Lines Matching +full:ports +full:- +full:block +full:- +full:group +full:- +full:count

50 The file contains keyword-argument pairs, one per line.
61 keywords are case-insensitive and arguments are case-sensitive):
62 .Bl -tag -width Ds
77 requests a pseudo-terminal as it is required by the protocol.
102 .Xr ssh-agent 1
110 This keyword can be followed by a list of group name patterns, separated
113 group or supplementary group list matches one of the patterns.
114 Only group names are valid; a numerical group ID is not recognized.
127 Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
189 This option must be followed by one or more lists of comma-separated
198 .Qq publickey,password publickey,keyboard-interactive
203 keyboard-interactive authentication before public key.
213 .Qq keyboard-interactive:bsdauth
230 .Qq gssapi-with-mic ,
232 .Qq keyboard-interactive ,
234 (used for access to password-less accounts when
242 The program must be owned by root, not writable by group or others and
299 The program must be owned by root, not writable by group or others and
385 .Bd -literal -offset indent
386 ssh-ed25519,ecdsa-sha2-nistp256,
387 ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
388 sk-ssh-ed25519@openssh.com,
389 sk-ecdsa-sha2-nistp256@openssh.com,
390 rsa-sha2-512,rsa-sha2-256
398 .Sq -
403 public key or host-based authentication.
437 .Bl -tag -width Ds
438 .It Cm agent-connection
440 .Xr ssh-agent 1 .
441 .It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
449 .It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
462 .It Cm tun-connection
466 .It Cm x11-connection
487 checks that all components of the pathname are root-owned directories
488 which are not writable by group or others.
516 no additional configuration of the environment is necessary if the in-process
517 sftp-server is used,
521 .Xr sftp-server 8
537 Multiple ciphers must be comma-separated.
543 .Sq -
553 .Bl -item -compact -offset indent
555 3des-cbc
557 aes128-cbc
559 aes192-cbc
561 aes256-cbc
563 aes128-ctr
565 aes192-ctr
567 aes256-ctr
569 aes128-gcm@openssh.com
571 aes256-gcm@openssh.com
573 chacha20-poly1305@openssh.com
577 .Bd -literal -offset indent
578 chacha20-poly1305@openssh.com,
579 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
580 aes128-ctr,aes192-ctr,aes256-ctr
584 .Qq ssh -Q cipher .
633 This keyword can be followed by a list of group name patterns, separated
635 Login is disallowed for users whose primary group or supplementary
636 group list matches one of the patterns.
637 Only group names are valid; a numerical group ID is not recognized.
672 .Xr ssh-agent 1 ,
674 This option overrides all other forwarding-related options and may
698 The command is invoked by using the user's login shell with the -c option.
702 block.
707 .Cm internal-sftp
708 will force the use of an in-process SFTP server that requires no support
714 Specifies whether remote hosts are allowed to connect to ports
719 This prevents other remote hosts from connecting to forwarded ports.
722 should allow remote port forwardings to bind to non-loopback addresses, thus
758 authentication as a list of comma-separated patterns.
764 .Sq -
772 .Bd -literal -offset 3n
773 ssh-ed25519-cert-v01@openssh.com,
774 ecdsa-sha2-nistp256-cert-v01@openssh.com,
775 ecdsa-sha2-nistp384-cert-v01@openssh.com,
776 ecdsa-sha2-nistp521-cert-v01@openssh.com,
777 sk-ssh-ed25519-cert-v01@openssh.com,
778 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
779 rsa-sha2-512-cert-v01@openssh.com,
780 rsa-sha2-256-cert-v01@openssh.com,
781 ssh-ed25519,
782 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
783 sk-ssh-ed25519@openssh.com,
784 sk-ecdsa-sha2-nistp256@openssh.com,
785 rsa-sha2-512,rsa-sha2-256
789 .Qq ssh -Q HostbasedAcceptedAlgorithms .
794 (host-based authentication).
833 will refuse to use a file if it is group/world-accessible
843 .Xr ssh-agent 1 .
845 Identifies the UNIX-domain socket used to communicate
856 .Bd -literal -offset 3n
857 ssh-ed25519-cert-v01@openssh.com,
858 ecdsa-sha2-nistp256-cert-v01@openssh.com,
859 ecdsa-sha2-nistp384-cert-v01@openssh.com,
860 ecdsa-sha2-nistp521-cert-v01@openssh.com,
861 sk-ssh-ed25519-cert-v01@openssh.com,
862 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
863 rsa-sha2-512-cert-v01@openssh.com,
864 rsa-sha2-256-cert-v01@openssh.com,
865 ssh-ed25519,
866 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
867 sk-ssh-ed25519@openssh.com,
868 sk-ecdsa-sha2-nistp256@openssh.com,
869 rsa-sha2-512,rsa-sha2-256
873 .Qq ssh -Q HostKeyAlgorithms .
875 Specifies whether to ignore per-user
881 The system-wide
889 (the default) to ignore all per-user files,
890 .Cm shosts-only
908 and use only the system-wide known hosts file
923 block
926 Specifies the IPv4 type-of-service or DSCP class for the connection.
959 interactive sessions and the second for non-interactive sessions.
962 (Low-Latency Data)
966 for non-interactive sessions.
968 Specifies whether to allow keyboard-interactive authentication.
1010 Multiple algorithms must be comma-separated.
1017 .Sq -
1027 .Bl -item -compact -offset indent
1029 curve25519-sha256
1031 curve25519-sha256@libssh.org
1033 diffie-hellman-group1-sha1
1035 diffie-hellman-group14-sha1
1037 diffie-hellman-group14-sha256
1039 diffie-hellman-group16-sha512
1041 diffie-hellman-group18-sha512
1043 diffie-hellman-group-exchange-sha1
1045 diffie-hellman-group-exchange-sha256
1047 ecdh-sha2-nistp256
1049 ecdh-sha2-nistp384
1051 ecdh-sha2-nistp521
1053 mlkem768x25519-sha256
1055 sntrup761x25519-sha512
1057 sntrup761x25519-sha512@openssh.com
1061 .Bd -literal -offset indent
1062 mlkem768x25519-sha256,
1063 sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
1064 curve25519-sha256,curve25519-sha256@libssh.org,
1065 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
1069 .Qq ssh -Q KexAlgorithms .
1076 .Bl -item -offset indent -compact
1141 .Bd -literal -offset indent
1156 Multiple algorithms must be comma-separated.
1162 .Sq -
1171 .Qq -etm
1172 calculate the MAC after encryption (encrypt-then-mac).
1176 .Bl -item -compact -offset indent
1178 hmac-md5
1180 hmac-md5-96
1182 hmac-sha1
1184 hmac-sha1-96
1186 hmac-sha2-256
1188 hmac-sha2-512
1190 umac-64@openssh.com
1192 umac-128@openssh.com
1194 hmac-md5-etm@openssh.com
1196 hmac-md5-96-etm@openssh.com
1198 hmac-sha1-etm@openssh.com
1200 hmac-sha1-96-etm@openssh.com
1202 hmac-sha2-256-etm@openssh.com
1204 hmac-sha2-512-etm@openssh.com
1206 umac-64-etm@openssh.com
1208 umac-128-etm@openssh.com
1212 .Bd -literal -offset indent
1213 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1214 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1215 hmac-sha1-etm@openssh.com,
1216 umac-64@openssh.com,umac-128@openssh.com,
1217 hmac-sha2-256,hmac-sha2-512,hmac-sha1
1221 .Qq ssh -Q mac .
1223 Introduces a conditional block.
1237 are one or more criteria-pattern pairs or one of the single token criteria:
1240 .Cm Invalid-User ,
1241 which matches when the requested user-name does not match any known account.
1244 .Cm Group ,
1258 The match patterns may consist of single entries or comma-separated
1269 Note that the mask length provided must be consistent with the address -
1383 file that contains the Diffie-Hellman groups used for the
1384 .Dq diffie-hellman-group-exchange-sha1
1386 .Dq diffie-hellman-group-exchange-sha256
1411 Specifies the addresses/ports on which a remote TCP port forwarding may listen.
1414 .Bl -item -offset indent -compact
1438 can also be used in place of a port number to allow all ports.
1456 .Bl -item -offset indent -compact
1483 can be used for host or port to allow all hosts or ports respectively.
1492 .Cm prohibit-password ,
1493 .Cm forced-commands-only ,
1507 .Cm prohibit-password
1509 .Cm without-password ) ,
1510 password and keyboard-interactive authentication are disabled for root.
1513 .Cm forced-commands-only ,
1537 .Cm point-to-point
1545 .Cm point-to-point
1566 or a pattern-list specifying which environment variable names to accept
1619 .Bl -tag -width Ds
1636 .Xr ssh-keyscan 1 .
1637 .It Cm grace-exceeded:duration
1648 .It Cm max-sources4:number , max-sources6:number
1653 .Cm max-sources4
1655 .Cm max-sources6
1658 .Cm deny-all ,
1667 threshold count against the total number of tracked penalties.
1675 Specifies a comma-separated list of addresses to exempt from penalties.
1677 Note that the mask length provided must be consistent with the address -
1717 authentication as a list of comma-separated patterns.
1723 .Sq -
1731 .Bd -literal -offset 3n
1732 ssh-ed25519-cert-v01@openssh.com,
1733 ecdsa-sha2-nistp256-cert-v01@openssh.com,
1734 ecdsa-sha2-nistp384-cert-v01@openssh.com,
1735 ecdsa-sha2-nistp521-cert-v01@openssh.com,
1736 sk-ssh-ed25519-cert-v01@openssh.com,
1737 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1738 rsa-sha2-512-cert-v01@openssh.com,
1739 rsa-sha2-256-cert-v01@openssh.com,
1740 ssh-ed25519,
1741 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1742 sk-ssh-ed25519@openssh.com,
1743 sk-ecdsa-sha2-nistp256@openssh.com,
1744 rsa-sha2-512,rsa-sha2-256
1748 .Qq ssh -Q PubkeyAcceptedAlgorithms .
1754 .Cm touch-required
1756 .Cm verify-required .
1759 .Cm touch-required
1762 .Cm ecdsa-sk
1764 .Cm ed25519-sk )
1771 .Cm touch-required
1775 .Cm verify-required
1780 .Cm touch-required
1782 .Cm verify-required
1783 options have any effect for other, non-FIDO, public key types.
1799 block.
1829 User and host-based authentication keys smaller than this limit will be
1844 .Xr ssh-keygen 1 .
1846 .Xr ssh-keygen 1 .
1858 FIDO authenticator-hosted keys, overriding the default of using
1859 the built-in USB HID support.
1877 .Cm sshd-auth
1880 .Pa /usr/libexec/sshd-auth .
1884 .Cm sshd-session
1887 .Pa /usr/libexec/sshd-session .
1892 used when creating a Unix-domain socket file for local or remote
1894 This option is only used for port forwarding to a Unix-domain socket file.
1896 The default value is 0177, which creates a Unix-domain socket file that is
1898 Note that not all operating systems honor the file mode on Unix-domain
1901 Specifies whether to remove an existing Unix-domain socket file for local
1907 will be unable to forward the port to the Unix-domain socket file.
1908 This option is only used for port forwarding to a Unix-domain socket file.
1922 directory or files world-writable.
1934 .Cm sftp-server
1938 .Cm internal-sftp
1939 implements an in-process SFTP server.
1944 .Cm sftp-server
1945 and even though it is in-process, settings such as
1995 .Xr ssh-keygen 1 .
2067 Because PAM keyboard-interactive authentication usually serves an equivalent
2077 as a non-root user.
2084 .Qq FreeBSD-20250801 .
2161 command-line arguments and configuration file options that specify time
2172 .Bl -tag -width Ds -compact -offset indent
2192 .Bl -tag -width Ds -compact -offset indent
2204 .Bl -tag -width XXXX -offset indent -compact
2210 four space-separated values: client address, client port number,
2223 The base64-encoded CA key.
2225 The base64-encoded key or certificate for authentication.
2256 .Bl -tag -width Ds
2261 (though not necessary) that it be world-readable.
2264 .Xr sftp-server 8 ,
2267 .An -nosplit
2275 removed many bugs, re-added newer features and