| version 1.51, 2006/02/24 20:31:31 |
version 1.52, 2006/02/24 23:43:57 |
|
|
| Valid arguments are |
Valid arguments are |
| .Dq any , |
.Dq any , |
| .Dq inet |
.Dq inet |
| (use IPv4 only) or |
(use IPv4 only), or |
| .Dq inet6 |
.Dq inet6 |
| (use IPv6 only). |
(use IPv6 only). |
| The default is |
The default is |
|
|
| for user authentication. |
for user authentication. |
| .Cm AuthorizedKeysFile |
.Cm AuthorizedKeysFile |
| may contain tokens of the form %T which are substituted during connection |
may contain tokens of the form %T which are substituted during connection |
| set-up. |
setup. |
| The following tokens are defined: %% is replaced by a literal '%', |
The following tokens are defined: %% is replaced by a literal '%', |
| %h is replaced by the home directory of the user being authenticated and |
%h is replaced by the home directory of the user being authenticated, and |
| %u is replaced by the username of that user. |
%u is replaced by the username of that user. |
| After expansion, |
After expansion, |
| .Cm AuthorizedKeysFile |
.Cm AuthorizedKeysFile |
|
|
| .Dq blowfish-cbc , |
.Dq blowfish-cbc , |
| and |
and |
| .Dq cast128-cbc . |
.Dq cast128-cbc . |
| The default is |
The default is: |
| .Bd -literal |
.Bd -literal -offset 3n |
| ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
| arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
| aes192-ctr,aes256-ctr'' |
aes192-ctr,aes256-ctr |
| .Ed |
.Ed |
| .It Cm ClientAliveCountMax |
.It Cm ClientAliveCountMax |
| Sets the number of client alive messages (see below) which may be |
Sets the number of client alive messages (see below) which may be |
| sent without |
sent without |
| .Nm sshd |
.Xr sshd 8 |
| receiving any messages back from the client. |
receiving any messages back from the client. |
| If this threshold is reached while client alive messages are being sent, |
If this threshold is reached while client alive messages are being sent, |
| .Nm sshd |
sshd will disconnect the client, terminating the session. |
| will disconnect the client, terminating the session. |
|
| It is important to note that the use of client alive messages is very |
It is important to note that the use of client alive messages is very |
| different from |
different from |
| .Cm TCPKeepAlive |
.Cm TCPKeepAlive |
|
|
| .Cm ClientAliveInterval |
.Cm ClientAliveInterval |
| (see below) is set to 15, and |
(see below) is set to 15, and |
| .Cm ClientAliveCountMax |
.Cm ClientAliveCountMax |
| is left at the default, unresponsive ssh clients |
is left at the default, unresponsive SSH clients |
| will be disconnected after approximately 45 seconds. |
will be disconnected after approximately 45 seconds. |
| .It Cm ClientAliveInterval |
.It Cm ClientAliveInterval |
| Sets a timeout interval in seconds after which if no data has been received |
Sets a timeout interval in seconds after which if no data has been received |
| from the client, |
from the client, |
| .Nm sshd |
.Xr sshd 8 |
| will send a message through the encrypted |
will send a message through the encrypted |
| channel to request a response from the client. |
channel to request a response from the client. |
| The default |
The default |
|
|
| Specifies whether remote hosts are allowed to connect to ports |
Specifies whether remote hosts are allowed to connect to ports |
| forwarded for the client. |
forwarded for the client. |
| By default, |
By default, |
| .Nm sshd |
.Xr sshd 8 |
| binds remote port forwardings to the loopback address. |
binds remote port forwardings to the loopback address. |
| This prevents other remote hosts from connecting to forwarded ports. |
This prevents other remote hosts from connecting to forwarded ports. |
| .Cm GatewayPorts |
.Cm GatewayPorts |
| can be used to specify that |
can be used to specify that sshd |
| .Nm sshd |
|
| should allow remote port forwardings to bind to non-loopback addresses, thus |
should allow remote port forwardings to bind to non-loopback addresses, thus |
| allowing other hosts to connect. |
allowing other hosts to connect. |
| The argument may be |
The argument may be |
|
|
| .Pa /etc/ssh/ssh_host_dsa_key |
.Pa /etc/ssh/ssh_host_dsa_key |
| for protocol version 2. |
for protocol version 2. |
| Note that |
Note that |
| .Nm sshd |
.Xr sshd 8 |
| will refuse to use a file if it is group/world-accessible. |
will refuse to use a file if it is group/world-accessible. |
| It is possible to have multiple host key files. |
It is possible to have multiple host key files. |
| .Dq rsa1 |
.Dq rsa1 |
|
|
| .Dq yes . |
.Dq yes . |
| .It Cm IgnoreUserKnownHosts |
.It Cm IgnoreUserKnownHosts |
| Specifies whether |
Specifies whether |
| .Nm sshd |
.Xr sshd 8 |
| should ignore the user's |
should ignore the user's |
| .Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
| during |
during |
|
|
| will be validated through the Kerberos KDC. |
will be validated through the Kerberos KDC. |
| To use this option, the server needs a |
To use this option, the server needs a |
| Kerberos servtab which allows the verification of the KDC's identity. |
Kerberos servtab which allows the verification of the KDC's identity. |
| Default is |
The default is |
| .Dq no . |
.Dq no . |
| .It Cm KerberosGetAFSToken |
.It Cm KerberosGetAFSToken |
| If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire |
| an AFS token before accessing the user's home directory. |
an AFS token before accessing the user's home directory. |
| Default is |
The default is |
| .Dq no . |
.Dq no . |
| .It Cm KerberosOrLocalPasswd |
.It Cm KerberosOrLocalPasswd |
| If set then if password authentication through Kerberos fails then |
If password authentication through Kerberos fails then |
| the password will be validated via any additional local mechanism |
the password will be validated via any additional local mechanism |
| such as |
such as |
| .Pa /etc/passwd . |
.Pa /etc/passwd . |
| Default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .It Cm KerberosTicketCleanup |
.It Cm KerberosTicketCleanup |
| Specifies whether to automatically destroy the user's ticket cache |
Specifies whether to automatically destroy the user's ticket cache |
| file on logout. |
file on logout. |
| Default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .It Cm KeyRegenerationInterval |
.It Cm KeyRegenerationInterval |
| In protocol version 1, the ephemeral server key is automatically regenerated |
In protocol version 1, the ephemeral server key is automatically regenerated |
|
|
| The default is 3600 (seconds). |
The default is 3600 (seconds). |
| .It Cm ListenAddress |
.It Cm ListenAddress |
| Specifies the local addresses |
Specifies the local addresses |
| .Nm sshd |
.Xr sshd 8 |
| should listen on. |
should listen on. |
| The following forms may be used: |
The following forms may be used: |
| .Pp |
.Pp |
|
|
| If |
If |
| .Ar port |
.Ar port |
| is not specified, |
is not specified, |
| .Nm sshd |
sshd will listen on the address and all prior |
| will listen on the address and all prior |
|
| .Cm Port |
.Cm Port |
| options specified. |
options specified. |
| The default is to listen on all local addresses. |
The default is to listen on all local addresses. |
|
|
| options are permitted. |
options are permitted. |
| Additionally, any |
Additionally, any |
| .Cm Port |
.Cm Port |
| options must precede this option for non port qualified addresses. |
options must precede this option for non-port qualified addresses. |
| .It Cm LoginGraceTime |
.It Cm LoginGraceTime |
| The server disconnects after this time if the user has not |
The server disconnects after this time if the user has not |
| successfully logged in. |
successfully logged in. |
|
|
| Gives the verbosity level that is used when logging messages from |
Gives the verbosity level that is used when logging messages from |
| .Nm sshd . |
.Nm sshd . |
| The possible values are: |
The possible values are: |
| QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. |
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. |
| The default is INFO. |
The default is INFO. |
| DEBUG and DEBUG1 are equivalent. |
DEBUG and DEBUG1 are equivalent. |
| DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
|
|
| The MAC algorithm is used in protocol version 2 |
