sshd2_config (5) ( Solaris man: File formats )
    NAME
         sshd2_config - format of configuration file for sshd2
    
    
    CONFIGURATION FILE
         Sshd2 reads configuration data  from  /etc/ssh2/sshd2_config
         (or  the  file  specified with -f on the command line).  The
         file contains keyword-value  pairs,  one  per  line.   Lines
         starting  with  '#'  and empty lines are interpreted as com-
         ments.
    
         The following  keywords  are  possible.  Keywords  are  case
         insensitive.
    
    
    
         AllowAgentForwarding or ForwardAgent
              Specifies whether agent forwarding is  permitted.  This
              parameter  is implemented mainly for completeness. Usu-
              ally, you should allow users to  freely  forward  agent
              connections.  The  argument must be "yes" or "no".  The
              default is "yes".
    
    
         AllowedAuthentications
               This keyword specifies the authentication methods  that
               are  allowed.  This is a comma-separated list currently
              consisting of the following words:  password, publickey
              and   hostbased.    Each  specifies  an  authentication
              method.  The  default  is  "publickey,password".   With
              RequiredAuthentications,  the  system administrator can
              force users to complete several authentications  before
              they are considered authenticated.
    
    
         AllowCshrcSourcingWithSubsystems
              If set to "no", gives additional "-f" argument  to  csh
              or  tcsh  when executing subsystems to prevent commands
              in .cshrc (or .tcshrc) from interfering with, for exam-
              ple,  the  sftp-server subsystem.  The default is "no".
              The argument must be "yes" or "no".
    
    
         AllowGroups
              This keyword can be followed by  any  number  of  group
              name patterns, separated by commas. If specified, login
              is allowed only if one of the groups the  user  belongs
              to  matches  one  of the patterns. Patterns are matched
              using the zsh-fileglob-syntax  (see  sshregex(1)).  You
              can  use  the  comma  ','  character in the patterns by
              escaping it with '\' (backslash). If you  want  to  use
              the  escape  character  in  the  patterns,  you have to
              escape it ('\\'). By default, all users are allowed  to
              log in.
    
               Note that all the other login authentication steps must
               still be successfully completed.  AllowGroups and Deny-
               Groups are additional restrictions.
    
    
         AllowHosts
              This keyword can be followed by any number of host name
              patterns,  separated by commas.  If specified, login is
              allowed only from hosts whose name matches one  of  the
              patterns.    Patterns   are   matched  using  the  zsh-
              fileglob-syntax (see sshregex(1)). Normal name  servers
              are used to map the client's host name into a canonical
              host name.  If  the  name  cannot  be  mapped,  the  IP
              address  is  used  as  the  host name.  By default, all
              hosts are allowed to connect.
    
              Note  that  sshd2  can  also  be  configured   to   use
              tcp_wrappers using the --with-libwrap compile-time con-
              figuration option.
    
              Note also, that to prevent  people  going  around  this
              parameter    and    logging    in   from   hosts   like
              130.233.evil.org, you should  use  the  [:isdigit:]  or
              similar constructs.
    
    
         AllowSHosts
              This keyword can be followed by any number of host name
              patterns,   separated  by  commas.  If  specified,  the
              .shosts    (and    .rhosts,    /etc/hosts.equiv     and
              /etc/shosts.equiv)  entries  are only honored for hosts
              whose name matches one of the patterns.   '*'  and  '?'
              can  be used as wildcards in the patterns.  Normal name
              servers are used to map the client's host name  into  a
              canonical host name.  If the name cannot be mapped, the
              IP address is used as the host name.  By  default,  all
              hosts are allowed to connect.
    
    
         AllowTcpForwarding
              Specifies whether TCP  forwarding  is  permitted.  Note
              that disabling TCP forwarding does not improve security
              in any way, as users can always install their own  for-
              warders.   The  argument  must  be  "yes" or "no".  The
              default is "yes".
    
    
         AllowTcpForwardingForGroups
              The syntax is the same as in AllowGroups,  but  instead
              of  login,  this controls the ability to forward ports,
              in remote or local forwarding. Note that disabling  TCP
              forwarding  does  not  improve  security in any way, as
              users can always install  their  own  forwarders.  This
              does,  however,  help if you deny the user shell access
              at the same time. See ssh-dummy-shell(1).  The argument
              must  be  "yes"  or  "no".   Forwarding  is  enabled by
              default.
    
    
         AllowTcpForwardingForUsers
              Syntax is the same as in  AllowUsers,  but  instead  of
              login,  this  controls the ability to forward ports, in
              remote or local forwarding.  Note  that  disabling  TCP
              forwarding  does  not  improve  security in any way, as
              users can always install  their  own  forwarders.  This
              does,  however,  help if you deny the user shell access
              at the same time. See ssh-dummy-shell(1).  The argument
              must  be  "yes"  or  "no".   Forwarding  is  enabled by
              default.
    
    
         AllowUsers
              This keyword can be followed by any number of user name
              patterns  or  user@host  patterns, separated by commas.
              Host name is handled as a pattern, so the  rules  below
              apply.  Host name can also be a pure DNS name or the IP
              address. If specified, login is allowed as users  whose
              name  matches one of the patterns. Patterns are matched
              using the zsh-fileglob-syntax  (see  sshregex(1)).  You
              can  use  the  comma  ','  character in the patterns by
              escaping it with '\' (backslash). If you  want  to  use
              the  escape  character  in  the  patterns,  you have to
              escape it ('\\'). By default, all users are allowed  to
              log in.
    
               Note that all the other login authentication steps must
               still  be  successfully completed.  AllowUsers and Den-
               yUsers are additional restrictions.
    
    
         AllowX11Forwarding or X11Forwarding or ForwardX11
              Specifies whether  X11  forwarding  is  permitted.  The
              default  is  "yes".  Note that disabling X11 forwarding
              does not improve security in  any  way,  as  users  can
              always  install their own forwarders. The argument must
              be "yes" or "no".
    
    
         AuthorizationFile
              Specifies the name of the user's authorization file.
    
    
         BannerMessageFile
              Specifies the path to the message that is sent  to  the
              client  before  authentication. Note, however, that the
              client isn't obliged to show this message. The  default
              is /etc/ssh2/ssh_banner_message.
    
    
         CheckMail
              Specifies if  sshd  should  print  information  whether
              there  is  new mail or not when a user logs in interac-
              tively.  (On some  systems  this  information  is  also
              printed  by  the  shell,  /etc/profile, or equivalent.)
              The argument must be "yes" or  "no".   The  default  is
              "yes".
    
    
         ChRootGroups
              Specifies whether sshd should give the user who belongs
              to the defined group a chrooted environment. This keeps
              the user who belongs to this group in  a  "jail"  where
              they  can  only move around in their home directory and
              lower. This is not a default  option,  but  it  can  be
              added,  and  the  groups  are  defined on the server in
              /etc/group. More than one group can be listed, and  the
              groups must be separated by a comma.
    
    
         ChRootUsers
              Specifies whether sshd should give the user a  chrooted
              environment. This keeps the user in a "jail" where they
              can only move around in their home directory and lower.
              This  is not a default option, but it can be added, and
              the users are defined on  the  server  in  /etc/passwd.
              More than one user can be listed, and the users must be
              separated by a comma.
    
    
         Ciphers
              Specifies the ciphers to use for  encrypting  the  ses-
              sion.  Currently, des, 3des, blowfish, arcfour, twofish
              and cast are supported. Multiple ciphers can be  speci-
              fied  as a comma-separated list. Special values to this
              option are any, anystd that allows only  standard  (see
              below)  ciphers (and 'none'), and anycipher that allows
              either any available cipher or  excludes  nonencrypting
              cipher  mode  none but allows all others.  anystdcipher
              is the same as anycipher above, but includes only those
               ciphers  mentioned  in  the IETF-SecSH-draft (excluding
               'none').
    
    
         DenyGroups
              This keyword can be followed by  any  number  of  group
              name patterns, separated by commas. If specified, login
              is denied if one of the  groups  the  user  belongs  to
              matches one of the patterns. Patterns are matched using
              the zsh-fileglob-syntax (see sshregex(1)). You can  use
              the  comma ',' character in the patterns by escaping it
              with '\' (backslash). If you want  to  use  the  escape
              character  in  the  patterns,  you  have  to  escape it
              ('\\'). By default, all users are allowed to log in.
    
              If a user's group matches with both a pattern in  Deny-
              Groups and one in AllowGroups, login will be denied.
    
               Note that all the other login authentication steps must
               still be successfully completed.  AllowGroups and Deny-
               Groups are additional restrictions.
    
    
         DenyHosts
              This keyword can be followed by any number of host name
              patterns,  separated by commas.  If specified, login is
              disallowed from hosts whose names match any of the pat-
              terns. See AllowHosts.
    
    
         DenySHosts
              This keyword can be followed by any number of host name
              patterns,  separated  by  commas. If specified, .shosts
              (and .rhosts, /etc/hosts.equiv  and  /etc/shosts.equiv)
              entries  whose name matches any of the patterns will be
              ignored.
    
    
         DenyTcpForwardingForGroups
              The syntax is the same as in DenyGroups, but instead of
              login,  this  controls the ability to forward ports, in
              remote or local forwarding.  Note  that  disabling  TCP
              forwarding  does  not  improve  security in any way, as
              users can always install  their  own  forwarders.  This
              does,  however,  help if you deny the user shell access
              at the same time. See ssh-dummy-shell(1).  The argument
              must  be  "yes"  or  "no".   Forwarding  is  enabled by
              default.
    
    
         DenyTcpForwardingForUsers
              The syntax is the same as in DenyUsers, but instead  of
              login,  this  controls the ability to forward ports, in
              remote or local forwarding.  Note  that  disabling  TCP
              forwarding  does  not  improve  security in any way, as
              users can always install  their  own  forwarders.  This
              does,  however,  help if you deny the user shell access
              at the same time. See ssh-dummy-shell(1).  The argument
              must  be  "yes"  or  "no".   Forwarding  is  enabled by
              default.
    
    
         DenyUsers
              This keyword can be followed by any number of user name
              patterns  or  user@host  patterns, separated by commas.
              Host name is handled as a pattern, so the  rules  below
              apply.  Host name can also be a pure DNS name or the IP
              address. If specified, login  is  disallowed  as  users
              whose  name  matches  one of the patterns. Patterns are
              matched  using  the  zsh-fileglob-syntax  (see   sshre-
              gex(1)).  You  can  use  the comma ',' character in the
              patterns by escaping it with '\'  (backslash).  If  you
              want  to  use the escape character in the patterns, you
              have to escape it ('\\'). By  default,  all  users  are
              allowed to log in.
    
              If a user's name matches with both a  pattern  in  Den-
              yUsers and one in AllowUsers, login is denied.
    
               Note that all the other login authentication steps must
               still  be  successfully completed.  AllowUsers and Den-
               yUsers are additional restrictions.
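A parser for the keyword-value format described under CONFIGURATION FILE, together with an evaluator for the AllowUsers/DenyUsers rules (escaped commas, user@host patterns, DenyUsers taking precedence), added here as an illustration and not code from sshd2 itself. Python's fnmatch stands in for the zsh fileglob syntax of sshregex(1), and the sample configuration is constructed.

```python
import fnmatch

# Constructed sshd2_config sample: '#' lines and empty lines are comments,
# keywords are case-insensitive, one keyword-value pair per line.
SAMPLE_CONFIG = """\
# constructed sshd2_config sample
Port                22
allowusers          backup@*.example.com, admin*, ops\\,team
DenyUsers           admin-old, *@130.233.evil.org
AllowedAuthentications publickey,password
RequiredAuthentications publickey
PermitRootLogin     nopwd
"""


def parse_config(text):
    """Return {lowercased keyword: value}; a later line overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        conf[keyword] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def split_patterns(value):
    """Split a comma-separated pattern list, honouring the '\\,' and '\\\\' escapes."""
    patterns, cur, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in ",\\":
            cur.append(value[i + 1])   # escaped comma or escaped backslash
            i += 2
            continue
        if ch == ",":
            patterns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    patterns.append("".join(cur).strip())
    return [p for p in patterns if p]


def pattern_matches(pattern, user, host):
    """Match a 'user' or 'user@host' pattern against a login attempt (fnmatch stands in for zsh fileglob)."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat)
    return fnmatch.fnmatchcase(user, pattern)


def login_allowed(conf, user, host):
    """Apply only the AllowUsers/DenyUsers restriction step.

    A DenyUsers match wins over an AllowUsers match; with no AllowUsers
    every user passes this step. The normal authentication steps still
    have to succeed afterwards.
    """
    deny = split_patterns(conf.get("denyusers", ""))
    if any(pattern_matches(p, user, host) for p in deny):
        return False
    allow = split_patterns(conf.get("allowusers", ""))
    if not allow:
        return True
    return any(pattern_matches(p, user, host) for p in allow)
```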
    
    
         ForcePTTYAllocation
              Force tty allocation, i.e., allocate a tty  even  if  a
              command  is  given. The argument must be "yes" or "no".
              (not yet implemented)
    
    
         ForwardAgent
              See AllowAgentForwarding.
    
    
         HostKeyFile
              Specifies the file  containing  the  private  host  key
              (default /etc/ssh2/hostkey).
    
    
         IdentityFile
              Specifies the file containing the identity user  public
              key (default identification).
    
    
         IgnoreRhosts
              Specifies that the rhosts and shosts files will not  be
              used  in "hostbased" authentication (see AllowedAuthen-
              tications).  /etc/hosts.equiv and /etc/shosts.equiv are
              still used (if "hostbased" authentication is used). The
              argument must be "yes" or "no".  The default is "no".
    
    
         IgnoreRootRhosts
              Specifies that the rhosts and shosts files will not  be
              used  in  authentication  for  root. The default is the
              value of IgnoreRhosts.
    
    
         KeepAlive
              Specifies whether the system should send keepalive mes-
              sages to the other side. If they are sent, death of the
              connection or crash of one  of  the  machines  will  be
              properly  noticed. However, this means that connections
              will die if the route is  down  temporarily,  and  some
              people   find  it  annoying.  On  the  other  hand,  if
              keepalives are not sent, sessions may hang indefinitely
              on  the  server,  leaving  "ghost"  users and consuming
              server resources.
    
              The default is "yes"  (to  send  keepalives),  and  the
              server  will  notice  if  the  network goes down or the
              client host reboots.  This  avoids  infinitely  hanging
              sessions.
    
              To disable keepalives, the value should be set to  "no"
              in both the server and the client configuration files.
    
    
         ListenAddress
              Specifies the IP address of  the  interface  where  the
              sshd2 server socket is bound.
    
    
         LoginGraceTime
              The server disconnects after this time if the user  has
              not  successfully  logged in.  If the value is 0, there
              is no time limit.  The default is 600 (seconds).
    
    
         MACs Specifies the MAC (Message Authentication  Code)  algo-
              rithm   to   use   for   data  integrity  verification.
              Currently,  hmac-sha1,  hmac-sha1-96,  hmac-md5,  hmac-
              md5-96,  hmac-ripemd160  and hmac-ripemd160-96 are sup-
              ported, of which hmac-sha1, hmac-sha1-96, hmac-md5  and
              hmac-md5-96 are included in all distributions. Multiple
              MACs can be specified as a comma-separated list.   Spe-
              cial values to this option are any, anystd, that allows
              only standard (see below) MACs (and 'none'), and anymac
              that  allows  either any available MAC or excludes none
              but allows all others.  anystdmac is the same as anymac
              above,  but  includes  only those MACs mentioned in the
              IETF-SecSH-draft (excluding 'none').
    
    
         MaxBroadcastsPerSecond
              Specifies how many UDP broadcasts  server  handles  per
              second.  The  default  value is 0 and no broadcasts are
              handled at all. Broadcasts that exceed  the  limit  are
              silently  ignored.  Received unrecognized UDP datagrams
              also consume the capacity defined by this option.
    
    
         MaxConnections
              Specifies the maximum number of connections sshd2  will
              handle  simultaneously. This is useful in systems where
              spamming sshd2 with new connections can cause the  sys-
              tem  to  become  unstable  or  crash. The argument is a
              positive number. 0 means that number of connections  is
              unlimited (by sshd2).
    
              Note that by using (at least) xinetd  you  achieve  the
              same effect.
    
    
         NoDelay
              If "yes", enable socket option TCP_NODELAY.  The  argu-
              ment must be "yes" or "no".  Default is "no".
    
    
         PasswordAuthentication
              Specifies whether to use password  authentication.  The
              argument  must be "yes" or "no".  Note: This keyword is
              deprecated. Use AllowedAuthentications and  RequiredAu-
              thentications.
    
    
         PasswordGuesses
              Specifies the number of tries that the  user  has  when
              using  password authentication. The default is 3. Then,
              shalt thou count to three. No more. No less.
    
    
         PermitEmptyPasswords
              When password authentication is allowed,  it  specifies
              whether  the server allows login to accounts with empty
              password strings. The argument must be "yes" or "no".
    
    
         PermitRootLogin
              Specifies whether the root can log in using ssh2.   May
              be  set  to  "yes",  "nopwd",  or "no".  The default is
              "yes", allowing root logins through any of the  authen-
              tication  types  allowed  for other users.  The "nopwd"
              value disables password-authenticated root logins.  The
              "no"  value  disables  root  logins  through any of the
              authentication   methods.   ("nopwd"   and   "no"   are
              equivalent  unless you have a .rhosts or .shosts in the
              root home directory and you haven't set up  public  key
              authentication for root.)
    
              Root login with  public  key  authentication  when  the
              "command"  option  has  been  specified will be allowed
              regardless of the value of this setting (which  may  be
              useful  for taking remote backups even if root login is
              normally not allowed).
    
    
         Port Specifies the port number that sshd2 listens  on.   The
              current default is 22.
    
    
         PrintMotd
              Specifies whether sshd2 should print /etc/motd  when  a
              user  logs in interactively. The default is "yes".  The
              argument must be "yes" or "no".
    
    
         PubKeyAuthentication
              Specifies whether to  try  public  key  authentication.
              RSAAuthentication is a synonym for this keyword, and it
              is defined for backwards compatibility with  ssh1.  The
              argument  must be "yes" or "no".  Note: This keyword is
              deprecated. Use AllowedAuthentications and  RequiredAu-
              thentications.
    
    
         PublicHostKeyFile
              Specifies the  file  containing  the  public  host  key
              (default  /etc/ssh2/hostkey.pub).  Note: In most cases,
              the order of configuration parameters is not an  issue.
              Here,  it  is  safe  if  you  specify HostKeyFile first
              before this parameter.
    
    
         RandomSeedFile
              Specifies the name of the random seed file.
    
    
         RekeyIntervalSeconds
              Specifies the interval in  seconds  at  which  the  key
              exchange  will  be  done  again.   The  default is 3600
              seconds (1 hour). A value of '0' turns  rekey  requests
              off.  This  doesn't  prevent the client from requesting
              rekeys. Other clients (not ssh2)  may  not  have  rekey
              capabilities  implemented correctly, and they might not
              like rekey requests. This means that they may  possibly
              close the connection or even crash.
    
    
         RequiredAuthentications
              Related to  AllowedAuthentications,  this  is  used  to
              specify what authentication methods the users must com-
              plete before continuing. If this value is  left  empty,
              it  does not mean that no authentications are required.
              It means that the client can authenticate  itself  with
              any  of the authentications given in AllowedAuthentica-
              tions.  This  parameter  has  no  default.  Note:  This
              parameter has to be a subset of AllowedAuthentications.
              Otherwise, the server denies connection every time.
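An audit of the authentication-related keywords described on this page (the RequiredAuthentications subset rule, the deprecated PasswordAuthentication/PubKeyAuthentication keywords, the 'none' algorithm admitted by the any/anystd values of Ciphers and MACs, PermitEmptyPasswords, PermitRootLogin, LoginGraceTime and the AllowHosts pattern caveat), run over an already parsed configuration. This is an added illustration, not code from sshd2; the configuration dicts are constructed, with lowercased keywords as keys.

```python
def _csv(value):
    """Split a comma-separated keyword value into lowercased items."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def audit_config(conf):
    """Return a list of findings for a {lowercased keyword: value} dict; empty means nothing flagged."""
    findings = []
    allowed = set(_csv(conf.get("allowedauthentications", "publickey,password")))
    required = set(_csv(conf.get("requiredauthentications", "")))
    # RequiredAuthentications must be a subset of AllowedAuthentications,
    # otherwise the server denies every connection.
    extra = required - allowed
    if extra:
        findings.append("RequiredAuthentications not a subset of AllowedAuthentications: "
                        + ",".join(sorted(extra)) + " (every connection will be denied)")
    # These keywords are deprecated in favour of Allowed/RequiredAuthentications.
    for old in ("passwordauthentication", "pubkeyauthentication", "rsaauthentication"):
        if old in conf:
            findings.append(old + " is deprecated; use AllowedAuthentications/RequiredAuthentications")
    # 'any' and 'anystd' admit the non-encrypting / non-authenticating 'none' mode.
    for kw in ("ciphers", "macs"):
        if set(_csv(conf.get(kw, ""))) & {"none", "any", "anystd"}:
            findings.append(kw + " permits the 'none' algorithm")
    if conf.get("permitemptypasswords", "").lower() == "yes" and "password" in allowed:
        findings.append("PermitEmptyPasswords yes while password authentication is allowed")
    if conf.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin yes (the default): root may log in with a password")
    if conf.get("logingracetime", "600").strip() == "0":
        findings.append("LoginGraceTime 0: unauthenticated connections never time out")
    # A digit-led wildcard host pattern also matches names such as 130.233.evil.org.
    for pat in _csv(conf.get("allowhosts", "")):
        if pat[:1].isdigit() and "*" in pat and "[" not in pat:
            findings.append("AllowHosts pattern " + pat
                            + " also matches names like 130.233.evil.org; use a digit class")
    return findings


# Constructed configurations: a weak one and a hardened one.
WEAK = {
    "allowedauthentications": "publickey",
    "requiredauthentications": "publickey,hostbased",
    "passwordauthentication": "yes",
    "ciphers": "anystd",
    "permitrootlogin": "yes",
    "logingracetime": "0",
    "allowhosts": "130.233.*, *.example.com",
}
HARDENED = {
    "allowedauthentications": "publickey,password",
    "requiredauthentications": "publickey",
    "ciphers": "anystdcipher",
    "macs": "hmac-sha1",
    "permitrootlogin": "nopwd",
    "permitemptypasswords": "no",
    "logingracetime": "120",
    "allowhosts": "*.example.com",
}
```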
    
    
         RequireReverseMapping
              This is used to check whether hostname DNS lookup  must
              succeed when checking whether connections from host are
              allowed using AllowHosts and DenyHosts.  If this is set
              to  yes,  then  if name lookup fails, the connection is
              denied. If set to no, if name lookup fails, the  remote
              host's  IP  address  is  used  to  check  whether it is
              allowed to connect. This is probably not what you  want
              if   you   have  specified  only  host  names  (not  IP
              addresses)  with  {Allow,Deny}Hosts.   The  default  is
              "no". The argument must be "yes" or "no".
    
    
         Subsystem-<subsystem name>
              Specifies a subsystem. The argument is a command  which
              will be executed when the subsystem is requested.
    
              Sftp uses  a  subsystem  of  sshd2  to  transfer  files
              securely.  In  order  to  use the sftp server, you must
              have the following subsystem definition:
    
              subsystem-sftp      sftp-server
    
    
         QuietMode
              Specifies whether the system runs in  quiet  mode.   In
              quiet mode, nothing is logged in the system log, except
              fatal errors.  The argument must be "yes" or "no".
    
    
         Ssh1Compatibility
              Specifies whether to use SSH1 compatibility code.  With
              this option, sshd1 is executed when the client supports
              only SSH 1.x protocols. The argument must be  "yes"  or
              "no".
    
    
         Sshd1Path
              Specifies the path to sshd1 daemon which will  be  exe-
              cuted  if  the  client supports only SSH 1.x protocols.
              The arguments for sshd2 are passed on to sshd1.
    
    
         SshPAMClientPath
              Specifies the path to ssh-pam-client, which is used  as
              a  helper  application to converse with the PAM modules
              by sshd2.
    
    
         StrictModes
              Specifies whether sshd2 should  check  file  modes  and
              ownership of the user's home directory and rhosts files
              before accepting  login.  This  is  normally  desirable
              because  novices  sometimes  accidentally  leave  their
              directory or files world-writable. The argument must be
              "yes"  or  "no".  The default is "yes". (not yet imple-
              mented)
    
    
         SyslogFacility
              Gives the facility code that is used when logging  mes-
              sages  from  sshd2.  The  possible  values are: DAEMON,
              USER, AUTH, LOCAL0,  LOCAL1,  LOCAL2,  LOCAL3,  LOCAL4,
              LOCAL5, LOCAL6, LOCAL7.  The default is AUTH.
    
    
         UserConfigDirectory
              Specifies where user-specific configuration data should
              be  fetched from. With this the administration can con-
              trol whatever configuration parameters they  wish  that
              are normally the users' domain. This is given as a pat-
              tern string which is  expanded  by  sshd2.  %D  is  the
              user's  home directory, %U is user's login name, %IU is
              the user's user ID (uid) and %IG is his group ID (gid).
              The default is %D/.ssh2.
    
    
         UserKnownHosts
              Specifies whether  the  user's  $HOME/.ssh2/knownhosts/
              directory  can  be  used to fetch host public keys when
              using "hostbased" authentication.  The argument must be
              "yes" or "no".  The default is "yes".
    
    
         VerboseMode
              Verbose mode.  Causes sshd2 to print debugging messages
              about  its  progress. This is helpful in debugging con-
              nection, authentication,  and  configuration  problems.
              Also  causes  sshd2  to not fork on connection, so only
              one connection is handled.
    
    
    AUTHORS
         SSH Communications Security Corp
    
         For more information, see http://www.ssh.com.
    
    
    SEE ALSO
         sshd2(8)
    
    
    
    
    Created 1996-2025 by Maxim Chirkov