*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->Tru64 Unix man pages -> sshd2_config (4)              
Title
Content
Arch
Section
 

sshd2_config(4)

Contents


NAME    [Toc]    [Back]

       sshd2_config - Configuration file for the sshd2 daemon

DESCRIPTION    [Toc]    [Back]

       The   sshd2  daemon  reads  configuration  data  from  the
       /etc/ssh2/sshd2_config file (or the  file  specified  with
       the sshd2 -f command).  The file contains keyword-argument
       pairs, one per line.

       Empty lines and lines starting with the pound (#) sign are
       ignored  as  comments.   Otherwise a line is of the format
       keyword arguments.  It is possible to enclose arguments in
       quotes,  and use the standard C convention.  Configuration
       files are case sensitive, but keywords are not case sensitive.


       Configuration  blocks  are  not  allowed  in sshd2_config.
       Subconfiguration files can be specified in the  main  configuration
 file. See the HostSpecificConfig and UserSpecificConfig
 keyword explanations.

       If changes are made in the main configuration file,  sshd2
       must be restarted. For example, if the /var/run/ directory
       does not exist, you can send a signal to  it,  such  as  #
       kill  -HUP `cat /var/run/sshd2_22.pid' or # kill -HUP `cat
       /etc/ssh2/sshd2_22.pid'.

       The following sshd2_configfile keywords are allowed: Specifies
  whether agent forwarding is permitted. Usually, you
       should allow users to freely  forward  agent  connections.
       The argument must be yes or no. The default is yes.  Specifies
 the authentication methods that the server  uses  to
       authenticate  users. Supported authentication methods are:
       keyboard-interactive,    password,     publickey,     kerberos-2@ssh.com,  and kerberos-tgt-2@ssh.com.  The default
       is publickey,password.

              You can specify any or all authentication  methods.
              Use  a  comma-separated  list  when specifying more
              than one argument. The order in  which  authentication
  methods are listed is the order in which they
              are used.  For  example,  if  hostbased  is  listed
              first, the server will use hostbased authentication
              before trying the next listed  authentication.  The
              first successful authentication is the one used.

              With  the  RequiredAuthentications keyword, you can
              force users  to  complete  several  authentications
              before  they  are considered authenticated. See the
              explanation for  the  RequiredAuthentications  keyword.
   Follows  any number of group name patterns,
              separated  by  commas.   If  specified,  login   is
              allowed  only if one of the groups the user belongs
              to matches  one  of  the  patterns.   Patterns  are
              matched  using  the egrep syntax (see sshregex(5)),
              or the syntax specified  in  the  metaconfiguration
              header of the configuration file.  You can  use the
              comma character in the patterns by escaping it with
              a backslash.  By default, all groups are allowed to
              log in.  However, all  other  authentication  steps
              must  be  successfully  completed.  The AllowGroups
              and DenyGroups keywords are additional restrictions
              that  never  increase  the  tolerance.  Follows any
              number of host name patterns, separated by  commas.
              If specified, log in is allowed only if a host name
              matches one of the patterns.  Patterns are  matched
              using  the  egrep  syntax (see sshregex(5)), or the
              syntax specified in the  metaconfiguration  section
              of the configuration file.

              If  you  want  the  pattern  to match the host's IP
              address (ignoring the canonical host name),  prefix
              your  pattern  with  \i.   You  can also use subnet
              masks (e.g. , 127.0.0.0/8) by prefixing the pattern
              with \m.  DNS is used to map the client's host name
              into a canonical host name. If the name  cannot  be
              mapped,  the  IP  address is used as the host name.
              By default, all hosts are allowed to  connect.  The
              sshd2   daemon   also  can  be  configured  to  use
              tcp_wrappers using the --with-libwrap  compile-time
              configuration  option.   Follows any number of host
              name patterns, separated by commas.  The entries in
              /etc/hosts.equiv  and /etc/shosts.equiv are ignored
              if they do not match one of the  patterns.   Specifies
 whether TCP forwarding is permitted. Disabling
              TCP forwarding does not  improve  security,  unless
              you  deny  the  user shell access at the same time.
              (See ssh-dummy-shell(1)). Any user who has a  shell
              can  install  forwarders.  The argument must be yes
              or no. The default is yes.

