1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is 9.\" incompatible with the protocol description in the RFC file, it must be 10.\" called by a name other than "ssh" or "Secure Shell". 11.\" 12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 15.\" 16.\" Redistribution and use in source and binary forms, with or without 17.\" modification, are permitted provided that the following conditions 18.\" are met: 19.\" 1. Redistributions of source code must retain the above copyright 20.\" notice, this list of conditions and the following disclaimer. 21.\" 2. Redistributions in binary form must reproduce the above copyright 22.\" notice, this list of conditions and the following disclaimer in the 23.\" documentation and/or other materials provided with the distribution. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" 36.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $ 37.\" $FreeBSD$ 38.Dd $Mdocdate: August 14 2015 $ 39.Dt SSHD_CONFIG 5 40.Os 41.Sh NAME 42.Nm sshd_config 43.Nd OpenSSH SSH daemon configuration file 44.Sh SYNOPSIS 45.Nm /etc/ssh/sshd_config 46.Sh DESCRIPTION 47.Xr sshd 8 48reads configuration data from 49.Pa /etc/ssh/sshd_config 50(or the file specified with 51.Fl f 52on the command line). 53The file contains keyword-argument pairs, one per line. 54Lines starting with 55.Ql # 56and empty lines are interpreted as comments. 57Arguments may optionally be enclosed in double quotes 58.Pq \&" 59in order to represent arguments containing spaces. 60.Pp 61The possible 62keywords and their meanings are as follows (note that 63keywords are case-insensitive and arguments are case-sensitive): 64.Bl -tag -width Ds 65.It Cm AcceptEnv 66Specifies what environment variables sent by the client will be copied into 67the session's 68.Xr environ 7 . 69See 70.Cm SendEnv 71in 72.Xr ssh_config 5 73for how to configure the client. 74Note that environment passing is only supported for protocol 2, and 75that the 76.Ev TERM 77environment variable is always sent whenever the client 78requests a pseudo-terminal as it is required by the protocol. 79Variables are specified by name, which may contain the wildcard characters 80.Ql * 81and 82.Ql \&? . 83Multiple environment variables may be separated by whitespace or spread 84across multiple 85.Cm AcceptEnv 86directives. 87Be warned that some environment variables could be used to bypass restricted 88user environments. 89For this reason, care should be taken in the use of this directive. 90The default is not to accept any environment variables. 91.It Cm AddressFamily 92Specifies which address family should be used by 93.Xr sshd 8 . 94Valid arguments are 95.Dq any , 96.Dq inet 97(use IPv4 only), or 98.Dq inet6 99(use IPv6 only). 100The default is 101.Dq any . 102.It Cm AllowAgentForwarding 103Specifies whether 104.Xr ssh-agent 1 105forwarding is permitted. 106The default is 107.Dq yes . 108Note that disabling agent forwarding does not improve security 109unless users are also denied shell access, as they can always install 110their own forwarders. 111.It Cm AllowGroups 112This keyword can be followed by a list of group name patterns, separated 113by spaces. 114If specified, login is allowed only for users whose primary 115group or supplementary group list matches one of the patterns. 116Only group names are valid; a numerical group ID is not recognized. 117By default, login is allowed for all groups. 118The allow/deny directives are processed in the following order: 119.Cm DenyUsers , 120.Cm AllowUsers , 121.Cm DenyGroups , 122and finally 123.Cm AllowGroups . 124.Pp 125See PATTERNS in 126.Xr ssh_config 5 127for more information on patterns. 128.It Cm AllowTcpForwarding 129Specifies whether TCP forwarding is permitted. 130The available options are 131.Dq yes 132or 133.Dq all 134to allow TCP forwarding, 135.Dq no 136to prevent all TCP forwarding, 137.Dq local 138to allow local (from the perspective of 139.Xr ssh 1 ) 140forwarding only or 141.Dq remote 142to allow remote forwarding only. 143The default is 144.Dq yes . 145Note that disabling TCP forwarding does not improve security unless 146users are also denied shell access, as they can always install their 147own forwarders. 148.It Cm AllowStreamLocalForwarding 149Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. 150The available options are 151.Dq yes 152or 153.Dq all 154to allow StreamLocal forwarding, 155.Dq no 156to prevent all StreamLocal forwarding, 157.Dq local 158to allow local (from the perspective of 159.Xr ssh 1 ) 160forwarding only or 161.Dq remote 162to allow remote forwarding only. 163The default is 164.Dq yes . 165Note that disabling StreamLocal forwarding does not improve security unless 166users are also denied shell access, as they can always install their 167own forwarders. 168.It Cm AllowUsers 169This keyword can be followed by a list of user name patterns, separated 170by spaces. 171If specified, login is allowed only for user names that 172match one of the patterns. 173Only user names are valid; a numerical user ID is not recognized. 174By default, login is allowed for all users. 175If the pattern takes the form USER@HOST then USER and HOST 176are separately checked, restricting logins to particular 177users from particular hosts. 178The allow/deny directives are processed in the following order: 179.Cm DenyUsers , 180.Cm AllowUsers , 181.Cm DenyGroups , 182and finally 183.Cm AllowGroups . 184.Pp 185See PATTERNS in 186.Xr ssh_config 5 187for more information on patterns. 188.It Cm AuthenticationMethods 189Specifies the authentication methods that must be successfully completed 190for a user to be granted access. 191This option must be followed by one or more comma-separated lists of 192authentication method names. 193Successful authentication requires completion of every method in at least 194one of these lists. 195.Pp 196For example, an argument of 197.Dq publickey,password publickey,keyboard-interactive 198would require the user to complete public key authentication, followed by 199either password or keyboard interactive authentication. 200Only methods that are next in one or more lists are offered at each stage, 201so for this example, it would not be possible to attempt password or 202keyboard-interactive authentication before public key. 203.Pp 204For keyboard interactive authentication it is also possible to 205restrict authentication to a specific device by appending a 206colon followed by the device identifier 207.Dq bsdauth , 208.Dq pam , 209or 210.Dq skey , 211depending on the server configuration. 212For example, 213.Dq keyboard-interactive:bsdauth 214would restrict keyboard interactive authentication to the 215.Dq bsdauth 216device. 