Diffstat (limited to 'sshd_config.5')
sshd_config.5 | 113 (93 insertions, 20 deletions)
1 file changed, 93 insertions, 20 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index e3c7c3936dd30..e1b54ba20e3fa 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.263 2018/02/16 02:40:45 djm Exp $
-.Dd $Mdocdate: February 16 2018 $
+.\" $OpenBSD: sshd_config.5,v 1.281 2018/07/20 05:01:10 djm Exp $
+.Dd $Mdocdate: July 20 2018 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -66,12 +66,14 @@ the session's
.Xr environ 7 .
See
.Cm SendEnv
+and
+.Cm SetEnv
in
.Xr ssh_config 5
for how to configure the client.
The
.Ev TERM
-environment variable is always sent whenever the client
+environment variable is always accepted whenever the client
requests a pseudo-terminal as it is required by the protocol.
Variables are specified by name, which may contain the wildcard characters
.Ql *
@@ -184,7 +186,7 @@ for more information on patterns.
.It Cm AuthenticationMethods
Specifies the authentication methods that must be successfully completed
for a user to be granted access.
-This option must be followed by one or more comma-separated lists of
+This option must be followed by one or more lists of comma-separated
authentication method names, or by the single string
.Cm any
to indicate the default behaviour of accepting any single authentication
@@ -203,10 +205,9 @@ keyboard-interactive authentication before public key.
For keyboard interactive authentication it is also possible to
restrict authentication to a specific device by appending a
colon followed by the device identifier
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
or
-.Cm skey ,
+.Cm pam .
depending on the server configuration.
For example,
.Qq keyboard-interactive:bsdauth
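Review bot: the replacement line ".Cm pam ." ends the list with a period, but the sentence continues on the unchanged line "depending on the server configuration.", so the rendered text becomes "bsdauth or pam. depending on the server configuration." The removed line used a trailing comma (".Cm skey ,"); the new last item should keep that, i.e. ".Cm pam ," so the sentence stays grammatical.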
@@ -231,7 +232,7 @@ The available authentication methods are:
.Qq keyboard-interactive ,
.Qq none
(used for access to password-less accounts when
-.Cm PermitEmptyPassword
+.Cm PermitEmptyPasswords
is enabled),
.Qq password
and
@@ -657,7 +658,7 @@ The default is
.Cm yes .
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
-as a comma-separated pattern list.
+as a list of comma-separated patterns.
Alternately if the specified value begins with a
.Sq +
character, then the specified key types will be appended to the default set
@@ -672,9 +673,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
.Ed
.Pp
The list of available key types may also be obtained using
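Review bot: this default key-type list is duplicated verbatim in two further hunks of the same patch (the HostKeyAlgorithms and PubkeyAcceptedKeyTypes entries), and all three must stay in sync with what the binary actually reports via the "ssh -Q" command referenced in the trailing context line; a follow-up that regenerates these lists from one source would avoid drift. Placement looks right: the added rsa-sha2-512 and rsa-sha2-256 entries (and their -cert-v01 forms) are listed before the legacy ssh-rsa entries, so SHA-2 RSA signatures are preferred over SHA-1 ssh-rsa when both sides support them.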
@@ -749,9 +751,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
.Ed
.Pp
The list of available key types may also be obtained using
@@ -816,9 +819,11 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm lowdelay
+.Cm af21
+(Low-Latency Data)
for interactive sessions and
-.Cm throughput
+.Cm cs1
+(Lower Effort)
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.
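Review bot: the default changes from the IPv4 TOS-style names lowdelay/throughput to the DSCP code points af21 (Low-Latency Data) and cs1 (Lower Effort); please confirm the list of accepted IPQoS keywords earlier in this entry (outside this hunk) already contains af21 and cs1, and consider adding a sentence noting that this is a behaviour change visible on the wire, since sites that police or classify traffic by DSCP marking will see sshd's packets land in different classes after upgrading.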
@@ -1123,6 +1128,7 @@ Available keywords are
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
+.Cm PermitListen ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTTY ,
@@ -1133,6 +1139,7 @@ Available keywords are
.Cm RekeyLimit ,
.Cm RevokedKeys ,
.Cm RDomain ,
+.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys ,
@@ -1182,6 +1189,48 @@ When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
The default is
.Cm no .
+.It Cm PermitListen
+Specifies the addresses/ports on which a remote TCP port forwarding may listen.
+The listen specification must be one of the following forms:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm PermitListen
+.Sm off
+.Ar port
+.Sm on
+.It
+.Cm PermitListen
+.Sm off
+.Ar host : port
+.Sm on
+.El
+.Pp
+Multiple permissions may be specified by separating them with whitespace.
+An argument of
+.Cm any
+can be used to remove all restrictions and permit any listen requests.
+An argument of
+.Cm none
+can be used to prohibit all listen requests.
+The host name may contain wildcards as described in the PATTERNS section in
+.Xr ssh_config 5 .
+The wildcard
+.Sq *
+can also be used in place of a port number to allow all ports.
+By default all port forwarding listen requests are permitted.
+Note that the
+.Cm GatewayPorts
+option may further restrict which addresses may be listened on.
+Note also that
+.Xr ssh 1
+will request a listen host of
+.Dq localhost
+if no listen host was specifically requested, and this this name is
+treated differently to explicit localhost addresses of
+.Dq 127.0.0.1
+and
+.Dq ::1 .
.It Cm PermitOpen
Specifies the destinations to which TCP port forwarding is permitted.
The forwarding specification must be one of the following forms:
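Review bot: "this this name is" near the end of the added PermitListen text is a doubled word and should read "this name is". The default is stated as "all port forwarding listen requests are permitted"; it would help operators to say explicitly that this is equivalent to "PermitListen any", so it is clear that restriction only takes effect when the keyword is set. The localhost note is important for correctness of any restriction and is worth keeping as is: because "localhost" is treated differently from 127.0.0.1 and ::1, a rule written as "localhost:port" will not match a client that explicitly requests 127.0.0.1, so administrators need to list each form they intend to allow.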
@@ -1284,6 +1333,12 @@ options in
.Pa ~/.ssh/authorized_keys
are processed by
.Xr sshd 8 .
+Valid options are
+.Cm yes ,
+.Cm no
+or a pattern-list specifying which environment variable names to accept
+(for example
+.Qq LANG,LC_* ) .
The default is
.Cm no .
Enabling environment processing may enable users to bypass access
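Review bot: the added sentence "Valid options are yes, no or a pattern-list" drops the serial comma that the rest of this page uses in lists (compare "%%, %h, %U, and %u" later in the patch); suggest ".Cm no ," so it reads "yes, no, or a pattern-list". It would also be worth stating that the pattern-list is matched against the variable name only, not the value, and that the trailing unchanged warning about bypassing access restrictions still applies to the pattern-list form, since a sufficiently broad pattern permits the same variables as "yes".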
@@ -1330,7 +1385,7 @@ The default is
.Cm yes .
.It Cm PubkeyAcceptedKeyTypes
Specifies the key types that will be accepted for public key authentication
-as a comma-separated pattern list.
+as a list of comma-separated patterns.
Alternately if the specified value begins with a
.Sq +
character, then the specified key types will be appended to the default set
@@ -1345,9 +1400,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
.Ed
.Pp
The list of available key types may also be obtained using
@@ -1402,6 +1458,21 @@ will be bound to this
If the routing domain is set to
.Cm \&%D ,
then the domain in which the incoming connection was received will be applied.
+.It Cm SetEnv
+Specifies one or more environment variables to set in child sessions started
+by
+.Xr sshd 8
+as
+.Dq NAME=VALUE .
+The environment value may be quoted (e.g. if it contains whitespace
+characters).
+Environment variables set by
+.Cm SetEnv
+override the default environment and any variables specified by the user
+via
+.Cm AcceptEnv
+or
+.Cm PermitUserEnvironment .
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
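Review bot: "The environment value may be quoted" leaves open whether quotes go around the VALUE alone or the whole NAME=VALUE token, and which quoting rules apply; one concrete example in the entry (for instance SetEnv with a double-quoted value containing a space, as the parenthetical suggests) would remove the ambiguity. The precedence statement is the security-relevant part of this entry and is welcome: because SetEnv overrides anything the user supplies through AcceptEnv or PermitUserEnvironment, an administrator can pin variables that must not be user-controlled; consider also documenting which value wins when the same NAME is given more than once (first match, as with other sshd_config keywords, or last), since that matters for Match blocks now that SetEnv is a Match keyword.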
@@ -1687,24 +1758,26 @@ The serial number of the certificate.
The type of the CA key.
.It %t
The key or certificate type.
+.It \&%U
+The numeric user ID of the target user.
.It %u
The username.
.El
.Pp
.Cm AuthorizedKeysCommand
-accepts the tokens %%, %f, %h, %k, %t, and %u.
+accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
.Pp
.Cm AuthorizedKeysFile
-accepts the tokens %%, %h, and %u.
+accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm AuthorizedPrincipalsCommand
-accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, and %u.
+accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u.
.Pp
.Cm AuthorizedPrincipalsFile
-accepts the tokens %%, %h, and %u.
+accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm ChrootDirectory
-accepts the tokens %%, %h, and %u.
+accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm RoutingDomain
accepts the token %D.
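Review bot: the ".It \&%U" form with the zero-width "\&" escape is correct and should not be "simplified" to match the neighbouring ".It %t" and ".It %u": %U (like %D, escaped the same way in the RoutingDomain text above) is an mdoc bibliographic macro name, so an unescaped "%U" at the start of the macro argument would be misinterpreted. The five token-list sentences updated here (AuthorizedKeysCommand, AuthorizedKeysFile, AuthorizedPrincipalsCommand, AuthorizedPrincipalsFile, ChrootDirectory) all gain %U; please confirm the corresponding expansion tables in sshd are updated for exactly these five and no others, since a documented token that a keyword does not actually expand would be silently passed through as a literal path component.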