Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 112 |
1 files changed, 105 insertions, 7 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 7882f8bcf..7255b1c22 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $ |
38 | .Dd $Mdocdate: June 11 2007 $ | 38 | .Dd $Mdocdate: July 2 2008 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -95,6 +95,15 @@ Valid arguments are | |||
95 | (use IPv6 only). | 95 | (use IPv6 only). |
96 | The default is | 96 | The default is |
97 | .Dq any . | 97 | .Dq any . |
98 | .It Cm AllowAgentForwarding | ||
99 | Specifies whether | ||
100 | .Xr ssh-agent 1 | ||
101 | forwarding is permitted. | ||
102 | The default is | ||
103 | .Dq yes . | ||
104 | Note that disabling agent forwarding does not improve security | ||
105 | unless users are also denied shell access, as they can always install | ||
106 | their own forwarders. | ||
98 | .It Cm AllowGroups | 107 | .It Cm AllowGroups |
99 | This keyword can be followed by a list of group name patterns, separated | 108 | This keyword can be followed by a list of group name patterns, separated |
100 | by spaces. | 109 | by spaces. |
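Review bot: the new AllowAgentForwarding entry (new-file lines 98-106) is not added to the list of keywords permitted after Match that this same commit extends in a later hunk; if the option is intended to be settable per Match block (as AllowTcpForwarding already is), it should be listed there, and if not, a short note that it is global only would save readers from trying it. The caveat that disabling forwarding does not help unless shell access is also denied is a useful addition and should stay.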
@@ -159,10 +168,11 @@ directory. | |||
159 | The default is | 168 | The default is |
160 | .Dq .ssh/authorized_keys . | 169 | .Dq .ssh/authorized_keys . |
161 | .It Cm Banner | 170 | .It Cm Banner |
162 | In some jurisdictions, sending a warning message before authentication | ||
163 | may be relevant for getting legal protection. | ||
164 | The contents of the specified file are sent to the remote user before | 171 | The contents of the specified file are sent to the remote user before |
165 | authentication is allowed. | 172 | authentication is allowed. |
173 | If the argument is | ||
174 | .Dq none | ||
175 | then no banner is displayed. | ||
166 | This option is only available for protocol version 2. | 176 | This option is only available for protocol version 2. |
167 | By default, no banner is displayed. | 177 | By default, no banner is displayed. |
168 | .It Cm ChallengeResponseAuthentication | 178 | .It Cm ChallengeResponseAuthentication |
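Review bot: the inserted text at new-file lines 173-175 ("If the argument is none then no banner is displayed") and the retained line 177 ("By default, no banner is displayed") now state the same thing twice. Suggest replacing the last line with "The default is .Dq none ." so the entry follows the phrasing used elsewhere in this page, e.g. AddressFamily's "The default is .Dq any ." The removal of the jurisdiction sentence drops the only explanation of why one would set a Banner; if that was deliberate, consider keeping a single clause such as "typically used to display a legal warning" so the option still has stated purpose.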
@@ -172,6 +182,45 @@ All authentication styles from | |||
172 | are supported. | 182 | are supported. |
173 | The default is | 183 | The default is |
174 | .Dq yes . | 184 | .Dq yes . |
185 | .It Cm ChrootDirectory | ||
186 | Specifies a path to | ||
187 | .Xr chroot 2 | ||
188 | to after authentication. | ||
189 | This path, and all its components, must be root-owned directories that are | ||
190 | not writable by any other user or group. | ||
191 | .Pp | ||
192 | The path may contain the following tokens that are expanded at runtime once | ||
193 | the connecting user has been authenticated: %% is replaced by a literal '%', | ||
194 | %h is replaced by the home directory of the user being authenticated, and | ||
195 | %u is replaced by the username of that user. | ||
196 | .Pp | ||
197 | The | ||
198 | .Cm ChrootDirectory | ||
199 | must contain the necessary files and directories to support the | ||
200 | users' session. | ||
201 | For an interactive session this requires at least a shell, typically | ||
202 | .Xr sh 1 , | ||
203 | and basic | ||
204 | .Pa /dev | ||
205 | nodes such as | ||
206 | .Xr null 4 , | ||
207 | .Xr zero 4 , | ||
208 | .Xr stdin 4 , | ||
209 | .Xr stdout 4 , | ||
210 | .Xr stderr 4 , | ||
211 | .Xr arandom 4 | ||
212 | and | ||
213 | .Xr tty 4 | ||
214 | devices. | ||
215 | For file transfer sessions using | ||
216 | .Dq sftp , | ||
217 | no additional configuration of the environment is necessary if the | ||
218 | in-process sftp server is used (see | ||
219 | .Cm Subsystem | ||
220 | for details). | ||
221 | .Pp | ||
222 | The default is not to | ||
223 | .Xr chroot 2 . | ||
175 | .It Cm Ciphers | 224 | .It Cm Ciphers |
176 | Specifies the ciphers allowed for protocol version 2. | 225 | Specifies the ciphers allowed for protocol version 2. |
177 | Multiple ciphers must be comma-separated. | 226 | Multiple ciphers must be comma-separated. |
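Review bot: the ownership rule at new-file lines 189-190 (the path and every component must be root-owned and not writable by any other user or group) interacts with the %h token at line 194 in a way the text should spell out: when ChrootDirectory expands to the user's home directory, that home directory itself must be root-owned and not writable by the user, so the user can only write inside subdirectories created for that purpose. Suggest adding a sentence after the token list, since the %h case is exactly where readers will expect the usual home-directory permissions to work. Separately, line 211 lists arandom(4) among the device nodes; that is correct for OpenBSD, but the portable version of this page may want random(4) and urandom(4) mentioned instead.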
@@ -284,7 +333,9 @@ for more information on patterns. | |||
284 | .It Cm ForceCommand | 333 | .It Cm ForceCommand |
285 | Forces the execution of the command specified by | 334 | Forces the execution of the command specified by |
286 | .Cm ForceCommand , | 335 | .Cm ForceCommand , |
287 | ignoring any command supplied by the client. | 336 | ignoring any command supplied by the client and |
337 | .Pa ~/.ssh/rc | ||
338 | if present. | ||
288 | The command is invoked by using the user's login shell with the -c option. | 339 | The command is invoked by using the user's login shell with the -c option. |
289 | This applies to shell, command, or subsystem execution. | 340 | This applies to shell, command, or subsystem execution. |
290 | It is most useful inside a | 341 | It is most useful inside a |
@@ -293,6 +344,11 @@ block. | |||
293 | The command originally supplied by the client is available in the | 344 | The command originally supplied by the client is available in the |
294 | .Ev SSH_ORIGINAL_COMMAND | 345 | .Ev SSH_ORIGINAL_COMMAND |
295 | environment variable. | 346 | environment variable. |
347 | Specifying a command of | ||
348 | .Dq internal-sftp | ||
349 | will force the use of an in-process sftp server that requires no support | ||
350 | files when used with | ||
351 | .Cm ChrootDirectory . | ||
296 | .It Cm GatewayPorts | 352 | .It Cm GatewayPorts |
297 | Specifies whether remote hosts are allowed to connect to ports | 353 | Specifies whether remote hosts are allowed to connect to ports |
298 | forwarded for the client. | 354 | forwarded for the client. |
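Review bot: the new internal-sftp paragraph at new-file lines 347-351 conflicts with the retained line 339, which says the forced command is always invoked via the user's login shell with -c. An in-process sftp server that "requires no support files" inside a ChrootDirectory cannot be going through a shell in that chroot, so line 339 should be qualified (e.g. "Except for .Dq internal-sftp , the command is invoked ...") or the new paragraph should state explicitly that no shell is executed in this case. A cross-reference to the Subsystem entry, which this commit also extends with the same name, would avoid readers finding only one of the two descriptions.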
@@ -501,6 +557,7 @@ line are satisfied, the keywords on the following lines override those | |||
501 | set in the global section of the config file, until either another | 557 | set in the global section of the config file, until either another |
502 | .Cm Match | 558 | .Cm Match |
503 | line or the end of the file. | 559 | line or the end of the file. |
560 | .Pp | ||
504 | The arguments to | 561 | The arguments to |
505 | .Cm Match | 562 | .Cm Match |
506 | are one or more criteria-pattern pairs. | 563 | are one or more criteria-pattern pairs. |
@@ -510,19 +567,46 @@ The available criteria are | |||
510 | .Cm Host , | 567 | .Cm Host , |
511 | and | 568 | and |
512 | .Cm Address . | 569 | .Cm Address . |
570 | The match patterns may consist of single entries or comma-separated | ||
571 | lists and may use the wildcard and negation operators described in the | ||
572 | .Sx PATTERNS | ||
573 | section of | ||
574 | .Xr ssh_config 5 . | ||
575 | .Pp | ||
576 | The patterns in an | ||
577 | .Cm Address | ||
578 | criteria may additionally contain addresses to match in CIDR | ||
579 | address/masklen format, e.g.\& | ||
580 | .Dq 192.0.2.0/24 | ||
581 | or | ||
582 | .Dq 3ffe:ffff::/32 . | ||
583 | Note that the mask length provided must be consistent with the address - | ||
584 | it is an error to specify a mask length that is too long for the address | ||
585 | or one with bits set in this host portion of the address. | ||
586 | For example, | ||
587 | .Dq 192.0.2.0/33 | ||
588 | and | ||
589 | .Dq 192.0.2.0/8 | ||
590 | respectively. | ||
591 | .Pp | ||
513 | Only a subset of keywords may be used on the lines following a | 592 | Only a subset of keywords may be used on the lines following a |
514 | .Cm Match | 593 | .Cm Match |
515 | keyword. | 594 | keyword. |
516 | Available keywords are | 595 | Available keywords are |
517 | .Cm AllowTcpForwarding , | 596 | .Cm AllowTcpForwarding , |
518 | .Cm Banner , | 597 | .Cm Banner , |
598 | .Cm ChrootDirectory , | ||
519 | .Cm ForceCommand , | 599 | .Cm ForceCommand , |
520 | .Cm GatewayPorts , | 600 | .Cm GatewayPorts , |
521 | .Cm GSSApiAuthentication , | 601 | .Cm GSSAPIAuthentication , |
602 | .Cm HostbasedAuthentication , | ||
522 | .Cm KbdInteractiveAuthentication , | 603 | .Cm KbdInteractiveAuthentication , |
523 | .Cm KerberosAuthentication , | 604 | .Cm KerberosAuthentication , |
605 | .Cm MaxAuthTries , | ||
606 | .Cm MaxSessions , | ||
524 | .Cm PasswordAuthentication , | 607 | .Cm PasswordAuthentication , |
525 | .Cm PermitOpen , | 608 | .Cm PermitOpen , |
609 | .Cm PermitRootLogin , | ||
526 | .Cm RhostsRSAAuthentication , | 610 | .Cm RhostsRSAAuthentication , |
527 | .Cm RSAAuthentication , | 611 | .Cm RSAAuthentication , |
528 | .Cm X11DisplayOffset , | 612 | .Cm X11DisplayOffset , |
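Review bot: the example at new-file lines 586-590 is not a sentence: "For example, .Dq 192.0.2.0/33 and .Dq 192.0.2.0/8 respectively." has no verb, and the reader must guess which error each address illustrates. Suggest "For example, .Dq 192.0.2.0/33 and .Dq 192.0.2.0/8 are both errors, the first because the mask length exceeds 32 and the second because bits are set in the host portion." Line 585 should read "the host portion", not "this host portion". Minor: the IPv6 example 3ffe:ffff::/32 at line 582 is from the retired 6bone allocation; 2001:db8::/32 is the prefix reserved for documentation (RFC 3849) and would match the 192.0.2.0/24 documentation prefix already used for IPv4. The GSSApiAuthentication to GSSAPIAuthentication spelling fix at line 601 is correct.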
@@ -535,6 +619,9 @@ connection. | |||
535 | Once the number of failures reaches half this value, | 619 | Once the number of failures reaches half this value, |
536 | additional failures are logged. | 620 | additional failures are logged. |
537 | The default is 6. | 621 | The default is 6. |
622 | .It Cm MaxSessions | ||
623 | Specifies the maximum number of open sessions permitted per network connection. | ||
624 | The default is 10. | ||
538 | .It Cm MaxStartups | 625 | .It Cm MaxStartups |
539 | Specifies the maximum number of concurrent unauthenticated connections to the | 626 | Specifies the maximum number of concurrent unauthenticated connections to the |
540 | SSH daemon. | 627 | SSH daemon. |
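Review bot: the MaxSessions entry at new-file lines 622-624 gives a limit without saying what a "session" is or what happens when it is reached. Since the limit is per network connection, a sentence noting that it counts session channels multiplexed over one connection (shell, command and subsystem requests) and what the client observes when the limit is exceeded would make the option actionable for administrators tuning it; also state whether 0 is an accepted value and what it means, since the entry is silent on the lower bound.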
@@ -724,7 +811,7 @@ The default is | |||
724 | This option applies to protocol version 1 only. | 811 | This option applies to protocol version 1 only. |
725 | .It Cm ServerKeyBits | 812 | .It Cm ServerKeyBits |
726 | Defines the number of bits in the ephemeral protocol version 1 server key. | 813 | Defines the number of bits in the ephemeral protocol version 1 server key. |
727 | The minimum value is 512, and the default is 768. | 814 | The minimum value is 512, and the default is 1024. |
728 | .It Cm StrictModes | 815 | .It Cm StrictModes |
729 | Specifies whether | 816 | Specifies whether |
730 | .Xr sshd 8 | 817 | .Xr sshd 8 |
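Review bot: the ServerKeyBits default at new-file line 814 changes from 768 to 1024; make sure this manual change is paired with the matching change of the default in the server's option-parsing code (servconf.c) in the same commit, and confirm that the minimum of 512 on the same line is still what the code enforces, so the manual page and the daemon do not disagree.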
@@ -738,11 +825,22 @@ The default is | |||
738 | Configures an external subsystem (e.g. file transfer daemon). | 825 | Configures an external subsystem (e.g. file transfer daemon). |
739 | Arguments should be a subsystem name and a command (with optional arguments) | 826 | Arguments should be a subsystem name and a command (with optional arguments) |
740 | to execute upon subsystem request. | 827 | to execute upon subsystem request. |
828 | .Pp | ||
741 | The command | 829 | The command |
742 | .Xr sftp-server 8 | 830 | .Xr sftp-server 8 |
743 | implements the | 831 | implements the |
744 | .Dq sftp | 832 | .Dq sftp |
745 | file transfer subsystem. | 833 | file transfer subsystem. |
834 | .Pp | ||
835 | Alternately the name | ||
836 | .Dq internal-sftp | ||
837 | implements an in-process | ||
838 | .Dq sftp | ||
839 | server. | ||
840 | This may simplify configurations using | ||
841 | .Cm ChrootDirectory | ||
842 | to force a different filesystem root on clients. | ||
843 | .Pp | ||
746 | By default no subsystems are defined. | 844 | By default no subsystems are defined. |
747 | Note that this option applies to protocol version 2 only. | 845 | Note that this option applies to protocol version 2 only. |
748 | .It Cm SyslogFacility | 846 | .It Cm SyslogFacility |
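Review bot: "Alternately" at new-file line 835 should be "Alternatively", and "to force a different filesystem root on clients" at line 842 reads as though the client's root changes; "for the session" or "on the server side" is what is meant. Since the Subsystem entry only describes the argument form (a name and a command), showing the actual line, "Subsystem sftp internal-sftp", would make the new paragraph concrete, and it should state whether internal-sftp accepts the same options as sftp-server(8), because readers migrating an existing Subsystem line with arguments will need to know.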