Diffstat (limited to 'sshd_config.5')
-rw-r--r-- sshd_config.5 | 73
1 files changed, 60 insertions, 13 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index e15a225f2..09532fb8d 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd_config.5,v 1.29 2004/03/08 10:18:57 dtucker Exp $ 37.\" $OpenBSD: sshd_config.5,v 1.35 2004/06/26 09:14:40 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD_CONFIG 5 39.Dt SSHD_CONFIG 5
40.Os 40.Os
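Review bot: the `.Dd September 25, 1999` line is left untouched even though the hunks below add new keyword entries (AcceptEnv, the Ciphers list, MaxAuthTries) and rewrite UsePAM; bump `.Dd` to the date of this change so the rendered page's footer reflects when the documentation was last revised. The `$OpenBSD$` id update itself is fine.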
@@ -61,6 +61,28 @@ The possible
61keywords and their meanings are as follows (note that 61keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive): 62keywords are case-insensitive and arguments are case-sensitive):
63.Bl -tag -width Ds 63.Bl -tag -width Ds
64.It Cm AcceptEnv
65Specifies what environment variables sent by the client will be copied into
66the session's
67.Xr environ 7 .
68See
69.Cm SendEnv
70in
71.Xr ssh_config 5
72for how to configure the client.
73Note that environment passing is only supported for protocol 2.
74Variables are specified by name, which may contain the wildcard characters
75.Ql \&*
76and
77.Ql \&? .
78Multiple environment variables may be separated by whitespace or spread
79across multiple
80.Cm AcceptEnv
81directives.
82Be warned that some environment variables could be used to bypass restricted
83user environments.
84For this reason, care should be taken in the use of this directive.
85The default is not to accept any environment variables.
64.It Cm AllowGroups 86.It Cm AllowGroups
65This keyword can be followed by a list of group name patterns, separated 87This keyword can be followed by a list of group name patterns, separated
66by spaces. 88by spaces.
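Review bot: the AcceptEnv entry documents the `*` and `?` wildcards and then warns that "some environment variables could be used to bypass restricted user environments", but does not connect the two: a bare `*` pattern accepts every variable the client offers, which is precisely the case the warning is about. Suggest saying explicitly that wildcards should be narrowed to known-safe variable names rather than used alone, and that the default of accepting nothing is the safe setting. It would also help to state what happens to client variables that match no pattern, since the text only describes which ones are copied.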
@@ -73,7 +95,6 @@ can be used as
73wildcards in the patterns. 95wildcards in the patterns.
74Only group names are valid; a numerical group ID is not recognized. 96Only group names are valid; a numerical group ID is not recognized.
75By default, login is allowed for all groups. 97By default, login is allowed for all groups.
76.Pp
77.It Cm AllowTcpForwarding 98.It Cm AllowTcpForwarding
78Specifies whether TCP forwarding is permitted. 99Specifies whether TCP forwarding is permitted.
79The default is 100The default is
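Review bot: dropping the `.Pp` directly before `.It Cm AllowTcpForwarding` is the right mdoc fix: inside a `.Bl -tag` list `.It` already begins a new entry, so the extra `.Pp` only produced a spurious blank line (mandoc warns about a paragraph macro before `.It`). The same cleanup is repeated in the following hunks (AllowUsers, AuthorizedKeysFile, ChallengeResponseAuthentication, Ciphers, DenyUsers); check that no other `.Pp` before `.It` remains elsewhere in the file so the list renders uniformly.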
@@ -81,7 +102,6 @@ The default is
81Note that disabling TCP forwarding does not improve security unless 102Note that disabling TCP forwarding does not improve security unless
82users are also denied shell access, as they can always install their 103users are also denied shell access, as they can always install their
83own forwarders. 104own forwarders.
84.Pp
85.It Cm AllowUsers 105.It Cm AllowUsers
86This keyword can be followed by a list of user name patterns, separated 106This keyword can be followed by a list of user name patterns, separated
87by spaces. 107by spaces.
@@ -97,7 +117,6 @@ By default, login is allowed for all users.
97If the pattern takes the form USER@HOST then USER and HOST 117If the pattern takes the form USER@HOST then USER and HOST
98are separately checked, restricting logins to particular 118are separately checked, restricting logins to particular
99users from particular hosts. 119users from particular hosts.
100.Pp
101.It Cm AuthorizedKeysFile 120.It Cm AuthorizedKeysFile
102Specifies the file that contains the public keys that can be used 121Specifies the file that contains the public keys that can be used
103for user authentication. 122for user authentication.
@@ -120,7 +139,6 @@ The contents of the specified file are sent to the remote user before
120authentication is allowed. 139authentication is allowed.
121This option is only available for protocol version 2. 140This option is only available for protocol version 2.
122By default, no banner is displayed. 141By default, no banner is displayed.
123.Pp
124.It Cm ChallengeResponseAuthentication 142.It Cm ChallengeResponseAuthentication
125Specifies whether challenge response authentication is allowed. 143Specifies whether challenge response authentication is allowed.
126All authentication styles from 144All authentication styles from
@@ -131,8 +149,19 @@ The default is
131.It Cm Ciphers 149.It Cm Ciphers
132Specifies the ciphers allowed for protocol version 2. 150Specifies the ciphers allowed for protocol version 2.
133Multiple ciphers must be comma-separated. 151Multiple ciphers must be comma-separated.
152The supported ciphers are
153.Dq 3des-cbc ,
154.Dq aes128-cbc ,
155.Dq aes192-cbc ,
156.Dq aes256-cbc ,
157.Dq aes128-ctr ,
158.Dq aes192-ctr ,
159.Dq aes256-ctr ,
160.Dq arcfour ,
161.Dq blowfish-cbc ,
162and
163.Dq cast128-cbc .
134The default is 164The default is
135.Pp
136.Bd -literal 165.Bd -literal
137 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 166 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
138 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' 167 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
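Review bot: the new "supported ciphers" list and the existing default list name the same ten algorithms, so the two now have to be kept in sync by hand whenever a cipher is added or removed; consider stating that the default enables all supported ciphers, or otherwise noting the relationship, so readers do not hunt for a difference that is not there. The punctuation handling (`.Dq 3des-cbc ,` with the comma as a separate argument) is correct mdoc, and removing the `.Pp` between "The default is" and `.Bd -literal` matches the cleanup in the other hunks.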
@@ -193,7 +222,6 @@ can be used as
193wildcards in the patterns. 222wildcards in the patterns.
194Only group names are valid; a numerical group ID is not recognized. 223Only group names are valid; a numerical group ID is not recognized.
195By default, login is allowed for all groups. 224By default, login is allowed for all groups.
196.Pp
197.It Cm DenyUsers 225.It Cm DenyUsers
198This keyword can be followed by a list of user name patterns, separated 226This keyword can be followed by a list of user name patterns, separated
199by spaces. 227by spaces.
@@ -386,6 +414,12 @@ for data integrity protection.
386Multiple algorithms must be comma-separated. 414Multiple algorithms must be comma-separated.
387The default is 415The default is
388.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . 416.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
417.It Cm MaxAuthTries
418Specifies the maximum number of authentication attempts permitted per
419connection.
420Once the number of failures reaches half this value,
421additional failures are logged.
422The default is 6.
389.It Cm MaxStartups 423.It Cm MaxStartups
390Specifies the maximum number of concurrent unauthenticated connections to the 424Specifies the maximum number of concurrent unauthenticated connections to the
391.Nm sshd 425.Nm sshd
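Review bot: MaxAuthTries gives the limit (default 6) and says that failures are logged once half of it is reached, but never states what happens when the limit itself is reached; add a sentence giving the consequence rather than leaving the reader to infer it. "Half this value" also needs a rounding rule for odd settings. Since this entry sits directly before MaxStartups, a short pointer on how the two limits differ (failed attempts within one connection versus concurrent unauthenticated connections) would help operators tune them together.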
@@ -608,12 +642,25 @@ If
608.Cm UsePrivilegeSeparation 642.Cm UsePrivilegeSeparation
609is specified, it will be disabled after authentication. 643is specified, it will be disabled after authentication.
610.It Cm UsePAM 644.It Cm UsePAM
611Enables PAM authentication (via challenge-response) and session set up. 645Enables the Pluggable Authentication Module interface.
612If you enable this, you should probably disable 646If set to
613.Cm PasswordAuthentication . 647.Dq yes
614If you enable 648this will enable PAM authentication using
615.CM UsePAM 649.Cm ChallengeResponseAuthentication
616then you will not be able to run sshd as a non-root user. The default is 650and PAM account and session module processing for all authentication types.
651.Pp
652Because PAM challenge-response authentication usually serves an equivalent
653role to password authentication, you should disable either
654.Cm PasswordAuthentication
655or
656.Cm ChallengeResponseAuthentication.
657.Pp
658If
659.Cm UsePAM
660is enabled, you will not be able to run
661.Xr sshd 8
662as a non-root user.
663The default is
617.Dq no . 664.Dq no .
618.It Cm UsePrivilegeSeparation 665.It Cm UsePrivilegeSeparation
619Specifies whether 666Specifies whether
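Review bot: the new line `.Cm ChallengeResponseAuthentication.` glues the period to the macro argument, so it will be set in the `.Cm` font and may be treated as part of the keyword; mdoc wants trailing punctuation as a separate argument, i.e. `.Cm ChallengeResponseAuthentication .`, as already done for `.Cm PasswordAuthentication .` in the removed text and `.Dq no .` just below. The rewrite otherwise reads well: it fixes the miscased `.CM UsePAM` macro from the old text, and the explicit advice to disable either PasswordAuthentication or ChallengeResponseAuthentication when UsePAM is on is clearer than the old "you should probably disable".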