Put ssh back into the repository
Change-Id: I23324372188fa6ed3f93a32b84365f5df6367590
diff --git a/sshd_config.0 b/sshd_config.0
new file mode 100644
index 0000000..e19ca87
--- /dev/null
+++ b/sshd_config.0
@@ -0,0 +1,718 @@
+SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
+
+NAME
+ sshd_config - OpenSSH SSH daemon configuration file
+
+SYNOPSIS
+ /etc/ssh/sshd_config
+
+DESCRIPTION
+ sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
+ specified with -f on the command line). The file contains keyword-
+ argument pairs, one per line. Lines starting with `#' and empty lines
+ are interpreted as comments. Arguments may optionally be enclosed in
+ double quotes (") in order to represent arguments containing spaces.
+
+ The possible keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):
+
+ AcceptEnv
+ Specifies what environment variables sent by the client will be
+ copied into the session's environ(7). See SendEnv in
+ ssh_config(5) for how to configure the client. Note that
+ environment passing is only supported for protocol 2. Variables
+ are specified by name, which may contain the wildcard characters
+ `*' and `?'. Multiple environment variables may be separated by
+ whitespace or spread across multiple AcceptEnv directives. Be
+ warned that some environment variables could be used to bypass
+ restricted user environments. For this reason, care should be
+ taken in the use of this directive. The default is not to accept
+ any environment variables.
+
+ AddressFamily
+ Specifies which address family should be used by sshd(8). Valid
+ arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
+ (use IPv6 only). The default is ``any''.
+
+ AllowAgentForwarding
+ Specifies whether ssh-agent(1) forwarding is permitted. The
+ default is ``yes''. Note that disabling agent forwarding does
+ not improve security unless users are also denied shell access,
+ as they can always install their own forwarders.
+
+ AllowGroups
+ This keyword can be followed by a list of group name patterns,
+ separated by spaces. If specified, login is allowed only for
+ users whose primary group or supplementary group list matches one
+ of the patterns. Only group names are valid; a numerical group
+ ID is not recognized. By default, login is allowed for all
+ groups. The allow/deny directives are processed in the following
+ order: DenyUsers, AllowUsers, DenyGroups, and finally
+ AllowGroups.
+
+ See PATTERNS in ssh_config(5) for more information on patterns.
+
+ AllowTcpForwarding
+ Specifies whether TCP forwarding is permitted. The default is
+ ``yes''. Note that disabling TCP forwarding does not improve
+ security unless users are also denied shell access, as they can
+ always install their own forwarders.
+
+ AllowUsers
+ This keyword can be followed by a list of user name patterns,
+ separated by spaces. If specified, login is allowed only for
+ user names that match one of the patterns. Only user names are
+ valid; a numerical user ID is not recognized. By default, login
+ is allowed for all users. If the pattern takes the form
+ USER@HOST then USER and HOST are separately checked, restricting
+ logins to particular users from particular hosts. The allow/deny
+ directives are processed in the following order: DenyUsers,
+ AllowUsers, DenyGroups, and finally AllowGroups.
+
+ See PATTERNS in ssh_config(5) for more information on patterns.
+
+ AuthorizedKeysFile
+ Specifies the file that contains the public keys that can be used
+ for user authentication. The format is described in the
+ AUTHORIZED_KEYS FILE FORMAT section of sshd(8).
+ AuthorizedKeysFile may contain tokens of the form %T which are
+ substituted during connection setup. The following tokens are
+ defined: %% is replaced by a literal '%', %h is replaced by the
+ home directory of the user being authenticated, and %u is
+ replaced by the username of that user. After expansion,
+ AuthorizedKeysFile is taken to be an absolute path or one
+ relative to the user's home directory. Multiple files may be
+ listed, separated by whitespace. The default is
+ ``.ssh/authorized_keys .ssh/authorized_keys2''.
+
+ AuthorizedPrincipalsFile
+ Specifies a file that lists principal names that are accepted for
+ certificate authentication. When using certificates signed by a
+ key listed in TrustedUserCAKeys, this file lists names, one of
+ which must appear in the certificate for it to be accepted for
+ authentication. Names are listed one per line preceded by key
+ options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)).
+ Empty lines and comments starting with `#' are ignored.
