]>
Commit | Line | Data |
---|---|---|
f713db99 | 1 | SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) |
317e5d15 | 2 | |
3 | NAME | |
4 | sshd_config - OpenSSH SSH daemon configuration file | |
5 | ||
6 | SYNOPSIS | |
7 | /etc/ssh/sshd_config | |
8 | ||
9 | DESCRIPTION | |
10 | sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file | |
11 | specified with -f on the command line). The file contains keyword-argu- | |
f713db99 | 12 | ment pairs, one per line. Lines starting with '#' and empty lines are |
317e5d15 | 13 | interpreted as comments. Arguments may optionally be enclosed in double |
14 | quotes (") in order to represent arguments containing spaces. | |
15 | ||
16 | The possible keywords and their meanings are as follows (note that key- | |
17 | words are case-insensitive and arguments are case-sensitive): | |
18 | ||
19 | AcceptEnv | |
20 | Specifies what environment variables sent by the client will be | |
21 | copied into the session's environ(7). See SendEnv in | |
22 | ssh_config(5) for how to configure the client. Note that envi- | |
23 | ronment passing is only supported for protocol 2. Variables are | |
f713db99 | 24 | specified by name, which may contain the wildcard characters '*' |
25 | and '?'. Multiple environment variables may be separated by | |
317e5d15 | 26 | whitespace or spread across multiple AcceptEnv directives. Be |
27 | warned that some environment variables could be used to bypass | |
28 | restricted user environments. For this reason, care should be | |
29 | taken in the use of this directive. The default is not to accept | |
30 | any environment variables. | |
31 | ||
32 | AddressFamily | |
33 | Specifies which address family should be used by sshd(8). Valid | |
34 | arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' | |
35 | (use IPv6 only). The default is ``any''. | |
36 | ||
37 | AllowGroups | |
38 | This keyword can be followed by a list of group name patterns, | |
39 | separated by spaces. If specified, login is allowed only for | |
40 | users whose primary group or supplementary group list matches one | |
41 | of the patterns. Only group names are valid; a numerical group | |
42 | ID is not recognized. By default, login is allowed for all | |
43 | groups. The allow/deny directives are processed in the following | |
44 | order: DenyUsers, AllowUsers, DenyGroups, and finally | |
45 | AllowGroups. | |
46 | ||
47 | See PATTERNS in ssh_config(5) for more information on patterns. | |
48 | ||
49 | AllowTcpForwarding | |
50 | Specifies whether TCP forwarding is permitted. The default is | |
f713db99 | 51 | ``yes''. Note that disabling TCP forwarding does not improve |
52 | security unless users are also denied shell access, as they can | |
53 | always install their own forwarders. | |
317e5d15 | 54 | |
55 | AllowUsers | |
56 | This keyword can be followed by a list of user name patterns, | |
f713db99 | 57 | separated by spaces. If specified, login is allowed only for |
58 | user names that match one of the patterns. Only user names are | |
317e5d15 | 59 | valid; a numerical user ID is not recognized. By default, login |
f713db99 | 60 | is allowed for all users. If the pattern takes the form |
61 | USER@HOST then USER and HOST are separately checked, restricting | |
317e5d15 | 62 | logins to particular users from particular hosts. The allow/deny |
63 | directives are processed in the following order: DenyUsers, | |
64 | AllowUsers, DenyGroups, and finally AllowGroups. | |
65 | ||
66 | See PATTERNS in ssh_config(5) for more information on patterns. | |
67 | ||
68 | AuthorizedKeysFile | |
69 | Specifies the file that contains the public keys that can be used | |
70 | for user authentication. AuthorizedKeysFile may contain tokens | |
71 | of the form %T which are substituted during connection setup. | |
72 | The following tokens are defined: %% is replaced by a literal | |
f713db99 | 73 | '%', %h is replaced by the home directory of the user being |
74 | authenticated, and %u is replaced by the username of that user. | |
317e5d15 | 75 | After expansion, AuthorizedKeysFile is taken to be an absolute |
76 | path or one relative to the user's home directory. The default | |
77 | is ``.ssh/authorized_keys''. | |
78 | ||
79 | Banner In some jurisdictions, sending a warning message before authenti- | |
80 | cation may be relevant for getting legal protection. The con- | |
81 | tents of the specified file are sent to the remote user before | |
82 | authentication is allowed. This option is only available for | |
83 | protocol version 2. By default, no banner is displayed. | |
84 | ||
85 | ChallengeResponseAuthentication | |
86 | Specifies whether challenge-response authentication is allowed. | |
87 | All authentication styles from login.conf(5) are supported. The | |
88 | default is ``yes''. | |
89 | ||
90 | Ciphers | |
91 | Specifies the ciphers allowed for protocol version 2. Multiple | |
92 | ciphers must be comma-separated. The supported ciphers are | |
93 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | |
94 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', | |
95 | ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and | |
96 | ``cast128-cbc''. The default is: | |
97 | ||
98 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, | |
99 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, | |
100 | aes192-ctr,aes256-ctr | |
101 | ||
102 | ClientAliveCountMax | |
103 | Sets the number of client alive messages (see below) which may be | |
104 | sent without sshd(8) receiving any messages back from the client. | |
f713db99 | 105 | If this threshold is reached while client alive messages are |
106 | being sent, sshd will disconnect the client, terminating the ses- | |
317e5d15 | 107 | sion. It is important to note that the use of client alive mes- |
108 | sages is very different from TCPKeepAlive (below). The client | |
109 | alive messages are sent through the encrypted channel and there- | |
110 | fore will not be spoofable. The TCP keepalive option enabled by | |
111 | TCPKeepAlive is spoofable. The client alive mechanism is valu- | |
112 | able when the client or server depend on knowing when a connec- | |
113 | tion has become inactive. | |
114 | ||
115 | The default value is 3. If ClientAliveInterval (see below) is | |
116 | set to 15, and ClientAliveCountMax is left at the default, unre- | |
117 | sponsive SSH clients will be disconnected after approximately 45 | |
118 | seconds. This option applies to protocol version 2 only. | |
119 | ||
120 | ClientAliveInterval | |
121 | Sets a timeout interval in seconds after which if no data has | |
122 | been received from the client, sshd(8) will send a message | |
123 | through the encrypted channel to request a response from the | |
124 | client. The default is 0, indicating that these messages will | |
125 | not be sent to the client. This option applies to protocol ver- | |
126 | sion 2 only. | |
127 | ||
128 | Compression | |
129 | Specifies whether compression is allowed, or delayed until the | |
130 | user has authenticated successfully. The argument must be | |
131 | ``yes'', ``delayed'', or ``no''. The default is ``delayed''. | |
132 | ||
133 | DenyGroups | |
134 | This keyword can be followed by a list of group name patterns, | |
135 | separated by spaces. Login is disallowed for users whose primary | |
136 | group or supplementary group list matches one of the patterns. | |
137 | Only group names are valid; a numerical group ID is not recog- | |
f713db99 | 138 | nized. By default, login is allowed for all groups. The |
139 | allow/deny directives are processed in the following order: | |
317e5d15 | 140 | DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. |
141 | ||
142 | See PATTERNS in ssh_config(5) for more information on patterns. | |
143 | ||
144 | DenyUsers | |
145 | This keyword can be followed by a list of user name patterns, | |
146 | separated by spaces. Login is disallowed for user names that | |
147 | match one of the patterns. Only user names are valid; a numeri- | |
148 | cal user ID is not recognized. By default, login is allowed for | |
149 | all users. If the pattern takes the form USER@HOST then USER and | |
150 | HOST are separately checked, restricting logins to particular | |
151 | users from particular hosts. The allow/deny directives are pro- | |
152 | cessed in the following order: DenyUsers, AllowUsers, DenyGroups, | |
153 | and finally AllowGroups. | |
154 | ||
155 | See PATTERNS in ssh_config(5) for more information on patterns. | |
156 | ||
157 | ForceCommand | |
158 | Forces the execution of the command specified by ForceCommand, | |
f713db99 | 159 | ignoring any command supplied by the client. The command is |
160 | invoked by using the user's login shell with the -c option. This | |
317e5d15 | 161 | applies to shell, command, or subsystem execution. It is most |
162 | useful inside a Match block. The command originally supplied by | |
163 | the client is available in the SSH_ORIGINAL_COMMAND environment | |
164 | variable. | |
165 | ||
166 | GatewayPorts | |
167 | Specifies whether remote hosts are allowed to connect to ports | |
168 | forwarded for the client. By default, sshd(8) binds remote port | |
169 | forwardings to the loopback address. This prevents other remote | |
170 | hosts from connecting to forwarded ports. GatewayPorts can be | |
171 | used to specify that sshd should allow remote port forwardings to | |
172 | bind to non-loopback addresses, thus allowing other hosts to con- | |
173 | nect. The argument may be ``no'' to force remote port forward- | |
f713db99 | 174 | ings to be available to the local host only, ``yes'' to force |
175 | remote port forwardings to bind to the wildcard address, or | |
317e5d15 | 176 | ``clientspecified'' to allow the client to select the address to |
177 | which the forwarding is bound. The default is ``no''. | |
178 | ||
179 | GSSAPIAuthentication | |
180 | Specifies whether user authentication based on GSSAPI is allowed. | |
f713db99 | 181 | The default is ``yes''. Note that this option applies to proto- |
182 | col version 2 only. | |
183 | ||
184 | GSSAPIKeyExchange | |
185 | Specifies whether key exchange based on GSSAPI is allowed. GSSAPI | |
186 | key exchange doesn't rely on ssh keys to verify host identity. | |
187 | The default is ``yes''. Note that this option applies to proto- | |
188 | col version 2 only. | |
317e5d15 | 189 | |
190 | GSSAPICleanupCredentials | |
191 | Specifies whether to automatically destroy the user's credentials | |
192 | cache on logout. The default is ``yes''. Note that this option | |
193 | applies to protocol version 2 only. | |
194 | ||
f713db99 | 195 | GSSAPIStrictAcceptorCheck |
196 | Determines whether to be strict about the identity of the GSSAPI | |
197 | acceptor a client authenticates against. If ``yes'' then the | |
198 | client must authenticate against the host service on the current | |
199 | hostname. If ``no'' then the client may authenticate against any | |
200 | service key stored in the machine's default store. This facility | |
201 | is provided to assist with operation on multi homed machines. | |
202 | The default is ``yes''. Note that this option applies only to | |
203 | protocol version 2 GSSAPI connections, and setting it to ``no'' | |
204 | may only work with recent Kerberos GSSAPI libraries. | |
205 | ||
206 | GSIAllowLimitedProxy | |
207 | Specifies whether to accept limited proxy credentials for authen- | |
208 | tication. The default is ``no''. | |
209 | ||
317e5d15 | 210 | HostbasedAuthentication |
f713db99 | 211 | Specifies whether rhosts or /etc/hosts.equiv authentication |
212 | together with successful public key client host authentication is | |
317e5d15 | 213 | allowed (host-based authentication). This option is similar to |
214 | RhostsRSAAuthentication and applies to protocol version 2 only. | |
215 | The default is ``no''. | |
216 | ||
217 | HostbasedUsesNameFromPacketOnly | |
f713db99 | 218 | Specifies whether or not the server will attempt to perform a |
219 | reverse name lookup when matching the name in the ~/.shosts, | |
317e5d15 | 220 | ~/.rhosts, and /etc/hosts.equiv files during |
221 | HostbasedAuthentication. A setting of ``yes'' means that sshd(8) | |
222 | uses the name supplied by the client rather than attempting to | |
223 | resolve the name from the TCP connection itself. The default is | |
224 | ``no''. | |
225 | ||
226 | HostKey | |
227 | Specifies a file containing a private host key used by SSH. The | |
228 | default is /etc/ssh/ssh_host_key for protocol version 1, and | |
229 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | |
230 | tocol version 2. Note that sshd(8) will refuse to use a file if | |
231 | it is group/world-accessible. It is possible to have multiple | |
232 | host key files. ``rsa1'' keys are used for version 1 and ``dsa'' | |
233 | or ``rsa'' are used for version 2 of the SSH protocol. | |
234 | ||
235 | IgnoreRhosts | |
236 | Specifies that .rhosts and .shosts files will not be used in | |
237 | RhostsRSAAuthentication or HostbasedAuthentication. | |
238 | ||
f713db99 | 239 | /etc/hosts.equiv and /etc/shosts.equiv are still used. The |
240 | default is ``yes''. | |
317e5d15 | 241 | |
242 | IgnoreUserKnownHosts | |
243 | Specifies whether sshd(8) should ignore the user's | |
244 | ~/.ssh/known_hosts during RhostsRSAAuthentication or | |
245 | HostbasedAuthentication. The default is ``no''. | |
246 | ||
247 | KerberosAuthentication | |
248 | Specifies whether the password provided by the user for | |
249 | PasswordAuthentication will be validated through the Kerberos | |
250 | KDC. To use this option, the server needs a Kerberos servtab | |
251 | which allows the verification of the KDC's identity. The default | |
252 | is ``no''. | |
253 | ||
254 | KerberosGetAFSToken | |
255 | If AFS is active and the user has a Kerberos 5 TGT, attempt to | |
256 | acquire an AFS token before accessing the user's home directory. | |
257 | The default is ``no''. | |
258 | ||
259 | KerberosOrLocalPasswd | |
260 | If password authentication through Kerberos fails then the pass- | |
261 | word will be validated via any additional local mechanism such as | |
262 | /etc/passwd. The default is ``yes''. | |
263 | ||
264 | KerberosTicketCleanup | |
265 | Specifies whether to automatically destroy the user's ticket | |
266 | cache file on logout. The default is ``yes''. | |
267 | ||
268 | KeyRegenerationInterval | |
269 | In protocol version 1, the ephemeral server key is automatically | |
270 | regenerated after this many seconds (if it has been used). The | |
271 | purpose of regeneration is to prevent decrypting captured ses- | |
272 | sions by later breaking into the machine and stealing the keys. | |
273 | The key is never stored anywhere. If the value is 0, the key is | |
274 | never regenerated. The default is 3600 (seconds). | |
275 | ||
276 | ListenAddress | |
277 | Specifies the local addresses sshd(8) should listen on. The fol- | |
278 | lowing forms may be used: | |
279 | ||
280 | ListenAddress host|IPv4_addr|IPv6_addr | |
281 | ListenAddress host|IPv4_addr:port | |
282 | ListenAddress [host|IPv6_addr]:port | |
283 | ||
284 | If port is not specified, sshd will listen on the address and all | |
285 | prior Port options specified. The default is to listen on all | |
286 | local addresses. Multiple ListenAddress options are permitted. | |
287 | Additionally, any Port options must precede this option for non- | |
288 | port qualified addresses. | |
289 | ||
290 | LoginGraceTime | |
291 | The server disconnects after this time if the user has not suc- | |
292 | cessfully logged in. If the value is 0, there is no time limit. | |
293 | The default is 120 seconds. | |
294 | ||
295 | LogLevel | |
296 | Gives the verbosity level that is used when logging messages from | |
297 | sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, | |
298 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | |
299 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | |
300 | higher levels of debugging output. Logging with a DEBUG level | |
301 | violates the privacy of users and is not recommended. | |
302 | ||
303 | MACs Specifies the available MAC (message authentication code) algo- | |
304 | rithms. The MAC algorithm is used in protocol version 2 for data | |
f713db99 | 305 | integrity protection. Multiple algorithms must be comma-sepa- |
306 | rated. The default is: | |
307 | ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. | |
317e5d15 | 308 | |
309 | Match Introduces a conditional block. If all of the criteria on the | |
310 | Match line are satisfied, the keywords on the following lines | |
f713db99 | 311 | override those set in the global section of the config file, |
312 | until either another Match line or the end of the file. The | |
313 | arguments to Match are one or more criteria-pattern pairs. The | |
317e5d15 | 314 | available criteria are User, Group, Host, and Address. Only a |
315 | subset of keywords may be used on the lines following a Match | |
316 | keyword. Available keywords are AllowTcpForwarding, | |
317 | ForceCommand, GatewayPorts, PermitOpen, X11DisplayOffset, | |
318 | X11Forwarding, and X11UseLocalHost. | |
319 | ||
320 | MaxAuthTries | |
321 | Specifies the maximum number of authentication attempts permitted | |
322 | per connection. Once the number of failures reaches half this | |
323 | value, additional failures are logged. The default is 6. | |
324 | ||
325 | MaxStartups | |
326 | Specifies the maximum number of concurrent unauthenticated con- | |
