1 '\" te
2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
4 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
5 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH SSHD_CONFIG 4 "Mar 26, 2009"
7 .SH NAME
8 sshd_config \- sshd configuration file
9 .SH SYNOPSIS
10 .LP
11 .nf
12 \fB/etc/ssh/sshd_config\fR
13 .fi
14
15 .SH DESCRIPTION
16 .sp
17 .LP
18 The \fBsshd\fR(1M) daemon reads configuration data from
19 \fB/etc/ssh/sshd_config\fR (or the file specified with \fBsshd\fR \fB-f\fR on
20 the command line). The file contains keyword-value pairs, one per line. A line
21 starting with a hash mark (\fB#\fR) and empty lines are interpreted as
22 comments.
23 .sp
24 .LP
25 The \fBsshd_config\fR file supports the following keywords. Unless otherwise
26 noted, keywords and their arguments are case-insensitive.
152 arcfour256,arcfour
153 .fi
154 .in -2
155 .sp
156
157 Using CBC modes on the server side is not recommended due to potential security
158 issues in connection with the SSH protocol version 2.
159 .RE
160
161 .sp
162 .ne 2
163 .na
164 \fB\fBClientAliveCountMax\fR\fR
165 .ad
166 .sp .6
167 .RS 4n
168 Sets the number of client alive messages, (see \fBClientAliveInterval\fR), that
169 can be sent without \fBsshd\fR receiving any messages back from the client. If
170 this threshold is reached while client alive messages are being sent,
171 \fBsshd\fR disconnects the client, terminating the session. The use of client
172 alive messages is very different from \fBKeepAlive\fR. The client alive
173 messages are sent through the encrypted channel and therefore are not
174 spoofable. The TCP keepalive option enabled by \fBKeepAlive\fR is spoofable.
175 The client alive mechanism is valuable when a client or server depend on
176 knowing when a connection has become inactive.
177 .sp
178 The default value is 3. If \fBClientAliveInterval\fR is set to 15, and
179 \fBClientAliveCountMax\fR is left at the default, unresponsive \fBssh\fR
180 clients are disconnected after approximately 45 seconds.
181 .RE
182
183 .sp
184 .ne 2
185 .na
186 \fB\fBClientAliveInterval\fR\fR
187 .ad
188 .sp .6
189 .RS 4n
190 Sets a timeout interval in seconds after which, if no data has been received
191 from the client, \fBsshd\fR sends a message through the encrypted channel to
192 request a response from the client. The default is 0, indicating that these
193 messages are not sent to the client. This option applies only to protocol
194 version 2.
385 Specifies whether \fBsshd\fR should ignore the user's
386 \fB$HOME/.ssh/known_hosts\fR during \fBRhostsRSAAuthentication\fR. The default
387 is \fBno\fR. This parameter applies to both protocol versions 1 and 2.
388 .RE
389
390 .sp
391 .ne 2
392 .na
393 \fB\fBKbdInteractiveAuthentication\fR\fR
394 .ad
395 .sp .6
396 .RS 4n
397 Specifies whether authentication by means of the "keyboard-interactive"
398 authentication method (and PAM) is allowed. Defaults to \fByes\fR. (Deprecated:
399 this parameter can only be set to \fByes\fR.)
400 .RE
401
402 .sp
403 .ne 2
404 .na
405 \fB\fBKeepAlive\fR\fR
406 .ad
407 .sp .6
408 .RS 4n
409 Specifies whether the system should send keepalive messages to the other side.
410 If they are sent, death of the connection or crash of one of the machines is
411 properly noticed. However, this means that connections die if the route is down
412 temporarily, which can be an annoyance. On the other hand, if keepalives are
413 not sent, sessions can hang indefinitely on the server, leaving ghost users and
414 consuming server resources.
415 .sp
416 The default is \fByes\fR (to send keepalives), and the server notices if the
417 network goes down or the client host reboots. This avoids infinitely hanging
418 sessions.
419 .sp
420 To disable keepalives, the value should be set to \fBno\fR in both the server
421 and the client configuration files.
422 .RE
423
424 .sp
425 .ne 2
|
1 '\" te
2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 .\" Copyright (c) 2013, Joyent, Inc. All Rights Reserved.
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH SSHD_CONFIG 4 "Jan 17, 2013"
8 .SH NAME
9 sshd_config \- sshd configuration file
10 .SH SYNOPSIS
11 .LP
12 .nf
13 \fB/etc/ssh/sshd_config\fR
14 .fi
15
16 .SH DESCRIPTION
17 .sp
18 .LP
19 The \fBsshd\fR(1M) daemon reads configuration data from
20 \fB/etc/ssh/sshd_config\fR (or the file specified with \fBsshd\fR \fB-f\fR on
21 the command line). The file contains keyword-value pairs, one per line. A line
22 starting with a hash mark (\fB#\fR) and empty lines are interpreted as
23 comments.
24 .sp
25 .LP
26 The \fBsshd_config\fR file supports the following keywords. Unless otherwise
27 noted, keywords and their arguments are case-insensitive.
153 arcfour256,arcfour
154 .fi
155 .in -2
156 .sp
157
158 Using CBC modes on the server side is not recommended due to potential security
159 issues in connection with the SSH protocol version 2.
160 .RE
161
162 .sp
163 .ne 2
164 .na
165 \fB\fBClientAliveCountMax\fR\fR
166 .ad
167 .sp .6
168 .RS 4n
169 Sets the number of client alive messages, (see \fBClientAliveInterval\fR), that
170 can be sent without \fBsshd\fR receiving any messages back from the client. If
171 this threshold is reached while client alive messages are being sent,
172 \fBsshd\fR disconnects the client, terminating the session. The use of client
173 alive messages is very different from \fBTCPKeepAlive\fR. The client alive
174 messages are sent through the encrypted channel and therefore are not
175 spoofable. The TCP keepalive option enabled by \fBTCPKeepAlive\fR is spoofable.
176 The client alive mechanism is valuable when a client or server depend on
177 knowing when a connection has become inactive.
178 .sp
179 The default value is 3. If \fBClientAliveInterval\fR is set to 15, and
180 \fBClientAliveCountMax\fR is left at the default, unresponsive \fBssh\fR
181 clients are disconnected after approximately 45 seconds.
182 .RE
183
184 .sp
185 .ne 2
186 .na
187 \fB\fBClientAliveInterval\fR\fR
188 .ad
189 .sp .6
190 .RS 4n
191 Sets a timeout interval in seconds after which, if no data has been received
192 from the client, \fBsshd\fR sends a message through the encrypted channel to
193 request a response from the client. The default is 0, indicating that these
194 messages are not sent to the client. This option applies only to protocol
195 version 2.
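Review bot: In the ClientAliveCountMax entry (new lines 173 and 175) the references are renamed to TCPKeepAlive, but the paragraph still only says the two mechanisms are "very different" and that one is spoofable. ClientAliveInterval defaults to 0 (new line 193) and TCPKeepAlive defaults to yes, so out of the box the spoofable TCP keepalive is the only liveness check. Consider adding a sentence saying so, and that ClientAliveInterval must be set to a non-zero value before ClientAliveCountMax has any effect. While this paragraph is being touched, "a client or server depend on" at new line 176 should read "depends on".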
386 Specifies whether \fBsshd\fR should ignore the user's
387 \fB$HOME/.ssh/known_hosts\fR during \fBRhostsRSAAuthentication\fR. The default
388 is \fBno\fR. This parameter applies to both protocol versions 1 and 2.
389 .RE
390
391 .sp
392 .ne 2
393 .na
394 \fB\fBKbdInteractiveAuthentication\fR\fR
395 .ad
396 .sp .6
397 .RS 4n
398 Specifies whether authentication by means of the "keyboard-interactive"
399 authentication method (and PAM) is allowed. Defaults to \fByes\fR. (Deprecated:
400 this parameter can only be set to \fByes\fR.)
401 .RE
402
403 .sp
404 .ne 2
405 .na
406 \fB\fBTCPKeepAlive\fR\fR
407 .ad
408 .sp .6
409 .RS 4n
410 Specifies whether the system should send keepalive messages to the other side.
411 If they are sent, death of the connection or crash of one of the machines is
412 properly noticed. However, this means that connections die if the route is down
413 temporarily, which can be an annoyance. On the other hand, if keepalives are
414 not sent, sessions can hang indefinitely on the server, leaving ghost users and
415 consuming server resources.
416 .sp
417 The default is \fByes\fR (to send keepalives), and the server notices if the
418 network goes down or the client host reboots. This avoids infinitely hanging
419 sessions.
420 .sp
421 To disable keepalives, the value should be set to \fBno\fR in both the server
422 and the client configuration files.
423 .RE
424
425 .sp
426 .ne 2
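Review bot: The heading at new line 406 is renamed in place, so TCPKeepAlive now sits directly after KbdInteractiveAuthentication, where KeepAlive used to sort. If the keyword list is meant to stay alphabetical, the entry should move to the T keywords. The entry also does not say whether the old KeepAlive spelling is still accepted; a one-line statement either way (deprecated alias, or no longer recognised) would help administrators with existing sshd_config files. The body at new line 410 could say "TCP keepalive messages" to keep it distinct from the client alive messages described under ClientAliveCountMax.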
|