| version 1.5, 2010/04/29 18:14:09 |
version 1.6, 2010/11/21 18:29:49 |
|
|
| .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| .\" |
.\" |
| .\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $ |
.\" $OpenBSD: sshd_config.5,v 1.125 2010/06/30 07:28:34 jmc Exp $ |
| .Dd April 21, 2009 |
.Dd June 30, 2010 |
| .Dt SSHD_CONFIG 5 |
.Dt SSHD_CONFIG 5 |
| .Os |
.Os |
| .Sh NAME |
.Sh NAME |
| Line 156 for more information on patterns. |
|
| Line 156 for more information on patterns. |
|
| .It Cm AuthorizedKeysFile |
.It Cm AuthorizedKeysFile |
| Specifies the file that contains the public keys that can be used |
Specifies the file that contains the public keys that can be used |
| for user authentication. |
for user authentication. |
| |
The format is described in the |
| |
.Sx AUTHORIZED_KEYS FILE FORMAT |
| |
section of |
| |
.Xr sshd 8 . |
| .Cm AuthorizedKeysFile |
.Cm AuthorizedKeysFile |
| may contain tokens of the form %T which are substituted during connection |
may contain tokens of the form %T which are substituted during connection |
| setup. |
setup. |
| Line 168 is taken to be an absolute path or one r |
|
| Line 172 is taken to be an absolute path or one r |
|
| directory. |
directory. |
| The default is |
The default is |
| .Dq .ssh/authorized_keys . |
.Dq .ssh/authorized_keys . |
| |
.It Cm AuthorizedPrincipalsFile |
| |
Specifies a file that lists principal names that are accepted for |
| |
certificate authentication. |
| |
When using certificates signed by a key listed in |
| |
.Cm TrustedUserCAKeys , |
| |
this file lists names, one of which must appear in the certificate for it |
| |
to be accepted for authentication. |
| |
Names are listed one per line preceded by key options (as described |
| |
in |
| |
.Sx AUTHORIZED_KEYS FILE FORMAT |
| |
in |
| |
.Xr sshd 8 ) . |
| |
Empty lines and comments starting with |
| |
.Ql # |
| |
are ignored. |
| |
.Pp |
| |
.Cm AuthorizedPrincipalsFile |
| |
may contain tokens of the form %T which are substituted during connection |
| |
setup. |
| |
The following tokens are defined: %% is replaced by a literal '%', |
| |
%h is replaced by the home directory of the user being authenticated, and |
| |
%u is replaced by the username of that user. |
| |
After expansion, |
| |
.Cm AuthorizedPrincipalsFile |
| |
is taken to be an absolute path or one relative to the user's home |
| |
directory. |
| |
.Pp |
| |
The default is not to use a principals file \(en in this case, the username |
| |
of the user must appear in a certificate's principals list for it to be |
| |
accepted. |
| |
Note that |
| |
.Cm AuthorizedPrincipalsFile |
| |
is only used when authentication proceeds using a CA listed in |
| |
.Cm TrustedUserCAKeys |
| |
and is not consulted for certification authorities trusted via |
| |
.Pa ~/.ssh/authorized_keys , |
| |
though the |
| |
.Cm principals= |
| |
key option offers a similar facility (see |
| |
.Xr sshd 8 |
| |
for details). |
| .It Cm Banner |
.It Cm Banner |
| The contents of the specified file are sent to the remote user before |
The contents of the specified file are sent to the remote user before |
| authentication is allowed. |
authentication is allowed. |
|
|
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| .It Cm ChrootDirectory |
.It Cm ChrootDirectory |
| Specifies a path to |
Specifies the pathname of a directory to |
| .Xr chroot 2 |
.Xr chroot 2 |
| to after authentication. |
to after authentication. |
| This path, and all its components, must be root-owned directories that are |
All components of the pathname must be root-owned directories that are |
| not writable by any other user or group. |
not writable by any other user or group. |
| After the chroot, |
After the chroot, |
| .Xr sshd 8 |
.Xr sshd 8 |
| changes the working directory to the user's home directory. |
changes the working directory to the user's home directory. |
| .Pp |
.Pp |
| The path may contain the following tokens that are expanded at runtime once |
The pathname may contain the following tokens that are expanded at runtime once |
| the connecting user has been authenticated: %% is replaced by a literal '%', |
the connecting user has been authenticated: %% is replaced by a literal '%', |
| %h is replaced by the home directory of the user being authenticated, and |
%h is replaced by the home directory of the user being authenticated, and |
| %u is replaced by the username of that user. |
%u is replaced by the username of that user. |
| Line 413 uses the name supplied by the client rat |
|
| Line 458 uses the name supplied by the client rat |
|
| attempting to resolve the name from the TCP connection itself. |
attempting to resolve the name from the TCP connection itself. |
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| |
.It Cm HostCertificate |
| |
Specifies a file containing a public host certificate. |
