Lines Matching +full:default +full:- +full:on
31 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
50 The file contains keyword-argument pairs, one per line.
61 keywords are case-insensitive and arguments are case-sensitive):
62 .Bl -tag -width Ds
77 requests a pseudo-terminal as it is required by the protocol.
89 The default is not to accept any environment variables.
95 (the default),
102 .Xr ssh-agent 1
104 The default is
115 By default, login is allowed for all groups.
122 for more information on patterns.
127 Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
130 (the default)
149 (the default)
170 By default, login is allowed for all users.
182 for more information on patterns.
189 This option must be followed by one or more lists of comma-separated
192 to indicate the default behaviour of accepting any single authentication
194 If the default is overridden, then successful authentication requires
198 .Qq publickey,password publickey,keyboard-interactive
203 keyboard-interactive authentication before public key.
211 depending on the server configuration.
213 .Qq keyboard-interactive:bsdauth
230 .Qq gssapi-with-mic ,
232 .Qq keyboard-interactive ,
234 (used for access to password-less accounts when
251 The program should produce on standard output zero or
260 By default, no
267 It is recommended to use a dedicated user that has no other role on the host
293 The default is
308 The program should produce on standard output zero or
318 By default, no
325 It is recommended to use a dedicated user that has no other role on the host
357 The default is
380 By default, no banner is displayed.
384 The default is:
385 .Bd -literal -offset indent
386 ssh-ed25519,ecdsa-sha2-nistp256,
387 ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
388 sk-ssh-ed25519@openssh.com,
389 sk-ecdsa-sha2-nistp256@openssh.com,
390 rsa-sha2-512,rsa-sha2-256
395 character, then the specified algorithms will be appended to the default set
398 .Sq -
400 from the default set instead of replacing them.
403 public key or host-based authentication.
431 Traffic on any active channel will reset the timeout, but when the timeout
437 .Bl -tag -width Ds
438 .It Cm agent-connection
440 .Xr ssh-agent 1 .
441 .It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
449 .It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
453 listening on behalf of a
462 .It Cm tun-connection
466 .It Cm x11-connection
480 The default is not to expire channels of any type for inactivity.
487 checks that all components of the pathname are root-owned directories
516 no additional configuration of the environment is necessary if the in-process
517 sftp-server is used,
520 inside the chroot directory on some operating systems (see
521 .Xr sftp-server 8
525 prevented from modification by other processes on the system (especially
531 The default is
537 Multiple ciphers must be comma-separated.
540 character, then the specified ciphers will be appended to the default set
543 .Sq -
545 from the default set instead of replacing them.
549 default set.
553 .Bl -item -compact -offset indent
555 3des-cbc
557 aes128-cbc
559 aes192-cbc
561 aes256-cbc
563 aes128-ctr
565 aes192-ctr
567 aes256-ctr
569 aes128-gcm@openssh.com
571 aes256-gcm@openssh.com
573 chacha20-poly1305@openssh.com
576 The default is:
577 .Bd -literal -offset indent
578 chacha20-poly1305@openssh.com,
579 aes128-ctr,aes192-ctr,aes256-ctr,
580 aes128-gcm@openssh.com,aes256-gcm@openssh.com
584 .Qq ssh -Q cipher .
600 server depend on knowing when a connection has become unresponsive.
602 The default value is 3.
607 is left at the default, unresponsive SSH clients
618 The default
630 The default is
638 By default, login is allowed for all groups.
645 for more information on patterns.
654 By default, login is allowed for all users.
666 for more information on patterns.
672 .Xr ssh-agent 1 ,
674 This option overrides all other forwarding-related options and may
682 The default is
690 The default is
698 The command is invoked by using the user's login shell with the -c option.
707 .Cm internal-sftp
708 will force the use of an in-process SFTP server that requires no support
711 The default is
716 By default,
722 should allow remote port forwardings to bind to non-loopback addresses, thus
731 The default is
734 Specifies whether user authentication based on GSSAPI is allowed.
735 The default is
740 The default is
748 service on the current hostname.
752 machine's default store.
753 This facility is provided to assist with operation on multi homed machines.
754 The default is
758 authentication as a list of comma-separated patterns.
762 the default set instead of replacing them.
764 .Sq -
766 will be removed from the default set instead of replacing them.
770 the head of the default set.
771 The default for this option is:
772 .Bd -literal -offset 3n
773 ssh-ed25519-cert-v01@openssh.com,
774 ecdsa-sha2-nistp256-cert-v01@openssh.com,
775 ecdsa-sha2-nistp384-cert-v01@openssh.com,
776 ecdsa-sha2-nistp521-cert-v01@openssh.com,
777 sk-ssh-ed25519-cert-v01@openssh.com,
778 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
779 rsa-sha2-512-cert-v01@openssh.com,
780 rsa-sha2-256-cert-v01@openssh.com,
781 ssh-ed25519,
782 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
783 sk-ssh-ed25519@openssh.com,
784 sk-ecdsa-sha2-nistp256@openssh.com,
785 rsa-sha2-512,rsa-sha2-256
789 .Qq ssh -Q HostbasedAcceptedAlgorithms .
794 (host-based authentication).
795 The default is
812 The default is
819 The default behaviour of
833 will refuse to use a file if it is group/world-accessible
841 In this case operations on the private key will be delegated
843 .Xr ssh-agent 1 .
845 Identifies the UNIX-domain socket used to communicate
855 The default for this option is:
856 .Bd -literal -offset 3n
857 ssh-ed25519-cert-v01@openssh.com,
858 ecdsa-sha2-nistp256-cert-v01@openssh.com,
859 ecdsa-sha2-nistp384-cert-v01@openssh.com,
860 ecdsa-sha2-nistp521-cert-v01@openssh.com,
861 sk-ssh-ed25519-cert-v01@openssh.com,
862 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
863 rsa-sha2-512-cert-v01@openssh.com,
864 rsa-sha2-256-cert-v01@openssh.com,
865 ssh-ed25519,
866 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
867 sk-ssh-ed25519@openssh.com,
868 sk-ecdsa-sha2-nistp256@openssh.com,
869 rsa-sha2-512,rsa-sha2-256
873 .Qq ssh -Q HostKeyAlgorithms .
875 Specifies whether to ignore per-user
881 The system-wide
889 (the default) to ignore all per-user files,
890 .Cm shosts-only
908 and use only the system-wide known hosts file
910 The default is
926 Specifies the IPv4 type-of-service or DSCP class for the connection.
955 to use the operating system default.
959 interactive sessions and the second for non-interactive sessions.
960 The default is
962 (Low-Latency Data)
966 for non-interactive sessions.
968 Specifies whether to allow keyboard-interactive authentication.
972 The default is
986 The default is
991 The default is
998 The default is
1002 file on logout.
1003 The default is
1010 Multiple algorithms must be comma-separated.
1014 character, then the specified algorithms will be appended to the default set
1017 .Sq -
1019 from the default set instead of replacing them.
1023 default set.
1027 .Bl -item -compact -offset indent
1029 curve25519-sha256
1031 curve25519-sha256@libssh.org
1033 diffie-hellman-group1-sha1
1035 diffie-hellman-group14-sha1
1037 diffie-hellman-group14-sha256
1039 diffie-hellman-group16-sha512
1041 diffie-hellman-group18-sha512
1043 diffie-hellman-group-exchange-sha1
1045 diffie-hellman-group-exchange-sha256
1047 ecdh-sha2-nistp256
1049 ecdh-sha2-nistp384
1051 ecdh-sha2-nistp521
1053 mlkem768x25519-sha256
1055 sntrup761x25519-sha512
1057 sntrup761x25519-sha512@openssh.com
1060 The default is:
1061 .Bd -literal -offset indent
1062 sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
1063 mlkem768x25519-sha256,
1064 curve25519-sha256,curve25519-sha256@libssh.org,
1065 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1066 diffie-hellman-group-exchange-sha256,
1067 diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
1068 diffie-hellman-group14-sha256
1072 .Qq ssh -Q KexAlgorithms .
1076 should listen on.
1079 .Bl -item -offset indent -compact
1084 .Sm on
1090 .Sm on
1096 .Sm on
1102 .Sm on
1114 sshd will listen on the address and all
1117 The default is to listen on all local addresses on the current default
1122 For more information on routing domains, see
1128 The default is 120 seconds.
1134 The default is INFO.
1144 .Bd -literal -offset indent
1155 This option is intended for debugging and no overrides are enabled by default.
1159 Multiple algorithms must be comma-separated.
1162 character, then the specified algorithms will be appended to the default set
1165 .Sq -
1167 from the default set instead of replacing them.
1171 default set.
1174 .Qq -etm
1175 calculate the MAC after encryption (encrypt-then-mac).
1179 .Bl -item -compact -offset indent
1181 hmac-md5
1183 hmac-md5-96
1185 hmac-sha1
1187 hmac-sha1-96
1189 hmac-sha2-256
1191 hmac-sha2-512
1193 umac-64@openssh.com
1195 umac-128@openssh.com
1197 hmac-md5-etm@openssh.com
1199 hmac-md5-96-etm@openssh.com
1201 hmac-sha1-etm@openssh.com
1203 hmac-sha1-96-etm@openssh.com
1205 hmac-sha2-256-etm@openssh.com
1207 hmac-sha2-512-etm@openssh.com
1209 umac-64-etm@openssh.com
1211 umac-128-etm@openssh.com
1214 The default is:
1215 .Bd -literal -offset indent
1216 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1217 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1218 hmac-sha1-etm@openssh.com,
1219 umac-64@openssh.com,umac-128@openssh.com,
1220 hmac-sha2-256,hmac-sha2-512,hmac-sha1
1224 .Qq ssh -Q mac .
1227 If all of the criteria on the
1229 line are satisfied, the keywords on the following lines override those
1240 are one or more criteria-pattern pairs or one of the single token criteria:
1243 .Cm Invalid-User ,
1244 which matches when the requested user-name does not match any known account.
1260 The match patterns may consist of single entries or comma-separated
1271 Note that the mask length provided must be consistent with the address -
1276 Only a subset of keywords may be used on the lines following a
1347 The default is 6.
1358 The default is 10.
1365 The default is 10:30:100.
1378 file that contains the Diffie-Hellman groups used for the
1379 .Dq diffie-hellman-group-exchange-sha1
1381 .Dq diffie-hellman-group-exchange-sha256
1383 The default is
1390 The default is
1398 The default is
1403 The default is
1406 Specifies the addresses/ports on which a remote TCP port forwarding may listen.
1409 .Bl -item -offset indent -compact
1414 .Sm on
1419 .Sm on
1434 By default all port forwarding listen requests are permitted.
1437 option may further restrict which addresses may be listened on.
1451 .Bl -item -offset indent -compact
1456 .Sm on
1461 .Sm on
1466 .Sm on
1479 Otherwise, no pattern matching or address lookups are performed on supplied
1481 By default all port forwarding requests are permitted.
1487 .Cm prohibit-password ,
1488 .Cm forced-commands-only ,
1491 The default is
1502 .Cm prohibit-password
1504 .Cm without-password ) ,
1505 password and keyboard-interactive authentication are disabled for root.
1508 .Cm forced-commands-only ,
1524 The default is
1532 .Cm point-to-point
1540 .Cm point-to-point
1543 The default is
1561 or a pattern-list specifying which environment variable names to accept
1564 The default is
1573 The default is
1583 The default is
1589 The default is
1593 Controls penalties for various conditions that may represent attacks on
1606 Penalties are enabled by default with the default settings listed below
1614 .Bl -tag -width Ds
1617 .Xr sshd 8 (default: 90s).
1620 unsuccessful authentication attempts (default: 5s).
1625 option (default: 10s).
1628 authentication (default: 1s).
1631 .Xr ssh-keyscan 1 .
1632 .It Cm grace-exceeded:duration
1638 access for (default: 10m).
1643 .It Cm max-sources4:number , max-sources6:number
1645 track for penalties (default: 65536 for both).
1648 .Cm max-sources4
1650 .Cm max-sources6
1653 .Cm deny-all ,
1667 The default is to use the same overflow mode as was specified for IPv4.
1670 Specifies a comma-separated list of addresses to exempt from penalties.
1672 Note that the mask length provided must be consistent with the address -
1676 The default is not to exempt any addresses.
1682 The default is
1687 listens on.
1688 The default is 22.
1697 The default is
1708 The default is
1712 authentication as a list of comma-separated patterns.
1715 character, then the specified algorithms will be appended to the default set
1718 .Sq -
1720 from the default set instead of replacing them.
1724 default set.
1725 The default for this option is:
1726 .Bd -literal -offset 3n
1727 ssh-ed25519-cert-v01@openssh.com,
1728 ecdsa-sha2-nistp256-cert-v01@openssh.com,
1729 ecdsa-sha2-nistp384-cert-v01@openssh.com,
1730 ecdsa-sha2-nistp521-cert-v01@openssh.com,
1731 sk-ssh-ed25519-cert-v01@openssh.com,
1732 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1733 rsa-sha2-512-cert-v01@openssh.com,
1734 rsa-sha2-256-cert-v01@openssh.com,
1735 ssh-ed25519,
1736 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1737 sk-ssh-ed25519@openssh.com,
1738 sk-ecdsa-sha2-nistp256@openssh.com,
1739 rsa-sha2-512,rsa-sha2-256
1743 .Qq ssh -Q PubkeyAcceptedAlgorithms .
1748 (the default; indicating no additional options are enabled),
1749 .Cm touch-required
1751 .Cm verify-required .
1754 .Cm touch-required
1757 .Cm ecdsa-sk
1759 .Cm ed25519-sk )
1762 By default,
1766 .Cm touch-required
1770 .Cm verify-required
1775 .Cm touch-required
1777 .Cm verify-required
1778 options have any effect for other, non-FIDO, public key types.
1781 The default is
1805 The default is between
1809 depending on the cipher.
1814 The default value for
1817 .Cm default none ,
1818 which means that rekeying is performed after the cipher's default amount
1824 User and host-based authentication keys smaller than this limit will be
1826 The default is
1829 Note that this limit may only be raised from the default.
1839 .Xr ssh-keygen 1 .
1840 For more information on KRLs, see the KEY REVOCATION LISTS section in
1841 .Xr ssh-keygen 1 .
1853 FIDO authenticator-hosted keys, overriding the default of using
1854 the built-in USB HID support.
1865 override the default environment and any variables specified by the user
1871 Overrides the default path to the
1872 .Cm sshd-session
1874 The default is
1875 .Pa /usr/libexec/sshd-session .
1880 used when creating a Unix-domain socket file for local or remote
1882 This option is only used for port forwarding to a Unix-domain socket file.
1884 The default value is 0177, which creates a Unix-domain socket file that is
1886 Note that not all operating systems honor the file mode on Unix-domain
1889 Specifies whether to remove an existing Unix-domain socket file for local
1895 will be unable to forward the port to the Unix-domain socket file.
1896 This option is only used for port forwarding to a Unix-domain socket file.
1902 The default is
1910 directory or files world-writable.
1911 The default is
1922 .Cm sftp-server
1926 .Cm internal-sftp
1927 implements an in-process SFTP server.
1930 to force a different filesystem root on clients.
1932 .Cm sftp-server
1933 and even though it is in-process, settings such as
1940 By default no subsystems are defined.
1946 The default is AUTH.
1956 sessions may hang indefinitely on the server, leaving
1960 The default is
1982 For more details on certificates, see the CERTIFICATES section in
1983 .Xr ssh-keygen 1 .
2006 The default
2018 The default is
2042 The default is
2055 Because PAM keyboard-interactive authentication usually serves an equivalent
2065 as a non-root user.
2066 The default is
2071 The default is
2072 .Qq FreeBSD-20250219 .
2081 The default is 10.
2088 The default is
2094 proxy display is configured to listen on the wildcard address (see
2096 though this is not the default.
2098 verification and substitution occur on the client side.
2118 By default,
2136 The default is
2144 The default is
2149 command-line arguments and configuration file options that specify time
2153 .Sm on
2160 .Bl -tag -width Ds -compact -offset indent
2180 .Bl -tag -width Ds -compact -offset indent
2192 .Bl -tag -width XXXX -offset indent -compact
2198 four space-separated values: client address, client port number,
2211 The base64-encoded CA key.
2213 The base64-encoded key or certificate for authentication.
2244 .Bl -tag -width Ds
2249 (though not necessary) that it be world-readable.
2252 .Xr sftp-server 8 ,
2255 .An -nosplit
2263 removed many bugs, re-added newer features and