summaryrefslogtreecommitdiff
path: root/sshd_config.5
diff options
context:
space:
mode:
Diffstat (limited to 'sshd_config.5')
-rw-r--r--sshd_config.552
1 files changed, 50 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 76c95aa19..e73624154 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes
57.Pq \&" 57.Pq \&"
58in order to represent arguments containing spaces. 58in order to represent arguments containing spaces.
59.Pp 59.Pp
60Note that the Debian
61.Ic openssh-server
62package sets several options as standard in
63.Pa /etc/ssh/sshd_config
64which are not the default in
65.Xr sshd 8 .
66The exact list depends on whether the package was installed fresh or
67upgraded from various possible previous versions, but includes at least the
68following:
69.Pp
70.Bl -bullet -offset indent -compact
71.It
72.Cm Protocol No 2
73.It
74.Cm ChallengeResponseAuthentication No no
75.It
76.Cm X11Forwarding No yes
77.It
78.Cm PrintMotd No no
79.It
80.Cm AcceptEnv No LANG LC_*
81.It
82.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
83.It
84.Cm UsePAM No yes
85.El
86.Pp
60The possible 87The possible
61keywords and their meanings are as follows (note that 88keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive): 89keywords are case-insensitive and arguments are case-sensitive):
@@ -222,8 +249,7 @@ This option is only available for protocol version 2.
222By default, no banner is displayed. 249By default, no banner is displayed.
223.It Cm ChallengeResponseAuthentication 250.It Cm ChallengeResponseAuthentication
224Specifies whether challenge-response authentication is allowed (e.g. via 251Specifies whether challenge-response authentication is allowed (e.g. via
225PAM or though authentication styles supported in 252PAM).
226.Xr login.conf 5 )
227The default is 253The default is
228.Dq yes . 254.Dq yes .
229.It Cm ChrootDirectory 255.It Cm ChrootDirectory
@@ -340,6 +366,11 @@ or
340.Dq no . 366.Dq no .
341The default is 367The default is
342.Dq delayed . 368.Dq delayed .
369.It Cm DebianBanner
370Specifies whether the distribution-specified extra version suffix is
371included during initial protocol handshake.
372The default is
373.Dq yes .
343.It Cm DenyGroups 374.It Cm DenyGroups
344This keyword can be followed by a list of group name patterns, separated 375This keyword can be followed by a list of group name patterns, separated
345by spaces. 376by spaces.
@@ -795,6 +826,20 @@ are refused if the number of unauthenticated connections reaches
795Specifies whether password authentication is allowed. 826Specifies whether password authentication is allowed.
796The default is 827The default is
797.Dq yes . 828.Dq yes .
829.It Cm PermitBlacklistedKeys
830Specifies whether
831.Xr sshd 8
832should allow keys recorded in its blacklist of known-compromised keys (see
833.Xr ssh-vulnkey 1 ) .
834If
835.Dq yes ,
836then attempts to authenticate with compromised keys will be logged but
837accepted.
838If
839.Dq no ,
840then attempts to authenticate with compromised keys will be rejected.
841The default is
842.Dq no .
798.It Cm PermitEmptyPasswords 843.It Cm PermitEmptyPasswords
799When password authentication is allowed, it specifies whether the 844When password authentication is allowed, it specifies whether the
800server allows login to accounts with empty password strings. 845server allows login to accounts with empty password strings.
@@ -1023,6 +1068,9 @@ This avoids infinitely hanging sessions.
1023.Pp 1068.Pp
1024To disable TCP keepalive messages, the value should be set to 1069To disable TCP keepalive messages, the value should be set to
1025.Dq no . 1070.Dq no .
1071.Pp
1072This option was formerly called
1073.Cm KeepAlive .
1026.It Cm TrustedUserCAKeys 1074.It Cm TrustedUserCAKeys
1027Specifies a file containing public keys of certificate authorities that are 1075Specifies a file containing public keys of certificate authorities that are
1028trusted to sign user certificates for authentication. 1076trusted to sign user certificates for authentication.