1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is 9.\" incompatible with the protocol description in the RFC file, it must be 10.\" called by a name other than "ssh" or "Secure Shell". 11.\" 12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 15.\" 16.\" Redistribution and use in source and binary forms, with or without 17.\" modification, are permitted provided that the following conditions 18.\" are met: 19.\" 1. Redistributions of source code must retain the above copyright 20.\" notice, this list of conditions and the following disclaimer. 21.\" 2. Redistributions in binary form must reproduce the above copyright 22.\" notice, this list of conditions and the following disclaimer in the 23.\" documentation and/or other materials provided with the distribution. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" 36.\" $OpenBSD: sshd_config.5,v 1.335 2021/09/03 05:25:50 dtucker Exp $ 37.\" $FreeBSD$ 38.Dd $Mdocdate: December 4 2021 $ 39.Dt SSHD_CONFIG 5 40.Os 41.Sh NAME 42.Nm sshd_config 43.Nd OpenSSH daemon configuration file 44.Sh DESCRIPTION 45.Xr sshd 8 46reads configuration data from 47.Pa /etc/ssh/sshd_config 48(or the file specified with 49.Fl f 50on the command line). 51The file contains keyword-argument pairs, one per line. 52For each keyword, the first obtained value will be used. 53Lines starting with 54.Ql # 55and empty lines are interpreted as comments. 56Arguments may optionally be enclosed in double quotes 57.Pq \&" 58in order to represent arguments containing spaces. 59.Pp 60The possible 61keywords and their meanings are as follows (note that 62keywords are case-insensitive and arguments are case-sensitive): 63.Bl -tag -width Ds 64.It Cm AcceptEnv 65Specifies what environment variables sent by the client will be copied into 66the session's 67.Xr environ 7 . 68See 69.Cm SendEnv 70and 71.Cm SetEnv 72in 73.Xr ssh_config 5 74for how to configure the client. 75The 76.Ev TERM 77environment variable is always accepted whenever the client 78requests a pseudo-terminal as it is required by the protocol. 79Variables are specified by name, which may contain the wildcard characters 80.Ql * 81and 82.Ql \&? . 83Multiple environment variables may be separated by whitespace or spread 84across multiple 85.Cm AcceptEnv 86directives. 87Be warned that some environment variables could be used to bypass restricted 88user environments. 89For this reason, care should be taken in the use of this directive. 90The default is not to accept any environment variables. 91.It Cm AddressFamily 92Specifies which address family should be used by 93.Xr sshd 8 . 94Valid arguments are 95.Cm any 96(the default), 97.Cm inet 98(use IPv4 only), or 99.Cm inet6 100(use IPv6 only). 101.It Cm AllowAgentForwarding 102Specifies whether 103.Xr ssh-agent 1 104forwarding is permitted. 105The default is 106.Cm yes . 107Note that disabling agent forwarding does not improve security 108unless users are also denied shell access, as they can always install 109their own forwarders. 110.It Cm AllowGroups 111This keyword can be followed by a list of group name patterns, separated 112by spaces. 113If specified, login is allowed only for users whose primary 114group or supplementary group list matches one of the patterns. 115Only group names are valid; a numerical group ID is not recognized. 116By default, login is allowed for all groups. 117The allow/deny groups directives are processed in the following order: 118.Cm DenyGroups , 119.Cm AllowGroups . 120.Pp 121See PATTERNS in 122.Xr ssh_config 5 123for more information on patterns. 124.It Cm AllowStreamLocalForwarding 125Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. 126The available options are 127.Cm yes 128(the default) 129or 130.Cm all 131to allow StreamLocal forwarding, 132.Cm no 133to prevent all StreamLocal forwarding, 134.Cm local 135to allow local (from the perspective of 136.Xr ssh 1 ) 137forwarding only or 138.Cm remote 139to allow remote forwarding only. 140Note that disabling StreamLocal forwarding does not improve security unless 141users are also denied shell access, as they can always install their 142own forwarders. 143.It Cm AllowTcpForwarding 144Specifies whether TCP forwarding is permitted. 145The available options are 146.Cm yes 147(the default) 148or 149.Cm all 150to allow TCP forwarding, 151.Cm no 152to prevent all TCP forwarding, 153.Cm local 154to allow local (from the perspective of 155.Xr ssh 1 ) 156forwarding only or 157.Cm remote 158to allow remote forwarding only. 159Note that disabling TCP forwarding does not improve security unless 160users are also denied shell access, as they can always install their 161own forwarders. 162.It Cm AllowUsers 163This keyword can be followed by a list of user name patterns, separated 164by spaces. 165If specified, login is allowed only for user names that 166match one of the patterns. 167Only user names are valid; a numerical user ID is not recognized. 168By default, login is allowed for all users. 169If the pattern takes the form USER@HOST then USER and HOST 170are separately checked, restricting logins to particular 171users from particular hosts. 172HOST criteria may additionally contain addresses to match in CIDR 173address/masklen format. 174The allow/deny users directives are processed in the following order: 175.Cm DenyUsers , 176.Cm AllowUsers . 177.Pp 178See PATTERNS in 179.Xr ssh_config 5 180for more information on patterns. 181.It Cm AuthenticationMethods 182Specifies the authentication methods that must be successfully completed 183for a user to be granted access. 184This option must be followed by one or more lists of comma-separated 185authentication method names, or by the single string 186.Cm any 187to indicate the default behaviour of accepting any single authentication 188method. 189If the default is overridden, then successful authentication requires 190completion of every method in at least one of these lists. 191.Pp 192For example, 193.Qq publickey,password publickey,keyboard-interactive 194would require the user to complete public key authentication, followed by 195either password or keyboard interactive authentication. 196Only methods that are next in one or more lists are offered at each stage, 197so for this example it would not be possible to attempt password or 198keyboard-interactive authentication before public key. 199.Pp 200For keyboard interactive authentication it is also possible to 201restrict authentication to a specific device by appending a 202colon followed by the device identifier 203.Cm bsdauth 204or 205.Cm pam . 206depending on the server configuration. 207For example, 208.Qq keyboard-interactive:bsdauth 209would restrict keyboard interactive authentication to the 210.Cm bsdauth 211device. 212.Pp 213If the publickey method is listed more than once, 214.Xr sshd 8 215verifies that keys that have been used successfully are not reused for 216subsequent authentications. 217For example, 218.Qq publickey,publickey 219requires successful authentication using two different public keys. 220.Pp 221Note that each authentication method listed should also be explicitly enabled 222in the configuration. 223.Pp 224The available authentication methods are: 225.Qq gssapi-with-mic , 226.Qq hostbased , 227.Qq keyboard-interactive , 228.Qq none 229(used for access to password-less accounts when 230.Cm PermitEmptyPasswords 231is enabled), 232.Qq password 233and 234.Qq publickey . 235.It Cm AuthorizedKeysCommand 236Specifies a program to be used to look up the user's public keys. 237The program must be owned by root, not writable by group or others and 238specified by an absolute path. 239Arguments to 240.Cm AuthorizedKeysCommand 241accept the tokens described in the 242.Sx TOKENS 243section. 244If no arguments are specified then the username of the target user is used. 245.Pp 246The program should produce on standard output zero or 247more lines of authorized_keys output (see 248.Sx AUTHORIZED_KEYS 249in 250.Xr sshd 8 ) . 251.Cm AuthorizedKeysCommand 252is tried after the usual 253.Cm AuthorizedKeysFile 254files and will not be executed if a matching key is found there. 255By default, no 256.Cm AuthorizedKeysCommand 257is run. 258.It Cm AuthorizedKeysCommandUser 259Specifies the user under whose account the 260.Cm AuthorizedKeysCommand 261is run. 262It is recommended to use a dedicated user that has no other role on the host 263than running authorized keys commands. 264If 265.Cm AuthorizedKeysCommand 266is specified but 267.Cm AuthorizedKeysCommandUser 268is not, then 269.Xr sshd 8 270will refuse to start. 271.It Cm AuthorizedKeysFile 272Specifies the file that contains the public keys used for user authentication. 273The format is described in the AUTHORIZED_KEYS FILE FORMAT section of 274.Xr sshd 8 . 275Arguments to 276.Cm AuthorizedKeysFile 277accept the tokens described in the 278.Sx TOKENS 279section. 280After expansion, 281.Cm AuthorizedKeysFile 282is taken to be an absolute path or one relative to the user's home 283directory. 284Multiple files may be listed, separated by whitespace. 285Alternately this option may be set to 286.Cm none 287to skip checking for user keys in files. 288The default is 289.Qq .ssh/authorized_keys .ssh/authorized_keys2 . 290.It Cm AuthorizedPrincipalsCommand 291Specifies a program to be used to generate the list of allowed 292certificate principals as per 293.Cm AuthorizedPrincipalsFile . 294The program must be owned by root, not writable by group or others and 295specified by an absolute path. 296Arguments to 297.Cm AuthorizedPrincipalsCommand 298accept the tokens described in the 299.Sx TOKENS 300section. 301If no arguments are specified then the username of the target user is used. 302.Pp 303The program should produce on standard output zero or 304more lines of 305.Cm AuthorizedPrincipalsFile 306output. 307If either 308.Cm AuthorizedPrincipalsCommand 309or 310.Cm AuthorizedPrincipalsFile 311is specified, then certificates offered by the client for authentication 312must contain a principal that is listed. 313By default, no 314.Cm AuthorizedPrincipalsCommand 315is run. 316.It Cm AuthorizedPrincipalsCommandUser 317Specifies the user under whose account the 318.Cm AuthorizedPrincipalsCommand 319is run. 320It is recommended to use a dedicated user that has no other role on the host 321than running authorized principals commands. 322If 323.Cm AuthorizedPrincipalsCommand 324is specified but 325.Cm AuthorizedPrincipalsCommandUser 326is not, then 327.Xr sshd 8 328will refuse to start. 329.It Cm AuthorizedPrincipalsFile 330Specifies a file that lists principal names that are accepted for 331certificate authentication. 332When using certificates signed by a key listed in 333.Cm TrustedUserCAKeys , 334this file lists names, one of which must appear in the certificate for it 335to be accepted for authentication. 336Names are listed one per line preceded by key options (as described in 337.Sx AUTHORIZED_KEYS FILE FORMAT 338in 339.Xr sshd 8 ) . 340Empty lines and comments starting with 341.Ql # 342are ignored. 343.Pp 344Arguments to 345.Cm AuthorizedPrincipalsFile 346accept the tokens described in the 347.Sx TOKENS 348section. 349After expansion, 350.Cm AuthorizedPrincipalsFile 351is taken to be an absolute path or one relative to the user's home directory. 352The default is 353.Cm none , 354i.e. not to use a principals file \(en in this case, the username 355of the user must appear in a certificate's principals list for it to be 356accepted. 357.Pp 358Note that 359.Cm AuthorizedPrincipalsFile 360is only used when authentication proceeds using a CA listed in 361.Cm TrustedUserCAKeys 362and is not consulted for certification authorities trusted via 363.Pa ~/.ssh/authorized_keys , 364though the 365.Cm principals= 366key option offers a similar facility (see 367.Xr sshd 8 368for details). 369.It Cm Banner 370The contents of the specified file are sent to the remote user before 371authentication is allowed. 372If the argument is 373.Cm none 374then no banner is displayed. 375By default, no banner is displayed. 376.It Cm CASignatureAlgorithms 377Specifies which algorithms are allowed for signing of certificates 378by certificate authorities (CAs). 379The default is: 380.Bd -literal -offset indent 381ssh-ed25519,ecdsa-sha2-nistp256, 382ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 383sk-ssh-ed25519@openssh.com, 384sk-ecdsa-sha2-nistp256@openssh.com, 385rsa-sha2-512,rsa-sha2-256 386.Ed 387.Pp 388If the specified list begins with a 389.Sq + 390character, then the specified algorithms will be appended to the default set 391instead of replacing them. 392If the specified list begins with a 393.Sq - 394character, then the specified algorithms (including wildcards) will be removed 395from the default set instead of replacing them. 396.Pp 397Certificates signed using other algorithms will not be accepted for 398public key or host-based authentication. 399.It Cm ChrootDirectory 400Specifies the pathname of a directory to 401.Xr chroot 2 402to after authentication. 403At session startup 404.Xr sshd 8 405checks that all components of the pathname are root-owned directories 406which are not writable by any other user or group. 407After the chroot, 408.Xr sshd 8 409changes the working directory to the user's home directory. 410Arguments to 411.Cm ChrootDirectory 412accept the tokens described in the 413.Sx TOKENS 414section. 415.Pp 416The 417.Cm ChrootDirectory 418must contain the necessary files and directories to support the 419user's session. 420For an interactive session this requires at least a shell, typically 421.Xr sh 1 , 422and basic 423.Pa /dev 424nodes such as 425.Xr null 4 , 426.Xr zero 4 , 427.Xr stdin 4 , 428.Xr stdout 4 , 429.Xr stderr 4 , 430and 431.Xr tty 4 432devices. 433For file transfer sessions using SFTP 434no additional configuration of the environment is necessary if the in-process 435sftp-server is used, 436though sessions which use logging may require 437.Pa /dev/log 438inside the chroot directory on some operating systems (see 439.Xr sftp-server 8 440for details). 441.Pp 442For safety, it is very important that the directory hierarchy be 443prevented from modification by other processes on the system (especially 444those outside the jail). 445Misconfiguration can lead to unsafe environments which 446.Xr sshd 8 447cannot detect. 448.Pp 449The default is 450.Cm none , 451indicating not to 452.Xr chroot 2 . 453.It Cm Ciphers 454Specifies the ciphers allowed. 455Multiple ciphers must be comma-separated. 456If the specified list begins with a 457.Sq + 458character, then the specified ciphers will be appended to the default set 459instead of replacing them. 460If the specified list begins with a 461.Sq - 462character, then the specified ciphers (including wildcards) will be removed 463from the default set instead of replacing them. 464If the specified list begins with a 465.Sq ^ 466character, then the specified ciphers will be placed at the head of the 467default set. 468.Pp 469The supported ciphers are: 470.Pp 471.Bl -item -compact -offset indent 472.It 4733des-cbc 474.It 475aes128-cbc 476.It 477aes192-cbc 478.It 479aes256-cbc 480.It 481aes128-ctr 482.It 483aes192-ctr 484.It 485aes256-ctr 486.It 487aes128-gcm@openssh.com 488.It 489aes256-gcm@openssh.com 490.It 491chacha20-poly1305@openssh.com 492.El 493.Pp 494The default is: 495.Bd -literal -offset indent 496chacha20-poly1305@openssh.com, 497aes128-ctr,aes192-ctr,aes256-ctr, 498aes128-gcm@openssh.com,aes256-gcm@openssh.com 499.Ed 500.Pp 501The list of available ciphers may also be obtained using 502.Qq ssh -Q cipher . 503.It Cm ClientAliveCountMax 504Sets the number of client alive messages which may be sent without 505.Xr sshd 8 506receiving any messages back from the client. 507If this threshold is reached while client alive messages are being sent, 508sshd will disconnect the client, terminating the session. 509It is important to note that the use of client alive messages is very 510different from 511.Cm TCPKeepAlive . 512The client alive messages are sent through the encrypted channel 513and therefore will not be spoofable. 514The TCP keepalive option enabled by 515.Cm TCPKeepAlive 516is spoofable. 517The client alive mechanism is valuable when the client or 518server depend on knowing when a connection has become unresponsive. 519.Pp 520The default value is 3. 521If 522.Cm ClientAliveInterval 523is set to 15, and 524.Cm ClientAliveCountMax 525is left at the default, unresponsive SSH clients 526will be disconnected after approximately 45 seconds. 527Setting a zero 528.Cm ClientAliveCountMax 529disables connection termination. 530.It Cm ClientAliveInterval 531Sets a timeout interval in seconds after which if no data has been received 532from the client, 533.Xr sshd 8 534will send a message through the encrypted 535channel to request a response from the client. 536The default 537is 0, indicating that these messages will not be sent to the client. 538.It Cm Compression 539Specifies whether compression is enabled after 540the user has authenticated successfully. 541The argument must be 542.Cm yes , 543.Cm delayed 544(a legacy synonym for 545.Cm yes ) 546or 547.Cm no . 548The default is 549.Cm yes . 550.It Cm DenyGroups 551This keyword can be followed by a list of group name patterns, separated 552by spaces. 553Login is disallowed for users whose primary group or supplementary 554group list matches one of the patterns. 555Only group names are valid; a numerical group ID is not recognized. 556By default, login is allowed for all groups. 557The allow/deny groups directives are processed in the following order: 558.Cm DenyGroups , 559.Cm AllowGroups . 560.Pp 561See PATTERNS in 562.Xr ssh_config 5 563for more information on patterns. 564.It Cm DenyUsers 565This keyword can be followed by a list of user name patterns, separated 566by spaces. 567Login is disallowed for user names that match one of the patterns. 568Only user names are valid; a numerical user ID is not recognized. 569By default, login is allowed for all users. 570If the pattern takes the form USER@HOST then USER and HOST 571are separately checked, restricting logins to particular 572users from particular hosts. 573HOST criteria may additionally contain addresses to match in CIDR 574address/masklen format. 575The allow/deny users directives are processed in the following order: 576.Cm DenyUsers , 577.Cm AllowUsers . 578.Pp 579See PATTERNS in 580.Xr ssh_config 5 581for more information on patterns. 582.It Cm DisableForwarding 583Disables all forwarding features, including X11, 584.Xr ssh-agent 1 , 585TCP and StreamLocal. 586This option overrides all other forwarding-related options and may 587simplify restricted configurations. 588.It Cm ExposeAuthInfo 589Writes a temporary file containing a list of authentication methods and 590public credentials (e.g. keys) used to authenticate the user. 591The location of the file is exposed to the user session through the 592.Ev SSH_USER_AUTH 593environment variable. 594The default is 595.Cm no . 596.It Cm FingerprintHash 597Specifies the hash algorithm used when logging key fingerprints. 598Valid options are: 599.Cm md5 600and 601.Cm sha256 . 602The default is 603.Cm sha256 . 604.It Cm ForceCommand 605Forces the execution of the command specified by 606.Cm ForceCommand , 607ignoring any command supplied by the client and 608.Pa ~/.ssh/rc 609if present. 610The command is invoked by using the user's login shell with the -c option. 611This applies to shell, command, or subsystem execution. 612It is most useful inside a 613.Cm Match 614block. 615The command originally supplied by the client is available in the 616.Ev SSH_ORIGINAL_COMMAND 617environment variable. 618Specifying a command of 619.Cm internal-sftp 620will force the use of an in-process SFTP server that requires no support 621files when used with 622.Cm ChrootDirectory . 623The default is 624.Cm none . 625.It Cm GatewayPorts 626Specifies whether remote hosts are allowed to connect to ports 627forwarded for the client. 628By default, 629.Xr sshd 8 630binds remote port forwardings to the loopback address. 631This prevents other remote hosts from connecting to forwarded ports. 632.Cm GatewayPorts 633can be used to specify that sshd 634should allow remote port forwardings to bind to non-loopback addresses, thus 635allowing other hosts to connect. 636The argument may be 637.Cm no 638to force remote port forwardings to be available to the local host only, 639.Cm yes 640to force remote port forwardings to bind to the wildcard address, or 641.Cm clientspecified 642to allow the client to select the address to which the forwarding is bound. 643The default is 644.Cm no . 645.It Cm GSSAPIAuthentication 646Specifies whether user authentication based on GSSAPI is allowed. 647The default is 648.Cm no . 649.It Cm GSSAPICleanupCredentials 650Specifies whether to automatically destroy the user's credentials cache 651on logout. 652The default is 653.Cm yes . 654.It Cm GSSAPIStrictAcceptorCheck 655Determines whether to be strict about the identity of the GSSAPI acceptor 656a client authenticates against. 657If set to 658.Cm yes 659then the client must authenticate against the host 660service on the current hostname. 661If set to 662.Cm no 663then the client may authenticate against any service key stored in the 664machine's default store. 665This facility is provided to assist with operation on multi homed machines. 666The default is 667.Cm yes . 668.It Cm HostbasedAcceptedAlgorithms 669Specifies the signature algorithms that will be accepted for hostbased 670authentication as a list of comma-separated patterns. 671Alternately if the specified list begins with a 672.Sq + 673character, then the specified signature algorithms will be appended to 674the default set instead of replacing them. 675If the specified list begins with a 676.Sq - 677character, then the specified signature algorithms (including wildcards) 678will be removed from the default set instead of replacing them. 679If the specified list begins with a 680.Sq ^ 681character, then the specified signature algorithms will be placed at 682the head of the default set. 683The default for this option is: 684.Bd -literal -offset 3n 685ssh-ed25519-cert-v01@openssh.com, 686ecdsa-sha2-nistp256-cert-v01@openssh.com, 687ecdsa-sha2-nistp384-cert-v01@openssh.com, 688ecdsa-sha2-nistp521-cert-v01@openssh.com, 689sk-ssh-ed25519-cert-v01@openssh.com, 690sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, 691rsa-sha2-512-cert-v01@openssh.com, 692rsa-sha2-256-cert-v01@openssh.com, 693ssh-ed25519, 694ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 695sk-ssh-ed25519@openssh.com, 696sk-ecdsa-sha2-nistp256@openssh.com, 697rsa-sha2-512,rsa-sha2-256 698.Ed 699.Pp 700The list of available signature algorithms may also be obtained using 701.Qq ssh -Q HostbasedAcceptedAlgorithms . 702This was formerly named HostbasedAcceptedKeyTypes. 703.It Cm HostbasedAuthentication 704Specifies whether rhosts or /etc/hosts.equiv authentication together 705with successful public key client host authentication is allowed 706(host-based authentication). 707The default is 708.Cm no . 709.It Cm HostbasedUsesNameFromPacketOnly 710Specifies whether or not the server will attempt to perform a reverse 711name lookup when matching the name in the 712.Pa ~/.shosts , 713.Pa ~/.rhosts , 714and 715.Pa /etc/hosts.equiv 716files during 717.Cm HostbasedAuthentication . 718A setting of 719.Cm yes 720means that 721.Xr sshd 8 722uses the name supplied by the client rather than 723attempting to resolve the name from the TCP connection itself. 724The default is 725.Cm no . 726.It Cm HostCertificate 727Specifies a file containing a public host certificate. 728The certificate's public key must match a private host key already specified 729by 730.Cm HostKey . 731The default behaviour of 732.Xr sshd 8 733is not to load any certificates. 734.It Cm HostKey 735Specifies a file containing a private host key 736used by SSH. 737The defaults are 738.Pa /etc/ssh/ssh_host_ecdsa_key , 739.Pa /etc/ssh/ssh_host_ed25519_key 740and 741.Pa /etc/ssh/ssh_host_rsa_key . 742.Pp 743Note that 744.Xr sshd 8 745will refuse to use a file if it is group/world-accessible 746and that the 747.Cm HostKeyAlgorithms 748option restricts which of the keys are actually used by 749.Xr sshd 8 . 750.Pp 751It is possible to have multiple host key files. 752It is also possible to specify public host key files instead. 753In this case operations on the private key will be delegated 754to an 755.Xr ssh-agent 1 . 756.It Cm HostKeyAgent 757Identifies the UNIX-domain socket used to communicate 758with an agent that has access to the private host keys. 759If the string 760.Qq SSH_AUTH_SOCK 761is specified, the location of the socket will be read from the 762.Ev SSH_AUTH_SOCK 763environment variable. 764.It Cm HostKeyAlgorithms 765Specifies the host key signature algorithms 766that the server offers. 767The default for this option is: 768.Bd -literal -offset 3n 769ssh-ed25519-cert-v01@openssh.com, 770ecdsa-sha2-nistp256-cert-v01@openssh.com, 771ecdsa-sha2-nistp384-cert-v01@openssh.com, 772ecdsa-sha2-nistp521-cert-v01@openssh.com, 773sk-ssh-ed25519-cert-v01@openssh.com, 774sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, 775rsa-sha2-512-cert-v01@openssh.com, 776rsa-sha2-256-cert-v01@openssh.com, 777ssh-ed25519, 778ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 779sk-ssh-ed25519@openssh.com, 780sk-ecdsa-sha2-nistp256@openssh.com, 781rsa-sha2-512,rsa-sha2-256 782.Ed 783.Pp 784The list of available signature algorithms may also be obtained using 785.Qq ssh -Q HostKeyAlgorithms . 786.It Cm IgnoreRhosts 787Specifies whether to ignore per-user 788.Pa .rhosts 789and 790.Pa .shosts 791files during 792.Cm HostbasedAuthentication . 793The system-wide 794.Pa /etc/hosts.equiv 795and 796.Pa /etc/ssh/shosts.equiv 797are still used regardless of this setting. 798.Pp 799Accepted values are 800.Cm yes 801(the default) to ignore all per-user files, 802.Cm shosts-only 803to allow the use of 804.Pa .shosts 805but to ignore 806.Pa .rhosts 807or 808.Cm no 809to allow both 810.Pa .shosts 811and 812.Pa rhosts . 813.It Cm IgnoreUserKnownHosts 814Specifies whether 815.Xr sshd 8 816should ignore the user's 817.Pa ~/.ssh/known_hosts 818during 819.Cm HostbasedAuthentication 820and use only the system-wide known hosts file 821.Pa /etc/ssh/known_hosts . 822The default is 823.Dq no . 824.It Cm Include 825Include the specified configuration file(s). 826Multiple pathnames may be specified and each pathname may contain 827.Xr glob 7 828wildcards that will be expanded and processed in lexical order. 829Files without absolute paths are assumed to be in 830.Pa /etc/ssh . 831An 832.Cm Include 833directive may appear inside a 834.Cm Match 835block 836to perform conditional inclusion. 837.It Cm IPQoS 838Specifies the IPv4 type-of-service or DSCP class for the connection. 839Accepted values are 840.Cm af11 , 841.Cm af12 , 842.Cm af13 , 843.Cm af21 , 844.Cm af22 , 845.Cm af23 , 846.Cm af31 , 847.Cm af32 , 848.Cm af33 , 849.Cm af41 , 850.Cm af42 , 851.Cm af43 , 852.Cm cs0 , 853.Cm cs1 , 854.Cm cs2 , 855.Cm cs3 , 856.Cm cs4 , 857.Cm cs5 , 858.Cm cs6 , 859.Cm cs7 , 860.Cm ef , 861.Cm le , 862.Cm lowdelay , 863.Cm throughput , 864.Cm reliability , 865a numeric value, or 866.Cm none 867to use the operating system default. 868This option may take one or two arguments, separated by whitespace. 869If one argument is specified, it is used as the packet class unconditionally. 870If two values are specified, the first is automatically selected for 871interactive sessions and the second for non-interactive sessions. 872The default is 873.Cm af21 874(Low-Latency Data) 875for interactive sessions and 876.Cm cs1 877(Lower Effort) 878for non-interactive sessions. 879.It Cm KbdInteractiveAuthentication 880Specifies whether to allow keyboard-interactive authentication. 881All authentication styles from 882.Xr login.conf 5 883are supported. 884The default is 885.Cm yes . 886The argument to this keyword must be 887.Cm yes 888or 889.Cm no . 890.Cm ChallengeResponseAuthentication 891is a deprecated alias for this. 892.It Cm KerberosAuthentication 893Specifies whether the password provided by the user for 894.Cm PasswordAuthentication 895will be validated through the Kerberos KDC. 896To use this option, the server needs a 897Kerberos servtab which allows the verification of the KDC's identity. 898The default is 899.Cm no . 900.It Cm KerberosGetAFSToken 901If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire 902an AFS token before accessing the user's home directory. 903The default is 904.Cm no . 905.It Cm KerberosOrLocalPasswd 906If password authentication through Kerberos fails then 907the password will be validated via any additional local mechanism 908such as 909.Pa /etc/passwd . 910The default is 911.Cm yes . 912.It Cm KerberosTicketCleanup 913Specifies whether to automatically destroy the user's ticket cache 914file on logout. 915The default is 916.Cm yes . 917.It Cm KexAlgorithms 918Specifies the available KEX (Key Exchange) algorithms. 919Multiple algorithms must be comma-separated. 920Alternately if the specified list begins with a 921.Sq + 922character, then the specified algorithms will be appended to the default set 923instead of replacing them. 924If the specified list begins with a 925.Sq - 926character, then the specified algorithms (including wildcards) will be removed 927from the default set instead of replacing them. 928If the specified list begins with a 929.Sq ^ 930character, then the specified algorithms will be placed at the head of the 931default set. 932The supported algorithms are: 933.Pp 934.Bl -item -compact -offset indent 935.It 936curve25519-sha256 937.It 938curve25519-sha256@libssh.org 939.It 940diffie-hellman-group1-sha1 941.It 942diffie-hellman-group14-sha1 943.It 944diffie-hellman-group14-sha256 945.It 946diffie-hellman-group16-sha512 947.It 948diffie-hellman-group18-sha512 949.It 950diffie-hellman-group-exchange-sha1 951.It 952diffie-hellman-group-exchange-sha256 953.It 954ecdh-sha2-nistp256 955.It 956ecdh-sha2-nistp384 957.It 958ecdh-sha2-nistp521 959.It 960sntrup761x25519-sha512@openssh.com 961.El 962.Pp 963The default is: 964.Bd -literal -offset indent 965curve25519-sha256,curve25519-sha256@libssh.org, 966ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 967diffie-hellman-group-exchange-sha256, 968diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, 969diffie-hellman-group14-sha256 970.Ed 971.Pp 972The list of available key exchange algorithms may also be obtained using 973.Qq ssh -Q KexAlgorithms . 974.It Cm ListenAddress 975Specifies the local addresses 976.Xr sshd 8 977should listen on. 978The following forms may be used: 979.Pp 980.Bl -item -offset indent -compact 981.It 982.Cm ListenAddress 983.Sm off 984.Ar hostname | address 985.Sm on 986.Op Cm rdomain Ar domain 987.It 988.Cm ListenAddress 989.Sm off 990.Ar hostname : port 991.Sm on 992.Op Cm rdomain Ar domain 993.It 994.Cm ListenAddress 995.Sm off 996.Ar IPv4_address : port 997.Sm on 998.Op Cm rdomain Ar domain 999.It 1000.Cm ListenAddress 1001.Sm off 1002.Oo Ar hostname | address Oc : Ar port 1003.Sm on 1004.Op Cm rdomain Ar domain 1005.El 1006.Pp 1007The optional 1008.Cm rdomain 1009qualifier requests 1010.Xr sshd 8 1011listen in an explicit routing domain. 1012If 1013.Ar port 1014is not specified, 1015sshd will listen on the address and all 1016.Cm Port 1017options specified. 1018The default is to listen on all local addresses on the current default 1019routing domain. 1020Multiple 1021.Cm ListenAddress 1022options are permitted. 1023For more information on routing domains, see 1024.Xr rdomain 4 . 1025.It Cm LoginGraceTime 1026The server disconnects after this time if the user has not 1027successfully logged in. 1028If the value is 0, there is no time limit. 1029The default is 120 seconds. 1030.It Cm LogLevel 1031Gives the verbosity level that is used when logging messages from 1032.Xr sshd 8 . 1033The possible values are: 1034QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. 1035The default is INFO. 1036DEBUG and DEBUG1 are equivalent. 1037DEBUG2 and DEBUG3 each specify higher levels of debugging output. 1038Logging with a DEBUG level violates the privacy of users and is not recommended. 1039.It Cm LogVerbose 1040Specify one or more overrides to LogLevel. 1041An override consists of a pattern lists that matches the source file, function 1042and line number to force detailed logging for. 1043For example, an override pattern of: 1044.Bd -literal -offset indent 1045kex.c:*:1000,*:kex_exchange_identification():*,packet.c:* 1046.Ed 1047.Pp 1048would enable detailed logging for line 1000 of 1049.Pa kex.c , 1050everything in the 1051.Fn kex_exchange_identification 1052function, and all code in the 1053.Pa packet.c 1054file. 1055This option is intended for debugging and no overrides are enabled by default. 1056.It Cm MACs 1057Specifies the available MAC (message authentication code) algorithms. 1058The MAC algorithm is used for data integrity protection. 1059Multiple algorithms must be comma-separated. 1060If the specified list begins with a 1061.Sq + 1062character, then the specified algorithms will be appended to the default set 1063instead of replacing them. 1064If the specified list begins with a 1065.Sq - 1066character, then the specified algorithms (including wildcards) will be removed 1067from the default set instead of replacing them. 1068If the specified list begins with a 1069.Sq ^ 1070character, then the specified algorithms will be placed at the head of the 1071default set. 1072.Pp 1073The algorithms that contain 1074.Qq -etm 1075calculate the MAC after encryption (encrypt-then-mac). 1076These are considered safer and their use recommended. 1077The supported MACs are: 1078.Pp 1079.Bl -item -compact -offset indent 1080.It 1081hmac-md5 1082.It 1083hmac-md5-96 1084.It 1085hmac-sha1 1086.It 1087hmac-sha1-96 1088.It 1089hmac-sha2-256 1090.It 1091hmac-sha2-512 1092.It 1093umac-64@openssh.com 1094.It 1095umac-128@openssh.com 1096.It 1097hmac-md5-etm@openssh.com 1098.It 1099hmac-md5-96-etm@openssh.com 1100.It 1101hmac-sha1-etm@openssh.com 1102.It 1103hmac-sha1-96-etm@openssh.com 1104.It 1105hmac-sha2-256-etm@openssh.com 1106.It 1107hmac-sha2-512-etm@openssh.com 1108.It 1109umac-64-etm@openssh.com 1110.It 1111umac-128-etm@openssh.com 1112.El 1113.Pp 1114The default is: 1115.Bd -literal -offset indent 1116umac-64-etm@openssh.com,umac-128-etm@openssh.com, 1117hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 1118hmac-sha1-etm@openssh.com, 1119umac-64@openssh.com,umac-128@openssh.com, 1120hmac-sha2-256,hmac-sha2-512,hmac-sha1 1121.Ed 1122.Pp 1123The list of available MAC algorithms may also be obtained using 1124.Qq ssh -Q mac . 1125.It Cm Match 1126Introduces a conditional block. 1127If all of the criteria on the 1128.Cm Match 1129line are satisfied, the keywords on the following lines override those 1130set in the global section of the config file, until either another 1131.Cm Match 1132line or the end of the file. 1133If a keyword appears in multiple 1134.Cm Match 1135blocks that are satisfied, only the first instance of the keyword is 1136applied. 1137.Pp 1138The arguments to 1139.Cm Match 1140are one or more criteria-pattern pairs or the single token 1141.Cm All 1142which matches all criteria. 1143The available criteria are 1144.Cm User , 1145.Cm Group , 1146.Cm Host , 1147.Cm LocalAddress , 1148.Cm LocalPort , 1149.Cm RDomain , 1150and 1151.Cm Address 1152(with 1153.Cm RDomain 1154representing the 1155.Xr rdomain 4 1156on which the connection was received). 1157.Pp 1158The match patterns may consist of single entries or comma-separated 1159lists and may use the wildcard and negation operators described in the 1160.Sx PATTERNS 1161section of 1162.Xr ssh_config 5 . 1163.Pp 1164The patterns in an 1165.Cm Address 1166criteria may additionally contain addresses to match in CIDR 1167address/masklen format, 1168such as 192.0.2.0/24 or 2001:db8::/32. 1169Note that the mask length provided must be consistent with the address - 1170it is an error to specify a mask length that is too long for the address 1171or one with bits set in this host portion of the address. 1172For example, 192.0.2.0/33 and 192.0.2.0/8, respectively. 1173.Pp 1174Only a subset of keywords may be used on the lines following a 1175.Cm Match 1176keyword. 1177Available keywords are 1178.Cm AcceptEnv , 1179.Cm AllowAgentForwarding , 1180.Cm AllowGroups , 1181.Cm AllowStreamLocalForwarding , 1182.Cm AllowTcpForwarding , 1183.Cm AllowUsers , 1184.Cm AuthenticationMethods , 1185.Cm AuthorizedKeysCommand , 1186.Cm AuthorizedKeysCommandUser , 1187.Cm AuthorizedKeysFile , 1188.Cm AuthorizedPrincipalsCommand , 1189.Cm AuthorizedPrincipalsCommandUser , 1190.Cm AuthorizedPrincipalsFile , 1191.Cm Banner , 1192.Cm ChrootDirectory , 1193.Cm ClientAliveCountMax , 1194.Cm ClientAliveInterval , 1195.Cm DenyGroups , 1196.Cm DenyUsers , 1197.Cm DisableForwarding , 1198.Cm ForceCommand , 1199.Cm GatewayPorts , 1200.Cm GSSAPIAuthentication , 1201.Cm HostbasedAcceptedAlgorithms , 1202.Cm HostbasedAuthentication , 1203.Cm HostbasedUsesNameFromPacketOnly , 1204.Cm IgnoreRhosts , 1205.Cm Include , 1206.Cm IPQoS , 1207.Cm KbdInteractiveAuthentication , 1208.Cm KerberosAuthentication , 1209.Cm LogLevel , 1210.Cm MaxAuthTries , 1211.Cm MaxSessions , 1212.Cm PasswordAuthentication , 1213.Cm PermitEmptyPasswords , 1214.Cm PermitListen , 1215.Cm PermitOpen , 1216.Cm PermitRootLogin , 1217.Cm PermitTTY , 1218.Cm PermitTunnel , 1219.Cm PermitUserRC , 1220.Cm PubkeyAcceptedAlgorithms , 1221.Cm PubkeyAuthentication , 1222.Cm RekeyLimit , 1223.Cm RevokedKeys , 1224.Cm RDomain , 1225.Cm SetEnv , 1226.Cm StreamLocalBindMask , 1227.Cm StreamLocalBindUnlink , 1228.Cm TrustedUserCAKeys , 1229.Cm X11DisplayOffset , 1230.Cm X11Forwarding 1231and 1232.Cm X11UseLocalhost . 1233.It Cm MaxAuthTries 1234Specifies the maximum number of authentication attempts permitted per 1235connection. 1236Once the number of failures reaches half this value, 1237additional failures are logged. 1238The default is 6. 1239.It Cm MaxSessions 1240Specifies the maximum number of open shell, login or subsystem (e.g. sftp) 1241sessions permitted per network connection. 1242Multiple sessions may be established by clients that support connection 1243multiplexing. 1244Setting 1245.Cm MaxSessions 1246to 1 will effectively disable session multiplexing, whereas setting it to 0 1247will prevent all shell, login and subsystem sessions while still permitting 1248forwarding. 1249The default is 10. 1250.It Cm MaxStartups 1251Specifies the maximum number of concurrent unauthenticated connections to the 1252SSH daemon. 1253Additional connections will be dropped until authentication succeeds or the 1254.Cm LoginGraceTime 1255expires for a connection. 1256The default is 10:30:100. 1257.Pp 1258Alternatively, random early drop can be enabled by specifying 1259the three colon separated values 1260start:rate:full (e.g. "10:30:60"). 1261.Xr sshd 8 1262will refuse connection attempts with a probability of rate/100 (30%) 1263if there are currently start (10) unauthenticated connections. 1264The probability increases linearly and all connection attempts 1265are refused if the number of unauthenticated connections reaches full (60). 1266.It Cm ModuliFile 1267Specifies the 1268.Xr moduli 5 1269file that contains the Diffie-Hellman groups used for the 1270.Dq diffie-hellman-group-exchange-sha1 1271and 1272.Dq diffie-hellman-group-exchange-sha256 1273key exchange methods. 1274The default is 1275.Pa /etc/moduli . 1276.It Cm PasswordAuthentication 1277Specifies whether password authentication is allowed. 1278See also 1279.Cm UsePAM . 1280The default is 1281.Cm no . 1282.It Cm PermitEmptyPasswords 1283When password authentication is allowed, it specifies whether the 1284server allows login to accounts with empty password strings. 1285The default is 1286.Cm no . 1287.It Cm PermitListen 1288Specifies the addresses/ports on which a remote TCP port forwarding may listen. 1289The listen specification must be one of the following forms: 1290.Pp 1291.Bl -item -offset indent -compact 1292.It 1293.Cm PermitListen 1294.Sm off 1295.Ar port 1296.Sm on 1297.It 1298.Cm PermitListen 1299.Sm off 1300.Ar host : port 1301.Sm on 1302.El 1303.Pp 1304Multiple permissions may be specified by separating them with whitespace. 1305An argument of 1306.Cm any 1307can be used to remove all restrictions and permit any listen requests. 1308An argument of 1309.Cm none 1310can be used to prohibit all listen requests. 1311The host name may contain wildcards as described in the PATTERNS section in 1312.Xr ssh_config 5 . 1313The wildcard 1314.Sq * 1315can also be used in place of a port number to allow all ports. 1316By default all port forwarding listen requests are permitted. 1317Note that the 1318.Cm GatewayPorts 1319option may further restrict which addresses may be listened on. 1320Note also that 1321.Xr ssh 1 1322will request a listen host of 1323.Dq localhost 1324if no listen host was specifically requested, and this name is 1325treated differently to explicit localhost addresses of 1326.Dq 127.0.0.1 1327and 1328.Dq ::1 . 1329.It Cm PermitOpen 1330Specifies the destinations to which TCP port forwarding is permitted. 1331The forwarding specification must be one of the following forms: 1332.Pp 1333.Bl -item -offset indent -compact 1334.It 1335.Cm PermitOpen 1336.Sm off 1337.Ar host : port 1338.Sm on 1339.It 1340.Cm PermitOpen 1341.Sm off 1342.Ar IPv4_addr : port 1343.Sm on 1344.It 1345.Cm PermitOpen 1346.Sm off 1347.Ar \&[ IPv6_addr \&] : port 1348.Sm on 1349.El 1350.Pp 1351Multiple forwards may be specified by separating them with whitespace. 1352An argument of 1353.Cm any 1354can be used to remove all restrictions and permit any forwarding requests. 1355An argument of 1356.Cm none 1357can be used to prohibit all forwarding requests. 1358The wildcard 1359.Sq * 1360can be used for host or port to allow all hosts or ports respectively. 1361Otherwise, no pattern matching or address lookups are performed on supplied 1362names. 1363By default all port forwarding requests are permitted. 1364.It Cm PermitRootLogin 1365Specifies whether root can log in using 1366.Xr ssh 1 . 1367The argument must be 1368.Cm yes , 1369.Cm prohibit-password , 1370.Cm forced-commands-only , 1371or 1372.Cm no . 1373The default is 1374.Cm no . 1375Note that if 1376.Cm ChallengeResponseAuthentication 1377and 1378.Cm UsePAM 1379are both 1380.Cm yes , 1381this setting may be overridden by the PAM policy. 1382.Pp 1383If this option is set to 1384.Cm prohibit-password 1385(or its deprecated alias, 1386.Cm without-password ) , 1387password and keyboard-interactive authentication are disabled for root. 1388.Pp 1389If this option is set to 1390.Cm forced-commands-only , 1391root login with public key authentication will be allowed, 1392but only if the 1393.Ar command 1394option has been specified 1395(which may be useful for taking remote backups even if root login is 1396normally not allowed). 1397All other authentication methods are disabled for root. 1398.Pp 1399If this option is set to 1400.Cm no , 1401root is not allowed to log in. 1402.It Cm PermitTTY 1403Specifies whether 1404.Xr pty 4 1405allocation is permitted. 1406The default is 1407.Cm yes . 1408.It Cm PermitTunnel 1409Specifies whether 1410.Xr tun 4 1411device forwarding is allowed. 1412The argument must be 1413.Cm yes , 1414.Cm point-to-point 1415(layer 3), 1416.Cm ethernet 1417(layer 2), or 1418.Cm no . 1419Specifying 1420.Cm yes 1421permits both 1422.Cm point-to-point 1423and 1424.Cm ethernet . 1425The default is 1426.Cm no . 1427.Pp 1428Independent of this setting, the permissions of the selected 1429.Xr tun 4 1430device must allow access to the user. 1431.It Cm PermitUserEnvironment 1432Specifies whether 1433.Pa ~/.ssh/environment 1434and 1435.Cm environment= 1436options in 1437.Pa ~/.ssh/authorized_keys 1438are processed by 1439.Xr sshd 8 . 1440Valid options are 1441.Cm yes , 1442.Cm no 1443or a pattern-list specifying which environment variable names to accept 1444(for example 1445.Qq LANG,LC_* ) . 1446The default is 1447.Cm no . 1448Enabling environment processing may enable users to bypass access 1449restrictions in some configurations using mechanisms such as 1450.Ev LD_PRELOAD . 1451.It Cm PermitUserRC 1452Specifies whether any 1453.Pa ~/.ssh/rc 1454file is executed. 1455The default is 1456.Cm yes . 1457.It Cm PerSourceMaxStartups 1458Specifies the number of unauthenticated connections allowed from a 1459given source address, or 1460.Dq none 1461if there is no limit. 1462This limit is applied in addition to 1463.Cm MaxStartups , 1464whichever is lower. 1465The default is 1466.Cm none . 1467.It Cm PerSourceNetBlockSize 1468Specifies the number of bits of source address that are grouped together 1469for the purposes of applying PerSourceMaxStartups limits. 1470Values for IPv4 and optionally IPv6 may be specified, separated by a colon. 1471The default is 1472.Cm 32:128 , 1473which means each address is considered individually. 1474.It Cm PidFile 1475Specifies the file that contains the process ID of the 1476SSH daemon, or 1477.Cm none 1478to not write one. 1479The default is 1480.Pa /var/run/sshd.pid . 1481.It Cm Port 1482Specifies the port number that 1483.Xr sshd 8 1484listens on. 1485The default is 22. 1486Multiple options of this type are permitted. 1487See also 1488.Cm ListenAddress . 1489.It Cm PrintLastLog 1490Specifies whether 1491.Xr sshd 8 1492should print the date and time of the last user login when a user logs 1493in interactively. 1494The default is 1495.Cm yes . 1496.It Cm PrintMotd 1497Specifies whether 1498.Xr sshd 8 1499should print 1500.Pa /etc/motd 1501when a user logs in interactively. 1502(On some systems it is also printed by the shell, 1503.Pa /etc/profile , 1504or equivalent.) 1505The default is 1506.Cm yes . 1507.It Cm PubkeyAcceptedAlgorithms 1508Specifies the signature algorithms that will be accepted for public key 1509authentication as a list of comma-separated patterns. 1510Alternately if the specified list begins with a 1511.Sq + 1512character, then the specified algorithms will be appended to the default set 1513instead of replacing them. 1514If the specified list begins with a 1515.Sq - 1516character, then the specified algorithms (including wildcards) will be removed 1517from the default set instead of replacing them. 1518If the specified list begins with a 1519.Sq ^ 1520character, then the specified algorithms will be placed at the head of the 1521default set. 1522The default for this option is: 1523.Bd -literal -offset 3n 1524ssh-ed25519-cert-v01@openssh.com, 1525ecdsa-sha2-nistp256-cert-v01@openssh.com, 1526ecdsa-sha2-nistp384-cert-v01@openssh.com, 1527ecdsa-sha2-nistp521-cert-v01@openssh.com, 1528sk-ssh-ed25519-cert-v01@openssh.com, 1529sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, 1530rsa-sha2-512-cert-v01@openssh.com, 1531rsa-sha2-256-cert-v01@openssh.com, 1532ssh-ed25519, 1533ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 1534sk-ssh-ed25519@openssh.com, 1535sk-ecdsa-sha2-nistp256@openssh.com, 1536rsa-sha2-512,rsa-sha2-256 1537.Ed 1538.Pp 1539The list of available signature algorithms may also be obtained using 1540.Qq ssh -Q PubkeyAcceptedAlgorithms . 1541.It Cm PubkeyAuthOptions 1542Sets one or more public key authentication options. 1543The supported keywords are: 1544.Cm none 1545(the default; indicating no additional options are enabled), 1546.Cm touch-required 1547and 1548.Cm verify-required . 1549.Pp 1550The 1551.Cm touch-required 1552option causes public key authentication using a FIDO authenticator algorithm 1553(i.e.\& 1554.Cm ecdsa-sk 1555or 1556.Cm ed25519-sk ) 1557to always require the signature to attest that a physically present user 1558explicitly confirmed the authentication (usually by touching the authenticator). 1559By default, 1560.Xr sshd 8 1561requires user presence unless overridden with an authorized_keys option. 1562The 1563.Cm touch-required 1564flag disables this override. 1565.Pp 1566The 1567.Cm verify-required 1568option requires a FIDO key signature attest that the user was verified, 1569e.g. via a PIN. 1570.Pp 1571Neither the 1572.Cm touch-required 1573or 1574.Cm verify-required 1575options have any effect for other, non-FIDO, public key types. 1576.It Cm PubkeyAuthentication 1577Specifies whether public key authentication is allowed. 1578The default is 1579.Cm yes . 1580.It Cm RekeyLimit 1581Specifies the maximum amount of data that may be transmitted before the 1582session key is renegotiated, optionally followed by a maximum amount of 1583time that may pass before the session key is renegotiated. 1584The first argument is specified in bytes and may have a suffix of 1585.Sq K , 1586.Sq M , 1587or 1588.Sq G 1589to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 1590The default is between 1591.Sq 1G 1592and 1593.Sq 4G , 1594depending on the cipher. 1595The optional second value is specified in seconds and may use any of the 1596units documented in the 1597.Sx TIME FORMATS 1598section. 1599The default value for 1600.Cm RekeyLimit 1601is 1602.Cm default none , 1603which means that rekeying is performed after the cipher's default amount 1604of data has been sent or received and no time based rekeying is done. 1605.It Cm RevokedKeys 1606Specifies revoked public keys file, or 1607.Cm none 1608to not use one. 1609Keys listed in this file will be refused for public key authentication. 1610Note that if this file is not readable, then public key authentication will 1611be refused for all users. 1612Keys may be specified as a text file, listing one public key per line, or as 1613an OpenSSH Key Revocation List (KRL) as generated by 1614.Xr ssh-keygen 1 . 1615For more information on KRLs, see the KEY REVOCATION LISTS section in 1616.Xr ssh-keygen 1 . 1617.It Cm RDomain 1618Specifies an explicit routing domain that is applied after authentication 1619has completed. 1620The user session, as well as any forwarded or listening IP sockets, 1621will be bound to this 1622.Xr rdomain 4 . 1623If the routing domain is set to 1624.Cm \&%D , 1625then the domain in which the incoming connection was received will be applied. 1626.It Cm SecurityKeyProvider 1627Specifies a path to a library that will be used when loading 1628FIDO authenticator-hosted keys, overriding the default of using 1629the built-in USB HID support. 1630.It Cm SetEnv 1631Specifies one or more environment variables to set in child sessions started 1632by 1633.Xr sshd 8 1634as 1635.Dq NAME=VALUE . 1636The environment value may be quoted (e.g. if it contains whitespace 1637characters). 1638Environment variables set by 1639.Cm SetEnv 1640override the default environment and any variables specified by the user 1641via 1642.Cm AcceptEnv 1643or 1644.Cm PermitUserEnvironment . 1645.It Cm StreamLocalBindMask 1646Sets the octal file creation mode mask 1647.Pq umask 1648used when creating a Unix-domain socket file for local or remote 1649port forwarding. 1650This option is only used for port forwarding to a Unix-domain socket file. 1651.Pp 1652The default value is 0177, which creates a Unix-domain socket file that is 1653readable and writable only by the owner. 1654Note that not all operating systems honor the file mode on Unix-domain 1655socket files. 1656.It Cm StreamLocalBindUnlink 1657Specifies whether to remove an existing Unix-domain socket file for local 1658or remote port forwarding before creating a new one. 1659If the socket file already exists and 1660.Cm StreamLocalBindUnlink 1661is not enabled, 1662.Nm sshd 1663will be unable to forward the port to the Unix-domain socket file. 1664This option is only used for port forwarding to a Unix-domain socket file. 1665.Pp 1666The argument must be 1667.Cm yes 1668or 1669.Cm no . 1670The default is 1671.Cm no . 1672.It Cm StrictModes 1673Specifies whether 1674.Xr sshd 8 1675should check file modes and ownership of the 1676user's files and home directory before accepting login. 1677This is normally desirable because novices sometimes accidentally leave their 1678directory or files world-writable. 1679The default is 1680.Cm yes . 1681Note that this does not apply to 1682.Cm ChrootDirectory , 1683whose permissions and ownership are checked unconditionally. 1684.It Cm Subsystem 1685Configures an external subsystem (e.g. file transfer daemon). 1686Arguments should be a subsystem name and a command (with optional arguments) 1687to execute upon subsystem request. 1688.Pp 1689The command 1690.Cm sftp-server 1691implements the SFTP file transfer subsystem. 1692.Pp 1693Alternately the name 1694.Cm internal-sftp 1695implements an in-process SFTP server. 1696This may simplify configurations using 1697.Cm ChrootDirectory 1698to force a different filesystem root on clients. 1699.Pp 1700By default no subsystems are defined. 1701.It Cm SyslogFacility 1702Gives the facility code that is used when logging messages from 1703.Xr sshd 8 . 1704The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 1705LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 1706The default is AUTH. 1707.It Cm TCPKeepAlive 1708Specifies whether the system should send TCP keepalive messages to the 1709other side. 1710If they are sent, death of the connection or crash of one 1711of the machines will be properly noticed. 1712However, this means that 1713connections will die if the route is down temporarily, and some people 1714find it annoying. 1715On the other hand, if TCP keepalives are not sent, 1716sessions may hang indefinitely on the server, leaving 1717.Qq ghost 1718users and consuming server resources. 1719.Pp 1720The default is 1721.Cm yes 1722(to send TCP keepalive messages), and the server will notice 1723if the network goes down or the client host crashes. 1724This avoids infinitely hanging sessions. 1725.Pp 1726To disable TCP keepalive messages, the value should be set to 1727.Cm no . 1728.It Cm TrustedUserCAKeys 1729Specifies a file containing public keys of certificate authorities that are 1730trusted to sign user certificates for authentication, or 1731.Cm none 1732to not use one. 1733Keys are listed one per line; empty lines and comments starting with 1734.Ql # 1735are allowed. 1736If a certificate is presented for authentication and has its signing CA key 1737listed in this file, then it may be used for authentication for any user 1738listed in the certificate's principals list. 1739Note that certificates that lack a list of principals will not be permitted 1740for authentication using 1741.Cm TrustedUserCAKeys . 1742For more details on certificates, see the CERTIFICATES section in 1743.Xr ssh-keygen 1 . 1744.It Cm UseBlacklist 1745Specifies whether 1746.Xr sshd 8 1747attempts to send authentication success and failure messages 1748to the 1749.Xr blacklistd 8 1750daemon. 1751The default is 1752.Cm no . 1753For forward compatibility with an upcoming 1754.Xr blacklistd 1755rename, the 1756.Cm UseBlocklist 1757alias can be used instead. 1758.It Cm UseDNS 1759Specifies whether 1760.Xr sshd 8 1761should look up the remote host name, and to check that 1762the resolved host name for the remote IP address maps back to the 1763very same IP address. 1764.Pp 1765If this option is set to 1766.Cm no , 1767then only addresses and not host names may be used in 1768.Pa ~/.ssh/authorized_keys 1769.Cm from 1770and 1771.Nm 1772.Cm Match 1773.Cm Host 1774directives. 1775The default is 1776.Dq yes . 1777.It Cm UsePAM 1778Enables the Pluggable Authentication Module interface. 1779If set to 1780.Cm yes 1781this will enable PAM authentication using 1782.Cm KbdInteractiveAuthentication 1783and 1784.Cm PasswordAuthentication 1785in addition to PAM account and session module processing for all 1786authentication types. 1787.Pp 1788Because PAM keyboard-interactive authentication usually serves an equivalent 1789role to password authentication, you should disable either 1790.Cm PasswordAuthentication 1791or 1792.Cm KbdInteractiveAuthentication . 1793.Pp 1794If 1795.Cm UsePAM 1796is enabled, you will not be able to run 1797.Xr sshd 8 1798as a non-root user. 1799The default is 1800.Cm yes . 1801.It Cm VersionAddendum 1802Optionally specifies additional text to append to the SSH protocol banner 1803sent by the server upon connection. 1804The default is 1805.Qq FreeBSD-20211221 . 1806The value 1807.Cm none 1808may be used to disable this. 1809.It Cm X11DisplayOffset 1810Specifies the first display number available for 1811.Xr sshd 8 Ns 's 1812X11 forwarding. 1813This prevents sshd from interfering with real X11 servers. 1814The default is 10. 1815.It Cm X11Forwarding 1816Specifies whether X11 forwarding is permitted. 1817The argument must be 1818.Cm yes 1819or 1820.Cm no . 1821The default is 1822.Cm yes . 1823.Pp 1824When X11 forwarding is enabled, there may be additional exposure to 1825the server and to client displays if the 1826.Xr sshd 8 1827proxy display is configured to listen on the wildcard address (see 1828.Cm X11UseLocalhost ) , 1829though this is not the default. 1830Additionally, the authentication spoofing and authentication data 1831verification and substitution occur on the client side. 1832The security risk of using X11 forwarding is that the client's X11 1833display server may be exposed to attack when the SSH client requests 1834forwarding (see the warnings for 1835.Cm ForwardX11 1836in 1837.Xr ssh_config 5 ) . 1838A system administrator may have a stance in which they want to 1839protect clients that may expose themselves to attack by unwittingly 1840requesting X11 forwarding, which can warrant a 1841.Cm no 1842setting. 1843.Pp 1844Note that disabling X11 forwarding does not prevent users from 1845forwarding X11 traffic, as users can always install their own forwarders. 1846.It Cm X11UseLocalhost 1847Specifies whether 1848.Xr sshd 8 1849should bind the X11 forwarding server to the loopback address or to 1850the wildcard address. 1851By default, 1852sshd binds the forwarding server to the loopback address and sets the 1853hostname part of the 1854.Ev DISPLAY 1855environment variable to 1856.Cm localhost . 1857This prevents remote hosts from connecting to the proxy display. 1858However, some older X11 clients may not function with this 1859configuration. 1860.Cm X11UseLocalhost 1861may be set to 1862.Cm no 1863to specify that the forwarding server should be bound to the wildcard 1864address. 1865The argument must be 1866.Cm yes 1867or 1868.Cm no . 1869The default is 1870.Cm yes . 1871.It Cm XAuthLocation 1872Specifies the full pathname of the 1873.Xr xauth 1 1874program, or 1875.Cm none 1876to not use one. 1877The default is 1878.Pa /usr/local/bin/xauth . 1879.El 1880.Sh TIME FORMATS 1881.Xr sshd 8 1882command-line arguments and configuration file options that specify time 1883may be expressed using a sequence of the form: 1884.Sm off 1885.Ar time Op Ar qualifier , 1886.Sm on 1887where 1888.Ar time 1889is a positive integer value and 1890.Ar qualifier 1891is one of the following: 1892.Pp 1893.Bl -tag -width Ds -compact -offset indent 1894.It Aq Cm none 1895seconds 1896.It Cm s | Cm S 1897seconds 1898.It Cm m | Cm M 1899minutes 1900.It Cm h | Cm H 1901hours 1902.It Cm d | Cm D 1903days 1904.It Cm w | Cm W 1905weeks 1906.El 1907.Pp 1908Each member of the sequence is added together to calculate 1909the total time value. 1910.Pp 1911Time format examples: 1912.Pp 1913.Bl -tag -width Ds -compact -offset indent 1914.It 600 1915600 seconds (10 minutes) 1916.It 10m 191710 minutes 1918.It 1h30m 19191 hour 30 minutes (90 minutes) 1920.El 1921.Sh TOKENS 1922Arguments to some keywords can make use of tokens, 1923which are expanded at runtime: 1924.Pp 1925.Bl -tag -width XXXX -offset indent -compact 1926.It %% 1927A literal 1928.Sq % . 1929.It \&%D 1930The routing domain in which the incoming connection was received. 1931.It %F 1932The fingerprint of the CA key. 1933.It %f 1934The fingerprint of the key or certificate. 1935.It %h 1936The home directory of the user. 1937.It %i 1938The key ID in the certificate. 1939.It %K 1940The base64-encoded CA key. 1941.It %k 1942The base64-encoded key or certificate for authentication. 1943.It %s 1944The serial number of the certificate. 1945.It \&%T 1946The type of the CA key. 1947.It %t 1948The key or certificate type. 1949.It \&%U 1950The numeric user ID of the target user. 1951.It %u 1952The username. 1953.El 1954.Pp 1955.Cm AuthorizedKeysCommand 1956accepts the tokens %%, %f, %h, %k, %t, %U, and %u. 1957.Pp 1958.Cm AuthorizedKeysFile 1959accepts the tokens %%, %h, %U, and %u. 1960.Pp 1961.Cm AuthorizedPrincipalsCommand 1962accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u. 1963.Pp 1964.Cm AuthorizedPrincipalsFile 1965accepts the tokens %%, %h, %U, and %u. 1966.Pp 1967.Cm ChrootDirectory 1968accepts the tokens %%, %h, %U, and %u. 1969.Pp 1970.Cm RoutingDomain 1971accepts the token %D. 1972.Sh FILES 1973.Bl -tag -width Ds 1974.It Pa /etc/ssh/sshd_config 1975Contains configuration data for 1976.Xr sshd 8 . 1977This file should be writable by root only, but it is recommended 1978(though not necessary) that it be world-readable. 1979.El 1980.Sh SEE ALSO 1981.Xr sftp-server 8 , 1982.Xr sshd 8 1983.Sh AUTHORS 1984.An -nosplit 1985OpenSSH is a derivative of the original and free 1986ssh 1.2.12 release by 1987.An Tatu Ylonen . 1988.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos , 1989.An Theo de Raadt 1990and 1991.An Dug Song 1992removed many bugs, re-added newer features and 1993created OpenSSH. 1994.An Markus Friedl 1995contributed the support for SSH protocol versions 1.5 and 2.0. 1996.An Niels Provos 1997and 1998.An Markus Friedl 1999contributed support for privilege separation. 2000