diff options
Diffstat (limited to 'sshd_config.0')
| -rw-r--r-- | sshd_config.0 | 51 |
1 files changed, 38 insertions, 13 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 9e73c5906..a9162f18d 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
| @@ -93,14 +93,14 @@ DESCRIPTION | |||
| 93 | login.conf(5)) The default is ``yes''. | 93 | login.conf(5)) The default is ``yes''. |
| 94 | 94 | ||
| 95 | ChrootDirectory | 95 | ChrootDirectory |
| 96 | Specifies a path to chroot(2) to after authentication. This | 96 | Specifies the pathname of a directory to chroot(2) to after au- |
| 97 | path, and all its components, must be root-owned directories that | 97 | thentication. All components of the pathname must be root-owned |
| 98 | are not writable by any other user or group. After the chroot, | 98 | directories that are not writable by any other user or group. |
| 99 | sshd(8) changes the working directory to the user's home directo- | 99 | After the chroot, sshd(8) changes the working directory to the |
| 100 | ry. | 100 | user's home directory. |
| 101 | 101 | ||
| 102 | The path may contain the following tokens that are expanded at | 102 | The pathname may contain the following tokens that are expanded |
| 103 | runtime once the connecting user has been authenticated: %% is | 103 | at runtime once the connecting user has been authenticated: %% is |
| 104 | replaced by a literal '%', %h is replaced by the home directory | 104 | replaced by a literal '%', %h is replaced by the home directory |
| 105 | of the user being authenticated, and %u is replaced by the user- | 105 | of the user being authenticated, and %u is replaced by the user- |
| 106 | name of that user. | 106 | name of that user. |
| @@ -235,6 +235,12 @@ DESCRIPTION | |||
| 235 | resolve the name from the TCP connection itself. The default is | 235 | resolve the name from the TCP connection itself. The default is |
| 236 | ``no''. | 236 | ``no''. |
| 237 | 237 | ||
| 238 | HostCertificate | ||
| 239 | Specifies a file containing a public host certificate. The cer- | ||
| 240 | tificate's public key must match a private host key already spec- | ||
| 241 | ified by HostKey. The default behaviour of sshd(8) is not to | ||
| 242 | load any certificates. | ||
| 243 | |||
| 238 | HostKey | 244 | HostKey |
| 239 | Specifies a file containing a private host key used by SSH. The | 245 | Specifies a file containing a private host key used by SSH. The |
| 240 | default is /etc/ssh/ssh_host_key for protocol version 1, and | 246 | default is /etc/ssh/ssh_host_key for protocol version 1, and |
| @@ -346,8 +352,8 @@ DESCRIPTION | |||
| 346 | KbdInteractiveAuthentication, KerberosAuthentication, | 352 | KbdInteractiveAuthentication, KerberosAuthentication, |
| 347 | MaxAuthTries, MaxSessions, PasswordAuthentication, | 353 | MaxAuthTries, MaxSessions, PasswordAuthentication, |
| 348 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, | 354 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, |
| 349 | RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, | 355 | PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, |
| 350 | X11Forwarding and X11UseLocalHost. | 356 | X11DisplayOffset, X11Forwarding and X11UseLocalHost. |
| 351 | 357 | ||
| 352 | MaxAuthTries | 358 | MaxAuthTries |
| 353 | Specifies the maximum number of authentication attempts permitted | 359 | Specifies the maximum number of authentication attempts permitted |
| @@ -445,7 +451,7 @@ DESCRIPTION | |||
| 445 | Protocol | 451 | Protocol |
| 446 | Specifies the protocol versions sshd(8) supports. The possible | 452 | Specifies the protocol versions sshd(8) supports. The possible |
| 447 | values are `1' and `2'. Multiple versions must be comma-separat- | 453 | values are `1' and `2'. Multiple versions must be comma-separat- |
| 448 | ed. The default is ``2,1''. Note that the order of the protocol | 454 | ed. The default is `2'. Note that the order of the protocol |
