source: trunk/third/openssh/sshd_config.5 @ 18763

Revision 18763, 22.8 KB checked in by zacheiss, 22 years ago (diff)
Merge openssh 3.5p1.
Line 
1.\"  -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\"                    All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose.  Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
14.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
15.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
16.\"
17.\" Redistribution and use in source and binary forms, with or without
18.\" modification, are permitted provided that the following conditions
19.\" are met:
20.\" 1. Redistributions of source code must retain the above copyright
21.\"    notice, this list of conditions and the following disclaimer.
22.\" 2. Redistributions in binary form must reproduce the above copyright
23.\"    notice, this list of conditions and the following disclaimer in the
24.\"    documentation and/or other materials provided with the distribution.
25.\"
26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
38.Dd September 25, 1999
39.Dt SSHD_CONFIG 5
40.Os
41.Sh NAME
42.Nm sshd_config
43.Nd OpenSSH SSH daemon configuration file
44.Sh SYNOPSIS
45.Bl -tag -width Ds -compact
46.It Pa /etc/ssh/sshd_config
47.El
48.Sh DESCRIPTION
49.Nm sshd
50reads configuration data from
51.Pa /etc/ssh/sshd_config
52(or the file specified with
53.Fl f
54on the command line).
55The file contains keyword-argument pairs, one per line.
56Lines starting with
57.Ql #
58and empty lines are interpreted as comments.
59.Pp
60The possible
61keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive):
63.Bl -tag -width Ds
64.It Cm AFSTokenPassing
65Specifies whether an AFS token may be forwarded to the server.
66Default is
67.Dq no .
68.It Cm AllowGroups
69This keyword can be followed by a list of group name patterns, separated
70by spaces.
71If specified, login is allowed only for users whose primary
72group or supplementary group list matches one of the patterns.
73.Ql \&*
74and
75.Ql ?
76can be used as
77wildcards in the patterns.
78Only group names are valid; a numerical group ID is not recognized.
79By default, login is allowed for all groups.
80.Pp
81.It Cm AllowTcpForwarding
82Specifies whether TCP forwarding is permitted.
83The default is
84.Dq yes .
85Note that disabling TCP forwarding does not improve security unless
86users are also denied shell access, as they can always install their
87own forwarders.
88.Pp
89.It Cm AllowUsers
90This keyword can be followed by a list of user name patterns, separated
91by spaces.
92If specified, login is allowed only for users names that
93match one of the patterns.
94.Ql \&*
95and
96.Ql ?
97can be used as
98wildcards in the patterns.
99Only user names are valid; a numerical user ID is not recognized.
100By default, login is allowed for all users.
101If the pattern takes the form USER@HOST then USER and HOST
102are separately checked, restricting logins to particular
103users from particular hosts.
104.Pp
105.It Cm AuthorizedKeysFile
106Specifies the file that contains the public keys that can be used
107for user authentication.
108.Cm AuthorizedKeysFile
109may contain tokens of the form %T which are substituted during connection
110set-up. The following tokens are defined: %% is replaced by a literal '%',
111%h is replaced by the home directory of the user being authenticated and
112%u is replaced by the username of that user.
113After expansion,
114.Cm AuthorizedKeysFile
115is taken to be an absolute path or one relative to the user's home
116directory.
117The default is
118.Dq .ssh/authorized_keys .
119.It Cm Banner
120In some jurisdictions, sending a warning message before authentication
121may be relevant for getting legal protection.
122The contents of the specified file are sent to the remote user before
123authentication is allowed.
124This option is only available for protocol version 2.
125By default, no banner is displayed.
126.Pp
127.It Cm ChallengeResponseAuthentication
128Specifies whether challenge response authentication is allowed.
129All authentication styles from
130.Xr login.conf 5
131are supported.
132The default is
133.Dq yes .
134.It Cm Ciphers
135Specifies the ciphers allowed for protocol version 2.
136Multiple ciphers must be comma-separated.
