Differences between version 2 and predecessor to the previous major change of sshd(8).
Newer page: | version 2 | Last edited on Monday, June 3, 2002 11:58:53 pm | by perry |
Older page: | version 1 | Last edited on Monday, June 3, 2002 11:58:53 pm | by perry |
@@ -84,9 +84,9 @@
hmac-md5).
Protocol version 2 provides a public key based user (Pub-
-keyAuthentication) or client host (HostbasedAuthentication)
+keyAuthentication) or client host (!
HostbasedAuthentication)
authentication method, conventional password authentication
and challenge response based methods.
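Review bot: The escape on `+keyAuthentication) or client host (!` covers HostbasedAuthentication, but the neighbouring keyword is still split by a man-page line-wrap hyphen (`Pub-` / `keyAuthentication`). Join it to `PubkeyAuthentication`; once joined it is a WikiWord and needs the same `!` escape, so this is the place to add it.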
@@ -197,10 +197,10 @@
dotted decimal addresses should be put into the
utmp file. -u0 is also be used to prevent sshd from
making DNS requests unless the authentication mechanism or
configuration requires it. Authentication mechanisms that
-may require DNS include RhostsAuthentication,
-RhostsRSAAuthentication, HostbasedAuthentication and using a
+may require DNS include !
RhostsAuthentication,
+RhostsRSAAuthentication, !
HostbasedAuthentication and using a
from=
-D
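Review bot: In `+RhostsAuthentication,` / `+RhostsRSAAuthentication, !` the escape is applied to RhostsAuthentication and HostbasedAuthentication but not to RhostsRSAAuthentication between them. If the wiki's WikiWord pattern does not match a name containing a run of capitals (RSA) this is fine; otherwise it will still render as a link and needs `!` too. Worth confirming once and applying uniformly, since the same name recurs unescaped in later hunks. The line `from=` also stops at the `=`, with the option's quoted argument missing, so that sentence is truncated.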
@@ -232,48 +232,48 @@
case-sensitive):
AFSTokenPassing
-Specifies whether an AFS token may be forwarded tothe server. Default is ``yes''.AllowGroupsThis keyword can be followed by a list of groupnames, separated by spaces. If specified, login isallowed only for users whose primary group or supple-mentary group list matches one of the patterns. and? can be used as wildcards in the patterns. Onlygroup names are valid; a numerical group ID is notrecognized. By default login is allowed regardlessof the group list.AllowTcpForwardingSpecifies whether TCP forwarding is permitted. Thedefault is ``yes''. Note that disabling TCP forward-ing does not improve security unless users are alsodenied shell access, as they can always install theirown forwarders.AllowUsersThis keyword can be followed by a list of user names,separated by spaces. If specified, login is allowedonly for users names that match one of the patterns.and ? can be used as wildcards in the patterns.Only user names are valid; a numerical user ID is notrecognized. By default login is allowed regardlessof the user name. If the pattern takes the formUSER@HOST then USER and HOST are separately checked,restricting logins to particular users from particu-lar hosts.AuthorizedKeysFileSpecifies the file that contains the public keys thatcan be used for user authentication.AuthorizedKeysFile may contain tokens of the form %Twhich are substituted during connection set-up. Thefollowing tokens are defined: %% is replaced by aliteral '%', %h is replaced by the home directory ofthe user being authenticated and %u is replaced bythe username of that user. After expansion,AuthorizedKeysFile is taken to be an absolute path orone relative to the user's home directory. Thedefault is ``.ssh/authorized_keys''BannerIn some jurisdictions, sending a warning messagebefore authentication may be relevant for gettinglegal protection. The contents of the specified fileare sent to the remote user before authentication isallowed. 
This option is only available for protocolversion 2.ChallengeResponseAuthenticationSpecifies whether challenge response authenticationis allowed. All authentication styles fromlogin.conf(5) are supported. The default is ``yes''.
+Specifies whether an AFS token may be forwarded tothe server. Default is ``yes''.!
AllowGroupsThis keyword can be followed by a list of groupnames, separated by spaces. If specified, login isallowed only for users whose primary group or supple-mentary group list matches one of the patterns. and? can be used as wildcards in the patterns. Onlygroup names are valid; a numerical group ID is notrecognized. By default login is allowed regardlessof the group list.!
AllowTcpForwardingSpecifies whether TCP forwarding is permitted. Thedefault is ``yes''. Note that disabling TCP forward-ing does not improve security unless users are alsodenied shell access, as they can always install theirown forwarders.!
AllowUsersThis keyword can be followed by a list of user names,separated by spaces. If specified, login is allowedonly for users names that match one of the patterns.and ? can be used as wildcards in the patterns.Only user names are valid; a numerical user ID is notrecognized. By default login is allowed regardlessof the user name. If the pattern takes the formUSER@HOST then USER and HOST are separately checked,restricting logins to particular users from particu-lar hosts.!
AuthorizedKeysFileSpecifies the file that contains the public keys thatcan be used for user authentication.!
AuthorizedKeysFile may contain tokens of the form %Twhich are substituted during connection set-up. Thefollowing tokens are defined: %% is replaced by aliteral '%', %h is replaced by the home directory ofthe user being authenticated and %u is replaced bythe username of that user. After expansion,!
AuthorizedKeysFile is taken to be an absolute path orone relative to the user's home directory. Thedefault is ``.ssh/authorized_keys''!
BannerIn some jurisdictions, sending a warning messagebefore authentication may be relevant for gettinglegal protection. The contents of the specified fileare sent to the remote user before authentication isallowed. This option is only available for protocolversion 2.!
ChallengeResponseAuthenticationSpecifies whether challenge response authenticationis allowed. All authentication styles fromlogin.conf(5) are supported. The default is ``yes''.
Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated. The default is
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour.''
-ClientAliveInterval
+!
ClientAliveInterval
Sets a timeout interval in seconds after which if no data
has been received from the client, sshd will send a message
through the encrypted channel to request a response from the
client. The default is 0, indicating that these messages
will not be sent to the client. This option applies to
protocol version 2 only.
-ClientAliveCountMax
+!
ClientAliveCountMax
Sets the number of client alive messages (see above) which
may be sent without sshd receiving any messages back from
the client. If this threshold is reached while client alive
messages are being sent, sshd will disconnect the client,
terminating the session. It is important to note that the
use of client alive mes- sages is very different from
-KeepAlive (below). The client alive messages are sent
+!
KeepAlive (below). The client alive messages are sent
through the encrypted channel and therefore will not be
-spoofable. The TCP keepalive option enabled by KeepAlive is
+spoofable. The TCP keepalive option enabled by !
KeepAlive is
spoofable. The client alive mechanism is valuable when the
client or server depend on knowing when a connection has
become inactive.
-The default value is 3. If ClientAliveInterval (above) is
-set to 15, and ClientAliveCountMax is left at the default,
+The default value is 3. If !
ClientAliveInterval (above) is
+set to 15, and !
ClientAliveCountMax is left at the default,
unresponsive ssh clients will be dis- connected after
approximately 45 seconds.
-DenyGroups
+!
DenyGroups
This keyword can be followed by a number of group names,
separated by spaces. Users whose primary group or
supplementary group list matches one of the patterns aren't
allowed to log in. and ? can be used as wildcards in the
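Review bot: In the AFSTokenPassing to ChallengeResponseAuthentication block the `!` escapes are inserted into text whose keyword and description have already run together (`AllowGroupsThis keyword can be followed`, `AllowTcpForwardingSpecifies whether`, `AuthorizedKeysFileSpecifies the file`), so the escape alone will not restore the option layout; each keyword needs its own line ahead of its description. The wildcard sentence has also lost its first item: `and? can be used as wildcards in the patterns` (and the same sentence under AllowUsers and DenyGroups) should read `* and ? can be used as wildcards`, the `*` having been consumed by the wiki markup, so it needs escaping as well. The man-page line-break hyphens carried into the text (`supple-mentary`, `particu-lar`, `forward-ing`, `mes- sages`, `dis- connected`) should be joined.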
@@ -281,39 +281,39 @@
is not recognized. By default login is allowed regardless of
the group list.
-DenyUsers
+!
DenyUsers
This keyword can be followed by a number of user names,
separated by spaces. Login is disallowed for user names that
match one of the patterns. and ? can be used as wildcards in
the patterns. Only user names are valid; a numerical user ID
is not recog- nized. By default login is allowed regardless
of the user name.
-GatewayPorts
+!
GatewayPorts
Specifies whether remote hosts are allowed to connect to
ports forwarded for the client. By default, sshd binds
remote port forwardings to the loopback addresss. This
prevents other remote hosts from con- necting to forwarded
-ports. GatewayPorts can be used to specify that sshd should
+ports. !
GatewayPorts can be used to specify that sshd should
bind remote port forward- ings to the wildcard address, thus
allowing remote hosts to connect to forwarded ports. The
argument must be ``yes'' or ``no''. The default is
``no''.
-HostbasedAuthentication
+!
HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authen-
tication together with successful public key client host
authentication is allowed (hostbased authentica- tion). This
option is similar to RhostsRSAAuthentication and applies to
protocol ver- sion 2 only. The default is
``no''.
-HostKey
+!
HostKey
Specifies the file containing the private host keys (default
/etc/ssh/ssh_host_key) used by SSH protocol
versions 1 and 2. Note that sshd will refuse to use a file
if it is group/world-accessible. It is possi- ble to have
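Review bot: `loopback addresss` in the GatewayPorts description (context line) has a stray `s`; while this revision touches these lines it is worth fixing, together with the wrapped hyphens `con- necting`, `authentica- tion`, `ver- sion` and `possi- ble`. `RhostsRSAAuthentication` in `This option is similar to RhostsRSAAuthentication` is again left unescaped, so the WikiWord question raised for the earlier hunk applies here too.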
@@ -321,27 +321,27 @@
1 and ``dsa'' or ``rsa'' are used for version 2 of the SSH
protocol.
-IgnoreRhosts
+!
IgnoreRhosts
Specifies that .rhosts and .shosts files
-will not be used in RhostsAuthentication,
+will not be used in !
RhostsAuthentication,
RhostsRSAAuthentication or
-HostbasedAuthentication.
+!
HostbasedAuthentication.
/etc/hosts.equiv and /etc/ssh/shosts.equiv
are still used. The default is ``yes''.
-IgnoreUserKnownHosts
+!
IgnoreUserKnownHosts
Specifies whether sshd should ignore the user's
$HOME/.ssh/known_hosts during
-RhostsRSAAuthentication or HostbasedAuthentication. The
+RhostsRSAAuthentication or !
HostbasedAuthentication. The
default is ``no''.
-KeepAlive
+!
KeepAlive
Specifies whether the system should send keepalive messages
to the other side. If they are sent, death of the connection
or crash of one of the machines will be properly noticed.
However, this means that connections will die if the route
@@ -361,37 +361,37 @@
both the server and the client configura- tion
files.
-KerberosAuthentication
+!
KerberosAuthentication
Specifies whether Kerberos authentication is allowed. This
can be in the form of a Kerberos ticket, or if
-PasswordAuthentication is yes, the password provided by the
+!
PasswordAuthentication is yes, the password provided by the
user will be validated through the Kerberos KDC. To use this
option, the server needs a Kerberos servtab which allows the
verification of the KDC's identity. Default is
``yes''.
-KerberosOrLocalPasswd
+!
KerberosOrLocalPasswd
If set then if password authentication through Ker- beros
fails then the password will be validated via any additional
local mechanism such as /etc/passwd. Default is
``yes''.
-KerberosTgtPassing
+!
KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the
server. Default is ``no'', as this only works when the
Kerberos KDC is actually an AFS kaserver.
-KerberosTicketCleanup
+!
KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket
cache file on logout. Default is ``yes''.
-KeyRegenerationInterval
+!
KeyRegenerationInterval
In protocol version 1, the ephemeral server key is
automatically regenerated after this many seconds (if it has
been used). The purpose of regeneration is to prevent
decrypting captured sessions by later break- ing into the
@@ -399,34 +399,34 @@
anywhere. If the value is 0, the key is never regenerated.
The default is 3600 (seconds).
-ListenAddress
+!
ListenAddress
Specifies the local addresses sshd should listen on. The
following forms may be used:
-ListenAddress host|IPv4_addr|IPv6_addr
-ListenAddress host|IPv4_addr:port
-ListenAddress [[
+!
ListenAddress host|IPv4_addr|IPv6_addr
+!
ListenAddress host|IPv4_addr:port
+!
ListenAddress [[
host|IPv6_addr]:port
If port is not specified, sshd will listen on the address
and all prior Port options specified. The default is to
-listen on all local addresses. Multi- ple ListenAddress
+listen on all local addresses. Multi- ple !
ListenAddress
options are permitted. Addition- ally, any Port options must
precede this option for non port qualified
addresses.
-LoginGraceTime
+!
LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in. If the value is 0, there is no time
limit. The default is 600 (sec- onds).
-LogLevel
+!
LogLevel
Gives the verbosity level that is used when logging messages
from sshd. The possible values are: QUIET, FATAL, ERROR,
INFO, VERBOSE and DEBUG. The default is INFO. Logging with
level DEBUG violates the pri- vacy of users and is not
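Review bot: The third ListenAddress form is broken by the wiki's link syntax rather than by a WikiWord: `ListenAddress [[` followed by `host|IPv6_addr]:port` shows that `[host|IPv6_addr]:port` is being read as a bracketed link with an alias, and the `!` placed before ListenAddress does nothing for that. The bracket needs the same escaping treatment (or the whole synopsis set as preformatted text) so the line renders as a single `ListenAddress [host|IPv6_addr]:port`. The wrapped hyphens `Multi- ple`, `Addition- ally`, `sec- onds` and `pri- vacy` should be joined.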
@@ -440,13 +440,13 @@
be comma-separated. The default is
``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.
-MaxStartups
+!
MaxStartups
Specifies the maximum number of concurrent unauthen- ticated
connections to the sshd daemon. Additional connections will
be dropped until authentication suc- ceeds or the
-LoginGraceTime expires for a connection. The default is
+!
LoginGraceTime expires for a connection. The default is
10.
Alternatively, random early drop can be enabled by
@@ -457,24 +457,24 @@
PAMAuthenticationViaKbdInt
Specifies whether PAM challenge response authentica- tion is
allowed. This allows the use of most PAM challenge response
authentication modules, but it will allow password
-authentication regardless of whether PasswordAuthentication
+authentication regardless of whether !
PasswordAuthentication
is disabled. The default is ``no''.
-PasswordAuthentication
+!
PasswordAuthentication
Specifies whether password authentication is allowed. The
default is ``yes''.
-PermitEmptyPasswords
+!
PermitEmptyPasswords
When password authentication is allowed, it specifies
whether the server allows login to accounts with empty
password strings. The default is ``no''.
-PermitRootLogin
+!
PermitRootLogin
Specifies whether root can login using ssh(1). The
argument must be ``yes'', ``without-password'',
``forced-commands-only'' or ``no''. The default is
``yes''.
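Review bot: `PAMAuthenticationViaKbdInt` at the top of the hunk is left unescaped while `PasswordAuthentication` three lines below gets `!`; like RhostsRSAAuthentication it begins with a run of capitals, so whether it auto-links depends on the wiki's WikiWord pattern, and the decision should be made once and applied to all such names. The wrapped hyphens `authentica- tion` and `suc- ceeds` should be joined.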
@@ -495,27 +495,27 @@
If this option is set to ``no'' root is not allowed to
login.
-PidFile
+!
PidFile
Specifies the file that contains the process identi- fier of
the sshd daemon. The default is
/var/run/sshd.pid.
Port
Specifies the port number that sshd listens on. The default
is 22. Multiple options of this type are permitted. See also
-ListenAddress.
+!
ListenAddress.
-PrintLastLog
+!
PrintLastLog
Specifies whether sshd should print the date and time when
the user last logged in. The default is
``yes''.
-PrintMotd
+!
PrintMotd
Specifies whether sshd should print /etc/motd when
a user logs in interactively. (On some systems it is also
printed by the shell, /etc/profile, or equiva-
lent.) The default is ``yes''.
@@ -526,22 +526,22 @@
possible values are ``1'' and ``2''. Multiple versions must
be comma-separated. The default is ``2,1''.
-PubkeyAuthentication
+!
PubkeyAuthentication
Specifies whether public key authentication is allowed. The
default is ``yes''. Note that this option applies to
protocol version 2 only.
-ReverseMappingCheck
+!
ReverseMappingCheck
Specifies whether sshd should try to verify the remote host
name and check that the resolved host name for the remote IP
address maps back to the very same IP address. The default
is ``no''.
-RhostsAuthentication
+!
RhostsAuthentication
Specifies whether authentication using rhosts or
/etc/hosts.equiv files is sufficient. Normally, this method
should not be permitted because it is inse- cure.
RhostsRSAAuthentication should be used instead, because it
@@ -563,15 +563,15 @@
default is ``yes''. This option applies to pro- tocol
version 1 only.
-ServerKeyBits
+!
ServerKeyBits
Defines the number of bits in the ephemeral protocol version
1 server key. The minimum value is 512, and the default is
768.
-StrictModes
+!
StrictModes
Specifies whether sshd should check file modes and ownership
of the user's files and home directory before accepting
login. This is normally desirable because novices sometimes
accidentally leave their directory or files world-writable.
@@ -587,16 +587,16 @@
Note that this option applies to protocol version 2
only.
-SyslogFacility
+!
SyslogFacility
Gives the facility code that is used when logging messages
from sshd. The possible values are: DAEMON, USER, AUTH,
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6,
LOCAL7. The default is AUTH.
-UseLogin
+!
UseLogin
Specifies whether login(1) is used for interactive
login sessions. The default is ``no''. Note that
login(1) is never used for remote command
execution. Note also, that if this is enabled, X11Forwarding
@@ -614,9 +614,9 @@
Specifies whether X11 forwarding is permitted. The default
is ``no''. Note that disabling X11 forward- ing does not
improve security in any way, as users can always install
their own forwarders. X11 for- warding is automatically
-disabled if UseLogin is enabled.
+disabled if !
UseLogin is enabled.
XAuthLocation
Specifies the location of the xauth(1) program. The
@@ -707,9 +707,9 @@
$HOME/.ssh/authorized_keys is the default file that
lists the public keys that are permitted for RSA
authentication in protocol version 1 and for public key
authentication (Pub- keyAuthentication) in protocol version
-2. AuthorizedKeysFile may be used to specify an alternative
+2. !
AuthorizedKeysFile may be used to specify an alternative
file.
Each line of the file contains one key (empty lines and
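Review bot: `Pub- keyAuthentication` on the context line above the change is the same wrapped hyphen as in the first hunk; join it to `PubkeyAuthentication` and give it the `!` escape alongside the one being added for AuthorizedKeysFile.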
@@ -1020,6 +1020,6 @@
scp(1), sftp(1), ssh(1),
ssh-add(1), ssh-agent(1),
ssh-keygen(1), login.conf(5),
moduli(5), sftp-server(8)
- T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen,'' SSH Protocol Architecture'', draft-ietf-secsh-architecture-09.txt, July 2001, work inprogress material. M. Friedl, N. Provos, and W. A. Simpson,'' Diffie-Hellman Group Exchange for the SSH Transport LayerProtocol'', draft-ietf-secsh-dh-group-exchange-01.txt, April 2001, work in progress material.BSD September 25, 1999 1
+ T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen,'' SSH Protocol Architecture'', draft-ietf-secsh-architecture-09.txt, July 2001, work inprogress material. M. Friedl, N. Provos, and W. A. Simpson,'' Diffie-Hellman Group Exchange for the SSH Transport !
LayerProtocol'', draft-ietf-secsh-dh-group-exchange-01.txt, April 2001, work in progress material.BSD September 25, 1999 1
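Review bot: The `!` added before `LayerProtocol` escapes a WikiWord that exists only because the space in the reference title `SSH Transport Layer Protocol` was lost; restoring the space fixes both the rendering and the citation, whereas the escape preserves the typo. The same line has `work inprogress material` (missing space) and the man page's footer `BSD September 25, 1999 1` appended to the reference list, which should be dropped.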
----