Import openssh_7.4p1.orig.tar.gz

author: Colin Watson <cjwatson@debian.org> 2016-12-20 00:22:52 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-12-20 00:22:52 +0000
commit: 971a7653746a6972b907dfe0ce139c06e4a6f482 (patch)
tree: 70fb964265d57ae4967be55b75dbb2a122e9b969 /sshd.0
parent: a8ed8d256b2e2c05b0c15565a7938028c5192277 (diff)
parent: 4a354fc231174901f2629437c2a6e924a2dd6772 (diff)
1 files changed, 56 insertions, 95 deletions
diff --git a/sshd.0 b/sshd.0
index 0f7db5fc3..089244c93 100644
--- a/sshd.0
+++ b/sshd.0
@@ -4,10 +4,9 @@ NAME
     sshd M-bM-^@M-^S OpenSSH SSH daemon
 SYNOPSIS
-     sshd [-46DdeiqTt] [-b bits] [-C connection_spec]
+     sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
-          [-c host_certificate_file] [-E log_file] [-f config_file]
+          [-E log_file] [-f config_file] [-g login_grace_time]
-          [-g login_grace_time] [-h host_key_file] [-k key_gen_time]
+          [-h host_key_file] [-o option] [-p port] [-u len]
-          [-o option] [-p port] [-u len]
 DESCRIPTION
     sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
@@ -31,10 +30,6 @@ DESCRIPTION
     -6      Forces sshd to use IPv6 addresses only.
-     -b bits
-             Specifies the number of bits in the ephemeral protocol version 1
-             server key (default 1024).
     -C connection_spec
             Specify the connection parameters to use for the -T extended test
             mode.  If provided, any Match directives in the configuration
@@ -80,28 +75,12 @@ DESCRIPTION
             Specifies a file from which a host key is read.  This option must
             be given if sshd is not run as root (as the normal host key files
             are normally not readable by anyone but root).  The default is
-             /etc/ssh/ssh_host_key for protocol version 1, and
+             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
-             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
+             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key.  It
-             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
+             is possible to have multiple host key files for the different
-             protocol version 2.  It is possible to have multiple host key
+             host key algorithms.
-             files for the different protocol versions and host key
-             algorithms.
+     -i      Specifies that sshd is being run from inetd(8).
-     -i      Specifies that sshd is being run from inetd(8).  If SSH protocol
-             1 is enabled, sshd should not  normally be run from inetd because
-             it needs to generate the server key before it can respond to the
-             client, and this may take some time.  Clients may have to wait
-             too long if the key was regenerated every time.
-     -k key_gen_time
-             Specifies how often the ephemeral protocol version 1 server key
-             is regenerated (default 3600 seconds, or one hour).  The
-             motivation for regenerating the key fairly often is that the key
-             is not stored anywhere, and after about an hour it becomes
-             impossible to recover the key for decrypting intercepted
-             communications even if the machine is cracked into or physically
-             seized.  A value of zero indicates that the key will never be
-             regenerated.
     -o option
             Can be used to give options in the format used in the
@@ -138,33 +117,17 @@ DESCRIPTION
             into the utmp file.  -u0 may also be used to prevent sshd from
             making DNS requests unless the authentication mechanism or
             configuration requires it.  Authentication mechanisms that may
-             require DNS include RhostsRSAAuthentication,
+             require DNS include HostbasedAuthentication and using a
-             HostbasedAuthentication, and using a from="pattern-list" option
+             from="pattern-list" option in a key file.  Configuration options
-             in a key file.  Configuration options that require DNS include
+             that require DNS include using a USER@HOST pattern in AllowUsers
-             using a USER@HOST pattern in AllowUsers or DenyUsers.
+             or DenyUsers.
 AUTHENTICATION
-     The OpenSSH SSH daemon supports SSH protocols 1 and 2.  The default is to
+     The OpenSSH SSH daemon supports SSH protocol 2 only.  Each host has a
-     use protocol 2 only, though this can be changed via the Protocol option
+     host-specific key, used to identify the host.  Whenever a client
-     in sshd_config(5).  Protocol 1 should not be used and is only offered to
+     connects, the daemon responds with its public host key.  The client
-     support legacy devices.
+     compares the host key against its own database to verify that it has not
+     changed.  Forward security is provided through a Diffie-Hellman key
-     Each host has a host-specific key, used to identify the host.  Partial
-     forward security for protocol 1 is provided through an additional server
-     key, normally 1024 bits, generated when the server starts.  This key is
-     normally regenerated every hour if it has been used, and is never stored
-     on disk.  Whenever a client connects, the daemon responds with its public
-     host and server keys.  The client compares the RSA host key against its
-     own database to verify that it has not changed.  The client then
-     generates a 256-bit random number.  It encrypts this random number using
-     both the host key and the server key, and sends the encrypted number to
-     the server.  Both sides then use this random number as a session key
-     which is used to encrypt all further communications in the session.  The
-     rest of the session is encrypted using a conventional cipher, currently
-     Blowfish or 3DES, with 3DES being used by default.  The client selects
-     the encryption algorithm to use from those offered by the server.
-     For protocol 2, forward security is provided through a Diffie-Hellman key
     agreement.  This key agreement results in a shared session key.  The rest
     of the session is encrypted using a symmetric cipher, currently 128-bit
     AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.  The
@@ -271,27 +234,20 @@ AUTHORIZED_KEYS FILE FORMAT
     key authentication; if this option is not specified, the default is
     ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2.  Each line of the
     file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are
-     ignored as comments).  Protocol 1 public keys consist of the following
+     ignored as comments).  Public keys consist of the following space-
-     space-separated fields: options, bits, exponent, modulus, comment.
+     separated fields: options, keytype, base64-encoded key, comment.  The
-     Protocol 2 public key consist of: options, keytype, base64-encoded key,
+     options field is optional.  The keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
-     comment.  The options field is optional; its presence is determined by
-     whether the line starts with a number or not (the options field never
-     starts with a number).  The bits, exponent, modulus, and comment fields
-     give the RSA key for protocol version 1; the comment field is not used
-     for anything (but may be convenient for the user to identify the key).
-     For protocol version 2 the keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
     M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or
-     M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
+     M-bM-^@M-^\ssh-rsaM-bM-^@M-^]; the comment field is not used for anything (but may be
+     convenient for the user to identify the key).
-     Note that lines in this file are usually several hundred bytes long
+     Note that lines in this file can be several hundred bytes long (because
-     (because of the size of the public key encoding) up to a limit of 8
+     of the size of the public key encoding) up to a limit of 8 kilobytes,
-     kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
+     which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits.
-     kilobits.  You don't want to type them in; instead, copy the
+     You don't want to type them in; instead, copy the id_dsa.pub,
-     identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub
+     id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub file and edit it.
-     file and edit it.
-     sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
+     sshd enforces a minimum RSA key modulus size of 768 bits.
-     2 keys of 768 bits.
     The options (if present) consist of comma-separated option
     specifications.  No spaces are permitted, except within double quotes.
@@ -318,16 +274,23 @@ AUTHORIZED_KEYS FILE FORMAT
             pty; otherwise it is run without a tty.  If an 8-bit clean
             channel is required, one must not request a pty or should specify
             no-pty.  A quote may be included in the command by quoting it
-             with a backslash.  This option might be useful to restrict
+             with a backslash.
-             certain public keys to perform just a specific operation.  An
-             example might be a key that permits remote backups but nothing
+             This option might be useful to restrict certain public keys to
-             else.  Note that the client may specify TCP and/or X11 forwarding
+             perform just a specific operation.  An example might be a key
-             unless they are explicitly prohibited.  The command originally
+             that permits remote backups but nothing else.  Note that the
-             supplied by the client is available in the SSH_ORIGINAL_COMMAND
+             client may specify TCP and/or X11 forwarding unless they are
-             environment variable.  Note that this option applies to shell,
+             explicitly prohibited, e.g. using the restrict key option.
-             command or subsystem execution.  Also note that this command may
-             be superseded by either a sshd_config(5) ForceCommand directive
+             The command originally supplied by the client is available in the
-             or a command embedded in a certificate.
+             SSH_ORIGINAL_COMMAND environment variable.  Note that this option
+             applies to shell, command or subsystem execution.  Also note that
+             this command may be superseded by a sshd_config(5) ForceCommand
+             directive.
+             If a command is specified and a forced-command is embedded in a
+             certificate used for authentication, then the certificate will be
+             accepted only if the two commands are identical.
     environment="NAME=value"
             Specifies that the string is to be added to the environment when
@@ -335,7 +298,6 @@ AUTHORIZED_KEYS FILE FORMAT
             override other default environment values.  Multiple options of
             this type are permitted.  Environment processing is disabled by
             default and is controlled via the PermitUserEnvironment option.
-             This option is automatically disabled if UseLogin is enabled.
     from="pattern-list"
             Specifies that in addition to public key authentication, either
@@ -440,8 +402,8 @@ SSH_KNOWN_HOSTS FILE FORMAT
     is added to the per-user file.
     Each line in these files contains the following fields: markers
-     (optional), hostnames, bits, exponent, modulus, comment.  The fields are
+     (optional), hostnames, keytype, base64-encoded key, comment.  The fields
-     separated by spaces.
+     are separated by spaces.
     The marker is optional, but if it is present then it must be one of
     M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification
@@ -464,9 +426,10 @@ SSH_KNOWN_HOSTS FILE FORMAT
     appear on a single line and none of the above negation or wildcard
     operators may be applied.
-     Bits, exponent, and modulus are taken directly from the RSA host key;
+     The keytype and base64-encoded key are taken directly from the host key;
-     they can be obtained, for example, from /etc/ssh/ssh_host_key.pub.  The
+     they can be obtained, for example, from /etc/ssh/ssh_host_rsa_key.pub.
-     optional comment field continues to the end of the line, and is not used.
+     The optional comment field continues to the end of the line, and is not
+     used.
     Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments.
@@ -493,9 +456,9 @@ SSH_KNOWN_HOSTS FILE FORMAT
     Note that the lines in these files are typically hundreds of characters
     long, and you definitely don't want to type in the host keys by hand.
-     Rather, generate them by a script, ssh-keyscan(1) or by taking
+     Rather, generate them by a script, ssh-keyscan(1) or by taking, for
-     /etc/ssh/ssh_host_key.pub and adding the host names at the front.
+     example, /etc/ssh/ssh_host_rsa_key.pub and adding the host names at the
-     ssh-keygen(1) also offers some basic automated editing for
+     front.  ssh-keygen(1) also offers some basic automated editing for
     ~/.ssh/known_hosts including removing hosts matching a host name and
     converting all host names to their hashed representations.
@@ -598,7 +561,6 @@ FILES
             allows host-based authentication without permitting login with
             rlogin/rsh.
-     /etc/ssh/ssh_host_key
     /etc/ssh/ssh_host_dsa_key
     /etc/ssh/ssh_host_ecdsa_key
     /etc/ssh/ssh_host_ed25519_key
@@ -608,7 +570,6 @@ FILES
             not accessible to others.  Note that sshd does not start if these
             files are group/world-accessible.
-     /etc/ssh/ssh_host_key.pub
     /etc/ssh/ssh_host_dsa_key.pub
     /etc/ssh/ssh_host_ecdsa_key.pub
     /etc/ssh/ssh_host_ed25519_key.pub
@@ -662,4 +623,4 @@ AUTHORS
     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
     for privilege separation.
-OpenBSD 6.0                    February 17, 2016                   OpenBSD 6.0
+OpenBSD 6.0                    November 30, 2016                   OpenBSD 6.0
author	Colin Watson <cjwatson@debian.org>	2016-12-20 00:22:52 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-12-20 00:22:52 +0000
commit	971a7653746a6972b907dfe0ce139c06e4a6f482 (patch)
tree	70fb964265d57ae4967be55b75dbb2a122e9b969 /sshd.0
parent	a8ed8d256b2e2c05b0c15565a7938028c5192277 (diff)
parent	4a354fc231174901f2629437c2a6e924a2dd6772 (diff)

diff --git a/sshd.0 b/sshd.0 index 0f7db5fc3..089244c93 100644 --- a/sshd.0 +++ b/sshd.0
@@ -4,10 +4,9 @@ NAME
4	sshd M-bM-^@M-^S OpenSSH SSH daemon	4	sshd M-bM-^@M-^S OpenSSH SSH daemon
5		5
6	SYNOPSIS	6	SYNOPSIS
7	sshd [-46DdeiqTt] [-b bits] [-C connection_spec]	7	sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
8	[-c host_certificate_file] [-E log_file] [-f config_file]	8	[-E log_file] [-f config_file] [-g login_grace_time]
9	[-g login_grace_time] [-h host_key_file] [-k key_gen_time]	9	[-h host_key_file] [-o option] [-p port] [-u len]
10	[-o option] [-p port] [-u len]
11		10
12	DESCRIPTION	11	DESCRIPTION
13	sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these	12	sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
@@ -31,10 +30,6 @@ DESCRIPTION
31		30
32	-6 Forces sshd to use IPv6 addresses only.	31	-6 Forces sshd to use IPv6 addresses only.
