Merge 3.8p1 to the trunk. This builds and runs, but I haven't tested it

extensively yet. ProtocolKeepAlives is now just a compatibility alias for ServerAliveInterval.
author: Colin Watson <cjwatson@debian.org> 2004-03-01 02:25:32 +0000
committer: Colin Watson <cjwatson@debian.org> 2004-03-01 02:25:32 +0000
commit: ea8116a11e3de70036dbc665ccb0d486cf89cac9 (patch)
tree: d73ccdff78d8608e156465af42e6a1b3527fb2d6 /sshd.8
parent: e39b311381a5609cc05acf298c42fba196dc524b (diff)
parent: f5bda272678ec6dccaa5f29379cf60cb855018e8 (diff)
1 files changed, 43 insertions, 42 deletions
diff --git a/sshd.8 b/sshd.8
index 27b1a3cf6..460263e92 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.200 2003/10/08 08:27:36 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -44,7 +44,7 @@
 .Sh SYNOPSIS
 .Nm sshd
 .Bk -words
-.Op Fl deiqtD46
+.Op Fl 46Ddeiqt
 .Op Fl b Ar bits
 .Op Fl f Ar config_file
 .Op Fl g Ar login_grace_time
@@ -78,9 +78,7 @@ This implementation of
 supports both SSH protocol version 1 and 2 simultaneously.
 .Nm
 works as follows:
-.Pp
 .Ss SSH protocol version 1
-.Pp
 Each host has a host-specific RSA key
 (normally 1024 bits) used to identify the host.
 Additionally, when
@@ -92,7 +90,7 @@ Whenever a client connects, the daemon responds with its public
 host and server keys.
 The client compares the
 RSA host key against its own database to verify that it has not changed.
-The client then generates a 256 bit random number.
+The client then generates a 256-bit random number.
 It encrypts this
 random number using both the host key and the server key, and sends
 the encrypted number to the server.
@@ -107,9 +105,9 @@ to use from those offered by the server.
 .Pp
 Next, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
-.Pa .rhosts
+.Em .rhosts
 authentication,
-.Pa .rhosts
+.Em .rhosts
 authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
@@ -137,7 +135,8 @@ or
 .Ql \&*NP\&*
 ).
 .Pp
-Rhosts authentication is normally disabled
+.Em rhosts
+authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.
 System security is not improved unless
@@ -150,9 +149,7 @@ are disabled (thus completely disabling
 and
 .Xr rsh
 into the machine).
-.Pp
 .Ss SSH protocol version 2
-.Pp
 Version 2 works similarly:
 Each host has a host-specific key (RSA or DSA) used to identify the host.
 However, when the daemon starts, it does not generate a server key.
@@ -160,7 +157,7 @@ Forward security is provided through a Diffie-Hellman key agreement.
 This key agreement results in a shared session key.
 .Pp
 The rest of the session is encrypted using a symmetric cipher, currently
-128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES.
+128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
 The client selects the encryption algorithm
 to use from those offered by the server.
 Additionally, session integrity is provided
@@ -171,9 +168,7 @@ Protocol version 2 provides a public key based
 user (PubkeyAuthentication) or
 client host (HostbasedAuthentication) authentication method,
 conventional password authentication and challenge response based methods.
-.Pp
 .Ss Command execution and data forwarding
-.Pp
 If the client successfully authenticates itself, a dialog for
 preparing the session is entered.
 At this time the client may request
@@ -192,8 +187,9 @@ connections have been closed, the server sends command exit status to
 the client, and both sides exit.
 .Pp
 .Nm
-can be configured using command-line options or a configuration
+can be configured using command-line options or a configuration file
-file.
+(by default
+.Xr sshd_config 5 ) .
 Command-line options override values specified in the
 configuration file.
 .Pp
@@ -205,9 +201,23 @@ by executing itself with the name it was started as, i.e.,
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
 .It Fl b Ar bits
 Specifies the number of bits in the ephemeral protocol version 1
 server key (default 768).
+.It Fl D
+When this option is specified,
+.Nm
+will not detach and does not become a daemon.
+This allows easy monitoring of
+.Nm sshd .
 .It Fl d
 Debug mode.
 The server sends verbose debug output to the system
@@ -267,7 +277,7 @@ be feasible.
 Specifies how often the ephemeral protocol version 1 server key is
 regenerated (default 3600 seconds, or one hour).
 The motivation for regenerating the key fairly
-often is that the key is not stored anywhere, and after about an hour,
+often is that the key is not stored anywhere, and after about an hour
 it becomes impossible to recover the key for decrypting intercepted
 communications even if the machine is cracked into or physically
 seized.
@@ -276,6 +286,8 @@ A value of zero indicates that the key will never be regenerated.
 Can be used to give options in the format used in the configuration file.
 This is useful for specifying options for which there is no separate
 command-line flag.
+For full details of the options, and their values, see
+.Xr sshd_config 5 .
 .It Fl p Ar port
 Specifies the port on which the server listens for connections
 (default 22).
@@ -328,20 +340,6 @@ USER@HOST pattern in
 .Cm AllowUsers
 or
 .Cm DenyUsers .
-.It Fl D
-When this option is specified
-.Nm
-will not detach and does not become a daemon.
-This allows easy monitoring of
-.Nm sshd .
-.It Fl 4
-Forces
-.Nm
-to use IPv4 addresses only.
-.It Fl 6
-Forces
-.Nm
-to use IPv6 addresses only.
 .El
 .Sh CONFIGURATION FILE
 .Nm
@@ -378,9 +376,9 @@ Changes to run with normal user privileges.
 .It
 Sets up basic environment.
 .It
-Reads
+Reads the file
-.Pa $HOME/.ssh/environment
+.Pa $HOME/.ssh/environment ,
-if it exists and users are allowed to change their environment.
+if it exists, and users are allowed to change their environment.
 See the
 .Cm PermitUserEnvironment
 option in
@@ -519,7 +517,7 @@ Limit local
 port forwarding such that it may only connect to the specified host and
 port.
 IPv6 addresses can be specified with an alternative syntax:
-.Ar host/port .
+.Ar host Ns / Ns Ar port .
 Multiple
 .Cm permitopen
 options may be applied separated by commas.
@@ -527,13 +525,13 @@ No pattern matching is performed on the specified hostnames,
 they must be literal domains or addresses.
 .El
 .Ss Examples
-1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
+1024 33 12121...312314325 ylo@foo.bar
 .Pp
-from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
+from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
 .Pp
-command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
+command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
 .Pp
-permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323
+permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The
 .Pa /etc/ssh/ssh_known_hosts
@@ -591,7 +589,7 @@ or by taking
 and adding the host names at the front.
 .Ss Examples
 .Bd -literal
-closenet,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi
+closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
 cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
 .Ed
 .Sh FILES
@@ -650,7 +648,7 @@ and/or
 .Pa id_rsa.pub
 files into this file, as described in
 .Xr ssh-keygen 1 .
-.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts"
+.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts"
 These files are consulted when using rhosts with RSA host
 authentication or protocol version 2 hostbased authentication
 to check the public key of the host.
@@ -684,7 +682,7 @@ The file must
 be writable only by the user; it is recommended that it not be
 accessible by others.
 .Pp
-If is also possible to use netgroups in the file.
+It is also possible to use netgroups in the file.
 Either host or user
 name may be of the form +@groupname to specify all hosts or all users
 in the group.
@@ -696,7 +694,7 @@ However, this file is
 not used by rlogin and rshd, so using this permits access using SSH only.
 .It Pa /etc/hosts.equiv
 This file is used during
-.Pa .rhosts
+.Em rhosts
 authentication.
 In the simplest form, this file contains host names, one per line.
 Users on
@@ -803,9 +801,12 @@ This file should be writable only by root, and should be world-readable.
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
+.Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
+.Xr inetd 8 ,
 .Xr sftp-server 8
 .Rs
 .%A T. Ylonen
author	Colin Watson <cjwatson@debian.org>	2004-03-01 02:25:32 +0000
committer	Colin Watson <cjwatson@debian.org>	2004-03-01 02:25:32 +0000
commit	ea8116a11e3de70036dbc665ccb0d486cf89cac9 (patch)
tree	d73ccdff78d8608e156465af42e6a1b3527fb2d6 /sshd.8
parent	e39b311381a5609cc05acf298c42fba196dc524b (diff)
parent	f5bda272678ec6dccaa5f29379cf60cb855018e8 (diff)

diff --git a/sshd.8 b/sshd.8 index 27b1a3cf6..460263e92 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $	37	.\" $OpenBSD: sshd.8,v 1.200 2003/10/08 08:27:36 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -44,7 +44,7 @@
44	.Sh SYNOPSIS	44	.Sh SYNOPSIS
45	.Nm sshd	45	.Nm sshd
46	.Bk -words	46	.Bk -words
47	.Op Fl deiqtD46	47	.Op Fl 46Ddeiqt
48	.Op Fl b Ar bits	48	.Op Fl b Ar bits
49	.Op Fl f Ar config_file	49	.Op Fl f Ar config_file
50	.Op Fl g Ar login_grace_time	50	.Op Fl g Ar login_grace_time
@@ -78,9 +78,7 @@ This implementation of
78	supports both SSH protocol version 1 and 2 simultaneously.	78	supports both SSH protocol version 1 and 2 simultaneously.
