sshd2_config(4)
NAME
sshd2_config - Configuration file for the sshd2 daemon
DESCRIPTION
The sshd2 daemon reads configuration data from the /etc/ssh2/sshd2_config
file (or the file specified with the sshd2 -f command). The file contains
keyword-argument pairs, one per line. Keywords are case insensitive. Empty
lines and lines starting with a number sign ( # ) are ignored as comments.
The following are sshd2_config file keywords.
AllowAgentForwarding or ForwardAgent
Specifies whether agent forwarding is permitted. Usually, you should
allow users to freely forward agent connections. The argument must be
yes or no. The default is yes.
AllowedAuthentications
Specifies the authentication methods that the server uses to
authenticate users. Supported authentication methods are password,
publickey, and hostbased. The default is publickey,password.
You can specify any or all authentication methods. Use a comma-
separated list when specifying more than one argument. The order in
which authentication methods are listed is the order in which they are
used. For example, if hostbased is listed first, the server will use
hostbased authentication before trying the next listed authentication.
The first successful authentication is the one used.
With the RequiredAuthentications keyword, you can force users to
complete several authentications before they are considered
authenticated. As with the AllowedAuthentications keyword, the order in
which the arguments are listed matters.
AllowCshrcSourcingWithSubsystems
Specifies whether to give an additional -f argument to csh or tcsh when
executing subsystems to prevent commands in .cshrc (or .tcshrc) from
interfering with, for example, the sftp-server subsystem. The argument
must be yes or no. The default is no.
AllowGroups
Specifies the names of groups in which only users who belong to those
groups can log in. Groups are defined on the server in the /etc/group
file. Use a comma-separated list when specifying more than one group
name. By default, all groups are allowed to log in. Note that all
other login authentication steps must still be successfully completed.
The DenyGroups keyword specifies additional restrictions.
AllowHosts
Specifies the names of hosts from which users can log in. Use a comma-
separated list when specifying more than one host name. Name servers
are used to map the client's host name. If the name cannot be mapped,
the IP address is used as the host name. By default, user log in is
allowed from all hosts. The DenyHosts keyword specifies additional
restrictions.
AllowSHosts
Specifies the names of hosts from which users can connect. The host
name must also be specified in the .shosts file, the .rhosts file, the
/etc/hosts.equiv file, or the /etc/shosts.equiv file. Use a comma-
separated list when specifying more than one host name.
The asterisk ( * ) and question mark ( ? ) can be used as wildcards in
the patterns. Name servers are used to map the client's host name. If
the name cannot be mapped, the IP address is used as the host name. By
default, all hosts are allowed to connect. The DenySHosts keyword
specifies additional restrictions.
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. Disabling TCP forwarding
does not improve security in any way, as users can always install their
own forwarders. The EnforceSecureRutils keyword requires that the
AllowTcpForwarding keyword be enabled. The argument must be yes or no.
The default is yes.
AllowTcpForwardingForGroups
Specifies the name of groups in which only users who belong to those
groups can forward ports. Use a comma-separated list when specifying
more than one group name. Disabling TCP forwarding does not improve
security in any way, as users can always install their own forwarders.
This does, however, help if you deny the user shell access at the same
time. See ssh-dummy-shell(1). The argument must be yes or no. The
default is yes (enable forwarding).
AllowTcpForwardingForUsers
Specifies the names of users who can forward ports. Use a comma-separated
list when specifying more than one user name. Disabling TCP forwarding
does not improve security in any way, as users can always install their
own forwarders. This does, however, help if you deny the user shell
access at the same time. See ssh-dummy-shell(1). The argument must be
yes or no. The default is yes (enable forwarding).
AllowUsers
Specifies the names of users who can log in. Use a comma-separated list
when specifying more than one user name. User names can be entered as
user@host_name where host_name is a DNS name or the IP address. By
default, all users are allowed to log in. Note that all other login
authentication steps must still be successfully completed. The
DenyUsers keyword specifies additional restrictions.
AllowX11Forwarding, X11Forwarding, or ForwardX11
Specifies whether X11 forwarding is permitted. Note that disabling X11
forwarding does not improve security in any way, as users can always
install their own forwarders. The argument must be yes or no. The
default is yes.
AuthorizationFile
Specifies the name of the user's authorization file.
BannerMessageFile
Specifies the path to the message that is sent to the client before
authentication. The default path is /etc/ssh2/ssh_banner_message.
CheckMail
Specifies whether a notice is displayed when a user logs in and has new
mail. The argument must be yes or no. The default is yes.
ChRootGroups
Specifies the names of groups in which users who belong to those groups
have a chrooted environment. A chrooted environment is one in which
users are restricted to their home directory and its subdirectories.
Groups are defined on the server in the /etc/group file. Use a comma-
separated list when specifying more than one group name.
ChRootUsers
Specifies the names of users who have a chrooted environment. A
chrooted environment is one in which users are restricted to their home
directory and its subdirectories. Use a comma-separated list when
specifying more than one user name.
Ciphers
Specifies the Secure Shell ciphers to use for encrypting the session.
Supported ciphers are des, 3des, blowfish, arcfour, twofish, and cast.
Special arguments for this keyword are any; anystd, which allows only
standard ciphers (and none); and anycipher, which allows either any
available cipher or excludes the non-encrypting cipher mode none but
allows all others. Use a comma-separated list when specifying more than
one cipher.
DenyGroups
Specifies the names of groups in which users who belong to those groups
can not log in. Groups are defined on the server in the /etc/group
file. Use a comma-separated list when specifying more than one group
name. By default, all groups are allowed to log in.
DenyHosts
Specifies the names of hosts from which users can not log in. Use a
comma-separated list when specifying more than one host name. By
default, user log in is allowed from all hosts.
DenySHosts
Specifies the names of hosts from which users can not connect. The host
name must also be specified in the .shosts file, the .rhosts file, the
/etc/hosts.equiv file, or the /etc/shosts.equiv file. Use a comma-
separated list when specifying more than one host name.
DenyTcpForwardingForGroups
Specifies the name of groups in which users who belong to those groups
can not forward ports. Use a comma-separated list when specifying more
than one group name. Disabling TCP forwarding does not improve security
in any way, as users can always install their own forwarders. This
does, however, help if you deny the user shell access at the same time.
See ssh-dummy-shell(1). The argument must be yes or no.
DenyTcpForwardingForUsers
Specifies the names of users who can not forward ports. Use a comma-
separated list when specifying more than one user name. Disabling TCP
forwarding does not improve security in any way, as users can always
install their own forwarders. This does, however, help if you deny the
user shell access at the same time. See ssh-dummy-shell(1). The
argument must be yes or no.
DenyUsers
Specifies the names of users who can not log in. Use a comma-separated
list when specifying more than one user name. User names can be entered
as user@host_name where host_name is a DNS name or the IP address. By
default, all users are allowed to log in. Note that all other login
authentication steps must still be successfully completed. The
AllowUsers keyword specifies additional restrictions.
ForcePTTYAllocation
Forces tty allocation, that is, allocates a tty even if a command is
given. The argument must be yes or no. (Not yet implemented.)
ForwardAgent
See AllowAgentForwarding.
HostKeyFile
Specifies the file containing the private host key. The default file is
/etc/ssh2/hostkey.
IdentityFile
Specifies the file containing the user public key. The default file is
identification.
IgnoreRhosts
Specifies that the rhosts and shosts files will not be used in
hostbased authentication (See AllowedAuthentications.) The
/etc/hosts.equiv and the /etc/shosts.equiv files are still used (if
hostbased authentication is used). The argument must be yes or no. The
default is no.
IgnoreRootRhosts
Specifies that the rhosts and shosts files will not be used in
authentication for root. The default is the value of the IgnoreRhosts
keyword.
KeepAlive
Specifies whether or not the system should send keepalive messages. If
they are sent, the loss of a connection or crash of a system will be
noticed. However, this means that connections will die if the route is
down temporarily. The argument must be yes or no. The default is yes
(send keepalive messages). To disable keepalive messages, set the
value to no in both the server and the client configuration files.
ListenAddress
Specifies the IP address of the interface where the sshd2 server socket
is bound.
LoginGraceTime
Specifies the time, in seconds, that the server disconnects after a
user has not successfully logged in. If the value is 0, there is no
time limit. The default is 600 (seconds).
MACs
Specifies the Secure Shell MAC (Message Authentication Code) algorithm
to use for data integrity verification. Supported MAC algorithms are
hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, and
hmac-ripemd160-96, of which hmac-sha1, hmac-sha1-96, hmac-md5 and
hmac-md5-96 are included.
Use a comma-separated list when specifying more than one MAC. Special
arguments to this keyword are any, anystd, which allows only standard
MACs (and none), and anymac, which allows either any available MAC or
excludes none but allows all others. The anystdmac argument is the same
as the anymac argument, but includes only those MACs mentioned in the
IETF-SecSH-draft (excluding none).
MaxBroadcastsPerSecond
Specifies the maximum number of UDP broadcasts that the server will
handle per second. The default value is 0, no broadcasts are handled.
Broadcasts that exceed the limit are silently ignored. Received
unrecognized UDP datagrams also consume the capacity defined by this
keyword.
MaxConnections
Specifies the maximum number of connections that the sshd2 daemon will
handle simultaneously. This is useful in systems where spamming the
sshd2 daemon with new connections can cause the system to become
unstable or crash. The argument is a positive number. An argument of 0
means that the number of connections is unlimited (by the sshd2
daemon). The same effect is achieved by using xinetd.
NoDelay
Specifies whether or not to enable socket option TCP_NODELAY. The
argument must be yes or no. The default is no.
PasswordGuesses
Specifies the number of login attempts that the user is permitted when
using password authentication. The default is 3 attempts.
PermitEmptyPasswords
Specifies whether or not the server allows login to accounts with
empty password strings when using password authentication. The argument
must be yes or no.
PermitRootLogin
Specifies whether root can log in using the ssh2 command.
The argument must be yes, no, or nopwd. The default is yes.
The nopwd value disables password-authenticated root logins. The no
value disables root logins. The nopwd and no values are equivalent unless
you have a .rhosts or .shosts file in the root home directory and you have
not set up public key authentication for root. Root login with public
key authentication will be allowed regardless of the value of this
setting (which may be useful for taking remote backups even if root
login is normally not allowed).
Port
Specifies the port number where the sshd2 daemon listens. The default
is port number 22.
PrintMotd
Specifies whether or not the /etc/motd file is displayed when a user
logs in. The argument must be yes or no. The default is yes.
PublicHostKeyFile
Specifies the name of the file containing the public host key. The
default is the /etc/ssh2/hostkey.pub file.
QuietMode
Specifies whether or not all warnings and diagnostic messages are
displayed. Fatal errors are displayed. The argument must be yes or no.
RandomSeedFile
Specifies the name of the random seed file. The default is the
/etc/ssh2/random_seed file.
RekeyIntervalSeconds
Specifies the number of seconds between key exchanges. The default is
3600 seconds (one hour). A value of 0 (zero) turns rekey requests off.
This does not prevent the client from requesting rekeys. Other clients
might not have rekey capabilities implemented correctly, and might not
support rekey requests. This means that they might terminate the
connection or crash.
RequiredAuthentications
Specifies the authentication methods that users must pass before
connecting. Supported authentication methods are password, publickey,
and hostbased. Use a comma-separated list when specifying more than
one argument. If no value is specified, the client can authenticate
users by using any of the authentication methods specified by the
AllowedAuthentications keyword. If a value is specified, the client
must authenticate users using the specified authentication methods.
This keyword has no default.
RequireReverseMapping
Specifies whether or not a hostname DNS lookup must succeed when
checking connections from hosts that are defined by the AllowHosts
and DenyHosts keywords.
The argument must be yes or no. If the argument is yes and the DNS
name lookup fails, the connection is denied. If the argument is no and
the DNS name lookup fails, the remote host's IP address is used to
check whether it is allowed to connect. This might not be desirable if
you have defined only host names (not IP addresses) with the AllowHosts
and DenyHosts keywords.
The default is no.
Subsystem-<subsystem name>
Specifies a subsystem, which is a set of commands predefined on the
server. The argument is a command which will be executed when the
subsystem is requested. The sftp command uses a subsystem of the sshd2
daemon to transfer files securely. Do not remove the default definition
of subsystem-sftp sftp-server. The scp and sftp commands require this
definition.
Ssh1Compatibility
Specifies whether or not the sshd1 daemon is executed when the client
supports only SSH 1.x protocols. The argument must be yes or no.
Sshd1Path
Specifies the path to the sshd1 daemon which will be executed if the
client supports only SSH 1.x protocols. The arguments for the sshd2
daemon are passed to the sshd1 daemon.
SshPAMClientPath
Specifies the path to ssh-pam-client, which is used by the sshd2 daemon
as a helper application to converse with the PAM modules.
SyslogFacility
Specifies the facility code that is used when logging messages from the
sshd2 daemon. The possible values are: DAEMON, USER, AUTH, LOCAL0,
LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is
AUTH.
UserConfigDirectory
Specifies where user-specific configuration data can be retrieved. With
this keyword, administrators can control configuration parameters that
are normally the users' domain. This argument is a pattern string which
is expanded by the sshd2 daemon. Argument %D is the user's home
directory, %U is the user's login name, %IU is the user's user ID
(uid), and %IG is the user's group ID (gid). The default is %D.
UserKnownHosts
Specifies whether the user's $HOME/.ssh2/knownhosts/ directory can be
used to get host public keys when using hostbased authentication. The
argument must be yes or no. The default is yes.
VerboseMode
Specifies whether or not debugging messages are displayed. The argument
must be yes or no. The default is no.
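The following parser and audit script is an added example, not part of this man page or of the SSH2 distribution. It reads the keyword-argument format described above (case-insensitive keywords, # comments) from a constructed sample file and reports the settings this page calls out: root or empty-password logins, a Ciphers or MACs list that admits none, LoginGraceTime or MaxConnections set to 0 (no limit), unsupported authentication methods, and a missing subsystem-sftp definition.

```python
# Constructed sample sshd2_config (not from any real host), deliberately
# containing several settings the man page describes as risky or invalid.
SAMPLE_CONFIG = """\
# sshd2_config: constructed sample
Port                    22
permitrootlogin         yes
PermitEmptyPasswords    yes
AllowedAuthentications  password,publickey,kerberos
Ciphers                 any
MACs                    hmac-sha1,none
LoginGraceTime          0
"""

# Values the man page warns about, or that remove a protective limit.
WEAK_VALUES = {"permitrootlogin": "yes", "permitemptypasswords": "yes",
               "logingracetime": "0", "maxconnections": "0"}
SUPPORTED_AUTHS = {"password", "publickey", "hostbased"}
# Cipher/MAC arguments that admit the non-encrypting / non-authenticating 'none'.
ADMITS_NONE = {"any", "anystd", "none"}

def parse_sshd2_config(text):
    """Keyword-argument pairs, one per line. Keywords are case insensitive;
    empty lines and lines starting with '#' are ignored as comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:            # a keyword with no argument is skipped
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def split_list(conf, key):
    """Comma-separated argument of `key` as a list of lowercase items."""
    return [v.strip().lower() for v in conf.get(key, "").split(",") if v.strip()]

def audit_sshd2_config(conf):
    """Return one finding string per risky or invalid setting."""
    findings = []
    for key, bad in WEAK_VALUES.items():
        if conf.get(key, "").lower() == bad:
            findings.append(f"{key} is set to {bad}")
    for key in ("ciphers", "macs"):
        if ADMITS_NONE & set(split_list(conf, key)):
            findings.append(f"{key} admits 'none'")
    for key in ("allowedauthentications", "requiredauthentications"):
        for unknown in sorted(set(split_list(conf, key)) - SUPPORTED_AUTHS):
            findings.append(f"{key} lists unsupported method {unknown}")
    if "subsystem-sftp" not in conf:
        findings.append("subsystem-sftp not defined; scp and sftp require it")
    return findings
```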
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
SEE ALSO
Commands: sshd2(1), ssh-dummy-shell(1)