Changes between version 1.174, 2014/07/03 22:40:43 and version 1.175, 2014/07/15 15:54:14

Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowStreamLocalForwarding
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
The available options are
.Dq yes
or
.Dq all
to allow StreamLocal forwarding,
.Dq no
to prevent all StreamLocal forwarding,
.Dq local
to allow local (from the perspective of
.Xr ssh 1 )
forwarding only or
.Dq remote
to allow remote forwarding only.
The default is
.Dq yes .
Note that disabling StreamLocal forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
|
|
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
used when creating a Unix-domain socket file for local or remote
port forwarding.
This option is only used for port forwarding to a Unix-domain socket file.
.Pp
The default value is 0177, which creates a Unix-domain socket file that is
readable and writable only by the owner
.Pq mode 0600 .
Note that not all operating systems honor the file mode on Unix-domain
socket files; where it is ignored, access must instead be restricted through
the permissions of the directory containing the socket file.
.It Cm StreamLocalBindUnlink
Specifies whether to remove an existing Unix-domain socket file for local
or remote port forwarding before creating a new one.
If the socket file already exists and
.Cm StreamLocalBindUnlink
is not enabled,
.Nm sshd
will be unable to forward the port to the Unix-domain socket file.
This option is only used for port forwarding to a Unix-domain socket file.
Note that enabling this option removes whatever already exists at the socket
path before the new socket is bound, so it should only be used with paths
that the user controls.
.Pp
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
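.Pp
The following is an added example, not part of this manual page or of
OpenSSH itself, that reproduces in Python the two behaviours described
under
.Cm StreamLocalBindMask
and
.Cm StreamLocalBindUnlink :
binding a Unix-domain socket while a 0177 umask is in effect and reading
back the resulting file mode, and the bind failure that occurs when the
socket path is already occupied unless the stale entry is unlinked first.
The function and parameter names
.Pq Fn bind_stream_local , Fn socket_file_mode , Fn demo , Fn run_in_tempdir
are assumptions chosen for illustration, and the mode check assumes a
system such as Linux that honors the umask on socket files.

```python
import errno
import os
import socket
import stat
import tempfile


def bind_stream_local(path, bind_mask=0o177, unlink_first=False):
    """Create and bind a listening Unix-domain socket at `path`.

    Illustrative counterpart of two sshd_config options (the names here
    are this example's, not OpenSSH's):
      bind_mask    - applied as the process umask only while bind() creates
                     the socket file (StreamLocalBindMask, default 0177).
      unlink_first - remove whatever already exists at `path` before binding
                     (StreamLocalBindUnlink, default no).
    Returns the bound socket; raises OSError (EADDRINUSE) when the path is
    already occupied and unlink_first is False.
    """
    if unlink_first:
        # Like the sshd option, this removes any existing entry at the path
        # without checking what it is, which is why it is off by default and
        # only sensible for paths the user controls.
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
    old_mask = os.umask(bind_mask)
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.bind(path)
        except OSError:
            sock.close()
            raise
    finally:
        # Restore the caller's umask whether or not bind() succeeded.
        os.umask(old_mask)
    sock.listen(1)
    return sock


def socket_file_mode(path):
    """Permission bits of the socket file, e.g. 0o600 for umask 0177."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a Unix-domain socket" % path)
    return stat.S_IMODE(st.st_mode)


def demo(directory, bind_mask=0o177):
    """Walk through both behaviours inside `directory`; return a summary."""
    path = os.path.join(directory, "forward.sock")
    first = bind_stream_local(path, bind_mask=bind_mask)
    mode = socket_file_mode(path)  # 0o777 & ~bind_mask where honored
    # Closing the socket leaves the file behind, so a second bind to the
    # same path fails, just as sshd cannot forward to an existing socket
    # file when StreamLocalBindUnlink is "no".
    first.close()
    try:
        bind_stream_local(path, bind_mask=bind_mask)
        reuse_without_unlink = "succeeded"
    except OSError as e:
        reuse_without_unlink = errno.errorcode.get(e.errno, str(e.errno))
    # With unlink_first (StreamLocalBindUnlink "yes") the stale entry is
    # removed and the bind succeeds.
    second = bind_stream_local(path, bind_mask=bind_mask, unlink_first=True)
    second.close()
    os.unlink(path)
    return {"mode": mode, "reuse_without_unlink": reuse_without_unlink}


def run_in_tempdir(bind_mask=0o177):
    """Run demo() in a fresh temporary directory (constructed test input)."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d, bind_mask=bind_mask)


if __name__ == "__main__":
    print(run_in_tempdir())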
.It Cm StrictModes |
.It Cm StrictModes |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Xr sshd 8 |