Blame - sshd_config.0 - fp2-dev/platform/external/openssh

Greg Hartman

bd77cf7

2015-02-25 13:21:06 -0800

[diff] [blame^]

1

SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)

2

3

NAME

4

sshd_config - OpenSSH SSH daemon configuration file

SYNOPSIS

/etc/ssh/sshd_config

DESCRIPTION

sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file

11

specified with -f on the command line). The file contains keyword-

12

argument pairs, one per line. Lines starting with `#' and empty lines

13

are interpreted as comments. Arguments may optionally be enclosed in

14

double quotes (") in order to represent arguments containing spaces.

15

16

The possible keywords and their meanings are as follows (note that

17

keywords are case-insensitive and arguments are case-sensitive):

18

19

AcceptEnv

20

Specifies what environment variables sent by the client will be

21

copied into the session's environ(7). See SendEnv in

22

ssh_config(5) for how to configure the client. Note that

23

environment passing is only supported for protocol 2. Variables

24

are specified by name, which may contain the wildcard characters

25

`*' and `?'. Multiple environment variables may be separated by

26

whitespace or spread across multiple AcceptEnv directives. Be

27

warned that some environment variables could be used to bypass

28

restricted user environments. For this reason, care should be

29

taken in the use of this directive. The default is not to accept

30

any environment variables.

31

32

AddressFamily

33

Specifies which address family should be used by sshd(8). Valid

34

arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''

35

(use IPv6 only). The default is ``any''.

36

37

AllowAgentForwarding

38

Specifies whether ssh-agent(1) forwarding is permitted. The

39

default is ``yes''. Note that disabling agent forwarding does

40

not improve security unless users are also denied shell access,

41

as they can always install their own forwarders.

42

43

AllowGroups

44

This keyword can be followed by a list of group name patterns,

45

separated by spaces. If specified, login is allowed only for

46

users whose primary group or supplementary group list matches one

47

of the patterns. Only group names are valid; a numerical group

48

ID is not recognized. By default, login is allowed for all

49

groups. The allow/deny directives are processed in the following

50

order: DenyUsers, AllowUsers, DenyGroups, and finally

51

AllowGroups.

52

53

See PATTERNS in ssh_config(5) for more information on patterns.

54

55

AllowTcpForwarding

56

Specifies whether TCP forwarding is permitted. The default is

57

``yes''. Note that disabling TCP forwarding does not improve

58

security unless users are also denied shell access, as they can

59

always install their own forwarders.

60

61

AllowUsers

62

This keyword can be followed by a list of user name patterns,

63

separated by spaces. If specified, login is allowed only for

64

user names that match one of the patterns. Only user names are

65

valid; a numerical user ID is not recognized. By default, login

66

is allowed for all users. If the pattern takes the form

67

USER@HOST then USER and HOST are separately checked, restricting

68

logins to particular users from particular hosts. The allow/deny

69

directives are processed in the following order: DenyUsers,

70

AllowUsers, DenyGroups, and finally AllowGroups.

71

72

See PATTERNS in ssh_config(5) for more information on patterns.

73

74

AuthorizedKeysFile

75

Specifies the file that contains the public keys that can be used

76

for user authentication. The format is described in the

77

AUTHORIZED_KEYS FILE FORMAT section of sshd(8).

78

AuthorizedKeysFile may contain tokens of the form %T which are

79

substituted during connection setup. The following tokens are

80

defined: %% is replaced by a literal '%', %h is replaced by the

81

home directory of the user being authenticated, and %u is

82

replaced by the username of that user. After expansion,

83

AuthorizedKeysFile is taken to be an absolute path or one

84

relative to the user's home directory. Multiple files may be

85

listed, separated by whitespace. The default is

86

``.ssh/authorized_keys .ssh/authorized_keys2''.

87

88

AuthorizedPrincipalsFile

89

Specifies a file that lists principal names that are accepted for

90

certificate authentication. When using certificates signed by a

91

key listed in TrustedUserCAKeys, this file lists names, one of

92

which must appear in the certificate for it to be accepted for

93

authentication. Names are listed one per line preceded by key

94

options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)).

