diff options
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 780 |
1 files changed, 780 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0 new file mode 100644 index 000000000..2648db3d4 --- /dev/null +++ b/sshd_config.0 | |||
@@ -0,0 +1,780 @@ | |||
1 | SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | sshd_config - OpenSSH SSH daemon configuration file | ||
5 | |||
6 | SYNOPSIS | ||
7 | /etc/ssh/sshd_config | ||
8 | |||
9 | DESCRIPTION | ||
10 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file | ||
11 | specified with -f on the command line). The file contains keyword- | ||
12 | argument pairs, one per line. Lines starting with `#' and empty lines | ||
13 | are interpreted as comments. Arguments may optionally be enclosed in | ||
14 | double quotes (") in order to represent arguments containing spaces. | ||
15 | |||
16 | The possible keywords and their meanings are as follows (note that | ||
17 | keywords are case-insensitive and arguments are case-sensitive): | ||
18 | |||
19 | AcceptEnv | ||
20 | Specifies what environment variables sent by the client will be | ||
21 | copied into the session's environ(7). See SendEnv in | ||
22 | ssh_config(5) for how to configure the client. Note that | ||
23 | environment passing is only supported for protocol 2. Variables | ||
24 | are specified by name, which may contain the wildcard characters | ||
25 | `*' and `?'. Multiple environment variables may be separated by | ||
26 | whitespace or spread across multiple AcceptEnv directives. Be | ||
27 | warned that some environment variables could be used to bypass | ||
28 | restricted user environments. For this reason, care should be | ||
29 | taken in the use of this directive. The default is not to accept | ||
30 | any environment variables. | ||
31 | |||
32 | AddressFamily | ||
33 | Specifies which address family should be used by sshd(8). Valid | ||
34 | arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' | ||
35 | (use IPv6 only). The default is ``any''. | ||
36 | |||
37 | AllowAgentForwarding | ||
38 | Specifies whether ssh-agent(1) forwarding is permitted. The | ||
39 | default is ``yes''. Note that disabling agent forwarding does | ||
40 | not improve security unless users are also denied shell access, | ||
41 | as they can always install their own forwarders. | ||
42 | |||
43 | AllowGroups | ||
44 | This keyword can be followed by a list of group name patterns, | ||
45 | separated by spaces. If specified, login is allowed only for | ||
46 | users whose primary group or supplementary group list matches one | ||
47 | of the patterns. Only group names are valid; a numerical group | ||
48 | ID is not recognized. By default, login is allowed for all | ||
49 | groups. The allow/deny directives are processed in the following | ||
50 | order: DenyUsers, AllowUsers, DenyGroups, and finally | ||
51 | AllowGroups. | ||
52 | |||
53 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
54 | |||
55 | AllowTcpForwarding | ||
56 | Specifies whether TCP forwarding is permitted. The available | ||
57 | options are ``yes'' or ``all'' to allow TCP forwarding, ``no'' to | ||
58 | prevent all TCP forwarding, ``local'' to allow local (from the | ||
59 | perspective of ssh(1)) forwarding only or ``remote'' to allow | ||
60 | remote forwarding only. The default is ``yes''. Note that | ||
61 | disabling TCP forwarding does not improve security unless users | ||
62 | are also denied shell access, as they can always install their | ||
63 | own forwarders. | ||
64 | |||
65 | AllowUsers | ||
66 | This keyword can be followed by a list of user name patterns, | ||
67 | separated by spaces. If specified, login is allowed only for | ||
68 | user names that match one of the patterns. Only user names are | ||
69 | valid; a numerical user ID is not recognized. By default, login | ||
70 | is allowed for all users. If the pattern takes the form | ||
71 | USER@HOST then USER and HOST are separately checked, restricting | ||
72 | logins to particular users from particular hosts. The allow/deny | ||
73 | directives are processed in the following order: DenyUsers, | ||
74 | AllowUsers, DenyGroups, and finally AllowGroups. | ||
75 | |||
76 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
77 | |||
78 | AuthenticationMethods | ||
79 | Specifies the authentication methods that must be successfully | ||
80 | completed for a user to be granted access. This option must be | ||
81 | followed by one or more comma-separated lists of authentication | ||
82 | method names. Successful authentication requires completion of | ||
83 | every method in at least one of these lists. | ||
84 | |||
85 | For example, an argument of ``publickey,password | ||
86 | publickey,keyboard-interactive'' would require the user to | ||
87 | complete public key authentication, followed by either password | ||
88 | or keyboard interactive authentication. Only methods that are | ||
89 | next in one or more lists are offered at each stage, so for this | ||
90 | example, it would not be possible to attempt password or | ||
91 | keyboard-interactive authentication before public key. | ||
92 | |||
93 | This option is only available for SSH protocol 2 and will yield a | ||
