Diffstat (limited to 'sshd_config.5')
-rw-r--r--sshd_config.5340
1 files changed, 241 insertions, 99 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 841cb29d3..ce9888d03 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $ 37.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD_CONFIG 5 39.Dt SSHD_CONFIG 5
40.Os 40.Os
@@ -42,11 +42,9 @@
42.Nm sshd_config 42.Nm sshd_config
43.Nd OpenSSH SSH daemon configuration file 43.Nd OpenSSH SSH daemon configuration file
44.Sh SYNOPSIS 44.Sh SYNOPSIS
45.Bl -tag -width Ds -compact 45.Nm /etc/ssh/sshd_config
46.It Pa /etc/ssh/sshd_config
47.El
48.Sh DESCRIPTION 46.Sh DESCRIPTION
49.Nm sshd 47.Xr sshd 8
50reads configuration data from 48reads configuration data from
51.Pa /etc/ssh/sshd_config 49.Pa /etc/ssh/sshd_config
52(or the file specified with 50(or the file specified with
@@ -56,6 +54,9 @@ The file contains keyword-argument pairs, one per line.
56Lines starting with 54Lines starting with
57.Ql # 55.Ql #
58and empty lines are interpreted as comments. 56and empty lines are interpreted as comments.
57Arguments may optionally be enclosed in double quotes
58.Pq \&"
59in order to represent arguments containing spaces.
59.Pp 60.Pp
60The possible 61The possible
61keywords and their meanings are as follows (note that 62keywords and their meanings are as follows (note that
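Review bot: the new sentence "Arguments may optionally be enclosed in double quotes ... in order to represent arguments containing spaces" does not say whether a literal double quote can appear inside a quoted argument (and how), or whether it cannot; state one or the other, since a Subsystem or ForceCommand argument that itself contains a quote is exactly the case a reader will consult this paragraph for.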
@@ -72,7 +73,7 @@ in
72for how to configure the client. 73for how to configure the client.
73Note that environment passing is only supported for protocol 2. 74Note that environment passing is only supported for protocol 2.
74Variables are specified by name, which may contain the wildcard characters 75Variables are specified by name, which may contain the wildcard characters
75.Ql \&* 76.Ql *
76and 77and
77.Ql \&? . 78.Ql \&? .
78Multiple environment variables may be separated by whitespace or spread 79Multiple environment variables may be separated by whitespace or spread
@@ -85,11 +86,11 @@ For this reason, care should be taken in the use of this directive.
85The default is not to accept any environment variables. 86The default is not to accept any environment variables.
86.It Cm AddressFamily 87.It Cm AddressFamily
87Specifies which address family should be used by 88Specifies which address family should be used by
88.Nm sshd . 89.Xr sshd 8 .
89Valid arguments are 90Valid arguments are
90.Dq any , 91.Dq any ,
91.Dq inet 92.Dq inet
92(use IPv4 only) or 93(use IPv4 only), or
93.Dq inet6 94.Dq inet6
94(use IPv6 only). 95(use IPv6 only).
95The default is 96The default is
@@ -99,13 +100,20 @@ This keyword can be followed by a list of group name patterns, separated
99by spaces. 100by spaces.
100If specified, login is allowed only for users whose primary 101If specified, login is allowed only for users whose primary
101group or supplementary group list matches one of the patterns. 102group or supplementary group list matches one of the patterns.
102.Ql \&*
103and
104.Ql \&?
105can be used as
106wildcards in the patterns.
107Only group names are valid; a numerical group ID is not recognized. 103Only group names are valid; a numerical group ID is not recognized.
108By default, login is allowed for all groups. 104By default, login is allowed for all groups.
105The allow/deny directives are processed in the following order:
106.Cm DenyUsers ,
107.Cm AllowUsers ,
108.Cm DenyGroups ,
109and finally
110.Cm AllowGroups .
111.Pp
112See
113.Sx PATTERNS
114in
115.Xr ssh_config 5
116for more information on patterns.
109.It Cm AllowTcpForwarding 117.It Cm AllowTcpForwarding
110Specifies whether TCP forwarding is permitted. 118Specifies whether TCP forwarding is permitted.
111The default is 119The default is
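Review bot: "The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups" is ambiguous about whether evaluation stops at the first directive that matches or whether every directive that is set must pass; say which, because an administrator who sets both AllowUsers and DenyGroups needs to know whether a DenyGroups match still rejects a user who is listed in AllowUsers. The same paragraph is added verbatim to four entries (AllowGroups, AllowUsers, DenyGroups, DenyUsers); one statement with `.Sx` references from the other three would keep them from drifting apart.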
@@ -118,24 +126,31 @@ This keyword can be followed by a list of user name patterns, separated
118by spaces. 126by spaces.
119If specified, login is allowed only for user names that 127If specified, login is allowed only for user names that
120match one of the patterns. 128match one of the patterns.
121.Ql \&*
122and
123.Ql \&?
124can be used as
125wildcards in the patterns.
126Only user names are valid; a numerical user ID is not recognized. 129Only user names are valid; a numerical user ID is not recognized.
127By default, login is allowed for all users. 130By default, login is allowed for all users.
128If the pattern takes the form USER@HOST then USER and HOST 131If the pattern takes the form USER@HOST then USER and HOST
129are separately checked, restricting logins to particular 132are separately checked, restricting logins to particular
130users from particular hosts. 133users from particular hosts.
134The allow/deny directives are processed in the following order:
135.Cm DenyUsers ,
136.Cm AllowUsers ,
137.Cm DenyGroups ,
138and finally
139.Cm AllowGroups .
140.Pp
141See
142.Sx PATTERNS
143in
144.Xr ssh_config 5
145for more information on patterns.
131.It Cm AuthorizedKeysFile 146.It Cm AuthorizedKeysFile
132Specifies the file that contains the public keys that can be used 147Specifies the file that contains the public keys that can be used
133for user authentication. 148for user authentication.
134.Cm AuthorizedKeysFile 149.Cm AuthorizedKeysFile
135may contain tokens of the form %T which are substituted during connection 150may contain tokens of the form %T which are substituted during connection
136set-up. 151setup.
137The following tokens are defined: %% is replaced by a literal '%', 152The following tokens are defined: %% is replaced by a literal '%',
138%h is replaced by the home directory of the user being authenticated and 153%h is replaced by the home directory of the user being authenticated, and
139%u is replaced by the username of that user. 154%u is replaced by the username of that user.
140After expansion, 155After expansion,
141.Cm AuthorizedKeysFile 156.Cm AuthorizedKeysFile
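Review bot: now that the wildcard text under AllowUsers is replaced by a pointer to PATTERNS in ssh_config(5), the remaining USER@HOST sentence ("USER and HOST are separately checked") is the only place that says what HOST is compared against; state whether it is the client's resolved host name, its IP address, or both, and if a host name, whether that depends on UseDNS being enabled, since that decides whether a pattern like admin@*.example.org can be satisfied at all.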
@@ -151,7 +166,7 @@ authentication is allowed.
151This option is only available for protocol version 2. 166This option is only available for protocol version 2.
152By default, no banner is displayed. 167By default, no banner is displayed.
153.It Cm ChallengeResponseAuthentication 168.It Cm ChallengeResponseAuthentication
154Specifies whether challenge response authentication is allowed. 169Specifies whether challenge-response authentication is allowed.
155All authentication styles from 170All authentication styles from
156.Xr login.conf 5 171.Xr login.conf 5
157are supported. 172are supported.
@@ -174,20 +189,19 @@ The supported ciphers are
174.Dq blowfish-cbc , 189.Dq blowfish-cbc ,
175and 190and
176.Dq cast128-cbc . 191.Dq cast128-cbc .
177The default is 192The default is:
178.Bd -literal 193.Bd -literal -offset 3n
179 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 194aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
180 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 195arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
181 aes192-ctr,aes256-ctr'' 196aes192-ctr,aes256-ctr
182.Ed 197.Ed
183.It Cm ClientAliveCountMax 198.It Cm ClientAliveCountMax
184Sets the number of client alive messages (see below) which may be 199Sets the number of client alive messages (see below) which may be
185sent without 200sent without
186.Nm sshd 201.Xr sshd 8
187receiving any messages back from the client. 202receiving any messages back from the client.
188If this threshold is reached while client alive messages are being sent, 203If this threshold is reached while client alive messages are being sent,
189.Nm sshd 204sshd will disconnect the client, terminating the session.
190will disconnect the client, terminating the session.
191It is important to note that the use of client alive messages is very 205It is important to note that the use of client alive messages is very
192different from 206different from
193.Cm TCPKeepAlive 207.Cm TCPKeepAlive
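Review bot: in the ClientAliveCountMax text the first `.Nm sshd` becomes `.Xr sshd 8` but the second ("sshd will disconnect the client, terminating the session.") becomes a bare, unmarked "sshd"; the same pattern recurs in later hunks (GatewayPorts, ListenAddress, X11DisplayOffset, X11UseLocalhost). If the intent is to cross-reference only the first mention in a paragraph, that is fine, but the later mentions should then still carry a macro (`.Nm`) rather than plain text so the daemon name renders consistently across the page.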
@@ -205,12 +219,13 @@ If
205.Cm ClientAliveInterval 219.Cm ClientAliveInterval
206(see below) is set to 15, and 220(see below) is set to 15, and
207.Cm ClientAliveCountMax 221.Cm ClientAliveCountMax
208is left at the default, unresponsive ssh clients 222is left at the default, unresponsive SSH clients
209will be disconnected after approximately 45 seconds. 223will be disconnected after approximately 45 seconds.
224This option applies to protocol version 2 only.
210.It Cm ClientAliveInterval 225.It Cm ClientAliveInterval
211Sets a timeout interval in seconds after which if no data has been received 226Sets a timeout interval in seconds after which if no data has been received
212from the client, 227from the client,
213.Nm sshd 228.Xr sshd 8
214will send a message through the encrypted 229will send a message through the encrypted
215channel to request a response from the client. 230channel to request a response from the client.
216The default 231The default
@@ -231,36 +246,62 @@ This keyword can be followed by a list of group name patterns, separated
231by spaces. 246by spaces.
232Login is disallowed for users whose primary group or supplementary 247Login is disallowed for users whose primary group or supplementary
233group list matches one of the patterns. 248group list matches one of the patterns.
234.Ql \&*
235and
236.Ql \&?
237can be used as
238wildcards in the patterns.
239Only group names are valid; a numerical group ID is not recognized. 249Only group names are valid; a numerical group ID is not recognized.
240By default, login is allowed for all groups. 250By default, login is allowed for all groups.
251The allow/deny directives are processed in the following order:
252.Cm DenyUsers ,
253.Cm AllowUsers ,
254.Cm DenyGroups ,
255and finally
256.Cm AllowGroups .
257.Pp
258See
259.Sx PATTERNS
260in
261.Xr ssh_config 5
262for more information on patterns.
241.It Cm DenyUsers 263.It Cm DenyUsers
242This keyword can be followed by a list of user name patterns, separated 264This keyword can be followed by a list of user name patterns, separated
243by spaces. 265by spaces.
244Login is disallowed for user names that match one of the patterns. 266Login is disallowed for user names that match one of the patterns.
245.Ql \&*
246and
247.Ql \&?
248can be used as wildcards in the patterns.
249Only user names are valid; a numerical user ID is not recognized. 267Only user names are valid; a numerical user ID is not recognized.
250By default, login is allowed for all users. 268By default, login is allowed for all users.
251If the pattern takes the form USER@HOST then USER and HOST 269If the pattern takes the form USER@HOST then USER and HOST
252are separately checked, restricting logins to particular 270are separately checked, restricting logins to particular
253users from particular hosts. 271users from particular hosts.
272The allow/deny directives are processed in the following order:
273.Cm DenyUsers ,
274.Cm AllowUsers ,
275.Cm DenyGroups ,
276and finally
277.Cm AllowGroups .
278.Pp
279See
280.Sx PATTERNS
281in
282.Xr ssh_config 5
283for more information on patterns.
284.It Cm ForceCommand
285Forces the execution of the command specified by
286.Cm ForceCommand ,
287ignoring any command supplied by the client.
288The command is invoked by using the user's login shell with the -c option.
289This applies to shell, command, or subsystem execution.
290It is most useful inside a
291.Cm Match
292block.
293The command originally supplied by the client is available in the
294.Ev SSH_ORIGINAL_COMMAND
295environment variable.
254.It Cm GatewayPorts 296.It Cm GatewayPorts
255Specifies whether remote hosts are allowed to connect to ports 297Specifies whether remote hosts are allowed to connect to ports
256forwarded for the client. 298forwarded for the client.
257By default, 299By default,
258.Nm sshd 300.Xr sshd 8
259binds remote port forwardings to the loopback address. 301binds remote port forwardings to the loopback address.
260This prevents other remote hosts from connecting to forwarded ports. 302This prevents other remote hosts from connecting to forwarded ports.
261.Cm GatewayPorts 303.Cm GatewayPorts
262can be used to specify that 304can be used to specify that sshd
263.Nm sshd
264should allow remote port forwardings to bind to non-loopback addresses, thus 305should allow remote port forwardings to bind to non-loopback addresses, thus
265allowing other hosts to connect. 306allowing other hosts to connect.
266The argument may be 307The argument may be
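Review bot: the new ForceCommand entry does not say how it interacts with a command= option in ~/.ssh/authorized_keys or with PermitRootLogin forced-commands-only (both elsewhere on this page); state which takes precedence when more than one is set, since a ForceCommand in a Match block is exactly where an administrator will expect it to override per-key commands. Also, "with the -c option" should be `.Fl c` to match the rest of the file, and it is worth saying that because the command runs through the user's login shell, the shell itself must be able to execute it.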
@@ -289,15 +330,49 @@ on logout.
289The default is 330The default is
290.Dq yes . 331.Dq yes .
291Note that this option applies to protocol version 2 only. 332Note that this option applies to protocol version 2 only.
333.It Cm GSSAPIStrictAcceptorCheck
334Determines whether to be strict about the identity of the GSSAPI acceptor
335a client authenticates against. If
336.Dq yes
337then the client must authenticate against the
338.Pa host
339service on the current hostname. If
340.Dq no
341then the client may authenticate against any service key stored in the
342machine's default store. This facility is provided to assist with operation
343on multi homed machines.
344The default is
345.Dq yes .
346Note that this option applies only to protocol version 2 GSSAPI connections,
347and setting it to
348.Dq no
349may only work with recent Kerberos GSSAPI libraries.
292.It Cm HostbasedAuthentication 350.It Cm HostbasedAuthentication
293Specifies whether rhosts or /etc/hosts.equiv authentication together 351Specifies whether rhosts or /etc/hosts.equiv authentication together
294with successful public key client host authentication is allowed 352with successful public key client host authentication is allowed
295(hostbased authentication). 353(host-based authentication).
296This option is similar to 354This option is similar to
297.Cm RhostsRSAAuthentication 355.Cm RhostsRSAAuthentication
298and applies to protocol version 2 only. 356and applies to protocol version 2 only.
299The default is 357The default is
300.Dq no . 358.Dq no .
359.It Cm HostbasedUsesNameFromPacketOnly
360Specifies whether or not the server will attempt to perform a reverse
361name lookup when matching the name in the
362.Pa ~/.shosts ,
363.Pa ~/.rhosts ,
364and
365.Pa /etc/hosts.equiv
366files during
367.Cm HostbasedAuthentication .
368A setting of
369.Dq yes
370means that
371.Xr sshd 8
372uses the name supplied by the client rather than
373attempting to resolve the name from the TCP connection itself.
374The default is
375.Dq no .
301.It Cm HostKey 376.It Cm HostKey
302Specifies a file containing a private host key 377Specifies a file containing a private host key
303used by SSH. 378used by SSH.
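Review bot: in the GSSAPIStrictAcceptorCheck entry several sentences start mid-line ("a client authenticates against. If", "on the current hostname. If", "machine's default store. This facility") where the rest of this file starts each sentence on a new line; `.Pa host` marks the "host" service principal as a pathname (`.Dq host` or `.Sq host` fits better); and "multi homed" should be "multi-homed". Separately, the HostbasedUsesNameFromPacketOnly entry explains what "yes" does but not why using the client-supplied name is acceptable: say whether that name must still correspond to the key that proves the client host's identity, otherwise the option reads as letting the client choose which ~/.shosts or /etc/hosts.equiv entry it matches.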
@@ -309,7 +384,7 @@ and
309.Pa /etc/ssh/ssh_host_dsa_key 384.Pa /etc/ssh/ssh_host_dsa_key
310for protocol version 2. 385for protocol version 2.
311Note that 386Note that
312.Nm sshd 387.Xr sshd 8
313will refuse to use a file if it is group/world-accessible. 388will refuse to use a file if it is group/world-accessible.
314It is possible to have multiple host key files. 389It is possible to have multiple host key files.
315.Dq rsa1 390.Dq rsa1
@@ -336,7 +411,7 @@ The default is
336.Dq yes . 411.Dq yes .
337.It Cm IgnoreUserKnownHosts 412.It Cm IgnoreUserKnownHosts
338Specifies whether 413Specifies whether
339.Nm sshd 414.Xr sshd 8
340should ignore the user's 415should ignore the user's
341.Pa ~/.ssh/known_hosts 416.Pa ~/.ssh/known_hosts
342during 417during
@@ -351,24 +426,24 @@ Specifies whether the password provided by the user for
351will be validated through the Kerberos KDC. 426will be validated through the Kerberos KDC.
352To use this option, the server needs a 427To use this option, the server needs a
353Kerberos servtab which allows the verification of the KDC's identity. 428Kerberos servtab which allows the verification of the KDC's identity.
354Default is 429The default is
355.Dq no . 430.Dq no .
356.It Cm KerberosGetAFSToken 431.It Cm KerberosGetAFSToken
357If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire 432If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
358an AFS token before accessing the user's home directory. 433an AFS token before accessing the user's home directory.
359Default is 434The default is
360.Dq no . 435.Dq no .
361.It Cm KerberosOrLocalPasswd 436.It Cm KerberosOrLocalPasswd
362If set then if password authentication through Kerberos fails then 437If password authentication through Kerberos fails then
363the password will be validated via any additional local mechanism 438the password will be validated via any additional local mechanism
364such as 439such as
365.Pa /etc/passwd . 440.Pa /etc/passwd .
366Default is 441The default is
367.Dq yes . 442.Dq yes .
368.It Cm KerberosTicketCleanup 443.It Cm KerberosTicketCleanup
369Specifies whether to automatically destroy the user's ticket cache 444Specifies whether to automatically destroy the user's ticket cache
370file on logout. 445file on logout.
371Default is 446The default is
372.Dq yes . 447.Dq yes .
373.It Cm KeyRegenerationInterval 448.It Cm KeyRegenerationInterval
374In protocol version 1, the ephemeral server key is automatically regenerated 449In protocol version 1, the ephemeral server key is automatically regenerated
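Review bot: the KerberosOrLocalPasswd rewrite drops the condition. The old text read "If set then if password authentication through Kerberos fails then ..."; the new "If password authentication through Kerberos fails then the password will be validated via any additional local mechanism" states the fallback as unconditional behaviour. Suggest: "If set, a password that fails Kerberos validation is also checked against any additional local mechanism such as /etc/passwd." The fallback is the security-relevant part (a Kerberos failure still leaves a local password path open), so its dependence on this option should stay explicit.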
@@ -381,7 +456,7 @@ If the value is 0, the key is never regenerated.
381The default is 3600 (seconds). 456The default is 3600 (seconds).
382.It Cm ListenAddress 457.It Cm ListenAddress
383Specifies the local addresses 458Specifies the local addresses
384.Nm sshd 459.Xr sshd 8
385should listen on. 460should listen on.
386The following forms may be used: 461The following forms may be used:
387.Pp 462.Pp
@@ -407,8 +482,7 @@ The following forms may be used:
407If 482If
408.Ar port 483.Ar port
409is not specified, 484is not specified,
410.Nm sshd 485sshd will listen on the address and all prior
411will listen on the address and all prior
412.Cm Port 486.Cm Port
413options specified. 487options specified.
414The default is to listen on all local addresses. 488The default is to listen on all local addresses.
@@ -417,7 +491,7 @@ Multiple
417options are permitted. 491options are permitted.
418Additionally, any 492Additionally, any
419.Cm Port 493.Cm Port
420options must precede this option for non port qualified addresses. 494options must precede this option for non-port qualified addresses.
421.It Cm LoginGraceTime 495.It Cm LoginGraceTime
422The server disconnects after this time if the user has not 496The server disconnects after this time if the user has not
423successfully logged in. 497successfully logged in.
@@ -425,9 +499,9 @@ If the value is 0, there is no time limit.
425The default is 120 seconds. 499The default is 120 seconds.
426.It Cm LogLevel 500.It Cm LogLevel
427Gives the verbosity level that is used when logging messages from 501Gives the verbosity level that is used when logging messages from
428.Nm sshd . 502.Xr sshd 8 .
429The possible values are: 503The possible values are:
430QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. 504QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
431The default is INFO. 505The default is INFO.
432DEBUG and DEBUG1 are equivalent. 506DEBUG and DEBUG1 are equivalent.
433DEBUG2 and DEBUG3 each specify higher levels of debugging output. 507DEBUG2 and DEBUG3 each specify higher levels of debugging output.
@@ -437,8 +511,44 @@ Specifies the available MAC (message authentication code) algorithms.
437The MAC algorithm is used in protocol version 2 511The MAC algorithm is used in protocol version 2
438for data integrity protection. 512for data integrity protection.
439Multiple algorithms must be comma-separated. 513Multiple algorithms must be comma-separated.
440The default is 514The default is:
441.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . 515.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
516.It Cm Match
517Introduces a conditional block.
518If all of the criteria on the
519.Cm Match
520line are satisfied, the keywords on the following lines override those
521set in the global section of the config file, until either another
522.Cm Match
523line or the end of the file.
524The arguments to
525.Cm Match
526are one or more criteria-pattern pairs.
527The available criteria are
528.Cm User ,
529.Cm Group ,
530.Cm Host ,
531and
532.Cm Address .
533Only a subset of keywords may be used on the lines following a
534.Cm Match
535keyword.
536Available keywords are
537.Cm AllowTcpForwarding ,
538.Cm Banner ,
539.Cm ForceCommand ,
540.Cm GatewayPorts ,
541.Cm GSSApiAuthentication ,
542.Cm KbdInteractiveAuthentication ,
543.Cm KerberosAuthentication ,
544.Cm PasswordAuthentication ,
545.Cm PermitOpen ,
546.Cm RhostsRSAAuthentication ,
547.Cm RSAAuthentication ,
548.Cm X11DisplayOffset ,
549.Cm X11Forwarding ,
550and
551.Cm X11UseLocalHost .
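Review bot: two keywords in the new Match list are spelled differently from the rest of this page: `GSSApiAuthentication` (the new GSSAPIStrictAcceptorCheck entry uses the GSSAPI capitalisation) and `X11UseLocalHost` (the X11Forwarding and X11UseLocalhost entries spell it X11UseLocalhost). Readers copy keyword names from this list, so suggest `.Cm GSSAPIAuthentication` and `.Cm X11UseLocalhost`. The entry also does not say whether the criteria patterns follow PATTERNS in ssh_config(5), as the AllowUsers and AllowGroups text now does, or whether a single Match line may combine several criteria ("all of the criteria" implies it may); both are worth one sentence.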
442.It Cm MaxAuthTries 552.It Cm MaxAuthTries
443Specifies the maximum number of authentication attempts permitted per 553Specifies the maximum number of authentication attempts permitted per
444connection. 554connection.
@@ -447,8 +557,7 @@ additional failures are logged.
447The default is 6. 557The default is 6.
448.It Cm MaxStartups 558.It Cm MaxStartups
449Specifies the maximum number of concurrent unauthenticated connections to the 559Specifies the maximum number of concurrent unauthenticated connections to the
450.Nm sshd 560SSH daemon.
451daemon.
452Additional connections will be dropped until authentication succeeds or the 561Additional connections will be dropped until authentication succeeds or the
453.Cm LoginGraceTime 562.Cm LoginGraceTime
454expires for a connection. 563expires for a connection.
@@ -457,8 +566,8 @@ The default is 10.
457Alternatively, random early drop can be enabled by specifying 566Alternatively, random early drop can be enabled by specifying
458the three colon separated values 567the three colon separated values
459.Dq start:rate:full 568.Dq start:rate:full
460(e.g., "10:30:60"). 569(e.g. "10:30:60").
461.Nm sshd 570.Xr sshd 8
462will refuse connection attempts with a probability of 571will refuse connection attempts with a probability of
463.Dq rate/100 572.Dq rate/100
464(30%) 573(30%)
@@ -479,24 +588,51 @@ When password authentication is allowed, it specifies whether the
479server allows login to accounts with empty password strings. 588server allows login to accounts with empty password strings.
480The default is 589The default is
481.Dq no . 590.Dq no .
591.It Cm PermitOpen
592Specifies the destinations to which TCP port forwarding is permitted.
593The forwarding specification must be one of the following forms:
594.Pp
595.Bl -item -offset indent -compact
596.It
597.Cm PermitOpen
598.Sm off
599.Ar host : port
600.Sm on
601.It
602.Cm PermitOpen
603.Sm off
604.Ar IPv4_addr : port
605.Sm on
606.It
607.Cm PermitOpen
608.Sm off
609.Ar \&[ IPv6_addr \&] : port
610.Sm on
611.El
612.Pp
613Multiple forwards may be specified by separating them with whitespace.
614An argument of
615.Dq any
616can be used to remove all restrictions and permit any forwarding requests.
617By default all port forwarding requests are permitted.
482.It Cm PermitRootLogin 618.It Cm PermitRootLogin
483Specifies whether root can log in using 619Specifies whether root can log in using
484.Xr ssh 1 . 620.Xr ssh 1 .
485The argument must be 621The argument must be
486.Dq yes , 622.Dq yes ,
487.Dq without-password , 623.Dq without-password ,
488.Dq forced-commands-only 624.Dq forced-commands-only ,
489or 625or
490.Dq no . 626.Dq no .
491The default is 627The default is
492.Dq yes . 628.Dq yes .
493.Pp 629.Pp
494If this option is set to 630If this option is set to
495.Dq without-password 631.Dq without-password ,
496password authentication is disabled for root. 632password authentication is disabled for root.
497.Pp 633.Pp
498If this option is set to 634If this option is set to
499.Dq forced-commands-only 635.Dq forced-commands-only ,
500root login with public key authentication will be allowed, 636root login with public key authentication will be allowed,
501but only if the 637but only if the
502.Ar command 638.Ar command
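Review bot: the PermitOpen entry says "TCP port forwarding" without saying which direction it restricts: client-requested forwards to a host:port, remote forwards, or both; and it does not say how it composes with AllowTcpForwarding (earlier on this page) or with a ForceCommand. State the direction and, if that is the behaviour, that AllowTcpForwarding no still disables forwarding regardless of PermitOpen. Also, "By default all port forwarding requests are permitted" reads as though forwarding is always on; "By default PermitOpen imposes no restriction" would avoid contradicting AllowTcpForwarding.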
@@ -506,7 +642,7 @@ normally not allowed).
506All other authentication methods are disabled for root. 642All other authentication methods are disabled for root.
507.Pp 643.Pp
508If this option is set to 644If this option is set to
509.Dq no 645.Dq no ,
510root is not allowed to log in. 646root is not allowed to log in.
511.It Cm PermitTunnel 647.It Cm PermitTunnel
512Specifies whether 648Specifies whether
@@ -514,10 +650,17 @@ Specifies whether
514device forwarding is allowed. 650device forwarding is allowed.
515The argument must be 651The argument must be
516.Dq yes , 652.Dq yes ,
517.Dq point-to-point , 653.Dq point-to-point
654(layer 3),
518.Dq ethernet 655.Dq ethernet
519or 656(layer 2), or
520.Dq no . 657.Dq no .
658Specifying
659.Dq yes
660permits both
661.Dq point-to-point
662and
663.Dq ethernet .
521The default is 664The default is
522.Dq no . 665.Dq no .
523.It Cm PermitUserEnvironment 666.It Cm PermitUserEnvironment
@@ -528,7 +671,7 @@ and
528options in 671options in
529.Pa ~/.ssh/authorized_keys 672.Pa ~/.ssh/authorized_keys
530are processed by 673are processed by
531.Nm sshd . 674.Xr sshd 8 .
532The default is 675The default is
533.Dq no . 676.Dq no .
534Enabling environment processing may enable users to bypass access 677Enabling environment processing may enable users to bypass access
@@ -536,13 +679,12 @@ restrictions in some configurations using mechanisms such as
536.Ev LD_PRELOAD . 679.Ev LD_PRELOAD .
537.It Cm PidFile 680.It Cm PidFile
538Specifies the file that contains the process ID of the 681Specifies the file that contains the process ID of the
539.Nm sshd 682SSH daemon.
540daemon.
541The default is 683The default is
542.Pa /var/run/sshd.pid . 684.Pa /var/run/sshd.pid .
543.It Cm Port 685.It Cm Port
544Specifies the port number that 686Specifies the port number that
545.Nm sshd 687.Xr sshd 8
546listens on. 688listens on.
547The default is 22. 689The default is 22.
548Multiple options of this type are permitted. 690Multiple options of this type are permitted.
@@ -550,14 +692,14 @@ See also
550.Cm ListenAddress . 692.Cm ListenAddress .
551.It Cm PrintLastLog 693.It Cm PrintLastLog
552Specifies whether 694Specifies whether
553.Nm sshd 695.Xr sshd 8
554should print the date and time of the last user login when a user logs 696should print the date and time of the last user login when a user logs
555in interactively. 697in interactively.
556The default is 698The default is
557.Dq yes . 699.Dq yes .
558.It Cm PrintMotd 700.It Cm PrintMotd
559Specifies whether 701Specifies whether
560.Nm sshd 702.Xr sshd 8
561should print 703should print
562.Pa /etc/motd 704.Pa /etc/motd
563when a user logs in interactively. 705when a user logs in interactively.
@@ -568,12 +710,12 @@ The default is
568.Dq yes . 710.Dq yes .
569.It Cm Protocol 711.It Cm Protocol
570Specifies the protocol versions 712Specifies the protocol versions
571.Nm sshd 713.Xr sshd 8
572supports. 714supports.
573The possible values are 715The possible values are
574.Dq 1 716.Sq 1
575and 717and
576.Dq 2 . 718.Sq 2 .
577Multiple versions must be comma-separated. 719Multiple versions must be comma-separated.
578The default is 720The default is
579.Dq 2,1 . 721.Dq 2,1 .
@@ -605,7 +747,7 @@ Defines the number of bits in the ephemeral protocol version 1 server key.
605The minimum value is 512, and the default is 768. 747The minimum value is 512, and the default is 768.
606.It Cm StrictModes 748.It Cm StrictModes
607Specifies whether 749Specifies whether
608.Nm sshd 750.Xr sshd 8
609should check file modes and ownership of the 751should check file modes and ownership of the
610user's files and home directory before accepting login. 752user's files and home directory before accepting login.
611This is normally desirable because novices sometimes accidentally leave their 753This is normally desirable because novices sometimes accidentally leave their
@@ -613,9 +755,9 @@ directory or files world-writable.
613The default is 755The default is
614.Dq yes . 756.Dq yes .
615.It Cm Subsystem 757.It Cm Subsystem
616Configures an external subsystem (e.g., file transfer daemon). 758Configures an external subsystem (e.g. file transfer daemon).
617Arguments should be a subsystem name and a command to execute upon subsystem 759Arguments should be a subsystem name and a command (with optional arguments)
618request. 760to execute upon subsystem request.
619The command 761The command
620.Xr sftp-server 8 762.Xr sftp-server 8
621implements the 763implements the
@@ -625,7 +767,7 @@ By default no subsystems are defined.
625Note that this option applies to protocol version 2 only. 767Note that this option applies to protocol version 2 only.
626.It Cm SyslogFacility 768.It Cm SyslogFacility
627Gives the facility code that is used when logging messages from 769Gives the facility code that is used when logging messages from
628.Nm sshd . 770.Xr sshd 8 .
629The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 771The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
630LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 772LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
631The default is AUTH. 773The default is AUTH.
@@ -652,7 +794,7 @@ To disable TCP keepalive messages, the value should be set to
652.Dq no . 794.Dq no .
653.It Cm UseDNS 795.It Cm UseDNS
654Specifies whether 796Specifies whether
655.Nm sshd 797.Xr sshd 8
656should look up the remote host name and check that 798should look up the remote host name and check that
657the resolved host name for the remote IP address maps back to the 799the resolved host name for the remote IP address maps back to the
658very same IP address. 800very same IP address.
@@ -683,7 +825,10 @@ If set to
683.Dq yes 825.Dq yes
684this will enable PAM authentication using 826this will enable PAM authentication using
685.Cm ChallengeResponseAuthentication 827.Cm ChallengeResponseAuthentication
686and PAM account and session module processing for all authentication types. 828and
829.Cm PasswordAuthentication
830in addition to PAM account and session module processing for all
831authentication types.
687.Pp 832.Pp
688Because PAM challenge-response authentication usually serves an equivalent 833Because PAM challenge-response authentication usually serves an equivalent
689role to password authentication, you should disable either 834role to password authentication, you should disable either
@@ -700,7 +845,7 @@ The default is
700.Dq no . 845.Dq no .
701.It Cm UsePrivilegeSeparation 846.It Cm UsePrivilegeSeparation
702Specifies whether 847Specifies whether
703.Nm sshd 848.Xr sshd 8
704separates privileges by creating an unprivileged child process 849separates privileges by creating an unprivileged child process
705to deal with incoming network traffic. 850to deal with incoming network traffic.
706After successful authentication, another process will be created that has 851After successful authentication, another process will be created that has
@@ -711,11 +856,9 @@ The default is
711.Dq yes . 856.Dq yes .
712.It Cm X11DisplayOffset 857.It Cm X11DisplayOffset
713Specifies the first display number available for 858Specifies the first display number available for
714.Nm sshd Ns 's 859.Xr sshd 8 Ns 's
715X11 forwarding. 860X11 forwarding.
716This prevents 861This prevents sshd from interfering with real X11 servers.
717.Nm sshd
718from interfering with real X11 servers.
719The default is 10. 862The default is 10.
720.It Cm X11Forwarding 863.It Cm X11Forwarding
721Specifies whether X11 forwarding is permitted. 864Specifies whether X11 forwarding is permitted.
@@ -728,14 +871,14 @@ The default is
728.Pp 871.Pp
729When X11 forwarding is enabled, there may be additional exposure to 872When X11 forwarding is enabled, there may be additional exposure to
730the server and to client displays if the 873the server and to client displays if the
731.Nm sshd 874.Xr sshd 8
732proxy display is configured to listen on the wildcard address (see 875proxy display is configured to listen on the wildcard address (see
733.Cm X11UseLocalhost 876.Cm X11UseLocalhost
734below), however this is not the default. 877below), though this is not the default.
735Additionally, the authentication spoofing and authentication data 878Additionally, the authentication spoofing and authentication data
736verification and substitution occur on the client side. 879verification and substitution occur on the client side.
737The security risk of using X11 forwarding is that the client's X11 880The security risk of using X11 forwarding is that the client's X11
738display server may be exposed to attack when the ssh client requests 881display server may be exposed to attack when the SSH client requests
739forwarding (see the warnings for 882forwarding (see the warnings for
740.Cm ForwardX11 883.Cm ForwardX11
741in 884in
@@ -753,12 +896,11 @@ X11 forwarding is automatically disabled if
753is enabled. 896is enabled.
754.It Cm X11UseLocalhost 897.It Cm X11UseLocalhost
755Specifies whether 898Specifies whether
756.Nm sshd 899.Xr sshd 8
757should bind the X11 forwarding server to the loopback address or to 900should bind the X11 forwarding server to the loopback address or to
758the wildcard address. 901the wildcard address.
759By default, 902By default,
760.Nm sshd 903sshd binds the forwarding server to the loopback address and sets the
761binds the forwarding server to the loopback address and sets the
762hostname part of the 904hostname part of the
763.Ev DISPLAY 905.Ev DISPLAY
764environment variable to 906environment variable to
@@ -784,8 +926,8 @@ program.
784The default is 926The default is
785.Pa /usr/X11R6/bin/xauth . 927.Pa /usr/X11R6/bin/xauth .
786.El 928.El
787.Ss Time Formats 929.Sh TIME FORMATS
788.Nm sshd 930.Xr sshd 8
789command-line arguments and configuration file options that specify time 931command-line arguments and configuration file options that specify time
790may be expressed using a sequence of the form: 932may be expressed using a sequence of the form:
791.Sm off 933.Sm off
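Review bot: promoting `.Ss Time Formats` to `.Sh TIME FORMATS` changes the target of any `.Sx Time Formats` cross-references; check this file (for instance the LoginGraceTime, ClientAliveInterval and KeyRegenerationInterval entries, which take time values) and sshd(8) for references that now need to read `.Sx TIME FORMATS`.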
@@ -798,7 +940,7 @@ is a positive integer value and
798is one of the following: 940is one of the following:
799.Pp 941.Pp
800.Bl -tag -width Ds -compact -offset indent 942.Bl -tag -width Ds -compact -offset indent
801.It Cm <none> 943.It Aq Cm none
802seconds 944seconds
803.It Cm s | Cm S 945.It Cm s | Cm S
804seconds 946seconds
@@ -829,7 +971,7 @@ Time format examples:
829.Bl -tag -width Ds 971.Bl -tag -width Ds
830.It Pa /etc/ssh/sshd_config 972.It Pa /etc/ssh/sshd_config
831Contains configuration data for 973Contains configuration data for
832.Nm sshd . 974.Xr sshd 8 .
833This file should be writable by root only, but it is recommended 975This file should be writable by root only, but it is recommended
834(though not necessary) that it be world-readable. 976(though not necessary) that it be world-readable.
835.El 977.El