| SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5) |
| |
| NAME |
| sshd_config M-bM-^@M-^S OpenSSH SSH daemon configuration file |
| |
| SYNOPSIS |
| /etc/ssh/sshd_config |
| |
| DESCRIPTION |
| sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file |
| specified with -f on the command line). The file contains keyword- |
| argument pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines |
| are interpreted as comments. Arguments may optionally be enclosed in |
| double quotes (") in order to represent arguments containing spaces. |
| |
| The possible keywords and their meanings are as follows (note that |
| keywords are case-insensitive and arguments are case-sensitive): |
| |
| AcceptEnv |
| Specifies what environment variables sent by the client will be |
| copied into the session's environ(7). See SendEnv in |
| ssh_config(5) for how to configure the client. The TERM |
| environment variable is always sent whenever the client requests |
| a pseudo-terminal as it is required by the protocol. Variables |
| are specified by name, which may contain the wildcard characters |
| M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be separated by |
| whitespace or spread across multiple AcceptEnv directives. Be |
| warned that some environment variables could be used to bypass |
| restricted user environments. For this reason, care should be |
| taken in the use of this directive. The default is not to accept |
| any environment variables. |
| |
| AddressFamily |
| Specifies which address family should be used by sshd(8). Valid |
| arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 |
| only). The default is M-bM-^@M-^\anyM-bM-^@M-^]. |
| |
| AllowAgentForwarding |
| Specifies whether ssh-agent(1) forwarding is permitted. The |
| default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling agent forwarding does not |
| improve security unless users are also denied shell access, as |
| they can always install their own forwarders. |
| |
| AllowGroups |
| This keyword can be followed by a list of group name patterns, |
| separated by spaces. If specified, login is allowed only for |
| users whose primary group or supplementary group list matches one |
| of the patterns. Only group names are valid; a numerical group |
| ID is not recognized. By default, login is allowed for all |
| groups. The allow/deny directives are processed in the following |
| order: DenyUsers, AllowUsers, DenyGroups, and finally |
| AllowGroups. |
| |
| See PATTERNS in ssh_config(5) for more information on patterns. |
| |
| AllowTcpForwarding |
| Specifies whether TCP forwarding is permitted. The available |
| options are M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\allM-bM-^@M-^] to allow TCP forwarding, M-bM-^@M-^\noM-bM-^@M-^] to |
| prevent all TCP forwarding, M-bM-^@M-^\localM-bM-^@M-^] to allow local (from the |
| perspective of ssh(1)) forwarding only or M-bM-^@M-^\remoteM-bM-^@M-^] to allow |
| remote forwarding only. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that |
| disabling TCP forwarding does not improve security unless users |
| are also denied shell access, as they can always install their |
| own forwarders. |
| |
| AllowStreamLocalForwarding |
| Specifies whether StreamLocal (Unix-domain socket) forwarding is |
| permitted. The available options are M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\allM-bM-^@M-^] to allow |
| StreamLocal forwarding, M-bM-^@M-^\noM-bM-^@M-^] to prevent all StreamLocal |
| forwarding, M-bM-^@M-^\localM-bM-^@M-^] to allow local (from the perspective of |
| ssh(1)) forwarding only or M-bM-^@M-^\remoteM-bM-^@M-^] to allow remote forwarding |
| only. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling StreamLocal |
| forwarding does not improve security unless users are also denied |
| shell access, as they can always install their own forwarders. |
| |
| AllowUsers |
| This keyword can be followed by a list of user name patterns, |
| separated by spaces. If specified, login is allowed only for |
| user names that match one of the patterns. Only user names are |
| valid; a numerical user ID is not recognized. By default, login |
| is allowed for all users. If the pattern takes the form |
| USER@HOST then USER and HOST are separately checked, restricting |
| logins to particular users from particular hosts. HOST criteria |
| may additionally contain addresses to match in CIDR |
| address/masklen format. The allow/deny directives are processed |
| in the following order: DenyUsers, AllowUsers, DenyGroups, and |
| finally AllowGroups. |
| |
| See PATTERNS in ssh_config(5) for more information on patterns. |
| |
| AuthenticationMethods |
| Specifies the authentication methods that must be successfully |
| completed for a user to be granted access. This option must be |
| followed by one or more comma-separated lists of authentication |
| method names, or by the single string M-bM-^@M-^\anyM-bM-^@M-^] to indicate the |
| default behaviour of accepting any single authentication method. |
| if the default is overridden, then successful authentication |
| requires completion of every method in at least one of these |
| lists. |
| |
| For example, an argument of M-bM-^@M-^\publickey,password |
| publickey,keyboard-interactiveM-bM-^@M-^] would require the user to |
| complete public key authentication, followed by either password |
| or keyboard interactive authentication. Only methods that are |
| next in one or more lists are offered at each stage, so for this |
| example, it would not be possible to attempt password or |
| keyboard-interactive authentication before public key. |
| |
| For keyboard interactive authentication it is also possible to |
| restrict authentication to a specific device by appending a colon |
| followed by the device identifier M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], or M-bM-^@M-^\skeyM-bM-^@M-^], |
| depending on the server configuration. For example, |
| M-bM-^@M-^\keyboard-interactive:bsdauthM-bM-^@M-^] would restrict keyboard |
| interactive authentication to the M-bM-^@M-^\bsdauthM-bM-^@M-^] device. |
| |
| If the M-bM-^@M-^\publickeyM-bM-^@M-^] method is listed more than once, sshd(8) |
| verifies that keys that have been used successfully are not |
