diff options
Diffstat (limited to 'sshd_config.0')
| -rw-r--r-- | sshd_config.0 | 1393 |
1 files changed, 1393 insertions, 0 deletions
diff --git a/sshd_config.0 b/sshd_config.0 new file mode 100644 index 00000000..6883dda4 --- /dev/null +++ b/sshd_config.0 @@ -0,0 +1,1393 @@ +SSHD_CONFIG(5) File Formats Manual SSHD_CONFIG(5) + +NAME + sshd_config M-bM-^@M-^S OpenSSH daemon configuration file + +DESCRIPTION + sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file + specified with -f on the command line). The file contains keyword- + argument pairs, one per line. Unless noted otherwise, for each keyword, + the first obtained value will be used. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty + lines are interpreted as comments. Arguments may optionally be enclosed + in double quotes (") in order to represent arguments containing spaces. + + The possible keywords and their meanings are as follows (note that + keywords are case-insensitive and arguments are case-sensitive): + + AcceptEnv + Specifies what environment variables sent by the client will be + copied into the session's environ(7). See SendEnv and SetEnv in + ssh_config(5) for how to configure the client. The TERM + environment variable is always accepted whenever the client + requests a pseudo-terminal as it is required by the protocol. + Variables are specified by name, which may contain the wildcard + characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be + separated by whitespace or spread across multiple AcceptEnv + directives. Be warned that some environment variables could be + used to bypass restricted user environments. For this reason, + care should be taken in the use of this directive. The default + is not to accept any environment variables. + + AddressFamily + Specifies which address family should be used by sshd(8). Valid + arguments are any (the default), inet (use IPv4 only), or inet6 + (use IPv6 only). + + AllowAgentForwarding + Specifies whether ssh-agent(1) forwarding is permitted. The + default is yes. Note that disabling agent forwarding does not + improve security unless users are also denied shell access, as + they can always install their own forwarders. + + AllowGroups + This keyword can be followed by a list of group name patterns, + separated by spaces. If specified, login is allowed only for + users whose primary group or supplementary group list matches one + of the patterns. Only group names are valid; a numerical group + ID is not recognized. By default, login is allowed for all + groups. The allow/deny groups directives are processed in the + following order: DenyGroups, AllowGroups. + + See PATTERNS in ssh_config(5) for more information on patterns. + This keyword may appear multiple times in sshd_config with each + instance appending to the list. + + AllowStreamLocalForwarding + Specifies whether StreamLocal (Unix-domain socket) forwarding is + permitted. The available options are yes (the default) or all to + allow StreamLocal forwarding, no to prevent all StreamLocal + forwarding, local to allow local (from the perspective of ssh(1)) + forwarding only or remote to allow remote forwarding only. Note + that disabling StreamLocal forwarding does not improve security + unless users are also denied shell access, as they can always + install their own forwarders. + + AllowTcpForwarding + Specifies whether TCP forwarding is permitted. The available + options are yes (the default) or all to allow TCP forwarding, no + to prevent all TCP forwarding, local to allow local (from the + perspective of ssh(1)) forwarding only or remote to allow remote + forwarding only. Note that disabling TCP forwarding does not + improve security unless users are also denied shell access, as + they can always install their own forwarders. + + AllowUsers + This keyword can be followed by a list of user name patterns, + separated by spaces. If specified, login is allowed only for + user names that match one of the patterns. Only user names are + valid; a numerical user ID is not recognized. By default, login + is allowed for all users. If the pattern takes the form + USER@HOST then USER and HOST are separately checked, restricting + logins to particular users from particular hosts. HOST criteria + may additionally contain addresses to match in CIDR + address/masklen format. The allow/deny users directives are + processed in the following order: DenyUsers, AllowUsers. + + See PATTERNS in ssh_config(5) for more information on patterns. + This keyword may appear multiple times in sshd_config with each + instance appending to the list. + + AuthenticationMethods + Specifies the authentication methods that must be successfully + completed for a user to be granted access. This option must be + followed by one or more lists of comma-separated authentication + method names, or by the single string any to indicate the default + behaviour of accepting any single authentication method. If the + default is overridden, then successful authentication requires + completion of every method in at least one of these lists. + + For example, "publickey,password publickey,keyboard-interactive" + would require the user to complete public key authentication, + followed by either password or keyboard interactive + authentication. Only methods that are next in one or more lists + are offered at each stage, so for this example it would not be + possible to attempt password or keyboard-interactive + authentication before public key. + + For keyboard interactive authentication it is also possible to + restrict authentication to a specific device by appending a colon + followed by the device identifier bsdauth or pam. depending on + the server configuration. For example, + "keyboard-interactive:bsdauth" would restrict keyboard + interactive authentication to the bsdauth device. + + If the publickey method is listed more than once, sshd(8) + verifies that keys that have been used successfully are not + reused for subsequent authentications. For example, + "publickey,publickey" requires successful authentication using + two different public keys. + + Note that each authentication method listed should also be + explicitly enabled in the configuration. + + The available authentication methods are: "gssapi-with-mic", + "hostbased", "keyboard-interactive", "none" (used for access to + password-less accounts when PermitEmptyPasswords is enabled), + "password" and "publickey". + + AuthorizedKeysCommand + Specifies a program to be used to look up the user's public keys. + The program must be owned by root, not writable by group or + others and specified by an absolute path. Arguments to + AuthorizedKeysCommand accept the tokens described in the TOKENS + section. If no arguments are specified then the username of the + target user is used. + + The program should produce on standard output zero or more lines + of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)). + AuthorizedKeysCommand is tried after the usual AuthorizedKeysFile + files and will not be executed if a matching key is found there. + By default, no AuthorizedKeysCommand is run. + + AuthorizedKeysCommandUser + Specifies the user under whose account the AuthorizedKeysCommand + is run. It is recommended to use a dedicated user that has no + other role on the host than running authorized keys commands. If + AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser + is not, then sshd(8) will refuse to start. + + AuthorizedKeysFile + Specifies the file that contains the public keys used for user + authentication. The format is described in the AUTHORIZED_KEYS + FILE FORMAT section of sshd(8). Arguments to AuthorizedKeysFile + accept the tokens described in the TOKENS section. After + expansion, AuthorizedKeysFile is taken to be an absolute path or + one relative to the user's home directory. Multiple files may be + listed, separated by whitespace. Alternately this option may be + set to none to skip checking for user keys in files. The default + is ".ssh/authorized_keys .ssh/authorized_keys2". + + AuthorizedPrincipalsCommand + Specifies a program to be used to generate the list of allowed + certificate principals as per AuthorizedPrincipalsFile. The + program must be owned by root, not writable by group or others + and specified by an absolute path. Arguments to + AuthorizedPrincipalsCommand accept the tokens described in the + TOKENS section. If no arguments are specified then the username + of the target user is used. + + The program should produce on standard output zero or more lines + of AuthorizedPrincipalsFile output. If either + AuthorizedPrincipalsCommand or AuthorizedPrincipalsFile is + specified, then certificates offered by the client for + authentication must contain a principal that is listed. By + default, no AuthorizedPrincipalsCommand is run. + + AuthorizedPrincipalsCommandUser + Specifies the user under whose account the + AuthorizedPrincipalsCommand is run. It is recommended to use a + dedicated user that has no other role on the host than running + authorized principals commands. If AuthorizedPrincipalsCommand + is specified but AuthorizedPrincipalsCommandUser is not, then + sshd(8) will refuse to start. + + AuthorizedPrincipalsFile + Specifies a file that lists principal names that are accepted for + certificate authentication. When using certificates signed by a + key listed in TrustedUserCAKeys, this file lists names, one of + which must appear in the certificate for it to be accepted for + authentication. Names are listed one per line preceded by key + options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). + Empty lines and comments starting with M-bM-^@M-^X#M-bM-^@M-^Y are ignored. + + Arguments to AuthorizedPrincipalsFile accept the tokens described + in the TOKENS section. After expansion, AuthorizedPrincipalsFile + is taken to be an absolute path or one relative to the user's + home directory. The default is none, i.e. not to use a + principals file M-bM-^@M-^S in this case, the username of the user must + appear in a certificate's principals list for it to be accepted. + + Note that AuthorizedPrincipalsFile is only used when + authentication proceeds using a CA listed in TrustedUserCAKeys + and is not consulted for certification authorities trusted via + ~/.ssh/authorized_keys, though the principals= key option offers + a similar facility (see sshd(8) for details). + + Banner The contents of the specified file are sent to the remote user + before authentication is allowed. If the argument is none then + no banner is displayed. By default, no banner is displayed. + + CASignatureAlgorithms + Specifies which algorithms are allowed for signing of + certificates by certificate authorities (CAs). The default is: + + ssh-ed25519,ecdsa-sha2-nistp256, + ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + sk-ssh-ed25519@openssh.com, + sk-ecdsa-sha2-nistp256@openssh.com, + rsa-sha2-512,rsa-sha2-256 + + If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the + specified algorithms will be appended to the default set instead + of replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y + character, then the specified algorithms (including wildcards) + will be removed from the default set instead of replacing them. + + Certificates signed using other algorithms will not be accepted + for public key or host-based authentication. + + ChannelTimeout + Specifies whether and how quickly sshd(8) should close inactive + channels. Timeouts are specified as one or more M-bM-^@M-^\type=intervalM-bM-^@M-^] + pairs separated by whitespace, where the M-bM-^@M-^\typeM-bM-^@M-^] must be the + special keyword M-bM-^@M-^\globalM-bM-^@M-^] or a channel type name from the list + below, optionally containing wildcard characters. + + The timeout value M-bM-^@M-^\intervalM-bM-^@M-^] is specified in seconds or may use + any of the units documented in the TIME FORMATS section. For + example, M-bM-^@M-^\session=5mM-bM-^@M-^] would cause interactive sessions to + terminate after five minutes of inactivity. Specifying a zero + value disables the inactivity timeout. + + The special timeout M-bM-^@M-^\globalM-bM-^@M-^] applies to all active channels, + taken together. Traffic on any active channel will reset the + timeout, but when the timeout expires then all open channels will + be closed. Note that this global timeout is not matched by + wildcards and must be specified explicitly. + + The available channel type names include: + + agent-connection + Open connections to ssh-agent(1). + + direct-tcpip, direct-streamlocal@openssh.com + Open TCP or Unix socket (respectively) connections that + have been established from a ssh(1) local forwarding, + i.e. LocalForward or DynamicForward. + + forwarded-tcpip, forwarded-streamlocal@openssh.com + Open TCP or Unix socket (respectively) connections that + have been established to a sshd(8) listening on behalf of + a ssh(1) remote forwarding, i.e. RemoteForward. + + session + The interactive main session, including shell session, + command execution, scp(1), sftp(1), etc. + + tun-connection + Open TunnelForward connections. + + x11-connection + Open X11 forwarding sessions. + + Note that in all the above cases, terminating an inactive session + does not guarantee to remove all resources associated with the + session, e.g. shell processes or X11 clients relating to the + session may continue to execute. + + Moreover, terminating an inactive channel or session does not + necessarily close the SSH connection, nor does it prevent a + client from requesting another channel of the same type. In + particular, expiring an inactive forwarding session does not + prevent another identical forwarding from being subsequently + created. + + The default is not to expire channels of any type for inactivity. + + ChrootDirectory + Specifies the pathname of a directory to chroot(2) to after + authentication. At session startup sshd(8) checks that all + components of the pathname are root-owned directories which are + not writable by group or others. After the chroot, sshd(8) + changes the working directory to the user's home directory. + Arguments to ChrootDirectory accept the tokens described in the + TOKENS section. + + The ChrootDirectory must contain the necessary files and + directories to support the user's session. For an interactive + session this requires at least a shell, typically sh(1), and + basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), + stderr(4), and tty(4) devices. For file transfer sessions using + SFTP no additional configuration of the environment is necessary + if the in-process sftp-server is used, though sessions which use + logging may require /dev/log inside the chroot directory on some + operating systems (see sftp-server(8) for details). + + For safety, it is very important that the directory hierarchy be + prevented from modification by other processes on the system + (especially those outside the jail). Misconfiguration can lead + to unsafe environments which sshd(8) cannot detect. + + The default is none, indicating not to chroot(2). + + Ciphers + Specifies the ciphers allowed. Multiple ciphers must be comma- + separated. If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, + then the specified ciphers will be appended to the default set + instead of replacing them. If the specified list begins with a + M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified ciphers (including wildcards) + will be removed from the default set instead of replacing them. + If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the + specified ciphers will be placed at the head of the default set. + + The supported ciphers are: + + 3des-cbc + aes128-cbc + aes192-cbc + aes256-cbc + aes128-ctr + aes192-ctr + aes256-ctr + aes128-gcm@openssh.com + aes256-gcm@openssh.com + chacha20-poly1305@openssh.com + + The default is: + + chacha20-poly1305@openssh.com, + aes128-ctr,aes192-ctr,aes256-ctr, + aes128-gcm@openssh.com,aes256-gcm@openssh.com + + The list of available ciphers may also be obtained using "ssh -Q + cipher". + + ClientAliveCountMax + Sets the number of client alive messages which may be sent + without sshd(8) receiving any messages back from the client. If + this threshold is reached while client alive messages are being + sent, sshd will disconnect the client, terminating the session. + It is important to note that the use of client alive messages is + very different from TCPKeepAlive. The client alive messages are + sent through the encrypted channel and therefore will not be + spoofable. The TCP keepalive option enabled by TCPKeepAlive is + spoofable. The client alive mechanism is valuable when the + client or server depend on knowing when a connection has become + unresponsive. + + The default value is 3. If ClientAliveInterval is set to 15, and + ClientAliveCountMax is left at the default, unresponsive SSH + clients will be disconnected after approximately 45 seconds. + Setting a zero ClientAliveCountMax disables connection + termination. + + ClientAliveInterval + Sets a timeout interval in seconds after which if no data has + been received from the client, sshd(8) will send a message + through the encrypted channel to request a response from the + client. The default is 0, indicating that these messages will + not be sent to the client. + + Compression + Specifies whether compression is enabled after the user has + authenticated successfully. The argument must be yes, delayed (a + legacy synonym for yes) or no. The default is yes. + + DenyGroups + This keyword can be followed by a list of group name patterns, + separated by spaces. Login is disallowed for users whose primary + group or supplementary group list matches one of the patterns. + Only group names are valid; a numerical group ID is not + recognized. By default, login is allowed for all groups. The + allow/deny groups directives are processed in the following + order: DenyGroups, AllowGroups. + + See PATTERNS in ssh_config(5) for more information on patterns. + This keyword may appear multiple times in sshd_config with each + instance appending to the list. + + DenyUsers + This keyword can be followed by a list of user name patterns, + separated by spaces. Login is disallowed for user names that + match one of the patterns. Only user names are valid; a + numerical user ID is not recognized. By default, login is + allowed for all users. If the pattern takes the form USER@HOST + then USER and HOST are separately checked, restricting logins to + particular users from particular hosts. HOST criteria may + additionally contain addresses to match in CIDR address/masklen + format. The allow/deny users directives are processed in the + following order: DenyUsers, AllowUsers. + + See PATTERNS in ssh_config(5) for more information on patterns. + This keyword may appear multiple times in sshd_config with each + instance appending to the list. + + DisableForwarding + Disables all forwarding features, including X11, ssh-agent(1), + TCP and StreamLocal. This option overrides all other forwarding- + related options and may simplify restricted configurations. + + ExposeAuthInfo + Writes a temporary file containing a list of authentication + methods and public credentials (e.g. keys) used to authenticate + the user. The location of the file is exposed to the user + session through the SSH_USER_AUTH environment variable. The + default is no. + + FingerprintHash + Specifies the hash algorithm used when logging key fingerprints. + Valid options are: md5 and sha256. The default is sha256. + + ForceCommand + Forces the execution of the command specified by ForceCommand, + ignoring any command supplied by the client and ~/.ssh/rc if + present. The command is invoked by using the user's login shell + with the -c option. This applies to shell, command, or subsystem + execution. It is most useful inside a Match block. The command + originally supplied by the client is available in the + SSH_ORIGINAL_COMMAND environment variable. Specifying a command + of internal-sftp will force the use of an in-process SFTP server + that requires no support files when used with ChrootDirectory. + The default is none. + + GatewayPorts + Specifies whether remote hosts are allowed to connect to ports + forwarded for the client. By default, sshd(8) binds remote port + forwardings to the loopback address. This prevents other remote + hosts from connecting to forwarded ports. GatewayPorts can be + used to specify that sshd should allow remote port forwardings to + bind to non-loopback addresses, thus allowing other hosts to + connect. The argument may be no to force remote port forwardings + to be available to the local host only, yes to force remote port + forwardings to bind to the wildcard address, or clientspecified + to allow the client to select the address to which the forwarding + is bound. The default is no. + + GSSAPIAuthentication + Specifies whether user authentication based on GSSAPI is allowed. + The default is no. + + GSSAPICleanupCredentials + Specifies whether to automatically destroy the user's credentials + cache on logout. The default is yes. + + GSSAPIStrictAcceptorCheck + Determines whether to be strict about the identity of the GSSAPI + acceptor a client authenticates against. If set to yes then the + client must authenticate against the host service on the current + hostname. If set to no then the client may authenticate against + any service key stored in the machine's default store. This + facility is provided to assist with operation on multi homed + machines. The default is yes. + + HostbasedAcceptedAlgorithms + Specifies the signature algorithms that will be accepted for + hostbased authentication as a list of comma-separated patterns. + Alternately if the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, + then the specified signature algorithms will be appended to the + default set instead of replacing them. If the specified list + begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified signature + algorithms (including wildcards) will be removed from the default + set instead of replacing them. If the specified list begins with + a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified signature algorithms will be + placed at the head of the default set. The default for this + option is: + + ssh-ed25519-cert-v01@openssh.com, + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + sk-ssh-ed25519-cert-v01@openssh.com, + sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, + rsa-sha2-512-cert-v01@openssh.com, + rsa-sha2-256-cert-v01@openssh.com, + ssh-ed25519, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + sk-ssh-ed25519@openssh.com, + sk-ecdsa-sha2-nistp256@openssh.com, + rsa-sha2-512,rsa-sha2-256 + + The list of available signature algorithms may also be obtained + using "ssh -Q HostbasedAcceptedAlgorithms". This was formerly + named HostbasedAcceptedKeyTypes. + + HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication + together with successful public key client host authentication is + allowed (host-based authentication). The default is no. + + HostbasedUsesNameFromPacketOnly + Specifies whether or not the server will attempt to perform a + reverse name lookup when matching the name in the ~/.shosts, + ~/.rhosts, and /etc/hosts.equiv files during + HostbasedAuthentication. A setting of yes means that sshd(8) + uses the name supplied by the client rather than attempting to + resolve the name from the TCP connection itself. The default is + no. + + HostCertificate + Specifies a file containing a public host certificate. The + certificate's public key must match a private host key already + specified by HostKey. The default behaviour of sshd(8) is not to + load any certificates. + + HostKey + Specifies a file containing a private host key used by SSH. The + defaults are /etc/ssh/ssh_host_ecdsa_key, + /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key. + + Note that sshd(8) will refuse to use a file if it is group/world- + accessible and that the HostKeyAlgorithms option restricts which + of the keys are actually used by sshd(8). + + It is possible to have multiple host key files. It is also + possible to specify public host key files instead. In this case + operations on the private key will be delegated to an + ssh-agent(1). + + HostKeyAgent + Identifies the UNIX-domain socket used to communicate with an + agent that has access to the private host keys. If the string + "SSH_AUTH_SOCK" is specified, the location of the socket will be + read from the SSH_AUTH_SOCK environment variable. + + HostKeyAlgorithms + Specifies the host key signature algorithms that the server + offers. The default for this option is: + + ssh-ed25519-cert-v01@openssh.com, + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + sk-ssh-ed25519-cert-v01@openssh.com, + sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, + rsa-sha2-512-cert-v01@openssh.com, + rsa-sha2-256-cert-v01@openssh.com, + ssh-ed25519, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + sk-ssh-ed25519@openssh.com, + sk-ecdsa-sha2-nistp256@openssh.com, + rsa-sha2-512,rsa-sha2-256 + + The list of available signature algorithms may also be obtained + using "ssh -Q HostKeyAlgorithms". + + IgnoreRhosts + Specifies whether to ignore per-user .rhosts and .shosts files + during HostbasedAuthentication. The system-wide /etc/hosts.equiv + and /etc/shosts.equiv are still used regardless of this setting. + + Accepted values are yes (the default) to ignore all per-user + files, shosts-only to allow the use of .shosts but to ignore + .rhosts or no to allow both .shosts and rhosts. + + IgnoreUserKnownHosts + Specifies whether sshd(8) should ignore the user's + ~/.ssh/known_hosts during HostbasedAuthentication and use only + the system-wide known hosts file /etc/ssh/ssh_known_hosts. The + default is M-bM-^@M-^\noM-bM-^@M-^]. + + Include + Include the specified configuration file(s). Multiple pathnames + may be specified and each pathname may contain glob(7) wildcards + that will be expanded and processed in lexical order. Files + without absolute paths are assumed to be in /etc/ssh. An Include + directive may appear inside a Match block to perform conditional + inclusion. + + IPQoS Specifies the IPv4 type-of-service or DSCP class for the + connection. Accepted values are af11, af12, af13, af21, af22, + af23, af31, af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, + cs4, cs5, cs6, cs7, ef, le, lowdelay, throughput, reliability, a + numeric value, or none to use the operating system default. This + option may take one or two arguments, separated by whitespace. + If one argument is specified, it is used as the packet class + unconditionally. If two values are specified, the first is + automatically selected for interactive sessions and the second + for non-interactive sessions. The default is af21 (Low-Latency + Data) for interactive sessions and cs1 (Lower Effort) for non- + interactive sessions. + + KbdInteractiveAuthentication + Specifies whether to allow keyboard-interactive authentication. + All authentication styles from login.conf(5) are supported. The + default is yes. The argument to this keyword must be yes or no. + ChallengeResponseAuthentication is a deprecated alias for this. + + KerberosAuthentication + Specifies whether the password provided by the user for + PasswordAuthentication will be validated through the Kerberos + KDC. To use this option, the server needs a Kerberos servtab + which allows the verification of the KDC's identity. The default + is no. + + KerberosGetAFSToken + If AFS is active and the user has a Kerberos 5 TGT, attempt to + acquire an AFS token before accessing the user's home directory. + The default is no. + + KerberosOrLocalPasswd + If password authentication through Kerberos fails then the + password will be validated via any additional local mechanism + such as /etc/passwd. The default is yes. + + KerberosTicketCleanup + Specifies whether to automatically destroy the user's ticket + cache file on logout. The default is yes. + + KexAlgorithms + Specifies the permitted KEX (Key Exchange) algorithms that the + server will offer to clients. The ordering of this list is not + important, as the client specifies the preference order. + Multiple algorithms must be comma-separated. + + If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the + specified algorithms will be appended to the default set instead + of replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y + character, then the specified algorithms (including wildcards) + will be removed from the default set instead of replacing them. + If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the + specified algorithms will be placed at the head of the default + set. + + The supported algorithms are: + + curve25519-sha256 + curve25519-sha256@libssh.org + diffie-hellman-group1-sha1 + diffie-hellman-group14-sha1 + diffie-hellman-group14-sha256 + diffie-hellman-group16-sha512 + diffie-hellman-group18-sha512 + diffie-hellman-group-exchange-sha1 + diffie-hellman-group-exchange-sha256 + ecdh-sha2-nistp256 + ecdh-sha2-nistp384 + ecdh-sha2-nistp521 + sntrup761x25519-sha512@openssh.com + + The default is: + + sntrup761x25519-sha512@openssh.com, + curve25519-sha256,curve25519-sha256@libssh.org, + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, + diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, + diffie-hellman-group14-sha256 + + The list of supported key exchange algorithms may also be + obtained using "ssh -Q KexAlgorithms". + + ListenAddress + Specifies the local addresses sshd(8) should listen on. The + following forms may be used: + + ListenAddress hostname|address [rdomain domain] + ListenAddress hostname:port [rdomain domain] + ListenAddress IPv4_address:port [rdomain domain] + ListenAddress [hostname|address]:port [rdomain domain] + + The optional rdomain qualifier requests sshd(8) listen in an + explicit routing domain. If port is not specified, sshd will + listen on the address and all Port options specified. The + default is to listen on all local addresses on the current + default routing domain. Multiple ListenAddress options are + permitted. For more information on routing domains, see + rdomain(4). + + LoginGraceTime + The server disconnects after this time if the user has not + successfully logged in. If the value is 0, there is no time + limit. The default is 120 seconds. + + LogLevel + Gives the verbosity level that is used when logging messages from + sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, + VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. + DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify + higher levels of debugging output. Logging with a DEBUG level + violates the privacy of users and is not recommended. + + LogVerbose + Specify one or more overrides to LogLevel. An override consists + of a pattern lists that matches the source file, function and + line number to force detailed logging for. For example, an + override pattern of: + + kex.c:*:1000,*:kex_exchange_identification():*,packet.c:* + + would enable detailed logging for line 1000 of kex.c, everything + in the kex_exchange_identification() function, and all code in + the packet.c file. This option is intended for debugging and no + overrides are enabled by default. + + MACs Specifies the available MAC (message authentication code) + algorithms. The MAC algorithm is used for data integrity + protection. Multiple algorithms must be comma-separated. If the + specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified + algorithms will be appended to the default set instead of + replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y + character, then the specified algorithms (including wildcards) + will be removed from the default set instead of replacing them. + If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the + specified algorithms will be placed at the head of the default + set. + + The algorithms that contain "-etm" calculate the MAC after + encryption (encrypt-then-mac). These are considered safer and + their use recommended. The supported MACs are: + + hmac-md5 + hmac-md5-96 + hmac-sha1 + hmac-sha1-96 + hmac-sha2-256 + hmac-sha2-512 + umac-64@openssh.com + umac-128@openssh.com + hmac-md5-etm@openssh.com + hmac-md5-96-etm@openssh.com + hmac-sha1-etm@openssh.com + hmac-sha1-96-etm@openssh.com + hmac-sha2-256-etm@openssh.com + hmac-sha2-512-etm@openssh.com + umac-64-etm@openssh.com + umac-128-etm@openssh.com + + The default is: + + umac-64-etm@openssh.com,umac-128-etm@openssh.com, + hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, + hmac-sha1-etm@openssh.com, + umac-64@openssh.com,umac-128@openssh.com, + hmac-sha2-256,hmac-sha2-512,hmac-sha1 + + The list of available MAC algorithms may also be obtained using + "ssh -Q mac". + + Match Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines + override those set in t |