1 files changed, 44 insertions, 11 deletions
diff --git a/sshd.8 b/sshd.8
index 213b5fc43..6c521f23e 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $
-.Dd $Mdocdate: July 3 2015 $
+.Dd $Mdocdate: February 17 2016 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -275,14 +275,12 @@ though this can be changed via the
 .Cm Protocol
 option in
 .Xr sshd_config 5 .
-Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
+Protocol 1 should not be used
-protocol 1 only supports RSA keys.
+and is only offered to support legacy devices.
-For both protocols,
-each host has a host-specific key,
-normally 2048 bits,
-used to identify the host.
 .Pp
-Forward security for protocol 1 is provided through
+Each host has a host-specific key,
+used to identify the host.
+Partial forward security for protocol 1 is provided through
 an additional server key,
 normally 1024 bits,
 generated when the server starts.
@@ -470,7 +468,7 @@ does not exist either, xauth is used to add the cookie.
 .Cm AuthorizedKeysFile
 specifies the files containing public keys for
 public key authentication;
-if none is specified, the default is
+if this option is not specified, the default is
 .Pa ~/.ssh/authorized_keys
 and
 .Pa ~/.ssh/authorized_keys2 .
@@ -522,6 +520,10 @@ No spaces are permitted, except within double quotes.
 The following option specifications are supported (note
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
+.It Cm agent-forwarding
+Enable authentication agent forwarding previously disabled by the
+.Cm restrict
+option.
 .It Cm cert-authority
 Specifies that the listed key is a certification authority (CA) that is
 trusted to validate signed certificates for user authentication.
@@ -616,6 +618,9 @@ they must be literal domains or addresses.
 A port specification of
 .Cm *
 matches any port.
+.It Cm port-forwarding
+Enable port forwarding previously disabled by the
+.Cm restrict
 .It Cm principals="principals"
 On a
 .Cm cert-authority
@@ -627,12 +632,33 @@ This option is ignored for keys that are not marked as trusted certificate
 signers using the
 .Cm cert-authority
 option.
+.It Cm pty
+Permits tty allocation previously disabled by the
+.Cm restrict
+option.
+.It Cm restrict
+Enable all restrictions, i.e. disable port, agent and X11 forwarding,
+as well as disabling PTY allocation
+and execution of
+.Pa ~/.ssh/rc .
+If any future restriction capabilities are added to authorized_keys files
+they will be included in this set.
 .It Cm tunnel="n"
 Force a
 .Xr tun 4
 device on the server.
 Without this option, the next available device will be used if
 the client requests a tunnel.
+.It Cm user-rc
+Enables execution of
+.Pa ~/.ssh/rc
+previously disabled by the
+.Cm restrict
+option.
+.It Cm X11-forwarding
+Permits X11 forwarding previously disabled by the
+.Cm restrict
+option.
 .El
 .Pp
 An example authorized_keys file:
@@ -647,6 +673,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
+restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
+user@example.net
+restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
+user@example.net
 .Ed
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The
@@ -856,9 +886,12 @@ This file is for host-based authentication (see
 It should only be writable by root.
 .Pp
 .It Pa /etc/moduli
-Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
+key exchange method.
 The file format is described in
 .Xr moduli 5 .
+If no usable groups are found in this file then fixed internal groups will
+be used.
 .Pp
 .It Pa /etc/motd
 See

diff --git a/sshd.8 b/sshd.8 index 213b5fc43..6c521f23e 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $	36	.\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $
37	.Dd $Mdocdate: July 3 2015 $	37	.Dd $Mdocdate: February 17 2016 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -275,14 +275,12 @@ though this can be changed via the
275	.Cm Protocol	275	.Cm Protocol
276	option in	276	option in
277	.Xr sshd_config 5 .	277	.Xr sshd_config 5 .
278	Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;	278	Protocol 1 should not be used
279	protocol 1 only supports RSA keys.	279	and is only offered to support legacy devices.
280	For both protocols,
281	each host has a host-specific key,
282	normally 2048 bits,
283	used to identify the host.
284	.Pp	280	.Pp
285	Forward security for protocol 1 is provided through	281	Each host has a host-specific key,
		282	used to identify the host.
		283	Partial forward security for protocol 1 is provided through
286	an additional server key,	284	an additional server key,
287	normally 1024 bits,	285	normally 1024 bits,
288	generated when the server starts.	286	generated when the server starts.
