Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 105 |
1 files changed, 80 insertions, 25 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index db1f2fd69..eb6bff85f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.194 2015/02/20 23:46:01 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.204 2015/06/05 03:44:14 djm Exp $ |
37 | .Dd $Mdocdate: February 20 2015 $ | 37 | .Dd $Mdocdate: June 5 2015 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -95,7 +95,11 @@ See | |||
95 | in | 95 | in |
96 | .Xr ssh_config 5 | 96 | .Xr ssh_config 5 |
97 | for how to configure the client. | 97 | for how to configure the client. |
98 | Note that environment passing is only supported for protocol 2. | 98 | Note that environment passing is only supported for protocol 2, and |
99 | that the | ||
100 | .Ev TERM | ||
101 | environment variable is always sent whenever the client | ||
102 | requests a pseudo-terminal as it is required by the protocol. | ||
99 | Variables are specified by name, which may contain the wildcard characters | 103 | Variables are specified by name, which may contain the wildcard characters |
100 | .Ql * | 104 | .Ql * |
101 | and | 105 | and |
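Review bot: The new sentence at lines 98-102 says TERM is "always sent" but does not say why AcceptEnv cannot filter it: the terminal type is carried inside the pty-req channel request rather than in an env request, so the AcceptEnv patterns never see it. Consider wording it as "the TERM environment variable is set from the pty-req request whenever the client requests a pseudo-terminal and is not subject to AcceptEnv filtering", so administrators do not expect an AcceptEnv pattern to block it.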
@@ -255,9 +259,21 @@ The default is not to require multiple authentication; successful completion | |||
255 | of a single authentication method is sufficient. | 259 | of a single authentication method is sufficient. |
256 | .It Cm AuthorizedKeysCommand | 260 | .It Cm AuthorizedKeysCommand |
257 | Specifies a program to be used to look up the user's public keys. | 261 | Specifies a program to be used to look up the user's public keys. |
258 | The program must be owned by root and not writable by group or others. | 262 | The program must be owned by root, not writable by group or others and |
259 | It will be invoked with a single argument of the username | 263 | specified by an absolute path. |
260 | being authenticated, and should produce on standard output zero or | 264 | .Pp |
265 | Arguments to | ||
266 | .Cm AuthorizedKeysCommand | ||
267 | may be provided using the following tokens, which will be expanded | ||
268 | at runtime: %% is replaced by a literal '%', %u is replaced by the | ||
269 | username being authenticated, %h is replaced by the home directory | ||
270 | of the user being authenticated, %t is replaced with the key type | ||
271 | offered for authentication, %f is replaced with the fingerprint of | ||
272 | the key, and %k is replaced with the key being offered for authentication. | ||
273 | If no arguments are specified then the username of the target user | ||
274 | will be supplied. | ||
275 | .Pp | ||
276 | The program should produce on standard output zero or | ||
261 | more lines of authorized_keys output (see AUTHORIZED_KEYS in | 277 | more lines of authorized_keys output (see AUTHORIZED_KEYS in |
262 | .Xr sshd 8 ) . | 278 | .Xr sshd 8 ) . |
263 | If a key supplied by AuthorizedKeysCommand does not successfully authenticate | 279 | If a key supplied by AuthorizedKeysCommand does not successfully authenticate |
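Review bot: The token list at lines 267-272 should state that %t, %f and %k are taken directly from the key the client offers, before any authentication has succeeded, so a command that interpolates them into a shell string or a query has to treat them as untrusted input; %u and %h are the only tokens here that describe the account rather than the offer. Style: line 262 reads "owned by root, not writable by group or others and specified by an absolute path", where a comma before "and" would parse more cleanly; the same wording recurs at lines 319-320 of the next hunk.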
@@ -296,6 +312,42 @@ directory. | |||
296 | Multiple files may be listed, separated by whitespace. | 312 | Multiple files may be listed, separated by whitespace. |
297 | The default is | 313 | The default is |
298 | .Dq .ssh/authorized_keys .ssh/authorized_keys2 . | 314 | .Dq .ssh/authorized_keys .ssh/authorized_keys2 . |
315 | .It Cm AuthorizedPrincipalsCommand | ||
316 | Specifies a program to be used to generate the list of allowed | ||
317 | certificate principals as per | ||
318 | .Cm AuthorizedPrincipalsFile . | ||
319 | The program must be owned by root, not writable by group or others and | ||
320 | specified by an absolute path. | ||
321 | .Pp | ||
322 | Arguments to | ||
323 | .Cm AuthorizedPrincipalsCommand | ||
324 | may be provided using the following tokens, which will be expanded | ||
325 | at runtime: %% is replaced by a literal '%', %u is replaced by the | ||
326 | username being authenticated and %h is replaced by the home directory | ||
327 | of the user being authenticated. | ||
328 | .Pp | ||
329 | The program should produce on standard output zero or | ||
330 | more lines of | ||
331 | .Cm AuthorizedPrincipalsFile | ||
332 | output. | ||
333 | If either | ||
334 | .Cm AuthorizedPrincipalsCommand | ||
335 | or | ||
336 | .Cm AuthorizedPrincipalsFile | ||
337 | is specified, then certificates offered by the client for authentication | ||
338 | must contain a principal that is listed. | ||
339 | By default, no AuthorizedPrincipalsCommand is run. | ||
340 | .It Cm AuthorizedPrincipalsCommandUser | ||
341 | Specifies the user under whose account the AuthorizedPrincipalsCommand is run. | ||
342 | It is recommended to use a dedicated user that has no other role on the host | ||
343 | than running authorized principals commands. | ||
344 | If | ||
345 | .Cm AuthorizedPrincipalsCommand | ||
346 | is specified but | ||
347 | .Cm AuthorizedPrincipalsCommandUser | ||
348 | is not, then | ||
349 | .Xr sshd 8 | ||
350 | will refuse to start. | ||
299 | .It Cm AuthorizedPrincipalsFile | 351 | .It Cm AuthorizedPrincipalsFile |
300 | Specifies a file that lists principal names that are accepted for | 352 | Specifies a file that lists principal names that are accepted for |
301 | certificate authentication. | 353 | certificate authentication. |
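Review bot: Lines 333-338 say a certificate principal must be listed whenever either directive is set, but do not say how the two sources combine when both AuthorizedPrincipalsCommand and AuthorizedPrincipalsFile are configured (is the command's output consulted in addition to the file, or instead of it?); one sentence here would save administrators from having to test it. Style: lines 339 and 341 use the bare names AuthorizedPrincipalsCommand and AuthorizedPrincipalsCommandUser where the surrounding text marks them with .Cm.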
@@ -606,22 +658,20 @@ The default is | |||
606 | .Dq yes . | 658 | .Dq yes . |
607 | Note that this option applies to protocol version 2 only. | 659 | Note that this option applies to protocol version 2 only. |
608 | .It Cm GSSAPIStrictAcceptorCheck | 660 | .It Cm GSSAPIStrictAcceptorCheck |
609 | Determines whether to be strict about the identity of the GSSAPI acceptor | 661 | Determines whether to be strict about the identity of the GSSAPI acceptor |
610 | a client authenticates against. If | 662 | a client authenticates against. |
663 | If set to | ||
611 | .Dq yes | 664 | .Dq yes |
612 | then the client must authenticate against the | 665 | then the client must authenticate against the |
613 | .Pa host | 666 | .Pa host |
614 | service on the current hostname. If | 667 | service on the current hostname. |
668 | If set to | ||
615 | .Dq no | 669 | .Dq no |
616 | then the client may authenticate against any service key stored in the | 670 | then the client may authenticate against any service key stored in the |
617 | machine's default store. This facility is provided to assist with operation | 671 | machine's default store. |
618 | on multi homed machines. | 672 | This facility is provided to assist with operation on multi homed machines. |
619 | The default is | 673 | The default is |
620 | .Dq yes . | 674 | .Dq yes . |
621 | Note that this option applies only to protocol version 2 GSSAPI connections, | ||
622 | and setting it to | ||
623 | .Dq no | ||
624 | may only work with recent Kerberos GSSAPI libraries. | ||
625 | .It Cm GSSAPIStoreCredentialsOnRekey | 675 | .It Cm GSSAPIStoreCredentialsOnRekey |
626 | Controls whether the user's GSSAPI credentials should be updated following a | 676 | Controls whether the user's GSSAPI credentials should be updated following a |
627 | successful connection rekeying. This option can be used to accepted renewed | 677 | successful connection rekeying. This option can be used to accepted renewed |
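Review bot: Lines 621-624 are deleted without a replacement, so the page no longer tells readers that setting GSSAPIStrictAcceptorCheck to no depends on the GSSAPI library in use; if that limitation no longer applies the deletion is fine, but the "protocol version 2 only" note is still kept for the neighbouring option on line 659, so the two entries now read inconsistently. While this paragraph is being touched, "multi homed" on line 672 should be "multi-homed", and the unchanged line 677 still reads "can be used to accepted renewed".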
@@ -883,16 +933,13 @@ The following forms may be used: | |||
883 | If | 933 | If |
884 | .Ar port | 934 | .Ar port |
885 | is not specified, | 935 | is not specified, |
886 | sshd will listen on the address and all prior | 936 | sshd will listen on the address and all |
887 | .Cm Port | 937 | .Cm Port |
888 | options specified. | 938 | options specified. |
889 | The default is to listen on all local addresses. | 939 | The default is to listen on all local addresses. |
890 | Multiple | 940 | Multiple |
891 | .Cm ListenAddress | 941 | .Cm ListenAddress |
892 | options are permitted. | 942 | options are permitted. |
893 | Additionally, any | ||
894 | .Cm Port | ||
895 | options must precede this option for non-port qualified addresses. | ||
896 | .It Cm LoginGraceTime | 943 | .It Cm LoginGraceTime |
897 | The server disconnects after this time if the user has not | 944 | The server disconnects after this time if the user has not |
898 | successfully logged in. | 945 | successfully logged in. |
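Review bot: Dropping "prior" on line 936 and the ordering requirement at lines 893-895 implies that a ListenAddress without a port now picks up every Port directive in the file regardless of where it appears; say that explicitly ("all Port options specified anywhere in the configuration") so readers who remember the old rule notice that the ordering constraint is gone.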
@@ -1150,7 +1197,7 @@ The argument must be | |||
1150 | or | 1197 | or |
1151 | .Dq no . | 1198 | .Dq no . |
1152 | The default is | 1199 | The default is |
1153 | .Dq yes . | 1200 | .Dq no . |
1154 | .Pp | 1201 | .Pp |
1155 | If this option is set to | 1202 | If this option is set to |
1156 | .Dq without-password , | 1203 | .Dq without-password , |
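Review bot: Line 1200 flips the PermitRootLogin default from yes to no, a behaviour change for every installation that does not set the directive explicitly; the man page edit alone does not warn existing administrators, so the shipped sample sshd_config and the release notes should carry the same default, and stating the previous value here ("The default is no; earlier releases defaulted to yes") for one release cycle would make the change visible to anyone reading only this page.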
@@ -1220,7 +1267,9 @@ The default is | |||
1220 | .Dq yes . | 1267 | .Dq yes . |
1221 | .It Cm PidFile | 1268 | .It Cm PidFile |
1222 | Specifies the file that contains the process ID of the | 1269 | Specifies the file that contains the process ID of the |
1223 | SSH daemon. | 1270 | SSH daemon, or |
1271 | .Dq none | ||
1272 | to not write one. | ||
1224 | The default is | 1273 | The default is |
1225 | .Pa /var/run/sshd.pid . | 1274 | .Pa /var/run/sshd.pid . |
1226 | .It Cm Port | 1275 | .It Cm Port |
@@ -1310,7 +1359,9 @@ which means that rekeying is performed after the cipher's default amount | |||
1310 | of data has been sent or received and no time based rekeying is done. | 1359 | of data has been sent or received and no time based rekeying is done. |
1311 | This option applies to protocol version 2 only. | 1360 | This option applies to protocol version 2 only. |
1312 | .It Cm RevokedKeys | 1361 | .It Cm RevokedKeys |
1313 | Specifies revoked public keys. | 1362 | Specifies revoked public keys file, or |
1363 | .Dq none | ||
1364 | to not use one. | ||
1314 | Keys listed in this file will be refused for public key authentication. | 1365 | Keys listed in this file will be refused for public key authentication. |
1315 | Note that if this file is not readable, then public key authentication will | 1366 | Note that if this file is not readable, then public key authentication will |
1316 | be refused for all users. | 1367 | be refused for all users. |
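Review bot: Line 1362 reads "Specifies revoked public keys file, or none to not use one", which drops the article; "Specifies a file containing revoked public keys, or none to not use one" would match the phrasing used for TrustedUserCAKeys and XAuthLocation in this same change. Since the unchanged lines 1366-1367 still say an unreadable file refuses public key authentication for all users, it is worth adding that none is the supported way to opt out, as opposed to pointing the directive at a missing file.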
@@ -1426,7 +1477,9 @@ This option was formerly called | |||
1426 | .Cm KeepAlive . | 1477 | .Cm KeepAlive . |
1427 | .It Cm TrustedUserCAKeys | 1478 | .It Cm TrustedUserCAKeys |
1428 | Specifies a file containing public keys of certificate authorities that are | 1479 | Specifies a file containing public keys of certificate authorities that are |
1429 | trusted to sign user certificates for authentication. | 1480 | trusted to sign user certificates for authentication, or |
1481 | .Dq none | ||
1482 | to not use one. | ||
1430 | Keys are listed one per line; empty lines and comments starting with | 1483 | Keys are listed one per line; empty lines and comments starting with |
1431 | .Ql # | 1484 | .Ql # |
1432 | are allowed. | 1485 | are allowed. |
@@ -1579,7 +1632,9 @@ The default is | |||
1579 | .It Cm XAuthLocation | 1632 | .It Cm XAuthLocation |
1580 | Specifies the full pathname of the | 1633 | Specifies the full pathname of the |
1581 | .Xr xauth 1 | 1634 | .Xr xauth 1 |
1582 | program. | 1635 | program, or |
1636 | .Dq none | ||
1637 | to not use one. | ||
1583 | The default is | 1638 | The default is |
1584 | .Pa /usr/X11R6/bin/xauth . | 1639 | .Pa /usr/X11R6/bin/xauth . |
1585 | .El | 1640 | .El |
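Review bot: Lines 1635-1637 add none for XAuthLocation but do not say what happens to X11 forwarding when no xauth program is configured (is forwarding refused, or does the session proceed without an authority cookie being installed?); a short sentence on the consequence would keep this entry parallel with the other "none" additions in this change, which each say what is skipped.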