Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 125 |
1 files changed, 98 insertions, 27 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 413c26008..1c82d449f 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -1,4 +1,4 @@ | |||
1 | SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) | 1 | SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | sshd_config - OpenSSH SSH daemon configuration file | 4 | sshd_config - OpenSSH SSH daemon configuration file |
@@ -62,6 +62,16 @@ DESCRIPTION | |||
62 | are also denied shell access, as they can always install their | 62 | are also denied shell access, as they can always install their |
63 | own forwarders. | 63 | own forwarders. |
64 | 64 | ||
65 | AllowStreamLocalForwarding | ||
66 | Specifies whether StreamLocal (Unix-domain socket) forwarding is | ||
67 | permitted. The available options are ``yes'' or ``all'' to allow | ||
68 | StreamLocal forwarding, ``no'' to prevent all StreamLocal | ||
69 | forwarding, ``local'' to allow local (from the perspective of | ||
70 | ssh(1)) forwarding only or ``remote'' to allow remote forwarding | ||
71 | only. The default is ``yes''. Note that disabling StreamLocal | ||
72 | forwarding does not improve security unless users are also denied | ||
73 | shell access, as they can always install their own forwarders. | ||
74 | |||
65 | AllowUsers | 75 | AllowUsers |
66 | This keyword can be followed by a list of user name patterns, | 76 | This keyword can be followed by a list of user name patterns, |
67 | separated by spaces. If specified, login is allowed only for | 77 | separated by spaces. If specified, login is allowed only for |
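Review bot: the new AllowStreamLocalForwarding entry should cross-reference the two StreamLocalBind* options added later in this same patch, since a Unix-domain socket created by a permitted forwarding is governed by StreamLocalBindMask (who can connect to it) and StreamLocalBindUnlink (whether an existing path is replaced); a reader who only finds this entry will not know those controls exist. The closing sentence about shell access is a good carry-over from AllowTcpForwarding and should stay.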
@@ -168,7 +178,7 @@ DESCRIPTION | |||
168 | 178 | ||
169 | ChallengeResponseAuthentication | 179 | ChallengeResponseAuthentication |
170 | Specifies whether challenge-response authentication is allowed | 180 | Specifies whether challenge-response authentication is allowed |
171 | (e.g. via PAM or though authentication styles supported in | 181 | (e.g. via PAM or through authentication styles supported in |
172 | login.conf(5)) The default is ``yes''. | 182 | login.conf(5)) The default is ``yes''. |
173 | 183 | ||
174 | ChrootDirectory | 184 | ChrootDirectory |
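Review bot: while touching this paragraph, the missing full stop after "login.conf(5))" should be fixed as well; the sentence currently runs "login.conf(5)) The default is ``yes''." The though/through correction itself is fine.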
@@ -191,8 +201,9 @@ DESCRIPTION | |||
191 | stderr(4), arandom(4) and tty(4) devices. For file transfer | 201 | stderr(4), arandom(4) and tty(4) devices. For file transfer |
192 | sessions using ``sftp'', no additional configuration of the | 202 | sessions using ``sftp'', no additional configuration of the |
193 | environment is necessary if the in-process sftp server is used, | 203 | environment is necessary if the in-process sftp server is used, |
194 | though sessions which use logging do require /dev/log inside the | 204 | though sessions which use logging may require /dev/log inside the |
195 | chroot directory (see sftp-server(8) for details). | 205 | chroot directory on some operating systems (see sftp-server(8) |
206 | for details). | ||
196 | 207 | ||
197 | The default is not to chroot(2). | 208 | The default is not to chroot(2). |
198 | 209 | ||
@@ -200,19 +211,27 @@ DESCRIPTION | |||
200 | Specifies the ciphers allowed for protocol version 2. Multiple | 211 | Specifies the ciphers allowed for protocol version 2. Multiple |
201 | ciphers must be comma-separated. The supported ciphers are: | 212 | ciphers must be comma-separated. The supported ciphers are: |
202 | 213 | ||
203 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | 214 | 3des-cbc |
204 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | 215 | aes128-cbc |
205 | ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', | 216 | aes192-cbc |
206 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', | 217 | aes256-cbc |
207 | ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''. | 218 | aes128-ctr |
219 | aes192-ctr | ||
220 | aes256-ctr | ||
221 | aes128-gcm@openssh.com | ||
222 | aes256-gcm@openssh.com | ||
223 | arcfour | ||
224 | arcfour128 | ||
225 | arcfour256 | ||
226 | blowfish-cbc | ||
227 | cast128-cbc | ||
228 | chacha20-poly1305@openssh.com | ||
208 | 229 | ||
209 | The default is: | 230 | The default is: |
210 | 231 | ||
211 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, | 232 | aes128-ctr,aes192-ctr,aes256-ctr, |
212 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | 233 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
213 | chacha20-poly1305@openssh.com, | 234 | chacha20-poly1305@openssh.com |
214 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, | ||
215 | aes256-cbc,arcfour | ||
216 | 235 | ||
217 | The list of available ciphers may also be obtained using the -Q | 236 | The list of available ciphers may also be obtained using the -Q |
218 | option of ssh(1). | 237 | option of ssh(1). |
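Review bot: the default list silently drops every CBC cipher and all three arcfour variants, but the surrounding prose does not say so; suggest one sentence after "The default is:" stating that the CBC and arcfour ciphers are no longer enabled by default and must be listed explicitly in Ciphers if still required, so administrators comparing an existing explicit Ciphers line against this manual see the change. The one-per-line supported list is easier to scan than the old quoted run-on, and the alphabetical ordering (arcfour before arcfour128) is consistent.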
@@ -403,14 +422,24 @@ DESCRIPTION | |||
403 | 422 | ||
404 | KexAlgorithms | 423 | KexAlgorithms |
405 | Specifies the available KEX (Key Exchange) algorithms. Multiple | 424 | Specifies the available KEX (Key Exchange) algorithms. Multiple |
406 | algorithms must be comma-separated. The default is | 425 | algorithms must be comma-separated. The supported algorithms |
426 | are: | ||
427 | |||
428 | curve25519-sha256@libssh.org | ||
429 | diffie-hellman-group1-sha1 | ||
430 | diffie-hellman-group14-sha1 | ||
431 | diffie-hellman-group-exchange-sha1 | ||
432 | diffie-hellman-group-exchange-sha256 | ||
433 | ecdh-sha2-nistp256 | ||
434 | ecdh-sha2-nistp384 | ||
435 | ecdh-sha2-nistp521 | ||
436 | |||
437 | The default is: | ||
407 | 438 | ||
408 | curve25519-sha256@libssh.org, | 439 | curve25519-sha256@libssh.org, |
409 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | 440 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
410 | diffie-hellman-group-exchange-sha256, | 441 | diffie-hellman-group-exchange-sha256, |
411 | diffie-hellman-group-exchange-sha1, | 442 | diffie-hellman-group14-sha1 |
412 | diffie-hellman-group14-sha1, | ||
413 | diffie-hellman-group1-sha1 | ||
414 | 443 | ||
415 | KeyRegenerationInterval | 444 | KeyRegenerationInterval |
416 | In protocol version 1, the ephemeral server key is automatically | 445 | In protocol version 1, the ephemeral server key is automatically |
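Review bot: same gap as in the Ciphers hunk: diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 are removed from the default but still appear in the supported list, and nothing tells the reader that the SHA-1 group-exchange and the 1024-bit group1 exchange now require explicit configuration. Suggest a sentence to that effect after the default list, so that the supported list is not read as "what sshd offers" by default.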
@@ -452,16 +481,33 @@ DESCRIPTION | |||
452 | data integrity protection. Multiple algorithms must be comma- | 481 | data integrity protection. Multiple algorithms must be comma- |
453 | separated. The algorithms that contain ``-etm'' calculate the | 482 | separated. The algorithms that contain ``-etm'' calculate the |
454 | MAC after encryption (encrypt-then-mac). These are considered | 483 | MAC after encryption (encrypt-then-mac). These are considered |
455 | safer and their use recommended. The default is: | 484 | safer and their use recommended. The supported MACs are: |
485 | |||
486 | hmac-md5 | ||
487 | hmac-md5-96 | ||
488 | hmac-ripemd160 | ||
489 | hmac-sha1 | ||
490 | hmac-sha1-96 | ||
491 | hmac-sha2-256 | ||
492 | hmac-sha2-512 | ||
493 | umac-64@openssh.com | ||
494 | umac-128@openssh.com | ||
495 | hmac-md5-etm@openssh.com | ||
496 | hmac-md5-96-etm@openssh.com | ||
497 | hmac-ripemd160-etm@openssh.com | ||
498 | hmac-sha1-etm@openssh.com | ||
499 | hmac-sha1-96-etm@openssh.com | ||
500 | hmac-sha2-256-etm@openssh.com | ||
501 | hmac-sha2-512-etm@openssh.com | ||
502 | umac-64-etm@openssh.com | ||
503 | umac-128-etm@openssh.com | ||
504 | |||
505 | The default is: | ||
456 | 506 | ||
457 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, | ||
458 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | 507 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
459 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | 508 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
460 | hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, | 509 | umac-64@openssh.com,umac-128@openssh.com, |
461 | hmac-md5-96-etm@openssh.com, | 510 | hmac-sha2-256,hmac-sha2-512 |
462 | hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, | ||
463 | hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, | ||
464 | hmac-sha1-96,hmac-md5-96 | ||
465 | 511 | ||
466 | Match Introduces a conditional block. If all of the criteria on the | 512 | Match Introduces a conditional block. If all of the criteria on the |
467 | Match line are satisfied, the keywords on the following lines | 513 | Match line are satisfied, the keywords on the following lines |
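Review bot: the supported-MACs list is not in the alphabetical order used by the Ciphers and KexAlgorithms lists in this same patch (the plain algorithms come first, then all -etm variants); either order is fine but it should be consistent across the three lists. Separately, the default now excludes every hmac-md5, hmac-sha1 and hmac-ripemd160 variant, -etm or not, which the prose leaves implicit; a sentence after "The default is:" saying that MD5-, SHA-1- and RIPEMD-160-based MACs must be enabled explicitly would match the recommendation in the opening paragraph and avoid surprising operators with older clients.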
@@ -496,7 +542,7 @@ DESCRIPTION | |||
496 | KbdInteractiveAuthentication, KerberosAuthentication, | 542 | KbdInteractiveAuthentication, KerberosAuthentication, |
497 | MaxAuthTries, MaxSessions, PasswordAuthentication, | 543 | MaxAuthTries, MaxSessions, PasswordAuthentication, |
498 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, | 544 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, |
499 | PermitTunnel, PubkeyAuthentication, RekeyLimit, | 545 | PermitTunnel, PermitUserRC, PubkeyAuthentication, RekeyLimit, |
500 | RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, | 546 | RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, |
501 | X11Forwarding and X11UseLocalHost. | 547 | X11Forwarding and X11UseLocalHost. |
502 | 548 | ||
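Review bot: this hunk adds PermitUserRC to the Match keyword list but not AllowStreamLocalForwarding, which the same patch introduces alongside the existing AllowTcpForwarding entry. If the new option is accepted inside a Match block it should be listed here; if it is deliberately not Match-able, that is worth a word in its own entry, since administrators will expect it to behave like AllowTcpForwarding.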
@@ -580,6 +626,10 @@ DESCRIPTION | |||
580 | bypass access restrictions in some configurations using | 626 | bypass access restrictions in some configurations using |
581 | mechanisms such as LD_PRELOAD. | 627 | mechanisms such as LD_PRELOAD. |
582 | 628 | ||
629 | PermitUserRC | ||
630 | Specifies whether any ~/.ssh/rc file is executed. The default is | ||
631 | ``yes''. | ||
632 | |||
583 | PidFile | 633 | PidFile |
584 | Specifies the file that contains the process ID of the SSH | 634 | Specifies the file that contains the process ID of the SSH |
585 | daemon. The default is /var/run/sshd.pid. | 635 | daemon. The default is /var/run/sshd.pid. |
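Review bot: the PermitUserRC description is thin for an option whose default permits execution of a user-supplied ~/.ssh/rc at login. Like the PermitUserEnvironment entry immediately above it, it should say why an administrator might set it to ``no'' (the rc file is a second user-controlled hook that runs before the session command) and point to sshd(8), where ~/.ssh/rc is documented. Suggest also stating the accepted values explicitly, e.g. "The argument must be ``yes'' or ``no''.", as the StreamLocalBindUnlink entry in this patch does.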
@@ -650,6 +700,27 @@ DESCRIPTION | |||
650 | Defines the number of bits in the ephemeral protocol version 1 | 700 | Defines the number of bits in the ephemeral protocol version 1 |
651 | server key. The minimum value is 512, and the default is 1024. | 701 | server key. The minimum value is 512, and the default is 1024. |
652 | 702 | ||
703 | StreamLocalBindMask | ||
704 | Sets the octal file creation mode mask (umask) used when creating | ||
705 | a Unix-domain socket file for local or remote port forwarding. | ||
706 | This option is only used for port forwarding to a Unix-domain | ||
707 | socket file. | ||
708 | |||
709 | The default value is 0177, which creates a Unix-domain socket | ||
710 | file that is readable and writable only by the owner. Note that | ||
711 | not all operating systems honor the file mode on Unix-domain | ||
712 | socket files. | ||
713 | |||
714 | StreamLocalBindUnlink | ||
715 | Specifies whether to remove an existing Unix-domain socket file | ||
716 | for local or remote port forwarding before creating a new one. | ||
717 | If the socket file already exists and StreamLocalBindUnlink is | ||
718 | not enabled, sshd will be unable to forward the port to the Unix- | ||
719 | domain socket file. This option is only used for port forwarding | ||
720 | to a Unix-domain socket file. | ||
721 | |||
722 | The argument must be ``yes'' or ``no''. The default is ``no''. | ||
723 | |||
653 | StrictModes | 724 | StrictModes |
654 | Specifies whether sshd(8) should check file modes and ownership | 725 | Specifies whether sshd(8) should check file modes and ownership |
655 | of the user's files and home directory before accepting login. | 726 | of the user's files and home directory before accepting login. |
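Review bot: StreamLocalBindMask describes the argument as an "octal file creation mode mask" but only the default 0177 shows the expected spelling; state that the value is given in octal with a leading zero, as the PidFile-style entries elsewhere spell out their formats, so that 177 and 0177 are not confused. The caveat that some operating systems ignore the mode on socket files is important and should stay, and both entries would benefit from a "See also AllowStreamLocalForwarding" pointer, since neither has any effect unless that option permits the forwarding in the first place. For StreamLocalBindUnlink, the text says sshd "will be unable to forward the port" when the file exists and the option is off; it would help to say that this is the safe default (an existing path is never removed unless the administrator opts in) rather than leaving it to read as a limitation.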
@@ -832,4 +903,4 @@ AUTHORS | |||
832 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 903 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
833 | for privilege separation. | 904 | for privilege separation. |
834 | 905 | ||
835 | OpenBSD 5.5 February 27, 2014 OpenBSD 5.5 | 906 | OpenBSD 5.6 July 28, 2014 OpenBSD 5.6 |