Debian release 3.6p1-1.

1 files changed, 238 insertions, 239 deletions

diff --git a/sshd_config.0 b/sshd_config.0
index a4e31be0f..e234efdb4 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -1,445 +1,444 @@
-SSHD_CONFIG(5)            System File Formats Manual            SSHD_CONFIG(5)
+SSHD_CONFIG(5)              BSD File Formats Manual             SSHD_CONFIG(5)
 
-NAME
-     sshd_config - OpenSSH SSH daemon configuration file
+^[[1mNAME^[[0m
+     ^[[1msshd_config ^[[22mM-bMM-^R OpenSSH SSH daemon configuration file
 
-SYNOPSIS
-     /etc/ssh/sshd_config
+^[[1mSYNOPSIS^[[0m
+     ^[[4m/etc/ssh/sshd_config^[[0m
 
-DESCRIPTION
-     sshd reads configuration data from /etc/ssh/sshd_config (or the file
-     specified with -f on the command line).  The file contains keyword-arguM--
-     ment pairs, one per line.  Lines starting with `#' and empty lines are
+^[[1mDESCRIPTION^[[0m
+     ^[[1msshd ^[[22mreads configuration data from ^[[4m/etc/ssh/sshd_config^[[24m (or the file
+     specified with ^[[1mM-bMM-^Rf ^[[22mon the command line).  The file contains keywordM-bM-^@M-^ParguM-bM-^@M-^P
+     ment pairs, one per line.  Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are
      interpreted as comments.
 
-     The possible keywords and their meanings are as follows (note that keyM--
-     words are case-insensitive and arguments are case-sensitive):
+     The possible keywords and their meanings are as follows (note that keyM-bM-^@M-^P
+     words are caseM-bM-^@M-^Pinsensitive and arguments are caseM-bM-^@M-^Psensitive):
 
-     AFSTokenPassing
+     ^[[1mAFSTokenPassing^[[0m
              Specifies whether an AFS token may be forwarded to the server.
-             Default is ``no''.
+             Default is M-bM-^@M-^\noM-bM-^@M-^].
 
-     AllowGroups
+     ^[[1mAllowGroups^[[0m
              This keyword can be followed by a list of group name patterns,
              separated by spaces.  If specified, login is allowed only for
              users whose primary group or supplementary group list matches one
-             of the patterns.  `*' and `'?  can be used as wildcards in the
+             of the patterns.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be used as wildcards in the
              patterns.  Only group names are valid; a numerical group ID is
              not recognized.  By default, login is allowed for all groups.
 
-     AllowTcpForwarding
+     ^[[1mAllowTcpForwarding^[[0m
              Specifies whether TCP forwarding is permitted.  The default is
-             ``yes''.  Note that disabling TCP forwarding does not improve
-             security unless users are also denied shell access, as they can
+             M-bM-^@M-^\yesM-bM-^@M-^].  Note that disabling TCP forwarding does not improve secuM-bM-^@M-^P
+             rity unless users are also denied shell access, as they can
              always install their own forwarders.
 
-     AllowUsers
+     ^[[1mAllowUsers^[[0m
              This keyword can be followed by a list of user name patterns,
              separated by spaces.  If specified, login is allowed only for
-             users names that match one of the patterns.  `*' and `'?  can be
+             user names that match one of the patterns.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be
              used as wildcards in the patterns.  Only user names are valid; a
              numerical user ID is not recognized.  By default, login is
              allowed for all users.  If the pattern takes the form USER@HOST
              then USER and HOST are separately checked, restricting logins to
              particular users from particular hosts.
 
-     AuthorizedKeysFile
+     ^[[1mAuthorizedKeysFile^[[0m
              Specifies the file that contains the public keys that can be used
-             for user authentication.  AuthorizedKeysFile may contain tokens
-             of the form %T which are substituted during connection set-up.
+             for user authentication.  ^[[1mAuthorizedKeysFile ^[[22mmay contain tokens
+             of the form %T which are substituted during connection setM-bM-^@M-^Pup.
              The following tokens are defined: %% is replaced by a literal
-             '%', %h is replaced by the home directory of the user being
+             M-bM-^@M-^Y%M-bM-^@M-^Y, %h is replaced by the home directory of the user being
              authenticated and %u is replaced by the username of that user.
-             After expansion, AuthorizedKeysFile is taken to be an absolute
-             path or one relative to the user's home directory.  The default
-             is ``.ssh/authorized_keys''.
+             After expansion, ^[[1mAuthorizedKeysFile ^[[22mis taken to be an absolute
+             path or one relative to the userM-bM-^@M-^Ys home directory.  The default
+             is M-bM-^@M-^\.ssh/authorized_keysM-bM-^@M-^].
 
