xref: /freebsd/crypto/openssh/sshd_config.5 (revision d9f0ce31900a48d1a2bfc1c8c86f79d1e831451a)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $
37.\" $FreeBSD$
38.Dd $Mdocdate: February 17 2016 $
39.Dt SSHD_CONFIG 5
40.Os
41.Sh NAME
42.Nm sshd_config
43.Nd OpenSSH SSH daemon configuration file
44.Sh SYNOPSIS
45.Nm /etc/ssh/sshd_config
46.Sh DESCRIPTION
47.Xr sshd 8
48reads configuration data from
49.Pa /etc/ssh/sshd_config
50(or the file specified with
51.Fl f
52on the command line).
53The file contains keyword-argument pairs, one per line.
54Lines starting with
55.Ql #
56and empty lines are interpreted as comments.
57Arguments may optionally be enclosed in double quotes
58.Pq \&"
59in order to represent arguments containing spaces.
60.Pp
61The possible
62keywords and their meanings are as follows (note that
63keywords are case-insensitive and arguments are case-sensitive):
64.Bl -tag -width Ds
65.It Cm AcceptEnv
66Specifies what environment variables sent by the client will be copied into
67the session's
68.Xr environ 7 .
69See
70.Cm SendEnv
71in
72.Xr ssh_config 5
73for how to configure the client.
74The
75.Ev TERM
76environment variable is always sent whenever the client
77requests a pseudo-terminal as it is required by the protocol.
78Variables are specified by name, which may contain the wildcard characters
79.Ql *
80and
81.Ql \&? .
82Multiple environment variables may be separated by whitespace or spread
83across multiple
84.Cm AcceptEnv
85directives.
86Be warned that some environment variables could be used to bypass restricted
87user environments.
88For this reason, care should be taken in the use of this directive.
89The default is not to accept any environment variables.
90.It Cm AddressFamily
91Specifies which address family should be used by
92.Xr sshd 8 .
93Valid arguments are
94.Dq any ,
95.Dq inet
96(use IPv4 only), or
97.Dq inet6
98(use IPv6 only).
99The default is
100.Dq any .
101.It Cm AllowAgentForwarding
102Specifies whether
103.Xr ssh-agent 1
104forwarding is permitted.
105The default is
106.Dq yes .
107Note that disabling agent forwarding does not improve security
108unless users are also denied shell access, as they can always install
109their own forwarders.
110.It Cm AllowGroups
111This keyword can be followed by a list of group name patterns, separated
112by spaces.
113If specified, login is allowed only for users whose primary
114group or supplementary group list matches one of the patterns.
115Only group names are valid; a numerical group ID is not recognized.
116By default, login is allowed for all groups.
117The allow/deny directives are processed in the following order:
118.Cm DenyUsers ,
119.Cm AllowUsers ,
120.Cm DenyGroups ,
121and finally
122.Cm AllowGroups .
123.Pp
124See PATTERNS in
125.Xr ssh_config 5
126for more information on patterns.
127.It Cm AllowTcpForwarding
128Specifies whether TCP forwarding is permitted.
129The available options are
130.Dq yes
131or
132.Dq all
133to allow TCP forwarding,
134.Dq no
135to prevent all TCP forwarding,
136.Dq local
137to allow local (from the perspective of
138.Xr ssh 1 )
139forwarding only or
140.Dq remote
141to allow remote forwarding only.
142The default is
143.Dq yes .
144Note that disabling TCP forwarding does not improve security unless
145users are also denied shell access, as they can always install their
146own forwarders.
147.It Cm AllowStreamLocalForwarding
148Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
149The available options are
150.Dq yes
151or
152.Dq all
153to allow StreamLocal forwarding,
154.Dq no
155to prevent all StreamLocal forwarding,
156.Dq local
157to allow local (from the perspective of
158.Xr ssh 1 )
159forwarding only or
160.Dq remote
161to allow remote forwarding only.
162The default is
163.Dq yes .
164Note that disabling StreamLocal forwarding does not improve security unless
165users are also denied shell access, as they can always install their
166own forwarders.
167.It Cm AllowUsers
168This keyword can be followed by a list of user name patterns, separated
169by spaces.
170If specified, login is allowed only for user names that
171match one of the patterns.
172Only user names are valid; a numerical user ID is not recognized.
173By default, login is allowed for all users.
174If the pattern takes the form USER@HOST then USER and HOST
175are separately checked, restricting logins to particular
176users from particular hosts.
177The allow/deny directives are processed in the following order:
178.Cm DenyUsers ,
179.Cm AllowUsers ,
180.Cm DenyGroups ,
181and finally
182.Cm AllowGroups .
183.Pp
184See PATTERNS in
185.Xr ssh_config 5
186for more information on patterns.
187.It Cm AuthenticationMethods
188Specifies the authentication methods that must be successfully completed
189for a user to be granted access.
190This option must be followed by one or more comma-separated lists of
191authentication method names.
192Successful authentication requires completion of every method in at least
193one of these lists.
194.Pp
195For example, an argument of
196.Dq publickey,password publickey,keyboard-interactive
197would require the user to complete public key authentication, followed by
198either password or keyboard interactive authentication.
199Only methods that are next in one or more lists are offered at each stage,
200so for this example, it would not be possible to attempt password or
201keyboard-interactive authentication before public key.
202.Pp
203For keyboard interactive authentication it is also possible to
204restrict authentication to a specific device by appending a
205colon followed by the device identifier
206.Dq bsdauth ,
207.Dq pam ,
208or
209.Dq skey ,
210depending on the server configuration.
211For example,
212.Dq keyboard-interactive:bsdauth
213would restrict keyboard interactive authentication to the
214.Dq bsdauth
215device.
216.Pp
217If the
218.Dq publickey
219method is listed more than once,
220.Xr sshd 8
221verifies that keys that have been used successfully are not reused for
222subsequent authentications.
223For example, an
224.Cm AuthenticationMethods
225of
226.Dq publickey,publickey
227will require successful authentication using two different public keys.
228.Pp
229This option will yield a fatal
230error if enabled if protocol 1 is also enabled.
231Note that each authentication method listed should also be explicitly enabled
232in the configuration.
233The default is not to require multiple authentication; successful completion
234of a single authentication method is sufficient.
235.It Cm AuthorizedKeysCommand
236Specifies a program to be used to look up the user's public keys.
237The program must be owned by root, not writable by group or others and
238specified by an absolute path.
239.Pp
240Arguments to
241.Cm AuthorizedKeysCommand
242may be provided using the following tokens, which will be expanded
243at runtime: %% is replaced by a literal '%', %u is replaced by the
244username being authenticated, %h is replaced by the home directory
245of the user being authenticated, %t is replaced with the key type
246offered for authentication, %f is replaced with the fingerprint of
247the key, and %k is replaced with the key being offered for authentication.
248If no arguments are specified then the username of the target user
249will be supplied.
