Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 51 |
1 files changed, 25 insertions, 26 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 643db2640..981e91042 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -81,12 +81,12 @@ DESCRIPTION | |||
81 | If this threshold is reached while client alive messages are be- | 81 | If this threshold is reached while client alive messages are be- |
82 | ing sent, sshd will disconnect the client, terminating the ses- | 82 | ing sent, sshd will disconnect the client, terminating the ses- |
83 | sion. It is important to note that the use of client alive mes- | 83 | sion. It is important to note that the use of client alive mes- |
84 | sages is very different from KeepAlive (below). The client alive | 84 | sages is very different from TCPKeepAlive (below). The client |
85 | messages are sent through the encrypted channel and therefore | 85 | alive messages are sent through the encrypted channel and there- |
86 | will not be spoofable. The TCP keepalive option enabled by | 86 | fore will not be spoofable. The TCP keepalive option enabled by |
87 | KeepAlive is spoofable. The client alive mechanism is valuable | 87 | TCPKeepAlive is spoofable. The client alive mechanism is valu- |
88 | when the client or server depend on knowing when a connection has | 88 | able when the client or server depend on knowing when a connec- |
89 | become inactive. | 89 | tion has become inactive. |
90 | 90 | ||
91 | The default value is 3. If ClientAliveInterval (above) is set to | 91 | The default value is 3. If ClientAliveInterval (above) is set to |
92 | 15, and ClientAliveCountMax is left at the default, unresponsive | 92 | 15, and ClientAliveCountMax is left at the default, unresponsive |
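Review bot: the "(below)" cross-reference in line 84 is only valid if the TCPKeepAlive entry is added in the same commit, which the last-but-one hunk of this patch does; keep the rename and the new entry together rather than splitting them. No wording problem otherwise: the re-wrap preserves the one sentence on this page that states the security distinction, namely that client alive messages travel inside the encrypted channel and are not spoofable while the TCP keepalive mechanism is, which is the reason an administrator would choose ClientAliveInterval/ClientAliveCountMax over TCPKeepAlive for detecting dead sessions.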
@@ -162,21 +162,6 @@ DESCRIPTION | |||
162 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or | 162 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or |
163 | HostbasedAuthentication. The default is ``no''. | 163 | HostbasedAuthentication. The default is ``no''. |
164 | 164 | ||
165 | KeepAlive | ||
166 | Specifies whether the system should send TCP keepalive messages | ||
167 | to the other side. If they are sent, death of the connection or | ||
168 | crash of one of the machines will be properly noticed. However, | ||
169 | this means that connections will die if the route is down tem- | ||
170 | porarily, and some people find it annoying. On the other hand, | ||
171 | if keepalives are not sent, sessions may hang indefinitely on the | ||
172 | server, leaving ``ghost'' users and consuming server resources. | ||
173 | |||
174 | The default is ``yes'' (to send keepalives), and the server will | ||
175 | notice if the network goes down or the client host crashes. This | ||
176 | avoids infinitely hanging sessions. | ||
177 | |||
178 | To disable keepalives, the value should be set to ``no''. | ||
179 | |||
180 | KerberosAuthentication | 165 | KerberosAuthentication |
181 | Specifies whether the password provided by the user for | 166 | Specifies whether the password provided by the user for |
182 | PasswordAuthentication will be validated through the Kerberos | 167 | PasswordAuthentication will be validated through the Kerberos |
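Review bot: deleting the KeepAlive entry outright gives an administrator with an existing "KeepAlive yes" or "KeepAlive no" line in sshd_config no hint of what happened on upgrade. If the configuration parser still accepts KeepAlive as a compatibility alias for TCPKeepAlive, a one-line note saying so belongs in the new TCPKeepAlive entry; if it does not, the man page should state that the old keyword is no longer recognised, so that a startup failure after upgrading can be traced to this rename.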
@@ -308,10 +293,7 @@ DESCRIPTION | |||
308 | PubkeyAuthentication | 293 | PubkeyAuthentication |
309 | Specifies whether public key authentication is allowed. The de- | 294 | Specifies whether public key authentication is allowed. The de- |
310 | fault is ``yes''. Note that this option applies to protocol ver- | 295 | fault is ``yes''. Note that this option applies to protocol ver- |
311 | sion 2 only. RhostsRSAAuthentication should be used instead, be- | 296 | sion 2 only. |
312 | cause it performs RSA-based host authentication in addition to | ||
313 | normal rhosts or /etc/hosts.equiv authentication. The default is | ||
314 | ``no''. This option applies to protocol version 1 only. | ||
315 | 297 | ||
316 | RhostsRSAAuthentication | 298 | RhostsRSAAuthentication |
317 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | 299 | Specifies whether rhosts or /etc/hosts.equiv authentication to- |
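Review bot: the removal is correct and worth naming in the commit message: lines 311-314 were a fragment of the RhostsRSAAuthentication entry that immediately follows, and they contradicted the paragraph they sat in on two counts ("The default is ``yes''" two lines earlier versus "The default is ``no''", and "protocol version 2 only" versus "protocol version 1 only"). After the cut, line 296 ends the PubkeyAuthentication entry cleanly at "sion 2 only."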
@@ -349,6 +331,23 @@ DESCRIPTION | |||
349 | CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- | 331 | CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- |
350 | fault is AUTH. | 332 | fault is AUTH. |
351 | 333 | ||
334 | TCPKeepAlive | ||
335 | Specifies whether the system should send TCP keepalive messages | ||
336 | to the other side. If they are sent, death of the connection or | ||
337 | crash of one of the machines will be properly noticed. However, | ||
338 | this means that connections will die if the route is down tem- | ||
339 | porarily, and some people find it annoying. On the other hand, | ||
340 | if TCP keepalives are not sent, sessions may hang indefinitely on | ||
341 | the server, leaving ``ghost'' users and consuming server re- | ||
342 | sources. | ||
343 | |||
344 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
345 | server will notice if the network goes down or the client host | ||
346 | crashes. This avoids infinitely hanging sessions. | ||
347 | |||
348 | To disable TCP keepalive messages, the value should be set to | ||
349 | ``no''. | ||
350 | |||
352 | UseDNS Specifies whether sshd should lookup the remote host name and | 351 | UseDNS Specifies whether sshd should lookup the remote host name and |
353 | check that the resolved host name for the remote IP address maps | 352 | check that the resolved host name for the remote IP address maps |
354 | back to the very same IP address. The default is ``yes''. | 353 | back to the very same IP address. The default is ``yes''. |
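Review bot: the new TCPKeepAlive entry should point the reader back to ClientAliveInterval and ClientAliveCountMax, because the ClientAliveCountMax text in the first hunk is the only place the page explains that TCP keepalives are spoofable while client alive messages are sent through the encrypted channel; a closing sentence along the lines of "See ClientAliveInterval for a mechanism that cannot be spoofed." would make that trade-off visible where the option itself is documented. Otherwise the text is the former KeepAlive text with the keyword renamed and "TCP" inserted before "keepalive", and the re-wrapped lines keep the entry in alphabetical position between SyslogFacility and UseDNS.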
@@ -364,7 +363,7 @@ DESCRIPTION | |||
364 | UsePAM Enables PAM authentication (via challenge-response) and session | 363 | UsePAM Enables PAM authentication (via challenge-response) and session |
365 | set up. If you enable this, you should probably disable | 364 | set up. If you enable this, you should probably disable |
366 | PasswordAuthentication. If you enable then you will not be able | 365 | PasswordAuthentication. If you enable then you will not be able |
367 | to run sshd as a non-root user. | 366 | to run sshd as a non-root user. The default is ``no''. |
368 | 367 | ||
369 | UsePrivilegeSeparation | 368 | UsePrivilegeSeparation |
370 | Specifies whether sshd separates privileges by creating an un- | 369 | Specifies whether sshd separates privileges by creating an un- |
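Review bot: while this paragraph is being touched, fix the unchanged context line 365: "If you enable then you will not be able to run sshd as a non-root user" is missing its object and should read "If you enable this, you will not be able ...". The added "The default is ``no''." matches the phrasing used by the other entries on the page.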