1 files changed, 24 insertions, 12 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 70ccea449..b294efc2d 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.307 2020/02/07 03:54:44 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.311 2020/04/17 06:12:41 jmc Exp $
-.Dd $Mdocdate: February 7 2020 $
+.Dd $Mdocdate: April 17 2020 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -247,12 +247,10 @@ more lines of authorized_keys output (see
 .Sx AUTHORIZED_KEYS
 in
 .Xr sshd 8 ) .
-If a key supplied by
 .Cm AuthorizedKeysCommand
-does not successfully authenticate
+is tried after the usual
-and authorize the user then public key authentication continues using the usual
 .Cm AuthorizedKeysFile
-files.
+files and will not be executed if a matching key is found there.
 By default, no
 .Cm AuthorizedKeysCommand
 is run.
@@ -778,19 +776,32 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
 The list of available key types may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 .It Cm IgnoreRhosts
-Specifies that
+Specifies whether to ignore per-user
 .Pa .rhosts
 and
 .Pa .shosts
-files will not be used in
+files during
 .Cm HostbasedAuthentication .
-.Pp
+The system-wide
 .Pa /etc/hosts.equiv
 and
 .Pa /etc/shosts.equiv
-are still used.
+are still used regardless of this setting.
-The default is
+.Pp
-.Cm yes .
+Accepted values are
+.Cm yes
+(the default) to ignore all per-user files,
+.Cm shosts-only
+to allow the use of
+.Pa .shosts
+but to ignore
+.Pa .rhosts
+or
+.Cm no
+to allow both
+.Pa .shosts
+and
+.Pa rhosts .
 .It Cm IgnoreUserKnownHosts
 Specifies whether
 .Xr sshd 8
@@ -1162,6 +1173,7 @@ Available keywords are
 .Cm HostbasedAcceptedKeyTypes ,
 .Cm HostbasedAuthentication ,
 .Cm HostbasedUsesNameFromPacketOnly ,
+.Cm IgnoreRhosts ,
 .Cm Include ,
 .Cm IPQoS ,
 .Cm KbdInteractiveAuthentication ,

diff --git a/sshd_config.5 b/sshd_config.5 index 70ccea449..b294efc2d 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.307 2020/02/07 03:54:44 dtucker Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.311 2020/04/17 06:12:41 jmc Exp $
37	.Dd $Mdocdate: February 7 2020 $	37	.Dd $Mdocdate: April 17 2020 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -247,12 +247,10 @@ more lines of authorized_keys output (see
247	.Sx AUTHORIZED_KEYS	247	.Sx AUTHORIZED_KEYS
248	in	248	in
249	.Xr sshd 8 ) .	249	.Xr sshd 8 ) .
250	If a key supplied by
251	.Cm AuthorizedKeysCommand	250	.Cm AuthorizedKeysCommand
252	does not successfully authenticate	251	is tried after the usual
253	and authorize the user then public key authentication continues using the usual
254	.Cm AuthorizedKeysFile	252	.Cm AuthorizedKeysFile
255	files.	253	files and will not be executed if a matching key is found there.
256	By default, no	254	By default, no
257	.Cm AuthorizedKeysCommand	255	.Cm AuthorizedKeysCommand
258	is run.	256	is run.
@@ -778,19 +776,32 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
778	The list of available key types may also be obtained using	776	The list of available key types may also be obtained using
779	.Qq ssh -Q HostKeyAlgorithms .	777	.Qq ssh -Q HostKeyAlgorithms .
780	.It Cm IgnoreRhosts	778	.It Cm IgnoreRhosts
781	Specifies that	779	Specifies whether to ignore per-user
782	.Pa .rhosts	780	.Pa .rhosts
783	and	781	and
784	.Pa .shosts	782	.Pa .shosts
785	files will not be used in	783	files during
786	.Cm HostbasedAuthentication .	784	.Cm HostbasedAuthentication .
787	.Pp	785	The system-wide
788	.Pa /etc/hosts.equiv	786	.Pa /etc/hosts.equiv
789	and	787	and
790	.Pa /etc/shosts.equiv	788	.Pa /etc/shosts.equiv
791	are still used.	789	are still used regardless of this setting.
792	The default is	790	.Pp
793	.Cm yes .	791	Accepted values are
		792	.Cm yes
		793	(the default) to ignore all per-user files,
		794	.Cm shosts-only
		795	to allow the use of
		796	.Pa .shosts
		797	but to ignore
		798	.Pa .rhosts
		799	or
		800	.Cm no
		801	to allow both
		802	.Pa .shosts
		803	and
		804	.Pa rhosts .
794	.It Cm IgnoreUserKnownHosts	805	.It Cm IgnoreUserKnownHosts
795	Specifies whether	806	Specifies whether
796	.Xr sshd 8	807	.Xr sshd 8
@@ -1162,6 +1173,7 @@ Available keywords are
1162	.Cm HostbasedAcceptedKeyTypes ,	1173	.Cm HostbasedAcceptedKeyTypes ,
1163	.Cm HostbasedAuthentication ,	1174	.Cm HostbasedAuthentication ,
1164	.Cm HostbasedUsesNameFromPacketOnly ,	1175	.Cm HostbasedUsesNameFromPacketOnly ,
		1176	.Cm IgnoreRhosts ,
1165	.Cm Include ,	1177	.Cm Include ,
1166	.Cm IPQoS ,	1178	.Cm IPQoS ,
1167	.Cm KbdInteractiveAuthentication ,	1179	.Cm KbdInteractiveAuthentication ,