137The default is
138.Pp
139.Bd -literal
140  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
141    aes192-cbc,aes256-cbc''
142.Ed
143.It Cm ClientAliveInterval
144Sets a timeout interval in seconds after which if no data has been received
145from the client,
146.Nm sshd
147will send a message through the encrypted
148channel to request a response from the client.
149The default
150is 0, indicating that these messages will not be sent to the client.
151This option applies to protocol version 2 only.
152.It Cm ClientAliveCountMax
153Sets the number of client alive messages (see above) which may be
154sent without
155.Nm sshd
156receiving any messages back from the client. If this threshold is
157reached while client alive messages are being sent,
158.Nm sshd
159will disconnect the client, terminating the session. It is important
160to note that the use of client alive messages is very different from
161.Cm KeepAlive
162(below). The client alive messages are sent through the
163encrypted channel and therefore will not be spoofable. The TCP keepalive
164option enabled by
165.Cm KeepAlive
166is spoofable. The client alive mechanism is valuable when the client or
167server depend on knowing when a connection has become inactive.
168.Pp
169The default value is 3. If
170.Cm ClientAliveInterval
171(above) is set to 15, and
172.Cm ClientAliveCountMax
173is left at the default, unresponsive ssh clients
174will be disconnected after approximately 45 seconds.
175.It Cm Compression
176Specifies whether compression is allowed.
177The argument must be
178.Dq yes
179or
180.Dq no .
181The default is
182.Dq yes .
183.It Cm DenyGroups
184This keyword can be followed by a list of group name patterns, separated
185by spaces.
186Login is disallowed for users whose primary group or supplementary
187group list matches one of the patterns.
188.Ql \&*
189and
190.Ql ?
191can be used as
192wildcards in the patterns.
193Only group names are valid; a numerical group ID is not recognized.
194By default, login is allowed for all groups.
195.Pp
196.It Cm DenyUsers
197This keyword can be followed by a list of user name patterns, separated
198by spaces.
199Login is disallowed for user names that match one of the patterns.
200.Ql \&*
201and
202.Ql ?
203can be used as wildcards in the patterns.
204Only user names are valid; a numerical user ID is not recognized.
205By default, login is allowed for all users.
206If the pattern takes the form USER@HOST then USER and HOST
207are separately checked, restricting logins to particular
208users from particular hosts.
209.It Cm GatewayPorts
210Specifies whether remote hosts are allowed to connect to ports
211forwarded for the client.
212By default,
213.Nm sshd
214binds remote port forwardings to the loopback address.  This
215prevents other remote hosts from connecting to forwarded ports.
216.Cm GatewayPorts
217can be used to specify that
218.Nm sshd
219should bind remote port forwardings to the wildcard address,
220thus allowing remote hosts to connect to forwarded ports.
221The argument must be
222.Dq yes
223or
224.Dq no .
225The default is
226.Dq no .
227.It Cm HostbasedAuthentication
228Specifies whether rhosts or /etc/hosts.equiv authentication together
229with successful public key client host authentication is allowed
230(hostbased authentication).
231This option is similar to
232.Cm RhostsRSAAuthentication
233and applies to protocol version 2 only.
234The default is
235.Dq no .
236.It Cm HostKey
237Specifies a file containing a private host key
238used by SSH.
239The default is
240.Pa /etc/ssh/ssh_host_key
241for protocol version 1, and
242.Pa /etc/ssh/ssh_host_rsa_key
243and
244.Pa /etc/ssh/ssh_host_dsa_key
245for protocol version 2.
246Note that
247.Nm sshd
248will refuse to use a file if it is group/world-accessible.
249It is possible to have multiple host key files.
250.Dq rsa1
251keys are used for version 1 and
252.Dq dsa
253or
254.Dq rsa
255are used for version 2 of the SSH protocol.
256.It Cm GssapiAuthentication
257Specifies whether authentication based on GSSAPI may be used, either using
258the result of a successful key exchange, or using GSSAPI user
259authentication.
260The default is
261.Dq yes .
262Note that this option applies to protocol version 2 only.
263.It Cm GssapiKeyExchange
264Specifies whether key exchange based on GSSAPI may be used. When using
265GSSAPI key exchange the server need not have a host key.
266The default is
267.Dq yes .
268Note that this option applies to protocol version 2 only.
269.It Cm GssapiUseSessionCredCache
270Specifies whether a unique credentials cache name should be generated per
271session for storing delegated credentials.
272The default is
273.Dq yes .
274Note that this option applies to protocol version 2 only.
275
276.It Cm IgnoreRhosts
277Specifies that
278.Pa .rhosts
279and
280.Pa .shosts
281files will not be used in
282.Cm RhostsAuthentication ,
283.Cm RhostsRSAAuthentication
284or
285.Cm HostbasedAuthentication .
286.Pp
287.Pa /etc/hosts.equiv
288and
289.Pa /etc/shosts.equiv
290are still used.
291The default is
292.Dq yes .
293.It Cm IgnoreUserKnownHosts
294Specifies whether
295.Nm sshd
296should ignore the user's
297.Pa $HOME/.ssh/known_hosts
298during
299.Cm RhostsRSAAuthentication
300or
301.Cm HostbasedAuthentication .
302The default is
303.Dq no .
304.It Cm KeepAlive
305Specifies whether the system should send TCP keepalive messages to the
306other side.
307If they are sent, death of the connection or crash of one
308of the machines will be properly noticed.
309However, this means that
310connections will die if the route is down temporarily, and some people
311find it annoying.
312On the other hand, if keepalives are not sent,
313sessions may hang indefinitely on the server, leaving
314.Dq ghost
315users and consuming server resources.
316.Pp
317The default is
318.Dq yes
319(to send keepalives), and the server will notice
320if the network goes down or the client host crashes.
321This avoids infinitely hanging sessions.
322.Pp
323To disable keepalives, the value should be set to
324.Dq no .
325.It Cm Kerberos524
326Specifies whether Kerberos 4 tickets should be obtained
327from Kerberos 5 tickets, similar to
328.Xr krb524init 1 . 
329Default is
330.Dq yes .
331.It Cm KerberosAuthentication
332Specifies whether Kerberos authentication is allowed.
333This can be in the form of a Kerberos ticket, or if
334.Cm PasswordAuthentication
335is yes, the password provided by the user will be validated through
336the Kerberos KDC.
337To use this option, the server needs a
338Kerberos servtab which allows the verification of the KDC's identity.
339Default is
340.Dq no .
341.It Cm KerberosOrLocalPasswd
342If set then if password authentication through Kerberos fails then
343the password will be validated via any additional local mechanism
344such as
345.Pa /etc/passwd .
346Default is
347.Dq yes .
348.It Cm KerberosTgtPassing
349Specifies whether a Kerberos TGT may be forwarded to the server.
350Default is
351.Dq no ,
352as this only works when the Kerberos KDC is actually an AFS kaserver.
353.It Cm KerberosTicketCleanup
354Specifies whether to automatically destroy the user's ticket cache
355file on logout.
356Default is
357.Dq yes .
358.It Cm KeyRegenerationInterval
359In protocol version 1, the ephemeral server key is automatically regenerated
360after this many seconds (if it has been used).
361The purpose of regeneration is to prevent
362decrypting captured sessions by later breaking into the machine and
363stealing the keys.
364The key is never stored anywhere.
365If the value is 0, the key is never regenerated.
366The default is 3600 (seconds).
367.It Cm ListenAddress
368Specifies the local addresses
369.Nm sshd
370should listen on.
