Config-Model-OpenSsh
xt/sshd_config.html view on Meta::CPAN
directories to support the user’s session. For an
interactive session this requires at least a shell,
typically sh(1), and basic <i>/dev</i> nodes such as
null(4), zero(4), stdin(4), stdout(4), stderr(4), and tty(4)
devices. For file transfer sessions using SFTP no additional
configuration of the environment is necessary if the
in-process sftp-server is used, though sessions which use
logging may require <i>/dev/log</i> inside the chroot
directory on some operating systems (see sftp-server(8) for
details).</p>
<p style="margin-left:17%; margin-top: 1em">For safety, it
is very important that the directory hierarchy be prevented
from modification by other processes on the system
(especially those outside the jail). Misconfiguration can
lead to unsafe environments which sshd(8) cannot detect.</p>
<p style="margin-left:17%; margin-top: 1em">The default is
<b>none</b>, indicating not to chroot(2).</p>
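<p style="margin-left:17%; margin-top: 1em">Because sshd(8) verifies only the path leading to the chroot and cannot detect an unsafe hierarchy inside it, a defender typically audits the jail's contents separately. The following Python checker is an added example (not code from this page, Config::Model or OpenSSH): it walks a ChrootDirectory tree and reports anything not owned by the trusted uid, anything group- or world-writable, and symlinks, skipping directories that are meant to be writable (such as a user's upload directory). The sample tree it builds is constructed for the demonstration, and it uses the current uid in place of root because a test cannot chown.</p>

```python
import os
import stat
import tempfile


def audit_chroot(root, trusted_uid=0, writable_ok=()):
    """List entries under a ChrootDirectory that a uid other than trusted_uid
    could modify. sshd checks only the path components leading to the jail; its
    contents (shell, /dev nodes, config) are the administrator's job. Paths in
    writable_ok (relative, e.g. the user's upload dir) and their subtrees are
    skipped. Returns [(relative_path, problem), ...]."""
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
    problems = []
    for full in entries:
        rel = os.path.relpath(full, root)
        if any(rel == ok or rel.startswith(ok + os.sep) for ok in writable_ok):
            continue
        st = os.lstat(full)  # lstat: a symlink inside a jail is itself suspicious
        if stat.S_ISLNK(st.st_mode):
            problems.append((rel, "symlink"))
            continue
        if st.st_uid != trusted_uid:
            problems.append((rel, f"owned by uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((rel, "group/world writable"))
    return problems


def make_sample_tree():
    """Constructed sample jail: 'etc' is wrongly group-writable, 'upload' is the
    intended writable directory. Returns (root, uid); the current uid stands in
    for root (0) because a test cannot chown."""
    root = tempfile.mkdtemp(prefix="chroot-demo-")
    os.chmod(root, 0o755)
    for sub, mode in (("dev", 0o755), ("etc", 0o775), ("upload", 0o777)):
        path = os.path.join(root, sub)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    motd = os.path.join(root, "etc", "motd")
    with open(motd, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(motd, 0o644)
    return root, os.getuid()
```

On a real system run it with trusted_uid=0 against the configured ChrootDirectory and list only the directories the user is supposed to write to in writable_ok.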
<p style="margin-top: 1em"><b>Ciphers</b></p>
<p style="margin-left:17%;">Specifies the ciphers allowed.
Multiple ciphers must be comma-separated. If the specified
value begins with a ’+’ character, then the
specified ciphers will be appended to the default set
instead of replacing them. If the specified value begins
with a ’-’ character, then the specified ciphers
(including wildcards) will be removed from the default set
instead of replacing them.</p>
<p style="margin-left:17%; margin-top: 1em">The supported
ciphers are:</p>
<p style="margin-left:24%; margin-top: 1em">3des-cbc <br>
aes128-cbc <br>
aes192-cbc <br>
aes256-cbc <br>
aes128-ctr <br>
aes192-ctr <br>
aes256-ctr <br>
aes128-gcm@openssh.com <br>
aes256-gcm@openssh.com <br>
chacha20-poly1305@openssh.com</p>
<p style="margin-left:17%; margin-top: 1em">The default
is:</p>
<p style="margin-left:24%; margin-top: 1em">chacha20-poly1305@openssh.com,
<br>
aes128-ctr,aes192-ctr,aes256-ctr, <br>
aes128-gcm@openssh.com,aes256-gcm@openssh.com</p>
<p style="margin-left:17%; margin-top: 1em">The list of
available ciphers may also be obtained using "ssh -Q
cipher".</p>
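<p style="margin-left:17%; margin-top: 1em">The following Python model of the Ciphers rules above is an added example (not code from this page, Config::Model or OpenSSH). It computes the effective cipher list for a replacement value, a '+' value and a '-' value from the supported and default lists quoted above, and flags CBC-mode ciphers that a '+' value would re-enable. Dropping names already present in the default list when appending is this example's choice, not documented sshd behaviour.</p>

```python
from fnmatch import fnmatchcase

# Names and default list exactly as given in the sshd_config(5) text above.
SUPPORTED_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


def effective_ciphers(value, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Return the cipher list that results from a Ciphers directive value.

    '+list' appends to the default set, '-list' removes names (wildcards
    allowed) from the default set, and a bare list replaces it. Names in a
    replacement or '+' list must be supported; a removal list is not checked
    because it may contain wildcards.
    """
    if value.startswith("-"):
        patterns = value[1:].split(",")
        return [c for c in default if not any(fnmatchcase(c, p) for p in patterns)]
    appending = value.startswith("+")
    names = (value[1:] if appending else value).split(",")
    unknown = [c for c in names if c not in supported]
    if unknown:
        raise ValueError(f"unsupported cipher(s): {', '.join(unknown)}")
    if appending:
        # names already in the default list are not repeated (this example's choice)
        return list(default) + [c for c in names if c not in default]
    return names


def weak_ciphers(ciphers):
    """Flag CBC-mode ciphers: none of them is in the default set, so a
    configuration that re-enables them with '+' deserves a second look."""
    return [c for c in ciphers if c.endswith("-cbc")]
```

On the host being audited, refresh SUPPORTED_CIPHERS from the output of "ssh -Q cipher", as the text above suggests.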
<p style="margin-top: 1em"><b>ClientAliveCountMax</b></p>
<p style="margin-left:17%;">Sets the number of client alive
messages which may be sent without sshd(8) receiving any
messages back from the client. If this threshold is reached
while client alive messages are being sent, sshd will
disconnect the client, terminating the session. It is
important to note that the use of client alive messages is
very different from <b>TCPKeepAlive</b>. The client alive
messages are sent through the encrypted channel and
therefore will not be spoofable. The TCP keepalive option
enabled by <b>TCPKeepAlive</b> is spoofable. The client
alive mechanism is valuable when the client or server depend
on knowing when a connection has become inactive.</p>
<p style="margin-left:17%; margin-top: 1em">The default
value is 3. If <b>ClientAliveInterval</b> is set to 15, and
<b>ClientAliveCountMax</b> is left at the default,
unresponsive SSH clients will be disconnected after
approximately 45 seconds.</p>
<p style="margin-top: 1em"><b>ClientAliveInterval</b></p>
<p style="margin-left:17%;">Sets a timeout interval in
seconds after which if no data has been received from the
client, sshd(8) will send a message through the encrypted
channel to request a response from the client. The default
is 0, indicating that these messages will not be sent to the
client.</p>
<p style="margin-top: 1em"><b>Compression</b></p>
<p style="margin-left:17%;">Specifies whether compression
is enabled after the user has authenticated successfully.
The argument must be <b>yes</b>, <b>delayed</b> (a legacy
synonym for <b>yes</b>) or <b>no</b>. The default is
<b>yes</b>.</p>
<p style="margin-top: 1em"><b>DebianBanner</b></p>
<p style="margin-left:17%;">Specifies whether the
distribution-specified extra version suffix is included
during initial protocol handshake. The default is
<b>yes</b>.</p>
<p style="margin-top: 1em"><b>DenyGroups</b></p>
<p style="margin-left:17%;">This keyword can be followed by
a list of group name patterns, separated by spaces. Login is
disallowed for users whose primary group or supplementary
group list matches one of the patterns. Only group names are
valid; a numerical group ID is not recognized. By default,
login is allowed for all groups. The allow/deny directives
are processed in the following order: <b>DenyUsers</b>,
<b>AllowUsers</b>, <b>DenyGroups</b>, and finally
<b>AllowGroups</b>.</p>
<p style="margin-left:17%; margin-top: 1em">See PATTERNS in
ssh_config(5) for more information on patterns.</p>
<p style="margin-top: 1em"><b>DenyUsers</b></p>
<p style="margin-left:17%;">This keyword can be followed by
a list of user name patterns, separated by spaces. Login is
disallowed for user names that match one of the patterns.
Only user names are valid; a numerical user ID is not
recognized. By default, login is allowed for all users. If
the pattern takes the form USER@HOST then USER and HOST are
separately checked, restricting logins to particular users
from particular hosts. HOST criteria may additionally
contain addresses to match in CIDR address/masklen format.
The allow/deny directives are processed in the following
order: <b>DenyUsers</b>, <b>AllowUsers</b>,
is readable and writable only by the owner. Note that not
all operating systems honor the file mode on Unix-domain
socket files.</p>
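<p style="margin-left:17%; margin-top: 1em">To show how the DenyUsers, AllowUsers, DenyGroups, AllowGroups processing order and the USER@HOST form with CIDR hosts documented above combine for one login attempt, here is an added Python evaluator (example code, not part of this page, Config::Model or OpenSSH). It assumes patterns use only the '*' and '?' wildcards (the '!' negation from PATTERNS is not modelled), that HOST is matched against the client's address only, as with UseDNS set to no, and that the directives are supplied as an in-memory dict; the sample configuration and addresses are constructed.</p>

```python
import ipaddress
from fnmatch import fnmatchcase


def _host_matches(pattern, addr):
    """HOST part of USER@HOST: a CIDR address/masklen or a wildcard pattern
    compared against the client's address string."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatchcase(addr, pattern)


def _user_matches(pattern, user, addr):
    """USER or USER@HOST pattern; USER and HOST are checked separately."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatchcase(user, upat) and _host_matches(hpat, addr)
    return fnmatchcase(user, pattern)


def login_allowed(cfg, user, groups, addr):
    """Apply the four directives in sshd's documented order.

    cfg maps directive names to their space-separated pattern strings; groups
    is the user's primary plus supplementary group names; addr is the client
    address. Returns (allowed, directive_that_decided).
    """
    deny_users = cfg.get("DenyUsers", "").split()
    allow_users = cfg.get("AllowUsers", "").split()
    deny_groups = cfg.get("DenyGroups", "").split()
    allow_groups = cfg.get("AllowGroups", "").split()
    if any(_user_matches(p, user, addr) for p in deny_users):
        return False, "DenyUsers"
    if allow_users and not any(_user_matches(p, user, addr) for p in allow_users):
        return False, "AllowUsers"
    if any(fnmatchcase(g, p) for g in groups for p in deny_groups):
        return False, "DenyGroups"
    if allow_groups and not any(fnmatchcase(g, p) for g in groups for p in allow_groups):
        return False, "AllowGroups"
    return True, "allowed"  # no directive matched, or no Allow* was set


# Constructed sample policy: block guests and a whole subnet, admit bob only
# from the internal range, and require an operations group.
SAMPLE_CFG = {
    "DenyUsers": "guest *@203.0.113.0/24",
    "AllowUsers": "alice bob@10.0.0.0/8",
    "DenyGroups": "contractors",
    "AllowGroups": "wheel ops*",
}
```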
<p style="margin-top: 1em"><b>StreamLocalBindUnlink</b></p>
<p style="margin-left:17%;">Specifies whether to remove an
existing Unix-domain socket file for local or remote port
forwarding before creating a new one. If the socket file
already exists and <b>StreamLocalBindUnlink</b> is not
enabled, <b>sshd</b> will be unable to forward the port to
the Unix-domain socket file. This option is only used for
port forwarding to a Unix-domain socket file.</p>
<p style="margin-left:17%; margin-top: 1em">The argument
must be <b>yes</b> or <b>no</b>. The default is
<b>no</b>.</p>
<p style="margin-top: 1em"><b>StrictModes</b></p>
<p style="margin-left:17%;">Specifies whether sshd(8)
should check file modes and ownership of the user’s
files and home directory before accepting login. This is
normally desirable because novices sometimes accidentally
leave their directory or files world-writable. The default
is <b>yes</b>. Note that this does not apply to
<b>ChrootDirectory</b>, whose permissions and ownership are
checked unconditionally.</p>
<p style="margin-top: 1em"><b>Subsystem</b></p>
<p style="margin-left:17%;">Configures an external
subsystem (e.g. file transfer daemon). Arguments should be a
subsystem name and a command (with optional arguments) to
execute upon subsystem request.</p>
<p style="margin-left:17%; margin-top: 1em">The command
<b>sftp-server</b> implements the SFTP file transfer
subsystem.</p>
<p style="margin-left:17%; margin-top: 1em">Alternately the
name <b>internal-sftp</b> implements an in-process SFTP
server. This may simplify configurations using
<b>ChrootDirectory</b> to force a different filesystem root
on clients.</p>
<p style="margin-left:17%; margin-top: 1em">By default no
subsystems are defined.</p>
<p style="margin-top: 1em"><b>SyslogFacility</b></p>
<p style="margin-left:17%;">Gives the facility code that is
used when logging messages from sshd(8). The possible values
are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3,
LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.</p>
<p style="margin-top: 1em"><b>TCPKeepAlive</b></p>
<p style="margin-left:17%;">Specifies whether the system
should send TCP keepalive messages to the other side. If
they are sent, death of the connection or crash of one of
the machines will be properly noticed. However, this means
that connections will die if the route is down temporarily,
and some people find it annoying. On the other hand, if TCP
keepalives are not sent, sessions may hang indefinitely on
the server, leaving "ghost" users and consuming
server resources.</p>
<p style="margin-left:17%; margin-top: 1em">The default is
<b>yes</b> (to send TCP keepalive messages), and the server
will notice if the network goes down or the client host
crashes. This avoids infinitely hanging sessions.</p>
<p style="margin-left:17%; margin-top: 1em">To disable TCP
keepalive messages, the value should be set to
<b>no</b>.</p>
<p style="margin-left:17%; margin-top: 1em">This option was
formerly called <b>KeepAlive</b>.</p>
<p style="margin-top: 1em"><b>TrustedUserCAKeys</b></p>
<p style="margin-left:17%;">Specifies a file containing
public keys of certificate authorities that are trusted to
sign user certificates for authentication, or <b>none</b> to
not use one. Keys are listed one per line; empty lines and
comments starting with ’#’ are allowed. If a
certificate is presented for authentication and has its
signing CA key listed in this file, then it may be used for
authentication for any user listed in the
certificate’s principals list. Note that certificates
that lack a list of principals will not be permitted for
authentication using <b>TrustedUserCAKeys</b>. For more
details on certificates, see the CERTIFICATES section in
ssh-keygen(1).</p>
<p style="margin-top: 1em"><b>UseDNS</b></p>
<p style="margin-left:17%; margin-top: 1em">Specifies
whether sshd(8) should look up the remote host name, and to
check that the resolved host name for the remote IP address
maps back to the very same IP address.</p>
<p style="margin-left:17%; margin-top: 1em">If this option
is set to <b>no</b> (the default) then only addresses and
not host names may be used in <i>~/.ssh/authorized_keys</i>
<b>from</b> and <b>sshd_config Match Host</b>
directives.</p>
<p style="margin-top: 1em"><b>UsePAM</b></p>
<p style="margin-left:17%; margin-top: 1em">Enables the
Pluggable Authentication Module interface. If set to
<b>yes</b> this will enable PAM authentication using
<b>ChallengeResponseAuthentication</b> and
<b>PasswordAuthentication</b> in addition to PAM account and
session module processing for all authentication types.</p>
<p style="margin-left:17%; margin-top: 1em">Because PAM
challenge-response authentication usually serves an
equivalent role to password authentication, you should
disable either <b>PasswordAuthentication</b> or
<b>ChallengeResponseAuthentication</b>.</p>
<p style="margin-left:17%; margin-top: 1em">If
<b>UsePAM</b> is enabled, you will not be able to run
sshd(8) as a non-root user. The default is <b>no</b>.</p>
<p style="margin-top: 1em"><b>VersionAddendum</b></p>
<p style="margin-left:17%;">Optionally specifies additional
text to append to the SSH protocol banner sent by the server
upon connection. The default is <b>none</b>.</p>
<p style="margin-top: 1em"><b>X11DisplayOffset</b></p>