1 '\" te 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. 4 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the 5 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] 6 .TH SSHD_CONFIG 4 "Mar 26, 2009" 7 .SH NAME 8 sshd_config \- sshd configuration file 9 .SH SYNOPSIS 10 .LP 11 .nf 12 \fB/etc/ssh/sshd_config\fR 13 .fi 14 15 .SH DESCRIPTION 16 .sp 17 .LP 18 The \fBsshd\fR(1M) daemon reads configuration data from 19 \fB/etc/ssh/sshd_config\fR (or the file specified with \fBsshd\fR \fB-f\fR on 20 the command line). The file contains keyword-value pairs, one per line. A line 21 starting with a hash mark (\fB#\fR) and empty lines are interpreted as 22 comments. 23 .sp 24 .LP 25 The \fBsshd_config\fR file supports the following keywords. Unless otherwise 26 noted, keywords and their arguments are case-insensitive. 27 .sp 28 .ne 2 29 .na 30 \fB\fBAllowGroups\fR\fR 31 .ad 32 .sp .6 33 .RS 4n 34 This keyword can be followed by a number of group names, separated by spaces. 35 If specified, login is allowed only for users whose primary group or 36 supplementary group list matches one of the patterns. Asterisk (\fB*\fR) and 37 question mark (\fB?\fR) can be used as wildcards in the patterns. Only group 38 names are valid; a numerical group ID is not recognized. By default, login is 39 allowed regardless of the primary group. 40 .RE 41 42 .sp 43 .ne 2 44 .na 45 \fB\fBAllowTcpForwarding\fR\fR 46 .ad 47 .sp .6 48 .RS 4n 49 Specifies whether TCP forwarding is permitted. The default is \fByes\fR. 50 Disabling TCP forwarding does not improve security unless users are also denied 51 shell access, as they can always install their own forwarders. 52 .RE 53 54 .sp 55 .ne 2 56 .na 57 \fB\fBAllowUsers\fR\fR 58 .ad 59 .sp .6 60 .RS 4n 61 This keyword can be followed by a number of user names, separated by spaces. If 62 specified, login is allowed only for user names that match one of the patterns. 63 Asterisk (\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the 64 patterns. Only user names are valid; a numerical user ID is not recognized. By 65 default login is allowed regardless of the user name. 66 .sp 67 If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and 68 \fIhost\fR are checked separately, restricting logins to particular users from 69 particular hosts. 70 .RE 71 72 .sp 73 .ne 2 74 .na 75 \fB\fBAuthorizedKeysFile\fR\fR 76 .ad 77 .sp .6 78 .RS 4n 79 Specifies the file that contains the public keys that can be used for user 80 authentication. \fBAuthorizedKeysFile\fR can contain tokens of the form 81 \fB%T\fR, which are substituted during connection set-up. The following tokens 82 are defined: \fB%%\fR is replaced by a literal \fB%\fR, \fB%h\fR is replaced by 83 the home directory of the user being authenticated and \fB%u\fR is replaced by 84 the username of that user. After expansion, \fBAuthorizedKeysFile\fR is taken 85 to be an absolute path or one relative to the user's home directory. The 86 default is \fB\&.ssh/authorized_keys\fR. 87 .RE 88 89 .sp 90 .ne 2 91 .na 92 \fB\fBBanner\fR\fR 93 .ad 94 .sp .6 95 .RS 4n 96 In some jurisdictions, sending a warning message before authentication can be 97 relevant for getting legal protection. The contents of the specified file are 98 sent to the remote user before authentication is allowed. This option is only 99 available for protocol version 2. By default, no banner is displayed. 100 .RE 101 102 .sp 103 .ne 2 104 .na 105 \fB\fBChrootDirectory\fR\fR 106 .ad 107 .sp .6 108 .RS 4n 109 Specifies a path to \fBchroot\fR(2) to after authentication. This path, and all 110 its components, must be root-owned directories that are not writable by any 111 other user or group. 