1 files changed, 58 insertions, 16 deletions
diff --git a/sshd.8 b/sshd.8
index 12c2cefec..c4c4181fc 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $
+.\" $OpenBSD: sshd.8,v 1.246 2008/07/02 02:24:18 djm Exp $
-.Dd $Mdocdate: August 16 2007 $
+.Dd $Mdocdate: July 2 2008 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -44,8 +44,9 @@
 .Sh SYNOPSIS
 .Nm sshd
 .Bk -words
-.Op Fl 46Ddeiqt
+.Op Fl 46DdeiqTt
 .Op Fl b Ar bits
+.Op Fl C Ar connection_spec
 .Op Fl f Ar config_file
 .Op Fl g Ar login_grace_time
 .Op Fl h Ar host_key_file
@@ -99,7 +100,25 @@ Forces
 to use IPv6 addresses only.
 .It Fl b Ar bits
 Specifies the number of bits in the ephemeral protocol version 1
-server key (default 768).
+server key (default 1024).
+.It Fl C Ar connection_spec
+Specify the connection parameters to use for the
+.Fl T
+extended test mode.
+If provided, any
+.Cm Match
+directives in the configuration file
+that would apply to the specified user, host, and address will be set before
+the configuration is written to standard output.
+The connection parameters are supplied as keyword=value pairs.
+The keywords are
+.Dq user ,
+.Dq host ,
+and
+.Dq addr .
+All are required and may be supplied in any order, either with multiple
+.Fl C
+options or as a comma-separated list.
 .It Fl D
 When this option is specified,
 .Nm
@@ -191,6 +210,15 @@ Quiet mode.
 Nothing is sent to the system log.
 Normally the beginning,
 authentication, and termination of each connection is logged.
+.It Fl T
+Extended test mode.
+Check the validity of the configuration file, output the effective configuration
+to stdout and then exit.
+Optionally,
+.Cm Match
+rules may be applied by specifying the connection parameters using one or more
+.Fl C
+options.
 .It Fl t
 Test mode.
 Only check the validity of the configuration file and sanity of the keys.
@@ -503,23 +531,27 @@ This option is automatically disabled if
 .Cm UseLogin
 is enabled.
 .It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
+Specifies that in addition to public key authentication, either the canonical
-of the remote host must be present in the comma-separated list of
+name of the remote host or its IP address must be present in the
-patterns.
+comma-separated list of patterns.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
-.Pp
 See
 .Sx PATTERNS
 in
 .Xr ssh_config 5
 for more information on patterns.
+.Pp
+In addition to the wildcard matching that may be applied to hostnames or
+addresses, a
+.Cm from
+stanza may match IP addressess using CIDR address/masklen notation.
+.Pp
+The purpose of this option is to optionally increase security: public key
+authentication by itself does not trust the network or name servers or
+anything (but the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
 .It Cm no-agent-forwarding
 Forbids authentication agent forwarding when this key is used for
 authentication.
@@ -531,6 +563,9 @@ This might be used, e.g. in connection with the
 option.
 .It Cm no-pty
 Prevents tty allocation (a request to allocate a pty will fail).
+.It Cm no-user-rc
+Disables execution of
+.Pa ~/.ssh/rc .
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
@@ -682,6 +717,13 @@ This file is used in exactly the same way as
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
+.It ~/.ssh/
+This directory is the default location for all user-specific configuration
+and authentication information.
+There is no general requirement to keep the entire contents of this directory
+secret, but the recommended permissions are read/write/execute for the user,
+and not accessible by others.
+.Pp
 .It ~/.ssh/authorized_keys
 Lists the public keys (RSA/DSA) that can be used for logging in as this user.
 The format of this file is described above.

diff --git a/sshd.8 b/sshd.8 index 12c2cefec..c4c4181fc 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $	37	.\" $OpenBSD: sshd.8,v 1.246 2008/07/02 02:24:18 djm Exp $
38	.Dd $Mdocdate: August 16 2007 $	38	.Dd $Mdocdate: July 2 2008 $
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -44,8 +44,9 @@
44	.Sh SYNOPSIS	44	.Sh SYNOPSIS
45	.Nm sshd	45	.Nm sshd
46	.Bk -words	46	.Bk -words
47	.Op Fl 46Ddeiqt	47	.Op Fl 46DdeiqTt
48	.Op Fl b Ar bits	48	.Op Fl b Ar bits
		49	.Op Fl C Ar connection_spec
49	.Op Fl f Ar config_file	50	.Op Fl f Ar config_file
50	.Op Fl g Ar login_grace_time	51	.Op Fl g Ar login_grace_time
51	.Op Fl h Ar host_key_file	52	.Op Fl h Ar host_key_file
@@ -99,7 +100,25 @@ Forces
99	to use IPv6 addresses only.	100	to use IPv6 addresses only.
100	.It Fl b Ar bits	101	.It Fl b Ar bits
101	Specifies the number of bits in the ephemeral protocol version 1	102	Specifies the number of bits in the ephemeral protocol version 1
102	server key (default 768).	103	server key (default 1024).
