.\"  -*- nroff -*-
.\"
.\" sshd2_config.5
.\"
.\" Author:     Tatu Ylonen <ylo@ssh.com>
.\"             Markku-Juhani Saarinen <mjos@ssh.com>
.\"		Sami Lehtinen <sjl@ssh.com>
.\"
.\" Copyright (C) 1997-2002 SSH Communications Security, Finland
.\" All rights reserved
.\"
.TH SSHD2_CONFIG 5 "May 16, 2002" "SSH2" "SSH2"

.SH NAME
sshd2_config \- format of configuration file for sshd2

.SH CONFIGURATION FILE

\fBSshd2\fR reads configuration data from
.I /etc/ssh2/sshd2_config
(or the file specified with -f on the command line).  The file
contains keyword-value pairs, one per line.  For a description of the
configuration file format, see \fBssh2_config\fR(5).
However, configuration blocks are not allowed in
.IR sshd2_config .

Subconfiguration files can be specified in the main configuration file, see 
.BR HostSpecificConfig 
and
.BR UserSpecificConfig .
Note that if changes are made in the main configuration file, 
sshd2 will have to be restarted, for example by sending a signal to it:

# kill -HUP `cat /var/run/sshd2_22.pid`

or

# kill -HUP `cat /etc/ssh2/sshd2_22.pid`

if the directory /var/run/ does not exist. 


The following keywords are allowed:

.de YN
"\fByes\fR" or "\fBno\fR".
..
.TP
\fBAllowAgentForwarding\fR or \fBForwardAgent\fR
Specifies whether agent forwarding is permitted.  This parameter is
implemented mainly for completeness.  Usually, you should allow users to
freely forward agent connections.  The argument must be
.YN
The default is "\fByes\fR".
.ne 3

.TP
.B AllowedAuthentications
This keyword specifies the authentication methods that are allowed.
Known authentication methods are:
.BR keyboard-interactive ,
.BR password ,
.BR publickey , 
.BR pam-1@ssh.com ,
.BR kerberos-2@ssh.com ,
.BR kerberos-tgt-2@ssh.com ,
and
.BR securid-1@ssh.com .
The default is "\fBpublickey, password\fR".

\fBpam-1@ssh.com\fR and \fBsecurid-1@ssh.com\fR are legacy
authentication methods, and you should use \fBkeyboard-interactive\fR
instead, if possible (i.e. the clients that need to be able to connect
support \fBkeyboard-interactive\fR). See
.BR AuthKbdInt.Optional .

With \fBRequiredAuthentications\fR, the system administrator can force
the users to complete several authentications before they are
considered authenticated. See 
.BR RequiredAuthentications .

.TP
.B AllowGroups
This keyword can be followed by any number of group name patterns,
separated by commas.  If specified, login is allowed only if one of the
groups the user belongs to matches one of the patterns.  Patterns are
matched using the egrep syntax (see \fBsshregex\fR(1)), or the syntax
specified in the metaconfig header of the configuration file.  You can
use the comma ',' character in the patterns by escaping it with '\\'
(backslash).  By default, all groups are allowed to log in.

Note that all other authentication steps must still be successfully
completed.  \fBAllowGroups\fR and \fBDenyGroups\fR are additional
restrictions and never increase the tolerance.
.ne 3

.TP
.B AllowHosts
This keyword can be followed by any number of host name patterns,
separated by commas.  If specified, login is allowed only from hosts
whose name matches one of the patterns.  Patterns are matched using
the egrep syntax (see \fBsshregex\fR(1)), or the syntax specified in
the metaconfig section of the configuration file.  If you want the
pattern to be matched only against the host's IP address (ignoring the
canonical host name), prefix your pattern with "\\i".  You can also
use subnet masks (e.g. '127.0.0.0/8') by prefixing the pattern with
"\\m".  DNS is used to map the client's host name into a canonical
host name.  If the name cannot be mapped, the IP address is used as
the host name.  By default, all hosts are allowed to connect.

Note that
.B sshd2
can also be configured to use tcp_wrappers using the --with-libwrap
compile-time configuration option.
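
The host matching described above, as an added example that is not part of the sshd2 distribution: a Python model of how AllowHosts and DenyHosts patterns are applied to one client, covering the "\\i" and "\\m" prefixes, the fall-back to the IP address when the name cannot be mapped, and RequireReverseMapping. It assumes that sshregex(1) egrep patterns must match the whole value (re.fullmatch stands in for them) and that a DenyHosts match overrides AllowHosts, which is the rule this page states for the user and group variants.

```python
# Added example, not part of the sshd2 distribution: a model of how
# AllowHosts / DenyHosts patterns are applied to one connecting client.
# Assumptions: egrep patterns must match the whole value (re.fullmatch
# stands in for sshregex(1)); "\i" restricts a pattern to the IP address;
# "\m" names a subnet; a DenyHosts match overrides AllowHosts (the rule
# the page states for AllowUsers/DenyUsers and AllowGroups/DenyGroups).
import ipaddress
import re


def split_patterns(value):
    """Split a comma-separated keyword value; '\\,' is an escaped literal comma."""
    parts, cur, i = [], "", 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] == ",":
            cur += ","          # escaped comma belongs to the pattern
            i += 2
        elif value[i] == ",":
            parts.append(cur.strip())
            cur = ""
            i += 1
        else:
            cur += value[i]
            i += 1
    parts.append(cur.strip())
    return [p for p in parts if p]


def host_pattern_matches(pattern, client_ip, canonical_name):
    """Match one AllowHosts/DenyHosts pattern against a client.

    canonical_name is the reverse-DNS result, or None if the lookup failed.
    """
    if pattern.startswith("\\m"):
        # Subnet form, e.g. \m127.0.0.0/8: an address comparison, not a regex.
        net = ipaddress.ip_network(pattern[2:], strict=False)
        return ipaddress.ip_address(client_ip) in net
    if pattern.startswith("\\i"):
        # IP-only form: the canonical host name is ignored.
        return re.fullmatch(pattern[2:], client_ip) is not None
    # Plain form: when the name cannot be mapped, the IP address is used
    # as the host name, so a host-name pattern will normally fail to match.
    return re.fullmatch(pattern, canonical_name or client_ip) is not None


def host_allowed(client_ip, canonical_name, allow_hosts="", deny_hosts="",
                 require_reverse_mapping=False):
    """Apply AllowHosts, DenyHosts and RequireReverseMapping to one client."""
    if canonical_name is None and require_reverse_mapping:
        return False        # RequireReverseMapping yes: no name, no login
    deny = split_patterns(deny_hosts)
    if any(host_pattern_matches(p, client_ip, canonical_name) for p in deny):
        return False        # DenyHosts matched (assumed to override AllowHosts)
    allow = split_patterns(allow_hosts)
    if not allow:
        return True         # default: all hosts are allowed to connect
    return any(host_pattern_matches(p, client_ip, canonical_name) for p in allow)


if __name__ == "__main__":
    # Constructed sample: a client whose reverse lookup failed.  A name-only
    # pattern cannot admit it; only the \i / \m forms can.
    for value in (r".*\.example\.com", r"\i192\.0\.2\..*", r"\m192.0.2.0/24"):
        print(value, host_allowed("192.0.2.10", None, allow_hosts=value))
```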
.ne 3

.TP
.B AllowSHosts
This keyword can be followed by any number of host name patterns,
separated by commas, just as the option \fBAllowHosts\fR.  The entries
in \fI.shosts\fR, \fI.rhosts\fR, \fI/etc/hosts.equiv\fR and
\fI/etc/shosts.equiv\fR are ignored if they do not match one of the
patterns given here (if there are any).
.ne 3

.TP
.B AllowTcpForwarding
Specifies whether TCP forwarding is permitted.  Note that disabling
TCP forwarding does not improve security at all unless you deny the
user shell access at the same time (see \fBssh-dummy-shell\fR(1)): any
user that has a shell can always install her own forwarders.  The
argument must be
.YN
The default is "\fByes\fR".
.ne 3

.TP
.B AllowTcpForwardingForGroups
The syntax is the same as in \fBAllowGroups\fR, but instead of login,
this controls the ability to forward ports in remote or local
forwarding.  See the security note under option \fBAllowTcpForwarding\fR.
The argument must be
.YN
The default is "\fByes\fR".
.ne 3

.TP
.B AllowTcpForwardingForUsers
Syntax is the same as in \fBAllowUsers\fR, but instead of login, this
controls the ability to forward ports in remote or local
forwarding.  See the security note under option \fBAllowTcpForwarding\fR.
The argument must be
.YN
The default is "\fByes\fR".
.ne 3

.TP
.B AllowUsers
This option can be followed by any number of patterns of the form
\fIuser\fR or \fIuser@host\fR, separated by commas.  The details
explained under option \fBAllowHosts\fR apply accordingly.  By
default, all users are allowed to log in.

Note that all the other login authentication steps must still be
successfully completed.  \fBAllowUsers\fR and \fBDenyUsers\fR are
additional restrictions.
.ne 3

.TP
\fBAllowX11Forwarding\fR or \fBX11Forwarding\fR or \fBForwardX11\fR
Specifies whether X11 forwarding is permitted.  The default is
"\fByes\fR".  See the security note under option \fBAllowTcpForwarding\fR.
The argument must be
.YN
.ne 3

.TP
.B AuthInteractiveFailureTimeout
Specifies the delay, in seconds, that the server delays after a failed
attempt to log in using \fBkeyboard-interactive\fR and \fBpassword\fR
authentication. The default is 2.
.ne 3

.TP
.B AuthKbdInt.NumOptional
Specifies how many optional submethods must be passed before the
authentication is considered a success (note that all required
submethods must always be passed). See
.B AuthKbdInt.Optional
for specifying optional submethods, and
.B AuthKbdInt.Required
for required submethods. The default is 0, although if no required
submethods are specified, the client must always pass at least one
optional submethod.
.ne 3

.TP
.B AuthKbdInt.Optional
Specifies the optional submethods \fBkeyboard-interactive\fR will
use. Currently submethods
.BR pam ,
.BR securid ,
.BR plugin ,
and
.B password
are defined. Note that
.BR pam 
and
.B securid
require that you had the necessary libraries and headers when you
compiled the distribution.
.B pam
submethod is usually available in binary packages, if the architecture
supports PAM (Pluggable Authentication Modules).
.B AuthKbdInt.NumOptional
specifies how many optional submethods must be passed.
The \fBkeyboard-interactive\fR authentication method is considered a
success when the specified amount of optional submethods and all
required submethods are passed. The \fBplugin\fR submethod is special,
it can be used if a sysadmin wants to create a new authentication
method. See option
.BR AuthKbdInt.Plugin .
See also
.B AuthKbdInt.NumOptional
and 
.BR AuthKbdInt.Required .
.ne 3

.TP
.B AuthKbdInt.Plugin
Specify this to point to a program which is used by the
.B plugin
submethod in 
.BR keyboard-interactive .
.B sshd2
converses with this program using a line-based protocol, so it is easy
to implement it, for example as a shell-script. If the \fBplugin\fR
submethod is used, and this is not set, or the specified program does not
exist, or cannot be run, the submethod will fail, which may cause the
whole authentication for the user to fail. This will not be set by
default. More information about the protocol can be found in the
distribution package,
.I RFC.kbdint_plugin_protocol
has a description of the protocol used and an example script is called
.IR kbdint_plugin_example.sh .
Note that the program is run with the privileges of the
.B sshd2
process, typically root. So be careful.
.ne 3

.TP
.B AuthKbdInt.Required
Specifies the required submethods that must be passed before the
\fBkeyboard-interactive\fR authentication method can succeed.
See
.BR AuthKbdInt.Optional .
.ne 3

.TP
.B AuthKbdInt.Retries
Specifies how many times the user can retry \fBkeyboard-interactive\fR.
The default is 3.
.ne 3

.TP 
.B AuthorizationFile
Specifies the name of the user's authorization file.
.ne 3

.TP
.B AuthPublicKey.MaxSize
Specifies the maximum size of a publickey that can be used to log in. 
Value 0 disables the check. The default is 0 (disabled).
.ne 3

.TP
.B AuthPublicKey.MinSize
Specifies the minimum size of a publickey that can be used to log in. 
Value 0 disables the check. The default is 0 (disabled).
.ne 3

.TP 
.B BannerMessageFile
Specifies the path to the message that is sent to the client before
authentication.  Note, however, that the client is not obliged to show
this message.  The default is \fI/etc/ssh2/ssh_banner_message\fR (if
existing).
.ne 3

.TP
.B Cert.RSA.Compat.HashScheme
Older SSH Secure Shell clients and servers used hashes in an incoherent
manner (sometimes MD5, sometimes SHA-1). With this option, you can set
what hash is used. This option can be set in 
.BR HostSpecificConfig ,
and then reset in 
.BR UserSpecificConfig ,
in which case the value set in host-specific configuration will apply to
the initial key exchange and during authentication the value in the
user-specific configuration will be used. Valid values are "\fBmd5\fR"
and "\fBsha1\fR". The default is "\fBmd5\fR" (works in most cases).
.ne 3

.TP
.B CheckMail
Makes \fBsshd2\fR print whether or not there is new mail
when a user logs in interactively.  (On some systems this information
is also printed by the shell, /etc/profile, or equivalent.)  The
argument must be
.YN
The default is "\fByes\fR".
.ne 3

.TP
.B ChRootGroups
This option works like \fBChRootUsers\fR, except that it can be used
to list groups instead of single users.  Groups are listed on the
server in \fI/etc/group\fR.  Follows the logic of \fBDenyGroups\fR.
.ne 3

.TP
.B ChRootUsers
.B sshd2
gives all users listed here a chrooted environment (e.g. "/home").
This establishes a "jail" that keeps users from sneaking into
sensitive areas of the server's file system.  Users are defined on the
server in \fI/etc/group\fR.  More than one group can be listed,
separated by a comma.  This is not a default option.  The logic
follows that of
.BR DenyUsers .
.ne 3

.TP
.B Ciphers
Specifies the ciphers to use for encrypting the
session.  Supported values are
.\" XXX Could this be made dist-dependent ?
.IR aes ,
.IR blowfish , 
.IR twofish ,
.IR arcfour ,
.IR cast ,
.IR 3des ,
and
.IR des .
Multiple ciphers can be specified as a comma-separated list.  Special
values for this option are
.IR Any ,
.IR AnyStd ,
.IR none ,
.IR AnyCipher ,
and \fIAnyStdCipher\fR.  \fIAny\fR allows all ciphers including
\fInone\fR; \fIAnyStd\fR allows only those mentioned in the IETF-SecSH
draft plus \fInone\fR; \fInone\fR forbids any use of encryption;
\fIAnyCipher\fR and \fIAnyStdCipher\fR are analogous to the first two
cases but exclude \fInone\fR. \fIAnyStdCipher\fR is the default.
.ne 3

.TP
.B DenyGroups
This keyword can be followed by any number of group name patterns,
separated by commas.  If specified, login is denied if one of the
groups the user belongs to matches one of the patterns.  Otherwise,
this option is parsed and matched identically with
.BR AllowGroups .
By default, all users are allowed to
log in.

If a user's group matches a pattern in both
.B DenyGroups
and 
.BR AllowGroups ,
login will be denied.

Note that all other authentication steps must still be successfully
completed.  \fBAllowGroups\fR and \fBDenyGroups\fR are additional
restrictions and never increase the tolerance.
.ne 3

.TP
.B DenyHosts
This keyword can be followed by any number of host name patterns,
separated by commas.  If specified, login is disallowed from hosts
whose names match any of the patterns.  See
.BR AllowHosts .
.ne 3

.TP
.B DenySHosts
This keyword can be followed by any number of host name patterns,
separated by commas, just as the option \fBDenyHosts\fR.  The entries
in \fI.shosts\fR, \fI.rhosts\fR, \fI/etc/hosts.equiv\fR and
\fI/etc/shosts.equiv\fR are ignored if they match one of the patterns
given here (if there are any).  See
.BR AllowSHosts .
.ne 3

.TP
.B DenyTcpForwardingForGroups
The syntax is the same as in \fBDenyGroups\fR, but instead of login, 
this controls the ability to forward ports, in remote or local
forwarding.  See security note under option \fBAllowTcpForwarding\fR.
The argument must be
.YN
Forwarding is enabled by default.
.ne 3

.TP
.B DenyTcpForwardingForUsers
The syntax is the same as in \fBDenyUsers\fR, but instead of login, 
this controls the ability to forward ports, in remote or local
forwarding.  See security note under option \fBAllowTcpForwarding\fR.
The argument must be
.YN
Forwarding is enabled by default.
.ne 3

.TP
.B DenyUsers
This is the opposite of \fBAllowUsers\fR and works accordingly.
If a user's name matches a pattern in both
.B DenyUsers
and 
.BR AllowUsers ,
login is denied.

Note that the all other login authentication steps must still be
successfully completed.  \fBAllowUsers\fR and \fBDenyUsers\fR are
additional restrictions.
.ne 3

.TP
.B DisableVersionFallback
Whether to disable fallback compatibility code for older, or otherwise
incompatible versions of software. Don't disable unless you know what
you're doing.  The argument must be
.YN
The default is "\fBno\fR".
.ne 3

.TP
.B ExternalAuthorizationProgram
If set, this program is run to verify whether the user is authorized to
log in.
.B sshd2
converses with this program using a line-based protocol, so it is easy
to implement as a shell-script, for example. If this is set, and the
program does not exist, or cannot be run, authorization (user login) will
be denied. This will not be set by default. More information about the
protocol can be found in the distribution package, 
.I RFC.authorization_program_protocol
has a description of the protocol used and an example script is called
.IR ext_authorization_example.sh .
Note that the program is run with the privileges of the
.B sshd2
process, typically root. So be careful.
.ne 3

.TP
.B ForwardACL
With this option, you can have more fine-grained control over what the
client is allowed to forward, and to where. Format for this option is 

.I (allow|deny) (local|remote) user-pat forward-pat \fB[\fIoriginator-pat\fB]

.I user-pat
will be used to match the client user, as specified under option
.BR UserSpecificConfig .
.I forward-pat
is a pattern of format
.IR host-id\fB[\fI%port\fB]\fI .
This has different interpretations depending on whether the ACL is
specified for local or remote forwards. For local forwards, the
.I host-id
will match with the target host of the forwarding, as specified under
option
.BR AllowHosts .
.I port
will match with the target port. Also, if the client sent a host name,
the IP will be looked up from the DNS, which will be used to match the
pattern.  For remote forwardings, where the forward target is not known
(the client handles that end of the connection), this will be used to
match with the listen address specified by the user (and as such is not
as usable as with local forwards).
.I port
will match the port the server is supposed to be listening with this
forward.
With local forwards,
.I originator-pat
will match with originator address that the client has
reported. Remember, if you do not administer the client machine, or
the users on that machine have shell access, they may use a modified
copy of
.B ssh
that can be used to lie about the originator address. Also, with NATs
(Network Address Translation) the originator address will not be meaningful
(it will probably be an internal network address). So, you should not
rely on the originator address with local forwards, unless you know
exactly what you are doing.  With remote forwards, on the other hand,
.I originator-pat
will match with the IP address of the host connecting to the forwarded
port. This will be valid information, as it is the server checking that
information.

If you specify any
.I allow
directives, all forwards in that class (local or remote) not
specifically allowed will be denied (note that local and remote forwards
are separate in this respect; e.g. if you have one "allow remote"
definition, local forwards are still allowed, pending other
restrictions).  If a forward matches with both
.I allow
and
.I deny
directives, the forwarding will be denied. Also, if you have specified
any of the options
.B {Allow,Deny}TcpForwardingFor{Users,Groups}
or
.BR AllowTcpForwarding ,
and the forwarding for the user is disabled with those, an
.I allow
directive will not re-enable the forwarding for the user. Forwarding is
enabled by default.
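
The decision rules just described, as an added example that is not part of the sshd2 distribution: a Python evaluator for ForwardACL directives. It assumes every pattern is an egrep-style regex that must match the whole value (re.fullmatch), that the port part of host-id[%port] is matched as a regex against the decimal port, and that host-id and originator-pat are plain regexes here (the "\\i" and "\\m" forms of AllowHosts are left out).

```python
# Added example, not part of the sshd2 distribution: an evaluator for the
# ForwardACL rules described above.  Assumptions: every pattern is an
# egrep-style regex that must match the whole value (re.fullmatch); the
# port part of host-id[%port] is matched as a regex against the decimal
# port; host-id and originator-pat are matched as plain regexes here (the
# \i / \m forms from AllowHosts are left out).
import re
from dataclasses import dataclass


@dataclass
class ForwardRequest:
    kind: str        # "local" or "remote"
    user: str        # authenticated client user
    host: str        # local: forward target host; remote: requested listen address
    port: int        # local: target port; remote: listen port
    originator: str  # local: originator reported by the client; remote: connecting peer IP


def _fullmatch(pattern, value):
    return re.fullmatch(pattern, str(value)) is not None


def parse_forward_acl(lines):
    """Parse '(allow|deny) (local|remote) user-pat forward-pat [originator-pat]' lines."""
    rules = []
    for line in lines:
        fields = line.split()
        if len(fields) not in (4, 5):
            raise ValueError("bad ForwardACL line: %r" % line)
        action, kind, user_pat, forward_pat = fields[:4]
        if action not in ("allow", "deny") or kind not in ("local", "remote"):
            raise ValueError("bad ForwardACL line: %r" % line)
        host_pat, _, port_pat = forward_pat.partition("%")   # host-id[%port]
        originator_pat = fields[4] if len(fields) == 5 else None
        rules.append((action, kind, user_pat, host_pat, port_pat or None, originator_pat))
    return rules


def _rule_matches(rule, req):
    _action, kind, user_pat, host_pat, port_pat, originator_pat = rule
    if kind != req.kind or not _fullmatch(user_pat, req.user):
        return False
    if not _fullmatch(host_pat, req.host):
        return False
    if port_pat is not None and not _fullmatch(port_pat, req.port):
        return False
    if originator_pat is not None and not _fullmatch(originator_pat, req.originator):
        return False
    return True


def forward_permitted(rules, req, forwarding_enabled=True):
    """Decide one forward request.  forwarding_enabled is the verdict of
    AllowTcpForwarding and {Allow,Deny}TcpForwardingFor{Users,Groups}."""
    if not forwarding_enabled:
        return False    # an allow directive never re-enables forwarding disabled elsewhere
    verdicts = [rule[0] for rule in rules if _rule_matches(rule, req)]
    if "deny" in verdicts:
        return False    # matching both allow and deny means deny
    if "allow" in verdicts:
        return True
    # Nothing matched: a class (local or remote) with any allow directive
    # denies everything not explicitly allowed; the other class is untouched.
    class_has_allow = any(r[0] == "allow" and r[1] == req.kind for r in rules)
    return not class_has_allow


# Constructed sample ACL (not from any real sshd2_config).
EXAMPLE_ACL = parse_forward_acl([
    r"allow local .* intranet\.example\.com%(80|443)",
    r"deny local .* .*%23",
    r"allow remote alice .*%8080 192\.0\.2\..*",
])

if __name__ == "__main__":
    req = ForwardRequest("local", "alice", "intranet.example.com", 443, "127.0.0.1")
    print("local alice -> intranet.example.com:443:", forward_permitted(EXAMPLE_ACL, req))
```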
.ne 3

.TP
.B ForwardAgent
See \fBAllowAgentForwarding\fR.
.ne 3

.TP
.B HostbasedAuthForceClientHostnameDNSMatch
If the host name given by the client does not match the one found in
DNS, fail host-based authentication.  Defaults to "\fBno\fR".  Note
that this differs from 2.4 and earlier releases.
.ne 3

.TP
.B HostKeyEkInitString
Specifies the initialization string for the external host key
provider. This is ignored when the keyword \fBHostKeyEkProvider\fR
is not present or when external key support is not included in
the software. See
.BR ssh-externalkeys (5)
for details about specifying initialization strings. 
.ne 3

.TP
.B HostKeyEkProvider
Specifies the external host key provider. This is ignored when
external key support is not included in the software. See
.BR ssh-externalkeys (5)
for details about specifying providers. 
.ne 3

.TP
.B HostKeyEkTimeOut
Specifies the maximum time in seconds to wait for the keys from
the external host key provider. This is ignored when
external key support is not included in the software. 
.ne 3

.TP
.B HostKeyFile
Specifies the file containing the private host key (default
.IR /etc/ssh2/hostkey ).
.ne 3

.TP
.B HostSpecificConfig
Specifies a subconfiguration file for
.BR sshd2 .
The syntax for this option is
.LP
.RS
.I pattern subconfig-file
.LP
.I pattern
will be used to match the client host, as specified under option
.BR AllowHosts .
The file
.I subconfig-file
will then be read, and configuration data amended accordingly. The file
is read before any actual protocol transactions begin, and you can
specify most of the options allowed in the main configuration file. You
can specify more than one subconfiguration file, in which case the
patterns are matched and the files read in the order specified. Later
defined values of configuration options will either override or amend
the previous value depending on which option it is. The effect of
redefining an option is described in the documentation for that
option. For example, setting
.B Ciphers
in the subconfiguration file will override the old value, but setting
.B AllowUsers
will amend the value.
See
.BR sshd2_subconfig (5)
for more thorough documentation on what you can set in this
subconfiguration file.
.LP
See also option
.BR UserSpecificConfig .
.RE
.ne 3

.TP
.B IdleTimeOut
Sets the idle timeout limit to time in seconds (s or nothing after
number), in minutes (m), in hours (h), in days (d), or in weeks (w).
If the connection has been idle (all channels) this long,
the connection is closed. Default is 0 (zero), which disables idle timeouts.
.ne 3

.TP
.B IgnoreRhosts
Specifies that the
.I .rhosts
and
.I .shosts
files will not be used in
\fBhostbased\fR authentication (see
.BR AllowedAuthentications ).
.I /etc/hosts.equiv
and
.I /etc/shosts.equiv 
are still used as before.  The
argument must be
.YN
The default is "\fBno\fR".
.ne 3

.TP 
.B IgnoreRootRhosts
Specifies that the
.I rhosts 
and 
.I shosts 
files will not be used in authentication for root.  The default is the
value of 
.BR IgnoreRhosts .

.TP
.B KeepAlive
Specifies whether the system should send keepalive messages to
the other side.  If they are sent, death of the connection or
crash of one of the machines will be properly noticed.  However,
this means that connections will die if the route is down
temporarily, and some people find it annoying.  On the other hand,
if keepalives are not sent, sessions may hang indefinitely on the
server, leaving "ghost" users and consuming server resources.

The default is "\fByes\fR" (to send keepalives), and the server
will notice if the network goes down or the client host reboots.
This avoids infinitely hanging sessions.

To disable keepalives, the value should be set to "\fBno\fR" in
both the server and the client configuration files.
.ne 3

.TP
.B ListenAddress
Specifies the IP address of the interface where the
.B sshd2 
server socket is bound.
.ne 3

.TP
.B LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.  If the value is 0, there is no time limit.
The default is 600 (seconds).
.ne 3

.TP
.B MACs
Specifies the MAC (Message Authentication Code) algorithm to use for
data integrity verification.  Currently,
.\" XXX Could this be made dist-dependent ?
.IR hmac-sha1 ,
.IR hmac-sha1-96 ,
.IR hmac-md5 , 
.IR hmac-md5-96 ,
.IR hmac-ripemd160 ,
and
.I hmac-ripemd160-96
are supported, of which
.IR hmac-sha1 ,
.IR hmac-sha1-96 ,
.IR hmac-md5 , 
and
.I hmac-md5-96
are included in all distributions.  Multiple MACs can be specified 
as a comma-separated list.

Special values for this option are
.IR Any ,
.IR AnyStd ,
.IR none ,
.IR AnyMac ,
and \fIAnyStdMac\fR.  \fIAny\fR allows all MACs including \fInone\fR;
\fIAnyStd\fR allows only those mentioned in the IETF-SecSH draft and
\fInone\fR; \fInone\fR forbids any use of MACs; \fIAnyMac\fR and
\fIAnyStdMac\fR are analogous to the first two cases but exclude
\fInone\fR. \fIAnyStdMac\fR is the default.
.ne 3

.TP
.B MaxBroadcastsPerSecond
Specifies how many UDP broadcasts the server handles per second.  The default
value is 0 and no broadcasts are handled at all.  Broadcasts that
exceed the limit are silently ignored.  Received unrecognized UDP
datagrams also consume the capacity defined by this option.
.ne 3

.TP
.B MaxConnections
Specifies the maximum number of connections
.B sshd2
will handle simultaneously.  This is useful against flooding attacks
(attempts to interrupt the server from working properly by opening a
high amount of new connections).  The argument is a positive number (0
means only system limits).

Note that by using (at least) xinetd you achieve the same effect on a
more generic level.
.ne 3

.TP
.B NoDelay
If "\fByes\fR", enable socket option TCP_NODELAY.  The argument must be
.YN
The default is "\fBno\fR".
.ne 3

.TP
.B PasswdPath
Specifies the location of the
.B passwd
program (or equivalent). By default this is set to where the
.B configure
script found it. This program will be run with the privileges of the
user logging in.
.ne 3

.TP
.B PasswordGuesses
Specifies the number of tries that the user has when using
password authentication.  The default is 3.  Then, shalt thou 
count to three.  No more.  No less.
.ne 3

.TP
.B PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.  The
argument must be
.YN
The default is "\fByes\fR".
.ne 3

.TP
.B PermitRootLogin
Specifies whether root can log in using
.BR ssh2 .
May be set to "\fByes\fR", "\fBnopwd\fR", or "\fBno\fR".  The default
is "\fByes\fR", allowing root logins through any of the authentication
types allowed for other users.  The "\fBnopwd\fR" value disables
password-authenticated root logins.  The "\fBno\fR" value disables
root logins through any of the authentication methods.  ("\fBnopwd\fR"
and "\fBno\fR" are equivalent unless you have some other means of
authentication for root, e.g. public key.)

Root login with public-key authentication when the "\fBcommand\fR"
option has been specified will be allowed regardless of the value of
this setting (which may be useful for taking remote backups even if
root login is normally not allowed).
.ne 3

.TP
.B Port
Specifies the port number that
.B sshd2
listens on.  The current default is 22.
.ne 3

.TP
.B PrintMotd
Specifies whether
.B sshd2
should print 
.I /etc/motd
when a user logs in interactively.  The default is "\fByes\fR".  The
argument must be
.YN
.ne 3

.TP
.B PublicHostKeyFile
Specifies the file containing the public host key (default
.IR /etc/ssh2/hostkey.pub ).
.ne 3

.TP
.B QuietMode
Nothing is logged in the system log, except fatal errors.  The
argument must be
.YN
The default is "\fBno\fR".
.ne 3

.TP
.B RandomSeedFile
Specifies the name of the random seed file.
.ne 3

.TP
.B RekeyIntervalSeconds
The number of seconds after which the key exchange is done again.
The default is 3600 seconds (1 hour).  Value '0' turns rekey requests
off.  This does not prevent the client from requesting rekeys.  Other
clients (not
.BR ssh2 )
may not have rekey capabilities implemented correctly, and
they might not like rekey requests.  This means that they may possibly close
the connection or even crash.
.ne 3

.TP
.B RequiredAuthentications
Analogous to \fBAllowedAuthentications\fR, with one difference: the
authentication methods listed here \fImust all\fR succeed before a
user is considered authenticated.  Leaving this list empty is
equivalent to not using the option at all.

If this option is set, \fBAllowedAuthentications\fR is
ignored.  \fBNOTE:\fR versions of \fBsshd2\fR before 3.1.0 required
\fBRequiredAuthentications\fR to be a subset of
\fBAllowedAuthentications\fR.  This is no longer the case.
.ne 3

.TP
.B RequireReverseMapping
This is used to check whether hostname DNS lookup
.I must
succeed when checking whether connections from host are allowed using
.B AllowHosts
and
.BR DenyHosts .
If this is set to
.BR yes ,
and if name lookup fails, the connection is denied.  If set to
.BR no ,
and name lookup fails, the remote host's IP address is used to check
whether it is allowed to connect.  This is probably not what you want
if you have specified only host names (not IP addresses) with
.BR {Allow,Deny}Hosts .
See also
.BR ResolveClientHostName .
The default is "\fBno\fR".  The argument must be
.YN
.ne 3

.TP
.B ResolveClientHostName
This parameter controls whether
.B sshd2
will try to resolve the client IP address at all.  This is useful when
you know that the DNS cannot be reached, and the query
would cause additional delay in logging in.  Note that if you set this
to "\fBno\fR", you should not set
.B RequireReverseMapping
to "\fByes\fR".  The default is "\fByes\fR".  The argument must be
.YN
.ne 3

.TP
.B SettableEnvironmentVars
This keyword can be followed by any number of patterns, separated by
commas.  Patterns are matched using the egrep syntax (see
\fBsshregex\fR(1)), or the syntax specified in the metaconfig header
of the configuration file.  You can use the comma ',' character in
the patterns by escaping it with
'\\' (backslash).  By default, no environment variables can be set (but
the default
.I /etc/ssh2/sshd2_config
file specifies some common and safe environment variables).

With this option, you can allow setting of some or all environment
variables.  This option is used to check whether setting is allowed by
the client (\fBssh2\fR), by the user's
.I $HOME/.ssh2/environment
file or public key options.  This is not used when setting variables
from
.I /etc/environment
or other "root-only" files, as the user does not have control over those
anyway.

Note that this option only changes the setting of environment variables
\fIbefore\fR the user's shell is run.  After that, the user is of course
free to set whatever variables she wants on that environment.
.ne 3

.TP
.B SftpSysLogFacility
As
.BR SysLogFacility ,
but defines what log facility the
.B sftp-server
(internal or otherwise) will use. By default, this has no value, i.e. no
logging is performed by the subsystem.
.ne 3

.TP
.B Ssh1Compatibility
With this option,
.B sshd1
is executed when the client supports only SSH 1.x protocols.  The argument
must be
.YN
.ne 3

.TP
.B Sshd1ConfigFile
This is only used if 
.B sshd2
is executed with the \fB-f\fR command line option.  Specifies an
alternate configuration file for \fBsshd1\fR for the case that \fBsshd2\fR
runs in compatibility mode.  (If \fB-f\fR is not specified, \fBsshd1\fR
will read its configuration from the standard location, typically
\fI/etc/sshd_config\fR.)
.ne 3

.TP
.B Sshd1Path
Specifies the path to the
.B sshd1 
executable to be executed in SSH1 compatibility mode.  The arguments for 
.B sshd2 
are passed on to 
.BR sshd1 .
.ne 3

.TP
.B StrictModes
Specifies whether 
.B sshd2 
should check file modes and ownership of the user's home directory and
rhosts files before accepting login.  This is normally desirable because
novices sometimes accidentally leave their directory or files
world-writable.  The argument must be
.YN 
The default is "\fByes\fR".  (Only done with host-based authentication.)
.ne 3

.TP
.B Subsystem-<subsystem name>
Specifies a subsystem.  The argument is a command which will be
executed when the subsystem is requested.

\fBsftp\fR uses a subsystem of \fBsshd2\fR to transfer files securely.  In order
to use the sftp server, you must have the following subsystem definition:

\fBsubsystem-sftp\fR \fIsftp-server\fR

(the default way, with the defined command) or

\fBsubsystem-sftp\fR \fIinternal://sftp-server\fR

which will execute an sftp-service internally in the child
process. Normally, the child process would execute a command using the
user's shell, but in this case it will start to handle SFTP
requests. This enables better logging in chrooted environments, and
does not require any static binaries to be built, as the only binary
needed will be
.B sshd2
itself.
.ne 3

.TP
.B SyslogFacility
Gives the facility code that is used when logging messages from
.BR sshd2 .
The possible values are: \fIDAEMON\fR, \fIUSER\fR, \fIAUTH\fR,
\fILOCAL0\fR, \fILOCAL1\fR, \fILOCAL2\fR,
\fILOCAL3\fR, \fILOCAL4\fR, \fILOCAL5\fR,
\fILOCAL6\fR, \fILOCAL7\fR.  The default is \fIAUTH\fR.
.ne 3

.TP
.B UserConfigDirectory
Specifies where user-specific configuration data is found.  With this
the administration can control those options that are usually
controlled by the user.  This is given as a pattern string which is
expanded by \fBsshd2\fR.  %D is the user's home directory, %U is the
user's login name, %IU is the user's user ID (uid) and %IG is the user's
group ID (gid).  The default is
.IR %D/.ssh2 .

.TP
.B UserKnownHosts
Specifies whether \fI$HOME/.ssh2/knownhosts/\fR can be used
to fetch host public keys when using \fBhostbased\fR authentication.
The argument must be
.YN
The default is "\fByes\fR".
.ne 3

.TP
.B UserSpecificConfig
As
.BR HostSpecificConfig ,
but these configuration files are read later, when the user name the
client is trying to log in as is known.  Also the range of configuration
options available is smaller, because the rest would not make
sense in these files.  You can use patterns of the form
"\fIuser\fB[\fI%group\fB][\fI@host\fB]\fR", where the pattern
.I user
is
matched with the user name and UID, 
.I group
is matched with the
user's primary and any secondary groups, both group name and GID, and
.I host
is matched as described under option 
.BR AllowHosts .
See
.BR sshd2_subconfig (5)
for more thorough documentation on what you can set in this
subconfiguration file.
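
The pattern form just described, as an added example that is not part of the sshd2 distribution: Python code that splits a "user[%group][@host]" pattern into its parts, matches the user part against both login name and UID, the group part against every group by name and GID, and selects the subconfiguration files in the order the directives were given. It assumes egrep-style patterns must match the whole value (re.fullmatch) and matches the host part as a plain regex on the canonical client host name (the "\\i" and "\\m" forms of AllowHosts are left out); the directives and file names are constructed.

```python
# Added example, not part of the sshd2 distribution: parsing and matching
# of the UserSpecificConfig pattern form user[%group][@host].  Assumptions:
# parts are egrep-style regexes matched against the whole value
# (re.fullmatch); the host part is matched as a plain regex on the
# canonical client host name (the \i / \m forms of AllowHosts are left out).
import re
from dataclasses import dataclass


@dataclass
class ClientUser:
    name: str     # login name the client is trying to log in as
    uid: int
    groups: dict  # group name -> GID, primary and secondary groups
    host: str     # canonical client host name (or its IP if unresolvable)


def _fullmatch(pattern, value):
    return re.fullmatch(pattern, str(value)) is not None


def parse_user_pattern(pattern):
    """Split 'user[%group][@host]' into (user, group, host); absent parts are None."""
    user_part, _, host_pat = pattern.partition("@")    # host comes after '@'
    user_pat, _, group_pat = user_part.partition("%")  # group comes after '%'
    return user_pat, group_pat or None, host_pat or None


def user_pattern_matches(pattern, client):
    user_pat, group_pat, host_pat = parse_user_pattern(pattern)
    # user is matched against both the login name and the UID
    if not (_fullmatch(user_pat, client.name) or _fullmatch(user_pat, client.uid)):
        return False
    # group is matched against every group the user is in, by name and by GID
    if group_pat is not None and not any(
            _fullmatch(group_pat, name) or _fullmatch(group_pat, gid)
            for name, gid in client.groups.items()):
        return False
    # host is matched as under AllowHosts (plain regex here)
    if host_pat is not None and not _fullmatch(host_pat, client.host):
        return False
    return True


def select_subconfigs(directives, client):
    """Return the subconfiguration files to read, in the order the
    UserSpecificConfig directives were given (each is 'pattern subconfig-file')."""
    files = []
    for line in directives:
        pattern, subconfig_file = line.split(None, 1)
        if user_pattern_matches(pattern, client):
            files.append(subconfig_file.strip())
    return files


# Constructed sample directives and client (file names are placeholders).
EXAMPLE_DIRECTIVES = [
    r".*%wheel admins.conf",
    r"alice@.*\.example\.com alice.conf",
    r"1[0-9]{3} regular_users.conf",
    r"bob bob.conf",
    r".*%[0-9]+@10\..* internal.conf",
]

if __name__ == "__main__":
    client = ClientUser("alice", 1001, {"staff": 50, "wheel": 10}, "ws1.example.com")
    print(select_subconfigs(EXAMPLE_DIRECTIVES, client))
```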
.ne 3

.TP
.B VerboseMode
Causes 
.B sshd2 
to print debugging messages about its progress.  This is helpful in
debugging connection, authentication, and configuration problems.  Also
causes
.B sshd2
to not fork on connection, so only one connection is handled at a time.
.ne 3

.TP
.B XauthPath
Specifies where to find the "xauth" program. This option is mostly
useful if you are using prebuilt binaries and your X11 programs are
installed somewhere that
.B ssh2
does not know about. The default is set by the
.B configure
script.
.ne 3

.SH AUTHORS
.LP

SSH Communications Security Corp.

For more information, see http://www.ssh.com.

.SH SEE ALSO
.BR sshd2_subconfig (5),
.BR sshd2 (8),
.BR sshd-check-conf (5),
.BR sshregex (1)