95

Empty lines and comments starting with `#' are ignored.

96

97

AuthorizedPrincipalsFile may contain tokens of the form %T which

98

are substituted during connection setup. The following tokens

99

are defined: %% is replaced by a literal '%', %h is replaced by

100

the home directory of the user being authenticated, and %u is

101

replaced by the username of that user. After expansion,

102

AuthorizedPrincipalsFile is taken to be an absolute path or one

103

relative to the user's home directory.

104

105

The default is not to use a principals file - in this case, the

106

username of the user must appear in a certificate's principals

107

list for it to be accepted. Note that AuthorizedPrincipalsFile

108

is only used when authentication proceeds using a CA listed in

109

TrustedUserCAKeys and is not consulted for certification

110

authorities trusted via ~/.ssh/authorized_keys, though the

111

principals= key option offers a similar facility (see sshd(8) for

112

details).

113

114

Banner The contents of the specified file are sent to the remote user

115

before authentication is allowed. If the argument is ``none''

116

then no banner is displayed. This option is only available for

117

protocol version 2. By default, no banner is displayed.

118

119

ChallengeResponseAuthentication

120

Specifies whether challenge-response authentication is allowed

121

(e.g. via PAM or though authentication styles supported in

122

login.conf(5)) The default is ``yes''.

123

124

ChrootDirectory

125

Specifies the pathname of a directory to chroot(2) to after

126

authentication. All components of the pathname must be root-

127

owned directories that are not writable by any other user or

128

group. After the chroot, sshd(8) changes the working directory

129

to the user's home directory.

130

131

The pathname may contain the following tokens that are expanded

132

at runtime once the connecting user has been authenticated: %% is

133

replaced by a literal '%', %h is replaced by the home directory

134

of the user being authenticated, and %u is replaced by the

135

username of that user.

136

137

The ChrootDirectory must contain the necessary files and

138

directories to support the user's session. For an interactive

139

session this requires at least a shell, typically sh(1), and

140

basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),

141

stderr(4), arandom(4) and tty(4) devices. For file transfer

142

sessions using ``sftp'', no additional configuration of the

143

environment is necessary if the in-process sftp server is used,

144

though sessions which use logging do require /dev/log inside the

145

chroot directory (see sftp-server(8) for details).

146

147

The default is not to chroot(2).

148

149

Ciphers

150

Specifies the ciphers allowed for protocol version 2. Multiple

151

ciphers must be comma-separated. The supported ciphers are

152

``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',

153

``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',

154

``arcfour256'', ``arcfour'', ``blowfish-cbc'', and

155

``cast128-cbc''. The default is:

156

157

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,

158

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,

aes256-cbc,arcfour

ClientAliveCountMax

Sets the number of client alive messages (see below) which may be

163

sent without sshd(8) receiving any messages back from the client.

164

If this threshold is reached while client alive messages are

165

being sent, sshd will disconnect the client, terminating the

166

session. It is important to note that the use of client alive

167

messages is very different from TCPKeepAlive (below). The client

168

alive messages are sent through the encrypted channel and

169

therefore will not be spoofable. The TCP keepalive option

170

enabled by TCPKeepAlive is spoofable. The client alive mechanism

171

is valuable when the client or server depend on knowing when a

172

connection has become inactive.

173

174

The default value is 3. If ClientAliveInterval (see below) is

175

set to 15, and ClientAliveCountMax is left at the default,

176

unresponsive SSH clients will be disconnected after approximately

177

45 seconds. This option applies to protocol version 2 only.

178

179

ClientAliveInterval

180

Sets a timeout interval in seconds after which if no data has

181

been received from the client, sshd(8) will send a message

182

through the encrypted channel to request a response from the

183

client. The default is 0, indicating that these messages will

184

not be sent to the client. This option applies to protocol

version 2 only.

Compression

Specifies whether compression is allowed, or delayed until the

189

user has authenticated successfully. The argument must be

190

``yes'', ``delayed'', or ``no''. The default is ``delayed''.

191

192

DenyGroups

193

This keyword can be followed by a list of group name patterns,

194

separated by spaces. Login is disallowed for users whose primary

195

group or supplementary group list matches one of the patterns.

