| version 1.3.2.2, 2002/06/26 18:22:37 |
version 1.3.2.3, 2002/10/11 14:53:07 |
|
|
| The server disconnects after this time if the user has not |
The server disconnects after this time if the user has not |
| successfully logged in. |
successfully logged in. |
| If the value is 0, there is no time limit. |
If the value is 0, there is no time limit. |
| The default is 600 (seconds). |
The default is 120 seconds. |
| .It Cm LogLevel |
.It Cm LogLevel |
| Gives the verbosity level that is used when logging messages from |
Gives the verbosity level that is used when logging messages from |
| .Nm sshd . |
.Nm sshd . |
|
|
| If this option is set to |
If this option is set to |
| .Dq no |
.Dq no |
| root is not allowed to login. |
root is not allowed to login. |
| |
.It Cm PermitUserEnvironment |
| |
Specifies whether |
| |
.Pa ~/.ssh/environment |
| |
and |
| |
.Cm environment= |
| |
options in |
| |
.Pa ~/.ssh/authorized_keys |
| |
are processed by |
| |
.Nm sshd . |
| |
The default is |
| |
.Dq no . |
| |
Enabling environment processing may enable users to bypass access |
| |
restrictions in some configurations using mechanisms such as |
| |
.Ev LD_PRELOAD . |
| .It Cm PidFile |
.It Cm PidFile |
| Specifies the file that contains the process ID of the |
Specifies the file that contains the process ID of the |
| .Nm sshd |
.Nm sshd |
|
|
| .It Cm Protocol |
.It Cm Protocol |
| Specifies the protocol versions |
Specifies the protocol versions |
| .Nm sshd |
.Nm sshd |
| should support. |
supports. |
| The possible values are |
The possible values are |
| .Dq 1 |
.Dq 1 |
| and |
and |
|
|
| Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
| The default is |
The default is |
| .Dq 2,1 . |
.Dq 2,1 . |
| |
Note that the order of the protocol list does not indicate preference, |
| |
because the client selects among multiple protocol versions offered |
| |
by the server. |
| |
Specifying |
| |
.Dq 2,1 |
| |
is identical to |
| |
.Dq 1,2 . |
| .It Cm PubkeyAuthentication |
.It Cm PubkeyAuthentication |
| Specifies whether public key authentication is allowed. |
Specifies whether public key authentication is allowed. |
| The default is |
The default is |
|
|
| The default is 10. |
The default is 10. |
| .It Cm X11Forwarding |
.It Cm X11Forwarding |
| Specifies whether X11 forwarding is permitted. |
Specifies whether X11 forwarding is permitted. |
| |
The argument must be |
| |
.Dq yes |
| |
or |
| |
.Dq no . |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| Note that disabling X11 forwarding does not improve security in any |
.Pp |
| way, as users can always install their own forwarders. |
When X11 forwarding is enabled, there may be additional exposure to |
| |
the server and to client displays if the |
| |
.Nm sshd |
| |
proxy display is configured to listen on the wildcard address (see |
| |
.Cm X11UseLocalhost |
| |
below), however this is not the default. |
| |
Additionally, the authentication spoofing and authentication data |
| |
verification and substitution occur on the client side. |
| |
The security risk of using X11 forwarding is that the client's X11 |
| |
display server may be exposed to attack when the ssh client requests |
| |
forwarding (see the warnings for |
| |
.Cm ForwardX11 |
| |
in |
| |
.Xr ssh_config 5 ). |
| |
A system administrator may have a stance in which they want to |
| |
protect clients that may expose themselves to attack by unwittingly |
| |
requesting X11 forwarding, which can warrant a |
| |
.Dq no |
| |
setting. |
| |
.Pp |
| |
Note that disabling X11 forwarding does not prevent users from |
| |
forwarding X11 traffic, as users can always install their own forwarders. |
| X11 forwarding is automatically disabled if |
X11 forwarding is automatically disabled if |
| .Cm UseLogin |
.Cm UseLogin |
| is enabled. |
is enabled. |
|
|
| .Ev DISPLAY |
.Ev DISPLAY |
| environment variable to |
environment variable to |
| .Dq localhost . |
.Dq localhost . |
| This prevents remote hosts from connecting to the fake display. |
This prevents remote hosts from connecting to the proxy display. |
| However, some older X11 clients may not function with this |
However, some older X11 clients may not function with this |
| configuration. |
configuration. |
| .Cm X11UseLocalhost |
.Cm X11UseLocalhost |
|
|
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .It Cm XAuthLocation |
.It Cm XAuthLocation |
| Specifies the location of the |
Specifies the full pathname of the |
| .Xr xauth 1 |
.Xr xauth 1 |
| program. |
program. |
| The default is |
The default is |
|
|
| command-line arguments and configuration file options that specify time |
command-line arguments and configuration file options that specify time |
| may be expressed using a sequence of the form: |
may be expressed using a sequence of the form: |
| .Sm off |
.Sm off |
| .Ar time Oo Ar qualifier Oc , |
.Ar time Op Ar qualifier , |
| .Sm on |
.Sm on |
| where |
where |
| .Ar time |
.Ar time |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh