Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 107 |
1 files changed, 96 insertions, 11 deletions
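--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.176 2014/07/28 15:40:08 schwarze Exp $
-.Dd $Mdocdate: July 28 2014 $
+.\" $OpenBSD: sshd_config.5,v 1.194 2015/02/20 23:46:01 djm Exp $
+.Dd $Mdocdate: February 20 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -235,6 +235,18 @@ would restrict keyboard interactive authentication to the
 .Dq bsdauth
 device.
 .Pp
+If the
+.Dq publickey
+method is listed more than once,
+.Xr sshd 8
+verifies that keys that have been used successfully are not reused for
+subsequent authentications.
+For example, an
+.Cm AuthenticationMethods
+of
+.Dq publickey,publickey
+will require successful authentication using two different public keys.
+.Pp
 This option is only available for SSH protocol 2 and will yield a fatal
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
@@ -257,6 +269,13 @@ By default, no AuthorizedKeysCommand is run.
 Specifies the user under whose account the AuthorizedKeysCommand is run.
 It is recommended to use a dedicated user that has no other role on the host
 than running authorized keys commands.
+If
+.Cm AuthorizedKeysCommand
+is specified but
+.Cm AuthorizedKeysCommandUser
+is not, then
+.Xr sshd 8
+will refuse to start.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
@@ -335,8 +354,10 @@ The default is
 Specifies the pathname of a directory to
 .Xr chroot 2
 to after authentication.
-All components of the pathname must be root-owned directories that are
-not writable by any other user or group.
+At session startup
+.Xr sshd 8
+checks that all components of the pathname are root-owned directories
+which are not writable by any other user or group.
 After the chroot,
 .Xr sshd 8
 changes the working directory to the user's home directory.
@@ -360,7 +381,6 @@ nodes such as
 .Xr stdin 4 ,
 .Xr stdout 4 ,
 .Xr stderr 4 ,
-.Xr arandom 4
 and
 .Xr tty 4
 devices.
@@ -374,6 +394,13 @@ inside the chroot directory on some operating systems (see
 .Xr sftp-server 8
 for details).
 .Pp
+For safety, it is very important that the directory hierarchy be
+prevented from modification by other processes on the system (especially
+those outside the jail).
+Misconfiguration can lead to unsafe environments which
+.Xr sshd 8
+cannot detect.
+.Pp
 The default is not to
 .Xr chroot 2 .
 .It Cm Ciphers
@@ -424,7 +451,9 @@ chacha20-poly1305@openssh.com
 The list of available ciphers may also be obtained using the
 .Fl Q
 option of
-.Xr ssh 1 .
+.Xr ssh 1
+with an argument of
+.Dq cipher .
 .It Cm ClientAliveCountMax
 Sets the number of client alive messages (see below) which may be
 sent without
@@ -512,6 +541,14 @@ and finally
 See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm FingerprintHash
+Specifies the hash algorithm used when logging key fingerprints.
+Valid options are:
+.Dq md5
+and
+.Dq sha256 .
+The default is
+.Dq sha256 .
 .It Cm ForceCommand
 Forces the execution of the command specified by
 .Cm ForceCommand ,
@@ -590,6 +627,17 @@ Controls whether the user's GSSAPI credentials should be updated following a
 successful connection rekeying. This option can be used to accepted renewed
 or updated credentials from a compatible client. The default is
 .Dq no .
+.It Cm HostbasedAcceptedKeyTypes
+Specifies the key types that will be accepted for hostbased authentication
+as a comma-separated pattern list.
+The default
+.Dq *
+will allow all key types.
+The
+.Fl Q
+option of
+.Xr ssh 1
+may be used to list supported key types.
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
@@ -791,6 +839,13 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group14-sha1
 .Ed
+.Pp
+The list of available key exchange algorithms may also be obtained using the
+.Fl Q
+option of
+.Xr ssh 1
+with an argument of
+.Dq kex .
 .It Cm KeyRegenerationInterval
 In protocol version 1, the ephemeral server key is automatically regenerated
 after this many seconds (if it has been used).
@@ -810,18 +865,18 @@ The following forms may be used:
 .It
 .Cm ListenAddress
 .Sm off
-.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
+.Ar host | Ar IPv4_addr | Ar IPv6_addr
 .Sm on
 .It
 .Cm ListenAddress
 .Sm off
-.Ar host No | Ar IPv4_addr No : Ar port
+.Ar host | Ar IPv4_addr : Ar port
 .Sm on
 .It
 .Cm ListenAddress
 .Sm off
 .Oo
-.Ar host No | Ar IPv6_addr Oc : Ar port
+.Ar host | Ar IPv6_addr Oc : Ar port
 .Sm on
 .El
 .Pp
@@ -909,6 +964,13 @@ hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
 umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512
 .Ed
+.Pp
+The list of available MAC algorithms may also be obtained using the
+.Fl Q
+option of
+.Xr ssh 1
+with an argument of
+.Dq mac .
 .It Cm Match
 Introduces a conditional block.
 If all of the criteria on the
@@ -919,7 +981,7 @@ set in the global section of the config file, until either another
 line or the end of the file.
 If a keyword appears in multiple
 .Cm Match
-blocks that are satisified, only the first instance of the keyword is
+blocks that are satisfied, only the first instance of the keyword is
 applied.
 .Pp
 The arguments to
@@ -963,6 +1025,7 @@ Available keywords are
 .Cm AcceptEnv ,
 .Cm AllowAgentForwarding ,
 .Cm AllowGroups ,
+.Cm AllowStreamLocalForwarding ,
 .Cm AllowTcpForwarding ,
 .Cm AllowUsers ,
 .Cm AuthenticationMethods ,
@@ -977,8 +1040,10 @@ Available keywords are
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm GSSAPIAuthentication ,
+.Cm HostbasedAcceptedKeyTypes ,
 .Cm HostbasedAuthentication ,
 .Cm HostbasedUsesNameFromPacketOnly ,
+.Cm IPQoS ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
@@ -990,10 +1055,15 @@ Available keywords are
 .Cm PermitTTY ,
 .Cm PermitTunnel ,
 .Cm PermitUserRC ,
+.Cm PubkeyAcceptedKeyTypes ,
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
+.Cm RevokedKeys ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
+.Cm StreamLocalBindMask ,
+.Cm StreamLocalBindUnlink ,
+.Cm TrustedUserCAKeys ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and
@@ -1118,6 +1188,10 @@ and
 .Dq ethernet .
 The default is
 .Dq no .
+.Pp
+Independent of this setting, the permissions of the selected
+.Xr tun 4
+device must allow access to the user.
 .It Cm PermitTTY
 Specifies whether
 .Xr pty 4
@@ -1193,6 +1267,17 @@ Specifying
 .Dq 2,1
 is identical to
 .Dq 1,2 .
+.It Cm PubkeyAcceptedKeyTypes
+Specifies the key types that will be accepted for public key authentication
+as a comma-separated pattern list.
+The default
+.Dq *
+will allow all key types.
+The
+.Fl Q
+option of
+.Xr ssh 1
+may be used to list supported key types.
 .It Cm PubkeyAuthentication
 Specifies whether public key authentication is allowed.
 The default is
@@ -1360,7 +1445,7 @@ should look up the remote host name and check that
 the resolved host name for the remote IP address maps back to the
 very same IP address.
 The default is
-.Dq yes .
+.Dq no .
 .It Cm UseLogin
 Specifies whether
 .Xr login 1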