[BACK]Return to sshd_config.5 CVS log [TXT][DIR] Up to [local] / src / usr.bin / ssh

Annotation of src/usr.bin/ssh/sshd_config.5, Revision 1.121

1.1       stevesk     1: .\"  -*- nroff -*-
                      2: .\"
                      3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
                      4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
                      5: .\"                    All rights reserved
                      6: .\"
                      7: .\" As far as I am concerned, the code I have written for this software
                      8: .\" can be used freely for any purpose.  Any derived versions of this
                      9: .\" software must be clearly marked as such, and if the derived work is
                     10: .\" incompatible with the protocol description in the RFC file, it must be
                     11: .\" called by a name other than "ssh" or "Secure Shell".
                     12: .\"
                     13: .\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
                     14: .\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
                     15: .\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
                     16: .\"
                     17: .\" Redistribution and use in source and binary forms, with or without
                     18: .\" modification, are permitted provided that the following conditions
                     19: .\" are met:
                     20: .\" 1. Redistributions of source code must retain the above copyright
                     21: .\"    notice, this list of conditions and the following disclaimer.
                     22: .\" 2. Redistributions in binary form must reproduce the above copyright
                     23: .\"    notice, this list of conditions and the following disclaimer in the
                     24: .\"    documentation and/or other materials provided with the distribution.
                     25: .\"
                     26: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
                     27: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
                     28: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
                     29: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
                     30: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
                     31: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
                     32: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
                     33: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
                     34: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
                     35: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     36: .\"
1.121   ! djm        37: .\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $
1.119     jmc        38: .Dd $Mdocdate: March 4 2010 $
1.1       stevesk    39: .Dt SSHD_CONFIG 5
                     40: .Os
                     41: .Sh NAME
                     42: .Nm sshd_config
                     43: .Nd OpenSSH SSH daemon configuration file
                     44: .Sh SYNOPSIS
1.71      jmc        45: .Nm /etc/ssh/sshd_config
1.1       stevesk    46: .Sh DESCRIPTION
1.53      jmc        47: .Xr sshd 8
1.1       stevesk    48: reads configuration data from
                     49: .Pa /etc/ssh/sshd_config
                     50: (or the file specified with
                     51: .Fl f
                     52: on the command line).
                     53: The file contains keyword-argument pairs, one per line.
                     54: Lines starting with
                     55: .Ql #
                     56: and empty lines are interpreted as comments.
1.56      dtucker    57: Arguments may optionally be enclosed in double quotes
                     58: .Pq \&"
                     59: in order to represent arguments containing spaces.
1.1       stevesk    60: .Pp
                     61: The possible
                     62: keywords and their meanings are as follows (note that
                     63: keywords are case-insensitive and arguments are case-sensitive):
                     64: .Bl -tag -width Ds
1.30      djm        65: .It Cm AcceptEnv
                     66: Specifies what environment variables sent by the client will be copied into
                     67: the session's
                     68: .Xr environ 7 .
                     69: See
                     70: .Cm SendEnv
                     71: in
                     72: .Xr ssh_config 5
                     73: for how to configure the client.
1.31      djm        74: Note that environment passing is only supported for protocol 2.
1.30      djm        75: Variables are specified by name, which may contain the wildcard characters
1.51      jmc        76: .Ql *
1.30      djm        77: and
                     78: .Ql \&? .
1.31      djm        79: Multiple environment variables may be separated by whitespace or spread
1.30      djm        80: across multiple
                     81: .Cm AcceptEnv
                     82: directives.
1.31      djm        83: Be warned that some environment variables could be used to bypass restricted
1.30      djm        84: user environments.
                     85: For this reason, care should be taken in the use of this directive.
                     86: The default is not to accept any environment variables.
1.37      djm        87: .It Cm AddressFamily
                     88: Specifies which address family should be used by
1.53      jmc        89: .Xr sshd 8 .
1.37      djm        90: Valid arguments are
                     91: .Dq any ,
                     92: .Dq inet
1.52      jmc        93: (use IPv4 only), or
1.37      djm        94: .Dq inet6
                     95: (use IPv6 only).
                     96: The default is
                     97: .Dq any .
1.89      jmc        98: .It Cm AllowAgentForwarding
                     99: Specifies whether
                    100: .Xr ssh-agent 1
                    101: forwarding is permitted.
                    102: The default is
                    103: .Dq yes .
                    104: Note that disabling agent forwarding does not improve security
                    105: unless users are also denied shell access, as they can always install
                    106: their own forwarders.
1.1       stevesk   107: .It Cm AllowGroups
                    108: This keyword can be followed by a list of group name patterns, separated
                    109: by spaces.
                    110: If specified, login is allowed only for users whose primary
                    111: group or supplementary group list matches one of the patterns.
                    112: Only group names are valid; a numerical group ID is not recognized.
                    113: By default, login is allowed for all groups.
1.54      jmc       114: The allow/deny directives are processed in the following order:
                    115: .Cm DenyUsers ,
                    116: .Cm AllowUsers ,
                    117: .Cm DenyGroups ,
                    118: and finally
                    119: .Cm AllowGroups .
1.49      jmc       120: .Pp
                    121: See
                    122: .Sx PATTERNS
                    123: in
                    124: .Xr ssh_config 5
                    125: for more information on patterns.
1.1       stevesk   126: .It Cm AllowTcpForwarding
                    127: Specifies whether TCP forwarding is permitted.
                    128: The default is
                    129: .Dq yes .
                    130: Note that disabling TCP forwarding does not improve security unless
                    131: users are also denied shell access, as they can always install their
                    132: own forwarders.
                    133: .It Cm AllowUsers
                    134: This keyword can be followed by a list of user name patterns, separated
                    135: by spaces.
1.14      jmc       136: If specified, login is allowed only for user names that
1.1       stevesk   137: match one of the patterns.
                    138: Only user names are valid; a numerical user ID is not recognized.
                    139: By default, login is allowed for all users.
                    140: If the pattern takes the form USER@HOST then USER and HOST
                    141: are separately checked, restricting logins to particular
                    142: users from particular hosts.
