SSHD2_CONFIG(5) SSH2 SSHD2_CONFIG(5)
NAME
sshd2_config - configuration file format for sshd2
CONFIGURATION FILE
sshd2 reads configuration data from /etc/ssh2/sshd2_config (or the file specified with -f on the command line). The file contains keyword-value pairs, one per line. For a description of the configuration file format, see ssh2_config(5). However, configuration blocks are not allowed in sshd2_config.
Subconfiguration files can be specified in the main configuration file, see HostSpecificConfig and UserSpecificConfig. Note that if changes are made in the main configuration file, sshd2 will have to be restarted, for example by sending a signal to it:
# kill -HUP `cat /var/run/sshd2_22.pid`
or, if the directory /var/run/ does not exist:
# kill -HUP `cat /etc/ssh2/sshd2_22.pid`
The following keywords are allowed:
AllowAgentForwarding or ForwardAgent
Specifies whether agent forwarding is permitted. This parameter is implemented mainly for completeness. Usually, you should allow users to freely forward agent connections. The argument must be yes or no. The default is yes.
AllowedAuthentications
This keyword specifies the authentication methods that are allowed. Known authentication methods are: keyboard-interactive, password, publickey, and hostbased. If specifically enabled during compile time, also pam-1@ssh.com, kerberos-2@ssh.com, kerberos-tgt-2@ssh.com, and securid-1@ssh.com can be used. The default is "publickey,password".
pam-1@ssh.com and securid-1@ssh.com are legacy authentication methods, and you should use keyboard-interactive instead if possible (i.e. the clients that need to be able to connect support keyboard-interactive). See AuthKbdInt.Optional.
With RequiredAuthentications, the system administrator can force the users to complete several authentications before they are considered authenticated. See RequiredAuthentications.
SSH2 May 17, 2004 1
AllowGroups
This keyword can be followed by any number of group name patterns, separated by commas. If specified, login is allowed only if one of the groups the user belongs to matches one of the patterns. Patterns are matched using the egrep syntax (see sshregex(1)), or the syntax specified in the metaconfiguration header of the configuration file. You can use the comma character (,) in the patterns by escaping it with backslash (\). By default, all groups are allowed to log in.
Note that all other authentication steps must still be successfully completed. AllowGroups and DenyGroups are additional restrictions and never increase the tolerance.
AllowHosts
This keyword can be followed by any number of hostname patterns, separated by commas. If specified, login is allowed only from hosts whose name matches one of the patterns. Patterns are matched using the egrep syntax (see sshregex(1)), or the syntax specified in the metaconfiguration section of the configuration file. If you want the pattern to be matched with the host's IP address only (ignoring the canonical hostname), prefix your pattern with "\i". You can also use subnet masks (e.g. 127.0.0.0/8) by prefixing the pattern with "\m". DNS is used to map the client's hostname into a canonical hostname. If the name cannot be mapped, the IP address is used as the hostname. By default, all hosts are allowed to connect.
Note that sshd2 can also be configured to use TCP wrappers using the --with-libwrap compile-time configuration option.
AllowSHosts
This keyword can be followed by any number of hostname patterns, separated by commas, same as the option AllowHosts. The entries in .shosts, .rhosts, /etc/hosts.equiv and /etc/shosts.equiv are ignored if they do not match one of the patterns given here (if there are any).
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. Note: Disabling TCP forwarding does not improve security at all unless you deny the user shell access at the same time (see ssh-dummy-shell(1)): users that have a shell can always install their own forwarders. The argument must be yes or no. The default is yes.
AllowTcpForwardingForGroups
The syntax is the same as in AllowGroups, but instead of login, this controls the ability to forward ports in remote or local forwarding. See the security note under option AllowTcpForwarding.
AllowTcpForwardingForUsers
The syntax is the same as in AllowUsers, but instead of login, this controls the ability to forward ports in remote or local forwarding. See the security note under option AllowTcpForwarding.
AllowUsers
This option can be followed by any number of patterns of the form user or user@host, separated by commas. The details explained under option AllowHosts apply accordingly. By default, all users are allowed to log in.
Note that all the other login authentication steps must still be successfully completed. AllowUsers and DenyUsers are additional restrictions.
AllowX11Forwarding or X11Forwarding or ForwardX11
Specifies whether X11 forwarding is permitted. The default is yes. See the security note under option AllowTcpForwarding. The argument must be yes or no.
AuthInteractiveFailureTimeout
Specifies the delay in seconds of the server after a failed attempt to log in using keyboard-interactive and password authentication. The default is 2.
AuthKbdInt.NumOptional
Specifies how many optional submethods must be passed before the authentication is considered a success (note that all required submethods must always be passed). See AuthKbdInt.Optional for specifying optional submethods, and AuthKbdInt.Required for required submethods. The default is 0, although if no required submethods are specified, the client must always pass at least one optional submethod.
AuthKbdInt.Optional
Specifies the optional submethods keyboard-interactive will use. Currently submethods pam, securid, plugin, and password are defined. Note that pam and securid require that you had the necessary libraries and headers when you compiled the distribution. The pam submethod is usually available in binary packages, if the architecture supports PAM (Pluggable Authentication Modules). AuthKbdInt.NumOptional specifies how many optional submethods must be passed. The keyboard-interactive authentication method is considered a success when the specified number of optional submethods and all required submethods are passed. The plugin submethod is special. It can be used if a system administrator wants to create a new authentication method. Also SecurID plug-ins are provided to enable server-side SecurID support in binary distributions. See also AuthKbdInt.NumOptional and AuthKbdInt.Required.
AuthKbdInt.Plugin
Specify this to point to a program that is used by the plugin submethod in keyboard-interactive. sshd2 converses with this program using a line-based protocol, so it is easy to implement it, for example as a shell script. If the plugin submethod is used, and this is not set, or the specified program does not exist or cannot be run, the submethod will fail, which may cause the whole user authentication to fail. This will not be set by default. More information about the protocol can be found in the distribution package. RFC.kbdint_plugin_protocol has a description of the protocol used and an example script is called kbdint_plugin_example.sh. Note that the program is run with the privileges of the sshd2 process, typically root, so be careful.
AuthKbdInt.Required
Specifies the required submethods that must be passed before the keyboard-interactive authentication method can succeed. See AuthKbdInt.Optional.
AuthKbdInt.Retries
Specifies how many times the user can retry keyboard-interactive. The default is 3.
AuthorizationFile
Specifies the name of the user's authorization file.
AuthPassword.ChangePlugin
Set this to the path of the password change plugin, typically ssh-passwd-plugin (if you have the binary packages or you have configured the source with --with-passwd-plugin). This allows the password to be changed during the authentication phase, instead of using a system's passwd command to do it. This replaces the actual session, requiring the user to login again. By default this is not set.
AuthPublicKey.MaxSize
Specifies the maximum size of a public key that can be used to log in. Value 0 disables the check. The default is 0 (disabled).
AuthPublicKey.MinSize
Specifies the minimum size of a public key that can be used to log in. Value 0 disables the check. The default is 0 (disabled).
BannerMessageFile
Specifies the path to the message that is sent to the client before authentication. Note, however, that the client is not obliged to show this message. The default is /etc/ssh2/ssh_banner_message (if defined).
Cert.RSA.Compat.HashScheme
SSH Secure Shell clients and servers prior to version 3.2.9 used hashes in RSA certificate authentication in an incoherent manner (sometimes MD5, sometimes SHA-1). With this option, you can set the hash that is used when a signature is sent to old versions. Valid values are md5 and sha1. The default is md5 (works in most cases). This option can also be set in HostSpecificConfig. It applies to initial key exchange when the server authenticates itself with an RSA certificate.
CertdListenerPath
Specifies the path where the server tries to connect to the certificate validation daemon. Mainly intended for debugging and testing. Default is /var/run/ssh-certd-listener or /etc/ssh2/ssh-certd-listener on systems where /var/run doesn't exist.
CheckMail
Makes sshd2 print information on whether there is new mail or not when a user logs in interactively. (On some systems this information is also printed by the shell, /etc/profile, or equivalent.) The argument must be yes or no. The default is yes.
ChRootGroups
This option works like ChRootUsers, except that it can be used to list groups instead of single users. Groups are listed on the server in /etc/group. Follows the logic of DenyGroups.
ChRootUsers
sshd2 gives all users listed here a chrooted environment (e.g. /home). This stops users from accessing sensitive information on the server's file system. Users are defined on the server in /etc/group. More than one group can be listed, separated by a comma. This is not a default option. The logic follows that of DenyUsers.
Ciphers
Specifies the ciphers to use for encrypting the session. The supported ciphers are aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, twofish-cbc, twofish128-cbc, twofish192-cbc, twofish256-cbc, arcfour, rijndael-cbc@ssh.com, des-cbc@ssh.com, and cast128-12-cbc@ssh.com. In the FIPS mode, the supported ciphers are aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc, and des-cbc@ssh.com.
Multiple ciphers can be specified as a comma-separated list. Special values for this option are Any, AnyStd, none, AnyCipher, and AnyStdCipher. Any allows all ciphers including none; AnyStd allows only those mentioned in the IETF-SecSh draft plus none; none forbids any use of encryption; AnyCipher and AnyStdCipher are analogous to the first two cases but exclude none. AnyStdCipher is the default.
DenyGroups
This keyword can be followed by any number of group name patterns, separated by commas. If specified, login is denied if one of the groups the user belongs to matches one of the patterns. Otherwise, this option is parsed and matched identically to AllowGroups. By default, all users are allowed to log in.
If a user's group matches a pattern in both DenyGroups and AllowGroups, login is denied.
Note that all other authentication steps must still be successfully completed. AllowGroups and DenyGroups are additional restrictions and never increase the tolerance.
DenyHosts
This keyword can be followed by any number of hostname patterns, separated by commas. If specified, login is denied from hosts whose names match any of the patterns. See AllowHosts.
DenySHosts
This keyword can be followed by any number of hostname patterns, separated by commas, just as the option DenyHosts. The entries in .shosts, .rhosts, /etc/hosts.equiv and /etc/shosts.equiv are ignored if they match one of the patterns given here (if there are any). See AllowSHosts.
DenyTcpForwardingForGroups
The syntax is the same as in DenyGroups, but instead of login, this controls the ability to forward ports, in remote or local forwarding. See the security note under option AllowTcpForwarding.
DenyTcpForwardingForUsers
The syntax is the same as in DenyUsers, but instead of login, this controls the ability to forward ports, in remote or local forwarding. See the security note under option AllowTcpForwarding.
DenyUsers
This is the opposite of AllowUsers and works accordingly. If a user's name matches a pattern in both DenyUsers and AllowUsers, login is denied.
Note that all other authentication steps must still be successfully completed. AllowUsers and DenyUsers are additional restrictions.
DisableVersionFallback
Selects whether to disable fallback compatibility code for earlier, or otherwise incompatible versions of software. Do not disable this unless you know what you are doing. The argument must be yes or no. The default is no.
ExternalAuthorizationProgram
If set, this program is run to verify whether the user is authorized to log in. sshd2 converses with this program using a line-based protocol, so it is easy to implement for example as a shell script. If this is set, and the program does not exist or cannot be run, authorization (user login) will be denied. This will not be set by default. More information about the protocol can be found in the distribution package: RFC.authorization_program_protocol has a description of the protocol used and an example script is called ext_authorization_example.sh. Note that the program is run with the privileges of the sshd2 process, typically root, so be careful.
ForwardACL
With this option, you can have more fine-grained control over what the client is allowed to forward and where. The format for this option is
(allow|deny) (local|remote) user-pat forward-pat [originator-pat]
user-pat will be used to match the client user, as specified under option UserSpecificConfig. forward-pat is a pattern of format host-id[%port]. This has different interpretations depending on whether the ACL is specified for local or remote forwardings. For local forwardings, the host-id will match with the target host of the forwarding, as specified under option AllowHosts. port will match the target port. Also, if the client sent a hostname, the IP is looked up from the DNS, which will be used to match the pattern. For remote forwardings, where the forwarding target is not known (the client handles that end of the connection), this will be used to match the listen address specified by the user (and as such is not as usable as with local forwardings). port will match the port the server is supposed to be listening to with this forwarding. With local forwards, originator-pat will match the originator address that the client has reported. Remember, if you do not administer the client machine, or the users on that machine have shell access, they may use a modified copy of ssh that can be used to lie about the originator address. Also, with NATs (Network Address Translation) the originator address will not be meaningful (it will probably be an internal network address). Therefore you should not rely on the originator address with local forwardings, unless you know exactly what you are doing. With remote forwardings, on the other hand, originator-pat will match with the IP address of the host connecting to the forwarded port. This will be valid information, as it is the server checking the information.
If you specify any allow directives, all forwardings in that class (local or remote) not specifically allowed will be denied. (Note that local and remote forwardings are separate in this respect; e.g. if you have one "allow remote" definition, local forwardings are still allowed, pending other restrictions.) If a forwarding matches both allow and deny directives, the forwarding will be denied. Also, if you have specified any of the options {Allow,Deny}TcpForwardingFor{Users,Groups} or AllowTcpForwarding, and the forwarding for the user is disabled with those, an allow directive will not re-enable the forwarding for the user. Forwarding is enabled by default.
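The allow/deny precedence described above, worked through as an added shell example (this is not code from the sshd2 distribution). It evaluates forwarding requests against a constructed set of ForwardACL directives. Assumptions not stated in the man page: patterns are anchored egrep expressions (matched here with grep -E -x), user-pat is compared with the plain username only, and the \i and \m host prefixes of AllowHosts are not implemented.

```shell
#!/bin/sh
# Added example: evaluate forwarding requests against ForwardACL directives
# using the precedence rules from the sshd2_config(5) ForwardACL description.
# Assumptions (not from the man page): patterns are anchored egrep expressions
# (grep -E -x), user-pat is compared with the plain username, and the \i / \m
# AllowHosts prefixes are not implemented.

# Constructed directives, one per line:
#   (allow|deny) (local|remote) user-pat forward-pat [originator-pat]
FORWARD_ACL='allow  local  alice|bob  10\.0\.0\.7%5432
deny   local  bob        10\.0\.0\.7%5432
allow  local  alice      10\.0\.0\.8
allow  remote alice      127\.0\.0\.1%8080  192\.168\.1\.[0-9]+'

# acl_match PATTERN STRING -> success if STRING fully matches egrep PATTERN
acl_match() {
    printf '%s\n' "$2" | grep -E -x -q -- "$1"
}

# forward_decision CLASS USER HOST PORT ORIGINATOR -> prints "allow" or "deny"
#   CLASS is local or remote; HOST/PORT form the forward target (local) or
#   the listen address (remote); ORIGINATOR is the reported/observed source.
forward_decision() {
    class=$1 user=$2 host=$3 target="$3%$4" originator=$5
    has_allow=0 matched_allow=0 matched_deny=0
    while read -r action acl_class user_pat fwd_pat orig_pat; do
        if [ -z "$action" ] || [ "$acl_class" != "$class" ]; then continue; fi
        if [ "$action" = allow ]; then has_allow=1; fi
        acl_match "$user_pat" "$user" || continue
        # forward-pat is host-id[%port]: without %port only the host is compared
        case $fwd_pat in
            *%*) acl_match "$fwd_pat" "$target" || continue ;;
            *)   acl_match "$fwd_pat" "$host"   || continue ;;
        esac
        if [ -n "$orig_pat" ]; then
            acl_match "$orig_pat" "$originator" || continue
        fi
        if [ "$action" = allow ]; then matched_allow=1; else matched_deny=1; fi
    done <<EOF
$FORWARD_ACL
EOF
    # Precedence from the man page: a matching deny always wins; once any allow
    # directive exists for this class, unmatched forwardings are denied; with
    # no directives for the class, forwarding stays enabled.
    if [ "$matched_deny" = 1 ]; then
        echo deny
    elif [ "$has_allow" = 1 ] && [ "$matched_allow" = 0 ]; then
        echo deny
    else
        echo allow
    fi
}

# Stand-alone demonstration over constructed requests
for req in "local alice 10.0.0.7 5432 192.168.1.5" \
           "local bob 10.0.0.7 5432 192.168.1.5" \
           "local alice 10.0.0.8 22 192.168.1.5" \
           "local alice 10.0.0.9 22 192.168.1.5" \
           "remote alice 127.0.0.1 8080 192.168.1.20" \
           "remote alice 127.0.0.1 8080 10.9.9.9"; do
    # word splitting of $req into the five positional arguments is intended
    printf '%-45s %s\n' "$req" "$(forward_decision $req)"
done
```

In the sample set, bob matches both the first allow and the deny for 10.0.0.7%5432 and is therefore denied, alice's forward to 10.0.0.9 is denied only because local allow directives exist, and the remote rule shows the originator check that the page says is trustworthy for remote forwardings but not for local ones.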
ForwardAgent
See AllowAgentForwarding.
HostbasedAuthForceClientHostnameDNSMatch
If the hostname given by the client does not match the one found in DNS, fail host-based authentication. Defaults to "no". Note that this differs from 2.4 and earlier releases.
HostCertificateFile certificate
This keyword works very much like PublicHostKeyFile, except that the file is assumed to contain an X.509 certificate in binary format. The keyword must be paired with a corresponding HostKeyFile option. If multiple certificates with the same public-key type (DSA or RSA) are specified, only the first one is used.
HostKeyEkInitString
Specifies the initialization string for the external host key provider. This is ignored when the keyword HostKeyEkProvider is not present or when external key support is not included in the software. See ssh-externalkeys(5) for details about specifying initialization strings.
HostKeyEkProvider
Specifies the external host key provider. This is ignored when external key support is not included in the software. See ssh-externalkeys(5) for details about specifying providers.
HostKeyEkTimeOut
Specifies the maximum time in seconds to wait for the keys from the external host key provider. This is ignored when external key support is not included in the software.
HostKeyFile
Specifies the file containing the private host key (default /etc/ssh2/hostkey).
HostSpecificConfig
Specifies a subconfiguration file for sshd2. The syntax for this option is
pattern subconfig-file
pattern is used to match the client host, as specified under option AllowHosts. The file subconfig-file is read, and configuration data is amended accordingly. The file is read before any actual protocol transactions begin, and you can specify most of the options allowed in the main configuration file. You can specify more than one subconfiguration file, in which case the patterns are matched and the files read in the specified order. Configuration option values defined later will either override or amend the previous value, depending on the option. The effect of redefining an option is described in the documentation for each option. For example, setting Ciphers in the subconfiguration file will override the old value, but setting AllowUsers will amend the value. See sshd2_subconfig(5) for more thorough documentation on what you can set in this subconfiguration file. See also option UserSpecificConfig.
IdleTimeOut
Sets the idle timeout limit to time either in seconds (s or nothing after the number), in minutes (m), in hours (h), in days (d), or in weeks (w). If the connection has been idle (all channels) this long, the connection is closed. Default is 0 (zero), which disables idle timeouts.
IgnoreRhosts
Specifies that the .rhosts and .shosts files will not be used in hostbased authentication (see AllowedAuthentications). /etc/hosts.equiv and /etc/shosts.equiv are still used as before. The argument must be yes or no. The default is no.
IgnoreRootRhosts
Specifies that the .rhosts and .shosts files will not be used in authentication for root. The default is the value of IgnoreRhosts.
KeepAlive
Specifies whether the system should send keepalive messages to the other side. If they are sent, a broken connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving "ghost" users and consuming server resources.
The default is yes (to send keepalives), and the server will notice if the network goes down or the client host reboots. This avoids infinitely hanging sessions.
To disable keepalives, the value should be set to no in both the server and the client configuration files.
ListenAddress
Specifies the IP address of the interface where the sshd2 server socket is bound. The format for this option is
ip-address [port]
where port is optional. This is to allow the option to be backwards compatible. The port, if not defined here, will be the value of the last Port definition (or the default, 22, if Port has not been defined). If the specified IP address is any, sshd2 will listen to all interfaces. If sshd2 should listen to only some interfaces, specify the ListenAddress parameter for each interface. The default is any.
LoginGraceTime
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 600 (seconds).
MACs
Specifies the MAC (Message Authentication Code) algorithm to use for data integrity verification. The supported algorithms are hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha256@ssh.com, and hmac-sha256-96@ssh.com. In the FIPS mode, only hmac-sha1 is supported.
Multiple MACs can be specified as a comma-separated list. Special values for this option are Any, AnyStd, none, AnyMac, and AnyStdMac. Any allows all MACs including none; AnyStd allows only those mentioned in the IETF-SecSh draft and none; none forbids any use of MACs; AnyMac and AnyStdMac are analogous to the first two cases but exclude none. AnyStdMac is the default.
MaxBroadcastsPerSecond
Specifies how many UDP broadcasts the server handles per second. The default value is 0 and no broadcasts are handled at all. Broadcasts that exceed the limit are silently ignored. Received unrecognized UDP datagrams also consume the capacity defined by this option.
MaxConnections
Specifies the maximum number of connections that sshd2 will handle simultaneously. This is useful against flooding attacks (attempts to interrupt the server from working properly by opening a high number of new connections). The argument is a positive number (0 means only system limits).
Note that by using (at least) xinetd you achieve the same effect on a more generic level.
NoDelay
If yes, enables socket option TCP_NODELAY. The argument must be yes or no. The default is no.
PasswdPath
Specifies the location of the passwd program (or equivalent). By default this is set to where the configure script found it. This program will be run with the privileges of the user logging in.
PasswordGuesses
Specifies the number of tries that the user has when using password authentication. The default is 3.
PermitEmptyPasswords
When password authentication is allowed, this specifies whether the server allows login to accounts with empty password strings. The argument must be yes or no. The default is yes.
PermitRootLogin
Specifies whether root can log in using ssh2. The options are yes, nopwd, or no. The default is yes, allowing root logins through any of the authentication types allowed for other users. The nopwd value disables password-authenticated root logins. The no value disables root logins through any of the authentication methods. (nopwd and no are equivalent unless you have some other means of authentication for root, e.g. public key.)
Root login with public-key authentication when the command option has been specified will be allowed regardless of the value of this setting (which may be useful for taking remote backups even if root login is normally not allowed).
Port
Specifies the port number that sshd2 listens to. The current default is 22.
PrintMotd
Specifies whether sshd2 should print /etc/motd when a user logs in interactively. The default is yes. The argument must be yes or no.
PublicHostKeyFile
Specifies the file containing the public host key (default /etc/ssh2/hostkey.pub).
QuietMode
Nothing is logged in the system log, except fatal errors. The argument must be yes or no. The default is no.
RandomSeedFile
Specifies the name of the random seed file.
RekeyIntervalSeconds
The number of seconds after which the key exchange is done again. The default is 3600 seconds (1 hour). The value 0 (zero) turns rekey requests off. This does not prevent the client from requesting rekeys. Other clients (not ssh2) may not have rekey capabilities implemented correctly, and they might not be able to handle rekey requests. This means that they may possibly close the connection or even crash.
RequiredAuthentications
Analogous to AllowedAuthentications, with one difference: the authentication methods listed here must all succeed before a user is considered authenticated. Leaving this list empty is equivalent to not using the option at all.
If this option is set, AllowedAuthentications is ignored. Note: Versions of sshd2 before 3.1.0 required RequiredAuthentications to be a subset of AllowedAuthentications. This is no longer the case.
RequireReverseMapping
This is used to check whether the hostname DNS lookup must succeed when checking whether connections from hosts are allowed using AllowHosts and DenyHosts. If this is set to yes, and the name lookup fails, the connection is denied. If set to no, and name lookup fails, the remote host's IP address is used to check whether it is allowed to connect. This is probably not what you want if you have specified only hostnames (not IP addresses) with {Allow,Deny}Hosts. See also ResolveClientHostName. The argument must be yes or no. The default is no.
ResolveClientHostName
This parameter controls whether sshd2 will try to resolve the client IP at all. This is useful when you know that the DNS cannot be reached, and the query would cause additional delay in logging in. Note that if you set this to no, you should not set RequireReverseMapping to yes. The default is yes. The argument must be yes or no.
SettableEnvironmentVars
This keyword can be followed by any number of patterns, separated by commas. Patterns are matched using the egrep syntax (see sshregex(1)), or the syntax specified in the metaconfiguration header of the configuration file. You can use the comma ',' character in the patterns by escaping it with a backslash '\'. By default, no environment variables can be set (but the default /etc/ssh2/sshd2_config file specifies some common and safe environment variables).
With this option, you can allow setting some or all environment variables. This option is used to check whether setting is allowed by the client (ssh2), by the user's $HOME/.ssh2/environment file or public key options. This is not used when setting variables from /etc/environment or other "root-only" files, as the user does not have control over those anyway.
Note that this option only changes the settings of environment variables before the user's shell is run. After that, the users are of course free to set whichever variables they want in the environment.
SftpSysLogFacility
As SysLogFacility, but defines the log facility the sftp-server (internal or otherwise) will use. By default, this has no value, i.e. no logging is performed by the subsystem.
SocksServer
With this option, sshd2 can use a SOCKS4 or SOCKS5 server when a client forwards a connection. The server will use the value of this option when connecting. You can specify whether to use SOCKS5 by the option UseSocks5.
The argument syntax is described in the ssh2(1) man page, under the heading of the SSH_SOCKS_SERVER environment variable. (Note, however, that sshd2 does not use the environment variable; it only uses the configuration option and the ./configure time --with-socks-server option.)
Ssh1Compatibility
With this option, sshd1 is executed when the client supports only the SSH1 protocols. The argument must be yes or no.
Sshd1ConfigFile
This is only used if sshd2 is executed with the -f command-line option. Specifies an alternate configuration file for sshd1 for the case that sshd2 runs in compatibility mode. (If -f is not specified, sshd1 will read its configuration from the standard location, typically /etc/sshd_config.)
Sshd1Path
Specifies the path to the sshd1 executable to be executed in SSH1 compatibility mode. The arguments for sshd2 are passed on to sshd1.
StrictModes
Specifies whether sshd2 should check file modes and ownership of the user's home directory and .rhosts files before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The argument must be yes or no. The default is yes. (Only done with host-based authentication.)
Subsystem-<subsystem name>
Specifies a subsystem. The argument is a command that is executed when the subsystem is requested. sftp2 uses a subsystem of sshd2 to transfer files securely. In order to use the SFTP server, you must have the following subsystem definition:
subsystem-sftp sftp-server
(the default way, with the defined command) or
subsystem-sftp internal://sftp-server
which will execute an SFTP service internally in the child process. Normally, the child process would execute a command using the user's shell, but in this case it will start to handle SFTP requests. This enables better logging in chrooted environments, and does not require any static binaries to be built, as the only binary needed will be sshd2 itself.
SysLogFacility
Gives the facility code that is used when logging messages from sshd2. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
UserConfigDirectory
Specifies where user-specific configuration data is found. With this the administrator can control those options that are usually controlled by the user. This is given as a pattern string which is expanded by sshd2. %D is the user's home directory, %U is the user's login name, %IU is the user's user ID (uid) and %IG is the user's group ID (gid). The default is %D/.ssh2.
UserKnownHosts
Specifies whether $HOME/.ssh2/knownhosts/ can be used to fetch host public keys when using hostbased authentication. The argument must be yes or no. The default is yes.
UserSpecificConfig
As HostSpecificConfig, but these configuration files are read later, when the username that the client is trying to log in as is known. Also the range of configuration options available is smaller, due to the fact that they would not make sense in these files. You can use patterns of form "user[%group][@host]", where the pattern user is matched with the username and UID, group is matched with the user's primary and any secondary groups, both group name and GID, and host is matched as described under option AllowHosts. See sshd2_subconfig(5) for more thorough documentation on what you can set in this subconfiguration file.
UseSocks5
Use SOCKS5 instead of SOCKS4 when connecting to the remote host. Note that you have to set SocksServer to a meaningful value. The argument must be yes or no. The default is no (i.e. use SOCKS4).
VerboseMode
Causes sshd2 to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Also causes sshd2 to not fork on connection, so only one connection is handled at a time.
XauthPath
Specifies where to find the xauth program. This option is mostly useful if you are using binaries and your X11 programs are installed in a location unknown to ssh2. The default is set by the configure script.
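A defender-side check that ties several of the defaults documented above together, as an added shell example (not part of the sshd2 distribution): it reads an sshd2_config, applies the documented default when a keyword is absent, and reports effective settings that this page's own descriptions mark as risky (PermitRootLogin and PermitEmptyPasswords defaulting to yes, cipher or MAC lists that permit none, QuietMode, an unlimited LoginGraceTime, StrictModes off). It assumes the ssh2_config(5) format details this page only references: '#' begins a comment, keyword and value are separated by whitespace, a keyword's last definition wins, and keywords are matched case-insensitively. The sample configuration and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the sshd2 distribution: audit an sshd2_config
# against the defaults and security notes in sshd2_config(5).
# Assumed from ssh2_config(5) (not restated in this page): '#' starts a
# comment, keyword and value are whitespace-separated, keyword matching is
# case-insensitive, and a keyword's last definition wins.

# Constructed sample configuration used for the demonstration.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
# constructed sshd2_config sample (not a real deployment)
Port                    22
ListenAddress           192.0.2.10 22
AllowedAuthentications  publickey,password
PermitEmptyPasswords    yes
Ciphers                 AnyStd
MACs                    hmac-sha1,hmac-sha256@ssh.com
LoginGraceTime          120
QuietMode               no
EOF

# effective_value FILE KEYWORD DEFAULT -> the configured value (last definition
# wins) or DEFAULT when the keyword is absent.
effective_value() {
    v=$(sed -e 's/#.*//' "$1" \
        | awk -v k="$2" 'tolower($1) == tolower(k) { print $2 }' \
        | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# lower STRING -> STRING in lower case (yes/no values are compared this way)
lower() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# list_permits_none LIST -> success if a Ciphers/MACs list permits "none":
# an explicit none, or the Any/AnyStd special values, which the man page
# says include none (AnyCipher/AnyStdCipher and AnyMac/AnyStdMac do not).
list_permits_none() {
    lower "$1" | tr ',' '\n' | grep -E -x -q 'none|any|anystd'
}

# audit_sshd2_config FILE -> one finding per line; the defaults used are the
# ones documented for each keyword in sshd2_config(5).
audit_sshd2_config() {
    f=$1
    v=$(effective_value "$f" PermitRootLogin yes)
    if [ "$(lower "$v")" = yes ]; then
        echo "PermitRootLogin $v (default yes): root may log in with every method allowed for other users; consider nopwd or no"
    fi
    v=$(effective_value "$f" PermitEmptyPasswords yes)
    if [ "$(lower "$v")" = yes ]; then
        echo "PermitEmptyPasswords $v (default yes): accounts with empty passwords can log in"
    fi
    v=$(effective_value "$f" Ciphers AnyStdCipher)
    if list_permits_none "$v"; then
        echo "Ciphers $v: permits the none cipher, i.e. an unencrypted session"
    fi
    v=$(effective_value "$f" MACs AnyStdMac)
    if list_permits_none "$v"; then
        echo "MACs $v: permits the none MAC, i.e. no data integrity verification"
    fi
    v=$(effective_value "$f" QuietMode no)
    if [ "$(lower "$v")" = yes ]; then
        echo "QuietMode $v: only fatal errors reach the system log"
    fi
    v=$(effective_value "$f" LoginGraceTime 600)
    if [ "$v" = 0 ]; then
        echo "LoginGraceTime 0: unauthenticated connections are never disconnected"
    fi
    v=$(effective_value "$f" StrictModes yes)
    if [ "$(lower "$v")" != yes ]; then
        echo "StrictModes $v (default yes): home directory and .rhosts permissions are not checked"
    fi
    return 0
}

# audit_finding_count FILE -> number of findings
audit_finding_count() {
    audit_sshd2_config "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration: the sample yields three findings (PermitRootLogin
# by default, PermitEmptyPasswords explicitly, and Ciphers AnyStd).
audit_sshd2_config "$SAMPLE_CONFIG"
```

Point the last line at /etc/ssh2/sshd2_config (or the file given with -f) to audit a live server; keywords that are only amended or overridden from HostSpecificConfig or UserSpecificConfig files are not followed, so those files need a separate pass.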
AUTHORS
SSH Communications Security Corp.
For more information, see http://www.ssh.com.
SEE ALSO
sshd2_subconfig(5), sshd2(8), sshd-check-conf(5), sshregex(1)