1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is 9.\" incompatible with the protocol description in the RFC file, it must be 10.\" called by a name other than "ssh" or "Secure Shell". 11.\" 12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 15.\" 16.\" Redistribution and use in source and binary forms, with or without 17.\" modification, are permitted provided that the following conditions 18.\" are met: 19.\" 1. Redistributions of source code must retain the above copyright 20.\" notice, this list of conditions and the following disclaimer. 21.\" 2. Redistributions in binary form must reproduce the above copyright 22.\" notice, this list of conditions and the following disclaimer in the 23.\" documentation and/or other materials provided with the distribution. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" 36.\" $OpenBSD: sshd_config.5,v 1.347 2023/01/18 06:55:32 jmc Exp $ 37.Dd $Mdocdate: January 18 2023 $ 38.Dt SSHD_CONFIG 5 39.Os 40.Sh NAME 41.Nm sshd_config 42.Nd OpenSSH daemon configuration file 43.Sh DESCRIPTION 44.Xr sshd 8 45reads configuration data from 46.Pa /etc/ssh/sshd_config 47(or the file specified with 48.Fl f 49on the command line). 50The file contains keyword-argument pairs, one per line. 51For each keyword, the first obtained value will be used. 52Lines starting with 53.Ql # 54and empty lines are interpreted as comments. 55Arguments may optionally be enclosed in double quotes 56.Pq \&" 57in order to represent arguments containing spaces. 58.Pp 59The possible 60keywords and their meanings are as follows (note that 61keywords are case-insensitive and arguments are case-sensitive): 62.Bl -tag -width Ds 63.It Cm AcceptEnv 64Specifies what environment variables sent by the client will be copied into 65the session's 66.Xr environ 7 . 67See 68.Cm SendEnv 69and 70.Cm SetEnv 71in 72.Xr ssh_config 5 73for how to configure the client. 74The 75.Ev TERM 76environment variable is always accepted whenever the client 77requests a pseudo-terminal as it is required by the protocol. 78Variables are specified by name, which may contain the wildcard characters 79.Ql * 80and 81.Ql \&? . 82Multiple environment variables may be separated by whitespace or spread 83across multiple 84.Cm AcceptEnv 85directives. 86Be warned that some environment variables could be used to bypass restricted 87user environments. 88For this reason, care should be taken in the use of this directive. 89The default is not to accept any environment variables. 90.It Cm AddressFamily 91Specifies which address family should be used by 92.Xr sshd 8 . 93Valid arguments are 94.Cm any 95(the default), 96.Cm inet 97(use IPv4 only), or 98.Cm inet6 99(use IPv6 only). 100.It Cm AllowAgentForwarding 101Specifies whether 102.Xr ssh-agent 1 103forwarding is permitted. 104The default is 105.Cm yes . 106Note that disabling agent forwarding does not improve security 107unless users are also denied shell access, as they can always install 108their own forwarders. 109.It Cm AllowGroups 110This keyword can be followed by a list of group name patterns, separated 111by spaces. 112If specified, login is allowed only for users whose primary 113group or supplementary group list matches one of the patterns. 114Only group names are valid; a numerical group ID is not recognized. 115By default, login is allowed for all groups. 116The allow/deny groups directives are processed in the following order: 117.Cm DenyGroups , 118.Cm AllowGroups . 119.Pp 120See PATTERNS in 121.Xr ssh_config 5 122for more information on patterns. 123.It Cm AllowStreamLocalForwarding 124Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. 125The available options are 126.Cm yes 127(the default) 128or 129.Cm all 130to allow StreamLocal forwarding, 131.Cm no 132to prevent all StreamLocal forwarding, 133.Cm local 134to allow local (from the perspective of 135.Xr ssh 1 ) 136forwarding only or 137.Cm remote 138to allow remote forwarding only. 139Note that disabling StreamLocal forwarding does not improve security unless 140users are also denied shell access, as they can always install their 141own forwarders. 142.It Cm AllowTcpForwarding 143Specifies whether TCP forwarding is permitted. 144The available options are 145.Cm yes 146(the default) 147or 148.Cm all 149to allow TCP forwarding, 150.Cm no 151to prevent all TCP forwarding, 152.Cm local 153to allow local (from the perspective of 154.Xr ssh 1 ) 155forwarding only or 156.Cm remote 157to allow remote forwarding only. 158Note that disabling TCP forwarding does not improve security unless 159users are also denied shell access, as they can always install their 160own forwarders. 161.It Cm AllowUsers 162This keyword can be followed by a list of user name patterns, separated 163by spaces. 164If specified, login is allowed only for user names that 165match one of the patterns. 166Only user names are valid; a numerical user ID is not recognized. 167By default, login is allowed for all users. 168If the pattern takes the form USER@HOST then USER and HOST 169are separately checked, restricting logins to particular 170users from particular hosts. 171HOST criteria may additionally contain addresses to match in CIDR 172address/masklen format. 173The allow/deny users directives are processed in the following order: 174.Cm DenyUsers , 175.Cm AllowUsers . 176.Pp 177See PATTERNS in 178.Xr ssh_config 5 179for more information on patterns. 180.It Cm AuthenticationMethods 181Specifies the authentication methods that must be successfully completed 182for a user to be granted access. 183This option must be followed by one or more lists of comma-separated 184authentication method names, or by the single string 185.Cm any 186to indicate the default behaviour of accepting any single authentication 187method. 188If the default is overridden, then successful authentication requires 189completion of every method in at least one of these lists. 190.Pp 191For example, 192.Qq publickey,password publickey,keyboard-interactive 193would require the user to complete public key authentication, followed by 194either password or keyboard interactive authentication. 195Only methods that are next in one or more lists are offered at each stage, 196so for this example it would not be possible to attempt password or 197keyboard-interactive authentication before public key. 198.Pp 199For keyboard interactive authentication it is also possible to 200restrict authentication to a specific device by appending a 201colon followed by the device identifier 202.Cm bsdauth 203or 204.Cm pam . 205depending on the server configuration. 206For example, 207.Qq keyboard-interactive:bsdauth 208would restrict keyboard interactive authentication to the 209.Cm bsdauth 210device. 211.Pp 212If the publickey method is listed more than once, 213.Xr sshd 8 214verifies that keys that have been used successfully are not reused for 215subsequent authentications. 216For example, 217.Qq publickey,publickey 218requires successful authentication using two different public keys. 219.Pp 220Note that each authentication method listed should also be explicitly enabled 221in the configuration. 222.Pp 223The available authentication methods are: 224.Qq gssapi-with-mic , 225.Qq hostbased , 226.Qq keyboard-interactive , 227.Qq none 228(used for access to password-less accounts when 229.Cm PermitEmptyPasswords 230is enabled), 231.Qq password 232and 233.Qq publickey . 234.It Cm AuthorizedKeysCommand 235Specifies a program to be used to look up the user's public keys. 236The program must be owned by root, not writable by group or others and 237specified by an absolute path. 238Arguments to 239.Cm AuthorizedKeysCommand 240accept the tokens described in the 241.Sx TOKENS 242section. 243If no arguments are specified then the username of the target user is used. 244.Pp 245The program should produce on standard output zero or 246more lines of authorized_keys output (see 247.Sx AUTHORIZED_KEYS 248in 249.Xr sshd 8 ) . 250.Cm AuthorizedKeysCommand 251is tried after the usual 252.Cm AuthorizedKeysFile 253files and will not be executed if a matching key is found there. 254By default, no 255.Cm AuthorizedKeysCommand 256is run. 257.It Cm AuthorizedKeysCommandUser 258Specifies the user under whose account the 259.Cm AuthorizedKeysCommand 260is run. 261It is recommended to use a dedicated user that has no other role on the host 262than running authorized keys commands. 263If 264.Cm AuthorizedKeysCommand 265is specified but 266.Cm AuthorizedKeysCommandUser 267is not, then 268.Xr sshd 8 269will refuse to start. 270.It Cm AuthorizedKeysFile 271Specifies the file that contains the public keys used for user authentication. 272The format is described in the AUTHORIZED_KEYS FILE FORMAT section of 273.Xr sshd 8 . 274Arguments to 275.Cm AuthorizedKeysFile 276accept the tokens described in the 277.Sx TOKENS 278section. 279After expansion, 280.Cm AuthorizedKeysFile 281is taken to be an absolute path or one relative to the user's home 282directory. 283Multiple files may be listed, separated by whitespace. 284Alternately this option may be set to 285.Cm none 286to skip checking for user keys in files. 287The default is 288.Qq .ssh/authorized_keys .ssh/authorized_keys2 . 289.It Cm AuthorizedPrincipalsCommand 290Specifies a program to be used to generate the list of allowed 291certificate principals as per 292.Cm AuthorizedPrincipalsFile . 293The program must be owned by root, not writable by group or others and 294specified by an absolute path. 295Arguments to 296.Cm AuthorizedPrincipalsCommand 297accept the tokens described in the 298.Sx TOKENS 299section. 300If no arguments are specified then the username of the target user is used. 301.Pp 302The program should produce on standard output zero or 303more lines of 304.Cm AuthorizedPrincipalsFile 305output. 306If either 307.Cm AuthorizedPrincipalsCommand 308or 309.Cm AuthorizedPrincipalsFile 310is specified, then certificates offered by the client for authentication 311must contain a principal that is listed. 312By default, no 313.Cm AuthorizedPrincipalsCommand 314is run. 315.It Cm AuthorizedPrincipalsCommandUser 316Specifies the user under whose account the 317.Cm AuthorizedPrincipalsCommand 318is run. 319It is recommended to use a dedicated user that has no other role on the host 320than running authorized principals commands. 321If 322.Cm AuthorizedPrincipalsCommand 323is specified but 324.Cm AuthorizedPrincipalsCommandUser 325is not, then 326.Xr sshd 8 327will refuse to start. 328.It Cm AuthorizedPrincipalsFile 329Specifies a file that lists principal names that are accepted for 330certificate authentication. 331When using certificates signed by a key listed in 332.Cm TrustedUserCAKeys , 333this file lists names, one of which must appear in the certificate for it 334to be accepted for authentication. 335Names are listed one per line preceded by key options (as described in 336.Sx AUTHORIZED_KEYS FILE FORMAT 337in 338.Xr sshd 8 ) . 339Empty lines and comments starting with 340.Ql # 341are ignored. 342.Pp 343Arguments to 344.Cm AuthorizedPrincipalsFile 345accept the tokens described in the 346.Sx TOKENS 347section. 348After expansion, 349.Cm AuthorizedPrincipalsFile 350is taken to be an absolute path or one relative to the user's home directory. 351The default is 352.Cm none , 353i.e. not to use a principals file \(en in this case, the username 354of the user must appear in a certificate's principals list for it to be 355accepted. 356.Pp 357Note that 358.Cm AuthorizedPrincipalsFile 359is only used when authentication proceeds using a CA listed in 360.Cm TrustedUserCAKeys 361and is not consulted for certification authorities trusted via 362.Pa ~/.ssh/authorized_keys , 363though the 364.Cm principals= 365key option offers a similar facility (see 366.Xr sshd 8 367for details). 368.It Cm Banner 369The contents of the specified file are sent to the remote user before 370authentication is allowed. 371If the argument is 372.Cm none 373then no banner is displayed. 374By default, no banner is displayed. 375.It Cm CASignatureAlgorithms 376Specifies which algorithms are allowed for signing of certificates 377by certificate authorities (CAs). 378The default is: 379.Bd -literal -offset indent 380ssh-ed25519,ecdsa-sha2-nistp256, 381ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 382sk-ssh-ed25519@openssh.com, 383sk-ecdsa-sha2-nistp256@openssh.com, 384rsa-sha2-512,rsa-sha2-256 385.Ed 386.Pp 387If the specified list begins with a 388.Sq + 389character, then the specified algorithms will be appended to the default set 390instead of replacing them. 391If the specified list begins with a 392.Sq - 393character, then the specified algorithms (including wildcards) will be removed 394from the default set instead of replacing them. 395.Pp 396Certificates signed using other algorithms will not be accepted for 397public key or host-based authentication. 398.It Cm ChannelTimeout 399Specifies whether and how quickly 400.Xr sshd 8 401should close inactive channels. 402Timeouts are specified as one or more 403.Dq type=interval 404pairs separated by whitespace, where the 405.Dq type 406must be a channel type name (as described in the table below), optionally 407containing wildcard characters. 408.Pp 409The timeout value 410.Dq interval 411is specified in seconds or may use any of the units documented in the 412.Sx TIME FORMATS 413section. 414For example, 415.Dq session:*=5m 416would cause all sessions to terminate after five minutes of inactivity. 417Specifying a zero value disables the inactivity timeout. 418.Pp 419The available channel types include: 420.Bl -tag -width Ds 421.It Cm agent-connection 422Open connections to 423.Xr ssh-agent 1 . 424.It Cm direct-tcpip , Cm direct-streamlocal@openssh.com 425Open TCP or Unix socket (respectively) connections that have 426been established from a 427.Xr ssh 1 428local forwarding, i.e.\& 429.Cm LocalForward 430or 431.Cm DynamicForward . 432.It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com 433Open TCP or Unix socket (respectively) connections that have been 434established to a 435.Xr sshd 8 436listening on behalf of a 437.Xr ssh 1 438remote forwarding, i.e.\& 439.Cm RemoteForward . 440.It Cm session:command 441Command execution sessions. 442.It Cm session:shell 443Interactive shell sessions. 444.It Cm session:subsystem:... 445Subsystem sessions, e.g. for 446.Xr sftp 1 , 447which could be identified as 448.Cm session:subsystem:sftp . 449.It Cm x11-connection 450Open X11 forwarding sessions. 451.El 452.Pp 453Note that in all the above cases, terminating an inactive session does not 454guarantee to remove all resources associated with the session, e.g. shell 455processes or X11 clients relating to the session may continue to execute. 456.Pp 457Moreover, terminating an inactive channel or session does not necessarily 458close the SSH connection, nor does it prevent a client from 459requesting another channel of the same type. 460In particular, expiring an inactive forwarding session does not prevent 461another identical forwarding from being subsequently created. 462See also 463.Cm UnusedConnectionTimeout , 464which may be used in conjunction with this option. 465.Pp 466The default is not to expire channels of any type for inactivity. 467.It Cm ChrootDirectory 468Specifies the pathname of a directory to 469.Xr chroot 2 470to after authentication. 471At session startup 472.Xr sshd 8 473checks that all components of the pathname are root-owned directories 474which are not writable by any other user or group. 475After the chroot, 476.Xr sshd 8 477changes the working directory to the user's home directory. 478Arguments to 479.Cm ChrootDirectory 480accept the tokens described in the 481.Sx TOKENS 482section. 483.Pp 484The 485.Cm ChrootDirectory 486must contain the necessary files and directories to support the 487user's session. 488For an interactive session this requires at least a shell, typically 489.Xr sh 1 , 490and basic 491.Pa /dev 492nodes such as 493.Xr null 4 , 494.Xr zero 4 , 495.Xr stdin 4 , 496.Xr stdout 4 , 497.Xr stderr 4 , 498and 499.Xr tty 4 500devices. 501For file transfer sessions using SFTP 502no additional configuration of the environment is necessary if the in-process 503sftp-server is used, 504though sessions which use logging may require 505.Pa /dev/log 506inside the chroot directory on some operating systems (see 507.Xr sftp-server 8 508for details). 