1.54      jmc       143: The allow/deny directives are processed in the following order:
                    144: .Cm DenyUsers ,
                    145: .Cm AllowUsers ,
                    146: .Cm DenyGroups ,
                    147: and finally
                    148: .Cm AllowGroups .
1.49      jmc       149: .Pp
                    150: See
                    151: .Sx PATTERNS
                    152: in
                    153: .Xr ssh_config 5
                    154: for more information on patterns.
1.1       stevesk   155: .It Cm AuthorizedKeysFile
                    156: Specifies the file that contains the public keys that can be used
                    157: for user authentication.
                    158: .Cm AuthorizedKeysFile
                    159: may contain tokens of the form %T which are substituted during connection
1.52      jmc       160: setup.
1.17      jmc       161: The following tokens are defined: %% is replaced by a literal '%',
1.52      jmc       162: %h is replaced by the home directory of the user being authenticated, and
1.1       stevesk   163: %u is replaced by the username of that user.
                    164: After expansion,
                    165: .Cm AuthorizedKeysFile
                    166: is taken to be an absolute path or one relative to the user's home
                    167: directory.
                    168: The default is
                    169: .Dq .ssh/authorized_keys .
1.121   ! djm       170: .It Cm AuthorizedPrincipalsFile
        !           171: Specifies a file that lists principal names that are accepted for
        !           172: certificate authentication.
        !           173: When using certificates signed by a key listed in
        !           174: .Cm TrustedUserCAKeys ,
        !           175: this file lists names, one of which must appear in the certificate for it
        !           176: to be accepted for authentication.
        !           177: Names are listed one per line; empty lines and comments starting with
        !           178: .Ql #
        !           179: are ignored.
        !           180: .Pp
        !           181: .Cm AuthorizedPrincipalsFile
        !           182: may contain tokens of the form %T which are substituted during connection
        !           183: setup.
        !           184: The following tokens are defined: %% is replaced by a literal '%',
        !           185: %h is replaced by the home directory of the user being authenticated, and
        !           186: %u is replaced by the username of that user.
        !           187: After expansion,
        !           188: .Cm AuthorizedPrincipalsFile
        !           189: is taken to be an absolute path or one relative to the user's home
        !           190: directory.
        !           191: .Pp
        !           192: The default is not to use a principals file - in this case, the username
        !           193: of the user must appear in a certificate's principals list for it to be
        !           194: accepted.
        !           195: Note that
        !           196: .Cm AuthorizedPrincipalsFile
        !           197: is only used when authentication proceeds using a CA listed in
        !           198: .Cm TrustedUserCAKeys
        !           199: and is not consulted for certification authorities trusted via
        !           200: .Pa ~/.ssh/authorized_keys ,
        !           201: though the
        !           202: .Cm principals=
        !           203: key option offers a similar facility (see
        !           204: .Xr sshd 8
        !           205: for details).
        !           206: .Pp
1.1       stevesk   207: .It Cm Banner
                    208: The contents of the specified file are sent to the remote user before
                    209: authentication is allowed.
1.78      djm       210: If the argument is
                    211: .Dq none
                    212: then no banner is displayed.
1.1       stevesk   213: This option is only available for protocol version 2.
                    214: By default, no banner is displayed.
                    215: .It Cm ChallengeResponseAuthentication
1.50      jmc       216: Specifies whether challenge-response authentication is allowed.
1.1       stevesk   217: All authentication styles from
                    218: .Xr login.conf 5
                    219: are supported.
                    220: The default is
                    221: .Dq yes .
1.80      djm       222: .It Cm ChrootDirectory
1.113     stevesk   223: Specifies the pathname of a directory to
1.80      djm       224: .Xr chroot 2
                    225: to after authentication.
1.113     stevesk   226: All components of the pathname must be root-owned directories that are
1.80      djm       227: not writable by any other user or group.
1.106     stevesk   228: After the chroot,
                    229: .Xr sshd 8
                    230: changes the working directory to the user's home directory.
1.80      djm       231: .Pp
1.113     stevesk   232: The pathname may contain the following tokens that are expanded at runtime once
1.80      djm       233: the connecting user has been authenticated: %% is replaced by a literal '%',
                    234: %h is replaced by the home directory of the user being authenticated, and
                    235: %u is replaced by the username of that user.
                    236: .Pp
                    237: The
                    238: .Cm ChrootDirectory
                    239: must contain the necessary files and directories to support the
1.103     stevesk   240: user's session.
1.80      djm       241: For an interactive session this requires at least a shell, typically
                    242: .Xr sh 1 ,
                    243: and basic
                    244: .Pa /dev
                    245: nodes such as
                    246: .Xr null 4 ,
                    247: .Xr zero 4 ,
                    248: .Xr stdin 4 ,
                    249: .Xr stdout 4 ,
                    250: .Xr stderr 4 ,
                    251: .Xr arandom 4
                    252: and
                    253: .Xr tty 4
                    254: devices.
                    255: For file transfer sessions using
1.105     jmc       256: .Dq sftp ,
1.80      djm       257: no additional configuration of the environment is necessary if the
1.105     jmc       258: in-process sftp server is used,
                    259: though sessions which use logging do require
1.104     stevesk   260: .Pa /dev/log
                    261: inside the chroot directory (see
                    262: .Xr sftp-server 8
1.81      jmc       263: for details).
1.80      djm       264: .Pp
                    265: The default is not to
                    266: .Xr chroot 2 .
1.1       stevesk   267: .It Cm Ciphers
                    268: Specifies the ciphers allowed for protocol version 2.
                    269: Multiple ciphers must be comma-separated.
1.34      dtucker   270: The supported ciphers are
                    271: .Dq 3des-cbc ,
                    272: .Dq aes128-cbc ,
                    273: .Dq aes192-cbc ,
                    274: .Dq aes256-cbc ,
                    275: .Dq aes128-ctr ,
                    276: .Dq aes192-ctr ,
                    277: .Dq aes256-ctr ,
1.43      djm       278: .Dq arcfour128 ,
                    279: .Dq arcfour256 ,
1.34      dtucker   280: .Dq arcfour ,
                    281: .Dq blowfish-cbc ,
                    282: and
                    283: .Dq cast128-cbc .
1.52      jmc       284: The default is:
                    285: .Bd -literal -offset 3n
1.100     naddy     286: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
                    287: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
                    288: aes256-cbc,arcfour
1.1       stevesk   289: .Ed
                    290: .It Cm ClientAliveCountMax
1.48      jmc       291: Sets the number of client alive messages (see below) which may be
1.1       stevesk   292: sent without
1.52      jmc       293: .Xr sshd 8
1.17      jmc       294: receiving any messages back from the client.
                    295: If this threshold is reached while client alive messages are being sent,
1.52      jmc       296: sshd will disconnect the client, terminating the session.
1.17      jmc       297: It is important to note that the use of client alive messages is very
                    298: different from
1.27      markus    299: .Cm TCPKeepAlive
1.17      jmc       300: (below).
                    301: The client alive messages are sent through the encrypted channel
                    302: and therefore will not be spoofable.
                    303: The TCP keepalive option enabled by
1.27      markus    304: .Cm TCPKeepAlive
1.17      jmc       305: is spoofable.
                    306: The client alive mechanism is valuable when the client or
1.1       stevesk   307: server depend on knowing when a connection has become inactive.
                    308: .Pp
1.17      jmc       309: The default value is 3.
                    310: If
1.1       stevesk   311: .Cm ClientAliveInterval
1.48      jmc       312: (see below) is set to 15, and
1.1       stevesk   313: .Cm ClientAliveCountMax
1.52      jmc       314: is left at the default, unresponsive SSH clients
1.1       stevesk   315: will be disconnected after approximately 45 seconds.
1.57      markus    316: This option applies to protocol version 2 only.
1.42      djm       317: .It Cm ClientAliveInterval
                    318: Sets a timeout interval in seconds after which if no data has been received
                    319: from the client,
1.52      jmc       320: .Xr sshd 8
1.42      djm       321: will send a message through the encrypted
                    322: channel to request a response from the client.
                    323: The default
                    324: is 0, indicating that these messages will not be sent to the client.
                    325: This option applies to protocol version 2 only.
1.3       markus    326: .It Cm Compression
1.44      markus    327: Specifies whether compression is allowed, or delayed until
                    328: the user has authenticated successfully.
1.3       markus    329: The argument must be
1.44      markus    330: .Dq yes ,
                    331: .Dq delayed ,
1.3       markus    332: or
                    333: .Dq no .
                    334: The default is
1.44      markus    335: .Dq delayed .
1.1       stevesk   336: .It Cm DenyGroups
                    337: This keyword can be followed by a list of group name patterns, separated
                    338: by spaces.
                    339: Login is disallowed for users whose primary group or supplementary
                    340: group list matches one of the patterns.
                    341: Only group names are valid; a numerical group ID is not recognized.
                    342: By default, login is allowed for all groups.
1.54      jmc       343: The allow/deny directives are processed in the following order:
                    344: .Cm DenyUsers ,
                    345: .Cm AllowUsers ,
                    346: .Cm DenyGroups ,
                    347: and finally
                    348: .Cm AllowGroups .
1.49      jmc       349: .Pp
                    350: See
                    351: .Sx PATTERNS
                    352: in
                    353: .Xr ssh_config 5
                    354: for more information on patterns.
1.1       stevesk   355: .It Cm DenyUsers
                    356: This keyword can be followed by a list of user name patterns, separated
                    357: by spaces.
                    358: Login is disallowed for user names that match one of the patterns.
                    359: Only user names are valid; a numerical user ID is not recognized.
                    360: By default, login is allowed for all users.
                    361: If the pattern takes the form USER@HOST then USER and HOST
                    362: are separately checked, restricting logins to particular
                    363: users from particular hosts.
1.54      jmc       364: The allow/deny directives are processed in the following order:
                    365: .Cm DenyUsers ,
                    366: .Cm AllowUsers ,
                    367: .Cm DenyGroups ,
                    368: and finally
                    369: .Cm AllowGroups .
1.49      jmc       370: .Pp
                    371: See
                    372: .Sx PATTERNS
                    373: in
                    374: .Xr ssh_config 5
                    375: for more information on patterns.
1.67      dtucker   376: .It Cm ForceCommand
                    377: Forces the execution of the command specified by
                    378: .Cm ForceCommand ,
1.84      djm       379: ignoring any command supplied by the client and
                    380: .Pa ~/.ssh/rc
                    381: if present.
1.67      dtucker   382: The command is invoked by using the user's login shell with the -c option.
                    383: This applies to shell, command, or subsystem execution.
                    384: It is most useful inside a
                    385: .Cm Match
                    386: block.
                    387: The command originally supplied by the client is available in the
                    388: .Ev SSH_ORIGINAL_COMMAND
                    389: environment variable.
1.82      djm       390: Specifying a command of
                    391: .Dq internal-sftp
                    392: will force the use of an in-process sftp server that requires no support
                    393: files when used with
                    394: .Cm ChrootDirectory .
1.1       stevesk   395: .It Cm GatewayPorts
                    396: Specifies whether remote hosts are allowed to connect to ports
                    397: forwarded for the client.
                    398: By default,
1.52      jmc       399: .Xr sshd 8
1.15      jmc       400: binds remote port forwardings to the loopback address.
                    401: This prevents other remote hosts from connecting to forwarded ports.
1.1       stevesk   402: .Cm GatewayPorts
1.52      jmc       403: can be used to specify that sshd
1.39      djm       404: should allow remote port forwardings to bind to non-loopback addresses, thus
                    405: allowing other hosts to connect.
                    406: The argument may be
                    407: .Dq no
                    408: to force remote port forwardings to be available to the local host only,
1.1       stevesk   409: .Dq yes
1.39      djm       410: to force remote port forwardings to bind to the wildcard address, or
                    411: .Dq clientspecified
                    412: to allow the client to select the address to which the forwarding is bound.
1.1       stevesk   413: The default is
                    414: .Dq no .
1.23      markus    415: .It Cm GSSAPIAuthentication
1.25      markus    416: Specifies whether user authentication based on GSSAPI is allowed.
1.26      djm       417: The default is
1.23      markus    418: .Dq no .
                    419: Note that this option applies to protocol version 2 only.
                    420: .It Cm GSSAPICleanupCredentials
                    421: Specifies whether to automatically destroy the user's credentials cache
                    422: on logout.
                    423: The default is
                    424: .Dq yes .
                    425: Note that this option applies to protocol version 2 only.
1.1       stevesk   426: .It Cm HostbasedAuthentication
                    427: Specifies whether rhosts or /etc/hosts.equiv authentication together
                    428: with successful public key client host authentication is allowed
1.50      jmc       429: (host-based authentication).
1.1       stevesk   430: This option is similar to
                    431: .Cm RhostsRSAAuthentication
                    432: and applies to protocol version 2 only.
1.70      dtucker   433: The default is
                    434: .Dq no .
                    435: .It Cm HostbasedUsesNameFromPacketOnly
                    436: Specifies whether or not the server will attempt to perform a reverse
                    437: name lookup when matching the name in the
                    438: .Pa ~/.shosts ,
                    439: .Pa ~/.rhosts ,
                    440: and
                    441: .Pa /etc/hosts.equiv
                    442: files during
                    443: .Cm HostbasedAuthentication .
                    444: A setting of
                    445: .Dq yes
                    446: means that
                    447: .Xr sshd 8
                    448: uses the name supplied by the client rather than
                    449: attempting to resolve the name from the TCP connection itself.
1.1       stevesk   450: The default is
                    451: .Dq no .
1.117     djm       452: .It Cm HostCertificate
                    453: Specifies a file containing a public host certificate.
                    454: The certificate's public key must match a private host key already specified
                    455: by
                    456: .Cm HostKey .
                    457: The default behaviour of
                    458: .Xr sshd 8
                    459: is not to load any certificates.
1.1       stevesk   460: .It Cm HostKey
                    461: Specifies a file containing a private host key
                    462: used by SSH.
                    463: The default is
                    464: .Pa /etc/ssh/ssh_host_key
                    465: for protocol version 1, and
                    466: .Pa /etc/ssh/ssh_host_rsa_key
                    467: and
                    468: .Pa /etc/ssh/ssh_host_dsa_key
                    469: for protocol version 2.
                    470: Note that
1.52      jmc       471: .Xr sshd 8
1.1       stevesk   472: will refuse to use a file if it is group/world-accessible.
                    473: It is possible to have multiple host key files.
                    474: .Dq rsa1
                    475: keys are used for version 1 and
                    476: .Dq dsa
                    477: or
                    478: .Dq rsa
                    479: are used for version 2 of the SSH protocol.
                    480: .It Cm IgnoreRhosts
                    481: Specifies that
                    482: .Pa .rhosts
                    483: and
                    484: .Pa .shosts
                    485: files will not be used in
                    486: .Cm RhostsRSAAuthentication
                    487: or
                    488: .Cm HostbasedAuthentication .
                    489: .Pp
                    490: .Pa /etc/hosts.equiv
                    491: and
                    492: .Pa /etc/shosts.equiv
                    493: are still used.
                    494: The default is
                    495: .Dq yes .
                    496: .It Cm IgnoreUserKnownHosts
                    497: Specifies whether
1.52      jmc       498: .Xr sshd 8
1.1       stevesk   499: should ignore the user's
1.41      djm       500: .Pa ~/.ssh/known_hosts
1.1       stevesk   501: during
                    502: .Cm RhostsRSAAuthentication
                    503: or
                    504: .Cm HostbasedAuthentication .
                    505: The default is
                    506: .Dq no .
                    507: .It Cm KerberosAuthentication
1.24      markus    508: Specifies whether the password provided by the user for
1.1       stevesk   509: .Cm PasswordAuthentication
1.24      markus    510: will be validated through the Kerberos KDC.
1.1       stevesk   511: To use this option, the server needs a
                    512: Kerberos servtab which allows the verification of the KDC's identity.
1.52      jmc       513: The default is
1.29      dtucker   514: .Dq no .
                    515: .It Cm KerberosGetAFSToken
1.45      djm       516: If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
1.29      dtucker   517: an AFS token before accessing the user's home directory.
1.52      jmc       518: The default is
1.1       stevesk   519: .Dq no .
                    520: .It Cm KerberosOrLocalPasswd
1.52      jmc       521: If password authentication through Kerberos fails then
1.1       stevesk   522: the password will be validated via any additional local mechanism
                    523: such as
                    524: .Pa /etc/passwd .
1.52      jmc       525: The default is
1.1       stevesk   526: .Dq yes .
                    527: .It Cm KerberosTicketCleanup
                    528: Specifies whether to automatically destroy the user's ticket cache
                    529: file on logout.
1.52      jmc       530: The default is
1.1       stevesk   531: .Dq yes .
                    532: .It Cm KeyRegenerationInterval
                    533: In protocol version 1, the ephemeral server key is automatically regenerated
                    534: after this many seconds (if it has been used).
                    535: The purpose of regeneration is to prevent
                    536: decrypting captured sessions by later breaking into the machine and
                    537: stealing the keys.
                    538: The key is never stored anywhere.
                    539: If the value is 0, the key is never regenerated.
                    540: The default is 3600 (seconds).
                    541: .It Cm ListenAddress
                    542: Specifies the local addresses
1.52      jmc       543: .Xr sshd 8
1.1       stevesk   544: should listen on.
                    545: The following forms may be used:
                    546: .Pp
                    547: .Bl -item -offset indent -compact
                    548: .It
                    549: .Cm ListenAddress
                    550: .Sm off
                    551: .Ar host No | Ar IPv4_addr No | Ar IPv6_addr
                    552: .Sm on
                    553: .It
                    554: .Cm ListenAddress
                    555: .Sm off
                    556: .Ar host No | Ar IPv4_addr No : Ar port
                    557: .Sm on
                    558: .It
                    559: .Cm ListenAddress
                    560: .Sm off
                    561: .Oo
                    562: .Ar host No | Ar IPv6_addr Oc : Ar port
                    563: .Sm on
                    564: .El
                    565: .Pp
                    566: If
                    567: .Ar port
                    568: is not specified,
1.52      jmc       569: sshd will listen on the address and all prior
1.1       stevesk   570: .Cm Port
1.17      jmc       571: options specified.