196

Only group names are valid; a numerical group ID is not

197

recognized. By default, login is allowed for all groups. The

198

allow/deny directives are processed in the following order:

199

DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

200

201

See PATTERNS in ssh_config(5) for more information on patterns.

202

203

DenyUsers

204

This keyword can be followed by a list of user name patterns,

205

separated by spaces. Login is disallowed for user names that

206

match one of the patterns. Only user names are valid; a

207

numerical user ID is not recognized. By default, login is

208

allowed for all users. If the pattern takes the form USER@HOST

209

then USER and HOST are separately checked, restricting logins to

210

particular users from particular hosts. The allow/deny

211

directives are processed in the following order: DenyUsers,

212

AllowUsers, DenyGroups, and finally AllowGroups.

213

214

See PATTERNS in ssh_config(5) for more information on patterns.

215

216

ForceCommand

217

Forces the execution of the command specified by ForceCommand,

218

ignoring any command supplied by the client and ~/.ssh/rc if

219

present. The command is invoked by using the user's login shell

220

with the -c option. This applies to shell, command, or subsystem

221

execution. It is most useful inside a Match block. The command

222

originally supplied by the client is available in the

223

SSH_ORIGINAL_COMMAND environment variable. Specifying a command

224

of ``internal-sftp'' will force the use of an in-process sftp

225

server that requires no support files when used with

ChrootDirectory.

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports

230

forwarded for the client. By default, sshd(8) binds remote port

231

forwardings to the loopback address. This prevents other remote

232

hosts from connecting to forwarded ports. GatewayPorts can be

233

used to specify that sshd should allow remote port forwardings to

234

bind to non-loopback addresses, thus allowing other hosts to

235

connect. The argument may be ``no'' to force remote port

236

forwardings to be available to the local host only, ``yes'' to

237

force remote port forwardings to bind to the wildcard address, or

238

``clientspecified'' to allow the client to select the address to

239

which the forwarding is bound. The default is ``no''.

240

241

GSSAPIAuthentication

242

Specifies whether user authentication based on GSSAPI is allowed.

243

The default is ``no''. Note that this option applies to protocol

244

version 2 only.

245

246

GSSAPICleanupCredentials

247

Specifies whether to automatically destroy the user's credentials

248

cache on logout. The default is ``yes''. Note that this option

249

applies to protocol version 2 only.

250

251

HostbasedAuthentication

252

Specifies whether rhosts or /etc/hosts.equiv authentication

253

together with successful public key client host authentication is

254

allowed (host-based authentication). This option is similar to

255

RhostsRSAAuthentication and applies to protocol version 2 only.

256

The default is ``no''.

257

258

HostbasedUsesNameFromPacketOnly

259

Specifies whether or not the server will attempt to perform a

260

reverse name lookup when matching the name in the ~/.shosts,

261

~/.rhosts, and /etc/hosts.equiv files during

262

HostbasedAuthentication. A setting of ``yes'' means that sshd(8)

263

uses the name supplied by the client rather than attempting to

264

resolve the name from the TCP connection itself. The default is

``no''.

HostCertificate

Specifies a file containing a public host certificate. The

269

certificate's public key must match a private host key already

270

specified by HostKey. The default behaviour of sshd(8) is not to

271

load any certificates.

272

273

HostKey

274

Specifies a file containing a private host key used by SSH. The

275

default is /etc/ssh/ssh_host_key for protocol version 1, and

276

/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key and

277

/etc/ssh/ssh_host_rsa_key for protocol version 2. Note that

278

sshd(8) will refuse to use a file if it is group/world-

279

accessible. It is possible to have multiple host key files.

280

``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or

281

``rsa'' are used for version 2 of the SSH protocol.

282

283

IgnoreRhosts

284

Specifies that .rhosts and .shosts files will not be used in

285

RhostsRSAAuthentication or HostbasedAuthentication.

286

287

/etc/hosts.equiv and /etc/shosts.equiv are still used. The

default is ``yes''.

