sshd_config(4)




NAME

     sshd_config - sshd configuration file


SYNOPSIS

     /etc/ssh/sshd_config


DESCRIPTION

     The  sshd(1M)   daemon   reads   configuration   data   from
     /etc/ssh/sshd_config  (or the file specified with sshd -f on
     the command line). The file  contains  keyword-value  pairs,
     one per line. A line starting with a hash mark (#) and empty
     lines are interpreted as comments.

     The sshd_config file supports the following keywords:

     AllowGroups
           This keyword can be followed  by  a  number  of  group
           names,  separated  by  spaces.  If specified, login is
           allowed only for users whose primary group matches one
           of  the  patterns.  Asterisk (*) and question mark (?)
           can be used as wildcards in the patterns.  Only  group
           names  are  valid;  a numerical group ID is not recog-
           nized. By default, login is allowed regardless of  the
           primary group.

     AllowTcpForwarding
           Specifies whether TCP  forwarding  is  permitted.  The
           default  is  yes.  Note  that disabling TCP forwarding
           does not improve security unless users are also denied
           shell  access,  as  they  can always install their own
           forwarders.

     AllowUsers
           This keyword can be  followed  by  a  number  of  user
           names,  separated  by  spaces.  If specified, login is
           allowed only for user names that match one of the pat-
           terns. Asterisk (*) and question mark (?)  can be used
           as wildcards in the  patterns.  Only  user  names  are
           valid;  a  numerical  user  ID  is  not recognized. By
           default login is allowed regardless of the user name.

     Ciphers
           Specifies the ciphers allowed for protocol version  2.
           Multiple  ciphers must be comma-separated. The default
           is 3des-cbc,blowfish-cbc,aes-128-cbc.

     CheckMail
           Specifies whether sshd should check for new  mail  for
           interactive logins. The default is no.

     DenyGroups
           Can be followed by a number of group names,  separated
           by  spaces.  Users  whose primary group matches one of
           the patterns are not allowed to log in.  Asterisk  (*)
           and  question mark (?) can be used as wildcards in the
           patterns. Only group  names  are  valid;  a  numerical
           group  ID  is  not  recognized.  By  default, login is
           allowed regardless of the primary group.

     DenyUsers
           Can be followed by a number of user  names,  separated
           by  spaces.  Login  is  disallowed for user names that
           match one of the patterns. Asterisk (*)  and  question
           mark  (?)  can  be  used as wildcards in the patterns.
           Only user names are valid; a numerical user ID is  not
           recognized. By default, login is allowed regardless of
           the user name.
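
           The following is an added worked example, not part of
           this manual page and not sshd's own code. It parses a
           constructed sshd_config fragment in the keyword-value
           format described above, translates the AllowUsers,
           DenyUsers, AllowGroups and DenyGroups patterns (only *
           and ? are wildcards; everything else is literal) and
           evaluates one login attempt against them. The way the
           four lists are combined (a Deny match always wins, an
           Allow list when present must be matched, and all four
           checks are ANDed) is an assumption for illustration;
           the page describes each keyword on its own.

```python
import re

# Constructed sample configuration (not from any real host).
SAMPLE_CONFIG = """\
# constructed example sshd_config fragment
Port 22
AllowUsers alice bob ops-*
DenyUsers ops-guest
AllowGroups wheel staff
DenyGroups contractors?
"""


def parse_sshd_config(text):
    """Parse keyword-value pairs, one per line.

    Lines starting with '#' and empty lines are comments.  Keywords are
    matched case-insensitively (stored lowercased).  Values are kept as a
    list because some keywords (Port, ListenAddress) may appear more than
    once.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        config.setdefault(keyword, []).append(value)
    return config


def pattern_to_regex(pattern):
    """Translate an sshd name pattern to an anchored regex.

    Only '*' and '?' are wildcards; every other character is escaped so a
    name such as 'ops-guest' or 'web.admin' is matched literally.
    """
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern
    )
    return re.compile("^" + regex + "$")


def matches_any(name, patterns):
    """True if the name matches at least one of the patterns."""
    return any(pattern_to_regex(p).match(name) for p in patterns)


def login_allowed(config, user, primary_group):
    """Evaluate one login attempt (user name, primary group name).

    Combination rule is an assumption of this example: any Deny match
    refuses the login; an Allow list, if configured, must be matched; the
    four checks are ANDed.  Names only: numeric IDs are never matched.
    """
    def names(keyword):
        # Each occurrence's value is a space-separated list of patterns.
        return [p for v in config.get(keyword, []) for p in v.split()]

    if matches_any(user, names("denyusers")):
        return False
    allow_users = names("allowusers")
    if allow_users and not matches_any(user, allow_users):
        return False
    if matches_any(primary_group, names("denygroups")):
        return False
    allow_groups = names("allowgroups")
    if allow_groups and not matches_any(primary_group, allow_groups):
        return False
    return True


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    for user, group in [("alice", "wheel"), ("ops-deploy", "staff"),
                        ("ops-guest", "wheel"), ("carol", "wheel"),
                        ("alice", "contractors1")]:
        print(f"{user:>10} / {group:<13} -> "
              f"{'allowed' if login_allowed(cfg, user, group) else 'denied'}")
```

           Run it as a script to see each constructed login
           evaluated; the escaped-regex translation is the detail
           worth keeping, since feeding a raw pattern to a regex
           engine would let a dot in a name match any character.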

     DSAAuthentication
           Specifies whether DSA authentication is  allowed.  The
           default  is yes. Note that this option applies only to
           protocol version 2.

     GatewayPorts
           Specifies whether remote hosts are allowed to  connect
           to  ports  forwarded for the client. The argument must
           be yes or no. The default is no.

     HostKey
           Specifies the file containing the private RSA host key
           (default  /etc/ssh_host_key) used by SSH protocols 1.3
           and 1.5. Note that sshd disables protocols 1.3 and 1.5
           if this file is group/world-accessible.

     IgnoreRhosts
           Specifies that .rhosts and .shosts files will  not  be
           used    in    authentication.   /etc/hosts.equiv   and
           /etc/shosts.equiv are still used. The default is yes.

     IgnoreUserKnownHosts
           Specifies  whether  sshd  should  ignore  the   user's
           $HOME/.ssh/known_hosts during RhostsRSAAuthentication.
           The default is no.

     KeepAlive
           Specifies whether the  system  should  send  keepalive
           messages to the other side. If they are sent, death of
           the connection or crash of one of the machines will be
           properly noticed. However, this means that connections
           will die if the route is down temporarily,  which  can
           be  an annoyance. On the other hand, if keepalives are
           not  sent,  sessions  can  hang  indefinitely  on  the
           server,  leaving  ``ghost'' users and consuming server
           resources.

           The default is  yes  (to  send  keepalives),  and  the
           server  will  notice  if  the network goes down or the
           client host reboots. This  avoids  infinitely  hanging
           sessions.

           To disable keepalives, the value should be set  to  no
           in both the server and the client configuration files.

     KeyRegenerationInterval
           The server key is automatically regenerated after this
           many  seconds  (if  it  has been used). The purpose of
           regeneration is to prevent  decrypting  captured  ses-
           sions  by later breaking into the machine and stealing
           the keys.  The key is never stored  anywhere.  If  the
           value  is 0, the key is never regenerated. The default
           is 3600 (seconds).

     ListenAddress
           Specifies what local address sshd  should  listen  on.
           The  default is to listen to all local addresses. Mul-
           tiple options of this type  are  permitted.  Addition-
           ally, any Port option must precede this option.

     LoginGraceTime
           The server disconnects after this time if the user has
           not  successfully  logged in. If the value is 0, there
           is no time limit. The default is 600 (seconds).

     LogLevel
           Gives the verbosity level that is  used  when  logging
           messages  from  sshd.  The possible values are: QUIET,
           FATAL, ERROR, INFO, VERBOSE, and DEBUG. The default is
           INFO. Logging with level DEBUG violates the privacy of
           users and is not recommended.

     MaxStartups
           Specifies the maximum number of concurrent unauthenti-
           cated  connections to the sshd daemon. Additional con-
           nections will be dropped until authentication succeeds
           or  the  LoginGraceTime  expires for a connection. The
           default is 10.

           Alternatively, random early drop  can  be  enabled  by
           specifying    the    three    colon-separated   values
           start:rate:full (for example, 10:30:60). Referring  to
           this  example,  sshd  will  refuse connection attempts
           with a probability of rate/100 (30% in our example) if
           there  are  currently  10 (from the start field) unau-
           thenticated connections.  The  probability  increases
           linearly  and  all  connection attempts are refused if
           the number of unauthenticated connections reaches full
           (60 in our example).
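
           The following is an added worked example, not part of
           this manual page and not sshd's own code. It parses a
           MaxStartups value in either form (a plain count, or
           start:rate:full) and computes the refusal probability
           for a given number of pending unauthenticated connec-
           tions, using the linear rise described above: 0 below
           start, rate at start, 100 at full. Treating the plain
           form as "refuse everything once the count is reached"
           and the names of the helper functions are this
           example's own.

```python
import random


def parse_max_startups(value):
    """Return (start, rate, full) for a MaxStartups value.

    A plain integer N is treated as N:100:N, i.e. every connection is
    refused once N unauthenticated connections are pending (assumption of
    this example; the page describes the plain form as "additional
    connections will be dropped").
    """
    value = value.strip()
    if ":" not in value:
        n = int(value)
        return (n, 100, n)
    fields = value.split(":")
    if len(fields) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(f) for f in fields)
    if not 0 < start <= full:
        raise ValueError("need 0 < start <= full")
    if not 0 <= rate <= 100:
        raise ValueError("rate is a percentage, 0..100")
    return (start, rate, full)


def drop_probability(pending, start, rate, full):
    """Percentage chance that a new connection is refused.

    Below start: never.  At start: rate.  Rising linearly to 100 at full,
    so with 10:30:60 the curve is 30% at 10 pending and 100% at 60.
    """
    if pending < start:
        return 0.0
    if pending >= full:
        return 100.0
    return rate + (100 - rate) * (pending - start) / (full - start)


def should_drop(pending, setting, rng=random):
    """Decide one incoming connection the way random early drop would.

    rng must provide random() in [0, 1); the default uses the random
    module, a fake can be passed in for deterministic checks.
    """
    start, rate, full = parse_max_startups(setting)
    return rng.random() * 100 < drop_probability(pending, start, rate, full)


def drop_curve(setting, step=5):
    """Tabulate (pending, probability) from 0 to full for a setting."""
    start, rate, full = parse_max_startups(setting)
    return [(n, drop_probability(n, start, rate, full))
            for n in range(0, full + 1, step)]


if __name__ == "__main__":
    # The page's own example value.
    for pending, pct in drop_curve("10:30:60", step=10):
        print(f"{pending:3d} pending -> refuse with {pct:5.1f}%")
```

           Plotting the curve for a candidate setting before de-
           ploying it shows how quickly legitimate logins start
           being refused when many half-open connections pile up.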

     PasswordAuthentication
           Specifies whether password authentication is  allowed.
           The  default  is yes. Note that this option applies to
           both protocol versions 1 and 2.

     PermitEmptyPasswords
           When password authentication is allowed, it  specifies
           whether the server allows login to accounts with empty
           password strings. The default is no.

     PermitRootLogin
           Specifies whether root can log in using  ssh(1).  The
           argument  must  be  yes,  without-password, or no. The
           default is yes. If this option  is  set  to  without-
           password, only password authentication is disabled for
           root.

           Root login with RSA authentication  when  the  command
           option  has  been specified will be allowed regardless
           of the value of this setting. This might be useful for
           taking  remote  backups even if root login is normally
           not allowed.

     PidFile
           Allows   you   to   specify    an    alternative    to
           /var/run/sshd.pid,  the  default  file for storing the
           PID  of  the  sshd  listening  for  connections.   See
           sshd(1M).

     Port  Specifies the port number that sshd  listens  on.  The
           default  is 22. Multiple options of this type are per-
           mitted.

     PrintMotd
           Specifies whether sshd should display the contents  of
           /etc/motd  when a user logs in interactively. (On some
           systems it is also displayed by the shell or  a  shell
           startup  file,  such  as /etc/profile.) The default is
           yes.

     Protocol
           Specifies the protocol versions sshd  should  support.
           The  possible  values  are  1 and 2. Multiple versions
           must be comma-separated. The default is 1.

     RhostsAuthentication
           Specifies  whether  authentication  using  rhosts   or
           /etc/hosts.equiv  files  is sufficient. Normally, this
           method should not be permitted because it is insecure.
           RhostsRSAAuthentication   should   be   used  instead,
           because it performs RSA-based host  authentication  in
           addition   to   normal   rhosts   or  /etc/hosts.equiv
           authentication. The default is no.

     RhostsRSAAuthentication
           Specifies whether rhosts or /etc/hosts.equiv authenti-
           cation  together  with successful RSA host authentica-
           tion is allowed. The default is no.

     RSAAuthentication
           Specifies whether pure RSA authentication is  allowed.
           The  default  is yes. Note that this option applies to
           protocol version 1 only.

     ServerKeyBits
           Defines the number of bits  in  the  server  key.  The
           minimum value is 512, and the default is 768.

     StrictModes
           Specifies whether sshd should  check  file  modes  and
           ownership  of  the  user's  files  and  home directory
           before accepting login.  This  is  normally  desirable
           because  novices  sometimes  accidentally  leave their
           directory or files world-writable. The default is yes.

     Subsystem
           Configures an external subsystem (for example, a  file
           transfer daemon). Arguments should be a subsystem name
           and a command to execute upon subsystem  request.  The
           command   sftp-server(1M)  implements  the  sftp  file
           transfer subsystem.  By  default,  no  subsystems  are
           defined.  Note  that  this  option applies to protocol
           version 2 only.

     SyslogFacility
           Gives the facility code that is used when logging mes-
           sages  from  sshd.  The  possible  values are: DAEMON,
           USER, AUTH, LOCAL0, LOCAL1,  LOCAL2,  LOCAL3,  LOCAL4,
           LOCAL5, LOCAL6, and LOCAL7. The default is AUTH.

     X11DisplayOffset
           Specifies  the  first  display  number  available  for
           sshd's   X11   forwarding.  This  prevents  sshd  from
           interfering with real X11 servers. The default is 10.

     X11Forwarding
           Specifies whether X11  forwarding  is  permitted.  The
           default is no. Note that disabling X11 forwarding does
           not improve security in any way, as users  can  always
           install their own forwarders.

     XAuthLocation
           Specifies the location of the  xauth(1)  program.  The
           default is /usr/X/bin/xauth.


SEE ALSO

     sshd(1M), ssh_config(4)