                    572: The default is to listen on all local addresses.
1.15      jmc       573: Multiple
1.1       stevesk   574: .Cm ListenAddress
1.17      jmc       575: options are permitted.
                    576: Additionally, any
1.1       stevesk   577: .Cm Port
1.52      jmc       578: options must precede this option for non-port qualified addresses.
1.1       stevesk   579: .It Cm LoginGraceTime
                    580: The server disconnects after this time if the user has not
                    581: successfully logged in.
                    582: If the value is 0, there is no time limit.
1.12      stevesk   583: The default is 120 seconds.
1.1       stevesk   584: .It Cm LogLevel
                    585: Gives the verbosity level that is used when logging messages from
1.53      jmc       586: .Xr sshd 8 .
1.1       stevesk   587: The possible values are:
1.52      jmc       588: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
1.15      jmc       589: The default is INFO.
                    590: DEBUG and DEBUG1 are equivalent.
                    591: DEBUG2 and DEBUG3 each specify higher levels of debugging output.
                    592: Logging with a DEBUG level violates the privacy of users and is not recommended.
1.1       stevesk   593: .It Cm MACs
                    594: Specifies the available MAC (message authentication code) algorithms.
                    595: The MAC algorithm is used in protocol version 2
                    596: for data integrity protection.
                    597: Multiple algorithms must be comma-separated.
1.52      jmc       598: The default is:
1.77      jmc       599: .Bd -literal -offset indent
                    600: hmac-md5,hmac-sha1,umac-64@openssh.com,
                    601: hmac-ripemd160,hmac-sha1-96,hmac-md5-96
                    602: .Ed
1.60      dtucker   603: .It Cm Match
1.61      jmc       604: Introduces a conditional block.
1.65      dtucker   605: If all of the criteria on the
1.60      dtucker   606: .Cm Match
1.65      dtucker   607: line are satisfied, the keywords on the following lines override those
                    608: set in the global section of the config file, until either another
1.60      dtucker   609: .Cm Match
1.65      dtucker   610: line or the end of the file.
1.91      djm       611: .Pp
1.61      jmc       612: The arguments to
1.60      dtucker   613: .Cm Match
1.65      dtucker   614: are one or more criteria-pattern pairs.
1.60      dtucker   615: The available criteria are
                    616: .Cm User ,
1.69      dtucker   617: .Cm Group ,
1.60      dtucker   618: .Cm Host ,
                    619: and
                    620: .Cm Address .
1.91      djm       621: The match patterns may consist of single entries or comma-separated
                    622: lists and may use the wildcard and negation operators described in the
1.92      djm       623: .Sx PATTERNS
1.91      djm       624: section of
1.92      djm       625: .Xr ssh_config 5 .
1.91      djm       626: .Pp
                    627: The patterns in an
                    628: .Cm Address
                    629: criteria may additionally contain addresses to match in CIDR
1.93      jmc       630: address/masklen format, e.g.\&
1.91      djm       631: .Dq 192.0.2.0/24
                    632: or
                    633: .Dq 3ffe:ffff::/32 .
                    634: Note that the mask length provided must be consistent with the address -
                    635: it is an error to specify a mask length that is too long for the address
1.93      jmc       636: or one with bits set in this host portion of the address.
                    637: For example,
1.91      djm       638: .Dq 192.0.2.0/33
                    639: and
1.93      jmc       640: .Dq 192.0.2.0/8
1.91      djm       641: respectively.
                    642: .Pp
1.60      dtucker   643: Only a subset of keywords may be used on the lines following a
                    644: .Cm Match
                    645: keyword.
                    646: Available keywords are
1.99      okan      647: .Cm AllowAgentForwarding ,
1.62      dtucker   648: .Cm AllowTcpForwarding ,
1.72      dtucker   649: .Cm Banner ,
1.85      djm       650: .Cm ChrootDirectory ,
1.67      dtucker   651: .Cm ForceCommand ,
1.62      dtucker   652: .Cm GatewayPorts ,
1.87      djm       653: .Cm GSSAPIAuthentication ,
                    654: .Cm HostbasedAuthentication ,
1.74      jmc       655: .Cm KbdInteractiveAuthentication ,
1.72      dtucker   656: .Cm KerberosAuthentication ,
1.95      dtucker   657: .Cm MaxAuthTries ,
1.94      dtucker   658: .Cm MaxSessions ,
1.72      dtucker   659: .Cm PasswordAuthentication ,
1.97      djm       660: .Cm PermitEmptyPasswords ,
1.66      dtucker   661: .Cm PermitOpen ,
1.79      dtucker   662: .Cm PermitRootLogin ,
1.107     dtucker   663: .Cm PubkeyAuthentication ,
1.72      dtucker   664: .Cm RhostsRSAAuthentication ,
                    665: .Cm RSAAuthentication ,
1.66      dtucker   666: .Cm X11DisplayOffset ,
1.101     djm       667: .Cm X11Forwarding
1.60      dtucker   668: and
1.102     djm       669: .Cm X11UseLocalHost .
1.33      dtucker   670: .It Cm MaxAuthTries
                    671: Specifies the maximum number of authentication attempts permitted per
1.35      jmc       672: connection.
                    673: Once the number of failures reaches half this value,
                    674: additional failures are logged.
                    675: The default is 6.
1.90      djm       676: .It Cm MaxSessions
                    677: Specifies the maximum number of open sessions permitted per network connection.
                    678: The default is 10.
1.1       stevesk   679: .It Cm MaxStartups
                    680: Specifies the maximum number of concurrent unauthenticated connections to the
1.52      jmc       681: SSH daemon.
1.1       stevesk   682: Additional connections will be dropped until authentication succeeds or the
                    683: .Cm LoginGraceTime
                    684: expires for a connection.
