Flatten the OpenSSH vendor tree for 3.x and newer.

1 files changed, 0 insertions, 962 deletions

diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
deleted file mode 100644
index 2bcaf22..0000000
--- a/crypto/openssh/sshd_config.5
+++ /dev/null
@@ -1,962 +0,0 @@
-.\"  -*- nroff -*-
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" As far as I am concerned, the code I have written for this software
-.\" can be used freely for any purpose.  Any derived versions of this
-.\" software must be clearly marked as such, and if the derived work is
-.\" incompatible with the protocol description in the RFC file, it must be
-.\" called by a name other than "ssh" or "Secure Shell".
-.\"
-.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" $OpenBSD: sshd_config.5,v 1.70 2006/08/21 08:14:01 dtucker Exp $
-.Dd September 25, 1999
-.Dt SSHD_CONFIG 5
-.Os
-.Sh NAME
-.Nm sshd_config
-.Nd OpenSSH SSH daemon configuration file
-.Sh SYNOPSIS
-.Bl -tag -width Ds -compact
-.It Pa /etc/ssh/sshd_config
-.El
-.Sh DESCRIPTION
-.Xr sshd 8
-reads configuration data from
-.Pa /etc/ssh/sshd_config
-(or the file specified with
-.Fl f
-on the command line).
-The file contains keyword-argument pairs, one per line.
-Lines starting with
-.Ql #
-and empty lines are interpreted as comments.
-Arguments may optionally be enclosed in double quotes
-.Pq \&"
-in order to represent arguments containing spaces.
-.Pp
-The possible
-keywords and their meanings are as follows (note that
-keywords are case-insensitive and arguments are case-sensitive):
-.Bl -tag -width Ds
-.It Cm AcceptEnv
-Specifies what environment variables sent by the client will be copied into
-the session's
-.Xr environ 7 .
-See
-.Cm SendEnv
-in
-.Xr ssh_config 5
-for how to configure the client.
-Note that environment passing is only supported for protocol 2.
-Variables are specified by name, which may contain the wildcard characters
-.Ql *
-and
-.Ql \&? .
-Multiple environment variables may be separated by whitespace or spread
-across multiple
-.Cm AcceptEnv
-directives.
-Be warned that some environment variables could be used to bypass restricted
-user environments.
-For this reason, care should be taken in the use of this directive.
-The default is not to accept any environment variables.
-.It Cm AddressFamily
-Specifies which address family should be used by
-.Xr sshd 8 .
-Valid arguments are
-.Dq any ,
-.Dq inet
-(use IPv4 only), or
-.Dq inet6
-(use IPv6 only).
-The default is
-.Dq any .
-.It Cm AllowGroups
-This keyword can be followed by a list of group name patterns, separated
-by spaces.
-If specified, login is allowed only for users whose primary
-group or supplementary group list matches one of the patterns.
-Only group names are valid; a numerical group ID is not recognized.
-By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
-.Pp
-See
-.Sx PATTERNS
-in
-.Xr ssh_config 5
-for more information on patterns.
-.It Cm AllowTcpForwarding
-Specifies whether TCP forwarding is permitted.
-The default is
-.Dq yes .
-Note that disabling TCP forwarding does not improve security unless
-users are also denied shell access, as they can always install their
-own forwarders.
-.It Cm AllowUsers
-This keyword can be followed by a list of user name patterns, separated
-by spaces.
-If specified, login is allowed only for user names that
-match one of the patterns.
-Only user names are valid; a numerical user ID is not recognized.
-By default, login is allowed for all users.
-If the pattern takes the form USER@HOST then USER and HOST
-are separately checked, restricting logins to particular
-users from particular hosts.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
-.Pp
-See
-.Sx PATTERNS
-in
-.Xr ssh_config 5
-for more information on patterns.
-.It Cm AuthorizedKeysFile
-Specifies the file that contains the public keys that can be used
-for user authentication.
-.Cm AuthorizedKeysFile
-may contain tokens of the form %T which are substituted during connection
-setup.
-The following tokens are defined: %% is replaced by a literal '%',
-%h is replaced by the home directory of the user being authenticated, and
-%u is replaced by the username of that user.
-After expansion,
-.Cm AuthorizedKeysFile
-is taken to be an absolute path or one relative to the user's home
-directory.
-The default is
-.Dq .ssh/authorized_keys .
