.\" -*- nroff -*-
.\"
.\" sshd2_config.5
.\"
.\" Author: Tatu Ylonen
.\"         Markku-Juhani Saarinen
.\"         Sami Lehtinen
.\"
.\" Copyright (C) 1997-2002 SSH Communications Security, Finland
.\" All rights reserved
.\"
.TH SSHD2_CONFIG 5 "May 16, 2002" "SSH2" "SSH2"
.SH NAME
sshd2_config \- format of configuration file for sshd2
.SH CONFIGURATION FILE
\fBSshd2\fR reads configuration data from
.I /etc/ssh2/sshd2_config
(or the file specified with -f on the command line).
The file contains keyword-value pairs, one per line.
For a description of the configuration file format, see
\fBssh2_config\fR(5). However, configuration blocks are not allowed in
.IR sshd2_config .
Subconfiguration files can be specified in the main configuration file, see
.BR HostSpecificConfig
and
.BR UserSpecificConfig .
Note that if changes are made in the main configuration file, sshd2 will
have to be restarted, for example by sending a signal to it:
.LP
# kill -HUP `cat /var/run/sshd2_22.pid`
.LP
or
.LP
# kill -HUP `cat /etc/ssh2/sshd2_22.pid`
.LP
if the directory /var/run/ does not exist.
The following keywords are allowed:
.de YN
"\fByes\fR" or "\fBno\fR".
..
.TP
\fBAllowAgentForwarding\fR or \fBForwardAgent\fR
Specifies whether agent forwarding is permitted. This parameter is
implemented mainly for completeness. Usually, you should allow users to
freely forward agent connections. The argument must be
.YN
The default is "\fByes\fR".
.ne 3
.TP
.B AllowedAuthentications
This keyword specifies the authentication methods that are allowed. Known
authentication methods are:
.BR keyboard-interactive ,
.BR password ,
.BR publickey ,
.BR pam-1@ssh.com ,
.BR kerberos-2@ssh.com ,
.BR kerberos-tgt-2@ssh.com ,
and
.BR securid-1@ssh.com .
The default is "\fBpublickey, password\fR".
\fBpam-1@ssh.com\fR and \fBsecurid-1@ssh.com\fR are legacy authentication
methods, and you should use \fBkeyboard-interactive\fR instead, if possible
(i.e. the clients that need to be able to connect support
\fBkeyboard-interactive\fR).
See
.BR AuthKbdInt.Optional .
With \fBRequiredAuthentications\fR, the system administrator can force the
users to complete several authentications before they are considered
authenticated. See
.BR RequiredAuthentications .
.TP
.B AllowGroups
This keyword can be followed by any number of group name patterns,
separated by commas. If specified, login is allowed only if one of the
groups the user belongs to matches one of the patterns. Patterns are
matched using the egrep syntax (see \fBsshregex\fR(1)), or the syntax
specified in the metaconfig header of the configuration file. You can use
the comma \',\' character in the patterns by escaping it with '\\'
(backslash). By default, all groups are allowed to log in. Note that all
other authentication steps must still be successfully completed.
\fBAllowGroups\fR and \fBDenyGroups\fR are additional restrictions and
never increase the tolerance.
.ne 3
.TP
.B AllowHosts
This keyword can be followed by any number of host name patterns,
separated by commas. If specified, login is allowed only from hosts whose
name matches one of the patterns. Patterns are matched using the egrep
syntax (see \fBsshregex\fR(1)), or the syntax specified in the metaconfig
section of the configuration file. If you wish that the pattern will only
be matched with the host's IP address (ignoring the canonical host name),
prefix your pattern with "\\i". You can also use subnet masks
(e.g '127.0.0.0/8') by prefixing the pattern with "\\m". DNS is used to
map the client's host name into a canonical host name. If the name cannot
be mapped, the IP address is used as the host name. By default, all hosts
are allowed to connect. Note that
.B sshd2
can also be configured to use tcp_wrappers using the --with-libwrap
compile-time configuration option.
.ne 3
.TP
.B AllowSHosts
This keyword can be followed by any number of host name patterns,
separated by commas, just as the option \fBAllowHosts\fR.
The entries in \fI.shosts\fR, \fI.rhosts\fR, \fI/etc/hosts.equiv\fR and
\fI/etc/shosts.equiv\fR are ignored if they do not match one of the
patterns given here (if there are any).
.ne 3
.TP
.B AllowTcpForwarding
Specifies whether TCP forwarding is permitted. Note that disabling TCP
forwarding does not improve security at all unless you deny the user shell
access at the same time (see \fBssh-dummy-shell\fR(1)): any user that has
a shell can always install her own forwarders. The argument must be
.YN
The default is "\fByes\fR".
.ne 3
.TP
.B AllowTcpForwardingForGroups
The syntax is the same as in \fBAllowGroups\fR, but instead of login, this
controls the ability to forward ports in remote or local forwarding. See
the security note under option \fBAllowTcpForwarding\fR. The argument
must be
.YN
The default is "\fByes\fR".
.ne 3
.TP
.B AllowTcpForwardingForUsers
Syntax is the same as in \fBAllowUsers\fR, but instead of login, this
controls the ability to forward ports in remote or local forwarding. See
the security note under option \fBAllowTcpForwarding\fR. The argument
must be
.YN
The default is "\fByes\fR".
.ne 3
.TP
.B AllowUsers
This option can be followed by any number of patterns of the form
\fIuser\fR or \fIuser@host\fR, separated by commas. The details explained
under option \fBAllowHosts\fR apply accordingly. By default, all users are
allowed to log in. Note that all the other login authentication steps must
still be successfully completed. \fBAllowUsers\fR and \fBDenyUsers\fR are
additional restrictions.
.ne 3
.TP
\fBAllowX11Forwarding\fR or \fBX11Forwarding\fR or \fBForwardX11\fR
Specifies whether X11 forwarding is permitted. The default is "\fByes\fR".
See the security note under option \fBAllowTcpForwarding\fR. The argument
must be
.YN
.ne 3
.TP
.B AuthInteractiveFailureTimeout
Specifies the delay, in seconds, that the server delays after a failed
attempt to log in using \fBkeyboard-interactive\fR and \fBpassword\fR
authentication. The default is 2.
.ne 3
.TP
.B AuthKbdInt.NumOptional
Specifies how many optional submethods must be passed before the
authentication is considered a success (note that all required submethods
must always be passed). See
.B AuthKbdInt.Optional
for specifying optional submethods, and
.B AuthKbdInt.Required
for required submethods. The default is 0, although if no required
submethods are specified, the client must always pass at least one
optional submethod.
.ne 3
.TP
.B AuthKbdInt.Optional
Specifies the optional submethods \fBkeyboard-interactive\fR will use.
Currently submethods
.BR pam ,
.BR securid ,
.BR plugin ,
and
.B password
are defined. Note that
.BR pam
and
.B securid
require that you had the necessary libraries and headers when you compiled
the distribution. The
.B pam
submethod is usually available in binary packages, if the architecture
supports PAM (Pluggable Authentication Modules).
.B AuthKbdInt.NumOptional
specifies how many optional submethods must be passed. The
\fBkeyboard-interactive\fR authentication method is considered a success
when the specified number of optional submethods and all required
submethods are passed. The \fBplugin\fR submethod is special: it can be
used if a sysadmin wants to create a new authentication method. See option
.BR AuthKbdInt.Plugin .
See also
.B AuthKbdInt.NumOptional
and
.BR AuthKbdInt.Required .
.ne 3
.TP
.B AuthKbdInt.Plugin
Specify this to point to a program which is used by the
.B plugin
submethod in
.BR keyboard-interactive .
.B sshd2
converses with this program using a line-based protocol, so it is easy to
implement it, for example as a shell script. If the \fBplugin\fR submethod
is used, and this is not set, or the specified program does not exist, or
cannot be run, the submethod will fail, which may cause the whole
authentication for the user to fail. This will not be set by default.
More information about the protocol can be found in the distribution
package:
.I RFC.kbdint_plugin_protocol
has a description of the protocol used, and an example script is called
.IR kbdint_plugin_example.sh .
Note that the program is run with the privileges of the
.B sshd2
process, typically root. So be careful.
.ne 3
.TP
.B AuthKbdInt.Required
Specifies the required submethods that must be passed before the
\fBkeyboard-interactive\fR authentication method can succeed. See
.BR AuthKbdInt.Optional .
.ne 3
.TP
.B AuthKbdInt.Retries
Specifies how many times the user can retry \fBkeyboard-interactive\fR.
The default is 3.
.ne 3
.TP
.B AuthorizationFile
Specifies the name of the user's authorization file.
.ne 3
.TP
.B AuthPublicKey.MaxSize
Specifies the maximum size of a publickey that can be used to log in.
Value 0 disables the check. The default is 0 (disabled).
.ne 3
.TP
.B AuthPublicKey.MinSize
Specifies the minimum size of a publickey that can be used to log in.
Value 0 disables the check. The default is 0 (disabled).
.ne 3
.TP
.B BannerMessageFile
Specifies the path to the message that is sent to the client before
authentication. Note, however, that the client is not obliged to show this
message. The default is \fI/etc/ssh2/ssh_banner_message\fR (if existing).
.ne 3
.TP
.B Cert.RSA.Compat.HashScheme
Older SSH Secure Shell clients and servers used hashes in an incoherent
manner (sometimes MD5, sometimes SHA-1). With this option, you can set
what hash is used. This option can be set in
.BR HostSpecificConfig ,
and then reset in
.BR UserSpecificConfig ,
in which case the value set in host-specific configuration will apply to
the initial key exchange and during authentication the value in the
user-specific configuration will be used. Valid values are "\fBmd5\fR"
and "\fBsha1\fR". The default is "\fBmd5\fR" (works in most cases).
.ne 3
.TP
.B CheckMail
Makes \fBsshd2\fR print information about whether there is new mail or
not when a user logs in interactively.
(On some systems this information is also printed by the shell,
/etc/profile, or equivalent.) The argument must be
.YN
The default is "\fByes\fR".
.ne 3
.TP
.B ChRootGroups
This option works like \fBChRootUsers\fR, except that it can be used to
list groups instead of single users. Groups are listed on the server in
\fI/etc/group\fR. Follows the logic of \fBDenyGroups\fR.
.ne 3
.TP
.B ChRootUsers
.B sshd2
gives all users listed here a chrooted environment (e.g. "/home"). This
establishes a "jail" that keeps users from sneaking into sensitive areas
of the server's file system. Users are defined on the server in
\fI/etc/group\fR. More than one group can be listed, separated by a comma.
This is not a default option. The logic follows that of
.BR DenyUsers .
.ne 3
.TP
.B Ciphers
Specifies the ciphers to use for encrypting the session. Supported values
are
.\" XXX Could this be made dist-dependent ?
.IR aes ,
.IR blowfish ,
.IR twofish ,
.IR arcfour ,
.IR cast ,
.IR 3des ,
and
.IR des .
Multiple ciphers can be specified as a comma-separated list. Special
values for this option are
.IR Any ,
.IR AnyStd ,
.IR none ,
.IR AnyCipher ,
and \fIAnyStdCipher\fR. \fIAny\fR allows all ciphers including
\fInone\fR; \fIAnyStd\fR allows only those mentioned in the IETF-SecSH
draft plus \fInone\fR; \fInone\fR forbids any use of encryption;
\fIAnyCipher\fR and \fIAnyStdCipher\fR are analogous to the first two
cases but exclude \fInone\fR. \fIAnyStdCipher\fR is the default.
.ne 3
.TP
.B DenyGroups
This keyword can be followed by any number of group name patterns,
separated by commas. If specified, login is denied if one of the groups
the user belongs to matches one of the patterns. Otherwise, this option is
parsed and matched identically with
.BR AllowGroups .
By default, all users are allowed to log in. If a user's group matches a
pattern in both
.B DenyGroups
and
.BR AllowGroups ,
login will be denied. Note that all other authentication steps must still
be successfully completed.
\fBAllowGroups\fR and \fBDenyGroups\fR are additional restrictions and
never increase the tolerance.
.ne 3
.TP
.B DenyHosts
This keyword can be followed by any number of host name patterns,
separated by commas. If specified, login is disallowed from hosts whose
names match any of the patterns. See
.BR AllowHosts .
.ne 3
.TP
.B DenySHosts
This keyword can be followed by any number of host name patterns,
separated by commas, just as the option \fBDenyHosts\fR. The entries in
\fI.shosts\fR, \fI.rhosts\fR, \fI/etc/hosts.equiv\fR and
\fI/etc/shosts.equiv\fR are ignored if they match one of the patterns
given here (if there are any). See
.BR AllowSHosts .
.ne 3
.TP
.B DenyTcpForwardingForGroups
The syntax is the same as in \fBDenyGroups\fR, but instead of login, this
controls the ability to forward ports, in remote or local forwarding. See
the security note under option \fBAllowTcpForwarding\fR. The argument
must be
.YN
Forwarding is enabled by default.
.ne 3
.TP
.B DenyTcpForwardingForUsers
The syntax is the same as in \fBDenyUsers\fR, but instead of login, this
controls the ability to forward ports, in remote or local forwarding. See
the security note under option \fBAllowTcpForwarding\fR. The argument
must be
.YN
Forwarding is enabled by default.
.ne 3
.TP
.B DenyUsers
This is the opposite of \fBAllowUsers\fR and works accordingly. If a
user's name matches a pattern in both
.B DenyUsers
and
.BR AllowUsers ,
login is denied. Note that all other login authentication steps must
still be successfully completed. \fBAllowUsers\fR and \fBDenyUsers\fR are
additional restrictions.
.ne 3
.TP
.B DisableVersionFallback
Whether to disable fallback compatibility code for older, or otherwise
incompatible versions of software. Don't disable unless you know what
you're doing. The argument must be
.YN
The default is "\fBno\fR".
.ne 3
.TP
.B ExternalAuthorizationProgram
If set, this program is run to verify whether the user is authorized to
log in.
.B sshd2
converses with this program using a line-based protocol, so it is easy to
implement as a shell script, for example. If this is set, and the program
does not exist, or cannot be run, authorization (user login) will be
denied. This will not be set by default. More information about the
protocol can be found in the distribution package:
.I RFC.authorization_program_protocol
has a description of the protocol used, and an example script is called
.IR ext_authorization_example.sh .
Note that the program is run with the privileges of the
.B sshd2
process, typically root. So be careful.
.ne 3
.TP
.B ForwardACL
With this option, you can have more fine-grained control over what the
client is allowed to forward, and to where. The format for this option is
.RS
.I (allow|deny) (local|remote) user-pat forward-pat \fB[\fIoriginator-pat\fB]
.RE
.I user-pat
will be used to match the client user, as specified under option
.BR UserSpecificConfig .
.I forward-pat
is a pattern of format
.IR host-id\fB[\fI%port\fB]\fI .
This has different interpretations depending on whether the ACL is
specified for local or remote forwards. For local forwards, the
.I host-id
will match with the target host of the forwarding, as specified under
option
.BR AllowHosts .
.I port
will match with the target port. Also, if the client sent a host name,
the IP will be looked up from the DNS, which will be used to match the
pattern. For remote forwardings, where the forward target is not known
(the client handles that end of the connection), this will be used to
match with the listen address specified by the user (and as such is not
as usable as with local forwards).
.I port
will match the port the server is supposed to be listening with this
forward. With local forwards,
.I originator-pat
will match with the originator address that the client has reported.
Remember, if you do not administer the client machine, or the users on
that machine have shell access, they may use a modified copy of
.B ssh
that can be used to lie about the originator address. Also, with NATs
(Network Address Translation) the originator address will not be
meaningful (it will probably be an internal network address). So, you
should not rely on the originator address with local forwards, unless you
know exactly what you are doing. With remote forwards, on the other hand,
.I originator-pat
will match with the IP address of the host connecting to the forwarded
port. This will be valid information, as it is the server checking that
information. If you specify any
.I allow
directives, all forwards in that class (local or remote) not specifically
allowed will be denied (note that local and remote forwards are separate
in this respect; e.g. if you have one "allow remote" definition, local
forwards are still allowed, pending other restrictions). If a forward
matches with both
.I allow
and
.I deny
directives, the forwarding will be denied. Also, if you have specified
any of the options
.B {Allow,Deny}TcpForwardingFor{Users,Groups}
or
.BR AllowTcpForwarding ,
and the forwarding for the user is disabled with those, an
.I allow
directive will not re-enable the forwarding for the user. Forwarding is
enabled by default.
.ne 3
.TP
.B ForwardAgent
See \fBAllowAgentForwarding\fR.
.ne 3
.TP
.B HostbasedAuthForceClientHostnameDNSMatch
If the host name given by the client does not match the one found in DNS,
fail host-based authentication. Defaults to "\fBno\fR". Note that this
differs from 2.4 and earlier releases.
.ne 3
.TP
.B HostKeyEkInitString
Specifies the initialization string for the external host key provider.
This is ignored when the keyword \fBHostKeyEkProvider\fR is not present or
when external key support is not included in the software. See
.BR ssh-externalkeys (5)
for details about specifying initialization strings.
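.LP
The following is an added example, not code from the SSH2 distribution. It
models, in Python, the two decision rules this page describes: the
\fBAllow*\fR/\fBDeny*\fR login lists (a \fBDeny\fR match always wins, an
\fBAllow\fR list restricts login to its members, and the "\\i" and "\\m"
prefixes from \fBAllowHosts\fR) and the \fBForwardACL\fR evaluation (any
\fIallow\fR directive makes its class default-deny, a forward matching
both \fIallow\fR and \fIdeny\fR is denied, and an \fIallow\fR never
re-enables forwarding disabled by \fBAllowTcpForwarding\fR). The function
names, the dictionary layout and the sample configuration are this
example's own assumptions; the client scenarios are constructed.

```python
"""Model of the sshd2_config(5) access-list and ForwardACL decisions.

Added example, not code from the SSH2 distribution. Matching conventions
follow the man page text: patterns are egrep-style regular expressions, a
leading "\\i" matches only the client IP, a leading "\\m" matches a subnet
such as 127.0.0.0/8, and a comma inside a pattern is escaped as "\\,".
Function names and the config dictionary layout are assumptions.
"""
import ipaddress
import re


def split_patterns(value):
    """Split a comma-separated pattern list, honouring the "\\," escape."""
    return [p.replace("\\,", ",") for p in re.split(r"(?<!\\),", value)]


def host_matches(pattern, hostname, ip):
    """Match one AllowHosts/DenyHosts-style pattern against a client."""
    if pattern.startswith("\\m"):  # subnet mask, checked against the IP
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern[2:], strict=False)
    if pattern.startswith("\\i"):  # IP only, canonical host name ignored
        return re.fullmatch(pattern[2:], ip) is not None
    # plain pattern: canonical host name, or the IP when the name could not be mapped
    return re.fullmatch(pattern, hostname or ip) is not None


def login_allowed(cfg, user, groups, hostname, ip):
    """Allow*/Deny* lists: a Deny match always wins, an Allow list restricts
    login to its members, and a missing list imposes no restriction."""
    def user_matches(pat):
        name, _, host = pat.partition("@")  # "user" or "user@host"
        return re.fullmatch(name, user) is not None and (
            not host or host_matches(host, hostname, ip))

    checks = (
        ("AllowHosts", "DenyHosts", lambda p: host_matches(p, hostname, ip)),
        ("AllowUsers", "DenyUsers", user_matches),
        ("AllowGroups", "DenyGroups", lambda p: any(re.fullmatch(p, g) for g in groups)),
    )
    for allow, deny, matches in checks:
        if any(matches(p) for p in cfg.get(deny, [])):
            return False  # matching both Allow* and Deny* denies
        if cfg.get(allow) and not any(matches(p) for p in cfg[allow]):
            return False
    return True


def forward_allowed(cfg, kind, user, host, ip, port, originator):
    """ForwardACL decision for one "local" or "remote" forward.
    Rules are (allow|deny, local|remote, user-pat, forward-pat, originator-pat);
    host/ip are the target for local forwards, the listen address for remote."""
    if cfg.get("AllowTcpForwarding") == "no":
        return False  # an allow directive never re-enables forwarding
    rules = [r for r in cfg.get("ForwardACL", ()) if r[1] == kind]
    hits = set()
    for action, _, user_pat, fwd_pat, orig_pat in rules:
        host_id, _, port_pat = fwd_pat.partition("%")  # host-id[%port]
        if (re.fullmatch(user_pat, user)
                and host_matches(host_id, host, ip)
                and (not port_pat or re.fullmatch(port_pat, str(port)))
                and (not orig_pat or re.fullmatch(orig_pat, originator))):
            hits.add(action)
    if "deny" in hits:
        return False  # a forward matching both allow and deny is denied
    if any(r[0] == "allow" for r in rules):
        return "allow" in hits  # an allow rule makes this class default-deny
    return True  # no ACL for this class: forwarding stays enabled


# Constructed sample configuration (assumed values, not from any real host).
SAMPLE_CFG = {
    "AllowHosts": split_patterns(r"\m10.0.0.0/8,.*\.example\.com"),
    "DenyHosts": [r"\i10\.0\.0\.13"],
    "AllowUsers": ["alice", "carol", r"bob@\i10\.0\.1\..*"],
    "DenyGroups": ["nologin"],
    "ForwardACL": [
        ("allow", "local", "alice", r"\m10.0.0.0/8%(22|443)", None),
        ("deny", "local", ".*", r"\i10\.0\.0\.1%.*", None),
    ],
}


def demo(cfg=SAMPLE_CFG):
    """Evaluate constructed client scenarios; returns name -> decision."""
    disabled = dict(cfg, AllowTcpForwarding="no")
    return {
        "alice_lan": login_allowed(cfg, "alice", ["staff"], "ws1.example.com", "10.0.1.5"),
        "alice_denied_host": login_allowed(cfg, "alice", ["staff"], None, "10.0.0.13"),
        "bob_lan": login_allowed(cfg, "bob", ["staff"], "ws1.example.com", "10.0.1.5"),
        "bob_external": login_allowed(cfg, "bob", ["staff"], "bob.example.com", "192.168.0.1"),
        "carol_nologin": login_allowed(cfg, "carol", ["nologin"], None, "10.0.1.5"),
        "fwd_allowed": forward_allowed(cfg, "local", "alice", None, "10.0.0.5", 443, "127.0.0.1"),
        "fwd_other_port": forward_allowed(cfg, "local", "alice", None, "10.0.0.5", 8080, "127.0.0.1"),
        "fwd_both_match": forward_allowed(cfg, "local", "alice", None, "10.0.0.1", 22, "127.0.0.1"),
        "fwd_remote_untouched": forward_allowed(cfg, "remote", "alice", None, "0.0.0.0", 8080, "10.0.0.9"),
        "fwd_disabled": forward_allowed(disabled, "local", "alice", None, "10.0.0.5", 443, "127.0.0.1"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {'allowed' if decision else 'denied'}")
```

.LP
The scenarios worth noticing are the ones where the lists interact:
\fBalice_denied_host\fR matches both the \fBAllowHosts\fR subnet and a
\fBDenyHosts\fR address and is denied; \fBfwd_other_port\fR is denied only
because an \fIallow local\fR rule exists at all; and
\fBfwd_remote_untouched\fR stays allowed because the ACL has no remote
rules.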
.ne 3
.TP
.B HostKeyEkProvider
Specifies the external host key provider. This is ignored when external
key support is not included in the software. See
.BR ssh-externalkeys (5)
for details about specifying providers.
.ne 3
.TP
.B HostKeyEkTimeOut
Specifies the maximum time in seconds to wait for the keys from the
external host key provider. This is ignored when external key support is
not included in the software.
.ne 3
.TP
.B HostKeyFile
Specifies the file containing the private host key (default
.IR /etc/ssh2/hostkey ).
.ne 3
.TP
.B HostSpecificConfig
Specifies a subconfiguration file for
.BR sshd2 .
The syntax for this option is
.LP
.RS
.I pattern subconfig-file
.LP
.I pattern
will be used to match the client host, as specified under option
.BR AllowHosts .
The file
.I subconfig-file
will then be read, and configuration data amended accordingly. The file is
read before any actual protocol transactions begin, and you can specify
most of the options allowed in the main configuration file. You can
specify more than one subconfiguration file, in which case the patterns
are matched and the files read in the order specified. Later defined
values of configuration options will either override or amend the
previous value depending on which option it is. The effect of redefining
an option is described in the documentation for that option. For example,
setting
.B Ciphers
in the subconfiguration file will override the old value, but setting
.B AllowUsers
will amend the value. See
.BR sshd2_subconfig (5)
for more thorough documentation on what you can set in this
subconfiguration file.
.LP
See also option
.BR UserSpecificConfig .
.RE
.ne 3
.TP
.B IdleTimeOut
Sets the idle timeout limit to time in seconds (s or nothing after
number), in minutes (m), in hours (h), in days (d), or in weeks (w). If
the connection has been idle (all channels) this long, the connection is
closed. Default is 0 (zero), which disables idle timeouts.
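.LP
The following is an added example, not code from the SSH2 distribution. It
models in Python how the \fBHostSpecificConfig\fR mechanism is described
above: the patterns are tried in the order listed, every matching file is
read, and a later value either overrides the earlier one (\fBCiphers\fR) or
amends it (\fBAllowUsers\fR). The page only names those two options, so the
set of amending options below, the function names and the file contents
are this example's assumptions; host patterns are matched as plain
regular expressions against the host name only.

```python
"""Model of sshd2 HostSpecificConfig processing (added example, not the
SSH2 distribution's code). Which options amend rather than override is an
assumption built from the two examples the man page gives."""
import re

# Assumed list-valued options that amend the earlier value instead of replacing it.
AMENDING_OPTIONS = {"AllowUsers", "DenyUsers", "AllowGroups", "DenyGroups",
                    "AllowHosts", "DenyHosts"}


def parse_config(text):
    """Parse keyword-value lines, one pair per line; '#' comments and blanks are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        pairs.append((key, value.strip()))
    return pairs


def apply_subconfigs(base, subconfigs, files, client_host):
    """Return the effective configuration for client_host.

    base: dict from the main file (list-valued entries for amending options).
    subconfigs: ordered (pattern, filename) pairs, one per HostSpecificConfig line.
    files: filename -> file text (stands in for reading the file from disk)."""
    # Copy so the main configuration is not changed by one client's lookup.
    cfg = {k: list(v) if isinstance(v, list) else v for k, v in base.items()}
    for pattern, filename in subconfigs:          # matched in the order specified
        if re.fullmatch(pattern, client_host) is None:
            continue
        for key, value in parse_config(files[filename]):
            if key in AMENDING_OPTIONS:
                cfg.setdefault(key, []).extend(value.split(","))  # amend
            else:
                cfg[key] = value                                   # override
    return cfg


# Constructed sample data: a main configuration and two subconfiguration files.
MAIN_CONFIG = {"Ciphers": "AnyStdCipher", "AllowUsers": ["alice"], "PermitRootLogin": "yes"}
SUBCONFIGS = [
    (r".*\.lab\.example\.com", "lab.conf"),
    (r"build\d+\.lab\.example\.com", "build.conf"),
]
FILES = {
    "lab.conf": "Ciphers aes,3des\nAllowUsers bob,carol\nPermitRootLogin no\n",
    "build.conf": "# build hosts only\nCiphers aes\nAllowUsers ci\n",
}


def demo():
    """Effective configuration for a build host and for an unmatched host."""
    return {
        "build": apply_subconfigs(MAIN_CONFIG, SUBCONFIGS, FILES, "build7.lab.example.com"),
        "other": apply_subconfigs(MAIN_CONFIG, SUBCONFIGS, FILES, "desk1.corp.example.com"),
    }


if __name__ == "__main__":
    for host, cfg in demo().items():
        print(host, cfg)
```

.LP
For the build host both files match, so \fBCiphers\fR ends up as the
value from the last file read while \fBAllowUsers\fR accumulates the
entries of the main file and both subconfiguration files; a host matching
no pattern keeps the main configuration unchanged.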
.ne 3
.TP
.B IgnoreRhosts
Specifies that the
.I .rhosts
and
.I .shosts
files will not be used in \fBhostbased\fR authentication (see
.BR AllowedAuthentications ).
.I /etc/hosts.equiv
and
.I /etc/shosts.equiv
are still used as before. The argument must be
.YN
The default is "\fBno\fR".
.ne 3
.TP
.B IgnoreRootRhosts
Specifies that the
.I rhosts
and
.I shosts
files will not be used in authentication for root. The default is the
value of
.B IgnoreRhosts\fR.
.TP
.B KeepAlive
Specifies whether the system should send keepalive messages to the other
side. If they are sent, death of the connection or crash of one of the
machines will be properly noticed. However, this means that connections
will die if the route is down temporarily, and some people find it
annoying. On the other hand, if keepalives are not sent, sessions may hang
indefinitely on the server, leaving "ghost" users and consuming server
resources. The default is "\fByes\fR" (to send keepalives), and the server
will notice if the network goes down or the client host reboots. This
avoids infinitely hanging sessions. To disable keepalives, the value
should be set to "\fBno\fR" in both the server and the client
configuration files.
.ne 3
.TP
.B ListenAddress
Specifies the IP address of the interface where the
.B sshd2
server socket is bound.
.ne 3
.TP
.B LoginGraceTime
The server disconnects after this time if the user has not successfully
logged in. If the value is 0, there is no time limit. The default is 600
(seconds).
.ne 3
.TP
.B MACs
Specifies the MAC (Message Authentication Code) algorithm to use for data
integrity verification. Currently,
.\" XXX Could this be made dist-dependent ?
.IR hmac-sha1 ,
.IR hmac-sha1-96 ,
.IR hmac-md5 ,
.IR hmac-md5-96 ,
.IR hmac-ripemd160 ,
and
.I hmac-ripemd160-96
are supported, of which
.IR hmac-sha1 ,
.IR hmac-sha1-96 ,
.IR hmac-md5 ,
and
.I hmac-md5-96
are included in all distributions. Multiple MACs can be specified as a
comma-separated list.
Special values for this option are
.IR Any ,
.IR AnyStd ,
.IR none ,
.IR AnyMac ,
and \fIAnyStdMac\fR. \fIAny\fR allows all MACs including \fInone\fR;
\fIAnyStd\fR allows only those mentioned in the IETF-SecSH draft and
\fInone\fR; \fInone\fR forbids any use of MACs; \fIAnyMac\fR and
\fIAnyStdMac\fR are analogous to the first two cases but exclude
\fInone\fR. \fIAnyStdMac\fR is the default.
.ne 3
.TP
.B MaxBroadcastsPerSecond
Specifies how many UDP broadcasts the server handles per second. The
default value is 0, and no broadcasts are handled at all. Broadcasts that
exceed the limit are silently ignored. Received unrecognized UDP datagrams
also consume the capacity defined by this option.
.ne 3
.TP
.B MaxConnections
Specifies the maximum number of connections
.B sshd2
will handle simultaneously. This is useful against flooding attacks
(attempts to interrupt the server from working properly by opening a high
amount of new connections). The argument is a positive number (0 means
only system limits). Note that by using (at least) xinetd you achieve the
same effect on a more generic level.
.ne 3
.TP
.B NoDelay
If "\fByes\fR", enable socket option TCP_NODELAY. The argument must be
.YN
The default is "\fBno\fR".
.ne 3
.TP
.B PasswdPath
Specifies the location of the
.B passwd
program (or equivalent). By default this is set to where the
.B configure
script found it. This program will be run with the privileges of the user
logging in.
.ne 3
.TP
.B PasswordGuesses
Specifies the number of tries that the user has when using password
authentication. The default is 3. Then, shalt thou count to three. No
more. No less.
.ne 3
.TP
.B PermitEmptyPasswords
When password authentication is allowed, it specifies whether the server
allows login to accounts with empty password strings. The argument must
be
.YN
The default is "\fByes\fR".
.ne 3
.TP
.B PermitRootLogin
Specifies whether root can log in using
.BR ssh2 .
May be set to "\fByes\fR", "\fBnopwd\fR", or "\fBno\fR".
The default is "\fByes\fR", allowing root logins through any of the
authentication types allowed for other users. The "\fBnopwd\fR" value
disables password-authenticated root logins. The "\fBno\fR" value
disables root logins through any of the authentication methods.
("\fBnopwd\fR" and "\fBno\fR" are equivalent unless you have some other
means of authentication for root, e.g. public key.) Root login with
public-key authentication when the "\fBcommand\fR" option has been
specified will be allowed regardless of the value of this setting (which
may be useful for taking remote backups even if root login is normally
not allowed).
.ne 3
.TP
.B Port
Specifies the port number that
.B sshd2
listens on. The current default is 22.
.ne 3
.TP
.B PrintMotd
Specifies whether
.B sshd2
should print
.I /etc/motd
when a user logs in interactively. The default is "\fByes\fR". The
argument must be
.YN
.ne 3
.TP
.B PublicHostKeyFile
Specifies the file containing the public host key (default
.IR /etc/ssh2/hostkey.pub ).
.ne 3
.TP
.B QuietMode
Nothing is logged in the system log, except fatal errors. The argument
must be
.YN
The default is "\fBno\fR".
.ne 3
.TP
.B RandomSeedFile
Specifies the name of the random seed file.
.ne 3
.TP
.B RekeyIntervalSeconds
The number of seconds after which the key exchange is done again. The
default is 3600 seconds (1 hour). Value '0' turns rekey requests off. This
does not prevent the client from requesting rekeys. Other clients (not
.BR ssh2 )
may not have rekey capabilities implemented correctly, and they might not
like rekey requests. This means that they may possibly close the
connection or even crash.
.ne 3
.TP
.B RequiredAuthentications
Analogous to \fBAllowedAuthentications\fR, with one difference: the
authentication methods listed here \fImust all\fR succeed before a user is
considered authenticated. Leaving this list empty is equivalent to not
using the option at all. If this option is set,
\fBAllowedAuthentications\fR is ignored.
\fBNOTE:\fR versions of \fBsshd2\fR before 3.1.0 required
\fBRequiredAuthentications\fR to be a subset of
\fBAllowedAuthentications\fR. This is no longer the case.
.ne 3
.TP
.B RequireReverseMapping
This is used to check whether hostname DNS lookup
.I must
succeed when checking whether connections from host are allowed using
.B AllowHosts
and
.BR DenyHosts .
If this is set to
.BR yes ,
and if name lookup fails, the connection is denied. If set to
.BR no ,
and name lookup fails, the remote host's IP address is used to check
whether it is allowed to connect. This is probably not what you want if
you have specified only host names (not IP addresses) with
.BR {Allow,Deny}Hosts .
See also
.BR ResolveClientHostName .
The default is "\fBno\fR". The argument must be
.YN
.ne 3
.TP
.B ResolveClientHostName
This parameter controls whether
.B sshd2
will try to resolve the client IP at all, or not. This is useful when you
know that the DNS cannot be reached, and the query would cause additional
delay in logging in. Note that if you set this to "\fBno\fR", you should
not set
.B RequireReverseMapping
to "\fByes\fR". The default is "\fByes\fR". The argument must be
.YN
.ne 3
.TP
.B SettableEnvironmentVars
This keyword can be followed by any number of patterns, separated by
commas. Patterns are matched using the egrep syntax (see
\fBsshregex\fR(1)), or the syntax specified in the metaconfig header of
the configuration file. You can use the comma \',\' character in the
patterns by escaping it with '\\' (backslash). By default, no environment
variables can be set (but the default
.I /etc/ssh2/sshd2_config
file specifies some common and safe environment variables). With this
option, you can allow setting of some or all environment variables. This
option is used to check whether setting is allowed by the client
(\fBssh2\fR), by the user's
.I $HOME/.ssh2/environment
file or public key options.
This is not used when setting variables from
.I /etc/environment
or other "root-only" files, as the user does not have control over those
anyway. Note that this option only changes the setting of environment
variables \fIbefore\fR the user's shell is run. After that, the user is of
course free to set whatever variables she wants on that environment.
.ne 3
.TP
.B SftpSysLogFacility
As
.BR SysLogFacility ,
but defines what log facility the
.B sftp-server
(internal or otherwise) will use. By default, this has no value, i.e. no
logging is performed by the subsystem.
.ne 3
.TP
.B Ssh1Compatibility
With this option,
.B sshd1
is executed when the client supports only SSH 1.x protocols. The argument
must be
.YN
.ne 3
.TP
.B Sshd1ConfigFile
This is only used if
.B sshd2
is executed with the \fB-f\fR command line option. Specifies alternate
config file for \fBsshd1\fR for the case that \fBsshd2\fR runs in
compatibility mode. (If \fB-f\fR is not specified, \fBsshd1\fR will read
its configuration from the standard location, typically
\fI/etc/sshd_config\fR.)
.ne 3
.TP
.B Sshd1Path
Specifies the path to the
.B sshd1
executable to be executed in SSH1 compatibility mode. The arguments for
.B sshd2
are passed on to
.BR sshd1 .
.ne 3
.TP
.B StrictModes
Specifies whether
.B sshd2
should check file modes and ownership of the user's home directory and
rhosts files before accepting login. This is normally desirable because
novices sometimes accidentally leave their directory or files
world-writable. The argument must be
.YN
The default is "\fByes\fR". (Only done with host-based authentication.)
.ne 3
.TP
.B Subsystem-
Specifies a subsystem. The argument is a command which will be executed
when the subsystem is requested. \fBsftp\fR uses a subsystem of
\fBsshd2\fR to transfer files securely.
In order to use the sftp server, you must have the following subsystem
definition:
.LP
\fBsubsystem-sftp\fR \fIsftp-server\fR
.LP
(the default way, with the defined command) or
.LP
\fBsubsystem-sftp\fR \fIinternal://sftp-server\fR
.LP
which will execute an sftp-service internally in the child process.
Normally, the child process would execute a command using the user's
shell, but in this case it will start to handle SFTP requests. This
enables better logging in chrooted environments, and does not require any
static binaries to be built, as the only binary needed will be
.B sshd2
itself.
.ne 3
.TP
.B SyslogFacility
Gives the facility code that is used when logging messages from
.B sshd2.
The possible values are: \fIDAEMON\fR, \fIUSER\fR, \fIAUTH\fR,
\fILOCAL0\fR, \fILOCAL1\fR, \fILOCAL2\fR, \fILOCAL3\fR, \fILOCAL4\fR,
\fILOCAL5\fR, \fILOCAL6\fR, \fILOCAL7\fR. The default is \fIAUTH\fR.
.ne 3
.TP
.B UserConfigDirectory
Specifies where user-specific configuration data is found. With this the
administration can control those options that are usually controlled by
the user. This is given as a pattern string which is expanded by
\fBsshd2\fR. %D is the user's home directory, %U is the user's login
name, %IU is the user's user ID (uid) and %IG is his group ID (gid). The
default is
.IR %D/.ssh2 .
.TP
.B UserKnownHosts
Specifies whether \fI\&$HOME/\s+2.\s0ssh2/knownhosts/\fR can be used to
fetch host public keys when using \fBhostbased\fR authentication. The
argument must be
.YN
The default is "\fByes\fR".
.ne 3
.TP
.B UserSpecificConfig
As
.BR HostSpecificConfig ,
but these configuration files are read later, when the user name that the
client is trying to log into is known. Also the range of configuration
options available is smaller, due to the fact that they would not make
sense in these files.
You can use patterns of form "\fIuser\fB[\fI%group\fB][\fI@host\fB]\fR",
where the pattern
.I user
is matched with the user name and UID,
.I group
is matched with the user's primary and any secondary groups, both group
name and GID, and
.I host
is matched as described under option
.BR AllowHosts .
See
.BR sshd2_subconfig (5)
for more thorough documentation on what you can set in this
subconfiguration file.
.ne 3
.TP
.B VerboseMode
Causes
.B sshd2
to print debugging messages about its progress. This is helpful in
debugging connection, authentication, and configuration problems. Also
causes
.B sshd2
to not fork on connection, so only one connection is handled at a time.
.ne 3
.TP
.B XauthPath
Specifies where to find the "xauth" program. This option is mostly
useful if you are using binaries, and your X11 programs are installed
somewhere that
.B ssh2
does not know about. The default is set by the
.B configure
script.
.ne 3
.SH AUTHORS
.LP
SSH Communications Security Corp.
For more information, see http://www.ssh.com.
.SH SEE ALSO
.BR sshd2_subconfig (5),
.BR sshd2 (8),
.BR sshd-check-conf (5),
.BR sshregex (1)