Print this page
3477 SunSSH config should accept TCPKeepAlive as synonym for KeepAlive
Reviewed by: Jerry Jelinek <jerry@joyent.com>
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/man/man4/sshd_config.4
+++ new/usr/src/man/man4/sshd_config.4
1 1 '\" te
2 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 +.\" Copyright (c) 2013, Joyent, Inc. All Rights Reserved.
3 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
4 5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
5 6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 -.TH SSHD_CONFIG 4 "Mar 26, 2009"
7 +.TH SSHD_CONFIG 4 "Jan 17, 2013"
7 8 .SH NAME
8 9 sshd_config \- sshd configuration file
9 10 .SH SYNOPSIS
10 11 .LP
11 12 .nf
12 13 \fB/etc/ssh/sshd_config\fR
13 14 .fi
14 15
15 16 .SH DESCRIPTION
16 17 .sp
17 18 .LP
18 19 The \fBsshd\fR(1M) daemon reads configuration data from
19 20 \fB/etc/ssh/sshd_config\fR (or the file specified with \fBsshd\fR \fB-f\fR on
20 21 the command line). The file contains keyword-value pairs, one per line. A line
21 22 starting with a hash mark (\fB#\fR) and empty lines are interpreted as
22 23 comments.
23 24 .sp
24 25 .LP
25 26 The \fBsshd_config\fR file supports the following keywords. Unless otherwise
26 27 noted, keywords and their arguments are case-insensitive.
27 28 .sp
28 29 .ne 2
29 30 .na
30 31 \fB\fBAllowGroups\fR\fR
31 32 .ad
32 33 .sp .6
33 34 .RS 4n
34 35 This keyword can be followed by a number of group names, separated by spaces.
35 36 If specified, login is allowed only for users whose primary group or
36 37 supplementary group list matches one of the patterns. Asterisk (\fB*\fR) and
37 38 question mark (\fB?\fR) can be used as wildcards in the patterns. Only group
38 39 names are valid; a numerical group ID is not recognized. By default, login is
39 40 allowed regardless of the primary group.
40 41 .RE
41 42
42 43 .sp
43 44 .ne 2
44 45 .na
45 46 \fB\fBAllowTcpForwarding\fR\fR
46 47 .ad
47 48 .sp .6
48 49 .RS 4n
49 50 Specifies whether TCP forwarding is permitted. The default is \fByes\fR.
50 51 Disabling TCP forwarding does not improve security unless users are also denied
51 52 shell access, as they can always install their own forwarders.
52 53 .RE
53 54
54 55 .sp
55 56 .ne 2
56 57 .na
57 58 \fB\fBAllowUsers\fR\fR
58 59 .ad
59 60 .sp .6
60 61 .RS 4n
61 62 This keyword can be followed by a number of user names, separated by spaces. If
62 63 specified, login is allowed only for user names that match one of the patterns.
63 64 Asterisk (\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the
64 65 patterns. Only user names are valid; a numerical user ID is not recognized. By
65 66 default login is allowed regardless of the user name.
66 67 .sp
67 68 If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and
68 69 \fIhost\fR are checked separately, restricting logins to particular users from
69 70 particular hosts.
70 71 .RE
71 72
72 73 .sp
73 74 .ne 2
74 75 .na
75 76 \fB\fBAuthorizedKeysFile\fR\fR
76 77 .ad
77 78 .sp .6
78 79 .RS 4n
79 80 Specifies the file that contains the public keys that can be used for user
80 81 authentication. \fBAuthorizedKeysFile\fR can contain tokens of the form
81 82 \fB%T\fR, which are substituted during connection set-up. The following tokens
82 83 are defined: \fB%%\fR is replaced by a literal \fB%\fR, \fB%h\fR is replaced by
83 84 the home directory of the user being authenticated and \fB%u\fR is replaced by
84 85 the username of that user. After expansion, \fBAuthorizedKeysFile\fR is taken
85 86 to be an absolute path or one relative to the user's home directory. The
86 87 default is \fB\&.ssh/authorized_keys\fR.
87 88 .RE
88 89
89 90 .sp
90 91 .ne 2
91 92 .na
92 93 \fB\fBBanner\fR\fR
93 94 .ad
94 95 .sp .6
95 96 .RS 4n
96 97 In some jurisdictions, sending a warning message before authentication can be
97 98 relevant for getting legal protection. The contents of the specified file are
98 99 sent to the remote user before authentication is allowed. This option is only
99 100 available for protocol version 2. By default, no banner is displayed.
100 101 .RE
101 102
102 103 .sp
103 104 .ne 2
104 105 .na
105 106 \fB\fBChrootDirectory\fR\fR
106 107 .ad
107 108 .sp .6
108 109 .RS 4n
109 110 Specifies a path to \fBchroot\fR(2) to after authentication. This path, and all
110 111 its components, must be root-owned directories that are not writable by any
111 112 other user or group.
112 113 .sp
113 114 The server always tries to change to the user's home directory locally under
114 115 the chrooted environment but a failure to do so is not considered an error. In
115 116 addition, the path might contain the following tokens that are expanded at
116 117 runtime once the connecting user has been authenticated: \fB%%\fR is replaced
117 118 by a literal \fB%\fR, \fB%h\fR is replaced by the home directory of the user
118 119 being authenticated, and \fB%u\fR is replaced by the username of that user.
