blob: 9486f2a1c678ab56c260fd57fa0347a4fa0a745e [file] [log] [blame]
Ben Lindstrom9f049032002-06-21 00:59:05 +00001.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\" All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose. Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\" notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\" notice, this list of conditions and the following disclaimer in the
23.\" documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
naddy@openbsd.org91a21352019-09-06 14:45:34 +000036.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
37.Dd $Mdocdate: September 6 2019 $
Ben Lindstrom9f049032002-06-21 00:59:05 +000038.Dt SSHD_CONFIG 5
39.Os
40.Sh NAME
41.Nm sshd_config
42.Nd OpenSSH SSH daemon configuration file
Ben Lindstrom9f049032002-06-21 00:59:05 +000043.Sh DESCRIPTION
Damien Millerf4f22b52006-03-15 11:57:25 +110044.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +000045reads configuration data from
46.Pa /etc/ssh/sshd_config
47(or the file specified with
48.Fl f
49on the command line).
50The file contains keyword-argument pairs, one per line.
benno@openbsd.orgcfa46822017-10-09 20:12:51 +000051For each keyword, the first obtained value will be used.
Ben Lindstrom9f049032002-06-21 00:59:05 +000052Lines starting with
53.Ql #
54and empty lines are interpreted as comments.
Damien Miller306d1182006-03-15 12:05:59 +110055Arguments may optionally be enclosed in double quotes
56.Pq \&"
57in order to represent arguments containing spaces.
Ben Lindstrom9f049032002-06-21 00:59:05 +000058.Pp
59The possible
60keywords and their meanings are as follows (note that
61keywords are case-insensitive and arguments are case-sensitive):
62.Bl -tag -width Ds
Darren Tucker46bc0752004-05-02 22:11:30 +100063.It Cm AcceptEnv
64Specifies what environment variables sent by the client will be copied into
65the session's
66.Xr environ 7 .
67See
68.Cm SendEnv
djm@openbsd.org7082bb52018-06-09 03:01:12 +000069and
70.Cm SetEnv
Darren Tucker46bc0752004-05-02 22:11:30 +100071in
72.Xr ssh_config 5
73for how to configure the client.
jmc@openbsd.orga685ae82016-02-17 07:38:19 +000074The
dtucker@openbsd.org85b96ef2015-04-28 10:17:58 +000075.Ev TERM
djm@openbsd.org1678d422018-06-09 03:18:11 +000076environment variable is always accepted whenever the client
djm@openbsd.org732d61f2015-06-05 03:44:14 +000077requests a pseudo-terminal as it is required by the protocol.
Darren Tucker46bc0752004-05-02 22:11:30 +100078Variables are specified by name, which may contain the wildcard characters
Damien Miller208f1ed2006-03-15 11:56:03 +110079.Ql *
Darren Tucker46bc0752004-05-02 22:11:30 +100080and
81.Ql \&? .
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100082Multiple environment variables may be separated by whitespace or spread
Darren Tucker46bc0752004-05-02 22:11:30 +100083across multiple
84.Cm AcceptEnv
85directives.
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100086Be warned that some environment variables could be used to bypass restricted
Darren Tucker46bc0752004-05-02 22:11:30 +100087user environments.
88For this reason, care should be taken in the use of this directive.
89The default is not to accept any environment variables.
Darren Tucker0f383232005-01-20 10:57:56 +110090.It Cm AddressFamily
91Specifies which address family should be used by
Damien Millerf4f22b52006-03-15 11:57:25 +110092.Xr sshd 8 .
Darren Tucker0f383232005-01-20 10:57:56 +110093Valid arguments are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +000094.Cm any
95(the default),
96.Cm inet
Damien Miller5b0d63f2006-03-15 11:56:56 +110097(use IPv4 only), or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +000098.Cm inet6
Darren Tucker0f383232005-01-20 10:57:56 +110099(use IPv6 only).
Damien Millere9890192008-05-19 14:59:02 +1000100.It Cm AllowAgentForwarding
101Specifies whether
102.Xr ssh-agent 1
103forwarding is permitted.
104The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000105.Cm yes .
Damien Millere9890192008-05-19 14:59:02 +1000106Note that disabling agent forwarding does not improve security
107unless users are also denied shell access, as they can always install
108their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000109.It Cm AllowGroups
110This keyword can be followed by a list of group name patterns, separated
111by spaces.
112If specified, login is allowed only for users whose primary
113group or supplementary group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000114Only group names are valid; a numerical group ID is not recognized.
115By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100116The allow/deny directives are processed in the following order:
117.Cm DenyUsers ,
118.Cm AllowUsers ,
119.Cm DenyGroups ,
120and finally
121.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100122.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000123See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100124.Xr ssh_config 5
125for more information on patterns.
Damien Miller7acefbb2014-07-18 14:11:24 +1000126.It Cm AllowStreamLocalForwarding
127Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
128The available options are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000129.Cm yes
130(the default)
Damien Miller7acefbb2014-07-18 14:11:24 +1000131or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000132.Cm all
Damien Miller7acefbb2014-07-18 14:11:24 +1000133to allow StreamLocal forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000134.Cm no
Damien Miller7acefbb2014-07-18 14:11:24 +1000135to prevent all StreamLocal forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000136.Cm local
Damien Miller7acefbb2014-07-18 14:11:24 +1000137to allow local (from the perspective of
138.Xr ssh 1 )
139forwarding only or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000140.Cm remote
Damien Miller7acefbb2014-07-18 14:11:24 +1000141to allow remote forwarding only.
Damien Miller7acefbb2014-07-18 14:11:24 +1000142Note that disabling StreamLocal forwarding does not improve security unless
143users are also denied shell access, as they can always install their
144own forwarders.
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000145.It Cm AllowTcpForwarding
146Specifies whether TCP forwarding is permitted.
147The available options are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000148.Cm yes
149(the default)
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000150or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000151.Cm all
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000152to allow TCP forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000153.Cm no
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000154to prevent all TCP forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000155.Cm local
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000156to allow local (from the perspective of
157.Xr ssh 1 )
158forwarding only or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000159.Cm remote
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000160to allow remote forwarding only.
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000161Note that disabling TCP forwarding does not improve security unless
162users are also denied shell access, as they can always install their
163own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000164.It Cm AllowUsers
165This keyword can be followed by a list of user name patterns, separated
166by spaces.
Damien Miller5a93add2003-01-24 11:34:52 +1100167If specified, login is allowed only for user names that
Ben Lindstrom9f049032002-06-21 00:59:05 +0000168match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000169Only user names are valid; a numerical user ID is not recognized.
170By default, login is allowed for all users.
171If the pattern takes the form USER@HOST then USER and HOST
172are separately checked, restricting logins to particular
173users from particular hosts.
jmc@openbsd.orgee1e0a12016-04-27 13:53:48 +0000174HOST criteria may additionally contain addresses to match in CIDR
175address/masklen format.
Damien Millerac73e512006-03-15 11:58:49 +1100176The allow/deny directives are processed in the following order:
177.Cm DenyUsers ,
178.Cm AllowUsers ,
179.Cm DenyGroups ,
180and finally
181.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100182.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000183See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100184.Xr ssh_config 5
185for more information on patterns.
Damien Millera6e3f012012-11-04 23:21:40 +1100186.It Cm AuthenticationMethods
187Specifies the authentication methods that must be successfully completed
188for a user to be granted access.
djm@openbsd.org472269f2018-07-20 05:01:10 +0000189This option must be followed by one or more lists of comma-separated
djm@openbsd.orgb64faeb2016-06-17 05:03:40 +0000190authentication method names, or by the single string
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000191.Cm any
djm@openbsd.orgb64faeb2016-06-17 05:03:40 +0000192to indicate the default behaviour of accepting any single authentication
jmc@openbsd.orgad23a752016-06-17 06:33:30 +0000193method.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000194If the default is overridden, then successful authentication requires
djm@openbsd.orgb64faeb2016-06-17 05:03:40 +0000195completion of every method in at least one of these lists.
Damien Millera6e3f012012-11-04 23:21:40 +1100196.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000197For example,
198.Qq publickey,password publickey,keyboard-interactive
Damien Millera6e3f012012-11-04 23:21:40 +1100199would require the user to complete public key authentication, followed by
200either password or keyboard interactive authentication.
201Only methods that are next in one or more lists are offered at each stage,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000202so for this example it would not be possible to attempt password or
Damien Millera6e3f012012-11-04 23:21:40 +1100203keyboard-interactive authentication before public key.
204.Pp
Damien Miller91a55f22013-04-23 15:18:10 +1000205For keyboard interactive authentication it is also possible to
206restrict authentication to a specific device by appending a
207colon followed by the device identifier
Damien Miller87f08be2018-07-20 13:18:28 +1000208.Cm bsdauth
Damien Miller91a55f22013-04-23 15:18:10 +1000209or
Damien Miller87f08be2018-07-20 13:18:28 +1000210.Cm pam .
Damien Miller91a55f22013-04-23 15:18:10 +1000211depending on the server configuration.
212For example,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000213.Qq keyboard-interactive:bsdauth
Damien Miller91a55f22013-04-23 15:18:10 +1000214would restrict keyboard interactive authentication to the
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000215.Cm bsdauth
Damien Miller91a55f22013-04-23 15:18:10 +1000216device.
217.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000218If the publickey method is listed more than once,
djm@openbsd.orgf69b69b2014-12-22 07:51:30 +0000219.Xr sshd 8
220verifies that keys that have been used successfully are not reused for
221subsequent authentications.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000222For example,
223.Qq publickey,publickey
224requires successful authentication using two different public keys.
djm@openbsd.orgf69b69b2014-12-22 07:51:30 +0000225.Pp
Damien Millera6e3f012012-11-04 23:21:40 +1100226Note that each authentication method listed should also be explicitly enabled
227in the configuration.
djm@openbsd.org8042bad2017-09-01 05:50:48 +0000228.Pp
229The available authentication methods are:
230.Qq gssapi-with-mic ,
231.Qq hostbased ,
232.Qq keyboard-interactive ,
233.Qq none
234(used for access to password-less accounts when
jmc@openbsd.orgf41bcd72018-05-15 05:40:11 +0000235.Cm PermitEmptyPasswords
djm@openbsd.org8042bad2017-09-01 05:50:48 +0000236is enabled),
237.Qq password
238and
239.Qq publickey .
Damien Miller09d3e122012-10-31 08:58:58 +1100240.It Cm AuthorizedKeysCommand
Damien Millerf33580e2012-11-04 22:22:52 +1100241Specifies a program to be used to look up the user's public keys.
djm@openbsd.org24232a32015-05-21 06:38:35 +0000242The program must be owned by root, not writable by group or others and
243specified by an absolute path.
djm@openbsd.org24232a32015-05-21 06:38:35 +0000244Arguments to
245.Cm AuthorizedKeysCommand
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000246accept the tokens described in the
247.Sx TOKENS
248section.
249If no arguments are specified then the username of the target user is used.
djm@openbsd.org24232a32015-05-21 06:38:35 +0000250.Pp
251The program should produce on standard output zero or
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000252more lines of authorized_keys output (see
253.Sx AUTHORIZED_KEYS
254in
Damien Millerf33580e2012-11-04 22:22:52 +1100255.Xr sshd 8 ) .
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000256If a key supplied by
257.Cm AuthorizedKeysCommand
258does not successfully authenticate
Damien Miller09d3e122012-10-31 08:58:58 +1100259and authorize the user then public key authentication continues using the usual
260.Cm AuthorizedKeysFile
261files.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000262By default, no
263.Cm AuthorizedKeysCommand
264is run.
Damien Miller09d3e122012-10-31 08:58:58 +1100265.It Cm AuthorizedKeysCommandUser
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000266Specifies the user under whose account the
267.Cm AuthorizedKeysCommand
268is run.
Damien Miller09d3e122012-10-31 08:58:58 +1100269It is recommended to use a dedicated user that has no other role on the host
270than running authorized keys commands.
djm@openbsd.orgf1c4d8e2014-12-22 08:04:23 +0000271If
djm@openbsd.orgd663bea2014-12-11 05:25:06 +0000272.Cm AuthorizedKeysCommand
djm@openbsd.orgf1c4d8e2014-12-22 08:04:23 +0000273is specified but
274.Cm AuthorizedKeysCommandUser
275is not, then
276.Xr sshd 8
277will refuse to start.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000278.It Cm AuthorizedKeysFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000279Specifies the file that contains the public keys used for user authentication.
schwarze@openbsd.orgdb7606d2019-05-14 12:47:17 +0000280The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
Damien Miller6018a362010-07-02 13:35:19 +1000281.Xr sshd 8 .
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000282Arguments to
Ben Lindstrom9f049032002-06-21 00:59:05 +0000283.Cm AuthorizedKeysFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000284accept the tokens described in the
285.Sx TOKENS
286section.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000287After expansion,
288.Cm AuthorizedKeysFile
289is taken to be an absolute path or one relative to the user's home
290directory.
Damien Millerb9132fc2011-05-29 21:41:40 +1000291Multiple files may be listed, separated by whitespace.
djm@openbsd.org2bca8a42015-09-11 03:13:36 +0000292Alternately this option may be set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000293.Cm none
djm@openbsd.org2bca8a42015-09-11 03:13:36 +0000294to skip checking for user keys in files.
Damien Millerb9132fc2011-05-29 21:41:40 +1000295The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000296.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000297.It Cm AuthorizedPrincipalsCommand
298Specifies a program to be used to generate the list of allowed
299certificate principals as per
300.Cm AuthorizedPrincipalsFile .
301The program must be owned by root, not writable by group or others and
302specified by an absolute path.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000303Arguments to
304.Cm AuthorizedPrincipalsCommand
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000305accept the tokens described in the
306.Sx TOKENS
307section.
308If no arguments are specified then the username of the target user is used.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000309.Pp
310The program should produce on standard output zero or
311more lines of
312.Cm AuthorizedPrincipalsFile
313output.
314If either
315.Cm AuthorizedPrincipalsCommand
316or
317.Cm AuthorizedPrincipalsFile
318is specified, then certificates offered by the client for authentication
319must contain a principal that is listed.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000320By default, no
321.Cm AuthorizedPrincipalsCommand
322is run.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000323.It Cm AuthorizedPrincipalsCommandUser
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000324Specifies the user under whose account the
325.Cm AuthorizedPrincipalsCommand
326is run.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000327It is recommended to use a dedicated user that has no other role on the host
328than running authorized principals commands.
329If
330.Cm AuthorizedPrincipalsCommand
331is specified but
332.Cm AuthorizedPrincipalsCommandUser
333is not, then
334.Xr sshd 8
335will refuse to start.
Damien Miller30da3442010-05-10 11:58:03 +1000336.It Cm AuthorizedPrincipalsFile
337Specifies a file that lists principal names that are accepted for
338certificate authentication.
339When using certificates signed by a key listed in
340.Cm TrustedUserCAKeys ,
341this file lists names, one of which must appear in the certificate for it
342to be accepted for authentication.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000343Names are listed one per line preceded by key options (as described in
344.Sx AUTHORIZED_KEYS FILE FORMAT
345in
Damien Millerd59dab82010-07-02 13:37:17 +1000346.Xr sshd 8 ) .
Damien Miller6018a362010-07-02 13:35:19 +1000347Empty lines and comments starting with
Damien Miller30da3442010-05-10 11:58:03 +1000348.Ql #
349are ignored.
350.Pp
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000351Arguments to
Damien Miller30da3442010-05-10 11:58:03 +1000352.Cm AuthorizedPrincipalsFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000353accept the tokens described in the
354.Sx TOKENS
355section.
Damien Miller30da3442010-05-10 11:58:03 +1000356After expansion,
357.Cm AuthorizedPrincipalsFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000358is taken to be an absolute path or one relative to the user's home directory.
Damien Miller8fef9eb2012-04-22 11:25:10 +1000359The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000360.Cm none ,
Damien Miller8fef9eb2012-04-22 11:25:10 +1000361i.e. not to use a principals file \(en in this case, the username
Damien Miller30da3442010-05-10 11:58:03 +1000362of the user must appear in a certificate's principals list for it to be
363accepted.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000364.Pp
Damien Miller30da3442010-05-10 11:58:03 +1000365Note that
366.Cm AuthorizedPrincipalsFile
367is only used when authentication proceeds using a CA listed in
368.Cm TrustedUserCAKeys
369and is not consulted for certification authorities trusted via
370.Pa ~/.ssh/authorized_keys ,
371though the
372.Cm principals=
373key option offers a similar facility (see
374.Xr sshd 8
375for details).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000376.It Cm Banner
Ben Lindstrom9f049032002-06-21 00:59:05 +0000377The contents of the specified file are sent to the remote user before
378authentication is allowed.
Damien Miller4890e532007-09-17 11:57:38 +1000379If the argument is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000380.Cm none
Damien Miller4890e532007-09-17 11:57:38 +1000381then no banner is displayed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000382By default, no banner is displayed.
djm@openbsd.org86e57372018-09-20 03:28:06 +0000383.It Cm CASignatureAlgorithms
384Specifies which algorithms are allowed for signing of certificates
385by certificate authorities (CAs).
386The default is:
387.Bd -literal -offset indent
dtucker@openbsd.org0e2fe182019-07-23 23:06:57 +0000388ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org86e57372018-09-20 03:28:06 +0000389ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
390.Ed
391.Pp
392Certificates signed using other algorithms will not be accepted for
393public key or host-based authentication.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000394.It Cm ChallengeResponseAuthentication
Damien Miller9c7bf8d2009-08-28 10:27:08 +1000395Specifies whether challenge-response authentication is allowed (e.g. via
Damien Millere8c9f262014-10-03 09:24:56 +1000396PAM or through authentication styles supported in
Damien Miller9c7bf8d2009-08-28 10:27:08 +1000397.Xr login.conf 5 )
Ben Lindstrom9f049032002-06-21 00:59:05 +0000398The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000399.Cm yes .
Damien Millerd8cb1f12008-02-10 22:40:12 +1100400.It Cm ChrootDirectory
Darren Tuckerb8c884a2010-01-08 18:53:43 +1100401Specifies the pathname of a directory to
Damien Millerd8cb1f12008-02-10 22:40:12 +1100402.Xr chroot 2
403to after authentication.
deraadt@openbsd.orgdcff5812015-01-22 20:24:41 +0000404At session startup
405.Xr sshd 8
406checks that all components of the pathname are root-owned directories
407which are not writable by any other user or group.
Darren Tucker51dbe502009-06-21 17:56:51 +1000408After the chroot,
409.Xr sshd 8
410changes the working directory to the user's home directory.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000411Arguments to
412.Cm ChrootDirectory
413accept the tokens described in the
414.Sx TOKENS
415section.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100416.Pp
417The
418.Cm ChrootDirectory
419must contain the necessary files and directories to support the
Darren Tuckeraf501cf2009-06-21 17:53:04 +1000420user's session.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100421For an interactive session this requires at least a shell, typically
422.Xr sh 1 ,
423and basic
424.Pa /dev
425nodes such as
426.Xr null 4 ,
427.Xr zero 4 ,
428.Xr stdin 4 ,
429.Xr stdout 4 ,
430.Xr stderr 4 ,
jmc@openbsd.org08c0eeb2014-11-22 19:21:03 +0000431and
Damien Millerd8cb1f12008-02-10 22:40:12 +1100432.Xr tty 4
433devices.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000434For file transfer sessions using SFTP
435no additional configuration of the environment is necessary if the in-process
436sftp-server is used,
Damien Miller426117b2014-07-30 12:33:20 +1000437though sessions which use logging may require
Darren Tucker00fcd712009-06-21 17:56:00 +1000438.Pa /dev/log
Damien Miller426117b2014-07-30 12:33:20 +1000439inside the chroot directory on some operating systems (see
Darren Tucker00fcd712009-06-21 17:56:00 +1000440.Xr sftp-server 8
441for details).
Damien Millerd8cb1f12008-02-10 22:40:12 +1100442.Pp
jmc@openbsd.orga5a3e332015-01-22 21:00:42 +0000443For safety, it is very important that the directory hierarchy be
deraadt@openbsd.orgdcff5812015-01-22 20:24:41 +0000444prevented from modification by other processes on the system (especially
445those outside the jail).
446Misconfiguration can lead to unsafe environments which
447.Xr sshd 8
448cannot detect.
449.Pp
djm@openbsd.org9fd04682015-11-13 04:38:06 +0000450The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000451.Cm none ,
djm@openbsd.org9fd04682015-11-13 04:38:06 +0000452indicating not to
Damien Millerd8cb1f12008-02-10 22:40:12 +1100453.Xr chroot 2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000454.It Cm Ciphers
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000455Specifies the ciphers allowed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000456Multiple ciphers must be comma-separated.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +0000457If the specified list begins with a
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000458.Sq +
459character, then the specified ciphers will be appended to the default set
460instead of replacing them.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +0000461If the specified list begins with a
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +0000462.Sq -
463character, then the specified ciphers (including wildcards) will be removed
464from the default set instead of replacing them.
naddy@openbsd.org91a21352019-09-06 14:45:34 +0000465If the specified list begins with a
466.Sq ^
467character, then the specified ciphers will be placed at the head of the
468default set.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000469.Pp
Damien Miller0fde8ac2013-11-21 14:12:23 +1100470The supported ciphers are:
471.Pp
Damien Millerc1621c82014-04-20 13:22:46 +1000472.Bl -item -compact -offset indent
473.It
4743des-cbc
475.It
476aes128-cbc
477.It
478aes192-cbc
479.It
480aes256-cbc
481.It
482aes128-ctr
483.It
484aes192-ctr
485.It
486aes256-ctr
487.It
488aes128-gcm@openssh.com
489.It
490aes256-gcm@openssh.com
491.It
Damien Millerc1621c82014-04-20 13:22:46 +1000492chacha20-poly1305@openssh.com
493.El
Damien Miller0fde8ac2013-11-21 14:12:23 +1100494.Pp
Damien Miller5b0d63f2006-03-15 11:56:56 +1100495The default is:
Damien Millerc1621c82014-04-20 13:22:46 +1000496.Bd -literal -offset indent
jmc@openbsd.org1f8d3d62015-08-14 15:32:41 +0000497chacha20-poly1305@openssh.com,
Damien Millerc1621c82014-04-20 13:22:46 +1000498aes128-ctr,aes192-ctr,aes256-ctr,
jmc@openbsd.org1f8d3d62015-08-14 15:32:41 +0000499aes128-gcm@openssh.com,aes256-gcm@openssh.com
Ben Lindstrom9f049032002-06-21 00:59:05 +0000500.Ed
Damien Miller0fde8ac2013-11-21 14:12:23 +1100501.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000502The list of available ciphers may also be obtained using
503.Qq ssh -Q cipher .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000504.It Cm ClientAliveCountMax
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000505Sets the number of client alive messages which may be sent without
Damien Miller5b0d63f2006-03-15 11:56:56 +1100506.Xr sshd 8
Damien Millerfbf486b2003-05-23 18:44:23 +1000507receiving any messages back from the client.
