sshd2_config(4)
NAME
sshd2_config - Configuration file for the sshd2 daemon
DESCRIPTION
The sshd2 daemon reads configuration data from the /etc/ssh2/sshd2_config
file (or the file specified with the sshd2 -f command). The file contains
keyword-argument pairs, one per line.
Empty lines and lines starting with the pound (#) sign are ignored as
comments. Otherwise a line is of the format keyword arguments. It is
possible to enclose arguments in quotes, and use the standard C convention.
Configuration files are case sensitive, but keywords are not case
sensitive.
Configuration blocks are not allowed in sshd2_config. Subconfiguration
files can be specified in the main configuration file. See the
HostSpecificConfig and UserSpecificConfig keyword explanations.
If changes are made in the main configuration file, sshd2 must be
restarted. For example, you can send it a signal, such as
# kill -HUP `cat /var/run/sshd2_22.pid`
or, if the /var/run/ directory does not exist,
# kill -HUP `cat /etc/ssh2/sshd2_22.pid`
The following sshd2_config file keywords are allowed:
AllowAgentForwarding or ForwardAgent
Specifies whether agent forwarding is permitted. Usually, you should
allow users to freely forward agent connections. The argument must be
yes or no. The default is yes.
AllowedAuthentications
Specifies the authentication methods that the server uses to
authenticate users. Supported authentication methods are: keyboard-
interactive, password, publickey, kerberos-2@ssh.com, and kerberos-
tgt-2@ssh.com. The default is publickey,password.
You can specify any or all authentication methods. Use a comma-
separated list when specifying more than one argument. The order in
which authentication methods are listed is the order in which they are
used. For example, if hostbased is listed first, the server will use
hostbased authentication before trying the next listed authentication.
The first successful authentication is the one used.
With the RequiredAuthentications keyword, you can force users to
complete several authentications before they are considered
authenticated. See the explanation for the RequiredAuthentications
keyword.
AllowGroups
Follows any number of group name patterns, separated by commas.
If specified, login is allowed only if one of the groups the user
belongs to matches one of the patterns. Patterns are matched using the
egrep syntax (see sshregex(5)), or the syntax specified in the
metaconfiguration header of the configuration file. You can use the
comma character in the patterns by escaping it with a backslash. By
default, all groups are allowed to log in. However, all other
authentication steps must be successfully completed. The AllowGroups
and DenyGroups keywords are additional restrictions that never increase
the tolerance.
AllowHosts
Follows any number of host name patterns, separated by commas. If
specified, login is allowed only if a host name matches one of the
patterns. Patterns are matched using the egrep syntax (see
sshregex(5)), or the syntax specified in the metaconfiguration section
of the configuration file.
If you want the pattern to match the host's IP address (ignoring the
canonical host name), prefix your pattern with \i. You can also use
subnet masks (e.g. , 127.0.0.0/8) by prefixing the pattern with \m.
DNS is used to map the client's host name into a canonical host name.
If the name cannot be mapped, the IP address is used as the host name.
By default, all hosts are allowed to connect. The sshd2 daemon also can
be configured to use tcp_wrappers using the --with-libwrap compile-time
configuration option.
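As an added example (not part of this manual page), the AllowHosts/DenyHosts matching described above in Python: \m subnet patterns tested against the client IP, \i patterns tested against the IP text, and plain egrep patterns tested against the canonical name, with the IP standing in when reverse DNS fails, plus the RequireReverseMapping behaviour of refusing a client whose lookup fails. The resolver is injected so the example runs offline; it assumes sshregex patterns match the whole subject and that a DenyHosts match overrides AllowHosts.

```python
import ipaddress
import re


def split_patterns(value):
    """Split a comma-separated pattern list; a backslash-escaped comma stays literal."""
    return [p.replace(r"\,", ",") for p in re.split(r"(?<!\\),", value or "") if p]


def host_pattern_matches(pattern, client_ip, canonical_name):
    r"""Match one AllowHosts/DenyHosts pattern against one client.

    \m prefix: a subnet in address/prefix form, tested against the client IP.
    \i prefix: an egrep pattern tested against the IP address text.
    otherwise: an egrep pattern tested against the canonical host name, or
               against the IP address when the name could not be resolved.
    Assumption: sshregex patterns must match the whole subject (re.fullmatch).
    """
    if pattern.startswith(r"\m"):
        network = ipaddress.ip_network(pattern[2:], strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.startswith(r"\i"):
        return re.fullmatch(pattern[2:], client_ip) is not None
    subject = canonical_name if canonical_name is not None else client_ip
    return re.fullmatch(pattern, subject) is not None


def resolve_client(client_ip, resolver, require_reverse_mapping=False):
    """Return (may_continue, canonical_name).

    resolver(ip) returns the canonical name or None when the lookup fails; in
    production it would wrap socket.gethostbyaddr, here it is injected so the
    example runs offline.  With RequireReverseMapping yes a failed lookup
    denies the connection; with no, the IP address stands in for the name.
    """
    name = resolver(client_ip)
    if name is None and require_reverse_mapping:
        return False, None
    return True, name


def host_allowed(allow_hosts, deny_hosts, client_ip, canonical_name):
    """AllowHosts: empty means every host; DenyHosts: a match always refuses."""
    allowed = not allow_hosts or any(
        host_pattern_matches(p, client_ip, canonical_name)
        for p in split_patterns(allow_hosts))
    denied = any(
        host_pattern_matches(p, client_ip, canonical_name)
        for p in split_patterns(deny_hosts))
    return allowed and not denied


def check_client(allow_hosts, deny_hosts, client_ip, resolver, require_reverse_mapping=False):
    """Full decision for one client: reverse mapping first, then the pattern lists."""
    ok, name = resolve_client(client_ip, resolver, require_reverse_mapping)
    return ok and host_allowed(allow_hosts, deny_hosts, client_ip, name)


# Constructed sample: a reverse-DNS table standing in for the real resolver.
SAMPLE_PTR = {"203.0.113.5": "db1.corp.example.com", "10.1.2.3": "build.corp.example.com"}
SAMPLE_ALLOW = r"\m10.0.0.0/8,\i192\.168\.1\..*,.*\.corp\.example\.com"
SAMPLE_DENY = r"\m10.9.0.0/16"


def sample_resolver(ip):
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.9.1.1", "192.168.1.77", "203.0.113.5", "198.51.100.9"):
        print(ip, check_client(SAMPLE_ALLOW, SAMPLE_DENY, ip, sample_resolver))
```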
AllowSHosts
Follows any number of host name patterns, separated by commas. The
entries in .shosts, .rhosts, /etc/hosts.equiv and /etc/shosts.equiv are
ignored if they do not match one of the patterns.
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. Disabling TCP forwarding
does not improve security, unless you deny the user shell access at the
same time. (See ssh-dummy-shell(1)). Any user who has a shell can
install forwarders. The argument must be yes or no. The default is
yes.
This option is required if EnforceSecureRutils is enabled.
AllowTcpForwardingForGroups
Specifies the group names that can forward ports. Use a comma-separated
list when specifying more than one group name. Disabling TCP forwarding
does not improve security, unless you deny the user shell access at the
same time. (See ssh-dummy-shell(1)). Any user who has a shell can
install forwarders. The argument must be yes or no. The default is yes
(enable forwarding).
AllowTcpForwardingForUsers
Specifies the names of users who can forward ports. Use a comma-
separated list when specifying more than one user name. Disabling TCP
forwarding does not improve security, unless you deny the user shell
access at the same time. (See ssh-dummy-shell(1)). Any user who has a
shell can install forwarders. The argument must be yes or no. The
default is yes (enable forwarding).
AllowUsers
Specifies the names of users who can log in. Use a comma-separated list
when specifying more than one user name. User names can be entered as
user@host_name where host_name is a DNS name or an IP address. By
default, all users are allowed to log in. However, all other login
authentication steps must be successfully completed. The AllowUsers
and DenyUsers keywords specify additional restrictions.
AllowX11Forwarding, X11Forwarding, or ForwardX11
Specifies whether X11 forwarding is permitted. Disabling X11 forwarding
does not improve security, unless you deny the user shell access at the
same time. (See ssh-dummy-shell(1)). Any user who has a shell can
install forwarders. The argument must be yes or no. The default is
yes.
AuthInteractiveFailureTimeout
Specifies the server delay, in seconds, after a failed attempt to log
in using keyboard-interactive, password authentication. The default is
2.
AuthKbdInt.NumOptional
Specifies how many optional submethods must be passed before the
authentication is considered a success (all required submethods must
be passed). See the AuthKbdInt.Optional explanation for specifying
optional submethods, and the AuthKbdInt.Required explanation for
required submethods. The default is 0. If no required submethods are
specified, the client must pass at least one optional submethod.
AuthKbdInt.Optional
Specifies the optional submethods keyboard-interactive will use.
Defined submethods are: pam, securid, plugin, and password. The pam and
securid submethods must have the necessary libraries and headers when
the distribution is compiled. The pam submethod is usually available
in binary packages if the architecture supports Pluggable
Authentication Modules (PAM). The keyboard-interactive authentication
method is considered a success when the specified amount of optional
submethods and all required submethods are passed. The plugin submethod
can be used if a system administrator wants to create a new
authentication method. (See AuthKbdInt.Plugin, AuthKbdInt.NumOptional
and AuthKbdInt.Required.)
AuthKbdInt.Plugin
Specifies the program used by the keyboard-interactive plugin
submethod. The sshd2 daemon, running as root, communicates with this
program using a line-based protocol. There is no default for this
keyword. It must be set if the plugin submethod is used. Otherwise, the
submethod will fail and authentication could fail.
More information about the protocol can be found in the distribution
package. The RFC.kbdint_plugin_protocol file has a description of the
protocol used; the kbdint_plugin_example.sh file is a sample script.
AuthKbdInt.Required
Specifies the required submethods that must be passed before the
keyboard-interactive authentication method can succeed. See
AuthKbdInt.Optional.
AuthKbdInt.Retries
Specifies how many times the user can retry keyboard-interactive. The
default is 3.
AuthorizationFile
Specifies the name of the user's authorization file.
AuthPublicKey.MaxSize
Specifies the maximum size of a publickey that can be used to log in.
Value 0 disables the check. The default is 0.
AuthPublicKey.MinSize
Specifies the minimum size of a publickey that can be used to log in.
Value 0 disables the check. The default is 0.
BannerMessageFile
Specifies the path to the message that is sent to the client before
authentication. The default path is /etc/ssh2/ssh_banner_message.
CheckMail
Specifies whether information is displayed when there is new mail when
a user logs in. The argument must be yes or no. The default is yes.
ChRootGroups
Specifies the names of groups in which users who belong to those groups
have a chrooted environment. A chrooted environment is one in which
users are restricted to their home directory and its subdirectories.
Groups are defined on the server in the /etc/group file. Use a comma-
separated list when specifying more than one group name.
ChRootUsers
Specifies the names of users who have a chrooted environment. A
chrooted environment is one in which users are restricted to their home
directory and its subdirectories. Users are defined on the server in
the /etc/group file. Use a comma-separated list when specifying more
than one user name.
Ciphers
Specifies the Secure Shell ciphers to use for encrypting the session.
Supported ciphers are: aes, blowfish, twofish, arcfour, cast, 3des, and
des. Multiple ciphers can be specified as a comma-separated list.
Special values for this option are: Any, AnyStd, none, AnyCipher, and
AnyStdCipher. The Any value allows all ciphers including none.
The AnyStd value allows only those mentioned in the IETF-SecSH draft
plus none; none forbids any use of encryption. The AnyCipher and
AnyStdCipher values are analogous to the first two cases but exclude
none. The AnyStdCipher value is the default.
DenyGroups
Follows any number of group name patterns, separated by commas. If
specified, login is denied if one of the groups the user belongs to
matches one of the patterns. Otherwise, this option is parsed and
matched identically with AllowGroups. By default, all users are
allowed to log in. If a user's group matches a pattern in both
DenyGroups and AllowGroups, login will be denied. All other
authentication steps must be successfully completed. The AllowGroups
and DenyGroups keywords are additional restrictions and never increase
the tolerance. Groups are defined on the server in the /etc/group file.
DenyHosts
Specifies the names of hosts from which users can not log in. Use a
comma-separated list when specifying more than one host name. By
default, all hosts are allowed to log in.
DenySHosts
Specifies the names of hosts from which users can not connect. The host
name must be specified in the .shosts file, the .rhosts file, the
/etc/hosts.equiv file, or the /etc/shosts.equiv file. Use a comma-
separated list when specifying more than one host name.
DenyTcpForwardingForGroups
Specifies the names of groups who cannot forward ports. Use a comma-
separated list when specifying more than one group name. Disabling TCP
forwarding does not improve security, unless you deny the user shell
access at the same time. (See ssh-dummy-shell(1)). Any user who has a
shell can install forwarders. The argument must be yes or no.
DenyTcpForwardingForUsers
Specifies the names of users who cannot forward ports. Use a comma-
separated list when specifying more than one user name. Disabling TCP
forwarding does not improve security, unless you deny the user shell
access at the same time. (See ssh-dummy-shell(1)). Any user who has a
shell can install forwarders. The argument must be yes or no.
DenyUsers
Specifies the names of users who cannot log in. Use a comma-separated
list when specifying more than one user name. User names can be entered
as user@host_name where host_name is a DNS name or the IP address. By
default, all users are allowed to log in. Note that all other login
authentication steps must still be successfully completed. If a
user's name matches a pattern in both DenyUsers and AllowUsers, login
is denied.
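As an added example (not part of this manual page), the AllowUsers/DenyUsers and AllowGroups/DenyGroups rules above in Python: an absent Allow list admits everyone, a Deny match refuses even when an Allow pattern also matches, user@host_name patterns test the host part against the client's DNS name or IP, and group patterns are tested against every group the user belongs to. It assumes egrep patterns must match the whole subject and that '@' separates the user and host parts of a pattern.

```python
import re


def split_patterns(value):
    """Split a comma-separated pattern list; a backslash-escaped comma stays literal."""
    return [p.replace(r"\,", ",") for p in re.split(r"(?<!\\),", value or "") if p]


def user_pattern_matches(pattern, user, client_host):
    """Match a user or user@host_name pattern (egrep syntax, whole-string match assumed).

    The part after '@' is tested against the client's DNS name or IP address.
    """
    user_pat, _, host_pat = pattern.partition("@")
    if re.fullmatch(user_pat, user) is None:
        return False
    return not host_pat or re.fullmatch(host_pat, client_host) is not None


def group_pattern_matches(pattern, groups):
    """True when any group the user belongs to matches the pattern."""
    return any(re.fullmatch(pattern, g) is not None for g in groups)


def login_permitted(config, user, groups, client_host):
    """Apply AllowUsers/DenyUsers/AllowGroups/DenyGroups and return (permitted, reason).

    config maps lower-cased keywords to their comma-separated values; an absent
    Allow keyword means everyone passes that check.  Deny lists are checked
    first because a match in both an Allow and a Deny list is still a denial.
    """
    if any(user_pattern_matches(p, user, client_host)
           for p in split_patterns(config.get("denyusers"))):
        return False, "denied by DenyUsers"
    if any(group_pattern_matches(p, groups)
           for p in split_patterns(config.get("denygroups"))):
        return False, "denied by DenyGroups"
    allow_users = split_patterns(config.get("allowusers"))
    if allow_users and not any(user_pattern_matches(p, user, client_host) for p in allow_users):
        return False, "not listed in AllowUsers"
    allow_groups = split_patterns(config.get("allowgroups"))
    if allow_groups and not any(group_pattern_matches(p, groups) for p in allow_groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed (other authentication steps still apply)"


# Constructed sample configuration (values as they would appear in sshd2_config).
SAMPLE_CONFIG = {
    "allowusers": r"alice,bob@10\.0\.0\..*,guest",
    "denyusers": "guest",
    "allowgroups": "staff,dev.*",
    "denygroups": "contractors",
}

if __name__ == "__main__":
    for user, groups, host in (("alice", ["staff"], "203.0.113.9"),
                               ("bob", ["devops"], "10.0.0.5"),
                               ("bob", ["devops"], "203.0.113.9"),
                               ("alice", ["staff", "contractors"], "203.0.113.9"),
                               ("guest", ["staff"], "203.0.113.9")):
        print(user, host, login_permitted(SAMPLE_CONFIG, user, groups, host))
```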
ExternalAuthorizationProgram
Verifies whether the user is authorized to log in. The sshd2 daemon,
running as root, communicates with this program using a line-based
protocol. There is no default for this keyword. It must be set if the
plugin submethod is used. Otherwise, the submethod will fail and
authentication could fail.
More information about the protocol can be found in the distribution
package. The RFC.kbdint_plugin_protocol file has a description of the
protocol used; the kbdint_plugin_example.sh file is a sample script.
ExternalMapper filename
Specifies an external mapper program for the preceding Pki keyword.
When a certificate is received and is valid under the Pki block in
question, the external mapper is executed and the certificate is
written to its standard input. The external mapper is expected to
output a newline-separated list of user names. If the user name is
found in the list, the authentication succeeds; otherwise, the
authentication using the certificate in question fails. The
ExternalMapper keyword will override all MapFile keywords for the
current (preceding) Pki keyword. If multiple ExternalMapper keywords
are specified for a Pki block, the first one is used.
ExternalMapperTimeout seconds
Specifies an external mapper timeout for the preceding Pki keyword. If
the server is unable to read the full output from an external mapper in
the given period, the operation will fail and the external mapper
program will be terminated. The default timeout is 10 seconds. If
multiple ExternalMapperTimeout keywords are specified for a Pki block,
the first one is used.
ForwardACL
Controls what the client is allowed to forward and where it is
forwarded. The format for this option is:
(allow|deny) (local|remote) user-pat forward-pat [originator-pat]
The user-pat pattern will be used to match the client user, as
specified under the UserSpecificConfig option. The format for the
forward-pat pattern is :
host-id[%port]
This has different interpretations depending on whether the ACL is
specified for local or remote forwards. For local forwards, the host-id
will match the target host of the forwarding, as specified under the
AllowHosts option. The port will match with the target port. If the
client sends a host name, the IP will be looked up from the DNS, which
will be used to match the pattern. For remote forwardings, where the
forward target is not known (the client handles that end of the
connection), ForwardACL will be used to match the listen address
specified by the user. The port will match the server port designated
by the forward. With local forwards, the originator-pat pattern will
match the originator address that the client reported.
If you do not administer the client machine, or the users on that
machine have shell access, they can use a modified copy of Secure Shell
to lie about the originator address. Also, with Network Address
Translation (NAT) the originator address will not be meaningful; it
probably will be an internal network address. So, you should not rely
on the originator address with local forwards.
With remote forwards, the originator-pat will match the IP address of
the host connecting to the forwarded port. This will be valid
information, because the server checks the information. If you specify
any allow directives, all forwards in that class (local or remote) not
specifically allowed will be denied. Local and remote forwards are
separate in this respect. For example, if you have one "allow remote"
definition, local forwards are still allowed, pending other
restrictions. If a forward matches allow and deny directives, the
forwarding will be denied. If you specify
{Allow,Deny}TcpForwardingFor{Users,Groups} or AllowTcpForwarding, and
the forwarding for the user is disabled, an allow directive will not
re-enable the forwarding for the user. Forwarding is enabled by
default.
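As an added example (not part of this manual page), a ForwardACL evaluator in Python that parses entries of the form given above and applies the stated rules: a request matching both allow and deny is denied, any allow entry in a class (local or remote) turns that class to default-deny without affecting the other class, and forwarding already disabled by AllowTcpForwarding or the *TcpForwardingFor* keywords cannot be re-enabled. It assumes egrep patterns must match the whole subject, that the port part of forward-pat is also an egrep pattern, and it does not handle the \i and \m prefixes of AllowHosts.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ForwardAclEntry:
    action: str                # allow | deny
    kind: str                  # local | remote
    user_pat: str
    host_pat: str              # host-id part of forward-pat
    port_pat: Optional[str]    # port part of forward-pat, None when absent
    originator_pat: Optional[str]


def parse_forward_acl(lines):
    """Parse ForwardACL values: (allow|deny) (local|remote) user-pat host-id[%port] [originator-pat]."""
    entries = []
    for line in lines:
        parts = line.split()
        if (len(parts) not in (4, 5) or parts[0] not in ("allow", "deny")
                or parts[1] not in ("local", "remote")):
            raise ValueError("malformed ForwardACL entry: %r" % line)
        host_pat, sep, port_pat = parts[3].partition("%")
        entries.append(ForwardAclEntry(parts[0], parts[1], parts[2], host_pat,
                                       port_pat if sep else None,
                                       parts[4] if len(parts) == 5 else None))
    return entries


def _full(pattern, subject):
    # Assumption: egrep patterns must match the whole subject.
    return subject is not None and re.fullmatch(pattern, subject) is not None


def entry_matches(entry, user, host, port, originator):
    """host is the target IP (local) or the listen address (remote); port is an int."""
    if not _full(entry.user_pat, user) or not _full(entry.host_pat, host):
        return False
    if entry.port_pat is not None and not _full(entry.port_pat, str(port)):
        return False
    if entry.originator_pat is not None and not _full(entry.originator_pat, originator):
        return False
    return True


def forward_permitted(entries, kind, user, host, port, originator=None,
                      tcp_forwarding_enabled=True):
    """Decide one forwarding request against the ACL.

    - forwarding disabled for the user elsewhere cannot be re-enabled by allow;
    - a request matching both an allow and a deny entry is denied;
    - once any allow entry exists for a class, requests in that class not
      explicitly allowed are denied; the other class is unaffected;
    - with no allow entries in the class, forwarding is enabled by default.
    Note: for local forwards the originator is client-reported and not trustworthy.
    """
    if not tcp_forwarding_enabled:
        return False
    in_class = [e for e in entries if e.kind == kind]
    matched = [e for e in in_class if entry_matches(e, user, host, port, originator)]
    if any(e.action == "deny" for e in matched):
        return False
    if any(e.action == "allow" for e in in_class):
        return any(e.action == "allow" for e in matched)
    return True


# Constructed sample ACL (host-ids written as escaped IP patterns).
SAMPLE_ACL = parse_forward_acl([
    r"allow local .* 10\.1\.0\..*%(80|443)",
    r"deny local .* 10\.1\.0\.99%.*",
    r"allow remote alice 127\.0\.0\.1%8080",
    r"deny remote .* .* 198\.51\.100\..*",
])

if __name__ == "__main__":
    print(forward_permitted(SAMPLE_ACL, "local", "alice", "10.1.0.5", 443))
    print(forward_permitted(SAMPLE_ACL, "local", "alice", "10.1.0.99", 80))
```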
ForwardAgent
See AllowAgentForwarding.
HostbasedAuthForceClientHostnameDNSMatch
Fails host-based authentication if the host name given by the client
does not match the one found in DNS. Defaults to no.
HostCA ca-certificate
Works the same as in the ssh2_config file, but DefaultDomain is not
used.
HostCANoCRLs ca-certificate
Works the same as in the ssh2_config file, but DefaultDomain is not
used.
HostCertificateFile ca-certificate
Similar to PublicHostKeyFile, except that the file is assumed to
contain an X.509 certificate in binary format. The keyword must be
paired with a corresponding HostKeyFile keyword. If multiple
certificates with the same public key type (dss or rsa) are specified,
only the first one is used.
HostKeyEkInitString
Specifies the initialization string for the external host key provider.
This is ignored when the keyword HostKeyEkProvider is not present or
when external key support is not included in the software. See ssh-
externalkeys(4) for details about specifying initialization strings.
HostKeyEkProvider
Specifies the external host key provider. This is ignored when external
key support is not included in the software. See ssh-externalkeys(4)
for details about specifying providers.
HostKeyEkTimeOut
Specifies the maximum time in seconds to wait for the keys from the
external host key provider. This is ignored when external key support
is not included in the software.
HostKeyFile
Specifies the file containing the private host key. The default file is
/etc/ssh2/hostkey.
HostSpecificConfig
Specifies a subconfiguration file for the sshd2 daemon. The syntax for
this option is pattern subconfig-file. The pattern will be used to
match the client host, as specified under the AllowHosts option. The
subconfig-file will then be read, and configuration data amended
accordingly. The file is read before any protocol transactions begin.
You can specify most of the options allowed in the main configuration
file, and you can specify more than one subconfiguration file, in which
case the patterns are matched and the files read in the order
specified. Later defined values of configuration options will either
override or amend the previous value depending on which option it is.
The effect of redefining an option is described in the
documentation for that option. For example, setting Ciphers in the
subconfiguration file will override the old value, but setting
AllowUsers will amend the value. See sshd2_subconfig(4) for
information on subconfiguration settings. See also the
UserSpecificConfig option.
IdleTimeOut
Sets the idle timeout limit to time in seconds (s or nothing after
number), in minutes (m), in hours (h), in days (d), or in weeks (w).
If the connection has been idle (all channels) for the specified time,
the connection is closed. The default is zero, which disables idle
timeouts.
IgnoreRhosts
Specifies that the rhosts and shosts files will not be used in
hostbased authentication (See AllowedAuthentications.) The
/etc/hosts.equiv and the /etc/shosts.equiv files are used (if hostbased
authentication is used). The argument must be yes or no. The default is
no.
IgnoreRootRhosts
Specifies that the rhosts and shosts files will not be used in
authentication for root. The default is the value of the IgnoreRhosts
keyword.
KeepAlive
Specifies whether the system should send keepalive messages. If they
are sent, the loss of a connection or crash of a system will be
noticed. However, this means that connections will die if the route is
down temporarily. The argument must be yes or no. The default is yes
(send keepalive messages). If keepalive messages are not sent, sessions
may hang indefinitely on the server, leaving ghost users and consuming
server resources. To disable keepalive messages, set the value to no
in both the server and the client configuration files.
LdapServers ldap://server.domain-name:389
Works the same as in the ssh2_config file.
ListenAddress
Specifies the IP address of the interface where the sshd2 server socket
is bound.
LoginGraceTime
Specifies the time, in seconds, that the server disconnects after a
user has not successfully logged in. If the value is 0, there is no
time limit. The default is 600 (seconds).
MACs
Specifies the Message Authentication Code (MAC) algorithm to use for
data integrity verification. Supported MAC algorithms are: hmac-sha1,
hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, and hmac-
ripemd160-96, of which hmac-sha1, hmac-sha1-96, hmac-md5 and hmac-md5-
96 are included in all distributions.
Use a comma-separated list when specifying more than one MAC. Special
arguments to this keyword are Any, AnyStd, none, AnyMac, and AnyStdMac.
The Any argument allows all MACs including none. The AnyStd argument
allows only those mentioned in the IETF-SecSH draft and none. The none
argument forbids any use of MACs. The AnyMac and AnyStdMac arguments
are analogous to the first two cases but exclude none. The AnyStdMac
argument is the default.
MapFile filename
Specifies a mapping file for the preceding Pki keyword. Multiple
mapping files are permitted for Pki keywords.
MaxBroadcastsPerSecond
Specifies the maximum number of UDP broadcasts that the server will
handle per second. The default value is 0 (i.e., no broadcasts are
handled). Broadcasts that exceed the limit are silently ignored.
Received unrecognized UDP datagrams also consume the capacity defined
by this keyword.
MaxConnections
Specifies the maximum number of connections that the sshd2 daemon will
handle simultaneously. This is useful in systems where spamming the
sshd2 daemon with new connections can cause the system to become
unstable or crash. The argument is a positive number. An argument of
zero means that the number of connections is unlimited. The same
effect is achieved by using xinetd.
NoDelay
Specifies whether to enable the TCP_NODELAY socket option. The argument
must be yes or no. The default is no.
PasswdPath
Specifies the location of the passwd program (or equivalent). By
default this is set to where the configure script found it. This
program will be run with the privileges of the user logging in.
PasswordGuesses
Specifies the number of login attempts that the user is permitted when
using password authentication. The default is 3 attempts.
PermitEmptyPasswords
Specifies whether the server allows login to accounts with empty
password strings when using password authentication. The argument must
be yes or no. The default is yes.
PermitRootLogin
Specifies whether root can log in using the ssh2 command.
The argument must be yes, no, or nopwd. The default is yes.
The nopwd value disables password-authenticated root logins. The no
value disables root logins. The nopwd and no are equivalent unless you
have an .rhosts or .shosts file in the root home directory and you have
not set up public key authentication for root. Root login with public
key authentication will be allowed regardless of the value of this
setting (which may be useful for taking remote backups even if root
login is usually not allowed).
Pki ca-certificate
Enables user authentication using certificates. The ca-certificate must
be an X.509 certificate in binary format. This keyword must be followed
by one or more MapFile keywords.
The validity of a received certificate is checked separately using each
of the defined Pki keywords in turn until they are exhausted (in which
case the authentication fails) or a positive result is achieved. If
the certificate is valid, the mapping files are examined to determine
whether the certificate allows the user to log in. A correct signature
generated by the matching private key is always required.
PkiDisableCrls argument
Disables CRL checking for the preceding Pki keyword, if argument is y.
By default, CRL checking is y.
Port
Specifies the port number where the sshd2 daemon listens. The default
is port number 22.
PrintMotd
Specifies whether the /etc/motd file is displayed when a user logs in.
The argument must be yes or no. The default is yes.
PublicHostKeyFile
Specifies the name of the file containing the public host key. The
default is the /etc/ssh2/hostkey.pub file.
QuietMode
Displays nothing in the system log except fatal errors. The argument
must be yes or no. The default is no.
RandomSeedFile
Specifies the name of the random seed file.
RekeyIntervalSeconds
Specifies the number of seconds between key exchanges. The default is
3600 seconds (one hour). A value of zero turns rekey requests off. This
does not prevent the client from requesting rekeys. Other clients might
not have rekey capabilities implemented correctly, and might not
support rekey requests. This means that they might terminate the
connection or crash.
RequiredAuthentications
Specifies the authentication methods that users must pass before
connecting. Supported authentication methods are password, publickey,
and hostbased. Use a comma-separated list when specifying more than
one argument. If the value to this argument is not specified, the
client can authenticate users by using any of the authentications
methods specified by the AllowedAuthentications keyword. If a value is
specified, the client must use the specified authentication method, and
AllowedAuthentications is ignored.
Note
Prior to Secure Shell version 3.1.0, the RequiredAuthentications
option was a required subset of AllowedAuthentications. This is no
longer a requirement.
RequireReverseMapping
Specifies whether a hostname DNS lookup must succeed when checking host
connections from hosts that are defined by the AllowHosts and DenyHosts
keywords.
The argument must be yes or no. The default is no. If the argument is
yes and the DNS name lookup fails, the connection is denied. If the
argument is no and the DNS name lookup fails, the remote host's IP
address is used to check whether it is allowed to connect. This might
not be desirable if you defined only host names (not IP addresses) with
AllowHosts and DenyHosts keywords.
ResolveClientHostName
Controls whether sshd2 will try to resolve the client ip. This is
useful when you know that the DNS cannot be reached, and the query
would cause additional delay in logging in. If you set this to no, you
should not set RequireReverseMapping to yes. The default is yes. The
argument must be yes or no.
SettableEnvironmentVar
Follows any number of patterns, separated by commas. Patterns are
matched using the egrep syntax (see sshregex(5)), or the syntax
specified in the metaconfiguration header of the configuration file.
You can use the comma character in the patterns by escaping it with a
backslash. By default, the /etc/ssh2/sshd2_config file specifies some
common and safe environment variables. You can set some or all
environment variables with this option. This option is used to check
whether a setting is allowed by the client (ssh2), by the user's
$HOME/.ssh2/environment file, or by public key options. It is not used
when setting variables from /etc/environment or other root-only files.
It only changes the setting of environment variables before the user's
shell is run. After that, the user can set any environment variables.
SftpSysLogFacility
Defines what log facility the sftp-server will use. By default this
has no value (i.e., no logging is performed by the subsystem).
SocksServer socks_server_name
Specifies the name of a socks server. Used when fetching certificates
or CRLs from remote servers.
Ssh1Compatibility
Specifies whether the sshd1 daemon is executed when the client
supports only SSH 1.x protocols. The argument must be yes or no.
Sshd1ConfigFile
Specifies an alternate configuration file for sshd1 for the case that
sshd2 runs in compatibility mode. This is only used if sshd2 is
executed with the -f command line option. If -f is not specified, sshd1
will read its configuration from the standard location, typically
/etc/sshd_config.
Sshd1Path
Specifies the path to the sshd1 daemon which will be executed if the
client supports only SSH 1.x protocols. The arguments for the sshd2
daemon are passed to the sshd1 daemon.
StrictModes
Specifies whether the sshd2 daemon should check file modes and
ownership of the user's home directory and rhosts files before
accepting login. This is desirable because novices sometimes leave
their directory or files world-writable. The argument must be yes or
no. The default is yes. (This is only used with host-based
authentication.)
Subsystem-<subsystem name>
Specifies a subsystem. The argument is a command that will be executed
when the subsystem is requested. The sftp command uses a subsystem of
the sshd2 daemon to transfer files securely. In order to use the sftp
server you must have the subsystem-sftp sftp-server definition (the
default) or subsystem-sftp internal://sftp-server which will execute an
sftp-service internally in the child process.
The child process usually executes a command using the user's shell,
but in this case it will start to handle SFTP requests. This enables
better logging in chrooted environments, and does not require any
static binaries to be built. The only binary needed will be the sshd2
daemon.
SyslogFacility
Specifies the facility code that is used when logging messages from the
sshd2 daemon. The possible values are: DAEMON, USER, AUTH, LOCAL0,
LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is
AUTH.
UserConfigDirectory
Specifies where user-specific configuration data can be retrieved. With
this keyword, administrators can control configuration parameters that
are usually the users' domain. This argument is a pattern string which
is expanded by the sshd2 daemon. Argument %D is the user's home
directory, %U is the user's login name, %IU is the user's user ID
(uid), and %IG is the user's group ID (gid). The default is %D/.ssh2.
UserKnownHosts
Specifies whether the user's $HOME/.ssh2/knownhosts/ directory can be
used to get host public keys when using hostbased authentication. The
argument must be yes or no. The default is yes.
UserSpecificConfig
Reads configuration files when the user name the client is trying to
log into is known. You can use patterns of the form
user[%group][@host], where the pattern user is matched with the user
name and UID, group is matched with the user's primary and any
secondary groups, both group name and GID, and host is matched as
described under option AllowHosts. See sshd2_subconfig(4) for more
information on what you can set in this subconfiguration file.
VerboseMode
Prompts the sshd2 daemon to print debugging messages about its
progress, and prevents it from handling more than one connection at a
time. This is helpful in debugging connection, authentication, and
configuration problems.
XauthPath
Specifies where to find the xauth program. This option is useful if you
are using binaries and your X11 programs are installed where ssh2 might
not find them. The default is set by the configure script.
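As an added example (not part of this manual page), a Python reader for the keyword-argument format described in DESCRIPTION (comment and empty lines skipped, case-insensitive keywords, double-quoted arguments with C-style escapes) followed by an audit of the parsed entries against the defaults stated for PermitEmptyPasswords, PermitRootLogin, Ciphers, MACs, IgnoreRhosts, StrictModes and LoginGraceTime. It assumes C escapes apply only inside quotes, so unquoted pattern prefixes such as \m pass through unchanged, and that the last occurrence of a scalar keyword wins.

```python
_C_ESCAPES = {"n": "\n", "t": "\t", "\\": "\\", '"': '"'}


def tokenize(line):
    r"""Split one sshd2_config line into keyword and arguments.

    Double quotes group words; inside quotes the C escapes \n, \t, \\ and \"
    are honoured.  Outside quotes a backslash is kept literally (assumption).
    """
    tokens, current, in_quotes, started, i = [], [], False, False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes and ch == "\\" and i + 1 < len(line):
            current.append(_C_ESCAPES.get(line[i + 1], line[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                tokens.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
        i += 1
    if started:
        tokens.append("".join(current))
    return tokens


def parse_sshd2_config(text):
    """Return [(keyword, [args...])] in file order; keywords are case-insensitive."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # empty lines and # comments are ignored
        tokens = tokenize(line)
        entries.append((tokens[0].lower(), tokens[1:]))
    return entries


def effective(entries, keyword, default):
    """Last occurrence wins for scalar keywords (a later value overrides)."""
    values = [" ".join(args) for kw, args in entries if kw == keyword]
    return values[-1] if values else default


def audit(entries):
    """Flag settings (explicit or defaulted) that widen exposure; defaults per sshd2_config(4)."""
    findings = []
    if effective(entries, "permitemptypasswords", "yes").lower() == "yes":
        findings.append("PermitEmptyPasswords is yes (the default): empty-password accounts can log in")
    if effective(entries, "permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin is yes (the default): consider no or nopwd")
    for kw, default in (("ciphers", "AnyStdCipher"), ("macs", "AnyStdMac")):
        value = effective(entries, kw, default)
        if any(n.strip().lower() in ("none", "any", "anystd") for n in value.split(",")):
            findings.append("%s=%s permits the none algorithm" % (kw, value))
    auths = effective(entries, "allowedauthentications", "publickey,password").lower()
    if "hostbased" in auths and effective(entries, "ignorerhosts", "no").lower() == "no":
        findings.append("hostbased authentication with IgnoreRhosts no: user .rhosts/.shosts are trusted")
    if effective(entries, "strictmodes", "yes").lower() == "no":
        findings.append("StrictModes no: world-writable home directories or rhosts files are accepted")
    if effective(entries, "logingracetime", "600") == "0":
        findings.append("LoginGraceTime 0: unauthenticated connections are never timed out")
    return findings


# Constructed sample configuration exercising comments, quoting and mixed-case keywords.
SAMPLE_CONFIG = r'''
# constructed sshd2_config excerpt
Port 22
permitRootLogin yes
PermitEmptyPasswords yes
Ciphers "aes,3des,none"
MACs AnyStdMac
AllowedAuthentications publickey,hostbased
IgnoreRhosts no
LoginGraceTime 0
BannerMessageFile "/etc/ssh2/banner with space"
AllowHosts \m10.0.0.0/8
'''

if __name__ == "__main__":
    for finding in audit(parse_sshd2_config(SAMPLE_CONFIG)):
        print("-", finding)
```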
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
SEE ALSO
Commands: sshd2(8)
Files: ssh_certificates(4), sshd2_subconfig(4), sshd-check-conf(4)
Others: sshregex(5)