xref: /freebsd/crypto/openssh/sshd_config.5 (revision f374ba41f55c1a127303d92d830dd58eef2f5243)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd_config.5,v 1.347 2023/01/18 06:55:32 jmc Exp $
37.Dd $Mdocdate: January 18 2023 $
38.Dt SSHD_CONFIG 5
39.Os
40.Sh NAME
41.Nm sshd_config
42.Nd OpenSSH daemon configuration file
43.Sh DESCRIPTION
44.Xr sshd 8
45reads configuration data from
46.Pa /etc/ssh/sshd_config
47(or the file specified with
48.Fl f
49on the command line).
50The file contains keyword-argument pairs, one per line.
51For each keyword, the first obtained value will be used.
52Lines starting with
53.Ql #
54and empty lines are interpreted as comments.
55Arguments may optionally be enclosed in double quotes
56.Pq \&"
57in order to represent arguments containing spaces.
58.Pp
59The possible
60keywords and their meanings are as follows (note that
61keywords are case-insensitive and arguments are case-sensitive):
62.Bl -tag -width Ds
63.It Cm AcceptEnv
64Specifies what environment variables sent by the client will be copied into
65the session's
66.Xr environ 7 .
67See
68.Cm SendEnv
69and
70.Cm SetEnv
71in
72.Xr ssh_config 5
73for how to configure the client.
74The
75.Ev TERM
76environment variable is always accepted whenever the client
77requests a pseudo-terminal as it is required by the protocol.
78Variables are specified by name, which may contain the wildcard characters
79.Ql *
80and
81.Ql \&? .
82Multiple environment variables may be separated by whitespace or spread
83across multiple
84.Cm AcceptEnv
85directives.
86Be warned that some environment variables could be used to bypass restricted
87user environments.
88For this reason, care should be taken in the use of this directive.
89The default is not to accept any environment variables.
90.It Cm AddressFamily
91Specifies which address family should be used by
92.Xr sshd 8 .
93Valid arguments are
94.Cm any
95(the default),
96.Cm inet
97(use IPv4 only), or
98.Cm inet6
99(use IPv6 only).
100.It Cm AllowAgentForwarding
101Specifies whether
102.Xr ssh-agent 1
103forwarding is permitted.
104The default is
105.Cm yes .
106Note that disabling agent forwarding does not improve security
107unless users are also denied shell access, as they can always install
108their own forwarders.
109.It Cm AllowGroups
110This keyword can be followed by a list of group name patterns, separated
111by spaces.
112If specified, login is allowed only for users whose primary
113group or supplementary group list matches one of the patterns.
114Only group names are valid; a numerical group ID is not recognized.
115By default, login is allowed for all groups.
116The allow/deny groups directives are processed in the following order:
117.Cm DenyGroups ,
118.Cm AllowGroups .
119.Pp
120See PATTERNS in
121.Xr ssh_config 5
122for more information on patterns.
123.It Cm AllowStreamLocalForwarding
124Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
125The available options are
126.Cm yes
127(the default)
128or
129.Cm all
130to allow StreamLocal forwarding,
131.Cm no
132to prevent all StreamLocal forwarding,
133.Cm local
134to allow local (from the perspective of
135.Xr ssh 1 )
136forwarding only or
137.Cm remote
138to allow remote forwarding only.
139Note that disabling StreamLocal forwarding does not improve security unless
140users are also denied shell access, as they can always install their
141own forwarders.
142.It Cm AllowTcpForwarding
143Specifies whether TCP forwarding is permitted.
144The available options are
145.Cm yes
146(the default)
147or
148.Cm all
149to allow TCP forwarding,
150.Cm no
151to prevent all TCP forwarding,
152.Cm local
153to allow local (from the perspective of
154.Xr ssh 1 )
155forwarding only or
156.Cm remote
157to allow remote forwarding only.
158Note that disabling TCP forwarding does not improve security unless
159users are also denied shell access, as they can always install their
160own forwarders.
161.It Cm AllowUsers
162This keyword can be followed by a list of user name patterns, separated
163by spaces.
164If specified, login is allowed only for user names that
165match one of the patterns.
166Only user names are valid; a numerical user ID is not recognized.
167By default, login is allowed for all users.
168If the pattern takes the form USER@HOST then USER and HOST
169are separately checked, restricting logins to particular
170users from particular hosts.
171HOST criteria may additionally contain addresses to match in CIDR
172address/masklen format.
173The allow/deny users directives are processed in the following order:
174.Cm DenyUsers ,
175.Cm AllowUsers .
176.Pp
177See PATTERNS in
178.Xr ssh_config 5
179for more information on patterns.
180.It Cm AuthenticationMethods
181Specifies the authentication methods that must be successfully completed
182for a user to be granted access.
183This option must be followed by one or more lists of comma-separated
184authentication method names, or by the single string
185.Cm any
186to indicate the default behaviour of accepting any single authentication
187method.
188If the default is overridden, then successful authentication requires
189completion of every method in at least one of these lists.
190.Pp
191For example,
192.Qq publickey,password publickey,keyboard-interactive
193would require the user to complete public key authentication, followed by
194either password or keyboard interactive authentication.
195Only methods that are next in one or more lists are offered at each stage,
196so for this example it would not be possible to attempt password or
197keyboard-interactive authentication before public key.
198.Pp
199For keyboard interactive authentication it is also possible to
200restrict authentication to a specific device by appending a
201colon followed by the device identifier
202.Cm bsdauth
203or
204.Cm pam .
205depending on the server configuration.
206For example,
207.Qq keyboard-interactive:bsdauth
208would restrict keyboard interactive authentication to the
209.Cm bsdauth
210device.
211.Pp
212If the publickey method is listed more than once,
213.Xr sshd 8
214verifies that keys that have been used successfully are not reused for
215subsequent authentications.
216For example,
217.Qq publickey,publickey
218requires successful authentication using two different public keys.
219.Pp
220Note that each authentication method listed should also be explicitly enabled
221in the configuration.
222.Pp
223The available authentication methods are:
224.Qq gssapi-with-mic ,
225.Qq hostbased ,
226.Qq keyboard-interactive ,
227.Qq none
228(used for access to password-less accounts when
229.Cm PermitEmptyPasswords
230is enabled),
231.Qq password
232and
233.Qq publickey .
234.It Cm AuthorizedKeysCommand
235Specifies a program to be used to look up the user's public keys.
236The program must be owned by root, not writable by group or others and
237specified by an absolute path.
238Arguments to
239.Cm AuthorizedKeysCommand
240accept the tokens described in the
241.Sx TOKENS
242section.
243If no arguments are specified then the username of the target user is used.
244.Pp
245The program should produce on standard output zero or
246more lines of authorized_keys output (see
247.Sx AUTHORIZED_KEYS
248in
249.Xr sshd 8 ) .
250.Cm AuthorizedKeysCommand
251is tried after the usual
252.Cm AuthorizedKeysFile
253files and will not be executed if a matching key is found there.
254By default, no
255.Cm AuthorizedKeysCommand
256is run.
257.It Cm AuthorizedKeysCommandUser
258Specifies the user under whose account the
259.Cm AuthorizedKeysCommand
260is run.
261It is recommended to use a dedicated user that has no other role on the host
262than running authorized keys commands.
263If
264.Cm AuthorizedKeysCommand
265is specified but
266.Cm AuthorizedKeysCommandUser
267is not, then
268.Xr sshd 8
269will refuse to start.
270.It Cm AuthorizedKeysFile
271Specifies the file that contains the public keys used for user authentication.
272The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
273.Xr sshd 8 .
274Arguments to
275.Cm AuthorizedKeysFile
276accept the tokens described in the
277.Sx TOKENS
278section.
279After expansion,
280.Cm AuthorizedKeysFile
281is taken to be an absolute path or one relative to the user's home
282directory.
283Multiple files may be listed, separated by whitespace.
284Alternately this option may be set to
285.Cm none
286to skip checking for user keys in files.
287The default is
288.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
289.It Cm AuthorizedPrincipalsCommand
290Specifies a program to be used to generate the list of allowed
291certificate principals as per
292.Cm AuthorizedPrincipalsFile .
293The program must be owned by root, not writable by group or others and
294specified by an absolute path.
295Arguments to
296.Cm AuthorizedPrincipalsCommand
297accept the tokens described in the
298.Sx TOKENS
299section.
