blob: 7ccf6fd4e338eddbb1ef1e19abd124de87317b11 [file] [log] [blame]
Ben Lindstrom9f049032002-06-21 00:59:05 +00001.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\" All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose. Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\" notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\" notice, this list of conditions and the following disclaimer in the
23.\" documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
djm@openbsd.orgacaf34f2017-05-07 23:12:57 +000036.\" $OpenBSD: sshd_config.5,v 1.244 2017/05/07 23:12:57 djm Exp $
37.Dd $Mdocdate: May 7 2017 $
Ben Lindstrom9f049032002-06-21 00:59:05 +000038.Dt SSHD_CONFIG 5
39.Os
40.Sh NAME
41.Nm sshd_config
42.Nd OpenSSH SSH daemon configuration file
43.Sh SYNOPSIS
Damien Millerd94fc722007-01-05 16:29:30 +110044.Nm /etc/ssh/sshd_config
Ben Lindstrom9f049032002-06-21 00:59:05 +000045.Sh DESCRIPTION
Damien Millerf4f22b52006-03-15 11:57:25 +110046.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +000047reads configuration data from
48.Pa /etc/ssh/sshd_config
49(or the file specified with
50.Fl f
51on the command line).
52The file contains keyword-argument pairs, one per line.
53Lines starting with
54.Ql #
55and empty lines are interpreted as comments.
Damien Miller306d1182006-03-15 12:05:59 +110056Arguments may optionally be enclosed in double quotes
57.Pq \&"
58in order to represent arguments containing spaces.
Ben Lindstrom9f049032002-06-21 00:59:05 +000059.Pp
60The possible
61keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive):
63.Bl -tag -width Ds
Darren Tucker46bc0752004-05-02 22:11:30 +100064.It Cm AcceptEnv
65Specifies what environment variables sent by the client will be copied into
66the session's
67.Xr environ 7 .
68See
69.Cm SendEnv
70in
71.Xr ssh_config 5
72for how to configure the client.
jmc@openbsd.orga685ae82016-02-17 07:38:19 +000073The
dtucker@openbsd.org85b96ef2015-04-28 10:17:58 +000074.Ev TERM
jmc@openbsd.orgc1d5bcf2015-04-28 13:47:38 +000075environment variable is always sent whenever the client
djm@openbsd.org732d61f2015-06-05 03:44:14 +000076requests a pseudo-terminal as it is required by the protocol.
Darren Tucker46bc0752004-05-02 22:11:30 +100077Variables are specified by name, which may contain the wildcard characters
Damien Miller208f1ed2006-03-15 11:56:03 +110078.Ql *
Darren Tucker46bc0752004-05-02 22:11:30 +100079and
80.Ql \&? .
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100081Multiple environment variables may be separated by whitespace or spread
Darren Tucker46bc0752004-05-02 22:11:30 +100082across multiple
83.Cm AcceptEnv
84directives.
Darren Tucker1e0c9bf2004-05-02 22:12:48 +100085Be warned that some environment variables could be used to bypass restricted
Darren Tucker46bc0752004-05-02 22:11:30 +100086user environments.
87For this reason, care should be taken in the use of this directive.
88The default is not to accept any environment variables.
Darren Tucker0f383232005-01-20 10:57:56 +110089.It Cm AddressFamily
90Specifies which address family should be used by
Damien Millerf4f22b52006-03-15 11:57:25 +110091.Xr sshd 8 .
Darren Tucker0f383232005-01-20 10:57:56 +110092Valid arguments are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +000093.Cm any
94(the default),
95.Cm inet
Damien Miller5b0d63f2006-03-15 11:56:56 +110096(use IPv4 only), or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +000097.Cm inet6
Darren Tucker0f383232005-01-20 10:57:56 +110098(use IPv6 only).
Damien Millere9890192008-05-19 14:59:02 +100099.It Cm AllowAgentForwarding
100Specifies whether
101.Xr ssh-agent 1
102forwarding is permitted.
103The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000104.Cm yes .
Damien Millere9890192008-05-19 14:59:02 +1000105Note that disabling agent forwarding does not improve security
106unless users are also denied shell access, as they can always install
107their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000108.It Cm AllowGroups
109This keyword can be followed by a list of group name patterns, separated
110by spaces.
111If specified, login is allowed only for users whose primary
112group or supplementary group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000113Only group names are valid; a numerical group ID is not recognized.
114By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100115The allow/deny directives are processed in the following order:
116.Cm DenyUsers ,
117.Cm AllowUsers ,
118.Cm DenyGroups ,
119and finally
120.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100121.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000122See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100123.Xr ssh_config 5
124for more information on patterns.
Damien Miller7acefbb2014-07-18 14:11:24 +1000125.It Cm AllowStreamLocalForwarding
126Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
127The available options are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000128.Cm yes
129(the default)
Damien Miller7acefbb2014-07-18 14:11:24 +1000130or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000131.Cm all
Damien Miller7acefbb2014-07-18 14:11:24 +1000132to allow StreamLocal forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000133.Cm no
Damien Miller7acefbb2014-07-18 14:11:24 +1000134to prevent all StreamLocal forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000135.Cm local
Damien Miller7acefbb2014-07-18 14:11:24 +1000136to allow local (from the perspective of
137.Xr ssh 1 )
138forwarding only or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000139.Cm remote
Damien Miller7acefbb2014-07-18 14:11:24 +1000140to allow remote forwarding only.
Damien Miller7acefbb2014-07-18 14:11:24 +1000141Note that disabling StreamLocal forwarding does not improve security unless
142users are also denied shell access, as they can always install their
143own forwarders.
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000144.It Cm AllowTcpForwarding
145Specifies whether TCP forwarding is permitted.
146The available options are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000147.Cm yes
148(the default)
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000149or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000150.Cm all
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000151to allow TCP forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000152.Cm no
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000153to prevent all TCP forwarding,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000154.Cm local
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000155to allow local (from the perspective of
156.Xr ssh 1 )
157forwarding only or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000158.Cm remote
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000159to allow remote forwarding only.
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +0000160Note that disabling TCP forwarding does not improve security unless
161users are also denied shell access, as they can always install their
162own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000163.It Cm AllowUsers
164This keyword can be followed by a list of user name patterns, separated
165by spaces.
Damien Miller5a93add2003-01-24 11:34:52 +1100166If specified, login is allowed only for user names that
Ben Lindstrom9f049032002-06-21 00:59:05 +0000167match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000168Only user names are valid; a numerical user ID is not recognized.
169By default, login is allowed for all users.
170If the pattern takes the form USER@HOST then USER and HOST
171are separately checked, restricting logins to particular
172users from particular hosts.
jmc@openbsd.orgee1e0a12016-04-27 13:53:48 +0000173HOST criteria may additionally contain addresses to match in CIDR
174address/masklen format.
Damien Millerac73e512006-03-15 11:58:49 +1100175The allow/deny directives are processed in the following order:
176.Cm DenyUsers ,
177.Cm AllowUsers ,
178.Cm DenyGroups ,
179and finally
180.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100181.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000182See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100183.Xr ssh_config 5
184for more information on patterns.
Damien Millera6e3f012012-11-04 23:21:40 +1100185.It Cm AuthenticationMethods
186Specifies the authentication methods that must be successfully completed
187for a user to be granted access.
188This option must be followed by one or more comma-separated lists of
djm@openbsd.orgb64faeb2016-06-17 05:03:40 +0000189authentication method names, or by the single string
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000190.Cm any
djm@openbsd.orgb64faeb2016-06-17 05:03:40 +0000191to indicate the default behaviour of accepting any single authentication
jmc@openbsd.orgad23a752016-06-17 06:33:30 +0000192method.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000193If the default is overridden, then successful authentication requires
djm@openbsd.orgb64faeb2016-06-17 05:03:40 +0000194completion of every method in at least one of these lists.
Damien Millera6e3f012012-11-04 23:21:40 +1100195.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000196For example,
197.Qq publickey,password publickey,keyboard-interactive
Damien Millera6e3f012012-11-04 23:21:40 +1100198would require the user to complete public key authentication, followed by
199either password or keyboard interactive authentication.
200Only methods that are next in one or more lists are offered at each stage,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000201so for this example it would not be possible to attempt password or
Damien Millera6e3f012012-11-04 23:21:40 +1100202keyboard-interactive authentication before public key.
203.Pp
Damien Miller91a55f22013-04-23 15:18:10 +1000204For keyboard interactive authentication it is also possible to
205restrict authentication to a specific device by appending a
206colon followed by the device identifier
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000207.Cm bsdauth ,
208.Cm pam ,
Damien Miller91a55f22013-04-23 15:18:10 +1000209or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000210.Cm skey ,
Damien Miller91a55f22013-04-23 15:18:10 +1000211depending on the server configuration.
212For example,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000213.Qq keyboard-interactive:bsdauth
Damien Miller91a55f22013-04-23 15:18:10 +1000214would restrict keyboard interactive authentication to the
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000215.Cm bsdauth
Damien Miller91a55f22013-04-23 15:18:10 +1000216device.
217.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000218If the publickey method is listed more than once,
djm@openbsd.orgf69b69b2014-12-22 07:51:30 +0000219.Xr sshd 8
220verifies that keys that have been used successfully are not reused for
221subsequent authentications.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000222For example,
223.Qq publickey,publickey
224requires successful authentication using two different public keys.
djm@openbsd.orgf69b69b2014-12-22 07:51:30 +0000225.Pp
Damien Millera6e3f012012-11-04 23:21:40 +1100226Note that each authentication method listed should also be explicitly enabled
227in the configuration.
Damien Miller09d3e122012-10-31 08:58:58 +1100228.It Cm AuthorizedKeysCommand
Damien Millerf33580e2012-11-04 22:22:52 +1100229Specifies a program to be used to look up the user's public keys.
djm@openbsd.org24232a32015-05-21 06:38:35 +0000230The program must be owned by root, not writable by group or others and
231specified by an absolute path.
djm@openbsd.org24232a32015-05-21 06:38:35 +0000232Arguments to
233.Cm AuthorizedKeysCommand
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000234accept the tokens described in the
235.Sx TOKENS
236section.
237If no arguments are specified then the username of the target user is used.
djm@openbsd.org24232a32015-05-21 06:38:35 +0000238.Pp
239The program should produce on standard output zero or
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000240more lines of authorized_keys output (see
241.Sx AUTHORIZED_KEYS
242in
Damien Millerf33580e2012-11-04 22:22:52 +1100243.Xr sshd 8 ) .
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000244If a key supplied by
245.Cm AuthorizedKeysCommand
246does not successfully authenticate
Damien Miller09d3e122012-10-31 08:58:58 +1100247and authorize the user then public key authentication continues using the usual
248.Cm AuthorizedKeysFile
249files.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000250By default, no
251.Cm AuthorizedKeysCommand
252is run.
Damien Miller09d3e122012-10-31 08:58:58 +1100253.It Cm AuthorizedKeysCommandUser
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000254Specifies the user under whose account the
255.Cm AuthorizedKeysCommand
256is run.
Damien Miller09d3e122012-10-31 08:58:58 +1100257It is recommended to use a dedicated user that has no other role on the host
258than running authorized keys commands.
djm@openbsd.orgf1c4d8e2014-12-22 08:04:23 +0000259If
djm@openbsd.orgd663bea2014-12-11 05:25:06 +0000260.Cm AuthorizedKeysCommand
djm@openbsd.orgf1c4d8e2014-12-22 08:04:23 +0000261is specified but
262.Cm AuthorizedKeysCommandUser
263is not, then
264.Xr sshd 8
265will refuse to start.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000266.It Cm AuthorizedKeysFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000267Specifies the file that contains the public keys used for user authentication.
Damien Miller6018a362010-07-02 13:35:19 +1000268The format is described in the
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000269.Sx AUTHORIZED_KEYS FILE FORMAT
Damien Miller6018a362010-07-02 13:35:19 +1000270section of
271.Xr sshd 8 .
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000272Arguments to
Ben Lindstrom9f049032002-06-21 00:59:05 +0000273.Cm AuthorizedKeysFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000274accept the tokens described in the
275.Sx TOKENS
276section.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000277After expansion,
278.Cm AuthorizedKeysFile
279is taken to be an absolute path or one relative to the user's home
280directory.
Damien Millerb9132fc2011-05-29 21:41:40 +1000281Multiple files may be listed, separated by whitespace.
djm@openbsd.org2bca8a42015-09-11 03:13:36 +0000282Alternately this option may be set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000283.Cm none
djm@openbsd.org2bca8a42015-09-11 03:13:36 +0000284to skip checking for user keys in files.
Damien Millerb9132fc2011-05-29 21:41:40 +1000285The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000286.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000287.It Cm AuthorizedPrincipalsCommand
288Specifies a program to be used to generate the list of allowed
289certificate principals as per
290.Cm AuthorizedPrincipalsFile .
291The program must be owned by root, not writable by group or others and
292specified by an absolute path.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000293Arguments to
294.Cm AuthorizedPrincipalsCommand
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000295accept the tokens described in the
296.Sx TOKENS
297section.
298If no arguments are specified then the username of the target user is used.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000299.Pp
300The program should produce on standard output zero or
301more lines of
302.Cm AuthorizedPrincipalsFile
303output.
304If either
305.Cm AuthorizedPrincipalsCommand
306or
307.Cm AuthorizedPrincipalsFile
308is specified, then certificates offered by the client for authentication
309must contain a principal that is listed.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000310By default, no
311.Cm AuthorizedPrincipalsCommand
312is run.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000313.It Cm AuthorizedPrincipalsCommandUser
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000314Specifies the user under whose account the
315.Cm AuthorizedPrincipalsCommand
316is run.
djm@openbsd.orgbcc50d82015-05-21 06:43:30 +0000317It is recommended to use a dedicated user that has no other role on the host
318than running authorized principals commands.
319If
320.Cm AuthorizedPrincipalsCommand
321is specified but
322.Cm AuthorizedPrincipalsCommandUser
323is not, then
324.Xr sshd 8
325will refuse to start.
Damien Miller30da3442010-05-10 11:58:03 +1000326.It Cm AuthorizedPrincipalsFile
327Specifies a file that lists principal names that are accepted for
328certificate authentication.
329When using certificates signed by a key listed in
330.Cm TrustedUserCAKeys ,
331this file lists names, one of which must appear in the certificate for it
332to be accepted for authentication.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000333Names are listed one per line preceded by key options (as described in
334.Sx AUTHORIZED_KEYS FILE FORMAT
335in
Damien Millerd59dab82010-07-02 13:37:17 +1000336.Xr sshd 8 ) .
Damien Miller6018a362010-07-02 13:35:19 +1000337Empty lines and comments starting with
Damien Miller30da3442010-05-10 11:58:03 +1000338.Ql #
339are ignored.
340.Pp
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000341Arguments to
Damien Miller30da3442010-05-10 11:58:03 +1000342.Cm AuthorizedPrincipalsFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000343accept the tokens described in the
344.Sx TOKENS
345section.
Damien Miller30da3442010-05-10 11:58:03 +1000346After expansion,
347.Cm AuthorizedPrincipalsFile
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000348is taken to be an absolute path or one relative to the user's home directory.
Damien Miller8fef9eb2012-04-22 11:25:10 +1000349The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000350.Cm none ,
Damien Miller8fef9eb2012-04-22 11:25:10 +1000351i.e. not to use a principals file \(en in this case, the username
Damien Miller30da3442010-05-10 11:58:03 +1000352of the user must appear in a certificate's principals list for it to be
353accepted.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000354.Pp
Damien Miller30da3442010-05-10 11:58:03 +1000355Note that
356.Cm AuthorizedPrincipalsFile
357is only used when authentication proceeds using a CA listed in
358.Cm TrustedUserCAKeys
359and is not consulted for certification authorities trusted via
360.Pa ~/.ssh/authorized_keys ,
361though the
362.Cm principals=
363key option offers a similar facility (see
364.Xr sshd 8
365for details).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000366.It Cm Banner
Ben Lindstrom9f049032002-06-21 00:59:05 +0000367The contents of the specified file are sent to the remote user before
368authentication is allowed.
Damien Miller4890e532007-09-17 11:57:38 +1000369If the argument is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000370.Cm none
Damien Miller4890e532007-09-17 11:57:38 +1000371then no banner is displayed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000372By default, no banner is displayed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000373.It Cm ChallengeResponseAuthentication
Damien Miller9c7bf8d2009-08-28 10:27:08 +1000374Specifies whether challenge-response authentication is allowed (e.g. via
Damien Millere8c9f262014-10-03 09:24:56 +1000375PAM or through authentication styles supported in
Damien Miller9c7bf8d2009-08-28 10:27:08 +1000376.Xr login.conf 5 )
Ben Lindstrom9f049032002-06-21 00:59:05 +0000377The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000378.Cm yes .
Damien Millerd8cb1f12008-02-10 22:40:12 +1100379.It Cm ChrootDirectory
Darren Tuckerb8c884a2010-01-08 18:53:43 +1100380Specifies the pathname of a directory to
Damien Millerd8cb1f12008-02-10 22:40:12 +1100381.Xr chroot 2
382to after authentication.
deraadt@openbsd.orgdcff5812015-01-22 20:24:41 +0000383At session startup
384.Xr sshd 8
385checks that all components of the pathname are root-owned directories
386which are not writable by any other user or group.
Darren Tucker51dbe502009-06-21 17:56:51 +1000387After the chroot,
388.Xr sshd 8
389changes the working directory to the user's home directory.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +0000390Arguments to
391.Cm ChrootDirectory
392accept the tokens described in the
393.Sx TOKENS
394section.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100395.Pp
396The
397.Cm ChrootDirectory
398must contain the necessary files and directories to support the
Darren Tuckeraf501cf2009-06-21 17:53:04 +1000399user's session.
Damien Millerd8cb1f12008-02-10 22:40:12 +1100400For an interactive session this requires at least a shell, typically
401.Xr sh 1 ,
402and basic
403.Pa /dev
404nodes such as
405.Xr null 4 ,
406.Xr zero 4 ,
407.Xr stdin 4 ,
408.Xr stdout 4 ,
409.Xr stderr 4 ,
jmc@openbsd.org08c0eeb2014-11-22 19:21:03 +0000410and
Damien Millerd8cb1f12008-02-10 22:40:12 +1100411.Xr tty 4
412devices.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000413For file transfer sessions using SFTP
414no additional configuration of the environment is necessary if the in-process
415sftp-server is used,
Damien Miller426117b2014-07-30 12:33:20 +1000416though sessions which use logging may require
Darren Tucker00fcd712009-06-21 17:56:00 +1000417.Pa /dev/log
Damien Miller426117b2014-07-30 12:33:20 +1000418inside the chroot directory on some operating systems (see
Darren Tucker00fcd712009-06-21 17:56:00 +1000419.Xr sftp-server 8
420for details).
Damien Millerd8cb1f12008-02-10 22:40:12 +1100421.Pp
jmc@openbsd.orga5a3e332015-01-22 21:00:42 +0000422For safety, it is very important that the directory hierarchy be
deraadt@openbsd.orgdcff5812015-01-22 20:24:41 +0000423prevented from modification by other processes on the system (especially
424those outside the jail).
425Misconfiguration can lead to unsafe environments which
426.Xr sshd 8
427cannot detect.
428.Pp
djm@openbsd.org9fd04682015-11-13 04:38:06 +0000429The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000430.Cm none ,
djm@openbsd.org9fd04682015-11-13 04:38:06 +0000431indicating not to
Damien Millerd8cb1f12008-02-10 22:40:12 +1100432.Xr chroot 2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000433.It Cm Ciphers
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000434Specifies the ciphers allowed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000435Multiple ciphers must be comma-separated.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000436If the specified value begins with a
437.Sq +
438character, then the specified ciphers will be appended to the default set
439instead of replacing them.
