1 files changed, 78 insertions, 4 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index de2b776fd..251d847fd 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $
+.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
-.Dd $Mdocdate: June 29 2012 $
+.Dd $Mdocdate: February 6 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -151,6 +151,19 @@ in
 for more information on patterns.
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
+The available options are
+.Dq yes
+or
+.Dq all
+to allow TCP forwarding,
+.Dq no
+to prevent all TCP forwarding,
+.Dq local
+to allow local (from the perspective of
+.Xr ssh 1 )
+forwarding only or
+.Dq remote
+to allow remote forwarding only.
 The default is
 .Dq yes .
 Note that disabling TCP forwarding does not improve security unless
@@ -178,6 +191,45 @@ See
 in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm AuthenticationMethods
+Specifies the authentication methods that must be successfully completed
+for a user to be granted access.
+This option must be followed by one or more comma-separated lists of
+authentication method names.
+Successful authentication requires completion of every method in at least
+one of these lists.
+.Pp
+For example, an argument of
+.Dq publickey,password publickey,keyboard-interactive
+would require the user to complete public key authentication, followed by
+either password or keyboard interactive authentication.
+Only methods that are next in one or more lists are offered at each stage,
+so for this example, it would not be possible to attempt password or
+keyboard-interactive authentication before public key.
+.Pp
+This option is only available for SSH protocol 2 and will yield a fatal
+error if enabled if protocol 1 is also enabled.
+Note that each authentication method listed should also be explicitly enabled
+in the configuration.
+The default is not to require multiple authentication; successful completion
+of a single authentication method is sufficient.
+.It Cm AuthorizedKeysCommand
+Specifies a program to be used to look up the user's public keys.
+The program will be invoked with a single argument of the username
+being authenticated, and should produce on standard output zero or
+more lines of authorized_keys output (see
+.Sx AUTHORIZED_KEYS
+in
+.Xr sshd 8 ) .
+If a key supplied by AuthorizedKeysCommand does not successfully authenticate
+and authorize the user then public key authentication continues using the usual
+.Cm AuthorizedKeysFile
+files.
+By default, no AuthorizedKeysCommand is run.
+.It Cm AuthorizedKeysCommandUser
+Specifies the user under whose account the AuthorizedKeysCommand is run.
+It is recommended to use a dedicated user that has no other role on the host
+than running authorized keys commands.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
@@ -310,6 +362,8 @@ The supported ciphers are
 .Dq aes128-ctr ,
 .Dq aes192-ctr ,
 .Dq aes256-ctr ,
+.Dq aes128-gcm@openssh.com ,
+.Dq aes256-gcm@openssh.com ,
 .Dq arcfour128 ,
 .Dq arcfour256 ,
 .Dq arcfour ,
@@ -319,6 +373,7 @@ and
 The default is:
 .Bd -literal -offset 3n
 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-gcm@openssh.com,aes256-gcm@openssh.com,
 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
 aes256-cbc,arcfour
 .Ed
@@ -713,9 +768,18 @@ Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+The algorithms that contain
+.Dq -etm
+calculate the MAC after encryption (encrypt-then-mac).
+These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
-hmac-md5,hmac-sha1,umac-64@openssh.com,
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+hmac-md5-96-etm@openssh.com,
+hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 .Ed
@@ -770,6 +834,9 @@ Available keywords are
 .Cm AllowGroups ,
 .Cm AllowTcpForwarding ,
 .Cm AllowUsers ,
+.Cm AuthenticationMethods ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandUser ,
 .Cm AuthorizedKeysFile ,
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
@@ -1000,10 +1067,17 @@ The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 .It Cm RevokedKeys
-Specifies a list of revoked public keys.
+Specifies revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
+Keys may be specified as a text file, listing one public key per line, or as
+an OpenSSH Key Revocation List (KRL) as generated by
+.Xr ssh-keygen 1 .
+For more information on KRLs, see the
+.Sx KEY REVOCATION LISTS
+section in
+.Xr ssh-keygen 1 .
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.

diff --git a/sshd_config.5 b/sshd_config.5 index de2b776fd..251d847fd 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
37	.Dd $Mdocdate: June 29 2012 $	37	.Dd $Mdocdate: February 6 2013 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -151,6 +151,19 @@ in
151	for more information on patterns.	151	for more information on patterns.
152	.It Cm AllowTcpForwarding	152	.It Cm AllowTcpForwarding
153	Specifies whether TCP forwarding is permitted.	153	Specifies whether TCP forwarding is permitted.
		154	The available options are
		155	.Dq yes
		156	or
		157	.Dq all
		158	to allow TCP forwarding,
		159	.Dq no
		160	to prevent all TCP forwarding,
		161	.Dq local
		162	to allow local (from the perspective of
		163	.Xr ssh 1 )
		164	forwarding only or
		165	.Dq remote
		166	to allow remote forwarding only.
154	The default is	167	The default is
155	.Dq yes .	168	.Dq yes .
156	Note that disabling TCP forwarding does not improve security unless	169	Note that disabling TCP forwarding does not improve security unless
@@ -178,6 +191,45 @@ See
178	in	191	in
179	.Xr ssh_config 5	192	.Xr ssh_config 5
180	for more information on patterns.	193	for more information on patterns.
		194	.It Cm AuthenticationMethods
		195	Specifies the authentication methods that must be successfully completed
		196	for a user to be granted access.
		197	This option must be followed by one or more comma-separated lists of
		198	authentication method names.
		199	Successful authentication requires completion of every method in at least
		200	one of these lists.
		201	.Pp
		202	For example, an argument of
		203	.Dq publickey,password publickey,keyboard-interactive
		204	would require the user to complete public key authentication, followed by
		205	either password or keyboard interactive authentication.
