1 files changed, 44 insertions, 11 deletions
diff --git a/sshd.8 b/sshd.8
index 17b917c06..4e7556736 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $
-.Dd $Mdocdate: July 3 2015 $
+.Dd $Mdocdate: February 17 2016 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -278,14 +278,12 @@ though this can be changed via the
 .Cm Protocol
 option in
 .Xr sshd_config 5 .
-Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
+Protocol 1 should not be used
-protocol 1 only supports RSA keys.
+and is only offered to support legacy devices.
-For both protocols,
-each host has a host-specific key,
-normally 2048 bits,
-used to identify the host.
 .Pp
-Forward security for protocol 1 is provided through
+Each host has a host-specific key,
+used to identify the host.
+Partial forward security for protocol 1 is provided through
 an additional server key,
 normally 1024 bits,
 generated when the server starts.
@@ -473,7 +471,7 @@ does not exist either, xauth is used to add the cookie.
 .Cm AuthorizedKeysFile
 specifies the files containing public keys for
 public key authentication;
-if none is specified, the default is
+if this option is not specified, the default is
 .Pa ~/.ssh/authorized_keys
 and
 .Pa ~/.ssh/authorized_keys2 .
@@ -525,6 +523,10 @@ No spaces are permitted, except within double quotes.
 The following option specifications are supported (note
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
+.It Cm agent-forwarding
+Enable authentication agent forwarding previously disabled by the
+.Cm restrict
+option.
 .It Cm cert-authority
 Specifies that the listed key is a certification authority (CA) that is
 trusted to validate signed certificates for user authentication.
@@ -619,6 +621,9 @@ they must be literal domains or addresses.
 A port specification of
 .Cm *
 matches any port.
+.It Cm port-forwarding
+Enable port forwarding previously disabled by the
+.Cm restrict
 .It Cm principals="principals"
 On a
 .Cm cert-authority
@@ -630,12 +635,33 @@ This option is ignored for keys that are not marked as trusted certificate
 signers using the
 .Cm cert-authority
 option.
+.It Cm pty
+Permits tty allocation previously disabled by the
+.Cm restrict
+option.
+.It Cm restrict
+Enable all restrictions, i.e. disable port, agent and X11 forwarding,
+as well as disabling PTY allocation
+and execution of
+.Pa ~/.ssh/rc .
+If any future restriction capabilities are added to authorized_keys files
+they will be included in this set.
 .It Cm tunnel="n"
 Force a
 .Xr tun 4
 device on the server.
 Without this option, the next available device will be used if
 the client requests a tunnel.
+.It Cm user-rc
+Enables execution of
+.Pa ~/.ssh/rc
+previously disabled by the
+.Cm restrict
+option.
+.It Cm X11-forwarding
+Permits X11 forwarding previously disabled by the
+.Cm restrict
+option.
 .El
 .Pp
 An example authorized_keys file:
@@ -650,6 +676,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
+restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
+user@example.net
+restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
+user@example.net
 .Ed
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The
@@ -865,9 +895,12 @@ This file is for host-based authentication (see
 It should only be writable by root.
 .Pp
 .It Pa /etc/ssh/moduli
-Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
+key exchange method.
 The file format is described in
 .Xr moduli 5 .
+If no usable groups are found in this file then fixed internal groups will
+be used.
 .Pp
 .It Pa /etc/motd
 See

diff --git a/sshd.8 b/sshd.8 index 17b917c06..4e7556736 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $	36	.\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $
37	.Dd $Mdocdate: July 3 2015 $	37	.Dd $Mdocdate: February 17 2016 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -278,14 +278,12 @@ though this can be changed via the
278	.Cm Protocol	278	.Cm Protocol
279	option in	279	option in
280	.Xr sshd_config 5 .	280	.Xr sshd_config 5 .
281	Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;	281	Protocol 1 should not be used
282	protocol 1 only supports RSA keys.	282	and is only offered to support legacy devices.
283	For both protocols,
284	each host has a host-specific key,
285	normally 2048 bits,
286	used to identify the host.
287	.Pp	283	.Pp
288	Forward security for protocol 1 is provided through	284	Each host has a host-specific key,
		285	used to identify the host.
		286	Partial forward security for protocol 1 is provided through
289	an additional server key,	287	an additional server key,
290	normally 1024 bits,	288	normally 1024 bits,
291	generated when the server starts.	289	generated when the server starts.
@@ -473,7 +471,7 @@ does not exist either, xauth is used to add the cookie.
473	.Cm AuthorizedKeysFile	471	.Cm AuthorizedKeysFile
474	specifies the files containing public keys for	472	specifies the files containing public keys for
475	public key authentication;	473	public key authentication;
476	if none is specified, the default is	474	if this option is not specified, the default is
477	.Pa ~/.ssh/authorized_keys	475	.Pa ~/.ssh/authorized_keys
478	and	476	and
479	.Pa ~/.ssh/authorized_keys2 .	477	.Pa ~/.ssh/authorized_keys2 .
@@ -525,6 +523,10 @@ No spaces are permitted, except within double quotes.
525	The following option specifications are supported (note	523	The following option specifications are supported (note
526	that option keywords are case-insensitive):	524	that option keywords are case-insensitive):
527	.Bl -tag -width Ds	525	.Bl -tag -width Ds
		526	.It Cm agent-forwarding
		527	Enable authentication agent forwarding previously disabled by the
		528	.Cm restrict
		529	option.
528	.It Cm cert-authority	530	.It Cm cert-authority
529	Specifies that the listed key is a certification authority (CA) that is	531	Specifies that the listed key is a certification authority (CA) that is
530	trusted to validate signed certificates for user authentication.	532	trusted to validate signed certificates for user authentication.
@@ -619,6 +621,9 @@ they must be literal domains or addresses.
619	A port specification of	621	A port specification of
620	.Cm *	622	.Cm *
621	matches any port.	623	matches any port.
		624	.It Cm port-forwarding
		625	Enable port forwarding previously disabled by the
		626	.Cm restrict
622	.It Cm principals="principals"	627	.It Cm principals="principals"
623	On a	628	On a
624	.Cm cert-authority	629	.Cm cert-authority
@@ -630,12 +635,33 @@ This option is ignored for keys that are not marked as trusted certificate
630	signers using the	635	signers using the
631	.Cm cert-authority	636	.Cm cert-authority
632	option.	637	option.
		638	.It Cm pty
		639	Permits tty allocation previously disabled by the
		640	.Cm restrict
		641	option.
		642	.It Cm restrict
		643	Enable all restrictions, i.e. disable port, agent and X11 forwarding,
		644	as well as disabling PTY allocation
		645	and execution of
		646	.Pa ~/.ssh/rc .
		647	If any future restriction capabilities are added to authorized_keys files
		648	they will be included in this set.
633	.It Cm tunnel="n"	649	.It Cm tunnel="n"
634	Force a	650	Force a
635	.Xr tun 4	651	.Xr tun 4
636	device on the server.	652	device on the server.
637	Without this option, the next available device will be used if	653	Without this option, the next available device will be used if
638	the client requests a tunnel.	654	the client requests a tunnel.
		655	.It Cm user-rc
		656	Enables execution of
		657	.Pa ~/.ssh/rc
		658	previously disabled by the
		659	.Cm restrict
		660	option.
		661	.It Cm X11-forwarding
		662	Permits X11 forwarding previously disabled by the
		663	.Cm restrict
		664	option.
639	.El	665	.El
640	.Pp	666	.Pp
641	An example authorized_keys file:	667	An example authorized_keys file:
@@ -650,6 +676,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
650	AAAAB5...21S==	676	AAAAB5...21S==
651	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==	677	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
652	jane@example.net	678	jane@example.net
		679	restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
		680	user@example.net
		681	restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
		682	user@example.net
653	.Ed	683	.Ed
654	.Sh SSH_KNOWN_HOSTS FILE FORMAT	684	.Sh SSH_KNOWN_HOSTS FILE FORMAT
655	The	685	The
@@ -865,9 +895,12 @@ This file is for host-based authentication (see
865	It should only be writable by root.	895	It should only be writable by root.
866	.Pp	896	.Pp
867	.It Pa /etc/ssh/moduli	897	.It Pa /etc/ssh/moduli
868	Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".	898	Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
		899	key exchange method.
869	The file format is described in	900	The file format is described in
870	.Xr moduli 5 .	901	.Xr moduli 5 .
		902	If no usable groups are found in this file then fixed internal groups will
		903	be used.
871	.Pp	904	.Pp
872	.It Pa /etc/motd	905	.It Pa /etc/motd
873	See	906	See