371The following forms may be used:
372.Pp
373.Bl -item -offset indent -compact
374.It
375.Cm ListenAddress
376.Sm off
377.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
378.Sm on
379.It
380.Cm ListenAddress
381.Sm off
382.Ar host No | Ar IPv4_addr No : Ar port
383.Sm on
384.It
385.Cm ListenAddress
386.Sm off
387.Oo
388.Ar host No | Ar IPv6_addr Oc : Ar port
389.Sm on
390.El
391.Pp
392If
393.Ar port
394is not specified,
395.Nm sshd
396will listen on the address and all prior
397.Cm Port
398options specified. The default is to listen on all local
399addresses.  Multiple
400.Cm ListenAddress
401options are permitted. Additionally, any
402.Cm Port
403options must precede this option for non port qualified addresses.
404.It Cm LoginGraceTime
405The server disconnects after this time if the user has not
406successfully logged in.
407If the value is 0, there is no time limit.
408The default is 120 seconds.
409.It Cm LogLevel
410Gives the verbosity level that is used when logging messages from
411.Nm sshd .
412The possible values are:
413QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
414The default is INFO.  DEBUG and DEBUG1 are equivalent.  DEBUG2
415and DEBUG3 each specify higher levels of debugging output.
416Logging with a DEBUG level violates the privacy of users
417and is not recommended.
418.It Cm MACs
419Specifies the available MAC (message authentication code) algorithms.
420The MAC algorithm is used in protocol version 2
421for data integrity protection.
422Multiple algorithms must be comma-separated.
423The default is
424.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
425.It Cm MaxStartups
426Specifies the maximum number of concurrent unauthenticated connections to the
427.Nm sshd
428daemon.
429Additional connections will be dropped until authentication succeeds or the
430.Cm LoginGraceTime
431expires for a connection.
432The default is 10.
433.Pp
434Alternatively, random early drop can be enabled by specifying
435the three colon separated values
436.Dq start:rate:full
437(e.g., "10:30:60").
438.Nm sshd
439will refuse connection attempts with a probability of
440.Dq rate/100
441(30%)
442if there are currently
443.Dq start
444(10)
445unauthenticated connections.
446The probability increases linearly and all connection attempts
447are refused if the number of unauthenticated connections reaches
448.Dq full
449(60).
450.It Cm PAMAuthenticationViaKbdInt
451Specifies whether PAM challenge response authentication is allowed. This
452allows the use of most PAM challenge response authentication modules, but
453it will allow password authentication regardless of whether
454.Cm PasswordAuthentication
455is enabled.
456.It Cm PasswordAuthentication
457Specifies whether password authentication is allowed.
458The default is
459.Dq yes .
460.It Cm PermitEmptyPasswords
461When password authentication is allowed, it specifies whether the
462server allows login to accounts with empty password strings.
463The default is
464.Dq no .
465.It Cm PermitRootLogin
466Specifies whether root can login using
467.Xr ssh 1 .
468The argument must be
469.Dq yes ,
470.Dq without-password ,
471.Dq forced-commands-only
472or
473.Dq no .
474The default is
475.Dq yes .
476.Pp
477If this option is set to
478.Dq without-password
479password authentication is disabled for root.
480.Pp
481If this option is set to
482.Dq forced-commands-only
483root login with public key authentication will be allowed,
484but only if the
485.Ar command
486option has been specified
487(which may be useful for taking remote backups even if root login is
488normally not allowed). All other authentication methods are disabled
489for root.
490.Pp
491If this option is set to
492.Dq no
493root is not allowed to login.
494.It Cm PermitUserEnvironment
495Specifies whether
496.Pa ~/.ssh/environment
497and
498.Cm environment=
499options in
500.Pa ~/.ssh/authorized_keys
501are processed by
502.Nm sshd .
503The default is
504.Dq no .
505Enabling environment processing may enable users to bypass access
506restrictions in some configurations using mechanisms such as
507.Ev LD_PRELOAD .
508.It Cm PidFile
509Specifies the file that contains the process ID of the
510.Nm sshd
511daemon.
512The default is
513.Pa /var/run/sshd.pid .
514.It Cm Port
515Specifies the port number that
516.Nm sshd
517listens on.
518The default is 22.
519Multiple options of this type are permitted.
520See also
521.Cm ListenAddress .
522.It Cm PrintLastLog
523Specifies whether
524.Nm sshd
525should print the date and time when the user last logged in.
526The default is
527.Dq yes .
528.It Cm PrintMotd
529Specifies whether
530.Nm sshd
531should print
532.Pa /etc/motd
533when a user logs in interactively.
534(On some systems it is also printed by the shell,
535.Pa /etc/profile ,
536or equivalent.)
537The default is
538.Dq yes .
539.It Cm Protocol
540Specifies the protocol versions
541.Nm sshd
542supports.
543The possible values are
544.Dq 1
545and
546.Dq 2 .
547Multiple versions must be comma-separated.
548The default is
549.Dq 2,1 .
550Note that the order of the protocol list does not indicate preference,
551because the client selects among multiple protocol versions offered
552by the server.
553Specifying
554.Dq 2,1
555is identical to
556.Dq 1,2 .
557.It Cm PubkeyAuthentication
558Specifies whether public key authentication is allowed.
559The default is
560.Dq yes .
561Note that this option applies to protocol version 2 only.
562.It Cm RhostsAuthentication
563Specifies whether authentication using rhosts or /etc/hosts.equiv
564files is sufficient.
565Normally, this method should not be permitted because it is insecure.
566.Cm RhostsRSAAuthentication
567should be used
568instead, because it performs RSA-based host authentication in addition
569to normal rhosts or /etc/hosts.equiv authentication.
570The default is
571.Dq no .
572This option applies to protocol version 1 only.
573.It Cm RhostsRSAAuthentication
574Specifies whether rhosts or /etc/hosts.equiv authentication together
575with successful RSA host authentication is allowed.
576The default is
577.Dq no .
578This option applies to protocol version 1 only.
579.It Cm RSAAuthentication
580Specifies whether pure RSA authentication is allowed.
581The default is
582.Dq yes .
583This option applies to protocol version 1 only.
584.It Cm ServerKeyBits
585Defines the number of bits in the ephemeral protocol version 1 server key.
586The minimum value is 512, and the default is 768.
587.It Cm StrictModes
588Specifies whether
589.Nm sshd
590should check file modes and ownership of the
591user's files and home directory before accepting login.
592This is normally desirable because novices sometimes accidentally leave their
593directory or files world-writable.
594The default is
595.Dq yes .
596.It Cm Subsystem
597Configures an external subsystem (e.g., file transfer daemon).
598Arguments should be a subsystem name and a command to execute upon subsystem
599request.
600The command
601.Xr sftp-server 8
602implements the
603.Dq sftp
604file transfer subsystem.
605By default no subsystems are defined.
606Note that this option applies to protocol version 2 only.
607.It Cm SyslogFacility
608Gives the facility code that is used when logging messages from
609.Nm sshd .
610The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
611LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
612The default is AUTH.
613.It Cm UseLogin
614Specifies whether
615.Xr login 1
616is used for interactive login sessions.
617The default is
618.Dq no .
619Note that
620.Xr login 1
621is never used for remote command execution.
622Note also, that if this is enabled,
623.Cm X11Forwarding
624will be disabled because
625.Xr login 1
626does not know how to handle
627.Xr xauth 1
628cookies.  If
629.Cm UsePrivilegeSeparation
630is specified, it will be disabled after authentication.
631.It Cm UsePrivilegeSeparation
632Specifies whether
633.Nm sshd
634separates privileges by creating an unprivileged child process
635to deal with incoming network traffic.  After successful authentication,
636another process will be created that has the privilege of the authenticated
637user.  The goal of privilege separation is to prevent privilege
638escalation by containing any corruption within the unprivileged processes.
639The default is
640.Dq yes .
641.It Cm VerifyReverseMapping
642Specifies whether
643.Nm sshd
644should try to verify the remote host name and check that
645the resolved host name for the remote IP address maps back to the
646very same IP address.
647The default is
648.Dq no .
649.It Cm X11DisplayOffset
650Specifies the first display number available for
651.Nm sshd Ns 's
652X11 forwarding.
653This prevents
654.Nm sshd
655from interfering with real X11 servers.
656The default is 10.
657.It Cm X11Forwarding
658Specifies whether X11 forwarding is permitted.
659The argument must be
660.Dq yes
661or
662.Dq no .
663The default is
664.Dq no .
665.Pp
666When X11 forwarding is enabled, there may be additional exposure to
667the server and to client displays if the
668.Nm sshd
669proxy display is configured to listen on the wildcard address (see
670.Cm X11UseLocalhost
671below), however this is not the default.
672Additionally, the authentication spoofing and authentication data
673verification and substitution occur on the client side.
674The security risk of using X11 forwarding is that the client's X11
675display server may be exposed to attack when the ssh client requests
676forwarding (see the warnings for
677.Cm ForwardX11
678in
679.Xr ssh_config 5 ).
680A system administrator may have a stance in which they want to
681protect clients that may expose themselves to attack by unwittingly
682requesting X11 forwarding, which can warrant a
683.Dq no
684setting.
685.Pp
686Note that disabling X11 forwarding does not prevent users from
687forwarding X11 traffic, as users can always install their own forwarders.
688X11 forwarding is automatically disabled if
689.Cm UseLogin
690is enabled.
691.It Cm X11UseLocalhost
692Specifies whether
693.Nm sshd
694should bind the X11 forwarding server to the loopback address or to
695the wildcard address.  By default,
696.Nm sshd
697binds the forwarding server to the loopback address and sets the
698hostname part of the
699.Ev DISPLAY
700environment variable to
701.Dq localhost .
702This prevents remote hosts from connecting to the proxy display.
703However, some older X11 clients may not function with this
704configuration.
705.Cm X11UseLocalhost
706may be set to
707.Dq no
708to specify that the forwarding server should be bound to the wildcard
709address.
710The argument must be
711.Dq yes
712or
713.Dq no .
714The default is
715.Dq yes .
716.It Cm XAuthLocation
717Specifies the full pathname of the
718.Xr xauth 1
719program.
720The default is
721.Pa /usr/X11R6/bin/xauth .
722.El
723.Ss Time Formats
724.Pp
725.Nm sshd
726command-line arguments and configuration file options that specify time
727may be expressed using a sequence of the form:
728.Sm off
729.Ar time Op Ar qualifier ,
730.Sm on
731where
732.Ar time
733is a positive integer value and
734.Ar qualifier
735is one of the following:
736.Pp
737.Bl -tag -width Ds -compact -offset indent
738.It Cm <none>
739seconds
740.It Cm s | Cm S
741seconds
742.It Cm m | Cm M
743minutes
744.It Cm h | Cm H
745hours
746.It Cm d | Cm D
747days
748.It Cm w | Cm W
749weeks
750.El
751.Pp
752Each member of the sequence is added together to calculate
753the total time value.
754.Pp
755Time format examples:
756.Pp
757.Bl -tag -width Ds -compact -offset indent
758.It 600
759600 seconds (10 minutes)
760.It 10m
76110 minutes
762.It 1h30m
7631 hour 30 minutes (90 minutes)
764.El
765.Sh FILES
766.Bl -tag -width Ds
767.It Pa /etc/ssh/sshd_config
768Contains configuration data for
769.Nm sshd .
770This file should be writable by root only, but it is recommended
771(though not necessary) that it be world-readable.
772.El
773.Sh AUTHORS
774OpenSSH is a derivative of the original and free
775ssh 1.2.12 release by Tatu Ylonen.
776Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
777Theo de Raadt and Dug Song
778removed many bugs, re-added newer features and
779created OpenSSH.
780Markus Friedl contributed the support for SSH
781protocol versions 1.5 and 2.0.
782Niels Provos and Markus Friedl contributed support
783for privilege separation.
784.Sh SEE ALSO
785.Xr sshd 8
Note: See TracBrowser for help on using the repository browser.