508If this threshold is reached while client alive messages are being sent,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100509sshd will disconnect the client, terminating the session.
Damien Millerfbf486b2003-05-23 18:44:23 +1000510It is important to note that the use of client alive messages is very
511different from
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000512.Cm TCPKeepAlive .
Damien Millerfbf486b2003-05-23 18:44:23 +1000513The client alive messages are sent through the encrypted channel
514and therefore will not be spoofable.
515The TCP keepalive option enabled by
Damien Miller12c150e2003-12-17 16:31:10 +1100516.Cm TCPKeepAlive
Damien Millerfbf486b2003-05-23 18:44:23 +1000517is spoofable.
518The client alive mechanism is valuable when the client or
dtucker@openbsd.org8fdbc722019-08-09 04:24:03 +0000519server depend on knowing when a connection has become unresponsive.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000520.Pp
Damien Millerfbf486b2003-05-23 18:44:23 +1000521The default value is 3.
522If
Ben Lindstrom9f049032002-06-21 00:59:05 +0000523.Cm ClientAliveInterval
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000524is set to 15, and
Ben Lindstrom9f049032002-06-21 00:59:05 +0000525.Cm ClientAliveCountMax
Damien Miller5b0d63f2006-03-15 11:56:56 +1100526is left at the default, unresponsive SSH clients
Ben Lindstrom9f049032002-06-21 00:59:05 +0000527will be disconnected after approximately 45 seconds.
Damien Miller1594ad52005-05-26 12:12:19 +1000528.It Cm ClientAliveInterval
529Sets a timeout interval in seconds after which if no data has been received
530from the client,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100531.Xr sshd 8
Damien Miller1594ad52005-05-26 12:12:19 +1000532will send a message through the encrypted
533channel to request a response from the client.
534The default
535is 0, indicating that these messages will not be sent to the client.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000536.It Cm Compression
djm@openbsd.org4577ade2016-09-28 20:32:42 +0000537Specifies whether compression is enabled after
Damien Miller9786e6e2005-07-26 21:54:56 +1000538the user has authenticated successfully.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000539The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000540.Cm yes ,
541.Cm delayed
djm@openbsd.org4577ade2016-09-28 20:32:42 +0000542(a legacy synonym for
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000543.Cm yes )
Ben Lindstrom9f049032002-06-21 00:59:05 +0000544or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000545.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000546The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000547.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000548.It Cm DenyGroups
549This keyword can be followed by a list of group name patterns, separated
550by spaces.
551Login is disallowed for users whose primary group or supplementary
552group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000553Only group names are valid; a numerical group ID is not recognized.
554By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100555The allow/deny directives are processed in the following order:
556.Cm DenyUsers ,
557.Cm AllowUsers ,
558.Cm DenyGroups ,
559and finally
560.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100561.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000562See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100563.Xr ssh_config 5
564for more information on patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000565.It Cm DenyUsers
566This keyword can be followed by a list of user name patterns, separated
567by spaces.
568Login is disallowed for user names that match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000569Only user names are valid; a numerical user ID is not recognized.
570By default, login is allowed for all users.
571If the pattern takes the form USER@HOST then USER and HOST
572are separately checked, restricting logins to particular
573users from particular hosts.
jmc@openbsd.orgee1e0a12016-04-27 13:53:48 +0000574HOST criteria may additionally contain addresses to match in CIDR
575address/masklen format.
Damien Millerac73e512006-03-15 11:58:49 +1100576The allow/deny directives are processed in the following order:
577.Cm DenyUsers ,
578.Cm AllowUsers ,
579.Cm DenyGroups ,
580and finally
581.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100582.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000583See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100584.Xr ssh_config 5
585for more information on patterns.
djm@openbsd.org7844f352016-11-30 03:00:05 +0000586.It Cm DisableForwarding
587Disables all forwarding features, including X11,
588.Xr ssh-agent 1 ,
589TCP and StreamLocal.
590This option overrides all other forwarding-related options and may
591simplify restricted configurations.
djm@openbsd.org8f574952017-06-24 06:34:38 +0000592.It Cm ExposeAuthInfo
jmc@openbsd.org5fa14072017-09-27 06:45:53 +0000593Writes a temporary file containing a list of authentication methods and
djm@openbsd.org8f574952017-06-24 06:34:38 +0000594public credentials (e.g. keys) used to authenticate the user.
jmc@openbsd.org40962192017-06-24 06:57:04 +0000595The location of the file is exposed to the user session through the
djm@openbsd.orgf17ee612017-06-24 07:08:57 +0000596.Ev SSH_USER_AUTH
jmc@openbsd.org40962192017-06-24 06:57:04 +0000597environment variable.
jmc@openbsd.org5fa14072017-09-27 06:45:53 +0000598The default is
599.Cm no .
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000600.It Cm FingerprintHash
601Specifies the hash algorithm used when logging key fingerprints.
602Valid options are:
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000603.Cm md5
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000604and
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000605.Cm sha256 .
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000606The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000607.Cm sha256 .
Damien Millere2754432006-07-24 14:06:47 +1000608.It Cm ForceCommand
609Forces the execution of the command specified by
610.Cm ForceCommand ,
Damien Millera1b48cc2008-03-27 11:02:02 +1100611ignoring any command supplied by the client and
612.Pa ~/.ssh/rc
613if present.
Damien Millere2754432006-07-24 14:06:47 +1000614The command is invoked by using the user's login shell with the -c option.
615This applies to shell, command, or subsystem execution.
616It is most useful inside a
617.Cm Match
618block.
619The command originally supplied by the client is available in the
620.Ev SSH_ORIGINAL_COMMAND
621environment variable.
Damien Millercdb6e652008-02-10 22:47:24 +1100622Specifying a command of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000623.Cm internal-sftp
624will force the use of an in-process SFTP server that requires no support
Damien Millercdb6e652008-02-10 22:47:24 +1100625files when used with
626.Cm ChrootDirectory .
djm@openbsd.org9fd04682015-11-13 04:38:06 +0000627The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000628.Cm none .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000629.It Cm GatewayPorts
630Specifies whether remote hosts are allowed to connect to ports
631forwarded for the client.
632By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100633.Xr sshd 8
Damien Miller495dca32003-04-01 21:42:14 +1000634binds remote port forwardings to the loopback address.
635This prevents other remote hosts from connecting to forwarded ports.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000636.Cm GatewayPorts
Damien Miller5b0d63f2006-03-15 11:56:56 +1100637can be used to specify that sshd
Damien Millerf91ee4c2005-03-01 21:24:33 +1100638should allow remote port forwardings to bind to non-loopback addresses, thus
639allowing other hosts to connect.
640The argument may be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000641.Cm no
Damien Millerf91ee4c2005-03-01 21:24:33 +1100642to force remote port forwardings to be available to the local host only,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000643.Cm yes
Damien Millerf91ee4c2005-03-01 21:24:33 +1100644to force remote port forwardings to bind to the wildcard address, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000645.Cm clientspecified
Damien Millerf91ee4c2005-03-01 21:24:33 +1100646to allow the client to select the address to which the forwarding is bound.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000647The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000648.Cm no .
Darren Tucker0efd1552003-08-26 11:49:55 +1000649.It Cm GSSAPIAuthentication
Damien Miller9b7b03b2003-09-02 22:57:05 +1000650Specifies whether user authentication based on GSSAPI is allowed.
Damien Millera8e06ce2003-11-21 23:48:55 +1100651The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000652.Cm no .
Darren Tucker0efd1552003-08-26 11:49:55 +1000653.It Cm GSSAPICleanupCredentials
654Specifies whether to automatically destroy the user's credentials cache
655on logout.
656The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000657.Cm yes .
djm@openbsd.orgd7c31da2015-05-22 03:50:02 +0000658.It Cm GSSAPIStrictAcceptorCheck
659Determines whether to be strict about the identity of the GSSAPI acceptor
660a client authenticates against.
661If set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000662.Cm yes
663then the client must authenticate against the host
djm@openbsd.orgd7c31da2015-05-22 03:50:02 +0000664service on the current hostname.
665If set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000666.Cm no
djm@openbsd.orgd7c31da2015-05-22 03:50:02 +0000667then the client may authenticate against any service key stored in the
668machine's default store.
669This facility is provided to assist with operation on multi homed machines.
670The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000671.Cm yes .
djm@openbsd.org1f729f02015-01-13 07:39:19 +0000672.It Cm HostbasedAcceptedKeyTypes
673Specifies the key types that will be accepted for hostbased authentication
djm@openbsd.org312d2f22018-07-04 13:49:31 +0000674as a list of comma-separated patterns.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +0000675Alternately if the specified list begins with a
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000676.Sq +
677character, then the specified key types will be appended to the default set
678instead of replacing them.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +0000679If the specified list begins with a
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +0000680.Sq -
681character, then the specified key types (including wildcards) will be removed
682from the default set instead of replacing them.
naddy@openbsd.org91a21352019-09-06 14:45:34 +0000683If the specified list begins with a
684.Sq ^
685character, then the specified key types will be placed at the head of the
686default set.
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000687The default for this option is:
688.Bd -literal -offset 3n
689ecdsa-sha2-nistp256-cert-v01@openssh.com,
690ecdsa-sha2-nistp384-cert-v01@openssh.com,
691ecdsa-sha2-nistp521-cert-v01@openssh.com,
692ssh-ed25519-cert-v01@openssh.com,
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000693rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000694ssh-rsa-cert-v01@openssh.com,
695ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000696ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000697.Ed
698.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000699The list of available key types may also be obtained using
700.Qq ssh -Q key .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000701.It Cm HostbasedAuthentication
702Specifies whether rhosts or /etc/hosts.equiv authentication together
703with successful public key client host authentication is allowed
Damien Miller1faa7132006-03-15 11:55:31 +1100704(host-based authentication).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000705The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000706.Cm no .
Damien Millerb594f382006-08-30 11:06:34 +1000707.It Cm HostbasedUsesNameFromPacketOnly
708Specifies whether or not the server will attempt to perform a reverse
709name lookup when matching the name in the
710.Pa ~/.shosts ,
711.Pa ~/.rhosts ,
712and
713.Pa /etc/hosts.equiv
714files during
715.Cm HostbasedAuthentication .
716A setting of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000717.Cm yes
Damien Millerb594f382006-08-30 11:06:34 +1000718means that
719.Xr sshd 8
720uses the name supplied by the client rather than
721attempting to resolve the name from the TCP connection itself.
722The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000723.Cm no .
Damien Miller0a80ca12010-02-27 07:55:05 +1100724.It Cm HostCertificate
725Specifies a file containing a public host certificate.
726The certificate's public key must match a private host key already specified
727by
728.Cm HostKey .
729The default behaviour of
730.Xr sshd 8
731is not to load any certificates.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000732.It Cm HostKey
733Specifies a file containing a private host key
734used by SSH.
naddy@openbsd.orgffe65492016-08-15 12:32:04 +0000735The defaults are
Damien Miller8ba0ead2013-12-18 17:46:27 +1100736.Pa /etc/ssh/ssh_host_ecdsa_key ,
737.Pa /etc/ssh/ssh_host_ed25519_key
Ben Lindstrom9f049032002-06-21 00:59:05 +0000738and
naddy@openbsd.orgffe65492016-08-15 12:32:04 +0000739.Pa /etc/ssh/ssh_host_rsa_key .
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000740.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +0000741Note that
Damien Miller5b0d63f2006-03-15 11:56:56 +1100742.Xr sshd 8
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000743will refuse to use a file if it is group/world-accessible
744and that the
745.Cm HostKeyAlgorithms
746option restricts which of the keys are actually used by
747.Xr sshd 8 .
748.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +0000749It is possible to have multiple host key files.
Damien Miller85b45e02013-07-20 13:21:52 +1000750It is also possible to specify public host key files instead.
751In this case operations on the private key will be delegated
752to an
753.Xr ssh-agent 1 .
754.It Cm HostKeyAgent
755Identifies the UNIX-domain socket used to communicate
756with an agent that has access to the private host keys.
markus@openbsd.org1a75d142016-05-04 14:29:58 +0000757If the string
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000758.Qq SSH_AUTH_SOCK
Damien Miller85b45e02013-07-20 13:21:52 +1000759is specified, the location of the socket will be read from the
760.Ev SSH_AUTH_SOCK
761environment variable.
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000762.It Cm HostKeyAlgorithms
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000763Specifies the host key algorithms
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000764that the server offers.
765The default for this option is:
766.Bd -literal -offset 3n
767ecdsa-sha2-nistp256-cert-v01@openssh.com,
768ecdsa-sha2-nistp384-cert-v01@openssh.com,
769ecdsa-sha2-nistp521-cert-v01@openssh.com,
770ssh-ed25519-cert-v01@openssh.com,
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000771rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000772ssh-rsa-cert-v01@openssh.com,
773ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000774ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000775.Ed
776.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000777The list of available key types may also be obtained using
778.Qq ssh -Q key .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000779.It Cm IgnoreRhosts
780Specifies that
781.Pa .rhosts
782and
783.Pa .shosts
784files will not be used in
Ben Lindstrom9f049032002-06-21 00:59:05 +0000785.Cm HostbasedAuthentication .
786.Pp
787.Pa /etc/hosts.equiv
788and
789.Pa /etc/shosts.equiv
790are still used.
791The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000792.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000793.It Cm IgnoreUserKnownHosts
794Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100795.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000796should ignore the user's
Damien Miller167ea5d2005-05-26 12:04:02 +1000797.Pa ~/.ssh/known_hosts
Ben Lindstrom9f049032002-06-21 00:59:05 +0000798during
djm@openbsd.org62562ce2018-02-10 06:54:38 +0000799.Cm HostbasedAuthentication
800and use only the system-wide known hosts file
801.Pa /etc/ssh/known_hosts .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000802The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000803.Cm no .
Damien Miller0dac6fb2010-11-20 15:19:38 +1100804.It Cm IPQoS
805Specifies the IPv4 type-of-service or DSCP class for the connection.
806Accepted values are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000807.Cm af11 ,
808.Cm af12 ,
809.Cm af13 ,
810.Cm af21 ,
811.Cm af22 ,
812.Cm af23 ,
813.Cm af31 ,
814.Cm af32 ,
815.Cm af33 ,
816.Cm af41 ,
817.Cm af42 ,
818.Cm af43 ,
819.Cm cs0 ,
820.Cm cs1 ,
821.Cm cs2 ,
822.Cm cs3 ,
823.Cm cs4 ,
824.Cm cs5 ,
825.Cm cs6 ,
826.Cm cs7 ,
827.Cm ef ,
828.Cm lowdelay ,
829.Cm throughput ,
830.Cm reliability ,
djm@openbsd.org51676ec2017-07-23 23:37:02 +0000831a numeric value, or
832.Cm none
833to use the operating system default.
Damien Miller928362d2010-12-26 14:26:45 +1100834This option may take one or two arguments, separated by whitespace.
Damien Miller0dac6fb2010-11-20 15:19:38 +1100835If one argument is specified, it is used as the packet class unconditionally.
836If two values are specified, the first is automatically selected for
837interactive sessions and the second for non-interactive sessions.
838The default is
job@openbsd.org5ee84482018-04-04 15:12:17 +0000839.Cm af21
jmc@openbsd.org3e36f282018-04-08 07:36:02 +0000840(Low-Latency Data)
Damien Miller0dac6fb2010-11-20 15:19:38 +1100841for interactive sessions and
job@openbsd.org5ee84482018-04-04 15:12:17 +0000842.Cm cs1
jmc@openbsd.org3e36f282018-04-08 07:36:02 +0000843(Lower Effort)
Damien Miller0dac6fb2010-11-20 15:19:38 +1100844for non-interactive sessions.
Damien Millere1e480a2014-02-04 11:13:17 +1100845.It Cm KbdInteractiveAuthentication
846Specifies whether to allow keyboard-interactive authentication.
847The argument to this keyword must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000848.Cm yes
Damien Millere1e480a2014-02-04 11:13:17 +1100849or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000850.Cm no .
Damien Millere1e480a2014-02-04 11:13:17 +1100851The default is to use whatever value
852.Cm ChallengeResponseAuthentication
853is set to
854(by default
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000855.Cm yes ) .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000856.It Cm KerberosAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000857Specifies whether the password provided by the user for
Ben Lindstrom9f049032002-06-21 00:59:05 +0000858.Cm PasswordAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000859will be validated through the Kerberos KDC.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000860To use this option, the server needs a
861Kerberos servtab which allows the verification of the KDC's identity.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100862The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000863.Cm no .
Damien Miller8448e662004-03-08 23:13:15 +1100864.It Cm KerberosGetAFSToken
Darren Tuckere2dd2d52005-10-03 18:19:06 +1000865If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
Damien Miller8448e662004-03-08 23:13:15 +1100866an AFS token before accessing the user's home directory.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100867The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000868.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000869.It Cm KerberosOrLocalPasswd
Damien Miller5b0d63f2006-03-15 11:56:56 +1100870If password authentication through Kerberos fails then
Ben Lindstrom9f049032002-06-21 00:59:05 +0000871the password will be validated via any additional local mechanism
872such as
873.Pa /etc/passwd .
Damien Miller5b0d63f2006-03-15 11:56:56 +1100874The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000875.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000876.It Cm KerberosTicketCleanup
877Specifies whether to automatically destroy the user's ticket cache
878file on logout.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100879The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000880.Cm yes .
Damien Millerd5f62bf2010-09-24 22:11:14 +1000881.It Cm KexAlgorithms
882Specifies the available KEX (Key Exchange) algorithms.
883Multiple algorithms must be comma-separated.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +0000884Alternately if the specified list begins with a
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000885.Sq +
886character, then the specified methods will be appended to the default set
887instead of replacing them.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +0000888If the specified list begins with a
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +0000889.Sq -
890character, then the specified methods (including wildcards) will be removed
891from the default set instead of replacing them.
naddy@openbsd.org91a21352019-09-06 14:45:34 +0000892If the specified list begins with a
893.Sq ^
894character, then the specified methods will be placed at the head of the
895default set.
Damien Millerc1621c82014-04-20 13:22:46 +1000896The supported algorithms are:
897.Pp
898.Bl -item -compact -offset indent
899.It
djm@openbsd.org16277fc2016-09-22 17:55:13 +0000900curve25519-sha256
901.It
Damien Millerc1621c82014-04-20 13:22:46 +1000902curve25519-sha256@libssh.org
903.It
904diffie-hellman-group1-sha1
905.It
906diffie-hellman-group14-sha1
907.It
djm@openbsd.org680321f2018-02-16 02:40:45 +0000908diffie-hellman-group14-sha256
909.It
910diffie-hellman-group16-sha512
911.It
912diffie-hellman-group18-sha512
913.It
Damien Millerc1621c82014-04-20 13:22:46 +1000914diffie-hellman-group-exchange-sha1
915.It
916diffie-hellman-group-exchange-sha256
917.It
918ecdh-sha2-nistp256
919.It
920ecdh-sha2-nistp384
921.It
922ecdh-sha2-nistp521
923.El
924.Pp
925The default is:
Damien Miller6575c3a2013-12-18 17:47:02 +1100926.Bd -literal -offset indent
djm@openbsd.org16277fc2016-09-22 17:55:13 +0000927curve25519-sha256,curve25519-sha256@libssh.org,
Damien Miller6575c3a2013-12-18 17:47:02 +1100928ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
929diffie-hellman-group-exchange-sha256,
djm@openbsd.org680321f2018-02-16 02:40:45 +0000930diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
931diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
Damien Miller6575c3a2013-12-18 17:47:02 +1100932.Ed
djm@openbsd.org8f6784f2014-12-22 09:05:17 +0000933.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000934The list of available key exchange algorithms may also be obtained using
935.Qq ssh -Q kex .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000936.It Cm ListenAddress
937Specifies the local addresses
Damien Miller5b0d63f2006-03-15 11:56:56 +1100938.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000939should listen on.
