- Merged OpenBSD updates to include paths.

author: Damien Miller <djm@mindrot.org> 2000-04-13 12:26:34 +1000
committer: Damien Miller <djm@mindrot.org> 2000-04-13 12:26:34 +1000
commit: 22c772609aa0e97fb39a6ec609c2f16445644055 (patch)
tree: 5246a2a1ab8e761fe1a22ec2c8d5fe52fe139e36 /sshd.8
parent: e71eb91259388de4aea7d46738f3b8b5593bccbe (diff)
1 files changed, 36 insertions, 20 deletions
diff --git a/sshd.8 b/sshd.8
index 0de3cef4a..a59bd22fb 100644
--- a/sshd.8
+++ b/sshd.8
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: sshd.8,v 1.16 2000/04/01 01:09:27 damien Exp $
+.\" $Id: sshd.8,v 1.17 2000/04/13 02:26:38 damien Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSHD 8
@@ -27,9 +27,9 @@
 .Op Fl k Ar key_gen_time
 .Op Fl p Ar port
 .Op Fl V Ar client_protocol_id
-.Sh DESCRIPTION 
+.Sh DESCRIPTION
 .Nm
-(Secure Shell Daemon) is the daemon program for 
+(Secure Shell Daemon) is the daemon program for
 .Xr ssh 1 .
 Together these programs replace rlogin and rsh programs, and
 provide secure encrypted communications between two untrusted hosts
@@ -39,7 +39,7 @@ install and use as possible.
 .Pp
 .Nm
 is the daemon that listens for connections from clients.
-It is normally started at boot from 
+It is normally started at boot from
 .Pa /etc/rc .
 It forks a new
 daemon for each incoming connection.
@@ -157,7 +157,7 @@ host file is normally not readable by anyone but root).
 .It Fl i
 Specifies that
 .Nm
-is being run from inetd. 
+is being run from inetd.
 .Nm
 is normally not run
 from inetd because it needs to generate the server key before it can
@@ -204,7 +204,7 @@ to use IPv6 addresses only.
 .El
 .Sh CONFIGURATION FILE
 .Nm
-reads configuration data from 
+reads configuration data from
 .Pa /etc/sshd_config
 (or the file specified with
 .Fl f
@@ -246,6 +246,11 @@ wildcards in the patterns.
 Only user names are valid, a numerical user ID isn't recognized.
 By default login is allowed regardless of the user name.
 .Pp
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2.
+Multiple ciphers must be comma-separated.
+The default is
+.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc .
 .It Cm CheckMail
 Specifies whether
 .Nm
@@ -284,14 +289,14 @@ does not start if this file is group/world-accessible.
 .It Cm IgnoreRhosts
 Specifies that
 .Pa .rhosts
-and 
+and
 .Pa .shosts
 files will not be used in authentication.
 .Pa /etc/hosts.equiv
 and
-.Pa /etc/shosts.equiv 
+.Pa /etc/shosts.equiv
 are still used.
-The default is 
+The default is
 .Dq yes .
 .It Cm IgnoreUserKnownHosts
 Specifies whether
@@ -342,7 +347,7 @@ Default is
 .Dq yes .
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is 
+Default is
 .Dq no ,
 as this only works when the Kerberos KDC is actually an AFS kaserver.
 .It Cm KerberosTicketCleanup
@@ -419,7 +424,7 @@ Multiple options of this type are permitted.
 .It Cm PrintMotd
 Specifies whether
 .Nm
-should print 
+should print
 .Pa /etc/motd
 when a user logs in interactively.
 (On some systems it is also printed by the shell,
@@ -427,6 +432,17 @@ when a user logs in interactively.
 or equivalent.)
 The default is
 .Dq yes .
+.It Cm Protocol
+Specifies the protocol versions
+.Nm
+should support.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 1 .
 .It Cm RandomSeed
 Obsolete.
 Random number generation uses other techniques.
@@ -454,7 +470,7 @@ Defines the number of bits in the server key.
 The minimum value is 512, and the default is 768.
 .It Cm SkeyAuthentication
 Specifies whether
-.Xr skey 1 
+.Xr skey 1
 authentication is allowed.
 The default is
 .Dq yes .
