1 files changed, 63 insertions, 16 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index ef520680f..4c7ee4254 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.253 2017/09/27 06:45:53 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.263 2018/02/16 02:40:45 djm Exp $
-.Dd $Mdocdate: September 27 2017 $
+.Dd $Mdocdate: February 16 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -48,6 +48,7 @@ reads configuration data from
 .Fl f
 on the command line).
 The file contains keyword-argument pairs, one per line.
+For each keyword, the first obtained value will be used.
 Lines starting with
 .Ql #
 and empty lines are interpreted as comments.
@@ -749,10 +750,10 @@ is not to load any certificates.
 Specifies a file containing a private host key
 used by SSH.
 The defaults are
-.Pa /etc/ssh/ssh_host_rsa_key ,
+.Pa /etc/ssh/ssh_host_ecdsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key
+.Pa /etc/ssh/ssh_host_ed25519_key
 and
-.Pa /etc/ssh/ssh_host_ed25519_key .
+.Pa /etc/ssh/ssh_host_rsa_key .
 .Pp
 Note that
 .Xr sshd 8
@@ -811,7 +812,9 @@ Specifies whether
 should ignore the user's
 .Pa ~/.ssh/known_hosts
 during
-.Cm HostbasedAuthentication .
+.Cm HostbasedAuthentication
+and use only the system-wide known hosts file
+.Pa /etc/ssh/known_hosts .
 The default is
 .Cm no .
 .It Cm IPQoS
@@ -912,6 +915,12 @@ diffie-hellman-group1-sha1
 .It
 diffie-hellman-group14-sha1
 .It
+diffie-hellman-group14-sha256
+.It
+diffie-hellman-group16-sha512
+.It
+diffie-hellman-group18-sha512
+.It
 diffie-hellman-group-exchange-sha1
 .It
 diffie-hellman-group-exchange-sha256
@@ -928,7 +937,8 @@ The default is:
 curve25519-sha256,curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group14-sha1
+diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 .Ed
 .Pp
 The list of available key exchange algorithms may also be obtained using
@@ -943,31 +953,47 @@ The following forms may be used:
 .It
 .Cm ListenAddress
 .Sm off
-.Ar host | Ar IPv4_addr | Ar IPv6_addr
+.Ar hostname | address
+.Sm on
+.Op Cm rdomain Ar domain
+.It
+.Cm ListenAddress
+.Sm off
+.Ar hostname : port
 .Sm on
+.Op Cm rdomain Ar domain
 .It
 .Cm ListenAddress
 .Sm off
-.Ar host | Ar IPv4_addr : Ar port
+.Ar IPv4_address : port
 .Sm on
+.Op Cm rdomain Ar domain
 .It
 .Cm ListenAddress
 .Sm off
-.Oo
+.Oo Ar hostname | address Oc : Ar port
-.Ar host | Ar IPv6_addr Oc : Ar port
 .Sm on
+.Op Cm rdomain Ar domain
 .El
 .Pp
+The optional
+.Cm rdomain
+qualifier requests
+.Xr sshd 8
+listen in an explicit routing domain.
 If
 .Ar port
 is not specified,
 sshd will listen on the address and all
 .Cm Port
 options specified.
-The default is to listen on all local addresses.
+The default is to listen on all local addresses on the current default
+routing domain.
 Multiple
 .Cm ListenAddress
 options are permitted.
+For more information on routing domains, see
+.Xr rdomain 4 .
 .It Cm LoginGraceTime
 The server disconnects after this time if the user has not
 successfully logged in.
@@ -1071,8 +1097,15 @@ The available criteria are
 .Cm Host ,
 .Cm LocalAddress ,
 .Cm LocalPort ,
+.Cm RDomain ,
 and
-.Cm Address .
+.Cm Address
+(with
+.Cm RDomain
+representing the
+.Xr rdomain 4
+on which the connection was received.)
