X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/5adf6b9a142245b3f5d707d2fb7475ba47ad7121..HEAD:/sshd_config.5 diff --git a/sshd_config.5 b/sshd_config.5 index d496a1e0..1e5390a6 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.98 2008/11/04 08:22:13 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.116 2010/01/09 23:04:13 dtucker Exp $ .Dd $Mdocdate$ .Dt SSHD_CONFIG 5 .Os @@ -176,20 +176,22 @@ then no banner is displayed. This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication -Specifies whether challenge-response authentication is allowed. -All authentication styles from -.Xr login.conf 5 -are supported. +Specifies whether challenge-response authentication is allowed (e.g. via +PAM or though authentication styles supported in +.Xr login.conf 5 ) The default is .Dq yes . .It Cm ChrootDirectory -Specifies a path to +Specifies the pathname of a directory to .Xr chroot 2 to after authentication. -This path, and all its components, must be root-owned directories that are +All components of the pathname must be root-owned directories that are not writable by any other user or group. +After the chroot, +.Xr sshd 8 +changes the working directory to the user's home directory. .Pp -The path may contain the following tokens that are expanded at runtime once +The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. @@ -197,7 +199,7 @@ the connecting user has been authenticated: %% is replaced by a literal '%', The .Cm ChrootDirectory must contain the necessary files and directories to support the -users' session. +user's session. For an interactive session this requires at least a shell, typically .Xr sh 1 , and basic @@ -215,8 +217,11 @@ devices. For file transfer sessions using .Dq sftp , no additional configuration of the environment is necessary if the -in-process sftp server is used (see -.Cm Subsystem +in-process sftp server is used, +though sessions which use logging do require +.Pa /dev/log +inside the chroot directory (see +.Xr sftp-server 8 for details). .Pp The default is not to @@ -240,9 +245,9 @@ and .Dq cast128-cbc . The default is: .Bd -literal -offset 3n -aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, -arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, -aes192-ctr,aes256-ctr +aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, +aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, +aes256-cbc,arcfour .Ed .It Cm ClientAliveCountMax Sets the number of client alive messages (see below) which may be @@ -593,6 +598,7 @@ Only a subset of keywords may be used on the lines following a .Cm Match keyword. Available keywords are +.Cm AllowAgentForwarding , .Cm AllowTcpForwarding , .Cm Banner , .Cm ChrootDirectory , @@ -608,13 +614,13 @@ Available keywords are .Cm PermitEmptyPasswords , .Cm PermitOpen , .Cm PermitRootLogin , +.Cm PubkeyAuthentication , .Cm RhostsRSAAuthentication , .Cm RSAAuthentication , .Cm X11DisplayOffset , -.Cm X11Forwarding , -.Cm X11UseLocalHost , +.Cm X11Forwarding and -.Cm ZeroKnowledgePasswordAuthentication . +.Cm X11UseLocalHost . .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. @@ -787,7 +793,7 @@ and .Sq 2 . Multiple versions must be comma-separated. The default is -.Dq 2,1 . +.Sq 2 . Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. @@ -823,6 +829,9 @@ This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is .Dq yes . +Note that this does not apply to +.Cm ChrootDirectory , +whose permissions and ownership are checked unconditionally. .It Cm Subsystem Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) @@ -1005,17 +1014,6 @@ Specifies the full pathname of the program. The default is .Pa /usr/X11R6/bin/xauth . -.It Cm ZeroKnowledgePasswordAuthentication -Specifies whether to use zero knowledge password authentication. -This authentication method avoids exposure of password to untrusted -hosts. -The argument to this keyword must be -.Dq yes -or -.Dq no . -The default is currently -.Dq no -as this method is considered experimental. .El .Sh TIME FORMATS .Xr sshd 8