-     Banner  In some jurisdictions, sending a warning message before authentiM--
-             cation may be relevant for getting legal protection.  The conM--
+     ^[[1mBanner  ^[[22mIn some jurisdictions, sending a warning message before authentiM-bM-^@M-^P
+             cation may be relevant for getting legal protection.  The conM-bM-^@M-^P
              tents of the specified file are sent to the remote user before
              authentication is allowed.  This option is only available for
              protocol version 2.  By default, no banner is displayed.
 
-     ChallengeResponseAuthentication
+     ^[[1mChallengeResponseAuthentication^[[0m
              Specifies whether challenge response authentication is allowed.
              All authentication styles from login.conf(5) are supported.  The
-             default is ``yes''.
+             default is M-bM-^@M-^\yesM-bM-^@M-^].
 
-     Ciphers
+     ^[[1mCiphers^[[0m
              Specifies the ciphers allowed for protocol version 2.  Multiple
-             ciphers must be comma-separated.  The default is
+             ciphers must be commaM-bM-^@M-^Pseparated.  The default is
 
-               ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
-                 aes192-cbc,aes256-cbc''
+               M-bM-^@M-^XM-bM-^@M-^Xaes128M-bM-^@M-^Pcbc,3desM-bM-^@M-^Pcbc,blowfishM-bM-^@M-^Pcbc,cast128M-bM-^@M-^Pcbc,arcfour,
+                 aes192M-bM-^@M-^Pcbc,aes256M-bM-^@M-^PcbcM-bM-^@M-^YM-bM-^@M-^Y
 
-     ClientAliveInterval
+     ^[[1mClientAliveInterval^[[0m
              Sets a timeout interval in seconds after which if no data has
-             been received from the client, sshd will send a message through
+             been received from the client, ^[[1msshd ^[[22mwill send a message through
              the encrypted channel to request a response from the client.  The
              default is 0, indicating that these messages will not be sent to
              the client.  This option applies to protocol version 2 only.
 
-     ClientAliveCountMax
+     ^[[1mClientAliveCountMax^[[0m
              Sets the number of client alive messages (see above) which may be
-             sent without sshd receiving any messages back from the client. If
+             sent without ^[[1msshd ^[[22mreceiving any messages back from the client. If
              this threshold is reached while client alive messages are being
-             sent, sshd will disconnect the client, terminating the session.
+             sent, ^[[1msshd ^[[22mwill disconnect the client, terminating the session.
              It is important to note that the use of client alive messages is
-             very different from KeepAlive (below). The client alive messages
+             very different from ^[[1mKeepAlive ^[[22m(below). The client alive messages
              are sent through the encrypted channel and therefore will not be
-             spoofable. The TCP keepalive option enabled by KeepAlive is
+             spoofable. The TCP keepalive option enabled by ^[[1mKeepAlive ^[[22mis
              spoofable. The client alive mechanism is valuable when the client
-             or server depend on knowing when a connection has become inacM--
+             or server depend on knowing when a connection has become inacM-bM-^@M-^P
              tive.
 
-             The default value is 3. If ClientAliveInterval (above) is set to
-             15, and ClientAliveCountMax is left at the default, unresponsive
+             The default value is 3. If ^[[1mClientAliveInterval ^[[22m(above) is set to
+             15, and ^[[1mClientAliveCountMax ^[[22mis left at the default, unresponsive
              ssh clients will be disconnected after approximately 45 seconds.
 
-     Compression
+     ^[[1mCompression^[[0m
              Specifies whether compression is allowed.  The argument must be
-             ``yes'' or ``no''.  The default is ``yes''.
+             M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\yesM-bM-^@M-^].
 
-     DenyGroups
+     ^[[1mDenyGroups^[[0m
              This keyword can be followed by a list of group name patterns,
              separated by spaces.  Login is disallowed for users whose primary
              group or supplementary group list matches one of the patterns.
-             `*' and `'?  can be used as wildcards in the patterns.  Only
+             M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be used as wildcards in the patterns.  Only
              group names are valid; a numerical group ID is not recognized.
              By default, login is allowed for all groups.
 
-     DenyUsers
+     ^[[1mDenyUsers^[[0m
              This keyword can be followed by a list of user name patterns,
              separated by spaces.  Login is disallowed for user names that
-             match one of the patterns.  `*' and `'?  can be used as wildcards
+             match one of the patterns.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be used as wildcards
              in the patterns.  Only user names are valid; a numerical user ID
              is not recognized.  By default, login is allowed for all users.
              If the pattern takes the form USER@HOST then USER and HOST are
              separately checked, restricting logins to particular users from
              particular hosts.
 
