1 | SSHD_CONFIG(5) System File Formats Manual SSHD_CONFIG(5) |
---|
2 | |
---|
3 | NAME |
---|
4 | sshd_config - OpenSSH SSH daemon configuration file |
---|
5 | |
---|
6 | SYNOPSIS |
---|
7 | /etc/ssh/sshd_config |
---|
8 | |
---|
9 | DESCRIPTION |
---|
10 | sshd reads configuration data from /etc/ssh/sshd_config (or the file |
---|
11 | specified with -f on the command line). The file contains keyword-arguM-- |
---|
12 | ment pairs, one per line. Lines starting with `#' and empty lines are |
---|
13 | interpreted as comments. |
---|
14 | |
---|
15 | The possible keywords and their meanings are as follows (note that keyM-- |
---|
16 | words are case-insensitive and arguments are case-sensitive): |
---|
17 | |
---|
18 | AFSTokenPassing |
---|
19 | Specifies whether an AFS token may be forwarded to the server. |
---|
20 | Default is ``no''. |
---|
21 | |
---|
22 | AllowGroups |
---|
23 | This keyword can be followed by a list of group name patterns, |
---|
24 | separated by spaces. If specified, login is allowed only for |
---|
25 | users whose primary group or supplementary group list matches one |
---|
26 | of the patterns. `*' and `'? can be used as wildcards in the |
---|
27 | patterns. Only group names are valid; a numerical group ID is |
---|
28 | not recognized. By default, login is allowed for all groups. |
---|
29 | |
---|
30 | AllowTcpForwarding |
---|
31 | Specifies whether TCP forwarding is permitted. The default is |
---|
32 | ``yes''. Note that disabling TCP forwarding does not improve |
---|
33 | security unless users are also denied shell access, as they can |
---|
34 | always install their own forwarders. |
---|
35 | |
---|
36 | AllowUsers |
---|
37 | This keyword can be followed by a list of user name patterns, |
---|
38 | separated by spaces. If specified, login is allowed only for |
---|
39 | users names that match one of the patterns. `*' and `'? can be |
---|
40 | used as wildcards in the patterns. Only user names are valid; a |
---|
41 | numerical user ID is not recognized. By default, login is |
---|
42 | allowed for all users. If the pattern takes the form USER@HOST |
---|
43 | then USER and HOST are separately checked, restricting logins to |
---|
44 | particular users from particular hosts. |
---|
45 | |
---|
46 | AuthorizedKeysFile |
---|
47 | Specifies the file that contains the public keys that can be used |
---|
48 | for user authentication. AuthorizedKeysFile may contain tokens |
---|
49 | of the form %T which are substituted during connection set-up. |
---|
50 | The following tokens are defined: %% is replaced by a literal |
---|
51 | '%', %h is replaced by the home directory of the user being |
---|
52 | authenticated and %u is replaced by the username of that user. |
---|
53 | After expansion, AuthorizedKeysFile is taken to be an absolute |
---|
54 | path or one relative to the user's home directory. The default |
---|
55 | is ``.ssh/authorized_keys''. |
---|
56 | |
---|
57 | Banner In some jurisdictions, sending a warning message before authentiM-- |
---|
58 | cation may be relevant for getting legal protection. The conM-- |
---|
59 | tents of the specified file are sent to the remote user before |
---|
60 | authentication is allowed. This option is only available for |
---|
61 | protocol version 2. By default, no banner is displayed. |
---|
62 | |
---|
63 | ChallengeResponseAuthentication |
---|
64 | Specifies whether challenge response authentication is allowed. |
---|
65 | All authentication styles from login.conf(5) are supported. The |
---|
66 | default is ``yes''. |
---|
67 | |
---|
68 | Ciphers |
---|
69 | Specifies the ciphers allowed for protocol version 2. Multiple |
---|
70 | ciphers must be comma-separated. The default is |
---|
71 | |
---|
72 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
---|
73 | aes192-cbc,aes256-cbc'' |
---|
74 | |
---|
75 | ClientAliveInterval |
---|
76 | Sets a timeout interval in seconds after which if no data has |
---|
77 | been received from the client, sshd will send a message through |
---|
78 | the encrypted channel to request a response from the client. The |
---|
79 | default is 0, indicating that these messages will not be sent to |
