- dtucker@cvs.openbsd.org 2010/01/08 21:50:49

[openssh.git] / sshd_config.5

diff --git a/sshd_config.5 b/sshd_config.5
index 9eafb294fe9fddd8818664bc6e176f6eae899808..b74ab5b8cfb03b8d90f6e3d329d53a504e305439 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd_config.5,v 1.101 2009/02/22 23:50:57 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.115 2009/12/29 18:03:32 jmc Exp $

 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os
 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os


@@ -176,20 +176,22 @@ then no banner is displayed.
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication

-Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
+Specifies whether challenge-response authentication is allowed (e.g. via
+PAM or though authentication styles supported in
+.Xr login.conf 5 )

 The default is
 .Dq yes .
 .It Cm ChrootDirectory
 The default is
 .Dq yes .
 .It Cm ChrootDirectory

-Specifies a path to
+Specifies the pathname of a directory to

 .Xr chroot 2
 to after authentication.
 .Xr chroot 2
 to after authentication.

-This path, and all its components, must be root-owned directories that are
+All components of the pathname must be root-owned directories that are

 not writable by any other user or group.
 not writable by any other user or group.

+After the chroot,
+.Xr sshd 8
+changes the working directory to the user's home directory.

 .Pp
 .Pp

-The path may contain the following tokens that are expanded at runtime once
+The pathname may contain the following tokens that are expanded at runtime once

 the connecting user has been authenticated: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated, and
 %u is replaced by the username of that user.
 the connecting user has been authenticated: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated, and
 %u is replaced by the username of that user.


@@ -197,7 +199,7 @@ the connecting user has been authenticated: %% is replaced by a literal '%',
 The
 .Cm ChrootDirectory
 must contain the necessary files and directories to support the
 The
 .Cm ChrootDirectory
 must contain the necessary files and directories to support the

-users' session.
+user's session.

 For an interactive session this requires at least a shell, typically
 .Xr sh 1 ,
 and basic
 For an interactive session this requires at least a shell, typically
 .Xr sh 1 ,
 and basic


@@ -215,8 +217,11 @@ devices.
 For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the
 For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the

-in-process sftp server is used (see
-.Cm Subsystem
+in-process sftp server is used,
+though sessions which use logging do require
+.Pa /dev/log
+inside the chroot directory (see
+.Xr sftp-server 8

 for details).
 .Pp
 The default is not to
 for details).
 .Pp
 The default is not to


@@ -609,12 +614,13 @@ Available keywords are
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,

+.Cm PubkeyAuthentication ,

 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and

-.Cm X11UseLocalHost
+.Cm X11UseLocalHost .

 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.


@@ -787,7 +793,7 @@ and
 .Sq 2 .
 Multiple versions must be comma-separated.
 The default is
 .Sq 2 .
 Multiple versions must be comma-separated.
 The default is

-.Dq 2,1 .
+.Sq 2 .

 Note that the order of the protocol list does not indicate preference,
 because the client selects among multiple protocol versions offered
 by the server.
 Note that the order of the protocol list does not indicate preference,
 because the client selects among multiple protocol versions offered
 by the server.


@@ -806,6 +812,9 @@ with successful RSA host authentication is allowed.
 The default is
 .Dq no .
 This option applies to protocol version 1 only.
 The default is
 .Dq no .
 This option applies to protocol version 1 only.

+.It Cm RoutingDomain
+Set the routing domain number.
+The default routing domain is set by the system.

 .It Cm RSAAuthentication
 Specifies whether pure RSA authentication is allowed.
 The default is
 .It Cm RSAAuthentication
 Specifies whether pure RSA authentication is allowed.
 The default is


@@ -823,6 +832,9 @@ This is normally desirable because novices sometimes accidentally leave their
 directory or files world-writable.
 The default is
 .Dq yes .
 directory or files world-writable.
 The default is
 .Dq yes .

+Note that this does not apply to
+.Cm ChrootDirectory ,
+whose permissions and ownership are checked unconditionally.

 .It Cm Subsystem
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)
 .It Cm Subsystem
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)