blob: 82a3ad14aef364c784454dc736a0c5cca20f6470 [file] [log] [blame]
Ben Lindstrom9f049032002-06-21 00:59:05 +00001.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\" All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose. Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\" notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\" notice, this list of conditions and the following disclaimer in the
23.\" documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +000036.\" $OpenBSD: sshd_config.5,v 1.237 2016/10/07 14:41:52 jmc Exp $
37.Dd $Mdocdate: October 7 2016 $
Ben Lindstrom9f049032002-06-21 00:59:05 +000038.Dt SSHD_CONFIG 5
39.Os
40.Sh NAME
41.Nm sshd_config
42.Nd OpenSSH SSH daemon configuration file
43.Sh SYNOPSIS
Damien Millerd94fc722007-01-05 16:29:30 +110044.Nm /etc/ssh/sshd_config
Ben Lindstrom9f049032002-06-21 00:59:05 +000045.Sh DESCRIPTION
Damien Millerf4f22b52006-03-15 11:57:25 +110046.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +000047reads configuration data from
48.Pa /etc/ssh/sshd_config
49(or the file specified with
50.Fl f
51on the command line).
52The file contains keyword-argument pairs, one per line.
53Lines starting with
54.Ql #
55and empty lines are interpreted as comments.
Damien Miller306d1182006-03-15 12:05:59 +110056Arguments may optionally be enclosed in double quotes
57.Pq \&"
58in order to represent arguments containing spaces.
Ben Lindstrom9f049032002-06-21 00:59:05 +000059.Pp
60The possible
61keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive):
63.Bl -tag -width Ds
Darren Tucker46bc0752004-05-02 22:11:30 +100064.It Cm AcceptEnv
65Specifies what environment variables sent by the client will be copied into
66the session's
67.Xr environ 7 .
68See
69.Cm SendEnv
70in
71.Xr ssh_config 5
72for how to configure the client.
jmc@openbsd.orga685ae82016-02-17 07:38:19 +000073The
dtucker@openbsd.org85b96ef2015-04-28 10:17:58 +000074.Ev TERM
jmc@openbsd.orgc1d5bcf2015-04-28 13:47:38 +000075environment variable is always sent whenever the client
djm@openbsd.org732d61f2015-06-05 03:44:14 +000076requests a pseudo-terminal as it is required by the protocol.
Darren Tucker46bc0752004-05-02 22:11:30 +100077Variables are specified by name, which may contain the wildcard characters
Damien Miller208f1ed2006-03-15 11:56:03 +110078.Ql *
Darren Tucker46bc0752004-05-02 22:11:30 +100079and
80.Ql \&? .
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100081Multiple environment variables may be separated by whitespace or spread
Darren Tucker46bc0752004-05-02 22:11:30 +100082across multiple
83.Cm AcceptEnv
84directives.
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100085Be warned that some environment variables could be used to bypass restricted
Darren Tucker46bc0752004-05-02 22:11:30 +100086user environments.
87For this reason, care should be taken in the use of this directive.
88The default is not to accept any environment variables.
Darren Tucker0f383232005-01-20 10:57:56 +110089.It Cm AddressFamily
90Specifies which address family should be used by
Damien Millerf4f22b52006-03-15 11:57:25 +110091.Xr sshd 8 .
Darren Tucker0f383232005-01-20 10:57:56 +110092Valid arguments are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +000093.Cm any
94(the default),
95.Cm inet
Damien Miller5b0d63f2006-03-15 11:56:56 +110096(use IPv4 only), or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +000097.Cm inet6
Darren Tucker0f383232005-01-20 10:57:56 +110098(use IPv6 only).
Damien Millere9890192008-05-19 14:59:02 +100099.It Cm AllowAgentForwarding
100Specifies whether
101.Xr ssh-agent 1
102forwarding is permitted.
103The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000104.Cm yes .
Damien Millere9890192008-05-19 14:59:02 +1000105Note that disabling agent forwarding does not improve security
106unless users are also denied shell access, as they can always install
107their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000108.It Cm AllowGroups
109This keyword can be followed by a list of group name patterns, separated
110by spaces.
111If specified, login is allowed only for users whose primary
112group or supplementary group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000113Only group names are valid; a numerical group ID is not recognized.
114By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100115The allow/deny directives are processed in the following order:
116.Cm DenyUsers ,
117.Cm AllowUsers ,
118.Cm DenyGroups ,
119and finally
120.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100121.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000122See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100123.Xr ssh_config 5
124for more information on patterns.
Damien Miller7acefbb2014-07-18 14:11:24 +1000125.It Cm AllowStreamLocalForwarding
126Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
127The available options are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000128.Cm yes
129(the default)
Damien Miller7acefbb2014-07-18 14:11:24 +1000130or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000131.Cm all
Damien Miller7acefbb2014-07-18 14:11:24 +1000132to allow StreamLocal forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000133.Cm no
Damien Miller7acefbb2014-07-18 14:11:24 +1000134to prevent all StreamLocal forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000135.Cm local
Damien Miller7acefbb2014-07-18 14:11:24 +1000136to allow local (from the perspective of
137.Xr ssh 1 )
138forwarding only or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000139.Cm remote
Damien Miller7acefbb2014-07-18 14:11:24 +1000140to allow remote forwarding only.
Damien Miller7acefbb2014-07-18 14:11:24 +1000141Note that disabling StreamLocal forwarding does not improve security unless
142users are also denied shell access, as they can always install their
143own forwarders.
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000144.It Cm AllowTcpForwarding
145Specifies whether TCP forwarding is permitted.
146The available options are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000147.Cm yes
148(the default)
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000149or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000150.Cm all
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000151to allow TCP forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000152.Cm no
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000153to prevent all TCP forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000154.Cm local
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000155to allow local (from the perspective of
156.Xr ssh 1 )
157forwarding only or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000158.Cm remote
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000159to allow remote forwarding only.
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000160Note that disabling TCP forwarding does not improve security unless
161users are also denied shell access, as they can always install their
162own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000163.It Cm AllowUsers
164This keyword can be followed by a list of user name patterns, separated
165by spaces.
Damien Miller5a93add2003-01-24 11:34:52 +1100166If specified, login is allowed only for user names that
Ben Lindstrom9f049032002-06-21 00:59:05 +0000167match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000168Only user names are valid; a numerical user ID is not recognized.
169By default, login is allowed for all users.
170If the pattern takes the form USER@HOST then USER and HOST
171are separately checked, restricting logins to particular
172users from particular hosts.
jmc@openbsd.orgee1e0a12016-04-27 13:53:48 +0000173HOST criteria may additionally contain addresses to match in CIDR
174address/masklen format.
Damien Millerac73e512006-03-15 11:58:49 +1100175The allow/deny directives are processed in the following order:
176.Cm DenyUsers ,
177.Cm AllowUsers ,
178.Cm DenyGroups ,
179and finally
180.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100181.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000182See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100183.Xr ssh_config 5
184for more information on patterns.
Damien Millera6e3f012012-11-04 23:21:40 +1100185.It Cm AuthenticationMethods
186Specifies the authentication methods that must be successfully completed
187for a user to be granted access.
188This option must be followed by one or more comma-separated lists of
djm@openbsd.orgb64faeb2016-06-17 05:03:40 +0000189authentication method names, or by the single string
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000190.Cm any
djm@openbsd.orgb64faeb2016-06-17 05:03:40 +0000191to indicate the default behaviour of accepting any single authentication
jmc@openbsd.orgad23a752016-06-17 06:33:30 +0000192method.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000193If the default is overridden, then successful authentication requires
djm@openbsd.orgb64faeb2016-06-17 05:03:40 +0000194completion of every method in at least one of these lists.
Damien Millera6e3f012012-11-04 23:21:40 +1100195.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000196For example,
197.Qq publickey,password publickey,keyboard-interactive
Damien Millera6e3f012012-11-04 23:21:40 +1100198would require the user to complete public key authentication, followed by
199either password or keyboard interactive authentication.
200Only methods that are next in one or more lists are offered at each stage,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000201so for this example it would not be possible to attempt password or
Damien Millera6e3f012012-11-04 23:21:40 +1100202keyboard-interactive authentication before public key.
203.Pp
Damien Miller91a55f22013-04-23 15:18:10 +1000204For keyboard interactive authentication it is also possible to
205restrict authentication to a specific device by appending a
206colon followed by the device identifier
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000207.Cm bsdauth ,
208.Cm pam ,
Damien Miller91a55f22013-04-23 15:18:10 +1000209or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000210.Cm skey ,
Damien Miller91a55f22013-04-23 15:18:10 +1000211depending on the server configuration.
212For example,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000213.Qq keyboard-interactive:bsdauth
Damien Miller91a55f22013-04-23 15:18:10 +1000214would restrict keyboard interactive authentication to the
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000215.Cm bsdauth
Damien Miller91a55f22013-04-23 15:18:10 +1000216device.
217.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000218If the publickey method is listed more than once,
djm@openbsd.orgf69b69b2014-12-22 07:51:30 +0000219.Xr sshd 8
220verifies that keys that have been used successfully are not reused for
221subsequent authentications.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000222For example,
223.Qq publickey,publickey
224requires successful authentication using two different public keys.
djm@openbsd.orgf69b69b2014-12-22 07:51:30 +0000225.Pp
Damien Millera6e3f012012-11-04 23:21:40 +1100226Note that each authentication method listed should also be explicitly enabled
227in the configuration.
