Diffstat (limited to 'sshd_config.5')
-rw-r--r--  sshd_config.5  82
1 files changed, 78 insertions, 4 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index de2b776fd..251d847fd 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
37.Dd $Mdocdate: June 29 2012 $ 37.Dd $Mdocdate: February 6 2013 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -151,6 +151,19 @@ in
151for more information on patterns. 151for more information on patterns.
152.It Cm AllowTcpForwarding 152.It Cm AllowTcpForwarding
153Specifies whether TCP forwarding is permitted. 153Specifies whether TCP forwarding is permitted.
154The available options are
155.Dq yes
156or
157.Dq all
158to allow TCP forwarding,
159.Dq no
160to prevent all TCP forwarding,
161.Dq local
162to allow local (from the perspective of
163.Xr ssh 1 )
164forwarding only or
165.Dq remote
166to allow remote forwarding only.
154The default is 167The default is
155.Dq yes . 168.Dq yes .
156Note that disabling TCP forwarding does not improve security unless 169Note that disabling TCP forwarding does not improve security unless
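Review bot: the new value descriptions at lines 154-166 of the new file never tie "local" and "remote" to the concrete ssh(1) requests they govern, and the parenthetical "(from the perspective of ssh 1)" still leaves an administrator guessing which side is meant. Suggest stating directly that "local" permits forwarding requested with ssh -L while "remote" permits forwarding requested with ssh -R, and adding that the retained caution on line 169 (disabling forwarding does not improve security unless shell access is also denied) applies equally to the new partial settings, since a user with a shell can still relay traffic by other means.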
@@ -178,6 +191,45 @@ See
178in 191in
179.Xr ssh_config 5 192.Xr ssh_config 5
180for more information on patterns. 193for more information on patterns.
194.It Cm AuthenticationMethods
195Specifies the authentication methods that must be successfully completed
196for a user to be granted access.
197This option must be followed by one or more comma-separated lists of
198authentication method names.
199Successful authentication requires completion of every method in at least
200one of these lists.
201.Pp
202For example, an argument of
203.Dq publickey,password publickey,keyboard-interactive
204would require the user to complete public key authentication, followed by
205either password or keyboard interactive authentication.
206Only methods that are next in one or more lists are offered at each stage,
207so for this example, it would not be possible to attempt password or
208keyboard-interactive authentication before public key.
209.Pp
210This option is only available for SSH protocol 2 and will yield a fatal
211error if enabled if protocol 1 is also enabled.
212Note that each authentication method listed should also be explicitly enabled
213in the configuration.
214The default is not to require multiple authentication; successful completion
215of a single authentication method is sufficient.
216.It Cm AuthorizedKeysCommand
217Specifies a program to be used to look up the user's public keys.
218The program will be invoked with a single argument of the username
219being authenticated, and should produce on standard output zero or
220more lines of authorized_keys output (see
221.Sx AUTHORIZED_KEYS
222in
223.Xr sshd 8 ) .
224If a key supplied by AuthorizedKeysCommand does not successfully authenticate
225and authorize the user then public key authentication continues using the usual
226.Cm AuthorizedKeysFile
227files.
228By default, no AuthorizedKeysCommand is run.
229.It Cm AuthorizedKeysCommandUser
230Specifies the user under whose account the AuthorizedKeysCommand is run.
231It is recommended to use a dedicated user that has no other role on the host
232than running authorized keys commands.
181.It Cm AuthorizedKeysFile 233.It Cm AuthorizedKeysFile
182Specifies the file that contains the public keys that can be used 234Specifies the file that contains the public keys that can be used
183for user authentication. 235for user authentication.
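Review bot: the AuthorizedKeysCommand entry at lines 216-228 states no constraints on the program itself (whether the path must be absolute, what ownership and permission checks sshd performs on it before executing it) and does not say what sshd does when AuthorizedKeysCommand is set but AuthorizedKeysCommandUser is not. Because this program runs on every public-key attempt, before any authentication has succeeded, with a username chosen by the not-yet-authenticated client as its only argument, those rules need to be spelled out here, and the advice on line 231 to use a dedicated user reads better once that context is given. Wording: "will yield a fatal error if enabled if protocol 1 is also enabled" (lines 210-211) should be "will yield a fatal error if it is enabled while protocol 1 is also enabled", and "not to require multiple authentication" (line 214) should be "not to require multiple authentication methods".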
@@ -310,6 +362,8 @@ The supported ciphers are
310.Dq aes128-ctr , 362.Dq aes128-ctr ,
311.Dq aes192-ctr , 363.Dq aes192-ctr ,
312.Dq aes256-ctr , 364.Dq aes256-ctr ,
365.Dq aes128-gcm@openssh.com ,
366.Dq aes256-gcm@openssh.com ,
313.Dq arcfour128 , 367.Dq arcfour128 ,
314.Dq arcfour256 , 368.Dq arcfour256 ,
315.Dq arcfour , 369.Dq arcfour ,
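Review bot: the two ciphers added at lines 365-366 are AEAD modes that produce their own integrity tag, so the MACs keyword has no effect once one of them is negotiated. Nothing in this list, or in the MACs entry later in the file, tells the reader that; an administrator who pins a restrictive MACs line should not assume it is applied alongside aes128-gcm@openssh.com or aes256-gcm@openssh.com. Suggest one sentence here (or under MACs) saying that these ciphers provide integrity protection themselves and that the MAC list is not consulted for them.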
@@ -319,6 +373,7 @@ and
319The default is: 373The default is:
320.Bd -literal -offset 3n 374.Bd -literal -offset 3n
321aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, 375aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
376aes128-gcm@openssh.com,aes256-gcm@openssh.com,
322aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, 377aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
323aes256-cbc,arcfour 378aes256-cbc,arcfour
324.Ed 379.Ed
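Review bot: the line inserted at 376 places aes128-gcm@openssh.com and aes256-gcm@openssh.com after arcfour256 and arcfour128 in the documented default. The default list is what administrators copy and prune when writing their own Ciphers line, and showing the RC4 ciphers ahead of the new AEAD ciphers reads as an endorsement of that order. If the order is meant to mirror the compiled-in default, the text should say so and the RC4 placement deserves a second look; if the new line was simply appended after the wrong entry, it belongs before arcfour256.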
@@ -713,9 +768,18 @@ Specifies the available MAC (message authentication code) algorithms.
713The MAC algorithm is used in protocol version 2 768The MAC algorithm is used in protocol version 2
714for data integrity protection. 769for data integrity protection.
715Multiple algorithms must be comma-separated. 770Multiple algorithms must be comma-separated.
771The algorithms that contain
772.Dq -etm
773calculate the MAC after encryption (encrypt-then-mac).
774These are considered safer and their use recommended.
716The default is: 775The default is:
717.Bd -literal -offset indent 776.Bd -literal -offset indent
718hmac-md5,hmac-sha1,umac-64@openssh.com, 777hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
778umac-64-etm@openssh.com,umac-128-etm@openssh.com,
779hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
780hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
781hmac-md5-96-etm@openssh.com,
782hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
719hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, 783hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
720hmac-sha1-96,hmac-md5-96 784hmac-sha1-96,hmac-md5-96
721.Ed 785.Ed
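Review bot: "These are considered safer and their use recommended" (line 774) credits the -etm construction, but the new default on lines 777-781 then leads with hmac-md5-etm@openssh.com and also lists the truncated hmac-sha1-96-etm and hmac-md5-96-etm variants. Encrypt-then-MAC fixes the order of operations, not the weakness of the underlying hash or of a 96-bit tag, so the sentence should be qualified (for example "safer than the corresponding encrypt-and-MAC variants of the same algorithm") and should say that the choice of hash still matters, so nobody reads hmac-md5-etm as a recommended setting. Grammar: "their use recommended" should be "their use is recommended".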
@@ -770,6 +834,9 @@ Available keywords are
770.Cm AllowGroups , 834.Cm AllowGroups ,
771.Cm AllowTcpForwarding , 835.Cm AllowTcpForwarding ,
772.Cm AllowUsers , 836.Cm AllowUsers ,
837.Cm AuthenticationMethods ,
838.Cm AuthorizedKeysCommand ,
839.Cm AuthorizedKeysCommandUser ,
773.Cm AuthorizedKeysFile , 840.Cm AuthorizedKeysFile ,
774.Cm AuthorizedPrincipalsFile , 841.Cm AuthorizedPrincipalsFile ,
775.Cm Banner , 842.Cm Banner ,
@@ -1000,10 +1067,17 @@ The default is
1000.Dq yes . 1067.Dq yes .
1001Note that this option applies to protocol version 2 only. 1068Note that this option applies to protocol version 2 only.
1002.It Cm RevokedKeys 1069.It Cm RevokedKeys
1003Specifies a list of revoked public keys. 1070Specifies revoked public keys.
1004Keys listed in this file will be refused for public key authentication. 1071Keys listed in this file will be refused for public key authentication.
1005Note that if this file is not readable, then public key authentication will 1072Note that if this file is not readable, then public key authentication will
1006be refused for all users. 1073be refused for all users.
1074Keys may be specified as a text file, listing one public key per line, or as
1075an OpenSSH Key Revocation List (KRL) as generated by
1076.Xr ssh-keygen 1 .
1077For more information on KRLs, see the
1078.Sx KEY REVOCATION LISTS
1079section in
1080.Xr ssh-keygen 1 .
1007.It Cm RhostsRSAAuthentication 1081.It Cm RhostsRSAAuthentication
1008Specifies whether rhosts or /etc/hosts.equiv authentication together 1082Specifies whether rhosts or /etc/hosts.equiv authentication together
1009with successful RSA host authentication is allowed. 1083with successful RSA host authentication is allowed.
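Review bot: the retained sentence on lines 1072-1073 covers only an unreadable file, while the new text on lines 1074-1080 introduces a second on-disk format. The entry should state whether a file that is readable but cannot be parsed as either a list of public keys or as a KRL is treated the same way (public key authentication refused for all users), because a revocation list that is silently ignored is the worst failure mode this option can have. A short pointer that ssh-keygen -k produces a KRL and ssh-keygen -Q checks a key against one would also help, since the text only names the KEY REVOCATION LISTS section.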