Diffstat (limited to 'sshd_config.5')
-rw-r--r--  sshd_config.5  196
1 files changed, 160 insertions, 36 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index ce71efe3c100..fd44abe75e4c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $ -.Dd $Mdocdate: February 27 2014 $ +.\" $OpenBSD: sshd_config.5,v 1.176 2014/07/28 15:40:08 schwarze Exp $ +.Dd $Mdocdate: July 28 2014 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -140,6 +140,26 @@ The default is Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. +.It Cm AllowStreamLocalForwarding +Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. +The available options are +.Dq yes +or +.Dq all +to allow StreamLocal forwarding, +.Dq no +to prevent all StreamLocal forwarding, +.Dq local +to allow local (from the perspective of +.Xr ssh 1 ) +forwarding only or +.Dq remote +to allow remote forwarding only. +The default is +.Dq yes . +Note that disabling StreamLocal forwarding does not improve security unless +users are also denied shell access, as they can always install their +own forwarders. .It Cm AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. @@ -283,7 +303,7 @@ This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via -PAM or though authentication styles supported in +PAM or through authentication styles supported in .Xr login.conf 5 ) The default is .Dq yes . 
@@ -324,9 +344,9 @@ For file transfer sessions using .Dq sftp , no additional configuration of the environment is necessary if the in-process sftp server is used, -though sessions which use logging do require +though sessions which use logging may require .Pa /dev/log -inside the chroot directory (see +inside the chroot directory on some operating systems (see .Xr sftp-server 8 for details). .Pp @@ -337,30 +357,44 @@ Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are: .Pp -.Dq 3des-cbc , -.Dq aes128-cbc , -.Dq aes192-cbc , -.Dq aes256-cbc , -.Dq aes128-ctr , -.Dq aes192-ctr , -.Dq aes256-ctr , -.Dq aes128-gcm@openssh.com , -.Dq aes256-gcm@openssh.com , -.Dq arcfour128 , -.Dq arcfour256 , -.Dq arcfour , -.Dq blowfish-cbc , -.Dq cast128-cbc , -and -.Dq chacha20-poly1305@openssh.com . +.Bl -item -compact -offset indent +.It +3des-cbc +.It +aes128-cbc +.It +aes192-cbc +.It +aes256-cbc +.It +aes128-ctr +.It +aes192-ctr +.It +aes256-ctr +.It +aes128-gcm@openssh.com +.It +aes256-gcm@openssh.com +.It +arcfour +.It +arcfour128 +.It +arcfour256 +.It +blowfish-cbc +.It +cast128-cbc +.It +chacha20-poly1305@openssh.com +.El .Pp The default is: -.Bd -literal -offset 3n -aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, +.Bd -literal -offset indent +aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, -chacha20-poly1305@openssh.com, -aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, -aes256-cbc,arcfour +chacha20-poly1305@openssh.com .Ed .Pp The list of available ciphers may also be obtained using the 
@@ -672,14 +706,33 @@ The default is .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -The default is +The supported algorithms are: +.Pp +.Bl -item -compact -offset indent +.It +curve25519-sha256@libssh.org +.It +diffie-hellman-group1-sha1 +.It +diffie-hellman-group14-sha1 +.It +diffie-hellman-group-exchange-sha1 +.It +diffie-hellman-group-exchange-sha256 +.It +ecdh-sha2-nistp256 +.It +ecdh-sha2-nistp384 +.It +ecdh-sha2-nistp521 +.El +.Pp +The default is: .Bd -literal -offset indent curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, -diffie-hellman-group-exchange-sha1, -diffie-hellman-group14-sha1, -diffie-hellman-group1-sha1 +diffie-hellman-group14-sha1 .Ed .It Cm KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically regenerated 
@@ -751,16 +804,53 @@ The algorithms that contain .Dq -etm calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended. +The supported MACs are: +.Pp +.Bl -item -compact -offset indent +.It +hmac-md5 +.It +hmac-md5-96 +.It +hmac-ripemd160 +.It +hmac-sha1 +.It +hmac-sha1-96 +.It +hmac-sha2-256 +.It +hmac-sha2-512 +.It +umac-64@openssh.com +.It +umac-128@openssh.com +.It +hmac-md5-etm@openssh.com +.It +hmac-md5-96-etm@openssh.com +.It +hmac-ripemd160-etm@openssh.com +.It +hmac-sha1-etm@openssh.com +.It +hmac-sha1-96-etm@openssh.com +.It +hmac-sha2-256-etm@openssh.com +.It +hmac-sha2-512-etm@openssh.com +.It +umac-64-etm@openssh.com +.It +umac-128-etm@openssh.com +.El +.Pp The default is: .Bd -literal -offset indent -hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, -hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, -hmac-md5-96-etm@openssh.com, -hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, -hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, -hmac-sha1-96,hmac-md5-96 +umac-64@openssh.com,umac-128@openssh.com, +hmac-sha2-256,hmac-sha2-512 .Ed .It Cm Match Introduces a conditional block. @@ -842,6 +932,7 @@ Available keywords are .Cm PermitRootLogin , .Cm PermitTTY , .Cm PermitTunnel , +.Cm PermitUserRC , .Cm PubkeyAuthentication , .Cm RekeyLimit , .Cm RhostsRSAAuthentication , @@ -990,6 +1081,12 @@ The default is Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as .Ev LD_PRELOAD . +.It Cm PermitUserRC +Specifies whether any +.Pa ~/.ssh/rc +file is executed. +The default is +.Dq yes . .It Cm PidFile Specifies the file that contains the process ID of the SSH daemon. 
@@ -1094,6 +1191,33 @@ This option applies to protocol version 1 only. .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. +.It Cm StreamLocalBindMask +Sets the octal file creation mode mask +.Pq umask +used when creating a Unix-domain socket file for local or remote +port forwarding. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The default value is 0177, which creates a Unix-domain socket file that is +readable and writable only by the owner. +Note that not all operating systems honor the file mode on Unix-domain +socket files. +.It Cm StreamLocalBindUnlink +Specifies whether to remove an existing Unix-domain socket file for local +or remote port forwarding before creating a new one. +If the socket file already exists and +.Cm StreamLocalBindUnlink +is not enabled, +.Nm sshd +will be unable to forward the port to the Unix-domain socket file. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq no . .It Cm StrictModes Specifies whether .Xr sshd 8 |
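Review bot: the new AllowStreamLocalForwarding entry in the @@ -140 hunk is not added to the list of keywords permitted under Match, although the @@ -842 hunk extends that list for PermitUserRC. If the option is honoured inside Match blocks (its sibling AllowTcpForwarding is a Match keyword) it should be inserted there as well, alphabetically after AllowGroups; if it is not, the entry should say that it applies globally only. Either way the "local" wording, "local (from the perspective of .Xr ssh 1 )", is the right clarification and should be kept.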
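Review bot: the new default in the @@ -337 hunk silently changes behaviour: every CBC cipher and all three arcfour variants are removed from the default list ("aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc," and "aes256-cbc,arcfour" are gone), but the text presents the result only as a new list. Add a sentence stating that these ciphers remain in the supported list and must be named explicitly in Ciphers for legacy clients that offer nothing in the CTR, GCM or chacha20-poly1305 set, so an administrator who sees connections failing after an upgrade finds the reason in the manual rather than in the debug log.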
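Review bot: the @@ -672 hunk adds a supported-algorithms list for KexAlgorithms but, unlike the Ciphers entry, gives no pointer to the query mechanism ("The list of available ciphers may also be obtained using the ..." in the @@ -337 hunk); add the parallel sentence so the list can be checked against the running binary rather than against the manual. The hunk also drops diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 from the default; a short note that they are still available but no longer offered by default, mirroring what the Ciphers change needs, would make the two entries consistent.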
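Review bot: the @@ -751 hunk removes the whole hmac-md5, hmac-sha1, hmac-ripemd160 and -96 (truncated) families from the default MACs, leaving only the umac and hmac-sha2 algorithms in plain and -etm form, yet the sentence immediately above the new list still says only that -etm variants "are considered safer and their use recommended". State the second half of the policy as well, that MD5, SHA-1 and truncated-tag MACs are supported but excluded from the default and must be enabled explicitly, and add the same "may also be obtained using" pointer that the Ciphers entry carries.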
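Review bot: the PermitUserRC description in the @@ -990 hunk says only whether ".Pa ~/.ssh/rc" "is executed" and gives the reader no way to find out what that file does; add ".Xr sshd 8" as a cross-reference to where the rc file is described. Since the @@ -842 hunk makes PermitUserRC a Match keyword, it is also worth one sentence saying that the common use is to set it to "no" inside a Match block for restricted accounts, such as the chrooted sftp users described in the @@ -324 hunk, where a user-controlled script running at login defeats the restriction.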
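Review bot: the StreamLocalBindUnlink text in the @@ -1094 hunk, "remove an existing Unix-domain socket file ... before creating a new one", leaves open what happens when the path exists but is not a socket; state explicitly whether a regular file or other object at that path is left alone or also unlinked, since that decides whether enabling the option can clobber unrelated files writable by the user. For StreamLocalBindMask, the hunk already warns that "not all operating systems honor the file mode on Unix-domain socket files"; follow that with the practical consequence, that on such systems the permissions of the containing directory are the effective access control and the socket should be placed in a directory only the owner can search.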