Damien Miller09d3e122012-10-31 08:58:58 +1100228.It Cm AuthorizedKeysCommand
Damien Millerf33580e2012-11-04 22:22:52 +1100229Specifies a program to be used to look up the user's public keys.
djm@openbsd.org24232a32015-05-21 06:38:35 +0000230The program must be owned by root, not writable by group or others and
231specified by an absolute path.
djm@openbsd.org24232a32015-05-21 06:38:35 +0000232Arguments to
233.Cm AuthorizedKeysCommand
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000234accept the tokens described in the
235.Sx TOKENS
236section.
237If no arguments are specified then the username of the target user is used.
djm@openbsd.org24232a32015-05-21 06:38:35 +0000238.Pp
239The program should produce on standard output zero or
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000240more lines of authorized_keys output (see
241.Sx AUTHORIZED_KEYS
242in
Damien Millerf33580e2012-11-04 22:22:52 +1100243.Xr sshd 8 ) .
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000244If a key supplied by
245.Cm AuthorizedKeysCommand
246does not successfully authenticate
Damien Miller09d3e122012-10-31 08:58:58 +1100247and authorize the user then public key authentication continues using the usual
248.Cm AuthorizedKeysFile
249files.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000250By default, no
251.Cm AuthorizedKeysCommand
252is run.
Damien Miller09d3e122012-10-31 08:58:58 +1100253.It Cm AuthorizedKeysCommandUser
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000254Specifies the user under whose account the
255.Cm AuthorizedKeysCommand
256is run.
Damien Miller09d3e122012-10-31 08:58:58 +1100257It is recommended to use a dedicated user that has no other role on the host
258than running authorized keys commands.
djm@openbsd.orgf1c4d8e2014-12-22 08:04:23 +0000259If
djm@openbsd.orgd663bea2014-12-11 05:25:06 +0000260.Cm AuthorizedKeysCommand
djm@openbsd.orgf1c4d8e2014-12-22 08:04:23 +0000261is specified but
262.Cm AuthorizedKeysCommandUser
263is not, then
264.Xr sshd 8
265will refuse to start.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000266.It Cm AuthorizedKeysFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000267Specifies the file that contains the public keys used for user authentication.
Damien Miller6018a362010-07-02 13:35:19 +1000268The format is described in the
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000269.Sx AUTHORIZED_KEYS FILE FORMAT
Damien Miller6018a362010-07-02 13:35:19 +1000270section of
271.Xr sshd 8 .
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000272Arguments to
Ben Lindstrom9f049032002-06-21 00:59:05 +0000273.Cm AuthorizedKeysFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000274accept the tokens described in the
275.Sx TOKENS
276section.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000277After expansion,
278.Cm AuthorizedKeysFile
279is taken to be an absolute path or one relative to the user's home
280directory.
Damien Millerb9132fc2011-05-29 21:41:40 +1000281Multiple files may be listed, separated by whitespace.
djm@openbsd.org2bca8a42015-09-11 03:13:36 +0000282Alternately this option may be set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000283.Cm none
djm@openbsd.org2bca8a42015-09-11 03:13:36 +0000284to skip checking for user keys in files.
Damien Millerb9132fc2011-05-29 21:41:40 +1000285The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000286.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000287.It Cm AuthorizedPrincipalsCommand
288Specifies a program to be used to generate the list of allowed
289certificate principals as per
290.Cm AuthorizedPrincipalsFile .
291The program must be owned by root, not writable by group or others and
292specified by an absolute path.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000293Arguments to
294.Cm AuthorizedPrincipalsCommand
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000295accept the tokens described in the
296.Sx TOKENS
297section.
298If no arguments are specified then the username of the target user is used.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000299.Pp
300The program should produce on standard output zero or
301more lines of
302.Cm AuthorizedPrincipalsFile
303output.
304If either
305.Cm AuthorizedPrincipalsCommand
306or
307.Cm AuthorizedPrincipalsFile
308is specified, then certificates offered by the client for authentication
309must contain a principal that is listed.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000310By default, no
311.Cm AuthorizedPrincipalsCommand
312is run.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000313.It Cm AuthorizedPrincipalsCommandUser
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000314Specifies the user under whose account the
315.Cm AuthorizedPrincipalsCommand
316is run.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000317It is recommended to use a dedicated user that has no other role on the host
318than running authorized principals commands.
319If
320.Cm AuthorizedPrincipalsCommand
321is specified but
322.Cm AuthorizedPrincipalsCommandUser
323is not, then
324.Xr sshd 8
325will refuse to start.
Damien Miller30da3442010-05-10 11:58:03 +1000326.It Cm AuthorizedPrincipalsFile
327Specifies a file that lists principal names that are accepted for
328certificate authentication.
329When using certificates signed by a key listed in
330.Cm TrustedUserCAKeys ,
331this file lists names, one of which must appear in the certificate for it
332to be accepted for authentication.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000333Names are listed one per line preceded by key options (as described in
334.Sx AUTHORIZED_KEYS FILE FORMAT
335in
Damien Millerd59dab82010-07-02 13:37:17 +1000336.Xr sshd 8 ) .
Damien Miller6018a362010-07-02 13:35:19 +1000337Empty lines and comments starting with
Damien Miller30da3442010-05-10 11:58:03 +1000338.Ql #
339are ignored.
340.Pp
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000341Arguments to
Damien Miller30da3442010-05-10 11:58:03 +1000342.Cm AuthorizedPrincipalsFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000343accept the tokens described in the
344.Sx TOKENS
345section.
Damien Miller30da3442010-05-10 11:58:03 +1000346After expansion,
347.Cm AuthorizedPrincipalsFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000348is taken to be an absolute path or one relative to the user's home directory.
Damien Miller8fef9eb2012-04-22 11:25:10 +1000349The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000350.Cm none ,
Damien Miller8fef9eb2012-04-22 11:25:10 +1000351i.e. not to use a principals file \(en in this case, the username
Damien Miller30da3442010-05-10 11:58:03 +1000352of the user must appear in a certificate's principals list for it to be
353accepted.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000354.Pp
Damien Miller30da3442010-05-10 11:58:03 +1000355Note that
356.Cm AuthorizedPrincipalsFile
357is only used when authentication proceeds using a CA listed in
358.Cm TrustedUserCAKeys
359and is not consulted for certification authorities trusted via
360.Pa ~/.ssh/authorized_keys ,
361though the
362.Cm principals=
363key option offers a similar facility (see
364.Xr sshd 8
365for details).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000366.It Cm Banner
Ben Lindstrom9f049032002-06-21 00:59:05 +0000367The contents of the specified file are sent to the remote user before
368authentication is allowed.
Damien Miller4890e532007-09-17 11:57:38 +1000369If the argument is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000370.Cm none
Damien Miller4890e532007-09-17 11:57:38 +1000371then no banner is displayed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000372By default, no banner is displayed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000373.It Cm ChallengeResponseAuthentication
Damien Miller9c7bf8d2009-08-28 10:27:08 +1000374Specifies whether challenge-response authentication is allowed (e.g. via
Damien Millere8c9f262014-10-03 09:24:56 +1000375PAM or through authentication styles supported in
Damien Miller9c7bf8d2009-08-28 10:27:08 +1000376.Xr login.conf 5 )
Ben Lindstrom9f049032002-06-21 00:59:05 +0000377The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000378.Cm yes .
Damien Millerd8cb1f12008-02-10 22:40:12 +1100379.It Cm ChrootDirectory
Darren Tuckerb8c884a2010-01-08 18:53:43 +1100380Specifies the pathname of a directory to
Damien Millerd8cb1f12008-02-10 22:40:12 +1100381.Xr chroot 2
382to after authentication.
deraadt@openbsd.orgdcff5812015-01-22 20:24:41 +0000383At session startup
384.Xr sshd 8
385checks that all components of the pathname are root-owned directories
386which are not writable by any other user or group.
Darren Tucker51dbe502009-06-21 17:56:51 +1000387After the chroot,
388.Xr sshd 8
389changes the working directory to the user's home directory.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000390Arguments to
391.Cm ChrootDirectory
392accept the tokens described in the
393.Sx TOKENS
394section.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100395.Pp
396The
397.Cm ChrootDirectory
398must contain the necessary files and directories to support the
Darren Tuckeraf501cf2009-06-21 17:53:04 +1000399user's session.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100400For an interactive session this requires at least a shell, typically
401.Xr sh 1 ,
402and basic
403.Pa /dev
404nodes such as
405.Xr null 4 ,
406.Xr zero 4 ,
407.Xr stdin 4 ,
408.Xr stdout 4 ,
409.Xr stderr 4 ,
jmc@openbsd.org08c0eeb2014-11-22 19:21:03 +0000410and
Damien Millerd8cb1f12008-02-10 22:40:12 +1100411.Xr tty 4
412devices.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000413For file transfer sessions using SFTP
414no additional configuration of the environment is necessary if the in-process
415sftp-server is used,
Damien Miller426117b2014-07-30 12:33:20 +1000416though sessions which use logging may require
Darren Tucker00fcd712009-06-21 17:56:00 +1000417.Pa /dev/log
Damien Miller426117b2014-07-30 12:33:20 +1000418inside the chroot directory on some operating systems (see
Darren Tucker00fcd712009-06-21 17:56:00 +1000419.Xr sftp-server 8
420for details).
Damien Millerd8cb1f12008-02-10 22:40:12 +1100421.Pp
jmc@openbsd.orga5a3e332015-01-22 21:00:42 +0000422For safety, it is very important that the directory hierarchy be
deraadt@openbsd.orgdcff5812015-01-22 20:24:41 +0000423prevented from modification by other processes on the system (especially
424those outside the jail).
425Misconfiguration can lead to unsafe environments which
426.Xr sshd 8
427cannot detect.
428.Pp
djm@openbsd.org9fd04682015-11-13 04:38:06 +0000429The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000430.Cm none ,
djm@openbsd.org9fd04682015-11-13 04:38:06 +0000431indicating not to
Damien Millerd8cb1f12008-02-10 22:40:12 +1100432.Xr chroot 2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000433.It Cm Ciphers
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000434Specifies the ciphers allowed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000435Multiple ciphers must be comma-separated.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000436If the specified value begins with a
437.Sq +
438character, then the specified ciphers will be appended to the default set
439instead of replacing them.
440.Pp
Damien Miller0fde8ac2013-11-21 14:12:23 +1100441The supported ciphers are:
442.Pp
Damien Millerc1621c82014-04-20 13:22:46 +1000443.Bl -item -compact -offset indent
444.It
4453des-cbc
446.It
447aes128-cbc
448.It
449aes192-cbc
450.It
451aes256-cbc
452.It
453aes128-ctr
454.It
455aes192-ctr
456.It
457aes256-ctr
458.It
459aes128-gcm@openssh.com
460.It
461aes256-gcm@openssh.com
462.It
463arcfour
464.It
465arcfour128
466.It
467arcfour256
468.It
469blowfish-cbc
470.It
471cast128-cbc
472.It
473chacha20-poly1305@openssh.com
474.El
Damien Miller0fde8ac2013-11-21 14:12:23 +1100475.Pp
Damien Miller5b0d63f2006-03-15 11:56:56 +1100476The default is:
Damien Millerc1621c82014-04-20 13:22:46 +1000477.Bd -literal -offset indent
jmc@openbsd.org1f8d3d62015-08-14 15:32:41 +0000478chacha20-poly1305@openssh.com,
Damien Millerc1621c82014-04-20 13:22:46 +1000479aes128-ctr,aes192-ctr,aes256-ctr,
jmc@openbsd.org1f8d3d62015-08-14 15:32:41 +0000480aes128-gcm@openssh.com,aes256-gcm@openssh.com
Ben Lindstrom9f049032002-06-21 00:59:05 +0000481.Ed
Damien Miller0fde8ac2013-11-21 14:12:23 +1100482.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000483The list of available ciphers may also be obtained using
484.Qq ssh -Q cipher .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000485.It Cm ClientAliveCountMax
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000486Sets the number of client alive messages which may be sent without
Damien Miller5b0d63f2006-03-15 11:56:56 +1100487.Xr sshd 8
Damien Millerfbf486b2003-05-23 18:44:23 +1000488receiving any messages back from the client.
489If this threshold is reached while client alive messages are being sent,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100490sshd will disconnect the client, terminating the session.
Damien Millerfbf486b2003-05-23 18:44:23 +1000491It is important to note that the use of client alive messages is very
492different from
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000493.Cm TCPKeepAlive .
Damien Millerfbf486b2003-05-23 18:44:23 +1000494The client alive messages are sent through the encrypted channel
495and therefore will not be spoofable.
496The TCP keepalive option enabled by
Damien Miller12c150e2003-12-17 16:31:10 +1100497.Cm TCPKeepAlive
Damien Millerfbf486b2003-05-23 18:44:23 +1000498is spoofable.
499The client alive mechanism is valuable when the client or
Ben Lindstrom9f049032002-06-21 00:59:05 +0000500server depend on knowing when a connection has become inactive.
501.Pp
Damien Millerfbf486b2003-05-23 18:44:23 +1000502The default value is 3.
503If
Ben Lindstrom9f049032002-06-21 00:59:05 +0000504.Cm ClientAliveInterval
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000505is set to 15, and
Ben Lindstrom9f049032002-06-21 00:59:05 +0000506.Cm ClientAliveCountMax
Damien Miller5b0d63f2006-03-15 11:56:56 +1100507is left at the default, unresponsive SSH clients
Ben Lindstrom9f049032002-06-21 00:59:05 +0000508will be disconnected after approximately 45 seconds.
Damien Miller1594ad52005-05-26 12:12:19 +1000509.It Cm ClientAliveInterval
510Sets a timeout interval in seconds after which if no data has been received
511from the client,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100512.Xr sshd 8
Damien Miller1594ad52005-05-26 12:12:19 +1000513will send a message through the encrypted
514channel to request a response from the client.
515The default
516is 0, indicating that these messages will not be sent to the client.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000517.It Cm Compression
djm@openbsd.org4577ade2016-09-28 20:32:42 +0000518Specifies whether compression is enabled after
Damien Miller9786e6e2005-07-26 21:54:56 +1000519the user has authenticated successfully.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000520The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000521.Cm yes ,
522.Cm delayed
djm@openbsd.org4577ade2016-09-28 20:32:42 +0000523(a legacy synonym for
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000524.Cm yes )
Ben Lindstrom9f049032002-06-21 00:59:05 +0000525or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000526.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000527The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000528.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000529.It Cm DenyGroups
530This keyword can be followed by a list of group name patterns, separated
531by spaces.
532Login is disallowed for users whose primary group or supplementary
533group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000534Only group names are valid; a numerical group ID is not recognized.
535By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100536The allow/deny directives are processed in the following order:
537.Cm DenyUsers ,
538.Cm AllowUsers ,
539.Cm DenyGroups ,
540and finally
541.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100542.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000543See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100544.Xr ssh_config 5
545for more information on patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000546.It Cm DenyUsers
547This keyword can be followed by a list of user name patterns, separated
548by spaces.
549Login is disallowed for user names that match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000550Only user names are valid; a numerical user ID is not recognized.
551By default, login is allowed for all users.
552If the pattern takes the form USER@HOST then USER and HOST
553are separately checked, restricting logins to particular
554users from particular hosts.
jmc@openbsd.orgee1e0a12016-04-27 13:53:48 +0000555HOST criteria may additionally contain addresses to match in CIDR
556address/masklen format.
Damien Millerac73e512006-03-15 11:58:49 +1100557The allow/deny directives are processed in the following order:
558.Cm DenyUsers ,
559.Cm AllowUsers ,
560.Cm DenyGroups ,
561and finally
562.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100563.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000564See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100565.Xr ssh_config 5
566for more information on patterns.
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000567.It Cm FingerprintHash
568Specifies the hash algorithm used when logging key fingerprints.
569Valid options are:
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000570.Cm md5
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000571and
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000572.Cm sha256 .
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000573The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000574.Cm sha256 .
Damien Millere2754432006-07-24 14:06:47 +1000575.It Cm ForceCommand
576Forces the execution of the command specified by
577.Cm ForceCommand ,
Damien Millera1b48cc2008-03-27 11:02:02 +1100578ignoring any command supplied by the client and
579.Pa ~/.ssh/rc
580if present.
Damien Millere2754432006-07-24 14:06:47 +1000581The command is invoked by using the user's login shell with the -c option.
582This applies to shell, command, or subsystem execution.
583It is most useful inside a
584.Cm Match
585block.
586The command originally supplied by the client is available in the
587.Ev SSH_ORIGINAL_COMMAND
588environment variable.
Damien Millercdb6e652008-02-10 22:47:24 +1100589Specifying a command of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000590.Cm internal-sftp
591will force the use of an in-process SFTP server that requires no support
Damien Millercdb6e652008-02-10 22:47:24 +1100592files when used with
593.Cm ChrootDirectory .
djm@openbsd.org9fd04682015-11-13 04:38:06 +0000594The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000595.Cm none .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000596.It Cm GatewayPorts
597Specifies whether remote hosts are allowed to connect to ports
598forwarded for the client.
599By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100600.Xr sshd 8
Damien Miller495dca32003-04-01 21:42:14 +1000601binds remote port forwardings to the loopback address.
602This prevents other remote hosts from connecting to forwarded ports.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000603.Cm GatewayPorts
Damien Miller5b0d63f2006-03-15 11:56:56 +1100604can be used to specify that sshd
Damien Millerf91ee4c2005-03-01 21:24:33 +1100605should allow remote port forwardings to bind to non-loopback addresses, thus
606allowing other hosts to connect.
607The argument may be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000608.Cm no
Damien Millerf91ee4c2005-03-01 21:24:33 +1100609to force remote port forwardings to be available to the local host only,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000610.Cm yes
Damien Millerf91ee4c2005-03-01 21:24:33 +1100611to force remote port forwardings to bind to the wildcard address, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000612.Cm clientspecified
Damien Millerf91ee4c2005-03-01 21:24:33 +1100613to allow the client to select the address to which the forwarding is bound.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000614The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000615.Cm no .
Darren Tucker0efd1552003-08-26 11:49:55 +1000616.It Cm GSSAPIAuthentication
Damien Miller9b7b03b2003-09-02 22:57:05 +1000617Specifies whether user authentication based on GSSAPI is allowed.
Damien Millera8e06ce2003-11-21 23:48:55 +1100618The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000619.Cm no .
Darren Tucker0efd1552003-08-26 11:49:55 +1000620.It Cm GSSAPICleanupCredentials
621Specifies whether to automatically destroy the user's credentials cache
622on logout.
623The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000624.Cm yes .
djm@openbsd.orgd7c31da2015-05-22 03:50:02 +0000625.It Cm GSSAPIStrictAcceptorCheck
626Determines whether to be strict about the identity of the GSSAPI acceptor
627a client authenticates against.
628If set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000629.Cm yes
630then the client must authenticate against the host
djm@openbsd.orgd7c31da2015-05-22 03:50:02 +0000631service on the current hostname.
632If set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000633.Cm no
djm@openbsd.orgd7c31da2015-05-22 03:50:02 +0000634then the client may authenticate against any service key stored in the
635machine's default store.
636This facility is provided to assist with operation on multi homed machines.