		104	.It Fl C Ar connection_spec
		105	Specify the connection parameters to use for the
		106	.Fl T
		107	extended test mode.
		108	If provided, any
		109	.Cm Match
		110	directives in the configuration file
		111	that would apply to the specified user, host, and address will be set before
		112	the configuration is written to standard output.
		113	The connection parameters are supplied as keyword=value pairs.
		114	The keywords are
		115	.Dq user ,
		116	.Dq host ,
		117	and
		118	.Dq addr .
		119	All are required and may be supplied in any order, either with multiple
		120	.Fl C
		121	options or as a comma-separated list.
103	.It Fl D	122	.It Fl D
104	When this option is specified,	123	When this option is specified,
105	.Nm	124	.Nm
@@ -191,6 +210,15 @@ Quiet mode.
191	Nothing is sent to the system log.	210	Nothing is sent to the system log.
192	Normally the beginning,	211	Normally the beginning,
193	authentication, and termination of each connection is logged.	212	authentication, and termination of each connection is logged.
		213	.It Fl T
		214	Extended test mode.
		215	Check the validity of the configuration file, output the effective configuration
		216	to stdout and then exit.
		217	Optionally,
		218	.Cm Match
		219	rules may be applied by specifying the connection parameters using one or more
		220	.Fl C
		221	options.
194	.It Fl t	222	.It Fl t
195	Test mode.	223	Test mode.
196	Only check the validity of the configuration file and sanity of the keys.	224	Only check the validity of the configuration file and sanity of the keys.
@@ -503,23 +531,27 @@ This option is automatically disabled if
503	.Cm UseLogin	531	.Cm UseLogin
504	is enabled.	532	is enabled.
505	.It Cm from="pattern-list"	533	.It Cm from="pattern-list"
506	Specifies that in addition to public key authentication, the canonical name	534	Specifies that in addition to public key authentication, either the canonical
507	of the remote host must be present in the comma-separated list of	535	name of the remote host or its IP address must be present in the
508	patterns.	536	comma-separated list of patterns.
509	The purpose
510	of this option is to optionally increase security: public key authentication
511	by itself does not trust the network or name servers or anything (but
512	the key); however, if somebody somehow steals the key, the key
513	permits an intruder to log in from anywhere in the world.
514	This additional option makes using a stolen key more difficult (name
515	servers and/or routers would have to be compromised in addition to
516	just the key).
517	.Pp
518	See	537	See
519	.Sx PATTERNS	538	.Sx PATTERNS
520	in	539	in
521	.Xr ssh_config 5	540	.Xr ssh_config 5
522	for more information on patterns.	541	for more information on patterns.
		542	.Pp
		543	In addition to the wildcard matching that may be applied to hostnames or
		544	addresses, a
		545	.Cm from
		546	stanza may match IP addressess using CIDR address/masklen notation.
		547	.Pp
		548	The purpose of this option is to optionally increase security: public key
		549	authentication by itself does not trust the network or name servers or
		550	anything (but the key); however, if somebody somehow steals the key, the key
		551	permits an intruder to log in from anywhere in the world.
		552	This additional option makes using a stolen key more difficult (name
		553	servers and/or routers would have to be compromised in addition to
		554	just the key).
523	.It Cm no-agent-forwarding	555	.It Cm no-agent-forwarding
524	Forbids authentication agent forwarding when this key is used for	556	Forbids authentication agent forwarding when this key is used for
525	authentication.	557	authentication.
@@ -531,6 +563,9 @@ This might be used, e.g. in connection with the
531	option.	563	option.
532	.It Cm no-pty	564	.It Cm no-pty
533	Prevents tty allocation (a request to allocate a pty will fail).	565	Prevents tty allocation (a request to allocate a pty will fail).
		566	.It Cm no-user-rc
		567	Disables execution of
		568	.Pa ~/.ssh/rc .
534	.It Cm no-X11-forwarding	569	.It Cm no-X11-forwarding
535	Forbids X11 forwarding when this key is used for authentication.	570	Forbids X11 forwarding when this key is used for authentication.
536	Any X11 forward requests by the client will return an error.	571	Any X11 forward requests by the client will return an error.
@@ -682,6 +717,13 @@ This file is used in exactly the same way as
682	but allows host-based authentication without permitting login with	717	but allows host-based authentication without permitting login with
683	rlogin/rsh.	718	rlogin/rsh.
684	.Pp	719	.Pp
		720	.It ~/.ssh/
		721	This directory is the default location for all user-specific configuration
		722	and authentication information.
		723	There is no general requirement to keep the entire contents of this directory
		724	secret, but the recommended permissions are read/write/execute for the user,
		725	and not accessible by others.
		726	.Pp
685	.It ~/.ssh/authorized_keys	727	.It ~/.ssh/authorized_keys
686	Lists the public keys (RSA/DSA) that can be used for logging in as this user.	728	Lists the public keys (RSA/DSA) that can be used for logging in as this user.
687	The format of this file is described above.	729	The format of this file is described above.