300If no arguments are specified then the username of the target user is used.
301.Pp
302The program should produce on standard output zero or
303more lines of
304.Cm AuthorizedPrincipalsFile
305output.
306If either
307.Cm AuthorizedPrincipalsCommand
308or
309.Cm AuthorizedPrincipalsFile
310is specified, then certificates offered by the client for authentication
311must contain a principal that is listed.
312By default, no
313.Cm AuthorizedPrincipalsCommand
314is run.
315.It Cm AuthorizedPrincipalsCommandUser
316Specifies the user under whose account the
317.Cm AuthorizedPrincipalsCommand
318is run.
319It is recommended to use a dedicated user that has no other role on the host
320than running authorized principals commands.
321If
322.Cm AuthorizedPrincipalsCommand
323is specified but
324.Cm AuthorizedPrincipalsCommandUser
325is not, then
326.Xr sshd 8
327will refuse to start.
328.It Cm AuthorizedPrincipalsFile
329Specifies a file that lists principal names that are accepted for
330certificate authentication.
331When using certificates signed by a key listed in
332.Cm TrustedUserCAKeys ,
333this file lists names, one of which must appear in the certificate for it
334to be accepted for authentication.
335Names are listed one per line preceded by key options (as described in
336.Sx AUTHORIZED_KEYS FILE FORMAT
337in
338.Xr sshd 8 ) .
339Empty lines and comments starting with
340.Ql #
341are ignored.
342.Pp
343Arguments to
344.Cm AuthorizedPrincipalsFile
345accept the tokens described in the
346.Sx TOKENS
347section.
348After expansion,
349.Cm AuthorizedPrincipalsFile
350is taken to be an absolute path or one relative to the user's home directory.
351The default is
352.Cm none ,
353i.e. not to use a principals file \(en in this case, the username
354of the user must appear in a certificate's principals list for it to be
355accepted.
356.Pp
357Note that
358.Cm AuthorizedPrincipalsFile
359is only used when authentication proceeds using a CA listed in
360.Cm TrustedUserCAKeys
361and is not consulted for certification authorities trusted via
362.Pa ~/.ssh/authorized_keys ,
363though the
364.Cm principals=
365key option offers a similar facility (see
366.Xr sshd 8
367for details).
368.It Cm Banner
369The contents of the specified file are sent to the remote user before
370authentication is allowed.
371If the argument is
372.Cm none
373then no banner is displayed.
374By default, no banner is displayed.
375.It Cm CASignatureAlgorithms
376Specifies which algorithms are allowed for signing of certificates
377by certificate authorities (CAs).
378The default is:
379.Bd -literal -offset indent
380ssh-ed25519,ecdsa-sha2-nistp256,
381ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
382sk-ssh-ed25519@openssh.com,
383sk-ecdsa-sha2-nistp256@openssh.com,
384rsa-sha2-512,rsa-sha2-256
385.Ed
386.Pp
387If the specified list begins with a
388.Sq +
389character, then the specified algorithms will be appended to the default set
390instead of replacing them.
391If the specified list begins with a
392.Sq -
393character, then the specified algorithms (including wildcards) will be removed
394from the default set instead of replacing them.
395.Pp
396Certificates signed using other algorithms will not be accepted for
397public key or host-based authentication.
398.It Cm ChannelTimeout
399Specifies whether and how quickly
400.Xr sshd 8
401should close inactive channels.
402Timeouts are specified as one or more
403.Dq type=interval
404pairs separated by whitespace, where the
405.Dq type
406must be a channel type name (as described in the table below), optionally
407containing wildcard characters.
408.Pp
409The timeout value
410.Dq interval
411is specified in seconds or may use any of the units documented in the
412.Sx TIME FORMATS
413section.
414For example,
415.Dq session:*=5m
416would cause all sessions to terminate after five minutes of inactivity.
417Specifying a zero value disables the inactivity timeout.
418.Pp
419The available channel types include:
420.Bl -tag -width Ds
421.It Cm agent-connection
422Open connections to
423.Xr ssh-agent 1 .
424.It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
425Open TCP or Unix socket (respectively) connections that have
426been established from a
427.Xr ssh 1
428local forwarding, i.e.\&
429.Cm LocalForward
430or
431.Cm DynamicForward .
432.It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
433Open TCP or Unix socket (respectively) connections that have been
434established to a
435.Xr sshd 8
436listening on behalf of a
437.Xr ssh 1
438remote forwarding, i.e.\&
439.Cm RemoteForward .
440.It Cm session:command
441Command execution sessions.
442.It Cm session:shell
443Interactive shell sessions.
444.It Cm session:subsystem:...
445Subsystem sessions, e.g. for
446.Xr sftp 1 ,
447which could be identified as
448.Cm session:subsystem:sftp .
449.It Cm x11-connection
450Open X11 forwarding sessions.
451.El
452.Pp
453Note that in all the above cases, terminating an inactive session does not
454guarantee to remove all resources associated with the session, e.g. shell
455processes or X11 clients relating to the session may continue to execute.
456.Pp
457Moreover, terminating an inactive channel or session does not necessarily
458close the SSH connection, nor does it prevent a client from
459requesting another channel of the same type.
460In particular, expiring an inactive forwarding session does not prevent
461another identical forwarding from being subsequently created.
462See also
463.Cm UnusedConnectionTimeout ,
464which may be used in conjunction with this option.
465.Pp
466The default is not to expire channels of any type for inactivity.
467.It Cm ChrootDirectory
468Specifies the pathname of a directory to
469.Xr chroot 2
470to after authentication.
471At session startup
472.Xr sshd 8
473checks that all components of the pathname are root-owned directories
474which are not writable by any other user or group.
475After the chroot,
476.Xr sshd 8
477changes the working directory to the user's home directory.
478Arguments to
479.Cm ChrootDirectory
480accept the tokens described in the
481.Sx TOKENS
482section.
483.Pp
484The
485.Cm ChrootDirectory
486must contain the necessary files and directories to support the
487user's session.
488For an interactive session this requires at least a shell, typically
489.Xr sh 1 ,
490and basic
491.Pa /dev
492nodes such as
493.Xr null 4 ,
494.Xr zero 4 ,
495.Xr stdin 4 ,
496.Xr stdout 4 ,
497.Xr stderr 4 ,
498and
499.Xr tty 4
500devices.
501For file transfer sessions using SFTP
502no additional configuration of the environment is necessary if the in-process
503sftp-server is used,
504though sessions which use logging may require
505.Pa /dev/log
506inside the chroot directory on some operating systems (see
507.Xr sftp-server 8
508for details).
509.Pp
510For safety, it is very important that the directory hierarchy be
511prevented from modification by other processes on the system (especially
512those outside the jail).
513Misconfiguration can lead to unsafe environments which
514.Xr sshd 8
515cannot detect.
516.Pp
517The default is
518.Cm none ,
519indicating not to
520.Xr chroot 2 .
521.It Cm Ciphers
522Specifies the ciphers allowed.
523Multiple ciphers must be comma-separated.
524If the specified list begins with a
525.Sq +
526character, then the specified ciphers will be appended to the default set
527instead of replacing them.
528If the specified list begins with a
529.Sq -
530character, then the specified ciphers (including wildcards) will be removed
531from the default set instead of replacing them.
532If the specified list begins with a
533.Sq ^
534character, then the specified ciphers will be placed at the head of the
535default set.
536.Pp
537The supported ciphers are:
538.Pp
539.Bl -item -compact -offset indent
540.It
5413des-cbc
542.It
543aes128-cbc
544.It
545aes192-cbc
546.It
547aes256-cbc
548.It
549aes128-ctr
550.It
551aes192-ctr
552.It
553aes256-ctr
554.It
555aes128-gcm@openssh.com
556.It
557aes256-gcm@openssh.com
558.It
559chacha20-poly1305@openssh.com
560.El
561.Pp
562The default is:
563.Bd -literal -offset indent
564chacha20-poly1305@openssh.com,
565aes128-ctr,aes192-ctr,aes256-ctr,
566aes128-gcm@openssh.com,aes256-gcm@openssh.com
567.Ed
568.Pp
569The list of available ciphers may also be obtained using
570.Qq ssh -Q cipher .
571.It Cm ClientAliveCountMax
572Sets the number of client alive messages which may be sent without
573.Xr sshd 8
574receiving any messages back from the client.
