Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index e75ed1b32..8132c3f15 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -497,10 +497,11 @@ DESCRIPTION | |||
497 | 497 | ||
498 | Include | 498 | Include |
499 | Include the specified configuration file(s). Multiple pathnames | 499 | Include the specified configuration file(s). Multiple pathnames |
500 | may be specified and each pathname may contain glob(7) wildcards. | 500 | may be specified and each pathname may contain glob(7) wildcards |
501 | Files without absolute paths are assumed to be in /etc/ssh. An | 501 | that will be expanded and processed in lexical order. Files |
502 | Include directive may appear inside a Match block to perform | 502 | without absolute paths are assumed to be in /etc/ssh. An Include |
503 | conditional inclusion. | 503 | directive may appear inside a Match block to perform conditional |
504 | inclusion. | ||
504 | 505 | ||
505 | IPQoS Specifies the IPv4 type-of-service or DSCP class for the | 506 | IPQoS Specifies the IPv4 type-of-service or DSCP class for the |
506 | connection. Accepted values are af11, af12, af13, af21, af22, | 507 | connection. Accepted values are af11, af12, af13, af21, af22, |
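Review bot: The added wording at new lines 500-501 ("will be expanded and processed in lexical order") states the order but not its consequence: it does not say which setting takes effect when two files matched by the same glob set the same keyword. Since this is the sentence administrators will rely on when numbering drop-in files, suggest adding a clause that spells out the precedence, and saying whether "lexical" means plain byte order or depends on the locale.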
@@ -866,9 +867,10 @@ DESCRIPTION | |||
866 | -Q PubkeyAcceptedKeyTypes". | 867 | -Q PubkeyAcceptedKeyTypes". |
867 | 868 | ||
868 | PubkeyAuthOptions | 869 | PubkeyAuthOptions |
869 | Sets one or more public key authentication options. Two option | 870 | Sets one or more public key authentication options. The |
870 | keywords are currently supported: none (the default; indicating | 871 | supported keywords are: none (the default; indicating no |
871 | no additional options are enabled) and touch-required. | 872 | additional options are enabled), touch-required and |
873 | verify-required. | ||
872 | 874 | ||
873 | The touch-required option causes public key authentication using | 875 | The touch-required option causes public key authentication using |
874 | a FIDO authenticator algorithm (i.e. ecdsa-sk or ed25519-sk) to | 876 | a FIDO authenticator algorithm (i.e. ecdsa-sk or ed25519-sk) to |
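Review bot: The rewritten keyword list at new lines 870-873 now has three entries under "Sets one or more public key authentication options", but does not say whether touch-required and verify-required may be given together, or what happens if none is listed alongside either of them. Suggest one sentence stating that the two FIDO options can be combined (if that is the intent) and that none is only meaningful on its own.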
@@ -876,8 +878,13 @@ DESCRIPTION | |||
876 | user explicitly confirmed the authentication (usually by touching | 878 | user explicitly confirmed the authentication (usually by touching |
877 | the authenticator). By default, sshd(8) requires user presence | 879 | the authenticator). By default, sshd(8) requires user presence |
878 | unless overridden with an authorized_keys option. The | 880 | unless overridden with an authorized_keys option. The |
879 | touch-required flag disables this override. This option has no | 881 | touch-required flag disables this override. |
880 | effect for other, non-authenticator public key types. | 882 | |
883 | The verify-required option requires a FIDO key signature attest | ||
884 | that the user was verified, e.g. via a PIN. | ||
885 | |||
886 | Neither the touch-required or verify-required options have any | ||
887 | effect for other, non-FIDO, public key types. | ||
881 | 888 | ||
882 | PubkeyAuthentication | 889 | PubkeyAuthentication |
883 | Specifies whether public key authentication is allowed. The | 890 | Specifies whether public key authentication is allowed. The |
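Review bot: Two wording problems in the added paragraphs: new line 883 reads "requires a FIDO key signature attest" and is missing "to" (suggest "requires that a FIDO key signature attest that the user was verified"), and new line 886 pairs "Neither" with "or" and a plural verb (suggest "Neither the touch-required nor the verify-required option has any effect"). Separately, the touch-required paragraph says what sshd(8) does by default and that the flag disables the authorized_keys override, while the verify-required paragraph gives neither the default nor its relationship to authorized_keys options; a matching sentence would make the two descriptions parallel.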
@@ -1143,4 +1150,4 @@ AUTHORS | |||
1143 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 1150 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
1144 | for privilege separation. | 1151 | for privilege separation. |
1145 | 1152 | ||
1146 | OpenBSD 6.7 April 17, 2020 OpenBSD 6.7 | 1153 | OpenBSD 6.8 August 27, 2020 OpenBSD 6.8 |