1 files changed, 36 insertions, 18 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index e5380f5dc..ba533af9e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.284 2019/03/22 20:58:34 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
-.Dd $Mdocdate: March 22 2019 $
+.Dd $Mdocdate: September 6 2019 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -299,9 +299,7 @@ is not, then
 will refuse to start.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys used for user authentication.
-The format is described in the
+The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
-.Sx AUTHORIZED_KEYS FILE FORMAT
-section of
 .Xr sshd 8 .
 Arguments to
 .Cm AuthorizedKeysFile
@@ -409,7 +407,7 @@ Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
 The default is:
 .Bd -literal -offset indent
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
@@ -477,14 +475,18 @@ indicating not to
 .It Cm Ciphers
 Specifies the ciphers allowed.
 Multiple ciphers must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified ciphers will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Pp
@@ -535,7 +537,7 @@ The TCP keepalive option enabled by
 .Cm TCPKeepAlive
 is spoofable.
 The client alive mechanism is valuable when the client or
-server depend on knowing when a connection has become inactive.
+server depend on knowing when a connection has become unresponsive.
 .Pp
 The default value is 3.
 If
@@ -726,14 +728,18 @@ This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a list of comma-separated patterns.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -929,14 +935,18 @@ The default is
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified methods will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
@@ -1046,14 +1056,18 @@ Logging with a DEBUG level violates the privacy of users and is not recommended.
 Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used for data integrity protection.
 Multiple algorithms must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1211,7 +1225,7 @@ Available keywords are
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and
-.Cm X11UseLocalHost .
+.Cm X11UseLocalhost .
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.
@@ -1451,14 +1465,18 @@ The default is
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be accepted for public key authentication
 as a list of comma-separated patterns.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,

diff --git a/sshd_config.5 b/sshd_config.5 index e5380f5dc..ba533af9e 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.284 2019/03/22 20:58:34 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
37	.Dd $Mdocdate: March 22 2019 $	37	.Dd $Mdocdate: September 6 2019 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -299,9 +299,7 @@ is not, then
299	will refuse to start.	299	will refuse to start.
300	.It Cm AuthorizedKeysFile	300	.It Cm AuthorizedKeysFile
301	Specifies the file that contains the public keys used for user authentication.	301	Specifies the file that contains the public keys used for user authentication.
302	The format is described in the	302	The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
303	.Sx AUTHORIZED_KEYS FILE FORMAT
304	section of
305	.Xr sshd 8 .	303	.Xr sshd 8 .
306	Arguments to	304	Arguments to
307	.Cm AuthorizedKeysFile	305	.Cm AuthorizedKeysFile
@@ -409,7 +407,7 @@ Specifies which algorithms are allowed for signing of certificates
409	by certificate authorities (CAs).	407	by certificate authorities (CAs).
410	The default is:	408	The default is:
411	.Bd -literal -offset indent	409	.Bd -literal -offset indent
412	ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	410	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
413	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	411	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
414	.Ed	412	.Ed
415	.Pp	413	.Pp
@@ -477,14 +475,18 @@ indicating not to
477	.It Cm Ciphers	475	.It Cm Ciphers
478	Specifies the ciphers allowed.	476	Specifies the ciphers allowed.
479	Multiple ciphers must be comma-separated.	477	Multiple ciphers must be comma-separated.
480	If the specified value begins with a	478	If the specified list begins with a
481	.Sq +	479	.Sq +
482	character, then the specified ciphers will be appended to the default set	480	character, then the specified ciphers will be appended to the default set
483	instead of replacing them.	481	instead of replacing them.
484	If the specified value begins with a	482	If the specified list begins with a
485	.Sq -	483	.Sq -
486	character, then the specified ciphers (including wildcards) will be removed	484	character, then the specified ciphers (including wildcards) will be removed
487	from the default set instead of replacing them.	485	from the default set instead of replacing them.
		486	If the specified list begins with a
		487	.Sq ^
		488	character, then the specified ciphers will be placed at the head of the
		489	default set.
488	.Pp	490	.Pp
489	The supported ciphers are:	491	The supported ciphers are:
490	.Pp	492	.Pp
@@ -535,7 +537,7 @@ The TCP keepalive option enabled by
535	.Cm TCPKeepAlive	537	.Cm TCPKeepAlive
536	is spoofable.	538	is spoofable.
537	The client alive mechanism is valuable when the client or	539	The client alive mechanism is valuable when the client or
538	server depend on knowing when a connection has become inactive.	540	server depend on knowing when a connection has become unresponsive.
539	.Pp	541	.Pp
540	The default value is 3.	542	The default value is 3.
541	If	543	If
@@ -726,14 +728,18 @@ This option only applies to protocol version 2 connections using GSSAPI.
726	.It Cm HostbasedAcceptedKeyTypes	728	.It Cm HostbasedAcceptedKeyTypes
727	Specifies the key types that will be accepted for hostbased authentication	729	Specifies the key types that will be accepted for hostbased authentication
728	as a list of comma-separated patterns.	730	as a list of comma-separated patterns.
729	Alternately if the specified value begins with a	731	Alternately if the specified list begins with a
730	.Sq +	732	.Sq +
731	character, then the specified key types will be appended to the default set	733	character, then the specified key types will be appended to the default set
732	instead of replacing them.	734	instead of replacing them.
733	If the specified value begins with a	735	If the specified list begins with a
734	.Sq -	736	.Sq -
735	character, then the specified key types (including wildcards) will be removed	737	character, then the specified key types (including wildcards) will be removed
736	from the default set instead of replacing them.	738	from the default set instead of replacing them.
		739	If the specified list begins with a
		740	.Sq ^
		741	character, then the specified key types will be placed at the head of the
		742	default set.
737	The default for this option is:	743	The default for this option is:
738	.Bd -literal -offset 3n	744	.Bd -literal -offset 3n
739	ecdsa-sha2-nistp256-cert-v01@openssh.com,	745	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -929,14 +935,18 @@ The default is
929	.It Cm KexAlgorithms	935	.It Cm KexAlgorithms
930	Specifies the available KEX (Key Exchange) algorithms.	936	Specifies the available KEX (Key Exchange) algorithms.
931	Multiple algorithms must be comma-separated.	937	Multiple algorithms must be comma-separated.
932	Alternately if the specified value begins with a	938	Alternately if the specified list begins with a
933	.Sq +	939	.Sq +
934	character, then the specified methods will be appended to the default set	940	character, then the specified methods will be appended to the default set
935	instead of replacing them.	941	instead of replacing them.
936	If the specified value begins with a	942	If the specified list begins with a
937	.Sq -	943	.Sq -
938	character, then the specified methods (including wildcards) will be removed	944	character, then the specified methods (including wildcards) will be removed
939	from the default set instead of replacing them.	945	from the default set instead of replacing them.
		946	If the specified list begins with a
		947	.Sq ^
		948	character, then the specified methods will be placed at the head of the
		949	default set.
940	The supported algorithms are:	950	The supported algorithms are:
941	.Pp	951	.Pp
942	.Bl -item -compact -offset indent	952	.Bl -item -compact -offset indent
@@ -1046,14 +1056,18 @@ Logging with a DEBUG level violates the privacy of users and is not recommended.
1046	Specifies the available MAC (message authentication code) algorithms.	1056	Specifies the available MAC (message authentication code) algorithms.
1047	The MAC algorithm is used for data integrity protection.	1057	The MAC algorithm is used for data integrity protection.
1048	Multiple algorithms must be comma-separated.	1058	Multiple algorithms must be comma-separated.
1049	If the specified value begins with a	1059	If the specified list begins with a
1050	.Sq +	1060	.Sq +
1051	character, then the specified algorithms will be appended to the default set	1061	character, then the specified algorithms will be appended to the default set
1052	instead of replacing them.	1062	instead of replacing them.
1053	If the specified value begins with a	1063	If the specified list begins with a
1054	.Sq -	1064	.Sq -
1055	character, then the specified algorithms (including wildcards) will be removed	1065	character, then the specified algorithms (including wildcards) will be removed
1056	from the default set instead of replacing them.	1066	from the default set instead of replacing them.
		1067	If the specified list begins with a
		1068	.Sq ^
		1069	character, then the specified algorithms will be placed at the head of the
		1070	default set.
1057	.Pp	1071	.Pp
1058	The algorithms that contain	1072	The algorithms that contain
1059	.Qq -etm	1073	.Qq -etm
@@ -1211,7 +1225,7 @@ Available keywords are
1211	.Cm X11DisplayOffset ,	1225	.Cm X11DisplayOffset ,
1212	.Cm X11Forwarding	1226	.Cm X11Forwarding
1213	and	1227	and
1214	.Cm X11UseLocalHost .	1228	.Cm X11UseLocalhost .
1215	.It Cm MaxAuthTries	1229	.It Cm MaxAuthTries
1216	Specifies the maximum number of authentication attempts permitted per	1230	Specifies the maximum number of authentication attempts permitted per
1217	connection.	1231	connection.
@@ -1451,14 +1465,18 @@ The default is
1451	.It Cm PubkeyAcceptedKeyTypes	1465	.It Cm PubkeyAcceptedKeyTypes
1452	Specifies the key types that will be accepted for public key authentication	1466	Specifies the key types that will be accepted for public key authentication
1453	as a list of comma-separated patterns.	1467	as a list of comma-separated patterns.
1454	Alternately if the specified value begins with a	1468	Alternately if the specified list begins with a
1455	.Sq +	1469	.Sq +
1456	character, then the specified key types will be appended to the default set	1470	character, then the specified key types will be appended to the default set
1457	instead of replacing them.	1471	instead of replacing them.
1458	If the specified value begins with a	1472	If the specified list begins with a
1459	.Sq -	1473	.Sq -
1460	character, then the specified key types (including wildcards) will be removed	1474	character, then the specified key types (including wildcards) will be removed
1461	from the default set instead of replacing them.	1475	from the default set instead of replacing them.
		1476	If the specified list begins with a
		1477	.Sq ^
		1478	character, then the specified key types will be placed at the head of the
		1479	default set.
1462	The default for this option is:	1480	The default for this option is:
1463	.Bd -literal -offset 3n	1481	.Bd -literal -offset 3n
1464	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1482	ecdsa-sha2-nistp256-cert-v01@openssh.com,