Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 360 |
1 files changed, 200 insertions, 160 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 1c82d449f..be48e1364 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -1,7 +1,7 @@ | |||
1 | SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5) | 1 | SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | sshd_config - OpenSSH SSH daemon configuration file | 4 | sshd_config M-bM-^@M-^S OpenSSH SSH daemon configuration file |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | /etc/ssh/sshd_config | 7 | /etc/ssh/sshd_config |
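Review bot: the regenerated page switches from plain ASCII to UTF-8 typographic characters (the en-dash in line 4 and the curly quotes throughout, visible here as the M-bM-^@M-^S and M-bM-^@M-^\ ... M-bM-^@M-^] escape sequences) where the old text used `-` and ``''. Because the .0 files are preformatted text that is shipped and displayed as-is, these bytes will render as mojibake in non-UTF-8 locales and in pagers that do not handle multibyte output. Suggest regenerating with ASCII output, or confirming that the encoding change is intentional and applied consistently to every shipped .0 page so the man pages do not end up mixing the two conventions.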
@@ -9,7 +9,7 @@ SYNOPSIS | |||
9 | DESCRIPTION | 9 | DESCRIPTION |
10 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file | 10 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file |
11 | specified with -f on the command line). The file contains keyword- | 11 | specified with -f on the command line). The file contains keyword- |
12 | argument pairs, one per line. Lines starting with `#' and empty lines | 12 | argument pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines |
13 | are interpreted as comments. Arguments may optionally be enclosed in | 13 | are interpreted as comments. Arguments may optionally be enclosed in |
14 | double quotes (") in order to represent arguments containing spaces. | 14 | double quotes (") in order to represent arguments containing spaces. |
15 | 15 | ||
@@ -22,7 +22,7 @@ DESCRIPTION | |||
22 | ssh_config(5) for how to configure the client. Note that | 22 | ssh_config(5) for how to configure the client. Note that |
23 | environment passing is only supported for protocol 2. Variables | 23 | environment passing is only supported for protocol 2. Variables |
24 | are specified by name, which may contain the wildcard characters | 24 | are specified by name, which may contain the wildcard characters |
25 | `*' and `?'. Multiple environment variables may be separated by | 25 | M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be separated by |
26 | whitespace or spread across multiple AcceptEnv directives. Be | 26 | whitespace or spread across multiple AcceptEnv directives. Be |
27 | warned that some environment variables could be used to bypass | 27 | warned that some environment variables could be used to bypass |
28 | restricted user environments. For this reason, care should be | 28 | restricted user environments. For this reason, care should be |
@@ -31,14 +31,14 @@ DESCRIPTION | |||
31 | 31 | ||
32 | AddressFamily | 32 | AddressFamily |
33 | Specifies which address family should be used by sshd(8). Valid | 33 | Specifies which address family should be used by sshd(8). Valid |
34 | arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' | 34 | arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 |
35 | (use IPv6 only). The default is ``any''. | 35 | only). The default is M-bM-^@M-^\anyM-bM-^@M-^]. |
36 | 36 | ||
37 | AllowAgentForwarding | 37 | AllowAgentForwarding |
38 | Specifies whether ssh-agent(1) forwarding is permitted. The | 38 | Specifies whether ssh-agent(1) forwarding is permitted. The |
39 | default is ``yes''. Note that disabling agent forwarding does | 39 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling agent forwarding does not |
40 | not improve security unless users are also denied shell access, | 40 | improve security unless users are also denied shell access, as |
41 | as they can always install their own forwarders. | 41 | they can always install their own forwarders. |
42 | 42 | ||
43 | AllowGroups | 43 | AllowGroups |
44 | This keyword can be followed by a list of group name patterns, | 44 | This keyword can be followed by a list of group name patterns, |
@@ -54,21 +54,21 @@ DESCRIPTION | |||
54 | 54 | ||
55 | AllowTcpForwarding | 55 | AllowTcpForwarding |
56 | Specifies whether TCP forwarding is permitted. The available | 56 | Specifies whether TCP forwarding is permitted. The available |
57 | options are ``yes'' or ``all'' to allow TCP forwarding, ``no'' to | 57 | options are M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\allM-bM-^@M-^] to allow TCP forwarding, M-bM-^@M-^\noM-bM-^@M-^] to |
58 | prevent all TCP forwarding, ``local'' to allow local (from the | 58 | prevent all TCP forwarding, M-bM-^@M-^\localM-bM-^@M-^] to allow local (from the |
59 | perspective of ssh(1)) forwarding only or ``remote'' to allow | 59 | perspective of ssh(1)) forwarding only or M-bM-^@M-^\remoteM-bM-^@M-^] to allow |
60 | remote forwarding only. The default is ``yes''. Note that | 60 | remote forwarding only. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that |
61 | disabling TCP forwarding does not improve security unless users | 61 | disabling TCP forwarding does not improve security unless users |
62 | are also denied shell access, as they can always install their | 62 | are also denied shell access, as they can always install their |
63 | own forwarders. | 63 | own forwarders. |
64 | 64 | ||
65 | AllowStreamLocalForwarding | 65 | AllowStreamLocalForwarding |
66 | Specifies whether StreamLocal (Unix-domain socket) forwarding is | 66 | Specifies whether StreamLocal (Unix-domain socket) forwarding is |
67 | permitted. The available options are ``yes'' or ``all'' to allow | 67 | permitted. The available options are M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\allM-bM-^@M-^] to allow |
68 | StreamLocal forwarding, ``no'' to prevent all StreamLocal | 68 | StreamLocal forwarding, M-bM-^@M-^\noM-bM-^@M-^] to prevent all StreamLocal |
69 | forwarding, ``local'' to allow local (from the perspective of | 69 | forwarding, M-bM-^@M-^\localM-bM-^@M-^] to allow local (from the perspective of |
70 | ssh(1)) forwarding only or ``remote'' to allow remote forwarding | 70 | ssh(1)) forwarding only or M-bM-^@M-^\remoteM-bM-^@M-^] to allow remote forwarding |
71 | only. The default is ``yes''. Note that disabling StreamLocal | 71 | only. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling StreamLocal |
72 | forwarding does not improve security unless users are also denied | 72 | forwarding does not improve security unless users are also denied |
73 | shell access, as they can always install their own forwarders. | 73 | shell access, as they can always install their own forwarders. |
74 | 74 | ||
@@ -92,8 +92,8 @@ DESCRIPTION | |||
92 | method names. Successful authentication requires completion of | 92 | method names. Successful authentication requires completion of |
93 | every method in at least one of these lists. | 93 | every method in at least one of these lists. |
94 | 94 | ||
95 | For example, an argument of ``publickey,password | 95 | For example, an argument of M-bM-^@M-^\publickey,password |
96 | publickey,keyboard-interactive'' would require the user to | 96 | publickey,keyboard-interactiveM-bM-^@M-^] would require the user to |
97 | complete public key authentication, followed by either password | 97 | complete public key authentication, followed by either password |
98 | or keyboard interactive authentication. Only methods that are | 98 | or keyboard interactive authentication. Only methods that are |
99 | next in one or more lists are offered at each stage, so for this | 99 | next in one or more lists are offered at each stage, so for this |
@@ -102,10 +102,16 @@ DESCRIPTION | |||
102 | 102 | ||
103 | For keyboard interactive authentication it is also possible to | 103 | For keyboard interactive authentication it is also possible to |
104 | restrict authentication to a specific device by appending a colon | 104 | restrict authentication to a specific device by appending a colon |
105 | followed by the device identifier ``bsdauth'', ``pam'', or | 105 | followed by the device identifier M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], or M-bM-^@M-^\skeyM-bM-^@M-^], |
106 | ``skey'', depending on the server configuration. For example, | 106 | depending on the server configuration. For example, |
107 | ``keyboard-interactive:bsdauth'' would restrict keyboard | 107 | M-bM-^@M-^\keyboard-interactive:bsdauthM-bM-^@M-^] would restrict keyboard |
108 | interactive authentication to the ``bsdauth'' device. | 108 | interactive authentication to the M-bM-^@M-^\bsdauthM-bM-^@M-^] device. |
109 | |||
110 | If the M-bM-^@M-^\publickeyM-bM-^@M-^] method is listed more than once, sshd(8) | ||
111 | verifies that keys that have been used successfully are not | ||
112 | reused for subsequent authentications. For example, an | ||
113 | AuthenticationMethods of M-bM-^@M-^\publickey,publickeyM-bM-^@M-^] will require | ||
114 | successful authentication using two different public keys. | ||
109 | 115 | ||
110 | This option is only available for SSH protocol 2 and will yield a | 116 | This option is only available for SSH protocol 2 and will yield a |
111 | fatal error if enabled if protocol 1 is also enabled. Note that | 117 | fatal error if enabled if protocol 1 is also enabled. Note that |
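Review bot: the new paragraph at lines 110-114 states that sshd(8) "verifies that keys that have been used successfully are not reused", but it does not say what the client observes when the same key is offered again: whether that attempt is rejected outright, or merely not counted toward the remaining method. Operators diagnosing a two-key login that stalls after the first key will look here first, so one sentence stating the observable outcome would make the "publickey,publickey" example actionable. Separately, the unchanged context at line 117 ("fatal error if enabled if protocol 1 is also enabled") stacks two "if" clauses; since this is generated output, the wording fix belongs in the sshd_config.5 source.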
@@ -129,7 +135,9 @@ DESCRIPTION | |||
129 | AuthorizedKeysCommandUser | 135 | AuthorizedKeysCommandUser |
130 | Specifies the user under whose account the AuthorizedKeysCommand | 136 | Specifies the user under whose account the AuthorizedKeysCommand |
131 | is run. It is recommended to use a dedicated user that has no | 137 | is run. It is recommended to use a dedicated user that has no |
132 | other role on the host than running authorized keys commands. | 138 | other role on the host than running authorized keys commands. If |
139 | AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser | ||
140 | is not, then sshd(8) will refuse to start. | ||
133 | 141 | ||
134 | AuthorizedKeysFile | 142 | AuthorizedKeysFile |
135 | Specifies the file that contains the public keys that can be used | 143 | Specifies the file that contains the public keys that can be used |
@@ -143,7 +151,7 @@ DESCRIPTION | |||
143 | AuthorizedKeysFile is taken to be an absolute path or one | 151 | AuthorizedKeysFile is taken to be an absolute path or one |
144 | relative to the user's home directory. Multiple files may be | 152 | relative to the user's home directory. Multiple files may be |
145 | listed, separated by whitespace. The default is | 153 | listed, separated by whitespace. The default is |
146 | ``.ssh/authorized_keys .ssh/authorized_keys2''. | 154 | M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. |
147 | 155 | ||
148 | AuthorizedPrincipalsFile | 156 | AuthorizedPrincipalsFile |
149 | Specifies a file that lists principal names that are accepted for | 157 | Specifies a file that lists principal names that are accepted for |
@@ -152,7 +160,7 @@ DESCRIPTION | |||
152 | which must appear in the certificate for it to be accepted for | 160 | which must appear in the certificate for it to be accepted for |
153 | authentication. Names are listed one per line preceded by key | 161 | authentication. Names are listed one per line preceded by key |
154 | options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). | 162 | options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). |
155 | Empty lines and comments starting with `#' are ignored. | 163 | Empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are ignored. |
156 | 164 | ||
157 | AuthorizedPrincipalsFile may contain tokens of the form %T which | 165 | AuthorizedPrincipalsFile may contain tokens of the form %T which |
158 | are substituted during connection setup. The following tokens | 166 | are substituted during connection setup. The following tokens |
@@ -162,7 +170,7 @@ DESCRIPTION | |||
162 | AuthorizedPrincipalsFile is taken to be an absolute path or one | 170 | AuthorizedPrincipalsFile is taken to be an absolute path or one |
163 | relative to the user's home directory. | 171 | relative to the user's home directory. |
164 | 172 | ||
165 | The default is ``none'', i.e. not to use a principals file - in | 173 | The default is M-bM-^@M-^\noneM-bM-^@M-^], i.e. not to use a principals file M-bM-^@M-^S in |
166 | this case, the username of the user must appear in a | 174 | this case, the username of the user must appear in a |
167 | certificate's principals list for it to be accepted. Note that | 175 | certificate's principals list for it to be accepted. Note that |
168 | AuthorizedPrincipalsFile is only used when authentication | 176 | AuthorizedPrincipalsFile is only used when authentication |
@@ -172,21 +180,22 @@ DESCRIPTION | |||
172 | a similar facility (see sshd(8) for details). | 180 | a similar facility (see sshd(8) for details). |
173 | 181 | ||
174 | Banner The contents of the specified file are sent to the remote user | 182 | Banner The contents of the specified file are sent to the remote user |
175 | before authentication is allowed. If the argument is ``none'' | 183 | before authentication is allowed. If the argument is M-bM-^@M-^\noneM-bM-^@M-^] then |
176 | then no banner is displayed. This option is only available for | 184 | no banner is displayed. This option is only available for |
177 | protocol version 2. By default, no banner is displayed. | 185 | protocol version 2. By default, no banner is displayed. |
178 | 186 | ||
179 | ChallengeResponseAuthentication | 187 | ChallengeResponseAuthentication |
180 | Specifies whether challenge-response authentication is allowed | 188 | Specifies whether challenge-response authentication is allowed |
181 | (e.g. via PAM or through authentication styles supported in | 189 | (e.g. via PAM or through authentication styles supported in |
182 | login.conf(5)) The default is ``yes''. | 190 | login.conf(5)) The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
183 | 191 | ||
184 | ChrootDirectory | 192 | ChrootDirectory |
185 | Specifies the pathname of a directory to chroot(2) to after | 193 | Specifies the pathname of a directory to chroot(2) to after |
186 | authentication. All components of the pathname must be root- | 194 | authentication. At session startup sshd(8) checks that all |
187 | owned directories that are not writable by any other user or | 195 | components of the pathname are root-owned directories which are |
188 | group. After the chroot, sshd(8) changes the working directory | 196 | not writable by any other user or group. After the chroot, |
189 | to the user's home directory. | 197 | sshd(8) changes the working directory to the user's home |
198 | directory. | ||
190 | 199 | ||
191 | The pathname may contain the following tokens that are expanded | 200 | The pathname may contain the following tokens that are expanded |
192 | at runtime once the connecting user has been authenticated: %% is | 201 | at runtime once the connecting user has been authenticated: %% is |
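Review bot: the ChrootDirectory rewording at lines 194-196 is an improvement because it now describes what sshd(8) actually enforces ("At session startup sshd(8) checks that all components ... are root-owned directories which are not writable by any other user or group") rather than stating a bare requirement; readers can tell that a violation is detected rather than silently tolerated. Two style nits for the .5 source: "directories which are not writable" reads better as "directories that are not writable", and the unchanged context at line 190, "login.conf(5)) The default is", is missing the period after the closing parenthesis.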
@@ -198,12 +207,17 @@ DESCRIPTION | |||
198 | directories to support the user's session. For an interactive | 207 | directories to support the user's session. For an interactive |
199 | session this requires at least a shell, typically sh(1), and | 208 | session this requires at least a shell, typically sh(1), and |
200 | basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), | 209 | basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), |
201 | stderr(4), arandom(4) and tty(4) devices. For file transfer | 210 | stderr(4), and tty(4) devices. For file transfer sessions using |
202 | sessions using ``sftp'', no additional configuration of the | 211 | M-bM-^@M-^\sftpM-bM-^@M-^], no additional configuration of the environment is |
203 | environment is necessary if the in-process sftp server is used, | 212 | necessary if the in-process sftp server is used, though sessions |
204 | though sessions which use logging may require /dev/log inside the | 213 | which use logging may require /dev/log inside the chroot |
205 | chroot directory on some operating systems (see sftp-server(8) | 214 | directory on some operating systems (see sftp-server(8) for |
206 | for details). | 215 | details). |
216 | |||
217 | For safety, it is very important that the directory hierarchy be | ||
218 | prevented from modification by other processes on the system | ||
219 | (especially those outside the jail). Misconfiguration can lead | ||
220 | to unsafe environments which sshd(8) cannot detect. | ||
207 | 221 | ||
208 | The default is not to chroot(2). | 222 | The default is not to chroot(2). |
209 | 223 | ||
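Review bot: line 210 drops arandom(4) from the list of /dev nodes that an interactive chroot session needs, and this substantive change is easy to miss among the surrounding reflow and quote edits. Please confirm it is intentional (that is, that sshd and the user's shell no longer require that node inside the jail) and that the sshd_config.5 source was changed to match, since the .0 is generated from it. The new paragraph at lines 217-220 is welcome: making explicit that the directory hierarchy must be protected from modification by other processes and that sshd(8) cannot detect a misconfigured jail is exactly the caveat an administrator setting up sftp-only chroots needs to see.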
@@ -234,7 +248,7 @@ DESCRIPTION | |||
234 | chacha20-poly1305@openssh.com | 248 | chacha20-poly1305@openssh.com |
235 | 249 | ||
236 | The list of available ciphers may also be obtained using the -Q | 250 | The list of available ciphers may also be obtained using the -Q |
237 | option of ssh(1). | 251 | option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. |
238 | 252 | ||
239 | ClientAliveCountMax | 253 | ClientAliveCountMax |
240 | Sets the number of client alive messages (see below) which may be | 254 | Sets the number of client alive messages (see below) which may be |
@@ -264,8 +278,8 @@ DESCRIPTION | |||
264 | 278 | ||
265 | Compression | 279 | Compression |
266 | Specifies whether compression is allowed, or delayed until the | 280 | Specifies whether compression is allowed, or delayed until the |
267 | user has authenticated successfully. The argument must be | 281 | user has authenticated successfully. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], |
268 | ``yes'', ``delayed'', or ``no''. The default is ``delayed''. | 282 | M-bM-^@M-^\delayedM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\delayedM-bM-^@M-^]. |
269 | 283 | ||
270 | DenyGroups | 284 | DenyGroups |
271 | This keyword can be followed by a list of group name patterns, | 285 | This keyword can be followed by a list of group name patterns, |
@@ -291,6 +305,10 @@ DESCRIPTION | |||
291 | 305 | ||
292 | See PATTERNS in ssh_config(5) for more information on patterns. | 306 | See PATTERNS in ssh_config(5) for more information on patterns. |
293 | 307 | ||
308 | FingerprintHash | ||
309 | Specifies the hash algorithm used when logging key fingerprints. | ||
310 | Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The default is M-bM-^@M-^\sha256M-bM-^@M-^]. | ||
311 | |||
294 | ForceCommand | 312 | ForceCommand |
295 | Forces the execution of the command specified by ForceCommand, | 313 | Forces the execution of the command specified by ForceCommand, |
296 | ignoring any command supplied by the client and ~/.ssh/rc if | 314 | ignoring any command supplied by the client and ~/.ssh/rc if |
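Review bot: the new FingerprintHash entry at lines 308-310 says the option applies "when logging key fingerprints" but the phrasing "Valid options are: md5 and sha256" departs from the style of neighbouring entries, which say "The argument must be ... or ..." without a colon; suggest aligning it. It would also help operators to state that "md5" is retained for compatibility with existing tooling and log parsers, and that fingerprints are only comparable across hosts and logs when the same algorithm is configured everywhere, since a sha256 and an md5 fingerprint of the same key will never match.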
@@ -299,7 +317,7 @@ DESCRIPTION | |||
299 | execution. It is most useful inside a Match block. The command | 317 | execution. It is most useful inside a Match block. The command |
300 | originally supplied by the client is available in the | 318 | originally supplied by the client is available in the |
301 | SSH_ORIGINAL_COMMAND environment variable. Specifying a command | 319 | SSH_ORIGINAL_COMMAND environment variable. Specifying a command |
302 | of ``internal-sftp'' will force the use of an in-process sftp | 320 | of M-bM-^@M-^\internal-sftpM-bM-^@M-^] will force the use of an in-process sftp |
303 | server that requires no support files when used with | 321 | server that requires no support files when used with |
304 | ChrootDirectory. | 322 | ChrootDirectory. |
305 | 323 | ||
@@ -310,37 +328,43 @@ DESCRIPTION | |||
310 | hosts from connecting to forwarded ports. GatewayPorts can be | 328 | hosts from connecting to forwarded ports. GatewayPorts can be |
311 | used to specify that sshd should allow remote port forwardings to | 329 | used to specify that sshd should allow remote port forwardings to |
312 | bind to non-loopback addresses, thus allowing other hosts to | 330 | bind to non-loopback addresses, thus allowing other hosts to |
313 | connect. The argument may be ``no'' to force remote port | 331 | connect. The argument may be M-bM-^@M-^\noM-bM-^@M-^] to force remote port |
314 | forwardings to be available to the local host only, ``yes'' to | 332 | forwardings to be available to the local host only, M-bM-^@M-^\yesM-bM-^@M-^] to |
315 | force remote port forwardings to bind to the wildcard address, or | 333 | force remote port forwardings to bind to the wildcard address, or |
316 | ``clientspecified'' to allow the client to select the address to | 334 | M-bM-^@M-^\clientspecifiedM-bM-^@M-^] to allow the client to select the address to |
317 | which the forwarding is bound. The default is ``no''. | 335 | which the forwarding is bound. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
318 | 336 | ||
319 | GSSAPIAuthentication | 337 | GSSAPIAuthentication |
320 | Specifies whether user authentication based on GSSAPI is allowed. | 338 | Specifies whether user authentication based on GSSAPI is allowed. |
321 | The default is ``no''. Note that this option applies to protocol | 339 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol |
322 | version 2 only. | 340 | version 2 only. |
323 | 341 | ||
324 | GSSAPICleanupCredentials | 342 | GSSAPICleanupCredentials |
325 | Specifies whether to automatically destroy the user's credentials | 343 | Specifies whether to automatically destroy the user's credentials |
326 | cache on logout. The default is ``yes''. Note that this option | 344 | cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option |
327 | applies to protocol version 2 only. | 345 | applies to protocol version 2 only. |
328 | 346 | ||
347 | HostbasedAcceptedKeyTypes | ||
348 | Specifies the key types that will be accepted for hostbased | ||
349 | authentication as a comma-separated pattern list. The default | ||
350 | M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be | ||
351 | used to list supported key types. | ||
352 | |||
329 | HostbasedAuthentication | 353 | HostbasedAuthentication |
330 | Specifies whether rhosts or /etc/hosts.equiv authentication | 354 | Specifies whether rhosts or /etc/hosts.equiv authentication |
331 | together with successful public key client host authentication is | 355 | together with successful public key client host authentication is |
332 | allowed (host-based authentication). This option is similar to | 356 | allowed (host-based authentication). This option is similar to |
333 | RhostsRSAAuthentication and applies to protocol version 2 only. | 357 | RhostsRSAAuthentication and applies to protocol version 2 only. |
334 | The default is ``no''. | 358 | The default is M-bM-^@M-^\noM-bM-^@M-^]. |
335 | 359 | ||
336 | HostbasedUsesNameFromPacketOnly | 360 | HostbasedUsesNameFromPacketOnly |
337 | Specifies whether or not the server will attempt to perform a | 361 | Specifies whether or not the server will attempt to perform a |
338 | reverse name lookup when matching the name in the ~/.shosts, | 362 | reverse name lookup when matching the name in the ~/.shosts, |
339 | ~/.rhosts, and /etc/hosts.equiv files during | 363 | ~/.rhosts, and /etc/hosts.equiv files during |
340 | HostbasedAuthentication. A setting of ``yes'' means that sshd(8) | 364 | HostbasedAuthentication. A setting of M-bM-^@M-^\yesM-bM-^@M-^] means that sshd(8) |
341 | uses the name supplied by the client rather than attempting to | 365 | uses the name supplied by the client rather than attempting to |
342 | resolve the name from the TCP connection itself. The default is | 366 | resolve the name from the TCP connection itself. The default is |
343 | ``no''. | 367 | M-bM-^@M-^\noM-bM-^@M-^]. |
344 | 368 | ||
345 | HostCertificate | 369 | HostCertificate |
346 | Specifies a file containing a public host certificate. The | 370 | Specifies a file containing a public host certificate. The |
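Review bot: the new HostbasedAcceptedKeyTypes entry at lines 347-351 says "The -Q option of ssh(1) may be used to list supported key types" without naming the argument, whereas the Ciphers, KexAlgorithms and MACs entries in this same change were updated to state their -Q argument explicitly ("cipher", "kex", "mac"); for consistency, state the corresponding argument here as well. The entry also documents that the default pattern "*" accepts all key types, which is correct to call out, because an administrator restricting host-based authentication to particular key types must set this explicitly rather than rely on the default.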
@@ -355,70 +379,69 @@ DESCRIPTION | |||
355 | /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for | 379 | /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for |
356 | protocol version 2. Note that sshd(8) will refuse to use a file | 380 | protocol version 2. Note that sshd(8) will refuse to use a file |
357 | if it is group/world-accessible. It is possible to have multiple | 381 | if it is group/world-accessible. It is possible to have multiple |
358 | host key files. ``rsa1'' keys are used for version 1 and | 382 | host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], |
359 | ``dsa'', ``ecdsa'', ``ed25519'' or ``rsa'' are used for version 2 | 383 | M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are used for version 2 of the SSH |
360 | of the SSH protocol. It is also possible to specify public host | 384 | protocol. It is also possible to specify public host key files |
361 | key files instead. In this case operations on the private key | 385 | instead. In this case operations on the private key will be |
362 | will be delegated to an ssh-agent(1). | 386 | delegated to an ssh-agent(1). |
363 | 387 | ||
364 | HostKeyAgent | 388 | HostKeyAgent |
365 | Identifies the UNIX-domain socket used to communicate with an | 389 | Identifies the UNIX-domain socket used to communicate with an |
366 | agent that has access to the private host keys. If | 390 | agent that has access to the private host keys. If |
367 | ``SSH_AUTH_SOCK'' is specified, the location of the socket will | 391 | M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be |
368 | be read from the SSH_AUTH_SOCK environment variable. | 392 | read from the SSH_AUTH_SOCK environment variable. |
369 | 393 | ||
370 | IgnoreRhosts | 394 | IgnoreRhosts |
371 | Specifies that .rhosts and .shosts files will not be used in | 395 | Specifies that .rhosts and .shosts files will not be used in |
372 | RhostsRSAAuthentication or HostbasedAuthentication. | 396 | RhostsRSAAuthentication or HostbasedAuthentication. |
373 | 397 | ||
374 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The | 398 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The |
375 | default is ``yes''. | 399 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
376 | 400 | ||
377 | IgnoreUserKnownHosts | 401 | IgnoreUserKnownHosts |
378 | Specifies whether sshd(8) should ignore the user's | 402 | Specifies whether sshd(8) should ignore the user's |
379 | ~/.ssh/known_hosts during RhostsRSAAuthentication or | 403 | ~/.ssh/known_hosts during RhostsRSAAuthentication or |
380 | HostbasedAuthentication. The default is ``no''. | 404 | HostbasedAuthentication. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
381 | 405 | ||
382 | IPQoS Specifies the IPv4 type-of-service or DSCP class for the | 406 | IPQoS Specifies the IPv4 type-of-service or DSCP class for the |
383 | connection. Accepted values are ``af11'', ``af12'', ``af13'', | 407 | connection. Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], |
384 | ``af21'', ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', | 408 | M-bM-^@M-^\af22M-bM-^@M-^], M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], |
385 | ``af41'', ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'', | 409 | M-bM-^@M-^\cs0M-bM-^@M-^], M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^], |
386 | ``cs4'', ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'', | 410 | M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value. |
387 | ``throughput'', ``reliability'', or a numeric value. This option | 411 | This option may take one or two arguments, separated by |
388 | may take one or two arguments, separated by whitespace. If one | 412 | whitespace. If one argument is specified, it is used as the |
389 | argument is specified, it is used as the packet class | 413 | packet class unconditionally. If two values are specified, the |
390 | unconditionally. If two values are specified, the first is | 414 | first is automatically selected for interactive sessions and the |
391 | automatically selected for interactive sessions and the second | 415 | second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^] |
392 | for non-interactive sessions. The default is ``lowdelay'' for | 416 | for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive |
393 | interactive sessions and ``throughput'' for non-interactive | ||
394 | sessions. | 417 | sessions. |
395 | 418 | ||
396 | KbdInteractiveAuthentication | 419 | KbdInteractiveAuthentication |
397 | Specifies whether to allow keyboard-interactive authentication. | 420 | Specifies whether to allow keyboard-interactive authentication. |
398 | The argument to this keyword must be ``yes'' or ``no''. The | 421 | The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default |
399 | default is to use whatever value ChallengeResponseAuthentication | 422 | is to use whatever value ChallengeResponseAuthentication is set |
400 | is set to (by default ``yes''). | 423 | to (by default M-bM-^@M-^\yesM-bM-^@M-^]). |
401 | 424 | ||
402 | KerberosAuthentication | 425 | KerberosAuthentication |
403 | Specifies whether the password provided by the user for | 426 | Specifies whether the password provided by the user for |
404 | PasswordAuthentication will be validated through the Kerberos | 427 | PasswordAuthentication will be validated through the Kerberos |
405 | KDC. To use this option, the server needs a Kerberos servtab | 428 | KDC. To use this option, the server needs a Kerberos servtab |
406 | which allows the verification of the KDC's identity. The default | 429 | which allows the verification of the KDC's identity. The default |
407 | is ``no''. | 430 | is M-bM-^@M-^\noM-bM-^@M-^]. |
408 | 431 | ||
409 | KerberosGetAFSToken | 432 | KerberosGetAFSToken |
410 | If AFS is active and the user has a Kerberos 5 TGT, attempt to | 433 | If AFS is active and the user has a Kerberos 5 TGT, attempt to |
411 | acquire an AFS token before accessing the user's home directory. | 434 | acquire an AFS token before accessing the user's home directory. |
412 | The default is ``no''. | 435 | The default is M-bM-^@M-^\noM-bM-^@M-^]. |
413 | 436 | ||
414 | KerberosOrLocalPasswd | 437 | KerberosOrLocalPasswd |
415 | If password authentication through Kerberos fails then the | 438 | If password authentication through Kerberos fails then the |
416 | password will be validated via any additional local mechanism | 439 | password will be validated via any additional local mechanism |
417 | such as /etc/passwd. The default is ``yes''. | 440 | such as /etc/passwd. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
418 | 441 | ||
419 | KerberosTicketCleanup | 442 | KerberosTicketCleanup |
420 | Specifies whether to automatically destroy the user's ticket | 443 | Specifies whether to automatically destroy the user's ticket |
421 | cache file on logout. The default is ``yes''. | 444 | cache file on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
422 | 445 | ||
423 | KexAlgorithms | 446 | KexAlgorithms |
424 | Specifies the available KEX (Key Exchange) algorithms. Multiple | 447 | Specifies the available KEX (Key Exchange) algorithms. Multiple |
@@ -441,6 +464,9 @@ DESCRIPTION | |||
441 | diffie-hellman-group-exchange-sha256, | 464 | diffie-hellman-group-exchange-sha256, |
442 | diffie-hellman-group14-sha1 | 465 | diffie-hellman-group14-sha1 |
443 | 466 | ||
467 | The list of available key exchange algorithms may also be | ||
468 | obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. | ||
469 | |||
444 | KeyRegenerationInterval | 470 | KeyRegenerationInterval |
445 | In protocol version 1, the ephemeral server key is automatically | 471 | In protocol version 1, the ephemeral server key is automatically |
446 | regenerated after this many seconds (if it has been used). The | 472 | regenerated after this many seconds (if it has been used). The |
@@ -479,9 +505,9 @@ DESCRIPTION | |||
479 | MACs Specifies the available MAC (message authentication code) | 505 | MACs Specifies the available MAC (message authentication code) |
480 | algorithms. The MAC algorithm is used in protocol version 2 for | 506 | algorithms. The MAC algorithm is used in protocol version 2 for |
481 | data integrity protection. Multiple algorithms must be comma- | 507 | data integrity protection. Multiple algorithms must be comma- |
482 | separated. The algorithms that contain ``-etm'' calculate the | 508 | separated. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC |
483 | MAC after encryption (encrypt-then-mac). These are considered | 509 | after encryption (encrypt-then-mac). These are considered safer |
484 | safer and their use recommended. The supported MACs are: | 510 | and their use recommended. The supported MACs are: |
485 | 511 | ||
486 | hmac-md5 | 512 | hmac-md5 |
487 | hmac-md5-96 | 513 | hmac-md5-96 |
@@ -509,12 +535,15 @@ DESCRIPTION | |||
509 | umac-64@openssh.com,umac-128@openssh.com, | 535 | umac-64@openssh.com,umac-128@openssh.com, |
510 | hmac-sha2-256,hmac-sha2-512 | 536 | hmac-sha2-256,hmac-sha2-512 |
511 | 537 | ||
538 | The list of available MAC algorithms may also be obtained using | ||
539 | the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. | ||
540 | |||
512 | Match Introduces a conditional block. If all of the criteria on the | 541 | Match Introduces a conditional block. If all of the criteria on the |
513 | Match line are satisfied, the keywords on the following lines | 542 | Match line are satisfied, the keywords on the following lines |
514 | override those set in the global section of the config file, | 543 | override those set in the global section of the config file, |
515 | until either another Match line or the end of the file. If a | 544 | until either another Match line or the end of the file. If a |
516 | keyword appears in multiple Match blocks that are satisified, | 545 | keyword appears in multiple Match blocks that are satisfied, only |
517 | only the first instance of the keyword is applied. | 546 | the first instance of the keyword is applied. |
518 | 547 | ||
519 | The arguments to Match are one or more criteria-pattern pairs or | 548 | The arguments to Match are one or more criteria-pattern pairs or |
520 | the single token All which matches all criteria. The available | 549 | the single token All which matches all criteria. The available |
@@ -525,25 +554,28 @@ DESCRIPTION | |||
525 | 554 | ||
526 | The patterns in an Address criteria may additionally contain | 555 | The patterns in an Address criteria may additionally contain |
527 | addresses to match in CIDR address/masklen format, e.g. | 556 | addresses to match in CIDR address/masklen format, e.g. |
528 | ``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask | 557 | M-bM-^@M-^\192.0.2.0/24M-bM-^@M-^] or M-bM-^@M-^\3ffe:ffff::/32M-bM-^@M-^]. Note that the mask length |
529 | length provided must be consistent with the address - it is an | 558 | provided must be consistent with the address - it is an error to |
530 | error to specify a mask length that is too long for the address | 559 | specify a mask length that is too long for the address or one |
531 | or one with bits set in this host portion of the address. For | 560 | with bits set in this host portion of the address. For example, |
532 | example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively. | 561 | M-bM-^@M-^\192.0.2.0/33M-bM-^@M-^] and M-bM-^@M-^\192.0.2.0/8M-bM-^@M-^] respectively. |
533 | 562 | ||
534 | Only a subset of keywords may be used on the lines following a | 563 | Only a subset of keywords may be used on the lines following a |
535 | Match keyword. Available keywords are AcceptEnv, | 564 | Match keyword. Available keywords are AcceptEnv, |
536 | AllowAgentForwarding, AllowGroups, AllowTcpForwarding, | 565 | AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, |
537 | AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, | 566 | AllowTcpForwarding, AllowUsers, AuthenticationMethods, |
538 | AuthorizedKeysCommandUser, AuthorizedKeysFile, | 567 | AuthorizedKeysCommand, AuthorizedKeysCommandUser, |
539 | AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups, | 568 | AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, |
540 | DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication, | 569 | ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, |
541 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, | 570 | GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, |
571 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, | ||
542 | KbdInteractiveAuthentication, KerberosAuthentication, | 572 | KbdInteractiveAuthentication, KerberosAuthentication, |
543 | MaxAuthTries, MaxSessions, PasswordAuthentication, | 573 | MaxAuthTries, MaxSessions, PasswordAuthentication, |
544 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, | 574 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, |
545 | PermitTunnel, PermitUserRC, PubkeyAuthentication, RekeyLimit, | 575 | PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, |
546 | RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, | 576 | PubkeyAuthentication, RekeyLimit, RevokedKeys, |
577 | RhostsRSAAuthentication, RSAAuthentication, StreamLocalBindMask, | ||
578 | StreamLocalBindUnlink, TrustedUserCAKeys, X11DisplayOffset, | ||
547 | X11Forwarding and X11UseLocalHost. | 579 | X11Forwarding and X11UseLocalHost. |
548 | 580 | ||
549 | MaxAuthTries | 581 | MaxAuthTries |
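Review bot: The Match keyword list at +565-578 gains HostbasedAcceptedKeyTypes, but nothing in this diff adds or touches a DESCRIPTION entry for it, whereas PubkeyAcceptedKeyTypes (also added here) gets its entry at +694 below. Confirm the HostbasedAcceptedKeyTypes entry exists earlier in the page so that every keyword listed as usable under Match is documented; the other additions (AllowStreamLocalForwarding, IPQoS, RevokedKeys, StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys) are inserted in correct alphabetical position.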
@@ -562,21 +594,21 @@ DESCRIPTION | |||
562 | expires for a connection. The default is 10:30:100. | 594 | expires for a connection. The default is 10:30:100. |
563 | 595 | ||
564 | Alternatively, random early drop can be enabled by specifying the | 596 | Alternatively, random early drop can be enabled by specifying the |
565 | three colon separated values ``start:rate:full'' (e.g. | 597 | three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g. "10:30:60"). |
566 | "10:30:60"). sshd(8) will refuse connection attempts with a | 598 | sshd(8) will refuse connection attempts with a probability of |
567 | probability of ``rate/100'' (30%) if there are currently | 599 | M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10) |
568 | ``start'' (10) unauthenticated connections. The probability | 600 | unauthenticated connections. The probability increases linearly |
569 | increases linearly and all connection attempts are refused if the | 601 | and all connection attempts are refused if the number of |
570 | number of unauthenticated connections reaches ``full'' (60). | 602 | unauthenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). |
571 | 603 | ||
572 | PasswordAuthentication | 604 | PasswordAuthentication |
573 | Specifies whether password authentication is allowed. The | 605 | Specifies whether password authentication is allowed. The |
574 | default is ``yes''. | 606 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
575 | 607 | ||
576 | PermitEmptyPasswords | 608 | PermitEmptyPasswords |
577 | When password authentication is allowed, it specifies whether the | 609 | When password authentication is allowed, it specifies whether the |
578 | server allows login to accounts with empty password strings. The | 610 | server allows login to accounts with empty password strings. The |
579 | default is ``no''. | 611 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
580 | 612 | ||
581 | PermitOpen | 613 | PermitOpen |
582 | Specifies the destinations to which TCP port forwarding is | 614 | Specifies the destinations to which TCP port forwarding is |
@@ -588,47 +620,50 @@ DESCRIPTION | |||
588 | PermitOpen [IPv6_addr]:port | 620 | PermitOpen [IPv6_addr]:port |
589 | 621 | ||
590 | Multiple forwards may be specified by separating them with | 622 | Multiple forwards may be specified by separating them with |
591 | whitespace. An argument of ``any'' can be used to remove all | 623 | whitespace. An argument of M-bM-^@M-^\anyM-bM-^@M-^] can be used to remove all |
592 | restrictions and permit any forwarding requests. An argument of | 624 | restrictions and permit any forwarding requests. An argument of |
593 | ``none'' can be used to prohibit all forwarding requests. By | 625 | M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. By |
594 | default all port forwarding requests are permitted. | 626 | default all port forwarding requests are permitted. |
595 | 627 | ||
596 | PermitRootLogin | 628 | PermitRootLogin |
597 | Specifies whether root can log in using ssh(1). The argument | 629 | Specifies whether root can log in using ssh(1). The argument |
598 | must be ``yes'', ``without-password'', ``forced-commands-only'', | 630 | must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or |
599 | or ``no''. The default is ``yes''. | 631 | M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
600 | 632 | ||
601 | If this option is set to ``without-password'', password | 633 | If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^], password |
602 | authentication is disabled for root. | 634 | authentication is disabled for root. |
603 | 635 | ||
604 | If this option is set to ``forced-commands-only'', root login | 636 | If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with |
605 | with public key authentication will be allowed, but only if the | 637 | public key authentication will be allowed, but only if the |
606 | command option has been specified (which may be useful for taking | 638 | command option has been specified (which may be useful for taking |
607 | remote backups even if root login is normally not allowed). All | 639 | remote backups even if root login is normally not allowed). All |
608 | other authentication methods are disabled for root. | 640 | other authentication methods are disabled for root. |
609 | 641 | ||
610 | If this option is set to ``no'', root is not allowed to log in. | 642 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^], root is not allowed to log in. |
611 | 643 | ||
612 | PermitTunnel | 644 | PermitTunnel |
613 | Specifies whether tun(4) device forwarding is allowed. The | 645 | Specifies whether tun(4) device forwarding is allowed. The |
614 | argument must be ``yes'', ``point-to-point'' (layer 3), | 646 | argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), M-bM-^@M-^\ethernetM-bM-^@M-^] |
615 | ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' permits | 647 | (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] permits both |
616 | both ``point-to-point'' and ``ethernet''. The default is ``no''. | 648 | M-bM-^@M-^\point-to-pointM-bM-^@M-^] and M-bM-^@M-^\ethernetM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
649 | |||
650 | Independent of this setting, the permissions of the selected | ||
651 | tun(4) device must allow access to the user. | ||
617 | 652 | ||
618 | PermitTTY | 653 | PermitTTY |
619 | Specifies whether pty(4) allocation is permitted. The default is | 654 | Specifies whether pty(4) allocation is permitted. The default is |
620 | ``yes''. | 655 | M-bM-^@M-^\yesM-bM-^@M-^]. |
621 | 656 | ||
622 | PermitUserEnvironment | 657 | PermitUserEnvironment |
623 | Specifies whether ~/.ssh/environment and environment= options in | 658 | Specifies whether ~/.ssh/environment and environment= options in |
624 | ~/.ssh/authorized_keys are processed by sshd(8). The default is | 659 | ~/.ssh/authorized_keys are processed by sshd(8). The default is |
625 | ``no''. Enabling environment processing may enable users to | 660 | M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass |
626 | bypass access restrictions in some configurations using | 661 | access restrictions in some configurations using mechanisms such |
627 | mechanisms such as LD_PRELOAD. | 662 | as LD_PRELOAD. |
628 | 663 | ||
629 | PermitUserRC | 664 | PermitUserRC |
630 | Specifies whether any ~/.ssh/rc file is executed. The default is | 665 | Specifies whether any ~/.ssh/rc file is executed. The default is |
631 | ``yes''. | 666 | M-bM-^@M-^\yesM-bM-^@M-^]. |
632 | 667 | ||
633 | PidFile | 668 | PidFile |
634 | Specifies the file that contains the process ID of the SSH | 669 | Specifies the file that contains the process ID of the SSH |
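Review bot: The new PermitTunnel sentence at +650-651 reads "must allow access to the user"; "must allow access by the user" (or "must permit the user to open it") is clearer, since the point is that sshd(8) does not adjust the tun(4) device permissions itself and a PermitTunnel yes setting is not sufficient on its own. The rest of the hunk is reflow and quote changes only.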
@@ -641,24 +676,30 @@ DESCRIPTION | |||
641 | PrintLastLog | 676 | PrintLastLog |
642 | Specifies whether sshd(8) should print the date and time of the | 677 | Specifies whether sshd(8) should print the date and time of the |
643 | last user login when a user logs in interactively. The default | 678 | last user login when a user logs in interactively. The default |
644 | is ``yes''. | 679 | is M-bM-^@M-^\yesM-bM-^@M-^]. |
645 | 680 | ||
646 | PrintMotd | 681 | PrintMotd |
647 | Specifies whether sshd(8) should print /etc/motd when a user logs | 682 | Specifies whether sshd(8) should print /etc/motd when a user logs |
648 | in interactively. (On some systems it is also printed by the | 683 | in interactively. (On some systems it is also printed by the |
649 | shell, /etc/profile, or equivalent.) The default is ``yes''. | 684 | shell, /etc/profile, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
650 | 685 | ||
651 | Protocol | 686 | Protocol |
652 | Specifies the protocol versions sshd(8) supports. The possible | 687 | Specifies the protocol versions sshd(8) supports. The possible |
653 | values are `1' and `2'. Multiple versions must be comma- | 688 | values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple versions must be comma- |
654 | separated. The default is `2'. Note that the order of the | 689 | separated. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Note that the order of the |
655 | protocol list does not indicate preference, because the client | 690 | protocol list does not indicate preference, because the client |
656 | selects among multiple protocol versions offered by the server. | 691 | selects among multiple protocol versions offered by the server. |
657 | Specifying ``2,1'' is identical to ``1,2''. | 692 | Specifying M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. |
693 | |||
694 | PubkeyAcceptedKeyTypes | ||
695 | Specifies the key types that will be accepted for public key | ||
696 | authentication as a comma-separated pattern list. The default | ||
697 | M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be | ||
698 | used to list supported key types. | ||
658 | 699 | ||
659 | PubkeyAuthentication | 700 | PubkeyAuthentication |
660 | Specifies whether public key authentication is allowed. The | 701 | Specifies whether public key authentication is allowed. The |
661 | default is ``yes''. Note that this option applies to protocol | 702 | default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol |
662 | version 2 only. | 703 | version 2 only. |
663 | 704 | ||
664 | RekeyLimit | 705 | RekeyLimit |
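Review bot: The new PubkeyAcceptedKeyTypes entry at +694-698 says "The -Q option of ssh(1) may be used to list supported key types" without naming the query argument, while the parallel paragraphs added for KexAlgorithms (+467-468) and MACs (+538-539) spell out "kex" and "mac". For consistency, state the argument explicitly (the ssh(1) query keyword for key types is "key"), so the reader can run the same check for all three lists.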
@@ -666,12 +707,12 @@ DESCRIPTION | |||
666 | before the session key is renegotiated, optionally followed a | 707 | before the session key is renegotiated, optionally followed a |
667 | maximum amount of time that may pass before the session key is | 708 | maximum amount of time that may pass before the session key is |
668 | renegotiated. The first argument is specified in bytes and may | 709 | renegotiated. The first argument is specified in bytes and may |
669 | have a suffix of `K', `M', or `G' to indicate Kilobytes, | 710 | have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, |
670 | Megabytes, or Gigabytes, respectively. The default is between | 711 | Megabytes, or Gigabytes, respectively. The default is between |
671 | `1G' and `4G', depending on the cipher. The optional second | 712 | M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second |
672 | value is specified in seconds and may use any of the units | 713 | value is specified in seconds and may use any of the units |
673 | documented in the TIME FORMATS section. The default value for | 714 | documented in the TIME FORMATS section. The default value for |
674 | RekeyLimit is ``default none'', which means that rekeying is | 715 | RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that rekeying is |
675 | performed after the cipher's default amount of data has been sent | 716 | performed after the cipher's default amount of data has been sent |
676 | or received and no time based rekeying is done. This option | 717 | or received and no time based rekeying is done. This option |
677 | applies to protocol version 2 only. | 718 | applies to protocol version 2 only. |
@@ -688,12 +729,11 @@ DESCRIPTION | |||
688 | RhostsRSAAuthentication | 729 | RhostsRSAAuthentication |
689 | Specifies whether rhosts or /etc/hosts.equiv authentication | 730 | Specifies whether rhosts or /etc/hosts.equiv authentication |
690 | together with successful RSA host authentication is allowed. The | 731 | together with successful RSA host authentication is allowed. The |
691 | default is ``no''. This option applies to protocol version 1 | 732 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. |
692 | only. | ||
693 | 733 | ||
694 | RSAAuthentication | 734 | RSAAuthentication |
695 | Specifies whether pure RSA authentication is allowed. The | 735 | Specifies whether pure RSA authentication is allowed. The |
696 | default is ``yes''. This option applies to protocol version 1 | 736 | default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1 |
697 | only. | 737 | only. |
698 | 738 | ||
699 | ServerKeyBits | 739 | ServerKeyBits |
@@ -719,14 +759,14 @@ DESCRIPTION | |||
719 | domain socket file. This option is only used for port forwarding | 759 | domain socket file. This option is only used for port forwarding |
720 | to a Unix-domain socket file. | 760 | to a Unix-domain socket file. |
721 | 761 | ||
722 | The argument must be ``yes'' or ``no''. The default is ``no''. | 762 | The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
723 | 763 | ||
724 | StrictModes | 764 | StrictModes |
725 | Specifies whether sshd(8) should check file modes and ownership | 765 | Specifies whether sshd(8) should check file modes and ownership |
726 | of the user's files and home directory before accepting login. | 766 | of the user's files and home directory before accepting login. |
727 | This is normally desirable because novices sometimes accidentally | 767 | This is normally desirable because novices sometimes accidentally |
728 | leave their directory or files world-writable. The default is | 768 | leave their directory or files world-writable. The default is |
729 | ``yes''. Note that this does not apply to ChrootDirectory, whose | 769 | M-bM-^@M-^\yesM-bM-^@M-^]. Note that this does not apply to ChrootDirectory, whose |
730 | permissions and ownership are checked unconditionally. | 770 | permissions and ownership are checked unconditionally. |
731 | 771 | ||
732 | Subsystem | 772 | Subsystem |
@@ -734,11 +774,11 @@ DESCRIPTION | |||
734 | Arguments should be a subsystem name and a command (with optional | 774 | Arguments should be a subsystem name and a command (with optional |
735 | arguments) to execute upon subsystem request. | 775 | arguments) to execute upon subsystem request. |
736 | 776 | ||
737 | The command sftp-server(8) implements the ``sftp'' file transfer | 777 | The command sftp-server(8) implements the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer |
738 | subsystem. | 778 | subsystem. |
739 | 779 | ||
740 | Alternately the name ``internal-sftp'' implements an in-process | 780 | Alternately the name M-bM-^@M-^\internal-sftpM-bM-^@M-^] implements an in-process |
741 | ``sftp'' server. This may simplify configurations using | 781 | M-bM-^@M-^\sftpM-bM-^@M-^] server. This may simplify configurations using |
742 | ChrootDirectory to force a different filesystem root on clients. | 782 | ChrootDirectory to force a different filesystem root on clients. |
743 | 783 | ||
744 | By default no subsystems are defined. Note that this option | 784 | By default no subsystems are defined. Note that this option |
@@ -757,21 +797,21 @@ DESCRIPTION | |||
757 | this means that connections will die if the route is down | 797 | this means that connections will die if the route is down |
758 | temporarily, and some people find it annoying. On the other | 798 | temporarily, and some people find it annoying. On the other |
759 | hand, if TCP keepalives are not sent, sessions may hang | 799 | hand, if TCP keepalives are not sent, sessions may hang |
760 | indefinitely on the server, leaving ``ghost'' users and consuming | 800 | indefinitely on the server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming |
761 | server resources. | 801 | server resources. |
762 | 802 | ||
763 | The default is ``yes'' (to send TCP keepalive messages), and the | 803 | The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the |
764 | server will notice if the network goes down or the client host | 804 | server will notice if the network goes down or the client host |
765 | crashes. This avoids infinitely hanging sessions. | 805 | crashes. This avoids infinitely hanging sessions. |
766 | 806 | ||
767 | To disable TCP keepalive messages, the value should be set to | 807 | To disable TCP keepalive messages, the value should be set to |
768 | ``no''. | 808 | M-bM-^@M-^\noM-bM-^@M-^]. |
769 | 809 | ||
770 | TrustedUserCAKeys | 810 | TrustedUserCAKeys |
771 | Specifies a file containing public keys of certificate | 811 | Specifies a file containing public keys of certificate |
772 | authorities that are trusted to sign user certificates for | 812 | authorities that are trusted to sign user certificates for |
773 | authentication. Keys are listed one per line; empty lines and | 813 | authentication. Keys are listed one per line; empty lines and |
774 | comments starting with `#' are allowed. If a certificate is | 814 | comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are allowed. If a certificate is |
775 | presented for authentication and has its signing CA key listed in | 815 | presented for authentication and has its signing CA key listed in |
776 | this file, then it may be used for authentication for any user | 816 | this file, then it may be used for authentication for any user |
777 | listed in the certificate's principals list. Note that | 817 | listed in the certificate's principals list. Note that |
@@ -781,18 +821,18 @@ DESCRIPTION | |||
781 | 821 | ||
782 | UseDNS Specifies whether sshd(8) should look up the remote host name and | 822 | UseDNS Specifies whether sshd(8) should look up the remote host name and |
783 | check that the resolved host name for the remote IP address maps | 823 | check that the resolved host name for the remote IP address maps |
784 | back to the very same IP address. The default is ``yes''. | 824 | back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
785 | 825 | ||
786 | UseLogin | 826 | UseLogin |
787 | Specifies whether login(1) is used for interactive login | 827 | Specifies whether login(1) is used for interactive login |
788 | sessions. The default is ``no''. Note that login(1) is never | 828 | sessions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used |
789 | used for remote command execution. Note also, that if this is | 829 | for remote command execution. Note also, that if this is |
790 | enabled, X11Forwarding will be disabled because login(1) does not | 830 | enabled, X11Forwarding will be disabled because login(1) does not |
791 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation | 831 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation |
792 | is specified, it will be disabled after authentication. | 832 | is specified, it will be disabled after authentication. |
793 | 833 | ||
794 | UsePAM Enables the Pluggable Authentication Module interface. If set to | 834 | UsePAM Enables the Pluggable Authentication Module interface. If set to |
795 | ``yes'' this will enable PAM authentication using | 835 | M-bM-^@M-^\yesM-bM-^@M-^] this will enable PAM authentication using |
796 | ChallengeResponseAuthentication and PasswordAuthentication in | 836 | ChallengeResponseAuthentication and PasswordAuthentication in |
797 | addition to PAM account and session module processing for all | 837 | addition to PAM account and session module processing for all |
798 | authentication types. | 838 | authentication types. |
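Review bot: The UseDNS default flips from "yes" to "no" at +824, and this is the only behavioural change in an otherwise cosmetic diff; it should be called out in the commit message and release notes rather than buried among quote-character changes. Since UseDNS is what makes sshd(8) resolve and verify the remote host name, hostname-based access controls that depend on that lookup stop matching under the new default, so consider adding a sentence here telling administrators who rely on such patterns to set UseDNS yes explicitly.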
@@ -802,7 +842,7 @@ DESCRIPTION | |||
802 | either PasswordAuthentication or ChallengeResponseAuthentication. | 842 | either PasswordAuthentication or ChallengeResponseAuthentication. |
803 | 843 | ||
804 | If UsePAM is enabled, you will not be able to run sshd(8) as a | 844 | If UsePAM is enabled, you will not be able to run sshd(8) as a |
805 | non-root user. The default is ``no''. | 845 | non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
806 | 846 | ||
807 | UsePrivilegeSeparation | 847 | UsePrivilegeSeparation |
808 | Specifies whether sshd(8) separates privileges by creating an | 848 | Specifies whether sshd(8) separates privileges by creating an |
@@ -811,14 +851,14 @@ DESCRIPTION | |||
811 | that has the privilege of the authenticated user. The goal of | 851 | that has the privilege of the authenticated user. The goal of |
812 | privilege separation is to prevent privilege escalation by | 852 | privilege separation is to prevent privilege escalation by |
813 | containing any corruption within the unprivileged processes. The | 853 | containing any corruption within the unprivileged processes. The |
814 | default is ``yes''. If UsePrivilegeSeparation is set to | 854 | default is M-bM-^@M-^\yesM-bM-^@M-^]. If UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^] |
815 | ``sandbox'' then the pre-authentication unprivileged process is | 855 | then the pre-authentication unprivileged process is subject to |
816 | subject to additional restrictions. | 856 | additional restrictions. |
817 | 857 | ||
818 | VersionAddendum | 858 | VersionAddendum |
819 | Optionally specifies additional text to append to the SSH | 859 | Optionally specifies additional text to append to the SSH |
820 | protocol banner sent by the server upon connection. The default | 860 | protocol banner sent by the server upon connection. The default |
821 | is ``none''. | 861 | is M-bM-^@M-^\noneM-bM-^@M-^]. |
822 | 862 | ||
823 | X11DisplayOffset | 863 | X11DisplayOffset |
824 | Specifies the first display number available for sshd(8)'s X11 | 864 | Specifies the first display number available for sshd(8)'s X11 |
@@ -827,7 +867,7 @@ DESCRIPTION | |||
827 | 867 | ||
828 | X11Forwarding | 868 | X11Forwarding |
829 | Specifies whether X11 forwarding is permitted. The argument must | 869 | Specifies whether X11 forwarding is permitted. The argument must |
830 | be ``yes'' or ``no''. The default is ``no''. | 870 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
831 | 871 | ||
832 | When X11 forwarding is enabled, there may be additional exposure | 872 | When X11 forwarding is enabled, there may be additional exposure |
833 | to the server and to client displays if the sshd(8) proxy display | 873 | to the server and to client displays if the sshd(8) proxy display |
@@ -841,7 +881,7 @@ DESCRIPTION | |||
841 | ssh_config(5)). A system administrator may have a stance in | 881 | ssh_config(5)). A system administrator may have a stance in |
842 | which they want to protect clients that may expose themselves to | 882 | which they want to protect clients that may expose themselves to |
843 | attack by unwittingly requesting X11 forwarding, which can | 883 | attack by unwittingly requesting X11 forwarding, which can |
844 | warrant a ``no'' setting. | 884 | warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. |
845 | 885 | ||
846 | Note that disabling X11 forwarding does not prevent users from | 886 | Note that disabling X11 forwarding does not prevent users from |
847 | forwarding X11 traffic, as users can always install their own | 887 | forwarding X11 traffic, as users can always install their own |
@@ -853,12 +893,12 @@ DESCRIPTION | |||
853 | to the loopback address or to the wildcard address. By default, | 893 | to the loopback address or to the wildcard address. By default, |
854 | sshd binds the forwarding server to the loopback address and sets | 894 | sshd binds the forwarding server to the loopback address and sets |
855 | the hostname part of the DISPLAY environment variable to | 895 | the hostname part of the DISPLAY environment variable to |
856 | ``localhost''. This prevents remote hosts from connecting to the | 896 | M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the |
857 | proxy display. However, some older X11 clients may not function | 897 | proxy display. However, some older X11 clients may not function |
858 | with this configuration. X11UseLocalhost may be set to ``no'' to | 898 | with this configuration. X11UseLocalhost may be set to M-bM-^@M-^\noM-bM-^@M-^] to |
859 | specify that the forwarding server should be bound to the | 899 | specify that the forwarding server should be bound to the |
860 | wildcard address. The argument must be ``yes'' or ``no''. The | 900 | wildcard address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
861 | default is ``yes''. | 901 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
862 | 902 | ||
863 | XAuthLocation | 903 | XAuthLocation |
864 | Specifies the full pathname of the xauth(1) program. The default | 904 | Specifies the full pathname of the xauth(1) program. The default |
@@ -870,7 +910,7 @@ TIME FORMATS | |||
870 | time[qualifier], where time is a positive integer value and qualifier is | 910 | time[qualifier], where time is a positive integer value and qualifier is |
871 | one of the following: | 911 | one of the following: |
872 | 912 | ||
873 | <none> seconds | 913 | M-bM-^_M-(noneM-bM-^_M-) seconds |
874 | s | S seconds | 914 | s | S seconds |
875 | m | M minutes | 915 | m | M minutes |
876 | h | H hours | 916 | h | H hours |
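Review bot: At +913 the "<none>" placeholder in the TIME FORMATS table becomes the byte sequences M-bM-^_M-( and M-bM-^_M-) (UTF-8 U+27E8 and U+27E9, the mathematical angle brackets), which many terminal fonts and non-UTF-8 pagers cannot render, leaving the qualifier column blank or garbled. Since the formatted .0 page is meant to be read on arbitrary systems, keep the ASCII "<none>" form here (the regenerated file should be checked for other such substitutions beyond the curly quotes).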
@@ -903,4 +943,4 @@ AUTHORS | |||
903 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 943 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
904 | for privilege separation. | 944 | for privilege separation. |
905 | 945 | ||
906 | OpenBSD 5.6 July 28, 2014 OpenBSD 5.6 | 946 | OpenBSD 5.7 February 20, 2015 OpenBSD 5.7 |