Import openssh_8.2p1.orig.tar.gz

author: Colin Watson <cjwatson@debian.org> 2020-02-21 11:57:14 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-02-21 11:57:14 +0000
commit: f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (patch)
tree: 856b0dee3f2764c13a32dad5ffe2424fab7fef41 /sshd.0
parent: 4213eec74e74de6310c27a40c3e9759a08a73996 (diff)
parent: 8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8 (diff)
1 files changed, 33 insertions, 19 deletions
diff --git a/sshd.0 b/sshd.0
index 1b0d5ce2e..15ef5dd3b 100644
--- a/sshd.0
+++ b/sshd.0
@@ -1,7 +1,7 @@
 SSHD(8)                     System Manager's Manual                    SSHD(8)
 NAME
-     sshd M-bM-^@M-^S OpenSSH SSH daemon
+     sshd M-bM-^@M-^S OpenSSH daemon
 SYNOPSIS
     sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
@@ -128,14 +128,12 @@ AUTHENTICATION
     host-specific key, used to identify the host.  Whenever a client
     connects, the daemon responds with its public host key.  The client
     compares the host key against its own database to verify that it has not
-     changed.  Forward security is provided through a Diffie-Hellman key
+     changed.  Forward secrecy is provided through a Diffie-Hellman key
     agreement.  This key agreement results in a shared session key.  The rest
-     of the session is encrypted using a symmetric cipher, currently 128-bit
+     of the session is encrypted using a symmetric cipher.  The client selects
-     AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.  The
+     the encryption algorithm to use from those offered by the server.
-     client selects the encryption algorithm to use from those offered by the
+     Additionally, session integrity is provided through a cryptographic
-     server.  Additionally, session integrity is provided through a
+     message authentication code (MAC).
-     cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64,
-     umac-128, hmac-sha2-256 or hmac-sha2-512).
     Finally, the server and the client enter an authentication dialog.  The
     client tries to authenticate itself using host-based authentication,
@@ -237,16 +235,25 @@ AUTHORIZED_KEYS FILE FORMAT
     file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are
     ignored as comments).  Public keys consist of the following space-
     separated fields: options, keytype, base64-encoded key, comment.  The
-     options field is optional.  The keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
+     options field is optional.  The supported key types are:
-     M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or
-     M-bM-^@M-^\ssh-rsaM-bM-^@M-^]; the comment field is not used for anything (but may be
+           sk-ecdsa-sha2-nistp256@openssh.com
-     convenient for the user to identify the key).
+           ecdsa-sha2-nistp256
+           ecdsa-sha2-nistp384
+           ecdsa-sha2-nistp521
+           sk-ssh-ed25519@openssh.com
+           ssh-ed25519
+           ssh-dss
+           ssh-rsa
+     The comment field is not used for anything (but may be convenient for the
+     user to identify the key).
     Note that lines in this file can be several hundred bytes long (because
     of the size of the public key encoding) up to a limit of 8 kilobytes,
-     which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits.
+     which permits RSA keys up to 16 kilobits.  You don't want to type them
-     You don't want to type them in; instead, copy the id_dsa.pub,
+     in; instead, copy the id_dsa.pub, id_ecdsa.pub, id_ecdsa_sk.pub,
-     id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub file and edit it.
+     id_ed25519.pub, id_ed25519_sk.pub, or the id_rsa.pub file and edit it.
     sshd enforces a minimum RSA key modulus size of 1024 bits.
@@ -360,9 +367,9 @@ AUTHORIZED_KEYS FILE FORMAT
             it may only connect to the specified host and port.  IPv6
             addresses can be specified by enclosing the address in square
             brackets.  Multiple permitopen options may be applied separated
-             by commas.  No pattern matching is performed on the specified
+             by commas.  No pattern matching or name lookup is performed on
-             hostnames, they must be literal domains or addresses.  A port
+             the specified hostnames, they must be literal host names and/or
-             specification of * matches any port.
+             addresses.  A port specification of * matches any port.
     port-forwarding
             Enable port forwarding previously disabled by the restrict
@@ -379,6 +386,11 @@ AUTHORIZED_KEYS FILE FORMAT
     pty     Permits tty allocation previously disabled by the restrict
             option.
+     no-touch-required
+             Do not require demonstration of user presence for signatures made
+             using this key.  This option only makes sense for the FIDO
+             authenticator algorithms ecdsa-sk and ed25519-sk.
     restrict
             Enable all restrictions, i.e. disable port, agent and X11
             forwarding, as well as disabling PTY allocation and execution of
@@ -416,6 +428,8 @@ AUTHORIZED_KEYS FILE FORMAT
        user@example.net
        restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
        user@example.net
+        no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==
+        user@example.net
 SSH_KNOWN_HOSTS FILE FORMAT
     The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
@@ -650,4 +664,4 @@ AUTHORS
     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
     for privilege separation.
-OpenBSD 6.6                      July 22, 2018                     OpenBSD 6.6
+OpenBSD 6.6                    January 25, 2020                    OpenBSD 6.6
author	Colin Watson <cjwatson@debian.org>	2020-02-21 11:57:14 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-02-21 11:57:14 +0000
commit	f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (patch)
tree	856b0dee3f2764c13a32dad5ffe2424fab7fef41 /sshd.0
parent	4213eec74e74de6310c27a40c3e9759a08a73996 (diff)
parent	8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8 (diff)

diff --git a/sshd.0 b/sshd.0 index 1b0d5ce2e..15ef5dd3b 100644 --- a/sshd.0 +++ b/sshd.0
@@ -1,7 +1,7 @@
1	SSHD(8) System Manager's Manual SSHD(8)	1	SSHD(8) System Manager's Manual SSHD(8)
2		2
3	NAME	3	NAME
4	sshd M-bM-^@M-^S OpenSSH SSH daemon	4	sshd M-bM-^@M-^S OpenSSH daemon
5		5
6	SYNOPSIS	6	SYNOPSIS
7	sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]	7	sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
@@ -128,14 +128,12 @@ AUTHENTICATION
128	host-specific key, used to identify the host. Whenever a client	128	host-specific key, used to identify the host. Whenever a client
129	connects, the daemon responds with its public host key. The client	129	connects, the daemon responds with its public host key. The client
130	compares the host key against its own database to verify that it has not	130	compares the host key against its own database to verify that it has not
131	changed. Forward security is provided through a Diffie-Hellman key	131	changed. Forward secrecy is provided through a Diffie-Hellman key
132	agreement. This key agreement results in a shared session key. The rest	132	agreement. This key agreement results in a shared session key. The rest
133	of the session is encrypted using a symmetric cipher, currently 128-bit	133	of the session is encrypted using a symmetric cipher. The client selects
134	AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The	134	the encryption algorithm to use from those offered by the server.
135	client selects the encryption algorithm to use from those offered by the	135	Additionally, session integrity is provided through a cryptographic
136	server. Additionally, session integrity is provided through a	136	message authentication code (MAC).
137	cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64,
138	umac-128, hmac-sha2-256 or hmac-sha2-512).
139		137
140	Finally, the server and the client enter an authentication dialog. The	138	Finally, the server and the client enter an authentication dialog. The
141	client tries to authenticate itself using host-based authentication,	139	client tries to authenticate itself using host-based authentication,
@@ -237,16 +235,25 @@ AUTHORIZED_KEYS FILE FORMAT
237	file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are	235	file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are
238	ignored as comments). Public keys consist of the following space-	236	ignored as comments). Public keys consist of the following space-
239	separated fields: options, keytype, base64-encoded key, comment. The	237	separated fields: options, keytype, base64-encoded key, comment. The
240	options field is optional. The keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],	238	options field is optional. The supported key types are:
241	M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or	239
242	M-bM-^@M-^\ssh-rsaM-bM-^@M-^]; the comment field is not used for anything (but may be	240	sk-ecdsa-sha2-nistp256@openssh.com
243	convenient for the user to identify the key).	241	ecdsa-sha2-nistp256
		242	ecdsa-sha2-nistp384
		243	ecdsa-sha2-nistp521
		244	sk-ssh-ed25519@openssh.com
		245	ssh-ed25519
		246	ssh-dss
		247	ssh-rsa
		248
		249	The comment field is not used for anything (but may be convenient for the
		250	user to identify the key).
244		251
245	Note that lines in this file can be several hundred bytes long (because	252	Note that lines in this file can be several hundred bytes long (because
246	of the size of the public key encoding) up to a limit of 8 kilobytes,	253	of the size of the public key encoding) up to a limit of 8 kilobytes,
247	which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits.	254	which permits RSA keys up to 16 kilobits. You don't want to type them
248	You don't want to type them in; instead, copy the id_dsa.pub,	255	in; instead, copy the id_dsa.pub, id_ecdsa.pub, id_ecdsa_sk.pub,
249	id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub file and edit it.	256	id_ed25519.pub, id_ed25519_sk.pub, or the id_rsa.pub file and edit it.
250		257
251	sshd enforces a minimum RSA key modulus size of 1024 bits.	258	sshd enforces a minimum RSA key modulus size of 1024 bits.
252		259
@@ -360,9 +367,9 @@ AUTHORIZED_KEYS FILE FORMAT
360	it may only connect to the specified host and port. IPv6	367	it may only connect to the specified host and port. IPv6
361	addresses can be specified by enclosing the address in square	368	addresses can be specified by enclosing the address in square
362	brackets. Multiple permitopen options may be applied separated	369	brackets. Multiple permitopen options may be applied separated
363	by commas. No pattern matching is performed on the specified	370	by commas. No pattern matching or name lookup is performed on
364	hostnames, they must be literal domains or addresses. A port	371	the specified hostnames, they must be literal host names and/or
365	specification of * matches any port.	372	addresses. A port specification of * matches any port.
366		373
367	port-forwarding	374	port-forwarding
368	Enable port forwarding previously disabled by the restrict	375	Enable port forwarding previously disabled by the restrict
@@ -379,6 +386,11 @@ AUTHORIZED_KEYS FILE FORMAT
379	pty Permits tty allocation previously disabled by the restrict	386	pty Permits tty allocation previously disabled by the restrict
380	option.	387	option.
381		388
		389	no-touch-required
		390	Do not require demonstration of user presence for signatures made
		391	using this key. This option only makes sense for the FIDO
		392	authenticator algorithms ecdsa-sk and ed25519-sk.
		393
382	restrict	394	restrict
383	Enable all restrictions, i.e. disable port, agent and X11	395	Enable all restrictions, i.e. disable port, agent and X11
384	forwarding, as well as disabling PTY allocation and execution of	396	forwarding, as well as disabling PTY allocation and execution of
@@ -416,6 +428,8 @@ AUTHORIZED_KEYS FILE FORMAT
416	user@example.net	428	user@example.net
417	restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==	429	restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
418	user@example.net	430	user@example.net
		431	no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==
		432	user@example.net
419		433
420	SSH_KNOWN_HOSTS FILE FORMAT	434	SSH_KNOWN_HOSTS FILE FORMAT
421	The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host	435	The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
@@ -650,4 +664,4 @@ AUTHORS
650	versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support	664	versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
651	for privilege separation.	665	for privilege separation.
652		666
653	OpenBSD 6.6 July 22, 2018 OpenBSD 6.6	667	OpenBSD 6.6 January 25, 2020 OpenBSD 6.6