| version 1.44.2.2, 2006/10/06 03:19:33 |
version 1.45, 2005/09/21 23:36:54 |
|
|
| .It Pa /etc/ssh/sshd_config |
.It Pa /etc/ssh/sshd_config |
| .El |
.El |
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Xr sshd 8 |
.Nm sshd |
| reads configuration data from |
reads configuration data from |
| .Pa /etc/ssh/sshd_config |
.Pa /etc/ssh/sshd_config |
| (or the file specified with |
(or the file specified with |
|
|
| Lines starting with |
Lines starting with |
| .Ql # |
.Ql # |
| and empty lines are interpreted as comments. |
and empty lines are interpreted as comments. |
| Arguments may optionally be enclosed in double quotes |
|
| .Pq \&" |
|
| in order to represent arguments containing spaces. |
|
| .Pp |
.Pp |
| The possible |
The possible |
| keywords and their meanings are as follows (note that |
keywords and their meanings are as follows (note that |
|
|
| for how to configure the client. |
for how to configure the client. |
| Note that environment passing is only supported for protocol 2. |
Note that environment passing is only supported for protocol 2. |
| Variables are specified by name, which may contain the wildcard characters |
Variables are specified by name, which may contain the wildcard characters |
| .Ql * |
.Ql \&* |
| and |
and |
| .Ql \&? . |
.Ql \&? . |
| Multiple environment variables may be separated by whitespace or spread |
Multiple environment variables may be separated by whitespace or spread |
|
|
| The default is not to accept any environment variables. |
The default is not to accept any environment variables. |
| .It Cm AddressFamily |
.It Cm AddressFamily |
| Specifies which address family should be used by |
Specifies which address family should be used by |
| .Xr sshd 8 . |
.Nm sshd . |
| Valid arguments are |
Valid arguments are |
| .Dq any , |
.Dq any , |
| .Dq inet |
.Dq inet |
| (use IPv4 only), or |
(use IPv4 only) or |
| .Dq inet6 |
.Dq inet6 |
| (use IPv6 only). |
(use IPv6 only). |
| The default is |
The default is |
|
|
| by spaces. |
by spaces. |
| If specified, login is allowed only for users whose primary |
If specified, login is allowed only for users whose primary |
| group or supplementary group list matches one of the patterns. |
group or supplementary group list matches one of the patterns. |
| |
.Ql \&* |
| |
and |
| |
.Ql \&? |
| |
can be used as |
| |
wildcards in the patterns. |
| Only group names are valid; a numerical group ID is not recognized. |
Only group names are valid; a numerical group ID is not recognized. |
| By default, login is allowed for all groups. |
By default, login is allowed for all groups. |
| The allow/deny directives are processed in the following order: |
|
| .Cm DenyUsers , |
|
| .Cm AllowUsers , |
|
| .Cm DenyGroups , |
|
| and finally |
|
| .Cm AllowGroups . |
|
| .Pp |
|
| See |
|
| .Sx PATTERNS |
|
| in |
|
| .Xr ssh_config 5 |
|
| for more information on patterns. |
|
| .It Cm AllowTcpForwarding |
.It Cm AllowTcpForwarding |
| Specifies whether TCP forwarding is permitted. |
Specifies whether TCP forwarding is permitted. |
| The default is |
The default is |
|
|
| by spaces. |
by spaces. |
| If specified, login is allowed only for user names that |
If specified, login is allowed only for user names that |
| match one of the patterns. |
match one of the patterns. |
| |
.Ql \&* |
| |
and |
| |
.Ql \&? |
| |
can be used as |
| |
wildcards in the patterns. |
| Only user names are valid; a numerical user ID is not recognized. |
Only user names are valid; a numerical user ID is not recognized. |
| By default, login is allowed for all users. |
By default, login is allowed for all users. |
| If the pattern takes the form USER@HOST then USER and HOST |
If the pattern takes the form USER@HOST then USER and HOST |
| are separately checked, restricting logins to particular |
are separately checked, restricting logins to particular |
| users from particular hosts. |
users from particular hosts. |
| The allow/deny directives are processed in the following order: |
|
| .Cm DenyUsers , |
|
| .Cm AllowUsers , |
|
| .Cm DenyGroups , |
|
| and finally |
|
| .Cm AllowGroups . |
|
| .Pp |
|
| See |
|
| .Sx PATTERNS |
|
| in |
|
| .Xr ssh_config 5 |
|
| for more information on patterns. |
|
| .It Cm AuthorizedKeysFile |
.It Cm AuthorizedKeysFile |
| Specifies the file that contains the public keys that can be used |
