xref: /openssh-portable/sshd_config.5 (revision 8b8b6054)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd_config.5,v 1.327 2021/02/23 21:55:08 djm Exp $
37.Dd $Mdocdate: February 23 2021 $
38.Dt SSHD_CONFIG 5
39.Os
40.Sh NAME
41.Nm sshd_config
42.Nd OpenSSH daemon configuration file
43.Sh DESCRIPTION
44.Xr sshd 8
45reads configuration data from
46.Pa /etc/ssh/sshd_config
47(or the file specified with
48.Fl f
49on the command line).
50The file contains keyword-argument pairs, one per line.
51For each keyword, the first obtained value will be used.
52Lines starting with
53.Ql #
54and empty lines are interpreted as comments.
55Arguments may optionally be enclosed in double quotes
56.Pq \&"
57in order to represent arguments containing spaces.
58.Pp
59The possible
60keywords and their meanings are as follows (note that
61keywords are case-insensitive and arguments are case-sensitive):
62.Bl -tag -width Ds
63.It Cm AcceptEnv
64Specifies what environment variables sent by the client will be copied into
65the session's
66.Xr environ 7 .
67See
68.Cm SendEnv
69and
70.Cm SetEnv
71in
72.Xr ssh_config 5
73for how to configure the client.
74The
75.Ev TERM
76environment variable is always accepted whenever the client
77requests a pseudo-terminal as it is required by the protocol.
78Variables are specified by name, which may contain the wildcard characters
79.Ql *
80and
81.Ql \&? .
82Multiple environment variables may be separated by whitespace or spread
83across multiple
84.Cm AcceptEnv
85directives.
86Be warned that some environment variables could be used to bypass restricted
87user environments.
88For this reason, care should be taken in the use of this directive.
89The default is not to accept any environment variables.
90.It Cm AddressFamily
91Specifies which address family should be used by
92.Xr sshd 8 .
93Valid arguments are
94.Cm any
95(the default),
96.Cm inet
97(use IPv4 only), or
98.Cm inet6
99(use IPv6 only).
100.It Cm AllowAgentForwarding
101Specifies whether
102.Xr ssh-agent 1
103forwarding is permitted.
104The default is
105.Cm yes .
106Note that disabling agent forwarding does not improve security
107unless users are also denied shell access, as they can always install
108their own forwarders.
109.It Cm AllowGroups
110This keyword can be followed by a list of group name patterns, separated
111by spaces.
112If specified, login is allowed only for users whose primary
113group or supplementary group list matches one of the patterns.
114Only group names are valid; a numerical group ID is not recognized.
115By default, login is allowed for all groups.
116The allow/deny groups directives are processed in the following order:
117.Cm DenyGroups ,
118.Cm AllowGroups .
119.Pp
120See PATTERNS in
121.Xr ssh_config 5
122for more information on patterns.
123.It Cm AllowStreamLocalForwarding
124Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
125The available options are
126.Cm yes
127(the default)
128or
129.Cm all
130to allow StreamLocal forwarding,
131.Cm no
132to prevent all StreamLocal forwarding,
133.Cm local
134to allow local (from the perspective of
135.Xr ssh 1 )
136forwarding only or
137.Cm remote
138to allow remote forwarding only.
139Note that disabling StreamLocal forwarding does not improve security unless
140users are also denied shell access, as they can always install their
141own forwarders.
142.It Cm AllowTcpForwarding
143Specifies whether TCP forwarding is permitted.
144The available options are
145.Cm yes
146(the default)
147or
148.Cm all
149to allow TCP forwarding,
150.Cm no
151to prevent all TCP forwarding,
152.Cm local
153to allow local (from the perspective of
154.Xr ssh 1 )
155forwarding only or
156.Cm remote
157to allow remote forwarding only.
158Note that disabling TCP forwarding does not improve security unless
159users are also denied shell access, as they can always install their
160own forwarders.
161.It Cm AllowUsers
162This keyword can be followed by a list of user name patterns, separated
163by spaces.
164If specified, login is allowed only for user names that
165match one of the patterns.
166Only user names are valid; a numerical user ID is not recognized.
167By default, login is allowed for all users.
168If the pattern takes the form USER@HOST then USER and HOST
169are separately checked, restricting logins to particular
170users from particular hosts.
171HOST criteria may additionally contain addresses to match in CIDR
172address/masklen format.
173The allow/deny users directives are processed in the following order:
174.Cm DenyUsers ,
175.Cm AllowUsers .
176.Pp
177See PATTERNS in
178.Xr ssh_config 5
179for more information on patterns.
180.It Cm AuthenticationMethods
181Specifies the authentication methods that must be successfully completed
182for a user to be granted access.
183This option must be followed by one or more lists of comma-separated
184authentication method names, or by the single string
185.Cm any
186to indicate the default behaviour of accepting any single authentication
187method.
188If the default is overridden, then successful authentication requires
189completion of every method in at least one of these lists.
190.Pp
191For example,
192.Qq publickey,password publickey,keyboard-interactive
193would require the user to complete public key authentication, followed by
194either password or keyboard interactive authentication.
195Only methods that are next in one or more lists are offered at each stage,
196so for this example it would not be possible to attempt password or
197keyboard-interactive authentication before public key.
198.Pp
199For keyboard interactive authentication it is also possible to
200restrict authentication to a specific device by appending a
201colon followed by the device identifier
202.Cm bsdauth
203or
204.Cm pam .
205depending on the server configuration.
206For example,
207.Qq keyboard-interactive:bsdauth
208would restrict keyboard interactive authentication to the
209.Cm bsdauth
210device.
211.Pp
212If the publickey method is listed more than once,
213.Xr sshd 8
214verifies that keys that have been used successfully are not reused for
215subsequent authentications.
216For example,
217.Qq publickey,publickey
218requires successful authentication using two different public keys.
219.Pp
220Note that each authentication method listed should also be explicitly enabled
221in the configuration.
222.Pp
223The available authentication methods are:
224.Qq gssapi-with-mic ,
225.Qq hostbased ,
226.Qq keyboard-interactive ,
227.Qq none
228(used for access to password-less accounts when
229.Cm PermitEmptyPasswords
230is enabled),
231.Qq password
232and
233.Qq publickey .
234.It Cm AuthorizedKeysCommand
235Specifies a program to be used to look up the user's public keys.
236The program must be owned by root, not writable by group or others and
237specified by an absolute path.
238Arguments to
239.Cm AuthorizedKeysCommand
240accept the tokens described in the
241.Sx TOKENS
242section.
243If no arguments are specified then the username of the target user is used.
244.Pp
245The program should produce on standard output zero or
246more lines of authorized_keys output (see
247.Sx AUTHORIZED_KEYS
248in
249.Xr sshd 8 ) .
250.Cm AuthorizedKeysCommand
251is tried after the usual
252.Cm AuthorizedKeysFile
253files and will not be executed if a matching key is found there.
254By default, no
255.Cm AuthorizedKeysCommand
256is run.
257.It Cm AuthorizedKeysCommandUser
258Specifies the user under whose account the
259.Cm AuthorizedKeysCommand
260is run.
261It is recommended to use a dedicated user that has no other role on the host
262than running authorized keys commands.
263If
264.Cm AuthorizedKeysCommand
265is specified but
266.Cm AuthorizedKeysCommandUser
267is not, then
268.Xr sshd 8
269will refuse to start.
270.It Cm AuthorizedKeysFile
271Specifies the file that contains the public keys used for user authentication.
272The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
273.Xr sshd 8 .
274Arguments to
275.Cm AuthorizedKeysFile
276accept the tokens described in the
277.Sx TOKENS
278section.
279After expansion,
280.Cm AuthorizedKeysFile
281is taken to be an absolute path or one relative to the user's home
282directory.
