Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 121 |
1 files changed, 87 insertions, 34 deletions
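--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,13 +33,13 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
-.Dd $Mdocdate: September 6 2019 $
+.\" $OpenBSD: sshd_config.5,v 1.307 2020/02/07 03:54:44 dtucker Exp $
+.Dd $Mdocdate: February 7 2020 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
 .Nm sshd_config
-.Nd OpenSSH SSH daemon configuration file
+.Nd OpenSSH daemon configuration file
 .Sh DESCRIPTION
 .Xr sshd 8
 reads configuration data from
@@ -113,11 +113,8 @@ If specified, login is allowed only for users whose primary
 group or supplementary group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
+The allow/deny groups directives are processed in the following order:
 .Cm DenyGroups ,
-and finally
 .Cm AllowGroups .
 .Pp
 See PATTERNS in
@@ -173,12 +170,9 @@ are separately checked, restricting logins to particular
 users from particular hosts.
 HOST criteria may additionally contain addresses to match in CIDR
 address/masklen format.
-The allow/deny directives are processed in the following order:
+The allow/deny users directives are processed in the following order:
 .Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
+.Cm AllowUsers .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5
@@ -525,6 +519,9 @@ is set to 15, and
 .Cm ClientAliveCountMax
 is left at the default, unresponsive SSH clients
 will be disconnected after approximately 45 seconds.
+Setting a zero
+.Cm ClientAliveCountMax
+disables connection termination.
 .It Cm ClientAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the client,
@@ -552,11 +549,8 @@ Login is disallowed for users whose primary group or supplementary
 group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
+The allow/deny groups directives are processed in the following order:
 .Cm DenyGroups ,
-and finally
 .Cm AllowGroups .
 .Pp
 See PATTERNS in
@@ -573,12 +567,9 @@ are separately checked, restricting logins to particular
 users from particular hosts.
 HOST criteria may additionally contain addresses to match in CIDR
 address/masklen format.
-The allow/deny directives are processed in the following order:
+The allow/deny users directives are processed in the following order:
 .Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
+.Cm AllowUsers .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5
@@ -689,15 +680,20 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+sk-ssh-ed25519-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,
+rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256@openssh.com,
+ssh-ed25519,sk-ssh-ed25519@openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
-.Qq ssh -Q key .
+.Qq ssh -Q HostbasedAcceptedKeyTypes .
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
@@ -767,15 +763,20 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+sk-ssh-ed25519-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,
+rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256@openssh.com,
+ssh-ed25519,sk-ssh-ed25519@openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
-.Qq ssh -Q key .
+.Qq ssh -Q HostKeyAlgorithms .
 .It Cm IgnoreRhosts
 Specifies that
 .Pa .rhosts
@@ -800,7 +801,20 @@ during
 and use only the system-wide known hosts file
 .Pa /etc/ssh/known_hosts .
 The default is
-.Cm no .
+.Dq no .
+.It Cm Include
+Include the specified configuration file(s).
+Multiple pathnames may be specified and each pathname may contain
+.Xr glob 7
+wildcards.
+Files without absolute paths are assumed to be in
+.Pa /etc/ssh .
+An
+.Cm Include
+directive may appear inside a
+.Cm Match
+block
+to perform conditional inclusion.
 .It Cm IPQoS
 Specifies the IPv4 type-of-service or DSCP class for the connection.
 Accepted values are
@@ -825,6 +839,7 @@ Accepted values are
 .Cm cs6 ,
 .Cm cs7 ,
 .Cm ef ,
+.Cm le ,
 .Cm lowdelay ,
 .Cm throughput ,
 .Cm reliability ,
@@ -920,6 +935,8 @@ ecdh-sha2-nistp256
 ecdh-sha2-nistp384
 .It
 ecdh-sha2-nistp521
+.It
+sntrup4591761x25519-sha512@tinyssh.org
 .El
 .Pp
 The default is:
@@ -928,11 +945,11 @@ curve25519-sha256,curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+diffie-hellman-group14-sha256
 .Ed
 .Pp
 The list of available key exchange algorithms may also be obtained using
-.Qq ssh -Q kex .
+.Qq ssh -Q KexAlgorithms .
 .It Cm ListenAddress
 Specifies the local addresses
 .Xr sshd 8
@@ -1145,6 +1162,7 @@ Available keywords are
 .Cm HostbasedAcceptedKeyTypes ,
 .Cm HostbasedAuthentication ,
 .Cm HostbasedUsesNameFromPacketOnly ,
+.Cm Include ,
 .Cm IPQoS ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
@@ -1287,7 +1305,9 @@ An argument of
 can be used to prohibit all forwarding requests.
 The wildcard
 .Sq *
-can be used for host or port to allow all hosts or ports, respectively.
+can be used for host or port to allow all hosts or ports respectively.
+Otherwise, no pattern matching or address lookups are performed on supplied
+names.
 By default all port forwarding requests are permitted.
 .It Cm PermitRootLogin
 Specifies whether root can log in using
@@ -1428,15 +1448,44 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+sk-ssh-ed25519-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,
+rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256@openssh.com,
+ssh-ed25519,sk-ssh-ed25519@openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
-.Qq ssh -Q key .
+.Qq ssh -Q PubkeyAcceptedKeyTypes .
+.It Cm PubkeyAuthOptions
+Sets one or more public key authentication options.
+Two option keywords are currently supported:
+.Cm none
+(the default; indicating no additional options are enabled)
+and
+.Cm touch-required .
+.Pp
+The
+.Cm touch-required
+option causes public key authentication using a FIDO authenticator algorithm
+(i.e.\&
+.Cm ecdsa-sk
+or
+.Cm ed25519-sk )
+to always require the signature to attest that a physically present user
+explicitly confirmed the authentication (usually by touching the authenticator).
+By default,
+.Xr sshd 8
+requires user presence unless overridden with an authorized_keys option.
+The
+.Cm touch-required
+flag disables this override.
+This option has no effect for other, non-authenticator public key types.
 .It Cm PubkeyAuthentication
 Specifies whether public key authentication is allowed.
 The default is
@@ -1487,6 +1536,10 @@ will be bound to this
 If the routing domain is set to
 .Cm \&%D ,
 then the domain in which the incoming connection was received will be applied.
+.It Cm SecurityKeyProvider
+Specifies a path to a library that will be used when loading
+FIDO authenticator-hosted keys, overriding the default of using
+the built-in USB HID support.
 .It Cm SetEnv
 Specifies one or more environment variables to set in child sessions started
 by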