blob: 88be8d984634cf571f7a1982e36390d1d3fb671f [file] [log] [blame]
Ben Lindstrom9f049032002-06-21 00:59:05 +00001.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\" All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose. Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\" notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\" notice, this list of conditions and the following disclaimer in the
23.\" documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
Damien Millerc1621c82014-04-20 13:22:46 +100036.\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $
37.Dd $Mdocdate: March 28 2014 $
Ben Lindstrom9f049032002-06-21 00:59:05 +000038.Dt SSHD_CONFIG 5
39.Os
40.Sh NAME
41.Nm sshd_config
42.Nd OpenSSH SSH daemon configuration file
43.Sh SYNOPSIS
Damien Millerd94fc722007-01-05 16:29:30 +110044.Nm /etc/ssh/sshd_config
Ben Lindstrom9f049032002-06-21 00:59:05 +000045.Sh DESCRIPTION
Damien Millerf4f22b52006-03-15 11:57:25 +110046.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +000047reads configuration data from
48.Pa /etc/ssh/sshd_config
49(or the file specified with
50.Fl f
51on the command line).
52The file contains keyword-argument pairs, one per line.
53Lines starting with
54.Ql #
55and empty lines are interpreted as comments.
Damien Miller306d1182006-03-15 12:05:59 +110056Arguments may optionally be enclosed in double quotes
57.Pq \&"
58in order to represent arguments containing spaces.
Ben Lindstrom9f049032002-06-21 00:59:05 +000059.Pp
60The possible
61keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive):
63.Bl -tag -width Ds
Darren Tucker46bc0752004-05-02 22:11:30 +100064.It Cm AcceptEnv
65Specifies what environment variables sent by the client will be copied into
66the session's
67.Xr environ 7 .
68See
69.Cm SendEnv
70in
71.Xr ssh_config 5
72for how to configure the client.
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100073Note that environment passing is only supported for protocol 2.
Darren Tucker46bc0752004-05-02 22:11:30 +100074Variables are specified by name, which may contain the wildcard characters
Damien Miller208f1ed2006-03-15 11:56:03 +110075.Ql *
Darren Tucker46bc0752004-05-02 22:11:30 +100076and
77.Ql \&? .
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100078Multiple environment variables may be separated by whitespace or spread
Darren Tucker46bc0752004-05-02 22:11:30 +100079across multiple
80.Cm AcceptEnv
81directives.
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100082Be warned that some environment variables could be used to bypass restricted
Darren Tucker46bc0752004-05-02 22:11:30 +100083user environments.
84For this reason, care should be taken in the use of this directive.
85The default is not to accept any environment variables.
Darren Tucker0f383232005-01-20 10:57:56 +110086.It Cm AddressFamily
87Specifies which address family should be used by
Damien Millerf4f22b52006-03-15 11:57:25 +110088.Xr sshd 8 .
Darren Tucker0f383232005-01-20 10:57:56 +110089Valid arguments are
90.Dq any ,
91.Dq inet
Damien Miller5b0d63f2006-03-15 11:56:56 +110092(use IPv4 only), or
Darren Tucker0f383232005-01-20 10:57:56 +110093.Dq inet6
94(use IPv6 only).
95The default is
96.Dq any .
Damien Millere9890192008-05-19 14:59:02 +100097.It Cm AllowAgentForwarding
98Specifies whether
99.Xr ssh-agent 1
100forwarding is permitted.
101The default is
102.Dq yes .
103Note that disabling agent forwarding does not improve security
104unless users are also denied shell access, as they can always install
105their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000106.It Cm AllowGroups
107This keyword can be followed by a list of group name patterns, separated
108by spaces.
109If specified, login is allowed only for users whose primary
110group or supplementary group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000111Only group names are valid; a numerical group ID is not recognized.
112By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100113The allow/deny directives are processed in the following order:
114.Cm DenyUsers ,
115.Cm AllowUsers ,
116.Cm DenyGroups ,
117and finally
118.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100119.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000120See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100121.Xr ssh_config 5
122for more information on patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000123.It Cm AllowTcpForwarding
124Specifies whether TCP forwarding is permitted.
Damien Milleraa5b3f82012-12-03 09:50:54 +1100125The available options are
126.Dq yes
127or
128.Dq all
129to allow TCP forwarding,
130.Dq no
131to prevent all TCP forwarding,
132.Dq local
133to allow local (from the perspective of
Darren Tuckerf9333d52012-12-07 13:06:13 +1100134.Xr ssh 1 )
135forwarding only or
Damien Milleraa5b3f82012-12-03 09:50:54 +1100136.Dq remote
137to allow remote forwarding only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000138The default is
139.Dq yes .
140Note that disabling TCP forwarding does not improve security unless
141users are also denied shell access, as they can always install their
142own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000143.It Cm AllowUsers
144This keyword can be followed by a list of user name patterns, separated
145by spaces.
Damien Miller5a93add2003-01-24 11:34:52 +1100146If specified, login is allowed only for user names that
Ben Lindstrom9f049032002-06-21 00:59:05 +0000147match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000148Only user names are valid; a numerical user ID is not recognized.
149By default, login is allowed for all users.
150If the pattern takes the form USER@HOST then USER and HOST
151are separately checked, restricting logins to particular
152users from particular hosts.
Damien Millerac73e512006-03-15 11:58:49 +1100153The allow/deny directives are processed in the following order:
154.Cm DenyUsers ,
155.Cm AllowUsers ,
156.Cm DenyGroups ,
157and finally
158.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100159.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000160See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100161.Xr ssh_config 5
162for more information on patterns.
Damien Millera6e3f012012-11-04 23:21:40 +1100163.It Cm AuthenticationMethods
164Specifies the authentication methods that must be successfully completed
165for a user to be granted access.
166This option must be followed by one or more comma-separated lists of
167authentication method names.
168Successful authentication requires completion of every method in at least
169one of these lists.
170.Pp
171For example, an argument of
172.Dq publickey,password publickey,keyboard-interactive
173would require the user to complete public key authentication, followed by
174either password or keyboard interactive authentication.
175Only methods that are next in one or more lists are offered at each stage,
176so for this example, it would not be possible to attempt password or
177keyboard-interactive authentication before public key.
178.Pp
Damien Miller91a55f22013-04-23 15:18:10 +1000179For keyboard interactive authentication it is also possible to
180restrict authentication to a specific device by appending a
181colon followed by the device identifier
182.Dq bsdauth ,
183.Dq pam ,
184or
185.Dq skey ,
186depending on the server configuration.
187For example,
188.Dq keyboard-interactive:bsdauth
189would restrict keyboard interactive authentication to the
190.Dq bsdauth
191device.
192.Pp
Damien Millera6e3f012012-11-04 23:21:40 +1100193This option is only available for SSH protocol 2 and will yield a fatal
194error if enabled if protocol 1 is also enabled.
195Note that each authentication method listed should also be explicitly enabled
196in the configuration.
197The default is not to require multiple authentication; successful completion
198of a single authentication method is sufficient.
Damien Miller09d3e122012-10-31 08:58:58 +1100199.It Cm AuthorizedKeysCommand
Damien Millerf33580e2012-11-04 22:22:52 +1100200Specifies a program to be used to look up the user's public keys.
Damien Miller467b00c2013-04-23 15:23:07 +1000201The program must be owned by root and not writable by group or others.
202It will be invoked with a single argument of the username
Damien Miller09d3e122012-10-31 08:58:58 +1100203being authenticated, and should produce on standard output zero or
Damien Millerfecfd112013-07-18 16:11:50 +1000204more lines of authorized_keys output (see AUTHORIZED_KEYS in
Damien Millerf33580e2012-11-04 22:22:52 +1100205.Xr sshd 8 ) .
Damien Miller09d3e122012-10-31 08:58:58 +1100206If a key supplied by AuthorizedKeysCommand does not successfully authenticate
207and authorize the user then public key authentication continues using the usual
208.Cm AuthorizedKeysFile
209files.
210By default, no AuthorizedKeysCommand is run.
211.It Cm AuthorizedKeysCommandUser
212Specifies the user under whose account the AuthorizedKeysCommand is run.
