Diffstat (limited to 'crypto/openssh/sshd_config.0')
-rw-r--r-- crypto/openssh/sshd_config.0 | 125
1 files changed, 98 insertions, 27 deletions
diff --git a/crypto/openssh/sshd_config.0 b/crypto/openssh/sshd_config.0 index 413c260..1c82d44 100644 --- a/crypto/openssh/sshd_config.0 +++ b/crypto/openssh/sshd_config.0 @@ -1,4 +1,4 @@ -SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) +SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5) NAME sshd_config - OpenSSH SSH daemon configuration file @@ -62,6 +62,16 @@ DESCRIPTION are also denied shell access, as they can always install their own forwarders. + AllowStreamLocalForwarding + Specifies whether StreamLocal (Unix-domain socket) forwarding is + permitted. The available options are ``yes'' or ``all'' to allow + StreamLocal forwarding, ``no'' to prevent all StreamLocal + forwarding, ``local'' to allow local (from the perspective of + ssh(1)) forwarding only or ``remote'' to allow remote forwarding + only. The default is ``yes''. Note that disabling StreamLocal + forwarding does not improve security unless users are also denied + shell access, as they can always install their own forwarders. + AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for @@ -168,7 +178,7 @@ DESCRIPTION ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed - (e.g. via PAM or though authentication styles supported in + (e.g. via PAM or through authentication styles supported in login.conf(5)) The default is ``yes''. ChrootDirectory @@ -191,8 +201,9 @@ DESCRIPTION stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using ``sftp'', no additional configuration of the environment is necessary if the in-process sftp server is used, - though sessions which use logging do require /dev/log inside the - chroot directory (see sftp-server(8) for details). + though sessions which use logging may require /dev/log inside the + chroot directory on some operating systems (see sftp-server(8) + for details). The default is not to chroot(2). 
@@ -200,19 +211,27 @@ DESCRIPTION Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are: - ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', - ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', - ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', - ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', - ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''. + 3des-cbc + aes128-cbc + aes192-cbc + aes256-cbc + aes128-ctr + aes192-ctr + aes256-ctr + aes128-gcm@openssh.com + aes256-gcm@openssh.com + arcfour + arcfour128 + arcfour256 + blowfish-cbc + cast128-cbc + chacha20-poly1305@openssh.com The default is: - aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, - aes128-gcm@openssh.com,aes256-gcm@openssh.com, - chacha20-poly1305@openssh.com, - aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, - aes256-cbc,arcfour + aes128-ctr,aes192-ctr,aes256-ctr, + aes128-gcm@openssh.com,aes256-gcm@openssh.com, + chacha20-poly1305@openssh.com The list of available ciphers may also be obtained using the -Q option of ssh(1). @@ -403,14 +422,24 @@ DESCRIPTION KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple - algorithms must be comma-separated. The default is + algorithms must be comma-separated. The supported algorithms + are: + + curve25519-sha256@libssh.org + diffie-hellman-group1-sha1 + diffie-hellman-group14-sha1 + diffie-hellman-group-exchange-sha1 + diffie-hellman-group-exchange-sha256 + ecdh-sha2-nistp256 + ecdh-sha2-nistp384 + ecdh-sha2-nistp521 + + The default is: curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, - diffie-hellman-group-exchange-sha1, - diffie-hellman-group14-sha1, - diffie-hellman-group1-sha1 + diffie-hellman-group14-sha1 KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically 
@@ -452,16 +481,33 @@ DESCRIPTION data integrity protection. Multiple algorithms must be comma- separated. The algorithms that contain ``-etm'' calculate the MAC after encryption (encrypt-then-mac). These are considered - safer and their use recommended. The default is: + safer and their use recommended. The supported MACs are: + + hmac-md5 + hmac-md5-96 + hmac-ripemd160 + hmac-sha1 + hmac-sha1-96 + hmac-sha2-256 + hmac-sha2-512 + umac-64@openssh.com + umac-128@openssh.com + hmac-md5-etm@openssh.com + hmac-md5-96-etm@openssh.com + hmac-ripemd160-etm@openssh.com + hmac-sha1-etm@openssh.com + hmac-sha1-96-etm@openssh.com + hmac-sha2-256-etm@openssh.com + hmac-sha2-512-etm@openssh.com + umac-64-etm@openssh.com + umac-128-etm@openssh.com + + The default is: - hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, - hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, - hmac-md5-96-etm@openssh.com, - hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, - hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, - hmac-sha1-96,hmac-md5-96 + umac-64@openssh.com,umac-128@openssh.com, + hmac-sha2-256,hmac-sha2-512 Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines @@ -496,7 +542,7 @@ DESCRIPTION KbdInteractiveAuthentication, KerberosAuthentication, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, - PermitTunnel, PubkeyAuthentication, RekeyLimit, + PermitTunnel, PermitUserRC, PubkeyAuthentication, RekeyLimit, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding and X11UseLocalHost. 
@@ -580,6 +626,10 @@ DESCRIPTION bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD. + PermitUserRC + Specifies whether any ~/.ssh/rc file is executed. The default is + ``yes''. + PidFile Specifies the file that contains the process ID of the SSH daemon. The default is /var/run/sshd.pid. @@ -650,6 +700,27 @@ DESCRIPTION Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. + StreamLocalBindMask + Sets the octal file creation mode mask (umask) used when creating + a Unix-domain socket file for local or remote port forwarding. + This option is only used for port forwarding to a Unix-domain + socket file. + + The default value is 0177, which creates a Unix-domain socket + file that is readable and writable only by the owner. Note that + not all operating systems honor the file mode on Unix-domain + socket files. + + StreamLocalBindUnlink + Specifies whether to remove an existing Unix-domain socket file + for local or remote port forwarding before creating a new one. + If the socket file already exists and StreamLocalBindUnlink is + not enabled, sshd will be unable to forward the port to the Unix- + domain socket file. This option is only used for port forwarding + to a Unix-domain socket file. + + The argument must be ``yes'' or ``no''. The default is ``no''. + StrictModes Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. @@ -832,4 +903,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 5.5 February 27, 2014 OpenBSD 5.5 +OpenBSD 5.6 July 28, 2014 OpenBSD 5.6 |
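Review bot: the Match keyword list in the @@ -496,7 +542,7 @@ hunk gains PermitUserRC but none of the other keywords this patch introduces (AllowStreamLocalForwarding in @@ -62,6 +62,16 @@, StreamLocalBindMask and StreamLocalBindUnlink in @@ -650,6 +700,27 @@); if those are accepted inside a Match block, add them to that list, and if they are not, say so in their own descriptions so administrators do not assume per-user socket-forwarding policy can be expressed with Match. The AllowStreamLocalForwarding text otherwise mirrors AllowTcpForwarding, including the caveat that disabling it is not a security control unless shell access is also denied, which is the right note to carry over.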
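Review bot: the new default in the Ciphers hunk (@@ -200,19 +211,27 @@) silently drops arcfour, arcfour128, arcfour256, 3des-cbc, blowfish-cbc, cast128-cbc and every aes*-cbc mode while the supported list still advertises them; add one sentence after the default stating that the RC4 and CBC ciphers remain available but must now be listed explicitly in a Ciphers line, so the compatibility impact on older clients is visible to whoever reads only the default.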
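Review bot: the KexAlgorithms and MACs hunks (@@ -403,14 +422,24 @@ and @@ -452,16 +481,33 @@) remove diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1 and the hmac-md5*, hmac-ripemd160* and hmac-sha1* MACs from the defaults but keep them in the supported lists with no hint of why; a line marking those entries as legacy (the MACs text already does this in the positive direction for the -etm variants) would let readers understand the default change rather than merely observe it. Minor: the supported KexAlgorithms list places diffie-hellman-group1-sha1 ahead of diffie-hellman-group14-sha1 and the group-exchange entries, which reads as accidental ordering; align it with the order used for the default.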
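Review bot: the PermitUserRC entry in the @@ -580,6 +626,10 @@ hunk states only whether ~/.ssh/rc is executed and nothing about what that file is; add a cross-reference to sshd(8), which documents ~/.ssh/rc, so a reader deciding whether to set it to ``no'' can see what the file is allowed to do on login.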
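Review bot: the StreamLocalBindUnlink description in the @@ -650,6 +700,27 @@ hunk should say that the removal applies to whatever socket file already exists at the path, regardless of which process created it, so enabling the option can remove a socket belonging to another service; stating that next to the default of ``no'' makes the default read as the safe choice rather than an arbitrary one. StreamLocalBindMask correctly explains that 0177 yields an owner-only socket and warns that not all systems honour the mode on socket files, but unlike StreamLocalBindUnlink it never states the argument format; add "The argument must be an octal mode" for symmetry.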