283Multiple files may be listed, separated by whitespace.
284Alternately this option may be set to
285.Cm none
286to skip checking for user keys in files.
287The default is
288.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
289.It Cm AuthorizedPrincipalsCommand
290Specifies a program to be used to generate the list of allowed
291certificate principals as per
292.Cm AuthorizedPrincipalsFile .
293The program must be owned by root, not writable by group or others and
294specified by an absolute path.
295Arguments to
296.Cm AuthorizedPrincipalsCommand
297accept the tokens described in the
298.Sx TOKENS
299section.
300If no arguments are specified then the username of the target user is used.
301.Pp
302The program should produce on standard output zero or
303more lines of
304.Cm AuthorizedPrincipalsFile
305output.
306If either
307.Cm AuthorizedPrincipalsCommand
308or
309.Cm AuthorizedPrincipalsFile
310is specified, then certificates offered by the client for authentication
311must contain a principal that is listed.
312By default, no
313.Cm AuthorizedPrincipalsCommand
314is run.
315.It Cm AuthorizedPrincipalsCommandUser
316Specifies the user under whose account the
317.Cm AuthorizedPrincipalsCommand
318is run.
319It is recommended to use a dedicated user that has no other role on the host
320than running authorized principals commands.
321If
322.Cm AuthorizedPrincipalsCommand
323is specified but
324.Cm AuthorizedPrincipalsCommandUser
325is not, then
326.Xr sshd 8
327will refuse to start.
328.It Cm AuthorizedPrincipalsFile
329Specifies a file that lists principal names that are accepted for
330certificate authentication.
331When using certificates signed by a key listed in
332.Cm TrustedUserCAKeys ,
333this file lists names, one of which must appear in the certificate for it
334to be accepted for authentication.
335Names are listed one per line preceded by key options (as described in
336.Sx AUTHORIZED_KEYS FILE FORMAT
337in
338.Xr sshd 8 ) .
339Empty lines and comments starting with
340.Ql #
341are ignored.
342.Pp
343Arguments to
344.Cm AuthorizedPrincipalsFile
345accept the tokens described in the
346.Sx TOKENS
347section.
348After expansion,
349.Cm AuthorizedPrincipalsFile
350is taken to be an absolute path or one relative to the user's home directory.
351The default is
352.Cm none ,
353i.e. not to use a principals file \(en in this case, the username
354of the user must appear in a certificate's principals list for it to be
355accepted.
356.Pp
357Note that
358.Cm AuthorizedPrincipalsFile
359is only used when authentication proceeds using a CA listed in
360.Cm TrustedUserCAKeys
361and is not consulted for certification authorities trusted via
362.Pa ~/.ssh/authorized_keys ,
363though the
364.Cm principals=
365key option offers a similar facility (see
366.Xr sshd 8
367for details).
368.It Cm Banner
369The contents of the specified file are sent to the remote user before
370authentication is allowed.
371If the argument is
372.Cm none
373then no banner is displayed.
374By default, no banner is displayed.
375.It Cm CASignatureAlgorithms
376Specifies which algorithms are allowed for signing of certificates
377by certificate authorities (CAs).
378The default is:
379.Bd -literal -offset indent
380ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
381ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
382.Ed
383.Pp
384Certificates signed using other algorithms will not be accepted for
385public key or host-based authentication.
386.It Cm ChallengeResponseAuthentication
387Specifies whether challenge-response authentication is allowed (e.g. via
388PAM or through authentication styles supported in
389.Xr login.conf 5 )
390The default is
391.Cm yes .
392.It Cm ChrootDirectory
393Specifies the pathname of a directory to
394.Xr chroot 2
395to after authentication.
396At session startup
397.Xr sshd 8
398checks that all components of the pathname are root-owned directories
399which are not writable by any other user or group.
400After the chroot,
401.Xr sshd 8
402changes the working directory to the user's home directory.
403Arguments to
404.Cm ChrootDirectory
405accept the tokens described in the
406.Sx TOKENS
407section.
408.Pp
409The
410.Cm ChrootDirectory
411must contain the necessary files and directories to support the
412user's session.
413For an interactive session this requires at least a shell, typically
414.Xr sh 1 ,
415and basic
416.Pa /dev
417nodes such as
418.Xr null 4 ,
419.Xr zero 4 ,
420.Xr stdin 4 ,
421.Xr stdout 4 ,
422.Xr stderr 4 ,
423and
424.Xr tty 4
425devices.
426For file transfer sessions using SFTP
427no additional configuration of the environment is necessary if the in-process
428sftp-server is used,
429though sessions which use logging may require
430.Pa /dev/log
431inside the chroot directory on some operating systems (see
432.Xr sftp-server 8
433for details).
434.Pp
435For safety, it is very important that the directory hierarchy be
436prevented from modification by other processes on the system (especially
437those outside the jail).
438Misconfiguration can lead to unsafe environments which
439.Xr sshd 8
440cannot detect.
441.Pp
442The default is
443.Cm none ,
444indicating not to
445.Xr chroot 2 .
446.It Cm Ciphers
447Specifies the ciphers allowed.
448Multiple ciphers must be comma-separated.
449If the specified list begins with a
450.Sq +
451character, then the specified ciphers will be appended to the default set
452instead of replacing them.
453If the specified list begins with a
454.Sq -
455character, then the specified ciphers (including wildcards) will be removed
456from the default set instead of replacing them.
457If the specified list begins with a
458.Sq ^
459character, then the specified ciphers will be placed at the head of the
460default set.
461.Pp
462The supported ciphers are:
463.Pp
464.Bl -item -compact -offset indent
465.It
4663des-cbc
467.It
468aes128-cbc
469.It
470aes192-cbc
471.It
472aes256-cbc
473.It
474aes128-ctr
475.It
476aes192-ctr
477.It
478aes256-ctr
479.It
480aes128-gcm@openssh.com
481.It
482aes256-gcm@openssh.com
483.It
484chacha20-poly1305@openssh.com
485.El
486.Pp
487The default is:
488.Bd -literal -offset indent
489chacha20-poly1305@openssh.com,
490aes128-ctr,aes192-ctr,aes256-ctr,
491aes128-gcm@openssh.com,aes256-gcm@openssh.com
492.Ed
493.Pp
494The list of available ciphers may also be obtained using
495.Qq ssh -Q cipher .
496.It Cm ClientAliveCountMax
497Sets the number of client alive messages which may be sent without
498.Xr sshd 8
499receiving any messages back from the client.
500If this threshold is reached while client alive messages are being sent,
501sshd will disconnect the client, terminating the session.
502It is important to note that the use of client alive messages is very
503different from
504.Cm TCPKeepAlive .
505The client alive messages are sent through the encrypted channel
506and therefore will not be spoofable.
507The TCP keepalive option enabled by
508.Cm TCPKeepAlive
509is spoofable.
510The client alive mechanism is valuable when the client or
511server depend on knowing when a connection has become unresponsive.
512.Pp
513The default value is 3.
514If
515.Cm ClientAliveInterval
516is set to 15, and
517.Cm ClientAliveCountMax
518is left at the default, unresponsive SSH clients
519will be disconnected after approximately 45 seconds.
520Setting a zero
521.Cm ClientAliveCountMax
522disables connection termination.
523.It Cm ClientAliveInterval
524Sets a timeout interval in seconds after which if no data has been received
525from the client,
526.Xr sshd 8
527will send a message through the encrypted
528channel to request a response from the client.
529The default
530is 0, indicating that these messages will not be sent to the client.
531.It Cm Compression
532Specifies whether compression is enabled after
533the user has authenticated successfully.
