From d984a3c6658e950881edcfb2aae464add93f68d4 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 1 Sep 2003 00:45:47 +0000 Subject: Import OpenSSH 3.4p1. --- sshd_config.0 | 445 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 445 insertions(+) create mode 100644 sshd_config.0 (limited to 'sshd_config.0') diff --git a/sshd_config.0 b/sshd_config.0 new file mode 100644 index 000000000..720cc3f80 --- /dev/null +++ b/sshd_config.0 @@ -0,0 +1,445 @@ +SSHD_CONFIG(5) System File Formats Manual SSHD_CONFIG(5) + +NAME + sshd_config - OpenSSH SSH daemon configuration file + +SYNOPSIS + /etc/ssh/sshd_config + +DESCRIPTION + sshd reads configuration data from /etc/ssh/sshd_config (or the file + specified with -f on the command line). The file contains keyword-arguM-- + ment pairs, one per line. Lines starting with `#' and empty lines are + interpreted as comments. + + The possible keywords and their meanings are as follows (note that keyM-- + words are case-insensitive and arguments are case-sensitive): + + AFSTokenPassing + Specifies whether an AFS token may be forwarded to the server. + Default is ``no''. + + AllowGroups + This keyword can be followed by a list of group name patterns, + separated by spaces. If specified, login is allowed only for + users whose primary group or supplementary group list matches one + of the patterns. `*' and `'? can be used as wildcards in the + patterns. Only group names are valid; a numerical group ID is + not recognized. By default, login is allowed for all groups. + + AllowTcpForwarding + Specifies whether TCP forwarding is permitted. The default is + ``yes''. Note that disabling TCP forwarding does not improve + security unless users are also denied shell access, as they can + always install their own forwarders. + + AllowUsers + This keyword can be followed by a list of user name patterns, + separated by spaces. If specified, login is allowed only for + users names that match one of the patterns. `*' and `'? can be + used as wildcards in the patterns. Only user names are valid; a + numerical user ID is not recognized. By default, login is + allowed for all users. If the pattern takes the form USER@HOST + then USER and HOST are separately checked, restricting logins to + particular users from particular hosts. + + AuthorizedKeysFile + Specifies the file that contains the public keys that can be used + for user authentication. AuthorizedKeysFile may contain tokens + of the form %T which are substituted during connection set-up. + The following tokens are defined: %% is replaced by a literal + '%', %h is replaced by the home directory of the user being + authenticated and %u is replaced by the username of that user. + After expansion, AuthorizedKeysFile is taken to be an absolute + path or one relative to the user's home directory. The default + is ``.ssh/authorized_keys''. + + Banner In some jurisdictions, sending a warning message before authentiM-- + cation may be relevant for getting legal protection. The conM-- + tents of the specified file are sent to the remote user before + authentication is allowed. This option is only available for + protocol version 2. By default, no banner is displayed. + + ChallengeResponseAuthentication + Specifies whether challenge response authentication is allowed. + All authentication styles from login.conf(5) are supported. The + default is ``yes''. + + Ciphers + Specifies the ciphers allowed for protocol version 2. Multiple + ciphers must be comma-separated. The default is + + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, + aes192-cbc,aes256-cbc'' + + ClientAliveInterval + Sets a timeout interval in seconds after which if no data has + been received from the client, sshd will send a message through + the encrypted channel to request a response from the client. The + default is 0, indicating that these messages will not be sent to + the client. This option applies to protocol version 2 only. + + ClientAliveCountMax + Sets the number of client alive messages (see above) which may be + sent without sshd receiving any messages back from the client. If + this threshold is reached while client alive messages are being + sent, sshd will disconnect the client, terminating the session. + It is important to note that the use of client alive messages is + very different from KeepAlive (below). The client alive messages + are sent through the encrypted channel and therefore will not be + spoofable. The TCP keepalive option enabled by KeepAlive is + spoofable. The client alive mechanism is valuable when the client + or server depend on knowing when a connection has become inacM-- + tive. + + The default value is 3. If ClientAliveInterval (above) is set to + 15, and ClientAliveCountMax is left at the default, unresponsive + ssh clients will be disconnected after approximately 45 seconds. + + Compression + Specifies whether compression is allowed. The argument must be + ``yes'' or ``no''. The default is ``yes''. + + DenyGroups + This keyword can be followed by a list of group name patterns, + separated by spaces. Login is disallowed for users whose primary + group or supplementary group list matches one of the patterns. + `*' and `'? can be used as wildcards in the patterns. Only + group names are valid; a numerical group ID is not recognized. + By default, login is allowed for all groups. + + DenyUsers + This keyword can be followed by a list of user name patterns, + separated by spaces. Login is disallowed for user names that + match one of the patterns. `*' and `'? can be used as wildcards + in the patterns. Only user names are valid; a numerical user ID + is not recognized. By default, login is allowed for all users. + If the pattern takes the form USER@HOST then USER and HOST are + separately checked, restricting logins to particular users from + particular hosts. + + GatewayPorts + Specifies whether remote hosts are allowed to connect to ports + forwarded for the client. By default, sshd binds remote port + forwardings to the loopback address. This prevents other remote + hosts from connecting to forwarded ports. GatewayPorts can be + used to specify that sshd should bind remote port forwardings to + the wildcard address, thus allowing remote hosts to connect to + forwarded ports. The argument must be ``yes'' or ``no''. The + default is ``no''. + + HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication + together with successful public key client host authentication is + allowed (hostbased authentication). This option is similar to + RhostsRSAAuthentication and applies to protocol version 2 only. + The default is ``no''. + + HostKey + Specifies a file containing a private host key used by SSH. The + default is /etc/ssh/ssh_host_key for protocol version 1, and + /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for proM-- + tocol version 2. Note that sshd will refuse to use a file if it + is group/world-accessible. It is possible to have multiple host + key files. ``rsa1'' keys are used for version 1 and ``dsa'' or + ``rsa'' are used for version 2 of the SSH protocol. + + IgnoreRhosts + Specifies that .rhosts and .shosts files will not be used in + RhostsAuthentication, RhostsRSAAuthentication or + HostbasedAuthentication. + + /etc/hosts.equiv and /etc/shosts.equiv are still used. The + default is ``yes''. + + IgnoreUserKnownHosts + Specifies whether sshd should ignore the user's + $HOME/.ssh/known_hosts during RhostsRSAAuthentication or + HostbasedAuthentication. The default is ``no''. + + KeepAlive + Specifies whether the system should send TCP keepalive messages + to the other side. If they are sent, death of the connection or + crash of one of the machines will be properly noticed. However, + this means that connections will die if the route is down temM-- + porarily, and some people find it annoying. On the other hand, + if keepalives are not sent, sessions may hang indefinitely on the + server, leaving ``ghost'' users and consuming server resources. + + The default is ``yes'' (to send keepalives), and the server will + notice if the network goes down or the client host crashes. This + avoids infinitely hanging sessions. + + To disable keepalives, the value should be set to ``no''. + + KerberosAuthentication + Specifies whether Kerberos authentication is allowed. This can + be in the form of a Kerberos ticket, or if PasswordAuthentication + is yes, the password provided by the user will be validated + through the Kerberos KDC. To use this option, the server needs a + Kerberos servtab which allows the verification of the KDC's idenM-- + tity. Default is ``no''. + + KerberosOrLocalPasswd + If set then if password authentication through Kerberos fails + then the password will be validated via any additional local + mechanism such as /etc/passwd. Default is ``yes''. + + KerberosTgtPassing + Specifies whether a Kerberos TGT may be forwarded to the server. + Default is ``no'', as this only works when the Kerberos KDC is + actually an AFS kaserver. + + KerberosTicketCleanup + Specifies whether to automatically destroy the user's ticket + cache file on logout. Default is ``yes''. + + KeyRegenerationInterval + In protocol version 1, the ephemeral server key is automatically + regenerated after this many seconds (if it has been used). The + purpose of regeneration is to prevent decrypting captured sesM-- + sions