1 files changed, 56 insertions, 17 deletions
diff --git a/sshd.8 b/sshd.8
index b53456f1a..ae7957648 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $
+.\" $OpenBSD: sshd.8,v 1.246 2008/07/02 02:24:18 djm Exp $
-.Dd $Mdocdate: August 16 2007 $
+.Dd $Mdocdate: July 2 2008 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -44,8 +44,9 @@
 .Sh SYNOPSIS
 .Nm sshd
 .Bk -words
-.Op Fl 46Ddeiqt
+.Op Fl 46DdeiqTt
 .Op Fl b Ar bits
+.Op Fl C Ar connection_spec
 .Op Fl f Ar config_file
 .Op Fl g Ar login_grace_time
 .Op Fl h Ar host_key_file
@@ -99,7 +100,25 @@ Forces
 to use IPv6 addresses only.
 .It Fl b Ar bits
 Specifies the number of bits in the ephemeral protocol version 1
-server key (default 768).
+server key (default 1024).
+.It Fl C Ar connection_spec
+Specify the connection parameters to use for the
+.Fl T
+extended test mode.
+If provided, any
+.Cm Match
+directives in the configuration file
+that would apply to the specified user, host, and address will be set before
+the configuration is written to standard output.
+The connection parameters are supplied as keyword=value pairs.
+The keywords are
+.Dq user ,
+.Dq host ,
+and
+.Dq addr .
+All are required and may be supplied in any order, either with multiple
+.Fl C
+options or as a comma-separated list.
 .It Fl D
 When this option is specified,
 .Nm
@@ -194,6 +213,15 @@ authentication, and termination of each connection is logged.
 If a second 
 .Fl q
 is given then nothing is sent to the system log.
+.It Fl T
+Extended test mode.
+Check the validity of the configuration file, output the effective configuration
+to stdout and then exit.
+Optionally,
+.Cm Match
+rules may be applied by specifying the connection parameters using one or more
+.Fl C
+options.
 .It Fl t
 Test mode.
 Only check the validity of the configuration file and sanity of the keys.
@@ -506,23 +534,27 @@ This option is automatically disabled if
 .Cm UseLogin
 is enabled.
 .It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
+Specifies that in addition to public key authentication, either the canonical
-of the remote host must be present in the comma-separated list of
+name of the remote host or its IP address must be present in the
-patterns.
+comma-separated list of patterns.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
-.Pp
 See
 .Sx PATTERNS
 in
 .Xr ssh_config 5
 for more information on patterns.
+.Pp
+In addition to the wildcard matching that may be applied to hostnames or
+addresses, a
+.Cm from
+stanza may match IP addressess using CIDR address/masklen notation.
+.Pp
+The purpose of this option is to optionally increase security: public key
+authentication by itself does not trust the network or name servers or
+anything (but the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
 .It Cm no-agent-forwarding
 Forbids authentication agent forwarding when this key is used for
 authentication.
@@ -535,7 +567,7 @@ option.
 .It Cm no-pty
 Prevents tty allocation (a request to allocate a pty will fail).
 .It Cm no-user-rc
-Disables execution of 
+Disables execution of
 .Pa ~/.ssh/rc .
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
@@ -688,6 +720,13 @@ This file is used in exactly the same way as
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
+.It ~/.ssh/
+This directory is the default location for all user-specific configuration
+and authentication information.
+There is no general requirement to keep the entire contents of this directory
+secret, but the recommended permissions are read/write/execute for the user,
+and not accessible by others.
+.Pp
 .It ~/.ssh/authorized_keys
 Lists the public keys (RSA/DSA) that can be used for logging in as this user.
 The format of this file is described above.

diff --git a/sshd.8 b/sshd.8 index b53456f1a..ae7957648 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $	37	.\" $OpenBSD: sshd.8,v 1.246 2008/07/02 02:24:18 djm Exp $
38	.Dd $Mdocdate: August 16 2007 $	38	.Dd $Mdocdate: July 2 2008 $
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -44,8 +44,9 @@
44	.Sh SYNOPSIS	44	.Sh SYNOPSIS
45	.Nm sshd	45	.Nm sshd
46	.Bk -words	46	.Bk -words
47	.Op Fl 46Ddeiqt	47	.Op Fl 46DdeiqTt
48	.Op Fl b Ar bits	48	.Op Fl b Ar bits
		49	.Op Fl C Ar connection_spec
49	.Op Fl f Ar config_file	50	.Op Fl f Ar config_file
50	.Op Fl g Ar login_grace_time	51	.Op Fl g Ar login_grace_time
51	.Op Fl h Ar host_key_file	52	.Op Fl h Ar host_key_file
@@ -99,7 +100,25 @@ Forces
99	to use IPv6 addresses only.	100	to use IPv6 addresses only.
100	.It Fl b Ar bits	101	.It Fl b Ar bits
101	Specifies the number of bits in the ephemeral protocol version 1	102	Specifies the number of bits in the ephemeral protocol version 1
102	server key (default 768).	103	server key (default 1024).
		104	.It Fl C Ar connection_spec
		105	Specify the connection parameters to use for the
		106	.Fl T
		107	extended test mode.
		108	If provided, any
		109	.Cm Match
		110	directives in the configuration file
		111	that would apply to the specified user, host, and address will be set before
		112	the configuration is written to standard output.
		113	The connection parameters are supplied as keyword=value pairs.
		114	The keywords are
		115	.Dq user ,
		116	.Dq host ,
		117	and
		118	.Dq addr .
		119	All are required and may be supplied in any order, either with multiple
		120	.Fl C
		121	options or as a comma-separated list.
103	.It Fl D	122	.It Fl D
104	When this option is specified,	123	When this option is specified,
105	.Nm	124	.Nm
@@ -194,6 +213,15 @@ authentication, and termination of each connection is logged.
194	If a second	213	If a second
195	.Fl q	214	.Fl q
196	is given then nothing is sent to the system log.	215	is given then nothing is sent to the system log.
		216	.It Fl T
		217	Extended test mode.
		218	Check the validity of the configuration file, output the effective configuration
		219	to stdout and then exit.
		220	Optionally,
		221	.Cm Match
		222	rules may be applied by specifying the connection parameters using one or more
		223	.Fl C
		224	options.
197	.It Fl t	225	.It Fl t
198	Test mode.	226	Test mode.
199	Only check the validity of the configuration file and sanity of the keys.	227	Only check the validity of the configuration file and sanity of the keys.
@@ -506,23 +534,27 @@ This option is automatically disabled if
506	.Cm UseLogin	534	.Cm UseLogin
507	is enabled.	535	is enabled.
508	.It Cm from="pattern-list"	536	.It Cm from="pattern-list"
509	Specifies that in addition to public key authentication, the canonical name	537	Specifies that in addition to public key authentication, either the canonical
510	of the remote host must be present in the comma-separated list of	538	name of the remote host or its IP address must be present in the
511	patterns.	539	comma-separated list of patterns.
512	The purpose
513	of this option is to optionally increase security: public key authentication
514	by itself does not trust the network or name servers or anything (but
515	the key); however, if somebody somehow steals the key, the key
516	permits an intruder to log in from anywhere in the world.
517	This additional option makes using a stolen key more difficult (name
518	servers and/or routers would have to be compromised in addition to
519	just the key).
520	.Pp
521	See	540	See
522	.Sx PATTERNS	541	.Sx PATTERNS
523	in	542	in
524	.Xr ssh_config 5	543	.Xr ssh_config 5
525	for more information on patterns.	544	for more information on patterns.
		545	.Pp
		546	In addition to the wildcard matching that may be applied to hostnames or
		547	addresses, a
		548	.Cm from
		549	stanza may match IP addressess using CIDR address/masklen notation.
		550	.Pp
		551	The purpose of this option is to optionally increase security: public key
		552	authentication by itself does not trust the network or name servers or
		553	anything (but the key); however, if somebody somehow steals the key, the key
		554	permits an intruder to log in from anywhere in the world.
		555	This additional option makes using a stolen key more difficult (name
		556	servers and/or routers would have to be compromised in addition to
		557	just the key).
526	.It Cm no-agent-forwarding	558	.It Cm no-agent-forwarding
527	Forbids authentication agent forwarding when this key is used for	559	Forbids authentication agent forwarding when this key is used for
528	authentication.	560	authentication.
@@ -535,7 +567,7 @@ option.
535	.It Cm no-pty	567	.It Cm no-pty
536	Prevents tty allocation (a request to allocate a pty will fail).	568	Prevents tty allocation (a request to allocate a pty will fail).
537	.It Cm no-user-rc	569	.It Cm no-user-rc
538	Disables execution of	570	Disables execution of
539	.Pa ~/.ssh/rc .	571	.Pa ~/.ssh/rc .
540	.It Cm no-X11-forwarding	572	.It Cm no-X11-forwarding
541	Forbids X11 forwarding when this key is used for authentication.	573	Forbids X11 forwarding when this key is used for authentication.
@@ -688,6 +720,13 @@ This file is used in exactly the same way as
688	but allows host-based authentication without permitting login with	720	but allows host-based authentication without permitting login with
689	rlogin/rsh.	721	rlogin/rsh.
690	.Pp	722	.Pp
		723	.It ~/.ssh/
		724	This directory is the default location for all user-specific configuration
		725	and authentication information.
		726	There is no general requirement to keep the entire contents of this directory
		727	secret, but the recommended permissions are read/write/execute for the user,
		728	and not accessible by others.
		729	.Pp
691	.It ~/.ssh/authorized_keys	730	.It ~/.ssh/authorized_keys
692	Lists the public keys (RSA/DSA) that can be used for logging in as this user.	731	Lists the public keys (RSA/DSA) that can be used for logging in as this user.
693	The format of this file is described above.	732	The format of this file is described above.