X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/533b91336948318cf51d3e98e0e320e731f86787..f8f89bae5e11c9c8e1895f0b62b0bdf80a5539fc:/sshd_config.5 diff --git a/sshd_config.5 b/sshd_config.5 index 1bd3a624..5d6fbf68 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,17 +34,15 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.56 2006/03/13 10:14:29 dtucker Exp $ -.Dd September 25, 1999 +.\" $OpenBSD: sshd_config.5,v 1.79 2008/01/01 09:27:33 dtucker Exp $ +.Dd $Mdocdate$ .Dt SSHD_CONFIG 5 .Os .Sh NAME .Nm sshd_config .Nd OpenSSH SSH daemon configuration file .Sh SYNOPSIS -.Bl -tag -width Ds -compact -.It Pa /etc/ssh/sshd_config -.El +.Nm /etc/ssh/sshd_config .Sh DESCRIPTION .Xr sshd 8 reads configuration data from @@ -161,10 +159,11 @@ directory. The default is .Dq .ssh/authorized_keys . .It Cm Banner -In some jurisdictions, sending a warning message before authentication -may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. +If the argument is +.Dq none +then no banner is displayed. This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication @@ -223,6 +222,7 @@ If .Cm ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. +This option applies to protocol version 2 only. .It Cm ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, 
@@ -282,6 +282,18 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm ForceCommand +Forces the execution of the command specified by +.Cm ForceCommand , +ignoring any command supplied by the client. +The command is invoked by using the user's login shell with the -c option. +This applies to shell, command, or subsystem execution. +It is most useful inside a +.Cm Match +block. +The command originally supplied by the client is available in the +.Ev SSH_ORIGINAL_COMMAND +environment variable. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. @@ -322,6 +334,23 @@ This option is similar to and applies to protocol version 2 only. The default is .Dq no . +.It Cm HostbasedUsesNameFromPacketOnly +Specifies whether or not the server will attempt to perform a reverse +name lookup when matching the name in the +.Pa ~/.shosts , +.Pa ~/.rhosts , +and +.Pa /etc/hosts.equiv +files during +.Cm HostbasedAuthentication . +A setting of +.Dq yes +means that +.Xr sshd 8 +uses the name supplied by the client rather than +attempting to resolve the name from the TCP connection itself. +The default is +.Dq no . .It Cm HostKey Specifies a file containing a private host key used by SSH. 
@@ -461,7 +490,47 @@ The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is: -.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . +.Bd -literal -offset indent +hmac-md5,hmac-sha1,umac-64@openssh.com, +hmac-ripemd160,hmac-sha1-96,hmac-md5-96 +.Ed +.It Cm Match +Introduces a conditional block. +If all of the criteria on the +.Cm Match +line are satisfied, the keywords on the following lines override those +set in the global section of the config file, until either another +.Cm Match +line or the end of the file. +The arguments to +.Cm Match +are one or more criteria-pattern pairs. +The available criteria are +.Cm User , +.Cm Group , +.Cm Host , +and +.Cm Address . +Only a subset of keywords may be used on the lines following a +.Cm Match +keyword. +Available keywords are +.Cm AllowTcpForwarding , +.Cm Banner , +.Cm ForceCommand , +.Cm GatewayPorts , +.Cm GSSApiAuthentication , +.Cm KbdInteractiveAuthentication , +.Cm KerberosAuthentication , +.Cm PasswordAuthentication , +.Cm PermitOpen , +.Cm PermitRootLogin , +.Cm RhostsRSAAuthentication , +.Cm RSAAuthentication , +.Cm X11DisplayOffset , +.Cm X11Forwarding , +and +.Cm X11UseLocalHost . .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. 
@@ -501,6 +570,33 @@ When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is .Dq no . +.It Cm PermitOpen +Specifies the destinations to which TCP port forwarding is permitted. +The forwarding specification must be one of the following forms: +.Pp +.Bl -item -offset indent -compact +.It +.Cm PermitOpen +.Sm off +.Ar host : port +.Sm on +.It +.Cm PermitOpen +.Sm off +.Ar IPv4_addr : port +.Sm on +.It +.Cm PermitOpen +.Sm off +.Ar \&[ IPv6_addr \&] : port +.Sm on +.El +.Pp +Multiple forwards may be specified by separating them with whitespace. +An argument of +.Dq any +can be used to remove all restrictions and permit any forwarding requests. +By default all port forwarding requests are permitted. .It Cm PermitRootLogin Specifies whether root can log in using .Xr ssh 1 . @@ -536,10 +632,17 @@ Specifies whether device forwarding is allowed. The argument must be .Dq yes , -.Dq point-to-point , -.Dq ethernet , -or +.Dq point-to-point +(layer 3), +.Dq ethernet +(layer 2), or .Dq no . +Specifying +.Dq yes +permits both +.Dq point-to-point +and +.Dq ethernet . The default is .Dq no . .It Cm PermitUserEnvironment @@ -635,8 +738,8 @@ The default is .Dq yes . .It Cm Subsystem Configures an external subsystem (e.g. file transfer daemon). -Arguments should be a subsystem name and a command to execute upon subsystem -request. +Arguments should be a subsystem name and a command (with optional arguments) +to execute upon subsystem request. The command .Xr sftp-server 8 implements the @@ -819,7 +922,7 @@ is a positive integer value and is one of the following: .Pp .Bl -tag -width Ds -compact -offset indent -.It Cm +.It Aq Cm none seconds .It Cm s | Cm S seconds
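Review bot: in hunk @@ -34,17 the concrete date `.Dd September 25, 1999` is replaced by `.Dd $Mdocdate$`, which yields a real date only if the keyword is expanded when the file is checked in; confirm that this tree's import or build step substitutes it, otherwise the rendered page will carry the literal string `$Mdocdate$` as its date.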
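Review bot: the Banner entry in hunk @@ -161,10 documents the new `none` argument but, with the jurisdiction sentence gone, no longer tells the reader why the option matters or what it exposes; since the surviving text says the file is sent "before authentication is allowed", add one sentence noting that the contents are visible to every client that can reach the port, so the file should not carry hostnames, software versions or other internal details. It would also help to say that `none` is mainly useful to cancel a global Banner from within a `Match` block, which is the case the wording implies.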
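Review bot: the ForceCommand text in hunk @@ -282,6 exposes the client's original request in `SSH_ORIGINAL_COMMAND` without saying that this value is client-supplied and unvalidated; a forced command or wrapper that hands it to a shell or uses it to build a path must treat it as untrusted input, and the entry should say so. Minor mdoc point in the same hunk: "the user's login shell with the -c option" should mark the flag with `.Fl c` rather than a literal hyphen so it renders like the other flags on the page.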
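Review bot: the HostbasedUsesNameFromPacketOnly entry in hunk @@ -322,6 describes the mechanics but not the consequence: with `yes`, the name matched against `~/.shosts`, `~/.rhosts` and `/etc/hosts.equiv` is whatever the client placed in the packet, so the match then rests entirely on the host-key check for that name rather than on the address the connection actually came from. One sentence stating that trade-off, and when `yes` is appropriate (for example, client hosts whose reverse lookup does not yield the name they present), would let an administrator decide with the risk in view.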
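Review bot: in hunk @@ -461,7 the new default MAC list is split across two lines inside `.Bd -literal` with a trailing comma (`hmac-md5,hmac-sha1,umac-64@openssh.com,` / `hmac-ripemd160,hmac-sha1-96,hmac-md5-96`); because the preceding sentence says the value must be comma-separated, state that the line break is for display only and the configured value is a single string, or readers copying it verbatim will produce an invalid setting. In the same hunk, `GSSApiAuthentication` uses a different capitalisation from that keyword's own entry on the page; use the same spelling in the Match list so readers can find the entry. The Match paragraph also says a block's keywords apply "until either another Match line or the end of the file" but not what happens when more than one Match block matches a connection; a sentence on that case would remove a common misreading.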
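Review bot: the PermitOpen entry in hunk @@ -501,6 restricts "the destinations to which TCP port forwarding is permitted" without saying which forwarding it governs; state whether it applies to client-requested local forwards only, to remote forwards, or to both, and how it combines with `AllowTcpForwarding` (listed next to it among the Match keywords), since an administrator reading "By default all port forwarding requests are permitted" may otherwise assume PermitOpen alone is what enables or disables forwarding.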
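Review bot: the Subsystem change in hunk @@ -635,8 now allows "a command (with optional arguments)" but does not say how the arguments are separated or whether quoting is honoured; add a short statement of the parsing rule so that a path containing spaces, or an argument that must stay a single token, is configured correctly.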