sshd2_config(4)
NAME
sshd2_config - Configuration file for the sshd2 daemon
DESCRIPTION
The sshd2 daemon reads configuration data from the /etc/ssh2/sshd2_config file (or the file specified with the sshd2 -f command). The file contains keyword-argument pairs, one per line.
Empty lines and lines starting with the pound (#) sign are ignored as comments. Otherwise a line is of the format keyword arguments. It is possible to enclose arguments in quotes, and use the standard C convention. Configuration files are case sensitive, but keywords are not case sensitive.
Configuration blocks are not allowed in sshd2_config. Subconfiguration files can be specified in the main configuration file. See the HostSpecificConfig and UserSpecificConfig keyword explanations.
If changes are made in the main configuration file, sshd2 must be restarted. You can send a signal to it, such as # kill -HUP `cat /var/run/sshd2_22.pid` or, if the /var/run/ directory does not exist, # kill -HUP `cat /etc/ssh2/sshd2_22.pid`.
The following sshd2_config file keywords are allowed:

AllowAgentForwarding
    Specifies whether agent forwarding is permitted. Usually, you should allow users to freely forward agent connections. The argument must be yes or no. The default is yes.

AllowedAuthentications
    Specifies the authentication methods that the server uses to authenticate users. Supported authentication methods are: keyboard-interactive, password, publickey, kerberos-2@ssh.com, and kerberos-tgt-2@ssh.com. The default is publickey,password.

    You can specify any or all authentication methods. Use a comma-separated list when specifying more than one argument. The order in which authentication methods are listed is the order in which they are used. For example, if hostbased is listed first, the server will use hostbased authentication before trying the next listed authentication. The first successful authentication is the one used.

    With the RequiredAuthentications keyword, you can force users to complete several authentications before they are considered authenticated. See the explanation for the RequiredAuthentications keyword.

AllowGroups
    Follows any number of group name patterns, separated by commas. If specified, login is allowed only if one of the groups the user belongs to matches one of the patterns. Patterns are matched using the egrep syntax (see sshregex(5)), or the syntax specified in the metaconfiguration header of the configuration file. You can use the comma character in the patterns by escaping it with a backslash. By default, all groups are allowed to log in. However, all other authentication steps must be successfully completed. The AllowGroups and DenyGroups keywords are additional restrictions that never increase the tolerance.

AllowHosts
    Follows any number of host name patterns, separated by commas. If specified, login is allowed only if a host name matches one of the patterns. Patterns are matched using the egrep syntax (see sshregex(5)), or the syntax specified in the metaconfiguration section of the configuration file.

    If you want the pattern to match the host's IP address (ignoring the canonical host name), prefix your pattern with \i. You can also use subnet masks (e.g., 127.0.0.0/8) by prefixing the pattern with \m. DNS is used to map the client's host name into a canonical host name. If the name cannot be mapped, the IP address is used as the host name. By default, all hosts are allowed to connect. The sshd2 daemon can also be configured to use tcp_wrappers using the --with-libwrap compile-time configuration option.

AllowSHosts
    Follows any number of host name patterns, separated by commas. The entries in /etc/hosts.equiv and /etc/shosts.equiv are ignored if they do not match one of the patterns.

AllowTcpForwarding
    Specifies whether TCP forwarding is permitted. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time (see ssh-dummy-shell(1)). Any user who has a shell can install forwarders. The argument must be yes or no. The default is yes.

    This option is required if EnforceSecureRutils is enabled.
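The host pattern rules above (comma-separated egrep patterns with a backslash-escaped comma, the \i prefix for matching the client IP, the \m prefix for a subnet mask, and falling back to the IP address as the host name when DNS mapping fails) are easy to get wrong in an access-control review. The following is an added example, not code from the sshd2 distribution, that implements those rules so a configuration can be checked offline. It assumes Python's re module is an adequate stand-in for egrep syntax, and it applies the same matching to DenyHosts, which the man page does not spell out; the sample clients and patterns are constructed.

```python
"""AllowHosts/DenyHosts pattern matching as described in sshd2_config(4).

Added example, not sshd2 code. Rules taken from the man page text:
  * patterns are comma-separated; '\,' is a literal comma in a pattern
  * a '\i' prefix matches the client IP address, ignoring the canonical name
  * a '\m' prefix matches a subnet mask such as 127.0.0.0/8
  * otherwise the pattern matches the canonical host name from DNS, or the
    IP address when the name cannot be mapped
Assumption: Python 're' approximates egrep syntax; DenyHosts is matched the
same way as AllowHosts.
"""
import ipaddress
import re
from typing import List, Optional


def split_patterns(value: str) -> List[str]:
    """Split a comma-separated pattern list; a backslash escapes a comma."""
    out, cur, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] == ",":
            cur.append(",")          # escaped comma stays inside the pattern
            i += 2
            continue
        if ch == ",":
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    out.append("".join(cur).strip())
    return [p for p in out if p]


def host_matches(pattern: str, client_ip: str, canonical_name: Optional[str]) -> bool:
    """Match one AllowHosts/DenyHosts pattern against a connecting client."""
    if pattern.startswith("\\m"):
        # subnet mask, e.g. \m127.0.0.0/8
        network = ipaddress.ip_network(pattern[2:], strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.startswith("\\i"):
        # match the IP address, ignoring the canonical host name
        return re.fullmatch(pattern[2:], client_ip) is not None
    # DNS mapping failed: the IP address is used as the host name
    name = canonical_name if canonical_name else client_ip
    return re.fullmatch(pattern, name) is not None


def host_allowed(allow_hosts: str, deny_hosts: str,
                 client_ip: str, canonical_name: Optional[str]) -> bool:
    """Apply AllowHosts, then DenyHosts. Both only restrict: an empty
    AllowHosts admits every host, and any DenyHosts match denies."""
    allow = split_patterns(allow_hosts)
    deny = split_patterns(deny_hosts)
    if allow and not any(host_matches(p, client_ip, canonical_name) for p in allow):
        return False
    if any(host_matches(p, client_ip, canonical_name) for p in deny):
        return False
    return True


if __name__ == "__main__":
    # Constructed clients: one with a resolvable name, one without.
    print(host_allowed(r".*\.example\.com,\m10.0.0.0/8", r"\i10\.9\..*",
                       "10.8.1.1", None))                      # True
    print(host_allowed(r".*\.example\.com", "", "192.0.2.9", None))  # False
```

The second call shows the point RequireReverseMapping makes further down: a client whose name cannot be mapped is matched by its IP address, so a host-name-only AllowHosts silently rejects it.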
AllowTcpForwardingForGroups
    Specifies the group names that can forward ports. Use a comma-separated list when specifying more than one group name. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time (see ssh-dummy-shell(1)). Any user who has a shell can install forwarders. The argument must be yes or no. The default is yes (enable forwarding).

AllowTcpForwardingForUsers
    Specifies the names of users who can forward ports. Use a comma-separated list when specifying more than one user name. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time (see ssh-dummy-shell(1)). Any user who has a shell can install forwarders. The argument must be yes or no. The default is yes (enable forwarding).

AllowUsers
    Specifies the names of users who can log in. Use a comma-separated list when specifying more than one user name. User names can be entered as user@host_name where host_name is a DNS name or an IP address. By default, all users are allowed to log in. However, all other login authentication steps must be successfully completed. The AllowUsers and DenyUsers keywords specify additional restrictions.

AllowX11Forwarding
    Specifies whether X11 forwarding is permitted. Disabling X11 forwarding does not improve security, unless you deny the user shell access at the same time (see ssh-dummy-shell(1)). Any user who has a shell can install forwarders. The argument must be yes or no. The default is yes.

AuthInteractiveFailureTimeout
    Specifies the server delay, in seconds, after a failed attempt to log in using keyboard-interactive, password authentication. The default is 2.

AuthKbdInt.NumOptional
    Specifies how many optional submethods must be passed before the authentication is considered a success (all required submethods must be passed). See the AuthKbdInt.Optional explanation for specifying optional submethods, and the AuthKbdInt.Required explanation for required submethods. The default is 0. If no required submethods are specified, the client must pass at least one optional submethod.

AuthKbdInt.Optional
    Specifies the optional submethods keyboard-interactive will use. Defined submethods are: pam, securid, plugin, and password. The pam and securid submethods must have the necessary libraries and headers when the distribution is compiled. The pam submethod is usually available in binary packages if the architecture supports Pluggable Authentication Modules (PAM). The keyboard-interactive authentication method is considered a success when the specified amount of optional submethods and all required submethods are passed. The plugin submethod can be used if a system administrator wants to create a new authentication method. (See AuthKbdInt.Plugin, AuthKbdInt.NumOptional and AuthKbdInt.Required.)

AuthKbdInt.Plugin
    Specifies the program used by the keyboard-interactive plugin submethod. The sshd2 daemon, running as root, communicates with this program using a line-based protocol. There is no default for this keyword. It must be set if the plugin submethod is used. Otherwise, the submethod will fail and authentication could fail.

    More information about the protocol can be found in the distribution package. The RFC.kbdint_plugin_protocol file has a description of the protocol used; the kbdint_plugin_example.sh file is a sample script.

AuthKbdInt.Required
    Specifies the required submethods that must be passed before the keyboard-interactive authentication method can succeed. See AuthKbdInt.Optional.

AuthKbdInt.Retries
    Specifies how many times the user can retry keyboard-interactive. The default is 3.

AuthorizationFile
    Specifies the name of the user's authorization file.

AuthPublicKey.MaxSize
    Specifies the maximum size of a publickey that can be used to log in. Value 0 disables the check. The default is 0.

AuthPublicKey.MinSize
    Specifies the minimum size of a publickey that can be used to log in. Value 0 disables the check. The default is 0.

BannerMessageFile
    Specifies the path to the message that is sent to the client before authentication. The default path is /etc/ssh2/ssh_banner_message.

CheckMail
    Specifies whether information is displayed when there is new mail when a user logs in. The argument must be yes or no. The default is yes.

ChRootGroups
    Specifies the names of groups in which users who belong to those groups have a chrooted environment. A chrooted environment is one in which users are restricted to their home directory and its subdirectories. Groups are defined on the server in the /etc/group file. Use a comma-separated list when specifying more than one group name.

ChRootUsers
    Specifies the names of users who have a chrooted environment. A chrooted environment is one in which users are restricted to their home directory and its subdirectories. Users are defined on the server in the /etc/group file. Use a comma-separated list when specifying more than one user name.

Ciphers
    Specifies the Secure Shell ciphers to use for encrypting the session. Supported ciphers are: aes, blowfish, twofish, arcfour, cast, 3des, and des. Multiple ciphers can be specified as a comma-separated list. Special values for this option are: Any, AnyStd, none, AnyCipher, and AnyStdCipher. The Any value allows all ciphers including none. The AnyStd value allows only those mentioned in the IETF-SecSH draft plus none; none forbids any use of encryption. The AnyCipher and AnyStdCipher values are analogous to the first two cases but exclude none. The AnyStdCipher value is the default.
DenyGroups
    Follows any number of group name patterns, separated by commas. If specified, login is denied if one of the groups the user belongs to matches one of the patterns. Otherwise, this option is parsed and matched identically with AllowGroups. By default, all users are allowed to log in. If a user's group matches a pattern in both DenyGroups and AllowGroups, login will be denied. All other authentication steps must be successfully completed. The AllowGroups and DenyGroups keywords are additional restrictions and never increase the tolerance. Groups are defined on the server in the /etc/group file.

DenyHosts
    Specifies the names of hosts from which users can not log in. Use a comma-separated list when specifying more than one host name. By default, all hosts are allowed to log in.

DenySHosts
    Specifies the names of hosts from which users can not connect. The host name must be specified in the file, the file, the /etc/hosts.equiv file, or the /etc/shosts.equiv file. Use a comma-separated list when specifying more than one host name.

DenyTcpForwardingForGroups
    Specifies the names of groups who cannot forward ports. Use a comma-separated list when specifying more than one group name. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time (see ssh-dummy-shell(1)). Any user who has a shell can install forwarders. The argument must be yes or no.

DenyTcpForwardingForUsers
    Specifies the names of users who cannot forward ports. Use a comma-separated list when specifying more than one user name. Disabling TCP forwarding does not improve security, unless you deny the user shell access at the same time (see ssh-dummy-shell(1)). Any user who has a shell can install forwarders. The argument must be yes or no.

DenyUsers
    Specifies the names of users who cannot log in. Use a comma-separated list when specifying more than one user name. User names can be entered as user@host_name where host_name is a DNS name or the IP address. By default, all users are allowed to log in. Note that all other login authentication steps must still be successfully completed. If a user's name matches a pattern in both DenyUsers and AllowUsers, login is denied.

ExternalAuthorizationProgram
    Verifies whether the user is authorized to log in. The sshd2 daemon, running as root, communicates with this program using a line-based protocol. There is no default for this keyword. It must be set if the plugin submethod is used. Otherwise, the submethod will fail and authentication could fail.

    More information about the protocol can be found in the distribution package. The RFC.kbdint_plugin_protocol file has a description of the protocol used; the kbdint_plugin_example.sh file is a sample script.

ExternalMapper
    Specifies an external mapper program for the preceding Pki keyword. When a certificate is received and is valid under the Pki block in question, the external mapper is executed and the certificate is written to its standard input. The external mapper is expected to output a newline-separated list of user names. If the user name is found in the list, the authentication succeeds; otherwise, the authentication using the certificate in question fails. The ExternalMapper keyword will override all MapFile keywords for the current (preceding) Pki keyword. If multiple ExternalMapper keywords are specified for a Pki block, the first one is used.

ExternalMapperTimeout
    Specifies an external mapper timeout for the preceding Pki keyword. If the server is unable to read the full output from an external mapper in the given period, the operation will fail and the external mapper program will be terminated. The default timeout is 10 seconds. If multiple ExternalMapperTimeout keywords are specified for a Pki block, the first one is used.

ForwardACL
    Controls what the client is allowed to forward and where it is forwarded. The format for this option is:

        (allow|deny) (local|remote) user-pat forward-pat [originator-pat]

    The user-pat pattern will be used to match the client user, as specified under the UserSpecificConfig option. The format for the forward-pat pattern is:

        host-id[%port]

    This has different interpretations depending on whether the ACL is specified for local or remote forwards. For local forwards, the host-id will match the target host of the forwarding, as specified under the AllowHosts option. The port will match with the target port. If the client sends a host name, the IP will be looked up from the DNS, which will be used to match the pattern. For remote forwardings, where the forward target is not known (the client handles that end of the connection), ForwardACL will be used to match the listen address specified by the user. The port will match the server port designated by the forward. With local forwards, the originator-pat pattern will match the originator address that the client reported.

    If you do not administer the client machine, or the users on that machine have shell access, they can use a modified copy of Secure Shell to lie about the originator address. Also, with Network Address Translation (NAT) the originator address will not be meaningful; it probably will be an internal network address. So, you should not rely on the originator address with local forwards.

    With remote forwards, the originator-pat will match the IP address of the host connecting to the forwarded port. This will be valid information, because the server checks the information.

    If you specify any allow directives, all forwards in that class (local or remote) not specifically allowed will be denied. Local and remote forwards are separate in this respect. For example, if you have one "allow remote" definition, local forwards are still allowed, pending other restrictions. If a forward matches allow and deny directives, the forwarding will be denied. If you specify {Allow,Deny}TcpForwardingFor{Users,Groups} or AllowTcpForwarding, and the forwarding for the user is disabled, an allow directive will not re-enable the forwarding for the user. Forwarding is enabled by default. See AllowAgentForwarding.
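The ForwardACL rules above combine several precedence rules (default-deny once any allow exists in a class, deny beating allow, local and remote classes being independent, and a disabled user never being re-enabled by an allow). The following added example, which is not sshd2 code, parses ForwardACL lines and evaluates a forward request against them so those rules can be exercised. It assumes Python's re module for egrep patterns, that the host-id of a local forward is compared with the resolved target IP, and the sample ACL and requests are constructed.

```python
"""Evaluation of ForwardACL directives following sshd2_config(4).

Added example, not sshd2 code. Rules implemented from the man page text:
  * line format: (allow|deny) (local|remote) user-pat forward-pat [originator-pat]
  * forward-pat is host-id[%port]
  * once any 'allow' exists for a class (local/remote), forwards in that class
    not explicitly allowed are denied; the other class is unaffected
  * a forward matching both allow and deny directives is denied
  * when forwarding is disabled for the user (AllowTcpForwarding or the
    {Allow,Deny}TcpForwardingFor{Users,Groups} keywords), no allow re-enables it
Assumptions: egrep patterns approximated with re.fullmatch; for local forwards
'host' is the resolved target IP, for remote forwards the requested listen address.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "local" or "remote"
    user_pat: str
    host_pat: str
    port_pat: Optional[str]
    orig_pat: Optional[str]


def parse_forward_acl(lines: List[str]) -> List[Rule]:
    """Parse ForwardACL argument strings into Rule objects."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) not in (4, 5):
            raise ValueError(f"malformed ForwardACL: {line!r}")
        action, direction, user_pat, fwd = parts[:4]
        if action not in ("allow", "deny") or direction not in ("local", "remote"):
            raise ValueError(f"malformed ForwardACL: {line!r}")
        host_pat, _, port_pat = fwd.partition("%")
        rules.append(Rule(action, direction, user_pat, host_pat, port_pat or None,
                          parts[4] if len(parts) == 5 else None))
    return rules


def _matches(rule: Rule, user: str, host: str, port: int, originator: str) -> bool:
    """True when every pattern present in the rule matches the request."""
    if re.fullmatch(rule.user_pat, user) is None:
        return False
    if re.fullmatch(rule.host_pat, host) is None:
        return False
    if rule.port_pat is not None and re.fullmatch(rule.port_pat, str(port)) is None:
        return False
    if rule.orig_pat is not None and re.fullmatch(rule.orig_pat, originator) is None:
        return False
    return True


def forward_permitted(rules: List[Rule], direction: str, user: str, host: str,
                      port: int, originator: str, user_forwarding_enabled: bool = True) -> bool:
    """Decide a single forward request under the ForwardACL precedence rules."""
    if not user_forwarding_enabled:
        return False   # an allow directive never re-enables disabled forwarding
    in_class = [r for r in rules if r.direction == direction]
    hits = [r for r in in_class if _matches(r, user, host, port, originator)]
    if any(r.action == "deny" for r in hits):
        return False   # deny wins when both allow and deny match
    if any(r.action == "allow" for r in in_class):
        return any(r.action == "allow" for r in hits)   # default-deny once allows exist
    return True        # no allow directives in this class: forwarding enabled by default


# Constructed sample ACL (not from any real configuration).
SAMPLE_ACL = parse_forward_acl([
    r"allow local  .*    192\.0\.2\.10%443",
    r"deny  local  alice .*",
    r"deny  remote .*    0\.0\.0\.0",
    r"allow remote .*    127\.0\.0\.1%9000 10\..*",
])

if __name__ == "__main__":
    print(forward_permitted(SAMPLE_ACL, "local", "bob", "192.0.2.10", 443, "198.51.100.1"))   # True
    print(forward_permitted(SAMPLE_ACL, "local", "bob", "192.0.2.10", 22, "198.51.100.1"))    # False
```

Note that the originator pattern on the remote rule is trusted only because, as the text says, the server itself observes the connecting address for remote forwards; for local forwards the originator is client-reported and the same pattern gives no assurance.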
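The ExternalMapper and ExternalMapperTimeout entries above define a small contract between sshd2 and a mapper program: certificate on standard input, newline-separated user names on standard output, and termination of the mapper if its full output is not read within the timeout (default 10 seconds). The following added example, which is not sshd2 code, shows the server-side half of that exchange with the timeout handled. The mapper programs are constructed inline stand-ins (one answers, one hangs) and the certificate is a placeholder byte string, not a real certificate.

```python
"""Running an ExternalMapper program as described in sshd2_config(4).

Added example, not sshd2 code. Contract taken from the man page text:
  * the certificate is written to the mapper's standard input
  * the mapper prints a newline-separated list of user names
  * the login succeeds only if the requested user name is in that list
  * if the full output is not read within ExternalMapperTimeout seconds
    (default 10), the mapper is terminated and the operation fails
The mappers below are constructed stand-ins; the certificate is a placeholder.
"""
import subprocess
import sys
from typing import List

DEFAULT_EXTERNAL_MAPPER_TIMEOUT = 10  # seconds, the documented default


def run_external_mapper(argv: List[str], certificate: bytes,
                        timeout: float = DEFAULT_EXTERNAL_MAPPER_TIMEOUT) -> List[str]:
    """Feed the certificate on stdin and return the user names the mapper printed.
    Returns [] (the authentication fails) on timeout or non-zero exit."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL)
    try:
        out, _ = proc.communicate(certificate, timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()            # the mapper program is terminated on timeout
        proc.communicate()     # reap it and close the pipes
        return []
    if proc.returncode != 0:
        return []
    text = out.decode("utf-8", "replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def certificate_maps_to_user(argv: List[str], certificate: bytes, user: str,
                             timeout: float = DEFAULT_EXTERNAL_MAPPER_TIMEOUT) -> bool:
    """The decision sshd2 makes: is the requested user in the mapper's list?"""
    return user in run_external_mapper(argv, certificate, timeout)


# Constructed stand-in mapper: consumes stdin, then prints fixed user names.
# A real mapper would derive the names from the certificate (e.g. its subject).
FAKE_MAPPER = [sys.executable, "-c",
               "import sys; sys.stdin.buffer.read(); print('alice\\nbackup')"]
# Constructed stand-in that never answers, to exercise the timeout path.
HANGING_MAPPER = [sys.executable, "-c", "import time; time.sleep(60)"]
PLACEHOLDER_CERT = b"-----PLACEHOLDER CERTIFICATE BYTES-----"

if __name__ == "__main__":
    print(certificate_maps_to_user(FAKE_MAPPER, PLACEHOLDER_CERT, "alice"))              # True
    print(run_external_mapper(HANGING_MAPPER, PLACEHOLDER_CERT, timeout=0.5))          # []
```

Both failure paths (timeout and non-zero exit) collapse to an empty list, so a misbehaving mapper can only fail closed; it can never map a certificate to a user it did not print.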
HostbasedAuthForceClientHostnameDNSMatch
    Fails host-based authentication if the host name given by the client does not match the one found in DNS. Defaults to no.

HostCa
    Works the same as in the ssh2_config file, but DefaultDomain is not used.

HostCaNoCRLs
    Works the same as in the ssh2_config file, but DefaultDomain is not used.

HostCertificateFile
    Similar to PublicHostKeyFile, except that the file is assumed to contain an X.509 certificate in binary format. The keyword must be paired with a corresponding HostKeyFile keyword. If multiple certificates with the same public key type (dss or rsa) are specified, only the first one is used.

HostKeyEkInitString
    Specifies the initialization string for the external host key provider. This is ignored when the keyword HostKeyEkProvider is not present or when external key support is not included in the software. See ssh-externalkeys(4) for details about specifying initialization strings.

HostKeyEkProvider
    Specifies the external host key provider. This is ignored when external key support is not included in the software. See ssh-externalkeys(4) for details about specifying providers.

HostKeyEkTimeOut
    Specifies the maximum time in seconds to wait for the keys from the external host key provider. This is ignored when external key support is not included in the software.

HostKeyFile
    Specifies the file containing the private host key. The default file is /etc/ssh2/hostkey.

HostSpecificConfig
    Specifies a subconfiguration file for the sshd2 daemon. The syntax for this option is pattern subconfig-file. The pattern will be used to match the client host, as specified under the AllowHosts option. The subconfig-file will then be read, and configuration data amended accordingly. The file is read before any protocol transactions begin. You can specify most of the options allowed in the main configuration file, and you can specify more than one subconfiguration file, in which case the patterns are matched and the files read in the order specified. Later defined values of configuration options will either override or amend the previous value depending on which option it is. The effect of redefining an option is described in the documentation for that option. For example, setting Ciphers in the subconfiguration file will override the old value, but setting AllowUsers will amend the value. See sshd2_subconfig(4) for information on subconfiguration settings. See also the UserSpecificConfig option.

IdleTimeOut
    Sets the idle timeout limit to time in seconds (s or nothing after the number), in minutes (m), in hours (h), in days (d), or in weeks (w). If the connection has been idle (all channels) for that time, the connection is closed. The default is zero, which disables idle timeouts.

IgnoreRhosts
    Specifies that the rhosts and shosts files will not be used in hostbased authentication (see AllowedAuthentications). The /etc/hosts.equiv and the /etc/shosts.equiv files are used (if hostbased authentication is used). The argument must be yes or no. The default is no.

IgnoreRootRhosts
    Specifies that the rhosts and shosts files will not be used in authentication for root. The default is the value of the IgnoreRhosts keyword.

KeepAlive
    Specifies whether the system should send keepalive messages. If they are sent, the loss of a connection or crash of a system will be noticed. However, this means that connections will die if the route is down temporarily. The argument must be yes or no. The default is yes (send keepalive messages). If keepalive messages are not sent, sessions may hang indefinitely on the server, leaving ghost users and consuming server resources. To disable keepalive messages, set the value to no in both the server and the client configuration files.

LdapServers
    Works the same as in the ssh2_config file.

ListenAddress
    Specifies the IP address of the interface where the sshd2 server socket is bound.

LoginGraceTime
    Specifies the time, in seconds, after which the server disconnects if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 600 (seconds).

MACs
    Specifies the Message Authentication Code (MAC) algorithm to use for data integrity verification. Supported MAC algorithms are: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, and hmac-ripemd160-96, of which hmac-sha1, hmac-sha1-96, hmac-md5 and hmac-md5-96 are included in all distributions.

    Use a comma-separated list when specifying more than one MAC. Special arguments to this keyword are Any, AnyStd, none, AnyMac, and AnyStdMac. The Any argument allows all MACs including none. The AnyStd argument allows only those mentioned in the IETF-SecSH draft and none. The none argument forbids any use of MACs. The AnyMac and AnyStdMac arguments are analogous to the first two cases but exclude none. The AnyStdMac argument is the default.

MapFile
    Specifies a mapping file for the preceding Pki keyword. Multiple mapping files are permitted for Pki keywords.

MaxBroadcastsPerSecond
    Specifies the maximum number of UDP broadcasts that the server will handle per second. The default value is 0 (i.e., no broadcasts are handled). Broadcasts that exceed the limit are silently ignored. Received unrecognized UDP datagrams also consume the capacity defined by this keyword.

MaxConnections
    Specifies the maximum number of connections that the sshd2 daemon will handle simultaneously. This is useful in systems where spamming the sshd2 daemon with new connections can cause the system to become unstable or crash. The argument is a positive number. An argument of zero means that the number of connections is unlimited. The same effect is achieved by using xinetd.

NoDelay
    Specifies whether to enable the TCP_NODELAY socket option. The argument must be yes or no. The default is no.

PasswdPath
    Specifies the location of the passwd program (or equivalent). By default this is set to where the configure script found it. This program will be run with the privileges of the user logging in.

PasswordGuesses
    Specifies the number of login attempts that the user is permitted when using password authentication. The default is 3 attempts.

PermitEmptyPasswords
    Specifies whether the server allows login to accounts with empty password strings when using password authentication. The argument must be yes or no. The default is yes.

PermitRootLogin
    Specifies whether root can log in using the ssh2 command.

    The argument must be yes, no, or nopwd. The default is yes. The nopwd value disables password-authenticated root logins. The no value disables root logins. The nopwd and no values are equivalent unless you have an or file in the root home directory and you have not set up public key authentication for root. Root login with public key authentication will be allowed regardless of the value of this setting (which may be useful for taking remote backups even if root login is usually not allowed).

Pki
    Enables user authentication using certificates. The ca-certificate must be an X.509 certificate in binary format. This keyword must be followed by one or more MapFile keywords.

    The validity of a received certificate is checked separately using each of the defined Pki keywords in turn until they are exhausted (in which case the authentication fails), or a positive result is achieved. If the certificate is valid, the mapping files are examined to determine whether the certificate allows the user to log in. A correct signature generated by a matching private key is always required.

PkiDisableCRLs
    Disables CRL checking for the preceding Pki keyword, if the argument is y. By default, CRL checking is y.

Port
    Specifies the port number where the sshd2 daemon listens. The default is port number 22.

PrintMotd
    Specifies whether the /etc/motd file is displayed when a user logs in. The argument must be yes or no. The default is yes.

PublicHostKeyFile
    Specifies the name of the file containing the public host key. The default is the /etc/ssh2/hostkey.pub file.

QuietMode
    Displays nothing in the system log except fatal errors. The argument must be yes or no. The default is no.

RandomSeedFile
    Specifies the name of the random seed file.

RekeyIntervalSeconds
    Specifies the number of seconds between key exchanges. The default is 3600 seconds (one hour). A value of zero turns rekey requests off. This does not prevent the client from requesting rekeys. Other clients might not have rekey capabilities implemented correctly, and might not support rekey requests. This means that they might terminate the connection or crash.

RequiredAuthentications
    Specifies the authentication methods that users must pass before connecting. Supported authentication methods are password, publickey, and hostbased. Use a comma-separated list when specifying more than one argument. If the value to this argument is not specified, the client can authenticate users by using any of the authentication methods specified by the AllowedAuthentications keyword. If a value is specified, the client must use the specified authentication method, and AllowedAuthentications is ignored.

    Note
    Prior to Secure Shell version 3.1.0, the RequiredAuthentications option was a required subset of AllowedAuthentications. This is no longer a requirement.

RequireReverseMapping
    Specifies whether a hostname DNS lookup must succeed when checking host connections from hosts that are defined by the AllowHosts and DenyHosts keywords.

    The argument must be yes or no. The default is no. If the argument is yes and the DNS name lookup fails, the connection is denied. If the argument is no and the DNS name lookup fails, the remote host's IP address is used to check whether it is allowed to connect. This might not be desirable if you defined only host names (not IP addresses) with the AllowHosts and DenyHosts keywords.

ResolveClientHostName
    Controls whether sshd2 will try to resolve the client IP. This is useful when you know that the DNS cannot be reached, and the query would cause additional delay in logging in. If you set this to no, you should not set RequireReverseMapping to yes. The default is yes. The argument must be yes or no.

SettableEnvironmentVars
    Follows any number of patterns, separated by commas. Patterns are matched using the egrep syntax (see sshregex(5)), or the syntax specified in the metaconfiguration header of the configuration file. You can use the comma character in the patterns by escaping it with a backslash. The /etc/ssh2/sshd2_config file specifies some common and safe environment variables. You can set some or all environment variables with this option. You can check whether a setting is allowed by the client (ssh2), by the user's $HOME/.ssh2/environment file or public key options. This option is not used when setting variables from /etc/environment or other root-only files. It only changes the setting of environment variables before the user's shell is run. After that, the user can set any environment variables.

SftpSysLogFacility
    Defines what log facility the sftp-server will use. By default this has no value (i.e., no logging is performed by the subsystem).

SocksServer
    Specifies the name of a socks server. Used when fetching certificates or CRLs from remote servers.

Ssh1Compatibility
    Specifies whether the sshd1 daemon is executed when the client supports only SSH 1.x protocols. The argument must be yes or no.

Sshd1ConfigFile
    Specifies an alternate configuration file for sshd1 for the case that sshd2 runs in compatibility mode. This is only used if sshd2 is executed with the -f command line option. If -f is not specified, sshd1 will read its configuration from the standard location, typically /etc/sshd_config.

Sshd1Path
    Specifies the path to the sshd1 daemon which will be executed if the client supports only SSH 1.x protocols. The arguments for the sshd2 daemon are passed to the sshd1 daemon.

StrictModes
    Specifies whether the sshd2 daemon should check file modes and ownership of the user's home directory and rhosts files before accepting login. This is desirable because novices sometimes leave their directory or files world-writable. The argument must be yes or no. The default is yes. (This is only used with host-based authentication.)

subsystem-<name>
    Specifies a subsystem. The argument is a command that will be executed when the subsystem is requested. The sftp command uses a subsystem of the sshd2 daemon to transfer files securely. In order to use the sftp server you must have the subsystem-sftp sftp-server definition (the default) or subsystem-sftp internal://sftp-server, which will execute an sftp-service internally in the child process.

    The child process usually executes a command using the user's shell, but in this case it will start to handle SFTP requests. This enables better logging in chrooted environments, and does not require any static binaries to be built. The only binary needed will be the sshd2 daemon.

SysLogFacility
    Specifies the facility code that is used when logging messages from the sshd2 daemon. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

UserConfigDirectory
    Specifies where user-specific configuration data can be retrieved. With this keyword, administrators can control configuration parameters that are usually the users' domain. This argument is a pattern string which is expanded by the sshd2 daemon. Argument %D is the user's home directory, %U is the user's login name, %IU is the user's user ID (uid), and %IG is the user's group ID (gid). The default is %D/.ssh2.

UserKnownHosts
    Specifies whether the user's $HOME/.ssh2/knownhosts/ directory can be used to get host public keys when using hostbased authentication. The argument must be yes or no. The default is yes.

UserSpecificConfig
    Reads configuration files when the user name the client is trying to log into is known. You can use patterns of the form user[%group][@host], where the pattern user is matched with the user name and UID, group is matched with the user's primary and any secondary groups, both group name and GID, and host is matched as described under the AllowHosts option. See sshd2_subconfig(4) for more information on what you can set in this subconfiguration file.

VerboseMode
    Prompts the sshd2 daemon to print debugging messages about its progress, and prevents it from handling more than one connection at a time. This is helpful in debugging connection, authentication, and configuration problems.

    Use the VerboseMode keyword only during interactive debugging. Do not use it when starting the sshd2 daemon via init.d.

XauthPath
    Specifies where to find the xauth program. This option is useful if you are using binaries and your X11 programs are installed where ssh2 might not find them. The default is set by the configure script.
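Several of the defaults listed above are permissive (PermitRootLogin yes, PermitEmptyPasswords yes, and the AnyStd cipher and MAC selections that admit none), so an sshd2_config that simply omits a keyword is not the same as a hardened one. The following added example, which is not part of the sshd2 distribution, parses the file format described in DESCRIPTION (keyword-argument pairs, # comments, case-insensitive keywords, quoted arguments with C escapes), applies the documented defaults for absent keywords, converts an IdleTimeOut value to seconds, and reports settings a reviewer would question. Which settings count as weak is this example's own judgement; the sample configuration is constructed.

```python
"""Parser and hardening audit for the sshd2_config keyword-argument format.

Added example, not part of the sshd2 distribution. Parsing follows the
sshd2_config(4) description: one keyword-argument pair per line, empty lines
and '#' lines ignored, keywords case-insensitive, arguments optionally in
double quotes using C escape conventions. The audit applies the defaults the
man page states (PermitRootLogin yes, PermitEmptyPasswords yes, AnyStdCipher,
AnyStdMac, StrictModes yes) so an absent keyword is judged by its default.
"""
import re
from typing import Dict, List

# Defaults as stated in the man page entries for each keyword.
DEFAULTS = {
    "permitrootlogin": "yes",
    "permitemptypasswords": "yes",
    "ciphers": "AnyStdCipher",
    "macs": "AnyStdMac",
    "strictmodes": "yes",
}

_C_ESCAPES = {"n": "\n", "t": "\t", "\\": "\\", '"': '"', "'": "'"}


def unquote(arg: str) -> str:
    """Strip surrounding double quotes and apply C escape conventions."""
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        body, out, i = arg[1:-1], [], 0
        while i < len(body):
            if body[i] == "\\" and i + 1 < len(body):
                out.append(_C_ESCAPES.get(body[i + 1], body[i + 1]))
                i += 2
            else:
                out.append(body[i])
                i += 1
        return "".join(out)
    return arg


def parse_sshd2_config(text: str) -> Dict[str, List[str]]:
    """Return {lowercased keyword: [argument, ...]} in file order. A list is
    kept because some keywords (MapFile, subsystem-*, Pki) may repeat."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # comment or empty line
        parts = line.split(None, 1)
        keyword = parts[0].lower()                     # keywords are not case sensitive
        argument = unquote(parts[1].strip()) if len(parts) == 2 else ""
        conf.setdefault(keyword, []).append(argument)
    return conf


def effective(conf: Dict[str, List[str]], keyword: str) -> str:
    """Last value wins for a single-valued keyword; else the documented default."""
    values = conf.get(keyword.lower())
    return values[-1] if values else DEFAULTS.get(keyword.lower(), "")


def parse_idle_timeout(value: str) -> int:
    """IdleTimeOut: a number with optional s/m/h/d/w suffix, returned in seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"bad IdleTimeOut: {value!r}")
    unit = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return int(m.group(1)) * unit[m.group(2)]


def audit(conf: Dict[str, List[str]]) -> List[str]:
    """Return findings about permissive settings, explicit or defaulted."""
    findings = []
    if effective(conf, "PermitRootLogin").lower() == "yes":
        findings.append("PermitRootLogin is yes (the default): prefer nopwd or no")
    if effective(conf, "PermitEmptyPasswords").lower() == "yes":
        findings.append("PermitEmptyPasswords is yes (the default): set no")
    for kw in ("Ciphers", "MACs"):
        chosen = [c.strip().lower() for c in effective(conf, kw).split(",")]
        if any(c in ("none", "any", "anystd") for c in chosen):
            findings.append(f"{kw} selection admits none ({effective(conf, kw)})")
    if effective(conf, "StrictModes").lower() != "yes":
        findings.append("StrictModes is not yes: world-writable home/rhosts files are accepted")
    return findings


# Constructed sample configuration (not a real deployment).
SAMPLE = """\
# sshd2_config sample
Port            22
Ciphers         AnyStd
MACs            hmac-sha1,hmac-sha1-96
PermitRootLogin nopwd
BannerMessageFile "/etc/ssh2/banner with spaces\\tand a tab"
IdleTimeOut     30m
"""

if __name__ == "__main__":
    for finding in audit(parse_sshd2_config(SAMPLE)):
        print(finding)
```

Run against the sample, the audit reports PermitEmptyPasswords (never set, so the default yes applies) and the Ciphers line, while PermitRootLogin nopwd and the explicit MAC list pass.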
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
SEE ALSO
Commands: sshd2(8)
Files: ssh_certificates(4), sshd2_subconfig(4), sshd-checkconf(4)
Others: sshregex(5)