              This option is required if  EnforceSecureRutils  is
              enabled.   Specifies  the group names that can forward
 ports. Use a comma-separated list when  specifying
  more than one group name. Disabling TCP forwarding
 does not improve security, unless you  deny
              the  user shell access at the same time.  (See sshdummy-shell(1)). Any  user  who  has  a  shell  can
              install  forwarders.   The  argument must be yes or
              no. The default is yes (enable forwarding).  Specifies
  the names of users who can forward ports. Use
              a comma-separated list when  specifying  more  than
              one  user  name.  Disabling TCP forwarding does not
              improve security, unless you deny  the  user  shell
              access at the same time.  (See ssh-dummy-shell(1)).
              Any user who has a shell  can  install  forwarders.
              The  argument must be yes or no. The default is yes
              (enable forwarding).  Specifies the names of  users
              who  can  log  in.  Use a comma-separated list when
              specifying more than one user name. User names  can
              be  entered  as user@host_name where host_name is a
              DNS name or an IP address. By  default,  all  users
              are  allowed  to  log in.  However, all other login
              authentication  steps  must  be  successfully  completed.
   The  AllowUsers  and  DenyUsers  keywords
              specify additional restrictions.  Specifies whether
              X11 forwarding is permitted. Disabling X11 forwarding
 does not improve security, unless you deny  the
              user shell access at the same time. (See ssh-dummyshell(1)). Any user who has  a  shell  can  install
              forwarders..  The  argument  must be yes or no. The
              default is yes.  Specifies  the  server  delay,  in
              seconds,  after  a  failed  attempt to log in using
              keyboard-interactive, password authentication.  The
              default is 2.  Specifies how many optional submethods
 must be passed  before  the  authentication  is
              considered a success ( all required submethods must
              be passed). See the AuthKbdInt.Optional explanation
              for specifying optional submethods, and the AuthKbdInt.Required
 explanation for required  submethods.
              The  default  is  0.  If no required submethods are
              specified,  the  client  must  pass  at  least  one
              optional  submethod.   Specifies  the optional submethods
  keyboard-interactive  will  use.   Defined
              submethods are: pam, securid, plugin, and password.
              The pam and securid submethods must have the necessary
 libraries and headers when the distribution is
              compiled.  The pam submethod is  usually  available
              in  binary  packages  if  the architecture supports
              Pluggable Authentication Modules (PAM).   The  keyboard-interactive
  authentication method is considered
  a  success  when  the  specified   amount  of
              optional submethods and all required submethods are
              passed. The plugin submethod can be used if a  system
  administrator wants to  create a new authentication
  method.  (See  AuthKbdInt.Plugin,   AuthKbdInt.NumOptional
  and AuthKbdInt.Required. ) Specifies
 the program used by  the  keyboard-interactive
              plugin  submethod.  The  sshd2  daemon,  running as
              root, communicates with this program using a  linebased
  protocol.  There is no default for this keyword.
 It must be set if  the  plugin  submethod  is
              used.   Otherwise,  the  submethod  will  fail  and
              authentication could fail.

