Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 66 |
1 files changed, 30 insertions, 36 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 727fdb12a..41228248c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.25 2003/09/01 09:50:04 markus Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
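Review bot: the .Dd line (38) still reads "September 25, 1999" even though this commit renames an option and removes another; consider bumping .Dd to the commit date so the rendered page shows when its option set last changed, rather than only the $OpenBSD$ revision on line 37.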
@@ -156,12 +156,12 @@ If this threshold is reached while client alive messages are being sent, | |||
156 | will disconnect the client, terminating the session. | 156 | will disconnect the client, terminating the session. |
157 | It is important to note that the use of client alive messages is very | 157 | It is important to note that the use of client alive messages is very |
158 | different from | 158 | different from |
159 | .Cm KeepAlive | 159 | .Cm TCPKeepAlive |
160 | (below). | 160 | (below). |
161 | The client alive messages are sent through the encrypted channel | 161 | The client alive messages are sent through the encrypted channel |
162 | and therefore will not be spoofable. | 162 | and therefore will not be spoofable. |
163 | The TCP keepalive option enabled by | 163 | The TCP keepalive option enabled by |
164 | .Cm KeepAlive | 164 | .Cm TCPKeepAlive |
165 | is spoofable. | 165 | is spoofable. |
166 | The client alive mechanism is valuable when the client or | 166 | The client alive mechanism is valuable when the client or |
167 | server depend on knowing when a connection has become inactive. | 167 | server depend on knowing when a connection has become inactive. |
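Review bot: line 165 now says the TCP keepalive option enabled by TCPKeepAlive "is spoofable" without saying why, while the preceding sentence (lines 161-162) does give the reason for the client alive side. Suggest completing the contrast, e.g. "is spoofable, since TCP keepalives are plain TCP segments outside the encrypted channel." The "(below)" on line 160 stays correct only because the new TCPKeepAlive entry lands after SyslogFacility later in this diff; fine as is.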
@@ -227,7 +227,7 @@ The default is | |||
227 | .Dq no . | 227 | .Dq no . |
228 | .It Cm GSSAPIAuthentication | 228 | .It Cm GSSAPIAuthentication |
229 | Specifies whether user authentication based on GSSAPI is allowed. | 229 | Specifies whether user authentication based on GSSAPI is allowed. |
230 | The default is | 230 | The default is |
231 | .Dq no . | 231 | .Dq no . |
232 | Note that this option applies to protocol version 2 only. | 232 | Note that this option applies to protocol version 2 only. |
233 | .It Cm GSSAPICleanupCredentials | 233 | .It Cm GSSAPICleanupCredentials |
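Review bot: no textual difference is visible between the two sides of this hunk (lines 228-233 read identically), so this is presumably a trailing-whitespace or tab fix on line 230; mention that in the log message, or keep whitespace-only cleanups in a separate commit, so reviewers don't hunt for a change that isn't there.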
@@ -292,27 +292,6 @@ or | |||
292 | .Cm HostbasedAuthentication . | 292 | .Cm HostbasedAuthentication . |
293 | The default is | 293 | The default is |
294 | .Dq no . | 294 | .Dq no . |
295 | .It Cm KeepAlive | ||
296 | Specifies whether the system should send TCP keepalive messages to the | ||
297 | other side. | ||
298 | If they are sent, death of the connection or crash of one | ||
299 | of the machines will be properly noticed. | ||
300 | However, this means that | ||
301 | connections will die if the route is down temporarily, and some people | ||
302 | find it annoying. | ||
303 | On the other hand, if keepalives are not sent, | ||
304 | sessions may hang indefinitely on the server, leaving | ||
305 | .Dq ghost | ||
306 | users and consuming server resources. | ||
307 | .Pp | ||
308 | The default is | ||
309 | .Dq yes | ||
310 | (to send keepalives), and the server will notice | ||
311 | if the network goes down or the client host crashes. | ||
312 | This avoids infinitely hanging sessions. | ||
313 | .Pp | ||
314 | To disable keepalives, the value should be set to | ||
315 | .Dq no . | ||
316 | .It Cm KerberosAuthentication | 295 | .It Cm KerberosAuthentication |
317 | Specifies whether the password provided by the user for | 296 | Specifies whether the password provided by the user for |
318 | .Cm PasswordAuthentication | 297 | .Cm PasswordAuthentication |
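Review bot: the KeepAlive entry (lines 295-315) is removed outright, and nothing in this diff tells an administrator who has "KeepAlive yes" in an existing sshd_config where the option went. If servconf.c still accepts the old keyword as an alias (not visible here), keep a one-line pointer, e.g. ".It Cm KeepAlive" / "Deprecated alias for" / ".Cm TCPKeepAlive ."; if it does not, say so explicitly so the rename shows up as a known configuration break rather than a silent parse error.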
@@ -533,13 +512,6 @@ Specifies whether public key authentication is allowed. | |||
533 | The default is | 512 | The default is |
534 | .Dq yes . | 513 | .Dq yes . |
535 | Note that this option applies to protocol version 2 only. | 514 | Note that this option applies to protocol version 2 only. |
536 | .Cm RhostsRSAAuthentication | ||
537 | should be used | ||
538 | instead, because it performs RSA-based host authentication in addition | ||
539 | to normal rhosts or /etc/hosts.equiv authentication. | ||
540 | The default is | ||
541 | .Dq no . | ||
542 | This option applies to protocol version 1 only. | ||
543 | .It Cm RhostsRSAAuthentication | 515 | .It Cm RhostsRSAAuthentication |
544 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 516 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
545 | with successful RSA host authentication is allowed. | 517 | with successful RSA host authentication is allowed. |
@@ -580,6 +552,27 @@ Gives the facility code that is used when logging messages from | |||
580 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, | 552 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
581 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. | 553 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
582 | The default is AUTH. | 554 | The default is AUTH. |
555 | .It Cm TCPKeepAlive | ||
556 | Specifies whether the system should send TCP keepalive messages to the | ||
557 | other side. | ||
558 | If they are sent, death of the connection or crash of one | ||
559 | of the machines will be properly noticed. | ||
560 | However, this means that | ||
561 | connections will die if the route is down temporarily, and some people | ||
562 | find it annoying. | ||
563 | On the other hand, if TCP keepalives are not sent, | ||
564 | sessions may hang indefinitely on the server, leaving | ||
565 | .Dq ghost | ||
566 | users and consuming server resources. | ||
567 | .Pp | ||
568 | The default is | ||
569 | .Dq yes | ||
570 | (to send TCP keepalive messages), and the server will notice | ||
571 | if the network goes down or the client host crashes. | ||
572 | This avoids infinitely hanging sessions. | ||
573 | .Pp | ||
574 | To disable TCP keepalive messages, the value should be set to | ||
575 | .Dq no . | ||
583 | .It Cm UseDNS | 576 | .It Cm UseDNS |
584 | Specifies whether | 577 | Specifies whether |
585 | .Nm sshd | 578 | .Nm sshd |
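Review bot: the new TCPKeepAlive entry (lines 555-575) is the old KeepAlive text with only the keyword substituted, so it still presents TCP keepalives purely as a way to reap ghost sessions and never says they are spoofable, even though the ClientAlive description earlier in this diff (lines 161-165) cross-references TCPKeepAlive for exactly that contrast and the new entry does not refer back. Suggest one sentence after line 572, e.g. "TCP keepalive messages are sent outside the encrypted channel and can be spoofed; the client alive mechanism described above provides a non-spoofable alternative." Then the two entries document each other consistently.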
@@ -608,12 +601,13 @@ If | |||
608 | .Cm UsePrivilegeSeparation | 601 | .Cm UsePrivilegeSeparation |
609 | is specified, it will be disabled after authentication. | 602 | is specified, it will be disabled after authentication. |
610 | .It Cm UsePAM | 603 | .It Cm UsePAM |
611 | Enables PAM authentication (via challenge-response) and session set up. | 604 | Enables PAM authentication (via challenge-response) and session set up. |
612 | If you enable this, you should probably disable | 605 | If you enable this, you should probably disable |
613 | .Cm PasswordAuthentication . | 606 | .Cm PasswordAuthentication . |
614 | If you enable | 607 | If you enable |
615 | .CM UsePAM | 608 | .CM UsePAM |
616 | then you will not be able to run sshd as a non-root user. | 609 | then you will not be able to run sshd as a non-root user. The default is |
610 | .Dq no . | ||
617 | .It Cm UsePrivilegeSeparation | 611 | .It Cm UsePrivilegeSeparation |
618 | Specifies whether | 612 | Specifies whether |
619 | .Nm sshd | 613 | .Nm sshd |
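Review bot: line 609 appends "The default is" to the end of the existing sentence instead of starting it on its own line, which breaks the one-sentence-per-line mdoc convention followed everywhere else in this page (compare lines 293-294 and 512-513) and makes future diffs noisier; put "The default is" on its own line before ".Dq no .". While touching this block, line 608 reads ".CM UsePAM": ".CM" is not an mdoc macro and will render literally, so it should be ".Cm UsePAM" to match the ".Cm PasswordAuthentication ." on line 606.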