+
+ AuthorizedPrincipalsFile may contain tokens of the form %T which
+ are substituted during connection setup. The following tokens
+ are defined: %% is replaced by a literal '%', %h is replaced by
+ the home directory of the user being authenticated, and %u is
+ replaced by the username of that user. After expansion,
+ AuthorizedPrincipalsFile is taken to be an absolute path or one
+ relative to the user's home directory.
+
+ The default is not to use a principals file - in this case, the
+ username of the user must appear in a certificate's principals
+ list for it to be accepted. Note that AuthorizedPrincipalsFile
+ is only used when authentication proceeds using a CA listed in
+ TrustedUserCAKeys and is not consulted for certification
+ authorities trusted via ~/.ssh/authorized_keys, though the
+ principals= key option offers a similar facility (see sshd(8) for
+ details).
+
+ Banner The contents of the specified file are sent to the remote user
+ before authentication is allowed. If the argument is ``none''
+ then no banner is displayed. This option is only available for
+ protocol version 2. By default, no banner is displayed.
+
+ ChallengeResponseAuthentication
+ Specifies whether challenge-response authentication is allowed
+ (e.g. via PAM or though authentication styles supported in
+ login.conf(5)) The default is ``yes''.
+
+ ChrootDirectory
+ Specifies the pathname of a directory to chroot(2) to after
+ authentication. All components of the pathname must be root-
+ owned directories that are not writable by any other user or
+ group. After the chroot, sshd(8) changes the working directory
+ to the user's home directory.
+
+ The pathname may contain the following tokens that are expanded
+ at runtime once the connecting user has been authenticated: %% is
+ replaced by a literal '%', %h is replaced by the home directory
+ of the user being authenticated, and %u is replaced by the
+ username of that user.
+
+ The ChrootDirectory must contain the necessary files and
+ directories to support the user's session. For an interactive
+ session this requires at least a shell, typically sh(1), and
+ basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
+ stderr(4), arandom(4) and tty(4) devices. For file transfer
+ sessions using ``sftp'', no additional configuration of the
+ environment is necessary if the in-process sftp server is used,
+ though sessions which use logging do require /dev/log inside the
+ chroot directory (see sftp-server(8) for details).
+
+ The default is not to chroot(2).
+
+ Ciphers
+ Specifies the ciphers allowed for protocol version 2. Multiple
+ ciphers must be comma-separated. The supported ciphers are
+ ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
+ ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
+ ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
+ ``cast128-cbc''. The default is:
+
+ aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+ aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
+ aes256-cbc,arcfour
+
+ ClientAliveCountMax
+ Sets the number of client alive messages (see below) which may be
+ sent without sshd(8) receiving any messages back from the client.
+ If this threshold is reached while client alive messages are
+ being sent, sshd will disconnect the client, terminating the
+ session. It is important to note that the use of client alive
+ messages is very different from TCPKeepAlive (below). The client
+ alive messages are sent through the encrypted channel and
+ therefore will not be spoofable. The TCP keepalive option
+ enabled by TCPKeepAlive is spoofable. The client alive mechanism
+ is valuable when the client or server depend on knowing when a
+ connection has become inactive.
+
+ The default value is 3. If ClientAliveInterval (see below) is
+ set to 15, and ClientAliveCountMax is left at the default,
+ unresponsive SSH clients will be disconnected after approximately
+ 45 seconds. This option applies to protocol version 2 only.
+
+ ClientAliveInterval
+ Sets a timeout interval in seconds after which if no data has
+ been received from the client, sshd(8) will send a message
+ through the encrypted channel to request a response from the
+ client. The default is 0, indicating that these messages will
+ not be sent to the client. This option applies to protocol
+ version 2 only.
+
+ Compression
+ Specifies whether compression is allowed, or delayed until the
+ user has authenticated successfully. The argument must be
+ ``yes'', ``delayed'', or ``no''. The default is ``delayed''.
+
+ DenyGroups
+ This keyword can be followed by a list of group name patterns,
+ separated by spaces. Login is disallowed for users whose primary
+ group or supplementary group list matches one of the patterns.