+.Pp
 The match patterns may consist of single entries or comma-separated
 lists and may use the wildcard and negation operators described in the
 .Sx PATTERNS
@@ -1135,6 +1168,7 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
+.Cm RDomain ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1223,7 +1257,6 @@ Specifies whether root can log in using
 The argument must be
 .Cm yes ,
 .Cm prohibit-password ,
-.Cm without-password ,
 .Cm forced-commands-only ,
 or
 .Cm no .
@@ -1232,8 +1265,8 @@ The default is
 .Pp
 If this option is set to
 .Cm prohibit-password
-or
+(or its deprecated alias,
-.Cm without-password ,
+.Cm without-password ) ,
 password and keyboard-interactive authentication are disabled for root.
 .Pp
 If this option is set to
@@ -1396,6 +1429,15 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
+.It Cm RDomain
+Specifies an explicit routing domain that is applied after authentication
+has completed.
+The user session, as well and any forwarded or listening IP sockets,
+will be bound to this
+.Xr rdomain 4 .
+If the routing domain is set to
+.Cm \&%D ,
+then the domain in which the incoming connection was received will be applied.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
@@ -1664,6 +1706,8 @@ which are expanded at runtime:
 .It %%
 A literal
 .Sq % .
+.It \&%D
+The routing domain in which the incoming connection was received.
 .It %F
 The fingerprint of the CA key.
 .It %f
@@ -1700,6 +1744,9 @@ accepts the tokens %%, %h, and %u.
 .Pp
 .Cm ChrootDirectory
 accepts the tokens %%, %h, and %u.
+.Pp
+.Cm RoutingDomain
+accepts the token %D.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config

diff --git a/sshd_config.5 b/sshd_config.5 index ef520680f..4c7ee4254 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.253 2017/09/27 06:45:53 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.263 2018/02/16 02:40:45 djm Exp $
37	.Dd $Mdocdate: September 27 2017 $	37	.Dd $Mdocdate: February 16 2018 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -48,6 +48,7 @@ reads configuration data from
48	.Fl f	48	.Fl f
49	on the command line).	49	on the command line).
50	The file contains keyword-argument pairs, one per line.	50	The file contains keyword-argument pairs, one per line.
		51	For each keyword, the first obtained value will be used.
51	Lines starting with	52	Lines starting with
52	.Ql #	53	.Ql #
53	and empty lines are interpreted as comments.	54	and empty lines are interpreted as comments.
@@ -749,10 +750,10 @@ is not to load any certificates.
749	Specifies a file containing a private host key	750	Specifies a file containing a private host key
750	used by SSH.	751	used by SSH.
751	The defaults are	752	The defaults are
752	.Pa /etc/ssh/ssh_host_rsa_key ,	753	.Pa /etc/ssh/ssh_host_ecdsa_key ,
753	.Pa /etc/ssh/ssh_host_ecdsa_key	754	.Pa /etc/ssh/ssh_host_ed25519_key
754	and	755	and
755	.Pa /etc/ssh/ssh_host_ed25519_key .	756	.Pa /etc/ssh/ssh_host_rsa_key .
756	.Pp	757	.Pp
757	Note that	758	Note that
758	.Xr sshd 8	759	.Xr sshd 8
@@ -811,7 +812,9 @@ Specifies whether
811	should ignore the user's	812	should ignore the user's
812	.Pa ~/.ssh/known_hosts	813	.Pa ~/.ssh/known_hosts
813	during	814	during
814	.Cm HostbasedAuthentication .	815	.Cm HostbasedAuthentication
		816	and use only the system-wide known hosts file
		817	.Pa /etc/ssh/known_hosts .
815	The default is	818	The default is
816	.Cm no .	819	.Cm no .
