1 files changed, 26 insertions, 14 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index d25b2f3d5..88db4db07 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.307 2020/02/07 03:54:44 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.311 2020/04/17 06:12:41 jmc Exp $
-.Dd $Mdocdate: February 7 2020 $
+.Dd $Mdocdate: April 17 2020 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -276,12 +276,10 @@ more lines of authorized_keys output (see
 .Sx AUTHORIZED_KEYS
 in
 .Xr sshd 8 ) .
-If a key supplied by
 .Cm AuthorizedKeysCommand
-does not successfully authenticate
+is tried after the usual
-and authorize the user then public key authentication continues using the usual
 .Cm AuthorizedKeysFile
-files.
+files and will not be executed if a matching key is found there.
 By default, no
 .Cm AuthorizedKeysCommand
 is run.
@@ -721,8 +719,8 @@ gss-curve25519-sha256-
 .Ed
 .Pp
 The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- .
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
-This option only applies to protocol version 2 connections using GSSAPI.
+This option only applies to connections using GSSAPI.
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a list of comma-separated patterns.
@@ -841,19 +839,32 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
 The list of available key types may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 .It Cm IgnoreRhosts
-Specifies that
+Specifies whether to ignore per-user
 .Pa .rhosts
 and
 .Pa .shosts
-files will not be used in
+files during
 .Cm HostbasedAuthentication .
-.Pp
+The system-wide
 .Pa /etc/hosts.equiv
 and
 .Pa /etc/shosts.equiv
-are still used.
+are still used regardless of this setting.
-The default is
+.Pp
-.Cm yes .
+Accepted values are
+.Cm yes
+(the default) to ignore all per-user files,
+.Cm shosts-only
+to allow the use of
+.Pa .shosts
+but to ignore
+.Pa .rhosts
+or
+.Cm no
+to allow both
+.Pa .shosts
+and
+.Pa rhosts .
 .It Cm IgnoreUserKnownHosts
 Specifies whether
 .Xr sshd 8
@@ -1223,6 +1234,7 @@ Available keywords are
 .Cm HostbasedAcceptedKeyTypes ,
 .Cm HostbasedAuthentication ,
 .Cm HostbasedUsesNameFromPacketOnly ,
+.Cm IgnoreRhosts ,
 .Cm Include ,
 .Cm IPQoS ,
 .Cm KbdInteractiveAuthentication ,

diff --git a/sshd_config.5 b/sshd_config.5 index d25b2f3d5..88db4db07 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.307 2020/02/07 03:54:44 dtucker Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.311 2020/04/17 06:12:41 jmc Exp $
37	.Dd $Mdocdate: February 7 2020 $	37	.Dd $Mdocdate: April 17 2020 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -276,12 +276,10 @@ more lines of authorized_keys output (see
276	.Sx AUTHORIZED_KEYS	276	.Sx AUTHORIZED_KEYS
277	in	277	in
278	.Xr sshd 8 ) .	278	.Xr sshd 8 ) .
279	If a key supplied by
280	.Cm AuthorizedKeysCommand	279	.Cm AuthorizedKeysCommand
281	does not successfully authenticate	280	is tried after the usual
282	and authorize the user then public key authentication continues using the usual
283	.Cm AuthorizedKeysFile	281	.Cm AuthorizedKeysFile
284	files.	282	files and will not be executed if a matching key is found there.
285	By default, no	283	By default, no
286	.Cm AuthorizedKeysCommand	284	.Cm AuthorizedKeysCommand
287	is run.	285	is run.
@@ -721,8 +719,8 @@ gss-curve25519-sha256-
721	.Ed	719	.Ed
722	.Pp	720	.Pp
723	The default is	721	The default is
724	.Dq gss-gex-sha1-,gss-group14-sha1- .	722	.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
725	This option only applies to protocol version 2 connections using GSSAPI.	723	This option only applies to connections using GSSAPI.
726	.It Cm HostbasedAcceptedKeyTypes	724	.It Cm HostbasedAcceptedKeyTypes
727	Specifies the key types that will be accepted for hostbased authentication	725	Specifies the key types that will be accepted for hostbased authentication
728	as a list of comma-separated patterns.	726	as a list of comma-separated patterns.
@@ -841,19 +839,32 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
841	The list of available key types may also be obtained using	839	The list of available key types may also be obtained using
842	.Qq ssh -Q HostKeyAlgorithms .	840	.Qq ssh -Q HostKeyAlgorithms .
843	.It Cm IgnoreRhosts	841	.It Cm IgnoreRhosts
844	Specifies that	842	Specifies whether to ignore per-user
845	.Pa .rhosts	843	.Pa .rhosts
846	and	844	and
847	.Pa .shosts	845	.Pa .shosts
848	files will not be used in	846	files during
849	.Cm HostbasedAuthentication .	847	.Cm HostbasedAuthentication .
850	.Pp	848	The system-wide
851	.Pa /etc/hosts.equiv	849	.Pa /etc/hosts.equiv
852	and	850	and
853	.Pa /etc/shosts.equiv	851	.Pa /etc/shosts.equiv
854	are still used.	852	are still used regardless of this setting.
855	The default is	853	.Pp
856	.Cm yes .	854	Accepted values are
		855	.Cm yes
		856	(the default) to ignore all per-user files,
		857	.Cm shosts-only
		858	to allow the use of
		859	.Pa .shosts
		860	but to ignore
		861	.Pa .rhosts
		862	or
		863	.Cm no
		864	to allow both
		865	.Pa .shosts
		866	and
		867	.Pa rhosts .
857	.It Cm IgnoreUserKnownHosts	868	.It Cm IgnoreUserKnownHosts
858	Specifies whether	869	Specifies whether
859	.Xr sshd 8	870	.Xr sshd 8
@@ -1223,6 +1234,7 @@ Available keywords are
1223	.Cm HostbasedAcceptedKeyTypes ,	1234	.Cm HostbasedAcceptedKeyTypes ,
1224	.Cm HostbasedAuthentication ,	1235	.Cm HostbasedAuthentication ,
1225	.Cm HostbasedUsesNameFromPacketOnly ,	1236	.Cm HostbasedUsesNameFromPacketOnly ,
		1237	.Cm IgnoreRhosts ,
1226	.Cm Include ,	1238	.Cm Include ,
1227	.Cm IPQoS ,	1239	.Cm IPQoS ,
1228	.Cm KbdInteractiveAuthentication ,	1240	.Cm KbdInteractiveAuthentication ,