Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 313 |
1 files changed, 188 insertions, 125 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index d2c5454e1..c9a09a4ff 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -7,10 +7,11 @@ SYNOPSIS | |||
7 | /etc/ssh/sshd_config | 7 | /etc/ssh/sshd_config |
8 | 8 | ||
9 | DESCRIPTION | 9 | DESCRIPTION |
10 | sshd reads configuration data from /etc/ssh/sshd_config (or the file | 10 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file |
11 | specified with -f on the command line). The file contains keyword-argu- | 11 | specified with -f on the command line). The file contains keyword-argu- |
12 | ment pairs, one per line. Lines starting with `#' and empty lines are | 12 | ment pairs, one per line. Lines starting with `#' and empty lines are |
13 | interpreted as comments. | 13 | interpreted as comments. Arguments may optionally be enclosed in double |
14 | quotes (") in order to represent arguments containing spaces. | ||
14 | 15 | ||
15 | The possible keywords and their meanings are as follows (note that key- | 16 | The possible keywords and their meanings are as follows (note that key- |
16 | words are case-insensitive and arguments are case-sensitive): | 17 | words are case-insensitive and arguments are case-sensitive): |
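Review bot: the new sentence in the DESCRIPTION ("Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces") introduces a quoting rule without saying how a literal double quote inside such an argument is written, or whether the rule applies to every keyword or only to those that take paths and commands (AuthorizedKeysFile, Subsystem, ForceCommand). One more sentence covering the escape rule and the scope would stop operators from guessing; a parser ambiguity here is exactly how a quoted path ends up naming a different file than intended.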
@@ -29,17 +30,21 @@ DESCRIPTION | |||
29 | any environment variables. | 30 | any environment variables. |
30 | 31 | ||
31 | AddressFamily | 32 | AddressFamily |
32 | Specifies which address family should be used by sshd. Valid ar- | 33 | Specifies which address family should be used by sshd(8). Valid |
33 | guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use | 34 | arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' |
34 | IPv6 only). The default is ``any''. | 35 | (use IPv6 only). The default is ``any''. |
35 | 36 | ||
36 | AllowGroups | 37 | AllowGroups |
37 | This keyword can be followed by a list of group name patterns, | 38 | This keyword can be followed by a list of group name patterns, |
38 | separated by spaces. If specified, login is allowed only for | 39 | separated by spaces. If specified, login is allowed only for |
39 | users whose primary group or supplementary group list matches one | 40 | users whose primary group or supplementary group list matches one |
40 | of the patterns. `*' and `?' can be used as wildcards in the | 41 | of the patterns. Only group names are valid; a numerical group |
41 | patterns. Only group names are valid; a numerical group ID is | 42 | ID is not recognized. By default, login is allowed for all |
42 | not recognized. By default, login is allowed for all groups. | 43 | groups. The allow/deny directives are processed in the following |
44 | order: DenyUsers, AllowUsers, DenyGroups, and finally | ||
45 | AllowGroups. | ||
46 | |||
47 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
43 | 48 | ||
44 | AllowTcpForwarding | 49 | AllowTcpForwarding |
45 | Specifies whether TCP forwarding is permitted. The default is | 50 | Specifies whether TCP forwarding is permitted. The default is |
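Review bot: the added sentence "The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups" states an order but not what the order means for the login decision. A reader cannot tell whether a user who matches AllowUsers is still refused when one of their groups matches DenyGroups, or whether a later directive can re-admit someone an earlier one rejected. If the intended semantics are that every configured directive is evaluated and each stage can only refuse, never re-admit, say so explicitly, since that is the property an operator relies on when using DenyGroups as a backstop behind AllowUsers. The same sentence is also repeated verbatim under AllowUsers, DenyGroups and DenyUsers in this patch; documenting the order once and cross-referencing it from the other three keeps the copies from drifting apart in later edits.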
@@ -50,23 +55,26 @@ DESCRIPTION | |||
50 | AllowUsers | 55 | AllowUsers |
51 | This keyword can be followed by a list of user name patterns, | 56 | This keyword can be followed by a list of user name patterns, |
52 | separated by spaces. If specified, login is allowed only for us- | 57 | separated by spaces. If specified, login is allowed only for us- |
53 | er names that match one of the patterns. `*' and `?' can be used | 58 | er names that match one of the patterns. Only user names are |
54 | as wildcards in the patterns. Only user names are valid; a nu- | 59 | valid; a numerical user ID is not recognized. By default, login |
55 | merical user ID is not recognized. By default, login is allowed | 60 | is allowed for all users. If the pattern takes the form US- |
56 | for all users. If the pattern takes the form USER@HOST then USER | 61 | ER@HOST then USER and HOST are separately checked, restricting |
57 | and HOST are separately checked, restricting logins to particular | 62 | logins to particular users from particular hosts. The allow/deny |
58 | users from particular hosts. | 63 | directives are processed in the following order: DenyUsers, |
64 | AllowUsers, DenyGroups, and finally AllowGroups. | ||
65 | |||
66 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
59 | 67 | ||
60 | AuthorizedKeysFile | 68 | AuthorizedKeysFile |
61 | Specifies the file that contains the public keys that can be used | 69 | Specifies the file that contains the public keys that can be used |
62 | for user authentication. AuthorizedKeysFile may contain tokens | 70 | for user authentication. AuthorizedKeysFile may contain tokens |
63 | of the form %T which are substituted during connection set-up. | 71 | of the form %T which are substituted during connection setup. |
64 | The following tokens are defined: %% is replaced by a literal | 72 | The following tokens are defined: %% is replaced by a literal |
65 | '%', %h is replaced by the home directory of the user being au- | 73 | '%', %h is replaced by the home directory of the user being au- |
66 | thenticated and %u is replaced by the username of that user. Af- | 74 | thenticated, and %u is replaced by the username of that user. |
67 | ter expansion, AuthorizedKeysFile is taken to be an absolute path | 75 | After expansion, AuthorizedKeysFile is taken to be an absolute |
68 | or one relative to the user's home directory. The default is | 76 | path or one relative to the user's home directory. The default |
69 | ``.ssh/authorized_keys''. | 77 | is ``.ssh/authorized_keys''. |
70 | 78 | ||
71 | Banner In some jurisdictions, sending a warning message before authenti- | 79 | Banner In some jurisdictions, sending a warning message before authenti- |
72 | cation may be relevant for getting legal protection. The con- | 80 | cation may be relevant for getting legal protection. The con- |
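Review bot: the AllowUsers text keeps the USER@HOST form and says HOST is "separately checked" but never says what HOST is compared against. Whether it is the client's IP address, the name from a reverse lookup, or both matters for an access control, and the answer depends on UseDNS, which this same file documents further down ("look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address"). Add a sentence stating what HOST matches and pointing at UseDNS, so operators do not write hostname patterns that may never match when UseDNS is off, or lean on a reverse-DNS name that the peer's own resolver controls. The USER@HOST text under DenyUsers in the next hunk needs the same clarification.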
@@ -75,7 +83,7 @@ DESCRIPTION | |||
75 | protocol version 2. By default, no banner is displayed. | 83 | protocol version 2. By default, no banner is displayed. |
76 | 84 | ||
77 | ChallengeResponseAuthentication | 85 | ChallengeResponseAuthentication |
78 | Specifies whether challenge response authentication is allowed. | 86 | Specifies whether challenge-response authentication is allowed. |
79 | All authentication styles from login.conf(5) are supported. The | 87 | All authentication styles from login.conf(5) are supported. The |
80 | default is ``yes''. | 88 | default is ``yes''. |
81 | 89 | ||
@@ -85,15 +93,15 @@ DESCRIPTION | |||
85 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | 93 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', |
86 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', | 94 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', |
87 | ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and | 95 | ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and |
88 | ``cast128-cbc''. The default is | 96 | ``cast128-cbc''. The default is: |
89 | 97 | ||
90 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, | 98 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
91 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, | 99 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
92 | aes192-ctr,aes256-ctr'' | 100 | aes192-ctr,aes256-ctr |
93 | 101 | ||
94 | ClientAliveCountMax | 102 | ClientAliveCountMax |
95 | Sets the number of client alive messages (see below) which may be | 103 | Sets the number of client alive messages (see below) which may be |
96 | sent without sshd receiving any messages back from the client. | 104 | sent without sshd(8) receiving any messages back from the client. |
97 | If this threshold is reached while client alive messages are be- | 105 | If this threshold is reached while client alive messages are be- |
98 | ing sent, sshd will disconnect the client, terminating the ses- | 106 | ing sent, sshd will disconnect the client, terminating the ses- |
99 | sion. It is important to note that the use of client alive mes- | 107 | sion. It is important to note that the use of client alive mes- |
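Review bot: the double-backquote quoting was removed from the Ciphers default list here ("The default is:" followed by a bare list), but the MACs default later in this patch keeps its quotes ("The default is: ``hmac-md5,hmac-sha1,...''"). Pick one style for multi-line default lists. The bare form used here is the better one, because this is a list operators paste into sshd_config and then trim or reorder (for example to move the ctr modes ahead of the cbc and arcfour entries that the default currently lists first), and stray quote characters in a Ciphers line are an easy way to get a non-starting daemon.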
@@ -106,15 +114,16 @@ DESCRIPTION | |||
106 | 114 | ||
107 | The default value is 3. If ClientAliveInterval (see below) is | 115 | The default value is 3. If ClientAliveInterval (see below) is |
108 | set to 15, and ClientAliveCountMax is left at the default, unre- | 116 | set to 15, and ClientAliveCountMax is left at the default, unre- |
109 | sponsive ssh clients will be disconnected after approximately 45 | 117 | sponsive SSH clients will be disconnected after approximately 45 |
110 | seconds. | 118 | seconds. This option applies to protocol version 2 only. |
111 | 119 | ||
112 | ClientAliveInterval | 120 | ClientAliveInterval |
113 | Sets a timeout interval in seconds after which if no data has | 121 | Sets a timeout interval in seconds after which if no data has |
114 | been received from the client, sshd will send a message through | 122 | been received from the client, sshd(8) will send a message |
115 | the encrypted channel to request a response from the client. The | 123 | through the encrypted channel to request a response from the |
116 | default is 0, indicating that these messages will not be sent to | 124 | client. The default is 0, indicating that these messages will |
117 | the client. This option applies to protocol version 2 only. | 125 | not be sent to the client. This option applies to protocol ver- |
126 | sion 2 only. | ||
118 | 127 | ||
119 | Compression | 128 | Compression |
120 | Specifies whether compression is allowed, or delayed until the | 129 | Specifies whether compression is allowed, or delayed until the |
@@ -125,23 +134,38 @@ DESCRIPTION | |||
125 | This keyword can be followed by a list of group name patterns, | 134 | This keyword can be followed by a list of group name patterns, |
126 | separated by spaces. Login is disallowed for users whose primary | 135 | separated by spaces. Login is disallowed for users whose primary |
127 | group or supplementary group list matches one of the patterns. | 136 | group or supplementary group list matches one of the patterns. |
128 | `*' and `?' can be used as wildcards in the patterns. Only group | 137 | Only group names are valid; a numerical group ID is not recog- |
129 | names are valid; a numerical group ID is not recognized. By de- | 138 | nized. By default, login is allowed for all groups. The al- |
130 | fault, login is allowed for all groups. | 139 | low/deny directives are processed in the following order: |
140 | DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. | ||
141 | |||
142 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
131 | 143 | ||
132 | DenyUsers | 144 | DenyUsers |
133 | This keyword can be followed by a list of user name patterns, | 145 | This keyword can be followed by a list of user name patterns, |
134 | separated by spaces. Login is disallowed for user names that | 146 | separated by spaces. Login is disallowed for user names that |
135 | match one of the patterns. `*' and `?' can be used as wildcards | 147 | match one of the patterns. Only user names are valid; a numeri- |
136 | in the patterns. Only user names are valid; a numerical user ID | 148 | cal user ID is not recognized. By default, login is allowed for |
137 | is not recognized. By default, login is allowed for all users. | 149 | all users. If the pattern takes the form USER@HOST then USER and |
138 | If the pattern takes the form USER@HOST then USER and HOST are | 150 | HOST are separately checked, restricting logins to particular |
139 | separately checked, restricting logins to particular users from | 151 | users from particular hosts. The allow/deny directives are pro- |
140 | particular hosts. | 152 | cessed in the following order: DenyUsers, AllowUsers, DenyGroups, |
153 | and finally AllowGroups. | ||
154 | |||
155 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
156 | |||
157 | ForceCommand | ||
158 | Forces the execution of the command specified by ForceCommand, | ||
159 | ignoring any command supplied by the client. The command is in- | ||
160 | voked by using the user's login shell with the -c option. This | ||
161 | applies to shell, command, or subsystem execution. It is most | ||
162 | useful inside a Match block. The command originally supplied by | ||
163 | the client is available in the SSH_ORIGINAL_COMMAND environment | ||
164 | variable. | ||
141 | 165 | ||
142 | GatewayPorts | 166 | GatewayPorts |
143 | Specifies whether remote hosts are allowed to connect to ports | 167 | Specifies whether remote hosts are allowed to connect to ports |
144 | forwarded for the client. By default, sshd binds remote port | 168 | forwarded for the client. By default, sshd(8) binds remote port |
145 | forwardings to the loopback address. This prevents other remote | 169 | forwardings to the loopback address. This prevents other remote |
146 | hosts from connecting to forwarded ports. GatewayPorts can be | 170 | hosts from connecting to forwarded ports. GatewayPorts can be |
147 | used to specify that sshd should allow remote port forwardings to | 171 | used to specify that sshd should allow remote port forwardings to |
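Review bot: the new ForceCommand entry says the client's original command "is available in the SSH_ORIGINAL_COMMAND environment variable" but not that this string is chosen entirely by the client and arrives unfiltered. Because the forced command is run through the user's login shell with -c, a wrapper that evals or word-splits $SSH_ORIGINAL_COMMAND reintroduces exactly the arbitrary command execution ForceCommand exists to remove. One sentence stating that the variable is untrusted input which the forced command must validate or ignore would make the security model clear. It would also help to cross-reference the authorized_keys "command" option that PermitRootLogin "forced-commands-only" refers to later in this file, so readers see the per-key and per-Match mechanisms side by side.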
@@ -165,18 +189,27 @@ DESCRIPTION | |||
165 | HostbasedAuthentication | 189 | HostbasedAuthentication |
166 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | 190 | Specifies whether rhosts or /etc/hosts.equiv authentication to- |
167 | gether with successful public key client host authentication is | 191 | gether with successful public key client host authentication is |
168 | allowed (hostbased authentication). This option is similar to | 192 | allowed (host-based authentication). This option is similar to |
169 | RhostsRSAAuthentication and applies to protocol version 2 only. | 193 | RhostsRSAAuthentication and applies to protocol version 2 only. |
170 | The default is ``no''. | 194 | The default is ``no''. |
171 | 195 | ||
196 | HostbasedUsesNameFromPacketOnly | ||
197 | Specifies whether or not the server will attempt to perform a re- | ||
198 | verse name lookup when matching the name in the ~/.shosts, | ||
199 | ~/.rhosts, and /etc/hosts.equiv files during | ||
200 | HostbasedAuthentication. A setting of ``yes'' means that sshd(8) | ||
201 | uses the name supplied by the client rather than attempting to | ||
202 | resolve the name from the TCP connection itself. The default is | ||
203 | ``no''. | ||
204 | |||
172 | HostKey | 205 | HostKey |
173 | Specifies a file containing a private host key used by SSH. The | 206 | Specifies a file containing a private host key used by SSH. The |
174 | default is /etc/ssh/ssh_host_key for protocol version 1, and | 207 | default is /etc/ssh/ssh_host_key for protocol version 1, and |
175 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | 208 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- |
176 | tocol version 2. Note that sshd will refuse to use a file if it | 209 | tocol version 2. Note that sshd(8) will refuse to use a file if |
177 | is group/world-accessible. It is possible to have multiple host | 210 | it is group/world-accessible. It is possible to have multiple |
178 | key files. ``rsa1'' keys are used for version 1 and ``dsa'' or | 211 | host key files. ``rsa1'' keys are used for version 1 and ``dsa'' |
179 | ``rsa'' are used for version 2 of the SSH protocol. | 212 | or ``rsa'' are used for version 2 of the SSH protocol. |
180 | 213 | ||
181 | IgnoreRhosts | 214 | IgnoreRhosts |
182 | Specifies that .rhosts and .shosts files will not be used in | 215 | Specifies that .rhosts and .shosts files will not be used in |
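Review bot: the new HostbasedUsesNameFromPacketOnly entry explains the mechanism ("uses the name supplied by the client rather than attempting to resolve the name from the TCP connection itself") but not the consequence, which is what an operator deciding on "yes" needs. With "yes" the client chooses which ~/.shosts, ~/.rhosts or /etc/hosts.equiv entry it is matched against, so the only thing binding that name to the real peer is the client host key check described under HostbasedAuthentication ("together with successful public key client host authentication"). Spell out that the name is then unverified and that the host key recorded for that name is what is being trusted, and that "no" remains the right choice wherever reverse DNS for client hosts is reliable.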
@@ -186,7 +219,7 @@ DESCRIPTION | |||
186 | fault is ``yes''. | 219 | fault is ``yes''. |
187 | 220 | ||
188 | IgnoreUserKnownHosts | 221 | IgnoreUserKnownHosts |
189 | Specifies whether sshd should ignore the user's | 222 | Specifies whether sshd(8) should ignore the user's |
190 | ~/.ssh/known_hosts during RhostsRSAAuthentication or | 223 | ~/.ssh/known_hosts during RhostsRSAAuthentication or |
191 | HostbasedAuthentication. The default is ``no''. | 224 | HostbasedAuthentication. The default is ``no''. |
192 | 225 | ||
@@ -194,22 +227,22 @@ DESCRIPTION | |||
194 | Specifies whether the password provided by the user for | 227 | Specifies whether the password provided by the user for |
195 | PasswordAuthentication will be validated through the Kerberos | 228 | PasswordAuthentication will be validated through the Kerberos |
196 | KDC. To use this option, the server needs a Kerberos servtab | 229 | KDC. To use this option, the server needs a Kerberos servtab |
197 | which allows the verification of the KDC's identity. Default is | 230 | which allows the verification of the KDC's identity. The default |
198 | ``no''. | 231 | is ``no''. |
199 | 232 | ||
200 | KerberosGetAFSToken | 233 | KerberosGetAFSToken |
201 | If AFS is active and the user has a Kerberos 5 TGT, attempt to | 234 | If AFS is active and the user has a Kerberos 5 TGT, attempt to |
202 | acquire an AFS token before accessing the user's home directory. | 235 | acquire an AFS token before accessing the user's home directory. |
203 | Default is ``no''. | 236 | The default is ``no''. |
204 | 237 | ||
205 | KerberosOrLocalPasswd | 238 | KerberosOrLocalPasswd |
206 | If set then if password authentication through Kerberos fails | 239 | If password authentication through Kerberos fails then the pass- |
207 | then the password will be validated via any additional local | 240 | word will be validated via any additional local mechanism such as |
208 | mechanism such as /etc/passwd. Default is ``yes''. | 241 | /etc/passwd. The default is ``yes''. |
209 | 242 | ||
210 | KerberosTicketCleanup | 243 | KerberosTicketCleanup |
211 | Specifies whether to automatically destroy the user's ticket | 244 | Specifies whether to automatically destroy the user's ticket |
212 | cache file on logout. Default is ``yes''. | 245 | cache file on logout. The default is ``yes''. |
213 | 246 | ||
214 | KeyRegenerationInterval | 247 | KeyRegenerationInterval |
215 | In protocol version 1, the ephemeral server key is automatically | 248 | In protocol version 1, the ephemeral server key is automatically |
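Review bot: the KerberosOrLocalPasswd rewrite drops the leading "If set then", so the new text ("If password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as /etc/passwd") reads as a description of unconditional behaviour rather than of what the keyword enables. Keep the condition, for example "If set, then if password authentication through Kerberos fails, the password will be validated via any additional local mechanism such as /etc/passwd", so it is clear that "no" disables the local fallback. Since that fallback widens the set of credentials accepted when the KDC rejects a password or is unreachable, the sentence should not be ambiguous about the option being optional.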
@@ -220,8 +253,8 @@ DESCRIPTION | |||
220 | never regenerated. The default is 3600 (seconds). | 253 | never regenerated. The default is 3600 (seconds). |
221 | 254 | ||
222 | ListenAddress | 255 | ListenAddress |
223 | Specifies the local addresses sshd should listen on. The follow- | 256 | Specifies the local addresses sshd(8) should listen on. The fol- |
224 | ing forms may be used: | 257 | lowing forms may be used: |
225 | 258 | ||
226 | ListenAddress host|IPv4_addr|IPv6_addr | 259 | ListenAddress host|IPv4_addr|IPv6_addr |
227 | ListenAddress host|IPv4_addr:port | 260 | ListenAddress host|IPv4_addr:port |
@@ -230,7 +263,7 @@ DESCRIPTION | |||
230 | If port is not specified, sshd will listen on the address and all | 263 | If port is not specified, sshd will listen on the address and all |
231 | prior Port options specified. The default is to listen on all | 264 | prior Port options specified. The default is to listen on all |
232 | local addresses. Multiple ListenAddress options are permitted. | 265 | local addresses. Multiple ListenAddress options are permitted. |
233 | Additionally, any Port options must precede this option for non | 266 | Additionally, any Port options must precede this option for non- |
234 | port qualified addresses. | 267 | port qualified addresses. |
235 | 268 | ||
236 | LoginGraceTime | 269 | LoginGraceTime |
@@ -240,8 +273,8 @@ DESCRIPTION | |||
240 | 273 | ||
241 | LogLevel | 274 | LogLevel |
242 | Gives the verbosity level that is used when logging messages from | 275 | Gives the verbosity level that is used when logging messages from |
243 | sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VER- | 276 | sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, |
244 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. | 277 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. |
245 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | 278 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
246 | higher levels of debugging output. Logging with a DEBUG level | 279 | higher levels of debugging output. Logging with a DEBUG level |
247 | violates the privacy of users and is not recommended. | 280 | violates the privacy of users and is not recommended. |
@@ -249,9 +282,23 @@ DESCRIPTION | |||
249 | MACs Specifies the available MAC (message authentication code) algo- | 282 | MACs Specifies the available MAC (message authentication code) algo- |
250 | rithms. The MAC algorithm is used in protocol version 2 for data | 283 | rithms. The MAC algorithm is used in protocol version 2 for data |
251 | integrity protection. Multiple algorithms must be comma-separat- | 284 | integrity protection. Multiple algorithms must be comma-separat- |
252 | ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac- | 285 | ed. The default is: ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac- |
253 | sha1-96,hmac-md5-96''. | 286 | sha1-96,hmac-md5-96''. |
254 | 287 | ||
288 | Match Introduces a conditional block. If all of the criteria on the | ||
289 | Match line are satisfied, the keywords on the following lines | ||
290 | override those set in the global section of the config file, un- | ||
291 | til either another Match line or the end of the file. The argu- | ||
292 | ments to Match are one or more criteria-pattern pairs. The | ||
293 | available criteria are User, Group, Host, and Address. Only a | ||
294 | subset of keywords may be used on the lines following a Match | ||
295 | keyword. Available keywords are AllowTcpForwarding, Banner, | ||
296 | ForceCommand, GatewayPorts, GSSApiAuthentication, | ||
297 | KbdInteractiveAuthentication, KerberosAuthentication, | ||
298 | PasswordAuthentication, PermitOpen, RhostsRSAAuthentication, | ||
299 | RSAAuthentication, X11DisplayOffset, X11Forwarding, and | ||
300 | X11UseLocalHost. | ||
301 | |||
255 | MaxAuthTries | 302 | MaxAuthTries |
256 | Specifies the maximum number of authentication attempts permitted | 303 | Specifies the maximum number of authentication attempts permitted |
257 | per connection. Once the number of failures reaches half this | 304 | per connection. Once the number of failures reaches half this |
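Review bot: the new Match entry names User, Group, Host and Address as criteria without saying what Host and Address are compared against or which pattern syntax each takes. For Address, state whether only the PATTERNS wildcards from ssh_config(5) apply or whether address/mask notation is accepted; for Host, state that it matches the client's resolved host name and therefore depends on UseDNS (documented below), because a Match Host block that relaxes PasswordAuthentication or PermitOpen is only as trustworthy as the reverse lookup behind it. The keyword list also writes "GSSApiAuthentication" and "X11UseLocalHost" with casing that differs from the GSSAPIAuthentication and X11UseLocalhost spelling used for those options; keywords are case-insensitive per the DESCRIPTION, so this is cosmetic, but the man page should use the canonical names. Finally, the MACs change in this hunk adds the colon to "The default is:" while keeping the quotes around the list, unlike the Ciphers default changed earlier; use one style.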
@@ -259,17 +306,17 @@ DESCRIPTION | |||
259 | 306 | ||
260 | MaxStartups | 307 | MaxStartups |
261 | Specifies the maximum number of concurrent unauthenticated con- | 308 | Specifies the maximum number of concurrent unauthenticated con- |
262 | nections to the sshd daemon. Additional connections will be | 309 | nections to the SSH daemon. Additional connections will be |
263 | dropped until authentication succeeds or the LoginGraceTime ex- | 310 | dropped until authentication succeeds or the LoginGraceTime ex- |
264 | pires for a connection. The default is 10. | 311 | pires for a connection. The default is 10. |
265 | 312 | ||
266 | Alternatively, random early drop can be enabled by specifying the | 313 | Alternatively, random early drop can be enabled by specifying the |
267 | three colon separated values ``start:rate:full'' (e.g., | 314 | three colon separated values ``start:rate:full'' (e.g. |
268 | "10:30:60"). sshd will refuse connection attempts with a proba- | 315 | "10:30:60"). sshd(8) will refuse connection attempts with a |
269 | bility of ``rate/100'' (30%) if there are currently ``start'' | 316 | probability of ``rate/100'' (30%) if there are currently |
270 | (10) unauthenticated connections. The probability increases lin- | 317 | ``start'' (10) unauthenticated connections. The probability in- |
271 | early and all connection attempts are refused if the number of | 318 | creases linearly and all connection attempts are refused if the |
272 | unauthenticated connections reaches ``full'' (60). | 319 | number of unauthenticated connections reaches ``full'' (60). |
273 | 320 | ||
274 | PasswordAuthentication | 321 | PasswordAuthentication |
275 | Specifies whether password authentication is allowed. The de- | 322 | Specifies whether password authentication is allowed. The de- |
@@ -280,59 +327,74 @@ DESCRIPTION | |||
280 | server allows login to accounts with empty password strings. The | 327 | server allows login to accounts with empty password strings. The |
281 | default is ``no''. | 328 | default is ``no''. |
282 | 329 | ||
330 | PermitOpen | ||
331 | Specifies the destinations to which TCP port forwarding is per- | ||
332 | mitted. The forwarding specification must be one of the follow- | ||
333 | ing forms: | ||
334 | |||
335 | PermitOpen host:port | ||
336 | PermitOpen IPv4_addr:port | ||
337 | PermitOpen [IPv6_addr]:port | ||
338 | |||
339 | Multiple forwards may be specified by separating them with | ||
340 | whitespace. An argument of ``any'' can be used to remove all re- | ||
341 | strictions and permit any forwarding requests. By default all | ||
342 | port forwarding requests are permitted. | ||
343 | |||
283 | PermitRootLogin | 344 | PermitRootLogin |
284 | Specifies whether root can log in using ssh(1). The argument | 345 | Specifies whether root can log in using ssh(1). The argument |
285 | must be ``yes'', ``without-password'', ``forced-commands-only'' | 346 | must be ``yes'', ``without-password'', ``forced-commands-only'', |
286 | or ``no''. The default is ``yes''. | 347 | or ``no''. The default is ``yes''. |
287 | 348 | ||
288 | If this option is set to ``without-password'' password authenti- | 349 | If this option is set to ``without-password'', password authenti- |
289 | cation is disabled for root. | 350 | cation is disabled for root. |
290 | 351 | ||
291 | If this option is set to ``forced-commands-only'' root login with | 352 | If this option is set to ``forced-commands-only'', root login |
292 | public key authentication will be allowed, but only if the | 353 | with public key authentication will be allowed, but only if the |
293 | command option has been specified (which may be useful for taking | 354 | command option has been specified (which may be useful for taking |
294 | remote backups even if root login is normally not allowed). All | 355 | remote backups even if root login is normally not allowed). All |
295 | other authentication methods are disabled for root. | 356 | other authentication methods are disabled for root. |
296 | 357 | ||
297 | If this option is set to ``no'' root is not allowed to log in. | 358 | If this option is set to ``no'', root is not allowed to log in. |
298 | 359 | ||
299 | PermitTunnel | 360 | PermitTunnel |
300 | Specifies whether tun(4) device forwarding is allowed. The argu- | 361 | Specifies whether tun(4) device forwarding is allowed. The argu- |
301 | ment must be ``yes'', ``point-to-point'', ``ethernet'' or ``no''. | 362 | ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet'' |
302 | The default is ``no''. | 363 | (layer 2), or ``no''. Specifying ``yes'' permits both ``point- |
364 | to-point'' and ``ethernet''. The default is ``no''. | ||
303 | 365 | ||
304 | PermitUserEnvironment | 366 | PermitUserEnvironment |
305 | Specifies whether ~/.ssh/environment and environment= options in | 367 | Specifies whether ~/.ssh/environment and environment= options in |
306 | ~/.ssh/authorized_keys are processed by sshd. The default is | 368 | ~/.ssh/authorized_keys are processed by sshd(8). The default is |
307 | ``no''. Enabling environment processing may enable users to by- | 369 | ``no''. Enabling environment processing may enable users to by- |
308 | pass access restrictions in some configurations using mechanisms | 370 | pass access restrictions in some configurations using mechanisms |
309 | such as LD_PRELOAD. | 371 | such as LD_PRELOAD. |
310 | 372 | ||
311 | PidFile | 373 | PidFile |
312 | Specifies the file that contains the process ID of the sshd dae- | 374 | Specifies the file that contains the process ID of the SSH dae- |
313 | mon. The default is /var/run/sshd.pid. | 375 | mon. The default is /var/run/sshd.pid. |
314 | 376 | ||
315 | Port Specifies the port number that sshd listens on. The default is | 377 | Port Specifies the port number that sshd(8) listens on. The default |
316 | 22. Multiple options of this type are permitted. See also | 378 | is 22. Multiple options of this type are permitted. See also |
317 | ListenAddress. | 379 | ListenAddress. |
318 | 380 | ||
319 | PrintLastLog | 381 | PrintLastLog |
320 | Specifies whether sshd should print the date and time of the last | 382 | Specifies whether sshd(8) should print the date and time of the |
321 | user login when a user logs in interactively. The default is | 383 | last user login when a user logs in interactively. The default |
322 | ``yes''. | 384 | is ``yes''. |
323 | 385 | ||
324 | PrintMotd | 386 | PrintMotd |
325 | Specifies whether sshd should print /etc/motd when a user logs in | 387 | Specifies whether sshd(8) should print /etc/motd when a user logs |
326 | interactively. (On some systems it is also printed by the shell, | 388 | in interactively. (On some systems it is also printed by the |
327 | /etc/profile, or equivalent.) The default is ``yes''. | 389 | shell, /etc/profile, or equivalent.) The default is ``yes''. |
328 | 390 | ||
329 | Protocol | 391 | Protocol |
330 | Specifies the protocol versions sshd supports. The possible val- | 392 | Specifies the protocol versions sshd(8) supports. The possible |
331 | ues are ``1'' and ``2''. Multiple versions must be comma-sepa- | 393 | values are `1' and `2'. Multiple versions must be comma-separat- |
332 | rated. The default is ``2,1''. Note that the order of the pro- | 394 | ed. The default is ``2,1''. Note that the order of the protocol |
333 | tocol list does not indicate preference, because the client se- | 395 | list does not indicate preference, because the client selects |
334 | lects among multiple protocol versions offered by the server. | 396 | among multiple protocol versions offered by the server. Specify- |
335 | Specifying ``2,1'' is identical to ``1,2''. | 397 | ing ``2,1'' is identical to ``1,2''. |
336 | 398 | ||
337 | PubkeyAuthentication | 399 | PubkeyAuthentication |
338 | Specifies whether public key authentication is allowed. The de- | 400 | Specifies whether public key authentication is allowed. The de- |
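Review bot: the new PermitOpen entry says it restricts "the destinations to which TCP port forwarding is permitted" but leaves open two things that decide whether it is an effective control. First, direction: say whether it applies only to forwards the client requests to a destination (the ssh -L case) or also to remote forwards the server binds on the client's behalf, which GatewayPorts governs; as written a reader may assume both. Second, matching: say whether "host" is compared against the destination string the client sends, so that permitting a name does not also permit the same machine reached by its IP address, and whether "host" may be a pattern. It should also state how it interacts with AllowTcpForwarding, so nobody reads "any" as overriding AllowTcpForwarding no. The PermitTunnel change adding "(layer 3)", "(layer 2)" and the explicit "yes permits both" is a clear improvement.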
@@ -355,24 +417,24 @@ DESCRIPTION | |||
355 | server key. The minimum value is 512, and the default is 768. | 417 | server key. The minimum value is 512, and the default is 768. |
356 | 418 | ||
357 | StrictModes | 419 | StrictModes |
358 | Specifies whether sshd should check file modes and ownership of | 420 | Specifies whether sshd(8) should check file modes and ownership |
359 | the user's files and home directory before accepting login. This | 421 | of the user's files and home directory before accepting login. |
360 | is normally desirable because novices sometimes accidentally | 422 | This is normally desirable because novices sometimes accidentally |
361 | leave their directory or files world-writable. The default is | 423 | leave their directory or files world-writable. The default is |
362 | ``yes''. | 424 | ``yes''. |
363 | 425 | ||
364 | Subsystem | 426 | Subsystem |
365 | Configures an external subsystem (e.g., file transfer daemon). | 427 | Configures an external subsystem (e.g. file transfer daemon). |
366 | Arguments should be a subsystem name and a command to execute up- | 428 | Arguments should be a subsystem name and a command (with optional |
367 | on subsystem request. The command sftp-server(8) implements the | 429 | arguments) to execute upon subsystem request. The command |
368 | ``sftp'' file transfer subsystem. By default no subsystems are | 430 | sftp-server(8) implements the ``sftp'' file transfer subsystem. |
369 | defined. Note that this option applies to protocol version 2 on- | 431 | By default no subsystems are defined. Note that this option ap- |
370 | ly. | 432 | plies to protocol version 2 only. |
371 | 433 | ||
372 | SyslogFacility | 434 | SyslogFacility |
373 | Gives the facility code that is used when logging messages from | 435 | Gives the facility code that is used when logging messages from |
374 | sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO- | 436 | sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, |
375 | CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- | 437 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- |
376 | fault is AUTH. | 438 | fault is AUTH. |
377 | 439 | ||
378 | TCPKeepAlive | 440 | TCPKeepAlive |
@@ -392,7 +454,7 @@ DESCRIPTION | |||
392 | To disable TCP keepalive messages, the value should be set to | 454 | To disable TCP keepalive messages, the value should be set to |
393 | ``no''. | 455 | ``no''. |
394 | 456 | ||
395 | UseDNS Specifies whether sshd should look up the remote host name and | 457 | UseDNS Specifies whether sshd(8) should look up the remote host name and |
396 | check that the resolved host name for the remote IP address maps | 458 | check that the resolved host name for the remote IP address maps |
397 | back to the very same IP address. The default is ``yes''. | 459 | back to the very same IP address. The default is ``yes''. |
398 | 460 | ||
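Review bot: the UseDNS text (both old and new lines) says sshd(8) will "check that the resolved host name ... maps back to the very same IP address" but never states what happens when that check fails, so the operational effect of the default ``yes'' is undocumented; a sentence describing the behaviour on a forward/reverse mismatch would make the option's purpose clear.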
@@ -406,8 +468,9 @@ DESCRIPTION | |||
406 | 468 | ||
407 | UsePAM Enables the Pluggable Authentication Module interface. If set to | 469 | UsePAM Enables the Pluggable Authentication Module interface. If set to |
408 | ``yes'' this will enable PAM authentication using | 470 | ``yes'' this will enable PAM authentication using |
409 | ChallengeResponseAuthentication and PAM account and session mod- | 471 | ChallengeResponseAuthentication and PasswordAuthentication in ad- |
410 | ule processing for all authentication types. | 472 | dition to PAM account and session module processing for all au- |
473 | thentication types. | ||
411 | 474 | ||
412 | Because PAM challenge-response authentication usually serves an | 475 | Because PAM challenge-response authentication usually serves an |
413 | equivalent role to password authentication, you should disable | 476 | equivalent role to password authentication, you should disable |
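Review bot: the added wording in the UsePAM paragraph now lists PasswordAuthentication alongside ChallengeResponseAuthentication as PAM-mediated, so the rationale paragraph immediately below ("Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable ...") should be re-read against the new sentence to make sure its recommendation is still consistent with password authentication also going through PAM; if it is, consider saying so there explicitly.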
@@ -417,7 +480,7 @@ DESCRIPTION | |||
417 | non-root user. The default is ``no''. | 480 | non-root user. The default is ``no''. |
418 | 481 | ||
419 | UsePrivilegeSeparation | 482 | UsePrivilegeSeparation |
420 | Specifies whether sshd separates privileges by creating an un- | 483 | Specifies whether sshd(8) separates privileges by creating an un- |
421 | privileged child process to deal with incoming network traffic. | 484 | privileged child process to deal with incoming network traffic. |
422 | After successful authentication, another process will be created | 485 | After successful authentication, another process will be created |
423 | that has the privilege of the authenticated user. The goal of | 486 | that has the privilege of the authenticated user. The goal of |
@@ -426,8 +489,8 @@ DESCRIPTION | |||
426 | default is ``yes''. | 489 | default is ``yes''. |
427 | 490 | ||
428 | X11DisplayOffset | 491 | X11DisplayOffset |
429 | Specifies the first display number available for sshd's X11 for- | 492 | Specifies the first display number available for sshd(8)'s X11 |
430 | warding. This prevents sshd from interfering with real X11 | 493 | forwarding. This prevents sshd from interfering with real X11 |
431 | servers. The default is 10. | 494 | servers. The default is 10. |
432 | 495 | ||
433 | X11Forwarding | 496 | X11Forwarding |
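Review bot: inconsistent cross-reference style within the X11DisplayOffset hunk: the first sentence is changed to "sshd(8)'s X11 forwarding" while the next line still reads "This prevents sshd from interfering"; either both mentions should use the sshd(8) form or, following the usual convention of marking only the first reference in a paragraph, the change is fine but should be applied the same way in the other hunks.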
@@ -435,17 +498,17 @@ DESCRIPTION | |||
435 | be ``yes'' or ``no''. The default is ``no''. | 498 | be ``yes'' or ``no''. The default is ``no''. |
436 | 499 | ||
437 | When X11 forwarding is enabled, there may be additional exposure | 500 | When X11 forwarding is enabled, there may be additional exposure |
438 | to the server and to client displays if the sshd proxy display is | 501 | to the server and to client displays if the sshd(8) proxy display |
439 | configured to listen on the wildcard address (see X11UseLocalhost | 502 | is configured to listen on the wildcard address (see |
440 | below), however this is not the default. Additionally, the au- | 503 | X11UseLocalhost below), though this is not the default. Addi- |
441 | thentication spoofing and authentication data verification and | 504 | tionally, the authentication spoofing and authentication data |
442 | substitution occur on the client side. The security risk of us- | 505 | verification and substitution occur on the client side. The se- |
443 | ing X11 forwarding is that the client's X11 display server may be | 506 | curity risk of using X11 forwarding is that the client's X11 dis- |
444 | exposed to attack when the ssh client requests forwarding (see | 507 | play server may be exposed to attack when the SSH client requests |
445 | the warnings for ForwardX11 in ssh_config(5)). A system adminis- | 508 | forwarding (see the warnings for ForwardX11 in ssh_config(5)). A |
446 | trator may have a stance in which they want to protect clients | 509 | system administrator may have a stance in which they want to pro- |
447 | that may expose themselves to attack by unwittingly requesting | 510 | tect clients that may expose themselves to attack by unwittingly |
448 | X11 forwarding, which can warrant a ``no'' setting. | 511 | requesting X11 forwarding, which can warrant a ``no'' setting. |
449 | 512 | ||
450 | Note that disabling X11 forwarding does not prevent users from | 513 | Note that disabling X11 forwarding does not prevent users from |
451 | forwarding X11 traffic, as users can always install their own | 514 | forwarding X11 traffic, as users can always install their own |
@@ -453,8 +516,8 @@ DESCRIPTION | |||
453 | is enabled. | 516 | is enabled. |
454 | 517 | ||
455 | X11UseLocalhost | 518 | X11UseLocalhost |
456 | Specifies whether sshd should bind the X11 forwarding server to | 519 | Specifies whether sshd(8) should bind the X11 forwarding server |
457 | the loopback address or to the wildcard address. By default, | 520 | to the loopback address or to the wildcard address. By default, |
458 | sshd binds the forwarding server to the loopback address and sets | 521 | sshd binds the forwarding server to the loopback address and sets |
459 | the hostname part of the DISPLAY environment variable to | 522 | the hostname part of the DISPLAY environment variable to |
460 | ``localhost''. This prevents remote hosts from connecting to the | 523 | ``localhost''. This prevents remote hosts from connecting to the |
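Review bot: same inconsistency as in the X11DisplayOffset hunk: "sshd(8) should bind" is updated on the first line of the X11UseLocalhost entry, but "sshd binds the forwarding server to the loopback address" two lines later is left as plain "sshd". Pick one convention for repeated mentions within a paragraph and apply it across the file.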
@@ -468,9 +531,9 @@ DESCRIPTION | |||
468 | Specifies the full pathname of the xauth(1) program. The default | 531 | Specifies the full pathname of the xauth(1) program. The default |
469 | is /usr/X11R6/bin/xauth. | 532 | is /usr/X11R6/bin/xauth. |
470 | 533 | ||
471 | Time Formats | 534 | TIME FORMATS |
472 | sshd command-line arguments and configuration file options that specify | 535 | sshd(8) command-line arguments and configuration file options that speci- |
473 | time may be expressed using a sequence of the form: time[qualifier], | 536 | fy time may be expressed using a sequence of the form: time[qualifier], |
474 | where time is a positive integer value and qualifier is one of the fol- | 537 | where time is a positive integer value and qualifier is one of the fol- |
475 | lowing: | 538 | lowing: |
476 | 539 | ||
@@ -492,7 +555,7 @@ DESCRIPTION | |||
492 | 555 | ||
493 | FILES | 556 | FILES |
494 | /etc/ssh/sshd_config | 557 | /etc/ssh/sshd_config |
495 | Contains configuration data for sshd. This file should be | 558 | Contains configuration data for sshd(8). This file should be |
496 | writable by root only, but it is recommended (though not neces- | 559 | writable by root only, but it is recommended (though not neces- |
497 | sary) that it be world-readable. | 560 | sary) that it be world-readable. |
498 | 561 | ||
@@ -507,4 +570,4 @@ AUTHORS | |||
507 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 570 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
508 | for privilege separation. | 571 | for privilege separation. |
509 | 572 | ||
510 | OpenBSD 3.9 September 25, 1999 8 | 573 | OpenBSD 4.1 September 25, 1999 9 |
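Review bot: the footer line bumps the OS version from OpenBSD 3.9 to 4.1 and the page count from 8 to 9, but the manual date stays "September 25, 1999" even though this change adds and rewords content; the document date should be updated so the rendered page reflects when the text last changed.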