94 | fatal error if enabled if protocol 1 is also enabled. Note that | ||
95 | each authentication method listed should also be explicitly | ||
96 | enabled in the configuration. The default is not to require | ||
97 | multiple authentication; successful completion of a single | ||
98 | authentication method is sufficient. | ||
99 | |||
100 | AuthorizedKeysCommand | ||
101 | Specifies a program to be used to look up the user's public keys. | ||
102 | The program will be invoked with a single argument of the | ||
103 | username being authenticated, and should produce on standard | ||
104 | output zero or more lines of authorized_keys output (see | ||
105 | AUTHORIZED_KEYS in sshd(8)). If a key supplied by | ||
106 | AuthorizedKeysCommand does not successfully authenticate and | ||
107 | authorize the user then public key authentication continues using | ||
108 | the usual AuthorizedKeysFile files. By default, no | ||
109 | AuthorizedKeysCommand is run. | ||
110 | |||
111 | AuthorizedKeysCommandUser | ||
112 | Specifies the user under whose account the AuthorizedKeysCommand | ||
113 | is run. It is recommended to use a dedicated user that has no | ||
114 | other role on the host than running authorized keys commands. | ||
115 | |||
116 | AuthorizedKeysFile | ||
117 | Specifies the file that contains the public keys that can be used | ||
118 | for user authentication. The format is described in the | ||
119 | AUTHORIZED_KEYS FILE FORMAT section of sshd(8). | ||
120 | AuthorizedKeysFile may contain tokens of the form %T which are | ||
121 | substituted during connection setup. The following tokens are | ||
122 | defined: %% is replaced by a literal '%', %h is replaced by the | ||
123 | home directory of the user being authenticated, and %u is | ||
124 | replaced by the username of that user. After expansion, | ||
125 | AuthorizedKeysFile is taken to be an absolute path or one | ||
126 | relative to the user's home directory. Multiple files may be | ||
127 | listed, separated by whitespace. The default is | ||
128 | ``.ssh/authorized_keys .ssh/authorized_keys2''. | ||
129 | |||
130 | AuthorizedPrincipalsFile | ||
131 | Specifies a file that lists principal names that are accepted for | ||
132 | certificate authentication. When using certificates signed by a | ||
133 | key listed in TrustedUserCAKeys, this file lists names, one of | ||
134 | which must appear in the certificate for it to be accepted for | ||
135 | authentication. Names are listed one per line preceded by key | ||
136 | options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). | ||
137 | Empty lines and comments starting with `#' are ignored. | ||
138 | |||
139 | AuthorizedPrincipalsFile may contain tokens of the form %T which | ||
140 | are substituted during connection setup. The following tokens | ||
141 | are defined: %% is replaced by a literal '%', %h is replaced by | ||
142 | the home directory of the user being authenticated, and %u is | ||
143 | replaced by the username of that user. After expansion, | ||
144 | AuthorizedPrincipalsFile is taken to be an absolute path or one | ||
145 | relative to the user's home directory. | ||
146 | |||
147 | The default is ``none'', i.e. not to use a principals file - in | ||
148 | this case, the username of the user must appear in a | ||
149 | certificate's principals list for it to be accepted. Note that | ||
150 | AuthorizedPrincipalsFile is only used when authentication | ||
151 | proceeds using a CA listed in TrustedUserCAKeys and is not | ||
152 | consulted for certification authorities trusted via | ||
153 | ~/.ssh/authorized_keys, though the principals= key option offers | ||
154 | a similar facility (see sshd(8) for details). | ||
155 | |||
156 | Banner The contents of the specified file are sent to the remote user | ||
157 | before authentication is allowed. If the argument is ``none'' | ||
158 | then no banner is displayed. This option is only available for | ||
159 | protocol version 2. By default, no banner is displayed. | ||
160 | |||
161 | ChallengeResponseAuthentication | ||
162 | Specifies whether challenge-response authentication is allowed | ||
163 | (e.g. via PAM or though authentication styles supported in | ||
164 | login.conf(5)) The default is ``yes''. | ||
165 | |||
166 | ChrootDirectory | ||
167 | Specifies the pathname of a directory to chroot(2) to after | ||
168 | authentication. All components of the pathname must be root- | ||
169 | owned directories that are not writable by any other user or | ||
170 | group. After the chroot, sshd(8) changes the working directory | ||
171 | to the user's home directory. | ||
172 | |||
173 | The pathname may contain the following tokens that are expanded | ||
174 | at runtime once the connecting user has been authenticated: %% is | ||
175 | replaced by a literal '%', %h is replaced by the home directory | ||
176 | of the user being authenticated, and %u is replaced by the | ||
177 | username of that user. | ||
178 | |||
179 | The ChrootDirectory must contain the necessary files and | ||
180 | directories to support the user's session. For an interactive | ||
181 | session this requires at least a shell, typically sh(1), and | ||
182 | basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), | ||
