Diffstat (limited to 'sshd_config.5')
-rw-r--r--  sshd_config.5  54
1 files changed, 51 insertions, 3 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 6e3c69d05..39ef781ff 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes
58.Pq \&" 58.Pq \&"
59in order to represent arguments containing spaces. 59in order to represent arguments containing spaces.
60.Pp 60.Pp
61Note that the Debian
62.Ic openssh-server
63package sets several options as standard in
64.Pa /etc/ssh/sshd_config
65which are not the default in
66.Xr sshd 8 .
67The exact list depends on whether the package was installed fresh or
68upgraded from various possible previous versions, but includes at least the
69following:
70.Pp
71.Bl -bullet -offset indent -compact
72.It
73.Cm Protocol No 2
74.It
75.Cm ChallengeResponseAuthentication No no
76.It
77.Cm X11Forwarding No yes
78.It
79.Cm PrintMotd No no
80.It
81.Cm AcceptEnv No LANG LC_*
82.It
83.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
84.It
85.Cm UsePAM No yes
86.El
87.Pp
61The possible 88The possible
62keywords and their meanings are as follows (note that 89keywords and their meanings are as follows (note that
63keywords are case-insensitive and arguments are case-sensitive): 90keywords are case-insensitive and arguments are case-sensitive):
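Review bot: the new bullet list presents the Debian package's settings as plain facts but never says why they matter, and two of them (X11Forwarding yes, UsePAM yes) widen what the server does compared with the sshd(8) defaults while ChallengeResponseAuthentication no narrows it; a short sentence after the list telling administrators to review these against their own policy, and in particular to set X11Forwarding back to no where X11 is not needed, would make the note actionable rather than just descriptive. "The exact list depends on whether the package was installed fresh or upgraded from various possible previous versions" is also vague for a manual page; if the page cannot enumerate the variants, it should at least point at where the package records them (the generated /etc/ssh/sshd_config itself) so the reader knows what to inspect.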
@@ -177,8 +204,7 @@ This option is only available for protocol version 2.
177By default, no banner is displayed. 204By default, no banner is displayed.
178.It Cm ChallengeResponseAuthentication 205.It Cm ChallengeResponseAuthentication
179Specifies whether challenge-response authentication is allowed (e.g. via 206Specifies whether challenge-response authentication is allowed (e.g. via
180PAM or though authentication styles supported in 207PAM).
181.Xr login.conf 5 )
182The default is 208The default is
183.Dq yes . 209.Dq yes .
184.It Cm ChrootDirectory 210.It Cm ChrootDirectory
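Review bot: after dropping the login.conf(5) reference, the only mechanism this keyword now names is PAM, yet the text never says that challenge-response via PAM only works when UsePAM is enabled; a cross-reference to the UsePAM keyword here would spare readers a surprise. The hunk also leaves "The default is yes" unqualified, while the earlier Debian note in this same file lists ChallengeResponseAuthentication no as a package default; it should read as the built-in sshd(8) default (something like "The default is yes, although the Debian package sets this to no in /etc/ssh/sshd_config") so the two statements do not appear to contradict each other.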
@@ -295,6 +321,11 @@ or
295.Dq no . 321.Dq no .
296The default is 322The default is
297.Dq delayed . 323.Dq delayed .
324.It Cm DebianBanner
325Specifies whether the distribution-specified extra version suffix is
326included during initial protocol handshake.
327The default is
328.Dq yes .
298.It Cm DenyGroups 329.It Cm DenyGroups
299This keyword can be followed by a list of group name patterns, separated 330This keyword can be followed by a list of group name patterns, separated
300by spaces. 331by spaces.
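Review bot: the DebianBanner description should state explicitly what is exposed and to whom: the "distribution-specified extra version suffix" is appended to the version string sent to every client during the initial protocol handshake, i.e. before any authentication, so it is visible to anyone who can reach the port. Saying so, and noting that "no" removes only the suffix and not the upstream OpenSSH version itself, lets administrators weigh the fingerprinting exposure against the loss of the suffix for support purposes; as written, the entry explains neither what the suffix looks like nor why one would turn it off.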
@@ -575,7 +606,7 @@ The default is 120 seconds.
575Gives the verbosity level that is used when logging messages from 606Gives the verbosity level that is used when logging messages from
576.Xr sshd 8 . 607.Xr sshd 8 .
577The possible values are: 608The possible values are:
578QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. 609SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
579The default is INFO. 610The default is INFO.
580DEBUG and DEBUG1 are equivalent. 611DEBUG and DEBUG1 are equivalent.
581DEBUG2 and DEBUG3 each specify higher levels of debugging output. 612DEBUG2 and DEBUG3 each specify higher levels of debugging output.
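Review bot: SILENT is added to the list of LogLevel values but, unlike DEBUG/DEBUG1/DEBUG2/DEBUG3, it gets no explanatory sentence. The entry should say that SILENT suppresses all logging, including authentication failures and errors, so that tools which depend on sshd log lines (intrusion-detection or brute-force lockout scripts, audit collection) stop receiving input; without that caveat a reader may treat SILENT as merely "quieter than QUIET" and lose visibility into attacks against the service.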
@@ -694,6 +725,20 @@ are refused if the number of unauthenticated connections reaches
694Specifies whether password authentication is allowed. 725Specifies whether password authentication is allowed.
695The default is 726The default is
696.Dq yes . 727.Dq yes .
728.It Cm PermitBlacklistedKeys
729Specifies whether
730.Xr sshd 8
731should allow keys recorded in its blacklist of known-compromised keys (see
732.Xr ssh-vulnkey 1 ) .
733If
734.Dq yes ,
735then attempts to authenticate with compromised keys will be logged but
736accepted.
737If
738.Dq no ,
739then attempts to authenticate with compromised keys will be rejected.
740The default is
741.Dq no .
697.It Cm PermitEmptyPasswords 742.It Cm PermitEmptyPasswords
698When password authentication is allowed, it specifies whether the 743When password authentication is allowed, it specifies whether the
699server allows login to accounts with empty password strings. 744server allows login to accounts with empty password strings.
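Review bot: for the "yes" case the text says attempts with compromised keys "will be logged but accepted" but does not say what is logged or at which level, so an operator who has to run in this mode for a transition period cannot tell from the manual how to alert on it; stating the log message (or at least the level) would close that gap. It would also help to say where the blacklist lives or which keys it covers beyond the ssh-vulnkey(1) pointer, and to note that "no" is the safe default precisely because a compromised key's owner is not the only party who holds it.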
@@ -922,6 +967,9 @@ This avoids infinitely hanging sessions.
922.Pp 967.Pp
923To disable TCP keepalive messages, the value should be set to 968To disable TCP keepalive messages, the value should be set to
924.Dq no . 969.Dq no .
970.Pp
971This option was formerly called
972.Cm KeepAlive .
925.It Cm TrustedUserCAKeys 973.It Cm TrustedUserCAKeys
926Specifies a file containing public keys of certificate authorities that are 974Specifies a file containing public keys of certificate authorities that are
927trusted to sign user certificates for authentication. 975trusted to sign user certificates for authentication.
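Review bot: "This option was formerly called KeepAlive" leaves open whether the old keyword is still accepted as an alias or is now an error; the manual should state one or the other, since an administrator migrating an old sshd_config needs to know whether a lingering KeepAlive line is silently honoured, silently ignored, or stops the daemon from starting.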