IgnoreUserKnownHosts

Specifies whether sshd(8) should ignore the user's

292

~/.ssh/known_hosts during RhostsRSAAuthentication or

293

HostbasedAuthentication. The default is ``no''.

294

295

IPQoS Specifies the IPv4 type-of-service or DSCP class for the

296

connection. Accepted values are ``af11'', ``af12'', ``af13'',

297

``af14'', ``af22'', ``af23'', ``af31'', ``af32'', ``af33'',

298

``af41'', ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'',

299

``cs4'', ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'',

300

``throughput'', ``reliability'', or a numeric value. This option

301

may take one or two arguments, separated by whitespace. If one

302

argument is specified, it is used as the packet class

303

unconditionally. If two values are specified, the first is

304

automatically selected for interactive sessions and the second

305

for non-interactive sessions. The default is ``lowdelay'' for

306

interactive sessions and ``throughput'' for non-interactive

307

sessions.

308

309

KerberosAuthentication

310

Specifies whether the password provided by the user for

311

PasswordAuthentication will be validated through the Kerberos

312

KDC. To use this option, the server needs a Kerberos servtab

313

which allows the verification of the KDC's identity. The default

is ``no''.

KerberosGetAFSToken

If AFS is active and the user has a Kerberos 5 TGT, attempt to

318

acquire an AFS token before accessing the user's home directory.

319

The default is ``no''.

320

321

KerberosOrLocalPasswd

322

If password authentication through Kerberos fails then the

323

password will be validated via any additional local mechanism

324

such as /etc/passwd. The default is ``yes''.

325

326

KerberosTicketCleanup

327

Specifies whether to automatically destroy the user's ticket

328

cache file on logout. The default is ``yes''.

329

330

KexAlgorithms

331

Specifies the available KEX (Key Exchange) algorithms. Multiple

332

algorithms must be comma-separated. The default is

333

``ecdh-sha2-nistp256'', ``ecdh-sha2-nistp384'',

334

``ecdh-sha2-nistp521'', ``diffie-hellman-group-exchange-sha256'',

335

``diffie-hellman-group-exchange-sha1'',

336

``diffie-hellman-group14-sha1'', ``diffie-hellman-group1-sha1''.

337

338

KeyRegenerationInterval

339

In protocol version 1, the ephemeral server key is automatically

340

regenerated after this many seconds (if it has been used). The

341

purpose of regeneration is to prevent decrypting captured

342

sessions by later breaking into the machine and stealing the

343

keys. The key is never stored anywhere. If the value is 0, the

344

key is never regenerated. The default is 3600 (seconds).

345

346

ListenAddress

347

Specifies the local addresses sshd(8) should listen on. The

348

following forms may be used:

349

350

ListenAddress host|IPv4_addr|IPv6_addr

351

ListenAddress host|IPv4_addr:port

352

ListenAddress [host|IPv6_addr]:port

353

354

If port is not specified, sshd will listen on the address and all

355

prior Port options specified. The default is to listen on all

356

local addresses. Multiple ListenAddress options are permitted.

357

Additionally, any Port options must precede this option for non-

358

port qualified addresses.

359

360

LoginGraceTime

361

The server disconnects after this time if the user has not

362

successfully logged in. If the value is 0, there is no time

363

limit. The default is 120 seconds.

364

365

LogLevel

366

Gives the verbosity level that is used when logging messages from

367

sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO,

368

VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.

369

DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify

370

higher levels of debugging output. Logging with a DEBUG level

371

violates the privacy of users and is not recommended.

372

373

MACs Specifies the available MAC (message authentication code)

374

algorithms. The MAC algorithm is used in protocol version 2 for

375

data integrity protection. Multiple algorithms must be comma-

376

separated. The default is:

377

378

hmac-md5,hmac-sha1,umac-64@openssh.com,

379

hmac-ripemd160,hmac-sha1-96,hmac-md5-96,

380

hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,

381

hmac-sha2-512-96

382

383

Match Introduces a conditional block. If all of the criteria on the

384

Match line are satisfied, the keywords on the following lines

385

override those set in the global section of the config file,

386

until either another Match line or the end of the file.

387

388

The arguments to Match are one or more criteria-pattern pairs.

389

The available criteria are User, Group, Host, and Address. The

390

match patterns may consist of single entries or comma-separated

391

lists and may use the wildcard and negation operators described

392

in the PATTERNS section of ssh_config(5).

393

394

The patterns in an Address criteria may additionally contain

395

addresses to match in CIDR address/masklen format, e.g.

396

``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask

397

length provided must be consistent with the address - it is an

398

error to specify a mask length that is too long for the address

399

or one with bits set in this host portion of the address. For

400

example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively.

401

402

Only a subset of keywords may be used on the lines following a

403

Match keyword. Available keywords are AllowAgentForwarding,

404

AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,

405

Banner, ChrootDirectory, ForceCommand, GatewayPorts,

406

GSSAPIAuthentication, HostbasedAuthentication,

407

HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,

408

KerberosAuthentication, MaxAuthTries, MaxSessions,

409

PasswordAuthentication, PermitEmptyPasswords, PermitOpen,

410

PermitRootLogin, PermitTunnel, PubkeyAuthentication,

411

RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,

412

X11Forwarding and X11UseLocalHost.

413

414

MaxAuthTries

415

Specifies the maximum number of authentication attempts permitted

416

per connection. Once the number of failures reaches half this

417

value, additional failures are logged. The default is 6.

418

419

MaxSessions

420

Specifies the maximum number of open sessions permitted per

421

network connection. The default is 10.

422

423

MaxStartups

424

Specifies the maximum number of concurrent unauthenticated

425

connections to the SSH daemon. Additional connections will be

426

dropped until authentication succeeds or the LoginGraceTime

427

expires for a connection. The default is 10.

428

429

Alternatively, random early drop can be enabled by specifying the

430

three colon separated values ``start:rate:full'' (e.g.

431

"10:30:60"). sshd(8) will refuse connection attempts with a

432

probability of ``rate/100'' (30%) if there are currently

433

``start'' (10) unauthenticated connections. The probability

434

increases linearly and all connection attempts are refused if the

435

number of unauthenticated connections reaches ``full'' (60).

436

437

PasswordAuthentication

438

Specifies whether password authentication is allowed. The

default is ``yes''.

PermitEmptyPasswords

When password authentication is allowed, it specifies whether the

443

server allows login to accounts with empty password strings. The

default is ``no''.

PermitOpen

Specifies the destinations to which TCP port forwarding is

448

permitted. The forwarding specification must be one of the

following forms:

PermitOpen host:port

PermitOpen IPv4_addr:port

453

PermitOpen [IPv6_addr]:port

454

455

Multiple forwards may be specified by separating them with

456

whitespace. An argument of ``any'' can be used to remove all

457

restrictions and permit any forwarding requests. By default all

458

port forwarding requests are permitted.

459

460

PermitRootLogin

461

Specifies whether root can log in using ssh(1). The argument

462

must be ``yes'', ``without-password'', ``forced-commands-only'',

463

or ``no''. The default is ``yes''.

464

465

If this option is set to ``without-password'', password

466

authentication is disabled for root.

467

468

If this option is set to ``forced-commands-only'', root login

469

with public key authentication will be allowed, but only if the

470

command option has been specified (which may be useful for taking

471

remote backups even if root login is normally not allowed). All

472

other authentication methods are disabled for root.

473

474

If this option is set to ``no'', root is not allowed to log in.

475

476

PermitTunnel

477

Specifies whether tun(4) device forwarding is allowed. The

478

argument must be ``yes'', ``point-to-point'' (layer 3),

479

``ethernet'' (layer 2), or ``no''. Specifying ``yes'' permits

480

both ``point-to-point'' and ``ethernet''. The default is ``no''.

481

482

PermitUserEnvironment

483

Specifies whether ~/.ssh/environment and environment= options in

484

~/.ssh/authorized_keys are processed by sshd(8). The default is

485

``no''. Enabling environment processing may enable users to

486

bypass access restrictions in some configurations using

487

mechanisms such as LD_PRELOAD.

488

489

PidFile

490

Specifies the file that contains the process ID of the SSH

491

daemon. The default is /var/run/sshd.pid.

