1 files changed, 85 insertions, 28 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 641041852..1cc7459f8 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -262,7 +262,11 @@ DESCRIPTION
     Ciphers
             Specifies the ciphers allowed for protocol version 2.  Multiple
-             ciphers must be comma-separated.  The supported ciphers are:
+             ciphers must be comma-separated.  If the specified value begins
+             with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be appended
+             to the default set instead of replacing them.
+             The supported ciphers are:
                   3des-cbc
                   aes128-cbc
@@ -394,9 +398,20 @@ DESCRIPTION
     HostbasedAcceptedKeyTypes
             Specifies the key types that will be accepted for hostbased
-             authentication as a comma-separated pattern list.  The default
+             authentication as a comma-separated pattern list.  Alternately if
-             M-bM-^@M-^\*M-bM-^@M-^] will allow all key types.  The -Q option of ssh(1) may be
+             the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
-             used to list supported key types.
+             specified key types will be appended to the default set instead
+             of replacing them.  The default for this option is:
+                ecdsa-sha2-nistp256-cert-v01@openssh.com,
+                ecdsa-sha2-nistp384-cert-v01@openssh.com,
+                ecdsa-sha2-nistp521-cert-v01@openssh.com,
+                ssh-ed25519-cert-v01@openssh.com,
+                ssh-rsa-cert-v01@openssh.com,
+                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+                ssh-ed25519,ssh-rsa
+             The -Q option of ssh(1) may be used to list supported key types.
     HostbasedAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
@@ -425,13 +440,17 @@ DESCRIPTION
             default is /etc/ssh/ssh_host_key for protocol version 1, and
             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
-             protocol version 2.  Note that sshd(8) will refuse to use a file
+             protocol version 2.
-             if it is group/world-accessible.  It is possible to have multiple
-             host key files.  M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^],
+             Note that sshd(8) will refuse to use a file if it is group/world-
-             M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are used for version 2 of the SSH
+             accessible and that the HostKeyAlgorithms option restricts which
-             protocol.  It is also possible to specify public host key files
+             of the keys are actually used by sshd(8).
-             instead.  In this case operations on the private key will be
-             delegated to an ssh-agent(1).
+             It is possible to have multiple host key files.  M-bM-^@M-^\rsa1M-bM-^@M-^] keys are
+             used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are
+             used for version 2 of the SSH protocol.  It is also possible to
+             specify public host key files instead.  In this case operations
+             on the private key will be delegated to an ssh-agent(1).
     HostKeyAgent
             Identifies the UNIX-domain socket used to communicate with an
@@ -439,6 +458,21 @@ DESCRIPTION
             M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be
             read from the SSH_AUTH_SOCK environment variable.
+     HostKeyAlgorithms
+             Specifies the protocol version 2 host key algorithms that the
+             server offers.  The default for this option is:
+                ecdsa-sha2-nistp256-cert-v01@openssh.com,
+                ecdsa-sha2-nistp384-cert-v01@openssh.com,
+                ecdsa-sha2-nistp521-cert-v01@openssh.com,
+                ssh-ed25519-cert-v01@openssh.com,
+                ssh-rsa-cert-v01@openssh.com,
+                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+                ssh-ed25519,ssh-rsa
+             The list of available key types may also be obtained using the -Q
+             option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^].
     IgnoreRhosts
             Specifies that .rhosts and .shosts files will not be used in
             RhostsRSAAuthentication or HostbasedAuthentication.
@@ -493,8 +527,10 @@ DESCRIPTION
     KexAlgorithms
             Specifies the available KEX (Key Exchange) algorithms.  Multiple
-             algorithms must be comma-separated.  The supported algorithms
+             algorithms must be comma-separated.  Alternately if the specified
-             are:
+             value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods
+             will be appended to the default set instead of replacing them.
+             The supported algorithms are:
                   curve25519-sha256@libssh.org
                   diffie-hellman-group1-sha1
@@ -551,9 +587,13 @@ DESCRIPTION
     MACs    Specifies the available MAC (message authentication code)
             algorithms.  The MAC algorithm is used in protocol version 2 for
             data integrity protection.  Multiple algorithms must be comma-
-             separated.  The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC
+             separated.  If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
-             after encryption (encrypt-then-mac).  These are considered safer
+             then the specified algorithms will be appended to the default set
-             and their use recommended.  The supported MACs are:
+             instead of replacing them.
+             The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after
+             encryption (encrypt-then-mac).  These are considered safer and
+             their use recommended.  The supported MACs are:
                   hmac-md5
                   hmac-md5-96
@@ -673,11 +713,13 @@ DESCRIPTION
     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
-             must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or
+             must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^],
-             M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
+             M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^].  The default is
+             M-bM-^@M-^\prohibit-passwordM-bM-^@M-^].
-             If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^], password
+             If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or
-             authentication is disabled for root.
+             M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive
+             authentication are disabled for root.
             If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with
             public key authentication will be allowed, but only if the
@@ -740,9 +782,20 @@ DESCRIPTION
     PubkeyAcceptedKeyTypes
             Specifies the key types that will be accepted for public key
-             authentication as a comma-separated pattern list.  The default
+             authentication as a comma-separated pattern list.  Alternately if
-             M-bM-^@M-^\*M-bM-^@M-^] will allow all key types.  The -Q option of ssh(1) may be
+             the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
-             used to list supported key types.
+             specified key types will be appended to the default set instead
+             of replacing them.  The default for this option is:
+                ecdsa-sha2-nistp256-cert-v01@openssh.com,
+                ecdsa-sha2-nistp384-cert-v01@openssh.com,
+                ecdsa-sha2-nistp521-cert-v01@openssh.com,
+                ssh-ed25519-cert-v01@openssh.com,
+                ssh-rsa-cert-v01@openssh.com,
+                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+                ssh-ed25519,ssh-rsa
+             The -Q option of ssh(1) may be used to list supported key types.
     PubkeyAuthentication
             Specifies whether public key authentication is allowed.  The
@@ -786,7 +839,7 @@ DESCRIPTION
     ServerKeyBits
             Defines the number of bits in the ephemeral protocol version 1
-             server key.  The minimum value is 512, and the default is 1024.
+             server key.  The default and minimum value is 1024.
     StreamLocalBindMask
             Sets the octal file creation mode mask (umask) used when creating
@@ -868,9 +921,13 @@ DESCRIPTION
             TrustedUserCAKeys.  For more details on certificates, see the
             CERTIFICATES section in ssh-keygen(1).
-     UseDNS  Specifies whether sshd(8) should look up the remote host name and
+     UseDNS  Specifies whether sshd(8) should look up the remote host name,
-             check that the resolved host name for the remote IP address maps
+             and to check that the resolved host name for the remote IP
-             back to the very same IP address.  The default is M-bM-^@M-^\noM-bM-^@M-^].
+             address maps back to the very same IP address.
+             If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses
+             and not host names may be used in ~/.ssh/known_hosts from and
+             sshd_config(5) Match Host directives.
     UseLogin
             Specifies whether login(1) is used for interactive login
@@ -992,4 +1049,4 @@ AUTHORS
     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
     for privilege separation.
-OpenBSD 5.7                      June 5, 2015                      OpenBSD 5.7
+OpenBSD 5.8                     August 6, 2015                     OpenBSD 5.8

diff --git a/sshd_config.0 b/sshd_config.0 index 641041852..1cc7459f8 100644 --- a/sshd_config.0 +++ b/sshd_config.0
@@ -262,7 +262,11 @@ DESCRIPTION
262		262
263	Ciphers	263	Ciphers
264	Specifies the ciphers allowed for protocol version 2. Multiple	264	Specifies the ciphers allowed for protocol version 2. Multiple
265	ciphers must be comma-separated. The supported ciphers are:	265	ciphers must be comma-separated. If the specified value begins
		266	with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be appended
		267	to the default set instead of replacing them.
		268
		269	The supported ciphers are:
266		270
267	3des-cbc	271	3des-cbc
268	aes128-cbc	272	aes128-cbc
@@ -394,9 +398,20 @@ DESCRIPTION
394		398
395	HostbasedAcceptedKeyTypes	399	HostbasedAcceptedKeyTypes
396	Specifies the key types that will be accepted for hostbased	400	Specifies the key types that will be accepted for hostbased
397	authentication as a comma-separated pattern list. The default	401	authentication as a comma-separated pattern list. Alternately if
398	M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be	402	the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
399	used to list supported key types.	403	specified key types will be appended to the default set instead
		404	of replacing them. The default for this option is:
		405
		406	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		407	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		408	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		409	ssh-ed25519-cert-v01@openssh.com,
		410	ssh-rsa-cert-v01@openssh.com,
		411	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		412	ssh-ed25519,ssh-rsa
		413
		414	The -Q option of ssh(1) may be used to list supported key types.
400		415
401	HostbasedAuthentication	416	HostbasedAuthentication
402	Specifies whether rhosts or /etc/hosts.equiv authentication	417	Specifies whether rhosts or /etc/hosts.equiv authentication
@@ -425,13 +440,17 @@ DESCRIPTION
425	default is /etc/ssh/ssh_host_key for protocol version 1, and	440	default is /etc/ssh/ssh_host_key for protocol version 1, and
426	/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,	441	/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
427	/etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for	442	/etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
428	protocol version 2. Note that sshd(8) will refuse to use a file	443	protocol version 2.
429	if it is group/world-accessible. It is possible to have multiple	444
430	host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^],	445	Note that sshd(8) will refuse to use a file if it is group/world-
431	M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are used for version 2 of the SSH	446	accessible and that the HostKeyAlgorithms option restricts which
432	protocol. It is also possible to specify public host key files	447	of the keys are actually used by sshd(8).
433	instead. In this case operations on the private key will be	448
434	delegated to an ssh-agent(1).	449	It is possible to have multiple host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are
		450	used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are
		451	used for version 2 of the SSH protocol. It is also possible to
		452	specify public host key files instead. In this case operations
		453	on the private key will be delegated to an ssh-agent(1).
435		454
436	HostKeyAgent	455	HostKeyAgent
437	Identifies the UNIX-domain socket used to communicate with an	456	Identifies the UNIX-domain socket used to communicate with an
@@ -439,6 +458,21 @@ DESCRIPTION
439	M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be	458	M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be
440	read from the SSH_AUTH_SOCK environment variable.	459	read from the SSH_AUTH_SOCK environment variable.
441		460
		461	HostKeyAlgorithms
		462	Specifies the protocol version 2 host key algorithms that the
		463	server offers. The default for this option is:
		464
		465	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		466	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		467	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		468	ssh-ed25519-cert-v01@openssh.com,
		469	ssh-rsa-cert-v01@openssh.com,
		470	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		471	ssh-ed25519,ssh-rsa
		472
		473	The list of available key types may also be obtained using the -Q
		474	option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^].
		475
442	IgnoreRhosts	476	IgnoreRhosts
443	Specifies that .rhosts and .shosts files will not be used in	477	Specifies that .rhosts and .shosts files will not be used in
444	RhostsRSAAuthentication or HostbasedAuthentication.	478	RhostsRSAAuthentication or HostbasedAuthentication.
@@ -493,8 +527,10 @@ DESCRIPTION
493		527
494	KexAlgorithms	528	KexAlgorithms
495	Specifies the available KEX (Key Exchange) algorithms. Multiple	529	Specifies the available KEX (Key Exchange) algorithms. Multiple
496	algorithms must be comma-separated. The supported algorithms	530	algorithms must be comma-separated. Alternately if the specified
497	are:	531	value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods
		532	will be appended to the default set instead of replacing them.
		533	The supported algorithms are:
498		534
499	curve25519-sha256@libssh.org	535	curve25519-sha256@libssh.org
500	diffie-hellman-group1-sha1	536	diffie-hellman-group1-sha1
@@ -551,9 +587,13 @@ DESCRIPTION
551	MACs Specifies the available MAC (message authentication code)	587	MACs Specifies the available MAC (message authentication code)
552	algorithms. The MAC algorithm is used in protocol version 2 for	588	algorithms. The MAC algorithm is used in protocol version 2 for
553	data integrity protection. Multiple algorithms must be comma-	589	data integrity protection. Multiple algorithms must be comma-
554	separated. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC	590	separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
555	after encryption (encrypt-then-mac). These are considered safer	591	then the specified algorithms will be appended to the default set
556	and their use recommended. The supported MACs are:	592	instead of replacing them.