| reused for subsequent authentications. For example, an |
| AuthenticationMethods of M-bM-^@M-^\publickey,publickeyM-bM-^@M-^] will require |
| successful authentication using two different public keys. |
| |
| This option will yield a fatal error if enabled if protocol 1 is |
| also enabled. Note that each authentication method listed should |
| also be explicitly enabled in the configuration. The default |
| M-bM-^@M-^\anyM-bM-^@M-^] is not to require multiple authentication; successful |
| completion of a single authentication method is sufficient. |
| |
| AuthorizedKeysCommand |
| Specifies a program to be used to look up the user's public keys. |
| The program must be owned by root, not writable by group or |
| others and specified by an absolute path. |
| |
| Arguments to AuthorizedKeysCommand may be provided using the |
| following tokens, which will be expanded at runtime: %% is |
| replaced by a literal '%', %u is replaced by the username being |
| authenticated, %h is replaced by the home directory of the user |
| being authenticated, %t is replaced with the key type offered for |
| authentication, %f is replaced with the fingerprint of the key, |
| and %k is replaced with the key being offered for authentication. |
| If no arguments are specified then the username of the target |
| user will be supplied. |
| |
| The program should produce on standard output zero or more lines |
| of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)). If a |
| key supplied by AuthorizedKeysCommand does not successfully |
| authenticate and authorize the user then public key |
| authentication continues using the usual AuthorizedKeysFile |
| files. By default, no AuthorizedKeysCommand is run. |
| |
| AuthorizedKeysCommandUser |
| Specifies the user under whose account the AuthorizedKeysCommand |
| is run. It is recommended to use a dedicated user that has no |
| other role on the host than running authorized keys commands. If |
| AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser |
| is not, then sshd(8) will refuse to start. |
| |
| AuthorizedKeysFile |
| Specifies the file that contains the public keys that can be used |
| for user authentication. The format is described in the |
| AUTHORIZED_KEYS FILE FORMAT section of sshd(8). |
| AuthorizedKeysFile may contain tokens of the form %T which are |
| substituted during connection setup. The following tokens are |
| defined: %% is replaced by a literal '%', %h is replaced by the |
| home directory of the user being authenticated, and %u is |
| replaced by the username of that user. After expansion, |
| AuthorizedKeysFile is taken to be an absolute path or one |
| relative to the user's home directory. Multiple files may be |
| listed, separated by whitespace. Alternately this option may be |
| set to M-bM-^@M-^\noneM-bM-^@M-^] to skip checking for user keys in files. The |
| default is M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. |
| |
| AuthorizedPrincipalsCommand |
| Specifies a program to be used to generate the list of allowed |
| certificate principals as per AuthorizedPrincipalsFile. The |
| program must be owned by root, not writable by group or others |
| and specified by an absolute path. |
| |
| Arguments to AuthorizedPrincipalsCommand may be provided using |
| the following tokens, which will be expanded at runtime: %% is |
| replaced by a literal '%', %u is replaced by the username being |
| authenticated and %h is replaced by the home directory of the |
| user being authenticated. |
| |
| The program should produce on standard output zero or more lines |
| of AuthorizedPrincipalsFile output. If either |
| AuthorizedPrincipalsCommand or AuthorizedPrincipalsFile is |
| specified, then certificates offered by the client for |
| authentication must contain a principal that is listed. By |
| default, no AuthorizedPrincipalsCommand is run. |
| |
| AuthorizedPrincipalsCommandUser |
| Specifies the user under whose account the |
| AuthorizedPrincipalsCommand is run. It is recommended to use a |
| dedicated user that has no other role on the host than running |
| authorized principals commands. If AuthorizedPrincipalsCommand |
| is specified but AuthorizedPrincipalsCommandUser is not, then |
| sshd(8) will refuse to start. |
| |
| AuthorizedPrincipalsFile |
| Specifies a file that lists principal names that are accepted for |
| certificate authentication. When using certificates signed by a |
| key listed in TrustedUserCAKeys, this file lists names, one of |
| which must appear in the certificate for it to be accepted for |
| authentication. Names are listed one per line preceded by key |
| options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). |
| Empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are ignored. |
| |
| AuthorizedPrincipalsFile may contain tokens of the form %T which |
| are substituted during connection setup. The following tokens |
| are defined: %% is replaced by a literal '%', %h is replaced by |
| the home directory of the user being authenticated, and %u is |
| replaced by the username of that user. After expansion, |
| AuthorizedPrincipalsFile is taken to be an absolute path or one |
| relative to the user's home directory. |
| |
| The default is M-bM-^@M-^\noneM-bM-^@M-^], i.e. not to use a principals file M-bM-^@M-^S in |
| this case, the username of the user must appear in a |
| certificate's principals list for it to be accepted. Note that |
| AuthorizedPrincipalsFile is only used when authentication |
| proceeds using a CA listed in TrustedUserCAKeys and is not |
| consulted for certification authorities trusted via |
| ~/.ssh/authorized_keys, though the principals= key option offers |
| a similar facility (see sshd(8) for details). |
| |
| Banner The contents of the specified file are sent to the remote user |
| before authentication is allowed. If the argument is M-bM-^@M-^\noneM-bM-^@M-^] then |
| no banner is displayed. By default, no banner is displayed. |
| |
| ChallengeResponseAuthentication |
| Specifies whether challenge-response authentication is allowed |
| (e.g. via PAM or through authentication styles supported in |
| login.conf(5)) The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| ChrootDirectory |
