1 files changed, 47 insertions, 21 deletions
diff --git a/sshd.8 b/sshd.8
index 46660b16c..27b1a3cf6 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -114,6 +114,29 @@ authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
 .Pp
+Regardless of the authentication type, the account is checked to
+ensure that it is accessible.  An account is not accessible if it is
+locked, listed in
+.Cm DenyUsers
+or its group is listed in
+.Cm DenyGroups
+\&.  The definition of a locked account is system dependant. Some platforms
+have their own account database (eg AIX) and some modify the passwd field (
+.Ql \&*LK\&*
+on Solaris,
+.Ql \&*
+on HP-UX, containing
+.Ql Nologin
+on Tru64 and a leading
+.Ql \&!!
+on Linux).  If there is a requirement to disable password authentication
+for the account while allowing still public-key, then the passwd field
+should be set to something other than these values (eg
+.Ql NP
+or
+.Ql \&*NP\&*
+).
+.Pp
 Rhosts authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.
@@ -295,7 +318,6 @@ may also be used to prevent
 from making DNS requests unless the authentication
 mechanism or configuration requires it.
 Authentication mechanisms that may require DNS include
-.Cm RhostsAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm HostbasedAuthentication
 and using a
@@ -432,13 +454,13 @@ that option keywords are case-insensitive):
 Specifies that in addition to public key authentication, the canonical name
 of the remote host must be present in the comma-separated list of
 patterns
-.Pf ( Ql *
+.Pf ( Ql \&*
 and
-.Ql ?
+.Ql \&?
 serve as wildcards).
 The list may also contain
 patterns negated by prefixing them with
-.Ql ! ;
+.Ql \&! ;
 if the canonical host name matches a negated pattern, the key is not accepted.
 The purpose
 of this option is to optionally increase security: public key authentication
@@ -500,9 +522,9 @@ IPv6 addresses can be specified with an alternative syntax:
 .Ar host/port .
 Multiple
 .Cm permitopen
-options may be applied separated by commas. No pattern matching is
+options may be applied separated by commas.
-performed on the specified hostnames, they must be literal domains or
+No pattern matching is performed on the specified hostnames,
-addresses.
+they must be literal domains or addresses.
 .El
 .Ss Examples
 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
@@ -527,12 +549,16 @@ Each line in these files contains the following fields: hostnames,
 bits, exponent, modulus, comment.
 The fields are separated by spaces.
 .Pp
-Hostnames is a comma-separated list of patterns ('*' and '?' act as
+Hostnames is a comma-separated list of patterns
+.Pf ( Ql \&*
+and
+.Ql \&?
+act as
 wildcards); each pattern in turn is matched against the canonical host
 name (when authenticating a client) or against the user-supplied
 name (when authenticating a server).
 A pattern may also be preceded by
-.Ql !
+.Ql \&!
 to indicate negation: if the host name matches a negated
 pattern, it is not accepted (by that line) even if it matched another
 pattern on the line.
@@ -770,17 +796,6 @@ This can be used to specify
 machine-specific login-time initializations globally.
 This file should be writable only by root, and should be world-readable.
 .El
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
-Niels Provos and Markus Friedl contributed support
-for privilege separation.
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,
@@ -812,3 +827,14 @@ for privilege separation.
 .%D January 2002
 .%O work in progress material
 .Re
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+Niels Provos and Markus Friedl contributed support
+for privilege separation.

diff --git a/sshd.8 b/sshd.8 index 46660b16c..27b1a3cf6 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $	37	.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -114,6 +114,29 @@ authentication combined with RSA host
114	authentication, RSA challenge-response authentication, or password	114	authentication, RSA challenge-response authentication, or password
115	based authentication.	115	based authentication.
116	.Pp	116	.Pp
		117	Regardless of the authentication type, the account is checked to
		118	ensure that it is accessible. An account is not accessible if it is
		119	locked, listed in
		120	.Cm DenyUsers
		121	or its group is listed in
		122	.Cm DenyGroups
		123	\&. The definition of a locked account is system dependant. Some platforms
		124	have their own account database (eg AIX) and some modify the passwd field (
		125	.Ql \&LK\&
		126	on Solaris,
		127	.Ql \&*
		128	on HP-UX, containing
		129	.Ql Nologin
		130	on Tru64 and a leading
		131	.Ql \&!!
		132	on Linux). If there is a requirement to disable password authentication
		133	for the account while allowing still public-key, then the passwd field
		134	should be set to something other than these values (eg
		135	.Ql NP
		136	or
		137	.Ql \&NP\&
		138	).
		139	.Pp
117	Rhosts authentication is normally disabled	140	Rhosts authentication is normally disabled
118	because it is fundamentally insecure, but can be enabled in the server	141	because it is fundamentally insecure, but can be enabled in the server
119	configuration file if desired.	142	configuration file if desired.
@@ -295,7 +318,6 @@ may also be used to prevent
295	from making DNS requests unless the authentication	318	from making DNS requests unless the authentication
296	mechanism or configuration requires it.	319	mechanism or configuration requires it.
297	Authentication mechanisms that may require DNS include	320	Authentication mechanisms that may require DNS include
298	.Cm RhostsAuthentication ,
299	.Cm RhostsRSAAuthentication ,	321	.Cm RhostsRSAAuthentication ,
300	.Cm HostbasedAuthentication	322	.Cm HostbasedAuthentication
301	and using a	323	and using a
@@ -432,13 +454,13 @@ that option keywords are case-insensitive):
432	Specifies that in addition to public key authentication, the canonical name	454	Specifies that in addition to public key authentication, the canonical name
433	of the remote host must be present in the comma-separated list of	455	of the remote host must be present in the comma-separated list of
434	patterns	456	patterns
435	.Pf ( Ql *	457	.Pf ( Ql \&*
436	and	458	and
437	.Ql ?	459	.Ql \&?
438	serve as wildcards).	460	serve as wildcards).
439	The list may also contain	461	The list may also contain
440	patterns negated by prefixing them with	462	patterns negated by prefixing them with
441	.Ql ! ;	463	.Ql \&! ;
442	if the canonical host name matches a negated pattern, the key is not accepted.	464	if the canonical host name matches a negated pattern, the key is not accepted.
443	The purpose	465	The purpose
444	of this option is to optionally increase security: public key authentication	466	of this option is to optionally increase security: public key authentication
@@ -500,9 +522,9 @@ IPv6 addresses can be specified with an alternative syntax:
500	.Ar host/port .	522	.Ar host/port .
501	Multiple	523	Multiple
502	.Cm permitopen	524	.Cm permitopen
503	options may be applied separated by commas. No pattern matching is	525	options may be applied separated by commas.
504	performed on the specified hostnames, they must be literal domains or	526	No pattern matching is performed on the specified hostnames,
505	addresses.	527	they must be literal domains or addresses.
506	.El	528	.El
507	.Ss Examples	529	.Ss Examples
508	1024 33 12121.\\|.\\|.\\|312314325 ylo@foo.bar	530	1024 33 12121.\\|.\\|.\\|312314325 ylo@foo.bar
@@ -527,12 +549,16 @@ Each line in these files contains the following fields: hostnames,
527	bits, exponent, modulus, comment.	549	bits, exponent, modulus, comment.
528	The fields are separated by spaces.	550	The fields are separated by spaces.
529	.Pp	551	.Pp
530	Hostnames is a comma-separated list of patterns ('*' and '?' act as	552	Hostnames is a comma-separated list of patterns
		553	.Pf ( Ql \&*
		554	and
		555	.Ql \&?
		556	act as
531	wildcards); each pattern in turn is matched against the canonical host	557	wildcards); each pattern in turn is matched against the canonical host
532	name (when authenticating a client) or against the user-supplied	558	name (when authenticating a client) or against the user-supplied
533	name (when authenticating a server).	559	name (when authenticating a server).
534	A pattern may also be preceded by	560	A pattern may also be preceded by
535	.Ql !	561	.Ql \&!
536	to indicate negation: if the host name matches a negated	562	to indicate negation: if the host name matches a negated
537	pattern, it is not accepted (by that line) even if it matched another	563	pattern, it is not accepted (by that line) even if it matched another
538	pattern on the line.	564	pattern on the line.
@@ -770,17 +796,6 @@ This can be used to specify
770	machine-specific login-time initializations globally.	796	machine-specific login-time initializations globally.
771	This file should be writable only by root, and should be world-readable.	797	This file should be writable only by root, and should be world-readable.
772	.El	798	.El
773	.Sh AUTHORS
774	OpenSSH is a derivative of the original and free
775	ssh 1.2.12 release by Tatu Ylonen.
776	Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
777	Theo de Raadt and Dug Song
778	removed many bugs, re-added newer features and
779	created OpenSSH.
780	Markus Friedl contributed the support for SSH
781	protocol versions 1.5 and 2.0.
782	Niels Provos and Markus Friedl contributed support
783	for privilege separation.
784	.Sh SEE ALSO	799	.Sh SEE ALSO
785	.Xr scp 1 ,	800	.Xr scp 1 ,
786	.Xr sftp 1 ,	801	.Xr sftp 1 ,
@@ -812,3 +827,14 @@ for privilege separation.
812	.%D January 2002	827	.%D January 2002
813	.%O work in progress material	828	.%O work in progress material
814	.Re	829	.Re
		830	.Sh AUTHORS
		831	OpenSSH is a derivative of the original and free
		832	ssh 1.2.12 release by Tatu Ylonen.
		833	Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
		834	Theo de Raadt and Dug Song
		835	removed many bugs, re-added newer features and
		836	created OpenSSH.
		837	Markus Friedl contributed the support for SSH
		838	protocol versions 1.5 and 2.0.
		839	Niels Provos and Markus Friedl contributed support
		840	for privilege separation.