112 .sp 113 The server always tries to change to the user's home directory locally under 114 the chrooted environment but a failure to do so is not considered an error. In 115 addition, the path might contain the following tokens that are expanded at 116 runtime once the connecting user has been authenticated: \fB%%\fR is replaced 117 by a literal \fB%\fR, \fB%h\fR is replaced by the home directory of the user 118 being authenticated, and \fB%u\fR is replaced by the username of that user. 119 .sp 120 The \fBChrootDirectory\fR must contain the necessary files and directories to 121 support the user's session. For an interactive SSH session this requires at 122 least a user's shell, shared libraries needed by the shell, dynamic linker, and 123 possibly basic \fB/dev\fR nodes such as \fBnull\fR, \fBzero\fR, \fBstdin\fR, 124 \fBstdout\fR, \fBstderr\fR, \fBrandom\fR, and \fBtty\fR. Additionally, terminal 125 databases are needed for screen oriented applications. For file transfer 126 sessions using \fBsftp\fR with the SSH protocol version 2, no additional 127 configuration of the environment is necessary if the in-process \fBsftp\fR 128 server is used. See \fBSubsystem\fR for details. 129 .sp 130 The default is not to \fBchroot\fR(2). 131 .RE 132 133 .sp 134 .ne 2 135 .na 136 \fB\fBCiphers\fR\fR 137 .ad 138 .sp .6 139 .RS 4n 140 Specifies the ciphers allowed for protocol version 2. Cipher ordering on the 141 server side is not relevant. Multiple ciphers must be comma separated. 142 .sp 143 Valid ciphers are: \fBaes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 144 aes192-cbc, aes256-cbc, arcfour, arcfour128, arcfour256, 3des-cbc\fR, and 145 \fBblowfish-cbc\fR. 146 .sp 147 The default cipher list is: 148 .sp 149 .in +2 150 .nf 151 aes128-ctr,aes192-ctr,aes256-ctr,arcfour128, 152 arcfour256,arcfour 153 .fi 154 .in -2 155 .sp 156 157 Using CBC modes on the server side is not recommended due to potential security 158 issues in connection with the SSH protocol version 2. 159 .RE 160 161 .sp 162 .ne 2 163 .na 164 \fB\fBClientAliveCountMax\fR\fR 165 .ad 166 .sp .6 167 .RS 4n 168 Sets the number of client alive messages, (see \fBClientAliveInterval\fR), that 169 can be sent without \fBsshd\fR receiving any messages back from the client. If 170 this threshold is reached while client alive messages are being sent, 171 \fBsshd\fR disconnects the client, terminating the session. The use of client 172 alive messages is very different from \fBKeepAlive\fR. The client alive 173 messages are sent through the encrypted channel and therefore are not 174 spoofable. The TCP keepalive option enabled by \fBKeepAlive\fR is spoofable. 175 The client alive mechanism is valuable when a client or server depend on 176 knowing when a connection has become inactive. 177 .sp 178 The default value is 3. If \fBClientAliveInterval\fR is set to 15, and 179 \fBClientAliveCountMax\fR is left at the default, unresponsive \fBssh\fR 180 clients are disconnected after approximately 45 seconds. 181 .RE 182 183 .sp 184 .ne 2 185 .na 186 \fB\fBClientAliveInterval\fR\fR 187 .ad 188 .sp .6 189 .RS 4n 190 Sets a timeout interval in seconds after which, if no data has been received 191 from the client, \fBsshd\fR sends a message through the encrypted channel to 192 request a response from the client. The default is 0, indicating that these 193 messages are not sent to the client. This option applies only to protocol 194 version 2. 195 .RE 196 197 .sp 198 .ne 2 199 .na 200 \fB\fBCompression\fR\fR 201 .ad 202 .sp .6 203 .RS 4n 204 Controls whether the server allows the client to negotiate the use of 205 compression. The default is \fByes\fR. 206 .RE 207 208 .sp 209 .ne 2 210 .na 211 \fB\fBDenyGroups\fR\fR 212 .ad 213 .sp .6 214 .RS 4n 215 Can be followed by a number of group names, separated by spaces. Users whose 216 primary group matches one of the patterns are not allowed to log in. Asterisk 217 (\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the patterns. 218 Only group names are valid; a numerical group ID is not recognized. By default, 219 login is allowed regardless of the primary group. 220 .RE 221 222 .sp 223 .ne 2 224 .na 225 \fB\fBDenyUsers\fR\fR 226 .ad 227 .sp .6 228 .RS 4n 229 Can be followed by a number of user names, separated by spaces. Login is 230 disallowed for user names that match one of the patterns. Asterisk (\fB*\fR) 231 and question mark (\fB?\fR) can be used as wildcards in the patterns. Only user 232 names are valid; a numerical user ID is not recognized. By default, login is 233 allowed regardless of the user name. 234 .sp 235 If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and 236 \fIhost\fR are checked separately, disallowing logins to particular users from 237 particular hosts. 238 .RE 239 240 .sp 241 .ne 2 242 .na 243 \fB\fBGatewayPorts\fR\fR 244 .ad 245 .sp .6 246 .RS 4n 247 Specifies whether remote hosts are allowed to connect to ports forwarded for 248 the client. By default, \fBsshd\fR binds remote port forwardings to the 249 loopback address. This prevents other remote hosts from connecting to forwarded 250 ports. \fBGatewayPorts\fR can be used to specify that \fBsshd\fR should bind 251 remote port forwardings to the wildcard address, thus allowing remote hosts to 252 connect to forwarded ports. 253 .sp 254 The argument can be \fBno\fR to force remote port forwardings to be available 255 to the local host only, \fByes\fR to force remote port forwardings to bind to 256 the wildcard address, or \fBclientspecified\fR to allow the client to select 257 the address to which the forwarding is bound. The default is \fBno\fR. See also 258 \fBRemoteForward\fR in \fBssh_config\fR(4). 259 .RE 260 261 .sp 262 .ne 2 263 .na 264 \fB\fBGSSAPIAuthentication\fR\fR 265 .ad 266 .sp .6 267 .RS 4n 268 Enables/disables GSS-API user authentication. The default is \fByes\fR. 269 .sp 270 Currently \fBsshd\fR authorizes client user principals to user accounts as 271 follows: if the principal name matches the requested user account, then the 272 principal is authorized. Otherwise, GSS-API authentication fails. 273 .RE 274 275 .sp 276 .ne 2 277 .na 278 \fB\fBGSSAPIKeyExchange\fR\fR 279 .ad 280 .sp .6 281 .RS 4n 282 Enables/disables GSS-API-authenticated key exchanges. The default is \fByes\fR. 283 .sp 284 This option also enables the use of the GSS-API to authenticate the user to 285 server after the key exchange. GSS-API key exchange can succeed but the 286 subsequent authentication using the GSS-API fail if the server does not 287 authorize the user's GSS principal name to the target user account. 288 .sp 289 Currently \fBsshd\fR authorizes client user principals to user accounts as 290 follows: if the principal name matches the requested user account, then the 291 principal is authorized. Otherwise, GSS-API authentication fails. 292 .RE 293 294 .sp 295 .ne 2 296 .na 297 \fB\fBGSSAPIStoreDelegatedCredentials\fR\fR 298 .ad 299 .sp .6 300 .RS 4n 301 Enables/disables the use of delegated GSS-API credentials on the server-side. 302 The default is \fByes\fR. 303 .sp 304 Specifically, this option, when enabled, causes the server to store delegated 305 GSS-API credentials in the user's default GSS-API credential store (which for 306 the Kerberos V mechanism means \fB/tmp/krb5cc_\fI<uid>\fR\fR). 307 .LP 308 Note - 309 .sp 310 .RS 2 311 \fBsshd\fR does not take any steps to explicitly destroy stored delegated 312 GSS-API credentials upon logout. It is the responsibility of PAM modules to 313 destroy credentials associated with a session. 314 .RE 315 .RE 316 317 .sp 318 .ne 2 319 .na 320 \fB\fBHostbasedAuthentication\fR\fR 321 .ad 322 .sp .6 323 .RS 4n 324 Specifies whether to try \fBrhosts\fR-based authentication with public key 325 authentication. The argument must be \fByes\fR or \fBno\fR. The default is 326 \fBno\fR. This option applies to protocol version 2 only and is similar to 327 \fBRhostsRSAAuthentication\fR. See \fBsshd\fR(1M) for guidelines on setting up 328 host-based authentication. 329 .RE 330 331 .sp 332 .ne 2 333 .na 334 \fB\fBHostbasedUsesNameFromPacketOnly\fR\fR 335 .ad 336 .sp .6 337 .RS 4n 338 Controls which hostname is searched for in the files \fB~/.shosts\fR, 339 \fB/etc/shosts.equiv\fR, and \fB/etc/hosts.equiv\fR. If this parameter is set 340 to \fByes\fR, the server uses the name the client claimed for itself and signed 341 with that host's key. If set to \fBno\fR, the default, the server uses the name 342 to which the client's IP address resolves. 343 .sp 344 Setting this parameter to \fBno\fR disables host-based authentication when 345 using NAT or when the client gets to the server indirectly through a 346 port-forwarding firewall. 347 .RE 348 349 .sp 350 .ne 2 351 .na 352 \fB\fBHostKey\fR\fR 353 .ad 354 .sp .6 355 .RS 4n 356 Specifies the file containing the private host key used by SSH. The default is 357 \fB/etc/ssh/ssh_host_key\fR for protocol version 1, and 358 \fB/etc/ssh/ssh_host_rsa_key\fR and \fB/etc/ssh/ssh_host_dsa_key\fR for 359 protocol version 2. \fBsshd\fR refuses to use a file if it is 360 group/world-accessible. It is possible to have multiple host key files. 361 \fBrsa1\fR keys are used for version 1 and \fBdsa\fR or \fBrsa\fR are used for 362 version 2 of the SSH protocol. 363 .RE 364 365 .sp 366 .ne 2 367 .na 368 \fB\fBIgnoreRhosts\fR\fR 369 .ad 370 .sp .6 371 .RS 4n 372 Specifies that \fB\&.rhosts\fR and \fB\&.shosts\fR files are not used in 373 authentication. \fB/etc/hosts.equiv\fR and \fB/etc/shosts.equiv\fR are still 374 used. The default is \fByes\fR. This parameter applies to both protocol 375 versions 1 and 2. 376 .RE 377 378 .sp 379 .ne 2 380 .na 381 \fB\fBIgnoreUserKnownHosts\fR\fR 382 .ad 383 .sp .6 384 .RS 4n 385 Specifies whether \fBsshd\fR should ignore the user's 386 \fB$HOME/.ssh/known_hosts\fR during \fBRhostsRSAAuthentication\fR. The default 387 is \fBno\fR. This parameter applies to both protocol versions 1 and 2. 388 .RE 389 390 .sp 391 .ne 2 392 .na 393 \fB\fBKbdInteractiveAuthentication\fR\fR 394 .ad 395 .sp .6 396 .RS 4n 397 Specifies whether authentication by means of the "keyboard-interactive" 398 authentication method (and PAM) is allowed. Defaults to \fByes\fR. (Deprecated: 399 this parameter can only be set to \fByes\fR.) 400 .RE 401 402 .sp 403 .ne 2 404 .na 405 \fB\fBKeepAlive\fR\fR 406 .ad 407 .sp .6 408 .RS 4n 409 Specifies whether the system should send keepalive messages to the other side. 410 If they are sent, death of the connection or crash of one of the machines is 411 properly noticed. However, this means that connections die if the route is down 412 temporarily, which can be an annoyance. On the other hand, if keepalives are 413 not sent, sessions can hang indefinitely on the server, leaving ghost users and 414 consuming server resources. 415 .sp 416 The default is \fByes\fR (to send keepalives), and the server notices if the 417 network goes down or the client host reboots. This avoids infinitely hanging 418 sessions. 419 .sp 420 To disable keepalives, the value should be set to \fBno\fR in both the server 421 and the client configuration files. 422 .RE 423 424 .sp 425 .ne 2 426 .na 427 \fB\fBKeyRegenerationInterval\fR\fR 428 .ad 429 .sp .6 430 .RS 4n 431 In protocol version 1, the ephemeral server key is automatically regenerated 432 after this many seconds (if it has been used). The purpose of regeneration is 433 to prevent decrypting captured sessions by later breaking into the machine and 434 stealing the keys. The key is never stored anywhere. If the value is 0, the key 435 is never regenerated. The default is 3600 (seconds). 436 .RE 437 438 .sp 439 .ne 2 440 .na 441 \fB\fBListenAddress\fR\fR 442 .ad 443 .sp .6 444 .RS 4n 445 Specifies what local address \fBsshd\fR should listen on. The following forms 446 can be used: 447 .sp 448 .in +2 449 .nf 450 ListenAddress \fIhost\fR|\fIIPv4_addr\fR|\fIIPv6_addr\fR 451 ListenAddress \fIhost\fR|\fIIPv4_addr\fR:\fIport\fR 452 ListenAddress [\fIhost\fR|\fIIPv6_addr\fR]:\fIport\fR 453 .fi 454 .in -2 455 456 If \fIport\fR is not specified, \fBsshd\fR listens on the address and all prior 457 \fBPort\fR options specified. The default is to listen on all local addresses. 458 Multiple \fBListenAddress\fR options are permitted. Additionally, any 459 \fBPort\fR options must precede this option for non-port qualified addresses. 460 .sp 461 The default is to listen on all local addresses. Multiple options of this type 462 are permitted. Additionally, the \fBPorts\fR options must precede this option. 463 .RE 464 465 .sp 466 .ne 2 467 .na 468 \fB\fBLoginGraceTime\fR\fR 469 .ad 470 .sp .6 471 .RS 4n 472 The server disconnects after this time (in seconds) if the user has not 473 successfully logged in. If the value is 0, there is no time limit. The default 474 is 120 (seconds). 475 .RE 476 477 .sp 478 .ne 2 479 .na 480 \fB\fBLogLevel\fR\fR 481 .ad 482 .sp .6 483 .RS 4n 484 Gives the verbosity level that is used when logging messages from \fBsshd\fR. 485 The possible values are: \fBQUIET\fR, \fBFATAL\fR, \fBERROR\fR, \fBINFO\fR, 486 \fBVERBOSE\fR, \fBDEBUG\fR, \fBDEBUG1\fR, \fBDEBUG2\fR, and \fBDEBUG3\fR. The 487 default is \fBINFO\fR. DEBUG2 and DEBUG3 each specify higher levels of 488 debugging output. Logging with level \fBDEBUG\fR violates the privacy of users 489 and is not recommended. 490 .RE 491 492 .sp 493 .ne 2 494 .na 495 \fB\fBLookupClientHostnames\fR\fR 496 .ad 497 .sp .6 498 .RS 4n 499 Specifies whether or not to lookup the names of client's addresses. Defaults to 500 yes. 501 .RE 502 503 .sp 504 .ne 2 505 .na 506 \fBMACs\fR 507 .ad 508 .sp .6 509 .RS 4n 510 Specifies the available MAC (message authentication code) algorithms. The MAC 511 algorithm is used in protocol version 2 for data integrity protection. Multiple 512 algorithms must be comma-separated. The default is 513 \fBhmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96\fR. 514 .RE 515 516 .sp 517 .ne 2 518 .na 519 \fB\fBMaxStartups\fR\fR 520 .ad 521 .sp .6 522 .RS 4n 523 Specifies the maximum number of concurrent unauthenticated connections to the 524 \fBsshd\fR daemon. Additional connections are dropped until authentication 525 succeeds or the \fBLoginGraceTime\fR expires for a connection. The default is 526 \fB10\fR. 527 .sp 528 Alternatively, random early drop can be enabled by specifying the three 529 colon-separated values \fB\fIstart\fR:\fIrate\fR:\fIfull\fR\fR (for example, 530 \fB10:30:60\fR). Referring to this example, \fBsshd\fR refuse connection 531 attempts with a probability of \fIrate\fR/100 (30% in our example) if there are 532 currently 10 (from the \fIstart\fR field) unauthenticated connections. The 533 probability increases linearly and all connection attempts are refused if the 534 number of unauthenticated connections reaches \fIfull\fR (60 in our example). 535 .RE 536 537 .sp 538 .ne 2 539 .na 540 \fB\fBPasswordAuthentication\fR\fR 541 .ad 542 .sp .6 543 .RS 4n 544 Specifies whether password authentication is allowed. The default is \fByes\fR. 545 This option applies to both protocol versions 1 and 2. 546 .RE 547 548 .sp 549 .ne 2 550 .na 551 \fB\fBPermitEmptyPasswords\fR\fR 552 .ad 553 .sp .6 554 .RS 4n 555 When password or keyboard-interactive authentication is allowed, it specifies 556 whether the server allows login to accounts with empty password strings. 557 .sp 558 If not set then the \fB/etc/default/login\fR \fBPASSREQ\fR value is used 559 instead. 560 .sp 561 \fBPASSREQ=no\fR is equivalent to \fBPermitEmptyPasswords yes\fR. 562 \fBPASSREQ=yes\fR is equivalent to \fBPermitEmptyPasswords no\fR. If neither 563 \fBPermitEmptyPasswords\fR or \fBPASSREQ\fR are set the default is \fBno\fR. 564 .RE 565 566 .sp 567 .ne 2 568 .na 569 \fB\fBPermitRootLogin\fR\fR 570 .ad 571 .sp .6 572 .RS 4n 573 Specifies whether the root can log in using \fBssh\fR(1). The argument must be 574 \fByes\fR, \fBwithout-password\fR, \fBforced-commands-only\fR, or \fBno\fR. 575 \fBwithout-password\fR means that root cannot be authenticated using the 576 "password" or "keyboard-interactive" methods (see description of 577 \fBKbdInteractiveAuthentication\fR). \fBforced-commands-only\fR means that 578 authentication is allowed only for \fBpublickey\fR (for SSHv2, or RSA, for 579 SSHv1) and only if the matching \fBauthorized_keys entry\fR for root has a 580 \fBcommand=\fR\fI<cmd>\fR option. 581 .sp 582 In Solaris, the default \fB/etc/ssh/sshd_config\fR file is shipped with 583 \fBPermitRootLogin\fR set to \fBno\fR. If unset by the administrator, then 584 \fBCONSOLE\fR parameter from \fB/etc/default/login\fR supplies the default 585 value as follows: if the \fBCONSOLE\fR parameter is not commented out (it can 586 even be empty, that is, "\fBCONSOLE=\fR"), then \fBwithout-password\fR is used 587 as default value. If \fBCONSOLE\fR is commented out, then the default for 588 \fBPermitRootLogin\fR is \fByes\fR. 589 .sp 590 The \fBwithout-password\fR and \fBforced-commands-only\fR settings are useful 591 for, for example, performing remote administration and backups using trusted 592 public keys for authentication of the remote client, without allowing access to 593 the root account using passwords. 594 .RE 595 596 .sp 597 .ne 2 598 .na 599 \fB\fBPermitUserEnvironment\fR\fR 600 .ad 601 .sp .6 602 .RS 4n 603 Specifies whether a user's \fB~/.ssh/environment\fR on the server side and 604 \fBenvironment\fR options in the \fBAuthorizedKeysFile\fR file are processed by 605 \fBsshd\fR. The default is \fBno\fR. Enabling environment processing can enable 606 users to bypass access restrictions in some configurations using mechanisms 607 such as \fBLD_PRELOAD\fR. 608 .sp 609 Environment setting from a relevant entry in \fBAuthorizedKeysFile\fR file is 610 processed only if the user was authenticated using the public key 611 authentication method. Of the two files used, values of variables set in 612 \fB~/.ssh/environment\fR are of higher priority. 613 .RE 614 615 .sp 616 .ne 2 617 .na 618 \fB\fBPidFile\fR\fR 619 .ad 620 .sp .6 621 .RS 4n 622 Allows you to specify an alternative to \fB/var/run/sshd.pid\fR, the default 623 file for storing the PID of the \fBsshd\fR listening for connections. See 624 \fBsshd\fR(1M). 625 .RE 626 627 .sp 628 .ne 2 629 .na 630 \fB\fBPort\fR\fR 631 .ad 632 .sp .6 633 .RS 4n 634 Specifies the port number that \fBsshd\fR listens on. The default is 22. 635 Multiple options of this type are permitted. See also \fBListenAddress\fR. 636 .RE 637 638 .sp 639 .ne 2 640 .na 641 \fB\fBPrintLastLog\fR\fR 642 .ad 643 .sp .6 644 .RS 4n 645 Specifies whether \fBsshd\fR should display the date and time when the user 646 last logged in. The default is \fByes\fR. 647 .RE 648 649 .sp 650 .ne 2 651 .na 652 \fB\fBPrintMotd\fR\fR 653 .ad 654 .sp .6 655 .RS 4n 656 Specifies whether \fBsshd\fR should display the contents of \fB/etc/motd\fR 657 when a user logs in interactively. (On some systems it is also displayed by the 658 shell or a shell startup file, such as \fB/etc/profile\fR.) The default is 659 \fByes\fR. 660 .RE 661 662 .sp 663 .ne 2 664 .na 665 \fB\fBProtocol\fR\fR 666 .ad 667 .sp .6 668 .RS 4n 669 Specifies the protocol versions \fBsshd\fR should support in order of 670 preference. The possible values are \fB1\fR and \fB2\fR. Multiple versions must 671 be comma-separated. The default is \fB2,1\fR. This means that \fBssh\fR tries 672 version 2 and falls back to version 1 if version 2 is not available. 673 .RE 674 675 .sp 676 .ne 2 677 .na 678 \fB\fBPubkeyAuthentication\fR\fR 679 .ad 680 .sp .6 681 .RS 4n 682 Specifies whether public key authentication is allowed. The default is 683 \fByes\fR. This option applies to protocol version 2 only. 684 .RE 685 686 .sp 687 .ne 2 688 .na 689 \fB\fBRhostsAuthentication\fR\fR 690 .ad 691 .sp .6 692 .RS 4n 693 Specifies whether authentication using \fBrhosts\fR or \fB/etc/hosts.equiv\fR 694 files is sufficient. Normally, this method should not be permitted because it 695 is insecure. \fBRhostsRSAAuthentication\fR should be used instead, because it 696 performs RSA-based host authentication in addition to normal \fBrhosts\fR or 697 \fB/etc/hosts.equiv\fR authentication. The default is \fBno\fR. This parameter 698 applies only to protocol version 1. 699 .RE 700 701 .sp 702 .ne 2 703 .na 704 \fB\fBRhostsRSAAuthentication\fR\fR 705 .ad 706 .sp .6 707 .RS 4n 708 Specifies whether \fBrhosts\fR or \fB/etc/hosts.equiv\fR authentication 709 together with successful RSA host authentication is allowed. The default is 710 \fBno\fR. This parameter applies only to protocol version 1. 711 .RE 712 713 .sp 714 .ne 2 715 .na 716 \fB\fBRSAAuthentication\fR\fR 717 .ad 718 .sp .6 719 .RS 4n 720 Specifies whether pure RSA authentication is allowed. The default is \fByes\fR. 721 This option applies to protocol version 1 only. 722 .RE 723 724 .sp 725 .ne 2 726 .na 727 \fB\fBServerKeyBits\fR\fR 728 .ad 729 .sp .6 730 .RS 4n 731 Defines the number of bits in the ephemeral protocol version 1 server key. The 732 minimum value is 512, and the default is 768. 733 .RE 734 735 .sp 736 .ne 2 737 .na 738 \fB\fBStrictModes\fR\fR 739 .ad 740 .sp .6 741 .RS 4n 742 Specifies whether \fBsshd\fR should check file modes and ownership of the 743 user's files and home directory before accepting login. This is normally 744 desirable because novices sometimes accidentally leave their directory or files 745 world-writable. The default is \fByes\fR. 746 .RE 747 748 .sp 749 .ne 2 750 .na 751 \fB\fBSubsystem\fR\fR 752 .ad 753 .sp .6 754 .RS 4n 755 Configures an external subsystem (for example, a file transfer daemon). 756 Arguments should be a subsystem name and a command to execute upon subsystem 757 request. The command \fBsftp-server\fR(1M) implements the \fBsftp\fR file 758 transfer subsystem. 759 .sp 760 Alternately, the name \fBinternal-sftp\fR implements an in-process \fBsftp\fR 761 server. This can simplify configurations using \fBChrootDirectory\fR to force a 762 different filesystem root on clients. 763 .sp 764 By default, no subsystems are defined. This option applies to protocol version 765 2 only. 766 .RE 767 768 .sp 769 .ne 2 770 .na 771 \fB\fBSyslogFacility\fR\fR 772 .ad 773 .sp .6 774 .RS 4n 775 Gives the facility code that is used when logging messages from \fBsshd\fR. The 776 possible values are: \fBDAEMON\fR, \fBUSER\fR, \fBAUTH\fR, \fBLOCAL0\fR, 777 \fBLOCAL1\fR, \fBLOCAL2\fR, \fBLOCAL3\fR, \fBLOCAL4\fR, \fBLOCAL5\fR, 778 \fBLOCAL6\fR, and \fBLOCAL7\fR. The default is \fBAUTH\fR. 779 .RE 780 781 .sp 782 .ne 2 783 .na 784 \fB\fBUseOpenSSLEngine\fR\fR 785 .ad 786 .sp .6 787 .RS 4n 788 Specifies whether \fBsshd\fR should use the OpenSSL PKCS#11 engine for 789 offloading cryptographic operations to the Cryptographic Framework. 790 Cryptographic operations are accelerated according to the available installed 791 plug-ins. When no suitable plug-ins are present this option does not have an 792 effect. The default is \fByes\fR. 793 .RE 794 795 .sp 796 .ne 2 797 .na 798 \fB\fBVerifyReverseMapping\fR\fR 799 .ad 800 .sp .6 801 .RS 4n 802 Specifies whether \fBsshd\fR should try to verify the remote host name and 803 check that the resolved host name for the remote IP address maps back to the 804 very same IP address. (A \fByes\fR setting means "verify".) Setting this 805 parameter to \fBno\fR can be useful where DNS servers might be down and thus 806 cause \fBsshd\fR to spend much time trying to resolve the client's IP address 807 to a name. This feature is useful for Internet-facing servers. The default is 808 \fBno\fR. 809 .RE 810 811 .sp 812 .ne 2 813 .na 814 \fB\fBX11DisplayOffset\fR\fR 815 .ad 816 .sp .6 817 .RS 4n 818 Specifies the first display number available for \fBsshd\fR's X11 forwarding. 819 This prevents \fBsshd\fR from interfering with real X11 servers. The default is 820 10. 821 .RE 822 823 .sp 824 .ne 2 825 .na 826 \fB\fBX11Forwarding\fR\fR 827 .ad 828 .sp .6 829 .RS 4n 830 Specifies whether X11 forwarding is permitted. The default is \fByes\fR. 831 Disabling X11 forwarding does not improve security in any way, as users can 832 always install their own forwarders. 833 .sp 834 When X11 forwarding is enabled, there can be additional exposure to the server 835 and to client displays if the \fBsshd\fR proxy display is configured to listen 836 on the wildcard address (see \fBX11UseLocalhost\fR). However, this is not the 837 default. Additionally, the authentication spoofing and authentication data 838 verification and substitution occur on the client side. The security risk of 839 using X11 forwarding is that the client's X11 display server can be exposed to 840 attack when the \fBssh\fR client requests forwarding (see the warnings for 841 \fBForwardX11\fR in \fBssh_config\fR(4)). A system administrator who wants to 842 protect clients that expose themselves to attack by unwittingly requesting X11 843 forwarding, should specify a \fBno\fR setting. 844 .sp 845 Disabling X11 forwarding does not prevent users from forwarding X11 traffic, as 846 users can always install their own forwarders. 847 .RE 848 849 .sp 850 .ne 2 851 .na 852 \fB\fBX11UseLocalhost\fR\fR 853 .ad 854 .sp .6 855 .RS 4n 856 Specifies whether \fBsshd\fR should bind the X11 forwarding server to the 857 loopback address or to the wildcard address. By default, \fBsshd\fR binds the 858 forwarding server to the loopback address and sets the hostname part of the 859 \fBDISPLAY\fR environment variable to \fBlocalhost\fR. This prevents remote 860 hosts from connecting to the proxy display. However, some older X11 clients 861 might not function with this configuration. \fBX11UseLocalhost\fR can be set to 862 \fBno\fR to specify that the forwarding server should be bound to the wildcard 863 address. The argument must be \fByes\fR or \fBno\fR. The default is \fByes\fR. 864 .RE 865 866 .sp 867 .ne 2 868 .na 869 \fB\fBXAuthLocation\fR\fR 870 .ad 871 .sp .6 872 .RS 4n 873 Specifies the location of the \fBxauth\fR(1) program. The default is 874 \fB/usr/X11/bin/xauth\fR and \fBsshd\fR attempts to open it when X11 forwarding 875 is enabled. 876 .RE 877 878 .SS "Time Formats" 879 .sp 880 .LP 881 \fBsshd\fR command-line arguments and configuration file options that specify 882 time can be expressed using a sequence of the form: 883 \fItime\fR[\fIqualifier\fR,] where \fItime\fR is a positive integer value and 884 \fIqualifier\fR is one of the following: 885 .sp 886 .ne 2 887 .na 888 \fB\fI<none>\fR\fR 889 .ad 890 .RS 10n 891 seconds 892 .RE 893 894 .sp 895 .ne 2 896 .na 897 \fB\fBs\fR | \fBS\fR\fR 898 .ad 899 .RS 10n 900 seconds 901 .RE 902 903 .sp 904 .ne 2 905 .na 906 \fB\fBm\fR | \fBM\fR\fR 907 .ad 908 .RS 10n 909 minutes 910 .RE 911 912 .sp 913 .ne 2 914 .na 915 \fB\fBh\fR | \fBH\fR\fR 916 .ad 917 .RS 10n 918 hours 919 .RE 920 921 .sp 922 .ne 2 923 .na 924 \fB\fBd\fR | \fBD\fR\fR 925 .ad 926 .RS 10n 927 days 928 .RE 929 930 .sp 931 .ne 2 932 .na 933 \fB\fBw\fR | \fB\fR\fR 934 .ad 935 .RS 10n 936 weeks 937 .RE 938 939 .sp 940 .LP 941 Each element of the sequence is added together to calculate the total time 942 value. For example: 943 .sp 944 .ne 2 945 .na 946 \fB\fB600\fR\fR 947 .ad 948 .RS 9n 949 600 seconds (10 minutes) 950 .RE 951 952 .sp 953 .ne 2 954 .na 955 \fB\fB10m\fR\fR 956 .ad 957 .RS 9n 958 10 minutes 959 .RE 960 961 .sp 962 .ne 2 963 .na 964 \fB\fB1h30m\fR\fR 965 .ad 966 .RS 9n 967 1 hour, 30 minutes (90 minutes) 968 .RE 969 970 .SH FILES 971 .sp 972 .ne 2 973 .na 974 \fB\fB/etc/ssh/sshd_config\fR\fR 975 .ad 976 .RS 24n 977 Contains configuration data for \fBsshd\fR. This file should be writable by 978 root only, but it is recommended (though not necessary) that it be 979 world-readable. 980 .RE 981 982 .SH ATTRIBUTES 983 .sp 984 .LP 985 See \fBattributes\fR(5) for descriptions of the following attributes: 986 .sp 987 988 .sp 989 .TS 990 box; 991 c | c 992 l | l . 993 ATTRIBUTE TYPE ATTRIBUTE VALUE 994 _ 995 Interface Stability Uncommitted 996 .TE 997 998 .SH SEE ALSO 999 .sp 1000 .LP 1001 \fBlogin\fR(1), \fBsshd\fR(1M), \fBchroot\fR(2), \fBssh_config\fR(4), 1002 \fBattributes\fR(5), \fBkerberos\fR(5) 1003 .SH AUTHORS 1004 .sp 1005 .LP 1006 OpenSSH is a derivative of the original and free \fBssh\fR 1.2.12 release by 1007 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de 1008 Raadt, and Dug Song removed many bugs, re-added recent features, and created 1009 OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 1010 and 2.0. Niels Provos and Markus Friedl contributed support for privilege 1011 separation.