                    685: The default is 10.
                    686: .Pp
                    687: Alternatively, random early drop can be enabled by specifying
                    688: the three colon separated values
                    689: .Dq start:rate:full
1.51      jmc       690: (e.g. "10:30:60").
1.53      jmc       691: .Xr sshd 8
1.1       stevesk   692: will refuse connection attempts with a probability of
                    693: .Dq rate/100
                    694: (30%)
                    695: if there are currently
                    696: .Dq start
                    697: (10)
                    698: unauthenticated connections.
                    699: The probability increases linearly and all connection attempts
                    700: are refused if the number of unauthenticated connections reaches
                    701: .Dq full
                    702: (60).
                    703: .It Cm PasswordAuthentication
                    704: Specifies whether password authentication is allowed.
                    705: The default is
                    706: .Dq yes .
                    707: .It Cm PermitEmptyPasswords
                    708: When password authentication is allowed, it specifies whether the
                    709: server allows login to accounts with empty password strings.
                    710: The default is
                    711: .Dq no .
1.62      dtucker   712: .It Cm PermitOpen
                    713: Specifies the destinations to which TCP port forwarding is permitted.
                    714: The forwarding specification must be one of the following forms:
                    715: .Pp
                    716: .Bl -item -offset indent -compact
                    717: .It
                    718: .Cm PermitOpen
                    719: .Sm off
                    720: .Ar host : port
                    721: .Sm on
                    722: .It
                    723: .Cm PermitOpen
                    724: .Sm off
                    725: .Ar IPv4_addr : port
                    726: .Sm on
                    727: .It
                    728: .Cm PermitOpen
                    729: .Sm off
                    730: .Ar \&[ IPv6_addr \&] : port
                    731: .Sm on
                    732: .El
                    733: .Pp
1.68      dtucker   734: Multiple forwards may be specified by separating them with whitespace.
1.62      dtucker   735: An argument of
                    736: .Dq any
                    737: can be used to remove all restrictions and permit any forwarding requests.
1.63      jmc       738: By default all port forwarding requests are permitted.
1.1       stevesk   739: .It Cm PermitRootLogin
1.38      jmc       740: Specifies whether root can log in using
1.1       stevesk   741: .Xr ssh 1 .
                    742: The argument must be
                    743: .Dq yes ,
                    744: .Dq without-password ,
1.52      jmc       745: .Dq forced-commands-only ,
1.1       stevesk   746: or
                    747: .Dq no .
                    748: The default is
                    749: .Dq yes .
                    750: .Pp
                    751: If this option is set to
1.52      jmc       752: .Dq without-password ,
1.1       stevesk   753: password authentication is disabled for root.
                    754: .Pp
                    755: If this option is set to
1.52      jmc       756: .Dq forced-commands-only ,
1.1       stevesk   757: root login with public key authentication will be allowed,
                    758: but only if the
                    759: .Ar command
                    760: option has been specified
                    761: (which may be useful for taking remote backups even if root login is
1.17      jmc       762: normally not allowed).
                    763: All other authentication methods are disabled for root.
1.1       stevesk   764: .Pp
                    765: If this option is set to
1.52      jmc       766: .Dq no ,
1.38      jmc       767: root is not allowed to log in.
1.46      reyk      768: .It Cm PermitTunnel
                    769: Specifies whether
                    770: .Xr tun 4
                    771: device forwarding is allowed.
1.47      reyk      772: The argument must be
                    773: .Dq yes ,
1.58      stevesk   774: .Dq point-to-point
                    775: (layer 3),
                    776: .Dq ethernet
                    777: (layer 2), or
1.47      reyk      778: .Dq no .
1.58      stevesk   779: Specifying
                    780: .Dq yes
                    781: permits both
                    782: .Dq point-to-point
                    783: and
                    784: .Dq ethernet .
1.46      reyk      785: The default is
                    786: .Dq no .
1.6       markus    787: .It Cm PermitUserEnvironment
                    788: Specifies whether
                    789: .Pa ~/.ssh/environment
1.9       stevesk   790: and
1.6       markus    791: .Cm environment=
                    792: options in
                    793: .Pa ~/.ssh/authorized_keys
1.9       stevesk   794: are processed by
1.52      jmc       795: .Xr sshd 8 .
1.6       markus    796: The default is
                    797: .Dq no .
1.9       stevesk   798: Enabling environment processing may enable users to bypass access
                    799: restrictions in some configurations using mechanisms such as
                    800: .Ev LD_PRELOAD .
1.1       stevesk   801: .It Cm PidFile
1.4       stevesk   802: Specifies the file that contains the process ID of the
1.53      jmc       803: SSH daemon.
1.1       stevesk   804: The default is
                    805: .Pa /var/run/sshd.pid .
                    806: .It Cm Port
                    807: Specifies the port number that
1.52      jmc       808: .Xr sshd 8
1.1       stevesk   809: listens on.
                    810: The default is 22.
                    811: Multiple options of this type are permitted.
                    812: See also
                    813: .Cm ListenAddress .
                    814: .It Cm PrintLastLog
                    815: Specifies whether
1.52      jmc       816: .Xr sshd 8
1.36      jaredy    817: should print the date and time of the last user login when a user logs
                    818: in interactively.
1.1       stevesk   819: The default is
                    820: .Dq yes .
                    821: .It Cm PrintMotd
                    822: Specifies whether
1.52      jmc       823: .Xr sshd 8
1.1       stevesk   824: should print
                    825: .Pa /etc/motd
                    826: when a user logs in interactively.
                    827: (On some systems it is also printed by the shell,
                    828: .Pa /etc/profile ,
                    829: or equivalent.)
                    830: The default is
                    831: .Dq yes .
                    832: .It Cm Protocol
                    833: Specifies the protocol versions
1.52      jmc       834: .Xr sshd 8
1.5       stevesk   835: supports.
1.1       stevesk   836: The possible values are
1.52      jmc       837: .Sq 1
1.1       stevesk   838: and
1.52      jmc       839: .Sq 2 .
1.1       stevesk   840: Multiple versions must be comma-separated.