Specifies the file that contains the public keys that can be used |
| for user authentication. |
for user authentication. |
| .Cm AuthorizedKeysFile |
.Cm AuthorizedKeysFile |
| may contain tokens of the form %T which are substituted during connection |
may contain tokens of the form %T which are substituted during connection |
| setup. |
set-up. |
| The following tokens are defined: %% is replaced by a literal '%', |
The following tokens are defined: %% is replaced by a literal '%', |
| %h is replaced by the home directory of the user being authenticated, and |
%h is replaced by the home directory of the user being authenticated and |
| %u is replaced by the username of that user. |
%u is replaced by the username of that user. |
| After expansion, |
After expansion, |
| .Cm AuthorizedKeysFile |
.Cm AuthorizedKeysFile |
|
|
| This option is only available for protocol version 2. |
This option is only available for protocol version 2. |
| By default, no banner is displayed. |
By default, no banner is displayed. |
| .It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
| Specifies whether challenge-response authentication is allowed. |
Specifies whether challenge response authentication is allowed. |
| All authentication styles from |
All authentication styles from |
| .Xr login.conf 5 |
.Xr login.conf 5 |
| are supported. |
are supported. |
|
|
| .Dq blowfish-cbc , |
.Dq blowfish-cbc , |
| and |
and |
| .Dq cast128-cbc . |
.Dq cast128-cbc . |
| The default is: |
The default is |
| .Bd -literal -offset 3n |
.Bd -literal |
| aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
| arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
| aes192-ctr,aes256-ctr |
aes192-ctr,aes256-ctr'' |
| .Ed |
.Ed |
| .It Cm ClientAliveCountMax |
.It Cm ClientAliveCountMax |
| Sets the number of client alive messages (see below) which may be |
Sets the number of client alive messages (see above) which may be |
| sent without |
sent without |
| .Xr sshd 8 |
.Nm sshd |
| receiving any messages back from the client. |
receiving any messages back from the client. |
| If this threshold is reached while client alive messages are being sent, |
If this threshold is reached while client alive messages are being sent, |
| sshd will disconnect the client, terminating the session. |
.Nm sshd |
| |
will disconnect the client, terminating the session. |
| It is important to note that the use of client alive messages is very |
It is important to note that the use of client alive messages is very |
| different from |
different from |
| .Cm TCPKeepAlive |
.Cm TCPKeepAlive |
|
|
| The default value is 3. |
The default value is 3. |
| If |
If |
| .Cm ClientAliveInterval |
.Cm ClientAliveInterval |
| (see below) is set to 15, and |
(above) is set to 15, and |
| .Cm ClientAliveCountMax |
.Cm ClientAliveCountMax |
| is left at the default, unresponsive SSH clients |
is left at the default, unresponsive ssh clients |
| will be disconnected after approximately 45 seconds. |
will be disconnected after approximately 45 seconds. |
| This option applies to protocol version 2 only. |
|
| .It Cm ClientAliveInterval |
.It Cm ClientAliveInterval |
| Sets a timeout interval in seconds after which if no data has been received |
Sets a timeout interval in seconds after which if no data has been received |
| from the client, |
from the client, |
| .Xr sshd 8 |
.Nm sshd |
| will send a message through the encrypted |
will send a message through the encrypted |
| channel to request a response from the client. |
channel to request a response from the client. |
| The default |
The default |
|
|
| by spaces. |
by spaces. |
| Login is disallowed for users whose primary group or supplementary |
Login is disallowed for users whose primary group or supplementary |
| group list matches one of the patterns. |
group list matches one of the patterns. |
| |
.Ql \&* |
| |
and |
| |
.Ql \&? |
| |
can be used as |
| |
wildcards in the patterns. |
| Only group names are valid; a numerical group ID is not recognized. |
Only group names are valid; a numerical group ID is not recognized. |
| By default, login is allowed for all groups. |
By default, login is allowed for all groups. |
| The allow/deny directives are processed in the following order: |
|
| .Cm DenyUsers , |
|
| .Cm AllowUsers , |
|
| .Cm DenyGroups , |
|
| and finally |
|
| .Cm AllowGroups . |
|
| .Pp |
|
| See |
|
