diff options
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 52 |
1 files changed, 35 insertions, 17 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 6883dda..f4a8f99 100644 --- a/sshd_config.0 +++ b/sshd_config.0 @@ -644,11 +644,14 @@ DESCRIPTION ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 + mlkem768x25519-sha256 + sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com The default is: - sntrup761x25519-sha512@openssh.com, + sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com, + mlkem768x25519-sha256, curve25519-sha256,curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, @@ -690,9 +693,9 @@ DESCRIPTION LogVerbose Specify one or more overrides to LogLevel. An override consists - of a pattern lists that matches the source file, function and - line number to force detailed logging for. For example, an - override pattern of: + of one or more pattern lists that matches the source file, + function and line number to force detailed logging for. For + example, an override pattern of: kex.c:*:1000,*:kex_exchange_identification():*,packet.c:* @@ -753,10 +756,12 @@ DESCRIPTION the first instance of the keyword is applied. The arguments to Match are one or more criteria-pattern pairs or - the single token All which matches all criteria. The available - criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, - and Address (with RDomain representing the rdomain(4) on which - the connection was received). + one of the single token criteria: All, which matches all + criteria, or Invalid-User, which matches when the requested user- + name does not match any known account. The available criteria + are User, Group, Host, LocalAddress, LocalPort, RDomain, and + Address (with RDomain representing the rdomain(4) on which the + connection was received). The match patterns may consist of single entries or comma- separated lists and may use the wildcard and negation operators @@ -787,10 +792,11 @@ DESCRIPTION PAMServiceName, PasswordAuthentication, PermitEmptyPasswords, PermitListen, PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedAlgorithms, - PubkeyAuthentication, PubkeyAuthOptions, RekeyLimit, RevokedKeys, - RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink, - TrustedUserCAKeys, UnusedConnectionTimeout, X11DisplayOffset, - X11Forwarding and X11UseLocalhost. + PubkeyAuthentication, PubkeyAuthOptions, RefuseConnection, + RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask, + StreamLocalBindUnlink, TrustedUserCAKeys, + UnusedConnectionTimeout, X11DisplayOffset, X11Forwarding and + X11UseLocalhost. MaxAuthTries Specifies the maximum number of authentication attempts permitted @@ -833,7 +839,7 @@ DESCRIPTION PasswordAuthentication Specifies whether password authentication is allowed. The - default is sshd. + default is yes. PermitEmptyPasswords When password authentication is allowed, it specifies whether the @@ -950,8 +956,8 @@ DESCRIPTION accumulated. Penalties are enabled by default with the default settings listed - below but may disabled using the off keyword. The defaults may - be overridden by specifying one or more of the keywords below, + below but may disabled using the no keyword. The defaults may be + overridden by specifying one or more of the keywords below, separated by whitespace. All keywords accept arguments, e.g. "crash:2m". @@ -964,6 +970,11 @@ DESCRIPTION after making one or more unsuccessful authentication attempts (default: 5s). + refuseconnection:duration + Specifies how long to refuse clients that were + administratively prohibited connection via the + RefuseConnection option (default: 10s). + noauth:duration Specifies how long to refuse clients that disconnect without attempting authentication (default: 1s). This @@ -973,7 +984,7 @@ DESCRIPTION grace-exceeded:duration Specifies how long to refuse clients that fail to - authenticate after LoginGraceTime (default: 20s). + authenticate after LoginGraceTime (default: 10s). max:duration Specifies the maximum time a particular source address @@ -1089,6 +1100,13 @@ DESCRIPTION Specifies whether public key authentication is allowed. The default is yes. + RefuseConnection + Indicates that sshd(8) should unconditionally terminate the + connection. Additionally, a refuseconnection penalty may be + recorded against the source of the connection if + PerSourcePenalties are enabled. This option is only really + useful in a Match block. + RekeyLimit Specifies the maximum amount of data that may be transmitted or received before the session key is renegotiated, optionally @@ -1390,4 +1408,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.5 June 24, 2024 OpenBSD 7.5 +OpenBSD 7.5 September 15, 2024 OpenBSD 7.5 |