Annotation of src/usr.bin/ssh/sshd_config.5, Revision 1.29
1.1 stevesk 1: .\" -*- nroff -*-
2: .\"
3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: .\" All rights reserved
6: .\"
7: .\" As far as I am concerned, the code I have written for this software
8: .\" can be used freely for any purpose. Any derived versions of this
9: .\" software must be clearly marked as such, and if the derived work is
10: .\" incompatible with the protocol description in the RFC file, it must be
11: .\" called by a name other than "ssh" or "Secure Shell".
12: .\"
13: .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14: .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15: .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16: .\"
17: .\" Redistribution and use in source and binary forms, with or without
18: .\" modification, are permitted provided that the following conditions
19: .\" are met:
20: .\" 1. Redistributions of source code must retain the above copyright
21: .\" notice, this list of conditions and the following disclaimer.
22: .\" 2. Redistributions in binary form must reproduce the above copyright
23: .\" notice, this list of conditions and the following disclaimer in the
24: .\" documentation and/or other materials provided with the distribution.
25: .\"
26: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36: .\"
1.29 ! dtucker 37: .\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
1.1 stevesk 38: .Dd September 25, 1999
39: .Dt SSHD_CONFIG 5
40: .Os
41: .Sh NAME
42: .Nm sshd_config
43: .Nd OpenSSH SSH daemon configuration file
44: .Sh SYNOPSIS
45: .Bl -tag -width Ds -compact
46: .It Pa /etc/ssh/sshd_config
47: .El
48: .Sh DESCRIPTION
49: .Nm sshd
50: reads configuration data from
51: .Pa /etc/ssh/sshd_config
52: (or the file specified with
53: .Fl f
54: on the command line).
55: The file contains keyword-argument pairs, one per line.
56: Lines starting with
57: .Ql #
58: and empty lines are interpreted as comments.
59: .Pp
60: The possible
61: keywords and their meanings are as follows (note that
62: keywords are case-insensitive and arguments are case-sensitive):
63: .Bl -tag -width Ds
64: .It Cm AllowGroups
65: This keyword can be followed by a list of group name patterns, separated
66: by spaces.
67: If specified, login is allowed only for users whose primary
68: group or supplementary group list matches one of the patterns.
69: .Ql \&*
70: and
1.16 mouring 71: .Ql \&?
1.1 stevesk 72: can be used as
73: wildcards in the patterns.
74: Only group names are valid; a numerical group ID is not recognized.
75: By default, login is allowed for all groups.
76: .Pp
77: .It Cm AllowTcpForwarding
78: Specifies whether TCP forwarding is permitted.
79: The default is
80: .Dq yes .
81: Note that disabling TCP forwarding does not improve security unless
82: users are also denied shell access, as they can always install their
83: own forwarders.
84: .Pp
85: .It Cm AllowUsers
86: This keyword can be followed by a list of user name patterns, separated
87: by spaces.
1.14 jmc 88: If specified, login is allowed only for user names that
1.1 stevesk 89: match one of the patterns.
90: .Ql \&*
91: and
1.16 mouring 92: .Ql \&?
1.1 stevesk 93: can be used as
94: wildcards in the patterns.
95: Only user names are valid; a numerical user ID is not recognized.
96: By default, login is allowed for all users.
97: If the pattern takes the form USER@HOST then USER and HOST
98: are separately checked, restricting logins to particular
99: users from particular hosts.
100: .Pp
101: .It Cm AuthorizedKeysFile
102: Specifies the file that contains the public keys that can be used
103: for user authentication.
104: .Cm AuthorizedKeysFile
105: may contain tokens of the form %T which are substituted during connection
1.17 jmc 106: set-up.
107: The following tokens are defined: %% is replaced by a literal '%',
1.1 stevesk 108: %h is replaced by the home directory of the user being authenticated and
109: %u is replaced by the username of that user.
110: After expansion,
111: .Cm AuthorizedKeysFile
112: is taken to be an absolute path or one relative to the user's home
113: directory.
114: The default is
115: .Dq .ssh/authorized_keys .
116: .It Cm Banner
117: In some jurisdictions, sending a warning message before authentication
118: may be relevant for getting legal protection.
119: The contents of the specified file are sent to the remote user before
120: authentication is allowed.
121: This option is only available for protocol version 2.
122: By default, no banner is displayed.
123: .Pp
124: .It Cm ChallengeResponseAuthentication
125: Specifies whether challenge response authentication is allowed.
126: All authentication styles from
127: .Xr login.conf 5
128: are supported.
129: The default is
130: .Dq yes .
131: .It Cm Ciphers
132: Specifies the ciphers allowed for protocol version 2.
133: Multiple ciphers must be comma-separated.
134: The default is
135: .Pp
136: .Bd -literal
137: ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
1.20 djm 138: aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
1.1 stevesk 139: .Ed
140: .It Cm ClientAliveInterval
141: Sets a timeout interval in seconds after which, if no data has been received
142: from the client,
143: .Nm sshd
144: will send a message through the encrypted
145: channel to request a response from the client.
146: The default
147: is 0, indicating that these messages will not be sent to the client.
148: This option applies to protocol version 2 only.
149: .It Cm ClientAliveCountMax
150: Sets the number of client alive messages (see above) which may be
151: sent without
152: .Nm sshd
1.17 jmc 153: receiving any messages back from the client.
154: If this threshold is reached while client alive messages are being sent,
1.1 stevesk 155: .Nm sshd
1.17 jmc 156: will disconnect the client, terminating the session.
157: It is important to note that the use of client alive messages is very
158: different from
1.27 markus 159: .Cm TCPKeepAlive
1.17 jmc 160: (below).
161: The client alive messages are sent through the encrypted channel
162: and therefore will not be spoofable.
163: The TCP keepalive option enabled by
1.27 markus 164: .Cm TCPKeepAlive
1.17 jmc 165: is spoofable.
166: The client alive mechanism is valuable when the client or
1.1 stevesk 167: server depend on knowing when a connection has become inactive.
168: .Pp
1.17 jmc 169: The default value is 3.
170: If
1.1 stevesk 171: .Cm ClientAliveInterval
172: (above) is set to 15, and
173: .Cm ClientAliveCountMax
174: is left at the default, unresponsive ssh clients
175: will be disconnected after approximately 45 seconds.
1.3 markus 176: .It Cm Compression
177: Specifies whether compression is allowed.
178: The argument must be
179: .Dq yes
180: or
181: .Dq no .
182: The default is
183: .Dq yes .
1.1 stevesk 184: .It Cm DenyGroups
185: This keyword can be followed by a list of group name patterns, separated
186: by spaces.
187: Login is disallowed for users whose primary group or supplementary
188: group list matches one of the patterns.
189: .Ql \&*
190: and
1.16 mouring 191: .Ql \&?
1.1 stevesk 192: can be used as
193: wildcards in the patterns.
194: Only group names are valid; a numerical group ID is not recognized.
195: By default, login is allowed for all groups.
196: .Pp
197: .It Cm DenyUsers
198: This keyword can be followed by a list of user name patterns, separated
199: by spaces.
200: Login is disallowed for user names that match one of the patterns.
201: .Ql \&*
202: and
1.16 mouring 203: .Ql \&?
1.1 stevesk 204: can be used as wildcards in the patterns.
205: Only user names are valid; a numerical user ID is not recognized.
206: By default, login is allowed for all users.
207: If the pattern takes the form USER@HOST then USER and HOST
208: are separately checked, restricting logins to particular
209: users from particular hosts.
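As an added illustration that is not OpenSSH code, the following C example evaluates a space-separated AllowUsers or DenyUsers list, with the `*` and `?` wildcards and USER@HOST patterns described above, against a login attempt; consulting the deny list before the allow list is an assumption of the example, not a rule stated here.

```c
#include <stdio.h>
#include <string.h>

/* Match s against a pattern in which '*' matches any run of characters and
 * '?' matches exactly one character. Returns 1 on match, 0 otherwise. */
static int wild_match(const char *pat, const char *s)
{
    while (*pat != '\0') {
        if (*pat == '*') {
            while (*pat == '*')         /* collapse runs of '*' */
                pat++;
            if (*pat == '\0')
                return 1;               /* trailing '*' matches the rest */
            for (; *s != '\0'; s++)     /* try every remaining suffix */
                if (wild_match(pat, s))
                    return 1;
            return 0;
        }
        if (*s == '\0' || (*pat != '?' && *pat != *s))
            return 0;
        pat++;
        s++;
    }
    return *s == '\0';
}

/* Test a space-separated pattern list against a (user, host) pair.
 * A USER@HOST pattern checks both halves separately; a pattern without
 * '@' checks only the user name. Returns 1 if any pattern matches. */
static int list_matches(const char *list, const char *user, const char *host)
{
    const char *p = list;

    while (*p != '\0') {
        char pat[256], *at;
        size_t n = 0;

        while (*p == ' ')
            p++;
        while (*p != '\0' && *p != ' ') {
            if (n < sizeof(pat) - 1)    /* over-long patterns are truncated */
                pat[n++] = *p;
            p++;
        }
        pat[n] = '\0';
        if (n == 0)
            continue;                   /* trailing spaces: loop ends */
        at = strchr(pat, '@');
        if (at != NULL) {
            *at = '\0';                 /* split USER@HOST in place */
            if (wild_match(pat, user) && wild_match(at + 1, host))
                return 1;
        } else if (wild_match(pat, user)) {
            return 1;
        }
    }
    return 0;
}

/* Combine the two lists: a DenyUsers match refuses the login outright, and
 * when AllowUsers is set the user must match it. Checking the deny list
 * first is an assumption of this example. NULL means the keyword is not
 * configured. Returns 1 if login is allowed, 0 otherwise. */
static int login_permitted(const char *allow, const char *deny,
    const char *user, const char *host)
{
    if (deny != NULL && list_matches(deny, user, host))
        return 0;
    if (allow != NULL && !list_matches(allow, user, host))
        return 0;
    return 1;
}
```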
210: .It Cm GatewayPorts
211: Specifies whether remote hosts are allowed to connect to ports
212: forwarded for the client.
213: By default,
214: .Nm sshd
1.15 jmc 215: binds remote port forwardings to the loopback address.
216: This prevents other remote hosts from connecting to forwarded ports.
1.1 stevesk 217: .Cm GatewayPorts
218: can be used to specify that
219: .Nm sshd
220: should bind remote port forwardings to the wildcard address,
221: thus allowing remote hosts to connect to forwarded ports.
222: The argument must be
223: .Dq yes
224: or
225: .Dq no .
226: The default is
227: .Dq no .
1.23 markus 228: .It Cm GSSAPIAuthentication
1.25 markus 229: Specifies whether user authentication based on GSSAPI is allowed.
1.26 djm 230: The default is
1.23 markus 231: .Dq no .
232: Note that this option applies to protocol version 2 only.
233: .It Cm GSSAPICleanupCredentials
234: Specifies whether to automatically destroy the user's credentials cache
235: on logout.
236: The default is
237: .Dq yes .
238: Note that this option applies to protocol version 2 only.
1.1 stevesk 239: .It Cm HostbasedAuthentication
240: Specifies whether rhosts or /etc/hosts.equiv authentication together
241: with successful public key client host authentication is allowed
242: (hostbased authentication).
243: This option is similar to
244: .Cm RhostsRSAAuthentication
245: and applies to protocol version 2 only.
246: The default is
247: .Dq no .
248: .It Cm HostKey
249: Specifies a file containing a private host key
250: used by SSH.
251: The default is
252: .Pa /etc/ssh/ssh_host_key
253: for protocol version 1, and
254: .Pa /etc/ssh/ssh_host_rsa_key
255: and
256: .Pa /etc/ssh/ssh_host_dsa_key
257: for protocol version 2.
258: Note that
259: .Nm sshd
260: will refuse to use a file if it is group/world-accessible.
261: It is possible to have multiple host key files.
262: .Dq rsa1
263: keys are used for version 1 and
264: .Dq dsa
265: or
266: .Dq rsa
267: are used for version 2 of the SSH protocol.
268: .It Cm IgnoreRhosts
269: Specifies that
270: .Pa .rhosts
271: and
272: .Pa .shosts
273: files will not be used in
274: .Cm RhostsRSAAuthentication
275: or
276: .Cm HostbasedAuthentication .
277: .Pp
278: .Pa /etc/hosts.equiv
279: and
280: .Pa /etc/shosts.equiv
281: are still used.
282: The default is
283: .Dq yes .
284: .It Cm IgnoreUserKnownHosts
285: Specifies whether
286: .Nm sshd
287: should ignore the user's
288: .Pa $HOME/.ssh/known_hosts
289: during
290: .Cm RhostsRSAAuthentication
291: or
292: .Cm HostbasedAuthentication .
293: The default is
294: .Dq no .
295: .It Cm KerberosAuthentication
1.24 markus 296: Specifies whether the password provided by the user for
1.1 stevesk 297: .Cm PasswordAuthentication
1.24 markus 298: will be validated through the Kerberos KDC.
1.1 stevesk 299: To use this option, the server needs a
300: Kerberos servtab which allows the verification of the KDC's identity.
1.29 ! dtucker 301: Default is
! 302: .Dq no .
! 303: .It Cm KerberosGetAFSToken
! 304: If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
! 305: an AFS token before accessing the user's home directory.
1.1 stevesk 306: Default is
307: .Dq no .
308: .It Cm KerberosOrLocalPasswd
309: If set, then if password authentication through Kerberos fails,
310: the password will be validated via any additional local mechanism
311: such as
312: .Pa /etc/passwd .
313: Default is
314: .Dq yes .
315: .It Cm KerberosTicketCleanup
316: Specifies whether to automatically destroy the user's ticket cache
317: file on logout.
318: Default is
319: .Dq yes .
320: .It Cm KeyRegenerationInterval
321: In protocol version 1, the ephemeral server key is automatically regenerated
322: after this many seconds (if it has been used).
323: The purpose of regeneration is to prevent
324: decrypting captured sessions by later breaking into the machine and
325: stealing the keys.
326: The key is never stored anywhere.
327: If the value is 0, the key is never regenerated.
328: The default is 3600 (seconds).
329: .It Cm ListenAddress
330: Specifies the local addresses
331: .Nm sshd
332: should listen on.
333: The following forms may be used:
334: .Pp
335: .Bl -item -offset indent -compact
336: .It
337: .Cm ListenAddress
338: .Sm off
339: .Ar host No | Ar IPv4_addr No | Ar IPv6_addr
340: .Sm on
341: .It
342: .Cm ListenAddress
343: .Sm off
344: .Ar host No | Ar IPv4_addr No : Ar port
345: .Sm on
346: .It
347: .Cm ListenAddress
348: .Sm off
349: .Oo
350: .Ar host No | Ar IPv6_addr Oc : Ar port
351: .Sm on
352: .El
353: .Pp
354: If
355: .Ar port
356: is not specified,
357: .Nm sshd
358: will listen on the address and all prior
359: .Cm Port
1.17 jmc 360: options specified.
361: The default is to listen on all local addresses.
1.15 jmc 362: Multiple
1.1 stevesk 363: .Cm ListenAddress
1.17 jmc 364: options are permitted.
365: Additionally, any
1.1 stevesk 366: .Cm Port
367: options must precede this option for non-port-qualified addresses.
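The three ListenAddress forms above, parsed in an added C example that is not part of OpenSSH; the bracket and colon-counting rules it uses to tell a bare IPv6 address from host:port are the example's own reading of the forms listed.

```c
#include <stdlib.h>
#include <string.h>

struct listen_addr {
    char addr[256];
    int port;   /* 0 = not given: sshd uses the Port options that precede it */
};

/* Parse one ListenAddress argument into address and optional port.
 * The three forms from the page are:
 *   host|IPv4_addr|IPv6_addr      (no port)
 *   host|IPv4_addr:port
 *   [host|IPv6_addr]:port
 * A bare IPv6 address contains several ':' and so is distinguished from
 * host:port, which has exactly one. Returns 0 on success, -1 if malformed. */
static int parse_listen_address(const char *arg, struct listen_addr *out)
{
    const char *p = arg, *end, *portstr = NULL;
    size_t n, colons = 0;
    char *endp;
    long port;

    memset(out, 0, sizeof(*out));
    if (*p == '[') {                            /* bracketed form */
        end = strchr(p, ']');
        if (end == NULL)
            return -1;                          /* unterminated '[' */
        p++;
        if (end[1] == ':')
            portstr = end + 2;
        else if (end[1] != '\0')
            return -1;                          /* junk after ']' */
    } else {
        for (end = p; *end != '\0'; end++)
            if (*end == ':')
                colons++;
        if (colons == 1) {                      /* host:port or IPv4:port */
            end = strchr(p, ':');
            portstr = end + 1;
        }
        /* colons == 0: plain host/IPv4; colons > 1: bare IPv6, no port */
    }
    n = (size_t)(end - p);
    if (n == 0 || n >= sizeof(out->addr))
        return -1;                              /* empty or oversized address */
    memcpy(out->addr, p, n);
    out->addr[n] = '\0';
    if (portstr != NULL) {
        port = strtol(portstr, &endp, 10);
        if (*portstr == '\0' || *endp != '\0' || port < 1 || port > 65535)
            return -1;                          /* missing or invalid port */
        out->port = (int)port;
    }
    return 0;
}

/* Helper for checks: the parsed port (0 = unspecified) or -1 when rejected. */
static int listen_port_of(const char *arg)
{
    struct listen_addr la;

    return parse_listen_address(arg, &la) == 0 ? la.port : -1;
}
```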
368: .It Cm LoginGraceTime
369: The server disconnects after this time if the user has not
370: successfully logged in.
371: If the value is 0, there is no time limit.
1.12 stevesk 372: The default is 120 seconds.
1.1 stevesk 373: .It Cm LogLevel
374: Gives the verbosity level that is used when logging messages from
375: .Nm sshd .
376: The possible values are:
377: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
1.15 jmc 378: The default is INFO.
379: DEBUG and DEBUG1 are equivalent.
380: DEBUG2 and DEBUG3 each specify higher levels of debugging output.
381: Logging with a DEBUG level violates the privacy of users and is not recommended.
1.1 stevesk 382: .It Cm MACs
383: Specifies the available MAC (message authentication code) algorithms.
384: The MAC algorithm is used in protocol version 2
385: for data integrity protection.
386: Multiple algorithms must be comma-separated.
387: The default is
388: .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
389: .It Cm MaxStartups
390: Specifies the maximum number of concurrent unauthenticated connections to the
391: .Nm sshd
392: daemon.
393: Additional connections will be dropped until authentication succeeds or the
394: .Cm LoginGraceTime
395: expires for a connection.
396: The default is 10.
397: .Pp
398: Alternatively, random early drop can be enabled by specifying
399: the three colon separated values
400: .Dq start:rate:full
401: (e.g., "10:30:60").
402: .Nm sshd
403: will refuse connection attempts with a probability of
404: .Dq rate/100
405: (30%)
406: if there are currently
407: .Dq start
408: (10)
409: unauthenticated connections.
410: The probability increases linearly and all connection attempts
411: are refused if the number of unauthenticated connections reaches
412: .Dq full
413: (60).
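An added C example, not sshd's own code, that parses both MaxStartups forms and computes the refusal chance described above for a given number of pending unauthenticated connections; the random roll is passed in as a parameter so the decision can be checked deterministically.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct max_startups {
    int begin;   /* "start": pending connections at which random drop begins */
    int rate;    /* refusal chance in percent at exactly "start" connections */
    int full;    /* every new connection is refused at this count */
};

/* Parse either the plain form "10" or the "start:rate:full" form
 * "10:30:60". Returns 0 on success, -1 on malformed or inconsistent values. */
static int parse_max_startups(const char *arg, struct max_startups *ms)
{
    int begin, rate, full;
    char trailing;

    /* Exactly three integers and nothing after them. */
    if (sscanf(arg, "%d:%d:%d%c", &begin, &rate, &full, &trailing) == 3) {
        if (begin < 1 || rate < 1 || rate > 100 || full < begin)
            return -1;
        ms->begin = begin;
        ms->rate = rate;
        ms->full = full;
        return 0;
    }
    /* Plain form: a hard cap with no random early drop. */
    if (sscanf(arg, "%d%c", &full, &trailing) == 1 && full >= 1) {
        ms->begin = full;
        ms->rate = 100;
        ms->full = full;
        return 0;
    }
    return -1;
}

/* Percentage chance that a new unauthenticated connection is refused,
 * given how many are already pending. Below "start" nothing is refused;
 * at "start" the chance is "rate"; it rises linearly to 100 at "full". */
static int refuse_percent(const struct max_startups *ms, int pending)
{
    int p;

    if (pending < ms->begin)
        return 0;
    if (pending >= ms->full)
        return 100;
    p = 100 - ms->rate;
    p *= pending - ms->begin;
    p /= ms->full - ms->begin;
    return p + ms->rate;
}

/* Decide for one incoming connection. 'roll' is a uniform random value in
 * [0,100), supplied by the caller. Returns 1 to refuse, 0 to accept. */
static int should_refuse(const struct max_startups *ms, int pending, int roll)
{
    return roll < refuse_percent(ms, pending);
}
```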
414: .It Cm PasswordAuthentication
415: Specifies whether password authentication is allowed.
416: The default is
417: .Dq yes .
418: .It Cm PermitEmptyPasswords
419: When password authentication is allowed, it specifies whether the
420: server allows login to accounts with empty password strings.
421: The default is
422: .Dq no .
423: .It Cm PermitRootLogin
424: Specifies whether root can log in using
425: .Xr ssh 1 .
426: The argument must be
427: .Dq yes ,
428: .Dq without-password ,
429: .Dq forced-commands-only
430: or
431: .Dq no .
432: The default is
433: .Dq yes .
434: .Pp
435: If this option is set to
436: .Dq without-password
437: password authentication is disabled for root.
438: .Pp
439: If this option is set to
440: .Dq forced-commands-only
441: root login with public key authentication will be allowed,
442: but only if the
443: .Ar command
444: option has been specified
445: (which may be useful for taking remote backups even if root login is
1.17 jmc 446: normally not allowed).
447: All other authentication methods are disabled for root.
1.1 stevesk 448: .Pp
449: If this option is set to
450: .Dq no
451: root is not allowed to log in.
1.6 markus 452: .It Cm PermitUserEnvironment
453: Specifies whether
454: .Pa ~/.ssh/environment
1.9 stevesk 455: and
1.6 markus 456: .Cm environment=
457: options in
458: .Pa ~/.ssh/authorized_keys
1.9 stevesk 459: are processed by
460: .Nm sshd .
1.6 markus 461: The default is
462: .Dq no .
1.9 stevesk 463: Enabling environment processing may enable users to bypass access
464: restrictions in some configurations using mechanisms such as
465: .Ev LD_PRELOAD .
1.1 stevesk 466: .It Cm PidFile
1.4 stevesk 467: Specifies the file that contains the process ID of the
1.1 stevesk 468: .Nm sshd
469: daemon.
470: The default is
471: .Pa /var/run/sshd.pid .
472: .It Cm Port
473: Specifies the port number that
474: .Nm sshd
475: listens on.
476: The default is 22.
477: Multiple options of this type are permitted.
478: See also
479: .Cm ListenAddress .
480: .It Cm PrintLastLog
481: Specifies whether
482: .Nm sshd
483: should print the date and time when the user last logged in.
484: The default is
485: .Dq yes .
486: .It Cm PrintMotd
487: Specifies whether
488: .Nm sshd
489: should print
490: .Pa /etc/motd
491: when a user logs in interactively.
492: (On some systems it is also printed by the shell,
493: .Pa /etc/profile ,
494: or equivalent.)
495: The default is
496: .Dq yes .
497: .It Cm Protocol
498: Specifies the protocol versions
499: .Nm sshd
1.5 stevesk 500: supports.
1.1 stevesk 501: The possible values are
502: .Dq 1
503: and
504: .Dq 2 .
505: Multiple versions must be comma-separated.
506: The default is
507: .Dq 2,1 .
1.5 stevesk 508: Note that the order of the protocol list does not indicate preference,
509: because the client selects among multiple protocol versions offered
510: by the server.
511: Specifying
512: .Dq 2,1
513: is identical to
514: .Dq 1,2 .
1.1 stevesk 515: .It Cm PubkeyAuthentication
516: Specifies whether public key authentication is allowed.
517: The default is
518: .Dq yes .
519: Note that this option applies to protocol version 2 only.
520: .It Cm RhostsRSAAuthentication
521: Specifies whether rhosts or /etc/hosts.equiv authentication together
522: with successful RSA host authentication is allowed.
523: The default is
524: .Dq no .
525: This option applies to protocol version 1 only.
526: .It Cm RSAAuthentication
527: Specifies whether pure RSA authentication is allowed.
528: The default is
529: .Dq yes .
530: This option applies to protocol version 1 only.
531: .It Cm ServerKeyBits
532: Defines the number of bits in the ephemeral protocol version 1 server key.
533: The minimum value is 512, and the default is 768.
534: .It Cm StrictModes
535: Specifies whether
536: .Nm sshd
537: should check file modes and ownership of the
538: user's files and home directory before accepting login.
539: This is normally desirable because novices sometimes accidentally leave their
540: directory or files world-writable.
541: The default is
542: .Dq yes .
543: .It Cm Subsystem
544: Configures an external subsystem (e.g., file transfer daemon).
545: Arguments should be a subsystem name and a command to execute upon subsystem
546: request.
547: The command
548: .Xr sftp-server 8
549: implements the
550: .Dq sftp
551: file transfer subsystem.
552: By default no subsystems are defined.
553: Note that this option applies to protocol version 2 only.
554: .It Cm SyslogFacility
555: Gives the facility code that is used when logging messages from
556: .Nm sshd .
557: The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
558: LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
559: The default is AUTH.
1.27 markus 560: .It Cm TCPKeepAlive
561: Specifies whether the system should send TCP keepalive messages to the
562: other side.
563: If they are sent, death of the connection or crash of one
564: of the machines will be properly noticed.
565: However, this means that
566: connections will die if the route is down temporarily, and some people
567: find it annoying.
568: On the other hand, if TCP keepalives are not sent,
569: sessions may hang indefinitely on the server, leaving
570: .Dq ghost
571: users and consuming server resources.
572: .Pp
573: The default is
574: .Dq yes
575: (to send TCP keepalive messages), and the server will notice
576: if the network goes down or the client host crashes.
577: This avoids infinitely hanging sessions.
578: .Pp
579: To disable TCP keepalive messages, the value should be set to
580: .Dq no .
1.18 markus 581: .It Cm UseDNS
582: Specifies whether
583: .Nm sshd
584: should look up the remote host name and check that
585: the resolved host name for the remote IP address maps back to the
586: very same IP address.
587: The default is
588: .Dq yes .
1.1 stevesk 589: .It Cm UseLogin
590: Specifies whether
591: .Xr login 1
592: is used for interactive login sessions.
593: The default is
594: .Dq no .
595: Note that
596: .Xr login 1
597: is never used for remote command execution.
598: Note also that if this is enabled,
599: .Cm X11Forwarding
600: will be disabled because
601: .Xr login 1
602: does not know how to handle
603: .Xr xauth 1
1.15 jmc 604: cookies.
605: If
1.1 stevesk 606: .Cm UsePrivilegeSeparation
607: is specified, it will be disabled after authentication.
608: .It Cm UsePrivilegeSeparation
609: Specifies whether
610: .Nm sshd
1.2 stevesk 611: separates privileges by creating an unprivileged child process
1.15 jmc 612: to deal with incoming network traffic.
613: After successful authentication, another process will be created that has
614: the privilege of the authenticated user.
615: The goal of privilege separation is to prevent privilege
1.1 stevesk 616: escalation by containing any corruption within the unprivileged processes.
617: The default is
618: .Dq yes .
619: .It Cm X11DisplayOffset
620: Specifies the first display number available for
621: .Nm sshd Ns 's
622: X11 forwarding.
623: This prevents
624: .Nm sshd
625: from interfering with real X11 servers.
626: The default is 10.
627: .It Cm X11Forwarding
628: Specifies whether X11 forwarding is permitted.
1.13 stevesk 629: The argument must be
630: .Dq yes
631: or
632: .Dq no .
1.1 stevesk 633: The default is
634: .Dq no .
1.13 stevesk 635: .Pp
636: When X11 forwarding is enabled, there may be additional exposure to
637: the server and to client displays if the
638: .Nm sshd
639: proxy display is configured to listen on the wildcard address (see
640: .Cm X11UseLocalhost
641: below); however, this is not the default.
642: Additionally, the authentication spoofing and authentication data
643: verification and substitution occur on the client side.
644: The security risk of using X11 forwarding is that the client's X11
645: display server may be exposed to attack when the ssh client requests
646: forwarding (see the warnings for
647: .Cm ForwardX11
648: in
1.19 jmc 649: .Xr ssh_config 5 ) .
1.13 stevesk 650: A system administrator may have a stance in which they want to
651: protect clients that may expose themselves to attack by unwittingly
652: requesting X11 forwarding, which can warrant a
653: .Dq no
654: setting.
655: .Pp
656: Note that disabling X11 forwarding does not prevent users from
657: forwarding X11 traffic, as users can always install their own forwarders.
1.1 stevesk 658: X11 forwarding is automatically disabled if
659: .Cm UseLogin
660: is enabled.
661: .It Cm X11UseLocalhost
662: Specifies whether
663: .Nm sshd
664: should bind the X11 forwarding server to the loopback address or to
1.15 jmc 665: the wildcard address.
666: By default,
1.1 stevesk 667: .Nm sshd
668: binds the forwarding server to the loopback address and sets the
669: hostname part of the
670: .Ev DISPLAY
671: environment variable to
672: .Dq localhost .
1.8 stevesk 673: This prevents remote hosts from connecting to the proxy display.
1.1 stevesk 674: However, some older X11 clients may not function with this
675: configuration.
676: .Cm X11UseLocalhost
677: may be set to
678: .Dq no
679: to specify that the forwarding server should be bound to the wildcard
680: address.
681: The argument must be
682: .Dq yes
683: or
684: .Dq no .
685: The default is
686: .Dq yes .
687: .It Cm XAuthLocation
1.11 stevesk 688: Specifies the full pathname of the
1.1 stevesk 689: .Xr xauth 1
690: program.
691: The default is
692: .Pa /usr/X11R6/bin/xauth .
693: .El
694: .Ss Time Formats
695: .Nm sshd
696: command-line arguments and configuration file options that specify time
697: may be expressed using a sequence of the form:
698: .Sm off
1.7 stevesk 699: .Ar time Op Ar qualifier ,
1.1 stevesk 700: .Sm on
701: where
702: .Ar time
703: is a positive integer value and
704: .Ar qualifier
705: is one of the following:
706: .Pp
707: .Bl -tag -width Ds -compact -offset indent
708: .It Cm <none>
709: seconds
710: .It Cm s | Cm S
711: seconds
712: .It Cm m | Cm M
713: minutes
714: .It Cm h | Cm H
715: hours
716: .It Cm d | Cm D
717: days
718: .It Cm w | Cm W
719: weeks
720: .El
721: .Pp
722: Each member of the sequence is added together to calculate
723: the total time value.
724: .Pp
725: Time format examples:
726: .Pp
727: .Bl -tag -width Ds -compact -offset indent
728: .It 600
729: 600 seconds (10 minutes)
730: .It 10m
731: 10 minutes
732: .It 1h30m
733: 1 hour 30 minutes (90 minutes)
734: .El
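An added C example, not part of OpenSSH, that converts the time format described above to seconds by summing each member of the sequence, and rejects malformed input.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Seconds per unit for each qualifier; any other character is unknown. */
static long qualifier_seconds(char q)
{
    switch (q) {
    case 's': case 'S': return 1;
    case 'm': case 'M': return 60;
    case 'h': case 'H': return 3600;
    case 'd': case 'D': return 86400;
    case 'w': case 'W': return 604800;
    default:            return -1;
    }
}

/* Convert a time string such as "600", "10m" or "1h30m" to seconds by
 * adding each "<integer><qualifier>" member; a member with no qualifier
 * counts as seconds. Returns -1 for an empty string, an unknown qualifier,
 * a qualifier with no preceding digits, or integer overflow. */
static long parse_time(const char *s)
{
    long total = 0;
    const char *p = s;

    if (*p == '\0')
        return -1;
    while (*p != '\0') {
        long value = 0, unit;
        int ndigits = 0;

        while (isdigit((unsigned char)*p)) {
            if (value > (LONG_MAX - (*p - '0')) / 10)
                return -1;          /* overflow in the integer part */
            value = value * 10 + (*p - '0');
            p++;
            ndigits++;
        }
        if (ndigits == 0)
            return -1;              /* e.g. "h30m", " 10" or "-5" */
        if (*p == '\0') {
            unit = 1;               /* no qualifier: plain seconds */
        } else {
            unit = qualifier_seconds(*p);
            if (unit < 0)
                return -1;          /* unknown qualifier, e.g. "10x" */
            p++;
        }
        if (value > (LONG_MAX - total) / unit)
            return -1;              /* overflow in the running sum */
        total += value * unit;
    }
    return total;
}
```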
735: .Sh FILES
736: .Bl -tag -width Ds
737: .It Pa /etc/ssh/sshd_config
738: Contains configuration data for
739: .Nm sshd .
740: This file should be writable by root only, but it is recommended
741: (though not necessary) that it be world-readable.
742: .El
1.19 jmc 743: .Sh SEE ALSO
744: .Xr sshd 8
1.1 stevesk 745: .Sh AUTHORS
746: OpenSSH is a derivative of the original and free
747: ssh 1.2.12 release by Tatu Ylonen.
748: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
749: Theo de Raadt and Dug Song
750: removed many bugs, re-added newer features and
751: created OpenSSH.
752: Markus Friedl contributed the support for SSH
753: protocol versions 1.5 and 2.0.
754: Niels Provos and Markus Friedl contributed support
755: for privilege separation.