637The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000638.Cm yes .
djm@openbsd.org1f729f02015-01-13 07:39:19 +0000639.It Cm HostbasedAcceptedKeyTypes
640Specifies the key types that will be accepted for hostbased authentication
641as a comma-separated pattern list.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000642Alternately if the specified value begins with a
643.Sq +
644character, then the specified key types will be appended to the default set
645instead of replacing them.
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000646The default for this option is:
647.Bd -literal -offset 3n
648ecdsa-sha2-nistp256-cert-v01@openssh.com,
649ecdsa-sha2-nistp384-cert-v01@openssh.com,
650ecdsa-sha2-nistp521-cert-v01@openssh.com,
651ssh-ed25519-cert-v01@openssh.com,
652ssh-rsa-cert-v01@openssh.com,
653ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org3a13cb52016-02-17 08:57:34 +0000654ssh-ed25519,ssh-rsa
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000655.Ed
656.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000657The list of available key types may also be obtained using
658.Qq ssh -Q key .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000659.It Cm HostbasedAuthentication
660Specifies whether rhosts or /etc/hosts.equiv authentication together
661with successful public key client host authentication is allowed
Damien Miller1faa7132006-03-15 11:55:31 +1100662(host-based authentication).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000663The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000664.Cm no .
Damien Millerb594f382006-08-30 11:06:34 +1000665.It Cm HostbasedUsesNameFromPacketOnly
666Specifies whether or not the server will attempt to perform a reverse
667name lookup when matching the name in the
668.Pa ~/.shosts ,
669.Pa ~/.rhosts ,
670and
671.Pa /etc/hosts.equiv
672files during
673.Cm HostbasedAuthentication .
674A setting of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000675.Cm yes
Damien Millerb594f382006-08-30 11:06:34 +1000676means that
677.Xr sshd 8
678uses the name supplied by the client rather than
679attempting to resolve the name from the TCP connection itself.
680The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000681.Cm no .
Damien Miller0a80ca12010-02-27 07:55:05 +1100682.It Cm HostCertificate
683Specifies a file containing a public host certificate.
684The certificate's public key must match a private host key already specified
685by
686.Cm HostKey .
687The default behaviour of
688.Xr sshd 8
689is not to load any certificates.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000690.It Cm HostKey
691Specifies a file containing a private host key
692used by SSH.
naddy@openbsd.orgffe65492016-08-15 12:32:04 +0000693The defaults are
Damien Millereb8b60e2010-08-31 22:41:14 +1000694.Pa /etc/ssh/ssh_host_dsa_key ,
Damien Miller8ba0ead2013-12-18 17:46:27 +1100695.Pa /etc/ssh/ssh_host_ecdsa_key ,
696.Pa /etc/ssh/ssh_host_ed25519_key
Ben Lindstrom9f049032002-06-21 00:59:05 +0000697and
naddy@openbsd.orgffe65492016-08-15 12:32:04 +0000698.Pa /etc/ssh/ssh_host_rsa_key .
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000699.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +0000700Note that
Damien Miller5b0d63f2006-03-15 11:56:56 +1100701.Xr sshd 8
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000702will refuse to use a file if it is group/world-accessible
703and that the
704.Cm HostKeyAlgorithms
705option restricts which of the keys are actually used by
706.Xr sshd 8 .
707.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +0000708It is possible to have multiple host key files.
Damien Miller85b45e02013-07-20 13:21:52 +1000709It is also possible to specify public host key files instead.
710In this case operations on the private key will be delegated
711to an
712.Xr ssh-agent 1 .
713.It Cm HostKeyAgent
714Identifies the UNIX-domain socket used to communicate
715with an agent that has access to the private host keys.
markus@openbsd.org1a75d142016-05-04 14:29:58 +0000716If the string
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000717.Qq SSH_AUTH_SOCK
Damien Miller85b45e02013-07-20 13:21:52 +1000718is specified, the location of the socket will be read from the
719.Ev SSH_AUTH_SOCK
720environment variable.
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000721.It Cm HostKeyAlgorithms
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000722Specifies the host key algorithms
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000723that the server offers.
724The default for this option is:
725.Bd -literal -offset 3n
726ecdsa-sha2-nistp256-cert-v01@openssh.com,
727ecdsa-sha2-nistp384-cert-v01@openssh.com,
728ecdsa-sha2-nistp521-cert-v01@openssh.com,
729ssh-ed25519-cert-v01@openssh.com,
730ssh-rsa-cert-v01@openssh.com,
731ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org3a13cb52016-02-17 08:57:34 +0000732ssh-ed25519,ssh-rsa
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000733.Ed
734.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000735The list of available key types may also be obtained using
736.Qq ssh -Q key .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000737.It Cm IgnoreRhosts
738Specifies that
739.Pa .rhosts
740and
741.Pa .shosts
742files will not be used in
Ben Lindstrom9f049032002-06-21 00:59:05 +0000743.Cm HostbasedAuthentication .
744.Pp
745.Pa /etc/hosts.equiv
746and
747.Pa /etc/shosts.equiv
748are still used.
749The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000750.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000751.It Cm IgnoreUserKnownHosts
752Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100753.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000754should ignore the user's
Damien Miller167ea5d2005-05-26 12:04:02 +1000755.Pa ~/.ssh/known_hosts
Ben Lindstrom9f049032002-06-21 00:59:05 +0000756during
Ben Lindstrom9f049032002-06-21 00:59:05 +0000757.Cm HostbasedAuthentication .
758The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000759.Cm no .
Damien Miller0dac6fb2010-11-20 15:19:38 +1100760.It Cm IPQoS
761Specifies the IPv4 type-of-service or DSCP class for the connection.
762Accepted values are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000763.Cm af11 ,
764.Cm af12 ,
765.Cm af13 ,
766.Cm af21 ,
767.Cm af22 ,
768.Cm af23 ,
769.Cm af31 ,
770.Cm af32 ,
771.Cm af33 ,
772.Cm af41 ,
773.Cm af42 ,
774.Cm af43 ,
775.Cm cs0 ,
776.Cm cs1 ,
777.Cm cs2 ,
778.Cm cs3 ,
779.Cm cs4 ,
780.Cm cs5 ,
781.Cm cs6 ,
782.Cm cs7 ,
783.Cm ef ,
784.Cm lowdelay ,
785.Cm throughput ,
786.Cm reliability ,
Damien Miller0dac6fb2010-11-20 15:19:38 +1100787or a numeric value.
Damien Miller928362d2010-12-26 14:26:45 +1100788This option may take one or two arguments, separated by whitespace.
Damien Miller0dac6fb2010-11-20 15:19:38 +1100789If one argument is specified, it is used as the packet class unconditionally.
790If two values are specified, the first is automatically selected for
791interactive sessions and the second for non-interactive sessions.
792The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000793.Cm lowdelay
Damien Miller0dac6fb2010-11-20 15:19:38 +1100794for interactive sessions and
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000795.Cm throughput
Damien Miller0dac6fb2010-11-20 15:19:38 +1100796for non-interactive sessions.
Damien Millere1e480a2014-02-04 11:13:17 +1100797.It Cm KbdInteractiveAuthentication
798Specifies whether to allow keyboard-interactive authentication.
799The argument to this keyword must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000800.Cm yes
Damien Millere1e480a2014-02-04 11:13:17 +1100801or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000802.Cm no .
Damien Millere1e480a2014-02-04 11:13:17 +1100803The default is to use whatever value
804.Cm ChallengeResponseAuthentication
805is set to
806(by default
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000807.Cm yes ) .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000808.It Cm KerberosAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000809Specifies whether the password provided by the user for
Ben Lindstrom9f049032002-06-21 00:59:05 +0000810.Cm PasswordAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000811will be validated through the Kerberos KDC.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000812To use this option, the server needs a
813Kerberos servtab which allows the verification of the KDC's identity.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100814The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000815.Cm no .
Damien Miller8448e662004-03-08 23:13:15 +1100816.It Cm KerberosGetAFSToken
Darren Tuckere2dd2d52005-10-03 18:19:06 +1000817If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
Damien Miller8448e662004-03-08 23:13:15 +1100818an AFS token before accessing the user's home directory.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100819The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000820.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000821.It Cm KerberosOrLocalPasswd
Damien Miller5b0d63f2006-03-15 11:56:56 +1100822If password authentication through Kerberos fails then
Ben Lindstrom9f049032002-06-21 00:59:05 +0000823the password will be validated via any additional local mechanism
824such as
825.Pa /etc/passwd .
Damien Miller5b0d63f2006-03-15 11:56:56 +1100826The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000827.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000828.It Cm KerberosTicketCleanup
829Specifies whether to automatically destroy the user's ticket cache
830file on logout.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100831The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000832.Cm yes .
Damien Millerd5f62bf2010-09-24 22:11:14 +1000833.It Cm KexAlgorithms
834Specifies the available KEX (Key Exchange) algorithms.
835Multiple algorithms must be comma-separated.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000836Alternately if the specified value begins with a
837.Sq +
838character, then the specified methods will be appended to the default set
839instead of replacing them.
