3477 SunSSH config should accept TCPKeepAlive as synonym for KeepAlive
Reviewed by: Jerry Jelinek <jerry@joyent.com>
   1 '\" te
   2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   4 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   5 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH SSHD_CONFIG 4 "Mar 26, 2009"
   7 .SH NAME
   8 sshd_config \- sshd configuration file
   9 .SH SYNOPSIS
  10 .LP
  11 .nf
  12 \fB/etc/ssh/sshd_config\fR
  13 .fi
  14 
  15 .SH DESCRIPTION
  16 .sp
  17 .LP
  18 The \fBsshd\fR(1M) daemon reads configuration data from
  19 \fB/etc/ssh/sshd_config\fR (or the file specified with \fBsshd\fR \fB-f\fR on
  20 the command line). The file contains keyword-value pairs, one per line. A line
  21 starting with a hash mark (\fB#\fR) and empty lines are interpreted as
  22 comments.
  23 .sp
  24 .LP
  25 The \fBsshd_config\fR file supports the following keywords. Unless otherwise
  26 noted, keywords and their arguments are case-insensitive.


 152 arcfour256,arcfour
 153 .fi
 154 .in -2
 155 .sp
 156 
 157 Using CBC modes on the server side is not recommended due to potential security
 158 issues in connection with the SSH protocol version 2.
 159 .RE
 160 
 161 .sp
 162 .ne 2
 163 .na
 164 \fB\fBClientAliveCountMax\fR\fR
 165 .ad
 166 .sp .6
 167 .RS 4n
 168 Sets the number of client alive messages, (see \fBClientAliveInterval\fR), that
 169 can be sent without \fBsshd\fR receiving any messages back from the client. If
 170 this threshold is reached while client alive messages are being sent,
 171 \fBsshd\fR disconnects the client, terminating the session. The use of client
 172 alive messages is very different from \fBKeepAlive\fR. The client alive
 173 messages are sent through the encrypted channel and therefore are not
 174 spoofable. The TCP keepalive option enabled by \fBKeepAlive\fR is spoofable.
 175 The client alive mechanism is valuable when a client or server depend on
 176 knowing when a connection has become inactive.
 177 .sp
 178 The default value is 3. If \fBClientAliveInterval\fR is set to 15, and
 179 \fBClientAliveCountMax\fR is left at the default, unresponsive \fBssh\fR
 180 clients are disconnected after approximately 45 seconds.
 181 .RE
 182 
 183 .sp
 184 .ne 2
 185 .na
 186 \fB\fBClientAliveInterval\fR\fR
 187 .ad
 188 .sp .6
 189 .RS 4n
 190 Sets a timeout interval in seconds after which, if no data has been received
 191 from the client, \fBsshd\fR sends a message through the encrypted channel to
 192 request a response from the client. The default is 0, indicating that these
 193 messages are not sent to the client. This option applies only to protocol
 194 version 2.


 385 Specifies whether \fBsshd\fR should ignore the user's
 386 \fB$HOME/.ssh/known_hosts\fR during \fBRhostsRSAAuthentication\fR. The default
 387 is \fBno\fR. This parameter applies to both protocol versions 1 and 2.
 388 .RE
 389 
 390 .sp
 391 .ne 2
 392 .na
 393 \fB\fBKbdInteractiveAuthentication\fR\fR
 394 .ad
 395 .sp .6
 396 .RS 4n
 397 Specifies whether authentication by means of the "keyboard-interactive"
 398 authentication method (and PAM) is allowed. Defaults to \fByes\fR. (Deprecated:
 399 this parameter can only be set to \fByes\fR.)
 400 .RE
 401 
 402 .sp
 403 .ne 2
 404 .na
 405 \fB\fBKeepAlive\fR\fR
 406 .ad
 407 .sp .6
 408 .RS 4n
 409 Specifies whether the system should send keepalive messages to the other side.
 410 If they are sent, death of the connection or crash of one of the machines is
 411 properly noticed. However, this means that connections die if the route is down
 412 temporarily, which can be an annoyance. On the other hand, if keepalives are
 413 not sent, sessions can hang indefinitely on the server, leaving ghost users and
 414 consuming server resources.
 415 .sp
 416 The default is \fByes\fR (to send keepalives), and the server notices if the
 417 network goes down or the client host reboots. This avoids infinitely hanging
 418 sessions.
 419 .sp
 420 To disable keepalives, the value should be set to \fBno\fR in both the server
 421 and the client configuration files.
 422 .RE
 423 
 424 .sp
 425 .ne 2


   1 '\" te
   2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" Copyright (c) 2013, Joyent, Inc. All Rights Reserved.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   5 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH SSHD_CONFIG 4 "Jan 17, 2013"
   8 .SH NAME
   9 sshd_config \- sshd configuration file
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fB/etc/ssh/sshd_config\fR
  14 .fi
  15 
  16 .SH DESCRIPTION
  17 .sp
  18 .LP
  19 The \fBsshd\fR(1M) daemon reads configuration data from
  20 \fB/etc/ssh/sshd_config\fR (or the file specified with \fBsshd\fR \fB-f\fR on
  21 the command line). The file contains keyword-value pairs, one per line. A line
  22 starting with a hash mark (\fB#\fR) and empty lines are interpreted as
  23 comments.
  24 .sp
  25 .LP
  26 The \fBsshd_config\fR file supports the following keywords. Unless otherwise
  27 noted, keywords and their arguments are case-insensitive.


 153 arcfour256,arcfour
 154 .fi
 155 .in -2
 156 .sp
 157 
 158 Using CBC modes on the server side is not recommended due to potential security
 159 issues in connection with the SSH protocol version 2.
 160 .RE
 161 
 162 .sp
 163 .ne 2
 164 .na
 165 \fB\fBClientAliveCountMax\fR\fR
 166 .ad
 167 .sp .6
 168 .RS 4n
 169 Sets the number of client alive messages, (see \fBClientAliveInterval\fR), that
 170 can be sent without \fBsshd\fR receiving any messages back from the client. If
 171 this threshold is reached while client alive messages are being sent,
 172 \fBsshd\fR disconnects the client, terminating the session. The use of client
 173 alive messages is very different from \fBTCPKeepAlive\fR. The client alive
 174 messages are sent through the encrypted channel and therefore are not
 175 spoofable. The TCP keepalive option enabled by \fBTCPKeepAlive\fR is spoofable.
 176 The client alive mechanism is valuable when a client or server depend on
 177 knowing when a connection has become inactive.
 178 .sp
 179 The default value is 3. If \fBClientAliveInterval\fR is set to 15, and
 180 \fBClientAliveCountMax\fR is left at the default, unresponsive \fBssh\fR
 181 clients are disconnected after approximately 45 seconds.
 182 .RE
 183 
 184 .sp
 185 .ne 2
 186 .na
 187 \fB\fBClientAliveInterval\fR\fR
 188 .ad
 189 .sp .6
 190 .RS 4n
 191 Sets a timeout interval in seconds after which, if no data has been received
 192 from the client, \fBsshd\fR sends a message through the encrypted channel to
 193 request a response from the client. The default is 0, indicating that these
 194 messages are not sent to the client. This option applies only to protocol
 195 version 2.
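Review bot: two pre-existing wording defects in the ClientAliveCountMax text (new lines 169 and 176-177) are worth fixing while these lines are being touched for the TCPKeepAlive rename: the parenthetical on line 169 is set off by a stray comma ("client alive messages, (see \fBClientAliveInterval\fR), that" should read "client alive messages (see \fBClientAliveInterval\fR) that"), and "when a client or server depend on" on line 176 should be "depends on". The substantive cross-reference change on lines 173 and 175, pointing readers at \fBTCPKeepAlive\fR instead of \fBKeepAlive\fR, is consistent with the renamed entry below and keeps the useful contrast that the encrypted-channel client alive mechanism is not spoofable while the transport-level TCP keepalive is.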


 386 Specifies whether \fBsshd\fR should ignore the user's
 387 \fB$HOME/.ssh/known_hosts\fR during \fBRhostsRSAAuthentication\fR. The default
 388 is \fBno\fR. This parameter applies to both protocol versions 1 and 2.
 389 .RE
 390 
 391 .sp
 392 .ne 2
 393 .na
 394 \fB\fBKbdInteractiveAuthentication\fR\fR
 395 .ad
 396 .sp .6
 397 .RS 4n
 398 Specifies whether authentication by means of the "keyboard-interactive"
 399 authentication method (and PAM) is allowed. Defaults to \fByes\fR. (Deprecated:
 400 this parameter can only be set to \fByes\fR.)
 401 .RE
 402 
 403 .sp
 404 .ne 2
 405 .na
 406 \fB\fBTCPKeepAlive\fR\fR
 407 .ad
 408 .sp .6
 409 .RS 4n
 410 Specifies whether the system should send keepalive messages to the other side.
 411 If they are sent, death of the connection or crash of one of the machines is
 412 properly noticed. However, this means that connections die if the route is down
 413 temporarily, which can be an annoyance. On the other hand, if keepalives are
 414 not sent, sessions can hang indefinitely on the server, leaving ghost users and
 415 consuming server resources.
 416 .sp
 417 The default is \fByes\fR (to send keepalives), and the server notices if the
 418 network goes down or the client host reboots. This avoids infinitely hanging
 419 sessions.
 420 .sp
 421 To disable keepalives, the value should be set to \fBno\fR in both the server
 422 and the client configuration files.
 423 .RE
 424 
 425 .sp
 426 .ne 2
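Review bot: the bug title says TCPKeepAlive is to be accepted as a synonym for KeepAlive, yet the rewritten entry (new lines 406-423) mentions only \fBTCPKeepAlive\fR and every reference to the old \fBKeepAlive\fR keyword has been removed, so an administrator with an existing sshd_config that still uses KeepAlive has no way to tell from this page whether the directive is still honoured. Add one sentence to the entry stating the relationship, for example "\fBKeepAlive\fR is accepted as a deprecated synonym for \fBTCPKeepAlive\fR", worded to match what the code change actually does. Lines 421-422 also tell the reader to set the value to \fBno\fR in the client configuration file; if the client-side keyword is renamed the same way, the corresponding ssh_config(4) entry needs the same update in this change set so the two pages do not disagree about the keyword name.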