- (tim) [configure.ac] Use the C99-conforming functions snprintf() and

[openssh.git] / sshd_config.5

diff --git a/sshd_config.5 b/sshd_config.5
index 833063faa4d1a31493f3d67d57ebe3cca97f8fbd..1e5390a6fb99262d75ccecab06b4882a1176b2ce 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd_config.5,v 1.99 2008/12/30 00:46:56 okan Exp $
+.\" $OpenBSD: sshd_config.5,v 1.116 2010/01/09 23:04:13 dtucker Exp $

 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os
 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os


@@ -176,20 +176,22 @@ then no banner is displayed.
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication

-Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
+Specifies whether challenge-response authentication is allowed (e.g. via
+PAM or though authentication styles supported in
+.Xr login.conf 5 )

 The default is
 .Dq yes .
 .It Cm ChrootDirectory
 The default is
 .Dq yes .
 .It Cm ChrootDirectory

-Specifies a path to
+Specifies the pathname of a directory to

 .Xr chroot 2
 to after authentication.
 .Xr chroot 2
 to after authentication.

-This path, and all its components, must be root-owned directories that are
+All components of the pathname must be root-owned directories that are

 not writable by any other user or group.
 not writable by any other user or group.

+After the chroot,
+.Xr sshd 8
+changes the working directory to the user's home directory.

 .Pp
 .Pp

-The path may contain the following tokens that are expanded at runtime once
+The pathname may contain the following tokens that are expanded at runtime once

 the connecting user has been authenticated: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated, and
 %u is replaced by the username of that user.
 the connecting user has been authenticated: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated, and
 %u is replaced by the username of that user.


@@ -197,7 +199,7 @@ the connecting user has been authenticated: %% is replaced by a literal '%',
 The
 .Cm ChrootDirectory
 must contain the necessary files and directories to support the
 The
 .Cm ChrootDirectory
 must contain the necessary files and directories to support the

-users' session.
+user's session.

 For an interactive session this requires at least a shell, typically
 .Xr sh 1 ,
 and basic
 For an interactive session this requires at least a shell, typically
 .Xr sh 1 ,
 and basic


@@ -215,8 +217,11 @@ devices.
 For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the
 For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the

-in-process sftp server is used (see
-.Cm Subsystem
+in-process sftp server is used,
+though sessions which use logging do require
+.Pa /dev/log
+inside the chroot directory (see
+.Xr sftp-server 8

 for details).
 .Pp
 The default is not to
 for details).
 .Pp
 The default is not to


@@ -240,9 +245,9 @@ and
 .Dq cast128-cbc .
 The default is:
 .Bd -literal -offset 3n
 .Dq cast128-cbc .
 The default is:
 .Bd -literal -offset 3n

-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
+aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
+aes256-cbc,arcfour

 .Ed
 .It Cm ClientAliveCountMax
 Sets the number of client alive messages (see below) which may be
 .Ed
 .It Cm ClientAliveCountMax
 Sets the number of client alive messages (see below) which may be


@@ -609,13 +614,13 @@ Available keywords are
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,

+.Cm PubkeyAuthentication ,

 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,

-.Cm X11Forwarding ,
-.Cm X11UseLocalHost ,
+.Cm X11Forwarding

 and
 and

-.Cm ZeroKnowledgePasswordAuthentication .
+.Cm X11UseLocalHost .

 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.


@@ -788,7 +793,7 @@ and
 .Sq 2 .
 Multiple versions must be comma-separated.
 The default is
 .Sq 2 .
 Multiple versions must be comma-separated.
 The default is

-.Dq 2,1 .
+.Sq 2 .

 Note that the order of the protocol list does not indicate preference,
 because the client selects among multiple protocol versions offered
 by the server.
 Note that the order of the protocol list does not indicate preference,
 because the client selects among multiple protocol versions offered
 by the server.


@@ -824,6 +829,9 @@ This is normally desirable because novices sometimes accidentally leave their
 directory or files world-writable.
 The default is
 .Dq yes .
 directory or files world-writable.
 The default is
 .Dq yes .

+Note that this does not apply to
+.Cm ChrootDirectory ,
+whose permissions and ownership are checked unconditionally.

 .It Cm Subsystem
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)
 .It Cm Subsystem
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)


@@ -1006,17 +1014,6 @@ Specifies the full pathname of the
 program.
 The default is
 .Pa /usr/X11R6/bin/xauth .
 program.
 The default is
 .Pa /usr/X11R6/bin/xauth .

-.It Cm ZeroKnowledgePasswordAuthentication
-Specifies whether to use zero knowledge password authentication.
-This authentication method avoids exposure of password to untrusted
-hosts.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is currently
-.Dq no
-as this method is considered experimental.

 .El
 .Sh TIME FORMATS
 .Xr sshd 8
 .El
 .Sh TIME FORMATS
 .Xr sshd 8