@@ -504,12 +520,12 @@ does the following:
 .Bl -enum -offset indent
 .It
 If the login is on a tty, and no command has been specified,
-prints last login time and 
+prints last login time and
 .Pa /etc/motd
 (unless prevented in the configuration file or by
 .Pa $HOME/.hushlogin ;
 see the
-.Sx FILES 
+.Sx FILES
 section).
 .It
 If the login is on a tty, records login time.
@@ -543,7 +559,7 @@ authentication protocol and cookie in standard input.
 Runs user's shell or command.
 .El
 .Sh AUTHORIZED_KEYS FILE FORMAT
-The 
+The
 .Pa $HOME/.ssh/authorized_keys
 file lists the RSA keys that are
 permitted for RSA authentication.
@@ -632,9 +648,9 @@ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
 .Pp
 command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
-The 
+The
 .Pa /etc/ssh_known_hosts
-and 
+and
 .Pa $HOME/.ssh/known_hosts
 files contain host public keys for all known hosts.
 The global file should
@@ -679,7 +695,7 @@ accepted if valid information can be found from either file.
 Note that the lines in these files are typically hundreds of characters
 long, and you definitely don't want to type in the host keys by hand.
 Rather, generate them by a script
-or by taking 
+or by taking
 .Pa /etc/ssh_host_key.pub
 and adding the host names at the front.
 .Ss Examples
@@ -734,7 +750,7 @@ should be world-readable, and
 .Pa $HOME/.ssh/known_hosts
 can but need not be world-readable.
 .It Pa /etc/nologin
-If this file exists, 
+If this file exists,
 .Nm
 refuses to let anyone except root log in.
 The contents of the file
@@ -865,7 +881,7 @@ external libraries.
 has been updated to support ssh protocol 1.5, making it compatible with
 all other ssh protocol 1 clients and servers.
 .It
-contains added support for 
+contains added support for
 .Xr kerberos 8
 authentication and ticket passing.
 .It
author	Damien Miller <djm@mindrot.org>	2000-04-13 12:26:34 +1000
committer	Damien Miller <djm@mindrot.org>	2000-04-13 12:26:34 +1000
commit	22c772609aa0e97fb39a6ec609c2f16445644055 (patch)
tree	5246a2a1ab8e761fe1a22ec2c8d5fe52fe139e36 /sshd.8
parent	e71eb91259388de4aea7d46738f3b8b5593bccbe (diff)

diff --git a/sshd.8 b/sshd.8 index 0de3cef4a..a59bd22fb 100644 --- a/sshd.8 +++ b/sshd.8
@@ -9,7 +9,7 @@
9	.\"	9	.\"
10	.\" Created: Sat Apr 22 21:55:14 1995 ylo	10	.\" Created: Sat Apr 22 21:55:14 1995 ylo
11	.\"	11	.\"
12	.\" $Id: sshd.8,v 1.16 2000/04/01 01:09:27 damien Exp $	12	.\" $Id: sshd.8,v 1.17 2000/04/13 02:26:38 damien Exp $
13	.\"	13	.\"
14	.Dd September 25, 1999	14	.Dd September 25, 1999
15	.Dt SSHD 8	15	.Dt SSHD 8
@@ -27,9 +27,9 @@
27	.Op Fl k Ar key_gen_time	27	.Op Fl k Ar key_gen_time
28	.Op Fl p Ar port	28	.Op Fl p Ar port
29	.Op Fl V Ar client_protocol_id	29	.Op Fl V Ar client_protocol_id
30	.Sh DESCRIPTION	30	.Sh DESCRIPTION
31	.Nm	31	.Nm
32	(Secure Shell Daemon) is the daemon program for	32	(Secure Shell Daemon) is the daemon program for
33	.Xr ssh 1 .	33	.Xr ssh 1 .
34	Together these programs replace rlogin and rsh programs, and	34	Together these programs replace rlogin and rsh programs, and
35	provide secure encrypted communications between two untrusted hosts	35	provide secure encrypted communications between two untrusted hosts
@@ -39,7 +39,7 @@ install and use as possible.
39	.Pp	39	.Pp
40	.Nm	40	.Nm
41	is the daemon that listens for connections from clients.	41	is the daemon that listens for connections from clients.
42	It is normally started at boot from	42	It is normally started at boot from
43	.Pa /etc/rc .	43	.Pa /etc/rc .
44	It forks a new	44	It forks a new
45	daemon for each incoming connection.	45	daemon for each incoming connection.