| Specifies the pathname of a directory to chroot(2) to after |
| authentication. At session startup sshd(8) checks that all |
| components of the pathname are root-owned directories which are |
| not writable by any other user or group. After the chroot, |
| sshd(8) changes the working directory to the user's home |
| directory. |
| |
| The pathname may contain the following tokens that are expanded |
| at runtime once the connecting user has been authenticated: %% is |
| replaced by a literal '%', %h is replaced by the home directory |
| of the user being authenticated, and %u is replaced by the |
| username of that user. |
| |
| The ChrootDirectory must contain the necessary files and |
| directories to support the user's session. For an interactive |
| session this requires at least a shell, typically sh(1), and |
| basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), |
| stderr(4), and tty(4) devices. For file transfer sessions using |
| M-bM-^@M-^\sftpM-bM-^@M-^], no additional configuration of the environment is |
| necessary if the in-process sftp server is used, though sessions |
| which use logging may require /dev/log inside the chroot |
| directory on some operating systems (see sftp-server(8) for |
| details). |
| |
| For safety, it is very important that the directory hierarchy be |
| prevented from modification by other processes on the system |
| (especially those outside the jail). Misconfiguration can lead |
| to unsafe environments which sshd(8) cannot detect. |
| |
| The default is M-bM-^@M-^\noneM-bM-^@M-^], indicating not to chroot(2). |
| |
| Ciphers |
| Specifies the ciphers allowed. Multiple ciphers must be comma- |
| separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, |
| then the specified ciphers will be appended to the default set |
| instead of replacing them. |
| |
| The supported ciphers are: |
| |
| 3des-cbc |
| aes128-cbc |
| aes192-cbc |
| aes256-cbc |
| aes128-ctr |
| aes192-ctr |
| aes256-ctr |
| aes128-gcm@openssh.com |
| aes256-gcm@openssh.com |
| arcfour |
| arcfour128 |
| arcfour256 |
| blowfish-cbc |
| cast128-cbc |
| chacha20-poly1305@openssh.com |
| |
| The default is: |
| |
| chacha20-poly1305@openssh.com, |
| aes128-ctr,aes192-ctr,aes256-ctr, |
| aes128-gcm@openssh.com,aes256-gcm@openssh.com |
| |
| The list of available ciphers may also be obtained using the -Q |
| option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. |
| |
| ClientAliveCountMax |
| Sets the number of client alive messages (see below) which may be |
| sent without sshd(8) receiving any messages back from the client. |
| If this threshold is reached while client alive messages are |
| being sent, sshd will disconnect the client, terminating the |
| session. It is important to note that the use of client alive |
| messages is very different from TCPKeepAlive (below). The client |
| alive messages are sent through the encrypted channel and |
| therefore will not be spoofable. The TCP keepalive option |
| enabled by TCPKeepAlive is spoofable. The client alive mechanism |
| is valuable when the client or server depend on knowing when a |
| connection has become inactive. |
| |
| The default value is 3. If ClientAliveInterval (see below) is |
| set to 15, and ClientAliveCountMax is left at the default, |
| unresponsive SSH clients will be disconnected after approximately |
| 45 seconds. |
| |
| ClientAliveInterval |
| Sets a timeout interval in seconds after which if no data has |
| been received from the client, sshd(8) will send a message |
| through the encrypted channel to request a response from the |
| client. The default is 0, indicating that these messages will |
| not be sent to the client. |
| |
| Compression |
| Specifies whether compression is allowed, or delayed until the |
| user has authenticated successfully. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], |
| M-bM-^@M-^\delayedM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\delayedM-bM-^@M-^]. |
| |
| DenyGroups |
| This keyword can be followed by a list of group name patterns, |
| separated by spaces. Login is disallowed for users whose primary |
| group or supplementary group list matches one of the patterns. |
| Only group names are valid; a numerical group ID is not |
| recognized. By default, login is allowed for all groups. The |
| allow/deny directives are processed in the following order: |
| DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. |
| |
| See PATTERNS in ssh_config(5) for more information on patterns. |
| |
| DenyUsers |
| This keyword can be followed by a list of user name patterns, |
| separated by spaces. Login is disallowed for user names that |
| match one of the patterns. Only user names are valid; a |
| numerical user ID is not recognized. By default, login is |
| allowed for all users. If the pattern takes the form USER@HOST |
| then USER and HOST are separately checked, restricting logins to |
| particular users from particular hosts. HOST criteria may |
| additionally contain addresses to match in CIDR address/masklen |
| format. The allow/deny directives are processed in the following |
| order: DenyUsers, AllowUsers, DenyGroups, and finally |
| AllowGroups. |
| |
| See PATTERNS in ssh_config(5) for more information on patterns. |
| |
| FingerprintHash |
| Specifies the hash algorithm used when logging key fingerprints. |
| Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The default is M-bM-^@M-^\sha256M-bM-^@M-^]. |
| |
| ForceCommand |
| Forces the execution of the command specified by ForceCommand, |
| ignoring any command supplied by the client and ~/.ssh/rc if |
| present. The command is invoked by using the user's login shell |
| with the -c option. This applies to shell, command, or subsystem |
| execution. It is most useful inside a Match block. The command |
| originally supplied by the client is available in the |
| SSH_ORIGINAL_COMMAND environment variable. Specifying a command |
| of M-bM-^@M-^\internal-sftpM-bM-^@M-^] will force the use of an in-process sftp |
| server that requires no support files when used with |
| ChrootDirectory. The default is M-bM-^@M-^\noneM-bM-^@M-^]. |
| |
| GatewayPorts |
| Specifies whether remote hosts are allowed to connect to ports |
| forwarded for the client. By default, sshd(8) binds remote port |