Damien Miller09d3e122012-10-31 08:58:58 +1100213It is recommended to use a dedicated user that has no other role on the host
214than running authorized keys commands.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000215.It Cm AuthorizedKeysFile
216Specifies the file that contains the public keys that can be used
217for user authentication.
Damien Miller6018a362010-07-02 13:35:19 +1000218The format is described in the
Damien Millerfecfd112013-07-18 16:11:50 +1000219AUTHORIZED_KEYS FILE FORMAT
Damien Miller6018a362010-07-02 13:35:19 +1000220section of
221.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000222.Cm AuthorizedKeysFile
223may contain tokens of the form %T which are substituted during connection
Damien Miller5b0d63f2006-03-15 11:56:56 +1100224setup.
Damien Millerfbf486b2003-05-23 18:44:23 +1000225The following tokens are defined: %% is replaced by a literal '%',
Damien Miller5b0d63f2006-03-15 11:56:56 +1100226%h is replaced by the home directory of the user being authenticated, and
Ben Lindstrom9f049032002-06-21 00:59:05 +0000227%u is replaced by the username of that user.
228After expansion,
229.Cm AuthorizedKeysFile
230is taken to be an absolute path or one relative to the user's home
231directory.
Damien Millerb9132fc2011-05-29 21:41:40 +1000232Multiple files may be listed, separated by whitespace.
233The default is
234.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
Damien Miller30da3442010-05-10 11:58:03 +1000235.It Cm AuthorizedPrincipalsFile
236Specifies a file that lists principal names that are accepted for
237certificate authentication.
238When using certificates signed by a key listed in
239.Cm TrustedUserCAKeys ,
240this file lists names, one of which must appear in the certificate for it
241to be accepted for authentication.
Damien Millerd59dab82010-07-02 13:37:17 +1000242Names are listed one per line preceded by key options (as described
Damien Millerfecfd112013-07-18 16:11:50 +1000243in AUTHORIZED_KEYS FILE FORMAT in
Damien Millerd59dab82010-07-02 13:37:17 +1000244.Xr sshd 8 ) .
Damien Miller6018a362010-07-02 13:35:19 +1000245Empty lines and comments starting with
Damien Miller30da3442010-05-10 11:58:03 +1000246.Ql #
247are ignored.
248.Pp
249.Cm AuthorizedPrincipalsFile
250may contain tokens of the form %T which are substituted during connection
251setup.
252The following tokens are defined: %% is replaced by a literal '%',
253%h is replaced by the home directory of the user being authenticated, and
254%u is replaced by the username of that user.
255After expansion,
256.Cm AuthorizedPrincipalsFile
257is taken to be an absolute path or one relative to the user's home
258directory.
259.Pp
Damien Miller8fef9eb2012-04-22 11:25:10 +1000260The default is
261.Dq none ,
262i.e. not to use a principals file \(en in this case, the username
Damien Miller30da3442010-05-10 11:58:03 +1000263of the user must appear in a certificate's principals list for it to be
264accepted.
265Note that
266.Cm AuthorizedPrincipalsFile
267is only used when authentication proceeds using a CA listed in
268.Cm TrustedUserCAKeys
269and is not consulted for certification authorities trusted via
270.Pa ~/.ssh/authorized_keys ,
271though the
272.Cm principals=
273key option offers a similar facility (see
274.Xr sshd 8
275for details).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000276.It Cm Banner
Ben Lindstrom9f049032002-06-21 00:59:05 +0000277The contents of the specified file are sent to the remote user before
278authentication is allowed.
Damien Miller4890e532007-09-17 11:57:38 +1000279If the argument is
280.Dq none
281then no banner is displayed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000282This option is only available for protocol version 2.
283By default, no banner is displayed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000284.It Cm ChallengeResponseAuthentication
Damien Miller9c7bf8d2009-08-28 10:27:08 +1000285Specifies whether challenge-response authentication is allowed (e.g. via
286PAM or though authentication styles supported in
287.Xr login.conf 5 )
Ben Lindstrom9f049032002-06-21 00:59:05 +0000288The default is
289.Dq yes .
Damien Millerd8cb1f12008-02-10 22:40:12 +1100290.It Cm ChrootDirectory
Darren Tuckerb8c884a2010-01-08 18:53:43 +1100291Specifies the pathname of a directory to
Damien Millerd8cb1f12008-02-10 22:40:12 +1100292.Xr chroot 2
293to after authentication.
Darren Tuckerb8c884a2010-01-08 18:53:43 +1100294All components of the pathname must be root-owned directories that are
Damien Millerd8cb1f12008-02-10 22:40:12 +1100295not writable by any other user or group.
Darren Tucker51dbe502009-06-21 17:56:51 +1000296After the chroot,
297.Xr sshd 8
298changes the working directory to the user's home directory.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100299.Pp
Darren Tuckerb8c884a2010-01-08 18:53:43 +1100300The pathname may contain the following tokens that are expanded at runtime once
Damien Millerd8cb1f12008-02-10 22:40:12 +1100301the connecting user has been authenticated: %% is replaced by a literal '%',
302%h is replaced by the home directory of the user being authenticated, and
303%u is replaced by the username of that user.
304.Pp
305The
306.Cm ChrootDirectory
307must contain the necessary files and directories to support the
Darren Tuckeraf501cf2009-06-21 17:53:04 +1000308user's session.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100309For an interactive session this requires at least a shell, typically
310.Xr sh 1 ,
311and basic
312.Pa /dev
313nodes such as
314.Xr null 4 ,
315.Xr zero 4 ,
316.Xr stdin 4 ,
317.Xr stdout 4 ,
318.Xr stderr 4 ,
319.Xr arandom 4
320and
321.Xr tty 4
322devices.
323For file transfer sessions using
Darren Tuckerf92077f2009-06-21 17:56:25 +1000324.Dq sftp ,
Damien Millerd8cb1f12008-02-10 22:40:12 +1100325no additional configuration of the environment is necessary if the
Darren Tuckerf92077f2009-06-21 17:56:25 +1000326in-process sftp server is used,
327though sessions which use logging do require
Darren Tucker00fcd712009-06-21 17:56:00 +1000328.Pa /dev/log
329inside the chroot directory (see
330.Xr sftp-server 8
331for details).
Damien Millerd8cb1f12008-02-10 22:40:12 +1100332.Pp
333The default is not to
334.Xr chroot 2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000335.It Cm Ciphers
336Specifies the ciphers allowed for protocol version 2.
337Multiple ciphers must be comma-separated.
Damien Miller0fde8ac2013-11-21 14:12:23 +1100338The supported ciphers are:
339.Pp
Damien Millerc1621c82014-04-20 13:22:46 +1000340.Bl -item -compact -offset indent
341.It
3423des-cbc
343.It
344aes128-cbc
345.It
346aes192-cbc
347.It
348aes256-cbc
349.It
350aes128-ctr
351.It
352aes192-ctr
353.It
354aes256-ctr
355.It
356aes128-gcm@openssh.com
357.It
358aes256-gcm@openssh.com
359.It
360arcfour
361.It
362arcfour128
363.It
364arcfour256
365.It
366blowfish-cbc
367.It
368cast128-cbc
369.It
370chacha20-poly1305@openssh.com
371.El
Damien Miller0fde8ac2013-11-21 14:12:23 +1100372.Pp
Damien Miller5b0d63f2006-03-15 11:56:56 +1100373The default is:
Damien Millerc1621c82014-04-20 13:22:46 +1000374.Bd -literal -offset indent
375aes128-ctr,aes192-ctr,aes256-ctr,
Damien Miller1d75abf2013-01-09 16:12:19 +1100376aes128-gcm@openssh.com,aes256-gcm@openssh.com,
Damien Millerc1621c82014-04-20 13:22:46 +1000377chacha20-poly1305@openssh.com
Ben Lindstrom9f049032002-06-21 00:59:05 +0000378.Ed
Damien Miller0fde8ac2013-11-21 14:12:23 +1100379.Pp
380The list of available ciphers may also be obtained using the
381.Fl Q
382option of
383.Xr ssh 1 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000384.It Cm ClientAliveCountMax
Damien Millerb7977702006-01-03 18:47:31 +1100385Sets the number of client alive messages (see below) which may be
Ben Lindstrom9f049032002-06-21 00:59:05 +0000386sent without
Damien Miller5b0d63f2006-03-15 11:56:56 +1100387.Xr sshd 8
Damien Millerfbf486b2003-05-23 18:44:23 +1000388receiving any messages back from the client.
389If this threshold is reached while client alive messages are being sent,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100390sshd will disconnect the client, terminating the session.
Damien Millerfbf486b2003-05-23 18:44:23 +1000391It is important to note that the use of client alive messages is very
392different from
Damien Miller12c150e2003-12-17 16:31:10 +1100393.Cm TCPKeepAlive
Damien Millerfbf486b2003-05-23 18:44:23 +1000394(below).
395The client alive messages are sent through the encrypted channel
396and therefore will not be spoofable.
397The TCP keepalive option enabled by
Damien Miller12c150e2003-12-17 16:31:10 +1100398.Cm TCPKeepAlive
Damien Millerfbf486b2003-05-23 18:44:23 +1000399is spoofable.
400The client alive mechanism is valuable when the client or
Ben Lindstrom9f049032002-06-21 00:59:05 +0000401server depend on knowing when a connection has become inactive.
402.Pp
Damien Millerfbf486b2003-05-23 18:44:23 +1000403The default value is 3.
404If
Ben Lindstrom9f049032002-06-21 00:59:05 +0000405.Cm ClientAliveInterval
Damien Millerb7977702006-01-03 18:47:31 +1100406(see below) is set to 15, and
Ben Lindstrom9f049032002-06-21 00:59:05 +0000407.Cm ClientAliveCountMax
Damien Miller5b0d63f2006-03-15 11:56:56 +1100408is left at the default, unresponsive SSH clients
Ben Lindstrom9f049032002-06-21 00:59:05 +0000409will be disconnected after approximately 45 seconds.
Damien Millercc3e8ba2006-03-15 12:06:55 +1100410This option applies to protocol version 2 only.
Damien Miller1594ad52005-05-26 12:12:19 +1000411.It Cm ClientAliveInterval
412Sets a timeout interval in seconds after which if no data has been received
413from the client,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100414.Xr sshd 8
Damien Miller1594ad52005-05-26 12:12:19 +1000415will send a message through the encrypted
416channel to request a response from the client.
417The default
418is 0, indicating that these messages will not be sent to the client.
419This option applies to protocol version 2 only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000420.It Cm Compression
Damien Miller9786e6e2005-07-26 21:54:56 +1000421Specifies whether compression is allowed, or delayed until
422the user has authenticated successfully.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000423The argument must be
Damien Miller9786e6e2005-07-26 21:54:56 +1000424.Dq yes ,
425.Dq delayed ,
Ben Lindstrom9f049032002-06-21 00:59:05 +0000426or
427.Dq no .
428The default is
Damien Miller9786e6e2005-07-26 21:54:56 +1000429.Dq delayed .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000430.It Cm DenyGroups
431This keyword can be followed by a list of group name patterns, separated
432by spaces.
433Login is disallowed for users whose primary group or supplementary
434group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000435Only group names are valid; a numerical group ID is not recognized.
436By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100437The allow/deny directives are processed in the following order:
438.Cm DenyUsers ,
439.Cm AllowUsers ,
440.Cm DenyGroups ,
441and finally
442.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100443.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000444See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100445.Xr ssh_config 5
446for more information on patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000447.It Cm DenyUsers
448This keyword can be followed by a list of user name patterns, separated
449by spaces.
450Login is disallowed for user names that match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000451Only user names are valid; a numerical user ID is not recognized.
452By default, login is allowed for all users.
453If the pattern takes the form USER@HOST then USER and HOST
454are separately checked, restricting logins to particular
455users from particular hosts.
Damien Millerac73e512006-03-15 11:58:49 +1100456The allow/deny directives are processed in the following order:
457.Cm DenyUsers ,
458.Cm AllowUsers ,
459.Cm DenyGroups ,
460and finally
461.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100462.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000463See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100464.Xr ssh_config 5
465for more information on patterns.
Damien Millere2754432006-07-24 14:06:47 +1000466.It Cm ForceCommand
467Forces the execution of the command specified by
468.Cm ForceCommand ,
Damien Millera1b48cc2008-03-27 11:02:02 +1100469ignoring any command supplied by the client and
470.Pa ~/.ssh/rc
471if present.
Damien Millere2754432006-07-24 14:06:47 +1000472The command is invoked by using the user's login shell with the -c option.
473This applies to shell, command, or subsystem execution.
474It is most useful inside a
475.Cm Match
476block.
477The command originally supplied by the client is available in the
478.Ev SSH_ORIGINAL_COMMAND
479environment variable.
Damien Millercdb6e652008-02-10 22:47:24 +1100480Specifying a command of
481.Dq internal-sftp
482will force the use of an in-process sftp server that requires no support
483files when used with
484.Cm ChrootDirectory .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000485.It Cm GatewayPorts
486Specifies whether remote hosts are allowed to connect to ports
487forwarded for the client.
488By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100489.Xr sshd 8
Damien Miller495dca32003-04-01 21:42:14 +1000490binds remote port forwardings to the loopback address.
491This prevents other remote hosts from connecting to forwarded ports.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000492.Cm GatewayPorts
Damien Miller5b0d63f2006-03-15 11:56:56 +1100493can be used to specify that sshd
Damien Millerf91ee4c2005-03-01 21:24:33 +1100494should allow remote port forwardings to bind to non-loopback addresses, thus
495allowing other hosts to connect.
496The argument may be
497.Dq no
498to force remote port forwardings to be available to the local host only,
Ben Lindstrom9f049032002-06-21 00:59:05 +0000499.Dq yes
Damien Millerf91ee4c2005-03-01 21:24:33 +1100500to force remote port forwardings to bind to the wildcard address, or
501.Dq clientspecified
502to allow the client to select the address to which the forwarding is bound.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000503The default is
504.Dq no .
Darren Tucker0efd1552003-08-26 11:49:55 +1000505.It Cm GSSAPIAuthentication
Damien Miller9b7b03b2003-09-02 22:57:05 +1000506Specifies whether user authentication based on GSSAPI is allowed.
Damien Millera8e06ce2003-11-21 23:48:55 +1100507The default is
Darren Tucker0efd1552003-08-26 11:49:55 +1000508.Dq no .
509Note that this option applies to protocol version 2 only.
510.It Cm GSSAPICleanupCredentials
511Specifies whether to automatically destroy the user's credentials cache
512on logout.
513The default is
514.Dq yes .
515Note that this option applies to protocol version 2 only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000516.It Cm HostbasedAuthentication
517Specifies whether rhosts or /etc/hosts.equiv authentication together
518with successful public key client host authentication is allowed
Damien Miller1faa7132006-03-15 11:55:31 +1100519(host-based authentication).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000520This option is similar to
521.Cm RhostsRSAAuthentication
522and applies to protocol version 2 only.
523The default is
524.Dq no .
Damien Millerb594f382006-08-30 11:06:34 +1000525.It Cm HostbasedUsesNameFromPacketOnly
526Specifies whether or not the server will attempt to perform a reverse
527name lookup when matching the name in the
528.Pa ~/.shosts ,
529.Pa ~/.rhosts ,
530and
531.Pa /etc/hosts.equiv
532files during
533.Cm HostbasedAuthentication .
534A setting of
535.Dq yes
536means that
537.Xr sshd 8
538uses the name supplied by the client rather than
539attempting to resolve the name from the TCP connection itself.
540The default is
541.Dq no .
Damien Miller0a80ca12010-02-27 07:55:05 +1100542.It Cm HostCertificate
543Specifies a file containing a public host certificate.
544The certificate's public key must match a private host key already specified
545by
546.Cm HostKey .
547The default behaviour of
548.Xr sshd 8
549is not to load any certificates.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000550.It Cm HostKey
551Specifies a file containing a private host key
552used by SSH.
553The default is
554.Pa /etc/ssh/ssh_host_key
555for protocol version 1, and
Damien Millereb8b60e2010-08-31 22:41:14 +1000556.Pa /etc/ssh/ssh_host_dsa_key ,
Damien Miller8ba0ead2013-12-18 17:46:27 +1100557.Pa /etc/ssh/ssh_host_ecdsa_key ,
558.Pa /etc/ssh/ssh_host_ed25519_key
Ben Lindstrom9f049032002-06-21 00:59:05 +0000559and
Damien Millereb8b60e2010-08-31 22:41:14 +1000560.Pa /etc/ssh/ssh_host_rsa_key
Ben Lindstrom9f049032002-06-21 00:59:05 +0000561for protocol version 2.
562Note that
Damien Miller5b0d63f2006-03-15 11:56:56 +1100563.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000564will refuse to use a file if it is group/world-accessible.
565It is possible to have multiple host key files.
566.Dq rsa1
567keys are used for version 1 and
Damien Millereb8b60e2010-08-31 22:41:14 +1000568.Dq dsa ,
Damien Miller8ba0ead2013-12-18 17:46:27 +1100569.Dq ecdsa ,
570.Dq ed25519
Ben Lindstrom9f049032002-06-21 00:59:05 +0000571or
572.Dq rsa
573are used for version 2 of the SSH protocol.
Damien Miller85b45e02013-07-20 13:21:52 +1000574It is also possible to specify public host key files instead.
575In this case operations on the private key will be delegated
576to an
577.Xr ssh-agent 1 .
578.It Cm HostKeyAgent
579Identifies the UNIX-domain socket used to communicate
580with an agent that has access to the private host keys.
581If
582.Dq SSH_AUTH_SOCK
583is specified, the location of the socket will be read from the
584.Ev SSH_AUTH_SOCK
585environment variable.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000586.It Cm IgnoreRhosts
587Specifies that
588.Pa .rhosts
589and
590.Pa .shosts
591files will not be used in
Ben Lindstrom9f049032002-06-21 00:59:05 +0000592.Cm RhostsRSAAuthentication
593or
594.Cm HostbasedAuthentication .
595.Pp
596.Pa /etc/hosts.equiv
597and
598.Pa /etc/shosts.equiv
599are still used.
600The default is
601.Dq yes .
602.It Cm IgnoreUserKnownHosts
603Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100604.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000605should ignore the user's
Damien Miller167ea5d2005-05-26 12:04:02 +1000606.Pa ~/.ssh/known_hosts
Ben Lindstrom9f049032002-06-21 00:59:05 +0000607during
608.Cm RhostsRSAAuthentication
609or
610.Cm HostbasedAuthentication .
611The default is
612.Dq no .
Damien Miller0dac6fb2010-11-20 15:19:38 +1100613.It Cm IPQoS
614Specifies the IPv4 type-of-service or DSCP class for the connection.
615Accepted values are
616.Dq af11 ,
617.Dq af12 ,
618.Dq af13 ,
Damien Millerf6e758c2011-09-22 21:37:13 +1000619.Dq af21 ,
Damien Miller0dac6fb2010-11-20 15:19:38 +1100620.Dq af22 ,
621.Dq af23 ,
622.Dq af31 ,
623.Dq af32 ,
624.Dq af33 ,
625.Dq af41 ,
626.Dq af42 ,
627.Dq af43 ,
628.Dq cs0 ,
629.Dq cs1 ,
630.Dq cs2 ,
631.Dq cs3 ,
632.Dq cs4 ,
633.Dq cs5 ,
634.Dq cs6 ,
635.Dq cs7 ,
636.Dq ef ,
637.Dq lowdelay ,
638.Dq throughput ,
639.Dq reliability ,
640or a numeric value.
Damien Miller928362d2010-12-26 14:26:45 +1100641This option may take one or two arguments, separated by whitespace.
Damien Miller0dac6fb2010-11-20 15:19:38 +1100642If one argument is specified, it is used as the packet class unconditionally.
643If two values are specified, the first is automatically selected for
644interactive sessions and the second for non-interactive sessions.
645The default is
646.Dq lowdelay
647for interactive sessions and
648.Dq throughput
649for non-interactive sessions.
Damien Millere1e480a2014-02-04 11:13:17 +1100650.It Cm KbdInteractiveAuthentication
651Specifies whether to allow keyboard-interactive authentication.
652The argument to this keyword must be
653.Dq yes
654or
655.Dq no .
656The default is to use whatever value
657.Cm ChallengeResponseAuthentication
658is set to
659(by default
660.Dq yes ) .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000661.It Cm KerberosAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000662Specifies whether the password provided by the user for
Ben Lindstrom9f049032002-06-21 00:59:05 +0000663.Cm PasswordAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000664will be validated through the Kerberos KDC.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000665To use this option, the server needs a
666Kerberos servtab which allows the verification of the KDC's identity.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100667The default is
Ben Lindstrom9f049032002-06-21 00:59:05 +0000668.Dq no .
Damien Miller8448e662004-03-08 23:13:15 +1100669.It Cm KerberosGetAFSToken
Darren Tuckere2dd2d52005-10-03 18:19:06 +1000670If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
Damien Miller8448e662004-03-08 23:13:15 +1100671an AFS token before accessing the user's home directory.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100672The default is
Damien Miller8448e662004-03-08 23:13:15 +1100673.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000674.It Cm KerberosOrLocalPasswd
Damien Miller5b0d63f2006-03-15 11:56:56 +1100675If password authentication through Kerberos fails then
Ben Lindstrom9f049032002-06-21 00:59:05 +0000676the password will be validated via any additional local mechanism
677such as
678.Pa /etc/passwd .
Damien Miller5b0d63f2006-03-15 11:56:56 +1100679The default is
Ben Lindstrom9f049032002-06-21 00:59:05 +0000680.Dq yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000681.It Cm KerberosTicketCleanup
682Specifies whether to automatically destroy the user's ticket cache
683file on logout.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100684The default is
Ben Lindstrom9f049032002-06-21 00:59:05 +0000685.Dq yes .
Damien Millerd5f62bf2010-09-24 22:11:14 +1000686.It Cm KexAlgorithms
687Specifies the available KEX (Key Exchange) algorithms.
688Multiple algorithms must be comma-separated.
Damien Millerc1621c82014-04-20 13:22:46 +1000689The supported algorithms are:
690.Pp
691.Bl -item -compact -offset indent
692.It
693curve25519-sha256@libssh.org
694.It
695diffie-hellman-group1-sha1
696.It
697diffie-hellman-group14-sha1
698.It
699diffie-hellman-group-exchange-sha1
700.It
701diffie-hellman-group-exchange-sha256
702.It
703ecdh-sha2-nistp256
704.It
705ecdh-sha2-nistp384
706.It
707ecdh-sha2-nistp521
708.El
709.Pp
710The default is:
Damien Miller6575c3a2013-12-18 17:47:02 +1100711.Bd -literal -offset indent
712curve25519-sha256@libssh.org,
713ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
714diffie-hellman-group-exchange-sha256,
Damien Millerc1621c82014-04-20 13:22:46 +1000715diffie-hellman-group14-sha1
Damien Miller6575c3a2013-12-18 17:47:02 +1100716.Ed
Ben Lindstrom9f049032002-06-21 00:59:05 +0000717.It Cm KeyRegenerationInterval
718In protocol version 1, the ephemeral server key is automatically regenerated
719after this many seconds (if it has been used).
720The purpose of regeneration is to prevent
721decrypting captured sessions by later breaking into the machine and
722stealing the keys.
723The key is never stored anywhere.
724If the value is 0, the key is never regenerated.
725The default is 3600 (seconds).
726.It Cm ListenAddress
727Specifies the local addresses
Damien Miller5b0d63f2006-03-15 11:56:56 +1100728.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000729should listen on.
730The following forms may be used:
731.Pp
732.Bl -item -offset indent -compact
733.It
734.Cm ListenAddress
735.Sm off
736.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
737.Sm on
738.It
739.Cm ListenAddress
740.Sm off
741.Ar host No | Ar IPv4_addr No : Ar port
742.Sm on
743.It
744.Cm ListenAddress
745.Sm off
746.Oo
747.Ar host No | Ar IPv6_addr Oc : Ar port
748.Sm on
749.El
750.Pp
751If
752.Ar port
753is not specified,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100754sshd will listen on the address and all prior
Ben Lindstrom9f049032002-06-21 00:59:05 +0000755.Cm Port
Damien Millerfbf486b2003-05-23 18:44:23 +1000756options specified.
757The default is to listen on all local addresses.
Damien Miller495dca32003-04-01 21:42:14 +1000758Multiple
Ben Lindstrom9f049032002-06-21 00:59:05 +0000759.Cm ListenAddress
Damien Millerfbf486b2003-05-23 18:44:23 +1000760options are permitted.
761Additionally, any
Ben Lindstrom9f049032002-06-21 00:59:05 +0000762.Cm Port
Damien Miller5b0d63f2006-03-15 11:56:56 +1100763options must precede this option for non-port qualified addresses.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000764.It Cm LoginGraceTime
765The server disconnects after this time if the user has not
766successfully logged in.
767If the value is 0, there is no time limit.
Damien Millerc1348632002-09-05 14:35:14 +1000768The default is 120 seconds.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000769.It Cm LogLevel
770Gives the verbosity level that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +1100771.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000772The possible values are:
Damien Miller5b0d63f2006-03-15 11:56:56 +1100773QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
Damien Miller495dca32003-04-01 21:42:14 +1000774The default is INFO.
775DEBUG and DEBUG1 are equivalent.
776DEBUG2 and DEBUG3 each specify higher levels of debugging output.
777Logging with a DEBUG level violates the privacy of users and is not recommended.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000778.It Cm MACs
779Specifies the available MAC (message authentication code) algorithms.
780The MAC algorithm is used in protocol version 2
781for data integrity protection.
782Multiple algorithms must be comma-separated.
Damien Milleraf43a7a2012-12-12 10:46:31 +1100783The algorithms that contain
784.Dq -etm
785calculate the MAC after encryption (encrypt-then-mac).
786These are considered safer and their use recommended.
Damien Millerc1621c82014-04-20 13:22:46 +1000787The supported MACs are:
788.Pp
789.Bl -item -compact -offset indent
790.It
791hmac-md5
792.It
793hmac-md5-96
794.It
795hmac-ripemd160
796.It
797hmac-sha1
798.It
799hmac-sha1-96
800.It
801hmac-sha2-256
802.It
803hmac-sha2-512
804.It
805umac-64@openssh.com
806.It
807umac-128@openssh.com
808.It
809hmac-md5-etm@openssh.com
810.It
811hmac-md5-96-etm@openssh.com
812.It
813hmac-ripemd160-etm@openssh.com
814.It
815hmac-sha1-etm@openssh.com
816.It
817hmac-sha1-96-etm@openssh.com
818.It
819hmac-sha2-256-etm@openssh.com
820.It
821hmac-sha2-512-etm@openssh.com
822.It
823umac-64-etm@openssh.com
824.It
825umac-128-etm@openssh.com
826.El
827.Pp
Damien Miller5b0d63f2006-03-15 11:56:56 +1100828The default is:
Damien Miller22b7b492007-06-11 14:07:12 +1000829.Bd -literal -offset indent
Damien Milleraf43a7a2012-12-12 10:46:31 +1100830umac-64-etm@openssh.com,umac-128-etm@openssh.com,
831hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
Damien Millerc1621c82014-04-20 13:22:46 +1000832umac-64@openssh.com,umac-128@openssh.com,
833hmac-sha2-256,hmac-sha2-512
Damien Miller22b7b492007-06-11 14:07:12 +1000834.Ed
Darren Tucker45150472006-07-12 22:34:17 +1000835.It Cm Match
Damien Millerd04f3572006-07-24 13:46:50 +1000836Introduces a conditional block.
Damien Miller8c234032006-07-24 14:05:08 +1000837If all of the criteria on the
Darren Tucker45150472006-07-12 22:34:17 +1000838.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +1000839line are satisfied, the keywords on the following lines override those
840set in the global section of the config file, until either another
Darren Tucker45150472006-07-12 22:34:17 +1000841.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +1000842line or the end of the file.
Damien Millerfc5d6752014-02-28 10:01:28 +1100843If a keyword appears in multiple
844.Cm Match
845blocks that are satisified, only the first instance of the keyword is
846applied.
Darren Tucker7a3935d2008-06-10 22:59:10 +1000847.Pp
Damien Millerd04f3572006-07-24 13:46:50 +1000848The arguments to
Darren Tucker45150472006-07-12 22:34:17 +1000849.Cm Match
Damien Millercf31f382013-10-24 21:02:56 +1100850are one or more criteria-pattern pairs or the single token
851.Cm All
852which matches all criteria.
Darren Tucker45150472006-07-12 22:34:17 +1000853The available criteria are
854.Cm User ,
Damien Miller565ca3f2006-08-19 00:23:15 +1000855.Cm Group ,
Darren Tucker45150472006-07-12 22:34:17 +1000856.Cm Host ,
Darren Tuckerfbcf8272012-05-19 19:37:01 +1000857.Cm LocalAddress ,
858.Cm LocalPort ,
Darren Tucker45150472006-07-12 22:34:17 +1000859and
860.Cm Address .
Darren Tucker7a3935d2008-06-10 22:59:10 +1000861The match patterns may consist of single entries or comma-separated
862lists and may use the wildcard and negation operators described in the
Damien Millerfecfd112013-07-18 16:11:50 +1000863PATTERNS section of
Darren Tuckerb06cc4a2008-06-10 22:59:53 +1000864.Xr ssh_config 5 .
Darren Tucker7a3935d2008-06-10 22:59:10 +1000865.Pp
866The patterns in an
867.Cm Address
868criteria may additionally contain addresses to match in CIDR
Darren Tucker6a2a4002008-06-10 23:03:04 +1000869address/masklen format, e.g.\&
Darren Tucker7a3935d2008-06-10 22:59:10 +1000870.Dq 192.0.2.0/24
871or
872.Dq 3ffe:ffff::/32 .
873Note that the mask length provided must be consistent with the address -
874it is an error to specify a mask length that is too long for the address
Darren Tucker6a2a4002008-06-10 23:03:04 +1000875or one with bits set in this host portion of the address.
876For example,
Darren Tucker7a3935d2008-06-10 22:59:10 +1000877.Dq 192.0.2.0/33
878and
Darren Tucker6a2a4002008-06-10 23:03:04 +1000879.Dq 192.0.2.0/8
Darren Tucker7a3935d2008-06-10 22:59:10 +1000880respectively.
881.Pp
Darren Tucker45150472006-07-12 22:34:17 +1000882Only a subset of keywords may be used on the lines following a
883.Cm Match
884keyword.
885Available keywords are
Damien Millerf8268502012-06-20 21:54:15 +1000886.Cm AcceptEnv ,
Damien Miller17819012009-01-28 16:20:17 +1100887.Cm AllowAgentForwarding ,
Damien Millerf8268502012-06-20 21:54:15 +1000888.Cm AllowGroups ,
Damien Miller9b439df2006-07-24 14:04:00 +1000889.Cm AllowTcpForwarding ,
Damien Millerc24da772012-06-20 21:53:58 +1000890.Cm AllowUsers ,
Damien Millera6e3f012012-11-04 23:21:40 +1100891.Cm AuthenticationMethods ,
Damien Miller09d3e122012-10-31 08:58:58 +1100892.Cm AuthorizedKeysCommand ,
893.Cm AuthorizedKeysCommandUser ,
Damien Millerf33580e2012-11-04 22:22:52 +1100894.Cm AuthorizedKeysFile ,
Damien Millerab6de352010-06-26 09:38:45 +1000895.Cm AuthorizedPrincipalsFile ,
Darren Tucker1629c072007-02-19 22:25:37 +1100896.Cm Banner ,
Damien Miller797e3d12008-05-19 14:27:42 +1000897.Cm ChrootDirectory ,
Damien Millerc24da772012-06-20 21:53:58 +1000898.Cm DenyGroups ,
899.Cm DenyUsers ,
Damien Millere2754432006-07-24 14:06:47 +1000900.Cm ForceCommand ,
Damien Millerc24da772012-06-20 21:53:58 +1000901.Cm GatewayPorts ,
Damien Millerf8268502012-06-20 21:54:15 +1000902.Cm GSSAPIAuthentication ,
Damien Miller25434de2008-05-19 14:29:08 +1000903.Cm HostbasedAuthentication ,
Damien Millerab6de352010-06-26 09:38:45 +1000904.Cm HostbasedUsesNameFromPacketOnly ,
Darren Tucker1d75f222007-03-01 21:31:28 +1100905.Cm KbdInteractiveAuthentication ,
Damien Miller5737e362007-03-06 21:21:18 +1100906.Cm KerberosAuthentication ,
Damien Miller307c1d12008-06-16 07:56:20 +1000907.Cm MaxAuthTries ,
Damien Millerc62a5af2008-06-16 07:55:46 +1000908.Cm MaxSessions ,
Darren Tucker1629c072007-02-19 22:25:37 +1100909.Cm PasswordAuthentication ,
Damien Miller51bde602008-11-03 19:23:10 +1100910.Cm PermitEmptyPasswords ,
Damien Millerd1de9952006-07-24 14:05:48 +1000911.Cm PermitOpen ,
Darren Tucker15f94272008-01-01 20:36:56 +1100912.Cm PermitRootLogin ,
Damien Miller5ff30c62013-10-30 22:21:50 +1100913.Cm PermitTTY ,
Damien Millerab6de352010-06-26 09:38:45 +1000914.Cm PermitTunnel ,
Darren Tucker1477ea12009-10-07 08:36:05 +1100915.Cm PubkeyAuthentication ,
Darren Tucker5f96f3b2013-05-16 20:29:28 +1000916.Cm RekeyLimit ,
Damien Millerc24da772012-06-20 21:53:58 +1000917.Cm RhostsRSAAuthentication ,
Damien Millerf8268502012-06-20 21:54:15 +1000918.Cm RSAAuthentication ,
Damien Millerd1de9952006-07-24 14:05:48 +1000919.Cm X11DisplayOffset ,
Damien Miller19913842009-02-23 10:53:58 +1100920.Cm X11Forwarding
Darren Tucker45150472006-07-12 22:34:17 +1000921and
Damien Miller0296ae82009-02-23 11:00:24 +1100922.Cm X11UseLocalHost .
Darren Tucker89413db2004-05-24 10:36:23 +1000923.It Cm MaxAuthTries
924Specifies the maximum number of authentication attempts permitted per
Damien Miller26213e52004-06-30 22:39:34 +1000925connection.
926Once the number of failures reaches half this value,
927additional failures are logged.
928The default is 6.
Damien Miller7207f642008-05-19 15:34:50 +1000929.It Cm MaxSessions
930Specifies the maximum number of open sessions permitted per network connection.
931The default is 10.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000932.It Cm MaxStartups
933Specifies the maximum number of concurrent unauthenticated connections to the
Damien Miller5b0d63f2006-03-15 11:56:56 +1100934SSH daemon.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000935Additional connections will be dropped until authentication succeeds or the
936.Cm LoginGraceTime
937expires for a connection.
Damien Miller1f583df2013-02-12 11:02:08 +1100938The default is 10:30:100.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000939.Pp
940Alternatively, random early drop can be enabled by specifying
941the three colon separated values
942.Dq start:rate:full
Damien Miller208f1ed2006-03-15 11:56:03 +1100943(e.g. "10:30:60").
Damien Millerf4f22b52006-03-15 11:57:25 +1100944.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000945will refuse connection attempts with a probability of
946.Dq rate/100
947(30%)
948if there are currently
949.Dq start
950(10)
951unauthenticated connections.
952The probability increases linearly and all connection attempts
953are refused if the number of unauthenticated connections reaches
954.Dq full
955(60).
956.It Cm PasswordAuthentication
957Specifies whether password authentication is allowed.
958The default is
959.Dq yes .
960.It Cm PermitEmptyPasswords
961When password authentication is allowed, it specifies whether the
962server allows login to accounts with empty password strings.
963The default is
964.Dq no .
Damien Miller9b439df2006-07-24 14:04:00 +1000965.It Cm PermitOpen
966Specifies the destinations to which TCP port forwarding is permitted.
967The forwarding specification must be one of the following forms:
968.Pp
969.Bl -item -offset indent -compact
970.It
971.Cm PermitOpen
972.Sm off
973.Ar host : port
974.Sm on
975.It
976.Cm PermitOpen
977.Sm off
978.Ar IPv4_addr : port
979.Sm on
980.It
981.Cm PermitOpen
982.Sm off
983.Ar \&[ IPv6_addr \&] : port
984.Sm on
985.El
986.Pp
Damien Millera765cf42006-07-24 14:08:13 +1000987Multiple forwards may be specified by separating them with whitespace.
Damien Miller9b439df2006-07-24 14:04:00 +1000988An argument of
989.Dq any
990can be used to remove all restrictions and permit any forwarding requests.
Darren Tuckerba9ea322012-05-19 19:37:33 +1000991An argument of
992.Dq none
993can be used to prohibit all forwarding requests.
Damien Miller65bc2c42006-07-24 14:04:16 +1000994By default all port forwarding requests are permitted.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000995.It Cm PermitRootLogin
Darren Tuckerb3509012005-01-20 11:01:46 +1100996Specifies whether root can log in using
Ben Lindstrom9f049032002-06-21 00:59:05 +0000997.Xr ssh 1 .
998The argument must be
999.Dq yes ,
1000.Dq without-password ,
Damien Miller5b0d63f2006-03-15 11:56:56 +11001001.Dq forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001002or
1003.Dq no .
1004The default is
1005.Dq yes .
1006.Pp
1007If this option is set to
Damien Miller5b0d63f2006-03-15 11:56:56 +11001008.Dq without-password ,
Darren Tucker9dca0992005-02-01 19:16:45 +11001009password authentication is disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001010.Pp
1011If this option is set to
Damien Miller5b0d63f2006-03-15 11:56:56 +11001012.Dq forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001013root login with public key authentication will be allowed,
1014but only if the
1015.Ar command
1016option has been specified
1017(which may be useful for taking remote backups even if root login is
Damien Millerfbf486b2003-05-23 18:44:23 +10001018normally not allowed).
1019All other authentication methods are disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001020.Pp
1021If this option is set to
Damien Miller5b0d63f2006-03-15 11:56:56 +11001022.Dq no ,
Darren Tuckerb3509012005-01-20 11:01:46 +11001023root is not allowed to log in.
Damien Millerd27b9472005-12-13 19:29:02 +11001024.It Cm PermitTunnel
1025Specifies whether
1026.Xr tun 4
1027device forwarding is allowed.
Damien Miller7b58e802005-12-13 19:33:19 +11001028The argument must be
1029.Dq yes ,
Damien Miller991dba42006-07-10 20:16:27 +10001030.Dq point-to-point
1031(layer 3),
1032.Dq ethernet
1033(layer 2), or
Damien Miller7b58e802005-12-13 19:33:19 +11001034.Dq no .
Damien Miller991dba42006-07-10 20:16:27 +10001035Specifying
1036.Dq yes
1037permits both
1038.Dq point-to-point
1039and
1040.Dq ethernet .
Damien Millerd27b9472005-12-13 19:29:02 +11001041The default is
1042.Dq no .
Damien Miller5ff30c62013-10-30 22:21:50 +11001043.It Cm PermitTTY
1044Specifies whether
Damien Miller63857c92013-10-30 22:31:06 +11001045.Xr pty 4
Damien Miller5ff30c62013-10-30 22:21:50 +11001046allocation is permitted.
1047The default is
1048.Dq yes .
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001049.It Cm PermitUserEnvironment
1050Specifies whether
1051.Pa ~/.ssh/environment
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001052and
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001053.Cm environment=
1054options in
1055.Pa ~/.ssh/authorized_keys
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001056are processed by
Damien Miller5b0d63f2006-03-15 11:56:56 +11001057.Xr sshd 8 .
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001058The default is
1059.Dq no .
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001060Enabling environment processing may enable users to bypass access
1061restrictions in some configurations using mechanisms such as
1062.Ev LD_PRELOAD .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001063.It Cm PidFile
Ben Lindstrom959de992002-06-23 00:35:25 +00001064Specifies the file that contains the process ID of the
Damien Millerf4f22b52006-03-15 11:57:25 +11001065SSH daemon.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001066The default is
1067.Pa /var/run/sshd.pid .
1068.It Cm Port
1069Specifies the port number that
Damien Miller5b0d63f2006-03-15 11:56:56 +11001070.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001071listens on.
1072The default is 22.
1073Multiple options of this type are permitted.
1074See also
1075.Cm ListenAddress .
1076.It Cm PrintLastLog
1077Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001078.Xr sshd 8
Darren Tucker7cc5c232004-11-05 20:06:59 +11001079should print the date and time of the last user login when a user logs
1080in interactively.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001081The default is
1082.Dq yes .
1083.It Cm PrintMotd
1084Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001085.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001086should print
1087.Pa /etc/motd
1088when a user logs in interactively.
1089(On some systems it is also printed by the shell,
1090.Pa /etc/profile ,
1091or equivalent.)
1092The default is
1093.Dq yes .
1094.It Cm Protocol
1095Specifies the protocol versions
Damien Miller5b0d63f2006-03-15 11:56:56 +11001096.Xr sshd 8
Ben Lindstrom9c445542002-07-11 03:59:18 +00001097supports.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001098The possible values are
Damien Miller5b0d63f2006-03-15 11:56:56 +11001099.Sq 1
Ben Lindstrom9f049032002-06-21 00:59:05 +00001100and
Damien Miller5b0d63f2006-03-15 11:56:56 +11001101.Sq 2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001102Multiple versions must be comma-separated.
1103The default is
Darren Tucker7a4a7652009-10-11 21:51:40 +11001104.Sq 2 .
Ben Lindstrom9c445542002-07-11 03:59:18 +00001105Note that the order of the protocol list does not indicate preference,
1106because the client selects among multiple protocol versions offered
1107by the server.
1108Specifying
1109.Dq 2,1
1110is identical to
1111.Dq 1,2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001112.It Cm PubkeyAuthentication
1113Specifies whether public key authentication is allowed.
1114The default is
1115.Dq yes .
1116Note that this option applies to protocol version 2 only.
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001117.It Cm RekeyLimit
1118Specifies the maximum amount of data that may be transmitted before the
1119session key is renegotiated, optionally followed a maximum amount of
1120time that may pass before the session key is renegotiated.
1121The first argument is specified in bytes and may have a suffix of
1122.Sq K ,
1123.Sq M ,
1124or
1125.Sq G
1126to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1127The default is between
1128.Sq 1G
1129and
1130.Sq 4G ,
1131depending on the cipher.
1132The optional second value is specified in seconds and may use any of the
1133units documented in the
1134.Sx TIME FORMATS
Darren Tucker64d22942013-05-16 20:31:29 +10001135section.
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001136The default value for
1137.Cm RekeyLimit
1138is
1139.Dq default none ,
1140which means that rekeying is performed after the cipher's default amount
1141of data has been sent or received and no time based rekeying is done.
1142This option applies to protocol version 2 only.
Damien Miller1aed65e2010-03-04 21:53:35 +11001143.It Cm RevokedKeys
Damien Millerf3747bf2013-01-18 11:44:04 +11001144Specifies revoked public keys.
Damien Miller1aed65e2010-03-04 21:53:35 +11001145Keys listed in this file will be refused for public key authentication.
1146Note that if this file is not readable, then public key authentication will
1147be refused for all users.
Damien Millerf3747bf2013-01-18 11:44:04 +11001148Keys may be specified as a text file, listing one public key per line, or as
1149an OpenSSH Key Revocation List (KRL) as generated by
Damien Miller72abeb72013-01-20 22:33:44 +11001150.Xr ssh-keygen 1 .
Damien Millerfecfd112013-07-18 16:11:50 +10001151For more information on KRLs, see the KEY REVOCATION LISTS section in
Damien Millerf3747bf2013-01-18 11:44:04 +11001152.Xr ssh-keygen 1 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001153.It Cm RhostsRSAAuthentication
1154Specifies whether rhosts or /etc/hosts.equiv authentication together
1155with successful RSA host authentication is allowed.
1156The default is
1157.Dq no .
1158This option applies to protocol version 1 only.
1159.It Cm RSAAuthentication
1160Specifies whether pure RSA authentication is allowed.
1161The default is
1162.Dq yes .
1163This option applies to protocol version 1 only.
1164.It Cm ServerKeyBits
1165Defines the number of bits in the ephemeral protocol version 1 server key.
Darren Tucker7499b0c2008-07-02 22:35:43 +10001166The minimum value is 512, and the default is 1024.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001167.It Cm StrictModes
1168Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001169.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001170should check file modes and ownership of the
1171user's files and home directory before accepting login.
1172This is normally desirable because novices sometimes accidentally leave their
1173directory or files world-writable.
1174The default is
1175.Dq yes .
Darren Tuckerf788a912010-01-08 17:06:47 +11001176Note that this does not apply to
1177.Cm ChrootDirectory ,
1178whose permissions and ownership are checked unconditionally.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001179.It Cm Subsystem
Damien Miller208f1ed2006-03-15 11:56:03 +11001180Configures an external subsystem (e.g. file transfer daemon).
Damien Miller917f9b62006-07-10 20:36:47 +10001181Arguments should be a subsystem name and a command (with optional arguments)
1182to execute upon subsystem request.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001183.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +00001184The command
1185.Xr sftp-server 8
1186implements the
1187.Dq sftp
1188file transfer subsystem.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001189.Pp
1190Alternately the name
1191.Dq internal-sftp
1192implements an in-process
1193.Dq sftp
1194server.
1195This may simplify configurations using
1196.Cm ChrootDirectory
1197to force a different filesystem root on clients.
1198.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +00001199By default no subsystems are defined.
1200Note that this option applies to protocol version 2 only.
1201.It Cm SyslogFacility
1202Gives the facility code that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +11001203.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001204The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1205LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1206The default is AUTH.
Damien Miller12c150e2003-12-17 16:31:10 +11001207.It Cm TCPKeepAlive
1208Specifies whether the system should send TCP keepalive messages to the
1209other side.
1210If they are sent, death of the connection or crash of one
1211of the machines will be properly noticed.
1212However, this means that
1213connections will die if the route is down temporarily, and some people
1214find it annoying.
1215On the other hand, if TCP keepalives are not sent,
1216sessions may hang indefinitely on the server, leaving
1217.Dq ghost
1218users and consuming server resources.
1219.Pp
1220The default is
1221.Dq yes
1222(to send TCP keepalive messages), and the server will notice
1223if the network goes down or the client host crashes.
1224This avoids infinitely hanging sessions.
1225.Pp
1226To disable TCP keepalive messages, the value should be set to
1227.Dq no .
Damien Miller1aed65e2010-03-04 21:53:35 +11001228.It Cm TrustedUserCAKeys
1229Specifies a file containing public keys of certificate authorities that are
Damien Millerc6db99e2010-03-05 10:41:45 +11001230trusted to sign user certificates for authentication.
Damien Miller72b33822010-03-05 07:39:01 +11001231Keys are listed one per line; empty lines and comments starting with
Damien Miller1aed65e2010-03-04 21:53:35 +11001232.Ql #
1233are allowed.
1234If a certificate is presented for authentication and has its signing CA key
1235listed in this file, then it may be used for authentication for any user
1236listed in the certificate's principals list.
1237Note that certificates that lack a list of principals will not be permitted
1238for authentication using
1239.Cm TrustedUserCAKeys .
Damien Millerfecfd112013-07-18 16:11:50 +10001240For more details on certificates, see the CERTIFICATES section in
Damien Miller1aed65e2010-03-04 21:53:35 +11001241.Xr ssh-keygen 1 .
Damien Miller3a961dc2003-06-03 10:25:48 +10001242.It Cm UseDNS
1243Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001244.Xr sshd 8
Darren Tucker83d5a982005-03-31 21:33:50 +10001245should look up the remote host name and check that
Damien Miller3a961dc2003-06-03 10:25:48 +10001246the resolved host name for the remote IP address maps back to the
1247very same IP address.
1248The default is
1249.Dq yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001250.It Cm UseLogin
1251Specifies whether
1252.Xr login 1
1253is used for interactive login sessions.