534The argument must be
535.Cm yes ,
536.Cm delayed
537(a legacy synonym for
538.Cm yes )
539or
540.Cm no .
541The default is
542.Cm yes .
543.It Cm DenyGroups
544This keyword can be followed by a list of group name patterns, separated
545by spaces.
546Login is disallowed for users whose primary group or supplementary
547group list matches one of the patterns.
548Only group names are valid; a numerical group ID is not recognized.
549By default, login is allowed for all groups.
550The allow/deny groups directives are processed in the following order:
551.Cm DenyGroups ,
552.Cm AllowGroups .
553.Pp
554See PATTERNS in
555.Xr ssh_config 5
556for more information on patterns.
557.It Cm DenyUsers
558This keyword can be followed by a list of user name patterns, separated
559by spaces.
560Login is disallowed for user names that match one of the patterns.
561Only user names are valid; a numerical user ID is not recognized.
562By default, login is allowed for all users.
563If the pattern takes the form USER@HOST then USER and HOST
564are separately checked, restricting logins to particular
565users from particular hosts.
566HOST criteria may additionally contain addresses to match in CIDR
567address/masklen format.
568The allow/deny users directives are processed in the following order:
569.Cm DenyUsers ,
570.Cm AllowUsers .
571.Pp
572See PATTERNS in
573.Xr ssh_config 5
574for more information on patterns.
575.It Cm DisableForwarding
576Disables all forwarding features, including X11,
577.Xr ssh-agent 1 ,
578TCP and StreamLocal.
579This option overrides all other forwarding-related options and may
580simplify restricted configurations.
581.It Cm ExposeAuthInfo
582Writes a temporary file containing a list of authentication methods and
583public credentials (e.g. keys) used to authenticate the user.
584The location of the file is exposed to the user session through the
585.Ev SSH_USER_AUTH
586environment variable.
587The default is
588.Cm no .
589.It Cm FingerprintHash
590Specifies the hash algorithm used when logging key fingerprints.
591Valid options are:
592.Cm md5
593and
594.Cm sha256 .
595The default is
596.Cm sha256 .
597.It Cm ForceCommand
598Forces the execution of the command specified by
599.Cm ForceCommand ,
600ignoring any command supplied by the client and
601.Pa ~/.ssh/rc
602if present.
603The command is invoked by using the user's login shell with the -c option.
604This applies to shell, command, or subsystem execution.
605It is most useful inside a
606.Cm Match
607block.
608The command originally supplied by the client is available in the
609.Ev SSH_ORIGINAL_COMMAND
610environment variable.
611Specifying a command of
612.Cm internal-sftp
613will force the use of an in-process SFTP server that requires no support
614files when used with
615.Cm ChrootDirectory .
616The default is
617.Cm none .
618.It Cm GatewayPorts
619Specifies whether remote hosts are allowed to connect to ports
620forwarded for the client.
621By default,
622.Xr sshd 8
623binds remote port forwardings to the loopback address.
624This prevents other remote hosts from connecting to forwarded ports.
625.Cm GatewayPorts
626can be used to specify that sshd
627should allow remote port forwardings to bind to non-loopback addresses, thus
628allowing other hosts to connect.
629The argument may be
630.Cm no
631to force remote port forwardings to be available to the local host only,
632.Cm yes
633to force remote port forwardings to bind to the wildcard address, or
634.Cm clientspecified
635to allow the client to select the address to which the forwarding is bound.
636The default is
637.Cm no .
638.It Cm GSSAPIAuthentication
639Specifies whether user authentication based on GSSAPI is allowed.
640The default is
641.Cm no .
642.It Cm GSSAPICleanupCredentials
643Specifies whether to automatically destroy the user's credentials cache
644on logout.
645The default is
646.Cm yes .
647.It Cm GSSAPIStrictAcceptorCheck
648Determines whether to be strict about the identity of the GSSAPI acceptor
649a client authenticates against.
650If set to
651.Cm yes
652then the client must authenticate against the host
653service on the current hostname.
654If set to
655.Cm no
656then the client may authenticate against any service key stored in the
657machine's default store.
658This facility is provided to assist with operation on multi homed machines.
659The default is
660.Cm yes .
661.It Cm HostbasedAcceptedAlgorithms
662Specifies the signature algorithms that will be accepted for hostbased
663authentication as a list of comma-separated patterns.
664Alternately if the specified list begins with a
665.Sq +
666character, then the specified signature algorithms will be appended to
667the default set instead of replacing them.
668If the specified list begins with a
669.Sq -
670character, then the specified signature algorithms (including wildcards)
671will be removed from the default set instead of replacing them.
672If the specified list begins with a
673.Sq ^
674character, then the specified signature algorithms will be placed at
675the head of the default set.
676The default for this option is:
677.Bd -literal -offset 3n
678ssh-ed25519-cert-v01@openssh.com,
679ecdsa-sha2-nistp256-cert-v01@openssh.com,
680ecdsa-sha2-nistp384-cert-v01@openssh.com,
681ecdsa-sha2-nistp521-cert-v01@openssh.com,
682sk-ssh-ed25519-cert-v01@openssh.com,
683sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
684rsa-sha2-512-cert-v01@openssh.com,
685rsa-sha2-256-cert-v01@openssh.com,
686ssh-rsa-cert-v01@openssh.com,
687ssh-ed25519,
688ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
689sk-ssh-ed25519@openssh.com,
690sk-ecdsa-sha2-nistp256@openssh.com,
691rsa-sha2-512,rsa-sha2-256,ssh-rsa
692.Ed
693.Pp
694The list of available signature algorithms may also be obtained using
695.Qq ssh -Q HostbasedAcceptedAlgorithms .
696This was formerly named HostbasedAcceptedKeyTypes.
697.It Cm HostbasedAuthentication
698Specifies whether rhosts or /etc/hosts.equiv authentication together
699with successful public key client host authentication is allowed
700(host-based authentication).
701The default is
702.Cm no .
703.It Cm HostbasedUsesNameFromPacketOnly
704Specifies whether or not the server will attempt to perform a reverse
705name lookup when matching the name in the
706.Pa ~/.shosts ,
707.Pa ~/.rhosts ,
708and
709.Pa /etc/hosts.equiv
710files during
711.Cm HostbasedAuthentication .
712A setting of
713.Cm yes
714means that
715.Xr sshd 8
716uses the name supplied by the client rather than
717attempting to resolve the name from the TCP connection itself.
718The default is
719.Cm no .
720.It Cm HostCertificate
721Specifies a file containing a public host certificate.
722The certificate's public key must match a private host key already specified
723by
724.Cm HostKey .
725The default behaviour of
726.Xr sshd 8
727is not to load any certificates.
728.It Cm HostKey
729Specifies a file containing a private host key
730used by SSH.
731The defaults are
732.Pa /etc/ssh/ssh_host_ecdsa_key ,
733.Pa /etc/ssh/ssh_host_ed25519_key
734and
735.Pa /etc/ssh/ssh_host_rsa_key .
736.Pp
737Note that
738.Xr sshd 8
739will refuse to use a file if it is group/world-accessible
740and that the
741.Cm HostKeyAlgorithms
742option restricts which of the keys are actually used by
743.Xr sshd 8 .
744.Pp
745It is possible to have multiple host key files.
746It is also possible to specify public host key files instead.
747In this case operations on the private key will be delegated
748to an
749.Xr ssh-agent 1 .
750.It Cm HostKeyAgent
751Identifies the UNIX-domain socket used to communicate
752with an agent that has access to the private host keys.
753If the string
754.Qq SSH_AUTH_SOCK
755is specified, the location of the socket will be read from the
756.Ev SSH_AUTH_SOCK
757environment variable.
758.It Cm HostKeyAlgorithms
759Specifies the host key signature algorithms
760that the server offers.