| forwardings to the loopback address. This prevents other remote |
| hosts from connecting to forwarded ports. GatewayPorts can be |
| used to specify that sshd should allow remote port forwardings to |
| bind to non-loopback addresses, thus allowing other hosts to |
| connect. The argument may be M-bM-^@M-^\noM-bM-^@M-^] to force remote port |
| forwardings to be available to the local host only, M-bM-^@M-^\yesM-bM-^@M-^] to |
| force remote port forwardings to bind to the wildcard address, or |
| M-bM-^@M-^\clientspecifiedM-bM-^@M-^] to allow the client to select the address to |
| which the forwarding is bound. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| GSSAPIAuthentication |
| Specifies whether user authentication based on GSSAPI is allowed. |
| The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| GSSAPICleanupCredentials |
| Specifies whether to automatically destroy the user's credentials |
| cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| GSSAPIStrictAcceptorCheck |
| Determines whether to be strict about the identity of the GSSAPI |
| acceptor a client authenticates against. If set to M-bM-^@M-^\yesM-bM-^@M-^] then |
| the client must authenticate against the host service on the |
| current hostname. If set to M-bM-^@M-^\noM-bM-^@M-^] then the client may |
| authenticate against any service key stored in the machine's |
| default store. This facility is provided to assist with |
| operation on multi homed machines. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| HostbasedAcceptedKeyTypes |
| Specifies the key types that will be accepted for hostbased |
| authentication as a comma-separated pattern list. Alternately if |
| the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the |
| specified key types will be appended to the default set instead |
| of replacing them. The default for this option is: |
| |
| ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| ssh-ed25519-cert-v01@openssh.com, |
| ssh-rsa-cert-v01@openssh.com, |
| ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| ssh-ed25519,ssh-rsa |
| |
| The -Q option of ssh(1) may be used to list supported key types. |
| |
| HostbasedAuthentication |
| Specifies whether rhosts or /etc/hosts.equiv authentication |
| together with successful public key client host authentication is |
| allowed (host-based authentication). The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| HostbasedUsesNameFromPacketOnly |
| Specifies whether or not the server will attempt to perform a |
| reverse name lookup when matching the name in the ~/.shosts, |
| ~/.rhosts, and /etc/hosts.equiv files during |
| HostbasedAuthentication. A setting of M-bM-^@M-^\yesM-bM-^@M-^] means that sshd(8) |
| uses the name supplied by the client rather than attempting to |
| resolve the name from the TCP connection itself. The default is |
| M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| HostCertificate |
| Specifies a file containing a public host certificate. The |
| certificate's public key must match a private host key already |
| specified by HostKey. The default behaviour of sshd(8) is not to |
| load any certificates. |
| |
| HostKey |
| Specifies a file containing a private host key used by SSH. The |
| default is /etc/ssh/ssh_host_key for protocol version 1, and |
| /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, |
| /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for |
| protocol version 2. |
| |
| Note that sshd(8) will refuse to use a file if it is group/world- |
| accessible and that the HostKeyAlgorithms option restricts which |
| of the keys are actually used by sshd(8). |
| |
| It is possible to have multiple host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are |
| used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are |
| used for version 2 of the SSH protocol. It is also possible to |
| specify public host key files instead. In this case operations |
| on the private key will be delegated to an ssh-agent(1). |
| |
| HostKeyAgent |
| Identifies the UNIX-domain socket used to communicate with an |
| agent that has access to the private host keys. If the string |
| M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be |
| read from the SSH_AUTH_SOCK environment variable. |
| |
| HostKeyAlgorithms |
| Specifies the host key algorithms that the server offers. The |
| default for this option is: |
| |
| ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| ssh-ed25519-cert-v01@openssh.com, |
| ssh-rsa-cert-v01@openssh.com, |
| ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| ssh-ed25519,ssh-rsa |
| |
| The list of available key types may also be obtained using the -Q |
| option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. |
| |
| IgnoreRhosts |
| Specifies that .rhosts and .shosts files will not be used in |
| RhostsRSAAuthentication or HostbasedAuthentication. |
| |
| /etc/hosts.equiv and /etc/shosts.equiv are still used. The |
| default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| IgnoreUserKnownHosts |
| Specifies whether sshd(8) should ignore the user's |
| ~/.ssh/known_hosts during RhostsRSAAuthentication or |
| HostbasedAuthentication. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| IPQoS Specifies the IPv4 type-of-service or DSCP class for the |
| connection. Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], |
| M-bM-^@M-^\af22M-bM-^@M-^], M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], |
| M-bM-^@M-^\cs0M-bM-^@M-^], M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^], |
| M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value. |
| This option may take one or two arguments, separated by |
| whitespace. If one argument is specified, it is used as the |
| packet class unconditionally. If two values are specified, the |
| first is automatically selected for interactive sessions and the |
| second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^] |
| for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive |
| sessions. |
| |
| KbdInteractiveAuthentication |
| Specifies whether to allow keyboard-interactive authentication. |
| The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default |
| is to use whatever value ChallengeResponseAuthentication is set |