327 | nections to the SSH daemon. Additional connections will be | |
f713db99 | 328 | dropped until authentication succeeds or the LoginGraceTime |
329 | expires for a connection. The default is 10. | |
317e5d15 | 330 | |
331 | Alternatively, random early drop can be enabled by specifying the | |
332 | three colon separated values ``start:rate:full'' (e.g. | |
333 | "10:30:60"). sshd(8) will refuse connection attempts with a | |
334 | probability of ``rate/100'' (30%) if there are currently | |
f713db99 | 335 | ``start'' (10) unauthenticated connections. The probability |
336 | increases linearly and all connection attempts are refused if the | |
317e5d15 | 337 | number of unauthenticated connections reaches ``full'' (60). |
338 | ||
339 | PasswordAuthentication | |
f713db99 | 340 | Specifies whether password authentication is allowed. The |
341 | default is ``yes''. | |
317e5d15 | 342 | |
343 | PermitEmptyPasswords | |
344 | When password authentication is allowed, it specifies whether the | |
345 | server allows login to accounts with empty password strings. The | |
346 | default is ``no''. | |
347 | ||
348 | PermitOpen | |
349 | Specifies the destinations to which TCP port forwarding is per- | |
350 | mitted. The forwarding specification must be one of the follow- | |
351 | ing forms: | |
352 | ||
353 | PermitOpen host:port | |
354 | PermitOpen IPv4_addr:port | |
355 | PermitOpen [IPv6_addr]:port | |
356 | ||
357 | Multiple forwards may be specified by separating them with | |
f713db99 | 358 | whitespace. An argument of ``any'' can be used to remove all |
359 | restrictions and permit any forwarding requests. By default all | |
317e5d15 | 360 | port forwarding requests are permitted. |
361 | ||
362 | PermitRootLogin | |
363 | Specifies whether root can log in using ssh(1). The argument | |
364 | must be ``yes'', ``without-password'', ``forced-commands-only'', | |
365 | or ``no''. The default is ``yes''. | |
366 | ||
367 | If this option is set to ``without-password'', password authenti- | |
368 | cation is disabled for root. | |
369 | ||
370 | If this option is set to ``forced-commands-only'', root login | |
371 | with public key authentication will be allowed, but only if the | |
372 | command option has been specified (which may be useful for taking | |
373 | remote backups even if root login is normally not allowed). All | |
374 | other authentication methods are disabled for root. | |
375 | ||
376 | If this option is set to ``no'', root is not allowed to log in. | |
377 | ||
378 | PermitTunnel | |
379 | Specifies whether tun(4) device forwarding is allowed. The argu- | |
380 | ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet'' | |
f713db99 | 381 | (layer 2), or ``no''. Specifying ``yes'' permits both |
382 | ``point-to-point'' and ``ethernet''. The default is ``no''. | |
317e5d15 | 383 | |
384 | PermitUserEnvironment | |
385 | Specifies whether ~/.ssh/environment and environment= options in | |
386 | ~/.ssh/authorized_keys are processed by sshd(8). The default is | |
f713db99 | 387 | ``no''. Enabling environment processing may enable users to |
388 | bypass access restrictions in some configurations using mecha- | |
389 | nisms such as LD_PRELOAD. | |
317e5d15 | 390 | |
391 | PidFile | |
392 | Specifies the file that contains the process ID of the SSH dae- | |
393 | mon. The default is /var/run/sshd.pid. | |
394 | ||
395 | Port Specifies the port number that sshd(8) listens on. The default | |
396 | is 22. Multiple options of this type are permitted. See also | |
397 | ListenAddress. | |
398 | ||
399 | PrintLastLog | |
400 | Specifies whether sshd(8) should print the date and time of the | |
401 | last user login when a user logs in interactively. The default | |
402 | is ``yes''. | |
403 | ||
404 | PrintMotd | |
405 | Specifies whether sshd(8) should print /etc/motd when a user logs | |
406 | in interactively. (On some systems it is also printed by the | |
407 | shell, /etc/profile, or equivalent.) The default is ``yes''. | |
408 | ||
409 | Protocol | |
410 | Specifies the protocol versions sshd(8) supports. The possible | |
f713db99 | 411 | values are '1' and '2'. Multiple versions must be comma-sepa- |
412 | rated. The default is ``2,1''. Note that the order of the pro- | |
413 | tocol list does not indicate preference, because the client | |
414 | selects among multiple protocol versions offered by the server. | |
415 | Specifying ``2,1'' is identical to ``1,2''. | |
317e5d15 | 416 | |
417 | PubkeyAuthentication | |
f713db99 | 418 | Specifies whether public key authentication is allowed. The |
419 | default is ``yes''. Note that this option applies to protocol | |
420 | version 2 only. | |
317e5d15 | 421 | |
422 | RhostsRSAAuthentication | |
f713db99 | 423 | Specifies whether rhosts or /etc/hosts.equiv authentication |
424 | together with successful RSA host authentication is allowed. The | |
425 | default is ``no''. This option applies to protocol version 1 | |
426 | only. | |
317e5d15 | 427 | |
428 | RSAAuthentication | |
f713db99 | 429 | Specifies whether pure RSA authentication is allowed. The |
430 | default is ``yes''. This option applies to protocol version 1 | |
431 | only. | |
317e5d15 | 432 | |
433 | ServerKeyBits | |
434 | Defines the number of bits in the ephemeral protocol version 1 | |
435 | server key. The minimum value is 512, and the default is 768. | |
436 | ||
437 | StrictModes | |
438 | Specifies whether sshd(8) should check file modes and ownership | |
439 | of the user's files and home directory before accepting login. | |
440 | This is normally desirable because novices sometimes accidentally | |
441 | leave their directory or files world-writable. The default is | |
442 | ``yes''. | |
443 | ||
444 | Subsystem | |
445 | Configures an external subsystem (e.g. file transfer daemon). | |
446 | Arguments should be a subsystem name and a command (with optional | |
447 | arguments) to execute upon subsystem request. The command | |
448 | sftp-server(8) implements the ``sftp'' file transfer subsystem. | |
f713db99 | 449 | By default no subsystems are defined. Note that this option |
450 | applies to protocol version 2 only. | |
317e5d15 | 451 | |
452 | SyslogFacility | |
453 | Gives the facility code that is used when logging messages from | |
454 | sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, | |
f713db99 | 455 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The |
456 | default is AUTH. | |
317e5d15 | 457 | |
458 | TCPKeepAlive | |
459 | Specifies whether the system should send TCP keepalive messages | |
460 | to the other side. If they are sent, death of the connection or | |
461 | crash of one of the machines will be properly noticed. However, | |
462 | this means that connections will die if the route is down tem- | |
463 | porarily, and some people find it annoying. On the other hand, | |
464 | if TCP keepalives are not sent, sessions may hang indefinitely on | |
f713db99 | 465 | the server, leaving ``ghost'' users and consuming server |
466 | resources. | |
317e5d15 | 467 | |
468 | The default is ``yes'' (to send TCP keepalive messages), and the | |
469 | server will notice if the network goes down or the client host | |
470 | crashes. This avoids infinitely hanging sessions. | |
471 | ||
472 | To disable TCP keepalive messages, the value should be set to | |
473 | ``no''. | |
474 | ||
475 | UseDNS Specifies whether sshd(8) should look up the remote host name and | |
476 | check that the resolved host name for the remote IP address maps | |
477 | back to the very same IP address. The default is ``yes''. | |
478 | ||
479 | UseLogin | |
480 | Specifies whether login(1) is used for interactive login ses- | |
481 | sions. The default is ``no''. Note that login(1) is never used | |
f713db99 | 482 | for remote command execution. Note also, that if this is |
483 | enabled, X11Forwarding will be disabled because login(1) does not | |
317e5d15 | 484 | know how to handle xauth(1) cookies. If UsePrivilegeSeparation |
485 | is specified, it will be disabled after authentication. | |
486 | ||
487 | UsePAM Enables the Pluggable Authentication Module interface. If set to | |
488 | ``yes'' this will enable PAM authentication using | |
f713db99 | 489 | ChallengeResponseAuthentication and PasswordAuthentication in |
490 | addition to PAM account and session module processing for all | |
491 | authentication types. | |
317e5d15 | 492 | |
493 | Because PAM challenge-response authentication usually serves an | |
494 | equivalent role to password authentication, you should disable | |
495 | either PasswordAuthentication or ChallengeResponseAuthentication. | |
496 | ||
497 | If UsePAM is enabled, you will not be able to run sshd(8) as a | |
498 | non-root user. The default is ``no''. | |
499 | ||
500 | UsePrivilegeSeparation | |
f713db99 | 501 | Specifies whether sshd(8) separates privileges by creating an |
502 | unprivileged child process to deal with incoming network traffic. | |
317e5d15 | 503 | After successful authentication, another process will be created |
504 | that has the privilege of the authenticated user. The goal of | |
505 | privilege separation is to prevent privilege escalation by con- | |
506 | taining any corruption within the unprivileged processes. The | |
507 | default is ``yes''. | |
508 | ||
509 | X11DisplayOffset | |
510 | Specifies the first display number available for sshd(8)'s X11 | |
511 | forwarding. This prevents sshd from interfering with real X11 | |
512 | servers. The default is 10. | |
513 | ||
514 | X11Forwarding | |
515 | Specifies whether X11 forwarding is permitted. The argument must | |
516 | be ``yes'' or ``no''. The default is ``no''. | |
517 | ||
518 | When X11 forwarding is enabled, there may be additional exposure | |
519 | to the server and to client displays if the sshd(8) proxy display | |
520 | is configured to listen on the wildcard address (see | |
521 | X11UseLocalhost below), though this is not the default. Addi- | |
522 | tionally, the authentication spoofing and authentication data | |
f713db99 | 523 | verification and substitution occur on the client side. The |
524 | security risk of using X11 forwarding is that the client's X11 | |
525 | display server may be exposed to attack when the SSH client | |
526 | requests forwarding (see the warnings for ForwardX11 in | |
527 | ssh_config(5)). A system administrator may have a stance in | |
528 | which they want to protect clients that may expose themselves to | |
529 | attack by unwittingly requesting X11 forwarding, which can war- | |
530 | rant a ``no'' setting. | |
317e5d15 | 531 | |
532 | Note that disabling X11 forwarding does not prevent users from | |
533 | forwarding X11 traffic, as users can always install their own | |
534 | forwarders. X11 forwarding is automatically disabled if UseLogin | |
535 | is enabled. | |
536 | ||
537 | X11UseLocalhost | |
538 | Specifies whether sshd(8) should bind the X11 forwarding server | |
539 | to the loopback address or to the wildcard address. By default, | |
540 | sshd binds the forwarding server to the loopback address and sets | |
541 | the hostname part of the DISPLAY environment variable to | |
542 | ``localhost''. This prevents remote hosts from connecting to the | |
543 | proxy display. However, some older X11 clients may not function | |
544 | with this configuration. X11UseLocalhost may be set to ``no'' to | |
545 | specify that the forwarding server should be bound to the wild- | |
f713db99 | 546 | card address. The argument must be ``yes'' or ``no''. The |
547 | default is ``yes''. | |
317e5d15 | 548 | |
549 | XAuthLocation | |
550 | Specifies the full pathname of the xauth(1) program. The default | |
551 | is /usr/X11R6/bin/xauth. | |
552 | ||
553 | TIME FORMATS | |
f713db99 | 554 | sshd(8) command-line arguments and configuration file options that spec- |
555 | ify time may be expressed using a sequence of the form: time[qualifier], | |
317e5d15 | 556 | where time is a positive integer value and qualifier is one of the fol- |
557 | lowing: | |
558 | ||
559 | <none> seconds | |
560 | s | S seconds | |
561 | m | M minutes | |
562 | h | H hours | |
563 | d | D days | |
564 | w | W weeks | |
565 | ||
566 | Each member of the sequence is added together to calculate the total time | |
567 | value. | |
568 | ||
569 | Time format examples: | |
570 | ||
571 | 600 600 seconds (10 minutes) | |
572 | 10m 10 minutes | |
573 | 1h30m 1 hour 30 minutes (90 minutes) | |
574 | ||
575 | FILES | |
576 | /etc/ssh/sshd_config | |
577 | Contains configuration data for sshd(8). This file should be | |
578 | writable by root only, but it is recommended (though not neces- | |
579 | sary) that it be world-readable. | |
580 | ||
581 | SEE ALSO | |
582 | sshd(8) | |
583 | ||
584 | AUTHORS | |
585 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | |
586 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | |
587 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | |
588 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | |
589 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | |
590 | for privilege separation. | |
591 | ||
f713db99 | 592 | BSD September 25, 1999 BSD |