1 files changed, 21 insertions, 16 deletions

diff --git a/sshd.8 b/sshd.8
index 8c2306579..378aeb9f5 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.291 2017/06/24 06:28:50 jmc Exp $
-.Dd $Mdocdate: June 24 2017 $
+.\" $OpenBSD: sshd.8,v 1.299 2018/03/14 06:56:20 jmc Exp $
+.Dd $Mdocdate: March 14 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -100,20 +100,22 @@ Specify the connection parameters to use for the
 extended test mode.
 If provided, any
 .Cm Match
-directives in the configuration file
-that would apply to the specified user, host, and address will be set before
-the configuration is written to standard output.
-The connection parameters are supplied as keyword=value pairs.
+directives in the configuration file that would apply are applied before the
+configuration is written to standard output.
+The connection parameters are supplied as keyword=value pairs and may be
+supplied in any order, either with multiple
+.Fl C
+options or as a comma-separated list.
 The keywords are
+.Dq addr,
 .Dq user ,
 .Dq host ,
 .Dq laddr ,
 .Dq lport ,
 and
-.Dq addr .
-All are required and may be supplied in any order, either with multiple
-.Fl C
-options or as a comma-separated list.
+.Dq rdomain
+and correspond to source address, user, resolved source host name,
+local address, local port number and routing domain respectively.
 .It Fl c Ar host_certificate_file
 Specifies a path to a certificate file to identify
 .Nm
@@ -164,10 +166,10 @@ This option must be given if
 is not run as root (as the normal
 host key files are normally not readable by anyone but root).
 The default is
-.Pa /etc/ssh/ssh_host_rsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key
+.Pa /etc/ssh/ssh_host_ecdsa_key ,
+.Pa /etc/ssh/ssh_host_ed25519_key
 and
-.Pa /etc/ssh/ssh_host_ed25519_key .
+.Pa /etc/ssh/ssh_host_rsa_key .
 It is possible to have multiple host key files for
 the different host key algorithms.
 .It Fl i
@@ -451,7 +453,7 @@ or the
 file and edit it.
 .Pp
 .Nm
-enforces a minimum RSA key modulus size of 768 bits.
+enforces a minimum RSA key modulus size of 1024 bits.
 .Pp
 The options (if present) consist of comma-separated option
 specifications.
@@ -511,6 +513,10 @@ Environment processing is disabled by default and is
 controlled via the
 .Cm PermitUserEnvironment
 option.
+.It Cm expiry-time="timespec"
+Specifies a time after which the key will not be accepted.
+The time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS] time
+in the system time-zone.
 .It Cm from="pattern-list"
 Specifies that in addition to public key authentication, either the canonical
 name of the remote host or its IP address must be present in the
@@ -565,6 +571,7 @@ matches any port.
 .It Cm port-forwarding
 Enable port forwarding previously disabled by the
 .Cm restrict
+option.
 .It Cm principals="principals"
 On a
 .Cm cert-authority
@@ -876,7 +883,6 @@ This file is used in exactly the same way as
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
-.It Pa /etc/ssh/ssh_host_dsa_key
 .It Pa /etc/ssh/ssh_host_ecdsa_key
 .It Pa /etc/ssh/ssh_host_ed25519_key
 .It Pa /etc/ssh/ssh_host_rsa_key
@@ -887,7 +893,6 @@ Note that
 .Nm
 does not start if these files are group/world-accessible.
 .Pp
-.It Pa /etc/ssh/ssh_host_dsa_key.pub
 .It Pa /etc/ssh/ssh_host_ecdsa_key.pub
 .It Pa /etc/ssh/ssh_host_ed25519_key.pub
 .It Pa /etc/ssh/ssh_host_rsa_key.pub