              More information about the protocol can be found in
              the   distribution   package.  The  RFC.kbdint_plugin_protocol
 file has a description of the protocol
              used; the kbdint_plugin_example.sh file is a sample
              script.  Specifies  the  required  submethods  that
              must  be  passed  before  the  keyboard-interactive
              authentication method  can  succeed.   See  AuthKbdInt.Optional.
   Specifies  how many times the user
              can retry keyboard-interactive.  The default is  3.
              Specifies  the  name  of  the  user's authorization
              file.  Specifies the maximum size  of  a  publickey
              that  can  be  used to log in. Value 0 disables the
              check. The default is  0.   Specifies  the  minimum
              size  of  a  publickey  that can be used to log in.
              Value 0 disables  the  check.  The  default  is  0.
              Specifies  the  path to the message that is sent to
              the client before authentication.  The default path
              is /etc/ssh2/ssh_banner_message.  Specifies whether
              information is displayed when  there  is  new  mail
              when  a  user logs in.  The argument must be yes or
              no. The default is yes.   Specifies  the  names  of
              groups  in  which  users who belong to those groups
              have a chrooted environment. A chrooted environment
              is  one in which users are restricted to their home
              directory  and  its  subdirectories.   Groups   are
              defined  on the server in the /etc/group file.  Use
              a comma-separated list when  specifying  more  than
              one  group  name.  Specifies the names of users who
              have a chrooted environment. A chrooted environment
              is  one in which users are restricted to their home
              directory and its subdirectories. Users are defined
              on  the server in the /etc/group file. Use a commaseparated
 list when specifying more than  one  user
              name.   Specifies  the  Secure Shell ciphers to use
              for encrypting the session.  Supported ciphers are:
              aes,  blowfish,  twofish,  arcfour, cast, 3des, and
              des.  Multiple ciphers can be specified as a commaseparated
  list.   Special  values  for this option
              are:   Any,   AnyStd,    none,    AnyCipher,    and
              AnyStdCipher.   The  Any  value  allows all ciphers
              including none. TheAnyStd value allows  only  those
              mentioned  in  the IETF-SecSH draft plus none; none
              forbids any use of encryption.  The  AnyCipher  and
              AnyStdCipher  values are analogous to the first two
              cases but exclude none. The AnyStdCipher  value  is
              the default.  Follows any number of group name patterns,
  separated by commas.  If  specified,  login
              is  denied if one of the groups the user belongs to
              matches  one  of  the  patterns.   Otherwise,  this
              option  is  parsed  and  matched  identically  with
              AllowGroups.  By  default, all users are allowed to
              log in. If a user's group matches a pattern in both
              DenyGroups and AllowGroups, login will  be  denied.
              All other authentication steps must be successfully
              completed.  The AllowGroups and DenyGroups keywords
              are  additional restrictions and never increase the
              tolerance. Groups are defined on the server in  the
              /etc/group file.  Specifies the names of hosts from
              which users can not log in. Use  a  comma-separated
              list  when  specifying  more than one host name. By
              default,  all hosts are allowed to log in.   Specifies
  the  names  of hosts from which users can not
              connect. The host name must  be  specified  in  the
              file,  the  file, the /etc/hosts.equiv file, or the
              /etc/shosts.equiv file. Use a comma-separated  list
              when specifying more than one host name.  Specifies
              the names of groups who cannot forward ports. Use a
              comma-separated  list when specifying more than one
              group  name.  Disabling  TCP  forwarding  does  not
              improve  security,  unless  you deny the user shell
              access at the same time.  (See ssh-dummy-shell(1)).
              Any  user  who  has a shell can install forwarders.
              The argument must be  yes  or  no.   Specifies  the
              names  of  users  who  cannot  forward ports. Use a
              comma-separated list when specifying more than  one
              user   name.  Disabling  TCP  forwarding  does  not
              improve security, unless you deny  the  user  shell
              access at the same time.  (See ssh-dummy-shell(1)).
              Any user who has a shell  can  install  forwarders.
              The  argument  must  be  yes  or no.  Specifies the
              names of users who cannot log in. Use a comma-separated
 list when specifying more than one user name.
              User names can be entered as  user@host_name  where
              host_name  is  a  DNS  name  or  the IP address. By
              default, all users are allowed  to  log  in.   Note
              that  all  other  login  authentication  steps must
              still be successfully completed.   If a user's name
              matches a pattern in both DenyUsers and AllowUsers,
              login is denied.   Verifies  whether  the  user  is
              authorized to log in.  The sshd2 daemon, running as
              root, communicates with this program using a  linebased
  protocol.  There is no default for this keyword.
 It must be set if  the  plugin  submethod  is
              used.   Otherwise,  the  submethod  will  fail  and
              authentication could fail.

              More information about the protocol can be found in
              the   distribution   package.  The  RFC.kbdint_plugin_protocol
 file has a description of the protocol
              used; the kbdint_plugin_example.sh file is a sample
              script.  Specifies an external mapper  program  for
              the  preceding  Pki  keyword. When a certificate is
              received and is valid under the Pki block in  question,
  the external mapper is executed and the certificate
 is written  to  its  standard  input.  The
              external  mapper  is  expected to output a newlineseparated
 list of user names. If the user  name  is
              found  in  the  list,  the authentication succeeds;
              otherwise, the authentication using the certificate
              in  question fails. The ExternalMapper keyword will
              override all MapFile keywords for the current (preceding)
  Pki  keyword.  If  multiple ExternalMapper
              keywords are specified for a Pki block,  the  first
              one  is used.  Specifies an external mapper timeout
              for the preceding Pki keyword.  If  the  server  is
              unable  to  read  the  full output from an external
              mapper in the given period, the operation will fail
              and  the   external  mapper  program will be terminated.
  The default timeout is 10 seconds. If  multiple
  ExternalMapperTimeout keywords are specified
              for a Pki block, the first one is  used.   Controls
              what the client is allowed to forward and  where it
              is  forwarded.  The  format  for  this  option  is:
              (allow|deny)  (local|remote)  user-pat  forward-pat
              [originator-pat]

