1 files changed, 80 insertions, 25 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index db1f2fd69..eb6bff85f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.194 2015/02/20 23:46:01 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.204 2015/06/05 03:44:14 djm Exp $
-.Dd $Mdocdate: February 20 2015 $
+.Dd $Mdocdate: June 5 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -95,7 +95,11 @@ See
 in
 .Xr ssh_config 5
 for how to configure the client.
-Note that environment passing is only supported for protocol 2.
+Note that environment passing is only supported for protocol 2, and
+that the
+.Ev TERM
+environment variable is always sent whenever the client
+requests a pseudo-terminal as it is required by the protocol.
 Variables are specified by name, which may contain the wildcard characters
 .Ql *
 and
@@ -255,9 +259,21 @@ The default is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
-The program must be owned by root and not writable by group or others.
+The program must be owned by root, not writable by group or others and
-It will be invoked with a single argument of the username
+specified by an absolute path.
-being authenticated, and should produce on standard output zero or
+.Pp
+Arguments to
+.Cm AuthorizedKeysCommand
+may be provided using the following tokens, which will be expanded
+at runtime: %% is replaced by a literal '%', %u is replaced by the
+username being authenticated, %h is replaced by the home directory
+of the user being authenticated, %t is replaced with the key type
+offered for authentication, %f is replaced with the fingerprint of
+the key, and %k is replaced with the key being offered for authentication.
+If no arguments are specified then the username of the target user
+will be supplied.
+.Pp
+The program should produce on standard output zero or
 more lines of authorized_keys output (see AUTHORIZED_KEYS in
 .Xr sshd 8 ) .
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
@@ -296,6 +312,42 @@ directory.
 Multiple files may be listed, separated by whitespace.
 The default is
 .Dq .ssh/authorized_keys .ssh/authorized_keys2 .
+.It Cm AuthorizedPrincipalsCommand
+Specifies a program to be used to generate the list of allowed
+certificate principals as per
+.Cm AuthorizedPrincipalsFile .
+The program must be owned by root, not writable by group or others and
+specified by an absolute path.
+.Pp
+Arguments to
+.Cm AuthorizedPrincipalsCommand
+may be provided using the following tokens, which will be expanded
+at runtime: %% is replaced by a literal '%', %u is replaced by the
+username being authenticated and %h is replaced by the home directory
+of the user being authenticated.
+.Pp
+The program should produce on standard output zero or
+more lines of
+.Cm AuthorizedPrincipalsFile
+output.
+If either
+.Cm AuthorizedPrincipalsCommand
+or
+.Cm AuthorizedPrincipalsFile
+is specified, then certificates offered by the client for authentication
+must contain a principal that is listed.
+By default, no AuthorizedPrincipalsCommand is run.
+.It Cm AuthorizedPrincipalsCommandUser
+Specifies the user under whose account the AuthorizedPrincipalsCommand is run.
+It is recommended to use a dedicated user that has no other role on the host
+than running authorized principals commands.
+If
+.Cm AuthorizedPrincipalsCommand
+is specified but
+.Cm AuthorizedPrincipalsCommandUser
+is not, then
+.Xr sshd 8
+will refuse to start.
 .It Cm AuthorizedPrincipalsFile
 Specifies a file that lists principal names that are accepted for
 certificate authentication.
@@ -606,22 +658,20 @@ The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 .It Cm GSSAPIStrictAcceptorCheck
-Determines whether to be strict about the identity of the GSSAPI acceptor 
+Determines whether to be strict about the identity of the GSSAPI acceptor
-a client authenticates against. If
+a client authenticates against.
+If set to
 .Dq yes
 then the client must authenticate against the
 .Pa host
-service on the current hostname. If 
+service on the current hostname.
+If set to
 .Dq no
-then the client may authenticate against any service key stored in the 
+then the client may authenticate against any service key stored in the
-machine's default store. This facility is provided to assist with operation 
+machine's default store.
-on multi homed machines. 
+This facility is provided to assist with operation on multi homed machines.
 The default is
 .Dq yes .
-Note that this option applies only to protocol version 2 GSSAPI connections,
-and setting it to 
-.Dq no
-may only work with recent Kerberos GSSAPI libraries.
