1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is 9.\" incompatible with the protocol description in the RFC file, it must be 10.\" called by a name other than "ssh" or "Secure Shell". 11.\" 12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 15.\" 16.\" Redistribution and use in source and binary forms, with or without 17.\" modification, are permitted provided that the following conditions 18.\" are met: 19.\" 1. Redistributions of source code must retain the above copyright 20.\" notice, this list of conditions and the following disclaimer. 21.\" 2. Redistributions in binary form must reproduce the above copyright 22.\" notice, this list of conditions and the following disclaimer in the 23.\" documentation and/or other materials provided with the distribution. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" 36.\" $OpenBSD: sshd_config.5,v 1.227 2016/07/19 12:59:16 jmc Exp $ 37.Dd $Mdocdate: July 19 2016 $ 38.Dt SSHD_CONFIG 5 39.Os 40.Sh NAME 41.Nm sshd_config 42.Nd OpenSSH SSH daemon configuration file 43.Sh SYNOPSIS 44.Nm /etc/ssh/sshd_config 45.Sh DESCRIPTION 46.Xr sshd 8 47reads configuration data from 48.Pa /etc/ssh/sshd_config 49(or the file specified with 50.Fl f 51on the command line). 52The file contains keyword-argument pairs, one per line. 53Lines starting with 54.Ql # 55and empty lines are interpreted as comments. 56Arguments may optionally be enclosed in double quotes 57.Pq \&" 58in order to represent arguments containing spaces. 59.Pp 60The possible 61keywords and their meanings are as follows (note that 62keywords are case-insensitive and arguments are case-sensitive): 63.Bl -tag -width Ds 64.It Cm AcceptEnv 65Specifies what environment variables sent by the client will be copied into 66the session's 67.Xr environ 7 . 68See 69.Cm SendEnv 70in 71.Xr ssh_config 5 72for how to configure the client. 73The 74.Ev TERM 75environment variable is always sent whenever the client 76requests a pseudo-terminal as it is required by the protocol. 77Variables are specified by name, which may contain the wildcard characters 78.Ql * 79and 80.Ql \&? . 81Multiple environment variables may be separated by whitespace or spread 82across multiple 83.Cm AcceptEnv 84directives. 85Be warned that some environment variables could be used to bypass restricted 86user environments. 87For this reason, care should be taken in the use of this directive. 88The default is not to accept any environment variables. 89.It Cm AddressFamily 90Specifies which address family should be used by 91.Xr sshd 8 . 92Valid arguments are 93.Dq any , 94.Dq inet 95(use IPv4 only), or 96.Dq inet6 97(use IPv6 only). 98The default is 99.Dq any . 100.It Cm AllowAgentForwarding 101Specifies whether 102.Xr ssh-agent 1 103forwarding is permitted. 104The default is 105.Dq yes . 106Note that disabling agent forwarding does not improve security 107unless users are also denied shell access, as they can always install 108their own forwarders. 109.It Cm AllowGroups 110This keyword can be followed by a list of group name patterns, separated 111by spaces. 112If specified, login is allowed only for users whose primary 113group or supplementary group list matches one of the patterns. 114Only group names are valid; a numerical group ID is not recognized. 115By default, login is allowed for all groups. 116The allow/deny directives are processed in the following order: 117.Cm DenyUsers , 118.Cm AllowUsers , 119.Cm DenyGroups , 120and finally 121.Cm AllowGroups . 122.Pp 123See PATTERNS in 124.Xr ssh_config 5 125for more information on patterns. 126.It Cm AllowTcpForwarding 127Specifies whether TCP forwarding is permitted. 128The available options are 129.Dq yes 130or 131.Dq all 132to allow TCP forwarding, 133.Dq no 134to prevent all TCP forwarding, 135.Dq local 136to allow local (from the perspective of 137.Xr ssh 1 ) 138forwarding only or 139.Dq remote 140to allow remote forwarding only. 141The default is 142.Dq yes . 143Note that disabling TCP forwarding does not improve security unless 144users are also denied shell access, as they can always install their 145own forwarders. 146.It Cm AllowStreamLocalForwarding 147Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. 148The available options are 149.Dq yes 150or 151.Dq all 152to allow StreamLocal forwarding, 153.Dq no 154to prevent all StreamLocal forwarding, 155.Dq local 156to allow local (from the perspective of 157.Xr ssh 1 ) 158forwarding only or 159.Dq remote 160to allow remote forwarding only. 161The default is 162.Dq yes . 163Note that disabling StreamLocal forwarding does not improve security unless 164users are also denied shell access, as they can always install their 165own forwarders. 166.It Cm AllowUsers 167This keyword can be followed by a list of user name patterns, separated 168by spaces. 169If specified, login is allowed only for user names that 170match one of the patterns. 171Only user names are valid; a numerical user ID is not recognized. 172By default, login is allowed for all users. 173If the pattern takes the form USER@HOST then USER and HOST 174are separately checked, restricting logins to particular 175users from particular hosts. 176HOST criteria may additionally contain addresses to match in CIDR 177address/masklen format. 178The allow/deny directives are processed in the following order: 179.Cm DenyUsers , 180.Cm AllowUsers , 181.Cm DenyGroups , 182and finally 183.Cm AllowGroups . 184.Pp 185See PATTERNS in 186.Xr ssh_config 5 187for more information on patterns. 188.It Cm AuthenticationMethods 189Specifies the authentication methods that must be successfully completed 190for a user to be granted access. 191This option must be followed by one or more comma-separated lists of 192authentication method names, or by the single string 193.Dq any 194to indicate the default behaviour of accepting any single authentication 195method. 196if the default is overridden, then successful authentication requires 197completion of every method in at least one of these lists. 198.Pp 199For example, an argument of 200.Dq publickey,password publickey,keyboard-interactive 201would require the user to complete public key authentication, followed by 202either password or keyboard interactive authentication. 203Only methods that are next in one or more lists are offered at each stage, 204so for this example, it would not be possible to attempt password or 205keyboard-interactive authentication before public key. 206.Pp 207For keyboard interactive authentication it is also possible to 208restrict authentication to a specific device by appending a 209colon followed by the device identifier 210.Dq bsdauth , 211.Dq pam , 212or 213.Dq skey , 214depending on the server configuration. 215For example, 216.Dq keyboard-interactive:bsdauth 217would restrict keyboard interactive authentication to the 218.Dq bsdauth 219device. 220.Pp 221If the 222.Dq publickey 223method is listed more than once, 224.Xr sshd 8 225verifies that keys that have been used successfully are not reused for 226subsequent authentications. 227For example, an 228.Cm AuthenticationMethods 229of 230.Dq publickey,publickey 231will require successful authentication using two different public keys. 232.Pp 233This option will yield a fatal 234error if enabled if protocol 1 is also enabled. 235Note that each authentication method listed should also be explicitly enabled 236in the configuration. 237The default 238.Dq any 239is not to require multiple authentication; successful completion 240of a single authentication method is sufficient. 241.It Cm AuthorizedKeysCommand 242Specifies a program to be used to look up the user's public keys. 243The program must be owned by root, not writable by group or others and 244specified by an absolute path. 245.Pp 246Arguments to 247.Cm AuthorizedKeysCommand 248may be provided using the following tokens, which will be expanded 249at runtime: %% is replaced by a literal '%', %u is replaced by the 250username being authenticated, %h is replaced by the home directory 251of the user being authenticated, %t is replaced with the key type 252offered for authentication, %f is replaced with the fingerprint of 253the key, and %k is replaced with the key being offered for authentication. 254If no arguments are specified then the username of the target user 255will be supplied. 256.Pp 257The program should produce on standard output zero or 258more lines of authorized_keys output (see AUTHORIZED_KEYS in 259.Xr sshd 8 ) . 260If a key supplied by AuthorizedKeysCommand does not successfully authenticate 261and authorize the user then public key authentication continues using the usual 262.Cm AuthorizedKeysFile 263files. 264By default, no AuthorizedKeysCommand is run. 265.It Cm AuthorizedKeysCommandUser 266Specifies the user under whose account the AuthorizedKeysCommand is run. 267It is recommended to use a dedicated user that has no other role on the host 268than running authorized keys commands. 269If 270.Cm AuthorizedKeysCommand 271is specified but 272.Cm AuthorizedKeysCommandUser 273is not, then 274.Xr sshd 8 275will refuse to start. 276.It Cm AuthorizedKeysFile 277Specifies the file that contains the public keys that can be used 278for user authentication. 279The format is described in the 280AUTHORIZED_KEYS FILE FORMAT 281section of 282.Xr sshd 8 . 283.Cm AuthorizedKeysFile 284may contain tokens of the form %T which are substituted during connection 285setup. 286The following tokens are defined: %% is replaced by a literal '%', 287%h is replaced by the home directory of the user being authenticated, and 288%u is replaced by the username of that user. 289After expansion, 290.Cm AuthorizedKeysFile 291is taken to be an absolute path or one relative to the user's home 292directory. 293Multiple files may be listed, separated by whitespace. 294Alternately this option may be set to 295.Dq none 296to skip checking for user keys in files. 297The default is 298.Dq .ssh/authorized_keys .ssh/authorized_keys2 . 299.It Cm AuthorizedPrincipalsCommand 300Specifies a program to be used to generate the list of allowed 301certificate principals as per 302.Cm AuthorizedPrincipalsFile . 303The program must be owned by root, not writable by group or others and 304specified by an absolute path. 305.Pp 306Arguments to 307.Cm AuthorizedPrincipalsCommand 308may be provided using the following tokens, which will be expanded 309at runtime: %% is replaced by a literal '%', %u is replaced by the 310username being authenticated and %h is replaced by the home directory 311of the user being authenticated. 312.Pp 313The program should produce on standard output zero or 314more lines of 315.Cm AuthorizedPrincipalsFile 316output. 317If either 318.Cm AuthorizedPrincipalsCommand 319or 320.Cm AuthorizedPrincipalsFile 321is specified, then certificates offered by the client for authentication 322must contain a principal that is listed. 323By default, no AuthorizedPrincipalsCommand is run. 324.It Cm AuthorizedPrincipalsCommandUser 325Specifies the user under whose account the AuthorizedPrincipalsCommand is run. 326It is recommended to use a dedicated user that has no other role on the host 327than running authorized principals commands. 328If 329.Cm AuthorizedPrincipalsCommand 330is specified but 331.Cm AuthorizedPrincipalsCommandUser 332is not, then 333.Xr sshd 8 334will refuse to start. 335.It Cm AuthorizedPrincipalsFile 336Specifies a file that lists principal names that are accepted for 337certificate authentication. 338When using certificates signed by a key listed in 339.Cm TrustedUserCAKeys , 340this file lists names, one of which must appear in the certificate for it 341to be accepted for authentication. 342Names are listed one per line preceded by key options (as described 343in AUTHORIZED_KEYS FILE FORMAT in 344.Xr sshd 8 ) . 345Empty lines and comments starting with 346.Ql # 347are ignored. 348.Pp 349.Cm AuthorizedPrincipalsFile 350may contain tokens of the form %T which are substituted during connection 351setup. 352The following tokens are defined: %% is replaced by a literal '%', 353%h is replaced by the home directory of the user being authenticated, and 354%u is replaced by the username of that user. 355After expansion, 356.Cm AuthorizedPrincipalsFile 357is taken to be an absolute path or one relative to the user's home 358directory. 359.Pp 360The default is 361.Dq none , 362i.e. not to use a principals file \(en in this case, the username 363of the user must appear in a certificate's principals list for it to be 364accepted. 365Note that 366.Cm AuthorizedPrincipalsFile 367is only used when authentication proceeds using a CA listed in 368.Cm TrustedUserCAKeys 369and is not consulted for certification authorities trusted via 370.Pa ~/.ssh/authorized_keys , 371though the 372.Cm principals= 373key option offers a similar facility (see 374.Xr sshd 8 375for details). 376.It Cm Banner 377The contents of the specified file are sent to the remote user before 378authentication is allowed. 379If the argument is 380.Dq none 381then no banner is displayed. 382By default, no banner is displayed. 383.It Cm ChallengeResponseAuthentication 384Specifies whether challenge-response authentication is allowed (e.g. via 385PAM or through authentication styles supported in 386.Xr login.conf 5 ) 387The default is 388.Dq yes . 389.It Cm ChrootDirectory 390Specifies the pathname of a directory to 391.Xr chroot 2 392to after authentication. 393At session startup 394.Xr sshd 8 395checks that all components of the pathname are root-owned directories 396which are not writable by any other user or group. 397After the chroot, 398.Xr sshd 8 399changes the working directory to the user's home directory. 400.Pp 401The pathname may contain the following tokens that are expanded at runtime once 402the connecting user has been authenticated: %% is replaced by a literal '%', 403%h is replaced by the home directory of the user being authenticated, and 404%u is replaced by the username of that user. 405.Pp 406The 407.Cm ChrootDirectory 408must contain the necessary files and directories to support the 409user's session. 410For an interactive session this requires at least a shell, typically 411.Xr sh 1 , 412and basic 413.Pa /dev 414nodes such as 415.Xr null 4 , 416.Xr zero 4 , 417.Xr stdin 4 , 418.Xr stdout 4 , 419.Xr stderr 4 , 420and 421.Xr tty 4 422devices. 423For file transfer sessions using 424.Dq sftp , 425no additional configuration of the environment is necessary if the 426in-process sftp server is used, 427though sessions which use logging may require 428.Pa /dev/log 429inside the chroot directory on some operating systems (see 430.Xr sftp-server 8 431for details). 432.Pp 433For safety, it is very important that the directory hierarchy be 434prevented from modification by other processes on the system (especially 435those outside the jail). 436Misconfiguration can lead to unsafe environments which 437.Xr sshd 8 438cannot detect. 439.Pp 440The default is 441.Dq none , 442indicating not to 443.Xr chroot 2 . 444.It Cm Ciphers 445Specifies the ciphers allowed. 446Multiple ciphers must be comma-separated. 447If the specified value begins with a 448.Sq + 449character, then the specified ciphers will be appended to the default set 450instead of replacing them. 451.Pp 452The supported ciphers are: 453.Pp 454.Bl -item -compact -offset indent 455.It 4563des-cbc 457.It 458aes128-cbc 459.It 460aes192-cbc 461.It 462aes256-cbc 463.It 464aes128-ctr 465.It 466aes192-ctr 467.It 468aes256-ctr 469.It 470aes128-gcm@openssh.com 471.It 472aes256-gcm@openssh.com 473.It 474arcfour 475.It 476arcfour128 477.It 478arcfour256 479.It 480blowfish-cbc 481.It 482cast128-cbc 483.It 484chacha20-poly1305@openssh.com 485.El 486.Pp 487The default is: 488.Bd -literal -offset indent 489chacha20-poly1305@openssh.com, 490aes128-ctr,aes192-ctr,aes256-ctr, 491aes128-gcm@openssh.com,aes256-gcm@openssh.com 492.Ed 493.Pp 494The list of available ciphers may also be obtained using the 495.Fl Q 496option of 497.Xr ssh 1 498with an argument of 499.Dq cipher . 500.It Cm ClientAliveCountMax 501Sets the number of client alive messages (see below) which may be 502sent without 503.Xr sshd 8 504receiving any messages back from the client. 505If this threshold is reached while client alive messages are being sent, 506sshd will disconnect the client, terminating the session. 507It is important to note that the use of client alive messages is very 508different from 509.Cm TCPKeepAlive 510(below). 511The client alive messages are sent through the encrypted channel 512and therefore will not be spoofable. 513The TCP keepalive option enabled by 514.Cm TCPKeepAlive 515is spoofable. 516The client alive mechanism is valuable when the client or 517server depend on knowing when a connection has become inactive. 518.Pp 519The default value is 3. 520If 521.Cm ClientAliveInterval 522(see below) is set to 15, and 523.Cm ClientAliveCountMax 524is left at the default, unresponsive SSH clients 525will be disconnected after approximately 45 seconds. 526.It Cm ClientAliveInterval 527Sets a timeout interval in seconds after which if no data has been received 528from the client, 529.Xr sshd 8 530will send a message through the encrypted 531channel to request a response from the client. 532The default 533is 0, indicating that these messages will not be sent to the client. 534.It Cm Compression 535Specifies whether compression is allowed, or delayed until 536the user has authenticated successfully. 537The argument must be 538.Dq yes , 539.Dq delayed , 540or 541.Dq no . 542The default is 543.Dq delayed . 544.It Cm DenyGroups 545This keyword can be followed by a list of group name patterns, separated 546by spaces. 547Login is disallowed for users whose primary group or supplementary 548group list matches one of the patterns. 549Only group names are valid; a numerical group ID is not recognized. 550By default, login is allowed for all groups. 551The allow/deny directives are processed in the following order: 552.Cm DenyUsers , 553.Cm AllowUsers , 554.Cm DenyGroups , 555and finally 556.Cm AllowGroups . 557.Pp 558See PATTERNS in 559.Xr ssh_config 5 560for more information on patterns. 561.It Cm DenyUsers 562This keyword can be followed by a list of user name patterns, separated 563by spaces. 564Login is disallowed for user names that match one of the patterns. 565Only user names are valid; a numerical user ID is not recognized. 566By default, login is allowed for all users. 567If the pattern takes the form USER@HOST then USER and HOST 568are separately checked, restricting logins to particular 569users from particular hosts. 570HOST criteria may additionally contain addresses to match in CIDR 571address/masklen format. 572The allow/deny directives are processed in the following order: 573.Cm DenyUsers , 574.Cm AllowUsers , 575.Cm DenyGroups , 576and finally 577.Cm AllowGroups . 578.Pp 579See PATTERNS in 580.Xr ssh_config 5 581for more information on patterns. 582.It Cm FingerprintHash 583Specifies the hash algorithm used when logging key fingerprints. 584Valid options are: 585.Dq md5 586and 587.Dq sha256 . 588The default is 589.Dq sha256 . 590.It Cm ForceCommand 591Forces the execution of the command specified by 592.Cm ForceCommand , 593ignoring any command supplied by the client and 594.Pa ~/.ssh/rc 595if present. 596The command is invoked by using the user's login shell with the -c option. 597This applies to shell, command, or subsystem execution. 598It is most useful inside a 599.Cm Match 600block. 601The command originally supplied by the client is available in the 602.Ev SSH_ORIGINAL_COMMAND 603environment variable. 604Specifying a command of 605.Dq internal-sftp 606will force the use of an in-process sftp server that requires no support 607files when used with 608.Cm ChrootDirectory . 609The default is 610.Dq none . 611.It Cm GatewayPorts 612Specifies whether remote hosts are allowed to connect to ports 613forwarded for the client. 614By default, 615.Xr sshd 8 616binds remote port forwardings to the loopback address. 617This prevents other remote hosts from connecting to forwarded ports. 618.Cm GatewayPorts 619can be used to specify that sshd 620should allow remote port forwardings to bind to non-loopback addresses, thus 621allowing other hosts to connect. 622The argument may be 623.Dq no 624to force remote port forwardings to be available to the local host only, 625.Dq yes 626to force remote port forwardings to bind to the wildcard address, or 627.Dq clientspecified 628to allow the client to select the address to which the forwarding is bound. 629The default is 630.Dq no . 631.It Cm GSSAPIAuthentication 632Specifies whether user authentication based on GSSAPI is allowed. 633The default is 634.Dq no . 635.It Cm GSSAPICleanupCredentials 636Specifies whether to automatically destroy the user's credentials cache 637on logout. 638The default is 639.Dq yes . 640.It Cm GSSAPIStrictAcceptorCheck 641Determines whether to be strict about the identity of the GSSAPI acceptor 642a client authenticates against. 643If set to 644.Dq yes 645then the client must authenticate against the 646.Pa host 647service on the current hostname. 648If set to 649.Dq no 650then the client may authenticate against any service key stored in the 651machine's default store. 652This facility is provided to assist with operation on multi homed machines. 653The default is 654.Dq yes . 655.It Cm HostbasedAcceptedKeyTypes 656Specifies the key types that will be accepted for hostbased authentication 657as a comma-separated pattern list. 658Alternately if the specified value begins with a 659.Sq + 660character, then the specified key types will be appended to the default set 661instead of replacing them. 662The default for this option is: 663.Bd -literal -offset 3n 664ecdsa-sha2-nistp256-cert-v01@openssh.com, 665ecdsa-sha2-nistp384-cert-v01@openssh.com, 666ecdsa-sha2-nistp521-cert-v01@openssh.com, 667ssh-ed25519-cert-v01@openssh.com, 668ssh-rsa-cert-v01@openssh.com, 669ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 670ssh-ed25519,ssh-rsa 671.Ed 672.Pp 673The 674.Fl Q 675option of 676.Xr ssh 1 677may be used to list supported key types. 678.It Cm HostbasedAuthentication 679Specifies whether rhosts or /etc/hosts.equiv authentication together 680with successful public key client host authentication is allowed 681(host-based authentication). 682The default is 683.Dq no . 684.It Cm HostbasedUsesNameFromPacketOnly 685Specifies whether or not the server will attempt to perform a reverse 686name lookup when matching the name in the 687.Pa ~/.shosts , 688.Pa ~/.rhosts , 689and 690.Pa /etc/hosts.equiv 691files during 692.Cm HostbasedAuthentication . 693A setting of 694.Dq yes 695means that 696.Xr sshd 8 697uses the name supplied by the client rather than 698attempting to resolve the name from the TCP connection itself. 699The default is 700.Dq no . 701.It Cm HostCertificate 702Specifies a file containing a public host certificate. 703The certificate's public key must match a private host key already specified 704by 705.Cm HostKey . 706The default behaviour of 707.Xr sshd 8 708is not to load any certificates. 709.It Cm HostKey 710Specifies a file containing a private host key 711used by SSH. 712The default is 713.Pa /etc/ssh/ssh_host_key 714for protocol version 1, and 715.Pa /etc/ssh/ssh_host_dsa_key , 716.Pa /etc/ssh/ssh_host_ecdsa_key , 717.Pa /etc/ssh/ssh_host_ed25519_key 718and 719.Pa /etc/ssh/ssh_host_rsa_key 720for protocol version 2. 721.Pp 722Note that 723.Xr sshd 8 724will refuse to use a file if it is group/world-accessible 725and that the 726.Cm HostKeyAlgorithms 727option restricts which of the keys are actually used by 728.Xr sshd 8 . 729.Pp 730It is possible to have multiple host key files. 731.Dq rsa1 732keys are used for version 1 and 733.Dq dsa , 734.Dq ecdsa , 735.Dq ed25519 736or 737.Dq rsa 738are used for version 2 of the SSH protocol. 739It is also possible to specify public host key files instead. 740In this case operations on the private key will be delegated 741to an 742.Xr ssh-agent 1 . 743.It Cm HostKeyAgent 744Identifies the UNIX-domain socket used to communicate 745with an agent that has access to the private host keys. 746If the string 747.Dq SSH_AUTH_SOCK 748is specified, the location of the socket will be read from the 749.Ev SSH_AUTH_SOCK 750environment variable. 751.It Cm HostKeyAlgorithms 752Specifies the host key algorithms 753that the server offers. 754The default for this option is: 755.Bd -literal -offset 3n 756ecdsa-sha2-nistp256-cert-v01@openssh.com, 757ecdsa-sha2-nistp384-cert-v01@openssh.com, 758ecdsa-sha2-nistp521-cert-v01@openssh.com, 759ssh-ed25519-cert-v01@openssh.com, 760ssh-rsa-cert-v01@openssh.com, 761ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 762ssh-ed25519,ssh-rsa 763.Ed 764.Pp 765The list of available key types may also be obtained using the 766.Fl Q 767option of 768.Xr ssh 1 769with an argument of 770.Dq key . 771.It Cm IgnoreRhosts 772Specifies that 773.Pa .rhosts 774and 775.Pa .shosts 776files will not be used in 777.Cm RhostsRSAAuthentication 778or 779.Cm HostbasedAuthentication . 780.Pp 781.Pa /etc/hosts.equiv 782and 783.Pa /etc/ssh/shosts.equiv 784are still used. 785The default is 786.Dq yes . 787.It Cm IgnoreUserKnownHosts 788Specifies whether 789.Xr sshd 8 790should ignore the user's 791.Pa ~/.ssh/known_hosts 792during 793.Cm RhostsRSAAuthentication 794or 795.Cm HostbasedAuthentication . 796The default is 797.Dq no . 798.It Cm IPQoS 799Specifies the IPv4 type-of-service or DSCP class for the connection. 800Accepted values are 801.Dq af11 , 802.Dq af12 , 803.Dq af13 , 804.Dq af21 , 805.Dq af22 , 806.Dq af23 , 807.Dq af31 , 808.Dq af32 , 809.Dq af33 , 810.Dq af41 , 811.Dq af42 , 812.Dq af43 , 813.Dq cs0 , 814.Dq cs1 , 815.Dq cs2 , 816.Dq cs3 , 817.Dq cs4 , 818.Dq cs5 , 819.Dq cs6 , 820.Dq cs7 , 821.Dq ef , 822.Dq lowdelay , 823.Dq throughput , 824.Dq reliability , 825or a numeric value. 826This option may take one or two arguments, separated by whitespace. 827If one argument is specified, it is used as the packet class unconditionally. 828If two values are specified, the first is automatically selected for 829interactive sessions and the second for non-interactive sessions. 830The default is 831.Dq lowdelay 832for interactive sessions and 833.Dq throughput 834for non-interactive sessions. 835.It Cm KbdInteractiveAuthentication 836Specifies whether to allow keyboard-interactive authentication. 837The argument to this keyword must be 838.Dq yes 839or 840.Dq no . 841The default is to use whatever value 842.Cm ChallengeResponseAuthentication 843is set to 844(by default 845.Dq yes ) . 846.It Cm KerberosAuthentication 847Specifies whether the password provided by the user for 848.Cm PasswordAuthentication 849will be validated through the Kerberos KDC. 850To use this option, the server needs a 851Kerberos servtab which allows the verification of the KDC's identity. 852The default is 853.Dq no . 854.It Cm KerberosGetAFSToken 855If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire 856an AFS token before accessing the user's home directory. 857The default is 858.Dq no . 859.It Cm KerberosOrLocalPasswd 860If password authentication through Kerberos fails then 861the password will be validated via any additional local mechanism 862such as 863.Pa /etc/passwd . 864The default is 865.Dq yes . 866.It Cm KerberosTicketCleanup 867Specifies whether to automatically destroy the user's ticket cache 868file on logout. 869The default is 870.Dq yes . 871.It Cm KexAlgorithms 872Specifies the available KEX (Key Exchange) algorithms. 873Multiple algorithms must be comma-separated. 874Alternately if the specified value begins with a 875.Sq + 876character, then the specified methods will be appended to the default set 877instead of replacing them. 878The supported algorithms are: 879.Pp 880.Bl -item -compact -offset indent 881.It 882curve25519-sha256@libssh.org 883.It 884diffie-hellman-group1-sha1 885.It 886diffie-hellman-group14-sha1 887.It 888diffie-hellman-group-exchange-sha1 889.It 890diffie-hellman-group-exchange-sha256 891.It 892ecdh-sha2-nistp256 893.It 894ecdh-sha2-nistp384 895.It 896ecdh-sha2-nistp521 897.El 898.Pp 899The default is: 900.Bd -literal -offset indent 901curve25519-sha256@libssh.org, 902ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 903diffie-hellman-group-exchange-sha256, 904diffie-hellman-group14-sha1 905.Ed 906.Pp 907The list of available key exchange algorithms may also be obtained using the 908.Fl Q 909option of 910.Xr ssh 1 911with an argument of 912.Dq kex . 913.It Cm KeyRegenerationInterval 914In protocol version 1, the ephemeral server key is automatically regenerated 915after this many seconds (if it has been used). 916The purpose of regeneration is to prevent 917decrypting captured sessions by later breaking into the machine and 918stealing the keys. 919The key is never stored anywhere. 920If the value is 0, the key is never regenerated. 921The default is 3600 (seconds). 922.It Cm ListenAddress 923Specifies the local addresses 924.Xr sshd 8 925should listen on. 926The following forms may be used: 927.Pp 928.Bl -item -offset indent -compact 929.It 930.Cm ListenAddress 931.Sm off 932.Ar host | Ar IPv4_addr | Ar IPv6_addr 933.Sm on 934.It 935.Cm ListenAddress 936.Sm off 937.Ar host | Ar IPv4_addr : Ar port 938.Sm on 939.It 940.Cm ListenAddress 941.Sm off 942.Oo 943.Ar host | Ar IPv6_addr Oc : Ar port 944.Sm on 945.El 946.Pp 947If 948.Ar port 949is not specified, 950sshd will listen on the address and all 951.Cm Port 952options specified. 953The default is to listen on all local addresses. 954Multiple 955.Cm ListenAddress 956options are permitted. 957.It Cm LoginGraceTime 958The server disconnects after this time if the user has not 959successfully logged in. 960If the value is 0, there is no time limit. 961The default is 120 seconds. 962.It Cm LogLevel 963Gives the verbosity level that is used when logging messages from 964.Xr sshd 8 . 965The possible values are: 966QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. 967The default is INFO. 968DEBUG and DEBUG1 are equivalent. 969DEBUG2 and DEBUG3 each specify higher levels of debugging output. 970Logging with a DEBUG level violates the privacy of users and is not recommended. 971.It Cm MACs 972Specifies the available MAC (message authentication code) algorithms. 973The MAC algorithm is used for data integrity protection. 974Multiple algorithms must be comma-separated. 975If the specified value begins with a 976.Sq + 977character, then the specified algorithms will be appended to the default set 978instead of replacing them. 979.Pp 980The algorithms that contain 981.Dq -etm 982calculate the MAC after encryption (encrypt-then-mac). 983These are considered safer and their use recommended. 984The supported MACs are: 985.Pp 986.Bl -item -compact -offset indent 987.It 988hmac-md5 989.It 990hmac-md5-96 991.It 992hmac-ripemd160 993.It 994hmac-sha1 995.It 996hmac-sha1-96 997.It 998hmac-sha2-256 999.It 1000hmac-sha2-512 1001.It 1002umac-64@openssh.com 1003.It 1004umac-128@openssh.com 1005.It 1006hmac-md5-etm@openssh.com 1007.It 1008hmac-md5-96-etm@openssh.com 1009.It 1010hmac-ripemd160-etm@openssh.com 1011.It 1012hmac-sha1-etm@openssh.com 1013.It 1014hmac-sha1-96-etm@openssh.com 1015.It 1016hmac-sha2-256-etm@openssh.com 1017.It 1018hmac-sha2-512-etm@openssh.com 1019.It 1020umac-64-etm@openssh.com 1021.It 1022umac-128-etm@openssh.com 1023.El 1024.Pp 1025The default is: 1026.Bd -literal -offset indent 1027umac-64-etm@openssh.com,umac-128-etm@openssh.com, 1028hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 1029hmac-sha1-etm@openssh.com, 1030umac-64@openssh.com,umac-128@openssh.com, 1031hmac-sha2-256,hmac-sha2-512,hmac-sha1 1032.Ed 1033.Pp 1034The list of available MAC algorithms may also be obtained using the 1035.Fl Q 1036option of 1037.Xr ssh 1 1038with an argument of 1039.Dq mac . 1040.It Cm Match 1041Introduces a conditional block. 1042If all of the criteria on the 1043.Cm Match 1044line are satisfied, the keywords on the following lines override those 1045set in the global section of the config file, until either another 1046.Cm Match 1047line or the end of the file. 1048If a keyword appears in multiple 1049.Cm Match 1050blocks that are satisfied, only the first instance of the keyword is 1051applied. 1052.Pp 1053The arguments to 1054.Cm Match 1055are one or more criteria-pattern pairs or the single token 1056.Cm All 1057which matches all criteria. 1058The available criteria are 1059.Cm User , 1060.Cm Group , 1061.Cm Host , 1062.Cm LocalAddress , 1063.Cm LocalPort , 1064and 1065.Cm Address . 1066The match patterns may consist of single entries or comma-separated 1067lists and may use the wildcard and negation operators described in the 1068PATTERNS section of 1069.Xr ssh_config 5 . 1070.Pp 1071The patterns in an 1072.Cm Address 1073criteria may additionally contain addresses to match in CIDR 1074address/masklen format, e.g.\& 1075.Dq 192.0.2.0/24 1076or 1077.Dq 3ffe:ffff::/32 . 1078Note that the mask length provided must be consistent with the address - 1079it is an error to specify a mask length that is too long for the address 1080or one with bits set in this host portion of the address. 1081For example, 1082.Dq 192.0.2.0/33 1083and 1084.Dq 192.0.2.0/8 1085respectively. 1086.Pp 1087Only a subset of keywords may be used on the lines following a 1088.Cm Match 1089keyword. 1090Available keywords are 1091.Cm AcceptEnv , 1092.Cm AllowAgentForwarding , 1093.Cm AllowGroups , 1094.Cm AllowStreamLocalForwarding , 1095.Cm AllowTcpForwarding , 1096.Cm AllowUsers , 1097.Cm AuthenticationMethods , 1098.Cm AuthorizedKeysCommand , 1099.Cm AuthorizedKeysCommandUser , 1100.Cm AuthorizedKeysFile , 1101.Cm AuthorizedPrincipalsCommand , 1102.Cm AuthorizedPrincipalsCommandUser , 1103.Cm AuthorizedPrincipalsFile , 1104.Cm Banner , 1105.Cm ChrootDirectory , 1106.Cm DenyGroups , 1107.Cm DenyUsers , 1108.Cm ForceCommand , 1109.Cm GatewayPorts , 1110.Cm GSSAPIAuthentication , 1111.Cm HostbasedAcceptedKeyTypes , 1112.Cm HostbasedAuthentication , 1113.Cm HostbasedUsesNameFromPacketOnly , 1114.Cm IPQoS , 1115.Cm KbdInteractiveAuthentication , 1116.Cm KerberosAuthentication , 1117.Cm MaxAuthTries , 1118.Cm MaxSessions , 1119.Cm PasswordAuthentication , 1120.Cm PermitEmptyPasswords , 1121.Cm PermitOpen , 1122.Cm PermitRootLogin , 1123.Cm PermitTTY , 1124.Cm PermitTunnel , 1125.Cm PermitUserRC , 1126.Cm PubkeyAcceptedKeyTypes , 1127.Cm PubkeyAuthentication , 1128.Cm RekeyLimit , 1129.Cm RevokedKeys , 1130.Cm RhostsRSAAuthentication , 1131.Cm RSAAuthentication , 1132.Cm StreamLocalBindMask , 1133.Cm StreamLocalBindUnlink , 1134.Cm TrustedUserCAKeys , 1135.Cm X11DisplayOffset , 1136.Cm X11Forwarding 1137and 1138.Cm X11UseLocalHost . 1139.It Cm MaxAuthTries 1140Specifies the maximum number of authentication attempts permitted per 1141connection. 1142Once the number of failures reaches half this value, 1143additional failures are logged. 1144The default is 6. 1145.It Cm MaxSessions 1146Specifies the maximum number of open shell, login or subsystem (e.g. sftp) 1147sessions permitted per network connection. 1148Multiple sessions may be established by clients that support connection 1149multiplexing. 1150Setting 1151.Cm MaxSessions 1152to 1 will effectively disable session multiplexing, whereas setting it to 0 1153will prevent all shell, login and subsystem sessions while still permitting 1154forwarding. 1155The default is 10. 1156.It Cm MaxStartups 1157Specifies the maximum number of concurrent unauthenticated connections to the 1158SSH daemon. 1159Additional connections will be dropped until authentication succeeds or the 1160.Cm LoginGraceTime 1161expires for a connection. 1162The default is 10:30:100. 1163.Pp 1164Alternatively, random early drop can be enabled by specifying 1165the three colon separated values 1166.Dq start:rate:full 1167(e.g. "10:30:60"). 1168.Xr sshd 8 1169will refuse connection attempts with a probability of 1170.Dq rate/100 1171(30%) 1172if there are currently 1173.Dq start 1174(10) 1175unauthenticated connections. 1176The probability increases linearly and all connection attempts 1177are refused if the number of unauthenticated connections reaches 1178.Dq full 1179(60). 1180.It Cm PasswordAuthentication 1181Specifies whether password authentication is allowed. 1182The default is 1183.Dq no . 1184Note that if 1185.Cm ChallengeResponseAuthentication 1186is 1187.Dq yes , 1188.Cm UsePAM 1189is 1190.Dq yes , 1191and the PAM authentication policy for 1192.Nm sshd 1193includes 1194.Xr pam_unix 8 , 1195password authentication will be allowed through the challenge-response 1196mechanism regardless of the value of 1197.Cm PasswordAuthentication . 1198.It Cm PermitEmptyPasswords 1199When password authentication is allowed, it specifies whether the 1200server allows login to accounts with empty password strings. 1201The default is 1202.Dq no . 1203.It Cm PermitOpen 1204Specifies the destinations to which TCP port forwarding is permitted. 1205The forwarding specification must be one of the following forms: 1206.Pp 1207.Bl -item -offset indent -compact 1208.It 1209.Cm PermitOpen 1210.Sm off 1211.Ar host : port 1212.Sm on 1213.It 1214.Cm PermitOpen 1215.Sm off 1216.Ar IPv4_addr : port 1217.Sm on 1218.It 1219.Cm PermitOpen 1220.Sm off 1221.Ar \&[ IPv6_addr \&] : port 1222.Sm on 1223.El 1224.Pp 1225Multiple forwards may be specified by separating them with whitespace. 1226An argument of 1227.Dq any 1228can be used to remove all restrictions and permit any forwarding requests. 1229An argument of 1230.Dq none 1231can be used to prohibit all forwarding requests. 1232The wildcard 1233.Dq * 1234can be used for host or port to allow all hosts or ports, respectively. 1235By default all port forwarding requests are permitted. 1236.It Cm PermitRootLogin 1237Specifies whether root can log in using 1238.Xr ssh 1 . 1239The argument must be 1240.Dq yes , 1241.Dq prohibit-password , 1242.Dq without-password , 1243.Dq forced-commands-only , 1244or 1245.Dq no . 1246The default is 1247.Dq prohibit-password . 1248.Pp 1249If this option is set to 1250.Dq prohibit-password 1251or 1252.Dq without-password , 1253password and keyboard-interactive authentication are disabled for root. 1254.Pp 1255If this option is set to 1256.Dq forced-commands-only , 1257root login with public key authentication will be allowed, 1258but only if the 1259.Ar command 1260option has been specified 1261(which may be useful for taking remote backups even if root login is 1262normally not allowed). 1263All other authentication methods are disabled for root. 1264.Pp 1265If this option is set to 1266.Dq no , 1267root is not allowed to log in. 1268.It Cm PermitTunnel 1269Specifies whether 1270.Xr tun 4 1271device forwarding is allowed. 1272The argument must be 1273.Dq yes , 1274.Dq point-to-point 1275(layer 3), 1276.Dq ethernet 1277(layer 2), or 1278.Dq no . 1279Specifying 1280.Dq yes 1281permits both 1282.Dq point-to-point 1283and 1284.Dq ethernet . 1285The default is 1286.Dq no . 1287.Pp 1288Independent of this setting, the permissions of the selected 1289.Xr tun 4 1290device must allow access to the user. 1291.It Cm PermitTTY 1292Specifies whether 1293.Xr pty 4 1294allocation is permitted. 1295The default is 1296.Dq yes . 1297.It Cm PermitUserEnvironment 1298Specifies whether 1299.Pa ~/.ssh/environment 1300and 1301.Cm environment= 1302options in 1303.Pa ~/.ssh/authorized_keys 1304are processed by 1305.Xr sshd 8 . 1306The default is 1307.Dq no . 1308Enabling environment processing may enable users to bypass access 1309restrictions in some configurations using mechanisms such as 1310.Ev LD_PRELOAD . 1311.It Cm PermitUserRC 1312Specifies whether any 1313.Pa ~/.ssh/rc 1314file is executed. 1315The default is 1316.Dq yes . 1317.It Cm PidFile 1318Specifies the file that contains the process ID of the 1319SSH daemon, or 1320.Dq none 1321to not write one. 1322The default is 1323.Pa /var/run/sshd.pid . 1324.It Cm Port 1325Specifies the port number that 1326.Xr sshd 8 1327listens on. 1328The default is 22. 1329Multiple options of this type are permitted. 1330See also 1331.Cm ListenAddress . 1332.It Cm PrintLastLog 1333Specifies whether 1334.Xr sshd 8 1335should print the date and time of the last user login when a user logs 1336in interactively. 1337The default is 1338.Dq yes . 1339.It Cm PrintMotd 1340Specifies whether 1341.Xr sshd 8 1342should print 1343.Pa /etc/motd 1344when a user logs in interactively. 1345(On some systems it is also printed by the shell, 1346.Pa /etc/profile , 1347or equivalent.) 1348The default is 1349.Dq yes . 1350.It Cm Protocol 1351Specifies the protocol versions 1352.Xr sshd 8 1353supports. 1354The possible values are 1355.Sq 1 1356and 1357.Sq 2 . 1358Multiple versions must be comma-separated. 1359The default is 1360.Sq 2 . 1361Protocol 1 suffers from a number of cryptographic weaknesses and should 1362not be used. 1363It is only offered to support legacy devices. 1364.Pp 1365Note that the order of the protocol list does not indicate preference, 1366because the client selects among multiple protocol versions offered 1367by the server. 1368Specifying 1369.Dq 2,1 1370is identical to 1371.Dq 1,2 . 1372.It Cm PubkeyAcceptedKeyTypes 1373Specifies the key types that will be accepted for public key authentication 1374as a comma-separated pattern list. 1375Alternately if the specified value begins with a 1376.Sq + 1377character, then the specified key types will be appended to the default set 1378instead of replacing them. 1379The default for this option is: 1380.Bd -literal -offset 3n 1381ecdsa-sha2-nistp256-cert-v01@openssh.com, 1382ecdsa-sha2-nistp384-cert-v01@openssh.com, 1383ecdsa-sha2-nistp521-cert-v01@openssh.com, 1384ssh-ed25519-cert-v01@openssh.com, 1385ssh-rsa-cert-v01@openssh.com, 1386ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 1387ssh-ed25519,ssh-rsa 1388.Ed 1389.Pp 1390The 1391.Fl Q 1392option of 1393.Xr ssh 1 1394may be used to list supported key types. 1395.It Cm PubkeyAuthentication 1396Specifies whether public key authentication is allowed. 1397The default is 1398.Dq yes . 1399.It Cm RekeyLimit 1400Specifies the maximum amount of data that may be transmitted before the 1401session key is renegotiated, optionally followed a maximum amount of 1402time that may pass before the session key is renegotiated. 1403The first argument is specified in bytes and may have a suffix of 1404.Sq K , 1405.Sq M , 1406or 1407.Sq G 1408to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 1409The default is between 1410.Sq 1G 1411and 1412.Sq 4G , 1413depending on the cipher. 1414The optional second value is specified in seconds and may use any of the 1415units documented in the 1416.Sx TIME FORMATS 1417section. 1418The default value for 1419.Cm RekeyLimit 1420is 1421.Dq default none , 1422which means that rekeying is performed after the cipher's default amount 1423of data has been sent or received and no time based rekeying is done. 1424.It Cm RevokedKeys 1425Specifies revoked public keys file, or 1426.Dq none 1427to not use one. 1428Keys listed in this file will be refused for public key authentication. 1429Note that if this file is not readable, then public key authentication will 1430be refused for all users. 1431Keys may be specified as a text file, listing one public key per line, or as 1432an OpenSSH Key Revocation List (KRL) as generated by 1433.Xr ssh-keygen 1 . 1434For more information on KRLs, see the KEY REVOCATION LISTS section in 1435.Xr ssh-keygen 1 . 1436.It Cm RhostsRSAAuthentication 1437Specifies whether rhosts or 1438.Pa /etc/hosts.equiv 1439authentication together 1440with successful RSA host authentication is allowed. 1441The default is 1442.Dq no . 1443This option applies to protocol version 1 only. 1444.It Cm RSAAuthentication 1445Specifies whether pure RSA authentication is allowed. 1446The default is 1447.Dq yes . 1448This option applies to protocol version 1 only. 1449.It Cm ServerKeyBits 1450Defines the number of bits in the ephemeral protocol version 1 server key. 1451The default and minimum value is 1024. 1452.It Cm StreamLocalBindMask 1453Sets the octal file creation mode mask 1454.Pq umask 1455used when creating a Unix-domain socket file for local or remote 1456port forwarding. 1457This option is only used for port forwarding to a Unix-domain socket file. 1458.Pp 1459The default value is 0177, which creates a Unix-domain socket file that is 1460readable and writable only by the owner. 1461Note that not all operating systems honor the file mode on Unix-domain 1462socket files. 1463.It Cm StreamLocalBindUnlink 1464Specifies whether to remove an existing Unix-domain socket file for local 1465or remote port forwarding before creating a new one. 1466If the socket file already exists and 1467.Cm StreamLocalBindUnlink 1468is not enabled, 1469.Nm sshd 1470will be unable to forward the port to the Unix-domain socket file. 1471This option is only used for port forwarding to a Unix-domain socket file. 1472.Pp 1473The argument must be 1474.Dq yes 1475or 1476.Dq no . 1477The default is 1478.Dq no . 1479.It Cm StrictModes 1480Specifies whether 1481.Xr sshd 8 1482should check file modes and ownership of the 1483user's files and home directory before accepting login. 1484This is normally desirable because novices sometimes accidentally leave their 1485directory or files world-writable. 1486The default is 1487.Dq yes . 1488Note that this does not apply to 1489.Cm ChrootDirectory , 1490whose permissions and ownership are checked unconditionally. 1491.It Cm Subsystem 1492Configures an external subsystem (e.g. file transfer daemon). 1493Arguments should be a subsystem name and a command (with optional arguments) 1494to execute upon subsystem request. 1495.Pp 1496The command 1497.Xr sftp-server 8 1498implements the 1499.Dq sftp 1500file transfer subsystem. 1501.Pp 1502Alternately the name 1503.Dq internal-sftp 1504implements an in-process 1505.Dq sftp 1506server. 1507This may simplify configurations using 1508.Cm ChrootDirectory 1509to force a different filesystem root on clients. 1510.Pp 1511By default no subsystems are defined. 1512.It Cm SyslogFacility 1513Gives the facility code that is used when logging messages from 1514.Xr sshd 8 . 1515The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 1516LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 1517The default is AUTH. 1518.It Cm TCPKeepAlive 1519Specifies whether the system should send TCP keepalive messages to the 1520other side. 1521If they are sent, death of the connection or crash of one 1522of the machines will be properly noticed. 1523However, this means that 1524connections will die if the route is down temporarily, and some people 1525find it annoying. 1526On the other hand, if TCP keepalives are not sent, 1527sessions may hang indefinitely on the server, leaving 1528.Dq ghost 1529users and consuming server resources. 1530.Pp 1531The default is 1532.Dq yes 1533(to send TCP keepalive messages), and the server will notice 1534if the network goes down or the client host crashes. 1535This avoids infinitely hanging sessions. 1536.Pp 1537To disable TCP keepalive messages, the value should be set to 1538.Dq no . 1539.It Cm TrustedUserCAKeys 1540Specifies a file containing public keys of certificate authorities that are 1541trusted to sign user certificates for authentication, or 1542.Dq none 1543to not use one. 1544Keys are listed one per line; empty lines and comments starting with 1545.Ql # 1546are allowed. 1547If a certificate is presented for authentication and has its signing CA key 1548listed in this file, then it may be used for authentication for any user 1549listed in the certificate's principals list. 1550Note that certificates that lack a list of principals will not be permitted 1551for authentication using 1552.Cm TrustedUserCAKeys . 1553For more details on certificates, see the CERTIFICATES section in 1554.Xr ssh-keygen 1 . 1555.It Cm UseDNS 1556Specifies whether 1557.Xr sshd 8 1558should look up the remote host name, and to check that 1559the resolved host name for the remote IP address maps back to the 1560very same IP address. 1561.Pp 1562If this option is set to 1563.Dq no 1564(the default) then only addresses and not host names may be used in 1565.Pa ~/.ssh/authorized_keys 1566.Cm from 1567and 1568.Nm 1569.Cm Match 1570.Cm Host 1571directives. 1572.It Cm UseLogin 1573Specifies whether 1574.Xr login 1 1575is used for interactive login sessions. 1576The default is 1577.Dq no . 1578Note that 1579.Xr login 1 1580is never used for remote command execution. 1581Note also, that if this is enabled, 1582.Cm X11Forwarding 1583will be disabled because 1584.Xr login 1 1585does not know how to handle 1586.Xr xauth 1 1587cookies. 1588If 1589.Cm UsePrivilegeSeparation 1590is specified, it will be disabled after authentication. 1591.It Cm UsePAM 1592Enables the Pluggable Authentication Module interface. 1593If set to 1594.Dq yes 1595this will enable PAM authentication using 1596.Cm ChallengeResponseAuthentication 1597and 1598.Cm PasswordAuthentication 1599in addition to PAM account and session module processing for all 1600authentication types. 1601.Pp 1602Because PAM challenge-response authentication usually serves an equivalent 1603role to password authentication, you should disable either 1604.Cm PasswordAuthentication 1605or 1606.Cm ChallengeResponseAuthentication. 1607.Pp 1608If 1609.Cm UsePAM 1610is enabled, you will not be able to run 1611.Xr sshd 8 1612as a non-root user. 1613The default is 1614.Dq no . 1615.It Cm UsePrivilegeSeparation 1616Specifies whether 1617.Xr sshd 8 1618separates privileges by creating an unprivileged child process 1619to deal with incoming network traffic. 1620After successful authentication, another process will be created that has 1621the privilege of the authenticated user. 1622The goal of privilege separation is to prevent privilege 1623escalation by containing any corruption within the unprivileged processes. 1624The argument must be 1625.Dq yes , 1626.Dq no , 1627or 1628.Dq sandbox . 1629If 1630.Cm UsePrivilegeSeparation 1631is set to 1632.Dq sandbox 1633then the pre-authentication unprivileged process is subject to additional 1634restrictions. 1635The default is 1636.Dq sandbox . 1637.It Cm VersionAddendum 1638Optionally specifies additional text to append to the SSH protocol banner 1639sent by the server upon connection. 1640The default is 1641.Dq DragonFly-20160813 . 1642.It Cm X11DisplayOffset 1643Specifies the first display number available for 1644.Xr sshd 8 Ns 's 1645X11 forwarding. 1646This prevents sshd from interfering with real X11 servers. 1647The default is 10. 1648.It Cm X11Forwarding 1649Specifies whether X11 forwarding is permitted. 1650The argument must be 1651.Dq yes 1652or 1653.Dq no . 1654The default is 1655.Dq no . 1656.Pp 1657When X11 forwarding is enabled, there may be additional exposure to 1658the server and to client displays if the 1659.Xr sshd 8 1660proxy display is configured to listen on the wildcard address (see 1661.Cm X11UseLocalhost 1662below), though this is not the default. 1663Additionally, the authentication spoofing and authentication data 1664verification and substitution occur on the client side. 1665The security risk of using X11 forwarding is that the client's X11 1666display server may be exposed to attack when the SSH client requests 1667forwarding (see the warnings for 1668.Cm ForwardX11 1669in 1670.Xr ssh_config 5 ) . 1671A system administrator may have a stance in which they want to 1672protect clients that may expose themselves to attack by unwittingly 1673requesting X11 forwarding, which can warrant a 1674.Dq no 1675setting. 1676.Pp 1677Note that disabling X11 forwarding does not prevent users from 1678forwarding X11 traffic, as users can always install their own forwarders. 1679X11 forwarding is automatically disabled if 1680.Cm UseLogin 1681is enabled. 1682.It Cm X11UseLocalhost 1683Specifies whether 1684.Xr sshd 8 1685should bind the X11 forwarding server to the loopback address or to 1686the wildcard address. 1687By default, 1688sshd binds the forwarding server to the loopback address and sets the 1689hostname part of the 1690.Ev DISPLAY 1691environment variable to 1692.Dq localhost . 1693This prevents remote hosts from connecting to the proxy display. 1694However, some older X11 clients may not function with this 1695configuration. 1696.Cm X11UseLocalhost 1697may be set to 1698.Dq no 1699to specify that the forwarding server should be bound to the wildcard 1700address. 1701The argument must be 1702.Dq yes 1703or 1704.Dq no . 1705The default is 1706.Dq yes . 1707.It Cm XAuthLocation 1708Specifies the full pathname of the 1709.Xr xauth 1 1710program, or 1711.Dq none 1712to not use one. 1713The default is 1714.Pa /usr/local/bin/xauth . 1715.El 1716.Sh TIME FORMATS 1717.Xr sshd 8 1718command-line arguments and configuration file options that specify time 1719may be expressed using a sequence of the form: 1720.Sm off 1721.Ar time Op Ar qualifier , 1722.Sm on 1723where 1724.Ar time 1725is a positive integer value and 1726.Ar qualifier 1727is one of the following: 1728.Pp 1729.Bl -tag -width Ds -compact -offset indent 1730.It Aq Cm none 1731seconds 1732.It Cm s | Cm S 1733seconds 1734.It Cm m | Cm M 1735minutes 1736.It Cm h | Cm H 1737hours 1738.It Cm d | Cm D 1739days 1740.It Cm w | Cm W 1741weeks 1742.El 1743.Pp 1744Each member of the sequence is added together to calculate 1745the total time value. 1746.Pp 1747Time format examples: 1748.Pp 1749.Bl -tag -width Ds -compact -offset indent 1750.It 600 1751600 seconds (10 minutes) 1752.It 10m 175310 minutes 1754.It 1h30m 17551 hour 30 minutes (90 minutes) 1756.El 1757.Sh FILES 1758.Bl -tag -width Ds 1759.It Pa /etc/ssh/sshd_config 1760Contains configuration data for 1761.Xr sshd 8 . 1762This file should be writable by root only, but it is recommended 1763(though not necessary) that it be world-readable. 1764.El 1765.Sh SEE ALSO 1766.Xr sshd 8 1767.Sh AUTHORS 1768OpenSSH is a derivative of the original and free 1769ssh 1.2.12 release by Tatu Ylonen. 1770Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1771Theo de Raadt and Dug Song 1772removed many bugs, re-added newer features and 1773created OpenSSH. 1774Markus Friedl contributed the support for SSH 1775protocol versions 1.5 and 2.0. 1776Niels Provos and Markus Friedl contributed support 1777for privilege separation. 1778