* New upstream release (http://www.openssh.org/txt/release-5.7):

  - Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
    and host/user keys (ECDSA) as specified by RFC5656.  ECDH and ECDSA
    offer better performance than plain DH and DSA at the same equivalent
    symmetric key length, as well as much shorter keys.
  - sftp(1)/sftp-server(8): add a protocol extension to support a hard
    link operation.  It is available through the "ln" command in the
    client.  The old "ln" behaviour of creating a symlink is available
    using its "-s" option or through the preexisting "symlink" command.
  - scp(1): Add a new -3 option to scp: Copies between two remote hosts
    are transferred through the local host (closes: #508613).
  - ssh(1): "atomically" create the listening mux socket by binding it on
    a temporary name and then linking it into position after listen() has
    succeeded.  This allows the mux clients to determine that the server
    socket is either ready or stale without races (closes: #454784).
    Stale server sockets are now automatically removed (closes: #523250).
  - ssh(1): install a SIGCHLD handler to reap expired child process
    (closes: #594687).
  - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent
    temporary directories (closes: #357469, although only if you arrange
    for ssh-agent to actually see $TMPDIR since the setgid bit will cause
    it to be stripped off).

1 files changed, 40 insertions, 33 deletions

diff --git a/sshd.8 b/sshd.8
index 835a56344..3466aeda1 100644
--- a/sshd.8
+++ b/sshd.8
@@ -1,4 +1,3 @@
-.\"  -*- nroff -*-
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.257 2010/08/04 05:37:01 djm Exp $
-.Dd $Mdocdate: August 4 2010 $
+.\" $OpenBSD: sshd.8,v 1.260 2010/10/28 18:33:28 jmc Exp $
+.Dd $Mdocdate: October 28 2010 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -170,9 +169,10 @@ host key files are normally not readable by anyone but root).
 The default is
 .Pa /etc/ssh/ssh_host_key
 for protocol version 1, and
-.Pa /etc/ssh/ssh_host_rsa_key
+.Pa /etc/ssh/ssh_host_dsa_key ,
+.Pa /etc/ssh/ssh_host_ecdsa_key
 and
-.Pa /etc/ssh/ssh_host_dsa_key
+.Pa /etc/ssh/ssh_host_rsa_key
 for protocol version 2.
 It is possible to have multiple host key files for
 the different protocol versions and host key algorithms.
@@ -275,7 +275,7 @@ though this can be changed via the
 .Cm Protocol
 option in
 .Xr sshd_config 5 .
-Protocol 2 supports both RSA and DSA keys;
+Protocol 2 supports DSA, ECDSA and RSA keys;
 protocol 1 only supports RSA keys.
 For both protocols,
 each host has a host-specific key,
@@ -483,6 +483,9 @@ protocol version 1; the
 comment field is not used for anything (but may be convenient for the
 user to identify the key).
 For protocol version 2 the keytype is
+.Dq ecdsa-sha2-nistp256 ,
+.Dq ecdsa-sha2-nistp384 ,
+.Dq ecdsa-sha2-nistp521 ,
 .Dq ssh-dss
 or
 .Dq ssh-rsa .
@@ -494,6 +497,7 @@ keys up to 16 kilobits.
 You don't want to type them in; instead, copy the
 .Pa identity.pub ,
 .Pa id_dsa.pub ,
+.Pa id_ecdsa.pub ,
 or the
 .Pa id_rsa.pub
 file and edit it.
@@ -751,7 +755,7 @@ AAAA1234.....=
 .Ed
 .Sh FILES
 .Bl -tag -width Ds -compact
-.It ~/.hushlogin
+.It Pa ~/.hushlogin
 This file is used to suppress printing the last login time and
 .Pa /etc/motd ,
 if
@@ -763,7 +767,7 @@ are enabled.
 It does not suppress printing of the banner specified by
 .Cm Banner .
 .Pp
-.It ~/.rhosts
+.It Pa ~/.rhosts
 This file is used for host-based authentication (see
 .Xr ssh 1
 for more information).
@@ -778,21 +782,22 @@ The recommended
 permission for most machines is read/write for the user, and not
 accessible by others.
 .Pp
-.It ~/.shosts
+.It Pa ~/.shosts
 This file is used in exactly the same way as
 .Pa .rhosts ,
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
-.It ~/.ssh/
+.It Pa ~/.ssh/
 This directory is the default location for all user-specific configuration
 and authentication information.
 There is no general requirement to keep the entire contents of this directory
 secret, but the recommended permissions are read/write/execute for the user,
 and not accessible by others.
 .Pp
-.It ~/.ssh/authorized_keys
-Lists the public keys (RSA/DSA) that can be used for logging in as this user.