| .Sx PATTERNS |
|
| in |
|
| .Xr ssh_config 5 |
|
| for more information on patterns. |
|
| .It Cm DenyUsers |
.It Cm DenyUsers |
| This keyword can be followed by a list of user name patterns, separated |
This keyword can be followed by a list of user name patterns, separated |
| by spaces. |
by spaces. |
| Login is disallowed for user names that match one of the patterns. |
Login is disallowed for user names that match one of the patterns. |
| |
.Ql \&* |
| |
and |
| |
.Ql \&? |
| |
can be used as wildcards in the patterns. |
| Only user names are valid; a numerical user ID is not recognized. |
Only user names are valid; a numerical user ID is not recognized. |
| By default, login is allowed for all users. |
By default, login is allowed for all users. |
| If the pattern takes the form USER@HOST then USER and HOST |
If the pattern takes the form USER@HOST then USER and HOST |
| are separately checked, restricting logins to particular |
are separately checked, restricting logins to particular |
| users from particular hosts. |
users from particular hosts. |
| The allow/deny directives are processed in the following order: |
|
| .Cm DenyUsers , |
|
| .Cm AllowUsers , |
|
| .Cm DenyGroups , |
|
| and finally |
|
| .Cm AllowGroups . |
|
| .Pp |
|
| See |
|
| .Sx PATTERNS |
|
| in |
|
| .Xr ssh_config 5 |
|
| for more information on patterns. |
|
| .It Cm ForceCommand |
|
| Forces the execution of the command specified by |
|
| .Cm ForceCommand , |
|
| ignoring any command supplied by the client. |
|
| The command is invoked by using the user's login shell with the -c option. |
|
| This applies to shell, command, or subsystem execution. |
|
| It is most useful inside a |
|
| .Cm Match |
|
| block. |
|
| The command originally supplied by the client is available in the |
|
| .Ev SSH_ORIGINAL_COMMAND |
|
| environment variable. |
|
| .It Cm GatewayPorts |
.It Cm GatewayPorts |
| Specifies whether remote hosts are allowed to connect to ports |
Specifies whether remote hosts are allowed to connect to ports |
| forwarded for the client. |
forwarded for the client. |
| By default, |
By default, |
| .Xr sshd 8 |
.Nm sshd |
| binds remote port forwardings to the loopback address. |
binds remote port forwardings to the loopback address. |
| This prevents other remote hosts from connecting to forwarded ports. |
This prevents other remote hosts from connecting to forwarded ports. |
| .Cm GatewayPorts |
.Cm GatewayPorts |
| can be used to specify that sshd |
can be used to specify that |
| |
.Nm sshd |
| should allow remote port forwardings to bind to non-loopback addresses, thus |
should allow remote port forwardings to bind to non-loopback addresses, thus |
| allowing other hosts to connect. |
allowing other hosts to connect. |
| The argument may be |
The argument may be |
|
|
| .It Cm HostbasedAuthentication |
.It Cm HostbasedAuthentication |
| Specifies whether rhosts or /etc/hosts.equiv authentication together |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
| with successful public key client host authentication is allowed |
with successful public key client host authentication is allowed |
| (host-based authentication). |
(hostbased authentication). |
| This option is similar to |
This option is similar to |
| .Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
| and applies to protocol version 2 only. |
and applies to protocol version 2 only. |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| .It Cm HostbasedUsesNameFromPacketOnly |
|
| Specifies whether or not the server will attempt to perform a reverse |
|
| name lookup when matching the name in the |
|
| .Pa ~/.shosts , |
|
| .Pa ~/.rhosts , |
|
| and |
|
| .Pa /etc/hosts.equiv |
|
| files during |
|
| .Cm HostbasedAuthentication . |
|
| A setting of |
|
| .Dq yes |
|
| means that |
|
| .Xr sshd 8 |
|
| uses the name supplied by the client rather than |
|
| attempting to resolve the name from the TCP connection itself. |
|
| The default is |
|
| .Dq no . |
|
| .It Cm HostKey |
.It Cm HostKey |
| Specifies a file containing a private host key |
Specifies a file containing a private host key |
| used by SSH. |
used by SSH. |
|
|
| .Pa /etc/ssh/ssh_host_dsa_key |
.Pa /etc/ssh/ssh_host_dsa_key |
| for protocol version 2. |
for protocol version 2. |
| Note that |
Note that |
| .Xr sshd 8 |
.Nm sshd |
| will refuse to use a file if it is group/world-accessible. |
