unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

sshd_config(4)                   File Formats                   sshd_config(4)



NAME
       sshd_config - sshd configuration file

SYNOPSIS
       /etc/ssh/sshd_config

DESCRIPTION
       The  sshd(1M) daemon reads configuration data from /etc/ssh/sshd_config
       (or the file specified with sshd -f on the command line). The file con-
       tains  keyword-value  pairs,  one per line. A line starting with a hash
       mark (#) and empty lines are interpreted as comments.

       The sshd_config file supports the keywords listed below. Unless  other-
       wise noted, keywords and their arguments are case-insensitive.

       AllowGroups

           This  keyword can be followed by a number of group names, separated
           by spaces. If specified, login is allowed only for users whose pri-
           mary  group  matches one of the patterns. Asterisk (*) and question
           mark (?) can be used as wildcards in the patterns. Only group names
           are  valid;  a  numerical  group  ID is not recognized. By default,
           login is allowed regardless of the primary group.



       AllowTcpForwarding

           Specifies whether TCP forwarding is permitted. The default is  yes.
           Note that disabling TCP forwarding does not improve security unless
           users are also denied shell access,  as  they  can  always  install
           their own forwarders.



       AllowUsers

           This  keyword  can be followed by a number of user names, separated
           by spaces. If specified, login is allowed only for user names  that
           match  one of the patterns. Asterisk (*) and question mark (?)  can
           be used as wildcards in the patterns. Only user names are valid;  a
           numerical  user  ID  is not recognized. By default login is allowed
           regardless of the user name.

           If a specified pattern takes the form user@host then user and  host
           are checked separately, restricting logins to particular users from
           particular hosts.



       AuthorizedKeysFile

           Specifies the file that contains the public keys that can  be  used
           for  user  authentication. AuthorizedKeysFile can contain tokens of
           the form %T, which are substituted during  connection  set-up.  The
           following  tokens are defined: %% is replaced by a literal %, %h is
           replaced by the home directory of the user being authenticated  and
           %u  is  replaced  by  the  username  of that user. After expansion,
           AuthorizedKeysFile is taken to be an absolute path or one  relative
           to the user's home directory. The default is .ssh/authorized_keys.



       Banner

           In some jurisdictions, sending a warning message before authentica-
           tion can be relevant for getting legal protection. The contents  of
           the  specified  file are sent to the remote user before authentica-
           tion is allowed. This option is only available for protocol version
           2. By default, no banner is displayed.



       Ciphers

           Specifies  the  ciphers  allowed  for  protocol version 2. Multiple
           ciphers    must    be    comma-separated.    The     default     is
           aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc.



       ClientAliveInterval

           Sets a timeout interval in seconds after which, if no data has been
           received  from  the  client,  sshd  sends  a  message  through  the
           encrypted  channel  to  request  a  response  from  the client. The
           default is 0, indicating that these messages will not  be  sent  to
           the client. This option applies only to protocol version 2.



       ClientAliveCountMax

           Sets  the number of client alive messages (see ClientAliveInterval,
           above) that can be sent without sshd receiving  any  messages  back
           from  the  client.  If this threshold is reached while client alive
           messages are being sent, sshd will disconnect the client, terminat-
           ing  the  session.  It  is important to note that the use of client
           alive messages is very different from KeepAlive  (see  below).  The
           client  alive  messages  are sent through the encrypted channel and
           therefore will not be spoofable. The TCP keepalive  option  enabled
           by  KeepAlive  is spoofable. The client alive mechanism is valuable
           when a client or server depend on knowing  when  a  connection  has
           become inactive.

           The  default  value  is 3. If ClientAliveInterval (above) is set to
           15, and ClientAliveCountMax is left at  the  default,  unresponsive
           ssh clients will be disconnected after approximately 45 seconds.



       Compression

           Controls  whether the server allows the client to negotiate the use
           of compression. The default is yes.



       DenyGroups

           Can be followed by a number of group names,  separated  by  spaces.
           Users  whose  primary  group  matches  one  of the patterns are not
           allowed to log in. Asterisk (*) and question mark (?) can  be  used
           as wildcards in the patterns. Only group names are valid; a numeri-
           cal group ID is  not  recognized.  By  default,  login  is  allowed
           regardless of the primary group.



       DenyUsers

           Can  be  followed  by  a number of user names, separated by spaces.
           Login is disallowed for user names that match one of the  patterns.
           Asterisk  (*) and question mark (?) can be used as wildcards in the
           patterns. Only user names are valid; a numerical  user  ID  is  not
           recognized.  By  default,  login  is allowed regardless of the user
           name.

           If a specified pattern takes the form user@host then user and  host
           are checked separately, disallowing logins to particular users from
           particular hosts.



       GatewayPorts

           Specifies whether remote hosts are allowed to connect to ports for-
           warded  for the client. By default, sshd binds remote port forward-
           ings to the loopback address. This prevents other remote hosts from
           connecting  to forwarded ports. GatewayPorts can be used to specify
           that sshd should bind  remote  port  forwardings  to  the  wildcard
           address,  thus allowing remote hosts to connect to forwarded ports.
           The argument must be yes or no. The default is no.



       GSSAPIAuthentication

           Enables/disables GSS-API user authentication. The default is yes.

           Currently sshd authorizes client user principals to  user  accounts
           as  follows:  if  the  principal  name  matches  the requested user
           account, then  the  principal  is  authorized.  Otherwise,  GSS-API
           authentication fails.



       GSSAPIKeyExchange

           Enables/disables  GSS-API-authenticated  key exchanges. The default
           is yes.

           This option also enables the use of the GSS-API to authenticate the
           user  to  server  after  the  key  exchange.  Note that GSS-API key
           exchange can succeed but the subsequent  authentication  using  the
           GSS-API  fail if the server does not authorize the user's GSS prin-
           cipal name to the target user account.

           Currently sshd authorizes client user principals to  user  accounts
           as  follows:  if  the  principal  name  matches  the requested user
           account, then  the  principal  is  authorized.  Otherwise,  GSS-API
           authentication fails.



       GSSAPIStoreDelegatedCredentials

           Enables/disables  the  use  of delegated GSS-API credentials on the
           server-side. The default is yes.

           Specifically, this option, when enabled, causes the server to store
           delegated GSS-API credentials in the user's default GSS-API creden-
           tial  store   (which   for   the   Kerberos   V   mechanism   means
           /tmp/krb5cc_<uid>).


           Note -  sshd  does  not take any steps to explicitly destroy stored
                   delegated  GSS-API  credentials  upon  logout.  It  is  the
                   responsibility  of PAM modules to destroy credentials asso-
                   ciated with a session.



       HostbasedAuthentication

           Specifies whether to try rhosts-based  authentication  with  public
           key  authentication. The argument must be yes or no. The default is
           no. This option applies to protocol version 2 only and  is  similar
           to  RhostsRSAAuthentication. See sshd(1M) for guidelines on setting
           up host-based authentication.



       HostbasedUsesNameFromPacketOnly

           Controls which hostname is searched for  in  the  files  ~/.shosts,
           /etc/shosts.equiv,  and  /etc/hosts.equiv. If this parameter is set
           to yes, the server uses the name the client claimed for itself  and
           signed  with that host's key. If set to no, the default, the server
           uses the name to which the client's IP address resolves.

           Setting this parameter to  no  disables  host-based  authentication
           when  using  NAT  or  when the client gets to the server indirectly
           through a port-forwarding firewall.



       HostKey

           Specifies the file containing the private host key used by SSH. The
           default  is  /etc/ssh/ssh_host_key  for  protocol  version  1,  and
           /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for  proto-
           col  version  2.  Note that sshd will refuse to use a file if it is
           group/world-accessible. It is possible to have  multiple  host  key
           files. rsa1 keys are used for version 1 and dsa or rsa are used for
           version 2 of the SSH protocol.



       IgnoreRhosts

           Specifies that .rhosts and  .shosts  files  will  not  be  used  in
           authentication.  /etc/hosts.equiv  and  /etc/shosts.equiv are still
           used. The default is yes. This parameter applies to  both  protocol
           versions 1 and 2.



       IgnoreUserKnownHosts

           Specifies     whether     sshd    should    ignore    the    user's
           $HOME/.ssh/known_hosts during RhostsRSAAuthentication. The  default
           is no. This parameter applies to both protocol versions 1 and 2.



       KbdInteractiveAuthentication

           Specifies whether authentication by means of the "keyboard-interac-
           tive" authentication method (and PAM) is allowed. Defaults to  yes.
           (Deprecated: this parameter can only be set to yes.)



       KeepAlive

           Specifies  whether the system should send keepalive messages to the
           other side. If they are sent, death of the connection or  crash  of
           one  of  the machines will be properly noticed. However, this means
           that connections will die if the route is down  temporarily,  which
           can be an annoyance. On the other hand, if keepalives are not sent,
           sessions can hang indefinitely on  the  server,  leaving  ``ghost''
           users and consuming server resources.

           The default is yes (to send keepalives), and the server will notice
           if the network goes down or the client host  reboots.  This  avoids
           infinitely hanging sessions.

           To  disable  keepalives,  the value should be set to no in both the
           server and the client configuration files.



       KeyRegenerationInterval

           In protocol version 1, the ephemeral server  key  is  automatically
           regenerated after this many seconds (if it has been used). The pur-
           pose of regeneration is to prevent decrypting captured sessions  by
           later  breaking  into the machine and stealing the keys. The key is
           never stored anywhere. If the value is 0, the key is never regener-
           ated. The default is 3600 (seconds).



       ListenAddress

           Specifies  what  local address sshd should listen on. The following
           forms can be used:


           ListenAddress host|IPv4_addr|IPv6_addr
           ListenAddress host|IPv4_addr:port
           ListenAddress [host|IPv6_addr]:port

           If port is not specified, sshd will listen on the address  and  all
           prior Port options specified. The default is to listen on all local
           addresses. Multiple ListenAddress options are permitted.  Addition-
           ally, any Port options must precede this option for non-port quali-
           fied addresses.

           The default is to listen on all local addresses.  Multiple  options
           of  this  type  are permitted. Additionally, the Ports options must
           precede this option.



       LoginGraceTime

           The server disconnects after this time (in seconds) if the user has
           not  successfully  logged  in.  If the value is 0, there is no time
           limit. The default is 120 (seconds).



       LogLevel

           Gives the verbosity level that is used when logging  messages  from
           sshd.  The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE,
           DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG2  and
           DEBUG3 each specify higher levels of debugging output. Logging with
           level DEBUG violates the privacy of users and is not recommended.



       LookupClientHostnames

           Specifies whether or not to lookup the names of client's addresses.
           Defaults to yes.



       MACs

           Specifies  the  available  MAC  (message authentication code) algo-
           rithms. The MAC algorithm is used in protocol version  2  for  data
           integrity  protection. Multiple algorithms must be comma-separated.
           The default is hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96.



       MaxStartups

           Specifies the maximum number of concurrent unauthenticated  connec-
           tions  to  the  sshd daemon. Additional connections will be dropped
           until authentication succeeds or the LoginGraceTime expires  for  a
           connection. The default is 10.

           Alternatively,  random  early drop can be enabled by specifying the
           three  colon-separated   values   start:rate:full   (for   example,
           10:30:60).  Referring  to this example, sshd will refuse connection
           attempts with a probability of rate/100 (30%  in  our  example)  if
           there  are currently 10 (from the start field) unauthenticated con-
           nections. The probabillity increases linearly  and  all  connection
           attempts  are  refused if the number of unauthenticated connections
           reaches full (60 in our example).



       PasswordAuthentication

           Specifies whether password authentication is allowed.  The  default
           is  yes.  Note that this option applies to both protocol versions 1
           and 2.



       PamSvcForNone

           Name of  PAM  service  to  use  during  none  user  authentication.
           Defaults to sshd.



       PamSvcForPassword

           Name  of  PAM  service  to use during password user authentication.
           Defaults to sshd.



       PamSvcForKbdInt

           Name of PAM  service  to  use  during  "keyboard-interactive"  user
           authentication. Defaults to sshd.



       PamSvcForOther

           Name  of  PAM  service  to  use during any user authentication type
           other than "none," "password," and "keyboard-interactive." Defaults
           to sshd.



       PermitEmptyPasswords

           When  password  authentication is allowed, it specifies whether the
           server allows login to accounts with  empty  password  strings.  In
           /etc/default/login, if PASSREQ is not set, or PASSREQ=YES, then the
           default is no; if PASSREQ=NO, then the default is yes.



       PermitRootLogin

           Specifies whether the root can log in using  ssh(1).  The  argument
           must  be  yes,  without-password,  forced-commands-only, or no. The
           default is yes. without-password means that root cannot be  authen-
           ticated using the "password" or "keyboard-interactive" methods (see
           description  of  KbdInteractiveAuthentication  above).  forced-com-
           mands-only  means  that  authentication  is  allowed only for "pub-
           lickey" (for SSHv2, or "RSA", for SSHv1) and only if  the  matching
           authorized_keys entry for root has a "command=<cmd>" option.

           The  without-password  and forced-commands-only settings are useful
           for, for example,  performing  remote  administration  and  backups
           using  trusted public keys for authentication of the remote client,
           without allowing access to the root account using passwords.



       PermitUserEnvironment

           Specifies whether ~/.ssh/environment and  environment=  options  in
           ~/.ssh/authorized_keys  are  processed  by sshd. The default is no.
           Enabling environment processing can enable users to  bypass  access
           restrictions  in  some  configurations  using  mechanisms  such  as
           LD_PRELOAD.



       PidFile

           Allows you to specify  an  alternative  to  /var/run/sshd.pid,  the
           default  file for storing the PID of the sshd listening for connec-
           tions. See sshd(1M).



       Port

           Specifies the port number that sshd listens on. The default is  22.
           Multiple  options  of  this  type are permitted. See also ListenAd-
           dress.



       PrintLastLog

           Specifies whether sshd should display the date and  time  when  the
           user last logged in. The default is yes.



       PrintMotd

           Specifies  whether  sshd  should  display the contents of /etc/motd
           when a user logs in interactively. (On some systems it is also dis-
           played by the shell or a shell startup file, such as /etc/profile.)
           The default is yes.



       Protocol

           Specifies the protocol versions sshd should support.  The  possible
           values  are 1 and 2. Multiple versions must be comma-separated. The
           default is 1.



       PubkeyAuthentication

           Specifies whether public key authentication is allowed. The default
           is yes. Note that this option applies to protocol version 2 only.



       RhostsAuthentication

           Specifies  whether  authentication using rhosts or /etc/hosts.equiv
           files is sufficient. Normally, this method should not be  permitted
           because  it  is  insecure.  RhostsRSAAuthentication  should be used
           instead, because it performs RSA-based host authentication in addi-
           tion  to  normal  rhosts  or  /etc/hosts.equiv  authentication. The
           default is no. Note that this parameter applies  only  to  protocol
           version 1.



       RhostsRSAAuthentication

           Specifies   whether   rhosts   or  /etc/hosts.equiv  authentication
           together with successful RSA host authentication  is  allowed.  The
           default  is  no.  Note that this parameter applies only to protocol
           version 1.



       RSAAuthentication

           Specifies whether pure RSA authentication is allowed.  The  default
           is yes. Note that this option applies to protocol version 1 only.



       ServerKeyBits

           Defines  the number of bits in the the ephemeral protocol version 1
           server key. The minimum value is 512, and the default is 768.



       StrictModes

           Specifies whether sshd should check file modes and ownership of the
           user's  files  and  home  directory before accepting login. This is
           normally desirable because  novices  sometimes  accidentally  leave
           their directory or files world-writable. The default is yes.



       Subsystem

           Configures an external subsystem (for example, a file transfer dae-
           mon). Arguments should be a subsystem name and a command to execute
           upon  subsystem request. The command sftp-server(1M) implements the
           sftp  file  transfer  subsystem.  By  default,  no  subsystems  are
           defined. Note that this option applies to protocol version 2 only.



       SyslogFacility

           Gives  the  facility  code  that is used when logging messages from
           sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0,  LOCAL1,
           LOCAL2,  LOCAL3, LOCAL4, LOCAL5, LOCAL6, and LOCAL7. The default is
           AUTH.



       VerifyReverseMapping

           Specifies whether sshd should try to verify the  remote  host  name
           and  check  that  the  resolved host name for the remote IP address
           maps back to the very same IP address. (A yes setting  means  "ver-
           ify".) Setting this parameter to no can be useful where DNS servers
           might be down and thus cause sshd to  spend  much  time  trying  to
           resolve  the  client's IP address to a name. This feature is useful
           for Internet-facing servers. The default is no.



       X11DisplayOffset

           Specifies the first display number available for  sshd's  X11  for-
           warding. This prevents sshd from interfering with real X11 servers.
           The default is 10.



       X11Forwarding

           Specifies whether X11 forwarding is permitted. The default is  yes.
           Note that disabling X11 forwarding does not improve security in any
           way, as users can always install their own forwarders.

           When X11 forwarding is enabled, there can be additional exposure to
           the server and to client displays if the sshd proxy display is con-
           figured to listen on  the  wildcard  address  (see  X11UseLocalhost
           below). However, this is not the default. Additionally, the authen-
           tication spoofing and authentication data verification and  substi-
           tution  occur  on  the  client side. The security risk of using X11
           forwarding is that the client's X11 display server can  be  exposed
           to attack when the ssh client requests forwarding (see the warnings
           for ForwardX11 in ssh_config(4)). A system administrator who  wants
           to  protect clients that expose themselves to attack by unwittingly
           requesting X11 forwarding, should specify a ``no'' setting.

           Note that disabling X11 forwarding does not prevent users from for-
           warding  X11  traffic,  as  users can always install their own for-
           warders.



       X11UseLocalhost

           Specifies whether sshd should bind the X11 forwarding server to the
           loopback address or to the wildcard address. By default, sshd binds
           the forwarding server to the loopback address and sets the hostname
           part  of  the  DISPLAY  environment variable to ``localhost''. This
           prevents remote hosts from connecting to the  proxy  display.  How-
           ever,  some older X11 clients might not function with this configu-
           ration. X11UseLocalhost can be set to no to specify that  the  for-
           warding  server  should be bound to the wildcard address. The argu-
           ment must be yes or no. The default is yes.



       XAuthLocation

           Specifies the location of the  xauth(1)  program.  The  default  is
           /usr/X/bin/xauth.



   Time Formats
       sshd command-line arguments and configuration file options that specify
       time can be expressed using a sequence of  the  form:  time[qualifier,]
       where time is a positive integer value and qualifier is one of the fol-
       lowing:

       <none>

           seconds



       s | S

           seconds



       m | M

           minutes



       h | H

           hours



       d | D

           days



       w |

           weeks



       Each element of the sequence is added together to calculate  the  total
       time value. For example:

       600

           600 seconds (10 minutes)



       10m

           10 minutes



       1h30m

           1 hour, 30 minutes (90 minutes)



FILES
       /etc/ssh/sshd_config

           Contains  configuration data for sshd. This file should be writable
           by root only, but it is recommended (though not necessary) that  it
           be world-readable.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       tab()     allbox;     cw(2.750000i)|    cw(2.750000i)    lw(2.750000i)|
       lw(2.750000i).   ATTRIBUTE  TYPEATTRIBUTE  VALUE   AvailabilitySUNWsshu
       Interface StabilityEvolving


SEE ALSO
       login(1), sshd(1M), ssh_config(4), SEAM(5), attributes(5)

AUTHORS
       OpenSSH  is a derivative of the original and free ssh 1.2.12 release by
       Tatu Ylonen. Aaron Campbell, Bob Beck,  Markus  Friedl,  Niels  Provos,
       Theo  de  Raadt,  and  Dug Song removed many bugs, re-added recent fea-
       tures, and created OpenSSH. Markus Friedl contributed the  support  for
       SSH  protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl con-
       tributed support for privilege separation.



SunOS 5.10                        11 Aug 2004                   sshd_config(4)