Diffstat (limited to 'sshd_config.5')
-rw-r--r--  sshd_config.5 | 64
1 files changed, 39 insertions, 25 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index b18d340af..a37a3aca3 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $
37.Dd $Mdocdate: August 14 2015 $ 37.Dd $Mdocdate: February 17 2016 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -70,8 +70,7 @@ See
70in 70in
71.Xr ssh_config 5 71.Xr ssh_config 5
72for how to configure the client. 72for how to configure the client.
73Note that environment passing is only supported for protocol 2, and 73The
74that the
75.Ev TERM 74.Ev TERM
76environment variable is always sent whenever the client 75environment variable is always sent whenever the client
77requests a pseudo-terminal as it is required by the protocol. 76requests a pseudo-terminal as it is required by the protocol.
@@ -226,7 +225,7 @@ of
226.Dq publickey,publickey 225.Dq publickey,publickey
227will require successful authentication using two different public keys. 226will require successful authentication using two different public keys.
228.Pp 227.Pp
229This option is only available for SSH protocol 2 and will yield a fatal 228This option will yield a fatal
230error if enabled if protocol 1 is also enabled. 229error if enabled if protocol 1 is also enabled.
231Note that each authentication method listed should also be explicitly enabled 230Note that each authentication method listed should also be explicitly enabled
232in the configuration. 231in the configuration.
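Review bot: "will yield a fatal error if enabled if protocol 1 is also enabled" reads awkwardly now that the leading "only available for SSH protocol 2" clause is gone; suggest "This option will yield a fatal error if protocol 1 is also enabled." The protocol 1 reference itself must stay, since the Protocol keyword in this same patch still accepts 1.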
@@ -285,6 +284,9 @@ After expansion,
285is taken to be an absolute path or one relative to the user's home 284is taken to be an absolute path or one relative to the user's home
286directory. 285directory.
287Multiple files may be listed, separated by whitespace. 286Multiple files may be listed, separated by whitespace.
287Alternately this option may be set to
288.Dq none
289to skip checking for user keys in files.
288The default is 290The default is
289.Dq .ssh/authorized_keys .ssh/authorized_keys2 . 291.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
290.It Cm AuthorizedPrincipalsCommand 292.It Cm AuthorizedPrincipalsCommand
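Review bot: the new "none" sentence for AuthorizedKeysFile does not say whether "none" may be mixed into the whitespace-separated file list described on the preceding line, nor that it disables only file-based lookup; keys supplied through AuthorizedKeysCommand (a separate keyword in this file) are still consulted. Suggest extending line 289 to something like "to skip checking for user keys in files; keys obtained via .Cm AuthorizedKeysCommand are unaffected." so an operator who sets "none" to lock down key sources is not surprised.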
@@ -370,7 +372,6 @@ authentication is allowed.
370If the argument is 372If the argument is
371.Dq none 373.Dq none
372then no banner is displayed. 374then no banner is displayed.
373This option is only available for protocol version 2.
374By default, no banner is displayed. 375By default, no banner is displayed.
375.It Cm ChallengeResponseAuthentication 376.It Cm ChallengeResponseAuthentication
376Specifies whether challenge-response authentication is allowed (e.g. via 377Specifies whether challenge-response authentication is allowed (e.g. via
@@ -429,10 +430,12 @@ Misconfiguration can lead to unsafe environments which
429.Xr sshd 8 430.Xr sshd 8
430cannot detect. 431cannot detect.
431.Pp 432.Pp
432The default is not to 433The default is
434.Dq none ,
435indicating not to
433.Xr chroot 2 . 436.Xr chroot 2 .
434.It Cm Ciphers 437.It Cm Ciphers
435Specifies the ciphers allowed for protocol version 2. 438Specifies the ciphers allowed.
436Multiple ciphers must be comma-separated. 439Multiple ciphers must be comma-separated.
437If the specified value begins with a 440If the specified value begins with a
438.Sq + 441.Sq +
@@ -513,7 +516,6 @@ If
513.Cm ClientAliveCountMax 516.Cm ClientAliveCountMax
514is left at the default, unresponsive SSH clients 517is left at the default, unresponsive SSH clients
515will be disconnected after approximately 45 seconds. 518will be disconnected after approximately 45 seconds.
516This option applies to protocol version 2 only.
517.It Cm ClientAliveInterval 519.It Cm ClientAliveInterval
518Sets a timeout interval in seconds after which if no data has been received 520Sets a timeout interval in seconds after which if no data has been received
519from the client, 521from the client,
@@ -522,7 +524,6 @@ will send a message through the encrypted
522channel to request a response from the client. 524channel to request a response from the client.
523The default 525The default
524is 0, indicating that these messages will not be sent to the client. 526is 0, indicating that these messages will not be sent to the client.
525This option applies to protocol version 2 only.
526.It Cm Compression 527.It Cm Compression
527Specifies whether compression is allowed, or delayed until 528Specifies whether compression is allowed, or delayed until
528the user has authenticated successfully. 529the user has authenticated successfully.
@@ -596,6 +597,8 @@ Specifying a command of
596will force the use of an in-process sftp server that requires no support 597will force the use of an in-process sftp server that requires no support
597files when used with 598files when used with
598.Cm ChrootDirectory . 599.Cm ChrootDirectory .
600The default is
601.Dq none .
599.It Cm GatewayPorts 602.It Cm GatewayPorts
600Specifies whether remote hosts are allowed to connect to ports 603Specifies whether remote hosts are allowed to connect to ports
601forwarded for the client. 604forwarded for the client.
@@ -620,13 +623,11 @@ The default is
620Specifies whether user authentication based on GSSAPI is allowed. 623Specifies whether user authentication based on GSSAPI is allowed.
621The default is 624The default is
622.Dq no . 625.Dq no .
623Note that this option applies to protocol version 2 only.
624.It Cm GSSAPICleanupCredentials 626.It Cm GSSAPICleanupCredentials
625Specifies whether to automatically destroy the user's credentials cache 627Specifies whether to automatically destroy the user's credentials cache
626on logout. 628on logout.
627The default is 629The default is
628.Dq yes . 630.Dq yes .
629Note that this option applies to protocol version 2 only.
630.It Cm GSSAPIStrictAcceptorCheck 631.It Cm GSSAPIStrictAcceptorCheck
631Determines whether to be strict about the identity of the GSSAPI acceptor 632Determines whether to be strict about the identity of the GSSAPI acceptor
632a client authenticates against. 633a client authenticates against.
@@ -669,9 +670,6 @@ may be used to list supported key types.
669Specifies whether rhosts or /etc/hosts.equiv authentication together 670Specifies whether rhosts or /etc/hosts.equiv authentication together
670with successful public key client host authentication is allowed 671with successful public key client host authentication is allowed
671(host-based authentication). 672(host-based authentication).
672This option is similar to
673.Cm RhostsRSAAuthentication
674and applies to protocol version 2 only.
675The default is 673The default is
676.Dq no . 674.Dq no .
677.It Cm HostbasedUsesNameFromPacketOnly 675.It Cm HostbasedUsesNameFromPacketOnly
@@ -742,7 +740,7 @@ is specified, the location of the socket will be read from the
742.Ev SSH_AUTH_SOCK 740.Ev SSH_AUTH_SOCK
743environment variable. 741environment variable.
744.It Cm HostKeyAlgorithms 742.It Cm HostKeyAlgorithms
745Specifies the protocol version 2 host key algorithms 743Specifies the host key algorithms
746that the server offers. 744that the server offers.
747The default for this option is: 745The default for this option is:
748.Bd -literal -offset 3n 746.Bd -literal -offset 3n
@@ -963,8 +961,7 @@ DEBUG2 and DEBUG3 each specify higher levels of debugging output.
963Logging with a DEBUG level violates the privacy of users and is not recommended. 961Logging with a DEBUG level violates the privacy of users and is not recommended.
964.It Cm MACs 962.It Cm MACs
965Specifies the available MAC (message authentication code) algorithms. 963Specifies the available MAC (message authentication code) algorithms.
966The MAC algorithm is used in protocol version 2 964The MAC algorithm is used for data integrity protection.
967for data integrity protection.
968Multiple algorithms must be comma-separated. 965Multiple algorithms must be comma-separated.
969If the specified value begins with a 966If the specified value begins with a
970.Sq + 967.Sq +
@@ -1020,8 +1017,9 @@ The default is:
1020.Bd -literal -offset indent 1017.Bd -literal -offset indent
1021umac-64-etm@openssh.com,umac-128-etm@openssh.com, 1018umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1022hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 1019hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1020hmac-sha1-etm@openssh.com,
1023umac-64@openssh.com,umac-128@openssh.com, 1021umac-64@openssh.com,umac-128@openssh.com,
1024hmac-sha2-256,hmac-sha2-512 1022hmac-sha2-256,hmac-sha2-512,hmac-sha1
1025.Ed 1023.Ed
1026.Pp 1024.Pp
1027The list of available MAC algorithms may also be obtained using the 1025The list of available MAC algorithms may also be obtained using the
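Review bot: this hunk re-adds hmac-sha1-etm@openssh.com and hmac-sha1 to the documented default MAC list, at the end of the etm and non-etm groups respectively. Confirm this matches the compiled-in default proposal rather than only the man page, and since the rest of this patch tightens legacy advice (see the Protocol hunk), consider a sentence noting that hmac-sha1 is retained for compatibility with older clients and that the command referenced on the following line shows what the local build actually offers.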
@@ -1091,6 +1089,8 @@ Available keywords are
1091.Cm AuthorizedKeysCommand , 1089.Cm AuthorizedKeysCommand ,
1092.Cm AuthorizedKeysCommandUser , 1090.Cm AuthorizedKeysCommandUser ,
1093.Cm AuthorizedKeysFile , 1091.Cm AuthorizedKeysFile ,
1092.Cm AuthorizedPrincipalsCommand ,
1093.Cm AuthorizedPrincipalsCommandUser ,
1094.Cm AuthorizedPrincipalsFile , 1094.Cm AuthorizedPrincipalsFile ,
1095.Cm Banner , 1095.Cm Banner ,
1096.Cm ChrootDirectory , 1096.Cm ChrootDirectory ,
@@ -1134,7 +1134,15 @@ Once the number of failures reaches half this value,
1134additional failures are logged. 1134additional failures are logged.
1135The default is 6. 1135The default is 6.
1136.It Cm MaxSessions 1136.It Cm MaxSessions
1137Specifies the maximum number of open sessions permitted per network connection. 1137Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
1138sessions permitted per network connection.
1139Multiple sessions may be established by clients that support connection
1140multiplexing.
1141Setting
1142.Cm MaxSessions
1143to 1 will effectively disable session multiplexing, whereas setting it to 0
1144will prevent all shell, login and subsystem sessions while still permitting
1145forwarding.
1138The default is 10. 1146The default is 10.
1139.It Cm MaxStartups 1147.It Cm MaxStartups
1140Specifies the maximum number of concurrent unauthenticated connections to the 1148Specifies the maximum number of concurrent unauthenticated connections to the
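Review bot: the new text for MaxSessions 0 correctly states that shell, login and subsystem sessions are prevented "while still permitting forwarding", but it should also say explicitly that MaxSessions is therefore not an access-denial control: a client can still open a connection and use port forwarding with MaxSessions 0, so an operator wanting to deny a user must use the forwarding and access-control keywords instead. One sentence to that effect after line 1145 would prevent the obvious misreading.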
@@ -1324,6 +1332,10 @@ and
1324Multiple versions must be comma-separated. 1332Multiple versions must be comma-separated.
1325The default is 1333The default is
1326.Sq 2 . 1334.Sq 2 .
1335Protocol 1 suffers from a number of cryptographic weaknesses and should
1336not be used.
1337It is only offered to support legacy devices.
1338.Pp
1327Note that the order of the protocol list does not indicate preference, 1339Note that the order of the protocol list does not indicate preference,
1328because the client selects among multiple protocol versions offered 1340because the client selects among multiple protocol versions offered
1329by the server. 1341by the server.
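Review bot: the added warning is welcome, but "It is only offered to support legacy devices" implies protocol 1 is available in a default build; the paragraph should say whether it is compiled in by default at all, since otherwise the AuthenticationMethods note earlier in this patch ("fatal error if protocol 1 is also enabled") is the only hint to the reader that enabling it has side effects. The .Pp separator placement is fine.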
@@ -1358,7 +1370,6 @@ may be used to list supported key types.
1358Specifies whether public key authentication is allowed. 1370Specifies whether public key authentication is allowed.
1359The default is 1371The default is
1360.Dq yes . 1372.Dq yes .
1361Note that this option applies to protocol version 2 only.
1362.It Cm RekeyLimit 1373.It Cm RekeyLimit
1363Specifies the maximum amount of data that may be transmitted before the 1374Specifies the maximum amount of data that may be transmitted before the
1364session key is renegotiated, optionally followed a maximum amount of 1375session key is renegotiated, optionally followed a maximum amount of
@@ -1384,7 +1395,6 @@ is
1384.Dq default none , 1395.Dq default none ,
1385which means that rekeying is performed after the cipher's default amount 1396which means that rekeying is performed after the cipher's default amount
1386of data has been sent or received and no time based rekeying is done. 1397of data has been sent or received and no time based rekeying is done.
1387This option applies to protocol version 2 only.
1388.It Cm RevokedKeys 1398.It Cm RevokedKeys
1389Specifies revoked public keys file, or 1399Specifies revoked public keys file, or
1390.Dq none 1400.Dq none
@@ -1471,7 +1481,6 @@ This may simplify configurations using
1471to force a different filesystem root on clients. 1481to force a different filesystem root on clients.
1472.Pp 1482.Pp
1473By default no subsystems are defined. 1483By default no subsystems are defined.
1474Note that this option applies to protocol version 2 only.
1475.It Cm SyslogFacility 1484.It Cm SyslogFacility
1476Gives the facility code that is used when logging messages from 1485Gives the facility code that is used when logging messages from
1477.Xr sshd 8 . 1486.Xr sshd 8 .
@@ -1584,14 +1593,19 @@ After successful authentication, another process will be created that has
1584the privilege of the authenticated user. 1593the privilege of the authenticated user.
1585The goal of privilege separation is to prevent privilege 1594The goal of privilege separation is to prevent privilege
1586escalation by containing any corruption within the unprivileged processes. 1595escalation by containing any corruption within the unprivileged processes.
1587The default is 1596The argument must be
1588.Dq yes . 1597.Dq yes ,
1598.Dq no ,
1599or
1600.Dq sandbox .
1589If 1601If
1590.Cm UsePrivilegeSeparation 1602.Cm UsePrivilegeSeparation
1591is set to 1603is set to
1592.Dq sandbox 1604.Dq sandbox
1593then the pre-authentication unprivileged process is subject to additional 1605then the pre-authentication unprivileged process is subject to additional
1594restrictions. 1606restrictions.
1607The default is
1608.Dq sandbox .
1595.It Cm VersionAddendum 1609.It Cm VersionAddendum
1596Optionally specifies additional text to append to the SSH protocol banner 1610Optionally specifies additional text to append to the SSH protocol banner
1597sent by the server upon connection. 1611sent by the server upon connection.
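Review bot: this hunk changes the documented default of UsePrivilegeSeparation from "yes" to "sandbox", which is a behaviour change rather than a wording fix; confirm that the compiled-in default and the shipped sshd_config comment agree with line 1608, as a man page that differs from the actual default is a common source of confusion. "Subject to additional restrictions" at line 1605-1606 also remains unspecified; at minimum state that the restrictions applied to the pre-authentication process are platform-dependent so readers know to check what their build provides.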