Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 73 |
1 files changed, 60 insertions, 13 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index e15a225f2..09532fb8d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.29 2004/03/08 10:18:57 dtucker Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.35 2004/06/26 09:14:40 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -61,6 +61,28 @@ The possible | |||
61 | keywords and their meanings are as follows (note that | 61 | keywords and their meanings are as follows (note that |
62 | keywords are case-insensitive and arguments are case-sensitive): | 62 | keywords are case-insensitive and arguments are case-sensitive): |
63 | .Bl -tag -width Ds | 63 | .Bl -tag -width Ds |
64 | .It Cm AcceptEnv | ||
65 | Specifies what environment variables sent by the client will be copied into | ||
66 | the session's | ||
67 | .Xr environ 7 . | ||
68 | See | ||
69 | .Cm SendEnv | ||
70 | in | ||
71 | .Xr ssh_config 5 | ||
72 | for how to configure the client. | ||
73 | Note that environment passing is only supported for protocol 2. | ||
74 | Variables are specified by name, which may contain the wildcard characters | ||
75 | .Ql \&* | ||
76 | and | ||
77 | .Ql \&? . | ||
78 | Multiple environment variables may be separated by whitespace or spread | ||
79 | across multiple | ||
80 | .Cm AcceptEnv | ||
81 | directives. | ||
82 | Be warned that some environment variables could be used to bypass restricted | ||
83 | user environments. | ||
84 | For this reason, care should be taken in the use of this directive. | ||
85 | The default is not to accept any environment variables. | ||
64 | .It Cm AllowGroups | 86 | .It Cm AllowGroups |
65 | This keyword can be followed by a list of group name patterns, separated | 87 | This keyword can be followed by a list of group name patterns, separated |
66 | by spaces. | 88 | by spaces. |
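Review bot: the new AcceptEnv entry warns that "some environment variables could be used to bypass restricted user environments" but gives the administrator no concrete guidance, while the same entry documents `*` and `?` as wildcards in variable names. Suggest adding one sentence after the warning recommending that administrators list specific variable names and avoid a bare `*` pattern, since that pattern accepts every variable the client sends and makes the default of "not to accept any environment variables" meaningless. Minor: "Specifies what environment variables sent by the client will be copied into" reads better as "Specifies which environment variables sent by the client will be copied into".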
@@ -73,7 +95,6 @@ can be used as | |||
73 | wildcards in the patterns. | 95 | wildcards in the patterns. |
74 | Only group names are valid; a numerical group ID is not recognized. | 96 | Only group names are valid; a numerical group ID is not recognized. |
75 | By default, login is allowed for all groups. | 97 | By default, login is allowed for all groups. |
76 | .Pp | ||
77 | .It Cm AllowTcpForwarding | 98 | .It Cm AllowTcpForwarding |
78 | Specifies whether TCP forwarding is permitted. | 99 | Specifies whether TCP forwarding is permitted. |
79 | The default is | 100 | The default is |
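Review bot: dropping the `.Pp` immediately before `.It Cm AllowTcpForwarding` (old line 76) is the right mdoc fix, since a paragraph break directly before a tagged list item only produces an empty paragraph; the same removal is applied consistently in the following hunks (AllowUsers, AuthorizedKeysFile, ChallengeResponseAuthentication, DenyUsers), so no further comment on those.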
@@ -81,7 +102,6 @@ The default is | |||
81 | Note that disabling TCP forwarding does not improve security unless | 102 | Note that disabling TCP forwarding does not improve security unless |
82 | users are also denied shell access, as they can always install their | 103 | users are also denied shell access, as they can always install their |
83 | own forwarders. | 104 | own forwarders. |
84 | .Pp | ||
85 | .It Cm AllowUsers | 105 | .It Cm AllowUsers |
86 | This keyword can be followed by a list of user name patterns, separated | 106 | This keyword can be followed by a list of user name patterns, separated |
87 | by spaces. | 107 | by spaces. |
@@ -97,7 +117,6 @@ By default, login is allowed for all users. | |||
97 | If the pattern takes the form USER@HOST then USER and HOST | 117 | If the pattern takes the form USER@HOST then USER and HOST |
98 | are separately checked, restricting logins to particular | 118 | are separately checked, restricting logins to particular |
99 | users from particular hosts. | 119 | users from particular hosts. |
100 | .Pp | ||
101 | .It Cm AuthorizedKeysFile | 120 | .It Cm AuthorizedKeysFile |
102 | Specifies the file that contains the public keys that can be used | 121 | Specifies the file that contains the public keys that can be used |
103 | for user authentication. | 122 | for user authentication. |
@@ -120,7 +139,6 @@ The contents of the specified file are sent to the remote user before | |||
120 | authentication is allowed. | 139 | authentication is allowed. |
121 | This option is only available for protocol version 2. | 140 | This option is only available for protocol version 2. |
122 | By default, no banner is displayed. | 141 | By default, no banner is displayed. |
123 | .Pp | ||
124 | .It Cm ChallengeResponseAuthentication | 142 | .It Cm ChallengeResponseAuthentication |
125 | Specifies whether challenge response authentication is allowed. | 143 | Specifies whether challenge response authentication is allowed. |
126 | All authentication styles from | 144 | All authentication styles from |
@@ -131,8 +149,19 @@ The default is | |||
131 | .It Cm Ciphers | 149 | .It Cm Ciphers |
132 | Specifies the ciphers allowed for protocol version 2. | 150 | Specifies the ciphers allowed for protocol version 2. |
133 | Multiple ciphers must be comma-separated. | 151 | Multiple ciphers must be comma-separated. |
152 | The supported ciphers are | ||
153 | .Dq 3des-cbc , | ||
154 | .Dq aes128-cbc , | ||
155 | .Dq aes192-cbc , | ||
156 | .Dq aes256-cbc , | ||
157 | .Dq aes128-ctr , | ||
158 | .Dq aes192-ctr , | ||
159 | .Dq aes256-ctr , | ||
160 | .Dq arcfour , | ||
161 | .Dq blowfish-cbc , | ||
162 | and | ||
163 | .Dq cast128-cbc . | ||
134 | The default is | 164 | The default is |
135 | .Pp | ||
136 | .Bd -literal | 165 | .Bd -literal |
137 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 166 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
138 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' | 167 | aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' |
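Review bot: the new "supported ciphers" enumeration (lines 152-163) and the default in the `.Bd -literal` block (lines 166-167) contain the same ten names, but in different orders: the enumeration is grouped by cipher family (3des, aes-cbc, aes-ctr, arcfour, blowfish, cast128) while the literal block gives the default order. A reader can mistake one of the two for a preference order; suggest either introducing the enumeration as "The supported ciphers are (in no particular order)" or noting that the literal block is the default setting. Also keep both lists in sync when a cipher is added or removed, since they now duplicate each other.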
@@ -193,7 +222,6 @@ can be used as | |||
193 | wildcards in the patterns. | 222 | wildcards in the patterns. |
194 | Only group names are valid; a numerical group ID is not recognized. | 223 | Only group names are valid; a numerical group ID is not recognized. |
195 | By default, login is allowed for all groups. | 224 | By default, login is allowed for all groups. |
196 | .Pp | ||
197 | .It Cm DenyUsers | 225 | .It Cm DenyUsers |
198 | This keyword can be followed by a list of user name patterns, separated | 226 | This keyword can be followed by a list of user name patterns, separated |
199 | by spaces. | 227 | by spaces. |
@@ -386,6 +414,12 @@ for data integrity protection. | |||
386 | Multiple algorithms must be comma-separated. | 414 | Multiple algorithms must be comma-separated. |
387 | The default is | 415 | The default is |
388 | .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . | 416 | .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
417 | .It Cm MaxAuthTries | ||
418 | Specifies the maximum number of authentication attempts permitted per | ||
419 | connection. | ||
420 | Once the number of failures reaches half this value, | ||
421 | additional failures are logged. | ||
422 | The default is 6. | ||
389 | .It Cm MaxStartups | 423 | .It Cm MaxStartups |
390 | Specifies the maximum number of concurrent unauthenticated connections to the | 424 | Specifies the maximum number of concurrent unauthenticated connections to the |
391 | .Nm sshd | 425 | .Nm sshd |
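Review bot: the new MaxAuthTries entry (lines 417-422) says what happens at half the limit ("additional failures are logged") but never says what happens when the limit itself is reached. Add a sentence stating the server's behaviour at the limit (for example, that the connection is closed, if that is what the implementation does), otherwise the administrator cannot tell whether the keyword bounds the attempts or only changes logging. Suggested wording for line 420: "Once the number of failures reaches half this value, additional failures are logged." is fine as is; the missing sentence belongs before "The default is 6."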
@@ -608,12 +642,25 @@ If | |||
608 | .Cm UsePrivilegeSeparation | 642 | .Cm UsePrivilegeSeparation |
609 | is specified, it will be disabled after authentication. | 643 | is specified, it will be disabled after authentication. |
610 | .It Cm UsePAM | 644 | .It Cm UsePAM |
611 | Enables PAM authentication (via challenge-response) and session set up. | 645 | Enables the Pluggable Authentication Module interface. |
612 | If you enable this, you should probably disable | 646 | If set to |
613 | .Cm PasswordAuthentication . | 647 | .Dq yes |
614 | If you enable | 648 | this will enable PAM authentication using |
615 | .CM UsePAM | 649 | .Cm ChallengeResponseAuthentication |
616 | then you will not be able to run sshd as a non-root user. The default is | 650 | and PAM account and session module processing for all authentication types. |
651 | .Pp | ||
652 | Because PAM challenge-response authentication usually serves an equivalent | ||
653 | role to password authentication, you should disable either | ||
654 | .Cm PasswordAuthentication | ||
655 | or | ||
656 | .Cm ChallengeResponseAuthentication. | ||
657 | .Pp | ||
658 | If | ||
659 | .Cm UsePAM | ||
660 | is enabled, you will not be able to run | ||
661 | .Xr sshd 8 | ||
662 | as a non-root user. | ||
663 | The default is | ||
617 | .Dq no . | 664 | .Dq no . |
618 | .It Cm UsePrivilegeSeparation | 665 | .It Cm UsePrivilegeSeparation |
619 | Specifies whether | 666 | Specifies whether |
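Review bot: line 656, `.Cm ChallengeResponseAuthentication.`, attaches the period to the macro argument, so mdoc will render it as part of the keyword and the sentence terminator is lost; write it as `.Cm ChallengeResponseAuthentication .` with a space, as done for `.Dq no .` on line 664 and `.Xr sshd 8` on line 661. The rewrite otherwise improves on the old text: it fixes the `.CM UsePAM` typo (old line 615), replaces the vague "you should probably disable PasswordAuthentication" with the reason (PAM challenge-response usually serves an equivalent role) and the actual choice (disable either PasswordAuthentication or ChallengeResponseAuthentication), and states that PAM account and session processing applies to all authentication types. One small gap remains: the new text says which of the two to disable is the administrator's choice but does not say that leaving both enabled means a password can be tried through two code paths; a short clause to that effect would make the advice self-explanatory.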