path: root/sshd_config.0
Diffstat (limited to 'sshd_config.0')
-rw-r--r--  sshd_config.0  113
1 files changed, 85 insertions, 28 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 641041852..1cc7459f8 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -262,7 +262,11 @@ DESCRIPTION
262 262
263 Ciphers 263 Ciphers
264 Specifies the ciphers allowed for protocol version 2. Multiple 264 Specifies the ciphers allowed for protocol version 2. Multiple
265 ciphers must be comma-separated. The supported ciphers are: 265 ciphers must be comma-separated. If the specified value begins
266 with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be appended
267 to the default set instead of replacing them.
268
269 The supported ciphers are:
266 270
267 3des-cbc 271 3des-cbc
268 aes128-cbc 272 aes128-cbc
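Review bot: the added sentence beginning "If the specified value begins with a" says that the listed ciphers are appended to the default set, but it does not say that the '+' form can only widen what the server will negotiate; an administrator who wants to drop a cipher (the supported list that follows still carries 3des-cbc and aes128-cbc) must write the full list without the leading '+'. Suggest one more sentence to that effect, e.g. "To remove ciphers from the default set, specify the complete list without a leading +."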
@@ -394,9 +398,20 @@ DESCRIPTION
394 398
395 HostbasedAcceptedKeyTypes 399 HostbasedAcceptedKeyTypes
396 Specifies the key types that will be accepted for hostbased 400 Specifies the key types that will be accepted for hostbased
397 authentication as a comma-separated pattern list. The default 401 authentication as a comma-separated pattern list. Alternately if
398 M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be 402 the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
399 used to list supported key types. 403 specified key types will be appended to the default set instead
404 of replacing them. The default for this option is:
405
406 ecdsa-sha2-nistp256-cert-v01@openssh.com,
407 ecdsa-sha2-nistp384-cert-v01@openssh.com,
408 ecdsa-sha2-nistp521-cert-v01@openssh.com,
409 ssh-ed25519-cert-v01@openssh.com,
410 ssh-rsa-cert-v01@openssh.com,
411 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
412 ssh-ed25519,ssh-rsa
413
414 The -Q option of ssh(1) may be used to list supported key types.
400 415
401 HostbasedAuthentication 416 HostbasedAuthentication
402 Specifies whether rhosts or /etc/hosts.equiv authentication 417 Specifies whether rhosts or /etc/hosts.equiv authentication
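Review bot: the replaced text "The default “*” will allow all key types" is a behaviour change, not just a documentation change: the default goes from accepting every key type to an explicit list, and a key type outside that list (ssh-dss, for example, which does not appear in the new list) will be refused for hostbased authentication unless the administrator adds it with the '+' form. Suggest the description say that the default is now restrictive and point to '+' as the way to re-enable a type, so that hosts whose hostbased login stops working after the upgrade can be diagnosed from the man page alone.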
@@ -425,13 +440,17 @@ DESCRIPTION
425 default is /etc/ssh/ssh_host_key for protocol version 1, and 440 default is /etc/ssh/ssh_host_key for protocol version 1, and
426 /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, 441 /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
427 /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for 442 /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
428 protocol version 2. Note that sshd(8) will refuse to use a file 443 protocol version 2.
429 if it is group/world-accessible. It is possible to have multiple 444
430 host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], 445 Note that sshd(8) will refuse to use a file if it is group/world-
431 M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are used for version 2 of the SSH 446 accessible and that the HostKeyAlgorithms option restricts which
432 protocol. It is also possible to specify public host key files 447 of the keys are actually used by sshd(8).
433 instead. In this case operations on the private key will be 448
434 delegated to an ssh-agent(1). 449 It is possible to have multiple host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are
450 used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are
451 used for version 2 of the SSH protocol. It is also possible to
452 specify public host key files instead. In this case operations
453 on the private key will be delegated to an ssh-agent(1).
435 454
436 HostKeyAgent 455 HostKeyAgent
437 Identifies the UNIX-domain socket used to communicate with an 456 Identifies the UNIX-domain socket used to communicate with an
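Review bot: the new sentence "the HostKeyAlgorithms option restricts which of the keys are actually used by sshd(8)" would be more useful to someone auditing the server's exposed keys if it said what "not used" means in practice, i.e. that a HostKey whose type is absent from HostKeyAlgorithms is not offered to clients even though it is configured. Splitting the paragraph in three is fine; the middle paragraph is the one that needs the extra clause.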
@@ -439,6 +458,21 @@ DESCRIPTION
439 M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be 458 M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be
440 read from the SSH_AUTH_SOCK environment variable. 459 read from the SSH_AUTH_SOCK environment variable.
441 460
461 HostKeyAlgorithms
462 Specifies the protocol version 2 host key algorithms that the
463 server offers. The default for this option is:
464
465 ecdsa-sha2-nistp256-cert-v01@openssh.com,
466 ecdsa-sha2-nistp384-cert-v01@openssh.com,
467 ecdsa-sha2-nistp521-cert-v01@openssh.com,
468 ssh-ed25519-cert-v01@openssh.com,
469 ssh-rsa-cert-v01@openssh.com,
470 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
471 ssh-ed25519,ssh-rsa
472
473 The list of available key types may also be obtained using the -Q
474 option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^].
475
442 IgnoreRhosts 476 IgnoreRhosts
443 Specifies that .rhosts and .shosts files will not be used in 477 Specifies that .rhosts and .shosts files will not be used in
444 RhostsRSAAuthentication or HostbasedAuthentication. 478 RhostsRSAAuthentication or HostbasedAuthentication.
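Review bot: the new HostKeyAlgorithms entry documents a default list and the "-Q key" query, but unlike the Ciphers, HostbasedAcceptedKeyTypes, KexAlgorithms, MACs and PubkeyAcceptedKeyTypes entries in this same diff it says nothing about a leading '+'. Either the '+' form is accepted here too and the sentence should be added for consistency, or it is not and the entry should say so, since readers will assume the same syntax applies to all of these list-valued options.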
@@ -493,8 +527,10 @@ DESCRIPTION
493 527
494 KexAlgorithms 528 KexAlgorithms
495 Specifies the available KEX (Key Exchange) algorithms. Multiple 529 Specifies the available KEX (Key Exchange) algorithms. Multiple
496 algorithms must be comma-separated. The supported algorithms 530 algorithms must be comma-separated. Alternately if the specified
497 are: 531 value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods
532 will be appended to the default set instead of replacing them.
533 The supported algorithms are:
498 534
499 curve25519-sha256@libssh.org 535 curve25519-sha256@libssh.org
500 diffie-hellman-group1-sha1 536 diffie-hellman-group1-sha1
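Review bot: the added sentence says "the specified methods will be appended" while the surrounding text and the option name speak of "algorithms"; use one term. The sibling options in this diff all say "algorithms", "ciphers" or "key types" for the appended items, so "algorithms" is the consistent choice here.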
@@ -551,9 +587,13 @@ DESCRIPTION
551 MACs Specifies the available MAC (message authentication code) 587 MACs Specifies the available MAC (message authentication code)
552 algorithms. The MAC algorithm is used in protocol version 2 for 588 algorithms. The MAC algorithm is used in protocol version 2 for
553 data integrity protection. Multiple algorithms must be comma- 589 data integrity protection. Multiple algorithms must be comma-
554 separated. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC 590 separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
555 after encryption (encrypt-then-mac). These are considered safer 591 then the specified algorithms will be appended to the default set
556 and their use recommended. The supported MACs are: 592 instead of replacing them.
593
594 The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after
595 encryption (encrypt-then-mac). These are considered safer and
596 their use recommended. The supported MACs are:
557 597
558 hmac-md5 598 hmac-md5
559 hmac-md5-96 599 hmac-md5-96
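Review bot: "These are considered safer and their use recommended" is missing a verb ("their use is recommended"); the sentence was carried over unchanged, so this is a good moment to fix it. Separately, the text recommends the "-etm" MACs and then opens the supported list with hmac-md5 and hmac-md5-96, which invites the reading that everything listed is acceptable. The key-type entries in this diff now spell out their defaults; doing the same for MACs (which of the supported MACs are on by default) would let an administrator tell the supported set from the enabled set without testing the server.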
@@ -673,11 +713,13 @@ DESCRIPTION
673 713
674 PermitRootLogin 714 PermitRootLogin
675 Specifies whether root can log in using ssh(1). The argument 715 Specifies whether root can log in using ssh(1). The argument
676 must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or 716 must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^],
677 M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. 717 M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is
718 M-bM-^@M-^\prohibit-passwordM-bM-^@M-^].
678 719
679 If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^], password 720 If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or
680 authentication is disabled for root. 721 M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive
722 authentication are disabled for root.
681 723
682 If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with 724 If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with
683 public key authentication will be allowed, but only if the 725 public key authentication will be allowed, but only if the
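Review bot: the default changes from "no" to "prohibit-password", which is a loosening of the documented default: with the old default root could not log in at all, with the new one root may log in with public key (or other non-password, non-keyboard-interactive) methods unless the administrator sets the option explicitly. The hunk records the new default but never says the default changed; a sentence noting the previous default, or at least that sites relying on the old default must now set PermitRootLogin no, would save operators from discovering this in an audit. The clarification that keyboard-interactive is disabled as well as password authentication is welcome and should stay.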
@@ -740,9 +782,20 @@ DESCRIPTION
740 782
741 PubkeyAcceptedKeyTypes 783 PubkeyAcceptedKeyTypes
742 Specifies the key types that will be accepted for public key 784 Specifies the key types that will be accepted for public key
743 authentication as a comma-separated pattern list. The default 785 authentication as a comma-separated pattern list. Alternately if
744 M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be 786 the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
745 used to list supported key types. 787 specified key types will be appended to the default set instead
788 of replacing them. The default for this option is:
789
790 ecdsa-sha2-nistp256-cert-v01@openssh.com,
791 ecdsa-sha2-nistp384-cert-v01@openssh.com,
792 ecdsa-sha2-nistp521-cert-v01@openssh.com,
793 ssh-ed25519-cert-v01@openssh.com,
794 ssh-rsa-cert-v01@openssh.com,
795 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
796 ssh-ed25519,ssh-rsa
797
798 The -Q option of ssh(1) may be used to list supported key types.
746 799
747 PubkeyAuthentication 800 PubkeyAuthentication
748 Specifies whether public key authentication is allowed. The 801 Specifies whether public key authentication is allowed. The
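Review bot: this default key-type list is now reproduced verbatim in three places in this diff (HostbasedAcceptedKeyTypes, HostKeyAlgorithms and here), and the same "default “*” will allow all key types" sentence is dropped from this entry as from the hostbased one, with the same consequence for key types not on the list. Suggest documenting the list once and having the other two entries refer to it, otherwise the three copies will drift the next time the default changes; and, as for the hostbased entry, state that the default is now restrictive rather than "*".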
@@ -786,7 +839,7 @@ DESCRIPTION
786 839
787 ServerKeyBits 840 ServerKeyBits
788 Defines the number of bits in the ephemeral protocol version 1 841 Defines the number of bits in the ephemeral protocol version 1
789 server key. The minimum value is 512, and the default is 1024. 842 server key. The default and minimum value is 1024.
790 843
791 StreamLocalBindMask 844 StreamLocalBindMask
792 Sets the octal file creation mode mask (umask) used when creating 845 Sets the octal file creation mode mask (umask) used when creating
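Review bot: raising the minimum from 512 to 1024 leaves an existing configuration that says "ServerKeyBits 512" undefined by this text: the entry should state whether sshd(8) refuses to start, rejects the option, or silently raises the value to 1024. Wording-wise, "The default and minimum value is 1024" reads fine, but "The minimum and default value is 1024" keeps the order of the sentence it replaces.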
@@ -868,9 +921,13 @@ DESCRIPTION
868 TrustedUserCAKeys. For more details on certificates, see the 921 TrustedUserCAKeys. For more details on certificates, see the
869 CERTIFICATES section in ssh-keygen(1). 922 CERTIFICATES section in ssh-keygen(1).
870 923
871 UseDNS Specifies whether sshd(8) should look up the remote host name and 924 UseDNS Specifies whether sshd(8) should look up the remote host name,
872 check that the resolved host name for the remote IP address maps 925 and to check that the resolved host name for the remote IP
873 back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^]. 926 address maps back to the very same IP address.
927
928 If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses
929 and not host names may be used in ~/.ssh/known_hosts from and
930 sshd_config(5) Match Host directives.
874 931
875 UseLogin 932 UseLogin
876 Specifies whether login(1) is used for interactive login 933 Specifies whether login(1) is used for interactive login
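Review bot: two problems in the rewritten UseDNS text. First, "should look up the remote host name, and to check that" has a stray "to" (either "should look up ... and check that" or drop the comma and "to"). Second, "may be used in ~/.ssh/known_hosts from and sshd_config(5) Match Host directives" is hard to parse: if "from" refers to the from= option of an authorized_keys line, say so explicitly and name that file, because known_hosts has no such option and a reader will take "from" for a typo. The added paragraph is the right place to make this concrete, since it is the only statement of what the default "no" actually affects.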
@@ -992,4 +1049,4 @@ AUTHORS
992 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 1049 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
993 for privilege separation. 1050 for privilege separation.
994 1051
995OpenBSD 5.7 June 5, 2015 OpenBSD 5.7 1052OpenBSD 5.8 August 6, 2015 OpenBSD 5.8