Diffstat (limited to '')
-rw-r--r-- | sshd_config.0 | 137 |
1 files changed, 117 insertions, 20 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 8b39739..6883dda 100644 --- a/sshd_config.0 +++ b/sshd_config.0 @@ -616,16 +616,21 @@ DESCRIPTION cache file on logout. The default is yes. KexAlgorithms - Specifies the available KEX (Key Exchange) algorithms. Multiple - algorithms must be comma-separated. Alternately if the specified - list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms - will be appended to the default set instead of replacing them. - If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the - specified algorithms (including wildcards) will be removed from - the default set instead of replacing them. If the specified list - begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will - be placed at the head of the default set. The supported - algorithms are: + Specifies the permitted KEX (Key Exchange) algorithms that the + server will offer to clients. The ordering of this list is not + important, as the client specifies the preference order. + Multiple algorithms must be comma-separated. + + If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the + specified algorithms will be appended to the default set instead + of replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y + character, then the specified algorithms (including wildcards) + will be removed from the default set instead of replacing them. + If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the + specified algorithms will be placed at the head of the default + set. + + The supported algorithms are: curve25519-sha256 curve25519-sha256@libssh.org @@ -650,7 +655,7 @@ DESCRIPTION diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, diffie-hellman-group14-sha256 - The list of available key exchange algorithms may also be + The list of supported key exchange algorithms may also be obtained using "ssh -Q KexAlgorithms". ListenAddress 
@@ -779,13 +784,13 @@ DESCRIPTION HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IgnoreRhosts, Include, IPQoS, KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, MaxAuthTries, MaxSessions, - PasswordAuthentication, PermitEmptyPasswords, PermitListen, - PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, - PermitUserRC, PubkeyAcceptedAlgorithms, PubkeyAuthentication, - PubkeyAuthOptions, RekeyLimit, RevokedKeys, RDomain, SetEnv, - StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, - UnusedConnectionTimeout, X11DisplayOffset, X11Forwarding and - X11UseLocalhost. + PAMServiceName, PasswordAuthentication, PermitEmptyPasswords, + PermitListen, PermitOpen, PermitRootLogin, PermitTTY, + PermitTunnel, PermitUserRC, PubkeyAcceptedAlgorithms, + PubkeyAuthentication, PubkeyAuthOptions, RekeyLimit, RevokedKeys, + RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink, + TrustedUserCAKeys, UnusedConnectionTimeout, X11DisplayOffset, + X11Forwarding and X11UseLocalhost. MaxAuthTries Specifies the maximum number of authentication attempts permitted @@ -821,9 +826,14 @@ DESCRIPTION M-bM-^@M-^\diffie-hellman-group-exchange-sha256M-bM-^@M-^] key exchange methods. The default is /etc/moduli. + PAMServiceName + Specifies the service name used for Pluggable Authentication + Modules (PAM) authentication, authorisation and session controls + when UsePAM is enabled. The default is sshd. + PasswordAuthentication Specifies whether password authentication is allowed. The - default is yes. + default is sshd. PermitEmptyPasswords When password authentication is allowed, it specifies whether the 
@@ -926,6 +936,87 @@ DESCRIPTION separated by a colon. The default is 32:128, which means each address is considered individually. + PerSourcePenalties + Controls penalties for various conditions that may represent + attacks on sshd(8). If a penalty is enforced against a client + then its source address and any others in the same network, as + defined by PerSourceNetBlockSize, will be refused connection for + a period. + + A penalty doesn't affect concurrent connections in progress, but + multiple penalties from the same source from concurrent + connections will accumulate up to a maximum. Conversely, + penalties are not applied until a minimum threshold time has been + accumulated. + + Penalties are enabled by default with the default settings listed + below but may disabled using the off keyword. The defaults may + be overridden by specifying one or more of the keywords below, + separated by whitespace. All keywords accept arguments, e.g. + "crash:2m". + + crash:duration + Specifies how long to refuse clients that cause a crash + of sshd(8) (default: 90s). + + authfail:duration + Specifies how long to refuse clients that disconnect + after making one or more unsuccessful authentication + attempts (default: 5s). + + noauth:duration + Specifies how long to refuse clients that disconnect + without attempting authentication (default: 1s). This + timeout should be used cautiously otherwise it may + penalise legitimate scanning tools such as + ssh-keyscan(1). + + grace-exceeded:duration + Specifies how long to refuse clients that fail to + authenticate after LoginGraceTime (default: 20s). + + max:duration + Specifies the maximum time a particular source address + range will be refused access for (default: 10m). + Repeated penalties will accumulate up to this maximum. + + min:duration + Specifies the minimum penalty that must accrue before + enforcement begins (default: 15s). 
+ + max-sources4:number, max-sources6:number + Specifies the maximum number of client IPv4 and IPv6 + address ranges to track for penalties (default: 65536 for + both). + + overflow:mode + Controls how the server behaves when max-sources4 or + max-sources6 is exceeded. There are two operating modes: + deny-all, which denies all incoming connections other + than those exempted via PerSourcePenaltyExemptList until + a penalty expires, and permissive, which allows new + connections by removing existing penalties early + (default: permissive). Note that client penalties below + the min threshold count against the total number of + tracked penalties. IPv4 and IPv6 addresses are tracked + separately, so an overflow in one will not affect the + other. + + overflow6:mode + Allows specifying a different overflow mode for IPv6 + addresses. The default it to use the same overflow mode + as was specified for IPv4. + + PerSourcePenaltyExemptList + Specifies a comma-separated list of addresses to exempt from + penalties. This list may contain wildcards and CIDR + address/masklen ranges. Note that the mask length provided must + be consistent with the address - it is an error to specify a mask + length that is too long for the address or one with bits set in + this host portion of the address. For example, 192.0.2.0/33 and + 192.0.2.0/8, respectively. The default is not to exempt any + addresses. + PidFile Specifies the file that contains the process ID of the SSH daemon, or none to not write one. The default is 
@@ -1047,6 +1138,12 @@ DESCRIPTION environment and any variables specified by the user via AcceptEnv or PermitUserEnvironment. + SshdSessionPath + Overrides the default path to the sshd-session binary that is + invoked to handle each connection. The default is + /usr/libexec/sshd-session. This option is intended for use by + tests. + StreamLocalBindMask Sets the octal file creation mode mask (umask) used when creating a Unix-domain socket file for local or remote port forwarding. @@ -1293,4 +1390,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.5 February 21, 2024 OpenBSD 7.5 +OpenBSD 7.5 June 24, 2024 OpenBSD 7.5 |
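Review bot: in the KexAlgorithms hunk (@@ -616), the new sentence "The ordering of this list is not important, as the client specifies the preference order." sits awkwardly beside the retained '^' paragraph, which still says the specified algorithms "will be placed at the head of the default set". Suggest a clause making clear that '^' only changes the position within the offered list and does not influence which method the server ends up using, so an administrator does not reach for '^' expecting to force a stronger key exchange; excluding a method requires '-' or replacing the list outright. The "available" to "supported" change later in the same hunk matches the new opening sentence, so that part is consistent.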
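Review bot: in the Match keyword hunk (@@ -779), PAMServiceName is added in the right alphabetical position, but UsePAM is not in the list (the visible run is "TrustedUserCAKeys, UnusedConnectionTimeout, X11DisplayOffset, X11Forwarding and X11UseLocalhost"), so a PAMServiceName set inside a Match block only has an effect when UsePAM is enabled globally. Suggest stating that dependency here or in the new PAMServiceName entry, which already says "when UsePAM is enabled", so a reader does not assume PAM behaviour can be scoped entirely within a Match block.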
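Review bot: the last change in the PAMServiceName hunk (@@ -821) looks like a copy/paste slip: the PasswordAuthentication text goes from "default is yes." to "default is sshd.", and "sshd" is the default of the PAMServiceName option added immediately above it. PasswordAuthentication is a yes/no option, so the line should remain "The default is yes."; as committed the rendered page documents a meaningless default for a security-relevant setting. The new PAMServiceName entry itself is fine as written.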
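Review bot: two typos in the PerSourcePenalties hunk (@@ -926): "but may disabled using the off keyword" should read "but may be disabled", and under overflow6 "The default it to use the same overflow mode" should read "The default is to use". In PerSourcePenaltyExemptList, "bits set in this host portion" should be "in the host portion", and the sentence "For example, 192.0.2.0/33 and 192.0.2.0/8, respectively." would be clearer if it said which error each address illustrates (mask too long, host bits set). On substance, the overflow text could state plainly that the default permissive mode trades enforcement for availability: once more than max-sources4 or max-sources6 ranges are tracked, existing penalties are dropped early, so an operator who wants penalties to hold under a large-scale flood should choose deny-all and list their own management ranges in PerSourcePenaltyExemptList. The ssh-keyscan(1) caveat under noauth is useful; the same applies to any monitoring that opens connections without authenticating.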
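Review bot: the SshdSessionPath hunk (@@ -1047) documents an option that makes sshd run whatever binary the configuration names "to handle each connection", yet says only that it "is intended for use by tests". Suggest spelling out the operational meaning: the path must point to a binary trusted to the same degree as sshd itself, and the option is not expected in production configurations, so an auditor reading a config with this key set knows it warrants a look.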