Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 62 |
1 files changed, 54 insertions, 8 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index aa7b7c7d4..0944ba076 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.4 2002/06/22 16:45:29 stevesk Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -379,7 +379,7 @@ options must precede this option for non port qualified addresses. | |||
379 | The server disconnects after this time if the user has not | 379 | The server disconnects after this time if the user has not |
380 | successfully logged in. | 380 | successfully logged in. |
381 | If the value is 0, there is no time limit. | 381 | If the value is 0, there is no time limit. |
382 | The default is 600 (seconds). | 382 | The default is 120 seconds. |
383 | .It Cm LogLevel | 383 | .It Cm LogLevel |
384 | Gives the verbosity level that is used when logging messages from | 384 | Gives the verbosity level that is used when logging messages from |
385 | .Nm sshd . | 385 | .Nm sshd . |
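Review bot: the LoginGraceTime default changes from "600 (seconds)" to "120 seconds" in this hunk, but the diffstat shows only sshd_config.5 is touched, so nothing in this patch confirms that the server's compiled-in default (and the shipped sshd_config) actually use 120; please check that the documented value matches the code before merging, since a man page that disagrees with the real default is worse than an unchanged one. The new phrasing "120 seconds" is also an improvement over the old "600 (seconds)" and the surrounding text ("If the value is 0, there is no time limit.") still reads correctly with it.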
@@ -465,6 +465,20 @@ for root. | |||
465 | If this option is set to | 465 | If this option is set to |
466 | .Dq no | 466 | .Dq no |
467 | root is not allowed to login. | 467 | root is not allowed to login. |
468 | .It Cm PermitUserEnvironment | ||
469 | Specifies whether | ||
470 | .Pa ~/.ssh/environment | ||
471 | and | ||
472 | .Cm environment= | ||
473 | options in | ||
474 | .Pa ~/.ssh/authorized_keys | ||
475 | are processed by | ||
476 | .Nm sshd . | ||
477 | The default is | ||
478 | .Dq no . | ||
479 | Enabling environment processing may enable users to bypass access | ||
480 | restrictions in some configurations using mechanisms such as | ||
481 | .Ev LD_PRELOAD . | ||
468 | .It Cm PidFile | 482 | .It Cm PidFile |
469 | Specifies the file that contains the process ID of the | 483 | Specifies the file that contains the process ID of the |
470 | .Nm sshd | 484 | .Nm sshd |
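Review bot: the new PermitUserEnvironment entry never states the accepted argument values, unlike the X11Forwarding hunk further down which adds "The argument must be .Dq yes or .Dq no ."; add the same sentence here before "The default is .Dq no ." for consistency. The security note at the end is the right thing to have: it explains why the default is "no", namely that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys let a user inject variables such as LD_PRELOAD into the session and so defeat access restrictions an administrator placed on that key. Consider naming the restriction that is most affected so readers know what "access restrictions" refers to; the placement between PermitRootLogin and PidFile keeps the alphabetical order of the .It entries.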
@@ -499,7 +513,7 @@ The default is | |||
499 | .It Cm Protocol | 513 | .It Cm Protocol |
500 | Specifies the protocol versions | 514 | Specifies the protocol versions |
501 | .Nm sshd | 515 | .Nm sshd |
502 | should support. | 516 | supports. |
503 | The possible values are | 517 | The possible values are |
504 | .Dq 1 | 518 | .Dq 1 |
505 | and | 519 | and |
@@ -507,6 +521,13 @@ and | |||
507 | Multiple versions must be comma-separated. | 521 | Multiple versions must be comma-separated. |
508 | The default is | 522 | The default is |
509 | .Dq 2,1 . | 523 | .Dq 2,1 . |
524 | Note that the order of the protocol list does not indicate preference, | ||
525 | because the client selects among multiple protocol versions offered | ||
526 | by the server. | ||
527 | Specifying | ||
528 | .Dq 2,1 | ||
529 | is identical to | ||
530 | .Dq 1,2 . | ||
510 | .It Cm PubkeyAuthentication | 531 | .It Cm PubkeyAuthentication |
511 | Specifies whether public key authentication is allowed. | 532 | Specifies whether public key authentication is allowed. |
512 | The default is | 533 | The default is |
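Review bot: the added note that list order does not express preference is useful, but it stops one step short of the practical consequence: since the client picks among whatever the server offers and the default "2,1" keeps protocol 1 available, the only way to prevent a version from being used is to leave it out of the list entirely (for example "2" alone). One sentence to that effect after ".Dq 1,2 ." would save administrators from assuming that listing "2" first restricts anything.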
@@ -609,10 +630,35 @@ from interfering with real X11 servers. | |||
609 | The default is 10. | 630 | The default is 10. |
610 | .It Cm X11Forwarding | 631 | .It Cm X11Forwarding |
611 | Specifies whether X11 forwarding is permitted. | 632 | Specifies whether X11 forwarding is permitted. |
633 | The argument must be | ||
634 | .Dq yes | ||
635 | or | ||
636 | .Dq no . | ||
612 | The default is | 637 | The default is |
613 | .Dq no . | 638 | .Dq no . |
614 | Note that disabling X11 forwarding does not improve security in any | 639 | .Pp |
615 | way, as users can always install their own forwarders. | 640 | When X11 forwarding is enabled, there may be additional exposure to |
641 | the server and to client displays if the | ||
642 | .Nm sshd | ||
643 | proxy display is configured to listen on the wildcard address (see | ||
644 | .Cm X11UseLocalhost | ||
645 | below), however this is not the default. | ||
646 | Additionally, the authentication spoofing and authentication data | ||
647 | verification and substitution occur on the client side. | ||
648 | The security risk of using X11 forwarding is that the client's X11 | ||
649 | display server may be exposed to attack when the ssh client requests | ||
650 | forwarding (see the warnings for | ||
651 | .Cm ForwardX11 | ||
652 | in | ||
653 | .Xr ssh_config 5 ). | ||
654 | A system administrator may have a stance in which they want to | ||
655 | protect clients that may expose themselves to attack by unwittingly | ||
656 | requesting X11 forwarding, which can warrant a | ||
657 | .Dq no | ||
658 | setting. | ||
659 | .Pp | ||
660 | Note that disabling X11 forwarding does not prevent users from | ||
661 | forwarding X11 traffic, as users can always install their own forwarders. | ||
616 | X11 forwarding is automatically disabled if | 662 | X11 forwarding is automatically disabled if |
617 | .Cm UseLogin | 663 | .Cm UseLogin |
618 | is enabled. | 664 | is enabled. |
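Review bot: the sentence "proxy display is configured to listen on the wildcard address (see .Cm X11UseLocalhost below), however this is not the default." joins two independent clauses with "however"; split it at the comma ("... below). This is not the default.") so the mdoc output reads cleanly. The following sentence, "Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side.", is hard to parse because "spoofing" and "verification and substitution" are stacked without saying what they refer to; reword it to say that the xauth cookie spoofing and substitution that protect the real display are performed by the client, which is the point being made. The replacement of "does not improve security in any way" with "does not prevent users from forwarding X11 traffic" is a good correction, and the new cross-reference to .Cm ForwardX11 in .Xr ssh_config 5 is where the client-side warnings belong.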
@@ -627,7 +673,7 @@ hostname part of the | |||
627 | .Ev DISPLAY | 673 | .Ev DISPLAY |
628 | environment variable to | 674 | environment variable to |
629 | .Dq localhost . | 675 | .Dq localhost . |
630 | This prevents remote hosts from connecting to the fake display. | 676 | This prevents remote hosts from connecting to the proxy display. |
631 | However, some older X11 clients may not function with this | 677 | However, some older X11 clients may not function with this |
632 | configuration. | 678 | configuration. |
633 | .Cm X11UseLocalhost | 679 | .Cm X11UseLocalhost |
@@ -642,7 +688,7 @@ or | |||
642 | The default is | 688 | The default is |
643 | .Dq yes . | 689 | .Dq yes . |
644 | .It Cm XAuthLocation | 690 | .It Cm XAuthLocation |
645 | Specifies the location of the | 691 | Specifies the full pathname of the |
646 | .Xr xauth 1 | 692 | .Xr xauth 1 |
647 | program. | 693 | program. |
648 | The default is | 694 | The default is |
@@ -654,7 +700,7 @@ The default is | |||
654 | command-line arguments and configuration file options that specify time | 700 | command-line arguments and configuration file options that specify time |
655 | may be expressed using a sequence of the form: | 701 | may be expressed using a sequence of the form: |
656 | .Sm off | 702 | .Sm off |
657 | .Ar time Oo Ar qualifier Oc , | 703 | .Ar time Op Ar qualifier , |
658 | .Sm on | 704 | .Sm on |
659 | where | 705 | where |
660 | .Ar time | 706 | .Ar time |