diff options
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 52 |
1 files changed, 50 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 55e8d8503..a5e20d1e8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes | |||
58 | .Pq \&" | 58 | .Pq \&" |
59 | in order to represent arguments containing spaces. | 59 | in order to represent arguments containing spaces. |
60 | .Pp | 60 | .Pp |
61 | Note that the Debian | ||
62 | .Ic openssh-server | ||
63 | package sets several options as standard in | ||
64 | .Pa /etc/ssh/sshd_config | ||
65 | which are not the default in | ||
66 | .Xr sshd 8 . | ||
67 | The exact list depends on whether the package was installed fresh or | ||
68 | upgraded from various possible previous versions, but includes at least the | ||
69 | following: | ||
70 | .Pp | ||
71 | .Bl -bullet -offset indent -compact | ||
72 | .It | ||
73 | .Cm Protocol No 2 | ||
74 | .It | ||
75 | .Cm ChallengeResponseAuthentication No no | ||
76 | .It | ||
77 | .Cm X11Forwarding No yes | ||
78 | .It | ||
79 | .Cm PrintMotd No no | ||
80 | .It | ||
81 | .Cm AcceptEnv No LANG LC_* | ||
82 | .It | ||
83 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
84 | .It | ||
85 | .Cm UsePAM No yes | ||
86 | .El | ||
87 | .Pp | ||
61 | The possible | 88 | The possible |
62 | keywords and their meanings are as follows (note that | 89 | keywords and their meanings are as follows (note that |
63 | keywords are case-insensitive and arguments are case-sensitive): | 90 | keywords are case-insensitive and arguments are case-sensitive): |
@@ -222,8 +249,7 @@ This option is only available for protocol version 2. | |||
222 | By default, no banner is displayed. | 249 | By default, no banner is displayed. |
223 | .It Cm ChallengeResponseAuthentication | 250 | .It Cm ChallengeResponseAuthentication |
224 | Specifies whether challenge-response authentication is allowed (e.g. via | 251 | Specifies whether challenge-response authentication is allowed (e.g. via |
225 | PAM or though authentication styles supported in | 252 | PAM). |
226 | .Xr login.conf 5 ) | ||
227 | The default is | 253 | The default is |
228 | .Dq yes . | 254 | .Dq yes . |
229 | .It Cm ChrootDirectory | 255 | .It Cm ChrootDirectory |
@@ -340,6 +366,11 @@ or | |||
340 | .Dq no . | 366 | .Dq no . |
341 | The default is | 367 | The default is |
342 | .Dq delayed . | 368 | .Dq delayed . |
369 | .It Cm DebianBanner | ||
370 | Specifies whether the distribution-specified extra version suffix is | ||
371 | included during initial protocol handshake. | ||
372 | The default is | ||
373 | .Dq yes . | ||
343 | .It Cm DenyGroups | 374 | .It Cm DenyGroups |
344 | This keyword can be followed by a list of group name patterns, separated | 375 | This keyword can be followed by a list of group name patterns, separated |
345 | by spaces. | 376 | by spaces. |
@@ -743,6 +774,20 @@ are refused if the number of unauthenticated connections reaches | |||
743 | Specifies whether password authentication is allowed. | 774 | Specifies whether password authentication is allowed. |
744 | The default is | 775 | The default is |
745 | .Dq yes . | 776 | .Dq yes . |
777 | .It Cm PermitBlacklistedKeys | ||
778 | Specifies whether | ||
779 | .Xr sshd 8 | ||
780 | should allow keys recorded in its blacklist of known-compromised keys (see | ||
781 | .Xr ssh-vulnkey 1 ) . | ||
782 | If | ||
783 | .Dq yes , | ||
784 | then attempts to authenticate with compromised keys will be logged but | ||
785 | accepted. | ||
786 | If | ||
787 | .Dq no , | ||
788 | then attempts to authenticate with compromised keys will be rejected. | ||
789 | The default is | ||
790 | .Dq no . | ||
746 | .It Cm PermitEmptyPasswords | 791 | .It Cm PermitEmptyPasswords |
747 | When password authentication is allowed, it specifies whether the | 792 | When password authentication is allowed, it specifies whether the |
748 | server allows login to accounts with empty password strings. | 793 | server allows login to accounts with empty password strings. |
@@ -971,6 +1016,9 @@ This avoids infinitely hanging sessions. | |||
971 | .Pp | 1016 | .Pp |
972 | To disable TCP keepalive messages, the value should be set to | 1017 | To disable TCP keepalive messages, the value should be set to |
973 | .Dq no . | 1018 | .Dq no . |
1019 | .Pp | ||
1020 | This option was formerly called | ||
1021 | .Cm KeepAlive . | ||
974 | .It Cm TrustedUserCAKeys | 1022 | .It Cm TrustedUserCAKeys |
975 | Specifies a file containing public keys of certificate authorities that are | 1023 | Specifies a file containing public keys of certificate authorities that are |
976 | trusted to sign user certificates for authentication. | 1024 | trusted to sign user certificates for authentication. |