		206	Only methods that are next in one or more lists are offered at each stage,
		207	so for this example, it would not be possible to attempt password or
		208	keyboard-interactive authentication before public key.
		209	.Pp
		210	This option is only available for SSH protocol 2 and will yield a fatal
		211	error if enabled if protocol 1 is also enabled.
		212	Note that each authentication method listed should also be explicitly enabled
		213	in the configuration.
		214	The default is not to require multiple authentication; successful completion
		215	of a single authentication method is sufficient.
		216	.It Cm AuthorizedKeysCommand
		217	Specifies a program to be used to look up the user's public keys.
		218	The program will be invoked with a single argument of the username
		219	being authenticated, and should produce on standard output zero or
		220	more lines of authorized_keys output (see
		221	.Sx AUTHORIZED_KEYS
		222	in
		223	.Xr sshd 8 ) .
		224	If a key supplied by AuthorizedKeysCommand does not successfully authenticate
		225	and authorize the user then public key authentication continues using the usual
		226	.Cm AuthorizedKeysFile
		227	files.
		228	By default, no AuthorizedKeysCommand is run.
		229	.It Cm AuthorizedKeysCommandUser
		230	Specifies the user under whose account the AuthorizedKeysCommand is run.
		231	It is recommended to use a dedicated user that has no other role on the host
		232	than running authorized keys commands.
181	.It Cm AuthorizedKeysFile	233	.It Cm AuthorizedKeysFile
182	Specifies the file that contains the public keys that can be used	234	Specifies the file that contains the public keys that can be used
183	for user authentication.	235	for user authentication.
@@ -310,6 +362,8 @@ The supported ciphers are
310	.Dq aes128-ctr ,	362	.Dq aes128-ctr ,
311	.Dq aes192-ctr ,	363	.Dq aes192-ctr ,
312	.Dq aes256-ctr ,	364	.Dq aes256-ctr ,
		365	.Dq aes128-gcm@openssh.com ,
		366	.Dq aes256-gcm@openssh.com ,
313	.Dq arcfour128 ,	367	.Dq arcfour128 ,
314	.Dq arcfour256 ,	368	.Dq arcfour256 ,
315	.Dq arcfour ,	369	.Dq arcfour ,
@@ -319,6 +373,7 @@ and
319	The default is:	373	The default is:
320	.Bd -literal -offset 3n	374	.Bd -literal -offset 3n
321	aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,	375	aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
		376	aes128-gcm@openssh.com,aes256-gcm@openssh.com,
322	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,	377	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
323	aes256-cbc,arcfour	378	aes256-cbc,arcfour
324	.Ed	379	.Ed
@@ -713,9 +768,18 @@ Specifies the available MAC (message authentication code) algorithms.
713	The MAC algorithm is used in protocol version 2	768	The MAC algorithm is used in protocol version 2
714	for data integrity protection.	769	for data integrity protection.
715	Multiple algorithms must be comma-separated.	770	Multiple algorithms must be comma-separated.
		771	The algorithms that contain
		772	.Dq -etm
		773	calculate the MAC after encryption (encrypt-then-mac).
		774	These are considered safer and their use recommended.
716	The default is:	775	The default is:
717	.Bd -literal -offset indent	776	.Bd -literal -offset indent
718	hmac-md5,hmac-sha1,umac-64@openssh.com,	777	hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
		778	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
		779	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
		780	hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
		781	hmac-md5-96-etm@openssh.com,
		782	hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
719	hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,	783	hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
720	hmac-sha1-96,hmac-md5-96	784	hmac-sha1-96,hmac-md5-96
721	.Ed	785	.Ed
@@ -770,6 +834,9 @@ Available keywords are
770	.Cm AllowGroups ,	834	.Cm AllowGroups ,
771	.Cm AllowTcpForwarding ,	835	.Cm AllowTcpForwarding ,
772	.Cm AllowUsers ,	836	.Cm AllowUsers ,
		837	.Cm AuthenticationMethods ,
		838	.Cm AuthorizedKeysCommand ,
		839	.Cm AuthorizedKeysCommandUser ,
773	.Cm AuthorizedKeysFile ,	840	.Cm AuthorizedKeysFile ,
774	.Cm AuthorizedPrincipalsFile ,	841	.Cm AuthorizedPrincipalsFile ,
775	.Cm Banner ,	842	.Cm Banner ,
@@ -1000,10 +1067,17 @@ The default is
1000	.Dq yes .	1067	.Dq yes .
1001	Note that this option applies to protocol version 2 only.	1068	Note that this option applies to protocol version 2 only.
1002	.It Cm RevokedKeys	1069	.It Cm RevokedKeys
1003	Specifies a list of revoked public keys.	1070	Specifies revoked public keys.
1004	Keys listed in this file will be refused for public key authentication.	1071	Keys listed in this file will be refused for public key authentication.
1005	Note that if this file is not readable, then public key authentication will	1072	Note that if this file is not readable, then public key authentication will
1006	be refused for all users.	1073	be refused for all users.
		1074	Keys may be specified as a text file, listing one public key per line, or as
		1075	an OpenSSH Key Revocation List (KRL) as generated by
		1076	.Xr ssh-keygen 1 .
		1077	For more information on KRLs, see the
		1078	.Sx KEY REVOCATION LISTS
		1079	section in
		1080	.Xr ssh-keygen 1 .
1007	.It Cm RhostsRSAAuthentication	1081	.It Cm RhostsRSAAuthentication
1008	Specifies whether rhosts or /etc/hosts.equiv authentication together	1082	Specifies whether rhosts or /etc/hosts.equiv authentication together
1009	with successful RSA host authentication is allowed.	1083	with successful RSA host authentication is allowed.