author Colin Watson <cjwatson@debian.org> 2018-04-03 08:20:28 +0100
committer Colin Watson <cjwatson@debian.org> 2018-04-03 08:20:28 +0100
commit ed6ae9c1a014a08ff5db3d768f01f2e427eeb476
tree 601025e307745d351946c01ab13f419ddb6dae29 /sshd_config.0
parent 62f54f20bf351468e0124f63cc2902ee40d9b0e9
parent a0349a1cc4a18967ad1dbff5389bcdf9da098814
Import openssh_7.7p1.orig.tar.gz
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- sshd_config.0 76
1 files changed, 50 insertions, 26 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 678ee14b4..95c17fc8d 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -6,9 +6,10 @@ NAME
6DESCRIPTION 6DESCRIPTION
7 sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file 7 sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
8 specified with -f on the command line). The file contains keyword- 8 specified with -f on the command line). The file contains keyword-
9 argument pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines 9 argument pairs, one per line. For each keyword, the first obtained value
10 are interpreted as comments. Arguments may optionally be enclosed in 10 will be used. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as
11 double quotes (") in order to represent arguments containing spaces. 11 comments. Arguments may optionally be enclosed in double quotes (") in
12 order to represent arguments containing spaces.
12 13
13 The possible keywords and their meanings are as follows (note that 14 The possible keywords and their meanings are as follows (note that
14 keywords are case-insensitive and arguments are case-sensitive): 15 keywords are case-insensitive and arguments are case-sensitive):
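Review bot: The new sentence on lines 9-10, "For each keyword, the first obtained value will be used", is stated without exception, yet the ListenAddress entry later in this same file says "Multiple ListenAddress options are permitted". Suggest qualifying it ("Unless noted otherwise, ...") and spelling out the consequence for administrators: a stricter setting placed below an earlier occurrence of the same keyword has no effect.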
@@ -422,9 +423,8 @@ DESCRIPTION
422 423
423 HostKey 424 HostKey
424 Specifies a file containing a private host key used by SSH. The 425 Specifies a file containing a private host key used by SSH. The
425 defaults are /etc/ssh/ssh_host_dsa_key, 426 defaults are /etc/ssh/ssh_host_ecdsa_key,
426 /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and 427 /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key.
427 /etc/ssh/ssh_host_rsa_key.
428 428
429 Note that sshd(8) will refuse to use a file if it is group/world- 429 Note that sshd(8) will refuse to use a file if it is group/world-
430 accessible and that the HostKeyAlgorithms option restricts which 430 accessible and that the HostKeyAlgorithms option restricts which
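Review bot: The HostKey defaults on new lines 426-427 drop /etc/ssh/ssh_host_dsa_key without any note in the entry, so a reader comparing against the old text cannot tell what happens to an existing DSA host key. Suggest one sentence stating whether a DSA key can still be loaded by naming it explicitly with HostKey, since the set of host keys a server offers changes with this default.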
@@ -465,8 +465,9 @@ DESCRIPTION
465 465
466 IgnoreUserKnownHosts 466 IgnoreUserKnownHosts
467 Specifies whether sshd(8) should ignore the user's 467 Specifies whether sshd(8) should ignore the user's
468 ~/.ssh/known_hosts during HostbasedAuthentication. The default 468 ~/.ssh/known_hosts during HostbasedAuthentication and use only
469 is no. 469 the system-wide known hosts file /etc/ssh/known_hosts. The
470 default is no.
470 471
471 IPQoS Specifies the IPv4 type-of-service or DSCP class for the 472 IPQoS Specifies the IPv4 type-of-service or DSCP class for the
472 connection. Accepted values are af11, af12, af13, af21, af22, 473 connection. Accepted values are af11, af12, af13, af21, af22,
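Review bot: New line 469 names the system-wide known hosts file as /etc/ssh/known_hosts; please confirm this path against the FILES section of sshd(8) before it ships. With IgnoreUserKnownHosts set to yes this file becomes the only source of trusted host keys for HostbasedAuthentication, so a wrong path in the manual leads administrators to populate a file the server never reads.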
@@ -521,6 +522,9 @@ DESCRIPTION
521 curve25519-sha256@libssh.org 522 curve25519-sha256@libssh.org
522 diffie-hellman-group1-sha1 523 diffie-hellman-group1-sha1
523 diffie-hellman-group14-sha1 524 diffie-hellman-group14-sha1
525 diffie-hellman-group14-sha256
526 diffie-hellman-group16-sha512
527 diffie-hellman-group18-sha512
524 diffie-hellman-group-exchange-sha1 528 diffie-hellman-group-exchange-sha1
525 diffie-hellman-group-exchange-sha256 529 diffie-hellman-group-exchange-sha256
526 ecdh-sha2-nistp256 530 ecdh-sha2-nistp256
@@ -532,7 +536,8 @@ DESCRIPTION
532 curve25519-sha256,curve25519-sha256@libssh.org, 536 curve25519-sha256,curve25519-sha256@libssh.org,
533 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 537 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
534 diffie-hellman-group-exchange-sha256, 538 diffie-hellman-group-exchange-sha256,
535 diffie-hellman-group14-sha1 539 diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
540 diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
536 541
537 The list of available key exchange algorithms may also be 542 The list of available key exchange algorithms may also be
538 obtained using "ssh -Q kex". 543 obtained using "ssh -Q kex".
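Review bot: On new line 540 the default list gains diffie-hellman-group14-sha256 but still ends with diffie-hellman-group14-sha1, now the only SHA-1 method left in the default set, and the text gives no reason for keeping it. Suggest a sentence saying whether it is retained for compatibility with older clients, so readers tightening KexAlgorithms know it is a candidate for removal.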
@@ -541,13 +546,18 @@ DESCRIPTION
541 Specifies the local addresses sshd(8) should listen on. The 546 Specifies the local addresses sshd(8) should listen on. The
542 following forms may be used: 547 following forms may be used:
543 548
544 ListenAddress host|IPv4_addr|IPv6_addr 549 ListenAddress hostname|address [rdomain domain]
545 ListenAddress host|IPv4_addr:port 550 ListenAddress hostname:port [rdomain domain]
546 ListenAddress [host|IPv6_addr]:port 551 ListenAddress IPv4_address:port [rdomain domain]
552 ListenAddress [hostname|address]:port [rdomain domain]
547 553
548 If port is not specified, sshd will listen on the address and all 554 The optional rdomain qualifier requests sshd(8) listen in an
549 Port options specified. The default is to listen on all local 555 explicit routing domain. If port is not specified, sshd will
550 addresses. Multiple ListenAddress options are permitted. 556 listen on the address and all Port options specified. The
557 default is to listen on all local addresses on the current
558 default routing domain. Multiple ListenAddress options are
559 permitted. For more information on routing domains, see
560 rdomain(4).
551 561
552 LoginGraceTime 562 LoginGraceTime
553 The server disconnects after this time if the user has not 563 The server disconnects after this time if the user has not
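Review bot: The rdomain qualifier introduced on new lines 549-556 is documented only for the success case; the text does not say what sshd(8) does when the named routing domain does not exist or the platform has no rdomain(4). Suggest stating the failure behaviour (refuse to start, or skip the address), because a listener that silently ends up in the default routing domain is exposed on a network the administrator meant to exclude. Minor: line 555 says "sshd will listen" where the rest of the entry uses sshd(8).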
@@ -612,10 +622,13 @@ DESCRIPTION
612 622
613 The arguments to Match are one or more criteria-pattern pairs or 623 The arguments to Match are one or more criteria-pattern pairs or
614 the single token All which matches all criteria. The available 624 the single token All which matches all criteria. The available
615 criteria are User, Group, Host, LocalAddress, LocalPort, and 625 criteria are User, Group, Host, LocalAddress, LocalPort, RDomain,
616 Address. The match patterns may consist of single entries or 626 and Address (with RDomain representing the rdomain(4) on which
617 comma-separated lists and may use the wildcard and negation 627 the connection was received.)
618 operators described in the PATTERNS section of ssh_config(5). 628
629 The match patterns may consist of single entries or comma-
630 separated lists and may use the wildcard and negation operators
631 described in the PATTERNS section of ssh_config(5).
619 632
620 The patterns in an Address criteria may additionally contain 633 The patterns in an Address criteria may additionally contain
621 addresses to match in CIDR address/masklen format, such as 634 addresses to match in CIDR address/masklen format, such as
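Review bot: The parenthetical on new lines 626-627 ends with "was received.)", which puts the sentence's full stop inside the closing parenthesis and leaves the sentence itself unterminated. Suggest "... on which the connection was received)." The criteria list is also getting long enough that the explanation of RDomain would read better as its own sentence after the list.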
@@ -640,7 +653,7 @@ DESCRIPTION
640 MaxAuthTries, MaxSessions, PasswordAuthentication, 653 MaxAuthTries, MaxSessions, PasswordAuthentication,
641 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, 654 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY,
642 PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, 655 PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes,
643 PubkeyAuthentication, RekeyLimit, RevokedKeys, 656 PubkeyAuthentication, RekeyLimit, RevokedKeys, RDomain,
644 StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, 657 StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys,
645 X11DisplayOffset, X11Forwarding and X11UseLocalHost. 658 X11DisplayOffset, X11Forwarding and X11UseLocalHost.
646 659
@@ -700,12 +713,12 @@ DESCRIPTION
700 713
701 PermitRootLogin 714 PermitRootLogin
702 Specifies whether root can log in using ssh(1). The argument 715 Specifies whether root can log in using ssh(1). The argument
703 must be yes, prohibit-password, without-password, 716 must be yes, prohibit-password, forced-commands-only, or no. The
704 forced-commands-only, or no. The default is prohibit-password. 717 default is prohibit-password.
705 718
706 If this option is set to prohibit-password or without-password, 719 If this option is set to prohibit-password (or its deprecated
707 password and keyboard-interactive authentication are disabled for 720 alias, without-password), password and keyboard-interactive
708 root. 721 authentication are disabled for root.
709 722
710 If this option is set to forced-commands-only, root login with 723 If this option is set to forced-commands-only, root login with
711 public key authentication will be allowed, but only if the 724 public key authentication will be allowed, but only if the
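Review bot: New lines 716-717 say the argument "must be yes, prohibit-password, forced-commands-only, or no", but the next paragraph (lines 719-720) still accepts without-password as a deprecated alias, so the two statements disagree. Suggest either softening "must be" or mentioning the alias in the first sentence, so that existing configurations using without-password are not read as invalid.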
@@ -807,6 +820,13 @@ DESCRIPTION
807 ssh-keygen(1). For more information on KRLs, see the KEY 820 ssh-keygen(1). For more information on KRLs, see the KEY
808 REVOCATION LISTS section in ssh-keygen(1). 821 REVOCATION LISTS section in ssh-keygen(1).
809 822
823 RDomain
824 Specifies an explicit routing domain that is applied after
825 authentication has completed. The user session, as well and any
826 forwarded or listening IP sockets, will be bound to this
827 rdomain(4). If the routing domain is set to %D, then the domain
828 in which the incoming connection was received will be applied.
829
810 StreamLocalBindMask 830 StreamLocalBindMask
811 Sets the octal file creation mode mask (umask) used when creating 831 Sets the octal file creation mode mask (umask) used when creating
812 a Unix-domain socket file for local or remote port forwarding. 832 a Unix-domain socket file for local or remote port forwarding.
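Review bot: Typo on new line 825: "as well and any forwarded or listening IP sockets" should read "as well as any forwarded or listening IP sockets". The entry also does not say what the default is when RDomain is unset; one sentence on that would match the other keyword entries.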
@@ -980,6 +1000,8 @@ TOKENS
980 runtime: 1000 runtime:
981 1001
982 %% A literal M-bM-^@M-^X%M-bM-^@M-^Y. 1002 %% A literal M-bM-^@M-^X%M-bM-^@M-^Y.
1003 %D The routing domain in which the incoming connection was
1004 received.
983 %F The fingerprint of the CA key. 1005 %F The fingerprint of the CA key.
984 %f The fingerprint of the key or certificate. 1006 %f The fingerprint of the key or certificate.
985 %h The home directory of the user. 1007 %h The home directory of the user.
@@ -1002,6 +1024,8 @@ TOKENS
1002 1024
1003 ChrootDirectory accepts the tokens %%, %h, and %u. 1025 ChrootDirectory accepts the tokens %%, %h, and %u.
1004 1026
1027 RoutingDomain accepts the token %D.
1028
1005FILES 1029FILES
1006 /etc/ssh/sshd_config 1030 /etc/ssh/sshd_config
1007 Contains configuration data for sshd(8). This file should be 1031 Contains configuration data for sshd(8). This file should be
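Review bot: New line 1027 reads "RoutingDomain accepts the token %D.", but the keyword this patch documents everywhere else (the keyword entry at line 823 and the Match list at line 656) is RDomain. Suggest changing it to "RDomain accepts the token %D." so that a reader does not try a keyword name that the rest of the page never defines.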
@@ -1019,4 +1043,4 @@ AUTHORS
1019 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 1043 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
1020 for privilege separation. 1044 for privilege separation.
1021 1045
1022OpenBSD 6.2 September 27, 2017 OpenBSD 6.2 1046OpenBSD 6.2 February 16, 2018 OpenBSD 6.2