---|
80 | the client. This option applies to protocol version 2 only. |
---|
81 | |
---|
82 | ClientAliveCountMax |
---|
83 | Sets the number of client alive messages (see above) which may be |
---|
84 | sent without sshd receiving any messages back from the client. If |
---|
85 | this threshold is reached while client alive messages are being |
---|
86 | sent, sshd will disconnect the client, terminating the session. |
---|
87 | It is important to note that the use of client alive messages is |
---|
88 | very different from KeepAlive (below). The client alive messages |
---|
89 | are sent through the encrypted channel and therefore will not be |
---|
90 | spoofable. The TCP keepalive option enabled by KeepAlive is |
---|
91 | spoofable. The client alive mechanism is valuable when the client |
---|
92 | or server depend on knowing when a connection has become inacM-- |
---|
93 | tive. |
---|
94 | |
---|
95 | The default value is 3. If ClientAliveInterval (above) is set to |
---|
96 | 15, and ClientAliveCountMax is left at the default, unresponsive |
---|
97 | ssh clients will be disconnected after approximately 45 seconds. |
---|
98 | |
---|
99 | Compression |
---|
100 | Specifies whether compression is allowed. The argument must be |
---|
101 | ``yes'' or ``no''. The default is ``yes''. |
---|
102 | |
---|
103 | DenyGroups |
---|
104 | This keyword can be followed by a list of group name patterns, |
---|
105 | separated by spaces. Login is disallowed for users whose primary |
---|
106 | group or supplementary group list matches one of the patterns. |
---|
107 | `*' and `'? can be used as wildcards in the patterns. Only |
---|
108 | group names are valid; a numerical group ID is not recognized. |
---|
109 | By default, login is allowed for all groups. |
---|
110 | |
---|
111 | DenyUsers |
---|
112 | This keyword can be followed by a list of user name patterns, |
---|
113 | separated by spaces. Login is disallowed for user names that |
---|
114 | match one of the patterns. `*' and `'? can be used as wildcards |
---|
115 | in the patterns. Only user names are valid; a numerical user ID |
---|
116 | is not recognized. By default, login is allowed for all users. |
---|
117 | If the pattern takes the form USER@HOST then USER and HOST are |
---|
118 | separately checked, restricting logins to particular users from |
---|
119 | particular hosts. |
---|
120 | |
---|
121 | GatewayPorts |
---|
122 | Specifies whether remote hosts are allowed to connect to ports |
---|
123 | forwarded for the client. By default, sshd binds remote port |
---|
124 | forwardings to the loopback address. This prevents other remote |
---|
125 | hosts from connecting to forwarded ports. GatewayPorts can be |
---|
126 | used to specify that sshd should bind remote port forwardings to |
---|
127 | the wildcard address, thus allowing remote hosts to connect to |
---|
128 | forwarded ports. The argument must be ``yes'' or ``no''. The |
---|
129 | default is ``no''. |
---|
130 | |
---|
131 | HostbasedAuthentication |
---|
132 | Specifies whether rhosts or /etc/hosts.equiv authentication |
---|
133 | together with successful public key client host authentication is |
---|
134 | allowed (hostbased authentication). This option is similar to |
---|
135 | RhostsRSAAuthentication and applies to protocol version 2 only. |
---|
136 | The default is ``no''. |
---|
137 | |
---|
138 | HostKey |
---|
139 | Specifies a file containing a private host key used by SSH. The |
---|
140 | default is /etc/ssh/ssh_host_key for protocol version 1, and |
---|
141 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for proM-- |
---|
142 | tocol version 2. Note that sshd will refuse to use a file if it |
---|
143 | is group/world-accessible. It is possible to have multiple host |
---|
144 | key files. ``rsa1'' keys are used for version 1 and ``dsa'' or |
---|
145 | ``rsa'' are used for version 2 of the SSH protocol. |
---|
146 | |
---|
147 | IgnoreRhosts |
---|
148 | Specifies that .rhosts and .shosts files will not be used in |
---|
149 | RhostsAuthentication, RhostsRSAAuthentication or |
---|
150 | HostbasedAuthentication. |