509.Pp 510For safety, it is very important that the directory hierarchy be 511prevented from modification by other processes on the system (especially 512those outside the jail). 513Misconfiguration can lead to unsafe environments which 514.Xr sshd 8 515cannot detect. 516.Pp 517The default is 518.Cm none , 519indicating not to 520.Xr chroot 2 . 521.It Cm Ciphers 522Specifies the ciphers allowed. 523Multiple ciphers must be comma-separated. 524If the specified list begins with a 525.Sq + 526character, then the specified ciphers will be appended to the default set 527instead of replacing them. 528If the specified list begins with a 529.Sq - 530character, then the specified ciphers (including wildcards) will be removed 531from the default set instead of replacing them. 532If the specified list begins with a 533.Sq ^ 534character, then the specified ciphers will be placed at the head of the 535default set. 536.Pp 537The supported ciphers are: 538.Pp 539.Bl -item -compact -offset indent 540.It 5413des-cbc 542.It 543aes128-cbc 544.It 545aes192-cbc 546.It 547aes256-cbc 548.It 549aes128-ctr 550.It 551aes192-ctr 552.It 553aes256-ctr 554.It 555aes128-gcm@openssh.com 556.It 557aes256-gcm@openssh.com 558.It 559chacha20-poly1305@openssh.com 560.El 561.Pp 562The default is: 563.Bd -literal -offset indent 564chacha20-poly1305@openssh.com, 565aes128-ctr,aes192-ctr,aes256-ctr, 566aes128-gcm@openssh.com,aes256-gcm@openssh.com 567.Ed 568.Pp 569The list of available ciphers may also be obtained using 570.Qq ssh -Q cipher . 571.It Cm ClientAliveCountMax 572Sets the number of client alive messages which may be sent without 573.Xr sshd 8 574receiving any messages back from the client. 575If this threshold is reached while client alive messages are being sent, 576sshd will disconnect the client, terminating the session. 577It is important to note that the use of client alive messages is very 578different from 579.Cm TCPKeepAlive . 580The client alive messages are sent through the encrypted channel 581and therefore will not be spoofable. 582The TCP keepalive option enabled by 583.Cm TCPKeepAlive 584is spoofable. 585The client alive mechanism is valuable when the client or 586server depend on knowing when a connection has become unresponsive. 587.Pp 588The default value is 3. 589If 590.Cm ClientAliveInterval 591is set to 15, and 592.Cm ClientAliveCountMax 593is left at the default, unresponsive SSH clients 594will be disconnected after approximately 45 seconds. 595Setting a zero 596.Cm ClientAliveCountMax 597disables connection termination. 598.It Cm ClientAliveInterval 599Sets a timeout interval in seconds after which if no data has been received 600from the client, 601.Xr sshd 8 602will send a message through the encrypted 603channel to request a response from the client. 604The default 605is 0, indicating that these messages will not be sent to the client. 606.It Cm Compression 607Specifies whether compression is enabled after 608the user has authenticated successfully. 609The argument must be 610.Cm yes , 611.Cm delayed 612(a legacy synonym for 613.Cm yes ) 614or 615.Cm no . 616The default is 617.Cm yes . 618.It Cm DenyGroups 619This keyword can be followed by a list of group name patterns, separated 620by spaces. 621Login is disallowed for users whose primary group or supplementary 622group list matches one of the patterns. 623Only group names are valid; a numerical group ID is not recognized. 624By default, login is allowed for all groups. 625The allow/deny groups directives are processed in the following order: 626.Cm DenyGroups , 627.Cm AllowGroups . 628.Pp 629See PATTERNS in 630.Xr ssh_config 5 631for more information on patterns. 632.It Cm DenyUsers 633This keyword can be followed by a list of user name patterns, separated 634by spaces. 635Login is disallowed for user names that match one of the patterns. 636Only user names are valid; a numerical user ID is not recognized. 637By default, login is allowed for all users. 638If the pattern takes the form USER@HOST then USER and HOST 639are separately checked, restricting logins to particular 640users from particular hosts. 641HOST criteria may additionally contain addresses to match in CIDR 642address/masklen format. 643The allow/deny users directives are processed in the following order: 644.Cm DenyUsers , 645.Cm AllowUsers . 646.Pp 647See PATTERNS in 648.Xr ssh_config 5 649for more information on patterns. 650.It Cm DisableForwarding 651Disables all forwarding features, including X11, 652.Xr ssh-agent 1 , 653TCP and StreamLocal. 654This option overrides all other forwarding-related options and may 655simplify restricted configurations. 656.It Cm ExposeAuthInfo 657Writes a temporary file containing a list of authentication methods and 658public credentials (e.g. keys) used to authenticate the user. 659The location of the file is exposed to the user session through the 660.Ev SSH_USER_AUTH 661environment variable. 662The default is 663.Cm no . 664.It Cm FingerprintHash 665Specifies the hash algorithm used when logging key fingerprints. 666Valid options are: 667.Cm md5 668and 669.Cm sha256 . 670The default is 671.Cm sha256 . 672.It Cm ForceCommand 673Forces the execution of the command specified by 674.Cm ForceCommand , 675ignoring any command supplied by the client and 676.Pa ~/.ssh/rc 677if present. 678The command is invoked by using the user's login shell with the -c option. 679This applies to shell, command, or subsystem execution. 680It is most useful inside a 681.Cm Match 682block. 683The command originally supplied by the client is available in the 684.Ev SSH_ORIGINAL_COMMAND 685environment variable. 686Specifying a command of 687.Cm internal-sftp 688will force the use of an in-process SFTP server that requires no support 689files when used with 690.Cm ChrootDirectory . 691The default is 692.Cm none . 693.It Cm GatewayPorts 694Specifies whether remote hosts are allowed to connect to ports 695forwarded for the client. 696By default, 697.Xr sshd 8 698binds remote port forwardings to the loopback address. 699This prevents other remote hosts from connecting to forwarded ports. 700.Cm GatewayPorts 701can be used to specify that sshd 702should allow remote port forwardings to bind to non-loopback addresses, thus 703allowing other hosts to connect. 704The argument may be 705.Cm no 706to force remote port forwardings to be available to the local host only, 707.Cm yes 708to force remote port forwardings to bind to the wildcard address, or 709.Cm clientspecified 710to allow the client to select the address to which the forwarding is bound. 711The default is 712.Cm no . 713.It Cm GSSAPIAuthentication 714Specifies whether user authentication based on GSSAPI is allowed. 715The default is 716.Cm no . 717.It Cm GSSAPICleanupCredentials 718Specifies whether to automatically destroy the user's credentials cache 719on logout. 720The default is 721.Cm yes . 722.It Cm GSSAPIStrictAcceptorCheck 723Determines whether to be strict about the identity of the GSSAPI acceptor 724a client authenticates against. 725If set to 726.Cm yes 727then the client must authenticate against the host 728service on the current hostname. 729If set to 730.Cm no 731then the client may authenticate against any service key stored in the 732machine's default store. 733This facility is provided to assist with operation on multi homed machines. 734The default is 735.Cm yes . 736.It Cm HostbasedAcceptedAlgorithms 737Specifies the signature algorithms that will be accepted for hostbased 738authentication as a list of comma-separated patterns. 739Alternately if the specified list begins with a 740.Sq + 741character, then the specified signature algorithms will be appended to 742the default set instead of replacing them. 743If the specified list begins with a 744.Sq - 745character, then the specified signature algorithms (including wildcards) 746will be removed from the default set instead of replacing them. 747If the specified list begins with a 748.Sq ^ 749character, then the specified signature algorithms will be placed at 750the head of the default set. 751The default for this option is: 752.Bd -literal -offset 3n 753ssh-ed25519-cert-v01@openssh.com, 754ecdsa-sha2-nistp256-cert-v01@openssh.com, 755ecdsa-sha2-nistp384-cert-v01@openssh.com, 756ecdsa-sha2-nistp521-cert-v01@openssh.com, 757sk-ssh-ed25519-cert-v01@openssh.com, 758sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, 759rsa-sha2-512-cert-v01@openssh.com, 760rsa-sha2-256-cert-v01@openssh.com, 761ssh-ed25519, 762ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 763sk-ssh-ed25519@openssh.com, 764sk-ecdsa-sha2-nistp256@openssh.com, 765rsa-sha2-512,rsa-sha2-256 766.Ed 767.Pp 768The list of available signature algorithms may also be obtained using 769.Qq ssh -Q HostbasedAcceptedAlgorithms . 