Config-Model-OpenSsh
xt/sshd_config.html
<p style="margin-top: 1em"><b>Compression</b></p>
<p style="margin-left:17%;">Specifies whether compression
is enabled after the user has authenticated successfully.
The argument must be <b>yes</b>, <b>delayed</b> (a legacy
synonym for <b>yes</b>) or <b>no</b>. The default is
<b>yes</b>.</p>
<p style="margin-top: 1em"><b>DebianBanner</b></p>
<p style="margin-left:17%;">Specifies whether the
distribution-specified extra version suffix is included
during initial protocol handshake. The default is
<b>yes</b>.</p>
<p style="margin-top: 1em"><b>DenyGroups</b></p>
<p style="margin-left:17%;">This keyword can be followed by
a list of group name patterns, separated by spaces. Login is
disallowed for users whose primary group or supplementary
group list matches one of the patterns. Only group names are
valid; a numerical group ID is not recognized. By default,
login is allowed for all groups. The allow/deny directives
are processed in the following order: <b>DenyUsers</b>,
<b>AllowUsers</b>, <b>DenyGroups</b>, and finally
<b>AllowGroups</b>.</p>
<p style="margin-left:17%; margin-top: 1em">See PATTERNS in
ssh_config(5) for more information on patterns.</p>
<p style="margin-top: 1em"><b>DenyUsers</b></p>
<p style="margin-left:17%;">This keyword can be followed by
a list of user name patterns, separated by spaces. Login is
disallowed for user names that match one of the patterns.
Only user names are valid; a numerical user ID is not
recognized. By default, login is allowed for all users. If
the pattern takes the form USER@HOST then USER and HOST are
separately checked, restricting logins to particular users
from particular hosts. HOST criteria may additionally
contain addresses to match in CIDR address/masklen format.
The allow/deny directives are processed in the following
order: <b>DenyUsers</b>, <b>AllowUsers</b>,
<b>DenyGroups</b>, and finally <b>AllowGroups</b>.</p>
<p style="margin-left:17%; margin-top: 1em">See PATTERNS in
ssh_config(5) for more information on patterns.</p>
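<p style="margin-left:17%; margin-top: 1em">The processing order described above for <b>DenyUsers</b>, <b>AllowUsers</b>, <b>DenyGroups</b> and <b>AllowGroups</b>, as an added example that is not part of the manual page or of sshd(8). It is a simplified model: the function names and the sample configuration are constructed, Python's fnmatch stands in for the PATTERNS syntax, and negated patterns are not handled.</p>

```python
import ipaddress
from fnmatch import fnmatchcase

def _host_ok(spec, host, addr):
    """HOST part: CIDR address/masklen, or a wildcard pattern on name/address."""
    if "/" in spec:
        try:
            net = ipaddress.ip_network(spec, strict=False)
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False
    return fnmatchcase(host, spec) or fnmatchcase(addr, spec)

def _user_ok(pattern, user, host, addr):
    """USER or USER@HOST; USER and HOST are checked separately."""
    upat, sep, hpat = pattern.partition("@")
    if not fnmatchcase(user, upat):
        return False
    return _host_ok(hpat, host, addr) if sep else True

def login_allowed(cfg, user, groups, host, addr):
    """Return (allowed, deciding_directive) using the documented order."""
    if any(_user_ok(p, user, host, addr) for p in cfg.get("DenyUsers", [])):
        return False, "DenyUsers"
    allow_users = cfg.get("AllowUsers", [])
    if allow_users and not any(_user_ok(p, user, host, addr) for p in allow_users):
        return False, "AllowUsers"
    # A match in AllowUsers does not skip the group checks that follow.
    if any(fnmatchcase(g, p) for g in groups for p in cfg.get("DenyGroups", [])):
        return False, "DenyGroups"
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups and not any(fnmatchcase(g, p) for g in groups for p in allow_groups):
        return False, "AllowGroups"
    return True, "allowed"

# Constructed sample configuration (documentation address ranges).
CFG = {
    "DenyUsers": ["deploy@203.0.113.0/24"],
    "AllowUsers": ["alice", "deploy"],
    "DenyGroups": ["contractors"],
}

if __name__ == "__main__":
    print(login_allowed(CFG, "deploy", ["deploy"], "gw.example.net", "203.0.113.7"))
    print(login_allowed(CFG, "deploy", ["deploy"], "ci.example.net", "198.51.100.5"))
    print(login_allowed(CFG, "alice", ["staff", "contractors"], "pc.example.net", "198.51.100.9"))
    print(login_allowed(CFG, "bob", ["staff"], "pc.example.net", "198.51.100.9"))
```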
<p style="margin-top: 1em"><b>DisableForwarding</b></p>
<p style="margin-left:17%;">Disables all forwarding
features, including X11, ssh-agent(1), TCP and StreamLocal.
This option overrides all other forwarding-related options
and may simplify restricted configurations.</p>
<p style="margin-top: 1em"><b>ExposeAuthInfo</b></p>
<p style="margin-left:17%;">Writes a temporary file
containing a list of authentication methods and public
credentials (e.g. keys) used to authenticate the user. The
location of the file is exposed to the user session through
the SSH_USER_AUTH environment variable. The default is
<b>no</b>.</p>
<p style="margin-top: 1em"><b>FingerprintHash</b></p>
<p style="margin-left:17%;">Specifies the hash algorithm
used when logging key fingerprints. Valid options are:
<b>md5</b> and <b>sha256</b>. The default is
<b>sha256</b>.</p>
<p style="margin-top: 1em"><b>ForceCommand</b></p>
<p style="margin-left:17%;">Forces the execution of the
command specified by <b>ForceCommand</b>, ignoring any
command supplied by the client and <i>~/.ssh/rc</i> if
present. The command is invoked by using the user’s
login shell with the -c option. This applies to shell,
command, or subsystem execution. It is most useful inside a
<b>Match</b> block. The command originally supplied by the
client is available in the SSH_ORIGINAL_COMMAND environment
variable. Specifying a command of <b>internal-sftp</b> will
force the use of an in-process SFTP server that requires no
support files when used with <b>ChrootDirectory</b>. The
default is <b>none</b>.</p>
<p style="margin-top: 1em"><b>GatewayPorts</b></p>
<p style="margin-left:17%;">Specifies whether remote hosts
are allowed to connect to ports forwarded for the client. By
default, sshd(8) binds remote port forwardings to the
loopback address. This prevents other remote hosts from
connecting to forwarded ports. <b>GatewayPorts</b> can be
used to specify that sshd should allow remote port
forwardings to bind to non-loopback addresses, thus allowing
other hosts to connect. The argument may be <b>no</b> to
force remote port forwardings to be available to the local
host only, <b>yes</b> to force remote port forwardings to
bind to the wildcard address, or <b>clientspecified</b> to
allow the client to select the address to which the
forwarding is bound. The default is <b>no</b>.</p>
<p style="margin-top: 1em"><b>GSSAPIAuthentication</b></p>
<p style="margin-left:17%;">Specifies whether user
authentication based on GSSAPI is allowed. The default is
<b>no</b>.</p>
<p style="margin-top: 1em"><b>GSSAPIKeyExchange</b></p>
<p style="margin-left:17%;">Specifies whether key exchange
based on GSSAPI is allowed. GSSAPI key exchange
doesn’t rely on ssh keys to verify host identity. The
default is <b>no</b>.</p>
<p style="margin-top: 1em"><b>GSSAPICleanupCredentials</b></p>
<p style="margin-left:17%;">Specifies whether to
automatically destroy the user’s credentials cache on
logout. The default is <b>yes</b>.</p>
<p style="margin-top: 1em"><b>GSSAPIStrictAcceptorCheck</b></p>
<p style="margin-left:17%;">Determines whether to be strict
about the identity of the GSSAPI acceptor a client
authenticates against. If set to <b>yes</b> then the client
must authenticate against the host service on the current
hostname. If set to <b>no</b> then the client may
authenticate against any service key stored in the
machine’s default store. This facility is provided to
assist with operation on multi-homed machines. The default
is <b>yes</b>.</p>
<p style="margin-top: 1em"><b>GSSAPIStoreCredentialsOnRekey</b></p>
<p style="margin-left:17%;">Controls whether the
user’s GSSAPI credentials should be updated following
a successful connection rekeying. This option can be used to
accept renewed or updated credentials from a compatible
client. The default is <b>no</b>.</p>
<p style="margin-top: 1em"><b>HostbasedAcceptedKeyTypes</b></p>
<p style="margin-left:17%;">Specifies the key types that
will be accepted for hostbased authentication as a list of
comma-separated patterns. Alternately if the specified value
begins with a ’+’ character, then the specified
key types will be appended to the default set instead of
replacing them. If the specified value begins with a
’-’ character, then the specified key types
(including wildcards) will be removed from the default set
instead of replacing them. The default for this option
is:</p>
<p style="margin-left:21%; margin-top: 1em">ecdsa-sha2-nistp256-cert-v01@openssh.com,
<br>
ecdsa-sha2-nistp384-cert-v01@openssh.com, <br>
ecdsa-sha2-nistp521-cert-v01@openssh.com, <br>
ssh-ed25519-cert-v01@openssh.com, <br>
rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
<br>
ssh-rsa-cert-v01@openssh.com, <br>
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
<br>
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa</p>
<p style="margin-left:17%; margin-top: 1em">The list of
available key types may also be obtained using "ssh -Q
key".</p>
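<p style="margin-left:17%; margin-top: 1em">How the ’+’ and ’-’ prefixes change the default list above, as an added example that is not part of the manual page or of sshd(8). The function name is an assumption and Python's fnmatch stands in for the wildcard matching; the default list is copied from this page.</p>

```python
from fnmatch import fnmatchcase

# Default list as given on this page.
DEFAULT_KEY_TYPES = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
    "ssh-ed25519-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "rsa-sha2-256-cert-v01@openssh.com",
    "ssh-rsa-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]

def effective_key_types(value, default=DEFAULT_KEY_TYPES):
    """Model the resulting list for a HostbasedAcceptedKeyTypes value."""
    prefix = value[:1] if value[:1] in "+-" else ""
    names = [n for n in value[len(prefix):].split(",") if n]
    if prefix == "+":
        # Appended to the default set instead of replacing it.
        return list(default) + [n for n in names if n not in default]
    if prefix == "-":
        # Removed from the default set; wildcards are honoured.
        return [t for t in default if not any(fnmatchcase(t, p) for p in names)]
    # No prefix: the value replaces the default list.
    return names

if __name__ == "__main__":
    # "-ssh-rsa" leaves the ssh-rsa certificate type in place;
    # "-ssh-rsa*" removes both, while the rsa-sha2-* types stay.
    for v in ("-ssh-rsa", "-ssh-rsa*", "+ssh-dss", "ssh-ed25519"):
        print(v, "->", effective_key_types(v))
```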
<p style="margin-top: 1em"><b>HostbasedAuthentication</b></p>
<p style="margin-left:17%;">Specifies whether rhosts or
/etc/hosts.equiv authentication together with successful
public key client host authentication is allowed (host-based
authentication). The default is <b>no</b>.</p>
<p style="margin-top: 1em"><b>HostbasedUsesNameFromPacketOnly</b></p>
<p style="margin-left:17%;">Specifies whether or not the
server will attempt to perform a reverse name lookup when
matching the name in the <i>~/.shosts</i>, <i>~/.rhosts</i>,
and <i>/etc/hosts.equiv</i> files during
<b>HostbasedAuthentication</b>. A setting of <b>yes</b>
means that sshd(8) uses the name supplied by the client
rather than attempting to resolve the name from the TCP
connection itself. The default is <b>no</b>.</p>
<p style="margin-top: 1em"><b>HostCertificate</b></p>
<p style="margin-left:17%;">Specifies a file containing a
public host certificate. The certificate’s public key
must match a private host key already specified by