---|
151 | |
---|
152 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The |
---|
153 | default is ``yes''. |
---|
154 | |
---|
155 | IgnoreUserKnownHosts |
---|
156 | Specifies whether sshd should ignore the user's |
---|
157 | $HOME/.ssh/known_hosts during RhostsRSAAuthentication or |
---|
158 | HostbasedAuthentication. The default is ``no''. |
---|
159 | |
---|
160 | KeepAlive |
---|
161 | Specifies whether the system should send TCP keepalive messages |
---|
162 | to the other side. If they are sent, death of the connection or |
---|
163 | crash of one of the machines will be properly noticed. However, |
---|
164 | this means that connections will die if the route is down temM-- |
---|
165 | porarily, and some people find it annoying. On the other hand, |
---|
166 | if keepalives are not sent, sessions may hang indefinitely on the |
---|
167 | server, leaving ``ghost'' users and consuming server resources. |
---|
168 | |
---|
169 | The default is ``yes'' (to send keepalives), and the server will |
---|
170 | notice if the network goes down or the client host crashes. This |
---|
171 | avoids infinitely hanging sessions. |
---|
172 | |
---|
173 | To disable keepalives, the value should be set to ``no''. |
---|
174 | |
---|
175 | KerberosAuthentication |
---|
176 | Specifies whether Kerberos authentication is allowed. This can |
---|
177 | be in the form of a Kerberos ticket, or if PasswordAuthentication |
---|
178 | is yes, the password provided by the user will be validated |
---|
179 | through the Kerberos KDC. To use this option, the server needs a |
---|
180 | Kerberos servtab which allows the verification of the KDC's idenM-- |
---|
181 | tity. Default is ``no''. |
---|
182 | |
---|
183 | KerberosOrLocalPasswd |
---|
184 | If set then if password authentication through Kerberos fails |
---|
185 | then the password will be validated via any additional local |
---|
186 | mechanism such as /etc/passwd. Default is ``yes''. |
---|
187 | |
---|
188 | KerberosTgtPassing |
---|
189 | Specifies whether a Kerberos TGT may be forwarded to the server. |
---|
190 | Default is ``no'', as this only works when the Kerberos KDC is |
---|
191 | actually an AFS kaserver. |
---|
192 | |
---|
193 | KerberosTicketCleanup |
---|
194 | Specifies whether to automatically destroy the user's ticket |
---|
195 | cache file on logout. Default is ``yes''. |
---|
196 | |
---|
197 | KeyRegenerationInterval |
---|
198 | In protocol version 1, the ephemeral server key is automatically |
---|
199 | regenerated after this many seconds (if it has been used). The |
---|
200 | purpose of regeneration is to prevent decrypting captured sesM-- |
---|
201 | sions by later breaking into the machine and stealing the keys. |
---|
202 | The key is never stored anywhere. If the value is 0, the key is |
---|
203 | never regenerated. The default is 3600 (seconds). |
---|
204 | |
---|
205 | ListenAddress |
---|
206 | Specifies the local addresses sshd should listen on. The followM-- |
---|
207 | ing forms may be used: |
---|
208 | |
---|
209 | ListenAddress host|IPv4_addr|IPv6_addr |
---|
210 | ListenAddress host|IPv4_addr:port |
---|
211 | ListenAddress [host|IPv6_addr]:port |
---|
212 | |
---|
213 | If port is not specified, sshd will listen on the address and all |
---|
214 | prior Port options specified. The default is to listen on all |
---|
215 | local addresses. Multiple ListenAddress options are permitted. |
---|
216 | Additionally, any Port options must precede this option for non |
---|
217 | port qualified addresses. |
---|
218 | |
---|
219 | LoginGraceTime |
---|
220 | The server disconnects after this time if the user has not sucM-- |
---|
221 | cessfully logged in. If the value is 0, there is no time limit. |
---|
222 | The default is 120 seconds. |
---|
223 | |
---|
224 | LogLevel |
---|
225 | Gives the verbosity level that is used when logging messages from |
---|
226 | sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-- |
---|
227 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. |
---|
228 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
---|
229 | higher levels of debugging output. Logging with a DEBUG level |
