
sshd_config

Manoj Ampalam edited this page May 31, 2018 · 43 revisions

Listed here are Windows-specific details that supplement or override the original sshd configuration manual documented in the OpenBSD man page. If a configuration entry is not listed here, the original man page reference holds true.

On Windows, sshd reads configuration data from %ProgramData%\ssh\sshd_config (or the file specified with -f on the command line).


The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

See PATTERNS in ssh_config for more information on patterns.

User and group names are case insensitive on Windows (unlike on Unix). Always use lower case when specifying them, regardless of the account's original case.

Note the following for domain accounts:

Prior to v7.7.0.0, there was no well-defined way to specify domain principals (users and groups). To cover a domain principal in its various forms, use the format user?domain* in user/group based rules: the ? in place of @ avoids a conflict with the username@host format, and the trailing * covers FQDNs.

From v7.7.0.0 onwards, workgroup users/groups and internet-connected accounts are strictly resolved to their local account name (no domain part, similar to standard Unix names). Domain users and groups are strictly resolved to NameSamCompatible format: domain_short_name\user_name. All user/group based configuration rules need to adhere to this format.

  • Ex. for domain users
    • DenyUsers contoso\admin@192.168.2.23 : blocks contoso\admin from 192.168.2.23
    • DenyUsers contoso\* : blocks all users from contoso domain
  • Ex. for local users

Note that user names are in lower case


For the AuthenticationMethods directive, the available authentication methods are "password" and "publickey".


Support added in v7.7.0.0

To set up an sftp-only chroot server, set ForceCommand to internal-sftp. You may also set up scp with chroot by implementing a custom shell that only allows scp and sftp.
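The rule order (DenyUsers, AllowUsers, DenyGroups, AllowGroups), the v7.7.0.0 name formats and the sftp-only Match block described above can be checked against a config fragment before it is deployed. The script below is an added example, not code from the Win32-OpenSSH project: it parses a constructed sshd_config fragment (the contoso domain, the sftponly group, the C:\sftp_root path and every account name are made up) and reports, for a given user, group list and source host, whether the login is permitted and which rule decided it. Its Match handling (User and Group criteria, ForceCommand, ChrootDirectory) is a simplification of sshd's real Match logic and is an assumption of this example, not the documented behaviour.

```python
"""Simulate Windows sshd user/group rule evaluation (added example)."""
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

# Constructed sshd_config fragment; domain, group and account names are made up.
SAMPLE_SSHD_CONFIG = r"""
# Global rules, evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups
DenyUsers contoso\admin@192.168.2.23
DenyUsers contoso\*
AllowUsers localadmin contoso\svc_backup sftp*
DenyGroups guests
AllowGroups administrators contoso\sshusers sftponly
AuthenticationMethods publickey

# sftp-only chroot for members of the local group "sftponly" (path is a placeholder)
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory C:\sftp_root
"""


@dataclass
class SshdConfig:
    global_rules: dict = field(default_factory=dict)   # lower-cased keyword -> args
    match_blocks: list = field(default_factory=list)   # (criteria, directives) pairs


@dataclass
class Decision:
    allowed: bool
    reason: str
    forced_command: Optional[str] = None
    chroot: Optional[str] = None


def parse_sshd_config(text: str) -> SshdConfig:
    """Collect global directives and Match blocks; keyword case is ignored."""
    cfg = SshdConfig()
    current = cfg.global_rules
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        keyword = keyword.lower()
        if keyword == "match":
            if len(args) % 2:
                raise ValueError(f"Match criteria must be key/value pairs: {line}")
            # Match User a,b Group c  ->  {"user": ["a", "b"], "group": ["c"]}
            criteria = {args[i].lower(): args[i + 1].split(",") for i in range(0, len(args), 2)}
            current = {}
            cfg.match_blocks.append((criteria, current))
            continue
        current.setdefault(keyword, []).extend(args)
    return cfg


def _glob(pattern: str, value: str) -> bool:
    """sshd-style * and ? wildcards; names compare case-insensitively on Windows."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def user_matches(pattern: str, user: str, host: str) -> bool:
    """A user@host pattern only applies to connections from a matching host."""
    user_pat, _, host_pat = pattern.partition("@")
    if host_pat and not _glob(host_pat, host):
        return False
    return _glob(user_pat, user)


def _match_applies(criteria: dict, user: str, groups: list) -> bool:
    for key, patterns in criteria.items():
        if key == "user":
            ok = any(_glob(p, user) for p in patterns)
        elif key == "group":
            ok = any(_glob(p, g) for p in patterns for g in groups)
        else:
            raise ValueError(f"Match criterion {key!r} is not modelled in this example")
        if not ok:
            return False
    return True


def evaluate_login(cfg: SshdConfig, user: str, groups: list, host: str) -> Decision:
    """Apply the documented order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    rules = cfg.global_rules
    for pat in rules.get("denyusers", []):
        if user_matches(pat, user, host):
            return Decision(False, f"DenyUsers {pat}")
    allow_users = rules.get("allowusers", [])
    if allow_users and not any(user_matches(p, user, host) for p in allow_users):
        return Decision(False, "not listed in AllowUsers")
    for pat in rules.get("denygroups", []):
        if any(_glob(pat, g) for g in groups):
            return Decision(False, f"DenyGroups {pat}")
    allow_groups = rules.get("allowgroups", [])
    if allow_groups and not any(_glob(p, g) for p in allow_groups for g in groups):
        return Decision(False, "no group listed in AllowGroups")
    decision = Decision(True, "allowed")
    for criteria, directives in cfg.match_blocks:   # later blocks override earlier ones
        if _match_applies(criteria, user, groups):
            if "forcecommand" in directives:
                decision.forced_command = " ".join(directives["forcecommand"])
            if "chrootdirectory" in directives:
                decision.chroot = " ".join(directives["chrootdirectory"])
    return decision


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for user, groups, host in [
        (r"contoso\admin", [r"contoso\domain users"], "192.168.2.23"),
        (r"contoso\svc_backup", [r"contoso\sshusers"], "10.0.0.5"),  # denied: DenyUsers runs first
        ("localadmin", ["Administrators"], "10.0.0.5"),
        ("sftpbob", ["Users", "SFTPOnly"], "10.0.0.5"),
    ]:
        print(user, host, evaluate_login(cfg, user, groups, host))
```

Two things the run makes visible: `contoso\svc_backup` is rejected even though AllowUsers names it, because `DenyUsers contoso\*` is evaluated first; and the mixed-case `SFTPOnly` group still selects the sftp-only Match block, which is why the page insists on lower-case names in the config itself.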


The pattern rules described above apply in this section as well: user and group names should be in lower case.


Not supported

  • AcceptEnv
  • AllowStreamLocalForwarding
  • AuthorizedKeysCommand
  • AuthorizedKeysCommandUser
  • AuthorizedPrincipalsCommand
  • AuthorizedPrincipalsCommandUser
  • ChrootDirectory
  • Compression
  • DenyGroups
  • DenyUsers
  • ExposeAuthInfo
  • GSSAPIAuthentication
  • GSSAPICleanupCredentials
  • GSSAPIStrictAcceptorCheck
  • HostbasedAcceptedKeyTypes
  • HostbasedAuthentication
  • HostbasedUsesNameFromPacketOnly
  • IgnoreRhosts
  • IgnoreUserKnownHosts
  • KbdInteractiveAuthentication
  • KerberosAuthentication
  • KerberosGetAFSToken
  • KerberosOrLocalPasswd
  • KerberosTicketCleanup
  • PermitRootLogin
  • PermitTunnel
  • PermitUserEnvironment
  • PermitUserRC
  • PidFile
  • PrintLastLog
  • RDomain
  • StreamLocalBindMask
  • StreamLocalBindUnlink
  • StrictModes
  • X11DisplayOffset
  • X11Forwarding
  • X11UseLocalhost
  • XAuthLocation