-     GatewayPorts
+     ^[[1mGatewayPorts^[[0m
              Specifies whether remote hosts are allowed to connect to ports
-             forwarded for the client.  By default, sshd binds remote port
+             forwarded for the client.  By default, ^[[1msshd ^[[22mbinds remote port
              forwardings to the loopback address.  This prevents other remote
-             hosts from connecting to forwarded ports.  GatewayPorts can be
-             used to specify that sshd should bind remote port forwardings to
+             hosts from connecting to forwarded ports.  ^[[1mGatewayPorts ^[[22mcan be
+             used to specify that ^[[1msshd ^[[22mshould bind remote port forwardings to
              the wildcard address, thus allowing remote hosts to connect to
-             forwarded ports.  The argument must be ``yes'' or ``no''.  The
-             default is ``no''.
+             forwarded ports.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The
+             default is M-bM-^@M-^\noM-bM-^@M-^].
 
-     HostbasedAuthentication
+     ^[[1mHostbasedAuthentication^[[0m
              Specifies whether rhosts or /etc/hosts.equiv authentication
              together with successful public key client host authentication is
              allowed (hostbased authentication).  This option is similar to
-             RhostsRSAAuthentication and applies to protocol version 2 only.
-             The default is ``no''.
+             ^[[1mRhostsRSAAuthentication ^[[22mand applies to protocol version 2 only.
+             The default is M-bM-^@M-^\noM-bM-^@M-^].
 
-     HostKey
+     ^[[1mHostKey^[[0m
              Specifies a file containing a private host key used by SSH.  The
-             default is /etc/ssh/ssh_host_key for protocol version 1, and
-             /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for proM--
-             tocol version 2.  Note that sshd will refuse to use a file if it
-             is group/world-accessible.  It is possible to have multiple host
-             key files.  ``rsa1'' keys are used for version 1 and ``dsa'' or
-             ``rsa'' are used for version 2 of the SSH protocol.
-
-     IgnoreRhosts
-             Specifies that .rhosts and .shosts files will not be used in
-             RhostsAuthentication, RhostsRSAAuthentication or
-             HostbasedAuthentication.
-
-             /etc/hosts.equiv and /etc/shosts.equiv are still used.  The
-             default is ``yes''.
-
-     IgnoreUserKnownHosts
-             Specifies whether sshd should ignore the user's
-             $HOME/.ssh/known_hosts during RhostsRSAAuthentication or
-             HostbasedAuthentication.  The default is ``no''.
-
-     KeepAlive
+             default is ^[[4m/etc/ssh/ssh_host_key^[[24m for protocol version 1, and
+             ^[[4m/etc/ssh/ssh_host_rsa_key^[[24m and ^[[4m/etc/ssh/ssh_host_dsa_key^[[24m for proM-bM-^@M-^P
+             tocol version 2.  Note that ^[[1msshd ^[[22mwill refuse to use a file if it
+             is group/worldM-bM-^@M-^Paccessible.  It is possible to have multiple host
+             key files.  M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^]
+             are used for version 2 of the SSH protocol.
+
+     ^[[1mIgnoreRhosts^[[0m
+             Specifies that ^[[4m.rhosts^[[24m and ^[[4m.shosts^[[24m files will not be used in
+             ^[[1mRhostsAuthentication^[[22m, ^[[1mRhostsRSAAuthentication ^[[22mor
+             ^[[1mHostbasedAuthentication^[[22m.
+
+             ^[[4m/etc/hosts.equiv^[[24m and ^[[4m/etc/shosts.equiv^[[24m are still used.  The
+             default is M-bM-^@M-^\yesM-bM-^@M-^].
+
+     ^[[1mIgnoreUserKnownHosts^[[0m
+             Specifies whether ^[[1msshd ^[[22mshould ignore the userM-bM-^@M-^Ys
+             ^[[4m$HOME/.ssh/known_hosts^[[24m during ^[[1mRhostsRSAAuthentication ^[[22mor
+             ^[[1mHostbasedAuthentication^[[22m.  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
+     ^[[1mKeepAlive^[[0m
              Specifies whether the system should send TCP keepalive messages
              to the other side.  If they are sent, death of the connection or
              crash of one of the machines will be properly noticed.  However,
-             this means that connections will die if the route is down temM--
+             this means that connections will die if the route is down temM-bM-^@M-^P
              porarily, and some people find it annoying.  On the other hand,
              if keepalives are not sent, sessions may hang indefinitely on the
-             server, leaving ``ghost'' users and consuming server resources.
+             server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming server resources.
 
-             The default is ``yes'' (to send keepalives), and the server will
+             The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the server will
              notice if the network goes down or the client host crashes.  This
              avoids infinitely hanging sessions.
 
-             To disable keepalives, the value should be set to ``no''.
+             To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^].
 
-     KerberosAuthentication
+     ^[[1mKerberosAuthentication^[[0m
              Specifies whether Kerberos authentication is allowed.  This can
-             be in the form of a Kerberos ticket, or if PasswordAuthentication
+             be in the form of a Kerberos ticket, or if ^[[1mPasswordAuthentication^[[0m
              is yes, the password provided by the user will be validated
              through the Kerberos KDC.  To use this option, the server needs a
-             Kerberos servtab which allows the verification of the KDC's idenM--
-             tity.  Default is ``no''.
+             Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys idenM-bM-^@M-^P
+             tity.  Default is M-bM-^@M-^\noM-bM-^@M-^].
 
-     KerberosOrLocalPasswd
+     ^[[1mKerberosOrLocalPasswd^[[0m
              If set then if password authentication through Kerberos fails
              then the password will be validated via any additional local
-             mechanism such as /etc/passwd.  Default is ``yes''.
+             mechanism such as ^[[4m/etc/passwd^[[24m.  Default is M-bM-^@M-^\yesM-bM-^@M-^].
 
-     KerberosTgtPassing
+     ^[[1mKerberosTgtPassing^[[0m
              Specifies whether a Kerberos TGT may be forwarded to the server.
-             Default is ``no'', as this only works when the Kerberos KDC is
+             Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is
              actually an AFS kaserver.
 
-     KerberosTicketCleanup
-             Specifies whether to automatically destroy the user's ticket
-             cache file on logout.  Default is ``yes''.
+     ^[[1mKerberosTicketCleanup^[[0m
+             Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket
+             cache file on logout.  Default is M-bM-^@M-^\yesM-bM-^@M-^].
 
-     KeyRegenerationInterval
+     ^[[1mKeyRegenerationInterval^[[0m
              In protocol version 1, the ephemeral server key is automatically
              regenerated after this many seconds (if it has been used).  The
-             purpose of regeneration is to prevent decrypting captured sesM--
+             purpose of regeneration is to prevent decrypting captured sesM-bM-^@M-^P
              sions by later breaking into the machine and stealing the keys.
              The key is never stored anywhere.  If the value is 0, the key is
              never regenerated.  The default is 3600 (seconds).
 
-     ListenAddress
-             Specifies the local addresses sshd should listen on.  The followM--
+     ^[[1mListenAddress^[[0m
+             Specifies the local addresses ^[[1msshd ^[[22mshould listen on.  The followM-bM-^@M-^P
              ing forms may be used:
 
-                   ListenAddress host|IPv4_addr|IPv6_addr
-                   ListenAddress host|IPv4_addr:port
-                   ListenAddress [host|IPv6_addr]:port
+                   ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m|^[[4mIPv6_addr^[[0m
+                   ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m:^[[4mport^[[0m
+                   ^[[1mListenAddress ^[[22m[^[[4mhost^[[24m|^[[4mIPv6_addr^[[24m]:^[[4mport^[[0m
 
-             If port is not specified, sshd will listen on the address and all
-             prior Port options specified. The default is to listen on all
-             local addresses.  Multiple ListenAddress options are permitted.
-             Additionally, any Port options must precede this option for non
+             If ^[[4mport^[[24m is not specified, ^[[1msshd ^[[22mwill listen on the address and all
+             prior ^[[1mPort ^[[22moptions specified. The default is to listen on all
+             local addresses.  Multiple ^[[1mListenAddress ^[[22moptions are permitted.
+             Additionally, any ^[[1mPort ^[[22moptions must precede this option for non
              port qualified addresses.
 
-     LoginGraceTime
-             The server disconnects after this time if the user has not sucM--
+     ^[[1mLoginGraceTime^[[0m
+             The server disconnects after this time if the user has not sucM-bM-^@M-^P
              cessfully logged in.  If the value is 0, there is no time limit.
              The default is 120 seconds.
 
-     LogLevel
+     ^[[1mLogLevel^[[0m
              Gives the verbosity level that is used when logging messages from
-             sshd.  The possible values are: QUIET, FATAL, ERROR, INFO, VERM--
+             ^[[1msshd^[[22m.  The possible values are: QUIET, FATAL, ERROR, INFO, VERM-bM-^@M-^P
              BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.  The default is INFO.
              DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
              higher levels of debugging output.  Logging with a DEBUG level
              violates the privacy of users and is not recommended.
 