Damien Millerc1621c82014-04-20 13:22:46 +1000840The supported algorithms are:
841.Pp
842.Bl -item -compact -offset indent
843.It
djm@openbsd.org16277fc2016-09-22 17:55:13 +0000844curve25519-sha256
845.It
Damien Millerc1621c82014-04-20 13:22:46 +1000846curve25519-sha256@libssh.org
847.It
848diffie-hellman-group1-sha1
849.It
850diffie-hellman-group14-sha1
851.It
852diffie-hellman-group-exchange-sha1
853.It
854diffie-hellman-group-exchange-sha256
855.It
856ecdh-sha2-nistp256
857.It
858ecdh-sha2-nistp384
859.It
860ecdh-sha2-nistp521
861.El
862.Pp
863The default is:
Damien Miller6575c3a2013-12-18 17:47:02 +1100864.Bd -literal -offset indent
djm@openbsd.org16277fc2016-09-22 17:55:13 +0000865curve25519-sha256,curve25519-sha256@libssh.org,
Damien Miller6575c3a2013-12-18 17:47:02 +1100866ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
867diffie-hellman-group-exchange-sha256,
Damien Millerc1621c82014-04-20 13:22:46 +1000868diffie-hellman-group14-sha1
Damien Miller6575c3a2013-12-18 17:47:02 +1100869.Ed
djm@openbsd.org8f6784f2014-12-22 09:05:17 +0000870.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000871The list of available key exchange algorithms may also be obtained using
872.Qq ssh -Q kex .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000873.It Cm ListenAddress
874Specifies the local addresses
Damien Miller5b0d63f2006-03-15 11:56:56 +1100875.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000876should listen on.
877The following forms may be used:
878.Pp
879.Bl -item -offset indent -compact
880.It
881.Cm ListenAddress
882.Sm off
jmc@openbsd.org08c0eeb2014-11-22 19:21:03 +0000883.Ar host | Ar IPv4_addr | Ar IPv6_addr
Ben Lindstrom9f049032002-06-21 00:59:05 +0000884.Sm on
885.It
886.Cm ListenAddress
887.Sm off
jmc@openbsd.org08c0eeb2014-11-22 19:21:03 +0000888.Ar host | Ar IPv4_addr : Ar port
Ben Lindstrom9f049032002-06-21 00:59:05 +0000889.Sm on
890.It
891.Cm ListenAddress
892.Sm off
893.Oo
jmc@openbsd.org08c0eeb2014-11-22 19:21:03 +0000894.Ar host | Ar IPv6_addr Oc : Ar port
Ben Lindstrom9f049032002-06-21 00:59:05 +0000895.Sm on
896.El
897.Pp
898If
899.Ar port
900is not specified,
dtucker@openbsd.org531a57a2015-04-29 03:48:56 +0000901sshd will listen on the address and all
Ben Lindstrom9f049032002-06-21 00:59:05 +0000902.Cm Port
Damien Millerfbf486b2003-05-23 18:44:23 +1000903options specified.
904The default is to listen on all local addresses.
Damien Miller495dca32003-04-01 21:42:14 +1000905Multiple
Ben Lindstrom9f049032002-06-21 00:59:05 +0000906.Cm ListenAddress
Damien Millerfbf486b2003-05-23 18:44:23 +1000907options are permitted.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000908.It Cm LoginGraceTime
909The server disconnects after this time if the user has not
910successfully logged in.
911If the value is 0, there is no time limit.
Damien Millerc1348632002-09-05 14:35:14 +1000912The default is 120 seconds.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000913.It Cm LogLevel
914Gives the verbosity level that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +1100915.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000916The possible values are:
Damien Miller5b0d63f2006-03-15 11:56:56 +1100917QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
Damien Miller495dca32003-04-01 21:42:14 +1000918The default is INFO.
919DEBUG and DEBUG1 are equivalent.
920DEBUG2 and DEBUG3 each specify higher levels of debugging output.
921Logging with a DEBUG level violates the privacy of users and is not recommended.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000922.It Cm MACs
923Specifies the available MAC (message authentication code) algorithms.
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000924The MAC algorithm is used for data integrity protection.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000925Multiple algorithms must be comma-separated.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000926If the specified value begins with a
927.Sq +
928character, then the specified algorithms will be appended to the default set
929instead of replacing them.
930.Pp
Damien Milleraf43a7a2012-12-12 10:46:31 +1100931The algorithms that contain
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000932.Qq -etm
Damien Milleraf43a7a2012-12-12 10:46:31 +1100933calculate the MAC after encryption (encrypt-then-mac).
934These are considered safer and their use recommended.
Damien Millerc1621c82014-04-20 13:22:46 +1000935The supported MACs are:
936.Pp
937.Bl -item -compact -offset indent
938.It
939hmac-md5
940.It
941hmac-md5-96
942.It
943hmac-ripemd160
944.It
945hmac-sha1
946.It
947hmac-sha1-96
948.It
949hmac-sha2-256
950.It
951hmac-sha2-512
952.It
953umac-64@openssh.com
954.It
955umac-128@openssh.com
956.It
957hmac-md5-etm@openssh.com
958.It
959hmac-md5-96-etm@openssh.com
960.It
961hmac-ripemd160-etm@openssh.com
962.It
963hmac-sha1-etm@openssh.com
964.It
965hmac-sha1-96-etm@openssh.com
966.It
967hmac-sha2-256-etm@openssh.com
968.It
969hmac-sha2-512-etm@openssh.com
970.It
971umac-64-etm@openssh.com
972.It
973umac-128-etm@openssh.com
974.El
975.Pp
Damien Miller5b0d63f2006-03-15 11:56:56 +1100976The default is:
Damien Miller22b7b492007-06-11 14:07:12 +1000977.Bd -literal -offset indent
Damien Milleraf43a7a2012-12-12 10:46:31 +1100978umac-64-etm@openssh.com,umac-128-etm@openssh.com,
979hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
djm@openbsd.orge4c918a2016-02-11 02:56:32 +0000980hmac-sha1-etm@openssh.com,
Damien Millerc1621c82014-04-20 13:22:46 +1000981umac-64@openssh.com,umac-128@openssh.com,
djm@openbsd.orge4c918a2016-02-11 02:56:32 +0000982hmac-sha2-256,hmac-sha2-512,hmac-sha1
Damien Miller22b7b492007-06-11 14:07:12 +1000983.Ed
djm@openbsd.org8f6784f2014-12-22 09:05:17 +0000984.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000985The list of available MAC algorithms may also be obtained using
986.Qq ssh -Q mac .
Darren Tucker45150472006-07-12 22:34:17 +1000987.It Cm Match
Damien Millerd04f3572006-07-24 13:46:50 +1000988Introduces a conditional block.
Damien Miller8c234032006-07-24 14:05:08 +1000989If all of the criteria on the
Darren Tucker45150472006-07-12 22:34:17 +1000990.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +1000991line are satisfied, the keywords on the following lines override those
992set in the global section of the config file, until either another
Darren Tucker45150472006-07-12 22:34:17 +1000993.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +1000994line or the end of the file.
Damien Millerfc5d6752014-02-28 10:01:28 +1100995If a keyword appears in multiple
996.Cm Match
sobrado@openbsd.org180bcb42014-08-30 16:32:25 +0000997blocks that are satisfied, only the first instance of the keyword is
Damien Millerfc5d6752014-02-28 10:01:28 +1100998applied.
Darren Tucker7a3935d2008-06-10 22:59:10 +1000999.Pp
Damien Millerd04f3572006-07-24 13:46:50 +10001000The arguments to
Darren Tucker45150472006-07-12 22:34:17 +10001001.Cm Match
Damien Millercf31f382013-10-24 21:02:56 +11001002are one or more criteria-pattern pairs or the single token
1003.Cm All
1004which matches all criteria.
Darren Tucker45150472006-07-12 22:34:17 +10001005The available criteria are
1006.Cm User ,
Damien Miller565ca3f2006-08-19 00:23:15 +10001007.Cm Group ,
Darren Tucker45150472006-07-12 22:34:17 +10001008.Cm Host ,
Darren Tuckerfbcf8272012-05-19 19:37:01 +10001009.Cm LocalAddress ,
1010.Cm LocalPort ,
Darren Tucker45150472006-07-12 22:34:17 +10001011and
1012.Cm Address .
Darren Tucker7a3935d2008-06-10 22:59:10 +10001013The match patterns may consist of single entries or comma-separated
1014lists and may use the wildcard and negation operators described in the
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001015.Sx PATTERNS
1016section of
Darren Tuckerb06cc4a2008-06-10 22:59:53 +10001017.Xr ssh_config 5 .
Darren Tucker7a3935d2008-06-10 22:59:10 +10001018.Pp
1019The patterns in an
1020.Cm Address
1021criteria may additionally contain addresses to match in CIDR
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001022address/masklen format,
1023such as 192.0.2.0/24 or 2001:db8::/32.
Darren Tucker7a3935d2008-06-10 22:59:10 +10001024Note that the mask length provided must be consistent with the address -
1025it is an error to specify a mask length that is too long for the address
Darren Tucker6a2a4002008-06-10 23:03:04 +10001026or one with bits set in this host portion of the address.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001027For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
Darren Tucker7a3935d2008-06-10 22:59:10 +10001028.Pp
Darren Tucker45150472006-07-12 22:34:17 +10001029Only a subset of keywords may be used on the lines following a
1030.Cm Match
1031keyword.
