sshd_config.0 revision 239844
SSHD_CONFIG(5)          OpenBSD Programmer's Manual          SSHD_CONFIG(5)

NAME
     sshd_config - OpenSSH SSH daemon configuration file

SYNOPSIS
     /etc/ssh/sshd_config

DESCRIPTION
     sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
     specified with -f on the command line).  The file contains
     keyword-argument pairs, one per line.  Lines starting with `#' and empty
     lines are interpreted as comments.  Arguments may optionally be enclosed
     in double quotes (") in order to represent arguments containing spaces.

     The possible keywords and their meanings are as follows (note that
     keywords are case-insensitive and arguments are case-sensitive):

     AcceptEnv
             Specifies what environment variables sent by the client will be
             copied into the session's environ(7).  See SendEnv in
             ssh_config(5) for how to configure the client.  Note that
             environment passing is only supported for protocol 2.  Variables
             are specified by name, which may contain the wildcard characters
             `*' and `?'.  Multiple environment variables may be separated by
             whitespace or spread across multiple AcceptEnv directives.  Be
             warned that some environment variables could be used to bypass
             restricted user environments.  For this reason, care should be
             taken in the use of this directive.  The default is not to accept
             any environment variables.

     AddressFamily
             Specifies which address family should be used by sshd(8).  Valid
             arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
             (use IPv6 only).  The default is ``any''.
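             The fragment below is an added example, not text from the manual
             page itself.  It contrasts an over-broad AcceptEnv with the usual
             restricted form; LANG and LC_* are the editor's choice of
             variables and stand for whatever the session actually needs.

```sshd_config
# Added example, not from the original manual page.

# Too permissive: the client decides which variables reach the session.
# If the account is confined by a restricted shell or a ForceCommand, a
# client-chosen PATH (or the loader variables the PermitUserEnvironment
# entry warns about, such as LD_PRELOAD) can change what that forced
# command actually executes, because sshd(8) runs it through the user's
# login shell with -c in exactly this environment.
#AcceptEnv *

# Accept only locale settings.  The `*' wildcard covers LC_ALL, LC_CTYPE,
# LC_MESSAGES and the rest of the LC_ family in one pattern.
AcceptEnv LANG LC_*

# Equivalent form spread across two directives:
#AcceptEnv LANG
#AcceptEnv LC_*
```

             Comments in sshd_config must be on their own lines; a `#' after
             an argument is treated as part of the argument list, not as a
             comment.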
     AllowAgentForwarding
             Specifies whether ssh-agent(1) forwarding is permitted.  The
             default is ``yes''.  Note that disabling agent forwarding does
             not improve security unless users are also denied shell access,
             as they can always install their own forwarders.

     AllowGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  If specified, login is allowed only for
             users whose primary group or supplementary group list matches one
             of the patterns.  Only group names are valid; a numerical group
             ID is not recognized.  By default, login is allowed for all
             groups.  The allow/deny directives are processed in the following
             order: DenyUsers, AllowUsers, DenyGroups, and finally
             AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     AllowTcpForwarding
             Specifies whether TCP forwarding is permitted.  The default is
             ``yes''.  Note that disabling TCP forwarding does not improve
             security unless users are also denied shell access, as they can
             always install their own forwarders.

     AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
             user names that match one of the patterns.  Only user names are
             valid; a numerical user ID is not recognized.  By default, login
             is allowed for all users.  If the pattern takes the form
             USER@HOST then USER and HOST are separately checked, restricting
             logins to particular users from particular hosts.
             The allow/deny directives are processed in the following order:
             DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     AuthorizedKeysFile
             Specifies the file that contains the public keys that can be used
             for user authentication.  The format is described in the
             AUTHORIZED_KEYS FILE FORMAT section of sshd(8).
             AuthorizedKeysFile may contain tokens of the form %T which are
             substituted during connection setup.  The following tokens are
             defined: %% is replaced by a literal '%', %h is replaced by the
             home directory of the user being authenticated, and %u is
             replaced by the username of that user.  After expansion,
             AuthorizedKeysFile is taken to be an absolute path or one
             relative to the user's home directory.  Multiple files may be
             listed, separated by whitespace.  The default is
             ``.ssh/authorized_keys .ssh/authorized_keys2''.

     AuthorizedPrincipalsFile
             Specifies a file that lists principal names that are accepted for
             certificate authentication.  When using certificates signed by a
             key listed in TrustedUserCAKeys, this file lists names, one of
             which must appear in the certificate for it to be accepted for
             authentication.  Names are listed one per line, optionally
             preceded by key options (as described in AUTHORIZED_KEYS FILE
             FORMAT in sshd(8)).  Empty lines and comments starting with `#'
             are ignored.

             AuthorizedPrincipalsFile may contain tokens of the form %T which
             are substituted during connection setup.
             The following tokens are defined: %% is replaced by a literal
             '%', %h is replaced by the home directory of the user being
             authenticated, and %u is replaced by the username of that user.
             After expansion, AuthorizedPrincipalsFile is taken to be an
             absolute path or one relative to the user's home directory.

             The default is not to use a principals file; in this case, the
             username of the user must appear in a certificate's principals
             list for it to be accepted.  Note that AuthorizedPrincipalsFile
             is only used when authentication proceeds using a CA listed in
             TrustedUserCAKeys and is not consulted for certification
             authorities trusted via ~/.ssh/authorized_keys, though the
             principals= key option offers a similar facility (see sshd(8) for
             details).

     Banner  The contents of the specified file are sent to the remote user
             before authentication is allowed.  If the argument is ``none''
             then no banner is displayed.  This option is only available for
             protocol version 2.  By default, no banner is displayed.

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed
             (e.g. via PAM or through authentication styles supported in
             login.conf(5)).  The default is ``yes''.

     ChrootDirectory
             Specifies the pathname of a directory to chroot(2) to after
             authentication.  All components of the pathname must be
             root-owned directories that are not writable by any other user or
             group.  After the chroot, sshd(8) changes the working directory
             to the user's home directory.
             The pathname may contain the following tokens that are expanded
             at runtime once the connecting user has been authenticated: %% is
             replaced by a literal '%', %h is replaced by the home directory
             of the user being authenticated, and %u is replaced by the
             username of that user.

             The ChrootDirectory must contain the necessary files and
             directories to support the user's session.  For an interactive
             session this requires at least a shell, typically sh(1), and
             basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
             stderr(4), arandom(4) and tty(4) devices.  For file transfer
             sessions using ``sftp'', no additional configuration of the
             environment is necessary if the in-process sftp server is used,
             though sessions which use logging do require /dev/log inside the
             chroot directory (see sftp-server(8) for details).

             The default is not to chroot(2).

     Ciphers
             Specifies the ciphers allowed for protocol version 2.  Multiple
             ciphers must be comma-separated.  The supported ciphers are
             ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
             ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
             ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
             ``cast128-cbc''.  The default is:

                   aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
                   aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
                   aes256-cbc,arcfour

     ClientAliveCountMax
             Sets the number of client alive messages (see below) which may be
             sent without sshd(8) receiving any messages back from the client.
             If this threshold is reached while client alive messages are
             being sent, sshd will disconnect the client, terminating the
             session.  It is important to note that the use of client alive
             messages is very different from TCPKeepAlive (below).  The client
             alive messages are sent through the encrypted channel and
             therefore will not be spoofable.  The TCP keepalive option
             enabled by TCPKeepAlive is spoofable.  The client alive mechanism
             is valuable when the client or server depend on knowing when a
             connection has become inactive.

             The default value is 3.  If ClientAliveInterval (see below) is
             set to 15, and ClientAliveCountMax is left at the default,
             unresponsive SSH clients will be disconnected after approximately
             45 seconds.  This option applies to protocol version 2 only.

     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has
             been received from the client, sshd(8) will send a message
             through the encrypted channel to request a response from the
             client.  The default is 0, indicating that these messages will
             not be sent to the client.  This option applies to protocol
             version 2 only.

     Compression
             Specifies whether compression is allowed, or delayed until the
             user has authenticated successfully.  The argument must be
             ``yes'', ``delayed'', or ``no''.  The default is ``delayed''.

     DenyGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  Login is disallowed for users whose primary
             group or supplementary group list matches one of the patterns.
             Only group names are valid; a numerical group ID is not
             recognized.  By default, login is allowed for all groups.  The
             allow/deny directives are processed in the following order:
             DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     DenyUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  Login is disallowed for user names that
             match one of the patterns.  Only user names are valid; a
             numerical user ID is not recognized.  By default, login is
             allowed for all users.  If the pattern takes the form USER@HOST
             then USER and HOST are separately checked, restricting logins to
             particular users from particular hosts.  The allow/deny
             directives are processed in the following order: DenyUsers,
             AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     ForceCommand
             Forces the execution of the command specified by ForceCommand,
             ignoring any command supplied by the client and ~/.ssh/rc if
             present.  The command is invoked by using the user's login shell
             with the -c option.  This applies to shell, command, or subsystem
             execution.  It is most useful inside a Match block.  The command
             originally supplied by the client is available in the
             SSH_ORIGINAL_COMMAND environment variable.  Specifying a command
             of ``internal-sftp'' will force the use of an in-process sftp
             server that requires no support files when used with
             ChrootDirectory.
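             The following fragment is an added example, not text from the
             manual page; the user, group and host names in it are invented.
             It shows how DenyUsers, AllowUsers, DenyGroups and AllowGroups
             combine under their fixed evaluation order, including the
             USER@HOST form.

```sshd_config
# Added example, not from the original manual page.  All names and
# addresses below are invented for illustration.

DenyUsers   guest *@*.untrusted.example
AllowUsers  alice bob@192.0.2.10 ops-*
DenyGroups  contractors
AllowGroups ssh-users wheel

# The four lists are always evaluated as DenyUsers, AllowUsers, DenyGroups,
# AllowGroups, whatever order they appear in above.  A connection must get
# past every stage.  Worked through for the lists above:
#
#   guest, from anywhere          refused at DenyUsers
#   bob,   from 192.0.2.10        passes AllowUsers (USER and HOST are
#                                 checked separately); still subject to
#                                 both group lists
#   bob,   from 198.51.100.5      refused: AllowUsers is set and no pattern
#                                 matches bob from that host
#   alice, member of contractors  refused at DenyGroups, even though
#                                 AllowUsers matched her name
#   ops-deploy, in ssh-users      allowed (wildcard user, allowed group)
#   carol, in wheel               refused: once AllowUsers is set, a user
#                                 not listed there never reaches AllowGroups
#
# A HOST part is matched against the client's address and, when UseDNS is
# on, its resolved name; with UseDNS off only address patterns are useful.
```

             Note that a single AllowUsers line silently turns every
             unlisted account into a denied one, which is the usual cause of
             lock-outs when the directive is added on a live host.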
     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports
             forwarded for the client.  By default, sshd(8) binds remote port
             forwardings to the loopback address.  This prevents other remote
             hosts from connecting to forwarded ports.  GatewayPorts can be
             used to specify that sshd should allow remote port forwardings to
             bind to non-loopback addresses, thus allowing other hosts to
             connect.  The argument may be ``no'' to force remote port
             forwardings to be available to the local host only, ``yes'' to
             force remote port forwardings to bind to the wildcard address, or
             ``clientspecified'' to allow the client to select the address to
             which the forwarding is bound.  The default is ``no''.

     GSSAPIAuthentication
             Specifies whether user authentication based on GSSAPI is allowed.
             The default is ``no''.  Note that this option applies to protocol
             version 2 only.

     GSSAPICleanupCredentials
             Specifies whether to automatically destroy the user's credentials
             cache on logout.  The default is ``yes''.  Note that this option
             applies to protocol version 2 only.

     HostbasedAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful public key client host authentication is
             allowed (host-based authentication).  This option is similar to
             RhostsRSAAuthentication and applies to protocol version 2 only.
             The default is ``no''.
     HostbasedUsesNameFromPacketOnly
             Specifies whether or not the server will attempt to perform a
             reverse name lookup when matching the name in the ~/.shosts,
             ~/.rhosts, and /etc/hosts.equiv files during
             HostbasedAuthentication.  A setting of ``yes'' means that sshd(8)
             uses the name supplied by the client rather than attempting to
             resolve the name from the TCP connection itself.  The default is
             ``no''.

     HostCertificate
             Specifies a file containing a public host certificate.  The
             certificate's public key must match a private host key already
             specified by HostKey.  The default behaviour of sshd(8) is not to
             load any certificates.

     HostKey
             Specifies a file containing a private host key used by SSH.  The
             default is /etc/ssh/ssh_host_key for protocol version 1, and
             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key and
             /etc/ssh/ssh_host_rsa_key for protocol version 2.  Note that
             sshd(8) will refuse to use a file if it is group/world-accessible.
             It is possible to have multiple host key files.  ``rsa1'' keys
             are used for version 1 and ``dsa'', ``ecdsa'' or ``rsa'' are used
             for version 2 of the SSH protocol.

     IgnoreRhosts
             Specifies that .rhosts and .shosts files will not be used in
             RhostsRSAAuthentication or HostbasedAuthentication.

             /etc/hosts.equiv and /etc/shosts.equiv are still used.  The
             default is ``yes''.

     IgnoreUserKnownHosts
             Specifies whether sshd(8) should ignore the user's
             ~/.ssh/known_hosts during RhostsRSAAuthentication or
             HostbasedAuthentication.
             The default is ``no''.

     IPQoS   Specifies the IPv4 type-of-service or DSCP class for the
             connection.  Accepted values are ``af11'', ``af12'', ``af13'',
             ``af21'', ``af22'', ``af23'', ``af31'', ``af32'', ``af33'',
             ``af41'', ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'',
             ``cs4'', ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'',
             ``throughput'', ``reliability'', or a numeric value.  This option
             may take one or two arguments, separated by whitespace.  If one
             argument is specified, it is used as the packet class
             unconditionally.  If two values are specified, the first is
             automatically selected for interactive sessions and the second
             for non-interactive sessions.  The default is ``lowdelay'' for
             interactive sessions and ``throughput'' for non-interactive
             sessions.

     KerberosAuthentication
             Specifies whether the password provided by the user for
             PasswordAuthentication will be validated through the Kerberos
             KDC.  To use this option, the server needs a Kerberos keytab
             (servtab) which allows the verification of the KDC's identity.
             The default is ``no''.

     KerberosGetAFSToken
             If AFS is active and the user has a Kerberos 5 TGT, attempt to
             acquire an AFS token before accessing the user's home directory.
             The default is ``no''.

     KerberosOrLocalPasswd
             If password authentication through Kerberos fails then the
             password will be validated via any additional local mechanism
             such as /etc/passwd.  The default is ``yes''.

     KerberosTicketCleanup
             Specifies whether to automatically destroy the user's ticket
             cache file on logout.
             The default is ``yes''.

     KexAlgorithms
             Specifies the available KEX (Key Exchange) algorithms.  Multiple
             algorithms must be comma-separated.  The default is
             ``ecdh-sha2-nistp256'', ``ecdh-sha2-nistp384'',
             ``ecdh-sha2-nistp521'', ``diffie-hellman-group-exchange-sha256'',
             ``diffie-hellman-group-exchange-sha1'',
             ``diffie-hellman-group14-sha1'', ``diffie-hellman-group1-sha1''.

     KeyRegenerationInterval
             In protocol version 1, the ephemeral server key is automatically
             regenerated after this many seconds (if it has been used).  The
             purpose of regeneration is to prevent decrypting captured
             sessions by later breaking into the machine and stealing the
             keys.  The key is never stored anywhere.  If the value is 0, the
             key is never regenerated.  The default is 3600 (seconds).

     ListenAddress
             Specifies the local addresses sshd(8) should listen on.  The
             following forms may be used:

                   ListenAddress host|IPv4_addr|IPv6_addr
                   ListenAddress host|IPv4_addr:port
                   ListenAddress [host|IPv6_addr]:port

             If port is not specified, sshd will listen on the address and all
             prior Port options specified.  The default is to listen on all
             local addresses.  Multiple ListenAddress options are permitted.
             Additionally, any Port options must precede this option for
             non-port qualified addresses.

     LoginGraceTime
             The server disconnects after this time if the user has not
             successfully logged in.  If the value is 0, there is no time
             limit.  The default is 120 seconds.
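             The fragment below is an added example, not text from the manual
             page; the addresses are taken from the documentation ranges and
             are invented.  It shows the ordering rule between Port and
             ListenAddress, which is the part of these two entries that most
             often goes wrong in practice.

```sshd_config
# Added example, not from the original manual page.  Addresses are
# documentation-range values chosen for illustration.

AddressFamily any

# Port lines must come first: a ListenAddress without its own port binds
# every Port value that has been seen so far in the file.
Port 22
Port 2222

# No port given, so this binds both 192.0.2.10:22 and 192.0.2.10:2222.
ListenAddress 192.0.2.10

# An explicit port binds only that one: [2001:db8::10]:22.  IPv6 addresses
# must be bracketed when a port is attached.
ListenAddress [2001:db8::10]:22

# A further "Port 2022" placed here, after a ListenAddress, is not added
# to the listener above; sshd(8) rejects the file at startup instead.
# Check the result before restarting:  sshd -t -f /etc/ssh/sshd_config
```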
     LogLevel
             Gives the verbosity level that is used when logging messages from
             sshd(8).  The possible values are: QUIET, FATAL, ERROR, INFO,
             VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.  The default is INFO.
             DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
             higher levels of debugging output.  Logging with a DEBUG level
             violates the privacy of users and is not recommended.

     MACs    Specifies the available MAC (message authentication code)
             algorithms.  The MAC algorithm is used in protocol version 2 for
             data integrity protection.  Multiple algorithms must be
             comma-separated.  The default is:

                   hmac-md5,hmac-sha1,umac-64@openssh.com,
                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
                   hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,
                   hmac-sha2-512-96

     Match   Introduces a conditional block.  If all of the criteria on the
             Match line are satisfied, the keywords on the following lines
             override those set in the global section of the config file,
             until either another Match line or the end of the file.

             The arguments to Match are one or more criteria-pattern pairs.
             The available criteria are User, Group, Host, and Address.  The
             match patterns may consist of single entries or comma-separated
             lists and may use the wildcard and negation operators described
             in the PATTERNS section of ssh_config(5).

             The patterns in an Address criterion may additionally contain
             addresses to match in CIDR address/masklen format, e.g.
             ``192.0.2.0/24'' or ``3ffe:ffff::/32''.
             Note that the mask length provided must be consistent with the
             address: it is an error to specify a mask length that is too long
             for the address or one with bits set in the host portion of the
             address.  For example, ``192.0.2.0/33'' and ``192.0.2.0/8''
             respectively.

             Only a subset of keywords may be used on the lines following a
             Match keyword.  Available keywords are AllowAgentForwarding,
             AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
             Banner, ChrootDirectory, ForceCommand, GatewayPorts,
             GSSAPIAuthentication, HostbasedAuthentication,
             HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
             KerberosAuthentication, MaxAuthTries, MaxSessions,
             PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
             PermitRootLogin, PermitTunnel, PubkeyAuthentication,
             RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
             X11Forwarding and X11UseLocalHost.

     MaxAuthTries
             Specifies the maximum number of authentication attempts permitted
             per connection.  Once the number of failures reaches half this
             value, additional failures are logged.  The default is 6.

     MaxSessions
             Specifies the maximum number of open sessions permitted per
             network connection.  The default is 10.

     MaxStartups
             Specifies the maximum number of concurrent unauthenticated
             connections to the SSH daemon.  Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime
             expires for a connection.  The default is 10.
             Alternatively, random early drop can be enabled by specifying the
             three colon separated values ``start:rate:full'' (e.g.
             "10:30:60").  sshd(8) will refuse connection attempts with a
             probability of ``rate/100'' (30%) if there are currently
             ``start'' (10) unauthenticated connections.  The probability
             increases linearly and all connection attempts are refused if the
             number of unauthenticated connections reaches ``full'' (60).

     PasswordAuthentication
             Specifies whether password authentication is allowed.  The
             default is ``yes''.

     PermitEmptyPasswords
             When password authentication is allowed, it specifies whether the
             server allows login to accounts with empty password strings.  The
             default is ``no''.

     PermitOpen
             Specifies the destinations to which TCP port forwarding is
             permitted.  The forwarding specification must be one of the
             following forms:

                   PermitOpen host:port
                   PermitOpen IPv4_addr:port
                   PermitOpen [IPv6_addr]:port

             Multiple forwards may be specified by separating them with
             whitespace.  An argument of ``any'' can be used to remove all
             restrictions and permit any forwarding requests.  By default all
             port forwarding requests are permitted.

     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be ``yes'', ``without-password'', ``forced-commands-only'',
             or ``no''.  The default is ``yes''.

             If this option is set to ``without-password'', password
             authentication is disabled for root.
             If this option is set to ``forced-commands-only'', root login
             with public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
             remote backups even if root login is normally not allowed).  All
             other authentication methods are disabled for root.

             If this option is set to ``no'', root is not allowed to log in.

     PermitTunnel
             Specifies whether tun(4) device forwarding is allowed.  The
             argument must be ``yes'', ``point-to-point'' (layer 3),
             ``ethernet'' (layer 2), or ``no''.  Specifying ``yes'' permits
             both ``point-to-point'' and ``ethernet''.  The default is ``no''.

     PermitUserEnvironment
             Specifies whether ~/.ssh/environment and environment= options in
             ~/.ssh/authorized_keys are processed by sshd(8).  The default is
             ``no''.  Enabling environment processing may enable users to
             bypass access restrictions in some configurations using
             mechanisms such as LD_PRELOAD.

     PidFile
             Specifies the file that contains the process ID of the SSH
             daemon.  The default is /var/run/sshd.pid.

     Port    Specifies the port number that sshd(8) listens on.  The default
             is 22.  Multiple options of this type are permitted.  See also
             ListenAddress.

     PrintLastLog
             Specifies whether sshd(8) should print the date and time of the
             last user login when a user logs in interactively.  The default
             is ``yes''.

     PrintMotd
             Specifies whether sshd(8) should print /etc/motd when a user logs
             in interactively.
             (On some systems it is also printed by the shell, /etc/profile,
             or equivalent.)  The default is ``yes''.

     Protocol
             Specifies the protocol versions sshd(8) supports.  The possible
             values are `1' and `2'.  Multiple versions must be
             comma-separated.  The default is `2'.  Note that the order of the
             protocol list does not indicate preference, because the client
             selects among multiple protocol versions offered by the server.
             Specifying ``2,1'' is identical to ``1,2''.

     PubkeyAuthentication
             Specifies whether public key authentication is allowed.  The
             default is ``yes''.  Note that this option applies to protocol
             version 2 only.

     RevokedKeys
             Specifies a list of revoked public keys.  Keys listed in this
             file will be refused for public key authentication.  Note that if
             this file is not readable, then public key authentication will be
             refused for all users.

     RhostsRSAAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful RSA host authentication is allowed.  The
             default is ``no''.  This option applies to protocol version 1
             only.

     RSAAuthentication
             Specifies whether pure RSA authentication is allowed.  The
             default is ``yes''.  This option applies to protocol version 1
             only.

     ServerKeyBits
             Defines the number of bits in the ephemeral protocol version 1
             server key.  The minimum value is 512, and the default is 1024.
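             The three fragments that follow are added examples, not text
             from the manual page.  The first narrows the Ciphers,
             KexAlgorithms and MACs lists documented above to the stronger
             members of each; it uses only names that this page lists, and a
             different OpenSSH release may have dropped some of them, so
             verify with sshd -t before deploying.

```sshd_config
# Added example, not from the original manual page.  Every algorithm name
# below appears in the default lists documented in this page.

# CTR modes only: the stream ciphers (arcfour*), the legacy block ciphers
# (3des, blowfish, cast128) and all CBC modes are left out.  Order is the
# server's preference.
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

# SHA-2 based key exchange only.  diffie-hellman-group1-sha1 (a 1024-bit
# MODP group) and the SHA-1 group exchange are left out.
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

# MD5, RIPEMD-160 and the truncated -96 variants are left out.  hmac-sha1
# is kept last for clients that do not yet offer SHA-2 MACs; remove it once
# they all do.
MACs hmac-sha2-512,hmac-sha2-256,umac-64@openssh.com,hmac-sha1
```

             The second fragment is a forwarding policy built from
             AllowTcpForwarding, GatewayPorts, PermitOpen, PermitTunnel and
             AllowAgentForwarding; the host names and addresses are invented.

```sshd_config
# Added example, not from the original manual page.  Host names and
# addresses are invented for illustration.

# Forwarding stays on, but with two constraints:
#  - remote (ssh -R) forwards bind to loopback only, so nothing outside the
#    server can reach a port a client opened on it;
#  - local (ssh -L) and dynamic forwards may only target the two internal
#    services named in PermitOpen.  "any" would lift that restriction.
AllowTcpForwarding yes
GatewayPorts no
PermitOpen db.internal.example:5432 10.0.0.5:443

# No tun(4) tunnelling and no agent forwarding to this host.
PermitTunnel no
AllowAgentForwarding no

# As the AllowTcpForwarding and AllowAgentForwarding entries warn, none of
# this is a boundary for a user who still has a shell: they can run their
# own forwarder over the session.  It becomes one only together with a
# ForceCommand or a shell that cannot execute arbitrary programs.
```

             The third fragment shows the ``forced-commands-only'' setting of
             PermitRootLogin as the page describes it, for the remote-backup
             case.  The authorized_keys line is an illustration of the
             command= option documented in sshd(8), not in this page; the
             backup program name is invented and the key material is left
             out.

```sshd_config
# Added example, not from the original manual page.

# Root may authenticate only with a public key, and only with a key whose
# authorized_keys entry carries a command= option.  That command runs in
# place of whatever the client asked for; passwords, and keys without a
# forced command, are refused for root.
PermitRootLogin forced-commands-only
PubkeyAuthentication yes

# Matching entry in /root/.ssh/authorized_keys (format per sshd(8); the
# program name is invented and the key data elided):
#
#   command="/usr/local/sbin/backup-dump",no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding ssh-rsa AAAA... backup@example
#
# The command the client actually requested is still passed to
# backup-dump in SSH_ORIGINAL_COMMAND, so the script can check it and
# refuse anything other than the expected invocation.
```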
     StrictModes
             Specifies whether sshd(8) should check file modes and ownership
             of the user's files and home directory before accepting login.
             This is normally desirable because novices sometimes accidentally
             leave their directory or files world-writable.  The default is
             ``yes''.  Note that this does not apply to ChrootDirectory, whose
             permissions and ownership are checked unconditionally.

     Subsystem
             Configures an external subsystem (e.g. file transfer daemon).
             Arguments should be a subsystem name and a command (with optional
             arguments) to execute upon subsystem request.

             The command sftp-server(8) implements the ``sftp'' file transfer
             subsystem.

             Alternately the name ``internal-sftp'' implements an in-process
             ``sftp'' server.  This may simplify configurations using
             ChrootDirectory to force a different filesystem root on clients.

             By default no subsystems are defined.  Note that this option
             applies to protocol version 2 only.

     SyslogFacility
             Gives the facility code that is used when logging messages from
             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
             default is AUTH.

     TCPKeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side.  If they are sent, death of the connection or
             crash of one of the machines will be properly noticed.  However,
             this means that connections will die if the route is down
             temporarily, and some people find it annoying.
             On the other hand, if TCP keepalives are not sent, sessions may
             hang indefinitely on the server, leaving ``ghost'' users and
             consuming server resources.

             The default is ``yes'' (to send TCP keepalive messages), and the
             server will notice if the network goes down or the client host
             crashes. This avoids infinitely hanging sessions.

             To disable TCP keepalive messages, the value should be set to
             ``no''.

     TrustedUserCAKeys
             Specifies a file containing public keys of certificate
             authorities that are trusted to sign user certificates for
             authentication. Keys are listed one per line; empty lines and
             comments starting with `#' are allowed. If a certificate is
             presented for authentication and has its signing CA key listed in
             this file, then it may be used for authentication for any user
             listed in the certificate's principals list. Note that
             certificates that lack a list of principals will not be permitted
             for authentication using TrustedUserCAKeys. For more details on
             certificates, see the CERTIFICATES section in ssh-keygen(1).

     UseDNS  Specifies whether sshd(8) should look up the remote host name and
             check that the resolved host name for the remote IP address maps
             back to the very same IP address. The default is ``yes''.

     UseLogin
             Specifies whether login(1) is used for interactive login
             sessions. The default is ``no''. Note that login(1) is never
             used for remote command execution. Note also that if this is
             enabled, X11Forwarding will be disabled because login(1) does not
             know how to handle xauth(1) cookies.
             If UsePrivilegeSeparation is specified, it will be disabled after
             authentication.

     UsePAM  Enables the Pluggable Authentication Module interface. If set to
             ``yes'' this will enable PAM authentication using
             ChallengeResponseAuthentication and PasswordAuthentication in
             addition to PAM account and session module processing for all
             authentication types.

             Because PAM challenge-response authentication usually serves an
             equivalent role to password authentication, you should disable
             either PasswordAuthentication or ChallengeResponseAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a
             non-root user. The default is ``no''.

     UsePrivilegeSeparation
             Specifies whether sshd(8) separates privileges by creating an
             unprivileged child process to deal with incoming network traffic.
             After successful authentication, another process will be created
             that has the privilege of the authenticated user. The goal of
             privilege separation is to prevent privilege escalation by
             containing any corruption within the unprivileged processes. The
             default is ``yes''. If UsePrivilegeSeparation is set to
             ``sandbox'' then the pre-authentication unprivileged process is
             subject to additional restrictions.

     X11DisplayOffset
             Specifies the first display number available for sshd(8)'s X11
             forwarding. This prevents sshd from interfering with real X11
             servers. The default is 10.

     X11Forwarding
             Specifies whether X11 forwarding is permitted. The argument must
             be ``yes'' or ``no''. The default is ``no''.

             When X11 forwarding is enabled, there may be additional exposure
             to the server and to client displays if the sshd(8) proxy display
             is configured to listen on the wildcard address (see
             X11UseLocalhost below), though this is not the default.
             Additionally, the authentication spoofing and authentication data
             verification and substitution occur on the client side. The
             security risk of using X11 forwarding is that the client's X11
             display server may be exposed to attack when the SSH client
             requests forwarding (see the warnings for ForwardX11 in
             ssh_config(5)). A system administrator may have a stance in
             which they want to protect clients that may expose themselves to
             attack by unwittingly requesting X11 forwarding, which can
             warrant a ``no'' setting.

             Note that disabling X11 forwarding does not prevent users from
             forwarding X11 traffic, as users can always install their own
             forwarders. X11 forwarding is automatically disabled if UseLogin
             is enabled.

     X11UseLocalhost
             Specifies whether sshd(8) should bind the X11 forwarding server
             to the loopback address or to the wildcard address. By default,
             sshd binds the forwarding server to the loopback address and sets
             the hostname part of the DISPLAY environment variable to
             ``localhost''. This prevents remote hosts from connecting to the
             proxy display. However, some older X11 clients may not function
             with this configuration. X11UseLocalhost may be set to ``no'' to
             specify that the forwarding server should be bound to the
             wildcard address. The argument must be ``yes'' or ``no''. The
             default is ``yes''.
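     The following Python script is an added example and is not part of
     OpenSSH or of this manual page. It parses a configuration fragment
     using the syntax described under DESCRIPTION (keyword-argument pairs,
     case-insensitive keywords, case-sensitive arguments, `#' comments,
     optional double quotes) and reports the settings this section warns
     about under Protocol, RevokedKeys, StrictModes, UsePAM,
     UsePrivilegeSeparation, X11Forwarding and X11UseLocalhost. The names
     WEAK_CONFIG, HARDENED_CONFIG, parse_sshd_config and audit, the
     injectable readable callback and both configuration fragments are
     constructed for the example; the RevokedKeys path is a placeholder,
     and the defaults assumed for PasswordAuthentication and
     ChallengeResponseAuthentication (both ``yes'') come from the full
     sshd_config(5) page rather than from this section.

```python
import os
import shlex

# Constructed weak fragment (not a real host's file); the RevokedKeys path
# is a placeholder.  The second StrictModes line shows that sshd(8) keeps
# the first value it sees for a keyword, so the later "yes" does not win.
WEAK_CONFIG = """\
# comment lines and blank lines are ignored

Protocol 2,1
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
StrictModes no
StrictModes yes
UsePrivilegeSeparation no
X11Forwarding yes
X11UseLocalhost no
RevokedKeys "/etc/ssh/revoked_keys"
"""

# Constructed fragment with each finding from WEAK_CONFIG resolved.
HARDENED_CONFIG = """\
Protocol 2
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
StrictModes yes
UsePrivilegeSeparation sandbox
X11Forwarding no
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> argument list; the first occurrence wins.

    Keywords are case-insensitive, arguments are not.  shlex handles the
    optional double quotes around arguments containing spaces and drops
    trailing `#' comments.
    """
    settings = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        settings.setdefault(parts[0].lower(), parts[1:])
    return settings


def audit(settings, readable=lambda path: os.access(path, os.R_OK)):
    """Return findings drawn from the notes in this section of the page.

    `readable` is injectable so the RevokedKeys check can run offline.
    Arguments are compared case-sensitively, as sshd(8) does.
    """
    def val(key, default):
        args = settings.get(key)
        return args[0] if args else default

    findings = []
    if "1" in val("protocol", "2").split(","):
        findings.append("Protocol enables version 1 (default is 2 only)")
    if (val("usepam", "no") == "yes"
            and val("passwordauthentication", "yes") == "yes"
            and val("challengeresponseauthentication", "yes") == "yes"):
        findings.append("UsePAM yes with both PasswordAuthentication and "
                        "ChallengeResponseAuthentication enabled; disable one")
    if val("strictmodes", "yes") == "no":
        findings.append("StrictModes no: home directory modes and ownership "
                        "are not checked before login")
    if val("useprivilegeseparation", "yes") == "no":
        findings.append("UsePrivilegeSeparation no: pre-auth network code "
                        "is not confined to an unprivileged child")
    if val("x11forwarding", "no") == "yes" and val("x11uselocalhost", "yes") == "no":
        findings.append("X11Forwarding yes with X11UseLocalhost no: proxy "
                        "display listens on the wildcard address")
    revoked = val("revokedkeys", None)
    if revoked is not None and not readable(revoked):
        findings.append("RevokedKeys %s is unreadable: public key "
                        "authentication will be refused for all users" % revoked)
    return findings


if __name__ == "__main__":
    # Offline run: pretend the revoked-keys file cannot be read.
    for f in audit(parse_sshd_config(WEAK_CONFIG), readable=lambda p: False):
        print("-", f)
    print("hardened:", audit(parse_sshd_config(HARDENED_CONFIG)))
```

     Run as-is the script reports six findings for WEAK_CONFIG and none
     for HARDENED_CONFIG. Because sshd(8) -T prints the effective
     configuration in the same keyword-argument form, the same parser can
     be pointed at that output to audit a live host rather than a file
     that Match blocks or a different -f path may render misleading.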

     XAuthLocation
             Specifies the full pathname of the xauth(1) program. The default
             is /usr/X11R6/bin/xauth.

TIME FORMATS
     sshd(8) command-line arguments and configuration file options that
     specify time may be expressed using a sequence of the form:
     time[qualifier], where time is a positive integer value and qualifier is
     one of the following:

           <none>  seconds
           s | S   seconds
           m | M   minutes
           h | H   hours
           d | D   days
           w | W   weeks

     Each member of the sequence is added together to calculate the total time
     value.

     Time format examples:

           600     600 seconds (10 minutes)
           10m     10 minutes
           1h30m   1 hour 30 minutes (90 minutes)

FILES
     /etc/ssh/sshd_config
             Contains configuration data for sshd(8). This file should be
             writable by root only, but it is recommended (though not
             necessary) that it be world-readable.

SEE ALSO
     sshd(8)

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH. Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
     for privilege separation.

OpenBSD 5.0                    September 9, 2011                    OpenBSD 5.0
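     A parser for the time format described under TIME FORMATS, added here
     as an example; it is not OpenSSH's own code. Each time[qualifier]
     member is matched in turn and its seconds are summed, upper- and
     lower-case qualifiers are accepted as the table shows, and anything
     that is not a digit run followed by an optional qualifier is rejected
     rather than silently truncated. The names parse_time and
     parse_time_or_default are chosen for the example.

```python
import re

# Seconds per qualifier; the empty qualifier means seconds.
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# One sequence member: an unsigned integer followed by an optional qualifier.
_MEMBER = re.compile(r"(\d+)([sSmMhHdDwW]?)")


def parse_time(spec):
    """Return the total number of seconds for a spec such as '1h30m'.

    Raises ValueError for an empty spec, an unknown qualifier, a missing
    number or any stray character, so a malformed value in a config check
    fails loudly instead of being read as a shorter timeout.
    """
    if not spec:
        raise ValueError("empty time specification")
    total = 0
    pos = 0
    while pos < len(spec):
        m = _MEMBER.match(spec, pos)
        if m is None:
            raise ValueError("bad time specification near %r" % spec[pos:])
        number, qualifier = m.groups()
        total += int(number) * _UNIT_SECONDS[qualifier.lower()]
        pos = m.end()
    return total


def parse_time_or_default(spec, default):
    """Convenience for config audits: return default when spec is malformed."""
    try:
        return parse_time(spec)
    except ValueError:
        return default


if __name__ == "__main__":
    for example in ("600", "10m", "1h30m", "2W", "1d2h3m4s", "10x"):
        print(example, "->", parse_time_or_default(example, "invalid"))
```

     The three examples from the table above evaluate to 600, 600 and 5400
     seconds respectively; "10x" is rejected because `x' is not a listed
     qualifier.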