1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is 9.\" incompatible with the protocol description in the RFC file, it must be 10.\" called by a name other than "ssh" or "Secure Shell". 11.\" 12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 15.\" 16.\" Redistribution and use in source and binary forms, with or without 17.\" modification, are permitted provided that the following conditions 18.\" are met: 19.\" 1. Redistributions of source code must retain the above copyright 20.\" notice, this list of conditions and the following disclaimer. 21.\" 2. Redistributions in binary form must reproduce the above copyright 22.\" notice, this list of conditions and the following disclaimer in the 23.\" documentation and/or other materials provided with the distribution. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" 36.\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $ 37.\" $FreeBSD$ 38.Dd $Mdocdate: February 17 2016 $ 39.Dt SSHD_CONFIG 5 40.Os 41.Sh NAME 42.Nm sshd_config 43.Nd OpenSSH SSH daemon configuration file 44.Sh SYNOPSIS 45.Nm /etc/ssh/sshd_config 46.Sh DESCRIPTION 47.Xr sshd 8 48reads configuration data from 49.Pa /etc/ssh/sshd_config 50(or the file specified with 51.Fl f 52on the command line). 53The file contains keyword-argument pairs, one per line. 54Lines starting with 55.Ql # 56and empty lines are interpreted as comments. 57Arguments may optionally be enclosed in double quotes 58.Pq \&" 59in order to represent arguments containing spaces. 60.Pp 61The possible 62keywords and their meanings are as follows (note that 63keywords are case-insensitive and arguments are case-sensitive): 64.Bl -tag -width Ds 65.It Cm AcceptEnv 66Specifies what environment variables sent by the client will be copied into 67the session's 68.Xr environ 7 . 69See 70.Cm SendEnv 71in 72.Xr ssh_config 5 73for how to configure the client. 74The 75.Ev TERM 76environment variable is always sent whenever the client 77requests a pseudo-terminal as it is required by the protocol. 78Variables are specified by name, which may contain the wildcard characters 79.Ql * 80and 81.Ql \&? . 82Multiple environment variables may be separated by whitespace or spread 83across multiple 84.Cm AcceptEnv 85directives. 86Be warned that some environment variables could be used to bypass restricted 87user environments. 88For this reason, care should be taken in the use of this directive. 89The default is not to accept any environment variables. 90.It Cm AddressFamily 91Specifies which address family should be used by 92.Xr sshd 8 . 93Valid arguments are 94.Dq any , 95.Dq inet 96(use IPv4 only), or 97.Dq inet6 98(use IPv6 only). 99The default is 100.Dq any . 101.It Cm AllowAgentForwarding 102Specifies whether 103.Xr ssh-agent 1 104forwarding is permitted. 105The default is 106.Dq yes . 107Note that disabling agent forwarding does not improve security 108unless users are also denied shell access, as they can always install 109their own forwarders. 110.It Cm AllowGroups 111This keyword can be followed by a list of group name patterns, separated 112by spaces. 113If specified, login is allowed only for users whose primary 114group or supplementary group list matches one of the patterns. 115Only group names are valid; a numerical group ID is not recognized. 116By default, login is allowed for all groups. 117The allow/deny directives are processed in the following order: 118.Cm DenyUsers , 119.Cm AllowUsers , 120.Cm DenyGroups , 121and finally 122.Cm AllowGroups . 123.Pp 124See PATTERNS in 125.Xr ssh_config 5 126for more information on patterns. 127.It Cm AllowTcpForwarding 128Specifies whether TCP forwarding is permitted. 129The available options are 130.Dq yes 131or 132.Dq all 133to allow TCP forwarding, 134.Dq no 135to prevent all TCP forwarding, 136.Dq local 137to allow local (from the perspective of 138.Xr ssh 1 ) 139forwarding only or 140.Dq remote 141to allow remote forwarding only. 142The default is 143.Dq yes . 144Note that disabling TCP forwarding does not improve security unless 145users are also denied shell access, as they can always install their 146own forwarders. 147.It Cm AllowStreamLocalForwarding 148Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. 149The available options are 150.Dq yes 151or 152.Dq all 153to allow StreamLocal forwarding, 154.Dq no 155to prevent all StreamLocal forwarding, 156.Dq local 157to allow local (from the perspective of 158.Xr ssh 1 ) 159forwarding only or 160.Dq remote 161to allow remote forwarding only. 162The default is 163.Dq yes . 164Note that disabling StreamLocal forwarding does not improve security unless 165users are also denied shell access, as they can always install their 166own forwarders. 167.It Cm AllowUsers 168This keyword can be followed by a list of user name patterns, separated 169by spaces. 170If specified, login is allowed only for user names that 171match one of the patterns. 172Only user names are valid; a numerical user ID is not recognized. 173By default, login is allowed for all users. 174If the pattern takes the form USER@HOST then USER and HOST 175are separately checked, restricting logins to particular 176users from particular hosts. 177The allow/deny directives are processed in the following order: 178.Cm DenyUsers , 179.Cm AllowUsers , 180.Cm DenyGroups , 181and finally 182.Cm AllowGroups . 183.Pp 184See PATTERNS in 185.Xr ssh_config 5 186for more information on patterns. 187.It Cm AuthenticationMethods 188Specifies the authentication methods that must be successfully completed 189for a user to be granted access. 190This option must be followed by one or more comma-separated lists of 191authentication method names. 192Successful authentication requires completion of every method in at least 193one of these lists. 194.Pp 195For example, an argument of 196.Dq publickey,password publickey,keyboard-interactive 197would require the user to complete public key authentication, followed by 198either password or keyboard interactive authentication. 199Only methods that are next in one or more lists are offered at each stage, 200so for this example, it would not be possible to attempt password or 201keyboard-interactive authentication before public key. 202.Pp 203For keyboard interactive authentication it is also possible to 204restrict authentication to a specific device by appending a 205colon followed by the device identifier 206.Dq bsdauth , 207.Dq pam , 208or 209.Dq skey , 210depending on the server configuration. 211For example, 212.Dq keyboard-interactive:bsdauth 213would restrict keyboard interactive authentication to the 214.Dq bsdauth 215device. 216.Pp 217If the 218.Dq publickey 219method is listed more than once, 220.Xr sshd 8 221verifies that keys that have been used successfully are not reused for 222subsequent authentications. 223For example, an 224.Cm AuthenticationMethods 225of 226.Dq publickey,publickey 227will require successful authentication using two different public keys. 228.Pp 229This option will yield a fatal 230error if enabled if protocol 1 is also enabled. 231Note that each authentication method listed should also be explicitly enabled 232in the configuration. 233The default is not to require multiple authentication; successful completion 234of a single authentication method is sufficient. 235.It Cm AuthorizedKeysCommand 236Specifies a program to be used to look up the user's public keys. 237The program must be owned by root, not writable by group or others and 238specified by an absolute path. 239.Pp 240Arguments to 241.Cm AuthorizedKeysCommand 242may be provided using the following tokens, which will be expanded 243at runtime: %% is replaced by a literal '%', %u is replaced by the 244username being authenticated, %h is replaced by the home directory 245of the user being authenticated, %t is replaced with the key type 246offered for authentication, %f is replaced with the fingerprint of 247the key, and %k is replaced with the key being offered for authentication. 248If no arguments are specified then the username of the target user 249will be supplied. 250.Pp 251The program should produce on standard output zero or 252more lines of authorized_keys output (see AUTHORIZED_KEYS in 253.Xr sshd 8 ) . 254If a key supplied by AuthorizedKeysCommand does not successfully authenticate 255and authorize the user then public key authentication continues using the usual 256.Cm AuthorizedKeysFile 257files. 258By default, no AuthorizedKeysCommand is run. 259.It Cm AuthorizedKeysCommandUser 260Specifies the user under whose account the AuthorizedKeysCommand is run. 261It is recommended to use a dedicated user that has no other role on the host 262than running authorized keys commands. 263If 264.Cm AuthorizedKeysCommand 265is specified but 266.Cm AuthorizedKeysCommandUser 267is not, then 268.Xr sshd 8 269will refuse to start. 270.It Cm AuthorizedKeysFile 271Specifies the file that contains the public keys that can be used 272for user authentication. 273The format is described in the 274AUTHORIZED_KEYS FILE FORMAT 275section of 276.Xr sshd 8 . 277.Cm AuthorizedKeysFile 278may contain tokens of the form %T which are substituted during connection 279setup. 280The following tokens are defined: %% is replaced by a literal '%', 281%h is replaced by the home directory of the user being authenticated, and 282%u is replaced by the username of that user. 283After expansion, 284.Cm AuthorizedKeysFile 285is taken to be an absolute path or one relative to the user's home 286directory. 287Multiple files may be listed, separated by whitespace. 288Alternately this option may be set to 289.Dq none 290to skip checking for user keys in files. 291The default is 292.Dq .ssh/authorized_keys .ssh/authorized_keys2 . 293.It Cm AuthorizedPrincipalsCommand 294Specifies a program to be used to generate the list of allowed 295certificate principals as per 296.Cm AuthorizedPrincipalsFile . 297The program must be owned by root, not writable by group or others and 298specified by an absolute path. 299.Pp 300Arguments to 301.Cm AuthorizedPrincipalsCommand 302may be provided using the following tokens, which will be expanded 303at runtime: %% is replaced by a literal '%', %u is replaced by the 304username being authenticated and %h is replaced by the home directory 305of the user being authenticated. 306.Pp 307The program should produce on standard output zero or 308more lines of 309.Cm AuthorizedPrincipalsFile 310output. 311If either 312.Cm AuthorizedPrincipalsCommand 313or 314.Cm AuthorizedPrincipalsFile 315is specified, then certificates offered by the client for authentication 316must contain a principal that is listed. 317By default, no AuthorizedPrincipalsCommand is run. 318.It Cm AuthorizedPrincipalsCommandUser 319Specifies the user under whose account the AuthorizedPrincipalsCommand is run. 320It is recommended to use a dedicated user that has no other role on the host 321than running authorized principals commands. 322If 323.Cm AuthorizedPrincipalsCommand 324is specified but 325.Cm AuthorizedPrincipalsCommandUser 326is not, then 327.Xr sshd 8 328will refuse to start. 329.It Cm AuthorizedPrincipalsFile 330Specifies a file that lists principal names that are accepted for 331certificate authentication. 332When using certificates signed by a key listed in 333.Cm TrustedUserCAKeys , 334this file lists names, one of which must appear in the certificate for it 335to be accepted for authentication. 336Names are listed one per line preceded by key options (as described 337in AUTHORIZED_KEYS FILE FORMAT in 338.Xr sshd 8 ) . 339Empty lines and comments starting with 340.Ql # 341are ignored. 342.Pp 343.Cm AuthorizedPrincipalsFile 344may contain tokens of the form %T which are substituted during connection 345setup. 346The following tokens are defined: %% is replaced by a literal '%', 347%h is replaced by the home directory of the user being authenticated, and 348%u is replaced by the username of that user. 349After expansion, 350.Cm AuthorizedPrincipalsFile 351is taken to be an absolute path or one relative to the user's home 352directory. 353.Pp 354The default is 355.Dq none , 356i.e. not to use a principals file \(en in this case, the username 357of the user must appear in a certificate's principals list for it to be 358accepted. 359Note that 360.Cm AuthorizedPrincipalsFile 361is only used when authentication proceeds using a CA listed in 362.Cm TrustedUserCAKeys 363and is not consulted for certification authorities trusted via 364.Pa ~/.ssh/authorized_keys , 365though the 366.Cm principals= 367key option offers a similar facility (see 368.Xr sshd 8 369for details). 370.It Cm Banner 371The contents of the specified file are sent to the remote user before 372authentication is allowed. 373If the argument is 374.Dq none 375then no banner is displayed. 376By default, no banner is displayed. 377.It Cm ChallengeResponseAuthentication 378Specifies whether challenge-response authentication is allowed (e.g. via 379PAM or through authentication styles supported in 380.Xr login.conf 5 ) 381The default is 382.Dq yes . 383.It Cm ChrootDirectory 384Specifies the pathname of a directory to 385.Xr chroot 2 386to after authentication. 387At session startup 388.Xr sshd 8 389checks that all components of the pathname are root-owned directories 390which are not writable by any other user or group. 391After the chroot, 392.Xr sshd 8 393changes the working directory to the user's home directory. 394.Pp 395The pathname may contain the following tokens that are expanded at runtime once 396the connecting user has been authenticated: %% is replaced by a literal '%', 397%h is replaced by the home directory of the user being authenticated, and 398%u is replaced by the username of that user. 399.Pp 400The 401.Cm ChrootDirectory 402must contain the necessary files and directories to support the 403user's session. 404For an interactive session this requires at least a shell, typically 405.Xr sh 1 , 406and basic 407.Pa /dev 408nodes such as 409.Xr null 4 , 410.Xr zero 4 , 411.Xr stdin 4 , 412.Xr stdout 4 , 413.Xr stderr 4 , 414and 415.Xr tty 4 416devices. 417For file transfer sessions using 418.Dq sftp , 419no additional configuration of the environment is necessary if the 420in-process sftp server is used, 421though sessions which use logging may require 422.Pa /dev/log 423inside the chroot directory on some operating systems (see 424.Xr sftp-server 8 425for details). 426.Pp 427For safety, it is very important that the directory hierarchy be 428prevented from modification by other processes on the system (especially 429those outside the jail). 430Misconfiguration can lead to unsafe environments which 431.Xr sshd 8 432cannot detect. 433.Pp 434The default is 435.Dq none , 436indicating not to 437.Xr chroot 2 . 438.It Cm Ciphers 439Specifies the ciphers allowed. 440Multiple ciphers must be comma-separated. 441If the specified value begins with a 442.Sq + 443character, then the specified ciphers will be appended to the default set 444instead of replacing them. 445.Pp 446The supported ciphers are: 447.Pp 448.Bl -item -compact -offset indent 449.It 4503des-cbc 451.It 452aes128-cbc 453.It 454aes192-cbc 455.It 456aes256-cbc 457.It 458aes128-ctr 459.It 460aes192-ctr 461.It 462aes256-ctr 463.It 464aes128-gcm@openssh.com 465.It 466aes256-gcm@openssh.com 467.It 468arcfour 469.It 470arcfour128 471.It 472arcfour256 473.It 474blowfish-cbc 475.It 476cast128-cbc 477.It 478chacha20-poly1305@openssh.com 479.El 480.Pp 481The default is: 482.Bd -literal -offset indent 483chacha20-poly1305@openssh.com, 484aes128-ctr,aes192-ctr,aes256-ctr, 485aes128-gcm@openssh.com,aes256-gcm@openssh.com, 486aes128-cbc,aes192-cbc,aes256-cbc 487.Ed 488.Pp 489The list of available ciphers may also be obtained using the 490.Fl Q 491option of 492.Xr ssh 1 493with an argument of 494.Dq cipher . 495.It Cm ClientAliveCountMax 496Sets the number of client alive messages (see below) which may be 497sent without 498.Xr sshd 8 499receiving any messages back from the client. 500If this threshold is reached while client alive messages are being sent, 501sshd will disconnect the client, terminating the session. 502It is important to note that the use of client alive messages is very 503different from 504.Cm TCPKeepAlive 505(below). 506The client alive messages are sent through the encrypted channel 507and therefore will not be spoofable. 508The TCP keepalive option enabled by 509.Cm TCPKeepAlive 510is spoofable. 511The client alive mechanism is valuable when the client or 512server depend on knowing when a connection has become inactive. 513.Pp 514The default value is 3. 515If 516.Cm ClientAliveInterval 517(see below) is set to 15, and 518.Cm ClientAliveCountMax 519is left at the default, unresponsive SSH clients 520will be disconnected after approximately 45 seconds. 521.It Cm ClientAliveInterval 522Sets a timeout interval in seconds after which if no data has been received 523from the client, 524.Xr sshd 8 525will send a message through the encrypted 526channel to request a response from the client. 527The default 528is 0, indicating that these messages will not be sent to the client. 529.It Cm Compression 530Specifies whether compression is allowed, or delayed until 531the user has authenticated successfully. 532The argument must be 533.Dq yes , 534.Dq delayed , 535or 536.Dq no . 537The default is 538.Dq delayed . 539.It Cm DenyGroups 540This keyword can be followed by a list of group name patterns, separated 541by spaces. 542Login is disallowed for users whose primary group or supplementary 543group list matches one of the patterns. 544Only group names are valid; a numerical group ID is not recognized. 545By default, login is allowed for all groups. 546The allow/deny directives are processed in the following order: 547.Cm DenyUsers , 548.Cm AllowUsers , 549.Cm DenyGroups , 550and finally 551.Cm AllowGroups . 552.Pp 553See PATTERNS in 554.Xr ssh_config 5 555for more information on patterns. 556.It Cm DenyUsers 557This keyword can be followed by a list of user name patterns, separated 558by spaces. 559Login is disallowed for user names that match one of the patterns. 560Only user names are valid; a numerical user ID is not recognized. 561By default, login is allowed for all users. 562If the pattern takes the form USER@HOST then USER and HOST 563are separately checked, restricting logins to particular 564users from particular hosts. 565The allow/deny directives are processed in the following order: 566.Cm DenyUsers , 567.Cm AllowUsers , 568.Cm DenyGroups , 569and finally 570.Cm AllowGroups . 571.Pp 572See PATTERNS in 573.Xr ssh_config 5 574for more information on patterns. 575.It Cm FingerprintHash 576Specifies the hash algorithm used when logging key fingerprints. 577Valid options are: 578.Dq md5 579and 580.Dq sha256 . 581The default is 582.Dq sha256 . 583.It Cm ForceCommand 584Forces the execution of the command specified by 585.Cm ForceCommand , 586ignoring any command supplied by the client and 587.Pa ~/.ssh/rc 588if present. 589The command is invoked by using the user's login shell with the -c option. 590This applies to shell, command, or subsystem execution. 591It is most useful inside a 592.Cm Match 593block. 594The command originally supplied by the client is available in the 595.Ev SSH_ORIGINAL_COMMAND 596environment variable. 597Specifying a command of 598.Dq internal-sftp 599will force the use of an in-process sftp server that requires no support 600files when used with 601.Cm ChrootDirectory . 602The default is 603.Dq none . 604.It Cm GatewayPorts 605Specifies whether remote hosts are allowed to connect to ports 606forwarded for the client. 607By default, 608.Xr sshd 8 609binds remote port forwardings to the loopback address. 610This prevents other remote hosts from connecting to forwarded ports. 611.Cm GatewayPorts 612can be used to specify that sshd 613should allow remote port forwardings to bind to non-loopback addresses, thus 614allowing other hosts to connect. 615The argument may be 616.Dq no 617to force remote port forwardings to be available to the local host only, 618.Dq yes 619to force remote port forwardings to bind to the wildcard address, or 620.Dq clientspecified 621to allow the client to select the address to which the forwarding is bound. 622The default is 623.Dq no . 624.It Cm GSSAPIAuthentication 625Specifies whether user authentication based on GSSAPI is allowed. 626The default is 627.Dq no . 628.It Cm GSSAPICleanupCredentials 629Specifies whether to automatically destroy the user's credentials cache 630on logout. 631The default is 632.Dq yes . 633.It Cm GSSAPIStrictAcceptorCheck 634Determines whether to be strict about the identity of the GSSAPI acceptor 635a client authenticates against. 636If set to 637.Dq yes 638then the client must authenticate against the 639.Pa host 640service on the current hostname. 641If set to 642.Dq no 643then the client may authenticate against any service key stored in the 644machine's default store. 645This facility is provided to assist with operation on multi homed machines. 646The default is 647.Dq yes . 648.It Cm HostbasedAcceptedKeyTypes 649Specifies the key types that will be accepted for hostbased authentication 650as a comma-separated pattern list. 651Alternately if the specified value begins with a 652.Sq + 653character, then the specified key types will be appended to the default set 654instead of replacing them. 655The default for this option is: 656.Bd -literal -offset 3n 657ecdsa-sha2-nistp256-cert-v01@openssh.com, 658ecdsa-sha2-nistp384-cert-v01@openssh.com, 659ecdsa-sha2-nistp521-cert-v01@openssh.com, 660ssh-ed25519-cert-v01@openssh.com, 661ssh-rsa-cert-v01@openssh.com, 662ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 663ssh-ed25519,ssh-rsa 664.Ed 665.Pp 666The 667.Fl Q 668option of 669.Xr ssh 1 670may be used to list supported key types. 671.It Cm HostbasedAuthentication 672Specifies whether rhosts or /etc/hosts.equiv authentication together 673with successful public key client host authentication is allowed 674(host-based authentication). 675The default is 676.Dq no . 677.It Cm HostbasedUsesNameFromPacketOnly 678Specifies whether or not the server will attempt to perform a reverse 679name lookup when matching the name in the 680.Pa ~/.shosts , 681.Pa ~/.rhosts , 682and 683.Pa /etc/hosts.equiv 684files during 685.Cm HostbasedAuthentication . 686A setting of 687.Dq yes 688means that 689.Xr sshd 8 690uses the name supplied by the client rather than 691attempting to resolve the name from the TCP connection itself. 692The default is 693.Dq no . 694.It Cm HostCertificate 695Specifies a file containing a public host certificate. 696The certificate's public key must match a private host key already specified 697by 698.Cm HostKey . 699The default behaviour of 700.Xr sshd 8 701is not to load any certificates. 702.It Cm HostKey 703Specifies a file containing a private host key 704used by SSH. 705The default is 706.Pa /etc/ssh/ssh_host_key 707for protocol version 1, and 708.Pa /etc/ssh/ssh_host_dsa_key , 709.Pa /etc/ssh/ssh_host_ecdsa_key , 710.Pa /etc/ssh/ssh_host_ed25519_key 711and 712.Pa /etc/ssh/ssh_host_rsa_key 713for protocol version 2. 714.Pp 715Note that 716.Xr sshd 8 717will refuse to use a file if it is group/world-accessible 718and that the 719.Cm HostKeyAlgorithms 720option restricts which of the keys are actually used by 721.Xr sshd 8 . 722.Pp 723It is possible to have multiple host key files. 724.Dq rsa1 725keys are used for version 1 and 726.Dq dsa , 727.Dq ecdsa , 728.Dq ed25519 729or 730.Dq rsa 731are used for version 2 of the SSH protocol. 732It is also possible to specify public host key files instead. 733In this case operations on the private key will be delegated 734to an 735.Xr ssh-agent 1 . 736.It Cm HostKeyAgent 737Identifies the UNIX-domain socket used to communicate 738with an agent that has access to the private host keys. 739If 740.Dq SSH_AUTH_SOCK 741is specified, the location of the socket will be read from the 742.Ev SSH_AUTH_SOCK 743environment variable. 744.It Cm HostKeyAlgorithms 745Specifies the host key algorithms 746that the server offers. 747The default for this option is: 748.Bd -literal -offset 3n 749ecdsa-sha2-nistp256-cert-v01@openssh.com, 750ecdsa-sha2-nistp384-cert-v01@openssh.com, 751ecdsa-sha2-nistp521-cert-v01@openssh.com, 752ssh-ed25519-cert-v01@openssh.com, 753ssh-rsa-cert-v01@openssh.com, 754ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 755ssh-ed25519,ssh-rsa 756.Ed 757.Pp 758The list of available key types may also be obtained using the 759.Fl Q 760option of 761.Xr ssh 1 762with an argument of 763.Dq key . 764.It Cm IgnoreRhosts 765Specifies that 766.Pa .rhosts 767and 768.Pa .shosts 769files will not be used in 770.Cm RhostsRSAAuthentication 771or 772.Cm HostbasedAuthentication . 773.Pp 774.Pa /etc/hosts.equiv 775and 776.Pa /etc/ssh/shosts.equiv 777are still used. 778The default is 779.Dq yes . 780.It Cm IgnoreUserKnownHosts 781Specifies whether 782.Xr sshd 8 783should ignore the user's 784.Pa ~/.ssh/known_hosts 785during 786.Cm RhostsRSAAuthentication 787or 788.Cm HostbasedAuthentication . 789The default is 790.Dq no . 791.It Cm IPQoS 792Specifies the IPv4 type-of-service or DSCP class for the connection. 793Accepted values are 794.Dq af11 , 795.Dq af12 , 796.Dq af13 , 797.Dq af21 , 798.Dq af22 , 799.Dq af23 , 800.Dq af31 , 801.Dq af32 , 802.Dq af33 , 803.Dq af41 , 804.Dq af42 , 805.Dq af43 , 806.Dq cs0 , 807.Dq cs1 , 808.Dq cs2 , 809.Dq cs3 , 810.Dq cs4 , 811.Dq cs5 , 812.Dq cs6 , 813.Dq cs7 , 814.Dq ef , 815.Dq lowdelay , 816.Dq throughput , 817.Dq reliability , 818or a numeric value. 819This option may take one or two arguments, separated by whitespace. 820If one argument is specified, it is used as the packet class unconditionally. 821If two values are specified, the first is automatically selected for 822interactive sessions and the second for non-interactive sessions. 823The default is 824.Dq lowdelay 825for interactive sessions and 826.Dq throughput 827for non-interactive sessions. 828.It Cm KbdInteractiveAuthentication 829Specifies whether to allow keyboard-interactive authentication. 830The argument to this keyword must be 831.Dq yes 832or 833.Dq no . 834The default is to use whatever value 835.Cm ChallengeResponseAuthentication 836is set to 837(by default 838.Dq yes ) . 839.It Cm KerberosAuthentication 840Specifies whether the password provided by the user for 841.Cm PasswordAuthentication 842will be validated through the Kerberos KDC. 843To use this option, the server needs a 844Kerberos servtab which allows the verification of the KDC's identity. 845The default is 846.Dq no . 847.It Cm KerberosGetAFSToken 848If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire 849an AFS token before accessing the user's home directory. 850The default is 851.Dq no . 852.It Cm KerberosOrLocalPasswd 853If password authentication through Kerberos fails then 854the password will be validated via any additional local mechanism 855such as 856.Pa /etc/passwd . 857The default is 858.Dq yes . 859.It Cm KerberosTicketCleanup 860Specifies whether to automatically destroy the user's ticket cache 861file on logout. 862The default is 863.Dq yes . 864.It Cm KexAlgorithms 865Specifies the available KEX (Key Exchange) algorithms. 866Multiple algorithms must be comma-separated. 867Alternately if the specified value begins with a 868.Sq + 869character, then the specified methods will be appended to the default set 870instead of replacing them. 871The supported algorithms are: 872.Pp 873.Bl -item -compact -offset indent 874.It 875curve25519-sha256@libssh.org 876.It 877diffie-hellman-group1-sha1 878.It 879diffie-hellman-group14-sha1 880.It 881diffie-hellman-group-exchange-sha1 882.It 883diffie-hellman-group-exchange-sha256 884.It 885ecdh-sha2-nistp256 886.It 887ecdh-sha2-nistp384 888.It 889ecdh-sha2-nistp521 890.El 891.Pp 892The default is: 893.Bd -literal -offset indent 894curve25519-sha256@libssh.org, 895ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 896diffie-hellman-group-exchange-sha256, 897diffie-hellman-group14-sha1 898.Ed 899.Pp 900The list of available key exchange algorithms may also be obtained using the 901.Fl Q 902option of 903.Xr ssh 1 904with an argument of 905.Dq kex . 906.It Cm KeyRegenerationInterval 907In protocol version 1, the ephemeral server key is automatically regenerated 908after this many seconds (if it has been used). 909The purpose of regeneration is to prevent 910decrypting captured sessions by later breaking into the machine and 911stealing the keys. 912The key is never stored anywhere. 913If the value is 0, the key is never regenerated. 914The default is 3600 (seconds). 915.It Cm ListenAddress 916Specifies the local addresses 917.Xr sshd 8 918should listen on. 919The following forms may be used: 920.Pp 921.Bl -item -offset indent -compact 922.It 923.Cm ListenAddress 924.Sm off 925.Ar host | Ar IPv4_addr | Ar IPv6_addr 926.Sm on 927.It 928.Cm ListenAddress 929.Sm off 930.Ar host | Ar IPv4_addr : Ar port 931.Sm on 932.It 933.Cm ListenAddress 934.Sm off 935.Oo 936.Ar host | Ar IPv6_addr Oc : Ar port 937.Sm on 938.El 939.Pp 940If 941.Ar port 942is not specified, 943sshd will listen on the address and all 944.Cm Port 945options specified. 946The default is to listen on all local addresses. 947Multiple 948.Cm ListenAddress 949options are permitted. 950.It Cm LoginGraceTime 951The server disconnects after this time if the user has not 952successfully logged in. 953If the value is 0, there is no time limit. 954The default is 120 seconds. 955.It Cm LogLevel 956Gives the verbosity level that is used when logging messages from 957.Xr sshd 8 . 958The possible values are: 959QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. 960The default is INFO. 961DEBUG and DEBUG1 are equivalent. 962DEBUG2 and DEBUG3 each specify higher levels of debugging output. 963Logging with a DEBUG level violates the privacy of users and is not recommended. 964.It Cm MACs 965Specifies the available MAC (message authentication code) algorithms. 966The MAC algorithm is used for data integrity protection. 967Multiple algorithms must be comma-separated. 968If the specified value begins with a 969.Sq + 970character, then the specified algorithms will be appended to the default set 971instead of replacing them. 972.Pp 973The algorithms that contain 974.Dq -etm 975calculate the MAC after encryption (encrypt-then-mac). 976These are considered safer and their use recommended. 977The supported MACs are: 978.Pp 979.Bl -item -compact -offset indent 980.It 981hmac-md5 982.It 983hmac-md5-96 984.It 985hmac-ripemd160 986.It 987hmac-sha1 988.It 989hmac-sha1-96 990.It 991hmac-sha2-256 992.It 993hmac-sha2-512 994.It 995umac-64@openssh.com 996.It 997umac-128@openssh.com 998.It 999hmac-md5-etm@openssh.com 1000.It 1001hmac-md5-96-etm@openssh.com 1002.It 1003hmac-ripemd160-etm@openssh.com 1004.It 1005hmac-sha1-etm@openssh.com 1006.It 1007hmac-sha1-96-etm@openssh.com 1008.It 1009hmac-sha2-256-etm@openssh.com 1010.It 1011hmac-sha2-512-etm@openssh.com 1012.It 1013umac-64-etm@openssh.com 1014.It 1015umac-128-etm@openssh.com 1016.El 1017.Pp 1018The default is: 1019.Bd -literal -offset indent 1020umac-64-etm@openssh.com,umac-128-etm@openssh.com, 1021hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 1022hmac-sha1-etm@openssh.com, 1023umac-64@openssh.com,umac-128@openssh.com, 1024hmac-sha2-256,hmac-sha2-512,hmac-sha1 1025.Ed 1026.Pp 1027The list of available MAC algorithms may also be obtained using the 1028.Fl Q 1029option of 1030.Xr ssh 1 1031with an argument of 1032.Dq mac . 1033.It Cm Match 1034Introduces a conditional block. 1035If all of the criteria on the 1036.Cm Match 1037line are satisfied, the keywords on the following lines override those 1038set in the global section of the config file, until either another 1039.Cm Match 1040line or the end of the file. 1041If a keyword appears in multiple 1042.Cm Match 1043blocks that are satisfied, only the first instance of the keyword is 1044applied. 1045.Pp 1046The arguments to 1047.Cm Match 1048are one or more criteria-pattern pairs or the single token 1049.Cm All 1050which matches all criteria. 1051The available criteria are 1052.Cm User , 1053.Cm Group , 1054.Cm Host , 1055.Cm LocalAddress , 1056.Cm LocalPort , 1057and 1058.Cm Address . 1059The match patterns may consist of single entries or comma-separated 1060lists and may use the wildcard and negation operators described in the 1061PATTERNS section of 1062.Xr ssh_config 5 . 1063.Pp 1064The patterns in an 1065.Cm Address 1066criteria may additionally contain addresses to match in CIDR 1067address/masklen format, e.g.\& 1068.Dq 192.0.2.0/24 1069or 1070.Dq 3ffe:ffff::/32 . 1071Note that the mask length provided must be consistent with the address - 1072it is an error to specify a mask length that is too long for the address 1073or one with bits set in this host portion of the address. 1074For example, 1075.Dq 192.0.2.0/33 1076and 1077.Dq 192.0.2.0/8 1078respectively. 1079.Pp 1080Only a subset of keywords may be used on the lines following a 1081.Cm Match 1082keyword. 1083Available keywords are 1084.Cm AcceptEnv , 1085.Cm AllowAgentForwarding , 1086.Cm AllowGroups , 1087.Cm AllowStreamLocalForwarding , 1088.Cm AllowTcpForwarding , 1089.Cm AllowUsers , 1090.Cm AuthenticationMethods , 1091.Cm AuthorizedKeysCommand , 1092.Cm AuthorizedKeysCommandUser , 1093.Cm AuthorizedKeysFile , 1094.Cm AuthorizedPrincipalsCommand , 1095.Cm AuthorizedPrincipalsCommandUser , 1096.Cm AuthorizedPrincipalsFile , 1097.Cm Banner , 1098.Cm ChrootDirectory , 1099.Cm DenyGroups , 1100.Cm DenyUsers , 1101.Cm ForceCommand , 1102.Cm GatewayPorts , 1103.Cm GSSAPIAuthentication , 1104.Cm HostbasedAcceptedKeyTypes , 1105.Cm HostbasedAuthentication , 1106.Cm HostbasedUsesNameFromPacketOnly , 1107.Cm IPQoS , 1108.Cm KbdInteractiveAuthentication , 1109.Cm KerberosAuthentication , 1110.Cm MaxAuthTries , 1111.Cm MaxSessions , 1112.Cm PasswordAuthentication , 1113.Cm PermitEmptyPasswords , 1114.Cm PermitOpen , 1115.Cm PermitRootLogin , 1116.Cm PermitTTY , 1117.Cm PermitTunnel , 1118.Cm PermitUserRC , 1119.Cm PubkeyAcceptedKeyTypes , 1120.Cm PubkeyAuthentication , 1121.Cm RekeyLimit , 1122.Cm RevokedKeys , 1123.Cm RhostsRSAAuthentication , 1124.Cm RSAAuthentication , 1125.Cm StreamLocalBindMask , 1126.Cm StreamLocalBindUnlink , 1127.Cm TrustedUserCAKeys , 1128.Cm X11DisplayOffset , 1129.Cm X11Forwarding 1130and 1131.Cm X11UseLocalHost . 1132.It Cm MaxAuthTries 1133Specifies the maximum number of authentication attempts permitted per 1134connection. 1135Once the number of failures reaches half this value, 1136additional failures are logged. 1137The default is 6. 1138.It Cm MaxSessions 1139Specifies the maximum number of open shell, login or subsystem (e.g. sftp) 1140sessions permitted per network connection. 1141Multiple sessions may be established by clients that support connection 1142multiplexing. 1143Setting 1144.Cm MaxSessions 1145to 1 will effectively disable session multiplexing, whereas setting it to 0 1146will prevent all shell, login and subsystem sessions while still permitting 1147forwarding. 1148The default is 10. 1149.It Cm MaxStartups 1150Specifies the maximum number of concurrent unauthenticated connections to the 1151SSH daemon. 1152Additional connections will be dropped until authentication succeeds or the 1153.Cm LoginGraceTime 1154expires for a connection. 1155The default is 10:30:100. 1156.Pp 1157Alternatively, random early drop can be enabled by specifying 1158the three colon separated values 1159.Dq start:rate:full 1160(e.g. "10:30:60"). 1161.Xr sshd 8 1162will refuse connection attempts with a probability of 1163.Dq rate/100 1164(30%) 1165if there are currently 1166.Dq start 1167(10) 1168unauthenticated connections. 1169The probability increases linearly and all connection attempts 1170are refused if the number of unauthenticated connections reaches 1171.Dq full 1172(60). 1173.It Cm PasswordAuthentication 1174Specifies whether password authentication is allowed. 1175See also 1176.Cm UsePAM . 1177The default is 1178.Dq no . 1179.It Cm PermitEmptyPasswords 1180When password authentication is allowed, it specifies whether the 1181server allows login to accounts with empty password strings. 1182The default is 1183.Dq no . 1184.It Cm PermitOpen 1185Specifies the destinations to which TCP port forwarding is permitted. 1186The forwarding specification must be one of the following forms: 1187.Pp 1188.Bl -item -offset indent -compact 1189.It 1190.Cm PermitOpen 1191.Sm off 1192.Ar host : port 1193.Sm on 1194.It 1195.Cm PermitOpen 1196.Sm off 1197.Ar IPv4_addr : port 1198.Sm on 1199.It 1200.Cm PermitOpen 1201.Sm off 1202.Ar \&[ IPv6_addr \&] : port 1203.Sm on 1204.El 1205.Pp 1206Multiple forwards may be specified by separating them with whitespace. 1207An argument of 1208.Dq any 1209can be used to remove all restrictions and permit any forwarding requests. 1210An argument of 1211.Dq none 1212can be used to prohibit all forwarding requests. 1213By default all port forwarding requests are permitted. 1214.It Cm PermitRootLogin 1215Specifies whether root can log in using 1216.Xr ssh 1 . 1217The argument must be 1218.Dq yes , 1219.Dq prohibit-password , 1220.Dq without-password , 1221.Dq forced-commands-only , 1222or 1223.Dq no . 1224The default is 1225.Dq no . 1226Note that if 1227.Cm ChallengeResponseAuthentication 1228is 1229.Dq yes , 1230the root user may be allowed in with its password even if 1231.Cm PermitRootLogin is set to 1232.Dq without-password . 1233.Pp 1234If this option is set to 1235.Dq prohibit-password 1236or 1237.Dq without-password , 1238password and keyboard-interactive authentication are disabled for root. 1239.Pp 1240If this option is set to 1241.Dq forced-commands-only , 1242root login with public key authentication will be allowed, 1243but only if the 1244.Ar command 1245option has been specified 1246(which may be useful for taking remote backups even if root login is 1247normally not allowed). 1248All other authentication methods are disabled for root. 1249.Pp 1250If this option is set to 1251.Dq no , 1252root is not allowed to log in. 1253.It Cm PermitTunnel 1254Specifies whether 1255.Xr tun 4 1256device forwarding is allowed. 1257The argument must be 1258.Dq yes , 1259.Dq point-to-point 1260(layer 3), 1261.Dq ethernet 1262(layer 2), or 1263.Dq no . 1264Specifying 1265.Dq yes 1266permits both 1267.Dq point-to-point 1268and 1269.Dq ethernet . 1270The default is 1271.Dq no . 1272.Pp 1273Independent of this setting, the permissions of the selected 1274.Xr tun 4 1275device must allow access to the user. 1276.It Cm PermitTTY 1277Specifies whether 1278.Xr pty 4 1279allocation is permitted. 1280The default is 1281.Dq yes . 1282.It Cm PermitUserEnvironment 1283Specifies whether 1284.Pa ~/.ssh/environment 1285and 1286.Cm environment= 1287options in 1288.Pa ~/.ssh/authorized_keys 1289are processed by 1290.Xr sshd 8 . 1291The default is 1292.Dq no . 1293Enabling environment processing may enable users to bypass access 1294restrictions in some configurations using mechanisms such as 1295.Ev LD_PRELOAD . 1296.It Cm PermitUserRC 1297Specifies whether any 1298.Pa ~/.ssh/rc 1299file is executed. 1300The default is 1301.Dq yes . 1302.It Cm PidFile 1303Specifies the file that contains the process ID of the 1304SSH daemon, or 1305.Dq none 1306to not write one. 1307The default is 1308.Pa /var/run/sshd.pid . 1309.It Cm Port 1310Specifies the port number that 1311.Xr sshd 8 1312listens on. 1313The default is 22. 1314Multiple options of this type are permitted. 1315See also 1316.Cm ListenAddress . 1317.It Cm PrintLastLog 1318Specifies whether 1319.Xr sshd 8 1320should print the date and time of the last user login when a user logs 1321in interactively. 1322The default is 1323.Dq yes . 1324.It Cm PrintMotd 1325Specifies whether 1326.Xr sshd 8 1327should print 1328.Pa /etc/motd 1329when a user logs in interactively. 1330(On some systems it is also printed by the shell, 1331.Pa /etc/profile , 1332or equivalent.) 1333The default is 1334.Dq yes . 1335.It Cm Protocol 1336Specifies the protocol versions 1337.Xr sshd 8 1338supports. 1339The possible values are 1340.Sq 1 1341and 1342.Sq 2 . 1343Multiple versions must be comma-separated. 1344The default is 1345.Sq 2 . 1346Protocol 1 suffers from a number of cryptographic weaknesses and should 1347not be used. 1348It is only offered to support legacy devices. 1349.Pp 1350Note that the order of the protocol list does not indicate preference, 1351because the client selects among multiple protocol versions offered 1352by the server. 1353Specifying 1354.Dq 2,1 1355is identical to 1356.Dq 1,2 . 1357.It Cm PubkeyAcceptedKeyTypes 1358Specifies the key types that will be accepted for public key authentication 1359as a comma-separated pattern list. 1360Alternately if the specified value begins with a 1361.Sq + 1362character, then the specified key types will be appended to the default set 1363instead of replacing them. 1364The default for this option is: 1365.Bd -literal -offset 3n 1366ecdsa-sha2-nistp256-cert-v01@openssh.com, 1367ecdsa-sha2-nistp384-cert-v01@openssh.com, 1368ecdsa-sha2-nistp521-cert-v01@openssh.com, 1369ssh-ed25519-cert-v01@openssh.com, 1370ssh-rsa-cert-v01@openssh.com, 1371ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 1372ssh-ed25519,ssh-rsa 1373.Ed 1374.Pp 1375The 1376.Fl Q 1377option of 1378.Xr ssh 1 1379may be used to list supported key types. 1380.It Cm PubkeyAuthentication 1381Specifies whether public key authentication is allowed. 1382The default is 1383.Dq yes . 1384.It Cm RekeyLimit 1385Specifies the maximum amount of data that may be transmitted before the 1386session key is renegotiated, optionally followed a maximum amount of 1387time that may pass before the session key is renegotiated. 1388The first argument is specified in bytes and may have a suffix of 1389.Sq K , 1390.Sq M , 1391or 1392.Sq G 1393to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 1394The default is between 1395.Sq 1G 1396and 1397.Sq 4G , 1398depending on the cipher. 1399The optional second value is specified in seconds and may use any of the 1400units documented in the 1401.Sx TIME FORMATS 1402section. 1403The default value for 1404.Cm RekeyLimit 1405is 1406.Dq default none , 1407which means that rekeying is performed after the cipher's default amount 1408of data has been sent or received and no time based rekeying is done. 1409.It Cm RevokedKeys 1410Specifies revoked public keys file, or 1411.Dq none 1412to not use one. 1413Keys listed in this file will be refused for public key authentication. 1414Note that if this file is not readable, then public key authentication will 1415be refused for all users. 1416Keys may be specified as a text file, listing one public key per line, or as 1417an OpenSSH Key Revocation List (KRL) as generated by 1418.Xr ssh-keygen 1 . 1419For more information on KRLs, see the KEY REVOCATION LISTS section in 1420.Xr ssh-keygen 1 . 1421.It Cm RhostsRSAAuthentication 1422Specifies whether rhosts or 1423.Pa /etc/hosts.equiv 1424authentication together 1425with successful RSA host authentication is allowed. 1426The default is 1427.Dq no . 1428This option applies to protocol version 1 only. 1429.It Cm RSAAuthentication 1430Specifies whether pure RSA authentication is allowed. 1431The default is 1432.Dq yes . 1433This option applies to protocol version 1 only. 1434.It Cm ServerKeyBits 1435Defines the number of bits in the ephemeral protocol version 1 server key. 1436The default and minimum value is 1024. 1437.It Cm StreamLocalBindMask 1438Sets the octal file creation mode mask 1439.Pq umask 1440used when creating a Unix-domain socket file for local or remote 1441port forwarding. 1442This option is only used for port forwarding to a Unix-domain socket file. 1443.Pp 1444The default value is 0177, which creates a Unix-domain socket file that is 1445readable and writable only by the owner. 1446Note that not all operating systems honor the file mode on Unix-domain 1447socket files. 1448.It Cm StreamLocalBindUnlink 1449Specifies whether to remove an existing Unix-domain socket file for local 1450or remote port forwarding before creating a new one. 1451If the socket file already exists and 1452.Cm StreamLocalBindUnlink 1453is not enabled, 1454.Nm sshd 1455will be unable to forward the port to the Unix-domain socket file. 1456This option is only used for port forwarding to a Unix-domain socket file. 1457.Pp 1458The argument must be 1459.Dq yes 1460or 1461.Dq no . 1462The default is 1463.Dq no . 1464.It Cm StrictModes 1465Specifies whether 1466.Xr sshd 8 1467should check file modes and ownership of the 1468user's files and home directory before accepting login. 1469This is normally desirable because novices sometimes accidentally leave their 1470directory or files world-writable. 1471The default is 1472.Dq yes . 1473Note that this does not apply to 1474.Cm ChrootDirectory , 1475whose permissions and ownership are checked unconditionally. 1476.It Cm Subsystem 1477Configures an external subsystem (e.g. file transfer daemon). 1478Arguments should be a subsystem name and a command (with optional arguments) 1479to execute upon subsystem request. 1480.Pp 1481The command 1482.Xr sftp-server 8 1483implements the 1484.Dq sftp 1485file transfer subsystem. 1486.Pp 1487Alternately the name 1488.Dq internal-sftp 1489implements an in-process 1490.Dq sftp 1491server. 1492This may simplify configurations using 1493.Cm ChrootDirectory 1494to force a different filesystem root on clients. 1495.Pp 1496By default no subsystems are defined. 1497.It Cm SyslogFacility 1498Gives the facility code that is used when logging messages from 1499.Xr sshd 8 . 1500The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 1501LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 1502The default is AUTH. 1503.It Cm TCPKeepAlive 1504Specifies whether the system should send TCP keepalive messages to the 1505other side. 1506If they are sent, death of the connection or crash of one 1507of the machines will be properly noticed. 1508However, this means that 1509connections will die if the route is down temporarily, and some people 1510find it annoying. 1511On the other hand, if TCP keepalives are not sent, 1512sessions may hang indefinitely on the server, leaving 1513.Dq ghost 1514users and consuming server resources. 1515.Pp 1516The default is 1517.Dq yes 1518(to send TCP keepalive messages), and the server will notice 1519if the network goes down or the client host crashes. 1520This avoids infinitely hanging sessions. 1521.Pp 1522To disable TCP keepalive messages, the value should be set to 1523.Dq no . 1524.It Cm TrustedUserCAKeys 1525Specifies a file containing public keys of certificate authorities that are 1526trusted to sign user certificates for authentication, or 1527.Dq none 1528to not use one. 1529Keys are listed one per line; empty lines and comments starting with 1530.Ql # 1531are allowed. 1532If a certificate is presented for authentication and has its signing CA key 1533listed in this file, then it may be used for authentication for any user 1534listed in the certificate's principals list. 1535Note that certificates that lack a list of principals will not be permitted 1536for authentication using 1537.Cm TrustedUserCAKeys . 1538For more details on certificates, see the CERTIFICATES section in 1539.Xr ssh-keygen 1 . 1540.It Cm UseBlacklist 1541Specifies whether 1542.Xr sshd 8 1543attempts to send authentication success and failure messages 1544to the 1545.Xr blacklistd 8 1546daemon. 1547The default is 1548.Dq no . 1549.It Cm UseDNS 1550Specifies whether 1551.Xr sshd 8 1552should look up the remote host name, and to check that 1553the resolved host name for the remote IP address maps back to the 1554very same IP address. 1555.Pp 1556If this option is set to 1557.Dq no , 1558then only addresses and not host names may be used in 1559.Pa ~/.ssh/known_hosts 1560.Cm from 1561and 1562.Nm 1563.Cm Match 1564.Cm Host 1565directives. 1566The default is 1567.Dq yes . 1568.It Cm UseLogin 1569Specifies whether 1570.Xr login 1 1571is used for interactive login sessions. 1572The default is 1573.Dq no . 1574Note that 1575.Xr login 1 1576is never used for remote command execution. 1577Note also, that if this is enabled, 1578.Cm X11Forwarding 1579will be disabled because 1580.Xr login 1 1581does not know how to handle 1582.Xr xauth 1 1583cookies. 1584If 1585.Cm UsePrivilegeSeparation 1586is specified, it will be disabled after authentication. 1587.It Cm UsePAM 1588Enables the Pluggable Authentication Module interface. 1589If set to 1590.Dq yes 1591this will enable PAM authentication using 1592.Cm ChallengeResponseAuthentication 1593and 1594.Cm PasswordAuthentication 1595in addition to PAM account and session module processing for all 1596authentication types. 1597.Pp 1598Because PAM challenge-response authentication usually serves an equivalent 1599role to password authentication, you should disable either 1600.Cm PasswordAuthentication 1601or 1602.Cm ChallengeResponseAuthentication. 1603.Pp 1604If 1605.Cm UsePAM 1606is enabled, you will not be able to run 1607.Xr sshd 8 1608as a non-root user. 1609The default is 1610.Dq yes . 1611.It Cm UsePrivilegeSeparation 1612Specifies whether 1613.Xr sshd 8 1614separates privileges by creating an unprivileged child process 1615to deal with incoming network traffic. 1616After successful authentication, another process will be created that has 1617the privilege of the authenticated user. 1618The goal of privilege separation is to prevent privilege 1619escalation by containing any corruption within the unprivileged processes. 1620The argument must be 1621.Dq yes , 1622.Dq no , 1623or 1624.Dq sandbox . 1625If 1626.Cm UsePrivilegeSeparation 1627is set to 1628.Dq sandbox 1629then the pre-authentication unprivileged process is subject to additional 1630restrictions. 1631The default is 1632.Dq sandbox . 1633.It Cm VersionAddendum 1634Optionally specifies additional text to append to the SSH protocol banner 1635sent by the server upon connection. 1636The default is 1637.Dq FreeBSD-20160310 . 1638The value 1639.Dq none 1640may be used to disable this. 1641.It Cm X11DisplayOffset 1642Specifies the first display number available for 1643.Xr sshd 8 Ns 's 1644X11 forwarding. 1645This prevents sshd from interfering with real X11 servers. 1646The default is 10. 1647.It Cm X11Forwarding 1648Specifies whether X11 forwarding is permitted. 1649The argument must be 1650.Dq yes 1651or 1652.Dq no . 1653The default is 1654.Dq yes . 1655.Pp 1656When X11 forwarding is enabled, there may be additional exposure to 1657the server and to client displays if the 1658.Xr sshd 8 1659proxy display is configured to listen on the wildcard address (see 1660.Cm X11UseLocalhost 1661below), though this is not the default. 1662Additionally, the authentication spoofing and authentication data 1663verification and substitution occur on the client side. 1664The security risk of using X11 forwarding is that the client's X11 1665display server may be exposed to attack when the SSH client requests 1666forwarding (see the warnings for 1667.Cm ForwardX11 1668in 1669.Xr ssh_config 5 ) . 1670A system administrator may have a stance in which they want to 1671protect clients that may expose themselves to attack by unwittingly 1672requesting X11 forwarding, which can warrant a 1673.Dq no 1674setting. 1675.Pp 1676Note that disabling X11 forwarding does not prevent users from 1677forwarding X11 traffic, as users can always install their own forwarders. 1678X11 forwarding is automatically disabled if 1679.Cm UseLogin 1680is enabled. 1681.It Cm X11UseLocalhost 1682Specifies whether 1683.Xr sshd 8 1684should bind the X11 forwarding server to the loopback address or to 1685the wildcard address. 1686By default, 1687sshd binds the forwarding server to the loopback address and sets the 1688hostname part of the 1689.Ev DISPLAY 1690environment variable to 1691.Dq localhost . 1692This prevents remote hosts from connecting to the proxy display. 1693However, some older X11 clients may not function with this 1694configuration. 1695.Cm X11UseLocalhost 1696may be set to 1697.Dq no 1698to specify that the forwarding server should be bound to the wildcard 1699address. 1700The argument must be 1701.Dq yes 1702or 1703.Dq no . 1704The default is 1705.Dq yes . 1706.It Cm XAuthLocation 1707Specifies the full pathname of the 1708.Xr xauth 1 1709program, or 1710.Dq none 1711to not use one. 1712The default is 1713.Pa /usr/local/bin/xauth . 1714.El 1715.Sh TIME FORMATS 1716.Xr sshd 8 1717command-line arguments and configuration file options that specify time 1718may be expressed using a sequence of the form: 1719.Sm off 1720.Ar time Op Ar qualifier , 1721.Sm on 1722where 1723.Ar time 1724is a positive integer value and 1725.Ar qualifier 1726is one of the following: 1727.Pp 1728.Bl -tag -width Ds -compact -offset indent 1729.It Aq Cm none 1730seconds 1731.It Cm s | Cm S 1732seconds 1733.It Cm m | Cm M 1734minutes 1735.It Cm h | Cm H 1736hours 1737.It Cm d | Cm D 1738days 1739.It Cm w | Cm W 1740weeks 1741.El 1742.Pp 1743Each member of the sequence is added together to calculate 1744the total time value. 1745.Pp 1746Time format examples: 1747.Pp 1748.Bl -tag -width Ds -compact -offset indent 1749.It 600 1750600 seconds (10 minutes) 1751.It 10m 175210 minutes 1753.It 1h30m 17541 hour 30 minutes (90 minutes) 1755.El 1756.Sh FILES 1757.Bl -tag -width Ds 1758.It Pa /etc/ssh/sshd_config 1759Contains configuration data for 1760.Xr sshd 8 . 1761This file should be writable by root only, but it is recommended 1762(though not necessary) that it be world-readable. 1763.El 1764.Sh SEE ALSO 1765.Xr sshd 8 1766.Sh AUTHORS 1767OpenSSH is a derivative of the original and free 1768ssh 1.2.12 release by Tatu Ylonen. 1769Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1770Theo de Raadt and Dug Song 1771removed many bugs, re-added newer features and 1772created OpenSSH. 1773Markus Friedl contributed the support for SSH 1774protocol versions 1.5 and 2.0. 1775Niels Provos and Markus Friedl contributed support 1776for privilege separation. 1777