Sshd_config

Sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
specified with – f on the command line). The file contains keyword-
argument pairs, one per line. Lines starting with `#’ and empty lines
are interpreted as comments. Arguments may optionally be enclosed in
double quotes (“) in order to represent arguments containing spaces.

The possible keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):

AcceptEnv
Specifies what environment variables sent by the client will be
copied into the session’s environ(7). See SendEnv in
ssh_config(5) for how to configure the client. Note that
environment passing is only supported for protocol 2. Variables
are specified by name, which may contain the wildcard characters
`*’ and `?’. Multiple environment variables may be separated by
whitespace or spread

across multiple AcceptEnv directives. Be
warned that some environment variables could be used to bypass
restricted user environments. For this reason, care should be
taken in the use of this directive. The default is not to accept
any environment variables.

AddressFamily
Specifies which address family should be used by sshd(8). Valid
arguments are “any”, “inet” (use IPv4 only), or “inet6”
(use IPv6 only). The default is “any”.

AllowAgentForwarding
Specifies whether ssh-agent(1) forwarding is permitted. The
default is “yes”. Note that disabling agent forwarding does
not improve security unless users are also denied shell access,
as they can always install their own forwarders.

AllowGroups
This keyword can be followed by a list of group name patterns,
separated by spaces. If specified, login is allowed only for
users whose primary group or supplementary group list matches one
of the patterns. Only group names are valid; a numerical group
ID is not recognized. By default, login is allowed for all
groups. The allow/deny directives are processed in the following
order: DenyUsers, AllowUsers, DenyGroups, and finally
AllowGroups.

See PATTERNS in ssh_config(5) for more information on patterns.

AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The default is
“yes”. Note that disabling TCP forwarding does not improve
security unless users are also denied shell access, as they can
always install their own forwarders.

AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login
is allowed for all users. If the pattern takes the form
USER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts. The allow/deny
directives are processed in the following order: DenyUsers,
AllowUsers, DenyGroups, and finally AllowGroups.

See PATTERNS in ssh_config(5) for more information on patterns.

AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication. The format is described in the
AUTHORIZED_KEYS FILE FORMAT section of sshd(8).
AuthorizedKeysFile may contain tokens of the form %T which are



Sshd_config