sshd_config(4)
NAME
sshd_config - sshd configuration file
SYNOPSIS
/etc/ssh/sshd_config
DESCRIPTION
The sshd(1M) daemon reads configuration data from
/etc/ssh/sshd_config (or the file specified with sshd -f on
the command line). The file contains keyword-value pairs,
one per line. A line starting with a hash mark (#) and empty
lines are interpreted as comments.
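As an added example (not part of the sshd(1M) distribution or of this manual page), the following Python reads configuration text in the keyword-value format just described and flags settings that weaken authentication, using the defaults documented in the keyword list that follows; it assumes the first occurrence of a repeated keyword is the one in effect (the page does not say which wins), and the sample configuration is constructed.

```python
# Added example: defaults documented on this manual page for audited keywords.
DOCUMENTED_DEFAULTS = {
    "protocol": "1",
    "permitrootlogin": "yes",
    "permitemptypasswords": "no",
    "rhostsauthentication": "no",
}

def parse_sshd_config(text):
    """Return {keyword_lower: [value, ...]}; '#' lines and empty lines are
    comments; repeatable keywords (Port, ListenAddress) keep every value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # keyword, then the rest of the line as value
        value = parts[1].strip() if len(parts) == 2 else ""
        settings.setdefault(parts[0].lower(), []).append(value)
    return settings

def effective(settings, keyword):
    """Value in effect: first explicit occurrence (assumed to win when a
    keyword is repeated), else the documented default."""
    values = settings.get(keyword.lower())
    return values[0] if values else DOCUMENTED_DEFAULTS[keyword.lower()]

def audit(settings):
    """List weak settings, whether set explicitly or in effect by default."""
    findings = []
    if "1" in effective(settings, "Protocol").split(","):
        findings.append("Protocol: version 1 enabled (the documented default)")
    if effective(settings, "PermitRootLogin") == "yes":
        findings.append("PermitRootLogin: root may log in with a password")
    if effective(settings, "PermitEmptyPasswords") == "yes":
        findings.append("PermitEmptyPasswords: empty passwords accepted")
    if effective(settings, "RhostsAuthentication") == "yes":
        findings.append("RhostsAuthentication: rhosts trust without RSA host check")
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONFIG = """\
Port 22
Port 2222

Protocol 2
PermitRootLogin without-password
PermitEmptyPasswords yes
"""
```

Run `audit(parse_sshd_config(SAMPLE_CONFIG))` to list the findings; an empty configuration is audited against the documented defaults alone.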
The sshd_config file supports the following keywords:
AllowGroups
This keyword can be followed by a number of group
names, separated by spaces. If specified, login is
allowed only for users whose primary group matches one
of the patterns. Asterisk (*) and question mark (?)
can be used as wildcards in the patterns. Only group
names are valid; a numerical group ID is not
recognized. By default, login is allowed regardless of
the primary group.
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The
default is yes. Note that disabling TCP forwarding
does not improve security unless users are also denied
shell access, as they can always install their own
forwarders.
AllowUsers
This keyword can be followed by a number of user
names, separated by spaces. If specified, login is
allowed only for user names that match one of the
patterns. Asterisk (*) and question mark (?) can be
used as wildcards in the patterns. Only user names are
valid; a numerical user ID is not recognized. By
default, login is allowed regardless of the user name.
Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated. The default
is 3des-cbc,blowfish-cbc,aes-128-cbc.
CheckMail
Specifies whether sshd should check for new mail for
interactive logins. The default is no.
DenyGroups
Can be followed by a number of group names, separated
by spaces. Users whose primary group matches one of
the patterns are not allowed to log in. Asterisk (*)
and question mark (?) can be used as wildcards in the
patterns. Only group names are valid; a numerical
group ID is not recognized. By default, login is
allowed regardless of the primary group.
DenyUsers
Can be followed by a number of user names, separated
by spaces. Login is disallowed for user names that
match one of the patterns. Asterisk (*) and question
mark (?) can be used as wildcards in the patterns.
Only user names are valid; a numerical user ID is not
recognized. By default, login is allowed regardless of
the user name.
DSAAuthentication
Specifies whether DSA authentication is allowed. The
default is yes. Note that this option applies only to
protocol version 2.
GatewayPorts
Specifies whether remote hosts are allowed to connect
to ports forwarded for the client. The argument must
be yes or no. The default is no.
HostKey
Specifies the file containing the private RSA host key
(default /etc/ssh_host_key) used by SSH protocols 1.3
and 1.5. Note that sshd disables protocols 1.3 and 1.5
if this file is group/world-accessible.
IgnoreRhosts
Specifies that .rhosts and .shosts files will not be
used in authentication. /etc/hosts.equiv and
/etc/shosts.equiv are still used. The default is yes.
IgnoreUserKnownHosts
Specifies whether sshd should ignore the user's
$HOME/.ssh/known_hosts during RhostsRSAAuthentication.
The default is no.
KeepAlive
Specifies whether the system should send keepalive
messages to the other side. If they are sent, death of
the connection or crash of one of the machines will be
properly noticed. However, this means that connections
will die if the route is down temporarily, which can
be an annoyance. On the other hand, if keepalives are
not sent, sessions can hang indefinitely on the
server, leaving "ghost" users and consuming server
resources.
The default is yes (to send keepalives), and the
server will notice if the network goes down or the
client host reboots. This avoids infinitely hanging
sessions.
To disable keepalives, the value should be set to no
in both the server and the client configuration files.
KeyRegenerationInterval
The server key is automatically regenerated after this
many seconds (if it has been used). The purpose of
regeneration is to prevent decrypting captured
sessions by later breaking into the machine and stealing
the keys. The key is never stored anywhere. If the
value is 0, the key is never regenerated. The default
is 3600 (seconds).
ListenAddress
Specifies what local address sshd should listen on.
The default is to listen to all local addresses.
Multiple options of this type are permitted.
Additionally, the Port options must precede this option.
LoginGraceTime
The server disconnects after this time if the user has
not successfully logged in. If the value is 0, there
is no time limit. The default is 600 (seconds).
LogLevel
Gives the verbosity level that is used when logging
messages from sshd. The possible values are: QUIET,
FATAL, ERROR, INFO, VERBOSE, and DEBUG. The default is
INFO. Logging with level DEBUG violates the privacy of
users and is not recommended.
MaxStartups
Specifies the maximum number of concurrent
unauthenticated connections to the sshd daemon.
Additional connections will be dropped until
authentication succeeds
or the LoginGraceTime expires for a connection. The
default is 10.
Alternatively, random early drop can be enabled by
specifying the three colon-separated values
start:rate:full (for example, 10:30:60). Referring to
this example, sshd will refuse connection attempts
with a probability of rate/100 (30% in our example) if
there are currently 10 (from the start field)
unauthenticated connections. The probability increases
linearly and all connection attempts are refused if
the number of unauthenticated connections reaches full
(60 in our example).
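The random early drop rule above, worked through as an added example (a model of the documented behaviour, not sshd's own code): the refusal chance is 0 below start, rate percent at start, rises linearly, and is 100 percent at or above full; a plain single value is treated as a hard limit.

```python
def drop_probability(n_unauth, spec):
    """Percent chance that sshd refuses a new connection while n_unauth
    connections are still unauthenticated, for a MaxStartups value given
    either as a plain limit ("10") or as start:rate:full ("10:30:60").
    Added example modelling the rule described above, not sshd's own code."""
    fields = spec.split(":")
    if len(fields) == 1:
        # Plain limit: nothing dropped below it, everything dropped at it.
        start = full = int(fields[0])
        rate = 100
    elif len(fields) == 3:
        start, rate, full = (int(f) for f in fields)
    else:
        raise ValueError("MaxStartups must be N or start:rate:full")
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError("need 0 < start <= full and 0 <= rate <= 100")
    if n_unauth < start:
        return 0                     # below start: always accept
    if n_unauth >= full:
        return 100                   # at or above full: always refuse
    # Linear ramp from rate percent at start up to 100 percent at full.
    return rate + (100 - rate) * (n_unauth - start) / (full - start)

def drop_table(spec, counts):
    """Map each unauthenticated-connection count to its refusal percentage."""
    return {n: drop_probability(n, spec) for n in counts}

if __name__ == "__main__":
    # The manual page's example value, 10:30:60, at a few connection counts.
    for n, p in drop_table("10:30:60", (5, 10, 20, 35, 50, 60, 70)).items():
        print(f"{n:3d} unauthenticated -> refuse {p:5.1f}%")
```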
PasswordAuthentication
Specifies whether password authentication is allowed.
The default is yes. Note that this option applies to
both protocol versions 1 and 2.
PermitEmptyPasswords
When password authentication is allowed, it specifies
whether the server allows login to accounts with empty
password strings. The default is no.
PermitRootLogin
Specifies whether root can log in using ssh(1). The
argument must be yes, without-password, or no. The
default is yes. If this option is set to
without-password, only password authentication is
disabled for root.
Root login with RSA authentication when the command
option has been specified will be allowed regardless
of the value of this setting. This might be useful for
taking remote backups even if root login is normally
not allowed.
PidFile
Allows you to specify an alternative to
/var/run/sshd.pid, the default file for storing the
PID of the sshd listening for connections. See
sshd(1M).
Port
Specifies the port number that sshd listens on. The
default is 22. Multiple options of this type are
permitted.
PrintMotd
Specifies whether sshd should display the contents of
/etc/motd when a user logs in interactively. (On some
systems it is also displayed by the shell or a shell
startup file, such as /etc/profile.) The default is
yes.
Protocol
Specifies the protocol versions sshd should support.
The possible values are 1 and 2. Multiple versions
must be comma-separated. The default is 1.
RhostsAuthentication
Specifies whether authentication using rhosts or
/etc/hosts.equiv files is sufficient. Normally, this
method should not be permitted because it is insecure.
RhostsRSAAuthentication should be used instead,
because it performs RSA-based host authentication in
addition to normal rhosts or /etc/hosts.equiv
authentication. The default is no.
RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv
authentication together with successful RSA host
authentication is allowed. The default is no.
RSAAuthentication
Specifies whether pure RSA authentication is allowed.
The default is yes. Note that this option applies to
protocol version 1 only.
ServerKeyBits
Defines the number of bits in the server key. The
minimum value is 512, and the default is 768.
StrictModes
Specifies whether sshd should check file modes and
ownership of the user's files and home directory
before accepting login. This is normally desirable
because novices sometimes accidentally leave their
directory or files world-writable. The default is yes.
Subsystem
Configures an external subsystem (for example, a file
transfer daemon). Arguments should be a subsystem name
and a command to execute upon subsystem request. The
command sftp-server(1M) implements the sftp file
transfer subsystem. By default, no subsystems are
defined. Note that this option applies to protocol
version 2 only.
SyslogFacility
Gives the facility code that is used when logging
messages from sshd. The possible values are: DAEMON,
USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4,
LOCAL5, LOCAL6, and LOCAL7. The default is AUTH.
X11DisplayOffset
Specifies the first display number available for
sshd's X11 forwarding. This prevents sshd from
interfering with real X11 servers. The default is 10.
X11Forwarding
Specifies whether X11 forwarding is permitted. The
default is no. Note that disabling X11 forwarding does
not improve security in any way, as users can always
install their own forwarders.
XAuthLocation
Specifies the location of the xauth(1) program. The
default is /usr/X/bin/xauth.
SEE ALSO
sshd(1M), ssh_config(4)