by later breaking into the machine and stealing the keys. + The key is never stored anywhere. If the value is 0, the key is + never regenerated. The default is 3600 (seconds). + + ListenAddress + Specifies the local addresses sshd should listen on. The followM-- + ing forms may be used: + + ListenAddress host|IPv4_addr|IPv6_addr + ListenAddress host|IPv4_addr:port + ListenAddress [host|IPv6_addr]:port + + If port is not specified, sshd will listen on the address and all + prior Port options specified. The default is to listen on all + local addresses. Multiple ListenAddress options are permitted. + Additionally, any Port options must precede this option for non + port qualified addresses. + + LoginGraceTime + The server disconnects after this time if the user has not sucM-- + cessfully logged in. If the value is 0, there is no time limit. + The default is 600 (seconds). + + LogLevel + Gives the verbosity level that is used when logging messages from + sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-- + BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. + DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify + higher levels of debugging output. Logging with a DEBUG level + violates the privacy of users and is not recommended. + + MACs Specifies the available MAC (message authentication code) algoM-- + rithms. The MAC algorithm is used in protocol version 2 for data + integrity protection. Multiple algorithms must be comma-sepaM-- + rated. The default is + ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. + + MaxStartups + Specifies the maximum number of concurrent unauthenticated conM-- + nections to the sshd daemon. Additional connections will be + dropped until authentication succeeds or the LoginGraceTime + expires for a connection. The default is 10. + + Alternatively, random early drop can be enabled by specifying the + three colon separated values ``start:rate:full'' (e.g., + "10:30:60"). sshd will refuse connection attempts with a probaM-- + bility of ``rate/100'' (30%) if there are currently ``start'' + (10) unauthenticated connections. The probability increases linM-- + early and all connection attempts are refused if the number of + unauthenticated connections reaches ``full'' (60). + + PAMAuthenticationViaKbdInt + Specifies whether PAM challenge response authentication is + allowed. This allows the use of most PAM challenge response + authentication modules, but it will allow password authentication + regardless of whether PasswordAuthentication is enabled. + + PasswordAuthentication + Specifies whether password authentication is allowed. The + default is ``yes''. + + PermitEmptyPasswords + When password authentication is allowed, it specifies whether the + server allows login to accounts with empty password strings. The + default is ``no''. + + PermitRootLogin + Specifies whether root can login using ssh(1). The argument must + be ``yes'', ``without-password'', ``forced-commands-only'' or + ``no''. The default is ``yes''. + + If this option is set to ``without-password'' password authentiM-- + cation is disabled for root. + + If this option is set to ``forced-commands-only'' root login with + public key authentication will be allowed, but only if the + command option has been specified (which may be useful for taking + remote backups even if root login is normally not allowed). All + other authentication methods are disabled for root. + + If this option is set to ``no'' root is not allowed to login. + + PidFile + Specifies the file that contains the process ID of the sshd daeM-- + mon. The default is /var/run/sshd.pid. + + Port Specifies the port number that sshd listens on. The default is + 22. Multiple options of this type are permitted. See also + ListenAddress. + + PrintLastLog + Specifies whether sshd should print the date and time when the + user last logged in. The default is ``yes''. + + PrintMotd + Specifies whether sshd should print /etc/motd when a user logs in + interactively. (On some systems it is also printed by the shell, + /etc/profile, or equivalent.) The default is ``yes''. + + Protocol + Specifies the protocol versions sshd should support. The possiM-- + ble values are ``1'' and ``2''. Multiple versions must be comma- + separated. The default is ``2,1''. + + PubkeyAuthentication + Specifies whether public key authentication is allowed. The + default is ``yes''. Note that this option applies to protocol + version 2 only. + + RhostsAuthentication + Specifies whether authentication using rhosts or /etc/hosts.equiv + files is sufficient. Normally, this method should not be permitM-- + ted because it is insecure. RhostsRSAAuthentication should be + used