-     MACs    Specifies the available MAC (message authentication code) algoM--
+     ^[[1mMACs    ^[[22mSpecifies the available MAC (message authentication code) algoM-bM-^@M-^P
              rithms.  The MAC algorithm is used in protocol version 2 for data
-             integrity protection.  Multiple algorithms must be comma-sepaM--
+             integrity protection.  Multiple algorithms must be commaM-bM-^@M-^PsepaM-bM-^@M-^P
              rated.  The default is
-             ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.
+             M-bM-^@M-^\hmacM-bM-^@M-^Pmd5,hmacM-bM-^@M-^Psha1,hmacM-bM-^@M-^Pripemd160,hmacM-bM-^@M-^Psha1M-bM-^@M-^P96,hmacM-bM-^@M-^Pmd5M-bM-^@M-^P96M-bM-^@M-^].
 
-     MaxStartups
-             Specifies the maximum number of concurrent unauthenticated conM--
-             nections to the sshd daemon.  Additional connections will be
-             dropped until authentication succeeds or the LoginGraceTime
+     ^[[1mMaxStartups^[[0m
+             Specifies the maximum number of concurrent unauthenticated conM-bM-^@M-^P
+             nections to the ^[[1msshd ^[[22mdaemon.  Additional connections will be
+             dropped until authentication succeeds or the ^[[1mLoginGraceTime^[[0m
              expires for a connection.  The default is 10.
 
              Alternatively, random early drop can be enabled by specifying the
-             three colon separated values ``start:rate:full'' (e.g.,
-             "10:30:60").  sshd will refuse connection attempts with a probaM--
-             bility of ``rate/100'' (30%) if there are currently ``start''
-             (10) unauthenticated connections.  The probability increases linM--
-             early and all connection attempts are refused if the number of
-             unauthenticated connections reaches ``full'' (60).
-
-     PAMAuthenticationViaKbdInt
+             three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g.,
+             "10:30:60").  ^[[1msshd ^[[22mwill refuse connection attempts with a probaM-bM-^@M-^P
+             bility of M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10)
+             unauthenticated connections.  The probability increases linearly
+             and all connection attempts are refused if the number of unauM-bM-^@M-^P
+             thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60).
+
+     ^[[1mPAMAuthenticationViaKbdInt^[[0m
              Specifies whether PAM challenge response authentication is
              allowed. This allows the use of most PAM challenge response
              authentication modules, but it will allow password authentication
-             regardless of whether PasswordAuthentication is enabled.
+             regardless of whether ^[[1mPasswordAuthentication ^[[22mis enabled.
 
-     PasswordAuthentication
+     ^[[1mPasswordAuthentication^[[0m
              Specifies whether password authentication is allowed.  The
-             default is ``yes''.
+             default is M-bM-^@M-^\yesM-bM-^@M-^].
 
-     PermitEmptyPasswords
+     ^[[1mPermitEmptyPasswords^[[0m
              When password authentication is allowed, it specifies whether the
              server allows login to accounts with empty password strings.  The
-             default is ``no''.
+             default is M-bM-^@M-^\noM-bM-^@M-^].
 
-     PermitRootLogin
+     ^[[1mPermitRootLogin^[[0m
              Specifies whether root can login using ssh(1).  The argument must
-             be ``yes'', ``without-password'', ``forced-commands-only'' or
-             ``no''.  The default is ``yes''.
+             be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^], M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].
+             The default is M-bM-^@M-^\yesM-bM-^@M-^].
 
-             If this option is set to ``without-password'' password authentiM--
-             cation is disabled for root.
+             If this option is set to M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^] password authenticaM-bM-^@M-^P
+             tion is disabled for root.
 
-             If this option is set to ``forced-commands-only'' root login with
+             If this option is set to M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] root login with
              public key authentication will be allowed, but only if the
-             command option has been specified (which may be useful for taking
+             ^[[4mcommand^[[24m option has been specified (which may be useful for taking
              remote backups even if root login is normally not allowed). All
              other authentication methods are disabled for root.
 
-             If this option is set to ``no'' root is not allowed to login.
+             If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login.
 
-     PermitUserEnvironment
-             Specifies whether ~/.ssh/environment and environment= options in
-             ~/.ssh/authorized_keys are processed by sshd.  The default is
-             ``no''.  Enabling environment processing may enable users to
-             bypass access restrictions in some configurations using mechaM--
-             nisms such as LD_PRELOAD.
+     ^[[1mPermitUserEnvironment^[[0m
+             Specifies whether ^[[4m~/.ssh/environment^[[24m and ^[[1menvironment= ^[[22moptions in
+             ^[[4m~/.ssh/authorized_keys^[[24m are processed by ^[[1msshd^[[22m.  The default is
+             M-bM-^@M-^\noM-bM-^@M-^].  Enabling environment processing may enable users to bypass
+             access restrictions in some configurations using mechanisms such
+             as LD_PRELOAD.
 
-     PidFile
-             Specifies the file that contains the process ID of the sshd daeM--
-             mon.  The default is /var/run/sshd.pid.
+     ^[[1mPidFile^[[0m
+             Specifies the file that contains the process ID of the ^[[1msshd ^[[22mdaeM-bM-^@M-^P
+             mon.  The default is ^[[4m/var/run/sshd.pid^[[24m.
 
-     Port    Specifies the port number that sshd listens on.  The default is
+     ^[[1mPort    ^[[22mSpecifies the port number that ^[[1msshd ^[[22mlistens on.  The default is
              22.  Multiple options of this type are permitted.  See also
-             ListenAddress.
+             ^[[1mListenAddress^[[22m.
 
-     PrintLastLog
-             Specifies whether sshd should print the date and time when the
-             user last logged in.  The default is ``yes''.
+     ^[[1mPrintLastLog^[[0m
+             Specifies whether ^[[1msshd ^[[22mshould print the date and time when the
+             user last logged in.  The default is M-bM-^@M-^\yesM-bM-^@M-^].
 
-     PrintMotd
-             Specifies whether sshd should print /etc/motd when a user logs in
+     ^[[1mPrintMotd^[[0m
+             Specifies whether ^[[1msshd ^[[22mshould print ^[[4m/etc/motd^[[24m when a user logs in
              interactively.  (On some systems it is also printed by the shell,
-             /etc/profile, or equivalent.)  The default is ``yes''.
+             ^[[4m/etc/profile^[[24m, or equivalent.)  The default is M-bM-^@M-^\yesM-bM-^@M-^].
 
-     Protocol
-             Specifies the protocol versions sshd supports.  The possible valM--
-             ues are ``1'' and ``2''.  Multiple versions must be comma-sepaM--
-             rated.  The default is ``2,1''.  Note that the order of the proM--
-             tocol list does not indicate preference, because the client
-             selects among multiple protocol versions offered by the server.
-             Specifying ``2,1'' is identical to ``1,2''.
+     ^[[1mProtocol^[[0m
+             Specifies the protocol versions ^[[1msshd ^[[22msupports.  The possible valM-bM-^@M-^P
+             ues are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^].  Multiple versions must be commaM-bM-^@M-^Pseparated.
+             The default is M-bM-^@M-^\2,1M-bM-^@M-^].  Note that the order of the protocol list
+             does not indicate preference, because the client selects among
+             multiple protocol versions offered by the server.  Specifying
+             M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^].
 
-     PubkeyAuthentication
+     ^[[1mPubkeyAuthentication^[[0m
              Specifies whether public key authentication is allowed.  The
-             default is ``yes''.  Note that this option applies to protocol
-             version 2 only.
+             default is M-bM-^@M-^\yesM-bM-^@M-^].  Note that this option applies to protocol verM-bM-^@M-^P
+             sion 2 only.
 
-     RhostsAuthentication
+     ^[[1mRhostsAuthentication^[[0m
              Specifies whether authentication using rhosts or /etc/hosts.equiv
-             files is sufficient.  Normally, this method should not be permitM--
-             ted because it is insecure.  RhostsRSAAuthentication should be
-             used instead, because it performs RSA-based host authentication
+             files is sufficient.  Normally, this method should not be permitM-bM-^@M-^P
+             ted because it is insecure.  ^[[1mRhostsRSAAuthentication ^[[22mshould be
+             used instead, because it performs RSAM-bM-^@M-^Pbased host authentication
              in addition to normal rhosts or /etc/hosts.equiv authentication.
-             The default is ``no''.  This option applies to protocol version 1
+             The default is M-bM-^@M-^\noM-bM-^@M-^].  This option applies to protocol version 1
              only.
 
-     RhostsRSAAuthentication
+     ^[[1mRhostsRSAAuthentication^[[0m
              Specifies whether rhosts or /etc/hosts.equiv authentication
              together with successful RSA host authentication is allowed.  The
-             default is ``no''.  This option applies to protocol version 1
-             only.
+             default is M-bM-^@M-^\noM-bM-^@M-^].  This option applies to protocol version 1 only.
 
-     RSAAuthentication
+     ^[[1mRSAAuthentication^[[0m
              Specifies whether pure RSA authentication is allowed.  The
-             default is ``yes''.  This option applies to protocol version 1
+             default is M-bM-^@M-^\yesM-bM-^@M-^].  This option applies to protocol version 1
              only.
 
-     ServerKeyBits
+     ^[[1mServerKeyBits^[[0m
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 768.
 
