X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/22616013c4eef383b19b8ad4f95780a316d0a51b..22ce3a3becb01f9487f7fa12b859100c162e231c:/openssh/sshd_config.5 diff --git a/openssh/sshd_config.5 b/openssh/sshd_config.5 index 7255b1c..5a214bf 100644 --- a/openssh/sshd_config.5 +++ b/openssh/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $ -.Dd $Mdocdate: July 2 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $ +.Dd $Mdocdate: April 21 2009 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -176,10 +176,9 @@ then no banner is displayed. This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication -Specifies whether challenge-response authentication is allowed. -All authentication styles from -.Xr login.conf 5 -are supported. +Specifies whether challenge-response authentication is allowed (e.g. via +PAM or though authentication styles supported in +.Xr login.conf 5 ) The default is .Dq yes . .It Cm ChrootDirectory @@ -188,6 +187,9 @@ Specifies a path to to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. +After the chroot, +.Xr sshd 8 +changes the working directory to the user's home directory. .Pp The path may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', @@ -197,7 +199,7 @@ the connecting user has been authenticated: %% is replaced by a literal '%', The .Cm ChrootDirectory must contain the necessary files and directories to support the -users' session. +user's session. For an interactive session this requires at least a shell, typically .Xr sh 1 , and basic @@ -215,8 +217,11 @@ devices. For file transfer sessions using .Dq sftp , no additional configuration of the environment is necessary if the -in-process sftp server is used (see -.Cm Subsystem +in-process sftp server is used, +though sessions which use logging do require +.Pa /dev/log +inside the chroot directory (see +.Xr sftp-server 8 for details). .Pp The default is not to @@ -240,9 +245,9 @@ and .Dq cast128-cbc . The default is: .Bd -literal -offset 3n -aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, -arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, -aes192-ctr,aes256-ctr +aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, +aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, +aes256-cbc,arcfour .Ed .It Cm ClientAliveCountMax Sets the number of client alive messages (see below) which may be @@ -372,7 +377,17 @@ The default is .It Cm GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. The default is -.Dq no . +.Dq yes . +Note that this option applies to protocol version 2 only. +.It Cm GSSAPIDelegateCredentials +Specifies whether delegated credentials are stored in the user's environment. +The default is +.Dq yes . +.It Cm GSSAPIKeyExchange +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange +doesn't rely on ssh keys to verify host identity. +The default is +.Dq yes . Note that this option applies to protocol version 2 only. .It Cm GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials cache @@ -380,6 +395,44 @@ on logout. The default is .Dq yes . Note that this option applies to protocol version 2 only. +.It Cm GSSAPICredentialsPath +If specified, the delegated GSSAPI credential is stored in the +given path, overwriting any existing credentials. +Paths can be specified with syntax similar to the AuthorizedKeysFile +option (i.e., accepting %h and %u tokens). +When using this option, +setting 'GssapiCleanupCredentials no' is recommended, +so logging out of one session +doesn't remove the credentials in use by another session of +the same user. +Currently only implemented for the GSI mechanism. +.It Cm GSIAllowLimitedProxy +Specifies whether to accept limited proxy credentials for +authentication. +The default is +.Dq no . +.It Cm GSSAPIStrictAcceptorCheck +Determines whether to be strict about the identity of the GSSAPI acceptor +a client authenticates against. If +.Dq yes +then the client must authenticate against the +.Pa host +service on the current hostname. If +.Dq no +then the client may authenticate against any service key stored in the +machine's default store. This facility is provided to assist with operation +on multi homed machines. +The default is +.Dq yes . +Note that this option applies only to protocol version 2 GSSAPI connections, +and setting it to +.Dq no +may only work with recent Kerberos GSSAPI libraries. +.It Cm GSSAPIStoreCredentialsOnRekey +Controls whether the user's GSSAPI credentials should be updated following a +successful connection rekeying. This option can be used to accepted renewed +or updated credentials from a compatible client. The default is +.Dq no . .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed @@ -593,6 +646,7 @@ Only a subset of keywords may be used on the lines following a .Cm Match keyword. Available keywords are +.Cm AllowAgentForwarding , .Cm AllowTcpForwarding , .Cm Banner , .Cm ChrootDirectory , @@ -605,12 +659,13 @@ Available keywords are .Cm MaxAuthTries , .Cm MaxSessions , .Cm PasswordAuthentication , +.Cm PermitEmptyPasswords , .Cm PermitOpen , .Cm PermitRootLogin , .Cm RhostsRSAAuthentication , .Cm RSAAuthentication , .Cm X11DisplayOffset , -.Cm X11Forwarding , +.Cm X11Forwarding and .Cm X11UseLocalHost . .It Cm MaxAuthTries @@ -921,6 +976,12 @@ is enabled, you will not be able to run as a non-root user. The default is .Dq no . +.It Cm PermitPAMUserChange +If set to +.Dq yes +this will enable PAM authentication to change the name of the user being +authenticated. The default is +.Dq no . .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8