sshd2_config - Configuration file for the sshd2 daemon

The sshd2 daemon reads configuration data from the /etc/ssh2/sshd2_config file (or the file specified with the sshd2 -f command). The file contains keyword-argument pairs, one per line.

Empty lines and lines starting with the pound (#) sign are ignored as comments. Otherwise a line is of the format keyword arguments. Arguments may be enclosed in quotes, using the standard C quoting convention. Configuration files are case sensitive, but keywords are not case sensitive. Configuration blocks are not allowed in sshd2_config.

Subconfiguration files can be specified in the main configuration file. See the HostSpecificConfig and UserSpecificConfig keyword explanations.

If changes are made in the main configuration file, sshd2 must be restarted. For example, you can send it a signal such as # kill -HUP `cat /var/run/sshd2_22.pid` (or # kill -HUP `cat /etc/ssh2/sshd2_22.pid` when the /var/run/ directory does not exist).
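The line format just described (comment lines, keyword-argument pairs, C-style quoting, case-insensitive keywords), as an added Python example that is not part of the sshd2 distribution. It parses a constructed sample configuration and flags Ciphers lines that would permit the none cipher, which the Ciphers description later on this page says is included by the Any and AnyStd special values.

```python
# C-style escapes recognised inside a double-quoted argument
_C_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}


def split_args(line):
    """Split one configuration line into tokens.

    Unquoted tokens are separated by whitespace; a double-quoted token may
    contain whitespace and C-style escapes such as \\n and \\t.
    """
    tokens, cur, in_token, quoted, i = [], [], False, False, 0
    while i < len(line):
        ch = line[i]
        if quoted:
            if ch == "\\" and i + 1 < len(line):
                cur.append(_C_ESCAPES.get(line[i + 1], line[i + 1]))
                i += 2
                continue
            if ch == '"':
                quoted = False
            else:
                cur.append(ch)
        elif ch == '"':
            quoted, in_token = True, True
        elif ch.isspace():
            if in_token:
                tokens.append("".join(cur))
                cur, in_token = [], False
        else:
            cur.append(ch)
            in_token = True
        i += 1
    if quoted:
        raise ValueError("unterminated quote in: " + line)
    if in_token:
        tokens.append("".join(cur))
    return tokens


def parse_sshd2_config(text):
    """Return a list of (keyword, [args]) pairs in file order.

    Empty lines and lines starting with # are ignored. Keywords are folded
    to lower case because they are case insensitive; arguments are kept
    exactly as written.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = split_args(line)
        entries.append((tokens[0].lower(), tokens[1:]))
    return entries


def ciphers_permit_none(args):
    """True if a Ciphers argument would let a session run unencrypted:
    'none' listed explicitly, or Any/AnyStd, which include none."""
    names = [n.strip().lower() for arg in args for n in arg.split(",")]
    return any(n in ("none", "any", "anystd") for n in names)


def find_unencrypted_ciphers(entries):
    """Return the argument lists of every Ciphers line that permits none."""
    return [args for kw, args in entries
            if kw == "ciphers" and ciphers_permit_none(args)]


# Constructed sample configuration (not taken from a real server)
SAMPLE_CONFIG = r'''
# listen on the standard port
Port                22
CIPHERS             AnyStdCipher,none
AllowedAuthentications  publickey,password
HostSpecificConfig  "*.example.org" "/etc/ssh2/subconfig/hosts with spaces.conf"
'''

if __name__ == "__main__":
    parsed = parse_sshd2_config(SAMPLE_CONFIG)
    for keyword, args in parsed:
        print(keyword, args)
    print("Ciphers lines permitting none:", find_unencrypted_ciphers(parsed))
```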
The following sshd2_config file keywords are allowed:

Specifies whether agent forwarding is permitted. Usually, you should allow users to freely forward agent connections. The argument must be yes or no. The default is yes.

Specifies the authentication methods that the server uses to authenticate users. Supported authentication methods are: keyboard-interactive, password, publickey, ker[email protected], and [email protected]. The default is publickey,password.

You can specify any or all authentication methods. Use a comma-separated list when specifying more than one argument. The order in which authentication methods are listed is the order in which they are used. For example, if hostbased is listed first, the server will use hostbased authentication before trying the next listed authentication. The first successful authentication is the one used. With the RequiredAuthentications keyword, you can force users to complete several authentications before they are considered authenticated. See the explanation for the RequiredAuthentications keyword.

Follows any number of group name patterns, separated by commas. If specified, login is allowed only if one of the groups the user belongs to matches one of the patterns. Patterns are matched using the egrep syntax (see sshregex(5)), or the syntax specified in the metaconfiguration header of the configuration file. You can use the comma character in the patterns by escaping it with a backslash. By default, all groups are allowed to log in. However, all other authentication steps must be successfully completed. The AllowGroups and DenyGroups keywords are additional restrictions that never increase the tolerance.

Follows any number of host name patterns, separated by commas. If specified, login is allowed only if a host name matches one of the patterns. Patterns are matched using the egrep syntax (see sshregex(5)), or the syntax specified in the metaconfiguration section of the configuration file.

If you want the pattern to match the host's IP address (ignoring the canonical host name), prefix your pattern with \i. You can also use subnet masks (e.g., 127.0.0.0/8) by prefixing the pattern with \m. DNS is used to map the client's host name into a canonical host name. If the name cannot be mapped, the IP address is used as the host name. By default, all hosts are allowed to connect. The sshd2 daemon can also be configured to use tcp_wrappers using the --with-libwrap compile-time configuration option.

Follows any number of host name patterns, separated by commas. The entries in /etc/hosts.equiv and /etc/shosts.equiv are ignored if they do not match one of the patterns.

Specifies whether TCP forwarding is permitted. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time. (See ssh-dummy-shell(1).) Any user who has a shell can install forwarders. The argument must be yes or no. The default is yes.
This option is required if EnforceSecureRutils is enabled.

Specifies the group names that can forward ports. Use a comma-separated list when specifying more than one group name. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time. (See ssh-dummy-shell(1).) Any user who has a shell can install forwarders. The argument must be yes or no. The default is yes (enable forwarding).

Specifies the names of users who can forward ports. Use a comma-separated list when specifying more than one user name. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time. (See ssh-dummy-shell(1).) Any user who has a shell can install forwarders. The argument must be yes or no. The default is yes (enable forwarding).

Specifies the names of users who can log in. Use a comma-separated list when specifying more than one user name. User names can be entered as user@host_name where host_name is a DNS name or an IP address. By default, all users are allowed to log in. However, all other login authentication steps must be successfully completed. The AllowUsers and DenyUsers keywords specify additional restrictions.

Specifies whether X11 forwarding is permitted. Disabling X11 forwarding does not improve security, unless you deny the user shell access at the same time. (See ssh-dummy-shell(1).) Any user who has a shell can install forwarders. The argument must be yes or no. The default is yes.

Specifies the server delay, in seconds, after a failed attempt to log in using keyboard-interactive or password authentication. The default is 2.

Specifies how many optional submethods must be passed before the authentication is considered a success (all required submethods must be passed). See the AuthKbdInt.Optional explanation for specifying optional submethods, and the AuthKbdInt.Required explanation for required submethods. The default is 0. If no required submethods are specified, the client must pass at least one optional submethod.

Specifies the optional submethods keyboard-interactive will use. Defined submethods are: pam, securid, plugin, and password. The pam and securid submethods must have the necessary libraries and headers when the distribution is compiled. The pam submethod is usually available in binary packages if the architecture supports Pluggable Authentication Modules (PAM). The keyboard-interactive authentication method is considered a success when the specified number of optional submethods and all required submethods are passed. The plugin submethod can be used if a system administrator wants to create a new authentication method. (See AuthKbdInt.Plugin, AuthKbdInt.NumOptional and AuthKbdInt.Required.)

Specifies the program used by the keyboard-interactive plugin submethod. The sshd2 daemon, running as root, communicates with this program using a line-based protocol. There is no default for this keyword. It must be set if the plugin submethod is used. Otherwise, the submethod will fail and authentication could fail.

More information about the protocol can be found in the distribution package. The RFC.kbdint_plugin_protocol file has a description of the protocol used; the kbdint_plugin_example.sh file is a sample script.

Specifies the required submethods that must be passed before the keyboard-interactive authentication method can succeed. See AuthKbdInt.Optional.

Specifies how many times the user can retry keyboard-interactive. The default is 3.
Specifies the name of the user's authorization file.

Specifies the maximum size of a public key that can be used to log in. Value 0 disables the check. The default is 0.

Specifies the minimum size of a public key that can be used to log in. Value 0 disables the check. The default is 0.

Specifies the path to the message that is sent to the client before authentication. The default path is /etc/ssh2/ssh_banner_message.

Specifies whether information is displayed when there is new mail when a user logs in. The argument must be yes or no. The default is yes.

Specifies the names of groups whose members have a chrooted environment. A chrooted environment is one in which users are restricted to their home directory and its subdirectories. Groups are defined on the server in the /etc/group file. Use a comma-separated list when specifying more than one group name.

Specifies the names of users who have a chrooted environment. A chrooted environment is one in which users are restricted to their home directory and its subdirectories. Users are defined on the server in the /etc/group file. Use a comma-separated list when specifying more than one user name.

Specifies the Secure Shell ciphers to use for encrypting the session. Supported ciphers are: aes, blowfish, twofish, arcfour, cast, 3des, and des. Multiple ciphers can be specified as a comma-separated list. Special values for this option are: Any, AnyStd, none, AnyCipher, and AnyStdCipher. The Any value allows all ciphers including none. The AnyStd value allows only those mentioned in the IETF SecSH draft plus none; none forbids any use of encryption. The AnyCipher and AnyStdCipher values are analogous to the first two cases but exclude none. The AnyStdCipher value is the default.

Follows any number of group name patterns, separated by commas. If specified, login is denied if one of the groups the user belongs to matches one of the patterns. Otherwise, this option is parsed and matched identically with AllowGroups. By default, all users are allowed to log in. If a user's group matches a pattern in both DenyGroups and AllowGroups, login will be denied. All other authentication steps must be successfully completed. The AllowGroups and DenyGroups keywords are additional restrictions and never increase the tolerance. Groups are defined on the server in the /etc/group file.

Specifies the names of hosts from which users can not log in. Use a comma-separated list when specifying more than one host name. By default, all hosts are allowed to log in.

Specifies the names of hosts from which users can not connect. The host name must be specified in the file, the file, the /etc/hosts.equiv file, or the /etc/shosts.equiv file. Use a comma-separated list when specifying more than one host name.

Specifies the names of groups who cannot forward ports. Use a comma-separated list when specifying more than one group name. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time. (See ssh-dummy-shell(1).) Any user who has a shell can install forwarders. The argument must be yes or no.

Specifies the names of users who cannot forward ports. Use a comma-separated list when specifying more than one user name. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time. (See ssh-dummy-shell(1).) Any user who has a shell can install forwarders. The argument must be yes or no.

Specifies the names of users who cannot log in. Use a comma-separated list when specifying more than one user name. User names can be entered as user@host_name where host_name is a DNS name or the IP address. By default, all users are allowed to log in. Note that all other login authentication steps must still be successfully completed. If a user's name matches a pattern in both DenyUsers and AllowUsers, login is denied.

Verifies whether the user is authorized to log in. The sshd2 daemon, running as root, communicates with this program using a line-based protocol. There is no default for this keyword. It must be set if the plugin submethod is used. Otherwise, the submethod will fail and authentication could fail.
More information about the protocol can be found in the distribution package. The RFC.kbdint_plugin_protocol file has a description of the protocol used; the kbdint_plugin_example.sh file is a sample script.

Specifies an external mapper program for the preceding Pki keyword. When a certificate is received and is valid under the Pki block in question, the external mapper is executed and the certificate is written to its standard input. The external mapper is expected to output a newline-separated list of user names. If the user name is found in the list, the authentication succeeds; otherwise, the authentication using the certificate in question fails. The ExternalMapper keyword will override all MapFile keywords for the current (preceding) Pki keyword. If multiple ExternalMapper keywords are specified for a Pki block, the first one is used.

Specifies an external mapper timeout for the preceding Pki keyword. If the server is unable to read the full output from an external mapper in the given period, the operation will fail and the external mapper program will be terminated. The default timeout is 10 seconds. If multiple ExternalMapperTimeout keywords are specified for a Pki block, the first one is used.

Controls what the client is allowed to forward and where it is forwarded. The format for this option is:

    (allow|deny) (local|remote) user-pat forward-pat [originator-pat]

The user-pat pattern will be used to match the client user, as specified under the UserSpecificConfig option. The format for the forward-pat pattern is:

    host-id[%port]

This has different interpretations depending on whether the ACL is specified for local or remote forwards. For local forwards, the host-id will match the target host of the forwarding, as specified under the AllowHosts option. The port will match the target port. If the client sends a host name, the IP will be looked up from the DNS, which will be used to match the pattern. For remote forwardings, where the forward target is not known (the client handles that end of the connection), ForwardACL will be used to match the listen address specified by the user. The port will match the server port designated by the forward. With local forwards, the originator-pat pattern will match the originator address that the client reported.
If you do not administer the client machine, or the users on that machine have shell access, they can use a modified copy of Secure Shell to lie about the originator address. Also, with Network Address Translation (NAT) the originator address will not be meaningful; it probably will be an internal network address. So, you should not rely on the originator address with local forwards.

With remote forwards, the originator-pat will match the IP address of the host connecting to the forwarded port. This will be valid information, because the server checks the information. If you specify any allow directives, all forwards in that class (local or remote) not specifically allowed will be denied. Local and remote forwards are separate in this respect. For example, if you have one "allow remote" definition, local forwards are still allowed, pending other restrictions. If a forward matches allow and deny directives, the forwarding will be denied. If you specify {Allow,Deny}TcpForwardingFor{Users,Groups} or AllowTcpForwarding, and the forwarding for the user is disabled, an allow directive will not re-enable the forwarding for the user. Forwarding is enabled by default. See AllowAgentForwarding.

Fails hostbased authentication if the host name given by the client does not match the one found in DNS. Defaults to no.

Works the same as in the ssh2_config file, but DefaultDomain is not used.

Works the same as in the ssh2_config file, but DefaultDomain is not used.

Similar to PublicHostKeyFile, except that the file is assumed to contain an X.509 certificate in binary format. The keyword must be paired with a corresponding HostKeyFile keyword. If multiple certificates with the same public key type (dss or rsa) are specified, only the first one is used.

Specifies the initialization string for the external host key provider. This is ignored when the keyword HostKeyEkProvider is not present or when external key support is not included in the software. See ssh-externalkeys(4) for details about specifying initialization strings.

Specifies the external host key provider. This is ignored when external key support is not included in the software. See ssh-externalkeys(4) for details about specifying providers.

Specifies the maximum time in seconds to wait for the keys from the external host key provider. This is ignored when external key support is not included in the software.

Specifies the file containing the private host key. The default file is /etc/ssh2/hostkey.

Specifies a subconfiguration file for the sshd2 daemon. The syntax for this option is pattern subconfig-file.
The pattern will be used to match the client host, as specified under the AllowHosts option. The subconfig-file will then be read, and configuration data amended accordingly. The file is read before any protocol transactions begin. You can specify most of the options allowed in the main configuration file, and you can specify more than one subconfiguration file, in which case the patterns are matched and the files read in the order specified. Later defined values of configuration options will either override or amend the previous value depending on which option it is. The effect of redefining an option is described in the documentation for that option. For example, setting Ciphers in the subconfiguration file will override the old value, but setting AllowUsers will amend the value. See sshd2_subconfig(4) for information on subconfiguration settings. See also the UserSpecificConfig option.

Sets the idle timeout limit to time in seconds (s or nothing after the number), in minutes (m), in hours (h), in days (d), or in weeks (w). If the connection has been idle (all channels) for that time, the connection is closed. The default is zero, which disables idle timeouts.
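The AllowHosts pattern prefixes (\i, \m, backslash-escaped commas) and the ForwardACL decision rules described earlier on this page, as an added Python example that is not part of the sshd2 distribution. It assumes that Python's re module is an adequate stand-in for egrep syntax, that a pattern must match the whole name, that user-pat is a plain regex on the user name, and that the caller has already resolved the forward target; the directives in SAMPLE_ACL are constructed.

```python
import ipaddress
import re


def split_patterns(spec):
    """Split a comma-separated pattern list; a comma escaped as \\, stays inside its pattern."""
    return [p.replace("\\,", ",") for p in re.split(r"(?<!\\),", spec) if p]


def host_matches(pattern, hostname, ip):
    """Match one AllowHosts-style pattern against a client or forward target.
    \\i<regex>  -> regex matched against the IP address instead of the name
    \\m<subnet> -> IP must lie inside the subnet, e.g. \\m127.0.0.0/8
    <regex>     -> matched against the canonical host name; when the name
                   could not be resolved the IP address is used as the name
    Assumption: Python re stands in for egrep syntax and must match fully."""
    if pattern.startswith("\\i"):
        return re.fullmatch(pattern[2:], ip) is not None
    if pattern.startswith("\\m"):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern[2:], strict=False)
    return re.fullmatch(pattern, hostname or ip) is not None


class ForwardAcl:
    """Evaluates ForwardACL directives of the form
         (allow|deny) (local|remote) user-pat forward-pat [originator-pat]
    where forward-pat is host-id[%port] and host-id uses AllowHosts syntax.
    Assumption: user-pat is treated as a plain regex on the user name."""

    def __init__(self, directives):
        self.rules = [self._parse(d) for d in directives]

    @staticmethod
    def _parse(directive):
        parts = directive.split()
        if (len(parts) not in (4, 5) or parts[0] not in ("allow", "deny")
                or parts[1] not in ("local", "remote")):
            raise ValueError("bad ForwardACL directive: " + directive)
        host_id, _, port = parts[3].partition("%")
        return {"action": parts[0], "kind": parts[1], "user": parts[2],
                "host": host_id, "port": port or ".*",
                "originator": parts[4] if len(parts) == 5 else ".*"}

    def _matches(self, r, kind, user, host, ip, port, originator):
        # Local forwards: host/ip are the resolved target. Remote forwards:
        # ip is the listen address and originator the connecting host's IP.
        return (r["kind"] == kind
                and re.fullmatch(r["user"], user) is not None
                and any(host_matches(p, host, ip) for p in split_patterns(r["host"]))
                and re.fullmatch(r["port"], str(port)) is not None
                and host_matches(r["originator"], None, originator))

    def decide(self, kind, user, host, ip, port, originator, tcp_forwarding=True):
        """True if the forward is permitted: a matching deny always wins; once
        any allow directive exists for a class (local or remote), forwards of
        that class must match an allow; the two classes are independent; and
        an allow never re-enables forwarding that AllowTcpForwarding disabled."""
        if not tcp_forwarding:
            return False
        hits = [r for r in self.rules
                if self._matches(r, kind, user, host, ip, port, originator)]
        if any(r["action"] == "deny" for r in hits):
            return False
        if any(r["kind"] == kind and r["action"] == "allow" for r in self.rules):
            return any(r["action"] == "allow" for r in hits)
        return True


# Constructed sample directives (not taken from a real configuration)
SAMPLE_ACL = [
    r"allow local  admin \m10.0.0.0/8%(22|5432)",
    r"deny  local  .*    \i10\.0\.0\.5%.*",
    r"allow remote .*    \i127\.0\.0\.1%.* \m192.168.0.0/16",
]
```

With SAMPLE_ACL, user admin may forward locally to port 22 or 5432 anywhere in 10.0.0.0/8 except 10.0.0.5, other users get no local forwards at all, and remote forwards must listen on 127.0.0.1 and be reached from 192.168.0.0/16.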
Specifies that the rhosts and shosts files will not be used in hostbased authentication (see AllowedAuthentications). The /etc/hosts.equiv and the /etc/shosts.equiv files are still used (if hostbased authentication is used). The argument must be yes or no. The default is no.

Specifies that the rhosts and shosts files will not be used in authentication for root. The default is the value of the IgnoreRhosts keyword.

Specifies whether the system should send keepalive messages. If they are sent, the loss of a connection or crash of a system will be noticed. However, this means that connections will die if the route is down temporarily. The argument must be yes or no. The default is yes (send keepalive messages). If keepalive messages are not sent, sessions may hang indefinitely on the server, leaving ghost users and consuming server resources. To disable keepalive messages, set the value to no in both the server and the client configuration files.

Works the same as in the ssh2_config file.

Specifies the IP address of the interface where the sshd2 server socket is bound.

Specifies the time, in seconds, after which the server disconnects a user who has not successfully logged in. If the value is 0, there is no time limit. The default is 600 (seconds).

Specifies the Message Authentication Code (MAC) algorithm to use for data integrity verification. Supported MAC algorithms are: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, and hmac-ripemd160-96, of which hmac-sha1, hmac-sha1-96, hmac-md5 and hmac-md5-96 are included in all distributions. Use a comma-separated list when specifying more than one MAC. Special arguments to this keyword are Any, AnyStd, none, AnyMac, and AnyStdMac. The Any argument allows all MACs including none. The AnyStd argument allows only those mentioned in the IETF SecSH draft and none. The none argument forbids any use of MACs. The AnyMac and AnyStdMac arguments are analogous to the first two cases but exclude none. The AnyStdMac argument is the default.

Specifies a mapping file for the preceding Pki keyword. Multiple mapping files are permitted for Pki keywords.

Specifies the maximum number of UDP broadcasts that the server will handle per second. The default value is 0 (i.e., no broadcasts are handled). Broadcasts that exceed the limit are silently ignored. Received unrecognized UDP datagrams also consume the capacity defined by this keyword.

Specifies the maximum number of connections that the sshd2 daemon will handle simultaneously. This is useful in systems where spamming the sshd2 daemon with new connections can cause the system to become unstable or crash. The argument is a positive number. An argument of zero means that the number of connections is unlimited. The same effect is achieved by using xinetd.

Specifies whether to enable the TCP_NODELAY socket option. The argument must be yes or no. The default is no.
Specifies the location of the passwd program (or equivalent). By default this is set to where the configure script found it. This program will be run with the privileges of the user logging in.

Specifies the number of login attempts that the user is permitted when using password authentication. The default is 3 attempts.

Specifies whether the server allows login to accounts with empty password strings when using password authentication. The argument must be yes or no. The default is yes.

Specifies whether root can log in using the ssh2 command. The argument must be yes, no, or nopwd. The default is yes.

The nopwd value disables password-authenticated root logins. The no value disables root logins. The nopwd and no values are equivalent unless you have an or file in the root home directory and you have not set up public key authentication for root. Root login with public key authentication will be allowed regardless of the value of this setting (which may be useful for taking remote backups even if root login is usually not allowed).

Enables user authentication using certificates. The ca-certificate must be an X.509 certificate in binary format. This keyword must be followed by one or more MapFile keywords.

The validity of a received certificate is checked separately using each of the defined Pki keywords in turn until they are exhausted (in which case the authentication fails), or a positive result is achieved. If the certificate is valid, the mapping files are examined to determine whether the certificate allows the user to log in. A correct signature generated by a matching private key is always required.

Disables CRL checking for the preceding Pki keyword, if the argument is y. By default, CRL checking is y.

Specifies the port number where the sshd2 daemon listens. The default is port number 22.

Specifies whether the /etc/motd file is displayed when a user logs in. The argument must be yes or no. The default is yes.

Specifies the name of the file containing the public host key. The default is the /etc/ssh2/hostkey.pub file.

Displays nothing in the system log except fatal errors. The argument must be yes or no. The default is no.

Specifies the name of the random seed file.

Specifies the number of seconds between key exchanges. The default is 3600 seconds (one hour). A value of zero turns rekey requests off. This does not prevent the client from requesting rekeys.
Other clients might not have rekey capabilities implemented correctly, and might not support rekey requests. This means that they might terminate the connection or crash.

Specifies the authentication methods that users must pass before connecting. Supported authentication methods are password, publickey, and hostbased. Use a comma-separated list when specifying more than one argument. If the value to this argument is not specified, the client can authenticate users by using any of the authentication methods specified by the AllowedAuthentications keyword. If a value is specified, the client must use the specified authentication method, and AllowedAuthentications is ignored.

Note: Prior to Secure Shell version 3.1.0, the RequiredAuthentications option was a required subset of AllowedAuthentications. This is no longer a requirement.

Specifies whether a hostname DNS lookup must succeed when checking host connections from hosts that are defined by the AllowHosts and DenyHosts keywords. The argument must be yes or no. The default is no. If the argument is yes and the DNS name lookup fails, the connection is denied. If the argument is no and the DNS name lookup fails, the remote host's IP address is used to check whether it is allowed to connect. This might not be desirable if you defined only host names (not IP addresses) with the AllowHosts and DenyHosts keywords.

Controls whether sshd2 will try to resolve the client IP. This is useful when you know that the DNS cannot be reached, and the query would cause additional delay in logging in. If you set this to no, you should not set RequireReverseMapping to yes. The default is yes. The argument must be yes or no.

Follows any number of patterns, separated by commas. Patterns are matched using the egrep syntax (see sshregex(5)), or the syntax specified in the metaconfiguration header of the configuration file.
You can use the comma character in the patterns by escaping it with a backslash. The default /etc/ssh2/sshd2_config file specifies some common and safe environment variables. You can set some or all environment variables with this option. You can check whether a setting is allowed by the client (ssh2), by the user's $HOME/.ssh2/environment file or public key options. This option is not used when setting variables from /etc/environment or other root-only files. It only changes the setting of environment variables before the user's shell is run. After that, the user can set any environment variables.

Defines what log facility the sftp-server will use. By default this has no value (i.e., no logging is performed by the subsystem).

Specifies the name of a SOCKS server. Used when fetching certificates or CRLs from remote servers.

Specifies whether the sshd1 daemon is executed when the client supports only SSH 1.x protocols. The argument must be yes or no.

Specifies an alternate configuration file for sshd1 for the case that sshd2 runs in compatibility mode. This is only used if sshd2 is executed with the -f command line option. If -f is not specified, sshd1 will read its configuration from the standard location, typically /etc/sshd_config.

Specifies the path to the sshd1 daemon which will be executed if the client supports only SSH 1.x protocols. The arguments for the sshd2 daemon are passed to the sshd1 daemon.

Specifies whether the sshd2 daemon should check file modes and ownership of the user's home directory and rhosts files before accepting login. This is desirable because novices sometimes leave their directory or files world-writable. The argument must be yes or no. The default is yes. (This is only used with host-based authentication.)

Specifies a subsystem. The argument is a command that will be executed when the subsystem is requested. The sftp command uses a subsystem of the sshd2 daemon to transfer files securely. In order to use the sftp server you must have the subsystem-sftp sftp-server definition (the default) or subsystem-sftp internal://sftp-server, which will execute an sftp service internally in the child process.
The child process usually executes a command using the user's shell, but in this case it will start to handle SFTP requests. This enables better logging in chrooted environments, and does not require any static binaries to be built. The only binary needed will be the sshd2 daemon.

Specifies the facility code that is used when logging messages from the sshd2 daemon. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

Specifies where user-specific configuration data can be retrieved. With this keyword, administrators can control configuration parameters that are usually the users' domain. This argument is a pattern string which is expanded by the sshd2 daemon. Argument %D is the user's home directory, %U is the user's login name, %IU is the user's user ID (uid), and %IG is the user's group ID (gid). The default is %D/.ssh2.

Specifies whether the user's $HOME/.ssh2/knownhosts/ directory can be used to get host public keys when using hostbased authentication. The argument must be yes or no. The default is yes.

Reads configuration files when the user name the client is trying to log into is known. You can use patterns of the form user[%group][@host], where the pattern user is matched with the user name and UID, group is matched with the user's primary and any secondary groups, both group name and GID, and host is matched as described under the AllowHosts option. See sshd2_subconfig(4) for more information on what you can set in this subconfiguration file.

Prompts the sshd2 daemon to print debugging messages about its progress, and prevents it from handling more than one connection at a time. This is helpful in debugging connection, authentication, and configuration problems.

Specifies where to find the xauth program. This option is useful if you are using binaries and your X11 programs are installed where ssh2 might not find them. The default is set by the configure script.
SSH is a registered trademark of SSH Communication Security Ltd.

Commands: sshd2(8)
Files: ssh_certificates(4), sshd2_subconfig(4), sshd-check-conf(4)
Others: sshregex(5)