1254The default is
1255.Dq no .
1256Note that
1257.Xr login 1
1258is never used for remote command execution.
1259Note also, that if this is enabled,
1260.Cm X11Forwarding
1261will be disabled because
1262.Xr login 1
1263does not know how to handle
1264.Xr xauth 1
Damien Miller495dca32003-04-01 21:42:14 +10001265cookies.
1266If
Ben Lindstrom9f049032002-06-21 00:59:05 +00001267.Cm UsePrivilegeSeparation
1268is specified, it will be disabled after authentication.
Damien Miller2e193e22003-05-14 15:13:03 +10001269.It Cm UsePAM
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001270Enables the Pluggable Authentication Module interface.
1271If set to
1272.Dq yes
1273this will enable PAM authentication using
1274.Cm ChallengeResponseAuthentication
Darren Tuckera4904f72006-02-23 21:35:30 +11001275and
1276.Cm PasswordAuthentication
1277in addition to PAM account and session module processing for all
1278authentication types.
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001279.Pp
1280Because PAM challenge-response authentication usually serves an equivalent
1281role to password authentication, you should disable either
1282.Cm PasswordAuthentication
1283or
1284.Cm ChallengeResponseAuthentication.
1285.Pp
1286If
1287.Cm UsePAM
1288is enabled, you will not be able to run
1289.Xr sshd 8
1290as a non-root user.
1291The default is
Darren Tucker6c0c0702003-10-09 14:13:53 +10001292.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001293.It Cm UsePrivilegeSeparation
1294Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001295.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001296separates privileges by creating an unprivileged child process
Damien Miller495dca32003-04-01 21:42:14 +10001297to deal with incoming network traffic.
1298After successful authentication, another process will be created that has
1299the privilege of the authenticated user.
1300The goal of privilege separation is to prevent privilege
Ben Lindstrom9f049032002-06-21 00:59:05 +00001301escalation by containing any corruption within the unprivileged processes.
1302The default is
1303.Dq yes .
Damien Miller69ff1df2011-06-23 08:30:03 +10001304If
1305.Cm UsePrivilegeSeparation
1306is set to
1307.Dq sandbox
1308then the pre-authentication unprivileged process is subject to additional
1309restrictions.
Damien Miller23528812012-04-22 11:24:43 +10001310.It Cm VersionAddendum
1311Optionally specifies additional text to append to the SSH protocol banner
1312sent by the server upon connection.
1313The default is
1314.Dq none .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001315.It Cm X11DisplayOffset
1316Specifies the first display number available for
Damien Miller5b0d63f2006-03-15 11:56:56 +11001317.Xr sshd 8 Ns 's
Ben Lindstrom9f049032002-06-21 00:59:05 +00001318X11 forwarding.
Damien Miller5b0d63f2006-03-15 11:56:56 +11001319This prevents sshd from interfering with real X11 servers.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001320The default is 10.
1321.It Cm X11Forwarding
1322Specifies whether X11 forwarding is permitted.
Damien Miller101c4a72002-09-19 11:51:21 +10001323The argument must be
1324.Dq yes
1325or
1326.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001327The default is
1328.Dq no .
Damien Miller101c4a72002-09-19 11:51:21 +10001329.Pp
1330When X11 forwarding is enabled, there may be additional exposure to
1331the server and to client displays if the
Damien Miller5b0d63f2006-03-15 11:56:56 +11001332.Xr sshd 8
Damien Miller101c4a72002-09-19 11:51:21 +10001333proxy display is configured to listen on the wildcard address (see
1334.Cm X11UseLocalhost
Damien Miller5b0d63f2006-03-15 11:56:56 +11001335below), though this is not the default.
Damien Miller101c4a72002-09-19 11:51:21 +10001336Additionally, the authentication spoofing and authentication data
1337verification and substitution occur on the client side.
1338The security risk of using X11 forwarding is that the client's X11
Damien Miller5b0d63f2006-03-15 11:56:56 +11001339display server may be exposed to attack when the SSH client requests
Damien Miller101c4a72002-09-19 11:51:21 +10001340forwarding (see the warnings for
1341.Cm ForwardX11
1342in
Damien Millerf1ce5052003-06-11 22:04:39 +10001343.Xr ssh_config 5 ) .
Damien Miller101c4a72002-09-19 11:51:21 +10001344A system administrator may have a stance in which they want to
1345protect clients that may expose themselves to attack by unwittingly
1346requesting X11 forwarding, which can warrant a
1347.Dq no
1348setting.
1349.Pp
1350Note that disabling X11 forwarding does not prevent users from
1351forwarding X11 traffic, as users can always install their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001352X11 forwarding is automatically disabled if
1353.Cm UseLogin
1354is enabled.
1355.It Cm X11UseLocalhost
1356Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001357.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001358should bind the X11 forwarding server to the loopback address or to
Damien Miller495dca32003-04-01 21:42:14 +10001359the wildcard address.
1360By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +11001361sshd binds the forwarding server to the loopback address and sets the
Ben Lindstrom9f049032002-06-21 00:59:05 +00001362hostname part of the
1363.Ev DISPLAY
1364environment variable to
1365.Dq localhost .
Ben Lindstrom15b61202002-08-20 18:44:24 +00001366This prevents remote hosts from connecting to the proxy display.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001367However, some older X11 clients may not function with this
1368configuration.
1369.Cm X11UseLocalhost
1370may be set to
1371.Dq no
1372to specify that the forwarding server should be bound to the wildcard
1373address.
1374The argument must be
1375.Dq yes
1376or
1377.Dq no .
1378The default is
1379.Dq yes .
1380.It Cm XAuthLocation
Damien Miller05913ba2002-09-04 16:51:03 +10001381Specifies the full pathname of the
Ben Lindstrom9f049032002-06-21 00:59:05 +00001382.Xr xauth 1
1383program.
1384The default is
1385.Pa /usr/X11R6/bin/xauth .
1386.El
Damien Millere3beba22006-03-15 11:59:25 +11001387.Sh TIME FORMATS
Damien Millerf4f22b52006-03-15 11:57:25 +11001388.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001389command-line arguments and configuration file options that specify time
1390may be expressed using a sequence of the form:
1391.Sm off
Ben Lindstrom1f8cf4f2002-08-20 18:43:27 +00001392.Ar time Op Ar qualifier ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001393.Sm on
1394where
1395.Ar time
1396is a positive integer value and
1397.Ar qualifier
1398is one of the following:
1399.Pp
1400.Bl -tag -width Ds -compact -offset indent
Damien Miller393821a2006-07-24 14:04:53 +10001401.It Aq Cm none
Ben Lindstrom9f049032002-06-21 00:59:05 +00001402seconds
1403.It Cm s | Cm S
1404seconds
1405.It Cm m | Cm M
1406minutes
1407.It Cm h | Cm H
1408hours
1409.It Cm d | Cm D
1410days
1411.It Cm w | Cm W
1412weeks
1413.El
1414.Pp
1415Each member of the sequence is added together to calculate
1416the total time value.
1417.Pp
1418Time format examples:
1419.Pp
1420.Bl -tag -width Ds -compact -offset indent
1421.It 600
1422600 seconds (10 minutes)
1423.It 10m
142410 minutes
1425.It 1h30m
14261 hour 30 minutes (90 minutes)
1427.El
1428.Sh FILES
1429.Bl -tag -width Ds
1430.It Pa /etc/ssh/sshd_config
1431Contains configuration data for
Damien Millerf4f22b52006-03-15 11:57:25 +11001432.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001433This file should be writable by root only, but it is recommended
1434(though not necessary) that it be world-readable.
1435.El
Damien Millerf1ce5052003-06-11 22:04:39 +10001436.Sh SEE ALSO
1437.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001438.Sh AUTHORS
1439OpenSSH is a derivative of the original and free
1440ssh 1.2.12 release by Tatu Ylonen.
1441Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1442Theo de Raadt and Dug Song
1443removed many bugs, re-added newer features and
1444created OpenSSH.
1445Markus Friedl contributed the support for SSH
1446protocol versions 1.5 and 2.0.
1447Niels Provos and Markus Friedl contributed support
1448for privilege separation.