              The user-pat pattern will  be  used  to  match  the
              client  user, as specified under  the UserSpecificConfig
 option.  The format for the forward-pat pattern
 is : host-id[%port]

              This  has  different  interpretations  depending on
              whether the ACL is specified for  local  or  remote
              forwards.  For  local  forwards,  the  host-id will
              match the target host of the forwarding, as  specified
  under  the  AllowHosts option.  The port will
              match with the target port. If the client  sends  a
              host  name,  the IP will be looked up from the DNS,
              which will be  used  to  match  the  pattern.   For
              remote forwardings, where the forward target is not
              known (the client handles that end of  the  connection),
  ForwardACL will be used to match the listen
              address specified by the user.  The port will match
              the  server  port  designated  by the forward. With
              local forwards,  the  originator-pat  pattern  will
              match   the  originator  address  that  the  client
              reported.

              If you do not administer the client machine, or the
              users  on  that machine have shell access, they can
              use a modified copy of Secure Shell  to  lie  about
              the  originator address. Also, with Network Address
              Translation (NAT) the originator address  will  not
              be meaningful; it probably will be an internal network
 address.  So, you should not rely on the originator
 address with local  forwards.

              With  remote   forwards,  the  originator-pat  will
              match the IP  address of the host connecting to the
              forwarded  port.  This  will  be valid information,
              because the server checks the information.  If  you
              specify  any allow directives, all forwards in that
              class (local or remote)  not  specifically  allowed
              will be denied. Local  and remote forwards are separate
 in this respect.  For example,  if  you  have
              one  "allow  remote" definition, local forwards are
              still allowed, pending other  restrictions.   If  a
              forward matches allow and deny directives, the forwarding
   will   be   denied.   If   you    specify
              {Allow,Deny}TcpForwardingFor{Users,Groups}       or
              AllowTcpForwarding, and the forwarding for the user
              is  disabled, an allow directive will not re-enable
              the forwarding for the user. Forwarding is  enabled
              by default.  See AllowAgentForwarding.  Fails hostbased
 authentication if the host name given by  the
              client  does  not  match  the  one  found  in DNS .
              Defaults to no.  Works the same as in the ssh2_config
 file, but DefaultDomain is not used.  Works the
              same as in the ssh2_config file, but  DefaultDomain
              is  not used.  Similar to PublicHostKeyFile, except
              that the file is assumed to contain an  X.509  certificate
  in  binary  format.   The keyword must be
              paired with a  corresponding  HostKeyFile  keyword.
              If  multiple  certificates with the same public key
              type (dss or rsa) are specified, only the first one
              is  used.   Specifies the initialization string for
              the external host key  provider.  This  is  ignored
              when  the  keyword HostKeyEkProvider is not present
              or when external key support is not included in the
              software. See ssh-externalkeys(4) for details about
              specifying initialization strings.   Specifies  the
              external  host  key  provider. This is ignored when
              external key support is not included in  the  software.
  See  ssh-externalkeys(4)  for  details about
              specifying providers.  Specifies the  maximum  time
              in  seconds  to wait for the keys from the external
              host key provider. This is  ignored  when  external
              key support is not included in the software.  Specifies
 the file containing the private host key. The
              default  file  is  /etc/ssh2/hostkey.   Specifies a
              subconfiguration file for the  sshd2  daemon.   The
              syntax  for  this option is pattern subconfig-file.
              The pattern will be used to match the client  host,
              as  specified under the AllowHostsoption.  The subconfig-file
 will then be  read,  and  configuration
              data  amended  accordingly. The file is read before
              any protocol transactions begin.  You  can  specify
              most  of the options allowed in the main configuration
 file, and you can specify more than  one  subconfiguration
  file, in which case the patterns are
              matched and the files read in the order  specified.
              Later  defined values of configuration options will
              either  override  or  amend  the   previous   value
              depending  on  which  option  it  is. The effect of
              redefining an option is          described  in  the
              documentation for that option. For example, setting
              Ciphers in the subconfiguration file will  override
              the  old  value, but  setting AllowUsers will amend
              the value.  See sshd2_subconfig(4) for  information
              on  subconfiguration  settings.  See also the UserSpecificConfig
 option.  Sets the idle timeout limit
              to time in seconds (s or nothing after  number), in
              minutes (m), in hours (h), in days (d), or in weeks
              (w).   If  the  connection has been idle (all channels)
 for weeks,  the  connection  is  closed.  The
              default  is  zero,  which  disables  idle timeouts.
              Specifies that the rhosts and shosts files will not
              be used in hostbased authentication (See AllowedAuthentications.)
  The   /etc/hosts.equiv   and   the
              /etc/shosts.equiv  files  are  used  (if  hostbased
              authentication is used). The argument must  be  yes
              or  no.  The  default  is  no.   Specifies that the
              rhosts and shosts files will not be used in authentication
  for root. The default is the value of the
              IgnoreRhosts keyword.  Specifies whether the system
              should  send keepalive messages.  If they are sent,
              the loss of a connection or crash of  a system will
              be  noticed.   However, this means that connections
              will die if the route  is  down  temporarily.   The
              argument  must  be  yes  or  no. The default is yes
              (send keepalive messages).  If  keepalive  messages
              are not sent, sessions may hang indefinitely on the
              server, leaving ghost users  and  consuming  server
              resources.   To disable keepalive messages, set the
              value to no in both the server and the client  configuration
   files.   Works  the  same  as  in  the
              ssh2_config file.  Specifies the IP address of  the
              interface  where  the sshd2 server socket is bound.
              Specifies the time, in  seconds,  that  the  server
              disconnects  after  a  user  has  not  successfully
              logged in.  If the value is 0,  there  is  no  time
              limit. The default is 600 (seconds).  Specifies the
              Message Authentication Code (MAC) algorithm to  use
              for  data  integrity  verification.   Supported MAC
              algorithms are: hmac-sha1, hmac-sha1-96,  hmac-md5,
              hmac-md5-96, hmac-ripemd160, and hmac-ripemd160-96,
              of  which  hmac-sha1,  hmac-sha1-96,  hmac-md5  and
              hmac-md5-96 are included in all distributions.

              Use  a  comma-separated  list  when specifying more
              than one MAC. Special arguments to this keyword are
              Any,  AnyStd, none, AnyMac, and AnyStdMac.  The Any
              argument allows all MACs including none. The AnyStd
              argument  allows  onlythose  mentioned in the IETFSecSH
 draft and none. The none argument forbids any
              use of MACs. The AnyMac and AnyStdMac arguments are
              analogous to the first two cases but exclude  none.
              The AnyStdMac argument is the default.  Specifies a
              mapping file for the preceding Pki keyword.  Multiple
  mapping  files are permitted for Pki keywords.
              Specifies the maximum number of UDP broadcasts that
              the  server  will  handle  per second.  The default
              value is  0  (i.e.,  no  broadcasts  are  handled).
              Broadcasts  that  exceed  the  limit  are  silently
              ignored. Received unrecognized UDP  datagrams  also
              consume  the  capacity  defined  by  this  keyword.
              Specifies the maximum number  of  connections  that
              the  sshd2  daemon will handle simultaneously. This
              is useful in systems where spamming the sshd2  daemon
  with  new  connections can cause the system to
              become unstable or crash. The argument is  a  positive
  number.  An  argument  of zero means that the
              number  of  connections  is  unlimited.   The  same
              effect  is  achieved  by  using  xinetd.  Specifies
              whether to enable the  TCP_NODELAY  socket  option.
              The  argument must be yes or no. The default is no.
              Specifies the location of the  passwd  program  (or
              equivalent).  By  default  this is set to where the
              configure script found it. This  pro-          gram
              will be run with the privileges of the user logging
              in.  Specifies the number of  login  attempts  that
              the user is permitted when using password authentication.
  The  default  is  3  attempts.   Specifies
              whether  the  server  allows login to accounts with
              empty password strings when using password  authentication.
  The  argument  must  be  yes  or no. The
              default is yes.  Specifies whether root can log  in
              using the ssh2 command.

              The argument must be yes, no, or nopwd. The default
              is yes.

