Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 49 |
1 files changed, 37 insertions, 12 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 720cc3f80..a4e31be0f 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -219,7 +219,7 @@ DESCRIPTION | |||
219 | LoginGraceTime | 219 | LoginGraceTime |
220 | The server disconnects after this time if the user has not sucM-- | 220 | The server disconnects after this time if the user has not sucM-- |
221 | cessfully logged in. If the value is 0, there is no time limit. | 221 | cessfully logged in. If the value is 0, there is no time limit. |
222 | The default is 600 (seconds). | 222 | The default is 120 seconds. |
223 | 223 | ||
224 | LogLevel | 224 | LogLevel |
225 | Gives the verbosity level that is used when logging messages from | 225 | Gives the verbosity level that is used when logging messages from |
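Review bot: the LoginGraceTime text at new line 222 still does not say how a bare number is interpreted or point to the Time Formats section, and it keeps "If the value is 0, there is no time limit" without any caveat. Suggest adding a pointer to Time Formats and a sentence noting that a value of 0 lets connections that never log in stay open indefinitely. Since the default drops from 600 to 120 seconds, the change also deserves a line in the release notes for installations that rely on the old default.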
@@ -280,6 +280,13 @@ DESCRIPTION | |||
280 | 280 | ||
281 | If this option is set to ``no'' root is not allowed to login. | 281 | If this option is set to ``no'' root is not allowed to login. |
282 | 282 | ||
283 | PermitUserEnvironment | ||
284 | Specifies whether ~/.ssh/environment and environment= options in | ||
285 | ~/.ssh/authorized_keys are processed by sshd. The default is | ||
286 | ``no''. Enabling environment processing may enable users to | ||
287 | bypass access restrictions in some configurations using mechaM-- | ||
288 | nisms such as LD_PRELOAD. | ||
289 | |||
283 | PidFile | 290 | PidFile |
284 | Specifies the file that contains the process ID of the sshd daeM-- | 291 | Specifies the file that contains the process ID of the sshd daeM-- |
285 | mon. The default is /var/run/sshd.pid. | 292 | mon. The default is /var/run/sshd.pid. |
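Review bot: the new PermitUserEnvironment entry (new lines 283-288) never states the accepted arguments, unlike X11Forwarding in this same patch, which says "The argument must be ``yes'' or ``no''". The warning "bypass access restrictions in some configurations" also does not tell an administrator which configurations are at risk. Suggest adding the argument sentence and naming at least one affected kind of restriction next to the LD_PRELOAD mention, so the risk can be assessed before the option is enabled.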
@@ -298,9 +305,12 @@ DESCRIPTION | |||
298 | /etc/profile, or equivalent.) The default is ``yes''. | 305 | /etc/profile, or equivalent.) The default is ``yes''. |
299 | 306 | ||
300 | Protocol | 307 | Protocol |
301 | Specifies the protocol versions sshd should support. The possiM-- | 308 | Specifies the protocol versions sshd supports. The possible valM-- |
302 | ble values are ``1'' and ``2''. Multiple versions must be comma- | 309 | ues are ``1'' and ``2''. Multiple versions must be comma-sepaM-- |
303 | separated. The default is ``2,1''. | 310 | rated. The default is ``2,1''. Note that the order of the proM-- |
311 | tocol list does not indicate preference, because the client | ||
312 | selects among multiple protocol versions offered by the server. | ||
313 | Specifying ``2,1'' is identical to ``1,2''. | ||
304 | 314 | ||
305 | PubkeyAuthentication | 315 | PubkeyAuthentication |
306 | Specifies whether public key authentication is allowed. The | 316 | Specifies whether public key authentication is allowed. The |
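Review bot: the sentences added at new lines 310-313 explain that list order carries no preference, but stop short of the practical consequence: with the default still ``2,1'', the client may select protocol 1, and reordering the list cannot prevent that. Suggest one more sentence saying that a version is excluded only by leaving it out of the list, for example by specifying ``2'' alone.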
@@ -380,11 +390,26 @@ DESCRIPTION | |||
380 | servers. The default is 10. | 390 | servers. The default is 10. |
381 | 391 | ||
382 | X11Forwarding | 392 | X11Forwarding |
383 | Specifies whether X11 forwarding is permitted. The default is | 393 | Specifies whether X11 forwarding is permitted. The argument must |
384 | ``no''. Note that disabling X11 forwarding does not improve | 394 | be ``yes'' or ``no''. The default is ``no''. |
385 | security in any way, as users can always install their own forM-- | 395 | |
386 | warders. X11 forwarding is automatically disabled if UseLogin is | 396 | When X11 forwarding is enabled, there may be additional exposure |
387 | enabled. | 397 | to the server and to client displays if the sshd proxy display is |
398 | configured to listen on the wildcard address (see X11UseLocalhost | ||
399 | below), however this is not the default. Additionally, the | ||
400 | authentication spoofing and authentication data verification and | ||
401 | substitution occur on the client side. The security risk of | ||
402 | using X11 forwarding is that the client's X11 display server may | ||
403 | be exposed to attack when the ssh client requests forwarding (see | ||
404 | the warnings for ForwardX11 in ssh_config(5) ). A system adminisM-- | ||
405 | trator may have a stance in which they want to protect clients | ||
406 | that may expose themselves to attack by unwittingly requesting | ||
407 | X11 forwarding, which can warrant a ``no'' setting. | ||
408 | |||
409 | Note that disabling X11 forwarding does not prevent users from | ||
410 | forwarding X11 traffic, as users can always install their own | ||
411 | forwarders. X11 forwarding is automatically disabled if UseLogin | ||
412 | is enabled. | ||
388 | 413 | ||
389 | X11UseLocalhost | 414 | X11UseLocalhost |
390 | Specifies whether sshd should bind the X11 forwarding server to | 415 | Specifies whether sshd should bind the X11 forwarding server to |
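Review bot: the sentence at new lines 399-401, "the authentication spoofing and authentication data verification and substitution occur on the client side", is hard to parse and does not say why it matters to someone configuring the server. The same paragraph joins two clauses with "however this is not the default" and has a stray space in "ssh_config(5) )". Suggest short separate sentences: server-side exposure depends on X11UseLocalhost, client-side exposure arises when the client requests forwarding (ForwardX11), and ``no'' is appropriate when the administrator wants to protect clients that request forwarding unwittingly.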
@@ -392,15 +417,15 @@ DESCRIPTION | |||
392 | sshd binds the forwarding server to the loopback address and sets | 417 | sshd binds the forwarding server to the loopback address and sets |
393 | the hostname part of the DISPLAY environment variable to | 418 | the hostname part of the DISPLAY environment variable to |
394 | ``localhost''. This prevents remote hosts from connecting to the | 419 | ``localhost''. This prevents remote hosts from connecting to the |
395 | fake display. However, some older X11 clients may not function | 420 | proxy display. However, some older X11 clients may not function |
396 | with this configuration. X11UseLocalhost may be set to ``no'' to | 421 | with this configuration. X11UseLocalhost may be set to ``no'' to |
397 | specify that the forwarding server should be bound to the wildM-- | 422 | specify that the forwarding server should be bound to the wildM-- |
398 | card address. The argument must be ``yes'' or ``no''. The | 423 | card address. The argument must be ``yes'' or ``no''. The |
399 | default is ``yes''. | 424 | default is ``yes''. |
400 | 425 | ||
401 | XAuthLocation | 426 | XAuthLocation |
402 | Specifies the location of the xauth(1) program. The default is | 427 | Specifies the full pathname of the xauth(1) program. The default |
403 | /usr/X11R6/bin/xauth. | 428 | is /usr/X11R6/bin/xauth. |
404 | 429 | ||
405 | Time Formats | 430 | Time Formats |
406 | 431 | ||
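Review bot: the ``no'' case of X11UseLocalhost at new lines 421-423 only says the forwarding server is "bound to the wildcard address" and leaves the consequence unstated, although the X11Forwarding entry now sends readers here for the "additional exposure". Suggest adding that remote hosts can then connect to the proxy display. The change from "fake display" to "proxy display" at new line 420 is consistent with the X11Forwarding wording, and "full pathname" in XAuthLocation is clearer than "location".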