The MAC algorithm is used in protocol version 2 |
| for data integrity protection. |
for data integrity protection. |
| Multiple algorithms must be comma-separated. |
Multiple algorithms must be comma-separated. |
| The default is |
The default is: |
| .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
| .It Cm MaxAuthTries |
.It Cm MaxAuthTries |
| Specifies the maximum number of authentication attempts permitted per |
Specifies the maximum number of authentication attempts permitted per |
|
|
| The default is 6. |
The default is 6. |
| .It Cm MaxStartups |
.It Cm MaxStartups |
| Specifies the maximum number of concurrent unauthenticated connections to the |
Specifies the maximum number of concurrent unauthenticated connections to the |
| .Nm sshd |
SSH daemon. |
| daemon. |
|
| Additional connections will be dropped until authentication succeeds or the |
Additional connections will be dropped until authentication succeeds or the |
| .Cm LoginGraceTime |
.Cm LoginGraceTime |
| expires for a connection. |
expires for a connection. |
|
|
| The argument must be |
The argument must be |
| .Dq yes , |
.Dq yes , |
| .Dq without-password , |
.Dq without-password , |
| .Dq forced-commands-only |
.Dq forced-commands-only , |
| or |
or |
| .Dq no . |
.Dq no . |
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq without-password |
.Dq without-password , |
| password authentication is disabled for root. |
password authentication is disabled for root. |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq forced-commands-only |
.Dq forced-commands-only , |
| root login with public key authentication will be allowed, |
root login with public key authentication will be allowed, |
| but only if the |
but only if the |
| .Ar command |
.Ar command |
|
|
| All other authentication methods are disabled for root. |
All other authentication methods are disabled for root. |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq no |
.Dq no , |
| root is not allowed to log in. |
root is not allowed to log in. |
| .It Cm PermitTunnel |
.It Cm PermitTunnel |
| Specifies whether |
Specifies whether |
|
|
| The argument must be |
The argument must be |
| .Dq yes , |
.Dq yes , |
| .Dq point-to-point , |
.Dq point-to-point , |
| .Dq ethernet |
.Dq ethernet , |
| or |
or |
| .Dq no . |
.Dq no . |
| The default is |
The default is |
|
|
| options in |
options in |
| .Pa ~/.ssh/authorized_keys |
.Pa ~/.ssh/authorized_keys |
| are processed by |
are processed by |
| .Nm sshd . |
.Xr sshd 8 . |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| Enabling environment processing may enable users to bypass access |
Enabling environment processing may enable users to bypass access |
|
|
| .Pa /var/run/sshd.pid . |
.Pa /var/run/sshd.pid . |
| .It Cm Port |
.It Cm Port |
| Specifies the port number that |
Specifies the port number that |
| .Nm sshd |
.Xr sshd 8 |
| listens on. |
listens on. |
| The default is 22. |
The default is 22. |
| Multiple options of this type are permitted. |
Multiple options of this type are permitted. |
|
|
| .Cm ListenAddress . |
.Cm ListenAddress . |
| .It Cm PrintLastLog |
.It Cm PrintLastLog |
| Specifies whether |
Specifies whether |
| .Nm sshd |
.Xr sshd 8 |
| should print the date and time of the last user login when a user logs |
should print the date and time of the last user login when a user logs |
| in interactively. |
in interactively. |
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .It Cm PrintMotd |
.It Cm PrintMotd |
| Specifies whether |
Specifies whether |
| .Nm sshd |
.Xr sshd 8 |
| should print |
should print |
| .Pa /etc/motd |
.Pa /etc/motd |
| when a user logs in interactively. |
when a user logs in interactively. |
|
|
| .Dq yes . |
.Dq yes . |
| .It Cm Protocol |
.It Cm Protocol |
| Specifies the protocol versions |
Specifies the protocol versions |
| .Nm sshd |
.Xr sshd 8 |
| supports. |
supports. |
| The possible values are |
The possible values are |
| .Dq 1 |
.Sq 1 |
| and |
and |
| .Dq 2 . |
.Sq 2 . |
| Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
| The default is |
The default is |
| .Dq 2,1 . |
.Dq 2,1 . |
|
|
| The minimum value is 512, and the default is 768. |
The minimum value is 512, and the default is 768. |
| .It Cm StrictModes |
.It Cm StrictModes |
| Specifies whether |
Specifies whether |
| .Nm sshd |
.Xr sshd 8 |
| should check file modes and ownership of the |
should check file modes and ownership of the |
| user's files and home directory before accepting login. |
user's files and home directory before accepting login. |
| This is normally desirable because novices sometimes accidentally leave their |
This is normally desirable because novices sometimes accidentally leave their |
|
|
| .Dq no . |
.Dq no . |
| .It Cm UseDNS |
.It Cm UseDNS |
| Specifies whether |
Specifies whether |
| .Nm sshd |
.Xr sshd 8 |
| should look up the remote host name and check that |
should look up the remote host name and check that |
| the resolved host name for the remote IP address maps back to the |
the resolved host name for the remote IP address maps back to the |
| very same IP address. |
very same IP address. |
|
|
| is specified, it will be disabled after authentication. |
is specified, it will be disabled after authentication. |
| .It Cm UsePrivilegeSeparation |
.It Cm UsePrivilegeSeparation |
| Specifies whether |
Specifies whether |
| .Nm sshd |
.Xr sshd 8 |
| separates privileges by creating an unprivileged child process |
separates privileges by creating an unprivileged child process |
| to deal with incoming network traffic. |
to deal with incoming network traffic. |
| After successful authentication, another process will be created that has |
After successful authentication, another process will be created that has |
|
|
| .Dq yes . |
.Dq yes . |
| .It Cm X11DisplayOffset |
.It Cm X11DisplayOffset |
| Specifies the first display number available for |
Specifies the first display number available for |
| .Nm sshd Ns 's |
.Xr sshd 8 Ns 's |
| X11 forwarding. |
X11 forwarding. |
| This prevents |
This prevents sshd from interfering with real X11 servers. |
| .Nm sshd |
|
| from interfering with real X11 servers. |
|
| The default is 10. |
The default is 10. |
| .It Cm X11Forwarding |
.It Cm X11Forwarding |
| Specifies whether X11 forwarding is permitted. |
Specifies whether X11 forwarding is permitted. |
|
|
| .Pp |
.Pp |
| When X11 forwarding is enabled, there may be additional exposure to |
When X11 forwarding is enabled, there may be additional exposure to |
| the server and to client displays if the |
the server and to client displays if the |
| .Nm sshd |
.Xr sshd 8 |
| proxy display is configured to listen on the wildcard address (see |
proxy display is configured to listen on the wildcard address (see |
| .Cm X11UseLocalhost |
.Cm X11UseLocalhost |
| below), however this is not the default. |
below), though this is not the default. |
| Additionally, the authentication spoofing and authentication data |
Additionally, the authentication spoofing and authentication data |
| verification and substitution occur on the client side. |
verification and substitution occur on the client side. |
| The security risk of using X11 forwarding is that the client's X11 |
The security risk of using X11 forwarding is that the client's X11 |
| display server may be exposed to attack when the ssh client requests |
display server may be exposed to attack when the SSH client requests |
| forwarding (see the warnings for |
forwarding (see the warnings for |
| .Cm ForwardX11 |
.Cm ForwardX11 |
| in |
in |
|
|
| is enabled. |
is enabled. |
| .It Cm X11UseLocalhost |
.It Cm X11UseLocalhost |
| Specifies whether |
Specifies whether |
| .Nm sshd |
.Xr sshd 8 |
| should bind the X11 forwarding server to the loopback address or to |
should bind the X11 forwarding server to the loopback address or to |
| the wildcard address. |
the wildcard address. |
| By default, |
By default, |
| .Nm sshd |
sshd binds the forwarding server to the loopback address and sets the |
| binds the forwarding server to the loopback address and sets the |
|
| hostname part of the |
hostname part of the |
| .Ev DISPLAY |
.Ev DISPLAY |
| environment variable to |
environment variable to |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh