Lines Matching +full:allow +full:- +full:set +full:- +full:time

50 The file contains keyword-argument pairs, one per line.
61 keywords are case-insensitive and arguments are case-sensitive):
62 .Bl -tag -width Ds
77 requests a pseudo-terminal as it is required by the protocol.
102 .Xr ssh-agent 1
116 The allow/deny groups directives are processed in the following order:
127 Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
133 to allow StreamLocal forwarding,
137 to allow local (from the perspective of
141 to allow remote forwarding only.
152 to allow TCP forwarding,
156 to allow local (from the perspective of
160 to allow remote forwarding only.
176 The allow/deny users directives are processed in the following order:
189 This option must be followed by one or more lists of comma-separated
198 .Qq publickey,password publickey,keyboard-interactive
203 keyboard-interactive authentication before public key.
213 .Qq keyboard-interactive:bsdauth
230 .Qq gssapi-with-mic ,
232 .Qq keyboard-interactive ,
234 (used for access to password-less accounts when
290 Alternately this option may be set to
385 .Bd -literal -offset indent
386 ssh-ed25519,ecdsa-sha2-nistp256,
387 ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
388 sk-ssh-ed25519@openssh.com,
389 sk-ecdsa-sha2-nistp256@openssh.com,
390 rsa-sha2-512,rsa-sha2-256
395 character, then the specified algorithms will be appended to the default set
398 .Sq -
400 from the default set instead of replacing them.
403 public key or host-based authentication.
420 .Sx TIME FORMATS
437 .Bl -tag -width Ds
438 .It Cm agent-connection
440 .Xr ssh-agent 1 .
441 .It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
449 .It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
462 .It Cm tun-connection
466 .It Cm x11-connection
487 checks that all components of the pathname are root-owned directories
516 no additional configuration of the environment is necessary if the in-process
517 sftp-server is used,
521 .Xr sftp-server 8
537 Multiple ciphers must be comma-separated.
540 character, then the specified ciphers will be appended to the default set
543 .Sq -
545 from the default set instead of replacing them.
549 default set.
553 .Bl -item -compact -offset indent
555 3des-cbc
557 aes128-cbc
559 aes192-cbc
561 aes256-cbc
563 aes128-ctr
565 aes192-ctr
567 aes256-ctr
569 aes128-gcm@openssh.com
571 aes256-gcm@openssh.com
573 chacha20-poly1305@openssh.com
577 .Bd -literal -offset indent
578 chacha20-poly1305@openssh.com,
579 aes128-ctr,aes192-ctr,aes256-ctr,
580 aes128-gcm@openssh.com,aes256-gcm@openssh.com
584 .Qq ssh -Q cipher .
605 is set to 15, and
639 The allow/deny groups directives are processed in the following order:
660 The allow/deny users directives are processed in the following order:
672 .Xr ssh-agent 1 ,
674 This option overrides all other forwarding-related options and may
698 The command is invoked by using the user's login shell with the -c option.
707 .Cm internal-sftp
708 will force the use of an in-process SFTP server that requires no support
722 should allow remote port forwardings to bind to non-loopback addresses, thus
730 to allow the client to select the address to which the forwarding is bound.
745 If set to
749 If set to
758 authentication as a list of comma-separated patterns.
762 the default set instead of replacing them.
764 .Sq -
766 will be removed from the default set instead of replacing them.
770 the head of the default set.
772 .Bd -literal -offset 3n
773 ssh-ed25519-cert-v01@openssh.com,
774 ecdsa-sha2-nistp256-cert-v01@openssh.com,
775 ecdsa-sha2-nistp384-cert-v01@openssh.com,
776 ecdsa-sha2-nistp521-cert-v01@openssh.com,
777 sk-ssh-ed25519-cert-v01@openssh.com,
778 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
779 rsa-sha2-512-cert-v01@openssh.com,
780 rsa-sha2-256-cert-v01@openssh.com,
781 ssh-ed25519,
782 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
783 sk-ssh-ed25519@openssh.com,
784 sk-ecdsa-sha2-nistp256@openssh.com,
785 rsa-sha2-512,rsa-sha2-256
789 .Qq ssh -Q HostbasedAcceptedAlgorithms .
794 (host-based authentication).
833 will refuse to use a file if it is group/world-accessible
843 .Xr ssh-agent 1 .
