diff options
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 52 |
1 files changed, 50 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 449afb302..e7a5f0a08 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes | |||
57 | .Pq \&" | 57 | .Pq \&" |
58 | in order to represent arguments containing spaces. | 58 | in order to represent arguments containing spaces. |
59 | .Pp | 59 | .Pp |
60 | Note that the Debian | ||
61 | .Ic openssh-server | ||
62 | package sets several options as standard in | ||
63 | .Pa /etc/ssh/sshd_config | ||
64 | which are not the default in | ||
65 | .Xr sshd 8 . | ||
66 | The exact list depends on whether the package was installed fresh or | ||
67 | upgraded from various possible previous versions, but includes at least the | ||
68 | following: | ||
69 | .Pp | ||
70 | .Bl -bullet -offset indent -compact | ||
71 | .It | ||
72 | .Cm Protocol No 2 | ||
73 | .It | ||
74 | .Cm ChallengeResponseAuthentication No no | ||
75 | .It | ||
76 | .Cm X11Forwarding No yes | ||
77 | .It | ||
78 | .Cm PrintMotd No no | ||
79 | .It | ||
80 | .Cm AcceptEnv No LANG LC_* | ||
81 | .It | ||
82 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
83 | .It | ||
84 | .Cm UsePAM No yes | ||
85 | .El | ||
86 | .Pp | ||
60 | The possible | 87 | The possible |
61 | keywords and their meanings are as follows (note that | 88 | keywords and their meanings are as follows (note that |
62 | keywords are case-insensitive and arguments are case-sensitive): | 89 | keywords are case-insensitive and arguments are case-sensitive): |
@@ -221,8 +248,7 @@ This option is only available for protocol version 2. | |||
221 | By default, no banner is displayed. | 248 | By default, no banner is displayed. |
222 | .It Cm ChallengeResponseAuthentication | 249 | .It Cm ChallengeResponseAuthentication |
223 | Specifies whether challenge-response authentication is allowed (e.g. via | 250 | Specifies whether challenge-response authentication is allowed (e.g. via |
224 | PAM or though authentication styles supported in | 251 | PAM). |
225 | .Xr login.conf 5 ) | ||
226 | The default is | 252 | The default is |
227 | .Dq yes . | 253 | .Dq yes . |
228 | .It Cm ChrootDirectory | 254 | .It Cm ChrootDirectory |
@@ -339,6 +365,11 @@ or | |||
339 | .Dq no . | 365 | .Dq no . |
340 | The default is | 366 | The default is |
341 | .Dq delayed . | 367 | .Dq delayed . |
368 | .It Cm DebianBanner | ||
369 | Specifies whether the distribution-specified extra version suffix is | ||
370 | included during initial protocol handshake. | ||
371 | The default is | ||
372 | .Dq yes . | ||
342 | .It Cm DenyGroups | 373 | .It Cm DenyGroups |
343 | This keyword can be followed by a list of group name patterns, separated | 374 | This keyword can be followed by a list of group name patterns, separated |
344 | by spaces. | 375 | by spaces. |
@@ -792,6 +823,20 @@ are refused if the number of unauthenticated connections reaches | |||
792 | Specifies whether password authentication is allowed. | 823 | Specifies whether password authentication is allowed. |
793 | The default is | 824 | The default is |
794 | .Dq yes . | 825 | .Dq yes . |
826 | .It Cm PermitBlacklistedKeys | ||
827 | Specifies whether | ||
828 | .Xr sshd 8 | ||
829 | should allow keys recorded in its blacklist of known-compromised keys (see | ||
830 | .Xr ssh-vulnkey 1 ) . | ||
831 | If | ||
832 | .Dq yes , | ||
833 | then attempts to authenticate with compromised keys will be logged but | ||
834 | accepted. | ||
835 | If | ||
836 | .Dq no , | ||
837 | then attempts to authenticate with compromised keys will be rejected. | ||
838 | The default is | ||
839 | .Dq no . | ||
795 | .It Cm PermitEmptyPasswords | 840 | .It Cm PermitEmptyPasswords |
796 | When password authentication is allowed, it specifies whether the | 841 | When password authentication is allowed, it specifies whether the |
797 | server allows login to accounts with empty password strings. | 842 | server allows login to accounts with empty password strings. |
@@ -1020,6 +1065,9 @@ This avoids infinitely hanging sessions. | |||
1020 | .Pp | 1065 | .Pp |
1021 | To disable TCP keepalive messages, the value should be set to | 1066 | To disable TCP keepalive messages, the value should be set to |
1022 | .Dq no . | 1067 | .Dq no . |
1068 | .Pp | ||
1069 | This option was formerly called | ||
1070 | .Cm KeepAlive . | ||
1023 | .It Cm TrustedUserCAKeys | 1071 | .It Cm TrustedUserCAKeys |
1024 | Specifies a file containing public keys of certificate authorities that are | 1072 | Specifies a file containing public keys of certificate authorities that are |
1025 | trusted to sign user certificates for authentication. | 1073 | trusted to sign user certificates for authentication. |