X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/8b32eddc967aaf168381bd0552cafc7fd3b6fad6..8af0406b1081f4edaca548090d7c5d4cfb8fb9a3:/openssh/sshd_config.5 diff --git a/openssh/sshd_config.5 b/openssh/sshd_config.5 index 0350340..6b7724d 100644 --- a/openssh/sshd_config.5 +++ b/openssh/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.40 2005/03/18 17:05:00 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -168,26 +168,20 @@ The supported ciphers are .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , +.Dq arcfour128 , +.Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , and .Dq cast128-cbc . The default is .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, + arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, + aes192-ctr,aes256-ctr'' .Ed -.It Cm ClientAliveInterval -Sets a timeout interval in seconds after which if no data has been received -from the client, -.Nm sshd -will send a message through the encrypted -channel to request a response from the client. -The default -is 0, indicating that these messages will not be sent to the client. -This option applies to protocol version 2 only. .It Cm ClientAliveCountMax -Sets the number of client alive messages (see above) which may be +Sets the number of client alive messages (see below) which may be sent without .Nm sshd receiving any messages back from the client. @@ -209,18 +203,29 @@ server depend on knowing when a connection has become inactive. The default value is 3. If .Cm ClientAliveInterval -(above) is set to 15, and +(see below) is set to 15, and .Cm ClientAliveCountMax is left at the default, unresponsive ssh clients will be disconnected after approximately 45 seconds. +.It Cm ClientAliveInterval +Sets a timeout interval in seconds after which if no data has been received +from the client, +.Nm sshd +will send a message through the encrypted +channel to request a response from the client. +The default +is 0, indicating that these messages will not be sent to the client. +This option applies to protocol version 2 only. .It Cm Compression -Specifies whether compression is allowed. +Specifies whether compression is allowed, or delayed until +the user has authenticated successfully. The argument must be -.Dq yes +.Dq yes , +.Dq delayed , or .Dq no . The default is -.Dq yes . +.Dq delayed . .It Cm DenyGroups This keyword can be followed by a list of group name patterns, separated by spaces. @@ -272,21 +277,15 @@ Specifies whether user authentication based on GSSAPI is allowed. The default is .Dq yes . Note that this option applies to protocol version 2 only. -.It Cm GSSAPICleanupCredentials -Specifies whether to automatically destroy the user's credentials cache -on logout. -The default is -.Dq yes . -Note that this option applies to protocol version 2 only. .It Cm GSSAPIKeyExchange -Specifies whether key exchange based on GSSAPI may be used. When using -GSSAPI key exchange the server need not have a host key. +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange +doesn't rely on ssh keys to verify host identity. The default is .Dq yes . Note that this option applies to protocol version 2 only. -.It Cm GSSAPIUseSessionCredCache -Specifies whether a unique credentials cache name should be generated per -session for storing delegated credentials. +.It Cm GSSAPICleanupCredentials +Specifies whether to automatically destroy the user's credentials cache +on logout. The default is .Dq yes . Note that this option applies to protocol version 2 only. @@ -339,7 +338,7 @@ The default is Specifies whether .Nm sshd should ignore the user's -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts during .Cm RhostsRSAAuthentication or @@ -355,7 +354,7 @@ Kerberos servtab which allows the verification of the KDC's identity. Default is .Dq no . .It Cm KerberosGetAFSToken -If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire +If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory. Default is .Dq no . @@ -509,6 +508,18 @@ All other authentication methods are disabled for root. If this option is set to .Dq no root is not allowed to log in. +.It Cm PermitTunnel +Specifies whether +.Xr tun 4 +device forwarding is allowed. +The argument must be +.Dq yes , +.Dq point-to-point , +.Dq ethernet +or +.Dq no . +The default is +.Dq no . .It Cm PermitUserEnvironment Specifies whether .Pa ~/.ssh/environment