X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/01e9e424fc8410fc4cb0de666497530267433d1c..5dec79269b347018cf9c6feb4fa8881a9b65c328:/sshd_config.5 diff --git a/sshd_config.5 b/sshd_config.5 index 21201278..b74ab5b8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.93 2008/06/10 07:12:00 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.115 2009/12/29 18:03:32 jmc Exp $ .Dd $Mdocdate$ .Dt SSHD_CONFIG 5 .Os @@ -176,20 +176,22 @@ then no banner is displayed. This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication -Specifies whether challenge-response authentication is allowed. -All authentication styles from -.Xr login.conf 5 -are supported. +Specifies whether challenge-response authentication is allowed (e.g. via +PAM or though authentication styles supported in +.Xr login.conf 5 ) The default is .Dq yes . .It Cm ChrootDirectory -Specifies a path to +Specifies the pathname of a directory to .Xr chroot 2 to after authentication. -This path, and all its components, must be root-owned directories that are +All components of the pathname must be root-owned directories that are not writable by any other user or group. +After the chroot, +.Xr sshd 8 +changes the working directory to the user's home directory. .Pp -The path may contain the following tokens that are expanded at runtime once +The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. @@ -197,7 +199,7 @@ the connecting user has been authenticated: %% is replaced by a literal '%', The .Cm ChrootDirectory must contain the necessary files and directories to support the -users' session. +user's session. For an interactive session this requires at least a shell, typically .Xr sh 1 , and basic @@ -215,8 +217,11 @@ devices. For file transfer sessions using .Dq sftp , no additional configuration of the environment is necessary if the -in-process sftp server is used (see -.Cm Subsystem +in-process sftp server is used, +though sessions which use logging do require +.Pa /dev/log +inside the chroot directory (see +.Xr sftp-server 8 for details). .Pp The default is not to @@ -240,9 +245,9 @@ and .Dq cast128-cbc . The default is: .Bd -literal -offset 3n -aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, -arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, -aes192-ctr,aes256-ctr +aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, +aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, +aes256-cbc,arcfour .Ed .It Cm ClientAliveCountMax Sets the number of client alive messages (see below) which may be @@ -593,6 +598,7 @@ Only a subset of keywords may be used on the lines following a .Cm Match keyword. Available keywords are +.Cm AllowAgentForwarding , .Cm AllowTcpForwarding , .Cm Banner , .Cm ChrootDirectory , @@ -602,13 +608,17 @@ Available keywords are .Cm HostbasedAuthentication , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , +.Cm MaxAuthTries , +.Cm MaxSessions , .Cm PasswordAuthentication , +.Cm PermitEmptyPasswords , .Cm PermitOpen , .Cm PermitRootLogin , +.Cm PubkeyAuthentication , .Cm RhostsRSAAuthentication , .Cm RSAAuthentication , .Cm X11DisplayOffset , -.Cm X11Forwarding , +.Cm X11Forwarding and .Cm X11UseLocalHost . .It Cm MaxAuthTries @@ -783,7 +793,7 @@ and .Sq 2 . Multiple versions must be comma-separated. The default is -.Dq 2,1 . +.Sq 2 . Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. @@ -802,6 +812,9 @@ with successful RSA host authentication is allowed. The default is .Dq no . This option applies to protocol version 1 only. +.It Cm RoutingDomain +Set the routing domain number. +The default routing domain is set by the system. .It Cm RSAAuthentication Specifies whether pure RSA authentication is allowed. The default is @@ -809,7 +822,7 @@ The default is This option applies to protocol version 1 only. .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. -The minimum value is 512, and the default is 768. +The minimum value is 512, and the default is 1024. .It Cm StrictModes Specifies whether .Xr sshd 8 @@ -819,6 +832,9 @@ This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is .Dq yes . +Note that this does not apply to +.Cm ChrootDirectory , +whose permissions and ownership are checked unconditionally. .It Cm Subsystem Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments)