Annotation of src/usr.bin/ssh/sshd_config.5, Revision 1.78
1.1 stevesk 1: .\" -*- nroff -*-
2: .\"
3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: .\" All rights reserved
6: .\"
7: .\" As far as I am concerned, the code I have written for this software
8: .\" can be used freely for any purpose. Any derived versions of this
9: .\" software must be clearly marked as such, and if the derived work is
10: .\" incompatible with the protocol description in the RFC file, it must be
11: .\" called by a name other than "ssh" or "Secure Shell".
12: .\"
13: .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14: .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15: .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16: .\"
17: .\" Redistribution and use in source and binary forms, with or without
18: .\" modification, are permitted provided that the following conditions
19: .\" are met:
20: .\" 1. Redistributions of source code must retain the above copyright
21: .\" notice, this list of conditions and the following disclaimer.
22: .\" 2. Redistributions in binary form must reproduce the above copyright
23: .\" notice, this list of conditions and the following disclaimer in the
24: .\" documentation and/or other materials provided with the distribution.
25: .\"
26: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36: .\"
1.78 ! djm 37: .\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $
! 38: .Dd $Mdocdate: June 8 2007 $
1.1 stevesk 39: .Dt SSHD_CONFIG 5
40: .Os
41: .Sh NAME
42: .Nm sshd_config
43: .Nd OpenSSH SSH daemon configuration file
44: .Sh SYNOPSIS
1.71 jmc 45: .Nm /etc/ssh/sshd_config
1.1 stevesk 46: .Sh DESCRIPTION
1.53 jmc 47: .Xr sshd 8
1.1 stevesk 48: reads configuration data from
49: .Pa /etc/ssh/sshd_config
50: (or the file specified with
51: .Fl f
52: on the command line).
53: The file contains keyword-argument pairs, one per line.
54: Lines starting with
55: .Ql #
56: and empty lines are interpreted as comments.
1.56 dtucker 57: Arguments may optionally be enclosed in double quotes
58: .Pq \&"
59: in order to represent arguments containing spaces.
1.1 stevesk 60: .Pp
61: The possible
62: keywords and their meanings are as follows (note that
63: keywords are case-insensitive and arguments are case-sensitive):
64: .Bl -tag -width Ds
1.30 djm 65: .It Cm AcceptEnv
66: Specifies what environment variables sent by the client will be copied into
67: the session's
68: .Xr environ 7 .
69: See
70: .Cm SendEnv
71: in
72: .Xr ssh_config 5
73: for how to configure the client.
1.31 djm 74: Note that environment passing is only supported for protocol 2.
1.30 djm 75: Variables are specified by name, which may contain the wildcard characters
1.51 jmc 76: .Ql *
1.30 djm 77: and
78: .Ql \&? .
1.31 djm 79: Multiple environment variables may be separated by whitespace or spread
1.30 djm 80: across multiple
81: .Cm AcceptEnv
82: directives.
1.31 djm 83: Be warned that some environment variables could be used to bypass restricted
1.30 djm 84: user environments.
85: For this reason, care should be taken in the use of this directive.
86: The default is not to accept any environment variables.
1.37 djm 87: .It Cm AddressFamily
88: Specifies which address family should be used by
1.53 jmc 89: .Xr sshd 8 .
1.37 djm 90: Valid arguments are
91: .Dq any ,
92: .Dq inet
1.52 jmc 93: (use IPv4 only), or
1.37 djm 94: .Dq inet6
95: (use IPv6 only).
96: The default is
97: .Dq any .
1.1 stevesk 98: .It Cm AllowGroups
99: This keyword can be followed by a list of group name patterns, separated
100: by spaces.
101: If specified, login is allowed only for users whose primary
102: group or supplementary group list matches one of the patterns.
103: Only group names are valid; a numerical group ID is not recognized.
104: By default, login is allowed for all groups.
1.54 jmc 105: The allow/deny directives are processed in the following order:
106: .Cm DenyUsers ,
107: .Cm AllowUsers ,
108: .Cm DenyGroups ,
109: and finally
110: .Cm AllowGroups .
1.49 jmc 111: .Pp
112: See
113: .Sx PATTERNS
114: in
115: .Xr ssh_config 5
116: for more information on patterns.
1.1 stevesk 117: .It Cm AllowTcpForwarding
118: Specifies whether TCP forwarding is permitted.
119: The default is
120: .Dq yes .
121: Note that disabling TCP forwarding does not improve security unless
122: users are also denied shell access, as they can always install their
123: own forwarders.
124: .It Cm AllowUsers
125: This keyword can be followed by a list of user name patterns, separated
126: by spaces.
1.14 jmc 127: If specified, login is allowed only for user names that
1.1 stevesk 128: match one of the patterns.
129: Only user names are valid; a numerical user ID is not recognized.
130: By default, login is allowed for all users.
131: If the pattern takes the form USER@HOST then USER and HOST
132: are separately checked, restricting logins to particular
133: users from particular hosts.
1.54 jmc 134: The allow/deny directives are processed in the following order:
135: .Cm DenyUsers ,
136: .Cm AllowUsers ,
137: .Cm DenyGroups ,
138: and finally
139: .Cm AllowGroups .
1.49 jmc 140: .Pp
141: See
142: .Sx PATTERNS
143: in
144: .Xr ssh_config 5
145: for more information on patterns.
1.1 stevesk 146: .It Cm AuthorizedKeysFile
147: Specifies the file that contains the public keys that can be used
148: for user authentication.
149: .Cm AuthorizedKeysFile
150: may contain tokens of the form %T which are substituted during connection
1.52 jmc 151: setup.
1.17 jmc 152: The following tokens are defined: %% is replaced by a literal '%',
1.52 jmc 153: %h is replaced by the home directory of the user being authenticated, and
1.1 stevesk 154: %u is replaced by the username of that user.
155: After expansion,
156: .Cm AuthorizedKeysFile
157: is taken to be an absolute path or one relative to the user's home
158: directory.
159: The default is
160: .Dq .ssh/authorized_keys .
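.Pp
As an added illustration that is not part of this manual page or of the OpenSSH sources, the following Python function applies the token expansion and the absolute-or-relative rule described above to a constructed account. The function name and the sample user and home directory are the example's own; an unknown token is treated as an error rather than passed through.

```python
import os.path


def expand_authorized_keys_file(template, user, home):
    """Expand the AuthorizedKeysFile tokens the manual page defines (%% -> '%',
    %h -> home directory, %u -> user name) and then apply its path rule: an
    absolute result is used as-is, anything else is relative to 'home'.
    An unknown token is rejected rather than silently passed through."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        if i + 1 == len(template):
            raise ValueError("trailing '%%' in AuthorizedKeysFile %r" % template)
        token = template[i + 1]
        if token == "%":
            out.append("%")
        elif token == "h":
            out.append(home)
        elif token == "u":
            out.append(user)
        else:
            raise ValueError("unknown token %%%s in AuthorizedKeysFile %r"
                             % (token, template))
        i += 2
    path = "".join(out)
    return path if path.startswith("/") else os.path.join(home, path)


if __name__ == "__main__":
    # Constructed account for the demonstration.
    user, home = "alice", "/home/alice"
    for template in (".ssh/authorized_keys",          # the default
                     "%h/.ssh/authorized_keys",       # same file, spelled out
                     "/etc/ssh/authorized_keys/%u"):  # root-owned per-user file
        print(template, "->", expand_authorized_keys_file(template, user, home))
```

The third template in the demonstration, a per-user file under a root-owned directory, is a common way to stop users from adding keys to their own accounts; whether that is wanted depends on the site.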
161: .It Cm Banner
162: The contents of the specified file are sent to the remote user before
163: authentication is allowed.
1.78 ! djm 164: If the argument is
! 165: .Dq none
! 166: then no banner is displayed.
1.1 stevesk 167: This option is only available for protocol version 2.
168: By default, no banner is displayed.
169: .It Cm ChallengeResponseAuthentication
1.50 jmc 170: Specifies whether challenge-response authentication is allowed.
1.1 stevesk 171: All authentication styles from
172: .Xr login.conf 5
173: are supported.
174: The default is
175: .Dq yes .
176: .It Cm Ciphers
177: Specifies the ciphers allowed for protocol version 2.
178: Multiple ciphers must be comma-separated.
1.34 dtucker 179: The supported ciphers are
180: .Dq 3des-cbc ,
181: .Dq aes128-cbc ,
182: .Dq aes192-cbc ,
183: .Dq aes256-cbc ,
184: .Dq aes128-ctr ,
185: .Dq aes192-ctr ,
186: .Dq aes256-ctr ,
1.43 djm 187: .Dq arcfour128 ,
188: .Dq arcfour256 ,
1.34 dtucker 189: .Dq arcfour ,
190: .Dq blowfish-cbc ,
191: and
192: .Dq cast128-cbc .
1.52 jmc 193: The default is:
194: .Bd -literal -offset 3n
195: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
196: arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
197: aes192-ctr,aes256-ctr
1.1 stevesk 198: .Ed
199: .It Cm ClientAliveCountMax
1.48 jmc 200: Sets the number of client alive messages (see below) which may be
1.1 stevesk 201: sent without
1.52 jmc 202: .Xr sshd 8
1.17 jmc 203: receiving any messages back from the client.
204: If this threshold is reached while client alive messages are being sent,
1.52 jmc 205: sshd will disconnect the client, terminating the session.
1.17 jmc 206: It is important to note that the use of client alive messages is very
207: different from
1.27 markus 208: .Cm TCPKeepAlive
1.17 jmc 209: (below).
210: The client alive messages are sent through the encrypted channel
211: and therefore will not be spoofable.
212: The TCP keepalive option enabled by
1.27 markus 213: .Cm TCPKeepAlive
1.17 jmc 214: is spoofable.
215: The client alive mechanism is valuable when the client or
1.1 stevesk 216: server depend on knowing when a connection has become inactive.
217: .Pp
1.17 jmc 218: The default value is 3.
219: If
1.1 stevesk 220: .Cm ClientAliveInterval
1.48 jmc 221: (see below) is set to 15, and
1.1 stevesk 222: .Cm ClientAliveCountMax
1.52 jmc 223: is left at the default, unresponsive SSH clients
1.1 stevesk 224: will be disconnected after approximately 45 seconds.
1.57 markus 225: This option applies to protocol version 2 only.
1.42 djm 226: .It Cm ClientAliveInterval
227: Sets a timeout interval in seconds after which if no data has been received
228: from the client,
1.52 jmc 229: .Xr sshd 8
1.42 djm 230: will send a message through the encrypted
231: channel to request a response from the client.
232: The default
233: is 0, indicating that these messages will not be sent to the client.
234: This option applies to protocol version 2 only.
1.3 markus 235: .It Cm Compression
1.44 markus 236: Specifies whether compression is allowed, or delayed until
237: the user has authenticated successfully.
1.3 markus 238: The argument must be
1.44 markus 239: .Dq yes ,
240: .Dq delayed ,
1.3 markus 241: or
242: .Dq no .
243: The default is
1.44 markus 244: .Dq delayed .
1.1 stevesk 245: .It Cm DenyGroups
246: This keyword can be followed by a list of group name patterns, separated
247: by spaces.
248: Login is disallowed for users whose primary group or supplementary
249: group list matches one of the patterns.
250: Only group names are valid; a numerical group ID is not recognized.
251: By default, login is allowed for all groups.
1.54 jmc 252: The allow/deny directives are processed in the following order:
253: .Cm DenyUsers ,
254: .Cm AllowUsers ,
255: .Cm DenyGroups ,
256: and finally
257: .Cm AllowGroups .
1.49 jmc 258: .Pp
259: See
260: .Sx PATTERNS
261: in
262: .Xr ssh_config 5
263: for more information on patterns.
1.1 stevesk 264: .It Cm DenyUsers
265: This keyword can be followed by a list of user name patterns, separated
266: by spaces.
267: Login is disallowed for user names that match one of the patterns.
268: Only user names are valid; a numerical user ID is not recognized.
269: By default, login is allowed for all users.
270: If the pattern takes the form USER@HOST then USER and HOST
271: are separately checked, restricting logins to particular
272: users from particular hosts.
1.54 jmc 273: The allow/deny directives are processed in the following order:
274: .Cm DenyUsers ,
275: .Cm AllowUsers ,
276: .Cm DenyGroups ,
277: and finally
278: .Cm AllowGroups .
1.49 jmc 279: .Pp
280: See
281: .Sx PATTERNS
282: in
283: .Xr ssh_config 5
284: for more information on patterns.
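.Pp
The evaluation order stated in the AllowGroups, AllowUsers, DenyGroups and DenyUsers entries above, as an added Python example that is not part of this manual page or of sshd(8) itself. It models the four directives with single patterns containing only the * and ? wildcards (negated patterns are not modelled), checks the HOST part of a USER@HOST pattern against the client's host name or its address, and returns the reason for a refusal. The function names, the policy and the connection attempts are constructed for the example.

```python
import re


def match_pattern(value, pattern):
    """One sshd-style pattern: '*' matches any run of characters, '?' one
    character, everything else is literal (case-sensitive)."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def match_user(user, host, addr, pattern):
    """An AllowUsers/DenyUsers entry: USER, or USER@HOST where HOST is
    checked against the client's host name or its IP address."""
    if "@" not in pattern:
        return match_pattern(user, pattern)
    upat, hpat = pattern.split("@", 1)
    return match_pattern(user, upat) and (
        match_pattern(host, hpat) or match_pattern(addr, hpat))


def login_permitted(user, groups, host, addr, deny_users=(), allow_users=(),
                    deny_groups=(), allow_groups=()):
    """Apply the directives in the order the manual page gives: DenyUsers,
    AllowUsers, DenyGroups, AllowGroups. Returns (permitted, reason).
    An unset Allow* directive permits everyone; only a non-empty Allow*
    list turns the policy into a whitelist."""
    if any(match_user(user, host, addr, p) for p in deny_users):
        return False, "listed in DenyUsers"
    if allow_users and not any(match_user(user, host, addr, p) for p in allow_users):
        return False, "not listed in AllowUsers"
    if any(match_pattern(g, p) for g in groups for p in deny_groups):
        return False, "a group is listed in DenyGroups"
    if allow_groups and not any(match_pattern(g, p) for g in groups for p in allow_groups):
        return False, "no group is listed in AllowGroups"
    return True, "allowed"


# Constructed policy: refuse the shared guest account and anything from one
# address, then whitelist named users (two of them only from certain hosts)
# and two groups.
POLICY = dict(
    deny_users=("guest", "*@10.0.0.13"),
    allow_users=("alice", "bob@*.corp.example", "deploy@192.168.1.*"),
    deny_groups=("contractors",),
    allow_groups=("ssh-users", "wheel"),
)

# Constructed connection attempts: (user, groups, client host name, client IP).
CASES = [
    ("alice", ["staff", "ssh-users"], "lt.corp.example", "10.0.0.5"),
    ("alice", ["ssh-users"], "kiosk.corp.example", "10.0.0.13"),
    ("bob", ["ssh-users"], "dev.corp.example", "192.0.2.4"),
    ("bob", ["ssh-users"], "dev.other.example", "192.0.2.5"),
    ("carol", ["wheel"], "lt.corp.example", "10.0.0.6"),
    ("alice", ["ssh-users", "contractors"], "lt.corp.example", "10.0.0.7"),
    ("deploy", ["staff"], "ci.corp.example", "192.168.1.20"),
]

if __name__ == "__main__":
    for user, groups, host, addr in CASES:
        print(user, host, addr, login_permitted(user, groups, host, addr, **POLICY))
```

Two consequences worth checking in a real policy: a DenyUsers entry wins over any AllowUsers entry, and an AllowUsers match is not enough on its own once AllowGroups is set, as the last case shows. Conversely, leaving the Allow* directives unset permits all users; the Allow* lists are what turn the policy into a whitelist.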
1.67 dtucker 285: .It Cm ForceCommand
286: Forces the execution of the command specified by
287: .Cm ForceCommand ,
288: ignoring any command supplied by the client.
289: The command is invoked by using the user's login shell with the -c option.
290: This applies to shell, command, or subsystem execution.
291: It is most useful inside a
292: .Cm Match
293: block.
294: The command originally supplied by the client is available in the
295: .Ev SSH_ORIGINAL_COMMAND
296: environment variable.
1.1 stevesk 297: .It Cm GatewayPorts
298: Specifies whether remote hosts are allowed to connect to ports
299: forwarded for the client.
300: By default,
1.52 jmc 301: .Xr sshd 8
1.15 jmc 302: binds remote port forwardings to the loopback address.
303: This prevents other remote hosts from connecting to forwarded ports.
1.1 stevesk 304: .Cm GatewayPorts
1.52 jmc 305: can be used to specify that sshd
1.39 djm 306: should allow remote port forwardings to bind to non-loopback addresses, thus
307: allowing other hosts to connect.
308: The argument may be
309: .Dq no
310: to force remote port forwardings to be available to the local host only,
1.1 stevesk 311: .Dq yes
1.39 djm 312: to force remote port forwardings to bind to the wildcard address, or
313: .Dq clientspecified
314: to allow the client to select the address to which the forwarding is bound.
1.1 stevesk 315: The default is
316: .Dq no .
1.23 markus 317: .It Cm GSSAPIAuthentication
1.25 markus 318: Specifies whether user authentication based on GSSAPI is allowed.
1.26 djm 319: The default is
1.23 markus 320: .Dq no .
321: Note that this option applies to protocol version 2 only.
322: .It Cm GSSAPICleanupCredentials
323: Specifies whether to automatically destroy the user's credentials cache
324: on logout.
325: The default is
326: .Dq yes .
327: Note that this option applies to protocol version 2 only.
1.1 stevesk 328: .It Cm HostbasedAuthentication
329: Specifies whether rhosts or /etc/hosts.equiv authentication together
330: with successful public key client host authentication is allowed
1.50 jmc 331: (host-based authentication).
1.1 stevesk 332: This option is similar to
333: .Cm RhostsRSAAuthentication
334: and applies to protocol version 2 only.
1.70 dtucker 335: The default is
336: .Dq no .
337: .It Cm HostbasedUsesNameFromPacketOnly
338: Specifies whether or not the server will attempt to perform a reverse
339: name lookup when matching the name in the
340: .Pa ~/.shosts ,
341: .Pa ~/.rhosts ,
342: and
343: .Pa /etc/hosts.equiv
344: files during
345: .Cm HostbasedAuthentication .
346: A setting of
347: .Dq yes
348: means that
349: .Xr sshd 8
350: uses the name supplied by the client rather than
351: attempting to resolve the name from the TCP connection itself.
1.1 stevesk 352: The default is
353: .Dq no .
354: .It Cm HostKey
355: Specifies a file containing a private host key
356: used by SSH.
357: The default is
358: .Pa /etc/ssh/ssh_host_key
359: for protocol version 1, and
360: .Pa /etc/ssh/ssh_host_rsa_key
361: and
362: .Pa /etc/ssh/ssh_host_dsa_key
363: for protocol version 2.
364: Note that
1.52 jmc 365: .Xr sshd 8
1.1 stevesk 366: will refuse to use a file if it is group/world-accessible.
367: It is possible to have multiple host key files.
368: .Dq rsa1
369: keys are used for version 1 and
370: .Dq dsa
371: or
372: .Dq rsa
373: are used for version 2 of the SSH protocol.
374: .It Cm IgnoreRhosts
375: Specifies that
376: .Pa .rhosts
377: and
378: .Pa .shosts
379: files will not be used in
380: .Cm RhostsRSAAuthentication
381: or
382: .Cm HostbasedAuthentication .
383: .Pp
384: .Pa /etc/hosts.equiv
385: and
386: .Pa /etc/shosts.equiv
387: are still used.
388: The default is
389: .Dq yes .
390: .It Cm IgnoreUserKnownHosts
391: Specifies whether
1.52 jmc 392: .Xr sshd 8
1.1 stevesk 393: should ignore the user's
1.41 djm 394: .Pa ~/.ssh/known_hosts
1.1 stevesk 395: during
396: .Cm RhostsRSAAuthentication
397: or
398: .Cm HostbasedAuthentication .
399: The default is
400: .Dq no .
401: .It Cm KerberosAuthentication
1.24 markus 402: Specifies whether the password provided by the user for
1.1 stevesk 403: .Cm PasswordAuthentication
1.24 markus 404: will be validated through the Kerberos KDC.
1.1 stevesk 405: To use this option, the server needs a
406: Kerberos servtab which allows the verification of the KDC's identity.
1.52 jmc 407: The default is
1.29 dtucker 408: .Dq no .
409: .It Cm KerberosGetAFSToken
1.45 djm 410: If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
1.29 dtucker 411: an AFS token before accessing the user's home directory.
1.52 jmc 412: The default is
1.1 stevesk 413: .Dq no .
414: .It Cm KerberosOrLocalPasswd
1.52 jmc 415: If password authentication through Kerberos fails then
1.1 stevesk 416: the password will be validated via any additional local mechanism
417: such as
418: .Pa /etc/passwd .
1.52 jmc 419: The default is
1.1 stevesk 420: .Dq yes .
421: .It Cm KerberosTicketCleanup
422: Specifies whether to automatically destroy the user's ticket cache
423: file on logout.
1.52 jmc 424: The default is
1.1 stevesk 425: .Dq yes .
426: .It Cm KeyRegenerationInterval
427: In protocol version 1, the ephemeral server key is automatically regenerated
428: after this many seconds (if it has been used).
429: The purpose of regeneration is to prevent
430: decrypting captured sessions by later breaking into the machine and
431: stealing the keys.
432: The key is never stored anywhere.
433: If the value is 0, the key is never regenerated.
434: The default is 3600 (seconds).
435: .It Cm ListenAddress
436: Specifies the local addresses
1.52 jmc 437: .Xr sshd 8
1.1 stevesk 438: should listen on.
439: The following forms may be used:
440: .Pp
441: .Bl -item -offset indent -compact
442: .It
443: .Cm ListenAddress
444: .Sm off
445: .Ar host No | Ar IPv4_addr No | Ar IPv6_addr
446: .Sm on
447: .It
448: .Cm ListenAddress
449: .Sm off
450: .Ar host No | Ar IPv4_addr No : Ar port
451: .Sm on
452: .It
453: .Cm ListenAddress
454: .Sm off
455: .Oo
456: .Ar host No | Ar IPv6_addr Oc : Ar port
457: .Sm on
458: .El
459: .Pp
460: If
461: .Ar port
462: is not specified,
1.52 jmc 463: sshd will listen on the address and all prior
1.1 stevesk 464: .Cm Port
1.17 jmc 465: options specified.
466: The default is to listen on all local addresses.
1.15 jmc 467: Multiple
1.1 stevesk 468: .Cm ListenAddress
1.17 jmc 469: options are permitted.
470: Additionally, any
1.1 stevesk 471: .Cm Port
1.52 jmc 472: options must precede this option for non-port qualified addresses.
1.1 stevesk 473: .It Cm LoginGraceTime
474: The server disconnects after this time if the user has not
475: successfully logged in.
476: If the value is 0, there is no time limit.
1.12 stevesk 477: The default is 120 seconds.
1.1 stevesk 478: .It Cm LogLevel
479: Gives the verbosity level that is used when logging messages from
1.53 jmc 480: .Xr sshd 8 .
1.1 stevesk 481: The possible values are:
1.52 jmc 482: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
1.15 jmc 483: The default is INFO.
484: DEBUG and DEBUG1 are equivalent.
485: DEBUG2 and DEBUG3 each specify higher levels of debugging output.
486: Logging with a DEBUG level violates the privacy of users and is not recommended.
1.1 stevesk 487: .It Cm MACs
488: Specifies the available MAC (message authentication code) algorithms.
489: The MAC algorithm is used in protocol version 2
490: for data integrity protection.
491: Multiple algorithms must be comma-separated.
1.52 jmc 492: The default is:
1.77 jmc 493: .Bd -literal -offset indent
494: hmac-md5,hmac-sha1,umac-64@openssh.com,
495: hmac-ripemd160,hmac-sha1-96,hmac-md5-96
496: .Ed
1.60 dtucker 497: .It Cm Match
1.61 jmc 498: Introduces a conditional block.
1.65 dtucker 499: If all of the criteria on the
1.60 dtucker 500: .Cm Match
1.65 dtucker 501: line are satisfied, the keywords on the following lines override those
502: set in the global section of the config file, until either another
1.60 dtucker 503: .Cm Match
1.65 dtucker 504: line or the end of the file.
1.61 jmc 505: The arguments to
1.60 dtucker 506: .Cm Match
1.65 dtucker 507: are one or more criteria-pattern pairs.
1.60 dtucker 508: The available criteria are
509: .Cm User ,
1.69 dtucker 510: .Cm Group ,
1.60 dtucker 511: .Cm Host ,
512: and
513: .Cm Address .
514: Only a subset of keywords may be used on the lines following a
515: .Cm Match
516: keyword.
517: Available keywords are
1.62 dtucker 518: .Cm AllowTcpForwarding ,
1.72 dtucker 519: .Cm Banner ,
1.67 dtucker 520: .Cm ForceCommand ,
1.62 dtucker 521: .Cm GatewayPorts ,
1.72 dtucker 522: .Cm GSSAPIAuthentication ,
1.74 jmc 523: .Cm KbdInteractiveAuthentication ,
1.72 dtucker 524: .Cm KerberosAuthentication ,
525: .Cm PasswordAuthentication ,
1.66 dtucker 526: .Cm PermitOpen ,
1.72 dtucker 527: .Cm RhostsRSAAuthentication ,
528: .Cm RSAAuthentication ,
1.66 dtucker 529: .Cm X11DisplayOffset ,
530: .Cm X11Forwarding ,
1.60 dtucker 531: and
1.66 dtucker 532: .Cm X11UseLocalhost .
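.Pp
The file syntax from DESCRIPTION (keyword-argument pairs, comment lines, double-quoted arguments, case-insensitive keywords) together with the Match semantics above, as an added Python example that is not part of this manual page or of OpenSSH. It parses a constructed sshd_config, rejects a keyword that the list above does not permit inside a Match block, evaluates every criteria-pattern pair against a connection (Group matches any of the user's groups; patterns are comma-separated lists with * and ? wildcards and ! negation as PATTERNS in ssh_config(5) describes) and reports the options that apply. Where more than one Match block matches, the example lets the first block that sets a keyword win; the page does not say what sshd(8) does in that case, so treat that as an assumption and test the real daemon. Function names and the sample configuration are the example's own.

```python
import re

# Keywords the Match entry above permits inside a block, lower-cased
# because keywords are case-insensitive.
MATCH_ALLOWED = {k.lower() for k in (
    "AllowTcpForwarding", "Banner", "ForceCommand", "GatewayPorts",
    "GSSAPIAuthentication", "KbdInteractiveAuthentication",
    "KerberosAuthentication", "PasswordAuthentication", "PermitOpen",
    "RhostsRSAAuthentication", "RSAAuthentication", "X11DisplayOffset",
    "X11Forwarding", "X11UseLocalhost")}
MATCH_CRITERIA = ("user", "group", "host", "address")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Keyword and arguments of one line. A double-quoted argument may
    contain spaces; arguments keep their case, the keyword does not."""
    toks = [quoted if bare == "" else bare for quoted, bare in TOKEN.findall(line)]
    return toks[0].lower(), toks[1:]


def parse_config(text):
    """Return (global options, [(criteria, options), ...]). Within a section
    the first occurrence of a keyword wins, as in sshd, which only fills an
    option that is still unset; a later duplicate is silently ignored."""
    glob, blocks, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, args = tokenize(line)
        if key == "match":
            if not args or len(args) % 2:
                raise ValueError("line %d: Match needs criteria-pattern pairs" % lineno)
            crit = [(args[i].lower(), args[i + 1]) for i in range(0, len(args), 2)]
            bad = [c for c, _ in crit if c not in MATCH_CRITERIA]
            if bad:
                raise ValueError("line %d: unknown Match criteria %r" % (lineno, bad))
            current = (crit, {})
            blocks.append(current)
        elif current is None:
            glob.setdefault(key, args)
        elif key in MATCH_ALLOWED:
            current[1].setdefault(key, args)
        else:
            raise ValueError("line %d: %r not allowed within a Match block" % (lineno, key))
    return glob, blocks


def match_pattern_list(value, patterns):
    """Comma-separated list of patterns with '*' and '?' wildcards; a
    '!'-negated pattern that matches vetoes the whole list."""
    hit = False
    for pat in patterns.split(","):
        rx = re.escape(pat.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, value):
            if pat.startswith("!"):
                return False
            hit = True
    return hit


def effective_options(glob, blocks, user, groups, host, address):
    """Global section plus every Match block whose criteria all hold (Group
    holds if any of the user's groups matches). If several blocks match,
    the first one to set a keyword wins: an assumption of this example."""
    subject = {"user": [user], "group": list(groups),
               "host": [host], "address": [address]}
    eff, fixed = dict(glob), set()
    for crit, opts in blocks:
        if all(any(match_pattern_list(v, pat) for v in subject[c]) for c, pat in crit):
            for key, args in opts.items():
                if key not in fixed:
                    fixed.add(key)
                    eff[key] = args
    return eff


# Constructed sample configuration for the demonstration (not a real host).
SAMPLE = """\
# sftp-only accounts get a forced sftp-server and no forwarding;
# admin must use keys when coming from the management network.
PasswordAuthentication yes
AllowTcpForwarding yes
Subsystem sftp /usr/libexec/sftp-server

Match Group sftponly
    ForceCommand /usr/libexec/sftp-server
    AllowTcpForwarding no

Match User admin Address 10.0.0.*
    PasswordAuthentication no
    Banner "/etc/ssh/admin banner.txt"
"""


def decide(user, groups, host, address, text=SAMPLE):
    """Effective options for one connection against a config text."""
    glob, blocks = parse_config(text)
    return effective_options(glob, blocks, user, groups, host, address)


if __name__ == "__main__":
    print(decide("www", ["sftponly"], "h1.example", "198.51.100.7"))
    print(decide("admin", ["wheel"], "mgmt1.example", "10.0.0.12"))
    print(decide("admin", ["wheel"], "kiosk.example", "203.0.113.9"))
```

Because sshd only fills an option that is still unset, the parser keeps the first occurrence of a keyword within a section: appending PasswordAuthentication no to a file that already says yes higher up changes nothing, which is worth remembering when hardening an existing file. Note also that a Match block cannot carry AllowUsers or the other allow/deny directives; those remain global.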
1.33 dtucker 533: .It Cm MaxAuthTries
534: Specifies the maximum number of authentication attempts permitted per
1.35 jmc 535: connection.
536: Once the number of failures reaches half this value,
537: additional failures are logged.
538: The default is 6.
1.1 stevesk 539: .It Cm MaxStartups
540: Specifies the maximum number of concurrent unauthenticated connections to the
1.52 jmc 541: SSH daemon.
1.1 stevesk 542: Additional connections will be dropped until authentication succeeds or the
543: .Cm LoginGraceTime
544: expires for a connection.
545: The default is 10.
546: .Pp
547: Alternatively, random early drop can be enabled by specifying
548: the three colon separated values
549: .Dq start:rate:full
1.51 jmc 550: (e.g. "10:30:60").
1.53 jmc 551: .Xr sshd 8
1.1 stevesk 552: will refuse connection attempts with a probability of
553: .Dq rate/100
554: (30%)
555: if there are currently
556: .Dq start
557: (10)
558: unauthenticated connections.
559: The probability increases linearly and all connection attempts
560: are refused if the number of unauthenticated connections reaches
561: .Dq full
562: (60).
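.Pp
The random early drop arithmetic above, as an added Python example that is not part of this manual page or of sshd(8). It parses both forms of the argument, computes the refusal probability for a given number of unauthenticated connections as the linear ramp the text describes (rate percent at start, 100 percent at full, nothing below start; the integer arithmetic and rounding inside the real daemon may differ slightly), and shows the per-connection coin flip. Function names are the example's own.

```python
import random


def parse_max_startups(value):
    """MaxStartups argument: either a single number N (refuse once N
    unauthenticated connections exist, no early drop) or start:rate:full."""
    parts = value.split(":")
    if len(parts) == 1:
        start = full = int(parts[0])
        rate = 100
    elif len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
    else:
        raise ValueError("MaxStartups must be N or start:rate:full, got %r" % value)
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError("MaxStartups values out of range: %r" % value)
    return start, rate, full


def refuse_percent(unauth, start, rate, full):
    """Percentage of new connections refused while 'unauth' unauthenticated
    connections are open: none below 'start', 'rate' at 'start', rising
    linearly to everything at 'full'."""
    if unauth < start:
        return 0
    if unauth >= full:
        return 100
    return rate + (100 - rate) * (unauth - start) // (full - start)


def should_drop(unauth, start, rate, full, rng=random.random):
    """The per-connection decision: refuse with probability refuse_percent."""
    return rng() * 100 < refuse_percent(unauth, start, rate, full)


def refusal_curve(value, points):
    """(unauthenticated connections, refusal percentage) for one setting."""
    start, rate, full = parse_max_startups(value)
    return [(n, refuse_percent(n, start, rate, full)) for n in points]


if __name__ == "__main__":
    print(refusal_curve("10:30:60", [0, 9, 10, 35, 59, 60, 100]))
    print(refusal_curve("10", [9, 10, 11]))   # the default: a hard limit
```

A plain number such as the default 10 is the degenerate case start = full: nothing is refused until the limit and everything after it. Unauthenticated connections cost an attacker little and each one is held until LoginGraceTime expires, so the three-value form is what keeps a connection flood from locking out legitimate logins entirely.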
563: .It Cm PasswordAuthentication
564: Specifies whether password authentication is allowed.
565: The default is
566: .Dq yes .
567: .It Cm PermitEmptyPasswords
568: When password authentication is allowed, it specifies whether the
569: server allows login to accounts with empty password strings.
570: The default is
571: .Dq no .
1.62 dtucker 572: .It Cm PermitOpen
573: Specifies the destinations to which TCP port forwarding is permitted.
574: The forwarding specification must be one of the following forms:
575: .Pp
576: .Bl -item -offset indent -compact
577: .It
578: .Cm PermitOpen
579: .Sm off
580: .Ar host : port
581: .Sm on
582: .It
583: .Cm PermitOpen
584: .Sm off
585: .Ar IPv4_addr : port
586: .Sm on
587: .It
588: .Cm PermitOpen
589: .Sm off
590: .Ar \&[ IPv6_addr \&] : port
591: .Sm on
592: .El
593: .Pp
1.68 dtucker 594: Multiple forwards may be specified by separating them with whitespace.
1.62 dtucker 595: An argument of
596: .Dq any
597: can be used to remove all restrictions and permit any forwarding requests.
1.63 jmc 598: By default all port forwarding requests are permitted.
1.1 stevesk 599: .It Cm PermitRootLogin
1.38 jmc 600: Specifies whether root can log in using
1.1 stevesk 601: .Xr ssh 1 .
602: The argument must be
603: .Dq yes ,
604: .Dq without-password ,
1.52 jmc 605: .Dq forced-commands-only ,
1.1 stevesk 606: or
607: .Dq no .
608: The default is
609: .Dq yes .
610: .Pp
611: If this option is set to
1.52 jmc 612: .Dq without-password ,
1.1 stevesk 613: password authentication is disabled for root.
614: .Pp
615: If this option is set to
1.52 jmc 616: .Dq forced-commands-only ,
1.1 stevesk 617: root login with public key authentication will be allowed,
618: but only if the
619: .Ar command
620: option has been specified
621: (which may be useful for taking remote backups even if root login is
1.17 jmc 622: normally not allowed).
623: All other authentication methods are disabled for root.
1.1 stevesk 624: .Pp
625: If this option is set to
1.52 jmc 626: .Dq no ,
1.38 jmc 627: root is not allowed to log in.
1.46 reyk 628: .It Cm PermitTunnel
629: Specifies whether
630: .Xr tun 4
631: device forwarding is allowed.
1.47 reyk 632: The argument must be
633: .Dq yes ,
1.58 stevesk 634: .Dq point-to-point
635: (layer 3),
636: .Dq ethernet
637: (layer 2), or
1.47 reyk 638: .Dq no .
1.58 stevesk 639: Specifying
640: .Dq yes
641: permits both
642: .Dq point-to-point
643: and
644: .Dq ethernet .
1.46 reyk 645: The default is
646: .Dq no .
1.6 markus 647: .It Cm PermitUserEnvironment
648: Specifies whether
649: .Pa ~/.ssh/environment
1.9 stevesk 650: and
1.6 markus 651: .Cm environment=
652: options in
653: .Pa ~/.ssh/authorized_keys
1.9 stevesk 654: are processed by
1.52 jmc 655: .Xr sshd 8 .
1.6 markus 656: The default is
657: .Dq no .
1.9 stevesk 658: Enabling environment processing may enable users to bypass access
659: restrictions in some configurations using mechanisms such as
660: .Ev LD_PRELOAD .
1.1 stevesk 661: .It Cm PidFile
1.4 stevesk 662: Specifies the file that contains the process ID of the
1.53 jmc 663: SSH daemon.
1.1 stevesk 664: The default is
665: .Pa /var/run/sshd.pid .
666: .It Cm Port
667: Specifies the port number that
1.52 jmc 668: .Xr sshd 8
1.1 stevesk 669: listens on.
670: The default is 22.
671: Multiple options of this type are permitted.
672: See also
673: .Cm ListenAddress .
674: .It Cm PrintLastLog
675: Specifies whether
1.52 jmc 676: .Xr sshd 8
1.36 jaredy 677: should print the date and time of the last user login when a user logs
678: in interactively.
1.1 stevesk 679: The default is
680: .Dq yes .
681: .It Cm PrintMotd
682: Specifies whether
1.52 jmc 683: .Xr sshd 8
1.1 stevesk 684: should print
685: .Pa /etc/motd
686: when a user logs in interactively.
687: (On some systems it is also printed by the shell,
688: .Pa /etc/profile ,
689: or equivalent.)
690: The default is
691: .Dq yes .
692: .It Cm Protocol
693: Specifies the protocol versions
1.52 jmc 694: .Xr sshd 8
1.5 stevesk 695: supports.
1.1 stevesk 696: The possible values are
1.52 jmc 697: .Sq 1
1.1 stevesk 698: and
1.52 jmc 699: .Sq 2 .
1.1 stevesk 700: Multiple versions must be comma-separated.
701: The default is
702: .Dq 2,1 .
1.5 stevesk 703: Note that the order of the protocol list does not indicate preference,
704: because the client selects among multiple protocol versions offered
705: by the server.
706: Specifying
707: .Dq 2,1
708: is identical to
709: .Dq 1,2 .
1.1 stevesk 710: .It Cm PubkeyAuthentication
711: Specifies whether public key authentication is allowed.
712: The default is
713: .Dq yes .
714: Note that this option applies to protocol version 2 only.
715: .It Cm RhostsRSAAuthentication
716: Specifies whether rhosts or /etc/hosts.equiv authentication together
717: with successful RSA host authentication is allowed.
718: The default is
719: .Dq no .
720: This option applies to protocol version 1 only.
721: .It Cm RSAAuthentication
722: Specifies whether pure RSA authentication is allowed.
723: The default is
724: .Dq yes .
725: This option applies to protocol version 1 only.
726: .It Cm ServerKeyBits
727: Defines the number of bits in the ephemeral protocol version 1 server key.
728: The minimum value is 512, and the default is 768.
729: .It Cm StrictModes
730: Specifies whether
1.52 jmc 731: .Xr sshd 8
1.1 stevesk 732: should check file modes and ownership of the
733: user's files and home directory before accepting login.
734: This is normally desirable because novices sometimes accidentally leave their
735: directory or files world-writable.
736: The default is
737: .Dq yes .
738: .It Cm Subsystem
1.51 jmc 739: Configures an external subsystem (e.g. file transfer daemon).
1.59 djm 740: Arguments should be a subsystem name and a command (with optional arguments)
741: to execute upon subsystem request.
1.1 stevesk 742: The command
743: .Xr sftp-server 8
744: implements the
745: .Dq sftp
746: file transfer subsystem.
747: By default no subsystems are defined.
748: Note that this option applies to protocol version 2 only.
749: .It Cm SyslogFacility
750: Gives the facility code that is used when logging messages from
1.53 jmc 751: .Xr sshd 8 .
1.1 stevesk 752: The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
753: LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
754: The default is AUTH.
1.27 markus 755: .It Cm TCPKeepAlive
756: Specifies whether the system should send TCP keepalive messages to the
757: other side.
758: If they are sent, death of the connection or crash of one
759: of the machines will be properly noticed.
760: However, this means that
761: connections will die if the route is down temporarily, and some people
762: find it annoying.
763: On the other hand, if TCP keepalives are not sent,
764: sessions may hang indefinitely on the server, leaving
765: .Dq ghost
766: users and consuming server resources.
767: .Pp
768: The default is
769: .Dq yes
770: (to send TCP keepalive messages), and the server will notice
771: if the network goes down or the client host crashes.
772: This avoids infinitely hanging sessions.
773: .Pp
774: To disable TCP keepalive messages, the value should be set to
775: .Dq no .
1.18 markus 776: .It Cm UseDNS
777: Specifies whether
1.52 jmc 778: .Xr sshd 8
1.40 jmc 779: should look up the remote host name and check that
1.18 markus 780: the resolved host name for the remote IP address maps back to the
781: very same IP address.
782: The default is
783: .Dq yes .
1.1 stevesk 784: .It Cm UseLogin
785: Specifies whether
786: .Xr login 1
787: is used for interactive login sessions.
788: The default is
789: .Dq no .
790: Note that
791: .Xr login 1
792: is never used for remote command execution.
793: Note also that if this is enabled,
794: .Cm X11Forwarding
795: will be disabled because
796: .Xr login 1
797: does not know how to handle
798: .Xr xauth 1
1.15 jmc 799: cookies.
800: If
1.1 stevesk 801: .Cm UsePrivilegeSeparation
802: is specified, it will be disabled after authentication.
803: .It Cm UsePrivilegeSeparation
804: Specifies whether
1.52 jmc 805: .Xr sshd 8
1.2 stevesk 806: separates privileges by creating an unprivileged child process
1.15 jmc 807: to deal with incoming network traffic.
808: After successful authentication, another process will be created that has
809: the privilege of the authenticated user.
810: The goal of privilege separation is to prevent privilege
1.1 stevesk 811: escalation by containing any corruption within the unprivileged processes.
812: The default is
813: .Dq yes .
814: .It Cm X11DisplayOffset
815: Specifies the first display number available for
1.52 jmc 816: .Xr sshd 8 Ns 's
1.1 stevesk 817: X11 forwarding.
1.52 jmc 818: This prevents sshd from interfering with real X11 servers.
1.1 stevesk 819: The default is 10.
820: .It Cm X11Forwarding
821: Specifies whether X11 forwarding is permitted.
1.13 stevesk 822: The argument must be
823: .Dq yes
824: or
825: .Dq no .
1.1 stevesk 826: The default is
827: .Dq no .
1.13 stevesk 828: .Pp
829: When X11 forwarding is enabled, there may be additional exposure to
830: the server and to client displays if the
1.52 jmc 831: .Xr sshd 8
1.13 stevesk 832: proxy display is configured to listen on the wildcard address (see
833: .Cm X11UseLocalhost
1.52 jmc 834: below), though this is not the default.
1.13 stevesk 835: Additionally, the authentication spoofing and authentication data
836: verification and substitution occur on the client side.
837: The security risk of using X11 forwarding is that the client's X11
1.52 jmc 838: display server may be exposed to attack when the SSH client requests
1.13 stevesk 839: forwarding (see the warnings for
840: .Cm ForwardX11
841: in
1.19 jmc 842: .Xr ssh_config 5 ) .
1.13 stevesk 843: A system administrator may have a stance in which they want to
844: protect clients that may expose themselves to attack by unwittingly
845: requesting X11 forwarding, which can warrant a
846: .Dq no
847: setting.
848: .Pp
849: Note that disabling X11 forwarding does not prevent users from
850: forwarding X11 traffic, as users can always install their own forwarders.
1.1 stevesk 851: X11 forwarding is automatically disabled if
852: .Cm UseLogin
853: is enabled.
854: .It Cm X11UseLocalhost
855: Specifies whether
1.52 jmc 856: .Xr sshd 8
1.1 stevesk 857: should bind the X11 forwarding server to the loopback address or to
1.15 jmc 858: the wildcard address.
859: By default,
1.52 jmc 860: sshd binds the forwarding server to the loopback address and sets the
1.1 stevesk 861: hostname part of the
862: .Ev DISPLAY
863: environment variable to
864: .Dq localhost .
1.8 stevesk 865: This prevents remote hosts from connecting to the proxy display.
1.1 stevesk 866: However, some older X11 clients may not function with this
867: configuration.
868: .Cm X11UseLocalhost
869: may be set to
870: .Dq no
871: to specify that the forwarding server should be bound to the wildcard
872: address.
873: The argument must be
874: .Dq yes
875: or
876: .Dq no .
877: The default is
878: .Dq yes .
879: .It Cm XAuthLocation
1.11 stevesk 880: Specifies the full pathname of the
1.1 stevesk 881: .Xr xauth 1
882: program.
883: The default is
884: .Pa /usr/X11R6/bin/xauth .
885: .El
1.55 jmc 886: .Sh TIME FORMATS
1.53 jmc 887: .Xr sshd 8
1.1 stevesk 888: command-line arguments and configuration file options that specify time
889: may be expressed using a sequence of the form:
890: .Sm off
1.7 stevesk 891: .Ar time Op Ar qualifier ,
1.1 stevesk 892: .Sm on
893: where
894: .Ar time
895: is a positive integer value and
896: .Ar qualifier
897: is one of the following:
898: .Pp
899: .Bl -tag -width Ds -compact -offset indent
1.64 jmc 900: .It Aq Cm none
1.1 stevesk 901: seconds
902: .It Cm s | Cm S
903: seconds
904: .It Cm m | Cm M
905: minutes
906: .It Cm h | Cm H
907: hours
908: .It Cm d | Cm D
909: days
910: .It Cm w | Cm W
911: weeks
912: .El
913: .Pp
914: Each member of the sequence is added together to calculate
915: the total time value.
916: .Pp
917: Time format examples:
918: .Pp
919: .Bl -tag -width Ds -compact -offset indent
920: .It 600
921: 600 seconds (10 minutes)
922: .It 10m
923: 10 minutes
924: .It 1h30m
925: 1 hour 30 minutes (90 minutes)
926: .El
927: .Sh FILES
928: .Bl -tag -width Ds
929: .It Pa /etc/ssh/sshd_config
930: Contains configuration data for
1.53 jmc 931: .Xr sshd 8 .
1.1 stevesk 932: This file should be writable by root only, but it is recommended
933: (though not necessary) that it be world-readable.
934: .El
1.19 jmc 935: .Sh SEE ALSO
936: .Xr sshd 8
1.1 stevesk 937: .Sh AUTHORS
938: OpenSSH is a derivative of the original and free
939: ssh 1.2.12 release by Tatu Ylonen.
940: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
941: Theo de Raadt and Dug Song
942: removed many bugs, re-added newer features and
943: created OpenSSH.
944: Markus Friedl contributed the support for SSH
945: protocol versions 1.5 and 2.0.
946: Niels Provos and Markus Friedl contributed support
947: for privilege separation.