| version 1.25, 2003/09/01 09:50:04 |
version 1.25.2.2, 2004/08/19 22:37:33 |
|
|
| keywords and their meanings are as follows (note that |
keywords and their meanings are as follows (note that |
| keywords are case-insensitive and arguments are case-sensitive): |
keywords are case-insensitive and arguments are case-sensitive): |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| |
.It Cm AcceptEnv |
| |
Specifies what environment variables sent by the client will be copied into |
| |
the session's |
| |
.Xr environ 7 . |
| |
See |
| |
.Cm SendEnv |
| |
in |
| |
.Xr ssh_config 5 |
| |
for how to configure the client. |
| |
Note that environment passing is only supported for protocol 2. |
| |
Variables are specified by name, which may contain the wildcard characters |
| |
.Ql \&* |
| |
and |
| |
.Ql \&? . |
| |
Multiple environment variables may be separated by whitespace or spread |
| |
across multiple |
| |
.Cm AcceptEnv |
| |
directives. |
| |
Be warned that some environment variables could be used to bypass restricted |
| |
user environments. |
| |
For this reason, care should be taken in the use of this directive. |
| |
The default is not to accept any environment variables. |
| .It Cm AllowGroups |
.It Cm AllowGroups |
| This keyword can be followed by a list of group name patterns, separated |
This keyword can be followed by a list of group name patterns, separated |
| by spaces. |
by spaces. |
|
|
| wildcards in the patterns. |
wildcards in the patterns. |
| Only group names are valid; a numerical group ID is not recognized. |
Only group names are valid; a numerical group ID is not recognized. |
| By default, login is allowed for all groups. |
By default, login is allowed for all groups. |
| .Pp |
|
| .It Cm AllowTcpForwarding |
.It Cm AllowTcpForwarding |
| Specifies whether TCP forwarding is permitted. |
Specifies whether TCP forwarding is permitted. |
| The default is |
The default is |
|
|
| Note that disabling TCP forwarding does not improve security unless |
Note that disabling TCP forwarding does not improve security unless |
| users are also denied shell access, as they can always install their |
users are also denied shell access, as they can always install their |
| own forwarders. |
own forwarders. |
| .Pp |
|
| .It Cm AllowUsers |
.It Cm AllowUsers |
| This keyword can be followed by a list of user name patterns, separated |
This keyword can be followed by a list of user name patterns, separated |
| by spaces. |
by spaces. |
|
|
| If the pattern takes the form USER@HOST then USER and HOST |
If the pattern takes the form USER@HOST then USER and HOST |
| are separately checked, restricting logins to particular |
are separately checked, restricting logins to particular |
| users from particular hosts. |
users from particular hosts. |
| .Pp |
|
| .It Cm AuthorizedKeysFile |
.It Cm AuthorizedKeysFile |
| Specifies the file that contains the public keys that can be used |
Specifies the file that contains the public keys that can be used |
| for user authentication. |
for user authentication. |
|
|
| authentication is allowed. |
authentication is allowed. |
| This option is only available for protocol version 2. |
This option is only available for protocol version 2. |
| By default, no banner is displayed. |
By default, no banner is displayed. |
| .Pp |
|
| .It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
| Specifies whether challenge response authentication is allowed. |
Specifies whether challenge response authentication is allowed. |
| All authentication styles from |
All authentication styles from |
|
|
| .It Cm Ciphers |
.It Cm Ciphers |
| Specifies the ciphers allowed for protocol version 2. |
Specifies the ciphers allowed for protocol version 2. |
| Multiple ciphers must be comma-separated. |
Multiple ciphers must be comma-separated. |
| |
The supported ciphers are |
| |
.Dq 3des-cbc , |
| |
.Dq aes128-cbc , |
| |
.Dq aes192-cbc , |
| |
.Dq aes256-cbc , |
| |
.Dq aes128-ctr , |
| |
.Dq aes192-ctr , |
| |
.Dq aes256-ctr , |
| |
.Dq arcfour , |
| |
.Dq blowfish-cbc , |
| |
and |
| |
.Dq cast128-cbc . |
| The default is |
The default is |
| .Pp |
|
| .Bd -literal |
.Bd -literal |
| ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
| aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' |
aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' |
|
|
| will disconnect the client, terminating the session. |
will disconnect the client, terminating the session. |
| It is important to note that the use of client alive messages is very |
It is important to note that the use of client alive messages is very |
| different from |
different from |
| .Cm KeepAlive |
.Cm TCPKeepAlive |
| (below). |
(below). |
| The client alive messages are sent through the encrypted channel |
The client alive messages are sent through the encrypted channel |
| and therefore will not be spoofable. |
and therefore will not be spoofable. |
| The TCP keepalive option enabled by |
The TCP keepalive option enabled by |
| .Cm KeepAlive |
.Cm TCPKeepAlive |
| is spoofable. |
is spoofable. |
| The client alive mechanism is valuable when the client or |
The client alive mechanism is valuable when the client or |
| server depend on knowing when a connection has become inactive. |
server depend on knowing when a connection has become inactive. |
|
|
| wildcards in the patterns. |
wildcards in the patterns. |
