6 files changed, 32 insertions, 55 deletions
diff --git a/ChangeLog b/ChangeLog
index 1502ec873..9cabcb46d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -29,6 +29,11 @@
   - djm@cvs.openbsd.org 2013/06/22 06:31:57
     [scp.c]
     improved time_t overflow check suggested by guenther@
+   - jmc@cvs.openbsd.org 2013/06/27 14:05:37
+     [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
+     do not use Sx for sections outwith the man page - ingo informs me that
+     stuff like html will render with broken links;
+     issue reported by Eric S. Raymond, via djm
 20130702
 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 7da73e07c..0d55854e9 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 19 2013 $
+.Dd $Mdocdate: June 27 2013 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -516,8 +516,7 @@ of two times separated by a colon to indicate an explicit time interval.
 The start time may be specified as a date in YYYYMMDD format, a time
 in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
 of a minus sign followed by a relative time in the format described in the
-.Sx TIME FORMATS
+TIME FORMATS section of
-section of
 .Xr sshd_config 5 .
 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
 a relative time starting with a plus character.
diff --git a/ssh.1 b/ssh.1
index dc7af4864..3cb4254eb 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.332 2013/04/19 01:06:50 djm Exp $
+.\" $OpenBSD: ssh.1,v 1.333 2013/06/27 14:05:37 jmc Exp $
-.Dd $Mdocdate: April 19 2013 $
+.Dd $Mdocdate: June 27 2013 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -754,9 +754,7 @@ implements public key authentication protocol automatically,
 using one of the DSA, ECDSA or RSA algorithms.
 Protocol 1 is restricted to using only RSA keys,
 but protocol 2 may use any.
-The
+The HISTORY section of
-.Sx HISTORY
-section of
 .Xr ssl 8
 contains a brief discussion of the DSA and RSA algorithms.
 .Pp
@@ -812,9 +810,7 @@ instead of a set of public/private keys,
 signed certificates are used.
 This has the advantage that a single trusted certification authority
 can be used in place of many public/private keys.
-See the
+See the CERTIFICATES section of
-.Sx CERTIFICATES
-section of
 .Xr ssh-keygen 1
 for more information.
 .Pp
diff --git a/ssh_config.5 b/ssh_config.5
index 86906a488..5d76c6d2d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.165 2013/06/21 00:37:49 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $
-.Dd $Mdocdate: June 21 2013 $
+.Dd $Mdocdate: June 27 2013 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -474,8 +474,7 @@ option is also enabled.
 .It Cm ForwardX11Timeout
 Specify a timeout for untrusted X11 forwarding
 using the format described in the
-.Sx TIME FORMATS
+TIME FORMATS section of
-section of
 .Xr sshd_config 5 .
 X11 connections received by
 .Xr ssh 1
@@ -964,8 +963,7 @@ and
 depending on the cipher.
 The optional second value is specified in seconds and may use any of the
 units documented in the
-.Sx TIME FORMATS
+TIME FORMATS section of
-section of
 .Xr sshd_config 5 .
 The default value for
 .Cm RekeyLimit
@@ -1251,9 +1249,7 @@ The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
 .Pp
-See also
+See also VERIFYING HOST KEYS in
-.Sx VERIFYING HOST KEYS
-in
 .Xr ssh 1 .
 .It Cm VisualHostKey
 If this flag is set to
diff --git a/sshd.8 b/sshd.8
index 03b77b04e..b0c7ab6bd 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.269 2013/04/07 09:40:27 dtucker Exp $
+.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $
-.Dd $Mdocdate: April 7 2013 $
+.Dd $Mdocdate: June 27 2013 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -567,9 +567,7 @@ is enabled.
 Specifies that in addition to public key authentication, either the canonical
 name of the remote host or its IP address must be present in the
 comma-separated list of patterns.
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .Pp
diff --git a/sshd_config.5 b/sshd_config.5
index 18b1d81a0..3807c0f3c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.160 2013/05/16 06:30:06 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.161 2013/06/27 14:05:37 jmc Exp $
-.Dd $Mdocdate: May 16 2013 $
+.Dd $Mdocdate: June 27 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -117,9 +117,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm AllowTcpForwarding
@@ -159,9 +157,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm AuthenticationMethods
@@ -205,9 +201,7 @@ Specifies a program to be used to look up the user's public keys.
 The program must be owned by root and not writable by group or others.
 It will be invoked with a single argument of the username
 being authenticated, and should produce on standard output zero or
-more lines of authorized_keys output (see
+more lines of authorized_keys output (see AUTHORIZED_KEYS in
-.Sx AUTHORIZED_KEYS
-in
 .Xr sshd 8 ) .
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
 and authorize the user then public key authentication continues using the usual
@@ -222,7 +216,7 @@ than running authorized keys commands.
 Specifies the file that contains the public keys that can be used
 for user authentication.
 The format is described in the
-.Sx AUTHORIZED_KEYS FILE FORMAT
+AUTHORIZED_KEYS FILE FORMAT
 section of
 .Xr sshd 8 .
 .Cm AuthorizedKeysFile
@@ -246,9 +240,7 @@ When using certificates signed by a key listed in
 this file lists names, one of which must appear in the certificate for it
 to be accepted for authentication.
 Names are listed one per line preceded by key options (as described
-in
+in AUTHORIZED_KEYS FILE FORMAT in
-.Sx AUTHORIZED_KEYS FILE FORMAT
-in
 .Xr sshd 8 ) .
 Empty lines and comments starting with
 .Ql #
@@ -426,9 +418,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm DenyUsers
@@ -447,9 +437,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm ForceCommand
@@ -761,8 +749,7 @@ and
 .Cm Address .
 The match patterns may consist of single entries or comma-separated
 lists and may use the wildcard and negation operators described in the
-.Sx PATTERNS
+PATTERNS section of
-section of
 .Xr ssh_config 5 .
 .Pp
 The patterns in an
@@ -1043,9 +1030,7 @@ be refused for all users.
 Keys may be specified as a text file, listing one public key per line, or as
 an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
-For more information on KRLs, see the
+For more information on KRLs, see the KEY REVOCATION LISTS section in
-.Sx KEY REVOCATION LISTS
-section in
 .Xr ssh-keygen 1 .
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
@@ -1134,9 +1119,7 @@ listed in the certificate's principals list.
 Note that certificates that lack a list of principals will not be permitted
 for authentication using
 .Cm TrustedUserCAKeys .
-For more details on certificates, see the
+For more details on certificates, see the CERTIFICATES section in
-.Sx CERTIFICATES
-section in
 .Xr ssh-keygen 1 .
 .It Cm UseDNS
 Specifies whether

diff --git a/ChangeLog b/ChangeLog index 1502ec873..9cabcb46d 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -29,6 +29,11 @@
29	- djm@cvs.openbsd.org 2013/06/22 06:31:57	29	- djm@cvs.openbsd.org 2013/06/22 06:31:57
30	[scp.c]	30	[scp.c]
31	improved time_t overflow check suggested by guenther@	31	improved time_t overflow check suggested by guenther@
		32	- jmc@cvs.openbsd.org 2013/06/27 14:05:37
		33	[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
		34	do not use Sx for sections outwith the man page - ingo informs me that
		35	stuff like html will render with broken links;
		36	issue reported by Eric S. Raymond, via djm
32		37
33	20130702	38	20130702
34	- (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config	39	- (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config


diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 7da73e07c..0d55854e9 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: January 19 2013 $	38	.Dd $Mdocdate: June 27 2013 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -516,8 +516,7 @@ of two times separated by a colon to indicate an explicit time interval.
516	The start time may be specified as a date in YYYYMMDD format, a time	516	The start time may be specified as a date in YYYYMMDD format, a time
517	in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting	517	in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
518	of a minus sign followed by a relative time in the format described in the	518	of a minus sign followed by a relative time in the format described in the
519	.Sx TIME FORMATS	519	TIME FORMATS section of
520	section of
521	.Xr sshd_config 5 .	520	.Xr sshd_config 5 .
522	The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or	521	The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
523	a relative time starting with a plus character.	522	a relative time starting with a plus character.


diff --git a/ssh.1 b/ssh.1 index dc7af4864..3cb4254eb 100644 --- a/ssh.1 +++ b/ssh.1
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh.1,v 1.332 2013/04/19 01:06:50 djm Exp $	36	.\" $OpenBSD: ssh.1,v 1.333 2013/06/27 14:05:37 jmc Exp $
37	.Dd $Mdocdate: April 19 2013 $	37	.Dd $Mdocdate: June 27 2013 $
38	.Dt SSH 1	38	.Dt SSH 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -754,9 +754,7 @@ implements public key authentication protocol automatically,
754	using one of the DSA, ECDSA or RSA algorithms.	754	using one of the DSA, ECDSA or RSA algorithms.
755	Protocol 1 is restricted to using only RSA keys,	755	Protocol 1 is restricted to using only RSA keys,
756	but protocol 2 may use any.	756	but protocol 2 may use any.
757	The	757	The HISTORY section of
758	.Sx HISTORY
759	section of
760	.Xr ssl 8	758	.Xr ssl 8
761	contains a brief discussion of the DSA and RSA algorithms.	759	contains a brief discussion of the DSA and RSA algorithms.
762	.Pp	760	.Pp
@@ -812,9 +810,7 @@ instead of a set of public/private keys,
812	signed certificates are used.	810	signed certificates are used.
813	This has the advantage that a single trusted certification authority	811	This has the advantage that a single trusted certification authority
814	can be used in place of many public/private keys.	812	can be used in place of many public/private keys.
815	See the	813	See the CERTIFICATES section of
816	.Sx CERTIFICATES
817	section of
818	.Xr ssh-keygen 1	814	.Xr ssh-keygen 1
819	for more information.	815	for more information.
820	.Pp	816	.Pp


diff --git a/ssh_config.5 b/ssh_config.5 index 86906a488..5d76c6d2d 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.165 2013/06/21 00:37:49 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $
37	.Dd $Mdocdate: June 21 2013 $	37	.Dd $Mdocdate: June 27 2013 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -474,8 +474,7 @@ option is also enabled.
474	.It Cm ForwardX11Timeout	474	.It Cm ForwardX11Timeout
475	Specify a timeout for untrusted X11 forwarding	475	Specify a timeout for untrusted X11 forwarding
476	using the format described in the	476	using the format described in the
477	.Sx TIME FORMATS	477	TIME FORMATS section of
478	section of
479	.Xr sshd_config 5 .	478	.Xr sshd_config 5 .
480	X11 connections received by	479	X11 connections received by
481	.Xr ssh 1	480	.Xr ssh 1
@@ -964,8 +963,7 @@ and
964	depending on the cipher.	963	depending on the cipher.
965	The optional second value is specified in seconds and may use any of the	964	The optional second value is specified in seconds and may use any of the
966	units documented in the	965	units documented in the
967	.Sx TIME FORMATS	966	TIME FORMATS section of
968	section of
969	.Xr sshd_config 5 .	967	.Xr sshd_config 5 .
970	The default value for	968	The default value for
971	.Cm RekeyLimit	969	.Cm RekeyLimit
@@ -1251,9 +1249,7 @@ The default is
1251	.Dq no .	1249	.Dq no .
1252	Note that this option applies to protocol version 2 only.	1250	Note that this option applies to protocol version 2 only.
1253	.Pp	1251	.Pp
1254	See also	1252	See also VERIFYING HOST KEYS in
1255	.Sx VERIFYING HOST KEYS
1256	in
1257	.Xr ssh 1 .	1253	.Xr ssh 1 .
