illumos-gate New usr/src/man/man4/sshd

   1 '\" te
   2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" Copyright (c) 2013, Joyent, Inc. All Rights Reserved.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   5 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH SSHD_CONFIG 4 "Jan 17, 2013"
   8 .SH NAME
   9 sshd_config \- sshd configuration file
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fB/etc/ssh/sshd_config\fR
  14 .fi
  15 
  16 .SH DESCRIPTION
  17 .sp
  18 .LP
  19 The \fBsshd\fR(1M) daemon reads configuration data from
  20 \fB/etc/ssh/sshd_config\fR (or the file specified with \fBsshd\fR \fB-f\fR on
  21 the command line). The file contains keyword-value pairs, one per line. A line
  22 starting with a hash mark (\fB#\fR) and empty lines are interpreted as
  23 comments.
  24 .sp
  25 .LP
  26 The \fBsshd_config\fR file supports the following keywords. Unless otherwise
  27 noted, keywords and their arguments are case-insensitive.
  28 .sp
  29 .ne 2
  30 .na
  31 \fB\fBAllowGroups\fR\fR
  32 .ad
  33 .sp .6
  34 .RS 4n
  35 This keyword can be followed by a number of group names, separated by spaces.
  36 If specified, login is allowed only for users whose primary group or
  37 supplementary group list matches one of the patterns. Asterisk (\fB*\fR) and
  38 question mark (\fB?\fR) can be used as wildcards in the patterns. Only group
  39 names are valid; a numerical group ID is not recognized. By default, login is
  40 allowed regardless of the primary group.
  41 .RE
  42 
  43 .sp
  44 .ne 2
  45 .na
  46 \fB\fBAllowTcpForwarding\fR\fR
  47 .ad
  48 .sp .6
  49 .RS 4n
  50 Specifies whether TCP forwarding is permitted. The default is \fByes\fR.
  51 Disabling TCP forwarding does not improve security unless users are also denied
  52 shell access, as they can always install their own forwarders.
  53 .RE
  54 
  55 .sp
  56 .ne 2
  57 .na
  58 \fB\fBAllowUsers\fR\fR
  59 .ad
  60 .sp .6
  61 .RS 4n
  62 This keyword can be followed by a number of user names, separated by spaces. If
  63 specified, login is allowed only for user names that match one of the patterns.
  64 Asterisk (\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the
  65 patterns. Only user names are valid; a numerical user ID is not recognized. By
  66 default login is allowed regardless of the user name.
  67 .sp
  68 If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and
  69 \fIhost\fR are checked separately, restricting logins to particular users from
  70 particular hosts.
  71 .RE
  72 
  73 .sp
  74 .ne 2
  75 .na
  76 \fB\fBAuthorizedKeysFile\fR\fR
  77 .ad
  78 .sp .6
  79 .RS 4n
  80 Specifies the file that contains the public keys that can be used for user
  81 authentication. \fBAuthorizedKeysFile\fR can contain tokens of the form
  82 \fB%T\fR, which are substituted during connection set-up. The following tokens
  83 are defined: \fB%%\fR is replaced by a literal \fB%\fR, \fB%h\fR is replaced by
  84 the home directory of the user being authenticated and \fB%u\fR is replaced by
  85 the username of that user. After expansion, \fBAuthorizedKeysFile\fR is taken
  86 to be an absolute path or one relative to the user's home directory. The
  87 default is \fB\&.ssh/authorized_keys\fR.
  88 .RE
  89 
  90 .sp
  91 .ne 2
  92 .na
  93 \fB\fBBanner\fR\fR
  94 .ad
  95 .sp .6
  96 .RS 4n
  97 In some jurisdictions, sending a warning message before authentication can be
  98 relevant for getting legal protection. The contents of the specified file are
  99 sent to the remote user before authentication is allowed. This option is only
 100 available for protocol version 2. By default, no banner is displayed.
 101 .RE
 102 
 103 .sp
 104 .ne 2
 105 .na
 106 \fB\fBChrootDirectory\fR\fR
 107 .ad
 108 .sp .6
 109 .RS 4n
 110 Specifies a path to \fBchroot\fR(2) to after authentication. This path, and all
 111 its components, must be root-owned directories that are not writable by any
 112 other user or group.
 113 .sp
 114 The server always tries to change to the user's home directory locally under
 115 the chrooted environment but a failure to do so is not considered an error. In
 116 addition, the path might contain the following tokens that are expanded at
 117 runtime once the connecting user has been authenticated: \fB%%\fR is replaced
 118 by a literal \fB%\fR, \fB%h\fR is replaced by the home directory of the user
 119 being authenticated, and \fB%u\fR is replaced by the username of that user.
 120 .sp
 121 The \fBChrootDirectory\fR must contain the necessary files and directories to
 122 support the user's session. For an interactive SSH session this requires at
 123 least a user's shell, shared libraries needed by the shell, dynamic linker, and
 124 possibly basic \fB/dev\fR nodes such as \fBnull\fR, \fBzero\fR, \fBstdin\fR,
 125 \fBstdout\fR, \fBstderr\fR, \fBrandom\fR, and \fBtty\fR. Additionally, terminal
 126 databases are needed for screen oriented applications. For file transfer
 127 sessions using \fBsftp\fR with the SSH protocol version 2, no additional
 128 configuration of the environment is necessary if the in-process \fBsftp\fR
 129 server is used. See \fBSubsystem\fR for details.
 130 .sp
 131 The default is not to \fBchroot\fR(2).
 132 .RE
 133 
 134 .sp
 135 .ne 2
 136 .na
 137 \fB\fBCiphers\fR\fR
 138 .ad
 139 .sp .6
 140 .RS 4n
 141 Specifies the ciphers allowed for protocol version 2. Cipher ordering on the
 142 server side is not relevant. Multiple ciphers must be comma separated.
 143 .sp
 144 Valid ciphers are: \fBaes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc,
 145 aes192-cbc, aes256-cbc, arcfour, arcfour128, arcfour256, 3des-cbc\fR, and
 146 \fBblowfish-cbc\fR.
 147 .sp
 148 The default cipher list is:
 149 .sp
 150 .in +2
 151 .nf
 152 aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,
 153 arcfour256,arcfour
 154 .fi
 155 .in -2
 156 .sp
 157 
 158 Using CBC modes on the server side is not recommended due to potential security
 159 issues in connection with the SSH protocol version 2.
 160 .RE
 161 
 162 .sp
 163 .ne 2
 164 .na
 165 \fB\fBClientAliveCountMax\fR\fR
 166 .ad
 167 .sp .6
 168 .RS 4n
 169 Sets the number of client alive messages, (see \fBClientAliveInterval\fR), that
 170 can be sent without \fBsshd\fR receiving any messages back from the client. If
 171 this threshold is reached while client alive messages are being sent,
 172 \fBsshd\fR disconnects the client, terminating the session. The use of client
 173 alive messages is very different from \fBTCPKeepAlive\fR. The client alive
 174 messages are sent through the encrypted channel and therefore are not
 175 spoofable. The TCP keepalive option enabled by \fBTCPKeepAlive\fR is spoofable.
 176 The client alive mechanism is valuable when a client or server depend on
 177 knowing when a connection has become inactive.
 178 .sp
 179 The default value is 3. If \fBClientAliveInterval\fR is set to 15, and
 180 \fBClientAliveCountMax\fR is left at the default, unresponsive \fBssh\fR
 181 clients are disconnected after approximately 45 seconds.
 182 .RE
 183 
 184 .sp
 185 .ne 2
 186 .na
 187 \fB\fBClientAliveInterval\fR\fR
 188 .ad
 189 .sp .6
 190 .RS 4n
 191 Sets a timeout interval in seconds after which, if no data has been received
 192 from the client, \fBsshd\fR sends a message through the encrypted channel to
 193 request a response from the client. The default is 0, indicating that these
 194 messages are not sent to the client. This option applies only to protocol
 195 version 2.
 196 .RE
 197 
 198 .sp
 199 .ne 2
 200 .na
 201 \fB\fBCompression\fR\fR
 202 .ad
 203 .sp .6
 204 .RS 4n
 205 Controls whether the server allows the client to negotiate the use of
 206 compression. The default is \fByes\fR.
 207 .RE
 208 
 209 .sp
 210 .ne 2
 211 .na
 212 \fB\fBDenyGroups\fR\fR
 213 .ad
 214 .sp .6
 215 .RS 4n
 216 Can be followed by a number of group names, separated by spaces. Users whose
 217 primary group matches one of the patterns are not allowed to log in. Asterisk
 218 (\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the patterns.
 219 Only group names are valid; a numerical group ID is not recognized. By default,
 220 login is allowed regardless of the primary group.
 221 .RE
 222 
 223 .sp
 224 .ne 2
 225 .na
 226 \fB\fBDenyUsers\fR\fR
 227 .ad
 228 .sp .6
 229 .RS 4n
 230 Can be followed by a number of user names, separated by spaces. Login is
 231 disallowed for user names that match one of the patterns. Asterisk (\fB*\fR)
 232 and question mark (\fB?\fR) can be used as wildcards in the patterns. Only user
 233 names are valid; a numerical user ID is not recognized. By default, login is
 234 allowed regardless of the user name.
 235 .sp
 236 If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and
 237 \fIhost\fR are checked separately, disallowing logins to particular users from
 238 particular hosts.
 239 .RE
 240 
 241 .sp
 242 .ne 2
 243 .na
 244 \fB\fBGatewayPorts\fR\fR
 245 .ad
 246 .sp .6
 247 .RS 4n
 248 Specifies whether remote hosts are allowed to connect to ports forwarded for
 249 the client. By default, \fBsshd\fR binds remote port forwardings to the
 250 loopback address. This prevents other remote hosts from connecting to forwarded
 251 ports. \fBGatewayPorts\fR can be used to specify that \fBsshd\fR should bind
 252 remote port forwardings to the wildcard address, thus allowing remote hosts to
 253 connect to forwarded ports.
 254 .sp
 255 The argument can be \fBno\fR to force remote port forwardings to be available
 256 to the local host only, \fByes\fR to force remote port forwardings to bind to
 257 the wildcard address, or \fBclientspecified\fR to allow the client to select
 258 the address to which the forwarding is bound. The default is \fBno\fR. See also
 259 \fBRemoteForward\fR in \fBssh_config\fR(4).
 260 .RE
 261 
 262 .sp
 263 .ne 2
 264 .na
 265 \fB\fBGSSAPIAuthentication\fR\fR
 266 .ad
 267 .sp .6
 268 .RS 4n
 269 Enables/disables GSS-API user authentication. The default is \fByes\fR.
 270 .sp
 271 Currently \fBsshd\fR authorizes client user principals to user accounts as
 272 follows: if the principal name matches the requested user account, then the
 273 principal is authorized. Otherwise, GSS-API authentication fails.
 274 .RE
 275 
 276 .sp
 277 .ne 2
 278 .na
 279 \fB\fBGSSAPIKeyExchange\fR\fR
 280 .ad
 281 .sp .6
 282 .RS 4n
 283 Enables/disables GSS-API-authenticated key exchanges. The default is \fByes\fR.
 284 .sp
 285 This option also enables the use of the GSS-API to authenticate the user to
 286 server after the key exchange. GSS-API key exchange can succeed but the
 287 subsequent authentication using the GSS-API fail if the server does not
 288 authorize the user's GSS principal name to the target user account.
 289 .sp
 290 Currently \fBsshd\fR authorizes client user principals to user accounts as
 291 follows: if the principal name matches the requested user account, then the
 292 principal is authorized. Otherwise, GSS-API authentication fails.
 293 .RE
 294 
 295 .sp
 296 .ne 2
 297 .na
 298 \fB\fBGSSAPIStoreDelegatedCredentials\fR\fR
 299 .ad
 300 .sp .6
 301 .RS 4n
 302 Enables/disables the use of delegated GSS-API credentials on the server-side.
 303 The default is \fByes\fR.
 304 .sp
 305 Specifically, this option, when enabled, causes the server to store delegated
 306 GSS-API credentials in the user's default GSS-API credential store (which for
 307 the Kerberos V mechanism means \fB/tmp/krb5cc_\fI<uid>\fR\fR).
 308 .LP
 309 Note -
 310 .sp
 311 .RS 2
 312 \fBsshd\fR does not take any steps to explicitly destroy stored delegated
 313 GSS-API credentials upon logout. It is the responsibility of PAM modules to
 314 destroy credentials associated with a session.
 315 .RE
 316 .RE
 317 
 318 .sp
 319 .ne 2
 320 .na
 321 \fB\fBHostbasedAuthentication\fR\fR
 322 .ad
 323 .sp .6
 324 .RS 4n
 325 Specifies whether to try \fBrhosts\fR-based authentication with public key
 326 authentication. The argument must be \fByes\fR or \fBno\fR. The default is
 327 \fBno\fR. This option applies to protocol version 2 only and is similar to
 328 \fBRhostsRSAAuthentication\fR. See \fBsshd\fR(1M) for guidelines on setting up
 329 host-based authentication.
 330 .RE
 331 
 332 .sp
 333 .ne 2
 334 .na
 335 \fB\fBHostbasedUsesNameFromPacketOnly\fR\fR
 336 .ad
 337 .sp .6
 338 .RS 4n
 339 Controls which hostname is searched for in the files \fB~/.shosts\fR,
 340 \fB/etc/shosts.equiv\fR, and \fB/etc/hosts.equiv\fR. If this parameter is set
 341 to \fByes\fR, the server uses the name the client claimed for itself and signed
 342 with that host's key. If set to \fBno\fR, the default, the server uses the name
 343 to which the client's IP address resolves.
 344 .sp
 345 Setting this parameter to \fBno\fR disables host-based authentication when
 346 using NAT or when the client gets to the server indirectly through a
 347 port-forwarding firewall.
 348 .RE
 349 
 350 .sp
 351 .ne 2
 352 .na
 353 \fB\fBHostKey\fR\fR
 354 .ad
 355 .sp .6
 356 .RS 4n
 357 Specifies the file containing the private host key used by SSH. The default is
 358 \fB/etc/ssh/ssh_host_key\fR for protocol version 1, and
 359 \fB/etc/ssh/ssh_host_rsa_key\fR and \fB/etc/ssh/ssh_host_dsa_key\fR for
 360 protocol version 2. \fBsshd\fR refuses to use a file if it is
 361 group/world-accessible. It is possible to have multiple host key files.
 362 \fBrsa1\fR keys are used for version 1 and \fBdsa\fR or \fBrsa\fR are used for
 363 version 2 of the SSH protocol.
 364 .RE
 365 
 366 .sp
 367 .ne 2
 368 .na
 369 \fB\fBIgnoreRhosts\fR\fR
 370 .ad
 371 .sp .6
 372 .RS 4n
 373 Specifies that \fB\&.rhosts\fR and \fB\&.shosts\fR files are not used in
 374 authentication. \fB/etc/hosts.equiv\fR and \fB/etc/shosts.equiv\fR are still
 375 used. The default is \fByes\fR. This parameter applies to both protocol
 376 versions 1 and 2.
 377 .RE
 378 
 379 .sp
 380 .ne 2
 381 .na
 382 \fB\fBIgnoreUserKnownHosts\fR\fR
 383 .ad
 384 .sp .6
 385 .RS 4n
 386 Specifies whether \fBsshd\fR should ignore the user's
 387 \fB$HOME/.ssh/known_hosts\fR during \fBRhostsRSAAuthentication\fR. The default
 388 is \fBno\fR. This parameter applies to both protocol versions 1 and 2.
 389 .RE
 390 
 391 .sp
 392 .ne 2
 393 .na
 394 \fB\fBKbdInteractiveAuthentication\fR\fR
 395 .ad
 396 .sp .6
 397 .RS 4n
 398 Specifies whether authentication by means of the "keyboard-interactive"
 399 authentication method (and PAM) is allowed. Defaults to \fByes\fR. (Deprecated:
 400 this parameter can only be set to \fByes\fR.)
 401 .RE
 402 
 403 .sp
 404 .ne 2
 405 .na
 406 \fB\fBTCPKeepAlive\fR\fR
 407 .ad
 408 .sp .6
 409 .RS 4n
 410 Specifies whether the system should send keepalive messages to the other side.
 411 If they are sent, death of the connection or crash of one of the machines is
 412 properly noticed. However, this means that connections die if the route is down
 413 temporarily, which can be an annoyance. On the other hand, if keepalives are
 414 not sent, sessions can hang indefinitely on the server, leaving ghost users and
 415 consuming server resources.
 416 .sp
 417 The default is \fByes\fR (to send keepalives), and the server notices if the
 418 network goes down or the client host reboots. This avoids infinitely hanging
 419 sessions.
 420 .sp
 421 To disable keepalives, the value should be set to \fBno\fR in both the server
 422 and the client configuration files.
 423 .RE
 424 
 425 .sp
 426 .ne 2
 427 .na
 428 \fB\fBKeyRegenerationInterval\fR\fR
 429 .ad
 430 .sp .6
 431 .RS 4n
 432 In protocol version 1, the ephemeral server key is automatically regenerated
 433 after this many seconds (if it has been used). The purpose of regeneration is
 434 to prevent decrypting captured sessions by later breaking into the machine and
 435 stealing the keys. The key is never stored anywhere. If the value is 0, the key
 436 is never regenerated. The default is 3600 (seconds).
 437 .RE
 438 
 439 .sp
 440 .ne 2
 441 .na
 442 \fB\fBListenAddress\fR\fR
 443 .ad
 444 .sp .6
 445 .RS 4n
 446 Specifies what local address \fBsshd\fR should listen on. The following forms
 447 can be used:
 448 .sp
 449 .in +2
 450 .nf
 451 ListenAddress \fIhost\fR|\fIIPv4_addr\fR|\fIIPv6_addr\fR
 452 ListenAddress \fIhost\fR|\fIIPv4_addr\fR:\fIport\fR
 453 ListenAddress [\fIhost\fR|\fIIPv6_addr\fR]:\fIport\fR
 454 .fi
 455 .in -2
 456 
 457 If \fIport\fR is not specified, \fBsshd\fR listens on the address and all prior
 458 \fBPort\fR options specified. The default is to listen on all local addresses.
 459 Multiple \fBListenAddress\fR options are permitted. Additionally, any
 460 \fBPort\fR options must precede this option for non-port qualified addresses.
 461 .sp
 462 The default is to listen on all local addresses. Multiple options of this type
 463 are permitted. Additionally, the \fBPorts\fR options must precede this option.
 464 .RE
 465 
 466 .sp
 467 .ne 2
 468 .na
 469 \fB\fBLoginGraceTime\fR\fR
 470 .ad
 471 .sp .6
 472 .RS 4n
 473 The server disconnects after this time (in seconds) if the user has not
 474 successfully logged in. If the value is 0, there is no time limit. The default
 475 is 120 (seconds).
 476 .RE
 477 
 478 .sp
 479 .ne 2
 480 .na
 481 \fB\fBLogLevel\fR\fR
 482 .ad
 483 .sp .6
 484 .RS 4n
 485 Gives the verbosity level that is used when logging messages from \fBsshd\fR.
 486 The possible values are: \fBQUIET\fR, \fBFATAL\fR, \fBERROR\fR, \fBINFO\fR,
 487 \fBVERBOSE\fR, \fBDEBUG\fR, \fBDEBUG1\fR, \fBDEBUG2\fR, and \fBDEBUG3\fR. The
 488 default is \fBINFO\fR. DEBUG2 and DEBUG3 each specify higher levels of
 489 debugging output. Logging with level \fBDEBUG\fR violates the privacy of users
 490 and is not recommended.
 491 .RE
 492 
 493 .sp
 494 .ne 2
 495 .na
 496 \fB\fBLookupClientHostnames\fR\fR
 497 .ad
 498 .sp .6
 499 .RS 4n
 500 Specifies whether or not to lookup the names of client's addresses. Defaults to
 501 yes.
 502 .RE
 503 
 504 .sp
 505 .ne 2
 506 .na
 507 \fBMACs\fR
 508 .ad
 509 .sp .6
 510 .RS 4n
 511 Specifies the available MAC (message authentication code) algorithms. The MAC
 512 algorithm is used in protocol version 2 for data integrity protection. Multiple
 513 algorithms must be comma-separated. The default is
 514 \fBhmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96\fR.
 515 .RE
 516 
 517 .sp
 518 .ne 2
 519 .na
 520 \fB\fBMaxStartups\fR\fR
 521 .ad
 522 .sp .6
 523 .RS 4n
 524 Specifies the maximum number of concurrent unauthenticated connections to the
 525 \fBsshd\fR daemon. Additional connections are dropped until authentication
 526 succeeds or the \fBLoginGraceTime\fR expires for a connection. The default is
 527 \fB10\fR.
 528 .sp
 529 Alternatively, random early drop can be enabled by specifying the three
 530 colon-separated values \fB\fIstart\fR:\fIrate\fR:\fIfull\fR\fR (for example,
 531 \fB10:30:60\fR). Referring to this example, \fBsshd\fR refuse connection
 532 attempts with a probability of \fIrate\fR/100 (30% in our example) if there are
 533 currently 10 (from the \fIstart\fR field) unauthenticated connections. The
 534 probability increases linearly and all connection attempts are refused if the
 535 number of unauthenticated connections reaches \fIfull\fR (60 in our example).
 536 .RE
 537 
 538 .sp
 539 .ne 2
 540 .na
 541 \fB\fBPasswordAuthentication\fR\fR
 542 .ad
 543 .sp .6
 544 .RS 4n
 545 Specifies whether password authentication is allowed. The default is \fByes\fR.
 546 This option applies to both protocol versions 1 and 2.
 547 .RE
 548 
 549 .sp
 550 .ne 2
 551 .na
 552 \fB\fBPermitEmptyPasswords\fR\fR
 553 .ad
 554 .sp .6
 555 .RS 4n
 556 When password or keyboard-interactive authentication is allowed, it specifies
 557 whether the server allows login to accounts with empty password strings.
 558 .sp
 559 If not set then the \fB/etc/default/login\fR \fBPASSREQ\fR value is used
 560 instead.
 561 .sp
 562 \fBPASSREQ=no\fR is equivalent to \fBPermitEmptyPasswords yes\fR.
 563 \fBPASSREQ=yes\fR is equivalent to \fBPermitEmptyPasswords no\fR. If neither
 564 \fBPermitEmptyPasswords\fR or \fBPASSREQ\fR are set the default is \fBno\fR.
 565 .RE
 566 
 567 .sp
 568 .ne 2
 569 .na
 570 \fB\fBPermitRootLogin\fR\fR
 571 .ad
 572 .sp .6
 573 .RS 4n
 574 Specifies whether the root can log in using \fBssh\fR(1). The argument must be
 575 \fByes\fR, \fBwithout-password\fR, \fBforced-commands-only\fR, or \fBno\fR.
 576 \fBwithout-password\fR means that root cannot be authenticated using the
 577 "password" or "keyboard-interactive" methods (see description of
 578 \fBKbdInteractiveAuthentication\fR). \fBforced-commands-only\fR means that
 579 authentication is allowed only for \fBpublickey\fR (for SSHv2, or RSA, for
 580 SSHv1) and only if the matching \fBauthorized_keys entry\fR for root has a
 581 \fBcommand=\fR\fI<cmd>\fR option.
 582 .sp
 583 In Solaris, the default \fB/etc/ssh/sshd_config\fR file is shipped with
 584 \fBPermitRootLogin\fR set to \fBno\fR. If unset by the administrator, then
 585 \fBCONSOLE\fR parameter from \fB/etc/default/login\fR supplies the default
 586 value as follows: if the \fBCONSOLE\fR parameter is not commented out (it can
 587 even be empty, that is, "\fBCONSOLE=\fR"), then \fBwithout-password\fR is used
 588 as default value. If \fBCONSOLE\fR is commented out, then the default for
 589 \fBPermitRootLogin\fR is \fByes\fR.
 590 .sp
 591 The \fBwithout-password\fR and \fBforced-commands-only\fR settings are useful
 592 for, for example, performing remote administration and backups using trusted
 593 public keys for authentication of the remote client, without allowing access to
 594 the root account using passwords.
 595 .RE
 596 
 597 .sp
 598 .ne 2
 599 .na
 600 \fB\fBPermitUserEnvironment\fR\fR
 601 .ad
 602 .sp .6
 603 .RS 4n
 604 Specifies whether a user's \fB~/.ssh/environment\fR on the server side and
 605 \fBenvironment\fR options in the \fBAuthorizedKeysFile\fR file are processed by
 606 \fBsshd\fR. The default is \fBno\fR. Enabling environment processing can enable
 607 users to bypass access restrictions in some configurations using mechanisms
 608 such as \fBLD_PRELOAD\fR.
 609 .sp
 610 Environment setting from a relevant entry in \fBAuthorizedKeysFile\fR file is
 611 processed only if the user was authenticated using the public key
 612 authentication method. Of the two files used, values of variables set in
 613 \fB~/.ssh/environment\fR are of higher priority.
 614 .RE
 615 
 616 .sp
 617 .ne 2
 618 .na
 619 \fB\fBPidFile\fR\fR
 620 .ad
 621 .sp .6
 622 .RS 4n
 623 Allows you to specify an alternative to \fB/var/run/sshd.pid\fR, the default
 624 file for storing the PID of the \fBsshd\fR listening for connections. See
 625 \fBsshd\fR(1M).
 626 .RE
 627 
 628 .sp
 629 .ne 2
 630 .na
 631 \fB\fBPort\fR\fR
 632 .ad
 633 .sp .6
 634 .RS 4n
 635 Specifies the port number that \fBsshd\fR listens on. The default is 22.
 636 Multiple options of this type are permitted. See also \fBListenAddress\fR.
 637 .RE
 638 
 639 .sp
 640 .ne 2
 641 .na
 642 \fB\fBPrintLastLog\fR\fR
 643 .ad
 644 .sp .6
 645 .RS 4n
 646 Specifies whether \fBsshd\fR should display the date and time when the user
 647 last logged in. The default is \fByes\fR.
 648 .RE
 649 
 650 .sp
 651 .ne 2
 652 .na
 653 \fB\fBPrintMotd\fR\fR
 654 .ad
 655 .sp .6
 656 .RS 4n
 657 Specifies whether \fBsshd\fR should display the contents of \fB/etc/motd\fR
 658 when a user logs in interactively. (On some systems it is also displayed by the
 659 shell or a shell startup file, such as \fB/etc/profile\fR.) The default is
 660 \fByes\fR.
 661 .RE
 662 
 663 .sp
 664 .ne 2
 665 .na
 666 \fB\fBProtocol\fR\fR
 667 .ad
 668 .sp .6
 669 .RS 4n
 670 Specifies the protocol versions \fBsshd\fR should support in order of
 671 preference. The possible values are \fB1\fR and \fB2\fR. Multiple versions must
 672 be comma-separated. The default is \fB2,1\fR. This means that \fBssh\fR tries
 673 version 2 and falls back to version 1 if version 2 is not available.
 674 .RE
 675 
 676 .sp
 677 .ne 2
 678 .na
 679 \fB\fBPubkeyAuthentication\fR\fR
 680 .ad
 681 .sp .6
 682 .RS 4n
 683 Specifies whether public key authentication is allowed. The default is
 684 \fByes\fR. This option applies to protocol version 2 only.
 685 .RE
 686 
 687 .sp
 688 .ne 2
 689 .na
 690 \fB\fBRhostsAuthentication\fR\fR
 691 .ad
 692 .sp .6
 693 .RS 4n
 694 Specifies whether authentication using \fBrhosts\fR or \fB/etc/hosts.equiv\fR
 695 files is sufficient. Normally, this method should not be permitted because it
 696 is insecure. \fBRhostsRSAAuthentication\fR should be used instead, because it
 697 performs RSA-based host authentication in addition to normal \fBrhosts\fR or
 698 \fB/etc/hosts.equiv\fR authentication. The default is \fBno\fR. This parameter
 699 applies only to protocol version 1.
 700 .RE
 701 
 702 .sp
 703 .ne 2
 704 .na
 705 \fB\fBRhostsRSAAuthentication\fR\fR
 706 .ad
 707 .sp .6
 708 .RS 4n
 709 Specifies whether \fBrhosts\fR or \fB/etc/hosts.equiv\fR authentication
 710 together with successful RSA host authentication is allowed. The default is
 711 \fBno\fR. This parameter applies only to protocol version 1.
 712 .RE
 713 
 714 .sp
 715 .ne 2
 716 .na
 717 \fB\fBRSAAuthentication\fR\fR
 718 .ad
 719 .sp .6
 720 .RS 4n
 721 Specifies whether pure RSA authentication is allowed. The default is \fByes\fR.
 722 This option applies to protocol version 1 only.
 723 .RE
 724 
 725 .sp
 726 .ne 2
 727 .na
 728 \fB\fBServerKeyBits\fR\fR
 729 .ad
 730 .sp .6
 731 .RS 4n
 732 Defines the number of bits in the ephemeral protocol version 1 server key. The
 733 minimum value is 512, and the default is 768.
 734 .RE
 735 
 736 .sp
 737 .ne 2
 738 .na
 739 \fB\fBStrictModes\fR\fR
 740 .ad
 741 .sp .6
 742 .RS 4n
 743 Specifies whether \fBsshd\fR should check file modes and ownership of the
 744 user's files and home directory before accepting login. This is normally
 745 desirable because novices sometimes accidentally leave their directory or files
 746 world-writable. The default is \fByes\fR.
 747 .RE
 748 
 749 .sp
 750 .ne 2
 751 .na
 752 \fB\fBSubsystem\fR\fR
 753 .ad
 754 .sp .6
 755 .RS 4n
 756 Configures an external subsystem (for example, a file transfer daemon).
 757 Arguments should be a subsystem name and a command to execute upon subsystem
 758 request. The command \fBsftp-server\fR(1M) implements the \fBsftp\fR file
 759 transfer subsystem.
 760 .sp
 761 Alternately, the name \fBinternal-sftp\fR implements an in-process \fBsftp\fR
 762 server. This can simplify configurations using \fBChrootDirectory\fR to force a
 763 different filesystem root on clients.
 764 .sp
 765 By default, no subsystems are defined. This option applies to protocol version
 766 2 only.
 767 .RE
 768 
 769 .sp
 770 .ne 2
 771 .na
 772 \fB\fBSyslogFacility\fR\fR
 773 .ad
 774 .sp .6
 775 .RS 4n
 776 Gives the facility code that is used when logging messages from \fBsshd\fR. The
 777 possible values are: \fBDAEMON\fR, \fBUSER\fR, \fBAUTH\fR, \fBLOCAL0\fR,
 778 \fBLOCAL1\fR, \fBLOCAL2\fR, \fBLOCAL3\fR, \fBLOCAL4\fR, \fBLOCAL5\fR,
 779 \fBLOCAL6\fR, and \fBLOCAL7\fR. The default is \fBAUTH\fR.
 780 .RE
 781 
 782 .sp
 783 .ne 2
 784 .na
 785 \fB\fBUseOpenSSLEngine\fR\fR
 786 .ad
 787 .sp .6
 788 .RS 4n
 789 Specifies whether \fBsshd\fR should use the OpenSSL PKCS#11 engine for
 790 offloading cryptographic operations to the Cryptographic Framework.
 791 Cryptographic operations are accelerated according to the available installed
 792 plug-ins. When no suitable plug-ins are present this option does not have an
 793 effect. The default is \fByes\fR.
 794 .RE
 795 
 796 .sp
 797 .ne 2
 798 .na
 799 \fB\fBVerifyReverseMapping\fR\fR
 800 .ad
 801 .sp .6
 802 .RS 4n
 803 Specifies whether \fBsshd\fR should try to verify the remote host name and
 804 check that the resolved host name for the remote IP address maps back to the
 805 very same IP address. (A \fByes\fR setting means "verify".) Setting this
 806 parameter to \fBno\fR can be useful where DNS servers might be down and thus
 807 cause \fBsshd\fR to spend much time trying to resolve the client's IP address
 808 to a name. This feature is useful for Internet-facing servers. The default is
 809 \fBno\fR.
 810 .RE
 811 
 812 .sp
 813 .ne 2
 814 .na
 815 \fB\fBX11DisplayOffset\fR\fR
 816 .ad
 817 .sp .6
 818 .RS 4n
 819 Specifies the first display number available for \fBsshd\fR's X11 forwarding.
 820 This prevents \fBsshd\fR from interfering with real X11 servers. The default is
 821 10.
 822 .RE
 823 
 824 .sp
 825 .ne 2
 826 .na
 827 \fB\fBX11Forwarding\fR\fR
 828 .ad
 829 .sp .6
 830 .RS 4n
 831 Specifies whether X11 forwarding is permitted. The default is \fByes\fR.
 832 Disabling X11 forwarding does not improve security in any way, as users can
 833 always install their own forwarders.
 834 .sp
 835 When X11 forwarding is enabled, there can be additional exposure to the server
 836 and to client displays if the \fBsshd\fR proxy display is configured to listen
 837 on the wildcard address (see \fBX11UseLocalhost\fR). However, this is not the
 838 default. Additionally, the authentication spoofing and authentication data
 839 verification and substitution occur on the client side. The security risk of
 840 using X11 forwarding is that the client's X11 display server can be exposed to
 841 attack when the \fBssh\fR client requests forwarding (see the warnings for
 842 \fBForwardX11\fR in \fBssh_config\fR(4)). A system administrator who wants to
 843 protect clients that expose themselves to attack by unwittingly requesting X11
 844 forwarding, should specify a \fBno\fR setting.
 845 .sp
 846 Disabling X11 forwarding does not prevent users from forwarding X11 traffic, as
 847 users can always install their own forwarders.
 848 .RE
 849 
 850 .sp
 851 .ne 2
 852 .na
 853 \fB\fBX11UseLocalhost\fR\fR
 854 .ad
 855 .sp .6
 856 .RS 4n
 857 Specifies whether \fBsshd\fR should bind the X11 forwarding server to the
 858 loopback address or to the wildcard address. By default, \fBsshd\fR binds the
 859 forwarding server to the loopback address and sets the hostname part of the
 860 \fBDISPLAY\fR environment variable to \fBlocalhost\fR. This prevents remote
 861 hosts from connecting to the proxy display. However, some older X11 clients
 862 might not function with this configuration. \fBX11UseLocalhost\fR can be set to
 863 \fBno\fR to specify that the forwarding server should be bound to the wildcard
 864 address. The argument must be \fByes\fR or \fBno\fR. The default is \fByes\fR.
 865 .RE
 866 
 867 .sp
 868 .ne 2
 869 .na
 870 \fB\fBXAuthLocation\fR\fR
 871 .ad
 872 .sp .6
 873 .RS 4n
 874 Specifies the location of the \fBxauth\fR(1) program. The default is
 875 \fB/usr/X11/bin/xauth\fR and \fBsshd\fR attempts to open it when X11 forwarding
 876 is enabled.
 877 .RE
 878 
 879 .SS "Time Formats"
 880 .sp
 881 .LP
 882 \fBsshd\fR command-line arguments and configuration file options that specify
 883 time can be expressed using a sequence of the form:
 884 \fItime\fR[\fIqualifier\fR,] where \fItime\fR is a positive integer value and
 885 \fIqualifier\fR is one of the following:
 886 .sp
 887 .ne 2
 888 .na
 889 \fB\fI<none>\fR\fR
 890 .ad
 891 .RS 10n
 892 seconds
 893 .RE
 894 
 895 .sp
 896 .ne 2
 897 .na
 898 \fB\fBs\fR | \fBS\fR\fR
 899 .ad
 900 .RS 10n
 901 seconds
 902 .RE
 903 
 904 .sp
 905 .ne 2
 906 .na
 907 \fB\fBm\fR | \fBM\fR\fR
 908 .ad
 909 .RS 10n
 910 minutes
 911 .RE
 912 
 913 .sp
 914 .ne 2
 915 .na
 916 \fB\fBh\fR | \fBH\fR\fR
 917 .ad
 918 .RS 10n
 919 hours
 920 .RE
 921 
 922 .sp
 923 .ne 2
 924 .na
 925 \fB\fBd\fR | \fBD\fR\fR
 926 .ad
 927 .RS 10n
 928 days
 929 .RE
 930 
 931 .sp
 932 .ne 2
 933 .na
 934 \fB\fBw\fR | \fB\fR\fR
 935 .ad
 936 .RS 10n
 937 weeks
 938 .RE
 939 
 940 .sp
 941 .LP
 942 Each element of the sequence is added together to calculate the total time
 943 value. For example:
 944 .sp
 945 .ne 2
 946 .na
 947 \fB\fB600\fR\fR
 948 .ad
 949 .RS 9n
 950 600 seconds (10 minutes)
 951 .RE
 952 
 953 .sp
 954 .ne 2
 955 .na
 956 \fB\fB10m\fR\fR
 957 .ad
 958 .RS 9n
 959 10 minutes
 960 .RE
 961 
 962 .sp
 963 .ne 2
 964 .na
 965 \fB\fB1h30m\fR\fR
 966 .ad
 967 .RS 9n
 968 1 hour, 30 minutes (90 minutes)
 969 .RE
 970 
 971 .SH FILES
 972 .sp
 973 .ne 2
 974 .na
 975 \fB\fB/etc/ssh/sshd_config\fR\fR
 976 .ad
 977 .RS 24n
 978 Contains configuration data for \fBsshd\fR. This file should be writable by
 979 root only, but it is recommended (though not necessary) that it be
 980 world-readable.
 981 .RE
 982 
 983 .SH ATTRIBUTES
 984 .sp
 985 .LP
 986 See \fBattributes\fR(5) for descriptions of the following attributes:
 987 .sp
 988 
 989 .sp
 990 .TS
 991 box;
 992 c | c
 993 l | l .
 994 ATTRIBUTE TYPE  ATTRIBUTE VALUE
 995 _
 996 Interface Stability     Uncommitted
 997 .TE
 998 
 999 .SH SEE ALSO
1000 .sp
1001 .LP
1002 \fBlogin\fR(1), \fBsshd\fR(1M), \fBchroot\fR(2), \fBssh_config\fR(4),
1003 \fBattributes\fR(5), \fBkerberos\fR(5)
1004 .SH AUTHORS
1005 .sp
1006 .LP
1007 OpenSSH is a derivative of the original and free \fBssh\fR 1.2.12 release by
1008 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de
1009 Raadt, and Dug Song removed many bugs, re-added recent features, and created
1010 OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5
1011 and 2.0. Niels Provos and Markus Friedl contributed support for privilege
1012 separation.