xref: /freebsd/crypto/openssh/sshd_config.5 (revision 1f4bcc459a76b7aa664f3fd557684cd0ba6da352)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $
37.\" $FreeBSD$
38.Dd $Mdocdate: August 14 2015 $
39.Dt SSHD_CONFIG 5
40.Os
41.Sh NAME
42.Nm sshd_config
43.Nd OpenSSH SSH daemon configuration file
44.Sh SYNOPSIS
45.Nm /etc/ssh/sshd_config
46.Sh DESCRIPTION
47.Xr sshd 8
48reads configuration data from
49.Pa /etc/ssh/sshd_config
50(or the file specified with
51.Fl f
52on the command line).
53The file contains keyword-argument pairs, one per line.
54Lines starting with
55.Ql #
56and empty lines are interpreted as comments.
57Arguments may optionally be enclosed in double quotes
58.Pq \&"
59in order to represent arguments containing spaces.
60.Pp
61The possible
62keywords and their meanings are as follows (note that
63keywords are case-insensitive and arguments are case-sensitive):
64.Bl -tag -width Ds
65.It Cm AcceptEnv
66Specifies what environment variables sent by the client will be copied into
67the session's
68.Xr environ 7 .
69See
70.Cm SendEnv
71in
72.Xr ssh_config 5
73for how to configure the client.
74Note that environment passing is only supported for protocol 2, and
75that the
76.Ev TERM
77environment variable is always sent whenever the client
78requests a pseudo-terminal as it is required by the protocol.
79Variables are specified by name, which may contain the wildcard characters
80.Ql *
81and
82.Ql \&? .
83Multiple environment variables may be separated by whitespace or spread
84across multiple
85.Cm AcceptEnv
86directives.
87Be warned that some environment variables could be used to bypass restricted
88user environments.
89For this reason, care should be taken in the use of this directive.
90The default is not to accept any environment variables.
91.It Cm AddressFamily
92Specifies which address family should be used by
93.Xr sshd 8 .
94Valid arguments are
95.Dq any ,
96.Dq inet
97(use IPv4 only), or
98.Dq inet6
99(use IPv6 only).
100The default is
101.Dq any .
102.It Cm AllowAgentForwarding
103Specifies whether
104.Xr ssh-agent 1
105forwarding is permitted.
106The default is
107.Dq yes .
108Note that disabling agent forwarding does not improve security
109unless users are also denied shell access, as they can always install
110their own forwarders.
111.It Cm AllowGroups
112This keyword can be followed by a list of group name patterns, separated
113by spaces.
114If specified, login is allowed only for users whose primary
115group or supplementary group list matches one of the patterns.
116Only group names are valid; a numerical group ID is not recognized.
117By default, login is allowed for all groups.
118The allow/deny directives are processed in the following order:
119.Cm DenyUsers ,
120.Cm AllowUsers ,
121.Cm DenyGroups ,
122and finally
123.Cm AllowGroups .
124.Pp
125See PATTERNS in
126.Xr ssh_config 5
127for more information on patterns.
128.It Cm AllowTcpForwarding
129Specifies whether TCP forwarding is permitted.
130The available options are
131.Dq yes
132or
133.Dq all
134to allow TCP forwarding,
135.Dq no
136to prevent all TCP forwarding,
137.Dq local
138to allow local (from the perspective of
139.Xr ssh 1 )
140forwarding only or
141.Dq remote
142to allow remote forwarding only.
143The default is
144.Dq yes .
145Note that disabling TCP forwarding does not improve security unless
146users are also denied shell access, as they can always install their
147own forwarders.
148.It Cm AllowStreamLocalForwarding
149Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
150The available options are
151.Dq yes
152or
153.Dq all
154to allow StreamLocal forwarding,
155.Dq no
156to prevent all StreamLocal forwarding,
157.Dq local
158to allow local (from the perspective of
159.Xr ssh 1 )
160forwarding only or
161.Dq remote
162to allow remote forwarding only.
163The default is
164.Dq yes .
165Note that disabling StreamLocal forwarding does not improve security unless
166users are also denied shell access, as they can always install their
167own forwarders.
168.It Cm AllowUsers
169This keyword can be followed by a list of user name patterns, separated
170by spaces.
171If specified, login is allowed only for user names that
172match one of the patterns.
173Only user names are valid; a numerical user ID is not recognized.
174By default, login is allowed for all users.
175If the pattern takes the form USER@HOST then USER and HOST
176are separately checked, restricting logins to particular
177users from particular hosts.
178The allow/deny directives are processed in the following order:
179.Cm DenyUsers ,
180.Cm AllowUsers ,
181.Cm DenyGroups ,
182and finally
183.Cm AllowGroups .
184.Pp
185See PATTERNS in
186.Xr ssh_config 5
187for more information on patterns.
188.It Cm AuthenticationMethods
189Specifies the authentication methods that must be successfully completed
190for a user to be granted access.
191This option must be followed by one or more comma-separated lists of
192authentication method names.
193Successful authentication requires completion of every method in at least
194one of these lists.
195.Pp
196For example, an argument of
197.Dq publickey,password publickey,keyboard-interactive
198would require the user to complete public key authentication, followed by
199either password or keyboard interactive authentication.
200Only methods that are next in one or more lists are offered at each stage,
201so for this example, it would not be possible to attempt password or
202keyboard-interactive authentication before public key.
203.Pp
204For keyboard interactive authentication it is also possible to
205restrict authentication to a specific device by appending a
206colon followed by the device identifier
207.Dq bsdauth ,
208.Dq pam ,
209or
210.Dq skey ,
211depending on the server configuration.
212For example,
213.Dq keyboard-interactive:bsdauth
214would restrict keyboard interactive authentication to the
215.Dq bsdauth
216device.
217.Pp
218If the
219.Dq publickey
220method is listed more than once,
221.Xr sshd 8
222verifies that keys that have been used successfully are not reused for
223subsequent authentications.
224For example, an
225.Cm AuthenticationMethods
226of
227.Dq publickey,publickey
228will require successful authentication using two different public keys.
229.Pp
230This option is only available for SSH protocol 2 and will yield a fatal
231error if enabled if protocol 1 is also enabled.
232Note that each authentication method listed should also be explicitly enabled
233in the configuration.
234The default is not to require multiple authentication; successful completion
235of a single authentication method is sufficient.
236.It Cm AuthorizedKeysCommand
237Specifies a program to be used to look up the user's public keys.
238The program must be owned by root, not writable by group or others and
239specified by an absolute path.
240.Pp
241Arguments to
242.Cm AuthorizedKeysCommand
243may be provided using the following tokens, which will be expanded
244at runtime: %% is replaced by a literal '%', %u is replaced by the
245username being authenticated, %h is replaced by the home directory
246of the user being authenticated, %t is replaced with the key type
247offered for authentication, %f is replaced with the fingerprint of
248the key, and %k is replaced with the key being offered for authentication.
249If no arguments are specified then the username of the target user
250will be supplied.
251.Pp
252The program should produce on standard output zero or
253more lines of authorized_keys output (see AUTHORIZED_KEYS in
254.Xr sshd 8 ) .
255If a key supplied by AuthorizedKeysCommand does not successfully authenticate
256and authorize the user then public key authentication continues using the usual
257.Cm AuthorizedKeysFile
258files.
259By default, no AuthorizedKeysCommand is run.
260.It Cm AuthorizedKeysCommandUser
261Specifies the user under whose account the AuthorizedKeysCommand is run.
262It is recommended to use a dedicated user that has no other role on the host
263than running authorized keys commands.
264If
265.Cm AuthorizedKeysCommand
266is specified but
267.Cm AuthorizedKeysCommandUser
268is not, then
269.Xr sshd 8
270will refuse to start.
271.It Cm AuthorizedKeysFile
272Specifies the file that contains the public keys that can be used
273for user authentication.
274The format is described in the
275AUTHORIZED_KEYS FILE FORMAT
276section of
277.Xr sshd 8 .
278.Cm AuthorizedKeysFile
279may contain tokens of the form %T which are substituted during connection
280setup.
281The following tokens are defined: %% is replaced by a literal '%',
282%h is replaced by the home directory of the user being authenticated, and
283%u is replaced by the username of that user.
284After expansion,
285.Cm AuthorizedKeysFile
286is taken to be an absolute path or one relative to the user's home
287directory.
288Multiple files may be listed, separated by whitespace.
289The default is
290.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
291.It Cm AuthorizedPrincipalsCommand
292Specifies a program to be used to generate the list of allowed
293certificate principals as per
294.Cm AuthorizedPrincipalsFile .
295The program must be owned by root, not writable by group or others and
296specified by an absolute path.
297.Pp
298Arguments to
299.Cm AuthorizedPrincipalsCommand
300may be provided using the following tokens, which will be expanded
301at runtime: %% is replaced by a literal '%', %u is replaced by the
302username being authenticated and %h is replaced by the home directory
303of the user being authenticated.
304.Pp
305The program should produce on standard output zero or
306more lines of
307.Cm AuthorizedPrincipalsFile
308output.
309If either
310.Cm AuthorizedPrincipalsCommand
311or
312.Cm AuthorizedPrincipalsFile
313is specified, then certificates offered by the client for authentication
314must contain a principal that is listed.
315By default, no AuthorizedPrincipalsCommand is run.
316.It Cm AuthorizedPrincipalsCommandUser
317Specifies the user under whose account the AuthorizedPrincipalsCommand is run.
318It is recommended to use a dedicated user that has no other role on the host
319than running authorized principals commands.
320If
321.Cm AuthorizedPrincipalsCommand
322is specified but
323.Cm AuthorizedPrincipalsCommandUser
324is not, then
325.Xr sshd 8
326will refuse to start.
327.It Cm AuthorizedPrincipalsFile
328Specifies a file that lists principal names that are accepted for
329certificate authentication.
330When using certificates signed by a key listed in
331.Cm TrustedUserCAKeys ,
332this file lists names, one of which must appear in the certificate for it
333to be accepted for authentication.
334Names are listed one per line preceded by key options (as described
335in AUTHORIZED_KEYS FILE FORMAT in
336.Xr sshd 8 ) .
337Empty lines and comments starting with
338.Ql #
339are ignored.
340.Pp
341.Cm AuthorizedPrincipalsFile
342may contain tokens of the form %T which are substituted during connection
343setup.
344The following tokens are defined: %% is replaced by a literal '%',
345%h is replaced by the home directory of the user being authenticated, and
346%u is replaced by the username of that user.
347After expansion,
348.Cm AuthorizedPrincipalsFile
349is taken to be an absolute path or one relative to the user's home
350directory.
351.Pp
352The default is
353.Dq none ,
354i.e. not to use a principals file \(en in this case, the username
355of the user must appear in a certificate's principals list for it to be
356accepted.
357Note that
358.Cm AuthorizedPrincipalsFile
359is only used when authentication proceeds using a CA listed in
360.Cm TrustedUserCAKeys
361and is not consulted for certification authorities trusted via
362.Pa ~/.ssh/authorized_keys ,
363though the
364.Cm principals=
365key option offers a similar facility (see
366.Xr sshd 8
367for details).
368.It Cm Banner
369The contents of the specified file are sent to the remote user before
370authentication is allowed.
371If the argument is
372.Dq none
373then no banner is displayed.
374This option is only available for protocol version 2.
375By default, no banner is displayed.
376.It Cm ChallengeResponseAuthentication
377Specifies whether challenge-response authentication is allowed (e.g. via
378PAM or through authentication styles supported in
379.Xr login.conf 5 )
380The default is
381.Dq yes .
382.It Cm ChrootDirectory
383Specifies the pathname of a directory to
384.Xr chroot 2
385to after authentication.
386At session startup
387.Xr sshd 8
388checks that all components of the pathname are root-owned directories
389which are not writable by any other user or group.
390After the chroot,
391.Xr sshd 8
392changes the working directory to the user's home directory.
393.Pp
394The pathname may contain the following tokens that are expanded at runtime once
395the connecting user has been authenticated: %% is replaced by a literal '%',
396%h is replaced by the home directory of the user being authenticated, and
397%u is replaced by the username of that user.
398.Pp
399The
400.Cm ChrootDirectory
401must contain the necessary files and directories to support the
402user's session.
403For an interactive session this requires at least a shell, typically
404.Xr sh 1 ,
405and basic
406.Pa /dev
407nodes such as
408.Xr null 4 ,
409.Xr zero 4 ,
410.Xr stdin 4 ,
411.Xr stdout 4 ,
412.Xr stderr 4 ,
413and
414.Xr tty 4
415devices.
416For file transfer sessions using
417.Dq sftp ,
418no additional configuration of the environment is necessary if the
419in-process sftp server is used,
420though sessions which use logging may require
421.Pa /dev/log
422inside the chroot directory on some operating systems (see
423.Xr sftp-server 8
424for details).
425.Pp
426For safety, it is very important that the directory hierarchy be
427prevented from modification by other processes on the system (especially
428those outside the jail).
429Misconfiguration can lead to unsafe environments which
430.Xr sshd 8
431cannot detect.
432.Pp
433The default is not to
434.Xr chroot 2 .
435.It Cm Ciphers
436Specifies the ciphers allowed for protocol version 2.
437Multiple ciphers must be comma-separated.
438If the specified value begins with a
439.Sq +
440character, then the specified ciphers will be appended to the default set
441instead of replacing them.
442.Pp
443The supported ciphers are:
444.Pp
445.Bl -item -compact -offset indent
446.It
4473des-cbc
448.It
449aes128-cbc
450.It
451aes192-cbc
452.It
453aes256-cbc
454.It
455aes128-ctr
456.It
457aes192-ctr
458.It
459aes256-ctr
460.It
461aes128-gcm@openssh.com
462.It
463aes256-gcm@openssh.com
464.It
465arcfour
466.It
467arcfour128
468.It
469arcfour256
470.It
471blowfish-cbc
472.It
473cast128-cbc
474.It
475chacha20-poly1305@openssh.com
476.El
477.Pp
478The default is:
479.Bd -literal -offset indent
480chacha20-poly1305@openssh.com,
481aes128-ctr,aes192-ctr,aes256-ctr,
482aes128-gcm@openssh.com,aes256-gcm@openssh.com
483.Ed
484.Pp
485The list of available ciphers may also be obtained using the
486.Fl Q
487option of
488.Xr ssh 1
489with an argument of
490.Dq cipher .
491.It Cm ClientAliveCountMax
492Sets the number of client alive messages (see below) which may be
493sent without
494.Xr sshd 8
495receiving any messages back from the client.
496If this threshold is reached while client alive messages are being sent,
497sshd will disconnect the client, terminating the session.
498It is important to note that the use of client alive messages is very
499different from
500.Cm TCPKeepAlive
501(below).
502The client alive messages are sent through the encrypted channel
503and therefore will not be spoofable.
504The TCP keepalive option enabled by
505.Cm TCPKeepAlive
506is spoofable.
507The client alive mechanism is valuable when the client or
508server depend on knowing when a connection has become inactive.
509.Pp
510The default value is 3.
511If
512.Cm ClientAliveInterval
513(see below) is set to 15, and
514.Cm ClientAliveCountMax
515is left at the default, unresponsive SSH clients
516will be disconnected after approximately 45 seconds.
517This option applies to protocol version 2 only.
518.It Cm ClientAliveInterval
519Sets a timeout interval in seconds after which if no data has been received
520from the client,
521.Xr sshd 8
522will send a message through the encrypted
523channel to request a response from the client.
524The default
525is 0, indicating that these messages will not be sent to the client.
526This option applies to protocol version 2 only.
527.It Cm Compression
528Specifies whether compression is allowed, or delayed until
529the user has authenticated successfully.
530The argument must be
531.Dq yes ,
532.Dq delayed ,
533or
534.Dq no .
535The default is
536.Dq delayed .
537.It Cm DenyGroups
538This keyword can be followed by a list of group name patterns, separated
539by spaces.
540Login is disallowed for users whose primary group or supplementary
541group list matches one of the patterns.
542Only group names are valid; a numerical group ID is not recognized.
543By default, login is allowed for all groups.
544The allow/deny directives are processed in the following order:
545.Cm DenyUsers ,
546.Cm AllowUsers ,
547.Cm DenyGroups ,
548and finally
549.Cm AllowGroups .
550.Pp
551See PATTERNS in
552.Xr ssh_config 5
553for more information on patterns.
554.It Cm DenyUsers
555This keyword can be followed by a list of user name patterns, separated
556by spaces.
557Login is disallowed for user names that match one of the patterns.
558Only user names are valid; a numerical user ID is not recognized.
559By default, login is allowed for all users.
560If the pattern takes the form USER@HOST then USER and HOST
561are separately checked, restricting logins to particular
562users from particular hosts.
563The allow/deny directives are processed in the following order:
564.Cm DenyUsers ,
565.Cm AllowUsers ,
566.Cm DenyGroups ,
567and finally
568.Cm AllowGroups .
569.Pp
570See PATTERNS in
571.Xr ssh_config 5
572for more information on patterns.
573.It Cm FingerprintHash
574Specifies the hash algorithm used when logging key fingerprints.
575Valid options are:
576.Dq md5
577and
578.Dq sha256 .
579The default is
580.Dq sha256 .
581.It Cm ForceCommand
582Forces the execution of the command specified by
583.Cm ForceCommand ,
584ignoring any command supplied by the client and
585.Pa ~/.ssh/rc
586if present.
587The command is invoked by using the user's login shell with the -c option.
588This applies to shell, command, or subsystem execution.
589It is most useful inside a
590.Cm Match
591block.
592The command originally supplied by the client is available in the
593.Ev SSH_ORIGINAL_COMMAND
594environment variable.
595Specifying a command of
596.Dq internal-sftp
597will force the use of an in-process sftp server that requires no support
598files when used with
599.Cm ChrootDirectory .
600.It Cm GatewayPorts
601Specifies whether remote hosts are allowed to connect to ports
602forwarded for the client.
603By default,
604.Xr sshd 8
605binds remote port forwardings to the loopback address.
606This prevents other remote hosts from connecting to forwarded ports.
607.Cm GatewayPorts
608can be used to specify that sshd
609should allow remote port forwardings to bind to non-loopback addresses, thus
610allowing other hosts to connect.
611The argument may be
612.Dq no
613to force remote port forwardings to be available to the local host only,
614.Dq yes
615to force remote port forwardings to bind to the wildcard address, or
616.Dq clientspecified
617to allow the client to select the address to which the forwarding is bound.
618The default is
619.Dq no .
620.It Cm GSSAPIAuthentication
621Specifies whether user authentication based on GSSAPI is allowed.
622The default is
623.Dq no .
624Note that this option applies to protocol version 2 only.
625.It Cm GSSAPICleanupCredentials
626Specifies whether to automatically destroy the user's credentials cache
627on logout.
628The default is
629.Dq yes .
630Note that this option applies to protocol version 2 only.
631.It Cm GSSAPIStrictAcceptorCheck
632Determines whether to be strict about the identity of the GSSAPI acceptor
633a client authenticates against.
634If set to
635.Dq yes
636then the client must authenticate against the
637.Pa host
638service on the current hostname.
639If set to
640.Dq no
641then the client may authenticate against any service key stored in the
642machine's default store.
643This facility is provided to assist with operation on multi homed machines.
644The default is
645.Dq yes .
646.It Cm HostbasedAcceptedKeyTypes
647Specifies the key types that will be accepted for hostbased authentication
648as a comma-separated pattern list.
649Alternately if the specified value begins with a
650.Sq +
651character, then the specified key types will be appended to the default set
652instead of replacing them.
653The default for this option is:
654.Bd -literal -offset 3n
655ecdsa-sha2-nistp256-cert-v01@openssh.com,
656ecdsa-sha2-nistp384-cert-v01@openssh.com,
657ecdsa-sha2-nistp521-cert-v01@openssh.com,
658ssh-ed25519-cert-v01@openssh.com,
659ssh-rsa-cert-v01@openssh.com,
660ssh-dss-cert-v01@openssh.com,
661ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
662ecdsa-sha2-nistp521,ssh-ed25519,
663ssh-rsa,ssh-dss
664.Ed
665.Pp
666The
667.Fl Q
668option of
669.Xr ssh 1
670may be used to list supported key types.
671.It Cm HostbasedAuthentication
672Specifies whether rhosts or /etc/hosts.equiv authentication together
673with successful public key client host authentication is allowed
674(host-based authentication).
675This option is similar to
676.Cm RhostsRSAAuthentication
677and applies to protocol version 2 only.
678The default is
679.Dq no .
680.It Cm HostbasedUsesNameFromPacketOnly
681Specifies whether or not the server will attempt to perform a reverse
682name lookup when matching the name in the
683.Pa ~/.shosts ,
684.Pa ~/.rhosts ,
685and
686.Pa /etc/hosts.equiv
687files during
688.Cm HostbasedAuthentication .
689A setting of
690.Dq yes
691means that
692.Xr sshd 8
693uses the name supplied by the client rather than
694attempting to resolve the name from the TCP connection itself.
695The default is
696.Dq no .
697.It Cm HostCertificate
698Specifies a file containing a public host certificate.
699The certificate's public key must match a private host key already specified
700by
701.Cm HostKey .
702The default behaviour of
703.Xr sshd 8
704is not to load any certificates.
705.It Cm HostKey
706Specifies a file containing a private host key
707used by SSH.
708The default is
709.Pa /etc/ssh/ssh_host_key
710for protocol version 1, and
711.Pa /etc/ssh/ssh_host_dsa_key ,
712.Pa /etc/ssh/ssh_host_ecdsa_key ,
713.Pa /etc/ssh/ssh_host_ed25519_key
714and
715.Pa /etc/ssh/ssh_host_rsa_key
716for protocol version 2.
717.Pp
718Note that
719.Xr sshd 8
720will refuse to use a file if it is group/world-accessible
721and that the
722.Cm HostKeyAlgorithms
723option restricts which of the keys are actually used by
724.Xr sshd 8 .
725.Pp
726It is possible to have multiple host key files.
727.Dq rsa1
728keys are used for version 1 and
729.Dq dsa ,
730.Dq ecdsa ,
731.Dq ed25519
732or
733.Dq rsa
734are used for version 2 of the SSH protocol.
735It is also possible to specify public host key files instead.
736In this case operations on the private key will be delegated
737to an
738.Xr ssh-agent 1 .
739.It Cm HostKeyAgent
740Identifies the UNIX-domain socket used to communicate
741with an agent that has access to the private host keys.
742If
743.Dq SSH_AUTH_SOCK
744is specified, the location of the socket will be read from the
745.Ev SSH_AUTH_SOCK
746environment variable.
747.It Cm HostKeyAlgorithms
748Specifies the protocol version 2 host key algorithms
749that the server offers.
750The default for this option is:
751.Bd -literal -offset 3n
752ecdsa-sha2-nistp256-cert-v01@openssh.com,
753ecdsa-sha2-nistp384-cert-v01@openssh.com,
754ecdsa-sha2-nistp521-cert-v01@openssh.com,
755ssh-ed25519-cert-v01@openssh.com,
756ssh-rsa-cert-v01@openssh.com,
757ssh-dss-cert-v01@openssh.com,
758ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
759ecdsa-sha2-nistp521,ssh-ed25519,
760ssh-rsa,ssh-dss
761.Ed
762.Pp
763The list of available key types may also be obtained using the
764.Fl Q
765option of
766.Xr ssh 1
767with an argument of
768.Dq key .
769.It Cm IgnoreRhosts
770Specifies that
771.Pa .rhosts
772and
773.Pa .shosts
774files will not be used in
775.Cm RhostsRSAAuthentication
776or
777.Cm HostbasedAuthentication .
778.Pp
779.Pa /etc/hosts.equiv
780and
781.Pa /etc/ssh/shosts.equiv
782are still used.
783The default is
784.Dq yes .
785.It Cm IgnoreUserKnownHosts
786Specifies whether
787.Xr sshd 8
788should ignore the user's
789.Pa ~/.ssh/known_hosts
790during
791.Cm RhostsRSAAuthentication
792or
793.Cm HostbasedAuthentication .
794The default is
795.Dq no .
796.It Cm IPQoS
797Specifies the IPv4 type-of-service or DSCP class for the connection.
798Accepted values are
799.Dq af11 ,
800.Dq af12 ,
801.Dq af13 ,
802.Dq af21 ,
803.Dq af22 ,
804.Dq af23 ,
805.Dq af31 ,
806.Dq af32 ,
807.Dq af33 ,
808.Dq af41 ,
809.Dq af42 ,
810.Dq af43 ,
811.Dq cs0 ,
812.Dq cs1 ,
813.Dq cs2 ,
814.Dq cs3 ,
815.Dq cs4 ,
816.Dq cs5 ,
817.Dq cs6 ,
818.Dq cs7 ,
819.Dq ef ,
820.Dq lowdelay ,
821.Dq throughput ,
822.Dq reliability ,
823or a numeric value.
824This option may take one or two arguments, separated by whitespace.
825If one argument is specified, it is used as the packet class unconditionally.
826If two values are specified, the first is automatically selected for
827interactive sessions and the second for non-interactive sessions.
828The default is
829.Dq lowdelay
830for interactive sessions and
831.Dq throughput
832for non-interactive sessions.
833.It Cm KbdInteractiveAuthentication
834Specifies whether to allow keyboard-interactive authentication.
835The argument to this keyword must be
836.Dq yes
837or
838.Dq no .
839The default is to use whatever value
840.Cm ChallengeResponseAuthentication
841is set to
842(by default
843.Dq yes ) .
844.It Cm KerberosAuthentication
845Specifies whether the password provided by the user for
846.Cm PasswordAuthentication
847will be validated through the Kerberos KDC.
848To use this option, the server needs a
849Kerberos servtab which allows the verification of the KDC's identity.
850The default is
851.Dq no .
852.It Cm KerberosGetAFSToken
853If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
854an AFS token before accessing the user's home directory.
855The default is
856.Dq no .
857.It Cm KerberosOrLocalPasswd
858If password authentication through Kerberos fails then
859the password will be validated via any additional local mechanism
860such as
861.Pa /etc/passwd .
862The default is
863.Dq yes .
864.It Cm KerberosTicketCleanup
865Specifies whether to automatically destroy the user's ticket cache
866file on logout.
867The default is
868.Dq yes .
869.It Cm KexAlgorithms
870Specifies the available KEX (Key Exchange) algorithms.
871Multiple algorithms must be comma-separated.
872Alternately if the specified value begins with a
873.Sq +
874character, then the specified methods will be appended to the default set
875instead of replacing them.
876The supported algorithms are:
877.Pp
878.Bl -item -compact -offset indent
879.It
880curve25519-sha256@libssh.org
881.It
882diffie-hellman-group1-sha1
883.It
884diffie-hellman-group14-sha1
885.It
886diffie-hellman-group-exchange-sha1
887.It
888diffie-hellman-group-exchange-sha256
889.It
890ecdh-sha2-nistp256
891.It
892ecdh-sha2-nistp384
893.It
894ecdh-sha2-nistp521
895.El
896.Pp
897The default is:
898.Bd -literal -offset indent
899curve25519-sha256@libssh.org,
900ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
901diffie-hellman-group-exchange-sha256,
902diffie-hellman-group14-sha1
903.Ed
904.Pp
905The list of available key exchange algorithms may also be obtained using the
906.Fl Q
907option of
908.Xr ssh 1
909with an argument of
910.Dq kex .
911.It Cm KeyRegenerationInterval
912In protocol version 1, the ephemeral server key is automatically regenerated
913after this many seconds (if it has been used).
914The purpose of regeneration is to prevent
915decrypting captured sessions by later breaking into the machine and
916stealing the keys.
917The key is never stored anywhere.
918If the value is 0, the key is never regenerated.
919The default is 3600 (seconds).
920.It Cm ListenAddress
921Specifies the local addresses
922.Xr sshd 8
923should listen on.
924The following forms may be used:
925.Pp
926.Bl -item -offset indent -compact
927.It
928.Cm ListenAddress
929.Sm off
930.Ar host | Ar IPv4_addr | Ar IPv6_addr
931.Sm on
932.It
933.Cm ListenAddress
934.Sm off
935.Ar host | Ar IPv4_addr : Ar port
936.Sm on
937.It
938.Cm ListenAddress
939.Sm off
940.Oo
941.Ar host | Ar IPv6_addr Oc : Ar port
942.Sm on
943.El
944.Pp
945If
946.Ar port
947is not specified,
948sshd will listen on the address and all
949.Cm Port
950options specified.
951The default is to listen on all local addresses.
952Multiple
953.Cm ListenAddress
954options are permitted.
955.It Cm LoginGraceTime
956The server disconnects after this time if the user has not
957successfully logged in.
958If the value is 0, there is no time limit.
959The default is 120 seconds.
960.It Cm LogLevel
961Gives the verbosity level that is used when logging messages from
962.Xr sshd 8 .
963The possible values are:
964QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
965The default is INFO.
966DEBUG and DEBUG1 are equivalent.
967DEBUG2 and DEBUG3 each specify higher levels of debugging output.
968Logging with a DEBUG level violates the privacy of users and is not recommended.
969.It Cm MACs
970Specifies the available MAC (message authentication code) algorithms.
971The MAC algorithm is used in protocol version 2
972for data integrity protection.
973Multiple algorithms must be comma-separated.
974If the specified value begins with a
975.Sq +
976character, then the specified algorithms will be appended to the default set
977instead of replacing them.
978.Pp
979The algorithms that contain
980.Dq -etm
981calculate the MAC after encryption (encrypt-then-mac).
982These are considered safer and their use recommended.
983The supported MACs are:
984.Pp
985.Bl -item -compact -offset indent
986.It
987hmac-md5
988.It
989hmac-md5-96
990.It
991hmac-ripemd160
992.It
993hmac-sha1
994.It
995hmac-sha1-96
996.It
997hmac-sha2-256
998.It
999hmac-sha2-512
1000.It
1001umac-64@openssh.com
1002.It
1003umac-128@openssh.com
1004.It
1005hmac-md5-etm@openssh.com
1006.It
1007hmac-md5-96-etm@openssh.com
1008.It
1009hmac-ripemd160-etm@openssh.com
1010.It
1011hmac-sha1-etm@openssh.com
1012.It
1013hmac-sha1-96-etm@openssh.com
1014.It
1015hmac-sha2-256-etm@openssh.com
1016.It
1017hmac-sha2-512-etm@openssh.com
1018.It
1019umac-64-etm@openssh.com
1020.It
1021umac-128-etm@openssh.com
1022.El
1023.Pp
1024The default is:
1025.Bd -literal -offset indent
1026umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1027hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1028umac-64@openssh.com,umac-128@openssh.com,
1029hmac-sha2-256,hmac-sha2-512
1030.Ed
1031.Pp
1032The list of available MAC algorithms may also be obtained using the
1033.Fl Q
1034option of
1035.Xr ssh 1
1036with an argument of
1037.Dq mac .
1038.It Cm Match
1039Introduces a conditional block.
1040If all of the criteria on the
1041.Cm Match
1042line are satisfied, the keywords on the following lines override those
1043set in the global section of the config file, until either another
1044.Cm Match
1045line or the end of the file.
1046If a keyword appears in multiple
1047.Cm Match
1048blocks that are satisfied, only the first instance of the keyword is
1049applied.
1050.Pp
1051The arguments to
1052.Cm Match
1053are one or more criteria-pattern pairs or the single token
1054.Cm All
1055which matches all criteria.
1056The available criteria are
1057.Cm User ,
1058.Cm Group ,
1059.Cm Host ,
1060.Cm LocalAddress ,
1061.Cm LocalPort ,
1062and
1063.Cm Address .
1064The match patterns may consist of single entries or comma-separated
1065lists and may use the wildcard and negation operators described in the
1066PATTERNS section of
1067.Xr ssh_config 5 .
1068.Pp
1069The patterns in an
1070.Cm Address
1071criteria may additionally contain addresses to match in CIDR
1072address/masklen format, e.g.\&
1073.Dq 192.0.2.0/24
1074or
1075.Dq 3ffe:ffff::/32 .
1076Note that the mask length provided must be consistent with the address -
1077it is an error to specify a mask length that is too long for the address
1078or one with bits set in this host portion of the address.
1079For example,
1080.Dq 192.0.2.0/33
1081and
1082.Dq 192.0.2.0/8
1083respectively.
1084.Pp
1085Only a subset of keywords may be used on the lines following a
1086.Cm Match
1087keyword.
1088Available keywords are
1089.Cm AcceptEnv ,
1090.Cm AllowAgentForwarding ,
1091.Cm AllowGroups ,
1092.Cm AllowStreamLocalForwarding ,
1093.Cm AllowTcpForwarding ,
1094.Cm AllowUsers ,
1095.Cm AuthenticationMethods ,
1096.Cm AuthorizedKeysCommand ,
1097.Cm AuthorizedKeysCommandUser ,
1098.Cm AuthorizedKeysFile ,
1099.Cm AuthorizedPrincipalsFile ,
1100.Cm Banner ,
1101.Cm ChrootDirectory ,
1102.Cm DenyGroups ,
1103.Cm DenyUsers ,
1104.Cm ForceCommand ,
1105.Cm GatewayPorts ,
1106.Cm GSSAPIAuthentication ,
1107.Cm HostbasedAcceptedKeyTypes ,
1108.Cm HostbasedAuthentication ,
1109.Cm HostbasedUsesNameFromPacketOnly ,
1110.Cm IPQoS ,
1111.Cm KbdInteractiveAuthentication ,
1112.Cm KerberosAuthentication ,
1113.Cm MaxAuthTries ,
1114.Cm MaxSessions ,
1115.Cm PasswordAuthentication ,
1116.Cm PermitEmptyPasswords ,
1117.Cm PermitOpen ,
1118.Cm PermitRootLogin ,
1119.Cm PermitTTY ,
1120.Cm PermitTunnel ,
1121.Cm PermitUserRC ,
1122.Cm PubkeyAcceptedKeyTypes ,
1123.Cm PubkeyAuthentication ,
1124.Cm RekeyLimit ,
1125.Cm RevokedKeys ,
1126.Cm RhostsRSAAuthentication ,
1127.Cm RSAAuthentication ,
1128.Cm StreamLocalBindMask ,
1129.Cm StreamLocalBindUnlink ,
1130.Cm TrustedUserCAKeys ,
1131.Cm X11DisplayOffset ,
1132.Cm X11Forwarding
1133and
1134.Cm X11UseLocalHost .
1135.It Cm MaxAuthTries
1136Specifies the maximum number of authentication attempts permitted per
1137connection.
1138Once the number of failures reaches half this value,
1139additional failures are logged.
1140The default is 6.
1141.It Cm MaxSessions
1142Specifies the maximum number of open sessions permitted per network connection.
1143The default is 10.
1144.It Cm MaxStartups
1145Specifies the maximum number of concurrent unauthenticated connections to the
1146SSH daemon.
1147Additional connections will be dropped until authentication succeeds or the
1148.Cm LoginGraceTime
1149expires for a connection.
1150The default is 10:30:100.
1151.Pp
1152Alternatively, random early drop can be enabled by specifying
1153the three colon separated values
1154.Dq start:rate:full
1155(e.g. "10:30:60").
1156.Xr sshd 8
1157will refuse connection attempts with a probability of
1158.Dq rate/100
1159(30%)
1160if there are currently
1161.Dq start
1162(10)
1163unauthenticated connections.
1164The probability increases linearly and all connection attempts
1165are refused if the number of unauthenticated connections reaches
1166.Dq full
1167(60).
1168.It Cm PasswordAuthentication
1169Specifies whether password authentication is allowed.
1170See also
1171.Cm UsePAM .
1172The default is
1173.Dq no .
1174.It Cm PermitEmptyPasswords
1175When password authentication is allowed, it specifies whether the
1176server allows login to accounts with empty password strings.
1177The default is
1178.Dq no .
1179.It Cm PermitOpen
1180Specifies the destinations to which TCP port forwarding is permitted.
1181The forwarding specification must be one of the following forms:
1182.Pp
1183.Bl -item -offset indent -compact
1184.It
1185.Cm PermitOpen
1186.Sm off
1187.Ar host : port
1188.Sm on
1189.It
1190.Cm PermitOpen
1191.Sm off
1192.Ar IPv4_addr : port
1193.Sm on
1194.It
1195.Cm PermitOpen
1196.Sm off
1197.Ar \&[ IPv6_addr \&] : port
1198.Sm on
1199.El
1200.Pp
1201Multiple forwards may be specified by separating them with whitespace.
1202An argument of
1203.Dq any
1204can be used to remove all restrictions and permit any forwarding requests.
1205An argument of
1206.Dq none
1207can be used to prohibit all forwarding requests.
1208By default all port forwarding requests are permitted.
1209.It Cm PermitRootLogin
1210Specifies whether root can log in using
1211.Xr ssh 1 .
1212The argument must be
1213.Dq yes ,
1214.Dq prohibit-password ,
1215.Dq without-password ,
1216.Dq forced-commands-only ,
1217or
1218.Dq no .
1219The default is
1220.Dq no .
1221Note that if
1222.Cm ChallengeResponseAuthentication
1223is
1224.Dq yes ,
1225the root user may be allowed in with its password even if
1226.Cm PermitRootLogin is set to
1227.Dq without-password .
1228.Pp
1229If this option is set to
1230.Dq prohibit-password
1231or
1232.Dq without-password ,
1233password and keyboard-interactive authentication are disabled for root.
1234.Pp
1235If this option is set to
1236.Dq forced-commands-only ,
1237root login with public key authentication will be allowed,
1238but only if the
1239.Ar command
1240option has been specified
1241(which may be useful for taking remote backups even if root login is
1242normally not allowed).
1243All other authentication methods are disabled for root.
1244.Pp
1245If this option is set to
1246.Dq no ,
1247root is not allowed to log in.
1248.It Cm PermitTunnel
1249Specifies whether
1250.Xr tun 4
1251device forwarding is allowed.
1252The argument must be
1253.Dq yes ,
1254.Dq point-to-point
1255(layer 3),
1256.Dq ethernet
1257(layer 2), or
1258.Dq no .
1259Specifying
1260.Dq yes
1261permits both
1262.Dq point-to-point
1263and
1264.Dq ethernet .
1265The default is
1266.Dq no .
1267.Pp
1268Independent of this setting, the permissions of the selected
1269.Xr tun 4
1270device must allow access to the user.
1271.It Cm PermitTTY
1272Specifies whether
1273.Xr pty 4
1274allocation is permitted.
1275The default is
1276.Dq yes .
1277.It Cm PermitUserEnvironment
1278Specifies whether
1279.Pa ~/.ssh/environment
1280and
1281.Cm environment=
1282options in
1283.Pa ~/.ssh/authorized_keys
1284are processed by
1285.Xr sshd 8 .
1286The default is
1287.Dq no .
1288Enabling environment processing may enable users to bypass access
1289restrictions in some configurations using mechanisms such as
1290.Ev LD_PRELOAD .
1291.It Cm PermitUserRC
1292Specifies whether any
1293.Pa ~/.ssh/rc
1294file is executed.
1295The default is
1296.Dq yes .
1297.It Cm PidFile
1298Specifies the file that contains the process ID of the
1299SSH daemon, or
1300.Dq none
1301to not write one.
1302The default is
1303.Pa /var/run/sshd.pid .
1304.It Cm Port
1305Specifies the port number that
1306.Xr sshd 8
1307listens on.
1308The default is 22.
1309Multiple options of this type are permitted.
1310See also
1311.Cm ListenAddress .
1312.It Cm PrintLastLog
1313Specifies whether
1314.Xr sshd 8
1315should print the date and time of the last user login when a user logs
1316in interactively.
1317The default is
1318.Dq yes .
1319.It Cm PrintMotd
1320Specifies whether
1321.Xr sshd 8
1322should print
1323.Pa /etc/motd
1324when a user logs in interactively.
1325(On some systems it is also printed by the shell,
1326.Pa /etc/profile ,
1327or equivalent.)
1328The default is
1329.Dq yes .
1330.It Cm Protocol
1331Specifies the protocol versions
1332.Xr sshd 8
1333supports.
1334The possible values are
1335.Sq 1
1336and
1337.Sq 2 .
1338Multiple versions must be comma-separated.
1339The default is
1340.Sq 2 .
1341Note that the order of the protocol list does not indicate preference,
1342because the client selects among multiple protocol versions offered
1343by the server.
1344Specifying
1345.Dq 2,1
1346is identical to
1347.Dq 1,2 .
1348.It Cm PubkeyAcceptedKeyTypes
1349Specifies the key types that will be accepted for public key authentication
1350as a comma-separated pattern list.
1351Alternately if the specified value begins with a
1352.Sq +
1353character, then the specified key types will be appended to the default set
1354instead of replacing them.
1355The default for this option is:
1356.Bd -literal -offset 3n
1357ecdsa-sha2-nistp256-cert-v01@openssh.com,
1358ecdsa-sha2-nistp384-cert-v01@openssh.com,
1359ecdsa-sha2-nistp521-cert-v01@openssh.com,
1360ssh-ed25519-cert-v01@openssh.com,
1361ssh-rsa-cert-v01@openssh.com,
1362ssh-dss-cert-v01@openssh.com,
1363ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
1364ecdsa-sha2-nistp521,ssh-ed25519,
1365ssh-rsa,ssh-dss
1366.Ed
1367.Pp
1368The
1369.Fl Q
1370option of
1371.Xr ssh 1
1372may be used to list supported key types.
1373.It Cm PubkeyAuthentication
1374Specifies whether public key authentication is allowed.
1375The default is
1376.Dq yes .
1377Note that this option applies to protocol version 2 only.
1378.It Cm RekeyLimit
1379Specifies the maximum amount of data that may be transmitted before the
1380session key is renegotiated, optionally followed a maximum amount of
1381time that may pass before the session key is renegotiated.
1382The first argument is specified in bytes and may have a suffix of
1383.Sq K ,
1384.Sq M ,
1385or
1386.Sq G
1387to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1388The default is between
1389.Sq 1G
1390and
1391.Sq 4G ,
1392depending on the cipher.
1393The optional second value is specified in seconds and may use any of the
1394units documented in the
1395.Sx TIME FORMATS
1396section.
1397The default value for
1398.Cm RekeyLimit
1399is
1400.Dq default none ,
1401which means that rekeying is performed after the cipher's default amount
1402of data has been sent or received and no time based rekeying is done.
1403This option applies to protocol version 2 only.
1404.It Cm RevokedKeys
1405Specifies revoked public keys file, or
1406.Dq none
1407to not use one.
1408Keys listed in this file will be refused for public key authentication.
1409Note that if this file is not readable, then public key authentication will
1410be refused for all users.
1411Keys may be specified as a text file, listing one public key per line, or as
1412an OpenSSH Key Revocation List (KRL) as generated by
1413.Xr ssh-keygen 1 .
1414For more information on KRLs, see the KEY REVOCATION LISTS section in
1415.Xr ssh-keygen 1 .
1416.It Cm RhostsRSAAuthentication
1417Specifies whether rhosts or
1418.Pa /etc/hosts.equiv
1419authentication together
1420with successful RSA host authentication is allowed.
1421The default is
1422.Dq no .
1423This option applies to protocol version 1 only.
1424.It Cm RSAAuthentication
1425Specifies whether pure RSA authentication is allowed.
1426The default is
1427.Dq yes .
1428This option applies to protocol version 1 only.
1429.It Cm ServerKeyBits
1430Defines the number of bits in the ephemeral protocol version 1 server key.
1431The default and minimum value is 1024.
1432.It Cm StreamLocalBindMask
1433Sets the octal file creation mode mask
1434.Pq umask
1435used when creating a Unix-domain socket file for local or remote
1436port forwarding.
1437This option is only used for port forwarding to a Unix-domain socket file.
1438.Pp
1439The default value is 0177, which creates a Unix-domain socket file that is
1440readable and writable only by the owner.
1441Note that not all operating systems honor the file mode on Unix-domain
1442socket files.
1443.It Cm StreamLocalBindUnlink
1444Specifies whether to remove an existing Unix-domain socket file for local
1445or remote port forwarding before creating a new one.
1446If the socket file already exists and
1447.Cm StreamLocalBindUnlink
1448is not enabled,
1449.Nm sshd
1450will be unable to forward the port to the Unix-domain socket file.
1451This option is only used for port forwarding to a Unix-domain socket file.
1452.Pp
1453The argument must be
1454.Dq yes
1455or
1456.Dq no .
1457The default is
1458.Dq no .
1459.It Cm StrictModes
1460Specifies whether
1461.Xr sshd 8
1462should check file modes and ownership of the
1463user's files and home directory before accepting login.
1464This is normally desirable because novices sometimes accidentally leave their
1465directory or files world-writable.
1466The default is
1467.Dq yes .
1468Note that this does not apply to
1469.Cm ChrootDirectory ,
1470whose permissions and ownership are checked unconditionally.
1471.It Cm Subsystem
1472Configures an external subsystem (e.g. file transfer daemon).
1473Arguments should be a subsystem name and a command (with optional arguments)
1474to execute upon subsystem request.
1475.Pp
1476The command
1477.Xr sftp-server 8
1478implements the
1479.Dq sftp
1480file transfer subsystem.
1481.Pp
1482Alternately the name
1483.Dq internal-sftp
1484implements an in-process
1485.Dq sftp
1486server.
1487This may simplify configurations using
1488.Cm ChrootDirectory
1489to force a different filesystem root on clients.
1490.Pp
1491By default no subsystems are defined.
1492Note that this option applies to protocol version 2 only.
1493.It Cm SyslogFacility
1494Gives the facility code that is used when logging messages from
1495.Xr sshd 8 .
1496The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1497LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1498The default is AUTH.
1499.It Cm TCPKeepAlive
1500Specifies whether the system should send TCP keepalive messages to the
1501other side.
1502If they are sent, death of the connection or crash of one
1503of the machines will be properly noticed.
1504However, this means that
1505connections will die if the route is down temporarily, and some people
1506find it annoying.
1507On the other hand, if TCP keepalives are not sent,
1508sessions may hang indefinitely on the server, leaving
1509.Dq ghost
1510users and consuming server resources.
1511.Pp
1512The default is
1513.Dq yes
1514(to send TCP keepalive messages), and the server will notice
1515if the network goes down or the client host crashes.
1516This avoids infinitely hanging sessions.
1517.Pp
1518To disable TCP keepalive messages, the value should be set to
1519.Dq no .
1520.It Cm TrustedUserCAKeys
1521Specifies a file containing public keys of certificate authorities that are
1522trusted to sign user certificates for authentication, or
1523.Dq none
1524to not use one.
1525Keys are listed one per line; empty lines and comments starting with
1526.Ql #
1527are allowed.
1528If a certificate is presented for authentication and has its signing CA key
1529listed in this file, then it may be used for authentication for any user
1530listed in the certificate's principals list.
1531Note that certificates that lack a list of principals will not be permitted
1532for authentication using
1533.Cm TrustedUserCAKeys .
1534For more details on certificates, see the CERTIFICATES section in
1535.Xr ssh-keygen 1 .
1536.It Cm UseDNS
1537Specifies whether
1538.Xr sshd 8
1539should look up the remote host name, and to check that
1540the resolved host name for the remote IP address maps back to the
1541very same IP address.
1542.Pp
1543If this option is set to
1544.Dq no ,
1545then only addresses and not host names may be used in
1546.Pa ~/.ssh/known_hosts
1547.Cm from
1548and
1549.Nm
1550.Cm Match
1551.Cm Host
1552directives.
1553The default is
1554.Dq yes .
1555.It Cm UseLogin
1556Specifies whether
1557.Xr login 1
1558is used for interactive login sessions.
1559The default is
1560.Dq no .
1561Note that
1562.Xr login 1
1563is never used for remote command execution.
1564Note also, that if this is enabled,
1565.Cm X11Forwarding
1566will be disabled because
1567.Xr login 1
1568does not know how to handle
1569.Xr xauth 1
1570cookies.
1571If
1572.Cm UsePrivilegeSeparation
1573is specified, it will be disabled after authentication.
1574.It Cm UsePAM
1575Enables the Pluggable Authentication Module interface.
1576If set to
1577.Dq yes
1578this will enable PAM authentication using
1579.Cm ChallengeResponseAuthentication
1580and
1581.Cm PasswordAuthentication
1582in addition to PAM account and session module processing for all
1583authentication types.
1584.Pp
1585Because PAM challenge-response authentication usually serves an equivalent
1586role to password authentication, you should disable either
1587.Cm PasswordAuthentication
1588or
1589.Cm ChallengeResponseAuthentication.
1590.Pp
1591If
1592.Cm UsePAM
1593is enabled, you will not be able to run
1594.Xr sshd 8
1595as a non-root user.
1596The default is
1597.Dq yes .
1598.It Cm UsePrivilegeSeparation
1599Specifies whether
1600.Xr sshd 8
1601separates privileges by creating an unprivileged child process
1602to deal with incoming network traffic.
1603After successful authentication, another process will be created that has
1604the privilege of the authenticated user.
1605The goal of privilege separation is to prevent privilege
1606escalation by containing any corruption within the unprivileged processes.
1607The default is
1608.Dq sandbox .
1609If
1610.Cm UsePrivilegeSeparation
1611is set to
1612.Dq sandbox
1613then the pre-authentication unprivileged process is subject to additional
1614restrictions.
1615.It Cm VersionAddendum
1616Optionally specifies additional text to append to the SSH protocol banner
1617sent by the server upon connection.
1618The default is
1619.Dq FreeBSD-20160121 .
1620The value
1621.Dq none
1622may be used to disable this.
1623.It Cm X11DisplayOffset
1624Specifies the first display number available for
1625.Xr sshd 8 Ns 's
1626X11 forwarding.
1627This prevents sshd from interfering with real X11 servers.
1628The default is 10.
1629.It Cm X11Forwarding
1630Specifies whether X11 forwarding is permitted.
1631The argument must be
1632.Dq yes
1633or
1634.Dq no .
1635The default is
1636.Dq yes .
1637.Pp
1638When X11 forwarding is enabled, there may be additional exposure to
1639the server and to client displays if the
1640.Xr sshd 8
1641proxy display is configured to listen on the wildcard address (see
1642.Cm X11UseLocalhost
1643below), though this is not the default.
1644Additionally, the authentication spoofing and authentication data
1645verification and substitution occur on the client side.
1646The security risk of using X11 forwarding is that the client's X11
1647display server may be exposed to attack when the SSH client requests
1648forwarding (see the warnings for
1649.Cm ForwardX11
1650in
1651.Xr ssh_config 5 ) .
1652A system administrator may have a stance in which they want to
1653protect clients that may expose themselves to attack by unwittingly
1654requesting X11 forwarding, which can warrant a
1655.Dq no
1656setting.
1657.Pp
1658Note that disabling X11 forwarding does not prevent users from
1659forwarding X11 traffic, as users can always install their own forwarders.
1660X11 forwarding is automatically disabled if
1661.Cm UseLogin
1662is enabled.
1663.It Cm X11UseLocalhost
1664Specifies whether
1665.Xr sshd 8
1666should bind the X11 forwarding server to the loopback address or to
1667the wildcard address.
1668By default,
1669sshd binds the forwarding server to the loopback address and sets the
1670hostname part of the
1671.Ev DISPLAY
1672environment variable to
1673.Dq localhost .
1674This prevents remote hosts from connecting to the proxy display.
1675However, some older X11 clients may not function with this
1676configuration.
1677.Cm X11UseLocalhost
1678may be set to
1679.Dq no
1680to specify that the forwarding server should be bound to the wildcard
1681address.
1682The argument must be
1683.Dq yes
1684or
1685.Dq no .
1686The default is
1687.Dq yes .
1688.It Cm XAuthLocation
1689Specifies the full pathname of the
1690.Xr xauth 1
1691program, or
1692.Dq none
1693to not use one.
1694The default is
1695.Pa /usr/local/bin/xauth .
1696.El
1697.Sh TIME FORMATS
1698.Xr sshd 8
1699command-line arguments and configuration file options that specify time
1700may be expressed using a sequence of the form:
1701.Sm off
1702.Ar time Op Ar qualifier ,
1703.Sm on
1704where
1705.Ar time
1706is a positive integer value and
1707.Ar qualifier
1708is one of the following:
1709.Pp
1710.Bl -tag -width Ds -compact -offset indent
1711.It Aq Cm none
1712seconds
1713.It Cm s | Cm S
1714seconds
1715.It Cm m | Cm M
1716minutes
1717.It Cm h | Cm H
1718hours
1719.It Cm d | Cm D
1720days
1721.It Cm w | Cm W
1722weeks
1723.El
1724.Pp
1725Each member of the sequence is added together to calculate
1726the total time value.
1727.Pp
1728Time format examples:
1729.Pp
1730.Bl -tag -width Ds -compact -offset indent
1731.It 600
1732600 seconds (10 minutes)
1733.It 10m
173410 minutes
1735.It 1h30m
17361 hour 30 minutes (90 minutes)
1737.El
1738.Sh FILES
1739.Bl -tag -width Ds
1740.It Pa /etc/ssh/sshd_config
1741Contains configuration data for
1742.Xr sshd 8 .
1743This file should be writable by root only, but it is recommended
1744(though not necessary) that it be world-readable.
1745.El
1746.Sh SEE ALSO
1747.Xr sshd 8
1748.Sh AUTHORS
1749OpenSSH is a derivative of the original and free
1750ssh 1.2.12 release by Tatu Ylonen.
1751Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1752Theo de Raadt and Dug Song
1753removed many bugs, re-added newer features and
1754created OpenSSH.
1755Markus Friedl contributed the support for SSH
1756protocol versions 1.5 and 2.0.
1757Niels Provos and Markus Friedl contributed support
1758for privilege separation.
1759