.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.6 2002/07/30 17:03:55 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.16 2003/04/30 01:16:20 mouring Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
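Review bot: the document date on the line `.Dd September 25, 1999` is left untouched while the RCS id moves from v1.6 (2002) to v1.16 (2003) and the rest of the patch changes a documented default and adds new security guidance; bump the `.Dd` date in this hunk so the rendered page reflects when its content was last revised.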
group or supplementary group list matches one of the patterns.
.Ql \&*
and
-.Ql ?
+.Ql \&?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
-If specified, login is allowed only for users names that
+If specified, login is allowed only for user names that
match one of the patterns.
.Ql \&*
and
-.Ql ?
+.Ql \&?
can be used as
wildcards in the patterns.
Only user names are valid; a numerical user ID is not recognized.
group list matches one of the patterns.
.Ql \&*
and
-.Ql ?
+.Ql \&?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
Login is disallowed for user names that match one of the patterns.
.Ql \&*
and
-.Ql ?
+.Ql \&?
can be used as wildcards in the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
forwarded for the client.
By default,
.Nm sshd
-binds remote port forwardings to the loopback address. This
-prevents other remote hosts from connecting to forwarded ports.
+binds remote port forwardings to the loopback address.
+This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that
.Nm sshd
will listen on the address and all prior
.Cm Port
options specified. The default is to listen on all local
-addresses. Multiple
+addresses.
+Multiple
.Cm ListenAddress
options are permitted. Additionally, any
.Cm Port
The server disconnects after this time if the user has not
successfully logged in.
If the value is 0, there is no time limit.
-The default is 600 (seconds).
+The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Nm sshd .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
-The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
-and DEBUG3 each specify higher levels of debugging output.
-Logging with a DEBUG level violates the privacy of users
-and is not recommended.
+The default is INFO.
+DEBUG and DEBUG1 are equivalent.
+DEBUG2 and DEBUG3 each specify higher levels of debugging output.
+Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used in protocol version 2
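Review bot: the change from "The default is 600 (seconds)." to "The default is 120 seconds." alters a documented behaviour, not just wording, so confirm that the server's compiled-in default for this grace timer really is 120 before merging; a man page that disagrees with the binary is worse than one that is merely unpunctuated. The LogLevel sentence split in the same hunk is fine.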
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
-is read by
-.Nm sshd
-and whether
+and
.Cm environment=
options in
.Pa ~/.ssh/authorized_keys
-files are permitted.
+are processed by
+.Nm sshd .
The default is
.Dq no .
-This option is useful for locked-down installations where
-.Ev LD_PRELOAD
-and suchlike can cause security problems.
+Enabling environment processing may enable users to bypass access
+restrictions in some configurations using mechanisms such as
+.Ev LD_PRELOAD .
.It Cm PidFile
Specifies the file that contains the process ID of the
.Nm sshd
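Review bot: in the PermitUserEnvironment text, "Enabling environment processing may enable users to bypass access restrictions" uses "enable" twice in one clause; "may allow users to bypass" reads more cleanly. Otherwise the rewrite is an improvement, since it states the risk (bypassing restrictions via mechanisms such as `.Ev LD_PRELOAD`) instead of the vaguer "can cause security problems".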
.Xr login 1
does not know how to handle
.Xr xauth 1
-cookies. If
+cookies.
+If
.Cm UsePrivilegeSeparation
is specified, it will be disabled after authentication.
.It Cm UsePrivilegeSeparation
Specifies whether
.Nm sshd
separates privileges by creating an unprivileged child process
-to deal with incoming network traffic. After successful authentication,
-another process will be created that has the privilege of the authenticated
-user. The goal of privilege separation is to prevent privilege
+to deal with incoming network traffic.
+After successful authentication, another process will be created that has
+the privilege of the authenticated user.
+The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
The default is 10.
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
+The argument must be
+.Dq yes
+or
+.Dq no .
The default is
.Dq no .
-Note that disabling X11 forwarding does not improve security in any
-way, as users can always install their own forwarders.
+.Pp
+When X11 forwarding is enabled, there may be additional exposure to
+the server and to client displays if the
+.Nm sshd
+proxy display is configured to listen on the wildcard address (see
+.Cm X11UseLocalhost
+below), however this is not the default.
+Additionally, the authentication spoofing and authentication data
+verification and substitution occur on the client side.
+The security risk of using X11 forwarding is that the client's X11
+display server may be exposed to attack when the ssh client requests
+forwarding (see the warnings for
+.Cm ForwardX11
+in
+.Xr ssh_config 5 ).
+A system administrator may have a stance in which they want to
+protect clients that may expose themselves to attack by unwittingly
+requesting X11 forwarding, which can warrant a
+.Dq no
+setting.
+.Pp
+Note that disabling X11 forwarding does not prevent users from
+forwarding X11 traffic, as users can always install their own forwarders.
X11 forwarding is automatically disabled if
.Cm UseLogin
is enabled.
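Review bot: the added sentence "Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side." is hard to parse and largely restates the sentence that follows it ("The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack ..."); either drop it or fold its point into that next sentence. Likewise "A system administrator may have a stance in which they want to protect clients" is wordy; "An administrator may wish to protect clients that unwittingly request X11 forwarding, which can warrant a `.Dq no` setting." says the same thing. The replacement of the old "does not improve security in any way" claim with the more precise "does not prevent users from forwarding X11 traffic" is a good change, and adding the explicit "The argument must be yes or no" matches the style used for other options.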
Specifies whether
.Nm sshd
should bind the X11 forwarding server to the loopback address or to
-the wildcard address. By default,
+the wildcard address.
+By default,
.Nm sshd
binds the forwarding server to the loopback address and sets the
hostname part of the
.Ev DISPLAY
environment variable to
.Dq localhost .
-This prevents remote hosts from connecting to the fake display.
+This prevents remote hosts from connecting to the proxy display.
However, some older X11 clients may not function with this
configuration.
.Cm X11UseLocalhost
The default is
.Dq yes .
.It Cm XAuthLocation
-Specifies the location of the
+Specifies the full pathname of the
.Xr xauth 1
program.
The default is
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
.Sm off
-.Ar time Oo Ar qualifier Oc ,
+.Ar time Op Ar qualifier ,
.Sm on
where
.Ar time