		593
		594	The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after
		595	encryption (encrypt-then-mac). These are considered safer and
		596	their use recommended. The supported MACs are:
557		597
558	hmac-md5	598	hmac-md5
559	hmac-md5-96	599	hmac-md5-96
@@ -673,11 +713,13 @@ DESCRIPTION
673		713
674	PermitRootLogin	714	PermitRootLogin
675	Specifies whether root can log in using ssh(1). The argument	715	Specifies whether root can log in using ssh(1). The argument
676	must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or	716	must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^],
677	M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].	717	M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is
		718	M-bM-^@M-^\prohibit-passwordM-bM-^@M-^].
678		719
679	If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^], password	720	If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or
680	authentication is disabled for root.	721	M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive
		722	authentication are disabled for root.
681		723
682	If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with	724	If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with
683	public key authentication will be allowed, but only if the	725	public key authentication will be allowed, but only if the
@@ -740,9 +782,20 @@ DESCRIPTION
740		782
741	PubkeyAcceptedKeyTypes	783	PubkeyAcceptedKeyTypes
742	Specifies the key types that will be accepted for public key	784	Specifies the key types that will be accepted for public key
743	authentication as a comma-separated pattern list. The default	785	authentication as a comma-separated pattern list. Alternately if
744	M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be	786	the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
745	used to list supported key types.	787	specified key types will be appended to the default set instead
		788	of replacing them. The default for this option is:
		789
		790	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		791	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		792	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		793	ssh-ed25519-cert-v01@openssh.com,
		794	ssh-rsa-cert-v01@openssh.com,
		795	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		796	ssh-ed25519,ssh-rsa
		797
		798	The -Q option of ssh(1) may be used to list supported key types.
746		799
747	PubkeyAuthentication	800	PubkeyAuthentication
748	Specifies whether public key authentication is allowed. The	801	Specifies whether public key authentication is allowed. The
@@ -786,7 +839,7 @@ DESCRIPTION
786		839
787	ServerKeyBits	840	ServerKeyBits
788	Defines the number of bits in the ephemeral protocol version 1	841	Defines the number of bits in the ephemeral protocol version 1
789	server key. The minimum value is 512, and the default is 1024.	842	server key. The default and minimum value is 1024.
790		843
791	StreamLocalBindMask	844	StreamLocalBindMask
792	Sets the octal file creation mode mask (umask) used when creating	845	Sets the octal file creation mode mask (umask) used when creating
@@ -868,9 +921,13 @@ DESCRIPTION
868	TrustedUserCAKeys. For more details on certificates, see the	921	TrustedUserCAKeys. For more details on certificates, see the
869	CERTIFICATES section in ssh-keygen(1).	922	CERTIFICATES section in ssh-keygen(1).
870		923
871	UseDNS Specifies whether sshd(8) should look up the remote host name and	924	UseDNS Specifies whether sshd(8) should look up the remote host name,
872	check that the resolved host name for the remote IP address maps	925	and to check that the resolved host name for the remote IP
873	back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^].	926	address maps back to the very same IP address.
		927
		928	If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses
		929	and not host names may be used in ~/.ssh/known_hosts from and
		930	sshd_config(5) Match Host directives.
874		931
875	UseLogin	932	UseLogin
876	Specifies whether login(1) is used for interactive login	933	Specifies whether login(1) is used for interactive login
@@ -992,4 +1049,4 @@ AUTHORS
992	versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support	1049	versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
993	for privilege separation.	1050	for privilege separation.
994		1051
995	OpenBSD 5.7 June 5, 2015 OpenBSD 5.7	1052	OpenBSD 5.8 August 6, 2015 OpenBSD 5.8