1032Available keywords are
Damien Millerf8268502012-06-20 21:54:15 +10001033.Cm AcceptEnv ,
Damien Miller17819012009-01-28 16:20:17 +11001034.Cm AllowAgentForwarding ,
Damien Millerf8268502012-06-20 21:54:15 +10001035.Cm AllowGroups ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001036.Cm AllowStreamLocalForwarding ,
Damien Miller9b439df2006-07-24 14:04:00 +10001037.Cm AllowTcpForwarding ,
Damien Millerc24da772012-06-20 21:53:58 +10001038.Cm AllowUsers ,
Damien Millera6e3f012012-11-04 23:21:40 +11001039.Cm AuthenticationMethods ,
Damien Miller09d3e122012-10-31 08:58:58 +11001040.Cm AuthorizedKeysCommand ,
1041.Cm AuthorizedKeysCommandUser ,
Damien Millerf33580e2012-11-04 22:22:52 +11001042.Cm AuthorizedKeysFile ,
djm@openbsd.orgb6b91082015-11-13 02:57:46 +00001043.Cm AuthorizedPrincipalsCommand ,
1044.Cm AuthorizedPrincipalsCommandUser ,
Damien Millerab6de352010-06-26 09:38:45 +10001045.Cm AuthorizedPrincipalsFile ,
Darren Tucker1629c072007-02-19 22:25:37 +11001046.Cm Banner ,
Damien Miller797e3d12008-05-19 14:27:42 +10001047.Cm ChrootDirectory ,
Damien Millerc24da772012-06-20 21:53:58 +10001048.Cm DenyGroups ,
1049.Cm DenyUsers ,
Damien Millere2754432006-07-24 14:06:47 +10001050.Cm ForceCommand ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001051.Cm GatewayPorts ,
djm@openbsd.orgbd49da22015-02-20 23:46:01 +00001052.Cm GSSAPIAuthentication ,
djm@openbsd.org1f729f02015-01-13 07:39:19 +00001053.Cm HostbasedAcceptedKeyTypes ,
Damien Miller25434de2008-05-19 14:29:08 +10001054.Cm HostbasedAuthentication ,
Damien Millerab6de352010-06-26 09:38:45 +10001055.Cm HostbasedUsesNameFromPacketOnly ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001056.Cm IPQoS ,
Darren Tucker1d75f222007-03-01 21:31:28 +11001057.Cm KbdInteractiveAuthentication ,
Damien Miller5737e362007-03-06 21:21:18 +11001058.Cm KerberosAuthentication ,
Damien Miller307c1d12008-06-16 07:56:20 +10001059.Cm MaxAuthTries ,
Damien Millerc62a5af2008-06-16 07:55:46 +10001060.Cm MaxSessions ,
Darren Tucker1629c072007-02-19 22:25:37 +11001061.Cm PasswordAuthentication ,
Damien Miller51bde602008-11-03 19:23:10 +11001062.Cm PermitEmptyPasswords ,
Damien Millerd1de9952006-07-24 14:05:48 +10001063.Cm PermitOpen ,
Darren Tucker15f94272008-01-01 20:36:56 +11001064.Cm PermitRootLogin ,
Damien Miller5ff30c62013-10-30 22:21:50 +11001065.Cm PermitTTY ,
Damien Millerab6de352010-06-26 09:38:45 +10001066.Cm PermitTunnel ,
Damien Miller72e6b5c2014-07-04 09:00:04 +10001067.Cm PermitUserRC ,
djm@openbsd.org1f729f02015-01-13 07:39:19 +00001068.Cm PubkeyAcceptedKeyTypes ,
Darren Tucker1477ea12009-10-07 08:36:05 +11001069.Cm PubkeyAuthentication ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001070.Cm RekeyLimit ,
1071.Cm RevokedKeys ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001072.Cm StreamLocalBindMask ,
1073.Cm StreamLocalBindUnlink ,
1074.Cm TrustedUserCAKeys ,
Damien Millerd1de9952006-07-24 14:05:48 +10001075.Cm X11DisplayOffset ,
Damien Miller19913842009-02-23 10:53:58 +11001076.Cm X11Forwarding
Darren Tucker45150472006-07-12 22:34:17 +10001077and
Damien Miller0296ae82009-02-23 11:00:24 +11001078.Cm X11UseLocalHost .
Darren Tucker89413db2004-05-24 10:36:23 +10001079.It Cm MaxAuthTries
1080Specifies the maximum number of authentication attempts permitted per
Damien Miller26213e52004-06-30 22:39:34 +10001081connection.
1082Once the number of failures reaches half this value,
1083additional failures are logged.
1084The default is 6.
Damien Miller7207f642008-05-19 15:34:50 +10001085.It Cm MaxSessions
djm@openbsd.orgcac3b662016-02-05 02:37:56 +00001086Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
1087sessions permitted per network connection.
1088Multiple sessions may be established by clients that support connection
1089multiplexing.
1090Setting
1091.Cm MaxSessions
1092to 1 will effectively disable session multiplexing, whereas setting it to 0
1093will prevent all shell, login and subsystem sessions while still permitting
1094forwarding.
Damien Miller7207f642008-05-19 15:34:50 +10001095The default is 10.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001096.It Cm MaxStartups
1097Specifies the maximum number of concurrent unauthenticated connections to the
Damien Miller5b0d63f2006-03-15 11:56:56 +11001098SSH daemon.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001099Additional connections will be dropped until authentication succeeds or the
1100.Cm LoginGraceTime
1101expires for a connection.
Damien Miller1f583df2013-02-12 11:02:08 +11001102The default is 10:30:100.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001103.Pp
1104Alternatively, random early drop can be enabled by specifying
1105the three colon separated values
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001106start:rate:full (e.g. "10:30:60").
Damien Millerf4f22b52006-03-15 11:57:25 +11001107.Xr sshd 8
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001108will refuse connection attempts with a probability of rate/100 (30%)
1109if there are currently start (10) unauthenticated connections.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001110The probability increases linearly and all connection attempts
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001111are refused if the number of unauthenticated connections reaches full (60).
Ben Lindstrom9f049032002-06-21 00:59:05 +00001112.It Cm PasswordAuthentication
1113Specifies whether password authentication is allowed.
1114The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001115.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001116.It Cm PermitEmptyPasswords
1117When password authentication is allowed, it specifies whether the
1118server allows login to accounts with empty password strings.
1119The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001120.Cm no .
Damien Miller9b439df2006-07-24 14:04:00 +10001121.It Cm PermitOpen
1122Specifies the destinations to which TCP port forwarding is permitted.
1123The forwarding specification must be one of the following forms:
1124.Pp
1125.Bl -item -offset indent -compact
1126.It
1127.Cm PermitOpen
1128.Sm off
1129.Ar host : port
1130.Sm on
1131.It
1132.Cm PermitOpen
1133.Sm off
1134.Ar IPv4_addr : port
1135.Sm on
1136.It
1137.Cm PermitOpen
1138.Sm off
1139.Ar \&[ IPv6_addr \&] : port
1140.Sm on
1141.El
1142.Pp
Damien Millera765cf42006-07-24 14:08:13 +10001143Multiple forwards may be specified by separating them with whitespace.
Damien Miller9b439df2006-07-24 14:04:00 +10001144An argument of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001145.Cm any
Damien Miller9b439df2006-07-24 14:04:00 +10001146can be used to remove all restrictions and permit any forwarding requests.
Darren Tuckerba9ea322012-05-19 19:37:33 +10001147An argument of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001148.Cm none
Darren Tuckerba9ea322012-05-19 19:37:33 +10001149can be used to prohibit all forwarding requests.
jmc@openbsd.org32d921c2016-07-19 12:59:16 +00001150The wildcard
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001151.Sq *
jmc@openbsd.org32d921c2016-07-19 12:59:16 +00001152can be used for host or port to allow all hosts or ports, respectively.
Damien Miller65bc2c42006-07-24 14:04:16 +10001153By default all port forwarding requests are permitted.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001154.It Cm PermitRootLogin
Darren Tuckerb3509012005-01-20 11:01:46 +11001155Specifies whether root can log in using
Ben Lindstrom9f049032002-06-21 00:59:05 +00001156.Xr ssh 1 .
1157The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001158.Cm yes ,
1159.Cm prohibit-password ,
1160.Cm without-password ,
1161.Cm forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001162or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001163.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001164The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001165.Cm prohibit-password .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001166.Pp
1167If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001168.Cm prohibit-password
deraadt@openbsd.org1dc8d932015-08-06 14:53:21 +00001169or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001170.Cm without-password ,
deraadt@openbsd.org1dc8d932015-08-06 14:53:21 +00001171password and keyboard-interactive authentication are disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001172.Pp
1173If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001174.Cm forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001175root login with public key authentication will be allowed,
1176but only if the
1177.Ar command
1178option has been specified
1179(which may be useful for taking remote backups even if root login is
Damien Millerfbf486b2003-05-23 18:44:23 +10001180normally not allowed).
1181All other authentication methods are disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001182.Pp
1183If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001184.Cm no ,
Darren Tuckerb3509012005-01-20 11:01:46 +11001185root is not allowed to log in.
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +00001186.It Cm PermitTTY
1187Specifies whether
1188.Xr pty 4
1189allocation is permitted.
1190The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001191.Cm yes .
Damien Millerd27b9472005-12-13 19:29:02 +11001192.It Cm PermitTunnel
1193Specifies whether
1194.Xr tun 4
1195device forwarding is allowed.
Damien Miller7b58e802005-12-13 19:33:19 +11001196The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001197.Cm yes ,
1198.Cm point-to-point
Damien Miller991dba42006-07-10 20:16:27 +10001199(layer 3),
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001200.Cm ethernet
Damien Miller991dba42006-07-10 20:16:27 +10001201(layer 2), or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001202.Cm no .
Damien Miller991dba42006-07-10 20:16:27 +10001203Specifying
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001204.Cm yes
Damien Miller991dba42006-07-10 20:16:27 +10001205permits both
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001206.Cm point-to-point
Damien Miller991dba42006-07-10 20:16:27 +10001207and
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001208.Cm ethernet .
Damien Millerd27b9472005-12-13 19:29:02 +11001209The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001210.Cm no .
djm@openbsd.org48dffd52014-09-09 09:45:36 +00001211.Pp
1212Independent of this setting, the permissions of the selected
1213.Xr tun 4
1214device must allow access to the user.