183 | stderr(4), arandom(4) and tty(4) devices. For file transfer | ||
184 | sessions using ``sftp'', no additional configuration of the | ||
185 | environment is necessary if the in-process sftp server is used, | ||
186 | though sessions which use logging do require /dev/log inside the | ||
187 | chroot directory (see sftp-server(8) for details). | ||
188 | |||
189 | The default is not to chroot(2). | ||
190 | |||
191 | Ciphers | ||
192 | Specifies the ciphers allowed for protocol version 2. Multiple | ||
193 | ciphers must be comma-separated. The supported ciphers are | ||
194 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | ||
195 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | ||
196 | ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', | ||
197 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', | ||
198 | and ``cast128-cbc''. The default is: | ||
199 | |||
200 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, | ||
201 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | ||
202 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, | ||
203 | aes256-cbc,arcfour | ||
204 | |||
205 | ClientAliveCountMax | ||
206 | Sets the number of client alive messages (see below) which may be | ||
207 | sent without sshd(8) receiving any messages back from the client. | ||
208 | If this threshold is reached while client alive messages are | ||
209 | being sent, sshd will disconnect the client, terminating the | ||
210 | session. It is important to note that the use of client alive | ||
211 | messages is very different from TCPKeepAlive (below). The client | ||
212 | alive messages are sent through the encrypted channel and | ||
213 | therefore will not be spoofable. The TCP keepalive option | ||
214 | enabled by TCPKeepAlive is spoofable. The client alive mechanism | ||
215 | is valuable when the client or server depend on knowing when a | ||
216 | connection has become inactive. | ||
217 | |||
218 | The default value is 3. If ClientAliveInterval (see below) is | ||
219 | set to 15, and ClientAliveCountMax is left at the default, | ||
220 | unresponsive SSH clients will be disconnected after approximately | ||
221 | 45 seconds. This option applies to protocol version 2 only. | ||
222 | |||
223 | ClientAliveInterval | ||
224 | Sets a timeout interval in seconds after which if no data has | ||
225 | been received from the client, sshd(8) will send a message | ||
226 | through the encrypted channel to request a response from the | ||
227 | client. The default is 0, indicating that these messages will | ||
228 | not be sent to the client. This option applies to protocol | ||
229 | version 2 only. | ||
230 | |||
231 | Compression | ||
232 | Specifies whether compression is allowed, or delayed until the | ||
233 | user has authenticated successfully. The argument must be | ||
234 | ``yes'', ``delayed'', or ``no''. The default is ``delayed''. | ||
235 | |||
236 | DenyGroups | ||
237 | This keyword can be followed by a list of group name patterns, | ||
238 | separated by spaces. Login is disallowed for users whose primary | ||
239 | group or supplementary group list matches one of the patterns. | ||
240 | Only group names are valid; a numerical group ID is not | ||
241 | recognized. By default, login is allowed for all groups. The | ||
242 | allow/deny directives are processed in the following order: | ||
243 | DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. | ||
244 | |||
245 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
246 | |||
247 | DenyUsers | ||
248 | This keyword can be followed by a list of user name patterns, | ||
249 | separated by spaces. Login is disallowed for user names that | ||
250 | match one of the patterns. Only user names are valid; a | ||
251 | numerical user ID is not recognized. By default, login is | ||
252 | allowed for all users. If the pattern takes the form USER@HOST | ||
253 | then USER and HOST are separately checked, restricting logins to | ||
254 | particular users from particular hosts. The allow/deny | ||
255 | directives are processed in the following order: DenyUsers, | ||
256 | AllowUsers, DenyGroups, and finally AllowGroups. | ||
257 | |||
258 | See PATTERNS in ssh_config(5) for more information on patterns. | ||
259 | |||
260 | ForceCommand | ||
261 | Forces the execution of the command specified by ForceCommand, | ||
262 | ignoring any command supplied by the client and ~/.ssh/rc if | ||
263 | present. The command is invoked by using the user's login shell | ||
264 | with the -c option. This applies to shell, command, or subsystem | ||
265 | execution. It is most useful inside a Match block. The command | ||
266 | originally supplied by the client is available in the | ||
267 | SSH_ORIGINAL_COMMAND environment variable. Specifying a command | ||
268 | of ``internal-sftp'' will force the use of an in-process sftp | ||
269 | server that requires no support files when used with | ||
270 | ChrootDirectory. | ||
271 | |||
272 | GatewayPorts | ||
273 | Specifies whether remote hosts are allowed to connect to ports | ||
274 | forwarded for the client. By default, sshd(8) binds remote port | ||
275 | forwardings to the loopback address. This prevents other remote | ||