119 120 .sp
120 121 The \fBChrootDirectory\fR must contain the necessary files and directories to
121 122 support the user's session. For an interactive SSH session this requires at
122 123 least a user's shell, shared libraries needed by the shell, dynamic linker, and
123 124 possibly basic \fB/dev\fR nodes such as \fBnull\fR, \fBzero\fR, \fBstdin\fR,
124 125 \fBstdout\fR, \fBstderr\fR, \fBrandom\fR, and \fBtty\fR. Additionally, terminal
125 126 databases are needed for screen oriented applications. For file transfer
126 127 sessions using \fBsftp\fR with the SSH protocol version 2, no additional
127 128 configuration of the environment is necessary if the in-process \fBsftp\fR
128 129 server is used. See \fBSubsystem\fR for details.
129 130 .sp
130 131 The default is not to \fBchroot\fR(2).
131 132 .RE
132 133
133 134 .sp
134 135 .ne 2
135 136 .na
136 137 \fB\fBCiphers\fR\fR
137 138 .ad
138 139 .sp .6
139 140 .RS 4n
140 141 Specifies the ciphers allowed for protocol version 2. Cipher ordering on the
141 142 server side is not relevant. Multiple ciphers must be comma separated.
142 143 .sp
143 144 Valid ciphers are: \fBaes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc,
144 145 aes192-cbc, aes256-cbc, arcfour, arcfour128, arcfour256, 3des-cbc\fR, and
145 146 \fBblowfish-cbc\fR.
146 147 .sp
147 148 The default cipher list is:
148 149 .sp
149 150 .in +2
150 151 .nf
151 152 aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,
152 153 arcfour256,arcfour
153 154 .fi
154 155 .in -2
155 156 .sp
156 157
157 158 Using CBC modes on the server side is not recommended due to potential security
158 159 issues in connection with the SSH protocol version 2.
159 160 .RE
160 161
161 162 .sp
↓ open down ↓ |
145 lines elided |
↑ open up ↑ |
162 163 .ne 2
163 164 .na
164 165 \fB\fBClientAliveCountMax\fR\fR
165 166 .ad
166 167 .sp .6
167 168 .RS 4n
168 169 Sets the number of client alive messages, (see \fBClientAliveInterval\fR), that
169 170 can be sent without \fBsshd\fR receiving any messages back from the client. If
170 171 this threshold is reached while client alive messages are being sent,
171 172 \fBsshd\fR disconnects the client, terminating the session. The use of client
172 -alive messages is very different from \fBKeepAlive\fR. The client alive
173 +alive messages is very different from \fBTCPKeepAlive\fR. The client alive
173 174 messages are sent through the encrypted channel and therefore are not
174 -spoofable. The TCP keepalive option enabled by \fBKeepAlive\fR is spoofable.
175 +spoofable. The TCP keepalive option enabled by \fBTCPKeepAlive\fR is spoofable.
175 176 The client alive mechanism is valuable when a client or server depend on
176 177 knowing when a connection has become inactive.
177 178 .sp
178 179 The default value is 3. If \fBClientAliveInterval\fR is set to 15, and
179 180 \fBClientAliveCountMax\fR is left at the default, unresponsive \fBssh\fR
180 181 clients are disconnected after approximately 45 seconds.
181 182 .RE
182 183
183 184 .sp
184 185 .ne 2
185 186 .na
186 187 \fB\fBClientAliveInterval\fR\fR
187 188 .ad
188 189 .sp .6
189 190 .RS 4n
190 191 Sets a timeout interval in seconds after which, if no data has been received
191 192 from the client, \fBsshd\fR sends a message through the encrypted channel to
192 193 request a response from the client. The default is 0, indicating that these
193 194 messages are not sent to the client. This option applies only to protocol
194 195 version 2.
195 196 .RE
196 197
197 198 .sp
198 199 .ne 2
199 200 .na
200 201 \fB\fBCompression\fR\fR
201 202 .ad
202 203 .sp .6
203 204 .RS 4n
204 205 Controls whether the server allows the client to negotiate the use of
205 206 compression. The default is \fByes\fR.
206 207 .RE
207 208
208 209 .sp
209 210 .ne 2
210 211 .na
211 212 \fB\fBDenyGroups\fR\fR
212 213 .ad
213 214 .sp .6
214 215 .RS 4n
215 216 Can be followed by a number of group names, separated by spaces. Users whose
216 217 primary group matches one of the patterns are not allowed to log in. Asterisk
217 218 (\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the patterns.
218 219 Only group names are valid; a numerical group ID is not recognized. By default,
219 220 login is allowed regardless of the primary group.
220 221 .RE
221 222
222 223 .sp
223 224 .ne 2
224 225 .na
225 226 \fB\fBDenyUsers\fR\fR
226 227 .ad
227 228 .sp .6
228 229 .RS 4n
229 230 Can be followed by a number of user names, separated by spaces. Login is
230 231 disallowed for user names that match one of the patterns. Asterisk (\fB*\fR)
231 232 and question mark (\fB?\fR) can be used as wildcards in the patterns. Only user
232 233 names are valid; a numerical user ID is not recognized. By default, login is
233 234 allowed regardless of the user name.
234 235 .sp
235 236 If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and
236 237 \fIhost\fR are checked separately, disallowing logins to particular users from
237 238 particular hosts.
