Linuxconf Secure Shell Daemon Module

Gustavo Niemeyer

This is the configuration dialog for the OpenSSH Secure Shell Daemon (sshd). Together, sshd and ssh replace the rlogin and rsh programs, and provide secure encrypted communications between two untrusted hosts over an insecure network.

1. Introduction

1.1. Blank options

Every blank option will be set to its default.

1.2. OpenSSH 2.X options

Options marked with (2) are specific to OpenSSH 2.X versions.

2. Options

Most of these descriptions were extracted from the man pages of sshd.

2.1. Port

Specifies the port number that sshd listens on. The default is 22.

2.2. Listen Address

Specifies what local address sshd should listen on. The default is to listen on all local addresses.

2.3. Protocol (2)

Specifies the protocol versions sshd should support. The possible values are ``1'' and ``2''. Multiple versions must be comma-separated. The default is ``1''.

2.4. Host RSA Key

Specifies the file containing the private RSA host key. Note that sshd does not start if this file is group/world-accessible.

2.5. Host DSA Key (2)

Specifies the file containing the private DSA host key. Note that sshd disables protocol 2.0 if this file is group/world-accessible.

2.6. Server Key Bits

Defines the number of bits in the server key. The minimum value is 512, and the default is 768.

2.7. Key Regeneration Interval

The server key is automatically regenerated after this many seconds (if it has been used). The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys. The key is never stored anywhere. If the value is 0, the key is never regenerated. The default is 3600 (seconds).

2.8. Allow Groups

This keyword can be followed by a number of group names, separated by spaces. If specified, login is allowed only for users whose primary group matches one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only group names are valid; a numerical group id is not recognized. By default login is allowed regardless of the primary group.

2.9. Allow Users

This keyword can be followed by a number of user names, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user id is not recognized. By default login is allowed regardless of the user name.

2.10. Deny Groups

This keyword can be followed by a number of group names, separated by spaces. Users whose primary group matches one of the patterns are not allowed to log in. `*' and `?' can be used as wildcards in the patterns. Only group names are valid; a numerical group id is not recognized. By default login is allowed regardless of the primary group.

2.11. Deny Users

This keyword can be followed by a number of user names, separated by spaces. Login is disallowed for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user id is not recognized. By default login is allowed regardless of the user name.

2.12. Permit Root Login

Specifies whether root can log in using ssh. The argument must be ``yes'', ``without-password'' or ``no''. The default is ``yes''. If this option is set to ``without-password'', only password authentication is disabled for root.

2.13. Password Authentication

Specifies whether password authentication is allowed. The default is ``yes''.

2.14. Permit Empty Passwords

When password authentication is allowed, this specifies whether the server allows login to accounts with empty password strings. The default is ``yes''.

2.15. RSA Authentication

Specifies whether pure RSA authentication is allowed. The default is ``yes''.

2.16. DSA Authentication (2)

Specifies whether DSA authentication is allowed. The default is ``yes''.

2.17. Ignore Rhosts

Specifies that rhosts and shosts files will not be used in authentication. /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The default is ``no''.

2.18. Ignore User Known Hosts

Specifies whether sshd should ignore the user's $HOME/.ssh/known_hosts during RhostsRSAAuthentication. The default is ``no''.

2.19. Rhosts Authentication

Specifies whether authentication using rhosts or /etc/hosts.equiv files is sufficient. Normally, this method should not be permitted because it is insecure. Rhosts RSA Authentication should be used instead, because it performs RSA-based host authentication in addition to normal rhosts or /etc/hosts.equiv authentication. The default is ``no''.

2.20. Rhosts RSA Authentication

Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is ``yes''.

2.21. Strict Modes

Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is ``yes''.

2.22. Login Grace Time

The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 600 (seconds).

2.23. Ciphers (2)

Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The default is ``3des-cbc,blowfish-cbc,arcfour,cast128-cbc''.

2.24. Check Mail

Specifies whether sshd should check for new mail for interactive logins. The default is ``no''.

2.25. Keep Alive

Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving ``ghost'' users and consuming server resources. The default is ``yes'' (to send keepalives), and the server will notice if the network goes down or the client host reboots. This avoids infinitely hanging sessions. To disable keepalives, the value should be set to ``no'' in both the server and the client.

2.26. Print Motd

Specifies whether sshd should print /etc/motd when a user logs in interactively (on some systems it is also printed by the shell, /etc/profile, or equivalent). The default is ``yes''.

2.27. Use Login

Specifies whether ``login'' is used. The default is ``no''.

2.28. Gateway Ports (2)

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The default is ``no''.

2.29. Pid File (2)

Specifies the file that contains the process identifier of the sshd daemon. The default is ``/var/run/sshd.pid''.

2.30. Log Level

Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is INFO. Logging with level DEBUG violates the privacy of users and is not recommended.

2.31. Syslog Facility

Gives the facility code that is used when logging messages from sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

2.32. X11 Forwarding

Specifies whether X11 forwarding is permitted. The default is ``yes''. Note that disabling X11 forwarding does not improve security in any way, as users can always install their own forwarders.

2.33. X11 Display Offset

Specifies the first display number available for sshd's X11 forwarding. This prevents sshd from interfering with real X11 servers.

2.34. Skey Authentication

Specifies whether ``skey'' authentication is allowed. The default is ``yes''. Note that ``skey'' authentication is enabled only if Password Authentication is allowed, too.

2.35. Kerberos Authentication

Specifies whether Kerberos authentication is allowed. This can be in the form of a Kerberos ticket, or, if Password Authentication is yes, the password provided by the user will be validated through the Kerberos KDC. The default is ``yes''.

2.36. Kerberos Or Local Passwd

If set, and password authentication through Kerberos fails, the password will be validated via any additional local mechanism such as /etc/passwd or SecurID. The default is ``yes''.

2.37. Kerberos Tgt Passing

Specifies whether a Kerberos TGT may be forwarded to the server. The default is ``no'', as this only works when the Kerberos KDC is actually an AFS kaserver.

2.38. Kerberos Ticket Cleanup

Specifies whether to automatically destroy the user's ticket cache file on logout. The default is ``yes''.

2.39. AFS Token Passing

Specifies whether an AFS token may be forwarded to the server. The default is ``yes''.
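As an added example (not part of the Linuxconf module or of OpenSSH), the following Python script parses an sshd_config fragment using the rule from section 1.1 that a blank option takes its default, evaluates the Allow/Deny Users/Groups patterns of sections 2.8 to 2.11 for a given user and primary group, and flags the settings whose descriptions above state a risk. The default table, the sample configuration and the finding texts are constructed here; fnmatchcase also accepts [...] character classes, which the page does not document.

```python
import fnmatch

# Defaults as documented above; a blank option takes the default (section 1.1).
DEFAULTS = {"PermitRootLogin": "yes", "PasswordAuthentication": "yes",
            "PermitEmptyPasswords": "yes", "RhostsAuthentication": "no",
            "LogLevel": "INFO"}

def parse_sshd_config(text):
    """Parse 'Keyword value' lines; a keyword with no value keeps its default."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if value.strip():
            cfg[key] = value.strip()
    return cfg

def _matches(name, patterns):
    # `*' and `?' are the wildcards the page documents; fnmatchcase handles both.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns.split())

def login_allowed(cfg, user, primary_group):
    """Apply Allow/Deny Users/Groups as described above: names only, any deny wins."""
    if "DenyUsers" in cfg and _matches(user, cfg["DenyUsers"]):
        return False
    if "AllowUsers" in cfg and not _matches(user, cfg["AllowUsers"]):
        return False
    if "DenyGroups" in cfg and _matches(primary_group, cfg["DenyGroups"]):
        return False
    if "AllowGroups" in cfg and not _matches(primary_group, cfg["AllowGroups"]):
        return False
    return True

def audit(cfg):
    """Flag settings using the rationale the option descriptions above give."""
    findings = []
    if cfg["PermitRootLogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if cfg["PasswordAuthentication"] == "yes" and cfg["PermitEmptyPasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: empty-password accounts can log in")
    if cfg["RhostsAuthentication"] == "yes":
        findings.append("RhostsAuthentication yes: insecure, use RhostsRSAAuthentication")
    if cfg["LogLevel"] == "DEBUG":
        findings.append("LogLevel DEBUG: violates user privacy")
    return findings

# Constructed sample (not from any real host); unset options take the defaults.
SAMPLE = "PermitRootLogin without-password\nAllowUsers admin ops-*\nDenyGroups guests\n"
```

Running audit(parse_sshd_config(SAMPLE)) reports only the empty-password finding, because PermitEmptyPasswords was left blank and so took its default of ``yes''.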