Lines Matching +full:pam +full:- +full:enabled

50 The file contains keyword-argument pairs, one per line.
61 keywords are case-insensitive and arguments are case-sensitive):
62 .Bl -tag -width Ds
77 requests a pseudo-terminal as it is required by the protocol.
102 .Xr ssh-agent 1
127 Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
189 This option must be followed by one or more lists of comma-separated
198 .Qq publickey,password publickey,keyboard-interactive
203 keyboard-interactive authentication before public key.
210 .Cm pam .
213 .Qq keyboard-interactive:bsdauth
226 Note that each authentication method listed should also be explicitly enabled
230 .Qq gssapi-with-mic ,
232 .Qq keyboard-interactive ,
234 (used for access to password-less accounts when
236 is enabled),
385 .Bd -literal -offset indent
386 ssh-ed25519,ecdsa-sha2-nistp256,
387 ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
388 sk-ssh-ed25519@openssh.com,
389 sk-ecdsa-sha2-nistp256@openssh.com,
390 rsa-sha2-512,rsa-sha2-256
398 .Sq -
403 public key or host-based authentication.
437 .Bl -tag -width Ds
438 .It Cm agent-connection
440 .Xr ssh-agent 1 .
441 .It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
449 .It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
462 .It Cm tun-connection
466 .It Cm x11-connection
487 checks that all components of the pathname are root-owned directories
516 no additional configuration of the environment is necessary if the in-process
517 sftp-server is used,
521 .Xr sftp-server 8
537 Multiple ciphers must be comma-separated.
543 .Sq -
553 .Bl -item -compact -offset indent
555 3des-cbc
557 aes128-cbc
559 aes192-cbc
561 aes256-cbc
563 aes128-ctr
565 aes192-ctr
567 aes256-ctr
569 aes128-gcm@openssh.com
571 aes256-gcm@openssh.com
573 chacha20-poly1305@openssh.com
577 .Bd -literal -offset indent
578 chacha20-poly1305@openssh.com,
579 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
580 aes128-ctr,aes192-ctr,aes256-ctr
584 .Qq ssh -Q cipher .
596 The TCP keepalive option enabled by
621 Specifies whether compression is enabled after
672 .Xr ssh-agent 1 ,
674 This option overrides all other forwarding-related options and may
698 The command is invoked by using the user's login shell with the -c option.
707 .Cm internal-sftp
708 will force the use of an in-process SFTP server that requires no support
722 should allow remote port forwardings to bind to non-loopback addresses, thus
758 authentication as a list of comma-separated patterns.
764 .Sq -
772 .Bd -literal -offset 3n
773 ssh-ed25519-cert-v01@openssh.com,
774 ecdsa-sha2-nistp256-cert-v01@openssh.com,
775 ecdsa-sha2-nistp384-cert-v01@openssh.com,
776 ecdsa-sha2-nistp521-cert-v01@openssh.com,
777 sk-ssh-ed25519-cert-v01@openssh.com,
778 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
779 rsa-sha2-512-cert-v01@openssh.com,
780 rsa-sha2-256-cert-v01@openssh.com,
781 ssh-ed25519,
782 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
783 sk-ssh-ed25519@openssh.com,
784 sk-ecdsa-sha2-nistp256@openssh.com,
785 rsa-sha2-512,rsa-sha2-256
789 .Qq ssh -Q HostbasedAcceptedAlgorithms .
794 (host-based authentication).
833 will refuse to use a file if it is group/world-accessible
843 .Xr ssh-agent 1 .
845 Identifies the UNIX-domain socket used to communicate
856 .Bd -literal -offset 3n
857 ssh-ed25519-cert-v01@openssh.com,
858 ecdsa-sha2-nistp256-cert-v01@openssh.com,
859 ecdsa-sha2-nistp384-cert-v01@openssh.com,
860 ecdsa-sha2-nistp521-cert-v01@openssh.com,
861 sk-ssh-ed25519-cert-v01@openssh.com,
862 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
863 rsa-sha2-512-cert-v01@openssh.com,
864 rsa-sha2-256-cert-v01@openssh.com,
865 ssh-ed25519,
866 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
867 sk-ssh-ed25519@openssh.com,
868 sk-ecdsa-sha2-nistp256@openssh.com,
869 rsa-sha2-512,rsa-sha2-256
873 .Qq ssh -Q HostKeyAlgorithms .
875 Specifies whether to ignore per-user
881 The system-wide
889 (the default) to ignore all per-user files,
890 .Cm shosts-only
908 and use only the system-wide known hosts file
926 Specifies the IPv4 type-of-service or DSCP class for the connection.
959 interactive sessions and the second for non-interactive sessions.
962 (Low-Latency Data)
966 for non-interactive sessions.
968 Specifies whether to allow keyboard-interactive authentication.
1010 Multiple algorithms must be comma-separated.
1017 .Sq -
1027 .Bl -item -compact -offset indent
1029 curve25519-sha256
1031 curve25519-sha256@libssh.org
1033 diffie-hellman-group1-sha1
1035 diffie-hellman-group14-sha1
1037 diffie-hellman-group14-sha256
1039 diffie-hellman-group16-sha512
1041 diffie-hellman-group18-sha512
1043 diffie-hellman-group-exchange-sha1
1045 diffie-hellman-group-exchange-sha256
1047 ecdh-sha2-nistp256
1049 ecdh-sha2-nistp384
1051 ecdh-sha2-nistp521
1053 mlkem768x25519-sha256
1055 sntrup761x25519-sha512
1057 sntrup761x25519-sha512@openssh.com
1061 .Bd -literal -offset indent
1062 mlkem768x25519-sha256,
1063 sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
1064 curve25519-sha256,curve25519-sha256@libssh.org,
1065 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
1069 .Qq ssh -Q KexAlgorithms .
1076 .Bl -item -offset indent -compact
1141 .Bd -literal -offset indent
1152 This option is intended for debugging and no overrides are enabled by default.
1156 Multiple algorithms must be comma-separated.
1162 .Sq -
1171 .Qq -etm
1172 calculate the MAC after encryption (encrypt-then-mac).
1176 .Bl -item -compact -offset indent
1178 hmac-md5
1180 hmac-md5-96
1182 hmac-sha1
1184 hmac-sha1-96
1186 hmac-sha2-256
1188 hmac-sha2-512
1190 umac-64@openssh.com
1192 umac-128@openssh.com
1194 hmac-md5-etm@openssh.com
1196 hmac-md5-96-etm@openssh.com
1198 hmac-sha1-etm@openssh.com
1200 hmac-sha1-96-etm@openssh.com
1202 hmac-sha2-256-etm@openssh.com
1204 hmac-sha2-512-etm@openssh.com
1206 umac-64-etm@openssh.com
1208 umac-128-etm@openssh.com
1212 .Bd -literal -offset indent
1213 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1214 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1215 hmac-sha1-etm@openssh.com,
1216 umac-64@openssh.com,umac-128@openssh.com,
1217 hmac-sha2-256,hmac-sha2-512,hmac-sha1
1221 .Qq ssh -Q mac .
1237 are one or more criteria-pattern pairs or one of the single token criteria:
1240 .Cm Invalid-User ,
1241 which matches when the requested user-name does not match any known account.
1258 The match patterns may consist of single entries or comma-separated
1269 Note that the mask length provided must be consistent with the address -
1372 Alternatively, random early drop can be enabled by specifying
1383 file that contains the Diffie-Hellman groups used for the
1384 .Dq diffie-hellman-group-exchange-sha1
1386 .Dq diffie-hellman-group-exchange-sha256
1391 Specifies the service name used for Pluggable Authentication Modules (PAM)
1394 is enabled.
1414 .Bl -item -offset indent -compact
1456 .Bl -item -offset indent -compact
1492 .Cm prohibit-password ,
1493 .Cm forced-commands-only ,
1504 this setting may be overridden by the PAM policy.
1507 .Cm prohibit-password
1509 .Cm without-password ) ,
1510 password and keyboard-interactive authentication are disabled for root.
1513 .Cm forced-commands-only ,
1537 .Cm point-to-point
1545 .Cm point-to-point
1566 or a pattern-list specifying which environment variable names to accept
1611 Penalties are enabled by default with the default settings listed below
1619 .Bl -tag -width Ds
1636 .Xr ssh-keyscan 1 .
1637 .It Cm grace-exceeded:duration
1648 .It Cm max-sources4:number , max-sources6:number
1653 .Cm max-sources4
1655 .Cm max-sources6
1658 .Cm deny-all ,
1675 Specifies a comma-separated list of addresses to exempt from penalties.
1677 Note that the mask length provided must be consistent with the address -
1717 authentication as a list of comma-separated patterns.
1723 .Sq -
1731 .Bd -literal -offset 3n
1732 ssh-ed25519-cert-v01@openssh.com,
1733 ecdsa-sha2-nistp256-cert-v01@openssh.com,
1734 ecdsa-sha2-nistp384-cert-v01@openssh.com,
1735 ecdsa-sha2-nistp521-cert-v01@openssh.com,
1736 sk-ssh-ed25519-cert-v01@openssh.com,
1737 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1738 rsa-sha2-512-cert-v01@openssh.com,
1739 rsa-sha2-256-cert-v01@openssh.com,
1740 ssh-ed25519,
1741 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1742 sk-ssh-ed25519@openssh.com,
1743 sk-ecdsa-sha2-nistp256@openssh.com,
1744 rsa-sha2-512,rsa-sha2-256
1748 .Qq ssh -Q PubkeyAcceptedAlgorithms .
1753 (the default; indicating no additional options are enabled),
1754 .Cm touch-required
1756 .Cm verify-required .
1759 .Cm touch-required
1762 .Cm ecdsa-sk
1764 .Cm ed25519-sk )
1771 .Cm touch-required
1775 .Cm verify-required
1780 .Cm touch-required
1782 .Cm verify-required
1783 options have any effect for other, non-FIDO, public key types.
1796 are enabled.
1829 User and host-based authentication keys smaller than this limit will be
1844 .Xr ssh-keygen 1 .
1846 .Xr ssh-keygen 1 .
1858 FIDO authenticator-hosted keys, overriding the default of using
1859 the built-in USB HID support.
1877 .Cm sshd-auth
1880 .Pa /usr/libexec/sshd-auth .
1884 .Cm sshd-session
1887 .Pa /usr/libexec/sshd-session .
1892 used when creating a Unix-domain socket file for local or remote
1894 This option is only used for port forwarding to a Unix-domain socket file.
1896 The default value is 0177, which creates a Unix-domain socket file that is
1898 Note that not all operating systems honor the file mode on Unix-domain
1901 Specifies whether to remove an existing Unix-domain socket file for local
1905 is not enabled,
1907 will be unable to forward the port to the Unix-domain socket file.
1908 This option is only used for port forwarding to a Unix-domain socket file.
1922 directory or files world-writable.
1934 .Cm sftp-server
1938 .Cm internal-sftp
1939 implements an in-process SFTP server.
1944 .Cm sftp-server
1945 and even though it is in-process, settings such as
1995 .Xr ssh-keygen 1 .
2060 this will enable PAM authentication using
2064 in addition to PAM account and session module processing for all
2067 Because PAM keyboard-interactive authentication usually serves an equivalent
2075 is enabled, you will not be able to run
2077 as a non-root user.
2084 .Qq FreeBSD-20250801 .
2103 When X11 forwarding is enabled, there may be additional exposure to
2161 command-line arguments and configuration file options that specify time
2172 .Bl -tag -width Ds -compact -offset indent
2192 .Bl -tag -width Ds -compact -offset indent
2204 .Bl -tag -width XXXX -offset indent -compact
2210 four space-separated values: client address, client port number,
2223 The base64-encoded CA key.
2225 The base64-encoded key or certificate for authentication.
2256 .Bl -tag -width Ds
2261 (though not necessary) that it be world-readable.
2264 .Xr sftp-server 8 ,
2267 .An -nosplit
2275 removed many bugs, re-added newer features and