33		32
34	-b bits
35	Specifies the number of bits in the ephemeral protocol version 1
36	server key (default 1024).
37
38	-C connection_spec	33	-C connection_spec
39	Specify the connection parameters to use for the -T extended test	34	Specify the connection parameters to use for the -T extended test
40	mode. If provided, any Match directives in the configuration	35	mode. If provided, any Match directives in the configuration
@@ -80,28 +75,12 @@ DESCRIPTION
80	Specifies a file from which a host key is read. This option must	75	Specifies a file from which a host key is read. This option must
81	be given if sshd is not run as root (as the normal host key files	76	be given if sshd is not run as root (as the normal host key files
82	are normally not readable by anyone but root). The default is	77	are normally not readable by anyone but root). The default is
83	/etc/ssh/ssh_host_key for protocol version 1, and	78	/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
84	/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.	79	/etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key. It
85	/etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for	80	is possible to have multiple host key files for the different
86	protocol version 2. It is possible to have multiple host key	81	host key algorithms.
87	files for the different protocol versions and host key	82
88	algorithms.	83	-i Specifies that sshd is being run from inetd(8).
89
90	-i Specifies that sshd is being run from inetd(8). If SSH protocol
91	1 is enabled, sshd should not normally be run from inetd because
92	it needs to generate the server key before it can respond to the
93	client, and this may take some time. Clients may have to wait
94	too long if the key was regenerated every time.
95
96	-k key_gen_time
97	Specifies how often the ephemeral protocol version 1 server key
98	is regenerated (default 3600 seconds, or one hour). The
99	motivation for regenerating the key fairly often is that the key
100	is not stored anywhere, and after about an hour it becomes
101	impossible to recover the key for decrypting intercepted
102	communications even if the machine is cracked into or physically
103	seized. A value of zero indicates that the key will never be
104	regenerated.
105		84
106	-o option	85	-o option
107	Can be used to give options in the format used in the	86	Can be used to give options in the format used in the
@@ -138,33 +117,17 @@ DESCRIPTION
138	into the utmp file. -u0 may also be used to prevent sshd from	117	into the utmp file. -u0 may also be used to prevent sshd from
139	making DNS requests unless the authentication mechanism or	118	making DNS requests unless the authentication mechanism or
140	configuration requires it. Authentication mechanisms that may	119	configuration requires it. Authentication mechanisms that may
141	require DNS include RhostsRSAAuthentication,	120	require DNS include HostbasedAuthentication and using a
142	HostbasedAuthentication, and using a from="pattern-list" option	121	from="pattern-list" option in a key file. Configuration options
143	in a key file. Configuration options that require DNS include	122	that require DNS include using a USER@HOST pattern in AllowUsers
144	using a USER@HOST pattern in AllowUsers or DenyUsers.	123	or DenyUsers.
145		124
146	AUTHENTICATION	125	AUTHENTICATION
147	The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to	126	The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
148	use protocol 2 only, though this can be changed via the Protocol option	127	host-specific key, used to identify the host. Whenever a client
149	in sshd_config(5). Protocol 1 should not be used and is only offered to	128	connects, the daemon responds with its public host key. The client
150	support legacy devices.	129	compares the host key against its own database to verify that it has not
151		130	changed. Forward security is provided through a Diffie-Hellman key
152	Each host has a host-specific key, used to identify the host. Partial
153	forward security for protocol 1 is provided through an additional server
154	key, normally 1024 bits, generated when the server starts. This key is
155	normally regenerated every hour if it has been used, and is never stored
156	on disk. Whenever a client connects, the daemon responds with its public
157	host and server keys. The client compares the RSA host key against its
158	own database to verify that it has not changed. The client then
159	generates a 256-bit random number. It encrypts this random number using
160	both the host key and the server key, and sends the encrypted number to
161	the server. Both sides then use this random number as a session key
162	which is used to encrypt all further communications in the session. The
163	rest of the session is encrypted using a conventional cipher, currently
164	Blowfish or 3DES, with 3DES being used by default. The client selects
165	the encryption algorithm to use from those offered by the server.
