Merge 3.8p1 to the trunk. This builds and runs, but I haven't tested it

extensively yet. ProtocolKeepAlives is now just a compatibility alias for ServerAliveInterval.
author: Colin Watson <cjwatson@debian.org> 2004-03-01 02:25:32 +0000
committer: Colin Watson <cjwatson@debian.org> 2004-03-01 02:25:32 +0000
commit: ea8116a11e3de70036dbc665ccb0d486cf89cac9 (patch)
tree: d73ccdff78d8608e156465af42e6a1b3527fb2d6 /sshd_config.5
parent: e39b311381a5609cc05acf298c42fba196dc524b (diff)
parent: f5bda272678ec6dccaa5f29379cf60cb855018e8 (diff)
1 files changed, 30 insertions, 36 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 727fdb12a..41228248c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.25 2003/09/01 09:50:04 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -156,12 +156,12 @@ If this threshold is reached while client alive messages are being sent,
 will disconnect the client, terminating the session.
 It is important to note that the use of client alive messages is very
 different from
-.Cm KeepAlive
+.Cm TCPKeepAlive
 (below).
 The client alive messages are sent through the encrypted channel
 and therefore will not be spoofable.
 The TCP keepalive option enabled by
-.Cm KeepAlive
+.Cm TCPKeepAlive
 is spoofable.
 The client alive mechanism is valuable when the client or
 server depend on knowing when a connection has become inactive.
@@ -227,7 +227,7 @@ The default is
 .Dq no .
 .It Cm GSSAPIAuthentication
 Specifies whether user authentication based on GSSAPI is allowed.
-The default is 
+The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
 .It Cm GSSAPICleanupCredentials
@@ -292,27 +292,6 @@ or
 .Cm HostbasedAuthentication .
 The default is
 .Dq no .
-.It Cm KeepAlive
-Specifies whether the system should send TCP keepalive messages to the
-other side.
-If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
-However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.
-On the other hand, if keepalives are not sent,
-sessions may hang indefinitely on the server, leaving
-.Dq ghost
-users and consuming server resources.
-.Pp
-The default is
-.Dq yes
-(to send keepalives), and the server will notice
-if the network goes down or the client host crashes.
-This avoids infinitely hanging sessions.
-.Pp
-To disable keepalives, the value should be set to
-.Dq no .
 .It Cm KerberosAuthentication
 Specifies whether the password provided by the user for
 .Cm PasswordAuthentication
@@ -533,13 +512,6 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
-.Cm RhostsRSAAuthentication
-should be used
-instead, because it performs RSA-based host authentication in addition
-to normal rhosts or /etc/hosts.equiv authentication.
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
@@ -580,6 +552,27 @@ Gives the facility code that is used when logging messages from
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm TCPKeepAlive
+Specifies whether the system should send TCP keepalive messages to the
+other side.
+If they are sent, death of the connection or crash of one
+of the machines will be properly noticed.
+However, this means that
+connections will die if the route is down temporarily, and some people
+find it annoying.
+On the other hand, if TCP keepalives are not sent,
+sessions may hang indefinitely on the server, leaving
+.Dq ghost
+users and consuming server resources.
+.Pp
+The default is
+.Dq yes
+(to send TCP keepalive messages), and the server will notice
+if the network goes down or the client host crashes.
+This avoids infinitely hanging sessions.
+.Pp
+To disable TCP keepalive messages, the value should be set to
+.Dq no .
 .It Cm UseDNS
 Specifies whether
 .Nm sshd
@@ -608,12 +601,13 @@ If
 .Cm UsePrivilegeSeparation
 is specified, it will be disabled after authentication.
 .It Cm UsePAM
-Enables PAM authentication (via challenge-response) and session set up. 
+Enables PAM authentication (via challenge-response) and session set up.
-If you enable this, you should probably disable 
+If you enable this, you should probably disable
 .Cm PasswordAuthentication .
-If you enable 
+If you enable
 .CM UsePAM
-then you will not be able to run sshd as a non-root user.
+then you will not be able to run sshd as a non-root user.  The default is
+.Dq no .
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Nm sshd
author	Colin Watson <cjwatson@debian.org>	2004-03-01 02:25:32 +0000
committer	Colin Watson <cjwatson@debian.org>	2004-03-01 02:25:32 +0000
commit	ea8116a11e3de70036dbc665ccb0d486cf89cac9 (patch)
tree	d73ccdff78d8608e156465af42e6a1b3527fb2d6 /sshd_config.5
parent	e39b311381a5609cc05acf298c42fba196dc524b (diff)
parent	f5bda272678ec6dccaa5f29379cf60cb855018e8 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 727fdb12a..41228248c 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.25 2003/09/01 09:50:04 markus Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
@@ -156,12 +156,12 @@ If this threshold is reached while client alive messages are being sent,
156	will disconnect the client, terminating the session.	156	will disconnect the client, terminating the session.
157	It is important to note that the use of client alive messages is very	157	It is important to note that the use of client alive messages is very
158	different from	158	different from
159	.Cm KeepAlive	159	.Cm TCPKeepAlive
160	(below).	160	(below).
161	The client alive messages are sent through the encrypted channel	161	The client alive messages are sent through the encrypted channel
162	and therefore will not be spoofable.	162	and therefore will not be spoofable.