+ Only group names are valid; a numerical group ID is not
+ recognized. By default, login is allowed for all groups. The
+ allow/deny directives are processed in the following order:
+ DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
+
+ See PATTERNS in ssh_config(5) for more information on patterns.
+
+ DenyUsers
+ This keyword can be followed by a list of user name patterns,
+ separated by spaces. Login is disallowed for user names that
+ match one of the patterns. Only user names are valid; a
+ numerical user ID is not recognized. By default, login is
+ allowed for all users. If the pattern takes the form USER@HOST
+ then USER and HOST are separately checked, restricting logins to
+ particular users from particular hosts. The allow/deny
+ directives are processed in the following order: DenyUsers,
+ AllowUsers, DenyGroups, and finally AllowGroups.
+
+ See PATTERNS in ssh_config(5) for more information on patterns.
+
+ ForceCommand
+ Forces the execution of the command specified by ForceCommand,
+ ignoring any command supplied by the client and ~/.ssh/rc if
+ present. The command is invoked by using the user's login shell
+ with the -c option. This applies to shell, command, or subsystem
+ execution. It is most useful inside a Match block. The command
+ originally supplied by the client is available in the
+ SSH_ORIGINAL_COMMAND environment variable. Specifying a command
+ of ``internal-sftp'' will force the use of an in-process sftp
+ server that requires no support files when used with
+ ChrootDirectory.
+
+ GatewayPorts
+ Specifies whether remote hosts are allowed to connect to ports
+ forwarded for the client. By default, sshd(8) binds remote port
+ forwardings to the loopback address. This prevents other remote
+ hosts from connecting to forwarded ports. GatewayPorts can be
+ used to specify that sshd should allow remote port forwardings to
+ bind to non-loopback addresses, thus allowing other hosts to
+ connect. The argument may be ``no'' to force remote port
+ forwardings to be available to the local host only, ``yes'' to
+ force remote port forwardings to bind to the wildcard address, or
+ ``clientspecified'' to allow the client to select the address to
+ which the forwarding is bound. The default is ``no''.
+
+ GSSAPIAuthentication
+ Specifies whether user authentication based on GSSAPI is allowed.
+ The default is ``no''. Note that this option applies to protocol
+ version 2 only.
+
+ GSSAPICleanupCredentials
+ Specifies whether to automatically destroy the user's credentials
+ cache on logout. The default is ``yes''. Note that this option
+ applies to protocol version 2 only.
+
+ HostbasedAuthentication
+ Specifies whether rhosts or /etc/hosts.equiv authentication
+ together with successful public key client host authentication is
+ allowed (host-based authentication). This option is similar to
+ RhostsRSAAuthentication and applies to protocol version 2 only.
+ The default is ``no''.
+
+ HostbasedUsesNameFromPacketOnly
+ Specifies whether or not the server will attempt to perform a
+ reverse name lookup when matching the name in the ~/.shosts,
+ ~/.rhosts, and /etc/hosts.equiv files during
+ HostbasedAuthentication. A setting of ``yes'' means that sshd(8)
+ uses the name supplied by the client rather than attempting to
+ resolve the name from the TCP connection itself. The default is
+ ``no''.
+
+ HostCertificate
+ Specifies a file containing a public host certificate. The
+ certificate's public key must match a private host key already
+ specified by HostKey. The default behaviour of sshd(8) is not to
+ load any certificates.
+
+ HostKey
+ Specifies a file containing a private host key used by SSH. The
+ default is /etc/ssh/ssh_host_key for protocol version 1, and
+ /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key and
+ /etc/ssh/ssh_host_rsa_key for protocol version 2. Note that
+ sshd(8) will refuse to use a file if it is group/world-
+ accessible. It is possible to have multiple host key files.
+ ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or
+ ``rsa'' are used for version 2 of the SSH protocol.
+
+ IgnoreRhosts
+ Specifies that .rhosts and .shosts files will not be used in
+ RhostsRSAAuthentication or HostbasedAuthentication.
+
+ /etc/hosts.equiv and /etc/shosts.equiv are still used. The
+ default is ``yes''.
+
+ IgnoreUserKnownHosts
+ Specifies whether sshd(8) should ignore the user's
+ ~/.ssh/known_hosts during RhostsRSAAuthentication or
+ HostbasedAuthentication. The default is ``no''.
