path: root/crypto/openssh/sshd_config.5
Diffstat (limited to 'crypto/openssh/sshd_config.5')
-rw-r--r-- crypto/openssh/sshd_config.5 99
1 files changed, 68 insertions, 31 deletions
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 5e3e289..efba408 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $
.\" $FreeBSD$
-.Dd February 6, 2013
+.Dd July 19, 2013
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -118,9 +118,7 @@ The allow/deny directives are processed in the following order:
and finally
.Cm AllowGroups .
.Pp
-See
-.Sx PATTERNS
-in
+See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm AllowTcpForwarding
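Review bot: Replacing `.Sx PATTERNS` with plain text is the right fix here: `.Sx` marks a cross-reference to a section of the current manual page, but PATTERNS is a section of ssh_config(5), which the following `.Xr ssh_config 5` already names, so the old markup produced a dangling in-page reference. The same correction is applied consistently in the later hunks that point at sections of ssh_config(5), sshd(8) and ssh-keygen(1).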
@@ -160,9 +158,7 @@ The allow/deny directives are processed in the following order:
and finally
.Cm AllowGroups .
.Pp
-See
-.Sx PATTERNS
-in
+See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm AuthenticationMethods
@@ -181,6 +177,20 @@ Only methods that are next in one or more lists are offered at each stage,
so for this example, it would not be possible to attempt password or
keyboard-interactive authentication before public key.
.Pp
+For keyboard interactive authentication it is also possible to
+restrict authentication to a specific device by appending a
+colon followed by the device identifier
+.Dq bsdauth ,
+.Dq pam ,
+or
+.Dq skey ,
+depending on the server configuration.
+For example,
+.Dq keyboard-interactive:bsdauth
+would restrict keyboard interactive authentication to the
+.Dq bsdauth
+device.
+.Pp
This option is only available for SSH protocol 2 and will yield a fatal
error if enabled if protocol 1 is also enabled.
Note that each authentication method listed should also be explicitly enabled
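Review bot: The new paragraph writes "keyboard interactive" unhyphenated in two places while the surrounding text (and the method name itself) uses "keyboard-interactive"; suggest "For keyboard-interactive authentication it is also possible" and "would restrict keyboard-interactive authentication to the" for consistency. It would also help to state what happens when the named device is not the one the server was built with (for example whether the method is then simply never offered), since the text only says that the available identifiers depend on server configuration.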
@@ -189,11 +199,10 @@ The default is not to require multiple authentication; successful completion
of a single authentication method is sufficient.
.It Cm AuthorizedKeysCommand
Specifies a program to be used to look up the user's public keys.
-The program will be invoked with a single argument of the username
+The program must be owned by root and not writable by group or others.
+It will be invoked with a single argument of the username
being authenticated, and should produce on standard output zero or
-more lines of authorized_keys output (see
-.Sx AUTHORIZED_KEYS
-in
+more lines of authorized_keys output (see AUTHORIZED_KEYS in
.Xr sshd 8 ) .
If a key supplied by AuthorizedKeysCommand does not successfully authenticate
and authorize the user then public key authentication continues using the usual
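Review bot: The added sentence "The program must be owned by root and not writable by group or others." states a requirement without saying how sshd enforces it; suggest adding whether a command that fails this check is refused at runtime (with the lookup treated as returning no keys) or whether the configuration is rejected when sshd starts, so an administrator can tell from the documentation why key lookup stops working after a permissions change. The ownership requirement itself is the right one for a program that sshd executes as part of authentication.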
@@ -208,7 +217,7 @@ than running authorized keys commands.
Specifies the file that contains the public keys that can be used
for user authentication.
The format is described in the
-.Sx AUTHORIZED_KEYS FILE FORMAT
+AUTHORIZED_KEYS FILE FORMAT
section of
.Xr sshd 8 .
.Cm AuthorizedKeysFile
@@ -232,9 +241,7 @@ When using certificates signed by a key listed in
this file lists names, one of which must appear in the certificate for it
to be accepted for authentication.
Names are listed one per line preceded by key options (as described
-in
-.Sx AUTHORIZED_KEYS FILE FORMAT
-in
+in AUTHORIZED_KEYS FILE FORMAT in
.Xr sshd 8 ) .
Empty lines and comments starting with
.Ql #
@@ -412,9 +419,7 @@ The allow/deny directives are processed in the following order:
and finally
.Cm AllowGroups .
.Pp
-See
-.Sx PATTERNS
-in
+See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm DenyUsers
@@ -433,9 +438,7 @@ The allow/deny directives are processed in the following order:
and finally
.Cm AllowGroups .
.Pp
-See
-.Sx PATTERNS
-in
+See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm ForceCommand
@@ -544,6 +547,18 @@ keys are used for version 1 and
or
.Dq rsa
are used for version 2 of the SSH protocol.
+It is also possible to specify public host key files instead.
+In this case operations on the private key will be delegated
+to an
+.Xr ssh-agent 1 .
+.It Cm HostKeyAgent
+Identifies the UNIX-domain socket used to communicate
+with an agent that has access to the private host keys.
+If
+.Dq SSH_AUTH_SOCK
+is specified, the location of the socket will be read from the
+.Ev SSH_AUTH_SOCK
+environment variable.
.It Cm IgnoreRhosts
Specifies that
.Pa .rhosts
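Review bot: HostKeyAgent is introduced without a default; the other keywords in this file end with a "The default is ..." sentence, so add one (presumably that no agent is used unless the option is set). The two references to SSH_AUTH_SOCK use different markup, `.Dq SSH_AUTH_SOCK` for the literal keyword value and `.Ev SSH_AUTH_SOCK` for the environment variable, which is correct, but the sentence would be clearer if it said whose environment is consulted, since sshd is normally started without an agent socket in its environment. Consider also noting in the HostKey paragraph that when public host key files are given, the matching private keys must already be loaded in that agent, otherwise the server has no usable host key.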
@@ -747,8 +762,7 @@ and
.Cm Address .
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
-.Sx PATTERNS
-section of
+PATTERNS section of
.Xr ssh_config 5 .
.Pp
The patterns in an
@@ -800,6 +814,7 @@ Available keywords are
.Cm PermitRootLogin ,
.Cm PermitTunnel ,
.Cm PubkeyAuthentication ,
+.Cm RekeyLimit ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
.Cm X11DisplayOffset ,
@@ -1003,6 +1018,32 @@ Specifies whether public key authentication is allowed.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm RekeyLimit
+Specifies the maximum amount of data that may be transmitted before the
+session key is renegotiated, optionally followed a maximum amount of
+time that may pass before the session key is renegotiated.
+The first argument is specified in bytes and may have a suffix of
+.Sq K ,
+.Sq M ,
+or
+.Sq G
+to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
+The default is between
+.Sq 1G
+and
+.Sq 4G ,
+depending on the cipher.
+The optional second value is specified in seconds and may use any of the
+units documented in the
+.Sx TIME FORMATS
+section.
+The default value for
+.Cm RekeyLimit
+is
+.Dq default none ,
+which means that rekeying is performed after the cipher's default amount
+of data has been sent or received and no time based rekeying is done.
+This option applies to protocol version 2 only.
.It Cm RevokedKeys
Specifies revoked public keys.
Keys listed in this file will be refused for public key authentication.
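Review bot: Missing word in the first sentence: "optionally followed a maximum amount of time" should read "optionally followed by a maximum amount of time". Two smaller style points: "Kilobytes, Megabytes, or Gigabytes" need not be capitalised, and "time based rekeying" reads better hyphenated as "time-based rekeying". The paragraph gives the data-volume default as "between 1G and 4G, depending on the cipher" without saying which bound applies to which ciphers; if that is too much detail for this page, a pointer to where the per-cipher limit is defined would help administrators who want to set a tighter limit than the default.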
@@ -1011,9 +1052,7 @@ be refused for all users.
Keys may be specified as a text file, listing one public key per line, or as
an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
-For more information on KRLs, see the
-.Sx KEY REVOCATION LISTS
-section in
+For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or
@@ -1104,9 +1143,7 @@ listed in the certificate's principals list.
Note that certificates that lack a list of principals will not be permitted
for authentication using
.Cm TrustedUserCAKeys .
-For more details on certificates, see the
-.Sx CERTIFICATES
-section in
+For more details on certificates, see the CERTIFICATES section in
.Xr ssh-keygen 1 .
.It Cm UseDNS
Specifies whether
@@ -1180,7 +1217,7 @@ restrictions.
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
-.Dq FreeBSD-20130515 .
+.Dq FreeBSD-20130918 .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
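Review bot: The VersionAddendum default is bumped from FreeBSD-20130515 to FreeBSD-20130918; this string is also emitted in the protocol banner, so check that the corresponding default in the sshd sources is updated in the same change, otherwise the documented default and the banner clients actually see will disagree. The format (FreeBSD- followed by a YYYYMMDD date) matches the previous value.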