| version 1.236, 2016/09/28 20:32:42 |
version 1.237, 2016/10/07 14:41:52 |
|
|
| Specifies which address family should be used by |
Specifies which address family should be used by |
| .Xr sshd 8 . |
.Xr sshd 8 . |
| Valid arguments are |
Valid arguments are |
| .Dq any , |
.Cm any |
| .Dq inet |
(the default), |
| |
.Cm inet |
| (use IPv4 only), or |
(use IPv4 only), or |
| .Dq inet6 |
.Cm inet6 |
| (use IPv6 only). |
(use IPv6 only). |
| The default is |
|
| .Dq any . |
|
| .It Cm AllowAgentForwarding |
.It Cm AllowAgentForwarding |
| Specifies whether |
Specifies whether |
| .Xr ssh-agent 1 |
.Xr ssh-agent 1 |
| forwarding is permitted. |
forwarding is permitted. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| Note that disabling agent forwarding does not improve security |
Note that disabling agent forwarding does not improve security |
| unless users are also denied shell access, as they can always install |
unless users are also denied shell access, as they can always install |
| their own forwarders. |
their own forwarders. |
|
|
| .It Cm AllowStreamLocalForwarding |
.It Cm AllowStreamLocalForwarding |
| Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. |
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. |
| The available options are |
The available options are |
| .Dq yes |
.Cm yes |
| |
(the default) |
| or |
or |
| .Dq all |
.Cm all |
| to allow StreamLocal forwarding, |
to allow StreamLocal forwarding, |
| .Dq no |
.Cm no |
| to prevent all StreamLocal forwarding, |
to prevent all StreamLocal forwarding, |
| .Dq local |
.Cm local |
| to allow local (from the perspective of |
to allow local (from the perspective of |
| .Xr ssh 1 ) |
.Xr ssh 1 ) |
| forwarding only or |
forwarding only or |
| .Dq remote |
.Cm remote |
| to allow remote forwarding only. |
to allow remote forwarding only. |
| The default is |
|
| .Dq yes . |
|
| Note that disabling StreamLocal forwarding does not improve security unless |
Note that disabling StreamLocal forwarding does not improve security unless |
| users are also denied shell access, as they can always install their |
users are also denied shell access, as they can always install their |
| own forwarders. |
own forwarders. |
| .It Cm AllowTcpForwarding |
.It Cm AllowTcpForwarding |
| Specifies whether TCP forwarding is permitted. |
Specifies whether TCP forwarding is permitted. |
| The available options are |
The available options are |
| .Dq yes |
.Cm yes |
| |
(the default) |
| or |
or |
| .Dq all |
.Cm all |
| to allow TCP forwarding, |
to allow TCP forwarding, |
| .Dq no |
.Cm no |
| to prevent all TCP forwarding, |
to prevent all TCP forwarding, |
| .Dq local |
.Cm local |
| to allow local (from the perspective of |
to allow local (from the perspective of |
| .Xr ssh 1 ) |
.Xr ssh 1 ) |
| forwarding only or |
forwarding only or |
| .Dq remote |
.Cm remote |
| to allow remote forwarding only. |
to allow remote forwarding only. |
| The default is |
|
| .Dq yes . |
|
| Note that disabling TCP forwarding does not improve security unless |
Note that disabling TCP forwarding does not improve security unless |
| users are also denied shell access, as they can always install their |
users are also denied shell access, as they can always install their |
| own forwarders. |
own forwarders. |
|
|
| for a user to be granted access. |
for a user to be granted access. |
| This option must be followed by one or more comma-separated lists of |
This option must be followed by one or more comma-separated lists of |
| authentication method names, or by the single string |
authentication method names, or by the single string |
| .Dq any |
.Cm any |
| to indicate the default behaviour of accepting any single authentication |
to indicate the default behaviour of accepting any single authentication |
| method. |
method. |
| if the default is overridden, then successful authentication requires |
If the default is overridden, then successful authentication requires |
| completion of every method in at least one of these lists. |
completion of every method in at least one of these lists. |
| .Pp |
.Pp |
| For example, an argument of |
For example, |
| .Dq publickey,password publickey,keyboard-interactive |
.Qq publickey,password publickey,keyboard-interactive |
| would require the user to complete public key authentication, followed by |
would require the user to complete public key authentication, followed by |
| either password or keyboard interactive authentication. |
either password or keyboard interactive authentication. |
| Only methods that are next in one or more lists are offered at each stage, |
Only methods that are next in one or more lists are offered at each stage, |
| so for this example, it would not be possible to attempt password or |
so for this example it would not be possible to attempt password or |
| keyboard-interactive authentication before public key. |
keyboard-interactive authentication before public key. |
| .Pp |
.Pp |
| For keyboard interactive authentication it is also possible to |
For keyboard interactive authentication it is also possible to |
| restrict authentication to a specific device by appending a |
restrict authentication to a specific device by appending a |
| colon followed by the device identifier |
colon followed by the device identifier |
| .Dq bsdauth , |
.Cm bsdauth , |
| .Dq pam , |
.Cm pam , |
| or |
or |
| .Dq skey , |
.Cm skey , |
| depending on the server configuration. |
depending on the server configuration. |
| For example, |
For example, |
| .Dq keyboard-interactive:bsdauth |
.Qq keyboard-interactive:bsdauth |
| would restrict keyboard interactive authentication to the |
