summaryrefslogtreecommitdiffstats
path: root/sshd_config.0
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--sshd_config.0137
1 files changed, 117 insertions, 20 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 8b39739..6883dda 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -616,16 +616,21 @@ DESCRIPTION
cache file on logout. The default is yes.
KexAlgorithms
- Specifies the available KEX (Key Exchange) algorithms. Multiple
- algorithms must be comma-separated. Alternately if the specified
- list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms
- will be appended to the default set instead of replacing them.
- If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the
- specified algorithms (including wildcards) will be removed from
- the default set instead of replacing them. If the specified list
- begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will
- be placed at the head of the default set. The supported
- algorithms are:
+ Specifies the permitted KEX (Key Exchange) algorithms that the
+ server will offer to clients. The ordering of this list is not
+ important, as the client specifies the preference order.
+ Multiple algorithms must be comma-separated.
+
+ If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
+ specified algorithms will be appended to the default set instead
+ of replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y
+ character, then the specified algorithms (including wildcards)
+ will be removed from the default set instead of replacing them.
+ If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the
+ specified algorithms will be placed at the head of the default
+ set.
+
+ The supported algorithms are:
curve25519-sha256
curve25519-sha256@libssh.org
@@ -650,7 +655,7 @@ DESCRIPTION
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256
- The list of available key exchange algorithms may also be
+ The list of supported key exchange algorithms may also be
obtained using "ssh -Q KexAlgorithms".
ListenAddress
@@ -779,13 +784,13 @@ DESCRIPTION
HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
IgnoreRhosts, Include, IPQoS, KbdInteractiveAuthentication,
KerberosAuthentication, LogLevel, MaxAuthTries, MaxSessions,
- PasswordAuthentication, PermitEmptyPasswords, PermitListen,
- PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel,
- PermitUserRC, PubkeyAcceptedAlgorithms, PubkeyAuthentication,
- PubkeyAuthOptions, RekeyLimit, RevokedKeys, RDomain, SetEnv,
- StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys,
- UnusedConnectionTimeout, X11DisplayOffset, X11Forwarding and
- X11UseLocalhost.
+ PAMServiceName, PasswordAuthentication, PermitEmptyPasswords,
+ PermitListen, PermitOpen, PermitRootLogin, PermitTTY,
+ PermitTunnel, PermitUserRC, PubkeyAcceptedAlgorithms,
+ PubkeyAuthentication, PubkeyAuthOptions, RekeyLimit, RevokedKeys,
+ RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink,
+ TrustedUserCAKeys, UnusedConnectionTimeout, X11DisplayOffset,
+ X11Forwarding and X11UseLocalhost.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
@@ -821,9 +826,14 @@ DESCRIPTION
M-bM-^@M-^\diffie-hellman-group-exchange-sha256M-bM-^@M-^] key exchange methods. The
default is /etc/moduli.
+ PAMServiceName
+ Specifies the service name used for Pluggable Authentication
+ Modules (PAM) authentication, authorisation and session controls
+ when UsePAM is enabled. The default is sshd.
+
PasswordAuthentication
Specifies whether password authentication is allowed. The
- default is yes.
+ default is sshd.
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
@@ -926,6 +936,87 @@ DESCRIPTION
separated by a colon. The default is 32:128, which means each
address is considered individually.
+ PerSourcePenalties
+ Controls penalties for various conditions that may represent
+ attacks on sshd(8). If a penalty is enforced against a client
+ then its source address and any others in the same network, as
+ defined by PerSourceNetBlockSize, will be refused connection for
+ a period.
+
+ A penalty doesn't affect concurrent connections in progress, but
+ multiple penalties from the same source from concurrent
+ connections will accumulate up to a maximum. Conversely,
+ penalties are not applied until a minimum threshold time has been
+ accumulated.
+
+ Penalties are enabled by default with the default settings listed
+ below but may disabled using the off keyword. The defaults may
+ be overridden by specifying one or more of the keywords below,
+ separated by whitespace. All keywords accept arguments, e.g.
+ "crash:2m".
+
+ crash:duration
+ Specifies how long to refuse clients that cause a crash
+ of sshd(8) (default: 90s).
+
+ authfail:duration
+ Specifies how long to refuse clients that disconnect
+ after making one or more unsuccessful authentication
+ attempts (default: 5s).
+
+ noauth:duration
+ Specifies how long to refuse clients that disconnect
+ without attempting authentication (default: 1s). This
+ timeout should be used cautiously otherwise it may
+ penalise legitimate scanning tools such as
+ ssh-keyscan(1).
+
+ grace-exceeded:duration
+ Specifies how long to refuse clients that fail to
+ authenticate after LoginGraceTime (default: 20s).
+
+ max:duration
+ Specifies the maximum time a particular source address
+ range will be refused access for (default: 10m).
+ Repeated penalties will accumulate up to this maximum.
+
+ min:duration
+ Specifies the minimum penalty that must accrue before
+ enforcement begins (default: 15s).
+
+ max-sources4:number, max-sources6:number
+ Specifies the maximum number of client IPv4 and IPv6
+ address ranges to track for penalties (default: 65536 for
+ both).
+
+ overflow:mode
+ Controls how the server behaves when max-sources4 or
+ max-sources6 is exceeded. There are two operating modes:
+ deny-all, which denies all incoming connections other
+ than those exempted via PerSourcePenaltyExemptList until
+ a penalty expires, and permissive, which allows new
+ connections by removing existing penalties early
+ (default: permissive). Note that client penalties below
+ the min threshold count against the total number of
+ tracked penalties. IPv4 and IPv6 addresses are tracked
+ separately, so an overflow in one will not affect the
+ other.
+
+ overflow6:mode
+ Allows specifying a different overflow mode for IPv6
+ addresses. The default it to use the same overflow mode
+ as was specified for IPv4.
+
+ PerSourcePenaltyExemptList
+ Specifies a comma-separated list of addresses to exempt from
+ penalties. This list may contain wildcards and CIDR
+ address/masklen ranges. Note that the mask length provided must
+ be consistent with the address - it is an error to specify a mask
+ length that is too long for the address or one with bits set in
+ this host portion of the address. For example, 192.0.2.0/33 and
+ 192.0.2.0/8, respectively. The default is not to exempt any
+ addresses.
+
PidFile
Specifies the file that contains the process ID of the SSH
daemon, or none to not write one. The default is
@@ -1047,6 +1138,12 @@ DESCRIPTION
environment and any variables specified by the user via AcceptEnv
or PermitUserEnvironment.
+ SshdSessionPath
+ Overrides the default path to the sshd-session binary that is
+ invoked to handle each connection. The default is
+ /usr/libexec/sshd-session. This option is intended for use by
+ tests.
+
StreamLocalBindMask
Sets the octal file creation mode mask (umask) used when creating
a Unix-domain socket file for local or remote port forwarding.
@@ -1293,4 +1390,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.5 February 21, 2024 OpenBSD 7.5
+OpenBSD 7.5 June 24, 2024 OpenBSD 7.5