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +0000440If the specified value begins with a
441.Sq -
442character, then the specified ciphers (including wildcards) will be removed
443from the default set instead of replacing them.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000444.Pp
Damien Miller0fde8ac2013-11-21 14:12:23 +1100445The supported ciphers are:
446.Pp
Damien Millerc1621c82014-04-20 13:22:46 +1000447.Bl -item -compact -offset indent
448.It
4493des-cbc
450.It
451aes128-cbc
452.It
453aes192-cbc
454.It
455aes256-cbc
456.It
457aes128-ctr
458.It
459aes192-ctr
460.It
461aes256-ctr
462.It
463aes128-gcm@openssh.com
464.It
465aes256-gcm@openssh.com
466.It
Damien Millerc1621c82014-04-20 13:22:46 +1000467chacha20-poly1305@openssh.com
468.El
Damien Miller0fde8ac2013-11-21 14:12:23 +1100469.Pp
Damien Miller5b0d63f2006-03-15 11:56:56 +1100470The default is:
Damien Millerc1621c82014-04-20 13:22:46 +1000471.Bd -literal -offset indent
jmc@openbsd.org1f8d3d62015-08-14 15:32:41 +0000472chacha20-poly1305@openssh.com,
Damien Millerc1621c82014-04-20 13:22:46 +1000473aes128-ctr,aes192-ctr,aes256-ctr,
jmc@openbsd.org1f8d3d62015-08-14 15:32:41 +0000474aes128-gcm@openssh.com,aes256-gcm@openssh.com
Ben Lindstrom9f049032002-06-21 00:59:05 +0000475.Ed
Damien Miller0fde8ac2013-11-21 14:12:23 +1100476.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000477The list of available ciphers may also be obtained using
478.Qq ssh -Q cipher .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000479.It Cm ClientAliveCountMax
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000480Sets the number of client alive messages which may be sent without
Damien Miller5b0d63f2006-03-15 11:56:56 +1100481.Xr sshd 8
Damien Millerfbf486b2003-05-23 18:44:23 +1000482receiving any messages back from the client.
483If this threshold is reached while client alive messages are being sent,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100484sshd will disconnect the client, terminating the session.
Damien Millerfbf486b2003-05-23 18:44:23 +1000485It is important to note that the use of client alive messages is very
486different from
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000487.Cm TCPKeepAlive .
Damien Millerfbf486b2003-05-23 18:44:23 +1000488The client alive messages are sent through the encrypted channel
489and therefore will not be spoofable.
490The TCP keepalive option enabled by
Damien Miller12c150e2003-12-17 16:31:10 +1100491.Cm TCPKeepAlive
Damien Millerfbf486b2003-05-23 18:44:23 +1000492is spoofable.
493The client alive mechanism is valuable when the client or
Ben Lindstrom9f049032002-06-21 00:59:05 +0000494server depend on knowing when a connection has become inactive.
495.Pp
Damien Millerfbf486b2003-05-23 18:44:23 +1000496The default value is 3.
497If
Ben Lindstrom9f049032002-06-21 00:59:05 +0000498.Cm ClientAliveInterval
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000499is set to 15, and
Ben Lindstrom9f049032002-06-21 00:59:05 +0000500.Cm ClientAliveCountMax
Damien Miller5b0d63f2006-03-15 11:56:56 +1100501is left at the default, unresponsive SSH clients
Ben Lindstrom9f049032002-06-21 00:59:05 +0000502will be disconnected after approximately 45 seconds.
Damien Miller1594ad52005-05-26 12:12:19 +1000503.It Cm ClientAliveInterval
504Sets a timeout interval in seconds after which if no data has been received
505from the client,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100506.Xr sshd 8
Damien Miller1594ad52005-05-26 12:12:19 +1000507will send a message through the encrypted
508channel to request a response from the client.
509The default
510is 0, indicating that these messages will not be sent to the client.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000511.It Cm Compression
djm@openbsd.org4577ade2016-09-28 20:32:42 +0000512Specifies whether compression is enabled after
Damien Miller9786e6e2005-07-26 21:54:56 +1000513the user has authenticated successfully.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000514The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000515.Cm yes ,
516.Cm delayed
djm@openbsd.org4577ade2016-09-28 20:32:42 +0000517(a legacy synonym for
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000518.Cm yes )
Ben Lindstrom9f049032002-06-21 00:59:05 +0000519or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000520.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000521The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000522.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000523.It Cm DenyGroups
524This keyword can be followed by a list of group name patterns, separated
525by spaces.
526Login is disallowed for users whose primary group or supplementary
527group list matches one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000528Only group names are valid; a numerical group ID is not recognized.
529By default, login is allowed for all groups.
Damien Millerac73e512006-03-15 11:58:49 +1100530The allow/deny directives are processed in the following order:
531.Cm DenyUsers ,
532.Cm AllowUsers ,
533.Cm DenyGroups ,
534and finally
535.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100536.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000537See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100538.Xr ssh_config 5
539for more information on patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000540.It Cm DenyUsers
541This keyword can be followed by a list of user name patterns, separated
542by spaces.
543Login is disallowed for user names that match one of the patterns.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000544Only user names are valid; a numerical user ID is not recognized.
545By default, login is allowed for all users.
546If the pattern takes the form USER@HOST then USER and HOST
547are separately checked, restricting logins to particular
548users from particular hosts.
jmc@openbsd.orgee1e0a12016-04-27 13:53:48 +0000549HOST criteria may additionally contain addresses to match in CIDR
550address/masklen format.
Damien Millerac73e512006-03-15 11:58:49 +1100551The allow/deny directives are processed in the following order:
552.Cm DenyUsers ,
553.Cm AllowUsers ,
554.Cm DenyGroups ,
555and finally
556.Cm AllowGroups .
Damien Miller0c2079d2006-03-15 11:54:21 +1100557.Pp
Damien Millerfecfd112013-07-18 16:11:50 +1000558See PATTERNS in
Damien Miller0c2079d2006-03-15 11:54:21 +1100559.Xr ssh_config 5
560for more information on patterns.
djm@openbsd.org7844f352016-11-30 03:00:05 +0000561.It Cm DisableForwarding
562Disables all forwarding features, including X11,
563.Xr ssh-agent 1 ,
564TCP and StreamLocal.
565This option overrides all other forwarding-related options and may
566simplify restricted configurations.
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000567.It Cm FingerprintHash
568Specifies the hash algorithm used when logging key fingerprints.
569Valid options are:
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000570.Cm md5
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000571and
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000572.Cm sha256 .
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000573The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000574.Cm sha256 .
Damien Millere2754432006-07-24 14:06:47 +1000575.It Cm ForceCommand
576Forces the execution of the command specified by
577.Cm ForceCommand ,
Damien Millera1b48cc2008-03-27 11:02:02 +1100578ignoring any command supplied by the client and
579.Pa ~/.ssh/rc
580if present.
Damien Millere2754432006-07-24 14:06:47 +1000581The command is invoked by using the user's login shell with the -c option.
582This applies to shell, command, or subsystem execution.
583It is most useful inside a
584.Cm Match
585block.
586The command originally supplied by the client is available in the
587.Ev SSH_ORIGINAL_COMMAND
588environment variable.
Damien Millercdb6e652008-02-10 22:47:24 +1100589Specifying a command of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000590.Cm internal-sftp
591will force the use of an in-process SFTP server that requires no support
Damien Millercdb6e652008-02-10 22:47:24 +1100592files when used with
593.Cm ChrootDirectory .
djm@openbsd.org9fd04682015-11-13 04:38:06 +0000594The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000595.Cm none .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000596.It Cm GatewayPorts
597Specifies whether remote hosts are allowed to connect to ports
598forwarded for the client.
599By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +1100600.Xr sshd 8
Damien Miller495dca32003-04-01 21:42:14 +1000601binds remote port forwardings to the loopback address.
602This prevents other remote hosts from connecting to forwarded ports.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000603.Cm GatewayPorts
Damien Miller5b0d63f2006-03-15 11:56:56 +1100604can be used to specify that sshd
Damien Millerf91ee4c2005-03-01 21:24:33 +1100605should allow remote port forwardings to bind to non-loopback addresses, thus
606allowing other hosts to connect.
607The argument may be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000608.Cm no
Damien Millerf91ee4c2005-03-01 21:24:33 +1100609to force remote port forwardings to be available to the local host only,
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000610.Cm yes
Damien Millerf91ee4c2005-03-01 21:24:33 +1100611to force remote port forwardings to bind to the wildcard address, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000612.Cm clientspecified
Damien Millerf91ee4c2005-03-01 21:24:33 +1100613to allow the client to select the address to which the forwarding is bound.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000614The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000615.Cm no .
Darren Tucker0efd1552003-08-26 11:49:55 +1000616.It Cm GSSAPIAuthentication
Damien Miller9b7b03b2003-09-02 22:57:05 +1000617Specifies whether user authentication based on GSSAPI is allowed.
Damien Millera8e06ce2003-11-21 23:48:55 +1100618The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000619.Cm no .
Darren Tucker0efd1552003-08-26 11:49:55 +1000620.It Cm GSSAPICleanupCredentials
621Specifies whether to automatically destroy the user's credentials cache
622on logout.
623The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000624.Cm yes .
djm@openbsd.orgd7c31da2015-05-22 03:50:02 +0000625.It Cm GSSAPIStrictAcceptorCheck
626Determines whether to be strict about the identity of the GSSAPI acceptor
627a client authenticates against.
628If set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000629.Cm yes
630then the client must authenticate against the host
djm@openbsd.orgd7c31da2015-05-22 03:50:02 +0000631service on the current hostname.
632If set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000633.Cm no
djm@openbsd.orgd7c31da2015-05-22 03:50:02 +0000634then the client may authenticate against any service key stored in the
635machine's default store.
636This facility is provided to assist with operation on multi homed machines.
637The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000638.Cm yes .
djm@openbsd.org1f729f02015-01-13 07:39:19 +0000639.It Cm HostbasedAcceptedKeyTypes
640Specifies the key types that will be accepted for hostbased authentication
641as a comma-separated pattern list.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000642Alternately if the specified value begins with a
643.Sq +
644character, then the specified key types will be appended to the default set
645instead of replacing them.
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +0000646If the specified value begins with a
647.Sq -
648character, then the specified key types (including wildcards) will be removed
649from the default set instead of replacing them.
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000650The default for this option is:
651.Bd -literal -offset 3n
652ecdsa-sha2-nistp256-cert-v01@openssh.com,
653ecdsa-sha2-nistp384-cert-v01@openssh.com,
654ecdsa-sha2-nistp521-cert-v01@openssh.com,
655ssh-ed25519-cert-v01@openssh.com,
656ssh-rsa-cert-v01@openssh.com,
657ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org3a13cb52016-02-17 08:57:34 +0000658ssh-ed25519,ssh-rsa
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000659.Ed
660.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000661The list of available key types may also be obtained using
662.Qq ssh -Q key .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000663.It Cm HostbasedAuthentication
664Specifies whether rhosts or /etc/hosts.equiv authentication together
665with successful public key client host authentication is allowed
Damien Miller1faa7132006-03-15 11:55:31 +1100666(host-based authentication).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000667The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000668.Cm no .
Damien Millerb594f382006-08-30 11:06:34 +1000669.It Cm HostbasedUsesNameFromPacketOnly
670Specifies whether or not the server will attempt to perform a reverse
671name lookup when matching the name in the
672.Pa ~/.shosts ,
673.Pa ~/.rhosts ,
674and
675.Pa /etc/hosts.equiv
676files during
677.Cm HostbasedAuthentication .
678A setting of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000679.Cm yes
Damien Millerb594f382006-08-30 11:06:34 +1000680means that
681.Xr sshd 8
682uses the name supplied by the client rather than
683attempting to resolve the name from the TCP connection itself.
684The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000685.Cm no .
Damien Miller0a80ca12010-02-27 07:55:05 +1100686.It Cm HostCertificate
687Specifies a file containing a public host certificate.
688The certificate's public key must match a private host key already specified
689by
690.Cm HostKey .
691The default behaviour of
692.Xr sshd 8
693is not to load any certificates.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000694.It Cm HostKey
695Specifies a file containing a private host key
696used by SSH.
naddy@openbsd.orgffe65492016-08-15 12:32:04 +0000697The defaults are
Damien Millereb8b60e2010-08-31 22:41:14 +1000698.Pa /etc/ssh/ssh_host_dsa_key ,
Damien Miller8ba0ead2013-12-18 17:46:27 +1100699.Pa /etc/ssh/ssh_host_ecdsa_key ,
700.Pa /etc/ssh/ssh_host_ed25519_key
Ben Lindstrom9f049032002-06-21 00:59:05 +0000701and
naddy@openbsd.orgffe65492016-08-15 12:32:04 +0000702.Pa /etc/ssh/ssh_host_rsa_key .
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000703.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +0000704Note that
Damien Miller5b0d63f2006-03-15 11:56:56 +1100705.Xr sshd 8
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000706will refuse to use a file if it is group/world-accessible
707and that the
708.Cm HostKeyAlgorithms
709option restricts which of the keys are actually used by
710.Xr sshd 8 .
711.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +0000712It is possible to have multiple host key files.
Damien Miller85b45e02013-07-20 13:21:52 +1000713It is also possible to specify public host key files instead.
714In this case operations on the private key will be delegated
715to an
716.Xr ssh-agent 1 .
717.It Cm HostKeyAgent
718Identifies the UNIX-domain socket used to communicate
719with an agent that has access to the private host keys.
markus@openbsd.org1a75d142016-05-04 14:29:58 +0000720If the string
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000721.Qq SSH_AUTH_SOCK
Damien Miller85b45e02013-07-20 13:21:52 +1000722is specified, the location of the socket will be read from the
723.Ev SSH_AUTH_SOCK
724environment variable.
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000725.It Cm HostKeyAlgorithms
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000726Specifies the host key algorithms
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000727that the server offers.
728The default for this option is:
729.Bd -literal -offset 3n
730ecdsa-sha2-nistp256-cert-v01@openssh.com,
731ecdsa-sha2-nistp384-cert-v01@openssh.com,
732ecdsa-sha2-nistp521-cert-v01@openssh.com,
733ssh-ed25519-cert-v01@openssh.com,
734ssh-rsa-cert-v01@openssh.com,
735ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org3a13cb52016-02-17 08:57:34 +0000736ssh-ed25519,ssh-rsa
markus@openbsd.org3a1638d2015-07-10 06:21:53 +0000737.Ed
738.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000739The list of available key types may also be obtained using
740.Qq ssh -Q key .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000741.It Cm IgnoreRhosts
742Specifies that
743.Pa .rhosts
744and
745.Pa .shosts
746files will not be used in
Ben Lindstrom9f049032002-06-21 00:59:05 +0000747.Cm HostbasedAuthentication .
748.Pp
749.Pa /etc/hosts.equiv
750and
751.Pa /etc/shosts.equiv
752are still used.
753The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000754.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000755.It Cm IgnoreUserKnownHosts
756Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +1100757.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000758should ignore the user's
Damien Miller167ea5d2005-05-26 12:04:02 +1000759.Pa ~/.ssh/known_hosts
Ben Lindstrom9f049032002-06-21 00:59:05 +0000760during
Ben Lindstrom9f049032002-06-21 00:59:05 +0000761.Cm HostbasedAuthentication .
762The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000763.Cm no .
Damien Miller0dac6fb2010-11-20 15:19:38 +1100764.It Cm IPQoS
765Specifies the IPv4 type-of-service or DSCP class for the connection.
766Accepted values are
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000767.Cm af11 ,
768.Cm af12 ,
769.Cm af13 ,
770.Cm af21 ,
771.Cm af22 ,
772.Cm af23 ,
773.Cm af31 ,
774.Cm af32 ,
775.Cm af33 ,
776.Cm af41 ,
777.Cm af42 ,
778.Cm af43 ,
779.Cm cs0 ,
780.Cm cs1 ,
781.Cm cs2 ,
782.Cm cs3 ,
783.Cm cs4 ,
784.Cm cs5 ,
785.Cm cs6 ,
786.Cm cs7 ,
787.Cm ef ,
788.Cm lowdelay ,
789.Cm throughput ,
790.Cm reliability ,
Damien Miller0dac6fb2010-11-20 15:19:38 +1100791or a numeric value.
Damien Miller928362d2010-12-26 14:26:45 +1100792This option may take one or two arguments, separated by whitespace.
Damien Miller0dac6fb2010-11-20 15:19:38 +1100793If one argument is specified, it is used as the packet class unconditionally.
794If two values are specified, the first is automatically selected for
795interactive sessions and the second for non-interactive sessions.
796The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000797.Cm lowdelay
Damien Miller0dac6fb2010-11-20 15:19:38 +1100798for interactive sessions and
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000799.Cm throughput
Damien Miller0dac6fb2010-11-20 15:19:38 +1100800for non-interactive sessions.
Damien Millere1e480a2014-02-04 11:13:17 +1100801.It Cm KbdInteractiveAuthentication
802Specifies whether to allow keyboard-interactive authentication.
803The argument to this keyword must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000804.Cm yes
Damien Millere1e480a2014-02-04 11:13:17 +1100805or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000806.Cm no .
Damien Millere1e480a2014-02-04 11:13:17 +1100807The default is to use whatever value
808.Cm ChallengeResponseAuthentication
809is set to
810(by default
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000811.Cm yes ) .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000812.It Cm KerberosAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000813Specifies whether the password provided by the user for
Ben Lindstrom9f049032002-06-21 00:59:05 +0000814.Cm PasswordAuthentication
Damien Miller1a0c0b92003-09-02 22:51:17 +1000815will be validated through the Kerberos KDC.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000816To use this option, the server needs a
817Kerberos servtab which allows the verification of the KDC's identity.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100818The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000819.Cm no .
Damien Miller8448e662004-03-08 23:13:15 +1100820.It Cm KerberosGetAFSToken
Darren Tuckere2dd2d52005-10-03 18:19:06 +1000821If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
Damien Miller8448e662004-03-08 23:13:15 +1100822an AFS token before accessing the user's home directory.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100823The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000824.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000825.It Cm KerberosOrLocalPasswd
Damien Miller5b0d63f2006-03-15 11:56:56 +1100826If password authentication through Kerberos fails then
Ben Lindstrom9f049032002-06-21 00:59:05 +0000827the password will be validated via any additional local mechanism
828such as
829.Pa /etc/passwd .
Damien Miller5b0d63f2006-03-15 11:56:56 +1100830The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000831.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000832.It Cm KerberosTicketCleanup
833Specifies whether to automatically destroy the user's ticket cache
834file on logout.
Damien Miller5b0d63f2006-03-15 11:56:56 +1100835The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000836.Cm yes .
Damien Millerd5f62bf2010-09-24 22:11:14 +1000837.It Cm KexAlgorithms
838Specifies the available KEX (Key Exchange) algorithms.
839Multiple algorithms must be comma-separated.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000840Alternately if the specified value begins with a
841.Sq +
842character, then the specified methods will be appended to the default set
843instead of replacing them.
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +0000844If the specified value begins with a
845.Sq -
846character, then the specified methods (including wildcards) will be removed
847from the default set instead of replacing them.
Damien Millerc1621c82014-04-20 13:22:46 +1000848The supported algorithms are:
849.Pp
850.Bl -item -compact -offset indent
851.It
djm@openbsd.org16277fc2016-09-22 17:55:13 +0000852curve25519-sha256
853.It
Damien Millerc1621c82014-04-20 13:22:46 +1000854curve25519-sha256@libssh.org
855.It
856diffie-hellman-group1-sha1
857.It
858diffie-hellman-group14-sha1
859.It
860diffie-hellman-group-exchange-sha1
861.It
862diffie-hellman-group-exchange-sha256
863.It
864ecdh-sha2-nistp256
865.It
866ecdh-sha2-nistp384
867.It
868ecdh-sha2-nistp521
869.El
870.Pp
871The default is:
Damien Miller6575c3a2013-12-18 17:47:02 +1100872.Bd -literal -offset indent
djm@openbsd.org16277fc2016-09-22 17:55:13 +0000873curve25519-sha256,curve25519-sha256@libssh.org,
Damien Miller6575c3a2013-12-18 17:47:02 +1100874ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
875diffie-hellman-group-exchange-sha256,
Damien Millerc1621c82014-04-20 13:22:46 +1000876diffie-hellman-group14-sha1
Damien Miller6575c3a2013-12-18 17:47:02 +1100877.Ed
djm@openbsd.org8f6784f2014-12-22 09:05:17 +0000878.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000879The list of available key exchange algorithms may also be obtained using
880.Qq ssh -Q kex .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000881.It Cm ListenAddress
882Specifies the local addresses
Damien Miller5b0d63f2006-03-15 11:56:56 +1100883.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +0000884should listen on.
885The following forms may be used:
886.Pp
887.Bl -item -offset indent -compact
888.It
889.Cm ListenAddress
890.Sm off
jmc@openbsd.org08c0eeb2014-11-22 19:21:03 +0000891.Ar host | Ar IPv4_addr | Ar IPv6_addr
Ben Lindstrom9f049032002-06-21 00:59:05 +0000892.Sm on
893.It
894.Cm ListenAddress
895.Sm off
jmc@openbsd.org08c0eeb2014-11-22 19:21:03 +0000896.Ar host | Ar IPv4_addr : Ar port
Ben Lindstrom9f049032002-06-21 00:59:05 +0000897.Sm on
898.It
899.Cm ListenAddress
900.Sm off
901.Oo
jmc@openbsd.org08c0eeb2014-11-22 19:21:03 +0000902.Ar host | Ar IPv6_addr Oc : Ar port
Ben Lindstrom9f049032002-06-21 00:59:05 +0000903.Sm on
904.El
905.Pp
906If
907.Ar port
908is not specified,
dtucker@openbsd.org531a57a2015-04-29 03:48:56 +0000909sshd will listen on the address and all
Ben Lindstrom9f049032002-06-21 00:59:05 +0000910.Cm Port
Damien Millerfbf486b2003-05-23 18:44:23 +1000911options specified.
912The default is to listen on all local addresses.
Damien Miller495dca32003-04-01 21:42:14 +1000913Multiple
Ben Lindstrom9f049032002-06-21 00:59:05 +0000914.Cm ListenAddress
Damien Millerfbf486b2003-05-23 18:44:23 +1000915options are permitted.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000916.It Cm LoginGraceTime
917The server disconnects after this time if the user has not
918successfully logged in.
919If the value is 0, there is no time limit.
Damien Millerc1348632002-09-05 14:35:14 +1000920The default is 120 seconds.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000921.It Cm LogLevel
922Gives the verbosity level that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +1100923.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000924The possible values are:
Damien Miller5b0d63f2006-03-15 11:56:56 +1100925QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
Damien Miller495dca32003-04-01 21:42:14 +1000926The default is INFO.
927DEBUG and DEBUG1 are equivalent.
928DEBUG2 and DEBUG3 each specify higher levels of debugging output.
929Logging with a DEBUG level violates the privacy of users and is not recommended.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000930.It Cm MACs
931Specifies the available MAC (message authentication code) algorithms.
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000932The MAC algorithm is used for data integrity protection.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000933Multiple algorithms must be comma-separated.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000934If the specified value begins with a
935.Sq +
936character, then the specified algorithms will be appended to the default set
937instead of replacing them.
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +0000938If the specified value begins with a
939.Sq -
940character, then the specified algorithms (including wildcards) will be removed
941from the default set instead of replacing them.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +0000942.Pp
Damien Milleraf43a7a2012-12-12 10:46:31 +1100943The algorithms that contain
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000944.Qq -etm
Damien Milleraf43a7a2012-12-12 10:46:31 +1100945calculate the MAC after encryption (encrypt-then-mac).
946These are considered safer and their use recommended.
Damien Millerc1621c82014-04-20 13:22:46 +1000947The supported MACs are:
948.Pp
949.Bl -item -compact -offset indent
950.It
951hmac-md5
952.It
953hmac-md5-96
954.It
Damien Millerc1621c82014-04-20 13:22:46 +1000955hmac-sha1
956.It
957hmac-sha1-96
958.It
959hmac-sha2-256
960.It
961hmac-sha2-512
962.It
963umac-64@openssh.com
964.It
965umac-128@openssh.com
966.It
967hmac-md5-etm@openssh.com
968.It
969hmac-md5-96-etm@openssh.com
970.It
Damien Millerc1621c82014-04-20 13:22:46 +1000971hmac-sha1-etm@openssh.com
972.It
973hmac-sha1-96-etm@openssh.com
974.It
975hmac-sha2-256-etm@openssh.com
976.It
977hmac-sha2-512-etm@openssh.com
978.It
979umac-64-etm@openssh.com
980.It
981umac-128-etm@openssh.com
982.El
983.Pp
Damien Miller5b0d63f2006-03-15 11:56:56 +1100984The default is:
Damien Miller22b7b492007-06-11 14:07:12 +1000985.Bd -literal -offset indent
Damien Milleraf43a7a2012-12-12 10:46:31 +1100986umac-64-etm@openssh.com,umac-128-etm@openssh.com,
987hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
djm@openbsd.orge4c918a2016-02-11 02:56:32 +0000988hmac-sha1-etm@openssh.com,
Damien Millerc1621c82014-04-20 13:22:46 +1000989umac-64@openssh.com,umac-128@openssh.com,
djm@openbsd.orge4c918a2016-02-11 02:56:32 +0000990hmac-sha2-256,hmac-sha2-512,hmac-sha1
Damien Miller22b7b492007-06-11 14:07:12 +1000991.Ed
djm@openbsd.org8f6784f2014-12-22 09:05:17 +0000992.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +0000993The list of available MAC algorithms may also be obtained using
994.Qq ssh -Q mac .
Darren Tucker45150472006-07-12 22:34:17 +1000995.It Cm Match
Damien Millerd04f3572006-07-24 13:46:50 +1000996Introduces a conditional block.
Damien Miller8c234032006-07-24 14:05:08 +1000997If all of the criteria on the
Darren Tucker45150472006-07-12 22:34:17 +1000998.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +1000999line are satisfied, the keywords on the following lines override those
1000set in the global section of the config file, until either another
Darren Tucker45150472006-07-12 22:34:17 +10001001.Cm Match
Damien Miller8c234032006-07-24 14:05:08 +10001002line or the end of the file.
Damien Millerfc5d6752014-02-28 10:01:28 +11001003If a keyword appears in multiple
1004.Cm Match
sobrado@openbsd.org180bcb42014-08-30 16:32:25 +00001005blocks that are satisfied, only the first instance of the keyword is
Damien Millerfc5d6752014-02-28 10:01:28 +11001006applied.
Darren Tucker7a3935d2008-06-10 22:59:10 +10001007.Pp
Damien Millerd04f3572006-07-24 13:46:50 +10001008The arguments to
Darren Tucker45150472006-07-12 22:34:17 +10001009.Cm Match
Damien Millercf31f382013-10-24 21:02:56 +11001010are one or more criteria-pattern pairs or the single token
1011.Cm All
1012which matches all criteria.
Darren Tucker45150472006-07-12 22:34:17 +10001013The available criteria are
1014.Cm User ,
Damien Miller565ca3f2006-08-19 00:23:15 +10001015.Cm Group ,
Darren Tucker45150472006-07-12 22:34:17 +10001016.Cm Host ,
Darren Tuckerfbcf8272012-05-19 19:37:01 +10001017.Cm LocalAddress ,
1018.Cm LocalPort ,
Darren Tucker45150472006-07-12 22:34:17 +10001019and
1020.Cm Address .
Darren Tucker7a3935d2008-06-10 22:59:10 +10001021The match patterns may consist of single entries or comma-separated
1022lists and may use the wildcard and negation operators described in the
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001023.Sx PATTERNS
1024section of
Darren Tuckerb06cc4a2008-06-10 22:59:53 +10001025.Xr ssh_config 5 .
Darren Tucker7a3935d2008-06-10 22:59:10 +10001026.Pp
1027The patterns in an
1028.Cm Address
1029criteria may additionally contain addresses to match in CIDR
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001030address/masklen format,
1031such as 192.0.2.0/24 or 2001:db8::/32.
Darren Tucker7a3935d2008-06-10 22:59:10 +10001032Note that the mask length provided must be consistent with the address -
1033it is an error to specify a mask length that is too long for the address
Darren Tucker6a2a4002008-06-10 23:03:04 +10001034or one with bits set in this host portion of the address.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001035For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
Darren Tucker7a3935d2008-06-10 22:59:10 +10001036.Pp
Darren Tucker45150472006-07-12 22:34:17 +10001037Only a subset of keywords may be used on the lines following a
1038.Cm Match
1039keyword.
1040Available keywords are
Damien Millerf8268502012-06-20 21:54:15 +10001041.Cm AcceptEnv ,
Damien Miller17819012009-01-28 16:20:17 +11001042.Cm AllowAgentForwarding ,
Damien Millerf8268502012-06-20 21:54:15 +10001043.Cm AllowGroups ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001044.Cm AllowStreamLocalForwarding ,
Damien Miller9b439df2006-07-24 14:04:00 +10001045.Cm AllowTcpForwarding ,
Damien Millerc24da772012-06-20 21:53:58 +10001046.Cm AllowUsers ,
Damien Millera6e3f012012-11-04 23:21:40 +11001047.Cm AuthenticationMethods ,
Damien Miller09d3e122012-10-31 08:58:58 +11001048.Cm AuthorizedKeysCommand ,
1049.Cm AuthorizedKeysCommandUser ,
Damien Millerf33580e2012-11-04 22:22:52 +11001050.Cm AuthorizedKeysFile ,
djm@openbsd.orgb6b91082015-11-13 02:57:46 +00001051.Cm AuthorizedPrincipalsCommand ,
1052.Cm AuthorizedPrincipalsCommandUser ,
Damien Millerab6de352010-06-26 09:38:45 +10001053.Cm AuthorizedPrincipalsFile ,
Darren Tucker1629c072007-02-19 22:25:37 +11001054.Cm Banner ,
Damien Miller797e3d12008-05-19 14:27:42 +10001055.Cm ChrootDirectory ,
markus@openbsd.orgf0ddede2016-11-23 23:14:15 +00001056.Cm ClientAliveCountMax ,
1057.Cm ClientAliveInterval ,
Damien Millerc24da772012-06-20 21:53:58 +10001058.Cm DenyGroups ,
1059.Cm DenyUsers ,
Damien Millere2754432006-07-24 14:06:47 +10001060.Cm ForceCommand ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001061.Cm GatewayPorts ,
djm@openbsd.orgbd49da22015-02-20 23:46:01 +00001062.Cm GSSAPIAuthentication ,
djm@openbsd.org1f729f02015-01-13 07:39:19 +00001063.Cm HostbasedAcceptedKeyTypes ,
Damien Miller25434de2008-05-19 14:29:08 +10001064.Cm HostbasedAuthentication ,
Damien Millerab6de352010-06-26 09:38:45 +10001065.Cm HostbasedUsesNameFromPacketOnly ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001066.Cm IPQoS ,
Darren Tucker1d75f222007-03-01 21:31:28 +11001067.Cm KbdInteractiveAuthentication ,
Damien Miller5737e362007-03-06 21:21:18 +11001068.Cm KerberosAuthentication ,
Damien Miller307c1d12008-06-16 07:56:20 +10001069.Cm MaxAuthTries ,
Damien Millerc62a5af2008-06-16 07:55:46 +10001070.Cm MaxSessions ,
Darren Tucker1629c072007-02-19 22:25:37 +11001071.Cm PasswordAuthentication ,
Damien Miller51bde602008-11-03 19:23:10 +11001072.Cm PermitEmptyPasswords ,
Damien Millerd1de9952006-07-24 14:05:48 +10001073.Cm PermitOpen ,
Darren Tucker15f94272008-01-01 20:36:56 +11001074.Cm PermitRootLogin ,
Damien Miller5ff30c62013-10-30 22:21:50 +11001075.Cm PermitTTY ,
Damien Millerab6de352010-06-26 09:38:45 +10001076.Cm PermitTunnel ,
Damien Miller72e6b5c2014-07-04 09:00:04 +10001077.Cm PermitUserRC ,
djm@openbsd.org1f729f02015-01-13 07:39:19 +00001078.Cm PubkeyAcceptedKeyTypes ,
Darren Tucker1477ea12009-10-07 08:36:05 +11001079.Cm PubkeyAuthentication ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001080.Cm RekeyLimit ,
1081.Cm RevokedKeys ,
djm@openbsd.org18a208d2015-02-20 22:40:32 +00001082.Cm StreamLocalBindMask ,
1083.Cm StreamLocalBindUnlink ,
1084.Cm TrustedUserCAKeys ,
Damien Millerd1de9952006-07-24 14:05:48 +10001085.Cm X11DisplayOffset ,
Damien Miller19913842009-02-23 10:53:58 +11001086.Cm X11Forwarding
Darren Tucker45150472006-07-12 22:34:17 +10001087and
Damien Miller0296ae82009-02-23 11:00:24 +11001088.Cm X11UseLocalHost .
Darren Tucker89413db2004-05-24 10:36:23 +10001089.It Cm MaxAuthTries
1090Specifies the maximum number of authentication attempts permitted per
Damien Miller26213e52004-06-30 22:39:34 +10001091connection.
1092Once the number of failures reaches half this value,
1093additional failures are logged.
1094The default is 6.
Damien Miller7207f642008-05-19 15:34:50 +10001095.It Cm MaxSessions
djm@openbsd.orgcac3b662016-02-05 02:37:56 +00001096Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
1097sessions permitted per network connection.
1098Multiple sessions may be established by clients that support connection
1099multiplexing.
1100Setting
1101.Cm MaxSessions
1102to 1 will effectively disable session multiplexing, whereas setting it to 0
1103will prevent all shell, login and subsystem sessions while still permitting
1104forwarding.
Damien Miller7207f642008-05-19 15:34:50 +10001105The default is 10.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001106.It Cm MaxStartups
1107Specifies the maximum number of concurrent unauthenticated connections to the
Damien Miller5b0d63f2006-03-15 11:56:56 +11001108SSH daemon.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001109Additional connections will be dropped until authentication succeeds or the
1110.Cm LoginGraceTime
1111expires for a connection.
Damien Miller1f583df2013-02-12 11:02:08 +11001112The default is 10:30:100.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001113.Pp
1114Alternatively, random early drop can be enabled by specifying
1115the three colon separated values
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001116start:rate:full (e.g. "10:30:60").
Damien Millerf4f22b52006-03-15 11:57:25 +11001117.Xr sshd 8
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001118will refuse connection attempts with a probability of rate/100 (30%)
1119if there are currently start (10) unauthenticated connections.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001120The probability increases linearly and all connection attempts
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001121are refused if the number of unauthenticated connections reaches full (60).
Ben Lindstrom9f049032002-06-21 00:59:05 +00001122.It Cm PasswordAuthentication
1123Specifies whether password authentication is allowed.
1124The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001125.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001126.It Cm PermitEmptyPasswords
1127When password authentication is allowed, it specifies whether the
1128server allows login to accounts with empty password strings.
1129The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001130.Cm no .
Damien Miller9b439df2006-07-24 14:04:00 +10001131.It Cm PermitOpen
1132Specifies the destinations to which TCP port forwarding is permitted.
1133The forwarding specification must be one of the following forms:
1134.Pp
1135.Bl -item -offset indent -compact
1136.It
1137.Cm PermitOpen
1138.Sm off
1139.Ar host : port
1140.Sm on
1141.It
1142.Cm PermitOpen
1143.Sm off
1144.Ar IPv4_addr : port
1145.Sm on
1146.It
1147.Cm PermitOpen
1148.Sm off
1149.Ar \&[ IPv6_addr \&] : port
1150.Sm on
1151.El
1152.Pp
Damien Millera765cf42006-07-24 14:08:13 +10001153Multiple forwards may be specified by separating them with whitespace.
Damien Miller9b439df2006-07-24 14:04:00 +10001154An argument of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001155.Cm any
Damien Miller9b439df2006-07-24 14:04:00 +10001156can be used to remove all restrictions and permit any forwarding requests.
Darren Tuckerba9ea322012-05-19 19:37:33 +10001157An argument of
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001158.Cm none
Darren Tuckerba9ea322012-05-19 19:37:33 +10001159can be used to prohibit all forwarding requests.
jmc@openbsd.org32d921c2016-07-19 12:59:16 +00001160The wildcard
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001161.Sq *
jmc@openbsd.org32d921c2016-07-19 12:59:16 +00001162can be used for host or port to allow all hosts or ports, respectively.
Damien Miller65bc2c42006-07-24 14:04:16 +10001163By default all port forwarding requests are permitted.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001164.It Cm PermitRootLogin
Darren Tuckerb3509012005-01-20 11:01:46 +11001165Specifies whether root can log in using
Ben Lindstrom9f049032002-06-21 00:59:05 +00001166.Xr ssh 1 .
1167The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001168.Cm yes ,
1169.Cm prohibit-password ,
1170.Cm without-password ,
1171.Cm forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001172or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001173.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001174The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001175.Cm prohibit-password .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001176.Pp
1177If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001178.Cm prohibit-password
deraadt@openbsd.org1dc8d932015-08-06 14:53:21 +00001179or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001180.Cm without-password ,
deraadt@openbsd.org1dc8d932015-08-06 14:53:21 +00001181password and keyboard-interactive authentication are disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001182.Pp
1183If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001184.Cm forced-commands-only ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001185root login with public key authentication will be allowed,
1186but only if the
1187.Ar command
1188option has been specified
1189(which may be useful for taking remote backups even if root login is
Damien Millerfbf486b2003-05-23 18:44:23 +10001190normally not allowed).
1191All other authentication methods are disabled for root.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001192.Pp
1193If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001194.Cm no ,
Darren Tuckerb3509012005-01-20 11:01:46 +11001195root is not allowed to log in.
jmc@openbsd.orgf219fc82016-09-07 18:39:24 +00001196.It Cm PermitTTY
1197Specifies whether
1198.Xr pty 4
1199allocation is permitted.
1200The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001201.Cm yes .
Damien Millerd27b9472005-12-13 19:29:02 +11001202.It Cm PermitTunnel
1203Specifies whether
1204.Xr tun 4
1205device forwarding is allowed.
Damien Miller7b58e802005-12-13 19:33:19 +11001206The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001207.Cm yes ,
1208.Cm point-to-point
Damien Miller991dba42006-07-10 20:16:27 +10001209(layer 3),
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001210.Cm ethernet
Damien Miller991dba42006-07-10 20:16:27 +10001211(layer 2), or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001212.Cm no .
Damien Miller991dba42006-07-10 20:16:27 +10001213Specifying
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001214.Cm yes
Damien Miller991dba42006-07-10 20:16:27 +10001215permits both
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001216.Cm point-to-point
Damien Miller991dba42006-07-10 20:16:27 +10001217and
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001218.Cm ethernet .
Damien Millerd27b9472005-12-13 19:29:02 +11001219The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001220.Cm no .
djm@openbsd.org48dffd52014-09-09 09:45:36 +00001221.Pp
1222Independent of this setting, the permissions of the selected
1223.Xr tun 4
1224device must allow access to the user.
