sshd_config.0 (214979) sshd_config.0 (218767)
1SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
2
3NAME
4 sshd_config - OpenSSH SSH daemon configuration file
5
6SYNOPSIS
7 /etc/ssh/sshd_config
8

--- 258 unchanged lines hidden (view full) ---

267 Specifies a file containing a public host certificate. The
268 certificate's public key must match a private host key already
269 specified by HostKey. The default behaviour of sshd(8) is not to
270 load any certificates.
271
272 HostKey
273 Specifies a file containing a private host key used by SSH. The
274 default is /etc/ssh/ssh_host_key for protocol version 1, and
1SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
2
3NAME
4 sshd_config - OpenSSH SSH daemon configuration file
5
6SYNOPSIS
7 /etc/ssh/sshd_config
8

--- 258 unchanged lines hidden (view full) ---

267 Specifies a file containing a public host certificate. The
268 certificate's public key must match a private host key already
269 specified by HostKey. The default behaviour of sshd(8) is not to
270 load any certificates.
271
272 HostKey
273 Specifies a file containing a private host key used by SSH. The
274 default is /etc/ssh/ssh_host_key for protocol version 1, and
275 /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for
276 protocol version 2. Note that sshd(8) will refuse to use a file
277 if it is group/world-accessible. It is possible to have multiple
278 host key files. ``rsa1'' keys are used for version 1 and ``dsa''
279 or ``rsa'' are used for version 2 of the SSH protocol.
275 /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key and
276 /etc/ssh/ssh_host_rsa_key for protocol version 2. Note that
277 sshd(8) will refuse to use a file if it is group/world-
278 accessible. It is possible to have multiple host key files.
279 ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or
280 ``rsa'' are used for version 2 of the SSH protocol.
280
281 IgnoreRhosts
282 Specifies that .rhosts and .shosts files will not be used in
283 RhostsRSAAuthentication or HostbasedAuthentication.
284
285 /etc/hosts.equiv and /etc/shosts.equiv are still used. The
286 default is ``yes''.
287
288 IgnoreUserKnownHosts
289 Specifies whether sshd(8) should ignore the user's
290 ~/.ssh/known_hosts during RhostsRSAAuthentication or
291 HostbasedAuthentication. The default is ``no''.
292
281
282 IgnoreRhosts
283 Specifies that .rhosts and .shosts files will not be used in
284 RhostsRSAAuthentication or HostbasedAuthentication.
285
286 /etc/hosts.equiv and /etc/shosts.equiv are still used. The
287 default is ``yes''.
288
289 IgnoreUserKnownHosts
290 Specifies whether sshd(8) should ignore the user's
291 ~/.ssh/known_hosts during RhostsRSAAuthentication or
292 HostbasedAuthentication. The default is ``no''.
293
294 IPQoS Specifies the IPv4 type-of-service or DSCP class for the
295 connection. Accepted values are ``af11'', ``af12'', ``af13'',
296 ``af14'', ``af22'', ``af23'', ``af31'', ``af32'', ``af33'',
297 ``af41'', ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'',
298 ``cs4'', ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'',
299 ``throughput'', ``reliability'', or a numeric value. This option
300 may take one or two arguments, separated by whitespace. If one
301 argument is specified, it is used as the packet class
302 unconditionally. If two values are specified, the first is
303 automatically selected for interactive sessions and the second
304 for non-interactive sessions. The default is ``lowdelay'' for
305 interactive sessions and ``throughput'' for non-interactive
306 sessions.
307
293 KerberosAuthentication
294 Specifies whether the password provided by the user for
295 PasswordAuthentication will be validated through the Kerberos
296 KDC. To use this option, the server needs a Kerberos servtab
297 which allows the verification of the KDC's identity. The default
298 is ``no''.
299
300 KerberosGetAFSToken
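Review bot: The accepted-values list in the new IPQoS entry (new lines 295-296) contains ``af14'' and has no ``af21'', while every other assured-forwarding class is listed only with drop precedences 1 to 3 (``af11''-``af13'', ``af22''-``af23'', ``af31''-``af33'', ``af41''-``af43''). DSCP assured forwarding defines three drop precedences per class, so ``af14'' looks like a typo for ``af21''; please check the list against the keywords the option parser accepts and correct the text. The entry also says only "IPv4 type-of-service", so it should state what happens for connections over IPv6.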

--- 5 unchanged lines hidden (view full) ---

306 If password authentication through Kerberos fails then the
307 password will be validated via any additional local mechanism
308 such as /etc/passwd. The default is ``yes''.
309
310 KerberosTicketCleanup
311 Specifies whether to automatically destroy the user's ticket
312 cache file on logout. The default is ``yes''.
313
308 KerberosAuthentication
309 Specifies whether the password provided by the user for
310 PasswordAuthentication will be validated through the Kerberos
311 KDC. To use this option, the server needs a Kerberos servtab
312 which allows the verification of the KDC's identity. The default
313 is ``no''.
314
315 KerberosGetAFSToken

--- 5 unchanged lines hidden (view full) ---

321 If password authentication through Kerberos fails then the
322 password will be validated via any additional local mechanism
323 such as /etc/passwd. The default is ``yes''.
324
325 KerberosTicketCleanup
326 Specifies whether to automatically destroy the user's ticket
327 cache file on logout. The default is ``yes''.
328
329 KexAlgorithms
330 Specifies the available KEX (Key Exchange) algorithms. Multiple
331 algorithms must be comma-separated. The default is
332 ``ecdh-sha2-nistp256'', ``ecdh-sha2-nistp384'',
333 ``ecdh-sha2-nistp521'', ``diffie-hellman-group-exchange-sha256'',
334 ``diffie-hellman-group-exchange-sha1'',
335 ``diffie-hellman-group14-sha1'', ``diffie-hellman-group1-sha1''.
336
314 KeyRegenerationInterval
315 In protocol version 1, the ephemeral server key is automatically
316 regenerated after this many seconds (if it has been used). The
317 purpose of regeneration is to prevent decrypting captured
318 sessions by later breaking into the machine and stealing the
319 keys. The key is never stored anywhere. If the value is 0, the
320 key is never regenerated. The default is 3600 (seconds).
321
322 ListenAddress
323 Specifies the local addresses sshd(8) should listen on. The
324 following forms may be used:
325
337 KeyRegenerationInterval
338 In protocol version 1, the ephemeral server key is automatically
339 regenerated after this many seconds (if it has been used). The
340 purpose of regeneration is to prevent decrypting captured
341 sessions by later breaking into the machine and stealing the
342 keys. The key is never stored anywhere. If the value is 0, the
343 key is never regenerated. The default is 3600 (seconds).
344
345 ListenAddress
346 Specifies the local addresses sshd(8) should listen on. The
347 following forms may be used:
348
326 ListenAddress host | IPv4_addr | IPv6_addr
327 ListenAddress host | IPv4_addr:port
349 ListenAddress host|IPv4_addr|IPv6_addr
350 ListenAddress host|IPv4_addr:port
328 ListenAddress [host|IPv6_addr]:port
329
330 If port is not specified, sshd will listen on the address and all
331 prior Port options specified. The default is to listen on all
332 local addresses. Multiple ListenAddress options are permitted.
333 Additionally, any Port options must precede this option for non-
334 port qualified addresses.
335

--- 83 unchanged lines hidden (view full) ---

419
420 PermitOpen
421 Specifies the destinations to which TCP port forwarding is
422 permitted. The forwarding specification must be one of the
423 following forms:
424
425 PermitOpen host:port
426 PermitOpen IPv4_addr:port
351 ListenAddress [host|IPv6_addr]:port
352
353 If port is not specified, sshd will listen on the address and all
354 prior Port options specified. The default is to listen on all
355 local addresses. Multiple ListenAddress options are permitted.
356 Additionally, any Port options must precede this option for non-
357 port qualified addresses.
358

--- 83 unchanged lines hidden (view full) ---

442
443 PermitOpen
444 Specifies the destinations to which TCP port forwarding is
445 permitted. The forwarding specification must be one of the
446 following forms:
447
448 PermitOpen host:port
449 PermitOpen IPv4_addr:port
427 PermitOpen [ IPv6_addr ]:port
450 PermitOpen [IPv6_addr]:port
428
429 Multiple forwards may be specified by separating them with
430 whitespace. An argument of ``any'' can be used to remove all
431 restrictions and permit any forwarding requests. By default all
432 port forwarding requests are permitted.
433
434 PermitRootLogin
435 Specifies whether root can log in using ssh(1). The argument

--- 209 unchanged lines hidden (view full) ---

645 default is ``yes''.
646
647 XAuthLocation
648 Specifies the full pathname of the xauth(1) program. The default
649 is /usr/X11R6/bin/xauth.
650
651TIME FORMATS
652 sshd(8) command-line arguments and configuration file options that
451
452 Multiple forwards may be specified by separating them with
453 whitespace. An argument of ``any'' can be used to remove all
454 restrictions and permit any forwarding requests. By default all
455 port forwarding requests are permitted.
456
457 PermitRootLogin
458 Specifies whether root can log in using ssh(1). The argument

--- 209 unchanged lines hidden (view full) ---

668 default is ``yes''.
669
670 XAuthLocation
671 Specifies the full pathname of the xauth(1) program. The default
672 is /usr/X11R6/bin/xauth.
673
674TIME FORMATS
675 sshd(8) command-line arguments and configuration file options that
653 specify time may be expressed using a sequence of the form: time
654 [qualifier], where time is a positive integer value and qualifier is one
655 of the following:
676 specify time may be expressed using a sequence of the form:
677 time[qualifier], where time is a positive integer value and qualifier is
678 one of the following:
656
657 <none> seconds
658 s | S seconds
659 m | M minutes
660 h | H hours
661 d | D days
662 w | W weeks
663

--- 18 unchanged lines hidden (view full) ---

682AUTHORS
683 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
684 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
685 de Raadt and Dug Song removed many bugs, re-added newer features and
686 created OpenSSH. Markus Friedl contributed the support for SSH protocol
687 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
688 for privilege separation.
689
679
680 <none> seconds
681 s | S seconds
682 m | M minutes
683 h | H hours
684 d | D days
685 w | W weeks
686

--- 18 unchanged lines hidden (view full) ---

705AUTHORS
706 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
707 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
708 de Raadt and Dug Song removed many bugs, re-added newer features and
709 created OpenSSH. Markus Friedl contributed the support for SSH protocol
710 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
711 for privilege separation.
712
690OpenBSD 4.8 June 30, 2010 OpenBSD 4.8
713OpenBSD 4.8 December 8, 2010 OpenBSD 4.8