| |
The certificate's public key must match a private host key already specified |
| |
by |
| |
.Cm HostKey . |
| |
The default behaviour of |
| |
.Xr sshd 8 |
| |
is not to load any certificates. |
| .It Cm HostKey |
.It Cm HostKey |
| Specifies a file containing a private host key |
Specifies a file containing a private host key |
| used by SSH. |
used by SSH. |
|
|
| Available keywords are |
Available keywords are |
| .Cm AllowAgentForwarding , |
.Cm AllowAgentForwarding , |
| .Cm AllowTcpForwarding , |
.Cm AllowTcpForwarding , |
| |
.Cm AuthorizedKeysFile , |
| |
.Cm AuthorizedPrincipalsFile , |
| .Cm Banner , |
.Cm Banner , |
| .Cm ChrootDirectory , |
.Cm ChrootDirectory , |
| .Cm ForceCommand , |
.Cm ForceCommand , |
| .Cm GatewayPorts , |
.Cm GatewayPorts , |
| .Cm GSSAPIAuthentication , |
.Cm GSSAPIAuthentication , |
| .Cm HostbasedAuthentication , |
.Cm HostbasedAuthentication , |
| |
.Cm HostbasedUsesNameFromPacketOnly , |
| .Cm KbdInteractiveAuthentication , |
.Cm KbdInteractiveAuthentication , |
| .Cm KerberosAuthentication , |
.Cm KerberosAuthentication , |
| .Cm MaxAuthTries , |
.Cm MaxAuthTries , |
| Line 616 Available keywords are |
|
| Line 672 Available keywords are |
|
| .Cm PermitEmptyPasswords , |
.Cm PermitEmptyPasswords , |
| .Cm PermitOpen , |
.Cm PermitOpen , |
| .Cm PermitRootLogin , |
.Cm PermitRootLogin , |
| |
.Cm PermitTunnel , |
| |
.Cm PubkeyAuthentication , |
| .Cm RhostsRSAAuthentication , |
.Cm RhostsRSAAuthentication , |
| .Cm RSAAuthentication , |
.Cm RSAAuthentication , |
| .Cm X11DisplayOffset , |
.Cm X11DisplayOffset , |
|
|
| .Sq 2 . |
.Sq 2 . |
| Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
| The default is |
The default is |
| .Dq 2,1 . |
.Sq 2 . |
| Note that the order of the protocol list does not indicate preference, |
Note that the order of the protocol list does not indicate preference, |
| because the client selects among multiple protocol versions offered |
because the client selects among multiple protocol versions offered |
| by the server. |
by the server. |
| Line 807 Specifies whether public key authenticat |
|
| Line 865 Specifies whether public key authenticat |
|
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| Note that this option applies to protocol version 2 only. |
Note that this option applies to protocol version 2 only. |
| |
.It Cm RevokedKeys |
| |
Specifies a list of revoked public keys. |
| |
Keys listed in this file will be refused for public key authentication. |
| |
Note that if this file is not readable, then public key authentication will |
| |
be refused for all users. |
| .It Cm RhostsRSAAuthentication |
.It Cm RhostsRSAAuthentication |
| Specifies whether rhosts or /etc/hosts.equiv authentication together |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
| with successful RSA host authentication is allowed. |
with successful RSA host authentication is allowed. |
| Line 830 This is normally desirable because novic |
|
| Line 893 This is normally desirable because novic |
|
| directory or files world-writable. |
directory or files world-writable. |
| The default is |
The default is |
| .Dq yes . |
.Dq yes . |
| |
Note that this does not apply to |
| |
.Cm ChrootDirectory , |
| |
whose permissions and ownership are checked unconditionally. |
| .It Cm Subsystem |
.It Cm Subsystem |
| Configures an external subsystem (e.g. file transfer daemon). |
Configures an external subsystem (e.g. file transfer daemon). |
| Arguments should be a subsystem name and a command (with optional arguments) |
Arguments should be a subsystem name and a command (with optional arguments) |
| Line 879 This avoids infinitely hanging sessions. |
|
| Line 945 This avoids infinitely hanging sessions. |
|
| .Pp |
.Pp |
| To disable TCP keepalive messages, the value should be set to |
To disable TCP keepalive messages, the value should be set to |
| .Dq no . |
.Dq no . |
| |
.It Cm TrustedUserCAKeys |
| |
Specifies a file containing public keys of certificate authorities that are |
| |
trusted to sign user certificates for authentication. |
| |
Keys are listed one per line; empty lines and comments starting with |
| |
.Ql # |
| |
are allowed. |
| |
If a certificate is presented for authentication and has its signing CA key |
| |
listed in this file, then it may be used for authentication for any user |
| |
listed in the certificate's principals list. |
| |
Note that certificates that lack a list of principals will not be permitted |
| |
for authentication using |
| |
.Cm TrustedUserCAKeys . |
| |
For more details on certificates, see the |
| |
.Sx CERTIFICATES |
| |
section in |
| |
.Xr ssh-keygen 1 . |
| .It Cm UseDNS |
.It Cm UseDNS |
| Specifies whether |
Specifies whether |
| .Xr sshd 8 |
.Xr sshd 8 |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / crypto / external / bsd / openssh / dist