version 1.44.2.2, 2006/10/06 03:19:33 |
version 1.45, 2005/09/21 23:36:54 |
|
|
.It Pa /etc/ssh/sshd_config |
.It Pa /etc/ssh/sshd_config |
.El |
.El |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
.Xr sshd 8 |
.Nm sshd |
reads configuration data from |
reads configuration data from |
.Pa /etc/ssh/sshd_config |
.Pa /etc/ssh/sshd_config |
(or the file specified with |
(or the file specified with |
|
|
Lines starting with |
Lines starting with |
.Ql # |
.Ql # |
and empty lines are interpreted as comments. |
and empty lines are interpreted as comments. |
Arguments may optionally be enclosed in double quotes |
|
.Pq \&" |
|
in order to represent arguments containing spaces. |
|
.Pp |
.Pp |
The possible |
The possible |
keywords and their meanings are as follows (note that |
keywords and their meanings are as follows (note that |
|
|
for how to configure the client. |
for how to configure the client. |
Note that environment passing is only supported for protocol 2. |
Note that environment passing is only supported for protocol 2. |
Variables are specified by name, which may contain the wildcard characters |
Variables are specified by name, which may contain the wildcard characters |
.Ql * |
.Ql \&* |
and |
and |
.Ql \&? . |
.Ql \&? . |
Multiple environment variables may be separated by whitespace or spread |
Multiple environment variables may be separated by whitespace or spread |
|
|
The default is not to accept any environment variables. |
The default is not to accept any environment variables. |
.It Cm AddressFamily |
.It Cm AddressFamily |
Specifies which address family should be used by |
Specifies which address family should be used by |
.Xr sshd 8 . |
.Nm sshd . |
Valid arguments are |
Valid arguments are |
.Dq any , |
.Dq any , |
.Dq inet |
.Dq inet |
(use IPv4 only), or |
(use IPv4 only) or |
.Dq inet6 |
.Dq inet6 |
(use IPv6 only). |
(use IPv6 only). |
The default is |
The default is |
|
|
by spaces. |
by spaces. |
If specified, login is allowed only for users whose primary |
If specified, login is allowed only for users whose primary |
group or supplementary group list matches one of the patterns. |
group or supplementary group list matches one of the patterns. |
|
.Ql \&* |
|
and |
|
.Ql \&? |
|
can be used as |
|
wildcards in the patterns. |
Only group names are valid; a numerical group ID is not recognized. |
Only group names are valid; a numerical group ID is not recognized. |
By default, login is allowed for all groups. |
By default, login is allowed for all groups. |
The allow/deny directives are processed in the following order: |
|
.Cm DenyUsers , |
|
.Cm AllowUsers , |
|
.Cm DenyGroups , |
|
and finally |
|
.Cm AllowGroups . |
|
.Pp |
|
See |
|
.Sx PATTERNS |
|
in |
|
.Xr ssh_config 5 |
|
for more information on patterns. |
|
.It Cm AllowTcpForwarding |
.It Cm AllowTcpForwarding |
Specifies whether TCP forwarding is permitted. |
Specifies whether TCP forwarding is permitted. |
The default is |
The default is |
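Review bot: the paragraph starting "The allow/deny directives are processed in the following order:" that this hunk adds to the AllowGroups entry is repeated word for word in the AllowUsers, DenyGroups and DenyUsers entries further down, together with the "See .Sx PATTERNS in .Xr ssh_config 5" cross-reference. State the order once (AllowGroups is the first of the four keywords in the list) and have the other three entries refer to it, so the four copies cannot drift apart when the order or the wording is changed later.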
|
|
by spaces. |
by spaces. |
If specified, login is allowed only for user names that |
If specified, login is allowed only for user names that |
match one of the patterns. |
match one of the patterns. |
|
.Ql \&* |
|
and |
|
.Ql \&? |
|
can be used as |
|
wildcards in the patterns. |
Only user names are valid; a numerical user ID is not recognized. |
Only user names are valid; a numerical user ID is not recognized. |
By default, login is allowed for all users. |
By default, login is allowed for all users. |
If the pattern takes the form USER@HOST then USER and HOST |
If the pattern takes the form USER@HOST then USER and HOST |
are separately checked, restricting logins to particular |
are separately checked, restricting logins to particular |
users from particular hosts. |
users from particular hosts. |
The allow/deny directives are processed in the following order: |
|
.Cm DenyUsers , |
|
.Cm AllowUsers , |
|
.Cm DenyGroups , |
|
and finally |
|
.Cm AllowGroups . |
|
.Pp |
|
See |
|
.Sx PATTERNS |
|
in |
|
.Xr ssh_config 5 |
|
for more information on patterns. |
|
.It Cm AuthorizedKeysFile |
.It Cm AuthorizedKeysFile |
Specifies the file that contains the public keys that can be used |
Specifies the file that contains the public keys that can be used |
for user authentication. |
for user authentication. |
.Cm AuthorizedKeysFile |
.Cm AuthorizedKeysFile |
may contain tokens of the form %T which are substituted during connection |
may contain tokens of the form %T which are substituted during connection |
setup. |
set-up. |
The following tokens are defined: %% is replaced by a literal '%', |
The following tokens are defined: %% is replaced by a literal '%', |
%h is replaced by the home directory of the user being authenticated, and |
%h is replaced by the home directory of the user being authenticated and |
%u is replaced by the username of that user. |
%u is replaced by the username of that user. |
After expansion, |
After expansion, |
.Cm AuthorizedKeysFile |
.Cm AuthorizedKeysFile |
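Review bot: the USER@HOST form in the AllowUsers entry ("If the pattern takes the form USER@HOST then USER and HOST are separately checked") does not say what HOST is compared against: the client's resolved host name, its IP address, or both. That decides whether a host-name pattern can match at all when reverse lookup does not return a name (compare the UseDNS entry below), so the sentence should spell it out, and the identical sentence in the DenyUsers entry should be kept in step with it.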
|
|
This option is only available for protocol version 2. |
This option is only available for protocol version 2. |
By default, no banner is displayed. |
By default, no banner is displayed. |
.It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
Specifies whether challenge-response authentication is allowed. |
Specifies whether challenge response authentication is allowed. |
All authentication styles from |
All authentication styles from |
.Xr login.conf 5 |
.Xr login.conf 5 |
are supported. |
are supported. |
|
|
.Dq blowfish-cbc , |
.Dq blowfish-cbc , |
and |
and |
.Dq cast128-cbc . |
.Dq cast128-cbc . |
The default is: |
The default is |
.Bd -literal -offset 3n |
.Bd -literal |
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
aes192-ctr,aes256-ctr |
aes192-ctr,aes256-ctr'' |
.Ed |
.Ed |
.It Cm ClientAliveCountMax |
.It Cm ClientAliveCountMax |
Sets the number of client alive messages (see below) which may be |
Sets the number of client alive messages (see above) which may be |
sent without |
sent without |
.Xr sshd 8 |
.Nm sshd |
receiving any messages back from the client. |
receiving any messages back from the client. |
If this threshold is reached while client alive messages are being sent, |
If this threshold is reached while client alive messages are being sent, |
sshd will disconnect the client, terminating the session. |
.Nm sshd |
|
will disconnect the client, terminating the session. |
It is important to note that the use of client alive messages is very |
It is important to note that the use of client alive messages is very |
different from |
different from |
.Cm TCPKeepAlive |
.Cm TCPKeepAlive |
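Review bot: in the ClientAliveCountMax entry the new line "sshd will disconnect the client, terminating the session." names the daemon in plain text, whereas the rest of this revision consistently uses ".Xr sshd 8" (see "receiving any messages back from the client." a few lines above in the same entry). Use the same markup here; the same plain-text "sshd" reappears in the GatewayPorts, ListenAddress, X11DisplayOffset and X11UseLocalhost entries below and should be changed in the same way.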
|
|
The default value is 3. |
The default value is 3. |
If |
If |
.Cm ClientAliveInterval |
.Cm ClientAliveInterval |
(see below) is set to 15, and |
(above) is set to 15, and |
.Cm ClientAliveCountMax |
.Cm ClientAliveCountMax |
is left at the default, unresponsive SSH clients |
is left at the default, unresponsive ssh clients |
will be disconnected after approximately 45 seconds. |
will be disconnected after approximately 45 seconds. |
This option applies to protocol version 2 only. |
|
.It Cm ClientAliveInterval |
.It Cm ClientAliveInterval |
Sets a timeout interval in seconds after which if no data has been received |
Sets a timeout interval in seconds after which if no data has been received |
from the client, |
from the client, |
.Xr sshd 8 |
.Nm sshd |
will send a message through the encrypted |
will send a message through the encrypted |
channel to request a response from the client. |
channel to request a response from the client. |
The default |
The default |
|
|
by spaces. |
by spaces. |
Login is disallowed for users whose primary group or supplementary |
Login is disallowed for users whose primary group or supplementary |
group list matches one of the patterns. |
group list matches one of the patterns. |
|
.Ql \&* |
|
and |
|
.Ql \&? |
|
can be used as |
|
wildcards in the patterns. |
Only group names are valid; a numerical group ID is not recognized. |
Only group names are valid; a numerical group ID is not recognized. |
By default, login is allowed for all groups. |
By default, login is allowed for all groups. |
The allow/deny directives are processed in the following order: |
|
.Cm DenyUsers , |
|
.Cm AllowUsers , |
|
.Cm DenyGroups , |
|
and finally |
|
.Cm AllowGroups . |
|
.Pp |
|
See |
|
.Sx PATTERNS |
|
in |
|
.Xr ssh_config 5 |
|
for more information on patterns. |
|
.It Cm DenyUsers |
.It Cm DenyUsers |
This keyword can be followed by a list of user name patterns, separated |
This keyword can be followed by a list of user name patterns, separated |
by spaces. |
by spaces. |
Login is disallowed for user names that match one of the patterns. |
Login is disallowed for user names that match one of the patterns. |
|
.Ql \&* |
|
and |
|
.Ql \&? |
|
can be used as wildcards in the patterns. |
Only user names are valid; a numerical user ID is not recognized. |
Only user names are valid; a numerical user ID is not recognized. |
By default, login is allowed for all users. |
By default, login is allowed for all users. |
If the pattern takes the form USER@HOST then USER and HOST |
If the pattern takes the form USER@HOST then USER and HOST |
are separately checked, restricting logins to particular |
are separately checked, restricting logins to particular |
users from particular hosts. |
users from particular hosts. |
The allow/deny directives are processed in the following order: |
|
.Cm DenyUsers , |
|
.Cm AllowUsers , |
|
.Cm DenyGroups , |
|
and finally |
|
.Cm AllowGroups . |
|
.Pp |
|
See |
|
.Sx PATTERNS |
|
in |
|
.Xr ssh_config 5 |
|
for more information on patterns. |
|
.It Cm ForceCommand |
|
Forces the execution of the command specified by |
|
.Cm ForceCommand , |
|
ignoring any command supplied by the client. |
|
The command is invoked by using the user's login shell with the -c option. |
|
This applies to shell, command, or subsystem execution. |
|
It is most useful inside a |
|
.Cm Match |
|
block. |
|
The command originally supplied by the client is available in the |
|
.Ev SSH_ORIGINAL_COMMAND |
|
environment variable. |
|
.It Cm GatewayPorts |
.It Cm GatewayPorts |
Specifies whether remote hosts are allowed to connect to ports |
Specifies whether remote hosts are allowed to connect to ports |
forwarded for the client. |
forwarded for the client. |
By default, |
By default, |
.Xr sshd 8 |
.Nm sshd |
binds remote port forwardings to the loopback address. |
binds remote port forwardings to the loopback address. |
This prevents other remote hosts from connecting to forwarded ports. |
This prevents other remote hosts from connecting to forwarded ports. |
.Cm GatewayPorts |
.Cm GatewayPorts |
can be used to specify that sshd |
can be used to specify that |
|
.Nm sshd |
should allow remote port forwardings to bind to non-loopback addresses, thus |
should allow remote port forwardings to bind to non-loopback addresses, thus |
allowing other hosts to connect. |
allowing other hosts to connect. |
The argument may be |
The argument may be |
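Review bot: the new ForceCommand entry should say that SSH_ORIGINAL_COMMAND holds the command string exactly as the client sent it, so a forced command that acts on that value has to validate it rather than hand it to a shell unchanged; "The command originally supplied by the client is available in the .Ev SSH_ORIGINAL_COMMAND environment variable." describes the mechanism but not this consequence, which is the main thing an administrator writing a forced command needs to know. Minor: in "The command is invoked by using the user's login shell with the -c option." the option should be marked up as ".Fl c" rather than a literal "-c".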
|
|
.It Cm HostbasedAuthentication |
.It Cm HostbasedAuthentication |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
with successful public key client host authentication is allowed |
with successful public key client host authentication is allowed |
(host-based authentication). |
(hostbased authentication). |
This option is similar to |
This option is similar to |
.Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
and applies to protocol version 2 only. |
and applies to protocol version 2 only. |
The default is |
The default is |
.Dq no . |
.Dq no . |
.It Cm HostbasedUsesNameFromPacketOnly |
|
Specifies whether or not the server will attempt to perform a reverse |
|
name lookup when matching the name in the |
|
.Pa ~/.shosts , |
|
.Pa ~/.rhosts , |
|
and |
|
.Pa /etc/hosts.equiv |
|
files during |
|
.Cm HostbasedAuthentication . |
|
A setting of |
|
.Dq yes |
|
means that |
|
.Xr sshd 8 |
|
uses the name supplied by the client rather than |
|
attempting to resolve the name from the TCP connection itself. |
|
The default is |
|
.Dq no . |
|
.It Cm HostKey |
.It Cm HostKey |
Specifies a file containing a private host key |
Specifies a file containing a private host key |
used by SSH. |
used by SSH. |
|
|
.Pa /etc/ssh/ssh_host_dsa_key |
.Pa /etc/ssh/ssh_host_dsa_key |
for protocol version 2. |
for protocol version 2. |
Note that |
Note that |
.Xr sshd 8 |
.Nm sshd |
will refuse to use a file if it is group/world-accessible. |
will refuse to use a file if it is group/world-accessible. |
It is possible to have multiple host key files. |
It is possible to have multiple host key files. |
.Dq rsa1 |
.Dq rsa1 |
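Review bot: the new HostbasedUsesNameFromPacketOnly entry explains the mechanism ("uses the name supplied by the client rather than attempting to resolve the name from the TCP connection itself") but not the trade-off: with "yes" the name matched against ~/.shosts, ~/.rhosts and /etc/hosts.equiv is chosen by the client instead of being derived from the connecting address. One sentence saying when that is appropriate (only where reverse lookup of the connecting address cannot yield the name listed in those files) and that the default "no" is the safer setting would stop readers from enabling it to silence lookup failures.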
|
|
.Dq yes . |
.Dq yes . |
.It Cm IgnoreUserKnownHosts |
.It Cm IgnoreUserKnownHosts |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Nm sshd |
should ignore the user's |
should ignore the user's |
.Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
during |
during |
|
|
will be validated through the Kerberos KDC. |
will be validated through the Kerberos KDC. |
To use this option, the server needs a |
To use this option, the server needs a |
Kerberos servtab which allows the verification of the KDC's identity. |
Kerberos servtab which allows the verification of the KDC's identity. |
The default is |
Default is |
.Dq no . |
.Dq no . |
.It Cm KerberosGetAFSToken |
.It Cm KerberosGetAFSToken |
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
an AFS token before accessing the user's home directory. |
an AFS token before accessing the user's home directory. |
The default is |
Default is |
.Dq no . |
.Dq no . |
.It Cm KerberosOrLocalPasswd |
.It Cm KerberosOrLocalPasswd |
If password authentication through Kerberos fails then |
If set then if password authentication through Kerberos fails then |
the password will be validated via any additional local mechanism |
the password will be validated via any additional local mechanism |
such as |
such as |
.Pa /etc/passwd . |
.Pa /etc/passwd . |
The default is |
Default is |
.Dq yes . |
.Dq yes . |
.It Cm KerberosTicketCleanup |
.It Cm KerberosTicketCleanup |
Specifies whether to automatically destroy the user's ticket cache |
Specifies whether to automatically destroy the user's ticket cache |
file on logout. |
file on logout. |
The default is |
Default is |
.Dq yes . |
.Dq yes . |
.It Cm KeyRegenerationInterval |
.It Cm KeyRegenerationInterval |
In protocol version 1, the ephemeral server key is automatically regenerated |
In protocol version 1, the ephemeral server key is automatically regenerated |
|
|
The default is 3600 (seconds). |
The default is 3600 (seconds). |
.It Cm ListenAddress |
.It Cm ListenAddress |
Specifies the local addresses |
Specifies the local addresses |
.Xr sshd 8 |
.Nm sshd |
should listen on. |
should listen on. |
The following forms may be used: |
The following forms may be used: |
.Pp |
.Pp |
|
|
If |
If |
.Ar port |
.Ar port |
is not specified, |
is not specified, |
sshd will listen on the address and all prior |
.Nm sshd |
|
will listen on the address and all prior |
.Cm Port |
.Cm Port |
options specified. |
options specified. |
The default is to listen on all local addresses. |
The default is to listen on all local addresses. |
|
|
options are permitted. |
options are permitted. |
Additionally, any |
Additionally, any |
.Cm Port |
.Cm Port |
options must precede this option for non-port qualified addresses. |
options must precede this option for non port qualified addresses. |
.It Cm LoginGraceTime |
.It Cm LoginGraceTime |
The server disconnects after this time if the user has not |
The server disconnects after this time if the user has not |
successfully logged in. |
successfully logged in. |
|
|
The default is 120 seconds. |
The default is 120 seconds. |
.It Cm LogLevel |
.It Cm LogLevel |
Gives the verbosity level that is used when logging messages from |
Gives the verbosity level that is used when logging messages from |
.Xr sshd 8 . |
.Nm sshd . |
The possible values are: |
The possible values are: |
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. |
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. |
The default is INFO. |
The default is INFO. |
DEBUG and DEBUG1 are equivalent. |
DEBUG and DEBUG1 are equivalent. |
DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
|
|
The MAC algorithm is used in protocol version 2 |
The MAC algorithm is used in protocol version 2 |
for data integrity protection. |
for data integrity protection. |
Multiple algorithms must be comma-separated. |
Multiple algorithms must be comma-separated. |
The default is: |
The default is |
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
.It Cm Match |
|
Introduces a conditional block. |
|
If all of the criteria on the |
|
.Cm Match |
|
line are satisfied, the keywords on the following lines override those |
|
set in the global section of the config file, until either another |
|
.Cm Match |
|
line or the end of the file. |
|
The arguments to |
|
.Cm Match |
|
are one or more criteria-pattern pairs. |
|
The available criteria are |
|
.Cm User , |
|
.Cm Group , |
|
.Cm Host , |
|
and |
|
.Cm Address . |
|
Only a subset of keywords may be used on the lines following a |
|
.Cm Match |
|
keyword. |
|
Available keywords are |
|
.Cm AllowTcpForwarding , |
|
.Cm ForceCommand , |
|
.Cm GatewayPorts , |
|
.Cm PermitOpen , |
|
.Cm X11DisplayOffset , |
|
.Cm X11Forwarding , |
|
and |
|
.Cm X11UseLocalHost . |
|
.It Cm MaxAuthTries |
.It Cm MaxAuthTries |
Specifies the maximum number of authentication attempts permitted per |
Specifies the maximum number of authentication attempts permitted per |
connection. |
connection. |
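Review bot: the list of keywords permitted inside a Match block ends with ".Cm X11UseLocalHost ." but the keyword is documented later in this page as ".It Cm X11UseLocalhost" (lower-case "h"); the two spellings should agree, and the entry's own spelling is the one the rest of the page uses (see also the cross-reference ".Cm X11UseLocalhost" in the X11Forwarding entry). Since readers search for the exact keyword, fix the spelling in the Match list.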
|
|
The default is 6. |
The default is 6. |
.It Cm MaxStartups |
.It Cm MaxStartups |
Specifies the maximum number of concurrent unauthenticated connections to the |
Specifies the maximum number of concurrent unauthenticated connections to the |
SSH daemon. |
.Nm sshd |
|
daemon. |
Additional connections will be dropped until authentication succeeds or the |
Additional connections will be dropped until authentication succeeds or the |
.Cm LoginGraceTime |
.Cm LoginGraceTime |
expires for a connection. |
expires for a connection. |
|
|
Alternatively, random early drop can be enabled by specifying |
Alternatively, random early drop can be enabled by specifying |
the three colon separated values |
the three colon separated values |
.Dq start:rate:full |
.Dq start:rate:full |
(e.g. "10:30:60"). |
(e.g., "10:30:60"). |
.Xr sshd 8 |
.Nm sshd |
will refuse connection attempts with a probability of |
will refuse connection attempts with a probability of |
.Dq rate/100 |
.Dq rate/100 |
(30%) |
(30%) |
|
|
server allows login to accounts with empty password strings. |
server allows login to accounts with empty password strings. |
The default is |
The default is |
.Dq no . |
.Dq no . |
.It Cm PermitOpen |
|
Specifies the destinations to which TCP port forwarding is permitted. |
|
The forwarding specification must be one of the following forms: |
|
.Pp |
|
.Bl -item -offset indent -compact |
|
.It |
|
.Cm PermitOpen |
|
.Sm off |
|
.Ar host : port |
|
.Sm on |
|
.It |
|
.Cm PermitOpen |
|
.Sm off |
|
.Ar IPv4_addr : port |
|
.Sm on |
|
.It |
|
.Cm PermitOpen |
|
.Sm off |
|
.Ar \&[ IPv6_addr \&] : port |
|
.Sm on |
|
.El |
|
.Pp |
|
Multiple forwards may be specified by separating them with whitespace. |
|
An argument of |
|
.Dq any |
|
can be used to remove all restrictions and permit any forwarding requests. |
|
By default all port forwarding requests are permitted. |
|
.It Cm PermitRootLogin |
.It Cm PermitRootLogin |
Specifies whether root can log in using |
Specifies whether root can log in using |
.Xr ssh 1 . |
.Xr ssh 1 . |
The argument must be |
The argument must be |
.Dq yes , |
.Dq yes , |
.Dq without-password , |
.Dq without-password , |
.Dq forced-commands-only , |
.Dq forced-commands-only |
or |
or |
.Dq no . |
.Dq no . |
The default is |
The default is |
.Dq yes . |
.Dq yes . |
.Pp |
.Pp |
If this option is set to |
If this option is set to |
.Dq without-password , |
.Dq without-password |
password authentication is disabled for root. |
password authentication is disabled for root. |
.Pp |
.Pp |
If this option is set to |
If this option is set to |
.Dq forced-commands-only , |
.Dq forced-commands-only |
root login with public key authentication will be allowed, |
root login with public key authentication will be allowed, |
but only if the |
but only if the |
.Ar command |
.Ar command |
|
|
All other authentication methods are disabled for root. |
All other authentication methods are disabled for root. |
.Pp |
.Pp |
If this option is set to |
If this option is set to |
.Dq no , |
.Dq no |
root is not allowed to log in. |
root is not allowed to log in. |
.It Cm PermitTunnel |
|
Specifies whether |
|
.Xr tun 4 |
|
device forwarding is allowed. |
|
The argument must be |
|
.Dq yes , |
|
.Dq point-to-point |
|
(layer 3), |
|
.Dq ethernet |
|
(layer 2), or |
|
.Dq no . |
|
Specifying |
|
.Dq yes |
|
permits both |
|
.Dq point-to-point |
|
and |
|
.Dq ethernet . |
|
The default is |
|
.Dq no . |
|
.It Cm PermitUserEnvironment |
.It Cm PermitUserEnvironment |
Specifies whether |
Specifies whether |
.Pa ~/.ssh/environment |
.Pa ~/.ssh/environment |
|
|
options in |
options in |
.Pa ~/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
are processed by |
are processed by |
.Xr sshd 8 . |
.Nm sshd . |
The default is |
The default is |
.Dq no . |
.Dq no . |
Enabling environment processing may enable users to bypass access |
Enabling environment processing may enable users to bypass access |
|
|
.Ev LD_PRELOAD . |
.Ev LD_PRELOAD . |
.It Cm PidFile |
.It Cm PidFile |
Specifies the file that contains the process ID of the |
Specifies the file that contains the process ID of the |
SSH daemon. |
.Nm sshd |
|
daemon. |
The default is |
The default is |
.Pa /var/run/sshd.pid . |
.Pa /var/run/sshd.pid . |
.It Cm Port |
.It Cm Port |
Specifies the port number that |
Specifies the port number that |
.Xr sshd 8 |
.Nm sshd |
listens on. |
listens on. |
The default is 22. |
The default is 22. |
Multiple options of this type are permitted. |
Multiple options of this type are permitted. |
|
|
.Cm ListenAddress . |
.Cm ListenAddress . |
.It Cm PrintLastLog |
.It Cm PrintLastLog |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Nm sshd |
should print the date and time of the last user login when a user logs |
should print the date and time of the last user login when a user logs |
in interactively. |
in interactively. |
The default is |
The default is |
.Dq yes . |
.Dq yes . |
.It Cm PrintMotd |
.It Cm PrintMotd |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Nm sshd |
should print |
should print |
.Pa /etc/motd |
.Pa /etc/motd |
when a user logs in interactively. |
when a user logs in interactively. |
|
|
.Dq yes . |
.Dq yes . |
.It Cm Protocol |
.It Cm Protocol |
Specifies the protocol versions |
Specifies the protocol versions |
.Xr sshd 8 |
.Nm sshd |
supports. |
supports. |
The possible values are |
The possible values are |
.Sq 1 |
.Dq 1 |
and |
and |
.Sq 2 . |
.Dq 2 . |
Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
The default is |
The default is |
.Dq 2,1 . |
.Dq 2,1 . |
|
|
The minimum value is 512, and the default is 768. |
The minimum value is 512, and the default is 768. |
.It Cm StrictModes |
.It Cm StrictModes |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Nm sshd |
should check file modes and ownership of the |
should check file modes and ownership of the |
user's files and home directory before accepting login. |
user's files and home directory before accepting login. |
This is normally desirable because novices sometimes accidentally leave their |
This is normally desirable because novices sometimes accidentally leave their |
|
|
The default is |
The default is |
.Dq yes . |
.Dq yes . |
.It Cm Subsystem |
.It Cm Subsystem |
Configures an external subsystem (e.g. file transfer daemon). |
Configures an external subsystem (e.g., file transfer daemon). |
Arguments should be a subsystem name and a command (with optional arguments) |
Arguments should be a subsystem name and a command to execute upon subsystem |
to execute upon subsystem request. |
request. |
The command |
The command |
.Xr sftp-server 8 |
.Xr sftp-server 8 |
implements the |
implements the |
|
|
Note that this option applies to protocol version 2 only. |
Note that this option applies to protocol version 2 only. |
.It Cm SyslogFacility |
.It Cm SyslogFacility |
Gives the facility code that is used when logging messages from |
Gives the facility code that is used when logging messages from |
.Xr sshd 8 . |
.Nm sshd . |
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
The default is AUTH. |
The default is AUTH. |
|
|
.Dq no . |
.Dq no . |
.It Cm UseDNS |
.It Cm UseDNS |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Nm sshd |
should look up the remote host name and check that |
should look up the remote host name and check that |
the resolved host name for the remote IP address maps back to the |
the resolved host name for the remote IP address maps back to the |
very same IP address. |
very same IP address. |
|
|
is specified, it will be disabled after authentication. |
is specified, it will be disabled after authentication. |
.It Cm UsePrivilegeSeparation |
.It Cm UsePrivilegeSeparation |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Nm sshd |
separates privileges by creating an unprivileged child process |
separates privileges by creating an unprivileged child process |
to deal with incoming network traffic. |
to deal with incoming network traffic. |
After successful authentication, another process will be created that has |
After successful authentication, another process will be created that has |
|
|
.Dq yes . |
.Dq yes . |
.It Cm X11DisplayOffset |
.It Cm X11DisplayOffset |
Specifies the first display number available for |
Specifies the first display number available for |
.Xr sshd 8 Ns 's |
.Nm sshd Ns 's |
X11 forwarding. |
X11 forwarding. |
This prevents sshd from interfering with real X11 servers. |
This prevents |
|
.Nm sshd |
|
from interfering with real X11 servers. |
The default is 10. |
The default is 10. |
.It Cm X11Forwarding |
.It Cm X11Forwarding |
Specifies whether X11 forwarding is permitted. |
Specifies whether X11 forwarding is permitted. |
|
|
.Pp |
.Pp |
When X11 forwarding is enabled, there may be additional exposure to |
When X11 forwarding is enabled, there may be additional exposure to |
the server and to client displays if the |
the server and to client displays if the |
.Xr sshd 8 |
.Nm sshd |
proxy display is configured to listen on the wildcard address (see |
proxy display is configured to listen on the wildcard address (see |
.Cm X11UseLocalhost |
.Cm X11UseLocalhost |
below), though this is not the default. |
below), however this is not the default. |
Additionally, the authentication spoofing and authentication data |
Additionally, the authentication spoofing and authentication data |
verification and substitution occur on the client side. |
verification and substitution occur on the client side. |
The security risk of using X11 forwarding is that the client's X11 |
The security risk of using X11 forwarding is that the client's X11 |
display server may be exposed to attack when the SSH client requests |
display server may be exposed to attack when the ssh client requests |
forwarding (see the warnings for |
forwarding (see the warnings for |
.Cm ForwardX11 |
.Cm ForwardX11 |
in |
in |
|
|
is enabled. |
is enabled. |
.It Cm X11UseLocalhost |
.It Cm X11UseLocalhost |
Specifies whether |
Specifies whether |
.Xr sshd 8 |
.Nm sshd |
should bind the X11 forwarding server to the loopback address or to |
should bind the X11 forwarding server to the loopback address or to |
the wildcard address. |
the wildcard address. |
By default, |
By default, |
sshd binds the forwarding server to the loopback address and sets the |
.Nm sshd |
|
binds the forwarding server to the loopback address and sets the |
hostname part of the |
hostname part of the |
.Ev DISPLAY |
.Ev DISPLAY |
environment variable to |
environment variable to |
|
|
The default is |
The default is |
.Pa /usr/X11R6/bin/xauth . |
.Pa /usr/X11R6/bin/xauth . |
.El |
.El |
.Sh TIME FORMATS |
.Ss Time Formats |
.Xr sshd 8 |
.Nm sshd |
command-line arguments and configuration file options that specify time |
command-line arguments and configuration file options that specify time |
may be expressed using a sequence of the form: |
may be expressed using a sequence of the form: |
.Sm off |
.Sm off |
|
|
is one of the following: |
is one of the following: |
.Pp |
.Pp |
.Bl -tag -width Ds -compact -offset indent |
.Bl -tag -width Ds -compact -offset indent |
.It Aq Cm none |
.It Cm <none> |
seconds |
seconds |
.It Cm s | Cm S |
.It Cm s | Cm S |
seconds |
seconds |
|
|
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Pa /etc/ssh/sshd_config |
.It Pa /etc/ssh/sshd_config |
Contains configuration data for |
Contains configuration data for |
.Xr sshd 8 . |
.Nm sshd . |
This file should be writable by root only, but it is recommended |
This file should be writable by root only, but it is recommended |
(though not necessary) that it be world-readable. |
(though not necessary) that it be world-readable. |
.El |
.El |