 .It Cm GSSAPIStoreCredentialsOnRekey
 Controls whether the user's GSSAPI credentials should be updated following a 
 successful connection rekeying. This option can be used to accepted renewed 
@@ -883,16 +933,13 @@ The following forms may be used:
 If
 .Ar port
 is not specified,
-sshd will listen on the address and all prior
+sshd will listen on the address and all
 .Cm Port
 options specified.
 The default is to listen on all local addresses.
 Multiple
 .Cm ListenAddress
 options are permitted.
-Additionally, any
-.Cm Port
-options must precede this option for non-port qualified addresses.
 .It Cm LoginGraceTime
 The server disconnects after this time if the user has not
 successfully logged in.
@@ -1150,7 +1197,7 @@ The argument must be
 or
 .Dq no .
 The default is
-.Dq yes .
+.Dq no .
 .Pp
 If this option is set to
 .Dq without-password ,
@@ -1220,7 +1267,9 @@ The default is
 .Dq yes .
 .It Cm PidFile
 Specifies the file that contains the process ID of the
-SSH daemon.
+SSH daemon, or
+.Dq none
+to not write one.
 The default is
 .Pa /var/run/sshd.pid .
 .It Cm Port
@@ -1310,7 +1359,9 @@ which means that rekeying is performed after the cipher's default amount
 of data has been sent or received and no time based rekeying is done.
 This option applies to protocol version 2 only.
 .It Cm RevokedKeys
-Specifies revoked public keys.
+Specifies revoked public keys file, or
+.Dq none
+to not use one.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
@@ -1426,7 +1477,9 @@ This option was formerly called
 .Cm KeepAlive .
 .It Cm TrustedUserCAKeys
 Specifies a file containing public keys of certificate authorities that are
-trusted to sign user certificates for authentication.
+trusted to sign user certificates for authentication, or
+.Dq none
+to not use one.
 Keys are listed one per line; empty lines and comments starting with
 .Ql #
 are allowed.
@@ -1579,7 +1632,9 @@ The default is
 .It Cm XAuthLocation
 Specifies the full pathname of the
 .Xr xauth 1
-program.
+program, or
+.Dq none
+to not use one.
 The default is
 .Pa /usr/X11R6/bin/xauth .
 .El

diff --git a/sshd_config.5 b/sshd_config.5 index db1f2fd69..eb6bff85f 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.194 2015/02/20 23:46:01 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.204 2015/06/05 03:44:14 djm Exp $
37	.Dd $Mdocdate: February 20 2015 $	37	.Dd $Mdocdate: June 5 2015 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -95,7 +95,11 @@ See
95	in	95	in
96	.Xr ssh_config 5	96	.Xr ssh_config 5
97	for how to configure the client.	97	for how to configure the client.
98	Note that environment passing is only supported for protocol 2.	98	Note that environment passing is only supported for protocol 2, and
		99	that the
		100	.Ev TERM
		101	environment variable is always sent whenever the client
		102	requests a pseudo-terminal as it is required by the protocol.
99	Variables are specified by name, which may contain the wildcard characters	103	Variables are specified by name, which may contain the wildcard characters
100	.Ql *	104	.Ql *
101	and	105	and
@@ -255,9 +259,21 @@ The default is not to require multiple authentication; successful completion
255	of a single authentication method is sufficient.	259	of a single authentication method is sufficient.
256	.It Cm AuthorizedKeysCommand	260	.It Cm AuthorizedKeysCommand
257	Specifies a program to be used to look up the user's public keys.	261	Specifies a program to be used to look up the user's public keys.
258	The program must be owned by root and not writable by group or others.	262	The program must be owned by root, not writable by group or others and
259	It will be invoked with a single argument of the username	263	specified by an absolute path.
260	being authenticated, and should produce on standard output zero or	264	.Pp
		265	Arguments to
		266	.Cm AuthorizedKeysCommand
		267	may be provided using the following tokens, which will be expanded
		268	at runtime: %% is replaced by a literal '%', %u is replaced by the
		269	username being authenticated, %h is replaced by the home directory
		270	of the user being authenticated, %t is replaced with the key type
		271	offered for authentication, %f is replaced with the fingerprint of
		272	the key, and %k is replaced with the key being offered for authentication.
		273	If no arguments are specified then the username of the target user
		274	will be supplied.
		275	.Pp
		276	The program should produce on standard output zero or
261	more lines of authorized_keys output (see AUTHORIZED_KEYS in	277	more lines of authorized_keys output (see AUTHORIZED_KEYS in
262	.Xr sshd 8 ) .	278	.Xr sshd 8 ) .
263	If a key supplied by AuthorizedKeysCommand does not successfully authenticate	279	If a key supplied by AuthorizedKeysCommand does not successfully authenticate
@@ -296,6 +312,42 @@ directory.
296	Multiple files may be listed, separated by whitespace.	312	Multiple files may be listed, separated by whitespace.
297	The default is	313	The default is
298	.Dq .ssh/authorized_keys .ssh/authorized_keys2 .	314	.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
		315	.It Cm AuthorizedPrincipalsCommand
		316	Specifies a program to be used to generate the list of allowed
		317	certificate principals as per
		318	.Cm AuthorizedPrincipalsFile .
		319	The program must be owned by root, not writable by group or others and
		320	specified by an absolute path.
		321	.Pp
		322	Arguments to
		323	.Cm AuthorizedPrincipalsCommand
		324	may be provided using the following tokens, which will be expanded
		325	at runtime: %% is replaced by a literal '%', %u is replaced by the
		326	username being authenticated and %h is replaced by the home directory
		327	of the user being authenticated.
		328	.Pp
		329	The program should produce on standard output zero or
		330	more lines of
		331	.Cm AuthorizedPrincipalsFile
		332	output.
		333	If either
		334	.Cm AuthorizedPrincipalsCommand
		335	or
		336	.Cm AuthorizedPrincipalsFile
		337	is specified, then certificates offered by the client for authentication
		338	must contain a principal that is listed.
		339	By default, no AuthorizedPrincipalsCommand is run.
		340	.It Cm AuthorizedPrincipalsCommandUser
		341	Specifies the user under whose account the AuthorizedPrincipalsCommand is run.
		342	It is recommended to use a dedicated user that has no other role on the host
		343	than running authorized principals commands.
		344	If
		345	.Cm AuthorizedPrincipalsCommand
		346	is specified but
		347	.Cm AuthorizedPrincipalsCommandUser
		348	is not, then
		349	.Xr sshd 8
		350	will refuse to start.
299	.It Cm AuthorizedPrincipalsFile	351	.It Cm AuthorizedPrincipalsFile
300	Specifies a file that lists principal names that are accepted for	352	Specifies a file that lists principal names that are accepted for
301	certificate authentication.	353	certificate authentication.
@@ -606,22 +658,20 @@ The default is
606	.Dq yes .	658	.Dq yes .
607	Note that this option applies to protocol version 2 only.	659	Note that this option applies to protocol version 2 only.
608	.It Cm GSSAPIStrictAcceptorCheck	660	.It Cm GSSAPIStrictAcceptorCheck
609	Determines whether to be strict about the identity of the GSSAPI acceptor	661	Determines whether to be strict about the identity of the GSSAPI acceptor
610	a client authenticates against. If	662	a client authenticates against.
		663	If set to
611	.Dq yes	664	.Dq yes
612	then the client must authenticate against the	665	then the client must authenticate against the
613	.Pa host	666	.Pa host
614	service on the current hostname. If	667	service on the current hostname.
		668	If set to
615	.Dq no	669	.Dq no
616	then the client may authenticate against any service key stored in the	670	then the client may authenticate against any service key stored in the
617	machine's default store. This facility is provided to assist with operation	671	machine's default store.
618	on multi homed machines.	672	This facility is provided to assist with operation on multi homed machines.
619	The default is	673	The default is
620	.Dq yes .	674	.Dq yes .
621	Note that this option applies only to protocol version 2 GSSAPI connections,
622	and setting it to
623	.Dq no
624	may only work with recent Kerberos GSSAPI libraries.