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001215.It Cm PermitUserEnvironment
1216Specifies whether
1217.Pa ~/.ssh/environment
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001218and
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001219.Cm environment=
1220options in
1221.Pa ~/.ssh/authorized_keys
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001222are processed by
Damien Miller5b0d63f2006-03-15 11:56:56 +11001223.Xr sshd 8 .
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001224The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001225.Cm no .
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001226Enabling environment processing may enable users to bypass access
1227restrictions in some configurations using mechanisms such as
1228.Ev LD_PRELOAD .
Damien Miller72e6b5c2014-07-04 09:00:04 +10001229.It Cm PermitUserRC
1230Specifies whether any
1231.Pa ~/.ssh/rc
1232file is executed.
1233The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001234.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001235.It Cm PidFile
Ben Lindstrom959de992002-06-23 00:35:25 +00001236Specifies the file that contains the process ID of the
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001237SSH daemon, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001238.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001239to not write one.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001240The default is
1241.Pa /var/run/sshd.pid .
1242.It Cm Port
1243Specifies the port number that
Damien Miller5b0d63f2006-03-15 11:56:56 +11001244.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001245listens on.
1246The default is 22.
1247Multiple options of this type are permitted.
1248See also
1249.Cm ListenAddress .
1250.It Cm PrintLastLog
1251Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001252.Xr sshd 8
Darren Tucker7cc5c232004-11-05 20:06:59 +11001253should print the date and time of the last user login when a user logs
1254in interactively.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001255The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001256.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001257.It Cm PrintMotd
1258Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001259.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001260should print
1261.Pa /etc/motd
1262when a user logs in interactively.
1263(On some systems it is also printed by the shell,
1264.Pa /etc/profile ,
1265or equivalent.)
1266The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001267.Cm yes .
djm@openbsd.org1f729f02015-01-13 07:39:19 +00001268.It Cm PubkeyAcceptedKeyTypes
1269Specifies the key types that will be accepted for public key authentication
1270as a comma-separated pattern list.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +00001271Alternately if the specified value begins with a
1272.Sq +
1273character, then the specified key types will be appended to the default set
1274instead of replacing them.
markus@openbsd.org3a1638d2015-07-10 06:21:53 +00001275The default for this option is:
1276.Bd -literal -offset 3n
1277ecdsa-sha2-nistp256-cert-v01@openssh.com,
1278ecdsa-sha2-nistp384-cert-v01@openssh.com,
1279ecdsa-sha2-nistp521-cert-v01@openssh.com,
1280ssh-ed25519-cert-v01@openssh.com,
1281ssh-rsa-cert-v01@openssh.com,
1282ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org3a13cb52016-02-17 08:57:34 +00001283ssh-ed25519,ssh-rsa
markus@openbsd.org3a1638d2015-07-10 06:21:53 +00001284.Ed
1285.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001286The list of available key types may also be obtained using
1287.Qq ssh -Q key .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001288.It Cm PubkeyAuthentication
1289Specifies whether public key authentication is allowed.
1290The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001291.Cm yes .
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001292.It Cm RekeyLimit
1293Specifies the maximum amount of data that may be transmitted before the
1294session key is renegotiated, optionally followed a maximum amount of
1295time that may pass before the session key is renegotiated.
1296The first argument is specified in bytes and may have a suffix of
1297.Sq K ,
1298.Sq M ,
1299or
1300.Sq G
1301to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1302The default is between
1303.Sq 1G
1304and
1305.Sq 4G ,
1306depending on the cipher.
1307The optional second value is specified in seconds and may use any of the
1308units documented in the
1309.Sx TIME FORMATS
Darren Tucker64d22942013-05-16 20:31:29 +10001310section.
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001311The default value for
1312.Cm RekeyLimit
1313is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001314.Cm default none ,
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001315which means that rekeying is performed after the cipher's default amount
1316of data has been sent or received and no time based rekeying is done.
Damien Miller1aed65e2010-03-04 21:53:35 +11001317.It Cm RevokedKeys
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001318Specifies revoked public keys file, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001319.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001320to not use one.
Damien Miller1aed65e2010-03-04 21:53:35 +11001321Keys listed in this file will be refused for public key authentication.
1322Note that if this file is not readable, then public key authentication will
1323be refused for all users.
Damien Millerf3747bf2013-01-18 11:44:04 +11001324Keys may be specified as a text file, listing one public key per line, or as
1325an OpenSSH Key Revocation List (KRL) as generated by
Damien Miller72abeb72013-01-20 22:33:44 +11001326.Xr ssh-keygen 1 .
Damien Millerfecfd112013-07-18 16:11:50 +10001327For more information on KRLs, see the KEY REVOCATION LISTS section in
Damien Millerf3747bf2013-01-18 11:44:04 +11001328.Xr ssh-keygen 1 .
Damien Miller7acefbb2014-07-18 14:11:24 +10001329.It Cm StreamLocalBindMask
1330Sets the octal file creation mode mask
1331.Pq umask
1332used when creating a Unix-domain socket file for local or remote
1333port forwarding.
1334This option is only used for port forwarding to a Unix-domain socket file.
1335.Pp
1336The default value is 0177, which creates a Unix-domain socket file that is
1337readable and writable only by the owner.
1338Note that not all operating systems honor the file mode on Unix-domain
1339socket files.
1340.It Cm StreamLocalBindUnlink
1341Specifies whether to remove an existing Unix-domain socket file for local
1342or remote port forwarding before creating a new one.
1343If the socket file already exists and
1344.Cm StreamLocalBindUnlink
1345is not enabled,
1346.Nm sshd
1347will be unable to forward the port to the Unix-domain socket file.
1348This option is only used for port forwarding to a Unix-domain socket file.
1349.Pp
1350The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001351.Cm yes
Damien Miller7acefbb2014-07-18 14:11:24 +10001352or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001353.Cm no .
Damien Miller7acefbb2014-07-18 14:11:24 +10001354The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001355.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001356.It Cm StrictModes
1357Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001358.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001359should check file modes and ownership of the
1360user's files and home directory before accepting login.
1361This is normally desirable because novices sometimes accidentally leave their
1362directory or files world-writable.
1363The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001364.Cm yes .
Darren Tuckerf788a912010-01-08 17:06:47 +11001365Note that this does not apply to
1366.Cm ChrootDirectory ,
1367whose permissions and ownership are checked unconditionally.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001368.It Cm Subsystem
Damien Miller208f1ed2006-03-15 11:56:03 +11001369Configures an external subsystem (e.g. file transfer daemon).
Damien Miller917f9b62006-07-10 20:36:47 +10001370Arguments should be a subsystem name and a command (with optional arguments)
1371to execute upon subsystem request.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001372.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +00001373The command
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001374.Cm sftp-server
1375implements the SFTP file transfer subsystem.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001376.Pp
1377Alternately the name
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001378.Cm internal-sftp
1379implements an in-process SFTP server.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001380This may simplify configurations using
1381.Cm ChrootDirectory
1382to force a different filesystem root on clients.
1383.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +00001384By default no subsystems are defined.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001385.It Cm SyslogFacility
1386Gives the facility code that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +11001387.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001388The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1389LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1390The default is AUTH.
Damien Miller12c150e2003-12-17 16:31:10 +11001391.It Cm TCPKeepAlive
1392Specifies whether the system should send TCP keepalive messages to the
1393other side.
1394If they are sent, death of the connection or crash of one
1395of the machines will be properly noticed.
1396However, this means that
1397connections will die if the route is down temporarily, and some people
1398find it annoying.
1399On the other hand, if TCP keepalives are not sent,
1400sessions may hang indefinitely on the server, leaving
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001401.Qq ghost
Damien Miller12c150e2003-12-17 16:31:10 +11001402users and consuming server resources.
1403.Pp
1404The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001405.Cm yes
Damien Miller12c150e2003-12-17 16:31:10 +11001406(to send TCP keepalive messages), and the server will notice
1407if the network goes down or the client host crashes.
1408This avoids infinitely hanging sessions.
1409.Pp
1410To disable TCP keepalive messages, the value should be set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001411.Cm no .
Damien Miller1aed65e2010-03-04 21:53:35 +11001412.It Cm TrustedUserCAKeys
1413Specifies a file containing public keys of certificate authorities that are
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001414trusted to sign user certificates for authentication, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001415.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001416to not use one.
Damien Miller72b33822010-03-05 07:39:01 +11001417Keys are listed one per line; empty lines and comments starting with
Damien Miller1aed65e2010-03-04 21:53:35 +11001418.Ql #
1419are allowed.
1420If a certificate is presented for authentication and has its signing CA key
1421listed in this file, then it may be used for authentication for any user
1422listed in the certificate's principals list.
1423Note that certificates that lack a list of principals will not be permitted
1424for authentication using
1425.Cm TrustedUserCAKeys .
Damien Millerfecfd112013-07-18 16:11:50 +10001426For more details on certificates, see the CERTIFICATES section in
Damien Miller1aed65e2010-03-04 21:53:35 +11001427.Xr ssh-keygen 1 .
Damien Miller3a961dc2003-06-03 10:25:48 +10001428.It Cm UseDNS
1429Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001430.Xr sshd 8
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001431should look up the remote host name, and to check that
Damien Miller3a961dc2003-06-03 10:25:48 +10001432the resolved host name for the remote IP address maps back to the
1433very same IP address.
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001434.Pp
1435If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001436.Cm no
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001437(the default) then only addresses and not host names may be used in
djm@openbsd.org0235a5f2016-03-17 17:19:43 +00001438.Pa ~/.ssh/authorized_keys
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001439.Cm from
1440and
jmc@openbsd.org1f8d3d62015-08-14 15:32:41 +00001441.Nm
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001442.Cm Match
1443.Cm Host
1444directives.
Damien Miller2e193e22003-05-14 15:13:03 +10001445.It Cm UsePAM
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001446Enables the Pluggable Authentication Module interface.