276 | hosts from connecting to forwarded ports. GatewayPorts can be | ||
277 | used to specify that sshd should allow remote port forwardings to | ||
278 | bind to non-loopback addresses, thus allowing other hosts to | ||
279 | connect. The argument may be ``no'' to force remote port | ||
280 | forwardings to be available to the local host only, ``yes'' to | ||
281 | force remote port forwardings to bind to the wildcard address, or | ||
282 | ``clientspecified'' to allow the client to select the address to | ||
283 | which the forwarding is bound. The default is ``no''. | ||
284 | |||
285 | GSSAPIAuthentication | ||
286 | Specifies whether user authentication based on GSSAPI is allowed. | ||
287 | The default is ``no''. Note that this option applies to protocol | ||
288 | version 2 only. | ||
289 | |||
290 | GSSAPICleanupCredentials | ||
291 | Specifies whether to automatically destroy the user's credentials | ||
292 | cache on logout. The default is ``yes''. Note that this option | ||
293 | applies to protocol version 2 only. | ||
294 | |||
295 | HostbasedAuthentication | ||
296 | Specifies whether rhosts or /etc/hosts.equiv authentication | ||
297 | together with successful public key client host authentication is | ||
298 | allowed (host-based authentication). This option is similar to | ||
299 | RhostsRSAAuthentication and applies to protocol version 2 only. | ||
300 | The default is ``no''. | ||
301 | |||
302 | HostbasedUsesNameFromPacketOnly | ||
303 | Specifies whether or not the server will attempt to perform a | ||
304 | reverse name lookup when matching the name in the ~/.shosts, | ||
305 | ~/.rhosts, and /etc/hosts.equiv files during | ||
306 | HostbasedAuthentication. A setting of ``yes'' means that sshd(8) | ||
307 | uses the name supplied by the client rather than attempting to | ||
308 | resolve the name from the TCP connection itself. The default is | ||
309 | ``no''. | ||
310 | |||
311 | HostCertificate | ||
312 | Specifies a file containing a public host certificate. The | ||
313 | certificate's public key must match a private host key already | ||
314 | specified by HostKey. The default behaviour of sshd(8) is not to | ||
315 | load any certificates. | ||
316 | |||
317 | HostKey | ||
318 | Specifies a file containing a private host key used by SSH. The | ||
319 | default is /etc/ssh/ssh_host_key for protocol version 1, and | ||
320 | /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key and | ||
321 | /etc/ssh/ssh_host_rsa_key for protocol version 2. Note that | ||
322 | sshd(8) will refuse to use a file if it is group/world- | ||
323 | accessible. It is possible to have multiple host key files. | ||
324 | ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or | ||
325 | ``rsa'' are used for version 2 of the SSH protocol. | ||
326 | |||
327 | IgnoreRhosts | ||
328 | Specifies that .rhosts and .shosts files will not be used in | ||
329 | RhostsRSAAuthentication or HostbasedAuthentication. | ||
330 | |||
331 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The | ||
332 | default is ``yes''. | ||
333 | |||
334 | IgnoreUserKnownHosts | ||
335 | Specifies whether sshd(8) should ignore the user's | ||
336 | ~/.ssh/known_hosts during RhostsRSAAuthentication or | ||
337 | HostbasedAuthentication. The default is ``no''. | ||
338 | |||
339 | IPQoS Specifies the IPv4 type-of-service or DSCP class for the | ||
340 | connection. Accepted values are ``af11'', ``af12'', ``af13'', | ||
341 | ``af21'', ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', | ||
342 | ``af41'', ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'', | ||
343 | ``cs4'', ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'', | ||
344 | ``throughput'', ``reliability'', or a numeric value. This option | ||
345 | may take one or two arguments, separated by whitespace. If one | ||
346 | argument is specified, it is used as the packet class | ||
347 | unconditionally. If two values are specified, the first is | ||
348 | automatically selected for interactive sessions and the second | ||
349 | for non-interactive sessions. The default is ``lowdelay'' for | ||
350 | interactive sessions and ``throughput'' for non-interactive | ||
351 | sessions. | ||
352 | |||
353 | KerberosAuthentication | ||
354 | Specifies whether the password provided by the user for | ||
355 | PasswordAuthentication will be validated through the Kerberos | ||
356 | KDC. To use this option, the server needs a Kerberos servtab | ||
357 | which allows the verification of the KDC's identity. The default | ||
358 | is ``no''. | ||
359 | |||
360 | KerberosGetAFSToken | ||
361 | If AFS is active and the user has a Kerberos 5 TGT, attempt to | ||
362 | acquire an AFS token before accessing the user's home directory. | ||
363 | The default is ``no''. | ||
364 | |||
365 | KerberosOrLocalPasswd | ||
366 | If password authentication through Kerberos fails then the | ||
367 | password will be validated via any additional local mechanism | ||
368 | such as /etc/passwd. The default is ``yes''. | ||
369 | |||
370 | KerberosTicketCleanup | ||
371 | Specifies whether to automatically destroy the user's ticket | ||
372 | cache file on logout. The default is ``yes''. | ||
