path: root/sshd_config.5
Diffstat (limited to 'sshd_config.5')
-rw-r--r--  sshd_config.5  53
1 files changed, 51 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 6e3c69d05..55e8d8503 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $ 37.\" $OpenBSD: sshd_config.5,v 1.125 2010/06/30 07:28:34 jmc Exp $
38.Dd $Mdocdate: March 4 2010 $ 38.Dd $Mdocdate: June 30 2010 $
39.Dt SSHD_CONFIG 5 39.Dt SSHD_CONFIG 5
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -155,6 +155,10 @@ for more information on patterns.
155.It Cm AuthorizedKeysFile 155.It Cm AuthorizedKeysFile
156Specifies the file that contains the public keys that can be used 156Specifies the file that contains the public keys that can be used
157for user authentication. 157for user authentication.
158The format is described in the
159.Sx AUTHORIZED_KEYS FILE FORMAT
160section of
161.Xr sshd 8 .
158.Cm AuthorizedKeysFile 162.Cm AuthorizedKeysFile
159may contain tokens of the form %T which are substituted during connection 163may contain tokens of the form %T which are substituted during connection
160setup. 164setup.
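Review bot: the four added lines after "for user authentication." cite the section with `.Sx AUTHORIZED_KEYS FILE FORMAT`, but mdoc's `.Sx` is a cross-reference to a section of the current page, and that section lives in sshd(8), not in sshd_config(5); writing the section name as plain text and keeping the `.Xr sshd 8` that follows gives the same rendered output without an in-page reference to a section this page does not contain. The same construction is used again for AuthorizedPrincipalsFile in the next hunk, so whichever form is chosen should be applied to both.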
@@ -167,6 +171,47 @@ is taken to be an absolute path or one relative to the user's home
167directory. 171directory.
168The default is 172The default is
169.Dq .ssh/authorized_keys . 173.Dq .ssh/authorized_keys .
174.It Cm AuthorizedPrincipalsFile
175Specifies a file that lists principal names that are accepted for
176certificate authentication.
177When using certificates signed by a key listed in
178.Cm TrustedUserCAKeys ,
179this file lists names, one of which must appear in the certificate for it
180to be accepted for authentication.
181Names are listed one per line preceded by key options (as described
182in
183.Sx AUTHORIZED_KEYS FILE FORMAT
184in
185.Xr sshd 8 ) .
186Empty lines and comments starting with
187.Ql #
188are ignored.
189.Pp
190.Cm AuthorizedPrincipalsFile
191may contain tokens of the form %T which are substituted during connection
192setup.
193The following tokens are defined: %% is replaced by a literal '%',
194%h is replaced by the home directory of the user being authenticated, and
195%u is replaced by the username of that user.
196After expansion,
197.Cm AuthorizedPrincipalsFile
198is taken to be an absolute path or one relative to the user's home
199directory.
200.Pp
201The default is not to use a principals file \(en in this case, the username
202of the user must appear in a certificate's principals list for it to be
203accepted.
204Note that
205.Cm AuthorizedPrincipalsFile
206is only used when authentication proceeds using a CA listed in
207.Cm TrustedUserCAKeys
208and is not consulted for certification authorities trusted via
209.Pa ~/.ssh/authorized_keys ,
210though the
211.Cm principals=
212key option offers a similar facility (see
213.Xr sshd 8
214for details).
170.It Cm Banner 215.It Cm Banner
171The contents of the specified file are sent to the remote user before 216The contents of the specified file are sent to the remote user before
172authentication is allowed. 217authentication is allowed.
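Review bot: "Names are listed one per line preceded by key options" reads as if the options are mandatory on every line; suggest "optionally preceded by key options", which is how the authorized_keys format the sentence cites works. Two questions an administrator enforcing certificate-only logins will ask are left open by the new text: whether a certificate principal has to match a listed name exactly (the page's earlier text on Match patterns could make a reader expect wildcards here), and what sshd does when the configured principals file is missing or empty (refuse the certificate, or fall back to the "username must appear in the principals list" rule described as the default). Either answer them in this paragraph or point at the sshd(8) text that does, next to the existing reference for the `principals=` key option.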
@@ -636,12 +681,15 @@ keyword.
636Available keywords are 681Available keywords are
637.Cm AllowAgentForwarding , 682.Cm AllowAgentForwarding ,
638.Cm AllowTcpForwarding , 683.Cm AllowTcpForwarding ,
684.Cm AuthorizedKeysFile ,
685.Cm AuthorizedPrincipalsFile ,
639.Cm Banner , 686.Cm Banner ,
640.Cm ChrootDirectory , 687.Cm ChrootDirectory ,
641.Cm ForceCommand , 688.Cm ForceCommand ,
642.Cm GatewayPorts , 689.Cm GatewayPorts ,
643.Cm GSSAPIAuthentication , 690.Cm GSSAPIAuthentication ,
644.Cm HostbasedAuthentication , 691.Cm HostbasedAuthentication ,
692.Cm HostbasedUsesNameFromPacketOnly ,
645.Cm KbdInteractiveAuthentication , 693.Cm KbdInteractiveAuthentication ,
646.Cm KerberosAuthentication , 694.Cm KerberosAuthentication ,
647.Cm MaxAuthTries , 695.Cm MaxAuthTries ,
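Review bot: HostbasedUsesNameFromPacketOnly is unrelated to the AuthorizedPrincipalsFile work the rest of this diff documents, and the $OpenBSD$ id in the first hunk moves from 1.120 to 1.125, so several upstream revisions are being folded into one sync; the commit message should list which upstream revisions these Match-list additions come from so each can be traced to the corresponding sshd change. Since AuthorizedKeysFile and AuthorizedPrincipalsFile are now accepted inside Match blocks, their descriptions earlier in the page (which only mention the default and the %h/%u tokens) should also say they can be set per Match block, because that is where an administrator will look when restricting key sources for a group.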
@@ -650,6 +698,7 @@ Available keywords are
650.Cm PermitEmptyPasswords , 698.Cm PermitEmptyPasswords ,
651.Cm PermitOpen , 699.Cm PermitOpen ,
652.Cm PermitRootLogin , 700.Cm PermitRootLogin ,
701.Cm PermitTunnel ,
653.Cm PubkeyAuthentication , 702.Cm PubkeyAuthentication ,
654.Cm RhostsRSAAuthentication , 703.Cm RhostsRSAAuthentication ,
655.Cm RSAAuthentication , 704.Cm RSAAuthentication ,