940The following forms may be used:
941.Pp
942.Bl -item -offset indent -compact
943.It
944.Cm ListenAddress
945.Sm off
jmc@openbsd.org@openbsd.org7530e772017-10-25 06:18:06 +0000946.Ar hostname | address
Ben Lindstrom9f049032002-06-21 00:59:05 +0000947.Sm on
jmc@openbsd.org@openbsd.org68d3bbb2017-10-26 06:44:01 +0000948.Op Cm rdomain Ar domain
Ben Lindstrom9f049032002-06-21 00:59:05 +0000949.It
950.Cm ListenAddress
951.Sm off
jmc@openbsd.org@openbsd.org7530e772017-10-25 06:18:06 +0000952.Ar hostname : port
Ben Lindstrom9f049032002-06-21 00:59:05 +0000953.Sm on
jmc@openbsd.org@openbsd.org68d3bbb2017-10-26 06:44:01 +0000954.Op Cm rdomain Ar domain
djm@openbsd.orgacf559e2017-10-25 00:15:35 +0000955.It
956.Cm ListenAddress
957.Sm off
jmc@openbsd.org@openbsd.org7530e772017-10-25 06:18:06 +0000958.Ar IPv4_address : port
djm@openbsd.orgacf559e2017-10-25 00:15:35 +0000959.Sm on
jmc@openbsd.org@openbsd.org68d3bbb2017-10-26 06:44:01 +0000960.Op Cm rdomain Ar domain
Ben Lindstrom9f049032002-06-21 00:59:05 +0000961.It
962.Cm ListenAddress
963.Sm off
jmc@openbsd.org@openbsd.org7530e772017-10-25 06:18:06 +0000964.Oo Ar hostname | address Oc : Ar port
Ben Lindstrom9f049032002-06-21 00:59:05 +0000965.Sm on
jmc@openbsd.org@openbsd.org68d3bbb2017-10-26 06:44:01 +0000966.Op Cm rdomain Ar domain
Ben Lindstrom9f049032002-06-21 00:59:05 +0000967.El
968.Pp
djm@openbsd.orgacf559e2017-10-25 00:15:35 +0000969The optional
970.Cm rdomain
971qualifier requests
972.Xr sshd 8
973listen in an explicit routing domain.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000974If
975.Ar port
976is not specified,
dtucker@openbsd.org531a57a2015-04-29 03:48:56 +0000977sshd will listen on the address and all
Ben Lindstrom9f049032002-06-21 00:59:05 +0000978.Cm Port
Damien Millerfbf486b2003-05-23 18:44:23 +1000979options specified.
djm@openbsd.orgacf559e2017-10-25 00:15:35 +0000980The default is to listen on all local addresses on the current default
981routing domain.
Damien Miller495dca32003-04-01 21:42:14 +1000982Multiple
Ben Lindstrom9f049032002-06-21 00:59:05 +0000983.Cm ListenAddress
Damien Millerfbf486b2003-05-23 18:44:23 +1000984options are permitted.
djm@openbsd.orgacf559e2017-10-25 00:15:35 +0000985For more information on routing domains, see
jmc@openbsd.org@openbsd.org7530e772017-10-25 06:18:06 +0000986.Xr rdomain 4 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000987.It Cm LoginGraceTime
988The server disconnects after this time if the user has not
989successfully logged in.
990If the value is 0, there is no time limit.
Damien Millerc1348632002-09-05 14:35:14 +1000991The default is 120 seconds.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000992.It Cm LogLevel
993Gives the verbosity level that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +1100994.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000995The possible values are:
Damien Miller5b0d63f2006-03-15 11:56:56 +1100996QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
Damien Miller495dca32003-04-01 21:42:14 +1000997The default is INFO.
998DEBUG and DEBUG1 are equivalent.
999DEBUG2 and DEBUG3 each specify higher levels of debugging output.
1000Logging with a DEBUG level violates the privacy of users and is not recommended.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001001.It Cm MACs
1002Specifies the available MAC (message authentication code) algorithms.
jmc@openbsd.orga685ae82016-02-17 07:38:19 +00001003The MAC algorithm is used for data integrity protection.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001004Multiple algorithms must be comma-separated.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +00001005If the specified list begins with a
djm@openbsd.orgf9eca242015-07-30 00:01:34 +00001006.Sq +
1007character, then the specified algorithms will be appended to the default set
1008instead of replacing them.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +00001009If the specified list begins with a
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +00001010.Sq -
1011character, then the specified algorithms (including wildcards) will be removed
1012from the default set instead of replacing them.
naddy@openbsd.org91a21352019-09-06 14:45:34 +00001013If the specified list begins with a
1014.Sq ^
1015character, then the specified algorithms will be placed at the head of the
1016default set.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +00001017.Pp
Damien Milleraf43a7a2012-12-12 10:46:31 +11001018The algorithms that contain
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001019.Qq -etm
Damien Milleraf43a7a2012-12-12 10:46:31 +11001020calculate the MAC after encryption (encrypt-then-mac).
1021These are considered safer and their use recommended.
Damien Millerc1621c82014-04-20 13:22:46 +10001022The supported MACs are:
1023.Pp
1024.Bl -item -compact -offset indent
1025.It
1026hmac-md5
1027.It
1028hmac-md5-96
1029.It
Damien Millerc1621c82014-04-20 13:22:46 +10001030hmac-sha1
1031.It
1032hmac-sha1-96
1033.It
1034hmac-sha2-256
1035.It
1036hmac-sha2-512
1037.It
1038umac-64@openssh.com
1039.It
1040umac-128@openssh.com
1041.It
1042hmac-md5-etm@openssh.com
1043.It
1044hmac-md5-96-etm@openssh.com
1045.It
Damien Millerc1621c82014-04-20 13:22:46 +10001046hmac-sha1-etm@openssh.com
1047.It
1048hmac-sha1-96-etm@openssh.com
1049.It
1050hmac-sha2-256-etm@openssh.com
1051.It
1052hmac-sha2-512-etm@openssh.com
1053.It
1054umac-64-etm@openssh.com
1055.It
1056umac-128-etm@openssh.com
1057.El
1058.Pp
Damien Miller5b0d63f2006-03-15 11:56:56 +11001059The default is:
Damien Miller22b7b492007-06-11 14:07:12 +10001060.Bd -literal -offset indent
Damien Milleraf43a7a2012-12-12 10:46:31 +11001061umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1062hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
djm@openbsd.orge4c918a2016-02-11 02:56:32 +00001063hmac-sha1-etm@openssh.com,
Damien Millerc1621c82014-04-20 13:22:46 +10001064umac-64@openssh.com,umac-128@openssh.com,
djm@openbsd.orge4c918a2016-02-11 02:56:32 +00001065hmac-sha2-256,hmac-sha2-512,hmac-sha1
Damien Miller22b7b492007-06-11 14:07:12 +10001066.Ed
djm@openbsd.org8f6784f2014-12-22 09:05:17 +00001067.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001068The list of available MAC algorithms may also be obtained using
1069.Qq ssh -Q mac .
Darren Tucker45150472006-07-12 22:34:17 +10001070.It Cm Match
Damien Millerd04f3572006-07-24 13:46:50 +10001071Introduces a conditional block.
Damien Miller8c234032006-07-24 14:05:08 +10001072If all of the criteria on the
Darren Tucker45150472006-07-12 22:34:17 +10001073.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +10001074line are satisfied, the keywords on the following lines override those
1075set in the global section of the config file, until either another
Darren Tucker45150472006-07-12 22:34:17 +10001076.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +10001077line or the end of the file.
Damien Millerfc5d6752014-02-28 10:01:28 +11001078If a keyword appears in multiple
1079.Cm Match
sobrado@openbsd.org180bcb42014-08-30 16:32:25 +00001080blocks that are satisfied, only the first instance of the keyword is
Damien Millerfc5d6752014-02-28 10:01:28 +11001081applied.
Darren Tucker7a3935d2008-06-10 22:59:10 +10001082.Pp
Damien Millerd04f3572006-07-24 13:46:50 +10001083The arguments to
Darren Tucker45150472006-07-12 22:34:17 +10001084.Cm Match
Damien Millercf31f382013-10-24 21:02:56 +11001085are one or more criteria-pattern pairs or the single token
1086.Cm All
1087which matches all criteria.
Darren Tucker45150472006-07-12 22:34:17 +10001088The available criteria are
1089.Cm User ,
Damien Miller565ca3f2006-08-19 00:23:15 +10001090.Cm Group ,
Darren Tucker45150472006-07-12 22:34:17 +10001091.Cm Host ,
Darren Tuckerfbcf8272012-05-19 19:37:01 +10001092.Cm LocalAddress ,
1093.Cm LocalPort ,
djm@openbsd.org68af80e2017-10-25 00:19:47 +00001094.Cm RDomain ,
Darren Tucker45150472006-07-12 22:34:17 +10001095and
djm@openbsd.org68af80e2017-10-25 00:19:47 +00001096.Cm Address
1097(with
1098.Cm RDomain
1099representing the
1100.Xr rdomain 4
jmc@openbsd.org62949c52019-03-22 20:58:34 +00001101on which the connection was received).
djm@openbsd.org68af80e2017-10-25 00:19:47 +00001102.Pp
Darren Tucker7a3935d2008-06-10 22:59:10 +10001103The match patterns may consist of single entries or comma-separated
1104lists and may use the wildcard and negation operators described in the
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001105.Sx PATTERNS
1106section of
Darren Tuckerb06cc4a2008-06-10 22:59:53 +10001107.Xr ssh_config 5 .
Darren Tucker7a3935d2008-06-10 22:59:10 +10001108.Pp
1109The patterns in an
1110.Cm Address
1111criteria may additionally contain addresses to match in CIDR
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001112address/masklen format,
1113such as 192.0.2.0/24 or 2001:db8::/32.
Darren Tucker7a3935d2008-06-10 22:59:10 +10001114Note that the mask length provided must be consistent with the address -
1115it is an error to specify a mask length that is too long for the address
Darren Tucker6a2a4002008-06-10 23:03:04 +10001116or one with bits set in this host portion of the address.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001117For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
Darren Tucker7a3935d2008-06-10 22:59:10 +10001118.Pp
Darren Tucker45150472006-07-12 22:34:17 +10001119Only a subset of keywords may be used on the lines following a
1120.Cm Match
1121keyword.
