Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 79 |
1 files changed, 63 insertions, 16 deletions
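--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.253 2017/09/27 06:45:53 jmc Exp $
-.Dd $Mdocdate: September 27 2017 $
+.\" $OpenBSD: sshd_config.5,v 1.263 2018/02/16 02:40:45 djm Exp $
+.Dd $Mdocdate: February 16 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -48,6 +48,7 @@ reads configuration data from
 .Fl f
 on the command line).
 The file contains keyword-argument pairs, one per line.
+For each keyword, the first obtained value will be used.
 Lines starting with
 .Ql #
 and empty lines are interpreted as comments.
@@ -749,10 +750,10 @@ is not to load any certificates.
 Specifies a file containing a private host key
 used by SSH.
 The defaults are
-.Pa /etc/ssh/ssh_host_rsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key
+.Pa /etc/ssh/ssh_host_ecdsa_key ,
+.Pa /etc/ssh/ssh_host_ed25519_key
 and
-.Pa /etc/ssh/ssh_host_ed25519_key .
+.Pa /etc/ssh/ssh_host_rsa_key .
 .Pp
 Note that
 .Xr sshd 8
@@ -811,7 +812,9 @@ Specifies whether
 should ignore the user's
 .Pa ~/.ssh/known_hosts
 during
-.Cm HostbasedAuthentication .
+.Cm HostbasedAuthentication
+and use only the system-wide known hosts file
+.Pa /etc/ssh/known_hosts .
 The default is
 .Cm no .
 .It Cm IPQoS
@@ -912,6 +915,12 @@ diffie-hellman-group1-sha1
 .It
 diffie-hellman-group14-sha1
 .It
+diffie-hellman-group14-sha256
+.It
+diffie-hellman-group16-sha512
+.It
+diffie-hellman-group18-sha512
+.It
 diffie-hellman-group-exchange-sha1
 .It
 diffie-hellman-group-exchange-sha256
@@ -928,7 +937,8 @@ The default is:
 curve25519-sha256,curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group14-sha1
+diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 .Ed
 .Pp
 The list of available key exchange algorithms may also be obtained using
@@ -943,31 +953,47 @@ The following forms may be used:
 .It
 .Cm ListenAddress
 .Sm off
-.Ar host | Ar IPv4_addr | Ar IPv6_addr
+.Ar hostname | address
+.Sm on
+.Op Cm rdomain Ar domain
+.It
+.Cm ListenAddress
+.Sm off
+.Ar hostname : port
 .Sm on
+.Op Cm rdomain Ar domain
 .It
 .Cm ListenAddress
 .Sm off
-.Ar host | Ar IPv4_addr : Ar port
+.Ar IPv4_address : port
 .Sm on
+.Op Cm rdomain Ar domain
 .It
 .Cm ListenAddress
 .Sm off
-.Oo
-.Ar host | Ar IPv6_addr Oc : Ar port
+.Oo Ar hostname | address Oc : Ar port
 .Sm on
+.Op Cm rdomain Ar domain
 .El
 .Pp
+The optional
+.Cm rdomain
+qualifier requests
+.Xr sshd 8
+listen in an explicit routing domain.
 If
 .Ar port
 is not specified,
 sshd will listen on the address and all
 .Cm Port
 options specified.
-The default is to listen on all local addresses.
+The default is to listen on all local addresses on the current default
+routing domain.
 Multiple
 .Cm ListenAddress
 options are permitted.
+For more information on routing domains, see
+.Xr rdomain 4 .
 .It Cm LoginGraceTime
 The server disconnects after this time if the user has not
 successfully logged in.
@@ -1071,8 +1097,15 @@ The available criteria are
 .Cm Host ,
 .Cm LocalAddress ,
 .Cm LocalPort ,
+.Cm RDomain ,
 and
-.Cm Address .
+.Cm Address
+(with
+.Cm RDomain
+representing the
+.Xr rdomain 4
+on which the connection was received.)
+.Pp
 The match patterns may consist of single entries or comma-separated
 lists and may use the wildcard and negation operators described in the
 .Sx PATTERNS
@@ -1135,6 +1168,7 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
+.Cm RDomain ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1223,7 +1257,6 @@ Specifies whether root can log in using
 The argument must be
 .Cm yes ,
 .Cm prohibit-password ,
-.Cm without-password ,
 .Cm forced-commands-only ,
 or
 .Cm no .
@@ -1232,8 +1265,8 @@ The default is
 .Pp
 If this option is set to
 .Cm prohibit-password
-or
-.Cm without-password ,
+(or its deprecated alias,
+.Cm without-password ) ,
 password and keyboard-interactive authentication are disabled for root.
 .Pp
 If this option is set to
@@ -1396,6 +1429,15 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
+.It Cm RDomain
+Specifies an explicit routing domain that is applied after authentication
+has completed.
+The user session, as well and any forwarded or listening IP sockets,
+will be bound to this
+.Xr rdomain 4 .
+If the routing domain is set to
+.Cm \&%D ,
+then the domain in which the incoming connection was received will be applied.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
@@ -1664,6 +1706,8 @@ which are expanded at runtime:
 .It %%
 A literal
 .Sq % .
+.It \&%D
+The routing domain in which the incoming connection was received.
 .It %F
 The fingerprint of the CA key.
 .It %f
@@ -1700,6 +1744,9 @@ accepts the tokens %%, %h, and %u.
 .Pp
 .Cm ChrootDirectory
 accepts the tokens %%, %h, and %u.
+.Pp
+.Cm RoutingDomain
+accepts the token %D.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config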