<p>PasswordAuthentication setting for sshd_config. Default is ‘no’, which requires key-based authentication. This is a recommended security setting, so passwords do not show up in logs, but can be set to ‘yes’ if password authentication is desired.</p>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>PermitEmptyPasswords setting for sshd_config. Default is ‘no’, which is a recommended security setting and works in connection with key-based authentication, but can be set to ‘yes’ if password authentication should be allowed and empty passwords should be allowed. Again, this should be used with caution if enabled.</p>
<p>setting for sshd_config. Default is ‘no’, which is a recommended security setting together with password authentication, but can be set to ‘yes’ if keyboard-interactive authentication should be allowed. (not recommended)</p>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. Kerberos authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to ‘yes’ if desired.</p>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to allow local password authentication as a fallback if Kerberos authentication fails, but can be set to ‘no’ if you want to only allow Kerberos authentication.</p>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable ticket cleanup, but can be set to ‘no’ if you want to disable it.</p>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable AFS token retrieval, but can be set to ‘no’ if you want to disable it.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_kerberos_use_kuserok</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable userok with Kerberos, but can be set to ‘no’ if you want to disable it.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_use_kerberos</span>
<spanclass='type'>(<tt>Boolean</tt>)</span>
<emclass="default">(defaults to: <tt>false</tt>)</em>
—
<divclass='inline'>
<p>whether to use Kerberos authentication. If true, the relevant Kerberos settings will be included in the sshd_config, otherwise they will be ignored.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_use_gssapi</span>
<spanclass='type'>(<tt>Boolean</tt>)</span>
<emclass="default">(defaults to: <tt>false</tt>)</em>
—
<divclass='inline'>
<p>whether to use GSSAPI authentication. If true, GSSAPI authentication will be enabled in sshd_config, otherwise it will be disabled. GSSAPI authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to true if desired.</p>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS authentication, but can be set to ‘no’ if you want to disable it.</p>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS credential cleanup, but can be set to ‘no’ if you want to disable it.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_gssapi_key_exchange</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS key exchange.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_gssapi_enablek5users</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSSAPI for k5users.</p>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’. PAM is not commonly used for SSH authentication and can introduce security risks if not configured properly, so it is disabled by default. Thi setting is related to PasswordAuthentication and KbdInteractiveAuthentication, and should be set to ‘yes’ only if you want to use PAM for authentication together with those settings.</p>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘yes’, which allows SSH agent forwarding, but can be set to ‘no’ if you want to disable this feature for security reasons.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_allow_tcp_forwarding</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘yes’, which allows TCP forwarding, but can be set to ‘no’ if you want to disable this feature for security reasons.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_gateway_ports</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’, which means that remote hosts cannot connect to forwarded ports, but can be set to ‘yes’ or ‘clientspecified’ if you want to allow remote hosts to connect to forwarded ports. This setting should be used with caution if enabled, as it can introduce security risks.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_x11_forwarding</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’, which disables X11 forwarding, but can be set to ‘yes’ if you want to allow X11 forwarding. This setting should be used with caution if enabled.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_x11_display_offset</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'10'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘10’. This setting is only relevant if X11 forwarding is enabled, and specifies the first display number available for X11 forwarding. The default of ‘10’ means that the first forwarded display will be :10, the second will be :11, and so on. This setting can be adjusted if you want to use a different range of display numbers for X11 forwarding.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_x11_use_localhost</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘yes’, which means that X11 forwarding will only be available on the loopback interface, but can be set to ‘no’ if you want to allow X11 forwarding on all network interfaces.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_permit_tty</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘yes’, which allows TTY allocation, but can be set to ‘no’ if you want to disable TTY allocation.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_print_motd</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘yes’, which means that the message of the day will be printed when users log in, but can be set to ‘no’ if you want to disable this feature.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_print_lastlog</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘yes’, which means that the last login information will be printed when users log in, but can be set to ‘no’ if you want to disable this feature.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_tcp_keepalive</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'yes'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘yes’, which means that TCP keepalive messages will be sent, but can be set to ‘no’ if you want to disable this feature. This setting can be useful to disable if you have issues with dropped connections, but in general it is recommended to keep it enabled.</p>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’, which means that user environment variables will not be processed, but can be set to ‘yes’ if you want to allow users to specify environment variables in their ~/.ssh/environment file.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_compression</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'delayed'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘delayed’, which means that compression will be enabled after successful authentication, but can be set to ‘yes’ if you want to enable compression from the start of the connection. The ‘delayed’ setting is a good compromise that allows for faster authentication while still providing the benefits of compression for the rest of the session.</p>
<emclass="default">(defaults to: <tt>'0'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘0’, which means that no keepalive messages will be sent by the server, but can be set to a positive integer to specify the interval in seconds between keepalive messages sent by the server to the client. This can be useful to detect and close stale connections, but should be used with caution as it can cause unexpected disconnections if set too aggressively.</p>
<emclass="default">(defaults to: <tt>'3'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘3’. This setting is only relevant if ssh_client_alive_interval is set to a positive integer, and specifies the number of consecutive keepalive messages that can be sent without receiving a response from the client before the server considers the connection to be stale and disconnects it.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_use_dns</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’, which means that the server will not perform DNS lookups on connecting clients, but can be set to ‘yes’ if you want the server to perform DNS lookups. Disabling DNS lookups can improve connection times and reduce the risk of DNS spoofing attacks, so it is generally recommended to keep this setting disabled unless you have a specific need for it.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_pid_file</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'/var/run/sshd.pid'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘/var/run/sshd.pid’, which is the common location for the sshd PID file, but can be set to a different path if desired. This setting specifies the location of the sshd PID file.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_max_startups</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'10:30:100'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘10:30:100’, which means that the server will allow up to 10 concurrent unauthenticated connections, and will start dropping connections with a probability that increases linearly.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_permit_tunnel</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'no'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘no’, which means that tunneling is not allowed, but can be set to ‘yes’ if you want to allow tunneling, or ‘point-to-point’ to allow only point-to-point tunneling. This setting should be used with caution if enabled.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_chroot_directory</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'none'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘none’, which means that no chroot directory will be used, but can be set to a valid directory path if you want to use chroot for SSH sessions.</p>
</div>
</li>
<li>
<spanclass='name'>ssh_version_addendum</span>
<spanclass='type'>(<tt>String</tt>)</span>
<emclass="default">(defaults to: <tt>'none'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘none’, which means that no version addendum will be included in the SSH banner, but can be set to a custom string if you want to include additional information in the SSH version banner. This can be used for branding purposes, but should be used with caution as it can potentially leak information about the server that could be useful to attackers.</p>
<emclass="default">(defaults to: <tt>'none'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘none’, which means that no banner will be displayed to users when they connect, but can be set to a valid file path if you want to display a custom banner message to users when they connect. This can be used to display legal notices, security warnings, or other information to users when they connect to the SSH server.</p>
<emclass="default">(defaults to: <tt>'2m'</tt>)</em>
—
<divclass='inline'>
<p>setting for sshd_config. Default is ‘2m’, which means that users have 2 minutes to successfully authenticate before the server disconnects them, but can be set to a different time interval if desired. This setting can be used to limit the amount of time that attackers have to attempt to brute-force authentication, but should be set to a reasonable value to avoid disconnecting legitimate users who may need more time to log</p>