761The default for this option is:
762.Bd -literal -offset 3n
763ssh-ed25519-cert-v01@openssh.com,
764ecdsa-sha2-nistp256-cert-v01@openssh.com,
765ecdsa-sha2-nistp384-cert-v01@openssh.com,
766ecdsa-sha2-nistp521-cert-v01@openssh.com,
767sk-ssh-ed25519-cert-v01@openssh.com,
768sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
769rsa-sha2-512-cert-v01@openssh.com,
770rsa-sha2-256-cert-v01@openssh.com,
771ssh-rsa-cert-v01@openssh.com,
772ssh-ed25519,
773ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
774sk-ssh-ed25519@openssh.com,
775sk-ecdsa-sha2-nistp256@openssh.com,
776rsa-sha2-512,rsa-sha2-256,ssh-rsa
777.Ed
778.Pp
779The list of available signature algorithms may also be obtained using
780.Qq ssh -Q HostKeyAlgorithms .
781.It Cm IgnoreRhosts
782Specifies whether to ignore per-user
783.Pa .rhosts
784and
785.Pa .shosts
786files during
787.Cm HostbasedAuthentication .
788The system-wide
789.Pa /etc/hosts.equiv
790and
791.Pa /etc/shosts.equiv
792are still used regardless of this setting.
793.Pp
794Accepted values are
795.Cm yes
796(the default) to ignore all per-user files,
797.Cm shosts-only
798to allow the use of
799.Pa .shosts
800but to ignore
801.Pa .rhosts
802or
803.Cm no
804to allow both
805.Pa .shosts
806and
807.Pa rhosts .
808.It Cm IgnoreUserKnownHosts
809Specifies whether
810.Xr sshd 8
811should ignore the user's
812.Pa ~/.ssh/known_hosts
813during
814.Cm HostbasedAuthentication
815and use only the system-wide known hosts file
816.Pa /etc/ssh/known_hosts .
817The default is
818.Dq no .
819.It Cm Include
820Include the specified configuration file(s).
821Multiple pathnames may be specified and each pathname may contain
822.Xr glob 7
823wildcards that will be expanded and processed in lexical order.
824Files without absolute paths are assumed to be in
825.Pa /etc/ssh .
826An
827.Cm Include
828directive may appear inside a
829.Cm Match
830block
831to perform conditional inclusion.
832.It Cm IPQoS
833Specifies the IPv4 type-of-service or DSCP class for the connection.
834Accepted values are
835.Cm af11 ,
836.Cm af12 ,
837.Cm af13 ,
838.Cm af21 ,
839.Cm af22 ,
840.Cm af23 ,
841.Cm af31 ,
842.Cm af32 ,
843.Cm af33 ,
844.Cm af41 ,
845.Cm af42 ,
846.Cm af43 ,
847.Cm cs0 ,
848.Cm cs1 ,
849.Cm cs2 ,
850.Cm cs3 ,
851.Cm cs4 ,
852.Cm cs5 ,
853.Cm cs6 ,
854.Cm cs7 ,
855.Cm ef ,
856.Cm le ,
857.Cm lowdelay ,
858.Cm throughput ,
859.Cm reliability ,
860a numeric value, or
861.Cm none
862to use the operating system default.
863This option may take one or two arguments, separated by whitespace.
864If one argument is specified, it is used as the packet class unconditionally.
865If two values are specified, the first is automatically selected for
866interactive sessions and the second for non-interactive sessions.
867The default is
868.Cm af21
869(Low-Latency Data)
870for interactive sessions and
871.Cm cs1
872(Lower Effort)
873for non-interactive sessions.
874.It Cm KbdInteractiveAuthentication
875Specifies whether to allow keyboard-interactive authentication.
876The argument to this keyword must be
877.Cm yes
878or
879.Cm no .
880The default is to use whatever value
881.Cm ChallengeResponseAuthentication
882is set to
883(by default
884.Cm yes ) .
885.It Cm KerberosAuthentication
886Specifies whether the password provided by the user for
887.Cm PasswordAuthentication
888will be validated through the Kerberos KDC.
889To use this option, the server needs a
890Kerberos servtab which allows the verification of the KDC's identity.
891The default is
892.Cm no .
893.It Cm KerberosGetAFSToken
894If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
895an AFS token before accessing the user's home directory.
896The default is
897.Cm no .
898.It Cm KerberosOrLocalPasswd
899If password authentication through Kerberos fails then
900the password will be validated via any additional local mechanism
901such as
902.Pa /etc/passwd .
903The default is
904.Cm yes .
905.It Cm KerberosTicketCleanup
906Specifies whether to automatically destroy the user's ticket cache
907file on logout.
908The default is
909.Cm yes .
910.It Cm KexAlgorithms
911Specifies the available KEX (Key Exchange) algorithms.
912Multiple algorithms must be comma-separated.
913Alternately if the specified list begins with a
914.Sq +
915character, then the specified methods will be appended to the default set
916instead of replacing them.
917If the specified list begins with a
918.Sq -
919character, then the specified methods (including wildcards) will be removed
920from the default set instead of replacing them.
921If the specified list begins with a
922.Sq ^
923character, then the specified methods will be placed at the head of the
924default set.
925The supported algorithms are:
926.Pp
927.Bl -item -compact -offset indent
928.It
929curve25519-sha256
930.It
931curve25519-sha256@libssh.org
932.It
933diffie-hellman-group1-sha1
934.It
935diffie-hellman-group14-sha1
936.It
937diffie-hellman-group14-sha256
938.It
939diffie-hellman-group16-sha512
940.It
941diffie-hellman-group18-sha512
942.It
943diffie-hellman-group-exchange-sha1
944.It
945diffie-hellman-group-exchange-sha256
946.It
947ecdh-sha2-nistp256
948.It
949ecdh-sha2-nistp384
950.It
951ecdh-sha2-nistp521
952.It
953sntrup761x25519-sha512@openssh.com
954.El
955.Pp
956The default is:
957.Bd -literal -offset indent
958curve25519-sha256,curve25519-sha256@libssh.org,
959ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
960diffie-hellman-group-exchange-sha256,
961diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
962diffie-hellman-group14-sha256
963.Ed
964.Pp
965The list of available key exchange algorithms may also be obtained using
966.Qq ssh -Q KexAlgorithms .
967.It Cm ListenAddress
968Specifies the local addresses
969.Xr sshd 8
970should listen on.
971The following forms may be used:
972.Pp
973.Bl -item -offset indent -compact
974.It
975.Cm ListenAddress
976.Sm off
977.Ar hostname | address
978.Sm on
979.Op Cm rdomain Ar domain
980.It
981.Cm ListenAddress
982.Sm off
983.Ar hostname : port
984.Sm on
985.Op Cm rdomain Ar domain
986.It
987.Cm ListenAddress
988.Sm off
989.Ar IPv4_address : port
990.Sm on
991.Op Cm rdomain Ar domain
992.It
993.Cm ListenAddress
994.Sm off
995.Oo Ar hostname | address Oc : Ar port
996.Sm on
997.Op Cm rdomain Ar domain
998.El
999.Pp
1000The optional
1001.Cm rdomain
1002qualifier requests
1003.Xr sshd 8
1004listen in an explicit routing domain.
1005If
1006.Ar port
1007is not specified,
1008sshd will listen on the address and all
1009.Cm Port
1010options specified.
1011The default is to listen on all local addresses on the current default
1012routing domain.
1013Multiple
1014.Cm ListenAddress
1015options are permitted.
1016For more information on routing domains, see
1017.Xr rdomain 4 .
1018.It Cm LoginGraceTime
1019The server disconnects after this time if the user has not
1020successfully logged in.
1021If the value is 0, there is no time limit.
1022The default is 120 seconds.
1023.It Cm LogLevel
1024Gives the verbosity level that is used when logging messages from
1025.Xr sshd 8 .
1026The possible values are:
1027QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
1028The default is INFO.
1029DEBUG and DEBUG1 are equivalent.
1030DEBUG2 and DEBUG3 each specify higher levels of debugging output.
1031Logging with a DEBUG level violates the privacy of users and is not recommended.
1032.It Cm LogVerbose
1033Specify one or more overrides to LogLevel.
1034An override consists of a pattern lists that matches the source file, function
1035and line number to force detailed logging for.
1036For example, an override pattern of:
1037.Bd -literal -offset indent
1038kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
1039.Ed
1040.Pp
1041would enable detailed logging for line 1000 of
1042.Pa kex.c ,
1043everything in the
1044.Fn kex_exchange_identification
1045function, and all code in the
1046.Pa packet.c
1047file.
1048This option is intended for debugging and no overrides are enabled by default.
1049.It Cm MACs
1050Specifies the available MAC (message authentication code) algorithms.
1051The MAC algorithm is used for data integrity protection.
1052Multiple algorithms must be comma-separated.
1053If the specified list begins with a
1054.Sq +
1055character, then the specified algorithms will be appended to the default set
1056instead of replacing them.
1057If the specified list begins with a
1058.Sq -
1059character, then the specified algorithms (including wildcards) will be removed
1060from the default set instead of replacing them.
1061If the specified list begins with a
1062.Sq ^
1063character, then the specified algorithms will be placed at the head of the
1064default set.
1065.Pp
1066The algorithms that contain
1067.Qq -etm
1068calculate the MAC after encryption (encrypt-then-mac).
1069These are considered safer and their use recommended.
1070The supported MACs are:
1071.Pp
1072.Bl -item -compact -offset indent
1073.It
1074hmac-md5
1075.It
1076hmac-md5-96
1077.It
1078hmac-sha1
1079.It
1080hmac-sha1-96
1081.It
1082hmac-sha2-256
1083.It
1084hmac-sha2-512
1085.It
1086umac-64@openssh.com
1087.It
1088umac-128@openssh.com
1089.It
1090hmac-md5-etm@openssh.com
1091.It
1092hmac-md5-96-etm@openssh.com
1093.It
1094hmac-sha1-etm@openssh.com
1095.It
1096hmac-sha1-96-etm@openssh.com
1097.It
1098hmac-sha2-256-etm@openssh.com
1099.It
1100hmac-sha2-512-etm@openssh.com
1101.It
1102umac-64-etm@openssh.com
1103.It
1104umac-128-etm@openssh.com
1105.El
1106.Pp
1107The default is:
1108.Bd -literal -offset indent
1109umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1110hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1111hmac-sha1-etm@openssh.com,
1112umac-64@openssh.com,umac-128@openssh.com,
1113hmac-sha2-256,hmac-sha2-512,hmac-sha1
1114.Ed
1115.Pp
1116The list of available MAC algorithms may also be obtained using
1117.Qq ssh -Q mac .
1118.It Cm Match
1119Introduces a conditional block.
1120If all of the criteria on the
1121.Cm Match
1122line are satisfied, the keywords on the following lines override those
1123set in the global section of the config file, until either another
1124.Cm Match
1125line or the end of the file.
1126If a keyword appears in multiple
1127.Cm Match
1128blocks that are satisfied, only the first instance of the keyword is
1129applied.
1130.Pp
1131The arguments to
1132.Cm Match
1133are one or more criteria-pattern pairs or the single token
1134.Cm All
1135which matches all criteria.
1136The available criteria are
1137.Cm User ,
1138.Cm Group ,
1139.Cm Host ,
1140.Cm LocalAddress ,
1141.Cm LocalPort ,
1142.Cm RDomain ,
1143and
1144.Cm Address
1145(with
1146.Cm RDomain
1147representing the
1148.Xr rdomain 4
1149on which the connection was received).
1150.Pp
1151The match patterns may consist of single entries or comma-separated
1152lists and may use the wildcard and negation operators described in the
1153.Sx PATTERNS
1154section of
1155.Xr ssh_config 5 .
1156.Pp
1157The patterns in an
1158.Cm Address
1159criteria may additionally contain addresses to match in CIDR
1160address/masklen format,
1161such as 192.0.2.0/24 or 2001:db8::/32.
1162Note that the mask length provided must be consistent with the address -
1163it is an error to specify a mask length that is too long for the address
1164or one with bits set in this host portion of the address.
1165For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
1166.Pp
1167Only a subset of keywords may be used on the lines following a
1168.Cm Match
1169keyword.
1170Available keywords are
1171.Cm AcceptEnv ,
1172.Cm AllowAgentForwarding ,
1173.Cm AllowGroups ,
1174.Cm AllowStreamLocalForwarding ,
1175.Cm AllowTcpForwarding ,
1176.Cm AllowUsers ,
1177.Cm AuthenticationMethods ,
1178.Cm AuthorizedKeysCommand ,
1179.Cm AuthorizedKeysCommandUser ,
1180.Cm AuthorizedKeysFile ,
1181.Cm AuthorizedPrincipalsCommand ,
1182.Cm AuthorizedPrincipalsCommandUser ,
1183.Cm AuthorizedPrincipalsFile ,
1184.Cm Banner ,
1185.Cm ChrootDirectory ,
1186.Cm ClientAliveCountMax ,
1187.Cm ClientAliveInterval ,
1188.Cm DenyGroups ,
1189.Cm DenyUsers ,
1190.Cm DisableForwarding ,
1191.Cm ForceCommand ,
1192.Cm GatewayPorts ,
1193.Cm GSSAPIAuthentication ,
1194.Cm HostbasedAcceptedAlgorithms ,
1195.Cm HostbasedAuthentication ,
1196.Cm HostbasedUsesNameFromPacketOnly ,
1197.Cm IgnoreRhosts ,
1198.Cm Include ,
1199.Cm IPQoS ,
1200.Cm KbdInteractiveAuthentication ,
1201.Cm KerberosAuthentication ,
1202.Cm LogLevel ,
1203.Cm MaxAuthTries ,
1204.Cm MaxSessions ,
1205.Cm PasswordAuthentication ,
1206.Cm PermitEmptyPasswords ,
1207.Cm PermitListen ,
1208.Cm PermitOpen ,
1209.Cm PermitRootLogin ,
1210.Cm PermitTTY ,
1211.Cm PermitTunnel ,
1212.Cm PermitUserRC ,
1213.Cm PubkeyAcceptedAlgorithms ,
1214.Cm PubkeyAuthentication ,
1215.Cm RekeyLimit ,
1216.Cm RevokedKeys ,
1217.Cm RDomain ,
1218.Cm SetEnv ,
1219.Cm StreamLocalBindMask ,
1220.Cm StreamLocalBindUnlink ,
1221.Cm TrustedUserCAKeys ,
1222.Cm X11DisplayOffset ,
1223.Cm X11Forwarding
1224and
1225.Cm X11UseLocalhost .
1226.It Cm MaxAuthTries
1227Specifies the maximum number of authentication attempts permitted per
1228connection.
1229Once the number of failures reaches half this value,
1230additional failures are logged.
1231The default is 6.
1232.It Cm MaxSessions
1233Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
1234sessions permitted per network connection.
1235Multiple sessions may be established by clients that support connection
1236multiplexing.
1237Setting
1238.Cm MaxSessions
1239to 1 will effectively disable session multiplexing, whereas setting it to 0
1240will prevent all shell, login and subsystem sessions while still permitting
1241forwarding.
1242The default is 10.
1243.It Cm MaxStartups
1244Specifies the maximum number of concurrent unauthenticated connections to the
1245SSH daemon.
1246Additional connections will be dropped until authentication succeeds or the
1247.Cm LoginGraceTime
1248expires for a connection.
1249The default is 10:30:100.
1250.Pp
1251Alternatively, random early drop can be enabled by specifying
1252the three colon separated values
1253start:rate:full (e.g. "10:30:60").
1254.Xr sshd 8
1255will refuse connection attempts with a probability of rate/100 (30%)
1256if there are currently start (10) unauthenticated connections.
1257The probability increases linearly and all connection attempts
1258are refused if the number of unauthenticated connections reaches full (60).
1259.It Cm PasswordAuthentication
1260Specifies whether password authentication is allowed.
1261The default is
1262.Cm yes .
1263.It Cm PermitEmptyPasswords
1264When password authentication is allowed, it specifies whether the
1265server allows login to accounts with empty password strings.
1266The default is
1267.Cm no .
1268.It Cm PermitListen
1269Specifies the addresses/ports on which a remote TCP port forwarding may listen.
1270The listen specification must be one of the following forms:
1271.Pp
1272.Bl -item -offset indent -compact
1273.It
1274.Cm PermitListen
1275.Sm off
1276.Ar port
1277.Sm on
1278.It
1279.Cm PermitListen
1280.Sm off
1281.Ar host : port
1282.Sm on
1283.El
1284.Pp
1285Multiple permissions may be specified by separating them with whitespace.
1286An argument of
1287.Cm any
1288can be used to remove all restrictions and permit any listen requests.
1289An argument of
1290.Cm none
1291can be used to prohibit all listen requests.
1292The host name may contain wildcards as described in the PATTERNS section in
1293.Xr ssh_config 5 .
1294The wildcard
1295.Sq *
1296can also be used in place of a port number to allow all ports.
1297By default all port forwarding listen requests are permitted.
1298Note that the
1299.Cm GatewayPorts
1300option may further restrict which addresses may be listened on.
1301Note also that
1302.Xr ssh 1
1303will request a listen host of
1304.Dq localhost
1305if no listen host was specifically requested, and this name is
1306treated differently to explicit localhost addresses of
1307.Dq 127.0.0.1
1308and
1309.Dq ::1 .
1310.It Cm PermitOpen
1311Specifies the destinations to which TCP port forwarding is permitted.
1312The forwarding specification must be one of the following forms:
1313.Pp
1314.Bl -item -offset indent -compact
1315.It
1316.Cm PermitOpen
1317.Sm off
1318.Ar host : port
1319.Sm on
1320.It
1321.Cm PermitOpen
1322.Sm off
1323.Ar IPv4_addr : port
1324.Sm on
1325.It
1326.Cm PermitOpen
1327.Sm off
1328.Ar \&[ IPv6_addr \&] : port
1329.Sm on
1330.El
1331.Pp
1332Multiple forwards may be specified by separating them with whitespace.
1333An argument of
1334.Cm any
1335can be used to remove all restrictions and permit any forwarding requests.
1336An argument of
1337.Cm none
1338can be used to prohibit all forwarding requests.
1339The wildcard
1340.Sq *
1341can be used for host or port to allow all hosts or ports respectively.
1342Otherwise, no pattern matching or address lookups are performed on supplied
1343names.
1344By default all port forwarding requests are permitted.
1345.It Cm PermitRootLogin
1346Specifies whether root can log in using
1347.Xr ssh 1 .
1348The argument must be
1349.Cm yes ,
1350.Cm prohibit-password ,
1351.Cm forced-commands-only ,
1352or
1353.Cm no .
1354The default is
1355.Cm prohibit-password .
1356.Pp
1357If this option is set to
1358.Cm prohibit-password
1359(or its deprecated alias,
1360.Cm without-password ) ,
1361password and keyboard-interactive authentication are disabled for root.
1362.Pp
1363If this option is set to
1364.Cm forced-commands-only ,
1365root login with public key authentication will be allowed,
1366but only if the
1367.Ar command
1368option has been specified
1369(which may be useful for taking remote backups even if root login is
1370normally not allowed).
1371All other authentication methods are disabled for root.
1372.Pp
1373If this option is set to
1374.Cm no ,
1375root is not allowed to log in.
1376.It Cm PermitTTY
1377Specifies whether
1378.Xr pty 4
1379allocation is permitted.
1380The default is
1381.Cm yes .
1382.It Cm PermitTunnel
1383Specifies whether
1384.Xr tun 4
1385device forwarding is allowed.
1386The argument must be
1387.Cm yes ,
1388.Cm point-to-point
1389(layer 3),
1390.Cm ethernet
1391(layer 2), or
1392.Cm no .
1393Specifying
1394.Cm yes
1395permits both
1396.Cm point-to-point
1397and
1398.Cm ethernet .
1399The default is
1400.Cm no .
1401.Pp
1402Independent of this setting, the permissions of the selected
1403.Xr tun 4
1404device must allow access to the user.
1405.It Cm PermitUserEnvironment
1406Specifies whether
1407.Pa ~/.ssh/environment
1408and
1409.Cm environment=
1410options in
1411.Pa ~/.ssh/authorized_keys
1412are processed by
1413.Xr sshd 8 .
1414Valid options are
1415.Cm yes ,
1416.Cm no
1417or a pattern-list specifying which environment variable names to accept
1418(for example
1419.Qq LANG,LC_* ) .
1420The default is
1421.Cm no .
1422Enabling environment processing may enable users to bypass access
1423restrictions in some configurations using mechanisms such as
1424.Ev LD_PRELOAD .
1425.It Cm PermitUserRC
1426Specifies whether any
1427.Pa ~/.ssh/rc
1428file is executed.
1429The default is
1430.Cm yes .
1431.It Cm PidFile
1432Specifies the file that contains the process ID of the
1433SSH daemon, or
1434.Cm none
1435to not write one.
1436The default is
1437.Pa /var/run/sshd.pid .
1438.It Cm PerSourceMaxStartups
1439Specifies the number of unauthenticated connections allowed from a
1440given source address, or
1441.Dq none
1442if there is no limit.
1443This limit is applied in addition to
1444.Cm MaxStartups ,
1445whichever is lower.
1446The default is
1447.Cm none .
1448.It Cm PerSourceNetBlockSize
1449Specifies the number of bits of source address that are grouped together
1450for the purposes of applying PerSourceMaxStartups limits.
1451Values for IPv4 and optionally IPv6 may be specified, separated by a colon.
1452The default is
1453.Cm 32:128 ,
1454which means each address is considered individually.
1455.It Cm Port
1456Specifies the port number that
1457.Xr sshd 8
1458listens on.
1459The default is 22.
1460Multiple options of this type are permitted.
1461See also
1462.Cm ListenAddress .
1463.It Cm PrintLastLog
1464Specifies whether
1465.Xr sshd 8
1466should print the date and time of the last user login when a user logs
1467in interactively.
1468The default is
1469.Cm yes .
1470.It Cm PrintMotd
1471Specifies whether
1472.Xr sshd 8
1473should print
1474.Pa /etc/motd
1475when a user logs in interactively.
1476(On some systems it is also printed by the shell,
1477.Pa /etc/profile ,
1478or equivalent.)
1479The default is
1480.Cm yes .
1481.It Cm PubkeyAcceptedAlgorithms
1482Specifies the signature algorithms that will be accepted for public key
1483authentication as a list of comma-separated patterns.
1484Alternately if the specified list begins with a
1485.Sq +
1486character, then the specified algorithms will be appended to the default set
1487instead of replacing them.
1488If the specified list begins with a
1489.Sq -
1490character, then the specified algorithms (including wildcards) will be removed
1491from the default set instead of replacing them.
1492If the specified list begins with a
1493.Sq ^
1494character, then the specified algorithms will be placed at the head of the
1495default set.
1496The default for this option is:
1497.Bd -literal -offset 3n
1498ssh-ed25519-cert-v01@openssh.com,
1499ecdsa-sha2-nistp256-cert-v01@openssh.com,
1500ecdsa-sha2-nistp384-cert-v01@openssh.com,
1501ecdsa-sha2-nistp521-cert-v01@openssh.com,
1502sk-ssh-ed25519-cert-v01@openssh.com,
1503sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1504rsa-sha2-512-cert-v01@openssh.com,
1505rsa-sha2-256-cert-v01@openssh.com,
1506ssh-rsa-cert-v01@openssh.com,
1507ssh-ed25519,
1508ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1509sk-ssh-ed25519@openssh.com,
1510sk-ecdsa-sha2-nistp256@openssh.com,
1511rsa-sha2-512,rsa-sha2-256,ssh-rsa
1512.Ed
1513.Pp
1514The list of available signature algorithms may also be obtained using
1515.Qq ssh -Q PubkeyAcceptedAlgorithms .
1516.It Cm PubkeyAuthOptions
1517Sets one or more public key authentication options.
1518The supported keywords are:
1519.Cm none
1520(the default; indicating no additional options are enabled),
1521.Cm touch-required
1522and
1523.Cm verify-required .
1524.Pp
1525The
1526.Cm touch-required
1527option causes public key authentication using a FIDO authenticator algorithm
1528(i.e.\&
1529.Cm ecdsa-sk
1530or
1531.Cm ed25519-sk )
1532to always require the signature to attest that a physically present user
1533explicitly confirmed the authentication (usually by touching the authenticator).
1534By default,
1535.Xr sshd 8
1536requires user presence unless overridden with an authorized_keys option.
1537The
1538.Cm touch-required
1539flag disables this override.
1540.Pp
1541The
1542.Cm verify-required
1543option requires a FIDO key signature attest that the user was verified,
1544e.g. via a PIN.
1545.Pp
1546Neither the
1547.Cm touch-required
1548or
1549.Cm verify-required
1550options have any effect for other, non-FIDO, public key types.
1551.It Cm PubkeyAuthentication
1552Specifies whether public key authentication is allowed.
1553The default is
1554.Cm yes .
1555.It Cm RekeyLimit
1556Specifies the maximum amount of data that may be transmitted before the
1557session key is renegotiated, optionally followed by a maximum amount of
1558time that may pass before the session key is renegotiated.
1559The first argument is specified in bytes and may have a suffix of
1560.Sq K ,
1561.Sq M ,
1562or
1563.Sq G
1564to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1565The default is between
1566.Sq 1G
1567and
1568.Sq 4G ,
1569depending on the cipher.
1570The optional second value is specified in seconds and may use any of the
1571units documented in the
1572.Sx TIME FORMATS
1573section.
1574The default value for
1575.Cm RekeyLimit
1576is
1577.Cm default none ,
1578which means that rekeying is performed after the cipher's default amount
1579of data has been sent or received and no time based rekeying is done.
1580.It Cm RevokedKeys
1581Specifies revoked public keys file, or
1582.Cm none
1583to not use one.
1584Keys listed in this file will be refused for public key authentication.
1585Note that if this file is not readable, then public key authentication will
1586be refused for all users.
1587Keys may be specified as a text file, listing one public key per line, or as
1588an OpenSSH Key Revocation List (KRL) as generated by
1589.Xr ssh-keygen 1 .
1590For more information on KRLs, see the KEY REVOCATION LISTS section in
1591.Xr ssh-keygen 1 .
1592.It Cm RDomain
1593Specifies an explicit routing domain that is applied after authentication
1594has completed.
1595The user session, as well and any forwarded or listening IP sockets,
1596will be bound to this
1597.Xr rdomain 4 .
1598If the routing domain is set to
1599.Cm \&%D ,
1600then the domain in which the incoming connection was received will be applied.
1601.It Cm SecurityKeyProvider
1602Specifies a path to a library that will be used when loading
1603FIDO authenticator-hosted keys, overriding the default of using
1604the built-in USB HID support.
1605.It Cm SetEnv
1606Specifies one or more environment variables to set in child sessions started
1607by
1608.Xr sshd 8
1609as
1610.Dq NAME=VALUE .
1611The environment value may be quoted (e.g. if it contains whitespace
1612characters).
1613Environment variables set by
1614.Cm SetEnv
1615override the default environment and any variables specified by the user
1616via
1617.Cm AcceptEnv
1618or
1619.Cm PermitUserEnvironment .
1620.It Cm StreamLocalBindMask
1621Sets the octal file creation mode mask
1622.Pq umask
1623used when creating a Unix-domain socket file for local or remote
1624port forwarding.
1625This option is only used for port forwarding to a Unix-domain socket file.
1626.Pp
1627The default value is 0177, which creates a Unix-domain socket file that is
1628readable and writable only by the owner.
1629Note that not all operating systems honor the file mode on Unix-domain
1630socket files.
1631.It Cm StreamLocalBindUnlink
1632Specifies whether to remove an existing Unix-domain socket file for local
1633or remote port forwarding before creating a new one.
1634If the socket file already exists and
1635.Cm StreamLocalBindUnlink
1636is not enabled,
1637.Nm sshd
1638will be unable to forward the port to the Unix-domain socket file.
1639This option is only used for port forwarding to a Unix-domain socket file.
1640.Pp
1641The argument must be
1642.Cm yes
1643or
1644.Cm no .
1645The default is
1646.Cm no .
1647.It Cm StrictModes
1648Specifies whether
1649.Xr sshd 8
1650should check file modes and ownership of the
1651user's files and home directory before accepting login.
1652This is normally desirable because novices sometimes accidentally leave their
1653directory or files world-writable.
1654The default is
1655.Cm yes .
1656Note that this does not apply to
1657.Cm ChrootDirectory ,
1658whose permissions and ownership are checked unconditionally.
1659.It Cm Subsystem
1660Configures an external subsystem (e.g. file transfer daemon).
1661Arguments should be a subsystem name and a command (with optional arguments)
1662to execute upon subsystem request.
1663.Pp
1664The command
1665.Cm sftp-server
1666implements the SFTP file transfer subsystem.
1667.Pp
1668Alternately the name
1669.Cm internal-sftp
1670implements an in-process SFTP server.
1671This may simplify configurations using
1672.Cm ChrootDirectory
1673to force a different filesystem root on clients.
1674.Pp
1675By default no subsystems are defined.
1676.It Cm SyslogFacility
1677Gives the facility code that is used when logging messages from
1678.Xr sshd 8 .
1679The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1680LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1681The default is AUTH.
1682.It Cm TCPKeepAlive
1683Specifies whether the system should send TCP keepalive messages to the
1684other side.
1685If they are sent, death of the connection or crash of one
1686of the machines will be properly noticed.
1687However, this means that
1688connections will die if the route is down temporarily, and some people
1689find it annoying.
1690On the other hand, if TCP keepalives are not sent,
1691sessions may hang indefinitely on the server, leaving
1692.Qq ghost
1693users and consuming server resources.
1694.Pp
1695The default is
1696.Cm yes
1697(to send TCP keepalive messages), and the server will notice
1698if the network goes down or the client host crashes.
1699This avoids infinitely hanging sessions.
1700.Pp
1701To disable TCP keepalive messages, the value should be set to
1702.Cm no .
1703.It Cm TrustedUserCAKeys
1704Specifies a file containing public keys of certificate authorities that are
1705trusted to sign user certificates for authentication, or
1706.Cm none
1707to not use one.
1708Keys are listed one per line; empty lines and comments starting with
1709.Ql #
1710are allowed.
1711If a certificate is presented for authentication and has its signing CA key
1712listed in this file, then it may be used for authentication for any user
1713listed in the certificate's principals list.
1714Note that certificates that lack a list of principals will not be permitted
1715for authentication using
1716.Cm TrustedUserCAKeys .
1717For more details on certificates, see the CERTIFICATES section in
1718.Xr ssh-keygen 1 .
1719.It Cm UseDNS
1720Specifies whether
1721.Xr sshd 8
1722should look up the remote host name, and to check that
1723the resolved host name for the remote IP address maps back to the
1724very same IP address.
1725.Pp
1726If this option is set to
1727.Cm no
1728(the default) then only addresses and not host names may be used in
1729.Pa ~/.ssh/authorized_keys
1730.Cm from
1731and
1732.Nm
1733.Cm Match
1734.Cm Host
1735directives.
1736.It Cm UsePAM
1737Enables the Pluggable Authentication Module interface.
1738If set to
1739.Cm yes
1740this will enable PAM authentication using
1741.Cm ChallengeResponseAuthentication
1742and
1743.Cm PasswordAuthentication
1744in addition to PAM account and session module processing for all
1745authentication types.
1746.Pp
1747Because PAM challenge-response authentication usually serves an equivalent
1748role to password authentication, you should disable either
1749.Cm PasswordAuthentication
1750or
1751.Cm ChallengeResponseAuthentication.
1752.Pp
1753If
1754.Cm UsePAM
1755is enabled, you will not be able to run
1756.Xr sshd 8
1757as a non-root user.
1758The default is
1759.Cm no .
1760.It Cm VersionAddendum
1761Optionally specifies additional text to append to the SSH protocol banner
1762sent by the server upon connection.
1763The default is
1764.Cm none .
1765.It Cm X11DisplayOffset
1766Specifies the first display number available for
1767.Xr sshd 8 Ns 's
1768X11 forwarding.
1769This prevents sshd from interfering with real X11 servers.
1770The default is 10.
1771.It Cm X11Forwarding
1772Specifies whether X11 forwarding is permitted.
1773The argument must be
1774.Cm yes
1775or
1776.Cm no .
1777The default is
1778.Cm no .
1779.Pp
1780When X11 forwarding is enabled, there may be additional exposure to
1781the server and to client displays if the
1782.Xr sshd 8
1783proxy display is configured to listen on the wildcard address (see
1784.Cm X11UseLocalhost ) ,
1785though this is not the default.
1786Additionally, the authentication spoofing and authentication data
1787verification and substitution occur on the client side.
1788The security risk of using X11 forwarding is that the client's X11
1789display server may be exposed to attack when the SSH client requests
1790forwarding (see the warnings for
1791.Cm ForwardX11
1792in
1793.Xr ssh_config 5 ) .
1794A system administrator may have a stance in which they want to
1795protect clients that may expose themselves to attack by unwittingly
1796requesting X11 forwarding, which can warrant a
1797.Cm no
1798setting.
1799.Pp
1800Note that disabling X11 forwarding does not prevent users from
1801forwarding X11 traffic, as users can always install their own forwarders.
1802.It Cm X11UseLocalhost
1803Specifies whether
1804.Xr sshd 8
1805should bind the X11 forwarding server to the loopback address or to
1806the wildcard address.
1807By default,
1808sshd binds the forwarding server to the loopback address and sets the
1809hostname part of the
1810.Ev DISPLAY
1811environment variable to
1812.Cm localhost .
1813This prevents remote hosts from connecting to the proxy display.
1814However, some older X11 clients may not function with this
1815configuration.
1816.Cm X11UseLocalhost
1817may be set to
1818.Cm no
1819to specify that the forwarding server should be bound to the wildcard
1820address.
1821The argument must be
1822.Cm yes
1823or
1824.Cm no .
1825The default is
1826.Cm yes .
1827.It Cm XAuthLocation
1828Specifies the full pathname of the
1829.Xr xauth 1
1830program, or
1831.Cm none
1832to not use one.
1833The default is
1834.Pa /usr/X11R6/bin/xauth .
1835.El
1836.Sh TIME FORMATS
1837.Xr sshd 8
1838command-line arguments and configuration file options that specify time
1839may be expressed using a sequence of the form:
1840.Sm off
1841.Ar time Op Ar qualifier ,
1842.Sm on
1843where
1844.Ar time
1845is a positive integer value and
1846.Ar qualifier
1847is one of the following:
1848.Pp
1849.Bl -tag -width Ds -compact -offset indent
1850.It Aq Cm none
1851seconds
1852.It Cm s | Cm S
1853seconds
1854.It Cm m | Cm M
1855minutes
1856.It Cm h | Cm H
1857hours
1858.It Cm d | Cm D
1859days
1860.It Cm w | Cm W
1861weeks
1862.El
1863.Pp
1864Each member of the sequence is added together to calculate
1865the total time value.
1866.Pp
1867Time format examples:
1868.Pp
1869.Bl -tag -width Ds -compact -offset indent
1870.It 600
1871600 seconds (10 minutes)
1872.It 10m
187310 minutes
1874.It 1h30m
18751 hour 30 minutes (90 minutes)
1876.El
1877.Sh TOKENS
1878Arguments to some keywords can make use of tokens,
1879which are expanded at runtime:
1880.Pp
1881.Bl -tag -width XXXX -offset indent -compact
1882.It %%
1883A literal
1884.Sq % .
1885.It \&%D
1886The routing domain in which the incoming connection was received.
1887.It %F
1888The fingerprint of the CA key.
1889.It %f
1890The fingerprint of the key or certificate.
1891.It %h
1892The home directory of the user.
1893.It %i
1894The key ID in the certificate.
1895.It %K
1896The base64-encoded CA key.
1897.It %k
1898The base64-encoded key or certificate for authentication.
1899.It %s
1900The serial number of the certificate.
1901.It \&%T
1902The type of the CA key.
1903.It %t
1904The key or certificate type.
1905.It \&%U
1906The numeric user ID of the target user.
1907.It %u
1908The username.
1909.El
1910.Pp
1911.Cm AuthorizedKeysCommand
1912accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
1913.Pp
1914.Cm AuthorizedKeysFile
1915accepts the tokens %%, %h, %U, and %u.
1916.Pp
1917.Cm AuthorizedPrincipalsCommand
1918accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u.
1919.Pp
1920.Cm AuthorizedPrincipalsFile
1921accepts the tokens %%, %h, %U, and %u.
1922.Pp
1923.Cm ChrootDirectory
1924accepts the tokens %%, %h, %U, and %u.
1925.Pp
1926.Cm RoutingDomain
1927accepts the token %D.
1928.Sh FILES
1929.Bl -tag -width Ds
1930.It Pa /etc/ssh/sshd_config
1931Contains configuration data for
1932.Xr sshd 8 .
1933This file should be writable by root only, but it is recommended
1934(though not necessary) that it be world-readable.
1935.El
1936.Sh SEE ALSO
1937.Xr sftp-server 8 ,
1938.Xr sshd 8
1939.Sh AUTHORS
1940.An -nosplit
1941OpenSSH is a derivative of the original and free
1942ssh 1.2.12 release by
1943.An Tatu Ylonen .
1944.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,
1945.An Theo de Raadt
1946and
1947.An Dug Song
1948removed many bugs, re-added newer features and
1949created OpenSSH.
1950.An Markus Friedl
1951contributed the support for SSH protocol versions 1.5 and 2.0.
1952.An Niels Provos
1953and
1954.An Markus Friedl
1955contributed support for privilege separation.
1956