]> andersk Git - gssapi-openssh.git/blame - openssh/sshd_config.5
http://www.sxw.org.uk/computing/patches/openssh-4.2p1-gsskex-20050926-2.patch
[gssapi-openssh.git] / openssh / sshd_config.5
CommitLineData
f5799ae1 1.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16.\"
17.\" Redistribution and use in source and binary forms, with or without
18.\" modification, are permitted provided that the following conditions
19.\" are met:
20.\" 1. Redistributions of source code must retain the above copyright
21.\" notice, this list of conditions and the following disclaimer.
22.\" 2. Redistributions in binary form must reproduce the above copyright
23.\" notice, this list of conditions and the following disclaimer in the
24.\" documentation and/or other materials provided with the distribution.
25.\"
26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
665a873d 37.\" $OpenBSD: sshd_config.5,v 1.44 2005/07/25 11:59:40 markus Exp $
f5799ae1 38.Dd September 25, 1999
39.Dt SSHD_CONFIG 5
40.Os
41.Sh NAME
42.Nm sshd_config
43.Nd OpenSSH SSH daemon configuration file
44.Sh SYNOPSIS
45.Bl -tag -width Ds -compact
46.It Pa /etc/ssh/sshd_config
47.El
48.Sh DESCRIPTION
49.Nm sshd
50reads configuration data from
51.Pa /etc/ssh/sshd_config
52(or the file specified with
53.Fl f
54on the command line).
55The file contains keyword-argument pairs, one per line.
56Lines starting with
57.Ql #
58and empty lines are interpreted as comments.
59.Pp
60The possible
61keywords and their meanings are as follows (note that
62keywords are case-insensitive and arguments are case-sensitive):
63.Bl -tag -width Ds
c9f39d2c 64.It Cm AcceptEnv
65Specifies what environment variables sent by the client will be copied into
66the session's
67.Xr environ 7 .
68See
69.Cm SendEnv
70in
71.Xr ssh_config 5
72for how to configure the client.
73Note that environment passing is only supported for protocol 2.
74Variables are specified by name, which may contain the wildcard characters
75.Ql \&*
76and
77.Ql \&? .
78Multiple environment variables may be separated by whitespace or spread
79across multiple
80.Cm AcceptEnv
81directives.
82Be warned that some environment variables could be used to bypass restricted
83user environments.
84For this reason, care should be taken in the use of this directive.
85The default is not to accept any environment variables.
996d5e62 86.It Cm AddressFamily
87Specifies which address family should be used by
88.Nm sshd .
89Valid arguments are
90.Dq any ,
91.Dq inet
92(use IPv4 only) or
93.Dq inet6
94(use IPv6 only).
95The default is
96.Dq any .
f5799ae1 97.It Cm AllowGroups
98This keyword can be followed by a list of group name patterns, separated
99by spaces.
100If specified, login is allowed only for users whose primary
101group or supplementary group list matches one of the patterns.
102.Ql \&*
103and
0fff78ff 104.Ql \&?
f5799ae1 105can be used as
106wildcards in the patterns.
107Only group names are valid; a numerical group ID is not recognized.
108By default, login is allowed for all groups.
f5799ae1 109.It Cm AllowTcpForwarding
110Specifies whether TCP forwarding is permitted.
111The default is
112.Dq yes .
113Note that disabling TCP forwarding does not improve security unless
114users are also denied shell access, as they can always install their
115own forwarders.
f5799ae1 116.It Cm AllowUsers
117This keyword can be followed by a list of user name patterns, separated
118by spaces.
6a9b3198 119If specified, login is allowed only for user names that
f5799ae1 120match one of the patterns.
121.Ql \&*
122and
0fff78ff 123.Ql \&?
f5799ae1 124can be used as
125wildcards in the patterns.
126Only user names are valid; a numerical user ID is not recognized.
127By default, login is allowed for all users.
128If the pattern takes the form USER@HOST then USER and HOST
129are separately checked, restricting logins to particular
130users from particular hosts.
f5799ae1 131.It Cm AuthorizedKeysFile
132Specifies the file that contains the public keys that can be used
133for user authentication.
134.Cm AuthorizedKeysFile
135may contain tokens of the form %T which are substituted during connection
0fff78ff 136set-up.
137The following tokens are defined: %% is replaced by a literal '%',
f5799ae1 138%h is replaced by the home directory of the user being authenticated and
139%u is replaced by the username of that user.
140After expansion,
141.Cm AuthorizedKeysFile
142is taken to be an absolute path or one relative to the user's home
143directory.
144The default is
145.Dq .ssh/authorized_keys .
146.It Cm Banner
147In some jurisdictions, sending a warning message before authentication
148may be relevant for getting legal protection.
149The contents of the specified file are sent to the remote user before
150authentication is allowed.
151This option is only available for protocol version 2.
152By default, no banner is displayed.
f5799ae1 153.It Cm ChallengeResponseAuthentication
154Specifies whether challenge response authentication is allowed.
155All authentication styles from
156.Xr login.conf 5
157are supported.
158The default is
159.Dq yes .
160.It Cm Ciphers
161Specifies the ciphers allowed for protocol version 2.
162Multiple ciphers must be comma-separated.
c9f39d2c 163The supported ciphers are
164.Dq 3des-cbc ,
165.Dq aes128-cbc ,
166.Dq aes192-cbc ,
167.Dq aes256-cbc ,
168.Dq aes128-ctr ,
169.Dq aes192-ctr ,
170.Dq aes256-ctr ,
665a873d 171.Dq arcfour128 ,
172.Dq arcfour256 ,
c9f39d2c 173.Dq arcfour ,
174.Dq blowfish-cbc ,
175and
176.Dq cast128-cbc .
f5799ae1 177The default is
f5799ae1 178.Bd -literal
665a873d 179 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
180 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
181 aes192-ctr,aes256-ctr''
f5799ae1 182.Ed
f5799ae1 183.It Cm ClientAliveCountMax
184Sets the number of client alive messages (see above) which may be
185sent without
186.Nm sshd
0fff78ff 187receiving any messages back from the client.
188If this threshold is reached while client alive messages are being sent,
f5799ae1 189.Nm sshd
0fff78ff 190will disconnect the client, terminating the session.
191It is important to note that the use of client alive messages is very
192different from
cdd66111 193.Cm TCPKeepAlive
0fff78ff 194(below).
195The client alive messages are sent through the encrypted channel
196and therefore will not be spoofable.
197The TCP keepalive option enabled by
cdd66111 198.Cm TCPKeepAlive
0fff78ff 199is spoofable.
200The client alive mechanism is valuable when the client or
f5799ae1 201server depend on knowing when a connection has become inactive.
202.Pp
0fff78ff 203The default value is 3.
204If
f5799ae1 205.Cm ClientAliveInterval
206(above) is set to 15, and
207.Cm ClientAliveCountMax
208is left at the default, unresponsive ssh clients
209will be disconnected after approximately 45 seconds.
665a873d 210.It Cm ClientAliveInterval
211Sets a timeout interval in seconds after which if no data has been received
212from the client,
213.Nm sshd
214will send a message through the encrypted
215channel to request a response from the client.
216The default
217is 0, indicating that these messages will not be sent to the client.
218This option applies to protocol version 2 only.
f5799ae1 219.It Cm Compression
665a873d 220Specifies whether compression is allowed, or delayed until
221the user has authenticated successfully.
f5799ae1 222The argument must be
665a873d 223.Dq yes ,
224.Dq delayed ,
f5799ae1 225or
226.Dq no .
227The default is
665a873d 228.Dq delayed .
f5799ae1 229.It Cm DenyGroups
230This keyword can be followed by a list of group name patterns, separated
231by spaces.
232Login is disallowed for users whose primary group or supplementary
233group list matches one of the patterns.
234.Ql \&*
235and
0fff78ff 236.Ql \&?
f5799ae1 237can be used as
238wildcards in the patterns.
239Only group names are valid; a numerical group ID is not recognized.
240By default, login is allowed for all groups.
f5799ae1 241.It Cm DenyUsers
242This keyword can be followed by a list of user name patterns, separated
243by spaces.
244Login is disallowed for user names that match one of the patterns.
245.Ql \&*
246and
0fff78ff 247.Ql \&?
f5799ae1 248can be used as wildcards in the patterns.
249Only user names are valid; a numerical user ID is not recognized.
250By default, login is allowed for all users.
251If the pattern takes the form USER@HOST then USER and HOST
252are separately checked, restricting logins to particular
253users from particular hosts.
254.It Cm GatewayPorts
255Specifies whether remote hosts are allowed to connect to ports
256forwarded for the client.
257By default,
258.Nm sshd
6a9b3198 259binds remote port forwardings to the loopback address.
260This prevents other remote hosts from connecting to forwarded ports.
f5799ae1 261.Cm GatewayPorts
262can be used to specify that
263.Nm sshd
996d5e62 264should allow remote port forwardings to bind to non-loopback addresses, thus
265allowing other hosts to connect.
266The argument may be
267.Dq no
268to force remote port forwardings to be available to the local host only,
f5799ae1 269.Dq yes
996d5e62 270to force remote port forwardings to bind to the wildcard address, or
271.Dq clientspecified
272to allow the client to select the address to which the forwarding is bound.
f5799ae1 273The default is
274.Dq no .
0fff78ff 275.It Cm GSSAPIAuthentication
276Specifies whether user authentication based on GSSAPI is allowed.
cdd66111 277The default is
0fff78ff 278.Dq no .
279Note that this option applies to protocol version 2 only.
280.It Cm GSSAPICleanupCredentials
281Specifies whether to automatically destroy the user's credentials cache
282on logout.
283The default is
284.Dq yes .
285Note that this option applies to protocol version 2 only.
f5799ae1 286.It Cm HostbasedAuthentication
287Specifies whether rhosts or /etc/hosts.equiv authentication together
288with successful public key client host authentication is allowed
289(hostbased authentication).
290This option is similar to
291.Cm RhostsRSAAuthentication
292and applies to protocol version 2 only.
293The default is
294.Dq no .
295.It Cm HostKey
296Specifies a file containing a private host key
297used by SSH.
298The default is
299.Pa /etc/ssh/ssh_host_key
300for protocol version 1, and
301.Pa /etc/ssh/ssh_host_rsa_key
302and
303.Pa /etc/ssh/ssh_host_dsa_key
304for protocol version 2.
305Note that
306.Nm sshd
307will refuse to use a file if it is group/world-accessible.
308It is possible to have multiple host key files.
309.Dq rsa1
310keys are used for version 1 and
311.Dq dsa
312or
313.Dq rsa
314are used for version 2 of the SSH protocol.
315.It Cm IgnoreRhosts
316Specifies that
317.Pa .rhosts
318and
319.Pa .shosts
320files will not be used in
f5799ae1 321.Cm RhostsRSAAuthentication
322or
323.Cm HostbasedAuthentication .
324.Pp
325.Pa /etc/hosts.equiv
326and
327.Pa /etc/shosts.equiv
328are still used.
329The default is
330.Dq yes .
331.It Cm IgnoreUserKnownHosts
332Specifies whether
333.Nm sshd
334should ignore the user's
665a873d 335.Pa ~/.ssh/known_hosts
f5799ae1 336during
337.Cm RhostsRSAAuthentication
338or
339.Cm HostbasedAuthentication .
340The default is
341.Dq no .
f5799ae1 342.It Cm KerberosAuthentication
0fff78ff 343Specifies whether the password provided by the user for
f5799ae1 344.Cm PasswordAuthentication
0fff78ff 345will be validated through the Kerberos KDC.
f5799ae1 346To use this option, the server needs a
347Kerberos servtab which allows the verification of the KDC's identity.
348Default is
349.Dq no .
99be0775 350.It Cm KerberosGetAFSToken
351If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
352an AFS token before accessing the user's home directory.
353Default is
354.Dq no .
f5799ae1 355.It Cm KerberosOrLocalPasswd
356If set then if password authentication through Kerberos fails then
357the password will be validated via any additional local mechanism
358such as
359.Pa /etc/passwd .
360Default is
361.Dq yes .
f5799ae1 362.It Cm KerberosTicketCleanup
363Specifies whether to automatically destroy the user's ticket cache
364file on logout.
365Default is
366.Dq yes .
367.It Cm KeyRegenerationInterval
368In protocol version 1, the ephemeral server key is automatically regenerated
369after this many seconds (if it has been used).
370The purpose of regeneration is to prevent
371decrypting captured sessions by later breaking into the machine and
372stealing the keys.
373The key is never stored anywhere.
374If the value is 0, the key is never regenerated.
375The default is 3600 (seconds).
376.It Cm ListenAddress
377Specifies the local addresses
378.Nm sshd
379should listen on.
380The following forms may be used:
381.Pp
382.Bl -item -offset indent -compact
383.It
384.Cm ListenAddress
385.Sm off
386.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
387.Sm on
388.It
389.Cm ListenAddress
390.Sm off
391.Ar host No | Ar IPv4_addr No : Ar port
392.Sm on
393.It
394.Cm ListenAddress
395.Sm off
396.Oo
397.Ar host No | Ar IPv6_addr Oc : Ar port
398.Sm on
399.El
400.Pp
401If
402.Ar port
403is not specified,
404.Nm sshd
405will listen on the address and all prior
406.Cm Port
0fff78ff 407options specified.
408The default is to listen on all local addresses.
6a9b3198 409Multiple
f5799ae1 410.Cm ListenAddress
0fff78ff 411options are permitted.
412Additionally, any
f5799ae1 413.Cm Port
414options must precede this option for non port qualified addresses.
415.It Cm LoginGraceTime
416The server disconnects after this time if the user has not
417successfully logged in.
418If the value is 0, there is no time limit.
41b2f314 419The default is 120 seconds.
f5799ae1 420.It Cm LogLevel
421Gives the verbosity level that is used when logging messages from
422.Nm sshd .
423The possible values are:
424QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
6a9b3198 425The default is INFO.
426DEBUG and DEBUG1 are equivalent.
427DEBUG2 and DEBUG3 each specify higher levels of debugging output.
428Logging with a DEBUG level violates the privacy of users and is not recommended.
f5799ae1 429.It Cm MACs
430Specifies the available MAC (message authentication code) algorithms.
431The MAC algorithm is used in protocol version 2
432for data integrity protection.
433Multiple algorithms must be comma-separated.
434The default is
435.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
c9f39d2c 436.It Cm MaxAuthTries
437Specifies the maximum number of authentication attempts permitted per
438connection.
439Once the number of failures reaches half this value,
440additional failures are logged.
441The default is 6.
f5799ae1 442.It Cm MaxStartups
443Specifies the maximum number of concurrent unauthenticated connections to the
444.Nm sshd
445daemon.
446Additional connections will be dropped until authentication succeeds or the
447.Cm LoginGraceTime
448expires for a connection.
449The default is 10.
450.Pp
451Alternatively, random early drop can be enabled by specifying
452the three colon separated values
453.Dq start:rate:full
454(e.g., "10:30:60").
455.Nm sshd
456will refuse connection attempts with a probability of
457.Dq rate/100
458(30%)
459if there are currently
460.Dq start
461(10)
462unauthenticated connections.
463The probability increases linearly and all connection attempts
464are refused if the number of unauthenticated connections reaches
465.Dq full
466(60).
467.It Cm PasswordAuthentication
468Specifies whether password authentication is allowed.
469The default is
470.Dq yes .
471.It Cm PermitEmptyPasswords
472When password authentication is allowed, it specifies whether the
473server allows login to accounts with empty password strings.
474The default is
475.Dq no .
476.It Cm PermitRootLogin
996d5e62 477Specifies whether root can log in using
f5799ae1 478.Xr ssh 1 .
479The argument must be
480.Dq yes ,
481.Dq without-password ,
482.Dq forced-commands-only
483or
484.Dq no .
485The default is
486.Dq yes .
487.Pp
488If this option is set to
489.Dq without-password
996d5e62 490password authentication is disabled for root.
f5799ae1 491.Pp
492If this option is set to
493.Dq forced-commands-only
494root login with public key authentication will be allowed,
495but only if the
496.Ar command
497option has been specified
498(which may be useful for taking remote backups even if root login is
0fff78ff 499normally not allowed).
500All other authentication methods are disabled for root.
f5799ae1 501.Pp
502If this option is set to
503.Dq no
996d5e62 504root is not allowed to log in.
41b2f314 505.It Cm PermitUserEnvironment
506Specifies whether
507.Pa ~/.ssh/environment
508and
509.Cm environment=
510options in
511.Pa ~/.ssh/authorized_keys
512are processed by
513.Nm sshd .
514The default is
515.Dq no .
516Enabling environment processing may enable users to bypass access
517restrictions in some configurations using mechanisms such as
518.Ev LD_PRELOAD .
f5799ae1 519.It Cm PidFile
680cee3b 520Specifies the file that contains the process ID of the
f5799ae1 521.Nm sshd
522daemon.
523The default is
524.Pa /var/run/sshd.pid .
525.It Cm Port
526Specifies the port number that
527.Nm sshd
528listens on.
529The default is 22.
530Multiple options of this type are permitted.
531See also
532.Cm ListenAddress .
533.It Cm PrintLastLog
534Specifies whether
535.Nm sshd
996d5e62 536should print the date and time of the last user login when a user logs
537in interactively.
f5799ae1 538The default is
539.Dq yes .
540.It Cm PrintMotd
541Specifies whether
542.Nm sshd
543should print
544.Pa /etc/motd
545when a user logs in interactively.
546(On some systems it is also printed by the shell,
547.Pa /etc/profile ,
548or equivalent.)
549The default is
550.Dq yes .
551.It Cm Protocol
552Specifies the protocol versions
553.Nm sshd
41b2f314 554supports.
f5799ae1 555The possible values are
556.Dq 1
557and
558.Dq 2 .
559Multiple versions must be comma-separated.
560The default is
561.Dq 2,1 .
41b2f314 562Note that the order of the protocol list does not indicate preference,
563because the client selects among multiple protocol versions offered
564by the server.
565Specifying
566.Dq 2,1
567is identical to
568.Dq 1,2 .
f5799ae1 569.It Cm PubkeyAuthentication
570Specifies whether public key authentication is allowed.
571The default is
572.Dq yes .
573Note that this option applies to protocol version 2 only.
f5799ae1 574.It Cm RhostsRSAAuthentication
575Specifies whether rhosts or /etc/hosts.equiv authentication together
576with successful RSA host authentication is allowed.
577The default is
578.Dq no .
579This option applies to protocol version 1 only.
580.It Cm RSAAuthentication
581Specifies whether pure RSA authentication is allowed.
582The default is
583.Dq yes .
584This option applies to protocol version 1 only.
585.It Cm ServerKeyBits
586Defines the number of bits in the ephemeral protocol version 1 server key.
587The minimum value is 512, and the default is 768.
588.It Cm StrictModes
589Specifies whether
590.Nm sshd
591should check file modes and ownership of the
592user's files and home directory before accepting login.
593This is normally desirable because novices sometimes accidentally leave their
594directory or files world-writable.
595The default is
596.Dq yes .
597.It Cm Subsystem
598Configures an external subsystem (e.g., file transfer daemon).
599Arguments should be a subsystem name and a command to execute upon subsystem
600request.
601The command
602.Xr sftp-server 8
603implements the
604.Dq sftp
605file transfer subsystem.
606By default no subsystems are defined.
607Note that this option applies to protocol version 2 only.
608.It Cm SyslogFacility
609Gives the facility code that is used when logging messages from
610.Nm sshd .
611The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
612LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
613The default is AUTH.
cdd66111 614.It Cm TCPKeepAlive
615Specifies whether the system should send TCP keepalive messages to the
616other side.
617If they are sent, death of the connection or crash of one
618of the machines will be properly noticed.
619However, this means that
620connections will die if the route is down temporarily, and some people
621find it annoying.
622On the other hand, if TCP keepalives are not sent,
623sessions may hang indefinitely on the server, leaving
624.Dq ghost
625users and consuming server resources.
626.Pp
627The default is
628.Dq yes
629(to send TCP keepalive messages), and the server will notice
630if the network goes down or the client host crashes.
631This avoids infinitely hanging sessions.
632.Pp
633To disable TCP keepalive messages, the value should be set to
634.Dq no .
0fff78ff 635.It Cm UseDNS
636Specifies whether
637.Nm sshd
dec6d9fe 638should look up the remote host name and check that
0fff78ff 639the resolved host name for the remote IP address maps back to the
640very same IP address.
641The default is
642.Dq yes .
f5799ae1 643.It Cm UseLogin
644Specifies whether
645.Xr login 1
646is used for interactive login sessions.
647The default is
648.Dq no .
649Note that
650.Xr login 1
651is never used for remote command execution.
652Note also, that if this is enabled,
653.Cm X11Forwarding
654will be disabled because
655.Xr login 1
656does not know how to handle
657.Xr xauth 1
6a9b3198 658cookies.
659If
f5799ae1 660.Cm UsePrivilegeSeparation
661is specified, it will be disabled after authentication.
0fff78ff 662.It Cm UsePAM
c9f39d2c 663Enables the Pluggable Authentication Module interface.
664If set to
665.Dq yes
666this will enable PAM authentication using
667.Cm ChallengeResponseAuthentication
668and PAM account and session module processing for all authentication types.
669.Pp
670Because PAM challenge-response authentication usually serves an equivalent
671role to password authentication, you should disable either
672.Cm PasswordAuthentication
673or
674.Cm ChallengeResponseAuthentication.
675.Pp
676If
677.Cm UsePAM
678is enabled, you will not be able to run
679.Xr sshd 8
680as a non-root user.
681The default is
cdd66111 682.Dq no .
f5799ae1 683.It Cm UsePrivilegeSeparation
684Specifies whether
685.Nm sshd
686separates privileges by creating an unprivileged child process
6a9b3198 687to deal with incoming network traffic.
688After successful authentication, another process will be created that has
689the privilege of the authenticated user.
690The goal of privilege separation is to prevent privilege
f5799ae1 691escalation by containing any corruption within the unprivileged processes.
692The default is
693.Dq yes .
f5799ae1 694.It Cm X11DisplayOffset
695Specifies the first display number available for
696.Nm sshd Ns 's
697X11 forwarding.
698This prevents
699.Nm sshd
700from interfering with real X11 servers.
701The default is 10.
702.It Cm X11Forwarding
703Specifies whether X11 forwarding is permitted.
41b2f314 704The argument must be
705.Dq yes
706or
707.Dq no .
f5799ae1 708The default is
709.Dq no .
41b2f314 710.Pp
711When X11 forwarding is enabled, there may be additional exposure to
712the server and to client displays if the
713.Nm sshd
714proxy display is configured to listen on the wildcard address (see
715.Cm X11UseLocalhost
716below), however this is not the default.
717Additionally, the authentication spoofing and authentication data
718verification and substitution occur on the client side.
719The security risk of using X11 forwarding is that the client's X11
720display server may be exposed to attack when the ssh client requests
721forwarding (see the warnings for
722.Cm ForwardX11
723in
0fff78ff 724.Xr ssh_config 5 ) .
41b2f314 725A system administrator may have a stance in which they want to
726protect clients that may expose themselves to attack by unwittingly
727requesting X11 forwarding, which can warrant a
728.Dq no
729setting.
730.Pp
731Note that disabling X11 forwarding does not prevent users from
732forwarding X11 traffic, as users can always install their own forwarders.
f5799ae1 733X11 forwarding is automatically disabled if
734.Cm UseLogin
735is enabled.
736.It Cm X11UseLocalhost
737Specifies whether
738.Nm sshd
739should bind the X11 forwarding server to the loopback address or to
6a9b3198 740the wildcard address.
741By default,
f5799ae1 742.Nm sshd
743binds the forwarding server to the loopback address and sets the
744hostname part of the
745.Ev DISPLAY
746environment variable to
747.Dq localhost .
41b2f314 748This prevents remote hosts from connecting to the proxy display.
f5799ae1 749However, some older X11 clients may not function with this
750configuration.
751.Cm X11UseLocalhost
752may be set to
753.Dq no
754to specify that the forwarding server should be bound to the wildcard
755address.
756The argument must be
757.Dq yes
758or
759.Dq no .
760The default is
761.Dq yes .
762.It Cm XAuthLocation
41b2f314 763Specifies the full pathname of the
f5799ae1 764.Xr xauth 1
765program.
766The default is
767.Pa /usr/X11R6/bin/xauth .
768.El
769.Ss Time Formats
f5799ae1 770.Nm sshd
771command-line arguments and configuration file options that specify time
772may be expressed using a sequence of the form:
773.Sm off
41b2f314 774.Ar time Op Ar qualifier ,
f5799ae1 775.Sm on
776where
777.Ar time
778is a positive integer value and
779.Ar qualifier
780is one of the following:
781.Pp
782.Bl -tag -width Ds -compact -offset indent
783.It Cm <none>
784seconds
785.It Cm s | Cm S
786seconds
787.It Cm m | Cm M
788minutes
789.It Cm h | Cm H
790hours
791.It Cm d | Cm D
792days
793.It Cm w | Cm W
794weeks
795.El
796.Pp
797Each member of the sequence is added together to calculate
798the total time value.
799.Pp
800Time format examples:
801.Pp
802.Bl -tag -width Ds -compact -offset indent
803.It 600
804600 seconds (10 minutes)
805.It 10m
80610 minutes
807.It 1h30m
8081 hour 30 minutes (90 minutes)
809.El
810.Sh FILES
811.Bl -tag -width Ds
812.It Pa /etc/ssh/sshd_config
813Contains configuration data for
814.Nm sshd .
815This file should be writable by root only, but it is recommended
816(though not necessary) that it be world-readable.
817.El
0fff78ff 818.Sh SEE ALSO
819.Xr sshd 8
f5799ae1 820.Sh AUTHORS
821OpenSSH is a derivative of the original and free
822ssh 1.2.12 release by Tatu Ylonen.
823Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
824Theo de Raadt and Dug Song
825removed many bugs, re-added newer features and
826created OpenSSH.
827Markus Friedl contributed the support for SSH
828protocol versions 1.5 and 2.0.
829Niels Provos and Markus Friedl contributed support
830for privilege separation.
This page took 0.167769 seconds and 5 git commands to generate.