Lines Matching +full:allow +full:- +full:set +full:- +full:time

50 The file contains keyword-argument pairs, one per line.
61 keywords are case-insensitive and arguments are case-sensitive):
62 .Bl -tag -width Ds
77 requests a pseudo-terminal as it is required by the protocol.
102 .Xr ssh-agent 1
116 The allow/deny groups directives are processed in the following order:
127 Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
133 to allow StreamLocal forwarding,
137 to allow local (from the perspective of
141 to allow remote forwarding only.
152 to allow TCP forwarding,
156 to allow local (from the perspective of
160 to allow remote forwarding only.
176 The allow/deny users directives are processed in the following order:
189 This option must be followed by one or more lists of comma-separated
198 .Qq publickey,password publickey,keyboard-interactive
203 keyboard-interactive authentication before public key.
213 .Qq keyboard-interactive:bsdauth
230 .Qq gssapi-with-mic ,
232 .Qq keyboard-interactive ,
234 (used for access to password-less accounts when
290 Alternately this option may be set to
385 .Bd -literal -offset indent
386 ssh-ed25519,ecdsa-sha2-nistp256,
387 ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
388 sk-ssh-ed25519@openssh.com,
389 sk-ecdsa-sha2-nistp256@openssh.com,
390 rsa-sha2-512,rsa-sha2-256
395 character, then the specified algorithms will be appended to the default set
398 .Sq -
400 from the default set instead of replacing them.
403 public key or host-based authentication.
420 .Sx TIME FORMATS
437 .Bl -tag -width Ds
438 .It Cm agent-connection
440 .Xr ssh-agent 1 .
441 .It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
449 .It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
462 .It Cm tun-connection
466 .It Cm x11-connection
487 checks that all components of the pathname are root-owned directories
516 no additional configuration of the environment is necessary if the in-process
517 sftp-server is used,
521 .Xr sftp-server 8
537 Multiple ciphers must be comma-separated.
540 character, then the specified ciphers will be appended to the default set
543 .Sq -
545 from the default set instead of replacing them.
549 default set.
553 .Bl -item -compact -offset indent
555 3des-cbc
557 aes128-cbc
559 aes192-cbc
561 aes256-cbc
563 aes128-ctr
565 aes192-ctr
567 aes256-ctr
569 aes128-gcm@openssh.com
571 aes256-gcm@openssh.com
573 chacha20-poly1305@openssh.com
577 .Bd -literal -offset indent
578 chacha20-poly1305@openssh.com,
579 aes128-ctr,aes192-ctr,aes256-ctr,
580 aes128-gcm@openssh.com,aes256-gcm@openssh.com
584 .Qq ssh -Q cipher .
605 is set to 15, and
639 The allow/deny groups directives are processed in the following order:
660 The allow/deny users directives are processed in the following order:
672 .Xr ssh-agent 1 ,
674 This option overrides all other forwarding-related options and may
698 The command is invoked by using the user's login shell with the -c option.
707 .Cm internal-sftp
708 will force the use of an in-process SFTP server that requires no support
722 should allow remote port forwardings to bind to non-loopback addresses, thus
730 to allow the client to select the address to which the forwarding is bound.
745 If set to
749 If set to
758 authentication as a list of comma-separated patterns.
762 the default set instead of replacing them.
764 .Sq -
766 will be removed from the default set instead of replacing them.
770 the head of the default set.
772 .Bd -literal -offset 3n
773 ssh-ed25519-cert-v01@openssh.com,
774 ecdsa-sha2-nistp256-cert-v01@openssh.com,
775 ecdsa-sha2-nistp384-cert-v01@openssh.com,
776 ecdsa-sha2-nistp521-cert-v01@openssh.com,
777 sk-ssh-ed25519-cert-v01@openssh.com,
778 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
779 rsa-sha2-512-cert-v01@openssh.com,
780 rsa-sha2-256-cert-v01@openssh.com,
781 ssh-ed25519,
782 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
783 sk-ssh-ed25519@openssh.com,
784 sk-ecdsa-sha2-nistp256@openssh.com,
785 rsa-sha2-512,rsa-sha2-256
789 .Qq ssh -Q HostbasedAcceptedAlgorithms .
794 (host-based authentication).
833 will refuse to use a file if it is group/world-accessible
843 .Xr ssh-agent 1 .
845 Identifies the UNIX-domain socket used to communicate
856 .Bd -literal -offset 3n
857 ssh-ed25519-cert-v01@openssh.com,
858 ecdsa-sha2-nistp256-cert-v01@openssh.com,
859 ecdsa-sha2-nistp384-cert-v01@openssh.com,
860 ecdsa-sha2-nistp521-cert-v01@openssh.com,
861 sk-ssh-ed25519-cert-v01@openssh.com,
862 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
863 rsa-sha2-512-cert-v01@openssh.com,
864 rsa-sha2-256-cert-v01@openssh.com,
865 ssh-ed25519,
866 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
867 sk-ssh-ed25519@openssh.com,
868 sk-ecdsa-sha2-nistp256@openssh.com,
869 rsa-sha2-512,rsa-sha2-256
873 .Qq ssh -Q HostKeyAlgorithms .
875 Specifies whether to ignore per-user
881 The system-wide
889 (the default) to ignore all per-user files,
890 .Cm shosts-only
891 to allow the use of
897 to allow both
908 and use only the system-wide known hosts file
926 Specifies the IPv4 type-of-service or DSCP class for the connection.
959 interactive sessions and the second for non-interactive sessions.
962 (Low-Latency Data)
966 for non-interactive sessions.
968 Specifies whether to allow keyboard-interactive authentication.
1007 Multiple algorithms must be comma-separated.
1010 character, then the specified algorithms will be appended to the default set
1013 .Sq -
1015 from the default set instead of replacing them.
1019 default set.
1022 .Bl -item -compact -offset indent
1024 curve25519-sha256
1026 curve25519-sha256@libssh.org
1028 diffie-hellman-group1-sha1
1030 diffie-hellman-group14-sha1
1032 diffie-hellman-group14-sha256
1034 diffie-hellman-group16-sha512
1036 diffie-hellman-group18-sha512
1038 diffie-hellman-group-exchange-sha1
1040 diffie-hellman-group-exchange-sha256
1042 ecdh-sha2-nistp256
1044 ecdh-sha2-nistp384
1046 ecdh-sha2-nistp521
1048 sntrup761x25519-sha512@openssh.com
1052 .Bd -literal -offset indent
1053 sntrup761x25519-sha512@openssh.com,
1054 curve25519-sha256,curve25519-sha256@libssh.org,
1055 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1056 diffie-hellman-group-exchange-sha256,
1057 diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
1058 diffie-hellman-group14-sha256
1062 .Qq ssh -Q KexAlgorithms .
1069 .Bl -item -offset indent -compact
1115 The server disconnects after this time if the user has not
1117 If the value is 0, there is no time limit.
1134 .Bd -literal -offset indent
1149 Multiple algorithms must be comma-separated.
1152 character, then the specified algorithms will be appended to the default set
1155 .Sq -
1157 from the default set instead of replacing them.
1161 default set.
1164 .Qq -etm
1165 calculate the MAC after encryption (encrypt-then-mac).
1169 .Bl -item -compact -offset indent
1171 hmac-md5
1173 hmac-md5-96
1175 hmac-sha1
1177 hmac-sha1-96
1179 hmac-sha2-256
1181 hmac-sha2-512
1183 umac-64@openssh.com
1185 umac-128@openssh.com
1187 hmac-md5-etm@openssh.com
1189 hmac-md5-96-etm@openssh.com
1191 hmac-sha1-etm@openssh.com
1193 hmac-sha1-96-etm@openssh.com
1195 hmac-sha2-256-etm@openssh.com
1197 hmac-sha2-512-etm@openssh.com
1199 umac-64-etm@openssh.com
1201 umac-128-etm@openssh.com
1205 .Bd -literal -offset indent
1206 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1207 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1208 hmac-sha1-etm@openssh.com,
1209 umac-64@openssh.com,umac-128@openssh.com,
1210 hmac-sha2-256,hmac-sha2-512,hmac-sha1
1214 .Qq ssh -Q mac .
1220 set in the global section of the config file, until either another
1230 are one or more criteria-pattern pairs or the single token
1248 The match patterns may consist of single entries or comma-separated
1259 Note that the mask length provided must be consistent with the address -
1261 or one with bits set in this host portion of the address.
1364 file that contains the Diffie-Hellman groups used for the
1365 .Dq diffie-hellman-group-exchange-sha1
1367 .Dq diffie-hellman-group-exchange-sha256
1388 .Bl -item -offset indent -compact
1412 can also be used in place of a port number to allow all ports.
1430 .Bl -item -offset indent -compact
1457 can be used for host or port to allow all hosts or ports respectively.
1466 .Cm prohibit-password ,
1467 .Cm forced-commands-only ,
1480 If this option is set to
1481 .Cm prohibit-password
1483 .Cm without-password ) ,
1484 password and keyboard-interactive authentication are disabled for root.
1486 If this option is set to
1487 .Cm forced-commands-only ,
1496 If this option is set to
1511 .Cm point-to-point
1519 .Cm point-to-point
1527 device must allow access to the user.
1540 or a pattern-list specifying which environment variable names to accept
1589 should print the date and time of the last user login when a user logs
1606 authentication as a list of comma-separated patterns.
1609 character, then the specified algorithms will be appended to the default set
1612 .Sq -
1614 from the default set instead of replacing them.
1618 default set.
1620 .Bd -literal -offset 3n
1621 ssh-ed25519-cert-v01@openssh.com,
1622 ecdsa-sha2-nistp256-cert-v01@openssh.com,
1623 ecdsa-sha2-nistp384-cert-v01@openssh.com,
1624 ecdsa-sha2-nistp521-cert-v01@openssh.com,
1625 sk-ssh-ed25519-cert-v01@openssh.com,
1626 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1627 rsa-sha2-512-cert-v01@openssh.com,
1628 rsa-sha2-256-cert-v01@openssh.com,
1629 ssh-ed25519,
1630 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1631 sk-ssh-ed25519@openssh.com,
1632 sk-ecdsa-sha2-nistp256@openssh.com,
1633 rsa-sha2-512,rsa-sha2-256
1637 .Qq ssh -Q PubkeyAcceptedAlgorithms .
1643 .Cm touch-required
1645 .Cm verify-required .
1648 .Cm touch-required
1651 .Cm ecdsa-sk
1653 .Cm ed25519-sk )
1660 .Cm touch-required
1664 .Cm verify-required
1669 .Cm touch-required
1671 .Cm verify-required
1672 options have any effect for other, non-FIDO, public key types.
1680 amount of time that may pass before the session key is renegotiated.
1694 .Sx TIME FORMATS
1701 of data has been sent or received and no time based rekeying is done.
1706 User and host-based authentication keys smaller than this limit will be
1721 .Xr ssh-keygen 1 .
1723 .Xr ssh-keygen 1 .
1730 If the routing domain is set to
1735 FIDO authenticator-hosted keys, overriding the default of using
1736 the built-in USB HID support.
1738 Specifies one or more environment variables to set in child sessions started
1745 Environment variables set by
1755 used when creating a Unix-domain socket file for local or remote
1757 This option is only used for port forwarding to a Unix-domain socket file.
1759 The default value is 0177, which creates a Unix-domain socket file that is
1761 Note that not all operating systems honor the file mode on Unix-domain
1764 Specifies whether to remove an existing Unix-domain socket file for local
1770 will be unable to forward the port to the Unix-domain socket file.
1771 This option is only used for port forwarding to a Unix-domain socket file.
1785 directory or files world-writable.
1797 .Cm sftp-server
1801 .Cm internal-sftp
1802 implements an in-process SFTP server.
1807 .Cm sftp-server
1808 and even though it is in-process, settings such as
1812 do not apply to it and must be set explicitly via
1841 To disable TCP keepalive messages, the value should be set to
1858 .Xr ssh-keygen 1 .
1871 .Sx TIME FORMATS
1878 provide sufficient time for the client to request and open its channels
1907 If this option is set to
1921 If set to
1930 Because PAM keyboard-interactive authentication usually serves an equivalent
1940 as a non-root user.
1947 .Qq FreeBSD-20240806 .
2003 may be set to
2022 .Sh TIME FORMATS
2024 command-line arguments and configuration file options that specify time
2027 .Ar time Op Ar qualifier ,
2030 .Ar time
2035 .Bl -tag -width Ds -compact -offset indent
2051 the total time value.
2053 Time format examples:
2055 .Bl -tag -width Ds -compact -offset indent
2067 .Bl -tag -width XXXX -offset indent -compact
2073 four space-separated values: client address, client port number,
2086 The base64-encoded CA key.
2088 The base64-encoded key or certificate for authentication.
2119 .Bl -tag -width Ds
2124 (though not necessary) that it be world-readable.
2127 .Xr sftp-server 8 ,
2130 .An -nosplit
2138 removed many bugs, re-added newer features and