+.It Pa ~/.ssh/authorized_keys
+Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in
+as this user.
 The format of this file is described above.
 The content of the file is not highly sensitive, but the recommended
 permissions are read/write for the user, and not accessible by others.
@@ -809,7 +814,7 @@ will not allow it to be used unless the
 option has been set to
 .Dq no .
 .Pp
-.It ~/.ssh/environment
+.It Pa ~/.ssh/environment
 This file is read into the environment at login (if it exists).
 It can only contain empty lines, comment lines (that start with
 .Ql # ) ,
@@ -821,40 +826,40 @@ controlled via the
 .Cm PermitUserEnvironment
 option.
 .Pp
-.It ~/.ssh/known_hosts
+.It Pa ~/.ssh/known_hosts
 Contains a list of host keys for all hosts the user has logged into
 that are not already in the systemwide list of known host keys.
 The format of this file is described above.
 This file should be writable only by root/the owner and
 can, but need not be, world-readable.
 .Pp
-.It ~/.ssh/rc
+.It Pa ~/.ssh/rc
 Contains initialization routines to be run before
 the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
-.It /etc/hosts.allow
-.It /etc/hosts.deny
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
 Access controls that should be enforced by tcp-wrappers are defined here.
 Further details are described in
 .Xr hosts_access 5 .
 .Pp
-.It /etc/hosts.equiv
+.It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
-.It /etc/ssh/moduli
+.It Pa /etc/ssh/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
 .Pp
-.It /etc/motd
+.It Pa /etc/motd
 See
 .Xr motd 5 .
 .Pp
-.It /etc/nologin
+.It Pa /etc/nologin
 If this file exists,
 .Nm
 refuses to let anyone except root log in.
@@ -863,15 +868,16 @@ are displayed to anyone trying to log in, and non-root connections are
 refused.
 The file should be world-readable.
 .Pp
-.It /etc/shosts.equiv
+.It Pa /etc/shosts.equiv
 This file is used in exactly the same way as
 .Pa hosts.equiv ,
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
-.It /etc/ssh/ssh_host_key
-.It /etc/ssh/ssh_host_dsa_key
-.It /etc/ssh/ssh_host_rsa_key
+.It Pa /etc/ssh/ssh_host_key
+.It Pa /etc/ssh/ssh_host_dsa_key
+.It Pa /etc/ssh/ssh_host_ecdsa_key
+.It Pa /etc/ssh/ssh_host_rsa_key
 These three files contain the private parts of the host keys.
 These files should only be owned by root, readable only by root, and not
 accessible to others.
@@ -879,9 +885,10 @@ Note that
 .Nm
 does not start if these files are group/world-accessible.
 .Pp
-.It /etc/ssh/ssh_host_key.pub
-.It /etc/ssh/ssh_host_dsa_key.pub
-.It /etc/ssh/ssh_host_rsa_key.pub
+.It Pa /etc/ssh/ssh_host_key.pub
+.It Pa /etc/ssh/ssh_host_dsa_key.pub
+.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
+.It Pa /etc/ssh/ssh_host_rsa_key.pub
 These three files contain the public parts of the host keys.
 These files should be world-readable but writable only by
 root.
@@ -892,7 +899,7 @@ the user so their contents can be copied to known hosts files.
 These files are created using
 .Xr ssh-keygen 1 .
 .Pp
-.It /etc/ssh/ssh_known_hosts
+.It Pa /etc/ssh/ssh_known_hosts
 Systemwide list of known host keys.
 This file should be prepared by the
 system administrator to contain the public host keys of all machines in the
@@ -901,20 +908,20 @@ The format of this file is described above.
 This file should be writable only by root/the owner and
 should be world-readable.
 .Pp
-.It /etc/ssh/sshd_config
+.It Pa /etc/ssh/sshd_config
 Contains configuration data for
 .Nm sshd .
 The file format and configuration options are described in
 .Xr sshd_config 5 .
 .Pp
-.It /etc/ssh/sshrc
+.It Pa /etc/ssh/sshrc
 Similar to
 .Pa ~/.ssh/rc ,
 it can be used to specify
 machine-specific login-time initializations globally.
 This file should be writable only by root, and should be world-readable.
 .Pp
-.It /var/empty
+.It Pa /var/empty
 .Xr chroot 2
 directory used by
 .Nm
@@ -922,7 +929,7 @@ during privilege separation in the pre-authentication phase.
 The directory should not contain any files and must be owned by root
 and not group or world-writable.
 .Pp
-.It /var/run/sshd.pid
+.It Pa /var/run/sshd.pid
 Contains the process ID of the
 .Nm
 listening for connections (if there are several daemons running