.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.34 2004/06/13 14:01:42 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
user environments.
For this reason, care should be taken in the use of this directive.
The default is not to accept any environment variables.
+.It Cm AddressFamily
+Specifies which address family should be used by
+.Nm sshd .
+Valid arguments are
+.Dq any ,
+.Dq inet
+(use IPv4 only) or
+.Dq inet6
+(use IPv6 only).
+The default is
+.Dq any .
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
+.Dq arcfour128 ,
+.Dq arcfour256 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
.Dq cast128-cbc .
The default is
.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
- aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
+ ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+ arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+ aes192-ctr,aes256-ctr''
.Ed
-.It Cm ClientAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the client,
-.Nm sshd
-will send a message through the encrypted
-channel to request a response from the client.
-The default
-is 0, indicating that these messages will not be sent to the client.
-This option applies to protocol version 2 only.
.It Cm ClientAliveCountMax
-Sets the number of client alive messages (see above) which may be
+Sets the number of client alive messages (see below) which may be
sent without
.Nm sshd
receiving any messages back from the client.
The default value is 3.
If
.Cm ClientAliveInterval
-(above) is set to 15, and
+(see below) is set to 15, and
.Cm ClientAliveCountMax
is left at the default, unresponsive ssh clients
will be disconnected after approximately 45 seconds.
+.It Cm ClientAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the client,
+.Nm sshd
+will send a message through the encrypted
+channel to request a response from the client.
+The default
+is 0, indicating that these messages will not be sent to the client.
+This option applies to protocol version 2 only.
.It Cm Compression
-Specifies whether compression is allowed.
+Specifies whether compression is allowed, or delayed until
+the user has authenticated successfully.
The argument must be
-.Dq yes
+.Dq yes ,
+.Dq delayed ,
or
.Dq no .
The default is
-.Dq yes .
+.Dq delayed .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
.Cm GatewayPorts
can be used to specify that
.Nm sshd
-should bind remote port forwardings to the wildcard address,
-thus allowing remote hosts to connect to forwarded ports.
-The argument must be
+should allow remote port forwardings to bind to non-loopback addresses, thus
+allowing other hosts to connect.
+The argument may be
+.Dq no
+to force remote port forwardings to be available to the local host only,
.Dq yes
-or
-.Dq no .
+to force remote port forwardings to bind to the wildcard address, or
+.Dq clientspecified
+to allow the client to select the address to which the forwarding is bound.
The default is
.Dq no .
.It Cm GSSAPIAuthentication
Specifies whether
.Nm sshd
should ignore the user's
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
during
.Cm RhostsRSAAuthentication
or
Default is
.Dq no .
.It Cm KerberosGetAFSToken
-If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
+If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
an AFS token before accessing the user's home directory.
Default is
.Dq no .
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
-connection. Once the number of failures reaches half this value, additional
-failures are logged. The default is 6.
+connection.
+Once the number of failures reaches half this value,
+additional failures are logged.
+The default is 6.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm sshd
The default is
.Dq no .
.It Cm PermitRootLogin
-Specifies whether root can login using
+Specifies whether root can log in using
.Xr ssh 1 .
The argument must be
.Dq yes ,
.Pp
If this option is set to
.Dq without-password
-password authentication is disabled for root. Note that other authentication
-methods (e.g., keyboard-interactive/PAM) may still allow root to login using
-a password.
+password authentication is disabled for root.
.Pp
If this option is set to
.Dq forced-commands-only
.Pp
If this option is set to
.Dq no
-root is not allowed to login.
+root is not allowed to log in.
+.It Cm PermitTunnel
+Specifies whether
+.Xr tun 4
+device forwarding is allowed.
+The argument must be
+.Dq yes ,
+.Dq point-to-point ,
+.Dq ethernet
+or
+.Dq no .
+The default is
+.Dq no .
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
.It Cm PrintLastLog
Specifies whether
.Nm sshd
-should print the date and time when the user last logged in.
+should print the date and time of the last user login when a user logs
+in interactively.
The default is
.Dq yes .
.It Cm PrintMotd
.It Cm UseDNS
Specifies whether
.Nm sshd
-should lookup the remote host name and check that
+should look up the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
andersk / openssh.git / blobdiff