Added support for reporting usage metrics.

[gssapi-openssh.git] / openssh / sshd_config.5

diff --git a/openssh/sshd_config.5 b/openssh/sshd_config.5
index 439abdbd045b9036bcd693460ced42098e066bde..5a214bfd0f8d257ed738a0bb663ede1f86021795 100644 (file)
--- a/openssh/sshd_config.5
+++ b/openssh/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $
-.Dd $Mdocdate: July 2 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $
+.Dd $Mdocdate: April 21 2009 $

 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME


@@ -176,10 +176,9 @@ then no banner is displayed.
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication

-Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
+Specifies whether challenge-response authentication is allowed (e.g. via
+PAM or though authentication styles supported in
+.Xr login.conf 5 )

 The default is
 .Dq yes .
 .It Cm ChrootDirectory
 The default is
 .Dq yes .
 .It Cm ChrootDirectory


@@ -188,6 +187,9 @@ Specifies a path to
 to after authentication.
 This path, and all its components, must be root-owned directories that are
 not writable by any other user or group.
 to after authentication.
 This path, and all its components, must be root-owned directories that are
 not writable by any other user or group.

+After the chroot,
+.Xr sshd 8
+changes the working directory to the user's home directory.

 .Pp
 The path may contain the following tokens that are expanded at runtime once
 the connecting user has been authenticated: %% is replaced by a literal '%',
 .Pp
 The path may contain the following tokens that are expanded at runtime once
 the connecting user has been authenticated: %% is replaced by a literal '%',


@@ -197,7 +199,7 @@ the connecting user has been authenticated: %% is replaced by a literal '%',
 The
 .Cm ChrootDirectory
 must contain the necessary files and directories to support the
 The
 .Cm ChrootDirectory
 must contain the necessary files and directories to support the

-users' session.
+user's session.

 For an interactive session this requires at least a shell, typically
 .Xr sh 1 ,
 and basic
 For an interactive session this requires at least a shell, typically
 .Xr sh 1 ,
 and basic


@@ -215,8 +217,11 @@ devices.
 For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the
 For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the

-in-process sftp server is used (see
-.Cm Subsystem
+in-process sftp server is used,
+though sessions which use logging do require
+.Pa /dev/log
+inside the chroot directory (see
+.Xr sftp-server 8

 for details).
 .Pp
 The default is not to
 for details).
 .Pp
 The default is not to


@@ -240,9 +245,9 @@ and
 .Dq cast128-cbc .
 The default is:
 .Bd -literal -offset 3n
 .Dq cast128-cbc .
 The default is:
 .Bd -literal -offset 3n

-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
+aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
+aes256-cbc,arcfour

 .Ed
 .It Cm ClientAliveCountMax
 Sets the number of client alive messages (see below) which may be
 .Ed
 .It Cm ClientAliveCountMax
 Sets the number of client alive messages (see below) which may be


@@ -390,6 +395,22 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.

+.It Cm GSSAPICredentialsPath
+If specified, the delegated GSSAPI credential is stored in the
+given path, overwriting any existing credentials.  
+Paths can be specified with syntax similar to the AuthorizedKeysFile 
+option (i.e., accepting %h and %u tokens).  
+When using this option,
+setting 'GssapiCleanupCredentials no' is recommended,
+so logging out of one session
+doesn't remove the credentials in use by another session of
+the same user.
+Currently only implemented for the GSI mechanism.
+.It Cm GSIAllowLimitedProxy
+Specifies whether to accept limited proxy credentials for
+authentication.
+The default is
+.Dq no .

 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor 
 a client authenticates against. If
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor 
 a client authenticates against. If


@@ -407,21 +428,10 @@ Note that this option applies only to protocol version 2 GSSAPI connections,
 and setting it to 
 .Dq no
 may only work with recent Kerberos GSSAPI libraries.
 and setting it to 
 .Dq no
 may only work with recent Kerberos GSSAPI libraries.

-.It Cm GSSAPICredentialsPath
-If specified, the delegated GSSAPI credential is stored in the
-given path, overwriting any existing credentials.  
-Paths can be specified with syntax similar to the AuthorizedKeysFile 
-option (i.e., accepting %h and %u tokens).  
-When using this option,
-setting 'GssapiCleanupCredentials no' is recommended,
-so logging out of one session
-doesn't remove the credentials in use by another session of
-the same user.
-Currently only implemented for the GSI mechanism.
-.It Cm GSIAllowLimitedProxy
-Specifies whether to accept limited proxy credentials for
-authentication.
-The default is
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a 
+successful connection rekeying. This option can be used to accepted renewed 
+or updated credentials from a compatible client. The default is

 .Dq no .
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 .Dq no .
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together


@@ -636,6 +646,7 @@ Only a subset of keywords may be used on the lines following a
 .Cm Match
 keyword.
 Available keywords are
 .Cm Match
 keyword.
 Available keywords are

+.Cm AllowAgentForwarding ,

 .Cm AllowTcpForwarding ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
 .Cm AllowTcpForwarding ,
 .Cm Banner ,
 .Cm ChrootDirectory ,


@@ -648,12 +659,13 @@ Available keywords are
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,

+.Cm PermitEmptyPasswords ,

 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,

-.Cm X11Forwarding ,
+.Cm X11Forwarding

 and
 .Cm X11UseLocalHost .
 .It Cm MaxAuthTries
 and
 .Cm X11UseLocalHost .
 .It Cm MaxAuthTries


@@ -964,6 +976,12 @@ is enabled, you will not be able to run
 as a non-root user.
 The default is
 .Dq no .
 as a non-root user.
 The default is
 .Dq no .

+.It Cm PermitPAMUserChange
+If set to
+.Dq yes
+this will enable PAM authentication to change the name of the user being
+authenticated.  The default is
+.Dq no .

 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Xr sshd 8
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Xr sshd 8