575If this threshold is reached while client alive messages are being sent,
576sshd will disconnect the client, terminating the session.
577It is important to note that the use of client alive messages is very
578different from
579.Cm TCPKeepAlive .
580The client alive messages are sent through the encrypted channel
581and therefore will not be spoofable.
582The TCP keepalive option enabled by
583.Cm TCPKeepAlive
584is spoofable.
585The client alive mechanism is valuable when the client or
586server depend on knowing when a connection has become unresponsive.
587.Pp
588The default value is 3.
589If
590.Cm ClientAliveInterval
591is set to 15, and
592.Cm ClientAliveCountMax
593is left at the default, unresponsive SSH clients
594will be disconnected after approximately 45 seconds.
595Setting a zero
596.Cm ClientAliveCountMax
597disables connection termination.
598.It Cm ClientAliveInterval
599Sets a timeout interval in seconds after which if no data has been received
600from the client,
601.Xr sshd 8
602will send a message through the encrypted
603channel to request a response from the client.
604The default
605is 0, indicating that these messages will not be sent to the client.
606.It Cm Compression
607Specifies whether compression is enabled after
608the user has authenticated successfully.
609The argument must be
610.Cm yes ,
611.Cm delayed
612(a legacy synonym for
613.Cm yes )
614or
615.Cm no .
616The default is
617.Cm yes .
618.It Cm DenyGroups
619This keyword can be followed by a list of group name patterns, separated
620by spaces.
621Login is disallowed for users whose primary group or supplementary
622group list matches one of the patterns.
623Only group names are valid; a numerical group ID is not recognized.
624By default, login is allowed for all groups.
625The allow/deny groups directives are processed in the following order:
626.Cm DenyGroups ,
627.Cm AllowGroups .
628.Pp
629See PATTERNS in
630.Xr ssh_config 5
631for more information on patterns.
632.It Cm DenyUsers
633This keyword can be followed by a list of user name patterns, separated
634by spaces.
635Login is disallowed for user names that match one of the patterns.
636Only user names are valid; a numerical user ID is not recognized.
637By default, login is allowed for all users.
638If the pattern takes the form USER@HOST then USER and HOST
639are separately checked, restricting logins to particular
640users from particular hosts.
641HOST criteria may additionally contain addresses to match in CIDR
642address/masklen format.
643The allow/deny users directives are processed in the following order:
644.Cm DenyUsers ,
645.Cm AllowUsers .
646.Pp
647See PATTERNS in
648.Xr ssh_config 5
649for more information on patterns.
650.It Cm DisableForwarding
651Disables all forwarding features, including X11,
652.Xr ssh-agent 1 ,
653TCP and StreamLocal.
654This option overrides all other forwarding-related options and may
655simplify restricted configurations.
656.It Cm ExposeAuthInfo
657Writes a temporary file containing a list of authentication methods and
658public credentials (e.g. keys) used to authenticate the user.
659The location of the file is exposed to the user session through the
660.Ev SSH_USER_AUTH
661environment variable.
662The default is
663.Cm no .
664.It Cm FingerprintHash
665Specifies the hash algorithm used when logging key fingerprints.
666Valid options are:
667.Cm md5
668and
669.Cm sha256 .
670The default is
671.Cm sha256 .
672.It Cm ForceCommand
673Forces the execution of the command specified by
674.Cm ForceCommand ,
675ignoring any command supplied by the client and
676.Pa ~/.ssh/rc
677if present.
678The command is invoked by using the user's login shell with the -c option.
679This applies to shell, command, or subsystem execution.
680It is most useful inside a
681.Cm Match
682block.
683The command originally supplied by the client is available in the
684.Ev SSH_ORIGINAL_COMMAND
685environment variable.
686Specifying a command of
687.Cm internal-sftp
688will force the use of an in-process SFTP server that requires no support
689files when used with
690.Cm ChrootDirectory .
691The default is
692.Cm none .
693.It Cm GatewayPorts
694Specifies whether remote hosts are allowed to connect to ports
695forwarded for the client.
696By default,
697.Xr sshd 8
698binds remote port forwardings to the loopback address.
699This prevents other remote hosts from connecting to forwarded ports.
700.Cm GatewayPorts
701can be used to specify that sshd
702should allow remote port forwardings to bind to non-loopback addresses, thus
703allowing other hosts to connect.
704The argument may be
705.Cm no
706to force remote port forwardings to be available to the local host only,
707.Cm yes
708to force remote port forwardings to bind to the wildcard address, or
709.Cm clientspecified
710to allow the client to select the address to which the forwarding is bound.
711The default is
712.Cm no .
713.It Cm GSSAPIAuthentication
714Specifies whether user authentication based on GSSAPI is allowed.
715The default is
716.Cm no .
717.It Cm GSSAPICleanupCredentials
718Specifies whether to automatically destroy the user's credentials cache
719on logout.
720The default is
721.Cm yes .
722.It Cm GSSAPIStrictAcceptorCheck
723Determines whether to be strict about the identity of the GSSAPI acceptor
724a client authenticates against.
725If set to
726.Cm yes
727then the client must authenticate against the host
728service on the current hostname.
729If set to
730.Cm no
731then the client may authenticate against any service key stored in the
732machine's default store.
733This facility is provided to assist with operation on multi homed machines.
734The default is
735.Cm yes .
736.It Cm HostbasedAcceptedAlgorithms
737Specifies the signature algorithms that will be accepted for hostbased
738authentication as a list of comma-separated patterns.
739Alternately if the specified list begins with a
740.Sq +
741character, then the specified signature algorithms will be appended to
742the default set instead of replacing them.
743If the specified list begins with a
744.Sq -
745character, then the specified signature algorithms (including wildcards)
746will be removed from the default set instead of replacing them.
747If the specified list begins with a
748.Sq ^
749character, then the specified signature algorithms will be placed at
750the head of the default set.
751The default for this option is:
752.Bd -literal -offset 3n
753ssh-ed25519-cert-v01@openssh.com,
754ecdsa-sha2-nistp256-cert-v01@openssh.com,
755ecdsa-sha2-nistp384-cert-v01@openssh.com,
756ecdsa-sha2-nistp521-cert-v01@openssh.com,
757sk-ssh-ed25519-cert-v01@openssh.com,
758sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
759rsa-sha2-512-cert-v01@openssh.com,
760rsa-sha2-256-cert-v01@openssh.com,
761ssh-ed25519,
762ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
763sk-ssh-ed25519@openssh.com,
764sk-ecdsa-sha2-nistp256@openssh.com,
765rsa-sha2-512,rsa-sha2-256
766.Ed
767.Pp
768The list of available signature algorithms may also be obtained using
769.Qq ssh -Q HostbasedAcceptedAlgorithms .
770This was formerly named HostbasedAcceptedKeyTypes.
771.It Cm HostbasedAuthentication
772Specifies whether rhosts or /etc/hosts.equiv authentication together
773with successful public key client host authentication is allowed
774(host-based authentication).
775The default is
776.Cm no .
777.It Cm HostbasedUsesNameFromPacketOnly
778Specifies whether or not the server will attempt to perform a reverse
779name lookup when matching the name in the
780.Pa ~/.shosts ,
781.Pa ~/.rhosts ,
782and
783.Pa /etc/hosts.equiv
784files during
785.Cm HostbasedAuthentication .
786A setting of
787.Cm yes
788means that
789.Xr sshd 8
790uses the name supplied by the client rather than
791attempting to resolve the name from the TCP connection itself.
792The default is
793.Cm no .
794.It Cm HostCertificate
795Specifies a file containing a public host certificate.
796The certificate's public key must match a private host key already specified
797by
798.Cm HostKey .
799The default behaviour of
800.Xr sshd 8
801is not to load any certificates.
802.It Cm HostKey
803Specifies a file containing a private host key
804used by SSH.
805The defaults are
806.Pa /etc/ssh/ssh_host_ecdsa_key ,
807.Pa /etc/ssh/ssh_host_ed25519_key
808and
809.Pa /etc/ssh/ssh_host_rsa_key .
810.Pp
811Note that
812.Xr sshd 8
813will refuse to use a file if it is group/world-accessible
814and that the
815.Cm HostKeyAlgorithms
816option restricts which of the keys are actually used by
817.Xr sshd 8 .
818.Pp
819It is possible to have multiple host key files.
820It is also possible to specify public host key files instead.