+
+ IPQoS Specifies the IPv4 type-of-service or DSCP class for the
+ connection. Accepted values are ``af11'', ``af12'', ``af13'',
+ ``af14'', ``af22'', ``af23'', ``af31'', ``af32'', ``af33'',
+ ``af41'', ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'',
+ ``cs4'', ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'',
+ ``throughput'', ``reliability'', or a numeric value. This option
+ may take one or two arguments, separated by whitespace. If one
+ argument is specified, it is used as the packet class
+ unconditionally. If two values are specified, the first is
+ automatically selected for interactive sessions and the second
+ for non-interactive sessions. The default is ``lowdelay'' for
+ interactive sessions and ``throughput'' for non-interactive
+ sessions.
+
+ KerberosAuthentication
+ Specifies whether the password provided by the user for
+ PasswordAuthentication will be validated through the Kerberos
+ KDC. To use this option, the server needs a Kerberos servtab
+ which allows the verification of the KDC's identity. The default
+ is ``no''.
+
+ KerberosGetAFSToken
+ If AFS is active and the user has a Kerberos 5 TGT, attempt to
+ acquire an AFS token before accessing the user's home directory.
+ The default is ``no''.
+
+ KerberosOrLocalPasswd
+ If password authentication through Kerberos fails then the
+ password will be validated via any additional local mechanism
+ such as /etc/passwd. The default is ``yes''.
+
+ KerberosTicketCleanup
+ Specifies whether to automatically destroy the user's ticket
+ cache file on logout. The default is ``yes''.
+
+ KexAlgorithms
+ Specifies the available KEX (Key Exchange) algorithms. Multiple
+ algorithms must be comma-separated. The default is
+ ``ecdh-sha2-nistp256'', ``ecdh-sha2-nistp384'',
+ ``ecdh-sha2-nistp521'', ``diffie-hellman-group-exchange-sha256'',
+ ``diffie-hellman-group-exchange-sha1'',
+ ``diffie-hellman-group14-sha1'', ``diffie-hellman-group1-sha1''.
+
+ KeyRegenerationInterval
+ In protocol version 1, the ephemeral server key is automatically
+ regenerated after this many seconds (if it has been used). The
+ purpose of regeneration is to prevent decrypting captured
+ sessions by later breaking into the machine and stealing the
+ keys. The key is never stored anywhere. If the value is 0, the
+ key is never regenerated. The default is 3600 (seconds).
+
+ ListenAddress
+ Specifies the local addresses sshd(8) should listen on. The
+ following forms may be used:
+
+ ListenAddress host|IPv4_addr|IPv6_addr
+ ListenAddress host|IPv4_addr:port
+ ListenAddress [host|IPv6_addr]:port
+
+ If port is not specified, sshd will listen on the address and all
+ prior Port options specified. The default is to listen on all
+ local addresses. Multiple ListenAddress options are permitted.
+ Additionally, any Port options must precede this option for non-
+ port qualified addresses.
+
+ LoginGraceTime
+ The server disconnects after this time if the user has not
+ successfully logged in. If the value is 0, there is no time
+ limit. The default is 120 seconds.
+
+ LogLevel
+ Gives the verbosity level that is used when logging messages from
+ sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO,
+ VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
+ DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
+ higher levels of debugging output. Logging with a DEBUG level
+ violates the privacy of users and is not recommended.
+
+ MACs Specifies the available MAC (message authentication code)
+ algorithms. The MAC algorithm is used in protocol version 2 for
+ data integrity protection. Multiple algorithms must be comma-
+ separated. The default is:
+
+ hmac-md5,hmac-sha1,umac-64@openssh.com,
+ hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+ hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+ hmac-sha2-512-96
+
+ Match Introduces a conditional block. If all of the criteria on the
+ Match line are satisfied, the keywords on the following lines
+ override those set in the global section of the config file,
+ until either another Match line or the end of the file.
+
+ The arguments to Match are one or more criteria-pattern pairs.
+ The available criteria are User, Group, Host, and Address. The
+ match patterns may consist of single entries or comma-separated
+ lists and may use the wildcard and negation operators described
+ in the PATTERNS section of ssh_config(5).
+
+ The patterns in an Address criteria may additionally contain
+ addresses to match in CIDR address/masklen format, e.g.
+ ``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask
+ length provided must be consistent with the address - it is an
+ error to specify a mask length that is too long for the address
+ or one with bits set in this host portion of the address. For
+ example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively.
+
+ Only a subset of keywords may be used on the lines following a
+ Match keyword. Available keywords are AllowAgentForwarding,
+ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
+ Banner, ChrootDirectory, ForceCommand, GatewayPorts,
+ GSSAPIAuthentication, HostbasedAuthentication,
+ HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
+ KerberosAuthentication, MaxAuthTries, MaxSessions,
+ PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
+ PermitRootLogin, PermitTunnel, PubkeyAuthentication,
+ RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
+ X11Forwarding and X11UseLocalHost.
+
+ MaxAuthTries
+ Specifies the maximum number of authentication attempts permitted
+ per connection. Once the number of failures reaches half this
+ value, additional failures are logged. The default is 6.
+
+ MaxSessions
+ Specifies the maximum number of open sessions permitted per
+ network connection. The default is 10.
+
+ MaxStartups
+ Specifies the maximum number of concurrent unauthenticated
+ connections to the SSH daemon. Additional connections will be
+ dropped until authentication succeeds or the LoginGraceTime
+ expires for a connection. The default is 10.
+
+ Alternatively, random early drop can be enabled by specifying the
+ three colon separated values ``start:rate:full'' (e.g.
+ "10:30:60"). sshd(8) will refuse connection attempts with a
+ probability of ``rate/100'' (30%) if there are currently
+ ``start'' (10) unauthenticated connections. The probability
+ increases linearly and all connection attempts are refused if the
+ number of unauthenticated connections reaches ``full'' (60).
+
+ PasswordAuthentication
+ Specifies whether password authentication is allowed. The
+ default is ``yes''.
+
+ PermitEmptyPasswords
+ When password authentication is allowed, it specifies whether the
+ server allows login to accounts with empty password strings. The
+ default is ``no''.
+
+ PermitOpen
+ Specifies the destinations to which TCP port forwarding is
+ permitted. The forwarding specification must be one of the
+ following forms:
+
+ PermitOpen host:port
+ PermitOpen IPv4_addr:port
+ PermitOpen [IPv6_addr]:port
+
+ Multiple forwards may be specified by separating them with
+ whitespace. An argument of ``any'' can be used to remove all
+ restrictions and permit any forwarding requests. By default all
+ port forwarding requests are permitted.
+
+ PermitRootLogin
+ Specifies whether root can log in using ssh(1). The argument
+ must be ``yes'', ``without-password'', ``forced-commands-only'',
+ or ``no''. The default is ``yes''.
+
+ If this option is set to ``without-password'', password
+ authentication is disabled for root.
+
+ If this option is set to ``forced-commands-only'', root login
+ with public key authentication will be allowed, but only if the
+ command option has been specified (which may be useful for taking
+ remote backups even if root login is normally not allowed). All
+ other authentication methods are disabled for root.
+
+ If this option is set to ``no'', root is not allowed to log in.
+
+ PermitTunnel
+ Specifies whether tun(4) device forwarding is allowed. The
+ argument must be ``yes'', ``point-to-point'' (layer 3),
+ ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' permits
+ both ``point-to-point'' and ``ethernet''. The default is ``no''.
+
+ PermitUserEnvironment
+ Specifies whether ~/.ssh/environment and environment= options in
+ ~/.ssh/authorized_keys are processed by sshd(8). The default is
+ ``no''. Enabling environment processing may enable users to
+ bypass access restrictions in some configurations using
+ mechanisms such as LD_PRELOAD.
+
+ PidFile
+ Specifies the file that contains the process ID of the SSH
+ daemon. The default is /var/run/sshd.pid.
+
+ Port Specifies the port number that sshd(8) listens on. The default
+ is 22. Multiple options of this type are permitted. See also
+ ListenAddress.
+
+ PrintLastLog
+ Specifies whether sshd(8) should print the date and time of the
+ last user login when a user logs in interactively. The default
+ is ``yes''.