@@ -470,7 +468,7 @@ does not exist either, xauth is used to add the cookie.
470	.Cm AuthorizedKeysFile	468	.Cm AuthorizedKeysFile
471	specifies the files containing public keys for	469	specifies the files containing public keys for
472	public key authentication;	470	public key authentication;
473	if none is specified, the default is	471	if this option is not specified, the default is
474	.Pa ~/.ssh/authorized_keys	472	.Pa ~/.ssh/authorized_keys
475	and	473	and
476	.Pa ~/.ssh/authorized_keys2 .	474	.Pa ~/.ssh/authorized_keys2 .
@@ -522,6 +520,10 @@ No spaces are permitted, except within double quotes.
522	The following option specifications are supported (note	520	The following option specifications are supported (note
523	that option keywords are case-insensitive):	521	that option keywords are case-insensitive):
524	.Bl -tag -width Ds	522	.Bl -tag -width Ds
		523	.It Cm agent-forwarding
		524	Enable authentication agent forwarding previously disabled by the
		525	.Cm restrict
		526	option.
525	.It Cm cert-authority	527	.It Cm cert-authority
526	Specifies that the listed key is a certification authority (CA) that is	528	Specifies that the listed key is a certification authority (CA) that is
527	trusted to validate signed certificates for user authentication.	529	trusted to validate signed certificates for user authentication.
@@ -616,6 +618,9 @@ they must be literal domains or addresses.
616	A port specification of	618	A port specification of
617	.Cm *	619	.Cm *
618	matches any port.	620	matches any port.
		621	.It Cm port-forwarding
		622	Enable port forwarding previously disabled by the
		623	.Cm restrict
619	.It Cm principals="principals"	624	.It Cm principals="principals"
620	On a	625	On a
621	.Cm cert-authority	626	.Cm cert-authority
@@ -627,12 +632,33 @@ This option is ignored for keys that are not marked as trusted certificate
627	signers using the	632	signers using the
628	.Cm cert-authority	633	.Cm cert-authority
629	option.	634	option.
		635	.It Cm pty
		636	Permits tty allocation previously disabled by the
		637	.Cm restrict
		638	option.
		639	.It Cm restrict
		640	Enable all restrictions, i.e. disable port, agent and X11 forwarding,
		641	as well as disabling PTY allocation
		642	and execution of
		643	.Pa ~/.ssh/rc .
		644	If any future restriction capabilities are added to authorized_keys files
		645	they will be included in this set.
630	.It Cm tunnel="n"	646	.It Cm tunnel="n"
631	Force a	647	Force a
632	.Xr tun 4	648	.Xr tun 4
633	device on the server.	649	device on the server.
634	Without this option, the next available device will be used if	650	Without this option, the next available device will be used if
635	the client requests a tunnel.	651	the client requests a tunnel.
		652	.It Cm user-rc
		653	Enables execution of
		654	.Pa ~/.ssh/rc
		655	previously disabled by the
		656	.Cm restrict
		657	option.
		658	.It Cm X11-forwarding
		659	Permits X11 forwarding previously disabled by the
		660	.Cm restrict
		661	option.
636	.El	662	.El
637	.Pp	663	.Pp
638	An example authorized_keys file:	664	An example authorized_keys file:
@@ -647,6 +673,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
647	AAAAB5...21S==	673	AAAAB5...21S==
648	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==	674	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
649	jane@example.net	675	jane@example.net
		676	restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
		677	user@example.net
		678	restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
		679	user@example.net
650	.Ed	680	.Ed
651	.Sh SSH_KNOWN_HOSTS FILE FORMAT	681	.Sh SSH_KNOWN_HOSTS FILE FORMAT
652	The	682	The
@@ -856,9 +886,12 @@ This file is for host-based authentication (see
856	It should only be writable by root.	886	It should only be writable by root.
857	.Pp	887	.Pp
858	.It Pa /etc/moduli	888	.It Pa /etc/moduli
859	Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".	889	Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
		890	key exchange method.
860	The file format is described in	891	The file format is described in
861	.Xr moduli 5 .	892	.Xr moduli 5 .
		893	If no usable groups are found in this file then fixed internal groups will
		894	be used.
862	.Pp	895	.Pp
863	.It Pa /etc/motd	896	.It Pa /etc/motd
864	See	897	See