| to (by default M-bM-^@M-^\yesM-bM-^@M-^]). |
| |
| KerberosAuthentication |
| Specifies whether the password provided by the user for |
| PasswordAuthentication will be validated through the Kerberos |
| KDC. To use this option, the server needs a Kerberos servtab |
| which allows the verification of the KDC's identity. The default |
| is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| KerberosGetAFSToken |
| If AFS is active and the user has a Kerberos 5 TGT, attempt to |
| acquire an AFS token before accessing the user's home directory. |
| The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| KerberosOrLocalPasswd |
| If password authentication through Kerberos fails then the |
| password will be validated via any additional local mechanism |
| such as /etc/passwd. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| KerberosTicketCleanup |
| Specifies whether to automatically destroy the user's ticket |
| cache file on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| KexAlgorithms |
| Specifies the available KEX (Key Exchange) algorithms. Multiple |
| algorithms must be comma-separated. Alternately if the specified |
| value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods |
| will be appended to the default set instead of replacing them. |
| The supported algorithms are: |
| |
| curve25519-sha256@libssh.org |
| diffie-hellman-group1-sha1 |
| diffie-hellman-group14-sha1 |
| diffie-hellman-group-exchange-sha1 |
| diffie-hellman-group-exchange-sha256 |
| ecdh-sha2-nistp256 |
| ecdh-sha2-nistp384 |
| ecdh-sha2-nistp521 |
| |
| The default is: |
| |
| curve25519-sha256@libssh.org, |
| ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
| diffie-hellman-group-exchange-sha256, |
| diffie-hellman-group14-sha1 |
| |
| The list of available key exchange algorithms may also be |
| obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. |
| |
| KeyRegenerationInterval |
| In protocol version 1, the ephemeral server key is automatically |
| regenerated after this many seconds (if it has been used). The |
| purpose of regeneration is to prevent decrypting captured |
| sessions by later breaking into the machine and stealing the |
| keys. The key is never stored anywhere. If the value is 0, the |
| key is never regenerated. The default is 3600 (seconds). |
| |
| ListenAddress |
| Specifies the local addresses sshd(8) should listen on. The |
| following forms may be used: |
| |
| ListenAddress host|IPv4_addr|IPv6_addr |
| ListenAddress host|IPv4_addr:port |
| ListenAddress [host|IPv6_addr]:port |
| |
| If port is not specified, sshd will listen on the address and all |
| Port options specified. The default is to listen on all local |
| addresses. Multiple ListenAddress options are permitted. |
| |
| LoginGraceTime |
| The server disconnects after this time if the user has not |
| successfully logged in. If the value is 0, there is no time |
| limit. The default is 120 seconds. |
| |
| LogLevel |
| Gives the verbosity level that is used when logging messages from |
| sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, |
| VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. |
| DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
| higher levels of debugging output. Logging with a DEBUG level |
| violates the privacy of users and is not recommended. |
| |
| MACs Specifies the available MAC (message authentication code) |
| algorithms. The MAC algorithm is used for data integrity |
| protection. Multiple algorithms must be comma-separated. If the |
| specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified |
| algorithms will be appended to the default set instead of |
| replacing them. |
| |
| The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after |
| encryption (encrypt-then-mac). These are considered safer and |
| their use recommended. The supported MACs are: |
| |
| hmac-md5 |
| hmac-md5-96 |
| hmac-ripemd160 |
| hmac-sha1 |
| hmac-sha1-96 |
| hmac-sha2-256 |
| hmac-sha2-512 |
| umac-64@openssh.com |
| umac-128@openssh.com |
| hmac-md5-etm@openssh.com |
| hmac-md5-96-etm@openssh.com |
| hmac-ripemd160-etm@openssh.com |
| hmac-sha1-etm@openssh.com |
| hmac-sha1-96-etm@openssh.com |
| hmac-sha2-256-etm@openssh.com |
| hmac-sha2-512-etm@openssh.com |
| umac-64-etm@openssh.com |
| umac-128-etm@openssh.com |
| |
| The default is: |
| |
| umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
| hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
| hmac-sha1-etm@openssh.com, |
| umac-64@openssh.com,umac-128@openssh.com, |
| hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
| |
| The list of available MAC algorithms may also be obtained using |
| the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. |
| |
| Match Introduces a conditional block. If all of the criteria on the |
| Match line are satisfied, the keywords on the following lines |
| override those set in the global section of the config file, |
| until either another Match line or the end of the file. If a |
| keyword appears in multiple Match blocks that are satisfied, only |
| the first instance of the keyword is applied. |
| |
| The arguments to Match are one or more criteria-pattern pairs or |
| the single token All which matches all criteria. The available |
| criteria are User, Group, Host, LocalAddress, LocalPort, and |
| Address. The match patterns may consist of single entries or |
| comma-separated lists and may use the wildcard and negation |
| operators described in the PATTERNS section of ssh_config(5). |
| |
| The patterns in an Address criteria may additionally contain |
| addresses to match in CIDR address/masklen format, e.g. |
| M-bM-^@M-^\192.0.2.0/24M-bM-^@M-^] or M-bM-^@M-^\3ffe:ffff::/32M-bM-^@M-^]. Note that the mask length |
| provided must be consistent with the address - it is an error to |
| specify a mask length that is too long for the address or one |
| with bits set in this host portion of the address. For example, |
| M-bM-^@M-^\192.0.2.0/33M-bM-^@M-^] and M-bM-^@M-^\192.0.2.0/8M-bM-^@M-^] respectively. |
| |
| Only a subset of keywords may be used on the lines following a |
| Match keyword. Available keywords are AcceptEnv, |
| AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, |
| AllowTcpForwarding, AllowUsers, AuthenticationMethods, |
