| version 1.174, 2014/07/03 22:40:43 |
version 1.175, 2014/07/15 15:54:14 |
|
|
| Note that disabling TCP forwarding does not improve security unless |
Note that disabling TCP forwarding does not improve security unless |
| users are also denied shell access, as they can always install their |
users are also denied shell access, as they can always install their |
| own forwarders. |
own forwarders. |
| |
.It Cm AllowStreamLocalForwarding |
| |
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. |
| |
The available options are |
| |
.Dq yes |
| |
or |
| |
.Dq all |
| |
to allow StreamLocal forwarding, |
| |
.Dq no |
| |
to prevent all StreamLocal forwarding, |
| |
.Dq local |
| |
to allow local (from the perspective of |
| |
.Xr ssh 1 ) |
| |
forwarding only or |
| |
.Dq remote |
| |
to allow remote forwarding only. |
| |
The default is |
| |
.Dq yes . |
| |
Note that disabling StreamLocal forwarding does not improve security unless |
| |
users are also denied shell access, as they can always install their |
| |
own forwarders. |
| .It Cm AllowUsers |
.It Cm AllowUsers |
| This keyword can be followed by a list of user name patterns, separated |
This keyword can be followed by a list of user name patterns, separated |
| by spaces. |
by spaces. |
|
|
| .It Cm ServerKeyBits |
.It Cm ServerKeyBits |
| Defines the number of bits in the ephemeral protocol version 1 server key. |
Defines the number of bits in the ephemeral protocol version 1 server key. |
| The minimum value is 512, and the default is 1024. |
The minimum value is 512, and the default is 1024. |
| |
.It Cm StreamLocalBindMask |
| |
Sets the octal file creation mode mask |
| |
.Pq umask |
| |
used when creating a Unix-domain socket file for local or remote |
| |
port forwarding. |
| |
This option is only used for port forwarding to a Unix-domain socket file. |
| |
.Pp |
| |
The default value is 0177, which creates a Unix-domain socket file that is |
| |
readable and writable only by the owner. |
| |
Note that not all operating systems honor the file mode on Unix-domain |
| |
socket files. |
| |
.It Cm StreamLocalBindUnlink |
| |
Specifies whether to remove an existing Unix-domain socket file for local |
| |
or remote port forwarding before creating a new one. |
| |
If the socket file already exists and |
| |
.Cm StreamLocalBindUnlink |
| |
is not enabled, |
| |
.Nm sshd |
| |
will be unable to forward the port to the Unix-domain socket file. |
| |
This option is only used for port forwarding to a Unix-domain socket file. |
| |
.Pp |
| |
The argument must be |
| |
.Dq yes |
| |
or |
| |
.Dq no . |
| |
The default is |
| |
.Dq no . |
| .It Cm StrictModes |
.It Cm StrictModes |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Xr sshd 8 |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh