1 '\" te
   2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   4 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   5 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH SSHD_CONFIG 4 "Mar 26, 2009"
   7 .SH NAME
   8 sshd_config \- sshd configuration file
   9 .SH SYNOPSIS
  10 .LP
  11 .nf
  12 \fB/etc/ssh/sshd_config\fR
  13 .fi
  14 
  15 .SH DESCRIPTION
  16 .sp
  17 .LP
  18 The \fBsshd\fR(1M) daemon reads configuration data from
  19 \fB/etc/ssh/sshd_config\fR (or the file specified with \fBsshd\fR \fB-f\fR on
  20 the command line). The file contains keyword-value pairs, one per line. A line
  21 starting with a hash mark (\fB#\fR) and empty lines are interpreted as
  22 comments.
  23 .sp
  24 .LP
  25 The \fBsshd_config\fR file supports the following keywords. Unless otherwise
  26 noted, keywords and their arguments are case-insensitive.
  27 .sp
  28 .ne 2
  29 .na
  30 \fB\fBAllowGroups\fR\fR
  31 .ad
  32 .sp .6
  33 .RS 4n
  34 This keyword can be followed by a number of group names, separated by spaces.
  35 If specified, login is allowed only for users whose primary group or
  36 supplementary group list matches one of the patterns. Asterisk (\fB*\fR) and
  37 question mark (\fB?\fR) can be used as wildcards in the patterns. Only group
  38 names are valid; a numerical group ID is not recognized. By default, login is
  39 allowed regardless of the primary group.
  40 .RE
  41 
  42 .sp
  43 .ne 2
  44 .na
  45 \fB\fBAllowTcpForwarding\fR\fR
  46 .ad
  47 .sp .6
  48 .RS 4n
  49 Specifies whether TCP forwarding is permitted. The default is \fByes\fR.
  50 Disabling TCP forwarding does not improve security unless users are also denied
  51 shell access, as they can always install their own forwarders.
  52 .RE
  53 
  54 .sp
  55 .ne 2
  56 .na
  57 \fB\fBAllowUsers\fR\fR
  58 .ad
  59 .sp .6
  60 .RS 4n
  61 This keyword can be followed by a number of user names, separated by spaces. If
  62 specified, login is allowed only for user names that match one of the patterns.
  63 Asterisk (\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the
  64 patterns. Only user names are valid; a numerical user ID is not recognized. By
  65 default, login is allowed regardless of the user name.
  66 .sp
  67 If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and
  68 \fIhost\fR are checked separately, restricting logins to particular users from
  69 particular hosts.
  70 .RE
  71 
  72 .sp
  73 .ne 2
  74 .na
  75 \fB\fBAuthorizedKeysFile\fR\fR
  76 .ad
  77 .sp .6
  78 .RS 4n
  79 Specifies the file that contains the public keys that can be used for user
  80 authentication. \fBAuthorizedKeysFile\fR can contain tokens of the form
  81 \fB%T\fR, which are substituted during connection set-up. The following tokens
  82 are defined: \fB%%\fR is replaced by a literal \fB%\fR, \fB%h\fR is replaced by
  83 the home directory of the user being authenticated and \fB%u\fR is replaced by
  84 the username of that user. After expansion, \fBAuthorizedKeysFile\fR is taken
  85 to be an absolute path or one relative to the user's home directory. The
  86 default is \fB\&.ssh/authorized_keys\fR.
  87 .RE
  88 
  89 .sp
  90 .ne 2
  91 .na
  92 \fB\fBBanner\fR\fR
  93 .ad
  94 .sp .6
  95 .RS 4n
  96 In some jurisdictions, sending a warning message before authentication can be
  97 relevant for getting legal protection. The contents of the specified file are
  98 sent to the remote user before authentication is allowed. This option is only
  99 available for protocol version 2. By default, no banner is displayed.
 100 .RE
 101 
 102 .sp
 103 .ne 2
 104 .na
 105 \fB\fBChrootDirectory\fR\fR
 106 .ad
 107 .sp .6
 108 .RS 4n
 109 Specifies a path to \fBchroot\fR(2) to after authentication. This path, and all
 110 its components, must be root-owned directories that are not writable by any
 111 other user or group.
 112 .sp
 113 The server always tries to change to the user's home directory locally under
 114 the chrooted environment but a failure to do so is not considered an error. In
 115 addition, the path might contain the following tokens that are expanded at
 116 runtime once the connecting user has been authenticated: \fB%%\fR is replaced
 117 by a literal \fB%\fR, \fB%h\fR is replaced by the home directory of the user
 118 being authenticated, and \fB%u\fR is replaced by the username of that user.
 119 .sp
 120 The \fBChrootDirectory\fR must contain the necessary files and directories to
 121 support the user's session. For an interactive SSH session this requires at
 122 least a user's shell, shared libraries needed by the shell, dynamic linker, and
 123 possibly basic \fB/dev\fR nodes such as \fBnull\fR, \fBzero\fR, \fBstdin\fR,
 124 \fBstdout\fR, \fBstderr\fR, \fBrandom\fR, and \fBtty\fR. Additionally, terminal
 125 databases are needed for screen oriented applications. For file transfer
 126 sessions using \fBsftp\fR with the SSH protocol version 2, no additional
 127 configuration of the environment is necessary if the in-process \fBsftp\fR
 128 server is used. See \fBSubsystem\fR for details.
 129 .sp
 130 The default is not to \fBchroot\fR(2).
 131 .RE
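
The following is an added example, not code from \fBsshd\fR or from this manual page. It expands the \fB%%\fR, \fB%h\fR and \fB%u\fR tokens that \fBAuthorizedKeysFile\fR and \fBChrootDirectory\fR accept, resolves a relative \fBAuthorizedKeysFile\fR value against the home directory, and checks a \fBChrootDirectory\fR path against the ownership rule above (every component a root-owned directory that is not writable by group or others). The function names and the sample directory tree are this example's own.

```python
"""Added example: token expansion for AuthorizedKeysFile/ChrootDirectory and
an ownership check for a ChrootDirectory path. Not code from sshd or this page."""
import os
import stat
from types import SimpleNamespace


def expand_tokens(template: str, home: str, user: str) -> str:
    """Expand %% (literal %), %h (home directory) and %u (user name), scanning
    left to right so that '%%h' becomes the literal text '%h'."""
    out = []
    i = 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt in "%hu":
                out.append({"%": "%", "h": home, "u": user}[nxt])
                i += 2
                continue
        out.append(template[i])
        i += 1
    return "".join(out)


def authorized_keys_path(setting: str, home: str, user: str) -> str:
    """After expansion the value is an absolute path or one relative to home."""
    expanded = expand_tokens(setting, home, user)
    return expanded if os.path.isabs(expanded) else os.path.join(home, expanded)


def chroot_path_problems(path: str, stat_fn=os.stat) -> list:
    """Check the ChrootDirectory rule: the path and every parent component must be
    a root-owned directory that is not writable by group or others. Returns a list
    of (component, reason) pairs; an empty list means the path is acceptable.
    stat_fn is injectable so the check can run against a constructed tree."""
    problems = []
    components = []
    cur = os.path.abspath(path)
    while True:                        # collect /a/b/c, /a/b, /a, /
        components.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    for comp in reversed(components):  # check from the root downwards
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, f"cannot stat: {exc.strerror}"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, f"owned by uid {st.st_uid}, not root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "writable by group or others"))
    return problems


# Constructed sample directory tree (not a real system): /srv/sftp is a valid
# chroot root, but /srv/sftp/alice is user-owned and group-writable.
SAMPLE_FS = {
    "/": SimpleNamespace(st_mode=stat.S_IFDIR | 0o755, st_uid=0),
    "/srv": SimpleNamespace(st_mode=stat.S_IFDIR | 0o755, st_uid=0),
    "/srv/sftp": SimpleNamespace(st_mode=stat.S_IFDIR | 0o755, st_uid=0),
    "/srv/sftp/alice": SimpleNamespace(st_mode=stat.S_IFDIR | 0o775, st_uid=1001),
}


def sample_stat(path: str):
    """os.stat stand-in over SAMPLE_FS."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(2, "No such file or directory", path)
    return SAMPLE_FS[path]


if __name__ == "__main__":
    print(authorized_keys_path(".ssh/authorized_keys", "/home/alice", "alice"))
    print(expand_tokens("/srv/sftp/%u", "/home/alice", "alice"))
    for comp, why in chroot_path_problems("/srv/sftp/alice", sample_stat):
        print(f"{comp}: {why}")
```

A chroot of \fB/srv/sftp/%u\fR therefore fails the check in the sample tree because the per-user leaf is not root-owned; the usual layout keeps the root-owned directory as the chroot and gives the user a writable subdirectory inside it.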
 132 
 133 .sp
 134 .ne 2
 135 .na
 136 \fB\fBCiphers\fR\fR
 137 .ad
 138 .sp .6
 139 .RS 4n
 140 Specifies the ciphers allowed for protocol version 2. Cipher ordering on the
 141 server side is not relevant. Multiple ciphers must be comma separated.
 142 .sp
 143 Valid ciphers are: \fBaes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc,
 144 aes192-cbc, aes256-cbc, arcfour, arcfour128, arcfour256, 3des-cbc\fR, and
 145 \fBblowfish-cbc\fR.
 146 .sp
 147 The default cipher list is:
 148 .sp
 149 .in +2
 150 .nf
 151 aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,
 152 arcfour256,arcfour
 153 .fi
 154 .in -2
 155 .sp
 156 
 157 Using CBC modes on the server side is not recommended due to potential security
 158 issues in connection with the SSH protocol version 2.
 159 .RE
 160 
 161 .sp
 162 .ne 2
 163 .na
 164 \fB\fBClientAliveCountMax\fR\fR
 165 .ad
 166 .sp .6
 167 .RS 4n
 168 Sets the number of client alive messages (see \fBClientAliveInterval\fR) that
 169 can be sent without \fBsshd\fR receiving any messages back from the client. If
 170 this threshold is reached while client alive messages are being sent,
 171 \fBsshd\fR disconnects the client, terminating the session. The use of client
 172 alive messages is very different from \fBKeepAlive\fR. The client alive
 173 messages are sent through the encrypted channel and therefore are not
 174 spoofable. The TCP keepalive option enabled by \fBKeepAlive\fR is spoofable.
 175 The client alive mechanism is valuable when a client or server depends on
 176 knowing when a connection has become inactive.
 177 .sp
 178 The default value is 3. If \fBClientAliveInterval\fR is set to 15, and
 179 \fBClientAliveCountMax\fR is left at the default, unresponsive \fBssh\fR
 180 clients are disconnected after approximately 45 seconds.
 181 .RE
 182 
 183 .sp
 184 .ne 2
 185 .na
 186 \fB\fBClientAliveInterval\fR\fR
 187 .ad
 188 .sp .6
 189 .RS 4n
 190 Sets a timeout interval in seconds after which, if no data has been received
 191 from the client, \fBsshd\fR sends a message through the encrypted channel to
 192 request a response from the client. The default is 0, indicating that these
 193 messages are not sent to the client. This option applies only to protocol
 194 version 2.
 195 .RE
 196 
 197 .sp
 198 .ne 2
 199 .na
 200 \fB\fBCompression\fR\fR
 201 .ad
 202 .sp .6
 203 .RS 4n
 204 Controls whether the server allows the client to negotiate the use of
 205 compression. The default is \fByes\fR.
 206 .RE
 207 
 208 .sp
 209 .ne 2
 210 .na
 211 \fB\fBDenyGroups\fR\fR
 212 .ad
 213 .sp .6
 214 .RS 4n
 215 Can be followed by a number of group names, separated by spaces. Users whose
 216 primary group matches one of the patterns are not allowed to log in. Asterisk
 217 (\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the patterns.
 218 Only group names are valid; a numerical group ID is not recognized. By default,
 219 login is allowed regardless of the primary group.
 220 .RE
 221 
 222 .sp
 223 .ne 2
 224 .na
 225 \fB\fBDenyUsers\fR\fR
 226 .ad
 227 .sp .6
 228 .RS 4n
 229 Can be followed by a number of user names, separated by spaces. Login is
 230 disallowed for user names that match one of the patterns. Asterisk (\fB*\fR)
 231 and question mark (\fB?\fR) can be used as wildcards in the patterns. Only user
 232 names are valid; a numerical user ID is not recognized. By default, login is
 233 allowed regardless of the user name.
 234 .sp
 235 If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and
 236 \fIhost\fR are checked separately, disallowing logins to particular users from
 237 particular hosts.
 238 .RE
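
The following is an added example, not code from \fBsshd\fR or from this manual page. It applies \fBAllowUsers\fR, \fBDenyUsers\fR, \fBAllowGroups\fR and \fBDenyGroups\fR as the four entries above describe them: \fB*\fR and \fB?\fR are the only wildcards, a \fIuser\fR@\fIhost\fR pattern is checked as two separate patterns, \fBDenyGroups\fR looks at the primary group only while \fBAllowGroups\fR also accepts a supplementary group. Two things are this example's assumptions, since the page does not state them: patterns are compared case-sensitively, and the lists are evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. Function names are the example's own.

```python
"""Added example: Allow/Deny user and group pattern evaluation as described in
sshd_config(4). Not code from sshd or from this page."""
import re


def glob_to_regex(pattern: str):
    """Translate a pattern whose only wildcards are '*' and '?'; every other
    character, including '.' and '[', is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def match_pattern(pattern: str, value: str) -> bool:
    """Whole-string match (case-sensitive: an assumption of this example)."""
    return glob_to_regex(pattern).fullmatch(value) is not None


def user_matches(pattern: str, user: str, host: str) -> bool:
    """A user@host pattern checks the user part and the host part separately."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return match_pattern(upat, user) and match_pattern(hpat, host)
    return match_pattern(pattern, user)


def login_permitted(user, host, groups, allow_users=(), deny_users=(),
                    allow_groups=(), deny_groups=()):
    """Return (allowed, which_list_decided). groups lists the primary group
    first, then supplementary groups, all by name (numeric IDs are not
    recognized by the keywords). Evaluation order is this example's choice."""
    primary = groups[0] if groups else ""
    if any(user_matches(p, user, host) for p in deny_users):
        return False, "DenyUsers"
    if allow_users and not any(user_matches(p, user, host) for p in allow_users):
        return False, "AllowUsers"
    if any(match_pattern(p, primary) for p in deny_groups):        # primary only
        return False, "DenyGroups"
    if allow_groups and not any(match_pattern(p, g)                 # any group
                                for p in allow_groups for g in groups):
        return False, "AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    # constructed policy: admins from the management network, no guest accounts
    policy = dict(allow_users=["*@10.0.0.*", "backup"], deny_users=["guest*"],
                  allow_groups=["admin?", "staff"], deny_groups=["nologin"])
    for who in [("alice", "10.0.0.5", ["staff", "admins"]),
                ("guest2", "10.0.0.5", ["staff"]),
                ("alice", "192.0.2.9", ["staff"]),
                ("backup", "192.0.2.9", ["nologin", "staff"])]:
        print(who[0], who[1], login_permitted(*who, **policy))
```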
 239 
 240 .sp
 241 .ne 2
 242 .na
 243 \fB\fBGatewayPorts\fR\fR
 244 .ad
 245 .sp .6
 246 .RS 4n
 247 Specifies whether remote hosts are allowed to connect to ports forwarded for
 248 the client. By default, \fBsshd\fR binds remote port forwardings to the
 249 loopback address. This prevents other remote hosts from connecting to forwarded
 250 ports. \fBGatewayPorts\fR can be used to specify that \fBsshd\fR should bind
 251 remote port forwardings to the wildcard address, thus allowing remote hosts to
 252 connect to forwarded ports.
 253 .sp
 254 The argument can be \fBno\fR to force remote port forwardings to be available
 255 to the local host only, \fByes\fR to force remote port forwardings to bind to
 256 the wildcard address, or \fBclientspecified\fR to allow the client to select
 257 the address to which the forwarding is bound. The default is \fBno\fR. See also
 258 \fBRemoteForward\fR in \fBssh_config\fR(4).
 259 .RE
 260 
 261 .sp
 262 .ne 2
 263 .na
 264 \fB\fBGSSAPIAuthentication\fR\fR
 265 .ad
 266 .sp .6
 267 .RS 4n
 268 Enables/disables GSS-API user authentication. The default is \fByes\fR.
 269 .sp
 270 Currently \fBsshd\fR authorizes client user principals to user accounts as
 271 follows: if the principal name matches the requested user account, then the
 272 principal is authorized. Otherwise, GSS-API authentication fails.
 273 .RE
 274 
 275 .sp
 276 .ne 2
 277 .na
 278 \fB\fBGSSAPIKeyExchange\fR\fR
 279 .ad
 280 .sp .6
 281 .RS 4n
 282 Enables/disables GSS-API-authenticated key exchanges. The default is \fByes\fR.
 283 .sp
 284 This option also enables the use of the GSS-API to authenticate the user to
 285 server after the key exchange. GSS-API key exchange can succeed but the
 286 subsequent authentication using the GSS-API fail if the server does not
 287 authorize the user's GSS principal name to the target user account.
 288 .sp
 289 Currently \fBsshd\fR authorizes client user principals to user accounts as
 290 follows: if the principal name matches the requested user account, then the
 291 principal is authorized. Otherwise, GSS-API authentication fails.
 292 .RE
 293 
 294 .sp
 295 .ne 2
 296 .na
 297 \fB\fBGSSAPIStoreDelegatedCredentials\fR\fR
 298 .ad
 299 .sp .6
 300 .RS 4n
 301 Enables/disables the use of delegated GSS-API credentials on the server-side.
 302 The default is \fByes\fR.
 303 .sp
 304 Specifically, this option, when enabled, causes the server to store delegated
 305 GSS-API credentials in the user's default GSS-API credential store (which for
 306 the Kerberos V mechanism means \fB/tmp/krb5cc_\fI<uid>\fR\fR).
 307 .LP
 308 Note -
 309 .sp
 310 .RS 2
 311 \fBsshd\fR does not take any steps to explicitly destroy stored delegated
 312 GSS-API credentials upon logout. It is the responsibility of PAM modules to
 313 destroy credentials associated with a session.
 314 .RE
 315 .RE
 316 
 317 .sp
 318 .ne 2
 319 .na
 320 \fB\fBHostbasedAuthentication\fR\fR
 321 .ad
 322 .sp .6
 323 .RS 4n
 324 Specifies whether to try \fBrhosts\fR-based authentication with public key
 325 authentication. The argument must be \fByes\fR or \fBno\fR. The default is
 326 \fBno\fR. This option applies to protocol version 2 only and is similar to
 327 \fBRhostsRSAAuthentication\fR. See \fBsshd\fR(1M) for guidelines on setting up
 328 host-based authentication.
 329 .RE
 330 
 331 .sp
 332 .ne 2
 333 .na
 334 \fB\fBHostbasedUsesNameFromPacketOnly\fR\fR
 335 .ad
 336 .sp .6
 337 .RS 4n
 338 Controls which hostname is searched for in the files \fB~/.shosts\fR,
 339 \fB/etc/shosts.equiv\fR, and \fB/etc/hosts.equiv\fR. If this parameter is set
 340 to \fByes\fR, the server uses the name the client claimed for itself and signed
 341 with that host's key. If set to \fBno\fR, the default, the server uses the name
 342 to which the client's IP address resolves.
 343 .sp
 344 Setting this parameter to \fBno\fR disables host-based authentication when
 345 using NAT or when the client gets to the server indirectly through a
 346 port-forwarding firewall.
 347 .RE
 348 
 349 .sp
 350 .ne 2
 351 .na
 352 \fB\fBHostKey\fR\fR
 353 .ad
 354 .sp .6
 355 .RS 4n
 356 Specifies the file containing the private host key used by SSH. The default is
 357 \fB/etc/ssh/ssh_host_key\fR for protocol version 1, and
 358 \fB/etc/ssh/ssh_host_rsa_key\fR and \fB/etc/ssh/ssh_host_dsa_key\fR for
 359 protocol version 2. \fBsshd\fR refuses to use a file if it is
 360 group/world-accessible. It is possible to have multiple host key files.
 361 \fBrsa1\fR keys are used for version 1 and \fBdsa\fR or \fBrsa\fR are used for
 362 version 2 of the SSH protocol.
 363 .RE
 364 
 365 .sp
 366 .ne 2
 367 .na
 368 \fB\fBIgnoreRhosts\fR\fR
 369 .ad
 370 .sp .6
 371 .RS 4n
 372 Specifies that \fB\&.rhosts\fR and \fB\&.shosts\fR files are not used in
 373 authentication. \fB/etc/hosts.equiv\fR and \fB/etc/shosts.equiv\fR are still
 374 used. The default is \fByes\fR. This parameter applies to both protocol
 375 versions 1 and 2.
 376 .RE
 377 
 378 .sp
 379 .ne 2
 380 .na
 381 \fB\fBIgnoreUserKnownHosts\fR\fR
 382 .ad
 383 .sp .6
 384 .RS 4n
 385 Specifies whether \fBsshd\fR should ignore the user's
 386 \fB$HOME/.ssh/known_hosts\fR during \fBRhostsRSAAuthentication\fR. The default
 387 is \fBno\fR. This parameter applies to both protocol versions 1 and 2.
 388 .RE
 389 
 390 .sp
 391 .ne 2
 392 .na
 393 \fB\fBKbdInteractiveAuthentication\fR\fR
 394 .ad
 395 .sp .6
 396 .RS 4n
 397 Specifies whether authentication by means of the "keyboard-interactive"
 398 authentication method (and PAM) is allowed. Defaults to \fByes\fR. (Deprecated:
 399 this parameter can only be set to \fByes\fR.)
 400 .RE
 401 
 402 .sp
 403 .ne 2
 404 .na
 405 \fB\fBKeepAlive\fR\fR
 406 .ad
 407 .sp .6
 408 .RS 4n
 409 Specifies whether the system should send keepalive messages to the other side.
 410 If they are sent, death of the connection or crash of one of the machines is
 411 properly noticed. However, this means that connections die if the route is down
 412 temporarily, which can be an annoyance. On the other hand, if keepalives are
 413 not sent, sessions can hang indefinitely on the server, leaving ghost users and
 414 consuming server resources.
 415 .sp
 416 The default is \fByes\fR (to send keepalives), and the server notices if the
 417 network goes down or the client host reboots. This avoids infinitely hanging
 418 sessions.
 419 .sp
 420 To disable keepalives, the value should be set to \fBno\fR in both the server
 421 and the client configuration files.
 422 .RE
 423 
 424 .sp
 425 .ne 2
 426 .na
 427 \fB\fBKeyRegenerationInterval\fR\fR
 428 .ad
 429 .sp .6
 430 .RS 4n
 431 In protocol version 1, the ephemeral server key is automatically regenerated
 432 after this many seconds (if it has been used). The purpose of regeneration is
 433 to prevent decrypting captured sessions by later breaking into the machine and
 434 stealing the keys. The key is never stored anywhere. If the value is 0, the key
 435 is never regenerated. The default is 3600 (seconds).
 436 .RE
 437 
 438 .sp
 439 .ne 2
 440 .na
 441 \fB\fBListenAddress\fR\fR
 442 .ad
 443 .sp .6
 444 .RS 4n
 445 Specifies what local address \fBsshd\fR should listen on. The following forms
 446 can be used:
 447 .sp
 448 .in +2
 449 .nf
 450 ListenAddress \fIhost\fR|\fIIPv4_addr\fR|\fIIPv6_addr\fR
 451 ListenAddress \fIhost\fR|\fIIPv4_addr\fR:\fIport\fR
 452 ListenAddress [\fIhost\fR|\fIIPv6_addr\fR]:\fIport\fR
 453 .fi
 454 .in -2
 455 
 456 If \fIport\fR is not specified, \fBsshd\fR listens on the address and all prior
 457 \fBPort\fR options specified. The default is to listen on all local addresses.
 458 Multiple \fBListenAddress\fR options are permitted. Additionally, any
 459 \fBPort\fR options must precede this option for non-port qualified addresses.
 463 .RE
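
The following is an added example, not code from \fBsshd\fR or from this manual page. It parses the three \fBListenAddress\fR forms listed above and applies the rule that an address given without a port listens on every preceding \fBPort\fR option (22, the documented \fBPort\fR default, when there is none). It also shows why the bracketed form exists: a bare IPv6 address followed by a port, such as \fB2001:db8::1:22\fR, is itself a valid IPv6 address, so without brackets the port cannot be told apart. The function names and the sample configuration are this example's own.

```python
"""Added example: ListenAddress parsing and Port expansion as described in
sshd_config(4). Not code from sshd or from this page."""
import ipaddress

DEFAULT_PORT = 22  # the Port keyword's documented default


def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def parse_listen_address(value: str):
    """Return (address, port); port is None when the value carries no port.
    Forms: host|IPv4|IPv6, host|IPv4:port, [host|IPv6]:port."""
    value = value.strip()
    if value.startswith("["):                        # [host|IPv6_addr]:port
        end = value.find("]")
        if end < 0 or not value[end + 1:].startswith(":"):
            raise ValueError(f"expected [address]:port, got {value!r}")
        return value[1:end], _port(value[end + 2:])
    if ":" in value:
        try:                                         # bare IPv6 address, no port
            ipaddress.IPv6Address(value)
            return value, None
        except ValueError:
            pass
        host, _, port = value.rpartition(":")        # host|IPv4_addr:port
        if ":" in host:
            raise ValueError(f"ambiguous {value!r}: write [address]:port for IPv6")
        return host, _port(port)
    return value, None                               # host|IPv4_addr, no port


def is_valid_listen_address(value: str) -> bool:
    """True when parse_listen_address accepts the value."""
    try:
        parse_listen_address(value)
        return True
    except ValueError:
        return False


def listen_sockets(config_lines) -> list:
    """Walk sshd_config lines in order and return the (address, port) pairs sshd
    would bind. A ListenAddress without a port uses the Port options seen before
    it; with no ListenAddress at all, all local addresses, shown here as '*'."""
    ports, sockets, saw_listen = [], [], False
    for raw in config_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if keyword == "port":
            ports.append(_port(arg.strip()))
        elif keyword == "listenaddress":
            saw_listen = True
            addr, port = parse_listen_address(arg)
            if port is not None:
                sockets.append((addr, port))
            else:
                sockets.extend((addr, p) for p in (ports or [DEFAULT_PORT]))
    if not saw_listen:
        sockets = [("*", p) for p in (ports or [DEFAULT_PORT])]
    return sockets


# Constructed sample configuration (documentation addresses, not a real host).
SAMPLE_LISTEN_CONFIG = """\
# Port options first, so port-less ListenAddress lines pick them up
Port 22
Port 2222
ListenAddress 192.0.2.10
ListenAddress 192.0.2.11:2022
ListenAddress [2001:db8::1]:22
ListenAddress 2001:db8::2
"""

if __name__ == "__main__":
    for addr, port in listen_sockets(SAMPLE_LISTEN_CONFIG.splitlines()):
        print(f"{addr} port {port}")
```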
 464 
 465 .sp
 466 .ne 2
 467 .na
 468 \fB\fBLoginGraceTime\fR\fR
 469 .ad
 470 .sp .6
 471 .RS 4n
 472 The server disconnects after this time (in seconds) if the user has not
 473 successfully logged in. If the value is 0, there is no time limit. The default
 474 is 120 (seconds).
 475 .RE
 476 
 477 .sp
 478 .ne 2
 479 .na
 480 \fB\fBLogLevel\fR\fR
 481 .ad
 482 .sp .6
 483 .RS 4n
 484 Gives the verbosity level that is used when logging messages from \fBsshd\fR.
 485 The possible values are: \fBQUIET\fR, \fBFATAL\fR, \fBERROR\fR, \fBINFO\fR,
 486 \fBVERBOSE\fR, \fBDEBUG\fR, \fBDEBUG1\fR, \fBDEBUG2\fR, and \fBDEBUG3\fR. The
 487 default is \fBINFO\fR. DEBUG2 and DEBUG3 each specify higher levels of
 488 debugging output. Logging with level \fBDEBUG\fR violates the privacy of users
 489 and is not recommended.
 490 .RE
 491 
 492 .sp
 493 .ne 2
 494 .na
 495 \fB\fBLookupClientHostnames\fR\fR
 496 .ad
 497 .sp .6
 498 .RS 4n
 499 Specifies whether or not to look up the names of clients' addresses. The
 500 default is \fByes\fR.
 501 .RE
 502 
 503 .sp
 504 .ne 2
 505 .na
 506 \fB\fBMACs\fR\fR
 507 .ad
 508 .sp .6
 509 .RS 4n
 510 Specifies the available MAC (message authentication code) algorithms. The MAC
 511 algorithm is used in protocol version 2 for data integrity protection. Multiple
 512 algorithms must be comma-separated. The default is
 513 \fBhmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96\fR.
 514 .RE
 515 
 516 .sp
 517 .ne 2
 518 .na
 519 \fB\fBMaxStartups\fR\fR
 520 .ad
 521 .sp .6
 522 .RS 4n
 523 Specifies the maximum number of concurrent unauthenticated connections to the
 524 \fBsshd\fR daemon. Additional connections are dropped until authentication
 525 succeeds or the \fBLoginGraceTime\fR expires for a connection. The default is
 526 \fB10\fR.
 527 .sp
 528 Alternatively, random early drop can be enabled by specifying the three
 529 colon-separated values \fB\fIstart\fR:\fIrate\fR:\fIfull\fR\fR (for example,
 530 \fB10:30:60\fR). Referring to this example, \fBsshd\fR refuses connection
 531 attempts with a probability of \fIrate\fR/100 (30% in our example) if there are
 532 currently 10 (from the \fIstart\fR field) unauthenticated connections. The
 533 probability increases linearly and all connection attempts are refused if the
 534 number of unauthenticated connections reaches \fIfull\fR (60 in our example).
 535 .RE
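
The following is an added example, not code from \fBsshd\fR or from this manual page. It turns the random-early-drop description above into a function that returns the refusal probability for a given number of unauthenticated connections: 0 below \fIstart\fR, \fIrate\fR percent at \fIstart\fR, rising linearly to 100 percent at \fIfull\fR. A plain \fBMaxStartups\fR \fIN\fR is treated as \fIN\fR:100:\fIN\fR, which gives the documented behaviour of dropping every connection beyond \fIN\fR. The function names are this example's own.

```python
"""Added example: MaxStartups random early drop as described in sshd_config(4).
Not code from sshd or from this page."""
import random


def parse_max_startups(value: str):
    """Return (start, rate, full). A plain number N behaves as N:100:N."""
    fields = value.strip().split(":")
    if len(fields) == 1:
        n = int(fields[0])
        return n, 100, n
    if len(fields) != 3:
        raise ValueError(f"MaxStartups must be N or start:rate:full, got {value!r}")
    start, rate, full = (int(f) for f in fields)
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError(f"MaxStartups values out of range: {value!r}")
    return start, rate, full


def drop_probability(current: int, start: int, rate: int, full: int) -> int:
    """Percent chance that a new unauthenticated connection is refused when
    `current` unauthenticated connections already exist."""
    if current < start:
        return 0
    if current >= full:
        return 100
    # linear ramp: rate% at start, reaching 100% as current approaches full
    return rate + (100 - rate) * (current - start) // (full - start)


class FixedRng:
    """Deterministic stand-in for the random module, for reproducible checks."""
    def __init__(self, value: int):
        self.value = value

    def randrange(self, n: int) -> int:
        return self.value % n


def should_drop(current, start, rate, full, rng=random) -> bool:
    """Decide one connection attempt by drawing against drop_probability."""
    return rng.randrange(100) < drop_probability(current, start, rate, full)


if __name__ == "__main__":
    start, rate, full = parse_max_startups("10:30:60")
    for current in (5, 10, 35, 59, 60):
        print(f"{current:3d} unauthenticated -> refuse with "
              f"{drop_probability(current, start, rate, full)}%")
```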
 536 
 537 .sp
 538 .ne 2
 539 .na
 540 \fB\fBPasswordAuthentication\fR\fR
 541 .ad
 542 .sp .6
 543 .RS 4n
 544 Specifies whether password authentication is allowed. The default is \fByes\fR.
 545 This option applies to both protocol versions 1 and 2.
 546 .RE
 547 
 548 .sp
 549 .ne 2
 550 .na
 551 \fB\fBPermitEmptyPasswords\fR\fR
 552 .ad
 553 .sp .6
 554 .RS 4n
 555 When password or keyboard-interactive authentication is allowed, it specifies
 556 whether the server allows login to accounts with empty password strings.
 557 .sp
 558 If not set then the \fB/etc/default/login\fR \fBPASSREQ\fR value is used
 559 instead.
 560 .sp
 561 \fBPASSREQ=no\fR is equivalent to \fBPermitEmptyPasswords yes\fR.
 562 \fBPASSREQ=yes\fR is equivalent to \fBPermitEmptyPasswords no\fR. If neither
 563 \fBPermitEmptyPasswords\fR nor \fBPASSREQ\fR is set, the default is \fBno\fR.
 564 .RE
 565 
 566 .sp
 567 .ne 2
 568 .na
 569 \fB\fBPermitRootLogin\fR\fR
 570 .ad
 571 .sp .6
 572 .RS 4n
 573 Specifies whether the root can log in using \fBssh\fR(1). The argument must be
 574 \fByes\fR, \fBwithout-password\fR, \fBforced-commands-only\fR, or \fBno\fR.
 575 \fBwithout-password\fR means that root cannot be authenticated using the
 576 "password" or "keyboard-interactive" methods (see description of
 577 \fBKbdInteractiveAuthentication\fR). \fBforced-commands-only\fR means that
 578 authentication is allowed only for \fBpublickey\fR (for SSHv2, or RSA, for
 579 SSHv1) and only if the matching \fBauthorized_keys entry\fR for root has a
 580 \fBcommand=\fR\fI<cmd>\fR option.
 581 .sp
 582 In Solaris, the default \fB/etc/ssh/sshd_config\fR file is shipped with
 583 \fBPermitRootLogin\fR set to \fBno\fR. If unset by the administrator, then the
 584 \fBCONSOLE\fR parameter from \fB/etc/default/login\fR supplies the default
 585 value as follows: if the \fBCONSOLE\fR parameter is not commented out (it can
 586 even be empty, that is, "\fBCONSOLE=\fR"), then \fBwithout-password\fR is used
 587 as default value. If \fBCONSOLE\fR is commented out, then the default for
 588 \fBPermitRootLogin\fR is \fByes\fR.
 589 .sp
 590 The \fBwithout-password\fR and \fBforced-commands-only\fR settings are useful
 591 for tasks such as remote administration and backups that authenticate the
 592 remote client with trusted public keys, without allowing access to the root
 593 account using passwords.
 594 .RE
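
The following is an added example, not code from Solaris \fBsshd\fR or from this manual page. It computes the effective \fBPermitEmptyPasswords\fR and \fBPermitRootLogin\fR values when \fBsshd_config\fR leaves them unset, applying the \fB/etc/default/login\fR fallbacks described under the two keywords above (\fBPASSREQ\fR, and \fBCONSOLE\fR present-even-if-empty versus commented out). Reading \fB/etc/default/login\fR as KEY=VALUE lines with \fB#\fR comments is this example's assumption, as are the function names; the file contents shown are constructed.

```python
"""Added example: effective PermitEmptyPasswords / PermitRootLogin with the
/etc/default/login fallbacks described in sshd_config(4). Not sshd's code."""


def parse_default_login(text: str) -> dict:
    """Return the uncommented KEY=VALUE assignments of an /etc/default/login-style
    file. A commented-out key is absent; 'CONSOLE=' is present with value ''."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective_permit_empty_passwords(sshd_value, default_login: dict) -> str:
    """PermitEmptyPasswords if set; otherwise PASSREQ=no means yes and
    PASSREQ=yes means no; with neither set the default is no."""
    if sshd_value is not None:
        return sshd_value.lower()
    passreq = default_login.get("PASSREQ")
    if passreq is None:
        return "no"
    return "yes" if passreq.lower() == "no" else "no"


def effective_permit_root_login(sshd_value, default_login: dict) -> str:
    """PermitRootLogin if set; otherwise without-password when CONSOLE is present
    and not commented out (even if empty), and yes when CONSOLE is commented out."""
    if sshd_value is not None:
        return sshd_value.lower()
    return "without-password" if "CONSOLE" in default_login else "yes"


# Constructed sample /etc/default/login contents, not copied from any system.
DEFAULT_LOGIN_STOCK = """\
# constructed: CONSOLE active, passwords required
CONSOLE=/dev/console
PASSREQ=YES
"""
DEFAULT_LOGIN_RELAXED = """\
# constructed: CONSOLE commented out, empty passwords tolerated
#CONSOLE=/dev/console
PASSREQ=NO
"""


def report(sshd_config: dict, default_login_text: str) -> dict:
    """Effective values for a parsed sshd_config (lower-case keyword -> value,
    keyword absent when unset) combined with an /etc/default/login text."""
    dl = parse_default_login(default_login_text)
    return {
        "PermitEmptyPasswords": effective_permit_empty_passwords(
            sshd_config.get("permitemptypasswords"), dl),
        "PermitRootLogin": effective_permit_root_login(
            sshd_config.get("permitrootlogin"), dl),
    }


if __name__ == "__main__":
    print(report({}, DEFAULT_LOGIN_STOCK))
    print(report({}, DEFAULT_LOGIN_RELAXED))
    print(report({"permitrootlogin": "no"}, DEFAULT_LOGIN_RELAXED))
```

The second case is the one to watch for on a host whose \fBsshd_config\fR does not set \fBPermitRootLogin\fR explicitly: commenting out \fBCONSOLE\fR in \fB/etc/default/login\fR silently changes the effective value from \fBwithout-password\fR to \fByes\fR.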
 595 
 596 .sp
 597 .ne 2
 598 .na
 599 \fB\fBPermitUserEnvironment\fR\fR
 600 .ad
 601 .sp .6
 602 .RS 4n
 603 Specifies whether a user's \fB~/.ssh/environment\fR on the server side and
 604 \fBenvironment\fR options in the \fBAuthorizedKeysFile\fR file are processed by
 605 \fBsshd\fR. The default is \fBno\fR. Enabling environment processing can enable
 606 users to bypass access restrictions in some configurations using mechanisms
 607 such as \fBLD_PRELOAD\fR.
 608 .sp
 609 Environment settings from the relevant entry in the \fBAuthorizedKeysFile\fR
 610 file are processed only if the user was authenticated using the public key
 611 authentication method. Of the two files used, values of variables set in
 612 \fB~/.ssh/environment\fR take precedence.
 613 .RE
 614 
 615 .sp
 616 .ne 2
 617 .na
 618 \fB\fBPidFile\fR\fR
 619 .ad
 620 .sp .6
 621 .RS 4n
 622 Allows you to specify an alternative to \fB/var/run/sshd.pid\fR, the default
 623 file for storing the PID of the \fBsshd\fR listening for connections. See
 624 \fBsshd\fR(1M).
 625 .RE
 626 
 627 .sp
 628 .ne 2
 629 .na
 630 \fB\fBPort\fR\fR
 631 .ad
 632 .sp .6
 633 .RS 4n
 634 Specifies the port number that \fBsshd\fR listens on. The default is 22.
 635 Multiple options of this type are permitted. See also \fBListenAddress\fR.
 636 .RE
 637 
 638 .sp
 639 .ne 2
 640 .na
 641 \fB\fBPrintLastLog\fR\fR
 642 .ad
 643 .sp .6
 644 .RS 4n
 645 Specifies whether \fBsshd\fR should display the date and time when the user
 646 last logged in. The default is \fByes\fR.
 647 .RE
 648 
 649 .sp
 650 .ne 2
 651 .na
 652 \fB\fBPrintMotd\fR\fR
 653 .ad
 654 .sp .6
 655 .RS 4n
 656 Specifies whether \fBsshd\fR should display the contents of \fB/etc/motd\fR
 657 when a user logs in interactively. (On some systems it is also displayed by the
 658 shell or a shell startup file, such as \fB/etc/profile\fR.) The default is
 659 \fByes\fR.
 660 .RE
 661 
 662 .sp
 663 .ne 2
 664 .na
 665 \fB\fBProtocol\fR\fR
 666 .ad
 667 .sp .6
 668 .RS 4n
 669 Specifies the protocol versions \fBsshd\fR should support in order of
 670 preference. The possible values are \fB1\fR and \fB2\fR. Multiple versions must
 671 be comma-separated. The default is \fB2,1\fR. This means that \fBssh\fR tries
 672 version 2 and falls back to version 1 if version 2 is not available.
 673 .RE
 674 
 675 .sp
 676 .ne 2
 677 .na
 678 \fB\fBPubkeyAuthentication\fR\fR
 679 .ad
 680 .sp .6
 681 .RS 4n
 682 Specifies whether public key authentication is allowed. The default is
 683 \fByes\fR. This option applies to protocol version 2 only.
 684 .RE
 685 
 686 .sp
 687 .ne 2
 688 .na
 689 \fB\fBRhostsAuthentication\fR\fR
 690 .ad
 691 .sp .6
 692 .RS 4n
 693 Specifies whether authentication using \fBrhosts\fR or \fB/etc/hosts.equiv\fR
 694 files is sufficient. Normally, this method should not be permitted because it
 695 is insecure. \fBRhostsRSAAuthentication\fR should be used instead, because it
 696 performs RSA-based host authentication in addition to normal \fBrhosts\fR or
 697 \fB/etc/hosts.equiv\fR authentication. The default is \fBno\fR. This parameter
 698 applies only to protocol version 1.
 699 .RE
 700 
 701 .sp
 702 .ne 2
 703 .na
 704 \fB\fBRhostsRSAAuthentication\fR\fR
 705 .ad
 706 .sp .6
 707 .RS 4n
 708 Specifies whether \fBrhosts\fR or \fB/etc/hosts.equiv\fR authentication
 709 together with successful RSA host authentication is allowed. The default is
 710 \fBno\fR. This parameter applies only to protocol version 1.
 711 .RE
 712 
 713 .sp
 714 .ne 2
 715 .na
 716 \fB\fBRSAAuthentication\fR\fR
 717 .ad
 718 .sp .6
 719 .RS 4n
 720 Specifies whether pure RSA authentication is allowed. The default is \fByes\fR.
 721 This option applies to protocol version 1 only.
 722 .RE
 723 
 724 .sp
 725 .ne 2
 726 .na
 727 \fB\fBServerKeyBits\fR\fR
 728 .ad
 729 .sp .6
 730 .RS 4n
 731 Defines the number of bits in the ephemeral protocol version 1 server key. The
 732 minimum value is 512, and the default is 768.
 733 .RE
 734 
 735 .sp
 736 .ne 2
 737 .na
 738 \fB\fBStrictModes\fR\fR
 739 .ad
 740 .sp .6
 741 .RS 4n
 742 Specifies whether \fBsshd\fR should check file modes and ownership of the
 743 user's files and home directory before accepting login. This is normally
 744 desirable because novices sometimes accidentally leave their directory or files
 745 world-writable. The default is \fByes\fR.
 746 .RE
 747 
 748 .sp
 749 .ne 2
 750 .na
 751 \fB\fBSubsystem\fR\fR
 752 .ad
 753 .sp .6
 754 .RS 4n
 755 Configures an external subsystem (for example, a file transfer daemon).
 756 Arguments should be a subsystem name and a command to execute upon subsystem
 757 request. The command \fBsftp-server\fR(1M) implements the \fBsftp\fR file
 758 transfer subsystem.
 759 .sp
 760 Alternately, the name \fBinternal-sftp\fR implements an in-process \fBsftp\fR
 761 server. This can simplify configurations using \fBChrootDirectory\fR to force a
 762 different filesystem root on clients.
 763 .sp
 764 By default, no subsystems are defined. This option applies to protocol version
 765 2 only.
 766 .RE
 767 
 768 .sp
 769 .ne 2
 770 .na
 771 \fB\fBSyslogFacility\fR\fR
 772 .ad
 773 .sp .6
 774 .RS 4n
 775 Gives the facility code that is used when logging messages from \fBsshd\fR. The
 776 possible values are: \fBDAEMON\fR, \fBUSER\fR, \fBAUTH\fR, \fBLOCAL0\fR,
 777 \fBLOCAL1\fR, \fBLOCAL2\fR, \fBLOCAL3\fR, \fBLOCAL4\fR, \fBLOCAL5\fR,
 778 \fBLOCAL6\fR, and \fBLOCAL7\fR. The default is \fBAUTH\fR.
 779 .RE
 780 
 781 .sp
 782 .ne 2
 783 .na
 784 \fB\fBUseOpenSSLEngine\fR\fR
 785 .ad
 786 .sp .6
 787 .RS 4n
 788 Specifies whether \fBsshd\fR should use the OpenSSL PKCS#11 engine for
 789 offloading cryptographic operations to the Cryptographic Framework.
 790 Cryptographic operations are accelerated according to the available installed
 791 plug-ins. When no suitable plug-ins are present this option does not have an
 792 effect. The default is \fByes\fR.
 793 .RE
 794 
 795 .sp
 796 .ne 2
 797 .na
 798 \fB\fBVerifyReverseMapping\fR\fR
 799 .ad
 800 .sp .6
 801 .RS 4n
 802 Specifies whether \fBsshd\fR should try to verify the remote host name and
 803 check that the resolved host name for the remote IP address maps back to the
 804 very same IP address. (A \fByes\fR setting means "verify".) Setting this
 805 parameter to \fBno\fR can be useful where DNS servers might be down and thus
 806 cause \fBsshd\fR to spend much time trying to resolve the client's IP address
 807 to a name. This feature is useful for Internet-facing servers. The default is
 808 \fBno\fR.
 809 .RE
 810 
 811 .sp
 812 .ne 2
 813 .na
 814 \fB\fBX11DisplayOffset\fR\fR
 815 .ad
 816 .sp .6
 817 .RS 4n
 818 Specifies the first display number available for \fBsshd\fR's X11 forwarding.
 819 This prevents \fBsshd\fR from interfering with real X11 servers. The default is
 820 10.
 821 .RE
 822 
 823 .sp
 824 .ne 2
 825 .na
 826 \fB\fBX11Forwarding\fR\fR
 827 .ad
 828 .sp .6
 829 .RS 4n
 830 Specifies whether X11 forwarding is permitted. The default is \fByes\fR.
 831 .sp
 832 When X11 forwarding is enabled, there can be additional exposure to the server
 833 and to client displays if the \fBsshd\fR proxy display is configured to listen
 834 on the wildcard address (see \fBX11UseLocalhost\fR). However, this is not the
 835 default. Additionally, the authentication spoofing and authentication data
 836 verification and substitution occur on the client side. The security risk of
 837 using X11 forwarding is that the client's X11 display server can be exposed to
 838 attack when the \fBssh\fR client requests forwarding (see the warnings for
 839 \fBForwardX11\fR in \fBssh_config\fR(4)). A system administrator who wants to
 840 protect clients that expose themselves to attack by unwittingly requesting X11
 841 forwarding should specify a \fBno\fR setting.
 842 .sp
 843 Disabling X11 forwarding does not improve security in any way and does not
 844 prevent users from forwarding X11 traffic, as users can always install their
 845 own forwarders.
 847 .RE
 848 
 849 .sp
 850 .ne 2
 851 .na
 852 \fB\fBX11UseLocalhost\fR\fR
 853 .ad
 854 .sp .6
 855 .RS 4n
 856 Specifies whether \fBsshd\fR should bind the X11 forwarding server to the
 857 loopback address or to the wildcard address. By default, \fBsshd\fR binds the
 858 forwarding server to the loopback address and sets the hostname part of the
 859 \fBDISPLAY\fR environment variable to \fBlocalhost\fR. This prevents remote
 860 hosts from connecting to the proxy display. However, some older X11 clients
 861 might not function with this configuration. \fBX11UseLocalhost\fR can be set to
 862 \fBno\fR to specify that the forwarding server should be bound to the wildcard
 863 address. The argument must be \fByes\fR or \fBno\fR. The default is \fByes\fR.
 864 .RE
 865 
 866 .sp
 867 .ne 2
 868 .na
 869 \fB\fBXAuthLocation\fR\fR
 870 .ad
 871 .sp .6
 872 .RS 4n
 873 Specifies the location of the \fBxauth\fR(1) program. The default is
 874 \fB/usr/X11/bin/xauth\fR and \fBsshd\fR attempts to open it when X11 forwarding
 875 is enabled.
 876 .RE
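
The following is an added example, not code from \fBsshd\fR or from this manual page. It reads the keyword-value format described at the start of DESCRIPTION (one pair per line, lines beginning with \fB#\fR and empty lines are comments, keywords are case-insensitive, repeatable keywords such as \fBPort\fR and \fBListenAddress\fR keep every occurrence) and then audits a parsed file for the settings this page advises against: CBC modes in \fBCiphers\fR, \fBDEBUG\fR \fBLogLevel\fRs, \fBPermitUserEnvironment\fR, \fBRhostsAuthentication\fR, \fBPermitEmptyPasswords\fR, \fBPermitRootLogin yes\fR and \fBStrictModes no\fR. Unset keywords are compared against the defaults the page documents. The function names, the finding texts and the sample configuration are this example's own.

```python
"""Added example: sshd_config reader and audit of settings this page warns
about. Not code from sshd or from this page."""

# Default cipher list quoted under Ciphers; used when the keyword is absent.
DEFAULT_CIPHERS = "aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour"


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keyword -> list of values, in file order."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and empty lines
            continue
        parts = line.split(None, 1)               # keyword, then the rest
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(keyword, []).append(value)
    return config


def setting(config: dict, keyword: str, default: str) -> str:
    """First value of a keyword, or the documented default when it is unset."""
    values = config.get(keyword.lower())
    return values[0] if values else default


def audit(config: dict) -> list:
    """Return finding strings for settings the manual page advises against."""
    findings = []
    ciphers = [c.strip().lower()
               for c in setting(config, "Ciphers", DEFAULT_CIPHERS).split(",")]
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    if cbc:
        findings.append(f"Ciphers: CBC modes enabled ({','.join(cbc)}); "
                        "not recommended on the server side")
    if setting(config, "LogLevel", "INFO").upper().startswith("DEBUG"):
        findings.append("LogLevel: DEBUG levels violate the privacy of users; "
                        "INFO is the default")
    if setting(config, "PermitUserEnvironment", "no").lower() == "yes":
        findings.append("PermitUserEnvironment yes: users can bypass access "
                        "restrictions through mechanisms such as LD_PRELOAD")
    if setting(config, "RhostsAuthentication", "no").lower() == "yes":
        findings.append("RhostsAuthentication yes: insecure and should not be "
                        "permitted")
    if setting(config, "PermitEmptyPasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty "
                        "passwords can log in")
    # the shipped sshd_config sets PermitRootLogin no; only an explicit yes is flagged
    if setting(config, "PermitRootLogin", "no").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if setting(config, "StrictModes", "yes").lower() == "no":
        findings.append("StrictModes no: mode and ownership checks on the "
                        "user's files and home directory are skipped")
    return findings


# Constructed sample sshd_config, not copied from any system.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Protocol 2
Port 22
ListenAddress 0.0.0.0
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
LogLevel DEBUG2
PermitRootLogin no
permituserenvironment Yes
StrictModes yes
Subsystem sftp internal-sftp
"""

if __name__ == "__main__":
    for finding in audit(parse_sshd_config(SAMPLE_CONFIG)):
        print(finding)
```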
 877 
 878 .SS "Time Formats"
 879 .sp
 880 .LP
 881 \fBsshd\fR command-line arguments and configuration file options that specify
 882 time can be expressed using a sequence of the form
 883 \fItime\fR[\fIqualifier\fR], where \fItime\fR is a positive integer value and
 884 \fIqualifier\fR is one of the following:
 885 .sp
 886 .ne 2
 887 .na
 888 \fB\fI<none>\fR\fR
 889 .ad
 890 .RS 10n
 891 seconds
 892 .RE
 893 
 894 .sp
 895 .ne 2
 896 .na
 897 \fB\fBs\fR | \fBS\fR\fR
 898 .ad
 899 .RS 10n
 900 seconds
 901 .RE
 902 
 903 .sp
 904 .ne 2
 905 .na
 906 \fB\fBm\fR | \fBM\fR\fR
 907 .ad
 908 .RS 10n
 909 minutes
 910 .RE
 911 
 912 .sp
 913 .ne 2
 914 .na
 915 \fB\fBh\fR | \fBH\fR\fR
 916 .ad
 917 .RS 10n
 918 hours
 919 .RE
 920 
 921 .sp
 922 .ne 2
 923 .na
 924 \fB\fBd\fR | \fBD\fR\fR
 925 .ad
 926 .RS 10n
 927 days
 928 .RE
 929 
 930 .sp
 931 .ne 2
 932 .na
 933 \fB\fBw\fR | \fBW\fR\fR
 934 .ad
 935 .RS 10n
 936 weeks
 937 .RE
 938 
 939 .sp
 940 .LP
 941 Each element of the sequence is added together to calculate the total time
 942 value. For example:
 943 .sp
 944 .ne 2
 945 .na
 946 \fB\fB600\fR\fR
 947 .ad
 948 .RS 9n
 949 600 seconds (10 minutes)
 950 .RE
 951 
 952 .sp
 953 .ne 2
 954 .na
 955 \fB\fB10m\fR\fR
 956 .ad
 957 .RS 9n
 958 10 minutes
 959 .RE
 960 
 961 .sp
 962 .ne 2
 963 .na
 964 \fB\fB1h30m\fR\fR
 965 .ad
 966 .RS 9n
 967 1 hour, 30 minutes (90 minutes)
 968 .RE
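
The following is an added example, not code from \fBsshd\fR or from this manual page. It parses the \fItime\fR[\fIqualifier\fR] sequences described above, adding the elements together, and rejects anything that is not a run of digits followed by one of the listed qualifiers in either case. The function names are this example's own.

```python
"""Added example: parser for the time[qualifier] sequences of sshd_config(4).
Not code from sshd or from this page."""
import re

# seconds per qualifier; '' is the bare-number form
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_ELEMENT = re.compile(r"(\d+)([smhdwSMHDW]?)")


def parse_time(text: str) -> int:
    """Return the total number of seconds, or raise ValueError if any part of
    the string is not a digit run followed by an optional qualifier."""
    text = text.strip()
    if not text:
        raise ValueError("empty time value")
    total, pos = 0, 0
    while pos < len(text):
        m = _ELEMENT.match(text, pos)
        if m is None:
            raise ValueError(f"malformed time value {text!r} at offset {pos}")
        number, qualifier = m.groups()
        total += int(number) * UNIT_SECONDS[qualifier.lower()]
        pos = m.end()
    return total


def is_valid_time(text: str) -> bool:
    """True when parse_time accepts the value."""
    try:
        parse_time(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("600", "10m", "1h30m", "2w", "1d12h"):
        print(f"{sample:>6} -> {parse_time(sample)} seconds")
```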
 969 
 970 .SH FILES
 971 .sp
 972 .ne 2
 973 .na
 974 \fB\fB/etc/ssh/sshd_config\fR\fR
 975 .ad
 976 .RS 24n
 977 Contains configuration data for \fBsshd\fR. This file should be writable by
 978 root only, but it is recommended (though not necessary) that it be
 979 world-readable.
 980 .RE
 981 
 982 .SH ATTRIBUTES
 983 .sp
 984 .LP
 985 See \fBattributes\fR(5) for descriptions of the following attributes:
 986 .sp
 987 
 988 .sp
 989 .TS
 990 box;
 991 c | c
 992 l | l .
 993 ATTRIBUTE TYPE  ATTRIBUTE VALUE
 994 _
 995 Interface Stability     Uncommitted
 996 .TE
 997 
 998 .SH SEE ALSO
 999 .sp
1000 .LP
1001 \fBlogin\fR(1), \fBsshd\fR(1M), \fBchroot\fR(2), \fBssh_config\fR(4),
1002 \fBattributes\fR(5), \fBkerberos\fR(5)
1003 .SH AUTHORS
1004 .sp
1005 .LP
1006 OpenSSH is a derivative of the original and free \fBssh\fR 1.2.12 release by
1007 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de
1008 Raadt, and Dug Song removed many bugs, re-added recent features, and created
1009 OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5
1010 and 2.0. Niels Provos and Markus Friedl contributed support for privilege
1011 separation.