.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.62 2006/07/17 12:06:00 dtucker Exp $
-.Dd September 25, 1999
+.\" $OpenBSD: sshd_config.5,v 1.78 2007/08/23 03:22:16 djm Exp $
+.Dd $Mdocdate$
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
.Nm sshd_config
.Nd OpenSSH SSH daemon configuration file
.Sh SYNOPSIS
-.Bl -tag -width Ds -compact
-.It Pa /etc/ssh/sshd_config
-.El
+.Nm /etc/ssh/sshd_config
.Sh DESCRIPTION
.Xr sshd 8
reads configuration data from
The default is
.Dq .ssh/authorized_keys .
.It Cm Banner
-In some jurisdictions, sending a warning message before authentication
-may be relevant for getting legal protection.
The contents of the specified file are sent to the remote user before
authentication is allowed.
+If the argument is
+.Dq none
+then no banner is displayed.
This option is only available for protocol version 2.
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
in
.Xr ssh_config 5
for more information on patterns.
+.It Cm ForceCommand
+Forces the execution of the command specified by
+.Cm ForceCommand ,
+ignoring any command supplied by the client.
+The command is invoked by using the user's login shell with the -c option.
+This applies to shell, command, or subsystem execution.
+It is most useful inside a
+.Cm Match
+block.
+The command originally supplied by the client is available in the
+.Ev SSH_ORIGINAL_COMMAND
+environment variable.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
and applies to protocol version 2 only.
The default is
.Dq no .
+.It Cm HostbasedUsesNameFromPacketOnly
+Specifies whether or not the server will attempt to perform a reverse
+name lookup when matching the name in the
+.Pa ~/.shosts ,
+.Pa ~/.rhosts ,
+and
+.Pa /etc/hosts.equiv
+files during
+.Cm HostbasedAuthentication .
+A setting of
+.Dq yes
+means that
+.Xr sshd 8
+uses the name supplied by the client rather than
+attempting to resolve the name from the TCP connection itself.
+The default is
+.Dq no .
.It Cm HostKey
Specifies a file containing a private host key
used by SSH.
for data integrity protection.
Multiple algorithms must be comma-separated.
The default is:
-.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.Bd -literal -offset indent
+hmac-md5,hmac-sha1,umac-64@openssh.com,
+hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+.Ed
.It Cm Match
Introduces a conditional block.
-Keywords on lines following a
+If all of the criteria on the
.Cm Match
-block are only applied if all of the criteria on the
+line are satisfied, the keywords on the following lines override those
+set in the global section of the config file, until either another
.Cm Match
-are satisfied.
+line or the end of the file.
The arguments to
.Cm Match
-block are one or more criteria-pattern pairs.
+are one or more criteria-pattern pairs.
The available criteria are
.Cm User ,
+.Cm Group ,
.Cm Host ,
and
.Cm Address .
keyword.
Available keywords are
.Cm AllowTcpForwarding ,
+.Cm Banner ,
+.Cm ForceCommand ,
.Cm GatewayPorts ,
+.Cm GSSApiAuthentication ,
+.Cm KbdInteractiveAuthentication ,
+.Cm KerberosAuthentication ,
+.Cm PasswordAuthentication ,
+.Cm PermitOpen ,
+.Cm RhostsRSAAuthentication ,
+.Cm RSAAuthentication ,
+.Cm X11DisplayOffset ,
+.Cm X11Forwarding ,
and
-.Cm PermitOpen .
+.Cm X11UseLocalHost .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
.Sm on
.El
.Pp
-Multiple instances of
-.Cm PermitOpen
-are permitted.
+Multiple forwards may be specified by separating them with whitespace.
An argument of
.Dq any
can be used to remove all restrictions and permit any forwarding requests.
-By default all port forward requests are permitted.
+By default all port forwarding requests are permitted.
.It Cm PermitRootLogin
Specifies whether root can log in using
.Xr ssh 1 .
is one of the following:
.Pp
.Bl -tag -width Ds -compact -offset indent
-.It Cm <none>
+.It Aq Cm none
seconds
.It Cm s | Cm S
seconds