- (tim) [regress/sftp-cmds.sh] s/cd/lcd/ in lls test. Reported by

[openssh.git] / sshd_config.5

diff --git a/sshd_config.5 b/sshd_config.5
index 9196b761ea7a72fb967b94928a5eb23d51d838a3..6671fa9ed70fd5ba94b81bcec9c781fc09b34544 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,17 +34,15 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd_config.5,v 1.66 2006/07/19 08:56:41 dtucker Exp $
-.Dd September 25, 1999
+.\" $OpenBSD: sshd_config.5,v 1.82 2008/02/10 09:55:37 djm Exp $
+.Dd $Mdocdate$

 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
 .Nm sshd_config
 .Nd OpenSSH SSH daemon configuration file
 .Sh SYNOPSIS
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
 .Nm sshd_config
 .Nd OpenSSH SSH daemon configuration file
 .Sh SYNOPSIS

-.Bl -tag -width Ds -compact
-.It Pa /etc/ssh/sshd_config
-.El
+.Nm /etc/ssh/sshd_config

 .Sh DESCRIPTION
 .Xr sshd 8
 reads configuration data from
 .Sh DESCRIPTION
 .Xr sshd 8
 reads configuration data from


@@ -161,10 +159,11 @@ directory.
 The default is
 .Dq .ssh/authorized_keys .
 .It Cm Banner
 The default is
 .Dq .ssh/authorized_keys .
 .It Cm Banner

-In some jurisdictions, sending a warning message before authentication
-may be relevant for getting legal protection.

 The contents of the specified file are sent to the remote user before
 authentication is allowed.
 The contents of the specified file are sent to the remote user before
 authentication is allowed.

+If the argument is
+.Dq none
+then no banner is displayed.

 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication


@@ -174,6 +173,45 @@ All authentication styles from
 are supported.
 The default is
 .Dq yes .
 are supported.
 The default is
 .Dq yes .

+.It Cm ChrootDirectory
+Specifies a path to
+.Xr chroot 2
+to after authentication.
+This path, and all its components, must be root-owned directories that are
+not writable by any other user or group.
+.Pp
+The path may contain the following tokens that are expanded at runtime once
+the connecting user has been authenticated: %% is replaced by a literal '%',
+%h is replaced by the home directory of the user being authenticated, and
+%u is replaced by the username of that user.
+.Pp
+The
+.Cm ChrootDirectory
+must contain the necessary files and directories to support the
+users' session.
+For an interactive session this requires at least a shell, typically
+.Xr sh 1 ,
+and basic
+.Pa /dev
+nodes such as
+.Xr null 4 ,
+.Xr zero 4 ,
+.Xr stdin 4 ,
+.Xr stdout 4 ,
+.Xr stderr 4 ,
+.Xr arandom 4
+and
+.Xr tty 4
+devices.
+For file transfer sessions using
+.Dq sftp ,
+no additional configuration of the environment is necessary if the
+in-process sftp server is used (see
+.Cm Subsystem
+for details).
+.Pp
+The default is not to
+.Xr chroot 2 .

 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.


@@ -283,6 +321,23 @@ See
 in
 .Xr ssh_config 5
 for more information on patterns.
 in
 .Xr ssh_config 5
 for more information on patterns.

+.It Cm ForceCommand
+Forces the execution of the command specified by
+.Cm ForceCommand ,
+ignoring any command supplied by the client.
+The command is invoked by using the user's login shell with the -c option.
+This applies to shell, command, or subsystem execution.
+It is most useful inside a
+.Cm Match
+block.
+The command originally supplied by the client is available in the
+.Ev SSH_ORIGINAL_COMMAND
+environment variable.
+Specifying a command of
+.Dq internal-sftp
+will force the use of an in-process sftp server that requires no support
+files when used with
+.Cm ChrootDirectory .

 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.


@@ -323,6 +378,23 @@ This option is similar to
 and applies to protocol version 2 only.
 The default is
 .Dq no .
 and applies to protocol version 2 only.
 The default is
 .Dq no .

+.It Cm HostbasedUsesNameFromPacketOnly
+Specifies whether or not the server will attempt to perform a reverse
+name lookup when matching the name in the
+.Pa ~/.shosts ,
+.Pa ~/.rhosts ,
+and
+.Pa /etc/hosts.equiv
+files during
+.Cm HostbasedAuthentication .
+A setting of
+.Dq yes
+means that
+.Xr sshd 8
+uses the name supplied by the client rather than
+attempting to resolve the name from the TCP connection itself.
+The default is
+.Dq no .

 .It Cm HostKey
 Specifies a file containing a private host key
 used by SSH.
 .It Cm HostKey
 Specifies a file containing a private host key
 used by SSH.


@@ -462,7 +534,10 @@ The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is:
 for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is:

-.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.Bd -literal -offset indent
+hmac-md5,hmac-sha1,umac-64@openssh.com,
+hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+.Ed

 .It Cm Match
 Introduces a conditional block.
 If all of the criteria on the
 .It Cm Match
 Introduces a conditional block.
 If all of the criteria on the


@@ -476,6 +551,7 @@ The arguments to
 are one or more criteria-pattern pairs.
 The available criteria are
 .Cm User ,
 are one or more criteria-pattern pairs.
 The available criteria are
 .Cm User ,

+.Cm Group ,

 .Cm Host ,
 and
 .Cm Address .
 .Cm Host ,
 and
 .Cm Address .


@@ -484,8 +560,17 @@ Only a subset of keywords may be used on the lines following a
 keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
 keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,

+.Cm Banner ,
+.Cm ForceCommand ,

 .Cm GatewayPorts ,
 .Cm GatewayPorts ,

+.Cm GSSApiAuthentication ,
+.Cm KbdInteractiveAuthentication ,
+.Cm KerberosAuthentication ,
+.Cm PasswordAuthentication ,

 .Cm PermitOpen ,
 .Cm PermitOpen ,

+.Cm PermitRootLogin ,
+.Cm RhostsRSAAuthentication ,
+.Cm RSAAuthentication ,

 .Cm X11DisplayOffset ,
 .Cm X11Forwarding ,
 and
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding ,
 and


@@ -551,9 +636,7 @@ The forwarding specification must be one of the following forms:
 .Sm on
 .El
 .Pp
 .Sm on
 .El
 .Pp

-Multiple instances of
-.Cm PermitOpen
-are permitted.
+Multiple forwards may be specified by separating them with whitespace.

 An argument of
 .Dq any
 can be used to remove all restrictions and permit any forwarding requests.
 An argument of
 .Dq any
 can be used to remove all restrictions and permit any forwarding requests.


@@ -701,11 +784,22 @@ The default is
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)
 to execute upon subsystem request.
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)
 to execute upon subsystem request.

+.Pp

 The command
 .Xr sftp-server 8
 implements the
 .Dq sftp
 file transfer subsystem.
 The command
 .Xr sftp-server 8
 implements the
 .Dq sftp
 file transfer subsystem.

+.Pp
+Alternately the name
+.Dq internal-sftp
+implements an in-process
+.Dq sftp
+server.
+This may simplify configurations using
+.Cm ChrootDirectory
+to force a different filesystem root on clients.
+.Pp

 By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.
 .It Cm SyslogFacility
 By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.
 .It Cm SyslogFacility