| AuthorizedKeysCommand, AuthorizedKeysCommandUser, |
| AuthorizedKeysFile, AuthorizedPrincipalsCommand, |
| AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, |
| Banner, ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, |
| GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, |
| HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, |
| KbdInteractiveAuthentication, KerberosAuthentication, |
| MaxAuthTries, MaxSessions, PasswordAuthentication, |
| PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, |
| PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, |
| PubkeyAuthentication, RekeyLimit, RevokedKeys, |
| RhostsRSAAuthentication, RSAAuthentication, StreamLocalBindMask, |
| StreamLocalBindUnlink, TrustedUserCAKeys, X11DisplayOffset, |
| X11Forwarding and X11UseLocalHost. |
| |
| MaxAuthTries |
| Specifies the maximum number of authentication attempts permitted |
| per connection. Once the number of failures reaches half this |
| value, additional failures are logged. The default is 6. |
| |
| MaxSessions |
| Specifies the maximum number of open shell, login or subsystem |
| (e.g. sftp) sessions permitted per network connection. Multiple |
| sessions may be established by clients that support connection |
| multiplexing. Setting MaxSessions to 1 will effectively disable |
| session multiplexing, whereas setting it to 0 will prevent all |
| shell, login and subsystem sessions while still permitting |
| forwarding. The default is 10. |
| |
| MaxStartups |
| Specifies the maximum number of concurrent unauthenticated |
| connections to the SSH daemon. Additional connections will be |
| dropped until authentication succeeds or the LoginGraceTime |
| expires for a connection. The default is 10:30:100. |
| |
| Alternatively, random early drop can be enabled by specifying the |
| three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g. "10:30:60"). |
| sshd(8) will refuse connection attempts with a probability of |
| M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10) |
| unauthenticated connections. The probability increases linearly |
| and all connection attempts are refused if the number of |
| unauthenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). |
| |
| PasswordAuthentication |
| Specifies whether password authentication is allowed. The |
| default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| PermitEmptyPasswords |
| When password authentication is allowed, it specifies whether the |
| server allows login to accounts with empty password strings. The |
| default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| PermitOpen |
| Specifies the destinations to which TCP port forwarding is |
| permitted. The forwarding specification must be one of the |
| following forms: |
| |
| PermitOpen host:port |
| PermitOpen IPv4_addr:port |
| PermitOpen [IPv6_addr]:port |
| |
| Multiple forwards may be specified by separating them with |
| whitespace. An argument of M-bM-^@M-^\anyM-bM-^@M-^] can be used to remove all |
| restrictions and permit any forwarding requests. An argument of |
| M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. The |
| wildcard M-bM-^@M-^\*M-bM-^@M-^] can be used for host or port to allow all hosts or |
| ports, respectively. By default all port forwarding requests are |
| permitted. |
| |
| PermitRootLogin |
| Specifies whether root can log in using ssh(1). The argument |
| must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], |
| M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| M-bM-^@M-^\prohibit-passwordM-bM-^@M-^]. |
| |
| If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or |
| M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive |
| authentication are disabled for root. |
| |
| If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with |
| public key authentication will be allowed, but only if the |
| command option has been specified (which may be useful for taking |
| remote backups even if root login is normally not allowed). All |
| other authentication methods are disabled for root. |
| |
| If this option is set to M-bM-^@M-^\noM-bM-^@M-^], root is not allowed to log in. |
| |
| PermitTunnel |
| Specifies whether tun(4) device forwarding is allowed. The |
| argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), M-bM-^@M-^\ethernetM-bM-^@M-^] |
| (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] permits both |
| M-bM-^@M-^\point-to-pointM-bM-^@M-^] and M-bM-^@M-^\ethernetM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| Independent of this setting, the permissions of the selected |
| tun(4) device must allow access to the user. |
| |
| PermitTTY |
| Specifies whether pty(4) allocation is permitted. The default is |
| M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| PermitUserEnvironment |
| Specifies whether ~/.ssh/environment and environment= options in |
| ~/.ssh/authorized_keys are processed by sshd(8). The default is |
| M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass |
| access restrictions in some configurations using mechanisms such |
| as LD_PRELOAD. |
| |
| PermitUserRC |
| Specifies whether any ~/.ssh/rc file is executed. The default is |
| M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| PidFile |
| Specifies the file that contains the process ID of the SSH |
| daemon, or M-bM-^@M-^\noneM-bM-^@M-^] to not write one. The default is |
| /var/run/sshd.pid. |
| |
| Port Specifies the port number that sshd(8) listens on. The default |
| is 22. Multiple options of this type are permitted. See also |
| ListenAddress. |
| |
| PrintLastLog |
| Specifies whether sshd(8) should print the date and time of the |
| last user login when a user logs in interactively. The default |
| is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| PrintMotd |
| Specifies whether sshd(8) should print /etc/motd when a user logs |
| in interactively. (On some systems it is also printed by the |
| shell, /etc/profile, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| Protocol |
| Specifies the protocol versions sshd(8) supports. The possible |
| values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple versions must be comma- |
| separated. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Protocol 1 suffers from a number |
