X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/3445ca02ebb0b6599f4742e59c995850c3ac48a7..0598d99d917545f1cf2e2a3a09e29cdbe70302ff:/sshd_config.5 diff --git a/sshd_config.5 b/sshd_config.5 index 8d90785f..3d920cc8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.12 2002/09/04 18:52:42 stevesk Exp $ +.\" $OpenBSD: sshd_config.5,v 1.22 2003/08/13 08:46:31 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -61,10 +61,6 @@ The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): .Bl -tag -width Ds -.It Cm AFSTokenPassing -Specifies whether an AFS token may be forwarded to the server. -Default is -.Dq no . .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. @@ -72,7 +68,7 @@ If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. .Ql \&* and -.Ql ? +.Ql \&? can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. @@ -89,11 +85,11 @@ own forwarders. .It Cm AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. -If specified, login is allowed only for users names that +If specified, login is allowed only for user names that match one of the patterns. .Ql \&* and -.Ql ? +.Ql \&? can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. @@ -107,7 +103,8 @@ Specifies the file that contains the public keys that can be used for user authentication. .Cm AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection -set-up. The following tokens are defined: %% is replaced by a literal '%', +set-up. +The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated and %u is replaced by the username of that user. After expansion, @@ -138,7 +135,7 @@ The default is .Pp .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc'' + aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' .Ed .It Cm ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received @@ -153,20 +150,24 @@ This option applies to protocol version 2 only. Sets the number of client alive messages (see above) which may be sent without .Nm sshd -receiving any messages back from the client. If this threshold is -reached while client alive messages are being sent, +receiving any messages back from the client. +If this threshold is reached while client alive messages are being sent, .Nm sshd -will disconnect the client, terminating the session. It is important -to note that the use of client alive messages is very different from +will disconnect the client, terminating the session. +It is important to note that the use of client alive messages is very +different from .Cm KeepAlive -(below). The client alive messages are sent through the -encrypted channel and therefore will not be spoofable. The TCP keepalive -option enabled by +(below). +The client alive messages are sent through the encrypted channel +and therefore will not be spoofable. +The TCP keepalive option enabled by .Cm KeepAlive -is spoofable. The client alive mechanism is valuable when the client or +is spoofable. +The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. .Pp -The default value is 3. If +The default value is 3. +If .Cm ClientAliveInterval (above) is set to 15, and .Cm ClientAliveCountMax @@ -187,7 +188,7 @@ Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. .Ql \&* and -.Ql ? +.Ql \&? can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. @@ -199,7 +200,7 @@ by spaces. Login is disallowed for user names that match one of the patterns. .Ql \&* and -.Ql ? +.Ql \&? can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. @@ -211,8 +212,8 @@ Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, .Nm sshd -binds remote port forwardings to the loopback address. This -prevents other remote hosts from connecting to forwarded ports. +binds remote port forwardings to the loopback address. +This prevents other remote hosts from connecting to forwarded ports. .Cm GatewayPorts can be used to specify that .Nm sshd @@ -259,7 +260,6 @@ Specifies that and .Pa .shosts files will not be used in -.Cm RhostsAuthentication , .Cm RhostsRSAAuthentication or .Cm HostbasedAuthentication . @@ -322,8 +322,7 @@ Default is .It Cm KerberosTgtPassing Specifies whether a Kerberos TGT may be forwarded to the server. Default is -.Dq no , -as this only works when the Kerberos KDC is actually an AFS kaserver. +.Dq no . .It Cm KerberosTicketCleanup Specifies whether to automatically destroy the user's ticket cache file on logout. @@ -369,10 +368,12 @@ is not specified, .Nm sshd will listen on the address and all prior .Cm Port -options specified. The default is to listen on all local -addresses. Multiple +options specified. +The default is to listen on all local addresses. +Multiple .Cm ListenAddress -options are permitted. Additionally, any +options are permitted. +Additionally, any .Cm Port options must precede this option for non port qualified addresses. .It Cm LoginGraceTime @@ -385,10 +386,10 @@ Gives the verbosity level that is used when logging messages from .Nm sshd . The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. -The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 -and DEBUG3 each specify higher levels of debugging output. -Logging with a DEBUG level violates the privacy of users -and is not recommended. +The default is INFO. +DEBUG and DEBUG1 are equivalent. +DEBUG2 and DEBUG3 each specify higher levels of debugging output. +Logging with a DEBUG level violates the privacy of users and is not recommended. .It Cm MACs Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 @@ -421,12 +422,6 @@ The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches .Dq full (60). -.It Cm PAMAuthenticationViaKbdInt -Specifies whether PAM challenge response authentication is allowed. This -allows the use of most PAM challenge response authentication modules, but -it will allow password authentication regardless of whether -.Cm PasswordAuthentication -is enabled. .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -459,8 +454,8 @@ but only if the .Ar command option has been specified (which may be useful for taking remote backups even if root login is -normally not allowed). All other authentication methods are disabled -for root. +normally not allowed). +All other authentication methods are disabled for root. .Pp If this option is set to .Dq no @@ -533,10 +528,6 @@ Specifies whether public key authentication is allowed. The default is .Dq yes . Note that this option applies to protocol version 2 only. -.It Cm RhostsAuthentication -Specifies whether authentication using rhosts or /etc/hosts.equiv -files is sufficient. -Normally, this method should not be permitted because it is insecure. .Cm RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition @@ -584,6 +575,14 @@ Gives the facility code that is used when logging messages from The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. +.It Cm UseDNS +Specifies whether +.Nm sshd +should lookup the remote host name and check that +the resolved host name for the remote IP address maps back to the +very same IP address. +The default is +.Dq yes . .It Cm UseLogin Specifies whether .Xr login 1 @@ -599,27 +598,28 @@ will be disabled because .Xr login 1 does not know how to handle .Xr xauth 1 -cookies. If +cookies. +If .Cm UsePrivilegeSeparation is specified, it will be disabled after authentication. +.It Cm UsePAM +Enables PAM authentication (via challenge-response) and session set up. +If you enable this, you should probably disable +.Cm PasswordAuthentication . +If you enable +.CM UsePAM +then you will not be able to run sshd as a non-root user. .It Cm UsePrivilegeSeparation Specifies whether .Nm sshd separates privileges by creating an unprivileged child process -to deal with incoming network traffic. After successful authentication, -another process will be created that has the privilege of the authenticated -user. The goal of privilege separation is to prevent privilege +to deal with incoming network traffic. +After successful authentication, another process will be created that has +the privilege of the authenticated user. +The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is .Dq yes . -.It Cm VerifyReverseMapping -Specifies whether -.Nm sshd -should try to verify the remote host name and check that -the resolved host name for the remote IP address maps back to the -very same IP address. -The default is -.Dq no . .It Cm X11DisplayOffset Specifies the first display number available for .Nm sshd Ns 's @@ -630,10 +630,35 @@ from interfering with real X11 servers. The default is 10. .It Cm X11Forwarding Specifies whether X11 forwarding is permitted. +The argument must be +.Dq yes +or +.Dq no . The default is .Dq no . -Note that disabling X11 forwarding does not improve security in any -way, as users can always install their own forwarders. +.Pp +When X11 forwarding is enabled, there may be additional exposure to +the server and to client displays if the +.Nm sshd +proxy display is configured to listen on the wildcard address (see +.Cm X11UseLocalhost +below), however this is not the default. +Additionally, the authentication spoofing and authentication data +verification and substitution occur on the client side. +The security risk of using X11 forwarding is that the client's X11 +display server may be exposed to attack when the ssh client requests +forwarding (see the warnings for +.Cm ForwardX11 +in +.Xr ssh_config 5 ) . +A system administrator may have a stance in which they want to +protect clients that may expose themselves to attack by unwittingly +requesting X11 forwarding, which can warrant a +.Dq no +setting. +.Pp +Note that disabling X11 forwarding does not prevent users from +forwarding X11 traffic, as users can always install their own forwarders. X11 forwarding is automatically disabled if .Cm UseLogin is enabled. @@ -641,7 +666,8 @@ is enabled. Specifies whether .Nm sshd should bind the X11 forwarding server to the loopback address or to -the wildcard address. By default, +the wildcard address. +By default, .Nm sshd binds the forwarding server to the loopback address and sets the hostname part of the @@ -670,7 +696,6 @@ The default is .Pa /usr/X11R6/bin/xauth . .El .Ss Time Formats -.Pp .Nm sshd command-line arguments and configuration file options that specify time may be expressed using a sequence of the form: @@ -719,6 +744,8 @@ Contains configuration data for This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. .El +.Sh SEE ALSO +.Xr sshd 8 .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. @@ -730,5 +757,3 @@ Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -.Sh SEE ALSO -.Xr sshd 8