 reads configuration data from (or the file specified with on the command
 line). The file contains keyword-argument pairs, one per line. For each
 keyword, the first obtained value will be used. Lines starting with and empty
 lines are interpreted as comments. Arguments may optionally be enclosed in
 double quotes in order to represent arguments containing spaces. The possible
 keywords and their meanings are as follows (note that keywords are
 case-insensitive and arguments are case-sensitive):

 Specifies what environment variables sent by the client will be copied into
 the session's See in for how to configure the client. The environment
 variable is always sent whenever the client requests a pseudo-terminal as it
 is required by the protocol. Variables are specified by name, which may
 contain the wildcard characters and Multiple environment variables may be
 separated by whitespace or spread across multiple directives. Be warned that
 some environment variables could be used to bypass restricted user
 environments. For this reason, care should be taken in the use of this
 directive. The default is not to accept any environment variables.

 Specifies which address family should be used by Valid arguments are (the
 default), (use IPv4 only), or (use IPv6 only).

 Specifies whether forwarding is permitted. The default is Note that disabling
 agent forwarding does not improve security unless users are also denied shell
 access, as they can always install their own forwarders.

 This keyword can be followed by a list of group name patterns, separated by
 spaces. If specified, login is allowed only for users whose primary group or
 supplementary group list matches one of the patterns. Only group names are
 valid; a numerical group ID is not recognized. By default, login is allowed
 for all groups. The allow/deny directives are processed in the following
 order: and finally See PATTERNS in for more information on patterns.

 Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
 The available options are (the default) or to allow StreamLocal forwarding,
 to prevent all StreamLocal forwarding, to allow local (from the perspective
 of forwarding only or to allow remote forwarding only. Note that disabling
 StreamLocal forwarding does not improve security unless users are also denied
 shell access, as they can always install their own forwarders.

 Specifies whether TCP forwarding is permitted. The available options are (the
 default) or to allow TCP forwarding, to prevent all TCP forwarding, to allow
 local (from the perspective of forwarding only or to allow remote forwarding
 only. Note that disabling TCP forwarding does not improve security unless
 users are also denied shell access, as they can always install their own
 forwarders.

 This keyword can be followed by a list of user name patterns, separated by
 spaces. If specified, login is allowed only for user names that match one of
 the patterns. Only user names are valid; a numerical user ID is not
 recognized. By default, login is allowed for all users. If the pattern takes
 the form USER@HOST then USER and HOST are separately checked, restricting
 logins to particular users from particular hosts. HOST criteria may
 additionally contain addresses to match in CIDR address/masklen format. The
 allow/deny directives are processed in the following order: and finally See
 PATTERNS in for more information on patterns.

 Specifies the authentication methods that must be successfully completed for
 a user to be granted access. This option must be followed by one or more
 comma-separated lists of authentication method names, or by the single string
 to indicate the default behaviour of accepting any single authentication
 method. If the default is overridden, then successful authentication requires
 completion of every method in at least one of these lists. For example, would
 require the user to complete public key authentication, followed by either
 password or keyboard interactive authentication. Only methods that are next
 in one or more lists are offered at each stage, so for this example it would
 not be possible to attempt password or keyboard-interactive authentication
 before public key. For keyboard interactive authentication it is also
 possible to restrict authentication to a specific device by appending a colon
 followed by the device identifier or depending on the server configuration.
 For example, would restrict keyboard interactive authentication to the
 device. If the publickey method is listed more than once, verifies that keys
 that have been used successfully are not reused for subsequent
 authentications. For example, requires successful authentication using two
 different public keys. Note that each authentication method listed should
 also be explicitly enabled in the configuration. The available authentication
 methods are: (used for access to password-less accounts when is enabled),
 and

 Specifies a program to be used to look up the user's public keys. The program
 must be owned by root, not writable by group or others and specified by an
 absolute path. Arguments to accept the tokens described in the section. If no
 arguments are specified then the username of the target user is used. The
 program should produce on standard output zero or more lines of
 authorized_keys output (see in If a key supplied by does not successfully
 authenticate and authorize the user then public key authentication continues
 using the usual files. By default, no is run.

 Specifies the user under whose account the is run. It is recommended to use a
 dedicated user that has no other role on the host than running authorized
 keys commands. If is specified but is not, then will refuse to start.

 Specifies the file that contains the public keys used for user
 authentication. The format is described in the section of Arguments to accept
 the tokens described in the section. After expansion, is taken to be an
 absolute path or one relative to the user's home directory. Multiple files
 may be listed, separated by whitespace. Alternately this option may be set to
 to skip checking for user keys in files. The default is

 Specifies a program to be used to generate the list of allowed certificate
 principals as per The program must be owned by root, not writable by group or
 others and specified by an absolute path. Arguments to accept the tokens
 described in the section. If no arguments are specified then the username of
 the target user is used. The program should produce on standard output zero
 or more lines of output. If either or is specified, then certificates offered
 by the client for authentication must contain a principal that is listed. By
 default, no is run.

 Specifies the user under whose account the is run. It is recommended to use a
 dedicated user that has no other role on the host than running authorized
 principals commands. If is specified but is not, then will refuse to start.

 Specifies a file that lists principal names that are accepted for certificate
 authentication. When using certificates signed by a key listed in this file
 lists names, one of which must appear in the certificate for it to be
 accepted for authentication. Names are listed one per line preceded by key
 options (as described in in Empty lines and comments starting with are
 ignored. Arguments to accept the tokens described in the section. After
 expansion, is taken to be an absolute path or one relative to the user's home
 directory. The default is i.e. not to use a principals file in this case, the
 username of the user must appear in a certificate's principals list for it to
 be accepted. Note that is only used when authentication proceeds using a CA
 listed in and is not consulted for certification authorities trusted via
 though the key option offers a similar facility (see for details).

 The contents of the specified file are sent to the remote user before
 authentication is allowed. If the argument is then no banner is displayed. By
 default, no banner is displayed.
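 The stage-by-stage rule that the authentication methods directive above describes
 (a list stays live only while the methods completed so far match its leading
 entries, only the next entry of a live list is offered, and access is granted
 once any list is finished) can be modelled directly. The following is an added
 example, not code from OpenSSH; the method names are the ones the manual lists
 for the directive, and the "any" token is assumed to be the single string that
 restores the default behaviour.

```python
"""Model of how an AuthenticationMethods value is evaluated stage by stage.
Added example, not sshd's own code."""
from typing import List, Sequence, Tuple

# Method names the manual lists for this directive.
KNOWN_METHODS = {"gssapi-with-mic", "hostbased", "keyboard-interactive",
                 "none", "password", "publickey"}


def parse_authentication_methods(value: str) -> List[List[str]]:
    """Split 'publickey,password publickey,keyboard-interactive' into lists.
    A device qualifier such as 'keyboard-interactive:bsdauth' stays attached
    to the method name; only the part before the colon is validated.
    An empty result means 'any' (the default: one method of any kind)."""
    if value.strip() == "any":           # assumed spelling of the default token
        return []
    lists = []
    for item in value.split():
        methods = item.split(",")
        for m in methods:
            if m.split(":", 1)[0] not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method: {m!r}")
        lists.append(methods)
    if not lists:
        raise ValueError("AuthenticationMethods needs at least one list")
    return lists


def offered_methods(lists: Sequence[Sequence[str]],
                    completed: Sequence[str]) -> Tuple[List[str], bool]:
    """Given the methods the client has completed so far (in order), return
    (methods offered at this stage, whether authentication is complete)."""
    if not lists:                        # default: any single method suffices
        return (sorted(KNOWN_METHODS) if not completed else [], bool(completed))
    offered: List[str] = []
    done = False
    n = len(completed)
    for methods in lists:
        # A list is live only if everything completed so far is its prefix;
        # a client that tried password first never matches a publickey-first list.
        if list(methods[:n]) != list(completed):
            continue
        if n == len(methods):
            done = True
        elif methods[n] not in offered:
            # 'publickey,publickey' legitimately offers publickey again; the
            # requirement that the second key differ is not modelled here.
            offered.append(methods[n])
    return offered, done


if __name__ == "__main__":
    spec = parse_authentication_methods("publickey,password publickey,keyboard-interactive")
    for progress in ([], ["publickey"], ["publickey", "password"], ["password"]):
        print(progress, "->", offered_methods(spec, progress))
```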
 Specifies whether challenge-response authentication is allowed (e.g. via PAM
 or through authentication styles supported in The default is

 Specifies the pathname of a directory to chroot to after authentication. At
 session startup checks that all components of the pathname are root-owned
 directories which are not writable by any other user or group. After the
 chroot, changes the working directory to the user's home directory. Arguments
 to accept the tokens described in the section. The must contain the necessary
 files and directories to support the user's session. For an interactive
 session this requires at least a shell, typically and basic nodes such as and
 devices.
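 The component check described above (every element of the chroot pathname must
 be a root-owned directory not writable by group or others) is easy to pre-verify
 before deploying a configuration. This is an added example, not sshd's own
 code; the stat_fn parameter and the SAMPLE_TREE data are assumptions of the
 example so that it runs against constructed data rather than a real filesystem.

```python
"""Pre-flight check for the ownership and mode rule of a chroot pathname.
Added example, not OpenSSH code."""
import os
import stat
from typing import Callable, Dict, List, Tuple


def chroot_component_problems(path: str,
                              stat_fn: Callable[[str], os.stat_result] = os.stat
                              ) -> List[str]:
    """Return the problems found; an empty list means every component passes.
    Symlinks are followed because os.stat follows them."""
    if not os.path.isabs(path):
        return [f"{path}: chroot path must be absolute"]
    parts = [p for p in path.split("/") if p]
    # Inspect "/", "/srv", "/srv/sftp", ... so the parents are checked as well.
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    problems: List[str] = []
    for prefix in prefixes:
        try:
            st = stat_fn(prefix)
        except OSError as exc:
            problems.append(f"{prefix}: cannot stat ({exc.strerror})")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{prefix}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{prefix}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{prefix}: writable by group or others "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def fake_stat(entries: Dict[str, Tuple[int, int]]) -> Callable[[str], os.stat_result]:
    """Build an os.stat stand-in from {path: (st_mode, st_uid)} (test aid)."""
    def stat_fn(p: str) -> os.stat_result:
        if p not in entries:
            raise FileNotFoundError(2, "No such file or directory", p)
        mode, uid = entries[p]
        return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
    return stat_fn


# Constructed sample tree: /srv/sftp is a valid chroot; /srv/sftp/upload is
# the classic mistake of chrooting into a directory the user can write;
# /tmp shows that the sticky bit does not excuse world-writability.
SAMPLE_TREE = {
    "/": (stat.S_IFDIR | 0o755, 0),
    "/srv": (stat.S_IFDIR | 0o755, 0),
    "/srv/sftp": (stat.S_IFDIR | 0o755, 0),
    "/srv/sftp/upload": (stat.S_IFDIR | 0o775, 1001),
    "/tmp": (stat.S_IFDIR | 0o1777, 0),
}

if __name__ == "__main__":
    for candidate in ("/srv/sftp", "/srv/sftp/upload", "/tmp"):
        found = chroot_component_problems(candidate, fake_stat(SAMPLE_TREE))
        print(candidate, "OK" if not found else "; ".join(found))
```

 Against a live host, call chroot_component_problems with the default stat_fn to
 inspect the real directory tree.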
 For file transfer sessions using SFTP no additional configuration of the
 environment is necessary if the in-process sftp-server is used, though
 sessions which use logging may require inside the chroot directory on some
 operating systems (see for details). For safety, it is very important that
 the directory hierarchy be prevented from modification by other processes on
 the system (especially those outside the jail). Misconfiguration can lead to
 unsafe environments which cannot detect. The default is indicating not to

 Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If
 the specified value begins with a character, then the specified ciphers will
 be appended to the default set instead of replacing them. If the specified
 value begins with a character, then the specified ciphers (including
 wildcards) will be removed from the default set instead of replacing them.
 The supported ciphers are:

    3des-cbc
    aes128-cbc
    aes192-cbc
    aes256-cbc
    aes128-ctr
    aes192-ctr
    aes256-ctr
    aes128-gcm@openssh.com
    aes256-gcm@openssh.com
    chacha20-poly1305@openssh.com

 The default is:

    chacha20-poly1305@openssh.com,
    aes128-ctr,aes192-ctr,aes256-ctr,
    aes128-gcm@openssh.com,aes256-gcm@openssh.com

 The list of available ciphers may also be obtained using

 Sets the number of client alive messages which may be sent without receiving
 any messages back from the client. If this threshold is reached while client
 alive messages are being sent, sshd will disconnect the client, terminating
 the session. It is important to note that the use of client alive messages
 is very different from The client alive messages are sent through the
 encrypted channel and therefore will not be spoofable. The TCP keepalive
 option enabled by is spoofable. The client alive mechanism is valuable when
 the client or server depend on knowing when a connection has become
 inactive. The default value is 3. If is set to 15, and is left at the
 default, unresponsive SSH clients will be disconnected after approximately 45
 seconds.

 Sets a timeout interval in seconds after which if no data has been received
 from the client, will send a message through the encrypted channel to request
 a response from the client. The default is 0, indicating that these messages
 will not be sent to the client.

 Specifies whether compression is enabled after the user has authenticated
 successfully. The argument must be (a legacy synonym for or The default is

 This keyword can be followed by a list of group name patterns, separated by
 spaces. Login is disallowed for users whose primary group or supplementary
 group list matches one of the patterns. Only group names are valid; a
 numerical group ID is not recognized. By default, login is allowed for all
 groups. The allow/deny directives are processed in the following order: and
 finally See PATTERNS in for more information on patterns.

 This keyword can be followed by a list of user name patterns, separated by
 spaces. Login is disallowed for user names that match one of the patterns.
 Only user names are valid; a numerical user ID is not recognized. By default,
 login is allowed for all users. If the pattern takes the form USER@HOST then
 USER and HOST are separately checked, restricting logins to particular users
 from particular hosts. HOST criteria may additionally contain addresses to
 match in CIDR address/masklen format. The allow/deny directives are processed
 in the following order: and finally See PATTERNS in for more information on
 patterns.

 Disables all forwarding features, including X11, TCP and StreamLocal. This
 option overrides all other forwarding-related options and may simplify
 restricted configurations.

 Writes a temporary file containing a list of authentication methods and
 public credentials (e.g. keys) used to authenticate the user. The location of
 the file is exposed to the user session through the environment variable.
 The default is

 Specifies the hash algorithm used when logging key fingerprints. Valid
 options are: and The default is

 Forces the execution of the command specified by ignoring any command
 supplied by the client and if present. The command is invoked by using the
 user's login shell with the -c option. This applies to shell, command, or
 subsystem execution. It is most useful inside a block. The command originally
 supplied by the client is available in the environment variable. Specifying a
 command of will force the use of an in-process SFTP server that requires no
 support files when used with The default is

 Specifies whether remote hosts are allowed to connect to ports forwarded for
 the client. By default, binds remote port forwardings to the loopback
 address. This prevents other remote hosts from connecting to forwarded ports.
 can be used to specify that sshd should allow remote port forwardings to bind
 to non-loopback addresses, thus allowing other hosts to connect. The argument
 may be to force remote port forwardings to be available to the local host
 only, to force remote port forwardings to bind to the wildcard address, or to
 allow the client to select the address to which the forwarding is bound. The
 default is

 Specifies whether user authentication based on GSSAPI is allowed. The default
 is

 Specifies whether to automatically destroy the user's credentials cache on
 logout. The default is

 Determines whether to be strict about the identity of the GSSAPI acceptor a
 client authenticates against. If set to then the client must authenticate
 against the host service on the current hostname. If set to then the client
 may authenticate against any service key stored in the machine's default
 store. This facility is provided to assist with operation on multi homed
 machines. The default is

 Specifies the key types that will be accepted for hostbased authentication as
 a comma-separated pattern list. Alternately if the specified value begins
 with a character, then the specified key types will be appended to the
 default set instead of replacing them. If the specified value begins with a
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them. The default for this option
 is:

    ecdsa-sha2-nistp256-cert-v01@openssh.com,
    ecdsa-sha2-nistp384-cert-v01@openssh.com,
    ecdsa-sha2-nistp521-cert-v01@openssh.com,
    ssh-ed25519-cert-v01@openssh.com,
    ssh-rsa-cert-v01@openssh.com,
    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
    ssh-ed25519,ssh-rsa

 The list of available key types may also be obtained using

 Specifies whether rhosts or /etc/hosts.equiv authentication together with
 successful public key client host authentication is allowed (host-based
 authentication). The default is

 Specifies whether or not the server will attempt to perform a reverse name
 lookup when matching the name in the and files during A setting of means
 that uses the name supplied by the client rather than attempting to resolve
 the name from the TCP connection itself. The default is

 Specifies a file containing a public host certificate. The certificate's
 public key must match a private host key already specified by The default
 behaviour of is not to load any certificates.

 Specifies a file containing a private host key used by SSH. The defaults are
 and Note that will refuse to use a file if it is group/world-accessible and
 that the option restricts which of the keys are actually used by It is
 possible to have multiple host key files. It is also possible to specify
 public host key files instead. In this case operations on the private key
 will be delegated to an

 Identifies the UNIX-domain socket used to communicate with an agent that has
 access to the private host keys. If the string is specified, the location of
 the socket will be read from the environment variable.

 Specifies the host key algorithms that the server offers. The default for
 this option is:

    ecdsa-sha2-nistp256-cert-v01@openssh.com,
    ecdsa-sha2-nistp384-cert-v01@openssh.com,
    ecdsa-sha2-nistp521-cert-v01@openssh.com,
    ssh-ed25519-cert-v01@openssh.com,
    ssh-rsa-cert-v01@openssh.com,
    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
    ssh-ed25519,ssh-rsa

 The list of available key types may also be obtained using

 Specifies that and files will not be used in and are still used. The default
 is

 Specifies whether should ignore the user's during and use only the
 system-wide known hosts file The default is

 Specifies the IPv4 type-of-service or DSCP class for the connection. Accepted
 values are a numeric value, or to use the operating system default. This
 option may take one or two arguments, separated by whitespace. If one
 argument is specified, it is used as the packet class unconditionally. If two
 values are specified, the first is automatically selected for interactive
 sessions and the second for non-interactive sessions. The default is for
 interactive sessions and for non-interactive sessions.

 Specifies whether to allow keyboard-interactive authentication. The argument
 to this keyword must be or The default is to use whatever value is set to (by
 default

 Specifies whether the password provided by the user for will be validated
 through the Kerberos KDC. To use this option, the server needs a Kerberos
 servtab which allows the verification of the KDC's identity. The default is

 If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS
 token before accessing the user's home directory. The default is

 If password authentication through Kerberos fails then the password will be
 validated via any additional local mechanism such as The default is

 Specifies whether to automatically destroy the user's ticket cache file on
 logout. The default is

 Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms
 must be comma-separated. Alternately if the specified value begins with a
 character, then the specified methods will be appended to the default set
 instead of replacing them. If the specified value begins with a character,
 then the specified methods (including wildcards) will be removed from the
 default set instead of replacing them. The supported algorithms are:

    curve25519-sha256
    curve25519-sha256@libssh.org
    diffie-hellman-group1-sha1
    diffie-hellman-group14-sha1
    diffie-hellman-group14-sha256
    diffie-hellman-group16-sha512
    diffie-hellman-group18-sha512
    diffie-hellman-group-exchange-sha1
    diffie-hellman-group-exchange-sha256
    ecdh-sha2-nistp256
    ecdh-sha2-nistp384
    ecdh-sha2-nistp521

 The default is:

    curve25519-sha256,curve25519-sha256@libssh.org,
    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
    diffie-hellman-group-exchange-sha256,
    diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
    diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

 The list of available key exchange algorithms may also be obtained using

 Specifies the local addresses should listen on. The following forms may be
 used: The optional qualifier requests listen in an explicit routing domain.
 If is not specified, sshd will listen on the address and all options
 specified. The default is to listen on all local addresses on the current
 default routing domain. Multiple options are permitted. For more information
 on routing domains, see

 The server disconnects after this time if the user has not successfully
 logged in. If the value is 0, there is no time limit. The default is 120
 seconds.

 Gives the verbosity level that is used when logging messages from The
 possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1,
 DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging
 with a DEBUG level violates the privacy of users and is not recommended.
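 The pattern lists used by the allow/deny user and group directives above, with
 their USER@HOST and CIDR forms, and by the Match address criteria described
 further below, follow one set of rules: comma-separated entries, '*' and '?'
 wildcards, '!' negation, and CIDR entries that must have a valid mask length
 with no host bits set. The following is an added example that models those
 rules; it is not OpenSSH's own matcher, and it treats HOST as the client
 address only (hostname matching via reverse lookup is not modelled).

```python
"""Pattern-list and CIDR matching as the sshd_config manual describes it.
Added example, not OpenSSH code."""
import fnmatch
import ipaddress
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_cidr(entry: str) -> Network:
    """Validate an address/masklen entry the way the manual requires."""
    try:
        # strict=True rejects host bits set below the mask (192.0.2.0/8);
        # an impossible mask length such as /33 fails to parse at all.
        return ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        raise ValueError(f"bad address/masklen {entry!r}: {exc}") from None


def _split_entry(entry: str):
    negate = entry.startswith("!")
    return negate, (entry[1:] if negate else entry)


def match_pattern_list(pattern_list: str, value: str) -> bool:
    """A negated entry that matches wins immediately (no match); otherwise
    any positive entry that matches means success. fnmatchcase supplies the
    '*' and '?' wildcards the manual names."""
    matched = False
    for entry in filter(None, pattern_list.split(",")):
        negate, pat = _split_entry(entry)
        if fnmatch.fnmatchcase(value, pat):
            if negate:
                return False
            matched = True
    return matched


def match_address_list(pattern_list: str, client_ip: str) -> bool:
    """Address form used by Match and by the HOST part of USER@HOST: each
    entry is a CIDR block or a wildcard pattern over the address text."""
    addr = ipaddress.ip_address(client_ip)
    matched = False
    for entry in filter(None, pattern_list.split(",")):
        negate, pat = _split_entry(entry)
        if "/" in pat:
            hit = addr in parse_cidr(pat)   # False across IPv4/IPv6 families
        else:
            hit = fnmatch.fnmatchcase(client_ip, pat)
        if hit:
            if negate:
                return False
            matched = True
    return matched


def allow_users_permits(allow_users: str, user: str, client_ip: str) -> bool:
    """Allow-list semantics: whitespace-separated patterns, each USER or
    USER@HOST with the two parts checked separately. Login is permitted if
    any pattern matches."""
    for pattern in allow_users.split():
        user_pat, _, host_pat = pattern.partition("@")
        if not match_pattern_list(user_pat, user):
            continue
        if host_pat and not match_address_list(host_pat, client_ip):
            continue
        return True
    return False


if __name__ == "__main__":
    rule = "alice@192.0.2.0/24 backup@!192.0.2.0/24,10.*"   # constructed sample rule
    for who, where in (("alice", "192.0.2.10"), ("alice", "198.51.100.7"),
                       ("backup", "10.1.2.3"), ("backup", "192.0.2.99")):
        print(who, where, allow_users_permits(rule, who, where))
```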
 Specifies the available MAC (message authentication code) algorithms. The MAC
 algorithm is used for data integrity protection. Multiple algorithms must be
 comma-separated. If the specified value begins with a character, then the
 specified algorithms will be appended to the default set instead of replacing
 them. If the specified value begins with a character, then the specified
 algorithms (including wildcards) will be removed from the default set instead
 of replacing them. The algorithms that contain calculate the MAC after
 encryption (encrypt-then-mac). These are considered safer and their use
 recommended. The supported MACs are:

    hmac-md5
    hmac-md5-96
    hmac-sha1
    hmac-sha1-96
    hmac-sha2-256
    hmac-sha2-512
    umac-64@openssh.com
    umac-128@openssh.com
    hmac-md5-etm@openssh.com
    hmac-md5-96-etm@openssh.com
    hmac-sha1-etm@openssh.com
    hmac-sha1-96-etm@openssh.com
    hmac-sha2-256-etm@openssh.com
    hmac-sha2-512-etm@openssh.com
    umac-64-etm@openssh.com
    umac-128-etm@openssh.com

 The default is:

    umac-64-etm@openssh.com,umac-128-etm@openssh.com,
    hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
    hmac-sha1-etm@openssh.com,
    umac-64@openssh.com,umac-128@openssh.com,
    hmac-sha2-256,hmac-sha2-512,hmac-sha1

 The list of available MAC algorithms may also be obtained using

 Introduces a conditional block. If all of the criteria on the line are
 satisfied, the keywords on the following lines override those set in the
 global section of the config file, until either another line or the end of
 the file. If a keyword appears in multiple blocks that are satisfied, only
 the first instance of the keyword is applied. The arguments to are one or
 more criteria-pattern pairs or the single token which matches all criteria.
 The available criteria are and (with representing the on which the
 connection was received.) The match patterns may consist of single entries or
 comma-separated lists and may use the wildcard and negation operators
 described in the section of The patterns in an criteria may additionally
 contain addresses to match in CIDR address/masklen format, such as
 192.0.2.0/24 or 2001:db8::/32. Note that the mask length provided must be
 consistent with the address - it is an error to specify a mask length that is
 too long for the address or one with bits set in this host portion of the
 address. For example, 192.0.2.0/33 and 192.0.2.0/8, respectively. Only a
 subset of keywords may be used on the lines following a keyword. Available
 keywords are and

 Specifies the maximum number of authentication attempts permitted per
 connection. Once the number of failures reaches half this value, additional
 failures are logged. The default is 6.

 Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
 sessions permitted per network connection. Multiple sessions may be
 established by clients that support connection multiplexing. Setting to 1
 will effectively disable session multiplexing, whereas setting it to 0 will
 prevent all shell, login and subsystem sessions while still permitting
 forwarding. The default is 10.

 Specifies the maximum number of concurrent unauthenticated connections to the
 SSH daemon. Additional connections will be dropped until authentication
 succeeds or the expires for a connection. The default is 10:30:100.
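 The random early drop form of this directive (start:rate:full, explained in the
 next paragraph) refuses a new unauthenticated connection with a probability that
 is rate percent at start connections and rises linearly to 100 percent at full.
 The following added example, not sshd's own code, computes that percentage and
 parses both the plain and the three-value forms; the treatment of a plain limit
 as start:100:start is an assumption of the example.

```python
"""MaxStartups parsing and the random early drop percentage.
Added example, not OpenSSH code."""
import random
from typing import Tuple


def parse_max_startups(value: str) -> Tuple[int, int, int]:
    """Accept '10' (plain limit) or 'start:rate:full'. A plain limit is
    treated here as start:100:start, i.e. refuse everything at the limit."""
    parts = value.split(":")
    try:
        if len(parts) == 1:
            full = int(parts[0])
            start, rate = full, 100
        elif len(parts) == 3:
            start, rate, full = (int(p) for p in parts)
        else:
            raise ValueError
    except ValueError:
        raise ValueError(f"bad MaxStartups value {value!r}") from None
    if start < 1 or full < start or not 0 <= rate <= 100:
        raise ValueError(f"inconsistent MaxStartups value {value!r}")
    return start, rate, full


def refusal_percent(unauth: int, start: int, rate: int, full: int) -> int:
    """Percentage chance that one more connection is refused when `unauth`
    connections are already waiting for authentication."""
    if unauth < start:
        return 0
    if unauth >= full:
        return 100
    # Linear interpolation from rate (at start) to 100 (at full),
    # using integer arithmetic so the result is a whole percentage.
    return rate + (100 - rate) * (unauth - start) // (full - start)


def should_refuse(unauth: int, spec: str, rng=random) -> bool:
    """Decide for one incoming connection; rng.randrange(100) stands in for
    the uniform draw in [0, 100) the daemon makes."""
    start, rate, full = parse_max_startups(spec)
    return rng.randrange(100) < refusal_percent(unauth, start, rate, full)


if __name__ == "__main__":
    s, r, f = parse_max_startups("10:30:60")   # the manual's worked example
    for pending in (5, 10, 35, 59, 60, 200):
        print(f"{pending:3d} pending -> refuse {refusal_percent(pending, s, r, f):3d}%")
```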
 Alternatively, random early drop can be enabled by specifying the three colon
 separated values start:rate:full (e.g. "10:30:60"). will refuse connection
 attempts with a probability of rate/100 (30%) if there are currently start
 (10) unauthenticated connections. The probability increases linearly and all
 connection attempts are refused if the number of unauthenticated connections
 reaches full (60).

 Specifies whether password authentication is allowed. The default is

 When password authentication is allowed, it specifies whether the server
 allows login to accounts with empty password strings. The default is

 Specifies the destinations to which TCP port forwarding is permitted. The
 forwarding specification must be one of the following forms: Multiple
 forwards may be specified by separating them with whitespace. An argument of
 can be used to remove all restrictions and permit any forwarding requests. An
 argument of can be used to prohibit all forwarding requests. The wildcard can
 be used for host or port to allow all hosts or ports, respectively. By
 default all port forwarding requests are permitted.

 Specifies whether root can log in using The argument must be or The default
 is If this option is set to (or its deprecated alias, password and
 keyboard-interactive authentication are disabled for root. If this option is
 set to root login with public key authentication will be allowed, but only if
 the option has been specified (which may be useful for taking remote backups
 even if root login is normally not allowed). All other authentication methods
 are disabled for root. If this option is set to root is not allowed to log
 in.

 Specifies whether allocation is permitted. The default is

 Specifies whether device forwarding is allowed. The argument must be (layer
 3), (layer 2), or Specifying permits both and The default is Independent of
 this setting, the permissions of the selected device must allow access to the
 user.
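 The '+' and '-' prefix rule is stated identically for the cipher, host key
 algorithm, hostbased key type, key exchange and MAC directives above and for
 the public key type directive below: a plain value replaces the default list,
 a '+' list appends to it, and a '-' list removes matching entries, wildcards
 included. The following added example, not OpenSSH code, resolves a directive
 value against the cipher defaults printed in this manual; the optional
 supported list stands in for what the manual says can be obtained from the
 client's query option.

```python
"""Resolve a '+' / '-' / plain algorithm list against the defaults.
Added example, not OpenSSH code."""
import fnmatch
from typing import Iterable, List, Optional

# The supported and default cipher lists as printed in the manual above.
SUPPORTED_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


def apply_algorithm_spec(default: Iterable[str], spec: str,
                         supported: Optional[Iterable[str]] = None) -> List[str]:
    """Resolve a directive value against the default list.

    supported, when given, is the set this build offers; an explicitly
    listed algorithm outside it is rejected, as the daemon would reject the
    configuration at startup. Wildcards are honoured only in a '-' list,
    which is the only place the manual allows them."""
    result = list(default)
    prefix = spec[:1] if spec[:1] in ("+", "-") else ""
    names = [n for n in spec[len(prefix):].split(",") if n]
    if not names:
        raise ValueError(f"empty algorithm list in {spec!r}")
    if prefix == "-":
        # Remove every default that matches any of the patterns.
        result = [a for a in result
                  if not any(fnmatch.fnmatchcase(a, p) for p in names)]
    else:
        if supported is not None:
            known = set(supported)
            unknown = [n for n in names if n not in known]
            if unknown:
                raise ValueError(f"unsupported algorithm(s): {unknown}")
        if prefix == "+":
            # Append, keeping default order and skipping duplicates.
            result += [n for n in names if n not in result]
        else:
            result = names
    if not result:
        raise ValueError(f"{spec!r} leaves no algorithms enabled")
    return result


if __name__ == "__main__":
    for value in ("-aes128*", "+aes256-cbc", "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"):
        print(value, "->", apply_algorithm_spec(DEFAULT_CIPHERS, value, SUPPORTED_CIPHERS))
```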
 Specifies whether and options in are processed by The default is Enabling
 environment processing may enable users to bypass access restrictions in some
 configurations using mechanisms such as

 Specifies whether any file is executed. The default is

 Specifies the file that contains the process ID of the SSH daemon, or to not
 write one. The default is

 Specifies the port number that listens on. The default is 22. Multiple
 options of this type are permitted. See also

 Specifies whether should print the date and time of the last user login when
 a user logs in interactively. The default is

 Specifies whether should print when a user logs in interactively. (On some
 systems it is also printed by the shell, or equivalent.) The default is

 Specifies the key types that will be accepted for public key authentication
 as a comma-separated pattern list. Alternately if the specified value begins
 with a character, then the specified key types will be appended to the
 default set instead of replacing them. If the specified value begins with a
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them. The default for this option
 is:

    ecdsa-sha2-nistp256-cert-v01@openssh.com,
    ecdsa-sha2-nistp384-cert-v01@openssh.com,
    ecdsa-sha2-nistp521-cert-v01@openssh.com,
    ssh-ed25519-cert-v01@openssh.com,
    ssh-rsa-cert-v01@openssh.com,
    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
    ssh-ed25519,ssh-rsa

 The list of available key types may also be obtained using

 Specifies whether public key authentication is allowed. The default is

 Specifies the maximum amount of data that may be transmitted before the
 session key is renegotiated, optionally followed by a maximum amount of time
 that may pass before the session key is renegotiated. The first argument is
 specified in bytes and may have a suffix of or to indicate Kilobytes,
 Megabytes, or Gigabytes, respectively. The default is between and depending
 on the cipher. The optional second value is specified in seconds and may use
 any of the units documented in the section. The default value for is which
 means that rekeying is performed after the cipher's default amount of data
 has been sent or received and no time based rekeying is done.

 Specifies revoked public keys file, or to not use one. Keys listed in this
 file will be refused for public key authentication. Note that if this file is
 not readable, then public key authentication will be refused for all users.
 Keys may be specified as a text file, listing one public key per line, or as
 an OpenSSH Key Revocation List (KRL) as generated by For more information on
 KRLs, see the KEY REVOCATION LISTS section in

 Specifies an explicit routing domain that is applied after authentication
 has completed. The user session, as well as any forwarded or listening IP
 sockets, will be bound to this If the routing domain is set to then the
 domain in which the incoming connection was received will be applied.

 Sets the octal file creation mode mask used when creating a Unix-domain
 socket file for local or remote port forwarding. This option is only used for
 port forwarding to a Unix-domain socket file. The default value is 0177,
 which creates a Unix-domain socket file that is readable and writable only by
 the owner. Note that not all operating systems honor the file mode on
 Unix-domain socket files.

 Specifies whether to remove an existing Unix-domain socket file for local or
 remote port forwarding before creating a new one. If the socket file already
 exists and is not enabled, will be unable to forward the port to the
 Unix-domain socket file. This option is only used for port forwarding to a
 Unix-domain socket file. The argument must be or The default is

 Specifies whether should check file modes and ownership of the user's files
 and home directory before accepting login. This is normally desirable because
 novices sometimes accidentally leave their directory or files world-writable.
 The default is Note that this does not apply to whose permissions and
 ownership are checked unconditionally.

 Configures an external subsystem (e.g. file transfer daemon). Arguments
 should be a subsystem name and a command (with optional arguments) to execute
 upon subsystem request. The command implements the SFTP file transfer
 subsystem. Alternately the name implements an in-process SFTP server. This
 may simplify configurations using to force a different filesystem root on
 clients. By default no subsystems are defined.

 Gives the facility code that is used when logging messages from The possible
 values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4,
 LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

 Specifies whether the system should send TCP keepalive messages to the other
 side. If they are sent, death of the connection or crash of one of the
 machines will be properly noticed. However, this means that connections will
 die if the route is down temporarily, and some people find it annoying. On
 the other hand, if TCP keepalives are not sent, sessions may hang
 indefinitely on the server, leaving users and consuming server resources. The
 default is (to send TCP keepalive messages), and the server will notice if
 the network goes down or the client host crashes. This avoids infinitely
 hanging sessions. To disable TCP keepalive messages, the value should be set
 to

 Specifies a file containing public keys of certificate authorities that are
 trusted to sign user certificates for authentication, or to not use one. Keys
 are listed one per line; empty lines and comments starting with are allowed.
 If a certificate is presented for authentication and has its signing CA key
 listed in this file, then it may be used for authentication for any user
 listed in the certificate's principals list. Note that certificates that lack
 a list of principals will not be permitted for authentication using For more
 details on certificates, see the CERTIFICATES section in

 Specifies whether should look up the remote host name, and to check that the
 resolved host name for the remote IP address maps back to the very same IP
 address. If this option is set to (the default) then only addresses and not
 host names may be used in and directives.

 Enables the Pluggable Authentication Module interface. If set to this will
 enable PAM authentication using and
 in  addition  to  PAM  account  and  session  module  processing  for   all
 authentication   types.    Because  PAM  challenge-response  authentication
 usually serves an equivalent role to password  authentication,  you  should
 disable  either or If is enabled, you will not be able to run as a non-root
 user.  The default is Optionally specifies additional text to append to the
 SSH  protocol  banner  sent  by the server upon connection.  The default is
 Specifies the first display number  available  for  X11  forwarding.   This
 prevents  sshd  from interfering with real X11 servers.  The default is 10.
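 As an added example (not part of this manual page or of OpenSSH), a Python
 parser that applies the first-value-wins, case-insensitive keyword rule to
 an sshd_config and flags the settings this section warns about; the sample
 configuration is constructed, and Match blocks are assumed absent (parsing
 stops at the first one).

```python
import shlex

# Constructed sample sshd_config (not from any real host): one keyword is
# given twice to show that the first value wins; the mask is weak on purpose.
SAMPLE_CONFIG = """\
# constructed demo config
StrictModes no
strictmodes yes
X11Forwarding yes
StreamLocalBindMask 0000
Subsystem sftp internal-sftp
TrustedUserCAKeys /etc/ssh/user_ca.pub
VersionAddendum "lab build"
TCPKeepAlive yes
"""

def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keyword -> its first argument string.  Blank lines and
    lines starting with '#' are comments; double quotes group arguments with
    spaces; keywords are case-insensitive, arguments are not.
    Assumption: Match blocks are not evaluated, so parsing stops there."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, " ".join(parts[1:]))  # first obtained value wins
    return conf

def audit(conf: dict) -> list:
    """Findings for settings this part of sshd_config(5) warns about, using
    the manual's defaults when a keyword is absent."""
    findings = []
    if conf.get("strictmodes", "yes") == "no":
        findings.append("StrictModes no: world-writable ~/.ssh files are accepted")
    if conf.get("x11forwarding", "no") == "yes":
        findings.append("X11Forwarding yes: client X11 displays may be exposed")
    mask = int(conf.get("streamlocalbindmask", "0177"), 8)
    if mask & 0o077 != 0o077:              # default 0177 => owner-only socket
        findings.append(f"StreamLocalBindMask {mask:04o}: forwarded sockets "
                        "are not owner-only")
    if "trustedusercakeys" in conf and "revokedkeys" not in conf:
        findings.append("TrustedUserCAKeys without RevokedKeys: no KRL to "
                        "revoke a compromised user certificate")
    return findings
```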
 Specifies whether X11 forwarding is permitted.  The argument must be or The
 default is When X11 forwarding is enabled, there may be additional exposure
 to the server and to client displays if the proxy display is configured to
 listen on the wildcard address (see though this is not the default.
 Additionally, the authentication spoofing and authentication data
 verification and substitution occur on the client side.  The security risk
 of using X11 forwarding is that the client's X11 display server may be
 exposed to attack when the SSH client requests forwarding (see the warnings
 for in A system administrator may have a stance in which they want to
 protect clients that may expose themselves to attack by unwittingly
 requesting X11 forwarding, which can warrant a setting.  Note that
 disabling X11 forwarding does not prevent users from forwarding X11
 traffic, as users can always install their own forwarders.

 Specifies whether should bind the X11 forwarding server to the loopback
 address or to the wildcard address.  By default, sshd binds the forwarding
 server to the loopback address and sets the hostname part of the
 environment variable to This prevents remote hosts from connecting to the
 proxy display.  However, some older X11 clients may not function with this
 configuration.  may be set to to specify that the forwarding server should
 be bound to the wildcard address.  The argument must be or The default is

 Specifies the full pathname of the program, or to not use one.  The default
 is

 command-line arguments and configuration file options that specify time may
 be expressed using a sequence of the form: where is a positive integer
 value and is one of the following: seconds seconds minutes hours days weeks
 Each member of the sequence is added together to calculate the total time
 value.  Time format examples:
 600 seconds (10 minutes)
 10 minutes
 1 hour 30 minutes (90 minutes)

 Arguments to some keywords can make use of tokens, which are expanded at
 runtime:
 A literal
 The routing domain in which the incoming connection was received.
 The fingerprint of the CA key.
 The fingerprint of the key or certificate.
 The home directory of the user.
 The key ID in the certificate.
 The base64-encoded CA key.
 The base64-encoded key or certificate for authentication.
 The serial number of the certificate.
 The type of the CA key.
 The key or certificate type.
 The username.
 accepts the tokens %%, %f, %h, %k, %t, and %u.
 accepts the tokens %%, %h, and %u.
 accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, and %u.
 accepts the tokens %%, %h, and %u.
 accepts the tokens %%, %h, and %u.
 accepts the token %D.

 Contains configuration data for This file should be writable by root only,
 but it is recommended (though not necessary) that it be world-readable.

 OpenSSH is a derivative of the original and free ssh 1.2.12 release by and
 removed many bugs, re-added newer features and created OpenSSH.
 contributed the support for SSH protocol versions 1.5 and 2.0.  and
 contributed support for privilege separation.
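 Covering the TIME FORMATS and TOKENS sections above, an added example (not
 OpenSSH code): a parser for the time-sequence syntax and a token expander
 that enforces a keyword's accepted-token set.  The keyword names paired
 with the token sets are an assumption taken from sshd_config(5), since
 this extract has lost them.

```python
import re

# Qualifier multipliers from the TIME FORMATS section: a bare number is
# seconds; s/m/h/d/w (either case) select seconds/minutes/hours/days/weeks.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MEMBER = re.compile(r"(\d+)([smhdwSMHDW]?)")

def parse_time(value: str) -> int:
    """Total seconds of a time sequence such as "600", "10m" or "1h30m":
    each member is an integer plus optional qualifier, and members are
    summed.  Anything else (spaces, stray letters) raises ValueError."""
    if not value:
        raise ValueError("empty time value")
    pos, total = 0, 0
    while pos < len(value):
        m = _MEMBER.match(value, pos)
        if not m:
            raise ValueError(f"malformed time value: {value!r}")
        total += int(m.group(1)) * _UNITS[m.group(2).lower()]
        pos = m.end()
    return total

# Accepted-token sets from the TOKENS section; the keyword names attached to
# them are an assumption taken from sshd_config(5), as this extract lost them.
ACCEPTED_TOKENS = {
    "AuthorizedKeysCommand": "fhktu",
    "AuthorizedKeysFile": "hu",
    "AuthorizedPrincipalsCommand": "FfhiKksTtu",
    "ChrootDirectory": "hu",
}

def expand_tokens(keyword: str, template: str, values: dict) -> str:
    """Expand %-tokens in a keyword's argument.  %% is a literal percent; a
    token outside the keyword's accepted set is rejected rather than passed
    through, so a misplaced token never reaches a command line or a path."""
    allowed = set(ACCEPTED_TOKENS[keyword])
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i]); i += 1; continue
        tok = template[i + 1] if i + 1 < len(template) else ""
        if tok == "%":
            out.append("%")
        elif tok in allowed and tok in values:
            out.append(values[tok])
        else:
            raise ValueError(f"{keyword} does not accept %{tok}")
        i += 2
    return "".join(out)
```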