2 files changed, 31 insertions, 27 deletions

diff --git a/ChangeLog b/ChangeLog
index 608a438cd..9928e171c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -85,6 +85,10 @@
    - jmc@cvs.openbsd.org 2006/02/12 10:52:41
      [sshd.8]
      rework the description of authorized_keys a little;
+   - jmc@cvs.openbsd.org 2006/02/12 17:57:19
+     [sshd.8]
+     sort the list of options permissable w/ authorized_keys;
+     ok djm dtucker
 
 20060313
  - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@@ -3986,4 +3990,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4163 2006/03/15 00:31:22 djm Exp $
+$Id: ChangeLog,v 1.4164 2006/03/15 00:31:44 djm Exp $
diff --git a/sshd.8 b/sshd.8
index 909339f07..58bf9062a 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.217 2006/02/12 10:52:41 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.218 2006/02/12 17:57:19 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -421,26 +421,6 @@ No spaces are permitted, except within double quotes.
 The following option specifications are supported (note
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
-.It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-patterns
-.Pf ( Ql \&*
-and
-.Ql \&?
-serve as wildcards).
-The list may also contain
-patterns negated by prefixing them with
-.Ql \&! ;
-if the canonical host name matches a negated pattern, the key is not accepted.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
 .It Cm command="command"
 Specifies that the command is executed whenever this key is used for
 authentication.
@@ -470,20 +450,40 @@ option.
 This option is automatically disabled if
 .Cm UseLogin
 is enabled.
+.It Cm from="pattern-list"
+Specifies that in addition to public key authentication, the canonical name
+of the remote host must be present in the comma-separated list of
+patterns
+.Pf ( Ql \&*
+and
+.Ql \&?
+serve as wildcards).
+The list may also contain
+patterns negated by prefixing them with
+.Ql \&! ;
+if the canonical host name matches a negated pattern, the key is not accepted.
+The purpose
+of this option is to optionally increase security: public key authentication
+by itself does not trust the network or name servers or anything (but
+the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
+.It Cm no-agent-forwarding
+Forbids authentication agent forwarding when this key is used for
+authentication.
 .It Cm no-port-forwarding
 Forbids TCP forwarding when this key is used for authentication.
 Any port forward requests by the client will return an error.
 This might be used, e.g., in connection with the
 .Cm command
 option.
+.It Cm no-pty
+Prevents tty allocation (a request to allocate a pty will fail).
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm no-agent-forwarding
-Forbids authentication agent forwarding when this key is used for
-authentication.
-.It Cm no-pty
-Prevents tty allocation (a request to allocate a pty will fail).
 .It Cm permitopen="host:port"
 Limit local
 .Li ``ssh -L''