File Formats sshd_config(4)
NAME
sshd_config - sshd configuration file
SYNOPSIS
/etc/ssh/sshd_config
DESCRIPTION
The sshd(1M) daemon reads configuration data from /etc/ssh/sshd_config (or the file specified with sshd -f on the command line). The file contains keyword-value pairs, one per line. A line starting with a hash mark (#) and empty lines are interpreted as comments.
The sshd_config file supports the keywords listed below. Unless otherwise noted, keywords and their arguments are case-insensitive.
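The following is an added example, not part of this man page and not code from Sun or the OpenSSH project. It parses the file format described above (one keyword-value pair per line, # comments, case-insensitive keywords) and then audits the parsed settings against the defaults and warnings that this page documents for keywords further down (Protocol, PermitRootLogin, PermitUserEnvironment, GatewayPorts, LogLevel, StrictModes, X11Forwarding). The sample configuration is constructed for the demonstration, and the rule that the first occurrence of a single-valued keyword wins is an assumption about OpenSSH behaviour, not something this page states.

```python
from typing import Dict, List, Tuple

# Constructed sample sshd_config for this demonstration; not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Protocol 2,1
Port 22
port 2222
PermitRootLogin yes
permitemptypasswords YES
PermitUserEnvironment no
GatewayPorts yes
LogLevel DEBUG

StrictModes no
"""


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Parse keyword-value lines into {keyword: [value, ...]} in file order.

    Empty lines and lines starting with '#' are comments.  Keywords are
    case-insensitive, so they are lower-cased; values are kept verbatim
    because some of them (file paths) are case-sensitive.  Every occurrence
    is kept so that multi-valued keywords such as Port and ListenAddress
    survive parsing.
    """
    config: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # keyword without a value: ignore
        keyword, value = parts[0].lower(), parts[1].strip()
        config.setdefault(keyword, []).append(value)
    return config


def effective(config: Dict[str, List[str]], keyword: str, default: str) -> str:
    """Value in force for a single-valued keyword: the first occurrence
    (assumption: OpenSSH behaviour, not stated on this page) or the
    documented default when the keyword is absent; lower-cased for comparison."""
    return config.get(keyword, [default])[0].lower()


def audit_sshd_config(config: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (keyword, finding) pairs for settings this man page warns about
    or whose documented default is weaker than a hardened baseline."""
    findings: List[Tuple[str, str]] = []
    if "1" in effective(config, "protocol", "2,1").split(","):
        findings.append(("protocol", "protocol version 1 is enabled (default is 2,1); use 2"))
    if effective(config, "permitrootlogin", "yes") == "yes":
        findings.append(("permitrootlogin", "root may log in with a password (default yes); "
                         "prefer no, without-password or forced-commands-only"))
    # Default depends on PASSREQ in /etc/default/login, so only an explicit yes is flagged.
    if effective(config, "permitemptypasswords", "unknown") == "yes":
        findings.append(("permitemptypasswords", "accounts with empty passwords may log in"))
    if effective(config, "permituserenvironment", "no") == "yes":
        findings.append(("permituserenvironment", "user environment processing lets users "
                         "bypass access restrictions (for example via LD_PRELOAD)"))
    if effective(config, "gatewayports", "no") == "yes":
        findings.append(("gatewayports", "remote port forwardings bind the wildcard address"))
    if effective(config, "loglevel", "info").startswith("debug"):
        findings.append(("loglevel", "DEBUG logging violates the privacy of users"))
    if effective(config, "strictmodes", "yes") == "no":
        findings.append(("strictmodes", "ownership and mode checks on user files are off"))
    if effective(config, "x11forwarding", "yes") == "yes":
        findings.append(("x11forwarding", "X11 forwarding exposes client displays "
                         "(default yes); set no to protect clients"))
    return findings


if __name__ == "__main__":
    for keyword, finding in audit_sshd_config(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"{keyword}: {finding}")
```

Because absent keywords are evaluated at their documented defaults, an empty configuration is itself reported for Protocol 2,1, PermitRootLogin yes and X11Forwarding yes; the audit therefore reads the file the way sshd does rather than only the lines an administrator happened to write.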
AllowGroups
This keyword can be followed by a number of group names, separated by spaces. If specified, login is allowed only for users whose primary group matches one of the patterns. Asterisk (*) and question mark (?) can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed regardless of the primary group.
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The default is yes. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
AllowUsers
This keyword can be followed by a number of user names, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Asterisk (*) and question mark (?) can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed regardless of the user name.
If a specified pattern takes the form user@host then user and host are checked separately, restricting logins to particular users from particular hosts.
SunOS 5.10 Last change: 19 Sep 2006 1
AuthorizedKeysFile
Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile can contain tokens of the form %T, which are substituted during connection set-up. The following tokens are defined: %% is replaced by a literal %, %h is replaced by the home directory of the user being authenticated and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. The default is .ssh/authorized_keys.
Banner
In some jurisdictions, sending a warning message before authentication can be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed.
Ciphers
Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The default is aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc.
ClientAliveCountMax
Sets the number of client alive messages (see ClientAliveInterval, below) that can be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from KeepAlive (see below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by KeepAlive is spoofable. The client alive mechanism is valuable when a client or server depends on knowing when a connection has become inactive.
The default value is 3. If ClientAliveInterval (below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive ssh clients will be disconnected after approximately 45 seconds.
ClientAliveInterval
Sets a timeout interval in seconds after which, if no data has been received from the client, sshd sends a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies only to protocol version 2.
Compression
Controls whether the server allows the client to negotiate the use of compression. The default is yes.
DenyGroups
Can be followed by a number of group names, separated by spaces. Users whose primary group matches one of the patterns are not allowed to log in. Asterisk (*) and question mark (?) can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed regardless of the primary group.
DenyUsers
Can be followed by a number of user names, separated by spaces. Login is disallowed for user names that match one of the patterns. Asterisk (*) and question mark (?) can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed regardless of the user name.
If a specified pattern takes the form user@host then user and host are checked separately, disallowing logins to particular users from particular hosts.
GatewayPorts
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should bind remote port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be yes or no. The default is no.
GSSAPIAuthentication
Enables/disables GSS-API user authentication. The default is yes.
Currently sshd authorizes client user principals to user accounts as follows: if the principal name matches the requested user account, then the principal is authorized. Otherwise, GSS-API authentication fails.
GSSAPIKeyExchange
Enables/disables GSS-API-authenticated key exchanges. The default is yes.
This option also enables the use of the GSS-API to authenticate the user to the server after the key exchange. Note that GSS-API key exchange can succeed but the subsequent authentication using the GSS-API fail if the server does not authorize the user's GSS principal name to the target user account.
Currently sshd authorizes client user principals to user accounts as follows: if the principal name matches the requested user account, then the principal is authorized. Otherwise, GSS-API authentication fails.
GSSAPIStoreDelegatedCredentials
Enables/disables the use of delegated GSS-API credentials on the server side. The default is yes.
Specifically, this option, when enabled, causes the server to store delegated GSS-API credentials in the user's default GSS-API credential store (which for the Kerberos V mechanism means /tmp/krb5cc_<uid>).
Note - sshd does not take any steps to explicitly destroy stored delegated GSS-API credentials upon logout. It is the responsibility of PAM modules to destroy credentials associated with a session.
HostbasedAuthentication
Specifies whether to try rhosts-based authentication with public key authentication. The argument must be yes or no. The default is no. This option applies to protocol version 2 only and is similar to RhostsRSAAuthentication. See sshd(1M) for guidelines on setting up host-based authentication.
HostbasedUsesNameFromPacketOnly
Controls which hostname is searched for in the files ~/.shosts, /etc/shosts.equiv, and /etc/hosts.equiv. If this parameter is set to yes, the server uses the name the client claimed for itself and signed with that host's key. If set to no, the default, the server uses the name to which the client's IP address resolves.
Setting this parameter to no disables host-based authentication when using NAT or when the client gets to the server indirectly through a port-forwarding firewall.
HostKey
Specifies the file containing the private host key used by SSH. The default is /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol version 2. Note that sshd will refuse to use a file if it is group/world-accessible. It is possible to have multiple host key files. rsa1 keys are used for version 1 and dsa or rsa are used for version 2 of the SSH protocol.
IgnoreRhosts
Specifies that .rhosts and .shosts files will not be used in authentication. /etc/hosts.equiv and /etc/shosts.equiv are still used. The default is yes. This parameter applies to both protocol versions 1 and 2.
IgnoreUserKnownHosts
Specifies whether sshd should ignore the user's $HOME/.ssh/known_hosts during RhostsRSAAuthentication. The default is no. This parameter applies to both protocol versions 1 and 2.
KbdInteractiveAuthentication
Specifies whether authentication by means of the "keyboard-interactive" authentication method (and PAM) is allowed. Defaults to yes. (Deprecated: this parameter can only be set to yes.)
KeepAlive
Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, which can be an annoyance. On the other hand, if keepalives are not sent, sessions can hang indefinitely on the server, leaving ``ghost'' users and consuming server resources.
The default is yes (to send keepalives), and the server will notice if the network goes down or the client host reboots. This avoids infinitely hanging sessions.
To disable keepalives, the value should be set to no in both the server and the client configuration files.
KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys. The key is never stored anywhere. If the value is 0, the key is never regenerated. The default is 3600 (seconds).
ListenAddress
Specifies what local address sshd should listen on. The following forms can be used:
ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port
If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses. Multiple ListenAddress options are permitted. Additionally, any Port options must precede this option for non-port qualified addresses.
LoginGraceTime
The server disconnects after this time (in seconds) if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 (seconds).
LogLevel
Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with level DEBUG violates the privacy of users and is not recommended.
LookupClientHostnames
Specifies whether or not to look up the names of clients' addresses. Defaults to yes.
MACs
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96.
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
Alternatively, random early drop can be enabled by specifying the three colon-separated values start:rate:full (for example, 10:30:60). Referring to this example, sshd will refuse connection attempts with a probability of rate/100 (30% in our example) if there are currently 10 (from the start field) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60 in our example).
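An added example, not part of this man page and not OpenSSH code, that turns the random early drop description above into a function: the refusal probability is 0 below start, rate/100 at start, rises linearly, and reaches 1 at full. The plain single-number form is modelled as start = full = N with no random region. The simulation uses a seeded generator so the observed drop rate can be compared with the formula; the values 10:30:60 are the page's own example.

```python
import random
from typing import Callable, Tuple


def parse_max_startups(value: str) -> Tuple[int, int, int]:
    """Parse 'N' or 'start:rate:full' into (start, rate, full).

    A bare N refuses every new unauthenticated connection once N exist, which
    is the same as start = full = N (the rate is then irrelevant)."""
    parts = value.split(":")
    if len(parts) == 1:
        limit = int(parts[0])
        return limit, 100, limit
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full) or not (0 <= rate <= 100):
        raise ValueError("need 0 < start <= full and 0 <= rate <= 100")
    return start, rate, full


def drop_probability(unauth: int, start: int, rate: int, full: int) -> float:
    """Probability (0.0..1.0) that sshd refuses a new connection when `unauth`
    unauthenticated connections already exist."""
    if unauth < start:
        return 0.0
    if unauth >= full:
        return 1.0
    # Linear interpolation from rate% at `start` to 100% at `full`.
    percent = rate + (100 - rate) * (unauth - start) / (full - start)
    return percent / 100


def should_drop(unauth: int, start: int, rate: int, full: int,
                rng: Callable[[], float] = random.random) -> bool:
    """One accept/refuse decision; rng() must return a float in [0, 1)."""
    return rng() < drop_probability(unauth, start, rate, full)


def simulated_drop_rate(unauth: int, start: int, rate: int, full: int,
                        trials: int = 20000, seed: int = 1) -> float:
    """Fraction of `trials` decisions that refused, with a fixed seed so the
    result is reproducible."""
    rng = random.Random(seed)
    dropped = sum(should_drop(unauth, start, rate, full, rng.random) for _ in range(trials))
    return dropped / trials


if __name__ == "__main__":
    start, rate, full = parse_max_startups("10:30:60")      # the page's example
    for unauth in (5, 10, 20, 35, 50, 60, 70):
        print(f"{unauth:3d} unauthenticated -> refuse with p = "
              f"{drop_probability(unauth, start, rate, full):.2f}")
```

The sliding probability is what makes the three-value form preferable to a flat limit on an exposed server: a burst of half-open connections is shed gradually instead of locking out every new client the instant the limit is reached.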
PasswordAuthentication
Specifies whether password authentication is allowed. The default is yes. Note that this option applies to both protocol versions 1 and 2.
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. In /etc/default/login, if PASSREQ is not set, or PASSREQ=YES, then the default is no; if PASSREQ=NO, then the default is yes.
PermitRootLogin
Specifies whether the root can log in using ssh(1). The argument must be yes, without-password, forced-commands-only, or no. The default is yes. without-password means that root cannot be authenticated using the "password" or "keyboard-interactive" methods (see description of KbdInteractiveAuthentication above). forced-commands-only means that authentication is allowed only for "publickey" (for SSHv2, or RSA, for SSHv1) and only if the matching authorized_keys entry for root has a command=<cmd> option.
The without-password and forced-commands-only settings are useful for, for example, performing remote administration and backups using trusted public keys for authentication of the remote client, without allowing access to the root account using passwords.
PermitUserEnvironment
Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. The default is no. Enabling environment processing can enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.
PidFile
Allows you to specify an alternative to /var/run/sshd.pid, the default file for storing the PID of the sshd listening for connections. See sshd(1M).
Port
Specifies the port number that sshd listens on. The default is 22. Multiple options of this type are permitted. See also ListenAddress.
PrintLastLog
Specifies whether sshd should display the date and time when the user last logged in. The default is yes.
PrintMotd
Specifies whether sshd should display the contents of /etc/motd when a user logs in interactively. (On some systems it is also displayed by the shell or a shell startup file, such as /etc/profile.) The default is yes.
Protocol
Specifies the protocol versions sshd should support in order of preference. The possible values are 1 and 2. Multiple versions must be comma-separated. The default is 2,1. This means that ssh tries version 2 and falls back to version 1 if version 2 is not available.
PubkeyAuthentication
Specifies whether public key authentication is allowed. The default is yes. Note that this option applies to protocol version 2 only.
RhostsAuthentication
Specifies whether authentication using rhosts or /etc/hosts.equiv files is sufficient. Normally, this method should not be permitted because it is insecure. RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition to normal rhosts or /etc/hosts.equiv authentication. The default is no. Note that this parameter applies only to protocol version 1.
RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is no. Note that this parameter applies only to protocol version 1.
RSAAuthentication
Specifies whether pure RSA authentication is allowed. The default is yes. Note that this option applies to protocol version 1 only.
ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768.
StrictModes
Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is yes.
Subsystem
Configures an external subsystem (for example, a file transfer daemon). Arguments should be a subsystem name and a command to execute upon subsystem request. The command sftp-server(1M) implements the sftp file transfer subsystem. By default, no subsystems are defined. Note that this option applies to protocol version 2 only.
SyslogFacility
Gives the facility code that is used when logging messages from sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, and LOCAL7. The default is AUTH.
VerifyReverseMapping
Specifies whether sshd should try to verify the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. (A yes setting means "verify".) Setting this parameter to no can be useful where DNS servers might be down and thus cause sshd to spend much time trying to resolve the client's IP address to a name. This feature is useful for Internet-facing servers. The default is no.
X11DisplayOffset
Specifies the first display number available for sshd's X11 forwarding. This prevents sshd from interfering with real X11 servers. The default is 10.
X11Forwarding
Specifies whether X11 forwarding is permitted. The default is yes. Note that disabling X11 forwarding does not improve security in any way, as users can always install their own forwarders.
When X11 forwarding is enabled, there can be additional exposure to the server and to client displays if the sshd proxy display is configured to listen on the wildcard address (see X11UseLocalhost below). However, this is not the default. Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client's X11 display server can be exposed to attack when the ssh client requests forwarding (see the warnings for ForwardX11 in ssh_config(4)). A system administrator who wants to protect clients that expose themselves to attack by unwittingly requesting X11 forwarding should specify a ``no'' setting.
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.
X11UseLocalhost
Specifies whether sshd should bind the X11 forwarding server to the loopback address or to the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to ``localhost''. This prevents remote hosts from connecting to the proxy display. However, some older X11 clients might not function with this configuration. X11UseLocalhost can be set to no to specify that the forwarding server should be bound to the wildcard address. The argument must be yes or no. The default is yes.
XAuthLocation
Specifies the location of the xauth(1) program. The default is /usr/X/bin/xauth.
Time Formats
sshd command-line arguments and configuration file options that specify time can be expressed using a sequence of the form time[qualifier], where time is a positive integer value and qualifier is one of the following:
<none>   seconds
s | S    seconds
m | M    minutes
h | H    hours
d | D    days
w | W    weeks
Each element of the sequence is added together to calculate the total time value. For example:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour, 30 minutes (90 minutes)
FILES
/etc/ssh/sshd_config
Contains configuration data for sshd. This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWsshu |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
login(1), sshd(1M), ssh_config(4), attributes(5), kerberos(5)
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song removed many bugs, re-added recent features, and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation.