author: sobrado@openbsd.org <sobrado@openbsd.org> 2015-10-07 14:45:30 +0000
committer: Damien Miller <djm@mindrot.org> 2015-10-08 04:01:05 +1100
commit: bdcb73fb7641b1cf73c0065d1a0dd57b1e8b778e
tree: 48d9a4e57c8a5fee40396e5e22d32adf9ae0808e
parent: 2905d6f99c837bb699b6ebc61711b19acd030709
upstream commit
UsePrivilegeSeparation defaults to sandbox now.
ok djm@
Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f
-rw-r--r-- sshd_config.5 13
1 files changed, 9 insertions, 4 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index cd3b5cfe3..149dc7e14 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.212 2015/09/11 03:13:36 djm Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.213 2015/10/07 14:45:30 sobrado Exp $
37.Dd $Mdocdate: September 11 2015 $ 37.Dd $Mdocdate: October 7 2015 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -1587,14 +1587,19 @@ After successful authentication, another process will be created that has
1587the privilege of the authenticated user. 1587the privilege of the authenticated user.
1588The goal of privilege separation is to prevent privilege 1588The goal of privilege separation is to prevent privilege
1589escalation by containing any corruption within the unprivileged processes. 1589escalation by containing any corruption within the unprivileged processes.
1590The default is 1590The argument must be
1591.Dq yes . 1591.Dq yes ,
1592.Dq no ,
1593or
1594.Dq sandbox .
1592If 1595If
1593.Cm UsePrivilegeSeparation 1596.Cm UsePrivilegeSeparation
1594is set to 1597is set to
1595.Dq sandbox 1598.Dq sandbox
1596then the pre-authentication unprivileged process is subject to additional 1599then the pre-authentication unprivileged process is subject to additional
1597restrictions. 1600restrictions.
1601The default is
1602.Dq sandbox .
1598.It Cm VersionAddendum 1603.It Cm VersionAddendum
1599Optionally specifies additional text to append to the SSH protocol banner 1604Optionally specifies additional text to append to the SSH protocol banner
1600sent by the server upon connection. 1605sent by the server upon connection.
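Review bot: In the second hunk of sshd_config.5, the rewritten paragraph (new lines 1590-1602) lists "yes", "no" and "sandbox" as accepted arguments but still explains only "sandbox", and only as "additional restrictions"; a reader cannot tell from this text what "no" turns off or how "yes" differs from the new default. Suggest one sentence per value, and either naming the restrictions applied to the pre-authentication process or pointing to where they are documented. Because the documented default moves from "yes" to "sandbox", the default sentence would also be easier to find directly after the list of arguments rather than at the end of the paragraph, after the sandbox description. The commit touches only the manual page (1 file changed), so the message should say which change made sandbox the actual default, so the documentation can be checked against the code.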