+
+ PrintMotd
+ Specifies whether sshd(8) should print /etc/motd when a user logs
+ in interactively. (On some systems it is also printed by the
+ shell, /etc/profile, or equivalent.) The default is ``yes''.
+
+ Protocol
+ Specifies the protocol versions sshd(8) supports. The possible
+ values are `1' and `2'. Multiple versions must be comma-
+ separated. The default is `2'. Note that the order of the
+ protocol list does not indicate preference, because the client
+ selects among multiple protocol versions offered by the server.
+ Specifying ``2,1'' is identical to ``1,2''.
+
+ PubkeyAuthentication
+ Specifies whether public key authentication is allowed. The
+ default is ``yes''. Note that this option applies to protocol
+ version 2 only.
+
+ RevokedKeys
+ Specifies a list of revoked public keys. Keys listed in this
+ file will be refused for public key authentication. Note that if
+ this file is not readable, then public key authentication will be
+ refused for all users.
+
+ RhostsRSAAuthentication
+ Specifies whether rhosts or /etc/hosts.equiv authentication
+ together with successful RSA host authentication is allowed. The
+ default is ``no''. This option applies to protocol version 1
+ only.
+
+ RSAAuthentication
+ Specifies whether pure RSA authentication is allowed. The
+ default is ``yes''. This option applies to protocol version 1
+ only.
+
+ ServerKeyBits
+ Defines the number of bits in the ephemeral protocol version 1
+ server key. The minimum value is 512, and the default is 1024.
+
+ StrictModes
+ Specifies whether sshd(8) should check file modes and ownership
+ of the user's files and home directory before accepting login.
+ This is normally desirable because novices sometimes accidentally
+ leave their directory or files world-writable. The default is
+ ``yes''. Note that this does not apply to ChrootDirectory, whose
+ permissions and ownership are checked unconditionally.
+
+ Subsystem
+ Configures an external subsystem (e.g. file transfer daemon).
+ Arguments should be a subsystem name and a command (with optional
+ arguments) to execute upon subsystem request.
+
+ The command sftp-server(8) implements the ``sftp'' file transfer
+ subsystem.
+
+ Alternately the name ``internal-sftp'' implements an in-process
+ ``sftp'' server. This may simplify configurations using
+ ChrootDirectory to force a different filesystem root on clients.
+
+ By default no subsystems are defined. Note that this option
+ applies to protocol version 2 only.
+
+ SyslogFacility
+ Gives the facility code that is used when logging messages from
+ sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
+ LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
+ default is AUTH.
+
+ TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages
+ to the other side. If they are sent, death of the connection or
+ crash of one of the machines will be properly noticed. However,
+ this means that connections will die if the route is down
+ temporarily, and some people find it annoying. On the other
+ hand, if TCP keepalives are not sent, sessions may hang
+ indefinitely on the server, leaving ``ghost'' users and consuming
+ server resources.
+
+ The default is ``yes'' (to send TCP keepalive messages), and the
+ server will notice if the network goes down or the client host
+ crashes. This avoids infinitely hanging sessions.
+
+ To disable TCP keepalive messages, the value should be set to
+ ``no''.
+
+ TrustedUserCAKeys
+ Specifies a file containing public keys of certificate
+ authorities that are trusted to sign user certificates for
+ authentication. Keys are listed one per line; empty lines and
+ comments starting with `#' are allowed. If a certificate is
+ presented for authentication and has its signing CA key listed in
+ this file, then it may be used for authentication for any user
+ listed in the certificate's principals list. Note that
+ certificates that lack a list of principals will not be permitted
+ for authentication using TrustedUserCAKeys. For more details on
+ certificates, see the CERTIFICATES section in ssh-keygen(1).
+
+ UseDNS Specifies whether sshd(8) should look up the remote host name and
+ check that the resolved host name for the remote IP address maps
+ back to the very same IP address. The default is ``yes''.
+
+ UseLogin
+ Specifies whether login(1) is used for interactive login
+ sessions. The default is ``no''. Note that login(1) is never
+ used for remote command execution. Note also, that if this is
+ enabled, X11Forwarding will be disabled because login(1) does not
+ know how to handle xauth(1) cookies. If UsePrivilegeSeparation
+ is specified, it will be disabled after authentication.