-     StrictModes
-             Specifies whether sshd should check file modes and ownership of
-             the user's files and home directory before accepting login.  This
+     ^[[1mStrictModes^[[0m
+             Specifies whether ^[[1msshd ^[[22mshould check file modes and ownership of
+             the userM-bM-^@M-^Ys files and home directory before accepting login.  This
              is normally desirable because novices sometimes accidentally
-             leave their directory or files world-writable.  The default is
-             ``yes''.
+             leave their directory or files worldM-bM-^@M-^Pwritable.  The default is
+             M-bM-^@M-^\yesM-bM-^@M-^].
 
-     Subsystem
+     ^[[1mSubsystem^[[0m
              Configures an external subsystem (e.g., file transfer daemon).
              Arguments should be a subsystem name and a command to execute
-             upon subsystem request.  The command sftp-server(8) implements
-             the ``sftp'' file transfer subsystem.  By default no subsystems
-             are defined.  Note that this option applies to protocol version 2
+             upon subsystem request.  The command sftpM-bM-^@M-^Pserver(8) implements
+             the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer subsystem.  By default no subsystems are
+             defined.  Note that this option applies to protocol version 2
              only.
 
-     SyslogFacility
+     ^[[1mSyslogFacility^[[0m
              Gives the facility code that is used when logging messages from
-             sshd.  The possible values are: DAEMON, USER, AUTH, LOCAL0,
+             ^[[1msshd^[[22m.  The possible values are: DAEMON, USER, AUTH, LOCAL0,
              LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
              default is AUTH.
 
-     UseLogin
-             Specifies whether login(1) is used for interactive login sesM--
-             sions.  The default is ``no''.  Note that login(1) is never used
+     ^[[1mUseLogin^[[0m
+             Specifies whether login(1) is used for interactive login sesM-bM-^@M-^P
+             sions.  The default is M-bM-^@M-^\noM-bM-^@M-^].  Note that login(1) is never used
              for remote command execution.  Note also, that if this is
-             enabled, X11Forwarding will be disabled because login(1) does not
-             know how to handle xauth(1) cookies.  If UsePrivilegeSeparation
+             enabled, ^[[1mX11Forwarding ^[[22mwill be disabled because login(1) does not
+             know how to handle xauth(1) cookies.  If ^[[1mUsePrivilegeSeparation^[[0m
              is specified, it will be disabled after authentication.
 
-     UsePrivilegeSeparation
-             Specifies whether sshd separates privileges by creating an
+     ^[[1mUsePrivilegeSeparation^[[0m
+             Specifies whether ^[[1msshd ^[[22mseparates privileges by creating an
              unprivileged child process to deal with incoming network traffic.
              After successful authentication, another process will be created
              that has the privilege of the authenticated user.  The goal of
-             privilege separation is to prevent privilege escalation by conM--
+             privilege separation is to prevent privilege escalation by conM-bM-^@M-^P
              taining any corruption within the unprivileged processes.  The
-             default is ``yes''.
+             default is M-bM-^@M-^\yesM-bM-^@M-^].
 
-     VerifyReverseMapping
-             Specifies whether sshd should try to verify the remote host name
+     ^[[1mVerifyReverseMapping^[[0m
+             Specifies whether ^[[1msshd ^[[22mshould try to verify the remote host name
              and check that the resolved host name for the remote IP address
-             maps back to the very same IP address.  The default is ``no''.
+             maps back to the very same IP address.  The default is M-bM-^@M-^\noM-bM-^@M-^].
 
-     X11DisplayOffset
-             Specifies the first display number available for sshd's X11 forM--
-             warding.  This prevents sshd from interfering with real X11
+     ^[[1mX11DisplayOffset^[[0m
+             Specifies the first display number available for ^[[1msshd^[[22mM-bM-^@M-^Ys X11 forM-bM-^@M-^P
+             warding.  This prevents ^[[1msshd ^[[22mfrom interfering with real X11
              servers.  The default is 10.
 
-     X11Forwarding
+     ^[[1mX11Forwarding^[[0m
              Specifies whether X11 forwarding is permitted.  The argument must
-             be ``yes'' or ``no''.  The default is ``no''.
+             be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
 
              When X11 forwarding is enabled, there may be additional exposure
-             to the server and to client displays if the sshd proxy display is
-             configured to listen on the wildcard address (see X11UseLocalhost
+             to the server and to client displays if the ^[[1msshd ^[[22mproxy display is
+             configured to listen on the wildcard address (see ^[[1mX11UseLocalhost^[[0m
              below), however this is not the default.  Additionally, the
              authentication spoofing and authentication data verification and
              substitution occur on the client side.  The security risk of
-             using X11 forwarding is that the client's X11 display server may
+             using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may
              be exposed to attack when the ssh client requests forwarding (see
-             the warnings for ForwardX11 in ssh_config(5) ). A system adminisM--
+             the warnings for ^[[1mForwardX11 ^[[22min ssh_config(5) ). A system adminisM-bM-^@M-^P
              trator may have a stance in which they want to protect clients
              that may expose themselves to attack by unwittingly requesting
-             X11 forwarding, which can warrant a ``no'' setting.
+             X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting.
 
              Note that disabling X11 forwarding does not prevent users from
              forwarding X11 traffic, as users can always install their own
-             forwarders.  X11 forwarding is automatically disabled if UseLogin
+             forwarders.  X11 forwarding is automatically disabled if ^[[1mUseLogin^[[0m
              is enabled.
 
-     X11UseLocalhost
-             Specifies whether sshd should bind the X11 forwarding server to
+     ^[[1mX11UseLocalhost^[[0m
+             Specifies whether ^[[1msshd ^[[22mshould bind the X11 forwarding server to
              the loopback address or to the wildcard address.  By default,
-             sshd binds the forwarding server to the loopback address and sets
+             ^[[1msshd ^[[22mbinds the forwarding server to the loopback address and sets
              the hostname part of the DISPLAY environment variable to
-             ``localhost''.  This prevents remote hosts from connecting to the
+             M-bM-^@M-^\localhostM-bM-^@M-^].  This prevents remote hosts from connecting to the
              proxy display.  However, some older X11 clients may not function
-             with this configuration.  X11UseLocalhost may be set to ``no'' to
-             specify that the forwarding server should be bound to the wildM--
-             card address.  The argument must be ``yes'' or ``no''.  The
-             default is ``yes''.
+             with this configuration.  ^[[1mX11UseLocalhost ^[[22mmay be set to M-bM-^@M-^\noM-bM-^@M-^] to
+             specify that the forwarding server should be bound to the wildM-bM-^@M-^P
+             card address.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default
+             is M-bM-^@M-^\yesM-bM-^@M-^].
 
-     XAuthLocation
+     ^[[1mXAuthLocation^[[0m
              Specifies the full pathname of the xauth(1) program.  The default
-             is /usr/X11R6/bin/xauth.
+             is ^[[4m/usr/X11R6/bin/xauth^[[24m.
 
-   Time Formats
+   ^[[1mTime Formats^[[0m
 
-     sshd command-line arguments and configuration file options that specify
-     time may be expressed using a sequence of the form: time[qualifier],
-     where time is a positive integer value and qualifier is one of the folM--
+     ^[[1msshd ^[[22mcommandM-bM-^@M-^Pline arguments and configuration file options that specify
+     time may be expressed using a sequence of the form: ^[[4mtime^[[24m[^[[4mqualifier^[[24m],
+     where ^[[4mtime^[[24m is a positive integer value and ^[[4mqualifier^[[24m is one of the folM-bM-^@M-^P
      lowing:
 
-           <none>  seconds
-           s | S   seconds
-           m | M   minutes
-           h | H   hours
-           d | D   days
-           w | W   weeks
+           ^[[1m<none>  ^[[22mseconds
+           ^[[1ms ^[[22m| ^[[1mS   ^[[22mseconds
+           ^[[1mm ^[[22m| ^[[1mM   ^[[22mminutes
+           ^[[1mh ^[[22m| ^[[1mH   ^[[22mhours
+           ^[[1md ^[[22m| ^[[1mD   ^[[22mdays
+           ^[[1mw ^[[22m| ^[[1mW   ^[[22mweeks
 
      Each member of the sequence is added together to calculate the total time
      value.
@@ -450,21 +449,21 @@ DESCRIPTION
            10m     10 minutes
            1h30m   1 hour 30 minutes (90 minutes)
 
-FILES
+^[[1mFILES^[[0m
      /etc/ssh/sshd_config
-             Contains configuration data for sshd.  This file should be
-             writable by root only, but it is recommended (though not necesM--
-             sary) that it be world-readable.
+             Contains configuration data for ^[[1msshd^[[22m.  This file should be
+             writable by root only, but it is recommended (though not necesM-bM-^@M-^P
+             sary) that it be worldM-bM-^@M-^Preadable.
 
-AUTHORS
+^[[1mAUTHORS^[[0m
      OpenSSH is a derivative of the original and free ssh 1.2.12 release by
      Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
-     de Raadt and Dug Song removed many bugs, re-added newer features and creM--
+     de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P
      ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-SEE ALSO
+^[[1mSEE ALSO^[[0m
      sshd(8)
 
 BSD                           September 25, 1999                           BSD