* New upstream release (LP: #535029).

  - After a transition period of about 10 years, this release disables SSH
    protocol 1 by default.  Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens.  This support is enabled by default in the Debian
    packaging, since it now doesn't involve additional library
    dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
    package, this overlaps with the key blacklisting facility added in
    openssh 1:4.7p1-9, but with different file formats and slightly
    different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting
    port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options,
    and recursive transfer support for get/put (LP: #33378).  The old
    mget/mput commands never worked properly and have been removed
    (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log
    the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command.  Also,
    allow whitespace to follow a "-" (closes: #531561).

1 files changed, 15 insertions, 2 deletions

diff --git a/sftp-server.0 b/sftp-server.0
index d47fc0ceb..6628dcfca 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -4,7 +4,7 @@ NAME
      sftp-server - SFTP server subsystem
 
 SYNOPSIS
-     sftp-server [-f log_facility] [-l log_level]
+     sftp-server [-ehR] [-f log_facility] [-l log_level] [-u umask]
 
 DESCRIPTION
      sftp-server is a program that speaks the server side of SFTP protocol to
@@ -17,12 +17,17 @@ DESCRIPTION
 
      Valid options are:
 
+     -e      Causes sftp-server to print logging information to stderr instead
+             of syslog for debugging.
+
      -f log_facility
              Specifies the facility code that is used when logging messages
              from sftp-server.  The possible values are: DAEMON, USER, AUTH,
              LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
              The default is AUTH.
 
+     -h      Displays sftp-server usage information.
+
      -l log_level
              Specifies which messages will be logged by sftp-server.  The pos-
              sible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DE-
@@ -31,6 +36,14 @@ DESCRIPTION
              are equivalent.  DEBUG2 and DEBUG3 each specify higher levels of
              debugging output.  The default is ERROR.
 
+     -R      Places this instance of sftp-server into a read-only mode.  At-
+             tempts to open files for writing, as well as other operations
+             that change the state of the filesystem, will be denied.
+
+     -u umask
+             Sets an explicit umask(2) to be applied to newly-created files
+             and directories, instead of the user's default mask.
+
      For logging to work, sftp-server must be able to access /dev/log.  Use of
      sftp-server in a chroot configuration therefore requires that syslogd(8)
      establish a logging socket inside the chroot directory.
@@ -47,4 +60,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 4.6                     March 26, 2009                               1
+OpenBSD 4.6                     January 9, 2010                              1