163	The TCP keepalive option enabled by	163	The TCP keepalive option enabled by
164	.Cm KeepAlive	164	.Cm TCPKeepAlive
165	is spoofable.	165	is spoofable.
166	The client alive mechanism is valuable when the client or	166	The client alive mechanism is valuable when the client or
167	server depend on knowing when a connection has become inactive.	167	server depend on knowing when a connection has become inactive.
@@ -227,7 +227,7 @@ The default is
227	.Dq no .	227	.Dq no .
228	.It Cm GSSAPIAuthentication	228	.It Cm GSSAPIAuthentication
229	Specifies whether user authentication based on GSSAPI is allowed.	229	Specifies whether user authentication based on GSSAPI is allowed.
230	The default is	230	The default is
231	.Dq no .	231	.Dq no .
232	Note that this option applies to protocol version 2 only.	232	Note that this option applies to protocol version 2 only.
233	.It Cm GSSAPICleanupCredentials	233	.It Cm GSSAPICleanupCredentials
@@ -292,27 +292,6 @@ or
292	.Cm HostbasedAuthentication .	292	.Cm HostbasedAuthentication .
293	The default is	293	The default is
294	.Dq no .	294	.Dq no .
295	.It Cm KeepAlive
296	Specifies whether the system should send TCP keepalive messages to the
297	other side.
298	If they are sent, death of the connection or crash of one
299	of the machines will be properly noticed.
300	However, this means that
301	connections will die if the route is down temporarily, and some people
302	find it annoying.
303	On the other hand, if keepalives are not sent,
304	sessions may hang indefinitely on the server, leaving
305	.Dq ghost
306	users and consuming server resources.
307	.Pp
308	The default is
309	.Dq yes
310	(to send keepalives), and the server will notice
311	if the network goes down or the client host crashes.
312	This avoids infinitely hanging sessions.
313	.Pp
314	To disable keepalives, the value should be set to
315	.Dq no .
316	.It Cm KerberosAuthentication	295	.It Cm KerberosAuthentication
317	Specifies whether the password provided by the user for	296	Specifies whether the password provided by the user for
318	.Cm PasswordAuthentication	297	.Cm PasswordAuthentication
@@ -533,13 +512,6 @@ Specifies whether public key authentication is allowed.
533	The default is	512	The default is
534	.Dq yes .	513	.Dq yes .
535	Note that this option applies to protocol version 2 only.	514	Note that this option applies to protocol version 2 only.
536	.Cm RhostsRSAAuthentication
537	should be used
538	instead, because it performs RSA-based host authentication in addition
539	to normal rhosts or /etc/hosts.equiv authentication.
540	The default is
541	.Dq no .
542	This option applies to protocol version 1 only.
543	.It Cm RhostsRSAAuthentication	515	.It Cm RhostsRSAAuthentication
544	Specifies whether rhosts or /etc/hosts.equiv authentication together	516	Specifies whether rhosts or /etc/hosts.equiv authentication together
545	with successful RSA host authentication is allowed.	517	with successful RSA host authentication is allowed.
@@ -580,6 +552,27 @@ Gives the facility code that is used when logging messages from
580	The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,	552	The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
581	LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.	553	LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
582	The default is AUTH.	554	The default is AUTH.
		555	.It Cm TCPKeepAlive
		556	Specifies whether the system should send TCP keepalive messages to the
		557	other side.
		558	If they are sent, death of the connection or crash of one
		559	of the machines will be properly noticed.
		560	However, this means that
		561	connections will die if the route is down temporarily, and some people
		562	find it annoying.
		563	On the other hand, if TCP keepalives are not sent,
		564	sessions may hang indefinitely on the server, leaving
		565	.Dq ghost
		566	users and consuming server resources.
		567	.Pp
		568	The default is
		569	.Dq yes
		570	(to send TCP keepalive messages), and the server will notice
		571	if the network goes down or the client host crashes.
		572	This avoids infinitely hanging sessions.
		573	.Pp
		574	To disable TCP keepalive messages, the value should be set to
		575	.Dq no .
583	.It Cm UseDNS	576	.It Cm UseDNS
584	Specifies whether	577	Specifies whether
585	.Nm sshd	578	.Nm sshd
@@ -608,12 +601,13 @@ If
608	.Cm UsePrivilegeSeparation	601	.Cm UsePrivilegeSeparation
609	is specified, it will be disabled after authentication.	602	is specified, it will be disabled after authentication.
610	.It Cm UsePAM	603	.It Cm UsePAM
611	Enables PAM authentication (via challenge-response) and session set up.	604	Enables PAM authentication (via challenge-response) and session set up.
612	If you enable this, you should probably disable	605	If you enable this, you should probably disable
613	.Cm PasswordAuthentication .	606	.Cm PasswordAuthentication .
614	If you enable	607	If you enable
615	.CM UsePAM	608	.CM UsePAM
616	then you will not be able to run sshd as a non-root user.	609	then you will not be able to run sshd as a non-root user. The default is
		610	.Dq no .
617	.It Cm UsePrivilegeSeparation	611	.It Cm UsePrivilegeSeparation
618	Specifies whether	612	Specifies whether
619	.Nm sshd	613	.Nm sshd