path: root/sshd_config.0
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- sshd_config.0 101
1 files changed, 78 insertions, 23 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 0b340ad20..15a6c9004 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -34,6 +34,12 @@ DESCRIPTION
34 arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' 34 arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
35 (use IPv6 only). The default is ``any''. 35 (use IPv6 only). The default is ``any''.
36 36
37 AllowAgentForwarding
38 Specifies whether ssh-agent(1) forwarding is permitted. The de-
39 fault is ``yes''. Note that disabling agent forwarding does not
40 improve security unless users are also denied shell access, as
41 they can always install their own forwarders.
42
37 AllowGroups 43 AllowGroups
38 This keyword can be followed by a list of group name patterns, 44 This keyword can be followed by a list of group name patterns,
39 separated by spaces. If specified, login is allowed only for 45 separated by spaces. If specified, login is allowed only for
@@ -76,10 +82,9 @@ DESCRIPTION
76 path or one relative to the user's home directory. The default 82 path or one relative to the user's home directory. The default
77 is ``.ssh/authorized_keys''. 83 is ``.ssh/authorized_keys''.
78 84
79 Banner In some jurisdictions, sending a warning message before authenti- 85 Banner The contents of the specified file are sent to the remote user
80 cation may be relevant for getting legal protection. The con- 86 before authentication is allowed. If the argument is ``none''
81 tents of the specified file are sent to the remote user before 87 then no banner is displayed. This option is only available for
82 authentication is allowed. This option is only available for
83 protocol version 2. By default, no banner is displayed. 88 protocol version 2. By default, no banner is displayed.
84 89
85 ChallengeResponseAuthentication 90 ChallengeResponseAuthentication
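Review bot: the rewritten Banner entry (new lines 85-88) now says both that an argument of ``none'' displays no banner and that ``By default, no banner is displayed''; the second sentence should follow the convention used by the other keywords and read ``The default is ``none''.'', which also tells the reader what to write inside a Match block to suppress a global banner. Dropping the sentence about legal protection removes the only statement of why the option exists; if it was removed as jurisdiction-specific, a neutral phrase such as ``typically a warning message'' would keep the purpose visible.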
@@ -87,6 +92,28 @@ DESCRIPTION
87 All authentication styles from login.conf(5) are supported. The 92 All authentication styles from login.conf(5) are supported. The
88 default is ``yes''. 93 default is ``yes''.
89 94
95 ChrootDirectory
96 Specifies a path to chroot(2) to after authentication. This
97 path, and all its components, must be root-owned directories that
98 are not writable by any other user or group.
99
100 The path may contain the following tokens that are expanded at
101 runtime once the connecting user has been authenticated: %% is
102 replaced by a literal '%', %h is replaced by the home directory
103 of the user being authenticated, and %u is replaced by the user-
104 name of that user.
105
106 The ChrootDirectory must contain the necessary files and directo-
107 ries to support the users' session. For an interactive session
108 this requires at least a shell, typically sh(1), and basic /dev
109 nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
110 arandom(4) and tty(4) devices. For file transfer sessions using
111 ``sftp'', no additional configuration of the environment is nec-
112 essary if the in-process sftp server is used (see Subsystem for
113 details).
114
115 The default is not to chroot(2).
116
90 Ciphers 117 Ciphers
91 Specifies the ciphers allowed for protocol version 2. Multiple 118 Specifies the ciphers allowed for protocol version 2. Multiple
92 ciphers must be comma-separated. The supported ciphers are 119 ciphers must be comma-separated. The supported ciphers are
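Review bot: the %h token (new line 102) conflicts in practice with the ownership rule a few lines above (new lines 97-98): a user's home directory is normally owned and writable by that user, so ``ChrootDirectory %h'' will fail the root-owned, not-writable requirement unless home directories are arranged specially, and the entry should say so or give the working pattern of a root-owned parent with a user-writable subdirectory beneath it. It would also help to state what sshd(8) does when the ownership check fails, since that is the first thing an administrator enabling this will hit.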
@@ -156,12 +183,15 @@ DESCRIPTION
156 183
157 ForceCommand 184 ForceCommand
158 Forces the execution of the command specified by ForceCommand, 185 Forces the execution of the command specified by ForceCommand,
159 ignoring any command supplied by the client. The command is in- 186 ignoring any command supplied by the client and ~/.ssh/rc if pre-
160 voked by using the user's login shell with the -c option. This 187 sent. The command is invoked by using the user's login shell
161 applies to shell, command, or subsystem execution. It is most 188 with the -c option. This applies to shell, command, or subsystem
162 useful inside a Match block. The command originally supplied by 189 execution. It is most useful inside a Match block. The command
163 the client is available in the SSH_ORIGINAL_COMMAND environment 190 originally supplied by the client is available in the
164 variable. 191 SSH_ORIGINAL_COMMAND environment variable. Specifying a command
192 of ``internal-sftp'' will force the use of an in-process sftp
193 server that requires no support files when used with
194 ChrootDirectory.
165 195
166 GatewayPorts 196 GatewayPorts
167 Specifies whether remote hosts are allowed to connect to ports 197 Specifies whether remote hosts are allowed to connect to ports
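Review bot: the added ``internal-sftp'' sentence (new lines 191-194) should cross-reference the Subsystem entry, where the same name is introduced, and make clear that the ForceCommand form is the one that restricts a user to sftp only: per new lines 187-188 it applies to shell, command and subsystem execution, whereas a Subsystem line only takes effect when the client asks for that subsystem. The new wording that ~/.ssh/rc is ignored (new lines 186-187) deserves to be stated directly rather than as an aside, since a user-controlled rc file run at login is exactly the kind of hook a forced command must not honour.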
@@ -290,22 +320,40 @@ DESCRIPTION
290 Match Introduces a conditional block. If all of the criteria on the 320 Match Introduces a conditional block. If all of the criteria on the
291 Match line are satisfied, the keywords on the following lines 321 Match line are satisfied, the keywords on the following lines
292 override those set in the global section of the config file, un- 322 override those set in the global section of the config file, un-
293 til either another Match line or the end of the file. The argu- 323 til either another Match line or the end of the file.
294 ments to Match are one or more criteria-pattern pairs. The 324
295 available criteria are User, Group, Host, and Address. Only a 325 The arguments to Match are one or more criteria-pattern pairs.
296 subset of keywords may be used on the lines following a Match 326 The available criteria are User, Group, Host, and Address. The
297 keyword. Available keywords are AllowTcpForwarding, Banner, 327 match patterns may consist of single entries or comma-separated
298 ForceCommand, GatewayPorts, GSSApiAuthentication, 328 lists and may use the wildcard and negation operators described
329 in the PATTERNS section of ssh_config(5).
330
331 The patterns in an Address criteria may additionally contain ad-
332 dresses to match in CIDR address/masklen format, e.g.
333 ``192.0.2.0/24'' or ``3ffe:ffff::/32''. Note that the mask
334 length provided must be consistent with the address - it is an
335 error to specify a mask length that is too long for the address
336 or one with bits set in this host portion of the address. For
337 example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively.
338
339 Only a subset of keywords may be used on the lines following a
340 Match keyword. Available keywords are AllowTcpForwarding,
341 Banner, ChrootDirectory, ForceCommand, GatewayPorts,
342 GSSAPIAuthentication, HostbasedAuthentication,
299 KbdInteractiveAuthentication, KerberosAuthentication, 343 KbdInteractiveAuthentication, KerberosAuthentication,
300 PasswordAuthentication, PermitOpen, RhostsRSAAuthentication, 344 MaxAuthTries, MaxSessions, PasswordAuthentication, PermitOpen,
301 RSAAuthentication, X11DisplayOffset, X11Forwarding, and 345 PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
302 X11UseLocalHost. 346 X11DisplayOffset, X11Forwarding, and X11UseLocalHost.
303 347
304 MaxAuthTries 348 MaxAuthTries
305 Specifies the maximum number of authentication attempts permitted 349 Specifies the maximum number of authentication attempts permitted
306 per connection. Once the number of failures reaches half this 350 per connection. Once the number of failures reaches half this
307 value, additional failures are logged. The default is 6. 351 value, additional failures are logged. The default is 6.
308 352
353 MaxSessions
354 Specifies the maximum number of open sessions permitted per net-
355 work connection. The default is 10.
356
309 MaxStartups 357 MaxStartups
310 Specifies the maximum number of concurrent unauthenticated con- 358 Specifies the maximum number of concurrent unauthenticated con-
311 nections to the SSH daemon. Additional connections will be 359 nections to the SSH daemon. Additional connections will be
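Review bot: new line 336 has ``bits set in this host portion'' where ``the host portion'' is meant, and the example sentence on new line 337 (``For example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively.'') has no verb; ``For example, ``192.0.2.0/33'' (mask too long) and ``192.0.2.0/8'' (host bits set) are both rejected.'' says what each example illustrates. ``an Address criteria'' on new line 331 should be ``the Address criterion''. Separately, the correction from GSSApiAuthentication to GSSAPIAuthentication (old line 298, new line 342) changes the documented spelling of a keyword and deserves a mention as a fix rather than being buried in the reflow of the Match entry.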
@@ -416,7 +464,7 @@ DESCRIPTION
416 464
417 ServerKeyBits 465 ServerKeyBits
418 Defines the number of bits in the ephemeral protocol version 1 466 Defines the number of bits in the ephemeral protocol version 1
419 server key. The minimum value is 512, and the default is 768. 467 server key. The minimum value is 512, and the default is 1024.
420 468
421 StrictModes 469 StrictModes
422 Specifies whether sshd(8) should check file modes and ownership 470 Specifies whether sshd(8) should check file modes and ownership
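Review bot: the default on new line 467 changes from 768 to 1024 while the minimum on the same line stays at 512; because this is the formatted man page, confirm that the daemon's built-in default was changed in the same commit, otherwise the page documents a value sshd(8) does not use. The line already scopes the key to protocol version 1, so no further wording change is needed.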
@@ -428,8 +476,15 @@ DESCRIPTION
428 Subsystem 476 Subsystem
429 Configures an external subsystem (e.g. file transfer daemon). 477 Configures an external subsystem (e.g. file transfer daemon).
430 Arguments should be a subsystem name and a command (with optional 478 Arguments should be a subsystem name and a command (with optional
431 arguments) to execute upon subsystem request. The command 479 arguments) to execute upon subsystem request.
432 sftp-server(8) implements the ``sftp'' file transfer subsystem. 480
481 The command sftp-server(8) implements the ``sftp'' file transfer
482 subsystem.
483
484 Alternately the name ``internal-sftp'' implements an in-process
485 ``sftp'' server. This may simplify configurations using
486 ChrootDirectory to force a different filesystem root on clients.
487
433 By default no subsystems are defined. Note that this option ap- 488 By default no subsystems are defined. Note that this option ap-
434 plies to protocol version 2 only. 489 plies to protocol version 2 only.
435 490
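Review bot: the new ``internal-sftp'' paragraph (new lines 484-486) presents it as simplifying ChrootDirectory setups, but as a Subsystem it only replaces sftp-server(8) when the client requests the ``sftp'' subsystem; a user who requests a shell instead still needs the shell and /dev nodes listed under ChrootDirectory inside the chroot. The paragraph should point to ``ForceCommand internal-sftp'' (new lines 191-194 of this diff) as the way to get an sftp-only chroot that needs no support files, so that the two entries together describe the complete configuration.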
@@ -572,4 +627,4 @@ AUTHORS
572 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 627 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
573 for privilege separation. 628 for privilege separation.
574 629
575OpenBSD 4.2 June 11, 2007 9 630OpenBSD 4.4 July 2, 2008 10