1 files changed, 21 insertions, 47 deletions
diff --git a/sshd.8 b/sshd.8
index 27b1a3cf6..46660b16c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -114,29 +114,6 @@ authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
 .Pp
-Regardless of the authentication type, the account is checked to
-ensure that it is accessible.  An account is not accessible if it is
-locked, listed in
-.Cm DenyUsers
-or its group is listed in
-.Cm DenyGroups
-\&.  The definition of a locked account is system dependant. Some platforms
-have their own account database (eg AIX) and some modify the passwd field (
-.Ql \&*LK\&*
-on Solaris,
-.Ql \&*
-on HP-UX, containing
-.Ql Nologin
-on Tru64 and a leading
-.Ql \&!!
-on Linux).  If there is a requirement to disable password authentication
-for the account while allowing still public-key, then the passwd field
-should be set to something other than these values (eg
-.Ql NP
-or
-.Ql \&*NP\&*
-).
-.Pp
 Rhosts authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.
@@ -318,6 +295,7 @@ may also be used to prevent
 from making DNS requests unless the authentication
 mechanism or configuration requires it.
 Authentication mechanisms that may require DNS include
+.Cm RhostsAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm HostbasedAuthentication
 and using a
@@ -454,13 +432,13 @@ that option keywords are case-insensitive):
 Specifies that in addition to public key authentication, the canonical name
 of the remote host must be present in the comma-separated list of
 patterns
-.Pf ( Ql \&*
+.Pf ( Ql *
 and
-.Ql \&?
+.Ql ?
 serve as wildcards).
 The list may also contain
 patterns negated by prefixing them with
-.Ql \&! ;
+.Ql ! ;
 if the canonical host name matches a negated pattern, the key is not accepted.
 The purpose
 of this option is to optionally increase security: public key authentication
@@ -522,9 +500,9 @@ IPv6 addresses can be specified with an alternative syntax:
 .Ar host/port .
 Multiple
 .Cm permitopen
-options may be applied separated by commas.
+options may be applied separated by commas. No pattern matching is
-No pattern matching is performed on the specified hostnames,
+performed on the specified hostnames, they must be literal domains or
-they must be literal domains or addresses.
+addresses.
 .El
 .Ss Examples
 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
@@ -549,16 +527,12 @@ Each line in these files contains the following fields: hostnames,
 bits, exponent, modulus, comment.
 The fields are separated by spaces.
 .Pp
-Hostnames is a comma-separated list of patterns
+Hostnames is a comma-separated list of patterns ('*' and '?' act as
-.Pf ( Ql \&*
-and
-.Ql \&?
-act as
 wildcards); each pattern in turn is matched against the canonical host
 name (when authenticating a client) or against the user-supplied
 name (when authenticating a server).
 A pattern may also be preceded by
-.Ql \&!
+.Ql !
 to indicate negation: if the host name matches a negated
 pattern, it is not accepted (by that line) even if it matched another
 pattern on the line.
@@ -796,6 +770,17 @@ This can be used to specify
 machine-specific login-time initializations globally.
 This file should be writable only by root, and should be world-readable.
 .El
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+Niels Provos and Markus Friedl contributed support
+for privilege separation.
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,
@@ -827,14 +812,3 @@ This file should be writable only by root, and should be world-readable.
 .%D January 2002
 .%O work in progress material
 .Re
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
-Niels Provos and Markus Friedl contributed support
-for privilege separation.

diff --git a/sshd.8 b/sshd.8 index 27b1a3cf6..46660b16c 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $	37	.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -114,29 +114,6 @@ authentication combined with RSA host
114	authentication, RSA challenge-response authentication, or password	114	authentication, RSA challenge-response authentication, or password
115	based authentication.	115	based authentication.
116	.Pp	116	.Pp
117	Regardless of the authentication type, the account is checked to
118	ensure that it is accessible. An account is not accessible if it is
119	locked, listed in
120	.Cm DenyUsers
121	or its group is listed in
122	.Cm DenyGroups
123	\&. The definition of a locked account is system dependant. Some platforms
124	have their own account database (eg AIX) and some modify the passwd field (
125	.Ql \&LK\&
126	on Solaris,
127	.Ql \&*
128	on HP-UX, containing
129	.Ql Nologin
130	on Tru64 and a leading
131	.Ql \&!!
132	on Linux). If there is a requirement to disable password authentication
133	for the account while allowing still public-key, then the passwd field
134	should be set to something other than these values (eg
135	.Ql NP
136	or
137	.Ql \&NP\&
138	).
139	.Pp
140	Rhosts authentication is normally disabled	117	Rhosts authentication is normally disabled
141	because it is fundamentally insecure, but can be enabled in the server	118	because it is fundamentally insecure, but can be enabled in the server
142	configuration file if desired.	119	configuration file if desired.
@@ -318,6 +295,7 @@ may also be used to prevent
318	from making DNS requests unless the authentication	295	from making DNS requests unless the authentication
319	mechanism or configuration requires it.	296	mechanism or configuration requires it.
