Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 241 |
1 files changed, 121 insertions, 120 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index bc266317f..643db2640 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -1,4 +1,4 @@ | |||
1 | SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) | 1 | SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | sshd_config - OpenSSH SSH daemon configuration file | 4 | sshd_config - OpenSSH SSH daemon configuration file |
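Review bot: the volume title in the header line changes from "BSD File Formats Manual" to "OpenBSD Programmer's Manual" while the page stays in section 5; section 5 is the file-formats section, so this looks like a side effect of regenerating the .0 file with a different formatter or macro set rather than an intended change. Confirm which mdoc toolchain produced the new output and that the title matches the other section 5 pages in the tree before committing.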
@@ -9,7 +9,7 @@ SYNOPSIS | |||
9 | DESCRIPTION | 9 | DESCRIPTION |
10 | sshd reads configuration data from /etc/ssh/sshd_config (or the file | 10 | sshd reads configuration data from /etc/ssh/sshd_config (or the file |
11 | specified with -f on the command line). The file contains keyword-argu- | 11 | specified with -f on the command line). The file contains keyword-argu- |
12 | ment pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are | 12 | ment pairs, one per line. Lines starting with `#' and empty lines are |
13 | interpreted as comments. | 13 | interpreted as comments. |
14 | 14 | ||
15 | The possible keywords and their meanings are as follows (note that key- | 15 | The possible keywords and their meanings are as follows (note that key- |
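Review bot: the M-bM-^@M-^X and M-bM-^@M-^Y sequences on the old side of line 12 are the cat -v rendering of the UTF-8 bytes for U+2018 and U+2019 quotation marks, which means the previously committed preformatted page was generated in a UTF-8 locale and contained multibyte characters; the new side correctly falls back to ASCII `#'. Since the same pattern recurs throughout the file (``yes'', `*', user's), regenerate all .0 files in the C/POSIX locale so the distributed preformatted pages stay pure ASCII.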
@@ -19,36 +19,36 @@ DESCRIPTION | |||
19 | This keyword can be followed by a list of group name patterns, | 19 | This keyword can be followed by a list of group name patterns, |
20 | separated by spaces. If specified, login is allowed only for | 20 | separated by spaces. If specified, login is allowed only for |
21 | users whose primary group or supplementary group list matches one | 21 | users whose primary group or supplementary group list matches one |
22 | of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the | 22 | of the patterns. `*' and `?' can be used as wildcards in the |
23 | patterns. Only group names are valid; a numerical group ID is | 23 | patterns. Only group names are valid; a numerical group ID is |
24 | not recognized. By default, login is allowed for all groups. | 24 | not recognized. By default, login is allowed for all groups. |
25 | 25 | ||
26 | AllowTcpForwarding | 26 | AllowTcpForwarding |
27 | Specifies whether TCP forwarding is permitted. The default is | 27 | Specifies whether TCP forwarding is permitted. The default is |
28 | M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling TCP forwarding does not improve secu- | 28 | ``yes''. Note that disabling TCP forwarding does not improve se- |
29 | rity unless users are also denied shell access, as they can | 29 | curity unless users are also denied shell access, as they can al- |
30 | always install their own forwarders. | 30 | ways install their own forwarders. |
31 | 31 | ||
32 | AllowUsers | 32 | AllowUsers |
33 | This keyword can be followed by a list of user name patterns, | 33 | This keyword can be followed by a list of user name patterns, |
34 | separated by spaces. If specified, login is allowed only for | 34 | separated by spaces. If specified, login is allowed only for us- |
35 | user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be | 35 | er names that match one of the patterns. `*' and `?' can be used |
36 | used as wildcards in the patterns. Only user names are valid; a | 36 | as wildcards in the patterns. Only user names are valid; a nu- |
37 | numerical user ID is not recognized. By default, login is | 37 | merical user ID is not recognized. By default, login is allowed |
38 | allowed for all users. If the pattern takes the form USER@HOST | 38 | for all users. If the pattern takes the form USER@HOST then USER |
39 | then USER and HOST are separately checked, restricting logins to | 39 | and HOST are separately checked, restricting logins to particular |
40 | particular users from particular hosts. | 40 | users from particular hosts. |
41 | 41 | ||
42 | AuthorizedKeysFile | 42 | AuthorizedKeysFile |
43 | Specifies the file that contains the public keys that can be used | 43 | Specifies the file that contains the public keys that can be used |
44 | for user authentication. AuthorizedKeysFile may contain tokens | 44 | for user authentication. AuthorizedKeysFile may contain tokens |
45 | of the form %T which are substituted during connection set-up. | 45 | of the form %T which are substituted during connection set-up. |
46 | The following tokens are defined: %% is replaced by a literal | 46 | The following tokens are defined: %% is replaced by a literal |
47 | M-bM-^@M-^Y%M-bM-^@M-^Y, %h is replaced by the home directory of the user being | 47 | '%', %h is replaced by the home directory of the user being au- |
48 | authenticated and %u is replaced by the username of that user. | 48 | thenticated and %u is replaced by the username of that user. Af- |
49 | After expansion, AuthorizedKeysFile is taken to be an absolute | 49 | ter expansion, AuthorizedKeysFile is taken to be an absolute path |
50 | path or one relative to the userM-bM-^@M-^Ys home directory. The default | 50 | or one relative to the user's home directory. The default is |
51 | is M-bM-^@M-^\.ssh/authorized_keysM-bM-^@M-^]. | 51 | ``.ssh/authorized_keys''. |
52 | 52 | ||
53 | Banner In some jurisdictions, sending a warning message before authenti- | 53 | Banner In some jurisdictions, sending a warning message before authenti- |
54 | cation may be relevant for getting legal protection. The con- | 54 | cation may be relevant for getting legal protection. The con- |
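Review bot: the re-wrapped text hyphenates at poor break points, "al-ways" (lines 29-30) and "us-er" (lines 34-35), and line 47 renders the literal percent sign as '%' with straight single quotes while `*' and `?' on line 22 use the `...' style. The break points are a formatter artifact and worth checking the hyphenation settings for; the quoting inconsistency is pre-existing and comes from the source .5 page marking this one literal differently from the others.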
@@ -59,14 +59,14 @@ DESCRIPTION | |||
59 | ChallengeResponseAuthentication | 59 | ChallengeResponseAuthentication |
60 | Specifies whether challenge response authentication is allowed. | 60 | Specifies whether challenge response authentication is allowed. |
61 | All authentication styles from login.conf(5) are supported. The | 61 | All authentication styles from login.conf(5) are supported. The |
62 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 62 | default is ``yes''. |
63 | 63 | ||
64 | Ciphers | 64 | Ciphers |
65 | Specifies the ciphers allowed for protocol version 2. Multiple | 65 | Specifies the ciphers allowed for protocol version 2. Multiple |
66 | ciphers must be comma-separated. The default is | 66 | ciphers must be comma-separated. The default is |
67 | 67 | ||
68 | M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 68 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
69 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctrM-bM-^@M-^YM-bM-^@M-^Y | 69 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' |
70 | 70 | ||
71 | ClientAliveInterval | 71 | ClientAliveInterval |
72 | Sets a timeout interval in seconds after which if no data has | 72 | Sets a timeout interval in seconds after which if no data has |
@@ -78,8 +78,8 @@ DESCRIPTION | |||
78 | ClientAliveCountMax | 78 | ClientAliveCountMax |
79 | Sets the number of client alive messages (see above) which may be | 79 | Sets the number of client alive messages (see above) which may be |
80 | sent without sshd receiving any messages back from the client. | 80 | sent without sshd receiving any messages back from the client. |
81 | If this threshold is reached while client alive messages are | 81 | If this threshold is reached while client alive messages are be- |
82 | being sent, sshd will disconnect the client, terminating the ses- | 82 | ing sent, sshd will disconnect the client, terminating the ses- |
83 | sion. It is important to note that the use of client alive mes- | 83 | sion. It is important to note that the use of client alive mes- |
84 | sages is very different from KeepAlive (below). The client alive | 84 | sages is very different from KeepAlive (below). The client alive |
85 | messages are sent through the encrypted channel and therefore | 85 | messages are sent through the encrypted channel and therefore |
@@ -94,20 +94,20 @@ DESCRIPTION | |||
94 | 94 | ||
95 | Compression | 95 | Compression |
96 | Specifies whether compression is allowed. The argument must be | 96 | Specifies whether compression is allowed. The argument must be |
97 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 97 | ``yes'' or ``no''. The default is ``yes''. |
98 | 98 | ||
99 | DenyGroups | 99 | DenyGroups |
100 | This keyword can be followed by a list of group name patterns, | 100 | This keyword can be followed by a list of group name patterns, |
101 | separated by spaces. Login is disallowed for users whose primary | 101 | separated by spaces. Login is disallowed for users whose primary |
102 | group or supplementary group list matches one of the patterns. | 102 | group or supplementary group list matches one of the patterns. |
103 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the patterns. Only group | 103 | `*' and `?' can be used as wildcards in the patterns. Only group |
104 | names are valid; a numerical group ID is not recognized. By | 104 | names are valid; a numerical group ID is not recognized. By de- |
105 | default, login is allowed for all groups. | 105 | fault, login is allowed for all groups. |
106 | 106 | ||
107 | DenyUsers | 107 | DenyUsers |
108 | This keyword can be followed by a list of user name patterns, | 108 | This keyword can be followed by a list of user name patterns, |
109 | separated by spaces. Login is disallowed for user names that | 109 | separated by spaces. Login is disallowed for user names that |
110 | match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards | 110 | match one of the patterns. `*' and `?' can be used as wildcards |
111 | in the patterns. Only user names are valid; a numerical user ID | 111 | in the patterns. Only user names are valid; a numerical user ID |
112 | is not recognized. By default, login is allowed for all users. | 112 | is not recognized. By default, login is allowed for all users. |
113 | If the pattern takes the form USER@HOST then USER and HOST are | 113 | If the pattern takes the form USER@HOST then USER and HOST are |
@@ -121,25 +121,25 @@ DESCRIPTION | |||
121 | hosts from connecting to forwarded ports. GatewayPorts can be | 121 | hosts from connecting to forwarded ports. GatewayPorts can be |
122 | used to specify that sshd should bind remote port forwardings to | 122 | used to specify that sshd should bind remote port forwardings to |
123 | the wildcard address, thus allowing remote hosts to connect to | 123 | the wildcard address, thus allowing remote hosts to connect to |
124 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The | 124 | forwarded ports. The argument must be ``yes'' or ``no''. The |
125 | default is M-bM-^@M-^\noM-bM-^@M-^]. | 125 | default is ``no''. |
126 | 126 | ||
127 | GSSAPIAuthentication | 127 | GSSAPIAuthentication |
128 | Specifies whether user authentication based on GSSAPI is allowed. | 128 | Specifies whether user authentication based on GSSAPI is allowed. |
129 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol | 129 | The default is ``no''. Note that this option applies to protocol |
130 | version 2 only. | 130 | version 2 only. |
131 | 131 | ||
132 | GSSAPICleanupCredentials | 132 | GSSAPICleanupCredentials |
133 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys credentials | 133 | Specifies whether to automatically destroy the user's credentials |
134 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option | 134 | cache on logout. The default is ``yes''. Note that this option |
135 | applies to protocol version 2 only. | 135 | applies to protocol version 2 only. |
136 | 136 | ||
137 | HostbasedAuthentication | 137 | HostbasedAuthentication |
138 | Specifies whether rhosts or /etc/hosts.equiv authentication | 138 | Specifies whether rhosts or /etc/hosts.equiv authentication to- |
139 | together with successful public key client host authentication is | 139 | gether with successful public key client host authentication is |
140 | allowed (hostbased authentication). This option is similar to | 140 | allowed (hostbased authentication). This option is similar to |
141 | RhostsRSAAuthentication and applies to protocol version 2 only. | 141 | RhostsRSAAuthentication and applies to protocol version 2 only. |
142 | The default is M-bM-^@M-^\noM-bM-^@M-^]. | 142 | The default is ``no''. |
143 | 143 | ||
144 | HostKey | 144 | HostKey |
145 | Specifies a file containing a private host key used by SSH. The | 145 | Specifies a file containing a private host key used by SSH. The |
@@ -147,20 +147,20 @@ DESCRIPTION | |||
147 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | 147 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- |
148 | tocol version 2. Note that sshd will refuse to use a file if it | 148 | tocol version 2. Note that sshd will refuse to use a file if it |
149 | is group/world-accessible. It is possible to have multiple host | 149 | is group/world-accessible. It is possible to have multiple host |
150 | key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] | 150 | key files. ``rsa1'' keys are used for version 1 and ``dsa'' or |
151 | are used for version 2 of the SSH protocol. | 151 | ``rsa'' are used for version 2 of the SSH protocol. |
152 | 152 | ||
153 | IgnoreRhosts | 153 | IgnoreRhosts |
154 | Specifies that .rhosts and .shosts files will not be used in | 154 | Specifies that .rhosts and .shosts files will not be used in |
155 | RhostsRSAAuthentication or HostbasedAuthentication. | 155 | RhostsRSAAuthentication or HostbasedAuthentication. |
156 | 156 | ||
157 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The | 157 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The de- |
158 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 158 | fault is ``yes''. |
159 | 159 | ||
160 | IgnoreUserKnownHosts | 160 | IgnoreUserKnownHosts |
161 | Specifies whether sshd should ignore the userM-bM-^@M-^Ys | 161 | Specifies whether sshd should ignore the user's |
162 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or | 162 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or |
163 | HostbasedAuthentication. The default is M-bM-^@M-^\noM-bM-^@M-^]. | 163 | HostbasedAuthentication. The default is ``no''. |
164 | 164 | ||
165 | KeepAlive | 165 | KeepAlive |
166 | Specifies whether the system should send TCP keepalive messages | 166 | Specifies whether the system should send TCP keepalive messages |
@@ -169,29 +169,29 @@ DESCRIPTION | |||
169 | this means that connections will die if the route is down tem- | 169 | this means that connections will die if the route is down tem- |
170 | porarily, and some people find it annoying. On the other hand, | 170 | porarily, and some people find it annoying. On the other hand, |
171 | if keepalives are not sent, sessions may hang indefinitely on the | 171 | if keepalives are not sent, sessions may hang indefinitely on the |
172 | server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming server resources. | 172 | server, leaving ``ghost'' users and consuming server resources. |
173 | 173 | ||
174 | The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the server will | 174 | The default is ``yes'' (to send keepalives), and the server will |
175 | notice if the network goes down or the client host crashes. This | 175 | notice if the network goes down or the client host crashes. This |
176 | avoids infinitely hanging sessions. | 176 | avoids infinitely hanging sessions. |
177 | 177 | ||
178 | To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. | 178 | To disable keepalives, the value should be set to ``no''. |
179 | 179 | ||
180 | KerberosAuthentication | 180 | KerberosAuthentication |
181 | Specifies whether the password provided by the user for | 181 | Specifies whether the password provided by the user for |
182 | PasswordAuthentication will be validated through the Kerberos | 182 | PasswordAuthentication will be validated through the Kerberos |
183 | KDC. To use this option, the server needs a Kerberos servtab | 183 | KDC. To use this option, the server needs a Kerberos servtab |
184 | which allows the verification of the KDCM-bM-^@M-^Ys identity. Default is | 184 | which allows the verification of the KDC's identity. Default is |
185 | M-bM-^@M-^\noM-bM-^@M-^]. | 185 | ``no''. |
186 | 186 | ||
187 | KerberosOrLocalPasswd | 187 | KerberosOrLocalPasswd |
188 | If set then if password authentication through Kerberos fails | 188 | If set then if password authentication through Kerberos fails |
189 | then the password will be validated via any additional local | 189 | then the password will be validated via any additional local |
190 | mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^]. | 190 | mechanism such as /etc/passwd. Default is ``yes''. |
191 | 191 | ||
192 | KerberosTicketCleanup | 192 | KerberosTicketCleanup |
193 | Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket | 193 | Specifies whether to automatically destroy the user's ticket |
194 | cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. | 194 | cache file on logout. Default is ``yes''. |
195 | 195 | ||
196 | KeyRegenerationInterval | 196 | KeyRegenerationInterval |
197 | In protocol version 1, the ephemeral server key is automatically | 197 | In protocol version 1, the ephemeral server key is automatically |
@@ -230,55 +230,55 @@ DESCRIPTION | |||
230 | 230 | ||
231 | MACs Specifies the available MAC (message authentication code) algo- | 231 | MACs Specifies the available MAC (message authentication code) algo- |
232 | rithms. The MAC algorithm is used in protocol version 2 for data | 232 | rithms. The MAC algorithm is used in protocol version 2 for data |
233 | integrity protection. Multiple algorithms must be comma-sepa- | 233 | integrity protection. Multiple algorithms must be comma-separat- |
234 | rated. The default is | 234 | ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac- |
235 | M-bM-^@M-^\hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96M-bM-^@M-^]. | 235 | sha1-96,hmac-md5-96''. |
236 | 236 | ||
237 | MaxStartups | 237 | MaxStartups |
238 | Specifies the maximum number of concurrent unauthenticated con- | 238 | Specifies the maximum number of concurrent unauthenticated con- |
239 | nections to the sshd daemon. Additional connections will be | 239 | nections to the sshd daemon. Additional connections will be |
240 | dropped until authentication succeeds or the LoginGraceTime | 240 | dropped until authentication succeeds or the LoginGraceTime ex- |
241 | expires for a connection. The default is 10. | 241 | pires for a connection. The default is 10. |
242 | 242 | ||
243 | Alternatively, random early drop can be enabled by specifying the | 243 | Alternatively, random early drop can be enabled by specifying the |
244 | three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g., | 244 | three colon separated values ``start:rate:full'' (e.g., |
245 | "10:30:60"). sshd will refuse connection attempts with a proba- | 245 | "10:30:60"). sshd will refuse connection attempts with a proba- |
246 | bility of M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10) | 246 | bility of ``rate/100'' (30%) if there are currently ``start'' |
247 | unauthenticated connections. The probability increases linearly | 247 | (10) unauthenticated connections. The probability increases lin- |
248 | and all connection attempts are refused if the number of unau- | 248 | early and all connection attempts are refused if the number of |
249 | thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). | 249 | unauthenticated connections reaches ``full'' (60). |
250 | 250 | ||
251 | PasswordAuthentication | 251 | PasswordAuthentication |
252 | Specifies whether password authentication is allowed. The | 252 | Specifies whether password authentication is allowed. The de- |
253 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 253 | fault is ``yes''. |
254 | 254 | ||
255 | PermitEmptyPasswords | 255 | PermitEmptyPasswords |
256 | When password authentication is allowed, it specifies whether the | 256 | When password authentication is allowed, it specifies whether the |
257 | server allows login to accounts with empty password strings. The | 257 | server allows login to accounts with empty password strings. The |
258 | default is M-bM-^@M-^\noM-bM-^@M-^]. | 258 | default is ``no''. |
259 | 259 | ||
260 | PermitRootLogin | 260 | PermitRootLogin |
261 | Specifies whether root can login using ssh(1). The argument must | 261 | Specifies whether root can login using ssh(1). The argument must |
262 | be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. | 262 | be ``yes'', ``without-password'', ``forced-commands-only'' or |
263 | The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 263 | ``no''. The default is ``yes''. |
264 | 264 | ||
265 | If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^] password authentica- | 265 | If this option is set to ``without-password'' password authenti- |
266 | tion is disabled for root. | 266 | cation is disabled for root. |
267 | 267 | ||
268 | If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with | 268 | If this option is set to ``forced-commands-only'' root login with |
269 | public key authentication will be allowed, but only if the | 269 | public key authentication will be allowed, but only if the |
270 | command option has been specified (which may be useful for taking | 270 | command option has been specified (which may be useful for taking |
271 | remote backups even if root login is normally not allowed). All | 271 | remote backups even if root login is normally not allowed). All |
272 | other authentication methods are disabled for root. | 272 | other authentication methods are disabled for root. |
273 | 273 | ||
274 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. | 274 | If this option is set to ``no'' root is not allowed to login. |
275 | 275 | ||
276 | PermitUserEnvironment | 276 | PermitUserEnvironment |
277 | Specifies whether ~/.ssh/environment and environment= options in | 277 | Specifies whether ~/.ssh/environment and environment= options in |
278 | ~/.ssh/authorized_keys are processed by sshd. The default is | 278 | ~/.ssh/authorized_keys are processed by sshd. The default is |
279 | M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass | 279 | ``no''. Enabling environment processing may enable users to by- |
280 | access restrictions in some configurations using mechanisms such | 280 | pass access restrictions in some configurations using mechanisms |
281 | as LD_PRELOAD. | 281 | such as LD_PRELOAD. |
282 | 282 | ||
283 | PidFile | 283 | PidFile |
284 | Specifies the file that contains the process ID of the sshd dae- | 284 | Specifies the file that contains the process ID of the sshd dae- |
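Review bot: lines 234-235 now break the default MACs list inside an algorithm name ("hmac-" / "sha1-96"), where the old side kept the whole quoted list on a line of its own; an administrator copying the default into sshd_config can easily drop the hyphen or pick up the line break. Mark the list as unbreakable in the source page, or keep it on its own line, so the regenerated output does not split identifiers. The same paragraph still quotes "10:30:60" with straight double quotes while the surrounding values use ``...'', which is pre-existing.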
@@ -290,38 +290,39 @@ DESCRIPTION | |||
290 | 290 | ||
291 | PrintLastLog | 291 | PrintLastLog |
292 | Specifies whether sshd should print the date and time when the | 292 | Specifies whether sshd should print the date and time when the |
293 | user last logged in. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 293 | user last logged in. The default is ``yes''. |
294 | 294 | ||
295 | PrintMotd | 295 | PrintMotd |
296 | Specifies whether sshd should print /etc/motd when a user logs in | 296 | Specifies whether sshd should print /etc/motd when a user logs in |
297 | interactively. (On some systems it is also printed by the shell, | 297 | interactively. (On some systems it is also printed by the shell, |
298 | /etc/profile, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 298 | /etc/profile, or equivalent.) The default is ``yes''. |
299 | 299 | ||
300 | Protocol | 300 | Protocol |
301 | Specifies the protocol versions sshd supports. The possible val- | 301 | Specifies the protocol versions sshd supports. The possible val- |
302 | ues are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple versions must be comma-separated. | 302 | ues are ``1'' and ``2''. Multiple versions must be comma-sepa- |
303 | The default is M-bM-^@M-^\2,1M-bM-^@M-^]. Note that the order of the protocol list | 303 | rated. The default is ``2,1''. Note that the order of the pro- |
304 | does not indicate preference, because the client selects among | 304 | tocol list does not indicate preference, because the client se- |
305 | multiple protocol versions offered by the server. Specifying | 305 | lects among multiple protocol versions offered by the server. |
306 | M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. | 306 | Specifying ``2,1'' is identical to ``1,2''. |
307 | 307 | ||
308 | PubkeyAuthentication | 308 | PubkeyAuthentication |
309 | Specifies whether public key authentication is allowed. The | 309 | Specifies whether public key authentication is allowed. The de- |
310 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver- | 310 | fault is ``yes''. Note that this option applies to protocol ver- |
311 | sion 2 only. RhostsRSAAuthentication should be used instead, | 311 | sion 2 only. RhostsRSAAuthentication should be used instead, be- |
312 | because it performs RSA-based host authentication in addition to | 312 | cause it performs RSA-based host authentication in addition to |
313 | normal rhosts or /etc/hosts.equiv authentication. The default is | 313 | normal rhosts or /etc/hosts.equiv authentication. The default is |
314 | M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. | 314 | ``no''. This option applies to protocol version 1 only. |
315 | 315 | ||
316 | RhostsRSAAuthentication | 316 | RhostsRSAAuthentication |
317 | Specifies whether rhosts or /etc/hosts.equiv authentication | 317 | Specifies whether rhosts or /etc/hosts.equiv authentication to- |
318 | together with successful RSA host authentication is allowed. The | 318 | gether with successful RSA host authentication is allowed. The |
319 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. | 319 | default is ``no''. This option applies to protocol version 1 on- |
320 | ly. | ||
320 | 321 | ||
321 | RSAAuthentication | 322 | RSAAuthentication |
322 | Specifies whether pure RSA authentication is allowed. The | 323 | Specifies whether pure RSA authentication is allowed. The de- |
323 | default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1 | 324 | fault is ``yes''. This option applies to protocol version 1 on- |
324 | only. | 325 | ly. |
325 | 326 | ||
326 | ServerKeyBits | 327 | ServerKeyBits |
327 | Defines the number of bits in the ephemeral protocol version 1 | 328 | Defines the number of bits in the ephemeral protocol version 1 |
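Review bot: this is the hunk where the line count grows from 38 to 39, caused by the "on-" / "ly" hyphenation at lines 319-320 and 324-325; splitting a four-letter word across lines is a poor break and worth a hyphenation adjustment. Separately, and pre-existing in the context lines, the PubkeyAuthentication entry (lines 309-314 on the new side) first says the default is ``yes'' and protocol 2 only, then says "RhostsRSAAuthentication should be used instead", default ``no'', protocol 1 only; the second half plainly belongs to a different option and should be removed from the source page while it is being regenerated.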
@@ -329,34 +330,34 @@ DESCRIPTION | |||
329 | 330 | ||
330 | StrictModes | 331 | StrictModes |
331 | Specifies whether sshd should check file modes and ownership of | 332 | Specifies whether sshd should check file modes and ownership of |
332 | the userM-bM-^@M-^Ys files and home directory before accepting login. This | 333 | the user's files and home directory before accepting login. This |
333 | is normally desirable because novices sometimes accidentally | 334 | is normally desirable because novices sometimes accidentally |
334 | leave their directory or files world-writable. The default is | 335 | leave their directory or files world-writable. The default is |
335 | M-bM-^@M-^\yesM-bM-^@M-^]. | 336 | ``yes''. |
336 | 337 | ||
337 | Subsystem | 338 | Subsystem |
338 | Configures an external subsystem (e.g., file transfer daemon). | 339 | Configures an external subsystem (e.g., file transfer daemon). |
339 | Arguments should be a subsystem name and a command to execute | 340 | Arguments should be a subsystem name and a command to execute up- |
340 | upon subsystem request. The command sftp-server(8) implements | 341 | on subsystem request. The command sftp-server(8) implements the |
341 | the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer subsystem. By default no subsystems are | 342 | ``sftp'' file transfer subsystem. By default no subsystems are |
342 | defined. Note that this option applies to protocol version 2 | 343 | defined. Note that this option applies to protocol version 2 on- |
343 | only. | 344 | ly. |
344 | 345 | ||
345 | SyslogFacility | 346 | SyslogFacility |
346 | Gives the facility code that is used when logging messages from | 347 | Gives the facility code that is used when logging messages from |
347 | sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, | 348 | sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO- |
348 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The | 349 | CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- |
349 | default is AUTH. | 350 | fault is AUTH. |
350 | 351 | ||
351 | UseDNS Specifies whether sshd should lookup the remote host name and | 352 | UseDNS Specifies whether sshd should lookup the remote host name and |
352 | check that the resolved host name for the remote IP address maps | 353 | check that the resolved host name for the remote IP address maps |
353 | back to the very same IP address. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | 354 | back to the very same IP address. The default is ``yes''. |
354 | 355 | ||
355 | UseLogin | 356 | UseLogin |
356 | Specifies whether login(1) is used for interactive login ses- | 357 | Specifies whether login(1) is used for interactive login ses- |
357 | sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used | 358 | sions. The default is ``no''. Note that login(1) is never used |
358 | for remote command execution. Note also, that if this is | 359 | for remote command execution. Note also, that if this is en- |
359 | enabled, X11Forwarding will be disabled because login(1) does not | 360 | abled, X11Forwarding will be disabled because login(1) does not |
360 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | 361 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation |
361 | is specified, it will be disabled after authentication. | 362 | is specified, it will be disabled after authentication. |
362 | 363 | ||
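Review bot: lines 348-349 split the facility name LOCAL1 across a line break as "LO-" / "CAL1", and lines 340-341 break "up-" / "on"; the first is the more serious, since a reader can take "LO-CAL1" for the spelling of a configuration value. Prevent hyphenation inside the SyslogFacility value list in the source so the literal keywords stay intact in the formatted output.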
@@ -366,35 +367,35 @@ DESCRIPTION | |||
366 | to run sshd as a non-root user. | 367 | to run sshd as a non-root user. |
367 | 368 | ||
368 | UsePrivilegeSeparation | 369 | UsePrivilegeSeparation |
369 | Specifies whether sshd separates privileges by creating an | 370 | Specifies whether sshd separates privileges by creating an un- |
370 | unprivileged child process to deal with incoming network traffic. | 371 | privileged child process to deal with incoming network traffic. |
371 | After successful authentication, another process will be created | 372 | After successful authentication, another process will be created |
372 | that has the privilege of the authenticated user. The goal of | 373 | that has the privilege of the authenticated user. The goal of |
373 | privilege separation is to prevent privilege escalation by con- | 374 | privilege separation is to prevent privilege escalation by con- |
374 | taining any corruption within the unprivileged processes. The | 375 | taining any corruption within the unprivileged processes. The |
375 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | 376 | default is ``yes''. |
376 | 377 | ||
377 | X11DisplayOffset | 378 | X11DisplayOffset |
378 | Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for- | 379 | Specifies the first display number available for sshd's X11 for- |
379 | warding. This prevents sshd from interfering with real X11 | 380 | warding. This prevents sshd from interfering with real X11 |
380 | servers. The default is 10. | 381 | servers. The default is 10. |
381 | 382 | ||
382 | X11Forwarding | 383 | X11Forwarding |
383 | Specifies whether X11 forwarding is permitted. The argument must | 384 | Specifies whether X11 forwarding is permitted. The argument must |
384 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. | 385 | be ``yes'' or ``no''. The default is ``no''. |
385 | 386 | ||
386 | When X11 forwarding is enabled, there may be additional exposure | 387 | When X11 forwarding is enabled, there may be additional exposure |
387 | to the server and to client displays if the sshd proxy display is | 388 | to the server and to client displays if the sshd proxy display is |
388 | configured to listen on the wildcard address (see X11UseLocalhost | 389 | configured to listen on the wildcard address (see X11UseLocalhost |
389 | below), however this is not the default. Additionally, the | 390 | below), however this is not the default. Additionally, the au- |
390 | authentication spoofing and authentication data verification and | 391 | thentication spoofing and authentication data verification and |
391 | substitution occur on the client side. The security risk of | 392 | substitution occur on the client side. The security risk of us- |
392 | using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may | 393 | ing X11 forwarding is that the client's X11 display server may be |
393 | be exposed to attack when the ssh client requests forwarding (see | 394 | exposed to attack when the ssh client requests forwarding (see |
394 | the warnings for ForwardX11 in ssh_config(5)). A system adminis- | 395 | the warnings for ForwardX11 in ssh_config(5)). A system adminis- |
395 | trator may have a stance in which they want to protect clients | 396 | trator may have a stance in which they want to protect clients |
396 | that may expose themselves to attack by unwittingly requesting | 397 | that may expose themselves to attack by unwittingly requesting |
397 | X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. | 398 | X11 forwarding, which can warrant a ``no'' setting. |
398 | 399 | ||
399 | Note that disabling X11 forwarding does not prevent users from | 400 | Note that disabling X11 forwarding does not prevent users from |
400 | forwarding X11 traffic, as users can always install their own | 401 | forwarding X11 traffic, as users can always install their own |
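Review bot: Nothing semantic changes in this hunk; the defaults that matter for hardening (UsePrivilegeSeparation ``yes'', X11Forwarding ``no'') and the X11Forwarding caveat text are identical apart from the quote glyphs and the re-wrapping of "un-/privileged", "au-/thentication" and "us-/ing". Two points belong in the sshd_config.5 source rather than in this generated file: "sshdM-bM-^@M-^Ys" and "clientM-bM-^@M-^Ys" show the old render contained a UTF-8 U+2019 apostrophe, so the previous .0 was not pure ASCII, which is what this regeneration corrects; and "configured to listen on the wildcard address (see X11UseLocalhost below), however this is not the default" is a comma splice that should read "... below); however, this is not the default."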
@@ -406,12 +407,12 @@ DESCRIPTION | |||
406 | the loopback address or to the wildcard address. By default, | 407 | the loopback address or to the wildcard address. By default, |
407 | sshd binds the forwarding server to the loopback address and sets | 408 | sshd binds the forwarding server to the loopback address and sets |
408 | the hostname part of the DISPLAY environment variable to | 409 | the hostname part of the DISPLAY environment variable to |
409 | M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the | 410 | ``localhost''. This prevents remote hosts from connecting to the |
410 | proxy display. However, some older X11 clients may not function | 411 | proxy display. However, some older X11 clients may not function |
411 | with this configuration. X11UseLocalhost may be set to M-bM-^@M-^\noM-bM-^@M-^] to | 412 | with this configuration. X11UseLocalhost may be set to ``no'' to |
412 | specify that the forwarding server should be bound to the wild- | 413 | specify that the forwarding server should be bound to the wild- |
413 | card address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default | 414 | card address. The argument must be ``yes'' or ``no''. The de- |
414 | is M-bM-^@M-^\yesM-bM-^@M-^]. | 415 | fault is ``yes''. |
415 | 416 | ||
416 | XAuthLocation | 417 | XAuthLocation |
417 | Specifies the full pathname of the xauth(1) program. The default | 418 | Specifies the full pathname of the xauth(1) program. The default |
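Review bot: The X11UseLocalhost semantics (loopback binding by default, DISPLAY host part set to localhost, ``no'' binding the wildcard address) are unchanged; only the quote glyphs and the wrap points move. Note that the re-wrap now splits the phrase across lines as "The de-/fault is ``yes''", so any script that checks the rendered page line by line for "The default is" will miss this entry; such checks should parse the .5 source instead of the formatted output.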
@@ -456,4 +457,4 @@ AUTHORS | |||
456 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 457 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
457 | for privilege separation. | 458 | for privilege separation. |
458 | 459 | ||
459 | BSD September 25, 1999 BSD | 460 | OpenBSD 3.4 September 25, 1999 7 |
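Review bot: The footer changes from "BSD ... BSD" to "OpenBSD 3.4 ... 7", which bakes the build host's release string and a page number into a file that is otherwise not paginated, so every future regeneration on a different host will produce a spurious whole-file diff like this one. Prefer generating the .0 files on one fixed toolchain (or stripping the release and page fields) so that diffs of the rendered manual only show real documentation changes; that is what keeps changes to security-relevant defaults reviewable.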