373 | |||
374 | KexAlgorithms | ||
375 | Specifies the available KEX (Key Exchange) algorithms. Multiple | ||
376 | algorithms must be comma-separated. The default is | ||
377 | ``ecdh-sha2-nistp256'', ``ecdh-sha2-nistp384'', | ||
378 | ``ecdh-sha2-nistp521'', ``diffie-hellman-group-exchange-sha256'', | ||
379 | ``diffie-hellman-group-exchange-sha1'', | ||
380 | ``diffie-hellman-group14-sha1'', ``diffie-hellman-group1-sha1''. | ||
381 | |||
382 | KeyRegenerationInterval | ||
383 | In protocol version 1, the ephemeral server key is automatically | ||
384 | regenerated after this many seconds (if it has been used). The | ||
385 | purpose of regeneration is to prevent decrypting captured | ||
386 | sessions by later breaking into the machine and stealing the | ||
387 | keys. The key is never stored anywhere. If the value is 0, the | ||
388 | key is never regenerated. The default is 3600 (seconds). | ||
389 | |||
390 | ListenAddress | ||
391 | Specifies the local addresses sshd(8) should listen on. The | ||
392 | following forms may be used: | ||
393 | |||
394 | ListenAddress host|IPv4_addr|IPv6_addr | ||
395 | ListenAddress host|IPv4_addr:port | ||
396 | ListenAddress [host|IPv6_addr]:port | ||
397 | |||
398 | If port is not specified, sshd will listen on the address and all | ||
399 | prior Port options specified. The default is to listen on all | ||
400 | local addresses. Multiple ListenAddress options are permitted. | ||
401 | Additionally, any Port options must precede this option for non- | ||
402 | port qualified addresses. | ||
403 | |||
404 | LoginGraceTime | ||
405 | The server disconnects after this time if the user has not | ||
406 | successfully logged in. If the value is 0, there is no time | ||
407 | limit. The default is 120 seconds. | ||
408 | |||
409 | LogLevel | ||
410 | Gives the verbosity level that is used when logging messages from | ||
411 | sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, | ||
412 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | ||
413 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
414 | higher levels of debugging output. Logging with a DEBUG level | ||
415 | violates the privacy of users and is not recommended. | ||
416 | |||
417 | MACs Specifies the available MAC (message authentication code) | ||
418 | algorithms. The MAC algorithm is used in protocol version 2 for | ||
419 | data integrity protection. Multiple algorithms must be comma- | ||
420 | separated. The algorithms that contain ``-etm'' calculate the | ||
421 | MAC after encryption (encrypt-then-mac). These are considered | ||
422 | safer and their use recommended. The default is: | ||
423 | |||
424 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, | ||
425 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | ||
426 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | ||
427 | hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, | ||
428 | hmac-md5-96-etm@openssh.com, | ||
429 | hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, | ||
430 | hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, | ||
431 | hmac-sha1-96,hmac-md5-96 | ||
432 | |||
433 | Match Introduces a conditional block. If all of the criteria on the | ||
434 | Match line are satisfied, the keywords on the following lines | ||
435 | override those set in the global section of the config file, | ||
436 | until either another Match line or the end of the file. | ||
437 | |||
438 | The arguments to Match are one or more criteria-pattern pairs. | ||
439 | The available criteria are User, Group, Host, LocalAddress, | ||
440 | LocalPort, and Address. The match patterns may consist of single | ||
441 | entries or comma-separated lists and may use the wildcard and | ||
442 | negation operators described in the PATTERNS section of | ||
443 | ssh_config(5). | ||
444 | |||
445 | The patterns in an Address criteria may additionally contain | ||
446 | addresses to match in CIDR address/masklen format, e.g. | ||
447 | ``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask | ||
448 | length provided must be consistent with the address - it is an | ||
449 | error to specify a mask length that is too long for the address | ||
450 | or one with bits set in this host portion of the address. For | ||
451 | example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively. | ||
452 | |||
453 | Only a subset of keywords may be used on the lines following a | ||
454 | Match keyword. Available keywords are AcceptEnv, | ||
455 | AllowAgentForwarding, AllowGroups, AllowTcpForwarding, | ||
456 | AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, | ||
457 | AuthorizedKeysCommandUser, AuthorizedKeysFile, | ||
458 | AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups, | ||
459 | DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication, | ||
460 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, | ||
461 | KbdInteractiveAuthentication, KerberosAuthentication, | ||
462 | MaxAuthTries, MaxSessions, PasswordAuthentication, | ||
463 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel, | ||
464 | PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, | ||
465 | X11DisplayOffset, X11Forwarding and X11UseLocalHost. | ||
466 | |||
467 | MaxAuthTries | ||
