sshd2_config(4)						      sshd2_config(4)



NAME

  sshd2_config - Configuration file for	the sshd2 daemon

DESCRIPTION

  The sshd2 daemon reads configuration data from the /etc/ssh2/sshd2_config
  file (or the file specified with the sshd2 -f	command).  The file contains
  keyword-argument pairs, one per line.

  Empty	lines and lines	starting with the pound	(#) sign are ignored as	com-
  ments.  Otherwise a line is of the format keyword arguments.	It is possi-
  ble to enclose arguments in quotes, and use the standard C convention.
  Configuration	files are case sensitive, but keywords are not case sensi-
  tive.

  Configuration	blocks are not allowed in sshd2_config.	 Subconfiguration
  files	can be specified in the	main configuration file. See the HostSpeci-
  ficConfig and	UserSpecificConfig keyword explanations.

  If changes are made in the main configuration file, sshd2 must be
  restarted, for example by sending it a hangup signal:

      # kill -HUP `cat /var/run/sshd2_22.pid`

  If the /var/run/ directory does not exist, use the pid file under
  /etc/ssh2/ instead:

      # kill -HUP `cat /etc/ssh2/sshd2_22.pid`
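  The following Python script is an added example written for this page; it
  is not code shipped with sshd2. It parses the keyword-argument format just
  described (comment lines, quoted arguments with C escapes, keywords that
  are not case sensitive while their arguments are) and then flags settings
  whose page-stated defaults a reviewer would question. The sample
  configuration, the set of audited keywords and the "last occurrence wins"
  rule are assumptions of the example, not statements of this page.

```python
"""Parse the sshd2_config keyword-argument format and flag risky settings.

Added example written for this manual page; not code from the sshd2
distribution. The defaults applied are the ones this page states.
"""

# C escape sequences decoded inside quoted arguments. Any other backslash
# sequence is kept verbatim so that regex patterns such as \. survive.
_C_ESCAPES = {"n": "\n", "t": "\t", "\\": "\\", '"': '"', "'": "'"}


def unquote_argument(text):
    """Remove surrounding quotes and decode C escapes in one argument."""
    out, i, quote = [], 0, None
    while i < len(text):
        ch = text[i]
        if quote and ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            out.append(_C_ESCAPES[nxt] if nxt in _C_ESCAPES else ch + nxt)
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None
            else:
                out.append(ch)
        elif ch in "\"'":
            quote = ch
        else:
            out.append(ch)
        i += 1
    if quote:
        raise ValueError("unterminated quote in argument: %r" % text)
    return "".join(out)


def parse_sshd2_config(text):
    """Return (keyword, argument) pairs in file order.

    Keywords are folded to lower case because the page says keywords are
    not case sensitive; arguments keep their case. Empty lines and lines
    whose first non-blank character is '#' are ignored as comments.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: keyword without argument: %r" % (lineno, raw))
        keyword, argument = parts
        entries.append((keyword.lower(), unquote_argument(argument.strip())))
    return entries


# Defaults for the audited keywords, exactly as this manual page states them.
DEFAULTS = {
    "permitemptypasswords": "yes",
    "permitrootlogin": "yes",
    "strictmodes": "yes",
    "passwordguesses": "3",
}


def effective_settings(entries):
    """Assumption: a later occurrence of a keyword replaces an earlier one;
    keywords absent from the file take the page's defaults."""
    settings = dict(DEFAULTS)
    for keyword, argument in entries:
        settings[keyword] = argument
    return settings


def audit(entries):
    """Return (keyword, message) findings for settings worth a second look."""
    s = effective_settings(entries)
    findings = []
    if s["permitemptypasswords"].lower() == "yes":
        findings.append(("permitemptypasswords",
                         "accounts with empty passwords may log in (page default: yes)"))
    if s["permitrootlogin"].lower() == "yes":
        findings.append(("permitrootlogin",
                         "root may log in with a password; nopwd or no is tighter"))
    if s["strictmodes"].lower() != "yes":
        findings.append(("strictmodes",
                         "home directory and rhosts file modes are not checked"))
    if int(s["passwordguesses"]) > 3:
        findings.append(("passwordguesses",
                         "more than the default 3 password attempts are allowed"))
    return findings


# Constructed sample file for the example; not a real deployment's config.
SAMPLE_CONFIG = """\
# sshd2_config sample (constructed)
Port                 22
PermitRootLogin      nopwd
permitemptypasswords no
BannerMessageFile    "/etc/ssh2/banner text"
StrictModes          no
PasswordGuesses      5
"""

if __name__ == "__main__":
    for keyword, message in audit(parse_sshd2_config(SAMPLE_CONFIG)):
        print("%s: %s" % (keyword, message))
```

  Running the script on the sample reports StrictModes and PasswordGuesses;
  running audit() on an empty file reports the two page defaults
  (PermitEmptyPasswords and PermitRootLogin both yes) that a hardened host
  would normally override.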

  The following sshd2_config file keywords are allowed:

  AllowAgentForwarding or ForwardAgent
      Specifies	whether	agent forwarding is permitted. Usually,	you should
      allow users to freely forward agent connections. The argument must be
      yes or no. The default is	yes.

  AllowedAuthentications
      Specifies	the authentication methods that	the server uses	to authenti-
      cate users. Supported authentication methods are:	keyboard-interactive,
      password,	publickey, kerberos-2@ssh.com, and kerberos-tgt-2@ssh.com.
      The default is publickey,password.

      You can specify any or all authentication	methods. Use a comma-
      separated	list when specifying more than one argument. The order in
      which authentication methods are listed is the order in which they are
      used. For	example, if hostbased is listed	first, the server will use
      hostbased	authentication before trying the next listed authentication.
      The first	successful authentication is the one used.

      With the RequiredAuthentications keyword,	you can	force users to com-
      plete several authentications before they	are considered authenticated.
      See the explanation for the RequiredAuthentications keyword.

  AllowGroups
      Follows any number of group name patterns,	 separated by commas.
      If specified, login is allowed only if one of the	groups the user
      belongs to matches one of	the patterns.  Patterns	are matched using the
      egrep syntax (see	sshregex(5)), or the syntax specified in the metacon-
      figuration header	of the configuration file.  You	can  use the comma
      character	in the patterns	by escaping it with a backslash.  By default,
      all groups are allowed to	log in.	 However, all other authentication
      steps must be successfully completed.  The AllowGroups and DenyGroups
      keywords are additional restrictions that	never increase the tolerance.

  AllowHosts
      Follows any number of host name patterns,	separated by commas.  If
      specified, log in	is allowed only	if a host name matches one of the
      patterns.	 Patterns are matched using the	egrep syntax (see sshre-
      gex(5)), or the syntax specified in the metaconfiguration	section	of
      the configuration	file.

      If you want the pattern to match the host's IP address (ignoring the
      canonical	host name), prefix your	pattern	with \i.  You can also use
      subnet masks (e.g., 127.0.0.0/8) by prefixing the pattern with \m.
      DNS is used to map the client's host name	into a canonical host name.
      If the name cannot be mapped, the	IP address is used as the host name.
      By default, all hosts are	allowed	to connect. The	sshd2 daemon also can
      be configured to use tcp_wrappers	using the --with-libwrap compile-time
      configuration option.

  AllowSHosts
      Follows any number of host name patterns,	separated by commas.  The
      entries in .shosts, .rhosts, /etc/hosts.equiv and	/etc/shosts.equiv are
      ignored if they do not match one of the patterns.

  AllowTcpForwarding
      Specifies	whether	TCP forwarding is permitted. Disabling TCP forwarding
      does not improve security, unless	you deny the user shell	access at the
      same time. (See ssh-dummy-shell(1)). Any user who	has a shell can
      install forwarders.  The argument	must be	yes or no. The default is
      yes.

      This option is required if EnforceSecureRutils is	enabled.

  AllowTcpForwardingForGroups
      Specifies	the group names	that can forward ports.	Use a comma-separated
      list when	specifying more	than one group name. Disabling TCP forwarding
      does not improve security, unless	you deny the user shell	access at the
      same time.  (See ssh-dummy-shell(1)). Any	user who has a shell can
      install forwarders.  The argument	must be	yes or no. The default is yes
      (enable forwarding).

  AllowTcpForwardingForUsers
      Specifies	the names of users who can forward ports. Use a	comma-
      separated	list when specifying more than one user	name. Disabling	TCP
      forwarding does not improve security, unless you deny the	user shell
      access at	the same time.	(See ssh-dummy-shell(1)). Any user who has a
      shell can	install	forwarders.  The argument must be yes or no. The
      default is yes (enable forwarding).

  AllowUsers
      Specifies	the names of users who can log in. Use a comma-separated list
      when specifying more than	one user name. User names can be entered as
      user@host_name where host_name is	a DNS name or an IP address. By
      default, all users are allowed to	log in.	 However, all other login
      authentication steps must	be successfully	completed.  The	AllowUsers
      and DenyUsers keywords specify additional	restrictions.

  AllowX11Forwarding, X11Forwarding, or	ForwardX11
      Specifies	whether	X11 forwarding is permitted. Disabling X11 forwarding
      does not improve security, unless	you deny the user shell	access at the
      same time. (See ssh-dummy-shell(1)). Any user who	has a shell can
      install forwarders. The argument must be yes or no. The default is
      yes.

  AuthInteractiveFailureTimeout
      Specifies	the server delay, in seconds, after a failed attempt to	log
      in using keyboard-interactive, password authentication. The default is
      2.

  AuthKbdInt.NumOptional
      Specifies	how many optional submethods must be passed before the
      authentication is considered a success (all required submethods must
      be passed). See the AuthKbdInt.Optional explanation for specifying
      optional submethods, and the AuthKbdInt.Required explanation for
      required submethods. The default is 0. If	no required submethods are
      specified,  the client must pass at least	one optional submethod.

  AuthKbdInt.Optional
      Specifies	the optional submethods	keyboard-interactive will use.
      Defined submethods are: pam, securid, plugin, and	password. The pam and
      securid submethods must have the necessary libraries and headers when
      the distribution is compiled.  The pam submethod is usually available
      in binary	packages if the	architecture supports Pluggable	Authentica-
      tion Modules (PAM).  The keyboard-interactive authentication method is
      considered a success when	the specified  amount of optional submethods
      and all required submethods are passed. The plugin submethod can be
      used if a	system administrator wants to  create a	new authentication
      method. (See AuthKbdInt.Plugin, AuthKbdInt.NumOptional and
      AuthKbdInt.Required. )

  AuthKbdInt.Plugin
      Specifies	the program used by the	keyboard-interactive plugin sub-
      method. The sshd2	daemon,	running	as root, communicates with this	pro-
      gram using a line-based protocol.	There is no default for	this keyword.
      It must be set if	the plugin submethod is	used. Otherwise, the sub-
      method will fail and authentication could	fail.

      More information about the protocol can be found in the distribution
      package. The RFC.kbdint_plugin_protocol file has a description of	the
      protocol used; the kbdint_plugin_example.sh file is a sample script.

  AuthKbdInt.Required
      Specifies	the required submethods	that must be passed before the
      keyboard-interactive authentication method can succeed.  See
      AuthKbdInt.Optional.

  AuthKbdInt.Retries
      Specifies	how many times the user	can retry keyboard-interactive.	 The
      default is 3.

  AuthorizationFile
      Specifies	the name of the	user's authorization file.

  AuthPublicKey.MaxSize
      Specifies	the maximum size of a publickey	that can be used to log	in.
      Value 0 disables the check. The default is 0.

  AuthPublicKey.MinSize
      Specifies	the minimum size of a publickey	that can be used to log	in.
      Value 0 disables the check. The default is 0.

  BannerMessageFile
      Specifies	the path to the	message	that is	sent to	the client before
      authentication.  The default path	is /etc/ssh2/ssh_banner_message.

  CheckMail
      Specifies	whether	information is displayed when there is new mail	when
      a	user logs in.  The argument must be yes	or no. The default is yes.

  ChRootGroups
      Specifies	the names of groups in which users who belong to those groups
      have a chrooted environment. A chrooted environment is one in which
      users are	restricted to their home directory and its subdirectories.
      Groups are defined on the	server in the /etc/group file.	Use a comma-
      separated	list when specifying more than one group name.

  ChRootUsers
      Specifies	the names of users who have a chrooted environment. A
      chrooted environment is one in which users are restricted	to their home
      directory	and its	subdirectories.	Users are defined on the server	in
      the /etc/group file. Use a comma-separated list when specifying more
      than one user name.

  Ciphers
      Specifies	the Secure Shell ciphers to use	for encrypting the session.
      Supported	ciphers	are: aes, blowfish, twofish, arcfour, cast, 3des, and
      des.  Multiple ciphers can be specified as a comma-separated list.
      Special values for this option are: Any, AnyStd, none, AnyCipher,	and
      AnyStdCipher.  The Any value allows all ciphers including	none.
      The AnyStd value allows only those mentioned in the IETF-SecSH draft
      plus none; none forbids any use of encryption. The AnyCipher and
      AnyStdCipher values are analogous	to the first two cases but exclude
      none. The	AnyStdCipher value is the default.

  DenyGroups
      Follows any number of group name patterns,  separated by commas.	If
      specified, login is denied if one	of the groups the user belongs to
      matches one of the patterns.  Otherwise, this option is parsed and
      matched identically with AllowGroups.  By	 default, all users are
      allowed to log in. If a user's group matches a pattern in	both Deny-
      Groups and AllowGroups, login will be denied.  All other authentication
      steps must be successfully completed.  The AllowGroups and DenyGroups
      keywords are additional restrictions and never increase the tolerance.
      Groups are defined on the	server in the /etc/group file.

  DenyHosts
      Specifies	the names of hosts from	which users can	not log	in. Use	a
      comma-separated list when	specifying more	than one host name. By
      default,	all hosts are allowed to log in.

  DenySHosts
      Specifies	the names of hosts from	which users can	not connect. The host
      name must	be specified in	the .shosts file, the .rhosts file, the
      /etc/hosts.equiv file, or	the /etc/shosts.equiv file. Use	a comma-
      separated	list when specifying more than one host	name.

  DenyTcpForwardingForGroups
      Specifies	the names of groups who	cannot forward ports. Use a comma-
      separated	list when specifying more than one group name. Disabling TCP
      forwarding does not improve security, unless you deny the	user shell
      access at	the same time.	(See ssh-dummy-shell(1)). Any user who has a
      shell can	install	forwarders.  The argument must be yes or no.

  DenyTcpForwardingForUsers
      Specifies	the names of users who cannot forward ports. Use a comma-
      separated	list when specifying more than one user	name. Disabling	TCP
      forwarding does not improve security, unless you deny the	user shell
      access at	the same time.	(See ssh-dummy-shell(1)). Any user who has a
      shell can	install	forwarders.  The argument must be yes or no.

  DenyUsers
      Specifies	the names of users who cannot log in. Use a comma-separated
      list when	specifying more	than one user name. User names can be entered
      as user@host_name	where host_name	is a DNS name or the IP	address. By
      default, all users are allowed to	log in.	 Note that all other login
      authentication steps must	still be successfully completed.   If a
      user's name matches a pattern in both DenyUsers and AllowUsers, login
      is denied.

  ExternalAuthorizationProgram
      Verifies whether the user	is authorized to log in.  The sshd2 daemon,
      running as root, communicates with this program using a line-based pro-
      tocol. There is no default for this keyword. It must be set if the plu-
      gin submethod is used. Otherwise,	the submethod will fail	and authenti-
      cation could fail.

      More information about the protocol can be found in the distribution
      package. The RFC.kbdint_plugin_protocol file has a description of	the
      protocol used; the kbdint_plugin_example.sh file is a sample script.

  ExternalMapper filename
      Specifies	an external mapper program for the preceding Pki keyword.
      When a certificate is received and is valid under	the Pki	block in
      question,	the external mapper is executed	and the	certificate is writ-
      ten to its standard input. The external mapper is	expected to output a
      newline-separated	list of	user names. If the user	name is	found in the
      list, the	authentication succeeds; otherwise, the	authentication using
      the certificate in question fails. The ExternalMapper keyword will
      override all MapFile keywords for	the current (preceding)	Pki keyword.
      If multiple ExternalMapper keywords are specified	for a Pki block, the
      first one	is used.

  ExternalMapperTimeout	seconds
      Specifies	an external mapper timeout for the preceding Pki keyword. If
      the server is unable to read the full output from	an external mapper in
      the given	period,	the operation will fail	and the	 external mapper pro-
      gram will	be terminated.	The default timeout is 10 seconds. If multi-
      ple ExternalMapperTimeout	keywords are specified for a Pki block,	the
      first one	is used.

  ForwardACL
      Controls what the	client is allowed to forward and  where	it is for-
      warded. The format for this option is:
	   (allow|deny)	(local|remote) user-pat	forward-pat [originator-pat]

      The user-pat pattern will	be used	to match the client user, as speci-
      fied under  the UserSpecificConfig option.  The format for the
      forward-pat pattern is :
	   host-id[%port]

      This has different interpretations depending on whether the ACL is
      specified	for local or remote forwards. For local	forwards, the host-id
      will match the target host of the	forwarding, as specified under the
      AllowHosts option.  The port will	match with the target port. If the
      client sends a host name,	the IP will be looked up from the DNS, which
      will be used to match the	pattern.  For  remote forwardings, where the
      forward target is	not known (the client handles that end of the connec-
      tion), ForwardACL	will be	used to	match the listen address specified by
      the user.	 The port will match the server	port designated	by the for-
      ward. With local forwards, the originator-pat pattern will match the
      originator address that the client reported.

      If you do	not administer the client machine, or the users	on that
      machine have shell access, they can use a	modified copy of Secure	Shell
      to lie about the originator address. Also, with Network Address Trans-
      lation (NAT) the originator address  will	not be meaningful; it prob-
      ably will	be an internal network address.	 So, you should	not rely on
      the originator address with local	 forwards.

      With remote  forwards, the originator-pat	will match the IP  address of
      the host connecting to the forwarded port. This will be valid informa-
      tion, because the	server checks the information.	If you specify any
      allow directives,	all forwards in	that class (local or remote) not
      specifically allowed will	be denied. Local  and remote forwards are
      separate in this respect.	 For example,  if you have one "allow remote"
      definition, local	forwards are still allowed, pending other
      restrictions.  If	a forward matches allow	and deny directives, the for-
      warding will be denied. If you specify
      {Allow,Deny}TcpForwardingFor{Users,Groups} or AllowTcpForwarding,	and
      the forwarding for the user is disabled, an allow	directive will not
      re-enable	the forwarding for the user. Forwarding	is enabled by
      default.
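  The decision procedure spelled out above (a deny match wins over an allow
  match, any allow directive closes its class to everything not explicitly
  allowed, local and remote classes are independent, and an allow never
  re-enables forwarding that {Allow,Deny}TcpForwardingFor{Users,Groups} or
  AllowTcpForwarding turned off) as an added Python example; this is not
  code from the sshd2 distribution. The ACL lines and forward requests are
  constructed, Python's re module stands in for the egrep syntax, the
  host-id is compared against the IP the server would already have resolved,
  and the \i and \m prefixes of AllowHosts are left out.

```python
"""Evaluate ForwardACL directives as this manual page describes them.

Added example written for this page, not code from the sshd2 distribution.
Assumptions: Python's re module approximates the egrep pattern syntax; the
host-id is matched against an already-resolved IP; the \\i and \\m prefixes
of AllowHosts patterns are not modelled.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action kind user_pat host_pat port_pat orig_pat")
# kind is "local" or "remote". For local forwards host/port are the target
# and originator is the address the client reported; for remote forwards
# host/port are the listen address and server port and originator is the
# peer address the server itself observed.
Forward = namedtuple("Forward", "kind user host port originator")


def parse_forward_acl(lines):
    """Parse '(allow|deny) (local|remote) user-pat forward-pat [originator-pat]'."""
    rules = []
    for line in lines:
        fields = line.split()
        if len(fields) not in (4, 5):
            raise ValueError("ForwardACL needs 4 or 5 fields: %r" % line)
        action, kind, user_pat, forward_pat = fields[:4]
        if action not in ("allow", "deny") or kind not in ("local", "remote"):
            raise ValueError("bad action or class in ForwardACL: %r" % line)
        host_pat, _, port_pat = forward_pat.partition("%")  # host-id[%port]
        orig_pat = fields[4] if len(fields) == 5 else None
        rules.append(Rule(action, kind, user_pat, host_pat, port_pat or None, orig_pat))
    return rules


def _match(pattern, value):
    """Anchored regex match standing in for the egrep syntax."""
    return re.fullmatch(pattern, value) is not None


def rule_matches(rule, fwd):
    """True when the class and every pattern of the rule fit the request."""
    if rule.kind != fwd.kind or not _match(rule.user_pat, fwd.user):
        return False
    if not _match(rule.host_pat, fwd.host):
        return False
    if rule.port_pat is not None and not _match(rule.port_pat, str(fwd.port)):
        return False
    if rule.orig_pat is not None and not _match(rule.orig_pat, fwd.originator):
        return False
    return True


def forward_permitted(rules, fwd, forwarding_enabled=True):
    """Decide one forward request.

    forwarding_enabled reflects {Allow,Deny}TcpForwardingFor{Users,Groups}
    and AllowTcpForwarding for this user; an allow directive cannot
    re-enable forwarding that those keywords disabled.
    """
    if not forwarding_enabled:
        return False
    matched = [r for r in rules if rule_matches(r, fwd)]
    if any(r.action == "deny" for r in matched):
        return False  # matching allow and deny: denied
    class_has_allow = any(r.action == "allow" and r.kind == fwd.kind for r in rules)
    if class_has_allow:
        return any(r.action == "allow" for r in matched)
    return True  # no allow directives in this class: forwarding stays open


# Constructed sample ACLs for the example.
SAMPLE_ACL = parse_forward_acl([
    r"allow local  .*  10\.1\.2\.3%22",
    r"allow local  .*  10\.1\.2\.4",
    r"deny  local  .*  10\.1\.2\.4%25",
    r"allow remote .*  127\.0\.0\.1%8080  10\.0\.0\..*",
])
LOCAL_ONLY_ACL = parse_forward_acl([r"allow local .* 10\.1\.2\.3%22"])

if __name__ == "__main__":
    req = Forward("local", "alice", "10.1.2.4", 25, "10.9.9.9")
    print(req, "->", "allow" if forward_permitted(SAMPLE_ACL, req) else "deny")
```

  With SAMPLE_ACL the local forward to 10.1.2.4 port 25 is denied because it
  matches both an allow and a deny line, while port 443 on the same host is
  allowed; with LOCAL_ONLY_ACL any remote forward is still allowed because
  that class carries no allow directive.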

  ForwardAgent
      See AllowAgentForwarding.

  HostbasedAuthForceClientHostnameDNSMatch
      Fails host-based authentication if the host name given by	the client
      does not match the one found in DNS.  Defaults to no.

  HostCA ca-certificate
      Works the	same as	in the ssh2_config file, but DefaultDomain is not
      used.

  HostCANoCRLs ca-certificate
      Works the	same as	in the ssh2_config file, but DefaultDomain is not
      used.

  HostCertificateFile ca-certificate
      Similar to PublicHostKeyFile, except that	the file is assumed to con-
      tain an X.509 certificate	in binary format.  The keyword must be paired
      with a corresponding HostKeyFile keyword.	 If multiple certificates
      with the same public key type (dss or rsa) are specified,	only the
      first one	is used.

  HostKeyEkInitString
      Specifies	the initialization string for the external host	key provider.
      This is ignored when the keyword HostKeyEkProvider is not	present	or
      when external key	support	is not included	in the software. See ssh-
      externalkeys(4) for details about	specifying initialization strings.

  HostKeyEkProvider
      Specifies	the external host key provider.	This is	ignored	when external
      key support is not included in the software. See ssh-externalkeys(4)
      for details about	specifying providers.

  HostKeyEkTimeOut
      Specifies	the maximum time in seconds to wait for	the keys from the
      external host key	provider. This is ignored when external	key support
      is not included in the software.

  HostKeyFile
      Specifies	the file containing the	private	host key. The default file is
      /etc/ssh2/hostkey.

  HostSpecificConfig
      Specifies	a subconfiguration file	for the	sshd2 daemon.  The syntax for
      this option is pattern subconfig-file. The pattern will be used to
      match the client host, as specified under the AllowHosts option.  The
      subconfig-file will then be read,	and configuration data amended
      accordingly. The file is read before any protocol	transactions begin.
      You can specify most of the options allowed in the main configuration
      file, and	you can	specify	more than one subconfiguration file, in	which
      case the patterns	are matched and	the files read in the order speci-
      fied.  Later defined values of configuration options will	either over-
      ride or amend the	previous value	depending on which option it is. The
      effect of redefining an option is described in the documenta-
      tion for that option. For	example, setting Ciphers  in the subconfi-
      guration file will override the old value, but  setting AllowUsers will
      amend the	value.	See sshd2_subconfig(4) for information on subconfi-
      guration settings.  See also the UserSpecificConfig option.

  IdleTimeOut
      Sets the idle timeout limit to time in seconds (s	or nothing after
      number), in minutes (m), in hours	(h), in	days (d), or in	weeks (w).
      If the connection	has been idle (all channels) for weeks,	the connec-
      tion is closed. The default is zero, which disables idle timeouts.

  IgnoreRhosts
      Specifies	that the rhosts	and shosts files will not be used in host-
      based authentication (See	AllowedAuthentications.) The /etc/hosts.equiv
      and the /etc/shosts.equiv	files are used (if hostbased authentication
      is used).	The argument must be yes or no.	The default is no.

  IgnoreRootRhosts
      Specifies	that the rhosts	and shosts files will not be used in authen-
      tication for root. The default is	the value of the IgnoreRhosts key-
      word.

  KeepAlive
      Specifies	whether	the system should send keepalive messages.  If they
      are sent,	the loss of a connection or crash of  a	system will be
      noticed.	However, this means that connections will die if the route is
      down temporarily.	 The argument must be yes or no. The default is	yes
      (send keepalive messages). If keepalive messages are not sent, sessions
      may hang indefinitely on the server, leaving ghost users and consuming
      server resources.	  To disable keepalive messages, set the value to no
      in both the server and the client	configuration files.

  LdapServers ldap://server.domain-name:389
      Works the	same as	in the ssh2_config file.

  ListenAddress
      Specifies	the IP address of the interface	where the sshd2	server socket
      is bound.

  LoginGraceTime
      Specifies	the time, in seconds, that the server disconnects after	a
      user has not successfully	logged in.  If the value is 0, there is	no
      time limit. The default is 600 (seconds).

  MACs
      Specifies	the Message Authentication Code	(MAC) algorithm	to use for
      data integrity verification.  Supported MAC algorithms are: hmac-sha1,
      hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, and hmac-
      ripemd160-96, of which hmac-sha1,	hmac-sha1-96, hmac-md5 and hmac-md5-
      96 are included in all distributions.

      Use a comma-separated list when specifying more than one MAC. Special
      arguments	to this	keyword	are Any, AnyStd, none, AnyMac, and AnyStdMac.
      The Any argument allows all MACs including none. The AnyStd argument
      allows only those mentioned in the IETF-SecSH draft and none. The none
      argument forbids any use of MACs.	The AnyMac and AnyStdMac arguments
      are analogous to the first two cases but exclude none. The AnyStdMac
      argument is the default.

  MapFile filename
      Specifies	a mapping file for the preceding Pki keyword. Multiple map-
      ping files are permitted for Pki keywords.

  MaxBroadcastsPerSecond
      Specifies	the maximum number of UDP broadcasts that the server will
      handle per second.  The default value is 0 (i.e.,	no broadcasts are
      handled).	Broadcasts that	exceed the limit are silently ignored.
      Received unrecognized UDP	datagrams also consume the capacity defined
      by this keyword.

  MaxConnections
      Specifies	the maximum number of connections that the sshd2 daemon	will
      handle simultaneously. This is useful in systems where spamming the
      sshd2 daemon with	new connections	can cause the system to	become
      unstable or crash. The argument is a positive number. An argument	of
      zero means that the number of connections	is unlimited.  The same
      effect is	achieved by using xinetd.

  NoDelay
      Specifies	whether	to enable the TCP_NODELAY socket option. The argument
      must be yes or no. The default is	no.

  PasswdPath
      Specifies	the location of	the passwd program (or equivalent). By
      default this is set to where the configure script	found it. This pro-
      gram will	be run with the	privileges of the user logging in.

  PasswordGuesses
      Specifies	the number of login attempts that the user is permitted	when
      using password authentication. The default is 3 attempts.

  PermitEmptyPasswords
      Specifies	whether	the server allows login	to accounts with empty pass-
      word strings when	using password authentication. The argument must be
      yes or no. The default is	yes.

  PermitRootLogin
      Specifies	whether	root can log in	using the ssh2 command.

      The argument must	be yes,	no, or nopwd. The default is yes.

      The nopwd	value disables password-authenticated root logins.  The	no
      value disables root logins. The nopwd and	no are equivalent unless you
      have an .rhosts or .shosts file in the root home directory and you have
      not set up public	key authentication for root.  Root login with public
      key authentication will be allowed regardless of the value of this set-
      ting (which may be useful	for taking remote backups even if root login
      is usually not allowed).

  Pki ca-certificate
      Enables user authentication using	certificates. The ca-certificate must
      be an X.509 certificate in binary	format.	This keyword must be followed
      by one or	more MapFile keywords.

      The validity of a	received certificate is	checked	separately using each
      of the defined Pki keywords in turn until	they are exhausted (in which
      case the authentication fails), or a positive result is achieved.	 If
      the certificate is valid,	the mapping files are examined to determine
      whether the certificate allows the user to log in. Correct signature
      generated	by a matching private key is always required.

  PkiDisableCrls argument
      Disables CRL checking for	the preceding Pki keyword, if  argument	is y.
      By default, CRL checking is y.

  Port
      Specifies	the port number	where the sshd2	daemon listens.	 The default
      is port number 22.

  PrintMotd
      Specifies	whether	the /etc/motd file is displayed	when a user logs in.
      The argument must	be yes or no. The default is yes.

  PublicHostKeyFile
      Specifies	the name of the	file containing	the public host	key. The
      default is the /etc/ssh2/hostkey.pub file.

  QuietMode
      Displays nothing in the system log except	fatal errors. The argument
      must be yes or no. The default is	no.

  RandomSeedFile
      Specifies	the name of the	random seed file.

  RekeyIntervalSeconds
      Specifies	the number of seconds between key exchanges. The default is
      3600 seconds (one	hour). A value of zero turns rekey requests off. This
      does not prevent the client from requesting rekeys. Other	clients	might
      not have rekey capabilities implemented correctly, and might not sup-
      port rekey requests. This	means that they	might terminate	the connec-
      tion or crash.

  RequiredAuthentications
      Specifies	the authentication methods that	users must pass	before con-
      necting. Supported authentication	methods	are password, publickey, and
      hostbased.  Use a	comma-separated	list when specifying more than one
      argument.	If the value to	this argument is not specified,	the client
      can authenticate users by	using any of the authentications methods
      specified	by the AllowedAuthentications keyword.	If a value is speci-
      fied, the	client must use	the specified authentication method, and
      AllowedAuthentications is	ignored.


				       Note

	 Prior to Secure Shell version 3.1.0, the RequiredAuthentications
	 option	was a required subset of AllowedAuthentications. This is no
	 longer	a requirement.

  RequireReverseMapping
      Specifies	whether	a hostname DNS lookup must succeed when	checking host
      connections from hosts that are defined by the AllowHosts	and DenyHosts
      keywords.

      The argument must	be yes or no.  The default is no. If the argument is
      yes and the DNS name lookup fails, the connection	is denied. If the
      argument is no and the DNS name lookup fails, the remote host's IP
      address is used to check whether it is allowed to	connect. This might
      not be desirable if you defined only host	names (not IP addresses) with
      AllowHosts and DenyHosts keywords.
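  An added Python example, not sshd2 code, covering the AllowHosts and
  DenyHosts pattern syntax described earlier (\i and \m prefixes, egrep
  patterns against the canonical host name, backslash-escaped commas, and
  the IP address standing in for a name that cannot be mapped) together
  with the RequireReverseMapping rule above. The reverse-lookup result is
  passed in so the code runs offline, Python's re module stands in for the
  egrep syntax, and treating DenyHosts entries as patterns in the same
  syntax as AllowHosts is an assumption of the example.

```python
"""Match client hosts against AllowHosts/DenyHosts patterns as this manual
page describes them, including the RequireReverseMapping rule.

Added example written for this page, not code from the sshd2 distribution.
Assumptions: Python's re module stands in for the egrep syntax; the result
of the reverse DNS lookup is passed in (None when the IP could not be
mapped) so the code runs offline; DenyHosts uses the same pattern syntax
as AllowHosts.
"""
import ipaddress
import re


def split_patterns(spec):
    """Split a comma-separated pattern list; a backslash-escaped comma is
    part of the pattern rather than a separator."""
    patterns, current, i = [], [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec) and spec[i + 1] == ",":
            current.append(",")
            i += 2
            continue
        if ch == ",":
            patterns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    patterns.append("".join(current))
    return [p for p in patterns if p]


def host_pattern_matches(pattern, ip, hostname):
    """Apply one pattern to a client.

    \\m<net>/<bits>  subnet test against the client IP
    \\i<regex>       regex against the client IP, ignoring the host name
    <regex>          regex against the canonical host name; when reverse
                     DNS failed (hostname is None) the IP stands in for it
    """
    if pattern.startswith("\\m"):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern[2:], strict=False)
    if pattern.startswith("\\i"):
        return re.fullmatch(pattern[2:], ip) is not None
    subject = hostname if hostname is not None else ip
    return re.fullmatch(pattern, subject) is not None


def host_allowed(ip, hostname, allow_hosts=None, deny_hosts=None,
                 require_reverse_mapping=False):
    """Decide whether a connection may proceed to authentication.

    RequireReverseMapping yes with a failed lookup denies. A DenyHosts match
    denies. If AllowHosts is set the host must match one of its patterns;
    otherwise every host is allowed, which is the page's default.
    """
    if hostname is None and require_reverse_mapping:
        return False
    if deny_hosts and any(host_pattern_matches(p, ip, hostname)
                          for p in split_patterns(deny_hosts)):
        return False
    if allow_hosts:
        return any(host_pattern_matches(p, ip, hostname)
                   for p in split_patterns(allow_hosts))
    return True


# Constructed sample lists for the example. The third AllowHosts pattern
# needs an escaped comma because {1,3} is an egrep quantifier.
ALLOW = r"\m10.0.0.0/8,.*\.example\.com,\i172\.16\.0\.[0-9]{1\,3}"
DENY = r"\i10\.200\..*"

if __name__ == "__main__":
    for ip, name in [("10.3.4.5", None), ("192.0.2.9", None), ("10.200.1.1", "a.example.com")]:
        print(ip, name, "->", host_allowed(ip, name, ALLOW, DENY))
```

  The case the RequireReverseMapping text warns about shows up directly:
  192.0.2.9 with no reverse mapping fails the host-name pattern because the
  bare IP is compared against .*\.example\.com, so a list written only in
  host names silently excludes unmapped clients even with the default no.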

  ResolveClientHostName
      Controls whether sshd2 will try to resolve the client IP. This is use-
      ful when you know	that the DNS cannot be	reached, and the query would
      cause additional delay in	logging	in. If you set this to no, you should
      not set RequireReverseMapping to yes.  The default is yes.  The argu-
      ment must	be yes or no.

  SettableEnvironmentVar
      Follows any number of patterns, separated	by commas.  Patterns are
      matched using the	egrep syntax (see sshregex(5)),	or the syntax speci-
      fied in the metaconfiguration header of the configuration file.  You
      can use the comma character in the patterns by escaping it with a
      backslash.  The default /etc/ssh2/sshd2_config file specifies some
      common and safe environment variables.  You can set some or all
      environment variables with this option.  It is used to check whether a
      variable may be set by the client (ssh2), by the user's
      $HOME/.ssh2/environment file, or by public key options.  This option is
      not used when setting variables from
      /etc/environment or other	root-only files.  It only changes the setting
      of environment variables before the user's shell is run.	After that,
      the user can set any environment variables.

  SftpSysLogFacility
      Defines what log facility	the sftp-server	 will use. By default this
      has no value (i.e., no logging is	performed by the subsystem).

  SocksServer socks_server_name
      Specifies	the name of a socks server. Used when fetching certificates
      or CRLs from remote servers.

  Ssh1Compatibility
      Specifies	whether	the sshd1 daemon  is executed when the client sup-
      ports only SSH 1.x protocols. The	argument must be yes or	no.

  Sshd1ConfigFile
      Specifies	an alternate configuration file	for sshd1 for the case that
      sshd2 runs in compatibility mode.	This is	only used if sshd2 is exe-
      cuted with the -f command line option.  If -f is not specified, sshd1
      will read	its configuration from the standard location, typically
      /etc/sshd_config.

  Sshd1Path
      Specifies	the path to the	sshd1 daemon which will	be executed if the
      client supports only SSH 1.x protocols. The arguments for	the sshd2
      daemon are passed	to the sshd1 daemon.

  StrictModes
      Specifies	whether	the sshd2 daemon should	check file modes and owner-
      ship of the user's home directory	and rhosts files before	accepting
      login.  This is desirable	because	novices	sometimes leave	 their direc-
      tory or files world-writable.  The argument must be yes or no.  The
      default is yes.  (This is only used with host-based authentication.)

  Subsystem-<subsystem name>
      Specifies a subsystem. The argument is a command that will be executed
      when the subsystem is requested.	The sftp command uses a	subsystem of
      the sshd2	daemon to transfer files securely. In order to use the sftp
      server you must have the subsystem-sftp sftp-server definition (the
      default) or subsystem-sftp internal://sftp-server	which will execute an
      sftp-service internally in the child process.

      The child	process	usually	executes a command using the user's shell,
      but in this case it will start to	handle SFTP requests. This enables
      better logging in	chrooted environments, and does	not require any
      static binaries to be built. The only binary needed will be the sshd2
      daemon.

  SyslogFacility
      Specifies	the facility code that is used when logging messages from the
      sshd2 daemon. The	possible values	are: DAEMON, USER, AUTH, LOCAL0,
      LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The default is
      AUTH.

  UserConfigDirectory
      Specifies	where user-specific configuration data can be retrieved. With
      this keyword, administrators can control configuration parameters	that
      are usually the users' domain. This argument is a	pattern	string which
      is expanded by the sshd2 daemon. Argument	%D is the user's home direc-
      tory, %U is the user's login name, %IU is	the user's user	ID (uid), and
      %IG is the user's	group ID (gid).	The default is %D/.ssh2.

  UserKnownHosts
      Specifies	whether	the user's $HOME/.ssh2/knownhosts/ directory can be
      used to get host public keys when	using hostbased	authentication.	 The
      argument must be yes or no. The default is yes.

  UserSpecificConfig
      Reads configuration files	when the user name the client is trying	to
      log into is known.  You can use patterns of the form
      user[%group][@host], where the pattern user is matched with the user
      name and UID, group is matched with the user's primary and any secon-
      dary groups, both	group name and GID, and	host is	matched	as described
      under option AllowHosts.	See sshd2_subconfig(4) for more	information
      on what you can set in this subconfiguration file.

  VerboseMode
      Prompts the sshd2	daemon to print	debugging messages about its pro-
      gress, and prevents it from handling more than one connection at a time.
      This is helpful in debugging connection, authentication, and configura-
      tion problems.

  XauthPath
      Specifies	where to find the xauth	program. This option is	useful if you
      are using	binaries and your X11 programs are installed where ssh2	might
      not find them. The default is set	by the configure script.

LEGAL NOTICES

  SSH is a registered trademark	of SSH Communication Security Ltd.

SEE ALSO

  Commands: sshd2(8)

  Files: ssh_certificates(4), sshd2_subconfig(4), sshd-check-conf(4)

  Others: sshregex(5)