diff options
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 54 |
1 files changed, 51 insertions, 3 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 6e3c69d05..39ef781ff 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes | |||
58 | .Pq \&" | 58 | .Pq \&" |
59 | in order to represent arguments containing spaces. | 59 | in order to represent arguments containing spaces. |
60 | .Pp | 60 | .Pp |
61 | Note that the Debian | ||
62 | .Ic openssh-server | ||
63 | package sets several options as standard in | ||
64 | .Pa /etc/ssh/sshd_config | ||
65 | which are not the default in | ||
66 | .Xr sshd 8 . | ||
67 | The exact list depends on whether the package was installed fresh or | ||
68 | upgraded from various possible previous versions, but includes at least the | ||
69 | following: | ||
70 | .Pp | ||
71 | .Bl -bullet -offset indent -compact | ||
72 | .It | ||
73 | .Cm Protocol No 2 | ||
74 | .It | ||
75 | .Cm ChallengeResponseAuthentication No no | ||
76 | .It | ||
77 | .Cm X11Forwarding No yes | ||
78 | .It | ||
79 | .Cm PrintMotd No no | ||
80 | .It | ||
81 | .Cm AcceptEnv No LANG LC_* | ||
82 | .It | ||
83 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
84 | .It | ||
85 | .Cm UsePAM No yes | ||
86 | .El | ||
87 | .Pp | ||
61 | The possible | 88 | The possible |
62 | keywords and their meanings are as follows (note that | 89 | keywords and their meanings are as follows (note that |
63 | keywords are case-insensitive and arguments are case-sensitive): | 90 | keywords are case-insensitive and arguments are case-sensitive): |
@@ -177,8 +204,7 @@ This option is only available for protocol version 2. | |||
177 | By default, no banner is displayed. | 204 | By default, no banner is displayed. |
178 | .It Cm ChallengeResponseAuthentication | 205 | .It Cm ChallengeResponseAuthentication |
179 | Specifies whether challenge-response authentication is allowed (e.g. via | 206 | Specifies whether challenge-response authentication is allowed (e.g. via |
180 | PAM or though authentication styles supported in | 207 | PAM). |
181 | .Xr login.conf 5 ) | ||
182 | The default is | 208 | The default is |
183 | .Dq yes . | 209 | .Dq yes . |
184 | .It Cm ChrootDirectory | 210 | .It Cm ChrootDirectory |
@@ -295,6 +321,11 @@ or | |||
295 | .Dq no . | 321 | .Dq no . |
296 | The default is | 322 | The default is |
297 | .Dq delayed . | 323 | .Dq delayed . |
324 | .It Cm DebianBanner | ||
325 | Specifies whether the distribution-specified extra version suffix is | ||
326 | included during initial protocol handshake. | ||
327 | The default is | ||
328 | .Dq yes . | ||
298 | .It Cm DenyGroups | 329 | .It Cm DenyGroups |
299 | This keyword can be followed by a list of group name patterns, separated | 330 | This keyword can be followed by a list of group name patterns, separated |
300 | by spaces. | 331 | by spaces. |
@@ -575,7 +606,7 @@ The default is 120 seconds. | |||
575 | Gives the verbosity level that is used when logging messages from | 606 | Gives the verbosity level that is used when logging messages from |
576 | .Xr sshd 8 . | 607 | .Xr sshd 8 . |
577 | The possible values are: | 608 | The possible values are: |
578 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. | 609 | SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. |
579 | The default is INFO. | 610 | The default is INFO. |
580 | DEBUG and DEBUG1 are equivalent. | 611 | DEBUG and DEBUG1 are equivalent. |
581 | DEBUG2 and DEBUG3 each specify higher levels of debugging output. | 612 | DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
@@ -694,6 +725,20 @@ are refused if the number of unauthenticated connections reaches | |||
694 | Specifies whether password authentication is allowed. | 725 | Specifies whether password authentication is allowed. |
695 | The default is | 726 | The default is |
696 | .Dq yes . | 727 | .Dq yes . |
728 | .It Cm PermitBlacklistedKeys | ||
729 | Specifies whether | ||
730 | .Xr sshd 8 | ||
731 | should allow keys recorded in its blacklist of known-compromised keys (see | ||
732 | .Xr ssh-vulnkey 1 ) . | ||
733 | If | ||
734 | .Dq yes , | ||
735 | then attempts to authenticate with compromised keys will be logged but | ||
736 | accepted. | ||
737 | If | ||
738 | .Dq no , | ||
739 | then attempts to authenticate with compromised keys will be rejected. | ||
740 | The default is | ||
741 | .Dq no . | ||
697 | .It Cm PermitEmptyPasswords | 742 | .It Cm PermitEmptyPasswords |
698 | When password authentication is allowed, it specifies whether the | 743 | When password authentication is allowed, it specifies whether the |
699 | server allows login to accounts with empty password strings. | 744 | server allows login to accounts with empty password strings. |
@@ -922,6 +967,9 @@ This avoids infinitely hanging sessions. | |||
922 | .Pp | 967 | .Pp |
923 | To disable TCP keepalive messages, the value should be set to | 968 | To disable TCP keepalive messages, the value should be set to |
924 | .Dq no . | 969 | .Dq no . |
970 | .Pp | ||
971 | This option was formerly called | ||
972 | .Cm KeepAlive . | ||
925 | .It Cm TrustedUserCAKeys | 973 | .It Cm TrustedUserCAKeys |
926 | Specifies a file containing public keys of certificate authorities that are | 974 | Specifies a file containing public keys of certificate authorities that are |
927 | trusted to sign user certificates for authentication. | 975 | trusted to sign user certificates for authentication. |