Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 97 |
1 files changed, 67 insertions, 30 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 251d847fd..faf93fc90 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $ |
37 | .Dd $Mdocdate: February 6 2013 $ | 37 | .Dd $Mdocdate: July 19 2013 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -144,9 +144,7 @@ The allow/deny directives are processed in the following order: | |||
144 | and finally | 144 | and finally |
145 | .Cm AllowGroups . | 145 | .Cm AllowGroups . |
146 | .Pp | 146 | .Pp |
147 | See | 147 | See PATTERNS in |
148 | .Sx PATTERNS | ||
149 | in | ||
150 | .Xr ssh_config 5 | 148 | .Xr ssh_config 5 |
151 | for more information on patterns. | 149 | for more information on patterns. |
152 | .It Cm AllowTcpForwarding | 150 | .It Cm AllowTcpForwarding |
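Review bot: the markup change here is correct, since .Sx only cross-references a section of the manual it appears in and PATTERNS is a section of ssh_config(5), not of this page; the plain section name followed by ".Xr ssh_config 5" is the proper mdoc form. The same replacement is applied consistently in the later hunks for the other allow/deny directives and for the AUTHORIZED_KEYS, KEY REVOCATION LISTS and CERTIFICATES references, so no further action is needed on those.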
@@ -186,9 +184,7 @@ The allow/deny directives are processed in the following order: | |||
186 | and finally | 184 | and finally |
187 | .Cm AllowGroups . | 185 | .Cm AllowGroups . |
188 | .Pp | 186 | .Pp |
189 | See | 187 | See PATTERNS in |
190 | .Sx PATTERNS | ||
191 | in | ||
192 | .Xr ssh_config 5 | 188 | .Xr ssh_config 5 |
193 | for more information on patterns. | 189 | for more information on patterns. |
194 | .It Cm AuthenticationMethods | 190 | .It Cm AuthenticationMethods |
@@ -207,6 +203,20 @@ Only methods that are next in one or more lists are offered at each stage, | |||
207 | so for this example, it would not be possible to attempt password or | 203 | so for this example, it would not be possible to attempt password or |
208 | keyboard-interactive authentication before public key. | 204 | keyboard-interactive authentication before public key. |
209 | .Pp | 205 | .Pp |
206 | For keyboard interactive authentication it is also possible to | ||
207 | restrict authentication to a specific device by appending a | ||
208 | colon followed by the device identifier | ||
209 | .Dq bsdauth , | ||
210 | .Dq pam , | ||
211 | or | ||
212 | .Dq skey , | ||
213 | depending on the server configuration. | ||
214 | For example, | ||
215 | .Dq keyboard-interactive:bsdauth | ||
216 | would restrict keyboard interactive authentication to the | ||
217 | .Dq bsdauth | ||
218 | device. | ||
219 | .Pp | ||
210 | This option is only available for SSH protocol 2 and will yield a fatal | 220 | This option is only available for SSH protocol 2 and will yield a fatal |
211 | error if enabled if protocol 1 is also enabled. | 221 | error if enabled if protocol 1 is also enabled. |
212 | Note that each authentication method listed should also be explicitly enabled | 222 | Note that each authentication method listed should also be explicitly enabled |
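Review bot: missing documentation in the new keyboard-interactive paragraph: it explains how to append a device identifier ("bsdauth", "pam" or "skey") but never says what happens when the named device is not the one the server was built or configured with, so a reader cannot tell whether that method is simply not offered or whether the AuthenticationMethods list as a whole fails. One sentence after "depending on the server configuration." stating the outcome would let administrators check their lists before rolling them out, and would also tell them what to look for in the server log when a client is unexpectedly refused.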
@@ -215,11 +225,10 @@ The default is not to require multiple authentication; successful completion | |||
215 | of a single authentication method is sufficient. | 225 | of a single authentication method is sufficient. |
216 | .It Cm AuthorizedKeysCommand | 226 | .It Cm AuthorizedKeysCommand |
217 | Specifies a program to be used to look up the user's public keys. | 227 | Specifies a program to be used to look up the user's public keys. |
218 | The program will be invoked with a single argument of the username | 228 | The program must be owned by root and not writable by group or others. |
229 | It will be invoked with a single argument of the username | ||
219 | being authenticated, and should produce on standard output zero or | 230 | being authenticated, and should produce on standard output zero or |
220 | more lines of authorized_keys output (see | 231 | more lines of authorized_keys output (see AUTHORIZED_KEYS in |
221 | .Sx AUTHORIZED_KEYS | ||
222 | in | ||
223 | .Xr sshd 8 ) . | 232 | .Xr sshd 8 ) . |
224 | If a key supplied by AuthorizedKeysCommand does not successfully authenticate | 233 | If a key supplied by AuthorizedKeysCommand does not successfully authenticate |
225 | and authorize the user then public key authentication continues using the usual | 234 | and authorize the user then public key authentication continues using the usual |
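Review bot: the new sentence "The program must be owned by root and not writable by group or others." states a requirement without saying whether sshd enforces it, that is, refuses to run the program and logs an error, or whether it is only advice. Since the following lines say that a failed lookup falls back to the usual public key path, an operator whose command is silently never run would not know why; a clause stating the enforcement and the log message to expect would make that diagnosable. It would also help to say whether the directories leading to the program are checked in the same way, as is done for other root-owned paths sshd consumes.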
@@ -234,7 +243,7 @@ than running authorized keys commands. | |||
234 | Specifies the file that contains the public keys that can be used | 243 | Specifies the file that contains the public keys that can be used |
235 | for user authentication. | 244 | for user authentication. |
236 | The format is described in the | 245 | The format is described in the |
237 | .Sx AUTHORIZED_KEYS FILE FORMAT | 246 | AUTHORIZED_KEYS FILE FORMAT |
238 | section of | 247 | section of |
239 | .Xr sshd 8 . | 248 | .Xr sshd 8 . |
240 | .Cm AuthorizedKeysFile | 249 | .Cm AuthorizedKeysFile |
@@ -258,9 +267,7 @@ When using certificates signed by a key listed in | |||
258 | this file lists names, one of which must appear in the certificate for it | 267 | this file lists names, one of which must appear in the certificate for it |
259 | to be accepted for authentication. | 268 | to be accepted for authentication. |
260 | Names are listed one per line preceded by key options (as described | 269 | Names are listed one per line preceded by key options (as described |
261 | in | 270 | in AUTHORIZED_KEYS FILE FORMAT in |
262 | .Sx AUTHORIZED_KEYS FILE FORMAT | ||
263 | in | ||
264 | .Xr sshd 8 ) . | 271 | .Xr sshd 8 ) . |
265 | Empty lines and comments starting with | 272 | Empty lines and comments starting with |
266 | .Ql # | 273 | .Ql # |
@@ -442,9 +449,7 @@ The allow/deny directives are processed in the following order: | |||
442 | and finally | 449 | and finally |
443 | .Cm AllowGroups . | 450 | .Cm AllowGroups . |
444 | .Pp | 451 | .Pp |
445 | See | 452 | See PATTERNS in |
446 | .Sx PATTERNS | ||
447 | in | ||
448 | .Xr ssh_config 5 | 453 | .Xr ssh_config 5 |
449 | for more information on patterns. | 454 | for more information on patterns. |
450 | .It Cm DenyUsers | 455 | .It Cm DenyUsers |
@@ -463,9 +468,7 @@ The allow/deny directives are processed in the following order: | |||
463 | and finally | 468 | and finally |
464 | .Cm AllowGroups . | 469 | .Cm AllowGroups . |
465 | .Pp | 470 | .Pp |
466 | See | 471 | See PATTERNS in |
467 | .Sx PATTERNS | ||
468 | in | ||
469 | .Xr ssh_config 5 | 472 | .Xr ssh_config 5 |
470 | for more information on patterns. | 473 | for more information on patterns. |
471 | .It Cm ForceCommand | 474 | .It Cm ForceCommand |
@@ -602,6 +605,18 @@ keys are used for version 1 and | |||
602 | or | 605 | or |
603 | .Dq rsa | 606 | .Dq rsa |
604 | are used for version 2 of the SSH protocol. | 607 | are used for version 2 of the SSH protocol. |
608 | It is also possible to specify public host key files instead. | ||
609 | In this case operations on the private key will be delegated | ||
610 | to an | ||
611 | .Xr ssh-agent 1 . | ||
612 | .It Cm HostKeyAgent | ||
613 | Identifies the UNIX-domain socket used to communicate | ||
614 | with an agent that has access to the private host keys. | ||
615 | If | ||
616 | .Dq SSH_AUTH_SOCK | ||
617 | is specified, the location of the socket will be read from the | ||
618 | .Ev SSH_AUTH_SOCK | ||
619 | environment variable. | ||
605 | .It Cm IgnoreRhosts | 620 | .It Cm IgnoreRhosts |
606 | Specifies that | 621 | Specifies that |
607 | .Pa .rhosts | 622 | .Pa .rhosts |
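Review bot: the two additions in this hunk should reference each other. The HostKey text says private-key operations "will be delegated to an ssh-agent(1)" when a public host key file is given, but does not say that HostKeyAgent must be set for this to work, and the HostKeyAgent entry does not describe the failure mode when the socket cannot be opened or the agent does not hold the corresponding key (does sshd refuse to start, or skip that host key?). Adding ".Cm HostKeyAgent" to the HostKey sentence and one sentence on the startup behaviour would close the gap; because the agent then holds the host's identity, the expected ownership and permissions of the socket are also worth stating.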
@@ -805,8 +820,7 @@ and | |||
805 | .Cm Address . | 820 | .Cm Address . |
806 | The match patterns may consist of single entries or comma-separated | 821 | The match patterns may consist of single entries or comma-separated |
807 | lists and may use the wildcard and negation operators described in the | 822 | lists and may use the wildcard and negation operators described in the |
808 | .Sx PATTERNS | 823 | PATTERNS section of |
809 | section of | ||
810 | .Xr ssh_config 5 . | 824 | .Xr ssh_config 5 . |
811 | .Pp | 825 | .Pp |
812 | The patterns in an | 826 | The patterns in an |
@@ -858,6 +872,7 @@ Available keywords are | |||
858 | .Cm PermitRootLogin , | 872 | .Cm PermitRootLogin , |
859 | .Cm PermitTunnel , | 873 | .Cm PermitTunnel , |
860 | .Cm PubkeyAuthentication , | 874 | .Cm PubkeyAuthentication , |
875 | .Cm RekeyLimit , | ||
861 | .Cm RhostsRSAAuthentication , | 876 | .Cm RhostsRSAAuthentication , |
862 | .Cm RSAAuthentication , | 877 | .Cm RSAAuthentication , |
863 | .Cm X11DisplayOffset , | 878 | .Cm X11DisplayOffset , |
@@ -1066,6 +1081,32 @@ Specifies whether public key authentication is allowed. | |||
1066 | The default is | 1081 | The default is |
1067 | .Dq yes . | 1082 | .Dq yes . |
1068 | Note that this option applies to protocol version 2 only. | 1083 | Note that this option applies to protocol version 2 only. |
1084 | .It Cm RekeyLimit | ||
1085 | Specifies the maximum amount of data that may be transmitted before the | ||
1086 | session key is renegotiated, optionally followed a maximum amount of | ||
1087 | time that may pass before the session key is renegotiated. | ||
1088 | The first argument is specified in bytes and may have a suffix of | ||
1089 | .Sq K , | ||
1090 | .Sq M , | ||
1091 | or | ||
1092 | .Sq G | ||
1093 | to indicate Kilobytes, Megabytes, or Gigabytes, respectively. | ||
1094 | The default is between | ||
1095 | .Sq 1G | ||
1096 | and | ||
1097 | .Sq 4G , | ||
1098 | depending on the cipher. | ||
1099 | The optional second value is specified in seconds and may use any of the | ||
1100 | units documented in the | ||
1101 | .Sx TIME FORMATS | ||
1102 | section. | ||
1103 | The default value for | ||
1104 | .Cm RekeyLimit | ||
1105 | is | ||
1106 | .Dq default none , | ||
1107 | which means that rekeying is performed after the cipher's default amount | ||
1108 | of data has been sent or received and no time based rekeying is done. | ||
1109 | This option applies to protocol version 2 only. | ||
1069 | .It Cm RevokedKeys | 1110 | .It Cm RevokedKeys |
1070 | Specifies revoked public keys. | 1111 | Specifies revoked public keys. |
1071 | Keys listed in this file will be refused for public key authentication. | 1112 | Keys listed in this file will be refused for public key authentication. |
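Review bot: typo in the new RekeyLimit text: "optionally followed a maximum amount of time" should read "optionally followed by a maximum amount of time". Otherwise the entry reads well; note that ".Sx TIME FORMATS" is correct here, unlike the PATTERNS references changed elsewhere in this patch, because TIME FORMATS is a section of sshd_config(5) itself. Since RekeyLimit is also added to the Match keyword list in the hunk above, a short sentence saying that a value inside a Match block overrides the global one, as for the other listed keywords, would help readers who only look at this entry.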
@@ -1074,9 +1115,7 @@ be refused for all users. | |||
1074 | Keys may be specified as a text file, listing one public key per line, or as | 1115 | Keys may be specified as a text file, listing one public key per line, or as |
1075 | an OpenSSH Key Revocation List (KRL) as generated by | 1116 | an OpenSSH Key Revocation List (KRL) as generated by |
1076 | .Xr ssh-keygen 1 . | 1117 | .Xr ssh-keygen 1 . |
1077 | For more information on KRLs, see the | 1118 | For more information on KRLs, see the KEY REVOCATION LISTS section in |
1078 | .Sx KEY REVOCATION LISTS | ||
1079 | section in | ||
1080 | .Xr ssh-keygen 1 . | 1119 | .Xr ssh-keygen 1 . |
1081 | .It Cm RhostsRSAAuthentication | 1120 | .It Cm RhostsRSAAuthentication |
1082 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 1121 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
@@ -1168,9 +1207,7 @@ listed in the certificate's principals list. | |||
1168 | Note that certificates that lack a list of principals will not be permitted | 1207 | Note that certificates that lack a list of principals will not be permitted |
1169 | for authentication using | 1208 | for authentication using |
1170 | .Cm TrustedUserCAKeys . | 1209 | .Cm TrustedUserCAKeys . |
1171 | For more details on certificates, see the | 1210 | For more details on certificates, see the CERTIFICATES section in |
1172 | .Sx CERTIFICATES | ||
1173 | section in | ||
1174 | .Xr ssh-keygen 1 . | 1211 | .Xr ssh-keygen 1 . |
1175 | .It Cm UseDNS | 1212 | .It Cm UseDNS |
1176 | Specifies whether | 1213 | Specifies whether |