625	.It Cm GSSAPIStoreCredentialsOnRekey	675	.It Cm GSSAPIStoreCredentialsOnRekey
626	Controls whether the user's GSSAPI credentials should be updated following a	676	Controls whether the user's GSSAPI credentials should be updated following a
627	successful connection rekeying. This option can be used to accepted renewed	677	successful connection rekeying. This option can be used to accepted renewed
@@ -883,16 +933,13 @@ The following forms may be used:
883	If	933	If
884	.Ar port	934	.Ar port
885	is not specified,	935	is not specified,
886	sshd will listen on the address and all prior	936	sshd will listen on the address and all
887	.Cm Port	937	.Cm Port
888	options specified.	938	options specified.
889	The default is to listen on all local addresses.	939	The default is to listen on all local addresses.
890	Multiple	940	Multiple
891	.Cm ListenAddress	941	.Cm ListenAddress
892	options are permitted.	942	options are permitted.
893	Additionally, any
894	.Cm Port
895	options must precede this option for non-port qualified addresses.
896	.It Cm LoginGraceTime	943	.It Cm LoginGraceTime
897	The server disconnects after this time if the user has not	944	The server disconnects after this time if the user has not
898	successfully logged in.	945	successfully logged in.
@@ -1150,7 +1197,7 @@ The argument must be
1150	or	1197	or
1151	.Dq no .	1198	.Dq no .
1152	The default is	1199	The default is
1153	.Dq yes .	1200	.Dq no .
1154	.Pp	1201	.Pp
1155	If this option is set to	1202	If this option is set to
1156	.Dq without-password ,	1203	.Dq without-password ,
@@ -1220,7 +1267,9 @@ The default is
1220	.Dq yes .	1267	.Dq yes .
1221	.It Cm PidFile	1268	.It Cm PidFile
1222	Specifies the file that contains the process ID of the	1269	Specifies the file that contains the process ID of the
1223	SSH daemon.	1270	SSH daemon, or
		1271	.Dq none
		1272	to not write one.
1224	The default is	1273	The default is
1225	.Pa /var/run/sshd.pid .	1274	.Pa /var/run/sshd.pid .
1226	.It Cm Port	1275	.It Cm Port
@@ -1310,7 +1359,9 @@ which means that rekeying is performed after the cipher's default amount
1310	of data has been sent or received and no time based rekeying is done.	1359	of data has been sent or received and no time based rekeying is done.
1311	This option applies to protocol version 2 only.	1360	This option applies to protocol version 2 only.
1312	.It Cm RevokedKeys	1361	.It Cm RevokedKeys
1313	Specifies revoked public keys.	1362	Specifies revoked public keys file, or
		1363	.Dq none
		1364	to not use one.
1314	Keys listed in this file will be refused for public key authentication.	1365	Keys listed in this file will be refused for public key authentication.
1315	Note that if this file is not readable, then public key authentication will	1366	Note that if this file is not readable, then public key authentication will
1316	be refused for all users.	1367	be refused for all users.
@@ -1426,7 +1477,9 @@ This option was formerly called
1426	.Cm KeepAlive .	1477	.Cm KeepAlive .
1427	.It Cm TrustedUserCAKeys	1478	.It Cm TrustedUserCAKeys
1428	Specifies a file containing public keys of certificate authorities that are	1479	Specifies a file containing public keys of certificate authorities that are
1429	trusted to sign user certificates for authentication.	1480	trusted to sign user certificates for authentication, or
		1481	.Dq none
		1482	to not use one.
1430	Keys are listed one per line; empty lines and comments starting with	1483	Keys are listed one per line; empty lines and comments starting with
1431	.Ql #	1484	.Ql #
1432	are allowed.	1485	are allowed.
@@ -1579,7 +1632,9 @@ The default is
1579	.It Cm XAuthLocation	1632	.It Cm XAuthLocation
1580	Specifies the full pathname of the	1633	Specifies the full pathname of the
1581	.Xr xauth 1	1634	.Xr xauth 1
1582	program.	1635	program, or
		1636	.Dq none
		1637	to not use one.
1583	The default is	1638	The default is
1584	.Pa /usr/X11R6/bin/xauth .	1639	.Pa /usr/X11R6/bin/xauth .
1585	.El	1640	.El