- naddy@cvs.openbsd.org 2014/03/28 05:17:11

[ssh_config.5 sshd_config.5] sync available and default algorithms, improve algorithm list formatting help from jmc@ and schwarze@, ok deraadt@
author: Damien Miller <djm@mindrot.org> 2014-04-20 13:22:46 +1000
committer: Damien Miller <djm@mindrot.org> 2014-04-20 13:22:46 +1000
commit: c1621c84f2dc1279065ab9fde2aa9327af418900 (patch)
tree: 7e5f4ec6d7024c98ec9209541db0ff20983627e7
parent: f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 (diff)
3 files changed, 153 insertions, 61 deletions
diff --git a/ChangeLog b/ChangeLog
index 1781b44bd..e7a6e97c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -61,6 +61,10 @@
   - tedu@cvs.openbsd.org 2014/03/26 19:58:37
     [sshd.8 sshd.c]
     remove libwrap support. ok deraadt djm mfriedl
+   - naddy@cvs.openbsd.org 2014/03/28 05:17:11
+     [ssh_config.5 sshd_config.5]
+     sync available and default algorithms, improve algorithm list formatting
+     help from jmc@ and schwarze@, ok deraadt@
 20140401
 - (djm) On platforms that support it, use prctl() to prevent sftp-server
diff --git a/ssh_config.5 b/ssh_config.5
index b5803920f..f96f37ba3 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.185 2014/02/23 20:11:36 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.186 2014/03/28 05:17:11 naddy Exp $
-.Dd $Mdocdate: February 23 2014 $
+.Dd $Mdocdate: March 28 2014 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -342,30 +342,47 @@ in order of preference.
 Multiple ciphers must be comma-separated.
 The supported ciphers are:
 .Pp
-.Dq 3des-cbc ,
+.Bl -item -compact -offset indent
-.Dq aes128-cbc ,
+.It
-.Dq aes192-cbc ,
+3des-cbc
-.Dq aes256-cbc ,
+.It
-.Dq aes128-ctr ,
+aes128-cbc
-.Dq aes192-ctr ,
+.It
-.Dq aes256-ctr ,
+aes192-cbc
-.Dq aes128-gcm@openssh.com ,
+.It
-.Dq aes256-gcm@openssh.com ,
+aes256-cbc
-.Dq arcfour128 ,
+.It
-.Dq arcfour256 ,
+aes128-ctr
-.Dq arcfour ,
+.It
-.Dq blowfish-cbc ,
+aes192-ctr
-.Dq cast128-cbc ,
+.It
-and
+aes256-ctr
-.Dq chacha20-poly1305@openssh.com .
+.It
+aes128-gcm@openssh.com
+.It
+aes256-gcm@openssh.com
+.It
+arcfour
+.It
+arcfour128
+.It
+arcfour256
+.It
+blowfish-cbc
+.It
+cast128-cbc
+.It
+chacha20-poly1305@openssh.com
+.El
 .Pp
 The default is:
-.Bd -literal -offset 3n
+.Bd -literal -offset indent
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
 chacha20-poly1305@openssh.com,
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
+arcfour256,arcfour128,
-aes256-cbc,arcfour
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
+aes192-cbc,aes256-cbc,arcfour
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
@@ -893,8 +910,8 @@ The default is:
 curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
 diffie-hellman-group14-sha1,
+diffie-hellman-group-exchange-sha1,
 diffie-hellman-group1-sha1
 .Ed
 .It Cm LocalCommand
@@ -974,13 +991,14 @@ calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+umac-64@openssh.com,umac-128@openssh.com,
-hmac-md5-96-etm@openssh.com,
+hmac-sha2-256,hmac-sha2-512,
-hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
+hmac-ripemd160-etm@openssh.com,
+hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
+hmac-md5,hmac-sha1,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 .Ed
 .It Cm NoHostAuthenticationForLocalhost
diff --git a/sshd_config.5 b/sshd_config.5
index ce71efe3c..88be8d984 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $
-.Dd $Mdocdate: February 27 2014 $
+.Dd $Mdocdate: March 28 2014 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -337,30 +337,44 @@ Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
 The supported ciphers are:
 .Pp
-.Dq 3des-cbc ,
+.Bl -item -compact -offset indent
-.Dq aes128-cbc ,
+.It
-.Dq aes192-cbc ,
+3des-cbc
-.Dq aes256-cbc ,
+.It
-.Dq aes128-ctr ,
+aes128-cbc
-.Dq aes192-ctr ,
+.It
-.Dq aes256-ctr ,
+aes192-cbc
-.Dq aes128-gcm@openssh.com ,
+.It
-.Dq aes256-gcm@openssh.com ,
+aes256-cbc
-.Dq arcfour128 ,
+.It
-.Dq arcfour256 ,
+aes128-ctr
-.Dq arcfour ,
+.It
-.Dq blowfish-cbc ,
+aes192-ctr
-.Dq cast128-cbc ,
+.It
-and
+aes256-ctr
-.Dq chacha20-poly1305@openssh.com .
+.It
+aes128-gcm@openssh.com
+.It
+aes256-gcm@openssh.com
+.It
+arcfour
+.It
+arcfour128
+.It
+arcfour256
+.It
+blowfish-cbc
+.It
+cast128-cbc
+.It
+chacha20-poly1305@openssh.com
+.El
 .Pp
 The default is:
-.Bd -literal -offset 3n
+.Bd -literal -offset indent
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-chacha20-poly1305@openssh.com,
+chacha20-poly1305@openssh.com
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-aes256-cbc,arcfour
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
@@ -672,14 +686,33 @@ The default is
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-The default is
+The supported algorithms are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+curve25519-sha256@libssh.org
+.It
+diffie-hellman-group1-sha1
+.It
+diffie-hellman-group14-sha1
+.It
+diffie-hellman-group-exchange-sha1
+.It
+diffie-hellman-group-exchange-sha256
+.It
+ecdh-sha2-nistp256
+.It
+ecdh-sha2-nistp384
+.It
+ecdh-sha2-nistp521
+.El
+.Pp
+The default is:
 .Bd -literal -offset indent
 curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
+diffie-hellman-group14-sha1
-diffie-hellman-group14-sha1,
-diffie-hellman-group1-sha1
 .Ed
 .It Cm KeyRegenerationInterval
 In protocol version 1, the ephemeral server key is automatically regenerated
@@ -751,16 +784,53 @@ The algorithms that contain
 .Dq -etm
 calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
+The supported MACs are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+hmac-md5
+.It
+hmac-md5-96
+.It
+hmac-ripemd160
+.It
+hmac-sha1
+.It
+hmac-sha1-96
+.It
+hmac-sha2-256
+.It
+hmac-sha2-512
+.It
+umac-64@openssh.com
+.It
+umac-128@openssh.com
+.It
+hmac-md5-etm@openssh.com
+.It
+hmac-md5-96-etm@openssh.com
+.It
+hmac-ripemd160-etm@openssh.com
+.It
+hmac-sha1-etm@openssh.com
+.It
+hmac-sha1-96-etm@openssh.com
+.It
+hmac-sha2-256-etm@openssh.com
+.It
+hmac-sha2-512-etm@openssh.com
+.It
+umac-64-etm@openssh.com
+.It
+umac-128-etm@openssh.com
+.El
+.Pp
 The default is:
 .Bd -literal -offset indent
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+umac-64@openssh.com,umac-128@openssh.com,
-hmac-md5-96-etm@openssh.com,
+hmac-sha2-256,hmac-sha2-512
-hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
-hmac-sha1-96,hmac-md5-96
 .Ed
 .It Cm Match
 Introduces a conditional block.
