Annotation of src/usr.bin/ssh/sshd_config.5, Revision 1.31
1.1 stevesk 1: .\" -*- nroff -*-
2: .\"
3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: .\" All rights reserved
6: .\"
7: .\" As far as I am concerned, the code I have written for this software
8: .\" can be used freely for any purpose. Any derived versions of this
9: .\" software must be clearly marked as such, and if the derived work is
10: .\" incompatible with the protocol description in the RFC file, it must be
11: .\" called by a name other than "ssh" or "Secure Shell".
12: .\"
13: .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14: .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15: .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16: .\"
17: .\" Redistribution and use in source and binary forms, with or without
18: .\" modification, are permitted provided that the following conditions
19: .\" are met:
20: .\" 1. Redistributions of source code must retain the above copyright
21: .\" notice, this list of conditions and the following disclaimer.
22: .\" 2. Redistributions in binary form must reproduce the above copyright
23: .\" notice, this list of conditions and the following disclaimer in the
24: .\" documentation and/or other materials provided with the distribution.
25: .\"
26: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36: .\"
1.31 ! djm 37: .\" $OpenBSD: sshd_config.5,v 1.30 2004/04/27 09:46:37 djm Exp $
1.1 stevesk 38: .Dd September 25, 1999
39: .Dt SSHD_CONFIG 5
40: .Os
41: .Sh NAME
42: .Nm sshd_config
43: .Nd OpenSSH SSH daemon configuration file
44: .Sh SYNOPSIS
45: .Bl -tag -width Ds -compact
46: .It Pa /etc/ssh/sshd_config
47: .El
48: .Sh DESCRIPTION
49: .Nm sshd
50: reads configuration data from
51: .Pa /etc/ssh/sshd_config
52: (or the file specified with
53: .Fl f
54: on the command line).
55: The file contains keyword-argument pairs, one per line.
56: Lines starting with
57: .Ql #
58: and empty lines are interpreted as comments.
59: .Pp
60: The possible
61: keywords and their meanings are as follows (note that
62: keywords are case-insensitive and arguments are case-sensitive):
63: .Bl -tag -width Ds
1.30 djm 64: .It Cm AcceptEnv
65: Specifies what environment variables sent by the client will be copied into
66: the session's
67: .Xr environ 7 .
68: See
69: .Cm SendEnv
70: in
71: .Xr ssh_config 5
72: for how to configure the client.
1.31 ! djm 73: Note that environment passing is only supported for protocol 2.
1.30 djm 74: Variables are specified by name, which may contain the wildcard characters
75: .Ql \&*
76: and
77: .Ql \&? .
1.31 ! djm 78: Multiple environment variables may be separated by whitespace or spread
1.30 djm 79: across multiple
80: .Cm AcceptEnv
81: directives.
1.31 ! djm 82: Be warned that some environment variables could be used to bypass restricted
1.30 djm 83: user environments.
84: For this reason, care should be taken in the use of this directive.
85: The default is not to accept any environment variables.
86: .Pp
1.1 stevesk 87: .It Cm AllowGroups
88: This keyword can be followed by a list of group name patterns, separated
89: by spaces.
90: If specified, login is allowed only for users whose primary
91: group or supplementary group list matches one of the patterns.
92: .Ql \&*
93: and
1.16 mouring 94: .Ql \&?
1.1 stevesk 95: can be used as
96: wildcards in the patterns.
97: Only group names are valid; a numerical group ID is not recognized.
98: By default, login is allowed for all groups.
99: .Pp
100: .It Cm AllowTcpForwarding
101: Specifies whether TCP forwarding is permitted.
102: The default is
103: .Dq yes .
104: Note that disabling TCP forwarding does not improve security unless
105: users are also denied shell access, as they can always install their
106: own forwarders.
107: .Pp
108: .It Cm AllowUsers
109: This keyword can be followed by a list of user name patterns, separated
110: by spaces.
1.14 jmc 111: If specified, login is allowed only for user names that
1.1 stevesk 112: match one of the patterns.
113: .Ql \&*
114: and
1.16 mouring 115: .Ql \&?
1.1 stevesk 116: can be used as
117: wildcards in the patterns.
118: Only user names are valid; a numerical user ID is not recognized.
119: By default, login is allowed for all users.
120: If the pattern takes the form USER@HOST then USER and HOST
121: are separately checked, restricting logins to particular
122: users from particular hosts.
123: .Pp
124: .It Cm AuthorizedKeysFile
125: Specifies the file that contains the public keys that can be used
126: for user authentication.
127: .Cm AuthorizedKeysFile
128: may contain tokens of the form %T which are substituted during connection
1.17 jmc 129: set-up.
130: The following tokens are defined: %% is replaced by a literal '%',
1.1 stevesk 131: %h is replaced by the home directory of the user being authenticated and
132: %u is replaced by the username of that user.
133: After expansion,
134: .Cm AuthorizedKeysFile
135: is taken to be an absolute path or one relative to the user's home
136: directory.
137: The default is
138: .Dq .ssh/authorized_keys .
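.Pp
Added example, not part of this manual page or of OpenSSH: the token expansion and the absolute-or-home-relative path rule described above, written out in Python.
The home directory and user name it is run with are constructed, and rejecting an unknown %-token instead of passing it through is a choice made here.

```python
# Added example (not from the manual page or OpenSSH): AuthorizedKeysFile
# token expansion (%%, %h, %u) followed by path anchoring.
import posixpath


def expand_authorized_keys_file(template, home, user):
    """Expand %%, %h and %u in `template`, then anchor the result.

    A result that does not start with '/' is taken relative to `home`.
    Any other %-token is rejected rather than silently passed through.
    """
    out = []
    i = 0
    while i < len(template):
        c = template[i]
        if c != "%":
            out.append(c)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("trailing '%' in AuthorizedKeysFile")
        token = template[i + 1]
        if token == "%":
            out.append("%")          # literal percent sign
        elif token == "h":
            out.append(home)         # home directory of the user
        elif token == "u":
            out.append(user)         # user name being authenticated
        else:
            raise ValueError(f"unknown token %{token} in AuthorizedKeysFile")
        i += 2
    path = "".join(out)
    if not path.startswith("/"):
        path = posixpath.join(home, path)
    return path


def is_valid_template(template):
    """True if the template contains only the documented tokens."""
    try:
        expand_authorized_keys_file(template, "/nonexistent", "nobody")
    except ValueError:
        return False
    return True
```
Placing the file under a root-owned directory, for example /etc/ssh/authorized_keys/%u, takes the key list out of the user's own home directory; that directory name is an illustration, not a path this page defines.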
139: .It Cm Banner
140: In some jurisdictions, sending a warning message before authentication
141: may be relevant for getting legal protection.
142: The contents of the specified file are sent to the remote user before
143: authentication is allowed.
144: This option is only available for protocol version 2.
145: By default, no banner is displayed.
146: .Pp
147: .It Cm ChallengeResponseAuthentication
148: Specifies whether challenge response authentication is allowed.
149: All authentication styles from
150: .Xr login.conf 5
151: are supported.
152: The default is
153: .Dq yes .
154: .It Cm Ciphers
155: Specifies the ciphers allowed for protocol version 2.
156: Multiple ciphers must be comma-separated.
157: The default is
158: .Pp
159: .Bd -literal
160: ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
1.20 djm 161: aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
1.1 stevesk 162: .Ed
163: .It Cm ClientAliveInterval
164: Sets a timeout interval in seconds after which, if no data has been received
165: from the client,
166: .Nm sshd
167: will send a message through the encrypted
168: channel to request a response from the client.
169: The default
170: is 0, indicating that these messages will not be sent to the client.
171: This option applies to protocol version 2 only.
172: .It Cm ClientAliveCountMax
173: Sets the number of client alive messages (see above) which may be
174: sent without
175: .Nm sshd
1.17 jmc 176: receiving any messages back from the client.
177: If this threshold is reached while client alive messages are being sent,
1.1 stevesk 178: .Nm sshd
1.17 jmc 179: will disconnect the client, terminating the session.
180: It is important to note that the use of client alive messages is very
181: different from
1.27 markus 182: .Cm TCPKeepAlive
1.17 jmc 183: (below).
184: The client alive messages are sent through the encrypted channel
185: and therefore will not be spoofable.
186: The TCP keepalive option enabled by
1.27 markus 187: .Cm TCPKeepAlive
1.17 jmc 188: is spoofable.
189: The client alive mechanism is valuable when the client or
1.1 stevesk 190: server depend on knowing when a connection has become inactive.
191: .Pp
1.17 jmc 192: The default value is 3.
193: If
1.1 stevesk 194: .Cm ClientAliveInterval
195: (above) is set to 15, and
196: .Cm ClientAliveCountMax
197: is left at the default, unresponsive ssh clients
198: will be disconnected after approximately 45 seconds.
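.Pp
Added example, not part of this manual page or of OpenSSH: a Python simulation of the client alive bookkeeping described above.
The timeline of client data is constructed; the model (a probe after every ClientAliveInterval seconds of silence, the count reset by any client data, disconnection when the count reaches ClientAliveCountMax) reproduces the 45-second figure given above and is this example's reading of the text, not sshd's own code.

```python
# Added example (not from the manual page or OpenSSH): simulation of the
# ClientAliveInterval / ClientAliveCountMax bookkeeping.

def client_alive_disconnect_time(interval, count_max, data_times, horizon):
    """Seconds after connection start at which the client would be dropped,
    or None if it survives until `horizon`.

    interval:   ClientAliveInterval (0 disables the mechanism)
    count_max:  ClientAliveCountMax
    data_times: constructed list of times at which the client sent data
    Model: a probe is sent after `interval` seconds with no client data; any
    data resets the probe count and the silence timer; the client is dropped
    when the count reaches count_max.
    """
    if interval <= 0:
        return None
    timer_base = 0         # start of the connection counts as activity
    outstanding = 0        # probes sent since the client last said anything
    while True:
        tick = timer_base + interval
        if tick > horizon:
            return None
        # Data that arrived before the timer fired resets everything.
        seen = [d for d in data_times if timer_base < d <= tick]
        if seen:
            timer_base = max(seen)
            outstanding = 0
            continue
        timer_base = tick              # send a probe, wait another interval
        outstanding += 1
        if outstanding >= count_max:
            return tick


def example_timeouts():
    """Default count (3) with the 15-second interval quoted above."""
    return {
        "silent client": client_alive_disconnect_time(15, 3, [], 600),
        "one reply at 20s": client_alive_disconnect_time(15, 3, [20], 600),
        "chatty client": client_alive_disconnect_time(15, 3, [10, 20, 30, 40, 50], 55),
    }
```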
1.3 markus 199: .It Cm Compression
200: Specifies whether compression is allowed.
201: The argument must be
202: .Dq yes
203: or
204: .Dq no .
205: The default is
206: .Dq yes .
1.1 stevesk 207: .It Cm DenyGroups
208: This keyword can be followed by a list of group name patterns, separated
209: by spaces.
210: Login is disallowed for users whose primary group or supplementary
211: group list matches one of the patterns.
212: .Ql \&*
213: and
1.16 mouring 214: .Ql \&?
1.1 stevesk 215: can be used as
216: wildcards in the patterns.
217: Only group names are valid; a numerical group ID is not recognized.
218: By default, login is allowed for all groups.
219: .Pp
220: .It Cm DenyUsers
221: This keyword can be followed by a list of user name patterns, separated
222: by spaces.
223: Login is disallowed for user names that match one of the patterns.
224: .Ql \&*
225: and
1.16 mouring 226: .Ql \&?
1.1 stevesk 227: can be used as wildcards in the patterns.
228: Only user names are valid; a numerical user ID is not recognized.
229: By default, login is allowed for all users.
230: If the pattern takes the form USER@HOST then USER and HOST
231: are separately checked, restricting logins to particular
232: users from particular hosts.
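.Pp
Added example, not part of this manual page or of OpenSSH: the pattern matching shared by AcceptEnv (above) and the AllowUsers, DenyUsers, AllowGroups and DenyGroups lists, in Python.
Only * and ? are wildcards, matching is case-sensitive, and a USER@HOST pattern is checked in two halves.
The user names, hosts, groups and client environment are constructed; evaluating deny lists before allow lists is an assumption made here, since the page states no order.

```python
# Added example (not from the manual page or OpenSSH): '*' / '?' pattern
# matching for AcceptEnv and the Allow/Deny user and group lists.
import re


def wildcard_match(pattern, text):
    """True if text matches pattern; '*' matches any run, '?' one character,
    everything else literally (arguments are case-sensitive)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text) is not None


def matches_any(patterns, text):
    return any(wildcard_match(p, text) for p in patterns)


def user_allowed(user, host, allow_users=(), deny_users=()):
    """Apply AllowUsers/DenyUsers to a login attempt from `host` as `user`.

    USER@HOST patterns are split and the halves checked separately against
    the user name and the client host. Deny-before-allow is assumed here.
    """
    def hit(pattern):
        if "@" in pattern:
            upat, hpat = pattern.split("@", 1)
            return wildcard_match(upat, user) and wildcard_match(hpat, host)
        return wildcard_match(pattern, user)

    if any(hit(p) for p in deny_users):
        return False
    if allow_users and not any(hit(p) for p in allow_users):
        return False
    return True


def group_allowed(user_groups, allow_groups=(), deny_groups=()):
    """AllowGroups/DenyGroups: the primary or any supplementary group of the
    user matching a pattern counts as a match. Deny-before-allow assumed."""
    if any(matches_any(deny_groups, g) for g in user_groups):
        return False
    if allow_groups and not any(matches_any(allow_groups, g) for g in user_groups):
        return False
    return True


def accepted_env(accept_env_patterns, client_env):
    """Keep only client environment variables whose *name* matches AcceptEnv.

    Values are never inspected, which is why a broad pattern such as '*'
    lets through names like LD_PRELOAD that the page warns about.
    """
    return {name: value for name, value in client_env.items()
            if matches_any(accept_env_patterns, name)}
```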
233: .It Cm GatewayPorts
234: Specifies whether remote hosts are allowed to connect to ports
235: forwarded for the client.
236: By default,
237: .Nm sshd
1.15 jmc 238: binds remote port forwardings to the loopback address.
239: This prevents other remote hosts from connecting to forwarded ports.
1.1 stevesk 240: .Cm GatewayPorts
241: can be used to specify that
242: .Nm sshd
243: should bind remote port forwardings to the wildcard address,
244: thus allowing remote hosts to connect to forwarded ports.
245: The argument must be
246: .Dq yes
247: or
248: .Dq no .
249: The default is
250: .Dq no .
1.23 markus 251: .It Cm GSSAPIAuthentication
1.25 markus 252: Specifies whether user authentication based on GSSAPI is allowed.
1.26 djm 253: The default is
1.23 markus 254: .Dq no .
255: Note that this option applies to protocol version 2 only.
256: .It Cm GSSAPICleanupCredentials
257: Specifies whether to automatically destroy the user's credentials cache
258: on logout.
259: The default is
260: .Dq yes .
261: Note that this option applies to protocol version 2 only.
1.1 stevesk 262: .It Cm HostbasedAuthentication
263: Specifies whether rhosts or /etc/hosts.equiv authentication together
264: with successful public key client host authentication is allowed
265: (hostbased authentication).
266: This option is similar to
267: .Cm RhostsRSAAuthentication
268: and applies to protocol version 2 only.
269: The default is
270: .Dq no .
271: .It Cm HostKey
272: Specifies a file containing a private host key
273: used by SSH.
274: The default is
275: .Pa /etc/ssh/ssh_host_key
276: for protocol version 1, and
277: .Pa /etc/ssh/ssh_host_rsa_key
278: and
279: .Pa /etc/ssh/ssh_host_dsa_key
280: for protocol version 2.
281: Note that
282: .Nm sshd
283: will refuse to use a file if it is group/world-accessible.
284: It is possible to have multiple host key files.
285: .Dq rsa1
286: keys are used for version 1 and
287: .Dq dsa
288: or
289: .Dq rsa
290: are used for version 2 of the SSH protocol.
291: .It Cm IgnoreRhosts
292: Specifies that
293: .Pa .rhosts
294: and
295: .Pa .shosts
296: files will not be used in
297: .Cm RhostsRSAAuthentication
298: or
299: .Cm HostbasedAuthentication .
300: .Pp
301: .Pa /etc/hosts.equiv
302: and
303: .Pa /etc/shosts.equiv
304: are still used.
305: The default is
306: .Dq yes .
307: .It Cm IgnoreUserKnownHosts
308: Specifies whether
309: .Nm sshd
310: should ignore the user's
311: .Pa $HOME/.ssh/known_hosts
312: during
313: .Cm RhostsRSAAuthentication
314: or
315: .Cm HostbasedAuthentication .
316: The default is
317: .Dq no .
318: .It Cm KerberosAuthentication
1.24 markus 319: Specifies whether the password provided by the user for
1.1 stevesk 320: .Cm PasswordAuthentication
1.24 markus 321: will be validated through the Kerberos KDC.
1.1 stevesk 322: To use this option, the server needs a
323: Kerberos servtab which allows the verification of the KDC's identity.
1.29 dtucker 324: Default is
325: .Dq no .
326: .It Cm KerberosGetAFSToken
327: If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
328: an AFS token before accessing the user's home directory.
1.1 stevesk 329: Default is
330: .Dq no .
331: .It Cm KerberosOrLocalPasswd
332: If set, then when password authentication through Kerberos fails,
333: the password will be validated via any additional local mechanism
334: such as
335: .Pa /etc/passwd .
336: Default is
337: .Dq yes .
338: .It Cm KerberosTicketCleanup
339: Specifies whether to automatically destroy the user's ticket cache
340: file on logout.
341: Default is
342: .Dq yes .
343: .It Cm KeyRegenerationInterval
344: In protocol version 1, the ephemeral server key is automatically regenerated
345: after this many seconds (if it has been used).
346: The purpose of regeneration is to prevent
347: decrypting captured sessions by later breaking into the machine and
348: stealing the keys.
349: The key is never stored anywhere.
350: If the value is 0, the key is never regenerated.
351: The default is 3600 (seconds).
352: .It Cm ListenAddress
353: Specifies the local addresses
354: .Nm sshd
355: should listen on.
356: The following forms may be used:
357: .Pp
358: .Bl -item -offset indent -compact
359: .It
360: .Cm ListenAddress
361: .Sm off
362: .Ar host No | Ar IPv4_addr No | Ar IPv6_addr
363: .Sm on
364: .It
365: .Cm ListenAddress
366: .Sm off
367: .Ar host No | Ar IPv4_addr No : Ar port
368: .Sm on
369: .It
370: .Cm ListenAddress
371: .Sm off
372: .Oo
373: .Ar host No | Ar IPv6_addr Oc : Ar port
374: .Sm on
375: .El
376: .Pp
377: If
378: .Ar port
379: is not specified,
380: .Nm sshd
381: will listen on the address and all prior
382: .Cm Port
1.17 jmc 383: options specified.
384: The default is to listen on all local addresses.
1.15 jmc 385: Multiple
1.1 stevesk 386: .Cm ListenAddress
1.17 jmc 387: options are permitted.
388: Additionally, any
1.1 stevesk 389: .Cm Port
390: options must precede this option for addresses that do not specify a port.
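.Pp
Added example, not part of this manual page or of OpenSSH: a Python parser for the three ListenAddress forms listed above, together with the ordering rule that a ListenAddress without a port uses every Port option that precedes it.
The directive lists are constructed; falling back to port 22 when no Port precedes such a ListenAddress, and the "*" placeholder for "all local addresses", are assumptions made here.

```python
# Added example (not from the manual page or OpenSSH): ListenAddress forms
# and the Port-before-ListenAddress ordering rule.

DEFAULT_PORT = 22   # documented Port default; using it as fallback is assumed


def parse_listen_address(arg):
    """Return (host, port_or_None) for the forms host, IPv4, IPv6,
    host:port, IPv4:port and [IPv6]:port."""
    if arg.startswith("["):
        end = arg.find("]")
        if end < 0:
            raise ValueError(f"unterminated '[' in ListenAddress {arg!r}")
        host, rest = arg[1:end], arg[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError(f"bad port in ListenAddress {arg!r}")
        return host, int(rest[1:])
    if arg.count(":") >= 2:
        return arg, None          # bare IPv6 address: the colons belong to it
    host, sep, port = arg.partition(":")
    if not sep:
        return host, None
    if not port.isdigit():
        raise ValueError(f"bad port in ListenAddress {arg!r}")
    return host, int(port)


def listen_sockets(directives):
    """Walk (keyword, argument) pairs in file order and return the
    (host, port) pairs that would be bound. `directives` is constructed."""
    ports = []
    sockets = []
    for keyword, argument in directives:
        kw = keyword.lower()
        if kw == "port":
            ports.append(int(argument))
        elif kw == "listenaddress":
            host, port = parse_listen_address(argument)
            if port is not None:
                sockets.append((host, port))
            else:
                # No port given: use every Port seen so far (fallback assumed).
                for p in (ports or [DEFAULT_PORT]):
                    sockets.append((host, p))
    if not sockets:
        # No ListenAddress at all: all local addresses, every Port.
        sockets = [("*", p) for p in (ports or [DEFAULT_PORT])]
    return sockets
```
The second list in the test shows the ordering pitfall: a Port that follows a port-less ListenAddress does not apply to it.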
391: .It Cm LoginGraceTime
392: The server disconnects after this time if the user has not
393: successfully logged in.
394: If the value is 0, there is no time limit.
1.12 stevesk 395: The default is 120 seconds.
1.1 stevesk 396: .It Cm LogLevel
397: Gives the verbosity level that is used when logging messages from
398: .Nm sshd .
399: The possible values are:
400: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
1.15 jmc 401: The default is INFO.
402: DEBUG and DEBUG1 are equivalent.
403: DEBUG2 and DEBUG3 each specify higher levels of debugging output.
404: Logging with a DEBUG level violates the privacy of users and is not recommended.
1.1 stevesk 405: .It Cm MACs
406: Specifies the available MAC (message authentication code) algorithms.
407: The MAC algorithm is used in protocol version 2
408: for data integrity protection.
409: Multiple algorithms must be comma-separated.
410: The default is
411: .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
412: .It Cm MaxStartups
413: Specifies the maximum number of concurrent unauthenticated connections to the
414: .Nm sshd
415: daemon.
416: Additional connections will be dropped until authentication succeeds or the
417: .Cm LoginGraceTime
418: expires for a connection.
419: The default is 10.
420: .Pp
421: Alternatively, random early drop can be enabled by specifying
422: the three colon separated values
423: .Dq start:rate:full
424: (e.g., "10:30:60").
425: .Nm sshd
426: will refuse connection attempts with a probability of
427: .Dq rate/100
428: (30%)
429: if there are currently
430: .Dq start
431: (10)
432: unauthenticated connections.
433: The probability increases linearly and all connection attempts
434: are refused if the number of unauthenticated connections reaches
435: .Dq full
436: (60).
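.Pp
Added example, not part of this manual page or of OpenSSH: the random early drop arithmetic described above, written out in Python.
The refusal probability is the linear ramp the text describes: rate/100 at "start", rising to certainty at "full", and zero below "start".
Treating a bare number as "start = full = number" (a hard limit with no random drop) and the argument checks are choices made here.

```python
# Added example (not from the manual page or OpenSSH): MaxStartups parsing
# and the start:rate:full random early drop probability.
import random


def parse_max_startups(value):
    """Return (start, rate, full) from '10' or '10:30:60'.

    A bare number is taken as start = full = number, i.e. every connection
    beyond the limit is dropped (rate 100), which is this example's reading
    of "additional connections will be dropped".
    """
    fields = value.split(":")
    if len(fields) == 1:
        n = int(fields[0])
        return (n, 100, n)
    if len(fields) != 3:
        raise ValueError(f"MaxStartups: expected start:rate:full, got {value!r}")
    start, rate, full = (int(f) for f in fields)
    if not (0 < start <= full) or not (0 <= rate <= 100):
        raise ValueError(f"MaxStartups: inconsistent values {value!r}")
    return start, rate, full


def drop_probability(unauthenticated, start, rate, full):
    """Probability that a new connection attempt is refused, given the
    current number of unauthenticated connections."""
    if unauthenticated < start:
        return 0.0
    if unauthenticated >= full:
        return 1.0
    # Linear interpolation between rate% at `start` and 100% at `full`.
    ramp = (100 - rate) * (unauthenticated - start) / (full - start)
    return (rate + ramp) / 100


def should_drop(unauthenticated, start, rate, full, rng=random.random):
    """Coin flip against drop_probability; rng is injectable for testing."""
    return rng() < drop_probability(unauthenticated, start, rate, full)
```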
437: .It Cm PasswordAuthentication
438: Specifies whether password authentication is allowed.
439: The default is
440: .Dq yes .
441: .It Cm PermitEmptyPasswords
442: When password authentication is allowed, it specifies whether the
443: server allows login to accounts with empty password strings.
444: The default is
445: .Dq no .
446: .It Cm PermitRootLogin
447: Specifies whether root can log in using
448: .Xr ssh 1 .
449: The argument must be
450: .Dq yes ,
451: .Dq without-password ,
452: .Dq forced-commands-only
453: or
454: .Dq no .
455: The default is
456: .Dq yes .
457: .Pp
458: If this option is set to
459: .Dq without-password
460: password authentication is disabled for root.
461: .Pp
462: If this option is set to
463: .Dq forced-commands-only
464: root login with public key authentication will be allowed,
465: but only if the
466: .Ar command
467: option has been specified
468: (which may be useful for taking remote backups even if root login is
1.17 jmc 469: normally not allowed).
470: All other authentication methods are disabled for root.
1.1 stevesk 471: .Pp
472: If this option is set to
473: .Dq no
474: root is not allowed to log in.
1.6 markus 475: .It Cm PermitUserEnvironment
476: Specifies whether
477: .Pa ~/.ssh/environment
1.9 stevesk 478: and
1.6 markus 479: .Cm environment=
480: options in
481: .Pa ~/.ssh/authorized_keys
1.9 stevesk 482: are processed by
483: .Nm sshd .
1.6 markus 484: The default is
485: .Dq no .
1.9 stevesk 486: Enabling environment processing may enable users to bypass access
487: restrictions in some configurations using mechanisms such as
488: .Ev LD_PRELOAD .
1.1 stevesk 489: .It Cm PidFile
1.4 stevesk 490: Specifies the file that contains the process ID of the
1.1 stevesk 491: .Nm sshd
492: daemon.
493: The default is
494: .Pa /var/run/sshd.pid .
495: .It Cm Port
496: Specifies the port number that
497: .Nm sshd
498: listens on.
499: The default is 22.
500: Multiple options of this type are permitted.
501: See also
502: .Cm ListenAddress .
503: .It Cm PrintLastLog
504: Specifies whether
505: .Nm sshd
506: should print the date and time when the user last logged in.
507: The default is
508: .Dq yes .
509: .It Cm PrintMotd
510: Specifies whether
511: .Nm sshd
512: should print
513: .Pa /etc/motd
514: when a user logs in interactively.
515: (On some systems it is also printed by the shell,
516: .Pa /etc/profile ,
517: or equivalent.)
518: The default is
519: .Dq yes .
520: .It Cm Protocol
521: Specifies the protocol versions
522: .Nm sshd
1.5 stevesk 523: supports.
1.1 stevesk 524: The possible values are
525: .Dq 1
526: and
527: .Dq 2 .
528: Multiple versions must be comma-separated.
529: The default is
530: .Dq 2,1 .
1.5 stevesk 531: Note that the order of the protocol list does not indicate preference,
532: because the client selects among multiple protocol versions offered
533: by the server.
534: Specifying
535: .Dq 2,1
536: is identical to
537: .Dq 1,2 .
1.1 stevesk 538: .It Cm PubkeyAuthentication
539: Specifies whether public key authentication is allowed.
540: The default is
541: .Dq yes .
542: Note that this option applies to protocol version 2 only.
543: .It Cm RhostsRSAAuthentication
544: Specifies whether rhosts or /etc/hosts.equiv authentication together
545: with successful RSA host authentication is allowed.
546: The default is
547: .Dq no .
548: This option applies to protocol version 1 only.
549: .It Cm RSAAuthentication
550: Specifies whether pure RSA authentication is allowed.
551: The default is
552: .Dq yes .
553: This option applies to protocol version 1 only.
554: .It Cm ServerKeyBits
555: Defines the number of bits in the ephemeral protocol version 1 server key.
556: The minimum value is 512, and the default is 768.
557: .It Cm StrictModes
558: Specifies whether
559: .Nm sshd
560: should check file modes and ownership of the
561: user's files and home directory before accepting login.
562: This is normally desirable because novices sometimes accidentally leave their
563: directory or files world-writable.
564: The default is
565: .Dq yes .
566: .It Cm Subsystem
567: Configures an external subsystem (e.g., file transfer daemon).
568: Arguments should be a subsystem name and a command to execute upon subsystem
569: request.
570: The command
571: .Xr sftp-server 8
572: implements the
573: .Dq sftp
574: file transfer subsystem.
575: By default no subsystems are defined.
576: Note that this option applies to protocol version 2 only.
577: .It Cm SyslogFacility
578: Gives the facility code that is used when logging messages from
579: .Nm sshd .
580: The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
581: LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
582: The default is AUTH.
1.27 markus 583: .It Cm TCPKeepAlive
584: Specifies whether the system should send TCP keepalive messages to the
585: other side.
586: If they are sent, death of the connection or crash of one
587: of the machines will be properly noticed.
588: However, this means that
589: connections will die if the route is down temporarily, and some people
590: find it annoying.
591: On the other hand, if TCP keepalives are not sent,
592: sessions may hang indefinitely on the server, leaving
593: .Dq ghost
594: users and consuming server resources.
595: .Pp
596: The default is
597: .Dq yes
598: (to send TCP keepalive messages), and the server will notice
599: if the network goes down or the client host crashes.
600: This avoids infinitely hanging sessions.
601: .Pp
602: To disable TCP keepalive messages, the value should be set to
603: .Dq no .
1.18 markus 604: .It Cm UseDNS
605: Specifies whether
606: .Nm sshd
607: should look up the remote host name and check that
608: the resolved host name for the remote IP address maps back to the
609: very same IP address.
610: The default is
611: .Dq yes .
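.Pp
Added example, not part of this manual page or of OpenSSH: the reverse-then-forward consistency check described above, in Python, with the resolver replaced by constructed PTR and address records so that it runs offline.
Canonicalising addresses through the ipaddress module before comparing them is a detail added here.

```python
# Added example (not from the manual page or OpenSSH): the UseDNS check that
# a reverse-resolved name maps forward to the same address.
import ipaddress

# Constructed reverse (PTR) and forward (A) records for the demonstration.
PTR_RECORDS = {
    "192.0.2.10": "good.example.net",
    "192.0.2.11": "spoof.example.net",   # name whose forward record points elsewhere
    "192.0.2.12": "multi.example.net",
}
FORWARD_RECORDS = {
    "good.example.net": ["192.0.2.10"],
    "spoof.example.net": ["198.51.100.7"],
    "multi.example.net": ["192.0.2.99", "192.0.2.12"],
}


def lookup_ptr(ip, ptr=PTR_RECORDS):
    return ptr.get(ip)


def lookup_forward(name, fwd=FORWARD_RECORDS):
    return fwd.get(name, [])


def resolve_client_name(ip, ptr=lookup_ptr, fwd=lookup_forward):
    """Return the verified host name for `ip`, or the address itself.

    The reverse-lookup name is accepted only if a forward lookup of that
    name contains the original address; otherwise the bare address is used,
    so a forged PTR record cannot plant a false name in log lines or in
    host-based checks.
    """
    ip = str(ipaddress.ip_address(ip))     # canonical text form
    name = ptr(ip)
    if name is None:
        return ip
    forward = {str(ipaddress.ip_address(a)) for a in fwd(name)}
    return name if ip in forward else ip
```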
1.1 stevesk 612: .It Cm UseLogin
613: Specifies whether
614: .Xr login 1
615: is used for interactive login sessions.
616: The default is
617: .Dq no .
618: Note that
619: .Xr login 1
620: is never used for remote command execution.
621: Note also that if this is enabled,
622: .Cm X11Forwarding
623: will be disabled because
624: .Xr login 1
625: does not know how to handle
626: .Xr xauth 1
1.15 jmc 627: cookies.
628: If
1.1 stevesk 629: .Cm UsePrivilegeSeparation
630: is specified, it will be disabled after authentication.
631: .It Cm UsePrivilegeSeparation
632: Specifies whether
633: .Nm sshd
1.2 stevesk 634: separates privileges by creating an unprivileged child process
1.15 jmc 635: to deal with incoming network traffic.
636: After successful authentication, another process will be created that has
637: the privilege of the authenticated user.
638: The goal of privilege separation is to prevent privilege
1.1 stevesk 639: escalation by containing any corruption within the unprivileged processes.
640: The default is
641: .Dq yes .
642: .It Cm X11DisplayOffset
643: Specifies the first display number available for
644: .Nm sshd Ns 's
645: X11 forwarding.
646: This prevents
647: .Nm sshd
648: from interfering with real X11 servers.
649: The default is 10.
650: .It Cm X11Forwarding
651: Specifies whether X11 forwarding is permitted.
1.13 stevesk 652: The argument must be
653: .Dq yes
654: or
655: .Dq no .
1.1 stevesk 656: The default is
657: .Dq no .
1.13 stevesk 658: .Pp
659: When X11 forwarding is enabled, there may be additional exposure to
660: the server and to client displays if the
661: .Nm sshd
662: proxy display is configured to listen on the wildcard address (see
663: .Cm X11UseLocalhost
664: below); however, this is not the default.
665: Additionally, the authentication spoofing and authentication data
666: verification and substitution occur on the client side.
667: The security risk of using X11 forwarding is that the client's X11
668: display server may be exposed to attack when the ssh client requests
669: forwarding (see the warnings for
670: .Cm ForwardX11
671: in
1.19 jmc 672: .Xr ssh_config 5 ) .
1.13 stevesk 673: A system administrator may have a stance in which they want to
674: protect clients that may expose themselves to attack by unwittingly
675: requesting X11 forwarding, which can warrant a
676: .Dq no
677: setting.
678: .Pp
679: Note that disabling X11 forwarding does not prevent users from
680: forwarding X11 traffic, as users can always install their own forwarders.
1.1 stevesk 681: X11 forwarding is automatically disabled if
682: .Cm UseLogin
683: is enabled.
684: .It Cm X11UseLocalhost
685: Specifies whether
686: .Nm sshd
687: should bind the X11 forwarding server to the loopback address or to
1.15 jmc 688: the wildcard address.
689: By default,
1.1 stevesk 690: .Nm sshd
691: binds the forwarding server to the loopback address and sets the
692: hostname part of the
693: .Ev DISPLAY
694: environment variable to
695: .Dq localhost .
1.8 stevesk 696: This prevents remote hosts from connecting to the proxy display.
1.1 stevesk 697: However, some older X11 clients may not function with this
698: configuration.
699: .Cm X11UseLocalhost
700: may be set to
701: .Dq no
702: to specify that the forwarding server should be bound to the wildcard
703: address.
704: The argument must be
705: .Dq yes
706: or
707: .Dq no .
708: The default is
709: .Dq yes .
710: .It Cm XAuthLocation
1.11 stevesk 711: Specifies the full pathname of the
1.1 stevesk 712: .Xr xauth 1
713: program.
714: The default is
715: .Pa /usr/X11R6/bin/xauth .
716: .El
717: .Ss Time Formats
718: .Nm sshd
719: command-line arguments and configuration file options that specify time
720: may be expressed using a sequence of the form:
721: .Sm off
1.7 stevesk 722: .Ar time Op Ar qualifier ,
1.1 stevesk 723: .Sm on
724: where
725: .Ar time
726: is a positive integer value and
727: .Ar qualifier
728: is one of the following:
729: .Pp
730: .Bl -tag -width Ds -compact -offset indent
731: .It Cm <none>
732: seconds
733: .It Cm s | Cm S
734: seconds
735: .It Cm m | Cm M
736: minutes
737: .It Cm h | Cm H
738: hours
739: .It Cm d | Cm D
740: days
741: .It Cm w | Cm W
742: weeks
743: .El
744: .Pp
745: Each member of the sequence is added together to calculate
746: the total time value.
747: .Pp
748: Time format examples:
749: .Pp
750: .Bl -tag -width Ds -compact -offset indent
751: .It 600
752: 600 seconds (10 minutes)
753: .It 10m
754: 10 minutes
755: .It 1h30m
756: 1 hour 30 minutes (90 minutes)
757: .El
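.Pp
Added example, not part of this manual page or of OpenSSH: a Python parser for the time format described in this subsection.
Each member of the sequence is an integer followed by an optional qualifier, the members are summed, and anything else is rejected; accepting 0 (used by options such as LoginGraceTime) is a choice made here.

```python
# Added example (not from the manual page or OpenSSH): parser for the
# time[qualifier] sequence format used by sshd time options.
import re

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MEMBER = re.compile(r"(\d+)([smhdwSMHDW]?)")


def parse_time(spec):
    """Convert '600', '10m', '1h30m', '2W' ... to a number of seconds.

    Raises ValueError on anything that is not a sequence of time members.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty time specification")
    total = 0
    pos = 0
    while pos < len(spec):
        m = _MEMBER.match(spec, pos)
        if m is None:
            raise ValueError(f"bad time specification {spec!r} at offset {pos}")
        value, qualifier = int(m.group(1)), m.group(2).lower()
        total += value * _UNIT_SECONDS[qualifier]
        pos = m.end()
    return total


def is_valid_time(spec):
    """True if `spec` parses as a time value."""
    try:
        parse_time(spec)
    except ValueError:
        return False
    return True
```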
758: .Sh FILES
759: .Bl -tag -width Ds
760: .It Pa /etc/ssh/sshd_config
761: Contains configuration data for
762: .Nm sshd .
763: This file should be writable by root only, but it is recommended
764: (though not necessary) that it be world-readable.
765: .El
1.19 jmc 766: .Sh SEE ALSO
767: .Xr sshd 8
1.1 stevesk 768: .Sh AUTHORS
769: OpenSSH is a derivative of the original and free
770: ssh 1.2.12 release by Tatu Ylonen.
771: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
772: Theo de Raadt and Dug Song
773: removed many bugs, re-added newer features and
774: created OpenSSH.
775: Markus Friedl contributed the support for SSH
776: protocol versions 1.5 and 2.0.
777: Niels Provos and Markus Friedl contributed support
778: for privilege separation.