.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $
-.Dd $Mdocdate: March 27 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $
+.Dd $Mdocdate: April 21 2009 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
(use IPv6 only).
The default is
.Dq any .
+.It Cm AllowAgentForwarding
+Specifies whether
+.Xr ssh-agent 1
+forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling agent forwarding does not improve security
+unless users are also denied shell access, as they can always install
+their own forwarders.
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
This option is only available for protocol version 2.
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
+Specifies whether challenge-response authentication is allowed (e.g. via
+PAM or though authentication styles supported in
+.Xr login.conf 5 )
The default is
.Dq yes .
.It Cm ChrootDirectory
to after authentication.
This path, and all its components, must be root-owned directories that are
not writable by any other user or group.
+After the chroot,
+.Xr sshd 8
+changes the working directory to the user's home directory.
.Pp
The path may contain the following tokens that are expanded at runtime once
the connecting user has been authenticated: %% is replaced by a literal '%',
The
.Cm ChrootDirectory
must contain the necessary files and directories to support the
-users' session.
+user's session.
For an interactive session this requires at least a shell, typically
.Xr sh 1 ,
and basic
For file transfer sessions using
.Dq sftp ,
no additional configuration of the environment is necessary if the
-in-process sftp server is used (see
-.Cm Subsystem
+in-process sftp server is used,
+though sessions which use logging do require
+.Pa /dev/log
+inside the chroot directory (see
+.Xr sftp-server 8
for details).
.Pp
The default is not to
.Dq cast128-cbc .
The default is:
.Bd -literal -offset 3n
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
+aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
+aes256-cbc,arcfour
.Ed
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see below) which may be
in
.Xr ssh_config 5
for more information on patterns.
+.It Cm DisableUsageStats
+This keyword can be followed by one of the keywords "true", "enabled", "yes",
+"on" or "1" to disable reporting of usage metrics. Or it can be set to "false",
+"disabled", "no", "off", "0" to enable reporting of usage metrics, which is the
+default. Setting the
+.Cm GLOBUS_USAGE_OPTOUT
+environment variable to "1" will also disable the reporting of usage metrics.
+Disabling reporting of usage metrics will cause the
+.Cm UsageStatsTargets
+setting to be ignored.
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIDelegateCredentials
+Specifies whether delegated credentials are stored in the user's environment.
+The default is
+.Dq yes .
.It Cm GSSAPIKeyExchange
Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
doesn't rely on ssh keys to verify host identity.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPICredentialsPath
+If specified, the delegated GSSAPI credential is stored in the
+given path, overwriting any existing credentials.
+Paths can be specified with syntax similar to the AuthorizedKeysFile
+option (i.e., accepting %h and %u tokens).
+When using this option,
+setting 'GssapiCleanupCredentials no' is recommended,
+so logging out of one session
+doesn't remove the credentials in use by another session of
+the same user.
+Currently only implemented for the GSI mechanism.
+.It Cm GSIAllowLimitedProxy
+Specifies whether to accept limited proxy credentials for
+authentication.
+The default is
+.Dq no .
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against. If
and setting it to
.Dq no
may only work with recent Kerberos GSSAPI libraries.
-.It Cm GSSAPICredentialsPath
-If specified, the delegated GSSAPI credential is stored in the
-given path, overwriting any existing credentials.
-Paths can be specified with syntax similar to the AuthorizedKeysFile
-option (i.e., accepting %h and %u tokens).
-When using this option,
-setting 'GssapiCleanupCredentials no' is recommended,
-so logging out of one session
-doesn't remove the credentials in use by another session of
-the same user.
-Currently only implemented for the GSI mechanism.
-.It Cm GSIAllowLimitedProxy
-Specifies whether to accept limited proxy credentials for
-authentication.
-The default is
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed
+or updated credentials from a compatible client. The default is
.Dq no .
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
set in the global section of the config file, until either another
.Cm Match
line or the end of the file.
+.Pp
The arguments to
.Cm Match
are one or more criteria-pattern pairs.
.Cm Host ,
and
.Cm Address .
+The match patterns may consist of single entries or comma-separated
+lists and may use the wildcard and negation operators described in the
+.Sx PATTERNS
+section of
+.Xr ssh_config 5 .
+.Pp
+The patterns in an
+.Cm Address
+criteria may additionally contain addresses to match in CIDR
+address/masklen format, e.g.\&
+.Dq 192.0.2.0/24
+or
+.Dq 3ffe:ffff::/32 .
+Note that the mask length provided must be consistent with the address -
+it is an error to specify a mask length that is too long for the address
+or one with bits set in this host portion of the address.
+For example,
+.Dq 192.0.2.0/33
+and
+.Dq 192.0.2.0/8
+respectively.
+.Pp
Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.
Available keywords are
+.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm Banner ,
+.Cm ChrootDirectory ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
-.Cm GSSApiAuthentication ,
+.Cm GSSAPIAuthentication ,
+.Cm HostbasedAuthentication ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
+.Cm MaxAuthTries ,
+.Cm MaxSessions ,
.Cm PasswordAuthentication ,
+.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
.Cm X11DisplayOffset ,
-.Cm X11Forwarding ,
+.Cm X11Forwarding
and
.Cm X11UseLocalHost .
.It Cm MaxAuthTries
Once the number of failures reaches half this value,
additional failures are logged.
The default is 6.
+.It Cm MaxSessions
+Specifies the maximum number of open sessions permitted per network connection.
+The default is 10.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
SSH daemon.
This option applies to protocol version 1 only.
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
-The minimum value is 512, and the default is 768.
+The minimum value is 512, and the default is 1024.
.It Cm StrictModes
Specifies whether
.Xr sshd 8
.Pp
To disable TCP keepalive messages, the value should be set to
.Dq no .
+.It Cm UsageStatsTargets
+This option can be used to specify the target collector hosts to which usage
+metrics should be reported. This setting will be ignored if
+.Cm DisableUsageStats
+is enabled. Multiple targets can be specified separated by comma(s), but no
+space(s). Each target specification is of the format
+.Pa host:port[!tags].
+Tags control what data elements are reported. The following list specifies
+the tags for the corresponding data elements.
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm V
+.Sm off
+- OpenSSH version, reported by default.
+.Sm on
+.It
+.Cm v
+.Sm off
+- SSL version, reported by default.
+.Sm on
+.It
+.Cm M
+.Sm off
+- User authentication method used such as "gssapi-keyex", "gssapi-with-mic", etc. Reported by default.
+.Sm on
+.It
+.Cm m
+.Sm off
+- User authentication mechanism used such as "GSI", "Kerberos", etc. Reported by default.
+.Sm on
+.It
+.Cm I
+.Sm off
+- Client IP address. Not reported by default.
+.Sm on
+.It
+.Cm u
+.Sm off
+- User name. Not reported by default.
+.Sm on
+.It
+.Cm U
+.Sm off
+- User DN. Not reported by default.
+.Sm on
+.Pp
+In addition to the above selected information, the following data are
+reported to ALL the specified/default target collectors. There's no way to
+exclude these from being reported other than by disabling the reporting of
+usage metrics altogether:
+.Pp
+.It
+.Cm Component code
+.Sm off
+- 12 for GSI OpenSSH
+.Sm on
+.It
+.Cm Component Data Format version
+.Sm off
+- 0 currently
+.Sm on
+.It
+.Cm IP Address
+.Sm off
+- IP address of reporting server
+.Sm on
+.It
+.Cm Timestamp
+.It
+.Cm Hostname
+.Sm off
+- Host name of reporting server
+.Sm on
+.Pp
+If no tags are specified in a host spec, or the special string "default"
+is specified, the tags VvtrlLB are assumed. A site could choose to allow a
+different set of data to be reported by specifying a different tag set. The
+last 3 tags I, u and U above are more meant for a local collector that a
+site might like to deploy since they could be construed as private information.
+The special string "all" denotes all tags.
+.El
+.Pp
+By default, Usage Metrics reporting is sent to
+.Dq usage-stats.cilogon.org:4810 .
+This can be made explicit by specifying
+.Dq default
+(all by itself) for the
+target specification as in:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm UsageStatsTargets
+.Sm off
+default
+.Sm on
+.El
+.Pp
+If
+.Cm UsageStatsTargets
+is not specified, a comma-separated list of targets
+(without any tags specified) if specified in the environment variable
+.Cm GLOBUS_USAGE_TARGETS
+will be used.
+.Pp
.It Cm UseDNS
Specifies whether
.Xr sshd 8
as a non-root user.
The default is
.Dq no .
+.It Cm PermitPAMUserChange
+If set to
+.Dq yes
+this will enable PAM authentication to change the name of the user being
+authenticated. The default is
+.Dq no .
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8