| 449 | list does not indicate preference, because the client selects | 455 | list does not indicate preference, because the client selects |
| 450 | among multiple protocol versions offered by the server. Specify- | 456 | among multiple protocol versions offered by the server. Specify- |
| 451 | ing ``2,1'' is identical to ``1,2''. | 457 | ing ``2,1'' is identical to ``1,2''. |
| @@ -455,6 +461,12 @@ DESCRIPTION | |||
| 455 | fault is ``yes''. Note that this option applies to protocol ver- | 461 | fault is ``yes''. Note that this option applies to protocol ver- |
| 456 | sion 2 only. | 462 | sion 2 only. |
| 457 | 463 | ||
| 464 | RevokedKeys | ||
| 465 | Specifies a list of revoked public keys. Keys listed in this | ||
| 466 | file will be refused for public key authentication. Note that if | ||
| 467 | this file is not readable, then public key authentication will be | ||
| 468 | refused for all users. | ||
| 469 | |||
| 458 | RhostsRSAAuthentication | 470 | RhostsRSAAuthentication |
| 459 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | 471 | Specifies whether rhosts or /etc/hosts.equiv authentication to- |
| 460 | gether with successful RSA host authentication is allowed. The | 472 | gether with successful RSA host authentication is allowed. The |
| @@ -475,7 +487,8 @@ DESCRIPTION | |||
| 475 | of the user's files and home directory before accepting login. | 487 | of the user's files and home directory before accepting login. |
| 476 | This is normally desirable because novices sometimes accidentally | 488 | This is normally desirable because novices sometimes accidentally |
| 477 | leave their directory or files world-writable. The default is | 489 | leave their directory or files world-writable. The default is |
| 478 | ``yes''. | 490 | ``yes''. Note that this does not apply to ChrootDirectory, whose |
| 491 | permissions and ownership are checked unconditionally. | ||
| 479 | 492 | ||
| 480 | Subsystem | 493 | Subsystem |
| 481 | Configures an external subsystem (e.g. file transfer daemon). | 494 | Configures an external subsystem (e.g. file transfer daemon). |
| @@ -515,6 +528,18 @@ DESCRIPTION | |||
| 515 | To disable TCP keepalive messages, the value should be set to | 528 | To disable TCP keepalive messages, the value should be set to |
| 516 | ``no''. | 529 | ``no''. |
| 517 | 530 | ||
| 531 | TrustedUserCAKeys | ||
| 532 | Specifies a file containing public keys of certificate authori- | ||
| 533 | ties that are trusted to sign user certificates for authentica- | ||
| 534 | tion. Keys are listed one per line; empty lines and comments | ||
| 535 | starting with `#' are allowed. If a certificate is presented for | ||
| 536 | authentication and has its signing CA key listed in this file, | ||
| 537 | then it may be used for authentication for any user listed in the | ||
| 538 | certificate's principals list. Note that certificates that lack | ||
| 539 | a list of principals will not be permitted for authentication us- | ||
| 540 | ing TrustedUserCAKeys. For more details on certificates, see the | ||
| 541 | CERTIFICATES section in ssh-keygen(1). | ||
| 542 | |||
| 518 | UseDNS Specifies whether sshd(8) should look up the remote host name and | 543 | UseDNS Specifies whether sshd(8) should look up the remote host name and |
| 519 | check that the resolved host name for the remote IP address maps | 544 | check that the resolved host name for the remote IP address maps |
| 520 | back to the very same IP address. The default is ``yes''. | 545 | back to the very same IP address. The default is ``yes''. |
| @@ -631,4 +656,4 @@ AUTHORS | |||
| 631 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 656 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
| 632 | for privilege separation. | 657 | for privilege separation. |
| 633 | 658 | ||
| 634 | OpenBSD 4.6 April 21, 2009 10 | 659 | OpenBSD 4.6 March 4, 2010 10 |