diff options
Diffstat (limited to 'sshd_config.0')
| -rw-r--r-- | sshd_config.0 | 51 |
1 files changed, 29 insertions, 22 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 9022f8760..d9c87b7a0 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
| @@ -102,14 +102,14 @@ DESCRIPTION | |||
| 102 | AuthorizedPrincipalsFile is taken to be an absolute path or one | 102 | AuthorizedPrincipalsFile is taken to be an absolute path or one |
| 103 | relative to the user's home directory. | 103 | relative to the user's home directory. |
| 104 | 104 | ||
| 105 | The default is not to use a principals file - in this case, the | 105 | The default is ``none'', i.e. not to use a principals file - in |
| 106 | username of the user must appear in a certificate's principals | 106 | this case, the username of the user must appear in a |
| 107 | list for it to be accepted. Note that AuthorizedPrincipalsFile | 107 | certificate's principals list for it to be accepted. Note that |
| 108 | is only used when authentication proceeds using a CA listed in | 108 | AuthorizedPrincipalsFile is only used when authentication |
| 109 | TrustedUserCAKeys and is not consulted for certification | 109 | proceeds using a CA listed in TrustedUserCAKeys and is not |
| 110 | authorities trusted via ~/.ssh/authorized_keys, though the | 110 | consulted for certification authorities trusted via |
| 111 | principals= key option offers a similar facility (see sshd(8) for | 111 | ~/.ssh/authorized_keys, though the principals= key option offers |
| 112 | details). | 112 | a similar facility (see sshd(8) for details). |
| 113 | 113 | ||
| 114 | Banner The contents of the specified file are sent to the remote user | 114 | Banner The contents of the specified file are sent to the remote user |
| 115 | before authentication is allowed. If the argument is ``none'' | 115 | before authentication is allowed. If the argument is ``none'' |
| @@ -376,9 +376,8 @@ DESCRIPTION | |||
| 376 | separated. The default is: | 376 | separated. The default is: |
| 377 | 377 | ||
| 378 | hmac-md5,hmac-sha1,umac-64@openssh.com, | 378 | hmac-md5,hmac-sha1,umac-64@openssh.com, |
| 379 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96, | 379 | hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, |
| 380 | hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, | 380 | hmac-sha1-96,hmac-md5-96 |
| 381 | hmac-sha2-512-96 | ||
| 382 | 381 | ||
| 383 | Match Introduces a conditional block. If all of the criteria on the | 382 | Match Introduces a conditional block. If all of the criteria on the |
| 384 | Match line are satisfied, the keywords on the following lines | 383 | Match line are satisfied, the keywords on the following lines |
| @@ -386,10 +385,11 @@ DESCRIPTION | |||
| 386 | until either another Match line or the end of the file. | 385 | until either another Match line or the end of the file. |
| 387 | 386 | ||
| 388 | The arguments to Match are one or more criteria-pattern pairs. | 387 | The arguments to Match are one or more criteria-pattern pairs. |
| 389 | The available criteria are User, Group, Host, and Address. The | 388 | The available criteria are User, Group, Host, LocalAddress, |
| 390 | match patterns may consist of single entries or comma-separated | 389 | LocalPort, and Address. The match patterns may consist of single |
| 391 | lists and may use the wildcard and negation operators described | 390 | entries or comma-separated lists and may use the wildcard and |
| 392 | in the PATTERNS section of ssh_config(5). | 391 | negation operators described in the PATTERNS section of |
| 392 | ssh_config(5). | ||
| 393 | 393 | ||
| 394 | The patterns in an Address criteria may additionally contain | 394 | The patterns in an Address criteria may additionally contain |
| 395 | addresses to match in CIDR address/masklen format, e.g. | 395 | addresses to match in CIDR address/masklen format, e.g. |
| @@ -400,10 +400,11 @@ DESCRIPTION | |||
| 400 | example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively. | 400 | example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively. |
| 401 | 401 | ||
| 402 | Only a subset of keywords may be used on the lines following a | 402 | Only a subset of keywords may be used on the lines following a |
| 403 | Match keyword. Available keywords are AllowAgentForwarding, | 403 | Match keyword. Available keywords are AcceptEnv, |
| 404 | AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile, | 404 | AllowAgentForwarding, AllowGroups, AllowTcpForwarding, |
| 405 | Banner, ChrootDirectory, ForceCommand, GatewayPorts, | 405 | AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, |
| 406 | GSSAPIAuthentication, HostbasedAuthentication, | 406 | ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, |
| 407 | GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, | ||
| 407 | HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, | 408 | HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, |
| 408 | KerberosAuthentication, MaxAuthTries, MaxSessions, | 409 | KerberosAuthentication, MaxAuthTries, MaxSessions, |
| 409 | PasswordAuthentication, PermitEmptyPasswords, PermitOpen, | 410 | PasswordAuthentication, PermitEmptyPasswords, PermitOpen, |
| @@ -454,8 +455,9 @@ DESCRIPTION | |||
| 454 | 455 | ||
| 455 | Multiple forwards may be specified by separating them with | 456 | Multiple forwards may be specified by separating them with |
| 456 | whitespace. An argument of ``any'' can be used to remove all | 457 | whitespace. An argument of ``any'' can be used to remove all |
| 457 | restrictions and permit any forwarding requests. By default all | 458 | restrictions and permit any forwarding requests. An argument of |
| 458 | port forwarding requests are permitted. | 459 | ``none'' can be used to prohibit all forwarding requests. By |
| 460 | default all port forwarding requests are permitted. | ||
| 459 | 461 | ||
| 460 | PermitRootLogin | 462 | PermitRootLogin |
| 461 | Specifies whether root can log in using ssh(1). The argument | 463 | Specifies whether root can log in using ssh(1). The argument |
| @@ -632,6 +634,11 @@ DESCRIPTION | |||
| 632 | ``sandbox'' then the pre-authentication unprivileged process is | 634 | ``sandbox'' then the pre-authentication unprivileged process is |
| 633 | subject to additional restrictions. | 635 | subject to additional restrictions. |
| 634 | 636 | ||
| 637 | VersionAddendum | ||
| 638 | Optionally specifies additional text to append to the SSH | ||
| 639 | protocol banner sent by the server upon connection. The default | ||
| 640 | is ``none''. | ||
| 641 | |||
| 635 | X11DisplayOffset | 642 | X11DisplayOffset |
| 636 | Specifies the first display number available for sshd(8)'s X11 | 643 | Specifies the first display number available for sshd(8)'s X11 |
| 637 | forwarding. This prevents sshd from interfering with real X11 | 644 | forwarding. This prevents sshd from interfering with real X11 |
| @@ -715,4 +722,4 @@ AUTHORS | |||
| 715 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 722 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
| 716 | for privilege separation. | 723 | for privilege separation. |
| 717 | 724 | ||
| 718 | OpenBSD 5.0 September 9, 2011 OpenBSD 5.0 | 725 | OpenBSD 5.2 June 29, 2012 OpenBSD 5.2 |