path: root/sshd_config.5
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- sshd_config.5 112
1 files changed, 105 insertions, 7 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 7882f8bcf..7255b1c22 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $ 37.\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $
38.Dd $Mdocdate: June 11 2007 $ 38.Dd $Mdocdate: July 2 2008 $
39.Dt SSHD_CONFIG 5 39.Dt SSHD_CONFIG 5
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -95,6 +95,15 @@ Valid arguments are
95(use IPv6 only). 95(use IPv6 only).
96The default is 96The default is
97.Dq any . 97.Dq any .
98.It Cm AllowAgentForwarding
99Specifies whether
100.Xr ssh-agent 1
101forwarding is permitted.
102The default is
103.Dq yes .
104Note that disabling agent forwarding does not improve security
105unless users are also denied shell access, as they can always install
106their own forwarders.
98.It Cm AllowGroups 107.It Cm AllowGroups
99This keyword can be followed by a list of group name patterns, separated 108This keyword can be followed by a list of group name patterns, separated
100by spaces. 109by spaces.
@@ -159,10 +168,11 @@ directory.
159The default is 168The default is
160.Dq .ssh/authorized_keys . 169.Dq .ssh/authorized_keys .
161.It Cm Banner 170.It Cm Banner
162In some jurisdictions, sending a warning message before authentication
163may be relevant for getting legal protection.
164The contents of the specified file are sent to the remote user before 171The contents of the specified file are sent to the remote user before
165authentication is allowed. 172authentication is allowed.
173If the argument is
174.Dq none
175then no banner is displayed.
166This option is only available for protocol version 2. 176This option is only available for protocol version 2.
167By default, no banner is displayed. 177By default, no banner is displayed.
168.It Cm ChallengeResponseAuthentication 178.It Cm ChallengeResponseAuthentication
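Review bot: the new "If the argument is .Dq none then no banner is displayed." and the retained "By default, no banner is displayed." state the same thing twice. Consider replacing the last line with "The default is .Dq none ." to match the phrasing used for the other keywords in this file (e.g. "The default is .Dq yes ." under AllowAgentForwarding), which also makes the default value explicit.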
@@ -172,6 +182,45 @@ All authentication styles from
172are supported. 182are supported.
173The default is 183The default is
174.Dq yes . 184.Dq yes .
185.It Cm ChrootDirectory
186Specifies a path to
187.Xr chroot 2
188to after authentication.
189This path, and all its components, must be root-owned directories that are
190not writable by any other user or group.
191.Pp
192The path may contain the following tokens that are expanded at runtime once
193the connecting user has been authenticated: %% is replaced by a literal '%',
194%h is replaced by the home directory of the user being authenticated, and
195%u is replaced by the username of that user.
196.Pp
197The
198.Cm ChrootDirectory
199must contain the necessary files and directories to support the
200users' session.
201For an interactive session this requires at least a shell, typically
202.Xr sh 1 ,
203and basic
204.Pa /dev
205nodes such as
206.Xr null 4 ,
207.Xr zero 4 ,
208.Xr stdin 4 ,
209.Xr stdout 4 ,
210.Xr stderr 4 ,
211.Xr arandom 4
212and
213.Xr tty 4
214devices.
215For file transfer sessions using
216.Dq sftp ,
217no additional configuration of the environment is necessary if the
218in-process sftp server is used (see
219.Cm Subsystem
220for details).
221.Pp
222The default is not to
223.Xr chroot 2 .
175.It Cm Ciphers 224.It Cm Ciphers
176Specifies the ciphers allowed for protocol version 2. 225Specifies the ciphers allowed for protocol version 2.
177Multiple ciphers must be comma-separated. 226Multiple ciphers must be comma-separated.
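Review bot: the %h token sits uneasily with the ownership requirement stated a few lines earlier. The path and all its components must be root-owned and not writable by any other user or group, yet a user's home directory is normally owned and writable by that user, so a bare `ChrootDirectory %h` will be rejected unless home directories are restructured (for example a root-owned home containing a user-writable subdirectory). A sentence after the token list saying so would save administrators a confusing failure. The text also says the path "must" meet these conditions but not what happens when it does not; stating the consequence (is the login refused?) would help, since the check is the whole point of the restriction.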
@@ -284,7 +333,9 @@ for more information on patterns.
284.It Cm ForceCommand 333.It Cm ForceCommand
285Forces the execution of the command specified by 334Forces the execution of the command specified by
286.Cm ForceCommand , 335.Cm ForceCommand ,
287ignoring any command supplied by the client. 336ignoring any command supplied by the client and
337.Pa ~/.ssh/rc
338if present.
288The command is invoked by using the user's login shell with the -c option. 339The command is invoked by using the user's login shell with the -c option.
289This applies to shell, command, or subsystem execution. 340This applies to shell, command, or subsystem execution.
290It is most useful inside a 341It is most useful inside a
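Review bot: "ignoring any command supplied by the client and .Pa ~/.ssh/rc if present" reads as though ~/.ssh/rc were a second command; consider "ignoring any command supplied by the client and skipping .Pa ~/.ssh/rc if present". A short motivation would also help the reader, since ~/.ssh/rc is under the user's control and running it before a forced command would defeat the restriction the administrator is trying to impose.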
@@ -293,6 +344,11 @@ block.
293The command originally supplied by the client is available in the 344The command originally supplied by the client is available in the
294.Ev SSH_ORIGINAL_COMMAND 345.Ev SSH_ORIGINAL_COMMAND
295environment variable. 346environment variable.
347Specifying a command of
348.Dq internal-sftp
349will force the use of an in-process sftp server that requires no support
350files when used with
351.Cm ChrootDirectory .
296.It Cm GatewayPorts 352.It Cm GatewayPorts
297Specifies whether remote hosts are allowed to connect to ports 353Specifies whether remote hosts are allowed to connect to ports
298forwarded for the client. 354forwarded for the client.
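Review bot: this is the third place (after ChrootDirectory and Subsystem) that describes the in-process sftp server. The ChrootDirectory text points the reader at "(see .Cm Subsystem for details)"; add the same cross-reference here so the three descriptions stay consistent and the reader finds the authoritative one.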
@@ -501,6 +557,7 @@ line are satisfied, the keywords on the following lines override those
501set in the global section of the config file, until either another 557set in the global section of the config file, until either another
502.Cm Match 558.Cm Match
503line or the end of the file. 559line or the end of the file.
560.Pp
504The arguments to 561The arguments to
505.Cm Match 562.Cm Match
506are one or more criteria-pattern pairs. 563are one or more criteria-pattern pairs.
@@ -510,19 +567,46 @@ The available criteria are
510.Cm Host , 567.Cm Host ,
511and 568and
512.Cm Address . 569.Cm Address .
570The match patterns may consist of single entries or comma-separated
571lists and may use the wildcard and negation operators described in the
572.Sx PATTERNS
573section of
574.Xr ssh_config 5 .
575.Pp
576The patterns in an
577.Cm Address
578criteria may additionally contain addresses to match in CIDR
579address/masklen format, e.g.\&
580.Dq 192.0.2.0/24
581or
582.Dq 3ffe:ffff::/32 .
583Note that the mask length provided must be consistent with the address -
584it is an error to specify a mask length that is too long for the address
585or one with bits set in this host portion of the address.
586For example,
587.Dq 192.0.2.0/33
588and
589.Dq 192.0.2.0/8
590respectively.
591.Pp
513Only a subset of keywords may be used on the lines following a 592Only a subset of keywords may be used on the lines following a
514.Cm Match 593.Cm Match
515keyword. 594keyword.
516Available keywords are 595Available keywords are
517.Cm AllowTcpForwarding , 596.Cm AllowTcpForwarding ,
518.Cm Banner , 597.Cm Banner ,
598.Cm ChrootDirectory ,
519.Cm ForceCommand , 599.Cm ForceCommand ,
520.Cm GatewayPorts , 600.Cm GatewayPorts ,
521.Cm GSSApiAuthentication , 601.Cm GSSAPIAuthentication ,
602.Cm HostbasedAuthentication ,
522.Cm KbdInteractiveAuthentication , 603.Cm KbdInteractiveAuthentication ,
523.Cm KerberosAuthentication , 604.Cm KerberosAuthentication ,
605.Cm MaxAuthTries ,
606.Cm MaxSessions ,
524.Cm PasswordAuthentication , 607.Cm PasswordAuthentication ,
525.Cm PermitOpen , 608.Cm PermitOpen ,
609.Cm PermitRootLogin ,
526.Cm RhostsRSAAuthentication , 610.Cm RhostsRSAAuthentication ,
527.Cm RSAAuthentication , 611.Cm RSAAuthentication ,
528.Cm X11DisplayOffset , 612.Cm X11DisplayOffset ,
@@ -535,6 +619,9 @@ connection.
535Once the number of failures reaches half this value, 619Once the number of failures reaches half this value,
536additional failures are logged. 620additional failures are logged.
537The default is 6. 621The default is 6.
622.It Cm MaxSessions
623Specifies the maximum number of open sessions permitted per network connection.
624The default is 10.
538.It Cm MaxStartups 625.It Cm MaxStartups
539Specifies the maximum number of concurrent unauthenticated connections to the 626Specifies the maximum number of concurrent unauthenticated connections to the
540SSH daemon. 627SSH daemon.
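Review bot: MaxSessions gives only the default. Say whether 0 is accepted and what it means (no shell, command or subsystem sessions at all, leaving forwarding-only connections?), since this keyword is also added to the Match list and an administrator restricting a group would want to know. It would also help to say that "per network connection" bounds the sessions a client multiplexes over one connection, as that is what distinguishes it from MaxStartups.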
@@ -724,7 +811,7 @@ The default is
724This option applies to protocol version 1 only. 811This option applies to protocol version 1 only.
725.It Cm ServerKeyBits 812.It Cm ServerKeyBits
726Defines the number of bits in the ephemeral protocol version 1 server key. 813Defines the number of bits in the ephemeral protocol version 1 server key.
727The minimum value is 512, and the default is 768. 814The minimum value is 512, and the default is 1024.
728.It Cm StrictModes 815.It Cm StrictModes
729Specifies whether 816Specifies whether
730.Xr sshd 8 817.Xr sshd 8
@@ -738,11 +825,22 @@ The default is
738Configures an external subsystem (e.g. file transfer daemon). 825Configures an external subsystem (e.g. file transfer daemon).
739Arguments should be a subsystem name and a command (with optional arguments) 826Arguments should be a subsystem name and a command (with optional arguments)
740to execute upon subsystem request. 827to execute upon subsystem request.
828.Pp
741The command 829The command
742.Xr sftp-server 8 830.Xr sftp-server 8
743implements the 831implements the
744.Dq sftp 832.Dq sftp
745file transfer subsystem. 833file transfer subsystem.
834.Pp
835Alternately the name
836.Dq internal-sftp
837implements an in-process
838.Dq sftp
839server.
840This may simplify configurations using
841.Cm ChrootDirectory
842to force a different filesystem root on clients.
843.Pp
746By default no subsystems are defined. 844By default no subsystems are defined.
747Note that this option applies to protocol version 2 only. 845Note that this option applies to protocol version 2 only.
748.It Cm SyslogFacility 846.It Cm SyslogFacility
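Review bot: "to force a different filesystem root on clients" is imprecise: the chroot applies to the server-side session, not to the client. Suggest "to confine sftp sessions to a different filesystem root". Since internal-sftp is described as a name rather than a command, it is also worth stating whether any arguments following it are accepted or ignored, whichever the code does.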