.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.20 2003/06/20 05:47:58 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server.
-Default is
-.Dq no .
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
will disconnect the client, terminating the session.
It is important to note that the use of client alive messages is very
different from
-.Cm KeepAlive
+.Cm TCPKeepAlive
(below).
The client alive messages are sent through the encrypted channel
and therefore will not be spoofable.
The TCP keepalive option enabled by
-.Cm KeepAlive
+.Cm TCPKeepAlive
is spoofable.
The client alive mechanism is valuable when the client or
server depend on knowing when a connection has become inactive.
.Dq no .
The default is
.Dq no .
+.It Cm GSSAPIAuthentication
+Specifies whether user authentication based on GSSAPI is allowed.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
+.It Cm GSSAPICleanupCredentials
+Specifies whether to automatically destroy the user's credentials cache
+on logout.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
and
.Pa .shosts
files will not be used in
-.Cm RhostsAuthentication ,
.Cm RhostsRSAAuthentication
or
.Cm HostbasedAuthentication .
.Cm HostbasedAuthentication .
The default is
.Dq no .
-.It Cm KeepAlive
-Specifies whether the system should send TCP keepalive messages to the
-other side.
-If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
-However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.
-On the other hand, if keepalives are not sent,
-sessions may hang indefinitely on the server, leaving
-.Dq ghost
-users and consuming server resources.
-.Pp
-The default is
-.Dq yes
-(to send keepalives), and the server will notice
-if the network goes down or the client host crashes.
-This avoids infinitely hanging sessions.
-.Pp
-To disable keepalives, the value should be set to
-.Dq no .
.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed.
-This can be in the form of a Kerberos ticket, or if
+Specifies whether the password provided by the user for
.Cm PasswordAuthentication
-is yes, the password provided by the user will be validated through
-the Kerberos KDC.
+will be validated through the Kerberos KDC.
To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
Default is
.Pa /etc/passwd .
Default is
.Dq yes .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is
-.Dq no ,
-as this only works when the Kerberos KDC is actually an AFS kaserver.
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
-.It Cm RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
-files is sufficient.
-Normally, this method should not be permitted because it is insecure.
-.Cm RhostsRSAAuthentication
-should be used
-instead, because it performs RSA-based host authentication in addition
-to normal rhosts or /etc/hosts.equiv authentication.
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
+.It Cm TCPKeepAlive
+Specifies whether the system should send TCP keepalive messages to the
+other side.
+If they are sent, death of the connection or crash of one
+of the machines will be properly noticed.
+However, this means that
+connections will die if the route is down temporarily, and some people
+find it annoying.
+On the other hand, if TCP keepalives are not sent,
+sessions may hang indefinitely on the server, leaving
+.Dq ghost
+users and consuming server resources.
+.Pp
+The default is
+.Dq yes
+(to send TCP keepalive messages), and the server will notice
+if the network goes down or the client host crashes.
+This avoids infinitely hanging sessions.
+.Pp
+To disable TCP keepalive messages, the value should be set to
+.Dq no .
.It Cm UseDNS
Specifies whether
.Nm sshd
.Cm UsePrivilegeSeparation
is specified, it will be disabled after authentication.
.It Cm UsePAM
-Enables PAM authentication (via challenge-response) and session set up.
-If you enable this, you should probably disable
+Enables PAM authentication (via challenge-response) and session set up.
+If you enable this, you should probably disable
.Cm PasswordAuthentication .
-If you enable
+If you enable
.CM UsePAM
-then you will not be able to run sshd as a non-root user.
+then you will not be able to run sshd as a non-root user. The default is
+.Dq no .
.It Cm UsePrivilegeSeparation
Specifies whether
.Nm sshd