Diffstat (limited to 'sshd_config.5')
-rw-r--r--  sshd_config.5  54
1 files changed, 36 insertions, 18 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index e5380f5dc..ba533af9e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.284 2019/03/22 20:58:34 jmc Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
37.Dd $Mdocdate: March 22 2019 $ 37.Dd $Mdocdate: September 6 2019 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -299,9 +299,7 @@ is not, then
299will refuse to start. 299will refuse to start.
300.It Cm AuthorizedKeysFile 300.It Cm AuthorizedKeysFile
301Specifies the file that contains the public keys used for user authentication. 301Specifies the file that contains the public keys used for user authentication.
302The format is described in the 302The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
303.Sx AUTHORIZED_KEYS FILE FORMAT
304section of
305.Xr sshd 8 . 303.Xr sshd 8 .
306Arguments to 304Arguments to
307.Cm AuthorizedKeysFile 305.Cm AuthorizedKeysFile
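Review bot: Dropping the `.Sx AUTHORIZED_KEYS FILE FORMAT` macro here is the right fix, because `.Sx` cross-references a section of the current manual page, while the section it names lives in sshd(8), which the following `.Xr sshd 8 .` already points at; inlining the section name as plain text keeps the reference accurate without a dangling in-page link. Worth a quick grep for other `.Sx` uses in this file that name sections of sshd(8) rather than of sshd_config(5), since the same mistake is easy to repeat.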
@@ -409,7 +407,7 @@ Specifies which algorithms are allowed for signing of certificates
409by certificate authorities (CAs). 407by certificate authorities (CAs).
410The default is: 408The default is:
411.Bd -literal -offset indent 409.Bd -literal -offset indent
412ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 410ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
413ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 411ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
414.Ed 412.Ed
415.Pp 413.Pp
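Review bot: The separator fix in the CASignatureAlgorithms default (`.` to `,` between `ecdsa-sha2-nistp256` and `ecdsa-sha2-nistp384`) matters beyond cosmetics: an administrator who copied the documented default verbatim would have fed sshd a single malformed token `ecdsa-sha2-nistp256.ecdsa-sha2-nistp384` in place of two algorithm names, so the literal block now matches what the option actually accepts. Since this list is hand-maintained in the manual, it is worth checking the remaining literal defaults in the page for the same kind of typo at the same time.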
@@ -477,14 +475,18 @@ indicating not to
477.It Cm Ciphers 475.It Cm Ciphers
478Specifies the ciphers allowed. 476Specifies the ciphers allowed.
479Multiple ciphers must be comma-separated. 477Multiple ciphers must be comma-separated.
480If the specified value begins with a 478If the specified list begins with a
481.Sq + 479.Sq +
482character, then the specified ciphers will be appended to the default set 480character, then the specified ciphers will be appended to the default set
483instead of replacing them. 481instead of replacing them.
484If the specified value begins with a 482If the specified list begins with a
485.Sq - 483.Sq -
486character, then the specified ciphers (including wildcards) will be removed 484character, then the specified ciphers (including wildcards) will be removed
487from the default set instead of replacing them. 485from the default set instead of replacing them.
486If the specified list begins with a
487.Sq ^
488character, then the specified ciphers will be placed at the head of the
489default set.
488.Pp 490.Pp
489The supported ciphers are: 491The supported ciphers are:
490.Pp 492.Pp
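Review bot: The new `^` paragraph leaves two things unspecified that the adjacent `-` paragraph does spell out. First, the `-` text says the removed ciphers may include wildcards, but the `^` text does not say whether patterns are accepted or only literal names; either state "(including wildcards)" here too or state that wildcards are not supported. Second, it should say whether a cipher named after `^` that is already in the default set is moved to the head (no duplicate) or simply prepended. A short sentence such as "Ciphers that already appear in the default set are moved rather than duplicated" would resolve that, and it is also worth making explicit that `^` only changes preference order and removes nothing, so an administrator wanting to exclude a cipher still needs `-` or a full replacement list.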
@@ -535,7 +537,7 @@ The TCP keepalive option enabled by
535.Cm TCPKeepAlive 537.Cm TCPKeepAlive
536is spoofable. 538is spoofable.
537The client alive mechanism is valuable when the client or 539The client alive mechanism is valuable when the client or
538server depend on knowing when a connection has become inactive. 540server depend on knowing when a connection has become unresponsive.
539.Pp 541.Pp
540The default value is 3. 542The default value is 3.
541If 543If
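Review bot: "unresponsive" is the more accurate word, since the client alive mechanism probes whether the peer still answers rather than whether the session is idle; an idle but connected client keeps replying and is not affected. Please check that the ClientAliveInterval entry, which describes the same mechanism, uses the same "unresponsive" wording so the two entries do not disagree.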
@@ -726,14 +728,18 @@ This option only applies to protocol version 2 connections using GSSAPI.
726.It Cm HostbasedAcceptedKeyTypes 728.It Cm HostbasedAcceptedKeyTypes
727Specifies the key types that will be accepted for hostbased authentication 729Specifies the key types that will be accepted for hostbased authentication
728as a list of comma-separated patterns. 730as a list of comma-separated patterns.
729Alternately if the specified value begins with a 731Alternately if the specified list begins with a
730.Sq + 732.Sq +
731character, then the specified key types will be appended to the default set 733character, then the specified key types will be appended to the default set
732instead of replacing them. 734instead of replacing them.
733If the specified value begins with a 735If the specified list begins with a
734.Sq - 736.Sq -
735character, then the specified key types (including wildcards) will be removed 737character, then the specified key types (including wildcards) will be removed
736from the default set instead of replacing them. 738from the default set instead of replacing them.
739If the specified list begins with a
740.Sq ^
741character, then the specified key types will be placed at the head of the
742default set.
737The default for this option is: 743The default for this option is:
738.Bd -literal -offset 3n 744.Bd -literal -offset 3n
739ecdsa-sha2-nistp256-cert-v01@openssh.com, 745ecdsa-sha2-nistp256-cert-v01@openssh.com,
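Review bot: This entry opens the prefix description with "Alternately if the specified list begins with a", which needs a comma after "Alternately" and differs from the Ciphers entry in the same change, which has no "Alternately" at all; the same paragraph is now repeated for several options, so pick one wording ("If the specified list begins with a ...") and use it everywhere to avoid the copies drifting further apart. The `^` sentence added here has the same gap as in the Ciphers hunk: it does not say whether wildcards are honoured or whether a key type already present is moved rather than duplicated.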
@@ -929,14 +935,18 @@ The default is
929.It Cm KexAlgorithms 935.It Cm KexAlgorithms
930Specifies the available KEX (Key Exchange) algorithms. 936Specifies the available KEX (Key Exchange) algorithms.
931Multiple algorithms must be comma-separated. 937Multiple algorithms must be comma-separated.
932Alternately if the specified value begins with a 938Alternately if the specified list begins with a
933.Sq + 939.Sq +
934character, then the specified methods will be appended to the default set 940character, then the specified methods will be appended to the default set
935instead of replacing them. 941instead of replacing them.
936If the specified value begins with a 942If the specified list begins with a
937.Sq - 943.Sq -
938character, then the specified methods (including wildcards) will be removed 944character, then the specified methods (including wildcards) will be removed
939from the default set instead of replacing them. 945from the default set instead of replacing them.
946If the specified list begins with a
947.Sq ^
948character, then the specified methods will be placed at the head of the
949default set.
940The supported algorithms are: 950The supported algorithms are:
941.Pp 951.Pp
942.Bl -item -compact -offset indent 952.Bl -item -compact -offset indent
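Review bot: The option is introduced as "the available KEX (Key Exchange) algorithms", but the three prefix sentences (`+`, `-`, and the new `^`) all say "the specified methods"; use "algorithms" throughout so the prefix text and the option description refer to the same thing, matching the wording the MACs entry in this same change uses.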
@@ -1046,14 +1056,18 @@ Logging with a DEBUG level violates the privacy of users and is not recommended.
1046Specifies the available MAC (message authentication code) algorithms. 1056Specifies the available MAC (message authentication code) algorithms.
1047The MAC algorithm is used for data integrity protection. 1057The MAC algorithm is used for data integrity protection.
1048Multiple algorithms must be comma-separated. 1058Multiple algorithms must be comma-separated.
1049If the specified value begins with a 1059If the specified list begins with a
1050.Sq + 1060.Sq +
1051character, then the specified algorithms will be appended to the default set 1061character, then the specified algorithms will be appended to the default set
1052instead of replacing them. 1062instead of replacing them.
1053If the specified value begins with a 1063If the specified list begins with a
1054.Sq - 1064.Sq -
1055character, then the specified algorithms (including wildcards) will be removed 1065character, then the specified algorithms (including wildcards) will be removed
1056from the default set instead of replacing them. 1066from the default set instead of replacing them.
1067If the specified list begins with a
1068.Sq ^
1069character, then the specified algorithms will be placed at the head of the
1070default set.
1057.Pp 1071.Pp
1058The algorithms that contain 1072The algorithms that contain
1059.Qq -etm 1073.Qq -etm
@@ -1211,7 +1225,7 @@ Available keywords are
1211.Cm X11DisplayOffset , 1225.Cm X11DisplayOffset ,
1212.Cm X11Forwarding 1226.Cm X11Forwarding
1213and 1227and
1214.Cm X11UseLocalHost . 1228.Cm X11UseLocalhost .
1215.It Cm MaxAuthTries 1229.It Cm MaxAuthTries
1216Specifies the maximum number of authentication attempts permitted per 1230Specifies the maximum number of authentication attempts permitted per
1217connection. 1231connection.
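Review bot: Correcting `X11UseLocalHost` to `X11UseLocalhost` in the Match keyword list is right: that is the spelling used by the option's own `.It Cm` entry, and a reader searching the page for the keyword as it appears in the Match list would otherwise not find its description. Since this list of Match-able keywords is easy to let drift, it is worth checking the other keywords in it against their `.It Cm` entries in the same pass.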
@@ -1451,14 +1465,18 @@ The default is
1451.It Cm PubkeyAcceptedKeyTypes 1465.It Cm PubkeyAcceptedKeyTypes
1452Specifies the key types that will be accepted for public key authentication 1466Specifies the key types that will be accepted for public key authentication
1453as a list of comma-separated patterns. 1467as a list of comma-separated patterns.
1454Alternately if the specified value begins with a 1468Alternately if the specified list begins with a
1455.Sq + 1469.Sq +
1456character, then the specified key types will be appended to the default set 1470character, then the specified key types will be appended to the default set
1457instead of replacing them. 1471instead of replacing them.
1458If the specified value begins with a 1472If the specified list begins with a
1459.Sq - 1473.Sq -
1460character, then the specified key types (including wildcards) will be removed 1474character, then the specified key types (including wildcards) will be removed
1461from the default set instead of replacing them. 1475from the default set instead of replacing them.
1476If the specified list begins with a
1477.Sq ^
1478character, then the specified key types will be placed at the head of the
1479default set.
1462The default for this option is: 1480The default for this option is:
1463.Bd -literal -offset 3n 1481.Bd -literal -offset 3n
1464ecdsa-sha2-nistp256-cert-v01@openssh.com, 1482ecdsa-sha2-nistp256-cert-v01@openssh.com,
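Review bot: With this hunk the `^` paragraph now appears in near-identical form under Ciphers, HostbasedAcceptedKeyTypes, KexAlgorithms, MACs and PubkeyAcceptedKeyTypes, each copy carrying the same "Alternately if" / "If" inconsistency and the same silence on wildcards and on duplicates. Consider documenting the `+` / `-` / `^` semantics once (a short shared paragraph these entries can point to with a see-also) so that a later change to the semantics only has to be made in one place; if the copies stay, at least make the five of them word-for-word identical apart from the noun.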