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001225.It Cm PermitUserEnvironment
1226Specifies whether
1227.Pa ~/.ssh/environment
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001228and
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001229.Cm environment=
1230options in
1231.Pa ~/.ssh/authorized_keys
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001232are processed by
Damien Miller5b0d63f2006-03-15 11:56:56 +11001233.Xr sshd 8 .
Ben Lindstrom5d860f02002-08-01 01:28:38 +00001234The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001235.Cm no .
Ben Lindstrombd9bf382002-08-20 18:54:20 +00001236Enabling environment processing may enable users to bypass access
1237restrictions in some configurations using mechanisms such as
1238.Ev LD_PRELOAD .
Damien Miller72e6b5c2014-07-04 09:00:04 +10001239.It Cm PermitUserRC
1240Specifies whether any
1241.Pa ~/.ssh/rc
1242file is executed.
1243The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001244.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001245.It Cm PidFile
Ben Lindstrom959de992002-06-23 00:35:25 +00001246Specifies the file that contains the process ID of the
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001247SSH daemon, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001248.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001249to not write one.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001250The default is
1251.Pa /var/run/sshd.pid .
1252.It Cm Port
1253Specifies the port number that
Damien Miller5b0d63f2006-03-15 11:56:56 +11001254.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001255listens on.
1256The default is 22.
1257Multiple options of this type are permitted.
1258See also
1259.Cm ListenAddress .
1260.It Cm PrintLastLog
1261Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001262.Xr sshd 8
Darren Tucker7cc5c232004-11-05 20:06:59 +11001263should print the date and time of the last user login when a user logs
1264in interactively.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001265The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001266.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001267.It Cm PrintMotd
1268Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001269.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001270should print
1271.Pa /etc/motd
1272when a user logs in interactively.
1273(On some systems it is also printed by the shell,
1274.Pa /etc/profile ,
1275or equivalent.)
1276The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001277.Cm yes .
djm@openbsd.org1f729f02015-01-13 07:39:19 +00001278.It Cm PubkeyAcceptedKeyTypes
1279Specifies the key types that will be accepted for public key authentication
1280as a comma-separated pattern list.
djm@openbsd.orgf9eca242015-07-30 00:01:34 +00001281Alternately if the specified value begins with a
1282.Sq +
1283character, then the specified key types will be appended to the default set
1284instead of replacing them.
djm@openbsd.org68bc8cf2017-02-03 23:01:19 +00001285If the specified value begins with a
1286.Sq -
1287character, then the specified key types (including wildcards) will be removed
1288from the default set instead of replacing them.
markus@openbsd.org3a1638d2015-07-10 06:21:53 +00001289The default for this option is:
1290.Bd -literal -offset 3n
1291ecdsa-sha2-nistp256-cert-v01@openssh.com,
1292ecdsa-sha2-nistp384-cert-v01@openssh.com,
1293ecdsa-sha2-nistp521-cert-v01@openssh.com,
1294ssh-ed25519-cert-v01@openssh.com,
1295ssh-rsa-cert-v01@openssh.com,
1296ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
djm@openbsd.org3a13cb52016-02-17 08:57:34 +00001297ssh-ed25519,ssh-rsa
markus@openbsd.org3a1638d2015-07-10 06:21:53 +00001298.Ed
1299.Pp
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001300The list of available key types may also be obtained using
1301.Qq ssh -Q key .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001302.It Cm PubkeyAuthentication
1303Specifies whether public key authentication is allowed.
1304The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001305.Cm yes .
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001306.It Cm RekeyLimit
1307Specifies the maximum amount of data that may be transmitted before the
1308session key is renegotiated, optionally followed a maximum amount of
1309time that may pass before the session key is renegotiated.
1310The first argument is specified in bytes and may have a suffix of
1311.Sq K ,
1312.Sq M ,
1313or
1314.Sq G
1315to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1316The default is between
1317.Sq 1G
1318and
1319.Sq 4G ,
1320depending on the cipher.
1321The optional second value is specified in seconds and may use any of the
1322units documented in the
1323.Sx TIME FORMATS
Darren Tucker64d22942013-05-16 20:31:29 +10001324section.
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001325The default value for
1326.Cm RekeyLimit
1327is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001328.Cm default none ,
Darren Tucker5f96f3b2013-05-16 20:29:28 +10001329which means that rekeying is performed after the cipher's default amount
1330of data has been sent or received and no time based rekeying is done.
Damien Miller1aed65e2010-03-04 21:53:35 +11001331.It Cm RevokedKeys
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001332Specifies revoked public keys file, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001333.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001334to not use one.
Damien Miller1aed65e2010-03-04 21:53:35 +11001335Keys listed in this file will be refused for public key authentication.
1336Note that if this file is not readable, then public key authentication will
1337be refused for all users.
Damien Millerf3747bf2013-01-18 11:44:04 +11001338Keys may be specified as a text file, listing one public key per line, or as
1339an OpenSSH Key Revocation List (KRL) as generated by
Damien Miller72abeb72013-01-20 22:33:44 +11001340.Xr ssh-keygen 1 .
Damien Millerfecfd112013-07-18 16:11:50 +10001341For more information on KRLs, see the KEY REVOCATION LISTS section in
Damien Millerf3747bf2013-01-18 11:44:04 +11001342.Xr ssh-keygen 1 .
Damien Miller7acefbb2014-07-18 14:11:24 +10001343.It Cm StreamLocalBindMask
1344Sets the octal file creation mode mask
1345.Pq umask
1346used when creating a Unix-domain socket file for local or remote
1347port forwarding.
1348This option is only used for port forwarding to a Unix-domain socket file.
1349.Pp
1350The default value is 0177, which creates a Unix-domain socket file that is
1351readable and writable only by the owner.
1352Note that not all operating systems honor the file mode on Unix-domain
1353socket files.
1354.It Cm StreamLocalBindUnlink
1355Specifies whether to remove an existing Unix-domain socket file for local
1356or remote port forwarding before creating a new one.
1357If the socket file already exists and
1358.Cm StreamLocalBindUnlink
1359is not enabled,
1360.Nm sshd
1361will be unable to forward the port to the Unix-domain socket file.
1362This option is only used for port forwarding to a Unix-domain socket file.
1363.Pp
1364The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001365.Cm yes
Damien Miller7acefbb2014-07-18 14:11:24 +10001366or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001367.Cm no .
Damien Miller7acefbb2014-07-18 14:11:24 +10001368The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001369.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001370.It Cm StrictModes
1371Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001372.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001373should check file modes and ownership of the
1374user's files and home directory before accepting login.
1375This is normally desirable because novices sometimes accidentally leave their
1376directory or files world-writable.
1377The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001378.Cm yes .
Darren Tuckerf788a912010-01-08 17:06:47 +11001379Note that this does not apply to
1380.Cm ChrootDirectory ,
1381whose permissions and ownership are checked unconditionally.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001382.It Cm Subsystem
Damien Miller208f1ed2006-03-15 11:56:03 +11001383Configures an external subsystem (e.g. file transfer daemon).
Damien Miller917f9b62006-07-10 20:36:47 +10001384Arguments should be a subsystem name and a command (with optional arguments)
1385to execute upon subsystem request.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001386.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +00001387The command
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001388.Cm sftp-server
1389implements the SFTP file transfer subsystem.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001390.Pp
1391Alternately the name
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001392.Cm internal-sftp
1393implements an in-process SFTP server.
Damien Millerd8cb1f12008-02-10 22:40:12 +11001394This may simplify configurations using
1395.Cm ChrootDirectory
1396to force a different filesystem root on clients.
1397.Pp
Ben Lindstrom9f049032002-06-21 00:59:05 +00001398By default no subsystems are defined.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001399.It Cm SyslogFacility
1400Gives the facility code that is used when logging messages from
Damien Millerf4f22b52006-03-15 11:57:25 +11001401.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001402The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1403LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1404The default is AUTH.
Damien Miller12c150e2003-12-17 16:31:10 +11001405.It Cm TCPKeepAlive
1406Specifies whether the system should send TCP keepalive messages to the
1407other side.
1408If they are sent, death of the connection or crash of one
1409of the machines will be properly noticed.
1410However, this means that
1411connections will die if the route is down temporarily, and some people
1412find it annoying.
1413On the other hand, if TCP keepalives are not sent,
1414sessions may hang indefinitely on the server, leaving
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001415.Qq ghost
Damien Miller12c150e2003-12-17 16:31:10 +11001416users and consuming server resources.
1417.Pp
1418The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001419.Cm yes
Damien Miller12c150e2003-12-17 16:31:10 +11001420(to send TCP keepalive messages), and the server will notice
1421if the network goes down or the client host crashes.
1422This avoids infinitely hanging sessions.
1423.Pp
1424To disable TCP keepalive messages, the value should be set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001425.Cm no .
Damien Miller1aed65e2010-03-04 21:53:35 +11001426.It Cm TrustedUserCAKeys
1427Specifies a file containing public keys of certificate authorities that are
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001428trusted to sign user certificates for authentication, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001429.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001430to not use one.
Damien Miller72b33822010-03-05 07:39:01 +11001431Keys are listed one per line; empty lines and comments starting with
Damien Miller1aed65e2010-03-04 21:53:35 +11001432.Ql #
1433are allowed.
1434If a certificate is presented for authentication and has its signing CA key
1435listed in this file, then it may be used for authentication for any user
1436listed in the certificate's principals list.
1437Note that certificates that lack a list of principals will not be permitted
1438for authentication using
1439.Cm TrustedUserCAKeys .
Damien Millerfecfd112013-07-18 16:11:50 +10001440For more details on certificates, see the CERTIFICATES section in
Damien Miller1aed65e2010-03-04 21:53:35 +11001441.Xr ssh-keygen 1 .
Damien Miller3a961dc2003-06-03 10:25:48 +10001442.It Cm UseDNS
1443Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001444.Xr sshd 8
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001445should look up the remote host name, and to check that
Damien Miller3a961dc2003-06-03 10:25:48 +10001446the resolved host name for the remote IP address maps back to the
1447very same IP address.
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001448.Pp
1449If this option is set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001450.Cm no
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001451(the default) then only addresses and not host names may be used in
djm@openbsd.org0235a5f2016-03-17 17:19:43 +00001452.Pa ~/.ssh/authorized_keys
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001453.Cm from
1454and
jmc@openbsd.org1f8d3d62015-08-14 15:32:41 +00001455.Nm
djm@openbsd.orgc63c9a62015-07-20 00:30:01 +00001456.Cm Match
1457.Cm Host
1458directives.
Damien Miller2e193e22003-05-14 15:13:03 +10001459.It Cm UsePAM
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001460Enables the Pluggable Authentication Module interface.
1461If set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001462.Cm yes
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001463this will enable PAM authentication using
1464.Cm ChallengeResponseAuthentication
Darren Tuckera4904f72006-02-23 21:35:30 +11001465and
1466.Cm PasswordAuthentication
1467in addition to PAM account and session module processing for all
1468authentication types.
Darren Tucker1dcff9a2004-05-13 16:51:40 +10001469.Pp
1470Because PAM challenge-response authentication usually serves an equivalent
1471role to password authentication, you should disable either
1472.Cm PasswordAuthentication
1473or
1474.Cm ChallengeResponseAuthentication.
1475.Pp
1476If
1477.Cm UsePAM
1478is enabled, you will not be able to run
1479.Xr sshd 8
1480as a non-root user.
1481The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001482.Cm no .
Damien Miller23528812012-04-22 11:24:43 +10001483.It Cm VersionAddendum
1484Optionally specifies additional text to append to the SSH protocol banner
1485sent by the server upon connection.
1486The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001487.Cm none .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001488.It Cm X11DisplayOffset
1489Specifies the first display number available for
Damien Miller5b0d63f2006-03-15 11:56:56 +11001490.Xr sshd 8 Ns 's
Ben Lindstrom9f049032002-06-21 00:59:05 +00001491X11 forwarding.
Damien Miller5b0d63f2006-03-15 11:56:56 +11001492This prevents sshd from interfering with real X11 servers.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001493The default is 10.
1494.It Cm X11Forwarding
1495Specifies whether X11 forwarding is permitted.
Damien Miller101c4a72002-09-19 11:51:21 +10001496The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001497.Cm yes
Damien Miller101c4a72002-09-19 11:51:21 +10001498or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001499.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001500The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001501.Cm no .
Damien Miller101c4a72002-09-19 11:51:21 +10001502.Pp
1503When X11 forwarding is enabled, there may be additional exposure to
1504the server and to client displays if the
Damien Miller5b0d63f2006-03-15 11:56:56 +11001505.Xr sshd 8
Damien Miller101c4a72002-09-19 11:51:21 +10001506proxy display is configured to listen on the wildcard address (see
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001507.Cm X11UseLocalhost ) ,
1508though this is not the default.
Damien Miller101c4a72002-09-19 11:51:21 +10001509Additionally, the authentication spoofing and authentication data
1510verification and substitution occur on the client side.
1511The security risk of using X11 forwarding is that the client's X11
Damien Miller5b0d63f2006-03-15 11:56:56 +11001512display server may be exposed to attack when the SSH client requests
Damien Miller101c4a72002-09-19 11:51:21 +10001513forwarding (see the warnings for
1514.Cm ForwardX11
1515in
Damien Millerf1ce5052003-06-11 22:04:39 +10001516.Xr ssh_config 5 ) .
Damien Miller101c4a72002-09-19 11:51:21 +10001517A system administrator may have a stance in which they want to
1518protect clients that may expose themselves to attack by unwittingly
1519requesting X11 forwarding, which can warrant a
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001520.Cm no
Damien Miller101c4a72002-09-19 11:51:21 +10001521setting.
1522.Pp
1523Note that disabling X11 forwarding does not prevent users from
1524forwarding X11 traffic, as users can always install their own forwarders.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001525.It Cm X11UseLocalhost
1526Specifies whether
Damien Miller5b0d63f2006-03-15 11:56:56 +11001527.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001528should bind the X11 forwarding server to the loopback address or to
Damien Miller495dca32003-04-01 21:42:14 +10001529the wildcard address.
1530By default,
Damien Miller5b0d63f2006-03-15 11:56:56 +11001531sshd binds the forwarding server to the loopback address and sets the
Ben Lindstrom9f049032002-06-21 00:59:05 +00001532hostname part of the
1533.Ev DISPLAY
1534environment variable to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001535.Cm localhost .
Ben Lindstrom15b61202002-08-20 18:44:24 +00001536This prevents remote hosts from connecting to the proxy display.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001537However, some older X11 clients may not function with this
1538configuration.
1539.Cm X11UseLocalhost
1540may be set to
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001541.Cm no
Ben Lindstrom9f049032002-06-21 00:59:05 +00001542to specify that the forwarding server should be bound to the wildcard
1543address.
1544The argument must be
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001545.Cm yes
Ben Lindstrom9f049032002-06-21 00:59:05 +00001546or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001547.Cm no .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001548The default is
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001549.Cm yes .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001550.It Cm XAuthLocation
Damien Miller05913ba2002-09-04 16:51:03 +10001551Specifies the full pathname of the
Ben Lindstrom9f049032002-06-21 00:59:05 +00001552.Xr xauth 1
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001553program, or
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001554.Cm none
dtucker@openbsd.org6cc7cfa2015-04-16 23:25:50 +00001555to not use one.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001556The default is
1557.Pa /usr/X11R6/bin/xauth .
1558.El
Damien Millere3beba22006-03-15 11:59:25 +11001559.Sh TIME FORMATS
Damien Millerf4f22b52006-03-15 11:57:25 +11001560.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001561command-line arguments and configuration file options that specify time
1562may be expressed using a sequence of the form:
1563.Sm off
Ben Lindstrom1f8cf4f2002-08-20 18:43:27 +00001564.Ar time Op Ar qualifier ,
Ben Lindstrom9f049032002-06-21 00:59:05 +00001565.Sm on
1566where
1567.Ar time
1568is a positive integer value and
1569.Ar qualifier
1570is one of the following:
1571.Pp
1572.Bl -tag -width Ds -compact -offset indent
Damien Miller393821a2006-07-24 14:04:53 +10001573.It Aq Cm none
Ben Lindstrom9f049032002-06-21 00:59:05 +00001574seconds
1575.It Cm s | Cm S
1576seconds
1577.It Cm m | Cm M
1578minutes
1579.It Cm h | Cm H
1580hours
1581.It Cm d | Cm D
1582days
1583.It Cm w | Cm W
1584weeks
1585.El
1586.Pp
1587Each member of the sequence is added together to calculate
1588the total time value.
1589.Pp
1590Time format examples:
1591.Pp
1592.Bl -tag -width Ds -compact -offset indent
1593.It 600
1594600 seconds (10 minutes)
1595.It 10m
159610 minutes
1597.It 1h30m
15981 hour 30 minutes (90 minutes)
1599.El
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001600.Sh TOKENS
1601Arguments to some keywords can make use of tokens,
1602which are expanded at runtime:
1603.Pp
1604.Bl -tag -width XXXX -offset indent -compact
1605.It %%
1606A literal
1607.Sq % .
1608.It %F
1609The fingerprint of the CA key.
1610.It %f
1611The fingerprint of the key or certificate.
1612.It %h
1613The home directory of the user.
1614.It %i
1615The key ID in the certificate.
1616.It %K
1617The base64-encoded CA key.
1618.It %k
1619The base64-encoded key or certificate for authentication.
1620.It %s
1621The serial number of the certificate.
1622.It \&%T
1623The type of the CA key.
1624.It %t
1625The key or certificate type.
1626.It %u
1627The username.
1628.El
1629.Pp
1630.Cm AuthorizedKeysCommand
jmc@openbsd.orga1187bd2017-01-06 16:28:12 +00001631accepts the tokens %%, %f, %h, %k, %t, and %u.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001632.Pp
1633.Cm AuthorizedKeysFile
1634accepts the tokens %%, %h, and %u.
1635.Pp
1636.Cm AuthorizedPrincipalsCommand
jmc@openbsd.orga1187bd2017-01-06 16:28:12 +00001637accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, and %u.
jmc@openbsd.orgde6a1752016-09-22 19:19:01 +00001638.Pp
1639.Cm AuthorizedPrincipalsFile
1640accepts the tokens %%, %h, and %u.
1641.Pp
1642.Cm ChrootDirectory
1643accepts the tokens %%, %h, and %u.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001644.Sh FILES
1645.Bl -tag -width Ds
1646.It Pa /etc/ssh/sshd_config
1647Contains configuration data for
Damien Millerf4f22b52006-03-15 11:57:25 +11001648.Xr sshd 8 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001649This file should be writable by root only, but it is recommended
1650(though not necessary) that it be world-readable.
1651.El
Damien Millerf1ce5052003-06-11 22:04:39 +10001652.Sh SEE ALSO
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001653.Xr sftp-server 8 ,
Damien Millerf1ce5052003-06-11 22:04:39 +10001654.Xr sshd 8
Ben Lindstrom9f049032002-06-21 00:59:05 +00001655.Sh AUTHORS
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001656.An -nosplit
Ben Lindstrom9f049032002-06-21 00:59:05 +00001657OpenSSH is a derivative of the original and free
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001658ssh 1.2.12 release by
1659.An Tatu Ylonen .
1660.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,
1661.An Theo de Raadt
1662and
1663.An Dug Song
Ben Lindstrom9f049032002-06-21 00:59:05 +00001664removed many bugs, re-added newer features and
1665created OpenSSH.
jmc@openbsd.orgaae4dbd2016-10-07 14:41:52 +00001666.An Markus Friedl
1667contributed the support for SSH protocol versions 1.5 and 2.0.
1668.An Niels Provos
1669and
1670.An Markus Friedl
1671contributed support for privilege separation.