instead, because it performs RSA-based host authentication + in addition to normal rhosts or /etc/hosts.equiv authentication. + The default is ``no''. This option applies to protocol version 1 + only. + + RhostsRSAAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication + together with successful RSA host authentication is allowed. The + default is ``no''. This option applies to protocol version 1 + only. + + RSAAuthentication + Specifies whether pure RSA authentication is allowed. The + default is ``yes''. This option applies to protocol version 1 + only. + + ServerKeyBits + Defines the number of bits in the ephemeral protocol version 1 + server key. The minimum value is 512, and the default is 768. + + StrictModes + Specifies whether sshd should check file modes and ownership of + the user's files and home directory before accepting login. This + is normally desirable because novices sometimes accidentally + leave their directory or files world-writable. The default is + ``yes''. + + Subsystem + Configures an external subsystem (e.g., file transfer daemon). + Arguments should be a subsystem name and a command to execute + upon subsystem request. The command sftp-server(8) implements + the ``sftp'' file transfer subsystem. By default no subsystems + are defined. Note that this option applies to protocol version 2 + only. + + SyslogFacility + Gives the facility code that is used when logging messages from + sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, + LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The + default is AUTH. + + UseLogin + Specifies whether login(1) is used for interactive login sesM-- + sions. The default is ``no''. Note that login(1) is never used + for remote command execution. Note also, that if this is + enabled, X11Forwarding will be disabled because login(1) does not + know how to handle xauth(1) cookies. If UsePrivilegeSeparation + is specified, it will be disabled after authentication. + + UsePrivilegeSeparation + Specifies whether sshd separates privileges by creating an + unprivileged child process to deal with incoming network traffic. + After successful authentication, another process will be created + that has the privilege of the authenticated user. The goal of + privilege separation is to prevent privilege escalation by conM-- + taining any corruption within the unprivileged processes. The + default is ``yes''. + + VerifyReverseMapping + Specifies whether sshd should try to verify the remote host name + and check that the resolved host name for the remote IP address + maps back to the very same IP address. The default is ``no''. + + X11DisplayOffset + Specifies the first display number available for sshd's X11 forM-- + warding. This prevents sshd from interfering with real X11 + servers. The default is 10. + + X11Forwarding + Specifies whether X11 forwarding is permitted. The default is + ``no''. Note that disabling X11 forwarding does not improve + security in any way, as users can always install their own forM-- + warders. X11 forwarding is automatically disabled if UseLogin is + enabled. + + X11UseLocalhost + Specifies whether sshd should bind the X11 forwarding server to + the loopback address or to the wildcard address. By default, + sshd binds the forwarding server to the loopback address and sets + the hostname part of the DISPLAY environment variable to + ``localhost''. This prevents remote hosts from connecting to the + fake display. However, some older X11 clients may not function + with this configuration. X11UseLocalhost may be set to ``no'' to + specify that the forwarding server should be bound to the wildM-- + card address. The argument must be ``yes'' or ``no''. The + default is ``yes''. + + XAuthLocation + Specifies the location of the xauth(1) program. The default is + /usr/X11R6/bin/xauth. + + Time Formats + + sshd command-line arguments and configuration file options that specify + time may be expressed using a sequence of the form: time[qualifier], + where time is a positive integer value and qualifier is one of the folM-- + lowing: + + seconds + s | S seconds + m | M minutes + h | H hours + d | D days + w | W weeks + + Each member of the sequence is added together to calculate the total time + value. + + Time format examples: + + 600 600 seconds (10 minutes) + 10m 10 minutes + 1h30m 1 hour 30 minutes (90 minutes) + +FILES + /etc/ssh/sshd_config + Contains configuration data for sshd. This file should be + writable by root only, but it is recommended (though not necesM-- + sary) that it be world-readable. + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +SEE ALSO + sshd(8) + +BSD September 25, 1999 BSD -- cgit v1.2.3