492

493

Port Specifies the port number that sshd(8) listens on. The default

494

is 22. Multiple options of this type are permitted. See also

ListenAddress.

PrintLastLog

Specifies whether sshd(8) should print the date and time of the

499

last user login when a user logs in interactively. The default

is ``yes''.

PrintMotd

Specifies whether sshd(8) should print /etc/motd when a user logs

504

in interactively. (On some systems it is also printed by the

505

shell, /etc/profile, or equivalent.) The default is ``yes''.

506

507

Protocol

508

Specifies the protocol versions sshd(8) supports. The possible

509

values are `1' and `2'. Multiple versions must be comma-

510

separated. The default is `2'. Note that the order of the

511

protocol list does not indicate preference, because the client

512

selects among multiple protocol versions offered by the server.

513

Specifying ``2,1'' is identical to ``1,2''.

514

515

PubkeyAuthentication

516

Specifies whether public key authentication is allowed. The

517

default is ``yes''. Note that this option applies to protocol

version 2 only.

RevokedKeys

Specifies a list of revoked public keys. Keys listed in this

522

file will be refused for public key authentication. Note that if

523

this file is not readable, then public key authentication will be

524

refused for all users.

525

526

RhostsRSAAuthentication

527

Specifies whether rhosts or /etc/hosts.equiv authentication

528

together with successful RSA host authentication is allowed. The

529

default is ``no''. This option applies to protocol version 1

only.

RSAAuthentication

Specifies whether pure RSA authentication is allowed. The

534

default is ``yes''. This option applies to protocol version 1

only.

ServerKeyBits

Defines the number of bits in the ephemeral protocol version 1

539

server key. The minimum value is 512, and the default is 1024.

540

541

StrictModes

542

Specifies whether sshd(8) should check file modes and ownership

543

of the user's files and home directory before accepting login.

544

This is normally desirable because novices sometimes accidentally

545

leave their directory or files world-writable. The default is

546

``yes''. Note that this does not apply to ChrootDirectory, whose

547

permissions and ownership are checked unconditionally.

548

549

Subsystem

550

Configures an external subsystem (e.g. file transfer daemon).

551

Arguments should be a subsystem name and a command (with optional

552

arguments) to execute upon subsystem request.

553

554

The command sftp-server(8) implements the ``sftp'' file transfer

555

subsystem.

556

557

Alternately the name ``internal-sftp'' implements an in-process

558

``sftp'' server. This may simplify configurations using

559

ChrootDirectory to force a different filesystem root on clients.

560

561

By default no subsystems are defined. Note that this option

562

applies to protocol version 2 only.

563

564

SyslogFacility

565

Gives the facility code that is used when logging messages from

566

sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,

567

LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The

default is AUTH.

TCPKeepAlive

Specifies whether the system should send TCP keepalive messages

572

to the other side. If they are sent, death of the connection or

573

crash of one of the machines will be properly noticed. However,

574

this means that connections will die if the route is down

575

temporarily, and some people find it annoying. On the other

576

hand, if TCP keepalives are not sent, sessions may hang

577

indefinitely on the server, leaving ``ghost'' users and consuming

578

server resources.

579

580

The default is ``yes'' (to send TCP keepalive messages), and the

581

server will notice if the network goes down or the client host

582

crashes. This avoids infinitely hanging sessions.

583

584

To disable TCP keepalive messages, the value should be set to

``no''.

TrustedUserCAKeys

Specifies a file containing public keys of certificate

589

authorities that are trusted to sign user certificates for

590

authentication. Keys are listed one per line; empty lines and

591

comments starting with `#' are allowed. If a certificate is

592

presented for authentication and has its signing CA key listed in

593

this file, then it may be used for authentication for any user

594

listed in the certificate's principals list. Note that

595

certificates that lack a list of principals will not be permitted

596

for authentication using TrustedUserCAKeys. For more details on

597

certificates, see the CERTIFICATES section in ssh-keygen(1).

598

599

UseDNS Specifies whether sshd(8) should look up the remote host name and

600

check that the resolved host name for the remote IP address maps

601

back to the very same IP address. The default is ``yes''.

