sdiff udiff text old ( 128460 ) new ( 137019 )
1.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this

--- 20 unchanged lines hidden (view full) ---

29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" $OpenBSD: sshd_config.5,v 1.35 2004/06/26 09:14:40 jmc Exp $
38.\" $FreeBSD: head/crypto/openssh/sshd_config.5 137019 2004-10-28 16:11:31Z des $
39.Dd September 25, 1999
40.Dt SSHD_CONFIG 5
41.Os
42.Sh NAME
43.Nm sshd_config
44.Nd OpenSSH SSH daemon configuration file
45.Sh SYNOPSIS
46.Bl -tag -width Ds -compact

--- 10 unchanged lines hidden (view full) ---

57Lines starting with
58.Ql #
59and empty lines are interpreted as comments.
60.Pp
61The possible
62keywords and their meanings are as follows (note that
63keywords are case-insensitive and arguments are case-sensitive):
64.Bl -tag -width Ds
65.It Cm AcceptEnv
66Specifies what environment variables sent by the client will be copied into
67the session's
68.Xr environ 7 .
69See
70.Cm SendEnv
71in
72.Xr ssh_config 5
73for how to configure the client.
74Note that environment passing is only supported for protocol 2.
75Variables are specified by name, which may contain the wildcard characters
76.Ql \&*
77and
78.Ql \&? .
79Multiple environment variables may be separated by whitespace or spread
80across multiple
81.Cm AcceptEnv
82directives.
83Be warned that some environment variables could be used to bypass restricted
84user environments.
85For this reason, care should be taken in the use of this directive.
86The default is not to accept any environment variables.
87.It Cm AllowGroups
88This keyword can be followed by a list of group name patterns, separated
89by spaces.
90If specified, login is allowed only for users whose primary
91group or supplementary group list matches one of the patterns.
92.Ql \&*
93and
94.Ql \&?
95can be used as
96wildcards in the patterns.
97Only group names are valid; a numerical group ID is not recognized.
98By default, login is allowed for all groups.
99.It Cm AllowTcpForwarding
100Specifies whether TCP forwarding is permitted.
101The default is
102.Dq yes .
103Note that disabling TCP forwarding does not improve security unless
104users are also denied shell access, as they can always install their
105own forwarders.
106.It Cm AllowUsers
107This keyword can be followed by a list of user name patterns, separated
108by spaces.
109If specified, login is allowed only for user names that
110match one of the patterns.
111.Ql \&*
112and
113.Ql \&?
114can be used as
115wildcards in the patterns.
116Only user names are valid; a numerical user ID is not recognized.
117By default, login is allowed for all users.
118If the pattern takes the form USER@HOST then USER and HOST
119are separately checked, restricting logins to particular
120users from particular hosts.
121.It Cm AuthorizedKeysFile
122Specifies the file that contains the public keys that can be used
123for user authentication.
124.Cm AuthorizedKeysFile
125may contain tokens of the form %T which are substituted during connection
126set-up.
127The following tokens are defined: %% is replaced by a literal '%',
128%h is replaced by the home directory of the user being authenticated and

--- 6 unchanged lines hidden (view full) ---

135.Dq .ssh/authorized_keys .
136.It Cm Banner
137In some jurisdictions, sending a warning message before authentication
138may be relevant for getting legal protection.
139The contents of the specified file are sent to the remote user before
140authentication is allowed.
141This option is only available for protocol version 2.
142By default, no banner is displayed.
143.It Cm ChallengeResponseAuthentication
144Specifies whether challenge-response authentication is allowed.
145Specifically, in
146.Fx ,
147this controls the use of PAM (see
148.Xr pam 3 )
149for authentication.
150Note that this affects the effectiveness of the
151.Cm PasswordAuthentication
152and
153.Cm PermitRootLogin
154variables.
155The default is
156.Dq yes .
157.It Cm Ciphers
158Specifies the ciphers allowed for protocol version 2.
159Multiple ciphers must be comma-separated.
160The supported ciphers are
161.Dq 3des-cbc ,
162.Dq aes128-cbc ,
163.Dq aes192-cbc ,
164.Dq aes256-cbc ,
165.Dq aes128-ctr ,
166.Dq aes192-ctr ,
167.Dq aes256-ctr ,
168.Dq arcfour ,
169.Dq blowfish-cbc ,
170and
171.Dq cast128-cbc .
172The default is
173.Bd -literal
174 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
175 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
176.Ed
177.It Cm ClientAliveInterval
178Sets a timeout interval in seconds after which if no data has been received
179from the client,
180.Nm sshd
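Review bot: in the ChallengeResponseAuthentication entry, "this affects the effectiveness of the PasswordAuthentication and PermitRootLogin variables" does not say how; spell out that with PAM challenge-response enabled a password can still be accepted through PAM regardless of PasswordAuthentication, which is the interaction the UsePAM entry later describes when it says to disable one of the two, so a reader of this entry alone sees the consequence.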

--- 44 unchanged lines hidden (view full) ---

225group list matches one of the patterns.
226.Ql \&*
227and
228.Ql \&?
229can be used as
230wildcards in the patterns.
231Only group names are valid; a numerical group ID is not recognized.
232By default, login is allowed for all groups.
233.It Cm DenyUsers
234This keyword can be followed by a list of user name patterns, separated
235by spaces.
236Login is disallowed for user names that match one of the patterns.
237.Ql \&*
238and
239.Ql \&?
240can be used as wildcards in the patterns.

--- 174 unchanged lines hidden (view full) ---

415Logging with a DEBUG level violates the privacy of users and is not recommended.
416.It Cm MACs
417Specifies the available MAC (message authentication code) algorithms.
418The MAC algorithm is used in protocol version 2
419for data integrity protection.
420Multiple algorithms must be comma-separated.
421The default is
422.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
423.It Cm MaxAuthTries
424Specifies the maximum number of authentication attempts permitted per
425connection.
426Once the number of failures reaches half this value,
427additional failures are logged.
428The default is 6.
429.It Cm MaxStartups
430Specifies the maximum number of concurrent unauthenticated connections to the
431.Nm sshd
432daemon.
433Additional connections will be dropped until authentication succeeds or the
434.Cm LoginGraceTime
435expires for a connection.
436The default is 10.

--- 230 unchanged lines hidden (view full) ---

667.Xr login 1
668does not know how to handle
669.Xr xauth 1
670cookies.
671If
672.Cm UsePrivilegeSeparation
673is specified, it will be disabled after authentication.
674.It Cm UsePAM
675Enables the Pluggable Authentication Module interface.
676If set to
677.Dq yes
678this will enable PAM authentication using
679.Cm ChallengeResponseAuthentication
680and PAM account and session module processing for all authentication types.
681.Pp
682Because PAM challenge-response authentication usually serves an equivalent
683role to password authentication, you should disable either
684.Cm PasswordAuthentication
685or
686.Cm ChallengeResponseAuthentication.
687.Pp
688If
689.Cm UsePAM
690is enabled, you will not be able to run
691.Xr sshd 8
692as a non-root user.
693The default is
694.Dq yes .
695.It Cm UsePrivilegeSeparation
696Specifies whether
697.Nm sshd
698separates privileges by creating an unprivileged child process
699to deal with incoming network traffic.
700After successful authentication, another process will be created that has
701the privilege of the authenticated user.
702The goal of privilege separation is to prevent privilege
703escalation by containing any corruption within the unprivileged processes.
704The default is
705.Dq yes .
706.It Cm VersionAddendum
707Specifies a string to append to the regular version string to identify
708OS- or site-specific modifications.
709The default is
710.Dq FreeBSD-20041028 .
711.It Cm X11DisplayOffset
712Specifies the first display number available for
713.Nm sshd Ns 's
714X11 forwarding.
715This prevents
716.Nm sshd
717from interfering with real X11 servers.
718The default is 10.
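Review bot: in the UsePAM entry, `.Cm ChallengeResponseAuthentication.` carries the sentence's period inside the macro argument; mdoc only recognises trailing punctuation when it is a separate token, so it should be `.Cm ChallengeResponseAuthentication .` in the style the rest of the file uses (e.g. `.Dq yes .`), otherwise the period is rendered as part of the keyword name.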

--- 129 unchanged lines hidden ---