.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
--- 20 unchanged lines hidden ---
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.35 2004/06/26 09:14:40 jmc Exp $
.\" $FreeBSD: head/crypto/openssh/sshd_config.5 137019 2004-10-28 16:11:31Z des $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
.Nm sshd_config
.Nd OpenSSH SSH daemon configuration file
.Sh SYNOPSIS
.Bl -tag -width Ds -compact
--- 10 unchanged lines hidden ---
Lines starting with
.Ql #
and empty lines are interpreted as comments.
.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
.It Cm AcceptEnv
Specifies what environment variables sent by the client will be copied into
the session's
.Xr environ 7 .
See
.Cm SendEnv
in
.Xr ssh_config 5
for how to configure the client.
Note that environment passing is only supported for protocol 2.
Variables are specified by name, which may contain the wildcard characters
.Ql \&*
and
.Ql \&? .
Multiple environment variables may be separated by whitespace or spread
across multiple
.Cm AcceptEnv
directives.
Be warned that some environment variables could be used to bypass restricted
user environments.
For this reason, care should be taken in the use of this directive.
The default is not to accept any environment variables.
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
If specified, login is allowed only for users whose primary
group or supplementary group list matches one of the patterns.
.Ql \&*
and
.Ql \&?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The default is
.Dq yes .
Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
If specified, login is allowed only for user names that
match one of the patterns.
.Ql \&*
and
.Ql \&?
can be used as
wildcards in the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication.
.Cm AuthorizedKeysFile
may contain tokens of the form %T which are substituted during connection
set-up.
The following tokens are defined: %% is replaced by a literal '%',
%h is replaced by the home directory of the user being authenticated and
--- 6 unchanged lines hidden ---
.Dq .ssh/authorized_keys .
.It Cm Banner
In some jurisdictions, sending a warning message before authentication
may be relevant for getting legal protection.
The contents of the specified file are sent to the remote user before
authentication is allowed.
This option is only available for protocol version 2.
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.
Specifically, in
.Fx ,
this controls the use of PAM (see
.Xr pam 3 )
for authentication.
Note that this affects the effectiveness of the
.Cm PasswordAuthentication
and
.Cm PermitRootLogin
variables.
The default is
.Dq yes .
.It Cm Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated.
The supported ciphers are
.Dq 3des-cbc ,
.Dq aes128-cbc ,
.Dq aes192-cbc ,
.Dq aes256-cbc ,
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
.Dq cast128-cbc .
The default is
.Bd -literal
  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
  aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
.Ed
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
.Nm sshd
--- 44 unchanged lines hidden ---
group list matches one of the patterns.
.Ql \&*
and
.Ql \&?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
Login is disallowed for user names that match one of the patterns.
.Ql \&*
and
.Ql \&?
can be used as wildcards in the patterns.
--- 174 unchanged lines hidden ---
Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used in protocol version 2
for data integrity protection.
Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
Once the number of failures reaches half this value,
additional failures are logged.
The default is 6.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm sshd
daemon.
Additional connections will be dropped until authentication succeeds or the
.Cm LoginGraceTime
expires for a connection.
The default is 10.
--- 230 unchanged lines hidden ---
.Xr login 1
does not know how to handle
.Xr xauth 1
cookies.
If
.Cm UsePrivilegeSeparation
is specified, it will be disabled after authentication.
.It Cm UsePAM
Enables the Pluggable Authentication Module interface.
If set to
.Dq yes
this will enable PAM authentication using
.Cm ChallengeResponseAuthentication
and PAM account and session module processing for all authentication types.
.Pp
Because PAM challenge-response authentication usually serves an equivalent
role to password authentication, you should disable either
.Cm PasswordAuthentication
or
.Cm ChallengeResponseAuthentication .
.Pp
If
.Cm UsePAM
is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
.Dq yes .
.It Cm UsePrivilegeSeparation
Specifies whether
.Nm sshd
separates privileges by creating an unprivileged child process
to deal with incoming network traffic.
After successful authentication, another process will be created that has
the privilege of the authenticated user.
The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
.It Cm VersionAddendum
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
.Dq FreeBSD-20041028 .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Nm sshd Ns 's
X11 forwarding.
This prevents
.Nm sshd
from interfering with real X11 servers.
The default is 10.
--- 129 unchanged lines hidden ---
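The directive rules described in this manual (comment and keyword handling, AcceptEnv spread over several directives, AllowUsers patterns with `*` and `?` wildcards and the USER@HOST form, comma-separated Ciphers and MACs, UsePrivilegeSeparation) as an added Python example that is not part of the manual or of OpenSSH: it parses a constructed sshd_config, evaluates an AllowUsers decision, and reports findings. The config text, and the choice to treat RC4, CBC-mode, MD5-based and 96-bit-truncated algorithms as legacy, are the example's own assumptions, not statements from the manual.

```python
import re
# Constructed sample sshd_config (not from the manual or any real host); it uses
# the rules the manual states: '#' comments, case-insensitive keywords,
# repeated AcceptEnv lines, comma-separated Ciphers/MACs, wildcard patterns.
SAMPLE = """\
# constructed example
acceptenv LANG LC_*
AcceptEnv TERM
AllowUsers alice bob@10.0.0.*
Ciphers aes128-ctr,aes256-ctr,arcfour
MACs hmac-sha1,hmac-md5-96
UsePrivilegeSeparation no
"""
def parse(text):
    """Map each lower-cased keyword to its arguments; repeated keywords accumulate."""
    cfg = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank lines and '#' lines are comments
        parts = line.split()  # arguments keep their case
        cfg.setdefault(parts[0].lower(), []).extend(parts[1:])
    return cfg

def wildcard_match(pattern, value):
    """Only '*' and '?' are wildcards, as the manual states; all else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def user_allowed(cfg, user, host):
    """AllowUsers: USER@HOST checks user and host separately; absent = allow all."""
    if "allowusers" not in cfg:
        return True
    for pat in cfg["allowusers"]:
        upat, _, hpat = pat.partition("@")
        if wildcard_match(upat, user) and (not hpat or wildcard_match(hpat, host)):
            return True
    return False

def audit(cfg):
    """Findings a defender would raise against the directives discussed above."""
    ciphers = cfg.get("ciphers", [""])[0].split(",")  # RC4 / CBC-mode treated as legacy
    macs = cfg.get("macs", [""])[0].split(",")        # MD5 / 96-bit tags treated as legacy
    found = [f"Ciphers: legacy algorithm {c}" for c in ciphers if re.search(r"^arcfour$|-cbc$", c)]
    found += [f"MACs: legacy algorithm {m}" for m in macs if re.search(r"md5|-96$", m)]
    found += [f"AcceptEnv: wildcard {p} admits any matching variable"
              for p in cfg.get("acceptenv", []) if "*" in p or "?" in p]
    if cfg.get("useprivilegeseparation", ["yes"])[0] == "no":
        found.append("UsePrivilegeSeparation: disabled (default is yes)")
    return found
```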