Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 112 |
1 files changed, 105 insertions, 7 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 5e1c7943c..e58b7cfc7 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $ |
38 | .Dd $Mdocdate: June 11 2007 $ | 38 | .Dd $Mdocdate: July 2 2008 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -95,6 +95,15 @@ Valid arguments are | |||
95 | (use IPv6 only). | 95 | (use IPv6 only). |
96 | The default is | 96 | The default is |
97 | .Dq any . | 97 | .Dq any . |
98 | .It Cm AllowAgentForwarding | ||
99 | Specifies whether | ||
100 | .Xr ssh-agent 1 | ||
101 | forwarding is permitted. | ||
102 | The default is | ||
103 | .Dq yes . | ||
104 | Note that disabling agent forwarding does not improve security | ||
105 | unless users are also denied shell access, as they can always install | ||
106 | their own forwarders. | ||
98 | .It Cm AllowGroups | 107 | .It Cm AllowGroups |
99 | This keyword can be followed by a list of group name patterns, separated | 108 | This keyword can be followed by a list of group name patterns, separated |
100 | by spaces. | 109 | by spaces. |
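Review bot: the new AllowAgentForwarding keyword (lines 98-106 of the new file) is not added to the list of keywords permitted under Match later in this patch, even though the sibling keywords AllowTcpForwarding and ChrootDirectory are; if servconf.c accepts it in a Match block, add ".Cm AllowAgentForwarding ," to that list, otherwise the omission deserves a sentence here. The caveat that disabling forwarding only helps when shell access is also denied is a good addition; pointing the reader at ForceCommand, which is documented further down, would make the "denied shell access" part actionable.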
@@ -159,10 +168,11 @@ directory. | |||
159 | The default is | 168 | The default is |
160 | .Dq .ssh/authorized_keys . | 169 | .Dq .ssh/authorized_keys . |
161 | .It Cm Banner | 170 | .It Cm Banner |
162 | In some jurisdictions, sending a warning message before authentication | ||
163 | may be relevant for getting legal protection. | ||
164 | The contents of the specified file are sent to the remote user before | 171 | The contents of the specified file are sent to the remote user before |
165 | authentication is allowed. | 172 | authentication is allowed. |
173 | If the argument is | ||
174 | .Dq none | ||
175 | then no banner is displayed. | ||
166 | This option is only available for protocol version 2. | 176 | This option is only available for protocol version 2. |
167 | By default, no banner is displayed. | 177 | By default, no banner is displayed. |
168 | .It Cm ChallengeResponseAuthentication | 178 | .It Cm ChallengeResponseAuthentication |
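Review bot: the added "If the argument is none then no banner is displayed" (new lines 173-175) and the retained "By default, no banner is displayed" two lines later say the same thing twice; fold them into "The default is .Dq none .", which is the phrasing every other keyword in this manual uses for its default. Dropping the "legal protection" sentence is fine, since it was advice rather than a description of what the option does.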
@@ -172,6 +182,45 @@ All authentication styles from | |||
172 | are supported. | 182 | are supported. |
173 | The default is | 183 | The default is |
174 | .Dq yes . | 184 | .Dq yes . |
185 | .It Cm ChrootDirectory | ||
186 | Specifies a path to | ||
187 | .Xr chroot 2 | ||
188 | to after authentication. | ||
189 | This path, and all its components, must be root-owned directories that are | ||
190 | not writable by any other user or group. | ||
191 | .Pp | ||
192 | The path may contain the following tokens that are expanded at runtime once | ||
193 | the connecting user has been authenticated: %% is replaced by a literal '%', | ||
194 | %h is replaced by the home directory of the user being authenticated, and | ||
195 | %u is replaced by the username of that user. | ||
196 | .Pp | ||
197 | The | ||
198 | .Cm ChrootDirectory | ||
199 | must contain the necessary files and directories to support the | ||
200 | users' session. | ||
201 | For an interactive session this requires at least a shell, typically | ||
202 | .Xr sh 1 , | ||
203 | and basic | ||
204 | .Pa /dev | ||
205 | nodes such as | ||
206 | .Xr null 4 , | ||
207 | .Xr zero 4 , | ||
208 | .Xr stdin 4 , | ||
209 | .Xr stdout 4 , | ||
210 | .Xr stderr 4 , | ||
211 | .Xr arandom 4 | ||
212 | and | ||
213 | .Xr tty 4 | ||
214 | devices. | ||
215 | For file transfer sessions using | ||
216 | .Dq sftp , | ||
217 | no additional configuration of the environment is necessary if the | ||
218 | in-process sftp server is used (see | ||
219 | .Cm Subsystem | ||
220 | for details). | ||
221 | .Pp | ||
222 | The default is not to | ||
223 | .Xr chroot 2 . | ||
175 | .It Cm Ciphers | 224 | .It Cm Ciphers |
176 | Specifies the ciphers allowed for protocol version 2. | 225 | Specifies the ciphers allowed for protocol version 2. |
177 | Multiple ciphers must be comma-separated. | 226 | Multiple ciphers must be comma-separated. |
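Review bot: the ownership requirement at new lines 189-190 ("root-owned directories that are not writable by any other user or group") states the rule but not the consequence; say what sshd does when a component fails the check, because an administrator reading this will otherwise assume the chroot silently proceeds. The same paragraph should spell out that, because of this rule, a %h token (new line 194) only works when the user's home directory is itself root-owned and not writable by the user, which is not how home directories are normally set up; a single sentence pointing to the "internal-sftp" plus subdirectory arrangement described under Subsystem would save a lot of misconfiguration. Finally, the device list at new lines 205-213 (arandom in particular) is OpenBSD-specific; note that other platforms need their own equivalents.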
@@ -284,7 +333,9 @@ for more information on patterns. | |||
284 | .It Cm ForceCommand | 333 | .It Cm ForceCommand |
285 | Forces the execution of the command specified by | 334 | Forces the execution of the command specified by |
286 | .Cm ForceCommand , | 335 | .Cm ForceCommand , |
287 | ignoring any command supplied by the client. | 336 | ignoring any command supplied by the client and |
337 | .Pa ~/.ssh/rc | ||
338 | if present. | ||
288 | The command is invoked by using the user's login shell with the -c option. | 339 | The command is invoked by using the user's login shell with the -c option. |
289 | This applies to shell, command, or subsystem execution. | 340 | This applies to shell, command, or subsystem execution. |
290 | It is most useful inside a | 341 | It is most useful inside a |
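Review bot: "ignoring any command supplied by the client and ~/.ssh/rc if present" (new lines 336-338) can be read as "ignoring whether ~/.ssh/rc is present"; it should say explicitly that ~/.ssh/rc is not executed when ForceCommand is set, since that file runs user-supplied code before the forced command and the whole point of the change is that it no longer does. Suggested wording: "ignoring any command supplied by the client. The user's ~/.ssh/rc file, if present, is not executed."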
@@ -293,6 +344,11 @@ block. | |||
293 | The command originally supplied by the client is available in the | 344 | The command originally supplied by the client is available in the |
294 | .Ev SSH_ORIGINAL_COMMAND | 345 | .Ev SSH_ORIGINAL_COMMAND |
295 | environment variable. | 346 | environment variable. |
347 | Specifying a command of | ||
348 | .Dq internal-sftp | ||
349 | will force the use of an in-process sftp server that requires no support | ||
350 | files when used with | ||
351 | .Cm ChrootDirectory . | ||
296 | .It Cm GatewayPorts | 352 | .It Cm GatewayPorts |
297 | Specifies whether remote hosts are allowed to connect to ports | 353 | Specifies whether remote hosts are allowed to connect to ports |
298 | forwarded for the client. | 354 | forwarded for the client. |
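Review bot: the new "internal-sftp" sentence (new lines 347-351) does not say whether a matching "Subsystem sftp" line is still required when the in-process server is selected through ForceCommand, nor that the SSH_ORIGINAL_COMMAND paragraph immediately above does not apply to it (no shell is started, so nothing can read the variable); both belong here, because this is the paragraph an administrator building a chrooted sftp-only account will read. A cross-reference to the Subsystem entry, which carries the other half of the description, would also avoid the two paragraphs drifting apart.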
@@ -524,6 +580,7 @@ line are satisfied, the keywords on the following lines override those | |||
524 | set in the global section of the config file, until either another | 580 | set in the global section of the config file, until either another |
525 | .Cm Match | 581 | .Cm Match |
526 | line or the end of the file. | 582 | line or the end of the file. |
583 | .Pp | ||
527 | The arguments to | 584 | The arguments to |
528 | .Cm Match | 585 | .Cm Match |
529 | are one or more criteria-pattern pairs. | 586 | are one or more criteria-pattern pairs. |
@@ -533,19 +590,46 @@ The available criteria are | |||
533 | .Cm Host , | 590 | .Cm Host , |
534 | and | 591 | and |
535 | .Cm Address . | 592 | .Cm Address . |
593 | The match patterns may consist of single entries or comma-separated | ||
594 | lists and may use the wildcard and negation operators described in the | ||
595 | .Sx PATTERNS | ||
596 | section of | ||
597 | .Xr ssh_config 5 . | ||
598 | .Pp | ||
599 | The patterns in an | ||
600 | .Cm Address | ||
601 | criteria may additionally contain addresses to match in CIDR | ||
602 | address/masklen format, e.g.\& | ||
603 | .Dq 192.0.2.0/24 | ||
604 | or | ||
605 | .Dq 3ffe:ffff::/32 . | ||
606 | Note that the mask length provided must be consistent with the address - | ||
607 | it is an error to specify a mask length that is too long for the address | ||
608 | or one with bits set in this host portion of the address. | ||
609 | For example, | ||
610 | .Dq 192.0.2.0/33 | ||
611 | and | ||
612 | .Dq 192.0.2.0/8 | ||
613 | respectively. | ||
614 | .Pp | ||
536 | Only a subset of keywords may be used on the lines following a | 615 | Only a subset of keywords may be used on the lines following a |
537 | .Cm Match | 616 | .Cm Match |
538 | keyword. | 617 | keyword. |
539 | Available keywords are | 618 | Available keywords are |
540 | .Cm AllowTcpForwarding , | 619 | .Cm AllowTcpForwarding , |
541 | .Cm Banner , | 620 | .Cm Banner , |
621 | .Cm ChrootDirectory , | ||
542 | .Cm ForceCommand , | 622 | .Cm ForceCommand , |
543 | .Cm GatewayPorts , | 623 | .Cm GatewayPorts , |
544 | .Cm GSSApiAuthentication , | 624 | .Cm GSSAPIAuthentication , |
625 | .Cm HostbasedAuthentication , | ||
545 | .Cm KbdInteractiveAuthentication , | 626 | .Cm KbdInteractiveAuthentication , |
546 | .Cm KerberosAuthentication , | 627 | .Cm KerberosAuthentication , |
628 | .Cm MaxAuthTries , | ||
629 | .Cm MaxSessions , | ||
547 | .Cm PasswordAuthentication , | 630 | .Cm PasswordAuthentication , |
548 | .Cm PermitOpen , | 631 | .Cm PermitOpen , |
632 | .Cm PermitRootLogin , | ||
549 | .Cm RhostsRSAAuthentication , | 633 | .Cm RhostsRSAAuthentication , |
550 | .Cm RSAAuthentication , | 634 | .Cm RSAAuthentication , |
551 | .Cm X11DisplayOffset , | 635 | .Cm X11DisplayOffset , |
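Review bot: the sentence at new lines 609-613 ("For example, 192.0.2.0/33 and 192.0.2.0/8 respectively.") is incomplete, since "respectively" has nothing to refer to; it should read something like "For example, 192.0.2.0/33 is an error because the mask length is too long, and 192.0.2.0/8 is an error because bits are set in the host portion." In the preceding sentence "in this host portion" should be "in the host portion". The IPv6 example "3ffe:ffff::/32" (new line 605) uses the retired 6bone prefix; the documentation prefix 2001:db8::/32 (RFC 3849) is the right choice next to the 192.0.2.0/24 example, which already uses its IPv4 counterpart. The GSSApiAuthentication to GSSAPIAuthentication spelling fix and the MaxSessions addition to the Match list look right.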
@@ -558,6 +642,9 @@ connection. | |||
558 | Once the number of failures reaches half this value, | 642 | Once the number of failures reaches half this value, |
559 | additional failures are logged. | 643 | additional failures are logged. |
560 | The default is 6. | 644 | The default is 6. |
645 | .It Cm MaxSessions | ||
646 | Specifies the maximum number of open sessions permitted per network connection. | ||
647 | The default is 10. | ||
561 | .It Cm MaxStartups | 648 | .It Cm MaxStartups |
562 | Specifies the maximum number of concurrent unauthenticated connections to the | 649 | Specifies the maximum number of concurrent unauthenticated connections to the |
563 | SSH daemon. | 650 | SSH daemon. |
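Review bot: the MaxSessions description (new lines 645-647) gives the limit and the default but not what happens when it is reached, nor that a "session" here is a channel of type session over one connection, so the option is what bounds the multiplexed sessions a client opens with ControlMaster; state both, and note whether 0 is an accepted value and what it means, since an administrator may reach for it to permit port forwarding without shells. As written, the entry cannot be distinguished from MaxStartups by a reader who does not already know the protocol.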
@@ -747,7 +834,7 @@ The default is | |||
747 | This option applies to protocol version 1 only. | 834 | This option applies to protocol version 1 only. |
748 | .It Cm ServerKeyBits | 835 | .It Cm ServerKeyBits |
749 | Defines the number of bits in the ephemeral protocol version 1 server key. | 836 | Defines the number of bits in the ephemeral protocol version 1 server key. |
750 | The minimum value is 512, and the default is 768. | 837 | The minimum value is 512, and the default is 1024. |
751 | .It Cm StrictModes | 838 | .It Cm StrictModes |
752 | Specifies whether | 839 | Specifies whether |
753 | .Xr sshd 8 | 840 | .Xr sshd 8 |
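Review bot: the default change from 768 to 1024 (new line 837) must match the value compiled into servconf.c; please confirm the code side of this change is in the same commit series, because a manual page that disagrees with the daemon's actual default is worse than one that is merely out of date. This is protocol version 1 only, as the entry already says, so no other wording needs to move.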
@@ -761,11 +848,22 @@ The default is | |||
761 | Configures an external subsystem (e.g. file transfer daemon). | 848 | Configures an external subsystem (e.g. file transfer daemon). |
762 | Arguments should be a subsystem name and a command (with optional arguments) | 849 | Arguments should be a subsystem name and a command (with optional arguments) |
763 | to execute upon subsystem request. | 850 | to execute upon subsystem request. |
851 | .Pp | ||
764 | The command | 852 | The command |
765 | .Xr sftp-server 8 | 853 | .Xr sftp-server 8 |
766 | implements the | 854 | implements the |
767 | .Dq sftp | 855 | .Dq sftp |
768 | file transfer subsystem. | 856 | file transfer subsystem. |
857 | .Pp | ||
858 | Alternately the name | ||
859 | .Dq internal-sftp | ||
860 | implements an in-process | ||
861 | .Dq sftp | ||
862 | server. | ||
863 | This may simplify configurations using | ||
864 | .Cm ChrootDirectory | ||
865 | to force a different filesystem root on clients. | ||
866 | .Pp | ||
769 | By default no subsystems are defined. | 867 | By default no subsystems are defined. |
770 | Note that this option applies to protocol version 2 only. | 868 | Note that this option applies to protocol version 2 only. |
771 | .It Cm SyslogFacility | 869 | .It Cm SyslogFacility |
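Review bot: "to force a different filesystem root on clients" (new line 865) is misleading, since the chroot applies to the authenticated user's session on the server, not to anything on the client side; "for users" or "for the session" is accurate. "Alternately" (new line 858) should be "Alternatively", and this paragraph should carry the same statement as the ForceCommand entry that the in-process server needs no support files inside the chroot, so that a reader who only consults Subsystem learns why internal-sftp is preferred over sftp-server there. Documenting that "internal-sftp" takes no command or arguments would also stop people appending sftp-server flags to it.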