320	Authentication mechanisms that may require DNS include	297	Authentication mechanisms that may require DNS include
		298	.Cm RhostsAuthentication ,
321	.Cm RhostsRSAAuthentication ,	299	.Cm RhostsRSAAuthentication ,
322	.Cm HostbasedAuthentication	300	.Cm HostbasedAuthentication
323	and using a	301	and using a
@@ -454,13 +432,13 @@ that option keywords are case-insensitive):
454	Specifies that in addition to public key authentication, the canonical name	432	Specifies that in addition to public key authentication, the canonical name
455	of the remote host must be present in the comma-separated list of	433	of the remote host must be present in the comma-separated list of
456	patterns	434	patterns
457	.Pf ( Ql \&*	435	.Pf ( Ql *
458	and	436	and
459	.Ql \&?	437	.Ql ?
460	serve as wildcards).	438	serve as wildcards).
461	The list may also contain	439	The list may also contain
462	patterns negated by prefixing them with	440	patterns negated by prefixing them with
463	.Ql \&! ;	441	.Ql ! ;
464	if the canonical host name matches a negated pattern, the key is not accepted.	442	if the canonical host name matches a negated pattern, the key is not accepted.
465	The purpose	443	The purpose
466	of this option is to optionally increase security: public key authentication	444	of this option is to optionally increase security: public key authentication
@@ -522,9 +500,9 @@ IPv6 addresses can be specified with an alternative syntax:
522	.Ar host/port .	500	.Ar host/port .
523	Multiple	501	Multiple
524	.Cm permitopen	502	.Cm permitopen
525	options may be applied separated by commas.	503	options may be applied separated by commas. No pattern matching is
526	No pattern matching is performed on the specified hostnames,	504	performed on the specified hostnames, they must be literal domains or
527	they must be literal domains or addresses.	505	addresses.
528	.El	506	.El
529	.Ss Examples	507	.Ss Examples
530	1024 33 12121.\\|.\\|.\\|312314325 ylo@foo.bar	508	1024 33 12121.\\|.\\|.\\|312314325 ylo@foo.bar
@@ -549,16 +527,12 @@ Each line in these files contains the following fields: hostnames,
549	bits, exponent, modulus, comment.	527	bits, exponent, modulus, comment.
550	The fields are separated by spaces.	528	The fields are separated by spaces.
551	.Pp	529	.Pp
552	Hostnames is a comma-separated list of patterns	530	Hostnames is a comma-separated list of patterns ('*' and '?' act as
553	.Pf ( Ql \&*
554	and
555	.Ql \&?
556	act as
557	wildcards); each pattern in turn is matched against the canonical host	531	wildcards); each pattern in turn is matched against the canonical host
558	name (when authenticating a client) or against the user-supplied	532	name (when authenticating a client) or against the user-supplied
559	name (when authenticating a server).	533	name (when authenticating a server).
560	A pattern may also be preceded by	534	A pattern may also be preceded by
561	.Ql \&!	535	.Ql !
562	to indicate negation: if the host name matches a negated	536	to indicate negation: if the host name matches a negated
563	pattern, it is not accepted (by that line) even if it matched another	537	pattern, it is not accepted (by that line) even if it matched another
564	pattern on the line.	538	pattern on the line.
@@ -796,6 +770,17 @@ This can be used to specify
796	machine-specific login-time initializations globally.	770	machine-specific login-time initializations globally.
797	This file should be writable only by root, and should be world-readable.	771	This file should be writable only by root, and should be world-readable.
798	.El	772	.El
		773	.Sh AUTHORS
		774	OpenSSH is a derivative of the original and free
		775	ssh 1.2.12 release by Tatu Ylonen.
		776	Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
		777	Theo de Raadt and Dug Song
		778	removed many bugs, re-added newer features and
		779	created OpenSSH.
		780	Markus Friedl contributed the support for SSH
		781	protocol versions 1.5 and 2.0.
		782	Niels Provos and Markus Friedl contributed support
		783	for privilege separation.
799	.Sh SEE ALSO	784	.Sh SEE ALSO
800	.Xr scp 1 ,	785	.Xr scp 1 ,
801	.Xr sftp 1 ,	786	.Xr sftp 1 ,
@@ -827,14 +812,3 @@ This file should be writable only by root, and should be world-readable.
827	.%D January 2002	812	.%D January 2002
828	.%O work in progress material	813	.%O work in progress material
829	.Re	814	.Re
830	.Sh AUTHORS
831	OpenSSH is a derivative of the original and free
832	ssh 1.2.12 release by Tatu Ylonen.
833	Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
834	Theo de Raadt and Dug Song
835	removed many bugs, re-added newer features and
836	created OpenSSH.
837	Markus Friedl contributed the support for SSH
838	protocol versions 1.5 and 2.0.
839	Niels Provos and Markus Friedl contributed support
840	for privilege separation.