or Gigabytes, respectively. The default is between | ||
599 | `1G' and `4G', depending on the cipher. The optional second | ||
600 | value is specified in seconds and may use any of the units | ||
601 | documented in the TIME FORMATS section. The default value for | ||
602 | RekeyLimit is ``default none'', which means that rekeying is | ||
603 | performed after the cipher's default amount of data has been sent | ||
604 | or received and no time based rekeying is done. This option | ||
605 | applies to protocol version 2 only. | ||
606 | |||
574 | RevokedKeys | 607 | RevokedKeys |
575 | Specifies revoked public keys. Keys listed in this file will be | 608 | Specifies revoked public keys. Keys listed in this file will be |
576 | refused for public key authentication. Note that if this file is | 609 | refused for public key authentication. Note that if this file is |
@@ -777,4 +810,4 @@ AUTHORS | |||
777 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 810 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
778 | for privilege separation. | 811 | for privilege separation. |
779 | 812 | ||
780 | OpenBSD 5.3 February 6, 2013 OpenBSD 5.3 | 813 | OpenBSD 5.4 July 19, 2013 OpenBSD 5.4 |