238 239 .RE
239 240
240 241 .sp
241 242 .ne 2
242 243 .na
243 244 \fB\fBGatewayPorts\fR\fR
244 245 .ad
245 246 .sp .6
246 247 .RS 4n
247 248 Specifies whether remote hosts are allowed to connect to ports forwarded for
248 249 the client. By default, \fBsshd\fR binds remote port forwardings to the
249 250 loopback address. This prevents other remote hosts from connecting to forwarded
250 251 ports. \fBGatewayPorts\fR can be used to specify that \fBsshd\fR should bind
251 252 remote port forwardings to the wildcard address, thus allowing remote hosts to
252 253 connect to forwarded ports.
253 254 .sp
254 255 The argument can be \fBno\fR to force remote port forwardings to be available
255 256 to the local host only, \fByes\fR to force remote port forwardings to bind to
256 257 the wildcard address, or \fBclientspecified\fR to allow the client to select
257 258 the address to which the forwarding is bound. The default is \fBno\fR. See also
258 259 \fBRemoteForward\fR in \fBssh_config\fR(4).
259 260 .RE
260 261
261 262 .sp
262 263 .ne 2
263 264 .na
264 265 \fB\fBGSSAPIAuthentication\fR\fR
265 266 .ad
266 267 .sp .6
267 268 .RS 4n
268 269 Enables/disables GSS-API user authentication. The default is \fByes\fR.
269 270 .sp
270 271 Currently \fBsshd\fR authorizes client user principals to user accounts as
271 272 follows: if the principal name matches the requested user account, then the
272 273 principal is authorized. Otherwise, GSS-API authentication fails.
273 274 .RE
274 275
275 276 .sp
276 277 .ne 2
277 278 .na
278 279 \fB\fBGSSAPIKeyExchange\fR\fR
279 280 .ad
280 281 .sp .6
281 282 .RS 4n
282 283 Enables/disables GSS-API-authenticated key exchanges. The default is \fByes\fR.
283 284 .sp
284 285 This option also enables the use of the GSS-API to authenticate the user to
285 286 server after the key exchange. GSS-API key exchange can succeed but the
286 287 subsequent authentication using the GSS-API fail if the server does not
287 288 authorize the user's GSS principal name to the target user account.
288 289 .sp
289 290 Currently \fBsshd\fR authorizes client user principals to user accounts as
290 291 follows: if the principal name matches the requested user account, then the
291 292 principal is authorized. Otherwise, GSS-API authentication fails.
292 293 .RE
293 294
294 295 .sp
295 296 .ne 2
296 297 .na
297 298 \fB\fBGSSAPIStoreDelegatedCredentials\fR\fR
298 299 .ad
299 300 .sp .6
300 301 .RS 4n
301 302 Enables/disables the use of delegated GSS-API credentials on the server-side.
302 303 The default is \fByes\fR.
303 304 .sp
304 305 Specifically, this option, when enabled, causes the server to store delegated
305 306 GSS-API credentials in the user's default GSS-API credential store (which for
306 307 the Kerberos V mechanism means \fB/tmp/krb5cc_\fI<uid>\fR\fR).
307 308 .LP
308 309 Note -
309 310 .sp
310 311 .RS 2
311 312 \fBsshd\fR does not take any steps to explicitly destroy stored delegated
312 313 GSS-API credentials upon logout. It is the responsibility of PAM modules to
313 314 destroy credentials associated with a session.
314 315 .RE
315 316 .RE
316 317
317 318 .sp
318 319 .ne 2
319 320 .na
320 321 \fB\fBHostbasedAuthentication\fR\fR
321 322 .ad
322 323 .sp .6
323 324 .RS 4n
324 325 Specifies whether to try \fBrhosts\fR-based authentication with public key
325 326 authentication. The argument must be \fByes\fR or \fBno\fR. The default is
326 327 \fBno\fR. This option applies to protocol version 2 only and is similar to
327 328 \fBRhostsRSAAuthentication\fR. See \fBsshd\fR(1M) for guidelines on setting up
328 329 host-based authentication.
329 330 .RE
330 331
331 332 .sp
332 333 .ne 2
333 334 .na
334 335 \fB\fBHostbasedUsesNameFromPacketOnly\fR\fR
335 336 .ad
336 337 .sp .6
337 338 .RS 4n
338 339 Controls which hostname is searched for in the files \fB~/.shosts\fR,
339 340 \fB/etc/shosts.equiv\fR, and \fB/etc/hosts.equiv\fR. If this parameter is set
340 341 to \fByes\fR, the server uses the name the client claimed for itself and signed
341 342 with that host's key. If set to \fBno\fR, the default, the server uses the name
342 343 to which the client's IP address resolves.
343 344 .sp
344 345 Setting this parameter to \fBno\fR disables host-based authentication when
345 346 using NAT or when the client gets to the server indirectly through a
346 347 port-forwarding firewall.
347 348 .RE
348 349
349 350 .sp
350 351 .ne 2
351 352 .na
352 353 \fB\fBHostKey\fR\fR
353 354 .ad
354 355 .sp .6
355 356 .RS 4n
356 357 Specifies the file containing the private host key used by SSH. The default is
357 358 \fB/etc/ssh/ssh_host_key\fR for protocol version 1, and
358 359 \fB/etc/ssh/ssh_host_rsa_key\fR and \fB/etc/ssh/ssh_host_dsa_key\fR for
359 360 protocol version 2. \fBsshd\fR refuses to use a file if it is
360 361 group/world-accessible. It is possible to have multiple host key files.
361 362 \fBrsa1\fR keys are used for version 1 and \fBdsa\fR or \fBrsa\fR are used for
362 363 version 2 of the SSH protocol.
363 364 .RE
364 365
365 366 .sp
366 367 .ne 2
367 368 .na
368 369 \fB\fBIgnoreRhosts\fR\fR
369 370 .ad
370 371 .sp .6
371 372 .RS 4n
372 373 Specifies that \fB\&.rhosts\fR and \fB\&.shosts\fR files are not used in
373 374 authentication. \fB/etc/hosts.equiv\fR and \fB/etc/shosts.equiv\fR are still
374 375 used. The default is \fByes\fR. This parameter applies to both protocol
375 376 versions 1 and 2.
376 377 .RE
377 378
378 379 .sp
379 380 .ne 2
380 381 .na
381 382 \fB\fBIgnoreUserKnownHosts\fR\fR
382 383 .ad
383 384 .sp .6
384 385 .RS 4n
385 386 Specifies whether \fBsshd\fR should ignore the user's
386 387 \fB$HOME/.ssh/known_hosts\fR during \fBRhostsRSAAuthentication\fR. The default
387 388 is \fBno\fR. This parameter applies to both protocol versions 1 and 2.
388 389 .RE
389 390
390 391 .sp
391 392 .ne 2
392 393 .na
393 394 \fB\fBKbdInteractiveAuthentication\fR\fR
394 395 .ad
↓ open down ↓ |
210 lines elided |
↑ open up ↑ |
395 396 .sp .6
396 397 .RS 4n
397 398 Specifies whether authentication by means of the "keyboard-interactive"
398 399 authentication method (and PAM) is allowed. Defaults to \fByes\fR. (Deprecated:
399 400 this parameter can only be set to \fByes\fR.)
400 401 .RE
401 402
402 403 .sp
403 404 .ne 2
404 405 .na
405 -\fB\fBKeepAlive\fR\fR
406 +\fB\fBTCPKeepAlive\fR\fR
406 407 .ad
407 408 .sp .6
408 409 .RS 4n
409 410 Specifies whether the system should send keepalive messages to the other side.
410 411 If they are sent, death of the connection or crash of one of the machines is
411 412 properly noticed. However, this means that connections die if the route is down
412 413 temporarily, which can be an annoyance. On the other hand, if keepalives are
413 414 not sent, sessions can hang indefinitely on the server, leaving ghost users and
414 415 consuming server resources.
415 416 .sp
416 417 The default is \fByes\fR (to send keepalives), and the server notices if the
417 418 network goes down or the client host reboots. This avoids infinitely hanging
418 419 sessions.
419 420 .sp
420 421 To disable keepalives, the value should be set to \fBno\fR in both the server
421 422 and the client configuration files.
422 423 .RE
423 424
424 425 .sp
425 426 .ne 2
426 427 .na
427 428 \fB\fBKeyRegenerationInterval\fR\fR
428 429 .ad
429 430 .sp .6
430 431 .RS 4n
431 432 In protocol version 1, the ephemeral server key is automatically regenerated
432 433 after this many seconds (if it has been used). The purpose of regeneration is
433 434 to prevent decrypting captured sessions by later breaking into the machine and
434 435 stealing the keys. The key is never stored anywhere. If the value is 0, the key
435 436 is never regenerated. The default is 3600 (seconds).
436 437 .RE
437 438
438 439 .sp
439 440 .ne 2
440 441 .na
441 442 \fB\fBListenAddress\fR\fR
442 443 .ad
443 444 .sp .6
444 445 .RS 4n
445 446 Specifies what local address \fBsshd\fR should listen on. The following forms
446 447 can be used:
447 448 .sp
448 449 .in +2
449 450 .nf
450 451 ListenAddress \fIhost\fR|\fIIPv4_addr\fR|\fIIPv6_addr\fR
451 452 ListenAddress \fIhost\fR|\fIIPv4_addr\fR:\fIport\fR
452 453 ListenAddress [\fIhost\fR|\fIIPv6_addr\fR]:\fIport\fR
453 454 .fi
454 455 .in -2
455 456
456 457 If \fIport\fR is not specified, \fBsshd\fR listens on the address and all prior
457 458 \fBPort\fR options specified. The default is to listen on all local addresses.
458 459 Multiple \fBListenAddress\fR options are permitted. Additionally, any
459 460 \fBPort\fR options must precede this option for non-port qualified addresses.
460 461 .sp
461 462 The default is to listen on all local addresses. Multiple options of this type
462 463 are permitted. Additionally, the \fBPorts\fR options must precede this option.
463 464 .RE
464 465
465 466 .sp
466 467 .ne 2
467 468 .na
468 469 \fB\fBLoginGraceTime\fR\fR
469 470 .ad
470 471 .sp .6
471 472 .RS 4n
472 473 The server disconnects after this time (in seconds) if the user has not
473 474 successfully logged in. If the value is 0, there is no time limit. The default
474 475 is 120 (seconds).
475 476 .RE
476 477
477 478 .sp
478 479 .ne 2
479 480 .na
480 481 \fB\fBLogLevel\fR\fR
481 482 .ad
482 483 .sp .6
483 484 .RS 4n
484 485 Gives the verbosity level that is used when logging messages from \fBsshd\fR.
485 486 The possible values are: \fBQUIET\fR, \fBFATAL\fR, \fBERROR\fR, \fBINFO\fR,
486 487 \fBVERBOSE\fR, \fBDEBUG\fR, \fBDEBUG1\fR, \fBDEBUG2\fR, and \fBDEBUG3\fR. The
487 488 default is \fBINFO\fR. DEBUG2 and DEBUG3 each specify higher levels of
488 489 debugging output. Logging with level \fBDEBUG\fR violates the privacy of users
489 490 and is not recommended.
490 491 .RE
491 492
492 493 .sp
493 494 .ne 2
494 495 .na
495 496 \fB\fBLookupClientHostnames\fR\fR
496 497 .ad
497 498 .sp .6
498 499 .RS 4n
499 500 Specifies whether or not to lookup the names of client's addresses. Defaults to
500 501 yes.
501 502 .RE
502 503
503 504 .sp
504 505 .ne 2
505 506 .na
506 507 \fBMACs\fR
507 508 .ad
508 509 .sp .6
509 510 .RS 4n
510 511 Specifies the available MAC (message authentication code) algorithms. The MAC
511 512 algorithm is used in protocol version 2 for data integrity protection. Multiple
512 513 algorithms must be comma-separated. The default is
513 514 \fBhmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96\fR.
514 515 .RE
515 516
516 517 .sp
517 518 .ne 2
518 519 .na
519 520 \fB\fBMaxStartups\fR\fR
520 521 .ad
521 522 .sp .6
522 523 .RS 4n
523 524 Specifies the maximum number of concurrent unauthenticated connections to the
524 525 \fBsshd\fR daemon. Additional connections are dropped until authentication
525 526 succeeds or the \fBLoginGraceTime\fR expires for a connection. The default is
526 527 \fB10\fR.
527 528 .sp
528 529 Alternatively, random early drop can be enabled by specifying the three
529 530 colon-separated values \fB\fIstart\fR:\fIrate\fR:\fIfull\fR\fR (for example,
530 531 \fB10:30:60\fR). Referring to this example, \fBsshd\fR refuse connection
531 532 attempts with a probability of \fIrate\fR/100 (30% in our example) if there are
532 533 currently 10 (from the \fIstart\fR field) unauthenticated connections. The
533 534 probability increases linearly and all connection attempts are refused if the
534 535 number of unauthenticated connections reaches \fIfull\fR (60 in our example).
535 536 .RE
536 537
537 538 .sp
538 539 .ne 2
539 540 .na
540 541 \fB\fBPasswordAuthentication\fR\fR
541 542 .ad
542 543 .sp .6
543 544 .RS 4n
544 545 Specifies whether password authentication is allowed. The default is \fByes\fR.
545 546 This option applies to both protocol versions 1 and 2.
546 547 .RE
547 548
548 549 .sp
549 550 .ne 2
550 551 .na
551 552 \fB\fBPermitEmptyPasswords\fR\fR
552 553 .ad
553 554 .sp .6
554 555 .RS 4n
555 556 When password or keyboard-interactive authentication is allowed, it specifies
556 557 whether the server allows login to accounts with empty password strings.
557 558 .sp
558 559 If not set then the \fB/etc/default/login\fR \fBPASSREQ\fR value is used
559 560 instead.
560 561 .sp
561 562 \fBPASSREQ=no\fR is equivalent to \fBPermitEmptyPasswords yes\fR.
562 563 \fBPASSREQ=yes\fR is equivalent to \fBPermitEmptyPasswords no\fR. If neither
563 564 \fBPermitEmptyPasswords\fR or \fBPASSREQ\fR are set the default is \fBno\fR.
564 565 .RE
565 566
566 567 .sp
567 568 .ne 2
568 569 .na
569 570 \fB\fBPermitRootLogin\fR\fR
570 571 .ad
571 572 .sp .6
572 573 .RS 4n
573 574 Specifies whether the root can log in using \fBssh\fR(1). The argument must be
574 575 \fByes\fR, \fBwithout-password\fR, \fBforced-commands-only\fR, or \fBno\fR.
575 576 \fBwithout-password\fR means that root cannot be authenticated using the
576 577 "password" or "keyboard-interactive" methods (see description of
577 578 \fBKbdInteractiveAuthentication\fR). \fBforced-commands-only\fR means that
578 579 authentication is allowed only for \fBpublickey\fR (for SSHv2, or RSA, for
579 580 SSHv1) and only if the matching \fBauthorized_keys entry\fR for root has a
580 581 \fBcommand=\fR\fI<cmd>\fR option.
581 582 .sp
582 583 In Solaris, the default \fB/etc/ssh/sshd_config\fR file is shipped with
583 584 \fBPermitRootLogin\fR set to \fBno\fR. If unset by the administrator, then
584 585 \fBCONSOLE\fR parameter from \fB/etc/default/login\fR supplies the default
585 586 value as follows: if the \fBCONSOLE\fR parameter is not commented out (it can
586 587 even be empty, that is, "\fBCONSOLE=\fR"), then \fBwithout-password\fR is used
587 588 as default value. If \fBCONSOLE\fR is commented out, then the default for
588 589 \fBPermitRootLogin\fR is \fByes\fR.
589 590 .sp
590 591 The \fBwithout-password\fR and \fBforced-commands-only\fR settings are useful
591 592 for, for example, performing remote administration and backups using trusted
592 593 public keys for authentication of the remote client, without allowing access to
593 594 the root account using passwords.
594 595 .RE
595 596
596 597 .sp
597 598 .ne 2
598 599 .na
599 600 \fB\fBPermitUserEnvironment\fR\fR
600 601 .ad
601 602 .sp .6
602 603 .RS 4n
603 604 Specifies whether a user's \fB~/.ssh/environment\fR on the server side and
604 605 \fBenvironment\fR options in the \fBAuthorizedKeysFile\fR file are processed by
605 606 \fBsshd\fR. The default is \fBno\fR. Enabling environment processing can enable
606 607 users to bypass access restrictions in some configurations using mechanisms
607 608 such as \fBLD_PRELOAD\fR.
608 609 .sp
609 610 Environment setting from a relevant entry in \fBAuthorizedKeysFile\fR file is
610 611 processed only if the user was authenticated using the public key
611 612 authentication method. Of the two files used, values of variables set in
612 613 \fB~/.ssh/environment\fR are of higher priority.
613 614 .RE
614 615
615 616 .sp
616 617 .ne 2
617 618 .na
618 619 \fB\fBPidFile\fR\fR
619 620 .ad
620 621 .sp .6
621 622 .RS 4n
622 623 Allows you to specify an alternative to \fB/var/run/sshd.pid\fR, the default
623 624 file for storing the PID of the \fBsshd\fR listening for connections. See
624 625 \fBsshd\fR(1M).
625 626 .RE
626 627
627 628 .sp
628 629 .ne 2
629 630 .na
630 631 \fB\fBPort\fR\fR
631 632 .ad
632 633 .sp .6
633 634 .RS 4n
634 635 Specifies the port number that \fBsshd\fR listens on. The default is 22.
635 636 Multiple options of this type are permitted. See also \fBListenAddress\fR.
636 637 .RE
637 638
638 639 .sp
639 640 .ne 2
640 641 .na
641 642 \fB\fBPrintLastLog\fR\fR
642 643 .ad
643 644 .sp .6
644 645 .RS 4n
645 646 Specifies whether \fBsshd\fR should display the date and time when the user
646 647 last logged in. The default is \fByes\fR.
647 648 .RE
648 649
649 650 .sp
650 651 .ne 2
651 652 .na
652 653 \fB\fBPrintMotd\fR\fR
653 654 .ad
654 655 .sp .6
655 656 .RS 4n
656 657 Specifies whether \fBsshd\fR should display the contents of \fB/etc/motd\fR
657 658 when a user logs in interactively. (On some systems it is also displayed by the
658 659 shell or a shell startup file, such as \fB/etc/profile\fR.) The default is
659 660 \fByes\fR.
660 661 .RE
661 662
662 663 .sp
663 664 .ne 2
664 665 .na
665 666 \fB\fBProtocol\fR\fR
666 667 .ad
667 668 .sp .6
668 669 .RS 4n
669 670 Specifies the protocol versions \fBsshd\fR should support in order of
670 671 preference. The possible values are \fB1\fR and \fB2\fR. Multiple versions must
671 672 be comma-separated. The default is \fB2,1\fR. This means that \fBssh\fR tries
672 673 version 2 and falls back to version 1 if version 2 is not available.
673 674 .RE
674 675
675 676 .sp
676 677 .ne 2
677 678 .na
678 679 \fB\fBPubkeyAuthentication\fR\fR
679 680 .ad
680 681 .sp .6
681 682 .RS 4n
682 683 Specifies whether public key authentication is allowed. The default is
683 684 \fByes\fR. This option applies to protocol version 2 only.
684 685 .RE
685 686
686 687 .sp
687 688 .ne 2
688 689 .na
689 690 \fB\fBRhostsAuthentication\fR\fR
690 691 .ad
691 692 .sp .6
692 693 .RS 4n
693 694 Specifies whether authentication using \fBrhosts\fR or \fB/etc/hosts.equiv\fR
694 695 files is sufficient. Normally, this method should not be permitted because it
695 696 is insecure. \fBRhostsRSAAuthentication\fR should be used instead, because it
696 697 performs RSA-based host authentication in addition to normal \fBrhosts\fR or
697 698 \fB/etc/hosts.equiv\fR authentication. The default is \fBno\fR. This parameter
698 699 applies only to protocol version 1.
699 700 .RE
700 701
701 702 .sp
702 703 .ne 2
703 704 .na
704 705 \fB\fBRhostsRSAAuthentication\fR\fR
705 706 .ad
706 707 .sp .6
707 708 .RS 4n
708 709 Specifies whether \fBrhosts\fR or \fB/etc/hosts.equiv\fR authentication
709 710 together with successful RSA host authentication is allowed. The default is
710 711 \fBno\fR. This parameter applies only to protocol version 1.
711 712 .RE
712 713
713 714 .sp
714 715 .ne 2
715 716 .na
716 717 \fB\fBRSAAuthentication\fR\fR
717 718 .ad
718 719 .sp .6
719 720 .RS 4n
720 721 Specifies whether pure RSA authentication is allowed. The default is \fByes\fR.
721 722 This option applies to protocol version 1 only.
722 723 .RE
723 724
724 725 .sp
725 726 .ne 2
726 727 .na
727 728 \fB\fBServerKeyBits\fR\fR
728 729 .ad
729 730 .sp .6
730 731 .RS 4n
731 732 Defines the number of bits in the ephemeral protocol version 1 server key. The
732 733 minimum value is 512, and the default is 768.
733 734 .RE
734 735
735 736 .sp
736 737 .ne 2
737 738 .na
738 739 \fB\fBStrictModes\fR\fR
739 740 .ad
740 741 .sp .6
741 742 .RS 4n
742 743 Specifies whether \fBsshd\fR should check file modes and ownership of the
743 744 user's files and home directory before accepting login. This is normally
744 745 desirable because novices sometimes accidentally leave their directory or files
745 746 world-writable. The default is \fByes\fR.
746 747 .RE
747 748
748 749 .sp
749 750 .ne 2
750 751 .na
751 752 \fB\fBSubsystem\fR\fR
752 753 .ad
753 754 .sp .6
754 755 .RS 4n
755 756 Configures an external subsystem (for example, a file transfer daemon).
756 757 Arguments should be a subsystem name and a command to execute upon subsystem
757 758 request. The command \fBsftp-server\fR(1M) implements the \fBsftp\fR file
758 759 transfer subsystem.
759 760 .sp
760 761 Alternately, the name \fBinternal-sftp\fR implements an in-process \fBsftp\fR
761 762 server. This can simplify configurations using \fBChrootDirectory\fR to force a
762 763 different filesystem root on clients.
763 764 .sp
764 765 By default, no subsystems are defined. This option applies to protocol version
765 766 2 only.
766 767 .RE
767 768
768 769 .sp
769 770 .ne 2
770 771 .na
771 772 \fB\fBSyslogFacility\fR\fR
772 773 .ad
773 774 .sp .6
774 775 .RS 4n
775 776 Gives the facility code that is used when logging messages from \fBsshd\fR. The
776 777 possible values are: \fBDAEMON\fR, \fBUSER\fR, \fBAUTH\fR, \fBLOCAL0\fR,
777 778 \fBLOCAL1\fR, \fBLOCAL2\fR, \fBLOCAL3\fR, \fBLOCAL4\fR, \fBLOCAL5\fR,
778 779 \fBLOCAL6\fR, and \fBLOCAL7\fR. The default is \fBAUTH\fR.
779 780 .RE
780 781
781 782 .sp
782 783 .ne 2
783 784 .na
784 785 \fB\fBUseOpenSSLEngine\fR\fR
785 786 .ad
786 787 .sp .6
787 788 .RS 4n
788 789 Specifies whether \fBsshd\fR should use the OpenSSL PKCS#11 engine for
789 790 offloading cryptographic operations to the Cryptographic Framework.
790 791 Cryptographic operations are accelerated according to the available installed
791 792 plug-ins. When no suitable plug-ins are present this option does not have an
792 793 effect. The default is \fByes\fR.
793 794 .RE
794 795
795 796 .sp
796 797 .ne 2
797 798 .na
798 799 \fB\fBVerifyReverseMapping\fR\fR
799 800 .ad
800 801 .sp .6
801 802 .RS 4n
802 803 Specifies whether \fBsshd\fR should try to verify the remote host name and
803 804 check that the resolved host name for the remote IP address maps back to the
804 805 very same IP address. (A \fByes\fR setting means "verify".) Setting this
805 806 parameter to \fBno\fR can be useful where DNS servers might be down and thus
806 807 cause \fBsshd\fR to spend much time trying to resolve the client's IP address
807 808 to a name. This feature is useful for Internet-facing servers. The default is
808 809 \fBno\fR.
809 810 .RE
810 811
811 812 .sp
812 813 .ne 2
813 814 .na
814 815 \fB\fBX11DisplayOffset\fR\fR
815 816 .ad
816 817 .sp .6
817 818 .RS 4n
818 819 Specifies the first display number available for \fBsshd\fR's X11 forwarding.
819 820 This prevents \fBsshd\fR from interfering with real X11 servers. The default is
820 821 10.
821 822 .RE
822 823
823 824 .sp
824 825 .ne 2
825 826 .na
826 827 \fB\fBX11Forwarding\fR\fR
827 828 .ad
828 829 .sp .6
829 830 .RS 4n
830 831 Specifies whether X11 forwarding is permitted. The default is \fByes\fR.
831 832 Disabling X11 forwarding does not improve security in any way, as users can
832 833 always install their own forwarders.
833 834 .sp
834 835 When X11 forwarding is enabled, there can be additional exposure to the server
835 836 and to client displays if the \fBsshd\fR proxy display is configured to listen
836 837 on the wildcard address (see \fBX11UseLocalhost\fR). However, this is not the
837 838 default. Additionally, the authentication spoofing and authentication data
838 839 verification and substitution occur on the client side. The security risk of
839 840 using X11 forwarding is that the client's X11 display server can be exposed to
840 841 attack when the \fBssh\fR client requests forwarding (see the warnings for
841 842 \fBForwardX11\fR in \fBssh_config\fR(4)). A system administrator who wants to
842 843 protect clients that expose themselves to attack by unwittingly requesting X11
843 844 forwarding, should specify a \fBno\fR setting.
844 845 .sp
845 846 Disabling X11 forwarding does not prevent users from forwarding X11 traffic, as
846 847 users can always install their own forwarders.
847 848 .RE
848 849
849 850 .sp
850 851 .ne 2
851 852 .na
852 853 \fB\fBX11UseLocalhost\fR\fR
853 854 .ad
854 855 .sp .6
855 856 .RS 4n
856 857 Specifies whether \fBsshd\fR should bind the X11 forwarding server to the
857 858 loopback address or to the wildcard address. By default, \fBsshd\fR binds the
858 859 forwarding server to the loopback address and sets the hostname part of the
859 860 \fBDISPLAY\fR environment variable to \fBlocalhost\fR. This prevents remote
860 861 hosts from connecting to the proxy display. However, some older X11 clients
861 862 might not function with this configuration. \fBX11UseLocalhost\fR can be set to
862 863 \fBno\fR to specify that the forwarding server should be bound to the wildcard
863 864 address. The argument must be \fByes\fR or \fBno\fR. The default is \fByes\fR.
864 865 .RE
865 866
866 867 .sp
867 868 .ne 2
868 869 .na
869 870 \fB\fBXAuthLocation\fR\fR
870 871 .ad
871 872 .sp .6
872 873 .RS 4n
873 874 Specifies the location of the \fBxauth\fR(1) program. The default is
874 875 \fB/usr/X11/bin/xauth\fR and \fBsshd\fR attempts to open it when X11 forwarding
875 876 is enabled.
876 877 .RE
877 878
878 879 .SS "Time Formats"
879 880 .sp
880 881 .LP
881 882 \fBsshd\fR command-line arguments and configuration file options that specify
882 883 time can be expressed using a sequence of the form:
883 884 \fItime\fR[\fIqualifier\fR,] where \fItime\fR is a positive integer value and
884 885 \fIqualifier\fR is one of the following:
885 886 .sp
886 887 .ne 2
887 888 .na
888 889 \fB\fI<none>\fR\fR
889 890 .ad
890 891 .RS 10n
891 892 seconds
892 893 .RE
893 894
894 895 .sp
895 896 .ne 2
896 897 .na
897 898 \fB\fBs\fR | \fBS\fR\fR
898 899 .ad
899 900 .RS 10n
900 901 seconds
901 902 .RE
902 903
903 904 .sp
904 905 .ne 2
905 906 .na
906 907 \fB\fBm\fR | \fBM\fR\fR
907 908 .ad
908 909 .RS 10n
909 910 minutes
910 911 .RE
911 912
912 913 .sp
913 914 .ne 2
914 915 .na
915 916 \fB\fBh\fR | \fBH\fR\fR
916 917 .ad
917 918 .RS 10n
918 919 hours
919 920 .RE
920 921
921 922 .sp
922 923 .ne 2
923 924 .na
924 925 \fB\fBd\fR | \fBD\fR\fR
925 926 .ad
926 927 .RS 10n
927 928 days
928 929 .RE
929 930
930 931 .sp
931 932 .ne 2
932 933 .na
933 934 \fB\fBw\fR | \fB\fR\fR
934 935 .ad
935 936 .RS 10n
936 937 weeks
937 938 .RE
938 939
939 940 .sp
940 941 .LP
941 942 Each element of the sequence is added together to calculate the total time
942 943 value. For example:
943 944 .sp
944 945 .ne 2
945 946 .na
946 947 \fB\fB600\fR\fR
947 948 .ad
948 949 .RS 9n
949 950 600 seconds (10 minutes)
950 951 .RE
951 952
952 953 .sp
953 954 .ne 2
954 955 .na
955 956 \fB\fB10m\fR\fR
956 957 .ad
957 958 .RS 9n
958 959 10 minutes
959 960 .RE
960 961
961 962 .sp
962 963 .ne 2
963 964 .na
964 965 \fB\fB1h30m\fR\fR
965 966 .ad
966 967 .RS 9n
967 968 1 hour, 30 minutes (90 minutes)
968 969 .RE
969 970
970 971 .SH FILES
971 972 .sp
972 973 .ne 2
973 974 .na
974 975 \fB\fB/etc/ssh/sshd_config\fR\fR
975 976 .ad
976 977 .RS 24n
977 978 Contains configuration data for \fBsshd\fR. This file should be writable by
978 979 root only, but it is recommended (though not necessary) that it be
979 980 world-readable.
980 981 .RE
981 982
982 983 .SH ATTRIBUTES
983 984 .sp
984 985 .LP
985 986 See \fBattributes\fR(5) for descriptions of the following attributes:
986 987 .sp
987 988
988 989 .sp
989 990 .TS
990 991 box;
991 992 c | c
992 993 l | l .
993 994 ATTRIBUTE TYPE ATTRIBUTE VALUE
994 995 _
995 996 Interface Stability Uncommitted
996 997 .TE
997 998
998 999 .SH SEE ALSO
999 1000 .sp
1000 1001 .LP
1001 1002 \fBlogin\fR(1), \fBsshd\fR(1M), \fBchroot\fR(2), \fBssh_config\fR(4),
1002 1003 \fBattributes\fR(5), \fBkerberos\fR(5)
1003 1004 .SH AUTHORS
1004 1005 .sp
1005 1006 .LP
1006 1007 OpenSSH is a derivative of the original and free \fBssh\fR 1.2.12 release by
1007 1008 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de
1008 1009 Raadt, and Dug Song removed many bugs, re-added recent features, and created
1009 1010 OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5
1010 1011 and 2.0. Niels Provos and Markus Friedl contributed support for privilege
1011 1012 separation.
↓ open down ↓ |
596 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX