summaryrefslogtreecommitdiffstats
path: root/sshd_config.5
diff options
context:
space:
mode:
Diffstat (limited to 'sshd_config.5')
-rw-r--r--sshd_config.547
1 files changed, 36 insertions, 11 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 1ab0f41..dbed44f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.365 2024/06/24 06:59:39 jmc Exp $
-.Dd $Mdocdate: June 24 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.374 2024/09/15 08:27:38 jmc Exp $
+.Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -1050,12 +1050,17 @@ ecdh-sha2-nistp384
.It
ecdh-sha2-nistp521
.It
+mlkem768x25519-sha256
+.It
+sntrup761x25519-sha512
+.It
sntrup761x25519-sha512@openssh.com
.El
.Pp
The default is:
.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
+sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
+mlkem768x25519-sha256,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
@@ -1133,8 +1138,8 @@ Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm LogVerbose
Specify one or more overrides to
.Cm LogLevel .
-An override consists of a pattern lists that matches the source file, function
-and line number to force detailed logging for.
+An override consists of one or more pattern lists that matches the
+source file, function and line number to force detailed logging for.
For example, an override pattern of:
.Bd -literal -offset indent
kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
@@ -1232,9 +1237,11 @@ applied.
.Pp
The arguments to
.Cm Match
-are one or more criteria-pattern pairs or the single token
-.Cm All
-which matches all criteria.
+are one or more criteria-pattern pairs or one of the single token criteria:
+.Cm All ,
+which matches all criteria, or
+.Cm Invalid-User ,
+which matches when the requested user-name does not match any known account.
The available criteria are
.Cm User ,
.Cm Group ,
@@ -1319,6 +1326,7 @@ Available keywords are
.Cm PubkeyAcceptedAlgorithms ,
.Cm PubkeyAuthentication ,
.Cm PubkeyAuthOptions ,
+.Cm RefuseConnection ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
.Cm RDomain ,
@@ -1384,7 +1392,7 @@ The default is
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
-.Cm sshd .
+.Cm yes .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
@@ -1586,7 +1594,7 @@ accumulated.
.Pp
Penalties are enabled by default with the default settings listed below
but may disabled using the
-.Cm off
+.Cm no
keyword.
The defaults may be overridden by specifying one or more of the keywords below,
separated by whitespace.
@@ -1599,6 +1607,11 @@ Specifies how long to refuse clients that cause a crash of
.It Cm authfail:duration
Specifies how long to refuse clients that disconnect after making one or more
unsuccessful authentication attempts (default: 5s).
+.It Cm refuseconnection:duration
+Specifies how long to refuse clients that were administratively prohibited
+connection via the
+.Cm RefuseConnection
+option (default: 10s).
.It Cm noauth:duration
Specifies how long to refuse clients that disconnect without attempting
authentication (default: 1s).
@@ -1608,7 +1621,7 @@ scanning tools such as
.It Cm grace-exceeded:duration
Specifies how long to refuse clients that fail to authenticate after
.Cm LoginGraceTime
-(default: 20s).
+(default: 10s).
.It Cm max:duration
Specifies the maximum time a particular source address range will be refused
access for (default: 10m).
@@ -1756,6 +1769,18 @@ options have any effect for other, non-FIDO, public key types.
Specifies whether public key authentication is allowed.
The default is
.Cm yes .
+.It Cm RefuseConnection
+Indicates that
+.Xr sshd 8
+should unconditionally terminate the connection.
+Additionally, a
+.Cm refuseconnection
+penalty may be recorded against the source of the connection if
+.Cm PerSourcePenalties
+are enabled.
+This option is only really useful in a
+.Cm Match
+block.
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted or received
before the session key is renegotiated, optionally followed by a maximum