                    841: The default is
1.109     jmc       842: .Sq 2 .
1.5       stevesk   843: Note that the order of the protocol list does not indicate preference,
                    844: because the client selects among multiple protocol versions offered
                    845: by the server.
                    846: Specifying
                    847: .Dq 2,1
                    848: is identical to
                    849: .Dq 1,2 .
1.1       stevesk   850: .It Cm PubkeyAuthentication
                    851: Specifies whether public key authentication is allowed.
                    852: The default is
                    853: .Dq yes .
                    854: Note that this option applies to protocol version 2 only.
1.118     djm       855: .It Cm RevokedKeys
                    856: Specifies a list of revoked public keys.
                    857: Keys listed in this file will be refused for public key authentication.
                    858: Note that if this file is not readable, then public key authentication will
                    859: be refused for all users.
1.1       stevesk   860: .It Cm RhostsRSAAuthentication
                    861: Specifies whether rhosts or /etc/hosts.equiv authentication together
                    862: with successful RSA host authentication is allowed.
                    863: The default is
                    864: .Dq no .
                    865: This option applies to protocol version 1 only.
                    866: .It Cm RSAAuthentication
                    867: Specifies whether pure RSA authentication is allowed.
                    868: The default is
                    869: .Dq yes .
                    870: This option applies to protocol version 1 only.
                    871: .It Cm ServerKeyBits
                    872: Defines the number of bits in the ephemeral protocol version 1 server key.
1.96      djm       873: The minimum value is 512, and the default is 1024.
1.1       stevesk   874: .It Cm StrictModes
                    875: Specifies whether
1.52      jmc       876: .Xr sshd 8
1.1       stevesk   877: should check file modes and ownership of the
                    878: user's files and home directory before accepting login.
                    879: This is normally desirable because novices sometimes accidentally leave their
                    880: directory or files world-writable.
                    881: The default is
                    882: .Dq yes .
1.112     djm       883: Note that this does not apply to
                    884: .Cm ChrootDirectory ,
                    885: whose permissions and ownership are checked unconditionally.
1.1       stevesk   886: .It Cm Subsystem
1.51      jmc       887: Configures an external subsystem (e.g. file transfer daemon).
1.59      djm       888: Arguments should be a subsystem name and a command (with optional arguments)
                    889: to execute upon subsystem request.
1.80      djm       890: .Pp
1.1       stevesk   891: The command
                    892: .Xr sftp-server 8
                    893: implements the
                    894: .Dq sftp
                    895: file transfer subsystem.
1.80      djm       896: .Pp
                    897: Alternately the name
                    898: .Dq internal-sftp
                    899: implements an in-process
                    900: .Dq sftp
                    901: server.
                    902: This may simplify configurations using
                    903: .Cm ChrootDirectory
                    904: to force a different filesystem root on clients.
                    905: .Pp
1.1       stevesk   906: By default no subsystems are defined.
                    907: Note that this option applies to protocol version 2 only.
                    908: .It Cm SyslogFacility
                    909: Gives the facility code that is used when logging messages from
1.53      jmc       910: .Xr sshd 8 .
1.1       stevesk   911: The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
                    912: LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
                    913: The default is AUTH.
1.27      markus    914: .It Cm TCPKeepAlive
                    915: Specifies whether the system should send TCP keepalive messages to the
                    916: other side.
                    917: If they are sent, death of the connection or crash of one
                    918: of the machines will be properly noticed.
                    919: However, this means that
                    920: connections will die if the route is down temporarily, and some people
                    921: find it annoying.
                    922: On the other hand, if TCP keepalives are not sent,
                    923: sessions may hang indefinitely on the server, leaving
                    924: .Dq ghost
                    925: users and consuming server resources.
                    926: .Pp
                    927: The default is
                    928: .Dq yes
                    929: (to send TCP keepalive messages), and the server will notice
                    930: if the network goes down or the client host crashes.
                    931: This avoids infinitely hanging sessions.
                    932: .Pp
                    933: To disable TCP keepalive messages, the value should be set to
                    934: .Dq no .
1.118     djm       935: .It Cm TrustedUserCAKeys
                    936: Specifies a file containing public keys of certificate authorities that are
1.120     djm       937: trusted to sign user certificates for authentication.
1.119     jmc       938: Keys are listed one per line; empty lines and comments starting with
1.118     djm       939: .Ql #
                    940: are allowed.
                    941: If a certificate is presented for authentication and has its signing CA key
                    942: listed in this file, then it may be used for authentication for any user
                    943: listed in the certificate's principals list.
                    944: Note that certificates that lack a list of principals will not be permitted
                    945: for authentication using
                    946: .Cm TrustedUserCAKeys .
1.119     jmc       947: For more details on certificates, see the
1.118     djm       948: .Sx CERTIFICATES
                    949: section in
                    950: .Xr ssh-keygen 1 .
1.18      markus    951: .It Cm UseDNS
                    952: Specifies whether
1.52      jmc       953: .Xr sshd 8
1.40      jmc       954: should look up the remote host name and check that
1.18      markus    955: the resolved host name for the remote IP address maps back to the
                    956: very same IP address.
                    957: The default is
                    958: .Dq yes .
1.1       stevesk   959: .It Cm UseLogin
                    960: Specifies whether
                    961: .Xr login 1
                    962: is used for interactive login sessions.
                    963: The default is
                    964: .Dq no .
                    965: Note that
                    966: .Xr login 1
                    967: is never used for remote command execution.
                    968: Note also, that if this is enabled,
                    969: .Cm X11Forwarding
                    970: will be disabled because
                    971: .Xr login 1
                    972: does not know how to handle
                    973: .Xr xauth 1
1.15      jmc       974: cookies.
                    975: If
1.1       stevesk   976: .Cm UsePrivilegeSeparation
                    977: is specified, it will be disabled after authentication.
                    978: .It Cm UsePrivilegeSeparation
                    979: Specifies whether
1.52      jmc       980: .Xr sshd 8
1.2       stevesk   981: separates privileges by creating an unprivileged child process
1.15      jmc       982: to deal with incoming network traffic.