will refuse to use a file if it is group/world-accessible. |
| It is possible to have multiple host key files. |
It is possible to have multiple host key files. |
| .Dq rsa1 |
.Dq rsa1 |
|
|
| .Dq yes . |
.Dq yes . |
| .It Cm IgnoreUserKnownHosts |
.It Cm IgnoreUserKnownHosts |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Nm sshd |
| should ignore the user's |
should ignore the user's |
| .Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
| during |
during |
|
|
| will be validated through the Kerberos KDC. |
will be validated through the Kerberos KDC. |
| To use this option, the server needs a |
To use this option, the server needs a |
| Kerberos servtab which allows the verification of the KDC's identity. |
Kerberos servtab which allows the verification of the KDC's identity. |
| The default is |
Default is |
| .Dq no . |
.Dq no . |
| .It Cm KerberosGetAFSToken |
.It Cm KerberosGetAFSToken |
| If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
| an AFS token before accessing the user's home directory. |
an AFS token before accessing the user's home directory. |
| The default is |
Default is |
| .Dq no . |
.Dq no . |
| .It Cm KerberosOrLocalPasswd |
.It Cm KerberosOrLocalPasswd |
| If password authentication through Kerberos fails then |
If set then if password authentication through Kerberos fails then |
| the password will be validated via any additional local mechanism |
the password will be validated via any additional local mechanism |
| such as |
such as |
| .Pa /etc/passwd . |
.Pa /etc/passwd . |
| The default is |
Default is |
| .Dq yes . |
.Dq yes . |
| .It Cm KerberosTicketCleanup |
.It Cm KerberosTicketCleanup |
| Specifies whether to automatically destroy the user's ticket cache |
Specifies whether to automatically destroy the user's ticket cache |
| file on logout. |
file on logout. |
| The default is |
Default is |
| .Dq yes . |
.Dq yes . |
| .It Cm KeyRegenerationInterval |
.It Cm KeyRegenerationInterval |
| In protocol version 1, the ephemeral server key is automatically regenerated |
In protocol version 1, the ephemeral server key is automatically regenerated |
|
|
| The default is 3600 (seconds). |
The default is 3600 (seconds). |
| .It Cm ListenAddress |
.It Cm ListenAddress |
| Specifies the local addresses |
Specifies the local addresses |
| .Xr sshd 8 |
.Nm sshd |
| should listen on. |
should listen on. |
| The following forms may be used: |
The following forms may be used: |
| .Pp |
.Pp |
|
|
| If |
If |
| .Ar port |
.Ar port |
| is not specified, |
is not specified, |
| sshd will listen on the address and all prior |
.Nm sshd |
| |
will listen on the address and all prior |
| .Cm Port |
.Cm Port |
| options specified. |
options specified. |
| The default is to listen on all local addresses. |
The default is to listen on all local addresses. |
|
|
| options are permitted. |
options are permitted. |
| Additionally, any |
Additionally, any |
| .Cm Port |
.Cm Port |
| options must precede this option for non-port qualified addresses. |
options must precede this option for non port qualified addresses. |
| .It Cm LoginGraceTime |
.It Cm LoginGraceTime |
| The server disconnects after this time if the user has not |
The server disconnects after this time if the user has not |
| successfully logged in. |
successfully logged in. |
|
|
| The default is 120 seconds. |
The default is 120 seconds. |
| .It Cm LogLevel |
.It Cm LogLevel |
| Gives the verbosity level that is used when logging messages from |
Gives the verbosity level that is used when logging messages from |
| .Xr sshd 8 . |
.Nm sshd . |
| The possible values are: |
The possible values are: |
| QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. |
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. |
| The default is INFO. |
The default is INFO. |
| DEBUG and DEBUG1 are equivalent. |
DEBUG and DEBUG1 are equivalent. |
| DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
|
|
| The MAC algorithm is used in protocol version 2 |
The MAC algorithm is used in protocol version 2 |
| for data integrity protection. |
for data integrity protection. |
| Multiple algorithms must be comma-separated. |
Multiple algorithms must be comma-separated. |
| The default is: |
The default is |
| .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
| .It Cm Match |
|
| Introduces a conditional block. |
