version 1.228, 2016/08/12 19:19:04 |
version 1.229, 2016/08/15 12:32:04 |
|
|
.Dq publickey,publickey |
.Dq publickey,publickey |
will require successful authentication using two different public keys. |
will require successful authentication using two different public keys. |
.Pp |
.Pp |
This option will yield a fatal |
|
error if enabled if protocol 1 is also enabled. |
|
Note that each authentication method listed should also be explicitly enabled |
Note that each authentication method listed should also be explicitly enabled |
in the configuration. |
in the configuration. |
The default |
The default |
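Review bot: With the "fatal error if protocol 1 is also enabled" sentence gone, the AuthenticationMethods entry no longer says anything about protocol support, which is only correct if the server-side check that produced that fatal error is removed in the same change; otherwise the manual and sshd's actual behaviour diverge. Worth confirming the matching check in the server's configuration validation goes away with this commit. The remaining sentence "Note that each authentication method listed should also be explicitly enabled in the configuration." still reads correctly directly after the publickey,publickey example, so no wording change is needed here.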
|
|
.It Cm HostKey |
.It Cm HostKey |
Specifies a file containing a private host key |
Specifies a file containing a private host key |
used by SSH. |
used by SSH. |
The default is |
The defaults are |
.Pa /etc/ssh/ssh_host_key |
|
for protocol version 1, and |
|
.Pa /etc/ssh/ssh_host_dsa_key , |
.Pa /etc/ssh/ssh_host_dsa_key , |
.Pa /etc/ssh/ssh_host_ecdsa_key , |
.Pa /etc/ssh/ssh_host_ecdsa_key , |
.Pa /etc/ssh/ssh_host_ed25519_key |
.Pa /etc/ssh/ssh_host_ed25519_key |
and |
and |
.Pa /etc/ssh/ssh_host_rsa_key |
.Pa /etc/ssh/ssh_host_rsa_key . |
for protocol version 2. |
|
.Pp |
.Pp |
Note that |
Note that |
.Xr sshd 8 |
.Xr sshd 8 |
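Review bot: Changing "The default is" to "The defaults are" and listing only the four protocol-2 key files is the right edit, but /etc/ssh/ssh_host_key is very likely still mentioned elsewhere (the FILES section of sshd(8), and any ssh-keygen -A guidance, since -A generated an rsa1 host key); those should be scrubbed in the same pass so the manual does not point at a file the server no longer reads. Minor style check: the list now ends ".Pa /etc/ssh/ssh_host_rsa_key ." with the trailing period as a separate macro argument, which is the mdoc convention and renders as "ssh_host_rsa_key." without a stray space.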
|
|
.Xr sshd 8 . |
.Xr sshd 8 . |
.Pp |
.Pp |
It is possible to have multiple host key files. |
It is possible to have multiple host key files. |
.Dq rsa1 |
|
keys are used for version 1 and |
|
.Dq dsa , |
|
.Dq ecdsa , |
|
.Dq ed25519 |
|
or |
|
.Dq rsa |
|
are used for version 2 of the SSH protocol. |
|
It is also possible to specify public host key files instead. |
It is also possible to specify public host key files instead. |
In this case operations on the private key will be delegated |
In this case operations on the private key will be delegated |
to an |
to an |
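Review bot: With the sentence "rsa1 keys are used for version 1 and dsa, ecdsa, ed25519 or rsa are used for version 2" removed, the paragraph now reads "It is possible to have multiple host key files. It is also possible to specify public host key files instead." and "instead" has lost its antecedent (it meant instead of private key files). Suggest "It is also possible to specify public host key files instead of private ones; in this case operations on the private key will be delegated to an ...". Dropping the list also leaves the HostKey entry with no explicit statement of which key types are valid; the default file list above implies dsa, ecdsa, ed25519 and rsa, which is probably sufficient, but a reader searching the manual for "rsa1" will now find nothing saying it is gone.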
|
|
and |
and |
.Pa .shosts |
.Pa .shosts |
files will not be used in |
files will not be used in |
.Cm RhostsRSAAuthentication |
|
or |
|
.Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
.Pp |
.Pp |
.Pa /etc/hosts.equiv |
.Pa /etc/hosts.equiv |
|
|
should ignore the user's |
should ignore the user's |
.Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
during |
during |
.Cm RhostsRSAAuthentication |
|
or |
|
.Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
The default is |
The default is |
.Dq no . |
.Dq no . |
|
|
.Xr ssh 1 |
.Xr ssh 1 |
with an argument of |
with an argument of |
.Dq kex . |
.Dq kex . |
.It Cm KeyRegenerationInterval |
|
In protocol version 1, the ephemeral server key is automatically regenerated |
|
after this many seconds (if it has been used). |
|
The purpose of regeneration is to prevent |
|
decrypting captured sessions by later breaking into the machine and |
|
stealing the keys. |
|
The key is never stored anywhere. |
|
If the value is 0, the key is never regenerated. |
|
The default is 3600 (seconds). |
|
.It Cm ListenAddress |
.It Cm ListenAddress |
Specifies the local addresses |
Specifies the local addresses |
.Xr sshd 8 |
.Xr sshd 8 |
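Review bot: Removing KeyRegenerationInterval from the manual needs a matching change in the server's configuration parser so that existing sshd_config files containing the keyword (it appears in many distribution-shipped defaults) are still accepted after upgrade, ideally as a deprecated no-op that logs a warning rather than a fatal parse error; a server that refuses to start after a package update because of an obsolete keyword is a worse outcome than an ignored line. The surrounding order is still correct: the KexAlgorithms text ending "with an argument of kex." is now followed directly by ListenAddress.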
|
|
.Cm PubkeyAuthentication , |
.Cm PubkeyAuthentication , |
.Cm RekeyLimit , |
.Cm RekeyLimit , |
.Cm RevokedKeys , |
.Cm RevokedKeys , |
.Cm RhostsRSAAuthentication , |
|
.Cm RSAAuthentication , |
|
.Cm StreamLocalBindMask , |
.Cm StreamLocalBindMask , |
.Cm StreamLocalBindUnlink , |
.Cm StreamLocalBindUnlink , |
.Cm TrustedUserCAKeys , |
.Cm TrustedUserCAKeys , |
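Review bot: The Match keyword list drops RhostsRSAAuthentication and RSAAuthentication and remains alphabetical (RevokedKeys, then StreamLocalBindMask), so nothing to fix in the text itself; make sure the table of keywords permitted inside Match blocks in the parser is updated in the same commit, since that table is exactly what this paragraph documents and the two drift easily.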
|
|
or equivalent.) |
or equivalent.) |
The default is |
The default is |
.Dq yes . |
.Dq yes . |
.It Cm Protocol |
|
Specifies the protocol versions |
|
.Xr sshd 8 |
|
supports. |
|
The possible values are |
|
.Sq 1 |
|
and |
|
.Sq 2 . |
|
Multiple versions must be comma-separated. |
|
The default is |
|
.Sq 2 . |
|
Protocol 1 suffers from a number of cryptographic weaknesses and should |
|
not be used. |
|
It is only offered to support legacy devices. |
|
.Pp |
|
Note that the order of the protocol list does not indicate preference, |
|
because the client selects among multiple protocol versions offered |
|
by the server. |
|
Specifying |
|
.Dq 2,1 |
|
is identical to |
|
.Dq 1,2 . |
|
.It Cm PubkeyAcceptedKeyTypes |
.It Cm PubkeyAcceptedKeyTypes |
Specifies the key types that will be accepted for public key authentication |
Specifies the key types that will be accepted for public key authentication |
as a comma-separated pattern list. |
as a comma-separated pattern list. |
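Review bot: Deleting the Protocol entry outright rather than documenting it as deprecated is the biggest compatibility change in this diff: "Protocol 2" is the single most common line in hardened sshd_config files, so the server must keep accepting the keyword (and, if anything, reject only a value that still asks for protocol 1, such as "1" or "2,1", with a clear error) or every such host fails to start after upgrade. A one-line mention that Protocol is now ignored would help administrators who find the keyword in their config and come to this page looking for it. The removed warning that "Protocol 1 suffers from a number of cryptographic weaknesses and should not be used" disappears with the entry; that is fine for sshd since the choice no longer exists, but the client-side ssh_config(5) entry is a separate change and still needs it.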
|
|
.Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
For more information on KRLs, see the KEY REVOCATION LISTS section in |
For more information on KRLs, see the KEY REVOCATION LISTS section in |
.Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
.It Cm RhostsRSAAuthentication |
|
Specifies whether rhosts or /etc/hosts.equiv authentication together |
|
with successful RSA host authentication is allowed. |
|
The default is |
|
.Dq no . |
|
This option applies to protocol version 1 only. |
|
.It Cm RSAAuthentication |
|
Specifies whether pure RSA authentication is allowed. |
|
The default is |
|
.Dq yes . |
|
This option applies to protocol version 1 only. |
|
.It Cm ServerKeyBits |
|
Defines the number of bits in the ephemeral protocol version 1 server key. |
|
The default and minimum value is 1024. |
|
.It Cm StreamLocalBindMask |
.It Cm StreamLocalBindMask |
Sets the octal file creation mode mask |
Sets the octal file creation mode mask |
.Pq umask |
.Pq umask |
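Review bot: Removing RSAAuthentication and RhostsRSAAuthentication could be misread as dropping RSA support; both were protocol-1-only (as their last sentences said), while the protocol-2 equivalents PubkeyAuthentication and HostbasedAuthentication remain and /etc/ssh/ssh_host_rsa_key stays in the HostKey defaults earlier in this diff. Consider saying so explicitly in the commit message. Note also that RSAAuthentication defaulted to "yes", so its removal does not tighten anything: RSA public keys continue to be accepted through PubkeyAuthentication, subject to PubkeyAcceptedKeyTypes. ServerKeyBits should be treated like KeyRegenerationInterval: the keyword needs to stay parseable as an obsolete no-op so existing configurations keep loading.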