@@ -157,7 +157,7 @@ host file is normally not readable by anyone but root).
157	.It Fl i	157	.It Fl i
158	Specifies that	158	Specifies that
159	.Nm	159	.Nm
160	is being run from inetd.	160	is being run from inetd.
161	.Nm	161	.Nm
162	is normally not run	162	is normally not run
163	from inetd because it needs to generate the server key before it can	163	from inetd because it needs to generate the server key before it can
@@ -204,7 +204,7 @@ to use IPv6 addresses only.
204	.El	204	.El
205	.Sh CONFIGURATION FILE	205	.Sh CONFIGURATION FILE
206	.Nm	206	.Nm
207	reads configuration data from	207	reads configuration data from
208	.Pa /etc/sshd_config	208	.Pa /etc/sshd_config
209	(or the file specified with	209	(or the file specified with
210	.Fl f	210	.Fl f
@@ -246,6 +246,11 @@ wildcards in the patterns.
246	Only user names are valid, a numerical user ID isn't recognized.	246	Only user names are valid, a numerical user ID isn't recognized.
247	By default login is allowed regardless of the user name.	247	By default login is allowed regardless of the user name.
248	.Pp	248	.Pp
		249	.It Cm Ciphers
		250	Specifies the ciphers allowed for protocol version 2.
		251	Multiple ciphers must be comma-separated.
		252	The default is
		253	.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc .
249	.It Cm CheckMail	254	.It Cm CheckMail
250	Specifies whether	255	Specifies whether
251	.Nm	256	.Nm
@@ -284,14 +289,14 @@ does not start if this file is group/world-accessible.
284	.It Cm IgnoreRhosts	289	.It Cm IgnoreRhosts
285	Specifies that	290	Specifies that
286	.Pa .rhosts	291	.Pa .rhosts
287	and	292	and
288	.Pa .shosts	293	.Pa .shosts
289	files will not be used in authentication.	294	files will not be used in authentication.
290	.Pa /etc/hosts.equiv	295	.Pa /etc/hosts.equiv
291	and	296	and
292	.Pa /etc/shosts.equiv	297	.Pa /etc/shosts.equiv
293	are still used.	298	are still used.
294	The default is	299	The default is
295	.Dq yes .	300	.Dq yes .
296	.It Cm IgnoreUserKnownHosts	301	.It Cm IgnoreUserKnownHosts
297	Specifies whether	302	Specifies whether
@@ -342,7 +347,7 @@ Default is
342	.Dq yes .	347	.Dq yes .
343	.It Cm KerberosTgtPassing	348	.It Cm KerberosTgtPassing
344	Specifies whether a Kerberos TGT may be forwarded to the server.	349	Specifies whether a Kerberos TGT may be forwarded to the server.
345	Default is	350	Default is
346	.Dq no ,	351	.Dq no ,
347	as this only works when the Kerberos KDC is actually an AFS kaserver.	352	as this only works when the Kerberos KDC is actually an AFS kaserver.
348	.It Cm KerberosTicketCleanup	353	.It Cm KerberosTicketCleanup
@@ -419,7 +424,7 @@ Multiple options of this type are permitted.
419	.It Cm PrintMotd	424	.It Cm PrintMotd
420	Specifies whether	425	Specifies whether
421	.Nm	426	.Nm
422	should print	427	should print
423	.Pa /etc/motd	428	.Pa /etc/motd
424	when a user logs in interactively.	429	when a user logs in interactively.
425	(On some systems it is also printed by the shell,	430	(On some systems it is also printed by the shell,
@@ -427,6 +432,17 @@ when a user logs in interactively.
427	or equivalent.)	432	or equivalent.)
428	The default is	433	The default is
429	.Dq yes .	434	.Dq yes .
		435	.It Cm Protocol
		436	Specifies the protocol versions
		437	.Nm
		438	should support.
		439	The possible values are
		440	.Dq 1
		441	and
		442	.Dq 2 .
		443	Multiple versions must be comma-separated.
		444	The default is
		445	.Dq 1 .
430	.It Cm RandomSeed	446	.It Cm RandomSeed
431	Obsolete.	447	Obsolete.
432	Random number generation uses other techniques.	448	Random number generation uses other techniques.
@@ -454,7 +470,7 @@ Defines the number of bits in the server key.
