1 files changed, 36 insertions, 18 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index b224f2929..9486f2a1c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.284 2019/03/22 20:58:34 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
-.Dd $Mdocdate: March 22 2019 $
+.Dd $Mdocdate: September 6 2019 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -277,9 +277,7 @@ is not, then
 will refuse to start.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys used for user authentication.
-The format is described in the
+The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
-.Sx AUTHORIZED_KEYS FILE FORMAT
-section of
 .Xr sshd 8 .
 Arguments to
 .Cm AuthorizedKeysFile
@@ -387,7 +385,7 @@ Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
 The default is:
 .Bd -literal -offset indent
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
@@ -456,14 +454,18 @@ indicating not to
 .It Cm Ciphers
 Specifies the ciphers allowed.
 Multiple ciphers must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified ciphers will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Pp
@@ -514,7 +516,7 @@ The TCP keepalive option enabled by
 .Cm TCPKeepAlive
 is spoofable.
 The client alive mechanism is valuable when the client or
-server depend on knowing when a connection has become inactive.
+server depend on knowing when a connection has become unresponsive.
 .Pp
 The default value is 3.
 If
@@ -670,14 +672,18 @@ The default is
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a list of comma-separated patterns.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -875,14 +881,18 @@ The default is
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified methods will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
@@ -992,14 +1002,18 @@ Logging with a DEBUG level violates the privacy of users and is not recommended.
 Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used for data integrity protection.
 Multiple algorithms must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1157,7 +1171,7 @@ Available keywords are
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and
-.Cm X11UseLocalHost .
+.Cm X11UseLocalhost .
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.
@@ -1397,14 +1411,18 @@ The default is
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be accepted for public key authentication
 as a list of comma-separated patterns.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,

diff --git a/sshd_config.5 b/sshd_config.5 index b224f2929..9486f2a1c 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.284 2019/03/22 20:58:34 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
37	.Dd $Mdocdate: March 22 2019 $	37	.Dd $Mdocdate: September 6 2019 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -277,9 +277,7 @@ is not, then
277	will refuse to start.	277	will refuse to start.
278	.It Cm AuthorizedKeysFile	278	.It Cm AuthorizedKeysFile
279	Specifies the file that contains the public keys used for user authentication.	279	Specifies the file that contains the public keys used for user authentication.
280	The format is described in the	280	The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
281	.Sx AUTHORIZED_KEYS FILE FORMAT
282	section of
283	.Xr sshd 8 .	281	.Xr sshd 8 .
284	Arguments to	282	Arguments to
285	.Cm AuthorizedKeysFile	283	.Cm AuthorizedKeysFile
@@ -387,7 +385,7 @@ Specifies which algorithms are allowed for signing of certificates
387	by certificate authorities (CAs).	385	by certificate authorities (CAs).
388	The default is:	386	The default is:
389	.Bd -literal -offset indent	387	.Bd -literal -offset indent
390	ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	388	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
391	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	389	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
392	.Ed	390	.Ed
393	.Pp	391	.Pp
@@ -456,14 +454,18 @@ indicating not to
456	.It Cm Ciphers	454	.It Cm Ciphers
457	Specifies the ciphers allowed.	455	Specifies the ciphers allowed.
458	Multiple ciphers must be comma-separated.	456	Multiple ciphers must be comma-separated.
459	If the specified value begins with a	457	If the specified list begins with a
460	.Sq +	458	.Sq +
461	character, then the specified ciphers will be appended to the default set	459	character, then the specified ciphers will be appended to the default set
462	instead of replacing them.	460	instead of replacing them.
463	If the specified value begins with a	461	If the specified list begins with a
464	.Sq -	462	.Sq -
465	character, then the specified ciphers (including wildcards) will be removed	463	character, then the specified ciphers (including wildcards) will be removed
466	from the default set instead of replacing them.	464	from the default set instead of replacing them.
		465	If the specified list begins with a
		466	.Sq ^
		467	character, then the specified ciphers will be placed at the head of the
		468	default set.
467	.Pp	469	.Pp
468	The supported ciphers are:	470	The supported ciphers are:
469	.Pp	471	.Pp
@@ -514,7 +516,7 @@ The TCP keepalive option enabled by
514	.Cm TCPKeepAlive	516	.Cm TCPKeepAlive
515	is spoofable.	517	is spoofable.
516	The client alive mechanism is valuable when the client or	518	The client alive mechanism is valuable when the client or
517	server depend on knowing when a connection has become inactive.	519	server depend on knowing when a connection has become unresponsive.
518	.Pp	520	.Pp
519	The default value is 3.	521	The default value is 3.
520	If	522	If
@@ -670,14 +672,18 @@ The default is
670	.It Cm HostbasedAcceptedKeyTypes	672	.It Cm HostbasedAcceptedKeyTypes
671	Specifies the key types that will be accepted for hostbased authentication	673	Specifies the key types that will be accepted for hostbased authentication
672	as a list of comma-separated patterns.	674	as a list of comma-separated patterns.
673	Alternately if the specified value begins with a	675	Alternately if the specified list begins with a
674	.Sq +	676	.Sq +
675	character, then the specified key types will be appended to the default set	677	character, then the specified key types will be appended to the default set
676	instead of replacing them.	678	instead of replacing them.
