path: root/sshd_config.0
Diffstat (limited to 'sshd_config.0')
-rw-r--r--  sshd_config.0  117
1 files changed, 54 insertions, 63 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 7800de312..bc266317f 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -15,15 +15,11 @@ DESCRIPTION
15 The possible keywords and their meanings are as follows (note that key- 15 The possible keywords and their meanings are as follows (note that key-
16 words are case-insensitive and arguments are case-sensitive): 16 words are case-insensitive and arguments are case-sensitive):
17 17
18 AFSTokenPassing
19 Specifies whether an AFS token may be forwarded to the server.
20 Default is M-bM-^@M-^\noM-bM-^@M-^].
21
22 AllowGroups 18 AllowGroups
23 This keyword can be followed by a list of group name patterns, 19 This keyword can be followed by a list of group name patterns,
24 separated by spaces. If specified, login is allowed only for 20 separated by spaces. If specified, login is allowed only for
25 users whose primary group or supplementary group list matches one 21 users whose primary group or supplementary group list matches one
26 of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the 22 of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the
27 patterns. Only group names are valid; a numerical group ID is 23 patterns. Only group names are valid; a numerical group ID is
28 not recognized. By default, login is allowed for all groups. 24 not recognized. By default, login is allowed for all groups.
29 25
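Review bot: the four AFSTokenPassing lines are removed outright with nothing in the patch saying whether the keyword is now rejected, ignored or replaced, so an existing sshd_config that still sets it will behave however sshd treats an unrecognised keyword after the upgrade; if the option is being retired rather than renamed, a short deprecation note in the page would spare administrators a surprise at restart. The wildcard quoting fix in the AllowGroups text (closing quote moved so it reads '?') is correct and is applied consistently in the AllowUsers, DenyGroups and DenyUsers hunks below.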
@@ -36,7 +32,7 @@ DESCRIPTION
36 AllowUsers 32 AllowUsers
37 This keyword can be followed by a list of user name patterns, 33 This keyword can be followed by a list of user name patterns,
38 separated by spaces. If specified, login is allowed only for 34 separated by spaces. If specified, login is allowed only for
39 user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be 35 user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be
40 used as wildcards in the patterns. Only user names are valid; a 36 used as wildcards in the patterns. Only user names are valid; a
41 numerical user ID is not recognized. By default, login is 37 numerical user ID is not recognized. By default, login is
42 allowed for all users. If the pattern takes the form USER@HOST 38 allowed for all users. If the pattern takes the form USER@HOST
@@ -70,7 +66,7 @@ DESCRIPTION
70 ciphers must be comma-separated. The default is 66 ciphers must be comma-separated. The default is
71 67
72 M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 68 M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
73 aes192-cbc,aes256-cbcM-bM-^@M-^YM-bM-^@M-^Y 69 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctrM-bM-^@M-^YM-bM-^@M-^Y
74 70
75 ClientAliveInterval 71 ClientAliveInterval
76 Sets a timeout interval in seconds after which if no data has 72 Sets a timeout interval in seconds after which if no data has
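Review bot: the new default Ciphers string appends aes128-ctr, aes192-ctr and aes256-ctr after the CBC modes and arcfour; the documented order should match the list actually compiled into sshd, and if the CTR modes are meant to be preferred over CBC they should be listed first rather than last. Worth double-checking against the source rather than assuming the .0 text is authoritative, since the .0 file is a rendered copy of sshd_config.5.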
@@ -81,18 +77,18 @@ DESCRIPTION
81 77
82 ClientAliveCountMax 78 ClientAliveCountMax
83 Sets the number of client alive messages (see above) which may be 79 Sets the number of client alive messages (see above) which may be
84 sent without sshd receiving any messages back from the client. If 80 sent without sshd receiving any messages back from the client.
85 this threshold is reached while client alive messages are being 81 If this threshold is reached while client alive messages are
86 sent, sshd will disconnect the client, terminating the session. 82 being sent, sshd will disconnect the client, terminating the ses-
87 It is important to note that the use of client alive messages is 83 sion. It is important to note that the use of client alive mes-
88 very different from KeepAlive (below). The client alive messages 84 sages is very different from KeepAlive (below). The client alive
89 are sent through the encrypted channel and therefore will not be 85 messages are sent through the encrypted channel and therefore
90 spoofable. The TCP keepalive option enabled by KeepAlive is 86 will not be spoofable. The TCP keepalive option enabled by
91 spoofable. The client alive mechanism is valuable when the client 87 KeepAlive is spoofable. The client alive mechanism is valuable
92 or server depend on knowing when a connection has become inac- 88 when the client or server depend on knowing when a connection has
93 tive. 89 become inactive.
94 90
95 The default value is 3. If ClientAliveInterval (above) is set to 91 The default value is 3. If ClientAliveInterval (above) is set to
96 15, and ClientAliveCountMax is left at the default, unresponsive 92 15, and ClientAliveCountMax is left at the default, unresponsive
97 ssh clients will be disconnected after approximately 45 seconds. 93 ssh clients will be disconnected after approximately 45 seconds.
98 94
@@ -104,14 +100,14 @@ DESCRIPTION
104 This keyword can be followed by a list of group name patterns, 100 This keyword can be followed by a list of group name patterns,
105 separated by spaces. Login is disallowed for users whose primary 101 separated by spaces. Login is disallowed for users whose primary
106 group or supplementary group list matches one of the patterns. 102 group or supplementary group list matches one of the patterns.
107 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only 103 M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the patterns. Only group
108 group names are valid; a numerical group ID is not recognized. 104 names are valid; a numerical group ID is not recognized. By
109 By default, login is allowed for all groups. 105 default, login is allowed for all groups.
110 106
111 DenyUsers 107 DenyUsers
112 This keyword can be followed by a list of user name patterns, 108 This keyword can be followed by a list of user name patterns,
113 separated by spaces. Login is disallowed for user names that 109 separated by spaces. Login is disallowed for user names that
114 match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards 110 match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards
115 in the patterns. Only user names are valid; a numerical user ID 111 in the patterns. Only user names are valid; a numerical user ID
116 is not recognized. By default, login is allowed for all users. 112 is not recognized. By default, login is allowed for all users.
117 If the pattern takes the form USER@HOST then USER and HOST are 113 If the pattern takes the form USER@HOST then USER and HOST are
@@ -128,6 +124,16 @@ DESCRIPTION
128 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The 124 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
129 default is M-bM-^@M-^\noM-bM-^@M-^]. 125 default is M-bM-^@M-^\noM-bM-^@M-^].
130 126
127 GSSAPIAuthentication
128 Specifies whether user authentication based on GSSAPI is allowed.
129 The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol
130 version 2 only.
131
132 GSSAPICleanupCredentials
133 Specifies whether to automatically destroy the userM-bM-^@M-^Ys credentials
134 cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option
135 applies to protocol version 2 only.
136
131 HostbasedAuthentication 137 HostbasedAuthentication
132 Specifies whether rhosts or /etc/hosts.equiv authentication 138 Specifies whether rhosts or /etc/hosts.equiv authentication
133 together with successful public key client host authentication is 139 together with successful public key client host authentication is
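Review bot: the new GSSAPIAuthentication entry says only that GSSAPI-based user authentication is allowed, while the KerberosAuthentication hunk further down narrows that keyword to password validation against the KDC and drops the "Kerberos ticket" form it used to describe; a reader who relied on ticket-based Kerberos login under KerberosAuthentication gets no pointer to where that now lives. Add one sentence in either entry saying which keyword governs ticket-based authentication. Placement of the two GSSAPI entries immediately before HostbasedAuthentication keeps the alphabetical order.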
@@ -146,8 +152,7 @@ DESCRIPTION
146 152
147 IgnoreRhosts 153 IgnoreRhosts
148 Specifies that .rhosts and .shosts files will not be used in 154 Specifies that .rhosts and .shosts files will not be used in
149 RhostsAuthentication, RhostsRSAAuthentication or 155 RhostsRSAAuthentication or HostbasedAuthentication.
150 HostbasedAuthentication.
151 156
152 /etc/hosts.equiv and /etc/shosts.equiv are still used. The 157 /etc/hosts.equiv and /etc/shosts.equiv are still used. The
153 default is M-bM-^@M-^\yesM-bM-^@M-^]. 158 default is M-bM-^@M-^\yesM-bM-^@M-^].
@@ -173,23 +178,17 @@ DESCRIPTION
173 To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. 178 To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^].
174 179
175 KerberosAuthentication 180 KerberosAuthentication
176 Specifies whether Kerberos authentication is allowed. This can 181 Specifies whether the password provided by the user for
177 be in the form of a Kerberos ticket, or if PasswordAuthentication 182 PasswordAuthentication will be validated through the Kerberos
178 is yes, the password provided by the user will be validated 183 KDC. To use this option, the server needs a Kerberos servtab
179 through the Kerberos KDC. To use this option, the server needs a 184 which allows the verification of the KDCM-bM-^@M-^Ys identity. Default is
180 Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys iden- 185 M-bM-^@M-^\noM-bM-^@M-^].
181 tity. Default is M-bM-^@M-^\noM-bM-^@M-^].
182 186
183 KerberosOrLocalPasswd 187 KerberosOrLocalPasswd
184 If set then if password authentication through Kerberos fails 188 If set then if password authentication through Kerberos fails
185 then the password will be validated via any additional local 189 then the password will be validated via any additional local
186 mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^]. 190 mechanism such as /etc/passwd. Default is M-bM-^@M-^\yesM-bM-^@M-^].
187 191
188 KerberosTgtPassing
189 Specifies whether a Kerberos TGT may be forwarded to the server.
190 Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is
191 actually an AFS kaserver.
192
193 KerberosTicketCleanup 192 KerberosTicketCleanup
194 Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket 193 Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket
195 cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. 194 cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^].
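Review bot: both the old and the rewritten KerberosAuthentication text say the server needs a "Kerberos servtab"; that is not Kerberos terminology (the Kerberos 4 file is a srvtab, the Kerberos 5 file a keytab), and since this hunk rewraps the sentence anyway it is the moment to fix the word. KerberosTgtPassing is removed in the same hunk with no deprecation note, the same concern as for AFSTokenPassing above.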
@@ -211,7 +210,7 @@ DESCRIPTION
211 ListenAddress [host|IPv6_addr]:port 210 ListenAddress [host|IPv6_addr]:port
212 211
213 If port is not specified, sshd will listen on the address and all 212 If port is not specified, sshd will listen on the address and all
214 prior Port options specified. The default is to listen on all 213 prior Port options specified. The default is to listen on all
215 local addresses. Multiple ListenAddress options are permitted. 214 local addresses. Multiple ListenAddress options are permitted.
216 Additionally, any Port options must precede this option for non 215 Additionally, any Port options must precede this option for non
217 port qualified addresses. 216 port qualified addresses.
@@ -249,12 +248,6 @@ DESCRIPTION
249 and all connection attempts are refused if the number of unau- 248 and all connection attempts are refused if the number of unau-
250 thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). 249 thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60).
251 250
252 PAMAuthenticationViaKbdInt
253 Specifies whether PAM challenge response authentication is
254 allowed. This allows the use of most PAM challenge response
255 authentication modules, but it will allow password authentication
256 regardless of whether PasswordAuthentication is enabled.
257
258 PasswordAuthentication 251 PasswordAuthentication
259 Specifies whether password authentication is allowed. The 252 Specifies whether password authentication is allowed. The
260 default is M-bM-^@M-^\yesM-bM-^@M-^]. 253 default is M-bM-^@M-^\yesM-bM-^@M-^].
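Review bot: PAMAuthenticationViaKbdInt is deleted here and UsePAM is introduced in a later hunk, but the key caveat in the removed text, that PAM challenge-response "will allow password authentication regardless of whether PasswordAuthentication is enabled", survives only as "you should probably disable PasswordAuthentication" under UsePAM. Carry the explicit reason across so an administrator understands that PasswordAuthentication no on its own does not block password logins once PAM is enabled.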
@@ -275,7 +268,7 @@ DESCRIPTION
275 If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with 268 If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with
276 public key authentication will be allowed, but only if the 269 public key authentication will be allowed, but only if the
277 command option has been specified (which may be useful for taking 270 command option has been specified (which may be useful for taking
278 remote backups even if root login is normally not allowed). All 271 remote backups even if root login is normally not allowed). All
279 other authentication methods are disabled for root. 272 other authentication methods are disabled for root.
280 273
281 If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. 274 If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login.
@@ -315,16 +308,10 @@ DESCRIPTION
315 PubkeyAuthentication 308 PubkeyAuthentication
316 Specifies whether public key authentication is allowed. The 309 Specifies whether public key authentication is allowed. The
317 default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver- 310 default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol ver-
318 sion 2 only. 311 sion 2 only. RhostsRSAAuthentication should be used instead,
319 312 because it performs RSA-based host authentication in addition to
320 RhostsAuthentication 313 normal rhosts or /etc/hosts.equiv authentication. The default is
321 Specifies whether authentication using rhosts or /etc/hosts.equiv 314 M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only.
322 files is sufficient. Normally, this method should not be permit-
323 ted because it is insecure. RhostsRSAAuthentication should be
324 used instead, because it performs RSA-based host authentication
325 in addition to normal rhosts or /etc/hosts.equiv authentication.
326 The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1
327 only.
328 315
329 RhostsRSAAuthentication 316 RhostsRSAAuthentication
330 Specifies whether rhosts or /etc/hosts.equiv authentication 317 Specifies whether rhosts or /etc/hosts.equiv authentication
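Review bot: the new side of this hunk is wrong as rendered. Deleting RhostsAuthentication removed the entry's heading and opening lines but left its tail attached to the preceding entry, so PubkeyAuthentication now continues "sion 2 only. RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition to normal rhosts or /etc/hosts.equiv authentication. The default is "no". This option applies to protocol version 1 only.", contradicting the "yes" default and "protocol version 2 only" stated two lines earlier. The PubkeyAuthentication text should end at "sion 2 only." followed by the blank line and RhostsRSAAuthentication; since the .0 file is generated from sshd_config.5, regenerate it rather than hand-editing the rendered page.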
@@ -361,6 +348,10 @@ DESCRIPTION
361 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The 348 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
362 default is AUTH. 349 default is AUTH.
363 350
351 UseDNS Specifies whether sshd should lookup the remote host name and
352 check that the resolved host name for the remote IP address maps
353 back to the very same IP address. The default is M-bM-^@M-^\yesM-bM-^@M-^].
354
364 UseLogin 355 UseLogin
365 Specifies whether login(1) is used for interactive login ses- 356 Specifies whether login(1) is used for interactive login ses-
366 sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used 357 sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used
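Review bot: UseDNS describes the same check as VerifyReverseMapping, which a later hunk of this patch removes, but with the default flipped from "no" to "yes"; a server that never set either keyword will start doing a forward-confirmed reverse lookup on every connection after the upgrade, and the page gives no indication whether VerifyReverseMapping is still accepted as an alias. A sentence in this entry naming the old keyword and the default change would make the behaviour change visible to anyone reading the diff of their own config.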
@@ -369,6 +360,11 @@ DESCRIPTION
369 know how to handle xauth(1) cookies. If UsePrivilegeSeparation 360 know how to handle xauth(1) cookies. If UsePrivilegeSeparation
370 is specified, it will be disabled after authentication. 361 is specified, it will be disabled after authentication.
371 362
363 UsePAM Enables PAM authentication (via challenge-response) and session
364 set up. If you enable this, you should probably disable
365 PasswordAuthentication. If you enable then you will not be able
366 to run sshd as a non-root user.
367
372 UsePrivilegeSeparation 368 UsePrivilegeSeparation
373 Specifies whether sshd separates privileges by creating an 369 Specifies whether sshd separates privileges by creating an
374 unprivileged child process to deal with incoming network traffic. 370 unprivileged child process to deal with incoming network traffic.
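Review bot: the new UsePAM text needs a grammar pass and a reason. "session set up" should be "session setup", and "If you enable then you will not be able to run sshd as a non-root user" is missing its object ("If you enable this, ..."). "You should probably disable PasswordAuthentication" states the advice without the rationale; say that PAM then performs its own password checks via challenge-response, as the removed PAMAuthenticationViaKbdInt entry did, so the reader knows what is being protected against.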
@@ -378,11 +374,6 @@ DESCRIPTION
378 taining any corruption within the unprivileged processes. The 374 taining any corruption within the unprivileged processes. The
379 default is M-bM-^@M-^\yesM-bM-^@M-^]. 375 default is M-bM-^@M-^\yesM-bM-^@M-^].
380 376
381 VerifyReverseMapping
382 Specifies whether sshd should try to verify the remote host name
383 and check that the resolved host name for the remote IP address
384 maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^].
385
386 X11DisplayOffset 377 X11DisplayOffset
387 Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for- 378 Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for-
388 warding. This prevents sshd from interfering with real X11 379 warding. This prevents sshd from interfering with real X11
@@ -400,7 +391,7 @@ DESCRIPTION
400 substitution occur on the client side. The security risk of 391 substitution occur on the client side. The security risk of
401 using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may 392 using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may
402 be exposed to attack when the ssh client requests forwarding (see 393 be exposed to attack when the ssh client requests forwarding (see
403 the warnings for ForwardX11 in ssh_config(5) ). A system adminis- 394 the warnings for ForwardX11 in ssh_config(5)). A system adminis-
404 trator may have a stance in which they want to protect clients 395 trator may have a stance in which they want to protect clients
405 that may expose themselves to attack by unwittingly requesting 396 that may expose themselves to attack by unwittingly requesting
406 X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. 397 X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting.
@@ -454,6 +445,9 @@ FILES
454 writable by root only, but it is recommended (though not neces- 445 writable by root only, but it is recommended (though not neces-
455 sary) that it be world-readable. 446 sary) that it be world-readable.
456 447
448SEE ALSO
449 sshd(8)
450
457AUTHORS 451AUTHORS
458 OpenSSH is a derivative of the original and free ssh 1.2.12 release by 452 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
459 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo 453 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
@@ -462,7 +456,4 @@ AUTHORS
462 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 456 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
463 for privilege separation. 457 for privilege separation.
464 458
465SEE ALSO
466 sshd(8)
467
468BSD September 25, 1999 BSD 459BSD September 25, 1999 BSD
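Review bot: moving SEE ALSO ahead of AUTHORS matches the conventional mdoc section order, fine. The footer date "September 25, 1999" is unchanged on both sides even though this revision adds GSSAPIAuthentication, GSSAPICleanupCredentials, UseDNS and UsePAM and removes several keywords; bump the .Dd in the sshd_config.5 source and regenerate so the rendered page is dated to the revision it documents.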