468 | Specifies the maximum number of authentication attempts permitted | ||
469 | per connection. Once the number of failures reaches half this | ||
470 | value, additional failures are logged. The default is 6. | ||
471 | |||
472 | MaxSessions | ||
473 | Specifies the maximum number of open sessions permitted per | ||
474 | network connection. The default is 10. | ||
475 | |||
476 | MaxStartups | ||
477 | Specifies the maximum number of concurrent unauthenticated | ||
478 | connections to the SSH daemon. Additional connections will be | ||
479 | dropped until authentication succeeds or the LoginGraceTime | ||
480 | expires for a connection. The default is 10:30:100. | ||
481 | |||
482 | Alternatively, random early drop can be enabled by specifying the | ||
483 | three colon separated values ``start:rate:full'' (e.g. | ||
484 | "10:30:60"). sshd(8) will refuse connection attempts with a | ||
485 | probability of ``rate/100'' (30%) if there are currently | ||
486 | ``start'' (10) unauthenticated connections. The probability | ||
487 | increases linearly and all connection attempts are refused if the | ||
488 | number of unauthenticated connections reaches ``full'' (60). | ||
489 | |||
490 | PasswordAuthentication | ||
491 | Specifies whether password authentication is allowed. The | ||
492 | default is ``yes''. | ||
493 | |||
494 | PermitEmptyPasswords | ||
495 | When password authentication is allowed, it specifies whether the | ||
496 | server allows login to accounts with empty password strings. The | ||
497 | default is ``no''. | ||
498 | |||
499 | PermitOpen | ||
500 | Specifies the destinations to which TCP port forwarding is | ||
501 | permitted. The forwarding specification must be one of the | ||
502 | following forms: | ||
503 | |||
504 | PermitOpen host:port | ||
505 | PermitOpen IPv4_addr:port | ||
506 | PermitOpen [IPv6_addr]:port | ||
507 | |||
508 | Multiple forwards may be specified by separating them with | ||
509 | whitespace. An argument of ``any'' can be used to remove all | ||
510 | restrictions and permit any forwarding requests. An argument of | ||
511 | ``none'' can be used to prohibit all forwarding requests. By | ||
512 | default all port forwarding requests are permitted. | ||
513 | |||
514 | PermitRootLogin | ||
515 | Specifies whether root can log in using ssh(1). The argument | ||
516 | must be ``yes'', ``without-password'', ``forced-commands-only'', | ||
517 | or ``no''. The default is ``yes''. | ||
518 | |||
519 | If this option is set to ``without-password'', password | ||
520 | authentication is disabled for root. | ||
521 | |||
522 | If this option is set to ``forced-commands-only'', root login | ||
523 | with public key authentication will be allowed, but only if the | ||
524 | command option has been specified (which may be useful for taking | ||
525 | remote backups even if root login is normally not allowed). All | ||
526 | other authentication methods are disabled for root. | ||
527 | |||
528 | If this option is set to ``no'', root is not allowed to log in. | ||
529 | |||
530 | PermitTunnel | ||
531 | Specifies whether tun(4) device forwarding is allowed. The | ||
532 | argument must be ``yes'', ``point-to-point'' (layer 3), | ||
533 | ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' permits | ||
534 | both ``point-to-point'' and ``ethernet''. The default is ``no''. | ||
535 | |||
536 | PermitUserEnvironment | ||
537 | Specifies whether ~/.ssh/environment and environment= options in | ||
538 | ~/.ssh/authorized_keys are processed by sshd(8). The default is | ||
539 | ``no''. Enabling environment processing may enable users to | ||
540 | bypass access restrictions in some configurations using | ||
541 | mechanisms such as LD_PRELOAD. | ||
542 | |||
543 | PidFile | ||
544 | Specifies the file that contains the process ID of the SSH | ||
545 | daemon. The default is /var/run/sshd.pid. | ||
546 | |||
547 | Port Specifies the port number that sshd(8) listens on. The default | ||
548 | is 22. Multiple options of this type are permitted. See also | ||
549 | ListenAddress. | ||
550 | |||
551 | PrintLastLog | ||
552 | Specifies whether sshd(8) should print the date and time of the | ||
553 | last user login when a user logs in interactively. The default | ||
554 | is ``yes''. | ||
555 | |||
556 | PrintMotd | ||
557 | Specifies whether sshd(8) should print /etc/motd when a user logs | ||
558 | in interactively. (On some systems it is also printed by the | ||
559 | shell, /etc/profile, or equivalent.) The default is ``yes''. | ||
560 | |||
561 | Protocol | ||
562 | Specifies the protocol versions sshd(8) supports. The possible | ||
563 | values are `1' and `2'. Multiple versions must be comma- | ||
564 | separated. The default is `2'. Note that the order of the | ||
565 | protocol list does not indicate preference, because the client | ||
566 | selects among multiple protocol versions offered by the server. | ||
567 | Specifying ``2,1'' is identical to ``1,2''. | ||
568 | |||
569 | PubkeyAuthentication | ||
570 | Specifies whether public key authentication is allowed. The | ||
571 | default is ``yes''. Note that this option applies to protocol | ||
572 | version 2 only. | ||
573 | |||
