Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 27 |
1 files changed, 7 insertions, 20 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 711a02524..ef9190568 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.218 2016/02/16 05:11:04 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.219 2016/02/17 07:38:19 jmc Exp $ |
37 | .Dd $Mdocdate: February 16 2016 $ | 37 | .Dd $Mdocdate: February 17 2016 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -70,8 +70,7 @@ See | |||
70 | in | 70 | in |
71 | .Xr ssh_config 5 | 71 | .Xr ssh_config 5 |
72 | for how to configure the client. | 72 | for how to configure the client. |
73 | Note that environment passing is only supported for protocol 2, and | 73 | The |
74 | that the | ||
75 | .Ev TERM | 74 | .Ev TERM |
76 | environment variable is always sent whenever the client | 75 | environment variable is always sent whenever the client |
77 | requests a pseudo-terminal as it is required by the protocol. | 76 | requests a pseudo-terminal as it is required by the protocol. |
@@ -226,7 +225,7 @@ of | |||
226 | .Dq publickey,publickey | 225 | .Dq publickey,publickey |
227 | will require successful authentication using two different public keys. | 226 | will require successful authentication using two different public keys. |
228 | .Pp | 227 | .Pp |
229 | This option is only available for SSH protocol 2 and will yield a fatal | 228 | This option will yield a fatal |
230 | error if enabled if protocol 1 is also enabled. | 229 | error if enabled if protocol 1 is also enabled. |
231 | Note that each authentication method listed should also be explicitly enabled | 230 | Note that each authentication method listed should also be explicitly enabled |
232 | in the configuration. | 231 | in the configuration. |
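Review bot: the rewritten sentence for AuthenticationMethods (new lines 228-229, "This option will yield a fatal error if enabled if protocol 1 is also enabled.") still carries a protocol 1 reference even though every other hunk in this diff is removing protocol-version language, and it keeps the doubled "if enabled if". If protocol 1 can no longer be configured, the whole sentence should go; if it can, tighten it to "This option will yield a fatal error if protocol 1 is also enabled."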
@@ -373,7 +372,6 @@ authentication is allowed. | |||
373 | If the argument is | 372 | If the argument is |
374 | .Dq none | 373 | .Dq none |
375 | then no banner is displayed. | 374 | then no banner is displayed. |
376 | This option is only available for protocol version 2. | ||
377 | By default, no banner is displayed. | 375 | By default, no banner is displayed. |
378 | .It Cm ChallengeResponseAuthentication | 376 | .It Cm ChallengeResponseAuthentication |
379 | Specifies whether challenge-response authentication is allowed (e.g. via | 377 | Specifies whether challenge-response authentication is allowed (e.g. via |
@@ -437,7 +435,7 @@ The default is | |||
437 | indicating not to | 435 | indicating not to |
438 | .Xr chroot 2 . | 436 | .Xr chroot 2 . |
439 | .It Cm Ciphers | 437 | .It Cm Ciphers |
440 | Specifies the ciphers allowed for protocol version 2. | 438 | Specifies the ciphers allowed. |
441 | Multiple ciphers must be comma-separated. | 439 | Multiple ciphers must be comma-separated. |
442 | If the specified value begins with a | 440 | If the specified value begins with a |
443 | .Sq + | 441 | .Sq + |
@@ -518,7 +516,6 @@ If | |||
518 | .Cm ClientAliveCountMax | 516 | .Cm ClientAliveCountMax |
519 | is left at the default, unresponsive SSH clients | 517 | is left at the default, unresponsive SSH clients |
520 | will be disconnected after approximately 45 seconds. | 518 | will be disconnected after approximately 45 seconds. |
521 | This option applies to protocol version 2 only. | ||
522 | .It Cm ClientAliveInterval | 519 | .It Cm ClientAliveInterval |
523 | Sets a timeout interval in seconds after which if no data has been received | 520 | Sets a timeout interval in seconds after which if no data has been received |
524 | from the client, | 521 | from the client, |
@@ -527,7 +524,6 @@ will send a message through the encrypted | |||
527 | channel to request a response from the client. | 524 | channel to request a response from the client. |
528 | The default | 525 | The default |
529 | is 0, indicating that these messages will not be sent to the client. | 526 | is 0, indicating that these messages will not be sent to the client. |
530 | This option applies to protocol version 2 only. | ||
531 | .It Cm Compression | 527 | .It Cm Compression |
532 | Specifies whether compression is allowed, or delayed until | 528 | Specifies whether compression is allowed, or delayed until |
533 | the user has authenticated successfully. | 529 | the user has authenticated successfully. |
@@ -627,13 +623,11 @@ The default is | |||
627 | Specifies whether user authentication based on GSSAPI is allowed. | 623 | Specifies whether user authentication based on GSSAPI is allowed. |
628 | The default is | 624 | The default is |
629 | .Dq no . | 625 | .Dq no . |
630 | Note that this option applies to protocol version 2 only. | ||
631 | .It Cm GSSAPICleanupCredentials | 626 | .It Cm GSSAPICleanupCredentials |
632 | Specifies whether to automatically destroy the user's credentials cache | 627 | Specifies whether to automatically destroy the user's credentials cache |
633 | on logout. | 628 | on logout. |
634 | The default is | 629 | The default is |
635 | .Dq yes . | 630 | .Dq yes . |
636 | Note that this option applies to protocol version 2 only. | ||
637 | .It Cm GSSAPIStrictAcceptorCheck | 631 | .It Cm GSSAPIStrictAcceptorCheck |
638 | Determines whether to be strict about the identity of the GSSAPI acceptor | 632 | Determines whether to be strict about the identity of the GSSAPI acceptor |
639 | a client authenticates against. | 633 | a client authenticates against. |
@@ -676,9 +670,6 @@ may be used to list supported key types. | |||
676 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 670 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
677 | with successful public key client host authentication is allowed | 671 | with successful public key client host authentication is allowed |
678 | (host-based authentication). | 672 | (host-based authentication). |
679 | This option is similar to | ||
680 | .Cm RhostsRSAAuthentication | ||
681 | and applies to protocol version 2 only. | ||
682 | The default is | 673 | The default is |
683 | .Dq no . | 674 | .Dq no . |
684 | .It Cm HostbasedUsesNameFromPacketOnly | 675 | .It Cm HostbasedUsesNameFromPacketOnly |
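Review bot: removing the "This option is similar to .Cm RhostsRSAAuthentication" cross-reference from HostbasedAuthentication (old lines 679-681) is only consistent if the RhostsRSAAuthentication entry itself is gone or being removed, since that option is the protocol 1 counterpart; this diff does not touch that entry, so please confirm it is handled in the same or an accompanying change rather than left documented without its cross-reference.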
@@ -749,7 +740,7 @@ is specified, the location of the socket will be read from the | |||
749 | .Ev SSH_AUTH_SOCK | 740 | .Ev SSH_AUTH_SOCK |
750 | environment variable. | 741 | environment variable. |
751 | .It Cm HostKeyAlgorithms | 742 | .It Cm HostKeyAlgorithms |
752 | Specifies the protocol version 2 host key algorithms | 743 | Specifies the host key algorithms |
753 | that the server offers. | 744 | that the server offers. |
754 | The default for this option is: | 745 | The default for this option is: |
755 | .Bd -literal -offset 3n | 746 | .Bd -literal -offset 3n |
@@ -970,8 +961,7 @@ DEBUG2 and DEBUG3 each specify higher levels of debugging output. | |||
970 | Logging with a DEBUG level violates the privacy of users and is not recommended. | 961 | Logging with a DEBUG level violates the privacy of users and is not recommended. |
971 | .It Cm MACs | 962 | .It Cm MACs |
972 | Specifies the available MAC (message authentication code) algorithms. | 963 | Specifies the available MAC (message authentication code) algorithms. |
973 | The MAC algorithm is used in protocol version 2 | 964 | The MAC algorithm is used for data integrity protection. |
974 | for data integrity protection. | ||
975 | Multiple algorithms must be comma-separated. | 965 | Multiple algorithms must be comma-separated. |
976 | If the specified value begins with a | 966 | If the specified value begins with a |
977 | .Sq + | 967 | .Sq + |
@@ -1380,7 +1370,6 @@ may be used to list supported key types. | |||
1380 | Specifies whether public key authentication is allowed. | 1370 | Specifies whether public key authentication is allowed. |
1381 | The default is | 1371 | The default is |
1382 | .Dq yes . | 1372 | .Dq yes . |
1383 | Note that this option applies to protocol version 2 only. | ||
1384 | .It Cm RekeyLimit | 1373 | .It Cm RekeyLimit |
1385 | Specifies the maximum amount of data that may be transmitted before the | 1374 | Specifies the maximum amount of data that may be transmitted before the |
1386 | session key is renegotiated, optionally followed a maximum amount of | 1375 | session key is renegotiated, optionally followed a maximum amount of |
@@ -1406,7 +1395,6 @@ is | |||
1406 | .Dq default none , | 1395 | .Dq default none , |
1407 | which means that rekeying is performed after the cipher's default amount | 1396 | which means that rekeying is performed after the cipher's default amount |
1408 | of data has been sent or received and no time based rekeying is done. | 1397 | of data has been sent or received and no time based rekeying is done. |
1409 | This option applies to protocol version 2 only. | ||
1410 | .It Cm RevokedKeys | 1398 | .It Cm RevokedKeys |
1411 | Specifies revoked public keys file, or | 1399 | Specifies revoked public keys file, or |
1412 | .Dq none | 1400 | .Dq none |
@@ -1493,7 +1481,6 @@ This may simplify configurations using | |||
1493 | to force a different filesystem root on clients. | 1481 | to force a different filesystem root on clients. |
1494 | .Pp | 1482 | .Pp |
1495 | By default no subsystems are defined. | 1483 | By default no subsystems are defined. |
1496 | Note that this option applies to protocol version 2 only. | ||
1497 | .It Cm SyslogFacility | 1484 | .It Cm SyslogFacility |
1498 | Gives the facility code that is used when logging messages from | 1485 | Gives the facility code that is used when logging messages from |
1499 | .Xr sshd 8 . | 1486 | .Xr sshd 8 . |