                    983: After successful authentication, another process will be created that has
                    984: the privilege of the authenticated user.
                    985: The goal of privilege separation is to prevent privilege
1.1       stevesk   986: escalation by containing any corruption within the unprivileged processes.
                    987: The default is
                    988: .Dq yes .
                    989: .It Cm X11DisplayOffset
                    990: Specifies the first display number available for
1.52      jmc       991: .Xr sshd 8 Ns 's
1.1       stevesk   992: X11 forwarding.
1.52      jmc       993: This prevents sshd from interfering with real X11 servers.
1.1       stevesk   994: The default is 10.
                    995: .It Cm X11Forwarding
                    996: Specifies whether X11 forwarding is permitted.
1.13      stevesk   997: The argument must be
                    998: .Dq yes
                    999: or
                   1000: .Dq no .
1.1       stevesk  1001: The default is
                   1002: .Dq no .
1.13      stevesk  1003: .Pp
                   1004: When X11 forwarding is enabled, there may be additional exposure to
                   1005: the server and to client displays if the
1.52      jmc      1006: .Xr sshd 8
1.13      stevesk  1007: proxy display is configured to listen on the wildcard address (see
                   1008: .Cm X11UseLocalhost
1.52      jmc      1009: below), though this is not the default.
1.13      stevesk  1010: Additionally, the authentication spoofing and authentication data
                   1011: verification and substitution occur on the client side.
                   1012: The security risk of using X11 forwarding is that the client's X11
1.52      jmc      1013: display server may be exposed to attack when the SSH client requests
1.13      stevesk  1014: forwarding (see the warnings for
                   1015: .Cm ForwardX11
                   1016: in
1.19      jmc      1017: .Xr ssh_config 5 ) .
1.13      stevesk  1018: A system administrator may have a stance in which they want to
                   1019: protect clients that may expose themselves to attack by unwittingly
                   1020: requesting X11 forwarding, which can warrant a
                   1021: .Dq no
                   1022: setting.
                   1023: .Pp
                   1024: Note that disabling X11 forwarding does not prevent users from
                   1025: forwarding X11 traffic, as users can always install their own forwarders.
1.1       stevesk  1026: X11 forwarding is automatically disabled if
                   1027: .Cm UseLogin
                   1028: is enabled.
                   1029: .It Cm X11UseLocalhost
                   1030: Specifies whether
1.52      jmc      1031: .Xr sshd 8
1.1       stevesk  1032: should bind the X11 forwarding server to the loopback address or to
1.15      jmc      1033: the wildcard address.
                   1034: By default,
1.52      jmc      1035: sshd binds the forwarding server to the loopback address and sets the
1.1       stevesk  1036: hostname part of the
                   1037: .Ev DISPLAY
                   1038: environment variable to
                   1039: .Dq localhost .
1.8       stevesk  1040: This prevents remote hosts from connecting to the proxy display.
1.1       stevesk  1041: However, some older X11 clients may not function with this
                   1042: configuration.
                   1043: .Cm X11UseLocalhost
                   1044: may be set to
                   1045: .Dq no
                   1046: to specify that the forwarding server should be bound to the wildcard
                   1047: address.
                   1048: The argument must be
                   1049: .Dq yes
                   1050: or
                   1051: .Dq no .
                   1052: The default is
                   1053: .Dq yes .
                   1054: .It Cm XAuthLocation
1.11      stevesk  1055: Specifies the full pathname of the
1.1       stevesk  1056: .Xr xauth 1
                   1057: program.
                   1058: The default is
                   1059: .Pa /usr/X11R6/bin/xauth .
                   1060: .El
1.55      jmc      1061: .Sh TIME FORMATS
1.53      jmc      1062: .Xr sshd 8
1.1       stevesk  1063: command-line arguments and configuration file options that specify time
                   1064: may be expressed using a sequence of the form:
                   1065: .Sm off
1.7       stevesk  1066: .Ar time Op Ar qualifier ,
1.1       stevesk  1067: .Sm on
                   1068: where
                   1069: .Ar time
                   1070: is a positive integer value and
                   1071: .Ar qualifier
                   1072: is one of the following:
                   1073: .Pp
                   1074: .Bl -tag -width Ds -compact -offset indent
1.64      jmc      1075: .It Aq Cm none
1.1       stevesk  1076: seconds
                   1077: .It Cm s | Cm S
                   1078: seconds
                   1079: .It Cm m | Cm M
                   1080: minutes
                   1081: .It Cm h | Cm H
                   1082: hours
                   1083: .It Cm d | Cm D
                   1084: days
                   1085: .It Cm w | Cm W
                   1086: weeks
                   1087: .El
                   1088: .Pp
                   1089: Each member of the sequence is added together to calculate
                   1090: the total time value.
                   1091: .Pp
                   1092: Time format examples:
                   1093: .Pp
                   1094: .Bl -tag -width Ds -compact -offset indent
                   1095: .It 600
                   1096: 600 seconds (10 minutes)
                   1097: .It 10m
                   1098: 10 minutes
                   1099: .It 1h30m
                   1100: 1 hour 30 minutes (90 minutes)
                   1101: .El
                   1102: .Sh FILES
                   1103: .Bl -tag -width Ds
                   1104: .It Pa /etc/ssh/sshd_config
                   1105: Contains configuration data for
1.53      jmc      1106: .Xr sshd 8 .
1.1       stevesk  1107: This file should be writable by root only, but it is recommended
                   1108: (though not necessary) that it be world-readable.
                   1109: .El
1.19      jmc      1110: .Sh SEE ALSO
                   1111: .Xr sshd 8
1.1       stevesk  1112: .Sh AUTHORS
                   1113: OpenSSH is a derivative of the original and free
                   1114: ssh 1.2.12 release by Tatu Ylonen.
                   1115: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
                   1116: Theo de Raadt and Dug Song
                   1117: removed many bugs, re-added newer features and
                   1118: created OpenSSH.
                   1119: Markus Friedl contributed the support for SSH
                   1120: protocol versions 1.5 and 2.0.
                   1121: Niels Provos and Markus Friedl contributed support
                   1122: for privilege separation.