250.Pp
251The program should produce on standard output zero or
252more lines of authorized_keys output (see AUTHORIZED_KEYS in
253.Xr sshd 8 ) .
254If a key supplied by AuthorizedKeysCommand does not successfully authenticate
255and authorize the user then public key authentication continues using the usual
256.Cm AuthorizedKeysFile
257files.
258By default, no AuthorizedKeysCommand is run.
259.It Cm AuthorizedKeysCommandUser
260Specifies the user under whose account the AuthorizedKeysCommand is run.
261It is recommended to use a dedicated user that has no other role on the host
262than running authorized keys commands.
263If
264.Cm AuthorizedKeysCommand
265is specified but
266.Cm AuthorizedKeysCommandUser
267is not, then
268.Xr sshd 8
269will refuse to start.
270.It Cm AuthorizedKeysFile
271Specifies the file that contains the public keys that can be used
272for user authentication.
273The format is described in the
274AUTHORIZED_KEYS FILE FORMAT
275section of
276.Xr sshd 8 .
277.Cm AuthorizedKeysFile
278may contain tokens of the form %T which are substituted during connection
279setup.
280The following tokens are defined: %% is replaced by a literal '%',
281%h is replaced by the home directory of the user being authenticated, and
282%u is replaced by the username of that user.
283After expansion,
284.Cm AuthorizedKeysFile
285is taken to be an absolute path or one relative to the user's home
286directory.
287Multiple files may be listed, separated by whitespace.
288Alternately this option may be set to
289.Dq none
290to skip checking for user keys in files.
291The default is
292.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
293.It Cm AuthorizedPrincipalsCommand
294Specifies a program to be used to generate the list of allowed
295certificate principals as per
296.Cm AuthorizedPrincipalsFile .
297The program must be owned by root, not writable by group or others and
298specified by an absolute path.
299.Pp
300Arguments to
301.Cm AuthorizedPrincipalsCommand
302may be provided using the following tokens, which will be expanded
303at runtime: %% is replaced by a literal '%', %u is replaced by the
304username being authenticated and %h is replaced by the home directory
305of the user being authenticated.
306.Pp
307The program should produce on standard output zero or
308more lines of
309.Cm AuthorizedPrincipalsFile
310output.
311If either
312.Cm AuthorizedPrincipalsCommand
313or
314.Cm AuthorizedPrincipalsFile
315is specified, then certificates offered by the client for authentication
316must contain a principal that is listed.
317By default, no AuthorizedPrincipalsCommand is run.
318.It Cm AuthorizedPrincipalsCommandUser
319Specifies the user under whose account the AuthorizedPrincipalsCommand is run.
320It is recommended to use a dedicated user that has no other role on the host
321than running authorized principals commands.
322If
323.Cm AuthorizedPrincipalsCommand
324is specified but
325.Cm AuthorizedPrincipalsCommandUser
326is not, then
327.Xr sshd 8
328will refuse to start.
329.It Cm AuthorizedPrincipalsFile
330Specifies a file that lists principal names that are accepted for
331certificate authentication.
332When using certificates signed by a key listed in
333.Cm TrustedUserCAKeys ,
334this file lists names, one of which must appear in the certificate for it
335to be accepted for authentication.
336Names are listed one per line preceded by key options (as described
337in AUTHORIZED_KEYS FILE FORMAT in
338.Xr sshd 8 ) .
339Empty lines and comments starting with
340.Ql #
341are ignored.
342.Pp
343.Cm AuthorizedPrincipalsFile
344may contain tokens of the form %T which are substituted during connection
345setup.
346The following tokens are defined: %% is replaced by a literal '%',
347%h is replaced by the home directory of the user being authenticated, and
348%u is replaced by the username of that user.
349After expansion,
350.Cm AuthorizedPrincipalsFile
351is taken to be an absolute path or one relative to the user's home
352directory.
353.Pp
354The default is
355.Dq none ,
356i.e. not to use a principals file \(en in this case, the username
357of the user must appear in a certificate's principals list for it to be
358accepted.
359Note that
360.Cm AuthorizedPrincipalsFile
361is only used when authentication proceeds using a CA listed in
362.Cm TrustedUserCAKeys
363and is not consulted for certification authorities trusted via
364.Pa ~/.ssh/authorized_keys ,
365though the
366.Cm principals=
367key option offers a similar facility (see
368.Xr sshd 8
369for details).
370.It Cm Banner
371The contents of the specified file are sent to the remote user before
372authentication is allowed.
373If the argument is
374.Dq none
375then no banner is displayed.
376By default, no banner is displayed.
377.It Cm ChallengeResponseAuthentication
378Specifies whether challenge-response authentication is allowed (e.g. via
379PAM or through authentication styles supported in
380.Xr login.conf 5 )
381The default is
382.Dq yes .
383.It Cm ChrootDirectory
384Specifies the pathname of a directory to
385.Xr chroot 2
386to after authentication.
387At session startup
388.Xr sshd 8
389checks that all components of the pathname are root-owned directories
390which are not writable by any other user or group.
391After the chroot,
392.Xr sshd 8
393changes the working directory to the user's home directory.
394.Pp
395The pathname may contain the following tokens that are expanded at runtime once
396the connecting user has been authenticated: %% is replaced by a literal '%',
397%h is replaced by the home directory of the user being authenticated, and
398%u is replaced by the username of that user.
399.Pp
400The
401.Cm ChrootDirectory
402must contain the necessary files and directories to support the
403user's session.
404For an interactive session this requires at least a shell, typically
405.Xr sh 1 ,
406and basic
407.Pa /dev
408nodes such as
409.Xr null 4 ,
410.Xr zero 4 ,
411.Xr stdin 4 ,
412.Xr stdout 4 ,
413.Xr stderr 4 ,
414and
415.Xr tty 4
416devices.
417For file transfer sessions using
418.Dq sftp ,
419no additional configuration of the environment is necessary if the
420in-process sftp server is used,
421though sessions which use logging may require
422.Pa /dev/log
423inside the chroot directory on some operating systems (see
424.Xr sftp-server 8
425for details).
426.Pp
427For safety, it is very important that the directory hierarchy be
428prevented from modification by other processes on the system (especially
429those outside the jail).
430Misconfiguration can lead to unsafe environments which
431.Xr sshd 8
432cannot detect.
433.Pp
434The default is
435.Dq none ,
436indicating not to
437.Xr chroot 2 .
438.It Cm Ciphers
439Specifies the ciphers allowed.
440Multiple ciphers must be comma-separated.
441If the specified value begins with a
442.Sq +
443character, then the specified ciphers will be appended to the default set
444instead of replacing them.
445.Pp
446The supported ciphers are:
447.Pp
448.Bl -item -compact -offset indent
449.It
4503des-cbc
451.It
452aes128-cbc
453.It
454aes192-cbc
455.It
456aes256-cbc
457.It
458aes128-ctr
459.It
460aes192-ctr
461.It
462aes256-ctr
463.It
464aes128-gcm@openssh.com
465.It
466aes256-gcm@openssh.com
467.It
468arcfour
469.It
470arcfour128
471.It
472arcfour256
473.It
474blowfish-cbc
475.It
476cast128-cbc
477.It
478chacha20-poly1305@openssh.com
479.El
480.Pp
481The default is:
482.Bd -literal -offset indent
483chacha20-poly1305@openssh.com,
484aes128-ctr,aes192-ctr,aes256-ctr,
485aes128-gcm@openssh.com,aes256-gcm@openssh.com,
486aes128-cbc,aes192-cbc,aes256-cbc
487.Ed
488.Pp
489The list of available ciphers may also be obtained using the
490.Fl Q
491option of
492.Xr ssh 1
493with an argument of
494.Dq cipher .
495.It Cm ClientAliveCountMax
496Sets the number of client alive messages (see below) which may be
497sent without
498.Xr sshd 8
499receiving any messages back from the client.
500If this threshold is reached while client alive messages are being sent,
501sshd will disconnect the client, terminating the session.
502It is important to note that the use of client alive messages is very
503different from
504.Cm TCPKeepAlive
505(below).
506The client alive messages are sent through the encrypted channel
507and therefore will not be spoofable.
508The TCP keepalive option enabled by
509.Cm TCPKeepAlive
510is spoofable.
511The client alive mechanism is valuable when the client or
512server depend on knowing when a connection has become inactive.
513.Pp
514The default value is 3.
515If
516.Cm ClientAliveInterval
517(see below) is set to 15, and
518.Cm ClientAliveCountMax
519is left at the default, unresponsive SSH clients
520will be disconnected after approximately 45 seconds.
521.It Cm ClientAliveInterval
522Sets a timeout interval in seconds after which if no data has been received
523from the client,
524.Xr sshd 8
525will send a message through the encrypted
526channel to request a response from the client.
527The default
528is 0, indicating that these messages will not be sent to the client.
529.It Cm Compression
530Specifies whether compression is allowed, or delayed until
531the user has authenticated successfully.
532The argument must be
533.Dq yes ,
534.Dq delayed ,
535or
536.Dq no .
537The default is
538.Dq delayed .
539.It Cm DenyGroups
540This keyword can be followed by a list of group name patterns, separated
541by spaces.
542Login is disallowed for users whose primary group or supplementary
543group list matches one of the patterns.
544Only group names are valid; a numerical group ID is not recognized.
545By default, login is allowed for all groups.
546The allow/deny directives are processed in the following order:
547.Cm DenyUsers ,
548.Cm AllowUsers ,
549.Cm DenyGroups ,
550and finally
551.Cm AllowGroups .
552.Pp
553See PATTERNS in
554.Xr ssh_config 5
555for more information on patterns.
556.It Cm DenyUsers
557This keyword can be followed by a list of user name patterns, separated
558by spaces.
559Login is disallowed for user names that match one of the patterns.
560Only user names are valid; a numerical user ID is not recognized.
561By default, login is allowed for all users.
562If the pattern takes the form USER@HOST then USER and HOST
563are separately checked, restricting logins to particular
564users from particular hosts.
565The allow/deny directives are processed in the following order:
566.Cm DenyUsers ,
567.Cm AllowUsers ,
568.Cm DenyGroups ,
569and finally
570.Cm AllowGroups .
571.Pp
572See PATTERNS in
573.Xr ssh_config 5
574for more information on patterns.
575.It Cm FingerprintHash
576Specifies the hash algorithm used when logging key fingerprints.
577Valid options are:
578.Dq md5
579and
580.Dq sha256 .
581The default is
582.Dq sha256 .
583.It Cm ForceCommand
584Forces the execution of the command specified by
585.Cm ForceCommand ,
586ignoring any command supplied by the client and
587.Pa ~/.ssh/rc
588if present.
589The command is invoked by using the user's login shell with the -c option.
590This applies to shell, command, or subsystem execution.
591It is most useful inside a
592.Cm Match
593block.
594The command originally supplied by the client is available in the
595.Ev SSH_ORIGINAL_COMMAND
596environment variable.
597Specifying a command of
598.Dq internal-sftp
599will force the use of an in-process sftp server that requires no support
600files when used with
601.Cm ChrootDirectory .
602The default is
603.Dq none .
604.It Cm GatewayPorts
605Specifies whether remote hosts are allowed to connect to ports
606forwarded for the client.
607By default,
608.Xr sshd 8
609binds remote port forwardings to the loopback address.
610This prevents other remote hosts from connecting to forwarded ports.
611.Cm GatewayPorts
612can be used to specify that sshd
613should allow remote port forwardings to bind to non-loopback addresses, thus
614allowing other hosts to connect.
615The argument may be
616.Dq no
617to force remote port forwardings to be available to the local host only,
618.Dq yes
619to force remote port forwardings to bind to the wildcard address, or
620.Dq clientspecified
621to allow the client to select the address to which the forwarding is bound.
622The default is
623.Dq no .
624.It Cm GSSAPIAuthentication
625Specifies whether user authentication based on GSSAPI is allowed.
626The default is
627.Dq no .
628.It Cm GSSAPICleanupCredentials
629Specifies whether to automatically destroy the user's credentials cache
630on logout.
631The default is
632.Dq yes .
633.It Cm GSSAPIStrictAcceptorCheck
634Determines whether to be strict about the identity of the GSSAPI acceptor
635a client authenticates against.
636If set to
637.Dq yes
638then the client must authenticate against the
639.Pa host
640service on the current hostname.
641If set to
642.Dq no
643then the client may authenticate against any service key stored in the
644machine's default store.
645This facility is provided to assist with operation on multi homed machines.
646The default is
647.Dq yes .
648.It Cm HostbasedAcceptedKeyTypes
649Specifies the key types that will be accepted for hostbased authentication
650as a comma-separated pattern list.
651Alternately if the specified value begins with a
652.Sq +
653character, then the specified key types will be appended to the default set
654instead of replacing them.
655The default for this option is:
656.Bd -literal -offset 3n
657ecdsa-sha2-nistp256-cert-v01@openssh.com,
658ecdsa-sha2-nistp384-cert-v01@openssh.com,
659ecdsa-sha2-nistp521-cert-v01@openssh.com,
660ssh-ed25519-cert-v01@openssh.com,
661ssh-rsa-cert-v01@openssh.com,
662ssh-dss-cert-v01@openssh.com,
663ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
664ecdsa-sha2-nistp521,ssh-ed25519,
665ssh-rsa,ssh-dss
666.Ed
667.Pp
668The
669.Fl Q
670option of
671.Xr ssh 1
672may be used to list supported key types.
673.It Cm HostbasedAuthentication
674Specifies whether rhosts or /etc/hosts.equiv authentication together
675with successful public key client host authentication is allowed
676(host-based authentication).
677The default is
678.Dq no .
679.It Cm HostbasedUsesNameFromPacketOnly
680Specifies whether or not the server will attempt to perform a reverse
681name lookup when matching the name in the
682.Pa ~/.shosts ,
683.Pa ~/.rhosts ,
684and
685.Pa /etc/hosts.equiv
686files during
687.Cm HostbasedAuthentication .
688A setting of
689.Dq yes
690means that
691.Xr sshd 8
692uses the name supplied by the client rather than
693attempting to resolve the name from the TCP connection itself.
694The default is
695.Dq no .
696.It Cm HostCertificate
697Specifies a file containing a public host certificate.
698The certificate's public key must match a private host key already specified
699by
700.Cm HostKey .
701The default behaviour of
702.Xr sshd 8
703is not to load any certificates.
704.It Cm HostKey
705Specifies a file containing a private host key
706used by SSH.
707The default is
708.Pa /etc/ssh/ssh_host_key
709for protocol version 1, and
710.Pa /etc/ssh/ssh_host_dsa_key ,
711.Pa /etc/ssh/ssh_host_ecdsa_key ,
712.Pa /etc/ssh/ssh_host_ed25519_key
713and
714.Pa /etc/ssh/ssh_host_rsa_key
715for protocol version 2.
716.Pp
717Note that
718.Xr sshd 8
719will refuse to use a file if it is group/world-accessible
720and that the
721.Cm HostKeyAlgorithms
722option restricts which of the keys are actually used by
723.Xr sshd 8 .
724.Pp
725It is possible to have multiple host key files.
726.Dq rsa1
727keys are used for version 1 and
728.Dq dsa ,
729.Dq ecdsa ,
730.Dq ed25519
731or
732.Dq rsa
733are used for version 2 of the SSH protocol.
734It is also possible to specify public host key files instead.
735In this case operations on the private key will be delegated
736to an
737.Xr ssh-agent 1 .
738.It Cm HostKeyAgent
739Identifies the UNIX-domain socket used to communicate
740with an agent that has access to the private host keys.
741If
742.Dq SSH_AUTH_SOCK
743is specified, the location of the socket will be read from the
744.Ev SSH_AUTH_SOCK
745environment variable.
746.It Cm HostKeyAlgorithms
747Specifies the host key algorithms
748that the server offers.
749The default for this option is:
750.Bd -literal -offset 3n
751ecdsa-sha2-nistp256-cert-v01@openssh.com,
752ecdsa-sha2-nistp384-cert-v01@openssh.com,
753ecdsa-sha2-nistp521-cert-v01@openssh.com,
754ssh-ed25519-cert-v01@openssh.com,
755ssh-rsa-cert-v01@openssh.com,
756ssh-dss-cert-v01@openssh.com,
757ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
758ecdsa-sha2-nistp521,ssh-ed25519,
759ssh-rsa,ssh-dss
760.Ed
761.Pp
762The list of available key types may also be obtained using the
763.Fl Q
764option of
765.Xr ssh 1
766with an argument of
767.Dq key .
768.It Cm IgnoreRhosts
769Specifies that
770.Pa .rhosts
771and
772.Pa .shosts
773files will not be used in
774.Cm RhostsRSAAuthentication
775or
776.Cm HostbasedAuthentication .
777.Pp
778.Pa /etc/hosts.equiv
779and
780.Pa /etc/ssh/shosts.equiv
781are still used.
782The default is
783.Dq yes .
784.It Cm IgnoreUserKnownHosts
785Specifies whether
786.Xr sshd 8
787should ignore the user's
788.Pa ~/.ssh/known_hosts
789during
790.Cm RhostsRSAAuthentication
791or
792.Cm HostbasedAuthentication .
793The default is
794.Dq no .
795.It Cm IPQoS
796Specifies the IPv4 type-of-service or DSCP class for the connection.
797Accepted values are
798.Dq af11 ,
799.Dq af12 ,
800.Dq af13 ,
801.Dq af21 ,
802.Dq af22 ,
803.Dq af23 ,
804.Dq af31 ,
805.Dq af32 ,
806.Dq af33 ,
807.Dq af41 ,
808.Dq af42 ,
809.Dq af43 ,
810.Dq cs0 ,
811.Dq cs1 ,
812.Dq cs2 ,
813.Dq cs3 ,
814.Dq cs4 ,
815.Dq cs5 ,
816.Dq cs6 ,
817.Dq cs7 ,
818.Dq ef ,
819.Dq lowdelay ,
820.Dq throughput ,
821.Dq reliability ,
822or a numeric value.
823This option may take one or two arguments, separated by whitespace.
824If one argument is specified, it is used as the packet class unconditionally.
825If two values are specified, the first is automatically selected for
826interactive sessions and the second for non-interactive sessions.
827The default is
828.Dq lowdelay
829for interactive sessions and
830.Dq throughput
831for non-interactive sessions.
832.It Cm KbdInteractiveAuthentication
833Specifies whether to allow keyboard-interactive authentication.
834The argument to this keyword must be
835.Dq yes
836or
837.Dq no .
838The default is to use whatever value
839.Cm ChallengeResponseAuthentication
840is set to
841(by default
842.Dq yes ) .
843.It Cm KerberosAuthentication
844Specifies whether the password provided by the user for
845.Cm PasswordAuthentication
846will be validated through the Kerberos KDC.
847To use this option, the server needs a
848Kerberos servtab which allows the verification of the KDC's identity.
849The default is
850.Dq no .
851.It Cm KerberosGetAFSToken
852If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
853an AFS token before accessing the user's home directory.
854The default is
855.Dq no .
856.It Cm KerberosOrLocalPasswd
857If password authentication through Kerberos fails then
858the password will be validated via any additional local mechanism
859such as
860.Pa /etc/passwd .
861The default is
862.Dq yes .
863.It Cm KerberosTicketCleanup
864Specifies whether to automatically destroy the user's ticket cache
865file on logout.
866The default is
867.Dq yes .
868.It Cm KexAlgorithms
869Specifies the available KEX (Key Exchange) algorithms.
870Multiple algorithms must be comma-separated.
871Alternately if the specified value begins with a
872.Sq +
873character, then the specified methods will be appended to the default set
874instead of replacing them.
875The supported algorithms are:
876.Pp
877.Bl -item -compact -offset indent
878.It
879curve25519-sha256@libssh.org
880.It
881diffie-hellman-group1-sha1
882.It
883diffie-hellman-group14-sha1
884.It
885diffie-hellman-group-exchange-sha1
886.It
887diffie-hellman-group-exchange-sha256
888.It
889ecdh-sha2-nistp256
890.It
891ecdh-sha2-nistp384
892.It
893ecdh-sha2-nistp521
894.El
895.Pp
896The default is:
897.Bd -literal -offset indent
898curve25519-sha256@libssh.org,
899ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
900diffie-hellman-group-exchange-sha256,
901diffie-hellman-group14-sha1
902.Ed
903.Pp
904The list of available key exchange algorithms may also be obtained using the
905.Fl Q
906option of
907.Xr ssh 1
908with an argument of
909.Dq kex .
910.It Cm KeyRegenerationInterval
911In protocol version 1, the ephemeral server key is automatically regenerated
912after this many seconds (if it has been used).
913The purpose of regeneration is to prevent
914decrypting captured sessions by later breaking into the machine and
915stealing the keys.
916The key is never stored anywhere.
917If the value is 0, the key is never regenerated.
918The default is 3600 (seconds).
919.It Cm ListenAddress
920Specifies the local addresses
921.Xr sshd 8
922should listen on.
923The following forms may be used:
924.Pp
925.Bl -item -offset indent -compact
926.It
927.Cm ListenAddress
928.Sm off
929.Ar host | Ar IPv4_addr | Ar IPv6_addr
930.Sm on
931.It
932.Cm ListenAddress
933.Sm off
934.Ar host | Ar IPv4_addr : Ar port
935.Sm on
936.It
937.Cm ListenAddress
938.Sm off
939.Oo
940.Ar host | Ar IPv6_addr Oc : Ar port
941.Sm on
942.El
943.Pp
944If
945.Ar port
946is not specified,
947sshd will listen on the address and all
948.Cm Port
949options specified.
950The default is to listen on all local addresses.
951Multiple
952.Cm ListenAddress
953options are permitted.
954.It Cm LoginGraceTime
955The server disconnects after this time if the user has not
956successfully logged in.
957If the value is 0, there is no time limit.
958The default is 120 seconds.
959.It Cm LogLevel
960Gives the verbosity level that is used when logging messages from
961.Xr sshd 8 .
962The possible values are:
963QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
964The default is INFO.
965DEBUG and DEBUG1 are equivalent.
966DEBUG2 and DEBUG3 each specify higher levels of debugging output.
967Logging with a DEBUG level violates the privacy of users and is not recommended.
968.It Cm MACs
969Specifies the available MAC (message authentication code) algorithms.
970The MAC algorithm is used for data integrity protection.
971Multiple algorithms must be comma-separated.
972If the specified value begins with a
973.Sq +
974character, then the specified algorithms will be appended to the default set
975instead of replacing them.
976.Pp
977The algorithms that contain
978.Dq -etm
979calculate the MAC after encryption (encrypt-then-mac).
980These are considered safer and their use recommended.
981The supported MACs are:
982.Pp
983.Bl -item -compact -offset indent
984.It
985hmac-md5
986.It
987hmac-md5-96
988.It
989hmac-ripemd160
990.It
991hmac-sha1
992.It
993hmac-sha1-96
994.It
995hmac-sha2-256
996.It
997hmac-sha2-512
998.It
999umac-64@openssh.com
1000.It
1001umac-128@openssh.com
1002.It
1003hmac-md5-etm@openssh.com
1004.It
1005hmac-md5-96-etm@openssh.com
1006.It
1007hmac-ripemd160-etm@openssh.com
1008.It
1009hmac-sha1-etm@openssh.com
1010.It
1011hmac-sha1-96-etm@openssh.com
1012.It
1013hmac-sha2-256-etm@openssh.com
1014.It
1015hmac-sha2-512-etm@openssh.com
1016.It
1017umac-64-etm@openssh.com
1018.It
1019umac-128-etm@openssh.com
1020.El
1021.Pp
1022The default is:
1023.Bd -literal -offset indent
1024umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1025hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1026hmac-sha1-etm@openssh.com,
1027umac-64@openssh.com,umac-128@openssh.com,
1028hmac-sha2-256,hmac-sha2-512,hmac-sha1
1029.Ed
1030.Pp
1031The list of available MAC algorithms may also be obtained using the
1032.Fl Q
1033option of
1034.Xr ssh 1
1035with an argument of
1036.Dq mac .
1037.It Cm Match
1038Introduces a conditional block.
1039If all of the criteria on the
1040.Cm Match
1041line are satisfied, the keywords on the following lines override those
1042set in the global section of the config file, until either another
1043.Cm Match
1044line or the end of the file.
1045If a keyword appears in multiple
1046.Cm Match
1047blocks that are satisfied, only the first instance of the keyword is
1048applied.
1049.Pp
1050The arguments to
1051.Cm Match
1052are one or more criteria-pattern pairs or the single token
1053.Cm All
1054which matches all criteria.
1055The available criteria are
1056.Cm User ,
1057.Cm Group ,
1058.Cm Host ,
1059.Cm LocalAddress ,
1060.Cm LocalPort ,
1061and
1062.Cm Address .
1063The match patterns may consist of single entries or comma-separated
1064lists and may use the wildcard and negation operators described in the
1065PATTERNS section of
1066.Xr ssh_config 5 .
1067.Pp
1068The patterns in an
1069.Cm Address
1070criteria may additionally contain addresses to match in CIDR
1071address/masklen format, e.g.\&
1072.Dq 192.0.2.0/24
1073or
1074.Dq 3ffe:ffff::/32 .
1075Note that the mask length provided must be consistent with the address -
1076it is an error to specify a mask length that is too long for the address
1077or one with bits set in this host portion of the address.
1078For example,
1079.Dq 192.0.2.0/33
1080and
1081.Dq 192.0.2.0/8
1082respectively.
1083.Pp
1084Only a subset of keywords may be used on the lines following a
1085.Cm Match
1086keyword.
1087Available keywords are
1088.Cm AcceptEnv ,
1089.Cm AllowAgentForwarding ,
1090.Cm AllowGroups ,
1091.Cm AllowStreamLocalForwarding ,
1092.Cm AllowTcpForwarding ,
1093.Cm AllowUsers ,
1094.Cm AuthenticationMethods ,
1095.Cm AuthorizedKeysCommand ,
1096.Cm AuthorizedKeysCommandUser ,
1097.Cm AuthorizedKeysFile ,
1098.Cm AuthorizedPrincipalsCommand ,
1099.Cm AuthorizedPrincipalsCommandUser ,
1100.Cm AuthorizedPrincipalsFile ,
1101.Cm Banner ,
1102.Cm ChrootDirectory ,
1103.Cm DenyGroups ,
1104.Cm DenyUsers ,
1105.Cm ForceCommand ,
1106.Cm GatewayPorts ,
1107.Cm GSSAPIAuthentication ,
1108.Cm HostbasedAcceptedKeyTypes ,
1109.Cm HostbasedAuthentication ,
1110.Cm HostbasedUsesNameFromPacketOnly ,
1111.Cm IPQoS ,
1112.Cm KbdInteractiveAuthentication ,
1113.Cm KerberosAuthentication ,
1114.Cm MaxAuthTries ,
1115.Cm MaxSessions ,
1116.Cm PasswordAuthentication ,
1117.Cm PermitEmptyPasswords ,
1118.Cm PermitOpen ,
1119.Cm PermitRootLogin ,
1120.Cm PermitTTY ,
1121.Cm PermitTunnel ,
1122.Cm PermitUserRC ,
1123.Cm PubkeyAcceptedKeyTypes ,
1124.Cm PubkeyAuthentication ,
1125.Cm RekeyLimit ,
1126.Cm RevokedKeys ,
1127.Cm RhostsRSAAuthentication ,
1128.Cm RSAAuthentication ,
1129.Cm StreamLocalBindMask ,
1130.Cm StreamLocalBindUnlink ,
1131.Cm TrustedUserCAKeys ,
1132.Cm X11DisplayOffset ,
1133.Cm X11Forwarding
1134and
1135.Cm X11UseLocalHost .
1136.It Cm MaxAuthTries
1137Specifies the maximum number of authentication attempts permitted per
1138connection.
1139Once the number of failures reaches half this value,
1140additional failures are logged.
1141The default is 6.
1142.It Cm MaxSessions
1143Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
1144sessions permitted per network connection.
1145Multiple sessions may be established by clients that support connection
1146multiplexing.
1147Setting
1148.Cm MaxSessions
1149to 1 will effectively disable session multiplexing, whereas setting it to 0
1150will prevent all shell, login and subsystem sessions while still permitting
1151forwarding.
1152The default is 10.
1153.It Cm MaxStartups
1154Specifies the maximum number of concurrent unauthenticated connections to the
1155SSH daemon.
1156Additional connections will be dropped until authentication succeeds or the
1157.Cm LoginGraceTime
1158expires for a connection.
1159The default is 10:30:100.
1160.Pp
1161Alternatively, random early drop can be enabled by specifying
1162the three colon separated values
1163.Dq start:rate:full
1164(e.g. "10:30:60").
1165.Xr sshd 8
1166will refuse connection attempts with a probability of
1167.Dq rate/100
1168(30%)
1169if there are currently
1170.Dq start
1171(10)
1172unauthenticated connections.
1173The probability increases linearly and all connection attempts
1174are refused if the number of unauthenticated connections reaches
1175.Dq full
1176(60).
1177.It Cm PasswordAuthentication
1178Specifies whether password authentication is allowed.
1179See also
1180.Cm UsePAM .
1181The default is
1182.Dq no .
1183.It Cm PermitEmptyPasswords
1184When password authentication is allowed, it specifies whether the
1185server allows login to accounts with empty password strings.
1186The default is
1187.Dq no .
1188.It Cm PermitOpen
1189Specifies the destinations to which TCP port forwarding is permitted.
1190The forwarding specification must be one of the following forms:
1191.Pp
1192.Bl -item -offset indent -compact
1193.It
1194.Cm PermitOpen
1195.Sm off
1196.Ar host : port
1197.Sm on
1198.It
1199.Cm PermitOpen
1200.Sm off
1201.Ar IPv4_addr : port
1202.Sm on
1203.It
1204.Cm PermitOpen
1205.Sm off
1206.Ar \&[ IPv6_addr \&] : port
1207.Sm on
1208.El
1209.Pp
1210Multiple forwards may be specified by separating them with whitespace.
1211An argument of
1212.Dq any
1213can be used to remove all restrictions and permit any forwarding requests.
1214An argument of
1215.Dq none
1216can be used to prohibit all forwarding requests.
1217By default all port forwarding requests are permitted.
1218.It Cm PermitRootLogin
1219Specifies whether root can log in using
1220.Xr ssh 1 .
1221The argument must be
1222.Dq yes ,
1223.Dq prohibit-password ,
1224.Dq without-password ,
1225.Dq forced-commands-only ,
1226or
1227.Dq no .
1228The default is
1229.Dq no .
1230Note that if
1231.Cm ChallengeResponseAuthentication
1232is
1233.Dq yes ,
1234the root user may be allowed in with its password even if
1235.Cm PermitRootLogin is set to
1236.Dq without-password .
1237.Pp
1238If this option is set to
1239.Dq prohibit-password
1240or
1241.Dq without-password ,
1242password and keyboard-interactive authentication are disabled for root.
1243.Pp
1244If this option is set to
1245.Dq forced-commands-only ,
1246root login with public key authentication will be allowed,
1247but only if the
1248.Ar command
1249option has been specified
1250(which may be useful for taking remote backups even if root login is
1251normally not allowed).
1252All other authentication methods are disabled for root.
1253.Pp
1254If this option is set to
1255.Dq no ,
1256root is not allowed to log in.
1257.It Cm PermitTunnel
1258Specifies whether
1259.Xr tun 4
1260device forwarding is allowed.
1261The argument must be
1262.Dq yes ,
1263.Dq point-to-point
1264(layer 3),
1265.Dq ethernet
1266(layer 2), or
1267.Dq no .
1268Specifying
1269.Dq yes
1270permits both
1271.Dq point-to-point
1272and
1273.Dq ethernet .
1274The default is
1275.Dq no .
1276.Pp
1277Independent of this setting, the permissions of the selected
1278.Xr tun 4
1279device must allow access to the user.
1280.It Cm PermitTTY
1281Specifies whether
1282.Xr pty 4
1283allocation is permitted.
1284The default is
1285.Dq yes .
1286.It Cm PermitUserEnvironment
1287Specifies whether
1288.Pa ~/.ssh/environment
1289and
1290.Cm environment=
1291options in
1292.Pa ~/.ssh/authorized_keys
1293are processed by
1294.Xr sshd 8 .
1295The default is
1296.Dq no .
1297Enabling environment processing may enable users to bypass access
1298restrictions in some configurations using mechanisms such as
1299.Ev LD_PRELOAD .
1300.It Cm PermitUserRC
1301Specifies whether any
1302.Pa ~/.ssh/rc
1303file is executed.
1304The default is
1305.Dq yes .
1306.It Cm PidFile
1307Specifies the file that contains the process ID of the
1308SSH daemon, or
1309.Dq none
1310to not write one.
1311The default is
1312.Pa /var/run/sshd.pid .
1313.It Cm Port
1314Specifies the port number that
1315.Xr sshd 8
1316listens on.
1317The default is 22.
1318Multiple options of this type are permitted.
1319See also
1320.Cm ListenAddress .
1321.It Cm PrintLastLog
1322Specifies whether
1323.Xr sshd 8
1324should print the date and time of the last user login when a user logs
1325in interactively.
1326The default is
1327.Dq yes .
1328.It Cm PrintMotd
1329Specifies whether
1330.Xr sshd 8
1331should print
1332.Pa /etc/motd
1333when a user logs in interactively.
1334(On some systems it is also printed by the shell,
1335.Pa /etc/profile ,
1336or equivalent.)
1337The default is
1338.Dq yes .
1339.It Cm Protocol
1340Specifies the protocol versions
1341.Xr sshd 8
1342supports.
1343The possible values are
1344.Sq 1
1345and
1346.Sq 2 .
1347Multiple versions must be comma-separated.
1348The default is
1349.Sq 2 .
1350Protocol 1 suffers from a number of cryptographic weaknesses and should
1351not be used.
1352It is only offered to support legacy devices.
1353.Pp
1354Note that the order of the protocol list does not indicate preference,
1355because the client selects among multiple protocol versions offered
1356by the server.
1357Specifying
1358.Dq 2,1
1359is identical to
1360.Dq 1,2 .
1361.It Cm PubkeyAcceptedKeyTypes
1362Specifies the key types that will be accepted for public key authentication
1363as a comma-separated pattern list.
1364Alternately if the specified value begins with a
1365.Sq +
1366character, then the specified key types will be appended to the default set
1367instead of replacing them.
1368The default for this option is:
1369.Bd -literal -offset 3n
1370ecdsa-sha2-nistp256-cert-v01@openssh.com,
1371ecdsa-sha2-nistp384-cert-v01@openssh.com,
1372ecdsa-sha2-nistp521-cert-v01@openssh.com,
1373ssh-ed25519-cert-v01@openssh.com,
1374ssh-rsa-cert-v01@openssh.com,
1375ssh-dss-cert-v01@openssh.com,
1376ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
1377ecdsa-sha2-nistp521,ssh-ed25519,
1378ssh-rsa,ssh-dss
1379.Ed
1380.Pp
1381The
1382.Fl Q
1383option of
1384.Xr ssh 1
1385may be used to list supported key types.
1386.It Cm PubkeyAuthentication
1387Specifies whether public key authentication is allowed.
1388The default is
1389.Dq yes .
1390.It Cm RekeyLimit
1391Specifies the maximum amount of data that may be transmitted before the
1392session key is renegotiated, optionally followed a maximum amount of
1393time that may pass before the session key is renegotiated.
1394The first argument is specified in bytes and may have a suffix of
1395.Sq K ,
1396.Sq M ,
1397or
1398.Sq G
1399to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1400The default is between
1401.Sq 1G
1402and
1403.Sq 4G ,
1404depending on the cipher.
1405The optional second value is specified in seconds and may use any of the
1406units documented in the
1407.Sx TIME FORMATS
1408section.
1409The default value for
1410.Cm RekeyLimit
1411is
1412.Dq default none ,
1413which means that rekeying is performed after the cipher's default amount
1414of data has been sent or received and no time based rekeying is done.
1415.It Cm RevokedKeys
1416Specifies revoked public keys file, or
1417.Dq none
1418to not use one.
1419Keys listed in this file will be refused for public key authentication.
1420Note that if this file is not readable, then public key authentication will
1421be refused for all users.
1422Keys may be specified as a text file, listing one public key per line, or as
1423an OpenSSH Key Revocation List (KRL) as generated by
1424.Xr ssh-keygen 1 .
1425For more information on KRLs, see the KEY REVOCATION LISTS section in
1426.Xr ssh-keygen 1 .
1427.It Cm RhostsRSAAuthentication
1428Specifies whether rhosts or
1429.Pa /etc/hosts.equiv
1430authentication together
1431with successful RSA host authentication is allowed.
1432The default is
1433.Dq no .
1434This option applies to protocol version 1 only.
1435.It Cm RSAAuthentication
1436Specifies whether pure RSA authentication is allowed.
1437The default is
1438.Dq yes .
1439This option applies to protocol version 1 only.
1440.It Cm ServerKeyBits
1441Defines the number of bits in the ephemeral protocol version 1 server key.
1442The default and minimum value is 1024.
1443.It Cm StreamLocalBindMask
1444Sets the octal file creation mode mask
1445.Pq umask
1446used when creating a Unix-domain socket file for local or remote
1447port forwarding.
1448This option is only used for port forwarding to a Unix-domain socket file.
1449.Pp
1450The default value is 0177, which creates a Unix-domain socket file that is
1451readable and writable only by the owner.
1452Note that not all operating systems honor the file mode on Unix-domain
1453socket files.
1454.It Cm StreamLocalBindUnlink
1455Specifies whether to remove an existing Unix-domain socket file for local
1456or remote port forwarding before creating a new one.
1457If the socket file already exists and
1458.Cm StreamLocalBindUnlink
1459is not enabled,
1460.Nm sshd
1461will be unable to forward the port to the Unix-domain socket file.
1462This option is only used for port forwarding to a Unix-domain socket file.
1463.Pp
1464The argument must be
1465.Dq yes
1466or
1467.Dq no .
1468The default is
1469.Dq no .
1470.It Cm StrictModes
1471Specifies whether
1472.Xr sshd 8
1473should check file modes and ownership of the
1474user's files and home directory before accepting login.
1475This is normally desirable because novices sometimes accidentally leave their
1476directory or files world-writable.
1477The default is
1478.Dq yes .
1479Note that this does not apply to
1480.Cm ChrootDirectory ,
1481whose permissions and ownership are checked unconditionally.
1482.It Cm Subsystem
1483Configures an external subsystem (e.g. file transfer daemon).
1484Arguments should be a subsystem name and a command (with optional arguments)
1485to execute upon subsystem request.
1486.Pp
1487The command
1488.Xr sftp-server 8
1489implements the
1490.Dq sftp
1491file transfer subsystem.
1492.Pp
1493Alternately the name
1494.Dq internal-sftp
1495implements an in-process
1496.Dq sftp
1497server.
1498This may simplify configurations using
1499.Cm ChrootDirectory
1500to force a different filesystem root on clients.
1501.Pp
1502By default no subsystems are defined.
1503.It Cm SyslogFacility
1504Gives the facility code that is used when logging messages from
1505.Xr sshd 8 .
1506The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1507LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1508The default is AUTH.
1509.It Cm TCPKeepAlive
1510Specifies whether the system should send TCP keepalive messages to the
1511other side.
1512If they are sent, death of the connection or crash of one
1513of the machines will be properly noticed.
1514However, this means that
1515connections will die if the route is down temporarily, and some people
1516find it annoying.
1517On the other hand, if TCP keepalives are not sent,
1518sessions may hang indefinitely on the server, leaving
1519.Dq ghost
1520users and consuming server resources.
1521.Pp
1522The default is
1523.Dq yes
1524(to send TCP keepalive messages), and the server will notice
1525if the network goes down or the client host crashes.
1526This avoids infinitely hanging sessions.
1527.Pp
1528To disable TCP keepalive messages, the value should be set to
1529.Dq no .
1530.It Cm TrustedUserCAKeys
1531Specifies a file containing public keys of certificate authorities that are
1532trusted to sign user certificates for authentication, or
1533.Dq none
1534to not use one.
1535Keys are listed one per line; empty lines and comments starting with
1536.Ql #
1537are allowed.
1538If a certificate is presented for authentication and has its signing CA key
1539listed in this file, then it may be used for authentication for any user
1540listed in the certificate's principals list.
1541Note that certificates that lack a list of principals will not be permitted
1542for authentication using
1543.Cm TrustedUserCAKeys .
1544For more details on certificates, see the CERTIFICATES section in
1545.Xr ssh-keygen 1 .
1546.It Cm UseDNS
1547Specifies whether
1548.Xr sshd 8
1549should look up the remote host name, and to check that
1550the resolved host name for the remote IP address maps back to the
1551very same IP address.
1552.Pp
1553If this option is set to
1554.Dq no ,
1555then only addresses and not host names may be used in
1556.Pa ~/.ssh/known_hosts
1557.Cm from
1558and
1559.Nm
1560.Cm Match
1561.Cm Host
1562directives.
1563The default is
1564.Dq yes .
1565.It Cm UseLogin
1566Specifies whether
1567.Xr login 1
1568is used for interactive login sessions.
1569The default is
1570.Dq no .
1571Note that
1572.Xr login 1
1573is never used for remote command execution.
1574Note also, that if this is enabled,
1575.Cm X11Forwarding
1576will be disabled because
1577.Xr login 1
1578does not know how to handle
1579.Xr xauth 1
1580cookies.
1581If
1582.Cm UsePrivilegeSeparation
1583is specified, it will be disabled after authentication.
1584.It Cm UsePAM
1585Enables the Pluggable Authentication Module interface.
1586If set to
1587.Dq yes
1588this will enable PAM authentication using
1589.Cm ChallengeResponseAuthentication
1590and
1591.Cm PasswordAuthentication
1592in addition to PAM account and session module processing for all
1593authentication types.
1594.Pp
1595Because PAM challenge-response authentication usually serves an equivalent
1596role to password authentication, you should disable either
1597.Cm PasswordAuthentication
1598or
1599.Cm ChallengeResponseAuthentication.
1600.Pp
1601If
1602.Cm UsePAM
1603is enabled, you will not be able to run
1604.Xr sshd 8
1605as a non-root user.
1606The default is
1607.Dq yes .
1608.It Cm UsePrivilegeSeparation
1609Specifies whether
1610.Xr sshd 8
1611separates privileges by creating an unprivileged child process
1612to deal with incoming network traffic.
1613After successful authentication, another process will be created that has
1614the privilege of the authenticated user.
1615The goal of privilege separation is to prevent privilege
1616escalation by containing any corruption within the unprivileged processes.
1617The argument must be
1618.Dq yes ,
1619.Dq no ,
1620or
1621.Dq sandbox .
1622If
1623.Cm UsePrivilegeSeparation
1624is set to
1625.Dq sandbox
1626then the pre-authentication unprivileged process is subject to additional
1627restrictions.
1628The default is
1629.Dq sandbox .
1630.It Cm VersionAddendum
1631Optionally specifies additional text to append to the SSH protocol banner
1632sent by the server upon connection.
1633The default is
1634.Dq FreeBSD-20160310 .
1635The value
1636.Dq none
1637may be used to disable this.
1638.It Cm X11DisplayOffset
1639Specifies the first display number available for
1640.Xr sshd 8 Ns 's
1641X11 forwarding.
1642This prevents sshd from interfering with real X11 servers.
1643The default is 10.
1644.It Cm X11Forwarding
1645Specifies whether X11 forwarding is permitted.
1646The argument must be
1647.Dq yes
1648or
1649.Dq no .
1650The default is
1651.Dq yes .
1652.Pp
1653When X11 forwarding is enabled, there may be additional exposure to
1654the server and to client displays if the
1655.Xr sshd 8
1656proxy display is configured to listen on the wildcard address (see
1657.Cm X11UseLocalhost
1658below), though this is not the default.
1659Additionally, the authentication spoofing and authentication data
1660verification and substitution occur on the client side.
1661The security risk of using X11 forwarding is that the client's X11
1662display server may be exposed to attack when the SSH client requests
1663forwarding (see the warnings for
1664.Cm ForwardX11
1665in
1666.Xr ssh_config 5 ) .
1667A system administrator may have a stance in which they want to
1668protect clients that may expose themselves to attack by unwittingly
1669requesting X11 forwarding, which can warrant a
1670.Dq no
1671setting.
1672.Pp
1673Note that disabling X11 forwarding does not prevent users from
1674forwarding X11 traffic, as users can always install their own forwarders.
1675X11 forwarding is automatically disabled if
1676.Cm UseLogin
1677is enabled.
1678.It Cm X11UseLocalhost
1679Specifies whether
1680.Xr sshd 8
1681should bind the X11 forwarding server to the loopback address or to
1682the wildcard address.
1683By default,
1684sshd binds the forwarding server to the loopback address and sets the
1685hostname part of the
1686.Ev DISPLAY
1687environment variable to
1688.Dq localhost .
1689This prevents remote hosts from connecting to the proxy display.
1690However, some older X11 clients may not function with this
1691configuration.
1692.Cm X11UseLocalhost
1693may be set to
1694.Dq no
1695to specify that the forwarding server should be bound to the wildcard
1696address.
1697The argument must be
1698.Dq yes
1699or
1700.Dq no .
1701The default is
1702.Dq yes .
1703.It Cm XAuthLocation
1704Specifies the full pathname of the
1705.Xr xauth 1
1706program, or
1707.Dq none
1708to not use one.
1709The default is
1710.Pa /usr/local/bin/xauth .
1711.El
1712.Sh TIME FORMATS
1713.Xr sshd 8
1714command-line arguments and configuration file options that specify time
1715may be expressed using a sequence of the form:
1716.Sm off
1717.Ar time Op Ar qualifier ,
1718.Sm on
1719where
1720.Ar time
1721is a positive integer value and
1722.Ar qualifier
1723is one of the following:
1724.Pp
1725.Bl -tag -width Ds -compact -offset indent
1726.It Aq Cm none
1727seconds
1728.It Cm s | Cm S
1729seconds
1730.It Cm m | Cm M
1731minutes
1732.It Cm h | Cm H
1733hours
1734.It Cm d | Cm D
1735days
1736.It Cm w | Cm W
1737weeks
1738.El
1739.Pp
1740Each member of the sequence is added together to calculate
1741the total time value.
1742.Pp
1743Time format examples:
1744.Pp
1745.Bl -tag -width Ds -compact -offset indent
1746.It 600
1747600 seconds (10 minutes)
1748.It 10m
174910 minutes
1750.It 1h30m
17511 hour 30 minutes (90 minutes)
1752.El
1753.Sh FILES
1754.Bl -tag -width Ds
1755.It Pa /etc/ssh/sshd_config
1756Contains configuration data for
1757.Xr sshd 8 .
1758This file should be writable by root only, but it is recommended
1759(though not necessary) that it be world-readable.
1760.El
1761.Sh SEE ALSO
1762.Xr sshd 8
1763.Sh AUTHORS
1764OpenSSH is a derivative of the original and free
1765ssh 1.2.12 release by Tatu Ylonen.
1766Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1767Theo de Raadt and Dug Song
1768removed many bugs, re-added newer features and
1769created OpenSSH.
1770Markus Friedl contributed the support for SSH
1771protocol versions 1.5 and 2.0.
1772Niels Provos and Markus Friedl contributed support
1773for privilege separation.
1774