Config-Model-OpenSsh

xt/sshd_config.html


<p style="margin-left:6%; margin-top: 1em">Note that the
Debian <b>openssh-server</b> package sets several options as
standard in <i>/etc/ssh/sshd_config</i> which are not the
default in sshd(8):</p>

<p style="margin-left:19%; margin-top: 1em"><b>&bull;</b> <b>ChallengeResponseAuthentication</b> no</p>

<p style="margin-left:19%;"><b>&bull;</b> <b>X11Forwarding</b> yes</p>

<p style="margin-left:19%;"><b>&bull;</b> <b>PrintMotd</b> no</p>

<p style="margin-left:19%;"><b>&bull;</b> <b>AcceptEnv</b> LANG LC_*</p>

<p style="margin-left:19%;"><b>&bull;</b> <b>Subsystem</b> sftp /usr/lib/openssh/sftp-server</p>

<p style="margin-left:19%;"><b>&bull;</b> <b>UsePAM</b> yes</p>

<p style="margin-left:6%; margin-top: 1em">The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are
case-sensitive):</p>

<p style="margin-top: 1em"><b>AcceptEnv</b></p>

<p style="margin-left:17%;">Specifies what environment
variables sent by the client will be copied into the
session&rsquo;s environ(7). See <b>SendEnv</b> and
<b>SetEnv</b> in ssh_config(5) for how to configure the
client. The TERM environment variable is always accepted
whenever the client requests a pseudo-terminal as it is
required by the protocol. Variables are specified by name,
which may contain the wildcard characters &lsquo;*&rsquo;
and &lsquo;?&rsquo;. Multiple environment variables may be
separated by whitespace or spread across multiple
<b>AcceptEnv</b> directives. Be warned that some environment
variables could be used to bypass restricted user
environments. For this reason, care should be taken in the
use of this directive. The default is not to accept any
environment variables.</p>

<p style="margin-top: 1em"><b>AddressFamily</b></p>

<p style="margin-left:17%;">Specifies which address family
should be used by sshd(8). Valid arguments are <b>any</b>
(the default), <b>inet</b> (use IPv4 only), or <b>inet6</b>
(use IPv6 only).</p>

<p style="margin-top: 1em"><b>AllowAgentForwarding</b></p>

<p style="margin-left:17%;">Specifies whether ssh-agent(1)
forwarding is permitted. The default is <b>yes</b>. Note
that disabling agent forwarding does not improve security
unless users are also denied shell access, as they can
always install their own forwarders.</p>

<p style="margin-top: 1em"><b>AllowGroups</b></p>

<p style="margin-left:17%;">This keyword can be followed by
a list of group name patterns, separated by spaces. If
specified, login is allowed only for users whose primary
group or supplementary group list matches one of the
patterns. Only group names are valid; a numerical group ID
is not recognized. By default, login is allowed for all
groups. The allow/deny directives are processed in the
following order: <b>DenyUsers</b>, <b>AllowUsers</b>,
<b>DenyGroups</b>, and finally <b>AllowGroups</b>.</p>

<p style="margin-left:17%; margin-top: 1em">See PATTERNS in
ssh_config(5) for more information on patterns.</p>
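<p style="margin-left:17%; margin-top: 1em">The AcceptEnv wildcard handling and the DenyUsers, AllowUsers, DenyGroups, AllowGroups evaluation order described above, worked through in Python as an added example (not code from the manual or from Config-Model-OpenSsh). The configuration fragment is constructed; pattern negation and the USER@HOST form are left out.</p>

```python
import re
# Constructed sample, not a real host's file; "acceptenv" is lower-cased on
# purpose: keywords are case-insensitive, arguments (LC_*, alice) are not.
SAMPLE_CONFIG = """\
acceptenv LANG LC_*
AcceptEnv TZ
DenyUsers guest
AllowUsers alice bob
DenyGroups noshell
AllowGroups staff admins
"""

def parse_sshd_config(text):
    """Map each lowercased keyword to the argument lists of all its directives."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        directives.setdefault(keyword.lower(), []).append(args)  # args keep case
    return directives

def match_pattern(name, pattern):
    """sshd-style wildcard: only '*' and '?' are special, the rest is literal."""
    regex = "".join({"*": ".*", "?": "."}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(regex, name) is not None

def patterns_for(directives, keyword):
    return [p for args in directives.get(keyword, []) for p in args]  # all directives

def accepted_env(directives, client_env, pty_requested):
    """Client variables copied into the session; TERM needs no pattern with a pty."""
    patterns = patterns_for(directives, "acceptenv")
    return {k: v for k, v in client_env.items()
            if (k == "TERM" and pty_requested)
            or any(match_pattern(k, p) for p in patterns)}

def login_allowed(directives, user, groups):
    """Check DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order: a Deny
    match refuses, a non-empty Allow list with no match refuses (plain names only)."""
    for keyword, names in (("denyusers", [user]), ("allowusers", [user]),
                           ("denygroups", groups), ("allowgroups", groups)):
        patterns = patterns_for(directives, keyword)
        matched = any(match_pattern(n, p) for n in names for p in patterns)
        if keyword.startswith("deny") and matched:
            return False
        if keyword.startswith("allow") and patterns and not matched:
            return False
    return True
```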


<p style="margin-top: 1em"><b>AllowStreamLocalForwarding</b></p>

<p style="margin-left:17%;">Specifies whether StreamLocal
(Unix-domain socket) forwarding is permitted. The available
options are <b>yes</b> (the default) or <b>all</b> to allow
StreamLocal forwarding, <b>no</b> to prevent all StreamLocal
forwarding, <b>local</b> to allow local (from the
perspective of ssh(1)) forwarding only or <b>remote</b> to
allow remote forwarding only. Note that disabling
StreamLocal forwarding does not improve security unless
users are also denied shell access, as they can always
install their own forwarders.</p>

<p style="margin-top: 1em"><b>AllowTcpForwarding</b></p>

<p style="margin-left:17%;">Specifies whether TCP
forwarding is permitted. The available options are
<b>yes</b> (the default) or <b>all</b> to allow TCP
forwarding, <b>no</b> to prevent all TCP forwarding,
<b>local</b> to allow local (from the perspective of ssh(1))
forwarding only or <b>remote</b> to allow remote forwarding
only. Note that disabling TCP forwarding does not improve
security unless users are also denied shell access, as they
can always install their own forwarders.</p>

<p style="margin-top: 1em"><b>AllowUsers</b></p>

<p style="margin-left:17%;">This keyword can be followed by
a list of user name patterns, separated by spaces. If
specified, login is allowed only for user names that match
one of the patterns. Only user names are valid; a numerical
user ID is not recognized. By default, login is allowed for
all users. If the pattern takes the form USER@HOST then USER
and HOST are separately checked, restricting logins to
