diff options
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 52 |
1 files changed, 50 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 76c95aa19..e73624154 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes | |||
57 | .Pq \&" | 57 | .Pq \&" |
58 | in order to represent arguments containing spaces. | 58 | in order to represent arguments containing spaces. |
59 | .Pp | 59 | .Pp |
60 | Note that the Debian | ||
61 | .Ic openssh-server | ||
62 | package sets several options as standard in | ||
63 | .Pa /etc/ssh/sshd_config | ||
64 | which are not the default in | ||
65 | .Xr sshd 8 . | ||
66 | The exact list depends on whether the package was installed fresh or | ||
67 | upgraded from various possible previous versions, but includes at least the | ||
68 | following: | ||
69 | .Pp | ||
70 | .Bl -bullet -offset indent -compact | ||
71 | .It | ||
72 | .Cm Protocol No 2 | ||
73 | .It | ||
74 | .Cm ChallengeResponseAuthentication No no | ||
75 | .It | ||
76 | .Cm X11Forwarding No yes | ||
77 | .It | ||
78 | .Cm PrintMotd No no | ||
79 | .It | ||
80 | .Cm AcceptEnv No LANG LC_* | ||
81 | .It | ||
82 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
83 | .It | ||
84 | .Cm UsePAM No yes | ||
85 | .El | ||
86 | .Pp | ||
60 | The possible | 87 | The possible |
61 | keywords and their meanings are as follows (note that | 88 | keywords and their meanings are as follows (note that |
62 | keywords are case-insensitive and arguments are case-sensitive): | 89 | keywords are case-insensitive and arguments are case-sensitive): |
@@ -222,8 +249,7 @@ This option is only available for protocol version 2. | |||
222 | By default, no banner is displayed. | 249 | By default, no banner is displayed. |
223 | .It Cm ChallengeResponseAuthentication | 250 | .It Cm ChallengeResponseAuthentication |
224 | Specifies whether challenge-response authentication is allowed (e.g. via | 251 | Specifies whether challenge-response authentication is allowed (e.g. via |
225 | PAM or though authentication styles supported in | 252 | PAM). |
226 | .Xr login.conf 5 ) | ||
227 | The default is | 253 | The default is |
228 | .Dq yes . | 254 | .Dq yes . |
229 | .It Cm ChrootDirectory | 255 | .It Cm ChrootDirectory |
@@ -340,6 +366,11 @@ or | |||
340 | .Dq no . | 366 | .Dq no . |
341 | The default is | 367 | The default is |
342 | .Dq delayed . | 368 | .Dq delayed . |
369 | .It Cm DebianBanner | ||
370 | Specifies whether the distribution-specified extra version suffix is | ||
371 | included during initial protocol handshake. | ||
372 | The default is | ||
373 | .Dq yes . | ||
343 | .It Cm DenyGroups | 374 | .It Cm DenyGroups |
344 | This keyword can be followed by a list of group name patterns, separated | 375 | This keyword can be followed by a list of group name patterns, separated |
345 | by spaces. | 376 | by spaces. |
@@ -795,6 +826,20 @@ are refused if the number of unauthenticated connections reaches | |||
795 | Specifies whether password authentication is allowed. | 826 | Specifies whether password authentication is allowed. |
796 | The default is | 827 | The default is |
797 | .Dq yes . | 828 | .Dq yes . |
829 | .It Cm PermitBlacklistedKeys | ||
830 | Specifies whether | ||
831 | .Xr sshd 8 | ||
832 | should allow keys recorded in its blacklist of known-compromised keys (see | ||
833 | .Xr ssh-vulnkey 1 ) . | ||
834 | If | ||
835 | .Dq yes , | ||
836 | then attempts to authenticate with compromised keys will be logged but | ||
837 | accepted. | ||
838 | If | ||
839 | .Dq no , | ||
840 | then attempts to authenticate with compromised keys will be rejected. | ||
841 | The default is | ||
842 | .Dq no . | ||
798 | .It Cm PermitEmptyPasswords | 843 | .It Cm PermitEmptyPasswords |
799 | When password authentication is allowed, it specifies whether the | 844 | When password authentication is allowed, it specifies whether the |
800 | server allows login to accounts with empty password strings. | 845 | server allows login to accounts with empty password strings. |
@@ -1023,6 +1068,9 @@ This avoids infinitely hanging sessions. | |||
1023 | .Pp | 1068 | .Pp |
1024 | To disable TCP keepalive messages, the value should be set to | 1069 | To disable TCP keepalive messages, the value should be set to |
1025 | .Dq no . | 1070 | .Dq no . |
1071 | .Pp | ||
1072 | This option was formerly called | ||
1073 | .Cm KeepAlive . | ||
1026 | .It Cm TrustedUserCAKeys | 1074 | .It Cm TrustedUserCAKeys |
1027 | Specifies a file containing public keys of certificate authorities that are | 1075 | Specifies a file containing public keys of certificate authorities that are |
1028 | trusted to sign user certificates for authentication. | 1076 | trusted to sign user certificates for authentication. |