|
| If all of the criteria on the |
|
| .Cm Match |
|
| line are satisfied, the keywords on the following lines override those |
|
| set in the global section of the config file, until either another |
|
| .Cm Match |
|
| line or the end of the file. |
|
| The arguments to |
|
| .Cm Match |
|
| are one or more criteria-pattern pairs. |
|
| The available criteria are |
|
| .Cm User , |
|
| .Cm Group , |
|
| .Cm Host , |
|
| and |
|
| .Cm Address . |
|
| Only a subset of keywords may be used on the lines following a |
|
| .Cm Match |
|
| keyword. |
|
| Available keywords are |
|
| .Cm AllowTcpForwarding , |
|
| .Cm ForceCommand , |
|
| .Cm GatewayPorts , |
|
| .Cm PermitOpen , |
|
| .Cm X11DisplayOffset , |
|
| .Cm X11Forwarding , |
|
| and |
|
| .Cm X11UseLocalHost . |
|
| .It Cm MaxAuthTries |
.It Cm MaxAuthTries |
| Specifies the maximum number of authentication attempts permitted per |
Specifies the maximum number of authentication attempts permitted per |
| connection. |
connection. |
|
|
| The default is 6. |
The default is 6. |
| .It Cm MaxStartups |
.It Cm MaxStartups |
| Specifies the maximum number of concurrent unauthenticated connections to the |
Specifies the maximum number of concurrent unauthenticated connections to the |
| SSH daemon. |
.Nm sshd |
| |
daemon. |
| Additional connections will be dropped until authentication succeeds or the |
Additional connections will be dropped until authentication succeeds or the |
| .Cm LoginGraceTime |
.Cm LoginGraceTime |
| expires for a connection. |
expires for a connection. |
|
|
| Alternatively, random early drop can be enabled by specifying |
Alternatively, random early drop can be enabled by specifying |
| the three colon separated values |
the three colon separated values |
| .Dq start:rate:full |
.Dq start:rate:full |
| (e.g. "10:30:60"). |
(e.g., "10:30:60"). |
| .Xr sshd 8 |
.Nm sshd |
| will refuse connection attempts with a probability of |
will refuse connection attempts with a probability of |
| .Dq rate/100 |
.Dq rate/100 |
| (30%) |
(30%) |
|
|
| server allows login to accounts with empty password strings. |
server allows login to accounts with empty password strings. |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| .It Cm PermitOpen |
|
| Specifies the destinations to which TCP port forwarding is permitted. |
|
| The forwarding specification must be one of the following forms: |
|
| .Pp |
|
| .Bl -item -offset indent -compact |
|
| .It |
|
| .Cm PermitOpen |
|
| .Sm off |
|
| .Ar host : port |
|
| .Sm on |
|
| .It |
|
| .Cm PermitOpen |
|
| .Sm off |
|
| .Ar IPv4_addr : port |
|
| .Sm on |
|
| .It |
|
| .Cm PermitOpen |
|
| .Sm off |
|
| .Ar \&[ IPv6_addr \&] : port |
|
| .Sm on |
|
| .El |
|
| .Pp |
|
| Multiple forwards may be specified by separating them with whitespace. |
|
| An argument of |
|
| .Dq any |
|
| can be used to remove all restrictions and permit any forwarding requests. |
|
| By default all port forwarding requests are permitted. |
|
| .It Cm PermitRootLogin |
.It Cm PermitRootLogin |
| Specifies whether root can log in using |
Specifies whether root can log in using |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| The argument must be |
The argument must be |
| .Dq yes , |
.Dq yes , |
| .Dq without-password , |
.Dq without-password , |
| .Dq forced-commands-only , |
.Dq forced-commands-only |
| or |
or |
| .Dq no . |
.Dq no . |
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq without-password , |
.Dq without-password |
| password authentication is disabled for root. |
password authentication is disabled for root. |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq forced-commands-only , |
.Dq forced-commands-only |
| root login with public key authentication will be allowed, |
root login with public key authentication will be allowed, |
| but only if the |
but only if the |
| .Ar command |
.Ar command |
|
|
| All other authentication methods are disabled for root. |
All other authentication methods are disabled for root. |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq no , |
.Dq no |
| root is not allowed to log in. |
root is not allowed to log in. |
| .It Cm PermitTunnel |
|
| Specifies whether |
|
| .Xr tun 4 |
|
| device forwarding is allowed. |
|
| The argument must be |
|
| .Dq yes , |
|
| .Dq point-to-point |
|
| (layer 3), |
|
| .Dq ethernet |
|
| (layer 2), or |