821In this case operations on the private key will be delegated
822to an
823.Xr ssh-agent 1 .
824.It Cm HostKeyAgent
825Identifies the UNIX-domain socket used to communicate
826with an agent that has access to the private host keys.
827If the string
828.Qq SSH_AUTH_SOCK
829is specified, the location of the socket will be read from the
830.Ev SSH_AUTH_SOCK
831environment variable.
832.It Cm HostKeyAlgorithms
833Specifies the host key signature algorithms
834that the server offers.
835The default for this option is:
836.Bd -literal -offset 3n
837ssh-ed25519-cert-v01@openssh.com,
838ecdsa-sha2-nistp256-cert-v01@openssh.com,
839ecdsa-sha2-nistp384-cert-v01@openssh.com,
840ecdsa-sha2-nistp521-cert-v01@openssh.com,
841sk-ssh-ed25519-cert-v01@openssh.com,
842sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
843rsa-sha2-512-cert-v01@openssh.com,
844rsa-sha2-256-cert-v01@openssh.com,
845ssh-ed25519,
846ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
847sk-ssh-ed25519@openssh.com,
848sk-ecdsa-sha2-nistp256@openssh.com,
849rsa-sha2-512,rsa-sha2-256
850.Ed
851.Pp
852The list of available signature algorithms may also be obtained using
853.Qq ssh -Q HostKeyAlgorithms .
854.It Cm IgnoreRhosts
855Specifies whether to ignore per-user
856.Pa .rhosts
857and
858.Pa .shosts
859files during
860.Cm HostbasedAuthentication .
861The system-wide
862.Pa /etc/hosts.equiv
863and
864.Pa /etc/ssh/shosts.equiv
865are still used regardless of this setting.
866.Pp
867Accepted values are
868.Cm yes
869(the default) to ignore all per-user files,
870.Cm shosts-only
871to allow the use of
872.Pa .shosts
873but to ignore
874.Pa .rhosts
875or
876.Cm no
877to allow both
878.Pa .shosts
879and
880.Pa rhosts .
881.It Cm IgnoreUserKnownHosts
882Specifies whether
883.Xr sshd 8
884should ignore the user's
885.Pa ~/.ssh/known_hosts
886during
887.Cm HostbasedAuthentication
888and use only the system-wide known hosts file
889.Pa /etc/ssh/ssh_known_hosts .
890The default is
891.Dq no .
892.It Cm Include
893Include the specified configuration file(s).
894Multiple pathnames may be specified and each pathname may contain
895.Xr glob 7
896wildcards that will be expanded and processed in lexical order.
897Files without absolute paths are assumed to be in
898.Pa /etc/ssh .
899An
900.Cm Include
901directive may appear inside a
902.Cm Match
903block
904to perform conditional inclusion.
905.It Cm IPQoS
906Specifies the IPv4 type-of-service or DSCP class for the connection.
907Accepted values are
908.Cm af11 ,
909.Cm af12 ,
910.Cm af13 ,
911.Cm af21 ,
912.Cm af22 ,
913.Cm af23 ,
914.Cm af31 ,
915.Cm af32 ,
916.Cm af33 ,
917.Cm af41 ,
918.Cm af42 ,
919.Cm af43 ,
920.Cm cs0 ,
921.Cm cs1 ,
922.Cm cs2 ,
923.Cm cs3 ,
924.Cm cs4 ,
925.Cm cs5 ,
926.Cm cs6 ,
927.Cm cs7 ,
928.Cm ef ,
929.Cm le ,
930.Cm lowdelay ,
931.Cm throughput ,
932.Cm reliability ,
933a numeric value, or
934.Cm none
935to use the operating system default.
936This option may take one or two arguments, separated by whitespace.
937If one argument is specified, it is used as the packet class unconditionally.
938If two values are specified, the first is automatically selected for
939interactive sessions and the second for non-interactive sessions.
940The default is
941.Cm af21
942(Low-Latency Data)
943for interactive sessions and
944.Cm cs1
945(Lower Effort)
946for non-interactive sessions.
947.It Cm KbdInteractiveAuthentication
948Specifies whether to allow keyboard-interactive authentication.
949All authentication styles from
950.Xr login.conf 5
951are supported.
952The default is
953.Cm yes .
954The argument to this keyword must be
955.Cm yes
956or
957.Cm no .
958.Cm ChallengeResponseAuthentication
959is a deprecated alias for this.
960.It Cm KerberosAuthentication
961Specifies whether the password provided by the user for
962.Cm PasswordAuthentication
963will be validated through the Kerberos KDC.
964To use this option, the server needs a
965Kerberos servtab which allows the verification of the KDC's identity.
966The default is
967.Cm no .
968.It Cm KerberosGetAFSToken
969If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
970an AFS token before accessing the user's home directory.
971The default is
972.Cm no .
973.It Cm KerberosOrLocalPasswd
974If password authentication through Kerberos fails then
975the password will be validated via any additional local mechanism
976such as
977.Pa /etc/passwd .
978The default is
979.Cm yes .
980.It Cm KerberosTicketCleanup
981Specifies whether to automatically destroy the user's ticket cache
982file on logout.
983The default is
984.Cm yes .
985.It Cm KexAlgorithms
986Specifies the available KEX (Key Exchange) algorithms.
987Multiple algorithms must be comma-separated.
988Alternately if the specified list begins with a
989.Sq +
990character, then the specified algorithms will be appended to the default set
991instead of replacing them.
992If the specified list begins with a
993.Sq -
994character, then the specified algorithms (including wildcards) will be removed
995from the default set instead of replacing them.
996If the specified list begins with a
997.Sq ^
998character, then the specified algorithms will be placed at the head of the
999default set.
1000The supported algorithms are:
1001.Pp
1002.Bl -item -compact -offset indent
1003.It
1004curve25519-sha256
1005.It
1006curve25519-sha256@libssh.org
1007.It
1008diffie-hellman-group1-sha1
1009.It
1010diffie-hellman-group14-sha1
1011.It
1012diffie-hellman-group14-sha256
1013.It
1014diffie-hellman-group16-sha512
1015.It
1016diffie-hellman-group18-sha512
1017.It
1018diffie-hellman-group-exchange-sha1
1019.It
1020diffie-hellman-group-exchange-sha256
1021.It
1022ecdh-sha2-nistp256
1023.It
1024ecdh-sha2-nistp384
1025.It
1026ecdh-sha2-nistp521
1027.It
1028sntrup761x25519-sha512@openssh.com
1029.El
1030.Pp
1031The default is:
1032.Bd -literal -offset indent
1033sntrup761x25519-sha512@openssh.com,
1034curve25519-sha256,curve25519-sha256@libssh.org,
1035ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1036diffie-hellman-group-exchange-sha256,
1037diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
1038diffie-hellman-group14-sha256
1039.Ed
1040.Pp
1041The list of available key exchange algorithms may also be obtained using
1042.Qq ssh -Q KexAlgorithms .
1043.It Cm ListenAddress
1044Specifies the local addresses
1045.Xr sshd 8
1046should listen on.
1047The following forms may be used:
1048.Pp
1049.Bl -item -offset indent -compact
1050.It
1051.Cm ListenAddress
1052.Sm off
1053.Ar hostname | address
1054.Sm on
1055.Op Cm rdomain Ar domain
1056.It
1057.Cm ListenAddress
1058.Sm off
1059.Ar hostname : port
1060.Sm on
1061.Op Cm rdomain Ar domain
1062.It
1063.Cm ListenAddress
1064.Sm off
1065.Ar IPv4_address : port
1066.Sm on
1067.Op Cm rdomain Ar domain
1068.It
1069.Cm ListenAddress
1070.Sm off
1071.Oo Ar hostname | address Oc : Ar port
1072.Sm on
1073.Op Cm rdomain Ar domain
1074.El
1075.Pp
1076The optional
1077.Cm rdomain
1078qualifier requests
1079.Xr sshd 8
1080listen in an explicit routing domain.
1081If
1082.Ar port
1083is not specified,
1084sshd will listen on the address and all
1085.Cm Port
1086options specified.
1087The default is to listen on all local addresses on the current default
1088routing domain.
1089Multiple
1090.Cm ListenAddress
1091options are permitted.
1092For more information on routing domains, see
1093.Xr rdomain 4 .
1094.It Cm LoginGraceTime
1095The server disconnects after this time if the user has not
1096successfully logged in.
1097If the value is 0, there is no time limit.
1098The default is 120 seconds.
1099.It Cm LogLevel
1100Gives the verbosity level that is used when logging messages from
1101.Xr sshd 8 .
1102The possible values are:
1103QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
1104The default is INFO.
1105DEBUG and DEBUG1 are equivalent.
1106DEBUG2 and DEBUG3 each specify higher levels of debugging output.
1107Logging with a DEBUG level violates the privacy of users and is not recommended.
1108.It Cm LogVerbose
1109Specify one or more overrides to LogLevel.
1110An override consists of a pattern lists that matches the source file, function
1111and line number to force detailed logging for.
1112For example, an override pattern of:
1113.Bd -literal -offset indent
1114kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
1115.Ed
1116.Pp
1117would enable detailed logging for line 1000 of
1118.Pa kex.c ,
1119everything in the
1120.Fn kex_exchange_identification
1121function, and all code in the
1122.Pa packet.c
1123file.
1124This option is intended for debugging and no overrides are enabled by default.
1125.It Cm MACs
1126Specifies the available MAC (message authentication code) algorithms.
1127The MAC algorithm is used for data integrity protection.
1128Multiple algorithms must be comma-separated.
1129If the specified list begins with a
1130.Sq +
1131character, then the specified algorithms will be appended to the default set
1132instead of replacing them.
1133If the specified list begins with a
1134.Sq -
1135character, then the specified algorithms (including wildcards) will be removed
1136from the default set instead of replacing them.
1137If the specified list begins with a
1138.Sq ^
1139character, then the specified algorithms will be placed at the head of the
1140default set.
1141.Pp
1142The algorithms that contain
1143.Qq -etm
1144calculate the MAC after encryption (encrypt-then-mac).
1145These are considered safer and their use recommended.
1146The supported MACs are:
1147.Pp
1148.Bl -item -compact -offset indent
1149.It
1150hmac-md5
1151.It
1152hmac-md5-96
1153.It
1154hmac-sha1
1155.It
1156hmac-sha1-96
1157.It
1158hmac-sha2-256
1159.It
1160hmac-sha2-512
1161.It
1162umac-64@openssh.com
1163.It
1164umac-128@openssh.com
1165.It
1166hmac-md5-etm@openssh.com
1167.It
1168hmac-md5-96-etm@openssh.com
1169.It
1170hmac-sha1-etm@openssh.com
1171.It
1172hmac-sha1-96-etm@openssh.com
1173.It
1174hmac-sha2-256-etm@openssh.com
1175.It
1176hmac-sha2-512-etm@openssh.com
1177.It
1178umac-64-etm@openssh.com
1179.It
1180umac-128-etm@openssh.com
1181.El
1182.Pp
1183The default is:
1184.Bd -literal -offset indent
1185umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1186hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1187hmac-sha1-etm@openssh.com,
1188umac-64@openssh.com,umac-128@openssh.com,
1189hmac-sha2-256,hmac-sha2-512,hmac-sha1
1190.Ed
1191.Pp
1192The list of available MAC algorithms may also be obtained using
1193.Qq ssh -Q mac .
1194.It Cm Match
1195Introduces a conditional block.
1196If all of the criteria on the
1197.Cm Match
1198line are satisfied, the keywords on the following lines override those
1199set in the global section of the config file, until either another
1200.Cm Match
1201line or the end of the file.
1202If a keyword appears in multiple
1203.Cm Match
1204blocks that are satisfied, only the first instance of the keyword is
1205applied.
1206.Pp
1207The arguments to
1208.Cm Match
1209are one or more criteria-pattern pairs or the single token
1210.Cm All
1211which matches all criteria.
1212The available criteria are
1213.Cm User ,
1214.Cm Group ,
1215.Cm Host ,
1216.Cm LocalAddress ,
1217.Cm LocalPort ,
1218.Cm RDomain ,
1219and
1220.Cm Address
1221(with
1222.Cm RDomain
1223representing the
1224.Xr rdomain 4
1225on which the connection was received).
1226.Pp
1227The match patterns may consist of single entries or comma-separated
1228lists and may use the wildcard and negation operators described in the
1229.Sx PATTERNS
1230section of
1231.Xr ssh_config 5 .
1232.Pp
1233The patterns in an
1234.Cm Address
1235criteria may additionally contain addresses to match in CIDR
1236address/masklen format,
1237such as 192.0.2.0/24 or 2001:db8::/32.
1238Note that the mask length provided must be consistent with the address -
1239it is an error to specify a mask length that is too long for the address
1240or one with bits set in this host portion of the address.
1241For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
1242.Pp
1243Only a subset of keywords may be used on the lines following a
1244.Cm Match
1245keyword.
1246Available keywords are
1247.Cm AcceptEnv ,
1248.Cm AllowAgentForwarding ,
1249.Cm AllowGroups ,
1250.Cm AllowStreamLocalForwarding ,
1251.Cm AllowTcpForwarding ,
1252.Cm AllowUsers ,
1253.Cm AuthenticationMethods ,
1254.Cm AuthorizedKeysCommand ,
1255.Cm AuthorizedKeysCommandUser ,
1256.Cm AuthorizedKeysFile ,
1257.Cm AuthorizedPrincipalsCommand ,
1258.Cm AuthorizedPrincipalsCommandUser ,
1259.Cm AuthorizedPrincipalsFile ,
1260.Cm Banner ,
1261.Cm CASignatureAlgorithms ,
1262.Cm ChannelTimeout ,
1263.Cm ChrootDirectory ,
1264.Cm ClientAliveCountMax ,
1265.Cm ClientAliveInterval ,
1266.Cm DenyGroups ,
1267.Cm DenyUsers ,
1268.Cm DisableForwarding ,
1269.Cm ExposeAuthInfo ,
1270.Cm ForceCommand ,
1271.Cm GatewayPorts ,
1272.Cm GSSAPIAuthentication ,
1273.Cm HostbasedAcceptedAlgorithms ,
1274.Cm HostbasedAuthentication ,
1275.Cm HostbasedUsesNameFromPacketOnly ,
1276.Cm IgnoreRhosts ,
1277.Cm Include ,
1278.Cm IPQoS ,
1279.Cm KbdInteractiveAuthentication ,
1280.Cm KerberosAuthentication ,
1281.Cm LogLevel ,
1282.Cm MaxAuthTries ,
1283.Cm MaxSessions ,
1284.Cm PasswordAuthentication ,
1285.Cm PermitEmptyPasswords ,
1286.Cm PermitListen ,
1287.Cm PermitOpen ,
1288.Cm PermitRootLogin ,
1289.Cm PermitTTY ,
1290.Cm PermitTunnel ,
1291.Cm PermitUserRC ,
1292.Cm PubkeyAcceptedAlgorithms ,
1293.Cm PubkeyAuthentication ,
1294.Cm PubkeyAuthOptions ,
1295.Cm RekeyLimit ,
1296.Cm RevokedKeys ,
1297.Cm RDomain ,
1298.Cm SetEnv ,
1299.Cm StreamLocalBindMask ,
1300.Cm StreamLocalBindUnlink ,
1301.Cm TrustedUserCAKeys ,
1302.Cm UnusedConnectionTimeout ,
1303.Cm X11DisplayOffset ,
1304.Cm X11Forwarding
1305and
1306.Cm X11UseLocalhost .
1307.It Cm MaxAuthTries
1308Specifies the maximum number of authentication attempts permitted per
1309connection.
1310Once the number of failures reaches half this value,
1311additional failures are logged.
1312The default is 6.
1313.It Cm MaxSessions
1314Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
1315sessions permitted per network connection.
1316Multiple sessions may be established by clients that support connection
1317multiplexing.
1318Setting
1319.Cm MaxSessions
1320to 1 will effectively disable session multiplexing, whereas setting it to 0
1321will prevent all shell, login and subsystem sessions while still permitting
1322forwarding.
1323The default is 10.
1324.It Cm MaxStartups
1325Specifies the maximum number of concurrent unauthenticated connections to the
1326SSH daemon.
1327Additional connections will be dropped until authentication succeeds or the
1328.Cm LoginGraceTime
1329expires for a connection.
1330The default is 10:30:100.
1331.Pp
1332Alternatively, random early drop can be enabled by specifying
1333the three colon separated values
1334start:rate:full (e.g. "10:30:60").
