
Server Configuration Keywords

You can configure the following settings in the server configuration file. The default file is /etc/ssh2/sshd2_config.

AccountManagement

Configures the account management system that sshd uses to validate a user account. Account management services determine if an account is active, and whether or not a password is still valid. The allowed values are `password', `pam', and `none'. The default is `password'.

pam - Use PAM for account management. PAM account management applies to all sessions, regardless of the authentication method (or methods) used. If an account is locked, the connection is refused.

password - Use the password database to validate the account.

none - Use no account validation. Use this only for troubleshooting.

AllowAgentForwarding

Specifies whether agent forwarding is allowed. The allowed values are `yes' and `no'. The default is `yes'.

AllowedAuthentications

Specifies which authentication methods the server supports. The client and server agree on one or more authentication methods during the initial connection process, based on both client and server configuration. (Use RequiredAuthentications to require one or more authentication methods. RequiredAuthentications overrides AllowedAuthentications.)

The supported authentication methods are `gssapi-keyex', `gssapi-with-mic', `publickey', `keyboard-interactive', and `password'. The default is `gssapi-with-mic, publickey, keyboard-interactive, password'.

AllowGroups

Use this keyword to allow login only for users who are members of a specified group. Regular expressions are supported. For details, see Configuring Group Access. If this keyword is not configured, all groups are allowed to log in.

AllowHosts

Use this keyword to allow login only for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not configured, all client hosts are allowed.

Notes:

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

When ResolveClientHostName is `yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is `yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.

AllowTCPForwarding

Use this keyword to allow or deny port forwarding for all client users. The allowed values are `yes' and `no'. The default is `yes'. This keyword controls both local (client to server) and remote (server to client) forwarding. Use ForwardACL for more fine-grained control.

AllowTCPForwardingForGroups

Use this keyword to allow port forwarding only for users who are members of a specified group. Regular expressions are supported.

AllowTCPForwardingForUsers

Use this keyword to allow port forwarding only for specified users. Regular expressions are supported.

AllowUsers

Use this keyword to allow login only for specified users. Regular expressions are supported. For details, see Configuring User Access.

AllowX11Forwarding

Specifies whether X11 forwarding is allowed. The allowed values are `yes' and `no'. The default is `yes'.

AuthKbdInt.Required

Specifies which authentication method to use for keyboard-interactive authentication. The specified authentication method must succeed for the user to be successfully authenticated. The allowed values are `pam' and `password'. The default is `password', which handles the user response as a standard login password. When `pam' is specified, PAM modules are used for authentication, password management, and session management.

AuthKbdInt.Retries

Sets the maximum number of attempts allowed for keyboard interactive authentication. The default is 3.

AuthKbdInt.Verbose

Specifies whether the server uses verbose keyboard interactive prompts. The allowed values are `yes' and `no'. The default is `no'.

AuthorizationFile

Specifies the name of the file used for configuring user keys for public key authentication. The file is assumed to be relative to $HOME/.ssh2 (or whatever location is set for UserConfigDirectory) unless you specify an absolute path. For public key authentication to succeed, a key presented by a client user for authentication must be correctly identified in this file. For file syntax, see the FILES section below.

The default file is $HOME/.ssh2/authorization.

AuthPublicKey.MaxSize

Sets the largest public key size allowed for user authentication. The default is 32768, and values larger than this are not allowed. The range of accepted values is 512-32769. Using zero (0) is equivalent to using the default.

AuthPublicKey.MinSize

Sets the smallest public key size allowed for user authentication. The default is 512, and values smaller than this are not allowed. Using zero (0) is equivalent to using the default.

AuthPublicKey.Retries

Specifies the maximum number of attempts the server accepts for public key authentication. Once this number is reached, further attempts to authenticate using a public key are rejected, but the connection is not broken. This allows the client to attempt authentication using the next allowed method. The default is 100.

BannerMessageFile

Identifies a file that contains text for a banner message. The server sends this text to the client before the client authenticates. Note: Some clients do not support banner display. If you configure a banner, you should ensure that your Secure Shell client supports this feature. The default is /etc/ssh2/ssh_banner_message.

ChrootSftpGroups

Specifies groups whose users are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against group names, not GIDs.

Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. Terminal sessions and OpenSSH scp connections will not work for a client user who matches a specified expression. (Reflection for Secure IT scp connections use the sftp subsystem. OpenSSH scp connections do not use this subsystem.)

ChrootSftpUsers

Specifies users who are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against user names, not UIDs.

Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. Terminal sessions and OpenSSH scp connections will not work for a client user who matches a specified expression. (Reflection for Secure IT scp connections use the sftp subsystem. OpenSSH scp connections do not use this subsystem.)

Ciphers

Specifies one or more (comma separated) encryption algorithms the server supports. The client and server agree on a cipher during the key exchange portion of the connection process. The client presents a list of supported ciphers in order of preference. The cipher used for a given session is the first item in this list that is also supported by the server. Allowed values are `aes128-cbc', `blowfish-cbc', `arcfour', `arcfour128', `arcfour256', `aes192-cbc', `aes256-cbc', `cast128-cbc', and `3des-cbc'.

You can also set this value to `none'. When `none' is the agreed on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended.

The following values are provided for convenience: `aes' (which combines `aes128-cbc', `aes192-cbc', and `aes256-cbc'), `blowfish' (equivalent to `blowfish-cbc'), `cast' (equivalent to `cast128-cbc'), `3des' (equivalent to `3des-cbc'), `Any' or `AnyStd' (all available ciphers plus `none'), and `AnyCipher' or `AnyStdCipher' (all available ciphers). The default is `AnyStdCipher'.

ClientAliveCountMax

The client alive mechanism enables the server to determine when the client has become inactive. ClientAliveCountMax sets the maximum number of client alive messages the server sends through the encrypted channel to request a response from the client. If this number is reached with no response from the client, the server ends the session and disconnects the client. Specify the message interval using ClientAliveInterval. The default is 3.

Note: These settings affect the SSH connection and messages are sent through the SSH tunnel.

ClientAliveInterval

Sets the interval, in seconds, for sending client alive messages to the client. If the client is unresponsive for this interval, the server sends a message through the encrypted channel to request a response from the client. Use ClientAliveCountMax to specify how many messages the server sends without response before it ends the session and disconnects the client. The default is 0 (disabled).

Compression

Specifies whether compression is enabled. Compression is desirable on modem lines and other slow connections, but will slow down response rates on fast networks. Compression also adds extra randomness to the packet, making it harder for a malicious person to decrypt the packet. The allowed values are `yes' and `no'. The default is `yes'.

DenyGroups

Use this keyword to deny login for specified user groups. Regular expressions are supported. For details, see Configuring Group Access. If this keyword is not configured, all groups are allowed to log in.

DenyHosts

Use this keyword to deny login for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not used, all client hosts are allowed.

Notes:

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'. You should also set RequireReverseMapping to `yes' to prevent access from hosts whose domain name could not be resolved.

When ResolveClientHostName is `yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is `yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.

DenyTCPForwardingForGroups

Use this keyword to deny port forwarding for specified user groups. Regular expressions are supported. For details, see Configuring Group Access.

DenyTCPForwardingForUsers

Use this keyword to deny port forwarding for specified users. Regular expressions are supported. For details, see Configuring User Access.

DenyUsers

Use this keyword to deny login for specified users. Regular expressions are supported. For details, see Configuring User Access. If this keyword is not configured, all users are allowed to log in.

ForwardACL

Use this keyword for detailed control over client access to port forwarding. Regular expressions are supported. The syntax is:

ForwardACL allow|deny local|remote user_ex forward_ex [origin_ex]

user_ex is a regular expression that determines which users are allowed or denied access to port forwarding. For details, see Configuring User Access.

forward_ex is a regular expression in the form host%port. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the target host and port. If you are configuring remote forwarding control, the host is the server computer and the port is the port that server is forwarding to the client.

origin_ex is a regular expression that identifies an IP address. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the client machine making the forward request. If you are configuring remote forwarding control, it specifies the computer that is connecting to the forwarded port on the server.
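The rule syntax above, worked through as an added example that is not part of this reference or the product: it parses ForwardACL lines into rules and evaluates a forward request against them. The regex dialect (Python's re with whole-string matching), first-match-wins ordering, and the fall-through to the AllowTCPForwarding default when no rule matches are assumptions of the example; the rules and hosts are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ForwardRule:
    action: str      # "allow" or "deny"
    direction: str   # "local" or "remote"
    user_ex: str     # regular expression matched against the user name
    forward_ex: str  # regular expression matched against "host%port"
    origin_ex: str   # regular expression matched against the origin IP; "" = any

def parse_forward_acl(line):
    """Parse one 'ForwardACL allow|deny local|remote user_ex forward_ex [origin_ex]' line."""
    parts = line.split()
    if len(parts) not in (5, 6) or parts[0] != "ForwardACL":
        raise ValueError("malformed ForwardACL line: %r" % line)
    action, direction = parts[1].lower(), parts[2].lower()
    if action not in ("allow", "deny") or direction not in ("local", "remote"):
        raise ValueError("malformed ForwardACL line: %r" % line)
    origin_ex = parts[5] if len(parts) == 6 else ""
    return ForwardRule(action, direction, parts[3], parts[4], origin_ex)

def _matches(pattern, text):
    # Whole-string match. The reference names no regex dialect; Python's re with
    # fullmatch is an assumption of this example.
    return re.fullmatch(pattern, text) is not None

def forward_permitted(rules, direction, user, host, port, origin):
    """Decide one forward request. Assumption: the first matching rule wins, and a
    request that no rule matches falls through to the AllowTCPForwarding default (yes)."""
    target = "%s%%%d" % (host, port)   # forward_ex is matched against "host%port"
    for rule in rules:
        if rule.direction != direction or not _matches(rule.user_ex, user):
            continue
        if not _matches(rule.forward_ex, target):
            continue
        if rule.origin_ex and not _matches(rule.origin_ex, origin):
            continue
        return rule.action == "allow"
    return True

# Constructed rule set: block SMTP (port 25) through the server, let only dbadmin
# reach the database and only from the 10.0.0.x client range, deny the database
# to everyone else, and deny all remote (server to client) forwards.
SAMPLE_RULES = [parse_forward_acl(l) for l in [
    r"ForwardACL deny local .* .*%25",
    r"ForwardACL allow local dbadmin db\.internal%5432 10\.0\.0\.[0-9]+",
    r"ForwardACL deny local .* db\.internal%.*",
    r"ForwardACL deny remote .* .*",
]]
```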

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The allowed values are `yes' and `no'. The default is `no'.

HostKeyFile

Specifies the file name and location of the private key used to authenticate the server. The default is /etc/ssh2/hostkey.

HostSpecificConfig

Specifies a host-specific subconfiguration file. The syntax is:

HostSpecificConfig host_expression subconfig_file

If the host expression matches the client host, the server uses the specified subconfiguration file.

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

IdleTimeout

Specifies how long a connection can remain inactive before the server terminates the connection. To set the time in seconds use an s or nothing after the number. You can also specify a time in minutes (m), hours (h), days (d), or weeks (w). Use zero (0) to set no limit. The default is 0.

KeepAlive

Specifies whether the system should send TCP keep alive messages to the other side. The server uses the system-wide value for how often the message is sent. The allowed values are `yes' and `no'. The default is `yes'. Note: ClientAliveCountMax and ClientAliveInterval affect the SSH connection and messages are sent through the SSH tunnel. The KeepAlive setting affects the TCP connection, and is more vulnerable to spoofing because TCP messages are not sent in the secure tunnel.

LibGssKrb5

Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libgssapi_krb5.so.

LibKrb5

Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libkrb5.so.

Note: The server requires a library named libkrb5.so (or .sl on HP-UX PARISC). If a library of this name is not present, you need to create a symbolic link named libkrb5.so pointing to the actual library.

ListenAddress

Specifies the IP address of the interface to which the sshd server socket is bound. You can specify an IP address or use `any' (the default). The value `any' is equivalent to 0.0.0.0, and configures the server to listen to any available IP address. You can specify an IP address plus port by using a space or colon between the IP address and port. For example:

ListenAddress=123.45.67.89:1234

LoginGraceTime

Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit. The default is 120.

LogLevel

Sets the verbosity level used for sshd messages logged to syslog. Allowed values are `fatal', `error', `quiet', `info', `verbose', `debug1' (equivalent to `debug'), `debug2', `debug3', and `trace' (equivalent to `debug99'). The default is `error'.

MACs

Specifies which MACs (hashed message authentication codes) the server allows for verifying data integrity. Allowed values are `hmac-sha1', `hmac-sha1-96', `hmac-md5', `hmac-md5-96', and `hmac-ripemd160'. Use `AnyMac' to support all of these. Use `AnyStdMac' to support `hmac-sha1', `hmac-sha1-96', `hmac-md5', and `hmac-md5-96'. Additional options are `none', `any' (equivalent to `AnyMac' plus `none'), and `AnyStd' (equivalent to `AnyStdMac' plus `none'). Multiple MACs can also be specified as a comma-separated list. When `none' is the agreed on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include `none' are not recommended. The default is `AnyStdMac'.

MaxConnections

Sets the maximum number of client connections allowed. Use zero (0) to set no limit. The default is 50.

PamServiceName

Specifies the name of the PAM (Pluggable Authentication Modules) service used for authentication and sessions. The default is `ssh'.

PasswordGuesses

Sets the maximum number of attempts the user is allowed for password authentication. The default is 3.

PermitEmptyPasswords

Specifies whether the server allows password authentication by users with empty (null) passwords. The allowed values are `yes' and `no'. The default is `yes'.

PermitRootLogin

Specifies whether client users with root privileges can log in. The allowed values are `yes' and `no'. The default is `yes'.
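Several keywords above default to the permissive value (PermitRootLogin and PermitEmptyPasswords default to `yes'; the `Any' and `AnyStd' shorthands for Ciphers and MACs admit `none'; AccountManagement can be set to `none'). The following is an added example, not code from this reference or the product, that parses a sshd2_config fragment and reports those settings using the defaults documented here. The config text is constructed, and accepting a space, `=' or `-' after every keyword (documented on this page only for Subsystem) is an assumption.

```python
import re

# Constructed sshd2_config fragment (not from the product or this reference); some
# keywords are left at their documented defaults, others are set explicitly.
SAMPLE_CONFIG = """\
# constructed sample, not a real deployment
Port 22
ListenAddress=0.0.0.0:22
PermitRootLogin yes
Ciphers AnyStd
MACs AnyStdMac
AllowTCPForwarding yes
Subsystem-sftp internal://sftp-server
LogLevel error
"""

# Keyword, then one separator (space, '=' or '-'), then the value. The reference
# documents all three separators for Subsystem; accepting them for every keyword
# is an assumption of this example.
_LINE = re.compile(r"^([A-Za-z0-9.]+)[ =-]\s*(.*?)\s*$")

def parse_config(text):
    """Return {keyword: value}; a repeated keyword keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def _algorithms(value):
    """Split a comma-separated algorithm list, lower-cased for comparison."""
    return [v.strip().lower() for v in value.split(",")]

def audit(settings):
    """Flag settings that weaken the server; absent keywords use the documented defaults."""
    findings = []
    if settings.get("PermitRootLogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin: root login is allowed (the default)")
    if settings.get("PermitEmptyPasswords", "yes").lower() == "yes":
        findings.append("PermitEmptyPasswords: empty passwords are accepted (the default)")
    if settings.get("AccountManagement", "password").lower() == "none":
        findings.append("AccountManagement: account validation is disabled")
    # `none', `Any' and `AnyStd' all admit the `none' cipher (no confidentiality).
    if {"none", "any", "anystd"} & set(_algorithms(settings.get("Ciphers", "AnyStdCipher"))):
        findings.append("Ciphers: the `none' cipher is negotiable")
    # Likewise `none', `any' and `AnyStd' admit the `none' MAC (no integrity check).
    if {"none", "any", "anystd"} & set(_algorithms(settings.get("MACs", "AnyStdMac"))):
        findings.append("MACs: the `none' MAC is negotiable")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```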

PidFile

Specifies the file that contains the process ID of the sshd daemon. Use a fully qualified path. If the file name contains the string %s, the string will be replaced by the server port number.

Port

Specifies the port on which the server listens. The default is 22, which is the standard port for Secure Shell connections.

QuietMode

This keyword is deprecated. Use LogLevel.

RekeyIntervalSeconds

Specify the interval (in seconds) after which the server initiates a new key exchange. Setting this value too low can make communication between the client and server impossible. To avoid this problem, it is recommended that you avoid specifying an interval of less than 200 seconds. Use 0 (zero) to turn off rekey requests initiated by the server. Using 0 does not prevent the client from requesting a rekey. The default is 3600.

RequiredAuthentications

Use this keyword to require one or more client authentication methods. All specified authentication methods must succeed before a user is considered authenticated. The supported authentication methods are `gssapi-keyex', `gssapi-with-mic', `publickey', `keyboard-interactive', and `password'.

Note: RequiredAuthentications overrides AllowedAuthentications.

RequireReverseMapping

Specifies whether DNS lookup must succeed when checking whether connections from client hosts are allowed. To enable this feature you also need to set ResolveClientHostName to `yes'. The allowed values are `yes' and `no'. The default is `no'.

ResolveClientHostname

Specifies whether the server attempts to resolve the client IP address to a domain name. Setting this to `yes' may slow down the connection time, but is required if you configure any keywords to match host names based on domain name, rather than IP address. (See AllowHosts, DenyHosts, UserSpecificConfig, and HostSpecificConfig.) Setting this keyword to `yes' also means that DNS names appear in the log rather than IP addresses. The allowed values are `yes' and `no'. The default is `yes'.

Note: When ResolveClientHostname is `yes', the resolved name is always the fully qualified domain name. This means that you must use a fully qualified domain name with any keywords in which you specify a host name, or use a regular expression to ensure that host names are handled correctly.

SessionRestricted

Specifies what session types the server allows. The possible values are `shell' (which allows terminal shell sessions), `exec' (which allows the client to execute commands on the server), and `subsystem' (which is required to support sftp and scp transfers). The default is `shell, exec, subsystem'.

SettableEnvironmentVars

Specifies which environment variables can be set by the ssh client or by the user's $HOME/.ssh2/environment file. This keyword is enabled in the default configuration file and set to the following value: 'LANG,LC_ALL,LC_COLLATE,LC_CTYPE,LC_MONETARY,LC_NUMERIC,LC_TIME,PATH,TERM,TZ'

SftpSysLogFacility

Specifies the facility code used for logging messages from the sftp-server subsystem. This value is empty by default, which means no logging. Valid values are platform-dependent. See syslog(3).

StrictModes

Specifies how the server checks file modes and ownership during public key authentication. When set to `yes', the user's .ssh2 folder must be world and group read-only (no less protected than permissions=744), and the authorization file and key files must have a mode no less protected than 644. Ownership must be by root or the current user. If these conditions aren't met, public key authentication fails. The allowed values are `yes' and `no'. The default is `yes'.

Subsystem

Specifies a subsystem to export to the client. The argument specifies the command to execute when the client requests the subsystem. The separator character following the keyword can be a dash, an equals sign, or a space.

To support sftp and scp transfers, the sftp-server subsystem must be specified. The default configuration shown below executes the sftp service internally in the child process.

Subsystem-sftp internal://sftp-server

SyslogFacility

Specifies the facility code used for logging messages from the server. The default is `AUTH'. Valid values are platform-dependent. See syslog(3).

UsePAM

This keyword is deprecated. Setting it to `yes' is equivalent to setting AuthKbdInt.Required=pam and AccountManagement=pam.

UsePAMAcctMgt

This keyword is deprecated. Setting it to `yes' is equivalent to setting AccountManagement=pam.

UsePrivilegeSeparation

Specifies whether the server separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, a new process is created that has the privileges of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The allowed values are `yes' and `no'. The default is `yes'.

UserConfigDirectory

Specifies the directory used for user-specific information. This directory contains the authorization file (required for public key authentication) and other user-specific files listed in the FILES section below. The following macros are recognized: %U = user log-in name, %D = user's home directory, %IU = UID for user, %IG = GID for user. The default is `%D/.ssh2'.

UserSpecificConfig

Specifies a user-specific configuration file. The syntax is:

UserSpecificConfig user_expression subconfig_file

If the user expression matches the user attempting a connection, the server uses the specified subconfiguration file.

Note: If you configure the host portion of this expression to match based on host domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

VerboseMode

This keyword is deprecated. Use LogLevel.

X11DisplayOffset

Sets the first display number available for X11 forwarding by the server. The default is 10.

X11UseLocalHost

Specifies whether the server should bind X11 forwarding to the loopback address or to the wildcard address. The allowed values are `yes' and `no'. The default is `yes'.

XAuthPath

Specifies the location of the xauth(1) program. The default (for example /usr/X11R6/bin/xauth) is system-dependent.