Diffstat (limited to 'sshd_config.5')
-rw-r--r--  sshd_config.5  69
1 files changed, 68 insertions, 1 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 7255b1c22..d5f19ea3d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes | |||
58 | .Pq \&" | 58 | .Pq \&" |
59 | in order to represent arguments containing spaces. | 59 | in order to represent arguments containing spaces. |
60 | .Pp | 60 | .Pp |
61 | Note that the Debian | ||
62 | .Ic openssh-server | ||
63 | package sets several options as standard in | ||
64 | .Pa /etc/ssh/sshd_config | ||
65 | which are not the default in | ||
66 | .Xr sshd 8 . | ||
67 | The exact list depends on whether the package was installed fresh or | ||
68 | upgraded from various possible previous versions, but includes at least the | ||
69 | following: | ||
70 | .Pp | ||
71 | .Bl -bullet -offset indent -compact | ||
72 | .It | ||
73 | .Cm Protocol No 2 | ||
74 | .It | ||
75 | .Cm ChallengeResponseAuthentication No no | ||
76 | .It | ||
77 | .Cm X11Forwarding No yes | ||
78 | .It | ||
79 | .Cm PrintMotd No no | ||
80 | .It | ||
81 | .Cm AcceptEnv No LANG LC_* | ||
82 | .It | ||
83 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
84 | .It | ||
85 | .Cm UsePAM No yes | ||
86 | .El | ||
87 | .Pp | ||
61 | The possible | 88 | The possible |
62 | keywords and their meanings are as follows (note that | 89 | keywords and their meanings are as follows (note that |
63 | keywords are case-insensitive and arguments are case-sensitive): | 90 | keywords are case-insensitive and arguments are case-sensitive): |
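Review bot: the Debian list at new lines 71-86 puts X11Forwarding yes next to cosmetic settings such as PrintMotd no without saying that it is the one entry that widens exposure; since the paragraph already tells the reader these values differ from the sshd(8) defaults, add a sentence after the list recommending X11Forwarding no on hosts where users do not need to forward X displays, and note that AcceptEnv LANG LC_* lets clients set environment variables in the session. "includes at least the following" (line 68) is also vague for a reference page: say that the packaged /etc/ssh/sshd_config on the machine is authoritative and that the reader should check it rather than rely on this list.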
@@ -374,12 +401,35 @@ Specifies whether user authentication based on GSSAPI is allowed. | |||
374 | The default is | 401 | The default is |
375 | .Dq no . | 402 | .Dq no . |
376 | Note that this option applies to protocol version 2 only. | 403 | Note that this option applies to protocol version 2 only. |
404 | .It Cm GSSAPIKeyExchange | ||
405 | Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange | ||
406 | doesn't rely on ssh keys to verify host identity. | ||
407 | The default is | ||
408 | .Dq no . | ||
409 | Note that this option applies to protocol version 2 only. | ||
377 | .It Cm GSSAPICleanupCredentials | 410 | .It Cm GSSAPICleanupCredentials |
378 | Specifies whether to automatically destroy the user's credentials cache | 411 | Specifies whether to automatically destroy the user's credentials cache |
379 | on logout. | 412 | on logout. |
380 | The default is | 413 | The default is |
381 | .Dq yes . | 414 | .Dq yes . |
382 | Note that this option applies to protocol version 2 only. | 415 | Note that this option applies to protocol version 2 only. |
416 | .It Cm GSSAPIStrictAcceptorCheck | ||
417 | Determines whether to be strict about the identity of the GSSAPI acceptor | ||
418 | a client authenticates against. If | ||
419 | .Dq yes | ||
420 | then the client must authenticate against the | ||
421 | .Pa host | ||
422 | service on the current hostname. If | ||
423 | .Dq no | ||
424 | then the client may authenticate against any service key stored in the | ||
425 | machine's default store. This facility is provided to assist with operation | ||
426 | on multi homed machines. | ||
427 | The default is | ||
428 | .Dq yes . | ||
429 | Note that this option applies only to protocol version 2 GSSAPI connections, | ||
430 | and setting it to | ||
431 | .Dq no | ||
432 | may only work with recent Kerberos GSSAPI libraries. | ||
383 | .It Cm HostbasedAuthentication | 433 | .It Cm HostbasedAuthentication |
384 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 434 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
385 | with successful public key client host authentication is allowed | 435 | with successful public key client host authentication is allowed |
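Review bot: the GSSAPIKeyExchange text at new lines 405-406 says key exchange "doesn't rely on ssh keys to verify host identity" but stops short of the consequence, which is that the host is authenticated through its Kerberos host principal and trust therefore moves from the known_hosts host key to the KDC; spell that out, since an administrator reading "doesn't rely on ssh keys" may not realise the host-key check is replaced rather than supplemented. Line 405 also carries two sentences on one line, against the one-sentence-per-line convention used elsewhere in this page; split after "is allowed." Similarly, GSSAPIStrictAcceptorCheck no (lines 423-426) is described only as a multi-homed convenience; add that it allows authentication against any service principal present in the machine's default keytab, not just host/, so the acceptor identity is weakened, and write "multi-homed" with a hyphen. Using .Pa for the host service name (line 421) is odd, as .Pa is for pathnames; .Dq host or .Cm host fits better.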
@@ -534,7 +584,7 @@ The default is 120 seconds. | |||
534 | Gives the verbosity level that is used when logging messages from | 584 | Gives the verbosity level that is used when logging messages from |
535 | .Xr sshd 8 . | 585 | .Xr sshd 8 . |
536 | The possible values are: | 586 | The possible values are: |
537 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. | 587 | SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. |
538 | The default is INFO. | 588 | The default is INFO. |
539 | DEBUG and DEBUG1 are equivalent. | 589 | DEBUG and DEBUG1 are equivalent. |
540 | DEBUG2 and DEBUG3 each specify higher levels of debugging output. | 590 | DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
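Review bot: new line 587 adds SILENT to the LogLevel values but nothing in the surrounding text (lines 584-590) says how SILENT differs from QUIET or warns that either suppresses authentication records that incident response depends on; add a sentence defining SILENT and cautioning against running a production sshd below INFO, and if SILENT is a Debian-specific value say so, since the rest of this patch labels Debian divergences explicitly.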
@@ -650,6 +700,20 @@ are refused if the number of unauthenticated connections reaches | |||
650 | Specifies whether password authentication is allowed. | 700 | Specifies whether password authentication is allowed. |
651 | The default is | 701 | The default is |
652 | .Dq yes . | 702 | .Dq yes . |
703 | .It Cm PermitBlacklistedKeys | ||
704 | Specifies whether | ||
705 | .Xr sshd 8 | ||
706 | should allow keys recorded in its blacklist of known-compromised keys (see | ||
707 | .Xr ssh-vulnkey 1 ) . | ||
708 | If | ||
709 | .Dq yes , | ||
710 | then attempts to authenticate with compromised keys will be logged but | ||
711 | accepted. | ||
712 | If | ||
713 | .Dq no , | ||
714 | then attempts to authenticate with compromised keys will be rejected. | ||
715 | The default is | ||
716 | .Dq no . | ||
653 | .It Cm PermitEmptyPasswords | 717 | .It Cm PermitEmptyPasswords |
654 | When password authentication is allowed, it specifies whether the | 718 | When password authentication is allowed, it specifies whether the |
655 | server allows login to accounts with empty password strings. | 719 | server allows login to accounts with empty password strings. |
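Review bot: PermitBlacklistedKeys yes (new lines 709-711) is documented as "logged but accepted" without any guidance on when that is acceptable; since it disables the only check that stops known-compromised keys, add that it is intended solely as a temporary measure while affected keys are replaced, and that the blacklist only covers keys ssh-vulnkey(1) knows about, so a key not being rejected is not evidence it is sound. The default of no (line 716) is the right choice and should stay.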
@@ -870,6 +934,9 @@ This avoids infinitely hanging sessions. | |||
870 | .Pp | 934 | .Pp |
871 | To disable TCP keepalive messages, the value should be set to | 935 | To disable TCP keepalive messages, the value should be set to |
872 | .Dq no . | 936 | .Dq no . |
937 | .Pp | ||
938 | This option was formerly called | ||
939 | .Cm KeepAlive . | ||
873 | .It Cm UseDNS | 940 | .It Cm UseDNS |
874 | Specifies whether | 941 | Specifies whether |
875 | .Xr sshd 8 | 942 | .Xr sshd 8 |
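Review bot: new lines 938-939 note that TCPKeepAlive was formerly KeepAlive but do not say whether the old name is still accepted as an alias or now causes sshd(8) to reject the configuration; state which, because an upgraded host whose sshd_config still contains KeepAlive will otherwise either fail to start or silently lose the setting, and the administrator cannot tell from this page which to expect.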