1447If set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001448.Cm yes
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001449this will enable PAM authentication using
1450.Cm ChallengeResponseAuthentication
Darren Tuckera4904f72006-02-23 21:35:30 +11001451and
1452.Cm PasswordAuthentication
1453in addition to PAM account and session module processing for all
1454authentication types.
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001455.Pp
1456Because PAM challenge-response authentication usually serves an equivalent
1457role to password authentication, you should disable either
1458.Cm PasswordAuthentication
1459or
1460.Cm ChallengeResponseAuthentication.
1461.Pp
1462If
1463.Cm UsePAM
1464is enabled, you will not be able to run
1465.Xr sshd 8
1466as a non-root user.
1467The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001468.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001469.It Cm UsePrivilegeSeparation
1470Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001471.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001472separates privileges by creating an unprivileged child process
Damien Miller495dca32003-04-01 21:42:14 +10001473to deal with incoming network traffic.
1474After successful authentication, another process will be created that has
1475the privilege of the authenticated user.
1476The goal of privilege separation is to prevent privilege
Ben Lindstrom9f049032002-06-21 00:59:05 +00001477escalation by containing any corruption within the unprivileged processes.
sobrado@openbsd.orgbdcb73f2015-10-07 14:45:30 +00001478The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001479.Cm yes ,
1480.Cm no ,
sobrado@openbsd.orgbdcb73f2015-10-07 14:45:30 +00001481or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001482.Cm sandbox .
Damien Miller69ff1df2011-06-23 08:30:03 +10001483If
1484.Cm UsePrivilegeSeparation
1485is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001486.Cm sandbox
Damien Miller69ff1df2011-06-23 08:30:03 +10001487then the pre-authentication unprivileged process is subject to additional
1488restrictions.
sobrado@openbsd.orgbdcb73f2015-10-07 14:45:30 +00001489The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001490.Cm sandbox .
Damien Miller23528812012-04-22 11:24:43 +10001491.It Cm VersionAddendum
1492Optionally specifies additional text to append to the SSH protocol banner
1493sent by the server upon connection.
1494The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001495.Cm none .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001496.It Cm X11DisplayOffset
1497Specifies the first display number available for
Damien Miller5b0d63f2006-03-15 11:56:56 +11001498.Xr sshd 8 Ns 's
Ben Lindstrom9f049032002-06-21 00:59:05 +00001499X11 forwarding.
Damien Miller5b0d63f2006-03-15 11:56:56 +11001500This prevents sshd from interfering with real X11 servers.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001501The default is 10.
1502.It Cm X11Forwarding
1503Specifies whether X11 forwarding is permitted.
Damien Miller101c4a72002-09-19 11:51:21 +10001504The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001505.Cm yes
Damien Miller101c4a72002-09-19 11:51:21 +10001506or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001507.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001508The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001509.Cm no .
Damien Miller101c4a72002-09-19 11:51:21 +10001510.Pp
1511When X11 forwarding is enabled, there may be additional exposure to
1512the server and to client displays if the
Damien Miller5b0d63f2006-03-15 11:56:56 +11001513.Xr sshd 8
Damien Miller101c4a72002-09-19 11:51:21 +10001514proxy display is configured to listen on the wildcard address (see
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001515.Cm X11UseLocalhost ) ,
1516though this is not the default.
Damien Miller101c4a72002-09-19 11:51:21 +10001517Additionally, the authentication spoofing and authentication data
1518verification and substitution occur on the client side.
1519The security risk of using X11 forwarding is that the client's X11
Damien Miller5b0d63f2006-03-15 11:56:56 +11001520display server may be exposed to attack when the SSH client requests
Damien Miller101c4a72002-09-19 11:51:21 +10001521forwarding (see the warnings for
1522.Cm ForwardX11
1523in
Damien Millerf1ce5052003-06-11 22:04:39 +10001524.Xr ssh_config 5 ) .
Damien Miller101c4a72002-09-19 11:51:21 +10001525A system administrator may have a stance in which they want to
1526protect clients that may expose themselves to attack by unwittingly
1527requesting X11 forwarding, which can warrant a
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001528.Cm no
Damien Miller101c4a72002-09-19 11:51:21 +10001529setting.
1530.Pp
1531Note that disabling X11 forwarding does not prevent users from
1532forwarding X11 traffic, as users can always install their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001533.It Cm X11UseLocalhost
1534Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001535.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001536should bind the X11 forwarding server to the loopback address or to
Damien Miller495dca32003-04-01 21:42:14 +10001537the wildcard address.
1538By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +11001539sshd binds the forwarding server to the loopback address and sets the
Ben Lindstrom9f049032002-06-21 00:59:05 +00001540hostname part of the
1541.Ev DISPLAY
1542environment variable to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001543.Cm localhost .
Ben Lindstrom15b61202002-08-20 18:44:24 +00001544This prevents remote hosts from connecting to the proxy display.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001545However, some older X11 clients may not function with this
1546configuration.
1547.Cm X11UseLocalhost
1548may be set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001549.Cm no
Ben Lindstrom9f049032002-06-21 00:59:05 +00001550to specify that the forwarding server should be bound to the wildcard
1551address.
1552The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001553.Cm yes
Ben Lindstrom9f049032002-06-21 00:59:05 +00001554or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001555.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001556The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001557.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001558.It Cm XAuthLocation
Damien Miller05913ba2002-09-04 16:51:03 +10001559Specifies the full pathname of the
Ben Lindstrom9f049032002-06-21 00:59:05 +00001560.Xr xauth 1
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001561program, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001562.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001563to not use one.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001564The default is
1565.Pa /usr/X11R6/bin/xauth .
1566.El
Damien Millere3beba22006-03-15 11:59:25 +11001567.Sh TIME FORMATS
Damien Millerf4f22b52006-03-15 11:57:25 +11001568.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001569command-line arguments and configuration file options that specify time
1570may be expressed using a sequence of the form:
1571.Sm off
Ben Lindstrom1f8cf4f2002-08-20 18:43:27 +00001572.Ar time Op Ar qualifier ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001573.Sm on
1574where
1575.Ar time
1576is a positive integer value and
1577.Ar qualifier
1578is one of the following:
1579.Pp
1580.Bl -tag -width Ds -compact -offset indent
Damien Miller393821a2006-07-24 14:04:53 +10001581.It Aq Cm none
Ben Lindstrom9f049032002-06-21 00:59:05 +00001582seconds
1583.It Cm s | Cm S
1584seconds
1585.It Cm m | Cm M
1586minutes
1587.It Cm h | Cm H
1588hours
1589.It Cm d | Cm D
1590days
1591.It Cm w | Cm W
1592weeks
1593.El
1594.Pp
1595Each member of the sequence is added together to calculate
1596the total time value.
1597.Pp
1598Time format examples:
1599.Pp
1600.Bl -tag -width Ds -compact -offset indent
1601.It 600
1602600 seconds (10 minutes)
1603.It 10m
160410 minutes
1605.It 1h30m
16061 hour 30 minutes (90 minutes)
1607.El
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001608.Sh TOKENS
1609Arguments to some keywords can make use of tokens,
1610which are expanded at runtime:
1611.Pp
1612.Bl -tag -width XXXX -offset indent -compact
1613.It %%
1614A literal
1615.Sq % .
1616.It %F
1617The fingerprint of the CA key.
1618.It %f
1619The fingerprint of the key or certificate.
1620.It %h
1621The home directory of the user.
1622.It %i
1623The key ID in the certificate.
1624.It %K
1625The base64-encoded CA key.
1626.It %k
1627The base64-encoded key or certificate for authentication.
1628.It %s
1629The serial number of the certificate.
1630.It \&%T
1631The type of the CA key.
1632.It %t
1633The key or certificate type.
1634.It %u
1635The username.
1636.El
1637.Pp
1638.Cm AuthorizedKeysCommand
1639accepts the tokens %%, %f, %h, %t, and %u.
1640.Pp
1641.Cm AuthorizedKeysFile
1642accepts the tokens %%, %h, and %u.
1643.Pp
1644.Cm AuthorizedPrincipalsCommand
1645accepts the tokens %%, %F, %f, %K, %k, %h, %i, %s, %T, %t, and %u.
1646.Pp
1647.Cm AuthorizedPrincipalsFile
1648accepts the tokens %%, %h, and %u.
1649.Pp
1650.Cm ChrootDirectory
1651accepts the tokens %%, %h, and %u.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001652.Sh FILES
1653.Bl -tag -width Ds
1654.It Pa /etc/ssh/sshd_config
1655Contains configuration data for
Damien Millerf4f22b52006-03-15 11:57:25 +11001656.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001657This file should be writable by root only, but it is recommended
1658(though not necessary) that it be world-readable.
1659.El
Damien Millerf1ce5052003-06-11 22:04:39 +10001660.Sh SEE ALSO
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001661.Xr sftp-server 8 ,
Damien Millerf1ce5052003-06-11 22:04:39 +10001662.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001663.Sh AUTHORS
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001664.An -nosplit
Ben Lindstrom9f049032002-06-21 00:59:05 +00001665OpenSSH is a derivative of the original and free
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001666ssh 1.2.12 release by
1667.An Tatu Ylonen .
1668.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,
1669.An Theo de Raadt
1670and
1671.An Dug Song
Ben Lindstrom9f049032002-06-21 00:59:05 +00001672removed many bugs, re-added newer features and
1673created OpenSSH.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001674.An Markus Friedl
1675contributed the support for SSH protocol versions 1.5 and 2.0.
1676.An Niels Provos
1677and
1678.An Markus Friedl
1679contributed support for privilege separation.