1122Available keywords are
Damien Millerf8268502012-06-20 21:54:15 +10001123.Cm AcceptEnv ,
Damien Miller17819012009-01-28 16:20:17 +11001124.Cm AllowAgentForwarding ,
Damien Millerf8268502012-06-20 21:54:15 +10001125.Cm AllowGroups ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001126.Cm AllowStreamLocalForwarding ,
Damien Miller9b439df2006-07-24 14:04:00 +10001127.Cm AllowTcpForwarding ,
Damien Millerc24da772012-06-20 21:53:58 +10001128.Cm AllowUsers ,
Damien Millera6e3f012012-11-04 23:21:40 +11001129.Cm AuthenticationMethods ,
Damien Miller09d3e122012-10-31 08:58:58 +11001130.Cm AuthorizedKeysCommand ,
1131.Cm AuthorizedKeysCommandUser ,
Damien Millerf33580e2012-11-04 22:22:52 +11001132.Cm AuthorizedKeysFile ,
djm@openbsd.orgb6b91082015-11-13 02:57:46 +00001133.Cm AuthorizedPrincipalsCommand ,
1134.Cm AuthorizedPrincipalsCommandUser ,
Damien Millerab6de352010-06-26 09:38:45 +10001135.Cm AuthorizedPrincipalsFile ,
Darren Tucker1629c072007-02-19 22:25:37 +11001136.Cm Banner ,
Damien Miller797e3d12008-05-19 14:27:42 +10001137.Cm ChrootDirectory ,
markus@openbsd.orgf0ddede2016-11-23 23:14:15 +00001138.Cm ClientAliveCountMax ,
1139.Cm ClientAliveInterval ,
Damien Millerc24da772012-06-20 21:53:58 +10001140.Cm DenyGroups ,
1141.Cm DenyUsers ,
Damien Millere2754432006-07-24 14:06:47 +10001142.Cm ForceCommand ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001143.Cm GatewayPorts ,
djm@openbsd.orgbd49da22015-02-20 23:46:01 +00001144.Cm GSSAPIAuthentication ,
djm@openbsd.org1f729f02015-01-13 07:39:19 +00001145.Cm HostbasedAcceptedKeyTypes ,
Damien Miller25434de2008-05-19 14:29:08 +10001146.Cm HostbasedAuthentication ,
Damien Millerab6de352010-06-26 09:38:45 +10001147.Cm HostbasedUsesNameFromPacketOnly ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001148.Cm IPQoS ,
Darren Tucker1d75f222007-03-01 21:31:28 +11001149.Cm KbdInteractiveAuthentication ,
Damien Miller5737e362007-03-06 21:21:18 +11001150.Cm KerberosAuthentication ,
djm@openbsd.org54cd41a2017-05-17 01:24:17 +00001151.Cm LogLevel ,
Damien Miller307c1d12008-06-16 07:56:20 +10001152.Cm MaxAuthTries ,
Damien Millerc62a5af2008-06-16 07:55:46 +10001153.Cm MaxSessions ,
Darren Tucker1629c072007-02-19 22:25:37 +11001154.Cm PasswordAuthentication ,
Damien Miller51bde602008-11-03 19:23:10 +11001155.Cm PermitEmptyPasswords ,
djm@openbsd.org04df4322018-06-06 18:24:00 +00001156.Cm PermitListen ,
Damien Millerd1de9952006-07-24 14:05:48 +10001157.Cm PermitOpen ,
Darren Tucker15f94272008-01-01 20:36:56 +11001158.Cm PermitRootLogin ,
Damien Miller5ff30c62013-10-30 22:21:50 +11001159.Cm PermitTTY ,
Damien Millerab6de352010-06-26 09:38:45 +10001160.Cm PermitTunnel ,
Damien Miller72e6b5c2014-07-04 09:00:04 +10001161.Cm PermitUserRC ,
djm@openbsd.org1f729f02015-01-13 07:39:19 +00001162.Cm PubkeyAcceptedKeyTypes ,
Darren Tucker1477ea12009-10-07 08:36:05 +11001163.Cm PubkeyAuthentication ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001164.Cm RekeyLimit ,
1165.Cm RevokedKeys ,
djm@openbsd.org35eb33f2017-10-25 00:17:08 +00001166.Cm RDomain ,
djm@openbsd.org28013752018-06-09 03:03:10 +00001167.Cm SetEnv ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001168.Cm StreamLocalBindMask ,
1169.Cm StreamLocalBindUnlink ,
1170.Cm TrustedUserCAKeys ,
Damien Millerd1de9952006-07-24 14:05:48 +10001171.Cm X11DisplayOffset ,
Damien Miller19913842009-02-23 10:53:58 +11001172.Cm X11Forwarding
Darren Tucker45150472006-07-12 22:34:17 +10001173and
jmc@openbsd.org76af9c52019-06-12 05:53:21 +00001174.Cm X11UseLocalhost .
Darren Tucker89413db2004-05-24 10:36:23 +10001175.It Cm MaxAuthTries
1176Specifies the maximum number of authentication attempts permitted per
Damien Miller26213e52004-06-30 22:39:34 +10001177connection.
1178Once the number of failures reaches half this value,
1179additional failures are logged.
1180The default is 6.
Damien Miller7207f642008-05-19 15:34:50 +10001181.It Cm MaxSessions
djm@openbsd.orgcac3b662016-02-05 02:37:56 +00001182Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
1183sessions permitted per network connection.
1184Multiple sessions may be established by clients that support connection
1185multiplexing.
1186Setting
1187.Cm MaxSessions
1188to 1 will effectively disable session multiplexing, whereas setting it to 0
1189will prevent all shell, login and subsystem sessions while still permitting
1190forwarding.
Damien Miller7207f642008-05-19 15:34:50 +10001191The default is 10.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001192.It Cm MaxStartups
1193Specifies the maximum number of concurrent unauthenticated connections to the
Damien Miller5b0d63f2006-03-15 11:56:56 +11001194SSH daemon.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001195Additional connections will be dropped until authentication succeeds or the
1196.Cm LoginGraceTime
1197expires for a connection.
Damien Miller1f583df2013-02-12 11:02:08 +11001198The default is 10:30:100.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001199.Pp
1200Alternatively, random early drop can be enabled by specifying
1201the three colon separated values
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001202start:rate:full (e.g. "10:30:60").
Damien Millerf4f22b52006-03-15 11:57:25 +11001203.Xr sshd 8
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001204will refuse connection attempts with a probability of rate/100 (30%)
1205if there are currently start (10) unauthenticated connections.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001206The probability increases linearly and all connection attempts
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001207are refused if the number of unauthenticated connections reaches full (60).
Ben Lindstrom9f049032002-06-21 00:59:05 +00001208.It Cm PasswordAuthentication
1209Specifies whether password authentication is allowed.
1210The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001211.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001212.It Cm PermitEmptyPasswords
1213When password authentication is allowed, it specifies whether the
1214server allows login to accounts with empty password strings.
1215The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001216.Cm no .
djm@openbsd.org04df4322018-06-06 18:24:00 +00001217.It Cm PermitListen
1218Specifies the addresses/ports on which a remote TCP port forwarding may listen.
1219The listen specification must be one of the following forms:
1220.Pp
1221.Bl -item -offset indent -compact
1222.It
1223.Cm PermitListen
1224.Sm off
djm@openbsd.org87ddd672018-06-19 02:59:41 +00001225.Ar port
1226.Sm on
1227.It
1228.Cm PermitListen
1229.Sm off
djm@openbsd.org04df4322018-06-06 18:24:00 +00001230.Ar host : port
1231.Sm on
djm@openbsd.org04df4322018-06-06 18:24:00 +00001232.El
1233.Pp
1234Multiple permissions may be specified by separating them with whitespace.
1235An argument of
1236.Cm any
1237can be used to remove all restrictions and permit any listen requests.
1238An argument of
1239.Cm none
1240can be used to prohibit all listen requests.
1241The host name may contain wildcards as described in the PATTERNS section in
1242.Xr ssh_config 5 .
1243The wildcard
1244.Sq *
1245can also be used in place of a port number to allow all ports.
1246By default all port forwarding listen requests are permitted.
jmc@openbsd.org6ff6fda2018-06-07 11:26:14 +00001247Note that the
djm@openbsd.org04df4322018-06-06 18:24:00 +00001248.Cm GatewayPorts
1249option may further restrict which addresses may be listened on.
djm@openbsd.org87ddd672018-06-19 02:59:41 +00001250Note also that
1251.Xr ssh 1
1252will request a listen host of
1253.Dq localhost
dtucker@openbsd.org177d6c82019-01-23 20:48:52 +00001254if no listen host was specifically requested, and this name is
jmc@openbsd.orgf535ff92018-06-19 05:36:57 +00001255treated differently to explicit localhost addresses of
djm@openbsd.org87ddd672018-06-19 02:59:41 +00001256.Dq 127.0.0.1
1257and
1258.Dq ::1 .
Damien Miller9b439df2006-07-24 14:04:00 +10001259.It Cm PermitOpen
1260Specifies the destinations to which TCP port forwarding is permitted.
1261The forwarding specification must be one of the following forms:
1262.Pp
1263.Bl -item -offset indent -compact
1264.It
1265.Cm PermitOpen
1266.Sm off
1267.Ar host : port
1268.Sm on
1269.It
1270.Cm PermitOpen
1271.Sm off
1272.Ar IPv4_addr : port
1273.Sm on
1274.It
1275.Cm PermitOpen
1276.Sm off
1277.Ar \&[ IPv6_addr \&] : port
1278.Sm on
1279.El
1280.Pp
Damien Millera765cf42006-07-24 14:08:13 +10001281Multiple forwards may be specified by separating them with whitespace.
Damien Miller9b439df2006-07-24 14:04:00 +10001282An argument of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001283.Cm any
Damien Miller9b439df2006-07-24 14:04:00 +10001284can be used to remove all restrictions and permit any forwarding requests.
Darren Tuckerba9ea322012-05-19 19:37:33 +10001285An argument of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001286.Cm none
Darren Tuckerba9ea322012-05-19 19:37:33 +10001287can be used to prohibit all forwarding requests.
jmc@openbsd.org32d921c2016-07-19 12:59:16 +00001288The wildcard
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001289.Sq *
jmc@openbsd.org32d921c2016-07-19 12:59:16 +00001290can be used for host or port to allow all hosts or ports, respectively.
Damien Miller65bc2c42006-07-24 14:04:16 +10001291By default all port forwarding requests are permitted.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001292.It Cm PermitRootLogin
Darren Tuckerb3509012005-01-20 11:01:46 +11001293Specifies whether root can log in using
Ben Lindstrom9f049032002-06-21 00:59:05 +00001294.Xr ssh 1 .
1295The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001296.Cm yes ,
1297.Cm prohibit-password ,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001298.Cm forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001299or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001300.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001301The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001302.Cm prohibit-password .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001303.Pp
1304If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001305.Cm prohibit-password
jmc@openbsd.org071325f2017-10-13 16:50:45 +00001306(or its deprecated alias,
1307.Cm without-password ) ,
deraadt@openbsd.org1dc8d932015-08-06 14:53:21 +00001308password and keyboard-interactive authentication are disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001309.Pp
1310If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001311.Cm forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001312root login with public key authentication will be allowed,
1313but only if the
1314.Ar command
1315option has been specified
1316(which may be useful for taking remote backups even if root login is
Damien Millerfbf486b2003-05-23 18:44:23 +10001317normally not allowed).
1318All other authentication methods are disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001319.Pp
1320If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001321.Cm no ,
Darren Tuckerb3509012005-01-20 11:01:46 +11001322root is not allowed to log in.
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +00001323.It Cm PermitTTY
1324Specifies whether
1325.Xr pty 4
1326allocation is permitted.
1327The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001328.Cm yes .
Damien Millerd27b9472005-12-13 19:29:02 +11001329.It Cm PermitTunnel
1330Specifies whether
1331.Xr tun 4
1332device forwarding is allowed.