217.Pp 218If the 219.Dq publickey 220method is listed more than once, 221.Xr sshd 8 222verifies that keys that have been used successfully are not reused for 223subsequent authentications. 224For example, an 225.Cm AuthenticationMethods 226of 227.Dq publickey,publickey 228will require successful authentication using two different public keys. 229.Pp 230This option is only available for SSH protocol 2 and will yield a fatal 231error if enabled if protocol 1 is also enabled. 232Note that each authentication method listed should also be explicitly enabled 233in the configuration. 234The default is not to require multiple authentication; successful completion 235of a single authentication method is sufficient. 236.It Cm AuthorizedKeysCommand 237Specifies a program to be used to look up the user's public keys. 238The program must be owned by root, not writable by group or others and 239specified by an absolute path. 240.Pp 241Arguments to 242.Cm AuthorizedKeysCommand 243may be provided using the following tokens, which will be expanded 244at runtime: %% is replaced by a literal '%', %u is replaced by the 245username being authenticated, %h is replaced by the home directory 246of the user being authenticated, %t is replaced with the key type 247offered for authentication, %f is replaced with the fingerprint of 248the key, and %k is replaced with the key being offered for authentication. 249If no arguments are specified then the username of the target user 250will be supplied. 251.Pp 252The program should produce on standard output zero or 253more lines of authorized_keys output (see AUTHORIZED_KEYS in 254.Xr sshd 8 ) . 255If a key supplied by AuthorizedKeysCommand does not successfully authenticate 256and authorize the user then public key authentication continues using the usual 257.Cm AuthorizedKeysFile 258files. 259By default, no AuthorizedKeysCommand is run. 260.It Cm AuthorizedKeysCommandUser 261Specifies the user under whose account the AuthorizedKeysCommand is run. 262It is recommended to use a dedicated user that has no other role on the host 263than running authorized keys commands. 264If 265.Cm AuthorizedKeysCommand 266is specified but 267.Cm AuthorizedKeysCommandUser 268is not, then 269.Xr sshd 8 270will refuse to start. 271.It Cm AuthorizedKeysFile 272Specifies the file that contains the public keys that can be used 273for user authentication. 274The format is described in the 275AUTHORIZED_KEYS FILE FORMAT 276section of 277.Xr sshd 8 . 278.Cm AuthorizedKeysFile 279may contain tokens of the form %T which are substituted during connection 280setup. 281The following tokens are defined: %% is replaced by a literal '%', 282%h is replaced by the home directory of the user being authenticated, and 283%u is replaced by the username of that user. 284After expansion, 285.Cm AuthorizedKeysFile 286is taken to be an absolute path or one relative to the user's home 287directory. 288Multiple files may be listed, separated by whitespace. 289The default is 290.Dq .ssh/authorized_keys .ssh/authorized_keys2 . 291.It Cm AuthorizedPrincipalsCommand 292Specifies a program to be used to generate the list of allowed 293certificate principals as per 294.Cm AuthorizedPrincipalsFile . 295The program must be owned by root, not writable by group or others and 296specified by an absolute path. 297.Pp 298Arguments to 299.Cm AuthorizedPrincipalsCommand 300may be provided using the following tokens, which will be expanded 301at runtime: %% is replaced by a literal '%', %u is replaced by the 302username being authenticated and %h is replaced by the home directory 303of the user being authenticated. 304.Pp 305The program should produce on standard output zero or 306more lines of 307.Cm AuthorizedPrincipalsFile 308output. 309If either 310.Cm AuthorizedPrincipalsCommand 311or 312.Cm AuthorizedPrincipalsFile 313is specified, then certificates offered by the client for authentication 314must contain a principal that is listed. 315By default, no AuthorizedPrincipalsCommand is run. 316.It Cm AuthorizedPrincipalsCommandUser 317Specifies the user under whose account the AuthorizedPrincipalsCommand is run. 318It is recommended to use a dedicated user that has no other role on the host 319than running authorized principals commands. 320If 321.Cm AuthorizedPrincipalsCommand 322is specified but 323.Cm AuthorizedPrincipalsCommandUser 324is not, then 325.Xr sshd 8 326will refuse to start. 327.It Cm AuthorizedPrincipalsFile 328Specifies a file that lists principal names that are accepted for 329certificate authentication. 330When using certificates signed by a key listed in 331.Cm TrustedUserCAKeys , 332this file lists names, one of which must appear in the certificate for it 333to be accepted for authentication. 334Names are listed one per line preceded by key options (as described 335in AUTHORIZED_KEYS FILE FORMAT in 336.Xr sshd 8 ) . 337Empty lines and comments starting with 338.Ql # 339are ignored. 340.Pp 341.Cm AuthorizedPrincipalsFile 342may contain tokens of the form %T which are substituted during connection 343setup. 344The following tokens are defined: %% is replaced by a literal '%', 345%h is replaced by the home directory of the user being authenticated, and 346%u is replaced by the username of that user. 347After expansion, 348.Cm AuthorizedPrincipalsFile 349is taken to be an absolute path or one relative to the user's home 350directory. 351.Pp 352The default is 353.Dq none , 354i.e. not to use a principals file \(en in this case, the username 355of the user must appear in a certificate's principals list for it to be 356accepted. 357Note that 358.Cm AuthorizedPrincipalsFile 359is only used when authentication proceeds using a CA listed in 360.Cm TrustedUserCAKeys 361and is not consulted for certification authorities trusted via 362.Pa ~/.ssh/authorized_keys , 363though the 364.Cm principals= 365key option offers a similar facility (see 366.Xr sshd 8 367for details). 368.It Cm Banner 369The contents of the specified file are sent to the remote user before 370authentication is allowed. 371If the argument is 372.Dq none 373then no banner is displayed. 374This option is only available for protocol version 2. 375By default, no banner is displayed. 376.It Cm ChallengeResponseAuthentication 377Specifies whether challenge-response authentication is allowed (e.g. via 378PAM or through authentication styles supported in 379.Xr login.conf 5 ) 380The default is 381.Dq yes . 382.It Cm ChrootDirectory 383Specifies the pathname of a directory to 384.Xr chroot 2 385to after authentication. 386At session startup 387.Xr sshd 8 388checks that all components of the pathname are root-owned directories 389which are not writable by any other user or group. 390After the chroot, 391.Xr sshd 8 392changes the working directory to the user's home directory. 393.Pp 394The pathname may contain the following tokens that are expanded at runtime once 395the connecting user has been authenticated: %% is replaced by a literal '%', 396%h is replaced by the home directory of the user being authenticated, and 397%u is replaced by the username of that user. 398.Pp 399The 400.Cm ChrootDirectory 401must contain the necessary files and directories to support the 402user's session. 403For an interactive session this requires at least a shell, typically 404.Xr sh 1 , 405and basic 406.Pa /dev 407nodes such as 408.Xr null 4 , 409.Xr zero 4 , 410.Xr stdin 4 , 411.Xr stdout 4 , 412.Xr stderr 4 , 413and 414.Xr tty 4 415devices. 416For file transfer sessions using 417.Dq sftp , 418no additional configuration of the environment is necessary if the 419in-process sftp server is used, 420though sessions which use logging may require 421.Pa /dev/log 422inside the chroot directory on some operating systems (see 423.Xr sftp-server 8 424for details). 425.Pp 426For safety, it is very important that the directory hierarchy be 427prevented from modification by other processes on the system (especially 428those outside the jail). 429Misconfiguration can lead to unsafe environments which 430.Xr sshd 8 431cannot detect. 432.Pp 433The default is not to 434.Xr chroot 2 . 435.It Cm Ciphers 436Specifies the ciphers allowed for protocol version 2. 437Multiple ciphers must be comma-separated. 438If the specified value begins with a 439.Sq + 440character, then the specified ciphers will be appended to the default set 441instead of replacing them. 442.Pp 443The supported ciphers are: 444.Pp 445.Bl -item -compact -offset indent 446.It 4473des-cbc 448.It 449aes128-cbc 450.It 451aes192-cbc 452.It 453aes256-cbc 454.It 455aes128-ctr 456.It 457aes192-ctr 458.It 459aes256-ctr 460.It 461aes128-gcm@openssh.com 462.It 463aes256-gcm@openssh.com 464.It 465arcfour 466.It 467arcfour128 468.It 469arcfour256 470.It 471blowfish-cbc 472.It 473cast128-cbc 474.It 475chacha20-poly1305@openssh.com 476.El 477.Pp 478The default is: 479.Bd -literal -offset indent 480chacha20-poly1305@openssh.com, 481aes128-ctr,aes192-ctr,aes256-ctr, 482aes128-gcm@openssh.com,aes256-gcm@openssh.com 483.Ed 484.Pp 485The list of available ciphers may also be obtained using the 486.Fl Q 487option of 488.Xr ssh 1 489with an argument of 490.Dq cipher . 491.It Cm ClientAliveCountMax 492Sets the number of client alive messages (see below) which may be 493sent without 494.Xr sshd 8 495receiving any messages back from the client. 496If this threshold is reached while client alive messages are being sent, 497sshd will disconnect the client, terminating the session. 498It is important to note that the use of client alive messages is very 499different from 500.Cm TCPKeepAlive 501(below). 502The client alive messages are sent through the encrypted channel 503and therefore will not be spoofable. 504The TCP keepalive option enabled by 505.Cm TCPKeepAlive 506is spoofable. 507The client alive mechanism is valuable when the client or 508server depend on knowing when a connection has become inactive. 509.Pp 510The default value is 3. 511If 512.Cm ClientAliveInterval 513(see below) is set to 15, and 514.Cm ClientAliveCountMax 515is left at the default, unresponsive SSH clients 516will be disconnected after approximately 45 seconds. 517This option applies to protocol version 2 only. 518.It Cm ClientAliveInterval 519Sets a timeout interval in seconds after which if no data has been received 520from the client, 521.Xr sshd 8 522will send a message through the encrypted 523channel to request a response from the client. 524The default 525is 0, indicating that these messages will not be sent to the client. 526This option applies to protocol version 2 only. 527.It Cm Compression 528Specifies whether compression is allowed, or delayed until 529the user has authenticated successfully. 530The argument must be 531.Dq yes , 532.Dq delayed , 533or 534.Dq no . 535The default is 536.Dq delayed . 537.It Cm DenyGroups 538This keyword can be followed by a list of group name patterns, separated 539by spaces. 540Login is disallowed for users whose primary group or supplementary 541group list matches one of the patterns. 542Only group names are valid; a numerical group ID is not recognized. 543By default, login is allowed for all groups. 544The allow/deny directives are processed in the following order: 545.Cm DenyUsers , 546.Cm AllowUsers , 547.Cm DenyGroups , 548and finally 549.Cm AllowGroups . 550.Pp 551See PATTERNS in 552.Xr ssh_config 5 553for more information on patterns. 554.It Cm DenyUsers 555This keyword can be followed by a list of user name patterns, separated 556by spaces. 557Login is disallowed for user names that match one of the patterns. 558Only user names are valid; a numerical user ID is not recognized. 559By default, login is allowed for all users. 560If the pattern takes the form USER@HOST then USER and HOST 561are separately checked, restricting logins to particular 562users from particular hosts. 563The allow/deny directives are processed in the following order: 564.Cm DenyUsers , 565.Cm AllowUsers , 566.Cm DenyGroups , 567and finally 568.Cm AllowGroups . 569.Pp 570See PATTERNS in 571.Xr ssh_config 5 572for more information on patterns. 573.It Cm FingerprintHash 574Specifies the hash algorithm used when logging key fingerprints. 575Valid options are: 576.Dq md5 577and 578.Dq sha256 . 579The default is 580.Dq sha256 . 581.It Cm ForceCommand 582Forces the execution of the command specified by 583.Cm ForceCommand , 584ignoring any command supplied by the client and 585.Pa ~/.ssh/rc 586if present. 587The command is invoked by using the user's login shell with the -c option. 588This applies to shell, command, or subsystem execution. 589It is most useful inside a 590.Cm Match 591block. 592The command originally supplied by the client is available in the 593.Ev SSH_ORIGINAL_COMMAND 594environment variable. 595Specifying a command of 596.Dq internal-sftp 597will force the use of an in-process sftp server that requires no support 598files when used with 599.Cm ChrootDirectory . 600.It Cm GatewayPorts 601Specifies whether remote hosts are allowed to connect to ports 602forwarded for the client. 603By default, 604.Xr sshd 8 605binds remote port forwardings to the loopback address. 606This prevents other remote hosts from connecting to forwarded ports. 607.Cm GatewayPorts 608can be used to specify that sshd 609should allow remote port forwardings to bind to non-loopback addresses, thus 610allowing other hosts to connect. 611The argument may be 612.Dq no 613to force remote port forwardings to be available to the local host only, 614.Dq yes 615to force remote port forwardings to bind to the wildcard address, or 616.Dq clientspecified 617to allow the client to select the address to which the forwarding is bound. 618The default is 619.Dq no . 620.It Cm GSSAPIAuthentication 621Specifies whether user authentication based on GSSAPI is allowed. 622The default is 623.Dq no . 624Note that this option applies to protocol version 2 only. 625.It Cm GSSAPICleanupCredentials 626Specifies whether to automatically destroy the user's credentials cache 627on logout. 628The default is 629.Dq yes . 630Note that this option applies to protocol version 2 only. 631.It Cm GSSAPIStrictAcceptorCheck 632Determines whether to be strict about the identity of the GSSAPI acceptor 633a client authenticates against. 634If set to 635.Dq yes 636then the client must authenticate against the 637.Pa host 638service on the current hostname. 639If set to 640.Dq no 641then the client may authenticate against any service key stored in the 642machine's default store. 643This facility is provided to assist with operation on multi homed machines. 644The default is 645.Dq yes . 646.It Cm HostbasedAcceptedKeyTypes 647Specifies the key types that will be accepted for hostbased authentication 648as a comma-separated pattern list. 649Alternately if the specified value begins with a 650.Sq + 651character, then the specified key types will be appended to the default set 652instead of replacing them. 653The default for this option is: 654.Bd -literal -offset 3n 655ecdsa-sha2-nistp256-cert-v01@openssh.com, 656ecdsa-sha2-nistp384-cert-v01@openssh.com, 657ecdsa-sha2-nistp521-cert-v01@openssh.com, 658ssh-ed25519-cert-v01@openssh.com, 659ssh-rsa-cert-v01@openssh.com, 660ssh-dss-cert-v01@openssh.com, 661ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, 662ecdsa-sha2-nistp521,ssh-ed25519, 663ssh-rsa,ssh-dss 664.Ed 665.Pp 666The 667.Fl Q 668option of 669.Xr ssh 1 670may be used to list supported key types. 671.It Cm HostbasedAuthentication 672Specifies whether rhosts or /etc/hosts.equiv authentication together 673with successful public key client host authentication is allowed 674(host-based authentication). 675This option is similar to 676.Cm RhostsRSAAuthentication 677and applies to protocol version 2 only. 678The default is 679.Dq no . 680.It Cm HostbasedUsesNameFromPacketOnly 681Specifies whether or not the server will attempt to perform a reverse 682name lookup when matching the name in the 683.Pa ~/.shosts , 684.Pa ~/.rhosts , 685and 686.Pa /etc/hosts.equiv 687files during 688.Cm HostbasedAuthentication . 689A setting of 690.Dq yes 691means that 692.Xr sshd 8 693uses the name supplied by the client rather than 694attempting to resolve the name from the TCP connection itself. 695The default is 696.Dq no . 697.It Cm HostCertificate 698Specifies a file containing a public host certificate. 699The certificate's public key must match a private host key already specified 700by 701.Cm HostKey . 702The default behaviour of 703.Xr sshd 8 704is not to load any certificates. 705.It Cm HostKey 706Specifies a file containing a private host key 707used by SSH. 708The default is 709.Pa /etc/ssh/ssh_host_key 710for protocol version 1, and 711.Pa /etc/ssh/ssh_host_dsa_key , 712.Pa /etc/ssh/ssh_host_ecdsa_key , 713.Pa /etc/ssh/ssh_host_ed25519_key 714and 715.Pa /etc/ssh/ssh_host_rsa_key 716for protocol version 2. 717.Pp 718Note that 719.Xr sshd 8 720will refuse to use a file if it is group/world-accessible 721and that the 722.Cm HostKeyAlgorithms 723option restricts which of the keys are actually used by 724.Xr sshd 8 . 725.Pp 726It is possible to have multiple host key files. 727.Dq rsa1 728keys are used for version 1 and 729.Dq dsa , 730.Dq ecdsa , 731.Dq ed25519 732or 733.Dq rsa 734are used for version 2 of the SSH protocol. 735It is also possible to specify public host key files instead. 736In this case operations on the private key will be delegated 737to an 738.Xr ssh-agent 1 . 739.It Cm HostKeyAgent 740Identifies the UNIX-domain socket used to communicate 741with an agent that has access to the private host keys. 742If 743.Dq SSH_AUTH_SOCK 744is specified, the location of the socket will be read from the 745.Ev SSH_AUTH_SOCK 746environment variable. 747.It Cm HostKeyAlgorithms 748Specifies the protocol version 2 host key algorithms 749that the server offers. 750The default for this option is: 751.Bd -literal -offset 3n 752ecdsa-sha2-nistp256-cert-v01@openssh.com, 753ecdsa-sha2-nistp384-cert-v01@openssh.com, 754ecdsa-sha2-nistp521-cert-v01@openssh.com, 755ssh-ed25519-cert-v01@openssh.com, 756ssh-rsa-cert-v01@openssh.com, 757ssh-dss-cert-v01@openssh.com, 758ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, 759ecdsa-sha2-nistp521,ssh-ed25519, 760ssh-rsa,ssh-dss 761.Ed 762.Pp 763The list of available key types may also be obtained using the 764.Fl Q 765option of 766.Xr ssh 1 767with an argument of 768.Dq key . 769.It Cm IgnoreRhosts 770Specifies that 771.Pa .rhosts 772and 773.Pa .shosts 774files will not be used in 775.Cm RhostsRSAAuthentication 776or 777.Cm HostbasedAuthentication . 778.Pp 779.Pa /etc/hosts.equiv 780and 781.Pa /etc/ssh/shosts.equiv 782are still used. 783The default is 784.Dq yes . 785.It Cm IgnoreUserKnownHosts 786Specifies whether 787.Xr sshd 8 788should ignore the user's 789.Pa ~/.ssh/known_hosts 790during 791.Cm RhostsRSAAuthentication 792or 793.Cm HostbasedAuthentication . 794The default is 795.Dq no . 796.It Cm IPQoS 797Specifies the IPv4 type-of-service or DSCP class for the connection. 798Accepted values are 799.Dq af11 , 800.Dq af12 , 801.Dq af13 , 802.Dq af21 , 803.Dq af22 , 804.Dq af23 , 805.Dq af31 , 806.Dq af32 , 807.Dq af33 , 808.Dq af41 , 809.Dq af42 , 810.Dq af43 , 811.Dq cs0 , 812.Dq cs1 , 813.Dq cs2 , 814.Dq cs3 , 815.Dq cs4 , 816.Dq cs5 , 817.Dq cs6 , 818.Dq cs7 , 819.Dq ef , 820.Dq lowdelay , 821.Dq throughput , 822.Dq reliability , 823or a numeric value. 824This option may take one or two arguments, separated by whitespace. 825If one argument is specified, it is used as the packet class unconditionally. 826If two values are specified, the first is automatically selected for 827interactive sessions and the second for non-interactive sessions. 828The default is 829.Dq lowdelay 830for interactive sessions and 831.Dq throughput 832for non-interactive sessions. 833.It Cm KbdInteractiveAuthentication 834Specifies whether to allow keyboard-interactive authentication. 835The argument to this keyword must be 836.Dq yes 837or 838.Dq no . 839The default is to use whatever value 840.Cm ChallengeResponseAuthentication 841is set to 842(by default 843.Dq yes ) . 844.It Cm KerberosAuthentication 845Specifies whether the password provided by the user for 846.Cm PasswordAuthentication 847will be validated through the Kerberos KDC. 848To use this option, the server needs a 849Kerberos servtab which allows the verification of the KDC's identity. 850The default is 851.Dq no . 852.It Cm KerberosGetAFSToken 853If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire 854an AFS token before accessing the user's home directory. 855The default is 856.Dq no . 857.It Cm KerberosOrLocalPasswd 858If password authentication through Kerberos fails then 859the password will be validated via any additional local mechanism 860such as 861.Pa /etc/passwd . 862The default is 863.Dq yes . 864.It Cm KerberosTicketCleanup 865Specifies whether to automatically destroy the user's ticket cache 866file on logout. 867The default is 868.Dq yes . 869.It Cm KexAlgorithms 870Specifies the available KEX (Key Exchange) algorithms. 871Multiple algorithms must be comma-separated. 872Alternately if the specified value begins with a 873.Sq + 874character, then the specified methods will be appended to the default set 875instead of replacing them. 876The supported algorithms are: 877.Pp 878.Bl -item -compact -offset indent 879.It 880curve25519-sha256@libssh.org 881.It 882diffie-hellman-group1-sha1 883.It 884diffie-hellman-group14-sha1 885.It 886diffie-hellman-group-exchange-sha1 887.It 888diffie-hellman-group-exchange-sha256 889.It 890ecdh-sha2-nistp256 891.It 892ecdh-sha2-nistp384 893.It 894ecdh-sha2-nistp521 895.El 896.Pp 897The default is: 898.Bd -literal -offset indent 899curve25519-sha256@libssh.org, 900ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 901diffie-hellman-group-exchange-sha256, 902diffie-hellman-group14-sha1 903.Ed 904.Pp 905The list of available key exchange algorithms may also be obtained using the 906.Fl Q 907option of 908.Xr ssh 1 909with an argument of 910.Dq kex . 911.It Cm KeyRegenerationInterval 912In protocol version 1, the ephemeral server key is automatically regenerated 913after this many seconds (if it has been used). 914The purpose of regeneration is to prevent 915decrypting captured sessions by later breaking into the machine and 916stealing the keys. 917The key is never stored anywhere. 918If the value is 0, the key is never regenerated. 919The default is 3600 (seconds). 920.It Cm ListenAddress 921Specifies the local addresses 922.Xr sshd 8 923should listen on. 924The following forms may be used: 925.Pp 926.Bl -item -offset indent -compact 927.It 928.Cm ListenAddress 929.Sm off 930.Ar host | Ar IPv4_addr | Ar IPv6_addr 931.Sm on 932.It 933.Cm ListenAddress 934.Sm off 935.Ar host | Ar IPv4_addr : Ar port 936.Sm on 937.It 938.Cm ListenAddress 939.Sm off 940.Oo 941.Ar host | Ar IPv6_addr Oc : Ar port 942.Sm on 943.El 944.Pp 945If 946.Ar port 947is not specified, 948sshd will listen on the address and all 949.Cm Port 950options specified. 951The default is to listen on all local addresses. 952Multiple 953.Cm ListenAddress 954options are permitted. 955.It Cm LoginGraceTime 956The server disconnects after this time if the user has not 957successfully logged in. 958If the value is 0, there is no time limit. 959The default is 120 seconds. 960.It Cm LogLevel 961Gives the verbosity level that is used when logging messages from 962.Xr sshd 8 . 963The possible values are: 964QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. 965The default is INFO. 966DEBUG and DEBUG1 are equivalent. 967DEBUG2 and DEBUG3 each specify higher levels of debugging output. 968Logging with a DEBUG level violates the privacy of users and is not recommended. 969.It Cm MACs 970Specifies the available MAC (message authentication code) algorithms. 971The MAC algorithm is used in protocol version 2 972for data integrity protection. 973Multiple algorithms must be comma-separated. 974If the specified value begins with a 975.Sq + 976character, then the specified algorithms will be appended to the default set 977instead of replacing them. 978.Pp 979The algorithms that contain 980.Dq -etm 981calculate the MAC after encryption (encrypt-then-mac). 982These are considered safer and their use recommended. 983The supported MACs are: 984.Pp 985.Bl -item -compact -offset indent 986.It 987hmac-md5 988.It 989hmac-md5-96 990.It 991hmac-ripemd160 992.It 993hmac-sha1 994.It 995hmac-sha1-96 996.It 997hmac-sha2-256 998.It 999hmac-sha2-512 1000.It 1001umac-64@openssh.com 1002.It 1003umac-128@openssh.com 1004.It 1005hmac-md5-etm@openssh.com 1006.It 1007hmac-md5-96-etm@openssh.com 1008.It 1009hmac-ripemd160-etm@openssh.com 1010.It 1011hmac-sha1-etm@openssh.com 1012.It 1013hmac-sha1-96-etm@openssh.com 1014.It 1015hmac-sha2-256-etm@openssh.com 1016.It 1017hmac-sha2-512-etm@openssh.com 1018.It 1019umac-64-etm@openssh.com 1020.It 1021umac-128-etm@openssh.com 1022.El 1023.Pp 1024The default is: 1025.Bd -literal -offset indent 1026umac-64-etm@openssh.com,umac-128-etm@openssh.com, 1027hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 1028umac-64@openssh.com,umac-128@openssh.com, 1029hmac-sha2-256,hmac-sha2-512 1030.Ed 1031.Pp 1032The list of available MAC algorithms may also be obtained using the 1033.Fl Q 1034option of 1035.Xr ssh 1 1036with an argument of 1037.Dq mac . 1038.It Cm Match 1039Introduces a conditional block. 1040If all of the criteria on the 1041.Cm Match 1042line are satisfied, the keywords on the following lines override those 1043set in the global section of the config file, until either another 1044.Cm Match 1045line or the end of the file. 1046If a keyword appears in multiple 1047.Cm Match 1048blocks that are satisfied, only the first instance of the keyword is 1049applied. 1050.Pp 1051The arguments to 1052.Cm Match 1053are one or more criteria-pattern pairs or the single token 1054.Cm All 1055which matches all criteria. 1056The available criteria are 1057.Cm User , 1058.Cm Group , 1059.Cm Host , 1060.Cm LocalAddress , 1061.Cm LocalPort , 1062and 1063.Cm Address . 1064The match patterns may consist of single entries or comma-separated 1065lists and may use the wildcard and negation operators described in the 1066PATTERNS section of 1067.Xr ssh_config 5 . 1068.Pp 1069The patterns in an 1070.Cm Address 1071criteria may additionally contain addresses to match in CIDR 1072address/masklen format, e.g.\& 1073.Dq 192.0.2.0/24 1074or 1075.Dq 3ffe:ffff::/32 . 1076Note that the mask length provided must be consistent with the address - 1077it is an error to specify a mask length that is too long for the address 1078or one with bits set in this host portion of the address. 1079For example, 1080.Dq 192.0.2.0/33 1081and 1082.Dq 192.0.2.0/8 1083respectively. 1084.Pp 1085Only a subset of keywords may be used on the lines following a 1086.Cm Match 1087keyword. 1088Available keywords are 1089.Cm AcceptEnv , 1090.Cm AllowAgentForwarding , 1091.Cm AllowGroups , 1092.Cm AllowStreamLocalForwarding , 1093.Cm AllowTcpForwarding , 1094.Cm AllowUsers , 1095.Cm AuthenticationMethods , 1096.Cm AuthorizedKeysCommand , 1097.Cm AuthorizedKeysCommandUser , 1098.Cm AuthorizedKeysFile , 1099.Cm AuthorizedPrincipalsFile , 1100.Cm Banner , 1101.Cm ChrootDirectory , 1102.Cm DenyGroups , 1103.Cm DenyUsers , 1104.Cm ForceCommand , 1105.Cm GatewayPorts , 1106.Cm GSSAPIAuthentication , 1107.Cm HostbasedAcceptedKeyTypes , 1108.Cm HostbasedAuthentication , 1109.Cm HostbasedUsesNameFromPacketOnly , 1110.Cm IPQoS , 1111.Cm KbdInteractiveAuthentication , 1112.Cm KerberosAuthentication , 1113.Cm MaxAuthTries , 1114.Cm MaxSessions , 1115.Cm PasswordAuthentication , 1116.Cm PermitEmptyPasswords , 1117.Cm PermitOpen , 1118.Cm PermitRootLogin , 1119.Cm PermitTTY , 1120.Cm PermitTunnel , 1121.Cm PermitUserRC , 1122.Cm PubkeyAcceptedKeyTypes , 1123.Cm PubkeyAuthentication , 1124.Cm RekeyLimit , 1125.Cm RevokedKeys , 1126.Cm RhostsRSAAuthentication , 1127.Cm RSAAuthentication , 1128.Cm StreamLocalBindMask , 1129.Cm StreamLocalBindUnlink , 1130.Cm TrustedUserCAKeys , 1131.Cm X11DisplayOffset , 1132.Cm X11Forwarding 1133and 1134.Cm X11UseLocalHost . 1135.It Cm MaxAuthTries 1136Specifies the maximum number of authentication attempts permitted per 1137connection. 1138Once the number of failures reaches half this value, 1139additional failures are logged. 1140The default is 6. 1141.It Cm MaxSessions 1142Specifies the maximum number of open sessions permitted per network connection. 1143The default is 10. 1144.It Cm MaxStartups 1145Specifies the maximum number of concurrent unauthenticated connections to the 1146SSH daemon. 1147Additional connections will be dropped until authentication succeeds or the 1148.Cm LoginGraceTime 1149expires for a connection. 1150The default is 10:30:100. 1151.Pp 1152Alternatively, random early drop can be enabled by specifying 1153the three colon separated values 1154.Dq start:rate:full 1155(e.g. "10:30:60"). 1156.Xr sshd 8 1157will refuse connection attempts with a probability of 1158.Dq rate/100 1159(30%) 1160if there are currently 1161.Dq start 1162(10) 1163unauthenticated connections. 1164The probability increases linearly and all connection attempts 1165are refused if the number of unauthenticated connections reaches 1166.Dq full 1167(60). 1168.It Cm PasswordAuthentication 1169Specifies whether password authentication is allowed. 1170See also 1171.Cm UsePAM . 1172The default is 1173.Dq no . 1174.It Cm PermitEmptyPasswords 1175When password authentication is allowed, it specifies whether the 1176server allows login to accounts with empty password strings. 1177The default is 1178.Dq no . 1179.It Cm PermitOpen 1180Specifies the destinations to which TCP port forwarding is permitted. 1181The forwarding specification must be one of the following forms: 1182.Pp 1183.Bl -item -offset indent -compact 1184.It 1185.Cm PermitOpen 1186.Sm off 1187.Ar host : port 1188.Sm on 1189.It 1190.Cm PermitOpen 1191.Sm off 1192.Ar IPv4_addr : port 1193.Sm on 1194.It 1195.Cm PermitOpen 1196.Sm off 1197.Ar \&[ IPv6_addr \&] : port 1198.Sm on 1199.El 1200.Pp 1201Multiple forwards may be specified by separating them with whitespace. 1202An argument of 1203.Dq any 1204can be used to remove all restrictions and permit any forwarding requests. 1205An argument of 1206.Dq none 1207can be used to prohibit all forwarding requests. 1208By default all port forwarding requests are permitted. 1209.It Cm PermitRootLogin 1210Specifies whether root can log in using 1211.Xr ssh 1 . 1212The argument must be 1213.Dq yes , 1214.Dq prohibit-password , 1215.Dq without-password , 1216.Dq forced-commands-only , 1217or 1218.Dq no . 1219The default is 1220.Dq prohibit-password . 1221Note that if 1222.Cm ChallengeResponseAuthentication 1223is 1224.Dq yes , 1225the root user may be allowed in with its password even if 1226.Cm PermitRootLogin is set to 1227.Dq without-password . 1228.Pp 1229If this option is set to 1230.Dq prohibit-password 1231or 1232.Dq without-password , 1233password and keyboard-interactive authentication are disabled for root. 1234.Pp 1235If this option is set to 1236.Dq forced-commands-only , 1237root login with public key authentication will be allowed, 1238but only if the 1239.Ar command 1240option has been specified 1241(which may be useful for taking remote backups even if root login is 1242normally not allowed). 1243All other authentication methods are disabled for root. 1244.Pp 1245If this option is set to 1246.Dq no , 1247root is not allowed to log in. 1248.It Cm PermitTunnel 1249Specifies whether 1250.Xr tun 4 1251device forwarding is allowed. 1252The argument must be 1253.Dq yes , 1254.Dq point-to-point 1255(layer 3), 1256.Dq ethernet 1257(layer 2), or 1258.Dq no . 1259Specifying 1260.Dq yes 1261permits both 1262.Dq point-to-point 1263and 1264.Dq ethernet . 1265The default is 1266.Dq no . 1267.Pp 1268Independent of this setting, the permissions of the selected 1269.Xr tun 4 1270device must allow access to the user. 1271.It Cm PermitTTY 1272Specifies whether 1273.Xr pty 4 1274allocation is permitted. 1275The default is 1276.Dq yes . 1277.It Cm PermitUserEnvironment 1278Specifies whether 1279.Pa ~/.ssh/environment 1280and 1281.Cm environment= 1282options in 1283.Pa ~/.ssh/authorized_keys 1284are processed by 1285.Xr sshd 8 . 1286The default is 1287.Dq no . 1288Enabling environment processing may enable users to bypass access 1289restrictions in some configurations using mechanisms such as 1290.Ev LD_PRELOAD . 1291.It Cm PermitUserRC 1292Specifies whether any 1293.Pa ~/.ssh/rc 1294file is executed. 1295The default is 1296.Dq yes . 1297.It Cm PidFile 1298Specifies the file that contains the process ID of the 1299SSH daemon, or 1300.Dq none 1301to not write one. 1302The default is 1303.Pa /var/run/sshd.pid . 1304.It Cm Port 1305Specifies the port number that 1306.Xr sshd 8 1307listens on. 1308The default is 22. 1309Multiple options of this type are permitted. 1310See also 1311.Cm ListenAddress . 1312.It Cm PrintLastLog 1313Specifies whether 1314.Xr sshd 8 1315should print the date and time of the last user login when a user logs 1316in interactively. 1317The default is 1318.Dq yes . 1319.It Cm PrintMotd 1320Specifies whether 1321.Xr sshd 8 1322should print 1323.Pa /etc/motd 1324when a user logs in interactively. 1325(On some systems it is also printed by the shell, 1326.Pa /etc/profile , 1327or equivalent.) 1328The default is 1329.Dq yes . 1330.It Cm Protocol 1331Specifies the protocol versions 1332.Xr sshd 8 1333supports. 1334The possible values are 1335.Sq 1 1336and 1337.Sq 2 . 1338Multiple versions must be comma-separated. 1339The default is 1340.Sq 2 . 1341Note that the order of the protocol list does not indicate preference, 1342because the client selects among multiple protocol versions offered 1343by the server. 1344Specifying 1345.Dq 2,1 1346is identical to 1347.Dq 1,2 . 1348.It Cm PubkeyAcceptedKeyTypes 1349Specifies the key types that will be accepted for public key authentication 1350as a comma-separated pattern list. 1351Alternately if the specified value begins with a 1352.Sq + 1353character, then the specified key types will be appended to the default set 1354instead of replacing them. 1355The default for this option is: 1356.Bd -literal -offset 3n 1357ecdsa-sha2-nistp256-cert-v01@openssh.com, 1358ecdsa-sha2-nistp384-cert-v01@openssh.com, 1359ecdsa-sha2-nistp521-cert-v01@openssh.com, 1360ssh-ed25519-cert-v01@openssh.com, 1361ssh-rsa-cert-v01@openssh.com, 1362ssh-dss-cert-v01@openssh.com, 1363ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, 1364ecdsa-sha2-nistp521,ssh-ed25519, 1365ssh-rsa,ssh-dss 1366.Ed 1367.Pp 1368The 1369.Fl Q 1370option of 1371.Xr ssh 1 1372may be used to list supported key types. 1373.It Cm PubkeyAuthentication 1374Specifies whether public key authentication is allowed. 1375The default is 1376.Dq yes . 1377Note that this option applies to protocol version 2 only. 1378.It Cm RekeyLimit 1379Specifies the maximum amount of data that may be transmitted before the 1380session key is renegotiated, optionally followed a maximum amount of 1381time that may pass before the session key is renegotiated. 1382The first argument is specified in bytes and may have a suffix of 1383.Sq K , 1384.Sq M , 1385or 1386.Sq G 1387to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 1388The default is between 1389.Sq 1G 1390and 1391.Sq 4G , 1392depending on the cipher. 1393The optional second value is specified in seconds and may use any of the 1394units documented in the 1395.Sx TIME FORMATS 1396section. 1397The default value for 1398.Cm RekeyLimit 1399is 1400.Dq default none , 1401which means that rekeying is performed after the cipher's default amount 1402of data has been sent or received and no time based rekeying is done. 1403This option applies to protocol version 2 only. 1404.It Cm RevokedKeys 1405Specifies revoked public keys file, or 1406.Dq none 1407to not use one. 1408Keys listed in this file will be refused for public key authentication. 1409Note that if this file is not readable, then public key authentication will 1410be refused for all users. 1411Keys may be specified as a text file, listing one public key per line, or as 1412an OpenSSH Key Revocation List (KRL) as generated by 1413.Xr ssh-keygen 1 . 1414For more information on KRLs, see the KEY REVOCATION LISTS section in 1415.Xr ssh-keygen 1 . 1416.It Cm RhostsRSAAuthentication 1417Specifies whether rhosts or 1418.Pa /etc/hosts.equiv 1419authentication together 1420with successful RSA host authentication is allowed. 1421The default is 1422.Dq no . 1423This option applies to protocol version 1 only. 1424.It Cm RSAAuthentication 1425Specifies whether pure RSA authentication is allowed. 1426The default is 1427.Dq yes . 1428This option applies to protocol version 1 only. 1429.It Cm ServerKeyBits 1430Defines the number of bits in the ephemeral protocol version 1 server key. 1431The default and minimum value is 1024. 1432.It Cm StreamLocalBindMask 1433Sets the octal file creation mode mask 1434.Pq umask 1435used when creating a Unix-domain socket file for local or remote 1436port forwarding. 1437This option is only used for port forwarding to a Unix-domain socket file. 1438.Pp 1439The default value is 0177, which creates a Unix-domain socket file that is 1440readable and writable only by the owner. 1441Note that not all operating systems honor the file mode on Unix-domain 1442socket files. 1443.It Cm StreamLocalBindUnlink 1444Specifies whether to remove an existing Unix-domain socket file for local 1445or remote port forwarding before creating a new one. 1446If the socket file already exists and 1447.Cm StreamLocalBindUnlink 1448is not enabled, 1449.Nm sshd 1450will be unable to forward the port to the Unix-domain socket file. 1451This option is only used for port forwarding to a Unix-domain socket file. 1452.Pp 1453The argument must be 1454.Dq yes 1455or 1456.Dq no . 1457The default is 1458.Dq no . 1459.It Cm StrictModes 1460Specifies whether 1461.Xr sshd 8 1462should check file modes and ownership of the 1463user's files and home directory before accepting login. 1464This is normally desirable because novices sometimes accidentally leave their 1465directory or files world-writable. 1466The default is 1467.Dq yes . 1468Note that this does not apply to 1469.Cm ChrootDirectory , 1470whose permissions and ownership are checked unconditionally. 1471.It Cm Subsystem 1472Configures an external subsystem (e.g. file transfer daemon). 1473Arguments should be a subsystem name and a command (with optional arguments) 1474to execute upon subsystem request. 1475.Pp 1476The command 1477.Xr sftp-server 8 1478implements the 1479.Dq sftp 1480file transfer subsystem. 1481.Pp 1482Alternately the name 1483.Dq internal-sftp 1484implements an in-process 1485.Dq sftp 1486server. 1487This may simplify configurations using 1488.Cm ChrootDirectory 1489to force a different filesystem root on clients. 1490.Pp 1491By default no subsystems are defined. 1492Note that this option applies to protocol version 2 only. 1493.It Cm SyslogFacility 1494Gives the facility code that is used when logging messages from 1495.Xr sshd 8 . 1496The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 1497LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 1498The default is AUTH. 1499.It Cm TCPKeepAlive 1500Specifies whether the system should send TCP keepalive messages to the 1501other side. 1502If they are sent, death of the connection or crash of one 1503of the machines will be properly noticed. 1504However, this means that 1505connections will die if the route is down temporarily, and some people 1506find it annoying. 1507On the other hand, if TCP keepalives are not sent, 1508sessions may hang indefinitely on the server, leaving 1509.Dq ghost 1510users and consuming server resources. 1511.Pp 1512The default is 1513.Dq yes 1514(to send TCP keepalive messages), and the server will notice 1515if the network goes down or the client host crashes. 1516This avoids infinitely hanging sessions. 1517.Pp 1518To disable TCP keepalive messages, the value should be set to 1519.Dq no . 1520.It Cm TrustedUserCAKeys 1521Specifies a file containing public keys of certificate authorities that are 1522trusted to sign user certificates for authentication, or 1523.Dq none 1524to not use one. 1525Keys are listed one per line; empty lines and comments starting with 1526.Ql # 1527are allowed. 1528If a certificate is presented for authentication and has its signing CA key 1529listed in this file, then it may be used for authentication for any user 1530listed in the certificate's principals list. 1531Note that certificates that lack a list of principals will not be permitted 1532for authentication using 1533.Cm TrustedUserCAKeys . 1534For more details on certificates, see the CERTIFICATES section in 1535.Xr ssh-keygen 1 . 1536.It Cm UseDNS 1537Specifies whether 1538.Xr sshd 8 1539should look up the remote host name, and to check that 1540the resolved host name for the remote IP address maps back to the 1541very same IP address. 1542.Pp 1543If this option is set to 1544.Dq no 1545(the default) then only addresses and not host names may be used in 1546.Pa ~/.ssh/known_hosts 1547.Cm from 1548and 1549.Nm 1550.Cm Match 1551.Cm Host 1552directives. 1553.It Cm UseLogin 1554Specifies whether 1555.Xr login 1 1556is used for interactive login sessions. 1557The default is 1558.Dq no . 1559Note that 1560.Xr login 1 1561is never used for remote command execution. 1562Note also, that if this is enabled, 1563.Cm X11Forwarding 1564will be disabled because 1565.Xr login 1 1566does not know how to handle 1567.Xr xauth 1 1568cookies. 1569If 1570.Cm UsePrivilegeSeparation 1571is specified, it will be disabled after authentication. 1572.It Cm UsePAM 1573Enables the Pluggable Authentication Module interface. 1574If set to 1575.Dq yes 1576this will enable PAM authentication using 1577.Cm ChallengeResponseAuthentication 1578and 1579.Cm PasswordAuthentication 1580in addition to PAM account and session module processing for all 1581authentication types. 1582.Pp 1583Because PAM challenge-response authentication usually serves an equivalent 1584role to password authentication, you should disable either 1585.Cm PasswordAuthentication 1586or 1587.Cm ChallengeResponseAuthentication. 1588.Pp 1589If 1590.Cm UsePAM 1591is enabled, you will not be able to run 1592.Xr sshd 8 1593as a non-root user. 1594The default is 1595.Dq yes . 1596.It Cm UsePrivilegeSeparation 1597Specifies whether 1598.Xr sshd 8 1599separates privileges by creating an unprivileged child process 1600to deal with incoming network traffic. 1601After successful authentication, another process will be created that has 1602the privilege of the authenticated user. 1603The goal of privilege separation is to prevent privilege 1604escalation by containing any corruption within the unprivileged processes. 1605The default is 1606.Dq sandbox . 1607If 1608.Cm UsePrivilegeSeparation 1609is set to 1610.Dq sandbox 1611then the pre-authentication unprivileged process is subject to additional 1612restrictions. 1613.It Cm VersionAddendum 1614Optionally specifies additional text to append to the SSH protocol banner 1615sent by the server upon connection. 1616The default is 1617.Dq FreeBSD-20160121 . 1618The value 1619.Dq none 1620may be used to disable this. 1621.It Cm X11DisplayOffset 1622Specifies the first display number available for 1623.Xr sshd 8 Ns 's 1624X11 forwarding. 1625This prevents sshd from interfering with real X11 servers. 1626The default is 10. 1627.It Cm X11Forwarding 1628Specifies whether X11 forwarding is permitted. 1629The argument must be 1630.Dq yes 1631or 1632.Dq no . 1633The default is 1634.Dq yes . 1635.Pp 1636When X11 forwarding is enabled, there may be additional exposure to 1637the server and to client displays if the 1638.Xr sshd 8 1639proxy display is configured to listen on the wildcard address (see 1640.Cm X11UseLocalhost 1641below), though this is not the default. 1642Additionally, the authentication spoofing and authentication data 1643verification and substitution occur on the client side. 1644The security risk of using X11 forwarding is that the client's X11 1645display server may be exposed to attack when the SSH client requests 1646forwarding (see the warnings for 1647.Cm ForwardX11 1648in 1649.Xr ssh_config 5 ) . 1650A system administrator may have a stance in which they want to 1651protect clients that may expose themselves to attack by unwittingly 1652requesting X11 forwarding, which can warrant a 1653.Dq no 1654setting. 1655.Pp 1656Note that disabling X11 forwarding does not prevent users from 1657forwarding X11 traffic, as users can always install their own forwarders. 1658X11 forwarding is automatically disabled if 1659.Cm UseLogin 1660is enabled. 1661.It Cm X11UseLocalhost 1662Specifies whether 1663.Xr sshd 8 1664should bind the X11 forwarding server to the loopback address or to 1665the wildcard address. 1666By default, 1667sshd binds the forwarding server to the loopback address and sets the 1668hostname part of the 1669.Ev DISPLAY 1670environment variable to 1671.Dq localhost . 1672This prevents remote hosts from connecting to the proxy display. 1673However, some older X11 clients may not function with this 1674configuration. 1675.Cm X11UseLocalhost 1676may be set to 1677.Dq no 1678to specify that the forwarding server should be bound to the wildcard 1679address. 1680The argument must be 1681.Dq yes 1682or 1683.Dq no . 1684The default is 1685.Dq yes . 1686.It Cm XAuthLocation 1687Specifies the full pathname of the 1688.Xr xauth 1 1689program, or 1690.Dq none 1691to not use one. 1692The default is 1693.Pa /usr/local/bin/xauth . 1694.El 1695.Sh TIME FORMATS 1696.Xr sshd 8 1697command-line arguments and configuration file options that specify time 1698may be expressed using a sequence of the form: 1699.Sm off 1700.Ar time Op Ar qualifier , 1701.Sm on 1702where 1703.Ar time 1704is a positive integer value and 1705.Ar qualifier 1706is one of the following: 1707.Pp 1708.Bl -tag -width Ds -compact -offset indent 1709.It Aq Cm none 1710seconds 1711.It Cm s | Cm S 1712seconds 1713.It Cm m | Cm M 1714minutes 1715.It Cm h | Cm H 1716hours 1717.It Cm d | Cm D 1718days 1719.It Cm w | Cm W 1720weeks 1721.El 1722.Pp 1723Each member of the sequence is added together to calculate 1724the total time value. 1725.Pp 1726Time format examples: 1727.Pp 1728.Bl -tag -width Ds -compact -offset indent 1729.It 600 1730600 seconds (10 minutes) 1731.It 10m 173210 minutes 1733.It 1h30m 17341 hour 30 minutes (90 minutes) 1735.El 1736.Sh FILES 1737.Bl -tag -width Ds 1738.It Pa /etc/ssh/sshd_config 1739Contains configuration data for 1740.Xr sshd 8 . 1741This file should be writable by root only, but it is recommended 1742(though not necessary) that it be world-readable. 1743.El 1744.Sh SEE ALSO 1745.Xr sshd 8 1746.Sh AUTHORS 1747OpenSSH is a derivative of the original and free 1748ssh 1.2.12 release by Tatu Ylonen. 1749Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1750Theo de Raadt and Dug Song 1751removed many bugs, re-added newer features and 1752created OpenSSH. 1753Markus Friedl contributed the support for SSH 1754protocol versions 1.5 and 2.0. 1755Niels Provos and Markus Friedl contributed support 1756for privilege separation. 1757