sshd_config.5 50.6 KB
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose.  Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.282 2018/09/20 03:28:06 djm Exp $
.Dd $Mdocdate: September 20 2018 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
.Nm sshd_config
.Nd OpenSSH SSH daemon configuration file
.Sh DESCRIPTION
.Xr sshd 8
reads configuration data from
.Pa /etc/ssh/sshd_config
(or the file specified with
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
For each keyword, the first obtained value will be used.
Lines starting with
.Ql #
and empty lines are interpreted as comments.
Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
.It Cm AcceptEnv
Specifies what environment variables sent by the client will be copied into
the session's
.Xr environ 7 .
See
.Cm SendEnv
and
.Cm SetEnv
in
.Xr ssh_config 5
for how to configure the client.
The
.Ev TERM
environment variable is always accepted whenever the client
requests a pseudo-terminal as it is required by the protocol.
Variables are specified by name, which may contain the wildcard characters
.Ql *
and
.Ql \&? .
Multiple environment variables may be separated by whitespace or spread
across multiple
.Cm AcceptEnv
directives.
Be warned that some environment variables could be used to bypass restricted
user environments.
For this reason, care should be taken in the use of this directive.
The default is not to accept any environment variables.
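.Pp
The fragment below is an added example and not part of the OpenSSH manual; it shows a narrow AcceptEnv list beside the setting to avoid. The variable names are illustrative.

```sshd_config
# Accept only what sessions actually need. Each name is a pattern, so LC_*
# covers the whole locale family; nothing else from the client reaches environ(7).
AcceptEnv LANG LC_*

# Avoid this: a bare wildcard lets the client set any variable, including ones
# that change how the login shell or the dynamic loader behaves (for example
# BASH_ENV or LD_PRELOAD), which is exactly how a ForceCommand or a restricted
# shell gets bypassed.
#AcceptEnv *
```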
.It Cm AddressFamily
Specifies which address family should be used by
.Xr sshd 8 .
Valid arguments are
.Cm any
(the default),
.Cm inet
(use IPv4 only), or
.Cm inet6
(use IPv6 only).
.It Cm AllowAgentForwarding
Specifies whether
.Xr ssh-agent 1
forwarding is permitted.
The default is
.Cm yes .
Note that disabling agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
If specified, login is allowed only for users whose primary
group or supplementary group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm AllowStreamLocalForwarding
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
The available options are
.Cm yes
(the default)
or
.Cm all
to allow StreamLocal forwarding,
.Cm no
to prevent all StreamLocal forwarding,
.Cm local
to allow local (from the perspective of
.Xr ssh 1 )
forwarding only or
.Cm remote
to allow remote forwarding only.
Note that disabling StreamLocal forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The available options are
.Cm yes
(the default)
or
.Cm all
to allow TCP forwarding,
.Cm no
to prevent all TCP forwarding,
.Cm local
to allow local (from the perspective of
.Xr ssh 1 )
forwarding only or
.Cm remote
to allow remote forwarding only.
Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
If specified, login is allowed only for user names that
match one of the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
HOST criteria may additionally contain addresses to match in CIDR
address/masklen format.
The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm AuthenticationMethods
Specifies the authentication methods that must be successfully completed
for a user to be granted access.
This option must be followed by one or more lists of comma-separated
authentication method names, or by the single string
.Cm any
to indicate the default behaviour of accepting any single authentication
method.
If the default is overridden, then successful authentication requires
completion of every method in at least one of these lists.
.Pp
For example,
.Qq publickey,password publickey,keyboard-interactive
would require the user to complete public key authentication, followed by
either password or keyboard interactive authentication.
Only methods that are next in one or more lists are offered at each stage,
so for this example it would not be possible to attempt password or
keyboard-interactive authentication before public key.
.Pp
For keyboard interactive authentication it is also possible to
restrict authentication to a specific device by appending a
colon followed by the device identifier
.Cm bsdauth
or
.Cm pam .
depending on the server configuration.
For example,
.Qq keyboard-interactive:bsdauth
would restrict keyboard interactive authentication to the
.Cm bsdauth
device.
.Pp
If the publickey method is listed more than once,
.Xr sshd 8
verifies that keys that have been used successfully are not reused for
subsequent authentications.
For example,
.Qq publickey,publickey
requires successful authentication using two different public keys.
.Pp
Note that each authentication method listed should also be explicitly enabled
in the configuration.
.Pp
The available authentication methods are:
.Qq gssapi-with-mic ,
.Qq hostbased ,
.Qq keyboard-interactive ,
.Qq none
(used for access to password-less accounts when
.Cm PermitEmptyPasswords
is enabled),
.Qq password
and
.Qq publickey .
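.Pp
The following configuration is an added example and not part of the OpenSSH manual. It shows AuthenticationMethods used for key-plus-second-factor logins together with the per-method enables the text above requires. The user, group and subnet names are assumptions, and Match blocks are described later in this page.

```sshd_config
# Every method named in AuthenticationMethods must also be enabled on its own
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no

# Interactive users: a key first, then a second factor over keyboard-interactive.
# Only publickey is offered until it succeeds, so the PAM prompt is never
# reachable by guessing alone. What the PAM stack asks for (an OTP module rather
# than the account password) is PAM configuration, not sshd_config.
AuthenticationMethods publickey,keyboard-interactive:pam

# A deployment account reached only from the CI subnet: a single key is enough
Match User deploy Address 10.20.0.0/24
    AuthenticationMethods publickey

# Break-glass admins: two different keys (for example a hardware token plus an
# offline backup key); sshd refuses to count the same key twice
Match Group breakglass
    AuthenticationMethods publickey,publickey
```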
.It Cm AuthorizedKeysCommand
Specifies a program to be used to look up the user's public keys.
The program must be owned by root, not writable by group or others and
specified by an absolute path.
Arguments to
.Cm AuthorizedKeysCommand
accept the tokens described in the
.Sx TOKENS
section.
If no arguments are specified then the username of the target user is used.
.Pp
The program should produce on standard output zero or
more lines of authorized_keys output (see
.Sx AUTHORIZED_KEYS
in
.Xr sshd 8 ) .
If a key supplied by
.Cm AuthorizedKeysCommand
does not successfully authenticate
and authorize the user then public key authentication continues using the usual
.Cm AuthorizedKeysFile
files.
By default, no
.Cm AuthorizedKeysCommand
is run.
.It Cm AuthorizedKeysCommandUser
Specifies the user under whose account the
.Cm AuthorizedKeysCommand
is run.
It is recommended to use a dedicated user that has no other role on the host
than running authorized keys commands.
If
.Cm AuthorizedKeysCommand
is specified but
.Cm AuthorizedKeysCommandUser
is not, then
.Xr sshd 8
will refuse to start.
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys used for user authentication.
The format is described in the
.Sx AUTHORIZED_KEYS FILE FORMAT
section of
.Xr sshd 8 .
Arguments to
.Cm AuthorizedKeysFile
accept the tokens described in the
.Sx TOKENS
section.
After expansion,
.Cm AuthorizedKeysFile
is taken to be an absolute path or one relative to the user's home
directory.
Multiple files may be listed, separated by whitespace.
Alternately this option may be set to
.Cm none
to skip checking for user keys in files.
The default is
.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
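.Pp
The fragment below is an added example, not part of the OpenSSH manual, tying together AuthorizedKeysCommand, AuthorizedKeysCommandUser and AuthorizedKeysFile so that a central key store is authoritative. The program path, the lookup account and the rescue user are assumptions.

```sshd_config
# Look keys up in a central store instead of per-user files. The program must
# be root-owned, not writable by group or others, and given by absolute path.
# %u is the target user; %t and %k pass the offered key type and base64 key so
# the lookup can be exact (see the TOKENS section). Its output is ordinary
# authorized_keys lines, options included, for example:
#     restrict,from="10.0.0.0/8" ssh-ed25519 <base64 key> alice@laptop
AuthorizedKeysCommand /usr/local/sbin/ssh-key-lookup %u %t %k

# Runs as a dedicated account with no other role; without this line sshd
# refuses to start
AuthorizedKeysCommandUser ssh-keylookup

# Make the command authoritative: a key it rejects is otherwise retried
# against the user's own files, which would let users add keys the store
# never issued
AuthorizedKeysFile none

# A local rescue account keeps a root-owned key file outside $HOME
Match User rescue
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
```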
.It Cm AuthorizedPrincipalsCommand
Specifies a program to be used to generate the list of allowed
certificate principals as per
.Cm AuthorizedPrincipalsFile .
The program must be owned by root, not writable by group or others and
specified by an absolute path.
Arguments to
.Cm AuthorizedPrincipalsCommand
accept the tokens described in the
.Sx TOKENS
section.
If no arguments are specified then the username of the target user is used.
.Pp
The program should produce on standard output zero or
more lines of
.Cm AuthorizedPrincipalsFile
output.
If either
.Cm AuthorizedPrincipalsCommand
or
.Cm AuthorizedPrincipalsFile
is specified, then certificates offered by the client for authentication
must contain a principal that is listed.
By default, no
.Cm AuthorizedPrincipalsCommand
is run.
.It Cm AuthorizedPrincipalsCommandUser
Specifies the user under whose account the
.Cm AuthorizedPrincipalsCommand
is run.
It is recommended to use a dedicated user that has no other role on the host
than running authorized principals commands.
If
.Cm AuthorizedPrincipalsCommand
is specified but
.Cm AuthorizedPrincipalsCommandUser
is not, then
.Xr sshd 8
will refuse to start.
.It Cm AuthorizedPrincipalsFile
Specifies a file that lists principal names that are accepted for
certificate authentication.
When using certificates signed by a key listed in
.Cm TrustedUserCAKeys ,
this file lists names, one of which must appear in the certificate for it
to be accepted for authentication.
Names are listed one per line preceded by key options (as described in
.Sx AUTHORIZED_KEYS FILE FORMAT
in
.Xr sshd 8 ) .
Empty lines and comments starting with
.Ql #
are ignored.
.Pp
Arguments to
.Cm AuthorizedPrincipalsFile
accept the tokens described in the
.Sx TOKENS
section.
After expansion,
.Cm AuthorizedPrincipalsFile
is taken to be an absolute path or one relative to the user's home directory.
The default is
.Cm none ,
i.e. not to use a principals file \(en in this case, the username
of the user must appear in a certificate's principals list for it to be
accepted.
.Pp
Note that
.Cm AuthorizedPrincipalsFile
is only used when authentication proceeds using a CA listed in
.Cm TrustedUserCAKeys
and is not consulted for certification authorities trusted via
.Pa ~/.ssh/authorized_keys ,
though the
.Cm principals=
key option offers a similar facility (see
.Xr sshd 8
for details).
.It Cm Banner
The contents of the specified file are sent to the remote user before
authentication is allowed.
If the argument is
.Cm none
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
The default is:
.Bd -literal -offset indent
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
.Ed
.Pp
Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
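.Pp
The following configuration is an added example and not part of the OpenSSH manual. It shows certificate-based user authentication with TrustedUserCAKeys, a root-owned AuthorizedPrincipalsFile per user, a restricted CASignatureAlgorithms list, and AuthorizedPrincipalsCommand for one group. The CA file, the principals directory, the lookup program and the group name are assumptions.

```sshd_config
# Accept user certificates signed by this CA (one public key per line)
TrustedUserCAKeys /etc/ssh/user_ca.pub

# Refuse certificates whose CA signature uses SHA-1 RSA (ssh-rsa); the other
# default algorithms stay available
CASignatureAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

# Principals files live under /etc, owned by root, so users cannot edit them.
# /etc/ssh/principals/alice lists, one per line, the principal names a
# certificate must carry to log in as alice, optionally with key options:
#     alice
#     restrict,command="/usr/bin/rsync --server --sender . /srv/data" backup-pull
AuthorizedPrincipalsFile /etc/ssh/principals/%u

# For one group, resolve principals dynamically instead. The program must be
# root-owned, not writable by group or others, and given by absolute path;
# it runs as the dedicated account named here or sshd refuses to start.
Match Group ops
    AuthorizedPrincipalsCommand /usr/local/sbin/ssh-principals %u
    AuthorizedPrincipalsCommandUser ssh-lookup
```

Without any AuthorizedPrincipalsFile or AuthorizedPrincipalsCommand, a certificate is accepted only if the target user name itself appears in its principals list, which ties every certificate to one account name.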
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM).
The default is
.Cm yes .
.It Cm ChrootDirectory
Specifies the pathname of a directory to
.Xr chroot 2
to after authentication.
At session startup
.Xr sshd 8
checks that all components of the pathname are root-owned directories
which are not writable by any other user or group.
After the chroot,
.Xr sshd 8
changes the working directory to the user's home directory.
Arguments to
.Cm ChrootDirectory
accept the tokens described in the
.Sx TOKENS
section.
.Pp
The
.Cm ChrootDirectory
must contain the necessary files and directories to support the
user's session.
For an interactive session this requires at least a shell, typically
.Xr sh 1 ,
and basic
.Pa /dev
nodes such as
.Xr null 4 ,
.Xr zero 4 ,
.Xr stdin 4 ,
.Xr stdout 4 ,
.Xr stderr 4 ,
and
.Xr tty 4
devices.
For file transfer sessions using SFTP
no additional configuration of the environment is necessary if the in-process
sftp-server is used,
though sessions which use logging may require
.Pa /dev/log
inside the chroot directory on some operating systems (see
.Xr sftp-server 8
for details).
.Pp
For safety, it is very important that the directory hierarchy be
prevented from modification by other processes on the system (especially
those outside the jail).
Misconfiguration can lead to unsafe environments which
.Xr sshd 8
cannot detect.
.Pp
The default is
.Cm none ,
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
Specifies the ciphers allowed.
Multiple ciphers must be comma-separated.
If the specified value begins with a
.Sq +
character, then the specified ciphers will be appended to the default set
instead of replacing them.
If the specified value begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
from the default set instead of replacing them.
.Pp
The supported ciphers are:
.Pp
.Bl -item -compact -offset indent
.It
3des-cbc
.It
aes128-cbc
.It
aes192-cbc
.It
aes256-cbc
.It
aes128-ctr
.It
aes192-ctr
.It
aes256-ctr
.It
aes128-gcm@openssh.com
.It
aes256-gcm@openssh.com
.It
chacha20-poly1305@openssh.com
.El
.Pp
The default is:
.Bd -literal -offset indent
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com
.Ed
.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
Sets the number of client alive messages which may be sent without
.Xr sshd 8
receiving any messages back from the client.
If this threshold is reached while client alive messages are being sent,
sshd will disconnect the client, terminating the session.
It is important to note that the use of client alive messages is very
different from
.Cm TCPKeepAlive .
The client alive messages are sent through the encrypted channel
and therefore will not be spoofable.
The TCP keepalive option enabled by
.Cm TCPKeepAlive
is spoofable.
The client alive mechanism is valuable when the client or
server depend on knowing when a connection has become inactive.
.Pp
The default value is 3.
If
.Cm ClientAliveInterval
is set to 15, and
.Cm ClientAliveCountMax
is left at the default, unresponsive SSH clients
will be disconnected after approximately 45 seconds.
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
.Xr sshd 8
will send a message through the encrypted
channel to request a response from the client.
The default
is 0, indicating that these messages will not be sent to the client.
.It Cm Compression
Specifies whether compression is enabled after
the user has authenticated successfully.
The argument must be
.Cm yes ,
.Cm delayed
(a legacy synonym for
.Cm yes )
or
.Cm no .
The default is
.Cm yes .
.It Cm DebianBanner
Specifies whether the distribution-specified extra version suffix is
included during initial protocol handshake.
The default is
.Cm yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
Login is disallowed for users whose primary group or supplementary
group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
Login is disallowed for user names that match one of the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
HOST criteria may additionally contain addresses to match in CIDR
address/masklen format.
The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
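.Pp
The following fragment is an added example and not part of the OpenSSH manual. It exercises the evaluation order that AllowUsers, AllowGroups, DenyUsers and DenyGroups share, and walks four logins through it. The user, group and network names are assumptions.

```sshd_config
# sshd evaluates these in a fixed order for every login attempt:
#   DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups.
# A Deny* match refuses the login outright; an Allow* list, once present,
# refuses anyone it does not match. Arguments are name patterns, never
# numeric IDs.

# Shared service accounts never log in interactively; "guest" is gone entirely
DenyUsers svc-* guest

# alice from anywhere; the backup account only from the backup subnet; anyone
# else only from the internal /8. Prefer address/masklen forms: a HOST name
# pattern is compared with the client's reverse-DNS name, so it only works
# when UseDNS (described later in this page) is enabled and DNS is trustworthy.
AllowUsers alice backup@198.51.100.0/24 *@10.0.0.0/8

# Group checks run after the user checks, and deny still beats allow
DenyGroups contractors
AllowGroups ssh-users wheel

# Worked through:
#   bob (ssh-users) from 10.1.2.3        no DenyUsers hit, matches *@10.0.0.0/8,
#                                        no DenyGroups hit, in ssh-users: allowed
#   alice (ssh-users, contractors)       named in AllowUsers, but DenyGroups
#                                        contractors matches: refused
#   svc-web (ssh-users) from 10.1.2.3    DenyUsers svc-* matches: refused
#   carol (ssh-users) from 203.0.113.9   no AllowUsers pattern matches: refused
```

The alice case is the one that surprises people: an AllowUsers entry does not exempt a user from a DenyGroups match, because the group lists are consulted after the user lists and any deny wins.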
.It Cm DisableForwarding
Disables all forwarding features, including X11,
.Xr ssh-agent 1 ,
TCP and StreamLocal.
This option overrides all other forwarding-related options and may
simplify restricted configurations.
.It Cm ExposeAuthInfo
Writes a temporary file containing a list of authentication methods and
public credentials (e.g. keys) used to authenticate the user.
The location of the file is exposed to the user session through the
.Ev SSH_USER_AUTH
environment variable.
The default is
.Cm no .
.It Cm FingerprintHash
Specifies the hash algorithm used when logging key fingerprints.
Valid options are:
.Cm md5
and
.Cm sha256 .
The default is
.Cm sha256 .
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
ignoring any command supplied by the client and
.Pa ~/.ssh/rc
if present.
The command is invoked by using the user's login shell with the -c option.
This applies to shell, command, or subsystem execution.
It is most useful inside a
.Cm Match
block.
The command originally supplied by the client is available in the
.Ev SSH_ORIGINAL_COMMAND
environment variable.
Specifying a command of
.Cm internal-sftp
will force the use of an in-process SFTP server that requires no support
files when used with
.Cm ChrootDirectory .
The default is
.Cm none .
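.Pp
The configuration below is an added example and not part of the OpenSSH manual. It combines ForceCommand and ChrootDirectory with the forwarding directives described earlier (AllowAgentForwarding, AllowStreamLocalForwarding, AllowTcpForwarding and DisableForwarding) for two restricted populations. The group names, the /srv/sftp layout and the /usr/sbin/nologin path are assumptions; Match blocks are described later in this page.

```sshd_config
# sftp-only accounts: chroot into a root-owned tree, serve files from the
# in-process sftp server (no support files needed inside the jail), no shell,
# no forwarding of any kind. DisableForwarding overrides every other
# forwarding option, so nothing else needs to be listed.
# /srv/sftp and /srv/sftp/<user> must be owned by root and not writable by
# group or others; give each user a writable subdirectory such as
# /srv/sftp/<user>/upload, otherwise the session can only read.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    DisableForwarding yes
    PermitTTY no

# Jump-host accounts: "ssh -J jump target" needs only a direct-tcpip channel,
# which is local forwarding from the client's point of view. Everything else
# is closed, and the forced command means no shell even when a client asks
# for one, which is what makes the forwarding restrictions meaningful.
# (Use PermitOpen, described later in this page, to limit the reachable targets.)
Match Group jumpusers
    AllowTcpForwarding local
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /usr/sbin/nologin
```

Before reloading, the effective settings for one connection can be inspected with sshd -T together with a -C connection specification such as user=alice,host=client.example,addr=10.1.2.3, which prints the values after Match processing.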
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
.Xr sshd 8
binds remote port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that sshd
should allow remote port forwardings to bind to non-loopback addresses, thus
allowing other hosts to connect.
The argument may be
.Cm no
to force remote port forwardings to be available to the local host only,
.Cm yes
to force remote port forwardings to bind to the wildcard address, or
.Cm clientspecified
to allow the client to select the address to which the forwarding is bound.
The default is
.Cm no .
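.Pp
The fragment below is an added example and not part of the OpenSSH manual; it contrasts the GatewayPorts settings and bounds the exposure with PermitListen, which is described later in this page. The group name and port numbers are assumptions.

```sshd_config
# Default: a remote forward (ssh -R) binds to loopback on this host only
GatewayPorts no

# "yes" would force every remote forward onto the wildcard address, reachable
# by any host that can reach this server. "clientspecified" lets the client
# choose the bind address per forward (ssh -R 0.0.0.0:8443:...), and
# PermitListen limits which ports a client may ask sshd to listen on at all.
Match Group webdevs
    GatewayPorts clientspecified
    PermitListen 8443 8080
```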
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
.It Cm GSSAPIKeyExchange
Specifies whether key exchange based on GSSAPI is allowed.
GSSAPI key exchange does not rely on SSH host keys to verify host identity.
The default is
.Cm no .
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Cm yes .
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
If set to
.Cm yes
then the client must authenticate against the host
service on the current hostname.
If set to
.Cm no
then the client may authenticate against any service key stored in the
machine's default store.
This facility is provided to assist with operation on multi homed machines.
The default is
.Cm yes .
.It Cm GSSAPIStoreCredentialsOnRekey
Controls whether the user's GSSAPI credentials should be updated following a
successful connection rekeying.
This option can be used to accept renewed or updated credentials from a
compatible client.
The default is
.Cm no .
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a list of comma-separated patterns.
Alternately if the specified value begins with a
.Sq +
character, then the specified key types will be appended to the default set
instead of replacing them.
If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
.Ed
.Pp
The list of available key types may also be obtained using
.Qq ssh -Q key .
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
(host-based authentication).
The default is
.Cm no .
.It Cm HostbasedUsesNameFromPacketOnly
Specifies whether or not the server will attempt to perform a reverse
name lookup when matching the name in the
.Pa ~/.shosts ,
.Pa ~/.rhosts ,
and
.Pa /etc/hosts.equiv
files during
.Cm HostbasedAuthentication .
A setting of
.Cm yes
means that
.Xr sshd 8
uses the name supplied by the client rather than
attempting to resolve the name from the TCP connection itself.
The default is
.Cm no .
.It Cm HostCertificate
Specifies a file containing a public host certificate.
The certificate's public key must match a private host key already specified
by
.Cm HostKey .
The default behaviour of
.Xr sshd 8
is not to load any certificates.
.It Cm HostKey
Specifies a file containing a private host key
used by SSH.
The defaults are
.Pa /etc/ssh/ssh_host_ecdsa_key ,
.Pa /etc/ssh/ssh_host_ed25519_key
and
.Pa /etc/ssh/ssh_host_rsa_key .
.Pp
Note that
.Xr sshd 8
will refuse to use a file if it is group/world-accessible
and that the
.Cm HostKeyAlgorithms
option restricts which of the keys are actually used by
.Xr sshd 8 .
.Pp
It is possible to have multiple host key files.
It is also possible to specify public host key files instead.
In this case operations on the private key will be delegated
to an
.Xr ssh-agent 1 .
.It Cm HostKeyAgent
Identifies the UNIX-domain socket used to communicate
with an agent that has access to the private host keys.
If the string
.Qq SSH_AUTH_SOCK
is specified, the location of the socket will be read from the
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
Specifies the host key algorithms
that the server offers.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
.Ed
.Pp
The list of available key types may also be obtained using
.Qq ssh -Q key .
.It Cm IgnoreRhosts
Specifies that
.Pa .rhosts
and
.Pa .shosts
files will not be used in
.Cm HostbasedAuthentication .
.Pp
.Pa /etc/hosts.equiv
and
.Pa /etc/shosts.equiv
are still used.
The default is
.Cm yes .
.It Cm IgnoreUserKnownHosts
Specifies whether
.Xr sshd 8
should ignore the user's
.Pa ~/.ssh/known_hosts
during
.Cm HostbasedAuthentication
and use only the system-wide known hosts file
.Pa /etc/ssh/known_hosts .
The default is
.Cm no .
.It Cm IPQoS
Specifies the IPv4 type-of-service or DSCP class for the connection.
Accepted values are
.Cm af11 ,
.Cm af12 ,
.Cm af13 ,
.Cm af21 ,
.Cm af22 ,
.Cm af23 ,
.Cm af31 ,
.Cm af32 ,
.Cm af33 ,
.Cm af41 ,
.Cm af42 ,
.Cm af43 ,
.Cm cs0 ,
.Cm cs1 ,
.Cm cs2 ,
.Cm cs3 ,
.Cm cs4 ,
.Cm cs5 ,
.Cm cs6 ,
.Cm cs7 ,
.Cm ef ,
.Cm lowdelay ,
.Cm throughput ,
.Cm reliability ,
a numeric value, or
.Cm none
to use the operating system default.
This option may take one or two arguments, separated by whitespace.
If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
.Cm af21
(Low-Latency Data)
for interactive sessions and
.Cm cs1
(Lower Effort)
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.
The argument to this keyword must be
.Cm yes
or
.Cm no .
The default is to use whatever value
.Cm ChallengeResponseAuthentication
is set to
(by default
.Cm yes ) .
.It Cm KerberosAuthentication
Specifies whether the password provided by the user for
.Cm PasswordAuthentication
will be validated through the Kerberos KDC.
To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
The default is
.Cm no .
.It Cm KerberosGetAFSToken
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
an AFS token before accessing the user's home directory.
The default is
.Cm no .
.It Cm KerberosOrLocalPasswd
If password authentication through Kerberos fails then
the password will be validated via any additional local mechanism
such as
.Pa /etc/passwd .
The default is
.Cm yes .
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.
The default is
.Cm yes .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
Alternately if the specified value begins with a
.Sq +
character, then the specified methods will be appended to the default set
instead of replacing them.
If the specified value begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
from the default set instead of replacing them.
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
.It
curve25519-sha256
.It
curve25519-sha256@libssh.org
.It
diffie-hellman-group1-sha1
.It
diffie-hellman-group14-sha1
.It
diffie-hellman-group14-sha256
.It
diffie-hellman-group16-sha512
.It
diffie-hellman-group18-sha512
.It
diffie-hellman-group-exchange-sha1
.It
diffie-hellman-group-exchange-sha256
.It
ecdh-sha2-nistp256
.It
ecdh-sha2-nistp384
.It
ecdh-sha2-nistp521
.El
.Pp
The default is:
.Bd -literal -offset indent
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
.It Cm ListenAddress
Specifies the local addresses
.Xr sshd 8
should listen on.
The following forms may be used:
.Pp
.Bl -item -offset indent -compact
.It
.Cm ListenAddress
.Sm off
.Ar hostname | address
.Sm on
.Op Cm rdomain Ar domain
.It
.Cm ListenAddress
.Sm off
.Ar hostname : port
.Sm on
.Op Cm rdomain Ar domain
.It
.Cm ListenAddress
.Sm off
.Ar IPv4_address : port
.Sm on
.Op Cm rdomain Ar domain
.It
.Cm ListenAddress
.Sm off
.Oo Ar hostname | address Oc : Ar port
.Sm on
.Op Cm rdomain Ar domain
.El
.Pp
The optional
.Cm rdomain
qualifier requests
.Xr sshd 8
listen in an explicit routing domain.
If
.Ar port
is not specified,
sshd will listen on the address and all
.Cm Port
options specified.
The default is to listen on all local addresses on the current default
routing domain.
Multiple
.Cm ListenAddress
options are permitted.
For more information on routing domains, see
.Xr rdomain 4 .
.It Cm LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.
If the value is 0, there is no time limit.
The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Xr sshd 8 .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
The default is INFO.
DEBUG and DEBUG1 are equivalent.
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified value begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified value begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
.Pp
The algorithms that contain
.Qq -etm
calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended.
The supported MACs are:
.Pp
.Bl -item -compact -offset indent
.It
hmac-md5
.It
hmac-md5-96
.It
hmac-sha1
.It
hmac-sha1-96
.It
hmac-sha2-256
.It
hmac-sha2-512
.It
umac-64@openssh.com
.It
umac-128@openssh.com
.It
hmac-md5-etm@openssh.com
.It
hmac-md5-96-etm@openssh.com
.It
hmac-sha1-etm@openssh.com
.It
hmac-sha1-96-etm@openssh.com
.It
hmac-sha2-256-etm@openssh.com
.It
hmac-sha2-512-etm@openssh.com
.It
umac-64-etm@openssh.com
.It
umac-128-etm@openssh.com
.El
.Pp
The default is:
.Bd -literal -offset indent
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
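The "+", "-" and replace forms described above for KexAlgorithms, MACs and HostbasedAcceptedKeyTypes share one rule set; the following Python is an added worked example (not OpenSSH's own parser) that resolves a configured value against the default MACs list above. Skipping names already present on "+" and using fnmatch-style "*"/"?" wildcards for "-" are assumptions of this example.

```python
"""Resolve an sshd_config algorithm list (KexAlgorithms, MACs, ...).

Added example, not OpenSSH's own parser.  It implements the "+" (append),
"-" (remove, with wildcards) and replace semantics the man page
describes.  Assumptions: "+" skips names already present, and "-"
patterns use shell-style "*" and "?" wildcards via fnmatch.
"""
from fnmatch import fnmatchcase

# Default MACs list, copied from the man page text above.
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com",
    "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]


def _split(spec):
    """Split a comma-separated list, dropping empty items."""
    return [s.strip() for s in spec.split(",") if s.strip()]


def resolve_algorithms(default, spec):
    """Return the effective list for one config value.

    "+a,b"  appends a and b to the default set (duplicates skipped);
    "-p,q"  removes every default entry matching pattern p or q;
    "a,b"   replaces the default set entirely.
    """
    if spec.startswith("+"):
        result = list(default)
        for name in _split(spec[1:]):
            if name not in result:
                result.append(name)
        return result
    if spec.startswith("-"):
        patterns = _split(spec[1:])
        return [a for a in default
                if not any(fnmatchcase(a, p) for p in patterns)]
    return _split(spec)


def non_etm_macs(macs):
    """MACs that are not encrypt-then-mac.  The page recommends the
    "-etm" variants, so a config reviewer wants to see which others
    remain enabled after the value is resolved."""
    return [m for m in macs if "-etm@" not in m]


if __name__ == "__main__":
    for spec in ("-hmac-sha1*", "+hmac-md5",
                 "hmac-sha2-256-etm@openssh.com"):
        effective = resolve_algorithms(DEFAULT_MACS, spec)
        print(spec, "->", effective, "non-etm:", non_etm_macs(effective))
```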
.It Cm Match
Introduces a conditional block.
If all of the criteria on the
.Cm Match
line are satisfied, the keywords on the following lines override those
set in the global section of the config file, until either another
.Cm Match
line or the end of the file.
If a keyword appears in multiple
.Cm Match
blocks that are satisfied, only the first instance of the keyword is
applied.
.Pp
The arguments to
.Cm Match
are one or more criteria-pattern pairs or the single token
.Cm All
which matches all criteria.
The available criteria are
.Cm User ,
.Cm Group ,
.Cm Host ,
.Cm LocalAddress ,
.Cm LocalPort ,
.Cm RDomain ,
and
.Cm Address
(with
.Cm RDomain
representing the
.Xr rdomain 4
on which the connection was received.)
.Pp
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
.Sx PATTERNS
section of
.Xr ssh_config 5 .
.Pp
The patterns in an
.Cm Address
criteria may additionally contain addresses to match in CIDR
address/masklen format,
such as 192.0.2.0/24 or 2001:db8::/32.
Note that the mask length provided must be consistent with the address -
it is an error to specify a mask length that is too long for the address
or one with bits set in the host portion of the address.
For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
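As an added worked example (not OpenSSH's own matcher), the Python below rejects both malformed CIDR forms just mentioned and evaluates a comma-separated Address criteria list for a client address. The negation and wildcard rules follow the PATTERNS description as assumed here: a matching negated entry vetoes the whole list and never matches on its own, and entries containing "*" or "?" are matched as globs against the textual address.

```python
"""Match Address criteria: CIDR validation and list evaluation.

Added example, not OpenSSH code.  ipaddress.ip_network(strict=True)
raises ValueError for exactly the two errors the page names: a mask
length too long for the address family, and host bits set under the
mask.  Glob handling of "*" / "?" entries is an assumption.
"""
import ipaddress
from fnmatch import fnmatchcase


def parse_cidr(entry):
    """Parse one address or address/masklen entry.  A bare address
    becomes a /32 or /128 network.  Raises ValueError on the malformed
    forms described above."""
    return ipaddress.ip_network(entry, strict=True)


def check_match_address(entry):
    """Return (ok, reason) for a single Address entry, for a config lint."""
    try:
        parse_cidr(entry)
        return (True, "ok")
    except ValueError as exc:
        return (False, str(exc))


def address_matches(pattern_list, client_addr):
    """Evaluate a comma-separated Address list against one client address.

    Positive entries set the result to True; a negated ("!") entry that
    matches returns False immediately; a list with only negated entries
    never yields True.  Raises ValueError on a malformed CIDR entry.
    """
    addr = ipaddress.ip_address(client_addr)
    matched = False
    for raw in pattern_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        if "*" in entry or "?" in entry:
            hit = fnmatchcase(str(addr), entry)     # glob form, assumed
        else:
            hit = addr in parse_cidr(entry)          # CIDR or plain address
        if hit and negate:
            return False
        if hit:
            matched = True
    return matched


if __name__ == "__main__":
    for entry in ("192.0.2.0/24", "2001:db8::/32", "192.0.2.0/33",
                  "192.0.2.0/8"):
        print(entry, check_match_address(entry))
    print(address_matches("192.0.2.0/24,!192.0.2.13", "192.0.2.5"))
```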
.Pp
Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.
Available keywords are
.Cm AcceptEnv ,
.Cm AllowAgentForwarding ,
.Cm AllowGroups ,
.Cm AllowStreamLocalForwarding ,
.Cm AllowTcpForwarding ,
.Cm AllowUsers ,
.Cm AuthenticationMethods ,
.Cm AuthorizedKeysCommand ,
.Cm AuthorizedKeysCommandUser ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedPrincipalsCommand ,
.Cm AuthorizedPrincipalsCommandUser ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
.Cm ClientAliveCountMax ,
.Cm ClientAliveInterval ,
.Cm DenyGroups ,
.Cm DenyUsers ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
.Cm GSSAPIAuthentication ,
.Cm HostbasedAcceptedKeyTypes ,
.Cm HostbasedAuthentication ,
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm IPQoS ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm LogLevel ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitListen ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTTY ,
.Cm PermitTunnel ,
.Cm PermitUserRC ,
.Cm PubkeyAcceptedKeyTypes ,
.Cm PubkeyAuthentication ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
.Cm RDomain ,
.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys ,
.Cm X11DisplayOffset ,
.Cm X11Forwarding
and
.Cm X11UseLocalHost .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
Once the number of failures reaches half this value,
additional failures are logged.
The default is 6.
.It Cm MaxSessions
Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
sessions permitted per network connection.
Multiple sessions may be established by clients that support connection
multiplexing.
Setting
.Cm MaxSessions
to 1 will effectively disable session multiplexing, whereas setting it to 0
will prevent all shell, login and subsystem sessions while still permitting
forwarding.
The default is 10.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
SSH daemon.
Additional connections will be dropped until authentication succeeds or the
.Cm LoginGraceTime
expires for a connection.
The default is 10:30:100.
.Pp
Alternatively, random early drop can be enabled by specifying
the three colon separated values
start:rate:full (e.g. "10:30:60").
.Xr sshd 8
will refuse connection attempts with a probability of rate/100 (30%)
if there are currently start (10) unauthenticated connections.
The probability increases linearly and all connection attempts
are refused if the number of unauthenticated connections reaches full (60).
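The following Python is an added illustration (not OpenSSH's code) of the random early drop curve just described: refusal probability equals rate at start unauthenticated connections, rises linearly, and reaches 100% at full. Treating a bare "start" value as a hard limit with no random band, and the range checks in the parser, are modelling assumptions of this example.

```python
"""MaxStartups random early drop, modelled from the man page text.

Added example, not OpenSSH's implementation.  drop_probability() returns
the refusal probability in percent for a given count of unauthenticated
connections under a start:rate:full setting.
"""
from fractions import Fraction


def parse_max_startups(value):
    """Parse "start" or "start:rate:full" into a (start, rate, full) tuple.

    A bare number is modelled as a hard limit: rate=100, full=start
    (assumption).  Range checks are this example's own.
    """
    parts = value.split(":")
    if len(parts) == 1:
        start = int(parts[0])
        return (start, 100, start)
    if len(parts) != 3:
        raise ValueError("expected start:rate:full, got %r" % value)
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full) or not (0 <= rate <= 100):
        raise ValueError("invalid MaxStartups %r" % value)
    return (start, rate, full)


def drop_probability(cfg, unauthenticated):
    """Refusal probability (percent, exact Fraction) with `unauthenticated`
    connections pending: 0 below start, rate at start, linear up to 100
    at full, and 100 at or above full."""
    start, rate, full = cfg
    if unauthenticated < start:
        return Fraction(0)
    if unauthenticated >= full:
        return Fraction(100)
    return (Fraction(rate)
            + Fraction(100 - rate) * (unauthenticated - start) / (full - start))


def should_drop(cfg, unauthenticated, roll):
    """Decide one connection attempt given a uniform roll in [0, 100).
    The roll is passed in so the decision is deterministic and testable."""
    return roll < drop_probability(cfg, unauthenticated)


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:60")      # the page's own example
    for pending in (5, 10, 35, 59, 60):
        print(pending, "pending ->", float(drop_probability(cfg, pending)), "%")
```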
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
.Cm yes .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
The default is
.Cm no .
.It Cm PermitListen
Specifies the addresses/ports on which a remote TCP port forwarding may listen.
The listen specification must be one of the following forms:
.Pp
.Bl -item -offset indent -compact
.It
.Cm PermitListen
.Sm off
.Ar port
.Sm on
.It
.Cm PermitListen
.Sm off
.Ar host : port
.Sm on
.El
.Pp
Multiple permissions may be specified by separating them with whitespace.
An argument of
.Cm any
can be used to remove all restrictions and permit any listen requests.
An argument of
.Cm none
can be used to prohibit all listen requests.
The host name may contain wildcards as described in the PATTERNS section in
.Xr ssh_config 5 .
The wildcard
.Sq *
can also be used in place of a port number to allow all ports.
By default all port forwarding listen requests are permitted.
Note that the
.Cm GatewayPorts
option may further restrict which addresses may be listened on.
Note also that
.Xr ssh 1
will request a listen host of
.Dq localhost
if no listen host was specifically requested, and this name is
treated differently to explicit localhost addresses of
.Dq 127.0.0.1
and
.Dq ::1 .
.It Cm PermitOpen
Specifies the destinations to which TCP port forwarding is permitted.
The forwarding specification must be one of the following forms:
.Pp
.Bl -item -offset indent -compact
.It
.Cm PermitOpen
.Sm off
.Ar host : port
.Sm on
.It
.Cm PermitOpen
.Sm off
.Ar IPv4_addr : port
.Sm on
.It
.Cm PermitOpen
.Sm off
.Ar \&[ IPv6_addr \&] : port
.Sm on
.El
.Pp
Multiple forwards may be specified by separating them with whitespace.
An argument of
.Cm any
can be used to remove all restrictions and permit any forwarding requests.
An argument of
.Cm none
can be used to prohibit all forwarding requests.
The wildcard
.Sq *
can be used for host or port to allow all hosts or ports, respectively.
By default all port forwarding requests are permitted.
.It Cm PermitRootLogin
Specifies whether root can log in using
.Xr ssh 1 .
The argument must be
.Cm yes ,
.Cm prohibit-password ,
.Cm forced-commands-only ,
or
.Cm no .
The default is
.Cm prohibit-password .
.Pp
If this option is set to
.Cm prohibit-password
(or its deprecated alias,
.Cm without-password ) ,
password and keyboard-interactive authentication are disabled for root.
.Pp
If this option is set to
.Cm forced-commands-only ,
root login with public key authentication will be allowed,
but only if the
.Ar command
option has been specified
(which may be useful for taking remote backups even if root login is
normally not allowed).
All other authentication methods are disabled for root.
.Pp
If this option is set to
.Cm no ,
root is not allowed to log in.
.It Cm PermitTTY
Specifies whether
.Xr pty 4
allocation is permitted.
The default is
.Cm yes .
.It Cm PermitTunnel
Specifies whether
.Xr tun 4
device forwarding is allowed.
The argument must be
.Cm yes ,
.Cm point-to-point
(layer 3),
.Cm ethernet
(layer 2), or
.Cm no .
Specifying
.Cm yes
permits both
.Cm point-to-point
and
.Cm ethernet .
The default is
.Cm no .
.Pp
Independent of this setting, the permissions of the selected
.Xr tun 4
device must allow access to the user.
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
and
.Cm environment=
options in
.Pa ~/.ssh/authorized_keys
are processed by
.Xr sshd 8 .
Valid options are
.Cm yes ,
.Cm no
or a pattern-list specifying which environment variable names to accept
(for example
.Qq LANG,LC_* ) .
The default is