Most of these descriptions were extracted from the man pages of sshd.
Specifies the port number that sshd listens on. The default is 22.
Specifies what local address sshd should listen on. The default is to listen to all local addresses.
Specifies the protocol versions sshd should support. The possible values are ``1'' and ``2''. Multiple versions must be comma separated. The default is ``1''.
Specifies the file containing the private RSA host key. Note that sshd does not start if this file is group/world-accessible.
Specifies the file containing the private DSA host key. Note that sshd disables protocol 2.0 if this file is group/world-accessible.
Defines the number of bits in the server key. The minimum value is 512, and the default is 768.
The server key is automatically regenerated after this many seconds (if it has been used). The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys. The key is never stored anywhere. If the value is 0, the key is never regenerated. The default is 3600 (seconds).
This keyword can be followed by a number of group names, separated by spaces. If specified, login is allowed only for users whose primary group matches one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only group names are valid; a numerical group id isn't recognized. By default login is allowed regardless of the primary group.
This keyword can be followed by a number of user names, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user id isn't recognized. By default login is allowed regardless of the user name.
This keyword can be followed by a number of group names, separated by spaces. Users whose primary group matches one of the patterns aren't allowed to log in. `*' and `?' can be used as wildcards in the patterns. Only group names are valid; a numerical group id isn't recognized. By default login is allowed regardless of the primary group.
This keyword can be followed by a number of user names, separated by spaces. Login is disallowed for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user id isn't recognized. By default login is allowed regardless of the user name.
Specifies whether root can log in using ssh. The argument must be ``yes'', ``without-password'' or ``no''. The default is ``yes''. If this option is set to ``without-password'', only password authentication is disabled for root; the other authentication methods remain available to root.
Specifies whether password authentication is allowed. The default is ``yes''.
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is ``yes''.
Specifies whether pure RSA authentication is allowed. The default is ``yes''.
Specifies whether DSA authentication is allowed. The default is ``yes''.
Specifies that rhosts and shosts files will not be used in authentication. /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The default is ``no''.
Specifies whether sshd should ignore the user's $HOME/.ssh/known_hosts during RhostsRSAAuthentication. The default is ``no''.
Specifies whether authentication using rhosts or /etc/hosts.equiv files alone is sufficient. Normally, this method should not be permitted because it is insecure (it trusts the client's claimed host name). RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition to normal rhosts or /etc/hosts.equiv authentication. The default is ``no''.
Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is ``yes''.
Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is ``yes''.
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 600 (seconds).
Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The default is ``3des-cbc,blowfish-cbc,arcfour,cast128-cbc''.
Specifies whether sshd should check for new mail for interactive logins. The default is ``no''.
Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or a crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving ``ghost'' users and consuming server resources.
The default is ``yes'' (to send keepalives), and the server will notice if the network goes down or the client host reboots. This avoids infinitely hanging sessions.
To disable keepalives, the value should be set to ``no'' in both the server and the client.
Specifies whether sshd should print /etc/motd when a user logs in interactively (on some systems it is also printed by the shell, /etc/profile, or equivalent). The default is ``yes''.
Specifies whether ``login'' is used. The default is ``no''.
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The default is ``no''.
Specifies the file that contains the process identifier of the sshd daemon. The default is ``/var/run/sshd.pid''.
Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is INFO. Logging with level DEBUG violates the privacy of users and is not recommended.
Gives the facility code that is used when logging messages from sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
Specifies whether X11 forwarding is permitted. The default is ``yes''. Note that disabling X11 forwarding does not improve security in any way, as users can always install their own forwarders.
Specifies the first display number available for sshd's X11 forwarding. This prevents sshd from interfering with real X11 servers.
Specifies whether ``skey'' authentication is allowed. The default is ``yes''. Note that ``skey'' authentication is enabled only if Password Authentication is allowed, too.
Specifies whether Kerberos authentication is allowed. This can be in the form of a Kerberos ticket, or if Password Authentication is yes, the password provided by the user will be validated through the Kerberos KDC. Default is ``yes''.
If set and password authentication through Kerberos fails, the password will be validated via any additional local mechanism such as /etc/passwd or SecurID. Default is ``yes''.
Specifies whether a Kerberos TGT may be forwarded to the server. Default is ``no'', as this only works when the Kerberos KDC is actually an AFS kaserver.
Specifies whether to automatically destroy the user's ticket cache file on logout. Default is ``yes''.
Specifies whether an AFS token may be forwarded to the server. Default is ``yes''.
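As an added example, not part of the original reference and not OpenSSH's own code, the following Python script audits an sshd_config file against the authentication-related options described above. The keyword names it uses (Protocol, PermitRootLogin, PermitEmptyPasswords, RhostsAuthentication, IgnoreRhosts, StrictModes, LogLevel, KeyRegenerationInterval, LoginGraceTime) are the sshd_config(5) spellings; this page prints only the descriptions, so treat the mapping as an assumption. The two configuration samples are constructed. When a keyword is absent, the audit substitutes the default stated in the corresponding description, which makes visible that the defaults for protocol version, root login, empty passwords and rhosts handling are themselves the weak settings and must be set explicitly.

```python
"""Audit an old-style (OpenSSH 2.x) sshd_config against the descriptions above.

Keyword names follow sshd_config(5); the page itself does not print them, so
the mapping from description to keyword is an assumption of this example.
"""

# Defaults exactly as stated in the descriptions above, keyed by lower-cased keyword.
PAGE_DEFAULTS = {
    "protocol": "1",
    "permitrootlogin": "yes",
    "permitemptypasswords": "yes",
    "rhostsauthentication": "no",
    "ignorerhosts": "no",
    "strictmodes": "yes",
    "loglevel": "INFO",
    "keyregenerationinterval": "3600",
    "logingracetime": "600",
}

# Each check returns a short reason when the effective value is weak, else None.
CHECKS = {
    "protocol": lambda v: "protocol 1 enabled"
    if "1" in [p.strip() for p in v.split(",")] else None,
    "permitrootlogin": lambda v: "root may log in with a password"
    if v.lower() == "yes" else None,
    "permitemptypasswords": lambda v: "accounts with empty passwords can log in"
    if v.lower() == "yes" else None,
    "rhostsauthentication": lambda v: "rhosts/hosts.equiv alone is sufficient"
    if v.lower() == "yes" else None,
    "ignorerhosts": lambda v: "per-user .rhosts/.shosts files are honoured"
    if v.lower() == "no" else None,
    "strictmodes": lambda v: "world-writable home/key files are not rejected"
    if v.lower() == "no" else None,
    "loglevel": lambda v: "DEBUG logging exposes user data"
    if v.upper() == "DEBUG" else None,
    "keyregenerationinterval": lambda v: "server key is never regenerated"
    if v == "0" else None,
    "logingracetime": lambda v: "no limit on unauthenticated connections"
    if v == "0" else None,
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} from sshd_config text.

    Blank lines and lines starting with '#' are skipped. Keywords are
    case-insensitive and the first occurrence of a keyword is the one sshd
    uses, so later duplicates are ignored here as well.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: not a setting we can evaluate
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit(text):
    """Return a list of (keyword, effective_value, source, reason) findings.

    source is "set" when the file supplies the value and "default" when the
    page-stated default applies because the keyword is absent.
    """
    conf = parse_sshd_config(text)
    findings = []
    for key, check in CHECKS.items():
        value = conf.get(key, PAGE_DEFAULTS[key])
        source = "set" if key in conf else "default"
        reason = check(value)
        if reason:
            findings.append((key, value, source, reason))
    return findings


# Constructed sample: a permissive sshd_config (not from any real host).
WEAK_CONFIG = """\
Port 22
Protocol 1,2
PermitRootLogin yes
PermitEmptyPasswords yes
RhostsAuthentication yes
LogLevel DEBUG
"""

# Constructed sample: the hardened counterpart, setting every audited keyword.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin without-password
PermitEmptyPasswords no
RhostsAuthentication no
IgnoreRhosts yes
StrictModes yes
LogLevel INFO
KeyRegenerationInterval 3600
LoginGraceTime 120
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("empty", "")):
        print(f"--- {name} ---")
        for key, value, source, reason in audit(cfg):
            print(f"{key}={value} ({source}): {reason}")
```

Running it on the empty configuration is the instructive case: with nothing set, the audit still reports protocol 1, root password login, empty passwords and honoured rhosts files, all coming from the defaults the descriptions above state.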