.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
.Nm sshd_config
.Nd OpenSSH SSH daemon configuration file
.Sh SYNOPSIS
.Bl -tag -width Ds -compact
.It Pa /etc/ssh/sshd_config
.El
.Sh DESCRIPTION
.Nm sshd
reads configuration data from
.Pa /etc/ssh/sshd_config
(or the file specified with
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
and empty lines are interpreted as comments.
.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
.It Cm AFSTokenPassing
Specifies whether an AFS token may be forwarded to the server.
Default is
.Dq no .
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
If specified, login is allowed only for users whose primary
group or supplementary group list matches one of the patterns.
.Ql \&*
and
.Ql ?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
.Pp
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The default is
.Dq yes .
Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.Pp
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
If specified, login is allowed only for user names that
match one of the patterns.
.Ql \&*
and
.Ql ?
can be used as
wildcards in the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
.Pp
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication.
.Cm AuthorizedKeysFile
may contain tokens of the form %T which are substituted during connection
set-up. The following tokens are defined: %% is replaced by a literal '%',
%h is replaced by the home directory of the user being authenticated and
%u is replaced by the username of that user.
After expansion,
.Cm AuthorizedKeysFile
is taken to be an absolute path or one relative to the user's home
directory.
The default is
.Dq .ssh/authorized_keys .
.It Cm Banner
In some jurisdictions, sending a warning message before authentication
may be relevant for getting legal protection.
The contents of the specified file are sent to the remote user before
authentication is allowed.
This option is only available for protocol version 2.
By default, no banner is displayed.
.Pp
.It Cm ChallengeResponseAuthentication
Specifies whether challenge response authentication is allowed.
All authentication styles from
.Xr login.conf 5
are supported.
The default is
.Dq yes .
.It Cm Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated.
The default is
.Pp
.Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc''
.Ed
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
.Nm sshd
will send a message through the encrypted
channel to request a response from the client.
The default
is 0, indicating that these messages will not be sent to the client.
This option applies to protocol version 2 only.
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see above) which may be
sent without
.Nm sshd
receiving any messages back from the client. If this threshold is
reached while client alive messages are being sent,
.Nm sshd
will disconnect the client, terminating the session. It is important
to note that the use of client alive messages is very different from
.Cm KeepAlive
(below). The client alive messages are sent through the
encrypted channel and therefore will not be spoofable. The TCP keepalive
option enabled by
.Cm KeepAlive
is spoofable. The client alive mechanism is valuable when the client or
server depends on knowing when a connection has become inactive.
.Pp
The default value is 3. If
.Cm ClientAliveInterval
(above) is set to 15, and
.Cm ClientAliveCountMax
is left at the default, unresponsive ssh clients
will be disconnected after approximately 45 seconds.
.It Cm Compression
Specifies whether compression is allowed.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
Login is disallowed for users whose primary group or supplementary
group list matches one of the patterns.
.Ql \&*
and
.Ql ?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
.Pp
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
Login is disallowed for user names that match one of the patterns.
.Ql \&*
and
.Ql ?
can be used as wildcards in the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
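.Pp
As an added illustration (not code from OpenSSH or from this manual page), the following C program evaluates the
.Cm AllowUsers
and
.Cm DenyUsers
pattern rules described above: the
.Ql \&*
and
.Ql ?
wildcards, the USER@HOST form with user and host checked separately, and a constructed sample policy.
The function names and the precedence of a deny match over an allow match are assumptions of the example.
```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Match s against pat: '*' matches any run of characters (including
 * none) and '?' matches exactly one.  Written for this illustration;
 * it is not OpenSSH's own match code. */
bool wild_match(const char *pat, const char *s)
{
    for (;;) {
        if (*pat == 0)
            return *s == 0;
        if (*pat == '*') {
            while (*pat == '*')          /* "**" behaves like "*" */
                pat++;
            if (*pat == 0)
                return true;
            for (; *s != 0; s++)         /* try every remaining suffix */
                if (wild_match(pat, s))
                    return true;
            return false;
        }
        if (*s == 0 || (*pat != '?' && *pat != *s))
            return false;
        pat++;
        s++;
    }
}

/* One list entry: USER, or USER@HOST with both parts checked separately. */
bool pattern_matches(const char *pat, const char *user, const char *host)
{
    const char *at = strchr(pat, '@');
    char upat[256];
    size_t n;

    if (at == NULL)
        return wild_match(pat, user);
    n = (size_t)(at - pat);
    if (n >= sizeof upat)
        return false;                    /* oversized entry: never matches */
    memcpy(upat, pat, n);
    upat[n] = 0;
    return wild_match(upat, user) && wild_match(at + 1, host);
}

/* Does any space-separated entry of list match?  NULL/empty = unset. */
bool list_matches(const char *list, const char *user, const char *host)
{
    char tok[256];
    size_t n;

    for (; list != NULL && *list != 0; list += n) {
        list += strspn(list, " ");
        if ((n = strcspn(list, " ")) == 0)
            break;
        if (n < sizeof tok) {
            memcpy(tok, list, n);
            tok[n] = 0;
            if (pattern_matches(tok, user, host))
                return true;
        }
    }
    return false;
}

/* A user matching DenyUsers is refused; otherwise, if AllowUsers is set,
 * only matching users are permitted (assumed precedence: deny first). */
bool login_permitted(const char *allow, const char *deny,
                     const char *user, const char *host)
{
    if (list_matches(deny, user, host))
        return false;
    if (allow != NULL && *allow != 0)
        return list_matches(allow, user, host);
    return true;
}

int main(void)
{
    /* Constructed sample policy (not from any real host):
     *   AllowUsers alice bob@*.example.com ops?
     *   DenyUsers  bob@evil.example.com */
    const char *allow = "alice bob@*.example.com ops?";
    const char *deny = "bob@evil.example.com";
    const char *who[][2] = { { "alice", "home.example.net" },
                             { "bob", "dev.example.com" },
                             { "bob", "evil.example.com" },
                             { "ops12", "anywhere" } };
    size_t i;

    for (i = 0; i < sizeof who / sizeof who[0]; i++)
        printf("%-6s from %-17s -> %s\n", who[i][0], who[i][1],
               login_permitted(allow, deny, who[i][0], who[i][1])
                   ? "permitted" : "refused");
    return 0;
}
```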
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
.Nm sshd
binds remote port forwardings to the loopback address. This
prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that
.Nm sshd
should bind remote port forwardings to the wildcard address,
thus allowing remote hosts to connect to forwarded ports.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
(hostbased authentication).
This option is similar to
.Cm RhostsRSAAuthentication
and applies to protocol version 2 only.
The default is
.Dq no .
.It Cm HostKey
Specifies a file containing a private host key
used by SSH.
The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh/ssh_host_rsa_key
and
.Pa /etc/ssh/ssh_host_dsa_key
for protocol version 2.
Note that
.Nm sshd
will refuse to use a file if it is group/world-accessible.
It is possible to have multiple host key files.
.Dq rsa1
keys are used for version 1 and
.Dq dsa
or
.Dq rsa
are used for version 2 of the SSH protocol.
.It Cm GssapiAuthentication
Specifies whether authentication based on GSSAPI may be used, either using
the result of a successful key exchange, or using GSSAPI user
authentication.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm GssapiKeyExchange
Specifies whether key exchange based on GSSAPI may be used. When using
GSSAPI key exchange the server need not have a host key.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm GssapiUseSessionCredCache
Specifies whether a unique credentials cache name should be generated per
session for storing delegated credentials.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm IgnoreRhosts
Specifies that
.Pa .rhosts
and
.Pa .shosts
files will not be used in
.Cm RhostsAuthentication ,
.Cm RhostsRSAAuthentication
or
.Cm HostbasedAuthentication .
.Pp
.Pa /etc/hosts.equiv
and
.Pa /etc/shosts.equiv
are still used.
The default is
.Dq yes .
.It Cm IgnoreUserKnownHosts
Specifies whether
.Nm sshd
should ignore the user's
.Pa $HOME/.ssh/known_hosts
during
.Cm RhostsRSAAuthentication
or
.Cm HostbasedAuthentication .
The default is
.Dq no .
.It Cm KeepAlive
Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
On the other hand, if keepalives are not sent,
sessions may hang indefinitely on the server, leaving
.Dq ghost
users and consuming server resources.
.Pp
The default is
.Dq yes
(to send keepalives), and the server will notice
if the network goes down or the client host crashes.
This avoids infinitely hanging sessions.
.Pp
To disable keepalives, the value should be set to
.Dq no .
.It Cm Kerberos524
Specifies whether Kerberos 4 tickets should be obtained
from Kerberos 5 tickets, similar to
.Xr krb524init 1 .
Default is
.Dq yes .
.It Cm KerberosAuthentication
Specifies whether Kerberos authentication is allowed.
This can be in the form of a Kerberos ticket, or if
.Cm PasswordAuthentication
is yes, the password provided by the user will be validated through
the Kerberos KDC.
To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
Default is
.Dq no .
.It Cm KerberosOrLocalPasswd
If set, then when password authentication through Kerberos fails,
the password will be validated via any additional local mechanism
such as
.Pa /etc/passwd .
Default is
.Dq yes .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the server.
Default is
.Dq no ,
as this only works when the Kerberos KDC is actually an AFS kaserver.
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.
Default is
.Dq yes .
.It Cm KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated
after this many seconds (if it has been used).
The purpose of regeneration is to prevent
decrypting captured sessions by later breaking into the machine and
stealing the keys.
The key is never stored anywhere.
If the value is 0, the key is never regenerated.
The default is 3600 (seconds).
.It Cm ListenAddress
Specifies the local addresses
.Nm sshd
should listen on.
The following forms may be used:
.Pp
.Bl -item -offset indent -compact
.It
.Cm ListenAddress
.Sm off
.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
.Sm on
.It
.Cm ListenAddress
.Sm off
.Ar host No | Ar IPv4_addr No : Ar port
.Sm on
.It
.Cm ListenAddress
.Sm off
.Oo
.Ar host No | Ar IPv6_addr Oc : Ar port
.Sm on
.El
.Pp
If
.Ar port
is not specified,
.Nm sshd
will listen on the address and all prior
.Cm Port
options specified. The default is to listen on all local
addresses. Multiple
.Cm ListenAddress
options are permitted. Additionally, any
.Cm Port
options must precede this option for non-port-qualified addresses.
.It Cm LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.
If the value is 0, there is no time limit.
The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Nm sshd .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users
and is not recommended.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used in protocol version 2
for data integrity protection.
Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm sshd
daemon.
Additional connections will be dropped until authentication succeeds or the
.Cm LoginGraceTime
expires for a connection.
The default is 10.
.Pp
Alternatively, random early drop can be enabled by specifying
the three colon separated values
.Dq start:rate:full
(e.g., "10:30:60").
.Nm sshd
will refuse connection attempts with a probability of
.Dq rate/100
(30%)
if there are currently
.Dq start
(10)
unauthenticated connections.
The probability increases linearly and all connection attempts
are refused if the number of unauthenticated connections reaches
.Dq full
(60).
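.Pp
The random early drop schedule above can be worked through in code.
The following is an added example, not OpenSSH's own implementation;
the parser, the function names and the use of integer percentages are its own choices.
With "10:30:60" it yields 30% at 10 unauthenticated connections, 65% at 35 and 100% at 60 or more.
```c
#include <stdio.h>
#include <stdlib.h>

/* Parsed MaxStartups value: a plain number N is treated as N:100:N. */
struct max_startups {
    int start;   /* unauthenticated connections at which dropping begins */
    int rate;    /* refusal probability, in percent, at exactly start */
    int full;    /* unauthenticated connections at which all are refused */
};

/* Parse "10" or "10:30:60" into ms.  Returns 0 on success, -1 if the
 * value is malformed.  Added example, not OpenSSH's option parser. */
int parse_max_startups(const char *arg, struct max_startups *ms)
{
    char *end;
    long start, rate, full;

    start = strtol(arg, &end, 10);
    if (end == arg || start < 1)
        return -1;
    if (*end == 0) {                     /* plain limit: hard cutoff only */
        ms->start = ms->full = (int)start;
        ms->rate = 100;
        return 0;
    }
    if (*end != ':')
        return -1;
    rate = strtol(end + 1, &end, 10);
    if (*end != ':' || rate < 1 || rate > 100)
        return -1;
    full = strtol(end + 1, &end, 10);
    if (*end != 0 || full <= start)
        return -1;
    ms->start = (int)start;
    ms->rate = (int)rate;
    ms->full = (int)full;
    return 0;
}

/* Percentage of new connections refused when `unauth` unauthenticated
 * connections already exist: 0 below start, rate at start, rising
 * linearly to 100 at full. */
int drop_probability(const struct max_startups *ms, int unauth)
{
    if (unauth < ms->start)
        return 0;
    if (unauth >= ms->full)
        return 100;
    return ms->rate + (100 - ms->rate) * (unauth - ms->start)
                      / (ms->full - ms->start);
}

/* Turn the probability into a decision, given r drawn uniformly from
 * [0, 100).  Taking r as a parameter keeps the policy testable; a real
 * daemon would draw it from a cryptographic RNG. */
int should_drop(const struct max_startups *ms, int unauth, int r)
{
    return r < drop_probability(ms, unauth);
}

/* Convenience: drop percentage for a raw option string, or -1 if the
 * string is malformed. */
int max_startups_drop_pct(const char *arg, int unauth)
{
    struct max_startups ms;

    if (parse_max_startups(arg, &ms) != 0)
        return -1;
    return drop_probability(&ms, unauth);
}

int main(void)
{
    int unauth;

    /* Print the refusal curve for the manual page's example 10:30:60. */
    for (unauth = 0; unauth <= 70; unauth += 10)
        printf("%2d unauthenticated -> %3d%% refused\n",
               unauth, max_startups_drop_pct("10:30:60", unauth));
    return 0;
}
```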
.It Cm PAMAuthenticationViaKbdInt
Specifies whether PAM challenge response authentication is allowed. This
allows the use of most PAM challenge response authentication modules, but
it will allow password authentication regardless of whether
.Cm PasswordAuthentication
is enabled.
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
.Dq yes .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
The default is
.Dq no .
.It Cm PermitRootLogin
Specifies whether root can log in using
.Xr ssh 1 .
The argument must be
.Dq yes ,
.Dq without-password ,
.Dq forced-commands-only
or
.Dq no .
The default is
.Dq yes .
.Pp
If this option is set to
.Dq without-password
password authentication is disabled for root.
.Pp
If this option is set to
.Dq forced-commands-only
root login with public key authentication will be allowed,
but only if the
.Ar command
option has been specified
(which may be useful for taking remote backups even if root login is
normally not allowed). All other authentication methods are disabled
for root.
.Pp
If this option is set to
.Dq no
root is not allowed to log in.
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
and
.Cm environment=
options in
.Pa ~/.ssh/authorized_keys
are processed by
.Nm sshd .
The default is
.Dq no .
Enabling environment processing may enable users to bypass access
restrictions in some configurations using mechanisms such as
.Ev LD_PRELOAD .
.It Cm PidFile
Specifies the file that contains the process ID of the
.Nm sshd
daemon.
The default is
.Pa /var/run/sshd.pid .
.It Cm Port
Specifies the port number that
.Nm sshd
listens on.
The default is 22.
Multiple options of this type are permitted.
See also
.Cm ListenAddress .
.It Cm PrintLastLog
Specifies whether
.Nm sshd
should print the date and time when the user last logged in.
The default is
.Dq yes .
.It Cm PrintMotd
Specifies whether
.Nm sshd
should print
.Pa /etc/motd
when a user logs in interactively.
(On some systems it is also printed by the shell,
.Pa /etc/profile ,
or equivalent.)
The default is
.Dq yes .
.It Cm Protocol
Specifies the protocol versions
.Nm sshd
supports.
The possible values are
.Dq 1
and
.Dq 2 .
Multiple versions must be comma-separated.
The default is
.Dq 2,1 .
Note that the order of the protocol list does not indicate preference,
because the client selects among multiple protocol versions offered
by the server.
Specifying
.Dq 2,1
is identical to
.Dq 1,2 .
.It Cm PubkeyAuthentication
Specifies whether public key authentication is allowed.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm RhostsAuthentication
Specifies whether authentication using rhosts or /etc/hosts.equiv
files is sufficient.
Normally, this method should not be permitted because it is insecure.
.Cm RhostsRSAAuthentication
should be used
instead, because it performs RSA-based host authentication in addition
to normal rhosts or /etc/hosts.equiv authentication.
The default is
.Dq no .
This option applies to protocol version 1 only.
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
The default is
.Dq no .
This option applies to protocol version 1 only.
.It Cm RSAAuthentication
Specifies whether pure RSA authentication is allowed.
The default is
.Dq yes .
This option applies to protocol version 1 only.
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 768.
.It Cm StrictModes
Specifies whether
.Nm sshd
should check file modes and ownership of the
user's files and home directory before accepting login.
This is normally desirable because novices sometimes accidentally leave their
directory or files world-writable.
The default is
.Dq yes .
.It Cm Subsystem
Configures an external subsystem (e.g., file transfer daemon).
Arguments should be a subsystem name and a command to execute upon subsystem
request.
The command
.Xr sftp-server 8
implements the
.Dq sftp
file transfer subsystem.
By default no subsystems are defined.
Note that this option applies to protocol version 2 only.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Nm sshd .
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm UseLogin
Specifies whether
.Xr login 1
is used for interactive login sessions.
The default is
.Dq no .
Note that
.Xr login 1
is never used for remote command execution.
Note also that if this is enabled,
.Cm X11Forwarding
will be disabled because
.Xr login 1
does not know how to handle
.Xr xauth 1
cookies. If
.Cm UsePrivilegeSeparation
is specified, it will be disabled after authentication.
.It Cm UsePrivilegeSeparation
Specifies whether
.Nm sshd
separates privileges by creating an unprivileged child process
to deal with incoming network traffic. After successful authentication,
another process will be created that has the privilege of the authenticated
user. The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
.It Cm VerifyReverseMapping
Specifies whether
.Nm sshd
should try to verify the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
.Dq no .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Nm sshd Ns 's
X11 forwarding.
This prevents
.Nm sshd
from interfering with real X11 servers.
The default is 10.
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
.Nm sshd
proxy display is configured to listen on the wildcard address (see
.Cm X11UseLocalhost
below); however, this is not the default.
Additionally, the authentication spoofing and authentication data
verification and substitution occur on the client side.
The security risk of using X11 forwarding is that the client's X11
display server may be exposed to attack when the ssh client requests
forwarding (see the warnings for
.Cm ForwardX11
in
.Xr ssh_config 5 ).
A system administrator may have a stance in which they want to
protect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a
.Dq no
setting.
.Pp
Note that disabling X11 forwarding does not prevent users from
forwarding X11 traffic, as users can always install their own forwarders.
X11 forwarding is automatically disabled if
.Cm UseLogin
is enabled.
.It Cm X11UseLocalhost
Specifies whether
.Nm sshd
should bind the X11 forwarding server to the loopback address or to
the wildcard address. By default,
.Nm sshd
binds the forwarding server to the loopback address and sets the
hostname part of the
.Ev DISPLAY
environment variable to
.Dq localhost .
This prevents remote hosts from connecting to the proxy display.
However, some older X11 clients may not function with this
configuration.
.Cm X11UseLocalhost
may be set to
.Dq no
to specify that the forwarding server should be bound to the wildcard
address.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq yes .
.It Cm XAuthLocation
Specifies the full pathname of the
.Xr xauth 1
program.
The default is
.Pa /usr/X11R6/bin/xauth .
.El
.Ss Time Formats
.Pp
.Nm sshd
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
.Sm off
.Ar time Op Ar qualifier ,
.Sm on
where
.Ar time
is a positive integer value and
.Ar qualifier
is one of the following:
.Pp
.Bl -tag -width Ds -compact -offset indent
.It Cm <none>
seconds
.It Cm s | Cm S
seconds
.It Cm m | Cm M
minutes
.It Cm h | Cm H
hours
.It Cm d | Cm D
days
.It Cm w | Cm W
weeks
.El
.Pp
Each member of the sequence is added together to calculate
the total time value.
.Pp
Time format examples:
.Pp
.Bl -tag -width Ds -compact -offset indent
.It 600
600 seconds (10 minutes)
.It 10m
10 minutes
.It 1h30m
1 hour 30 minutes (90 minutes)
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config
Contains configuration data for
.Nm sshd .
This file should be writable by root only, but it is recommended
(though not necessary) that it be world-readable.
.El
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt and Dug Song
removed many bugs, re-added newer features and
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.
Niels Provos and Markus Friedl contributed support
for privilege separation.
.Sh SEE ALSO
.Xr sshd 8