              The  nopwd  value  disables  password-authenticated
              root  logins.   The  no value disables root logins.
              The nopwd and no are equivalent unless you have  an
              or file in the root home directory and you have not
              set up public key authentication  for  root.   Root
              login   with  public  key  authentication  will  be
              allowed regardless of the  value  of  this  setting
              (which may be useful for taking remote backups even
              if root login is  usually  not  allowed).   Enables
              user authentication using certificates. The ca-certificate
 must be an  X.509  certificate  in  binary
              format.  This  keyword  must  be followed by one or
              more MapFile keywords.

              The validity of a received certificate  is  checked
              separately  using  each of the defined Pki keywords
              in turn until they are exhausted (in which case the
              authentication  fails),  or  a  positive  result is
              achieved.  If the certificate is valid, the mapping
              files  are  examined  to determine whether the certificate
 allows the user to log in. Correct  signature
  generated by a matching private key is always
              required.  Disables CRL checking for the  preceding
              Pki  keyword,  if   argument is y.  By default, CRL
              checking is y.  Specifies the port number where the
              sshd2  daemon  listens.  The default is port number
              22.  Specifies whether the /etc/motd file  is  displayed
  when  a user logs in.  The argument must be
              yes or no. The default is yes.  Specifies the  name
              of  the  file  containing  the public host key. The
              default is the  /etc/ssh2/hostkey.pub  file.   Displays
  nothing  in  the  system  log  except  fatal
              errors. The argument must be yes or no. The default
              is no.  Specifies the name of the random seed file.
              Specifies  the  number  of  seconds   between   key
              exchanges.  The default is 3600 seconds (one hour).
              A value of zero turns rekey requests off. This does
              not  prevent  the  client  from  requesting rekeys.
              Other clients might  not  have  rekey  capabilities
              implemented  correctly, and might not support rekey
              requests. This means that they might terminate  the
              connection  or crash.  Specifies the authentication
              methods that users  must  pass  before  connecting.
              Supported authentication methods are password, publickey,
 and hostbased.  Use a comma-separated  list
              when  specifying  more  than  one  argument. If the
              value to this argument is not specified, the client
              can  authenticate users by using any of the authentications
 methods specified by the AllowedAuthentications
  keyword.   If  a  value  is specified, the
              client  must  use  the   specified   authentication
              method, and AllowedAuthentications is ignored.

                                     Note

              Prior   to   Secure   Shell   version   3.1.0,  the
              RequiredAuthentications option was a required  subset
  of AllowedAuthentications. This is no longer a
              requirement.   Specifies  whether  a  hostname  DNS
              lookup  must succeed when checking host connections
              from hosts that are defined by the  AllowHosts  and
              DenyHosts keywords.

              The argument must be yes or no.  The default is no.
              If the argument is yes  and  the  DNS  name  lookup
              fails, the connection is denied. If the argument is
              noand the DNS name lookup fails, the remote  host's
              IP  address  is used to check whether it is allowed
              to connect. This might  not  be  desirable  if  you
              defined  only  host  names  (not IP addresses) with
              AllowHosts  and   DenyHosts   keywords.    Controls
              whether  sshd2  will  try to resolve the client ip.
              This is useful when you know that the DNS cannot be
              reached, and the query would cause additional delay
              in logging in. If you set this to  no,  you  should
              not  set RequireReverseMapping to yes.  The default
              is yes.  The argument must be yes or  no.   Follows
              any  number of patterns, separated by commas.  Patterns
 are  matched  using  the  egrep  syntax  (see
              sshregex(5)),  or the syntax specified in the metaconfiguration
 header of  the   configuration  file.
              You  can use the comma character in the patterns by
              escaping    it    with     the     default.     The
              /etc/ssh2/sshd2_config  file  specifies some common
              and safe environment variables.  You can  set  some
              or  all environment variables with this option. You
              can check whether  a  setting  is  allowed  by  the
              client  (ssh2),  by the user's $HOME/.ssh2/environment
 file or public key options.   This  option  is
              not  used when setting variables from /etc/environment
 or other root-only files.  It only changes the
              setting  of environment variables before the user's
              shell is run.  After that, the  user  can  set  any
              environment  variables.   Defines what log facility
              the sftp-server  will use. By default this  has  no
              value (i.e., no logging is performed by the subsystem).
  Specifies the name of a socks  server.  Used
              when  fetching  certificates  or  CRLs  from remote
              servers.  Specifies whether the  sshd1  daemon   is
              executed when the client supports only SSH 1.x protocols.
 The argument must be yes or no.   Specifies
              an  alternate  configuration file for sshd1 for the
              case that sshd2 runs in compatibility mode. This is
              only  used if sshd2 is executed with the -f command
              line option.  If -fis  not  specified,  sshd1  will
              read  its configuration from the standard location,
              typically /etc/sshd_config.  Specifies the path  to
              the  sshd1  daemon  which  will  be executed if the
              client supports only SSH 1.x protocols.  The  arguments
  for the sshd2 daemon are passed to the sshd1
              daemon.  Specifies whether the sshd2 daemon  should
              check  file  modes and ownership of the user's home
              directory and rhosts files before accepting  login.
              This  is  desirable because novices sometimes leave
              their directory or files world-writable.  The argument
 must be yes or no.  The default is yes.  (This
              only used with host-based authentication.)   Specifies
 a subsystem. The argument is a commd that will
              be executed when the subsystem is  requested.   The
              sftp  command  uses a subsystem of the sshd2 daemon
              to transfer files securely. In  order  to  use  the
              sftp  server you must have the subsystem-sftp sftpserver
 definition (the default)  or  subsystem-sftp
              internal://sftp-server  which will execute an sftpservice
 internally in the child process.

              The child process usually executes a command  using
              the user's shell, but in this case it will start to
              handle SFTP requests. This enables  better  logging
              in  chrooted environments, and does not require any
              static binaries to be built. The only binary needed
              will  be  the sshd2 daemon.  Specifies the facility
              code that is used when logging  messages  from  the
              sshd2  daemon.  The  possible  values  are: DAEMON,
              USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4,
              LOCAL5,  LOCAL6,  LOCAL7.   The  default  is  AUTH.
              Specifies where  user-specific  configuration  data
              can be retrieved. With this keyword, administrators
              can control configuration parameters that are  usually
  the users' domain. This argument is a pattern
              string which is expanded by the sshd2 daemon. Argument
  %D  is  the  user's home directory, %U is the
              user's login name, %IU is the user's user ID (uid),
              and  %IG  is the user's group ID (gid). The default
              is  %D/.ssh2.    Specifies   whether   the   user's
              $HOME/.ssh2/knownhosts/  directory  can  be used to
              get host public keys when using hostbased authentication.
   The  argument  must  be  yes  or  no. The
              default is yes.  Reads configuration files when the
              user  name  the  client  is  trying  to log into is
              known.   You  can  use   patterns   of   the   form
              user[%group][@host],  where  the  pattern  user  is
              matched with  the  user  name  and  UID,  group  is
              matched  with  the user's primary and any secondary
              groups, both  group  name  and  GID,  and  host  is
              matched  as described under option AllowHosts.  See
              sshd2_subconfig(4) for more information on what you
              can set in this subconfiguration file.  Prompts the
              sshd2 daemon to print debugging messages about  its
              progress,  and  prevents it from handling more than
              one connecton at a time.  This is helpful in debugging
  connection, authentication, and configuration
              problems.  Specifies where to find the  xauth  program.
  This option is useful if you are using binaries
 and your X11 programs are installed where ssh2
              might not find them. The default is set by the configure
 script.

LEGAL NOTICES    [Toc]    [Back]

       SSH is a registered trademark of SSH  Communication  Security
 Ltd.

SEE ALSO    [Toc]    [Back]

      
      
       Commands: sshd2(8)

       Files:   Files:  ssh_certificates(4),  sshd2_subconfig(4),
       sshd-check-conf(4)

       Others: sshregex(5)



                                                  sshd2_config(4)
[ Back ]
 Similar pages
Name OS Title
sshd2_subconfig Tru64 Describes the subconfiguration that can be used for the sshd2 daemon
evmdaemon.conf Tru64 EVM daemon configuration file
sshd_config OpenBSD OpenSSH SSH daemon configuration file
sshd_config FreeBSD OpenSSH SSH daemon configuration file
rrenumd.conf FreeBSD configuration file for router renumbering daemon
rtradvd.conf HP-UX configuration file for router advertisement daemon
gated.control Tru64 Gate daemon configuration file (control statements)
gated.proto Tru64 Gate daemon configuration file (protocol statements)
ntpd.conf OpenBSD Network Time Protocol daemon configuration file
ip6rtrd.conf Tru64 IPv6 router daemon (ip6rtrd) configuration file
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service