Diffstat (limited to 'sshd_config.0')
-rw-r--r--  sshd_config.0  76
1 files changed, 50 insertions, 26 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 678ee14b4d3d..95c17fc8ddf0 100644 --- a/sshd_config.0 +++ b/sshd_config.0 @@ -6,9 +6,10 @@ NAME DESCRIPTION sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file specified with -f on the command line). The file contains keyword- - argument pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines - are interpreted as comments. Arguments may optionally be enclosed in - double quotes (") in order to represent arguments containing spaces. + argument pairs, one per line. For each keyword, the first obtained value + will be used. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as + comments. Arguments may optionally be enclosed in double quotes (") in + order to represent arguments containing spaces. The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): @@ -422,9 +423,8 @@ DESCRIPTION HostKey Specifies a file containing a private host key used by SSH. The - defaults are /etc/ssh/ssh_host_dsa_key, - /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and - /etc/ssh/ssh_host_rsa_key. + defaults are /etc/ssh/ssh_host_ecdsa_key, + /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key. Note that sshd(8) will refuse to use a file if it is group/world- accessible and that the HostKeyAlgorithms option restricts which @@ -465,8 +465,9 @@ DESCRIPTION IgnoreUserKnownHosts Specifies whether sshd(8) should ignore the user's - ~/.ssh/known_hosts during HostbasedAuthentication. The default - is no. + ~/.ssh/known_hosts during HostbasedAuthentication and use only + the system-wide known hosts file /etc/ssh/known_hosts. The + default is no. IPQoS Specifies the IPv4 type-of-service or DSCP class for the connection. Accepted values are af11, af12, af13, af21, af22, 
@@ -521,6 +522,9 @@ DESCRIPTION curve25519-sha256@libssh.org diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 + diffie-hellman-group14-sha256 + diffie-hellman-group16-sha512 + diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 @@ -532,7 +536,8 @@ DESCRIPTION curve25519-sha256,curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, - diffie-hellman-group14-sha1 + diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, + diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 The list of available key exchange algorithms may also be obtained using "ssh -Q kex". @@ -541,13 +546,18 @@ DESCRIPTION Specifies the local addresses sshd(8) should listen on. The following forms may be used: - ListenAddress host|IPv4_addr|IPv6_addr - ListenAddress host|IPv4_addr:port - ListenAddress [host|IPv6_addr]:port + ListenAddress hostname|address [rdomain domain] + ListenAddress hostname:port [rdomain domain] + ListenAddress IPv4_address:port [rdomain domain] + ListenAddress [hostname|address]:port [rdomain domain] - If port is not specified, sshd will listen on the address and all - Port options specified. The default is to listen on all local - addresses. Multiple ListenAddress options are permitted. + The optional rdomain qualifier requests sshd(8) listen in an + explicit routing domain. If port is not specified, sshd will + listen on the address and all Port options specified. The + default is to listen on all local addresses on the current + default routing domain. Multiple ListenAddress options are + permitted. For more information on routing domains, see + rdomain(4). LoginGraceTime The server disconnects after this time if the user has not 
@@ -612,10 +622,13 @@ DESCRIPTION The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. The available - criteria are User, Group, Host, LocalAddress, LocalPort, and - Address. The match patterns may consist of single entries or - comma-separated lists and may use the wildcard and negation - operators described in the PATTERNS section of ssh_config(5). + criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, + and Address (with RDomain representing the rdomain(4) on which + the connection was received.) + + The match patterns may consist of single entries or comma- + separated lists and may use the wildcard and negation operators + described in the PATTERNS section of ssh_config(5). The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, such as @@ -640,7 +653,7 @@ DESCRIPTION MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, - PubkeyAuthentication, RekeyLimit, RevokedKeys, + PubkeyAuthentication, RekeyLimit, RevokedKeys, RDomain, StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, X11DisplayOffset, X11Forwarding and X11UseLocalHost. 
@@ -700,12 +713,12 @@ DESCRIPTION PermitRootLogin Specifies whether root can log in using ssh(1). The argument - must be yes, prohibit-password, without-password, - forced-commands-only, or no. The default is prohibit-password. + must be yes, prohibit-password, forced-commands-only, or no. The + default is prohibit-password. - If this option is set to prohibit-password or without-password, - password and keyboard-interactive authentication are disabled for - root. + If this option is set to prohibit-password (or its deprecated + alias, without-password), password and keyboard-interactive + authentication are disabled for root. If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the @@ -807,6 +820,13 @@ DESCRIPTION ssh-keygen(1). For more information on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). + RDomain + Specifies an explicit routing domain that is applied after + authentication has completed. The user session, as well and any + forwarded or listening IP sockets, will be bound to this + rdomain(4). If the routing domain is set to %D, then the domain + in which the incoming connection was received will be applied. + StreamLocalBindMask Sets the octal file creation mode mask (umask) used when creating a Unix-domain socket file for local or remote port forwarding. @@ -980,6 +1000,8 @@ TOKENS runtime: %% A literal M-bM-^@M-^X%M-bM-^@M-^Y. + %D The routing domain in which the incoming connection was + received. %F The fingerprint of the CA key. %f The fingerprint of the key or certificate. %h The home directory of the user. @@ -1002,6 +1024,8 @@ TOKENS ChrootDirectory accepts the tokens %%, %h, and %u. + RoutingDomain accepts the token %D. + FILES /etc/ssh/sshd_config Contains configuration data for sshd(8). This file should be 
@@ -1019,4 +1043,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 6.2 September 27, 2017 OpenBSD 6.2 +OpenBSD 6.2 February 16, 2018 OpenBSD 6.2 |
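Review bot: the new sentence "For each keyword, the first obtained value will be used." in the -6,9 hunk states the rule without saying how it combines with Match blocks, which this same page documents (see the -612 hunk); a reader could conclude that a keyword set in a later Match block is ignored. Suggest qualifying it, for example "For each keyword, the first obtained value will be used (see Match below for how conditional blocks are applied)", so the global-section rule is not read as covering Match blocks.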
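Review bot: in the -422,9 hunk, dropping /etc/ssh/ssh_host_dsa_key from the HostKey defaults is a sound change, but an administrator whose sshd_config still names that file explicitly gets no hint here about what becomes of it. Since the unchanged sentence that follows already says HostKeyAlgorithms restricts which key types are used, consider extending it with one clause, e.g. "an explicitly listed key is only offered if HostKeyAlgorithms admits its type", so the default change and the explicit-configuration case are covered together.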
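Review bot: the -465,8 hunk names the system-wide file /etc/ssh/known_hosts; the FILES sections of ssh(1) and sshd(8) name the system-wide known-hosts file /etc/ssh/ssh_known_hosts, so please check the path before this lands, since a wrong file name here sends operators of HostbasedAuthentication to a file sshd does not read. The added clause "and use only the system-wide known hosts file" is otherwise a welcome clarification of what ignoring ~/.ssh/known_hosts actually means.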
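Review bot: the three entries added in the -521,6 hunk sit in their alphabetical position, consistent with the rest of the list, but the list still presents diffie-hellman-group1-sha1 as available with nothing saying it is not in the default set (the -532 hunk shows it is not). A sentence after the list such as "Not all listed methods are enabled by default; see the default list below" would keep readers from assuming every supported method is offered.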
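Review bot: the new default order in the -532,7 hunk leaves diffie-hellman-group14-sha1 last, after the SHA-2 groups, and the text says neither that the list is in preference order nor why the SHA-1 method is retained. Suggest one sentence stating that it remains for compatibility with older peers and that administrators who need to exclude SHA-1 key exchange can set an explicit KexAlgorithms list that stops at "diffie-hellman-group14-sha256"; "ssh -Q kex", which the text already mentions, shows what is supported, not what is enabled, so it does not answer that question for them.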
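Review bot: in the -541,13 hunk the old form "ListenAddress [host|IPv6_addr]:port" has become "ListenAddress [hostname|address]:port", which drops the only mention that IPv6 addresses are the case where the brackets are required; with "ListenAddress IPv4_address:port" listed separately, a reader may not realise that an unbracketed IPv6 address followed by a port is ambiguous. Suggest naming IPv6 in the bracketed form or adding "IPv6 addresses must be enclosed in square brackets when a port is given". The rdomain wording itself reads fine and the rdomain(4) cross-reference is appropriate.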
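Review bot: punctuation in the -612,10 hunk: the parenthetical "(with RDomain representing the rdomain(4) on which the connection was received.)" is part of the surrounding sentence, so it should end ")." rather than ".)". Also, because the RDomain keyword added in the -807 hunk sets a routing domain after authentication, consider stating here that the Match criterion refers to the domain the connection arrived on and is not affected by an RDomain setting, so the criterion and the keyword of the same name are not confused.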
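Review bot: style in the -640,7 hunk: the Match-keyword list is alphabetical ("PubkeyAuthentication, RekeyLimit, RevokedKeys, StreamLocalBindMask"), but RDomain is inserted after RevokedKeys; it belongs between PubkeyAuthentication and RekeyLimit. Suggest "PubkeyAuthentication, RDomain, RekeyLimit, RevokedKeys,".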
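Review bot: in the -700,12 hunk the first sentence now says the argument "must be yes, prohibit-password, forced-commands-only, or no", while the next paragraph says without-password is still accepted as a deprecated alias; someone checking accepted values against the first sentence alone will take the alias for a rejected value. Suggest mentioning the alias in the first sentence, e.g. "or no (without-password is accepted as a deprecated alias for prohibit-password)".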
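Review bot: typo in the -807,6 hunk: "The user session, as well and any forwarded or listening IP sockets" should read "as well as any". The paragraph also leaves the failure mode undocumented: it says the routing domain is applied after authentication has completed but not what sshd does if the domain cannot be applied (whether the session is refused or continues in the current domain), which is the detail an operator relying on RDomain for isolation needs. Suggest one sentence covering that case.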
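Review bot: the -1002,6 hunk adds "RoutingDomain accepts the token %D.", but the keyword documented in the -807 hunk and listed for Match in the -640 hunk is RDomain; no RoutingDomain keyword appears anywhere in this page. Suggest "RDomain accepts the token %D." so the TOKENS section matches the option name readers will search for.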