817	.It Cm IPQoS	820	.It Cm IPQoS
@@ -912,6 +915,12 @@ diffie-hellman-group1-sha1
912	.It	915	.It
913	diffie-hellman-group14-sha1	916	diffie-hellman-group14-sha1
914	.It	917	.It
		918	diffie-hellman-group14-sha256
		919	.It
		920	diffie-hellman-group16-sha512
		921	.It
		922	diffie-hellman-group18-sha512
		923	.It
915	diffie-hellman-group-exchange-sha1	924	diffie-hellman-group-exchange-sha1
916	.It	925	.It
917	diffie-hellman-group-exchange-sha256	926	diffie-hellman-group-exchange-sha256
@@ -928,7 +937,8 @@ The default is:
928	curve25519-sha256,curve25519-sha256@libssh.org,	937	curve25519-sha256,curve25519-sha256@libssh.org,
929	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	938	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
930	diffie-hellman-group-exchange-sha256,	939	diffie-hellman-group-exchange-sha256,
931	diffie-hellman-group14-sha1	940	diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
		941	diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
932	.Ed	942	.Ed
933	.Pp	943	.Pp
934	The list of available key exchange algorithms may also be obtained using	944	The list of available key exchange algorithms may also be obtained using
@@ -943,31 +953,47 @@ The following forms may be used:
943	.It	953	.It
944	.Cm ListenAddress	954	.Cm ListenAddress
945	.Sm off	955	.Sm off
946	.Ar host \| Ar IPv4_addr \| Ar IPv6_addr	956	.Ar hostname \| address
		957	.Sm on
		958	.Op Cm rdomain Ar domain
		959	.It
		960	.Cm ListenAddress
		961	.Sm off
		962	.Ar hostname : port
947	.Sm on	963	.Sm on
		964	.Op Cm rdomain Ar domain
948	.It	965	.It
949	.Cm ListenAddress	966	.Cm ListenAddress
950	.Sm off	967	.Sm off
951	.Ar host \| Ar IPv4_addr : Ar port	968	.Ar IPv4_address : port
952	.Sm on	969	.Sm on
		970	.Op Cm rdomain Ar domain
953	.It	971	.It
954	.Cm ListenAddress	972	.Cm ListenAddress
955	.Sm off	973	.Sm off
956	.Oo	974	.Oo Ar hostname \| address Oc : Ar port
957	.Ar host \| Ar IPv6_addr Oc : Ar port
958	.Sm on	975	.Sm on
		976	.Op Cm rdomain Ar domain
959	.El	977	.El
960	.Pp	978	.Pp
		979	The optional
		980	.Cm rdomain
		981	qualifier requests
		982	.Xr sshd 8
		983	listen in an explicit routing domain.
961	If	984	If
962	.Ar port	985	.Ar port
963	is not specified,	986	is not specified,
964	sshd will listen on the address and all	987	sshd will listen on the address and all
965	.Cm Port	988	.Cm Port
966	options specified.	989	options specified.
967	The default is to listen on all local addresses.	990	The default is to listen on all local addresses on the current default
		991	routing domain.
968	Multiple	992	Multiple
969	.Cm ListenAddress	993	.Cm ListenAddress
970	options are permitted.	994	options are permitted.
		995	For more information on routing domains, see
		996	.Xr rdomain 4 .
971	.It Cm LoginGraceTime	997	.It Cm LoginGraceTime
972	The server disconnects after this time if the user has not	998	The server disconnects after this time if the user has not
973	successfully logged in.	999	successfully logged in.
@@ -1071,8 +1097,15 @@ The available criteria are
1071	.Cm Host ,	1097	.Cm Host ,
1072	.Cm LocalAddress ,	1098	.Cm LocalAddress ,
1073	.Cm LocalPort ,	1099	.Cm LocalPort ,
		1100	.Cm RDomain ,
1074	and	1101	and
1075	.Cm Address .	1102	.Cm Address
		1103	(with
		1104	.Cm RDomain
		1105	representing the
		1106	.Xr rdomain 4
		1107	on which the connection was received.)
		1108	.Pp
1076	The match patterns may consist of single entries or comma-separated	1109	The match patterns may consist of single entries or comma-separated
1077	lists and may use the wildcard and negation operators described in the	1110	lists and may use the wildcard and negation operators described in the
1078	.Sx PATTERNS	1111	.Sx PATTERNS
@@ -1135,6 +1168,7 @@ Available keywords are
1135	.Cm PubkeyAuthentication ,	1168	.Cm PubkeyAuthentication ,
1136	.Cm RekeyLimit ,	1169	.Cm RekeyLimit ,
1137	.Cm RevokedKeys ,	1170	.Cm RevokedKeys ,
		1171	.Cm RDomain ,
1138	.Cm StreamLocalBindMask ,	1172	.Cm StreamLocalBindMask ,
1139	.Cm StreamLocalBindUnlink ,	1173	.Cm StreamLocalBindUnlink ,
1140	.Cm TrustedUserCAKeys ,	1174	.Cm TrustedUserCAKeys ,
@@ -1223,7 +1257,6 @@ Specifies whether root can log in using
1223	The argument must be	1257	The argument must be
1224	.Cm yes ,	1258	.Cm yes ,
1225	.Cm prohibit-password ,	1259	.Cm prohibit-password ,
1226	.Cm without-password ,
1227	.Cm forced-commands-only ,	1260	.Cm forced-commands-only ,
1228	or	1261	or
1229	.Cm no .	1262	.Cm no .
@@ -1232,8 +1265,8 @@ The default is
1232	.Pp	1265	.Pp
1233	If this option is set to	1266	If this option is set to
1234	.Cm prohibit-password	1267	.Cm prohibit-password
1235	or	1268	(or its deprecated alias,
1236	.Cm without-password ,	1269	.Cm without-password ) ,
1237	password and keyboard-interactive authentication are disabled for root.	1270	password and keyboard-interactive authentication are disabled for root.
1238	.Pp	1271	.Pp
1239	If this option is set to	1272	If this option is set to
@@ -1396,6 +1429,15 @@ an OpenSSH Key Revocation List (KRL) as generated by
1396	.Xr ssh-keygen 1 .	1429	.Xr ssh-keygen 1 .
1397	For more information on KRLs, see the KEY REVOCATION LISTS section in	1430	For more information on KRLs, see the KEY REVOCATION LISTS section in
1398	.Xr ssh-keygen 1 .	1431	.Xr ssh-keygen 1 .
		1432	.It Cm RDomain
		1433	Specifies an explicit routing domain that is applied after authentication
		1434	has completed.
		1435	The user session, as well and any forwarded or listening IP sockets,
		1436	will be bound to this
		1437	.Xr rdomain 4 .
		1438	If the routing domain is set to
		1439	.Cm \&%D ,
		1440	then the domain in which the incoming connection was received will be applied.
1399	.It Cm StreamLocalBindMask	1441	.It Cm StreamLocalBindMask
1400	Sets the octal file creation mode mask	1442	Sets the octal file creation mode mask
1401	.Pq umask	1443	.Pq umask
@@ -1664,6 +1706,8 @@ which are expanded at runtime:
1664	.It %%	1706	.It %%
1665	A literal	1707	A literal
1666	.Sq % .	1708	.Sq % .
		1709	.It \&%D
		1710	The routing domain in which the incoming connection was received.
1667	.It %F	1711	.It %F
1668	The fingerprint of the CA key.	1712	The fingerprint of the CA key.
1669	.It %f	1713	.It %f
@@ -1700,6 +1744,9 @@ accepts the tokens %%, %h, and %u.
1700	.Pp	1744	.Pp
1701	.Cm ChrootDirectory	1745	.Cm ChrootDirectory
1702	accepts the tokens %%, %h, and %u.	1746	accepts the tokens %%, %h, and %u.
		1747	.Pp
		1748	.Cm RoutingDomain
		1749	accepts the token %D.
1703	.Sh FILES	1750	.Sh FILES
1704	.Bl -tag -width Ds	1751	.Bl -tag -width Ds
1705	.It Pa /etc/ssh/sshd_config	1752	.It Pa /etc/ssh/sshd_config