blob: 0d8c140bf1a49c96f37583903e4773b33b472dd5 [file] [log] [blame]
Ben Lindstrom9f049032002-06-21 00:59:05 +00001.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16.\"
17.\" Redistribution and use in source and binary forms, with or without
18.\" modification, are permitted provided that the following conditions
19.\" are met:
20.\" 1. Redistributions of source code must retain the above copyright
21.\" notice, this list of conditions and the following disclaimer.
22.\" 2. Redistributions in binary form must reproduce the above copyright
23.\" notice, this list of conditions and the following disclaimer in the
24.\" documentation and/or other materials provided with the distribution.
25.\"
26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
Damien Miller7207f642008-05-19 15:34:50 +100037.\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $
38.Dd $Mdocdate: May 8 2008 $
Ben Lindstrom9f049032002-06-21 00:59:05 +000039.Dt SSHD_CONFIG 5
40.Os
41.Sh NAME
42.Nm sshd_config
43.Nd OpenSSH SSH daemon configuration file
44.Sh SYNOPSIS
Damien Millerd94fc722007-01-05 16:29:30 +110045.Nm /etc/ssh/sshd_config
Ben Lindstrom9f049032002-06-21 00:59:05 +000046.Sh DESCRIPTION
Damien Millerf4f22b52006-03-15 11:57:25 +110047.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +000048reads configuration data from
49.Pa /etc/ssh/sshd_config
50(or the file specified with
51.Fl f
52on the command line).
53The file contains keyword-argument pairs, one per line.
54Lines starting with
55.Ql #
56and empty lines are interpreted as comments.
Damien Miller306d1182006-03-15 12:05:59 +110057Arguments may optionally be enclosed in double quotes
58.Pq \&"
59in order to represent arguments containing spaces.
Ben Lindstrom9f049032002-06-21 00:59:05 +000060.Pp
61The possible
62keywords and their meanings are as follows (note that
63keywords are case-insensitive and arguments are case-sensitive):
64.Bl -tag -width Ds
Darren Tucker46bc0752004-05-02 22:11:30 +100065.It Cm AcceptEnv
66Specifies what environment variables sent by the client will be copied into
67the session's
68.Xr environ 7 .
69See
70.Cm SendEnv
71in
72.Xr ssh_config 5
73for how to configure the client.
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100074Note that environment passing is only supported for protocol 2.
Darren Tucker46bc0752004-05-02 22:11:30 +100075Variables are specified by name, which may contain the wildcard characters
Damien Miller208f1ed2006-03-15 11:56:03 +110076.Ql *
Darren Tucker46bc0752004-05-02 22:11:30 +100077and
78.Ql \&? .
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100079Multiple environment variables may be separated by whitespace or spread
Darren Tucker46bc0752004-05-02 22:11:30 +100080across multiple
81.Cm AcceptEnv
82directives.
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100083Be warned that some environment variables could be used to bypass restricted
Darren Tucker46bc0752004-05-02 22:11:30 +100084user environments.
85For this reason, care should be taken in the use of this directive.
86The default is not to accept any environment variables.
Darren Tucker0f383232005-01-20 10:57:56 +110087.It Cm AddressFamily
88Specifies which address family should be used by
Damien Millerf4f22b52006-03-15 11:57:25 +110089.Xr sshd 8 .
Darren Tucker0f383232005-01-20 10:57:56 +110090Valid arguments are
91.Dq any ,
92.Dq inet
Damien Miller5b0d63f2006-03-15 11:56:56 +110093(use IPv4 only), or
Darren Tucker0f383232005-01-20 10:57:56 +110094.Dq inet6
95(use IPv6 only).
96The default is
97.Dq any .
Damien Millere9890192008-05-19 14:59:02 +100098.It Cm AllowAgentForwarding
99Specifies whether
100.Xr ssh-agent 1
101forwarding is permitted.
102The default is
103.Dq yes .
104Note that disabling agent forwarding does not improve security
105unless users are also denied shell access, as they can always install
106their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000107.It Cm AllowGroups
108This keyword can be followed by a list of group name patterns, separated
109by spaces.
110If specified, login is allowed only for users whose primary
111group or supplementary group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000112Only group names are valid; a numerical group ID is not recognized.
113By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100114The allow/deny directives are processed in the following order:
115.Cm DenyUsers ,
116.Cm AllowUsers ,
117.Cm DenyGroups ,
118and finally
119.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100120.Pp
121See
122.Sx PATTERNS
123in
124.Xr ssh_config 5
125for more information on patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000126.It Cm AllowTcpForwarding
127Specifies whether TCP forwarding is permitted.
128The default is
129.Dq yes .
130Note that disabling TCP forwarding does not improve security unless
131users are also denied shell access, as they can always install their
132own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000133.It Cm AllowUsers
134This keyword can be followed by a list of user name patterns, separated
135by spaces.
Damien Miller5a93add2003-01-24 11:34:52 +1100136If specified, login is allowed only for user names that
Ben Lindstrom9f049032002-06-21 00:59:05 +0000137match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000138Only user names are valid; a numerical user ID is not recognized.
139By default, login is allowed for all users.
140If the pattern takes the form USER@HOST then USER and HOST
141are separately checked, restricting logins to particular
142users from particular hosts.
Damien Millerac73e512006-03-15 11:58:49 +1100143The allow/deny directives are processed in the following order:
144.Cm DenyUsers ,
145.Cm AllowUsers ,
146.Cm DenyGroups ,
147and finally
148.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100149.Pp
150See
151.Sx PATTERNS
152in
153.Xr ssh_config 5
154for more information on patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000155.It Cm AuthorizedKeysFile
156Specifies the file that contains the public keys that can be used
157for user authentication.
158.Cm AuthorizedKeysFile
159may contain tokens of the form %T which are substituted during connection
Damien Miller5b0d63f2006-03-15 11:56:56 +1100160setup.
Damien Millerfbf486b2003-05-23 18:44:23 +1000161The following tokens are defined: %% is replaced by a literal '%',
Damien Miller5b0d63f2006-03-15 11:56:56 +1100162%h is replaced by the home directory of the user being authenticated, and
Ben Lindstrom9f049032002-06-21 00:59:05 +0000163%u is replaced by the username of that user.
164After expansion,
165.Cm AuthorizedKeysFile
166is taken to be an absolute path or one relative to the user's home
167directory.
168The default is
169.Dq .ssh/authorized_keys .
170.It Cm Banner
Ben Lindstrom9f049032002-06-21 00:59:05 +0000171The contents of the specified file are sent to the remote user before
172authentication is allowed.
Damien Miller4890e532007-09-17 11:57:38 +1000173If the argument is
174.Dq none
175then no banner is displayed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000176This option is only available for protocol version 2.
177By default, no banner is displayed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000178.It Cm ChallengeResponseAuthentication
Damien Miller1faa7132006-03-15 11:55:31 +1100179Specifies whether challenge-response authentication is allowed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000180All authentication styles from
181.Xr login.conf 5
182are supported.
183The default is
184.Dq yes .
Damien Millerd8cb1f12008-02-10 22:40:12 +1100185.It Cm ChrootDirectory
186Specifies a path to
187.Xr chroot 2
188to after authentication.
189This path, and all its components, must be root-owned directories that are
190not writable by any other user or group.
191.Pp
192The path may contain the following tokens that are expanded at runtime once
193the connecting user has been authenticated: %% is replaced by a literal '%',
194%h is replaced by the home directory of the user being authenticated, and
195%u is replaced by the username of that user.
196.Pp
197The
198.Cm ChrootDirectory
199must contain the necessary files and directories to support the
200users' session.
201For an interactive session this requires at least a shell, typically
202.Xr sh 1 ,
203and basic
204.Pa /dev
205nodes such as
206.Xr null 4 ,
207.Xr zero 4 ,
208.Xr stdin 4 ,
209.Xr stdout 4 ,
210.Xr stderr 4 ,
211.Xr arandom 4
212and
213.Xr tty 4
214devices.
215For file transfer sessions using
216.Dq sftp ,
217no additional configuration of the environment is necessary if the
218in-process sftp server is used (see
219.Cm Subsystem
Damien Miller70433b52008-02-10 22:45:13 +1100220for details).
Damien Millerd8cb1f12008-02-10 22:40:12 +1100221.Pp
222The default is not to
223.Xr chroot 2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000224.It Cm Ciphers
225Specifies the ciphers allowed for protocol version 2.
226Multiple ciphers must be comma-separated.
Damien Miller05202ff2004-06-15 10:30:39 +1000227The supported ciphers are
228.Dq 3des-cbc ,
229.Dq aes128-cbc ,
230.Dq aes192-cbc ,
231.Dq aes256-cbc ,
232.Dq aes128-ctr ,
233.Dq aes192-ctr ,
234.Dq aes256-ctr ,
Damien Miller3710f272005-05-26 12:19:17 +1000235.Dq arcfour128 ,
236.Dq arcfour256 ,
Damien Miller05202ff2004-06-15 10:30:39 +1000237.Dq arcfour ,
238.Dq blowfish-cbc ,
239and
240.Dq cast128-cbc .
Damien Miller5b0d63f2006-03-15 11:56:56 +1100241The default is:
242.Bd -literal -offset 3n
243aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
244arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
245aes192-ctr,aes256-ctr
Ben Lindstrom9f049032002-06-21 00:59:05 +0000246.Ed
Ben Lindstrom9f049032002-06-21 00:59:05 +0000247.It Cm ClientAliveCountMax
Damien Millerb7977702006-01-03 18:47:31 +1100248Sets the number of client alive messages (see below) which may be
Ben Lindstrom9f049032002-06-21 00:59:05 +0000249sent without
Damien Miller5b0d63f2006-03-15 11:56:56 +1100250.Xr sshd 8
Damien Millerfbf486b2003-05-23 18:44:23 +1000251receiving any messages back from the client.
252If this threshold is reached while client alive messages are being sent,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100253sshd will disconnect the client, terminating the session.
Damien Millerfbf486b2003-05-23 18:44:23 +1000254It is important to note that the use of client alive messages is very
255different from
Damien Miller12c150e2003-12-17 16:31:10 +1100256.Cm TCPKeepAlive
Damien Millerfbf486b2003-05-23 18:44:23 +1000257(below).
258The client alive messages are sent through the encrypted channel
259and therefore will not be spoofable.
260The TCP keepalive option enabled by
Damien Miller12c150e2003-12-17 16:31:10 +1100261.Cm TCPKeepAlive
Damien Millerfbf486b2003-05-23 18:44:23 +1000262is spoofable.
263The client alive mechanism is valuable when the client or
Ben Lindstrom9f049032002-06-21 00:59:05 +0000264server depend on knowing when a connection has become inactive.
265.Pp
Damien Millerfbf486b2003-05-23 18:44:23 +1000266The default value is 3.
267If
Ben Lindstrom9f049032002-06-21 00:59:05 +0000268.Cm ClientAliveInterval
Damien Millerb7977702006-01-03 18:47:31 +1100269(see below) is set to 15, and
Ben Lindstrom9f049032002-06-21 00:59:05 +0000270.Cm ClientAliveCountMax
Damien Miller5b0d63f2006-03-15 11:56:56 +1100271is left at the default, unresponsive SSH clients
Ben Lindstrom9f049032002-06-21 00:59:05 +0000272will be disconnected after approximately 45 seconds.
Damien Millercc3e8ba2006-03-15 12:06:55 +1100273This option applies to protocol version 2 only.
Damien Miller1594ad52005-05-26 12:12:19 +1000274.It Cm ClientAliveInterval
275Sets a timeout interval in seconds after which if no data has been received
276from the client,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100277.Xr sshd 8
Damien Miller1594ad52005-05-26 12:12:19 +1000278will send a message through the encrypted
279channel to request a response from the client.
280The default
281is 0, indicating that these messages will not be sent to the client.
282This option applies to protocol version 2 only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000283.It Cm Compression
Damien Miller9786e6e2005-07-26 21:54:56 +1000284Specifies whether compression is allowed, or delayed until
285the user has authenticated successfully.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000286The argument must be
Damien Miller9786e6e2005-07-26 21:54:56 +1000287.Dq yes ,
288.Dq delayed ,
Ben Lindstrom9f049032002-06-21 00:59:05 +0000289or
290.Dq no .
291The default is
Damien Miller9786e6e2005-07-26 21:54:56 +1000292.Dq delayed .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000293.It Cm DenyGroups
294This keyword can be followed by a list of group name patterns, separated
295by spaces.
296Login is disallowed for users whose primary group or supplementary
297group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000298Only group names are valid; a numerical group ID is not recognized.
299By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100300The allow/deny directives are processed in the following order:
301.Cm DenyUsers ,
302.Cm AllowUsers ,
303.Cm DenyGroups ,
304and finally
305.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100306.Pp
307See
308.Sx PATTERNS
309in
310.Xr ssh_config 5
311for more information on patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000312.It Cm DenyUsers
313This keyword can be followed by a list of user name patterns, separated
314by spaces.
315Login is disallowed for user names that match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000316Only user names are valid; a numerical user ID is not recognized.
317By default, login is allowed for all users.
318If the pattern takes the form USER@HOST then USER and HOST
319are separately checked, restricting logins to particular
320users from particular hosts.
Damien Millerac73e512006-03-15 11:58:49 +1100321The allow/deny directives are processed in the following order:
322.Cm DenyUsers ,
323.Cm AllowUsers ,
324.Cm DenyGroups ,
325and finally
326.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100327.Pp
328See
329.Sx PATTERNS
330in
331.Xr ssh_config 5
332for more information on patterns.
Damien Millere2754432006-07-24 14:06:47 +1000333.It Cm ForceCommand
334Forces the execution of the command specified by
335.Cm ForceCommand ,
Damien Millera1b48cc2008-03-27 11:02:02 +1100336ignoring any command supplied by the client and
337.Pa ~/.ssh/rc
338if present.
Damien Millere2754432006-07-24 14:06:47 +1000339The command is invoked by using the user's login shell with the -c option.
340This applies to shell, command, or subsystem execution.
341It is most useful inside a
342.Cm Match
343block.
344The command originally supplied by the client is available in the
345.Ev SSH_ORIGINAL_COMMAND
346environment variable.
Damien Millercdb6e652008-02-10 22:47:24 +1100347Specifying a command of
348.Dq internal-sftp
349will force the use of an in-process sftp server that requires no support
350files when used with
351.Cm ChrootDirectory .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000352.It Cm GatewayPorts
353Specifies whether remote hosts are allowed to connect to ports
354forwarded for the client.
355By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100356.Xr sshd 8
Damien Miller495dca32003-04-01 21:42:14 +1000357binds remote port forwardings to the loopback address.
358This prevents other remote hosts from connecting to forwarded ports.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000359.Cm GatewayPorts
Damien Miller5b0d63f2006-03-15 11:56:56 +1100360can be used to specify that sshd
Damien Millerf91ee4c2005-03-01 21:24:33 +1100361should allow remote port forwardings to bind to non-loopback addresses, thus
362allowing other hosts to connect.
363The argument may be
364.Dq no
365to force remote port forwardings to be available to the local host only,
Ben Lindstrom9f049032002-06-21 00:59:05 +0000366.Dq yes
Damien Millerf91ee4c2005-03-01 21:24:33 +1100367to force remote port forwardings to bind to the wildcard address, or
368.Dq clientspecified
369to allow the client to select the address to which the forwarding is bound.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000370The default is
371.Dq no .
Darren Tucker0efd1552003-08-26 11:49:55 +1000372.It Cm GSSAPIAuthentication
Damien Miller9b7b03b2003-09-02 22:57:05 +1000373Specifies whether user authentication based on GSSAPI is allowed.
Damien Millera8e06ce2003-11-21 23:48:55 +1100374The default is
Darren Tucker0efd1552003-08-26 11:49:55 +1000375.Dq no .
376Note that this option applies to protocol version 2 only.
377.It Cm GSSAPICleanupCredentials
378Specifies whether to automatically destroy the user's credentials cache
379on logout.
380The default is
381.Dq yes .
382Note that this option applies to protocol version 2 only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000383.It Cm HostbasedAuthentication
384Specifies whether rhosts or /etc/hosts.equiv authentication together
385with successful public key client host authentication is allowed
Damien Miller1faa7132006-03-15 11:55:31 +1100386(host-based authentication).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000387This option is similar to
388.Cm RhostsRSAAuthentication
389and applies to protocol version 2 only.
390The default is
391.Dq no .
Damien Millerb594f382006-08-30 11:06:34 +1000392.It Cm HostbasedUsesNameFromPacketOnly
393Specifies whether or not the server will attempt to perform a reverse
394name lookup when matching the name in the
395.Pa ~/.shosts ,
396.Pa ~/.rhosts ,
397and
398.Pa /etc/hosts.equiv
399files during
400.Cm HostbasedAuthentication .
401A setting of
402.Dq yes
403means that
404.Xr sshd 8
405uses the name supplied by the client rather than
406attempting to resolve the name from the TCP connection itself.
407The default is
408.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000409.It Cm HostKey
410Specifies a file containing a private host key
411used by SSH.
412The default is
413.Pa /etc/ssh/ssh_host_key
414for protocol version 1, and
415.Pa /etc/ssh/ssh_host_rsa_key
416and
417.Pa /etc/ssh/ssh_host_dsa_key
418for protocol version 2.
419Note that
Damien Miller5b0d63f2006-03-15 11:56:56 +1100420.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000421will refuse to use a file if it is group/world-accessible.
422It is possible to have multiple host key files.
423.Dq rsa1
424keys are used for version 1 and
425.Dq dsa
426or
427.Dq rsa
428are used for version 2 of the SSH protocol.
429.It Cm IgnoreRhosts
430Specifies that
431.Pa .rhosts
432and
433.Pa .shosts
434files will not be used in
Ben Lindstrom9f049032002-06-21 00:59:05 +0000435.Cm RhostsRSAAuthentication
436or
437.Cm HostbasedAuthentication .
438.Pp
439.Pa /etc/hosts.equiv
440and
441.Pa /etc/shosts.equiv
442are still used.
443The default is
444.Dq yes .
445.It Cm IgnoreUserKnownHosts
446Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100447.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000448should ignore the user's
Damien Miller167ea5d2005-05-26 12:04:02 +1000449.Pa ~/.ssh/known_hosts
Ben Lindstrom9f049032002-06-21 00:59:05 +0000450during
451.Cm RhostsRSAAuthentication
452or
453.Cm HostbasedAuthentication .
454The default is
455.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000456.It Cm KerberosAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000457Specifies whether the password provided by the user for
Ben Lindstrom9f049032002-06-21 00:59:05 +0000458.Cm PasswordAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000459will be validated through the Kerberos KDC.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000460To use this option, the server needs a
461Kerberos servtab which allows the verification of the KDC's identity.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100462The default is
Ben Lindstrom9f049032002-06-21 00:59:05 +0000463.Dq no .
Damien Miller8448e662004-03-08 23:13:15 +1100464.It Cm KerberosGetAFSToken
Darren Tuckere2dd2d52005-10-03 18:19:06 +1000465If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
Damien Miller8448e662004-03-08 23:13:15 +1100466an AFS token before accessing the user's home directory.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100467The default is
Damien Miller8448e662004-03-08 23:13:15 +1100468.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000469.It Cm KerberosOrLocalPasswd
Damien Miller5b0d63f2006-03-15 11:56:56 +1100470If password authentication through Kerberos fails then
Ben Lindstrom9f049032002-06-21 00:59:05 +0000471the password will be validated via any additional local mechanism
472such as
473.Pa /etc/passwd .
Damien Miller5b0d63f2006-03-15 11:56:56 +1100474The default is
Ben Lindstrom9f049032002-06-21 00:59:05 +0000475.Dq yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000476.It Cm KerberosTicketCleanup
477Specifies whether to automatically destroy the user's ticket cache
478file on logout.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100479The default is
Ben Lindstrom9f049032002-06-21 00:59:05 +0000480.Dq yes .
481.It Cm KeyRegenerationInterval
482In protocol version 1, the ephemeral server key is automatically regenerated
483after this many seconds (if it has been used).
484The purpose of regeneration is to prevent
485decrypting captured sessions by later breaking into the machine and
486stealing the keys.
487The key is never stored anywhere.
488If the value is 0, the key is never regenerated.
489The default is 3600 (seconds).
490.It Cm ListenAddress
491Specifies the local addresses
Damien Miller5b0d63f2006-03-15 11:56:56 +1100492.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000493should listen on.
494The following forms may be used:
495.Pp
496.Bl -item -offset indent -compact
497.It
498.Cm ListenAddress
499.Sm off
500.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
501.Sm on
502.It
503.Cm ListenAddress
504.Sm off
505.Ar host No | Ar IPv4_addr No : Ar port
506.Sm on
507.It
508.Cm ListenAddress
509.Sm off
510.Oo
511.Ar host No | Ar IPv6_addr Oc : Ar port
512.Sm on
513.El
514.Pp
515If
516.Ar port
517is not specified,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100518sshd will listen on the address and all prior
Ben Lindstrom9f049032002-06-21 00:59:05 +0000519.Cm Port
Damien Millerfbf486b2003-05-23 18:44:23 +1000520options specified.
521The default is to listen on all local addresses.
Damien Miller495dca32003-04-01 21:42:14 +1000522Multiple
Ben Lindstrom9f049032002-06-21 00:59:05 +0000523.Cm ListenAddress
Damien Millerfbf486b2003-05-23 18:44:23 +1000524options are permitted.
525Additionally, any
Ben Lindstrom9f049032002-06-21 00:59:05 +0000526.Cm Port
Damien Miller5b0d63f2006-03-15 11:56:56 +1100527options must precede this option for non-port qualified addresses.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000528.It Cm LoginGraceTime
529The server disconnects after this time if the user has not
530successfully logged in.
531If the value is 0, there is no time limit.
Damien Millerc1348632002-09-05 14:35:14 +1000532The default is 120 seconds.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000533.It Cm LogLevel
534Gives the verbosity level that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +1100535.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000536The possible values are:
Damien Miller5b0d63f2006-03-15 11:56:56 +1100537QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
Damien Miller495dca32003-04-01 21:42:14 +1000538The default is INFO.
539DEBUG and DEBUG1 are equivalent.
540DEBUG2 and DEBUG3 each specify higher levels of debugging output.
541Logging with a DEBUG level violates the privacy of users and is not recommended.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000542.It Cm MACs
543Specifies the available MAC (message authentication code) algorithms.
544The MAC algorithm is used in protocol version 2
545for data integrity protection.
546Multiple algorithms must be comma-separated.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100547The default is:
Damien Miller22b7b492007-06-11 14:07:12 +1000548.Bd -literal -offset indent
549hmac-md5,hmac-sha1,umac-64@openssh.com,
550hmac-ripemd160,hmac-sha1-96,hmac-md5-96
551.Ed
Darren Tucker45150472006-07-12 22:34:17 +1000552.It Cm Match
Damien Millerd04f3572006-07-24 13:46:50 +1000553Introduces a conditional block.
Damien Miller8c234032006-07-24 14:05:08 +1000554If all of the criteria on the
Darren Tucker45150472006-07-12 22:34:17 +1000555.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +1000556line are satisfied, the keywords on the following lines override those
557set in the global section of the config file, until either another
Darren Tucker45150472006-07-12 22:34:17 +1000558.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +1000559line or the end of the file.
Damien Millerd04f3572006-07-24 13:46:50 +1000560The arguments to
Darren Tucker45150472006-07-12 22:34:17 +1000561.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +1000562are one or more criteria-pattern pairs.
Darren Tucker45150472006-07-12 22:34:17 +1000563The available criteria are
564.Cm User ,
Damien Miller565ca3f2006-08-19 00:23:15 +1000565.Cm Group ,
Darren Tucker45150472006-07-12 22:34:17 +1000566.Cm Host ,
567and
568.Cm Address .
569Only a subset of keywords may be used on the lines following a
570.Cm Match
571keyword.
572Available keywords are
Damien Miller9b439df2006-07-24 14:04:00 +1000573.Cm AllowTcpForwarding ,
Darren Tucker1629c072007-02-19 22:25:37 +1100574.Cm Banner ,
Damien Miller797e3d12008-05-19 14:27:42 +1000575.Cm ChrootDirectory ,
Damien Millere2754432006-07-24 14:06:47 +1000576.Cm ForceCommand ,
Damien Miller9b439df2006-07-24 14:04:00 +1000577.Cm GatewayPorts ,
Damien Miller25434de2008-05-19 14:29:08 +1000578.Cm GSSAPIAuthentication ,
579.Cm HostbasedAuthentication ,
Darren Tucker1d75f222007-03-01 21:31:28 +1100580.Cm KbdInteractiveAuthentication ,
Damien Miller5737e362007-03-06 21:21:18 +1100581.Cm KerberosAuthentication ,
Darren Tucker1629c072007-02-19 22:25:37 +1100582.Cm PasswordAuthentication ,
Damien Millerd1de9952006-07-24 14:05:48 +1000583.Cm PermitOpen ,
Darren Tucker15f94272008-01-01 20:36:56 +1100584.Cm PermitRootLogin ,
Darren Tucker1629c072007-02-19 22:25:37 +1100585.Cm RhostsRSAAuthentication ,
586.Cm RSAAuthentication ,
Damien Millerd1de9952006-07-24 14:05:48 +1000587.Cm X11DisplayOffset ,
588.Cm X11Forwarding ,
Darren Tucker45150472006-07-12 22:34:17 +1000589and
Damien Millerd1de9952006-07-24 14:05:48 +1000590.Cm X11UseLocalHost .
Darren Tucker89413db2004-05-24 10:36:23 +1000591.It Cm MaxAuthTries
592Specifies the maximum number of authentication attempts permitted per
Damien Miller26213e52004-06-30 22:39:34 +1000593connection.
594Once the number of failures reaches half this value,
595additional failures are logged.
596The default is 6.
Damien Miller7207f642008-05-19 15:34:50 +1000597.It Cm MaxSessions
598Specifies the maximum number of open sessions permitted per network connection.
599The default is 10.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000600.It Cm MaxStartups
601Specifies the maximum number of concurrent unauthenticated connections to the
Damien Miller5b0d63f2006-03-15 11:56:56 +1100602SSH daemon.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000603Additional connections will be dropped until authentication succeeds or the
604.Cm LoginGraceTime
605expires for a connection.
606The default is 10.
607.Pp
608Alternatively, random early drop can be enabled by specifying
609the three colon separated values
610.Dq start:rate:full
Damien Miller208f1ed2006-03-15 11:56:03 +1100611(e.g. "10:30:60").
Damien Millerf4f22b52006-03-15 11:57:25 +1100612.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000613will refuse connection attempts with a probability of
614.Dq rate/100
615(30%)
616if there are currently
617.Dq start
618(10)
619unauthenticated connections.
620The probability increases linearly and all connection attempts
621are refused if the number of unauthenticated connections reaches
622.Dq full
623(60).
624.It Cm PasswordAuthentication
625Specifies whether password authentication is allowed.
626The default is
627.Dq yes .
628.It Cm PermitEmptyPasswords
629When password authentication is allowed, it specifies whether the
630server allows login to accounts with empty password strings.
631The default is
632.Dq no .
Damien Miller9b439df2006-07-24 14:04:00 +1000633.It Cm PermitOpen
634Specifies the destinations to which TCP port forwarding is permitted.
635The forwarding specification must be one of the following forms:
636.Pp
637.Bl -item -offset indent -compact
638.It
639.Cm PermitOpen
640.Sm off
641.Ar host : port
642.Sm on
643.It
644.Cm PermitOpen
645.Sm off
646.Ar IPv4_addr : port
647.Sm on
648.It
649.Cm PermitOpen
650.Sm off
651.Ar \&[ IPv6_addr \&] : port
652.Sm on
653.El
654.Pp
Damien Millera765cf42006-07-24 14:08:13 +1000655Multiple forwards may be specified by separating them with whitespace.
Damien Miller9b439df2006-07-24 14:04:00 +1000656An argument of
657.Dq any
658can be used to remove all restrictions and permit any forwarding requests.
Damien Miller65bc2c42006-07-24 14:04:16 +1000659By default all port forwarding requests are permitted.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000660.It Cm PermitRootLogin
Darren Tuckerb3509012005-01-20 11:01:46 +1100661Specifies whether root can log in using
Ben Lindstrom9f049032002-06-21 00:59:05 +0000662.Xr ssh 1 .
663The argument must be
664.Dq yes ,
665.Dq without-password ,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100666.Dq forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +0000667or
668.Dq no .
669The default is
670.Dq yes .
671.Pp
672If this option is set to
Damien Miller5b0d63f2006-03-15 11:56:56 +1100673.Dq without-password ,
Darren Tucker9dca0992005-02-01 19:16:45 +1100674password authentication is disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000675.Pp
676If this option is set to
Damien Miller5b0d63f2006-03-15 11:56:56 +1100677.Dq forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +0000678root login with public key authentication will be allowed,
679but only if the
680.Ar command
681option has been specified
682(which may be useful for taking remote backups even if root login is
Damien Millerfbf486b2003-05-23 18:44:23 +1000683normally not allowed).
684All other authentication methods are disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000685.Pp
686If this option is set to
Damien Miller5b0d63f2006-03-15 11:56:56 +1100687.Dq no ,
Darren Tuckerb3509012005-01-20 11:01:46 +1100688root is not allowed to log in.
Damien Millerd27b9472005-12-13 19:29:02 +1100689.It Cm PermitTunnel
690Specifies whether
691.Xr tun 4
692device forwarding is allowed.
Damien Miller7b58e802005-12-13 19:33:19 +1100693The argument must be
694.Dq yes ,
Damien Miller991dba42006-07-10 20:16:27 +1000695.Dq point-to-point
696(layer 3),
697.Dq ethernet
698(layer 2), or
Damien Miller7b58e802005-12-13 19:33:19 +1100699.Dq no .
Damien Miller991dba42006-07-10 20:16:27 +1000700Specifying
701.Dq yes
702permits both
703.Dq point-to-point
704and
705.Dq ethernet .
Damien Millerd27b9472005-12-13 19:29:02 +1100706The default is
707.Dq no .
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000708.It Cm PermitUserEnvironment
709Specifies whether
710.Pa ~/.ssh/environment
Ben Lindstrombd9bf382002-08-20 18:54:20 +0000711and
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000712.Cm environment=
713options in
714.Pa ~/.ssh/authorized_keys
Ben Lindstrombd9bf382002-08-20 18:54:20 +0000715are processed by
Damien Miller5b0d63f2006-03-15 11:56:56 +1100716.Xr sshd 8 .
Ben Lindstrom5d860f02002-08-01 01:28:38 +0000717The default is
718.Dq no .
Ben Lindstrombd9bf382002-08-20 18:54:20 +0000719Enabling environment processing may enable users to bypass access
720restrictions in some configurations using mechanisms such as
721.Ev LD_PRELOAD .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000722.It Cm PidFile
Ben Lindstrom959de992002-06-23 00:35:25 +0000723Specifies the file that contains the process ID of the
Damien Millerf4f22b52006-03-15 11:57:25 +1100724SSH daemon.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000725The default is
726.Pa /var/run/sshd.pid .
727.It Cm Port
728Specifies the port number that
Damien Miller5b0d63f2006-03-15 11:56:56 +1100729.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000730listens on.
731The default is 22.
732Multiple options of this type are permitted.
733See also
734.Cm ListenAddress .
735.It Cm PrintLastLog
736Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100737.Xr sshd 8
Darren Tucker7cc5c232004-11-05 20:06:59 +1100738should print the date and time of the last user login when a user logs
739in interactively.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000740The default is
741.Dq yes .
742.It Cm PrintMotd
743Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100744.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000745should print
746.Pa /etc/motd
747when a user logs in interactively.
748(On some systems it is also printed by the shell,
749.Pa /etc/profile ,
750or equivalent.)
751The default is
752.Dq yes .
753.It Cm Protocol
754Specifies the protocol versions
Damien Miller5b0d63f2006-03-15 11:56:56 +1100755.Xr sshd 8
Ben Lindstrom9c445542002-07-11 03:59:18 +0000756supports.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000757The possible values are
Damien Miller5b0d63f2006-03-15 11:56:56 +1100758.Sq 1
Ben Lindstrom9f049032002-06-21 00:59:05 +0000759and
Damien Miller5b0d63f2006-03-15 11:56:56 +1100760.Sq 2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000761Multiple versions must be comma-separated.
762The default is
763.Dq 2,1 .
Ben Lindstrom9c445542002-07-11 03:59:18 +0000764Note that the order of the protocol list does not indicate preference,
765because the client selects among multiple protocol versions offered
766by the server.
767Specifying
768.Dq 2,1
769is identical to
770.Dq 1,2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000771.It Cm PubkeyAuthentication
772Specifies whether public key authentication is allowed.
773The default is
774.Dq yes .
775Note that this option applies to protocol version 2 only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000776.It Cm RhostsRSAAuthentication
777Specifies whether rhosts or /etc/hosts.equiv authentication together
778with successful RSA host authentication is allowed.
779The default is
780.Dq no .
781This option applies to protocol version 1 only.
782.It Cm RSAAuthentication
783Specifies whether pure RSA authentication is allowed.
784The default is
785.Dq yes .
786This option applies to protocol version 1 only.
787.It Cm ServerKeyBits
788Defines the number of bits in the ephemeral protocol version 1 server key.
789The minimum value is 512, and the default is 768.
790.It Cm StrictModes
791Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100792.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000793should check file modes and ownership of the
794user's files and home directory before accepting login.
795This is normally desirable because novices sometimes accidentally leave their
796directory or files world-writable.
797The default is
798.Dq yes .
799.It Cm Subsystem
Damien Miller208f1ed2006-03-15 11:56:03 +1100800Configures an external subsystem (e.g. file transfer daemon).
Damien Miller917f9b62006-07-10 20:36:47 +1000801Arguments should be a subsystem name and a command (with optional arguments)
802to execute upon subsystem request.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100803.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +0000804The command
805.Xr sftp-server 8
806implements the
807.Dq sftp
808file transfer subsystem.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100809.Pp
810Alternately the name
811.Dq internal-sftp
812implements an in-process
813.Dq sftp
814server.
815This may simplify configurations using
816.Cm ChrootDirectory
817to force a different filesystem root on clients.
818.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +0000819By default no subsystems are defined.
820Note that this option applies to protocol version 2 only.
821.It Cm SyslogFacility
822Gives the facility code that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +1100823.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000824The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
825LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
826The default is AUTH.
Damien Miller12c150e2003-12-17 16:31:10 +1100827.It Cm TCPKeepAlive
828Specifies whether the system should send TCP keepalive messages to the
829other side.
830If they are sent, death of the connection or crash of one
831of the machines will be properly noticed.
832However, this means that
833connections will die if the route is down temporarily, and some people
834find it annoying.
835On the other hand, if TCP keepalives are not sent,
836sessions may hang indefinitely on the server, leaving
837.Dq ghost
838users and consuming server resources.
839.Pp
840The default is
841.Dq yes
842(to send TCP keepalive messages), and the server will notice
843if the network goes down or the client host crashes.
844This avoids infinitely hanging sessions.
845.Pp
846To disable TCP keepalive messages, the value should be set to
847.Dq no .
Damien Miller3a961dc2003-06-03 10:25:48 +1000848.It Cm UseDNS
849Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100850.Xr sshd 8
Darren Tucker83d5a982005-03-31 21:33:50 +1000851should look up the remote host name and check that
Damien Miller3a961dc2003-06-03 10:25:48 +1000852the resolved host name for the remote IP address maps back to the
853very same IP address.
854The default is
855.Dq yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000856.It Cm UseLogin
857Specifies whether
858.Xr login 1
859is used for interactive login sessions.
860The default is
861.Dq no .
862Note that
863.Xr login 1
864is never used for remote command execution.
865Note also, that if this is enabled,
866.Cm X11Forwarding
867will be disabled because
868.Xr login 1
869does not know how to handle
870.Xr xauth 1
Damien Miller495dca32003-04-01 21:42:14 +1000871cookies.
872If
Ben Lindstrom9f049032002-06-21 00:59:05 +0000873.Cm UsePrivilegeSeparation
874is specified, it will be disabled after authentication.
Damien Miller2e193e22003-05-14 15:13:03 +1000875.It Cm UsePAM
Darren Tucker1dcff9a2004-05-13 16:51:40 +1000876Enables the Pluggable Authentication Module interface.
877If set to
878.Dq yes
879this will enable PAM authentication using
880.Cm ChallengeResponseAuthentication
Darren Tuckera4904f72006-02-23 21:35:30 +1100881and
882.Cm PasswordAuthentication
883in addition to PAM account and session module processing for all
884authentication types.
Darren Tucker1dcff9a2004-05-13 16:51:40 +1000885.Pp
886Because PAM challenge-response authentication usually serves an equivalent
887role to password authentication, you should disable either
888.Cm PasswordAuthentication
889or
890.Cm ChallengeResponseAuthentication.
891.Pp
892If
893.Cm UsePAM
894is enabled, you will not be able to run
895.Xr sshd 8
896as a non-root user.
897The default is
Darren Tucker6c0c0702003-10-09 14:13:53 +1000898.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000899.It Cm UsePrivilegeSeparation
900Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100901.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000902separates privileges by creating an unprivileged child process
Damien Miller495dca32003-04-01 21:42:14 +1000903to deal with incoming network traffic.
904After successful authentication, another process will be created that has
905the privilege of the authenticated user.
906The goal of privilege separation is to prevent privilege
Ben Lindstrom9f049032002-06-21 00:59:05 +0000907escalation by containing any corruption within the unprivileged processes.
908The default is
909.Dq yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000910.It Cm X11DisplayOffset
911Specifies the first display number available for
Damien Miller5b0d63f2006-03-15 11:56:56 +1100912.Xr sshd 8 Ns 's
Ben Lindstrom9f049032002-06-21 00:59:05 +0000913X11 forwarding.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100914This prevents sshd from interfering with real X11 servers.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000915The default is 10.
916.It Cm X11Forwarding
917Specifies whether X11 forwarding is permitted.
Damien Miller101c4a72002-09-19 11:51:21 +1000918The argument must be
919.Dq yes
920or
921.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000922The default is
923.Dq no .
Damien Miller101c4a72002-09-19 11:51:21 +1000924.Pp
925When X11 forwarding is enabled, there may be additional exposure to
926the server and to client displays if the
Damien Miller5b0d63f2006-03-15 11:56:56 +1100927.Xr sshd 8
Damien Miller101c4a72002-09-19 11:51:21 +1000928proxy display is configured to listen on the wildcard address (see
929.Cm X11UseLocalhost
Damien Miller5b0d63f2006-03-15 11:56:56 +1100930below), though this is not the default.
Damien Miller101c4a72002-09-19 11:51:21 +1000931Additionally, the authentication spoofing and authentication data
932verification and substitution occur on the client side.
933The security risk of using X11 forwarding is that the client's X11
Damien Miller5b0d63f2006-03-15 11:56:56 +1100934display server may be exposed to attack when the SSH client requests
Damien Miller101c4a72002-09-19 11:51:21 +1000935forwarding (see the warnings for
936.Cm ForwardX11
937in
Damien Millerf1ce5052003-06-11 22:04:39 +1000938.Xr ssh_config 5 ) .
Damien Miller101c4a72002-09-19 11:51:21 +1000939A system administrator may have a stance in which they want to
940protect clients that may expose themselves to attack by unwittingly
941requesting X11 forwarding, which can warrant a
942.Dq no
943setting.
944.Pp
945Note that disabling X11 forwarding does not prevent users from
946forwarding X11 traffic, as users can always install their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000947X11 forwarding is automatically disabled if
948.Cm UseLogin
949is enabled.
950.It Cm X11UseLocalhost
951Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100952.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000953should bind the X11 forwarding server to the loopback address or to
Damien Miller495dca32003-04-01 21:42:14 +1000954the wildcard address.
955By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100956sshd binds the forwarding server to the loopback address and sets the
Ben Lindstrom9f049032002-06-21 00:59:05 +0000957hostname part of the
958.Ev DISPLAY
959environment variable to
960.Dq localhost .
Ben Lindstrom15b61202002-08-20 18:44:24 +0000961This prevents remote hosts from connecting to the proxy display.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000962However, some older X11 clients may not function with this
963configuration.
964.Cm X11UseLocalhost
965may be set to
966.Dq no
967to specify that the forwarding server should be bound to the wildcard
968address.
969The argument must be
970.Dq yes
971or
972.Dq no .
973The default is
974.Dq yes .
975.It Cm XAuthLocation
Damien Miller05913ba2002-09-04 16:51:03 +1000976Specifies the full pathname of the
Ben Lindstrom9f049032002-06-21 00:59:05 +0000977.Xr xauth 1
978program.
979The default is
980.Pa /usr/X11R6/bin/xauth .
981.El
Damien Millere3beba22006-03-15 11:59:25 +1100982.Sh TIME FORMATS
Damien Millerf4f22b52006-03-15 11:57:25 +1100983.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000984command-line arguments and configuration file options that specify time
985may be expressed using a sequence of the form:
986.Sm off
Ben Lindstrom1f8cf4f2002-08-20 18:43:27 +0000987.Ar time Op Ar qualifier ,
Ben Lindstrom9f049032002-06-21 00:59:05 +0000988.Sm on
989where
990.Ar time
991is a positive integer value and
992.Ar qualifier
993is one of the following:
994.Pp
995.Bl -tag -width Ds -compact -offset indent
Damien Miller393821a2006-07-24 14:04:53 +1000996.It Aq Cm none
Ben Lindstrom9f049032002-06-21 00:59:05 +0000997seconds
998.It Cm s | Cm S
999seconds
1000.It Cm m | Cm M
1001minutes
1002.It Cm h | Cm H
1003hours
1004.It Cm d | Cm D
1005days
1006.It Cm w | Cm W
1007weeks
1008.El
1009.Pp
1010Each member of the sequence is added together to calculate
1011the total time value.
1012.Pp
1013Time format examples:
1014.Pp
1015.Bl -tag -width Ds -compact -offset indent
1016.It 600
1017600 seconds (10 minutes)
1018.It 10m
101910 minutes
1020.It 1h30m
10211 hour 30 minutes (90 minutes)
1022.El
1023.Sh FILES
1024.Bl -tag -width Ds
1025.It Pa /etc/ssh/sshd_config
1026Contains configuration data for
Damien Millerf4f22b52006-03-15 11:57:25 +11001027.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001028This file should be writable by root only, but it is recommended
1029(though not necessary) that it be world-readable.
1030.El
Damien Millerf1ce5052003-06-11 22:04:39 +10001031.Sh SEE ALSO
1032.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001033.Sh AUTHORS
1034OpenSSH is a derivative of the original and free
1035ssh 1.2.12 release by Tatu Ylonen.
1036Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1037Theo de Raadt and Dug Song
1038removed many bugs, re-added newer features and
1039created OpenSSH.
1040Markus Friedl contributed the support for SSH
1041protocol versions 1.5 and 2.0.
1042Niels Provos and Markus Friedl contributed support
1043for privilege separation.