.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $
.\" $FreeBSD$
.Dd February 27, 2014
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
.Nm sshd_config
.Nd OpenSSH SSH daemon configuration file
.Sh SYNOPSIS
.Nm /etc/ssh/sshd_config
.Sh DESCRIPTION
.Xr sshd 8
reads configuration data from
.Pa /etc/ssh/sshd_config
(or the file specified with
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
and empty lines are interpreted as comments.
Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
.It Cm AcceptEnv
Specifies what environment variables sent by the client will be copied into
the session's
.Xr environ 7 .
See
.Cm SendEnv
in
.Xr ssh_config 5
for how to configure the client.
Note that environment passing is only supported for protocol 2.
Variables are specified by name, which may contain the wildcard characters
.Ql *
and
.Ql \&? .
Multiple environment variables may be separated by whitespace or spread
across multiple
.Cm AcceptEnv
directives.
Be warned that some environment variables could be used to bypass restricted
user environments.
For this reason, care should be taken in the use of this directive.
The default is not to accept any environment variables.
.It Cm AddressFamily
Specifies which address family should be used by
.Xr sshd 8 .
Valid arguments are
.Dq any ,
.Dq inet
(use IPv4 only), or
.Dq inet6
(use IPv6 only).
The default is
.Dq any .
.It Cm AllowAgentForwarding
Specifies whether
.Xr ssh-agent 1
forwarding is permitted.
The default is
.Dq yes .
Note that disabling agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
If specified, login is allowed only for users whose primary
group or supplementary group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The available options are
.Dq yes
or
.Dq all
to allow TCP forwarding,
.Dq no
to prevent all TCP forwarding,
.Dq local
to allow local (from the perspective of
.Xr ssh 1 )
forwarding only or
.Dq remote
to allow remote forwarding only.
The default is
.Dq yes .
Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
If specified, login is allowed only for user names that
match one of the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm AuthenticationMethods
Specifies the authentication methods that must be successfully completed
for a user to be granted access.
This option must be followed by one or more comma-separated lists of
authentication method names.
Successful authentication requires completion of every method in at least
one of these lists.
.Pp
For example, an argument of
.Dq publickey,password publickey,keyboard-interactive
would require the user to complete public key authentication, followed by
either password or keyboard interactive authentication.
Only methods that are next in one or more lists are offered at each stage,
so for this example, it would not be possible to attempt password or
keyboard-interactive authentication before public key.
.Pp
For keyboard interactive authentication it is also possible to
restrict authentication to a specific device by appending a
colon followed by the device identifier
.Dq bsdauth ,
.Dq pam ,
or
.Dq skey ,
depending on the server configuration.
For example,
.Dq keyboard-interactive:bsdauth
would restrict keyboard interactive authentication to the
.Dq bsdauth
device.
.Pp
This option is only available for SSH protocol 2 and will yield a fatal
error if it is enabled while protocol 1 is also enabled.
Note that each authentication method listed should also be explicitly enabled
in the configuration.
The default is not to require multiple authentication; successful completion
of a single authentication method is sufficient.
.It Cm AuthorizedKeysCommand
Specifies a program to be used to look up the user's public keys.
The program must be owned by root and not writable by group or others.
It will be invoked with a single argument of the username
being authenticated, and should produce on standard output zero or
more lines of authorized_keys output (see AUTHORIZED_KEYS in
.Xr sshd 8 ) .
If a key supplied by AuthorizedKeysCommand does not successfully authenticate
and authorize the user then public key authentication continues using the usual
.Cm AuthorizedKeysFile
files.
By default, no AuthorizedKeysCommand is run.
.It Cm AuthorizedKeysCommandUser
Specifies the user under whose account the AuthorizedKeysCommand is run.
It is recommended to use a dedicated user that has no other role on the host
than running authorized keys commands.
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication.
The format is described in the
AUTHORIZED_KEYS FILE FORMAT
section of
.Xr sshd 8 .
.Cm AuthorizedKeysFile
may contain tokens of the form %T which are substituted during connection
setup.
The following tokens are defined: %% is replaced by a literal '%',
%h is replaced by the home directory of the user being authenticated, and
%u is replaced by the username of that user.
After expansion,
.Cm AuthorizedKeysFile
is taken to be an absolute path or one relative to the user's home
directory.
Multiple files may be listed, separated by whitespace.
The default is
.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
.It Cm AuthorizedPrincipalsFile
Specifies a file that lists principal names that are accepted for
certificate authentication.
When using certificates signed by a key listed in
.Cm TrustedUserCAKeys ,
this file lists names, one of which must appear in the certificate for it
to be accepted for authentication.
Names are listed one per line preceded by key options (as described
in AUTHORIZED_KEYS FILE FORMAT in
.Xr sshd 8 ) .
Empty lines and comments starting with
.Ql #
are ignored.
.Pp
.Cm AuthorizedPrincipalsFile
may contain tokens of the form %T which are substituted during connection
setup.
The following tokens are defined: %% is replaced by a literal '%',
%h is replaced by the home directory of the user being authenticated, and
%u is replaced by the username of that user.
After expansion,
.Cm AuthorizedPrincipalsFile
is taken to be an absolute path or one relative to the user's home
directory.
.Pp
The default is
.Dq none ,
i.e. not to use a principals file \(en in this case, the username
of the user must appear in a certificate's principals list for it to be
accepted.
Note that
.Cm AuthorizedPrincipalsFile
is only used when authentication proceeds using a CA listed in
.Cm TrustedUserCAKeys
and is not consulted for certification authorities trusted via
.Pa ~/.ssh/authorized_keys ,
though the
.Cm principals=
key option offers a similar facility (see
.Xr sshd 8
for details).
.It Cm Banner
The contents of the specified file are sent to the remote user before
authentication is allowed.
If the argument is
.Dq none
then no banner is displayed.
This option is only available for protocol version 2.
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or through authentication styles supported in
.Xr login.conf 5 ) .
The default is
.Dq yes .
.It Cm ChrootDirectory
Specifies the pathname of a directory to
.Xr chroot 2
to after authentication.
All components of the pathname must be root-owned directories that are
not writable by any other user or group.
After the chroot,
.Xr sshd 8
changes the working directory to the user's home directory.
.Pp
The pathname may contain the following tokens that are expanded at runtime once
the connecting user has been authenticated: %% is replaced by a literal '%',
%h is replaced by the home directory of the user being authenticated, and
%u is replaced by the username of that user.
.Pp
The
.Cm ChrootDirectory
must contain the necessary files and directories to support the
user's session.
For an interactive session this requires at least a shell, typically
.Xr sh 1 ,
and basic
.Pa /dev
nodes such as
.Xr null 4 ,
.Xr zero 4 ,
.Xr stdin 4 ,
.Xr stdout 4 ,
.Xr stderr 4 ,
.Xr arandom 4
and
.Xr tty 4
devices.
For file transfer sessions using
.Dq sftp ,
no additional configuration of the environment is necessary if the
in-process sftp server is used,
though sessions which use logging do require
.Pa /dev/log
inside the chroot directory (see
.Xr sftp-server 8
for details).
.Pp
The default is not to
.Xr chroot 2 .
.It Cm Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated.
The supported ciphers are:
.Pp
.Dq 3des-cbc ,
.Dq aes128-cbc ,
.Dq aes192-cbc ,
.Dq aes256-cbc ,
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
.Dq aes128-gcm@openssh.com ,
.Dq aes256-gcm@openssh.com ,
.Dq arcfour128 ,
.Dq arcfour256 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
.Dq cast128-cbc ,
and
.Dq chacha20-poly1305@openssh.com .
.Pp
The default is:
.Bd -literal -offset 3n
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
chacha20-poly1305@openssh.com,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
.Ed
.Pp
The list of available ciphers may also be obtained using the
.Fl Q
option of
.Xr ssh 1 .
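The stage-wise offering of methods described under AuthenticationMethods above, worked as an added Python model that is not OpenSSH's code. The method names and the example argument are the page's; the AuthState class and its set of separately enabled methods (the caveat that each listed method must also be enabled) are assumptions of the example.

```python
"""Added example (not OpenSSH code): how AuthenticationMethods lists are
evaluated.  Each comma-separated list is a required sequence; access is
granted when every method of at least one list has succeeded, and at each
stage only the *next* method of some still-viable list is offered."""

from typing import List, Set


def parse_methods(arg: str) -> List[List[str]]:
    """'publickey,password publickey,keyboard-interactive' -> two lists.
    A device suffix such as 'keyboard-interactive:bsdauth' is kept whole."""
    lists = [item.split(",") for item in arg.split()]
    if not lists or any(m == "" for seq in lists for m in seq):
        raise ValueError("malformed AuthenticationMethods: %r" % arg)
    return lists


class AuthState:
    """Per-connection progress through every candidate list."""

    def __init__(self, lists: List[List[str]], enabled: Set[str]):
        self.lists = lists
        self.progress = [0] * len(lists)   # index of next required method
        # Methods switched on elsewhere in the config (PubkeyAuthentication,
        # PasswordAuthentication, ...).  A listed method that is not enabled
        # can never be offered, which is the caveat the page warns about.
        self.enabled = set(enabled)

    def offered(self) -> Set[str]:
        """Methods advertised at this stage: the next step of each list."""
        out = set()
        for seq, pos in zip(self.lists, self.progress):
            if pos < len(seq) and seq[pos].split(":")[0] in self.enabled:
                out.add(seq[pos])
        return out

    def attempt(self, method: str, success: bool) -> bool:
        """Record one attempt; True once some list is fully completed.
        Attempts for methods that are not offered are not credited."""
        if not success or method not in self.offered():
            return False
        for i, seq in enumerate(self.lists):
            if self.progress[i] < len(seq) and seq[self.progress[i]] == method:
                self.progress[i] += 1
        return self.authenticated()

    def authenticated(self) -> bool:
        return any(pos >= len(seq)
                   for seq, pos in zip(self.lists, self.progress))
```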
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see below) which may be
sent without
.Xr sshd 8
receiving any messages back from the client.
If this threshold is reached while client alive messages are being sent,
sshd will disconnect the client, terminating the session.
It is important to note that the use of client alive messages is very
different from
.Cm TCPKeepAlive
(below).
The client alive messages are sent through the encrypted channel
and therefore will not be spoofable.
The TCP keepalive option enabled by
.Cm TCPKeepAlive
is spoofable.
The client alive mechanism is valuable when the client or
server depends on knowing when a connection has become inactive.
.Pp
The default value is 3.
If
.Cm ClientAliveInterval
(see below) is set to 15, and
.Cm ClientAliveCountMax
is left at the default, unresponsive SSH clients
will be disconnected after approximately 45 seconds.
This option applies to protocol version 2 only.
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which, if no data has been received
from the client,
.Xr sshd 8
will send a message through the encrypted
channel to request a response from the client.
The default
is 0, indicating that these messages will not be sent to the client.
This option applies to protocol version 2 only.
.It Cm Compression
Specifies whether compression is allowed, or delayed until
the user has authenticated successfully.
The argument must be
.Dq yes ,
.Dq delayed ,
or
.Dq no .
The default is
.Dq delayed .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
Login is disallowed for users whose primary group or supplementary
group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
Login is disallowed for user names that match one of the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
.Cm DenyGroups ,
and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
ignoring any command supplied by the client and
.Pa ~/.ssh/rc
if present.
The command is invoked by using the user's login shell with the -c option.
This applies to shell, command, or subsystem execution.
It is most useful inside a
.Cm Match
block.
The command originally supplied by the client is available in the
.Ev SSH_ORIGINAL_COMMAND
environment variable.
Specifying a command of
.Dq internal-sftp
will force the use of an in-process sftp server that requires no support
files when used with
.Cm ChrootDirectory .
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
.Xr sshd 8
binds remote port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that sshd
should allow remote port forwardings to bind to non-loopback addresses, thus
allowing other hosts to connect.
The argument may be
.Dq no
to force remote port forwardings to be available to the local host only,
.Dq yes
to force remote port forwardings to bind to the wildcard address, or
.Dq clientspecified
to allow the client to select the address to which the forwarding is bound.
The default is
.Dq no .
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
(host-based authentication).
This option is similar to
.Cm RhostsRSAAuthentication
and applies to protocol version 2 only.
The default is
.Dq no .
.It Cm HostbasedUsesNameFromPacketOnly
Specifies whether or not the server will attempt to perform a reverse
name lookup when matching the name in the
.Pa ~/.shosts ,
.Pa ~/.rhosts ,
and
.Pa /etc/hosts.equiv
files during
.Cm HostbasedAuthentication .
A setting of
.Dq yes
means that
.Xr sshd 8
uses the name supplied by the client rather than
attempting to resolve the name from the TCP connection itself.
The default is
.Dq no .
.It Cm HostCertificate
Specifies a file containing a public host certificate.
The certificate's public key must match a private host key already specified
by
.Cm HostKey .
The default behaviour of
.Xr sshd 8
is not to load any certificates.
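The four-step order given under AllowUsers, AllowGroups, DenyUsers and DenyGroups above (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups), worked as an added Python model that is not OpenSSH's code. Pattern handling follows the PATTERNS rules the page cites from ssh_config(5): '*' and '?' wildcards, and a leading '!' negation inside comma-separated lists; the login_allowed function, its reason strings and the sample users and addresses are assumptions of the example.

```python
"""Added example (not OpenSSH code): sshd's allow/deny evaluation order,
DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups, with USER@HOST
patterns and ssh_config(5) PATTERNS semantics."""

from fnmatch import fnmatchcase
from typing import Iterable, Sequence, Tuple


def match_pattern(value: str, pattern: str) -> bool:
    """Single ssh pattern: '*' and '?' wildcards (fnmatch also accepts
    '[...]', which ssh does not; harmless for the names used here)."""
    return fnmatchcase(value, pattern)


def match_pattern_list(value: str, pattern_list: str) -> int:
    """Comma-separated list: 1 = positive match, -1 = a negated ('!')
    entry matched and vetoes the list, 0 = nothing matched."""
    found = 0
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if match_pattern(value, pat[1:] if negate else pat):
            if negate:
                return -1
            found = 1
    return found


def match_user(user: str, host: str, addr: str, pattern: str) -> bool:
    """USER@HOST: the user part and the host part are checked separately;
    the host part is a pattern list matched against name or address."""
    if "@" not in pattern:
        return match_pattern(user, pattern)
    upat, hpat = pattern.split("@", 1)
    if not match_pattern(user, upat):
        return False
    return (match_pattern_list(host, hpat) == 1
            or match_pattern_list(addr, hpat) == 1)


def group_matches(groups: Iterable[str], pattern_list: str) -> bool:
    """True if some group matches positively and no group is vetoed."""
    results = [match_pattern_list(g, pattern_list) for g in groups]
    return -1 not in results and 1 in results


def login_allowed(user: str, groups: Sequence[str], host: str, addr: str,
                  deny_users: Sequence[str] = (), allow_users: Sequence[str] = (),
                  deny_groups: Sequence[str] = (), allow_groups: Sequence[str] = ()
                  ) -> Tuple[bool, str]:
    """Apply the directives in sshd's documented order; the reason string
    is what a defender would want to see in the auth log."""
    if any(match_user(user, host, addr, p) for p in deny_users):
        return False, "DenyUsers"
    if allow_users and not any(match_user(user, host, addr, p) for p in allow_users):
        return False, "not in AllowUsers"
    if any(group_matches(groups, p) for p in deny_groups):
        return False, "DenyGroups"
    if allow_groups and not any(group_matches(groups, p) for p in allow_groups):
        return False, "not in AllowGroups"
    return True, "allowed"
```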
.It Cm HostKey
Specifies a file containing a private host key
used by SSH.
The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh/ssh_host_dsa_key ,
.Pa /etc/ssh/ssh_host_ecdsa_key ,
.Pa /etc/ssh/ssh_host_ed25519_key
and
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
Note that
.Xr sshd 8
will refuse to use a file if it is group/world-accessible.
It is possible to have multiple host key files.
.Dq rsa1
keys are used for version 1 and
.Dq dsa ,
.Dq ecdsa ,
.Dq ed25519
or
.Dq rsa
are used for version 2 of the SSH protocol.
It is also possible to specify public host key files instead.
In this case operations on the private key will be delegated
to an
.Xr ssh-agent 1 .
.It Cm HostKeyAgent
Identifies the UNIX-domain socket used to communicate
with an agent that has access to the private host keys.
If
.Dq SSH_AUTH_SOCK
is specified, the location of the socket will be read from the
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm IgnoreRhosts
Specifies that
.Pa .rhosts
and
.Pa .shosts
files will not be used in
.Cm RhostsRSAAuthentication
or
.Cm HostbasedAuthentication .
.Pp
.Pa /etc/hosts.equiv
and
.Pa /etc/ssh/shosts.equiv
are still used.
The default is
.Dq yes .
.It Cm IgnoreUserKnownHosts
Specifies whether
.Xr sshd 8
should ignore the user's
.Pa ~/.ssh/known_hosts
during
.Cm RhostsRSAAuthentication
or
.Cm HostbasedAuthentication .
The default is
.Dq no .
.It Cm IPQoS
Specifies the IPv4 type-of-service or DSCP class for the connection.
Accepted values are
.Dq af11 ,
.Dq af12 ,
.Dq af13 ,
.Dq af21 ,
.Dq af22 ,
.Dq af23 ,
.Dq af31 ,
.Dq af32 ,
.Dq af33 ,
.Dq af41 ,
.Dq af42 ,
.Dq af43 ,
.Dq cs0 ,
.Dq cs1 ,
.Dq cs2 ,
.Dq cs3 ,
.Dq cs4 ,
.Dq cs5 ,
.Dq cs6 ,
.Dq cs7 ,
.Dq ef ,
.Dq lowdelay ,
.Dq throughput ,
.Dq reliability ,
or a numeric value.
This option may take one or two arguments, separated by whitespace.
If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
.Dq lowdelay
for interactive sessions and
.Dq throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.
The argument to this keyword must be
.Dq yes
or
.Dq no .
The default is to use whatever value
.Cm ChallengeResponseAuthentication
is set to
(by default
.Dq yes ) .
.It Cm KerberosAuthentication
Specifies whether the password provided by the user for
.Cm PasswordAuthentication
will be validated through the Kerberos KDC.
To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
The default is
.Dq no .
.It Cm KerberosGetAFSToken
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
an AFS token before accessing the user's home directory.
The default is
.Dq no .
.It Cm KerberosOrLocalPasswd
If password authentication through Kerberos fails then
the password will be validated via any additional local mechanism
such as
.Pa /etc/passwd .
The default is
.Dq yes .
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.
The default is
.Dq yes .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
The default is
.Bd -literal -offset indent
curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1
.Ed
.It Cm KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated
after this many seconds (if it has been used).
The purpose of regeneration is to prevent
decrypting captured sessions by later breaking into the machine and
stealing the keys.
The key is never stored anywhere.
If the value is 0, the key is never regenerated.
The default is 3600 (seconds).
.It Cm ListenAddress
Specifies the local addresses
.Xr sshd 8
should listen on.
The following forms may be used:
.Pp
.Bl -item -offset indent -compact
.It
.Cm ListenAddress
.Sm off
.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
.Sm on
.It
.Cm ListenAddress
.Sm off
.Ar host No | Ar IPv4_addr No : Ar port
.Sm on
.It
.Cm ListenAddress
.Sm off
.Oo
.Ar host No | Ar IPv6_addr Oc : Ar port
.Sm on
.El
.Pp
If
.Ar port
is not specified,
sshd will listen on the address and all prior
.Cm Port
options specified.
The default is to listen on all local addresses.
Multiple
.Cm ListenAddress
options are permitted.
Additionally, any
.Cm Port
options must precede this option for non-port qualified addresses.
.It Cm LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.
If the value is 0, there is no time limit.
The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Xr sshd 8 .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
The default is INFO.
DEBUG and DEBUG1 are equivalent.
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used in protocol version 2
for data integrity protection.
Multiple algorithms must be comma-separated.
The algorithms that contain
.Dq -etm
calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use is recommended.
The default is:
.Bd -literal -offset indent
hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
hmac-md5-96-etm@openssh.com,
hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-sha1-96,hmac-md5-96
.Ed
.It Cm Match
Introduces a conditional block.
If all of the criteria on the
.Cm Match
line are satisfied, the keywords on the following lines override those
set in the global section of the config file, until either another
.Cm Match
line or the end of the file.
If a keyword appears in multiple
.Cm Match
blocks that are satisfied, only the first instance of the keyword is
applied.
.Pp
The arguments to
.Cm Match
are one or more criteria-pattern pairs or the single token
.Cm All
which matches all criteria.
The available criteria are
.Cm User ,
.Cm Group ,
.Cm Host ,
.Cm LocalAddress ,
.Cm LocalPort ,
and
.Cm Address .
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
PATTERNS section of
.Xr ssh_config 5 .
.Pp
The patterns in an
.Cm Address
criterion may additionally contain addresses to match in CIDR
address/masklen format, e.g.\&
.Dq 192.0.2.0/24
or
.Dq 3ffe:ffff::/32 .
Note that the mask length provided must be consistent with the address:
it is an error to specify a mask length that is too long for the address
or one with bits set in the host portion of the address.
For example,
.Dq 192.0.2.0/33
and
.Dq 192.0.2.0/8
are rejected for those two reasons, respectively.
.Pp
Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.
Available keywords are
.Cm AcceptEnv ,
.Cm AllowAgentForwarding ,
.Cm AllowGroups ,
.Cm AllowTcpForwarding ,
.Cm AllowUsers ,
.Cm AuthenticationMethods ,
.Cm AuthorizedKeysCommand ,
.Cm AuthorizedKeysCommandUser ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
.Cm DenyGroups ,
.Cm DenyUsers ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
.Cm GSSAPIAuthentication ,
.Cm HostbasedAuthentication ,
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTTY ,
.Cm PermitTunnel ,
.Cm PubkeyAuthentication ,
.Cm RekeyLimit ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
.Cm X11DisplayOffset ,
.Cm X11Forwarding
and
.Cm X11UseLocalHost .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
Once the number of failures reaches half this value,
additional failures are logged.
The default is 6.
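Match processing as described above (every criterion on the line must hold, the first satisfied block wins per keyword, and CIDR masks must be consistent with the address), worked as an added Python model that is not OpenSSH's code. The configuration text is constructed for the example and builds on the ChrootDirectory and ForceCommand internal-sftp sections above; the connection dictionaries, function names and sample addresses are assumptions of the example.

```python
"""Added example (not OpenSSH code): sshd_config Match processing.  A block
applies when every criterion on its Match line holds; when several blocks
apply, the first one that sets a keyword wins.  Address criteria accept
CIDR, and the mask must fit the address with no host bits set."""

import ipaddress
from fnmatch import fnmatchcase

# Constructed sample: sftp-only chroot for one group, stricter admin policy.
SAMPLE_CONFIG = """
AllowTcpForwarding yes
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
Match User admin Address 192.0.2.0/24,!192.0.2.13
    AuthenticationMethods publickey,keyboard-interactive
    AllowTcpForwarding no
Match Address 192.0.2.0/24
    AllowTcpForwarding local
"""


def valid_cidr(spec: str) -> bool:
    """Rejects 192.0.2.0/33 (mask too long) and 192.0.2.0/8 (host bits set)."""
    try:
        ipaddress.ip_network(spec, strict=True)
    except ValueError:
        return False
    return True


def match_addr(addr: str, pat: str) -> bool:
    """One Address entry: CIDR containment, else a plain wildcard pattern."""
    if "/" not in pat:
        return fnmatchcase(addr, pat)
    if not valid_cidr(pat):
        raise ValueError("bad CIDR in Match Address: %s" % pat)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pat)


def match_list(value: str, pattern_list: str, one) -> int:
    """ssh pattern-list result: 1 positive, -1 negated ('!') hit, 0 none."""
    found = 0
    for pat in pattern_list.split(","):
        neg = pat.startswith("!")
        if one(value, pat[1:] if neg else pat):
            if neg:
                return -1
            found = 1
    return found


def criteria_match(criteria, conn: dict) -> bool:
    """Every criterion must hold; All always holds, unknown ones never do."""
    for crit, pat in criteria:
        if crit == "group":  # a negated hit on any of the groups vetoes
            res = [match_list(g, pat, fnmatchcase) for g in conn["groups"]]
            ok = -1 not in res and 1 in res
        elif crit in ("user", "host"):
            ok = match_list(conn[crit], pat, fnmatchcase) == 1
        elif crit in ("address", "localaddress"):
            ok = match_list(conn[crit], pat, match_addr) == 1
        elif crit == "localport":
            ok = str(conn[crit]) == pat
        else:
            ok = crit == "all"
        if not ok:
            return False
    return True


def parse_config(text: str):
    """Global settings plus Match blocks; keywords are case-insensitive."""
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, arg = (line.split(None, 1) + [""])[:2]
        if keyword.lower() != "match":
            current[keyword.lower()] = arg.strip()
            continue
        # criteria names are lowercased, their patterns are left as written
        toks = [t.lower() if i % 2 == 0 else t for i, t in enumerate(arg.split())]
        if not toks or (toks != ["all"] and len(toks) % 2):
            raise ValueError("Match needs criterion/pattern pairs: %s" % line)
        current = {}
        blocks.append((list(zip(toks[0::2], toks[1::2] or [""])), current))
    return global_cfg, blocks


def effective_config(text: str, conn: dict) -> dict:
    """Global settings, overridden by the first matching block per keyword."""
    result, blocks = parse_config(text)
    seen = set()
    for criteria, body in blocks:
        if criteria_match(criteria, conn):
            for key, val in body.items():
                if key not in seen:
                    seen.add(key)
                    result[key] = val
    return result
```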
.It Cm MaxSessions
Specifies the maximum number of open sessions permitted per network connection.
The default is 10.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
SSH daemon.
Additional connections will be dropped until authentication succeeds or the
.Cm LoginGraceTime
expires for a connection.
The default is 10:30:100.
.Pp
Alternatively, random early drop can be enabled by specifying
the three colon separated values
.Dq start:rate:full
(e.g. "10:30:60").
.Xr sshd 8
will refuse connection attempts with a probability of
.Dq rate/100
(30%)
if there are currently
.Dq start
(10)
unauthenticated connections.
The probability increases linearly and all connection attempts
are refused if the number of unauthenticated connections reaches
.Dq full
(60).
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
See also
.Cm UsePAM .
The default is
.Dq no .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
The default is
.Dq no .
.It Cm PermitOpen
Specifies the destinations to which TCP port forwarding is permitted.
The forwarding specification must be one of the following forms:
.Pp
.Bl -item -offset indent -compact
.It
.Cm PermitOpen
.Sm off
.Ar host : port
.Sm on
.It
.Cm PermitOpen
.Sm off
.Ar IPv4_addr : port
.Sm on
.It
.Cm PermitOpen
.Sm off
.Ar \&[ IPv6_addr \&] : port
.Sm on
.El
.Pp
Multiple forwards may be specified by separating them with whitespace.
An argument of
.Dq any
can be used to remove all restrictions and permit any forwarding requests.
An argument of
.Dq none
can be used to prohibit all forwarding requests.
By default all port forwarding requests are permitted.
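The random early drop described under MaxStartups above, worked as an added Python model that is not OpenSSH's code: it parses the start:rate:full argument, applies the sanity rules (start no larger than full, rate between 1 and 100), and computes the refusal probability for a given number of pending unauthenticated connections, with the linear ramp from rate% at start to 100% at full. The plain-number form is treated as a hard limit (start equal to full), which is how sshd's parser treats it; function names are assumptions of the example.

```python
"""Added example (not OpenSSH code): the MaxStartups random early drop.
With "start:rate:full", a new unauthenticated connection is refused with
probability rate% once 'start' are pending, rising linearly to 100% at
'full'.  A single number N means start == full == N: a hard limit."""

import random
from typing import Tuple

DEFAULT_RATE = 30  # the rate part of the documented default 10:30:100


def parse_max_startups(arg: str) -> Tuple[int, int, int]:
    """Return (start, rate, full) after sshd's sanity checks."""
    parts = arg.split(":")
    if len(parts) == 1:
        start = full = int(parts[0])
        rate = DEFAULT_RATE
    elif len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
    else:
        raise ValueError("MaxStartups must be N or start:rate:full: %r" % arg)
    if start > full or not 1 <= rate <= 100:
        raise ValueError("invalid MaxStartups %r" % arg)
    return start, rate, full


def drop_percent(pending: int, start: int, rate: int, full: int) -> int:
    """Percentage chance that the next connection is refused when
    'pending' unauthenticated connections are already in progress."""
    if pending < start:
        return 0
    if pending >= full:
        return 100
    # integer linear ramp: rate% at 'start', 100% at 'full'
    return rate + (100 - rate) * (pending - start) // (full - start)


def should_drop(pending: int, start: int, rate: int, full: int,
                roll: int) -> bool:
    """One decision; 'roll' is a uniform value in 0..99 (pass
    random.randrange(100) for a real decision, a fixed value to test)."""
    return roll < drop_percent(pending, start, rate, full)


if __name__ == "__main__":
    start, rate, full = parse_max_startups("10:30:60")
    for pending in range(0, 65, 5):
        refused = should_drop(pending, start, rate, full, random.randrange(100))
        print(pending, drop_percent(pending, start, rate, full), refused)
```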
.It Cm PermitRootLogin
Specifies whether root can log in using
.Xr ssh 1 .
The argument must be
.Dq yes ,
.Dq without-password ,
.Dq forced-commands-only ,
or
.Dq no .
The default is
.Dq no .
Note that if
.Cm ChallengeResponseAuthentication
is
.Dq yes ,
the root user may be allowed in with its password even if
.Cm PermitRootLogin is set to
.Dq without-password .
.Pp
If this option is set to
.Dq without-password ,
password authentication is disabled for root.
.Pp
If this option is set to
.Dq forced-commands-only ,
root login with public key authentication will be allowed,
but only if the
.Ar command
option has been specified
(which may be useful for taking remote backups even if root login is
normally not allowed).
All other authentication methods are disabled for root.
.Pp
If this option is set to
.Dq no ,
root is not allowed to log in.
.It Cm PermitTunnel
Specifies whether
.Xr tun 4
device forwarding is allowed.
The argument must be
.Dq yes ,
.Dq point-to-point
(layer 3),
.Dq ethernet
(layer 2), or
.Dq no .
Specifying
.Dq yes
permits both
.Dq point-to-point
and
.Dq ethernet .
The default is
.Dq no .
.It Cm PermitTTY
Specifies whether
.Xr pty 4
allocation is permitted.
The default is
.Dq yes .
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
and
.Cm environment=
options in
.Pa ~/.ssh/authorized_keys
are processed by
.Xr sshd 8 .
The default is
.Dq no .
Enabling environment processing may enable users to bypass access
restrictions in some configurations using mechanisms such as
.Ev LD_PRELOAD .
.It Cm PidFile
Specifies the file that contains the process ID of the
SSH daemon.
The default is
.Pa /var/run/sshd.pid .
.It Cm Port
Specifies the port number that
.Xr sshd 8
listens on.
The default is 22.
Multiple options of this type are permitted.
See also
.Cm ListenAddress .
.It Cm PrintLastLog
Specifies whether
.Xr sshd 8
should print the date and time of the last user login when a user logs
in interactively.
The default is
.Dq yes .
.It Cm PrintMotd
Specifies whether
.Xr sshd 8
should print
.Pa /etc/motd
when a user logs in interactively.
(On some systems it is also printed by the shell,
.Pa /etc/profile ,
or equivalent.)
The default is
.Dq yes .
.It Cm Protocol
Specifies the protocol versions
.Xr sshd 8
supports.
The possible values are
.Sq 1
and
.Sq 2 .
Multiple versions must be comma-separated.
The default is
.Sq 2 .
Note that the order of the protocol list does not indicate preference,
because the client selects among multiple protocol versions offered
by the server.
Specifying
.Dq 2,1
is identical to
.Dq 1,2 .
.It Cm PubkeyAuthentication
Specifies whether public key authentication is allowed.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted before the
session key is renegotiated, optionally followed by a maximum amount of
time that may pass before the session key is renegotiated.
The first argument is specified in bytes and may have a suffix of
.Sq K ,
.Sq M ,
or
.Sq G
to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
The default is between
.Sq 1G
and
.Sq 4G ,
depending on the cipher.
The optional second value is specified in seconds and may use any of the
units documented in the
.Sx TIME FORMATS
section.
The default value for
.Cm RekeyLimit
is
.Dq default none ,
which means that rekeying is performed after the cipher's default amount
of data has been sent or received and no time-based rekeying is done.
This option applies to protocol version 2 only.
.It Cm RevokedKeys
Specifies revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
Keys may be specified as a text file, listing one public key per line, or as
an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or
.Pa /etc/hosts.equiv
authentication together
with successful RSA host authentication is allowed.
The default is
.Dq no .
This option applies to protocol version 1 only.
.It Cm RSAAuthentication
Specifies whether pure RSA authentication is allowed.
The default is
.Dq yes .
This option applies to protocol version 1 only.
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.
.It Cm StrictModes
Specifies whether
.Xr sshd 8
should check file modes and ownership of the
user's files and home directory before accepting login.
This is normally desirable because novices sometimes accidentally leave their
directory or files world-writable.
The default is
.Dq yes .
Note that this does not apply to
.Cm ChrootDirectory ,
whose permissions and ownership are checked unconditionally.
.It Cm Subsystem
Configures an external subsystem (e.g. file transfer daemon).
Arguments should be a subsystem name and a command (with optional arguments)
to execute upon subsystem request.
.Pp
The command
.Xr sftp-server 8
implements the
.Dq sftp
file transfer subsystem.
.Pp
Alternatively the name
.Dq internal-sftp
implements an in-process
.Dq sftp
server.
This may simplify configurations using
.Cm ChrootDirectory
to force a different filesystem root on clients.
.Pp
By default no subsystems are defined.
Note that this option applies to protocol version 2 only.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
On the other hand, if TCP keepalives are not sent,
sessions may hang indefinitely on the server, leaving
.Dq ghost
users and consuming server resources.
.Pp
The default is
.Dq yes
(to send TCP keepalive messages), and the server will notice
if the network goes down or the client host crashes.
This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Dq no .
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication.
Keys are listed one per line; empty lines and comments starting with
.Ql #
are allowed.
If a certificate is presented for authentication and has its signing CA key
listed in this file, then it may be used for authentication for any user
listed in the certificate's principals list.
Note that certificates that lack a list of principals will not be permitted
for authentication using
.Cm TrustedUserCAKeys .
For more details on certificates, see the CERTIFICATES section in
.Xr ssh-keygen 1 .
.It Cm UseDNS
Specifies whether
.Xr sshd 8
should look up the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
.Dq yes .
.It Cm UseLogin
Specifies whether
.Xr login 1
is used for interactive login sessions.
The default is
.Dq no .
Note that
.Xr login 1
is never used for remote command execution.
Note also that if this is enabled,
.Cm X11Forwarding
will be disabled because
.Xr login 1
does not know how to handle
.Xr xauth 1
cookies.
If
.Cm UsePrivilegeSeparation
is specified, it will be disabled after authentication.
.It Cm UsePAM
Enables the Pluggable Authentication Module interface.
If set to
.Dq yes
this will enable PAM authentication using
.Cm ChallengeResponseAuthentication
and
.Cm PasswordAuthentication
in addition to PAM account and session module processing for all
authentication types.
.Pp
Because PAM challenge-response authentication usually serves an equivalent
role to password authentication, you should disable either
.Cm PasswordAuthentication
or
.Cm ChallengeResponseAuthentication .
.Pp
If
.Cm UsePAM
is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
.Dq yes .
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
separates privileges by creating an unprivileged child process
to deal with incoming network traffic.
After successful authentication, another process will be created that has
the privilege of the authenticated user.
The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq sandbox .
If
.Cm UsePrivilegeSeparation
is set to
.Dq sandbox
then the pre-authentication unprivileged process is subject to additional
restrictions.
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
.Dq FreeBSD-20140420 .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
X11 forwarding.
This prevents sshd from interfering with real X11 servers.
The default is 10.
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
.Xr sshd 8
proxy display is configured to listen on the wildcard address (see
.Cm X11UseLocalhost
below), though this is not the default.
Additionally, the authentication spoofing and authentication data
verification and substitution occur on the client side.
The security risk of using X11 forwarding is that the client's X11
display server may be exposed to attack when the SSH client requests
forwarding (see the warnings for
.Cm ForwardX11
in
.Xr ssh_config 5 ) .
A system administrator may have a stance in which they want to
protect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a
.Dq no
setting.
.Pp
Note that disabling X11 forwarding does not prevent users from
forwarding X11 traffic, as users can always install their own forwarders.
X11 forwarding is automatically disabled if
.Cm UseLogin
is enabled.
.It Cm X11UseLocalhost
Specifies whether
.Xr sshd 8
should bind the X11 forwarding server to the loopback address or to
the wildcard address.
By default,
sshd binds the forwarding server to the loopback address and sets the
hostname part of the
.Ev DISPLAY
environment variable to
.Dq localhost .
This prevents remote hosts from connecting to the proxy display.
However, some older X11 clients may not function with this
configuration.
.Cm X11UseLocalhost
may be set to
.Dq no
to specify that the forwarding server should be bound to the wildcard
address.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq yes .
.It Cm XAuthLocation
Specifies the full pathname of the
.Xr xauth 1
program.
The default is
.Pa /usr/local/bin/xauth .
.El
.Sh TIME FORMATS
.Xr sshd 8
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
.Sm off
.Ar time Op Ar qualifier ,
.Sm on
where
.Ar time
is a positive integer value and
.Ar qualifier
is one of the following:
.Pp
.Bl -tag -width Ds -compact -offset indent
.It Aq Cm none
seconds
.It Cm s | Cm S
seconds
.It Cm m | Cm M
minutes
.It Cm h | Cm H
hours
.It Cm d | Cm D
days
.It Cm w | Cm W
weeks
.El
.Pp
Each member of the sequence is added together to calculate
the total time value.
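The time grammar just described, and the
RekeyLimit argument from the OPTIONS section above (a byte count with an
optional K, M or G suffix, optionally followed by a time), parsed in C as
an added example for this page. This is not the sshd(8) source: the
function and struct names (parse_time, parse_data_amount, parse_rekey_limit,
struct rekey_limit) are the example's own, the size suffixes are assumed
to be binary multiples (1K = 1024 bytes), and every parser returns -1 on
malformed input rather than guessing at a value.

```c
/*
 * Added example (not sshd(8) source): parsers for the TIME FORMATS
 * grammar and for the RekeyLimit argument "bytes[K|M|G] [time]".
 * Names are this example's own; size suffixes are assumed to be
 * binary multiples (1K = 1024 bytes).
 */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse a time such as "600", "10m" or "1h30m" into seconds.  Each
 * "time[qualifier]" member is added to the running total, as the
 * section describes.  Returns -1 for an empty string, a member without
 * digits, an unknown qualifier, or overflow.
 */
long
parse_time(const char *s)
{
	long total = 0, n, mult;
	char *end;

	if (s == NULL || *s == '\0')
		return -1;
	while (*s != '\0') {
		if (!isdigit((unsigned char)*s))
			return -1;	/* each member must start with digits */
		n = strtol(s, &end, 10);
		mult = 1;
		switch (*end) {
		case '\0': break;			/* bare number: seconds */
		case 's': case 'S': end++; break;
		case 'm': case 'M': mult = 60; end++; break;
		case 'h': case 'H': mult = 3600; end++; break;
		case 'd': case 'D': mult = 86400; end++; break;
		case 'w': case 'W': mult = 604800; end++; break;
		default: return -1;
		}
		if (n > LONG_MAX / mult || n * mult > LONG_MAX - total)
			return -1;
		total += n * mult;
		s = end;
	}
	return total;
}

/*
 * Parse a RekeyLimit data amount: a byte count with an optional K, M
 * or G suffix (the suffixes documented above).  Returns bytes or -1.
 */
long long
parse_data_amount(const char *s)
{
	long long n, mult = 1;
	char *end;

	if (s == NULL || !isdigit((unsigned char)*s))
		return -1;
	n = strtoll(s, &end, 10);
	switch (*end) {
	case '\0': break;
	case 'K': mult = 1024LL; end++; break;
	case 'M': mult = 1024LL * 1024; end++; break;
	case 'G': mult = 1024LL * 1024 * 1024; end++; break;
	default: return -1;
	}
	if (*end != '\0' || n > LLONG_MAX / mult)
		return -1;
	return n * mult;
}

struct rekey_limit {
	long long bytes;	/* 0: rekey after the cipher's default amount */
	long seconds;		/* 0: no time-based rekeying */
};

/* Parse the whole argument, e.g. "default none", "1G 1h" or "4G". */
int
parse_rekey_limit(const char *arg, struct rekey_limit *rl)
{
	char buf[128], *data, *when;

	if (arg == NULL || strlen(arg) >= sizeof(buf))
		return -1;
	strcpy(buf, arg);
	data = strtok(buf, " \t");
	when = strtok(NULL, " \t");
	if (data == NULL || strtok(NULL, " \t") != NULL)
		return -1;	/* no data amount, or trailing junk */
	if (strcmp(data, "default") == 0)
		rl->bytes = 0;
	else if ((rl->bytes = parse_data_amount(data)) < 0)
		return -1;
	if (when == NULL || strcmp(when, "none") == 0)
		rl->seconds = 0;
	else if ((rl->seconds = parse_time(when)) < 0)
		return -1;
	return 0;
}

int
main(void)
{
	const char *times[] = { "600", "10m", "1h30m", "2w", "10x" };
	struct rekey_limit rl;
	size_t i;

	for (i = 0; i < sizeof(times) / sizeof(times[0]); i++)
		printf("%-6s -> %ld seconds\n", times[i], parse_time(times[i]));
	if (parse_rekey_limit("1G 1h", &rl) == 0)
		printf("RekeyLimit 1G 1h -> %lld bytes, %ld seconds\n",
		    rl.bytes, rl.seconds);
	return 0;
}
```

Rejecting rather than truncating malformed input matters for a daemon
configuration: a value such as "10x" or "1G 1h extra" is reported as an
error instead of silently becoming a shorter or longer limit than intended.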
.Pp
Time format examples:
.Pp
.Bl -tag -width Ds -compact -offset indent
.It 600
600 seconds (10 minutes)
.It 10m
10 minutes
.It 1h30m
1 hour 30 minutes (90 minutes)
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config
Contains configuration data for
.Xr sshd 8 .
This file should be writable by root only, but it is recommended
(though not necessary) that it be world-readable.
.El
.Sh SEE ALSO
.Xr sshd 8
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt and Dug Song
removed many bugs, re-added newer features and
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.
Niels Provos and Markus Friedl contributed support
for privilege separation.