andersk Git - gssapi-openssh.git/blame - openssh/sshd_config.0
merge updates from OPENSSH_4_4P1_SIMON_20061002_HPN to trunk
SSHD_CONFIG(5)            BSD File Formats Manual           SSHD_CONFIG(5)

NAME
     sshd_config - OpenSSH SSH daemon configuration file

SYNOPSIS
     /etc/ssh/sshd_config

DESCRIPTION
     sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
     specified with -f on the command line). The file contains keyword-argument
     pairs, one per line. Lines starting with '#' and empty lines are
     interpreted as comments. Arguments may optionally be enclosed in double
     quotes (") in order to represent arguments containing spaces.

     The possible keywords and their meanings are as follows (note that keywords
     are case-insensitive and arguments are case-sensitive):

     AcceptEnv
             Specifies what environment variables sent by the client will be
             copied into the session's environ(7). See SendEnv in
             ssh_config(5) for how to configure the client. Note that environment
             passing is only supported for protocol 2. Variables are
             specified by name, which may contain the wildcard characters '*'
             and '?'. Multiple environment variables may be separated by
             whitespace or spread across multiple AcceptEnv directives. Be
             warned that some environment variables could be used to bypass
             restricted user environments. For this reason, care should be
             taken in the use of this directive. The default is not to accept
             any environment variables.

     AddressFamily
             Specifies which address family should be used by sshd(8). Valid
             arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
             (use IPv6 only). The default is ``any''.

     AllowGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces. If specified, login is allowed only for
             users whose primary group or supplementary group list matches one
             of the patterns. Only group names are valid; a numerical group
             ID is not recognized. By default, login is allowed for all
             groups. The allow/deny directives are processed in the following
             order: DenyUsers, AllowUsers, DenyGroups, and finally
             AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     AllowTcpForwarding
             Specifies whether TCP forwarding is permitted. The default is
             ``yes''. Note that disabling TCP forwarding does not improve
             security unless users are also denied shell access, as they can
             always install their own forwarders.

     AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces. If specified, login is allowed only for
             user names that match one of the patterns. Only user names are
             valid; a numerical user ID is not recognized. By default, login
             is allowed for all users. If the pattern takes the form
             USER@HOST then USER and HOST are separately checked, restricting
             logins to particular users from particular hosts. The allow/deny
             directives are processed in the following order: DenyUsers,
             AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     AuthorizedKeysFile
             Specifies the file that contains the public keys that can be used
             for user authentication. AuthorizedKeysFile may contain tokens
             of the form %T which are substituted during connection setup.
             The following tokens are defined: %% is replaced by a literal
             '%', %h is replaced by the home directory of the user being
             authenticated, and %u is replaced by the username of that user.
             After expansion, AuthorizedKeysFile is taken to be an absolute
             path or one relative to the user's home directory. The default
             is ``.ssh/authorized_keys''.

     Banner  In some jurisdictions, sending a warning message before authentication
             may be relevant for getting legal protection. The contents
             of the specified file are sent to the remote user before
             authentication is allowed. This option is only available for
             protocol version 2. By default, no banner is displayed.

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed.
             All authentication styles from login.conf(5) are supported. The
             default is ``yes''.

     Ciphers
             Specifies the ciphers allowed for protocol version 2. Multiple
             ciphers must be comma-separated. The supported ciphers are
             ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
             ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
             ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
             ``cast128-cbc''. The default is:

                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
                arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
                aes192-ctr,aes256-ctr

     ClientAliveCountMax
             Sets the number of client alive messages (see below) which may be
             sent without sshd(8) receiving any messages back from the client.
             If this threshold is reached while client alive messages are
             being sent, sshd will disconnect the client, terminating the session.
             It is important to note that the use of client alive messages
             is very different from TCPKeepAlive (below). The client
             alive messages are sent through the encrypted channel and therefore
             will not be spoofable. The TCP keepalive option enabled by
             TCPKeepAlive is spoofable. The client alive mechanism is valuable
             when the client or server depend on knowing when a connection
             has become inactive.

             The default value is 3. If ClientAliveInterval (see below) is
             set to 15, and ClientAliveCountMax is left at the default, unresponsive
             SSH clients will be disconnected after approximately 45
             seconds. This option applies to protocol version 2 only.

     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has
             been received from the client, sshd(8) will send a message
             through the encrypted channel to request a response from the
             client. The default is 0, indicating that these messages will
             not be sent to the client. This option applies to protocol version
             2 only.

     Compression
             Specifies whether compression is allowed, or delayed until the
             user has authenticated successfully. The argument must be
             ``yes'', ``delayed'', or ``no''. The default is ``delayed''.

     DenyGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces. Login is disallowed for users whose primary
             group or supplementary group list matches one of the patterns.
             Only group names are valid; a numerical group ID is not recognized.
             By default, login is allowed for all groups. The
             allow/deny directives are processed in the following order:
             DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.

     DenyUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces. Login is disallowed for user names that
             match one of the patterns. Only user names are valid; a numerical
             user ID is not recognized. By default, login is allowed for
             all users. If the pattern takes the form USER@HOST then USER and
             HOST are separately checked, restricting logins to particular
             users from particular hosts. The allow/deny directives are processed
             in the following order: DenyUsers, AllowUsers, DenyGroups,
             and finally AllowGroups.

             See PATTERNS in ssh_config(5) for more information on patterns.
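
The processing order given for DenyUsers, AllowUsers, DenyGroups and AllowGroups, written out as an added C illustration (not OpenSSH source code). It assumes patterns use only the '*' and '?' wildcards and that the client is identified by one host string; check_login, acl_policy, the verdict names and the sample lists are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Match s against the pattern [p, end), which may use '*' and '?' only. */
static int wild(const char *p, const char *end, const char *s)
{
    for (; p < end; p++, s++) {
        if (*p == '*') {
            for (p++;; s++) {           /* try every suffix of s */
                if (wild(p, end, s))
                    return 1;
                if (*s == '\0')
                    return 0;
            }
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return 0;
    }
    return *s == '\0';
}

/* USER@HOST checks both parts separately; a plain pattern checks the user only. */
static int user_match(const char *pat, const char *user, const char *host)
{
    const char *end = pat + strlen(pat), *at = strchr(pat, '@');

    if (at == NULL)
        return wild(pat, end, user);
    return wild(pat, at, user) && wild(at + 1, end, host);
}

typedef const char *const *list;        /* NULL-terminated; NULL = keyword unset */
struct acl_policy { list deny_users, allow_users, deny_groups, allow_groups; };
enum verdict { ALLOWED, DENYUSERS_HIT, ALLOWUSERS_MISS, DENYGROUPS_HIT, ALLOWGROUPS_MISS };

static int any_user(list pats, const char *user, const char *host)
{
    for (; *pats; pats++)
        if (user_match(*pats, user, host))
            return 1;
    return 0;
}

static int any_group(list pats, list groups)
{
    for (; *pats; pats++)
        for (list g = groups; *g; g++)
            if (wild(*pats, *pats + strlen(*pats), *g))
                return 1;
    return 0;
}

/* Apply the four keywords in the documented order; the first failure decides. */
enum verdict check_login(const struct acl_policy *p, const char *user,
                         const char *host, list groups)
{
    if (p->deny_users && any_user(p->deny_users, user, host))
        return DENYUSERS_HIT;
    if (p->allow_users && !any_user(p->allow_users, user, host))
        return ALLOWUSERS_MISS;
    if (p->deny_groups && any_group(p->deny_groups, groups))
        return DENYGROUPS_HIT;
    if (p->allow_groups && !any_group(p->allow_groups, groups))
        return ALLOWGROUPS_MISS;
    return ALLOWED;
}

/* Constructed sample policy and group lists (not taken from any real host). */
static const char *const DENY_U[]   = { "guest*", NULL };
static const char *const ALLOW_U[]  = { "alice", "backup@10.0.0.?", NULL };
static const char *const ALLOW_G[]  = { "sshusers", NULL };
static const struct acl_policy SAMPLE = { DENY_U, ALLOW_U, NULL, ALLOW_G };
static const char *const IN_GROUP[] = { "staff", "sshusers", NULL };
static const char *const NO_GROUP[] = { "staff", NULL };

int main(void)
{
    printf("alice in sshusers:     %d\n", check_login(&SAMPLE, "alice", "192.0.2.7", IN_GROUP));
    printf("alice not in sshusers: %d\n", check_login(&SAMPLE, "alice", "192.0.2.7", NO_GROUP));
    return 0;
}
```

With this sample policy, a user named in AllowUsers is still refused when AllowGroups is set and none of the user's groups match, because every keyword that is specified must be satisfied.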

     ForceCommand
             Forces the execution of the command specified by ForceCommand,
             ignoring any command supplied by the client. The command is
             invoked by using the user's login shell with the -c option. This
             applies to shell, command, or subsystem execution. It is most
             useful inside a Match block. The command originally supplied by
             the client is available in the SSH_ORIGINAL_COMMAND environment
             variable.

     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports
             forwarded for the client. By default, sshd(8) binds remote port
             forwardings to the loopback address. This prevents other remote
             hosts from connecting to forwarded ports. GatewayPorts can be
             used to specify that sshd should allow remote port forwardings to
             bind to non-loopback addresses, thus allowing other hosts to connect.
             The argument may be ``no'' to force remote port forwardings
             to be available to the local host only, ``yes'' to force
             remote port forwardings to bind to the wildcard address, or
             ``clientspecified'' to allow the client to select the address to
             which the forwarding is bound. The default is ``no''.

     GSSAPIAuthentication
             Specifies whether user authentication based on GSSAPI is allowed.
             The default is ``yes''. Note that this option applies to protocol
             version 2 only.

     GSSAPIKeyExchange
             Specifies whether key exchange based on GSSAPI is allowed. GSSAPI
             key exchange doesn't rely on ssh keys to verify host identity.
             The default is ``yes''. Note that this option applies to protocol
             version 2 only.

     GSSAPICleanupCredentials
             Specifies whether to automatically destroy the user's credentials
             cache on logout. The default is ``yes''. Note that this option
             applies to protocol version 2 only.

     GSSAPIStrictAcceptorCheck
             Determines whether to be strict about the identity of the GSSAPI
             acceptor a client authenticates against. If ``yes'' then the
             client must authenticate against the host service on the current
             hostname. If ``no'' then the client may authenticate against any
             service key stored in the machine's default store. This facility
             is provided to assist with operation on multi homed machines.
             The default is ``yes''. Note that this option applies only to
             protocol version 2 GSSAPI connections, and setting it to ``no''
             may only work with recent Kerberos GSSAPI libraries.

     GSIAllowLimitedProxy
             Specifies whether to accept limited proxy credentials for authentication.
             The default is ``no''.

     HostbasedAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful public key client host authentication is
             allowed (host-based authentication). This option is similar to
             RhostsRSAAuthentication and applies to protocol version 2 only.
             The default is ``no''.

     HostbasedUsesNameFromPacketOnly
             Specifies whether or not the server will attempt to perform a
             reverse name lookup when matching the name in the ~/.shosts,
             ~/.rhosts, and /etc/hosts.equiv files during
             HostbasedAuthentication. A setting of ``yes'' means that sshd(8)
             uses the name supplied by the client rather than attempting to
             resolve the name from the TCP connection itself. The default is
             ``no''.

     HostKey
             Specifies a file containing a private host key used by SSH. The
             default is /etc/ssh/ssh_host_key for protocol version 1, and
             /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol
             version 2. Note that sshd(8) will refuse to use a file if
             it is group/world-accessible. It is possible to have multiple
             host key files. ``rsa1'' keys are used for version 1 and ``dsa''
             or ``rsa'' are used for version 2 of the SSH protocol.

     IgnoreRhosts
             Specifies that .rhosts and .shosts files will not be used in
             RhostsRSAAuthentication or HostbasedAuthentication.

             /etc/hosts.equiv and /etc/shosts.equiv are still used. The
             default is ``yes''.

     IgnoreUserKnownHosts
             Specifies whether sshd(8) should ignore the user's
             ~/.ssh/known_hosts during RhostsRSAAuthentication or
             HostbasedAuthentication. The default is ``no''.

     KerberosAuthentication
             Specifies whether the password provided by the user for
             PasswordAuthentication will be validated through the Kerberos
             KDC. To use this option, the server needs a Kerberos servtab
             which allows the verification of the KDC's identity. The default
             is ``no''.

     KerberosGetAFSToken
             If AFS is active and the user has a Kerberos 5 TGT, attempt to
             acquire an AFS token before accessing the user's home directory.
             The default is ``no''.

     KerberosOrLocalPasswd
             If password authentication through Kerberos fails then the password
             will be validated via any additional local mechanism such as
             /etc/passwd. The default is ``yes''.

     KerberosTicketCleanup
             Specifies whether to automatically destroy the user's ticket
             cache file on logout. The default is ``yes''.

     KeyRegenerationInterval
             In protocol version 1, the ephemeral server key is automatically
             regenerated after this many seconds (if it has been used). The
             purpose of regeneration is to prevent decrypting captured sessions
             by later breaking into the machine and stealing the keys.
             The key is never stored anywhere. If the value is 0, the key is
             never regenerated. The default is 3600 (seconds).

     ListenAddress
             Specifies the local addresses sshd(8) should listen on. The following
             forms may be used:

                   ListenAddress host|IPv4_addr|IPv6_addr
                   ListenAddress host|IPv4_addr:port
                   ListenAddress [host|IPv6_addr]:port

             If port is not specified, sshd will listen on the address and all
             prior Port options specified. The default is to listen on all
             local addresses. Multiple ListenAddress options are permitted.
             Additionally, any Port options must precede this option for
             non-port qualified addresses.

     LoginGraceTime
             The server disconnects after this time if the user has not successfully
             logged in. If the value is 0, there is no time limit.
             The default is 120 seconds.

     LogLevel
             Gives the verbosity level that is used when logging messages from
             sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO,
             VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
             DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
             higher levels of debugging output. Logging with a DEBUG level
             violates the privacy of users and is not recommended.

     MACs    Specifies the available MAC (message authentication code) algorithms.
             The MAC algorithm is used in protocol version 2 for data
             integrity protection. Multiple algorithms must be comma-separated.
             The default is:
             ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.

     Match   Introduces a conditional block. If all of the criteria on the
             Match line are satisfied, the keywords on the following lines
             override those set in the global section of the config file,
             until either another Match line or the end of the file. The
             arguments to Match are one or more criteria-pattern pairs. The
             available criteria are User, Group, Host, and Address. Only a
             subset of keywords may be used on the lines following a Match
             keyword. Available keywords are AllowTcpForwarding,
             ForceCommand, GatewayPorts, PermitOpen, X11DisplayOffset,
             X11Forwarding, and X11UseLocalHost.

     MaxAuthTries
             Specifies the maximum number of authentication attempts permitted
             per connection. Once the number of failures reaches half this
             value, additional failures are logged. The default is 6.

     MaxStartups
             Specifies the maximum number of concurrent unauthenticated connections
             to the SSH daemon. Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime
             expires for a connection. The default is 10.

             Alternatively, random early drop can be enabled by specifying the
             three colon separated values ``start:rate:full'' (e.g.
             "10:30:60"). sshd(8) will refuse connection attempts with a
             probability of ``rate/100'' (30%) if there are currently
             ``start'' (10) unauthenticated connections. The probability
             increases linearly and all connection attempts are refused if the
             number of unauthenticated connections reaches ``full'' (60).
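
The random early drop rule above, worked through in an added C example (not OpenSSH source code): it parses a MaxStartups value and returns the refusal probability, as a whole percentage, for a given number of unauthenticated connections. The function names, the treatment of a plain "N" as N:100:N, and the range checks are assumptions of this example.

```c
#include <stdio.h>

struct max_startups { int start, rate, full; };

/* Parse "N" or "start:rate:full"; returns 0 on success, -1 on malformed input. */
int parse_max_startups(const char *arg, struct max_startups *ms)
{
    char extra;

    if (sscanf(arg, "%d:%d:%d%c", &ms->start, &ms->rate, &ms->full, &extra) == 3) {
        /* random early drop form, nothing more to fill in */
    } else if (sscanf(arg, "%d%c", &ms->start, &extra) == 1) {
        ms->rate = 100;                 /* plain limit: refuse everything at N */
        ms->full = ms->start;
    } else {
        return -1;
    }
    /* Range checks chosen for this example. */
    if (ms->start < 1 || ms->full < ms->start || ms->rate < 1 || ms->rate > 100)
        return -1;
    return 0;
}

/* Refusal probability in percent with `unauth` unauthenticated connections. */
int drop_percent(const struct max_startups *ms, int unauth)
{
    if (unauth < ms->start)
        return 0;                       /* below "start": always accept */
    if (unauth >= ms->full || ms->rate == 100)
        return 100;                     /* at "full": always refuse */
    /* Linear ramp from rate% at "start" up to 100% at "full". */
    return ms->rate + (100 - ms->rate) * (unauth - ms->start) / (ms->full - ms->start);
}

/* Convenience wrapper: -1 if the setting does not parse. */
int drop_percent_for(const char *setting, int unauth)
{
    struct max_startups ms;

    return parse_max_startups(setting, &ms) == 0 ? drop_percent(&ms, unauth) : -1;
}

int main(void)
{
    const int load[] = { 9, 10, 35, 59, 60 };   /* constructed sample loads */

    for (size_t i = 0; i < sizeof(load) / sizeof(load[0]); i++)
        printf("10:30:60 with %2d unauthenticated: refuse %3d%%\n",
               load[i], drop_percent_for("10:30:60", load[i]));
    return 0;
}
```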

     PasswordAuthentication
             Specifies whether password authentication is allowed. The
             default is ``yes''.

     PermitEmptyPasswords
             When password authentication is allowed, it specifies whether the
             server allows login to accounts with empty password strings. The
             default is ``no''.

     PermitOpen
             Specifies the destinations to which TCP port forwarding is permitted.
             The forwarding specification must be one of the following
             forms:

                   PermitOpen host:port
                   PermitOpen IPv4_addr:port
                   PermitOpen [IPv6_addr]:port

             Multiple forwards may be specified by separating them with
             whitespace. An argument of ``any'' can be used to remove all
             restrictions and permit any forwarding requests. By default all
             port forwarding requests are permitted.

     PermitRootLogin
             Specifies whether root can log in using ssh(1). The argument
             must be ``yes'', ``without-password'', ``forced-commands-only'',
             or ``no''. The default is ``yes''.

             If this option is set to ``without-password'', password authentication
             is disabled for root.

             If this option is set to ``forced-commands-only'', root login
             with public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
             remote backups even if root login is normally not allowed). All
             other authentication methods are disabled for root.

             If this option is set to ``no'', root is not allowed to log in.

     PermitTunnel
             Specifies whether tun(4) device forwarding is allowed. The argument
             must be ``yes'', ``point-to-point'' (layer 3), ``ethernet''
             (layer 2), or ``no''. Specifying ``yes'' permits both
             ``point-to-point'' and ``ethernet''. The default is ``no''.

     PermitUserEnvironment
             Specifies whether ~/.ssh/environment and environment= options in
             ~/.ssh/authorized_keys are processed by sshd(8). The default is
             ``no''. Enabling environment processing may enable users to
             bypass access restrictions in some configurations using mechanisms
             such as LD_PRELOAD.

     PidFile
             Specifies the file that contains the process ID of the SSH daemon.
             The default is /var/run/sshd.pid.

     Port    Specifies the port number that sshd(8) listens on. The default
             is 22. Multiple options of this type are permitted. See also
             ListenAddress.

     PrintLastLog
             Specifies whether sshd(8) should print the date and time of the
             last user login when a user logs in interactively. The default
             is ``yes''.

     PrintMotd
             Specifies whether sshd(8) should print /etc/motd when a user logs
             in interactively. (On some systems it is also printed by the
             shell, /etc/profile, or equivalent.) The default is ``yes''.

     Protocol
             Specifies the protocol versions sshd(8) supports. The possible
             values are '1' and '2'. Multiple versions must be comma-separated.
             The default is ``2,1''. Note that the order of the protocol
             list does not indicate preference, because the client
             selects among multiple protocol versions offered by the server.
             Specifying ``2,1'' is identical to ``1,2''.

     PubkeyAuthentication
             Specifies whether public key authentication is allowed. The
             default is ``yes''. Note that this option applies to protocol
             version 2 only.

     RhostsRSAAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful RSA host authentication is allowed. The
             default is ``no''. This option applies to protocol version 1
             only.

     RSAAuthentication
             Specifies whether pure RSA authentication is allowed. The
             default is ``yes''. This option applies to protocol version 1
             only.

     ServerKeyBits
             Defines the number of bits in the ephemeral protocol version 1
             server key. The minimum value is 512, and the default is 768.

     StrictModes
             Specifies whether sshd(8) should check file modes and ownership
             of the user's files and home directory before accepting login.
             This is normally desirable because novices sometimes accidentally
             leave their directory or files world-writable. The default is
             ``yes''.

     Subsystem
             Configures an external subsystem (e.g. file transfer daemon).
             Arguments should be a subsystem name and a command (with optional
             arguments) to execute upon subsystem request. The command
             sftp-server(8) implements the ``sftp'' file transfer subsystem.
             By default no subsystems are defined. Note that this option
             applies to protocol version 2 only.

     SyslogFacility
             Gives the facility code that is used when logging messages from
             sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
             default is AUTH.

     TCPKeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side. If they are sent, death of the connection or
             crash of one of the machines will be properly noticed. However,
             this means that connections will die if the route is down temporarily,
             and some people find it annoying. On the other hand,
             if TCP keepalives are not sent, sessions may hang indefinitely on
             the server, leaving ``ghost'' users and consuming server
             resources.

             The default is ``yes'' (to send TCP keepalive messages), and the
             server will notice if the network goes down or the client host
             crashes. This avoids infinitely hanging sessions.

             To disable TCP keepalive messages, the value should be set to
             ``no''.

     UseDNS  Specifies whether sshd(8) should look up the remote host name and
             check that the resolved host name for the remote IP address maps
             back to the very same IP address. The default is ``yes''.

     UseLogin
             Specifies whether login(1) is used for interactive login sessions.
             The default is ``no''. Note that login(1) is never used
             for remote command execution. Note also, that if this is
             enabled, X11Forwarding will be disabled because login(1) does not
             know how to handle xauth(1) cookies. If UsePrivilegeSeparation
             is specified, it will be disabled after authentication.

     UsePAM  Enables the Pluggable Authentication Module interface. If set to
             ``yes'' this will enable PAM authentication using
             ChallengeResponseAuthentication and PasswordAuthentication in
             addition to PAM account and session module processing for all
             authentication types.

             Because PAM challenge-response authentication usually serves an
             equivalent role to password authentication, you should disable
             either PasswordAuthentication or ChallengeResponseAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a
             non-root user. The default is ``no''.

     UsePrivilegeSeparation
             Specifies whether sshd(8) separates privileges by creating an
             unprivileged child process to deal with incoming network traffic.
             After successful authentication, another process will be created
             that has the privilege of the authenticated user. The goal of
             privilege separation is to prevent privilege escalation by containing
             any corruption within the unprivileged processes. The
             default is ``yes''.

     X11DisplayOffset
             Specifies the first display number available for sshd(8)'s X11
             forwarding. This prevents sshd from interfering with real X11
             servers. The default is 10.

     X11Forwarding
             Specifies whether X11 forwarding is permitted. The argument must
             be ``yes'' or ``no''. The default is ``no''.

             When X11 forwarding is enabled, there may be additional exposure
             to the server and to client displays if the sshd(8) proxy display
             is configured to listen on the wildcard address (see
             X11UseLocalhost below), though this is not the default. Additionally,
             the authentication spoofing and authentication data
             verification and substitution occur on the client side. The
             security risk of using X11 forwarding is that the client's X11
             display server may be exposed to attack when the SSH client
             requests forwarding (see the warnings for ForwardX11 in
             ssh_config(5)). A system administrator may have a stance in
             which they want to protect clients that may expose themselves to
             attack by unwittingly requesting X11 forwarding, which can warrant
             a ``no'' setting.

             Note that disabling X11 forwarding does not prevent users from
             forwarding X11 traffic, as users can always install their own
             forwarders. X11 forwarding is automatically disabled if UseLogin
             is enabled.

     X11UseLocalhost
             Specifies whether sshd(8) should bind the X11 forwarding server
             to the loopback address or to the wildcard address. By default,
             sshd binds the forwarding server to the loopback address and sets
             the hostname part of the DISPLAY environment variable to
             ``localhost''. This prevents remote hosts from connecting to the
             proxy display. However, some older X11 clients may not function
             with this configuration. X11UseLocalhost may be set to ``no'' to
             specify that the forwarding server should be bound to the wildcard
             address. The argument must be ``yes'' or ``no''. The
             default is ``yes''.

     XAuthLocation
             Specifies the full pathname of the xauth(1) program. The default
             is /usr/X11R6/bin/xauth.

TIME FORMATS
     sshd(8) command-line arguments and configuration file options that specify
     time may be expressed using a sequence of the form: time[qualifier],
     where time is a positive integer value and qualifier is one of the following:

           <none>  seconds
           s | S   seconds
           m | M   minutes
           h | H   hours
           d | D   days
           w | W   weeks

     Each member of the sequence is added together to calculate the total time
     value.

     Time format examples:

           600     600 seconds (10 minutes)
           10m     10 minutes
           1h30m   1 hour 30 minutes (90 minutes)

FILES
     /etc/ssh/sshd_config
             Contains configuration data for sshd(8). This file should be
             writable by root only, but it is recommended (though not necessary)
             that it be world-readable.

SEE ALSO
     sshd(8)

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and created
     OpenSSH. Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
     for privilege separation.

BSD                           September 25, 1999                           BSD