NAME
sshd2_config - format of configuration file for sshd2
CONFIGURATION FILE
Sshd2 reads configuration data from /etc/ssh2/sshd2_config
(or the file specified with -f on the command line). The
file contains keyword-value pairs, one per line. Lines
starting with '#' and empty lines are interpreted as
comments.
The following keywords are possible. Keywords are case
insensitive.
AllowAgentForwarding or ForwardAgent
Specifies whether agent forwarding is permitted. This
parameter is implemented mainly for completeness.
Usually, you should allow users to freely forward agent
connections. The argument must be "yes" or "no". The
default is "yes".
AllowedAuthentications
This keyword specifies the authentication methods that
are allowed. This is a comma-separated list currently
consisting of the following words: password, publickey
and hostbased. Each specifies an authentication
method. The default is "publickey,password". With
RequiredAuthentications, the system administrator can
force users to complete several authentications before
they are considered authenticated.
AllowCshrcSourcingWithSubsystems
If set to "no", gives an additional "-f" argument to csh
or tcsh when executing subsystems to prevent commands
in .cshrc (or .tcshrc) from interfering with, for
example, the sftp-server subsystem. The default is "no".
The argument must be "yes" or "no".
AllowGroups
This keyword can be followed by any number of group
name patterns, separated by commas. If specified, login
is allowed only if one of the groups the user belongs
to matches one of the patterns. Patterns are matched
using the zsh-fileglob-syntax (see sshregex(1)). You
can use the comma ',' character in the patterns by
escaping it with '\' (backslash). If you want to use
the escape character in the patterns, you have to
escape it ('\\'). By default, all users are allowed to
log in.
Note that all the other login authentication steps must
still be successfully completed. AllowGroups and
DenyGroups are additional restrictions.
AllowHosts
This keyword can be followed by any number of host name
patterns, separated by commas. If specified, login is
allowed only from hosts whose name matches one of the
patterns. Patterns are matched using the
zsh-fileglob-syntax (see sshregex(1)). Normal name servers
are used to map the client's host name into a canonical
host name. If the name cannot be mapped, the IP
address is used as the host name. By default, all
hosts are allowed to connect.
Note that sshd2 can also be configured to use
tcp_wrappers using the --with-libwrap compile-time
configuration option.
Note also that, to prevent people from circumventing this
parameter by logging in from hosts with names like
130.233.evil.org, you should use the [:isdigit:] or
similar constructs.
AllowSHosts
This keyword can be followed by any number of host name
patterns, separated by commas. If specified, the
.shosts (and .rhosts, /etc/hosts.equiv and
/etc/shosts.equiv) entries are only honored for hosts
whose name matches one of the patterns. '*' and '?'
can be used as wildcards in the patterns. Normal name
servers are used to map the client's host name into a
canonical host name. If the name cannot be mapped, the
IP address is used as the host name. By default, all
hosts are allowed to connect.
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. Note
that disabling TCP forwarding does not improve security
in any way, as users can always install their own
forwarders. The argument must be "yes" or "no". The
default is "yes".
AllowTcpForwardingForGroups
The syntax is the same as in AllowGroups, but instead
of login, this controls the ability to forward ports,
in remote or local forwarding. Note that disabling TCP
forwarding does not improve security in any way, as
users can always install their own forwarders. This
does, however, help if you deny the user shell access
at the same time. See ssh-dummy-shell(1). The argument
must be "yes" or "no". Forwarding is enabled by
default.
AllowTcpForwardingForUsers
Syntax is the same as in AllowUsers, but instead of
login, this controls the ability to forward ports, in
remote or local forwarding. Note that disabling TCP
forwarding does not improve security in any way, as
users can always install their own forwarders. This
does, however, help if you deny the user shell access
at the same time. See ssh-dummy-shell(1). The argument
must be "yes" or "no". Forwarding is enabled by
default.
AllowUsers
This keyword can be followed by any number of user name
patterns or user@host patterns, separated by commas.
Host name is handled as a pattern, so the rules below
apply. Host name can also be a pure DNS name or the IP
address. If specified, login is allowed as users whose
name matches one of the patterns. Patterns are matched
using the zsh-fileglob-syntax (see sshregex(1)). You
can use the comma ',' character in the patterns by
escaping it with '\' (backslash). If you want to use
the escape character in the patterns, you have to
escape it ('\\'). By default, all users are allowed to
log in.
Note that all the other login authentication steps must
still be successfully completed. AllowUsers and
DenyUsers are additional restrictions.
AllowX11Forwarding or X11Forwarding or ForwardX11
Specifies whether X11 forwarding is permitted. The
default is "yes". Note that disabling X11 forwarding
does not improve security in any way, as users can
always install their own forwarders. The argument must
be "yes" or "no".
AuthorizationFile
Specifies the name of the user's authorization file.
BannerMessageFile
Specifies the path to the message that is sent to the
client before authentication. Note, however, that the
client isn't obliged to show this message. The default
is /etc/ssh2/ssh_banner_message.
CheckMail
Specifies if sshd should print information whether
there is new mail or not when a user logs in
interactively. (On some systems this information is also
printed by the shell, /etc/profile, or equivalent.)
The argument must be "yes" or "no". The default is
"yes".
ChRootGroups
Specifies whether sshd should give the user who belongs
to the defined group a chrooted environment. This keeps
the user who belongs to this group in a "jail" where
they can only move around in their home directory and
lower. This is not a default option, but it can be
added, and the groups are defined on the server in
/etc/group. More than one group can be listed, and the
groups must be separated by a comma.
ChRootUsers
Specifies whether sshd should give the user a chrooted
environment. This keeps the user in a "jail" where they
can only move around in their home directory and lower.
This is not a default option, but it can be added, and
the users are defined on the server in /etc/passwd.
More than one user can be listed, and the users must be
separated by a comma.
Ciphers
Specifies the ciphers to use for encrypting the
session. Currently, des, 3des, blowfish, arcfour, twofish
and cast are supported. Multiple ciphers can be
specified as a comma-separated list. Special values for
this option are any; anystd, which allows only standard
(see below) ciphers (and 'none'); and anycipher, which
allows any available cipher but excludes the
nonencrypting cipher mode none. anystdcipher is the
same as anycipher above, but includes only those
ciphers mentioned in the IETF SecSH draft (excluding
'none').
DenyGroups
This keyword can be followed by any number of group
name patterns, separated by commas. If specified, login
is denied if one of the groups the user belongs to
matches one of the patterns. Patterns are matched using
the zsh-fileglob-syntax (see sshregex(1)). You can use
the comma ',' character in the patterns by escaping it
with '\' (backslash). If you want to use the escape
character in the patterns, you have to escape it
('\\'). By default, all users are allowed to log in.
If a user's group matches with both a pattern in
DenyGroups and one in AllowGroups, login will be denied.
Note that all the other login authentication steps must
still be successfully completed. AllowGroups and
DenyGroups are additional restrictions.
DenyHosts
This keyword can be followed by any number of host name
patterns, separated by commas. If specified, login is
disallowed from hosts whose names match any of the
patterns. See AllowHosts.
DenySHosts
This keyword can be followed by any number of host name
patterns, separated by commas. If specified, .shosts
(and .rhosts, /etc/hosts.equiv and /etc/shosts.equiv)
entries whose name matches any of the patterns will be
ignored.
DenyTcpForwardingForGroups
The syntax is the same as in DenyGroups, but instead of
login, this controls the ability to forward ports, in
remote or local forwarding. Note that disabling TCP
forwarding does not improve security in any way, as
users can always install their own forwarders. This
does, however, help if you deny the user shell access
at the same time. See ssh-dummy-shell(1). The argument
must be "yes" or "no". Forwarding is enabled by
default.
DenyTcpForwardingForUsers
The syntax is the same as in DenyUsers, but instead of
login, this controls the ability to forward ports, in
remote or local forwarding. Note that disabling TCP
forwarding does not improve security in any way, as
users can always install their own forwarders. This
does, however, help if you deny the user shell access
at the same time. See ssh-dummy-shell(1). The argument
must be "yes" or "no". Forwarding is enabled by
default.
DenyUsers
This keyword can be followed by any number of user name
patterns or user@host patterns, separated by commas.
Host name is handled as a pattern, so the rules below
apply. Host name can also be a pure DNS name or the IP
address. If specified, login is disallowed as users
whose name matches one of the patterns. Patterns are
matched using the zsh-fileglob-syntax (see
sshregex(1)). You can use the comma ',' character in the
patterns by escaping it with '\' (backslash). If you
want to use the escape character in the patterns, you
have to escape it ('\\'). By default, all users are
allowed to log in.
If a user's name matches with both a pattern in
DenyUsers and one in AllowUsers, login is denied.
Note that all the other login authentication steps must
still be successfully completed. AllowUsers and
DenyUsers are additional restrictions.
ForcePTTYAllocation
Force tty allocation, i.e., allocate a tty even if a
command is given. The argument must be "yes" or "no".
(not yet implemented)
ForwardAgent
See AllowAgentForwarding.
HostKeyFile
Specifies the file containing the private host key
(default /etc/ssh2/hostkey).
IdentityFile
Specifies the file containing the identity user public
key (default identification).
IgnoreRhosts
Specifies that the rhosts and shosts files will not be
used in "hostbased" authentication (see
AllowedAuthentications). /etc/hosts.equiv and
/etc/shosts.equiv are
still used (if "hostbased" authentication is used). The
argument must be "yes" or "no". The default is "no".
IgnoreRootRhosts
Specifies that the rhosts and shosts files will not be
used in authentication for root. The default is the
value of IgnoreRhosts.
KeepAlive
Specifies whether the system should send keepalive
messages to the other side. If they are sent, death of the
connection or crash of one of the machines will be
properly noticed. However, this means that connections
will die if the route is down temporarily, and some
people find it annoying. On the other hand, if
keepalives are not sent, sessions may hang indefinitely
on the server, leaving "ghost" users and consuming
server resources.
The default is "yes" (to send keepalives), and the
server will notice if the network goes down or the
client host reboots. This avoids infinitely hanging
sessions.
To disable keepalives, the value should be set to "no"
in both the server and the client configuration files.
ListenAddress
Specifies the IP address of the interface where the
sshd2 server socket is bound.
LoginGraceTime
The server disconnects after this time if the user has
not successfully logged in. If the value is 0, there
is no time limit. The default is 600 (seconds).
MACs
Specifies the MAC (Message Authentication Code)
algorithm to use for data integrity verification.
Currently, hmac-sha1, hmac-sha1-96, hmac-md5,
hmac-md5-96, hmac-ripemd160 and hmac-ripemd160-96 are
supported, of which hmac-sha1, hmac-sha1-96, hmac-md5 and
hmac-md5-96 are included in all distributions. Multiple
MACs can be specified as a comma-separated list.
Special values for this option are any; anystd, which
allows only standard (see below) MACs (and 'none'); and
anymac, which allows any available MAC but excludes
none. anystdmac is the same as anymac above, but
includes only those MACs mentioned in the IETF SecSH
draft (excluding 'none').
MaxBroadcastsPerSecond
Specifies how many UDP broadcasts the server handles per
second. The default value is 0, and no broadcasts are
handled at all. Broadcasts that exceed the limit are
silently ignored. Received unrecognized UDP datagrams
also consume the capacity defined by this option.
MaxConnections
Specifies the maximum number of connections sshd2 will
handle simultaneously. This is useful in systems where
spamming sshd2 with new connections can cause the
system to become unstable or crash. The argument is a
positive number. 0 means that the number of connections
is unlimited (by sshd2).
Note that by using (at least) xinetd you achieve the
same effect.
NoDelay
If "yes", enable socket option TCP_NODELAY. The
argument must be "yes" or "no". Default is "no".
PasswordAuthentication
Specifies whether to use password authentication. The
argument must be "yes" or "no". Note: This keyword is
deprecated. Use AllowedAuthentications and
RequiredAuthentications.
PasswordGuesses
Specifies the number of tries that the user has when
using password authentication. The default is 3. Then,
shalt thou count to three. No more. No less.
PermitEmptyPasswords
When password authentication is allowed, it specifies
whether the server allows login to accounts with empty
password strings. The argument must be "yes" or "no".
PermitRootLogin
Specifies whether root can log in using ssh2. May
be set to "yes", "nopwd", or "no". The default is
"yes", allowing root logins through any of the
authentication types allowed for other users. The "nopwd"
value disables password-authenticated root logins. The
"no" value disables root logins through any of the
authentication methods. ("nopwd" and "no" are
equivalent unless you have a .rhosts or .shosts in the
root home directory and you haven't set up public key
authentication for root.)
Root login with public key authentication when the
"command" option has been specified will be allowed
regardless of the value of this setting (which may be
useful for taking remote backups even if root login is
normally not allowed).
Port
Specifies the port number that sshd2 listens on. The
current default is 22.
PrintMotd
Specifies whether sshd2 should print /etc/motd when a
user logs in interactively. The default is "yes". The
argument must be "yes" or "no".
PubKeyAuthentication
Specifies whether to try public key authentication.
RSAAuthentication is a synonym for this keyword, and it
is defined for backwards compatibility with ssh1. The
argument must be "yes" or "no". Note: This keyword is
deprecated. Use AllowedAuthentications and
RequiredAuthentications.
PublicHostKeyFile
Specifies the file containing the public host key
(default /etc/ssh2/hostkey.pub). Note: In most cases,
the order of configuration parameters is not an issue.
Here, it is safest to specify HostKeyFile before this
parameter.
RandomSeedFile
Specifies the name of the random seed file.
RekeyIntervalSeconds
Specifies the interval in seconds at which the key
exchange will be done again. The default is 3600
seconds (1 hour). A value of '0' turns rekey requests
off. This doesn't prevent the client from requesting
rekeys. Other clients (not ssh2) may not have rekey
capabilities implemented correctly, and they might not
like rekey requests. This means that they may possibly
close the connection or even crash.
RequiredAuthentications
Related to AllowedAuthentications, this is used to
specify what authentication methods the users must
complete before continuing. If this value is left empty,
it does not mean that no authentications are required.
It means that the client can authenticate itself with
any of the authentications given in
AllowedAuthentications. This parameter has no default.
Note: This parameter has to be a subset of
AllowedAuthentications. Otherwise, the server denies
every connection.
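As an added example (not part of the sshd2 distribution or this manual), a small Python lint that applies the rules stated on this page: the file format from CONFIGURATION FILE, the comma-escaping rules of the pattern lists, the yes/no arguments, the requirement that RequiredAuthentications be a subset of AllowedAuthentications, the PermitRootLogin default, and the cipher/MAC special values that admit 'none'. It assumes that keyword and value are separated by whitespace, as in the subsystem-sftp line shown below.

```python
"""Lint an sshd2_config file against rules stated in the man page (added example,
not part of the sshd2 distribution). Assumes keyword and value are whitespace
separated, as in "subsystem-sftp sftp-server"."""

# Keywords the page documents as taking only "yes" or "no".
YES_NO = {"allowagentforwarding", "forwardagent", "allowtcpforwarding", "forwardx11",
          "allowx11forwarding", "x11forwarding", "checkmail", "ignorerhosts",
          "keepalive", "nodelay", "permitemptypasswords", "printmotd", "quietmode",
          "strictmodes", "userknownhosts", "requirereversemapping"}

def parse_config(text):
    """Return {lowercased keyword: value}; '#' lines and blank lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def split_list(value):
    """Split a comma list: '\\,' is a literal comma, '\\\\' a literal backslash."""
    items, cur, i = [], "", 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):   # escaped character
            cur, i = cur + value[i + 1], i + 2
        elif value[i] == ",":
            items.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + value[i], i + 1
    items.append(cur)
    return [s.strip() for s in items if s.strip()]

def lint(text):
    """Return a list of problems found in the configuration text."""
    conf, problems = parse_config(text), []
    for key in sorted(YES_NO & conf.keys()):
        if conf[key].lower() not in ("yes", "no"):
            problems.append(f"{key}: argument must be yes or no, got {conf[key]!r}")
    # Page defaults: AllowedAuthentications "publickey,password", Required empty.
    allowed = set(split_list(conf.get("allowedauthentications", "publickey,password")))
    required = set(split_list(conf.get("requiredauthentications", "")))
    if not required <= allowed:
        problems.append(f"RequiredAuthentications {sorted(required - allowed)} not in "
                        "AllowedAuthentications: server would deny every connection")
    if conf.get("permitrootlogin", "yes").lower() == "yes":   # page default is yes
        problems.append("PermitRootLogin yes: root may log in by any allowed method")
    if conf.get("permitemptypasswords", "").lower() == "yes":
        problems.append("PermitEmptyPasswords yes: empty-password accounts can log in")
    for key in ("ciphers", "macs"):
        values = {v.lower() for v in split_list(conf.get(key, ""))}
        # Per the page, 'any' and 'anystd' also admit the nonencrypting 'none'.
        if values & {"none", "any", "anystd"}:
            problems.append(f"{key}: permits 'none' (no encryption or integrity)")
    return problems
```

Run lint() over the contents of /etc/ssh2/sshd2_config; an empty list means none of the checked rules is violated.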
RequireReverseMapping
Specifies whether the DNS lookup of the client's host
name must succeed when checking whether connections from
the host are allowed using AllowHosts and DenyHosts. If
this is set to yes, the connection is denied when the
name lookup fails. If set to no, the remote host's IP
address is used for the check when the name lookup
fails. This is probably not what you want if you have
specified only host names (not IP addresses) with
{Allow,Deny}Hosts. The default is "no". The argument
must be "yes" or "no".
Subsystem-<subsystem name>
Specifies a subsystem. The argument is a command which
will be executed when the subsystem is requested.
Sftp uses a subsystem of sshd2 to transfer files
securely. In order to use the sftp server, you must
have the following subsystem definition:
subsystem-sftp sftp-server
QuietMode
Specifies whether the system runs in quiet mode. In
quiet mode, nothing is logged in the system log, except
fatal errors. The argument must be "yes" or "no".
Ssh1Compatibility
Specifies whether to use SSH1 compatibility code. With
this option, sshd1 is executed when the client supports
only SSH 1.x protocols. The argument must be "yes" or
"no".
Sshd1Path
Specifies the path to the sshd1 daemon, which will be
executed if the client supports only SSH 1.x protocols.
The arguments for sshd2 are passed on to sshd1.
SshPAMClientPath
Specifies the path to ssh-pam-client, which is used as
a helper application to converse with the PAM modules
by sshd2.
StrictModes
Specifies whether sshd2 should check file modes and
ownership of the user's home directory and rhosts files
before accepting login. This is normally desirable
because novices sometimes accidentally leave their
directory or files world-writable. The argument must be
"yes" or "no". The default is "yes". (not yet
implemented)
SyslogFacility
Gives the facility code that is used when logging
messages from sshd2. The possible values are: DAEMON,
USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4,
LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
UserConfigDirectory
Specifies where user-specific configuration data should
be fetched from. With this, the administrator can
control whichever configuration parameters they wish
that are normally the users' domain. This is given as a
pattern string which is expanded by sshd2. %D is the
user's home directory, %U is the user's login name, %IU
is the user's user ID (uid) and %IG is the user's group
ID (gid). The default is %D/.ssh2.
UserKnownHosts
Specifies whether the user's $HOME/.ssh2/knownhosts/
directory can be used to fetch host public keys when
using "hostbased" authentication. The argument must be
"yes" or "no". The default is "yes".
VerboseMode
Verbose mode. Causes sshd2 to print debugging messages
about its progress. This is helpful in debugging
connection, authentication, and configuration problems.
Also causes sshd2 to not fork on connection, so only
one connection is handled.
AUTHORS
SSH Communications Security Corp
For more information, see http://www.ssh.com.
SEE ALSO
sshd2(8)