would restrict keyboard interactive authentication to the |
| .Dq bsdauth |
.Cm bsdauth |
| device. |
device. |
| .Pp |
.Pp |
| If the |
If the publickey method is listed more than once, |
| .Dq publickey |
|
| method is listed more than once, |
|
| .Xr sshd 8 |
.Xr sshd 8 |
| verifies that keys that have been used successfully are not reused for |
verifies that keys that have been used successfully are not reused for |
| subsequent authentications. |
subsequent authentications. |
| For example, an |
For example, |
| .Cm AuthenticationMethods |
.Qq publickey,publickey |
| of |
requires successful authentication using two different public keys. |
| .Dq publickey,publickey |
|
| will require successful authentication using two different public keys. |
|
| .Pp |
.Pp |
| Note that each authentication method listed should also be explicitly enabled |
Note that each authentication method listed should also be explicitly enabled |
| in the configuration. |
in the configuration. |
| The default |
|
| .Dq any |
|
| is not to require multiple authentication; successful completion |
|
| of a single authentication method is sufficient. |
|
| .It Cm AuthorizedKeysCommand |
.It Cm AuthorizedKeysCommand |
| Specifies a program to be used to look up the user's public keys. |
Specifies a program to be used to look up the user's public keys. |
| The program must be owned by root, not writable by group or others and |
The program must be owned by root, not writable by group or others and |
|
|
| and authorize the user then public key authentication continues using the usual |
and authorize the user then public key authentication continues using the usual |
| .Cm AuthorizedKeysFile |
.Cm AuthorizedKeysFile |
| files. |
files. |
| By default, no AuthorizedKeysCommand is run. |
By default, no |
| |
.Cm AuthorizedKeysCommand |
| |
is run. |
| .It Cm AuthorizedKeysCommandUser |
.It Cm AuthorizedKeysCommandUser |
| Specifies the user under whose account the AuthorizedKeysCommand is run. |
Specifies the user under whose account the |
| |
.Cm AuthorizedKeysCommand |
| |
is run. |
| It is recommended to use a dedicated user that has no other role on the host |
It is recommended to use a dedicated user that has no other role on the host |
| than running authorized keys commands. |
than running authorized keys commands. |
| If |
If |
|
|
| directory. |
directory. |
| Multiple files may be listed, separated by whitespace. |
Multiple files may be listed, separated by whitespace. |
| Alternately this option may be set to |
Alternately this option may be set to |
| .Dq none |
.Cm none |
| to skip checking for user keys in files. |
to skip checking for user keys in files. |
| The default is |
The default is |
| .Dq .ssh/authorized_keys .ssh/authorized_keys2 . |
.Qq .ssh/authorized_keys .ssh/authorized_keys2 . |
| .It Cm AuthorizedPrincipalsCommand |
.It Cm AuthorizedPrincipalsCommand |
| Specifies a program to be used to generate the list of allowed |
Specifies a program to be used to generate the list of allowed |
| certificate principals as per |
certificate principals as per |
|
|
| .Cm AuthorizedPrincipalsFile |
.Cm AuthorizedPrincipalsFile |
| is taken to be an absolute path or one relative to the user's home directory. |
is taken to be an absolute path or one relative to the user's home directory. |
| The default is |
The default is |
| .Dq none , |
.Cm none , |
| i.e. not to use a principals file \(en in this case, the username |
i.e. not to use a principals file \(en in this case, the username |
| of the user must appear in a certificate's principals list for it to be |
of the user must appear in a certificate's principals list for it to be |
| accepted. |
accepted. |
|
|
| The contents of the specified file are sent to the remote user before |
The contents of the specified file are sent to the remote user before |
| authentication is allowed. |
authentication is allowed. |
| If the argument is |
If the argument is |
| .Dq none |
.Cm none |
| then no banner is displayed. |
then no banner is displayed. |
| By default, no banner is displayed. |
By default, no banner is displayed. |
| .It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
|
|
| .Xr login.conf 5 |
.Xr login.conf 5 |
| are supported. |
are supported. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm ChrootDirectory |
.It Cm ChrootDirectory |
| Specifies the pathname of a directory to |
Specifies the pathname of a directory to |
| .Xr chroot 2 |
.Xr chroot 2 |
|
|
| and |
and |
| .Xr tty 4 |
.Xr tty 4 |
| devices. |
devices. |
| For file transfer sessions using |
For file transfer sessions using SFTP |
| .Dq sftp , |
no additional configuration of the environment is necessary if the in-process |
| no additional configuration of the environment is necessary if the |
sftp-server is used, |
| in-process sftp server is used, |
|
| though sessions which use logging may require |
though sessions which use logging may require |
| .Pa /dev/log |
.Pa /dev/log |
| inside the chroot directory on some operating systems (see |
inside the chroot directory on some operating systems (see |
|
|
| cannot detect. |
cannot detect. |
| .Pp |
.Pp |
| The default is |
The default is |
| .Dq none , |
.Cm none , |
| indicating not to |
indicating not to |
| .Xr chroot 2 . |
.Xr chroot 2 . |
| .It Cm Ciphers |
.It Cm Ciphers |
|
|
| aes128-gcm@openssh.com,aes256-gcm@openssh.com |
aes128-gcm@openssh.com,aes256-gcm@openssh.com |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The list of available ciphers may also be obtained using the |
The list of available ciphers may also be obtained using |
| .Fl Q |
.Qq ssh -Q cipher . |
| option of |
|
| .Xr ssh 1 |
|
| with an argument of |
|
| .Dq cipher . |
|
| .It Cm ClientAliveCountMax |
.It Cm ClientAliveCountMax |
| Sets the number of client alive messages (see below) which may be |
Sets the number of client alive messages which may be sent without |
| sent without |
|
| .Xr sshd 8 |
.Xr sshd 8 |
| receiving any messages back from the client. |
receiving any messages back from the client. |
| If this threshold is reached while client alive messages are being sent, |
If this threshold is reached while client alive messages are being sent, |
| sshd will disconnect the client, terminating the session. |
sshd will disconnect the client, terminating the session. |
| It is important to note that the use of client alive messages is very |
It is important to note that the use of client alive messages is very |
| different from |
different from |
| .Cm TCPKeepAlive |
.Cm TCPKeepAlive . |
| (below). |
|
| The client alive messages are sent through the encrypted channel |
The client alive messages are sent through the encrypted channel |
| and therefore will not be spoofable. |
and therefore will not be spoofable. |
| The TCP keepalive option enabled by |
The TCP keepalive option enabled by |
|
|
| The default value is 3. |
The default value is 3. |
| If |
If |
| .Cm ClientAliveInterval |
.Cm ClientAliveInterval |
| (see below) is set to 15, and |
is set to 15, and |
| .Cm ClientAliveCountMax |
.Cm ClientAliveCountMax |
| is left at the default, unresponsive SSH clients |
is left at the default, unresponsive SSH clients |
| will be disconnected after approximately 45 seconds. |
will be disconnected after approximately 45 seconds. |
|
|
| Specifies whether compression is enabled after |
Specifies whether compression is enabled after |
| the user has authenticated successfully. |
the user has authenticated successfully. |
| The argument must be |
The argument must be |
| .Dq yes , |
.Cm yes , |
| .Dq delayed |
.Cm delayed |
| (a legacy synonym for |
(a legacy synonym for |
| .Dq yes ) |
.Cm yes ) |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm DenyGroups |
.It Cm DenyGroups |
| This keyword can be followed by a list of group name patterns, separated |
This keyword can be followed by a list of group name patterns, separated |
| by spaces. |
by spaces. |
|
|
| .It Cm FingerprintHash |
.It Cm FingerprintHash |
| Specifies the hash algorithm used when logging key fingerprints. |
Specifies the hash algorithm used when logging key fingerprints. |
| Valid options are: |
Valid options are: |
| .Dq md5 |
.Cm md5 |
| and |
and |
| .Dq sha256 . |
.Cm sha256 . |
| The default is |
The default is |
| .Dq sha256 . |
.Cm sha256 . |
| .It Cm ForceCommand |
.It Cm ForceCommand |
| Forces the execution of the command specified by |
Forces the execution of the command specified by |
| .Cm ForceCommand , |
.Cm ForceCommand , |
|
|
| .Ev SSH_ORIGINAL_COMMAND |
.Ev SSH_ORIGINAL_COMMAND |
| environment variable. |
environment variable. |
| Specifying a command of |
Specifying a command of |
| .Dq internal-sftp |
.Cm internal-sftp |
| will force the use of an in-process sftp server that requires no support |
will force the use of an in-process SFTP server that requires no support |
| files when used with |
files when used with |
| .Cm ChrootDirectory . |
.Cm ChrootDirectory . |
| The default is |
The default is |
| .Dq none . |
.Cm none . |
| .It Cm GatewayPorts |
.It Cm GatewayPorts |
| Specifies whether remote hosts are allowed to connect to ports |
Specifies whether remote hosts are allowed to connect to ports |
| forwarded for the client. |
forwarded for the client. |
|
|
| should allow remote port forwardings to bind to non-loopback addresses, thus |
should allow remote port forwardings to bind to non-loopback addresses, thus |
| allowing other hosts to connect. |
allowing other hosts to connect. |
| The argument may be |
The argument may be |
| .Dq no |
.Cm no |
| to force remote port forwardings to be available to the local host only, |
to force remote port forwardings to be available to the local host only, |
| .Dq yes |
.Cm yes |
| to force remote port forwardings to bind to the wildcard address, or |
to force remote port forwardings to bind to the wildcard address, or |
| .Dq clientspecified |
.Cm clientspecified |
| to allow the client to select the address to which the forwarding is bound. |
to allow the client to select the address to which the forwarding is bound. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm GSSAPIAuthentication |
.It Cm GSSAPIAuthentication |
| Specifies whether user authentication based on GSSAPI is allowed. |
Specifies whether user authentication based on GSSAPI is allowed. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm GSSAPICleanupCredentials |
.It Cm GSSAPICleanupCredentials |
| Specifies whether to automatically destroy the user's credentials cache |
Specifies whether to automatically destroy the user's credentials cache |
| on logout. |
on logout. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm GSSAPIStrictAcceptorCheck |
.It Cm GSSAPIStrictAcceptorCheck |
| Determines whether to be strict about the identity of the GSSAPI acceptor |
Determines whether to be strict about the identity of the GSSAPI acceptor |
| a client authenticates against. |
a client authenticates against. |
| If set to |
If set to |
| .Dq yes |
.Cm yes |
| then the client must authenticate against the |
then the client must authenticate against the host |
| .Pa host |
|
| service on the current hostname. |
service on the current hostname. |
| If set to |
If set to |
| .Dq no |
.Cm no |
| then the client may authenticate against any service key stored in the |
then the client may authenticate against any service key stored in the |
| machine's default store. |
machine's default store. |
| This facility is provided to assist with operation on multi homed machines. |
This facility is provided to assist with operation on multi homed machines. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm HostbasedAcceptedKeyTypes |
.It Cm HostbasedAcceptedKeyTypes |
| Specifies the key types that will be accepted for hostbased authentication |
Specifies the key types that will be accepted for hostbased authentication |
| as a comma-separated pattern list. |
as a comma-separated pattern list. |
|
|
| ssh-ed25519,ssh-rsa |
ssh-ed25519,ssh-rsa |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The |
The list of available key types may also be obtained using |
| .Fl Q |
.Qq ssh -Q key . |
| option of |
|
| .Xr ssh 1 |
|
| may be used to list supported key types. |
|
| .It Cm HostbasedAuthentication |
.It Cm HostbasedAuthentication |
| Specifies whether rhosts or /etc/hosts.equiv authentication together |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
| with successful public key client host authentication is allowed |
with successful public key client host authentication is allowed |
| (host-based authentication). |
(host-based authentication). |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm HostbasedUsesNameFromPacketOnly |
.It Cm HostbasedUsesNameFromPacketOnly |
| Specifies whether or not the server will attempt to perform a reverse |
Specifies whether or not the server will attempt to perform a reverse |
| name lookup when matching the name in the |
name lookup when matching the name in the |
|
|
| files during |
files during |
| .Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
| A setting of |
A setting of |
| .Dq yes |
.Cm yes |
| means that |
means that |
| .Xr sshd 8 |
.Xr sshd 8 |
| uses the name supplied by the client rather than |
uses the name supplied by the client rather than |
| attempting to resolve the name from the TCP connection itself. |
attempting to resolve the name from the TCP connection itself. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm HostCertificate |
.It Cm HostCertificate |
| Specifies a file containing a public host certificate. |
Specifies a file containing a public host certificate. |
| The certificate's public key must match a private host key already specified |
The certificate's public key must match a private host key already specified |
|
|
| Identifies the UNIX-domain socket used to communicate |
Identifies the UNIX-domain socket used to communicate |
| with an agent that has access to the private host keys. |
with an agent that has access to the private host keys. |
| If the string |
If the string |
| .Dq SSH_AUTH_SOCK |
.Qq SSH_AUTH_SOCK |
| is specified, the location of the socket will be read from the |
is specified, the location of the socket will be read from the |
| .Ev SSH_AUTH_SOCK |
.Ev SSH_AUTH_SOCK |
| environment variable. |
environment variable. |
|
|
| ssh-ed25519,ssh-rsa |
ssh-ed25519,ssh-rsa |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The list of available key types may also be obtained using the |
The list of available key types may also be obtained using |
| .Fl Q |
.Qq ssh -Q key . |
| option of |
|
| .Xr ssh 1 |
|
| with an argument of |
|
| .Dq key . |
|
| .It Cm IgnoreRhosts |
.It Cm IgnoreRhosts |
| Specifies that |
Specifies that |
| .Pa .rhosts |
.Pa .rhosts |
|
|
| .Pa /etc/shosts.equiv |
.Pa /etc/shosts.equiv |
| are still used. |
are still used. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm IgnoreUserKnownHosts |
.It Cm IgnoreUserKnownHosts |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Xr sshd 8 |
|
|
| during |
during |
| .Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm IPQoS |
.It Cm IPQoS |
| Specifies the IPv4 type-of-service or DSCP class for the connection. |
Specifies the IPv4 type-of-service or DSCP class for the connection. |
| Accepted values are |
Accepted values are |
| .Dq af11 , |
.Cm af11 , |
| .Dq af12 , |
.Cm af12 , |
| .Dq af13 , |
.Cm af13 , |
| .Dq af21 , |
.Cm af21 , |
| .Dq af22 , |
.Cm af22 , |
| .Dq af23 , |
.Cm af23 , |
| .Dq af31 , |
.Cm af31 , |
| .Dq af32 , |
.Cm af32 , |
| .Dq af33 , |
.Cm af33 , |
| .Dq af41 , |
.Cm af41 , |
| .Dq af42 , |
.Cm af42 , |
| .Dq af43 , |
.Cm af43 , |
| .Dq cs0 , |
.Cm cs0 , |
| .Dq cs1 , |
.Cm cs1 , |
| .Dq cs2 , |
.Cm cs2 , |
| .Dq cs3 , |
.Cm cs3 , |
| .Dq cs4 , |
.Cm cs4 , |
| .Dq cs5 , |
.Cm cs5 , |
| .Dq cs6 , |
.Cm cs6 , |
| .Dq cs7 , |
.Cm cs7 , |
| .Dq ef , |
.Cm ef , |
| .Dq lowdelay , |
.Cm lowdelay , |
| .Dq throughput , |
.Cm throughput , |
| .Dq reliability , |
.Cm reliability , |
| or a numeric value. |
or a numeric value. |
| This option may take one or two arguments, separated by whitespace. |
This option may take one or two arguments, separated by whitespace. |
| If one argument is specified, it is used as the packet class unconditionally. |
If one argument is specified, it is used as the packet class unconditionally. |
| If two values are specified, the first is automatically selected for |
If two values are specified, the first is automatically selected for |
| interactive sessions and the second for non-interactive sessions. |
interactive sessions and the second for non-interactive sessions. |
| The default is |
The default is |
| .Dq lowdelay |
.Cm lowdelay |
| for interactive sessions and |
for interactive sessions and |
| .Dq throughput |
.Cm throughput |
| for non-interactive sessions. |
for non-interactive sessions. |
| .It Cm KbdInteractiveAuthentication |
.It Cm KbdInteractiveAuthentication |
| Specifies whether to allow keyboard-interactive authentication. |
Specifies whether to allow keyboard-interactive authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is to use whatever value |
The default is to use whatever value |
| .Cm ChallengeResponseAuthentication |
.Cm ChallengeResponseAuthentication |
| is set to |
is set to |
| (by default |
(by default |
| .Dq yes ) . |
.Cm yes ) . |
| .It Cm KerberosAuthentication |
.It Cm KerberosAuthentication |
| Specifies whether the password provided by the user for |
Specifies whether the password provided by the user for |
| .Cm PasswordAuthentication |
.Cm PasswordAuthentication |
|
|
| To use this option, the server needs a |
To use this option, the server needs a |
| Kerberos servtab which allows the verification of the KDC's identity. |
Kerberos servtab which allows the verification of the KDC's identity. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm KerberosGetAFSToken |
.It Cm KerberosGetAFSToken |
| If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
| an AFS token before accessing the user's home directory. |
an AFS token before accessing the user's home directory. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm KerberosOrLocalPasswd |
.It Cm KerberosOrLocalPasswd |
| If password authentication through Kerberos fails then |
If password authentication through Kerberos fails then |
| the password will be validated via any additional local mechanism |
the password will be validated via any additional local mechanism |
| such as |
such as |
| .Pa /etc/passwd . |
.Pa /etc/passwd . |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm KerberosTicketCleanup |
.It Cm KerberosTicketCleanup |
| Specifies whether to automatically destroy the user's ticket cache |
Specifies whether to automatically destroy the user's ticket cache |
| file on logout. |
file on logout. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm KexAlgorithms |
.It Cm KexAlgorithms |
| Specifies the available KEX (Key Exchange) algorithms. |
Specifies the available KEX (Key Exchange) algorithms. |
| Multiple algorithms must be comma-separated. |
Multiple algorithms must be comma-separated. |
|
|
| diffie-hellman-group14-sha1 |
diffie-hellman-group14-sha1 |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The list of available key exchange algorithms may also be obtained using the |
The list of available key exchange algorithms may also be obtained using |
| .Fl Q |
.Qq ssh -Q kex . |
| option of |
|
| .Xr ssh 1 |
|
| with an argument of |
|
| .Dq kex . |
|
| .It Cm ListenAddress |
.It Cm ListenAddress |
| Specifies the local addresses |
Specifies the local addresses |
| .Xr sshd 8 |
.Xr sshd 8 |
|
|
| instead of replacing them. |
instead of replacing them. |
| .Pp |
.Pp |
| The algorithms that contain |
The algorithms that contain |
| .Dq -etm |
.Qq -etm |
| calculate the MAC after encryption (encrypt-then-mac). |
calculate the MAC after encryption (encrypt-then-mac). |
| These are considered safer and their use recommended. |
These are considered safer and their use recommended. |
| The supported MACs are: |
The supported MACs are: |
|
|
| hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The list of available MAC algorithms may also be obtained using the |
The list of available MAC algorithms may also be obtained using |
| .Fl Q |
.Qq ssh -Q mac . |
| option of |
|
| .Xr ssh 1 |
|
| with an argument of |
|
| .Dq mac . |
|
| .It Cm Match |
.It Cm Match |
| Introduces a conditional block. |
Introduces a conditional block. |
| If all of the criteria on the |
If all of the criteria on the |
|
|
| .Cm Address . |
.Cm Address . |
| The match patterns may consist of single entries or comma-separated |
The match patterns may consist of single entries or comma-separated |
| lists and may use the wildcard and negation operators described in the |
lists and may use the wildcard and negation operators described in the |
| PATTERNS section of |
.Sx PATTERNS |
| |
section of |
| .Xr ssh_config 5 . |
.Xr ssh_config 5 . |
| .Pp |
.Pp |
| The patterns in an |
The patterns in an |
| .Cm Address |
.Cm Address |
| criteria may additionally contain addresses to match in CIDR |
criteria may additionally contain addresses to match in CIDR |
| address/masklen format, e.g.\& |
address/masklen format, |
| .Dq 192.0.2.0/24 |
such as 192.0.2.0/24 or 2001:db8::/32. |
| or |
|
| .Dq 2001:db8::/32 . |
|
| Note that the mask length provided must be consistent with the address - |
Note that the mask length provided must be consistent with the address - |
| it is an error to specify a mask length that is too long for the address |
it is an error to specify a mask length that is too long for the address |
| or one with bits set in this host portion of the address. |
or one with bits set in this host portion of the address. |
| For example, |
For example, 192.0.2.0/33 and 192.0.2.0/8, respectively. |
| .Dq 192.0.2.0/33 |
|
| and |
|
| .Dq 192.0.2.0/8 |
|
| respectively. |
|
| .Pp |
.Pp |
| Only a subset of keywords may be used on the lines following a |
Only a subset of keywords may be used on the lines following a |
| .Cm Match |
.Cm Match |
|
|
| .Pp |
.Pp |
| Alternatively, random early drop can be enabled by specifying |
Alternatively, random early drop can be enabled by specifying |
| the three colon separated values |
the three colon separated values |
| .Dq start:rate:full |
start:rate:full (e.g. "10:30:60"). |
| (e.g. "10:30:60"). |
|
| .Xr sshd 8 |
.Xr sshd 8 |
| will refuse connection attempts with a probability of |
will refuse connection attempts with a probability of rate/100 (30%) |
| .Dq rate/100 |
if there are currently start (10) unauthenticated connections. |
| (30%) |
|
| if there are currently |
|
| .Dq start |
|
| (10) |
|
| unauthenticated connections. |
|
| The probability increases linearly and all connection attempts |
The probability increases linearly and all connection attempts |
| are refused if the number of unauthenticated connections reaches |
are refused if the number of unauthenticated connections reaches full (60). |
| .Dq full |
|
| (60). |
|
| .It Cm PasswordAuthentication |
.It Cm PasswordAuthentication |
| Specifies whether password authentication is allowed. |
Specifies whether password authentication is allowed. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm PermitEmptyPasswords |
.It Cm PermitEmptyPasswords |
| When password authentication is allowed, it specifies whether the |
When password authentication is allowed, it specifies whether the |
| server allows login to accounts with empty password strings. |
server allows login to accounts with empty password strings. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm PermitOpen |
.It Cm PermitOpen |
| Specifies the destinations to which TCP port forwarding is permitted. |
Specifies the destinations to which TCP port forwarding is permitted. |
| The forwarding specification must be one of the following forms: |
The forwarding specification must be one of the following forms: |
|
|
| .Pp |
.Pp |
| Multiple forwards may be specified by separating them with whitespace. |
Multiple forwards may be specified by separating them with whitespace. |
| An argument of |
An argument of |
| .Dq any |
.Cm any |
| can be used to remove all restrictions and permit any forwarding requests. |
can be used to remove all restrictions and permit any forwarding requests. |
| An argument of |
An argument of |
| .Dq none |
.Cm none |
| can be used to prohibit all forwarding requests. |
can be used to prohibit all forwarding requests. |
| The wildcard |
The wildcard |
| .Dq * |
.Sq * |
| can be used for host or port to allow all hosts or ports, respectively. |
can be used for host or port to allow all hosts or ports, respectively. |
| By default all port forwarding requests are permitted. |
By default all port forwarding requests are permitted. |
| .It Cm PermitRootLogin |
.It Cm PermitRootLogin |
| Specifies whether root can log in using |
Specifies whether root can log in using |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| The argument must be |
The argument must be |
| .Dq yes , |
.Cm yes , |
| .Dq prohibit-password , |
.Cm prohibit-password , |
| .Dq without-password , |
.Cm without-password , |
| .Dq forced-commands-only , |
.Cm forced-commands-only , |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is |
The default is |
| .Dq prohibit-password . |
.Cm prohibit-password . |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq prohibit-password |
.Cm prohibit-password |
| or |
or |
| .Dq without-password , |
.Cm without-password , |
| password and keyboard-interactive authentication are disabled for root. |
password and keyboard-interactive authentication are disabled for root. |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq forced-commands-only , |
.Cm forced-commands-only , |
| root login with public key authentication will be allowed, |
root login with public key authentication will be allowed, |
| but only if the |
but only if the |
| .Ar command |
.Ar command |
|
|
| All other authentication methods are disabled for root. |
All other authentication methods are disabled for root. |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq no , |
.Cm no , |
| root is not allowed to log in. |
root is not allowed to log in. |
| .It Cm PermitTTY |
.It Cm PermitTTY |
| Specifies whether |
Specifies whether |
| .Xr pty 4 |
.Xr pty 4 |
| allocation is permitted. |
allocation is permitted. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm PermitTunnel |
.It Cm PermitTunnel |
| Specifies whether |
Specifies whether |
| .Xr tun 4 |
.Xr tun 4 |
| device forwarding is allowed. |
device forwarding is allowed. |
| The argument must be |
The argument must be |
| .Dq yes , |
.Cm yes , |
| .Dq point-to-point |
.Cm point-to-point |
| (layer 3), |
(layer 3), |
| .Dq ethernet |
.Cm ethernet |
| (layer 2), or |
(layer 2), or |
| .Dq no . |
.Cm no . |
| Specifying |
Specifying |
| .Dq yes |
.Cm yes |
| permits both |
permits both |
| .Dq point-to-point |
.Cm point-to-point |
| and |
and |
| .Dq ethernet . |
.Cm ethernet . |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .Pp |
.Pp |
| Independent of this setting, the permissions of the selected |
Independent of this setting, the permissions of the selected |
| .Xr tun 4 |
.Xr tun 4 |
|
|
| are processed by |
are processed by |
| .Xr sshd 8 . |
.Xr sshd 8 . |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| Enabling environment processing may enable users to bypass access |
Enabling environment processing may enable users to bypass access |
| restrictions in some configurations using mechanisms such as |
restrictions in some configurations using mechanisms such as |
| .Ev LD_PRELOAD . |
.Ev LD_PRELOAD . |
|
|
| .Pa ~/.ssh/rc |
.Pa ~/.ssh/rc |
| file is executed. |
file is executed. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm PidFile |
.It Cm PidFile |
| Specifies the file that contains the process ID of the |
Specifies the file that contains the process ID of the |
| SSH daemon, or |
SSH daemon, or |
| .Dq none |
.Cm none |
| to not write one. |
to not write one. |
| The default is |
The default is |
| .Pa /var/run/sshd.pid . |
.Pa /var/run/sshd.pid . |
|
|
| should print the date and time of the last user login when a user logs |
should print the date and time of the last user login when a user logs |
| in interactively. |
in interactively. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm PrintMotd |
.It Cm PrintMotd |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Xr sshd 8 |
|
|
| .Pa /etc/profile , |
.Pa /etc/profile , |
| or equivalent.) |
or equivalent.) |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm PubkeyAcceptedKeyTypes |
.It Cm PubkeyAcceptedKeyTypes |
| Specifies the key types that will be accepted for public key authentication |
Specifies the key types that will be accepted for public key authentication |
| as a comma-separated pattern list. |
as a comma-separated pattern list. |
|
|
| ssh-ed25519,ssh-rsa |
ssh-ed25519,ssh-rsa |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The |
The list of available key types may also be obtained using |
| .Fl Q |
.Qq ssh -Q key . |
| option of |
|
| .Xr ssh 1 |
|
| may be used to list supported key types. |
|
| .It Cm PubkeyAuthentication |
.It Cm PubkeyAuthentication |
| Specifies whether public key authentication is allowed. |
Specifies whether public key authentication is allowed. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm RekeyLimit |
.It Cm RekeyLimit |
| Specifies the maximum amount of data that may be transmitted before the |
Specifies the maximum amount of data that may be transmitted before the |
| session key is renegotiated, optionally followed a maximum amount of |
session key is renegotiated, optionally followed a maximum amount of |
|
|
| The default value for |
The default value for |
| .Cm RekeyLimit |
.Cm RekeyLimit |
| is |
is |
| .Dq default none , |
.Cm default none , |
| which means that rekeying is performed after the cipher's default amount |
which means that rekeying is performed after the cipher's default amount |
| of data has been sent or received and no time based rekeying is done. |
of data has been sent or received and no time based rekeying is done. |
| .It Cm RevokedKeys |
.It Cm RevokedKeys |
| Specifies revoked public keys file, or |
Specifies revoked public keys file, or |
| .Dq none |
.Cm none |
| to not use one. |
to not use one. |
| Keys listed in this file will be refused for public key authentication. |
Keys listed in this file will be refused for public key authentication. |
| Note that if this file is not readable, then public key authentication will |
Note that if this file is not readable, then public key authentication will |
|
|
| This option is only used for port forwarding to a Unix-domain socket file. |
This option is only used for port forwarding to a Unix-domain socket file. |
| .Pp |
.Pp |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm StrictModes |
.It Cm StrictModes |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Xr sshd 8 |
|
|
| This is normally desirable because novices sometimes accidentally leave their |
This is normally desirable because novices sometimes accidentally leave their |
| directory or files world-writable. |
directory or files world-writable. |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| Note that this does not apply to |
Note that this does not apply to |
| .Cm ChrootDirectory , |
.Cm ChrootDirectory , |
| whose permissions and ownership are checked unconditionally. |
whose permissions and ownership are checked unconditionally. |
|
|
| to execute upon subsystem request. |
to execute upon subsystem request. |
| .Pp |
.Pp |
| The command |
The command |
| .Xr sftp-server 8 |
.Cm sftp-server |
| implements the |
implements the SFTP file transfer subsystem. |
| .Dq sftp |
|
| file transfer subsystem. |
|
| .Pp |
.Pp |
| Alternately the name |
Alternately the name |
| .Dq internal-sftp |
.Cm internal-sftp |
| implements an in-process |
implements an in-process SFTP server. |
| .Dq sftp |
|
| server. |
|
| This may simplify configurations using |
This may simplify configurations using |
| .Cm ChrootDirectory |
.Cm ChrootDirectory |
| to force a different filesystem root on clients. |
to force a different filesystem root on clients. |
|
|
| find it annoying. |
find it annoying. |
| On the other hand, if TCP keepalives are not sent, |
On the other hand, if TCP keepalives are not sent, |
| sessions may hang indefinitely on the server, leaving |
sessions may hang indefinitely on the server, leaving |
| .Dq ghost |
.Qq ghost |
| users and consuming server resources. |
users and consuming server resources. |
| .Pp |
.Pp |
| The default is |
The default is |
| .Dq yes |
.Cm yes |
| (to send TCP keepalive messages), and the server will notice |
(to send TCP keepalive messages), and the server will notice |
| if the network goes down or the client host crashes. |
if the network goes down or the client host crashes. |
| This avoids infinitely hanging sessions. |
This avoids infinitely hanging sessions. |
| .Pp |
.Pp |
| To disable TCP keepalive messages, the value should be set to |
To disable TCP keepalive messages, the value should be set to |
| .Dq no . |
.Cm no . |
| .It Cm TrustedUserCAKeys |
.It Cm TrustedUserCAKeys |
| Specifies a file containing public keys of certificate authorities that are |
Specifies a file containing public keys of certificate authorities that are |
| trusted to sign user certificates for authentication, or |
trusted to sign user certificates for authentication, or |
| .Dq none |
.Cm none |
| to not use one. |
to not use one. |
| Keys are listed one per line; empty lines and comments starting with |
Keys are listed one per line; empty lines and comments starting with |
| .Ql # |
.Ql # |
|
|
| very same IP address. |
very same IP address. |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq no |
.Cm no |
| (the default) then only addresses and not host names may be used in |
(the default) then only addresses and not host names may be used in |
| .Pa ~/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
| .Cm from |
.Cm from |
|
|
| The goal of privilege separation is to prevent privilege |
The goal of privilege separation is to prevent privilege |
| escalation by containing any corruption within the unprivileged processes. |
escalation by containing any corruption within the unprivileged processes. |
| The argument must be |
The argument must be |
| .Dq yes , |
.Cm yes , |
| .Dq no , |
.Cm no , |
| or |
or |
| .Dq sandbox . |
.Cm sandbox . |
| If |
If |
| .Cm UsePrivilegeSeparation |
.Cm UsePrivilegeSeparation |
| is set to |
is set to |
| .Dq sandbox |
.Cm sandbox |
| then the pre-authentication unprivileged process is subject to additional |
then the pre-authentication unprivileged process is subject to additional |
| restrictions. |
restrictions. |
| The default is |
The default is |
| .Dq sandbox . |
.Cm sandbox . |
| .It Cm VersionAddendum |
.It Cm VersionAddendum |
| Optionally specifies additional text to append to the SSH protocol banner |
Optionally specifies additional text to append to the SSH protocol banner |
| sent by the server upon connection. |
sent by the server upon connection. |
| The default is |
The default is |
| .Dq none . |
.Cm none . |
| .It Cm X11DisplayOffset |
.It Cm X11DisplayOffset |
| Specifies the first display number available for |
Specifies the first display number available for |
| .Xr sshd 8 Ns 's |
.Xr sshd 8 Ns 's |
|
|
| .It Cm X11Forwarding |
.It Cm X11Forwarding |
| Specifies whether X11 forwarding is permitted. |
Specifies whether X11 forwarding is permitted. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .Pp |
.Pp |
| When X11 forwarding is enabled, there may be additional exposure to |
When X11 forwarding is enabled, there may be additional exposure to |
| the server and to client displays if the |
the server and to client displays if the |
| .Xr sshd 8 |
.Xr sshd 8 |
| proxy display is configured to listen on the wildcard address (see |
proxy display is configured to listen on the wildcard address (see |
| .Cm X11UseLocalhost |
.Cm X11UseLocalhost ) , |
| below), though this is not the default. |
though this is not the default. |
| Additionally, the authentication spoofing and authentication data |
Additionally, the authentication spoofing and authentication data |
| verification and substitution occur on the client side. |
verification and substitution occur on the client side. |
| The security risk of using X11 forwarding is that the client's X11 |
The security risk of using X11 forwarding is that the client's X11 |
|
|
| A system administrator may have a stance in which they want to |
A system administrator may have a stance in which they want to |
| protect clients that may expose themselves to attack by unwittingly |
protect clients that may expose themselves to attack by unwittingly |
| requesting X11 forwarding, which can warrant a |
requesting X11 forwarding, which can warrant a |
| .Dq no |
.Cm no |
| setting. |
setting. |
| .Pp |
.Pp |
| Note that disabling X11 forwarding does not prevent users from |
Note that disabling X11 forwarding does not prevent users from |
|
|
| hostname part of the |
hostname part of the |
| .Ev DISPLAY |
.Ev DISPLAY |
| environment variable to |
environment variable to |
| .Dq localhost . |
.Cm localhost . |
| This prevents remote hosts from connecting to the proxy display. |
This prevents remote hosts from connecting to the proxy display. |
| However, some older X11 clients may not function with this |
However, some older X11 clients may not function with this |
| configuration. |
configuration. |
| .Cm X11UseLocalhost |
.Cm X11UseLocalhost |
| may be set to |
may be set to |
| .Dq no |
.Cm no |
| to specify that the forwarding server should be bound to the wildcard |
to specify that the forwarding server should be bound to the wildcard |
| address. |
address. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is |
The default is |
| .Dq yes . |
.Cm yes . |
| .It Cm XAuthLocation |
.It Cm XAuthLocation |
| Specifies the full pathname of the |
Specifies the full pathname of the |
| .Xr xauth 1 |
.Xr xauth 1 |
| program, or |
program, or |
| .Dq none |
.Cm none |
| to not use one. |
to not use one. |
| The default is |
The default is |
| .Pa /usr/X11R6/bin/xauth . |
.Pa /usr/X11R6/bin/xauth . |
|
|
| (though not necessary) that it be world-readable. |
(though not necessary) that it be world-readable. |
| .El |
.El |
| .Sh SEE ALSO |
.Sh SEE ALSO |
| |
.Xr sftp-server 8 , |
| .Xr sshd 8 |
.Xr sshd 8 |
| .Sh AUTHORS |
.Sh AUTHORS |
| |
.An -nosplit |
| OpenSSH is a derivative of the original and free |
OpenSSH is a derivative of the original and free |
| ssh 1.2.12 release by Tatu Ylonen. |
ssh 1.2.12 release by |
| Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
.An Tatu Ylonen . |
| Theo de Raadt and Dug Song |
.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos , |
| |
.An Theo de Raadt |
| |
and |
| |
.An Dug Song |
| removed many bugs, re-added newer features and |
removed many bugs, re-added newer features and |
| created OpenSSH. |
created OpenSSH. |
| Markus Friedl contributed the support for SSH |
.An Markus Friedl |
| protocol versions 1.5 and 2.0. |
contributed the support for SSH protocol versions 1.5 and 2.0. |
| Niels Provos and Markus Friedl contributed support |
.An Niels Provos |
| for privilege separation. |
and |
| |
.An Markus Friedl |
| |
contributed support for privilege separation. |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh