diff options
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 51 |
1 files changed, 49 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 06fd62de..f9208485 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.174 2014/07/03 22:40:43 djm Exp $ -.Dd $Mdocdate: July 3 2014 $ +.\" $OpenBSD: sshd_config.5,v 1.175 2014/07/15 15:54:14 millert Exp $ +.Dd $Mdocdate: July 15 2014 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -140,6 +140,26 @@ The default is Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. +.It Cm AllowStreamLocalForwarding +Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. +The available options are +.Dq yes +or +.Dq all +to allow StreamLocal forwarding, +.Dq no +to prevent all StreamLocal forwarding, +.Dq local +to allow local (from the perspective of +.Xr ssh 1 ) +forwarding only or +.Dq remote +to allow remote forwarding only. +The default is +.Dq yes . +Note that disabling StreamLocal forwarding does not improve security unless +users are also denied shell access, as they can always install their +own forwarders. .It Cm AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. @@ -1171,6 +1191,33 @@ This option applies to protocol version 1 only. .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. +.It Cm StreamLocalBindMask +Sets the octal file creation mode mask +.Pq umask +used when creating a Unix-domain socket file for local or remote +port forwarding. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The default value is 0177, which creates a Unix-domain socket file that is +readable and writable only by the owner. +Note that not all operating systems honor the file mode on Unix-domain +socket files. +.It Cm StreamLocalBindUnlink +Specifies whether to remove an existing Unix-domain socket file for local +or remote port forwarding before creating a new one. +If the socket file already exists and +.Cm StreamLocalBindUnlink +is not enabled, +.Nm sshd +will be unable to forward the port to the Unix-domain socket file. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq no . .It Cm StrictModes Specifies whether .Xr sshd 8 |