diff options
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 52 |
1 files changed, 50 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 525d9c858..faf93fc90 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes | |||
57 | .Pq \&" | 57 | .Pq \&" |
58 | in order to represent arguments containing spaces. | 58 | in order to represent arguments containing spaces. |
59 | .Pp | 59 | .Pp |
60 | Note that the Debian | ||
61 | .Ic openssh-server | ||
62 | package sets several options as standard in | ||
63 | .Pa /etc/ssh/sshd_config | ||
64 | which are not the default in | ||
65 | .Xr sshd 8 . | ||
66 | The exact list depends on whether the package was installed fresh or | ||
67 | upgraded from various possible previous versions, but includes at least the | ||
68 | following: | ||
69 | .Pp | ||
70 | .Bl -bullet -offset indent -compact | ||
71 | .It | ||
72 | .Cm Protocol No 2 | ||
73 | .It | ||
74 | .Cm ChallengeResponseAuthentication No no | ||
75 | .It | ||
76 | .Cm X11Forwarding No yes | ||
77 | .It | ||
78 | .Cm PrintMotd No no | ||
79 | .It | ||
80 | .Cm AcceptEnv No LANG LC_* | ||
81 | .It | ||
82 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
83 | .It | ||
84 | .Cm UsePAM No yes | ||
85 | .El | ||
86 | .Pp | ||
60 | The possible | 87 | The possible |
61 | keywords and their meanings are as follows (note that | 88 | keywords and their meanings are as follows (note that |
62 | keywords are case-insensitive and arguments are case-sensitive): | 89 | keywords are case-insensitive and arguments are case-sensitive): |
@@ -283,8 +310,7 @@ This option is only available for protocol version 2. | |||
283 | By default, no banner is displayed. | 310 | By default, no banner is displayed. |
284 | .It Cm ChallengeResponseAuthentication | 311 | .It Cm ChallengeResponseAuthentication |
285 | Specifies whether challenge-response authentication is allowed (e.g. via | 312 | Specifies whether challenge-response authentication is allowed (e.g. via |
286 | PAM or though authentication styles supported in | 313 | PAM). |
287 | .Xr login.conf 5 ) | ||
288 | The default is | 314 | The default is |
289 | .Dq yes . | 315 | .Dq yes . |
290 | .It Cm ChrootDirectory | 316 | .It Cm ChrootDirectory |
@@ -404,6 +430,11 @@ or | |||
404 | .Dq no . | 430 | .Dq no . |
405 | The default is | 431 | The default is |
406 | .Dq delayed . | 432 | .Dq delayed . |
433 | .It Cm DebianBanner | ||
434 | Specifies whether the distribution-specified extra version suffix is | ||
435 | included during initial protocol handshake. | ||
436 | The default is | ||
437 | .Dq yes . | ||
407 | .It Cm DenyGroups | 438 | .It Cm DenyGroups |
408 | This keyword can be followed by a list of group name patterns, separated | 439 | This keyword can be followed by a list of group name patterns, separated |
409 | by spaces. | 440 | by spaces. |
@@ -885,6 +916,20 @@ are refused if the number of unauthenticated connections reaches | |||
885 | Specifies whether password authentication is allowed. | 916 | Specifies whether password authentication is allowed. |
886 | The default is | 917 | The default is |
887 | .Dq yes . | 918 | .Dq yes . |
919 | .It Cm PermitBlacklistedKeys | ||
920 | Specifies whether | ||
921 | .Xr sshd 8 | ||
922 | should allow keys recorded in its blacklist of known-compromised keys (see | ||
923 | .Xr ssh-vulnkey 1 ) . | ||
924 | If | ||
925 | .Dq yes , | ||
926 | then attempts to authenticate with compromised keys will be logged but | ||
927 | accepted. | ||
928 | If | ||
929 | .Dq no , | ||
930 | then attempts to authenticate with compromised keys will be rejected. | ||
931 | The default is | ||
932 | .Dq no . | ||
888 | .It Cm PermitEmptyPasswords | 933 | .It Cm PermitEmptyPasswords |
889 | When password authentication is allowed, it specifies whether the | 934 | When password authentication is allowed, it specifies whether the |
890 | server allows login to accounts with empty password strings. | 935 | server allows login to accounts with empty password strings. |
@@ -1147,6 +1192,9 @@ This avoids infinitely hanging sessions. | |||
1147 | .Pp | 1192 | .Pp |
1148 | To disable TCP keepalive messages, the value should be set to | 1193 | To disable TCP keepalive messages, the value should be set to |
1149 | .Dq no . | 1194 | .Dq no . |
1195 | .Pp | ||
1196 | This option was formerly called | ||
1197 | .Cm KeepAlive . | ||
1150 | .It Cm TrustedUserCAKeys | 1198 | .It Cm TrustedUserCAKeys |
1151 | Specifies a file containing public keys of certificate authorities that are | 1199 | Specifies a file containing public keys of certificate authorities that are |
1152 | trusted to sign user certificates for authentication. | 1200 | trusted to sign user certificates for authentication. |