Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 106 |
1 files changed, 91 insertions, 15 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 5ab431890..58e277f95 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.204 2015/06/05 03:44:14 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $ |
37 | .Dd $Mdocdate: June 5 2015 $ | 37 | .Dd $Mdocdate: August 6 2015 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -434,6 +434,11 @@ The default is not to | |||
434 | .It Cm Ciphers | 434 | .It Cm Ciphers |
435 | Specifies the ciphers allowed for protocol version 2. | 435 | Specifies the ciphers allowed for protocol version 2. |
436 | Multiple ciphers must be comma-separated. | 436 | Multiple ciphers must be comma-separated. |
437 | If the specified value begins with a | ||
438 | .Sq + | ||
439 | character, then the specified ciphers will be appended to the default set | ||
440 | instead of replacing them. | ||
441 | .Pp | ||
437 | The supported ciphers are: | 442 | The supported ciphers are: |
438 | .Pp | 443 | .Pp |
439 | .Bl -item -compact -offset indent | 444 | .Bl -item -compact -offset indent |
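Review bot: the new "+" paragraph for Ciphers (lines 437-441) uses "If the specified value begins with a", while the equivalent paragraphs added to HostbasedAcceptedKeyTypes, KexAlgorithms and PubkeyAcceptedKeyTypes in this same patch open with "Alternately if the specified value begins with a"; pick one phrasing and use it for all five options so readers can grep for it. It would also help to say explicitly that a "+" list widens the set the server will negotiate (the defaults remain enabled, the named ciphers are added), since that is the security-relevant consequence an administrator needs when deciding between "+cipher" and a full replacement list.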
@@ -640,9 +645,21 @@ The default is | |||
640 | .It Cm HostbasedAcceptedKeyTypes | 645 | .It Cm HostbasedAcceptedKeyTypes |
641 | Specifies the key types that will be accepted for hostbased authentication | 646 | Specifies the key types that will be accepted for hostbased authentication |
642 | as a comma-separated pattern list. | 647 | as a comma-separated pattern list. |
643 | The default | 648 | Alternately if the specified value begins with a |
644 | .Dq * | 649 | .Sq + |
645 | will allow all key types. | 650 | character, then the specified key types will be appended to the default set |
651 | instead of replacing them. | ||
652 | The default for this option is: | ||
653 | .Bd -literal -offset 3n | ||
654 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
655 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
656 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
657 | ssh-ed25519-cert-v01@openssh.com, | ||
658 | ssh-rsa-cert-v01@openssh.com, | ||
659 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
660 | ssh-ed25519,ssh-rsa | ||
661 | .Ed | ||
662 | .Pp | ||
646 | The | 663 | The |
647 | .Fl Q | 664 | .Fl Q |
648 | option of | 665 | option of |
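Review bot: the removed lines 643-645 documented that the default "*" allowed all key types; the replacement (lines 648-662) gives an explicit default list but no longer says that the value is still a pattern list in which "*" and "?" wildcards are honoured, so an administrator reading only this entry cannot tell whether "ssh-ed25519*" is a valid value. Keep one sentence to that effect ("The value is a pattern list; ... allows all key types") alongside the new default. Note also that the same eleven-entry default list is pasted verbatim here, under HostKeyAlgorithms and under PubkeyAcceptedKeyTypes; three copies will drift as key types are added or retired.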
@@ -694,9 +711,15 @@ for protocol version 1, and | |||
694 | and | 711 | and |
695 | .Pa /etc/ssh/ssh_host_rsa_key | 712 | .Pa /etc/ssh/ssh_host_rsa_key |
696 | for protocol version 2. | 713 | for protocol version 2. |
714 | .Pp | ||
697 | Note that | 715 | Note that |
698 | .Xr sshd 8 | 716 | .Xr sshd 8 |
699 | will refuse to use a file if it is group/world-accessible. | 717 | will refuse to use a file if it is group/world-accessible |
718 | and that the | ||
719 | .Cm HostKeyAlgorithms | ||
720 | option restricts which of the keys are actually used by | ||
721 | .Xr sshd 8 . | ||
722 | .Pp | ||
700 | It is possible to have multiple host key files. | 723 | It is possible to have multiple host key files. |
701 | .Dq rsa1 | 724 | .Dq rsa1 |
702 | keys are used for version 1 and | 725 | keys are used for version 1 and |
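Review bot: the added clause at lines 718-721 ("the HostKeyAlgorithms option restricts which of the keys are actually used") is a useful cross-reference, but it should state the practical consequence: a key file listed with HostKey whose type is not in HostKeyAlgorithms is loaded but never offered to clients, so a mismatch between the two options silently reduces the host keys available to the server. One sentence such as "A host key is only offered if its type is listed in HostKeyAlgorithms" would make the interaction explicit.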
@@ -718,6 +741,26 @@ If | |||
718 | is specified, the location of the socket will be read from the | 741 | is specified, the location of the socket will be read from the |
719 | .Ev SSH_AUTH_SOCK | 742 | .Ev SSH_AUTH_SOCK |
720 | environment variable. | 743 | environment variable. |
744 | .It Cm HostKeyAlgorithms | ||
745 | Specifies the protocol version 2 host key algorithms | ||
746 | that the server offers. | ||
747 | The default for this option is: | ||
748 | .Bd -literal -offset 3n | ||
749 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
750 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
751 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
752 | ssh-ed25519-cert-v01@openssh.com, | ||
753 | ssh-rsa-cert-v01@openssh.com, | ||
754 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
755 | ssh-ed25519,ssh-rsa | ||
756 | .Ed | ||
757 | .Pp | ||
758 | The list of available key types may also be obtained using the | ||
759 | .Fl Q | ||
760 | option of | ||
761 | .Xr ssh 1 | ||
762 | with an argument of | ||
763 | .Dq key . | ||
721 | .It Cm IgnoreRhosts | 764 | .It Cm IgnoreRhosts |
722 | Specifies that | 765 | Specifies that |
723 | .Pa .rhosts | 766 | .Pa .rhosts |
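Review bot: the new HostKeyAlgorithms entry (lines 744-763) describes the value only as "the protocol version 2 host key algorithms that the server offers" and gives a default, but unlike the Ciphers, KexAlgorithms and MACs entries in this patch it does not say whether the value is a comma-separated list, whether a leading "+" appends to the default set, or whether the list is a pattern list. Add the same "Multiple algorithms must be comma-separated" and "+" wording used for the other options (or state that "+" is not supported here) so the five algorithm-selection options are documented uniformly.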
@@ -821,6 +864,10 @@ The default is | |||
821 | .It Cm KexAlgorithms | 864 | .It Cm KexAlgorithms |
822 | Specifies the available KEX (Key Exchange) algorithms. | 865 | Specifies the available KEX (Key Exchange) algorithms. |
823 | Multiple algorithms must be comma-separated. | 866 | Multiple algorithms must be comma-separated. |
867 | Alternately if the specified value begins with a | ||
868 | .Sq + | ||
869 | character, then the specified methods will be appended to the default set | ||
870 | instead of replacing them. | ||
824 | The supported algorithms are: | 871 | The supported algorithms are: |
825 | .Pp | 872 | .Pp |
826 | .Bl -item -compact -offset indent | 873 | .Bl -item -compact -offset indent |
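Review bot: line 869 says "the specified methods will be appended", whereas the surrounding text and the other hunks use "algorithms" (and "ciphers" / "key types" where appropriate); use "algorithms" here to match line 866 and the MACs entry. The sentence is also worth tightening to "the specified algorithms are appended to the default set rather than replacing it" so that the singular/plural of "them" does not dangle.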
@@ -919,6 +966,11 @@ Specifies the available MAC (message authentication code) algorithms. | |||
919 | The MAC algorithm is used in protocol version 2 | 966 | The MAC algorithm is used in protocol version 2 |
920 | for data integrity protection. | 967 | for data integrity protection. |
921 | Multiple algorithms must be comma-separated. | 968 | Multiple algorithms must be comma-separated. |
969 | If the specified value begins with a | ||
970 | .Sq + | ||
971 | character, then the specified algorithms will be appended to the default set | ||
972 | instead of replacing them. | ||
973 | .Pp | ||
922 | The algorithms that contain | 974 | The algorithms that contain |
923 | .Dq -etm | 975 | .Dq -etm |
924 | calculate the MAC after encryption (encrypt-then-mac). | 976 | calculate the MAC after encryption (encrypt-then-mac). |
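Review bot: the MACs "+" paragraph (lines 969-973) is correct but, like the Ciphers one, it would benefit from noting that appending only widens the accepted set: in the SSH negotiation the first algorithm in the client's list that the server also supports is chosen, so an algorithm appended with "+" is just as negotiable as any default entry. Administrators who add a legacy MAC this way should understand they are enabling it for every client, not merely as a last-resort fallback.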
@@ -1152,16 +1204,19 @@ Specifies whether root can log in using | |||
1152 | .Xr ssh 1 . | 1204 | .Xr ssh 1 . |
1153 | The argument must be | 1205 | The argument must be |
1154 | .Dq yes , | 1206 | .Dq yes , |
1207 | .Dq prohibit-password , | ||
1155 | .Dq without-password , | 1208 | .Dq without-password , |
1156 | .Dq forced-commands-only , | 1209 | .Dq forced-commands-only , |
1157 | or | 1210 | or |
1158 | .Dq no . | 1211 | .Dq no . |
1159 | The default is | 1212 | The default is |
1160 | .Dq no . | 1213 | .Dq prohibit-password . |
1161 | .Pp | 1214 | .Pp |
1162 | If this option is set to | 1215 | If this option is set to |
1216 | .Dq prohibit-password | ||
1217 | or | ||
1163 | .Dq without-password , | 1218 | .Dq without-password , |
1164 | password authentication is disabled for root. | 1219 | password and keyboard-interactive authentication are disabled for root. |
1165 | .Pp | 1220 | .Pp |
1166 | If this option is set to | 1221 | If this option is set to |
1167 | .Dq forced-commands-only , | 1222 | .Dq forced-commands-only , |
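Review bot: changing the default of PermitRootLogin from "no" (line 1160) to "prohibit-password" (line 1213) is a behaviour change for every installation that relied on the shipped default, since root can now log in with a key or certificate where previously it could not at all; the entry should say so explicitly, and the change belongs in the release notes. Lines 1216-1219 treat "prohibit-password" and "without-password" as having the same effect but never say whether "without-password" is now a deprecated alias or an independent value; one clause ("without-password is a deprecated alias for prohibit-password", if that is the intent) would settle it. The new text that both values disable "password and keyboard-interactive authentication" for root is a welcome correction of the old line 1164, which mentioned only password authentication.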
@@ -1279,9 +1334,21 @@ is identical to | |||
1279 | .It Cm PubkeyAcceptedKeyTypes | 1334 | .It Cm PubkeyAcceptedKeyTypes |
1280 | Specifies the key types that will be accepted for public key authentication | 1335 | Specifies the key types that will be accepted for public key authentication |
1281 | as a comma-separated pattern list. | 1336 | as a comma-separated pattern list. |
1282 | The default | 1337 | Alternately if the specified value begins with a |
1283 | .Dq * | 1338 | .Sq + |
1284 | will allow all key types. | 1339 | character, then the specified key types will be appended to the default set |
1340 | instead of replacing them. | ||
1341 | The default for this option is: | ||
1342 | .Bd -literal -offset 3n | ||
1343 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
1344 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
1345 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
1346 | ssh-ed25519-cert-v01@openssh.com, | ||
1347 | ssh-rsa-cert-v01@openssh.com, | ||
1348 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
1349 | ssh-ed25519,ssh-rsa | ||
1350 | .Ed | ||
1351 | .Pp | ||
1285 | The | 1352 | The |
1286 | .Fl Q | 1353 | .Fl Q |
1287 | option of | 1354 | option of |
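Review bot: lines 1342-1350 repeat the same default key-type list a third time in this patch (also under HostbasedAcceptedKeyTypes and HostKeyAlgorithms); consider stating it once and referring to it, or at least add a comment in the source so that the three copies are updated together. As with the hostbased entry, the removed note that "*" allows all key types (old lines 1282-1284) should be retained in some form, since the value is still described as a pattern list at line 1336.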
@@ -1343,7 +1410,7 @@ The default is | |||
1343 | This option applies to protocol version 1 only. | 1410 | This option applies to protocol version 1 only. |
1344 | .It Cm ServerKeyBits | 1411 | .It Cm ServerKeyBits |
1345 | Defines the number of bits in the ephemeral protocol version 1 server key. | 1412 | Defines the number of bits in the ephemeral protocol version 1 server key. |
1346 | The minimum value is 512, and the default is 1024. | 1413 | The default and minimum value is 1024. |
1347 | .It Cm StreamLocalBindMask | 1414 | .It Cm StreamLocalBindMask |
1348 | Sets the octal file creation mode mask | 1415 | Sets the octal file creation mode mask |
1349 | .Pq umask | 1416 | .Pq umask |
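Review bot: raising the ServerKeyBits minimum from 512 to 1024 (line 1413) can invalidate existing configurations that set ServerKeyBits to a smaller value; the entry should state what sshd does with a value below the minimum (reject the configuration at startup or silently clamp to 1024), because the two behaviours have very different operational impact. "The default and minimum value is 1024" reads slightly awkwardly; "The minimum and default value is 1024" or "The default is 1024, which is also the minimum" is clearer.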
@@ -1451,11 +1518,20 @@ For more details on certificates, see the CERTIFICATES section in | |||
1451 | .It Cm UseDNS | 1518 | .It Cm UseDNS |
1452 | Specifies whether | 1519 | Specifies whether |
1453 | .Xr sshd 8 | 1520 | .Xr sshd 8 |
1454 | should look up the remote host name and check that | 1521 | should look up the remote host name, and to check that |
1455 | the resolved host name for the remote IP address maps back to the | 1522 | the resolved host name for the remote IP address maps back to the |
1456 | very same IP address. | 1523 | very same IP address. |
1457 | The default is | 1524 | .Pp |
1458 | .Dq no . | 1525 | If this option is set to |
1526 | .Dq no | ||
1527 | (the default) then only addresses and not host names may be used in | ||
1528 | .Pa ~/.ssh/known_hosts | ||
1529 | .Cm from | ||
1530 | and | ||
1531 | .Xr sshd_config 5 | ||
1532 | .Cm Match | ||
1533 | .Cm Host | ||
1534 | directives. | ||
1459 | .It Cm UseLogin | 1535 | .It Cm UseLogin |
1460 | Specifies whether | 1536 | Specifies whether |
1461 | .Xr login 1 | 1537 | .Xr login 1 |
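Review bot: line 1528 attaches the "from" directive to ~/.ssh/known_hosts, but "from=" is an option of the authorized_keys file on the server (see the AUTHORIZED_KEYS FILE FORMAT section of sshd(8)); known_hosts is the client's host-key database and has no "from" option. The path should be ~/.ssh/authorized_keys. Separately, the rewording at line 1521, "should look up the remote host name, and to check that", introduces a grammatical slip; the original "should look up the remote host name and check that" (old line 1454) was correct and should be restored.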