| Only group names are valid; a numerical group ID is not recognized. |
Only group names are valid; a numerical group ID is not recognized. |
| By default, login is allowed for all groups. |
By default, login is allowed for all groups. |
| .Pp |
|
| .It Cm DenyUsers |
.It Cm DenyUsers |
| This keyword can be followed by a list of user name patterns, separated |
This keyword can be followed by a list of user name patterns, separated |
| by spaces. |
by spaces. |
|
|
| .Dq no . |
.Dq no . |
| .It Cm GSSAPIAuthentication |
.It Cm GSSAPIAuthentication |
| Specifies whether user authentication based on GSSAPI is allowed. |
Specifies whether user authentication based on GSSAPI is allowed. |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| Note that this option applies to protocol version 2 only. |
Note that this option applies to protocol version 2 only. |
| .It Cm GSSAPICleanupCredentials |
.It Cm GSSAPICleanupCredentials |
|
|
| .Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| .It Cm KeepAlive |
|
| Specifies whether the system should send TCP keepalive messages to the |
|
| other side. |
|
| If they are sent, death of the connection or crash of one |
|
| of the machines will be properly noticed. |
|
| However, this means that |
|
| connections will die if the route is down temporarily, and some people |
|
| find it annoying. |
|
| On the other hand, if keepalives are not sent, |
|
| sessions may hang indefinitely on the server, leaving |
|
| .Dq ghost |
|
| users and consuming server resources. |
|
| .Pp |
|
| The default is |
|
| .Dq yes |
|
| (to send keepalives), and the server will notice |
|
| if the network goes down or the client host crashes. |
|
| This avoids infinitely hanging sessions. |
|
| .Pp |
|
| To disable keepalives, the value should be set to |
|
| .Dq no . |
|
| .It Cm KerberosAuthentication |
.It Cm KerberosAuthentication |
| Specifies whether the password provided by the user for |
Specifies whether the password provided by the user for |
| .Cm PasswordAuthentication |
.Cm PasswordAuthentication |
|
|
| Kerberos servtab which allows the verification of the KDC's identity. |
Kerberos servtab which allows the verification of the KDC's identity. |
| Default is |
Default is |
| .Dq no . |
.Dq no . |
| |
.It Cm KerberosGetAFSToken |
| |
If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire |
| |
an AFS token before accessing the user's home directory. |
| |
Default is |
| |
.Dq no . |
| .It Cm KerberosOrLocalPasswd |
.It Cm KerberosOrLocalPasswd |
| If set then if password authentication through Kerberos fails then |
If set then if password authentication through Kerberos fails then |
| the password will be validated via any additional local mechanism |
the password will be validated via any additional local mechanism |
|
|
| Multiple algorithms must be comma-separated. |
Multiple algorithms must be comma-separated. |
| The default is |
The default is |
| .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
| |
.It Cm MaxAuthTries |
| |
Specifies the maximum number of authentication attempts permitted per |
| |
connection. |
| |
Once the number of failures reaches half this value, |
| |
additional failures are logged. |
| |
The default is 6. |
| .It Cm MaxStartups |
.It Cm MaxStartups |
| Specifies the maximum number of concurrent unauthenticated connections to the |
Specifies the maximum number of concurrent unauthenticated connections to the |
| .Nm sshd |
.Nm sshd |
|
|
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| Note that this option applies to protocol version 2 only. |
Note that this option applies to protocol version 2 only. |
| .Cm RhostsRSAAuthentication |
|
| should be used |
|
| instead, because it performs RSA-based host authentication in addition |
|
| to normal rhosts or /etc/hosts.equiv authentication. |
|
| The default is |
|
| .Dq no . |
|
| This option applies to protocol version 1 only. |
|
| .It Cm RhostsRSAAuthentication |
.It Cm RhostsRSAAuthentication |
| Specifies whether rhosts or /etc/hosts.equiv authentication together |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
| with successful RSA host authentication is allowed. |
with successful RSA host authentication is allowed. |
|
|
| The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
| LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
| The default is AUTH. |
The default is AUTH. |
| |
.It Cm TCPKeepAlive |
| |
Specifies whether the system should send TCP keepalive messages to the |
| |
other side. |
| |
If they are sent, death of the connection or crash of one |
| |
of the machines will be properly noticed. |
| |
However, this means that |
| |
connections will die if the route is down temporarily, and some people |
| |
find it annoying. |
| |
On the other hand, if TCP keepalives are not sent, |
| |
sessions may hang indefinitely on the server, leaving |
| |
.Dq ghost |
| |
users and consuming server resources. |
| |
.Pp |
| |
The default is |
| |
.Dq yes |
| |
(to send TCP keepalive messages), and the server will notice |
| |
if the network goes down or the client host crashes. |
| |
This avoids infinitely hanging sessions. |
| |
.Pp |
| |
To disable TCP keepalive messages, the value should be set to |
| |
.Dq no . |
| .It Cm UseDNS |
.It Cm UseDNS |
| Specifies whether |
Specifies whether |
| .Nm sshd |
.Nm sshd |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh