xref: /freebsd/crypto/openssh/sshd_config.5 (revision 6ae1554a5d9b318f8ad53ccc39fa5a961403da73)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $
37.\" $FreeBSD$
38.Dd March 22, 2015
39.Dt SSHD_CONFIG 5
40.Os
41.Sh NAME
42.Nm sshd_config
43.Nd OpenSSH SSH daemon configuration file
44.Sh SYNOPSIS
45.Nm /etc/ssh/sshd_config
46.Sh DESCRIPTION
47.Xr sshd 8
48reads configuration data from
49.Pa /etc/ssh/sshd_config
50(or the file specified with
51.Fl f
52on the command line).
53The file contains keyword-argument pairs, one per line.
54Lines starting with
55.Ql #
56and empty lines are interpreted as comments.
57Arguments may optionally be enclosed in double quotes
58.Pq \&"
59in order to represent arguments containing spaces.
60.Pp
61The possible
62keywords and their meanings are as follows (note that
63keywords are case-insensitive and arguments are case-sensitive):
64.Bl -tag -width Ds
65.It Cm AcceptEnv
66Specifies what environment variables sent by the client will be copied into
67the session's
68.Xr environ 7 .
69See
70.Cm SendEnv
71in
72.Xr ssh_config 5
73for how to configure the client.
74Note that environment passing is only supported for protocol 2.
75Variables are specified by name, which may contain the wildcard characters
76.Ql *
77and
78.Ql \&? .
79Multiple environment variables may be separated by whitespace or spread
80across multiple
81.Cm AcceptEnv
82directives.
83Be warned that some environment variables could be used to bypass restricted
84user environments.
85For this reason, care should be taken in the use of this directive.
86The default is not to accept any environment variables.
87.It Cm AddressFamily
88Specifies which address family should be used by
89.Xr sshd 8 .
90Valid arguments are
91.Dq any ,
92.Dq inet
93(use IPv4 only), or
94.Dq inet6
95(use IPv6 only).
96The default is
97.Dq any .
98.It Cm AllowAgentForwarding
99Specifies whether
100.Xr ssh-agent 1
101forwarding is permitted.
102The default is
103.Dq yes .
104Note that disabling agent forwarding does not improve security
105unless users are also denied shell access, as they can always install
106their own forwarders.
107.It Cm AllowGroups
108This keyword can be followed by a list of group name patterns, separated
109by spaces.
110If specified, login is allowed only for users whose primary
111group or supplementary group list matches one of the patterns.
112Only group names are valid; a numerical group ID is not recognized.
113By default, login is allowed for all groups.
114The allow/deny directives are processed in the following order:
115.Cm DenyUsers ,
116.Cm AllowUsers ,
117.Cm DenyGroups ,
118and finally
119.Cm AllowGroups .
120.Pp
121See PATTERNS in
122.Xr ssh_config 5
123for more information on patterns.
124.It Cm AllowTcpForwarding
125Specifies whether TCP forwarding is permitted.
126The available options are
127.Dq yes
128or
129.Dq all
130to allow TCP forwarding,
131.Dq no
132to prevent all TCP forwarding,
133.Dq local
134to allow local (from the perspective of
135.Xr ssh 1 )
136forwarding only or
137.Dq remote
138to allow remote forwarding only.
139The default is
140.Dq yes .
141Note that disabling TCP forwarding does not improve security unless
142users are also denied shell access, as they can always install their
143own forwarders.
144.It Cm AllowUsers
145This keyword can be followed by a list of user name patterns, separated
146by spaces.
147If specified, login is allowed only for user names that
148match one of the patterns.
149Only user names are valid; a numerical user ID is not recognized.
150By default, login is allowed for all users.
151If the pattern takes the form USER@HOST then USER and HOST
152are separately checked, restricting logins to particular
153users from particular hosts.
154The allow/deny directives are processed in the following order:
155.Cm DenyUsers ,
156.Cm AllowUsers ,
157.Cm DenyGroups ,
158and finally
159.Cm AllowGroups .
160.Pp
161See PATTERNS in
162.Xr ssh_config 5
163for more information on patterns.
164.It Cm AuthenticationMethods
165Specifies the authentication methods that must be successfully completed
166for a user to be granted access.
167This option must be followed by one or more comma-separated lists of
168authentication method names.
169Successful authentication requires completion of every method in at least
170one of these lists.
171.Pp
172For example, an argument of
173.Dq publickey,password publickey,keyboard-interactive
174would require the user to complete public key authentication, followed by
175either password or keyboard interactive authentication.
176Only methods that are next in one or more lists are offered at each stage,
177so for this example, it would not be possible to attempt password or
178keyboard-interactive authentication before public key.
179.Pp
180For keyboard interactive authentication it is also possible to
181restrict authentication to a specific device by appending a
182colon followed by the device identifier
183.Dq bsdauth ,
184.Dq pam ,
185or
186.Dq skey ,
187depending on the server configuration.
188For example,
189.Dq keyboard-interactive:bsdauth
190would restrict keyboard interactive authentication to the
191.Dq bsdauth
192device.
193.Pp
194This option is only available for SSH protocol 2 and will yield a fatal
195error if enabled if protocol 1 is also enabled.
196Note that each authentication method listed should also be explicitly enabled
197in the configuration.
198The default is not to require multiple authentication; successful completion
199of a single authentication method is sufficient.
200.It Cm AuthorizedKeysCommand
201Specifies a program to be used to look up the user's public keys.
202The program must be owned by root and not writable by group or others.
203It will be invoked with a single argument of the username
204being authenticated, and should produce on standard output zero or
205more lines of authorized_keys output (see AUTHORIZED_KEYS in
206.Xr sshd 8 ) .
207If a key supplied by AuthorizedKeysCommand does not successfully authenticate
208and authorize the user then public key authentication continues using the usual
209.Cm AuthorizedKeysFile
210files.
211By default, no AuthorizedKeysCommand is run.
212.It Cm AuthorizedKeysCommandUser
213Specifies the user under whose account the AuthorizedKeysCommand is run.
214It is recommended to use a dedicated user that has no other role on the host
215than running authorized keys commands.
216.It Cm AuthorizedKeysFile
217Specifies the file that contains the public keys that can be used
218for user authentication.
219The format is described in the
220AUTHORIZED_KEYS FILE FORMAT
221section of
222.Xr sshd 8 .
223.Cm AuthorizedKeysFile
224may contain tokens of the form %T which are substituted during connection
225setup.
226The following tokens are defined: %% is replaced by a literal '%',
227%h is replaced by the home directory of the user being authenticated, and
228%u is replaced by the username of that user.
229After expansion,
230.Cm AuthorizedKeysFile
231is taken to be an absolute path or one relative to the user's home
232directory.
233Multiple files may be listed, separated by whitespace.
234The default is
235.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
236.It Cm AuthorizedPrincipalsFile
237Specifies a file that lists principal names that are accepted for
238certificate authentication.
239When using certificates signed by a key listed in
240.Cm TrustedUserCAKeys ,
241this file lists names, one of which must appear in the certificate for it
242to be accepted for authentication.
243Names are listed one per line preceded by key options (as described
244in AUTHORIZED_KEYS FILE FORMAT in
245.Xr sshd 8 ) .
246Empty lines and comments starting with
247.Ql #
248are ignored.
249.Pp
250.Cm AuthorizedPrincipalsFile
251may contain tokens of the form %T which are substituted during connection
252setup.
253The following tokens are defined: %% is replaced by a literal '%',
254%h is replaced by the home directory of the user being authenticated, and
255%u is replaced by the username of that user.
256After expansion,
257.Cm AuthorizedPrincipalsFile
258is taken to be an absolute path or one relative to the user's home
259directory.
260.Pp
261The default is
262.Dq none ,
263i.e. not to use a principals file \(en in this case, the username
264of the user must appear in a certificate's principals list for it to be
265accepted.
266Note that
267.Cm AuthorizedPrincipalsFile
268is only used when authentication proceeds using a CA listed in
269.Cm TrustedUserCAKeys
270and is not consulted for certification authorities trusted via
271.Pa ~/.ssh/authorized_keys ,
272though the
273.Cm principals=
274key option offers a similar facility (see
275.Xr sshd 8
276for details).
277.It Cm Banner
278The contents of the specified file are sent to the remote user before
279authentication is allowed.
280If the argument is
281.Dq none
282then no banner is displayed.
283This option is only available for protocol version 2.
284By default, no banner is displayed.
285.It Cm ChallengeResponseAuthentication
286Specifies whether challenge-response authentication is allowed (e.g. via
287PAM or though authentication styles supported in
288.Xr login.conf 5 )
289The default is
290.Dq yes .
291.It Cm ChrootDirectory
292Specifies the pathname of a directory to
293.Xr chroot 2
294to after authentication.
295All components of the pathname must be root-owned directories that are
296not writable by any other user or group.
297After the chroot,
298.Xr sshd 8
299changes the working directory to the user's home directory.
300.Pp
301The pathname may contain the following tokens that are expanded at runtime once
302the connecting user has been authenticated: %% is replaced by a literal '%',
303%h is replaced by the home directory of the user being authenticated, and
304%u is replaced by the username of that user.
305.Pp
306The
307.Cm ChrootDirectory
308must contain the necessary files and directories to support the
309user's session.
310For an interactive session this requires at least a shell, typically
311.Xr sh 1 ,
312and basic
313.Pa /dev
314nodes such as
315.Xr null 4 ,
316.Xr zero 4 ,
317.Xr stdin 4 ,
318.Xr stdout 4 ,
319.Xr stderr 4 ,
320.Xr arandom 4
321and
322.Xr tty 4
323devices.
324For file transfer sessions using
325.Dq sftp ,
326no additional configuration of the environment is necessary if the
327in-process sftp server is used,
328though sessions which use logging do require
329.Pa /dev/log
330inside the chroot directory (see
331.Xr sftp-server 8
332for details).
333.Pp
334The default is not to
335.Xr chroot 2 .
336.It Cm Ciphers
337Specifies the ciphers allowed for protocol version 2.
338Multiple ciphers must be comma-separated.
339The supported ciphers are:
340.Pp
341.Dq 3des-cbc ,
342.Dq aes128-cbc ,
343.Dq aes192-cbc ,
344.Dq aes256-cbc ,
345.Dq aes128-ctr ,
346.Dq aes192-ctr ,
347.Dq aes256-ctr ,
348.Dq aes128-gcm@openssh.com ,
349.Dq aes256-gcm@openssh.com ,
350.Dq arcfour128 ,
351.Dq arcfour256 ,
352.Dq arcfour ,
353.Dq blowfish-cbc ,
354.Dq cast128-cbc ,
355and
356.Dq chacha20-poly1305@openssh.com .
357.Pp
358The default is:
359.Bd -literal -offset 3n
360aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
361aes128-gcm@openssh.com,aes256-gcm@openssh.com,
362chacha20-poly1305@openssh.com,
363aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
364aes256-cbc,arcfour
365.Ed
366.Pp
367The list of available ciphers may also be obtained using the
368.Fl Q
369option of
370.Xr ssh 1 .
371.It Cm ClientAliveCountMax
372Sets the number of client alive messages (see below) which may be
373sent without
374.Xr sshd 8
375receiving any messages back from the client.
376If this threshold is reached while client alive messages are being sent,
377sshd will disconnect the client, terminating the session.
378It is important to note that the use of client alive messages is very
379different from
380.Cm TCPKeepAlive
381(below).
382The client alive messages are sent through the encrypted channel
383and therefore will not be spoofable.
384The TCP keepalive option enabled by
385.Cm TCPKeepAlive
386is spoofable.
387The client alive mechanism is valuable when the client or
388server depend on knowing when a connection has become inactive.
389.Pp
390The default value is 3.
391If
392.Cm ClientAliveInterval
393(see below) is set to 15, and
394.Cm ClientAliveCountMax
395is left at the default, unresponsive SSH clients
396will be disconnected after approximately 45 seconds.
397This option applies to protocol version 2 only.
398.It Cm ClientAliveInterval
399Sets a timeout interval in seconds after which if no data has been received
400from the client,
401.Xr sshd 8
402will send a message through the encrypted
403channel to request a response from the client.
404The default
405is 0, indicating that these messages will not be sent to the client.
406This option applies to protocol version 2 only.
407.It Cm Compression
408Specifies whether compression is allowed, or delayed until
409the user has authenticated successfully.
410The argument must be
411.Dq yes ,
412.Dq delayed ,
413or
414.Dq no .
415The default is
416.Dq delayed .
417.It Cm DenyGroups
418This keyword can be followed by a list of group name patterns, separated
419by spaces.
420Login is disallowed for users whose primary group or supplementary
421group list matches one of the patterns.
422Only group names are valid; a numerical group ID is not recognized.
423By default, login is allowed for all groups.
424The allow/deny directives are processed in the following order:
425.Cm DenyUsers ,
426.Cm AllowUsers ,
427.Cm DenyGroups ,
428and finally
429.Cm AllowGroups .
430.Pp
431See PATTERNS in
432.Xr ssh_config 5
433for more information on patterns.
434.It Cm DenyUsers
435This keyword can be followed by a list of user name patterns, separated
436by spaces.
437Login is disallowed for user names that match one of the patterns.
438Only user names are valid; a numerical user ID is not recognized.
439By default, login is allowed for all users.
440If the pattern takes the form USER@HOST then USER and HOST
441are separately checked, restricting logins to particular
442users from particular hosts.
443The allow/deny directives are processed in the following order:
444.Cm DenyUsers ,
445.Cm AllowUsers ,
446.Cm DenyGroups ,
447and finally
448.Cm AllowGroups .
449.Pp
450See PATTERNS in
451.Xr ssh_config 5
452for more information on patterns.
453.It Cm ForceCommand
454Forces the execution of the command specified by
455.Cm ForceCommand ,
456ignoring any command supplied by the client and
457.Pa ~/.ssh/rc
458if present.
459The command is invoked by using the user's login shell with the -c option.
460This applies to shell, command, or subsystem execution.
461It is most useful inside a
462.Cm Match
463block.
464The command originally supplied by the client is available in the
465.Ev SSH_ORIGINAL_COMMAND
466environment variable.
467Specifying a command of
468.Dq internal-sftp
469will force the use of an in-process sftp server that requires no support
470files when used with
471.Cm ChrootDirectory .
472.It Cm GatewayPorts
473Specifies whether remote hosts are allowed to connect to ports
474forwarded for the client.
475By default,
476.Xr sshd 8
477binds remote port forwardings to the loopback address.
478This prevents other remote hosts from connecting to forwarded ports.
479.Cm GatewayPorts
480can be used to specify that sshd
481should allow remote port forwardings to bind to non-loopback addresses, thus
482allowing other hosts to connect.
483The argument may be
484.Dq no
485to force remote port forwardings to be available to the local host only,
486.Dq yes
487to force remote port forwardings to bind to the wildcard address, or
488.Dq clientspecified
489to allow the client to select the address to which the forwarding is bound.
490The default is
491.Dq no .
492.It Cm GSSAPIAuthentication
493Specifies whether user authentication based on GSSAPI is allowed.
494The default is
495.Dq no .
496Note that this option applies to protocol version 2 only.
497.It Cm GSSAPICleanupCredentials
498Specifies whether to automatically destroy the user's credentials cache
499on logout.
500The default is
501.Dq yes .
502Note that this option applies to protocol version 2 only.
503.It Cm HostbasedAuthentication
504Specifies whether rhosts or /etc/hosts.equiv authentication together
505with successful public key client host authentication is allowed
506(host-based authentication).
507This option is similar to
508.Cm RhostsRSAAuthentication
509and applies to protocol version 2 only.
510The default is
511.Dq no .
512.It Cm HostbasedUsesNameFromPacketOnly
513Specifies whether or not the server will attempt to perform a reverse
514name lookup when matching the name in the
515.Pa ~/.shosts ,
516.Pa ~/.rhosts ,
517and
518.Pa /etc/hosts.equiv
519files during
520.Cm HostbasedAuthentication .
521A setting of
522.Dq yes
523means that
524.Xr sshd 8
525uses the name supplied by the client rather than
526attempting to resolve the name from the TCP connection itself.
527The default is
528.Dq no .
529.It Cm HostCertificate
530Specifies a file containing a public host certificate.
531The certificate's public key must match a private host key already specified
532by
533.Cm HostKey .
534The default behaviour of
535.Xr sshd 8
536is not to load any certificates.
537.It Cm HostKey
538Specifies a file containing a private host key
539used by SSH.
540The default is
541.Pa /etc/ssh/ssh_host_key
542for protocol version 1, and
543.Pa /etc/ssh/ssh_host_dsa_key ,
544.Pa /etc/ssh/ssh_host_ecdsa_key ,
545.Pa /etc/ssh/ssh_host_ed25519_key
546and
547.Pa /etc/ssh/ssh_host_rsa_key
548for protocol version 2.
549Note that
550.Xr sshd 8
551will refuse to use a file if it is group/world-accessible.
552It is possible to have multiple host key files.
553.Dq rsa1
554keys are used for version 1 and
555.Dq dsa ,
556.Dq ecdsa ,
557.Dq ed25519
558or
559.Dq rsa
560are used for version 2 of the SSH protocol.
561It is also possible to specify public host key files instead.
562In this case operations on the private key will be delegated
563to an
564.Xr ssh-agent 1 .
565.It Cm HostKeyAgent
566Identifies the UNIX-domain socket used to communicate
567with an agent that has access to the private host keys.
568If
569.Dq SSH_AUTH_SOCK
570is specified, the location of the socket will be read from the
571.Ev SSH_AUTH_SOCK
572environment variable.
573.It Cm IgnoreRhosts
574Specifies that
575.Pa .rhosts
576and
577.Pa .shosts
578files will not be used in
579.Cm RhostsRSAAuthentication
580or
581.Cm HostbasedAuthentication .
582.Pp
583.Pa /etc/hosts.equiv
584and
585.Pa /etc/ssh/shosts.equiv
586are still used.
587The default is
588.Dq yes .
589.It Cm IgnoreUserKnownHosts
590Specifies whether
591.Xr sshd 8
592should ignore the user's
593.Pa ~/.ssh/known_hosts
594during
595.Cm RhostsRSAAuthentication
596or
597.Cm HostbasedAuthentication .
598The default is
599.Dq no .
600.It Cm IPQoS
601Specifies the IPv4 type-of-service or DSCP class for the connection.
602Accepted values are
603.Dq af11 ,
604.Dq af12 ,
605.Dq af13 ,
606.Dq af21 ,
607.Dq af22 ,
608.Dq af23 ,
609.Dq af31 ,
610.Dq af32 ,
611.Dq af33 ,
612.Dq af41 ,
613.Dq af42 ,
614.Dq af43 ,
615.Dq cs0 ,
616.Dq cs1 ,
617.Dq cs2 ,
618.Dq cs3 ,
619.Dq cs4 ,
620.Dq cs5 ,
621.Dq cs6 ,
622.Dq cs7 ,
623.Dq ef ,
624.Dq lowdelay ,
625.Dq throughput ,
626.Dq reliability ,
627or a numeric value.
628This option may take one or two arguments, separated by whitespace.
629If one argument is specified, it is used as the packet class unconditionally.
630If two values are specified, the first is automatically selected for
631interactive sessions and the second for non-interactive sessions.
632The default is
633.Dq lowdelay
634for interactive sessions and
635.Dq throughput
636for non-interactive sessions.
637.It Cm KbdInteractiveAuthentication
638Specifies whether to allow keyboard-interactive authentication.
639The argument to this keyword must be
640.Dq yes
641or
642.Dq no .
643The default is to use whatever value
644.Cm ChallengeResponseAuthentication
645is set to
646(by default
647.Dq yes ) .
648.It Cm KerberosAuthentication
649Specifies whether the password provided by the user for
650.Cm PasswordAuthentication
651will be validated through the Kerberos KDC.
652To use this option, the server needs a
653Kerberos servtab which allows the verification of the KDC's identity.
654The default is
655.Dq no .
656.It Cm KerberosGetAFSToken
657If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
658an AFS token before accessing the user's home directory.
659The default is
660.Dq no .
661.It Cm KerberosOrLocalPasswd
662If password authentication through Kerberos fails then
663the password will be validated via any additional local mechanism
664such as
665.Pa /etc/passwd .
666The default is
667.Dq yes .
668.It Cm KerberosTicketCleanup
669Specifies whether to automatically destroy the user's ticket cache
670file on logout.
671The default is
672.Dq yes .
673.It Cm KexAlgorithms
674Specifies the available KEX (Key Exchange) algorithms.
675Multiple algorithms must be comma-separated.
676The default is
677.Bd -literal -offset indent
678curve25519-sha256@libssh.org,
679ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
680diffie-hellman-group-exchange-sha256,
681diffie-hellman-group-exchange-sha1,
682diffie-hellman-group14-sha1,
683diffie-hellman-group1-sha1
684.Ed
685.It Cm KeyRegenerationInterval
686In protocol version 1, the ephemeral server key is automatically regenerated
687after this many seconds (if it has been used).
688The purpose of regeneration is to prevent
689decrypting captured sessions by later breaking into the machine and
690stealing the keys.
691The key is never stored anywhere.
692If the value is 0, the key is never regenerated.
693The default is 3600 (seconds).
694.It Cm ListenAddress
695Specifies the local addresses
696.Xr sshd 8
697should listen on.
698The following forms may be used:
699.Pp
700.Bl -item -offset indent -compact
701.It
702.Cm ListenAddress
703.Sm off
704.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
705.Sm on
706.It
707.Cm ListenAddress
708.Sm off
709.Ar host No | Ar IPv4_addr No : Ar port
710.Sm on
711.It
712.Cm ListenAddress
713.Sm off
714.Oo
715.Ar host No | Ar IPv6_addr Oc : Ar port
716.Sm on
717.El
718.Pp
719If
720.Ar port
721is not specified,
722sshd will listen on the address and all prior
723.Cm Port
724options specified.
725The default is to listen on all local addresses.
726Multiple
727.Cm ListenAddress
728options are permitted.
729Additionally, any
730.Cm Port
731options must precede this option for non-port qualified addresses.
732.It Cm LoginGraceTime
733The server disconnects after this time if the user has not
734successfully logged in.
735If the value is 0, there is no time limit.
736The default is 120 seconds.
737.It Cm LogLevel
738Gives the verbosity level that is used when logging messages from
739.Xr sshd 8 .
740The possible values are:
741QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
742The default is INFO.
743DEBUG and DEBUG1 are equivalent.
744DEBUG2 and DEBUG3 each specify higher levels of debugging output.
745Logging with a DEBUG level violates the privacy of users and is not recommended.
746.It Cm MACs
747Specifies the available MAC (message authentication code) algorithms.
748The MAC algorithm is used in protocol version 2
749for data integrity protection.
750Multiple algorithms must be comma-separated.
751The algorithms that contain
752.Dq -etm
753calculate the MAC after encryption (encrypt-then-mac).
754These are considered safer and their use recommended.
755The default is:
756.Bd -literal -offset indent
757hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
758umac-64-etm@openssh.com,umac-128-etm@openssh.com,
759hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
760hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
761hmac-md5-96-etm@openssh.com,
762hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
763hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
764hmac-sha1-96,hmac-md5-96
765.Ed
766.It Cm Match
767Introduces a conditional block.
768If all of the criteria on the
769.Cm Match
770line are satisfied, the keywords on the following lines override those
771set in the global section of the config file, until either another
772.Cm Match
773line or the end of the file.
774If a keyword appears in multiple
775.Cm Match
776blocks that are satisified, only the first instance of the keyword is
777applied.
778.Pp
779The arguments to
780.Cm Match
781are one or more criteria-pattern pairs or the single token
782.Cm All
783which matches all criteria.
784The available criteria are
785.Cm User ,
786.Cm Group ,
787.Cm Host ,
788.Cm LocalAddress ,
789.Cm LocalPort ,
790and
791.Cm Address .
792The match patterns may consist of single entries or comma-separated
793lists and may use the wildcard and negation operators described in the
794PATTERNS section of
795.Xr ssh_config 5 .
796.Pp
797The patterns in an
798.Cm Address
799criteria may additionally contain addresses to match in CIDR
800address/masklen format, e.g.\&
801.Dq 192.0.2.0/24
802or
803.Dq 3ffe:ffff::/32 .
804Note that the mask length provided must be consistent with the address -
805it is an error to specify a mask length that is too long for the address
806or one with bits set in this host portion of the address.
807For example,
808.Dq 192.0.2.0/33
809and
810.Dq 192.0.2.0/8
811respectively.
812.Pp
813Only a subset of keywords may be used on the lines following a
814.Cm Match
815keyword.
816Available keywords are
817.Cm AcceptEnv ,
818.Cm AllowAgentForwarding ,
819.Cm AllowGroups ,
820.Cm AllowTcpForwarding ,
821.Cm AllowUsers ,
822.Cm AuthenticationMethods ,
823.Cm AuthorizedKeysCommand ,
824.Cm AuthorizedKeysCommandUser ,
825.Cm AuthorizedKeysFile ,
826.Cm AuthorizedPrincipalsFile ,
827.Cm Banner ,
828.Cm ChrootDirectory ,
829.Cm DenyGroups ,
830.Cm DenyUsers ,
831.Cm ForceCommand ,
832.Cm GatewayPorts ,
833.Cm GSSAPIAuthentication ,
834.Cm HostbasedAuthentication ,
835.Cm HostbasedUsesNameFromPacketOnly ,
836.Cm KbdInteractiveAuthentication ,
837.Cm KerberosAuthentication ,
838.Cm MaxAuthTries ,
839.Cm MaxSessions ,
840.Cm PasswordAuthentication ,
841.Cm PermitEmptyPasswords ,
842.Cm PermitOpen ,
843.Cm PermitRootLogin ,
844.Cm PermitTTY ,
845.Cm PermitTunnel ,
846.Cm PubkeyAuthentication ,
847.Cm RekeyLimit ,
848.Cm RhostsRSAAuthentication ,
849.Cm RSAAuthentication ,
850.Cm X11DisplayOffset ,
851.Cm X11Forwarding
852and
853.Cm X11UseLocalHost .
854.It Cm MaxAuthTries
855Specifies the maximum number of authentication attempts permitted per
856connection.
857Once the number of failures reaches half this value,
858additional failures are logged.
859The default is 6.
860.It Cm MaxSessions
861Specifies the maximum number of open sessions permitted per network connection.
862The default is 10.
863.It Cm MaxStartups
864Specifies the maximum number of concurrent unauthenticated connections to the
865SSH daemon.
866Additional connections will be dropped until authentication succeeds or the
867.Cm LoginGraceTime
868expires for a connection.
869The default is 10:30:100.
870.Pp
871Alternatively, random early drop can be enabled by specifying
872the three colon separated values
873.Dq start:rate:full
874(e.g. "10:30:60").
875.Xr sshd 8
876will refuse connection attempts with a probability of
877.Dq rate/100
878(30%)
879if there are currently
880.Dq start
881(10)
882unauthenticated connections.
883The probability increases linearly and all connection attempts
884are refused if the number of unauthenticated connections reaches
885.Dq full
886(60).
887.It Cm PasswordAuthentication
888Specifies whether password authentication is allowed.
889See also
890.Cm UsePAM .
891The default is
892.Dq no .
893.It Cm PermitEmptyPasswords
894When password authentication is allowed, it specifies whether the
895server allows login to accounts with empty password strings.
896The default is
897.Dq no .
898.It Cm PermitOpen
899Specifies the destinations to which TCP port forwarding is permitted.
900The forwarding specification must be one of the following forms:
901.Pp
902.Bl -item -offset indent -compact
903.It
904.Cm PermitOpen
905.Sm off
906.Ar host : port
907.Sm on
908.It
909.Cm PermitOpen
910.Sm off
911.Ar IPv4_addr : port
912.Sm on
913.It
914.Cm PermitOpen
915.Sm off
916.Ar \&[ IPv6_addr \&] : port
917.Sm on
918.El
919.Pp
920Multiple forwards may be specified by separating them with whitespace.
921An argument of
922.Dq any
923can be used to remove all restrictions and permit any forwarding requests.
924An argument of
925.Dq none
926can be used to prohibit all forwarding requests.
927By default all port forwarding requests are permitted.
928.It Cm PermitRootLogin
929Specifies whether root can log in using
930.Xr ssh 1 .
931The argument must be
932.Dq yes ,
933.Dq without-password ,
934.Dq forced-commands-only ,
935or
936.Dq no .
937The default is
938.Dq no .
939Note that if
940.Cm ChallengeResponseAuthentication
941is
942.Dq yes ,
943the root user may be allowed in with its password even if
944.Cm PermitRootLogin is set to
945.Dq without-password .
946.Pp
947If this option is set to
948.Dq without-password ,
949password authentication is disabled for root.
950.Pp
951If this option is set to
952.Dq forced-commands-only ,
953root login with public key authentication will be allowed,
954but only if the
955.Ar command
956option has been specified
957(which may be useful for taking remote backups even if root login is
958normally not allowed).
959All other authentication methods are disabled for root.
960.Pp
961If this option is set to
962.Dq no ,
963root is not allowed to log in.
964.It Cm PermitTunnel
965Specifies whether
966.Xr tun 4
967device forwarding is allowed.
968The argument must be
969.Dq yes ,
970.Dq point-to-point
971(layer 3),
972.Dq ethernet
973(layer 2), or
974.Dq no .
975Specifying
976.Dq yes
977permits both
978.Dq point-to-point
979and
980.Dq ethernet .
981The default is
982.Dq no .
983.It Cm PermitTTY
984Specifies whether
985.Xr pty 4
986allocation is permitted.
987The default is
988.Dq yes .
989.It Cm PermitUserEnvironment
990Specifies whether
991.Pa ~/.ssh/environment
992and
993.Cm environment=
994options in
995.Pa ~/.ssh/authorized_keys
996are processed by
997.Xr sshd 8 .
998The default is
999.Dq no .
1000Enabling environment processing may enable users to bypass access
1001restrictions in some configurations using mechanisms such as
1002.Ev LD_PRELOAD .
1003.It Cm PidFile
1004Specifies the file that contains the process ID of the
1005SSH daemon.
1006The default is
1007.Pa /var/run/sshd.pid .
1008.It Cm Port
1009Specifies the port number that
1010.Xr sshd 8
1011listens on.
1012The default is 22.
1013Multiple options of this type are permitted.
1014See also
1015.Cm ListenAddress .
1016.It Cm PrintLastLog
1017Specifies whether
1018.Xr sshd 8
1019should print the date and time of the last user login when a user logs
1020in interactively.
1021The default is
1022.Dq yes .
1023.It Cm PrintMotd
1024Specifies whether
1025.Xr sshd 8
1026should print
1027.Pa /etc/motd
1028when a user logs in interactively.
1029(On some systems it is also printed by the shell,
1030.Pa /etc/profile ,
1031or equivalent.)
1032The default is
1033.Dq yes .
1034.It Cm Protocol
1035Specifies the protocol versions
1036.Xr sshd 8
1037supports.
1038The possible values are
1039.Sq 1
1040and
1041.Sq 2 .
1042Multiple versions must be comma-separated.
1043The default is
1044.Sq 2 .
1045Note that the order of the protocol list does not indicate preference,
1046because the client selects among multiple protocol versions offered
1047by the server.
1048Specifying
1049.Dq 2,1
1050is identical to
1051.Dq 1,2 .
1052.It Cm PubkeyAuthentication
1053Specifies whether public key authentication is allowed.
1054The default is
1055.Dq yes .
1056Note that this option applies to protocol version 2 only.
1057.It Cm RekeyLimit
1058Specifies the maximum amount of data that may be transmitted before the
1059session key is renegotiated, optionally followed a maximum amount of
1060time that may pass before the session key is renegotiated.
1061The first argument is specified in bytes and may have a suffix of
1062.Sq K ,
1063.Sq M ,
1064or
1065.Sq G
1066to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1067The default is between
1068.Sq 1G
1069and
1070.Sq 4G ,
1071depending on the cipher.
1072The optional second value is specified in seconds and may use any of the
1073units documented in the
1074.Sx TIME FORMATS
1075section.
1076The default value for
1077.Cm RekeyLimit
1078is
1079.Dq default none ,
1080which means that rekeying is performed after the cipher's default amount
1081of data has been sent or received and no time based rekeying is done.
1082This option applies to protocol version 2 only.
1083.It Cm RevokedKeys
1084Specifies revoked public keys.
1085Keys listed in this file will be refused for public key authentication.
1086Note that if this file is not readable, then public key authentication will
1087be refused for all users.
1088Keys may be specified as a text file, listing one public key per line, or as
1089an OpenSSH Key Revocation List (KRL) as generated by
1090.Xr ssh-keygen 1 .
1091For more information on KRLs, see the KEY REVOCATION LISTS section in
1092.Xr ssh-keygen 1 .
1093.It Cm RhostsRSAAuthentication
1094Specifies whether rhosts or
1095.Pa /etc/hosts.equiv
1096authentication together
1097with successful RSA host authentication is allowed.
1098The default is
1099.Dq no .
1100This option applies to protocol version 1 only.
1101.It Cm RSAAuthentication
1102Specifies whether pure RSA authentication is allowed.
1103The default is
1104.Dq yes .
1105This option applies to protocol version 1 only.
1106.It Cm ServerKeyBits
1107Defines the number of bits in the ephemeral protocol version 1 server key.
1108The minimum value is 512, and the default is 1024.
1109.It Cm StrictModes
1110Specifies whether
1111.Xr sshd 8
1112should check file modes and ownership of the
1113user's files and home directory before accepting login.
1114This is normally desirable because novices sometimes accidentally leave their
1115directory or files world-writable.
1116The default is
1117.Dq yes .
1118Note that this does not apply to
1119.Cm ChrootDirectory ,
1120whose permissions and ownership are checked unconditionally.
1121.It Cm Subsystem
1122Configures an external subsystem (e.g. file transfer daemon).
1123Arguments should be a subsystem name and a command (with optional arguments)
1124to execute upon subsystem request.
1125.Pp
1126The command
1127.Xr sftp-server 8
1128implements the
1129.Dq sftp
1130file transfer subsystem.
1131.Pp
1132Alternately the name
1133.Dq internal-sftp
1134implements an in-process
1135.Dq sftp
1136server.
1137This may simplify configurations using
1138.Cm ChrootDirectory
1139to force a different filesystem root on clients.
1140.Pp
1141By default no subsystems are defined.
1142Note that this option applies to protocol version 2 only.
1143.It Cm SyslogFacility
1144Gives the facility code that is used when logging messages from
1145.Xr sshd 8 .
1146The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1147LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1148The default is AUTH.
1149.It Cm TCPKeepAlive
1150Specifies whether the system should send TCP keepalive messages to the
1151other side.
1152If they are sent, death of the connection or crash of one
1153of the machines will be properly noticed.
1154However, this means that
1155connections will die if the route is down temporarily, and some people
1156find it annoying.
1157On the other hand, if TCP keepalives are not sent,
1158sessions may hang indefinitely on the server, leaving
1159.Dq ghost
1160users and consuming server resources.
1161.Pp
1162The default is
1163.Dq yes
1164(to send TCP keepalive messages), and the server will notice
1165if the network goes down or the client host crashes.
1166This avoids infinitely hanging sessions.
1167.Pp
1168To disable TCP keepalive messages, the value should be set to
1169.Dq no .
1170.It Cm TrustedUserCAKeys
1171Specifies a file containing public keys of certificate authorities that are
1172trusted to sign user certificates for authentication.
1173Keys are listed one per line; empty lines and comments starting with
1174.Ql #
1175are allowed.
1176If a certificate is presented for authentication and has its signing CA key
1177listed in this file, then it may be used for authentication for any user
1178listed in the certificate's principals list.
1179Note that certificates that lack a list of principals will not be permitted
1180for authentication using
1181.Cm TrustedUserCAKeys .
1182For more details on certificates, see the CERTIFICATES section in
1183.Xr ssh-keygen 1 .
1184.It Cm UseDNS
1185Specifies whether
1186.Xr sshd 8
1187should look up the remote host name and check that
1188the resolved host name for the remote IP address maps back to the
1189very same IP address.
1190The default is
1191.Dq yes .
1192.It Cm UseLogin
1193Specifies whether
1194.Xr login 1
1195is used for interactive login sessions.
1196The default is
1197.Dq no .
1198Note that
1199.Xr login 1
1200is never used for remote command execution.
1201Note also, that if this is enabled,
1202.Cm X11Forwarding
1203will be disabled because
1204.Xr login 1
1205does not know how to handle
1206.Xr xauth 1
1207cookies.
1208If
1209.Cm UsePrivilegeSeparation
1210is specified, it will be disabled after authentication.
1211.It Cm UsePAM
1212Enables the Pluggable Authentication Module interface.
1213If set to
1214.Dq yes
1215this will enable PAM authentication using
1216.Cm ChallengeResponseAuthentication
1217and
1218.Cm PasswordAuthentication
1219in addition to PAM account and session module processing for all
1220authentication types.
1221.Pp
1222Because PAM challenge-response authentication usually serves an equivalent
1223role to password authentication, you should disable either
1224.Cm PasswordAuthentication
1225or
1226.Cm ChallengeResponseAuthentication.
1227.Pp
1228If
1229.Cm UsePAM
1230is enabled, you will not be able to run
1231.Xr sshd 8
1232as a non-root user.
1233The default is
1234.Dq yes .
1235.It Cm UsePrivilegeSeparation
1236Specifies whether
1237.Xr sshd 8
1238separates privileges by creating an unprivileged child process
1239to deal with incoming network traffic.
1240After successful authentication, another process will be created that has
1241the privilege of the authenticated user.
1242The goal of privilege separation is to prevent privilege
1243escalation by containing any corruption within the unprivileged processes.
1244The default is
1245.Dq sandbox .
1246If
1247.Cm UsePrivilegeSeparation
1248is set to
1249.Dq sandbox
1250then the pre-authentication unprivileged process is subject to additional
1251restrictions.
1252.It Cm VersionAddendum
1253Optionally specifies additional text to append to the SSH protocol banner
1254sent by the server upon connection.
1255The default is
1256.Dq FreeBSD-20140420 .
1257The value
1258.Dq none
1259may be used to disable this.
1260.It Cm X11DisplayOffset
1261Specifies the first display number available for
1262.Xr sshd 8 Ns 's
1263X11 forwarding.
1264This prevents sshd from interfering with real X11 servers.
1265The default is 10.
1266.It Cm X11Forwarding
1267Specifies whether X11 forwarding is permitted.
1268The argument must be
1269.Dq yes
1270or
1271.Dq no .
1272The default is
1273.Dq yes .
1274.Pp
1275When X11 forwarding is enabled, there may be additional exposure to
1276the server and to client displays if the
1277.Xr sshd 8
1278proxy display is configured to listen on the wildcard address (see
1279.Cm X11UseLocalhost
1280below), though this is not the default.
1281Additionally, the authentication spoofing and authentication data
1282verification and substitution occur on the client side.
1283The security risk of using X11 forwarding is that the client's X11
1284display server may be exposed to attack when the SSH client requests
1285forwarding (see the warnings for
1286.Cm ForwardX11
1287in
1288.Xr ssh_config 5 ) .
1289A system administrator may have a stance in which they want to
1290protect clients that may expose themselves to attack by unwittingly
1291requesting X11 forwarding, which can warrant a
1292.Dq no
1293setting.
1294.Pp
1295Note that disabling X11 forwarding does not prevent users from
1296forwarding X11 traffic, as users can always install their own forwarders.
1297X11 forwarding is automatically disabled if
1298.Cm UseLogin
1299is enabled.
1300.It Cm X11UseLocalhost
1301Specifies whether
1302.Xr sshd 8
1303should bind the X11 forwarding server to the loopback address or to
1304the wildcard address.
1305By default,
1306sshd binds the forwarding server to the loopback address and sets the
1307hostname part of the
1308.Ev DISPLAY
1309environment variable to
1310.Dq localhost .
1311This prevents remote hosts from connecting to the proxy display.
1312However, some older X11 clients may not function with this
1313configuration.
1314.Cm X11UseLocalhost
1315may be set to
1316.Dq no
1317to specify that the forwarding server should be bound to the wildcard
1318address.
1319The argument must be
1320.Dq yes
1321or
1322.Dq no .
1323The default is
1324.Dq yes .
1325.It Cm XAuthLocation
1326Specifies the full pathname of the
1327.Xr xauth 1
1328program.
1329The default is
1330.Pa /usr/local/bin/xauth .
1331.El
1332.Sh TIME FORMATS
1333.Xr sshd 8
1334command-line arguments and configuration file options that specify time
1335may be expressed using a sequence of the form:
1336.Sm off
1337.Ar time Op Ar qualifier ,
1338.Sm on
1339where
1340.Ar time
1341is a positive integer value and
1342.Ar qualifier
1343is one of the following:
1344.Pp
1345.Bl -tag -width Ds -compact -offset indent
1346.It Aq Cm none
1347seconds
1348.It Cm s | Cm S
1349seconds
1350.It Cm m | Cm M
1351minutes
1352.It Cm h | Cm H
1353hours
1354.It Cm d | Cm D
1355days
1356.It Cm w | Cm W
1357weeks
1358.El
1359.Pp
1360Each member of the sequence is added together to calculate
1361the total time value.
1362.Pp
1363Time format examples:
1364.Pp
1365.Bl -tag -width Ds -compact -offset indent
1366.It 600
1367600 seconds (10 minutes)
1368.It 10m
136910 minutes
1370.It 1h30m
13711 hour 30 minutes (90 minutes)
1372.El
1373.Sh FILES
1374.Bl -tag -width Ds
1375.It Pa /etc/ssh/sshd_config
1376Contains configuration data for
1377.Xr sshd 8 .
1378This file should be writable by root only, but it is recommended
1379(though not necessary) that it be world-readable.
1380.El
1381.Sh SEE ALSO
1382.Xr sshd 8
1383.Sh AUTHORS
1384OpenSSH is a derivative of the original and free
1385ssh 1.2.12 release by Tatu Ylonen.
1386Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1387Theo de Raadt and Dug Song
1388removed many bugs, re-added newer features and
1389created OpenSSH.
1390Markus Friedl contributed the support for SSH
1391protocol versions 1.5 and 2.0.
1392Niels Provos and Markus Friedl contributed support
1393for privilege separation.
1394