-.It Cm Banner
-In some jurisdictions, sending a warning message before authentication
-may be relevant for getting legal protection.
-The contents of the specified file are sent to the remote user before
-authentication is allowed.
-This option is only available for protocol version 2.
-By default, no banner is displayed.
-.It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
-The default is
-.Dq yes .
-.It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2.
-Multiple ciphers must be comma-separated.
-The supported ciphers are
-.Dq 3des-cbc ,
-.Dq aes128-cbc ,
-.Dq aes192-cbc ,
-.Dq aes256-cbc ,
-.Dq aes128-ctr ,
-.Dq aes192-ctr ,
-.Dq aes256-ctr ,
-.Dq arcfour128 ,
-.Dq arcfour256 ,
-.Dq arcfour ,
-.Dq blowfish-cbc ,
-and
-.Dq cast128-cbc .
-The default is:
-.Bd -literal -offset 3n
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
-.Ed
-.It Cm ClientAliveCountMax
-Sets the number of client alive messages (see below) which may be
-sent without
-.Xr sshd 8
-receiving any messages back from the client.
-If this threshold is reached while client alive messages are being sent,
-sshd will disconnect the client, terminating the session.
-It is important to note that the use of client alive messages is very
-different from
-.Cm TCPKeepAlive
-(below).
-The client alive messages are sent through the encrypted channel
-and therefore will not be spoofable.
-The TCP keepalive option enabled by
-.Cm TCPKeepAlive
-is spoofable.
-The client alive mechanism is valuable when the client or
-server depend on knowing when a connection has become inactive.
-.Pp
-The default value is 3.
-If
-.Cm ClientAliveInterval
-(see below) is set to 15, and
-.Cm ClientAliveCountMax
-is left at the default, unresponsive SSH clients
-will be disconnected after approximately 45 seconds.
-This option applies to protocol version 2 only.
-.It Cm ClientAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the client,
-.Xr sshd 8
-will send a message through the encrypted
-channel to request a response from the client.
-The default
-is 0, indicating that these messages will not be sent to the client.
-This option applies to protocol version 2 only.
-.It Cm Compression
-Specifies whether compression is allowed, or delayed until
-the user has authenticated successfully.
-The argument must be
-.Dq yes ,
-.Dq delayed ,
-or
-.Dq no .
-The default is
-.Dq delayed .
-.It Cm DenyGroups
-This keyword can be followed by a list of group name patterns, separated
-by spaces.
-Login is disallowed for users whose primary group or supplementary
-group list matches one of the patterns.
-Only group names are valid; a numerical group ID is not recognized.
-By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
-.Pp
-See
-.Sx PATTERNS
-in
-.Xr ssh_config 5
-for more information on patterns.
-.It Cm DenyUsers
-This keyword can be followed by a list of user name patterns, separated
-by spaces.
-Login is disallowed for user names that match one of the patterns.
-Only user names are valid; a numerical user ID is not recognized.
-By default, login is allowed for all users.
-If the pattern takes the form USER@HOST then USER and HOST
-are separately checked, restricting logins to particular
-users from particular hosts.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
-.Pp
-See
-.Sx PATTERNS
-in
-.Xr ssh_config 5
-for more information on patterns.
-.It Cm ForceCommand
-Forces the execution of the command specified by
-.Cm ForceCommand ,
-ignoring any command supplied by the client.
-The command is invoked by using the user's login shell with the -c option.
-This applies to shell, command, or subsystem execution.
-It is most useful inside a
-.Cm Match
-block.
-The command originally supplied by the client is available in the
-.Ev SSH_ORIGINAL_COMMAND
-environment variable.
-.It Cm GatewayPorts
-Specifies whether remote hosts are allowed to connect to ports
-forwarded for the client.
-By default,
-.Xr sshd 8
-binds remote port forwardings to the loopback address.
-This prevents other remote hosts from connecting to forwarded ports.
-.Cm GatewayPorts
-can be used to specify that sshd
-should allow remote port forwardings to bind to non-loopback addresses, thus
-allowing other hosts to connect.
-The argument may be
-.Dq no
-to force remote port forwardings to be available to the local host only,
-.Dq yes
-to force remote port forwardings to bind to the wildcard address, or
-.Dq clientspecified
-to allow the client to select the address to which the forwarding is bound.
-The default is
-.Dq no .
-.It Cm GSSAPIAuthentication
-Specifies whether user authentication based on GSSAPI is allowed.
-The default is
-.Dq no .
-Note that this option applies to protocol version 2 only.
-.It Cm GSSAPICleanupCredentials
-Specifies whether to automatically destroy the user's credentials cache
-on logout.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 2 only.
-.It Cm HostbasedAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful public key client host authentication is allowed
-(host-based authentication).
-This option is similar to
-.Cm RhostsRSAAuthentication
-and applies to protocol version 2 only.
-The default is
-.Dq no .
-.It Cm HostbasedUsesNameFromPacketOnly
-Specifies whether or not the server will attempt to perform a reverse
-name lookup when matching the name in the
-.Pa ~/.shosts ,
-.Pa ~/.rhosts ,
-and
-.Pa /etc/hosts.equiv
-files during
-.Cm HostbasedAuthentication .
-A setting of
-.Dq yes
-means that
-.Xr sshd 8
-uses the name supplied by the client rather than
-attempting to resolve the name from the TCP connection itself.
-The default is
-.Dq no .
-.It Cm HostKey
-Specifies a file containing a private host key
-used by SSH.
-The default is
-.Pa /etc/ssh/ssh_host_key
-for protocol version 1, and
-.Pa /etc/ssh/ssh_host_rsa_key
-and
-.Pa /etc/ssh/ssh_host_dsa_key
-for protocol version 2.
-Note that
-.Xr sshd 8
-will refuse to use a file if it is group/world-accessible.
-It is possible to have multiple host key files.
-.Dq rsa1
-keys are used for version 1 and
-.Dq dsa
-or
-.Dq rsa
-are used for version 2 of the SSH protocol.
-.It Cm IgnoreRhosts
-Specifies that
-.Pa .rhosts
-and
-.Pa .shosts
-files will not be used in
-.Cm RhostsRSAAuthentication
-or
-.Cm HostbasedAuthentication .
-.Pp
-.Pa /etc/hosts.equiv
-and
-.Pa /etc/shosts.equiv
-are still used.
-The default is
-.Dq yes .
-.It Cm IgnoreUserKnownHosts
-Specifies whether
-.Xr sshd 8
-should ignore the user's
-.Pa ~/.ssh/known_hosts
-during
-.Cm RhostsRSAAuthentication
-or
-.Cm HostbasedAuthentication .
-The default is
-.Dq no .
-.It Cm KerberosAuthentication
-Specifies whether the password provided by the user for
-.Cm PasswordAuthentication
-will be validated through the Kerberos KDC.
-To use this option, the server needs a
-Kerberos servtab which allows the verification of the KDC's identity.
-The default is
-.Dq no .
-.It Cm KerberosGetAFSToken
-If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
-an AFS token before accessing the user's home directory.
-The default is
-.Dq no .
-.It Cm KerberosOrLocalPasswd
-If password authentication through Kerberos fails then
-the password will be validated via any additional local mechanism
-such as
-.Pa /etc/passwd .
-The default is
-.Dq yes .
-.It Cm KerberosTicketCleanup
-Specifies whether to automatically destroy the user's ticket cache
-file on logout.
-The default is
-.Dq yes .
-.It Cm KeyRegenerationInterval
-In protocol version 1, the ephemeral server key is automatically regenerated
-after this many seconds (if it has been used).
-The purpose of regeneration is to prevent
-decrypting captured sessions by later breaking into the machine and
-stealing the keys.
-The key is never stored anywhere.
-If the value is 0, the key is never regenerated.
-The default is 3600 (seconds).
-.It Cm ListenAddress
-Specifies the local addresses
-.Xr sshd 8
-should listen on.
-The following forms may be used:
-.Pp
-.Bl -item -offset indent -compact
-.It
-.Cm ListenAddress
-.Sm off
-.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
-.Sm on
-.It
-.Cm ListenAddress
-.Sm off
-.Ar host No | Ar IPv4_addr No : Ar port
-.Sm on
-.It
-.Cm ListenAddress
-.Sm off
-.Oo
-.Ar host No | Ar IPv6_addr Oc : Ar port
-.Sm on
-.El
-.Pp
-If
-.Ar port
-is not specified,
-sshd will listen on the address and all prior
-.Cm Port
-options specified.
-The default is to listen on all local addresses.
-Multiple
-.Cm ListenAddress
-options are permitted.
-Additionally, any
-.Cm Port
-options must precede this option for non-port qualified addresses.
-.It Cm LoginGraceTime
-The server disconnects after this time if the user has not
-successfully logged in.
-If the value is 0, there is no time limit.
-The default is 120 seconds.
-.It Cm LogLevel
-Gives the verbosity level that is used when logging messages from
-.Xr sshd 8 .
-The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
-The default is INFO.
-DEBUG and DEBUG1 are equivalent.
-DEBUG2 and DEBUG3 each specify higher levels of debugging output.
-Logging with a DEBUG level violates the privacy of users and is not recommended.
-.It Cm MACs
-Specifies the available MAC (message authentication code) algorithms.
-The MAC algorithm is used in protocol version 2
-for data integrity protection.
-Multiple algorithms must be comma-separated.
-The default is:
-.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
-.It Cm Match
-Introduces a conditional block.
-If all of the criteria on the
-.Cm Match
-line are satisfied, the keywords on the following lines override those
-set in the global section of the config file, until either another
-.Cm Match
-line or the end of the file.
-The arguments to
-.Cm Match
-are one or more criteria-pattern pairs.
-The available criteria are
-.Cm User ,
-.Cm Group ,
-.Cm Host ,
-and
-.Cm Address .
-Only a subset of keywords may be used on the lines following a
-.Cm Match
-keyword.
-Available keywords are
-.Cm AllowTcpForwarding ,
-.Cm ForceCommand ,
-.Cm GatewayPorts ,
-.Cm PermitOpen ,
-.Cm X11DisplayOffset ,
-.Cm X11Forwarding ,
-and
-.Cm X11UseLocalHost .
-.It Cm MaxAuthTries
-Specifies the maximum number of authentication attempts permitted per
-connection.
-Once the number of failures reaches half this value,
-additional failures are logged.
-The default is 6.
-.It Cm MaxStartups
-Specifies the maximum number of concurrent unauthenticated connections to the
-SSH daemon.
-Additional connections will be dropped until authentication succeeds or the
-.Cm LoginGraceTime
-expires for a connection.
-The default is 10.
-.Pp
-Alternatively, random early drop can be enabled by specifying
-the three colon separated values
-.Dq start:rate:full
-(e.g. "10:30:60").
-.Xr sshd 8
-will refuse connection attempts with a probability of
-.Dq rate/100
-(30%)
-if there are currently
-.Dq start
-(10)
-unauthenticated connections.
-The probability increases linearly and all connection attempts
-are refused if the number of unauthenticated connections reaches
-.Dq full
-(60).
-.It Cm PasswordAuthentication
-Specifies whether password authentication is allowed.
-The default is
-.Dq yes .
-.It Cm PermitEmptyPasswords
-When password authentication is allowed, it specifies whether the
-server allows login to accounts with empty password strings.
-The default is
-.Dq no .
-.It Cm PermitOpen
-Specifies the destinations to which TCP port forwarding is permitted.
-The forwarding specification must be one of the following forms:
-.Pp
-.Bl -item -offset indent -compact
-.It
-.Cm PermitOpen
-.Sm off
-.Ar host : port
-.Sm on
-.It
-.Cm PermitOpen
-.Sm off
-.Ar IPv4_addr : port
-.Sm on
-.It
-.Cm PermitOpen
-.Sm off
-.Ar \&[ IPv6_addr \&] : port
-.Sm on
-.El
-.Pp
-Multiple forwards may be specified by separating them with whitespace.
-An argument of
-.Dq any
-can be used to remove all restrictions and permit any forwarding requests.
-By default all port forwarding requests are permitted.
-.It Cm PermitRootLogin
-Specifies whether root can log in using
-.Xr ssh 1 .
-The argument must be
-.Dq yes ,
-.Dq without-password ,
-.Dq forced-commands-only ,
-or
-.Dq no .
-The default is
-.Dq yes .
-.Pp
-If this option is set to
-.Dq without-password ,
-password authentication is disabled for root.
-.Pp
-If this option is set to
-.Dq forced-commands-only ,
-root login with public key authentication will be allowed,
-but only if the
-.Ar command
-option has been specified
-(which may be useful for taking remote backups even if root login is
-normally not allowed).
-All other authentication methods are disabled for root.
-.Pp
-If this option is set to
-.Dq no ,
-root is not allowed to log in.
-.It Cm PermitTunnel
-Specifies whether
-.Xr tun 4
-device forwarding is allowed.
-The argument must be
-.Dq yes ,
-.Dq point-to-point
-(layer 3),
-.Dq ethernet
-(layer 2), or
-.Dq no .
-Specifying
-.Dq yes
-permits both
-.Dq point-to-point
-and
-.Dq ethernet .
-The default is
-.Dq no .
-.It Cm PermitUserEnvironment
-Specifies whether
-.Pa ~/.ssh/environment
-and
-.Cm environment=
-options in
-.Pa ~/.ssh/authorized_keys
-are processed by
-.Xr sshd 8 .
-The default is
-.Dq no .
-Enabling environment processing may enable users to bypass access
-restrictions in some configurations using mechanisms such as
-.Ev LD_PRELOAD .
-.It Cm PidFile
-Specifies the file that contains the process ID of the
-SSH daemon.
-The default is
-.Pa /var/run/sshd.pid .
-.It Cm Port
-Specifies the port number that
-.Xr sshd 8
-listens on.
-The default is 22.
-Multiple options of this type are permitted.
-See also
-.Cm ListenAddress .
-.It Cm PrintLastLog
-Specifies whether
-.Xr sshd 8
-should print the date and time of the last user login when a user logs
-in interactively.
-The default is
-.Dq yes .
-.It Cm PrintMotd
-Specifies whether
-.Xr sshd 8
-should print
-.Pa /etc/motd
-when a user logs in interactively.
-(On some systems it is also printed by the shell,
-.Pa /etc/profile ,
-or equivalent.)
-The default is
-.Dq yes .
-.It Cm Protocol
-Specifies the protocol versions
-.Xr sshd 8
-supports.
-The possible values are
-.Sq 1
-and
-.Sq 2 .
-Multiple versions must be comma-separated.
-The default is
-.Dq 2,1 .
-Note that the order of the protocol list does not indicate preference,
-because the client selects among multiple protocol versions offered
-by the server.
-Specifying
-.Dq 2,1
-is identical to
-.Dq 1,2 .
-.It Cm PubkeyAuthentication
-Specifies whether public key authentication is allowed.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 2 only.
-.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful RSA host authentication is allowed.
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
-.It Cm RSAAuthentication
-Specifies whether pure RSA authentication is allowed.
-The default is
-.Dq yes .
-This option applies to protocol version 1 only.
-.It Cm ServerKeyBits
-Defines the number of bits in the ephemeral protocol version 1 server key.
-The minimum value is 512, and the default is 768.
-.It Cm StrictModes
-Specifies whether
-.Xr sshd 8
-should check file modes and ownership of the
-user's files and home directory before accepting login.
-This is normally desirable because novices sometimes accidentally leave their
-directory or files world-writable.
-The default is
-.Dq yes .
-.It Cm Subsystem
-Configures an external subsystem (e.g. file transfer daemon).
-Arguments should be a subsystem name and a command (with optional arguments)
-to execute upon subsystem request.
-The command
-.Xr sftp-server 8
-implements the
-.Dq sftp
-file transfer subsystem.
-By default no subsystems are defined.
-Note that this option applies to protocol version 2 only.
-.It Cm SyslogFacility
-Gives the facility code that is used when logging messages from
-.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
-The default is AUTH.
-.It Cm TCPKeepAlive
-Specifies whether the system should send TCP keepalive messages to the
-other side.
-If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
-However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.
-On the other hand, if TCP keepalives are not sent,
-sessions may hang indefinitely on the server, leaving
-.Dq ghost
-users and consuming server resources.
-.Pp
-The default is
-.Dq yes
-(to send TCP keepalive messages), and the server will notice
-if the network goes down or the client host crashes.
-This avoids infinitely hanging sessions.
-.Pp
-To disable TCP keepalive messages, the value should be set to
-.Dq no .
-.It Cm UseDNS
-Specifies whether
-.Xr sshd 8
-should look up the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq yes .
-.It Cm UseLogin
-Specifies whether
-.Xr login 1
-is used for interactive login sessions.
-The default is
-.Dq no .
-Note that
-.Xr login 1
-is never used for remote command execution.
-Note also, that if this is enabled,
-.Cm X11Forwarding
-will be disabled because
-.Xr login 1
-does not know how to handle
-.Xr xauth 1
-cookies.
-If
-.Cm UsePrivilegeSeparation
-is specified, it will be disabled after authentication.
-.It Cm UsePAM
-Enables the Pluggable Authentication Module interface.
-If set to
-.Dq yes
-this will enable PAM authentication using
-.Cm ChallengeResponseAuthentication
-and
-.Cm PasswordAuthentication
-in addition to PAM account and session module processing for all
-authentication types.
-.Pp
-Because PAM challenge-response authentication usually serves an equivalent
-role to password authentication, you should disable either
-.Cm PasswordAuthentication
-or
-.Cm ChallengeResponseAuthentication.
-.Pp
-If
-.Cm UsePAM
-is enabled, you will not be able to run
-.Xr sshd 8
-as a non-root user.
-The default is
-.Dq no .
-.It Cm UsePrivilegeSeparation
-Specifies whether
-.Xr sshd 8
-separates privileges by creating an unprivileged child process
-to deal with incoming network traffic.
-After successful authentication, another process will be created that has
-the privilege of the authenticated user.
-The goal of privilege separation is to prevent privilege
-escalation by containing any corruption within the unprivileged processes.
-The default is
-.Dq yes .
-.It Cm X11DisplayOffset
-Specifies the first display number available for
-.Xr sshd 8 Ns 's
-X11 forwarding.
-This prevents sshd from interfering with real X11 servers.
-The default is 10.
-.It Cm X11Forwarding
-Specifies whether X11 forwarding is permitted.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.Pp
-When X11 forwarding is enabled, there may be additional exposure to
-the server and to client displays if the
-.Xr sshd 8
-proxy display is configured to listen on the wildcard address (see
-.Cm X11UseLocalhost
-below), though this is not the default.
-Additionally, the authentication spoofing and authentication data
-verification and substitution occur on the client side.
-The security risk of using X11 forwarding is that the client's X11
-display server may be exposed to attack when the SSH client requests
-forwarding (see the warnings for
-.Cm ForwardX11
-in
-.Xr ssh_config 5 ) .
-A system administrator may have a stance in which they want to
-protect clients that may expose themselves to attack by unwittingly
-requesting X11 forwarding, which can warrant a
-.Dq no
-setting.
-.Pp
-Note that disabling X11 forwarding does not prevent users from
-forwarding X11 traffic, as users can always install their own forwarders.
-X11 forwarding is automatically disabled if
-.Cm UseLogin
-is enabled.
-.It Cm X11UseLocalhost
-Specifies whether
-.Xr sshd 8
-should bind the X11 forwarding server to the loopback address or to
-the wildcard address.
-By default,
-sshd binds the forwarding server to the loopback address and sets the
-hostname part of the
-.Ev DISPLAY
-environment variable to
-.Dq localhost .
-This prevents remote hosts from connecting to the proxy display.
-However, some older X11 clients may not function with this
-configuration.
-.Cm X11UseLocalhost
-may be set to
-.Dq no
-to specify that the forwarding server should be bound to the wildcard
-address.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-.It Cm XAuthLocation
-Specifies the full pathname of the
-.Xr xauth 1
-program.
-The default is
-.Pa /usr/X11R6/bin/xauth .
-.El
-.Sh TIME FORMATS
-.Xr sshd 8
-command-line arguments and configuration file options that specify time
-may be expressed using a sequence of the form:
-.Sm off
-.Ar time Op Ar qualifier ,
-.Sm on
-where
-.Ar time
-is a positive integer value and
-.Ar qualifier
-is one of the following:
-.Pp
-.Bl -tag -width Ds -compact -offset indent
-.It Aq Cm none
-seconds
-.It Cm s | Cm S
-seconds
-.It Cm m | Cm M
-minutes
-.It Cm h | Cm H
-hours
-.It Cm d | Cm D
-days
-.It Cm w | Cm W
-weeks
-.El
-.Pp
-Each member of the sequence is added together to calculate
-the total time value.
-.Pp
-Time format examples:
-.Pp
-.Bl -tag -width Ds -compact -offset indent
-.It 600
-600 seconds (10 minutes)
-.It 10m
-10 minutes
-.It 1h30m
-1 hour 30 minutes (90 minutes)
-.El
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa /etc/ssh/sshd_config
-Contains configuration data for
-.Xr sshd 8 .
-This file should be writable by root only, but it is recommended
-(though not necessary) that it be world-readable.
-.El
-.Sh SEE ALSO
-.Xr sshd 8
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
-Niels Provos and Markus Friedl contributed support
-for privilege separation.