- markus@cvs.openbsd.org 2001/02/12 16:16:23

     [auth-passwd.c auth.c auth.h auth1.c auth2.c servconf.c servconf.h
      ssh-keygen.c sshd.8]
     PermitRootLogin={yes,without-password,forced-commands-only,no}
     (before this change, root could login even if PermitRootLogin==no)

1 files changed, 13 insertions, 8 deletions

diff --git a/sshd.8 b/sshd.8
index 1b1e9645c..79c184330 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.93 2001/02/11 12:59:25 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.94 2001/02/12 16:16:24 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -552,21 +552,26 @@ Specifies whether the root can log in using
 .Xr ssh 1 .
 The argument must be
 .Dq yes ,
-.Dq without-password
+.Dq without-password ,
+.Dq forced-commands-only
 or
 .Dq no .
 The default is
 .Dq yes .
-If this options is set to
+.Pp
+If this option is set to
 .Dq without-password
-only password authentication is disabled for root.
+password authentication is disabled for root.
 .Pp
-Root login with RSA authentication when the
+If this option is set to
+.Dq forced-commands-only
+root login with public key authentication will be allowed,
+but only if the
 .Ar command
-option has been
-specified will be allowed regardless of the value of this setting
+option has been specified
 (which may be useful for taking remote backups even if root login is
-normally not allowed).
+normally not allowed). All other authentication methods are disabled
+for root.
 .It Cm PidFile
 Specifies the file that contains the process identifier of the
 .Nm