1335.Xr sshd 8
1336will refuse connection attempts with a probability of rate/100 (30%)
1337if there are currently start (10) unauthenticated connections.
1338The probability increases linearly and all connection attempts
1339are refused if the number of unauthenticated connections reaches full (60).
1340.It Cm ModuliFile
1341Specifies the
1342.Xr moduli 5
1343file that contains the Diffie-Hellman groups used for the
1344.Dq diffie-hellman-group-exchange-sha1
1345and
1346.Dq diffie-hellman-group-exchange-sha256
1347key exchange methods.
1348The default is
1349.Pa /etc/moduli .
1350.It Cm PasswordAuthentication
1351Specifies whether password authentication is allowed.
1352Note that passwords may also be accepted via
1353.Cm KbdInteractiveAuthentication .
1354See also
1355.Cm UsePAM .
1356The default is
1357.Cm no .
1358.It Cm PermitEmptyPasswords
1359When password authentication is allowed, it specifies whether the
1360server allows login to accounts with empty password strings.
1361The default is
1362.Cm no .
1363.It Cm PermitListen
1364Specifies the addresses/ports on which a remote TCP port forwarding may listen.
1365The listen specification must be one of the following forms:
1366.Pp
1367.Bl -item -offset indent -compact
1368.It
1369.Cm PermitListen
1370.Sm off
1371.Ar port
1372.Sm on
1373.It
1374.Cm PermitListen
1375.Sm off
1376.Ar host : port
1377.Sm on
1378.El
1379.Pp
1380Multiple permissions may be specified by separating them with whitespace.
1381An argument of
1382.Cm any
1383can be used to remove all restrictions and permit any listen requests.
1384An argument of
1385.Cm none
1386can be used to prohibit all listen requests.
1387The host name may contain wildcards as described in the PATTERNS section in
1388.Xr ssh_config 5 .
1389The wildcard
1390.Sq *
1391can also be used in place of a port number to allow all ports.
1392By default all port forwarding listen requests are permitted.
1393Note that the
1394.Cm GatewayPorts
1395option may further restrict which addresses may be listened on.
1396Note also that
1397.Xr ssh 1
1398will request a listen host of
1399.Dq localhost
1400if no listen host was specifically requested, and this name is
1401treated differently to explicit localhost addresses of
1402.Dq 127.0.0.1
1403and
1404.Dq ::1 .
1405.It Cm PermitOpen
1406Specifies the destinations to which TCP port forwarding is permitted.
1407The forwarding specification must be one of the following forms:
1408.Pp
1409.Bl -item -offset indent -compact
1410.It
1411.Cm PermitOpen
1412.Sm off
1413.Ar host : port
1414.Sm on
1415.It
1416.Cm PermitOpen
1417.Sm off
1418.Ar IPv4_addr : port
1419.Sm on
1420.It
1421.Cm PermitOpen
1422.Sm off
1423.Ar \&[ IPv6_addr \&] : port
1424.Sm on
1425.El
1426.Pp
1427Multiple forwards may be specified by separating them with whitespace.
1428An argument of
1429.Cm any
1430can be used to remove all restrictions and permit any forwarding requests.
1431An argument of
1432.Cm none
1433can be used to prohibit all forwarding requests.
1434The wildcard
1435.Sq *
1436can be used for host or port to allow all hosts or ports respectively.
1437Otherwise, no pattern matching or address lookups are performed on supplied
1438names.
1439By default all port forwarding requests are permitted.
1440.It Cm PermitRootLogin
1441Specifies whether root can log in using
1442.Xr ssh 1 .
1443The argument must be
1444.Cm yes ,
1445.Cm prohibit-password ,
1446.Cm forced-commands-only ,
1447or
1448.Cm no .
1449The default is
1450.Cm no .
1451Note that if
1452.Cm ChallengeResponseAuthentication
1453and
1454.Cm UsePAM
1455are both
1456.Cm yes ,
1457this setting may be overridden by the PAM policy.
1458.Pp
1459If this option is set to
1460.Cm prohibit-password
1461(or its deprecated alias,
1462.Cm without-password ) ,
1463password and keyboard-interactive authentication are disabled for root.
1464.Pp
1465If this option is set to
1466.Cm forced-commands-only ,
1467root login with public key authentication will be allowed,
1468but only if the
1469.Ar command
1470option has been specified
1471(which may be useful for taking remote backups even if root login is
1472normally not allowed).
1473All other authentication methods are disabled for root.
1474.Pp
1475If this option is set to
1476.Cm no ,
1477root is not allowed to log in.
1478.It Cm PermitTTY
1479Specifies whether
1480.Xr pty 4
1481allocation is permitted.
1482The default is
1483.Cm yes .
1484.It Cm PermitTunnel
1485Specifies whether
1486.Xr tun 4
1487device forwarding is allowed.
1488The argument must be
1489.Cm yes ,
1490.Cm point-to-point
1491(layer 3),
1492.Cm ethernet
1493(layer 2), or
1494.Cm no .
1495Specifying
1496.Cm yes
1497permits both
1498.Cm point-to-point
1499and
1500.Cm ethernet .
1501The default is
1502.Cm no .
1503.Pp
1504Independent of this setting, the permissions of the selected
1505.Xr tun 4
1506device must allow access to the user.
1507.It Cm PermitUserEnvironment
1508Specifies whether
1509.Pa ~/.ssh/environment
1510and
1511.Cm environment=
1512options in
1513.Pa ~/.ssh/authorized_keys
1514are processed by
1515.Xr sshd 8 .
1516Valid options are
1517.Cm yes ,
1518.Cm no
1519or a pattern-list specifying which environment variable names to accept
1520(for example
1521.Qq LANG,LC_* ) .
1522The default is
1523.Cm no .
1524Enabling environment processing may enable users to bypass access
1525restrictions in some configurations using mechanisms such as
1526.Ev LD_PRELOAD .
1527.It Cm PermitUserRC
1528Specifies whether any
1529.Pa ~/.ssh/rc
1530file is executed.
1531The default is
1532.Cm yes .
1533.It Cm PerSourceMaxStartups
1534Specifies the number of unauthenticated connections allowed from a
1535given source address, or
1536.Dq none
1537if there is no limit.
1538This limit is applied in addition to
1539.Cm MaxStartups ,
1540whichever is lower.
1541The default is
1542.Cm none .
1543.It Cm PerSourceNetBlockSize
1544Specifies the number of bits of source address that are grouped together
1545for the purposes of applying PerSourceMaxStartups limits.
1546Values for IPv4 and optionally IPv6 may be specified, separated by a colon.
1547The default is
1548.Cm 32:128 ,
1549which means each address is considered individually.
1550.It Cm PidFile
1551Specifies the file that contains the process ID of the
1552SSH daemon, or
1553.Cm none
1554to not write one.
1555The default is
1556.Pa /var/run/sshd.pid .
1557.It Cm Port
1558Specifies the port number that
1559.Xr sshd 8
1560listens on.
1561The default is 22.
1562Multiple options of this type are permitted.
1563See also
1564.Cm ListenAddress .
1565.It Cm PrintLastLog
1566Specifies whether
1567.Xr sshd 8
1568should print the date and time of the last user login when a user logs
1569in interactively.
1570The default is
1571.Cm yes .
1572.It Cm PrintMotd
1573Specifies whether
1574.Xr sshd 8
1575should print
1576.Pa /etc/motd
1577when a user logs in interactively.
1578(On some systems it is also printed by the shell,
1579.Pa /etc/profile ,
1580or equivalent.)
1581The default is
1582.Cm yes .
1583.It Cm PubkeyAcceptedAlgorithms
1584Specifies the signature algorithms that will be accepted for public key
1585authentication as a list of comma-separated patterns.
1586Alternately if the specified list begins with a
1587.Sq +
1588character, then the specified algorithms will be appended to the default set
1589instead of replacing them.
1590If the specified list begins with a
1591.Sq -
1592character, then the specified algorithms (including wildcards) will be removed
1593from the default set instead of replacing them.
1594If the specified list begins with a
1595.Sq ^
1596character, then the specified algorithms will be placed at the head of the
1597default set.
1598The default for this option is:
1599.Bd -literal -offset 3n
1600ssh-ed25519-cert-v01@openssh.com,
1601ecdsa-sha2-nistp256-cert-v01@openssh.com,
1602ecdsa-sha2-nistp384-cert-v01@openssh.com,
1603ecdsa-sha2-nistp521-cert-v01@openssh.com,
1604sk-ssh-ed25519-cert-v01@openssh.com,
1605sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1606rsa-sha2-512-cert-v01@openssh.com,
1607rsa-sha2-256-cert-v01@openssh.com,
1608ssh-ed25519,
1609ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1610sk-ssh-ed25519@openssh.com,
1611sk-ecdsa-sha2-nistp256@openssh.com,
1612rsa-sha2-512,rsa-sha2-256
1613.Ed
1614.Pp
1615The list of available signature algorithms may also be obtained using
1616.Qq ssh -Q PubkeyAcceptedAlgorithms .
1617.It Cm PubkeyAuthOptions
1618Sets one or more public key authentication options.
1619The supported keywords are:
1620.Cm none
1621(the default; indicating no additional options are enabled),
1622.Cm touch-required
1623and
1624.Cm verify-required .
1625.Pp
1626The
1627.Cm touch-required
1628option causes public key authentication using a FIDO authenticator algorithm
1629(i.e.\&
1630.Cm ecdsa-sk
1631or
1632.Cm ed25519-sk )
1633to always require the signature to attest that a physically present user
1634explicitly confirmed the authentication (usually by touching the authenticator).
1635By default,
1636.Xr sshd 8
1637requires user presence unless overridden with an authorized_keys option.
1638The
1639.Cm touch-required
1640flag disables this override.
1641.Pp
1642The
1643.Cm verify-required
1644option requires a FIDO key signature attest that the user was verified,
1645e.g. via a PIN.
1646.Pp
1647Neither the
1648.Cm touch-required
1649or
1650.Cm verify-required
1651options have any effect for other, non-FIDO, public key types.
1652.It Cm PubkeyAuthentication
1653Specifies whether public key authentication is allowed.
1654The default is
1655.Cm yes .
1656.It Cm RekeyLimit
1657Specifies the maximum amount of data that may be transmitted or received
1658before the session key is renegotiated, optionally followed by a maximum
1659amount of time that may pass before the session key is renegotiated.
1660The first argument is specified in bytes and may have a suffix of
1661.Sq K ,
1662.Sq M ,
1663or
1664.Sq G
1665to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1666The default is between
1667.Sq 1G
1668and
1669.Sq 4G ,
1670depending on the cipher.
1671The optional second value is specified in seconds and may use any of the
1672units documented in the
1673.Sx TIME FORMATS
1674section.
1675The default value for
1676.Cm RekeyLimit
1677is
1678.Cm default none ,
1679which means that rekeying is performed after the cipher's default amount
1680of data has been sent or received and no time based rekeying is done.
1681.It Cm RequiredRSASize
1682Specifies the minimum RSA key size (in bits) that
1683.Xr sshd 8
1684will accept.
1685User and host-based authentication keys smaller than this limit will be
1686refused.
1687The default is
1688.Cm 1024
1689bits.
1690Note that this limit may only be raised from the default.
1691.It Cm RevokedKeys
1692Specifies revoked public keys file, or
1693.Cm none
1694to not use one.
1695Keys listed in this file will be refused for public key authentication.
1696Note that if this file is not readable, then public key authentication will
1697be refused for all users.
1698Keys may be specified as a text file, listing one public key per line, or as
1699an OpenSSH Key Revocation List (KRL) as generated by
1700.Xr ssh-keygen 1 .
1701For more information on KRLs, see the KEY REVOCATION LISTS section in
1702.Xr ssh-keygen 1 .
1703.It Cm RDomain
1704Specifies an explicit routing domain that is applied after authentication
1705has completed.
1706The user session, as well as any forwarded or listening IP sockets,
1707will be bound to this
1708.Xr rdomain 4 .
1709If the routing domain is set to
1710.Cm \&%D ,
1711then the domain in which the incoming connection was received will be applied.
1712.It Cm SecurityKeyProvider
1713Specifies a path to a library that will be used when loading
1714FIDO authenticator-hosted keys, overriding the default of using
1715the built-in USB HID support.
1716.It Cm SetEnv
1717Specifies one or more environment variables to set in child sessions started
1718by
1719.Xr sshd 8
1720as
1721.Dq NAME=VALUE .
1722The environment value may be quoted (e.g. if it contains whitespace
1723characters).
1724Environment variables set by
1725.Cm SetEnv
1726override the default environment and any variables specified by the user
1727via
1728.Cm AcceptEnv
1729or
1730.Cm PermitUserEnvironment .
1731.It Cm StreamLocalBindMask
1732Sets the octal file creation mode mask
1733.Pq umask
1734used when creating a Unix-domain socket file for local or remote
1735port forwarding.
1736This option is only used for port forwarding to a Unix-domain socket file.
1737.Pp
1738The default value is 0177, which creates a Unix-domain socket file that is
1739readable and writable only by the owner.
1740Note that not all operating systems honor the file mode on Unix-domain
1741socket files.
1742.It Cm StreamLocalBindUnlink
1743Specifies whether to remove an existing Unix-domain socket file for local
1744or remote port forwarding before creating a new one.
1745If the socket file already exists and
1746.Cm StreamLocalBindUnlink
1747is not enabled,
1748.Nm sshd
1749will be unable to forward the port to the Unix-domain socket file.
1750This option is only used for port forwarding to a Unix-domain socket file.
1751.Pp
1752The argument must be
1753.Cm yes
1754or
1755.Cm no .
1756The default is
1757.Cm no .
1758.It Cm StrictModes
1759Specifies whether
1760.Xr sshd 8
1761should check file modes and ownership of the
1762user's files and home directory before accepting login.
1763This is normally desirable because novices sometimes accidentally leave their
1764directory or files world-writable.
1765The default is
1766.Cm yes .
1767Note that this does not apply to
1768.Cm ChrootDirectory ,
1769whose permissions and ownership are checked unconditionally.
1770.It Cm Subsystem
1771Configures an external subsystem (e.g. file transfer daemon).
1772Arguments should be a subsystem name and a command (with optional arguments)
1773to execute upon subsystem request.
1774.Pp
1775The command
1776.Cm sftp-server
1777implements the SFTP file transfer subsystem.
1778.Pp
1779Alternately the name
1780.Cm internal-sftp
1781implements an in-process SFTP server.
1782This may simplify configurations using
1783.Cm ChrootDirectory
1784to force a different filesystem root on clients.
1785.Pp
1786By default no subsystems are defined.
1787.It Cm SyslogFacility
1788Gives the facility code that is used when logging messages from
1789.Xr sshd 8 .
1790The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1791LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1792The default is AUTH.
1793.It Cm TCPKeepAlive
1794Specifies whether the system should send TCP keepalive messages to the
1795other side.
1796If they are sent, death of the connection or crash of one
1797of the machines will be properly noticed.
1798However, this means that
1799connections will die if the route is down temporarily, and some people
1800find it annoying.
1801On the other hand, if TCP keepalives are not sent,
1802sessions may hang indefinitely on the server, leaving
1803.Qq ghost
1804users and consuming server resources.
1805.Pp
1806The default is
1807.Cm yes
1808(to send TCP keepalive messages), and the server will notice
1809if the network goes down or the client host crashes.
1810This avoids infinitely hanging sessions.
1811.Pp
1812To disable TCP keepalive messages, the value should be set to
1813.Cm no .
1814.It Cm TrustedUserCAKeys
1815Specifies a file containing public keys of certificate authorities that are
1816trusted to sign user certificates for authentication, or
1817.Cm none
1818to not use one.
1819Keys are listed one per line; empty lines and comments starting with
1820.Ql #
1821are allowed.
1822If a certificate is presented for authentication and has its signing CA key
1823listed in this file, then it may be used for authentication for any user
1824listed in the certificate's principals list.
1825Note that certificates that lack a list of principals will not be permitted
1826for authentication using
1827.Cm TrustedUserCAKeys .
1828For more details on certificates, see the CERTIFICATES section in
1829.Xr ssh-keygen 1 .
1830.It Cm UnusedConnectionTimeout
1831Specifies whether and how quickly
1832.Xr sshd 8
1833should close client connections with no open channels.
1834Open channels include active shell, command execution or subsystem
1835sessions, connected network, socket, agent or X11 forwardings.
1836Forwarding listeners, such as those from the
1837.Xr ssh 1
1838.Fl R
1839flag, are not considered as open channels and do not prevent the timeout.
1840The timeout value
1841is specified in seconds or may use any of the units documented in the
1842.Sx TIME FORMATS
1843section.
1844.Pp
1845Note that this timeout starts when the client connection completes
1846user authentication but before the client has an opportunity to open any
1847channels.
1848Caution should be used when using short timeout values, as they may not
1849provide sufficient time for the client to request and open its channels
1850before terminating the connection.
1851.Pp
1852The default
1853.Cm none
1854is to never expire connections for having no open channels.
1855This option may be useful in conjunction with
1856.Cm ChannelTimeout .
1857.It Cm UseBlacklist
1858Specifies whether
1859.Xr sshd 8
1860attempts to send authentication success and failure messages
1861to the
1862.Xr blacklistd 8
1863daemon.
1864The default is
1865.Cm no .
1866For forward compatibility with an upcoming
1867.Xr blacklistd
1868rename, the
1869.Cm UseBlocklist
1870alias can be used instead.
1871.It Cm UseDNS
1872Specifies whether
1873.Xr sshd 8
1874should look up the remote host name, and to check that
1875the resolved host name for the remote IP address maps back to the
1876very same IP address.
1877.Pp
1878If this option is set to
1879.Cm no ,
1880then only addresses and not host names may be used in
1881.Pa ~/.ssh/authorized_keys
1882.Cm from
1883and
1884.Nm
1885.Cm Match
1886.Cm Host
1887directives.
1888The default is
1889.Dq yes .
1890.It Cm UsePAM
1891Enables the Pluggable Authentication Module interface.
1892If set to
1893.Cm yes
1894this will enable PAM authentication using
1895.Cm KbdInteractiveAuthentication
1896and
1897.Cm PasswordAuthentication
1898in addition to PAM account and session module processing for all
1899authentication types.
1900.Pp
1901Because PAM keyboard-interactive authentication usually serves an equivalent
1902role to password authentication, you should disable either
1903.Cm PasswordAuthentication
1904or
1905.Cm KbdInteractiveAuthentication .
1906.Pp
1907If
1908.Cm UsePAM
1909is enabled, you will not be able to run
1910.Xr sshd 8
1911as a non-root user.
1912The default is
1913.Cm yes .
1914.It Cm VersionAddendum
1915Optionally specifies additional text to append to the SSH protocol banner
1916sent by the server upon connection.
1917The default is
1918.Qq FreeBSD-20230205 .
1919The value
1920.Cm none
1921may be used to disable this.
1922.It Cm X11DisplayOffset
1923Specifies the first display number available for
1924.Xr sshd 8 Ns 's
1925X11 forwarding.
1926This prevents sshd from interfering with real X11 servers.
1927The default is 10.
1928.It Cm X11Forwarding
1929Specifies whether X11 forwarding is permitted.
1930The argument must be
1931.Cm yes
1932or
1933.Cm no .
1934The default is
1935.Cm yes .
1936.Pp
1937When X11 forwarding is enabled, there may be additional exposure to
1938the server and to client displays if the
1939.Xr sshd 8
1940proxy display is configured to listen on the wildcard address (see
1941.Cm X11UseLocalhost ) ,
1942though this is not the default.
1943Additionally, the authentication spoofing and authentication data
1944verification and substitution occur on the client side.
1945The security risk of using X11 forwarding is that the client's X11
1946display server may be exposed to attack when the SSH client requests
1947forwarding (see the warnings for
1948.Cm ForwardX11
1949in
1950.Xr ssh_config 5 ) .
1951A system administrator may have a stance in which they want to
1952protect clients that may expose themselves to attack by unwittingly
1953requesting X11 forwarding, which can warrant a
1954.Cm no
1955setting.
1956.Pp
1957Note that disabling X11 forwarding does not prevent users from
1958forwarding X11 traffic, as users can always install their own forwarders.
1959.It Cm X11UseLocalhost
1960Specifies whether
1961.Xr sshd 8
1962should bind the X11 forwarding server to the loopback address or to
1963the wildcard address.
1964By default,
1965sshd binds the forwarding server to the loopback address and sets the
1966hostname part of the
1967.Ev DISPLAY
1968environment variable to
1969.Cm localhost .
1970This prevents remote hosts from connecting to the proxy display.
1971However, some older X11 clients may not function with this
1972configuration.
1973.Cm X11UseLocalhost
1974may be set to
1975.Cm no
1976to specify that the forwarding server should be bound to the wildcard
1977address.
1978The argument must be
1979.Cm yes
1980or
1981.Cm no .
1982The default is
1983.Cm yes .
1984.It Cm XAuthLocation
1985Specifies the full pathname of the
1986.Xr xauth 1
1987program, or
1988.Cm none
1989to not use one.
1990The default is
1991.Pa /usr/local/bin/xauth .
1992.El
1993.Sh TIME FORMATS
1994.Xr sshd 8
1995command-line arguments and configuration file options that specify time
1996may be expressed using a sequence of the form:
1997.Sm off
1998.Ar time Op Ar qualifier ,
1999.Sm on
2000where
2001.Ar time
2002is a positive integer value and
2003.Ar qualifier
2004is one of the following:
2005.Pp
2006.Bl -tag -width Ds -compact -offset indent
2007.It Aq Cm none
2008seconds
2009.It Cm s | Cm S
2010seconds
2011.It Cm m | Cm M
2012minutes
2013.It Cm h | Cm H
2014hours
2015.It Cm d | Cm D
2016days
2017.It Cm w | Cm W
2018weeks
2019.El
2020.Pp
2021Each member of the sequence is added together to calculate
2022the total time value.
2023.Pp
2024Time format examples:
2025.Pp
2026.Bl -tag -width Ds -compact -offset indent
2027.It 600
2028600 seconds (10 minutes)
2029.It 10m
203010 minutes
2031.It 1h30m
20321 hour 30 minutes (90 minutes)
2033.El
2034.Sh TOKENS
2035Arguments to some keywords can make use of tokens,
2036which are expanded at runtime:
2037.Pp
2038.Bl -tag -width XXXX -offset indent -compact
2039.It %%
2040A literal
2041.Sq % .
2042.It \&%D
2043The routing domain in which the incoming connection was received.
2044.It %F
2045The fingerprint of the CA key.
2046.It %f
2047The fingerprint of the key or certificate.
2048.It %h
2049The home directory of the user.
2050.It %i
2051The key ID in the certificate.
2052.It %K
2053The base64-encoded CA key.
2054.It %k
2055The base64-encoded key or certificate for authentication.
2056.It %s
2057The serial number of the certificate.
2058.It \&%T
2059The type of the CA key.
2060.It %t
2061The key or certificate type.
2062.It \&%U
2063The numeric user ID of the target user.
2064.It %u
2065The username.
2066.El
2067.Pp
2068.Cm AuthorizedKeysCommand
2069accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
2070.Pp
2071.Cm AuthorizedKeysFile
2072accepts the tokens %%, %h, %U, and %u.
2073.Pp
2074.Cm AuthorizedPrincipalsCommand
2075accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u.
2076.Pp
2077.Cm AuthorizedPrincipalsFile
2078accepts the tokens %%, %h, %U, and %u.
2079.Pp
2080.Cm ChrootDirectory
2081accepts the tokens %%, %h, %U, and %u.
2082.Pp
2083.Cm RoutingDomain
2084accepts the token %D.
2085.Sh FILES
2086.Bl -tag -width Ds
2087.It Pa /etc/ssh/sshd_config
2088Contains configuration data for
2089.Xr sshd 8 .
2090This file should be writable by root only, but it is recommended
2091(though not necessary) that it be world-readable.
2092.El
2093.Sh SEE ALSO
2094.Xr sftp-server 8 ,
2095.Xr sshd 8
2096.Sh AUTHORS
2097.An -nosplit
2098OpenSSH is a derivative of the original and free
2099ssh 1.2.12 release by
2100.An Tatu Ylonen .
2101.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,
2102.An Theo de Raadt
2103and
2104.An Dug Song
2105removed many bugs, re-added newer features and
2106created OpenSSH.
2107.An Markus Friedl
2108contributed the support for SSH protocol versions 1.5 and 2.0.
2109.An Niels Provos
2110and
2111.An Markus Friedl
2112contributed support for privilege separation.
2113