version 1.236, 2016/09/28 20:32:42 |
version 1.237, 2016/10/07 14:41:52 |
|
|
Specifies which address family should be used by |
Specifies which address family should be used by |
.Xr sshd 8 . |
.Xr sshd 8 . |
Valid arguments are |
Valid arguments are |
.Dq any , |
.Cm any |
.Dq inet |
(the default), |
|
.Cm inet |
(use IPv4 only), or |
(use IPv4 only), or |
.Dq inet6 |
.Cm inet6 |
(use IPv6 only). |
(use IPv6 only). |
The default is |
|
.Dq any . |
|
.It Cm AllowAgentForwarding |
.It Cm AllowAgentForwarding |
Specifies whether |
Specifies whether |
.Xr ssh-agent 1 |
.Xr ssh-agent 1 |
forwarding is permitted. |
forwarding is permitted. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
Note that disabling agent forwarding does not improve security |
Note that disabling agent forwarding does not improve security |
unless users are also denied shell access, as they can always install |
unless users are also denied shell access, as they can always install |
their own forwarders. |
their own forwarders. |
|
|
.It Cm AllowStreamLocalForwarding |
.It Cm AllowStreamLocalForwarding |
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. |
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. |
The available options are |
The available options are |
.Dq yes |
.Cm yes |
|
(the default) |
or |
or |
.Dq all |
.Cm all |
to allow StreamLocal forwarding, |
to allow StreamLocal forwarding, |
.Dq no |
.Cm no |
to prevent all StreamLocal forwarding, |
to prevent all StreamLocal forwarding, |
.Dq local |
.Cm local |
to allow local (from the perspective of |
to allow local (from the perspective of |
.Xr ssh 1 ) |
.Xr ssh 1 ) |
forwarding only or |
forwarding only or |
.Dq remote |
.Cm remote |
to allow remote forwarding only. |
to allow remote forwarding only. |
The default is |
|
.Dq yes . |
|
Note that disabling StreamLocal forwarding does not improve security unless |
Note that disabling StreamLocal forwarding does not improve security unless |
users are also denied shell access, as they can always install their |
users are also denied shell access, as they can always install their |
own forwarders. |
own forwarders. |
.It Cm AllowTcpForwarding |
.It Cm AllowTcpForwarding |
Specifies whether TCP forwarding is permitted. |
Specifies whether TCP forwarding is permitted. |
The available options are |
The available options are |
.Dq yes |
.Cm yes |
|
(the default) |
or |
or |
.Dq all |
.Cm all |
to allow TCP forwarding, |
to allow TCP forwarding, |
.Dq no |
.Cm no |
to prevent all TCP forwarding, |
to prevent all TCP forwarding, |
.Dq local |
.Cm local |
to allow local (from the perspective of |
to allow local (from the perspective of |
.Xr ssh 1 ) |
.Xr ssh 1 ) |
forwarding only or |
forwarding only or |
.Dq remote |
.Cm remote |
to allow remote forwarding only. |
to allow remote forwarding only. |
The default is |
|
.Dq yes . |
|
Note that disabling TCP forwarding does not improve security unless |
Note that disabling TCP forwarding does not improve security unless |
users are also denied shell access, as they can always install their |
users are also denied shell access, as they can always install their |
own forwarders. |
own forwarders. |
|
|
for a user to be granted access. |
for a user to be granted access. |
This option must be followed by one or more comma-separated lists of |
This option must be followed by one or more comma-separated lists of |
authentication method names, or by the single string |
authentication method names, or by the single string |
.Dq any |
.Cm any |
to indicate the default behaviour of accepting any single authentication |
to indicate the default behaviour of accepting any single authentication |
method. |
method. |
if the default is overridden, then successful authentication requires |
If the default is overridden, then successful authentication requires |
completion of every method in at least one of these lists. |
completion of every method in at least one of these lists. |
.Pp |
.Pp |
For example, an argument of |
For example, |
.Dq publickey,password publickey,keyboard-interactive |
.Qq publickey,password publickey,keyboard-interactive |
would require the user to complete public key authentication, followed by |
would require the user to complete public key authentication, followed by |
either password or keyboard interactive authentication. |
either password or keyboard interactive authentication. |
Only methods that are next in one or more lists are offered at each stage, |
Only methods that are next in one or more lists are offered at each stage, |
so for this example, it would not be possible to attempt password or |
so for this example it would not be possible to attempt password or |
keyboard-interactive authentication before public key. |
keyboard-interactive authentication before public key. |
.Pp |
.Pp |
For keyboard interactive authentication it is also possible to |
For keyboard interactive authentication it is also possible to |
restrict authentication to a specific device by appending a |
restrict authentication to a specific device by appending a |
colon followed by the device identifier |
colon followed by the device identifier |
.Dq bsdauth , |
.Cm bsdauth , |
.Dq pam , |
.Cm pam , |
or |
or |
.Dq skey , |
.Cm skey , |
depending on the server configuration. |
depending on the server configuration. |
For example, |
For example, |
.Dq keyboard-interactive:bsdauth |
.Qq keyboard-interactive:bsdauth |
would restrict keyboard interactive authentication to the |
would restrict keyboard interactive authentication to the |
.Dq bsdauth |
.Cm bsdauth |
device. |
device. |
.Pp |
.Pp |
If the |
If the publickey method is listed more than once, |
.Dq publickey |
|
method is listed more than once, |
|
.Xr sshd 8 |
.Xr sshd 8 |
verifies that keys that have been used successfully are not reused for |
verifies that keys that have been used successfully are not reused for |
subsequent authentications. |
subsequent authentications. |
For example, an |
For example, |
.Cm AuthenticationMethods |
.Qq publickey,publickey |
of |
requires successful authentication using two different public keys. |
.Dq publickey,publickey |
|
will require successful authentication using two different public keys. |
|
.Pp |
.Pp |
Note that each authentication method listed should also be explicitly enabled |
Note that each authentication method listed should also be explicitly enabled |
in the configuration. |
in the configuration. |
The default |
|
.Dq any |
|
is not to require multiple authentication; successful completion |
|
of a single authentication method is sufficient. |
|
.It Cm AuthorizedKeysCommand |
.It Cm AuthorizedKeysCommand |
Specifies a program to be used to look up the user's public keys. |
Specifies a program to be used to look up the user's public keys. |
The program must be owned by root, not writable by group or others and |
The program must be owned by root, not writable by group or others and |
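Review bot: L196 leaves publickey as plain text ("If the publickey method is listed more than once,") while the rest of this change converts literal keyword arguments to .Cm (L140, L174, L176, L180, L190); for consistency it should be ".Cm publickey" on its own line, as the old L197 had it with .Dq. Dropping the closing sentence "The default any is not to require multiple authentication; successful completion of a single authentication method is sufficient." (L223-L229) is fine, since L141-L144 already state that any means accepting any single method.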
|
|
and authorize the user then public key authentication continues using the usual |
and authorize the user then public key authentication continues using the usual |
.Cm AuthorizedKeysFile |
.Cm AuthorizedKeysFile |
files. |
files. |
By default, no AuthorizedKeysCommand is run. |
By default, no |
|
.Cm AuthorizedKeysCommand |
|
is run. |
.It Cm AuthorizedKeysCommandUser |
.It Cm AuthorizedKeysCommandUser |
Specifies the user under whose account the AuthorizedKeysCommand is run. |
Specifies the user under whose account the |
|
.Cm AuthorizedKeysCommand |
|
is run. |
It is recommended to use a dedicated user that has no other role on the host |
It is recommended to use a dedicated user that has no other role on the host |
than running authorized keys commands. |
than running authorized keys commands. |
If |
If |
|
|
directory. |
directory. |
Multiple files may be listed, separated by whitespace. |
Multiple files may be listed, separated by whitespace. |
Alternately this option may be set to |
Alternately this option may be set to |
.Dq none |
.Cm none |
to skip checking for user keys in files. |
to skip checking for user keys in files. |
The default is |
The default is |
.Dq .ssh/authorized_keys .ssh/authorized_keys2 . |
.Qq .ssh/authorized_keys .ssh/authorized_keys2 . |
.It Cm AuthorizedPrincipalsCommand |
.It Cm AuthorizedPrincipalsCommand |
Specifies a program to be used to generate the list of allowed |
Specifies a program to be used to generate the list of allowed |
certificate principals as per |
certificate principals as per |
|
|
.Cm AuthorizedPrincipalsFile |
.Cm AuthorizedPrincipalsFile |
is taken to be an absolute path or one relative to the user's home directory. |
is taken to be an absolute path or one relative to the user's home directory. |
The default is |
The default is |
.Dq none , |
.Cm none , |
i.e. not to use a principals file \(en in this case, the username |
i.e. not to use a principals file \(en in this case, the username |
of the user must appear in a certificate's principals list for it to be |
of the user must appear in a certificate's principals list for it to be |
accepted. |
accepted. |
|
|
The contents of the specified file are sent to the remote user before |
The contents of the specified file are sent to the remote user before |
authentication is allowed. |
authentication is allowed. |
If the argument is |
If the argument is |
.Dq none |
.Cm none |
then no banner is displayed. |
then no banner is displayed. |
By default, no banner is displayed. |
By default, no banner is displayed. |
.It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
|
|
.Xr login.conf 5 |
.Xr login.conf 5 |
are supported. |
are supported. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm ChrootDirectory |
.It Cm ChrootDirectory |
Specifies the pathname of a directory to |
Specifies the pathname of a directory to |
.Xr chroot 2 |
.Xr chroot 2 |
|
|
and |
and |
.Xr tty 4 |
.Xr tty 4 |
devices. |
devices. |
For file transfer sessions using |
For file transfer sessions using SFTP |
.Dq sftp , |
no additional configuration of the environment is necessary if the in-process |
no additional configuration of the environment is necessary if the |
sftp-server is used, |
in-process sftp server is used, |
|
though sessions which use logging may require |
though sessions which use logging may require |
.Pa /dev/log |
.Pa /dev/log |
inside the chroot directory on some operating systems (see |
inside the chroot directory on some operating systems (see |
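Review bot: L344 drops the comma that the old ".Dq sftp ," (L345) carried, so the new sentence runs "For file transfer sessions using SFTP no additional configuration of the environment is necessary ..." without a pause; suggest "For file transfer sessions using SFTP," at L344. Also, L348 now calls the in-process server "sftp-server", which is the name of the external program, whereas the keyword that selects the in-process server is internal-sftp (L500) and L502 calls it "in-process SFTP server"; using one term for the in-process server in both paragraphs would avoid the ambiguity.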
|
|
cannot detect. |
cannot detect. |
.Pp |
.Pp |
The default is |
The default is |
.Dq none , |
.Cm none , |
indicating not to |
indicating not to |
.Xr chroot 2 . |
.Xr chroot 2 . |
.It Cm Ciphers |
.It Cm Ciphers |
|
|
aes128-gcm@openssh.com,aes256-gcm@openssh.com |
aes128-gcm@openssh.com,aes256-gcm@openssh.com |
.Ed |
.Ed |
.Pp |
.Pp |
The list of available ciphers may also be obtained using the |
The list of available ciphers may also be obtained using |
.Fl Q |
.Qq ssh -Q cipher . |
option of |
|
.Xr ssh 1 |
|
with an argument of |
|
.Dq cipher . |
|
.It Cm ClientAliveCountMax |
.It Cm ClientAliveCountMax |
Sets the number of client alive messages (see below) which may be |
Sets the number of client alive messages which may be sent without |
sent without |
|
.Xr sshd 8 |
.Xr sshd 8 |
receiving any messages back from the client. |
receiving any messages back from the client. |
If this threshold is reached while client alive messages are being sent, |
If this threshold is reached while client alive messages are being sent, |
sshd will disconnect the client, terminating the session. |
sshd will disconnect the client, terminating the session. |
It is important to note that the use of client alive messages is very |
It is important to note that the use of client alive messages is very |
different from |
different from |
.Cm TCPKeepAlive |
.Cm TCPKeepAlive . |
(below). |
|
The client alive messages are sent through the encrypted channel |
The client alive messages are sent through the encrypted channel |
and therefore will not be spoofable. |
and therefore will not be spoofable. |
The TCP keepalive option enabled by |
The TCP keepalive option enabled by |
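Review bot: L384 replaces the ".Fl Q option of .Xr ssh 1 with an argument of .Dq cipher" construction (L383-L391) with the quoted literal ".Qq ssh -Q cipher .", which reads better but removes the cross-reference to the ssh(1) manual from this sentence; the same substitution is made for key types (L606, L686), key exchange algorithms (L890) and MACs (L932). If the link is wanted, keep an .Xr ssh 1 in the sentence, e.g. "... may also be obtained using" / ".Qq ssh -Q cipher ;" / "see" / ".Xr ssh 1 ." Otherwise the change is applied consistently across all five paragraphs.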
|
|
The default value is 3. |
The default value is 3. |
If |
If |
.Cm ClientAliveInterval |
.Cm ClientAliveInterval |
(see below) is set to 15, and |
is set to 15, and |
.Cm ClientAliveCountMax |
.Cm ClientAliveCountMax |
is left at the default, unresponsive SSH clients |
is left at the default, unresponsive SSH clients |
will be disconnected after approximately 45 seconds. |
will be disconnected after approximately 45 seconds. |
|
|
Specifies whether compression is enabled after |
Specifies whether compression is enabled after |
the user has authenticated successfully. |
the user has authenticated successfully. |
The argument must be |
The argument must be |
.Dq yes , |
.Cm yes , |
.Dq delayed |
.Cm delayed |
(a legacy synonym for |
(a legacy synonym for |
.Dq yes ) |
.Cm yes ) |
or |
or |
.Dq no . |
.Cm no . |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm DenyGroups |
.It Cm DenyGroups |
This keyword can be followed by a list of group name patterns, separated |
This keyword can be followed by a list of group name patterns, separated |
by spaces. |
by spaces. |
|
|
.It Cm FingerprintHash |
.It Cm FingerprintHash |
Specifies the hash algorithm used when logging key fingerprints. |
Specifies the hash algorithm used when logging key fingerprints. |
Valid options are: |
Valid options are: |
.Dq md5 |
.Cm md5 |
and |
and |
.Dq sha256 . |
.Cm sha256 . |
The default is |
The default is |
.Dq sha256 . |
.Cm sha256 . |
.It Cm ForceCommand |
.It Cm ForceCommand |
Forces the execution of the command specified by |
Forces the execution of the command specified by |
.Cm ForceCommand , |
.Cm ForceCommand , |
|
|
.Ev SSH_ORIGINAL_COMMAND |
.Ev SSH_ORIGINAL_COMMAND |
environment variable. |
environment variable. |
Specifying a command of |
Specifying a command of |
.Dq internal-sftp |
.Cm internal-sftp |
will force the use of an in-process sftp server that requires no support |
will force the use of an in-process SFTP server that requires no support |
files when used with |
files when used with |
.Cm ChrootDirectory . |
.Cm ChrootDirectory . |
The default is |
The default is |
.Dq none . |
.Cm none . |
.It Cm GatewayPorts |
.It Cm GatewayPorts |
Specifies whether remote hosts are allowed to connect to ports |
Specifies whether remote hosts are allowed to connect to ports |
forwarded for the client. |
forwarded for the client. |
|
|
should allow remote port forwardings to bind to non-loopback addresses, thus |
should allow remote port forwardings to bind to non-loopback addresses, thus |
allowing other hosts to connect. |
allowing other hosts to connect. |
The argument may be |
The argument may be |
.Dq no |
.Cm no |
to force remote port forwardings to be available to the local host only, |
to force remote port forwardings to be available to the local host only, |
.Dq yes |
.Cm yes |
to force remote port forwardings to bind to the wildcard address, or |
to force remote port forwardings to bind to the wildcard address, or |
.Dq clientspecified |
.Cm clientspecified |
to allow the client to select the address to which the forwarding is bound. |
to allow the client to select the address to which the forwarding is bound. |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm GSSAPIAuthentication |
.It Cm GSSAPIAuthentication |
Specifies whether user authentication based on GSSAPI is allowed. |
Specifies whether user authentication based on GSSAPI is allowed. |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm GSSAPICleanupCredentials |
.It Cm GSSAPICleanupCredentials |
Specifies whether to automatically destroy the user's credentials cache |
Specifies whether to automatically destroy the user's credentials cache |
on logout. |
on logout. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm GSSAPIStrictAcceptorCheck |
.It Cm GSSAPIStrictAcceptorCheck |
Determines whether to be strict about the identity of the GSSAPI acceptor |
Determines whether to be strict about the identity of the GSSAPI acceptor |
a client authenticates against. |
a client authenticates against. |
If set to |
If set to |
.Dq yes |
.Cm yes |
then the client must authenticate against the |
then the client must authenticate against the host |
.Pa host |
|
service on the current hostname. |
service on the current hostname. |
If set to |
If set to |
.Dq no |
.Cm no |
then the client may authenticate against any service key stored in the |
then the client may authenticate against any service key stored in the |
machine's default store. |
machine's default store. |
This facility is provided to assist with operation on multi homed machines. |
This facility is provided to assist with operation on multi homed machines. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm HostbasedAcceptedKeyTypes |
.It Cm HostbasedAcceptedKeyTypes |
Specifies the key types that will be accepted for hostbased authentication |
Specifies the key types that will be accepted for hostbased authentication |
as a comma-separated pattern list. |
as a comma-separated pattern list. |
|
|
ssh-ed25519,ssh-rsa |
ssh-ed25519,ssh-rsa |
.Ed |
.Ed |
.Pp |
.Pp |
The |
The list of available key types may also be obtained using |
.Fl Q |
.Qq ssh -Q key . |
option of |
|
.Xr ssh 1 |
|
may be used to list supported key types. |
|
.It Cm HostbasedAuthentication |
.It Cm HostbasedAuthentication |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
with successful public key client host authentication is allowed |
with successful public key client host authentication is allowed |
(host-based authentication). |
(host-based authentication). |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm HostbasedUsesNameFromPacketOnly |
.It Cm HostbasedUsesNameFromPacketOnly |
Specifies whether or not the server will attempt to perform a reverse |
Specifies whether or not the server will attempt to perform a reverse |
name lookup when matching the name in the |
name lookup when matching the name in the |
|
|
files during |
files during |
.Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
A setting of |
A setting of |
.Dq yes |
.Cm yes |
means that |
means that |
.Xr sshd 8 |
.Xr sshd 8 |
uses the name supplied by the client rather than |
uses the name supplied by the client rather than |
attempting to resolve the name from the TCP connection itself. |
attempting to resolve the name from the TCP connection itself. |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm HostCertificate |
.It Cm HostCertificate |
Specifies a file containing a public host certificate. |
Specifies a file containing a public host certificate. |
The certificate's public key must match a private host key already specified |
The certificate's public key must match a private host key already specified |
|
|
Identifies the UNIX-domain socket used to communicate |
Identifies the UNIX-domain socket used to communicate |
with an agent that has access to the private host keys. |
with an agent that has access to the private host keys. |
If the string |
If the string |
.Dq SSH_AUTH_SOCK |
.Qq SSH_AUTH_SOCK |
is specified, the location of the socket will be read from the |
is specified, the location of the socket will be read from the |
.Ev SSH_AUTH_SOCK |
.Ev SSH_AUTH_SOCK |
environment variable. |
environment variable. |
|
|
ssh-ed25519,ssh-rsa |
ssh-ed25519,ssh-rsa |
.Ed |
.Ed |
.Pp |
.Pp |
The list of available key types may also be obtained using the |
The list of available key types may also be obtained using |
.Fl Q |
.Qq ssh -Q key . |
option of |
|
.Xr ssh 1 |
|
with an argument of |
|
.Dq key . |
|
.It Cm IgnoreRhosts |
.It Cm IgnoreRhosts |
Specifies that |
Specifies that |
.Pa .rhosts |
.Pa .rhosts |
|
|
.Pa /etc/shosts.equiv |
.Pa /etc/shosts.equiv |
are still used. |
are still used. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm IgnoreUserKnownHosts |
.It Cm IgnoreUserKnownHosts |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Xr sshd 8 |
|
|
during |
during |
.Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm IPQoS |
.It Cm IPQoS |
Specifies the IPv4 type-of-service or DSCP class for the connection. |
Specifies the IPv4 type-of-service or DSCP class for the connection. |
Accepted values are |
Accepted values are |
.Dq af11 , |
.Cm af11 , |
.Dq af12 , |
.Cm af12 , |
.Dq af13 , |
.Cm af13 , |
.Dq af21 , |
.Cm af21 , |
.Dq af22 , |
.Cm af22 , |
.Dq af23 , |
.Cm af23 , |
.Dq af31 , |
.Cm af31 , |
.Dq af32 , |
.Cm af32 , |
.Dq af33 , |
.Cm af33 , |
.Dq af41 , |
.Cm af41 , |
.Dq af42 , |
.Cm af42 , |
.Dq af43 , |
.Cm af43 , |
.Dq cs0 , |
.Cm cs0 , |
.Dq cs1 , |
.Cm cs1 , |
.Dq cs2 , |
.Cm cs2 , |
.Dq cs3 , |
.Cm cs3 , |
.Dq cs4 , |
.Cm cs4 , |
.Dq cs5 , |
.Cm cs5 , |
.Dq cs6 , |
.Cm cs6 , |
.Dq cs7 , |
.Cm cs7 , |
.Dq ef , |
.Cm ef , |
.Dq lowdelay , |
.Cm lowdelay , |
.Dq throughput , |
.Cm throughput , |
.Dq reliability , |
.Cm reliability , |
or a numeric value. |
or a numeric value. |
This option may take one or two arguments, separated by whitespace. |
This option may take one or two arguments, separated by whitespace. |
If one argument is specified, it is used as the packet class unconditionally. |
If one argument is specified, it is used as the packet class unconditionally. |
If two values are specified, the first is automatically selected for |
If two values are specified, the first is automatically selected for |
interactive sessions and the second for non-interactive sessions. |
interactive sessions and the second for non-interactive sessions. |
The default is |
The default is |
.Dq lowdelay |
.Cm lowdelay |
for interactive sessions and |
for interactive sessions and |
.Dq throughput |
.Cm throughput |
for non-interactive sessions. |
for non-interactive sessions. |
.It Cm KbdInteractiveAuthentication |
.It Cm KbdInteractiveAuthentication |
Specifies whether to allow keyboard-interactive authentication. |
Specifies whether to allow keyboard-interactive authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no . |
The default is to use whatever value |
The default is to use whatever value |
.Cm ChallengeResponseAuthentication |
.Cm ChallengeResponseAuthentication |
is set to |
is set to |
(by default |
(by default |
.Dq yes ) . |
.Cm yes ) . |
.It Cm KerberosAuthentication |
.It Cm KerberosAuthentication |
Specifies whether the password provided by the user for |
Specifies whether the password provided by the user for |
.Cm PasswordAuthentication |
.Cm PasswordAuthentication |
|
|
To use this option, the server needs a |
To use this option, the server needs a |
Kerberos servtab which allows the verification of the KDC's identity. |
Kerberos servtab which allows the verification of the KDC's identity. |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm KerberosGetAFSToken |
.It Cm KerberosGetAFSToken |
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
an AFS token before accessing the user's home directory. |
an AFS token before accessing the user's home directory. |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm KerberosOrLocalPasswd |
.It Cm KerberosOrLocalPasswd |
If password authentication through Kerberos fails then |
If password authentication through Kerberos fails then |
the password will be validated via any additional local mechanism |
the password will be validated via any additional local mechanism |
such as |
such as |
.Pa /etc/passwd . |
.Pa /etc/passwd . |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm KerberosTicketCleanup |
.It Cm KerberosTicketCleanup |
Specifies whether to automatically destroy the user's ticket cache |
Specifies whether to automatically destroy the user's ticket cache |
file on logout. |
file on logout. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm KexAlgorithms |
.It Cm KexAlgorithms |
Specifies the available KEX (Key Exchange) algorithms. |
Specifies the available KEX (Key Exchange) algorithms. |
Multiple algorithms must be comma-separated. |
Multiple algorithms must be comma-separated. |
|
|
diffie-hellman-group14-sha1 |
diffie-hellman-group14-sha1 |
.Ed |
.Ed |
.Pp |
.Pp |
The list of available key exchange algorithms may also be obtained using the |
The list of available key exchange algorithms may also be obtained using |
.Fl Q |
.Qq ssh -Q kex . |
option of |
|
.Xr ssh 1 |
|
with an argument of |
|
.Dq kex . |
|
.It Cm ListenAddress |
.It Cm ListenAddress |
Specifies the local addresses |
Specifies the local addresses |
.Xr sshd 8 |
.Xr sshd 8 |
|
|
instead of replacing them. |
instead of replacing them. |
.Pp |
.Pp |
The algorithms that contain |
The algorithms that contain |
.Dq -etm |
.Qq -etm |
calculate the MAC after encryption (encrypt-then-mac). |
calculate the MAC after encryption (encrypt-then-mac). |
These are considered safer and their use recommended. |
These are considered safer and their use recommended. |
The supported MACs are: |
The supported MACs are: |
|
|
hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
.Ed |
.Ed |
.Pp |
.Pp |
The list of available MAC algorithms may also be obtained using the |
The list of available MAC algorithms may also be obtained using |
.Fl Q |
.Qq ssh -Q mac . |
option of |
|
.Xr ssh 1 |
|
with an argument of |
|
.Dq mac . |
|
.It Cm Match |
.It Cm Match |
Introduces a conditional block. |
Introduces a conditional block. |
If all of the criteria on the |
If all of the criteria on the |
|
|
.Cm Address . |
.Cm Address . |
The match patterns may consist of single entries or comma-separated |
The match patterns may consist of single entries or comma-separated |
lists and may use the wildcard and negation operators described in the |
lists and may use the wildcard and negation operators described in the |
PATTERNS section of |
.Sx PATTERNS |
|
section of |
.Xr ssh_config 5 . |
.Xr ssh_config 5 . |
.Pp |
.Pp |
The patterns in an |
The patterns in an |
.Cm Address |
.Cm Address |
criteria may additionally contain addresses to match in CIDR |
criteria may additionally contain addresses to match in CIDR |
address/masklen format, e.g.\& |
address/masklen format, |
.Dq 192.0.2.0/24 |
such as 192.0.2.0/24 or 2001:db8::/32. |
or |
|
.Dq 2001:db8::/32 . |
|
Note that the mask length provided must be consistent with the address - |
Note that the mask length provided must be consistent with the address - |
it is an error to specify a mask length that is too long for the address |
it is an error to specify a mask length that is too long for the address |
or one with bits set in this host portion of the address. |
or one with bits set in this host portion of the address. |
For example, |
For example, 192.0.2.0/33 and 192.0.2.0/8, respectively. |
.Dq 192.0.2.0/33 |
|
and |
|
.Dq 192.0.2.0/8 |
|
respectively. |
|
.Pp |
.Pp |
Only a subset of keywords may be used on the lines following a |
Only a subset of keywords may be used on the lines following a |
.Cm Match |
.Cm Match |
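Review bot: L956 introduces ".Sx PATTERNS", but .Sx marks a cross-reference to a section of the current manual, and PATTERNS is a section of ssh_config(5) (L960), not of sshd_config(5); the old plain-text "PATTERNS section of" (L955) was semantically accurate, so consider keeping plain text here rather than .Sx. Inlining the CIDR examples as plain text at L972 ("such as 192.0.2.0/24 or 2001:db8::/32.") and L984 ("192.0.2.0/33 and 192.0.2.0/8, respectively.") reads fine.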
|
|
.Pp |
.Pp |
Alternatively, random early drop can be enabled by specifying |
Alternatively, random early drop can be enabled by specifying |
the three colon separated values |
the three colon separated values |
.Dq start:rate:full |
start:rate:full (e.g. "10:30:60"). |
(e.g. "10:30:60"). |
|
.Xr sshd 8 |
.Xr sshd 8 |
will refuse connection attempts with a probability of |
will refuse connection attempts with a probability of rate/100 (30%) |
.Dq rate/100 |
if there are currently start (10) unauthenticated connections. |
(30%) |
|
if there are currently |
|
.Dq start |
|
(10) |
|
unauthenticated connections. |
|
The probability increases linearly and all connection attempts |
The probability increases linearly and all connection attempts |
are refused if the number of unauthenticated connections reaches |
are refused if the number of unauthenticated connections reaches full (60). |
.Dq full |
|
(60). |
|
.It Cm PasswordAuthentication |
.It Cm PasswordAuthentication |
Specifies whether password authentication is allowed. |
Specifies whether password authentication is allowed. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm PermitEmptyPasswords |
.It Cm PermitEmptyPasswords |
When password authentication is allowed, it specifies whether the |
When password authentication is allowed, it specifies whether the |
server allows login to accounts with empty password strings. |
server allows login to accounts with empty password strings. |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm PermitOpen |
.It Cm PermitOpen |
Specifies the destinations to which TCP port forwarding is permitted. |
Specifies the destinations to which TCP port forwarding is permitted. |
The forwarding specification must be one of the following forms: |
The forwarding specification must be one of the following forms: |
|
|
.Pp |
.Pp |
Multiple forwards may be specified by separating them with whitespace. |
Multiple forwards may be specified by separating them with whitespace. |
An argument of |
An argument of |
.Dq any |
.Cm any |
can be used to remove all restrictions and permit any forwarding requests. |
can be used to remove all restrictions and permit any forwarding requests. |
An argument of |
An argument of |
.Dq none |
.Cm none |
can be used to prohibit all forwarding requests. |
can be used to prohibit all forwarding requests. |
The wildcard |
The wildcard |
.Dq * |
.Sq * |
can be used for host or port to allow all hosts or ports, respectively. |
can be used for host or port to allow all hosts or ports, respectively. |
By default all port forwarding requests are permitted. |
By default all port forwarding requests are permitted. |
.It Cm PermitRootLogin |
.It Cm PermitRootLogin |
Specifies whether root can log in using |
Specifies whether root can log in using |
.Xr ssh 1 . |
.Xr ssh 1 . |
The argument must be |
The argument must be |
.Dq yes , |
.Cm yes , |
.Dq prohibit-password , |
.Cm prohibit-password , |
.Dq without-password , |
.Cm without-password , |
.Dq forced-commands-only , |
.Cm forced-commands-only , |
or |
or |
.Dq no . |
.Cm no . |
The default is |
The default is |
.Dq prohibit-password . |
.Cm prohibit-password . |
.Pp |
.Pp |
If this option is set to |
If this option is set to |
.Dq prohibit-password |
.Cm prohibit-password |
or |
or |
.Dq without-password , |
.Cm without-password , |
password and keyboard-interactive authentication are disabled for root. |
password and keyboard-interactive authentication are disabled for root. |
.Pp |
.Pp |
If this option is set to |
If this option is set to |
.Dq forced-commands-only , |
.Cm forced-commands-only , |
root login with public key authentication will be allowed, |
root login with public key authentication will be allowed, |
but only if the |
but only if the |
.Ar command |
.Ar command |
|
|
All other authentication methods are disabled for root. |
All other authentication methods are disabled for root. |
.Pp |
.Pp |
If this option is set to |
If this option is set to |
.Dq no , |
.Cm no , |
root is not allowed to log in. |
root is not allowed to log in. |
.It Cm PermitTTY |
.It Cm PermitTTY |
Specifies whether |
Specifies whether |
.Xr pty 4 |
.Xr pty 4 |
allocation is permitted. |
allocation is permitted. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm PermitTunnel |
.It Cm PermitTunnel |
Specifies whether |
Specifies whether |
.Xr tun 4 |
.Xr tun 4 |
device forwarding is allowed. |
device forwarding is allowed. |
The argument must be |
The argument must be |
.Dq yes , |
.Cm yes , |
.Dq point-to-point |
.Cm point-to-point |
(layer 3), |
(layer 3), |
.Dq ethernet |
.Cm ethernet |
(layer 2), or |
(layer 2), or |
.Dq no . |
.Cm no . |
Specifying |
Specifying |
.Dq yes |
.Cm yes |
permits both |
permits both |
.Dq point-to-point |
.Cm point-to-point |
and |
and |
.Dq ethernet . |
.Cm ethernet . |
The default is |
The default is |
.Dq no . |
.Cm no . |
.Pp |
.Pp |
Independent of this setting, the permissions of the selected |
Independent of this setting, the permissions of the selected |
.Xr tun 4 |
.Xr tun 4 |
|
|
are processed by |
are processed by |
.Xr sshd 8 . |
.Xr sshd 8 . |
The default is |
The default is |
.Dq no . |
.Cm no . |
Enabling environment processing may enable users to bypass access |
Enabling environment processing may enable users to bypass access |
restrictions in some configurations using mechanisms such as |
restrictions in some configurations using mechanisms such as |
.Ev LD_PRELOAD . |
.Ev LD_PRELOAD . |
|
|
.Pa ~/.ssh/rc |
.Pa ~/.ssh/rc |
file is executed. |
file is executed. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm PidFile |
.It Cm PidFile |
Specifies the file that contains the process ID of the |
Specifies the file that contains the process ID of the |
SSH daemon, or |
SSH daemon, or |
.Dq none |
.Cm none |
to not write one. |
to not write one. |
The default is |
The default is |
.Pa /var/run/sshd.pid . |
.Pa /var/run/sshd.pid . |
|
|
should print the date and time of the last user login when a user logs |
should print the date and time of the last user login when a user logs |
in interactively. |
in interactively. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm PrintMotd |
.It Cm PrintMotd |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Xr sshd 8 |
|
|
.Pa /etc/profile , |
.Pa /etc/profile , |
or equivalent.) |
or equivalent.) |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm PubkeyAcceptedKeyTypes |
.It Cm PubkeyAcceptedKeyTypes |
Specifies the key types that will be accepted for public key authentication |
Specifies the key types that will be accepted for public key authentication |
as a comma-separated pattern list. |
as a comma-separated pattern list. |
|
|
ssh-ed25519,ssh-rsa |
ssh-ed25519,ssh-rsa |
.Ed |
.Ed |
.Pp |
.Pp |
The |
The list of available key types may also be obtained using |
.Fl Q |
.Qq ssh -Q key . |
option of |
|
.Xr ssh 1 |
|
may be used to list supported key types. |
|
.It Cm PubkeyAuthentication |
.It Cm PubkeyAuthentication |
Specifies whether public key authentication is allowed. |
Specifies whether public key authentication is allowed. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm RekeyLimit |
.It Cm RekeyLimit |
Specifies the maximum amount of data that may be transmitted before the |
Specifies the maximum amount of data that may be transmitted before the |
session key is renegotiated, optionally followed a maximum amount of |
session key is renegotiated, optionally followed a maximum amount of |
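Review bot: the rewritten sentence in the PubkeyAcceptedKeyTypes paragraph drops the only cross-reference to ssh(1) when it replaces `.Fl Q` / `.Xr ssh 1` with the literal `.Qq ssh -Q key`; since that is where the -Q option is documented, consider keeping a reference, for example `.Qq ssh -Q key` followed by `(see .Xr ssh 1 )`, so the rendered page still links to it.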
|
|
The default value for |
The default value for |
.Cm RekeyLimit |
.Cm RekeyLimit |
is |
is |
.Dq default none , |
.Cm default none , |
which means that rekeying is performed after the cipher's default amount |
which means that rekeying is performed after the cipher's default amount |
of data has been sent or received and no time based rekeying is done. |
of data has been sent or received and no time based rekeying is done. |
.It Cm RevokedKeys |
.It Cm RevokedKeys |
Specifies revoked public keys file, or |
Specifies revoked public keys file, or |
.Dq none |
.Cm none |
to not use one. |
to not use one. |
Keys listed in this file will be refused for public key authentication. |
Keys listed in this file will be refused for public key authentication. |
Note that if this file is not readable, then public key authentication will |
Note that if this file is not readable, then public key authentication will |
|
|
This option is only used for port forwarding to a Unix-domain socket file. |
This option is only used for port forwarding to a Unix-domain socket file. |
.Pp |
.Pp |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no . |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm StrictModes |
.It Cm StrictModes |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Xr sshd 8 |
|
|
This is normally desirable because novices sometimes accidentally leave their |
This is normally desirable because novices sometimes accidentally leave their |
directory or files world-writable. |
directory or files world-writable. |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
Note that this does not apply to |
Note that this does not apply to |
.Cm ChrootDirectory , |
.Cm ChrootDirectory , |
whose permissions and ownership are checked unconditionally. |
whose permissions and ownership are checked unconditionally. |
|
|
to execute upon subsystem request. |
to execute upon subsystem request. |
.Pp |
.Pp |
The command |
The command |
.Xr sftp-server 8 |
.Cm sftp-server |
implements the |
implements the SFTP file transfer subsystem. |
.Dq sftp |
|
file transfer subsystem. |
|
.Pp |
.Pp |
Alternately the name |
Alternately the name |
.Dq internal-sftp |
.Cm internal-sftp |
implements an in-process |
implements an in-process SFTP server. |
.Dq sftp |
|
server. |
|
This may simplify configurations using |
This may simplify configurations using |
.Cm ChrootDirectory |
.Cm ChrootDirectory |
to force a different filesystem root on clients. |
to force a different filesystem root on clients. |
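Review bot: replacing `.Xr sftp-server 8` with `.Cm sftp-server` in the Subsystem paragraph removes the inline link to the sftp-server(8) page; marking it `.Cm` is consistent with the `.Dq` to `.Cm` conversion of keyword values elsewhere in this diff, but it only works because the SEE ALSO hunk later in the same diff adds `.Xr sftp-server 8 ,`, so the two changes should land together. The folding of `.Dq sftp` and `.Dq internal-sftp` into plain "SFTP file transfer subsystem" / `.Cm internal-sftp` reads well.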
|
|
find it annoying. |
find it annoying. |
On the other hand, if TCP keepalives are not sent, |
On the other hand, if TCP keepalives are not sent, |
sessions may hang indefinitely on the server, leaving |
sessions may hang indefinitely on the server, leaving |
.Dq ghost |
.Qq ghost |
users and consuming server resources. |
users and consuming server resources. |
.Pp |
.Pp |
The default is |
The default is |
.Dq yes |
.Cm yes |
(to send TCP keepalive messages), and the server will notice |
(to send TCP keepalive messages), and the server will notice |
if the network goes down or the client host crashes. |
if the network goes down or the client host crashes. |
This avoids infinitely hanging sessions. |
This avoids infinitely hanging sessions. |
.Pp |
.Pp |
To disable TCP keepalive messages, the value should be set to |
To disable TCP keepalive messages, the value should be set to |
.Dq no . |
.Cm no . |
.It Cm TrustedUserCAKeys |
.It Cm TrustedUserCAKeys |
Specifies a file containing public keys of certificate authorities that are |
Specifies a file containing public keys of certificate authorities that are |
trusted to sign user certificates for authentication, or |
trusted to sign user certificates for authentication, or |
.Dq none |
.Cm none |
to not use one. |
to not use one. |
Keys are listed one per line; empty lines and comments starting with |
Keys are listed one per line; empty lines and comments starting with |
.Ql # |
.Ql # |
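Review bot: `.Dq ghost` is correctly changed to `.Qq ghost` rather than `.Cm ghost` in the TCPKeepAlive paragraph, since "ghost" is ordinary quoted prose and not a configuration keyword; the `.Cm yes` / `.Cm no` / `.Cm none` conversions in the same hunk follow the keyword rule consistently.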
|
|
very same IP address. |
very same IP address. |
.Pp |
.Pp |
If this option is set to |
If this option is set to |
.Dq no |
.Cm no |
(the default) then only addresses and not host names may be used in |
(the default) then only addresses and not host names may be used in |
.Pa ~/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
.Cm from |
.Cm from |
|
|
The goal of privilege separation is to prevent privilege |
The goal of privilege separation is to prevent privilege |
escalation by containing any corruption within the unprivileged processes. |
escalation by containing any corruption within the unprivileged processes. |
The argument must be |
The argument must be |
.Dq yes , |
.Cm yes , |
.Dq no , |
.Cm no , |
or |
or |
.Dq sandbox . |
.Cm sandbox . |
If |
If |
.Cm UsePrivilegeSeparation |
.Cm UsePrivilegeSeparation |
is set to |
is set to |
.Dq sandbox |
.Cm sandbox |
then the pre-authentication unprivileged process is subject to additional |
then the pre-authentication unprivileged process is subject to additional |
restrictions. |
restrictions. |
The default is |
The default is |
.Dq sandbox . |
.Cm sandbox . |
.It Cm VersionAddendum |
.It Cm VersionAddendum |
Optionally specifies additional text to append to the SSH protocol banner |
Optionally specifies additional text to append to the SSH protocol banner |
sent by the server upon connection. |
sent by the server upon connection. |
The default is |
The default is |
.Dq none . |
.Cm none . |
.It Cm X11DisplayOffset |
.It Cm X11DisplayOffset |
Specifies the first display number available for |
Specifies the first display number available for |
.Xr sshd 8 Ns 's |
.Xr sshd 8 Ns 's |
|
|
.It Cm X11Forwarding |
.It Cm X11Forwarding |
Specifies whether X11 forwarding is permitted. |
Specifies whether X11 forwarding is permitted. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no . |
The default is |
The default is |
.Dq no . |
.Cm no . |
.Pp |
.Pp |
When X11 forwarding is enabled, there may be additional exposure to |
When X11 forwarding is enabled, there may be additional exposure to |
the server and to client displays if the |
the server and to client displays if the |
.Xr sshd 8 |
.Xr sshd 8 |
proxy display is configured to listen on the wildcard address (see |
proxy display is configured to listen on the wildcard address (see |
.Cm X11UseLocalhost |
.Cm X11UseLocalhost ) , |
below), though this is not the default. |
though this is not the default. |
Additionally, the authentication spoofing and authentication data |
Additionally, the authentication spoofing and authentication data |
verification and substitution occur on the client side. |
verification and substitution occur on the client side. |
The security risk of using X11 forwarding is that the client's X11 |
The security risk of using X11 forwarding is that the client's X11 |
|
|
A system administrator may have a stance in which they want to |
A system administrator may have a stance in which they want to |
protect clients that may expose themselves to attack by unwittingly |
protect clients that may expose themselves to attack by unwittingly |
requesting X11 forwarding, which can warrant a |
requesting X11 forwarding, which can warrant a |
.Dq no |
.Cm no |
setting. |
setting. |
.Pp |
.Pp |
Note that disabling X11 forwarding does not prevent users from |
Note that disabling X11 forwarding does not prevent users from |
|
|
hostname part of the |
hostname part of the |
.Ev DISPLAY |
.Ev DISPLAY |
environment variable to |
environment variable to |
.Dq localhost . |
.Cm localhost . |
This prevents remote hosts from connecting to the proxy display. |
This prevents remote hosts from connecting to the proxy display. |
However, some older X11 clients may not function with this |
However, some older X11 clients may not function with this |
configuration. |
configuration. |
.Cm X11UseLocalhost |
.Cm X11UseLocalhost |
may be set to |
may be set to |
.Dq no |
.Cm no |
to specify that the forwarding server should be bound to the wildcard |
to specify that the forwarding server should be bound to the wildcard |
address. |
address. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no . |
The default is |
The default is |
.Dq yes . |
.Cm yes . |
.It Cm XAuthLocation |
.It Cm XAuthLocation |
Specifies the full pathname of the |
Specifies the full pathname of the |
.Xr xauth 1 |
.Xr xauth 1 |
program, or |
program, or |
.Dq none |
.Cm none |
to not use one. |
to not use one. |
The default is |
The default is |
.Pa /usr/X11R6/bin/xauth . |
.Pa /usr/X11R6/bin/xauth . |
|
|
(though not necessary) that it be world-readable. |
(though not necessary) that it be world-readable. |
.El |
.El |
.Sh SEE ALSO |
.Sh SEE ALSO |
|
.Xr sftp-server 8 , |
.Xr sshd 8 |
.Xr sshd 8 |
.Sh AUTHORS |
.Sh AUTHORS |
|
.An -nosplit |
OpenSSH is a derivative of the original and free |
OpenSSH is a derivative of the original and free |
ssh 1.2.12 release by Tatu Ylonen. |
ssh 1.2.12 release by |
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
.An Tatu Ylonen . |
Theo de Raadt and Dug Song |
.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos , |
|
.An Theo de Raadt |
|
and |
|
.An Dug Song |
removed many bugs, re-added newer features and |
removed many bugs, re-added newer features and |
created OpenSSH. |
created OpenSSH. |
Markus Friedl contributed the support for SSH |
.An Markus Friedl |
protocol versions 1.5 and 2.0. |
contributed the support for SSH protocol versions 1.5 and 2.0. |
Niels Provos and Markus Friedl contributed support |
.An Niels Provos |
for privilege separation. |
and |
|
.An Markus Friedl |
|
contributed support for privilege separation. |
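Review bot: in the AUTHORS hunk `.An -nosplit` is needed so the following `.An` lines do not each start a new line, but `.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,` packs four names into one macro call and depends on the commas being parsed as punctuation; one `.An` per author is the documented usage and would also make each name individually markable. The rest of the hunk (Tatu Ylonen, Theo de Raadt, Dug Song, and the privilege separation credit to Niels Provos and Markus Friedl) preserves the original attribution wording.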