79	.Nm	79	.Nm
80	works as follows:	80	works as follows:
81	.Pp
82	.Ss SSH protocol version 1	81	.Ss SSH protocol version 1
83	.Pp
84	Each host has a host-specific RSA key	82	Each host has a host-specific RSA key
85	(normally 1024 bits) used to identify the host.	83	(normally 1024 bits) used to identify the host.
86	Additionally, when	84	Additionally, when
@@ -92,7 +90,7 @@ Whenever a client connects, the daemon responds with its public
92	host and server keys.	90	host and server keys.
93	The client compares the	91	The client compares the
94	RSA host key against its own database to verify that it has not changed.	92	RSA host key against its own database to verify that it has not changed.
95	The client then generates a 256 bit random number.	93	The client then generates a 256-bit random number.
96	It encrypts this	94	It encrypts this
97	random number using both the host key and the server key, and sends	95	random number using both the host key and the server key, and sends
98	the encrypted number to the server.	96	the encrypted number to the server.
@@ -107,9 +105,9 @@ to use from those offered by the server.
107	.Pp	105	.Pp
108	Next, the server and the client enter an authentication dialog.	106	Next, the server and the client enter an authentication dialog.
109	The client tries to authenticate itself using	107	The client tries to authenticate itself using
110	.Pa .rhosts	108	.Em .rhosts
111	authentication,	109	authentication,
112	.Pa .rhosts	110	.Em .rhosts
113	authentication combined with RSA host	111	authentication combined with RSA host
114	authentication, RSA challenge-response authentication, or password	112	authentication, RSA challenge-response authentication, or password
115	based authentication.	113	based authentication.
@@ -137,7 +135,8 @@ or
137	.Ql \&NP\&	135	.Ql \&NP\&
138	).	136	).
139	.Pp	137	.Pp
140	Rhosts authentication is normally disabled	138	.Em rhosts
		139	authentication is normally disabled
141	because it is fundamentally insecure, but can be enabled in the server	140	because it is fundamentally insecure, but can be enabled in the server
142	configuration file if desired.	141	configuration file if desired.
143	System security is not improved unless	142	System security is not improved unless
@@ -150,9 +149,7 @@ are disabled (thus completely disabling
150	and	149	and
151	.Xr rsh	150	.Xr rsh
152	into the machine).	151	into the machine).
153	.Pp
154	.Ss SSH protocol version 2	152	.Ss SSH protocol version 2
155	.Pp
156	Version 2 works similarly:	153	Version 2 works similarly:
157	Each host has a host-specific key (RSA or DSA) used to identify the host.	154	Each host has a host-specific key (RSA or DSA) used to identify the host.
158	However, when the daemon starts, it does not generate a server key.	155	However, when the daemon starts, it does not generate a server key.
@@ -160,7 +157,7 @@ Forward security is provided through a Diffie-Hellman key agreement.
160	This key agreement results in a shared session key.	157	This key agreement results in a shared session key.
161	.Pp	158	.Pp
162	The rest of the session is encrypted using a symmetric cipher, currently	159	The rest of the session is encrypted using a symmetric cipher, currently
163	128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES.	160	128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
164	The client selects the encryption algorithm	161	The client selects the encryption algorithm
165	to use from those offered by the server.	162	to use from those offered by the server.
166	Additionally, session integrity is provided	163	Additionally, session integrity is provided
@@ -171,9 +168,7 @@ Protocol version 2 provides a public key based
171	user (PubkeyAuthentication) or	168	user (PubkeyAuthentication) or
172	client host (HostbasedAuthentication) authentication method,	169	client host (HostbasedAuthentication) authentication method,
173	conventional password authentication and challenge response based methods.	170	conventional password authentication and challenge response based methods.
174	.Pp
175	.Ss Command execution and data forwarding	171	.Ss Command execution and data forwarding
176	.Pp
177	If the client successfully authenticates itself, a dialog for	172	If the client successfully authenticates itself, a dialog for
178	preparing the session is entered.	173	preparing the session is entered.
179	At this time the client may request	174	At this time the client may request
@@ -192,8 +187,9 @@ connections have been closed, the server sends command exit status to
192	the client, and both sides exit.	187	the client, and both sides exit.
193	.Pp	188	.Pp
194	.Nm	189	.Nm
195	can be configured using command-line options or a configuration	190	can be configured using command-line options or a configuration file
196	file.	191	(by default
		192	.Xr sshd_config 5 ) .
197	Command-line options override values specified in the	193	Command-line options override values specified in the
198	configuration file.	194	configuration file.
199	.Pp	195	.Pp
@@ -205,9 +201,23 @@ by executing itself with the name it was started as, i.e.,
205	.Pp	201	.Pp
206	The options are as follows:	202	The options are as follows:
207	.Bl -tag -width Ds	203	.Bl -tag -width Ds
		204	.It Fl 4
		205	Forces
		206	.Nm
		207	to use IPv4 addresses only.
		208	.It Fl 6
		209	Forces
		210	.Nm
		211	to use IPv6 addresses only.
208	.It Fl b Ar bits	212	.It Fl b Ar bits
209	Specifies the number of bits in the ephemeral protocol version 1	213	Specifies the number of bits in the ephemeral protocol version 1
210	server key (default 768).	214	server key (default 768).
		215	.It Fl D
		216	When this option is specified,
		217	.Nm
		218	will not detach and does not become a daemon.
		219	This allows easy monitoring of
		220	.Nm sshd .
211	.It Fl d	221	.It Fl d
212	Debug mode.	222	Debug mode.
213	The server sends verbose debug output to the system	223	The server sends verbose debug output to the system
@@ -267,7 +277,7 @@ be feasible.
267	Specifies how often the ephemeral protocol version 1 server key is	277	Specifies how often the ephemeral protocol version 1 server key is
268	regenerated (default 3600 seconds, or one hour).	278	regenerated (default 3600 seconds, or one hour).
269	The motivation for regenerating the key fairly	279	The motivation for regenerating the key fairly
270	often is that the key is not stored anywhere, and after about an hour,	280	often is that the key is not stored anywhere, and after about an hour
271	it becomes impossible to recover the key for decrypting intercepted	281	it becomes impossible to recover the key for decrypting intercepted
272	communications even if the machine is cracked into or physically	282	communications even if the machine is cracked into or physically
273	seized.	283	seized.
@@ -276,6 +286,8 @@ A value of zero indicates that the key will never be regenerated.
276	Can be used to give options in the format used in the configuration file.	286	Can be used to give options in the format used in the configuration file.
277	This is useful for specifying options for which there is no separate	287	This is useful for specifying options for which there is no separate
278	command-line flag.	288	command-line flag.
		289	For full details of the options, and their values, see
		290	.Xr sshd_config 5 .
279	.It Fl p Ar port	291	.It Fl p Ar port
280	Specifies the port on which the server listens for connections	292	Specifies the port on which the server listens for connections
281	(default 22).	293	(default 22).
@@ -328,20 +340,6 @@ USER@HOST pattern in
328	.Cm AllowUsers	340	.Cm AllowUsers
329	or	341	or
330	.Cm DenyUsers .	342	.Cm DenyUsers .
331	.It Fl D
332	When this option is specified
333	.Nm
334	will not detach and does not become a daemon.
335	This allows easy monitoring of
336	.Nm sshd .
337	.It Fl 4
338	Forces
339	.Nm
340	to use IPv4 addresses only.
341	.It Fl 6
342	Forces
343	.Nm
344	to use IPv6 addresses only.
345	.El	343	.El
346	.Sh CONFIGURATION FILE	344	.Sh CONFIGURATION FILE
347	.Nm	345	.Nm
@@ -378,9 +376,9 @@ Changes to run with normal user privileges.
378	.It	376	.It
379	Sets up basic environment.	377	Sets up basic environment.
380	.It	378	.It
381	Reads	379	Reads the file
382	.Pa $HOME/.ssh/environment	380	.Pa $HOME/.ssh/environment ,
383	if it exists and users are allowed to change their environment.	381	if it exists, and users are allowed to change their environment.
384	See the	382	See the
385	.Cm PermitUserEnvironment	383	.Cm PermitUserEnvironment
386	option in	384	option in
@@ -519,7 +517,7 @@ Limit local
519	port forwarding such that it may only connect to the specified host and	517	port forwarding such that it may only connect to the specified host and
520	port.	518	port.
521	IPv6 addresses can be specified with an alternative syntax:	519	IPv6 addresses can be specified with an alternative syntax:
522	.Ar host/port .	520	.Ar host Ns / Ns Ar port .
523	Multiple	521	Multiple
524	.Cm permitopen	522	.Cm permitopen
525	options may be applied separated by commas.	523	options may be applied separated by commas.
@@ -527,13 +525,13 @@ No pattern matching is performed on the specified hostnames,
527	they must be literal domains or addresses.	525	they must be literal domains or addresses.
528	.El	526	.El
529	.Ss Examples	527	.Ss Examples
530	1024 33 12121.\\|.\\|.\\|312314325 ylo@foo.bar	528	1024 33 12121...312314325 ylo@foo.bar
531	.Pp	529	.Pp
532	from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\\|.\\|.\\|2334 ylo@niksula	530	from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
533	.Pp	531	.Pp
534	command="dump /home",no-pty,no-port-forwarding 1024 33 23.\\|.\\|.\\|2323 backup.hut.fi	532	command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
535	.Pp	533	.Pp
536	permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\\|.\\|.\\|2323	534	permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
537	.Sh SSH_KNOWN_HOSTS FILE FORMAT	535	.Sh SSH_KNOWN_HOSTS FILE FORMAT
538	The	536	The
539	.Pa /etc/ssh/ssh_known_hosts	537	.Pa /etc/ssh/ssh_known_hosts
@@ -591,7 +589,7 @@ or by taking
591	and adding the host names at the front.	589	and adding the host names at the front.
592	.Ss Examples	590	.Ss Examples
593	.Bd -literal	591	.Bd -literal
594	closenet,.\\|.\\|.\\|,130.233.208.41 1024 37 159.\\|.\\|.93 closenet.hut.fi	592	closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
595	cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=	593	cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
596	.Ed	594	.Ed
597	.Sh FILES	595	.Sh FILES
@@ -650,7 +648,7 @@ and/or
650	.Pa id_rsa.pub	648	.Pa id_rsa.pub
651	files into this file, as described in	649	files into this file, as described in
652	.Xr ssh-keygen 1 .	650	.Xr ssh-keygen 1 .
653	.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts"	651	.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts"
654	These files are consulted when using rhosts with RSA host	652	These files are consulted when using rhosts with RSA host
655	authentication or protocol version 2 hostbased authentication	653	authentication or protocol version 2 hostbased authentication
656	to check the public key of the host.	654	to check the public key of the host.
@@ -684,7 +682,7 @@ The file must
684	be writable only by the user; it is recommended that it not be	682	be writable only by the user; it is recommended that it not be
685	accessible by others.	683	accessible by others.
686	.Pp	684	.Pp
687	If is also possible to use netgroups in the file.	685	It is also possible to use netgroups in the file.
688	Either host or user	686	Either host or user
689	name may be of the form +@groupname to specify all hosts or all users	687	name may be of the form +@groupname to specify all hosts or all users
690	in the group.	688	in the group.
@@ -696,7 +694,7 @@ However, this file is
696	not used by rlogin and rshd, so using this permits access using SSH only.	694	not used by rlogin and rshd, so using this permits access using SSH only.
697	.It Pa /etc/hosts.equiv	695	.It Pa /etc/hosts.equiv
698	This file is used during	696	This file is used during
699	.Pa .rhosts	697	.Em rhosts
700	authentication.	698	authentication.
701	In the simplest form, this file contains host names, one per line.	699	In the simplest form, this file contains host names, one per line.
702	Users on	700	Users on
@@ -803,9 +801,12 @@ This file should be writable only by root, and should be world-readable.
803	.Xr ssh-add 1 ,	801	.Xr ssh-add 1 ,
804	.Xr ssh-agent 1 ,	802	.Xr ssh-agent 1 ,
805	.Xr ssh-keygen 1 ,	803	.Xr ssh-keygen 1 ,
		804	.Xr chroot 2 ,
		805	.Xr hosts_access 5 ,
806	.Xr login.conf 5 ,	806	.Xr login.conf 5 ,
807	.Xr moduli 5 ,	807	.Xr moduli 5 ,
808	.Xr sshd_config 5 ,	808	.Xr sshd_config 5 ,
		809	.Xr inetd 8 ,
809	.Xr sftp-server 8	810	.Xr sftp-server 8
810	.Rs	811	.Rs
811	.%A T. Ylonen	812	.%A T. Ylonen