Diffstat (limited to 'crypto/openssh/sshd_config.0')
-rw-r--r-- crypto/openssh/sshd_config.0 1052
1 files changed, 0 insertions, 1052 deletions
diff --git a/crypto/openssh/sshd_config.0 b/crypto/openssh/sshd_config.0
deleted file mode 100644
index 1cc7459..0000000
--- a/crypto/openssh/sshd_config.0
+++ /dev/null
@@ -1,1052 +0,0 @@
-SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5)
-
-NAME
- sshd_config M-bM-^@M-^S OpenSSH SSH daemon configuration file
-
-SYNOPSIS
- /etc/ssh/sshd_config
-
-DESCRIPTION
- sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
- specified with -f on the command line). The file contains keyword-
- argument pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines
- are interpreted as comments. Arguments may optionally be enclosed in
- double quotes (") in order to represent arguments containing spaces.
-
- The possible keywords and their meanings are as follows (note that
- keywords are case-insensitive and arguments are case-sensitive):
-
- AcceptEnv
- Specifies what environment variables sent by the client will be
- copied into the session's environ(7). See SendEnv in
- ssh_config(5) for how to configure the client. Note that
- environment passing is only supported for protocol 2, and that
- the TERM environment variable is always sent whenever the client
- requests a pseudo-terminal as it is required by the protocol.
- Variables are specified by name, which may contain the wildcard
- characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be
- separated by whitespace or spread across multiple AcceptEnv
- directives. Be warned that some environment variables could be
- used to bypass restricted user environments. For this reason,
- care should be taken in the use of this directive. The default
- is not to accept any environment variables.
-
- AddressFamily
- Specifies which address family should be used by sshd(8). Valid
- arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6
- only). The default is M-bM-^@M-^\anyM-bM-^@M-^].
-
- AllowAgentForwarding
- Specifies whether ssh-agent(1) forwarding is permitted. The
- default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling agent forwarding does not
- improve security unless users are also denied shell access, as
- they can always install their own forwarders.
-
- AllowGroups
- This keyword can be followed by a list of group name patterns,
- separated by spaces. If specified, login is allowed only for
- users whose primary group or supplementary group list matches one
- of the patterns. Only group names are valid; a numerical group
- ID is not recognized. By default, login is allowed for all
- groups. The allow/deny directives are processed in the following
- order: DenyUsers, AllowUsers, DenyGroups, and finally
- AllowGroups.
-
- See PATTERNS in ssh_config(5) for more information on patterns.
-
- AllowTcpForwarding
- Specifies whether TCP forwarding is permitted. The available
- options are M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\allM-bM-^@M-^] to allow TCP forwarding, M-bM-^@M-^\noM-bM-^@M-^] to
- prevent all TCP forwarding, M-bM-^@M-^\localM-bM-^@M-^] to allow local (from the
- perspective of ssh(1)) forwarding only or M-bM-^@M-^\remoteM-bM-^@M-^] to allow
- remote forwarding only. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that
- disabling TCP forwarding does not improve security unless users
- are also denied shell access, as they can always install their
- own forwarders.
-
- AllowStreamLocalForwarding
- Specifies whether StreamLocal (Unix-domain socket) forwarding is
- permitted. The available options are M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\allM-bM-^@M-^] to allow
- StreamLocal forwarding, M-bM-^@M-^\noM-bM-^@M-^] to prevent all StreamLocal
- forwarding, M-bM-^@M-^\localM-bM-^@M-^] to allow local (from the perspective of
- ssh(1)) forwarding only or M-bM-^@M-^\remoteM-bM-^@M-^] to allow remote forwarding
- only. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling StreamLocal
- forwarding does not improve security unless users are also denied
- shell access, as they can always install their own forwarders.
-
- AllowUsers
- This keyword can be followed by a list of user name patterns,
- separated by spaces. If specified, login is allowed only for
- user names that match one of the patterns. Only user names are
- valid; a numerical user ID is not recognized. By default, login
- is allowed for all users. If the pattern takes the form
- USER@HOST then USER and HOST are separately checked, restricting
- logins to particular users from particular hosts. The allow/deny
- directives are processed in the following order: DenyUsers,
- AllowUsers, DenyGroups, and finally AllowGroups.
-
- See PATTERNS in ssh_config(5) for more information on patterns.
-
- AuthenticationMethods
- Specifies the authentication methods that must be successfully
- completed for a user to be granted access. This option must be
- followed by one or more comma-separated lists of authentication
- method names. Successful authentication requires completion of
- every method in at least one of these lists.
-
- For example, an argument of M-bM-^@M-^\publickey,password
- publickey,keyboard-interactiveM-bM-^@M-^] would require the user to
- complete public key authentication, followed by either password
- or keyboard interactive authentication. Only methods that are
- next in one or more lists are offered at each stage, so for this
- example, it would not be possible to attempt password or
- keyboard-interactive authentication before public key.
-
- For keyboard interactive authentication it is also possible to
- restrict authentication to a specific device by appending a colon
- followed by the device identifier M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], or M-bM-^@M-^\skeyM-bM-^@M-^],
- depending on the server configuration. For example,
- M-bM-^@M-^\keyboard-interactive:bsdauthM-bM-^@M-^] would restrict keyboard
- interactive authentication to the M-bM-^@M-^\bsdauthM-bM-^@M-^] device.
-
- If the M-bM-^@M-^\publickeyM-bM-^@M-^] method is listed more than once, sshd(8)
- verifies that keys that have been used successfully are not
- reused for subsequent authentications. For example, an
- AuthenticationMethods of M-bM-^@M-^\publickey,publickeyM-bM-^@M-^] will require
- successful authentication using two different public keys.
-
- This option is only available for SSH protocol 2 and will yield a
- fatal error if enabled if protocol 1 is also enabled. Note that
- each authentication method listed should also be explicitly
- enabled in the configuration. The default is not to require
- multiple authentication; successful completion of a single
- authentication method is sufficient.
-
- AuthorizedKeysCommand
- Specifies a program to be used to look up the user's public keys.
- The program must be owned by root, not writable by group or
- others and specified by an absolute path.
-
- Arguments to AuthorizedKeysCommand may be provided using the
- following tokens, which will be expanded at runtime: %% is
- replaced by a literal '%', %u is replaced by the username being
- authenticated, %h is replaced by the home directory of the user
- being authenticated, %t is replaced with the key type offered for
- authentication, %f is replaced with the fingerprint of the key,
- and %k is replaced with the key being offered for authentication.
- If no arguments are specified then the username of the target
- user will be supplied.
-
- The program should produce on standard output zero or more lines
- of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)). If a
- key supplied by AuthorizedKeysCommand does not successfully
- authenticate and authorize the user then public key
- authentication continues using the usual AuthorizedKeysFile
- files. By default, no AuthorizedKeysCommand is run.
-
- AuthorizedKeysCommandUser
- Specifies the user under whose account the AuthorizedKeysCommand
- is run. It is recommended to use a dedicated user that has no
- other role on the host than running authorized keys commands. If
- AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser
- is not, then sshd(8) will refuse to start.
-
- AuthorizedKeysFile
- Specifies the file that contains the public keys that can be used
- for user authentication. The format is described in the
- AUTHORIZED_KEYS FILE FORMAT section of sshd(8).
- AuthorizedKeysFile may contain tokens of the form %T which are
- substituted during connection setup. The following tokens are
- defined: %% is replaced by a literal '%', %h is replaced by the
- home directory of the user being authenticated, and %u is
- replaced by the username of that user. After expansion,
- AuthorizedKeysFile is taken to be an absolute path or one
- relative to the user's home directory. Multiple files may be
- listed, separated by whitespace. The default is
- M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^].
-
- AuthorizedPrincipalsCommand
- Specifies a program to be used to generate the list of allowed
- certificate principals as per AuthorizedPrincipalsFile. The
- program must be owned by root, not writable by group or others
- and specified by an absolute path.
-
- Arguments to AuthorizedPrincipalsCommand may be provided using
- the following tokens, which will be expanded at runtime: %% is
- replaced by a literal '%', %u is replaced by the username being
- authenticated and %h is replaced by the home directory of the
- user being authenticated.
-
- The program should produce on standard output zero or more lines
- of AuthorizedPrincipalsFile output. If either
- AuthorizedPrincipalsCommand or AuthorizedPrincipalsFile is
- specified, then certificates offered by the client for
- authentication must contain a principal that is listed. By
- default, no AuthorizedPrincipalsCommand is run.
-
- AuthorizedPrincipalsCommandUser
- Specifies the user under whose account the
- AuthorizedPrincipalsCommand is run. It is recommended to use a
- dedicated user that has no other role on the host than running
- authorized principals commands. If AuthorizedPrincipalsCommand
- is specified but AuthorizedPrincipalsCommandUser is not, then
- sshd(8) will refuse to start.
-
- AuthorizedPrincipalsFile
- Specifies a file that lists principal names that are accepted for
- certificate authentication. When using certificates signed by a
- key listed in TrustedUserCAKeys, this file lists names, one of
- which must appear in the certificate for it to be accepted for
- authentication. Names are listed one per line preceded by key
- options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)).
- Empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are ignored.
-
- AuthorizedPrincipalsFile may contain tokens of the form %T which
- are substituted during connection setup. The following tokens
- are defined: %% is replaced by a literal '%', %h is replaced by
- the home directory of the user being authenticated, and %u is
- replaced by the username of that user. After expansion,
- AuthorizedPrincipalsFile is taken to be an absolute path or one
- relative to the user's home directory.
-
- The default is M-bM-^@M-^\noneM-bM-^@M-^], i.e. not to use a principals file M-bM-^@M-^S in
- this case, the username of the user must appear in a
- certificate's principals list for it to be accepted. Note that
- AuthorizedPrincipalsFile is only used when authentication
- proceeds using a CA listed in TrustedUserCAKeys and is not
- consulted for certification authorities trusted via
- ~/.ssh/authorized_keys, though the principals= key option offers
- a similar facility (see sshd(8) for details).
-
- Banner The contents of the specified file are sent to the remote user
- before authentication is allowed. If the argument is M-bM-^@M-^\noneM-bM-^@M-^] then
- no banner is displayed. This option is only available for
- protocol version 2. By default, no banner is displayed.
-
- ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed
- (e.g. via PAM or through authentication styles supported in
- login.conf(5)) The default is M-bM-^@M-^\yesM-bM-^@M-^].
-
- ChrootDirectory
- Specifies the pathname of a directory to chroot(2) to after
- authentication. At session startup sshd(8) checks that all
- components of the pathname are root-owned directories which are
- not writable by any other user or group. After the chroot,
- sshd(8) changes the working directory to the user's home
- directory.
-
- The pathname may contain the following tokens that are expanded
- at runtime once the connecting user has been authenticated: %% is
- replaced by a literal '%', %h is replaced by the home directory
- of the user being authenticated, and %u is replaced by the
- username of that user.
-
- The ChrootDirectory must contain the necessary files and
- directories to support the user's session. For an interactive
- session this requires at least a shell, typically sh(1), and
- basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
- stderr(4), and tty(4) devices. For file transfer sessions using
- M-bM-^@M-^\sftpM-bM-^@M-^], no additional configuration of the environment is
- necessary if the in-process sftp server is used, though sessions
- which use logging may require /dev/log inside the chroot
- directory on some operating systems (see sftp-server(8) for
- details).
-
- For safety, it is very important that the directory hierarchy be
- prevented from modification by other processes on the system
- (especially those outside the jail). Misconfiguration can lead
- to unsafe environments which sshd(8) cannot detect.
-
- The default is not to chroot(2).
-
- Ciphers
- Specifies the ciphers allowed for protocol version 2. Multiple
- ciphers must be comma-separated. If the specified value begins
- with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be appended
- to the default set instead of replacing them.
-
- The supported ciphers are:
-
- 3des-cbc
- aes128-cbc
- aes192-cbc
- aes256-cbc
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-gcm@openssh.com
- aes256-gcm@openssh.com
- arcfour
- arcfour128
- arcfour256
- blowfish-cbc
- cast128-cbc
- chacha20-poly1305@openssh.com
-
- The default is:
-
- aes128-ctr,aes192-ctr,aes256-ctr,
- aes128-gcm@openssh.com,aes256-gcm@openssh.com,
- chacha20-poly1305@openssh.com
-
- The list of available ciphers may also be obtained using the -Q
- option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^].
-
- ClientAliveCountMax
- Sets the number of client alive messages (see below) which may be
- sent without sshd(8) receiving any messages back from the client.
- If this threshold is reached while client alive messages are
- being sent, sshd will disconnect the client, terminating the
- session. It is important to note that the use of client alive
- messages is very different from TCPKeepAlive (below). The client
- alive messages are sent through the encrypted channel and
- therefore will not be spoofable. The TCP keepalive option
- enabled by TCPKeepAlive is spoofable. The client alive mechanism
- is valuable when the client or server depend on knowing when a
- connection has become inactive.
-
- The default value is 3. If ClientAliveInterval (see below) is
- set to 15, and ClientAliveCountMax is left at the default,
- unresponsive SSH clients will be disconnected after approximately
- 45 seconds. This option applies to protocol version 2 only.
-
- ClientAliveInterval
- Sets a timeout interval in seconds after which if no data has
- been received from the client, sshd(8) will send a message
- through the encrypted channel to request a response from the
- client. The default is 0, indicating that these messages will
- not be sent to the client. This option applies to protocol
- version 2 only.
-
- Compression
- Specifies whether compression is allowed, or delayed until the
- user has authenticated successfully. The argument must be M-bM-^@M-^\yesM-bM-^@M-^],
- M-bM-^@M-^\delayedM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\delayedM-bM-^@M-^].
-
- DenyGroups
- This keyword can be followed by a list of group name patterns,
- separated by spaces. Login is disallowed for users whose primary
- group or supplementary group list matches one of the patterns.
- Only group names are valid; a numerical group ID is not
- recognized. By default, login is allowed for all groups. The
- allow/deny directives are processed in the following order:
- DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
-
- See PATTERNS in ssh_config(5) for more information on patterns.
-
- DenyUsers
- This keyword can be followed by a list of user name patterns,
- separated by spaces. Login is disallowed for user names that
- match one of the patterns. Only user names are valid; a
- numerical user ID is not recognized. By default, login is
- allowed for all users. If the pattern takes the form USER@HOST
- then USER and HOST are separately checked, restricting logins to
- particular users from particular hosts. The allow/deny
- directives are processed in the following order: DenyUsers,
- AllowUsers, DenyGroups, and finally AllowGroups.
-
- See PATTERNS in ssh_config(5) for more information on patterns.
-
- FingerprintHash
- Specifies the hash algorithm used when logging key fingerprints.
- Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The default is M-bM-^@M-^\sha256M-bM-^@M-^].
-
- ForceCommand
- Forces the execution of the command specified by ForceCommand,
- ignoring any command supplied by the client and ~/.ssh/rc if
- present. The command is invoked by using the user's login shell
- with the -c option. This applies to shell, command, or subsystem
- execution. It is most useful inside a Match block. The command
- originally supplied by the client is available in the
- SSH_ORIGINAL_COMMAND environment variable. Specifying a command
- of M-bM-^@M-^\internal-sftpM-bM-^@M-^] will force the use of an in-process sftp
- server that requires no support files when used with
- ChrootDirectory.
-
- GatewayPorts
- Specifies whether remote hosts are allowed to connect to ports
- forwarded for the client. By default, sshd(8) binds remote port
- forwardings to the loopback address. This prevents other remote
- hosts from connecting to forwarded ports. GatewayPorts can be
- used to specify that sshd should allow remote port forwardings to
- bind to non-loopback addresses, thus allowing other hosts to
- connect. The argument may be M-bM-^@M-^\noM-bM-^@M-^] to force remote port
- forwardings to be available to the local host only, M-bM-^@M-^\yesM-bM-^@M-^] to
- force remote port forwardings to bind to the wildcard address, or
- M-bM-^@M-^\clientspecifiedM-bM-^@M-^] to allow the client to select the address to
- which the forwarding is bound. The default is M-bM-^@M-^\noM-bM-^@M-^].
-
- GSSAPIAuthentication
- Specifies whether user authentication based on GSSAPI is allowed.
- The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol
- version 2 only.
-
- GSSAPICleanupCredentials
- Specifies whether to automatically destroy the user's credentials
- cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option
- applies to protocol version 2 only.
-
- GSSAPIStrictAcceptorCheck
- Determines whether to be strict about the identity of the GSSAPI
- acceptor a client authenticates against. If set to M-bM-^@M-^\yesM-bM-^@M-^] then
- the client must authenticate against the host service on the
- current hostname. If set to M-bM-^@M-^\noM-bM-^@M-^] then the client may
- authenticate against any service key stored in the machine's
- default store. This facility is provided to assist with
- operation on multi homed machines. The default is M-bM-^@M-^\yesM-bM-^@M-^].
-
- HostbasedAcceptedKeyTypes
- Specifies the key types that will be accepted for hostbased
- authentication as a comma-separated pattern list. Alternately if
- the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
- specified key types will be appended to the default set instead
- of replacing them. The default for this option is:
-
- ecdsa-sha2-nistp256-cert-v01@openssh.com,
- ecdsa-sha2-nistp384-cert-v01@openssh.com,
- ecdsa-sha2-nistp521-cert-v01@openssh.com,
- ssh-ed25519-cert-v01@openssh.com,
- ssh-rsa-cert-v01@openssh.com,
- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
- ssh-ed25519,ssh-rsa
-
- The -Q option of ssh(1) may be used to list supported key types.
-
- HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication
- together with successful public key client host authentication is
- allowed (host-based authentication). This option is similar to
- RhostsRSAAuthentication and applies to protocol version 2 only.
- The default is M-bM-^@M-^\noM-bM-^@M-^].
-
- HostbasedUsesNameFromPacketOnly
- Specifies whether or not the server will attempt to perform a
- reverse name lookup when matching the name in the ~/.shosts,
- ~/.rhosts, and /etc/hosts.equiv files during
- HostbasedAuthentication. A setting of M-bM-^@M-^\yesM-bM-^@M-^] means that sshd(8)
- uses the name supplied by the client rather than attempting to
- resolve the name from the TCP connection itself. The default is
- M-bM-^@M-^\noM-bM-^@M-^].
-
- HostCertificate
- Specifies a file containing a public host certificate. The
- certificate's public key must match a private host key already
- specified by HostKey. The default behaviour of sshd(8) is not to
- load any certificates.
-
- HostKey
- Specifies a file containing a private host key used by SSH. The
- default is /etc/ssh/ssh_host_key for protocol version 1, and
- /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
- /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
- protocol version 2.
-
- Note that sshd(8) will refuse to use a file if it is group/world-
- accessible and that the HostKeyAlgorithms option restricts which
- of the keys are actually used by sshd(8).
-
- It is possible to have multiple host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are
- used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are
- used for version 2 of the SSH protocol. It is also possible to
- specify public host key files instead. In this case operations
- on the private key will be delegated to an ssh-agent(1).
-
- HostKeyAgent
- Identifies the UNIX-domain socket used to communicate with an
- agent that has access to the private host keys. If
- M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be
- read from the SSH_AUTH_SOCK environment variable.
-
- HostKeyAlgorithms
- Specifies the protocol version 2 host key algorithms that the
- server offers. The default for this option is:
-
- ecdsa-sha2-nistp256-cert-v01@openssh.com,
- ecdsa-sha2-nistp384-cert-v01@openssh.com,
- ecdsa-sha2-nistp521-cert-v01@openssh.com,
- ssh-ed25519-cert-v01@openssh.com,
- ssh-rsa-cert-v01@openssh.com,
- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
- ssh-ed25519,ssh-rsa
-
- The list of available key types may also be obtained using the -Q
- option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^].
-
- IgnoreRhosts
- Specifies that .rhosts and .shosts files will not be used in
- RhostsRSAAuthentication or HostbasedAuthentication.
-
- /etc/hosts.equiv and /etc/shosts.equiv are still used. The
- default is M-bM-^@M-^\yesM-bM-^@M-^].
-
- IgnoreUserKnownHosts
- Specifies whether sshd(8) should ignore the user's
- ~/.ssh/known_hosts during RhostsRSAAuthentication or
- HostbasedAuthentication. The default is M-bM-^@M-^\noM-bM-^@M-^].
-
- IPQoS Specifies the IPv4 type-of-service or DSCP class for the
- connection. Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^],
- M-bM-^@M-^\af22M-bM-^@M-^], M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^],
- M-bM-^@M-^\cs0M-bM-^@M-^], M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^],
- M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value.
- This option may take one or two arguments, separated by
- whitespace. If one argument is specified, it is used as the
- packet class unconditionally. If two values are specified, the
- first is automatically selected for interactive sessions and the
- second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^]
- for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive
- sessions.
-
- KbdInteractiveAuthentication
- Specifies whether to allow keyboard-interactive authentication.
- The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default
- is to use whatever value ChallengeResponseAuthentication is set
- to (by default M-bM-^@M-^\yesM-bM-^@M-^]).
-
- KerberosAuthentication
- Specifies whether the password provided by the user for
- PasswordAuthentication will be validated through the Kerberos
- KDC. To use this option, the server needs a Kerberos servtab
- which allows the verification of the KDC's identity. The default
- is M-bM-^@M-^\noM-bM-^@M-^].
-
- KerberosGetAFSToken
- If AFS is active and the user has a Kerberos 5 TGT, attempt to
- acquire an AFS token before accessing the user's home directory.
- The default is M-bM-^@M-^\noM-bM-^@M-^].
-
- KerberosOrLocalPasswd
- If password authentication through Kerberos fails then the
- password will be validated via any additional local mechanism
- such as /etc/passwd. The default is M-bM-^@M-^\yesM-bM-^@M-^].
-
- KerberosTicketCleanup
- Specifies whether to automatically destroy the user's ticket
- cache file on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^].
-
- KexAlgorithms
- Specifies the available KEX (Key Exchange) algorithms. Multiple
- algorithms must be comma-separated. Alternately if the specified
- value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods
- will be appended to the default set instead of replacing them.
- The supported algorithms are:
-
- curve25519-sha256@libssh.org
- diffie-hellman-group1-sha1
- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group-exchange-sha256
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
-
- The default is:
-
- curve25519-sha256@libssh.org,
- ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
- diffie-hellman-group-exchange-sha256,
- diffie-hellman-group14-sha1
-
- The list of available key exchange algorithms may also be
- obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
-
- KeyRegenerationInterval
- In protocol version 1, the ephemeral server key is automatically
- regenerated after this many seconds (if it has been used). The
- purpose of regeneration is to prevent decrypting captured
- sessions by later breaking into the machine and stealing the
- keys. The key is never stored anywhere. If the value is 0, the
- key is never regenerated. The default is 3600 (seconds).
-
- ListenAddress
- Specifies the local addresses sshd(8) should listen on. The
- following forms may be used:
-
- ListenAddress host|IPv4_addr|IPv6_addr
- ListenAddress host|IPv4_addr:port
- ListenAddress [host|IPv6_addr]:port
-
- If port is not specified, sshd will listen on the address and all
- Port options specified. The default is to listen on all local
- addresses. Multiple ListenAddress options are permitted.
-
- LoginGraceTime
- The server disconnects after this time if the user has not
- successfully logged in. If the value is 0, there is no time
- limit. The default is 120 seconds.
-
- LogLevel
- Gives the verbosity level that is used when logging messages from
- sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO,
- VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
- DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
- higher levels of debugging output. Logging with a DEBUG level
- violates the privacy of users and is not recommended.
-
- MACs Specifies the available MAC (message authentication code)
- algorithms. The MAC algorithm is used in protocol version 2 for
- data integrity protection. Multiple algorithms must be comma-
- separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
- then the specified algorithms will be appended to the default set
- instead of replacing them.
-
- The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after
- encryption (encrypt-then-mac). These are considered safer and
- their use recommended. The supported MACs are:
-
- hmac-md5
- hmac-md5-96
- hmac-ripemd160
- hmac-sha1
- hmac-sha1-96
- hmac-sha2-256
- hmac-sha2-512
- umac-64@openssh.com
- umac-128@openssh.com
- hmac-md5-etm@openssh.com
- hmac-md5-96-etm@openssh.com
- hmac-ripemd160-etm@openssh.com
- hmac-sha1-etm@openssh.com
- hmac-sha1-96-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
- umac-64-etm@openssh.com
- umac-128-etm@openssh.com
-
- The default is:
-
- umac-64-etm@openssh.com,umac-128-etm@openssh.com,
- hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
- umac-64@openssh.com,umac-128@openssh.com,
- hmac-sha2-256,hmac-sha2-512
-
- The list of available MAC algorithms may also be obtained using
- the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^].
-
- Match Introduces a conditional block. If all of the criteria on the
- Match line are satisfied, the keywords on the following lines
- override those set in the global section of the config file,
- until either another Match line or the end of the file. If a
- keyword appears in multiple Match blocks that are satisfied, only
- the first instance of the keyword is applied.
-
- The arguments to Match are one or more criteria-pattern pairs or
- the single token All which matches all criteria. The available
- criteria are User, Group, Host, LocalAddress, LocalPort, and
- Address. The match patterns may consist of single entries or
- comma-separated lists and may use the wildcard and negation
- operators described in the PATTERNS section of ssh_config(5).
-
- The patterns in an Address criteria may additionally contain
- addresses to match in CIDR address/masklen format, e.g.
- M-bM-^@M-^\192.0.2.0/24M-bM-^@M-^] or M-bM-^@M-^\3ffe:ffff::/32M-bM-^@M-^]. Note that the mask length
- provided must be consistent with the address - it is an error to
- specify a mask length that is too long for the address or one
- with bits set in this host portion of the address. For example,
- M-bM-^@M-^\192.0.2.0/33M-bM-^@M-^] and M-bM-^@M-^\192.0.2.0/8M-bM-^@M-^] respectively.
-
- Only a subset of keywords may be used on the lines following a
- Match keyword. Available keywords are AcceptEnv,
- AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding,
- AllowTcpForwarding, AllowUsers, AuthenticationMethods,
- AuthorizedKeysCommand, AuthorizedKeysCommandUser,
- AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
- ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
- GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes,
- HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS,
- KbdInteractiveAuthentication, KerberosAuthentication,
- MaxAuthTries, MaxSessions, PasswordAuthentication,
- PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY,
- PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes,
- PubkeyAuthentication, RekeyLimit, RevokedKeys,
- RhostsRSAAuthentication, RSAAuthentication, StreamLocalBindMask,
- StreamLocalBindUnlink, TrustedUserCAKeys, X11DisplayOffset,
- X11Forwarding and X11UseLocalHost.
-
- MaxAuthTries
- Specifies the maximum number of authentication attempts permitted
- per connection. Once the number of failures reaches half this
- value, additional failures are logged. The default is 6.
-
- MaxSessions
- Specifies the maximum number of open sessions permitted per
- network connection. The default is 10.
-
- MaxStartups
- Specifies the maximum number of concurrent unauthenticated
- connections to the SSH daemon. Additional connections will be
- dropped until authentication succeeds or the LoginGraceTime
- expires for a connection. The default is 10:30:100.
-
- Alternatively, random early drop can be enabled by specifying the
- three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g. "10:30:60").
- sshd(8) will refuse connection attempts with a probability of
- M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10)
- unauthenticated connections. The probability increases linearly
- and all connection attempts are refused if the number of
- unauthenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60).
-
- PasswordAuthentication
- Specifies whether password authentication is allowed. The
- default is M-bM-^@M-^\yesM-bM-^@M-^].
-
- PermitEmptyPasswords
- When password authentication is allowed, it specifies whether the
- server allows login to accounts with empty password strings. The
- default is M-bM-^@M-^\noM-bM-^@M-^].
-
- PermitOpen
- Specifies the destinations to which TCP port forwarding is
- permitted. The forwarding specification must be one of the
- following forms:
-
- PermitOpen host:port
- PermitOpen IPv4_addr:port
- PermitOpen [IPv6_addr]:port
-
- Multiple forwards may be specified by separating them with
- whitespace. An argument of M-bM-^@M-^\anyM-bM-^@M-^] can be used to remove all
- restrictions and permit any forwarding requests. An argument of
- M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. By
- default all port forwarding requests are permitted.
-
- PermitRootLogin
- Specifies whether root can log in using ssh(1). The argument
- must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^],
- M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is
- M-bM-^@M-^\prohibit-passwordM-bM-^@M-^].
-
- If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or
- M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive
- authentication are disabled for root.
-
- If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with
- public key authentication will be allowed, but only if the
- command option has been specified (which may be useful for taking
- remote backups even if root login is normally not allowed). All
- other authentication methods are disabled for root.
-
- If this option is set to M-bM-^@M-^\noM-bM-^@M-^], root is not allowed to log in.
-
- PermitTunnel
- Specifies whether tun(4) device forwarding is allowed. The
- argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), M-bM-^@M-^\ethernetM-bM-^@M-^]
- (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] permits both
- M-bM-^@M-^\point-to-pointM-bM-^@M-^] and M-bM-^@M-^\ethernetM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
-
- Independent of this setting, the permissions of the selected
- tun(4) device must allow access to the user.
-
- PermitTTY
- Specifies whether pty(4) allocation is permitted. The default is
- M-bM-^@M-^\yesM-bM-^@M-^].
-
- PermitUserEnvironment
- Specifies whether ~/.ssh/environment and environment= options in
- ~/.ssh/authorized_keys are processed by sshd(8). The default is
- M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass
- access restrictions in some configurations using mechanisms such
- as LD_PRELOAD.
-
- PermitUserRC
- Specifies whether any ~/.ssh/rc file is executed. The default is
- M-bM-^@M-^\yesM-bM-^@M-^].
-
- PidFile
- Specifies the file that contains the process ID of the SSH
- daemon, or M-bM-^@M-^\noneM-bM-^@M-^] to not write one. The default is
- /var/run/sshd.pid.
-
- Port Specifies the port number that sshd(8) listens on. The default
- is 22. Multiple options of this type are permitted. See also
- ListenAddress.
-
- PrintLastLog
- Specifies whether sshd(8) should print the date and time of the
- last user login when a user logs in interactively. The default
- is M-bM-^@M-^\yesM-bM-^@M-^].
-
- PrintMotd
- Specifies whether sshd(8) should print /etc/motd when a user logs
- in interactively. (On some systems it is also printed by the
- shell, /etc/profile, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^].
-
- Protocol
- Specifies the protocol versions sshd(8) supports. The possible
- values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple versions must be comma-
- separated. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Note that the order of the
- protocol list does not indicate preference, because the client
- selects among multiple protocol versions offered by the server.
- Specifying M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^].
-
- PubkeyAcceptedKeyTypes
- Specifies the key types that will be accepted for public key
- authentication as a comma-separated pattern list. Alternately if
- the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
- specified key types will be appended to the default set instead
- of replacing them. The default for this option is:
-
- ecdsa-sha2-nistp256-cert-v01@openssh.com,
- ecdsa-sha2-nistp384-cert-v01@openssh.com,
- ecdsa-sha2-nistp521-cert-v01@openssh.com,
- ssh-ed25519-cert-v01@openssh.com,
- ssh-rsa-cert-v01@openssh.com,
- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
- ssh-ed25519,ssh-rsa
-
- The -Q option of ssh(1) may be used to list supported key types.
-
- PubkeyAuthentication
- Specifies whether public key authentication is allowed. The
- default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol
- version 2 only.
-
- RekeyLimit
- Specifies the maximum amount of data that may be transmitted
- before the session key is renegotiated, optionally followed a
- maximum amount of time that may pass before the session key is
- renegotiated. The first argument is specified in bytes and may
- have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes,
- Megabytes, or Gigabytes, respectively. The default is between
- M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second
- value is specified in seconds and may use any of the units
- documented in the TIME FORMATS section. The default value for
- RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that rekeying is
- performed after the cipher's default amount of data has been sent
- or received and no time based rekeying is done. This option
- applies to protocol version 2 only.
-
- RevokedKeys
- Specifies revoked public keys file, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one.
- Keys listed in this file will be refused for public key
- authentication. Note that if this file is not readable, then
- public key authentication will be refused for all users. Keys
- may be specified as a text file, listing one public key per line,
- or as an OpenSSH Key Revocation List (KRL) as generated by
- ssh-keygen(1). For more information on KRLs, see the KEY
- REVOCATION LISTS section in ssh-keygen(1).
-
- RhostsRSAAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication
- together with successful RSA host authentication is allowed. The
- default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only.
-
- RSAAuthentication
- Specifies whether pure RSA authentication is allowed. The
- default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1
- only.
-
- ServerKeyBits
- Defines the number of bits in the ephemeral protocol version 1
- server key. The default and minimum value is 1024.
-
- StreamLocalBindMask
- Sets the octal file creation mode mask (umask) used when creating
- a Unix-domain socket file for local or remote port forwarding.
- This option is only used for port forwarding to a Unix-domain
- socket file.
-
- The default value is 0177, which creates a Unix-domain socket
- file that is readable and writable only by the owner. Note that
- not all operating systems honor the file mode on Unix-domain
- socket files.
-
- StreamLocalBindUnlink
- Specifies whether to remove an existing Unix-domain socket file
- for local or remote port forwarding before creating a new one.
- If the socket file already exists and StreamLocalBindUnlink is
- not enabled, sshd will be unable to forward the port to the Unix-
- domain socket file. This option is only used for port forwarding
- to a Unix-domain socket file.
-
- The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
-
- StrictModes
- Specifies whether sshd(8) should check file modes and ownership
- of the user's files and home directory before accepting login.
- This is normally desirable because novices sometimes accidentally
- leave their directory or files world-writable. The default is
- M-bM-^@M-^\yesM-bM-^@M-^]. Note that this does not apply to ChrootDirectory, whose
- permissions and ownership are checked unconditionally.
-
- Subsystem
- Configures an external subsystem (e.g. file transfer daemon).
- Arguments should be a subsystem name and a command (with optional
- arguments) to execute upon subsystem request.
-
- The command sftp-server(8) implements the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer
- subsystem.
-
- Alternately the name M-bM-^@M-^\internal-sftpM-bM-^@M-^] implements an in-process
- M-bM-^@M-^\sftpM-bM-^@M-^] server. This may simplify configurations using
- ChrootDirectory to force a different filesystem root on clients.
-
- By default no subsystems are defined. Note that this option
- applies to protocol version 2 only.
-
- SyslogFacility
- Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
- default is AUTH.
-
- TCPKeepAlive
- Specifies whether the system should send TCP keepalive messages
- to the other side. If they are sent, death of the connection or
- crash of one of the machines will be properly noticed. However,
- this means that connections will die if the route is down
- temporarily, and some people find it annoying. On the other
- hand, if TCP keepalives are not sent, sessions may hang
- indefinitely on the server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming
- server resources.
-
- The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the
- server will notice if the network goes down or the client host
- crashes. This avoids infinitely hanging sessions.
-
- To disable TCP keepalive messages, the value should be set to
- M-bM-^@M-^\noM-bM-^@M-^].
-
- TrustedUserCAKeys
- Specifies a file containing public keys of certificate
- authorities that are trusted to sign user certificates for
- authentication, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. Keys are listed one
- per line; empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are allowed.
- If a certificate is presented for authentication and has its
- signing CA key listed in this file, then it may be used for
- authentication for any user listed in the certificate's
- principals list. Note that certificates that lack a list of
- principals will not be permitted for authentication using
- TrustedUserCAKeys. For more details on certificates, see the
- CERTIFICATES section in ssh-keygen(1).
-
- UseDNS Specifies whether sshd(8) should look up the remote host name,
- and to check that the resolved host name for the remote IP
- address maps back to the very same IP address.
-
- If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses
- and not host names may be used in ~/.ssh/known_hosts from and
- sshd_config(5) Match Host directives.
-
- UseLogin
- Specifies whether login(1) is used for interactive login
- sessions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used
- for remote command execution. Note also, that if this is
- enabled, X11Forwarding will be disabled because login(1) does not
- know how to handle xauth(1) cookies. If UsePrivilegeSeparation
- is specified, it will be disabled after authentication.
-
- UsePAM Enables the Pluggable Authentication Module interface. If set to
- M-bM-^@M-^\yesM-bM-^@M-^] this will enable PAM authentication using
- ChallengeResponseAuthentication and PasswordAuthentication in
- addition to PAM account and session module processing for all
- authentication types.
-
- Because PAM challenge-response authentication usually serves an
- equivalent role to password authentication, you should disable
- either PasswordAuthentication or ChallengeResponseAuthentication.
-
- If UsePAM is enabled, you will not be able to run sshd(8) as a
- non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^].
-
- UsePrivilegeSeparation
- Specifies whether sshd(8) separates privileges by creating an
- unprivileged child process to deal with incoming network traffic.
- After successful authentication, another process will be created
- that has the privilege of the authenticated user. The goal of
- privilege separation is to prevent privilege escalation by
- containing any corruption within the unprivileged processes. The
- default is M-bM-^@M-^\yesM-bM-^@M-^]. If UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^]
- then the pre-authentication unprivileged process is subject to
- additional restrictions.
-
- VersionAddendum
- Optionally specifies additional text to append to the SSH
- protocol banner sent by the server upon connection. The default
- is M-bM-^@M-^\noneM-bM-^@M-^].
-
- X11DisplayOffset
- Specifies the first display number available for sshd(8)'s X11
- forwarding. This prevents sshd from interfering with real X11
- servers. The default is 10.
-
- X11Forwarding
- Specifies whether X11 forwarding is permitted. The argument must
- be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
-
- When X11 forwarding is enabled, there may be additional exposure
- to the server and to client displays if the sshd(8) proxy display
- is configured to listen on the wildcard address (see
- X11UseLocalhost below), though this is not the default.
- Additionally, the authentication spoofing and authentication data
- verification and substitution occur on the client side. The
- security risk of using X11 forwarding is that the client's X11
- display server may be exposed to attack when the SSH client
- requests forwarding (see the warnings for ForwardX11 in
- ssh_config(5)). A system administrator may have a stance in
- which they want to protect clients that may expose themselves to
- attack by unwittingly requesting X11 forwarding, which can
- warrant a M-bM-^@M-^\noM-bM-^@M-^] setting.
-
- Note that disabling X11 forwarding does not prevent users from
- forwarding X11 traffic, as users can always install their own
- forwarders. X11 forwarding is automatically disabled if UseLogin
- is enabled.
-
- X11UseLocalhost
- Specifies whether sshd(8) should bind the X11 forwarding server
- to the loopback address or to the wildcard address. By default,
- sshd binds the forwarding server to the loopback address and sets
- the hostname part of the DISPLAY environment variable to
- M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the
- proxy display. However, some older X11 clients may not function
- with this configuration. X11UseLocalhost may be set to M-bM-^@M-^\noM-bM-^@M-^] to
- specify that the forwarding server should be bound to the
- wildcard address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
- default is M-bM-^@M-^\yesM-bM-^@M-^].
-
- XAuthLocation
- Specifies the full pathname of the xauth(1) program, or M-bM-^@M-^\noneM-bM-^@M-^] to
- not use one. The default is /usr/X11R6/bin/xauth.
-
-TIME FORMATS
- sshd(8) command-line arguments and configuration file options that
- specify time may be expressed using a sequence of the form:
- time[qualifier], where time is a positive integer value and qualifier is
- one of the following:
-
- M-bM-^_M-(noneM-bM-^_M-) seconds
- s | S seconds
- m | M minutes
- h | H hours
- d | D days
- w | W weeks
-
- Each member of the sequence is added together to calculate the total time
- value.
-
- Time format examples:
-
- 600 600 seconds (10 minutes)
- 10m 10 minutes
- 1h30m 1 hour 30 minutes (90 minutes)
-
-FILES
- /etc/ssh/sshd_config
- Contains configuration data for sshd(8). This file should be
- writable by root only, but it is recommended (though not
- necessary) that it be world-readable.
-
-SEE ALSO
- sshd(8)
-
-AUTHORS
- OpenSSH is a derivative of the original and free ssh 1.2.12 release by
- Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
- de Raadt and Dug Song removed many bugs, re-added newer features and
- created OpenSSH. Markus Friedl contributed the support for SSH protocol
- versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
- for privilege separation.
-
-OpenBSD 5.8 August 6, 2015 OpenBSD 5.8
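Review bot: Nothing in this deletion shows what takes over from the preformatted page. The hunk header (-1,1052 +0,0) drops all of sshd_config.0 down to the "OpenBSD 5.8 August 6, 2015" footer line, so the commit message should say whether the man page source (sshd_config.5 in upstream OpenSSH) is still installed, and confirm that no install or packaging rule still lists the .0 file. The removed text also documents security-relevant defaults, for example PermitRootLogin ("The default is prohibit-password"), UseDNS ("no (the default)") and Protocol ("The default is 2"). Before merging, check that the documentation left in the tree describes the defaults of the sshd that is actually built, because an administrator reading a mismatched page may assume a stricter default than the binary applies.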