path: root/sshd_config.0
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- sshd_config.0 117
1 files changed, 63 insertions, 54 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index bc266317f..7800de312 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -15,11 +15,15 @@ DESCRIPTION
15 The possible keywords and their meanings are as follows (note that key- 15 The possible keywords and their meanings are as follows (note that key-
16 words are case-insensitive and arguments are case-sensitive): 16 words are case-insensitive and arguments are case-sensitive):
17 17
18 AFSTokenPassing
19 Specifies whether an AFS token may be forwarded to the server.
20 Default is M-bM-^@M-^\noM-bM-^@M-^].
21
18 AllowGroups 22 AllowGroups
19 This keyword can be followed by a list of group name patterns, 23 This keyword can be followed by a list of group name patterns,
20 separated by spaces. If specified, login is allowed only for 24 separated by spaces. If specified, login is allowed only for
21 users whose primary group or supplementary group list matches one 25 users whose primary group or supplementary group list matches one
22 of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the 26 of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the
23 patterns. Only group names are valid; a numerical group ID is 27 patterns. Only group names are valid; a numerical group ID is
24 not recognized. By default, login is allowed for all groups. 28 not recognized. By default, login is allowed for all groups.
25 29
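Review bot: the wildcard quoting on the right-hand side of line 26 is broken: ‘?’ has become ‘’? (the closing quote now sits before the question mark), and the same garbling appears in the AllowUsers, DenyGroups and DenyUsers entries later in this patch; the left-hand rendering is the correct one, so the regenerated file needs fixing or the formatter run that produced it needs checking. Taken with the rest of the patch (AFSTokenPassing, KerberosTgtPassing, PAMAuthenticationViaKbdInt, RhostsAuthentication and VerifyReverseMapping added; GSSAPIAuthentication, GSSAPICleanupCredentials, UseDNS and UsePAM removed) this reads as a regeneration of sshd_config.0 from an older manpage source, and the commit message should say which source it was generated from so the documented keywords can be checked against the sshd binary actually being shipped.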
@@ -32,7 +36,7 @@ DESCRIPTION
32 AllowUsers 36 AllowUsers
33 This keyword can be followed by a list of user name patterns, 37 This keyword can be followed by a list of user name patterns,
34 separated by spaces. If specified, login is allowed only for 38 separated by spaces. If specified, login is allowed only for
35 user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be 39 user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be
36 used as wildcards in the patterns. Only user names are valid; a 40 used as wildcards in the patterns. Only user names are valid; a
37 numerical user ID is not recognized. By default, login is 41 numerical user ID is not recognized. By default, login is
38 allowed for all users. If the pattern takes the form USER@HOST 42 allowed for all users. If the pattern takes the form USER@HOST
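Review bot: the only change in this hunk is the misplaced closing quote around the ? wildcard at new line 39 (‘?’ becomes ‘’?); it should match the ‘*’ quoting on the same line, as the left-hand side does, so this hunk should not be merged as is.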
@@ -66,7 +70,7 @@ DESCRIPTION
66 ciphers must be comma-separated. The default is 70 ciphers must be comma-separated. The default is
67 71
68 M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 72 M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
69 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctrM-bM-^@M-^YM-bM-^@M-^Y 73 aes192-cbc,aes256-cbcM-bM-^@M-^YM-bM-^@M-^Y
70 74
71 ClientAliveInterval 75 ClientAliveInterval
72 Sets a timeout interval in seconds after which if no data has 76 Sets a timeout interval in seconds after which if no data has
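Review bot: the documented default Ciphers list at new line 73 loses aes128-ctr, aes192-ctr and aes256-ctr, leaving only CBC-mode ciphers plus arcfour as the default. The documented default must match the compiled-in default of the sshd being shipped: if the binary still negotiates the CTR ciphers by default this text is now wrong, and if it does not, the commit message should say so, because a CBC-only default is the weaker configuration and administrators writing an explicit Ciphers line need to know which names the server will accept.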
@@ -77,18 +81,18 @@ DESCRIPTION
77 81
78 ClientAliveCountMax 82 ClientAliveCountMax
79 Sets the number of client alive messages (see above) which may be 83 Sets the number of client alive messages (see above) which may be
80 sent without sshd receiving any messages back from the client. 84 sent without sshd receiving any messages back from the client. If
81 If this threshold is reached while client alive messages are 85 this threshold is reached while client alive messages are being
82 being sent, sshd will disconnect the client, terminating the ses- 86 sent, sshd will disconnect the client, terminating the session.
83 sion. It is important to note that the use of client alive mes- 87 It is important to note that the use of client alive messages is
84 sages is very different from KeepAlive (below). The client alive 88 very different from KeepAlive (below). The client alive messages
85 messages are sent through the encrypted channel and therefore 89 are sent through the encrypted channel and therefore will not be
86 will not be spoofable. The TCP keepalive option enabled by 90 spoofable. The TCP keepalive option enabled by KeepAlive is
87 KeepAlive is spoofable. The client alive mechanism is valuable 91 spoofable. The client alive mechanism is valuable when the client
88 when the client or server depend on knowing when a connection has 92 or server depend on knowing when a connection has become inac-
89 become inactive. 93 tive.
90 94
91 The default value is 3. If ClientAliveInterval (above) is set to 95 The default value is 3. If ClientAliveInterval (above) is set to
92 15, and ClientAliveCountMax is left at the default, unresponsive 96 15, and ClientAliveCountMax is left at the default, unresponsive
93 ssh clients will be disconnected after approximately 45 seconds. 97 ssh clients will be disconnected after approximately 45 seconds.
94 98
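Review bot: this hunk re-wraps the ClientAliveCountMax paragraph without changing a word (compare old lines 80-89 with new lines 84-93); churn of this kind in a generated file hides the substantive changes, so regenerate with the same formatter and line width as the original, or drop this hunk.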
@@ -100,14 +104,14 @@ DESCRIPTION
100 This keyword can be followed by a list of group name patterns, 104 This keyword can be followed by a list of group name patterns,
101 separated by spaces. Login is disallowed for users whose primary 105 separated by spaces. Login is disallowed for users whose primary
102 group or supplementary group list matches one of the patterns. 106 group or supplementary group list matches one of the patterns.
103 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the patterns. Only group 107 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only
104 names are valid; a numerical group ID is not recognized. By 108 group names are valid; a numerical group ID is not recognized.
105 default, login is allowed for all groups. 109 By default, login is allowed for all groups.
106 110
107 DenyUsers 111 DenyUsers
108 This keyword can be followed by a list of user name patterns, 112 This keyword can be followed by a list of user name patterns,
109 separated by spaces. Login is disallowed for user names that 113 separated by spaces. Login is disallowed for user names that
110 match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards 114 match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards
111 in the patterns. Only user names are valid; a numerical user ID 115 in the patterns. Only user names are valid; a numerical user ID
112 is not recognized. By default, login is allowed for all users. 116 is not recognized. By default, login is allowed for all users.
113 If the pattern takes the form USER@HOST then USER and HOST are 117 If the pattern takes the form USER@HOST then USER and HOST are
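Review bot: new lines 107 and 114 carry the same misplaced quote around the ? wildcard as the AllowGroups and AllowUsers entries (‘?’ rendered as ‘’?); apart from that the DenyGroups paragraph is only re-wrapped. Fix the quoting before merging, since these four entries are the ones administrators copy patterns from.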
@@ -124,16 +128,6 @@ DESCRIPTION
124 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The 128 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
125 default is M-bM-^@M-^\noM-bM-^@M-^]. 129 default is M-bM-^@M-^\noM-bM-^@M-^].
126 130
127 GSSAPIAuthentication
128 Specifies whether user authentication based on GSSAPI is allowed.
129 The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol
130 version 2 only.
131
132 GSSAPICleanupCredentials
133 Specifies whether to automatically destroy the userM-bM-^@M-^Ys credentials
134 cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option
135 applies to protocol version 2 only.
136
137 HostbasedAuthentication 131 HostbasedAuthentication
138 Specifies whether rhosts or /etc/hosts.equiv authentication 132 Specifies whether rhosts or /etc/hosts.equiv authentication
139 together with successful public key client host authentication is 133 together with successful public key client host authentication is
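Review bot: removing the GSSAPIAuthentication and GSSAPICleanupCredentials entries (old lines 127-135) only makes sense if the sshd this manpage ships with no longer accepts those keywords; sshd refuses to start on an unknown configuration keyword, so an existing sshd_config that sets GSSAPIAuthentication would break, and that needs calling out in the commit message. If the binary still supports them, the options merely become undocumented and this hunk should be dropped.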
@@ -152,7 +146,8 @@ DESCRIPTION
152 146
153 IgnoreRhosts 147 IgnoreRhosts
154 Specifies that .rhosts and .shosts files will not be used in 148 Specifies that .rhosts and .shosts files will not be used in
155 RhostsRSAAuthentication or HostbasedAuthentication. 149 RhostsAuthentication, RhostsRSAAuthentication or
150 HostbasedAuthentication.
156 151
157 /etc/hosts.equiv and /etc/shosts.equiv are still used. The 152 /etc/hosts.equiv and /etc/shosts.equiv are still used. The
158 default is M-bM-^@M-^\yesM-bM-^@M-^]. 153 default is M-bM-^@M-^\yesM-bM-^@M-^].
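Review bot: adding RhostsAuthentication to the IgnoreRhosts text at new lines 149-150 is consistent with the RhostsAuthentication entry this patch restores further down, but it should only go in if the shipped sshd actually recognises that keyword; otherwise the cross-reference points at an option that does not exist.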
@@ -178,17 +173,23 @@ DESCRIPTION
178 To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. 173 To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^].
179 174
180 KerberosAuthentication 175 KerberosAuthentication
181 Specifies whether the password provided by the user for 176 Specifies whether Kerberos authentication is allowed. This can
182 PasswordAuthentication will be validated through the Kerberos 177 be in the form of a Kerberos ticket, or if PasswordAuthentication
183 KDC. To use this option, the server needs a Kerberos servtab 178 is yes, the password provided by the user will be validated
184 which allows the verification of the KDCM-bM-^@M-^Ys identity. Default is 179 through the Kerberos KDC. To use this option, the server needs a
185 M-bM-^@M-^\noM-bM-^@M-^]. 180 Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys iden-
181 tity. Default is M-bM-^@M-^\noM-bM-^@M-^].
186 182
187 KerberosOrLocalPasswd 183 KerberosOrLocalPasswd
188 If set then if password authentication through Kerberos fails 184 If set then if password authentication through Kerberos fails
189 then the password will be validated via any additional local 185 then the password will be validated via any additional local
190 mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^]. 186 mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^].
191 187
188 KerberosTgtPassing
189 Specifies whether a Kerberos TGT may be forwarded to the server.
190 Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is
191 actually an AFS kaserver.
192
192 KerberosTicketCleanup 193 KerberosTicketCleanup
193 Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket 194 Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket
194 cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. 195 cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^].
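Review bot: the rewritten KerberosAuthentication text (new lines 176-181) now covers two paths, a Kerberos ticket and, when PasswordAuthentication is yes, password validation through the KDC; it should say plainly that setting PasswordAuthentication no therefore no longer disables Kerberos authentication as a whole. The KerberosTgtPassing entry is added with a default of “no” and the explanation that it only works against an AFS kaserver, which is fine, but readers should also be pointed at the unchanged KerberosOrLocalPasswd entry (default “yes”): a Kerberos failure still falls through to /etc/passwd, so enabling these options does not make Kerberos mandatory.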
@@ -210,7 +211,7 @@ DESCRIPTION
210 ListenAddress [host|IPv6_addr]:port 211 ListenAddress [host|IPv6_addr]:port
211 212
212 If port is not specified, sshd will listen on the address and all 213 If port is not specified, sshd will listen on the address and all
213 prior Port options specified. The default is to listen on all 214 prior Port options specified. The default is to listen on all
214 local addresses. Multiple ListenAddress options are permitted. 215 local addresses. Multiple ListenAddress options are permitted.
215 Additionally, any Port options must precede this option for non 216 Additionally, any Port options must precede this option for non
216 port qualified addresses. 217 port qualified addresses.
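Review bot: no textual change is visible in this hunk (old lines 210-216 and new lines 211-217 read identically), so the difference must be whitespace only, most likely trailing spaces on the ListenAddress line; the PermitRootLogin hunk at -268,7 has the same problem. Confirm with git diff -w and, if nothing remains, drop both hunks so the review is not cluttered with invisible changes.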
@@ -248,6 +249,12 @@ DESCRIPTION
248 and all connection attempts are refused if the number of unau- 249 and all connection attempts are refused if the number of unau-
249 thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). 250 thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60).
250 251
252 PAMAuthenticationViaKbdInt
253 Specifies whether PAM challenge response authentication is
254 allowed. This allows the use of most PAM challenge response
255 authentication modules, but it will allow password authentication
256 regardless of whether PasswordAuthentication is enabled.
257
251 PasswordAuthentication 258 PasswordAuthentication
252 Specifies whether password authentication is allowed. The 259 Specifies whether password authentication is allowed. The
253 default is M-bM-^@M-^\yesM-bM-^@M-^]. 260 default is M-bM-^@M-^\yesM-bM-^@M-^].
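Review bot: the new PAMAuthenticationViaKbdInt entry (new lines 252-257) states no default, unlike every other entry in this file; add it. The sentence that it "will allow password authentication regardless of whether PasswordAuthentication is enabled" is the important one and deserves to come first: an administrator who sets PasswordAuthentication no to force key-based logins gets no such guarantee unless this option is also off, so the text should say explicitly that both must be disabled to turn off password-style authentication.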
@@ -268,7 +275,7 @@ DESCRIPTION
268 If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with 275 If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with
269 public key authentication will be allowed, but only if the 276 public key authentication will be allowed, but only if the
270 command option has been specified (which may be useful for taking 277 command option has been specified (which may be useful for taking
271 remote backups even if root login is normally not allowed). All 278 remote backups even if root login is normally not allowed). All
272 other authentication methods are disabled for root. 279 other authentication methods are disabled for root.
273 280
274 If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. 281 If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login.
@@ -308,10 +315,16 @@ DESCRIPTION
308 PubkeyAuthentication 315 PubkeyAuthentication
309 Specifies whether public key authentication is allowed. The 316 Specifies whether public key authentication is allowed. The
310 default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver- 317 default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver-
311 sion 2 only. RhostsRSAAuthentication should be used instead, 318 sion 2 only.
312 because it performs RSA-based host authentication in addition to 319
313 normal rhosts or /etc/hosts.equiv authentication. The default is 320 RhostsAuthentication
314 M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. 321 Specifies whether authentication using rhosts or /etc/hosts.equiv
322 files is sufficient. Normally, this method should not be permit-
323 ted because it is insecure. RhostsRSAAuthentication should be
324 used instead, because it performs RSA-based host authentication
325 in addition to normal rhosts or /etc/hosts.equiv authentication.
326 The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1
327 only.
315 328
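Review bot: this hunk fixes real corruption on the left-hand side: old lines 311-314 graft the tail of the RhostsAuthentication description onto PubkeyAuthentication, so that paragraph claimed a default of “yes” and then “no” and ended with "applies to protocol version 1 only" under a protocol-2-only option. The right-hand side restores a separate RhostsAuthentication entry (new lines 320-327) with its own default of “no” and the warning that the method is insecure, which is the correct structure. Same caveat as for the other restored keywords: keep the entry only if the shipped sshd recognises RhostsAuthentication.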
316 RhostsRSAAuthentication 329 RhostsRSAAuthentication
317 Specifies whether rhosts or /etc/hosts.equiv authentication 330 Specifies whether rhosts or /etc/hosts.equiv authentication
@@ -348,10 +361,6 @@ DESCRIPTION
348 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The 361 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
349 default is AUTH. 362 default is AUTH.
350 363
351 UseDNS Specifies whether sshd should lookup the remote host name and
352 check that the resolved host name for the remote IP address maps
353 back to the very same IP address. The default is M-bM-^@M-^\yesM-bM-^@M-^].
354
355 UseLogin 364 UseLogin
356 Specifies whether login(1) is used for interactive login ses- 365 Specifies whether login(1) is used for interactive login ses-
357 sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used 366 sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used
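Review bot: removing UseDNS (old lines 351-353) without a note in the commit message will surprise anyone whose sshd_config sets it, because sshd rejects unknown keywords at startup; the patch adds VerifyReverseMapping later as the equivalent option, and the commit message should name both and tell administrators to rename the keyword.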
@@ -360,11 +369,6 @@ DESCRIPTION
360 know how to handle xauth(1) cookies. If UsePrivilegeSeparation 369 know how to handle xauth(1) cookies. If UsePrivilegeSeparation
361 is specified, it will be disabled after authentication. 370 is specified, it will be disabled after authentication.
362 371
363 UsePAM Enables PAM authentication (via challenge-response) and session
364 set up. If you enable this, you should probably disable
365 PasswordAuthentication. If you enable then you will not be able
366 to run sshd as a non-root user.
367
368 UsePrivilegeSeparation 372 UsePrivilegeSeparation
369 Specifies whether sshd separates privileges by creating an 373 Specifies whether sshd separates privileges by creating an
370 unprivileged child process to deal with incoming network traffic. 374 unprivileged child process to deal with incoming network traffic.
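Review bot: deleting the UsePAM entry (old lines 363-366) while adding PAMAuthenticationViaKbdInt elsewhere in this patch switches the documented PAM model, and existing configurations that set UsePAM will fail to load if the keyword is gone from the binary; state in the commit message which sshd this manpage now documents. If UsePAM is still accepted, keep the entry, since its warning that enabling it prevents running sshd as a non-root user is useful to operators.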
@@ -374,6 +378,11 @@ DESCRIPTION
374 taining any corruption within the unprivileged processes. The 378 taining any corruption within the unprivileged processes. The
375 default is M-bM-^@M-^\yesM-bM-^@M-^]. 379 default is M-bM-^@M-^\yesM-bM-^@M-^].
376 380
381 VerifyReverseMapping
382 Specifies whether sshd should try to verify the remote host name
383 and check that the resolved host name for the remote IP address
384 maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^].
385
377 X11DisplayOffset 386 X11DisplayOffset
378 Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for- 387 Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for-
379 warding. This prevents sshd from interfering with real X11 388 warding. This prevents sshd from interfering with real X11
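Review bot: VerifyReverseMapping (new lines 381-385) documents a default of “no”, whereas the UseDNS entry this patch removes had a default of “yes”; if that reflects the binary, the default behaviour changes from checking that the reverse-mapped host name resolves back to the same address to not checking it at all, which weakens hostname-based matching such as the USER@HOST forms in AllowUsers and DenyUsers. A default flip like this belongs in the commit message, and administrators who rely on hostname patterns should set VerifyReverseMapping yes explicitly.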
@@ -391,7 +400,7 @@ DESCRIPTION
391 substitution occur on the client side. The security risk of 400 substitution occur on the client side. The security risk of
392 using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may 401 using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may
393 be exposed to attack when the ssh client requests forwarding (see 402 be exposed to attack when the ssh client requests forwarding (see
394 the warnings for ForwardX11 in ssh_config(5)). A system adminis- 403 the warnings for ForwardX11 in ssh_config(5) ). A system adminis-
395 trator may have a stance in which they want to protect clients 404 trator may have a stance in which they want to protect clients
396 that may expose themselves to attack by unwittingly requesting 405 that may expose themselves to attack by unwittingly requesting
397 X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. 406 X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting.
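Review bot: the only change in this hunk is a stray space before the closing parenthesis at new line 403 ("ssh_config(5) )"), which is a formatter artefact; the left-hand rendering is correct, so either fix the cross-reference punctuation in the manpage source or regenerate with the formatter the original used.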
@@ -445,9 +454,6 @@ FILES
445 writable by root only, but it is recommended (though not neces- 454 writable by root only, but it is recommended (though not neces-
446 sary) that it be world-readable. 455 sary) that it be world-readable.
447 456
448SEE ALSO
449 sshd(8)
450
451AUTHORS 457AUTHORS
452 OpenSSH is a derivative of the original and free ssh 1.2.12 release by 458 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
453 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo 459 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
@@ -456,4 +462,7 @@ AUTHORS
456 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 462 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
457 for privilege separation. 463 for privilege separation.
458 464
465SEE ALSO
466 sshd(8)
467
459BSD September 25, 1999 BSD 468BSD September 25, 1999 BSD
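Review bot: the last two hunks move SEE ALSO from before AUTHORS to after it; mdoc(7) orders SEE ALSO ahead of AUTHORS, so the left-hand layout is the conventional one and the move should be reverted unless the generator in use cannot produce that order. The footer date (September 25, 1999) is unchanged on both sides despite the substantial changes to the option set; check whether it should be bumped along with this regeneration.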