sshd_config.5 (215116) | sshd_config.5 (221420) |
---|---|
1.\" -*- nroff -*- | |
2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is --- 19 unchanged lines hidden (view full) --- 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" | 1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is --- 19 unchanged lines hidden (view full) --- 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" |
37.\" $OpenBSD: sshd_config.5,v 1.125 2010/06/30 07:28:34 jmc Exp $ 38.\" $FreeBSD: head/crypto/openssh/sshd_config.5 215116 2010-11-11 11:46:19Z des $ 39.Dd June 30, 2010 | 36.\" $OpenBSD: sshd_config.5,v 1.131 2010/12/08 04:02:47 djm Exp $ 37.\" $FreeBSD: head/crypto/openssh/sshd_config.5 221420 2011-05-04 07:34:44Z des $ 38.Dd December 8, 2010 |
40.Dt SSHD_CONFIG 5 41.Os 42.Sh NAME 43.Nm sshd_config 44.Nd OpenSSH SSH daemon configuration file 45.Sh SYNOPSIS 46.Nm /etc/ssh/sshd_config 47.Sh DESCRIPTION --- 418 unchanged lines hidden (view full) --- 466.Xr sshd 8 467is not to load any certificates. 468.It Cm HostKey 469Specifies a file containing a private host key 470used by SSH. 471The default is 472.Pa /etc/ssh/ssh_host_key 473for protocol version 1, and | 39.Dt SSHD_CONFIG 5 40.Os 41.Sh NAME 42.Nm sshd_config 43.Nd OpenSSH SSH daemon configuration file 44.Sh SYNOPSIS 45.Nm /etc/ssh/sshd_config 46.Sh DESCRIPTION --- 418 unchanged lines hidden (view full) --- 465.Xr sshd 8 466is not to load any certificates. 467.It Cm HostKey 468Specifies a file containing a private host key 469used by SSH. 470The default is 471.Pa /etc/ssh/ssh_host_key 472for protocol version 1, and |
474.Pa /etc/ssh/ssh_host_rsa_key | 473.Pa /etc/ssh/ssh_host_dsa_key , 474.Pa /etc/ssh/ssh_host_ecdsa_key |
475and | 475and |
476.Pa /etc/ssh/ssh_host_dsa_key | 476.Pa /etc/ssh/ssh_host_rsa_key |
477for protocol version 2. 478Note that 479.Xr sshd 8 480will refuse to use a file if it is group/world-accessible. 481It is possible to have multiple host key files. 482.Dq rsa1 483keys are used for version 1 and | 477for protocol version 2. 478Note that 479.Xr sshd 8 480will refuse to use a file if it is group/world-accessible. 481It is possible to have multiple host key files. 482.Dq rsa1 483keys are used for version 1 and |
484.Dq dsa | 484.Dq dsa , 485.Dq ecdsa |
485or 486.Dq rsa 487are used for version 2 of the SSH protocol. 488.It Cm IgnoreRhosts 489Specifies that 490.Pa .rhosts 491and 492.Pa .shosts --- 14 unchanged lines hidden (view full) --- 507should ignore the user's 508.Pa ~/.ssh/known_hosts 509during 510.Cm RhostsRSAAuthentication 511or 512.Cm HostbasedAuthentication . 513The default is 514.Dq no . | 486or 487.Dq rsa 488are used for version 2 of the SSH protocol. 489.It Cm IgnoreRhosts 490Specifies that 491.Pa .rhosts 492and 493.Pa .shosts --- 14 unchanged lines hidden (view full) --- 508should ignore the user's 509.Pa ~/.ssh/known_hosts 510during 511.Cm RhostsRSAAuthentication 512or 513.Cm HostbasedAuthentication . 514The default is 515.Dq no . |
516.It Cm IPQoS 517Specifies the IPv4 type-of-service or DSCP class for the connection. 518Accepted values are 519.Dq af11 , 520.Dq af12 , 521.Dq af13 , 522.Dq af14 , 523.Dq af22 , 524.Dq af23 , 525.Dq af31 , 526.Dq af32 , 527.Dq af33 , 528.Dq af41 , 529.Dq af42 , 530.Dq af43 , 531.Dq cs0 , 532.Dq cs1 , 533.Dq cs2 , 534.Dq cs3 , 535.Dq cs4 , 536.Dq cs5 , 537.Dq cs6 , 538.Dq cs7 , 539.Dq ef , 540.Dq lowdelay , 541.Dq throughput , 542.Dq reliability , 543or a numeric value. 544This option may take one or two arguments, separated by whitespace. 545If one argument is specified, it is used as the packet class unconditionally. 546If two values are specified, the first is automatically selected for 547interactive sessions and the second for non-interactive sessions. 548The default is 549.Dq lowdelay 550for interactive sessions and 551.Dq throughput 552for non-interactive sessions. |
|
515.It Cm KerberosAuthentication 516Specifies whether the password provided by the user for 517.Cm PasswordAuthentication 518will be validated through the Kerberos KDC. 519To use this option, the server needs a 520Kerberos servtab which allows the verification of the KDC's identity. 521The default is 522.Dq no . --- 9 unchanged lines hidden (view full) --- 532.Pa /etc/passwd . 533The default is 534.Dq yes . 535.It Cm KerberosTicketCleanup 536Specifies whether to automatically destroy the user's ticket cache 537file on logout. 538The default is 539.Dq yes . | 553.It Cm KerberosAuthentication 554Specifies whether the password provided by the user for 555.Cm PasswordAuthentication 556will be validated through the Kerberos KDC. 557To use this option, the server needs a 558Kerberos servtab which allows the verification of the KDC's identity. 559The default is 560.Dq no . --- 9 unchanged lines hidden (view full) --- 570.Pa /etc/passwd . 571The default is 572.Dq yes . 573.It Cm KerberosTicketCleanup 574Specifies whether to automatically destroy the user's ticket cache 575file on logout. 576The default is 577.Dq yes . |
578.It Cm KexAlgorithms 579Specifies the available KEX (Key Exchange) algorithms. 580Multiple algorithms must be comma-separated. 581The default is 582.Dq ecdh-sha2-nistp256 , 583.Dq ecdh-sha2-nistp384 , 584.Dq ecdh-sha2-nistp521 , 585.Dq diffie-hellman-group-exchange-sha256 , 586.Dq diffie-hellman-group-exchange-sha1 , 587.Dq diffie-hellman-group14-sha1 , 588.Dq diffie-hellman-group1-sha1 . |
|
540.It Cm KeyRegenerationInterval 541In protocol version 1, the ephemeral server key is automatically regenerated 542after this many seconds (if it has been used). 543The purpose of regeneration is to prevent 544decrypting captured sessions by later breaking into the machine and 545stealing the keys. 546The key is never stored anywhere. 547If the value is 0, the key is never regenerated. --- 484 unchanged lines hidden (view full) --- 1032The goal of privilege separation is to prevent privilege 1033escalation by containing any corruption within the unprivileged processes. 1034The default is 1035.Dq yes . 1036.It Cm VersionAddendum 1037Specifies a string to append to the regular version string to identify 1038OS- or site-specific modifications. 1039The default is | 589.It Cm KeyRegenerationInterval 590In protocol version 1, the ephemeral server key is automatically regenerated 591after this many seconds (if it has been used). 592The purpose of regeneration is to prevent 593decrypting captured sessions by later breaking into the machine and 594stealing the keys. 595The key is never stored anywhere. 596If the value is 0, the key is never regenerated. --- 484 unchanged lines hidden (view full) --- 1081The goal of privilege separation is to prevent privilege 1082escalation by containing any corruption within the unprivileged processes. 1083The default is 1084.Dq yes . 1085.It Cm VersionAddendum 1086Specifies a string to append to the regular version string to identify 1087OS- or site-specific modifications. 1088The default is |
1040.Dq FreeBSD-20101111 . | 1089.Dq FreeBSD-20110503 . |
1041.It Cm X11DisplayOffset 1042Specifies the first display number available for 1043.Xr sshd 8 Ns 's 1044X11 forwarding. 1045This prevents sshd from interfering with real X11 servers. 1046The default is 10. 1047.It Cm X11Forwarding 1048Specifies whether X11 forwarding is permitted. --- 126 unchanged lines hidden --- | 1090.It Cm X11DisplayOffset 1091Specifies the first display number available for 1092.Xr sshd 8 Ns 's 1093X11 forwarding. 1094This prevents sshd from interfering with real X11 servers. 1095The default is 10. 1096.It Cm X11Forwarding 1097Specifies whether X11 forwarding is permitted. --- 126 unchanged lines hidden --- |
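
Review bot: In the HostKey entry, the protocol version 2 default now names three files (ssh_host_dsa_key, ssh_host_ecdsa_key and ssh_host_rsa_key), but the text does not say what sshd does when one of the default files is absent. A host set up under the previous revision's defaults (ssh_host_rsa_key and ssh_host_dsa_key only) will not necessarily have an ECDSA key. Suggest one sentence stating whether a missing default key file is skipped or treated as an error, placed next to the existing note that a group/world-accessible file is refused.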
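
Review bot: In the new IPQoS entry, "af14" in the accepted-values list looks like a typo for "af21". The list runs af11, af12, af13, af14, af22, af23, so the af2x group has only two members while af1x, af3x and af4x each have three, and no other class ends in 4. Suggest replacing the `.Dq af14 ,` line with `.Dq af21 ,` after confirming against the keyword table the parser accepts. The same entry also switches between "argument" and "values" for the same thing ("If one argument is specified" / "If two values are specified"), so pick one term.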
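
Review bot: In the new KexAlgorithms entry, the default is written as seven separate `.Dq` items joined by " , ", which renders as seven individually quoted strings separated by spaces, while the sentence before it says multiple algorithms must be comma-separated. An administrator copying the default into sshd_config gets a value in the wrong form. Suggest showing the default as a single comma-separated string with no spaces, and stating whether the order of the list expresses preference, so that someone trimming the SHA-1 based entries at the end (diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1) knows what the remaining order means.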