770This was formerly named HostbasedAcceptedKeyTypes. 771.It Cm HostbasedAuthentication 772Specifies whether rhosts or /etc/hosts.equiv authentication together 773with successful public key client host authentication is allowed 774(host-based authentication). 775The default is 776.Cm no . 777.It Cm HostbasedUsesNameFromPacketOnly 778Specifies whether or not the server will attempt to perform a reverse 779name lookup when matching the name in the 780.Pa ~/.shosts , 781.Pa ~/.rhosts , 782and 783.Pa /etc/hosts.equiv 784files during 785.Cm HostbasedAuthentication . 786A setting of 787.Cm yes 788means that 789.Xr sshd 8 790uses the name supplied by the client rather than 791attempting to resolve the name from the TCP connection itself. 792The default is 793.Cm no . 794.It Cm HostCertificate 795Specifies a file containing a public host certificate. 796The certificate's public key must match a private host key already specified 797by 798.Cm HostKey . 799The default behaviour of 800.Xr sshd 8 801is not to load any certificates. 802.It Cm HostKey 803Specifies a file containing a private host key 804used by SSH. 805The defaults are 806.Pa /etc/ssh/ssh_host_ecdsa_key , 807.Pa /etc/ssh/ssh_host_ed25519_key 808and 809.Pa /etc/ssh/ssh_host_rsa_key . 810.Pp 811Note that 812.Xr sshd 8 813will refuse to use a file if it is group/world-accessible 814and that the 815.Cm HostKeyAlgorithms 816option restricts which of the keys are actually used by 817.Xr sshd 8 . 818.Pp 819It is possible to have multiple host key files. 820It is also possible to specify public host key files instead. 821In this case operations on the private key will be delegated 822to an 823.Xr ssh-agent 1 . 824.It Cm HostKeyAgent 825Identifies the UNIX-domain socket used to communicate 826with an agent that has access to the private host keys. 827If the string 828.Qq SSH_AUTH_SOCK 829is specified, the location of the socket will be read from the 830.Ev SSH_AUTH_SOCK 831environment variable. 832.It Cm HostKeyAlgorithms 833Specifies the host key signature algorithms 834that the server offers. 835The default for this option is: 836.Bd -literal -offset 3n 837ssh-ed25519-cert-v01@openssh.com, 838ecdsa-sha2-nistp256-cert-v01@openssh.com, 839ecdsa-sha2-nistp384-cert-v01@openssh.com, 840ecdsa-sha2-nistp521-cert-v01@openssh.com, 841sk-ssh-ed25519-cert-v01@openssh.com, 842sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, 843rsa-sha2-512-cert-v01@openssh.com, 844rsa-sha2-256-cert-v01@openssh.com, 845ssh-ed25519, 846ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 847sk-ssh-ed25519@openssh.com, 848sk-ecdsa-sha2-nistp256@openssh.com, 849rsa-sha2-512,rsa-sha2-256 850.Ed 851.Pp 852The list of available signature algorithms may also be obtained using 853.Qq ssh -Q HostKeyAlgorithms . 854.It Cm IgnoreRhosts 855Specifies whether to ignore per-user 856.Pa .rhosts 857and 858.Pa .shosts 859files during 860.Cm HostbasedAuthentication . 861The system-wide 862.Pa /etc/hosts.equiv 863and 864.Pa /etc/ssh/shosts.equiv 865are still used regardless of this setting. 866.Pp 867Accepted values are 868.Cm yes 869(the default) to ignore all per-user files, 870.Cm shosts-only 871to allow the use of 872.Pa .shosts 873but to ignore 874.Pa .rhosts 875or 876.Cm no 877to allow both 878.Pa .shosts 879and 880.Pa rhosts . 881.It Cm IgnoreUserKnownHosts 882Specifies whether 883.Xr sshd 8 884should ignore the user's 885.Pa ~/.ssh/known_hosts 886during 887.Cm HostbasedAuthentication 888and use only the system-wide known hosts file 889.Pa /etc/ssh/ssh_known_hosts . 890The default is 891.Dq no . 892.It Cm Include 893Include the specified configuration file(s). 894Multiple pathnames may be specified and each pathname may contain 895.Xr glob 7 896wildcards that will be expanded and processed in lexical order. 897Files without absolute paths are assumed to be in 898.Pa /etc/ssh . 899An 900.Cm Include 901directive may appear inside a 902.Cm Match 903block 904to perform conditional inclusion. 905.It Cm IPQoS 906Specifies the IPv4 type-of-service or DSCP class for the connection. 907Accepted values are 908.Cm af11 , 909.Cm af12 , 910.Cm af13 , 911.Cm af21 , 912.Cm af22 , 913.Cm af23 , 914.Cm af31 , 915.Cm af32 , 916.Cm af33 , 917.Cm af41 , 918.Cm af42 , 919.Cm af43 , 920.Cm cs0 , 921.Cm cs1 , 922.Cm cs2 , 923.Cm cs3 , 924.Cm cs4 , 925.Cm cs5 , 926.Cm cs6 , 927.Cm cs7 , 928.Cm ef , 929.Cm le , 930.Cm lowdelay , 931.Cm throughput , 932.Cm reliability , 933a numeric value, or 934.Cm none 935to use the operating system default. 936This option may take one or two arguments, separated by whitespace. 937If one argument is specified, it is used as the packet class unconditionally. 938If two values are specified, the first is automatically selected for 939interactive sessions and the second for non-interactive sessions. 940The default is 941.Cm af21 942(Low-Latency Data) 943for interactive sessions and 944.Cm cs1 945(Lower Effort) 946for non-interactive sessions. 947.It Cm KbdInteractiveAuthentication 948Specifies whether to allow keyboard-interactive authentication. 949All authentication styles from 950.Xr login.conf 5 951are supported. 952The default is 953.Cm yes . 954The argument to this keyword must be 955.Cm yes 956or 957.Cm no . 958.Cm ChallengeResponseAuthentication 959is a deprecated alias for this. 960.It Cm KerberosAuthentication 961Specifies whether the password provided by the user for 962.Cm PasswordAuthentication 963will be validated through the Kerberos KDC. 964To use this option, the server needs a 965Kerberos servtab which allows the verification of the KDC's identity. 966The default is 967.Cm no . 968.It Cm KerberosGetAFSToken 969If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire 970an AFS token before accessing the user's home directory. 971The default is 972.Cm no . 973.It Cm KerberosOrLocalPasswd 974If password authentication through Kerberos fails then 975the password will be validated via any additional local mechanism 976such as 977.Pa /etc/passwd . 978The default is 979.Cm yes . 980.It Cm KerberosTicketCleanup 981Specifies whether to automatically destroy the user's ticket cache 982file on logout. 983The default is 984.Cm yes . 985.It Cm KexAlgorithms 986Specifies the available KEX (Key Exchange) algorithms. 987Multiple algorithms must be comma-separated. 988Alternately if the specified list begins with a 989.Sq + 990character, then the specified algorithms will be appended to the default set 991instead of replacing them. 992If the specified list begins with a 993.Sq - 994character, then the specified algorithms (including wildcards) will be removed 995from the default set instead of replacing them. 996If the specified list begins with a 997.Sq ^ 998character, then the specified algorithms will be placed at the head of the 999default set. 1000The supported algorithms are: 1001.Pp 1002.Bl -item -compact -offset indent 1003.It 1004curve25519-sha256 1005.It 1006curve25519-sha256@libssh.org 1007.It 1008diffie-hellman-group1-sha1 1009.It 1010diffie-hellman-group14-sha1 1011.It 1012diffie-hellman-group14-sha256 1013.It 1014diffie-hellman-group16-sha512 1015.It 1016diffie-hellman-group18-sha512 1017.It 1018diffie-hellman-group-exchange-sha1 1019.It 1020diffie-hellman-group-exchange-sha256 1021.It 1022ecdh-sha2-nistp256 1023.It 1024ecdh-sha2-nistp384 1025.It 1026ecdh-sha2-nistp521 1027.It 1028sntrup761x25519-sha512@openssh.com 1029.El 1030.Pp 1031The default is: 1032.Bd -literal -offset indent 1033sntrup761x25519-sha512@openssh.com, 1034curve25519-sha256,curve25519-sha256@libssh.org, 1035ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 1036diffie-hellman-group-exchange-sha256, 1037diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, 1038diffie-hellman-group14-sha256 1039.Ed 1040.Pp 1041The list of available key exchange algorithms may also be obtained using 1042.Qq ssh -Q KexAlgorithms . 1043.It Cm ListenAddress 1044Specifies the local addresses 1045.Xr sshd 8 1046should listen on. 1047The following forms may be used: 1048.Pp 1049.Bl -item -offset indent -compact 1050.It 1051.Cm ListenAddress 1052.Sm off 1053.Ar hostname | address 1054.Sm on 1055.Op Cm rdomain Ar domain 1056.It 1057.Cm ListenAddress 1058.Sm off 1059.Ar hostname : port 1060.Sm on 1061.Op Cm rdomain Ar domain 1062.It 1063.Cm ListenAddress 1064.Sm off 1065.Ar IPv4_address : port 1066.Sm on 1067.Op Cm rdomain Ar domain 1068.It 1069.Cm ListenAddress 1070.Sm off 1071.Oo Ar hostname | address Oc : Ar port 1072.Sm on 1073.Op Cm rdomain Ar domain 1074.El 1075.Pp 1076The optional 1077.Cm rdomain 1078qualifier requests 1079.Xr sshd 8 1080listen in an explicit routing domain. 1081If 1082.Ar port 1083is not specified, 1084sshd will listen on the address and all 1085.Cm Port 1086options specified. 1087The default is to listen on all local addresses on the current default 1088routing domain. 1089Multiple 1090.Cm ListenAddress 1091options are permitted. 1092For more information on routing domains, see 1093.Xr rdomain 4 . 1094.It Cm LoginGraceTime 1095The server disconnects after this time if the user has not 1096successfully logged in. 1097If the value is 0, there is no time limit. 1098The default is 120 seconds. 1099.It Cm LogLevel 1100Gives the verbosity level that is used when logging messages from 1101.Xr sshd 8 . 1102The possible values are: 1103QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. 1104The default is INFO. 1105DEBUG and DEBUG1 are equivalent. 1106DEBUG2 and DEBUG3 each specify higher levels of debugging output. 1107Logging with a DEBUG level violates the privacy of users and is not recommended. 1108.It Cm LogVerbose 1109Specify one or more overrides to LogLevel. 1110An override consists of a pattern lists that matches the source file, function 1111and line number to force detailed logging for. 1112For example, an override pattern of: 1113.Bd -literal -offset indent 1114kex.c:*:1000,*:kex_exchange_identification():*,packet.c:* 1115.Ed 1116.Pp 1117would enable detailed logging for line 1000 of 1118.Pa kex.c , 1119everything in the 1120.Fn kex_exchange_identification 1121function, and all code in the 1122.Pa packet.c 1123file. 1124This option is intended for debugging and no overrides are enabled by default. 1125.It Cm MACs 1126Specifies the available MAC (message authentication code) algorithms. 1127The MAC algorithm is used for data integrity protection. 1128Multiple algorithms must be comma-separated. 1129If the specified list begins with a 1130.Sq + 1131character, then the specified algorithms will be appended to the default set 1132instead of replacing them. 1133If the specified list begins with a 1134.Sq - 1135character, then the specified algorithms (including wildcards) will be removed 1136from the default set instead of replacing them. 1137If the specified list begins with a 1138.Sq ^ 1139character, then the specified algorithms will be placed at the head of the 1140default set. 1141.Pp 1142The algorithms that contain 1143.Qq -etm 1144calculate the MAC after encryption (encrypt-then-mac). 1145These are considered safer and their use recommended. 1146The supported MACs are: 1147.Pp 1148.Bl -item -compact -offset indent 1149.It 1150hmac-md5 1151.It 1152hmac-md5-96 1153.It 1154hmac-sha1 1155.It 1156hmac-sha1-96 1157.It 1158hmac-sha2-256 1159.It 1160hmac-sha2-512 1161.It 1162umac-64@openssh.com 1163.It 1164umac-128@openssh.com 1165.It 1166hmac-md5-etm@openssh.com 1167.It 1168hmac-md5-96-etm@openssh.com 1169.It 1170hmac-sha1-etm@openssh.com 1171.It 1172hmac-sha1-96-etm@openssh.com 1173.It 1174hmac-sha2-256-etm@openssh.com 1175.It 1176hmac-sha2-512-etm@openssh.com 1177.It 1178umac-64-etm@openssh.com 1179.It 1180umac-128-etm@openssh.com 1181.El 1182.Pp 1183The default is: 1184.Bd -literal -offset indent 1185umac-64-etm@openssh.com,umac-128-etm@openssh.com, 1186hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 1187hmac-sha1-etm@openssh.com, 1188umac-64@openssh.com,umac-128@openssh.com, 1189hmac-sha2-256,hmac-sha2-512,hmac-sha1 1190.Ed 1191.Pp 1192The list of available MAC algorithms may also be obtained using 1193.Qq ssh -Q mac . 1194.It Cm Match 1195Introduces a conditional block. 1196If all of the criteria on the 1197.Cm Match 1198line are satisfied, the keywords on the following lines override those 1199set in the global section of the config file, until either another 1200.Cm Match 1201line or the end of the file. 1202If a keyword appears in multiple 1203.Cm Match 1204blocks that are satisfied, only the first instance of the keyword is 1205applied. 1206.Pp 1207The arguments to 1208.Cm Match 1209are one or more criteria-pattern pairs or the single token 1210.Cm All 1211which matches all criteria. 1212The available criteria are 1213.Cm User , 1214.Cm Group , 1215.Cm Host , 1216.Cm LocalAddress , 1217.Cm LocalPort , 1218.Cm RDomain , 1219and 1220.Cm Address 1221(with 1222.Cm RDomain 1223representing the 1224.Xr rdomain 4 1225on which the connection was received). 1226.Pp 1227The match patterns may consist of single entries or comma-separated 1228lists and may use the wildcard and negation operators described in the 1229.Sx PATTERNS 1230section of 1231.Xr ssh_config 5 . 1232.Pp 1233The patterns in an 1234.Cm Address 1235criteria may additionally contain addresses to match in CIDR 1236address/masklen format, 1237such as 192.0.2.0/24 or 2001:db8::/32. 1238Note that the mask length provided must be consistent with the address - 1239it is an error to specify a mask length that is too long for the address 1240or one with bits set in this host portion of the address. 1241For example, 192.0.2.0/33 and 192.0.2.0/8, respectively. 1242.Pp 1243Only a subset of keywords may be used on the lines following a 1244.Cm Match 1245keyword. 1246Available keywords are 1247.Cm AcceptEnv , 1248.Cm AllowAgentForwarding , 1249.Cm AllowGroups , 1250.Cm AllowStreamLocalForwarding , 1251.Cm AllowTcpForwarding , 1252.Cm AllowUsers , 1253.Cm AuthenticationMethods , 1254.Cm AuthorizedKeysCommand , 1255.Cm AuthorizedKeysCommandUser , 1256.Cm AuthorizedKeysFile , 1257.Cm AuthorizedPrincipalsCommand , 1258.Cm AuthorizedPrincipalsCommandUser , 1259.Cm AuthorizedPrincipalsFile , 1260.Cm Banner , 1261.Cm CASignatureAlgorithms , 1262.Cm ChannelTimeout , 1263.Cm ChrootDirectory , 1264.Cm ClientAliveCountMax , 1265.Cm ClientAliveInterval , 1266.Cm DenyGroups , 1267.Cm DenyUsers , 1268.Cm DisableForwarding , 1269.Cm ExposeAuthInfo , 1270.Cm ForceCommand , 1271.Cm GatewayPorts , 1272.Cm GSSAPIAuthentication , 1273.Cm HostbasedAcceptedAlgorithms , 1274.Cm HostbasedAuthentication , 1275.Cm HostbasedUsesNameFromPacketOnly , 1276.Cm IgnoreRhosts , 1277.Cm Include , 1278.Cm IPQoS , 1279.Cm KbdInteractiveAuthentication , 1280.Cm KerberosAuthentication , 1281.Cm LogLevel , 1282.Cm MaxAuthTries , 1283.Cm MaxSessions , 1284.Cm PasswordAuthentication , 1285.Cm PermitEmptyPasswords , 1286.Cm PermitListen , 1287.Cm PermitOpen , 1288.Cm PermitRootLogin , 1289.Cm PermitTTY , 1290.Cm PermitTunnel , 1291.Cm PermitUserRC , 1292.Cm PubkeyAcceptedAlgorithms , 1293.Cm PubkeyAuthentication , 1294.Cm PubkeyAuthOptions , 1295.Cm RekeyLimit , 1296.Cm RevokedKeys , 1297.Cm RDomain , 1298.Cm SetEnv , 1299.Cm StreamLocalBindMask , 1300.Cm StreamLocalBindUnlink , 1301.Cm TrustedUserCAKeys , 1302.Cm UnusedConnectionTimeout , 1303.Cm X11DisplayOffset , 1304.Cm X11Forwarding 1305and 1306.Cm X11UseLocalhost . 1307.It Cm MaxAuthTries 1308Specifies the maximum number of authentication attempts permitted per 1309connection. 1310Once the number of failures reaches half this value, 1311additional failures are logged. 1312The default is 6. 1313.It Cm MaxSessions 1314Specifies the maximum number of open shell, login or subsystem (e.g. sftp) 1315sessions permitted per network connection. 1316Multiple sessions may be established by clients that support connection 1317multiplexing. 1318Setting 1319.Cm MaxSessions 1320to 1 will effectively disable session multiplexing, whereas setting it to 0 1321will prevent all shell, login and subsystem sessions while still permitting 1322forwarding. 1323The default is 10. 1324.It Cm MaxStartups 1325Specifies the maximum number of concurrent unauthenticated connections to the 1326SSH daemon. 1327Additional connections will be dropped until authentication succeeds or the 1328.Cm LoginGraceTime 1329expires for a connection. 1330The default is 10:30:100. 1331.Pp 1332Alternatively, random early drop can be enabled by specifying 1333the three colon separated values 1334start:rate:full (e.g. "10:30:60"). 1335.Xr sshd 8 1336will refuse connection attempts with a probability of rate/100 (30%) 1337if there are currently start (10) unauthenticated connections. 1338The probability increases linearly and all connection attempts 1339are refused if the number of unauthenticated connections reaches full (60). 1340.It Cm ModuliFile 1341Specifies the 1342.Xr moduli 5 1343file that contains the Diffie-Hellman groups used for the 1344.Dq diffie-hellman-group-exchange-sha1 1345and 1346.Dq diffie-hellman-group-exchange-sha256 1347key exchange methods. 1348The default is 1349.Pa /etc/moduli . 1350.It Cm PasswordAuthentication 1351Specifies whether password authentication is allowed. 1352Note that passwords may also be accepted via 1353.Cm KbdInteractiveAuthentication . 1354See also 1355.Cm UsePAM . 1356The default is 1357.Cm no . 1358.It Cm PermitEmptyPasswords 1359When password authentication is allowed, it specifies whether the 1360server allows login to accounts with empty password strings. 1361The default is 1362.Cm no . 1363.It Cm PermitListen 1364Specifies the addresses/ports on which a remote TCP port forwarding may listen. 1365The listen specification must be one of the following forms: 1366.Pp 1367.Bl -item -offset indent -compact 1368.It 1369.Cm PermitListen 1370.Sm off 1371.Ar port 1372.Sm on 1373.It 1374.Cm PermitListen 1375.Sm off 1376.Ar host : port 1377.Sm on 1378.El 1379.Pp 1380Multiple permissions may be specified by separating them with whitespace. 1381An argument of 1382.Cm any 1383can be used to remove all restrictions and permit any listen requests. 1384An argument of 1385.Cm none 1386can be used to prohibit all listen requests. 1387The host name may contain wildcards as described in the PATTERNS section in 1388.Xr ssh_config 5 . 1389The wildcard 1390.Sq * 1391can also be used in place of a port number to allow all ports. 1392By default all port forwarding listen requests are permitted. 1393Note that the 1394.Cm GatewayPorts 1395option may further restrict which addresses may be listened on. 1396Note also that 1397.Xr ssh 1 1398will request a listen host of 1399.Dq localhost 1400if no listen host was specifically requested, and this name is 1401treated differently to explicit localhost addresses of 1402.Dq 127.0.0.1 1403and 1404.Dq ::1 . 1405.It Cm PermitOpen 1406Specifies the destinations to which TCP port forwarding is permitted. 1407The forwarding specification must be one of the following forms: 1408.Pp 1409.Bl -item -offset indent -compact 1410.It 1411.Cm PermitOpen 1412.Sm off 1413.Ar host : port 1414.Sm on 1415.It 1416.Cm PermitOpen 1417.Sm off 1418.Ar IPv4_addr : port 1419.Sm on 1420.It 1421.Cm PermitOpen 1422.Sm off 1423.Ar \&[ IPv6_addr \&] : port 1424.Sm on 1425.El 1426.Pp 1427Multiple forwards may be specified by separating them with whitespace. 1428An argument of 1429.Cm any 1430can be used to remove all restrictions and permit any forwarding requests. 1431An argument of 1432.Cm none 1433can be used to prohibit all forwarding requests. 1434The wildcard 1435.Sq * 1436can be used for host or port to allow all hosts or ports respectively. 1437Otherwise, no pattern matching or address lookups are performed on supplied 1438names. 1439By default all port forwarding requests are permitted. 1440.It Cm PermitRootLogin 1441Specifies whether root can log in using 1442.Xr ssh 1 . 1443The argument must be 1444.Cm yes , 1445.Cm prohibit-password , 1446.Cm forced-commands-only , 1447or 1448.Cm no . 1449The default is 1450.Cm no . 1451Note that if 1452.Cm ChallengeResponseAuthentication 1453and 1454.Cm UsePAM 1455are both 1456.Cm yes , 1457this setting may be overridden by the PAM policy. 1458.Pp 1459If this option is set to 1460.Cm prohibit-password 1461(or its deprecated alias, 1462.Cm without-password ) , 1463password and keyboard-interactive authentication are disabled for root. 1464.Pp 1465If this option is set to 1466.Cm forced-commands-only , 1467root login with public key authentication will be allowed, 1468but only if the 1469.Ar command 1470option has been specified 1471(which may be useful for taking remote backups even if root login is 1472normally not allowed). 1473All other authentication methods are disabled for root. 1474.Pp 1475If this option is set to 1476.Cm no , 1477root is not allowed to log in. 1478.It Cm PermitTTY 1479Specifies whether 1480.Xr pty 4 1481allocation is permitted. 1482The default is 1483.Cm yes . 1484.It Cm PermitTunnel 1485Specifies whether 1486.Xr tun 4 1487device forwarding is allowed. 1488The argument must be 1489.Cm yes , 1490.Cm point-to-point 1491(layer 3), 1492.Cm ethernet 1493(layer 2), or 1494.Cm no . 1495Specifying 1496.Cm yes 1497permits both 1498.Cm point-to-point 1499and 1500.Cm ethernet . 1501The default is 1502.Cm no . 1503.Pp 1504Independent of this setting, the permissions of the selected 1505.Xr tun 4 1506device must allow access to the user. 1507.It Cm PermitUserEnvironment 1508Specifies whether 1509.Pa ~/.ssh/environment 1510and 1511.Cm environment= 1512options in 1513.Pa ~/.ssh/authorized_keys 1514are processed by 1515.Xr sshd 8 . 1516Valid options are 1517.Cm yes , 1518.Cm no 1519or a pattern-list specifying which environment variable names to accept 1520(for example 1521.Qq LANG,LC_* ) . 1522The default is 1523.Cm no . 1524Enabling environment processing may enable users to bypass access 1525restrictions in some configurations using mechanisms such as 1526.Ev LD_PRELOAD . 1527.It Cm PermitUserRC 1528Specifies whether any 1529.Pa ~/.ssh/rc 1530file is executed. 1531The default is 1532.Cm yes . 1533.It Cm PerSourceMaxStartups 1534Specifies the number of unauthenticated connections allowed from a 1535given source address, or 1536.Dq none 1537if there is no limit. 1538This limit is applied in addition to 1539.Cm MaxStartups , 1540whichever is lower. 1541The default is 1542.Cm none . 1543.It Cm PerSourceNetBlockSize 1544Specifies the number of bits of source address that are grouped together 1545for the purposes of applying PerSourceMaxStartups limits. 1546Values for IPv4 and optionally IPv6 may be specified, separated by a colon. 1547The default is 1548.Cm 32:128 , 1549which means each address is considered individually. 1550.It Cm PidFile 1551Specifies the file that contains the process ID of the 1552SSH daemon, or 1553.Cm none 1554to not write one. 1555The default is 1556.Pa /var/run/sshd.pid . 1557.It Cm Port 1558Specifies the port number that 1559.Xr sshd 8 1560listens on. 1561The default is 22. 1562Multiple options of this type are permitted. 1563See also 1564.Cm ListenAddress . 1565.It Cm PrintLastLog 1566Specifies whether 1567.Xr sshd 8 1568should print the date and time of the last user login when a user logs 1569in interactively. 1570The default is 1571.Cm yes . 1572.It Cm PrintMotd 1573Specifies whether 1574.Xr sshd 8 1575should print 1576.Pa /etc/motd 1577when a user logs in interactively. 1578(On some systems it is also printed by the shell, 1579.Pa /etc/profile , 1580or equivalent.) 1581The default is 1582.Cm yes . 1583.It Cm PubkeyAcceptedAlgorithms 1584Specifies the signature algorithms that will be accepted for public key 1585authentication as a list of comma-separated patterns. 1586Alternately if the specified list begins with a 1587.Sq + 1588character, then the specified algorithms will be appended to the default set 1589instead of replacing them. 1590If the specified list begins with a 1591.Sq - 1592character, then the specified algorithms (including wildcards) will be removed 1593from the default set instead of replacing them. 1594If the specified list begins with a 1595.Sq ^ 1596character, then the specified algorithms will be placed at the head of the 1597default set. 1598The default for this option is: 1599.Bd -literal -offset 3n 1600ssh-ed25519-cert-v01@openssh.com, 1601ecdsa-sha2-nistp256-cert-v01@openssh.com, 1602ecdsa-sha2-nistp384-cert-v01@openssh.com, 1603ecdsa-sha2-nistp521-cert-v01@openssh.com, 1604sk-ssh-ed25519-cert-v01@openssh.com, 1605sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, 1606rsa-sha2-512-cert-v01@openssh.com, 1607rsa-sha2-256-cert-v01@openssh.com, 1608ssh-ed25519, 1609ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 1610sk-ssh-ed25519@openssh.com, 1611sk-ecdsa-sha2-nistp256@openssh.com, 1612rsa-sha2-512,rsa-sha2-256 1613.Ed 1614.Pp 1615The list of available signature algorithms may also be obtained using 1616.Qq ssh -Q PubkeyAcceptedAlgorithms . 1617.It Cm PubkeyAuthOptions 1618Sets one or more public key authentication options. 1619The supported keywords are: 1620.Cm none 1621(the default; indicating no additional options are enabled), 1622.Cm touch-required 1623and 1624.Cm verify-required . 1625.Pp 1626The 1627.Cm touch-required 1628option causes public key authentication using a FIDO authenticator algorithm 1629(i.e.\& 1630.Cm ecdsa-sk 1631or 1632.Cm ed25519-sk ) 1633to always require the signature to attest that a physically present user 1634explicitly confirmed the authentication (usually by touching the authenticator). 1635By default, 1636.Xr sshd 8 1637requires user presence unless overridden with an authorized_keys option. 1638The 1639.Cm touch-required 1640flag disables this override. 1641.Pp 1642The 1643.Cm verify-required 1644option requires a FIDO key signature attest that the user was verified, 1645e.g. via a PIN. 1646.Pp 1647Neither the 1648.Cm touch-required 1649or 1650.Cm verify-required 1651options have any effect for other, non-FIDO, public key types. 1652.It Cm PubkeyAuthentication 1653Specifies whether public key authentication is allowed. 1654The default is 1655.Cm yes . 1656.It Cm RekeyLimit 1657Specifies the maximum amount of data that may be transmitted or received 1658before the session key is renegotiated, optionally followed by a maximum 1659amount of time that may pass before the session key is renegotiated. 1660The first argument is specified in bytes and may have a suffix of 1661.Sq K , 1662.Sq M , 1663or 1664.Sq G 1665to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 1666The default is between 1667.Sq 1G 1668and 1669.Sq 4G , 1670depending on the cipher. 1671The optional second value is specified in seconds and may use any of the 1672units documented in the 1673.Sx TIME FORMATS 1674section. 1675The default value for 1676.Cm RekeyLimit 1677is 1678.Cm default none , 1679which means that rekeying is performed after the cipher's default amount 1680of data has been sent or received and no time based rekeying is done. 1681.It Cm RequiredRSASize 1682Specifies the minimum RSA key size (in bits) that 1683.Xr sshd 8 1684will accept. 1685User and host-based authentication keys smaller than this limit will be 1686refused. 1687The default is 1688.Cm 1024 1689bits. 1690Note that this limit may only be raised from the default. 1691.It Cm RevokedKeys 1692Specifies revoked public keys file, or 1693.Cm none 1694to not use one. 1695Keys listed in this file will be refused for public key authentication. 1696Note that if this file is not readable, then public key authentication will 1697be refused for all users. 1698Keys may be specified as a text file, listing one public key per line, or as 1699an OpenSSH Key Revocation List (KRL) as generated by 1700.Xr ssh-keygen 1 . 1701For more information on KRLs, see the KEY REVOCATION LISTS section in 1702.Xr ssh-keygen 1 . 1703.It Cm RDomain 1704Specifies an explicit routing domain that is applied after authentication 1705has completed. 1706The user session, as well as any forwarded or listening IP sockets, 1707will be bound to this 1708.Xr rdomain 4 . 1709If the routing domain is set to 1710.Cm \&%D , 1711then the domain in which the incoming connection was received will be applied. 1712.It Cm SecurityKeyProvider 1713Specifies a path to a library that will be used when loading 1714FIDO authenticator-hosted keys, overriding the default of using 1715the built-in USB HID support. 1716.It Cm SetEnv 1717Specifies one or more environment variables to set in child sessions started 1718by 1719.Xr sshd 8 1720as 1721.Dq NAME=VALUE . 1722The environment value may be quoted (e.g. if it contains whitespace 1723characters). 1724Environment variables set by 1725.Cm SetEnv 1726override the default environment and any variables specified by the user 1727via 1728.Cm AcceptEnv 1729or 1730.Cm PermitUserEnvironment . 1731.It Cm StreamLocalBindMask 1732Sets the octal file creation mode mask 1733.Pq umask 1734used when creating a Unix-domain socket file for local or remote 1735port forwarding. 1736This option is only used for port forwarding to a Unix-domain socket file. 1737.Pp 1738The default value is 0177, which creates a Unix-domain socket file that is 1739readable and writable only by the owner. 1740Note that not all operating systems honor the file mode on Unix-domain 1741socket files. 1742.It Cm StreamLocalBindUnlink 1743Specifies whether to remove an existing Unix-domain socket file for local 1744or remote port forwarding before creating a new one. 1745If the socket file already exists and 1746.Cm StreamLocalBindUnlink 1747is not enabled, 1748.Nm sshd 1749will be unable to forward the port to the Unix-domain socket file. 1750This option is only used for port forwarding to a Unix-domain socket file. 1751.Pp 1752The argument must be 1753.Cm yes 1754or 1755.Cm no . 1756The default is 1757.Cm no . 1758.It Cm StrictModes 1759Specifies whether 1760.Xr sshd 8 1761should check file modes and ownership of the 1762user's files and home directory before accepting login. 1763This is normally desirable because novices sometimes accidentally leave their 1764directory or files world-writable. 1765The default is 1766.Cm yes . 1767Note that this does not apply to 1768.Cm ChrootDirectory , 1769whose permissions and ownership are checked unconditionally. 1770.It Cm Subsystem 1771Configures an external subsystem (e.g. file transfer daemon). 1772Arguments should be a subsystem name and a command (with optional arguments) 1773to execute upon subsystem request. 1774.Pp 1775The command 1776.Cm sftp-server 1777implements the SFTP file transfer subsystem. 1778.Pp 1779Alternately the name 1780.Cm internal-sftp 1781implements an in-process SFTP server. 1782This may simplify configurations using 1783.Cm ChrootDirectory 1784to force a different filesystem root on clients. 1785.Pp 1786By default no subsystems are defined. 1787.It Cm SyslogFacility 1788Gives the facility code that is used when logging messages from 1789.Xr sshd 8 . 1790The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 1791LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 1792The default is AUTH. 1793.It Cm TCPKeepAlive 1794Specifies whether the system should send TCP keepalive messages to the 1795other side. 1796If they are sent, death of the connection or crash of one 1797of the machines will be properly noticed. 1798However, this means that 1799connections will die if the route is down temporarily, and some people 1800find it annoying. 1801On the other hand, if TCP keepalives are not sent, 1802sessions may hang indefinitely on the server, leaving 1803.Qq ghost 1804users and consuming server resources. 1805.Pp 1806The default is 1807.Cm yes 1808(to send TCP keepalive messages), and the server will notice 1809if the network goes down or the client host crashes. 1810This avoids infinitely hanging sessions. 1811.Pp 1812To disable TCP keepalive messages, the value should be set to 1813.Cm no . 1814.It Cm TrustedUserCAKeys 1815Specifies a file containing public keys of certificate authorities that are 1816trusted to sign user certificates for authentication, or 1817.Cm none 1818to not use one. 1819Keys are listed one per line; empty lines and comments starting with 1820.Ql # 1821are allowed. 1822If a certificate is presented for authentication and has its signing CA key 1823listed in this file, then it may be used for authentication for any user 1824listed in the certificate's principals list. 1825Note that certificates that lack a list of principals will not be permitted 1826for authentication using 1827.Cm TrustedUserCAKeys . 1828For more details on certificates, see the CERTIFICATES section in 1829.Xr ssh-keygen 1 . 1830.It Cm UnusedConnectionTimeout 1831Specifies whether and how quickly 1832.Xr sshd 8 1833should close client connections with no open channels. 1834Open channels include active shell, command execution or subsystem 1835sessions, connected network, socket, agent or X11 forwardings. 1836Forwarding listeners, such as those from the 1837.Xr ssh 1 1838.Fl R 1839flag, are not considered as open channels and do not prevent the timeout. 1840The timeout value 1841is specified in seconds or may use any of the units documented in the 1842.Sx TIME FORMATS 1843section. 1844.Pp 1845Note that this timeout starts when the client connection completes 1846user authentication but before the client has an opportunity to open any 1847channels. 1848Caution should be used when using short timeout values, as they may not 1849provide sufficient time for the client to request and open its channels 1850before terminating the connection. 1851.Pp 1852The default 1853.Cm none 1854is to never expire connections for having no open channels. 1855This option may be useful in conjunction with 1856.Cm ChannelTimeout . 1857.It Cm UseBlacklist 1858Specifies whether 1859.Xr sshd 8 1860attempts to send authentication success and failure messages 1861to the 1862.Xr blacklistd 8 1863daemon. 1864The default is 1865.Cm no . 1866For forward compatibility with an upcoming 1867.Xr blacklistd 1868rename, the 1869.Cm UseBlocklist 1870alias can be used instead. 1871.It Cm UseDNS 1872Specifies whether 1873.Xr sshd 8 1874should look up the remote host name, and to check that 1875the resolved host name for the remote IP address maps back to the 1876very same IP address. 1877.Pp 1878If this option is set to 1879.Cm no , 1880then only addresses and not host names may be used in 1881.Pa ~/.ssh/authorized_keys 1882.Cm from 1883and 1884.Nm 1885.Cm Match 1886.Cm Host 1887directives. 1888The default is 1889.Dq yes . 1890.It Cm UsePAM 1891Enables the Pluggable Authentication Module interface. 1892If set to 1893.Cm yes 1894this will enable PAM authentication using 1895.Cm KbdInteractiveAuthentication 1896and 1897.Cm PasswordAuthentication 1898in addition to PAM account and session module processing for all 1899authentication types. 1900.Pp 1901Because PAM keyboard-interactive authentication usually serves an equivalent 1902role to password authentication, you should disable either 1903.Cm PasswordAuthentication 1904or 1905.Cm KbdInteractiveAuthentication . 1906.Pp 1907If 1908.Cm UsePAM 1909is enabled, you will not be able to run 1910.Xr sshd 8 1911as a non-root user. 1912The default is 1913.Cm yes . 1914.It Cm VersionAddendum 1915Optionally specifies additional text to append to the SSH protocol banner 1916sent by the server upon connection. 1917The default is 1918.Qq FreeBSD-20230205 . 1919The value 1920.Cm none 1921may be used to disable this. 1922.It Cm X11DisplayOffset 1923Specifies the first display number available for 1924.Xr sshd 8 Ns 's 1925X11 forwarding. 1926This prevents sshd from interfering with real X11 servers. 1927The default is 10. 1928.It Cm X11Forwarding 1929Specifies whether X11 forwarding is permitted. 1930The argument must be 1931.Cm yes 1932or 1933.Cm no . 1934The default is 1935.Cm yes . 1936.Pp 1937When X11 forwarding is enabled, there may be additional exposure to 1938the server and to client displays if the 1939.Xr sshd 8 1940proxy display is configured to listen on the wildcard address (see 1941.Cm X11UseLocalhost ) , 1942though this is not the default. 1943Additionally, the authentication spoofing and authentication data 1944verification and substitution occur on the client side. 1945The security risk of using X11 forwarding is that the client's X11 1946display server may be exposed to attack when the SSH client requests 1947forwarding (see the warnings for 1948.Cm ForwardX11 1949in 1950.Xr ssh_config 5 ) . 1951A system administrator may have a stance in which they want to 1952protect clients that may expose themselves to attack by unwittingly 1953requesting X11 forwarding, which can warrant a 1954.Cm no 1955setting. 1956.Pp 1957Note that disabling X11 forwarding does not prevent users from 1958forwarding X11 traffic, as users can always install their own forwarders. 1959.It Cm X11UseLocalhost 1960Specifies whether 1961.Xr sshd 8 1962should bind the X11 forwarding server to the loopback address or to 1963the wildcard address. 1964By default, 1965sshd binds the forwarding server to the loopback address and sets the 1966hostname part of the 1967.Ev DISPLAY 1968environment variable to 1969.Cm localhost . 1970This prevents remote hosts from connecting to the proxy display. 1971However, some older X11 clients may not function with this 1972configuration. 1973.Cm X11UseLocalhost 1974may be set to 1975.Cm no 1976to specify that the forwarding server should be bound to the wildcard 1977address. 1978The argument must be 1979.Cm yes 1980or 1981.Cm no . 1982The default is 1983.Cm yes . 1984.It Cm XAuthLocation 1985Specifies the full pathname of the 1986.Xr xauth 1 1987program, or 1988.Cm none 1989to not use one. 1990The default is 1991.Pa /usr/local/bin/xauth . 1992.El 1993.Sh TIME FORMATS 1994.Xr sshd 8 1995command-line arguments and configuration file options that specify time 1996may be expressed using a sequence of the form: 1997.Sm off 1998.Ar time Op Ar qualifier , 1999.Sm on 2000where 2001.Ar time 2002is a positive integer value and 2003.Ar qualifier 2004is one of the following: 2005.Pp 2006.Bl -tag -width Ds -compact -offset indent 2007.It Aq Cm none 2008seconds 2009.It Cm s | Cm S 2010seconds 2011.It Cm m | Cm M 2012minutes 2013.It Cm h | Cm H 2014hours 2015.It Cm d | Cm D 2016days 2017.It Cm w | Cm W 2018weeks 2019.El 2020.Pp 2021Each member of the sequence is added together to calculate 2022the total time value. 2023.Pp 2024Time format examples: 2025.Pp 2026.Bl -tag -width Ds -compact -offset indent 2027.It 600 2028600 seconds (10 minutes) 2029.It 10m 203010 minutes 2031.It 1h30m 20321 hour 30 minutes (90 minutes) 2033.El 2034.Sh TOKENS 2035Arguments to some keywords can make use of tokens, 2036which are expanded at runtime: 2037.Pp 2038.Bl -tag -width XXXX -offset indent -compact 2039.It %% 2040A literal 2041.Sq % . 2042.It \&%D 2043The routing domain in which the incoming connection was received. 2044.It %F 2045The fingerprint of the CA key. 2046.It %f 2047The fingerprint of the key or certificate. 2048.It %h 2049The home directory of the user. 2050.It %i 2051The key ID in the certificate. 2052.It %K 2053The base64-encoded CA key. 2054.It %k 2055The base64-encoded key or certificate for authentication. 2056.It %s 2057The serial number of the certificate. 2058.It \&%T 2059The type of the CA key. 2060.It %t 2061The key or certificate type. 2062.It \&%U 2063The numeric user ID of the target user. 2064.It %u 2065The username. 2066.El 2067.Pp 2068.Cm AuthorizedKeysCommand 2069accepts the tokens %%, %f, %h, %k, %t, %U, and %u. 2070.Pp 2071.Cm AuthorizedKeysFile 2072accepts the tokens %%, %h, %U, and %u. 2073.Pp 2074.Cm AuthorizedPrincipalsCommand 2075accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u. 2076.Pp 2077.Cm AuthorizedPrincipalsFile 2078accepts the tokens %%, %h, %U, and %u. 2079.Pp 2080.Cm ChrootDirectory 2081accepts the tokens %%, %h, %U, and %u. 2082.Pp 2083.Cm RoutingDomain 2084accepts the token %D. 2085.Sh FILES 2086.Bl -tag -width Ds 2087.It Pa /etc/ssh/sshd_config 2088Contains configuration data for 2089.Xr sshd 8 . 2090This file should be writable by root only, but it is recommended 2091(though not necessary) that it be world-readable. 2092.El 2093.Sh SEE ALSO 2094.Xr sftp-server 8 , 2095.Xr sshd 8 2096.Sh AUTHORS 2097.An -nosplit 2098OpenSSH is a derivative of the original and free 2099ssh 1.2.12 release by 2100.An Tatu Ylonen . 2101.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos , 2102.An Theo de Raadt 2103and 2104.An Dug Song 2105removed many bugs, re-added newer features and 2106created OpenSSH. 2107.An Markus Friedl 2108contributed the support for SSH protocol versions 1.5 and 2.0. 2109.An Niels Provos 2110and 2111.An Markus Friedl 2112contributed support for privilege separation. 2113