upstream commit

add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
author: deraadt@openbsd.org <deraadt@openbsd.org> 2015-08-06 14:53:21 +0000
committer: Damien Miller <djm@mindrot.org> 2015-08-11 18:57:29 +1000
commit: 1dc8d93ce69d6565747eb44446ed117187621b26 (patch)
tree: 68e850b1c037c7d744836000527320d11b143168 /sshd_config.5
parent: 90a95a4745a531b62b81ce3b025e892bdc434de5 (diff)
1 files changed, 7 insertions, 4 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 6eec1f668..58e277f95 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.209 2015/07/30 19:23:02 deraadt Exp $
+.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $
-.Dd $Mdocdate: July 30 2015 $
+.Dd $Mdocdate: August 6 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1204,16 +1204,19 @@ Specifies whether root can log in using
 .Xr ssh 1 .
 The argument must be
 .Dq yes ,
+.Dq prohibit-password ,
 .Dq without-password ,
 .Dq forced-commands-only ,
 or
 .Dq no .
 The default is
-.Dq without-password .
+.Dq prohibit-password .
 .Pp
 If this option is set to
+.Dq prohibit-password
+or
 .Dq without-password ,
-password authentication is disabled for root.
+password and keyboard-interactive authentication are disabled for root.
 .Pp
 If this option is set to
 .Dq forced-commands-only ,
author	deraadt@openbsd.org <deraadt@openbsd.org>	2015-08-06 14:53:21 +0000
committer	Damien Miller <djm@mindrot.org>	2015-08-11 18:57:29 +1000
commit	1dc8d93ce69d6565747eb44446ed117187621b26 (patch)
tree	68e850b1c037c7d744836000527320d11b143168 /sshd_config.5
parent	90a95a4745a531b62b81ce3b025e892bdc434de5 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 6eec1f668..58e277f95 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.209 2015/07/30 19:23:02 deraadt Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $
37	.Dd $Mdocdate: July 30 2015 $	37	.Dd $Mdocdate: August 6 2015 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -1204,16 +1204,19 @@ Specifies whether root can log in using
1204	.Xr ssh 1 .	1204	.Xr ssh 1 .
1205	The argument must be	1205	The argument must be
1206	.Dq yes ,	1206	.Dq yes ,
		1207	.Dq prohibit-password ,
1207	.Dq without-password ,	1208	.Dq without-password ,
1208	.Dq forced-commands-only ,	1209	.Dq forced-commands-only ,
1209	or	1210	or
1210	.Dq no .	1211	.Dq no .
1211	The default is	1212	The default is
1212	.Dq without-password .	1213	.Dq prohibit-password .
1213	.Pp	1214	.Pp
1214	If this option is set to	1215	If this option is set to
		1216	.Dq prohibit-password
		1217	or
1215	.Dq without-password ,	1218	.Dq without-password ,
1216	password authentication is disabled for root.	1219	password and keyboard-interactive authentication are disabled for root.
1217	.Pp	1220	.Pp
1218	If this option is set to	1221	If this option is set to
1219	.Dq forced-commands-only ,	1222	.Dq forced-commands-only ,