author	Damien Miller <djm@mindrot.org>	2014-04-20 13:22:46 +1000
committer	Damien Miller <djm@mindrot.org>	2014-04-20 13:22:46 +1000
commit	c1621c84f2dc1279065ab9fde2aa9327af418900 (patch)
tree	7e5f4ec6d7024c98ec9209541db0ff20983627e7
parent	f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 (diff)

diff --git a/ChangeLog b/ChangeLog index 1781b44bd..e7a6e97c6 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -61,6 +61,10 @@
61	- tedu@cvs.openbsd.org 2014/03/26 19:58:37	61	- tedu@cvs.openbsd.org 2014/03/26 19:58:37
62	[sshd.8 sshd.c]	62	[sshd.8 sshd.c]
63	remove libwrap support. ok deraadt djm mfriedl	63	remove libwrap support. ok deraadt djm mfriedl
		64	- naddy@cvs.openbsd.org 2014/03/28 05:17:11
		65	[ssh_config.5 sshd_config.5]
		66	sync available and default algorithms, improve algorithm list formatting
		67	help from jmc@ and schwarze@, ok deraadt@
64		68
65	20140401	69	20140401
66	- (djm) On platforms that support it, use prctl() to prevent sftp-server	70	- (djm) On platforms that support it, use prctl() to prevent sftp-server


diff --git a/ssh_config.5 b/ssh_config.5 index b5803920f..f96f37ba3 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.185 2014/02/23 20:11:36 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.186 2014/03/28 05:17:11 naddy Exp $
37	.Dd $Mdocdate: February 23 2014 $	37	.Dd $Mdocdate: March 28 2014 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -342,30 +342,47 @@ in order of preference.
342	Multiple ciphers must be comma-separated.	342	Multiple ciphers must be comma-separated.
343	The supported ciphers are:	343	The supported ciphers are:
344	.Pp	344	.Pp
345	.Dq 3des-cbc ,	345	.Bl -item -compact -offset indent
346	.Dq aes128-cbc ,	346	.It
347	.Dq aes192-cbc ,	347	3des-cbc
348	.Dq aes256-cbc ,	348	.It
349	.Dq aes128-ctr ,	349	aes128-cbc
350	.Dq aes192-ctr ,	350	.It
351	.Dq aes256-ctr ,	351	aes192-cbc
352	.Dq aes128-gcm@openssh.com ,	352	.It
353	.Dq aes256-gcm@openssh.com ,	353	aes256-cbc
354	.Dq arcfour128 ,	354	.It
355	.Dq arcfour256 ,	355	aes128-ctr
356	.Dq arcfour ,	356	.It
357	.Dq blowfish-cbc ,	357	aes192-ctr
358	.Dq cast128-cbc ,	358	.It
359	and	359	aes256-ctr
360	.Dq chacha20-poly1305@openssh.com .	360	.It
		361	aes128-gcm@openssh.com
		362	.It
		363	aes256-gcm@openssh.com
		364	.It
		365	arcfour
		366	.It
		367	arcfour128
		368	.It
		369	arcfour256
		370	.It
		371	blowfish-cbc
		372	.It
		373	cast128-cbc
		374	.It
		375	chacha20-poly1305@openssh.com
		376	.El
361	.Pp	377	.Pp
362	The default is:	378	The default is:
363	.Bd -literal -offset 3n	379	.Bd -literal -offset indent
364	aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,	380	aes128-ctr,aes192-ctr,aes256-ctr,
365	aes128-gcm@openssh.com,aes256-gcm@openssh.com,	381	aes128-gcm@openssh.com,aes256-gcm@openssh.com,
366	chacha20-poly1305@openssh.com,	382	chacha20-poly1305@openssh.com,
367	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,	383	arcfour256,arcfour128,
368	aes256-cbc,arcfour	384	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
		385	aes192-cbc,aes256-cbc,arcfour
369	.Ed	386	.Ed
370	.Pp	387	.Pp
371	The list of available ciphers may also be obtained using the	388	The list of available ciphers may also be obtained using the
@@ -893,8 +910,8 @@ The default is:
893	curve25519-sha256@libssh.org,	910	curve25519-sha256@libssh.org,
894	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	911	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
895	diffie-hellman-group-exchange-sha256,	912	diffie-hellman-group-exchange-sha256,
896	diffie-hellman-group-exchange-sha1,
897	diffie-hellman-group14-sha1,	913	diffie-hellman-group14-sha1,
		914	diffie-hellman-group-exchange-sha1,
898	diffie-hellman-group1-sha1	915	diffie-hellman-group1-sha1
899	.Ed	916	.Ed
900	.It Cm LocalCommand	917	.It Cm LocalCommand
@@ -974,13 +991,14 @@ calculate the MAC after encryption (encrypt-then-mac).