602

603

UseLogin

604

Specifies whether login(1) is used for interactive login

605

sessions. The default is ``no''. Note that login(1) is never

606

used for remote command execution. Note also, that if this is

607

enabled, X11Forwarding will be disabled because login(1) does not

608

know how to handle xauth(1) cookies. If UsePrivilegeSeparation

609

is specified, it will be disabled after authentication.

610

611

UsePAM Enables the Pluggable Authentication Module interface. If set to

612

``yes'' this will enable PAM authentication using

613

ChallengeResponseAuthentication and PasswordAuthentication in

614

addition to PAM account and session module processing for all

615

authentication types.

616

617

Because PAM challenge-response authentication usually serves an

618

equivalent role to password authentication, you should disable

619

either PasswordAuthentication or ChallengeResponseAuthentication.

620

621

If UsePAM is enabled, you will not be able to run sshd(8) as a

622

non-root user. The default is ``no''.

623

624

UsePrivilegeSeparation

625

Specifies whether sshd(8) separates privileges by creating an

626

unprivileged child process to deal with incoming network traffic.

627

After successful authentication, another process will be created

628

that has the privilege of the authenticated user. The goal of

629

privilege separation is to prevent privilege escalation by

630

containing any corruption within the unprivileged processes. The

631

default is ``yes''. If UsePrivilegeSeparation is set to

632

``sandbox'' then the pre-authentication unprivileged process is

633

subject to additional restrictions.

634

635

X11DisplayOffset

636

Specifies the first display number available for sshd(8)'s X11

637

forwarding. This prevents sshd from interfering with real X11

638

servers. The default is 10.

639

640

X11Forwarding

641

Specifies whether X11 forwarding is permitted. The argument must

642

be ``yes'' or ``no''. The default is ``no''.

643

644

When X11 forwarding is enabled, there may be additional exposure

645

to the server and to client displays if the sshd(8) proxy display

646

is configured to listen on the wildcard address (see

647

X11UseLocalhost below), though this is not the default.

648

Additionally, the authentication spoofing and authentication data

649

verification and substitution occur on the client side. The

650

security risk of using X11 forwarding is that the client's X11

651

display server may be exposed to attack when the SSH client

652

requests forwarding (see the warnings for ForwardX11 in

653

ssh_config(5)). A system administrator may have a stance in

654

which they want to protect clients that may expose themselves to

655

attack by unwittingly requesting X11 forwarding, which can

656

warrant a ``no'' setting.

657

658

Note that disabling X11 forwarding does not prevent users from

659

forwarding X11 traffic, as users can always install their own

660

forwarders. X11 forwarding is automatically disabled if UseLogin

is enabled.

X11UseLocalhost

Specifies whether sshd(8) should bind the X11 forwarding server

665

to the loopback address or to the wildcard address. By default,

666

sshd binds the forwarding server to the loopback address and sets

667

the hostname part of the DISPLAY environment variable to

668

``localhost''. This prevents remote hosts from connecting to the

669

proxy display. However, some older X11 clients may not function

670

with this configuration. X11UseLocalhost may be set to ``no'' to

671

specify that the forwarding server should be bound to the

672

wildcard address. The argument must be ``yes'' or ``no''. The

default is ``yes''.

XAuthLocation

Specifies the full pathname of the xauth(1) program. The default

677

is /usr/X11R6/bin/xauth.

678

679

TIME FORMATS

680

sshd(8) command-line arguments and configuration file options that

681

specify time may be expressed using a sequence of the form:

682

time[qualifier], where time is a positive integer value and qualifier is

683

one of the following:

<none> seconds

s | S seconds

m | M minutes

h | H hours

d | D days

w | W weeks

Each member of the sequence is added together to calculate the total time

693

value.

694

695

Time format examples:

696

697

600 600 seconds (10 minutes)

698

10m 10 minutes

699

1h30m 1 hour 30 minutes (90 minutes)

FILES

/etc/ssh/sshd_config

Contains configuration data for sshd(8). This file should be

704

writable by root only, but it is recommended (though not

705

necessary) that it be world-readable.

706

707