| version 1.228, 2016/08/12 19:19:04 |
version 1.229, 2016/08/15 12:32:04 |
|
|
| .Dq publickey,publickey |
.Dq publickey,publickey |
| will require successful authentication using two different public keys. |
will require successful authentication using two different public keys. |
| .Pp |
.Pp |
| This option will yield a fatal |
|
| error if enabled if protocol 1 is also enabled. |
|
| Note that each authentication method listed should also be explicitly enabled |
Note that each authentication method listed should also be explicitly enabled |
| in the configuration. |
in the configuration. |
| The default |
The default |
|
|
| .It Cm HostKey |
.It Cm HostKey |
| Specifies a file containing a private host key |
Specifies a file containing a private host key |
| used by SSH. |
used by SSH. |
| The default is |
The defaults are |
| .Pa /etc/ssh/ssh_host_key |
|
| for protocol version 1, and |
|
| .Pa /etc/ssh/ssh_host_dsa_key , |
.Pa /etc/ssh/ssh_host_dsa_key , |
| .Pa /etc/ssh/ssh_host_ecdsa_key , |
.Pa /etc/ssh/ssh_host_ecdsa_key , |
| .Pa /etc/ssh/ssh_host_ed25519_key |
.Pa /etc/ssh/ssh_host_ed25519_key |
| and |
and |
| .Pa /etc/ssh/ssh_host_rsa_key |
.Pa /etc/ssh/ssh_host_rsa_key . |
| for protocol version 2. |
|
| .Pp |
.Pp |
| Note that |
Note that |
| .Xr sshd 8 |
.Xr sshd 8 |
|
|
| .Xr sshd 8 . |
.Xr sshd 8 . |
| .Pp |
.Pp |
| It is possible to have multiple host key files. |
It is possible to have multiple host key files. |
| .Dq rsa1 |
|
| keys are used for version 1 and |
|
| .Dq dsa , |
|
| .Dq ecdsa , |
|
| .Dq ed25519 |
|
| or |
|
| .Dq rsa |
|
| are used for version 2 of the SSH protocol. |
|
| It is also possible to specify public host key files instead. |
It is also possible to specify public host key files instead. |
| In this case operations on the private key will be delegated |
In this case operations on the private key will be delegated |
| to an |
to an |
|
|
| and |
and |
| .Pa .shosts |
.Pa .shosts |
| files will not be used in |
files will not be used in |
| .Cm RhostsRSAAuthentication |
|
| or |
|
| .Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
| .Pp |
.Pp |
| .Pa /etc/hosts.equiv |
.Pa /etc/hosts.equiv |
|
|
| should ignore the user's |
should ignore the user's |
| .Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
| during |
during |
| .Cm RhostsRSAAuthentication |
|
| or |
|
| .Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
|
|
| .Xr ssh 1 |
.Xr ssh 1 |
| with an argument of |
with an argument of |
| .Dq kex . |
.Dq kex . |
| .It Cm KeyRegenerationInterval |
|
| In protocol version 1, the ephemeral server key is automatically regenerated |
|
| after this many seconds (if it has been used). |
|
| The purpose of regeneration is to prevent |
|
| decrypting captured sessions by later breaking into the machine and |
|
| stealing the keys. |
|
| The key is never stored anywhere. |
|
| If the value is 0, the key is never regenerated. |
|
| The default is 3600 (seconds). |
|
| .It Cm ListenAddress |
.It Cm ListenAddress |
| Specifies the local addresses |
Specifies the local addresses |
| .Xr sshd 8 |
.Xr sshd 8 |
|
|
| .Cm PubkeyAuthentication , |
.Cm PubkeyAuthentication , |
| .Cm RekeyLimit , |
.Cm RekeyLimit , |
| .Cm RevokedKeys , |
.Cm RevokedKeys , |
| .Cm RhostsRSAAuthentication , |
|
| .Cm RSAAuthentication , |
|
| .Cm StreamLocalBindMask , |
.Cm StreamLocalBindMask , |
| .Cm StreamLocalBindUnlink , |
.Cm StreamLocalBindUnlink , |
| .Cm TrustedUserCAKeys , |
.Cm TrustedUserCAKeys , |
|
|
| or equivalent.) |
or equivalent.) |
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .It Cm Protocol |
|
| Specifies the protocol versions |
|
| .Xr sshd 8 |
|
| supports. |
|
| The possible values are |
|
| .Sq 1 |
|
| and |
|
| .Sq 2 . |
|
| Multiple versions must be comma-separated. |
|
| The default is |
|
| .Sq 2 . |
|
| Protocol 1 suffers from a number of cryptographic weaknesses and should |
|
| not be used. |
|
| It is only offered to support legacy devices. |
|
| .Pp |
|
| Note that the order of the protocol list does not indicate preference, |
|
| because the client selects among multiple protocol versions offered |
|
| by the server. |
|
| Specifying |
|
| .Dq 2,1 |
|
| is identical to |
|
| .Dq 1,2 . |
|
| .It Cm PubkeyAcceptedKeyTypes |
.It Cm PubkeyAcceptedKeyTypes |
| Specifies the key types that will be accepted for public key authentication |
Specifies the key types that will be accepted for public key authentication |
| as a comma-separated pattern list. |
as a comma-separated pattern list. |
|
|
| .Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
| For more information on KRLs, see the KEY REVOCATION LISTS section in |
For more information on KRLs, see the KEY REVOCATION LISTS section in |
| .Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
| .It Cm RhostsRSAAuthentication |
|
| Specifies whether rhosts or /etc/hosts.equiv authentication together |
|
| with successful RSA host authentication is allowed. |
|
| The default is |
|
| .Dq no . |
|
| This option applies to protocol version 1 only. |
|
| .It Cm RSAAuthentication |
|
| Specifies whether pure RSA authentication is allowed. |
|
| The default is |
|
| .Dq yes . |
|
| This option applies to protocol version 1 only. |
|
| .It Cm ServerKeyBits |
|
| Defines the number of bits in the ephemeral protocol version 1 server key. |
|
| The default and minimum value is 1024. |
|
| .It Cm StreamLocalBindMask |
.It Cm StreamLocalBindMask |
| Sets the octal file creation mode mask |
Sets the octal file creation mode mask |
| .Pq umask |
.Pq umask |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh