xref: /freebsd/crypto/openssh/sshd_config.5 (revision 792bbaba989533a1fc93823df1720c8c4aaf0442)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $
37.\" $FreeBSD$
38.Dd $Mdocdate: February 17 2016 $
39.Dt SSHD_CONFIG 5
40.Os
41.Sh NAME
42.Nm sshd_config
43.Nd OpenSSH SSH daemon configuration file
44.Sh SYNOPSIS
45.Nm /etc/ssh/sshd_config
46.Sh DESCRIPTION
47.Xr sshd 8
48reads configuration data from
49.Pa /etc/ssh/sshd_config
50(or the file specified with
51.Fl f
52on the command line).
53The file contains keyword-argument pairs, one per line.
54Lines starting with
55.Ql #
56and empty lines are interpreted as comments.
57Arguments may optionally be enclosed in double quotes
58.Pq \&"
59in order to represent arguments containing spaces.
60.Pp
61The possible
62keywords and their meanings are as follows (note that
63keywords are case-insensitive and arguments are case-sensitive):
64.Bl -tag -width Ds
65.It Cm AcceptEnv
66Specifies what environment variables sent by the client will be copied into
67the session's
68.Xr environ 7 .
69See
70.Cm SendEnv
71in
72.Xr ssh_config 5
73for how to configure the client.
74The
75.Ev TERM
76environment variable is always sent whenever the client
77requests a pseudo-terminal as it is required by the protocol.
78Variables are specified by name, which may contain the wildcard characters
79.Ql *
80and
81.Ql \&? .
82Multiple environment variables may be separated by whitespace or spread
83across multiple
84.Cm AcceptEnv
85directives.
86Be warned that some environment variables could be used to bypass restricted
87user environments.
88For this reason, care should be taken in the use of this directive.
89The default is not to accept any environment variables.
90.It Cm AddressFamily
91Specifies which address family should be used by
92.Xr sshd 8 .
93Valid arguments are
94.Dq any ,
95.Dq inet
96(use IPv4 only), or
97.Dq inet6
98(use IPv6 only).
99The default is
100.Dq any .
101.It Cm AllowAgentForwarding
102Specifies whether
103.Xr ssh-agent 1
104forwarding is permitted.
105The default is
106.Dq yes .
107Note that disabling agent forwarding does not improve security
108unless users are also denied shell access, as they can always install
109their own forwarders.
110.It Cm AllowGroups
111This keyword can be followed by a list of group name patterns, separated
112by spaces.
113If specified, login is allowed only for users whose primary
114group or supplementary group list matches one of the patterns.
115Only group names are valid; a numerical group ID is not recognized.
116By default, login is allowed for all groups.
117The allow/deny directives are processed in the following order:
118.Cm DenyUsers ,
119.Cm AllowUsers ,
120.Cm DenyGroups ,
121and finally
122.Cm AllowGroups .
123.Pp
124See PATTERNS in
125.Xr ssh_config 5
126for more information on patterns.
127.It Cm AllowTcpForwarding
128Specifies whether TCP forwarding is permitted.
129The available options are
130.Dq yes
131or
132.Dq all
133to allow TCP forwarding,
134.Dq no
135to prevent all TCP forwarding,
136.Dq local
137to allow local (from the perspective of
138.Xr ssh 1 )
139forwarding only or
140.Dq remote
141to allow remote forwarding only.
142The default is
143.Dq yes .
144Note that disabling TCP forwarding does not improve security unless
145users are also denied shell access, as they can always install their
146own forwarders.
147.It Cm AllowStreamLocalForwarding
148Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
149The available options are
150.Dq yes
151or
152.Dq all
153to allow StreamLocal forwarding,
154.Dq no
155to prevent all StreamLocal forwarding,
156.Dq local
157to allow local (from the perspective of
158.Xr ssh 1 )
159forwarding only or
160.Dq remote
161to allow remote forwarding only.
162The default is
163.Dq yes .
164Note that disabling StreamLocal forwarding does not improve security unless
165users are also denied shell access, as they can always install their
166own forwarders.
167.It Cm AllowUsers
168This keyword can be followed by a list of user name patterns, separated
169by spaces.
170If specified, login is allowed only for user names that
171match one of the patterns.
172Only user names are valid; a numerical user ID is not recognized.
173By default, login is allowed for all users.
174If the pattern takes the form USER@HOST then USER and HOST
175are separately checked, restricting logins to particular
176users from particular hosts.
177The allow/deny directives are processed in the following order:
178.Cm DenyUsers ,
179.Cm AllowUsers ,
180.Cm DenyGroups ,
181and finally
182.Cm AllowGroups .
183.Pp
184See PATTERNS in
185.Xr ssh_config 5
186for more information on patterns.
187.It Cm AuthenticationMethods
188Specifies the authentication methods that must be successfully completed
189for a user to be granted access.
190This option must be followed by one or more comma-separated lists of
191authentication method names.
192Successful authentication requires completion of every method in at least
193one of these lists.
194.Pp
195For example, an argument of
196.Dq publickey,password publickey,keyboard-interactive
197would require the user to complete public key authentication, followed by
198either password or keyboard interactive authentication.
199Only methods that are next in one or more lists are offered at each stage,
200so for this example, it would not be possible to attempt password or
201keyboard-interactive authentication before public key.
202.Pp
203For keyboard interactive authentication it is also possible to
204restrict authentication to a specific device by appending a
205colon followed by the device identifier
206.Dq bsdauth ,
207.Dq pam ,
208or
209.Dq skey ,
210depending on the server configuration.
211For example,
212.Dq keyboard-interactive:bsdauth
213would restrict keyboard interactive authentication to the
214.Dq bsdauth
215device.
216.Pp
217If the
218.Dq publickey
219method is listed more than once,
220.Xr sshd 8
221verifies that keys that have been used successfully are not reused for
222subsequent authentications.
223For example, an
224.Cm AuthenticationMethods
225of
226.Dq publickey,publickey
227will require successful authentication using two different public keys.
228.Pp
229This option will yield a fatal
230error if enabled if protocol 1 is also enabled.
231Note that each authentication method listed should also be explicitly enabled
232in the configuration.
233The default is not to require multiple authentication; successful completion
234of a single authentication method is sufficient.
235.It Cm AuthorizedKeysCommand
236Specifies a program to be used to look up the user's public keys.
237The program must be owned by root, not writable by group or others and
238specified by an absolute path.
239.Pp
240Arguments to
241.Cm AuthorizedKeysCommand
242may be provided using the following tokens, which will be expanded
243at runtime: %% is replaced by a literal '%', %u is replaced by the
244username being authenticated, %h is replaced by the home directory
245of the user being authenticated, %t is replaced with the key type
246offered for authentication, %f is replaced with the fingerprint of
247the key, and %k is replaced with the key being offered for authentication.
248If no arguments are specified then the username of the target user
249will be supplied.
250.Pp
251The program should produce on standard output zero or
252more lines of authorized_keys output (see AUTHORIZED_KEYS in
253.Xr sshd 8 ) .
254If a key supplied by AuthorizedKeysCommand does not successfully authenticate
255and authorize the user then public key authentication continues using the usual
256.Cm AuthorizedKeysFile
257files.
258By default, no AuthorizedKeysCommand is run.
259.It Cm AuthorizedKeysCommandUser
260Specifies the user under whose account the AuthorizedKeysCommand is run.
261It is recommended to use a dedicated user that has no other role on the host
262than running authorized keys commands.
263If
264.Cm AuthorizedKeysCommand
265is specified but
266.Cm AuthorizedKeysCommandUser
267is not, then
268.Xr sshd 8
269will refuse to start.
270.It Cm AuthorizedKeysFile
271Specifies the file that contains the public keys that can be used
272for user authentication.
273The format is described in the
274AUTHORIZED_KEYS FILE FORMAT
275section of
276.Xr sshd 8 .
277.Cm AuthorizedKeysFile
278may contain tokens of the form %T which are substituted during connection
279setup.
280The following tokens are defined: %% is replaced by a literal '%',
281%h is replaced by the home directory of the user being authenticated, and
282%u is replaced by the username of that user.
283After expansion,
284.Cm AuthorizedKeysFile
285is taken to be an absolute path or one relative to the user's home
286directory.
287Multiple files may be listed, separated by whitespace.
288Alternately this option may be set to
289.Dq none
290to skip checking for user keys in files.
291The default is
292.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
293.It Cm AuthorizedPrincipalsCommand
294Specifies a program to be used to generate the list of allowed
295certificate principals as per
296.Cm AuthorizedPrincipalsFile .
297The program must be owned by root, not writable by group or others and
298specified by an absolute path.
299.Pp
300Arguments to
301.Cm AuthorizedPrincipalsCommand
302may be provided using the following tokens, which will be expanded
303at runtime: %% is replaced by a literal '%', %u is replaced by the
304username being authenticated and %h is replaced by the home directory
305of the user being authenticated.
306.Pp
307The program should produce on standard output zero or
308more lines of
309.Cm AuthorizedPrincipalsFile
310output.
311If either
312.Cm AuthorizedPrincipalsCommand
313or
314.Cm AuthorizedPrincipalsFile
315is specified, then certificates offered by the client for authentication
316must contain a principal that is listed.
317By default, no AuthorizedPrincipalsCommand is run.
318.It Cm AuthorizedPrincipalsCommandUser
319Specifies the user under whose account the AuthorizedPrincipalsCommand is run.
320It is recommended to use a dedicated user that has no other role on the host
321than running authorized principals commands.
322If
323.Cm AuthorizedPrincipalsCommand
324is specified but
325.Cm AuthorizedPrincipalsCommandUser
326is not, then
327.Xr sshd 8
328will refuse to start.
329.It Cm AuthorizedPrincipalsFile
330Specifies a file that lists principal names that are accepted for
331certificate authentication.
332When using certificates signed by a key listed in
333.Cm TrustedUserCAKeys ,
334this file lists names, one of which must appear in the certificate for it
335to be accepted for authentication.
336Names are listed one per line preceded by key options (as described
337in AUTHORIZED_KEYS FILE FORMAT in
338.Xr sshd 8 ) .
339Empty lines and comments starting with
340.Ql #
341are ignored.
342.Pp
343.Cm AuthorizedPrincipalsFile
344may contain tokens of the form %T which are substituted during connection
345setup.
346The following tokens are defined: %% is replaced by a literal '%',
347%h is replaced by the home directory of the user being authenticated, and
348%u is replaced by the username of that user.
349After expansion,
350.Cm AuthorizedPrincipalsFile
351is taken to be an absolute path or one relative to the user's home
352directory.
353.Pp
354The default is
355.Dq none ,
356i.e. not to use a principals file \(en in this case, the username
357of the user must appear in a certificate's principals list for it to be
358accepted.
359Note that
360.Cm AuthorizedPrincipalsFile
361is only used when authentication proceeds using a CA listed in
362.Cm TrustedUserCAKeys
363and is not consulted for certification authorities trusted via
364.Pa ~/.ssh/authorized_keys ,
365though the
366.Cm principals=
367key option offers a similar facility (see
368.Xr sshd 8
369for details).
370.It Cm Banner
371The contents of the specified file are sent to the remote user before
372authentication is allowed.
373If the argument is
374.Dq none
375then no banner is displayed.
376By default, no banner is displayed.
377.It Cm ChallengeResponseAuthentication
378Specifies whether challenge-response authentication is allowed (e.g. via
379PAM or through authentication styles supported in
380.Xr login.conf 5 )
381The default is
382.Dq yes .
383.It Cm ChrootDirectory
384Specifies the pathname of a directory to
385.Xr chroot 2
386to after authentication.
387At session startup
388.Xr sshd 8
389checks that all components of the pathname are root-owned directories
390which are not writable by any other user or group.
391After the chroot,
392.Xr sshd 8
393changes the working directory to the user's home directory.
394.Pp
395The pathname may contain the following tokens that are expanded at runtime once
396the connecting user has been authenticated: %% is replaced by a literal '%',
397%h is replaced by the home directory of the user being authenticated, and
398%u is replaced by the username of that user.
399.Pp
400The
401.Cm ChrootDirectory
402must contain the necessary files and directories to support the
403user's session.
404For an interactive session this requires at least a shell, typically
405.Xr sh 1 ,
406and basic
407.Pa /dev
408nodes such as
409.Xr null 4 ,
410.Xr zero 4 ,
411.Xr stdin 4 ,
412.Xr stdout 4 ,
413.Xr stderr 4 ,
414and
415.Xr tty 4
416devices.
417For file transfer sessions using
418.Dq sftp ,
419no additional configuration of the environment is necessary if the
420in-process sftp server is used,
421though sessions which use logging may require
422.Pa /dev/log
423inside the chroot directory on some operating systems (see
424.Xr sftp-server 8
425for details).
426.Pp
427For safety, it is very important that the directory hierarchy be
428prevented from modification by other processes on the system (especially
429those outside the jail).
430Misconfiguration can lead to unsafe environments which
431.Xr sshd 8
432cannot detect.
433.Pp
434The default is
435.Dq none ,
436indicating not to
437.Xr chroot 2 .
438.It Cm Ciphers
439Specifies the ciphers allowed.
440Multiple ciphers must be comma-separated.
441If the specified value begins with a
442.Sq +
443character, then the specified ciphers will be appended to the default set
444instead of replacing them.
445.Pp
446The supported ciphers are:
447.Pp
448.Bl -item -compact -offset indent
449.It
4503des-cbc
451.It
452aes128-cbc
453.It
454aes192-cbc
455.It
456aes256-cbc
457.It
458aes128-ctr
459.It
460aes192-ctr
461.It
462aes256-ctr
463.It
464aes128-gcm@openssh.com
465.It
466aes256-gcm@openssh.com
467.It
468arcfour
469.It
470arcfour128
471.It
472arcfour256
473.It
474blowfish-cbc
475.It
476cast128-cbc
477.It
478chacha20-poly1305@openssh.com
479.El
480.Pp
481The default is:
482.Bd -literal -offset indent
483chacha20-poly1305@openssh.com,
484aes128-ctr,aes192-ctr,aes256-ctr,
485aes128-gcm@openssh.com,aes256-gcm@openssh.com,
486aes128-cbc,aes192-cbc,aes256-cbc
487.Ed
488.Pp
489The list of available ciphers may also be obtained using the
490.Fl Q
491option of
492.Xr ssh 1
493with an argument of
494.Dq cipher .
495.It Cm ClientAliveCountMax
496Sets the number of client alive messages (see below) which may be
497sent without
498.Xr sshd 8
499receiving any messages back from the client.
500If this threshold is reached while client alive messages are being sent,
501sshd will disconnect the client, terminating the session.
502It is important to note that the use of client alive messages is very
503different from
504.Cm TCPKeepAlive
505(below).
506The client alive messages are sent through the encrypted channel
507and therefore will not be spoofable.
508The TCP keepalive option enabled by
509.Cm TCPKeepAlive
510is spoofable.
511The client alive mechanism is valuable when the client or
512server depend on knowing when a connection has become inactive.
513.Pp
514The default value is 3.
515If
516.Cm ClientAliveInterval
517(see below) is set to 15, and
518.Cm ClientAliveCountMax
519is left at the default, unresponsive SSH clients
520will be disconnected after approximately 45 seconds.
521.It Cm ClientAliveInterval
522Sets a timeout interval in seconds after which if no data has been received
523from the client,
524.Xr sshd 8
525will send a message through the encrypted
526channel to request a response from the client.
527The default
528is 0, indicating that these messages will not be sent to the client.
529.It Cm Compression
530Specifies whether compression is allowed, or delayed until
531the user has authenticated successfully.
532The argument must be
533.Dq yes ,
534.Dq delayed ,
535or
536.Dq no .
537The default is
538.Dq delayed .
539.It Cm DenyGroups
540This keyword can be followed by a list of group name patterns, separated
541by spaces.
542Login is disallowed for users whose primary group or supplementary
543group list matches one of the patterns.
544Only group names are valid; a numerical group ID is not recognized.
545By default, login is allowed for all groups.
546The allow/deny directives are processed in the following order:
547.Cm DenyUsers ,
548.Cm AllowUsers ,
549.Cm DenyGroups ,
550and finally
551.Cm AllowGroups .
552.Pp
553See PATTERNS in
554.Xr ssh_config 5
555for more information on patterns.
556.It Cm DenyUsers
557This keyword can be followed by a list of user name patterns, separated
558by spaces.
559Login is disallowed for user names that match one of the patterns.
560Only user names are valid; a numerical user ID is not recognized.
561By default, login is allowed for all users.
562If the pattern takes the form USER@HOST then USER and HOST
563are separately checked, restricting logins to particular
564users from particular hosts.
565The allow/deny directives are processed in the following order:
566.Cm DenyUsers ,
567.Cm AllowUsers ,
568.Cm DenyGroups ,
569and finally
570.Cm AllowGroups .
571.Pp
572See PATTERNS in
573.Xr ssh_config 5
574for more information on patterns.
575.It Cm FingerprintHash
576Specifies the hash algorithm used when logging key fingerprints.
577Valid options are:
578.Dq md5
579and
580.Dq sha256 .
581The default is
582.Dq sha256 .
583.It Cm ForceCommand
584Forces the execution of the command specified by
585.Cm ForceCommand ,
586ignoring any command supplied by the client and
587.Pa ~/.ssh/rc
588if present.
589The command is invoked by using the user's login shell with the -c option.
590This applies to shell, command, or subsystem execution.
591It is most useful inside a
592.Cm Match
593block.
594The command originally supplied by the client is available in the
595.Ev SSH_ORIGINAL_COMMAND
596environment variable.
597Specifying a command of
598.Dq internal-sftp
599will force the use of an in-process sftp server that requires no support
600files when used with
601.Cm ChrootDirectory .
602The default is
603.Dq none .
604.It Cm GatewayPorts
605Specifies whether remote hosts are allowed to connect to ports
606forwarded for the client.
607By default,
608.Xr sshd 8
609binds remote port forwardings to the loopback address.
610This prevents other remote hosts from connecting to forwarded ports.
611.Cm GatewayPorts
612can be used to specify that sshd
613should allow remote port forwardings to bind to non-loopback addresses, thus
614allowing other hosts to connect.
615The argument may be
616.Dq no
617to force remote port forwardings to be available to the local host only,
618.Dq yes
619to force remote port forwardings to bind to the wildcard address, or
620.Dq clientspecified
621to allow the client to select the address to which the forwarding is bound.
622The default is
623.Dq no .
624.It Cm GSSAPIAuthentication
625Specifies whether user authentication based on GSSAPI is allowed.
626The default is
627.Dq no .
628.It Cm GSSAPICleanupCredentials
629Specifies whether to automatically destroy the user's credentials cache
630on logout.
631The default is
632.Dq yes .
633.It Cm GSSAPIStrictAcceptorCheck
634Determines whether to be strict about the identity of the GSSAPI acceptor
635a client authenticates against.
636If set to
637.Dq yes
638then the client must authenticate against the
639.Pa host
640service on the current hostname.
641If set to
642.Dq no
643then the client may authenticate against any service key stored in the
644machine's default store.
645This facility is provided to assist with operation on multi homed machines.
646The default is
647.Dq yes .
648.It Cm HostbasedAcceptedKeyTypes
649Specifies the key types that will be accepted for hostbased authentication
650as a comma-separated pattern list.
651Alternately if the specified value begins with a
652.Sq +
653character, then the specified key types will be appended to the default set
654instead of replacing them.
655The default for this option is:
656.Bd -literal -offset 3n
657ecdsa-sha2-nistp256-cert-v01@openssh.com,
658ecdsa-sha2-nistp384-cert-v01@openssh.com,
659ecdsa-sha2-nistp521-cert-v01@openssh.com,
660ssh-ed25519-cert-v01@openssh.com,
661ssh-rsa-cert-v01@openssh.com,
662ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
663ssh-ed25519,ssh-rsa
664.Ed
665.Pp
666The
667.Fl Q
668option of
669.Xr ssh 1
670may be used to list supported key types.
671.It Cm HostbasedAuthentication
672Specifies whether rhosts or /etc/hosts.equiv authentication together
673with successful public key client host authentication is allowed
674(host-based authentication).
675The default is
676.Dq no .
677.It Cm HostbasedUsesNameFromPacketOnly
678Specifies whether or not the server will attempt to perform a reverse
679name lookup when matching the name in the
680.Pa ~/.shosts ,
681.Pa ~/.rhosts ,
682and
683.Pa /etc/hosts.equiv
684files during
685.Cm HostbasedAuthentication .
686A setting of
687.Dq yes
688means that
689.Xr sshd 8
690uses the name supplied by the client rather than
691attempting to resolve the name from the TCP connection itself.
692The default is
693.Dq no .
694.It Cm HostCertificate
695Specifies a file containing a public host certificate.
696The certificate's public key must match a private host key already specified
697by
698.Cm HostKey .
699The default behaviour of
700.Xr sshd 8
701is not to load any certificates.
702.It Cm HostKey
703Specifies a file containing a private host key
704used by SSH.
705The default is
706.Pa /etc/ssh/ssh_host_key
707for protocol version 1, and
708.Pa /etc/ssh/ssh_host_dsa_key ,
709.Pa /etc/ssh/ssh_host_ecdsa_key ,
710.Pa /etc/ssh/ssh_host_ed25519_key
711and
712.Pa /etc/ssh/ssh_host_rsa_key
713for protocol version 2.
714.Pp
715Note that
716.Xr sshd 8
717will refuse to use a file if it is group/world-accessible
718and that the
719.Cm HostKeyAlgorithms
720option restricts which of the keys are actually used by
721.Xr sshd 8 .
722.Pp
723It is possible to have multiple host key files.
724.Dq rsa1
725keys are used for version 1 and
726.Dq dsa ,
727.Dq ecdsa ,
728.Dq ed25519
729or
730.Dq rsa
731are used for version 2 of the SSH protocol.
732It is also possible to specify public host key files instead.
733In this case operations on the private key will be delegated
734to an
735.Xr ssh-agent 1 .
736.It Cm HostKeyAgent
737Identifies the UNIX-domain socket used to communicate
738with an agent that has access to the private host keys.
739If
740.Dq SSH_AUTH_SOCK
741is specified, the location of the socket will be read from the
742.Ev SSH_AUTH_SOCK
743environment variable.
744.It Cm HostKeyAlgorithms
745Specifies the host key algorithms
746that the server offers.
747The default for this option is:
748.Bd -literal -offset 3n
749ecdsa-sha2-nistp256-cert-v01@openssh.com,
750ecdsa-sha2-nistp384-cert-v01@openssh.com,
751ecdsa-sha2-nistp521-cert-v01@openssh.com,
752ssh-ed25519-cert-v01@openssh.com,
753ssh-rsa-cert-v01@openssh.com,
754ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
755ssh-ed25519,ssh-rsa
756.Ed
757.Pp
758The list of available key types may also be obtained using the
759.Fl Q
760option of
761.Xr ssh 1
762with an argument of
763.Dq key .
764.It Cm IgnoreRhosts
765Specifies that
766.Pa .rhosts
767and
768.Pa .shosts
769files will not be used in
770.Cm RhostsRSAAuthentication
771or
772.Cm HostbasedAuthentication .
773.Pp
774.Pa /etc/hosts.equiv
775and
776.Pa /etc/ssh/shosts.equiv
777are still used.
778The default is
779.Dq yes .
780.It Cm IgnoreUserKnownHosts
781Specifies whether
782.Xr sshd 8
783should ignore the user's
784.Pa ~/.ssh/known_hosts
785during
786.Cm RhostsRSAAuthentication
787or
788.Cm HostbasedAuthentication .
789The default is
790.Dq no .
791.It Cm IPQoS
792Specifies the IPv4 type-of-service or DSCP class for the connection.
793Accepted values are
794.Dq af11 ,
795.Dq af12 ,
796.Dq af13 ,
797.Dq af21 ,
798.Dq af22 ,
799.Dq af23 ,
800.Dq af31 ,
801.Dq af32 ,
802.Dq af33 ,
803.Dq af41 ,
804.Dq af42 ,
805.Dq af43 ,
806.Dq cs0 ,
807.Dq cs1 ,
808.Dq cs2 ,
809.Dq cs3 ,
810.Dq cs4 ,
811.Dq cs5 ,
812.Dq cs6 ,
813.Dq cs7 ,
814.Dq ef ,
815.Dq lowdelay ,
816.Dq throughput ,
817.Dq reliability ,
818or a numeric value.
819This option may take one or two arguments, separated by whitespace.
820If one argument is specified, it is used as the packet class unconditionally.
821If two values are specified, the first is automatically selected for
822interactive sessions and the second for non-interactive sessions.
823The default is
824.Dq lowdelay
825for interactive sessions and
826.Dq throughput
827for non-interactive sessions.
828.It Cm KbdInteractiveAuthentication
829Specifies whether to allow keyboard-interactive authentication.
830The argument to this keyword must be
831.Dq yes
832or
833.Dq no .
834The default is to use whatever value
835.Cm ChallengeResponseAuthentication
836is set to
837(by default
838.Dq yes ) .
839.It Cm KerberosAuthentication
840Specifies whether the password provided by the user for
841.Cm PasswordAuthentication
842will be validated through the Kerberos KDC.
843To use this option, the server needs a
844Kerberos servtab which allows the verification of the KDC's identity.
845The default is
846.Dq no .
847.It Cm KerberosGetAFSToken
848If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
849an AFS token before accessing the user's home directory.
850The default is
851.Dq no .
852.It Cm KerberosOrLocalPasswd
853If password authentication through Kerberos fails then
854the password will be validated via any additional local mechanism
855such as
856.Pa /etc/passwd .
857The default is
858.Dq yes .
859.It Cm KerberosTicketCleanup
860Specifies whether to automatically destroy the user's ticket cache
861file on logout.
862The default is
863.Dq yes .
864.It Cm KexAlgorithms
865Specifies the available KEX (Key Exchange) algorithms.
866Multiple algorithms must be comma-separated.
867Alternately if the specified value begins with a
868.Sq +
869character, then the specified methods will be appended to the default set
870instead of replacing them.
871The supported algorithms are:
872.Pp
873.Bl -item -compact -offset indent
874.It
875curve25519-sha256@libssh.org
876.It
877diffie-hellman-group1-sha1
878.It
879diffie-hellman-group14-sha1
880.It
881diffie-hellman-group-exchange-sha1
882.It
883diffie-hellman-group-exchange-sha256
884.It
885ecdh-sha2-nistp256
886.It
887ecdh-sha2-nistp384
888.It
889ecdh-sha2-nistp521
890.El
891.Pp
892The default is:
893.Bd -literal -offset indent
894curve25519-sha256@libssh.org,
895ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
896diffie-hellman-group-exchange-sha256,
897diffie-hellman-group14-sha1
898.Ed
899.Pp
900The list of available key exchange algorithms may also be obtained using the
901.Fl Q
902option of
903.Xr ssh 1
904with an argument of
905.Dq kex .
906.It Cm KeyRegenerationInterval
907In protocol version 1, the ephemeral server key is automatically regenerated
908after this many seconds (if it has been used).
909The purpose of regeneration is to prevent
910decrypting captured sessions by later breaking into the machine and
911stealing the keys.
912The key is never stored anywhere.
913If the value is 0, the key is never regenerated.
914The default is 3600 (seconds).
915.It Cm ListenAddress
916Specifies the local addresses
917.Xr sshd 8
918should listen on.
919The following forms may be used:
920.Pp
921.Bl -item -offset indent -compact
922.It
923.Cm ListenAddress
924.Sm off
925.Ar host | Ar IPv4_addr | Ar IPv6_addr
926.Sm on
927.It
928.Cm ListenAddress
929.Sm off
930.Ar host | Ar IPv4_addr : Ar port
931.Sm on
932.It
933.Cm ListenAddress
934.Sm off
935.Oo
936.Ar host | Ar IPv6_addr Oc : Ar port
937.Sm on
938.El
939.Pp
940If
941.Ar port
942is not specified,
943sshd will listen on the address and all
944.Cm Port
945options specified.
946The default is to listen on all local addresses.
947Multiple
948.Cm ListenAddress
949options are permitted.
950.It Cm LoginGraceTime
951The server disconnects after this time if the user has not
952successfully logged in.
953If the value is 0, there is no time limit.
954The default is 120 seconds.
955.It Cm LogLevel
956Gives the verbosity level that is used when logging messages from
957.Xr sshd 8 .
958The possible values are:
959QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
960The default is INFO.
961DEBUG and DEBUG1 are equivalent.
962DEBUG2 and DEBUG3 each specify higher levels of debugging output.
963Logging with a DEBUG level violates the privacy of users and is not recommended.
964.It Cm MACs
965Specifies the available MAC (message authentication code) algorithms.
966The MAC algorithm is used for data integrity protection.
967Multiple algorithms must be comma-separated.
968If the specified value begins with a
969.Sq +
970character, then the specified algorithms will be appended to the default set
971instead of replacing them.
972.Pp
973The algorithms that contain
974.Dq -etm
975calculate the MAC after encryption (encrypt-then-mac).
976These are considered safer and their use recommended.
977The supported MACs are:
978.Pp
979.Bl -item -compact -offset indent
980.It
981hmac-md5
982.It
983hmac-md5-96
984.It
985hmac-ripemd160
986.It
987hmac-sha1
988.It
989hmac-sha1-96
990.It
991hmac-sha2-256
992.It
993hmac-sha2-512
994.It
995umac-64@openssh.com
996.It
997umac-128@openssh.com
998.It
999hmac-md5-etm@openssh.com
1000.It
1001hmac-md5-96-etm@openssh.com
1002.It
1003hmac-ripemd160-etm@openssh.com
1004.It
1005hmac-sha1-etm@openssh.com
1006.It
1007hmac-sha1-96-etm@openssh.com
1008.It
1009hmac-sha2-256-etm@openssh.com
1010.It
1011hmac-sha2-512-etm@openssh.com
1012.It
1013umac-64-etm@openssh.com
1014.It
1015umac-128-etm@openssh.com
1016.El
1017.Pp
1018The default is:
1019.Bd -literal -offset indent
1020umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1021hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1022hmac-sha1-etm@openssh.com,
1023umac-64@openssh.com,umac-128@openssh.com,
1024hmac-sha2-256,hmac-sha2-512,hmac-sha1
1025.Ed
1026.Pp
1027The list of available MAC algorithms may also be obtained using the
1028.Fl Q
1029option of
1030.Xr ssh 1
1031with an argument of
1032.Dq mac .
1033.It Cm Match
1034Introduces a conditional block.
1035If all of the criteria on the
1036.Cm Match
1037line are satisfied, the keywords on the following lines override those
1038set in the global section of the config file, until either another
1039.Cm Match
1040line or the end of the file.
1041If a keyword appears in multiple
1042.Cm Match
1043blocks that are satisfied, only the first instance of the keyword is
1044applied.
1045.Pp
1046The arguments to
1047.Cm Match
1048are one or more criteria-pattern pairs or the single token
1049.Cm All
1050which matches all criteria.
1051The available criteria are
1052.Cm User ,
1053.Cm Group ,
1054.Cm Host ,
1055.Cm LocalAddress ,
1056.Cm LocalPort ,
1057and
1058.Cm Address .
1059The match patterns may consist of single entries or comma-separated
1060lists and may use the wildcard and negation operators described in the
1061PATTERNS section of
1062.Xr ssh_config 5 .
1063.Pp
1064The patterns in an
1065.Cm Address
1066criteria may additionally contain addresses to match in CIDR
1067address/masklen format, e.g.\&
1068.Dq 192.0.2.0/24
1069or
1070.Dq 3ffe:ffff::/32 .
1071Note that the mask length provided must be consistent with the address -
1072it is an error to specify a mask length that is too long for the address
1073or one with bits set in this host portion of the address.
1074For example,
1075.Dq 192.0.2.0/33
1076and
1077.Dq 192.0.2.0/8
1078respectively.
1079.Pp
1080Only a subset of keywords may be used on the lines following a
1081.Cm Match
1082keyword.
1083Available keywords are
1084.Cm AcceptEnv ,
1085.Cm AllowAgentForwarding ,
1086.Cm AllowGroups ,
1087.Cm AllowStreamLocalForwarding ,
1088.Cm AllowTcpForwarding ,
1089.Cm AllowUsers ,
1090.Cm AuthenticationMethods ,
1091.Cm AuthorizedKeysCommand ,
1092.Cm AuthorizedKeysCommandUser ,
1093.Cm AuthorizedKeysFile ,
1094.Cm AuthorizedPrincipalsCommand ,
1095.Cm AuthorizedPrincipalsCommandUser ,
1096.Cm AuthorizedPrincipalsFile ,
1097.Cm Banner ,
1098.Cm ChrootDirectory ,
1099.Cm DenyGroups ,
1100.Cm DenyUsers ,
1101.Cm ForceCommand ,
1102.Cm GatewayPorts ,
1103.Cm GSSAPIAuthentication ,
1104.Cm HostbasedAcceptedKeyTypes ,
1105.Cm HostbasedAuthentication ,
1106.Cm HostbasedUsesNameFromPacketOnly ,
1107.Cm IPQoS ,
1108.Cm KbdInteractiveAuthentication ,
1109.Cm KerberosAuthentication ,
1110.Cm MaxAuthTries ,
1111.Cm MaxSessions ,
1112.Cm PasswordAuthentication ,
1113.Cm PermitEmptyPasswords ,
1114.Cm PermitOpen ,
1115.Cm PermitRootLogin ,
1116.Cm PermitTTY ,
1117.Cm PermitTunnel ,
1118.Cm PermitUserRC ,
1119.Cm PubkeyAcceptedKeyTypes ,
1120.Cm PubkeyAuthentication ,
1121.Cm RekeyLimit ,
1122.Cm RevokedKeys ,
1123.Cm RhostsRSAAuthentication ,
1124.Cm RSAAuthentication ,
1125.Cm StreamLocalBindMask ,
1126.Cm StreamLocalBindUnlink ,
1127.Cm TrustedUserCAKeys ,
1128.Cm X11DisplayOffset ,
1129.Cm X11Forwarding
1130and
1131.Cm X11UseLocalHost .
1132.It Cm MaxAuthTries
1133Specifies the maximum number of authentication attempts permitted per
1134connection.
1135Once the number of failures reaches half this value,
1136additional failures are logged.
1137The default is 6.
1138.It Cm MaxSessions
1139Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
1140sessions permitted per network connection.
1141Multiple sessions may be established by clients that support connection
1142multiplexing.
1143Setting
1144.Cm MaxSessions
1145to 1 will effectively disable session multiplexing, whereas setting it to 0
1146will prevent all shell, login and subsystem sessions while still permitting
1147forwarding.
1148The default is 10.
1149.It Cm MaxStartups
1150Specifies the maximum number of concurrent unauthenticated connections to the
1151SSH daemon.
1152Additional connections will be dropped until authentication succeeds or the
1153.Cm LoginGraceTime
1154expires for a connection.
1155The default is 10:30:100.
1156.Pp
1157Alternatively, random early drop can be enabled by specifying
1158the three colon separated values
1159.Dq start:rate:full
1160(e.g. "10:30:60").
1161.Xr sshd 8
1162will refuse connection attempts with a probability of
1163.Dq rate/100
1164(30%)
1165if there are currently
1166.Dq start
1167(10)
1168unauthenticated connections.
1169The probability increases linearly and all connection attempts
1170are refused if the number of unauthenticated connections reaches
1171.Dq full
1172(60).
1173.It Cm PasswordAuthentication
1174Specifies whether password authentication is allowed.
1175See also
1176.Cm UsePAM .
1177The default is
1178.Dq no .
1179.It Cm PermitEmptyPasswords
1180When password authentication is allowed, it specifies whether the
1181server allows login to accounts with empty password strings.
1182The default is
1183.Dq no .
1184.It Cm PermitOpen
1185Specifies the destinations to which TCP port forwarding is permitted.
1186The forwarding specification must be one of the following forms:
1187.Pp
1188.Bl -item -offset indent -compact
1189.It
1190.Cm PermitOpen
1191.Sm off
1192.Ar host : port
1193.Sm on
1194.It
1195.Cm PermitOpen
1196.Sm off
1197.Ar IPv4_addr : port
1198.Sm on
1199.It
1200.Cm PermitOpen
1201.Sm off
1202.Ar \&[ IPv6_addr \&] : port
1203.Sm on
1204.El
1205.Pp
1206Multiple forwards may be specified by separating them with whitespace.
1207An argument of
1208.Dq any
1209can be used to remove all restrictions and permit any forwarding requests.
1210An argument of
1211.Dq none
1212can be used to prohibit all forwarding requests.
1213By default all port forwarding requests are permitted.
1214.It Cm PermitRootLogin
1215Specifies whether root can log in using
1216.Xr ssh 1 .
1217The argument must be
1218.Dq yes ,
1219.Dq prohibit-password ,
1220.Dq without-password ,
1221.Dq forced-commands-only ,
1222or
1223.Dq no .
1224The default is
1225.Dq no .
1226Note that if
1227.Cm ChallengeResponseAuthentication
1228is
1229.Dq yes ,
1230the root user may be allowed in with its password even if
1231.Cm PermitRootLogin is set to
1232.Dq without-password .
1233.Pp
1234If this option is set to
1235.Dq prohibit-password
1236or
1237.Dq without-password ,
1238password and keyboard-interactive authentication are disabled for root.
1239.Pp
1240If this option is set to
1241.Dq forced-commands-only ,
1242root login with public key authentication will be allowed,
1243but only if the
1244.Ar command
1245option has been specified
1246(which may be useful for taking remote backups even if root login is
1247normally not allowed).
1248All other authentication methods are disabled for root.
1249.Pp
1250If this option is set to
1251.Dq no ,
1252root is not allowed to log in.
1253.It Cm PermitTunnel
1254Specifies whether
1255.Xr tun 4
1256device forwarding is allowed.
1257The argument must be
1258.Dq yes ,
1259.Dq point-to-point
1260(layer 3),
1261.Dq ethernet
1262(layer 2), or
1263.Dq no .
1264Specifying
1265.Dq yes
1266permits both
1267.Dq point-to-point
1268and
1269.Dq ethernet .
1270The default is
1271.Dq no .
1272.Pp
1273Independent of this setting, the permissions of the selected
1274.Xr tun 4
1275device must allow access to the user.
1276.It Cm PermitTTY
1277Specifies whether
1278.Xr pty 4
1279allocation is permitted.
1280The default is
1281.Dq yes .
1282.It Cm PermitUserEnvironment
1283Specifies whether
1284.Pa ~/.ssh/environment
1285and
1286.Cm environment=
1287options in
1288.Pa ~/.ssh/authorized_keys
1289are processed by
1290.Xr sshd 8 .
1291The default is
1292.Dq no .
1293Enabling environment processing may enable users to bypass access
1294restrictions in some configurations using mechanisms such as
1295.Ev LD_PRELOAD .
1296.It Cm PermitUserRC
1297Specifies whether any
1298.Pa ~/.ssh/rc
1299file is executed.
1300The default is
1301.Dq yes .
1302.It Cm PidFile
1303Specifies the file that contains the process ID of the
1304SSH daemon, or
1305.Dq none
1306to not write one.
1307The default is
1308.Pa /var/run/sshd.pid .
1309.It Cm Port
1310Specifies the port number that
1311.Xr sshd 8
1312listens on.
1313The default is 22.
1314Multiple options of this type are permitted.
1315See also
1316.Cm ListenAddress .
1317.It Cm PrintLastLog
1318Specifies whether
1319.Xr sshd 8
1320should print the date and time of the last user login when a user logs
1321in interactively.
1322The default is
1323.Dq yes .
1324.It Cm PrintMotd
1325Specifies whether
1326.Xr sshd 8
1327should print
1328.Pa /etc/motd
1329when a user logs in interactively.
1330(On some systems it is also printed by the shell,
1331.Pa /etc/profile ,
1332or equivalent.)
1333The default is
1334.Dq yes .
1335.It Cm Protocol
1336Specifies the protocol versions
1337.Xr sshd 8
1338supports.
1339The possible values are
1340.Sq 1
1341and
1342.Sq 2 .
1343Multiple versions must be comma-separated.
1344The default is
1345.Sq 2 .
1346Protocol 1 suffers from a number of cryptographic weaknesses and should
1347not be used.
1348It is only offered to support legacy devices.
1349.Pp
1350Note that the order of the protocol list does not indicate preference,
1351because the client selects among multiple protocol versions offered
1352by the server.
1353Specifying
1354.Dq 2,1
1355is identical to
1356.Dq 1,2 .
1357.It Cm PubkeyAcceptedKeyTypes
1358Specifies the key types that will be accepted for public key authentication
1359as a comma-separated pattern list.
1360Alternately if the specified value begins with a
1361.Sq +
1362character, then the specified key types will be appended to the default set
1363instead of replacing them.
1364The default for this option is:
1365.Bd -literal -offset 3n
1366ecdsa-sha2-nistp256-cert-v01@openssh.com,
1367ecdsa-sha2-nistp384-cert-v01@openssh.com,
1368ecdsa-sha2-nistp521-cert-v01@openssh.com,
1369ssh-ed25519-cert-v01@openssh.com,
1370ssh-rsa-cert-v01@openssh.com,
1371ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1372ssh-ed25519,ssh-rsa
1373.Ed
1374.Pp
1375The
1376.Fl Q
1377option of
1378.Xr ssh 1
1379may be used to list supported key types.
1380.It Cm PubkeyAuthentication
1381Specifies whether public key authentication is allowed.
1382The default is
1383.Dq yes .
1384.It Cm RekeyLimit
1385Specifies the maximum amount of data that may be transmitted before the
1386session key is renegotiated, optionally followed a maximum amount of
1387time that may pass before the session key is renegotiated.
1388The first argument is specified in bytes and may have a suffix of
1389.Sq K ,
1390.Sq M ,
1391or
1392.Sq G
1393to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1394The default is between
1395.Sq 1G
1396and
1397.Sq 4G ,
1398depending on the cipher.
1399The optional second value is specified in seconds and may use any of the
1400units documented in the
1401.Sx TIME FORMATS
1402section.
1403The default value for
1404.Cm RekeyLimit
1405is
1406.Dq default none ,
1407which means that rekeying is performed after the cipher's default amount
1408of data has been sent or received and no time based rekeying is done.
1409.It Cm RevokedKeys
1410Specifies revoked public keys file, or
1411.Dq none
1412to not use one.
1413Keys listed in this file will be refused for public key authentication.
1414Note that if this file is not readable, then public key authentication will
1415be refused for all users.
1416Keys may be specified as a text file, listing one public key per line, or as
1417an OpenSSH Key Revocation List (KRL) as generated by
1418.Xr ssh-keygen 1 .
1419For more information on KRLs, see the KEY REVOCATION LISTS section in
1420.Xr ssh-keygen 1 .
1421.It Cm RhostsRSAAuthentication
1422Specifies whether rhosts or
1423.Pa /etc/hosts.equiv
1424authentication together
1425with successful RSA host authentication is allowed.
1426The default is
1427.Dq no .
1428This option applies to protocol version 1 only.
1429.It Cm RSAAuthentication
1430Specifies whether pure RSA authentication is allowed.
1431The default is
1432.Dq yes .
1433This option applies to protocol version 1 only.
1434.It Cm ServerKeyBits
1435Defines the number of bits in the ephemeral protocol version 1 server key.
1436The default and minimum value is 1024.
1437.It Cm StreamLocalBindMask
1438Sets the octal file creation mode mask
1439.Pq umask
1440used when creating a Unix-domain socket file for local or remote
1441port forwarding.
1442This option is only used for port forwarding to a Unix-domain socket file.
1443.Pp
1444The default value is 0177, which creates a Unix-domain socket file that is
1445readable and writable only by the owner.
1446Note that not all operating systems honor the file mode on Unix-domain
1447socket files.
1448.It Cm StreamLocalBindUnlink
1449Specifies whether to remove an existing Unix-domain socket file for local
1450or remote port forwarding before creating a new one.
1451If the socket file already exists and
1452.Cm StreamLocalBindUnlink
1453is not enabled,
1454.Nm sshd
1455will be unable to forward the port to the Unix-domain socket file.
1456This option is only used for port forwarding to a Unix-domain socket file.
1457.Pp
1458The argument must be
1459.Dq yes
1460or
1461.Dq no .
1462The default is
1463.Dq no .
1464.It Cm StrictModes
1465Specifies whether
1466.Xr sshd 8
1467should check file modes and ownership of the
1468user's files and home directory before accepting login.
1469This is normally desirable because novices sometimes accidentally leave their
1470directory or files world-writable.
1471The default is
1472.Dq yes .
1473Note that this does not apply to
1474.Cm ChrootDirectory ,
1475whose permissions and ownership are checked unconditionally.
1476.It Cm Subsystem
1477Configures an external subsystem (e.g. file transfer daemon).
1478Arguments should be a subsystem name and a command (with optional arguments)
1479to execute upon subsystem request.
1480.Pp
1481The command
1482.Xr sftp-server 8
1483implements the
1484.Dq sftp
1485file transfer subsystem.
1486.Pp
1487Alternately the name
1488.Dq internal-sftp
1489implements an in-process
1490.Dq sftp
1491server.
1492This may simplify configurations using
1493.Cm ChrootDirectory
1494to force a different filesystem root on clients.
1495.Pp
1496By default no subsystems are defined.
1497.It Cm SyslogFacility
1498Gives the facility code that is used when logging messages from
1499.Xr sshd 8 .
1500The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1501LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1502The default is AUTH.
1503.It Cm TCPKeepAlive
1504Specifies whether the system should send TCP keepalive messages to the
1505other side.
1506If they are sent, death of the connection or crash of one
1507of the machines will be properly noticed.
1508However, this means that
1509connections will die if the route is down temporarily, and some people
1510find it annoying.
1511On the other hand, if TCP keepalives are not sent,
1512sessions may hang indefinitely on the server, leaving
1513.Dq ghost
1514users and consuming server resources.
1515.Pp
1516The default is
1517.Dq yes
1518(to send TCP keepalive messages), and the server will notice
1519if the network goes down or the client host crashes.
1520This avoids infinitely hanging sessions.
1521.Pp
1522To disable TCP keepalive messages, the value should be set to
1523.Dq no .
1524.It Cm TrustedUserCAKeys
1525Specifies a file containing public keys of certificate authorities that are
1526trusted to sign user certificates for authentication, or
1527.Dq none
1528to not use one.
1529Keys are listed one per line; empty lines and comments starting with
1530.Ql #
1531are allowed.
1532If a certificate is presented for authentication and has its signing CA key
1533listed in this file, then it may be used for authentication for any user
1534listed in the certificate's principals list.
1535Note that certificates that lack a list of principals will not be permitted
1536for authentication using
1537.Cm TrustedUserCAKeys .
1538For more details on certificates, see the CERTIFICATES section in
1539.Xr ssh-keygen 1 .
1540.It Cm UseBlacklist
1541Specifies whether
1542.Xr sshd 8
1543attempts to send authentication success and failure messages
1544to the
1545.Xr blacklistd 8
1546daemon.
1547The default is
1548.Dq no .
1549.It Cm UseDNS
1550Specifies whether
1551.Xr sshd 8
1552should look up the remote host name, and to check that
1553the resolved host name for the remote IP address maps back to the
1554very same IP address.
1555.Pp
1556If this option is set to
1557.Dq no ,
1558then only addresses and not host names may be used in
1559.Pa ~/.ssh/known_hosts
1560.Cm from
1561and
1562.Nm
1563.Cm Match
1564.Cm Host
1565directives.
1566The default is
1567.Dq yes .
1568.It Cm UseLogin
1569Specifies whether
1570.Xr login 1
1571is used for interactive login sessions.
1572The default is
1573.Dq no .
1574Note that
1575.Xr login 1
1576is never used for remote command execution.
1577Note also, that if this is enabled,
1578.Cm X11Forwarding
1579will be disabled because
1580.Xr login 1
1581does not know how to handle
1582.Xr xauth 1
1583cookies.
1584If
1585.Cm UsePrivilegeSeparation
1586is specified, it will be disabled after authentication.
1587.It Cm UsePAM
1588Enables the Pluggable Authentication Module interface.
1589If set to
1590.Dq yes
1591this will enable PAM authentication using
1592.Cm ChallengeResponseAuthentication
1593and
1594.Cm PasswordAuthentication
1595in addition to PAM account and session module processing for all
1596authentication types.
1597.Pp
1598Because PAM challenge-response authentication usually serves an equivalent
1599role to password authentication, you should disable either
1600.Cm PasswordAuthentication
1601or
1602.Cm ChallengeResponseAuthentication.
1603.Pp
1604If
1605.Cm UsePAM
1606is enabled, you will not be able to run
1607.Xr sshd 8
1608as a non-root user.
1609The default is
1610.Dq yes .
1611.It Cm UsePrivilegeSeparation
1612Specifies whether
1613.Xr sshd 8
1614separates privileges by creating an unprivileged child process
1615to deal with incoming network traffic.
1616After successful authentication, another process will be created that has
1617the privilege of the authenticated user.
1618The goal of privilege separation is to prevent privilege
1619escalation by containing any corruption within the unprivileged processes.
1620The argument must be
1621.Dq yes ,
1622.Dq no ,
1623or
1624.Dq sandbox .
1625If
1626.Cm UsePrivilegeSeparation
1627is set to
1628.Dq sandbox
1629then the pre-authentication unprivileged process is subject to additional
1630restrictions.
1631The default is
1632.Dq sandbox .
1633.It Cm VersionAddendum
1634Optionally specifies additional text to append to the SSH protocol banner
1635sent by the server upon connection.
1636The default is
1637.Dq FreeBSD-20161230 .
1638The value
1639.Dq none
1640may be used to disable this.
1641.It Cm X11DisplayOffset
1642Specifies the first display number available for
1643.Xr sshd 8 Ns 's
1644X11 forwarding.
1645This prevents sshd from interfering with real X11 servers.
1646The default is 10.
1647.It Cm X11Forwarding
1648Specifies whether X11 forwarding is permitted.
1649The argument must be
1650.Dq yes
1651or
1652.Dq no .
1653The default is
1654.Dq yes .
1655.Pp
1656When X11 forwarding is enabled, there may be additional exposure to
1657the server and to client displays if the
1658.Xr sshd 8
1659proxy display is configured to listen on the wildcard address (see
1660.Cm X11UseLocalhost
1661below), though this is not the default.
1662Additionally, the authentication spoofing and authentication data
1663verification and substitution occur on the client side.
1664The security risk of using X11 forwarding is that the client's X11
1665display server may be exposed to attack when the SSH client requests
1666forwarding (see the warnings for
1667.Cm ForwardX11
1668in
1669.Xr ssh_config 5 ) .
1670A system administrator may have a stance in which they want to
1671protect clients that may expose themselves to attack by unwittingly
1672requesting X11 forwarding, which can warrant a
1673.Dq no
1674setting.
1675.Pp
1676Note that disabling X11 forwarding does not prevent users from
1677forwarding X11 traffic, as users can always install their own forwarders.
1678X11 forwarding is automatically disabled if
1679.Cm UseLogin
1680is enabled.
1681.It Cm X11UseLocalhost
1682Specifies whether
1683.Xr sshd 8
1684should bind the X11 forwarding server to the loopback address or to
1685the wildcard address.
1686By default,
1687sshd binds the forwarding server to the loopback address and sets the
1688hostname part of the
1689.Ev DISPLAY
1690environment variable to
1691.Dq localhost .
1692This prevents remote hosts from connecting to the proxy display.
1693However, some older X11 clients may not function with this
1694configuration.
1695.Cm X11UseLocalhost
1696may be set to
1697.Dq no
1698to specify that the forwarding server should be bound to the wildcard
1699address.
1700The argument must be
1701.Dq yes
1702or
1703.Dq no .
1704The default is
1705.Dq yes .
1706.It Cm XAuthLocation
1707Specifies the full pathname of the
1708.Xr xauth 1
1709program, or
1710.Dq none
1711to not use one.
1712The default is
1713.Pa /usr/local/bin/xauth .
1714.El
1715.Sh TIME FORMATS
1716.Xr sshd 8
1717command-line arguments and configuration file options that specify time
1718may be expressed using a sequence of the form:
1719.Sm off
1720.Ar time Op Ar qualifier ,
1721.Sm on
1722where
1723.Ar time
1724is a positive integer value and
1725.Ar qualifier
1726is one of the following:
1727.Pp
1728.Bl -tag -width Ds -compact -offset indent
1729.It Aq Cm none
1730seconds
1731.It Cm s | Cm S
1732seconds
1733.It Cm m | Cm M
1734minutes
1735.It Cm h | Cm H
1736hours
1737.It Cm d | Cm D
1738days
1739.It Cm w | Cm W
1740weeks
1741.El
1742.Pp
1743Each member of the sequence is added together to calculate
1744the total time value.
1745.Pp
1746Time format examples:
1747.Pp
1748.Bl -tag -width Ds -compact -offset indent
1749.It 600
1750600 seconds (10 minutes)
1751.It 10m
175210 minutes
1753.It 1h30m
17541 hour 30 minutes (90 minutes)
1755.El
1756.Sh FILES
1757.Bl -tag -width Ds
1758.It Pa /etc/ssh/sshd_config
1759Contains configuration data for
1760.Xr sshd 8 .
1761This file should be writable by root only, but it is recommended
1762(though not necessary) that it be world-readable.
1763.El
1764.Sh SEE ALSO
1765.Xr sshd 8
1766.Sh AUTHORS
1767OpenSSH is a derivative of the original and free
1768ssh 1.2.12 release by Tatu Ylonen.
1769Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1770Theo de Raadt and Dug Song
1771removed many bugs, re-added newer features and
1772created OpenSSH.
1773Markus Friedl contributed the support for SSH
1774protocol versions 1.5 and 2.0.
1775Niels Provos and Markus Friedl contributed support
1776for privilege separation.
1777