974	These are considered safer and their use recommended.	991	These are considered safer and their use recommended.
975	The default is:	992	The default is:
976	.Bd -literal -offset indent	993	.Bd -literal -offset indent
977	hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
978	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	994	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
979	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,	995	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
980	hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,	996	umac-64@openssh.com,umac-128@openssh.com,
981	hmac-md5-96-etm@openssh.com,	997	hmac-sha2-256,hmac-sha2-512,
982	hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,	998	hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
983	hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,	999	hmac-ripemd160-etm@openssh.com,
		1000	hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
		1001	hmac-md5,hmac-sha1,hmac-ripemd160,
984	hmac-sha1-96,hmac-md5-96	1002	hmac-sha1-96,hmac-md5-96
985	.Ed	1003	.Ed
986	.It Cm NoHostAuthenticationForLocalhost	1004	.It Cm NoHostAuthenticationForLocalhost


diff --git a/sshd_config.5 b/sshd_config.5 index ce71efe3c..88be8d984 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $
37	.Dd $Mdocdate: February 27 2014 $	37	.Dd $Mdocdate: March 28 2014 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -337,30 +337,44 @@ Specifies the ciphers allowed for protocol version 2.
337	Multiple ciphers must be comma-separated.	337	Multiple ciphers must be comma-separated.
338	The supported ciphers are:	338	The supported ciphers are:
339	.Pp	339	.Pp
340	.Dq 3des-cbc ,	340	.Bl -item -compact -offset indent
341	.Dq aes128-cbc ,	341	.It
342	.Dq aes192-cbc ,	342	3des-cbc
343	.Dq aes256-cbc ,	343	.It
344	.Dq aes128-ctr ,	344	aes128-cbc
345	.Dq aes192-ctr ,	345	.It
346	.Dq aes256-ctr ,	346	aes192-cbc
347	.Dq aes128-gcm@openssh.com ,	347	.It
348	.Dq aes256-gcm@openssh.com ,	348	aes256-cbc
349	.Dq arcfour128 ,	349	.It
350	.Dq arcfour256 ,	350	aes128-ctr
351	.Dq arcfour ,	351	.It
352	.Dq blowfish-cbc ,	352	aes192-ctr
353	.Dq cast128-cbc ,	353	.It
354	and	354	aes256-ctr
355	.Dq chacha20-poly1305@openssh.com .	355	.It
		356	aes128-gcm@openssh.com
		357	.It
		358	aes256-gcm@openssh.com
		359	.It
		360	arcfour
		361	.It
		362	arcfour128
		363	.It
		364	arcfour256
		365	.It
		366	blowfish-cbc
		367	.It
		368	cast128-cbc
		369	.It
		370	chacha20-poly1305@openssh.com
		371	.El
356	.Pp	372	.Pp
357	The default is:	373	The default is:
358	.Bd -literal -offset 3n	374	.Bd -literal -offset indent
359	aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,	375	aes128-ctr,aes192-ctr,aes256-ctr,
360	aes128-gcm@openssh.com,aes256-gcm@openssh.com,	376	aes128-gcm@openssh.com,aes256-gcm@openssh.com,
361	chacha20-poly1305@openssh.com,	377	chacha20-poly1305@openssh.com
362	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
363	aes256-cbc,arcfour
364	.Ed	378	.Ed
365	.Pp	379	.Pp
366	The list of available ciphers may also be obtained using the	380	The list of available ciphers may also be obtained using the
@@ -672,14 +686,33 @@ The default is
672	.It Cm KexAlgorithms	686	.It Cm KexAlgorithms
673	Specifies the available KEX (Key Exchange) algorithms.	687	Specifies the available KEX (Key Exchange) algorithms.
674	Multiple algorithms must be comma-separated.	688	Multiple algorithms must be comma-separated.
675	The default is	689	The supported algorithms are:
		690	.Pp
		691	.Bl -item -compact -offset indent
		692	.It
		693	curve25519-sha256@libssh.org
		694	.It
		695	diffie-hellman-group1-sha1
		696	.It
		697	diffie-hellman-group14-sha1
		698	.It
		699	diffie-hellman-group-exchange-sha1
		700	.It
		701	diffie-hellman-group-exchange-sha256
		702	.It
		703	ecdh-sha2-nistp256
		704	.It
		705	ecdh-sha2-nistp384
		706	.It
		707	ecdh-sha2-nistp521
		708	.El
		709	.Pp
		710	The default is:
676	.Bd -literal -offset indent	711	.Bd -literal -offset indent
677	curve25519-sha256@libssh.org,	712	curve25519-sha256@libssh.org,
678	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	713	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
679	diffie-hellman-group-exchange-sha256,	714	diffie-hellman-group-exchange-sha256,
680	diffie-hellman-group-exchange-sha1,	715	diffie-hellman-group14-sha1
681	diffie-hellman-group14-sha1,
682	diffie-hellman-group1-sha1
683	.Ed	716	.Ed
684	.It Cm KeyRegenerationInterval	717	.It Cm KeyRegenerationInterval
685	In protocol version 1, the ephemeral server key is automatically regenerated	718	In protocol version 1, the ephemeral server key is automatically regenerated
@@ -751,16 +784,53 @@ The algorithms that contain
751	.Dq -etm	784	.Dq -etm
752	calculate the MAC after encryption (encrypt-then-mac).	785	calculate the MAC after encryption (encrypt-then-mac).
753	These are considered safer and their use recommended.	786	These are considered safer and their use recommended.
		787	The supported MACs are:
		788	.Pp
		789	.Bl -item -compact -offset indent
		790	.It
		791	hmac-md5
		792	.It
		793	hmac-md5-96
		794	.It
		795	hmac-ripemd160
		796	.It
		797	hmac-sha1
		798	.It
		799	hmac-sha1-96
		800	.It
		801	hmac-sha2-256
		802	.It
		803	hmac-sha2-512
		804	.It
		805	umac-64@openssh.com
		806	.It
		807	umac-128@openssh.com
		808	.It
		809	hmac-md5-etm@openssh.com
		810	.It
		811	hmac-md5-96-etm@openssh.com
		812	.It
		813	hmac-ripemd160-etm@openssh.com
		814	.It
		815	hmac-sha1-etm@openssh.com
		816	.It
		817	hmac-sha1-96-etm@openssh.com
		818	.It
		819	hmac-sha2-256-etm@openssh.com
		820	.It
		821	hmac-sha2-512-etm@openssh.com
		822	.It
		823	umac-64-etm@openssh.com
		824	.It
		825	umac-128-etm@openssh.com
		826	.El
		827	.Pp
754	The default is:	828	The default is:
755	.Bd -literal -offset indent	829	.Bd -literal -offset indent
756	hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
757	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	830	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
758	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,	831	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
759	hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,	832	umac-64@openssh.com,umac-128@openssh.com,
760	hmac-md5-96-etm@openssh.com,	833	hmac-sha2-256,hmac-sha2-512
761	hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
762	hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
763	hmac-sha1-96,hmac-md5-96
764	.Ed	834	.Ed
765	.It Cm Match	835	.It Cm Match
766	Introduces a conditional block.	836	Introduces a conditional block.