sshd_config.5 (128460) | sshd_config.5 (137019) |
---|---|
1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this --- 20 unchanged lines hidden (view full) --- 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" | 1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this --- 20 unchanged lines hidden (view full) --- 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" |
37.\" $FreeBSD: head/crypto/openssh/sshd_config.5 128460 2004-04-20 09:46:41Z des $ 38.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $ | 37.\" $OpenBSD: sshd_config.5,v 1.35 2004/06/26 09:14:40 jmc Exp $ 38.\" $FreeBSD: head/crypto/openssh/sshd_config.5 137019 2004-10-28 16:11:31Z des $ |
39.Dd September 25, 1999 40.Dt SSHD_CONFIG 5 41.Os 42.Sh NAME 43.Nm sshd_config 44.Nd OpenSSH SSH daemon configuration file 45.Sh SYNOPSIS 46.Bl -tag -width Ds -compact --- 10 unchanged lines hidden (view full) --- 57Lines starting with 58.Ql # 59and empty lines are interpreted as comments. 60.Pp 61The possible 62keywords and their meanings are as follows (note that 63keywords are case-insensitive and arguments are case-sensitive): 64.Bl -tag -width Ds | 39.Dd September 25, 1999 40.Dt SSHD_CONFIG 5 41.Os 42.Sh NAME 43.Nm sshd_config 44.Nd OpenSSH SSH daemon configuration file 45.Sh SYNOPSIS 46.Bl -tag -width Ds -compact --- 10 unchanged lines hidden (view full) --- 57Lines starting with 58.Ql # 59and empty lines are interpreted as comments. 60.Pp 61The possible 62keywords and their meanings are as follows (note that 63keywords are case-insensitive and arguments are case-sensitive): 64.Bl -tag -width Ds |
65.It Cm AcceptEnv 66Specifies what environment variables sent by the client will be copied into 67the session's 68.Xr environ 7 . 69See 70.Cm SendEnv 71in 72.Xr ssh_config 5 73for how to configure the client. 74Note that environment passing is only supported for protocol 2. 75Variables are specified by name, which may contain the wildcard characters 76.Ql \&* 77and 78.Ql \&? . 79Multiple environment variables may be separated by whitespace or spread 80across multiple 81.Cm AcceptEnv 82directives. 83Be warned that some environment variables could be used to bypass restricted 84user environments. 85For this reason, care should be taken in the use of this directive. 86The default is not to accept any environment variables. |
|
65.It Cm AllowGroups 66This keyword can be followed by a list of group name patterns, separated 67by spaces. 68If specified, login is allowed only for users whose primary 69group or supplementary group list matches one of the patterns. 70.Ql \&* 71and 72.Ql \&? 73can be used as 74wildcards in the patterns. 75Only group names are valid; a numerical group ID is not recognized. 76By default, login is allowed for all groups. | 87.It Cm AllowGroups 88This keyword can be followed by a list of group name patterns, separated 89by spaces. 90If specified, login is allowed only for users whose primary 91group or supplementary group list matches one of the patterns. 92.Ql \&* 93and 94.Ql \&? 95can be used as 96wildcards in the patterns. 97Only group names are valid; a numerical group ID is not recognized. 98By default, login is allowed for all groups. |
77.Pp | |
78.It Cm AllowTcpForwarding 79Specifies whether TCP forwarding is permitted. 80The default is 81.Dq yes . 82Note that disabling TCP forwarding does not improve security unless 83users are also denied shell access, as they can always install their 84own forwarders. | 99.It Cm AllowTcpForwarding 100Specifies whether TCP forwarding is permitted. 101The default is 102.Dq yes . 103Note that disabling TCP forwarding does not improve security unless 104users are also denied shell access, as they can always install their 105own forwarders. |
85.Pp | |
86.It Cm AllowUsers 87This keyword can be followed by a list of user name patterns, separated 88by spaces. 89If specified, login is allowed only for user names that 90match one of the patterns. 91.Ql \&* 92and 93.Ql \&? 94can be used as 95wildcards in the patterns. 96Only user names are valid; a numerical user ID is not recognized. 97By default, login is allowed for all users. 98If the pattern takes the form USER@HOST then USER and HOST 99are separately checked, restricting logins to particular 100users from particular hosts. | 106.It Cm AllowUsers 107This keyword can be followed by a list of user name patterns, separated 108by spaces. 109If specified, login is allowed only for user names that 110match one of the patterns. 111.Ql \&* 112and 113.Ql \&? 114can be used as 115wildcards in the patterns. 116Only user names are valid; a numerical user ID is not recognized. 117By default, login is allowed for all users. 118If the pattern takes the form USER@HOST then USER and HOST 119are separately checked, restricting logins to particular 120users from particular hosts. |
101.Pp | |
102.It Cm AuthorizedKeysFile 103Specifies the file that contains the public keys that can be used 104for user authentication. 105.Cm AuthorizedKeysFile 106may contain tokens of the form %T which are substituted during connection 107set-up. 108The following tokens are defined: %% is replaced by a literal '%', 109%h is replaced by the home directory of the user being authenticated and --- 6 unchanged lines hidden (view full) --- 116.Dq .ssh/authorized_keys . 117.It Cm Banner 118In some jurisdictions, sending a warning message before authentication 119may be relevant for getting legal protection. 120The contents of the specified file are sent to the remote user before 121authentication is allowed. 122This option is only available for protocol version 2. 123By default, no banner is displayed. | 121.It Cm AuthorizedKeysFile 122Specifies the file that contains the public keys that can be used 123for user authentication. 124.Cm AuthorizedKeysFile 125may contain tokens of the form %T which are substituted during connection 126set-up. 127The following tokens are defined: %% is replaced by a literal '%', 128%h is replaced by the home directory of the user being authenticated and --- 6 unchanged lines hidden (view full) --- 135.Dq .ssh/authorized_keys . 136.It Cm Banner 137In some jurisdictions, sending a warning message before authentication 138may be relevant for getting legal protection. 139The contents of the specified file are sent to the remote user before 140authentication is allowed. 141This option is only available for protocol version 2. 142By default, no banner is displayed. |
124.Pp | |
125.It Cm ChallengeResponseAuthentication 126Specifies whether challenge-response authentication is allowed. 127Specifically, in 128.Fx , 129this controls the use of PAM (see 130.Xr pam 3 ) 131for authentication. 132Note that this affects the effectiveness of the 133.Cm PasswordAuthentication 134and 135.Cm PermitRootLogin 136variables. 137The default is 138.Dq yes . 139.It Cm Ciphers 140Specifies the ciphers allowed for protocol version 2. 141Multiple ciphers must be comma-separated. | 143.It Cm ChallengeResponseAuthentication 144Specifies whether challenge-response authentication is allowed. 145Specifically, in 146.Fx , 147this controls the use of PAM (see 148.Xr pam 3 ) 149for authentication. 150Note that this affects the effectiveness of the 151.Cm PasswordAuthentication 152and 153.Cm PermitRootLogin 154variables. 155The default is 156.Dq yes . 157.It Cm Ciphers 158Specifies the ciphers allowed for protocol version 2. 159Multiple ciphers must be comma-separated. |
160The supported ciphers are 161.Dq 3des-cbc , 162.Dq aes128-cbc , 163.Dq aes192-cbc , 164.Dq aes256-cbc , 165.Dq aes128-ctr , 166.Dq aes192-ctr , 167.Dq aes256-ctr , 168.Dq arcfour , 169.Dq blowfish-cbc , 170and 171.Dq cast128-cbc . |
|
142The default is | 172The default is |
143.Pp | |
144.Bd -literal 145 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 146 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' 147.Ed 148.It Cm ClientAliveInterval 149Sets a timeout interval in seconds after which if no data has been received 150from the client, 151.Nm sshd --- 44 unchanged lines hidden (view full) --- 196group list matches one of the patterns. 197.Ql \&* 198and 199.Ql \&? 200can be used as 201wildcards in the patterns. 202Only group names are valid; a numerical group ID is not recognized. 203By default, login is allowed for all groups. | 173.Bd -literal 174 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 175 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' 176.Ed 177.It Cm ClientAliveInterval 178Sets a timeout interval in seconds after which if no data has been received 179from the client, 180.Nm sshd --- 44 unchanged lines hidden (view full) --- 225group list matches one of the patterns. 226.Ql \&* 227and 228.Ql \&? 229can be used as 230wildcards in the patterns. 231Only group names are valid; a numerical group ID is not recognized. 232By default, login is allowed for all groups. |
204.Pp | |
205.It Cm DenyUsers 206This keyword can be followed by a list of user name patterns, separated 207by spaces. 208Login is disallowed for user names that match one of the patterns. 209.Ql \&* 210and 211.Ql \&? 212can be used as wildcards in the patterns. --- 174 unchanged lines hidden (view full) --- 387Logging with a DEBUG level violates the privacy of users and is not recommended. 388.It Cm MACs 389Specifies the available MAC (message authentication code) algorithms. 390The MAC algorithm is used in protocol version 2 391for data integrity protection. 392Multiple algorithms must be comma-separated. 393The default is 394.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . | 233.It Cm DenyUsers 234This keyword can be followed by a list of user name patterns, separated 235by spaces. 236Login is disallowed for user names that match one of the patterns. 237.Ql \&* 238and 239.Ql \&? 240can be used as wildcards in the patterns. --- 174 unchanged lines hidden (view full) --- 415Logging with a DEBUG level violates the privacy of users and is not recommended. 416.It Cm MACs 417Specifies the available MAC (message authentication code) algorithms. 418The MAC algorithm is used in protocol version 2 419for data integrity protection. 420Multiple algorithms must be comma-separated. 421The default is 422.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
423.It Cm MaxAuthTries 424Specifies the maximum number of authentication attempts permitted per 425connection. 426Once the number of failures reaches half this value, 427additional failures are logged. 428The default is 6. |
|
395.It Cm MaxStartups 396Specifies the maximum number of concurrent unauthenticated connections to the 397.Nm sshd 398daemon. 399Additional connections will be dropped until authentication succeeds or the 400.Cm LoginGraceTime 401expires for a connection. 402The default is 10. --- 230 unchanged lines hidden (view full) --- 633.Xr login 1 634does not know how to handle 635.Xr xauth 1 636cookies. 637If 638.Cm UsePrivilegeSeparation 639is specified, it will be disabled after authentication. 640.It Cm UsePAM | 429.It Cm MaxStartups 430Specifies the maximum number of concurrent unauthenticated connections to the 431.Nm sshd 432daemon. 433Additional connections will be dropped until authentication succeeds or the 434.Cm LoginGraceTime 435expires for a connection. 436The default is 10. --- 230 unchanged lines hidden (view full) --- 667.Xr login 1 668does not know how to handle 669.Xr xauth 1 670cookies. 671If 672.Cm UsePrivilegeSeparation 673is specified, it will be disabled after authentication. 674.It Cm UsePAM |
641Enables PAM authentication (via challenge-response) and session set up. 642If you enable this, you should probably disable 643.Cm PasswordAuthentication . 644If you enable 645.CM UsePAM 646then you will not be able to run sshd as a non-root user. The default is | 675Enables the Pluggable Authentication Module interface. 676If set to 677.Dq yes 678this will enable PAM authentication using 679.Cm ChallengeResponseAuthentication 680and PAM account and session module processing for all authentication types. 681.Pp 682Because PAM challenge-response authentication usually serves an equivalent 683role to password authentication, you should disable either 684.Cm PasswordAuthentication 685or 686.Cm ChallengeResponseAuthentication. 687.Pp 688If 689.Cm UsePAM 690is enabled, you will not be able to run 691.Xr sshd 8 692as a non-root user. 693The default is |
647.Dq yes . 648.It Cm UsePrivilegeSeparation 649Specifies whether 650.Nm sshd 651separates privileges by creating an unprivileged child process 652to deal with incoming network traffic. 653After successful authentication, another process will be created that has 654the privilege of the authenticated user. 655The goal of privilege separation is to prevent privilege 656escalation by containing any corruption within the unprivileged processes. 657The default is 658.Dq yes . 659.It Cm VersionAddendum 660Specifies a string to append to the regular version string to identify 661OS- or site-specific modifications. 662The default is | 694.Dq yes . 695.It Cm UsePrivilegeSeparation 696Specifies whether 697.Nm sshd 698separates privileges by creating an unprivileged child process 699to deal with incoming network traffic. 700After successful authentication, another process will be created that has 701the privilege of the authenticated user. 702The goal of privilege separation is to prevent privilege 703escalation by containing any corruption within the unprivileged processes. 704The default is 705.Dq yes . 706.It Cm VersionAddendum 707Specifies a string to append to the regular version string to identify 708OS- or site-specific modifications. 709The default is |
663.Dq FreeBSD-20040419 . | 710.Dq FreeBSD-20041028 . |
664.It Cm X11DisplayOffset 665Specifies the first display number available for 666.Nm sshd Ns 's 667X11 forwarding. 668This prevents 669.Nm sshd 670from interfering with real X11 servers. 671The default is 10. --- 129 unchanged lines hidden --- | 711.It Cm X11DisplayOffset 712Specifies the first display number available for 713.Nm sshd Ns 's 714X11 forwarding. 715This prevents 716.Nm sshd 717from interfering with real X11 servers. 718The default is 10. --- 129 unchanged lines hidden --- |
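Review bot: in the new AcceptEnv entry (right lines 65-86) the warning that "some environment variables could be used to bypass restricted user environments" would be more actionable if it named the pattern that makes it bite: since `*` and `?` are accepted as wildcards, a bare `AcceptEnv *` accepts every variable the client chooses to send, so the entry should say that patterns are meant to be narrow (individual names, or a prefix pattern such as `LC_*` as an example) rather than a blanket wildcard. The closing sentence correctly states the safe default of accepting nothing.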
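Review bot: dropping the `.Pp` lines that sat between consecutive `.It Cm` entries (old lines 77, 85, 101, 124, 143 and 204) is the right mdoc cleanup, since a `.Bl -tag` list already separates its items and the old file was inconsistent anyway (`.It Cm Banner` followed the AuthorizedKeysFile entry with no `.Pp`). One caveat for old line 143: that `.Pp` sat between "The default is" and the `.Bd -literal` block of the Ciphers entry, so its removal changes the spacing before the displayed default; check that the rendered Ciphers entry still reads as one sentence.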
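Review bot: the new "supported ciphers" list (right lines 160-171) and the default string in the `.Bd -literal` block (lines 174-175) contain the same ten algorithms in different orders, so the entry now tells the reader the same set twice without saying that the default enables every supported cipher. Suggest stating that explicitly ("The default enables all supported ciphers") or, if the order in the default string means something, documenting what it means; otherwise an administrator will assume the listing is a preference order, and will not realise that trimming the `Ciphers` list is the only way to exclude one of them.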
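Review bot: the new MaxAuthTries entry (right lines 423-428) documents only the logging threshold ("once the number of failures reaches half this value, additional failures are logged", i.e. from the fourth failure with the default of 6) and never says what happens when the maximum itself is reached, which is the fact an administrator tuning the value needs. Suggest adding a sentence stating the consequence for the connection of exhausting the limit, and a cross-reference to LoginGraceTime and MaxStartups, the other per-connection limits documented in this file.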
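Review bot: right line 686 writes `.Cm ChallengeResponseAuthentication.` with the period glued to the macro argument; elsewhere in this file trailing punctuation is passed as a separate argument (`.Cm PasswordAuthentication .` on old line 643, `.Dq yes .` on line 694) so that mdoc does not render the period as part of the keyword, so change it to `.Cm ChallengeResponseAuthentication .`. Otherwise the UsePAM rewrite is an improvement: it replaces the invalid `.CM` macro on old line 645 with `.Cm`, and it explains why one of PasswordAuthentication or ChallengeResponseAuthentication should be disabled (they serve an equivalent role) instead of merely asserting it.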