Damien Miller7b58e802005-12-13 19:33:19 +11001333The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001334.Cm yes ,
1335.Cm point-to-point
Damien Miller991dba42006-07-10 20:16:27 +10001336(layer 3),
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001337.Cm ethernet
Damien Miller991dba42006-07-10 20:16:27 +10001338(layer 2), or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001339.Cm no .
Damien Miller991dba42006-07-10 20:16:27 +10001340Specifying
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001341.Cm yes
Damien Miller991dba42006-07-10 20:16:27 +10001342permits both
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001343.Cm point-to-point
Damien Miller991dba42006-07-10 20:16:27 +10001344and
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001345.Cm ethernet .
Damien Millerd27b9472005-12-13 19:29:02 +11001346The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001347.Cm no .
djm@openbsd.org48dffd52014-09-09 09:45:36 +00001348.Pp
1349Independent of this setting, the permissions of the selected
1350.Xr tun 4
1351device must allow access to the user.
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001352.It Cm PermitUserEnvironment
1353Specifies whether
1354.Pa ~/.ssh/environment
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001355and
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001356.Cm environment=
1357options in
1358.Pa ~/.ssh/authorized_keys
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001359are processed by
Damien Miller5b0d63f2006-03-15 11:56:56 +11001360.Xr sshd 8 .
djm@openbsd.org95344c22018-07-03 10:59:35 +00001361Valid options are
1362.Cm yes ,
1363.Cm no
1364or a pattern-list specifying which environment variable names to accept
1365(for example
1366.Qq LANG,LC_* ) .
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001367The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001368.Cm no .
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001369Enabling environment processing may enable users to bypass access
1370restrictions in some configurations using mechanisms such as
1371.Ev LD_PRELOAD .
Damien Miller72e6b5c2014-07-04 09:00:04 +10001372.It Cm PermitUserRC
1373Specifies whether any
1374.Pa ~/.ssh/rc
1375file is executed.
1376The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001377.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001378.It Cm PidFile
Ben Lindstrom959de992002-06-23 00:35:25 +00001379Specifies the file that contains the process ID of the
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001380SSH daemon, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001381.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001382to not write one.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001383The default is
1384.Pa /var/run/sshd.pid .
1385.It Cm Port
1386Specifies the port number that
Damien Miller5b0d63f2006-03-15 11:56:56 +11001387.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001388listens on.
1389The default is 22.
1390Multiple options of this type are permitted.
1391See also
1392.Cm ListenAddress .
1393.It Cm PrintLastLog
1394Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001395.Xr sshd 8
Darren Tucker7cc5c232004-11-05 20:06:59 +11001396should print the date and time of the last user login when a user logs
1397in interactively.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001398The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001399.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001400.It Cm PrintMotd
1401Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001402.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001403should print
1404.Pa /etc/motd
1405when a user logs in interactively.
1406(On some systems it is also printed by the shell,
1407.Pa /etc/profile ,
1408or equivalent.)
1409The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001410.Cm yes .
djm@openbsd.org1f729f02015-01-13 07:39:19 +00001411.It Cm PubkeyAcceptedKeyTypes
1412Specifies the key types that will be accepted for public key authentication
djm@openbsd.org312d2f22018-07-04 13:49:31 +00001413as a list of comma-separated patterns.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +00001414Alternately if the specified list begins with a
djm@openbsd.orgf9eca242015-07-30 00:01:34 +00001415.Sq +
1416character, then the specified key types will be appended to the default set
1417instead of replacing them.
naddy@openbsd.org4f9d75f2019-09-04 20:31:15 +00001418If the specified list begins with a
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +00001419.Sq -
1420character, then the specified key types (including wildcards) will be removed
1421from the default set instead of replacing them.
naddy@openbsd.org91a21352019-09-06 14:45:34 +00001422If the specified list begins with a
1423.Sq ^
1424character, then the specified key types will be placed at the head of the
1425default set.
markus@openbsd.org3a1638d2015-07-10 06:21:53 +00001426The default for this option is:
1427.Bd -literal -offset 3n
1428ecdsa-sha2-nistp256-cert-v01@openssh.com,
1429ecdsa-sha2-nistp384-cert-v01@openssh.com,
1430ecdsa-sha2-nistp521-cert-v01@openssh.com,
1431ssh-ed25519-cert-v01@openssh.com,
djm@openbsd.org4ba0d542018-07-03 11:39:54 +00001432rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
markus@openbsd.org3a1638d2015-07-10 06:21:53 +00001433ssh-rsa-cert-v01@openssh.com,
1434ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org4ba0d542018-07-03 11:39:54 +00001435ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
markus@openbsd.org3a1638d2015-07-10 06:21:53 +00001436.Ed
1437.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001438The list of available key types may also be obtained using
1439.Qq ssh -Q key .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001440.It Cm PubkeyAuthentication
1441Specifies whether public key authentication is allowed.
1442The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001443.Cm yes .
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001444.It Cm RekeyLimit
1445Specifies the maximum amount of data that may be transmitted before the
1446session key is renegotiated, optionally followed a maximum amount of
1447time that may pass before the session key is renegotiated.
1448The first argument is specified in bytes and may have a suffix of
1449.Sq K ,
1450.Sq M ,
1451or
1452.Sq G
1453to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1454The default is between
1455.Sq 1G
1456and
1457.Sq 4G ,
1458depending on the cipher.
1459The optional second value is specified in seconds and may use any of the
1460units documented in the
1461.Sx TIME FORMATS
Darren Tucker64d22942013-05-16 20:31:29 +10001462section.
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001463The default value for
1464.Cm RekeyLimit
1465is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001466.Cm default none ,
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001467which means that rekeying is performed after the cipher's default amount
1468of data has been sent or received and no time based rekeying is done.
Damien Miller1aed65e2010-03-04 21:53:35 +11001469.It Cm RevokedKeys
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001470Specifies revoked public keys file, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001471.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001472to not use one.
Damien Miller1aed65e2010-03-04 21:53:35 +11001473Keys listed in this file will be refused for public key authentication.
1474Note that if this file is not readable, then public key authentication will
1475be refused for all users.
Damien Millerf3747bf2013-01-18 11:44:04 +11001476Keys may be specified as a text file, listing one public key per line, or as
1477an OpenSSH Key Revocation List (KRL) as generated by
Damien Miller72abeb72013-01-20 22:33:44 +11001478.Xr ssh-keygen 1 .
Damien Millerfecfd112013-07-18 16:11:50 +10001479For more information on KRLs, see the KEY REVOCATION LISTS section in
Damien Millerf3747bf2013-01-18 11:44:04 +11001480.Xr ssh-keygen 1 .
djm@openbsd.org35eb33f2017-10-25 00:17:08 +00001481.It Cm RDomain
1482Specifies an explicit routing domain that is applied after authentication
1483has completed.
jmc@openbsd.org@openbsd.org7530e772017-10-25 06:18:06 +00001484The user session, as well and any forwarded or listening IP sockets,
1485will be bound to this
djm@openbsd.org35eb33f2017-10-25 00:17:08 +00001486.Xr rdomain 4 .
1487If the routing domain is set to
1488.Cm \&%D ,
jmc@openbsd.org@openbsd.org7530e772017-10-25 06:18:06 +00001489then the domain in which the incoming connection was received will be applied.
djm@openbsd.org28013752018-06-09 03:03:10 +00001490.It Cm SetEnv
1491Specifies one or more environment variables to set in child sessions started
1492by
1493.Xr sshd 8
1494as
1495.Dq NAME=VALUE .
1496The environment value may be quoted (e.g. if it contains whitespace
1497characters).
1498Environment variables set by
1499.Cm SetEnv
1500override the default environment and any variables specified by the user
1501via
1502.Cm AcceptEnv
1503or
1504.Cm PermitUserEnvironment .
Damien Miller7acefbb2014-07-18 14:11:24 +10001505.It Cm StreamLocalBindMask
1506Sets the octal file creation mode mask
1507.Pq umask
1508used when creating a Unix-domain socket file for local or remote
1509port forwarding.
1510This option is only used for port forwarding to a Unix-domain socket file.
1511.Pp
1512The default value is 0177, which creates a Unix-domain socket file that is
1513readable and writable only by the owner.
1514Note that not all operating systems honor the file mode on Unix-domain
1515socket files.
1516.It Cm StreamLocalBindUnlink
1517Specifies whether to remove an existing Unix-domain socket file for local
1518or remote port forwarding before creating a new one.
1519If the socket file already exists and
1520.Cm StreamLocalBindUnlink
1521is not enabled,
1522.Nm sshd
1523will be unable to forward the port to the Unix-domain socket file.
1524This option is only used for port forwarding to a Unix-domain socket file.
1525.Pp
1526The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001527.Cm yes
Damien Miller7acefbb2014-07-18 14:11:24 +10001528or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001529.Cm no .
Damien Miller7acefbb2014-07-18 14:11:24 +10001530The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001531.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001532.It Cm StrictModes
1533Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001534.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001535should check file modes and ownership of the
1536user's files and home directory before accepting login.
1537This is normally desirable because novices sometimes accidentally leave their
1538directory or files world-writable.
1539The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001540.Cm yes .
Darren Tuckerf788a912010-01-08 17:06:47 +11001541Note that this does not apply to
1542.Cm ChrootDirectory ,
1543whose permissions and ownership are checked unconditionally.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001544.It Cm Subsystem
Damien Miller208f1ed2006-03-15 11:56:03 +11001545Configures an external subsystem (e.g. file transfer daemon).
Damien Miller917f9b62006-07-10 20:36:47 +10001546Arguments should be a subsystem name and a command (with optional arguments)
1547to execute upon subsystem request.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001548.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +00001549The command
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001550.Cm sftp-server
1551implements the SFTP file transfer subsystem.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001552.Pp
1553Alternately the name
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001554.Cm internal-sftp
1555implements an in-process SFTP server.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001556This may simplify configurations using
1557.Cm ChrootDirectory
1558to force a different filesystem root on clients.
1559.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +00001560By default no subsystems are defined.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001561.It Cm SyslogFacility
1562Gives the facility code that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +11001563.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001564The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1565LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1566The default is AUTH.
Damien Miller12c150e2003-12-17 16:31:10 +11001567.It Cm TCPKeepAlive
1568Specifies whether the system should send TCP keepalive messages to the
1569other side.
1570If they are sent, death of the connection or crash of one
1571of the machines will be properly noticed.
1572However, this means that
1573connections will die if the route is down temporarily, and some people
1574find it annoying.
1575On the other hand, if TCP keepalives are not sent,
1576sessions may hang indefinitely on the server, leaving
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001577.Qq ghost
Damien Miller12c150e2003-12-17 16:31:10 +11001578users and consuming server resources.
1579.Pp
1580The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001581.Cm yes
Damien Miller12c150e2003-12-17 16:31:10 +11001582(to send TCP keepalive messages), and the server will notice
1583if the network goes down or the client host crashes.
1584This avoids infinitely hanging sessions.
1585.Pp
1586To disable TCP keepalive messages, the value should be set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001587.Cm no .
