path: root/sshd_config.0
Diffstat (limited to 'sshd_config.0')
-rw-r--r--sshd_config.0105
1 files changed, 80 insertions, 25 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index d9c87b7a0..2648db3d4 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -53,10 +53,14 @@ DESCRIPTION
53 See PATTERNS in ssh_config(5) for more information on patterns. 53 See PATTERNS in ssh_config(5) for more information on patterns.
54 54
55 AllowTcpForwarding 55 AllowTcpForwarding
56 Specifies whether TCP forwarding is permitted. The default is 56 Specifies whether TCP forwarding is permitted. The available
57 ``yes''. Note that disabling TCP forwarding does not improve 57 options are ``yes'' or ``all'' to allow TCP forwarding, ``no'' to
58 security unless users are also denied shell access, as they can 58 prevent all TCP forwarding, ``local'' to allow local (from the
59 always install their own forwarders. 59 perspective of ssh(1)) forwarding only or ``remote'' to allow
60 remote forwarding only. The default is ``yes''. Note that
61 disabling TCP forwarding does not improve security unless users
62 are also denied shell access, as they can always install their
63 own forwarders.
60 64
61 AllowUsers 65 AllowUsers
62 This keyword can be followed by a list of user name patterns, 66 This keyword can be followed by a list of user name patterns,
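Review bot: the new ``local'' and ``remote'' values are defined only relative to ssh(1)'s view, and the hunk does not say whether ``local'' forwarding remains subject to PermitOpen (a keyword this same file lists among the Match options); an admin choosing ``local'' will want to know that destination restrictions still apply, so a one-line cross-reference is worth adding. The retained caveat that disabling forwarding is pointless unless shell access is also denied applies equally to the partial ``local''/``remote'' settings, since a user with a shell can run a forwarder in the direction that was disabled; consider saying so explicitly.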
@@ -71,6 +75,44 @@ DESCRIPTION
71 75
72 See PATTERNS in ssh_config(5) for more information on patterns. 76 See PATTERNS in ssh_config(5) for more information on patterns.
73 77
78 AuthenticationMethods
79 Specifies the authentication methods that must be successfully
80 completed for a user to be granted access. This option must be
81 followed by one or more comma-separated lists of authentication
82 method names. Successful authentication requires completion of
83 every method in at least one of these lists.
84
85 For example, an argument of ``publickey,password
86 publickey,keyboard-interactive'' would require the user to
87 complete public key authentication, followed by either password
88 or keyboard interactive authentication. Only methods that are
89 next in one or more lists are offered at each stage, so for this
90 example, it would not be possible to attempt password or
91 keyboard-interactive authentication before public key.
92
93 This option is only available for SSH protocol 2 and will yield a
94 fatal error if enabled if protocol 1 is also enabled. Note that
95 each authentication method listed should also be explicitly
96 enabled in the configuration. The default is not to require
97 multiple authentication; successful completion of a single
98 authentication method is sufficient.
99
100 AuthorizedKeysCommand
101 Specifies a program to be used to look up the user's public keys.
102 The program will be invoked with a single argument of the
103 username being authenticated, and should produce on standard
104 output zero or more lines of authorized_keys output (see
105 AUTHORIZED_KEYS in sshd(8)). If a key supplied by
106 AuthorizedKeysCommand does not successfully authenticate and
107 authorize the user then public key authentication continues using
108 the usual AuthorizedKeysFile files. By default, no
109 AuthorizedKeysCommand is run.
110
111 AuthorizedKeysCommandUser
112 Specifies the user under whose account the AuthorizedKeysCommand
113 is run. It is recommended to use a dedicated user that has no
114 other role on the host than running authorized keys commands.
115
74 AuthorizedKeysFile 116 AuthorizedKeysFile
75 Specifies the file that contains the public keys that can be used 117 Specifies the file that contains the public keys that can be used
76 for user authentication. The format is described in the 118 for user authentication. The format is described in the
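Review bot: AuthorizedKeysCommandUser is introduced without stating what sshd does when AuthorizedKeysCommand is set but no user is given; the text should say whether the command is skipped, run as the authenticating user, or treated as a configuration error, because the difference matters for a deployment that relies on the command as its only key source. For AuthenticationMethods, the sentence "each authentication method listed should also be explicitly enabled in the configuration" would be clearer if it named the keywords it means (PubkeyAuthentication, PasswordAuthentication, KbdInteractiveAuthentication), and the fallback sentence for AuthorizedKeysCommand ("public key authentication continues using the usual AuthorizedKeysFile files") should note that an admin who wants the command to be authoritative must also empty AuthorizedKeysFile.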
@@ -150,11 +192,13 @@ DESCRIPTION
150 Specifies the ciphers allowed for protocol version 2. Multiple 192 Specifies the ciphers allowed for protocol version 2. Multiple
151 ciphers must be comma-separated. The supported ciphers are 193 ciphers must be comma-separated. The supported ciphers are
152 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', 194 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
153 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', 195 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
154 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and 196 ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',
155 ``cast128-cbc''. The default is: 197 ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
198 and ``cast128-cbc''. The default is:
156 199
157 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, 200 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
201 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
158 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, 202 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
159 aes256-cbc,arcfour 203 aes256-cbc,arcfour
160 204
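Review bot: the hunk adds aes128-gcm@openssh.com and aes256-gcm@openssh.com to the list and the default but does not say that these are AEAD ciphers that provide their own integrity protection, so the MACs setting (next hunk) is not used when one of them is negotiated; a sentence to that effect would stop admins from assuming their MAC list still constrains GCM sessions. Separately, the new entries are spliced into the default after arcfour256,arcfour128; if the order is meant to express a preference, putting the GCM modes before the RC4 variants would match the hardening intent of the rest of this change.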
@@ -373,9 +417,16 @@ DESCRIPTION
373 MACs Specifies the available MAC (message authentication code) 417 MACs Specifies the available MAC (message authentication code)
374 algorithms. The MAC algorithm is used in protocol version 2 for 418 algorithms. The MAC algorithm is used in protocol version 2 for
375 data integrity protection. Multiple algorithms must be comma- 419 data integrity protection. Multiple algorithms must be comma-
376 separated. The default is: 420 separated. The algorithms that contain ``-etm'' calculate the
377 421 MAC after encryption (encrypt-then-mac). These are considered
378 hmac-md5,hmac-sha1,umac-64@openssh.com, 422 safer and their use recommended. The default is:
423
424 hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
425 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
426 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
427 hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
428 hmac-md5-96-etm@openssh.com,
429 hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
379 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, 430 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
380 hmac-sha1-96,hmac-md5-96 431 hmac-sha1-96,hmac-md5-96
381 432
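Review bot: the default now leads with hmac-md5-etm@openssh.com and still carries the truncated hmac-md5-96 and hmac-sha1-96 variants (plain and -etm); if the -etm forms are "considered safer and their use recommended", the text should also say whether list order expresses a preference, and a reviewer would ask whether MD5-based and 96-bit-truncated MACs belong in the default list at all rather than being left available only to an explicit MACs line.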
@@ -402,15 +453,16 @@ DESCRIPTION
402 Only a subset of keywords may be used on the lines following a 453 Only a subset of keywords may be used on the lines following a
403 Match keyword. Available keywords are AcceptEnv, 454 Match keyword. Available keywords are AcceptEnv,
404 AllowAgentForwarding, AllowGroups, AllowTcpForwarding, 455 AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
405 AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, 456 AllowUsers, AuthenticationMethods, AuthorizedKeysCommand,
406 ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, 457 AuthorizedKeysCommandUser, AuthorizedKeysFile,
407 GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, 458 AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups,
408 HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, 459 DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication,
409 KerberosAuthentication, MaxAuthTries, MaxSessions, 460 HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
410 PasswordAuthentication, PermitEmptyPasswords, PermitOpen, 461 KbdInteractiveAuthentication, KerberosAuthentication,
411 PermitRootLogin, PermitTunnel, PubkeyAuthentication, 462 MaxAuthTries, MaxSessions, PasswordAuthentication,
412 RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, 463 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel,
413 X11Forwarding and X11UseLocalHost. 464 PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
465 X11DisplayOffset, X11Forwarding and X11UseLocalHost.
414 466
415 MaxAuthTries 467 MaxAuthTries
416 Specifies the maximum number of authentication attempts permitted 468 Specifies the maximum number of authentication attempts permitted
@@ -425,7 +477,7 @@ DESCRIPTION
425 Specifies the maximum number of concurrent unauthenticated 477 Specifies the maximum number of concurrent unauthenticated
426 connections to the SSH daemon. Additional connections will be 478 connections to the SSH daemon. Additional connections will be
427 dropped until authentication succeeds or the LoginGraceTime 479 dropped until authentication succeeds or the LoginGraceTime
428 expires for a connection. The default is 10. 480 expires for a connection. The default is 10:30:100.
429 481
430 Alternatively, random early drop can be enabled by specifying the 482 Alternatively, random early drop can be enabled by specifying the
431 three colon separated values ``start:rate:full'' (e.g. 483 three colon separated values ``start:rate:full'' (e.g.
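Review bot: the default is changed to the colon-separated form 10:30:100, but the following paragraph still begins "Alternatively, random early drop can be enabled by specifying the three colon separated values", which now reads as if the default were a single integer and random early drop an opt-in; reword to say that random early drop is the default behaviour and that a single integer disables it, or reorder the two paragraphs.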
@@ -520,10 +572,13 @@ DESCRIPTION
520 version 2 only. 572 version 2 only.
521 573
522 RevokedKeys 574 RevokedKeys
523 Specifies a list of revoked public keys. Keys listed in this 575 Specifies revoked public keys. Keys listed in this file will be
524 file will be refused for public key authentication. Note that if 576 refused for public key authentication. Note that if this file is
525 this file is not readable, then public key authentication will be 577 not readable, then public key authentication will be refused for
526 refused for all users. 578 all users. Keys may be specified as a text file, listing one
579 public key per line, or as an OpenSSH Key Revocation List (KRL)
580 as generated by ssh-keygen(1). For more information on KRLs, see
581 the KEY REVOCATION LISTS section in ssh-keygen(1).
527 582
528 RhostsRSAAuthentication 583 RhostsRSAAuthentication
529 Specifies whether rhosts or /etc/hosts.equiv authentication 584 Specifies whether rhosts or /etc/hosts.equiv authentication
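Review bot: the file now accepts either a text list or a binary KRL, but the fail-closed sentence still covers only the case where the file "is not readable"; it should also state what happens when the file is readable but cannot be parsed as either format (for example a truncated or corrupt KRL), since an admin relying on this for revocation needs to know whether a bad file refuses all public key logins or silently revokes nothing.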
@@ -722,4 +777,4 @@ AUTHORS
722 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 777 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
723 for privilege separation. 778 for privilege separation.
724 779
725OpenBSD 5.2 June 29, 2012 OpenBSD 5.2 780OpenBSD 5.3 February 6, 2013 OpenBSD 5.3