sshd_config Parameter Description

SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
Name
sshd_config - OpenSSH SSH server daemon configuration file
Synopsis
/etc/ssh/sshd_config
Description
sshd(8) reads its configuration from /etc/ssh/sshd_config by default (or from the file given with the -f command-line option).
The file consists of "keyword value" pairs, one per line. Empty lines and lines beginning with '#' are ignored.
If a value contains spaces or other whitespace characters, it can be enclosed in double quotes (").
[Note] Values are case-sensitive, but keywords are not.
All currently available configuration directives are as follows:


AcceptEnv
specifies which environment variables sent by the client are copied into the session's environment. [Note] Only the SSH-2 protocol supports passing environment variables.
See the SendEnv directive in ssh_config(5) for details.
The value of this directive is a space-separated list of variable names (in which '*' and '?' can be used as wildcards). Multiple AcceptEnv directives may be used for the same purpose.
Be aware that some environment variables could be used to bypass restricted user environments. For this reason, the directive should be used with care.
The default is to pass no environment variables.


AddressFamily
specifies which address family sshd(8) should use. Valid values are: "any" (default), "inet" (IPv4 only), "inet6" (IPv6 only).


AllowGroups
this directive is followed by a space-separated list of group name patterns (in which the "*" and "?" wildcards can be used). By default all groups are allowed to log in.
If this directive is used, only members of the listed groups are allowed to log in, and all other groups are rejected.
Here "group" means the primary group, that is, the group specified in /etc/passwd.
Only group names are accepted, not numeric GIDs. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups


AllowTcpForwarding
specifies whether TCP forwarding is permitted. The default is "yes".
Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can install their own forwarders.


AllowUsers
this directive is followed by a space-separated list of user name patterns (in which the "*" and "?" wildcards can be used). By default all users are allowed to log in.
If this directive is used, only the listed users are allowed to log in, and all other users are rejected.
If a pattern takes the form USER@HOST, then both USER and HOST are checked.
Only user names are accepted, not numeric UIDs. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups


AuthorizedKeysFile
specifies the file that holds the RSA/DSA public keys a user may use to log in.
The directive can contain the following tokens, which are expanded at connection time:
%% is replaced by a literal '%', %h by the user's home directory, %u by the user name.
After expansion the value must be either an absolute path or a path relative to the user's home directory.
The default is ".ssh/authorized_keys".
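The token expansion and the absolute-or-relative rule described above, as an added example (not part of the original article; the function name and the sample user/home values are assumptions):

```python
import posixpath

# Added example (not from the original article): expand the %%, %h and %u
# tokens sshd_config accepts in AuthorizedKeysFile, then resolve the result
# relative to the user's home directory unless it is already absolute.

def expand_authorized_keys_file(value, user, home):
    """Expand %% -> '%', %h -> home directory, %u -> user name.

    A single left-to-right scan is used on purpose: chaining str.replace()
    calls would turn a literal "%%h" into the home directory instead of "%h".
    """
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "%" and i + 1 < len(value):
            token = value[i + 1]
            if token == "%":
                out.append("%")
            elif token == "h":
                out.append(home)
            elif token == "u":
                out.append(user)
            else:
                raise ValueError("unknown token %%%s in AuthorizedKeysFile" % token)
            i += 2
        else:
            out.append(ch)
            i += 1
    expanded = "".join(out)
    # After expansion the path must be absolute or relative to the home directory.
    if posixpath.isabs(expanded):
        return posixpath.normpath(expanded)
    return posixpath.normpath(posixpath.join(home, expanded))


if __name__ == "__main__":
    # Constructed sample values.
    print(expand_authorized_keys_file(".ssh/authorized_keys", "alice", "/home/alice"))
    print(expand_authorized_keys_file("/etc/ssh/keys/%u", "alice", "/home/alice"))
```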


Banner
the contents of the file specified by this directive are displayed to the remote user before authentication.
This feature is available only for SSH-2; by default no banner is displayed. "none" disables the feature.


ChallengeResponseAuthentication
specifies whether challenge-response authentication is allowed. The default is "yes".
All authentication methods permitted by login.conf(5) are supported.


Ciphers
specifies the encryption algorithms allowed for SSH-2. Multiple algorithms are separated by commas. The available algorithms are:
"aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr",
"3des-cbc", "arcfour128", "arcfour256", "arcfour", "blowfish-cbc", "cast128-cbc"
The default allows all of the above algorithms.


ClientAliveCountMax
the maximum number of client alive messages sshd(8) may send without receiving any reply from the client. The default is 3.
When this limit is reached, sshd(8) forcibly disconnects the client and terminates the session.
Note that client alive messages are very different from TCPKeepAlive.
Client alive messages are sent through the encrypted channel and therefore cannot be spoofed; TCPKeepAlive can be spoofed.
If ClientAliveInterval is set to 15 and ClientAliveCountMax is left at its default,
an unresponsive client is forcibly disconnected after approximately 45 seconds. This directive applies to SSH-2 only.


ClientAliveInterval
sets a timeout interval in seconds; if no data has been received from the client for this long,
sshd(8) sends a client alive message through the encrypted channel and waits for a response.
The default of 0 means no client alive messages are sent. This option applies to SSH-2 only.


Compression
specifies whether communication data is compressed, or whether compression is delayed until after the user has authenticated successfully.
Available values: "yes", "delayed" (default), "no".


DenyGroups
this directive is followed by a space-separated list of group name patterns (in which the "*" and "?" wildcards can be used). By default all groups are allowed to log in.
If this directive is used, members of the listed groups are denied login.
Here "group" means the primary group, that is, the group specified in /etc/passwd.
Only group names are accepted, not numeric GIDs. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups


DenyUsers
this directive is followed by a space-separated list of user name patterns (in which the "*" and "?" wildcards can be used). By default all users are allowed to log in.
If this directive is used, the listed users are denied login.
If a pattern takes the form USER@HOST, then both USER and HOST are checked.
Only user names are accepted, not numeric UIDs. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups
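The allow/deny evaluation order given for the four directives above (DenyUsers, AllowUsers, DenyGroups, AllowGroups), with '*' / '?' wildcards and USER@HOST patterns, as an added example; this is not code from the article or from OpenSSH, and the function names and the sample policy are assumptions:

```python
import fnmatch

# Added example (not from the original article): evaluate the four
# AllowUsers/DenyUsers/AllowGroups/DenyGroups lists in the order the
# sshd_config description gives: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# Patterns use '*' and '?' wildcards; user patterns may take the form USER@HOST.

def _match_user(pattern, user, host):
    """Match a user pattern; for USER@HOST the host part must match too."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, user_pat) and fnmatch.fnmatchcase(host, host_pat)
    return fnmatch.fnmatchcase(user, pattern)


def _match_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def login_allowed(user, group, host, deny_users=(), allow_users=(),
                  deny_groups=(), allow_groups=()):
    """Return (allowed, directive) following the documented processing order.

    An empty Allow* list means "no restriction", exactly as when the
    directive is absent from sshd_config.
    """
    if any(_match_user(p, user, host) for p in deny_users):
        return False, "DenyUsers"
    if allow_users and not any(_match_user(p, user, host) for p in allow_users):
        return False, "AllowUsers"
    if _match_any(deny_groups, group):
        return False, "DenyGroups"
    if allow_groups and not _match_any(allow_groups, group):
        return False, "AllowGroups"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample policy: deny guest accounts everywhere, allow ops
    # staff only from the admin subnet, and restrict everyone to group wheel.
    policy = dict(deny_users=["guest*"],
                  allow_users=["ops-?@10.0.0.*", "root@10.0.0.1"],
                  allow_groups=["wheel"])
    print(login_allowed("ops-1", "wheel", "10.0.0.7", **policy))
    print(login_allowed("ops-1", "wheel", "192.168.1.7", **policy))
    print(login_allowed("guest-ops", "wheel", "10.0.0.7", **policy))
```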


ForceCommand
forces execution of the command specified here, ignoring any command supplied by the client. The command is run with the user's login shell (shell -c).
This applies to shell, command and subsystem requests alike, and is most useful inside a Match block.
The command originally requested by the client is available in the SSH_ORIGINAL_COMMAND environment variable.


GatewayPorts
specifies whether remote hosts are allowed to connect to ports forwarded for the client. The default is "no".
By default sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports.
GatewayPorts allows sshd to bind remote port forwardings to non-loopback addresses, so that remote hosts may connect.
"no" allows local connections only, "yes" forces remote port forwardings to bind to the wildcard address,
and "clientspecified" allows the client to choose the address to which the forwarding is bound.


GSSAPIAuthentication
specifies whether GSSAPI-based user authentication is allowed. The default is "no". SSH-2 only.


GSSAPICleanupCredentials
specifies whether the user's credential cache is automatically destroyed on logout. The default is "yes". SSH-2 only.


HostbasedAuthentication
this directive is similar to RhostsRSAAuthentication, but applies to SSH-2 only.
The default is "no", and keeping it is recommended, since this authentication method is insecure.


HostbasedUsesNameFromPacketOnly
when HostbasedAuthentication is enabled, specifies whether the server performs a reverse DNS lookup
when matching the remote host name against ~/.shosts, ~/.rhosts and /etc/hosts.equiv.
"yes" means sshd(8) trusts the host name supplied by the client without a reverse lookup. The default is "no".


HostKey
specifies the location of the host private key files. If the file permissions are wrong, sshd(8) may refuse to start.
The SSH-1 default is /etc/ssh/ssh_host_key.
The SSH-2 defaults are /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key.
A host may have several different private keys. "rsa1" keys are used for SSH-1 only; "dsa" and "rsa" keys for SSH-2 only.


IgnoreRhosts
specifies whether .rhosts and .shosts files are ignored during RhostsRSAAuthentication or HostbasedAuthentication.
/etc/hosts.equiv and /etc/shosts.equiv are still used. It is recommended to keep the default "yes".


IgnoreUserKnownHosts
specifies whether sshd(8) ignores the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.
The default is "no". Setting it to "yes" improves security.


KerberosAuthentication
specifies whether the password supplied by the user for PasswordAuthentication is validated through the Kerberos KDC, that is, whether Kerberos authentication is used.
To use Kerberos authentication, the server needs a Kerberos servtab that allows the KDC's identity to be verified. The default is "no".


KerberosGetAFSToken
if AFS is active and the user has a Kerberos 5 TGT, enabling this directive
makes the server attempt to acquire an AFS token before accessing the user's home directory. The default is "no".


KerberosOrLocalPasswd
if Kerberos password authentication fails, the password is validated through another authentication mechanism (such as /etc/passwd).
The default is "yes".


KerberosTicketCleanup
specifies whether the user's ticket cache is automatically destroyed on logout. The default is "yes".


KeyRegenerationInterval
for the SSH-1 protocol, the ephemeral server key is regenerated automatically after this many seconds.
This mechanism limits the damage done if a key is lost or compromised.
Set to 0 to never regenerate the key; the default is 3600 (seconds).


ListenAddress
specifies the local addresses sshd(8) listens on; the default is to listen on all addresses. The following formats may be used:
ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port
If no port is specified, the value of the Port directive is used.
Multiple ListenAddress directives may be used to listen on multiple addresses.


LoginGraceTime
the user must authenticate successfully within this time limit, in seconds; 0 means no limit. The default is 120 seconds.


LogLevel
specifies the verbosity level of sshd(8) logging. The possible values are:
QUIET, FATAL, ERROR, INFO (the default), VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3
DEBUG and DEBUG1 are equivalent; DEBUG2 and DEBUG3 each specify progressively more verbose output.
Logging at DEBUG level or higher may leak sensitive information about users and is therefore not recommended.


MACs
specifies the message authentication code (MAC) algorithms allowed for SSH-2 data integrity protection.
Multiple algorithms may be specified as a comma-separated list. The default (which allows all available algorithms) is:
hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-sha1-96, hmac-md5-96


Match
introduces a conditional block. The block ends at the next Match directive or at the end of the file.
If the criteria on the Match line are satisfied, the directives that follow override those set in the global section of the configuration.
The value of Match is one or more "criterion pattern" pairs. The available criteria are: User, Group, Host, Address.
Only the following directives may be used inside a Match block: AllowTcpForwarding, Banner,
ForceCommand, GatewayPorts, GSSAPIAuthentication,
KbdInteractiveAuthentication, KerberosAuthentication,
PasswordAuthentication, PermitOpen, PermitRootLogin,
RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
X11Forwarding, X11UseLocalhost
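A reader for the "keyword value" file format described at the top of the page (case-insensitive keywords, '#' comments, double-quoted values) together with the Match block semantics just described, as an added example; it is not code from the article or from OpenSSH, the function names and the embedded sample file are assumptions, and the Match-directive whitelist is taken from the list above:

```python
import fnmatch
import shlex

# Added example (not from the original article): reader for the "keyword value"
# format, including Match blocks. Keywords are case-insensitive, values are not;
# blank and '#' lines are skipped; double quotes protect values containing spaces.

MATCH_CRITERIA = {"user", "group", "host", "address"}
ALLOWED_IN_MATCH = {  # directives the article lists as permitted inside Match
    "allowtcpforwarding", "banner", "forcecommand", "gatewayports",
    "gssapiauthentication", "kbdinteractiveauthentication",
    "kerberosauthentication", "passwordauthentication", "permitopen",
    "permitrootlogin", "rhostsrsaauthentication", "rsaauthentication",
    "x11displayoffset", "x11forwarding", "x11uselocalhost"}


def parse_sshd_config(text):
    """Return (global_settings, blocks) with blocks = [(criteria, overrides), ...]."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # drops the optional double quotes
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            criteria = {}
            for cond, pattern in zip(args[::2], args[1::2]):
                if cond.lower() not in MATCH_CRITERIA:
                    raise ValueError("unsupported Match condition: " + cond)
                criteria[cond.lower()] = pattern.split(",")
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            global_settings[keyword] = " ".join(args)
        elif keyword in ALLOWED_IN_MATCH:
            current[keyword] = " ".join(args)
        else:
            raise ValueError(keyword + " is not permitted inside a Match block")
    return global_settings, blocks


def effective_config(parsed, **conn):
    """Settings for a connection described by user=, group=, host=, address=."""
    # Every block whose criteria all match contributes; if several set the
    # same keyword, the earliest block wins (sshd keeps the first value set).
    global_settings, blocks = parsed
    matched = {}
    for criteria, overrides in blocks:
        if all(any(fnmatch.fnmatchcase(conn.get(k, ""), p) for p in pats)
               for k, pats in criteria.items()):
            for keyword, value in overrides.items():
                matched.setdefault(keyword, value)
    return {**global_settings, **matched}


SAMPLE = """\
PasswordAuthentication no
Banner "/etc/ssh/banner with spaces.txt"
Match Group backup Address 10.0.0.*
    ForceCommand /usr/local/bin/backup-only
    AllowTcpForwarding no
Match User deploy,ci-?
    PasswordAuthentication yes
"""
```

SAMPLE is a constructed configuration fragment; feeding it to parse_sshd_config and then effective_config for a given user, group and address shows which overrides a connection would receive.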


MaxAuthTries
specifies the maximum number of authentication attempts permitted per connection. The default is 6.
Once the number of failures exceeds half this value, the connection is forcibly closed and additional failure messages are logged.


MaxStartups
the maximum number of concurrent unauthenticated connections to the SSH daemon. The default is 10.
Once the limit is reached, no new connections are accepted until an existing connection either authenticates successfully or exceeds LoginGraceTime.


PasswordAuthentication
specifies whether password-based authentication is allowed. The default is "yes".


PermitEmptyPasswords
specifies whether remote login to accounts with empty passwords is allowed. The default is "no".


PermitOpen
specifies the destinations to which TCP port forwarding is permitted; multiple destinations are separated by spaces. By default all forwarding requests are allowed.
Valid forms of the directive are:
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
The value "any" removes all restrictions and allows all forwarding requests.


PermitRootLogin
specifies whether root may log in. Valid values are:
"yes" (default) allows it; "no" forbids it.
"without-password" disables password authentication for root.
"forced-commands-only" allows root to log in with public key authentication only, and only when a command option has been specified for the key;
all other authentication methods are disabled for root. This value is useful for tasks such as remote backups.


PermitTunnel
specifies whether tun(4) device forwarding is allowed. Valid values are:
"yes", "point-to-point" (layer 3), "ethernet" (layer 2), "no" (default).
"yes" permits both "point-to-point" and "ethernet".


PermitUserEnvironment
specifies whether sshd(8) processes ~/.ssh/environment and the environment= option in ~/.ssh/authorized_keys.
The default is "no". Setting it to "yes" may give users the opportunity to bypass access controls through mechanisms such as LD_PRELOAD, creating a vulnerability.


PidFile
specifies the file in which the process ID of the SSH daemon is stored; the default is /var/run/sshd.pid.


Port
specifies the port number the sshd(8) daemon listens on; the default is 22. Multiple Port directives may be used to listen on several ports.
By default sshd listens on all network interfaces of the machine; use ListenAddress to restrict it to specific interfaces.


PrintLastLog
specifies whether sshd(8) prints the date and time of the user's last login at each interactive login. The default is "yes".


PrintMotd
specifies whether sshd(8) prints the contents of /etc/motd at each interactive login. The default is "yes".


Protocol
specifies the SSH protocol versions sshd(8) supports.
'1' and '2' mean only SSH-1 or only SSH-2 respectively; "2,1" means both SSH-1 and SSH-2 are supported.


PubkeyAuthentication
specifies whether public key authentication is allowed. SSH-2 only. The default is "yes".


RhostsRSAAuthentication
specifies whether strong trusted-host authentication (checking the remote host name together with the associated user name) is allowed. SSH-1 only.
Here the ~/.rhosts or /etc/hosts.equiv check is performed only after RSA host authentication has succeeded.
For security reasons it is recommended to keep the default "no".


RSAAuthentication
specifies whether pure RSA public key authentication is allowed. SSH-1 only. The default is "yes".


ServerKeyBits
specifies the length of the ephemeral server key. SSH-1 only. The default is 768 (bits). The minimum is 512.


StrictModes
specifies whether sshd(8) checks the ownership and permissions of the user's home directory and related configuration files before accepting a login.
It is strongly recommended to keep the default "yes" to catch basic mistakes in file permissions.


Subsystem
configures an external subsystem (e.g. a file transfer daemon). SSH-2 only.
The value is a subsystem name followed by the command line (including options and arguments) that runs it. For example, "sftp /bin/sftp-server".


SyslogFacility
specifies the syslog facility sshd(8) uses when logging messages. Valid values are:
DAEMON, USER, AUTH (default), LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7


TCPKeepAlive
specifies whether the system sends TCP keepalive messages to the client. The default is "yes".
These messages detect dead connections, connections that were closed improperly, client crashes and similar failures.
Set it to "no" to turn the feature off.


UseDNS
specifies whether sshd(8) should resolve the remote host name and check that the resolved name maps back to the client's actual IP address. The default is "yes".


UseLogin
specifies whether login(1) is used for interactive login sessions. The default is "no".
If this directive is enabled, X11Forwarding is disabled, because login(1) does not know how to handle xauth(1) cookies.
Note that login(1) is never used for remote command execution.
If UsePrivilegeSeparation is specified, it is disabled once authentication completes.


UsePrivilegeSeparation
specifies whether sshd(8) separates privileges by creating an unprivileged child process to handle incoming connection requests. The default is "yes".
After successful authentication, another process is created with the identity of the authenticated user.
The goal is to prevent privilege escalation through a flaw in the child process, making the system more secure.


X11DisplayOffset
specifies the first display number available for sshd(8)'s X11 forwarding. The default is 10.
This prevents sshd from occupying display numbers used by real X11 servers, which would otherwise cause confusion.


X11Forwarding
specifies whether X11 forwarding is permitted. The default is "no"; "yes" allows it.
If X11 forwarding is enabled and sshd(8)'s proxy display is configured to listen on a wildcard address (see X11UseLocalhost),
additional information may be leaked. Because of the potential risks of X11 forwarding, this directive defaults to "no".
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as they can install their own forwarders.
X11 forwarding is automatically disabled if UseLogin is enabled.


X11UseLocalhost
specifies whether sshd(8) should bind the X11 forwarding server to the loopback address. The default is "yes".
By default sshd binds the forwarding server to the loopback address and sets the host name part of the DISPLAY environment variable to "localhost".
This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not work with this configuration.
For compatibility with such older X11 clients, set it to "no".


XAuthLocation
specifies the absolute path of the xauth(1) program. The default is /usr/X11R6/bin/xauth
---------------------
Author: integrated thinking Park
Source: CSDN
Original: https://blog.csdn.net/linghe301/article/details/8211305
Disclaimer: This article is the blogger's original work; please include a link to the post when reproducing it.

Origin www.cnblogs.com/iamver/p/11043155.html