+
+ UsePAM Enables the Pluggable Authentication Module interface. If set to
+ ``yes'' this will enable PAM authentication using
+ ChallengeResponseAuthentication and PasswordAuthentication in
+ addition to PAM account and session module processing for all
+ authentication types.
+
+ Because PAM challenge-response authentication usually serves an
+ equivalent role to password authentication, you should disable
+ either PasswordAuthentication or ChallengeResponseAuthentication.
+
+ If UsePAM is enabled, you will not be able to run sshd(8) as a
+ non-root user. The default is ``no''.
+
+ UsePrivilegeSeparation
+ Specifies whether sshd(8) separates privileges by creating an
+ unprivileged child process to deal with incoming network traffic.
+ After successful authentication, another process will be created
+ that has the privilege of the authenticated user. The goal of
+ privilege separation is to prevent privilege escalation by
+ containing any corruption within the unprivileged processes. The
+ default is ``yes''. If UsePrivilegeSeparation is set to
+ ``sandbox'' then the pre-authentication unprivileged process is
+ subject to additional restrictions.
+
+ X11DisplayOffset
+ Specifies the first display number available for sshd(8)'s X11
+ forwarding. This prevents sshd from interfering with real X11
+ servers. The default is 10.
+
+ X11Forwarding
+ Specifies whether X11 forwarding is permitted. The argument must
+ be ``yes'' or ``no''. The default is ``no''.
+
+ When X11 forwarding is enabled, there may be additional exposure
+ to the server and to client displays if the sshd(8) proxy display
+ is configured to listen on the wildcard address (see
+ X11UseLocalhost below), though this is not the default.
+ Additionally, the authentication spoofing and authentication data
+ verification and substitution occur on the client side. The
+ security risk of using X11 forwarding is that the client's X11
+ display server may be exposed to attack when the SSH client
+ requests forwarding (see the warnings for ForwardX11 in
+ ssh_config(5)). A system administrator may have a stance in
+ which they want to protect clients that may expose themselves to
+ attack by unwittingly requesting X11 forwarding, which can
+ warrant a ``no'' setting.
+
+ Note that disabling X11 forwarding does not prevent users from
+ forwarding X11 traffic, as users can always install their own
+ forwarders. X11 forwarding is automatically disabled if UseLogin
+ is enabled.
+
+ X11UseLocalhost
+ Specifies whether sshd(8) should bind the X11 forwarding server
+ to the loopback address or to the wildcard address. By default,
+ sshd binds the forwarding server to the loopback address and sets
+ the hostname part of the DISPLAY environment variable to
+ ``localhost''. This prevents remote hosts from connecting to the
+ proxy display. However, some older X11 clients may not function
+ with this configuration. X11UseLocalhost may be set to ``no'' to
+ specify that the forwarding server should be bound to the
+ wildcard address. The argument must be ``yes'' or ``no''. The
+ default is ``yes''.
+
+ XAuthLocation
+ Specifies the full pathname of the xauth(1) program. The default
+ is /usr/X11R6/bin/xauth.
+
+TIME FORMATS
+ sshd(8) command-line arguments and configuration file options that
+ specify time may be expressed using a sequence of the form:
+ time[qualifier], where time is a positive integer value and qualifier is
+ one of the following:
+
+ <none> seconds
+ s | S seconds
+ m | M minutes
+ h | H hours
+ d | D days
+ w | W weeks
+
+ Each member of the sequence is added together to calculate the total time
+ value.
+
+ Time format examples:
+
+ 600 600 seconds (10 minutes)
+ 10m 10 minutes
+ 1h30m 1 hour 30 minutes (90 minutes)
+
+FILES
+ /etc/ssh/sshd_config
+ Contains configuration data for sshd(8). This file should be
+ writable by root only, but it is recommended (though not
+ necessary) that it be world-readable.
+
+SEE ALSO
+ sshd(8)
+
+AUTHORS
+ OpenSSH is a derivative of the original and free ssh 1.2.12 release by
+ Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
+ de Raadt and Dug Song removed many bugs, re-added newer features and
+ created OpenSSH. Markus Friedl contributed the support for SSH protocol
+ versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
+ for privilege separation.
+
+OpenBSD 5.0 August 2, 2011 OpenBSD 5.0