---|
230 | violates the privacy of users and is not recommended. |
---|
231 | |
---|
232 | MACs Specifies the available MAC (message authentication code) algoM-- |
---|
233 | rithms. The MAC algorithm is used in protocol version 2 for data |
---|
234 | integrity protection. Multiple algorithms must be comma-sepaM-- |
---|
235 | rated. The default is |
---|
236 | ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. |
---|
237 | |
---|
238 | MaxStartups |
---|
239 | Specifies the maximum number of concurrent unauthenticated conM-- |
---|
240 | nections to the sshd daemon. Additional connections will be |
---|
241 | dropped until authentication succeeds or the LoginGraceTime |
---|
242 | expires for a connection. The default is 10. |
---|
243 | |
---|
244 | Alternatively, random early drop can be enabled by specifying the |
---|
245 | three colon separated values ``start:rate:full'' (e.g., |
---|
246 | "10:30:60"). sshd will refuse connection attempts with a probaM-- |
---|
247 | bility of ``rate/100'' (30%) if there are currently ``start'' |
---|
248 | (10) unauthenticated connections. The probability increases linM-- |
---|
249 | early and all connection attempts are refused if the number of |
---|
250 | unauthenticated connections reaches ``full'' (60). |
---|
251 | |
---|
252 | PAMAuthenticationViaKbdInt |
---|
253 | Specifies whether PAM challenge response authentication is |
---|
254 | allowed. This allows the use of most PAM challenge response |
---|
255 | authentication modules, but it will allow password authentication |
---|
256 | regardless of whether PasswordAuthentication is enabled. |
---|
257 | |
---|
258 | PasswordAuthentication |
---|
259 | Specifies whether password authentication is allowed. The |
---|
260 | default is ``yes''. |
---|
261 | |
---|
262 | PermitEmptyPasswords |
---|
263 | When password authentication is allowed, it specifies whether the |
---|
264 | server allows login to accounts with empty password strings. The |
---|
265 | default is ``no''. |
---|
266 | |
---|
267 | PermitRootLogin |
---|
268 | Specifies whether root can login using ssh(1). The argument must |
---|
269 | be ``yes'', ``without-password'', ``forced-commands-only'' or |
---|
270 | ``no''. The default is ``yes''. |
---|
271 | |
---|
272 | If this option is set to ``without-password'' password authentiM-- |
---|
273 | cation is disabled for root. |
---|
274 | |
---|
275 | If this option is set to ``forced-commands-only'' root login with |
---|
276 | public key authentication will be allowed, but only if the |
---|
277 | command option has been specified (which may be useful for taking |
---|
278 | remote backups even if root login is normally not allowed). All |
---|
279 | other authentication methods are disabled for root. |
---|
280 | |
---|
281 | If this option is set to ``no'' root is not allowed to login. |
---|
282 | |
---|
283 | PermitUserEnvironment |
---|
284 | Specifies whether ~/.ssh/environment and environment= options in |
---|
285 | ~/.ssh/authorized_keys are processed by sshd. The default is |
---|
286 | ``no''. Enabling environment processing may enable users to |
---|
287 | bypass access restrictions in some configurations using mechaM-- |
---|
288 | nisms such as LD_PRELOAD. |
---|
289 | |
---|
290 | PidFile |
---|
291 | Specifies the file that contains the process ID of the sshd daeM-- |
---|
292 | mon. The default is /var/run/sshd.pid. |
---|
293 | |
---|
294 | Port Specifies the port number that sshd listens on. The default is |
---|
295 | 22. Multiple options of this type are permitted. See also |
---|
296 | ListenAddress. |
---|
297 | |
---|
298 | PrintLastLog |
---|
299 | Specifies whether sshd should print the date and time when the |
---|
300 | user last logged in. The default is ``yes''. |
---|
301 | |
---|
302 | PrintMotd |
---|
303 | Specifies whether sshd should print /etc/motd when a user logs in |
---|
304 | interactively. (On some systems it is also printed by the shell, |
---|
305 | /etc/profile, or equivalent.) The default is ``yes''. |
---|
306 | |
---|
307 | Protocol |
---|
308 | Specifies the protocol versions sshd supports. The possible valM-- |
---|
309 | ues are ``1'' and ``2''. Multiple versions must be comma-sepaM-- |
---|
310 | rated. The default is ``2,1''. Note that the order of the proM-- |
---|
311 | tocol list does not indicate preference, because the client |
---|
312 | selects among multiple protocol versions offered by the server. |
---|
313 | Specifying ``2,1'' is identical to ``1,2''. |
---|
314 | |
---|
315 | PubkeyAuthentication |
---|
316 | Specifies whether public key authentication is allowed. The |
---|
317 | default is ``yes''. Note that this option applies to protocol |
---|
318 | version 2 only. |
---|
319 | |
---|
320 | RhostsAuthentication |
---|
321 | Specifies whether authentication using rhosts or /etc/hosts.equiv |
---|
322 | files is sufficient. Normally, this method should not be permitM-- |
---|
323 | ted because it is insecure. RhostsRSAAuthentication should be |
---|
324 | used instead, because it performs RSA-based host authentication |
---|
325 | in addition to normal rhosts or /etc/hosts.equiv authentication. |
---|
326 | The default is ``no''. This option applies to protocol version 1 |
---|
327 | only. |
---|
328 | |
---|
329 | RhostsRSAAuthentication |
---|
330 | Specifies whether rhosts or /etc/hosts.equiv authentication |
---|
331 | together with successful RSA host authentication is allowed. The |
---|
332 | default is ``no''. This option applies to protocol version 1 |
---|
333 | only. |
---|
334 | |
---|
335 | RSAAuthentication |
---|
336 | Specifies whether pure RSA authentication is allowed. The |
---|
337 | default is ``yes''. This option applies to protocol version 1 |
---|
338 | only. |
---|
339 | |
---|
340 | ServerKeyBits |
---|
341 | Defines the number of bits in the ephemeral protocol version 1 |
---|
342 | server key. The minimum value is 512, and the default is 768. |
---|
343 | |
---|
344 | StrictModes |
---|
345 | Specifies whether sshd should check file modes and ownership of |
---|
346 | the user's files and home directory before accepting login. This |
---|
347 | is normally desirable because novices sometimes accidentally |
---|
348 | leave their directory or files world-writable. The default is |
---|
349 | ``yes''. |
---|
350 | |
---|
351 | Subsystem |
---|
352 | Configures an external subsystem (e.g., file transfer daemon). |
---|
353 | Arguments should be a subsystem name and a command to execute |
---|
354 | upon subsystem request. The command sftp-server(8) implements |
---|
355 | the ``sftp'' file transfer subsystem. By default no subsystems |
---|
356 | are defined. Note that this option applies to protocol version 2 |
---|
357 | only. |
---|
358 | |
---|
359 | SyslogFacility |
---|
360 | Gives the facility code that is used when logging messages from |
---|
361 | sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, |
---|
362 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The |
---|
363 | default is AUTH. |
---|
364 | |
---|
365 | UseLogin |
---|
366 | Specifies whether login(1) is used for interactive login sesM-- |
---|
367 | sions. The default is ``no''. Note that login(1) is never used |
---|
368 | for remote command execution. Note also, that if this is |
---|
369 | enabled, X11Forwarding will be disabled because login(1) does not |
---|
370 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation |
---|
371 | is specified, it will be disabled after authentication. |
---|
372 | |
---|
373 | UsePrivilegeSeparation |
---|
374 | Specifies whether sshd separates privileges by creating an |
---|
375 | unprivileged child process to deal with incoming network traffic. |
---|
376 | After successful authentication, another process will be created |
---|
377 | that has the privilege of the authenticated user. The goal of |
---|
378 | privilege separation is to prevent privilege escalation by conM-- |
---|
379 | taining any corruption within the unprivileged processes. The |
---|
380 | default is ``yes''. |
---|
381 | |
---|
382 | VerifyReverseMapping |
---|
383 | Specifies whether sshd should try to verify the remote host name |
---|
384 | and check that the resolved host name for the remote IP address |
---|
385 | maps back to the very same IP address. The default is ``no''. |
---|
386 | |
---|
387 | X11DisplayOffset |
---|
388 | Specifies the first display number available for sshd's X11 forM-- |
---|
389 | warding. This prevents sshd from interfering with real X11 |
---|
390 | servers. The default is 10. |
---|
391 | |
---|
392 | X11Forwarding |
---|
393 | Specifies whether X11 forwarding is permitted. The argument must |
---|
394 | be ``yes'' or ``no''. The default is ``no''. |
---|
395 | |
---|
396 | When X11 forwarding is enabled, there may be additional exposure |
---|
397 | to the server and to client displays if the sshd proxy display is |
---|
398 | configured to listen on the wildcard address (see X11UseLocalhost |
---|
399 | below), however this is not the default. Additionally, the |
---|
400 | authentication spoofing and authentication data verification and |
---|
401 | substitution occur on the client side. The security risk of |
---|
402 | using X11 forwarding is that the client's X11 display server may |
---|
403 | be exposed to attack when the ssh client requests forwarding (see |
---|
404 | the warnings for ForwardX11 in ssh_config(5) ). A system adminisM-- |
---|
405 | trator may have a stance in which they want to protect clients |
---|
406 | that may expose themselves to attack by unwittingly requesting |
---|
407 | X11 forwarding, which can warrant a ``no'' setting. |
---|
408 | |
---|
409 | Note that disabling X11 forwarding does not prevent users from |
---|
410 | forwarding X11 traffic, as users can always install their own |
---|
411 | forwarders. X11 forwarding is automatically disabled if UseLogin |
---|
412 | is enabled. |
---|
413 | |
---|
414 | X11UseLocalhost |
---|
415 | Specifies whether sshd should bind the X11 forwarding server to |
---|
416 | the loopback address or to the wildcard address. By default, |
---|
417 | sshd binds the forwarding server to the loopback address and sets |
---|
418 | the hostname part of the DISPLAY environment variable to |
---|
419 | ``localhost''. This prevents remote hosts from connecting to the |
---|
420 | proxy display. However, some older X11 clients may not function |
---|
421 | with this configuration. X11UseLocalhost may be set to ``no'' to |
---|
422 | specify that the forwarding server should be bound to the wildM-- |
---|
423 | card address. The argument must be ``yes'' or ``no''. The |
---|
424 | default is ``yes''. |
---|
425 | |
---|
426 | XAuthLocation |
---|
427 | Specifies the full pathname of the xauth(1) program. The default |
---|
428 | is /usr/X11R6/bin/xauth. |
---|
429 | |
---|
430 | Time Formats |
---|
431 | |
---|
432 | sshd command-line arguments and configuration file options that specify |
---|
433 | time may be expressed using a sequence of the form: time[qualifier], |
---|
434 | where time is a positive integer value and qualifier is one of the folM-- |
---|
435 | lowing: |
---|
436 | |
---|
437 | <none> seconds |
---|
438 | s | S seconds |
---|
439 | m | M minutes |
---|
440 | h | H hours |
---|
441 | d | D days |
---|
442 | w | W weeks |
---|
443 | |
---|
444 | Each member of the sequence is added together to calculate the total time |
---|
445 | value. |
---|
446 | |
---|
447 | Time format examples: |
---|
448 | |
---|
449 | 600 600 seconds (10 minutes) |
---|
450 | 10m 10 minutes |
---|
451 | 1h30m 1 hour 30 minutes (90 minutes) |
---|
452 | |
---|
453 | FILES |
---|
454 | /etc/ssh/sshd_config |
---|
455 | Contains configuration data for sshd. This file should be |
---|
456 | writable by root only, but it is recommended (though not necesM-- |
---|
457 | sary) that it be world-readable. |
---|
458 | |
---|
459 | AUTHORS |
---|
460 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
---|
461 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
---|
462 | de Raadt and Dug Song removed many bugs, re-added newer features and creM-- |
---|
463 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
---|
464 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
---|
465 | for privilege separation. |
---|
466 | |
---|
467 | SEE ALSO |
---|
468 | sshd(8) |
---|
469 | |
---|
470 | BSD September 25, 1999 BSD |
---|