sshd_config.0 revision 180746
SSHD_CONFIG(5)            OpenBSD Programmer's Manual           SSHD_CONFIG(5)

NAME
     sshd_config - OpenSSH SSH daemon configuration file

SYNOPSIS
     /etc/ssh/sshd_config

DESCRIPTION
     sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
     specified with -f on the command line). The file contains
     keyword-argument pairs, one per line. Lines starting with `#' and empty
     lines are interpreted as comments. Arguments may optionally be enclosed
     in double quotes (") in order to represent arguments containing spaces.

     The possible keywords and their meanings are as follows (note that
     keywords are case-insensitive and arguments are case-sensitive):

     AcceptEnv
             Specifies what environment variables sent by the client will be
             copied into the session's environ(7). See SendEnv in
             ssh_config(5) for how to configure the client. Note that
             environment passing is only supported for protocol 2. Variables
             are specified by name, which may contain the wildcard characters
             `*' and `?'. Multiple environment variables may be separated by
             whitespace or spread across multiple AcceptEnv directives. Be
             warned that some environment variables could be used to bypass
             restricted user environments. For this reason, care should be
             taken in the use of this directive. The default is not to accept
             any environment variables.

     AddressFamily
             Specifies which address family should be used by sshd(8). Valid
             arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
             (use IPv6 only). The default is ``any''.

     AllowGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces. If specified, login is allowed only for
             users whose primary group or supplementary group list matches
             one of the patterns. Only group names are valid; a numerical
             group ID is not recognized. By default, login is allowed for all
             groups.
             The allow/deny directives are processed in the following order:
             DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     AllowTcpForwarding
             Specifies whether TCP forwarding is permitted. The default is
             ``yes''. Note that disabling TCP forwarding does not improve
             security unless users are also denied shell access, as they can
             always install their own forwarders.

     AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces. If specified, login is allowed only for
             user names that match one of the patterns. Only user names are
             valid; a numerical user ID is not recognized. By default, login
             is allowed for all users. If the pattern takes the form
             USER@HOST then USER and HOST are separately checked, restricting
             logins to particular users from particular hosts. The allow/deny
             directives are processed in the following order: DenyUsers,
             AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     AuthorizedKeysFile
             Specifies the file that contains the public keys that can be
             used for user authentication. AuthorizedKeysFile may contain
             tokens of the form %T which are substituted during connection
             setup. The following tokens are defined: %% is replaced by a
             literal '%', %h is replaced by the home directory of the user
             being authenticated, and %u is replaced by the username of that
             user. After expansion, AuthorizedKeysFile is taken to be an
             absolute path or one relative to the user's home directory. The
             default is ``.ssh/authorized_keys''.

     Banner  The contents of the specified file are sent to the remote user
             before authentication is allowed. If the argument is ``none''
             then no banner is displayed. This option is only available for
             protocol version 2. By default, no banner is displayed.

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed.
             All authentication styles from login.conf(5) are supported. The
             default is ``yes''.

     ChrootDirectory
             Specifies a path to chroot(2) to after authentication. This
             path, and all its components, must be root-owned directories
             that are not writable by any other user or group.

             The path may contain the following tokens that are expanded at
             runtime once the connecting user has been authenticated: %% is
             replaced by a literal '%', %h is replaced by the home directory
             of the user being authenticated, and %u is replaced by the
             username of that user.

             The ChrootDirectory must contain the necessary files and
             directories to support the users' session. For an interactive
             session this requires at least a shell, typically sh(1), and
             basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
             stderr(4), arandom(4) and tty(4) devices. For file transfer
             sessions using ``sftp'', no additional configuration of the
             environment is necessary if the in-process sftp server is used
             (see Subsystem for details).

             The default is not to chroot(2).

     Ciphers
             Specifies the ciphers allowed for protocol version 2. Multiple
             ciphers must be comma-separated. The supported ciphers are
             ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
             ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
             ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
             ``cast128-cbc''. The default is:

               aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
               arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
               aes192-ctr,aes256-ctr

     ClientAliveCountMax
             Sets the number of client alive messages (see below) which may
             be sent without sshd(8) receiving any messages back from the
             client.
             If this threshold is reached while client alive messages are
             being sent, sshd will disconnect the client, terminating the
             session. It is important to note that the use of client alive
             messages is very different from TCPKeepAlive (below). The client
             alive messages are sent through the encrypted channel and
             therefore will not be spoofable. The TCP keepalive option
             enabled by TCPKeepAlive is spoofable. The client alive mechanism
             is valuable when the client or server depend on knowing when a
             connection has become inactive.

             The default value is 3. If ClientAliveInterval (see below) is
             set to 15, and ClientAliveCountMax is left at the default,
             unresponsive SSH clients will be disconnected after
             approximately 45 seconds. This option applies to protocol
             version 2 only.

     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has
             been received from the client, sshd(8) will send a message
             through the encrypted channel to request a response from the
             client. The default is 0, indicating that these messages will
             not be sent to the client. This option applies to protocol
             version 2 only.

     Compression
             Specifies whether compression is allowed, or delayed until the
             user has authenticated successfully. The argument must be
             ``yes'', ``delayed'', or ``no''. The default is ``delayed''.

     DenyGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces. Login is disallowed for users whose primary
             group or supplementary group list matches one of the patterns.
             Only group names are valid; a numerical group ID is not
             recognized. By default, login is allowed for all groups. The
             allow/deny directives are processed in the following order:
             DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     DenyUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces. Login is disallowed for user names that
             match one of the patterns. Only user names are valid; a
             numerical user ID is not recognized. By default, login is
             allowed for all users. If the pattern takes the form USER@HOST
             then USER and HOST are separately checked, restricting logins to
             particular users from particular hosts. The allow/deny
             directives are processed in the following order: DenyUsers,
             AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     ForceCommand
             Forces the execution of the command specified by ForceCommand,
             ignoring any command supplied by the client and ~/.ssh/rc if
             present. The command is invoked by using the user's login shell
             with the -c option. This applies to shell, command, or subsystem
             execution. It is most useful inside a Match block. The command
             originally supplied by the client is available in the
             SSH_ORIGINAL_COMMAND environment variable. Specifying a command
             of ``internal-sftp'' will force the use of an in-process sftp
             server that requires no support files when used with
             ChrootDirectory.

     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports
             forwarded for the client. By default, sshd(8) binds remote port
             forwardings to the loopback address. This prevents other remote
             hosts from connecting to forwarded ports. GatewayPorts can be
             used to specify that sshd should allow remote port forwardings
             to bind to non-loopback addresses, thus allowing other hosts to
             connect.
             The argument may be ``no'' to force remote port forwardings to
             be available to the local host only, ``yes'' to force remote
             port forwardings to bind to the wildcard address, or
             ``clientspecified'' to allow the client to select the address to
             which the forwarding is bound. The default is ``no''.

     GSSAPIAuthentication
             Specifies whether user authentication based on GSSAPI is
             allowed. The default is ``no''. Note that this option applies to
             protocol version 2 only.

     GSSAPICleanupCredentials
             Specifies whether to automatically destroy the user's
             credentials cache on logout. The default is ``yes''. Note that
             this option applies to protocol version 2 only.

     HostbasedAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful public key client host authentication
             is allowed (host-based authentication). This option is similar
             to RhostsRSAAuthentication and applies to protocol version 2
             only. The default is ``no''.

     HostbasedUsesNameFromPacketOnly
             Specifies whether or not the server will attempt to perform a
             reverse name lookup when matching the name in the ~/.shosts,
             ~/.rhosts, and /etc/hosts.equiv files during
             HostbasedAuthentication. A setting of ``yes'' means that sshd(8)
             uses the name supplied by the client rather than attempting to
             resolve the name from the TCP connection itself. The default is
             ``no''.

     HostKey
             Specifies a file containing a private host key used by SSH. The
             default is /etc/ssh/ssh_host_key for protocol version 1, and
             /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for
             protocol version 2. Note that sshd(8) will refuse to use a file
             if it is group/world-accessible. It is possible to have multiple
             host key files. ``rsa1'' keys are used for version 1 and ``dsa''
             or ``rsa'' are used for version 2 of the SSH protocol.

     IgnoreRhosts
             Specifies that .rhosts and .shosts files will not be used in
             RhostsRSAAuthentication or HostbasedAuthentication.

             /etc/hosts.equiv and /etc/shosts.equiv are still used. The
             default is ``yes''.

     IgnoreUserKnownHosts
             Specifies whether sshd(8) should ignore the user's
             ~/.ssh/known_hosts during RhostsRSAAuthentication or
             HostbasedAuthentication. The default is ``no''.

     KerberosAuthentication
             Specifies whether the password provided by the user for
             PasswordAuthentication will be validated through the Kerberos
             KDC. To use this option, the server needs a Kerberos servtab
             which allows the verification of the KDC's identity. The default
             is ``no''.

     KerberosGetAFSToken
             If AFS is active and the user has a Kerberos 5 TGT, attempt to
             acquire an AFS token before accessing the user's home directory.
             The default is ``no''.

     KerberosOrLocalPasswd
             If password authentication through Kerberos fails then the
             password will be validated via any additional local mechanism
             such as /etc/passwd. The default is ``yes''.

     KerberosTicketCleanup
             Specifies whether to automatically destroy the user's ticket
             cache file on logout. The default is ``yes''.

     KeyRegenerationInterval
             In protocol version 1, the ephemeral server key is automatically
             regenerated after this many seconds (if it has been used). The
             purpose of regeneration is to prevent decrypting captured
             sessions by later breaking into the machine and stealing the
             keys. The key is never stored anywhere. If the value is 0, the
             key is never regenerated. The default is 3600 (seconds).

     ListenAddress
             Specifies the local addresses sshd(8) should listen on.
             The following forms may be used:

                   ListenAddress host|IPv4_addr|IPv6_addr
                   ListenAddress host|IPv4_addr:port
                   ListenAddress [host|IPv6_addr]:port

             If port is not specified, sshd will listen on the address and
             all prior Port options specified. The default is to listen on
             all local addresses. Multiple ListenAddress options are
             permitted. Additionally, any Port options must precede this
             option for non-port qualified addresses.

     LoginGraceTime
             The server disconnects after this time if the user has not
             successfully logged in. If the value is 0, there is no time
             limit. The default is 120 seconds.

     LogLevel
             Gives the verbosity level that is used when logging messages
             from sshd(8). The possible values are: QUIET, FATAL, ERROR,
             INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is
             INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each
             specify higher levels of debugging output. Logging with a DEBUG
             level violates the privacy of users and is not recommended.

     MACs    Specifies the available MAC (message authentication code)
             algorithms. The MAC algorithm is used in protocol version 2 for
             data integrity protection. Multiple algorithms must be
             comma-separated. The default is:

                   hmac-md5,hmac-sha1,umac-64@openssh.com,
                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96

     Match   Introduces a conditional block. If all of the criteria on the
             Match line are satisfied, the keywords on the following lines
             override those set in the global section of the config file,
             until either another Match line or the end of the file. The
             arguments to Match are one or more criteria-pattern pairs. The
             available criteria are User, Group, Host, and Address. Only a
             subset of keywords may be used on the lines following a Match
             keyword.
             Available keywords are AllowTcpForwarding, Banner, ForceCommand,
             GatewayPorts, GSSApiAuthentication,
             KbdInteractiveAuthentication, KerberosAuthentication,
             PasswordAuthentication, PermitOpen, PermitRootLogin,
             RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
             X11Forwarding, and X11UseLocalHost.

     MaxAuthTries
             Specifies the maximum number of authentication attempts
             permitted per connection. Once the number of failures reaches
             half this value, additional failures are logged. The default is
             6.

     MaxStartups
             Specifies the maximum number of concurrent unauthenticated
             connections to the SSH daemon. Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime
             expires for a connection. The default is 10.

             Alternatively, random early drop can be enabled by specifying
             the three colon separated values ``start:rate:full'' (e.g.
             "10:30:60"). sshd(8) will refuse connection attempts with a
             probability of ``rate/100'' (30%) if there are currently
             ``start'' (10) unauthenticated connections. The probability
             increases linearly and all connection attempts are refused if
             the number of unauthenticated connections reaches ``full'' (60).

     PasswordAuthentication
             Specifies whether password authentication is allowed. The
             default is ``yes''.

     PermitEmptyPasswords
             When password authentication is allowed, it specifies whether
             the server allows login to accounts with empty password strings.
             The default is ``no''.

     PermitOpen
             Specifies the destinations to which TCP port forwarding is
             permitted. The forwarding specification must be one of the
             following forms:

                   PermitOpen host:port
                   PermitOpen IPv4_addr:port
                   PermitOpen [IPv6_addr]:port

             Multiple forwards may be specified by separating them with
             whitespace.
             An argument of ``any'' can be used to remove all restrictions
             and permit any forwarding requests. By default all port
             forwarding requests are permitted.

     PermitRootLogin
             Specifies whether root can log in using ssh(1). The argument
             must be ``yes'', ``without-password'', ``forced-commands-only'',
             or ``no''. The default is ``yes''.

             If this option is set to ``without-password'', password
             authentication is disabled for root.

             If this option is set to ``forced-commands-only'', root login
             with public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for
             taking remote backups even if root login is normally not
             allowed). All other authentication methods are disabled for
             root.

             If this option is set to ``no'', root is not allowed to log in.

     PermitTunnel
             Specifies whether tun(4) device forwarding is allowed. The
             argument must be ``yes'', ``point-to-point'' (layer 3),
             ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' permits
             both ``point-to-point'' and ``ethernet''. The default is ``no''.

     PermitUserEnvironment
             Specifies whether ~/.ssh/environment and environment= options in
             ~/.ssh/authorized_keys are processed by sshd(8). The default is
             ``no''. Enabling environment processing may enable users to
             bypass access restrictions in some configurations using
             mechanisms such as LD_PRELOAD.

     PidFile
             Specifies the file that contains the process ID of the SSH
             daemon. The default is /var/run/sshd.pid.

     Port    Specifies the port number that sshd(8) listens on. The default
             is 22. Multiple options of this type are permitted. See also
             ListenAddress.

     PrintLastLog
             Specifies whether sshd(8) should print the date and time of the
             last user login when a user logs in interactively. The default
             is ``yes''.

     PrintMotd
             Specifies whether sshd(8) should print /etc/motd when a user
             logs in interactively. (On some systems it is also printed by
             the shell, /etc/profile, or equivalent.) The default is ``yes''.

     Protocol
             Specifies the protocol versions sshd(8) supports. The possible
             values are `1' and `2'. Multiple versions must be
             comma-separated. The default is ``2,1''. Note that the order of
             the protocol list does not indicate preference, because the
             client selects among multiple protocol versions offered by the
             server. Specifying ``2,1'' is identical to ``1,2''.

     PubkeyAuthentication
             Specifies whether public key authentication is allowed. The
             default is ``yes''. Note that this option applies to protocol
             version 2 only.

     RhostsRSAAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful RSA host authentication is allowed. The
             default is ``no''. This option applies to protocol version 1
             only.

     RSAAuthentication
             Specifies whether pure RSA authentication is allowed. The
             default is ``yes''. This option applies to protocol version 1
             only.

     ServerKeyBits
             Defines the number of bits in the ephemeral protocol version 1
             server key. The minimum value is 512, and the default is 768.

     StrictModes
             Specifies whether sshd(8) should check file modes and ownership
             of the user's files and home directory before accepting login.
             This is normally desirable because novices sometimes
             accidentally leave their directory or files world-writable. The
             default is ``yes''.

     Subsystem
             Configures an external subsystem (e.g. file transfer daemon).
             Arguments should be a subsystem name and a command (with
             optional arguments) to execute upon subsystem request.

             The command sftp-server(8) implements the ``sftp'' file transfer
             subsystem.

             Alternately the name ``internal-sftp'' implements an in-process
             ``sftp'' server. This may simplify configurations using
             ChrootDirectory to force a different filesystem root on clients.

             By default no subsystems are defined. Note that this option
             applies to protocol version 2 only.

     SyslogFacility
             Gives the facility code that is used when logging messages from
             sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
             default is AUTH.

     TCPKeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side. If they are sent, death of the connection or
             crash of one of the machines will be properly noticed. However,
             this means that connections will die if the route is down
             temporarily, and some people find it annoying. On the other
             hand, if TCP keepalives are not sent, sessions may hang
             indefinitely on the server, leaving ``ghost'' users and
             consuming server resources.

             The default is ``yes'' (to send TCP keepalive messages), and the
             server will notice if the network goes down or the client host
             crashes. This avoids infinitely hanging sessions.

             To disable TCP keepalive messages, the value should be set to
             ``no''.

     UseDNS  Specifies whether sshd(8) should look up the remote host name
             and check that the resolved host name for the remote IP address
             maps back to the very same IP address. The default is ``yes''.

     UseLogin
             Specifies whether login(1) is used for interactive login
             sessions. The default is ``no''. Note that login(1) is never
             used for remote command execution. Note also, that if this is
             enabled, X11Forwarding will be disabled because login(1) does
             not know how to handle xauth(1) cookies. If
             UsePrivilegeSeparation is specified, it will be disabled after
             authentication.

     UsePAM  Enables the Pluggable Authentication Module interface. If set to
             ``yes'' this will enable PAM authentication using
             ChallengeResponseAuthentication and PasswordAuthentication in
             addition to PAM account and session module processing for all
             authentication types.

             Because PAM challenge-response authentication usually serves an
             equivalent role to password authentication, you should disable
             either PasswordAuthentication or
             ChallengeResponseAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a
             non-root user. The default is ``no''.

     UsePrivilegeSeparation
             Specifies whether sshd(8) separates privileges by creating an
             unprivileged child process to deal with incoming network
             traffic. After successful authentication, another process will
             be created that has the privilege of the authenticated user. The
             goal of privilege separation is to prevent privilege escalation
             by containing any corruption within the unprivileged processes.
             The default is ``yes''.

     X11DisplayOffset
             Specifies the first display number available for sshd(8)'s X11
             forwarding. This prevents sshd from interfering with real X11
             servers. The default is 10.

     X11Forwarding
             Specifies whether X11 forwarding is permitted. The argument must
             be ``yes'' or ``no''. The default is ``no''.

             When X11 forwarding is enabled, there may be additional exposure
             to the server and to client displays if the sshd(8) proxy
             display is configured to listen on the wildcard address (see
             X11UseLocalhost below), though this is not the default.
             Additionally, the authentication spoofing and authentication
             data verification and substitution occur on the client side.
             The security risk of using X11 forwarding is that the client's
             X11 display server may be exposed to attack when the SSH client
             requests forwarding (see the warnings for ForwardX11 in
             ssh_config(5)). A system administrator may have a stance in
             which they want to protect clients that may expose themselves to
             attack by unwittingly requesting X11 forwarding, which can
             warrant a ``no'' setting.

             Note that disabling X11 forwarding does not prevent users from
             forwarding X11 traffic, as users can always install their own
             forwarders. X11 forwarding is automatically disabled if UseLogin
             is enabled.

     X11UseLocalhost
             Specifies whether sshd(8) should bind the X11 forwarding server
             to the loopback address or to the wildcard address. By default,
             sshd binds the forwarding server to the loopback address and
             sets the hostname part of the DISPLAY environment variable to
             ``localhost''. This prevents remote hosts from connecting to the
             proxy display. However, some older X11 clients may not function
             with this configuration. X11UseLocalhost may be set to ``no'' to
             specify that the forwarding server should be bound to the
             wildcard address. The argument must be ``yes'' or ``no''. The
             default is ``yes''.

     XAuthLocation
             Specifies the full pathname of the xauth(1) program. The default
             is /usr/X11R6/bin/xauth.

TIME FORMATS
     sshd(8) command-line arguments and configuration file options that
     specify time may be expressed using a sequence of the form:
     time[qualifier], where time is a positive integer value and qualifier is
     one of the following:

           <none>  seconds
           s | S   seconds
           m | M   minutes
           h | H   hours
           d | D   days
           w | W   weeks

     Each member of the sequence is added together to calculate the total
     time value.

     Time format examples:

           600     600 seconds (10 minutes)
           10m     10 minutes
           1h30m   1 hour 30 minutes (90 minutes)

FILES
     /etc/ssh/sshd_config
             Contains configuration data for sshd(8). This file should be
             writable by root only, but it is recommended (though not
             necessary) that it be world-readable.

SEE ALSO
     sshd(8)

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH. Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
     for privilege separation.

OpenBSD 4.3                     March 27, 2008
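
The processing order DenyUsers, AllowUsers, DenyGroups, AllowGroups, sketched in C to show that a match in an Allow list does not rescue a login that a later check rejects. This is an added example, not OpenSSH source code: it handles only the `*' and `?' wildcards, matches HOST against a single string, and the policy, user, host and group names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Match s against the pattern [p, pe); only `*' and `?' are wildcards. */
static int wild(const char *p, const char *pe, const char *s)
{
    for (; p < pe; p++, s++) {
        if (*p == '*') {
            if (++p == pe)
                return 1;               /* trailing `*' matches the rest */
            for (; *s; s++)
                if (wild(p, pe, s))
                    return 1;
            return wild(p, pe, s);      /* s is now the empty tail */
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return 0;
    }
    return *s == '\0';
}

/* USER or USER@HOST patterns; the two halves are checked separately. */
static int user_matches(const char *const *pats, const char *user,
    const char *host)
{
    for (; *pats; pats++) {
        const char *end = *pats + strlen(*pats), *at = strchr(*pats, '@');
        if (at == NULL ? wild(*pats, end, user)
            : wild(*pats, at, user) && wild(at + 1, end, host))
            return 1;
    }
    return 0;
}

/* True if any of the user's groups matches any pattern. */
static int group_matches(const char *const *pats, const char *const *groups)
{
    for (; *groups; groups++)
        for (const char *const *p = pats; *p; p++)
            if (wild(*p, *p + strlen(*p), *groups))
                return 1;
    return 0;
}

/* NULL-terminated pattern lists; a NULL pointer means "keyword not set". */
struct policy {
    const char *const *deny_users, *const *allow_users;
    const char *const *deny_groups, *const *allow_groups;
};

enum verdict { ALLOWED, DENYUSERS, ALLOWUSERS, DENYGROUPS, ALLOWGROUPS };

/* Returns ALLOWED, or the keyword whose check rejected the login. */
enum verdict check_login(const struct policy *p, const char *user,
    const char *host, const char *const *groups)
{
    if (p->deny_users && user_matches(p->deny_users, user, host))
        return DENYUSERS;
    if (p->allow_users && !user_matches(p->allow_users, user, host))
        return ALLOWUSERS;
    if (p->deny_groups && group_matches(p->deny_groups, groups))
        return DENYGROUPS;
    if (p->allow_groups && !group_matches(p->allow_groups, groups))
        return ALLOWGROUPS;
    return ALLOWED;
}

/* Constructed sample policy (not from the manual page). */
static const char *const DU[] = { "mallory", "*@198.51.100.*", NULL };
static const char *const AU[] = { "alice", "bob@10.0.0.?", "carol", NULL };
static const char *const DG[] = { "contractors", NULL };
static const char *const AG[] = { "staff", "wheel", NULL };
static const struct policy SAMPLE = { DU, AU, DG, AG };

int main(void)
{
    static const char *const both[] = { "staff", "contractors", NULL };

    /* carol passes AllowUsers, but DenyGroups still rejects her: prints 3 */
    printf("%d\n", check_login(&SAMPLE, "carol", "10.0.0.5", both));
    return 0;
}
```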
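
The random early drop arithmetic described under MaxStartups, as an added example (not OpenSSH source code). The struct and function names are hypothetical; the single-number form is modelled as start == full with rate 100, the sanity limits are this example's own, and the percentage uses integer division.

```c
#include <stdio.h>

/* Parsed MaxStartups argument: "start:rate:full" or a single number. */
struct max_startups {
    int start;   /* refusals begin at this many unauthenticated connections */
    int rate;    /* refusal probability, in percent, at `start' */
    int full;    /* every attempt is refused from this many on */
};

/* Returns 0 on success, -1 if the argument is malformed or inconsistent. */
int parse_max_startups(const char *arg, struct max_startups *ms)
{
    int end = 0;
    int three = sscanf(arg, "%d:%d:%d%n",
        &ms->start, &ms->rate, &ms->full, &end) == 3 && arg[end] == '\0';

    if (!three) {
        /* Single value: a hard limit, modelled here as start == full. */
        end = 0;
        if (sscanf(arg, "%d%n", &ms->start, &end) != 1 || arg[end] != '\0')
            return -1;
        ms->full = ms->start;
        ms->rate = 100;
    }
    /* Sanity limits chosen for this example. */
    if (ms->start < 1 || ms->full < ms->start ||
        ms->rate < 1 || ms->rate > 100)
        return -1;
    return 0;
}

/*
 * Percent chance that a new connection is refused when `unauth'
 * unauthenticated connections already exist: 0 below start, `rate' at
 * start, rising linearly to 100 at full.
 */
int drop_percent(const struct max_startups *ms, int unauth)
{
    if (unauth < ms->start)
        return 0;
    if (unauth >= ms->full || ms->rate == 100)
        return 100;
    return ms->rate +
        (100 - ms->rate) * (unauth - ms->start) / (ms->full - ms->start);
}

int main(void)
{
    struct max_startups ms;
    int n;

    if (parse_max_startups("10:30:60", &ms) != 0)
        return 1;
    for (n = 0; n <= 60; n += 10)
        printf("%2d unauthenticated -> refuse %3d%%\n",
            n, drop_percent(&ms, n));
    return 0;
}
```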