Damien Miller1aed65e2010-03-04 21:53:35 +11001588.It Cm TrustedUserCAKeys
1589Specifies a file containing public keys of certificate authorities that are
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001590trusted to sign user certificates for authentication, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001591.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001592to not use one.
Damien Miller72b33822010-03-05 07:39:01 +11001593Keys are listed one per line; empty lines and comments starting with
Damien Miller1aed65e2010-03-04 21:53:35 +11001594.Ql #
1595are allowed.
1596If a certificate is presented for authentication and has its signing CA key
1597listed in this file, then it may be used for authentication for any user
1598listed in the certificate's principals list.
1599Note that certificates that lack a list of principals will not be permitted
1600for authentication using
1601.Cm TrustedUserCAKeys .
Damien Millerfecfd112013-07-18 16:11:50 +10001602For more details on certificates, see the CERTIFICATES section in
Damien Miller1aed65e2010-03-04 21:53:35 +11001603.Xr ssh-keygen 1 .
Damien Miller3a961dc2003-06-03 10:25:48 +10001604.It Cm UseDNS
1605Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001606.Xr sshd 8
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001607should look up the remote host name, and to check that
Damien Miller3a961dc2003-06-03 10:25:48 +10001608the resolved host name for the remote IP address maps back to the
1609very same IP address.
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001610.Pp
1611If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001612.Cm no
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001613(the default) then only addresses and not host names may be used in
djm@openbsd.org0235a5f2016-03-17 17:19:43 +00001614.Pa ~/.ssh/authorized_keys
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001615.Cm from
1616and
jmc@openbsd.org1f8d3d62015-08-14 15:32:41 +00001617.Nm
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001618.Cm Match
1619.Cm Host
1620directives.
Damien Miller2e193e22003-05-14 15:13:03 +10001621.It Cm UsePAM
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001622Enables the Pluggable Authentication Module interface.
1623If set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001624.Cm yes
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001625this will enable PAM authentication using
1626.Cm ChallengeResponseAuthentication
Darren Tuckera4904f72006-02-23 21:35:30 +11001627and
1628.Cm PasswordAuthentication
1629in addition to PAM account and session module processing for all
1630authentication types.
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001631.Pp
1632Because PAM challenge-response authentication usually serves an equivalent
1633role to password authentication, you should disable either
1634.Cm PasswordAuthentication
1635or
1636.Cm ChallengeResponseAuthentication.
1637.Pp
1638If
1639.Cm UsePAM
1640is enabled, you will not be able to run
1641.Xr sshd 8
1642as a non-root user.
1643The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001644.Cm no .
Damien Miller23528812012-04-22 11:24:43 +10001645.It Cm VersionAddendum
1646Optionally specifies additional text to append to the SSH protocol banner
1647sent by the server upon connection.
1648The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001649.Cm none .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001650.It Cm X11DisplayOffset
1651Specifies the first display number available for
Damien Miller5b0d63f2006-03-15 11:56:56 +11001652.Xr sshd 8 Ns 's
Ben Lindstrom9f049032002-06-21 00:59:05 +00001653X11 forwarding.
Damien Miller5b0d63f2006-03-15 11:56:56 +11001654This prevents sshd from interfering with real X11 servers.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001655The default is 10.
1656.It Cm X11Forwarding
1657Specifies whether X11 forwarding is permitted.
Damien Miller101c4a72002-09-19 11:51:21 +10001658The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001659.Cm yes
Damien Miller101c4a72002-09-19 11:51:21 +10001660or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001661.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001662The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001663.Cm no .
Damien Miller101c4a72002-09-19 11:51:21 +10001664.Pp
1665When X11 forwarding is enabled, there may be additional exposure to
1666the server and to client displays if the
Damien Miller5b0d63f2006-03-15 11:56:56 +11001667.Xr sshd 8
Damien Miller101c4a72002-09-19 11:51:21 +10001668proxy display is configured to listen on the wildcard address (see
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001669.Cm X11UseLocalhost ) ,
1670though this is not the default.
Damien Miller101c4a72002-09-19 11:51:21 +10001671Additionally, the authentication spoofing and authentication data
1672verification and substitution occur on the client side.
1673The security risk of using X11 forwarding is that the client's X11
Damien Miller5b0d63f2006-03-15 11:56:56 +11001674display server may be exposed to attack when the SSH client requests
Damien Miller101c4a72002-09-19 11:51:21 +10001675forwarding (see the warnings for
1676.Cm ForwardX11
1677in
Damien Millerf1ce5052003-06-11 22:04:39 +10001678.Xr ssh_config 5 ) .
Damien Miller101c4a72002-09-19 11:51:21 +10001679A system administrator may have a stance in which they want to
1680protect clients that may expose themselves to attack by unwittingly
1681requesting X11 forwarding, which can warrant a
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001682.Cm no
Damien Miller101c4a72002-09-19 11:51:21 +10001683setting.
1684.Pp
1685Note that disabling X11 forwarding does not prevent users from
1686forwarding X11 traffic, as users can always install their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001687.It Cm X11UseLocalhost
1688Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001689.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001690should bind the X11 forwarding server to the loopback address or to
Damien Miller495dca32003-04-01 21:42:14 +10001691the wildcard address.
1692By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +11001693sshd binds the forwarding server to the loopback address and sets the
Ben Lindstrom9f049032002-06-21 00:59:05 +00001694hostname part of the
1695.Ev DISPLAY
1696environment variable to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001697.Cm localhost .
Ben Lindstrom15b61202002-08-20 18:44:24 +00001698This prevents remote hosts from connecting to the proxy display.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001699However, some older X11 clients may not function with this
1700configuration.
1701.Cm X11UseLocalhost
1702may be set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001703.Cm no
Ben Lindstrom9f049032002-06-21 00:59:05 +00001704to specify that the forwarding server should be bound to the wildcard
1705address.
1706The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001707.Cm yes
Ben Lindstrom9f049032002-06-21 00:59:05 +00001708or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001709.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001710The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001711.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001712.It Cm XAuthLocation
Damien Miller05913ba2002-09-04 16:51:03 +10001713Specifies the full pathname of the
Ben Lindstrom9f049032002-06-21 00:59:05 +00001714.Xr xauth 1
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001715program, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001716.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001717to not use one.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001718The default is
1719.Pa /usr/X11R6/bin/xauth .
1720.El
Damien Millere3beba22006-03-15 11:59:25 +11001721.Sh TIME FORMATS
Damien Millerf4f22b52006-03-15 11:57:25 +11001722.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001723command-line arguments and configuration file options that specify time
1724may be expressed using a sequence of the form:
1725.Sm off
Ben Lindstrom1f8cf4f2002-08-20 18:43:27 +00001726.Ar time Op Ar qualifier ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001727.Sm on
1728where
1729.Ar time
1730is a positive integer value and
1731.Ar qualifier
1732is one of the following:
1733.Pp
1734.Bl -tag -width Ds -compact -offset indent
Damien Miller393821a2006-07-24 14:04:53 +10001735.It Aq Cm none
Ben Lindstrom9f049032002-06-21 00:59:05 +00001736seconds
1737.It Cm s | Cm S
1738seconds
1739.It Cm m | Cm M
1740minutes
1741.It Cm h | Cm H
1742hours
1743.It Cm d | Cm D
1744days
1745.It Cm w | Cm W
1746weeks
1747.El
1748.Pp
1749Each member of the sequence is added together to calculate
1750the total time value.
1751.Pp
1752Time format examples:
1753.Pp
1754.Bl -tag -width Ds -compact -offset indent
1755.It 600
1756600 seconds (10 minutes)
1757.It 10m
175810 minutes
1759.It 1h30m
17601 hour 30 minutes (90 minutes)
1761.El
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001762.Sh TOKENS
1763Arguments to some keywords can make use of tokens,
1764which are expanded at runtime:
1765.Pp
1766.Bl -tag -width XXXX -offset indent -compact
1767.It %%
1768A literal
1769.Sq % .
djm@openbsd.org35eb33f2017-10-25 00:17:08 +00001770.It \&%D
1771The routing domain in which the incoming connection was received.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001772.It %F
1773The fingerprint of the CA key.
1774.It %f
1775The fingerprint of the key or certificate.
1776.It %h
1777The home directory of the user.
1778.It %i
1779The key ID in the certificate.
1780.It %K
1781The base64-encoded CA key.
1782.It %k
1783The base64-encoded key or certificate for authentication.
1784.It %s
1785The serial number of the certificate.
1786.It \&%T
1787The type of the CA key.
1788.It %t
1789The key or certificate type.
jmc@openbsd.org29402842018-06-01 05:50:18 +00001790.It \&%U
1791The numeric user ID of the target user.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001792.It %u
1793The username.
1794.El
1795.Pp
1796.Cm AuthorizedKeysCommand
jmc@openbsd.orge8d59fe2018-06-01 06:23:10 +00001797accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001798.Pp
1799.Cm AuthorizedKeysFile
jmc@openbsd.orge8d59fe2018-06-01 06:23:10 +00001800accepts the tokens %%, %h, %U, and %u.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001801.Pp
1802.Cm AuthorizedPrincipalsCommand
jmc@openbsd.orge8d59fe2018-06-01 06:23:10 +00001803accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001804.Pp
1805.Cm AuthorizedPrincipalsFile
jmc@openbsd.orge8d59fe2018-06-01 06:23:10 +00001806accepts the tokens %%, %h, %U, and %u.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001807.Pp
1808.Cm ChrootDirectory
jmc@openbsd.orge8d59fe2018-06-01 06:23:10 +00001809accepts the tokens %%, %h, %U, and %u.
djm@openbsd.org35eb33f2017-10-25 00:17:08 +00001810.Pp
1811.Cm RoutingDomain
1812accepts the token %D.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001813.Sh FILES
1814.Bl -tag -width Ds
1815.It Pa /etc/ssh/sshd_config
1816Contains configuration data for
Damien Millerf4f22b52006-03-15 11:57:25 +11001817.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001818This file should be writable by root only, but it is recommended
1819(though not necessary) that it be world-readable.
1820.El
Damien Millerf1ce5052003-06-11 22:04:39 +10001821.Sh SEE ALSO
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001822.Xr sftp-server 8 ,
Damien Millerf1ce5052003-06-11 22:04:39 +10001823.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001824.Sh AUTHORS
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001825.An -nosplit
Ben Lindstrom9f049032002-06-21 00:59:05 +00001826OpenSSH is a derivative of the original and free
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001827ssh 1.2.12 release by
1828.An Tatu Ylonen .
1829.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,
1830.An Theo de Raadt
1831and
1832.An Dug Song
Ben Lindstrom9f049032002-06-21 00:59:05 +00001833removed many bugs, re-added newer features and
1834created OpenSSH.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001835.An Markus Friedl
1836contributed the support for SSH protocol versions 1.5 and 2.0.
1837.An Niels Provos
1838and
1839.An Markus Friedl
1840contributed support for privilege separation.