Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 74 |
1 files changed, 60 insertions, 14 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 251b7467f..e3c7c3936 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.253 2017/09/27 06:45:53 jmc Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.263 2018/02/16 02:40:45 djm Exp $ |
37 | .Dd $Mdocdate: September 27 2017 $ | 37 | .Dd $Mdocdate: February 16 2018 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -48,6 +48,7 @@ reads configuration data from | |||
48 | .Fl f | 48 | .Fl f |
49 | on the command line). | 49 | on the command line). |
50 | The file contains keyword-argument pairs, one per line. | 50 | The file contains keyword-argument pairs, one per line. |
51 | For each keyword, the first obtained value will be used. | ||
51 | Lines starting with | 52 | Lines starting with |
52 | .Ql # | 53 | .Ql # |
53 | and empty lines are interpreted as comments. | 54 | and empty lines are interpreted as comments. |
@@ -713,7 +714,6 @@ is not to load any certificates. | |||
713 | Specifies a file containing a private host key | 714 | Specifies a file containing a private host key |
714 | used by SSH. | 715 | used by SSH. |
715 | The defaults are | 716 | The defaults are |
716 | .Pa /etc/ssh/ssh_host_dsa_key , | ||
717 | .Pa /etc/ssh/ssh_host_ecdsa_key , | 717 | .Pa /etc/ssh/ssh_host_ecdsa_key , |
718 | .Pa /etc/ssh/ssh_host_ed25519_key | 718 | .Pa /etc/ssh/ssh_host_ed25519_key |
719 | and | 719 | and |
@@ -776,7 +776,9 @@ Specifies whether | |||
776 | should ignore the user's | 776 | should ignore the user's |
777 | .Pa ~/.ssh/known_hosts | 777 | .Pa ~/.ssh/known_hosts |
778 | during | 778 | during |
779 | .Cm HostbasedAuthentication . | 779 | .Cm HostbasedAuthentication |
780 | and use only the system-wide known hosts file | ||
781 | .Pa /etc/ssh/known_hosts . | ||
780 | The default is | 782 | The default is |
781 | .Cm no . | 783 | .Cm no . |
782 | .It Cm IPQoS | 784 | .It Cm IPQoS |
@@ -877,6 +879,12 @@ diffie-hellman-group1-sha1 | |||
877 | .It | 879 | .It |
878 | diffie-hellman-group14-sha1 | 880 | diffie-hellman-group14-sha1 |
879 | .It | 881 | .It |
882 | diffie-hellman-group14-sha256 | ||
883 | .It | ||
884 | diffie-hellman-group16-sha512 | ||
885 | .It | ||
886 | diffie-hellman-group18-sha512 | ||
887 | .It | ||
880 | diffie-hellman-group-exchange-sha1 | 888 | diffie-hellman-group-exchange-sha1 |
881 | .It | 889 | .It |
882 | diffie-hellman-group-exchange-sha256 | 890 | diffie-hellman-group-exchange-sha256 |
@@ -893,7 +901,8 @@ The default is: | |||
893 | curve25519-sha256,curve25519-sha256@libssh.org, | 901 | curve25519-sha256,curve25519-sha256@libssh.org, |
894 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | 902 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
895 | diffie-hellman-group-exchange-sha256, | 903 | diffie-hellman-group-exchange-sha256, |
896 | diffie-hellman-group14-sha1 | 904 | diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, |
905 | diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 | ||
897 | .Ed | 906 | .Ed |
898 | .Pp | 907 | .Pp |
899 | The list of available key exchange algorithms may also be obtained using | 908 | The list of available key exchange algorithms may also be obtained using |
@@ -908,31 +917,47 @@ The following forms may be used: | |||
908 | .It | 917 | .It |
909 | .Cm ListenAddress | 918 | .Cm ListenAddress |
910 | .Sm off | 919 | .Sm off |
911 | .Ar host | Ar IPv4_addr | Ar IPv6_addr | 920 | .Ar hostname | address |
921 | .Sm on | ||
922 | .Op Cm rdomain Ar domain | ||
923 | .It | ||
924 | .Cm ListenAddress | ||
925 | .Sm off | ||
926 | .Ar hostname : port | ||
912 | .Sm on | 927 | .Sm on |
928 | .Op Cm rdomain Ar domain | ||
913 | .It | 929 | .It |
914 | .Cm ListenAddress | 930 | .Cm ListenAddress |
915 | .Sm off | 931 | .Sm off |
916 | .Ar host | Ar IPv4_addr : Ar port | 932 | .Ar IPv4_address : port |
917 | .Sm on | 933 | .Sm on |
934 | .Op Cm rdomain Ar domain | ||
918 | .It | 935 | .It |
919 | .Cm ListenAddress | 936 | .Cm ListenAddress |
920 | .Sm off | 937 | .Sm off |
921 | .Oo | 938 | .Oo Ar hostname | address Oc : Ar port |
922 | .Ar host | Ar IPv6_addr Oc : Ar port | ||
923 | .Sm on | 939 | .Sm on |
940 | .Op Cm rdomain Ar domain | ||
924 | .El | 941 | .El |
925 | .Pp | 942 | .Pp |
943 | The optional | ||
944 | .Cm rdomain | ||
945 | qualifier requests | ||
946 | .Xr sshd 8 | ||
947 | listen in an explicit routing domain. | ||
926 | If | 948 | If |
927 | .Ar port | 949 | .Ar port |
928 | is not specified, | 950 | is not specified, |
929 | sshd will listen on the address and all | 951 | sshd will listen on the address and all |
930 | .Cm Port | 952 | .Cm Port |
931 | options specified. | 953 | options specified. |
932 | The default is to listen on all local addresses. | 954 | The default is to listen on all local addresses on the current default |
955 | routing domain. | ||
933 | Multiple | 956 | Multiple |
934 | .Cm ListenAddress | 957 | .Cm ListenAddress |
935 | options are permitted. | 958 | options are permitted. |
959 | For more information on routing domains, see | ||
960 | .Xr rdomain 4 . | ||
936 | .It Cm LoginGraceTime | 961 | .It Cm LoginGraceTime |
937 | The server disconnects after this time if the user has not | 962 | The server disconnects after this time if the user has not |
938 | successfully logged in. | 963 | successfully logged in. |
@@ -1036,8 +1061,15 @@ The available criteria are | |||
1036 | .Cm Host , | 1061 | .Cm Host , |
1037 | .Cm LocalAddress , | 1062 | .Cm LocalAddress , |
1038 | .Cm LocalPort , | 1063 | .Cm LocalPort , |
1064 | .Cm RDomain , | ||
1039 | and | 1065 | and |
1040 | .Cm Address . | 1066 | .Cm Address |
1067 | (with | ||
1068 | .Cm RDomain | ||
1069 | representing the | ||
1070 | .Xr rdomain 4 | ||
1071 | on which the connection was received.) | ||
1072 | .Pp | ||
1041 | The match patterns may consist of single entries or comma-separated | 1073 | The match patterns may consist of single entries or comma-separated |
1042 | lists and may use the wildcard and negation operators described in the | 1074 | lists and may use the wildcard and negation operators described in the |
1043 | .Sx PATTERNS | 1075 | .Sx PATTERNS |
@@ -1100,6 +1132,7 @@ Available keywords are | |||
1100 | .Cm PubkeyAuthentication , | 1132 | .Cm PubkeyAuthentication , |
1101 | .Cm RekeyLimit , | 1133 | .Cm RekeyLimit , |
1102 | .Cm RevokedKeys , | 1134 | .Cm RevokedKeys , |
1135 | .Cm RDomain , | ||
1103 | .Cm StreamLocalBindMask , | 1136 | .Cm StreamLocalBindMask , |
1104 | .Cm StreamLocalBindUnlink , | 1137 | .Cm StreamLocalBindUnlink , |
1105 | .Cm TrustedUserCAKeys , | 1138 | .Cm TrustedUserCAKeys , |
@@ -1188,7 +1221,6 @@ Specifies whether root can log in using | |||
1188 | The argument must be | 1221 | The argument must be |
1189 | .Cm yes , | 1222 | .Cm yes , |
1190 | .Cm prohibit-password , | 1223 | .Cm prohibit-password , |
1191 | .Cm without-password , | ||
1192 | .Cm forced-commands-only , | 1224 | .Cm forced-commands-only , |
1193 | or | 1225 | or |
1194 | .Cm no . | 1226 | .Cm no . |
@@ -1197,8 +1229,8 @@ The default is | |||
1197 | .Pp | 1229 | .Pp |
1198 | If this option is set to | 1230 | If this option is set to |
1199 | .Cm prohibit-password | 1231 | .Cm prohibit-password |
1200 | or | 1232 | (or its deprecated alias, |
1201 | .Cm without-password , | 1233 | .Cm without-password ) , |
1202 | password and keyboard-interactive authentication are disabled for root. | 1234 | password and keyboard-interactive authentication are disabled for root. |
1203 | .Pp | 1235 | .Pp |
1204 | If this option is set to | 1236 | If this option is set to |
@@ -1361,6 +1393,15 @@ an OpenSSH Key Revocation List (KRL) as generated by | |||
1361 | .Xr ssh-keygen 1 . | 1393 | .Xr ssh-keygen 1 . |
1362 | For more information on KRLs, see the KEY REVOCATION LISTS section in | 1394 | For more information on KRLs, see the KEY REVOCATION LISTS section in |
1363 | .Xr ssh-keygen 1 . | 1395 | .Xr ssh-keygen 1 . |
1396 | .It Cm RDomain | ||
1397 | Specifies an explicit routing domain that is applied after authentication | ||
1398 | has completed. | ||
1399 | The user session, as well and any forwarded or listening IP sockets, | ||
1400 | will be bound to this | ||
1401 | .Xr rdomain 4 . | ||
1402 | If the routing domain is set to | ||
1403 | .Cm \&%D , | ||
1404 | then the domain in which the incoming connection was received will be applied. | ||
1364 | .It Cm StreamLocalBindMask | 1405 | .It Cm StreamLocalBindMask |
1365 | Sets the octal file creation mode mask | 1406 | Sets the octal file creation mode mask |
1366 | .Pq umask | 1407 | .Pq umask |
@@ -1626,6 +1667,8 @@ which are expanded at runtime: | |||
1626 | .It %% | 1667 | .It %% |
1627 | A literal | 1668 | A literal |
1628 | .Sq % . | 1669 | .Sq % . |
1670 | .It \&%D | ||
1671 | The routing domain in which the incoming connection was received. | ||
1629 | .It %F | 1672 | .It %F |
1630 | The fingerprint of the CA key. | 1673 | The fingerprint of the CA key. |
1631 | .It %f | 1674 | .It %f |
@@ -1662,6 +1705,9 @@ accepts the tokens %%, %h, and %u. | |||
1662 | .Pp | 1705 | .Pp |
1663 | .Cm ChrootDirectory | 1706 | .Cm ChrootDirectory |
1664 | accepts the tokens %%, %h, and %u. | 1707 | accepts the tokens %%, %h, and %u. |
1708 | .Pp | ||
1709 | .Cm RoutingDomain | ||
1710 | accepts the token %D. | ||
1665 | .Sh FILES | 1711 | .Sh FILES |
1666 | .Bl -tag -width Ds | 1712 | .Bl -tag -width Ds |
1667 | .It Pa /etc/ssh/sshd_config | 1713 | .It Pa /etc/ssh/sshd_config |
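Review bot: The new TOKENS paragraph names the keyword `RoutingDomain`, but the option this diff actually defines and lists under Match is `RDomain` (`.It Cm RDomain` in the keyword section and the Match keyword list), so an administrator looking up which keyword accepts %D is pointed at an option that does not exist. Change `.Cm RoutingDomain` to `.Cm RDomain` so the token table matches the option name. In the same file section, the RDomain description reads "as well and any forwarded or listening IP sockets" where "as well as" is meant; since that sentence is the one stating that forwarded sockets are also confined to the routing domain, it is worth getting right.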