
Annotation of src/crypto/external/bsd/openssh/dist/sshd_config.5, Revision 1.25.2.2

1.25.2.2! pgoyette    1: .\"    $NetBSD: sshd_config.5,v 1.27 2018/08/26 07:46:37 christos Exp $
1.1       christos    2: .\"  -*- nroff -*-
                      3: .\"
                      4: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
                      5: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
                      6: .\"                    All rights reserved
                      7: .\"
                      8: .\" As far as I am concerned, the code I have written for this software
                      9: .\" can be used freely for any purpose.  Any derived versions of this
                     10: .\" software must be clearly marked as such, and if the derived work is
                     11: .\" incompatible with the protocol description in the RFC file, it must be
                     12: .\" called by a name other than "ssh" or "Secure Shell".
                     13: .\"
                     14: .\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
                     15: .\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
                     16: .\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
                     17: .\"
                     18: .\" Redistribution and use in source and binary forms, with or without
                     19: .\" modification, are permitted provided that the following conditions
                     20: .\" are met:
                     21: .\" 1. Redistributions of source code must retain the above copyright
                     22: .\"    notice, this list of conditions and the following disclaimer.
                     23: .\" 2. Redistributions in binary form must reproduce the above copyright
                     24: .\"    notice, this list of conditions and the following disclaimer in the
                     25: .\"    documentation and/or other materials provided with the distribution.
                     26: .\"
                     27: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
                     28: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
                     29: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
                     30: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
                     31: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
                     32: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
                     33: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
                     34: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
                     35: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
                     36: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     37: .\"
1.25.2.2! pgoyette   38: .\" $OpenBSD: sshd_config.5,v 1.281 2018/07/20 05:01:10 djm Exp $
        !            39: .Dd July 20 2018
1.1       christos   40: .Dt SSHD_CONFIG 5
                     41: .Os
                     42: .Sh NAME
                     43: .Nm sshd_config
                     44: .Nd OpenSSH SSH daemon configuration file
                     45: .Sh DESCRIPTION
                     46: .Xr sshd 8
                     47: reads configuration data from
                     48: .Pa /etc/ssh/sshd_config
                     49: (or the file specified with
                     50: .Fl f
                     51: on the command line).
                     52: The file contains keyword-argument pairs, one per line.
1.25.2.1  pgoyette   53: For each keyword, the first obtained value will be used.
1.1       christos   54: Lines starting with
                     55: .Ql #
                     56: and empty lines are interpreted as comments.
                     57: Arguments may optionally be enclosed in double quotes
                     58: .Pq \&"
                     59: in order to represent arguments containing spaces.
                     60: .Pp
                     61: The possible
                     62: keywords and their meanings are as follows (note that
                     63: keywords are case-insensitive and arguments are case-sensitive):
                     64: .Bl -tag -width Ds
                     65: .It Cm AcceptEnv
                     66: Specifies what environment variables sent by the client will be copied into
                     67: the session's
                     68: .Xr environ 7 .
                     69: See
                     70: .Cm SendEnv
1.25.2.2! pgoyette   71: and
        !            72: .Cm SetEnv
1.1       christos   73: in
                     74: .Xr ssh_config 5
                     75: for how to configure the client.
1.21      christos   76: The
1.18      christos   77: .Ev TERM
1.25.2.2! pgoyette   78: environment variable is always accepted whenever the client
1.18      christos   79: requests a pseudo-terminal as it is required by the protocol.
1.1       christos   80: Variables are specified by name, which may contain the wildcard characters
                     81: .Ql *
                     82: and
                     83: .Ql \&? .
                     84: Multiple environment variables may be separated by whitespace or spread
                     85: across multiple
                     86: .Cm AcceptEnv
                     87: directives.
                     88: Be warned that some environment variables could be used to bypass restricted
                     89: user environments.
                     90: For this reason, care should be taken in the use of this directive.
                     91: The default is not to accept any environment variables.
                     92: .It Cm AddressFamily
                     93: Specifies which address family should be used by
                     94: .Xr sshd 8 .
                     95: Valid arguments are
1.23      christos   96: .Cm any
                     97: (the default),
                     98: .Cm inet
1.1       christos   99: (use IPv4 only), or
1.23      christos  100: .Cm inet6
1.1       christos  101: (use IPv6 only).
                    102: .It Cm AllowAgentForwarding
                    103: Specifies whether
                    104: .Xr ssh-agent 1
                    105: forwarding is permitted.
                    106: The default is
1.23      christos  107: .Cm yes .
1.1       christos  108: Note that disabling agent forwarding does not improve security
                    109: unless users are also denied shell access, as they can always install
                    110: their own forwarders.
                    111: .It Cm AllowGroups
                    112: This keyword can be followed by a list of group name patterns, separated
                    113: by spaces.
                    114: If specified, login is allowed only for users whose primary
                    115: group or supplementary group list matches one of the patterns.
                    116: Only group names are valid; a numerical group ID is not recognized.
                    117: By default, login is allowed for all groups.
                    118: The allow/deny directives are processed in the following order:
                    119: .Cm DenyUsers ,
                    120: .Cm AllowUsers ,
                    121: .Cm DenyGroups ,
                    122: and finally
                    123: .Cm AllowGroups .
                    124: .Pp
1.15      christos  125: See PATTERNS in
1.1       christos  126: .Xr ssh_config 5
                    127: for more information on patterns.
1.23      christos  128: .It Cm AllowStreamLocalForwarding
                    129: Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
1.14      christos  130: The available options are
1.23      christos  131: .Cm yes
                    132: (the default)
1.14      christos  133: or
1.23      christos  134: .Cm all
                    135: to allow StreamLocal forwarding,
                    136: .Cm no
                    137: to prevent all StreamLocal forwarding,
                    138: .Cm local
1.14      christos  139: to allow local (from the perspective of
                    140: .Xr ssh 1 )
                    141: forwarding only or
1.23      christos  142: .Cm remote
1.14      christos  143: to allow remote forwarding only.
1.23      christos  144: Note that disabling StreamLocal forwarding does not improve security unless
1.1       christos  145: users are also denied shell access, as they can always install their
                    146: own forwarders.
1.23      christos  147: .It Cm AllowTcpForwarding
                    148: Specifies whether TCP forwarding is permitted.
1.16      christos  149: The available options are
1.23      christos  150: .Cm yes
                    151: (the default)
1.16      christos  152: or
1.23      christos  153: .Cm all
                    154: to allow TCP forwarding,
                    155: .Cm no
                    156: to prevent all TCP forwarding,
                    157: .Cm local
1.16      christos  158: to allow local (from the perspective of
                    159: .Xr ssh 1 )
                    160: forwarding only or
1.23      christos  161: .Cm remote
1.16      christos  162: to allow remote forwarding only.
1.23      christos  163: Note that disabling TCP forwarding does not improve security unless
1.16      christos  164: users are also denied shell access, as they can always install their
                    165: own forwarders.
1.1       christos  166: .It Cm AllowUsers
                    167: This keyword can be followed by a list of user name patterns, separated
                    168: by spaces.
                    169: If specified, login is allowed only for user names that
                    170: match one of the patterns.
                    171: Only user names are valid; a numerical user ID is not recognized.
                    172: By default, login is allowed for all users.
                    173: If the pattern takes the form USER@HOST then USER and HOST
                    174: are separately checked, restricting logins to particular
                    175: users from particular hosts.
1.22      christos  176: HOST criteria may additionally contain addresses to match in CIDR
                    177: address/masklen format.
1.1       christos  178: The allow/deny directives are processed in the following order:
                    179: .Cm DenyUsers ,
                    180: .Cm AllowUsers ,
                    181: .Cm DenyGroups ,
                    182: and finally
                    183: .Cm AllowGroups .
                    184: .Pp
1.15      christos  185: See PATTERNS in
1.1       christos  186: .Xr ssh_config 5
                    187: for more information on patterns.
1.14      christos  188: .It Cm AuthenticationMethods
                    189: Specifies the authentication methods that must be successfully completed
                    190: for a user to be granted access.
1.25.2.2! pgoyette  191: This option must be followed by one or more lists of comma-separated
1.22      christos  192: authentication method names, or by the single string
1.23      christos  193: .Cm any
1.22      christos  194: to indicate the default behaviour of accepting any single authentication
                    195: method.
1.23      christos  196: If the default is overridden, then successful authentication requires
1.22      christos  197: completion of every method in at least one of these lists.
1.14      christos  198: .Pp
1.23      christos  199: For example,
                    200: .Qq publickey,password publickey,keyboard-interactive
1.14      christos  201: would require the user to complete public key authentication, followed by
                    202: either password or keyboard interactive authentication.
                    203: Only methods that are next in one or more lists are offered at each stage,
1.23      christos  204: so for this example it would not be possible to attempt password or
1.14      christos  205: keyboard-interactive authentication before public key.
                    206: .Pp
1.15      christos  207: For keyboard interactive authentication it is also possible to
                    208: restrict authentication to a specific device by appending a
                    209: colon followed by the device identifier
1.23      christos  210: .Cm bsdauth ,
                    211: .Cm pam ,
1.15      christos  212: or
1.23      christos  213: .Cm skey ,
1.15      christos  214: depending on the server configuration.
                    215: For example,
1.23      christos  216: .Qq keyboard-interactive:bsdauth
1.15      christos  217: would restrict keyboard interactive authentication to the
1.23      christos  218: .Cm bsdauth
1.15      christos  219: device.
                    220: .Pp
1.23      christos  221: If the publickey method is listed more than once,
1.17      christos  222: .Xr sshd 8
                    223: verifies that keys that have been used successfully are not reused for
                    224: subsequent authentications.
1.23      christos  225: For example,
                    226: .Qq publickey,publickey
                    227: requires successful authentication using two different public keys.
1.17      christos  228: .Pp
1.14      christos  229: Note that each authentication method listed should also be explicitly enabled
                    230: in the configuration.
1.25      christos  231: .Pp
                    232: The available authentication methods are:
                    233: .Qq gssapi-with-mic ,
                    234: .Qq hostbased ,
                    235: .Qq keyboard-interactive ,
                    236: .Qq none
                    237: (used for access to password-less accounts when
1.25.2.2! pgoyette  238: .Cm PermitEmptyPasswords
1.25      christos  239: is enabled),
                    240: .Qq password
                    241: and
                    242: .Qq publickey .
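The rules above (every method in one of the lists must complete in order, only the head of each list is offered at each stage, a public key may not count twice, and a ":device" suffix pins keyboard-interactive to one device) can be modelled as a small state machine. The following is an added example written for this page, not OpenSSH code; the class and function names are invented, key identifiers are constructed strings standing in for fingerprints, and the model only covers what the text states (it does not, for instance, check that each listed method is also enabled elsewhere in the configuration).

```python
"""Illustrative model of how sshd walks the AuthenticationMethods lists.

Added example, not OpenSSH code. It models the rules stated in the man page:
every method in at least one list must complete, in order; only the next
method of each list is offered; a key used for one publickey step may not be
reused; 'method:device' matches only that keyboard-interactive device.
"""

VALID_METHODS = {
    "gssapi-with-mic", "hostbased", "keyboard-interactive",
    "none", "password", "publickey",
}


def parse_methods(spec):
    """'publickey,password publickey,keyboard-interactive' ->
    [['publickey', 'password'], ['publickey', 'keyboard-interactive']].
    Returns None for 'any' (the default: any single method suffices)."""
    if spec.strip() == "any":
        return None
    lists = [entry.split(",") for entry in spec.split()]
    for methods in lists:
        for entry in methods:
            if entry.partition(":")[0] not in VALID_METHODS:
                raise ValueError("unknown authentication method: " + entry)
    return lists


def entry_matches(entry, method, submethod):
    """A bare 'method' entry matches any device; 'method:device' only that one."""
    name, _, device = entry.partition(":")
    return name == method and (device == "" or device == submethod)


class AuthSession:
    """Tracks one client's progress through the configured method lists."""

    def __init__(self, spec):
        self.lists = parse_methods(spec)   # None means "any"
        self.used_keys = set()             # constructed key ids already accepted
        self.authenticated = False

    def offered(self):
        """Methods the server advertises at this stage: the head of each list."""
        if self.lists is None:
            return set(VALID_METHODS)
        return {methods[0].partition(":")[0] for methods in self.lists if methods}

    def record_success(self, method, submethod=None, key=None):
        """Call after `method` succeeded. Returns True once some list is fully
        satisfied. Raises PermissionError if the method was not offered at this
        stage or if `key` already counted toward an earlier publickey step."""
        if method == "publickey" and key in self.used_keys:
            raise PermissionError("public key already used in this session")
        if self.lists is None:
            self.authenticated = True
            return True
        advanced = False
        for methods in self.lists:
            if methods and entry_matches(methods[0], method, submethod):
                methods.pop(0)
                advanced = True
                if not methods:
                    self.authenticated = True
        if not advanced:
            raise PermissionError(method + " is not offered at this stage")
        if method == "publickey":
            self.used_keys.add(key)
        return self.authenticated
```

With the man page's own example, "publickey,password publickey,keyboard-interactive", `offered()` starts as `{"publickey"}`, becomes `{"password", "keyboard-interactive"}` after a successful key, and `record_success` returns True once either of those completes; with "publickey,publickey" a second success with the same key is refused.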
1.14      christos  243: .It Cm AuthorizedKeysCommand
                    244: Specifies a program to be used to look up the user's public keys.
1.18      christos  245: The program must be owned by root, not writable by group or others and
                    246: specified by an absolute path.
                    247: Arguments to
                    248: .Cm AuthorizedKeysCommand
1.23      christos  249: accept the tokens described in the
                    250: .Sx TOKENS
                    251: section.
                    252: If no arguments are specified then the username of the target user is used.
1.18      christos  253: .Pp
                    254: The program should produce on standard output zero or
1.23      christos  255: more lines of authorized_keys output (see
                    256: .Sx AUTHORIZED_KEYS
                    257: in
1.14      christos  258: .Xr sshd 8 ) .
1.23      christos  259: If a key supplied by
                    260: .Cm AuthorizedKeysCommand
                    261: does not successfully authenticate
1.14      christos  262: and authorize the user then public key authentication continues using the usual
                    263: .Cm AuthorizedKeysFile
                    264: files.
1.23      christos  265: By default, no
                    266: .Cm AuthorizedKeysCommand
                    267: is run.
1.14      christos  268: .It Cm AuthorizedKeysCommandUser
1.23      christos  269: Specifies the user under whose account the
                    270: .Cm AuthorizedKeysCommand
                    271: is run.
1.14      christos  272: It is recommended to use a dedicated user that has no other role on the host
                    273: than running authorized keys commands.
1.17      christos  274: If
                    275: .Cm AuthorizedKeysCommand
                    276: is specified but
                    277: .Cm AuthorizedKeysCommandUser
                    278: is not, then
                    279: .Xr sshd 8
                    280: will refuse to start.
1.1       christos  281: .It Cm AuthorizedKeysFile
1.23      christos  282: Specifies the file that contains the public keys used for user authentication.
1.6       adam      283: The format is described in the
1.23      christos  284: .Sx AUTHORIZED_KEYS FILE FORMAT
1.6       adam      285: section of
                    286: .Xr sshd 8 .
1.23      christos  287: Arguments to
1.1       christos  288: .Cm AuthorizedKeysFile
1.23      christos  289: accept the tokens described in the
                    290: .Sx TOKENS
                    291: section.
1.1       christos  292: After expansion,
                    293: .Cm AuthorizedKeysFile
                    294: is taken to be an absolute path or one relative to the user's home
                    295: directory.
1.11      christos  296: Multiple files may be listed, separated by whitespace.
1.21      christos  297: Alternately this option may be set to
1.23      christos  298: .Cm none
1.21      christos  299: to skip checking for user keys in files.
1.1       christos  300: The default is
1.23      christos  301: .Qq .ssh/authorized_keys .ssh/authorized_keys2 .
1.18      christos  302: .It Cm AuthorizedPrincipalsCommand
                    303: Specifies a program to be used to generate the list of allowed
                    304: certificate principals as per
                    305: .Cm AuthorizedPrincipalsFile .
                    306: The program must be owned by root, not writable by group or others and
                    307: specified by an absolute path.
                    308: Arguments to
                    309: .Cm AuthorizedPrincipalsCommand
1.23      christos  310: accept the tokens described in the
                    311: .Sx TOKENS
                    312: section.
                    313: If no arguments are specified then the username of the target user is used.
1.18      christos  314: .Pp
                    315: The program should produce on standard output zero or
                    316: more lines of
                    317: .Cm AuthorizedPrincipalsFile
                    318: output.
                    319: If either
                    320: .Cm AuthorizedPrincipalsCommand
                    321: or
                    322: .Cm AuthorizedPrincipalsFile
                    323: is specified, then certificates offered by the client for authentication
                    324: must contain a principal that is listed.
1.23      christos  325: By default, no
                    326: .Cm AuthorizedPrincipalsCommand
                    327: is run.
1.18      christos  328: .It Cm AuthorizedPrincipalsCommandUser
1.23      christos  329: Specifies the user under whose account the
                    330: .Cm AuthorizedPrincipalsCommand
                    331: is run.
1.18      christos  332: It is recommended to use a dedicated user that has no other role on the host
                    333: than running authorized principals commands.
                    334: If
                    335: .Cm AuthorizedPrincipalsCommand
                    336: is specified but
                    337: .Cm AuthorizedPrincipalsCommandUser
                    338: is not, then
                    339: .Xr sshd 8
                    340: will refuse to start.
1.6       adam      341: .It Cm AuthorizedPrincipalsFile
                    342: Specifies a file that lists principal names that are accepted for
                    343: certificate authentication.
                    344: When using certificates signed by a key listed in
                    345: .Cm TrustedUserCAKeys ,
                    346: this file lists names, one of which must appear in the certificate for it
                    347: to be accepted for authentication.
1.23      christos  348: Names are listed one per line preceded by key options (as described in
                    349: .Sx AUTHORIZED_KEYS FILE FORMAT
                    350: in
1.6       adam      351: .Xr sshd 8 ) .
                    352: Empty lines and comments starting with
                    353: .Ql #
                    354: are ignored.
                    355: .Pp
1.23      christos  356: Arguments to
1.6       adam      357: .Cm AuthorizedPrincipalsFile
1.23      christos  358: accept the tokens described in the
                    359: .Sx TOKENS
                    360: section.
1.6       adam      361: After expansion,
                    362: .Cm AuthorizedPrincipalsFile
1.23      christos  363: is taken to be an absolute path or one relative to the user's home directory.
1.13      christos  364: The default is
1.23      christos  365: .Cm none ,
1.13      christos  366: i.e. not to use a principals file \(en in this case, the username
1.6       adam      367: of the user must appear in a certificate's principals list for it to be
                    368: accepted.
1.23      christos  369: .Pp
1.6       adam      370: Note that
                    371: .Cm AuthorizedPrincipalsFile
                    372: is only used when authentication proceeds using a CA listed in
                    373: .Cm TrustedUserCAKeys
                    374: and is not consulted for certification authorities trusted via
                    375: .Pa ~/.ssh/authorized_keys ,
                    376: though the
                    377: .Cm principals=
                    378: key option offers a similar facility (see
                    379: .Xr sshd 8
                    380: for details).
1.1       christos  381: .It Cm Banner
                    382: The contents of the specified file are sent to the remote user before
                    383: authentication is allowed.
                    384: If the argument is
1.23      christos  385: .Cm none
1.1       christos  386: then no banner is displayed.
                    387: By default, no banner is displayed.
                    388: .It Cm ChallengeResponseAuthentication
                    389: Specifies whether challenge-response authentication is allowed.
                    390: All authentication styles from
                    391: .Xr login.conf 5
                    392: are supported.
                    393: The default is
1.23      christos  394: .Cm yes .
1.1       christos  395: .It Cm ChrootDirectory
1.6       adam      396: Specifies the pathname of a directory to
1.1       christos  397: .Xr chroot 2
                    398: to after authentication.
1.17      christos  399: At session startup
                    400: .Xr sshd 8
                    401: checks that all components of the pathname are root-owned directories
                    402: which are not writable by any other user or group.
1.3       christos  403: After the chroot,
                    404: .Xr sshd 8
                    405: changes the working directory to the user's home directory.
1.23      christos  406: Arguments to
                    407: .Cm ChrootDirectory
                    408: accept the tokens described in the
                    409: .Sx TOKENS
                    410: section.
1.1       christos  411: .Pp
                    412: The
                    413: .Cm ChrootDirectory
                    414: must contain the necessary files and directories to support the
1.3       christos  415: user's session.
1.1       christos  416: For an interactive session this requires at least a shell, typically
                    417: .Xr sh 1 ,
                    418: and basic
                    419: .Pa /dev
                    420: nodes such as
                    421: .Xr null 4 ,
                    422: .Xr zero 4 ,
                    423: .Xr stdin 4 ,
                    424: .Xr stdout 4 ,
                    425: .Xr stderr 4 ,
                    426: and
                    427: .Xr tty 4
                    428: devices.
1.23      christos  429: For file transfer sessions using SFTP
                    430: no additional configuration of the environment is necessary if the in-process
                    431: sftp-server is used,
1.16      christos  432: though sessions which use logging may require
1.3       christos  433: .Pa /dev/log
1.16      christos  434: inside the chroot directory on some operating systems (see
1.3       christos  435: .Xr sftp-server 8
1.1       christos  436: for details).
                    437: .Pp
1.17      christos  438: For safety, it is very important that the directory hierarchy be
                    439: prevented from modification by other processes on the system (especially
                    440: those outside the jail).
                    441: Misconfiguration can lead to unsafe environments which
                    442: .Xr sshd 8
                    443: cannot detect.
                    444: .Pp
1.21      christos  445: The default is
1.23      christos  446: .Cm none ,
1.21      christos  447: indicating not to
1.1       christos  448: .Xr chroot 2 .
                    449: .It Cm Ciphers
1.21      christos  450: Specifies the ciphers allowed.
1.1       christos  451: Multiple ciphers must be comma-separated.
1.19      christos  452: If the specified value begins with a
                    453: .Sq +
                    454: character, then the specified ciphers will be appended to the default set
                    455: instead of replacing them.
1.24      christos  456: If the specified value begins with a
                    457: .Sq -
                    458: character, then the specified ciphers (including wildcards) will be removed
                    459: from the default set instead of replacing them.
1.19      christos  460: .Pp
1.16      christos  461: The supported ciphers are:
                    462: .Pp
                    463: .Bl -item -compact -offset indent
                    464: .It
                    465: 3des-cbc
                    466: .It
                    467: aes128-cbc
                    468: .It
                    469: aes192-cbc
                    470: .It
                    471: aes256-cbc
                    472: .It
                    473: aes128-ctr
                    474: .It
                    475: aes192-ctr
                    476: .It
                    477: aes256-ctr
                    478: .It
                    479: aes128-gcm@openssh.com
                    480: .It
                    481: aes256-gcm@openssh.com
                    482: .It
                    483: chacha20-poly1305@openssh.com
                    484: .El
                    485: .Pp
1.1       christos  486: The default is:
1.16      christos  487: .Bd -literal -offset indent
1.20      christos  488: chacha20-poly1305@openssh.com,
1.16      christos  489: aes128-ctr,aes192-ctr,aes256-ctr,
1.20      christos  490: aes128-gcm@openssh.com,aes256-gcm@openssh.com
1.1       christos  491: .Ed
1.16      christos  492: .Pp
1.23      christos  493: The list of available ciphers may also be obtained using
                    494: .Qq ssh -Q cipher .
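The three forms a Ciphers value can take (a plain list that replaces the default, a "+" list appended to it, and a "-" pattern list removed from it) are easy to get wrong when hardening a server, for example by removing every cipher with an over-broad pattern. The function below is an added example written for this page, not OpenSSH's own parser; it uses the supported and default lists exactly as given above, models only what the text states (wildcards on the "-" form), and assumes, as a labelled simplification, that a name already present is not appended twice. The "Bad SSH2 cipher spec" wording is the error sshd reports for an invalid value.

```python
"""Model of how a Ciphers value is combined with sshd's default cipher list.

Added example, not OpenSSH code: a plain list replaces the default, a leading
'+' appends to it, a leading '-' removes names (wildcards allowed) from it.
Unknown names and an empty result are rejected.
"""

import re

# Supported and default lists as given in sshd_config(5) for this version.
SUPPORTED_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]

DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


def match_pattern(name, pattern):
    """ssh-style glob: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None


def assemble_ciphers(value, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Return the effective cipher preference list for a Ciphers value."""
    mode = value[:1] if value[:1] in ("+", "-") else ""
    names = [n for n in value[len(mode):].split(",") if n]
    if mode == "-":
        # Drop every default entry that matches any of the given patterns.
        result = [c for c in default
                  if not any(match_pattern(c, p) for p in names)]
    else:
        # '+' starts from the default set; a plain list starts empty.
        result = list(default) if mode == "+" else []
        for n in names:
            if n not in supported:
                raise ValueError("Bad SSH2 cipher spec: unknown cipher " + n)
            if n not in result:   # assumption: duplicates collapse
                result.append(n)
    if not result:
        raise ValueError("Bad SSH2 cipher spec: no ciphers left")
    return result
```

For instance, "-aes128*" strips both aes128-ctr and aes128-gcm@openssh.com from the default list while keeping its order, "+aes256-cbc" adds a cipher sshd supports but does not enable by default, and "-*" is rejected because it would leave nothing to negotiate.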
1.1       christos  495: .It Cm ClientAliveCountMax
1.23      christos  496: Sets the number of client alive messages which may be sent without
1.1       christos  497: .Xr sshd 8
                    498: receiving any messages back from the client.
                    499: If this threshold is reached while client alive messages are being sent,
                    500: sshd will disconnect the client, terminating the session.
                    501: It is important to note that the use of client alive messages is very
                    502: different from
1.23      christos  503: .Cm TCPKeepAlive .
1.1       christos  504: The client alive messages are sent through the encrypted channel
                    505: and therefore will not be spoofable.
                    506: The TCP keepalive option enabled by
                    507: .Cm TCPKeepAlive
                    508: is spoofable.
                    509: The client alive mechanism is valuable when the client or
                    510: server depend on knowing when a connection has become inactive.
                    511: .Pp
                    512: The default value is 3.
                    513: If
                    514: .Cm ClientAliveInterval
1.23      christos  515: is set to 15, and
1.1       christos  516: .Cm ClientAliveCountMax
                    517: is left at the default, unresponsive SSH clients
                    518: will be disconnected after approximately 45 seconds.
                    519: .It Cm ClientAliveInterval
                    520: Sets a timeout interval in seconds after which if no data has been received
                    521: from the client,
                    522: .Xr sshd 8
                    523: will send a message through the encrypted
                    524: channel to request a response from the client.
                    525: The default
                    526: is 0, indicating that these messages will not be sent to the client.
                    527: .It Cm Compression
1.23      christos  528: Specifies whether compression is enabled after
1.1       christos  529: the user has authenticated successfully.
                    530: The argument must be
1.23      christos  531: .Cm yes ,
                    532: .Cm delayed
                    533: (a legacy synonym for
                    534: .Cm yes )
1.1       christos  535: or
1.23      christos  536: .Cm no .
1.1       christos  537: The default is
1.23      christos  538: .Cm yes .
1.1       christos  539: .It Cm DenyGroups
                    540: This keyword can be followed by a list of group name patterns, separated
                    541: by spaces.
                    542: Login is disallowed for users whose primary group or supplementary
                    543: group list matches one of the patterns.
                    544: Only group names are valid; a numerical group ID is not recognized.
                    545: By default, login is allowed for all groups.
                    546: The allow/deny directives are processed in the following order:
                    547: .Cm DenyUsers ,
                    548: .Cm AllowUsers ,
                    549: .Cm DenyGroups ,
                    550: and finally
                    551: .Cm AllowGroups .
                    552: .Pp
1.15      christos  553: See PATTERNS in
1.1       christos  554: .Xr ssh_config 5
                    555: for more information on patterns.
                    556: .It Cm DenyUsers
                    557: This keyword can be followed by a list of user name patterns, separated
                    558: by spaces.
                    559: Login is disallowed for user names that match one of the patterns.
                    560: Only user names are valid; a numerical user ID is not recognized.
                    561: By default, login is allowed for all users.
                    562: If the pattern takes the form USER@HOST then USER and HOST
                    563: are separately checked, restricting logins to particular
                    564: users from particular hosts.
1.22      christos  565: HOST criteria may additionally contain addresses to match in CIDR
                    566: address/masklen format.
1.1       christos  567: The allow/deny directives are processed in the following order:
                    568: .Cm DenyUsers ,
                    569: .Cm AllowUsers ,
                    570: .Cm DenyGroups ,
                    571: and finally
                    572: .Cm AllowGroups .
                    573: .Pp
1.15      christos  574: See PATTERNS in
1.1       christos  575: .Xr ssh_config 5
                    576: for more information on patterns.
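The processing order given above (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups), worked through as an added example that is not OpenSSH's own code: a small Python model that applies the four directives in the documented order, including USER@HOST patterns whose HOST part may be a hostname wildcard or a CIDR block. The group table, user names, hostnames and addresses are constructed for the example; a real server reads the system user and group databases.

```python
import fnmatch
import ipaddress

# Constructed sample data: primary and supplementary groups per user.
# A real sshd reads these from the system group database.
GROUPS = {
    "alice": ["staff", "wheel"],
    "bob": ["staff"],
    "deploy": ["svc"],
}


def _host_matches(hostname, ip, pat):
    """HOST part of a USER@HOST pattern: a CIDR block containing the client
    address, or a wildcard pattern tried against the hostname and the address."""
    if "/" in pat:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pat, strict=True)
    return (fnmatch.fnmatchcase(hostname.lower(), pat.lower())
            or fnmatch.fnmatchcase(ip, pat))


def _user_matches(user, hostname, ip, pat):
    """USER and HOST are checked separately. Only names are recognised: a
    numeric pattern such as '1000' matches nothing unless a user is literally
    named that."""
    if "@" in pat:
        upat, hpat = pat.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and _host_matches(hostname, ip, hpat)
    return fnmatch.fnmatchcase(user, pat)


def login_allowed(user, hostname, ip, deny_users=(), allow_users=(),
                  deny_groups=(), allow_groups=()):
    """Return (allowed, directive) applying DenyUsers, AllowUsers, DenyGroups
    and AllowGroups in that order. An empty Allow list imposes no
    restriction; a non-empty one denies every user or group it does not match,
    which is why adding a single AllowUsers line locks out everyone else."""
    if any(_user_matches(user, hostname, ip, p) for p in deny_users):
        return False, "DenyUsers"
    if allow_users and not any(_user_matches(user, hostname, ip, p) for p in allow_users):
        return False, "AllowUsers"
    groups = GROUPS.get(user, [])
    if any(fnmatch.fnmatchcase(g, p) for g in groups for p in deny_groups):
        return False, "DenyGroups"
    if allow_groups and not any(fnmatch.fnmatchcase(g, p)
                                for g in groups for p in allow_groups):
        return False, "AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    policy = dict(deny_users=["bob"],
                  allow_users=["*@192.0.2.0/24", "*@*.example.net"],
                  deny_groups=["svc"], allow_groups=["staff", "wheel"])
    for who in (("alice", "ws1.example.net", "192.0.2.7"),
                ("alice", "laptop.example.org", "198.51.100.9"),
                ("bob", "ws2.example.net", "192.0.2.8"),
                ("deploy", "ci.example.net", "192.0.2.20")):
        print(who, login_allowed(*who, **policy))
```

The order matters in practice: a user listed in both DenyUsers and AllowUsers is refused, because DenyUsers is evaluated first, and a user who passes the user checks can still be refused by DenyGroups through a supplementary group.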
1.23      christos  577: .It Cm DisableForwarding
                    578: Disables all forwarding features, including X11,
                    579: .Xr ssh-agent 1 ,
                    580: TCP and StreamLocal.
                    581: This option overrides all other forwarding-related options and may
                    582: simplify restricted configurations.
1.25      christos  583: .It Cm ExposeAuthInfo
                    584: Writes a temporary file containing a list of authentication methods and
                    585: public credentials (e.g. keys) used to authenticate the user.
                    586: The location of the file is exposed to the user session through the
                    587: .Ev SSH_USER_AUTH
                    588: environment variable.
                    589: The default is
                    590: .Cm no .
1.17      christos  591: .It Cm FingerprintHash
                    592: Specifies the hash algorithm used when logging key fingerprints.
                    593: Valid options are:
1.23      christos  594: .Cm md5
1.17      christos  595: and
1.23      christos  596: .Cm sha256 .
1.17      christos  597: The default is
1.23      christos  598: .Cm sha256 .
1.1       christos  599: .It Cm ForceCommand
                    600: Forces the execution of the command specified by
                    601: .Cm ForceCommand ,
                    602: ignoring any command supplied by the client and
                    603: .Pa ~/.ssh/rc
                    604: if present.
                    605: The command is invoked by using the user's login shell with the -c option.
                    606: This applies to shell, command, or subsystem execution.
                    607: It is most useful inside a
                    608: .Cm Match
                    609: block.
                    610: The command originally supplied by the client is available in the
                    611: .Ev SSH_ORIGINAL_COMMAND
                    612: environment variable.
                    613: Specifying a command of
1.23      christos  614: .Cm internal-sftp
                    615: will force the use of an in-process SFTP server that requires no support
1.1       christos  616: files when used with
                    617: .Cm ChrootDirectory .
1.21      christos  618: The default is
1.23      christos  619: .Cm none .
1.1       christos  620: .It Cm GatewayPorts
                    621: Specifies whether remote hosts are allowed to connect to ports
                    622: forwarded for the client.
                    623: By default,
                    624: .Xr sshd 8
                    625: binds remote port forwardings to the loopback address.
                    626: This prevents other remote hosts from connecting to forwarded ports.
                    627: .Cm GatewayPorts
                    628: can be used to specify that sshd
                    629: should allow remote port forwardings to bind to non-loopback addresses, thus
                    630: allowing other hosts to connect.
                    631: The argument may be
1.23      christos  632: .Cm no
1.1       christos  633: to force remote port forwardings to be available to the local host only,
1.23      christos  634: .Cm yes
1.1       christos  635: to force remote port forwardings to bind to the wildcard address, or
1.23      christos  636: .Cm clientspecified
1.1       christos  637: to allow the client to select the address to which the forwarding is bound.
                    638: The default is
1.23      christos  639: .Cm no .
1.1       christos  640: .It Cm GSSAPIAuthentication
                    641: Specifies whether user authentication based on GSSAPI is allowed.
                    642: The default is
1.23      christos  643: .Cm no .
1.1       christos  644: .It Cm GSSAPICleanupCredentials
                    645: Specifies whether to automatically destroy the user's credentials cache
                    646: on logout.
                    647: The default is
1.23      christos  648: .Cm yes .
1.18      christos  649: .It Cm GSSAPIStrictAcceptorCheck
                    650: Determines whether to be strict about the identity of the GSSAPI acceptor
                    651: a client authenticates against.
                    652: If set to
1.23      christos  653: .Cm yes
                    654: then the client must authenticate against the host
1.18      christos  655: service on the current hostname.
                    656: If set to
1.23      christos  657: .Cm no
1.18      christos  658: then the client may authenticate against any service key stored in the
                    659: machine's default store.
                    660: This facility is provided to assist with operation on multi-homed machines.
                    661: The default is
1.23      christos  662: .Cm yes .
1.17      christos  663: .It Cm HostbasedAcceptedKeyTypes
                    664: Specifies the key types that will be accepted for hostbased authentication
1.25.2.2! pgoyette  665: as a list of comma-separated patterns.
1.19      christos  666: Alternately if the specified value begins with a
                    667: .Sq +
                    668: character, then the specified key types will be appended to the default set
                    669: instead of replacing them.
1.24      christos  670: If the specified value begins with a
                    671: .Sq -
                    672: character, then the specified key types (including wildcards) will be removed
                    673: from the default set instead of replacing them.
1.19      christos  674: The default for this option is:
                    675: .Bd -literal -offset 3n
                    676: ecdsa-sha2-nistp256-cert-v01@openssh.com,
                    677: ecdsa-sha2-nistp384-cert-v01@openssh.com,
                    678: ecdsa-sha2-nistp521-cert-v01@openssh.com,
                    679: ssh-ed25519-cert-v01@openssh.com,
1.25.2.2! pgoyette  680: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
1.19      christos  681: ssh-rsa-cert-v01@openssh.com,
                    682: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1.25.2.2! pgoyette  683: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1.19      christos  684: .Ed
                    685: .Pp
1.23      christos  686: The list of available key types may also be obtained using
                    687: .Qq ssh -Q key .
1.1       christos  688: .It Cm HostbasedAuthentication
                    689: Specifies whether rhosts or /etc/hosts.equiv authentication together
                    690: with successful public key client host authentication is allowed
                    691: (host-based authentication).
                    692: The default is
1.23      christos  693: .Cm no .
1.1       christos  694: .It Cm HostbasedUsesNameFromPacketOnly
                    695: Specifies whether or not the server will attempt to perform a reverse
                    696: name lookup when matching the name in the
                    697: .Pa ~/.shosts ,
                    698: .Pa ~/.rhosts ,
                    699: and
                    700: .Pa /etc/hosts.equiv
                    701: files during
                    702: .Cm HostbasedAuthentication .
                    703: A setting of
1.23      christos  704: .Cm yes
1.1       christos  705: means that
                    706: .Xr sshd 8
                    707: uses the name supplied by the client rather than
                    708: attempting to resolve the name from the TCP connection itself.
                    709: The default is
1.23      christos  710: .Cm no .
1.6       adam      711: .It Cm HostCertificate
                    712: Specifies a file containing a public host certificate.
                    713: The certificate's public key must match a private host key already specified
                    714: by
                    715: .Cm HostKey .
                    716: The default behaviour of
                    717: .Xr sshd 8
                    718: is not to load any certificates.
1.1       christos  719: .It Cm HostKey
                    720: Specifies a file containing a private host key
                    721: used by SSH.
1.23      christos  722: The defaults are
1.16      christos  723: .Pa /etc/ssh/ssh_host_ecdsa_key ,
                    724: .Pa /etc/ssh/ssh_host_ed25519_key
1.10      christos  725: and
1.23      christos  726: .Pa /etc/ssh/ssh_host_rsa_key .
1.19      christos  727: .Pp
1.1       christos  728: Note that
                    729: .Xr sshd 8
1.19      christos  730: will refuse to use a file if it is group/world-accessible
                    731: and that the
                    732: .Cm HostKeyAlgorithms
                    733: option restricts which of the keys are actually used by
                    734: .Xr sshd 8 .
                    735: .Pp
1.1       christos  736: It is possible to have multiple host key files.
1.15      christos  737: It is also possible to specify public host key files instead.
                    738: In this case operations on the private key will be delegated
                    739: to an
                    740: .Xr ssh-agent 1 .
                    741: .It Cm HostKeyAgent
                    742: Identifies the UNIX-domain socket used to communicate
                    743: with an agent that has access to the private host keys.
1.22      christos  744: If the string
1.23      christos  745: .Qq SSH_AUTH_SOCK
1.15      christos  746: is specified, the location of the socket will be read from the
                    747: .Ev SSH_AUTH_SOCK
                    748: environment variable.
1.19      christos  749: .It Cm HostKeyAlgorithms
1.21      christos  750: Specifies the host key algorithms
1.19      christos  751: that the server offers.
                    752: The default for this option is:
                    753: .Bd -literal -offset 3n
                    754: ecdsa-sha2-nistp256-cert-v01@openssh.com,
                    755: ecdsa-sha2-nistp384-cert-v01@openssh.com,
                    756: ecdsa-sha2-nistp521-cert-v01@openssh.com,
                    757: ssh-ed25519-cert-v01@openssh.com,
1.25.2.2! pgoyette  758: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
1.19      christos  759: ssh-rsa-cert-v01@openssh.com,
                    760: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1.25.2.2! pgoyette  761: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1.19      christos  762: .Ed
                    763: .Pp
1.23      christos  764: The list of available key types may also be obtained using
                    765: .Qq ssh -Q key .
1.1       christos  766: .It Cm IgnoreRhosts
                    767: Specifies that
                    768: .Pa .rhosts
                    769: and
                    770: .Pa .shosts
                    771: files will not be used in
                    772: .Cm HostbasedAuthentication .
                    773: .Pp
                    774: .Pa /etc/hosts.equiv
                    775: and
                    776: .Pa /etc/shosts.equiv
                    777: are still used.
                    778: The default is
1.23      christos  779: .Cm yes .
1.1       christos  780: .It Cm IgnoreUserKnownHosts
                    781: Specifies whether
                    782: .Xr sshd 8
                    783: should ignore the user's
                    784: .Pa ~/.ssh/known_hosts
                    785: during
1.25.2.1  pgoyette  786: .Cm HostbasedAuthentication
                    787: and use only the system-wide known hosts file
                    788: .Pa /etc/ssh/known_hosts .
1.1       christos  789: The default is
1.23      christos  790: .Cm no .
1.10      christos  791: .It Cm IPQoS
                    792: Specifies the IPv4 type-of-service or DSCP class for the connection.
                    793: Accepted values are
1.23      christos  794: .Cm af11 ,
                    795: .Cm af12 ,
                    796: .Cm af13 ,
                    797: .Cm af21 ,
                    798: .Cm af22 ,
                    799: .Cm af23 ,
                    800: .Cm af31 ,
                    801: .Cm af32 ,
                    802: .Cm af33 ,
                    803: .Cm af41 ,
                    804: .Cm af42 ,
                    805: .Cm af43 ,
                    806: .Cm cs0 ,
                    807: .Cm cs1 ,
                    808: .Cm cs2 ,
                    809: .Cm cs3 ,
                    810: .Cm cs4 ,
                    811: .Cm cs5 ,
                    812: .Cm cs6 ,
                    813: .Cm cs7 ,
                    814: .Cm ef ,
                    815: .Cm lowdelay ,
                    816: .Cm throughput ,
                    817: .Cm reliability ,
1.25      christos  818: a numeric value, or
                    819: .Cm none
                    820: to use the operating system default.
1.10      christos  821: This option may take one or two arguments, separated by whitespace.
                    822: If one argument is specified, it is used as the packet class unconditionally.
                    823: If two values are specified, the first is automatically selected for
                    824: interactive sessions and the second for non-interactive sessions.
                    825: The default is
1.25.2.2! pgoyette  826: .Cm af21
        !           827: (Low-Latency Data)
1.10      christos  828: for interactive sessions and
1.25.2.2! pgoyette  829: .Cm cs1
        !           830: (Lower Effort)
1.10      christos  831: for non-interactive sessions.
1.16      christos  832: .It Cm KbdInteractiveAuthentication
                    833: Specifies whether to allow keyboard-interactive authentication.
                    834: The argument to this keyword must be
1.23      christos  835: .Cm yes
1.16      christos  836: or
1.23      christos  837: .Cm no .
1.16      christos  838: The default is to use whatever value
                    839: .Cm ChallengeResponseAuthentication
                    840: is set to
                    841: (by default
1.23      christos  842: .Cm yes ) .
1.1       christos  843: .It Cm KerberosAuthentication
                    844: Specifies whether the password provided by the user for
                    845: .Cm PasswordAuthentication
                    846: will be validated through the Kerberos KDC.
                    847: To use this option, the server needs a
                    848: Kerberos servtab which allows the verification of the KDC's identity.
                    849: The default is
1.23      christos  850: .Cm no .
1.1       christos  851: .It Cm KerberosGetAFSToken
                    852: If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
                    853: an AFS token before accessing the user's home directory.
                    854: The default is
1.23      christos  855: .Cm no .
1.1       christos  856: .It Cm KerberosOrLocalPasswd
                    857: If password authentication through Kerberos fails then
                    858: the password will be validated via any additional local mechanism
                    859: such as
                    860: .Pa /etc/passwd .
                    861: The default is
1.23      christos  862: .Cm yes .
1.1       christos  863: .It Cm KerberosTicketCleanup
                    864: Specifies whether to automatically destroy the user's ticket cache
                    865: file on logout.
                    866: The default is
1.23      christos  867: .Cm yes .
1.10      christos  868: .It Cm KexAlgorithms
                    869: Specifies the available KEX (Key Exchange) algorithms.
                    870: Multiple algorithms must be comma-separated.
1.19      christos  871: Alternately if the specified value begins with a
                    872: .Sq +
                    873: character, then the specified methods will be appended to the default set
                    874: instead of replacing them.
1.24      christos  875: If the specified value begins with a
                    876: .Sq -
                    877: character, then the specified methods (including wildcards) will be removed
                    878: from the default set instead of replacing them.
1.16      christos  879: The supported algorithms are:
                    880: .Pp
                    881: .Bl -item -compact -offset indent
                    882: .It
1.23      christos  883: curve25519-sha256
                    884: .It
1.16      christos  885: curve25519-sha256@libssh.org
                    886: .It
                    887: diffie-hellman-group1-sha1
                    888: .It
                    889: diffie-hellman-group14-sha1
                    890: .It
1.25.2.1  pgoyette  891: diffie-hellman-group14-sha256
                    892: .It
                    893: diffie-hellman-group16-sha512
                    894: .It
                    895: diffie-hellman-group18-sha512
                    896: .It
1.16      christos  897: diffie-hellman-group-exchange-sha1
                    898: .It
                    899: diffie-hellman-group-exchange-sha256
                    900: .It
                    901: ecdh-sha2-nistp256
                    902: .It
                    903: ecdh-sha2-nistp384
                    904: .It
                    905: ecdh-sha2-nistp521
                    906: .El
                    907: .Pp
                    908: The default is:
                    909: .Bd -literal -offset indent
1.23      christos  910: curve25519-sha256,curve25519-sha256@libssh.org,
1.16      christos  911: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                    912: diffie-hellman-group-exchange-sha256,
1.25.2.1  pgoyette  913: diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
                    914: diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
1.16      christos  915: .Ed
1.17      christos  916: .Pp
1.23      christos  917: The list of available key exchange algorithms may also be obtained using
                    918: .Qq ssh -Q kex .
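The + and - prefixes described above, as an added example that is not OpenSSH's code: a Python helper that applies a KexAlgorithms value to the default list printed on this page. Plain names and + additions must be exact, supported algorithm names; only - removals take wildcard patterns, as the text states. The supported and default lists are copied from this page; the same prefix rules apply to HostbasedAcceptedKeyTypes and MACs with their own lists substituted.

```python
import fnmatch

# Supported and default KEX lists, copied from this manual page.
SUPPORTED_KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
]
DEFAULT_KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
]


def _validated(names, supported):
    """Plain names must be exact, supported algorithm names: no wildcards here.
    Unknown names raise ValueError, as sshd rejects them when loading the config."""
    out = [n for n in names.split(",") if n]
    bad = [n for n in out if n not in supported]
    if bad:
        raise ValueError("unsupported KEX algorithm(s): " + ",".join(bad))
    return out


def assemble_kex(value, default=DEFAULT_KEX, supported=SUPPORTED_KEX):
    """Return the effective algorithm list for a KexAlgorithms value:
    '-patterns' removes every default entry matching any pattern (wildcards
    allowed), '+names' appends exact names not already present, and a bare
    list replaces the defaults outright."""
    if value.startswith("-"):
        patterns = [p for p in value[1:].split(",") if p]
        return [a for a in default
                if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]
    if value.startswith("+"):
        extra = _validated(value[1:], supported)
        return list(default) + [n for n in extra if n not in default]
    return _validated(value, supported)


def kex_value_is_valid(value):
    """True if sshd would accept the value (by the rules modelled above)."""
    try:
        assemble_kex(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for v in ("-*-sha1", "-diffie-hellman-group*", "+diffie-hellman-group1-sha1"):
        print(v, "->", ",".join(assemble_kex(v)))
```

A removal such as `-*-sha1` is the safe way to retire the SHA-1 group exchange without retyping the whole default list, whereas a bare list silently drops anything you forget to include.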
1.1       christos  919: .It Cm ListenAddress
                    920: Specifies the local addresses
                    921: .Xr sshd 8
                    922: should listen on.
                    923: The following forms may be used:
                    924: .Pp
                    925: .Bl -item -offset indent -compact
                    926: .It
                    927: .Cm ListenAddress
                    928: .Sm off
1.25.2.1  pgoyette  929: .Ar hostname | address
                    930: .Sm on
                    931: .Op Cm rdomain Ar domain
                    932: .It
                    933: .Cm ListenAddress
                    934: .Sm off
                    935: .Ar hostname : port
1.1       christos  936: .Sm on
1.25.2.1  pgoyette  937: .Op Cm rdomain Ar domain
1.1       christos  938: .It
                    939: .Cm ListenAddress
                    940: .Sm off
1.25.2.1  pgoyette  941: .Ar IPv4_address : port
1.1       christos  942: .Sm on
1.25.2.1  pgoyette  943: .Op Cm rdomain Ar domain
1.1       christos  944: .It
                    945: .Cm ListenAddress
                    946: .Sm off
1.25.2.1  pgoyette  947: .Oo Ar hostname | address Oc : Ar port
1.1       christos  948: .Sm on
1.25.2.1  pgoyette  949: .Op Cm rdomain Ar domain
1.1       christos  950: .El
                    951: .Pp
1.25.2.1  pgoyette  952: The optional
                    953: .Cm rdomain
                    954: qualifier requests
                    955: .Xr sshd 8
                    956: listen in an explicit routing domain.
1.1       christos  957: If
                    958: .Ar port
                    959: is not specified,
1.18      christos  960: sshd will listen on the address and all
1.1       christos  961: .Cm Port
                    962: options specified.
1.25.2.1  pgoyette  963: The default is to listen on all local addresses on the current default
                    964: routing domain.
1.1       christos  965: Multiple
                    966: .Cm ListenAddress
                    967: options are permitted.
1.25.2.1  pgoyette  968: For more information on routing domains, see
                    969: .Xr rdomain 4 .
1.1       christos  970: .It Cm LoginGraceTime
                    971: The server disconnects after this time if the user has not
                    972: successfully logged in.
                    973: If the value is 0, there is no time limit.
1.8       enami     974: The built-in default is 120 seconds, but the default
                    975: .Pa /etc/ssh/sshd_config
                    976: sets it to 600 seconds.
1.1       christos  977: .It Cm LogLevel
                    978: Gives the verbosity level that is used when logging messages from
                    979: .Xr sshd 8 .
                    980: The possible values are:
                    981: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
                    982: The default is INFO.
                    983: DEBUG and DEBUG1 are equivalent.
                    984: DEBUG2 and DEBUG3 each specify higher levels of debugging output.
                    985: Logging with a DEBUG level violates the privacy of users and is not recommended.
                    986: .It Cm MACs
                    987: Specifies the available MAC (message authentication code) algorithms.
1.21      christos  988: The MAC algorithm is used for data integrity protection.
1.1       christos  989: Multiple algorithms must be comma-separated.
1.19      christos  990: If the specified value begins with a
                    991: .Sq +
                    992: character, then the specified algorithms will be appended to the default set
                    993: instead of replacing them.
1.24      christos  994: If the specified value begins with a
                    995: .Sq -
                    996: character, then the specified algorithms (including wildcards) will be removed
                    997: from the default set instead of replacing them.
1.19      christos  998: .Pp
1.14      christos  999: The algorithms that contain
1.23      christos 1000: .Qq -etm
1.14      christos 1001: calculate the MAC after encryption (encrypt-then-mac).
                   1002: These are considered safer and their use recommended.
1.16      christos 1003: The supported MACs are:
                   1004: .Pp
                   1005: .Bl -item -compact -offset indent
                   1006: .It
                   1007: hmac-md5
                   1008: .It
                   1009: hmac-md5-96
                   1010: .It
                   1011: hmac-sha1
                   1012: .It
                   1013: hmac-sha1-96
                   1014: .It
                   1015: hmac-sha2-256
                   1016: .It
                   1017: hmac-sha2-512
                   1018: .It
                   1019: umac-64@openssh.com
                   1020: .It
                   1021: umac-128@openssh.com
                   1022: .It
                   1023: hmac-md5-etm@openssh.com
                   1024: .It
                   1025: hmac-md5-96-etm@openssh.com
                   1026: .It
                   1027: hmac-sha1-etm@openssh.com
                   1028: .It
                   1029: hmac-sha1-96-etm@openssh.com
                   1030: .It
                   1031: hmac-sha2-256-etm@openssh.com
                   1032: .It
                   1033: hmac-sha2-512-etm@openssh.com
                   1034: .It
                   1035: umac-64-etm@openssh.com
                   1036: .It
                   1037: umac-128-etm@openssh.com
                   1038: .El
                   1039: .Pp
1.1       christos 1040: The default is:
                   1041: .Bd -literal -offset indent
1.14      christos 1042: umac-64-etm@openssh.com,umac-128-etm@openssh.com,
                   1043: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1.21      christos 1044: hmac-sha1-etm@openssh.com,
1.16      christos 1045: umac-64@openssh.com,umac-128@openssh.com,
1.21      christos 1046: hmac-sha2-256,hmac-sha2-512,hmac-sha1
1.1       christos 1047: .Ed
1.17      christos 1048: .Pp
1.23      christos 1049: The list of available MAC algorithms may also be obtained using
                   1050: .Qq ssh -Q mac .
1.1       christos 1051: .It Cm Match
                   1052: Introduces a conditional block.
                   1053: If all of the criteria on the
                   1054: .Cm Match
                   1055: line are satisfied, the keywords on the following lines override those
                   1056: set in the global section of the config file, until either another
                   1057: .Cm Match
                   1058: line or the end of the file.
1.16      christos 1059: If a keyword appears in multiple
                   1060: .Cm Match
1.17      christos 1061: blocks that are satisfied, only the first instance of the keyword is
1.16      christos 1062: applied.
1.1       christos 1063: .Pp
                   1064: The arguments to
                   1065: .Cm Match
1.16      christos 1066: are one or more criteria-pattern pairs or the single token
                   1067: .Cm All
                   1068: which matches all criteria.
1.1       christos 1069: The available criteria are
                   1070: .Cm User ,
                   1071: .Cm Group ,
                   1072: .Cm Host ,
1.13      christos 1073: .Cm LocalAddress ,
                   1074: .Cm LocalPort ,
1.25.2.1  pgoyette 1075: .Cm RDomain ,
1.1       christos 1076: and
1.25.2.1  pgoyette 1077: .Cm Address
                   1078: (with
                   1079: .Cm RDomain
                   1080: representing the
                   1081: .Xr rdomain 4
                   1082: on which the connection was received.)
                   1083: .Pp
1.1       christos 1084: The match patterns may consist of single entries or comma-separated
                   1085: lists and may use the wildcard and negation operators described in the
1.23      christos 1086: .Sx PATTERNS
                   1087: section of
1.1       christos 1088: .Xr ssh_config 5 .
                   1089: .Pp
                   1090: The patterns in an
                   1091: .Cm Address
                   1092: criteria may additionally contain addresses to match in CIDR
1.23      christos 1093: address/masklen format,
                   1094: such as 192.0.2.0/24 or 2001:db8::/32.
1.1       christos 1095: Note that the mask length provided must be consistent with the address:
                   1096: it is an error to specify a mask length that is too long for the address
                   1097: or one with bits set in the host portion of the address.
1.23      christos 1098: For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
1.1       christos 1099: .Pp
                   1100: Only a subset of keywords may be used on the lines following a
                   1101: .Cm Match
                   1102: keyword.
                   1103: Available keywords are
1.13      christos 1104: .Cm AcceptEnv ,
1.1       christos 1105: .Cm AllowAgentForwarding ,
1.13      christos 1106: .Cm AllowGroups ,
1.17      christos 1107: .Cm AllowStreamLocalForwarding ,
1.1       christos 1108: .Cm AllowTcpForwarding ,
1.13      christos 1109: .Cm AllowUsers ,
1.14      christos 1110: .Cm AuthenticationMethods ,
                   1111: .Cm AuthorizedKeysCommand ,
                   1112: .Cm AuthorizedKeysCommandUser ,
1.6       adam     1113: .Cm AuthorizedKeysFile ,
1.21      christos 1114: .Cm AuthorizedPrincipalsCommand ,
                   1115: .Cm AuthorizedPrincipalsCommandUser ,
1.6       adam     1116: .Cm AuthorizedPrincipalsFile ,
1.1       christos 1117: .Cm Banner ,
                   1118: .Cm ChrootDirectory ,
1.23      christos 1119: .Cm ClientAliveCountMax ,
                   1120: .Cm ClientAliveInterval ,
1.13      christos 1121: .Cm DenyGroups ,
                   1122: .Cm DenyUsers ,
1.1       christos 1123: .Cm ForceCommand ,
                   1124: .Cm GatewayPorts ,
                   1125: .Cm GSSAPIAuthentication ,
1.17      christos 1126: .Cm HostbasedAcceptedKeyTypes ,
1.1       christos 1127: .Cm HostbasedAuthentication ,
1.6       adam     1128: .Cm HostbasedUsesNameFromPacketOnly ,
1.17      christos 1129: .Cm IPQoS ,
1.1       christos 1130: .Cm KbdInteractiveAuthentication ,
                   1131: .Cm KerberosAuthentication ,
1.25      christos 1132: .Cm LogLevel ,
1.1       christos 1133: .Cm MaxAuthTries ,
                   1134: .Cm MaxSessions ,
                   1135: .Cm PasswordAuthentication ,
                   1136: .Cm PermitEmptyPasswords ,
1.25.2.2! pgoyette 1137: .Cm PermitListen ,
1.1       christos 1138: .Cm PermitOpen ,
                   1139: .Cm PermitRootLogin ,
1.16      christos 1140: .Cm PermitTTY ,
1.6       adam     1141: .Cm PermitTunnel ,
1.16      christos 1142: .Cm PermitUserRC ,
1.17      christos 1143: .Cm PubkeyAcceptedKeyTypes ,
1.6       adam     1144: .Cm PubkeyAuthentication ,
1.15      christos 1145: .Cm RekeyLimit ,
1.17      christos 1146: .Cm RevokedKeys ,
1.25.2.1  pgoyette 1147: .Cm RDomain ,
1.25.2.2! pgoyette 1148: .Cm SetEnv ,
1.17      christos 1149: .Cm StreamLocalBindMask ,
                   1150: .Cm StreamLocalBindUnlink ,
                   1151: .Cm TrustedUserCAKeys ,
1.1       christos 1152: .Cm X11DisplayOffset ,
                   1153: .Cm X11Forwarding
                   1154: and
                   1155: .Cm X11UseLocalHost .
                   1156: .It Cm MaxAuthTries
                   1157: Specifies the maximum number of authentication attempts permitted per
                   1158: connection.
                   1159: Once the number of failures reaches half this value,
                   1160: additional failures are logged.
                   1161: The default is 6.
                   1162: .It Cm MaxSessions
1.21      christos 1163: Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
                   1164: sessions permitted per network connection.
                   1165: Multiple sessions may be established by clients that support connection
                   1166: multiplexing.
                   1167: Setting
                   1168: .Cm MaxSessions
                   1169: to 1 will effectively disable session multiplexing, whereas setting it to 0
                   1170: will prevent all shell, login and subsystem sessions while still permitting
                   1171: forwarding.
1.1       christos 1172: The default is 10.
                   1173: .It Cm MaxStartups
                   1174: Specifies the maximum number of concurrent unauthenticated connections to the
                   1175: SSH daemon.
                   1176: Additional connections will be dropped until authentication succeeds or the
                   1177: .Cm LoginGraceTime
                   1178: expires for a connection.
1.14      christos 1179: The default is 10:30:100.
1.1       christos 1180: .Pp
                   1181: Alternatively, random early drop can be enabled by specifying
                   1182: the three colon separated values
1.23      christos 1183: start:rate:full (e.g. "10:30:60").
1.1       christos 1184: .Xr sshd 8
1.23      christos 1185: will refuse connection attempts with a probability of rate/100 (30%)
                   1186: if there are currently start (10) unauthenticated connections.
1.1       christos 1187: The probability increases linearly and all connection attempts
1.23      christos 1188: are refused if the number of unauthenticated connections reaches full (60).
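As an added illustration (not part of this manual or the OpenSSH sources), the following Python models the start:rate:full random early drop described above. It assumes the refusal probability rises linearly from rate percent at start unauthenticated connections to 100 percent at full, as the text states, and that a bare MaxStartups value N behaves like N:100:N.

```python
# Added example, not from the sshd_config manual or the OpenSSH sources.
# Models the MaxStartups "start:rate:full" random early drop.  Assumptions:
# the refusal probability grows linearly from rate% at `start` unauthenticated
# connections to 100% at `full`, and a bare "N" behaves like "N:100:N".
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int  # unauthenticated connections at which dropping begins
    rate: int   # percent refused once `start` is reached
    full: int   # unauthenticated connections at which everything is refused

    @classmethod
    def parse(cls, spec: str) -> "MaxStartups":
        """Parse "start:rate:full" (e.g. "10:30:60") or a bare "N"."""
        fields = spec.strip().split(":")
        if len(fields) == 1:
            n = int(fields[0])
            return cls(n, 100, n)  # hard limit: refuse everything at N (assumption)
        if len(fields) != 3:
            raise ValueError(f"expected start:rate:full, got {spec!r}")
        start, rate, full = (int(f) for f in fields)
        if start <= 0 or full < start or not 0 <= rate <= 100:
            raise ValueError(f"inconsistent MaxStartups value {spec!r}")
        return cls(start, rate, full)

    def drop_probability(self, unauthenticated: int) -> int:
        """Percent chance that a new attempt is refused at this many unauthenticated connections."""
        if unauthenticated < self.start:
            return 0
        if unauthenticated >= self.full:
            return 100
        # Linear interpolation between rate% at `start` and 100% at `full`.
        span = self.full - self.start
        return self.rate + (100 - self.rate) * (unauthenticated - self.start) // span

    def should_drop(self, unauthenticated: int, rng: random.Random) -> bool:
        """One random early drop decision, made per connection attempt."""
        return rng.randrange(100) < self.drop_probability(unauthenticated)

    def observed_refusal_rate(self, unauthenticated: int, trials: int = 10_000,
                              seed: int = 0) -> float:
        """Fraction of `trials` attempts refused at a fixed load (deterministic via seed)."""
        rng = random.Random(seed)
        refused = sum(self.should_drop(unauthenticated, rng) for _ in range(trials))
        return refused / trials


if __name__ == "__main__":
    policy = MaxStartups.parse("10:30:60")  # the manual's example value
    for load in (5, 10, 35, 60):
        print(f"{load:3d} unauthenticated -> {policy.drop_probability(load):3d}% refused")
```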
1.1       christos 1189: .It Cm PasswordAuthentication
                   1190: Specifies whether password authentication is allowed.
                   1191: The default is
1.23      christos 1192: .Cm yes .
1.1       christos 1193: .It Cm PermitEmptyPasswords
                   1194: When password authentication is allowed, it specifies whether the
                   1195: server allows login to accounts with empty password strings.
                   1196: The default is
1.23      christos 1197: .Cm no .
1.25.2.2! pgoyette 1198: .It Cm PermitListen
        !          1199: Specifies the addresses/ports on which a remote TCP port forwarding may listen.
        !          1200: The listen specification must be one of the following forms:
        !          1201: .Pp
        !          1202: .Bl -item -offset indent -compact
        !          1203: .It
        !          1204: .Cm PermitListen
        !          1205: .Sm off
        !          1206: .Ar port
        !          1207: .Sm on
        !          1208: .It
        !          1209: .Cm PermitListen
        !          1210: .Sm off
        !          1211: .Ar host : port
        !          1212: .Sm on
        !          1213: .El
        !          1214: .Pp
        !          1215: Multiple permissions may be specified by separating them with whitespace.
        !          1216: An argument of
        !          1217: .Cm any
        !          1218: can be used to remove all restrictions and permit any listen requests.
        !          1219: An argument of
        !          1220: .Cm none
        !          1221: can be used to prohibit all listen requests.
        !          1222: The host name may contain wildcards as described in the PATTERNS section in
        !          1223: .Xr ssh_config 5 .
        !          1224: The wildcard
        !          1225: .Sq *
        !          1226: can also be used in place of a port number to allow all ports.
        !          1227: By default all port forwarding listen requests are permitted.
        !          1228: Note that the
        !          1229: .Cm GatewayPorts
        !          1230: option may further restrict which addresses may be listened on.
        !          1231: Note also that
        !          1232: .Xr ssh 1
        !          1233: will request a listen host of
        !          1234: .Dq localhost
        !          1235: if no listen host was specifically requested, and this name is
        !          1236: treated differently to explicit localhost addresses of
        !          1237: .Dq 127.0.0.1
        !          1238: and
        !          1239: .Dq ::1 .
1.1       christos 1240: .It Cm PermitOpen
                   1241: Specifies the destinations to which TCP port forwarding is permitted.
                   1242: The forwarding specification must be one of the following forms:
                   1243: .Pp
                   1244: .Bl -item -offset indent -compact
                   1245: .It
                   1246: .Cm PermitOpen
                   1247: .Sm off
                   1248: .Ar host : port
                   1249: .Sm on
                   1250: .It
                   1251: .Cm PermitOpen
                   1252: .Sm off
                   1253: .Ar IPv4_addr : port
                   1254: .Sm on
                   1255: .It
                   1256: .Cm PermitOpen
                   1257: .Sm off
                   1258: .Ar \&[ IPv6_addr \&] : port
                   1259: .Sm on
                   1260: .El
                   1261: .Pp
                   1262: Multiple forwards may be specified by separating them with whitespace.
                   1263: An argument of
1.23      christos 1264: .Cm any
1.1       christos 1265: can be used to remove all restrictions and permit any forwarding requests.
1.13      christos 1266: An argument of
1.23      christos 1267: .Cm none
1.13      christos 1268: can be used to prohibit all forwarding requests.
1.22      christos 1269: The wildcard
1.23      christos 1270: .Sq *
1.22      christos 1271: can be used for host or port to allow all hosts or ports, respectively.
1.1       christos 1272: By default all port forwarding requests are permitted.
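The following added Python (not from this manual or the OpenSSH sources) evaluates a PermitListen or PermitOpen list, covering both options described above, against a requested host and port. It assumes that a bare port in PermitListen means any listen host, that host patterns use the ssh-style "*" and "?" wildcards for both keywords, and that "any" and "none" must stand alone.

```python
# Added example, not from the sshd_config manual or the OpenSSH sources.
# Evaluates a PermitOpen or PermitListen list against a forwarding request.
# Assumptions: a bare "port" in PermitListen means any host ("*:port"); host
# patterns use the ssh-style "*" and "?" wildcards for both keywords; "any"
# and "none" must stand alone.
import re
from typing import List, NamedTuple, Optional


class PermitRule(NamedTuple):
    host: str  # hostname, address or pattern; "*" matches every host
    port: str  # decimal port or "*"


def _glob_match(pattern: str, value: str) -> bool:
    """PATTERNS-style matching: '*' is any run, '?' any single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


class PermitPolicy:
    rules: Optional[List[PermitRule]]  # None means unrestricted, [] means nothing

    def __init__(self, keyword: str, spec: str):
        if keyword not in ("PermitOpen", "PermitListen"):
            raise ValueError(f"unsupported keyword {keyword!r}")
        self.keyword = keyword
        words = spec.split()
        if not words:
            raise ValueError(f"{keyword} needs an argument")
        if words == ["any"]:
            self.rules = None
        elif words == ["none"]:
            self.rules = []
        else:
            self.rules = [self._parse_rule(w) for w in words]

    def _parse_rule(self, word: str) -> PermitRule:
        if word in ("any", "none"):
            raise ValueError(f"{word!r} must be the only {self.keyword} argument")
        if word.startswith("["):                      # [IPv6_addr]:port
            end = word.find("]:")
            if end < 0:
                raise ValueError(f"malformed IPv6 rule {word!r}")
            host, port = word[1:end], word[end + 2:]
        elif ":" in word:                             # host:port or IPv4_addr:port
            host, port = word.rsplit(":", 1)
        elif self.keyword == "PermitListen":          # bare port: any listen host
            host, port = "*", word
        else:
            raise ValueError(f"{self.keyword} rule {word!r} lacks a port")
        if not host:
            raise ValueError(f"empty host in {word!r}")
        if port != "*" and not (port.isdigit() and 1 <= int(port) <= 65535):
            raise ValueError(f"bad port in {word!r}")
        return PermitRule(host, port)

    def permits(self, host: str, port: int) -> bool:
        """True if a request for host:port is allowed by this list.

        "localhost" is compared as a name, so it does not satisfy rules written
        for 127.0.0.1 or ::1 (and vice versa), as the manual states.
        """
        if self.rules is None:
            return True
        for rule in self.rules:
            host_ok = rule.host == "*" or _glob_match(rule.host, host)
            port_ok = rule.port == "*" or int(rule.port) == port
            if host_ok and port_ok:
                return True
        return False


if __name__ == "__main__":
    policy = PermitPolicy("PermitOpen", "localhost:3306 [::1]:* *.example.com:443")
    for req in (("localhost", 3306), ("127.0.0.1", 3306), ("db.example.com", 443)):
        print(req, "->", "permitted" if policy.permits(*req) else "refused")
```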
                   1273: .It Cm PermitRootLogin
                   1274: Specifies whether root can log in using
                   1275: .Xr ssh 1 .
                   1276: The argument must be
1.23      christos 1277: .Cm yes ,
                   1278: .Cm prohibit-password ,
                   1279: .Cm forced-commands-only ,
1.1       christos 1280: or
1.23      christos 1281: .Cm no .
1.1       christos 1282: The default is
1.23      christos 1283: .Cm prohibit-password .
1.1       christos 1284: .Pp
                   1285: If this option is set to
1.23      christos 1286: .Cm prohibit-password
1.25.2.1  pgoyette 1287: (or its deprecated alias,
                   1288: .Cm without-password ) ,
1.19      christos 1289: password and keyboard-interactive authentication are disabled for root.
1.1       christos 1290: .Pp
                   1291: If this option is set to
1.23      christos 1292: .Cm forced-commands-only ,
1.1       christos 1293: root login with public key authentication will be allowed,
                   1294: but only if the
                   1295: .Ar command
                   1296: option has been specified
                   1297: (which may be useful for taking remote backups even if root login is
                   1298: normally not allowed).
                   1299: All other authentication methods are disabled for root.
                   1300: .Pp
                   1301: If this option is set to
1.23      christos 1302: .Cm no ,
1.1       christos 1303: root is not allowed to log in.
1.23      christos 1304: .It Cm PermitTTY
                   1305: Specifies whether
                   1306: .Xr pty 4
                   1307: allocation is permitted.
                   1308: The default is
                   1309: .Cm yes .
1.1       christos 1310: .It Cm PermitTunnel
                   1311: Specifies whether
                   1312: .Xr tun 4
                   1313: device forwarding is allowed.
                   1314: The argument must be
1.23      christos 1315: .Cm yes ,
                   1316: .Cm point-to-point
1.1       christos 1317: (layer 3),
1.23      christos 1318: .Cm ethernet
1.1       christos 1319: (layer 2), or
1.23      christos 1320: .Cm no .
1.1       christos 1321: Specifying
1.23      christos 1322: .Cm yes
1.1       christos 1323: permits both
1.23      christos 1324: .Cm point-to-point
1.1       christos 1325: and
1.23      christos 1326: .Cm ethernet .
1.1       christos 1327: The default is
1.23      christos 1328: .Cm no .
1.17      christos 1329: .Pp
                   1330: Independent of this setting, the permissions of the selected
                   1331: .Xr tun 4
                   1332: device must allow access to the user.
1.1       christos 1333: .It Cm PermitUserEnvironment
                   1334: Specifies whether
                   1335: .Pa ~/.ssh/environment
                   1336: and
                   1337: .Cm environment=
                   1338: options in
                   1339: .Pa ~/.ssh/authorized_keys
                   1340: are processed by
                   1341: .Xr sshd 8 .
1.25.2.2! pgoyette 1342: Valid options are
        !          1343: .Cm yes ,
        !          1344: .Cm no
        !          1345: or a pattern-list specifying which environment variable names to accept
        !          1346: (for example
        !          1347: .Qq LANG,LC_* ) .
1.1       christos 1348: The default is
1.23      christos 1349: .Cm no .
1.1       christos 1350: Enabling environment processing may enable users to bypass access
                   1351: restrictions in some configurations using mechanisms such as
                   1352: .Ev LD_PRELOAD .
1.16      christos 1353: .It Cm PermitUserRC
                   1354: Specifies whether any
                   1355: .Pa ~/.ssh/rc
                   1356: file is executed.
                   1357: The default is
1.23      christos 1358: .Cm yes .
1.1       christos 1359: .It Cm PidFile
                   1360: Specifies the file that contains the process ID of the
1.18      christos 1361: SSH daemon, or
1.23      christos 1362: .Cm none
1.18      christos 1363: to not write one.
1.1       christos 1364: The default is
                   1365: .Pa /var/run/sshd.pid .
                   1366: .It Cm Port
                   1367: Specifies the port number that
                   1368: .Xr sshd 8
                   1369: listens on.
                   1370: The default is 22.
                   1371: Multiple options of this type are permitted.
                   1372: See also
                   1373: .Cm ListenAddress .
                   1374: .It Cm PrintLastLog
                   1375: Specifies whether
                   1376: .Xr sshd 8
                   1377: should print the date and time of the last user login when a user logs
                   1378: in interactively.
                   1379: The default is
1.23      christos 1380: .Cm yes .
1.1       christos 1381: .It Cm PrintMotd
                   1382: Specifies whether
                   1383: .Xr sshd 8
                   1384: should print
                   1385: .Pa /etc/motd
                   1386: when a user logs in interactively.
                   1387: (On some systems it is also printed by the shell,
                   1388: .Pa /etc/profile ,
                   1389: or equivalent.)
                   1390: The default is
1.23      christos 1391: .Cm yes .
1.17      christos 1392: .It Cm PubkeyAcceptedKeyTypes
                   1393: Specifies the key types that will be accepted for public key authentication
1.25.2.2! pgoyette 1394: as a list of comma-separated patterns.
1.19      christos 1395: Alternately if the specified value begins with a
                   1396: .Sq +
                   1397: character, then the specified key types will be appended to the default set
                   1398: instead of replacing them.
1.24      christos 1399: If the specified value begins with a
                   1400: .Sq -
                   1401: character, then the specified key types (including wildcards) will be removed
                   1402: from the default set instead of replacing them.
1.19      christos 1403: The default for this option is:
                   1404: .Bd -literal -offset 3n
                   1405: ecdsa-sha2-nistp256-cert-v01@openssh.com,
                   1406: ecdsa-sha2-nistp384-cert-v01@openssh.com,
                   1407: ecdsa-sha2-nistp521-cert-v01@openssh.com,
                   1408: ssh-ed25519-cert-v01@openssh.com,
1.25.2.2! pgoyette 1409: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
1.19      christos 1410: ssh-rsa-cert-v01@openssh.com,
                   1411: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1.25.2.2! pgoyette 1412: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1.19      christos 1413: .Ed
                   1414: .Pp
1.23      christos 1415: The list of available key types may also be obtained using
                   1416: .Qq ssh -Q key .
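The following added Python (not from this manual or the OpenSSH sources) works out the effective key type list for the plain, "+" and "-" forms of PubkeyAcceptedKeyTypes described above, starting from the default list quoted there. It assumes a plain list is taken literally (sshd matches it as patterns against every supported type, a set this page does not list), that "+" skips types already present, and that a value leaving no key types is an error.

```python
# Added example, not from the sshd_config manual or the OpenSSH sources.
# Computes the effective PubkeyAcceptedKeyTypes list for the "+", "-" and plain
# forms.  Assumptions: a plain list is taken literally (sshd matches it as
# patterns against every supported type, a set not given here), "+" skips
# types already present, and an empty result is an error.
import re
from typing import List

# The default list, copied from the manual text above.
DEFAULT_PUBKEY_ACCEPTED_KEY_TYPES: List[str] = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
    "ssh-ed25519-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "rsa-sha2-256-cert-v01@openssh.com",
    "ssh-rsa-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]


def _pattern_match(pattern: str, name: str) -> bool:
    """'*' matches any run of characters, '?' one character; the rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def _split_list(text: str) -> List[str]:
    items = [t.strip() for t in text.split(",")]
    if any(not t for t in items):
        raise ValueError(f"empty entry in key type list {text!r}")
    return items


def effective_key_types(spec: str,
                        default: List[str] = DEFAULT_PUBKEY_ACCEPTED_KEY_TYPES) -> List[str]:
    """Return the key types sshd would accept for the given option value."""
    spec = spec.strip()
    if spec.startswith("+"):
        # Append to the default set instead of replacing it.
        result = list(default)
        for name in _split_list(spec[1:]):
            if name not in result:
                result.append(name)
    elif spec.startswith("-"):
        # Remove every default entry matching any of the (wildcard) patterns.
        patterns = _split_list(spec[1:])
        result = [t for t in default
                  if not any(_pattern_match(p, t) for p in patterns)]
    else:
        result = _split_list(spec)
    if not result:
        raise ValueError(f"{spec!r} leaves no accepted key types")
    return result


def accepts(spec: str, key_type: str) -> bool:
    """Would a key of `key_type` pass the PubkeyAcceptedKeyTypes check?"""
    return key_type in effective_key_types(spec)


if __name__ == "__main__":
    # Dropping SHA-1 RSA signatures while keeping RSA keys that sign with SHA-2.
    no_sha1 = "-ssh-rsa,ssh-rsa-cert-v01@openssh.com"
    print("ssh-rsa accepted:", accepts(no_sha1, "ssh-rsa"))            # False
    print("rsa-sha2-256 accepted:", accepts(no_sha1, "rsa-sha2-256"))  # True
```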
1.1       christos 1417: .It Cm PubkeyAuthentication
                   1418: Specifies whether public key authentication is allowed.
                   1419: The default is
1.23      christos 1420: .Cm yes .
1.15      christos 1421: .It Cm RekeyLimit
                   1422: Specifies the maximum amount of data that may be transmitted before the
                   1423: session key is renegotiated, optionally followed by a maximum amount of
                   1424: time that may pass before the session key is renegotiated.
                   1425: The first argument is specified in bytes and may have a suffix of
                   1426: .Sq K ,
                   1427: .Sq M ,
                   1428: or
                   1429: .Sq G
                   1430: to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
                   1431: The default is between
                   1432: .Sq 1G
                   1433: and
                   1434: .Sq 4G ,
                   1435: depending on the cipher.
                   1436: The optional second value is specified in seconds and may use any of the
                   1437: units documented in the
                   1438: .Sx TIME FORMATS
                   1439: section.
                   1440: The default value for
                   1441: .Cm RekeyLimit
                   1442: is
1.23      christos 1443: .Cm default none ,
1.15      christos 1444: which means that rekeying is performed after the cipher's default amount
                   1445: of data has been sent or received and no time based rekeying is done.
1.6       adam     1446: .It Cm RevokedKeys
1.18      christos 1447: Specifies revoked public keys file, or
1.23      christos 1448: .Cm none
1.18      christos 1449: to not use one.
1.6       adam     1450: Keys listed in this file will be refused for public key authentication.
                   1451: Note that if this file is not readable, then public key authentication will
                   1452: be refused for all users.
1.14      christos 1453: Keys may be specified as a text file, listing one public key per line, or as
                   1454: an OpenSSH Key Revocation List (KRL) as generated by
                   1455: .Xr ssh-keygen 1 .
1.15      christos 1456: For more information on KRLs, see the KEY REVOCATION LISTS section in
1.14      christos 1457: .Xr ssh-keygen 1 .
1.25.2.1  pgoyette 1458: .It Cm RDomain
                   1459: Specifies an explicit routing domain that is applied after authentication
                   1460: has completed.
                   1461: The user session, as well as any forwarded or listening IP sockets,
                   1462: will be bound to this
                   1463: .Xr rdomain 4 .
                   1464: If the routing domain is set to
                   1465: .Cm \&%D ,
                   1466: then the domain in which the incoming connection was received will be applied.
1.25.2.2! pgoyette 1467: .It Cm SetEnv
        !          1468: Specifies one or more environment variables to set in child sessions started
        !          1469: by
        !          1470: .Xr sshd 8
        !          1471: as
        !          1472: .Dq NAME=VALUE .
        !          1473: The environment value may be quoted (e.g. if it contains whitespace
        !          1474: characters).
        !          1475: Environment variables set by
        !          1476: .Cm SetEnv
        !          1477: override the default environment and any variables specified by the user
        !          1478: via
        !          1479: .Cm AcceptEnv
        !          1480: or
        !          1481: .Cm PermitUserEnvironment .
1.16      christos 1482: .It Cm StreamLocalBindMask
                   1483: Sets the octal file creation mode mask
                   1484: .Pq umask
                   1485: used when creating a Unix-domain socket file for local or remote
                   1486: port forwarding.
                   1487: This option is only used for port forwarding to a Unix-domain socket file.
                   1488: .Pp
                   1489: The default value is 0177, which creates a Unix-domain socket file that is
                   1490: readable and writable only by the owner.
                   1491: Note that not all operating systems honor the file mode on Unix-domain
                   1492: socket files.
                   1493: .It Cm StreamLocalBindUnlink
                   1494: Specifies whether to remove an existing Unix-domain socket file for local
                   1495: or remote port forwarding before creating a new one.
                   1496: If the socket file already exists and
                   1497: .Cm StreamLocalBindUnlink
                   1498: is not enabled,
                   1499: .Nm sshd
                   1500: will be unable to forward the port to the Unix-domain socket file.
                   1501: This option is only used for port forwarding to a Unix-domain socket file.
                   1502: .Pp
                   1503: The argument must be
1.23      christos 1504: .Cm yes
1.16      christos 1505: or
1.23      christos 1506: .Cm no .
1.16      christos 1507: The default is
1.23      christos 1508: .Cm no .
1.1       christos 1509: .It Cm StrictModes
                   1510: Specifies whether
                   1511: .Xr sshd 8
                   1512: should check file modes and ownership of the
                   1513: user's files and home directory before accepting login.
                   1514: This is normally desirable because novices sometimes accidentally leave their
                   1515: directory or files world-writable.
                   1516: The default is
1.23      christos 1517: .Cm yes .
1.6       adam     1518: Note that this does not apply to
                   1519: .Cm ChrootDirectory ,
                   1520: whose permissions and ownership are checked unconditionally.
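The following added Python (not from this manual or the OpenSSH sources) approximates the StrictModes check described above: the home directory, ~/.ssh and authorized_keys must belong to the user (or root) and must not be group- or world-writable. The exact path list and the allowance for root ownership are assumptions drawn from the manual's description, not from sshd's code.

```python
# Added example, not from the sshd_config manual or the OpenSSH sources.
# Approximates the StrictModes check: the home directory, ~/.ssh and
# authorized_keys must be owned by the user (or root) and must not be
# group- or world-writable.  Assumption: the path list and the root-ownership
# allowance follow the manual's description rather than sshd's implementation.
import os
import stat
from typing import List


def _check_path(path: str, uid: int) -> List[str]:
    """Problems with one path; a missing path is not a mode problem."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return []
    problems: List[str] = []
    if st.st_uid not in (uid, 0):
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid} or root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group- or world-writable "
                        f"(mode {stat.filemode(st.st_mode)})")
    return problems


def strict_mode_problems(home: str, uid: int) -> List[str]:
    """Reasons StrictModes would refuse public key login for this user, or [] if clean."""
    candidates = [
        home,
        os.path.join(home, ".ssh"),
        os.path.join(home, ".ssh", "authorized_keys"),
    ]
    problems: List[str] = []
    for path in candidates:
        problems.extend(_check_path(path, uid))
    return problems


if __name__ == "__main__":
    # Check the invoking user's own files, as sshd would before accepting a key.
    for line in strict_mode_problems(os.path.expanduser("~"), os.getuid()) or ["clean"]:
        print(line)
```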
1.1       christos 1521: .It Cm Subsystem
                   1522: Configures an external subsystem (e.g. file transfer daemon).
                   1523: Arguments should be a subsystem name and a command (with optional arguments)
                   1524: to execute upon subsystem request.
                   1525: .Pp
                   1526: The command
1.23      christos 1527: .Cm sftp-server
                   1528: implements the SFTP file transfer subsystem.
1.1       christos 1529: .Pp
                   1530: Alternately the name
1.23      christos 1531: .Cm internal-sftp
                   1532: implements an in-process SFTP server.
1.1       christos 1533: This may simplify configurations using
                   1534: .Cm ChrootDirectory
                   1535: to force a different filesystem root on clients.
                   1536: .Pp
                   1537: By default no subsystems are defined.
                   1538: .It Cm SyslogFacility
                   1539: Gives the facility code that is used when logging messages from
                   1540: .Xr sshd 8 .
                   1541: The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
                   1542: LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
                   1543: The default is AUTH.
                   1544: .It Cm TCPKeepAlive
                   1545: Specifies whether the system should send TCP keepalive messages to the
                   1546: other side.
                   1547: If they are sent, death of the connection or crash of one
                   1548: of the machines will be properly noticed.
                   1549: However, this means that
                   1550: connections will die if the route is down temporarily, and some people
                   1551: find it annoying.
                   1552: On the other hand, if TCP keepalives are not sent,
                   1553: sessions may hang indefinitely on the server, leaving
1.23      christos 1554: .Qq ghost
1.1       christos 1555: users and consuming server resources.
                   1556: .Pp
                   1557: The default is
1.23      christos 1558: .Cm yes
1.1       christos 1559: (to send TCP keepalive messages), and the server will notice
                   1560: if the network goes down or the client host crashes.
                   1561: This avoids infinitely hanging sessions.
                   1562: .Pp
                   1563: To disable TCP keepalive messages, the value should be set to
1.23      christos 1564: .Cm no .
1.6       adam     1565: .It Cm TrustedUserCAKeys
                   1566: Specifies a file containing public keys of certificate authorities that are
1.18      christos 1567: trusted to sign user certificates for authentication, or
1.23      christos 1568: .Cm none
1.18      christos 1569: to not use one.
1.6       adam     1570: Keys are listed one per line; empty lines and comments starting with
                   1571: .Ql #
                   1572: are allowed.
                   1573: If a certificate is presented for authentication and has its signing CA key
                   1574: listed in this file, then it may be used for authentication for any user
                   1575: listed in the certificate's principals list.
                   1576: Note that certificates that lack a list of principals will not be permitted
                   1577: for authentication using
                   1578: .Cm TrustedUserCAKeys .
1.15      christos 1579: For more details on certificates, see the CERTIFICATES section in
1.6       adam     1580: .Xr ssh-keygen 1 .
1.1       christos 1581: .It Cm UseDNS
                   1582: Specifies whether
                   1583: .Xr sshd 8
1.19      christos 1584: should look up the remote host name and check that
1.1       christos 1585: the resolved host name for the remote IP address maps back to the
                   1586: very same IP address.
1.19      christos 1587: .Pp
                   1588: If this option is set to
1.23      christos 1589: .Cm no
1.19      christos 1590: (the default) then only addresses and not host names may be used in
1.22      christos 1591: .Pa ~/.ssh/authorized_keys
1.19      christos 1592: .Cm from
                   1593: and
1.20      christos 1594: .Nm
1.19      christos 1595: .Cm Match
                   1596: .Cm Host
                   1597: directives.
1.13      christos 1598: .It Cm VersionAddendum
                   1599: Optionally specifies additional text to append to the SSH protocol banner
                   1600: sent by the server upon connection.
                   1601: The default is
1.23      christos 1602: .Cm none .
1.1       christos 1603: .It Cm X11DisplayOffset
                   1604: Specifies the first display number available for
                   1605: .Xr sshd 8 Ns 's
                   1606: X11 forwarding.
                   1607: This prevents sshd from interfering with real X11 servers.
                   1608: The default is 10.
                   1609: .It Cm X11Forwarding
                   1610: Specifies whether X11 forwarding is permitted.
                   1611: The argument must be
1.23      christos 1612: .Cm yes
1.1       christos 1613: or
1.23      christos 1614: .Cm no .
1.1       christos 1615: The default is
1.23      christos 1616: .Cm no .
1.1       christos 1617: .Pp
                   1618: When X11 forwarding is enabled, there may be additional exposure to
                   1619: the server and to client displays if the
                   1620: .Xr sshd 8
                   1621: proxy display is configured to listen on the wildcard address (see
1.23      christos 1622: .Cm X11UseLocalhost ) ,
                   1623: though this is not the default.
1.1       christos 1624: Additionally, the authentication spoofing and authentication data
                   1625: verification and substitution occur on the client side.
                   1626: The security risk of using X11 forwarding is that the client's X11
                   1627: display server may be exposed to attack when the SSH client requests
                   1628: forwarding (see the warnings for
                   1629: .Cm ForwardX11
                   1630: in
                   1631: .Xr ssh_config 5 ) .
                   1632: A system administrator may have a stance in which they want to
                   1633: protect clients that may expose themselves to attack by unwittingly
                   1634: requesting X11 forwarding, which can warrant a
1.23      christos 1635: .Cm no
1.1       christos 1636: setting.
                   1637: .Pp
                   1638: Note that disabling X11 forwarding does not prevent users from
                   1639: forwarding X11 traffic, as users can always install their own forwarders.
                   1640: .It Cm X11UseLocalhost
                   1641: Specifies whether
                   1642: .Xr sshd 8
                   1643: should bind the X11 forwarding server to the loopback address or to
                   1644: the wildcard address.
                   1645: By default,
                   1646: sshd binds the forwarding server to the loopback address and sets the
                   1647: hostname part of the
                   1648: .Ev DISPLAY
                   1649: environment variable to
1.23      christos 1650: .Cm localhost .
1.1       christos 1651: This prevents remote hosts from connecting to the proxy display.
                   1652: However, some older X11 clients may not function with this
                   1653: configuration.
                   1654: .Cm X11UseLocalhost
                   1655: may be set to
1.23      christos 1656: .Cm no
1.1       christos 1657: to specify that the forwarding server should be bound to the wildcard
                   1658: address.
                   1659: The argument must be
1.23      christos 1660: .Cm yes
1.1       christos 1661: or
1.23      christos 1662: .Cm no .
1.1       christos 1663: The default is
1.23      christos 1664: .Cm yes .
1.1       christos 1665: .It Cm XAuthLocation
                   1666: Specifies the full pathname of the
                   1667: .Xr xauth 1
1.18      christos 1668: program, or
1.23      christos 1669: .Cm none
1.18      christos 1670: to not use one.
1.1       christos 1671: The default is
                   1672: .Pa /usr/X11R6/bin/xauth .
1.7       adam     1673: .It Cm UseLPK
                   1674: Specifies whether LDAP public key retrieval is used. It allows
                   1675: easy centralisation of public keys within an LDAP directory. The argument must be
                   1676: .Dq yes
                   1677: or
                   1678: .Dq no .
                   1679: .It Cm LpkLdapConf
                   1680: Specifies whether LDAP public key retrieval should parse the specified ldap.conf file
                   1681: instead of the sshd_config options below. The argument must be a valid path to an ldap.conf
                   1682: file such as
                   1683: .Pa /etc/ldap.conf .
                   1684: .It Cm LpkServers
                   1685: Specifies one or more whitespace-separated LDAP server URLs; the following form may be used:
                   1686: .Pp
                   1687: LpkServers ldaps://127.0.0.1 ldap://127.0.0.2 ldap://127.0.0.3
                   1688: .It Cm LpkUserDN
                   1689: Specifies the LDAP user DN.
                   1690: .Pp
                   1691: LpkUserDN ou=users,dc=phear,dc=org
                   1692: .It Cm LpkGroupDN
                   1693: Specifies the LDAP groups DN.
                   1694: .Pp
                   1695: LpkGroupDN ou=groups,dc=phear,dc=org
                   1696: .It Cm LpkBindDN
                   1697: Specifies the LDAP bind DN to use if necessary.
                   1698: .Pp
                   1699: LpkBindDN cn=Manager,dc=phear,dc=org
                   1700: .It Cm LpkBindPw
                   1701: Specifies the LDAP bind credential.
                   1702: .Pp
                   1703: LpkBindPw secret
                   1704: .It Cm LpkServerGroup
                   1705: Specifies one or more whitespace-separated groups of which the server is a member.
                   1706: .Pp
                   1707: LpkServerGroup unix mail prod
                   1708: .It Cm LpkFilter
                   1709: Specifies an additional LDAP filter to use for finding SSH keys.
                   1710: .Pp
                   1711: LpkFilter (hostAccess=master.phear.org)
                   1712: .It Cm LpkForceTLS
                   1713: Specifies whether TLS on the LDAP server connection is forced, tried, or not used. The argument must be
                   1714: .Dq yes
                   1715: or
                   1716: .Dq no
                   1717: or
                   1718: .Dq try .
                   1719: .It Cm LpkSearchTimelimit
1.9       agc      1720: Specifies the search time limit after which the search is considered over. The value is
1.7       adam     1721: in seconds.
                   1722: .Pp
                   1723: LpkSearchTimelimit 3
                   1724: .It Cm LpkBindTimelimit
1.9       agc      1725: Specifies the bind time limit after which the connection is considered dead. The value is
1.7       adam     1726: in seconds.
                   1727: .Pp
                   1728: LpkBindTimelimit 3
1.1       christos 1729: .El
                   1730: .Sh TIME FORMATS
                   1731: .Xr sshd 8
                   1732: command-line arguments and configuration file options that specify time
                   1733: may be expressed using a sequence of the form:
                   1734: .Sm off
                   1735: .Ar time Op Ar qualifier ,
                   1736: .Sm on
                   1737: where
                   1738: .Ar time
                   1739: is a positive integer value and
                   1740: .Ar qualifier
                   1741: is one of the following:
                   1742: .Pp
                   1743: .Bl -tag -width Ds -compact -offset indent
                   1744: .It Aq Cm none
                   1745: seconds
                   1746: .It Cm s | Cm S
                   1747: seconds
                   1748: .It Cm m | Cm M
                   1749: minutes
                   1750: .It Cm h | Cm H
                   1751: hours
                   1752: .It Cm d | Cm D
                   1753: days
                   1754: .It Cm w | Cm W
                   1755: weeks
                   1756: .El
                   1757: .Pp
                   1758: Each member of the sequence is added together to calculate
                   1759: the total time value.
                   1760: .Pp
                   1761: Time format examples:
                   1762: .Pp
                   1763: .Bl -tag -width Ds -compact -offset indent
                   1764: .It 600
                   1765: 600 seconds (10 minutes)
                   1766: .It 10m
                   1767: 10 minutes
                   1768: .It 1h30m
                   1769: 1 hour 30 minutes (90 minutes)
                   1770: .El
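The following added Python (not from this manual or the OpenSSH sources) parses the time sequence defined in this section and applies it to RekeyLimit, whose first value is a byte count with an optional K, M or G suffix. It assumes the suffixes are powers of 1024, that "default" keeps the cipher's byte limit, and that "none" or an absent second value means no time-based rekeying.

```python
# Added example, not from the sshd_config manual or the OpenSSH sources.
# Parses the TIME FORMATS sequence ("1h30m") and applies it to RekeyLimit,
# whose first value is a byte count with an optional K/M/G suffix.
# Assumptions: K/M/G are powers of 1024, "default" keeps the cipher's byte
# limit, and "none" (or no second value) disables time-based rekeying.
import re
from typing import Optional, Tuple

_TIME_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_TOKEN = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)
_BYTE_SUFFIX = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_time(spec: str) -> int:
    """Total seconds for a sequence of time[qualifier] members, e.g. "1h30m" -> 5400."""
    if not spec:
        raise ValueError("empty time value")
    total, pos = 0, 0
    while pos < len(spec):
        m = _TIME_TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"bad time value {spec!r} at offset {pos}")
        value, qualifier = int(m.group(1)), m.group(2).lower()
        total += value * _TIME_UNIT_SECONDS[qualifier]  # members are added together
        pos = m.end()
    return total


def parse_byte_limit(spec: str) -> int:
    """Bytes for a value such as "500M" or "1G"."""
    m = re.fullmatch(r"(\d+)([kmg]?)", spec, re.IGNORECASE)
    if m is None:
        raise ValueError(f"bad byte limit {spec!r}")
    return int(m.group(1)) * _BYTE_SUFFIX[m.group(2).lower()]


def parse_rekey_limit(spec: str) -> Tuple[Optional[int], Optional[int]]:
    """(byte limit or None for the cipher default, seconds or None for no time limit)."""
    fields = spec.split()
    if not 1 <= len(fields) <= 2:
        raise ValueError(f"RekeyLimit takes one or two values, got {spec!r}")
    data = None if fields[0] == "default" else parse_byte_limit(fields[0])
    seconds = None
    if len(fields) == 2 and fields[1] != "none":
        seconds = parse_time(fields[1])
        if seconds <= 0:
            raise ValueError("time-based rekey interval must be positive")
    return data, seconds


if __name__ == "__main__":
    for example in ("600", "10m", "1h30m"):
        print(f"{example:>6} = {parse_time(example)} seconds")
    print(parse_rekey_limit("1G 1h"))
```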
1.23      christos 1771: .Sh TOKENS
                   1772: Arguments to some keywords can make use of tokens,
                   1773: which are expanded at runtime:
                   1774: .Pp
                   1775: .Bl -tag -width XXXX -offset indent -compact
                   1776: .It %%
                   1777: A literal
                   1778: .Sq % .
1.25.2.1  pgoyette 1779: .It \&%D
                   1780: The routing domain in which the incoming connection was received.
1.23      christos 1781: .It %F
                   1782: The fingerprint of the CA key.
                   1783: .It %f
                   1784: The fingerprint of the key or certificate.
                   1785: .It %h
                   1786: The home directory of the user.
                   1787: .It %i
                   1788: The key ID in the certificate.
                   1789: .It %K
                   1790: The base64-encoded CA key.
                   1791: .It %k
                   1792: The base64-encoded key or certificate for authentication.
                   1793: .It %s
                   1794: The serial number of the certificate.
                   1795: .It \&%T
                   1796: The type of the CA key.
                   1797: .It %t
                   1798: The key or certificate type.
1.25.2.2! pgoyette 1799: .It \&%U
        !          1800: The numeric user ID of the target user.
1.23      christos 1801: .It %u
                   1802: The username.
                   1803: .El
                   1804: .Pp
                   1805: .Cm AuthorizedKeysCommand
1.25.2.2! pgoyette 1806: accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
1.23      christos 1807: .Pp
                   1808: .Cm AuthorizedKeysFile
1.25.2.2! pgoyette 1809: accepts the tokens %%, %h, %U, and %u.
1.23      christos 1810: .Pp
                   1811: .Cm AuthorizedPrincipalsCommand
1.25.2.2! pgoyette 1812: accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u.
1.23      christos 1813: .Pp
                   1814: .Cm AuthorizedPrincipalsFile
1.25.2.2! pgoyette 1815: accepts the tokens %%, %h, %U, and %u.
1.23      christos 1816: .Pp
                   1817: .Cm ChrootDirectory
1.25.2.2! pgoyette 1818: accepts the tokens %%, %h, %U, and %u.
1.25.2.1  pgoyette 1819: .Pp
                   1820: .Cm RoutingDomain
                   1821: accepts the token %D.
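The per-keyword lists above matter operationally: a token that a keyword does not accept is a configuration error, and a path built from %h or %u for ChrootDirectory or AuthorizedKeysFile is computed per user at runtime. The following checker and expander is an added example, not OpenSSH code; it encodes the token lists exactly as given in this section and uses a constructed expansion context for a hypothetical user "alice" (home directory, uid, key type, fingerprint and key are placeholder values).

```python
from typing import Dict, List

# Which tokens each keyword accepts, exactly as listed in the TOKENS section.
ALLOWED_TOKENS: Dict[str, frozenset] = {
    "AuthorizedKeysCommand":       frozenset("%fhktUu"),
    "AuthorizedKeysFile":          frozenset("%hUu"),
    "AuthorizedPrincipalsCommand": frozenset("%FfhiKkstTUu"),
    "AuthorizedPrincipalsFile":    frozenset("%hUu"),
    "ChrootDirectory":             frozenset("%hUu"),
    "RoutingDomain":               frozenset("%D"),
}
# sshd(8) matches keywords case-insensitively; mirror that for lookups.
_BY_LOWER = {k.lower(): v for k, v in ALLOWED_TOKENS.items()}


def find_tokens(template: str) -> List[str]:
    """Return the token letters used in template, in order ('%%' yields '%')."""
    tokens = []
    i = 0
    while i < len(template):
        if template[i] == "%":
            if i + 1 >= len(template):
                raise ValueError(f"dangling '%' at end of {template!r}")
            tokens.append(template[i + 1])
            i += 2
        else:
            i += 1
    return tokens


def disallowed_tokens(keyword: str, template: str) -> List[str]:
    """Tokens used in template that the man page does not list for keyword."""
    try:
        allowed = _BY_LOWER[keyword.lower()]
    except KeyError:
        raise ValueError(f"{keyword} does not take tokens") from None
    return sorted({t for t in find_tokens(template) if t not in allowed})


def expand(keyword: str, template: str, ctx: Dict[str, str]) -> str:
    """Expand template for keyword; ctx maps a token letter to its value."""
    bad = disallowed_tokens(keyword, template)
    if bad:
        raise ValueError(f"{keyword} does not accept %" + ", %".join(bad))
    out = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        t = template[i + 1]  # find_tokens() already rejected a dangling '%'
        if t == "%":
            out.append("%")
        elif t in ctx:
            out.append(ctx[t])
        else:
            raise KeyError(f"no value for token %{t} in expansion context")
        i += 2
    return "".join(out)


# Constructed sample context for a hypothetical user "alice" (placeholders,
# not real key material).
SAMPLE_CTX = {
    "h": "/home/alice",
    "u": "alice",
    "U": "1000",
    "t": "ssh-ed25519",
    "f": "SHA256:EXAMPLE-FINGERPRINT-PLACEHOLDER",
    "k": "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE-KEY-PLACEHOLDER",
    "D": "0",
}

if __name__ == "__main__":
    print(expand("AuthorizedKeysFile", "%h/.ssh/authorized_keys", SAMPLE_CTX))
    print(expand("ChrootDirectory", "/srv/chroot/%u", SAMPLE_CTX))
    print(expand("AuthorizedKeysCommand", "/usr/local/bin/keys %u %t %k", SAMPLE_CTX))
    # %f is not in the AuthorizedKeysFile list, so a linter should flag it.
    print(disallowed_tokens("AuthorizedKeysFile", "%h/%f"))
```

disallowed_tokens() needs no runtime context, so it can run over a candidate sshd_config in a pre-deployment check; expand() shows what sshd(8) will substitute for a given user once the connection is being authenticated.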
1.1       christos 1822: .Sh FILES
                   1823: .Bl -tag -width Ds
                   1824: .It Pa /etc/ssh/sshd_config
                   1825: Contains configuration data for
                   1826: .Xr sshd 8 .
                   1827: This file should be writable by root only, but it is recommended
                   1828: (though not necessary) that it be world-readable.
                   1829: .El
                   1830: .Sh SEE ALSO
1.23      christos 1831: .Xr sftp-server 8 ,
1.1       christos 1832: .Xr sshd 8
                   1833: .Sh AUTHORS
1.23      christos 1834: .An -nosplit
1.1       christos 1835: OpenSSH is a derivative of the original and free
1.23      christos 1836: ssh 1.2.12 release by
                   1837: .An Tatu Ylonen .
                   1838: .An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,
                   1839: .An Theo de Raadt
                   1840: and
                   1841: .An Dug Song
1.1       christos 1842: removed many bugs, re-added newer features and
                   1843: created OpenSSH.
1.23      christos 1844: .An Markus Friedl
                   1845: contributed the support for SSH protocol versions 1.5 and 2.0.
                   1846: .An Niels Provos
                   1847: and
                   1848: .An Markus Friedl
                   1849: contributed support for privilege separation.
