summaryrefslogtreecommitdiffstats
path: root/sshd_config.0
diff options
context:
space:
mode:
Diffstat (limited to 'sshd_config.0')
-rw-r--r--sshd_config.052
1 files changed, 35 insertions, 17 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 6883dda..f4a8f99 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -644,11 +644,14 @@ DESCRIPTION
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
+ mlkem768x25519-sha256
+ sntrup761x25519-sha512
sntrup761x25519-sha512@openssh.com
The default is:
- sntrup761x25519-sha512@openssh.com,
+ sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
+ mlkem768x25519-sha256,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
@@ -690,9 +693,9 @@ DESCRIPTION
LogVerbose
Specify one or more overrides to LogLevel. An override consists
- of a pattern lists that matches the source file, function and
- line number to force detailed logging for. For example, an
- override pattern of:
+ of one or more pattern lists that matches the source file,
+ function and line number to force detailed logging for. For
+ example, an override pattern of:
kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
@@ -753,10 +756,12 @@ DESCRIPTION
the first instance of the keyword is applied.
The arguments to Match are one or more criteria-pattern pairs or
- the single token All which matches all criteria. The available
- criteria are User, Group, Host, LocalAddress, LocalPort, RDomain,
- and Address (with RDomain representing the rdomain(4) on which
- the connection was received).
+ one of the single token criteria: All, which matches all
+ criteria, or Invalid-User, which matches when the requested user-
+ name does not match any known account. The available criteria
+ are User, Group, Host, LocalAddress, LocalPort, RDomain, and
+ Address (with RDomain representing the rdomain(4) on which the
+ connection was received).
The match patterns may consist of single entries or comma-
separated lists and may use the wildcard and negation operators
@@ -787,10 +792,11 @@ DESCRIPTION
PAMServiceName, PasswordAuthentication, PermitEmptyPasswords,
PermitListen, PermitOpen, PermitRootLogin, PermitTTY,
PermitTunnel, PermitUserRC, PubkeyAcceptedAlgorithms,
- PubkeyAuthentication, PubkeyAuthOptions, RekeyLimit, RevokedKeys,
- RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink,
- TrustedUserCAKeys, UnusedConnectionTimeout, X11DisplayOffset,
- X11Forwarding and X11UseLocalhost.
+ PubkeyAuthentication, PubkeyAuthOptions, RefuseConnection,
+ RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask,
+ StreamLocalBindUnlink, TrustedUserCAKeys,
+ UnusedConnectionTimeout, X11DisplayOffset, X11Forwarding and
+ X11UseLocalhost.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
@@ -833,7 +839,7 @@ DESCRIPTION
PasswordAuthentication
Specifies whether password authentication is allowed. The
- default is sshd.
+ default is yes.
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
@@ -950,8 +956,8 @@ DESCRIPTION
accumulated.
Penalties are enabled by default with the default settings listed
- below but may disabled using the off keyword. The defaults may
- be overridden by specifying one or more of the keywords below,
+ below but may disabled using the no keyword. The defaults may be
+ overridden by specifying one or more of the keywords below,
separated by whitespace. All keywords accept arguments, e.g.
"crash:2m".
@@ -964,6 +970,11 @@ DESCRIPTION
after making one or more unsuccessful authentication
attempts (default: 5s).
+ refuseconnection:duration
+ Specifies how long to refuse clients that were
+ administratively prohibited connection via the
+ RefuseConnection option (default: 10s).
+
noauth:duration
Specifies how long to refuse clients that disconnect
without attempting authentication (default: 1s). This
@@ -973,7 +984,7 @@ DESCRIPTION
grace-exceeded:duration
Specifies how long to refuse clients that fail to
- authenticate after LoginGraceTime (default: 20s).
+ authenticate after LoginGraceTime (default: 10s).
max:duration
Specifies the maximum time a particular source address
@@ -1089,6 +1100,13 @@ DESCRIPTION
Specifies whether public key authentication is allowed. The
default is yes.
+ RefuseConnection
+ Indicates that sshd(8) should unconditionally terminate the
+ connection. Additionally, a refuseconnection penalty may be
+ recorded against the source of the connection if
+ PerSourcePenalties are enabled. This option is only really
+ useful in a Match block.
+
RekeyLimit
Specifies the maximum amount of data that may be transmitted or
received before the session key is renegotiated, optionally
@@ -1390,4 +1408,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.5 June 24, 2024 OpenBSD 7.5
+OpenBSD 7.5 September 15, 2024 OpenBSD 7.5