Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 2387b51b8..79f2d611f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.227 2016/07/19 12:59:16 jmc Exp $ |
37 | .Dd $Mdocdate: February 17 2016 $ | 37 | .Dd $Mdocdate: July 19 2016 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -198,6 +198,8 @@ By default, login is allowed for all users. | |||
198 | If the pattern takes the form USER@HOST then USER and HOST | 198 | If the pattern takes the form USER@HOST then USER and HOST |
199 | are separately checked, restricting logins to particular | 199 | are separately checked, restricting logins to particular |
200 | users from particular hosts. | 200 | users from particular hosts. |
201 | HOST criteria may additionally contain addresses to match in CIDR | ||
202 | address/masklen format. | ||
201 | The allow/deny directives are processed in the following order: | 203 | The allow/deny directives are processed in the following order: |
202 | .Cm DenyUsers , | 204 | .Cm DenyUsers , |
203 | .Cm AllowUsers , | 205 | .Cm AllowUsers , |
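Review bot: The new sentence at lines 201-202 ("HOST criteria may additionally contain addresses to match in CIDR address/masklen format") leaves open what a CIDR entry is compared against: only the client's source address, or also a host name the server resolves for it. Because AllowUsers/DenyUsers are the access-control gate, readers need to know whether a user@10.0.0.0/8 entry can be satisfied by a resolved name, and whether CIDR entries can be mixed with host-name patterns in the same list. Suggest stating explicitly that CIDR entries match the connecting address and pointing at the existing "for more information on patterns" cross-reference so the three forms (host-name pattern, literal address, CIDR) are listed together.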
@@ -212,9 +214,12 @@ for more information on patterns. | |||
212 | Specifies the authentication methods that must be successfully completed | 214 | Specifies the authentication methods that must be successfully completed |
213 | for a user to be granted access. | 215 | for a user to be granted access. |
214 | This option must be followed by one or more comma-separated lists of | 216 | This option must be followed by one or more comma-separated lists of |
215 | authentication method names. | 217 | authentication method names, or by the single string |
216 | Successful authentication requires completion of every method in at least | 218 | .Dq any |
217 | one of these lists. | 219 | to indicate the default behaviour of accepting any single authentication |
220 | method. | ||
221 | if the default is overridden, then successful authentication requires | ||
222 | completion of every method in at least one of these lists. | ||
218 | .Pp | 223 | .Pp |
219 | For example, an argument of | 224 | For example, an argument of |
220 | .Dq publickey,password publickey,keyboard-interactive | 225 | .Dq publickey,password publickey,keyboard-interactive |
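Review bot: Line 221 begins a new sentence in lower case ("if the default is overridden, then successful authentication requires ..."); it should read "If the default is overridden, ...". Also consider dropping the comma-joined "then": "If the default is overridden, successful authentication requires completion of every method in at least one of these lists." Otherwise the introduction of the .Dq any keyword is clear and matches the later description of the default in the same option.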
@@ -254,7 +259,9 @@ This option will yield a fatal | |||
254 | error if enabled if protocol 1 is also enabled. | 259 | error if enabled if protocol 1 is also enabled. |
255 | Note that each authentication method listed should also be explicitly enabled | 260 | Note that each authentication method listed should also be explicitly enabled |
256 | in the configuration. | 261 | in the configuration. |
257 | The default is not to require multiple authentication; successful completion | 262 | The default |
263 | .Dq any | ||
264 | is not to require multiple authentication; successful completion | ||
258 | of a single authentication method is sufficient. | 265 | of a single authentication method is sufficient. |
259 | .It Cm AuthorizedKeysCommand | 266 | .It Cm AuthorizedKeysCommand |
260 | Specifies a program to be used to look up the user's public keys. | 267 | Specifies a program to be used to look up the user's public keys. |
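Review bot: Lines 262-265 now render as "The default "any" is not to require multiple authentication; successful completion of a single authentication method is sufficient", which reads as though "any" were the subject rather than the value of the default. Suggest wording that names the value explicitly, e.g. "The default is .Dq any , which does not require multiple authentication: successful completion of a single authentication method is sufficient." That also keeps this description consistent with the earlier sentence in the option that introduces .Dq any as the default.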
@@ -589,6 +596,8 @@ By default, login is allowed for all users. | |||
589 | If the pattern takes the form USER@HOST then USER and HOST | 596 | If the pattern takes the form USER@HOST then USER and HOST |
590 | are separately checked, restricting logins to particular | 597 | are separately checked, restricting logins to particular |
591 | users from particular hosts. | 598 | users from particular hosts. |
599 | HOST criteria may additionally contain addresses to match in CIDR | ||
600 | address/masklen format. | ||
592 | The allow/deny directives are processed in the following order: | 601 | The allow/deny directives are processed in the following order: |
593 | .Cm DenyUsers , | 602 | .Cm DenyUsers , |
594 | .Cm AllowUsers , | 603 | .Cm AllowUsers , |
@@ -773,7 +782,7 @@ to an | |||
773 | .It Cm HostKeyAgent | 782 | .It Cm HostKeyAgent |
774 | Identifies the UNIX-domain socket used to communicate | 783 | Identifies the UNIX-domain socket used to communicate |
775 | with an agent that has access to the private host keys. | 784 | with an agent that has access to the private host keys. |
776 | If | 785 | If the string |
777 | .Dq SSH_AUTH_SOCK | 786 | .Dq SSH_AUTH_SOCK |
778 | is specified, the location of the socket will be read from the | 787 | is specified, the location of the socket will be read from the |
779 | .Ev SSH_AUTH_SOCK | 788 | .Ev SSH_AUTH_SOCK |
@@ -1245,6 +1254,9 @@ can be used to remove all restrictions and permit any forwarding requests. | |||
1245 | An argument of | 1254 | An argument of |
1246 | .Dq none | 1255 | .Dq none |
1247 | can be used to prohibit all forwarding requests. | 1256 | can be used to prohibit all forwarding requests. |
1257 | The wildcard | ||
1258 | .Dq * | ||
1259 | can be used for host or port to allow all hosts or ports, respectively. | ||
1248 | By default all port forwarding requests are permitted. | 1260 | By default all port forwarding requests are permitted. |
1249 | .It Cm PermitRootLogin | 1261 | .It Cm PermitRootLogin |
1250 | Specifies whether root can log in using | 1262 | Specifies whether root can log in using |
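Review bot: Lines 1257-1259 say the wildcard "*" may be used "for host or port" but do not say what a wildcard on each side grants or how "*:*" relates to the .Dq any argument described in the hunk context. Since PermitOpen is a forwarding restriction, the text should spell out that host:* permits every port on that host and *:port permits that port on every host, and either state that *:* is equivalent to .Dq any or say that it is not accepted, so that administrators building an allow-list do not widen it unintentionally.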
@@ -1576,7 +1588,7 @@ very same IP address. | |||
1576 | If this option is set to | 1588 | If this option is set to |
1577 | .Dq no | 1589 | .Dq no |
1578 | (the default) then only addresses and not host names may be used in | 1590 | (the default) then only addresses and not host names may be used in |
1579 | .Pa ~/.ssh/known_hosts | 1591 | .Pa ~/.ssh/authorized_keys |
1580 | .Cm from | 1592 | .Cm from |
1581 | and | 1593 | and |
1582 | .Nm | 1594 | .Nm |
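Review bot: The correction at line 1591 from ~/.ssh/known_hosts to ~/.ssh/authorized_keys is right; the .Cm from restriction lives in authorized_keys, and the old text pointed readers at a client-side file that has no such option. While here, consider adding one clause describing the consequence, i.e. that with UseDNS set to .Dq no a host-name pattern in a from= entry will not be matched, so operators relying on name-based from= restrictions understand why such keys stop working and use addresses or CIDR ranges instead.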