454	The minimum value is 512, and the default is 768.	470	The minimum value is 512, and the default is 768.
455	.It Cm SkeyAuthentication	471	.It Cm SkeyAuthentication
456	Specifies whether	472	Specifies whether
457	.Xr skey 1	473	.Xr skey 1
458	authentication is allowed.	474	authentication is allowed.
459	The default is	475	The default is
460	.Dq yes .	476	.Dq yes .
@@ -504,12 +520,12 @@ does the following:
504	.Bl -enum -offset indent	520	.Bl -enum -offset indent
505	.It	521	.It
506	If the login is on a tty, and no command has been specified,	522	If the login is on a tty, and no command has been specified,
507	prints last login time and	523	prints last login time and
508	.Pa /etc/motd	524	.Pa /etc/motd
509	(unless prevented in the configuration file or by	525	(unless prevented in the configuration file or by
510	.Pa $HOME/.hushlogin ;	526	.Pa $HOME/.hushlogin ;
511	see the	527	see the
512	.Sx FILES	528	.Sx FILES
513	section).	529	section).
514	.It	530	.It
515	If the login is on a tty, records login time.	531	If the login is on a tty, records login time.
@@ -543,7 +559,7 @@ authentication protocol and cookie in standard input.
543	Runs user's shell or command.	559	Runs user's shell or command.
544	.El	560	.El
545	.Sh AUTHORIZED_KEYS FILE FORMAT	561	.Sh AUTHORIZED_KEYS FILE FORMAT
546	The	562	The
547	.Pa $HOME/.ssh/authorized_keys	563	.Pa $HOME/.ssh/authorized_keys
548	file lists the RSA keys that are	564	file lists the RSA keys that are
549	permitted for RSA authentication.	565	permitted for RSA authentication.
@@ -632,9 +648,9 @@ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\\|.\\|.\\|2334 ylo@niksula
632	.Pp	648	.Pp
633	command="dump /home",no-pty,no-port-forwarding 1024 33 23.\\|.\\|.\\|2323 backup.hut.fi	649	command="dump /home",no-pty,no-port-forwarding 1024 33 23.\\|.\\|.\\|2323 backup.hut.fi
634	.Sh SSH_KNOWN_HOSTS FILE FORMAT	650	.Sh SSH_KNOWN_HOSTS FILE FORMAT
635	The	651	The
636	.Pa /etc/ssh_known_hosts	652	.Pa /etc/ssh_known_hosts
637	and	653	and
638	.Pa $HOME/.ssh/known_hosts	654	.Pa $HOME/.ssh/known_hosts
639	files contain host public keys for all known hosts.	655	files contain host public keys for all known hosts.
640	The global file should	656	The global file should
@@ -679,7 +695,7 @@ accepted if valid information can be found from either file.
679	Note that the lines in these files are typically hundreds of characters	695	Note that the lines in these files are typically hundreds of characters
680	long, and you definitely don't want to type in the host keys by hand.	696	long, and you definitely don't want to type in the host keys by hand.
681	Rather, generate them by a script	697	Rather, generate them by a script
682	or by taking	698	or by taking
683	.Pa /etc/ssh_host_key.pub	699	.Pa /etc/ssh_host_key.pub
684	and adding the host names at the front.	700	and adding the host names at the front.
685	.Ss Examples	701	.Ss Examples
@@ -734,7 +750,7 @@ should be world-readable, and
734	.Pa $HOME/.ssh/known_hosts	750	.Pa $HOME/.ssh/known_hosts
735	can but need not be world-readable.	751	can but need not be world-readable.
736	.It Pa /etc/nologin	752	.It Pa /etc/nologin
737	If this file exists,	753	If this file exists,
738	.Nm	754	.Nm
739	refuses to let anyone except root log in.	755	refuses to let anyone except root log in.
740	The contents of the file	756	The contents of the file
@@ -865,7 +881,7 @@ external libraries.
865	has been updated to support ssh protocol 1.5, making it compatible with	881	has been updated to support ssh protocol 1.5, making it compatible with
866	all other ssh protocol 1 clients and servers.	882	all other ssh protocol 1 clients and servers.
867	.It	883	.It
868	contains added support for	884	contains added support for
869	.Xr kerberos 8	885	.Xr kerberos 8
870	authentication and ticket passing.	886	authentication and ticket passing.
871	.It	887	.It