src/usr.bin/ssh/sshd_config.5 - diff

Return to sshd_config.5 CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/sshd_config.5 between version 1.25.2.1 and 1.25.2.2

version 1.25.2.1, 2004/02/28 03:51:34

version 1.25.2.2, 2004/08/19 22:37:33

Line 61

keywords and their meanings are as follows (note that

keywords are case-insensitive and arguments are case-sensitive):

.Bl -tag -width Ds

.It Cm AcceptEnv

Specifies what environment variables sent by the client will be copied into

the session's

.Xr environ 7 .

See

.Cm SendEnv

.Xr ssh_config 5

for how to configure the client.

Note that environment passing is only supported for protocol 2.

Variables are specified by name, which may contain the wildcard characters

.Ql \&*

and

.Ql \&? .

Multiple environment variables may be separated by whitespace or spread

across multiple

.Cm AcceptEnv

directives.

Be warned that some environment variables could be used to bypass restricted

user environments.

For this reason, care should be taken in the use of this directive.

The default is not to accept any environment variables.

.It Cm AllowGroups

This keyword can be followed by a list of group name patterns, separated

by spaces.

Line 73

Line 95

wildcards in the patterns.

Only group names are valid; a numerical group ID is not recognized.

By default, login is allowed for all groups.

.Pp

.It Cm AllowTcpForwarding

Specifies whether TCP forwarding is permitted.

The default is

Line 81

Line 102

Note that disabling TCP forwarding does not improve security unless

users are also denied shell access, as they can always install their

own forwarders.

.Pp

.It Cm AllowUsers

This keyword can be followed by a list of user name patterns, separated

by spaces.

Line 97

Line 117

If the pattern takes the form USER@HOST then USER and HOST

are separately checked, restricting logins to particular

users from particular hosts.

.Pp

.It Cm AuthorizedKeysFile

Specifies the file that contains the public keys that can be used

for user authentication.

Line 120

Line 139

authentication is allowed.

This option is only available for protocol version 2.

By default, no banner is displayed.

.Pp

.It Cm ChallengeResponseAuthentication

Specifies whether challenge response authentication is allowed.

All authentication styles from

Line 131

Line 149

.It Cm Ciphers

Specifies the ciphers allowed for protocol version 2.

Multiple ciphers must be comma-separated.

The supported ciphers are

.Dq 3des-cbc ,

.Dq aes128-cbc ,

.Dq aes192-cbc ,

.Dq aes256-cbc ,

.Dq aes128-ctr ,

.Dq aes192-ctr ,

.Dq aes256-ctr ,

.Dq arcfour ,

.Dq blowfish-cbc ,

and

.Dq cast128-cbc .

The default is

.Pp

.Bd -literal

``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,

aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''

Line 193

Line 222

wildcards in the patterns.

Only group names are valid; a numerical group ID is not recognized.

By default, login is allowed for all groups.

.Pp

.It Cm DenyUsers

This keyword can be followed by a list of user name patterns, separated

by spaces.

Line 300

Line 328

Kerberos servtab which allows the verification of the KDC's identity.

Default is

.Dq no .

.It Cm KerberosGetAFSToken

If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire

an AFS token before accessing the user's home directory.

Default is

.Dq no .

.It Cm KerberosOrLocalPasswd

If set then if password authentication through Kerberos fails then

the password will be validated via any additional local mechanism

Line 381

Line 414

Multiple algorithms must be comma-separated.

The default is

.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .

.It Cm MaxAuthTries

Specifies the maximum number of authentication attempts permitted per

connection.

Once the number of failures reaches half this value,

additional failures are logged.

The default is 6.

.It Cm MaxStartups

Specifies the maximum number of concurrent unauthenticated connections to the

.Nm sshd