166
167	For protocol 2, forward security is provided through a Diffie-Hellman key
168	agreement. This key agreement results in a shared session key. The rest	131	agreement. This key agreement results in a shared session key. The rest
169	of the session is encrypted using a symmetric cipher, currently 128-bit	132	of the session is encrypted using a symmetric cipher, currently 128-bit
170	AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The	133	AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
@@ -271,27 +234,20 @@ AUTHORIZED_KEYS FILE FORMAT
271	key authentication; if this option is not specified, the default is	234	key authentication; if this option is not specified, the default is
272	~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the	235	~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the
273	file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are	236	file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are
274	ignored as comments). Protocol 1 public keys consist of the following	237	ignored as comments). Public keys consist of the following space-
275	space-separated fields: options, bits, exponent, modulus, comment.	238	separated fields: options, keytype, base64-encoded key, comment. The
276	Protocol 2 public key consist of: options, keytype, base64-encoded key,	239	options field is optional. The keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
277	comment. The options field is optional; its presence is determined by
278	whether the line starts with a number or not (the options field never
279	starts with a number). The bits, exponent, modulus, and comment fields
280	give the RSA key for protocol version 1; the comment field is not used
281	for anything (but may be convenient for the user to identify the key).
282	For protocol version 2 the keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
283	M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or	240	M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or
284	M-bM-^@M-^\ssh-rsaM-bM-^@M-^].	241	M-bM-^@M-^\ssh-rsaM-bM-^@M-^]; the comment field is not used for anything (but may be
		242	convenient for the user to identify the key).
285		243
286	Note that lines in this file are usually several hundred bytes long	244	Note that lines in this file can be several hundred bytes long (because
287	(because of the size of the public key encoding) up to a limit of 8	245	of the size of the public key encoding) up to a limit of 8 kilobytes,
288	kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16	246	which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits.
289	kilobits. You don't want to type them in; instead, copy the	247	You don't want to type them in; instead, copy the id_dsa.pub,
290	identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub	248	id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub file and edit it.
291	file and edit it.
292		249
293	sshd enforces a minimum RSA key modulus size for protocol 1 and protocol	250	sshd enforces a minimum RSA key modulus size of 768 bits.
294	2 keys of 768 bits.
295		251
296	The options (if present) consist of comma-separated option	252	The options (if present) consist of comma-separated option
297	specifications. No spaces are permitted, except within double quotes.	253	specifications. No spaces are permitted, except within double quotes.
@@ -318,16 +274,23 @@ AUTHORIZED_KEYS FILE FORMAT
318	pty; otherwise it is run without a tty. If an 8-bit clean	274	pty; otherwise it is run without a tty. If an 8-bit clean
319	channel is required, one must not request a pty or should specify	275	channel is required, one must not request a pty or should specify
320	no-pty. A quote may be included in the command by quoting it	276	no-pty. A quote may be included in the command by quoting it
321	with a backslash. This option might be useful to restrict	277	with a backslash.
322	certain public keys to perform just a specific operation. An	278
323	example might be a key that permits remote backups but nothing	279	This option might be useful to restrict certain public keys to
324	else. Note that the client may specify TCP and/or X11 forwarding	280	perform just a specific operation. An example might be a key
325	unless they are explicitly prohibited. The command originally	281	that permits remote backups but nothing else. Note that the
326	supplied by the client is available in the SSH_ORIGINAL_COMMAND	282	client may specify TCP and/or X11 forwarding unless they are
327	environment variable. Note that this option applies to shell,	283	explicitly prohibited, e.g. using the restrict key option.
328	command or subsystem execution. Also note that this command may	284
329	be superseded by either a sshd_config(5) ForceCommand directive	285	The command originally supplied by the client is available in the
330	or a command embedded in a certificate.	286	SSH_ORIGINAL_COMMAND environment variable. Note that this option
		287	applies to shell, command or subsystem execution. Also note that
		288	this command may be superseded by a sshd_config(5) ForceCommand
		289	directive.
		290
		291	If a command is specified and a forced-command is embedded in a
		292	certificate used for authentication, then the certificate will be
		293	accepted only if the two commands are identical.
331		294
332	environment="NAME=value"	295	environment="NAME=value"
333	Specifies that the string is to be added to the environment when	296	Specifies that the string is to be added to the environment when
@@ -335,7 +298,6 @@ AUTHORIZED_KEYS FILE FORMAT
335	override other default environment values. Multiple options of	298	override other default environment values. Multiple options of
336	this type are permitted. Environment processing is disabled by	299	this type are permitted. Environment processing is disabled by
337	default and is controlled via the PermitUserEnvironment option.	300	default and is controlled via the PermitUserEnvironment option.
338	This option is automatically disabled if UseLogin is enabled.
339		301
340	from="pattern-list"	302	from="pattern-list"
341	Specifies that in addition to public key authentication, either	303	Specifies that in addition to public key authentication, either
@@ -440,8 +402,8 @@ SSH_KNOWN_HOSTS FILE FORMAT
440	is added to the per-user file.	402	is added to the per-user file.
441		403
442	Each line in these files contains the following fields: markers	404	Each line in these files contains the following fields: markers
443	(optional), hostnames, bits, exponent, modulus, comment. The fields are	405	(optional), hostnames, keytype, base64-encoded key, comment. The fields
444	separated by spaces.	406	are separated by spaces.
445		407
446	The marker is optional, but if it is present then it must be one of	408	The marker is optional, but if it is present then it must be one of
447	M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification	409	M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification
@@ -464,9 +426,10 @@ SSH_KNOWN_HOSTS FILE FORMAT
464	appear on a single line and none of the above negation or wildcard	426	appear on a single line and none of the above negation or wildcard
465	operators may be applied.	427	operators may be applied.
466		428
467	Bits, exponent, and modulus are taken directly from the RSA host key;	429	The keytype and base64-encoded key are taken directly from the host key;
468	they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The	430	they can be obtained, for example, from /etc/ssh/ssh_host_rsa_key.pub.
469	optional comment field continues to the end of the line, and is not used.	431	The optional comment field continues to the end of the line, and is not
		432	used.
470		433
471	Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments.	434	Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments.
472		435
@@ -493,9 +456,9 @@ SSH_KNOWN_HOSTS FILE FORMAT
493		456
494	Note that the lines in these files are typically hundreds of characters	457	Note that the lines in these files are typically hundreds of characters
495	long, and you definitely don't want to type in the host keys by hand.	458	long, and you definitely don't want to type in the host keys by hand.
496	Rather, generate them by a script, ssh-keyscan(1) or by taking	459	Rather, generate them by a script, ssh-keyscan(1) or by taking, for
497	/etc/ssh/ssh_host_key.pub and adding the host names at the front.	460	example, /etc/ssh/ssh_host_rsa_key.pub and adding the host names at the
498	ssh-keygen(1) also offers some basic automated editing for	461	front. ssh-keygen(1) also offers some basic automated editing for
499	~/.ssh/known_hosts including removing hosts matching a host name and	462	~/.ssh/known_hosts including removing hosts matching a host name and
500	converting all host names to their hashed representations.	463	converting all host names to their hashed representations.
501		464
@@ -598,7 +561,6 @@ FILES
598	allows host-based authentication without permitting login with	561	allows host-based authentication without permitting login with
599	rlogin/rsh.	562	rlogin/rsh.
600		563
601	/etc/ssh/ssh_host_key
602	/etc/ssh/ssh_host_dsa_key	564	/etc/ssh/ssh_host_dsa_key
603	/etc/ssh/ssh_host_ecdsa_key	565	/etc/ssh/ssh_host_ecdsa_key
604	/etc/ssh/ssh_host_ed25519_key	566	/etc/ssh/ssh_host_ed25519_key
@@ -608,7 +570,6 @@ FILES
608	not accessible to others. Note that sshd does not start if these	570	not accessible to others. Note that sshd does not start if these
609	files are group/world-accessible.	571	files are group/world-accessible.
610		572
611	/etc/ssh/ssh_host_key.pub
612	/etc/ssh/ssh_host_dsa_key.pub	573	/etc/ssh/ssh_host_dsa_key.pub
613	/etc/ssh/ssh_host_ecdsa_key.pub	574	/etc/ssh/ssh_host_ecdsa_key.pub
614	/etc/ssh/ssh_host_ed25519_key.pub	575	/etc/ssh/ssh_host_ed25519_key.pub
@@ -662,4 +623,4 @@ AUTHORS
662	versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support	623	versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
663	for privilege separation.	624	for privilege separation.
664		625
665	OpenBSD 6.0 February 17, 2016 OpenBSD 6.0	626	OpenBSD 6.0 November 30, 2016 OpenBSD 6.0