version 1.25.2.1, 2004/02/28 03:51:34
version 1.25.2.2, 2004/08/19 22:37:33

keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
.It Cm AcceptEnv
Specifies what environment variables sent by the client will be copied into
the session's
.Xr environ 7 .
See
.Cm SendEnv
in
.Xr ssh_config 5
for how to configure the client.
Note that environment passing is only supported for protocol 2.
Variables are specified by name, which may contain the wildcard characters
.Ql \&*
and
.Ql \&? .
Multiple environment variables may be separated by whitespace or spread
across multiple
.Cm AcceptEnv
directives.
Be warned that some environment variables could be used to bypass restricted
user environments.
For this reason, care should be taken in the use of this directive.
The default is not to accept any environment variables.
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.

wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
.Pp
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The default is

Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.Pp
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.

If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
.Pp
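The wildcard and USER@HOST matching that AcceptEnv, AllowGroups, AllowUsers (and, further down, DenyUsers) rely on, as an added Python example; this is illustrative code written for this page, not this manual's text and not OpenSSH's own match.c. It implements exactly the two wildcards the page names, with case-sensitive arguments. Everything beyond the page's wording is an assumption and is marked as such in the comments: the HOST half of a USER@HOST pattern is tried against both hostname and address, the initial deny-before-allow evaluation order is sshd's, and the environment and host names fed in are constructed sample input.

```python
"""Added example (not from the sshd_config manual or OpenSSH's match.c):
the pattern matching behind AcceptEnv, AllowUsers/AllowGroups and DenyUsers.

Only the two wildcards the page names are implemented: '*' matches any run of
characters (including none) and '?' matches exactly one.  Matching is
case-sensitive, because arguments to sshd_config keywords are.
"""


def match_pattern(string: str, pattern: str) -> bool:
    """Return True if the whole of `string` matches `pattern`."""
    if not pattern:
        return string == ""
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        # '*' may swallow 0..len(string) characters; try every split point.
        return any(match_pattern(string[i:], rest) for i in range(len(string) + 1))
    if not string:
        return False
    if head == "?" or head == string[0]:
        return match_pattern(string[1:], rest)
    return False


def match_pattern_list(string: str, patterns: str) -> bool:
    """Whitespace-separated pattern list, as AcceptEnv/AllowUsers arguments are."""
    return any(match_pattern(string, p) for p in patterns.split())


def accepted_env(client_env: dict, accept_env_values: list) -> dict:
    """Apply the values of one or more AcceptEnv lines to the variables a
    client offers.  With no directive nothing is accepted (the page's default);
    a bare '*' would pass every name through and give up the protection the
    page warns about."""
    patterns = " ".join(accept_env_values)
    return {name: val for name, val in client_env.items()
            if match_pattern_list(name, patterns)}


def match_user(user: str, host: str, ipaddr: str, pattern: str) -> bool:
    """One AllowUsers/DenyUsers pattern.  USER@HOST splits at the first '@'
    and checks the halves separately.  Assumption (the page does not say):
    the HOST half is tried against both the client's hostname and its address,
    as sshd's match_user() does."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return (match_pattern(user, upat)
                and (match_pattern(host, hpat) or match_pattern(ipaddr, hpat)))
    return match_pattern(user, pattern)


def login_permitted(user: str, host: str, ipaddr: str,
                    deny_users: str = "", allow_users: str = "") -> bool:
    """DenyUsers is consulted first and a match refuses the login outright;
    a non-empty AllowUsers then admits only users matching some pattern.
    (This evaluation order is sshd's; the page defines each keyword alone.)"""
    if any(match_user(user, host, ipaddr, p) for p in deny_users.split()):
        return False
    if allow_users.strip():
        return any(match_user(user, host, ipaddr, p) for p in allow_users.split())
    return True


if __name__ == "__main__":
    # Constructed sample input: what a client might offer via SendEnv.
    offered = {"LANG": "C", "LC_ALL": "C", "LD_PRELOAD": "/tmp/x.so", "PATH": "/tmp"}
    print(accepted_env(offered, ["LANG LC_*"]))   # only LANG and LC_ALL survive
    print(login_permitted("alice", "jump.example.org", "192.0.2.10",
                          allow_users="alice@192.0.2.* bob"))
```

The check a practitioner wants from this: whatever AcceptEnv admits is placed in the login environment before the user's shell or forced command runs, so the accepted names should be limited to the few the session genuinely needs (locale variables, say) rather than a wildcard that also admits loader or search-path variables. For AllowUsers, note that a plain pattern with no '@' matches the user from any host, so a list mixing `alice@192.0.2.*` with a bare `bob` restricts only alice.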
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication.

authentication is allowed.
This option is only available for protocol version 2.
By default, no banner is displayed.
.Pp
.It Cm ChallengeResponseAuthentication
Specifies whether challenge response authentication is allowed.
All authentication styles from

.It Cm Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated.
The supported ciphers are
.Dq 3des-cbc ,
.Dq aes128-cbc ,
.Dq aes192-cbc ,
.Dq aes256-cbc ,
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
.Dq cast128-cbc .
The default is
.Pp
.Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
.Ed

wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
.Pp
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.

Kerberos servtab which allows the verification of the KDC's identity.
Default is
.Dq no .
.It Cm KerberosGetAFSToken
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
an AFS token before accessing the user's home directory.
Default is
.Dq no .
.It Cm KerberosOrLocalPasswd
If set, and password authentication through Kerberos fails, then
the password will be validated via any additional local mechanism

Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
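A small auditor for the Ciphers list above and the MACs list just given, as an added Python example; it is written for this page and is not part of the manual or of OpenSSH. It takes the default lists exactly as the page states them and removes the entries a reviewer would no longer accept. The weakness rules are later knowledge, not anything this page says: CBC-mode SSH ciphers (the plaintext-recovery attack tracked as CVE-2008-5161), arcfour (RC4 keystream biases), the 64-bit block ciphers (3des-cbc, blowfish-cbc, cast128-cbc), and MD5-based or 96-bit-truncated MACs. It also assumes that the page's default MAC list is the full supported MAC set, since the page's MACs description is cut off before it says so, and the sshd_config fragment it scans is constructed.

```python
"""Added example (not from the sshd_config manual or OpenSSH): audit the
Ciphers and MACs lines of a configuration fragment against the default lists
the page gives, dropping algorithms a reviewer would no longer accept.

Assumptions outside the page's wording: SUPPORTED_MACS is taken to be the
page's default MAC list; the is_weak_* rules encode later knowledge (CBC-mode
SSH ciphers, CVE-2008-5161; arcfour/RC4; 64-bit block ciphers; MD5-based and
96-bit-truncated MACs).
"""

# Lists exactly as the page states them.
PAGE_DEFAULT_CIPHERS = ("aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,"
                        "aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr")
PAGE_DEFAULT_MACS = "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96"

SUPPORTED_CIPHERS = frozenset(
    "3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr "
    "aes256-ctr arcfour blowfish-cbc cast128-cbc".split())
SUPPORTED_MACS = frozenset(PAGE_DEFAULT_MACS.split(","))   # assumption, see above


def is_weak_cipher(name: str) -> bool:
    # CBC mode; this also covers the 64-bit block ciphers 3des-cbc,
    # blowfish-cbc and cast128-cbc.  arcfour is RC4.
    return name.endswith("-cbc") or name == "arcfour"


def is_weak_mac(name: str) -> bool:
    # MD5-based, or tag truncated to 96 bits.
    return "md5" in name or name.endswith("-96")


def harden_list(value: str, is_weak, supported) -> str:
    """Return `value` (a comma-separated algorithm list, as the keywords require)
    with weak entries removed, preserving the administrator's order.
    Unknown names are an error rather than silently dropped: sshd refuses an
    unrecognised cipher or MAC name when it parses the configuration, so a
    typo must surface, not be 'fixed'."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in names if n not in supported]
    if unknown:
        raise ValueError("unsupported algorithm name(s): " + ", ".join(unknown))
    kept = [n for n in names if not is_weak(n)]
    if not kept:
        raise ValueError("hardening would leave no algorithm in: " + value)
    return ",".join(kept)


def audit_config(text: str) -> dict:
    """Scan a sshd_config fragment for Ciphers and MACs.  Keywords are matched
    case-insensitively and values case-sensitively, as the page states; the
    first occurrence of a keyword wins, as in sshd.  An absent keyword is
    reported against the page's default, since that default then applies.
    Only the 'Keyword value' form is parsed, with '#' comments on their own
    lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key in ("ciphers", "macs") and key not in found:
            found[key] = parts[1].strip()
    ciphers = found.get("ciphers", PAGE_DEFAULT_CIPHERS)
    macs = found.get("macs", PAGE_DEFAULT_MACS)
    return {
        "Ciphers": (ciphers, harden_list(ciphers, is_weak_cipher, SUPPORTED_CIPHERS)),
        "MACs": (macs, harden_list(macs, is_weak_mac, SUPPORTED_MACS)),
    }


if __name__ == "__main__":
    # Constructed sample fragment; the arcfour/CBC choice is deliberately weak,
    # and the lower-case keyword shows that keywords are case-insensitive.
    sample = "Port 22\nciphers arcfour,aes256-ctr,aes128-cbc\n"
    for key, (before, after) in audit_config(sample).items():
        print(f"{key}: {before}\n    -> {after}")
```

Run against the page's own defaults this leaves `aes128-ctr,aes192-ctr,aes256-ctr` and `hmac-sha1,hmac-ripemd160`, which is the practical point: a server of this vintage that sets neither keyword negotiates from the weak default lists, so both lines deserve an explicit value.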
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
Once the number of failures reaches half this value,
additional failures are logged.
The default is 6.
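The per-connection accounting that MaxAuthTries describes, as an added Python model; it is written for this page and is not the manual's text or OpenSSH's own auth code. It follows the page: each failure increments a counter, once the counter reaches half of MaxAuthTries failures are logged at the normal level rather than only at verbose level, and reaching MaxAuthTries closes the connection. Two details are assumptions beyond the page and are marked in the code: the initial `none` method probe is not counted, and the log wording is simplified. The attempt sequences are constructed.

```python
"""Added example (not from the sshd_config manual or OpenSSH's auth code):
a per-connection model of MaxAuthTries as the page describes it.

Modeled behaviour: every failed attempt increments a failure counter; once
the counter reaches half of MaxAuthTries a failure is logged at the normal
(info) level rather than only at verbose level; when it reaches MaxAuthTries
the connection is closed.  Assumptions beyond the page: the initial 'none'
method probe is not counted, and the log wording is simplified.
"""

DEFAULT_MAX_AUTHTRIES = 6


class AuthPhase:
    def __init__(self, max_authtries: int = DEFAULT_MAX_AUTHTRIES):
        self.max_authtries = max_authtries
        self.failures = 0
        self.log = []          # (level, message) pairs, most recent last
        self.open = True

    def attempt(self, method: str, user: str, success: bool) -> str:
        """Process one userauth request; returns 'accepted', 'failed' or
        'disconnected'."""
        if not self.open:
            raise RuntimeError("connection is closed")
        if success:
            self.log.append(("info", f"Accepted {method} for {user}"))
            self.open = False        # authentication phase is over
            return "accepted"
        if method != "none":         # assumption: 'none' is a probe, not counted
            self.failures += 1
        # The page: once failures reach half MaxAuthTries, further failures
        # are logged (here: at info instead of verbose).
        level = "info" if self.failures >= self.max_authtries // 2 else "verbose"
        self.log.append((level, f"Failed {method} for {user}"))
        if self.failures >= self.max_authtries:
            self.log.append(("info", f"Too many authentication failures for {user}"))
            self.open = False
            return "disconnected"
        return "failed"


def run_connection(attempts, max_authtries: int = DEFAULT_MAX_AUTHTRIES):
    """Feed (method, user, success) triples to one AuthPhase and return
    (outcomes, phase).  Stops at the first accept or disconnect, as the
    connection would."""
    phase = AuthPhase(max_authtries)
    outcomes = []
    for method, user, ok in attempts:
        outcomes.append(phase.attempt(method, user, ok))
        if not phase.open:
            break
    return outcomes, phase


if __name__ == "__main__":
    # Constructed: a client whose agent offers six unrelated keys before the
    # right password never gets to type it with the default of 6.
    attempts = ([("none", "alice", False)]
                + [("publickey", "alice", False)] * 6
                + [("password", "alice", True)])
    outcomes, phase = run_connection(attempts)
    print(outcomes)
    for level, message in phase.log:
        print(f"{level:8s} {message}")
```

The second scenario in the block is the one operators meet most often: every public key the client offers and the server rejects counts as a failed attempt, so a user with many keys loaded can be disconnected for too many failures before the method that would have succeeded is ever tried. Raising MaxAuthTries widens the window for password guessing; the better fix is on the client side, offering only the key meant for that host.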
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm sshd