| of cryptographic weaknesses and should not be used. It is only |
| offered to support legacy devices. |
| |
| Note that the order of the protocol list does not indicate |
| preference, because the client selects among multiple protocol |
| versions offered by the server. Specifying M-bM-^@M-^\2,1M-bM-^@M-^] is identical to |
| M-bM-^@M-^\1,2M-bM-^@M-^]. |
| |
| PubkeyAcceptedKeyTypes |
| Specifies the key types that will be accepted for public key |
| authentication as a comma-separated pattern list. Alternately if |
| the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the |
| specified key types will be appended to the default set instead |
| of replacing them. The default for this option is: |
| |
| ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| ssh-ed25519-cert-v01@openssh.com, |
| ssh-rsa-cert-v01@openssh.com, |
| ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| ssh-ed25519,ssh-rsa |
| |
| The -Q option of ssh(1) may be used to list supported key types. |
| |
| PubkeyAuthentication |
| Specifies whether public key authentication is allowed. The |
| default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| RekeyLimit |
| Specifies the maximum amount of data that may be transmitted |
| before the session key is renegotiated, optionally followed a |
| maximum amount of time that may pass before the session key is |
| renegotiated. The first argument is specified in bytes and may |
| have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, |
| Megabytes, or Gigabytes, respectively. The default is between |
| M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second |
| value is specified in seconds and may use any of the units |
| documented in the TIME FORMATS section. The default value for |
| RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that rekeying is |
| performed after the cipher's default amount of data has been sent |
| or received and no time based rekeying is done. |
| |
| RevokedKeys |
| Specifies revoked public keys file, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. |
| Keys listed in this file will be refused for public key |
| authentication. Note that if this file is not readable, then |
| public key authentication will be refused for all users. Keys |
| may be specified as a text file, listing one public key per line, |
| or as an OpenSSH Key Revocation List (KRL) as generated by |
| ssh-keygen(1). For more information on KRLs, see the KEY |
| REVOCATION LISTS section in ssh-keygen(1). |
| |
| RhostsRSAAuthentication |
| Specifies whether rhosts or /etc/hosts.equiv authentication |
| together with successful RSA host authentication is allowed. The |
| default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. |
| |
| RSAAuthentication |
| Specifies whether pure RSA authentication is allowed. The |
| default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1 |
| only. |
| |
| ServerKeyBits |
| Defines the number of bits in the ephemeral protocol version 1 |
| server key. The default and minimum value is 1024. |
| |
| StreamLocalBindMask |
| Sets the octal file creation mode mask (umask) used when creating |
| a Unix-domain socket file for local or remote port forwarding. |
| This option is only used for port forwarding to a Unix-domain |
| socket file. |
| |
| The default value is 0177, which creates a Unix-domain socket |
| file that is readable and writable only by the owner. Note that |
| not all operating systems honor the file mode on Unix-domain |
| socket files. |
| |
| StreamLocalBindUnlink |
| Specifies whether to remove an existing Unix-domain socket file |
| for local or remote port forwarding before creating a new one. |
| If the socket file already exists and StreamLocalBindUnlink is |
| not enabled, sshd will be unable to forward the port to the Unix- |
| domain socket file. This option is only used for port forwarding |
| to a Unix-domain socket file. |
| |
| The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| StrictModes |
| Specifies whether sshd(8) should check file modes and ownership |
| of the user's files and home directory before accepting login. |
| This is normally desirable because novices sometimes accidentally |
| leave their directory or files world-writable. The default is |
| M-bM-^@M-^\yesM-bM-^@M-^]. Note that this does not apply to ChrootDirectory, whose |
| permissions and ownership are checked unconditionally. |
| |
| Subsystem |
| Configures an external subsystem (e.g. file transfer daemon). |
| Arguments should be a subsystem name and a command (with optional |
| arguments) to execute upon subsystem request. |
| |
| The command sftp-server(8) implements the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer |
| subsystem. |
| |
| Alternately the name M-bM-^@M-^\internal-sftpM-bM-^@M-^] implements an in-process |
| M-bM-^@M-^\sftpM-bM-^@M-^] server. This may simplify configurations using |
| ChrootDirectory to force a different filesystem root on clients. |
| |
| By default no subsystems are defined. |
| |
| SyslogFacility |
| Gives the facility code that is used when logging messages from |
| sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, |
| LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The |
| default is AUTH. |
| |
| TCPKeepAlive |
| Specifies whether the system should send TCP keepalive messages |
| to the other side. If they are sent, death of the connection or |
| crash of one of the machines will be properly noticed. However, |
| this means that connections will die if the route is down |
| temporarily, and some people find it annoying. On the other |
| hand, if TCP keepalives are not sent, sessions may hang |
| indefinitely on the server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming |
| server resources. |
| |
| The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the |
| server will notice if the network goes down or the client host |
| crashes. This avoids infinitely hanging sessions. |
| |
| To disable TCP keepalive messages, the value should be set to |
| M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| TrustedUserCAKeys |
| Specifies a file containing public keys of certificate |
| authorities that are trusted to sign user certificates for |
| authentication, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. Keys are listed one |
| per line; empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are allowed. |
| If a certificate is presented for authentication and has its |
| signing CA key listed in this file, then it may be used for |
| authentication for any user listed in the certificate's |
| principals list. Note that certificates that lack a list of |
| principals will not be permitted for authentication using |
| TrustedUserCAKeys. For more details on certificates, see the |
| CERTIFICATES section in ssh-keygen(1). |
| |
| UseDNS Specifies whether sshd(8) should look up the remote host name, |
| and to check that the resolved host name for the remote IP |
| address maps back to the very same IP address. |
| |
| If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses |
| and not host names may be used in ~/.ssh/authorized_keys from and |
| sshd_config Match Host directives. |
| |
| UseLogin |
| Specifies whether login(1) is used for interactive login |
| sessions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used |
| for remote command execution. Note also, that if this is |
| enabled, X11Forwarding will be disabled because login(1) does not |
| know how to handle xauth(1) cookies. If UsePrivilegeSeparation |
| is specified, it will be disabled after authentication. |
| |
| UsePAM Enables the Pluggable Authentication Module interface. If set to |
| M-bM-^@M-^\yesM-bM-^@M-^] this will enable PAM authentication using |
| ChallengeResponseAuthentication and PasswordAuthentication in |
| addition to PAM account and session module processing for all |
| authentication types. |
| |
| Because PAM challenge-response authentication usually serves an |
| equivalent role to password authentication, you should disable |
| either PasswordAuthentication or ChallengeResponseAuthentication. |
| |
| If UsePAM is enabled, you will not be able to run sshd(8) as a |
| non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| UsePrivilegeSeparation |
| Specifies whether sshd(8) separates privileges by creating an |
| unprivileged child process to deal with incoming network traffic. |
| After successful authentication, another process will be created |
| that has the privilege of the authenticated user. The goal of |
| privilege separation is to prevent privilege escalation by |
| containing any corruption within the unprivileged processes. The |
| argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\sandboxM-bM-^@M-^]. If |
| UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^] then the pre- |
| authentication unprivileged process is subject to additional |
| restrictions. The default is M-bM-^@M-^\sandboxM-bM-^@M-^]. |
| |
| VersionAddendum |
| Optionally specifies additional text to append to the SSH |
| protocol banner sent by the server upon connection. The default |
| is M-bM-^@M-^\noneM-bM-^@M-^]. |
| |
| X11DisplayOffset |
| Specifies the first display number available for sshd(8)'s X11 |
| forwarding. This prevents sshd from interfering with real X11 |
| servers. The default is 10. |
| |
| X11Forwarding |
| Specifies whether X11 forwarding is permitted. The argument must |
| be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| When X11 forwarding is enabled, there may be additional exposure |
| to the server and to client displays if the sshd(8) proxy display |
| is configured to listen on the wildcard address (see |
| X11UseLocalhost below), though this is not the default. |
| Additionally, the authentication spoofing and authentication data |
| verification and substitution occur on the client side. The |
| security risk of using X11 forwarding is that the client's X11 |
| display server may be exposed to attack when the SSH client |
| requests forwarding (see the warnings for ForwardX11 in |
| ssh_config(5)). A system administrator may have a stance in |
| which they want to protect clients that may expose themselves to |
| attack by unwittingly requesting X11 forwarding, which can |
| warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. |
| |
| Note that disabling X11 forwarding does not prevent users from |
| forwarding X11 traffic, as users can always install their own |
| forwarders. X11 forwarding is automatically disabled if UseLogin |
| is enabled. |
| |
| X11UseLocalhost |
| Specifies whether sshd(8) should bind the X11 forwarding server |
| to the loopback address or to the wildcard address. By default, |
| sshd binds the forwarding server to the loopback address and sets |
| the hostname part of the DISPLAY environment variable to |
| M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the |
| proxy display. However, some older X11 clients may not function |
| with this configuration. X11UseLocalhost may be set to M-bM-^@M-^\noM-bM-^@M-^] to |
| specify that the forwarding server should be bound to the |
| wildcard address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| XAuthLocation |
| Specifies the full pathname of the xauth(1) program, or M-bM-^@M-^\noneM-bM-^@M-^] to |
| not use one. The default is /usr/X11R6/bin/xauth. |
| |
| TIME FORMATS |
| sshd(8) command-line arguments and configuration file options that |
| specify time may be expressed using a sequence of the form: |
| time[qualifier], where time is a positive integer value and qualifier is |
| one of the following: |
| |
| M-bM-^_M-(noneM-bM-^_M-) seconds |
| s | S seconds |
| m | M minutes |
| h | H hours |
| d | D days |
| w | W weeks |
| |
| Each member of the sequence is added together to calculate the total time |
| value. |
| |
| Time format examples: |
| |
| 600 600 seconds (10 minutes) |
| 10m 10 minutes |
| 1h30m 1 hour 30 minutes (90 minutes) |
| |
| FILES |
| /etc/ssh/sshd_config |
| Contains configuration data for sshd(8). This file should be |
| writable by root only, but it is recommended (though not |
| necessary) that it be world-readable. |
| |
| SEE ALSO |
| sshd(8) |
| |
| AUTHORS |
| OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
| Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
| de Raadt and Dug Song removed many bugs, re-added newer features and |
| created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
| for privilege separation. |
| |
| OpenBSD 6.0 July 19, 2016 OpenBSD 6.0 |