.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.14 2003/01/23 08:58:47 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.22 2003/08/13 08:46:31 markus Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server.
-Default is
-.Dq no .
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
group or supplementary group list matches one of the patterns.
.Ql \&*
and
-.Ql ?
+.Ql \&?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
match one of the patterns.
.Ql \&*
and
-.Ql ?
+.Ql \&?
can be used as
wildcards in the patterns.
Only user names are valid; a numerical user ID is not recognized.
for user authentication.
.Cm AuthorizedKeysFile
may contain tokens of the form %T which are substituted during connection
-set-up. The following tokens are defined: %% is replaced by a literal '%',
+set-up.
+The following tokens are defined: %% is replaced by a literal '%',
%h is replaced by the home directory of the user being authenticated and
%u is replaced by the username of that user.
After expansion,
.Pp
.Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
- aes192-cbc,aes256-cbc''
+ aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
.Ed
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
Sets the number of client alive messages (see above) which may be
sent without
.Nm sshd
-receiving any messages back from the client. If this threshold is
-reached while client alive messages are being sent,
+receiving any messages back from the client.
+If this threshold is reached while client alive messages are being sent,
.Nm sshd
-will disconnect the client, terminating the session. It is important
-to note that the use of client alive messages is very different from
+will disconnect the client, terminating the session.
+It is important to note that the use of client alive messages is very
+different from
.Cm KeepAlive
-(below). The client alive messages are sent through the
-encrypted channel and therefore will not be spoofable. The TCP keepalive
-option enabled by
+(below).
+The client alive messages are sent through the encrypted channel
+and therefore will not be spoofable.
+The TCP keepalive option enabled by
.Cm KeepAlive
-is spoofable. The client alive mechanism is valuable when the client or
+is spoofable.
+The client alive mechanism is valuable when the client or
server depend on knowing when a connection has become inactive.
.Pp
-The default value is 3. If
+The default value is 3.
+If
.Cm ClientAliveInterval
(above) is set to 15, and
.Cm ClientAliveCountMax
group list matches one of the patterns.
.Ql \&*
and
-.Ql ?
+.Ql \&?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
Login is disallowed for user names that match one of the patterns.
.Ql \&*
and
-.Ql ?
+.Ql \&?
can be used as wildcards in the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
forwarded for the client.
By default,
.Nm sshd
-binds remote port forwardings to the loopback address. This
-prevents other remote hosts from connecting to forwarded ports.
+binds remote port forwardings to the loopback address.
+This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that
.Nm sshd
and
.Pa .shosts
files will not be used in
-.Cm RhostsAuthentication ,
.Cm RhostsRSAAuthentication
or
.Cm HostbasedAuthentication .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the server.
Default is
-.Dq no ,
-as this only works when the Kerberos KDC is actually an AFS kaserver.
+.Dq no .
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.
.Nm sshd
will listen on the address and all prior
.Cm Port
-options specified. The default is to listen on all local
-addresses. Multiple
+options specified.
+The default is to listen on all local addresses.
+Multiple
.Cm ListenAddress
-options are permitted. Additionally, any
+options are permitted.
+Additionally, any
.Cm Port
options must precede this option for non port qualified addresses.
.It Cm LoginGraceTime
.Nm sshd .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
-The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
-and DEBUG3 each specify higher levels of debugging output.
-Logging with a DEBUG level violates the privacy of users
-and is not recommended.
+The default is INFO.
+DEBUG and DEBUG1 are equivalent.
+DEBUG2 and DEBUG3 each specify higher levels of debugging output.
+Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used in protocol version 2
are refused if the number of unauthenticated connections reaches
.Dq full
(60).
-.It Cm PAMAuthenticationViaKbdInt
-Specifies whether PAM challenge response authentication is allowed. This
-allows the use of most PAM challenge response authentication modules, but
-it will allow password authentication regardless of whether
-.Cm PasswordAuthentication
-is enabled.
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
.Ar command
option has been specified
(which may be useful for taking remote backups even if root login is
-normally not allowed). All other authentication methods are disabled
-for root.
+normally not allowed).
+All other authentication methods are disabled for root.
.Pp
If this option is set to
.Dq no
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
-.It Cm RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
-files is sufficient.
-Normally, this method should not be permitted because it is insecure.
.Cm RhostsRSAAuthentication
should be used
instead, because it performs RSA-based host authentication in addition
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
+.It Cm UseDNS
+Specifies whether
+.Nm sshd
+should lookup the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq yes .
.It Cm UseLogin
Specifies whether
.Xr login 1
.Xr login 1
does not know how to handle
.Xr xauth 1
-cookies. If
+cookies.
+If
.Cm UsePrivilegeSeparation
is specified, it will be disabled after authentication.
+.It Cm UsePAM
+Enables PAM authentication (via challenge-response) and session set up.
+If you enable this, you should probably disable
+.Cm PasswordAuthentication .
+If you enable
+.CM UsePAM
+then you will not be able to run sshd as a non-root user.
.It Cm UsePrivilegeSeparation
Specifies whether
.Nm sshd
separates privileges by creating an unprivileged child process
-to deal with incoming network traffic. After successful authentication,
-another process will be created that has the privilege of the authenticated
-user. The goal of privilege separation is to prevent privilege
+to deal with incoming network traffic.
+After successful authentication, another process will be created that has
+the privilege of the authenticated user.
+The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
-.It Cm VerifyReverseMapping
-Specifies whether
-.Nm sshd
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Nm sshd Ns 's
forwarding (see the warnings for
.Cm ForwardX11
in
-.Xr ssh_config 5 ).
+.Xr ssh_config 5 ) .
A system administrator may have a stance in which they want to
protect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a
Specifies whether
.Nm sshd
should bind the X11 forwarding server to the loopback address or to
-the wildcard address. By default,
+the wildcard address.
+By default,
.Nm sshd
binds the forwarding server to the loopback address and sets the
hostname part of the
.Pa /usr/X11R6/bin/xauth .
.El
.Ss Time Formats
-.Pp
.Nm sshd
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
This file should be writable by root only, but it is recommended
(though not necessary) that it be world-readable.
.El
+.Sh SEE ALSO
+.Xr sshd 8
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
protocol versions 1.5 and 2.0.
Niels Provos and Markus Friedl contributed support
for privilege separation.
-.Sh SEE ALSO
-.Xr sshd 8