| Port |
| Specifies the port on which the server listens for connections (default: 22). Range: 1 to 65535 |
| LoginGraceTime |
| Gives the grace time for clients to authenticate themselves (default 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects. This timer can't be disabled for security reasons. Range: 10 to 65535 |
| HostbasedAuthentication |
| Specifies whether ssh_known_hosts authentication together with successful public key client host authentication is allowed (hostbased authentication). This option applies to protocol version 2 only. The default is 'no'. Enumerations: |
| PubkeyAuthentication |
| Specifies whether public key authentication is allowed. The default is 'yes'. Note that this option applies to protocol version 2 only. Enumerations: |
| PasswordAuthentication |
| Specifies whether password authentication is allowed. The default is 'yes'. Enumerations: |
| ChallengeResponseAuthentication |
| Specifies whether challenge response authentication is allowed. The default is 'yes'. Enumerations: |
| KeepAlives |
| Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down tem- porarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving 'ghost' users and consuming server resources. The default is 'yes' (to send keepalives), and the server will notice if the network goes down or the client host reboots. This avoids infinitely hanging sessions. To disable keepalives, the value should be set to 'no' in both the server and the client configuration files. Enumerations: |
| PermitEmptyPasswd |
| When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is 'no'. Enumerations: |
| Compression |
| Enables/disables the general use of compression. Enumerations: |
| VerifyReverseMapping |
| Specifies whether sshd should try to verify the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is 'no'. Enumerations: |
| LogFacility |
| Gives the facility code that is used when logging messages from sshd. The possible values are: 'daemon', 'user', 'auth', 'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7'. The default is 'auth'. Enumerations: - daemon (1)
- user (2)
- auth (3)
- authPriv (4)
- local0 (7)
- local1 (8)
- local2 (9)
- local3 (10)
- local4 (11)
- local5 (12)
- local6 (13)
- local7 (14)
|
| LogLevel |
| Gives the verbosity level that is used when logging messages from sshd. The possible values are: 'quiet', 'fatal', 'error', 'info', 'verbose' and 'debug'. The default is 'info'. Logging with level 'debug' violates the privacy of users and is not recommended. Enumerations: - quiet (1)
- fatal (2)
- error (3)
- info (4)
- verbose (5)
- debug1 (6)
- debug2 (7)
- debug3 (8)
|
| Ciphers |
| Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The default is 'aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc'. Length: 0 to 255 |
| Macs |
| Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is 'hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512'. Length: 0 to 255 |
| Protocol |
| Specifies the protocol versions sshd should support. The possible values are '1' and '2'. Multiple versions must be comma separated. Currently only protocol version 2 is supported by the BinTec implementation. The default is '2'. Length: 0 to 255 |
| MaxClients |
| Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 1. Range: 1 to 100 |
| ClientAliveInterval |
| Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only. Range: 1 to 3600 |
| ClientAliveCountMax |
| Sets the number of client alive messages (see above) which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from KeepAlive (above). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by KeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval (above) is set to 15, and ClientAliveCountMax is left at the default, unresponsive ssh clients will be disconnected after approximately 45 seconds. Range: 0 to 10 |
| AllowTcpForwarding |
| Specifies whether TCP forwarding is permitted. The default is 'no'. Enumerations: |
| GatewayPorts |
| Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd binds remote port forwardings to the loopback addresss. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should bind remote port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be 'yes' or 'no'. The default is 'no'. Enumerations: |
| UseLogin |
| Specifies whether login(1) is used for interactive login sessions. The default is 'yes'. Note that login(1) is never used for remote command execution. Note also, that if this is enabled, X11Forwarding will be disabled because login(1) does not know how to handle xauth(1) cookies. Enumerations: |
| X11Forwarding |
| Specifies whether X11 forwarding is permitted. The default is 'no'. X11 forwarding is automatically disabled if UseLogin is enabled. Enumerations: |
| X11DisplayOffset |
| Specifies the first display number available for sshd's X11 forwarding. This prevents sshd from interfering with real X11 servers. The default is 10. Range: 0 to 65535 |
| PrintMotd |
| Specifies whether sshd should print 'motd' when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.) The default is 'yes'. Enumerations: |
| Banner |
| In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. Length: 0 to 255 |
| PrintLastLog |
| Specifies whether sshd should print the date and time when the user last logged in. The default is 'no'. Enumerations: |
| LastLogin |
| In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. Length: 0 to 255 |