Diffstat (limited to 'sshd_config.0')
-rw-r--r-- sshd_config.0 49
1 files changed, 37 insertions, 12 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 720cc3f80..a4e31be0f 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -219,7 +219,7 @@ DESCRIPTION
219 LoginGraceTime 219 LoginGraceTime
220 The server disconnects after this time if the user has not sucM-- 220 The server disconnects after this time if the user has not sucM--
221 cessfully logged in. If the value is 0, there is no time limit. 221 cessfully logged in. If the value is 0, there is no time limit.
222 The default is 600 (seconds). 222 The default is 120 seconds.
223 223
224 LogLevel 224 LogLevel
225 Gives the verbosity level that is used when logging messages from 225 Gives the verbosity level that is used when logging messages from
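Review bot: In the LoginGraceTime entry, the new sentence "The default is 120 seconds." drops the old parenthetical, which was the only hint that a bare number is read as seconds. The entry should say what the argument's unit is and point to the Time Formats section further down the page. The default also falls from 600 to 120, and the text still documents 0 as "no time limit" without saying that this leaves unauthenticated connections open indefinitely. One sentence noting that trade-off would help an administrator who is deciding whether to raise the value back.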
@@ -280,6 +280,13 @@ DESCRIPTION
280 280
281 If this option is set to ``no'' root is not allowed to login. 281 If this option is set to ``no'' root is not allowed to login.
282 282
283 PermitUserEnvironment
284 Specifies whether ~/.ssh/environment and environment= options in
285 ~/.ssh/authorized_keys are processed by sshd. The default is
286 ``no''. Enabling environment processing may enable users to
287 bypass access restrictions in some configurations using mechaM--
288 nisms such as LD_PRELOAD.
289
283 PidFile 290 PidFile
284 Specifies the file that contains the process ID of the sshd daeM-- 291 Specifies the file that contains the process ID of the sshd daeM--
285 mon. The default is /var/run/sshd.pid. 292 mon. The default is /var/run/sshd.pid.
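Review bot: The new PermitUserEnvironment entry warns that enabling it "may enable users to bypass access restrictions in some configurations" but does not say which restrictions or configurations are meant, so a reader cannot tell whether their setup is affected. Please name at least one kind of restriction that is at risk, and state that LD_PRELOAD is one example of a variable that changes how the login session's programs are loaded. The entry also omits the accepted values; the X11Forwarding entry in this same change gains "The argument must be ``yes'' or ``no''", and the same sentence belongs here for consistency.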
@@ -298,9 +305,12 @@ DESCRIPTION
298 /etc/profile, or equivalent.) The default is ``yes''. 305 /etc/profile, or equivalent.) The default is ``yes''.
299 306
300 Protocol 307 Protocol
301 Specifies the protocol versions sshd should support. The possiM-- 308 Specifies the protocol versions sshd supports. The possible valM--
302 ble values are ``1'' and ``2''. Multiple versions must be comma- 309 ues are ``1'' and ``2''. Multiple versions must be comma-sepaM--
303 separated. The default is ``2,1''. 310 rated. The default is ``2,1''. Note that the order of the proM--
311 tocol list does not indicate preference, because the client
312 selects among multiple protocol versions offered by the server.
313 Specifying ``2,1'' is identical to ``1,2''.
304 314
305 PubkeyAuthentication 315 PubkeyAuthentication
306 Specifies whether public key authentication is allowed. The 316 Specifies whether public key authentication is allowed. The
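Review bot: The added Protocol note explains that the client chooses among the versions the server offers and that ``2,1'' equals ``1,2'', but it stops short of the consequence an administrator needs. With the default of ``2,1'', a client can always select version 1, and no ordering of the list prevents that. Suggest adding a closing sentence stating that the only way to stop a version from being used is to leave it out of the list.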
@@ -380,11 +390,26 @@ DESCRIPTION
380 servers. The default is 10. 390 servers. The default is 10.
381 391
382 X11Forwarding 392 X11Forwarding
383 Specifies whether X11 forwarding is permitted. The default is 393 Specifies whether X11 forwarding is permitted. The argument must
384 ``no''. Note that disabling X11 forwarding does not improve 394 be ``yes'' or ``no''. The default is ``no''.
385 security in any way, as users can always install their own forM-- 395
386 warders. X11 forwarding is automatically disabled if UseLogin is 396 When X11 forwarding is enabled, there may be additional exposure
387 enabled. 397 to the server and to client displays if the sshd proxy display is
398 configured to listen on the wildcard address (see X11UseLocalhost
399 below), however this is not the default. Additionally, the
400 authentication spoofing and authentication data verification and
401 substitution occur on the client side. The security risk of
402 using X11 forwarding is that the client's X11 display server may
403 be exposed to attack when the ssh client requests forwarding (see
404 the warnings for ForwardX11 in ssh_config(5) ). A system adminisM--
405 trator may have a stance in which they want to protect clients
406 that may expose themselves to attack by unwittingly requesting
407 X11 forwarding, which can warrant a ``no'' setting.
408
409 Note that disabling X11 forwarding does not prevent users from
410 forwarding X11 traffic, as users can always install their own
411 forwarders. X11 forwarding is automatically disabled if UseLogin
412 is enabled.
388 413
389 X11UseLocalhost 414 X11UseLocalhost
390 Specifies whether sshd should bind the X11 forwarding server to 415 Specifies whether sshd should bind the X11 forwarding server to
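Review bot: In the rewritten X11Forwarding entry, the sentence "the authentication spoofing and authentication data verification and substitution occur on the client side" is hard to parse and does not say why that matters to someone configuring the server. It reads better folded into the next sentence, which already states the actual risk: the client's X11 display server may be exposed when the client requests forwarding. "A system administrator may have a stance in which they want to protect clients" could be shortened to say that an administrator who wants to protect such clients can set ``no''. There is also a stray space before the closing parenthesis in "ssh_config(5) )". The last paragraph is a good correction of the old claim that disabling forwarding "does not improve security in any way".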
@@ -392,15 +417,15 @@ DESCRIPTION
392 sshd binds the forwarding server to the loopback address and sets 417 sshd binds the forwarding server to the loopback address and sets
393 the hostname part of the DISPLAY environment variable to 418 the hostname part of the DISPLAY environment variable to
394 ``localhost''. This prevents remote hosts from connecting to the 419 ``localhost''. This prevents remote hosts from connecting to the
395 fake display. However, some older X11 clients may not function 420 proxy display. However, some older X11 clients may not function
396 with this configuration. X11UseLocalhost may be set to ``no'' to 421 with this configuration. X11UseLocalhost may be set to ``no'' to
397 specify that the forwarding server should be bound to the wildM-- 422 specify that the forwarding server should be bound to the wildM--
398 card address. The argument must be ``yes'' or ``no''. The 423 card address. The argument must be ``yes'' or ``no''. The
399 default is ``yes''. 424 default is ``yes''.
400 425
401 XAuthLocation 426 XAuthLocation
402 Specifies the location of the xauth(1) program. The default is 427 Specifies the full pathname of the xauth(1) program. The default
403 /usr/X11R6/bin/xauth. 428 is /usr/X11R6/bin/xauth.
404 429
405 Time Formats 430 Time Formats
406 431
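Review bot: The X11UseLocalhost entry now says "proxy display" where it said "fake display", but the surrounding unchanged lines still call the same listener "the forwarding server", and the X11Forwarding entry calls it "the sshd proxy display". Pick one term and use it throughout both entries so readers do not take these for separate components. Because X11Forwarding now sends readers here for the wildcard-address exposure, the sentence allowing ``no'' should say outright that binding to the wildcard address lets remote hosts connect to the proxy display, rather than leaving that to be inferred from "This prevents remote hosts from connecting". The XAuthLocation change to "full pathname" is fine.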