677	If the specified value begins with a	679	If the specified list begins with a
678	.Sq -	680	.Sq -
679	character, then the specified key types (including wildcards) will be removed	681	character, then the specified key types (including wildcards) will be removed
680	from the default set instead of replacing them.	682	from the default set instead of replacing them.
		683	If the specified list begins with a
		684	.Sq ^
		685	character, then the specified key types will be placed at the head of the
		686	default set.
681	The default for this option is:	687	The default for this option is:
682	.Bd -literal -offset 3n	688	.Bd -literal -offset 3n
683	ecdsa-sha2-nistp256-cert-v01@openssh.com,	689	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -875,14 +881,18 @@ The default is
875	.It Cm KexAlgorithms	881	.It Cm KexAlgorithms
876	Specifies the available KEX (Key Exchange) algorithms.	882	Specifies the available KEX (Key Exchange) algorithms.
877	Multiple algorithms must be comma-separated.	883	Multiple algorithms must be comma-separated.
878	Alternately if the specified value begins with a	884	Alternately if the specified list begins with a
879	.Sq +	885	.Sq +
880	character, then the specified methods will be appended to the default set	886	character, then the specified methods will be appended to the default set
881	instead of replacing them.	887	instead of replacing them.
882	If the specified value begins with a	888	If the specified list begins with a
883	.Sq -	889	.Sq -
884	character, then the specified methods (including wildcards) will be removed	890	character, then the specified methods (including wildcards) will be removed
885	from the default set instead of replacing them.	891	from the default set instead of replacing them.
		892	If the specified list begins with a
		893	.Sq ^
		894	character, then the specified methods will be placed at the head of the
		895	default set.
886	The supported algorithms are:	896	The supported algorithms are:
887	.Pp	897	.Pp
888	.Bl -item -compact -offset indent	898	.Bl -item -compact -offset indent
@@ -992,14 +1002,18 @@ Logging with a DEBUG level violates the privacy of users and is not recommended.
992	Specifies the available MAC (message authentication code) algorithms.	1002	Specifies the available MAC (message authentication code) algorithms.
993	The MAC algorithm is used for data integrity protection.	1003	The MAC algorithm is used for data integrity protection.
994	Multiple algorithms must be comma-separated.	1004	Multiple algorithms must be comma-separated.
995	If the specified value begins with a	1005	If the specified list begins with a
996	.Sq +	1006	.Sq +
997	character, then the specified algorithms will be appended to the default set	1007	character, then the specified algorithms will be appended to the default set
998	instead of replacing them.	1008	instead of replacing them.
999	If the specified value begins with a	1009	If the specified list begins with a
1000	.Sq -	1010	.Sq -
1001	character, then the specified algorithms (including wildcards) will be removed	1011	character, then the specified algorithms (including wildcards) will be removed
1002	from the default set instead of replacing them.	1012	from the default set instead of replacing them.
		1013	If the specified list begins with a
		1014	.Sq ^
		1015	character, then the specified algorithms will be placed at the head of the
		1016	default set.
1003	.Pp	1017	.Pp
1004	The algorithms that contain	1018	The algorithms that contain
1005	.Qq -etm	1019	.Qq -etm
@@ -1157,7 +1171,7 @@ Available keywords are
1157	.Cm X11DisplayOffset ,	1171	.Cm X11DisplayOffset ,
1158	.Cm X11Forwarding	1172	.Cm X11Forwarding
1159	and	1173	and
1160	.Cm X11UseLocalHost .	1174	.Cm X11UseLocalhost .
1161	.It Cm MaxAuthTries	1175	.It Cm MaxAuthTries
1162	Specifies the maximum number of authentication attempts permitted per	1176	Specifies the maximum number of authentication attempts permitted per
1163	connection.	1177	connection.
@@ -1397,14 +1411,18 @@ The default is
1397	.It Cm PubkeyAcceptedKeyTypes	1411	.It Cm PubkeyAcceptedKeyTypes
1398	Specifies the key types that will be accepted for public key authentication	1412	Specifies the key types that will be accepted for public key authentication
1399	as a list of comma-separated patterns.	1413	as a list of comma-separated patterns.
1400	Alternately if the specified value begins with a	1414	Alternately if the specified list begins with a
1401	.Sq +	1415	.Sq +
1402	character, then the specified key types will be appended to the default set	1416	character, then the specified key types will be appended to the default set
1403	instead of replacing them.	1417	instead of replacing them.
1404	If the specified value begins with a	1418	If the specified list begins with a
1405	.Sq -	1419	.Sq -
1406	character, then the specified key types (including wildcards) will be removed	1420	character, then the specified key types (including wildcards) will be removed
1407	from the default set instead of replacing them.	1421	from the default set instead of replacing them.
		1422	If the specified list begins with a
		1423	.Sq ^
		1424	character, then the specified key types will be placed at the head of the
		1425	default set.
1408	The default for this option is:	1426	The default for this option is:
1409	.Bd -literal -offset 3n	1427	.Bd -literal -offset 3n
1410	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1428	ecdsa-sha2-nistp256-cert-v01@openssh.com,