SSHD_CONFIG(5)              File Formats Manual              SSHD_CONFIG(5)

NAME
     sshd_config – OpenSSH SSH daemon configuration file

SYNOPSIS
     /etc/ssh/sshd_config

DESCRIPTION
     sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
     specified with -f on the command line).  The file contains keyword-
     argument pairs, one per line.  Lines starting with ‘#’ and empty lines
     are interpreted as comments.  Arguments may optionally be enclosed in
     double quotes (") in order to represent arguments containing spaces.

     The possible keywords and their meanings are as follows (note that
     keywords are case-insensitive and arguments are case-sensitive):

     AcceptEnv
             Specifies what environment variables sent by the client will be
             copied into the session's environ(7).  See SendEnv in
             ssh_config(5) for how to configure the client.  Note that
             environment passing is only supported for protocol 2, and that
             the TERM environment variable is always sent whenever the client
             requests a pseudo-terminal as it is required by the protocol.
             Variables are specified by name, which may contain the wildcard
             characters ‘*’ and ‘?’.  Multiple environment variables may be
             separated by whitespace or spread across multiple AcceptEnv
             directives.  Be warned that some environment variables could be
             used to bypass restricted user environments.  For this reason,
             care should be taken in the use of this directive.  The default
             is not to accept any environment variables.

     AddressFamily
             Specifies which address family should be used by sshd(8).  Valid
             arguments are “any”, “inet” (use IPv4 only), or “inet6” (use IPv6
             only).  The default is “any”.

     AllowAgentForwarding
             Specifies whether ssh-agent(1) forwarding is permitted.  The
             default is “yes”.  Note that disabling agent forwarding does not
             improve security unless users are also denied shell access, as
             they can always install their own forwarders.

     AllowGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  If specified, login is allowed only for
             users whose primary group or supplementary group list matches one
             of the patterns.  Only group names are valid; a numerical group
             ID is not recognized.  By default, login is allowed for all
             groups.  The allow/deny directives are processed in the following
             order: DenyUsers, AllowUsers, DenyGroups, and finally
             AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     AllowTcpForwarding
             Specifies whether TCP forwarding is permitted.  The available
             options are “yes” or “all” to allow TCP forwarding, “no” to
             prevent all TCP forwarding, “local” to allow local (from the
             perspective of ssh(1)) forwarding only or “remote” to allow
             remote forwarding only.  The default is “yes”.  Note that
             disabling TCP forwarding does not improve security unless users
             are also denied shell access, as they can always install their
             own forwarders.

     AllowStreamLocalForwarding
             Specifies whether StreamLocal (Unix-domain socket) forwarding is
             permitted.  The available options are “yes” or “all” to allow
             StreamLocal forwarding, “no” to prevent all StreamLocal
             forwarding, “local” to allow local (from the perspective of
             ssh(1)) forwarding only or “remote” to allow remote forwarding
             only.  The default is “yes”.  Note that disabling StreamLocal
             forwarding does not improve security unless users are also denied
             shell access, as they can always install their own forwarders.

     AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
             user names that match one of the patterns.  Only user names are
             valid; a numerical user ID is not recognized.  By default, login
             is allowed for all users.  If the pattern takes the form
             USER@HOST then USER and HOST are separately checked, restricting
             logins to particular users from particular hosts.  The allow/deny
             directives are processed in the following order: DenyUsers,
             AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     AuthenticationMethods
             Specifies the authentication methods that must be successfully
             completed for a user to be granted access.  This option must be
             followed by one or more comma-separated lists of authentication
             method names.  Successful authentication requires completion of
             every method in at least one of these lists.

             For example, an argument of “publickey,password
             publickey,keyboard-interactive” would require the user to
             complete public key authentication, followed by either password
             or keyboard interactive authentication.  Only methods that are
             next in one or more lists are offered at each stage, so for this
             example, it would not be possible to attempt password or
             keyboard-interactive authentication before public key.

             For keyboard interactive authentication it is also possible to
             restrict authentication to a specific device by appending a colon
             followed by the device identifier “bsdauth”, “pam”, or “skey”,
             depending on the server configuration.  For example,
             “keyboard-interactive:bsdauth” would restrict keyboard
             interactive authentication to the “bsdauth” device.

             If the “publickey” method is listed more than once, sshd(8)
             verifies that keys that have been used successfully are not
             reused for subsequent authentications.  For example, an
             AuthenticationMethods of “publickey,publickey” will require
             successful authentication using two different public keys.

             This option is only available for SSH protocol 2 and will yield a
             fatal error if enabled if protocol 1 is also enabled.  Note that
             each authentication method listed should also be explicitly
             enabled in the configuration.  The default is not to require
             multiple authentication; successful completion of a single
             authentication method is sufficient.

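             The following model of the AuthenticationMethods rules is an added
             example, not OpenSSH code; it replays a constructed sequence of
             successful authentications (the fingerprints are made-up labels)
             to show which methods are offered at each stage and when access
             is granted.

```python
"""Model of how sshd(8) works through an AuthenticationMethods argument.

Added illustration, not OpenSSH code.  It reproduces the rules above for
a constructed run of successful authentications: every method in at
least one comma-separated list must complete, only methods that are
"next" in some list are offered at each stage, and a "publickey" listed
twice must be satisfied by two different keys.  Fingerprints are
constructed labels, not real keys.
"""
from typing import List, Optional, Set, Tuple


def parse_methods(argument: str) -> List[List[str]]:
    """Split e.g. "publickey,password publickey,keyboard-interactive" into
    two lists.  A device suffix such as "keyboard-interactive:bsdauth"
    stays part of the method name and must be matched exactly."""
    return [spec.split(",") for spec in argument.split()]


class AuthState:
    def __init__(self, argument: str) -> None:
        self.lists = parse_methods(argument)
        self.progress = [0] * len(self.lists)   # index of next method per list
        self.keys_used: Set[Optional[str]] = set()

    def offered(self) -> Set[str]:
        """Methods offered now: the next unfinished item of every list."""
        return {m[i] for m, i in zip(self.lists, self.progress) if i < len(m)}

    def complete(self) -> bool:
        """Access is granted once any one list has been fully completed."""
        return any(i == len(m) for m, i in zip(self.lists, self.progress))

    def succeed(self, method: str, fingerprint: Optional[str] = None) -> bool:
        """Apply one successful authentication.  Returns False when the
        method was not offered or the public key was already used."""
        if method not in self.offered():
            return False
        if method == "publickey":
            if fingerprint in self.keys_used:
                return False
            self.keys_used.add(fingerprint)
        # advance every list whose next step is this method
        for n, methods in enumerate(self.lists):
            i = self.progress[n]
            if i < len(methods) and methods[i] == method:
                self.progress[n] = i + 1
        return True


def run_sequence(argument: str,
                 attempts: List[Tuple[str, Optional[str]]]) -> Tuple[List[bool], bool]:
    """Replay attempts; return per-attempt acceptance and whether login completes."""
    state = AuthState(argument)
    accepted = [state.succeed(method, fp) for method, fp in attempts]
    return accepted, state.complete()
```
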
     AuthorizedKeysCommand
             Specifies a program to be used to look up the user's public keys.
             The program must be owned by root, not writable by group or
             others and specified by an absolute path.

             Arguments to AuthorizedKeysCommand may be provided using the
             following tokens, which will be expanded at runtime: %% is
             replaced by a literal '%', %u is replaced by the username being
             authenticated, %h is replaced by the home directory of the user
             being authenticated, %t is replaced with the key type offered for
             authentication, %f is replaced with the fingerprint of the key,
             and %k is replaced with the key being offered for authentication.
             If no arguments are specified then the username of the target
             user will be supplied.

             The program should produce on standard output zero or more lines
             of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)).  If a
             key supplied by AuthorizedKeysCommand does not successfully
             authenticate and authorize the user then public key
             authentication continues using the usual AuthorizedKeysFile
             files.  By default, no AuthorizedKeysCommand is run.

     AuthorizedKeysCommandUser
             Specifies the user under whose account the AuthorizedKeysCommand
             is run.  It is recommended to use a dedicated user that has no
             other role on the host than running authorized keys commands.  If
             AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser
             is not, then sshd(8) will refuse to start.

     AuthorizedKeysFile
             Specifies the file that contains the public keys that can be used
             for user authentication.  The format is described in the
             AUTHORIZED_KEYS FILE FORMAT section of sshd(8).
             AuthorizedKeysFile may contain tokens of the form %T which are
             substituted during connection setup.  The following tokens are
             defined: %% is replaced by a literal '%', %h is replaced by the
             home directory of the user being authenticated, and %u is
             replaced by the username of that user.  After expansion,
             AuthorizedKeysFile is taken to be an absolute path or one
             relative to the user's home directory.  Multiple files may be
             listed, separated by whitespace.  The default is
             “.ssh/authorized_keys .ssh/authorized_keys2”.

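             The token expansion described for AuthorizedKeysCommand and
             AuthorizedKeysFile, as an added example that is not OpenSSH code:
             each directive accepts only its own token set, an undefined token
             is reported rather than passed through, and a relative
             AuthorizedKeysFile is resolved against the home directory.  The
             user record and key details are constructed sample values.

```python
"""Expand the %-tokens that sshd_config allows in AuthorizedKeysCommand
arguments and AuthorizedKeysFile paths.

Added illustration, not OpenSSH code.  It applies the token rules above:
each directive has its own token set, "%%" is a literal percent, an
undefined token is an error, and an expanded AuthorizedKeysFile that is
not absolute is taken relative to the user's home directory.  All user
and key values used below are constructed samples.
"""
import os
from typing import Dict, List

# Tokens each directive defines, per the sshd_config text above.
TOKENS = {
    "AuthorizedKeysCommand": {"%", "u", "h", "t", "f", "k"},
    "AuthorizedKeysFile": {"%", "h", "u"},
}


def expand_tokens(directive: str, template: str, values: Dict[str, str]) -> str:
    """Replace %x tokens in `template` using `values` keyed by token letter.

    Raises ValueError for a token the directive does not define, so a typo
    such as %U, or a token borrowed from another directive, is caught
    instead of reaching the command line or the file path.
    """
    allowed = TOKENS[directive]
    out: List[str] = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling '%' at end of argument")
        tok = template[i + 1]
        if tok not in allowed:
            raise ValueError(f"%{tok} is not a valid token for {directive}")
        out.append("%" if tok == "%" else values[tok])
        i += 2
    return "".join(out)


def authorized_keys_paths(arg: str, user: str, home: str) -> List[str]:
    """Expand a whitespace-separated AuthorizedKeysFile argument to paths.

    Each entry is expanded, then joined to `home` unless it is already
    absolute, as the directive specifies.
    """
    values = {"u": user, "h": home}
    paths = []
    for entry in arg.split():
        expanded = expand_tokens("AuthorizedKeysFile", entry, values)
        if not os.path.isabs(expanded):
            expanded = os.path.join(home, expanded)
        paths.append(os.path.normpath(expanded))
    return paths


def authorized_keys_command_argv(command_line: str, key_info: Dict[str, str]) -> List[str]:
    """Expand an AuthorizedKeysCommand line into an argument vector.

    When no arguments follow the program, the username is supplied, as the
    directive specifies.  Splitting on whitespace is a simplification of
    this model; sshd(8) also honours double-quoted arguments.
    """
    words = command_line.split()
    if len(words) == 1:
        words.append("%u")
    return [expand_tokens("AuthorizedKeysCommand", w, key_info) for w in words]
```
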
     AuthorizedPrincipalsCommand
             Specifies a program to be used to generate the list of allowed
             certificate principals as per AuthorizedPrincipalsFile.  The
             program must be owned by root, not writable by group or others
             and specified by an absolute path.

             Arguments to AuthorizedPrincipalsCommand may be provided using
             the following tokens, which will be expanded at runtime: %% is
             replaced by a literal '%', %u is replaced by the username being
             authenticated and %h is replaced by the home directory of the
             user being authenticated.

             The program should produce on standard output zero or more lines
             of AuthorizedPrincipalsFile output.  If either
             AuthorizedPrincipalsCommand or AuthorizedPrincipalsFile is
             specified, then certificates offered by the client for
             authentication must contain a principal that is listed.  By
             default, no AuthorizedPrincipalsCommand is run.

     AuthorizedPrincipalsCommandUser
             Specifies the user under whose account the
             AuthorizedPrincipalsCommand is run.  It is recommended to use a
             dedicated user that has no other role on the host than running
             authorized principals commands.  If AuthorizedPrincipalsCommand
             is specified but AuthorizedPrincipalsCommandUser is not, then
             sshd(8) will refuse to start.

     AuthorizedPrincipalsFile
             Specifies a file that lists principal names that are accepted for
             certificate authentication.  When using certificates signed by a
             key listed in TrustedUserCAKeys, this file lists names, one of
             which must appear in the certificate for it to be accepted for
             authentication.  Names are listed one per line preceded by key
             options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)).
             Empty lines and comments starting with ‘#’ are ignored.

             AuthorizedPrincipalsFile may contain tokens of the form %T which
             are substituted during connection setup.  The following tokens
             are defined: %% is replaced by a literal '%', %h is replaced by
             the home directory of the user being authenticated, and %u is
             replaced by the username of that user.  After expansion,
             AuthorizedPrincipalsFile is taken to be an absolute path or one
             relative to the user's home directory.

             The default is “none”, i.e. not to use a principals file – in
             this case, the username of the user must appear in a
             certificate's principals list for it to be accepted.  Note that
             AuthorizedPrincipalsFile is only used when authentication
             proceeds using a CA listed in TrustedUserCAKeys and is not
             consulted for certification authorities trusted via
             ~/.ssh/authorized_keys, though the principals= key option offers
             a similar facility (see sshd(8) for details).

     Banner  The contents of the specified file are sent to the remote user
             before authentication is allowed.  If the argument is “none” then
             no banner is displayed.  This option is only available for
             protocol version 2.  By default, no banner is displayed.

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed
             (e.g. via PAM or through authentication styles supported in
             login.conf(5)).  The default is “yes”.

     ChrootDirectory
             Specifies the pathname of a directory to chroot(2) to after
             authentication.  At session startup sshd(8) checks that all
             components of the pathname are root-owned directories which are
             not writable by any other user or group.  After the chroot,
             sshd(8) changes the working directory to the user's home
             directory.

             The pathname may contain the following tokens that are expanded
             at runtime once the connecting user has been authenticated: %% is
             replaced by a literal '%', %h is replaced by the home directory
             of the user being authenticated, and %u is replaced by the
             username of that user.

             The ChrootDirectory must contain the necessary files and
             directories to support the user's session.  For an interactive
             session this requires at least a shell, typically sh(1), and
             basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
             stderr(4), and tty(4) devices.  For file transfer sessions using
             “sftp”, no additional configuration of the environment is
             necessary if the in-process sftp server is used, though sessions
             which use logging may require /dev/log inside the chroot
             directory on some operating systems (see sftp-server(8) for
             details).

             For safety, it is very important that the directory hierarchy be
             prevented from modification by other processes on the system
             (especially those outside the jail).  Misconfiguration can lead
             to unsafe environments which sshd(8) cannot detect.

             The default is not to chroot(2).

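             The component-by-component check described above (root-owned
             directories, not group- or world-writable), as an added example
             that is not OpenSSH code.  It expands the %h and %u tokens first
             and reports every failing component; the stat function is
             injectable so the check can run against constructed metadata.

```python
"""Check a ChrootDirectory path the way the text above says sshd(8) does.

Added illustration, not OpenSSH code.  Every component of the expanded
path must be a directory owned by root and not writable by group or
others.  `stat_fn` defaults to os.stat and is injectable so the check
can be exercised against constructed metadata instead of a live system.
"""
import os
import stat
from typing import Callable, List


def expand_chroot(template: str, user: str, home: str) -> str:
    """Expand %%, %h and %u, the only tokens ChrootDirectory defines."""
    out: List[str] = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling '%' in ChrootDirectory")
        tok = template[i + 1]
        if tok == "%":
            out.append("%")
        elif tok == "h":
            out.append(home)
        elif tok == "u":
            out.append(user)
        else:
            raise ValueError(f"%{tok} is not valid in ChrootDirectory")
        i += 2
    return "".join(out)


def path_components(path: str) -> List[str]:
    """Return "/", "/a", "/a/b", ... for an absolute path."""
    path = os.path.normpath(path)
    if not path.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path")
    comps = ["/"]
    cur = ""
    for part in path.strip("/").split("/"):
        if part:
            cur += "/" + part
            comps.append(cur)
    return comps


def chroot_problems(path: str, stat_fn: Callable = os.stat) -> List[str]:
    """Return findings for each failing component; [] means the path passes."""
    problems: List[str] = []
    for comp in path_components(path):
        try:
            st = stat_fn(comp)
        except OSError as e:
            problems.append(f"{comp}: cannot stat ({e.strerror})")
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group or others "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems
```
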
     Ciphers
             Specifies the ciphers allowed for protocol version 2.  Multiple
             ciphers must be comma-separated.  The supported ciphers are:

                   3des-cbc
                   aes128-cbc
                   aes192-cbc
                   aes256-cbc
                   aes128-ctr
                   aes192-ctr
                   aes256-ctr
                   aes128-gcm@openssh.com
                   aes256-gcm@openssh.com
                   arcfour
                   arcfour128
                   arcfour256
                   blowfish-cbc
                   cast128-cbc
                   chacha20-poly1305@openssh.com

             The default is:

                   aes128-ctr,aes192-ctr,aes256-ctr,
                   aes128-gcm@openssh.com,aes256-gcm@openssh.com,
                   chacha20-poly1305@openssh.com

             The list of available ciphers may also be obtained using the -Q
             option of ssh(1) with an argument of “cipher”.

     ClientAliveCountMax
             Sets the number of client alive messages (see below) which may be
             sent without sshd(8) receiving any messages back from the client.
             If this threshold is reached while client alive messages are
             being sent, sshd will disconnect the client, terminating the
             session.  It is important to note that the use of client alive
             messages is very different from TCPKeepAlive (below).  The client
             alive messages are sent through the encrypted channel and
             therefore will not be spoofable.  The TCP keepalive option
             enabled by TCPKeepAlive is spoofable.  The client alive mechanism
             is valuable when the client or server depend on knowing when a
             connection has become inactive.

             The default value is 3.  If ClientAliveInterval (see below) is
             set to 15, and ClientAliveCountMax is left at the default,
             unresponsive SSH clients will be disconnected after approximately
             45 seconds.  This option applies to protocol version 2 only.

     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has
             been received from the client, sshd(8) will send a message
             through the encrypted channel to request a response from the
             client.  The default is 0, indicating that these messages will
             not be sent to the client.  This option applies to protocol
             version 2 only.

     Compression
             Specifies whether compression is allowed, or delayed until the
             user has authenticated successfully.  The argument must be “yes”,
             “delayed”, or “no”.  The default is “delayed”.

     DenyGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  Login is disallowed for users whose primary
             group or supplementary group list matches one of the patterns.
             Only group names are valid; a numerical group ID is not
             recognized.  By default, login is allowed for all groups.  The
             allow/deny directives are processed in the following order:
             DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     DenyUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  Login is disallowed for user names that
             match one of the patterns.  Only user names are valid; a
             numerical user ID is not recognized.  By default, login is
             allowed for all users.  If the pattern takes the form USER@HOST
             then USER and HOST are separately checked, restricting logins to
             particular users from particular hosts.  The allow/deny
             directives are processed in the following order: DenyUsers,
             AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

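             The processing order shared by AllowUsers, AllowGroups, DenyUsers
             and DenyGroups, worked through as an added example that is not
             OpenSSH code: it parses a constructed config fragment, applies the
             four directives in the documented order with USER@HOST patterns
             and ‘*’/‘?’ wildcards, and reports which directive refused a
             login.  Group membership is passed in rather than read from the
             system database.

```python
"""Evaluate the AllowUsers/DenyUsers/AllowGroups/DenyGroups directives for
a login attempt.

Added illustration, not OpenSSH code.  It applies the processing order
given above (DenyUsers, AllowUsers, DenyGroups, AllowGroups), the
USER@HOST form, and the '*' and '?' wildcards of PATTERNS (via fnmatch).
The config fragment and the account facts are constructed samples; group
membership is passed in rather than read from the system database.
"""
import fnmatch
from typing import Dict, List, Optional, Sequence, Tuple

ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_allow_deny(config_text: str) -> Dict[str, List[str]]:
    """Collect the pattern lists of the four directives; other keywords
    are ignored.  Keywords are case-insensitive, arguments are not."""
    lists: Dict[str, List[str]] = {k: [] for k in ORDER}
    by_lower = {k.lower(): k for k in ORDER}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = by_lower.get(parts[0].lower())
        if key and len(parts) == 2:
            lists[key].extend(parts[1].split())
    return lists


def match_user(user: str, host: str, addr: str, pattern: str) -> bool:
    """USER@HOST patterns check the user part and, separately, the client
    host name or address; plain patterns check the user name only."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return (fnmatch.fnmatchcase(user, user_pat) and
                (fnmatch.fnmatchcase(host, host_pat) or
                 fnmatch.fnmatchcase(addr, host_pat)))
    return fnmatch.fnmatchcase(user, pattern)


def login_allowed(lists: Dict[str, List[str]], user: str, groups: Sequence[str],
                  host: str, addr: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, directive that refused) following the documented order."""
    def user_hit(directive: str) -> bool:
        return any(match_user(user, host, addr, p) for p in lists[directive])

    def group_hit(directive: str) -> bool:
        return any(fnmatch.fnmatchcase(g, p)
                   for g in groups for p in lists[directive])

    if user_hit("DenyUsers"):
        return False, "DenyUsers"
    if lists["AllowUsers"] and not user_hit("AllowUsers"):
        return False, "AllowUsers"
    if group_hit("DenyGroups"):
        return False, "DenyGroups"
    if lists["AllowGroups"] and not group_hit("AllowGroups"):
        return False, "AllowGroups"
    return True, None


# constructed sample sshd_config fragment
SAMPLE_CONFIG = """\
DenyUsers   guest* backup@*.example.net
AllowUsers  *@10.0.0.* admin@*
DenyGroups  contractors
AllowGroups wheel sshusers
"""
```
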
     FingerprintHash
             Specifies the hash algorithm used when logging key fingerprints.
             Valid options are: “md5” and “sha256”.  The default is “sha256”.

     ForceCommand
             Forces the execution of the command specified by ForceCommand,
             ignoring any command supplied by the client and ~/.ssh/rc if
             present.  The command is invoked by using the user's login shell
             with the -c option.  This applies to shell, command, or subsystem
             execution.  It is most useful inside a Match block.  The command
             originally supplied by the client is available in the
             SSH_ORIGINAL_COMMAND environment variable.  Specifying a command
             of “internal-sftp” will force the use of an in-process sftp
             server that requires no support files when used with
             ChrootDirectory.

     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports
             forwarded for the client.  By default, sshd(8) binds remote port
             forwardings to the loopback address.  This prevents other remote
             hosts from connecting to forwarded ports.  GatewayPorts can be
             used to specify that sshd should allow remote port forwardings to
             bind to non-loopback addresses, thus allowing other hosts to
             connect.  The argument may be “no” to force remote port
             forwardings to be available to the local host only, “yes” to
             force remote port forwardings to bind to the wildcard address, or
             “clientspecified” to allow the client to select the address to
             which the forwarding is bound.  The default is “no”.

     GSSAPIAuthentication
             Specifies whether user authentication based on GSSAPI is allowed.
             The default is “no”.  Note that this option applies to protocol
             version 2 only.

     GSSAPICleanupCredentials
             Specifies whether to automatically destroy the user's credentials
             cache on logout.  The default is “yes”.  Note that this option
             applies to protocol version 2 only.

     GSSAPIStrictAcceptorCheck
             Determines whether to be strict about the identity of the GSSAPI
             acceptor a client authenticates against.  If set to “yes” then
             the client must authenticate against the host service on the
             current hostname.  If set to “no” then the client may
             authenticate against any service key stored in the machine's
             default store.  This facility is provided to assist with
             operation on multi-homed machines.  The default is “yes”.

     HostbasedAcceptedKeyTypes
             Specifies the key types that will be accepted for hostbased
             authentication as a comma-separated pattern list.  The default
             “*” will allow all key types.  The -Q option of ssh(1) may be
             used to list supported key types.

     HostbasedAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful public key client host authentication is
             allowed (host-based authentication).  This option is similar to
             RhostsRSAAuthentication and applies to protocol version 2 only.
             The default is “no”.

     HostbasedUsesNameFromPacketOnly
             Specifies whether or not the server will attempt to perform a
             reverse name lookup when matching the name in the ~/.shosts,
             ~/.rhosts, and /etc/hosts.equiv files during
             HostbasedAuthentication.  A setting of “yes” means that sshd(8)
             uses the name supplied by the client rather than attempting to
             resolve the name from the TCP connection itself.  The default is
             “no”.

     HostCertificate
             Specifies a file containing a public host certificate.  The
             certificate's public key must match a private host key already
             specified by HostKey.  The default behaviour of sshd(8) is not to
             load any certificates.

     HostKey
             Specifies a file containing a private host key used by SSH.  The
             default is /etc/ssh/ssh_host_key for protocol version 1, and
             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
             protocol version 2.  Note that sshd(8) will refuse to use a file
             if it is group/world-accessible.  It is possible to have multiple
             host key files.  “rsa1” keys are used for version 1 and “dsa”,
             “ecdsa”, “ed25519” or “rsa” are used for version 2 of the SSH
             protocol.  It is also possible to specify public host key files
             instead.  In this case operations on the private key will be
             delegated to an ssh-agent(1).

     HostKeyAgent
             Identifies the UNIX-domain socket used to communicate with an
             agent that has access to the private host keys.  If
             “SSH_AUTH_SOCK” is specified, the location of the socket will be
             read from the SSH_AUTH_SOCK environment variable.

     IgnoreRhosts
             Specifies that .rhosts and .shosts files will not be used in
             RhostsRSAAuthentication or HostbasedAuthentication.

             /etc/hosts.equiv and /etc/shosts.equiv are still used.  The
             default is “yes”.

     IgnoreUserKnownHosts
             Specifies whether sshd(8) should ignore the user's
             ~/.ssh/known_hosts during RhostsRSAAuthentication or
             HostbasedAuthentication.  The default is “no”.

     IPQoS   Specifies the IPv4 type-of-service or DSCP class for the
             connection.  Accepted values are “af11”, “af12”, “af13”, “af21”,
             “af22”, “af23”, “af31”, “af32”, “af33”, “af41”, “af42”, “af43”,
             “cs0”, “cs1”, “cs2”, “cs3”, “cs4”, “cs5”, “cs6”, “cs7”, “ef”,
             “lowdelay”, “throughput”, “reliability”, or a numeric value.
             This option may take one or two arguments, separated by
             whitespace.  If one argument is specified, it is used as the
             packet class unconditionally.  If two values are specified, the
             first is automatically selected for interactive sessions and the
             second for non-interactive sessions.  The default is “lowdelay”
             for interactive sessions and “throughput” for non-interactive
             sessions.

     KbdInteractiveAuthentication
             Specifies whether to allow keyboard-interactive authentication.
             The argument to this keyword must be “yes” or “no”.  The default
             is to use whatever value ChallengeResponseAuthentication is set
             to (by default “yes”).

     KerberosAuthentication
             Specifies whether the password provided by the user for
             PasswordAuthentication will be validated through the Kerberos
             KDC.  To use this option, the server needs a Kerberos servtab
             which allows the verification of the KDC's identity.  The default
             is “no”.

     KerberosGetAFSToken
             If AFS is active and the user has a Kerberos 5 TGT, attempt to
             acquire an AFS token before accessing the user's home directory.
             The default is “no”.

     KerberosOrLocalPasswd
             If password authentication through Kerberos fails then the
             password will be validated via any additional local mechanism
             such as /etc/passwd.  The default is “yes”.

     KerberosTicketCleanup
             Specifies whether to automatically destroy the user's ticket
             cache file on logout.  The default is “yes”.

     KexAlgorithms
             Specifies the available KEX (Key Exchange) algorithms.  Multiple
             algorithms must be comma-separated.  The supported algorithms
             are:

                   curve25519-sha256@libssh.org
                   diffie-hellman-group1-sha1
                   diffie-hellman-group14-sha1
                   diffie-hellman-group-exchange-sha1
                   diffie-hellman-group-exchange-sha256
                   ecdh-sha2-nistp256
                   ecdh-sha2-nistp384
                   ecdh-sha2-nistp521

             The default is:

                   curve25519-sha256@libssh.org,
                   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                   diffie-hellman-group-exchange-sha256,
                   diffie-hellman-group14-sha1

             The list of available key exchange algorithms may also be
             obtained using the -Q option of ssh(1) with an argument of “kex”.

     KeyRegenerationInterval
             In protocol version 1, the ephemeral server key is automatically
             regenerated after this many seconds (if it has been used).  The
             purpose of regeneration is to prevent decrypting captured
             sessions by later breaking into the machine and stealing the
             keys.  The key is never stored anywhere.  If the value is 0, the
             key is never regenerated.  The default is 3600 (seconds).

     ListenAddress
             Specifies the local addresses sshd(8) should listen on.  The
             following forms may be used:

                   ListenAddress host|IPv4_addr|IPv6_addr
                   ListenAddress host|IPv4_addr:port
                   ListenAddress [host|IPv6_addr]:port

             If port is not specified, sshd will listen on the address and all
             Port options specified.  The default is to listen on all local
             addresses.  Multiple ListenAddress options are permitted.

     LoginGraceTime
             The server disconnects after this time if the user has not
             successfully logged in.  If the value is 0, there is no time
             limit.  The default is 120 seconds.

     LogLevel
             Gives the verbosity level that is used when logging messages from
             sshd(8).  The possible values are: QUIET, FATAL, ERROR, INFO,
             VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.  The default is INFO.
             DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
             higher levels of debugging output.  Logging with a DEBUG level
             violates the privacy of users and is not recommended.

     MACs    Specifies the available MAC (message authentication code)
             algorithms.  The MAC algorithm is used in protocol version 2 for
             data integrity protection.  Multiple algorithms must be comma-
             separated.  The algorithms that contain “-etm” calculate the MAC
             after encryption (encrypt-then-mac).  These are considered safer
             and their use recommended.  The supported MACs are:

                   hmac-md5
                   hmac-md5-96
                   hmac-ripemd160
                   hmac-sha1
                   hmac-sha1-96
                   hmac-sha2-256
                   hmac-sha2-512
                   umac-64@openssh.com
                   umac-128@openssh.com
                   hmac-md5-etm@openssh.com
                   hmac-md5-96-etm@openssh.com
                   hmac-ripemd160-etm@openssh.com
                   hmac-sha1-etm@openssh.com
                   hmac-sha1-96-etm@openssh.com
                   hmac-sha2-256-etm@openssh.com
                   hmac-sha2-512-etm@openssh.com
                   umac-64-etm@openssh.com
                   umac-128-etm@openssh.com

             The default is:

                   umac-64-etm@openssh.com,umac-128-etm@openssh.com,
                   hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
                   umac-64@openssh.com,umac-128@openssh.com,
                   hmac-sha2-256,hmac-sha2-512

             The list of available MAC algorithms may also be obtained using
             the -Q option of ssh(1) with an argument of “mac”.

     Match   Introduces a conditional block.  If all of the criteria on the
             Match line are satisfied, the keywords on the following lines
             override those set in the global section of the config file,
             until either another Match line or the end of the file.  If a
             keyword appears in multiple Match blocks that are satisfied, only
             the first instance of the keyword is applied.

             The arguments to Match are one or more criteria-pattern pairs or
             the single token All which matches all criteria.  The available
             criteria are User, Group, Host, LocalAddress, LocalPort, and
             Address.  The match patterns may consist of single entries or
             comma-separated lists and may use the wildcard and negation
             operators described in the PATTERNS section of ssh_config(5).

             The patterns in an Address criteria may additionally contain
             addresses to match in CIDR address/masklen format, e.g.
             “192.0.2.0/24” or “3ffe:ffff::/32”.  Note that the mask length
             provided must be consistent with the address - it is an error to
             specify a mask length that is too long for the address or one
             with bits set in the host portion of the address.  For example,
             “192.0.2.0/33” and “192.0.2.0/8” respectively.

             Only a subset of keywords may be used on the lines following a
             Match keyword.  Available keywords are AcceptEnv,
             AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding,
             AllowTcpForwarding, AllowUsers, AuthenticationMethods,
             AuthorizedKeysCommand, AuthorizedKeysCommandUser,
             AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
             ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
             GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes,
             HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS,
             KbdInteractiveAuthentication, KerberosAuthentication,
             MaxAuthTries, MaxSessions, PasswordAuthentication,
             PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY,
             PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes,
             PubkeyAuthentication, RekeyLimit, RevokedKeys,
             RhostsRSAAuthentication, RSAAuthentication, StreamLocalBindMask,
             StreamLocalBindUnlink, TrustedUserCAKeys, X11DisplayOffset,
             X11Forwarding and X11UseLocalHost.

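             The Match semantics above (first satisfied block wins, Address
             criteria with wildcard or CIDR entries and negation, and the two
             CIDR errors the text names), worked through as an added example
             that is not OpenSSH code.  It resolves the effective value of a
             keyword for a given connection against a constructed config; only
             the User, Group, Address and LocalPort criteria are modelled.

```python
"""Resolve the value a keyword takes under sshd_config Match blocks.

Added illustration, not OpenSSH code.  It models the rules above: a Match
line opens a block whose keywords override the global section; when a
keyword appears in several satisfied blocks the first wins; Address
patterns may be wildcards or CIDR networks, and a CIDR with a too-long
mask or with host bits set is an error.  Only User, Group, Address and
LocalPort criteria are modelled; the config text is a constructed sample.
"""
import fnmatch
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Criteria = List[Tuple[str, str]]                    # [(criterion, pattern-list)]
Block = Tuple[Optional[Criteria], Dict[str, str]]   # criteria None = global section


def parse_cidr(entry: str):
    """strict=True rejects host bits set ("192.0.2.0/8"); an over-long mask
    ("192.0.2.0/33") is rejected as well.  Both raise ValueError."""
    return ipaddress.ip_network(entry, strict=True)


def match_list(pattern_list: str, hit: Callable[[str], bool]) -> bool:
    """Comma-separated patterns with '!' negation: a negated hit fails the
    whole list, otherwise any positive hit matches."""
    matched = False
    for entry in pattern_list.split(","):
        negate = entry.startswith("!")
        if hit(entry[1:] if negate else entry):
            if negate:
                return False
            matched = True
    return matched


def address_matches(addr: str, pattern_list: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return match_list(pattern_list, lambda p: ip in parse_cidr(p)
                      if "/" in p else fnmatch.fnmatchcase(addr, p))


def parse_config(text: str) -> List[Block]:
    """Global section followed by Match blocks; within a section the first
    instance of a keyword wins.  CIDR entries are validated here."""
    blocks: List[Block] = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword.lower() != "match":
            blocks[-1][1].setdefault(keyword.lower(), rest.strip())
            continue
        words = rest.split()
        if words == ["All"]:
            criteria: Criteria = []
        elif words and len(words) % 2 == 0:
            criteria = list(zip(words[::2], words[1::2]))
        else:
            raise ValueError(f"Match needs criteria-pattern pairs: {line}")
        for crit, pats in criteria:
            if crit.lower() == "address":
                for e in pats.split(","):
                    if "/" in e:
                        parse_cidr(e.lstrip("!"))
        blocks.append((criteria, {}))
    return blocks


def satisfied(criteria: Criteria, conn: Dict) -> bool:
    """conn holds the connection facts: user, groups, address, localport."""
    for crit, pats in criteria:
        c = crit.lower()
        if c == "address":
            ok = address_matches(conn["address"], pats)
        elif c == "localport":
            ok = str(conn["localport"]) in pats.split(",")
        elif c == "user":
            ok = match_list(pats, lambda p: fnmatch.fnmatchcase(conn["user"], p))
        elif c == "group":
            ok = any(match_list(pats, lambda p, g=g: fnmatch.fnmatchcase(g, p))
                     for g in conn["groups"])
        else:
            raise ValueError(f"criterion not modelled here: {crit}")
        if not ok:
            return False
    return True


def effective_value(blocks: List[Block], keyword: str, conn: Dict) -> Optional[str]:
    """First satisfied Match block that sets the keyword wins, else global."""
    key = keyword.lower()
    for criteria, keywords in blocks[1:]:
        if key in keywords and satisfied(criteria, conn):
            return keywords[key]
    return blocks[0][1].get(key)


SAMPLE_CONFIG = """\
# constructed sample sshd_config
PasswordAuthentication no
AllowTcpForwarding yes
Match Address 192.0.2.0/24,!192.0.2.13
    PasswordAuthentication yes
Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no
Match User deploy Address 10.0.0.0/8
    AllowTcpForwarding local
"""
```
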
MaxAuthTries
|
|
Specifies the maximum number of authentication attempts permitted
|
|
per connection. Once the number of failures reaches half this
|
|
value, additional failures are logged. The default is 6.
|
|
|
|
MaxSessions
|
|
Specifies the maximum number of open sessions permitted per
|
|
network connection. The default is 10.
|
|
|
|
MaxStartups
|
|
Specifies the maximum number of concurrent unauthenticated
|
|
connections to the SSH daemon. Additional connections will be
|
|
dropped until authentication succeeds or the LoginGraceTime
|
|
expires for a connection. The default is 10:30:100.
|
|
|
|
Alternatively, random early drop can be enabled by specifying the
|
|
three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g. "10:30:60").
|
|
sshd(8) will refuse connection attempts with a probability of
|
|
M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10)
|
|
unauthenticated connections. The probability increases linearly
|
|
and all connection attempts are refused if the number of
|
|
unauthenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60).
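
             The random early drop rule above, worked through as an added
             Python example that is not OpenSSH code.  It parses a MaxStartups
             value and computes the refusal percentage for a given number of
             pending unauthenticated connections, which makes it easy to see
             where a chosen start:rate:full setting starts shedding load.  Two
             things are this example's assumptions rather than statements on
             the page: that a bare integer N behaves as start = full = N, and
             that the per-connection decision draws a uniform number in
             [0, 100) and refuses when it is below the computed percentage.

```python
"""Model the MaxStartups random-early-drop policy.

Added example for this page, not code from OpenSSH.  Below `start` pending
connections nothing is refused, at `full` everything is, and in between the
refusal percentage rises linearly from `rate` to 100.
"""
import random


def parse_maxstartups(value):
    """Parse 'start:rate:full'.  A bare integer N is treated here as
    start = full = N (assumption): refuse everything once N are pending."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full) or not (0 <= rate <= 100):
        raise ValueError("inconsistent MaxStartups %r" % value)
    return start, rate, full


def refuse_percent(start, rate, full, pending):
    """Percentage chance that a new connection is refused when `pending`
    unauthenticated connections are already open."""
    if pending < start:
        return 0.0
    if pending >= full:
        return 100.0
    return rate + (100 - rate) * (pending - start) / (full - start)


def should_refuse(start, rate, full, pending, rng=random):
    """One probabilistic decision per incoming connection (assumed rule:
    uniform draw in [0, 100) compared with the refusal percentage)."""
    return rng.randrange(100) < refuse_percent(start, rate, full, pending)


def refusal_curve(value, points):
    """Return [(pending, percent), ...] for a MaxStartups setting."""
    start, rate, full = parse_maxstartups(value)
    return [(p, refuse_percent(start, rate, full, p)) for p in points]


if __name__ == "__main__":
    for pending, pct in refusal_curve("10:30:60", (0, 9, 10, 35, 59, 60, 100)):
        print("%3d pending -> refuse %5.1f%%" % (pending, pct))
```

             With the page's example “10:30:60”, 35 pending connections sit
             halfway between start and full, so the refusal chance is halfway
             between 30% and 100%, i.e. 65%.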

     PasswordAuthentication
             Specifies whether password authentication is allowed.  The
             default is “yes”.

     PermitEmptyPasswords
             When password authentication is allowed, it specifies whether the
             server allows login to accounts with empty password strings.  The
             default is “no”.

     PermitOpen
             Specifies the destinations to which TCP port forwarding is
             permitted.  The forwarding specification must be one of the
             following forms:

                   PermitOpen host:port
                   PermitOpen IPv4_addr:port
                   PermitOpen [IPv6_addr]:port

             Multiple forwards may be specified by separating them with
             whitespace.  An argument of “any” can be used to remove all
             restrictions and permit any forwarding requests.  An argument of
             “none” can be used to prohibit all forwarding requests.  By
             default all port forwarding requests are permitted.
     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be “yes”, “without-password”, “forced-commands-only”, or
             “no”.  The default is “no”.

             If this option is set to “without-password”, password
             authentication is disabled for root.

             If this option is set to “forced-commands-only”, root login with
             public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
             remote backups even if root login is normally not allowed).  All
             other authentication methods are disabled for root.

             If this option is set to “no”, root is not allowed to log in.

     PermitTunnel
             Specifies whether tun(4) device forwarding is allowed.  The
             argument must be “yes”, “point-to-point” (layer 3), “ethernet”
             (layer 2), or “no”.  Specifying “yes” permits both
             “point-to-point” and “ethernet”.  The default is “no”.

             Independent of this setting, the permissions of the selected
             tun(4) device must allow access to the user.

     PermitTTY
             Specifies whether pty(4) allocation is permitted.  The default is
             “yes”.

     PermitUserEnvironment
             Specifies whether ~/.ssh/environment and environment= options in
             ~/.ssh/authorized_keys are processed by sshd(8).  The default is
             “no”.  Enabling environment processing may enable users to bypass
             access restrictions in some configurations using mechanisms such
             as LD_PRELOAD.

     PermitUserRC
             Specifies whether any ~/.ssh/rc file is executed.  The default is
             “yes”.

     PidFile
             Specifies the file that contains the process ID of the SSH
             daemon, or “none” to not write one.  The default is
             /var/run/sshd.pid.
     Port    Specifies the port number that sshd(8) listens on.  The default
             is 22.  Multiple options of this type are permitted.  See also
             ListenAddress.

     PrintLastLog
             Specifies whether sshd(8) should print the date and time of the
             last user login when a user logs in interactively.  The default
             is “yes”.

     PrintMotd
             Specifies whether sshd(8) should print /etc/motd when a user logs
             in interactively.  (On some systems it is also printed by the
             shell, /etc/profile, or equivalent.)  The default is “yes”.

     Protocol
             Specifies the protocol versions sshd(8) supports.  The possible
             values are ‘1’ and ‘2’.  Multiple versions must be comma-
             separated.  The default is ‘2’.  Note that the order of the
             protocol list does not indicate preference, because the client
             selects among multiple protocol versions offered by the server.
             Specifying “2,1” is identical to “1,2”.

     PubkeyAcceptedKeyTypes
             Specifies the key types that will be accepted for public key
             authentication as a comma-separated pattern list.  The default
             “*” will allow all key types.  The -Q option of ssh(1) may be
             used to list supported key types.

     PubkeyAuthentication
             Specifies whether public key authentication is allowed.  The
             default is “yes”.  Note that this option applies to protocol
             version 2 only.
     RekeyLimit
             Specifies the maximum amount of data that may be transmitted
             before the session key is renegotiated, optionally followed by a
             maximum amount of time that may pass before the session key is
             renegotiated.  The first argument is specified in bytes and may
             have a suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes,
             Megabytes, or Gigabytes, respectively.  The default is between
             ‘1G’ and ‘4G’, depending on the cipher.  The optional second
             value is specified in seconds and may use any of the units
             documented in the TIME FORMATS section.  The default value for
             RekeyLimit is “default none”, which means that rekeying is
             performed after the cipher's default amount of data has been sent
             or received and no time based rekeying is done.  This option
             applies to protocol version 2 only.
     RevokedKeys
             Specifies revoked public keys file, or “none” to not use one.
             Keys listed in this file will be refused for public key
             authentication.  Note that if this file is not readable, then
             public key authentication will be refused for all users.  Keys
             may be specified as a text file, listing one public key per line,
             or as an OpenSSH Key Revocation List (KRL) as generated by
             ssh-keygen(1).  For more information on KRLs, see the KEY
             REVOCATION LISTS section in ssh-keygen(1).

     RhostsRSAAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful RSA host authentication is allowed.  The
             default is “no”.  This option applies to protocol version 1 only.

     RSAAuthentication
             Specifies whether pure RSA authentication is allowed.  The
             default is “yes”.  This option applies to protocol version 1
             only.

     ServerKeyBits
             Defines the number of bits in the ephemeral protocol version 1
             server key.  The minimum value is 512, and the default is 1024.
     StreamLocalBindMask
             Sets the octal file creation mode mask (umask) used when creating
             a Unix-domain socket file for local or remote port forwarding.
             This option is only used for port forwarding to a Unix-domain
             socket file.

             The default value is 0177, which creates a Unix-domain socket
             file that is readable and writable only by the owner.  Note that
             not all operating systems honor the file mode on Unix-domain
             socket files.

     StreamLocalBindUnlink
             Specifies whether to remove an existing Unix-domain socket file
             for local or remote port forwarding before creating a new one.
             If the socket file already exists and StreamLocalBindUnlink is
             not enabled, sshd will be unable to forward the port to the Unix-
             domain socket file.  This option is only used for port forwarding
             to a Unix-domain socket file.

             The argument must be “yes” or “no”.  The default is “no”.

     StrictModes
             Specifies whether sshd(8) should check file modes and ownership
             of the user's files and home directory before accepting login.
             This is normally desirable because novices sometimes accidentally
             leave their directory or files world-writable.  The default is
             “yes”.  Note that this does not apply to ChrootDirectory, whose
             permissions and ownership are checked unconditionally.
     Subsystem
             Configures an external subsystem (e.g. file transfer daemon).
             Arguments should be a subsystem name and a command (with optional
             arguments) to execute upon subsystem request.

             The command sftp-server(8) implements the “sftp” file transfer
             subsystem.

             Alternatively the name “internal-sftp” implements an in-process
             “sftp” server.  This may simplify configurations using
             ChrootDirectory to force a different filesystem root on clients.

             By default no subsystems are defined.  Note that this option
             applies to protocol version 2 only.
     SyslogFacility
             Gives the facility code that is used when logging messages from
             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
             default is AUTH.

     TCPKeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side.  If they are sent, death of the connection or
             crash of one of the machines will be properly noticed.  However,
             this means that connections will die if the route is down
             temporarily, and some people find it annoying.  On the other
             hand, if TCP keepalives are not sent, sessions may hang
             indefinitely on the server, leaving “ghost” users and consuming
             server resources.

             The default is “yes” (to send TCP keepalive messages), and the
             server will notice if the network goes down or the client host
             crashes.  This avoids infinitely hanging sessions.

             To disable TCP keepalive messages, the value should be set to
             “no”.
     TrustedUserCAKeys
             Specifies a file containing public keys of certificate
             authorities that are trusted to sign user certificates for
             authentication, or “none” to not use one.  Keys are listed one
             per line; empty lines and comments starting with ‘#’ are allowed.
             If a certificate is presented for authentication and has its
             signing CA key listed in this file, then it may be used for
             authentication for any user listed in the certificate's
             principals list.  Note that certificates that lack a list of
             principals will not be permitted for authentication using
             TrustedUserCAKeys.  For more details on certificates, see the
             CERTIFICATES section in ssh-keygen(1).

     UseDNS  Specifies whether sshd(8) should look up the remote host name and
             check that the resolved host name for the remote IP address maps
             back to the very same IP address.  The default is “no”.

     UseLogin
             Specifies whether login(1) is used for interactive login
             sessions.  The default is “no”.  Note that login(1) is never used
             for remote command execution.  Note also, that if this is
             enabled, X11Forwarding will be disabled because login(1) does not
             know how to handle xauth(1) cookies.  If UsePrivilegeSeparation
             is specified, it will be disabled after authentication.
     UsePAM  Enables the Pluggable Authentication Module interface.  If set to
             “yes” this will enable PAM authentication using
             ChallengeResponseAuthentication and PasswordAuthentication in
             addition to PAM account and session module processing for all
             authentication types.

             Because PAM challenge-response authentication usually serves an
             equivalent role to password authentication, you should disable
             either PasswordAuthentication or ChallengeResponseAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a
             non-root user.  The default is “no”.

     UsePrivilegeSeparation
             Specifies whether sshd(8) separates privileges by creating an
             unprivileged child process to deal with incoming network traffic.
             After successful authentication, another process will be created
             that has the privilege of the authenticated user.  The goal of
             privilege separation is to prevent privilege escalation by
             containing any corruption within the unprivileged processes.  The
             default is “yes”.  If UsePrivilegeSeparation is set to “sandbox”
             then the pre-authentication unprivileged process is subject to
             additional restrictions.
     VersionAddendum
             Optionally specifies additional text to append to the SSH
             protocol banner sent by the server upon connection.  The default
             is “none”.

     X11DisplayOffset
             Specifies the first display number available for sshd(8)'s X11
             forwarding.  This prevents sshd from interfering with real X11
             servers.  The default is 10.

     X11Forwarding
             Specifies whether X11 forwarding is permitted.  The argument must
             be “yes” or “no”.  The default is “no”.

             When X11 forwarding is enabled, there may be additional exposure
             to the server and to client displays if the sshd(8) proxy display
             is configured to listen on the wildcard address (see
             X11UseLocalhost below), though this is not the default.
             Additionally, the authentication spoofing and authentication data
             verification and substitution occur on the client side.  The
             security risk of using X11 forwarding is that the client's X11
             display server may be exposed to attack when the SSH client
             requests forwarding (see the warnings for ForwardX11 in
             ssh_config(5)).  A system administrator may have a stance in
             which they want to protect clients that may expose themselves to
             attack by unwittingly requesting X11 forwarding, which can
             warrant a “no” setting.

             Note that disabling X11 forwarding does not prevent users from
             forwarding X11 traffic, as users can always install their own
             forwarders.  X11 forwarding is automatically disabled if UseLogin
             is enabled.
     X11UseLocalhost
             Specifies whether sshd(8) should bind the X11 forwarding server
             to the loopback address or to the wildcard address.  By default,
             sshd binds the forwarding server to the loopback address and sets
             the hostname part of the DISPLAY environment variable to
             “localhost”.  This prevents remote hosts from connecting to the
             proxy display.  However, some older X11 clients may not function
             with this configuration.  X11UseLocalhost may be set to “no” to
             specify that the forwarding server should be bound to the
             wildcard address.  The argument must be “yes” or “no”.  The
             default is “yes”.

     XAuthLocation
             Specifies the full pathname of the xauth(1) program, or “none” to
             not use one.  The default is /usr/X11R6/bin/xauth.
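
             Several of the keywords above carry a security consequence that
             the descriptions spell out: Protocol 1, PermitRootLogin “yes”,
             PermitEmptyPasswords together with PasswordAuthentication,
             PermitUserEnvironment, UsePrivilegeSeparation “no”, StrictModes
             “no”, PermitTunnel, MaxAuthTries, and X11Forwarding with
             X11UseLocalhost “no”.  As an added example that is not part of
             OpenSSH, the Python audit below reads the effective configuration
             in the shape that sshd -T prints (lower-cased keyword, a space,
             the effective value, one per line) and reports each of those
             conditions.  The sample input is constructed, not captured from a
             real host, and the MaxAuthTries ceiling of 6 is this example's
             own threshold.

```python
"""Audit an effective sshd configuration for the settings discussed on this
page.

Added example, not code from OpenSSH.  Input lines look like the output of
`sshd -T`: lower-cased keyword, space, value.  The sample is constructed.
"""


def parse_effective(text):
    """Turn 'keyword value' lines into a dict; a keyword that repeats
    (Port, ListenAddress, ...) accumulates into a list."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key in cfg:
            existing = cfg[key] if isinstance(cfg[key], list) else [cfg[key]]
            cfg[key] = existing + [value]
        else:
            cfg[key] = value
    return cfg


def audit(cfg, max_auth_tries=6):
    """Return (keyword, finding) pairs in the order the checks run.  Each
    check follows the keyword's description in sshd_config(5)."""
    findings = []

    def get(key, default=""):
        v = cfg.get(key, default)
        return v if isinstance(v, str) else ",".join(v)

    if "1" in get("protocol").split(","):
        findings.append(("protocol", "protocol 1 is offered; only 2 should be"))
    if get("permitrootlogin") == "yes":
        findings.append(("permitrootlogin", "root may log in with a password; "
                         "use no, without-password or forced-commands-only"))
    # PermitEmptyPasswords only matters while password authentication is on.
    if get("passwordauthentication") == "yes" and get("permitemptypasswords") == "yes":
        findings.append(("permitemptypasswords",
                         "accounts with empty passwords can log in"))
    if get("permituserenvironment") == "yes":
        findings.append(("permituserenvironment",
                         "users can inject LD_PRELOAD-style variables"))
    if get("useprivilegeseparation") == "no":
        findings.append(("useprivilegeseparation",
                         "pre-auth network handling runs with full privilege"))
    if get("x11forwarding") == "yes" and get("x11uselocalhost") == "no":
        findings.append(("x11uselocalhost",
                         "proxy display bound to the wildcard address"))
    if get("strictmodes") == "no":
        findings.append(("strictmodes",
                         "world-writable ~/.ssh files and home dirs accepted"))
    if get("permittunnel") not in ("", "no"):
        findings.append(("permittunnel", "tun(4) forwarding allowed (%s); "
                         "confirm device permissions" % get("permittunnel")))
    try:
        if int(get("maxauthtries", "6")) > max_auth_tries:
            findings.append(("maxauthtries", "more than %d attempts per "
                             "connection" % max_auth_tries))
    except ValueError:
        findings.append(("maxauthtries", "not an integer: %r"
                         % get("maxauthtries")))
    return findings


# Constructed sample in the shape of `sshd -T` output (not a real host).
SAMPLE_EFFECTIVE = """\
port 22
protocol 2,1
permitrootlogin yes
passwordauthentication yes
permitemptypasswords yes
permituserenvironment no
useprivilegeseparation sandbox
x11forwarding yes
x11uselocalhost no
strictmodes yes
permittunnel no
maxauthtries 10
"""

if __name__ == "__main__":
    for key, why in audit(parse_effective(SAMPLE_EFFECTIVE)):
        print("%-24s %s" % (key, why))
```

             On a real host, feed it the output of sshd -T rather than the
             raw sshd_config, so that defaults and Match-block overrides are
             already resolved.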

TIME FORMATS
     sshd(8) command-line arguments and configuration file options that
     specify time may be expressed using a sequence of the form:
     time[qualifier], where time is a positive integer value and qualifier is
     one of the following:

           ⟨none⟩  seconds
           s | S   seconds
           m | M   minutes
           h | H   hours
           d | D   days
           w | W   weeks

     Each member of the sequence is added together to calculate the total time
     value.

     Time format examples:

           600     600 seconds (10 minutes)
           10m     10 minutes
           1h30m   1 hour 30 minutes (90 minutes)
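
     The parsing rules of this section, and the RekeyLimit argument pair that
     builds on them (bytes with an optional K/M/G suffix, then an optional
     time), as an added Python example that is not OpenSSH's own parser.  It
     walks the sequence member by member, sums the contributions, and rejects
     anything that is not integer[qualifier].  Reading K/M/G as powers of
     1024 and the function names are this example's assumptions.

```python
"""Parse TIME FORMATS sequences and RekeyLimit arguments.

Added example for this page, not code from OpenSSH.
"""
import re

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MEMBER = re.compile(r"(\d+)([smhdwSMHDW]?)")
_SIZE = re.compile(r"^(\d+)([kKmMgG]?)$")
_SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_time(text):
    """'1h30m' -> 5400.  Each member is an integer with an optional
    case-insensitive qualifier; no qualifier means seconds.  Raises
    ValueError on anything else, including an empty string."""
    pos = 0
    total = 0
    while pos < len(text):
        m = _MEMBER.match(text, pos)
        if m is None:
            raise ValueError("bad time format %r at offset %d" % (text, pos))
        total += int(m.group(1)) * _UNITS[m.group(2).lower()]
        pos = m.end()
    if pos == 0:
        raise ValueError("empty time value")
    return total


def parse_size(text):
    """'512M' -> 536870912 (K/M/G taken as powers of 1024, an assumption)."""
    m = _SIZE.match(text)
    if m is None:
        raise ValueError("bad size %r" % text)
    return int(m.group(1)) * _SIZE_UNITS[m.group(2).lower()]


def parse_rekeylimit(args):
    """Return (bytes, seconds).  None for bytes means 'default' (the
    cipher's own data limit); None for seconds means 'none' or absent (no
    time-based rekeying), matching the “default none” default above."""
    parts = args.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("RekeyLimit takes one or two arguments")
    data = None if parts[0].lower() == "default" else parse_size(parts[0])
    secs = None
    if len(parts) == 2 and parts[1].lower() != "none":
        secs = parse_time(parts[1])
    return data, secs


if __name__ == "__main__":
    for sample in ("600", "10m", "1h30m", "2w1d"):
        print("%-6s -> %d seconds" % (sample, parse_time(sample)))
    print(parse_rekeylimit("512M 1h"))
```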

FILES
     /etc/ssh/sshd_config
             Contains configuration data for sshd(8).  This file should be
             writable by root only, but it is recommended (though not
             necessary) that it be world-readable.

SEE ALSO
     sshd(8)

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
     for privilege separation.

OpenBSD 5.7                      June 5, 2015                      OpenBSD 5.7