.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.98 2008/11/04 08:22:13 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.116 2010/01/09 23:04:13 dtucker Exp $
.Dd $Mdocdate$
.Dt SSHD_CONFIG 5
.Os
This option is only available for protocol version 2.
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
+Specifies whether challenge-response authentication is allowed (e.g. via
+PAM or though authentication styles supported in
+.Xr login.conf 5 )
The default is
.Dq yes .
.It Cm ChrootDirectory
-Specifies a path to
+Specifies the pathname of a directory to
.Xr chroot 2
to after authentication.
-This path, and all its components, must be root-owned directories that are
+All components of the pathname must be root-owned directories that are
not writable by any other user or group.
+After the chroot,
+.Xr sshd 8
+changes the working directory to the user's home directory.
.Pp
-The path may contain the following tokens that are expanded at runtime once
+The pathname may contain the following tokens that are expanded at runtime once
the connecting user has been authenticated: %% is replaced by a literal '%',
%h is replaced by the home directory of the user being authenticated, and
%u is replaced by the username of that user.
The
.Cm ChrootDirectory
must contain the necessary files and directories to support the
-users' session.
+user's session.
For an interactive session this requires at least a shell, typically
.Xr sh 1 ,
and basic
For file transfer sessions using
.Dq sftp ,
no additional configuration of the environment is necessary if the
-in-process sftp server is used (see
-.Cm Subsystem
+in-process sftp server is used,
+though sessions which use logging do require
+.Pa /dev/log
+inside the chroot directory (see
+.Xr sftp-server 8
for details).
.Pp
The default is not to
.Dq cast128-cbc .
The default is:
.Bd -literal -offset 3n
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
+aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
+aes256-cbc,arcfour
.Ed
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see below) which may be
.Cm Match
keyword.
Available keywords are
+.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm Banner ,
.Cm ChrootDirectory ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
+.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
.Cm X11DisplayOffset ,
-.Cm X11Forwarding ,
-.Cm X11UseLocalHost ,
+.Cm X11Forwarding
and
-.Cm ZeroKnowledgePasswordAuthentication .
+.Cm X11UseLocalHost .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
.Sq 2 .
Multiple versions must be comma-separated.
The default is
-.Dq 2,1 .
+.Sq 2 .
Note that the order of the protocol list does not indicate preference,
because the client selects among multiple protocol versions offered
by the server.
directory or files world-writable.
The default is
.Dq yes .
+Note that this does not apply to
+.Cm ChrootDirectory ,
+whose permissions and ownership are checked unconditionally.
.It Cm Subsystem
Configures an external subsystem (e.g. file transfer daemon).
Arguments should be a subsystem name and a command (with optional arguments)
program.
The default is
.Pa /usr/X11R6/bin/xauth .
-.It Cm ZeroKnowledgePasswordAuthentication
-Specifies whether to use zero knowledge password authentication.
-This authentication method avoids exposure of password to untrusted
-hosts.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is currently
-.Dq no
-as this method is considered experimental.
.El
.Sh TIME FORMATS
.Xr sshd 8
andersk / openssh.git / blobdiff