1258	.It Cm VisualHostKey	1254	.It Cm VisualHostKey
1259	If this flag is set to	1255	If this flag is set to


diff --git a/sshd.8 b/sshd.8 index 03b77b04e..b0c7ab6bd 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.269 2013/04/07 09:40:27 dtucker Exp $	36	.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $
37	.Dd $Mdocdate: April 7 2013 $	37	.Dd $Mdocdate: June 27 2013 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -567,9 +567,7 @@ is enabled.
567	Specifies that in addition to public key authentication, either the canonical	567	Specifies that in addition to public key authentication, either the canonical
568	name of the remote host or its IP address must be present in the	568	name of the remote host or its IP address must be present in the
569	comma-separated list of patterns.	569	comma-separated list of patterns.
570	See	570	See PATTERNS in
571	.Sx PATTERNS
572	in
573	.Xr ssh_config 5	571	.Xr ssh_config 5
574	for more information on patterns.	572	for more information on patterns.
575	.Pp	573	.Pp


diff --git a/sshd_config.5 b/sshd_config.5 index 18b1d81a0..3807c0f3c 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.160 2013/05/16 06:30:06 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.161 2013/06/27 14:05:37 jmc Exp $
37	.Dd $Mdocdate: May 16 2013 $	37	.Dd $Mdocdate: June 27 2013 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -117,9 +117,7 @@ The allow/deny directives are processed in the following order:
117	and finally	117	and finally
118	.Cm AllowGroups .	118	.Cm AllowGroups .
119	.Pp	119	.Pp
120	See	120	See PATTERNS in
121	.Sx PATTERNS
122	in
123	.Xr ssh_config 5	121	.Xr ssh_config 5
124	for more information on patterns.	122	for more information on patterns.
125	.It Cm AllowTcpForwarding	123	.It Cm AllowTcpForwarding
@@ -159,9 +157,7 @@ The allow/deny directives are processed in the following order:
159	and finally	157	and finally
160	.Cm AllowGroups .	158	.Cm AllowGroups .
161	.Pp	159	.Pp
162	See	160	See PATTERNS in
163	.Sx PATTERNS
164	in
165	.Xr ssh_config 5	161	.Xr ssh_config 5
166	for more information on patterns.	162	for more information on patterns.
167	.It Cm AuthenticationMethods	163	.It Cm AuthenticationMethods
@@ -205,9 +201,7 @@ Specifies a program to be used to look up the user's public keys.
205	The program must be owned by root and not writable by group or others.	201	The program must be owned by root and not writable by group or others.
206	It will be invoked with a single argument of the username	202	It will be invoked with a single argument of the username
207	being authenticated, and should produce on standard output zero or	203	being authenticated, and should produce on standard output zero or
208	more lines of authorized_keys output (see	204	more lines of authorized_keys output (see AUTHORIZED_KEYS in
209	.Sx AUTHORIZED_KEYS
210	in
211	.Xr sshd 8 ) .	205	.Xr sshd 8 ) .
212	If a key supplied by AuthorizedKeysCommand does not successfully authenticate	206	If a key supplied by AuthorizedKeysCommand does not successfully authenticate
213	and authorize the user then public key authentication continues using the usual	207	and authorize the user then public key authentication continues using the usual
@@ -222,7 +216,7 @@ than running authorized keys commands.
222	Specifies the file that contains the public keys that can be used	216	Specifies the file that contains the public keys that can be used
223	for user authentication.	217	for user authentication.
224	The format is described in the	218	The format is described in the
225	.Sx AUTHORIZED_KEYS FILE FORMAT	219	AUTHORIZED_KEYS FILE FORMAT
226	section of	220	section of
227	.Xr sshd 8 .	221	.Xr sshd 8 .
228	.Cm AuthorizedKeysFile	222	.Cm AuthorizedKeysFile
@@ -246,9 +240,7 @@ When using certificates signed by a key listed in
246	this file lists names, one of which must appear in the certificate for it	240	this file lists names, one of which must appear in the certificate for it
247	to be accepted for authentication.	241	to be accepted for authentication.
248	Names are listed one per line preceded by key options (as described	242	Names are listed one per line preceded by key options (as described
249	in	243	in AUTHORIZED_KEYS FILE FORMAT in
250	.Sx AUTHORIZED_KEYS FILE FORMAT
251	in
252	.Xr sshd 8 ) .	244	.Xr sshd 8 ) .
253	Empty lines and comments starting with	245	Empty lines and comments starting with
254	.Ql #	246	.Ql #
@@ -426,9 +418,7 @@ The allow/deny directives are processed in the following order:
426	and finally	418	and finally
427	.Cm AllowGroups .	419	.Cm AllowGroups .
428	.Pp	420	.Pp
429	See	421	See PATTERNS in
430	.Sx PATTERNS
431	in
432	.Xr ssh_config 5	422	.Xr ssh_config 5
433	for more information on patterns.	423	for more information on patterns.
434	.It Cm DenyUsers	424	.It Cm DenyUsers
@@ -447,9 +437,7 @@ The allow/deny directives are processed in the following order:
447	and finally	437	and finally
448	.Cm AllowGroups .	438	.Cm AllowGroups .
449	.Pp	439	.Pp
450	See	440	See PATTERNS in
451	.Sx PATTERNS
452	in
453	.Xr ssh_config 5	441	.Xr ssh_config 5
454	for more information on patterns.	442	for more information on patterns.
455	.It Cm ForceCommand	443	.It Cm ForceCommand
@@ -761,8 +749,7 @@ and
761	.Cm Address .	749	.Cm Address .
762	The match patterns may consist of single entries or comma-separated	750	The match patterns may consist of single entries or comma-separated
763	lists and may use the wildcard and negation operators described in the	751	lists and may use the wildcard and negation operators described in the
764	.Sx PATTERNS	752	PATTERNS section of
765	section of
766	.Xr ssh_config 5 .	753	.Xr ssh_config 5 .
767	.Pp	754	.Pp
768	The patterns in an	755	The patterns in an
@@ -1043,9 +1030,7 @@ be refused for all users.
1043	Keys may be specified as a text file, listing one public key per line, or as	1030	Keys may be specified as a text file, listing one public key per line, or as
1044	an OpenSSH Key Revocation List (KRL) as generated by	1031	an OpenSSH Key Revocation List (KRL) as generated by
1045	.Xr ssh-keygen 1 .	1032	.Xr ssh-keygen 1 .
1046	For more information on KRLs, see the	1033	For more information on KRLs, see the KEY REVOCATION LISTS section in
1047	.Sx KEY REVOCATION LISTS
1048	section in
1049	.Xr ssh-keygen 1 .	1034	.Xr ssh-keygen 1 .
1050	.It Cm RhostsRSAAuthentication	1035	.It Cm RhostsRSAAuthentication
1051	Specifies whether rhosts or /etc/hosts.equiv authentication together	1036	Specifies whether rhosts or /etc/hosts.equiv authentication together
@@ -1134,9 +1119,7 @@ listed in the certificate's principals list.
1134	Note that certificates that lack a list of principals will not be permitted	1119	Note that certificates that lack a list of principals will not be permitted
1135	for authentication using	1120	for authentication using
1136	.Cm TrustedUserCAKeys .	1121	.Cm TrustedUserCAKeys .
1137	For more details on certificates, see the	1122	For more details on certificates, see the CERTIFICATES section in
1138	.Sx CERTIFICATES
1139	section in
1140	.Xr ssh-keygen 1 .	1123	.Xr ssh-keygen 1 .
1141	.It Cm UseDNS	1124	.It Cm UseDNS
1142	Specifies whether	1125	Specifies whether