|
| .Dq no . |
|
| Specifying |
|
| .Dq yes |
|
| permits both |
|
| .Dq point-to-point |
|
| and |
|
| .Dq ethernet . |
|
| The default is |
|
| .Dq no . |
|
| .It Cm PermitUserEnvironment |
.It Cm PermitUserEnvironment |
| Specifies whether |
Specifies whether |
| .Pa ~/.ssh/environment |
.Pa ~/.ssh/environment |
|
|
| options in |
options in |
| .Pa ~/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
| are processed by |
are processed by |
| .Xr sshd 8 . |
.Nm sshd . |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| Enabling environment processing may enable users to bypass access |
Enabling environment processing may enable users to bypass access |
|
|
| .Ev LD_PRELOAD . |
.Ev LD_PRELOAD . |
| .It Cm PidFile |
.It Cm PidFile |
| Specifies the file that contains the process ID of the |
Specifies the file that contains the process ID of the |
| SSH daemon. |
.Nm sshd |
| |
daemon. |
| The default is |
The default is |
| .Pa /var/run/sshd.pid . |
.Pa /var/run/sshd.pid . |
| .It Cm Port |
.It Cm Port |
| Specifies the port number that |
Specifies the port number that |
| .Xr sshd 8 |
.Nm sshd |
| listens on. |
listens on. |
| The default is 22. |
The default is 22. |
| Multiple options of this type are permitted. |
Multiple options of this type are permitted. |
|
|
| .Cm ListenAddress . |
.Cm ListenAddress . |
| .It Cm PrintLastLog |
.It Cm PrintLastLog |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Nm sshd |
| should print the date and time of the last user login when a user logs |
should print the date and time of the last user login when a user logs |
| in interactively. |
in interactively. |
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .It Cm PrintMotd |
.It Cm PrintMotd |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Nm sshd |
| should print |
should print |
| .Pa /etc/motd |
.Pa /etc/motd |
| when a user logs in interactively. |
when a user logs in interactively. |
|
|
| .Dq yes . |
.Dq yes . |
| .It Cm Protocol |
.It Cm Protocol |
| Specifies the protocol versions |
Specifies the protocol versions |
| .Xr sshd 8 |
.Nm sshd |
| supports. |
supports. |
| The possible values are |
The possible values are |
| .Sq 1 |
.Dq 1 |
| and |
and |
| .Sq 2 . |
.Dq 2 . |
| Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
| The default is |
The default is |
| .Dq 2,1 . |
.Dq 2,1 . |
|
|
| The minimum value is 512, and the default is 768. |
The minimum value is 512, and the default is 768. |
| .It Cm StrictModes |
.It Cm StrictModes |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Nm sshd |
| should check file modes and ownership of the |
should check file modes and ownership of the |
| user's files and home directory before accepting login. |
user's files and home directory before accepting login. |
| This is normally desirable because novices sometimes accidentally leave their |
This is normally desirable because novices sometimes accidentally leave their |
|
|
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .It Cm Subsystem |
.It Cm Subsystem |
| Configures an external subsystem (e.g. file transfer daemon). |
Configures an external subsystem (e.g., file transfer daemon). |
| Arguments should be a subsystem name and a command (with optional arguments) |
Arguments should be a subsystem name and a command to execute upon subsystem |
| to execute upon subsystem request. |
request. |
| The command |
The command |
| .Xr sftp-server 8 |
.Xr sftp-server 8 |
| implements the |
implements the |
|
|
| Note that this option applies to protocol version 2 only. |
Note that this option applies to protocol version 2 only. |
| .It Cm SyslogFacility |
.It Cm SyslogFacility |
| Gives the facility code that is used when logging messages from |
Gives the facility code that is used when logging messages from |
| .Xr sshd 8 . |
.Nm sshd . |
| The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
| LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
| The default is AUTH. |
The default is AUTH. |
|
|
| .Dq no . |
.Dq no . |
| .It Cm UseDNS |
.It Cm UseDNS |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Nm sshd |
| should look up the remote host name and check that |
should look up the remote host name and check that |
| the resolved host name for the remote IP address maps back to the |
the resolved host name for the remote IP address maps back to the |
| very same IP address. |
very same IP address. |
|
|
| is specified, it will be disabled after authentication. |
is specified, it will be disabled after authentication. |
| .It Cm UsePrivilegeSeparation |
.It Cm UsePrivilegeSeparation |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Nm sshd |
| separates privileges by creating an unprivileged child process |
separates privileges by creating an unprivileged child process |
| to deal with incoming network traffic. |
to deal with incoming network traffic. |
| After successful authentication, another process will be created that has |
After successful authentication, another process will be created that has |
|
|
| .Dq yes . |
.Dq yes . |
| .It Cm X11DisplayOffset |
.It Cm X11DisplayOffset |
| Specifies the first display number available for |
Specifies the first display number available for |
| .Xr sshd 8 Ns 's |
.Nm sshd Ns 's |
| X11 forwarding. |
X11 forwarding. |
| This prevents sshd from interfering with real X11 servers. |
This prevents |
| |
.Nm sshd |
| |
from interfering with real X11 servers. |
| The default is 10. |
The default is 10. |
| .It Cm X11Forwarding |
.It Cm X11Forwarding |
| Specifies whether X11 forwarding is permitted. |
Specifies whether X11 forwarding is permitted. |
|
|
| .Pp |
.Pp |
| When X11 forwarding is enabled, there may be additional exposure to |
When X11 forwarding is enabled, there may be additional exposure to |
| the server and to client displays if the |
the server and to client displays if the |
| .Xr sshd 8 |
.Nm sshd |
| proxy display is configured to listen on the wildcard address (see |
proxy display is configured to listen on the wildcard address (see |
| .Cm X11UseLocalhost |
.Cm X11UseLocalhost |
| below), though this is not the default. |
below), however this is not the default. |
| Additionally, the authentication spoofing and authentication data |
Additionally, the authentication spoofing and authentication data |
| verification and substitution occur on the client side. |
verification and substitution occur on the client side. |
| The security risk of using X11 forwarding is that the client's X11 |
The security risk of using X11 forwarding is that the client's X11 |
| display server may be exposed to attack when the SSH client requests |
display server may be exposed to attack when the ssh client requests |
| forwarding (see the warnings for |
forwarding (see the warnings for |
| .Cm ForwardX11 |
.Cm ForwardX11 |
| in |
in |
|
|
| is enabled. |
is enabled. |
| .It Cm X11UseLocalhost |
.It Cm X11UseLocalhost |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Nm sshd |
| should bind the X11 forwarding server to the loopback address or to |
should bind the X11 forwarding server to the loopback address or to |
| the wildcard address. |
the wildcard address. |
| By default, |
By default, |
| sshd binds the forwarding server to the loopback address and sets the |
.Nm sshd |
| |
binds the forwarding server to the loopback address and sets the |
| hostname part of the |
hostname part of the |
| .Ev DISPLAY |
.Ev DISPLAY |
| environment variable to |
environment variable to |
|
|
| The default is |
The default is |
| .Pa /usr/X11R6/bin/xauth . |
.Pa /usr/X11R6/bin/xauth . |
| .El |
.El |
| .Sh TIME FORMATS |
.Ss Time Formats |
| .Xr sshd 8 |
.Nm sshd |
| command-line arguments and configuration file options that specify time |
command-line arguments and configuration file options that specify time |
| may be expressed using a sequence of the form: |
may be expressed using a sequence of the form: |
| .Sm off |
.Sm off |
|
|
| is one of the following: |
is one of the following: |
| .Pp |
.Pp |
| .Bl -tag -width Ds -compact -offset indent |
.Bl -tag -width Ds -compact -offset indent |
| .It Aq Cm none |
.It Cm <none> |
| seconds |
seconds |
| .It Cm s | Cm S |
.It Cm s | Cm S |
| seconds |
seconds |
|
|
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Pa /etc/ssh/sshd_config |
.It Pa /etc/ssh/sshd_config |
| Contains configuration data for |
Contains configuration data for |
| .Xr sshd 8 . |
.Nm sshd . |
| This file should be writable by root only, but it is recommended |
This file should be writable by root only, but it is recommended |
| (though not necessary) that it be world-readable. |
(though not necessary) that it be world-readable. |
| .El |
.El |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh