version 1.3.2.3, 2002/10/11 14:53:07 (text shown below), diffed against version 1.4, 2002/06/22 16:45:29
|
|
.Nd OpenSSH SSH daemon configuration file
.Sh SYNOPSIS
.Bl -tag -width Ds -compact
.It Pa /etc/sshd_config
.El
.Sh DESCRIPTION
.Nm sshd
reads configuration data from
.Pa /etc/sshd_config
(or the file specified with
.Fl f
on the command line).
|
|
Specifies a file containing a private host key
used by SSH.
The default is
.Pa /etc/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh_host_rsa_key
and
.Pa /etc/ssh_host_dsa_key
for protocol version 2.
Note that
.Nm sshd
|
|
The server disconnects after this time if the user has not
successfully logged in.
If the value is 0, there is no time limit.
The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Nm sshd .
|
|
If this option is set to
.Dq no
root is not allowed to login.
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
and
.Cm environment=
options in
.Pa ~/.ssh/authorized_keys
are processed by
.Nm sshd .
The default is
.Dq no .
Enabling environment processing may enable users to bypass access
restrictions in some configurations using mechanisms such as
.Ev LD_PRELOAD .
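The bypass this entry warns about can be checked for from the shell before the option is enabled. The script below is an added example written for this page, not text from the manual or code from OpenSSH: the function names, the temporary file paths and the two authorized_keys entries are constructed for illustration, and the key blobs are placeholders rather than real keys. It reads the effective PermitUserEnvironment value from an sshd_config (sshd uses the first uncommented occurrence of a keyword, and the default is no as documented above), counts authorized_keys entries that carry an environment= option, and flags the combination, since an LD_PRELOAD value on a key that is otherwise pinned to a forced command is exactly the case the warning describes.

```shell
#!/bin/sh
# Added example (not OpenSSH code): does PermitUserEnvironment make the
# environment= options in authorized_keys live?

# Effective value of a directive: sshd uses the first uncommented
# occurrence of a keyword and keywords are case-insensitive; fall back
# to the documented default when the directive is absent.
# Only the "Keyword argument" form is handled here.
sshd_opt() {  # sshd_opt <sshd_config> <Keyword> <default>
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# Number of authorized_keys entries carrying an environment="..." option.
count_env_opts() {  # count_env_opts <authorized_keys>
    grep -c -i 'environment="' "$1" || true
}

# Exit 0 when environment processing is off or unused, 1 when it is on
# and at least one key would get its environment from the key file.
audit_env_opts() {  # audit_env_opts <sshd_config> <authorized_keys>
    pue=$(sshd_opt "$1" PermitUserEnvironment no)
    n=$(count_env_opts "$2")
    if [ "$pue" = yes ] && [ "$n" -gt 0 ]; then
        echo "WARN: PermitUserEnvironment yes and $n environment= option(s) in $2;"
        echo "      an LD_PRELOAD set this way runs inside the command= program"
        return 1
    fi
    echo "ok: PermitUserEnvironment=$pue, environment= options=$n (inert unless yes)"
}

# --- constructed sample input (hypothetical paths, placeholder key blobs) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/sshd_config.weak" <<'EOF'
Protocol 2
PermitUserEnvironment yes
EOF

cat > "$TMPD/sshd_config.hard" <<'EOF'
Protocol 2
# PermitUserEnvironment yes   <- commented out, so the default (no) applies
EOF

# Key 2 is locked to a backup command, but its environment= option would
# load a shared object into that command before it runs.
cat > "$TMPD/authorized_keys" <<'EOF'
command="/usr/local/bin/backup",no-pty,no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER1 backup@host
command="/usr/local/bin/backup",environment="LD_PRELOAD=/home/backup/.hook.so" ssh-rsa AAAAB3PLACEHOLDER2 backup@laptop
EOF

audit_env_opts "$TMPD/sshd_config.weak" "$TMPD/authorized_keys" || true
audit_env_opts "$TMPD/sshd_config.hard" "$TMPD/authorized_keys"
```

The second configuration shows why the check reads the effective value rather than grepping for the keyword: the commented line is ignored, so the documented default applies and the environment= option on the second key stays inert.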
.It Cm PidFile
Specifies the file that contains the process ID of the
.Nm sshd
|
|
.It Cm Protocol
Specifies the protocol versions
.Nm sshd
supports.
The possible values are
.Dq 1
and
|
|
Multiple versions must be comma-separated.
The default is
.Dq 2,1 .
Note that the order of the protocol list does not indicate preference,
because the client selects among multiple protocol versions offered
by the server.
Specifying
.Dq 2,1
is identical to
.Dq 1,2 .
.It Cm PubkeyAuthentication
Specifies whether public key authentication is allowed.
The default is
|
|
The default is 10.
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
.Nm sshd
proxy display is configured to listen on the wildcard address (see
.Cm X11UseLocalhost
below), however this is not the default.
Additionally, the authentication spoofing and authentication data
verification and substitution occur on the client side.
The security risk of using X11 forwarding is that the client's X11
display server may be exposed to attack when the ssh client requests
forwarding (see the warnings for
.Cm ForwardX11
in
.Xr ssh_config 5 ).
A system administrator may want to protect clients that could expose
themselves to attack by unwittingly requesting X11 forwarding, which
can warrant a
.Dq no
setting.
.Pp
Note that disabling X11 forwarding does not prevent users from
forwarding X11 traffic, as users can always install their own forwarders.
X11 forwarding is automatically disabled if
.Cm UseLogin
is enabled.
|
|
.Ev DISPLAY
environment variable to
.Dq localhost .
This prevents remote hosts from connecting to the proxy display.
However, some older X11 clients may not function with this
configuration.
.Cm X11UseLocalhost
|
|
The default is
.Dq yes .
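Several of the entries above can be audited mechanically. The script below is an added example, not part of the manual page or of OpenSSH; the configuration files are constructed and the function names are assumptions. It reduces the Protocol list to a set so that 2,1 and 1,2 compare equal, as the Protocol entry states, and reports the settings a reviewer looks for first: protocol 1 offered, PermitRootLogin not set to no, LoginGraceTime 0 (no limit), and X11Forwarding yes together with X11UseLocalhost no, which is the wildcard-address exposure described under X11Forwarding. Defaults supplied when a directive is absent are the ones documented on this page (Protocol 2,1, LoginGraceTime 120, X11Forwarding no, X11UseLocalhost yes); the PermitRootLogin default of yes is assumed for this version, since the entry above does not state it.

```shell
#!/bin/sh
# Added example (not OpenSSH code): audit the sshd_config directives
# discussed in the entries above.

# First uncommented occurrence of a keyword wins and keywords are
# case-insensitive; an absent directive yields the documented default.
sshd_opt() {  # sshd_opt <sshd_config> <Keyword> <default>
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# Order in the Protocol list carries no preference, so compare it as a
# set: "2,1" and "1,2" both become "1 2".
protocol_set() {  # protocol_set "2,1"
    printf '%s\n' "$1" | tr ',' '\n' | sort -u | paste -s -d ' ' -
}

# True when version 1 is offered in any position of the list.
protocol_allows_v1() {  # protocol_allows_v1 "2,1"
    case ",$1," in *,1,*) return 0 ;; esac
    return 1
}

# Prints one FINDING: line per weak setting; always returns 0.
audit_sshd_config() {  # audit_sshd_config <sshd_config>
    f=$1
    proto=$(sshd_opt "$f" Protocol 2,1)              # documented default
    if protocol_allows_v1 "$proto"; then
        echo "FINDING: Protocol $proto (set: $(protocol_set "$proto")) offers SSH1; use 'Protocol 2'"
    fi
    # Assumed default for this version: yes (not stated in the entry above).
    if [ "$(sshd_opt "$f" PermitRootLogin yes)" != no ]; then
        echo "FINDING: PermitRootLogin is not 'no'"
    fi
    if [ "$(sshd_opt "$f" LoginGraceTime 120)" = 0 ]; then
        echo "FINDING: LoginGraceTime 0 removes the unauthenticated-connection timeout"
    fi
    if [ "$(sshd_opt "$f" X11Forwarding no)" = yes ] &&
       [ "$(sshd_opt "$f" X11UseLocalhost yes)" = no ]; then
        echo "FINDING: X11Forwarding yes with X11UseLocalhost no: proxy display listens on the wildcard address"
    fi
    return 0
}

count_findings() {  # count_findings <sshd_config>
    audit_sshd_config "$1" | grep -c '^FINDING:' || true
}

# --- constructed sample configurations (hypothetical) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/sshd_config.weak" <<'EOF'
protocol 1,2
PermitRootLogin yes
LoginGraceTime 0
X11Forwarding yes
X11UseLocalhost no
EOF

cat > "$TMPD/sshd_config.hard" <<'EOF'
Protocol 2
PermitRootLogin no
LoginGraceTime 120
X11Forwarding no
EOF

for c in weak hard; do
    echo "== $c: $(count_findings "$TMPD/sshd_config.$c") finding(s)"
    audit_sshd_config "$TMPD/sshd_config.$c"
done
```

The weak file spells the keyword in lower case on purpose: sshd accepts it, so an audit that matches on exact case would miss it.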
.It Cm XAuthLocation
Specifies the full pathname of the
.Xr xauth 1
program.
The default is
|
|
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
.Sm off
.Ar time Op Ar qualifier ,
.Sm on
where
.Ar time
|
|
.El
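A parser for the time syntax above, as an added example that is neither from the manual page nor from OpenSSH; the function name is an assumption. It follows the qualifier table of the TIME FORMATS section of sshd_config(5) (a bare number is seconds; s, m, h, d and w select seconds, minutes, hours, days and weeks, in either letter case), sums a sequence such as 1h30m, and rejects malformed input rather than guessing, which is the behaviour a LoginGraceTime value has to survive before sshd will use it.

```shell
#!/bin/sh
# Added example (not OpenSSH code): convert an sshd time value such as
# "1h30m", "2W" or "600" to seconds.  Prints the total and returns 0, or
# prints nothing and returns 1 on malformed input (empty string, missing
# number, unknown qualifier).
ssh_time_to_seconds() {  # ssh_time_to_seconds "<time>"
    s=$1
    total=0
    [ -n "$s" ] || return 1
    while [ -n "$s" ]; do
        num=${s%%[!0-9]*}            # leading run of digits
        [ -n "$num" ] || return 1    # every element must start with a number
        rest=${s#"$num"}
        case $rest in
            "")    mult=1 ;;         # bare number: seconds
            [sS]*) mult=1 ;;
            [mM]*) mult=60 ;;
            [hH]*) mult=3600 ;;
            [dD]*) mult=86400 ;;
            [wW]*) mult=604800 ;;
            *)     return 1 ;;       # unknown qualifier
        esac
        total=$((total + num * mult))
        if [ -n "$rest" ]; then s=${rest#?}; else s=""; fi   # drop the qualifier
    done
    echo "$total"
}

# Constructed inputs: the documented defaults, a few mixed sequences and
# two values that must be rejected.
for v in 600 120 90s 2m 1h30m 1h30 1d 2W 1x h; do
    if secs=$(ssh_time_to_seconds "$v"); then
        printf '%-6s = %s seconds\n' "$v" "$secs"
    else
        printf '%-6s : rejected\n' "$v"
    fi
done
```

Note that a trailing bare number inside a sequence ("1h30") is still seconds, so it adds 30 rather than 30 minutes; the qualifier has to be written out.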
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/sshd_config
Contains configuration data for
.Nm sshd .
This file should be writable by root only, but it is recommended