574 | RevokedKeys | ||
575 | Specifies revoked public keys. Keys listed in this file will be | ||
576 | refused for public key authentication. Note that if this file is | ||
577 | not readable, then public key authentication will be refused for | ||
578 | all users. Keys may be specified as a text file, listing one | ||
579 | public key per line, or as an OpenSSH Key Revocation List (KRL) | ||
580 | as generated by ssh-keygen(1). For more information on KRLs, see | ||
581 | the KEY REVOCATION LISTS section in ssh-keygen(1). | ||
582 | |||
583 | RhostsRSAAuthentication | ||
584 | Specifies whether rhosts or /etc/hosts.equiv authentication | ||
585 | together with successful RSA host authentication is allowed. The | ||
586 | default is ``no''. This option applies to protocol version 1 | ||
587 | only. | ||
588 | |||
589 | RSAAuthentication | ||
590 | Specifies whether pure RSA authentication is allowed. The | ||
591 | default is ``yes''. This option applies to protocol version 1 | ||
592 | only. | ||
593 | |||
594 | ServerKeyBits | ||
595 | Defines the number of bits in the ephemeral protocol version 1 | ||
596 | server key. The minimum value is 512, and the default is 1024. | ||
597 | |||
598 | StrictModes | ||
599 | Specifies whether sshd(8) should check file modes and ownership | ||
600 | of the user's files and home directory before accepting login. | ||
601 | This is normally desirable because novices sometimes accidentally | ||
602 | leave their directory or files world-writable. The default is | ||
603 | ``yes''. Note that this does not apply to ChrootDirectory, whose | ||
604 | permissions and ownership are checked unconditionally. | ||
605 | |||
606 | Subsystem | ||
607 | Configures an external subsystem (e.g. file transfer daemon). | ||
608 | Arguments should be a subsystem name and a command (with optional | ||
609 | arguments) to execute upon subsystem request. | ||
610 | |||
611 | The command sftp-server(8) implements the ``sftp'' file transfer | ||
612 | subsystem. | ||
613 | |||
614 | Alternately the name ``internal-sftp'' implements an in-process | ||
615 | ``sftp'' server. This may simplify configurations using | ||
616 | ChrootDirectory to force a different filesystem root on clients. | ||
617 | |||
618 | By default no subsystems are defined. Note that this option | ||
619 | applies to protocol version 2 only. | ||
620 | |||
621 | SyslogFacility | ||
622 | Gives the facility code that is used when logging messages from | ||
623 | sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, | ||
624 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The | ||
625 | default is AUTH. | ||
626 | |||
627 | TCPKeepAlive | ||
628 | Specifies whether the system should send TCP keepalive messages | ||
629 | to the other side. If they are sent, death of the connection or | ||
630 | crash of one of the machines will be properly noticed. However, | ||
631 | this means that connections will die if the route is down | ||
632 | temporarily, and some people find it annoying. On the other | ||
633 | hand, if TCP keepalives are not sent, sessions may hang | ||
634 | indefinitely on the server, leaving ``ghost'' users and consuming | ||
635 | server resources. | ||
636 | |||
637 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
638 | server will notice if the network goes down or the client host | ||
639 | crashes. This avoids infinitely hanging sessions. | ||
640 | |||
641 | To disable TCP keepalive messages, the value should be set to | ||
642 | ``no''. | ||
643 | |||
644 | TrustedUserCAKeys | ||
645 | Specifies a file containing public keys of certificate | ||
646 | authorities that are trusted to sign user certificates for | ||
647 | authentication. Keys are listed one per line; empty lines and | ||
648 | comments starting with `#' are allowed. If a certificate is | ||
649 | presented for authentication and has its signing CA key listed in | ||
650 | this file, then it may be used for authentication for any user | ||
651 | listed in the certificate's principals list. Note that | ||
652 | certificates that lack a list of principals will not be permitted | ||
653 | for authentication using TrustedUserCAKeys. For more details on | ||
654 | certificates, see the CERTIFICATES section in ssh-keygen(1). | ||
655 | |||
656 | UseDNS Specifies whether sshd(8) should look up the remote host name and | ||
657 | check that the resolved host name for the remote IP address maps | ||
658 | back to the very same IP address. The default is ``yes''. | ||
659 | |||
660 | UseLogin | ||
661 | Specifies whether login(1) is used for interactive login | ||
662 | sessions. The default is ``no''. Note that login(1) is never | ||
663 | used for remote command execution. Note also, that if this is | ||
664 | enabled, X11Forwarding will be disabled because login(1) does not | ||
665 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | ||
666 | is specified, it will be disabled after authentication. | ||
667 | |||
668 | UsePAM Enables the Pluggable Authentication Module interface. If set to | ||
669 | ``yes'' this will enable PAM authentication using | ||
670 | ChallengeResponseAuthentication and PasswordAuthentication in | ||