845 Identifies the UNIX-domain socket used to communicate
856 .Bd -literal -offset 3n
857 ssh-ed25519-cert-v01@openssh.com,
858 ecdsa-sha2-nistp256-cert-v01@openssh.com,
859 ecdsa-sha2-nistp384-cert-v01@openssh.com,
860 ecdsa-sha2-nistp521-cert-v01@openssh.com,
861 sk-ssh-ed25519-cert-v01@openssh.com,
862 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
863 rsa-sha2-512-cert-v01@openssh.com,
864 rsa-sha2-256-cert-v01@openssh.com,
865 ssh-ed25519,
866 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
867 sk-ssh-ed25519@openssh.com,
868 sk-ecdsa-sha2-nistp256@openssh.com,
869 rsa-sha2-512,rsa-sha2-256
873 .Qq ssh -Q HostKeyAlgorithms .
875 Specifies whether to ignore per-user
881 The system-wide
889 (the default) to ignore all per-user files,
890 .Cm shosts-only
891 to allow the use of
897 to allow both
908 and use only the system-wide known hosts file
926 Specifies the IPv4 type-of-service or DSCP class for the connection.
959 interactive sessions and the second for non-interactive sessions.
962 (Low-Latency Data)
966 for non-interactive sessions.
968 Specifies whether to allow keyboard-interactive authentication.
1010 Multiple algorithms must be comma-separated.
1014 character, then the specified algorithms will be appended to the default set
1017 .Sq -
1019 from the default set instead of replacing them.
1023 default set.
1027 .Bl -item -compact -offset indent
1029 curve25519-sha256
1031 curve25519-sha256@libssh.org
1033 diffie-hellman-group1-sha1
1035 diffie-hellman-group14-sha1
1037 diffie-hellman-group14-sha256
1039 diffie-hellman-group16-sha512
1041 diffie-hellman-group18-sha512
1043 diffie-hellman-group-exchange-sha1
1045 diffie-hellman-group-exchange-sha256
1047 ecdh-sha2-nistp256
1049 ecdh-sha2-nistp384
1051 ecdh-sha2-nistp521
1053 mlkem768x25519-sha256
1055 sntrup761x25519-sha512
1057 sntrup761x25519-sha512@openssh.com
1061 .Bd -literal -offset indent
1062 sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
1063 mlkem768x25519-sha256,
1064 curve25519-sha256,curve25519-sha256@libssh.org,
1065 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1066 diffie-hellman-group-exchange-sha256,
1067 diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
1068 diffie-hellman-group14-sha256
1072 .Qq ssh -Q KexAlgorithms .
1079 .Bl -item -offset indent -compact
1125 The server disconnects after this time if the user has not
1127 If the value is 0, there is no time limit.
1144 .Bd -literal -offset indent
1159 Multiple algorithms must be comma-separated.
1162 character, then the specified algorithms will be appended to the default set
1165 .Sq -
1167 from the default set instead of replacing them.
1171 default set.
1174 .Qq -etm
1175 calculate the MAC after encryption (encrypt-then-mac).
1179 .Bl -item -compact -offset indent
1181 hmac-md5
1183 hmac-md5-96
1185 hmac-sha1
1187 hmac-sha1-96
1189 hmac-sha2-256
1191 hmac-sha2-512
1193 umac-64@openssh.com
1195 umac-128@openssh.com
1197 hmac-md5-etm@openssh.com
1199 hmac-md5-96-etm@openssh.com
1201 hmac-sha1-etm@openssh.com
1203 hmac-sha1-96-etm@openssh.com
1205 hmac-sha2-256-etm@openssh.com
1207 hmac-sha2-512-etm@openssh.com
1209 umac-64-etm@openssh.com
1211 umac-128-etm@openssh.com
1215 .Bd -literal -offset indent
1216 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1217 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1218 hmac-sha1-etm@openssh.com,
1219 umac-64@openssh.com,umac-128@openssh.com,
1220 hmac-sha2-256,hmac-sha2-512,hmac-sha1
1224 .Qq ssh -Q mac .
1240 are one or more criteria-pattern pairs or one of the single token criteria:
1243 .Cm Invalid-User ,
1244 which matches when the requested user-name does not match any known account.
1260 The match patterns may consist of single entries or comma-separated
1271 Note that the mask length provided must be consistent with the address -
1273 or one with bits set in this host portion of the address.
1378 file that contains the Diffie-Hellman groups used for the
1379 .Dq diffie-hellman-group-exchange-sha1
1381 .Dq diffie-hellman-group-exchange-sha256
1409 .Bl -item -offset indent -compact
1433 can also be used in place of a port number to allow all ports.
1451 .Bl -item -offset indent -compact
1478 can be used for host or port to allow all hosts or ports respectively.
1487 .Cm prohibit-password ,
1488 .Cm forced-commands-only ,
1501 If this option is set to
1502 .Cm prohibit-password
1504 .Cm without-password ) ,
1505 password and keyboard-interactive authentication are disabled for root.
1507 If this option is set to
1508 .Cm forced-commands-only ,
1517 If this option is set to
1532 .Cm point-to-point
1540 .Cm point-to-point
1548 device must allow access to the user.
1561 or a pattern-list specifying which environment variable names to accept
1603 Conversely, penalties are not applied until a minimum threshold time has been
1614 .Bl -tag -width Ds
1631 .Xr ssh-keyscan 1 .
1632 .It Cm grace-exceeded:duration
1637 Specifies the maximum time a particular source address range will be refused
1643 .It Cm max-sources4:number , max-sources6:number
1648 .Cm max-sources4
1650 .Cm max-sources6
1653 .Cm deny-all ,
1670 Specifies a comma-separated list of addresses to exempt from penalties.
1672 Note that the mask length provided must be consistent with the address -
1674 or one with bits set in this host portion of the address.
1695 should print the date and time of the last user login when a user logs
1712 authentication as a list of comma-separated patterns.
1715 character, then the specified algorithms will be appended to the default set
1718 .Sq -
1720 from the default set instead of replacing them.
1724 default set.
1726 .Bd -literal -offset 3n
1727 ssh-ed25519-cert-v01@openssh.com,
1728 ecdsa-sha2-nistp256-cert-v01@openssh.com,
1729 ecdsa-sha2-nistp384-cert-v01@openssh.com,
1730 ecdsa-sha2-nistp521-cert-v01@openssh.com,
1731 sk-ssh-ed25519-cert-v01@openssh.com,
1732 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1733 rsa-sha2-512-cert-v01@openssh.com,
1734 rsa-sha2-256-cert-v01@openssh.com,
1735 ssh-ed25519,
1736 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1737 sk-ssh-ed25519@openssh.com,
1738 sk-ecdsa-sha2-nistp256@openssh.com,
1739 rsa-sha2-512,rsa-sha2-256
1743 .Qq ssh -Q PubkeyAcceptedAlgorithms .
1749 .Cm touch-required
1751 .Cm verify-required .
1754 .Cm touch-required
1757 .Cm ecdsa-sk
1759 .Cm ed25519-sk )
1766 .Cm touch-required
1770 .Cm verify-required
1775 .Cm touch-required
1777 .Cm verify-required
1778 options have any effect for other, non-FIDO, public key types.
1798 amount of time that may pass before the session key is renegotiated.
1812 .Sx TIME FORMATS
1819 of data has been sent or received and no time based rekeying is done.
1824 User and host-based authentication keys smaller than this limit will be
1839 .Xr ssh-keygen 1 .
1841 .Xr ssh-keygen 1 .
1848 If the routing domain is set to
1853 FIDO authenticator-hosted keys, overriding the default of using
1854 the built-in USB HID support.
1856 Specifies one or more environment variables to set in child sessions started
1863 Environment variables set by
1872 .Cm sshd-session
1875 .Pa /usr/libexec/sshd-session .
1880 used when creating a Unix-domain socket file for local or remote
1882 This option is only used for port forwarding to a Unix-domain socket file.
1884 The default value is 0177, which creates a Unix-domain socket file that is
1886 Note that not all operating systems honor the file mode on Unix-domain
1889 Specifies whether to remove an existing Unix-domain socket file for local
1895 will be unable to forward the port to the Unix-domain socket file.
1896 This option is only used for port forwarding to a Unix-domain socket file.
1910 directory or files world-writable.
1922 .Cm sftp-server
1926 .Cm internal-sftp
1927 implements an in-process SFTP server.
1932 .Cm sftp-server
1933 and even though it is in-process, settings such as
1937 do not apply to it and must be set explicitly via
1966 To disable TCP keepalive messages, the value should be set to
1983 .Xr ssh-keygen 1 .
1996 .Sx TIME FORMATS
2003 provide sufficient time for the client to request and open its channels
2032 If this option is set to
2046 If set to
2055 Because PAM keyboard-interactive authentication usually serves an equivalent
2065 as a non-root user.
2072 .Qq FreeBSD-20250219 .
2128 may be set to
2147 .Sh TIME FORMATS
2149 command-line arguments and configuration file options that specify time
2152 .Ar time Op Ar qualifier ,
2155 .Ar time
2160 .Bl -tag -width Ds -compact -offset indent
2176 the total time value.
2178 Time format examples:
2180 .Bl -tag -width Ds -compact -offset indent
2192 .Bl -tag -width XXXX -offset indent -compact
2198 four space-separated values: client address, client port number,
2211 The base64-encoded CA key.
2213 The base64-encoded key or certificate for authentication.
2244 .Bl -tag -width Ds
2249 (though not necessary) that it be world-readable.
2252 .Xr sftp-server 8 ,
2255 .An -nosplit
2263 removed many bugs, re-added newer features and