SSHD_CONFIG(5)                File Formats Manual                SSHD_CONFIG(5)
OpenSSH SSH daemon configuration file
sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file specified with -f on the command line). The file contains keyword-argument pairs, one per line. Lines starting with ‘#’ and empty lines are interpreted as comments. Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces.
The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive):
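The syntax rules above (one keyword-argument pair per line, ‘#’ comments and blank lines ignored, optional double quotes around arguments with spaces, case-insensitive keywords with case-sensitive arguments) are small enough to implement directly. The following parser is an added example written for this page, not code from OpenSSH; the sample configuration it parses is constructed here, and it also groups the directives that follow a Match line (described further down this page) into their own section. It is useful when auditing a configuration offline, because it preserves repeated keywords such as several Port lines instead of collapsing them.

```python
import shlex

# Constructed sample sshd_config (not taken from the manual). It exercises
# every syntax rule the manual states: comments, blank lines, quoted
# arguments, mixed-case keywords, repeated keywords and a Match block.
SAMPLE_CONFIG = """\
# Global section
Port 22
port 2222
ListenAddress 192.0.2.10
acceptenv LANG LC_*
Subsystem sftp internal-sftp
Banner "/etc/ssh/banner with spaces.txt"

Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""


def parse_sshd_config(text):
    """Parse sshd_config text into a list of sections.

    The first section is the global one (its 'match' is None); every further
    section is one Match block and carries the Match criteria as 'match'.
    Keywords are lower-cased because the manual says they are
    case-insensitive; arguments are kept verbatim because they are not.
    """
    sections = [{"match": None, "directives": []}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # empty lines and '#' lines are comments
        # posix-mode shlex strips the optional double quotes but keeps the
        # spaces they protected, which is exactly the manual's quoting rule.
        parts = shlex.split(line, posix=True)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            # A Match line opens a new section; its lines override the
            # global section until the next Match line or end of file.
            sections.append({"match": args, "directives": []})
            continue
        sections[-1]["directives"].append((keyword, args))
    return sections


def lookup(section, keyword):
    """Every argument list given for keyword in one section, in file order.

    Returning all of them matters for keywords that may repeat (Port,
    ListenAddress, AcceptEnv, AuthorizedKeysFile, ...).
    """
    keyword = keyword.lower()
    return [args for kw, args in section["directives"] if kw == keyword]


if __name__ == "__main__":
    for section in parse_sshd_config(SAMPLE_CONFIG):
        print("Match", section["match"] or "(global)")
        for kw, args in section["directives"]:
            print("   ", kw, args)
```

Because `lookup` is case-insensitive on the keyword but the returned arguments are untouched, a check such as "is `PermitRootLogin` anything other than `no` in any section" can be written without worrying about how the administrator capitalised the keyword.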
SendEnv in ssh_config(5) for how to configure the client. Note that environment passing is only supported for protocol 2. Variables are specified by name, which may contain the wildcard characters ‘*’ and ‘?’. Multiple environment variables may be separated by whitespace or spread across multiple AcceptEnv directives. Be warned that some environment variables could be used to bypass restricted user environments. For this reason, care should be taken in the use of this directive. The default is not to accept any environment variables.
DenyGroups, and finally
AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. Multiple files may be listed, separated by whitespace. The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). Empty lines and comments starting with ‘#’ are ignored.
AuthorizedPrincipalsFile may contain
tokens of the form %T which are substituted during connection setup. The
following tokens are defined: %% is replaced by a literal '%', %h is
replaced by the home directory of the user being authenticated, and %u
is replaced by the username of that user. After expansion,
AuthorizedPrincipalsFile is taken to be an
absolute path or one relative to the user's home directory.
The default is not to use a principals file – in this
case, the username of the user must appear in a certificate's principals
list for it to be accepted. Note that
AuthorizedPrincipalsFile is only used when
authentication proceeds using a CA listed in
TrustedUserCAKeys and is not consulted for
certification authorities trusted via
~/.ssh/authorized_keys, though the
principals= key option offers a similar facility
(see sshd(8) for
The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.
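The same three tokens (%%, %h, %u) are defined for AuthorizedKeysFile, AuthorizedPrincipalsFile and ChrootDirectory, followed by the rule that the expanded path is either absolute or relative to the user's home directory. The code below is an added example for this page, not OpenSSH's own expansion routine; it rejects any token other than the three the manual defines instead of passing it through, so a typo such as %H does not silently produce a literal path. The home directory and user name are constructed inputs.

```python
import posixpath


def expand_tokens(path, home, user):
    """Expand the %%, %h and %u tokens defined by sshd_config(5).

    Any other %-sequence, or a trailing '%', raises ValueError so that a
    misconfigured path is noticed rather than used literally.
    """
    out = []
    i = 0
    while i < len(path):
        ch = path[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(path):
            raise ValueError("dangling '%%' at end of %r" % path)
        tok = path[i + 1]
        if tok == "%":
            out.append("%")          # %% -> literal '%'
        elif tok == "h":
            out.append(home)         # %h -> home directory of the user
        elif tok == "u":
            out.append(user)         # %u -> username of the user
        else:
            raise ValueError("unknown token %%%s in %r" % (tok, path))
        i += 2
    return "".join(out)


def resolve_after_expansion(expanded, home):
    """After expansion the path is absolute, or relative to the home dir."""
    if posixpath.isabs(expanded):
        return expanded
    return posixpath.normpath(posixpath.join(home, expanded))


def authorized_keys_paths(spec, home, user):
    """Turn an AuthorizedKeysFile argument list into absolute file paths.

    Multiple files are separated by whitespace; each is expanded and then
    resolved. Passing the documented default reproduces sshd's two files.
    """
    return [resolve_after_expansion(expand_tokens(item, home, user), home)
            for item in spec.split()]


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    print(authorized_keys_paths(".ssh/authorized_keys .ssh/authorized_keys2",
                                "/home/alice", "alice"))
    print(authorized_keys_paths("/etc/ssh/authorized_keys/%u",
                                "/home/alice", "alice"))
```

The second call shows the common hardening pattern of keeping authorized keys under a root-owned directory outside the user's home, so a user cannot add keys for themselves; the %u token keeps one file per user.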
ChrootDirectory must contain the
necessary files and directories to support the user's session. For an
interactive session this requires at least a shell, typically
sh(1), and basic
/dev nodes such as
tty(4) devices. For file
transfer sessions using “sftp”, no additional
configuration of the environment is necessary if the in-process sftp
server is used, though sessions which use logging do require
/dev/log inside the chroot directory (see
The default is not to chroot(2).
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depends on knowing when a connection has become inactive.
The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.
DenyGroups, and finally
ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of “internal-sftp” will force the use of an in-process sftp server that requires no support files when used with
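A typical defensive use of ForceCommand is a wrapper that reads SSH_ORIGINAL_COMMAND and only executes commands from a fixed allowlist, so a key used for automated backups cannot be used for anything else. The wrapper below is an added example for this page, not part of OpenSSH; the allowlisted command vectors and the install path (`ForceCommand /usr/local/sbin/forced-cmd`, which would run this script) are assumptions. The request is tokenised but never handed to a shell, and it must match an allowed argv exactly, so appended commands or extra flags are refused.

```python
import os
import shlex
import sys

# Constructed allowlist (an assumption for this example): the exact argv
# vectors a restricted key or Match group may execute. Matching is on the
# whole vector, so "report-status; id" or "rsync --server ... --rsh=..." fail.
ALLOWED_COMMANDS = {
    ("/usr/bin/rsync", "--server", "--sender", "-logDtpre.iLsfx", ".", "/srv/backup/"),
    ("/usr/local/bin/report-status",),
}


def select_command(original, allowed=ALLOWED_COMMANDS):
    """Return the argv to execute for SSH_ORIGINAL_COMMAND, or None to refuse.

    original is None when the client asked for an interactive shell (sshd
    does not set the variable in that case); that is refused too.
    """
    if not original:
        return None
    try:
        argv = tuple(shlex.split(original))
    except ValueError:
        return None  # unbalanced quotes: refuse rather than guess
    return list(argv) if argv in allowed else None


def main():
    argv = select_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        # Log what was asked for so refused attempts are visible in the
        # journal, then exit non-zero so the client sees the failure.
        sys.stderr.write("forced-cmd: command not permitted: %r\n"
                         % os.environ.get("SSH_ORIGINAL_COMMAND"))
        sys.exit(1)
    # execv replaces this process; no shell is involved at any point.
    os.execv(argv[0], argv)


if __name__ == "__main__":
    main()
```

Note that sshd still invokes the ForceCommand itself through the user's login shell with -c, so the path given to ForceCommand should be a plain absolute path with no shell metacharacters; everything after that point is handled by `execv` without a shell.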
GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be “no” to force remote port forwardings to be available to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to allow the client to select the address to which the forwarding is bound. The default is “no”.
RhostsRSAAuthentication and applies to protocol version 2 only. The default is “no”.
HostbasedAuthentication. A setting of “yes” means that sshd(8) uses the name supplied by the client rather than attempting to resolve the name from the TCP connection itself. The default is “no”.
HostKey. The default behaviour of sshd(8) is not to load any certificates.
/etc/hosts.equiv and /etc/shosts.equiv are still used. The default is “yes”.
HostbasedAuthentication. The default is “no”.
PasswordAuthentication will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. The default is “no”.
If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses. Multiple ListenAddress options are permitted. Port options must precede this option for non-port qualified addresses.
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,hmac-sha2-512-96
Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
The arguments to
Match are one or more
criteria-pattern pairs. The available criteria are
match patterns may consist of single entries or comma-separated lists
and may use the wildcard and negation operators described in the
PATTERNS section of
The patterns in an
may additionally contain addresses to match in CIDR address/masklen
format, e.g. “192.0.2.0/24” or
“3ffe:ffff::/32”. Note that the mask length provided must
be consistent with the address - it is an error to specify a mask length
that is too long for the address or one with bits set in the host
portion of the address. For example, “192.0.2.0/33” and
Only a subset of keywords may be used on the lines following a
Match keyword. Available keywords are
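The Match evaluation described above combines two matching rules: pattern lists (wildcards ‘*’ and ‘?’, comma-separated entries, ‘!’ negation) for the name-based criteria, and CIDR address/masklen blocks for addresses, where a mask length that is too long for the address family or one that leaves bits set in the host portion is an error. The following is an added example written for this page, not OpenSSH's match code; it supports the User, Group, Host and Address criteria that sshd_config(5) defines (the list itself is missing from this extracted copy), uses Python's ipaddress module in strict mode to enforce the CIDR consistency rule, and, as a simplification, lets one Address list mix plain patterns and CIDR entries. The same ‘*’ and ‘?’ wildcards apply to the variable names given to AcceptEnv. The connection attributes are constructed.

```python
import ipaddress


def match_pattern(s, p):
    """Match s against p, where '*' matches any run and '?' one character."""
    if not p:
        return not s
    if p[0] == "*":
        return any(match_pattern(s[i:], p[1:]) for i in range(len(s) + 1))
    if not s:
        return False
    if p[0] == "?" or p[0] == s[0]:
        return match_pattern(s[1:], p[1:])
    return False


def match_pattern_list(s, pattern_list):
    """Comma-separated patterns with '!' negation.

    Returns 1 on a positive match, -1 when a negated entry matched (which
    wins over any positive entry), 0 when nothing matched.
    """
    got_positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if match_pattern(s, pat):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def parse_cidr(spec):
    """Validate an address/masklen entry as the manual requires.

    strict=True makes ip_network reject host bits set below the mask
    (e.g. 192.0.2.1/24); a mask too long for the family (e.g. /33 on IPv4)
    is rejected by ip_network itself. Both raise ValueError.
    """
    return ipaddress.ip_network(spec, strict=True)


def address_matches(addr, address_list):
    """Match a client address against an Address list; same 1/-1/0 result."""
    ip = ipaddress.ip_address(addr)
    got_positive = False
    for entry in address_list.split(","):
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        hit = ip in parse_cidr(entry) if "/" in entry else match_pattern(addr, entry)
        if hit:
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def match_applies(criteria, conn):
    """Decide whether a Match block applies to a connection.

    criteria: the arguments of the Match line, as criterion/pattern pairs.
    conn: dict with 'user', 'groups' (list), 'host' and 'address'.
    Every criterion on the line must be satisfied.
    """
    if len(criteria) % 2:
        raise ValueError("Match requires criterion-pattern pairs")
    for crit, pat in zip(criteria[::2], criteria[1::2]):
        crit = crit.lower()
        if crit == "user":
            ok = match_pattern_list(conn["user"], pat) == 1
        elif crit == "group":
            ok = any(match_pattern_list(g, pat) == 1 for g in conn["groups"])
        elif crit == "host":
            ok = match_pattern_list(conn["host"], pat) == 1
        elif crit == "address":
            ok = address_matches(conn["address"], pat) == 1
        else:
            raise ValueError("unknown Match criterion %r" % crit)
        if not ok:
            return False
    return True


if __name__ == "__main__":
    # Constructed connection attributes for demonstration.
    conn = {"user": "alice", "groups": ["staff", "sftponly"],
            "host": "client.example.org", "address": "192.0.2.17"}
    print(match_applies(["Group", "sftponly", "Address", "192.0.2.0/24"], conn))
    print(match_applies(["Address", "192.0.2.0/24,!192.0.2.17"], conn))
```

The negation semantics matter for policy: a list such as `*,!alice` matches everyone except alice, and a negated entry overrides a positive one regardless of order, which is why `match_pattern_list` returns as soon as a negated entry hits.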
LoginGraceTime expires for a connection. The default is 10.
Alternatively, random early drop can be enabled by specifying the three colon separated values “start:rate:full” (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of “rate/100” (30%) if there are currently “start” (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches “full” (60).
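The random early drop behaviour is easiest to reason about as a function: below “start” unauthenticated connections nothing is refused, at “start” the refusal probability is “rate” percent, it rises linearly, and at “full” every attempt is refused. The code below is an added example for this page, not sshd's implementation; it parses both forms of the MaxStartups argument and models the probability with integer arithmetic, which is an assumption about how sshd rounds, not something the manual states. The connection counts fed to it are constructed.

```python
import random


def parse_max_startups(value):
    """Parse a MaxStartups argument into (start, rate, full).

    The single-value form 'full' is modelled as start=full, rate=100, so
    every attempt beyond 'full' unauthenticated connections is refused.
    """
    parts = value.split(":")
    if len(parts) == 1:
        full = int(parts[0])
        if full < 1:
            raise ValueError("MaxStartups must be at least 1")
        return full, 100, full
    if len(parts) != 3:
        raise ValueError("expected 'full' or 'start:rate:full'")
    start, rate, full = (int(p) for p in parts)
    if start < 1 or full < start or not 1 <= rate <= 100:
        raise ValueError("need 1 <= start <= full and 1 <= rate <= 100")
    return start, rate, full


def drop_probability(unauth, cfg):
    """Percent chance that a new attempt is refused when `unauth`
    unauthenticated connections already exist.

    Linear from `rate` at `start` up to 100 at `full`, as the manual
    describes; integer division is an assumption of this example.
    """
    start, rate, full = cfg
    if unauth < start:
        return 0
    if unauth >= full:
        return 100
    return rate + (100 - rate) * (unauth - start) // (full - start)


def should_drop(unauth, cfg, draw=lambda: random.randrange(100)):
    """Randomised decision; `draw` is injectable so it can be tested."""
    return draw() < drop_probability(unauth, cfg)


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:60")   # the manual's own example
    for n in (5, 10, 35, 59, 60):
        print(n, "unauthenticated ->", drop_probability(n, cfg), "% refused")
```

Seen from the operations side, the curve shows why “10:30:60” is a reasonable default against connection-flooding: legitimate users still get through most of the time while the backlog is modest, and the server never accumulates more than “full” half-open authentications regardless of the attack rate.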
Multiple forwards may be specified by separating them with whitespace. An argument of “any” can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.
If this option is set to “without-password”, password authentication is disabled for root.
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to “no”, root is not allowed to log in.
environment= options in ~/.ssh/authorized_keys are processed by sshd(8). The default is “no”. Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as
ChrootDirectory, whose permissions and ownership are checked unconditionally.
The command sftp-server(8) implements the “sftp” file transfer subsystem.
Alternately the name “internal-sftp” implements an in-process “sftp” server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients.
By default no subsystems are defined. Note that this option applies to protocol version 2 only.
The default is “yes” (to send TCP keepalive messages), and the server will notice if the network goes down or the client host crashes. This avoids infinitely hanging sessions.
To disable TCP keepalive messages, the value should be set to “no”.
‘#’ are allowed. If a certificate is presented for authentication and has its signing CA key listed in this file, then it may be used for authentication for any user listed in the certificate's principals list. Note that certificates that lack a list of principals will not be permitted for authentication using
TrustedUserCAKeys. For more details on certificates, see the CERTIFICATES section in ssh-keygen(1).
X11Forwarding will be disabled because login(1) does not know how to handle xauth(1) cookies. If UsePrivilegeSeparation is specified, it will be disabled after authentication.
UsePrivilegeSeparation is set to “sandbox” then the pre-authentication unprivileged process is subject to additional restrictions.
When X11 forwarding is enabled, there may be additional
exposure to the server and to client displays if the
sshd(8) proxy display is
configured to listen on the wildcard address (see
X11UseLocalhost below), though this is not the
default. Additionally, the authentication spoofing and authentication
data verification and substitution occur on the client side. The
security risk of using X11 forwarding is that the client's X11 display
server may be exposed to attack when the SSH client requests forwarding
(see the warnings for
system administrator may have a stance in which they want to protect
clients that may expose themselves to attack by unwittingly requesting
X11 forwarding, which can warrant a “no” setting.
Note that disabling X11 forwarding does not prevent users from
forwarding X11 traffic, as users can always install their own
forwarders. X11 forwarding is automatically disabled if
UseLogin is enabled.
DISPLAY environment variable to “localhost”. This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function with this configuration. X11UseLocalhost may be set to “no” to specify that the forwarding server should be bound to the wildcard address. The argument must be “yes” or “no”. The default is “yes”.
sshd(8) command-line arguments and configuration file options that specify time may be expressed using a sequence of the form: time[qualifier], where time is a positive integer value and qualifier is one of the following:
Each member of the sequence is added together to calculate the total time value.
Time format examples:
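The time format (a sequence of time[qualifier] members whose values are added together) is used by LoginGraceTime, ClientAliveInterval and the other time-valued keywords, and the qualifier table and examples did not survive in this extracted copy. The parser below is an added example for this page, not OpenSSH's own conversion routine; the qualifier set it uses (none or s for seconds, m minutes, h hours, d days, w weeks, upper case accepted) is the one sshd_config(5) defines, stated here from the manual rather than from the text above. Anything that is not a digit run followed by an optional qualifier is rejected, so a stray character cannot silently become a different timeout.

```python
import re

# Qualifiers defined by sshd_config(5); an empty qualifier means seconds.
_SECONDS_PER = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# One member of the sequence: a positive integer and an optional qualifier.
_MEMBER = re.compile(r"(\d+)([smhdwSMHDW]?)")


def parse_time(spec):
    """Convert an sshd time value ('600', '10m', '1h30m', ...) to seconds.

    Each time[qualifier] member is added together. Leftover text, an empty
    value, or a qualifier without a number raises ValueError.
    """
    if not spec:
        raise ValueError("empty time value")
    total = 0
    pos = 0
    while pos < len(spec):
        m = _MEMBER.match(spec, pos)
        if not m:
            raise ValueError("invalid time value %r at offset %d" % (spec, pos))
        value, qualifier = int(m.group(1)), m.group(2).lower()
        total += value * _SECONDS_PER[qualifier]
        pos = m.end()
    return total


def format_seconds(seconds):
    """Inverse helper: render a second count in the same sequence form,
    largest qualifier first, so a resolved value can be shown to an admin."""
    if seconds == 0:
        return "0"
    parts = []
    for qualifier in ("w", "d", "h", "m", "s"):
        unit = _SECONDS_PER[qualifier]
        if seconds >= unit:
            parts.append("%d%s" % (seconds // unit, qualifier))
            seconds %= unit
    return "".join(parts)


if __name__ == "__main__":
    for example in ("600", "10m", "1h30m", "2d", "1w"):
        print(example, "=", parse_time(example), "seconds")
```

Because the members are simply summed, `1h30m` and `90m` and `5400` are the same setting; `format_seconds` is handy when comparing a running server's effective values against a policy expressed in a different unit.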
OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation.
September 9, 2011                                                    OpenBSD-5.1