=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd_config.5,v retrieving revision 1.25.2.1 retrieving revision 1.25.2.2 diff -u -r1.25.2.1 -r1.25.2.2 --- src/usr.bin/ssh/sshd_config.5 2004/02/28 03:51:34 1.25.2.1 +++ src/usr.bin/ssh/sshd_config.5 2004/08/19 22:37:33 1.25.2.2 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.25.2.1 2004/02/28 03:51:34 brad Exp $ +.\" $OpenBSD: sshd_config.5,v 1.25.2.2 2004/08/19 22:37:33 brad Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -61,6 +61,28 @@ keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): .Bl -tag -width Ds +.It Cm AcceptEnv +Specifies what environment variables sent by the client will be copied into +the session's +.Xr environ 7 . +See +.Cm SendEnv +in +.Xr ssh_config 5 +for how to configure the client. +Note that environment passing is only supported for protocol 2. +Variables are specified by name, which may contain the wildcard characters +.Ql \&* +and +.Ql \&? . +Multiple environment variables may be separated by whitespace or spread +across multiple +.Cm AcceptEnv +directives. +Be warned that some environment variables could be used to bypass restricted +user environments. +For this reason, care should be taken in the use of this directive. +The default is not to accept any environment variables. .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. @@ -73,7 +95,6 @@ wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -.Pp .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is @@ -81,7 +102,6 @@ Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. -.Pp .It Cm AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. @@ -97,7 +117,6 @@ If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. -.Pp .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. @@ -120,7 +139,6 @@ authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed. -.Pp .It Cm ChallengeResponseAuthentication Specifies whether challenge response authentication is allowed. All authentication styles from @@ -131,8 +149,19 @@ .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. +The supported ciphers are +.Dq 3des-cbc , +.Dq aes128-cbc , +.Dq aes192-cbc , +.Dq aes256-cbc , +.Dq aes128-ctr , +.Dq aes192-ctr , +.Dq aes256-ctr , +.Dq arcfour , +.Dq blowfish-cbc , +and +.Dq cast128-cbc . The default is -.Pp .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' @@ -193,7 +222,6 @@ wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -.Pp .It Cm DenyUsers This keyword can be followed by a list of user name patterns, separated by spaces. @@ -300,6 +328,11 @@ Kerberos servtab which allows the verification of the KDC's identity. Default is .Dq no . +.It Cm KerberosGetAFSToken +If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire +an AFS token before accessing the user's home directory. +Default is +.Dq no . .It Cm KerberosOrLocalPasswd If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism @@ -381,6 +414,12 @@ Multiple algorithms must be comma-separated. The default is .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . +.It Cm MaxAuthTries +Specifies the maximum number of authentication attempts permitted per +connection. +Once the number of failures reaches half this value, +additional failures are logged. +The default is 6. .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the .Nm sshd