Diffstat (limited to 'sshd_config.0'):
-rw-r--r--  sshd_config.0 | 63
1 file changed, 47 insertions, 16 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 0b340ad..cd6744b 100644 --- a/sshd_config.0 +++ b/sshd_config.0 @@ -76,10 +76,9 @@ DESCRIPTION path or one relative to the user's home directory. The default is ``.ssh/authorized_keys''. - Banner In some jurisdictions, sending a warning message before authenti- - cation may be relevant for getting legal protection. The con- - tents of the specified file are sent to the remote user before - authentication is allowed. This option is only available for + Banner The contents of the specified file are sent to the remote user + before authentication is allowed. If the argument is ``none'' + then no banner is displayed. This option is only available for protocol version 2. By default, no banner is displayed. ChallengeResponseAuthentication 
@@ -87,6 +86,28 @@ DESCRIPTION All authentication styles from login.conf(5) are supported. The default is ``yes''. + ChrootDirectory + Specifies a path to chroot(2) to after authentication. This + path, and all its components, must be root-owned directories that + are not writable by any other user or group. + + The path may contain the following tokens that are expanded at + runtime once the connecting user has been authenticated: %% is + replaced by a literal '%', %h is replaced by the home directory + of the user being authenticated, and %u is replaced by the user- + name of that user. + + The ChrootDirectory must contain the necessary files and directo- + ries to support the users' session. For an interactive session + this requires at least a shell, typically sh(1), and basic /dev + nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), + arandom(4) and tty(4) devices. For file transfer sessions using + ``sftp'', no additional configuration of the environment is nec- + essary if the in-process sftp server is used (see Subsystem for + details). + + The default is not to chroot(2). + Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are 
@@ -156,12 +177,15 @@ DESCRIPTION ForceCommand Forces the execution of the command specified by ForceCommand, - ignoring any command supplied by the client. The command is in- - voked by using the user's login shell with the -c option. This - applies to shell, command, or subsystem execution. It is most - useful inside a Match block. The command originally supplied by - the client is available in the SSH_ORIGINAL_COMMAND environment - variable. + ignoring any command supplied by the client and ~/.ssh/rc if pre- + sent. The command is invoked by using the user's login shell + with the -c option. This applies to shell, command, or subsystem + execution. It is most useful inside a Match block. The command + originally supplied by the client is available in the + SSH_ORIGINAL_COMMAND environment variable. Specifying a command + of ``internal-sftp'' will force the use of an in-process sftp + server that requires no support files when used with + ChrootDirectory. GatewayPorts Specifies whether remote hosts are allowed to connect to ports @@ -297,9 +321,9 @@ DESCRIPTION keyword. Available keywords are AllowTcpForwarding, Banner, ForceCommand, GatewayPorts, GSSApiAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, - PasswordAuthentication, PermitOpen, RhostsRSAAuthentication, - RSAAuthentication, X11DisplayOffset, X11Forwarding, and - X11UseLocalHost. + PasswordAuthentication, PermitOpen, PermitRootLogin, + RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, + X11Forwarding, and X11UseLocalHost. MaxAuthTries Specifies the maximum number of authentication attempts permitted 
@@ -428,8 +452,15 @@ DESCRIPTION Subsystem Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command (with optional - arguments) to execute upon subsystem request. The command - sftp-server(8) implements the ``sftp'' file transfer subsystem. + arguments) to execute upon subsystem request. + + The command sftp-server(8) implements the ``sftp'' file transfer + subsystem. + + Alternately the name ``internal-sftp'' implements an in-process + ``sftp'' server. This may simplify configurations using + ChrootDirectory to force a different filesystem root on clients. + By default no subsystems are defined. Note that this option ap- plies to protocol version 2 only. @@ -572,4 +603,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 4.2 June 11, 2007 9 +OpenBSD 4.3 March 27, 2008 10 |
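Review bot: In the Banner hunk the new sentence "If the argument is ``none'' then no banner is displayed" and the unchanged closing sentence "By default, no banner is displayed" state the same thing twice without being tied together; every other option on this page phrases its default as "The default is ``X''" (ChallengeResponseAuthentication directly below does), so the closing sentence should read "The default is ``none''." Dropping the legal-protection sentence also removes the only explanation of why anyone sets Banner at all; if that rationale is intentionally being taken out of the manual, fine, but otherwise keep one clause of it.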
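Review bot: The ChrootDirectory hunk never says what sshd does when the path or one of its components fails the "root-owned directories that are not writable by any other user or group" requirement (refuse the session, or log and proceed?); that check is the entire security boundary of the option, so its failure behaviour belongs in the text. The %h token is documented right after that requirement, yet a home directory is normally owned by the user, so "ChrootDirectory %h" can only satisfy the ownership rule if the home directory is re-owned to root; one sentence saying so would head off the obvious misconfiguration. Minor: "to support the users' session" should be "the user's session".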
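Review bot: In the ForceCommand hunk, "ignoring any command supplied by the client and ~/.ssh/rc if present" can be read as the client command being ignored only when ~/.ssh/rc exists; suggest "ignoring any command supplied by the client. Any ~/.ssh/rc is not executed either." The new internal-sftp sentence also sits right after "The command is invoked by using the user's login shell with the -c option", and the hunk's own wording that the in-process server "requires no support files" implies the login shell is not invoked for it; say that explicitly, or readers will assume sh(1) must still exist inside the chroot, and cross-reference the Subsystem section where the ``internal-sftp'' name is defined.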
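Review bot: The Match keyword list gains PermitRootLogin but not ChrootDirectory, although this same patch introduces ChrootDirectory and pairs it with ForceCommand internal-sftp, which the ForceCommand text says is "most useful inside a Match block". If ChrootDirectory is accepted inside Match it should be listed here (between Banner and ForceCommand to keep the alphabetical order); if it is not, the ChrootDirectory text should state that it is global only, since per-user or per-group chroot is the obvious use.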
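Review bot: The ChrootDirectory hunk sends readers to "see Subsystem for details" about the in-process server, but the Subsystem hunk offers no details beyond "This may simplify configurations using ChrootDirectory"; the statement that internal-sftp needs no support files inside the chroot (currently only in the ForceCommand hunk) should be repeated or moved here, ideally with the literal line "Subsystem sftp internal-sftp" as the example. "Force a different filesystem root on clients" is also misleading, since the chroot changes the root seen by the server-side session, not anything on the client; and "Alternately" should be "Alternatively".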