sshd_config.5

C＋＋编写

.\"  -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose.  Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.15 2003/03/28 10:11:43 jmc Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
.Nm sshd_config
.Nd OpenSSH SSH daemon configuration file
.Sh SYNOPSIS
.Bl -tag -width Ds -compact
.It Pa /etc/ssh/sshd_config
.El
.Sh DESCRIPTION
.Nm sshd
reads configuration data from
.Pa /etc/ssh/sshd_config
(or the file specified with
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
and empty lines are interpreted as comments.
.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
.It Cm AFSTokenPassing
Specifies whether an AFS token may be forwarded to the server.
Default is
.Dq no .
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
If specified, login is allowed only for users whose primary
group or supplementary group list matches one of the patterns.
.Ql \&*
and
.Ql ?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
.Pp
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The default is
.Dq yes .
Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.Pp
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
If specified, login is allowed only for user names that
match one of the patterns.
.Ql \&*
and
.Ql ?
can be used as
wildcards in the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
.Pp
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication.
.Cm AuthorizedKeysFile
may contain tokens of the form %T which are substituted during connection
set-up. The following tokens are defined: %% is replaced by a literal '%',
%h is replaced by the home directory of the user being authenticated and
%u is replaced by the username of that user.
After expansion,
.Cm AuthorizedKeysFile
is taken to be an absolute path or one relative to the user's home
directory.
The default is
.Dq .ssh/authorized_keys .
.It Cm Banner
In some jurisdictions, sending a warning message before authentication
may be relevant for getting legal protection.
The contents of the specified file are sent to the remote user before
authentication is allowed.
This option is only available for protocol version 2.
By default, no banner is displayed.
.Pp
.It Cm ChallengeResponseAuthentication
Specifies whether challenge response authentication is allowed.
All authentication styles from
.Xr login.conf 5
are supported.
The default is
.Dq yes .
.It Cm Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated.
The default is
.Pp
.Bd -literal
  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
    aes192-cbc,aes256-cbc''
.Ed
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
.Nm sshd
will send a message through the encrypted
channel to request a response from the client.
The default
is 0, indicating that these messages will not be sent to the client.
This option applies to protocol version 2 only.
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see above) which may be
sent without
.Nm sshd
receiving any messages back from the client. If this threshold is
reached while client alive messages are being sent,
.Nm sshd
will disconnect the client, terminating the session. It is important
to note that the use of client alive messages is very different from
.Cm KeepAlive
(below). The client alive messages are sent through the
encrypted channel and therefore will not be spoofable. The TCP keepalive
option enabled by
.Cm KeepAlive
is spoofable. The client alive mechanism is valuable when the client or
server depend on knowing when a connection has become inactive.
.Pp
The default value is 3. If
.Cm ClientAliveInterval
(above) is set to 15, and
.Cm ClientAliveCountMax
is left at the default, unresponsive ssh clients
will be disconnected after approximately 45 seconds.
.It Cm Compression
Specifies whether compression is allowed.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
Login is disallowed for users whose primary group or supplementary
group list matches one of the patterns.
.Ql \&*
and
.Ql ?
can be used as
wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
.Pp
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
Login is disallowed for user names that match one of the patterns.
.Ql \&*
and
.Ql ?
can be used as wildcards in the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
.Nm sshd
binds remote port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that
.Nm sshd
should bind remote port forwardings to the wildcard address,
thus allowing remote hosts to connect to forwarded ports.
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
(hostbased authentication).
This option is similar to
.Cm RhostsRSAAuthentication
and applies to protocol version 2 only.
The default is
.Dq no .
.It Cm HostKey
Specifies a file containing a private host key
used by SSH.
The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh/ssh_host_rsa_key
and
.Pa /etc/ssh/ssh_host_dsa_key
for protocol version 2.
Note that
.Nm sshd
will refuse to use a file if it is group/world-accessible.
It is possible to have multiple host key files.
.Dq rsa1
keys are used for version 1 and
.Dq dsa
or
.Dq rsa
are used for version 2 of the SSH protocol.
.It Cm IgnoreRhosts
Specifies that
.Pa .rhosts
and
.Pa .shosts
files will not be used in
.Cm RhostsAuthentication ,
.Cm RhostsRSAAuthentication
or
.Cm HostbasedAuthentication .
.Pp
.Pa /etc/hosts.equiv
and
.Pa /etc/shosts.equiv
are still used.
The default is
.Dq yes .
.It Cm IgnoreUserKnownHosts
Specifies whether
.Nm sshd
should ignore the user's
.Pa $HOME/.ssh/known_hosts
during
.Cm RhostsRSAAuthentication
or
.Cm HostbasedAuthentication .
The default is
.Dq no .
.It Cm KeepAlive
Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
On the other hand, if keepalives are not sent,
sessions may hang indefinitely on the server, leaving
.Dq ghost
users and consuming server resources.
.Pp
The default is
.Dq yes
(to send keepalives), and the server will notice
if the network goes down or the client host crashes.
This avoids infinitely hanging sessions.
.Pp
To disable keepalives, the value should be set to
.Dq no .
.It Cm KerberosAuthentication
Specifies whether Kerberos authentication is allowed.
This can be in the form of a Kerberos ticket, or if
.Cm PasswordAuthentication
is yes, the password provided by the user will be validated through
the Kerberos KDC.
To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
Default is
.Dq no .
.It Cm KerberosOrLocalPasswd
If set then if password authentication through Kerberos fails then
the password will be validated via any additional local mechanism
such as
.Pa /etc/passwd .
Default is
.Dq yes .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the server.
Default is
.Dq no ,
as this only works when the Kerberos KDC is actually an AFS kaserver.
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.
Default is
.Dq yes .
.It Cm KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated
after this many seconds (if it has been used).
The purpose of regeneration is to prevent
decrypting captured sessions by later breaking into the machine and
stealing the keys.
The key is never stored anywhere.
If the value is 0, the key is never regenerated.
The default is 3600 (seconds).
.It Cm ListenAddress
Specifies the local addresses
.Nm sshd
should listen on.
The following forms may be used:
.Pp
.Bl -item -offset indent -compact
.It
.Cm ListenAddress
.Sm off
.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
.Sm on
.It
.Cm ListenAddress
.Sm off
.Ar host No | Ar IPv4_addr No : Ar port
.Sm on
.It
.Cm ListenAddress
.Sm off
.Oo
.Ar host No | Ar IPv6_addr Oc : Ar port
.Sm on
.El
.Pp
If
.Ar port
is not specified,
.Nm sshd
will listen on the address and all prior
.Cm Port
options specified. The default is to listen on all local
addresses.
Multiple
.Cm ListenAddress
options are permitted. Additionally, any
.Cm Port
options must precede this option for non port qualified addresses.
.It Cm LoginGraceTime