671 | addition to PAM account and session module processing for all | ||
672 | authentication types. | ||
673 | |||
674 | Because PAM challenge-response authentication usually serves an | ||
675 | equivalent role to password authentication, you should disable | ||
676 | either PasswordAuthentication or ChallengeResponseAuthentication. | ||
677 | |||
678 | If UsePAM is enabled, you will not be able to run sshd(8) as a | ||
679 | non-root user. The default is ``no''. | ||
680 | |||
681 | UsePrivilegeSeparation | ||
682 | Specifies whether sshd(8) separates privileges by creating an | ||
683 | unprivileged child process to deal with incoming network traffic. | ||
684 | After successful authentication, another process will be created | ||
685 | that has the privilege of the authenticated user. The goal of | ||
686 | privilege separation is to prevent privilege escalation by | ||
687 | containing any corruption within the unprivileged processes. The | ||
688 | default is ``yes''. If UsePrivilegeSeparation is set to | ||
689 | ``sandbox'' then the pre-authentication unprivileged process is | ||
690 | subject to additional restrictions. | ||
691 | |||
692 | VersionAddendum | ||
693 | Optionally specifies additional text to append to the SSH | ||
694 | protocol banner sent by the server upon connection. The default | ||
695 | is ``none''. | ||
696 | |||
697 | X11DisplayOffset | ||
698 | Specifies the first display number available for sshd(8)'s X11 | ||
699 | forwarding. This prevents sshd from interfering with real X11 | ||
700 | servers. The default is 10. | ||
701 | |||
702 | X11Forwarding | ||
703 | Specifies whether X11 forwarding is permitted. The argument must | ||
704 | be ``yes'' or ``no''. The default is ``no''. | ||
705 | |||
706 | When X11 forwarding is enabled, there may be additional exposure | ||
707 | to the server and to client displays if the sshd(8) proxy display | ||
708 | is configured to listen on the wildcard address (see | ||
709 | X11UseLocalhost below), though this is not the default. | ||
710 | Additionally, the authentication spoofing and authentication data | ||
711 | verification and substitution occur on the client side. The | ||
712 | security risk of using X11 forwarding is that the client's X11 | ||
713 | display server may be exposed to attack when the SSH client | ||
714 | requests forwarding (see the warnings for ForwardX11 in | ||
715 | ssh_config(5)). A system administrator may have a stance in | ||
716 | which they want to protect clients that may expose themselves to | ||
717 | attack by unwittingly requesting X11 forwarding, which can | ||
718 | warrant a ``no'' setting. | ||
719 | |||
720 | Note that disabling X11 forwarding does not prevent users from | ||
721 | forwarding X11 traffic, as users can always install their own | ||
722 | forwarders. X11 forwarding is automatically disabled if UseLogin | ||
723 | is enabled. | ||
724 | |||
725 | X11UseLocalhost | ||
726 | Specifies whether sshd(8) should bind the X11 forwarding server | ||
727 | to the loopback address or to the wildcard address. By default, | ||
728 | sshd binds the forwarding server to the loopback address and sets | ||
729 | the hostname part of the DISPLAY environment variable to | ||
730 | ``localhost''. This prevents remote hosts from connecting to the | ||
731 | proxy display. However, some older X11 clients may not function | ||
732 | with this configuration. X11UseLocalhost may be set to ``no'' to | ||
733 | specify that the forwarding server should be bound to the | ||
734 | wildcard address. The argument must be ``yes'' or ``no''. The | ||
735 | default is ``yes''. | ||
736 | |||
737 | XAuthLocation | ||
738 | Specifies the full pathname of the xauth(1) program. The default | ||
739 | is /usr/X11R6/bin/xauth. | ||
740 | |||
741 | TIME FORMATS | ||
742 | sshd(8) command-line arguments and configuration file options that | ||
743 | specify time may be expressed using a sequence of the form: | ||
744 | time[qualifier], where time is a positive integer value and qualifier is | ||
745 | one of the following: | ||
746 | |||
747 | <none> seconds | ||
748 | s | S seconds | ||
749 | m | M minutes | ||
750 | h | H hours | ||
751 | d | D days | ||
752 | w | W weeks | ||
753 | |||
754 | Each member of the sequence is added together to calculate the total time | ||
755 | value. | ||
756 | |||
757 | Time format examples: | ||
758 | |||
759 | 600 600 seconds (10 minutes) | ||
760 | 10m 10 minutes | ||
761 | 1h30m 1 hour 30 minutes (90 minutes) | ||
762 | |||
763 | FILES | ||
764 | /etc/ssh/sshd_config | ||
765 | Contains configuration data for sshd(8). This file should be | ||
766 | writable by root only, but it is recommended (though not | ||
767 | necessary) that it be world-readable. | ||
768 | |||
769 | SEE ALSO | ||
770 | sshd(8) | ||
771 | |||
772 | AUTHORS | ||
773 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
774 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
775 | de Raadt and Dug Song removed many bugs, re-added newer features and | ||
776 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
777 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | ||
778 | for privilege separation. | ||
779 | |||
780 | OpenBSD 5.3 February 6, 2013 OpenBSD 5.3 | ||