1 files changed, 93 insertions, 20 deletions

diff --git a/sshd_config.5 b/sshd_config.5
index e3c7c3936..e1b54ba20 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.263 2018/02/16 02:40:45 djm Exp $
-.Dd $Mdocdate: February 16 2018 $
+.\" $OpenBSD: sshd_config.5,v 1.281 2018/07/20 05:01:10 djm Exp $
+.Dd $Mdocdate: July 20 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -66,12 +66,14 @@ the session's
 .Xr environ 7 .
 See
 .Cm SendEnv
+and
+.Cm SetEnv
 in
 .Xr ssh_config 5
 for how to configure the client.
 The
 .Ev TERM
-environment variable is always sent whenever the client
+environment variable is always accepted whenever the client
 requests a pseudo-terminal as it is required by the protocol.
 Variables are specified by name, which may contain the wildcard characters
 .Ql *
@@ -184,7 +186,7 @@ for more information on patterns.
 .It Cm AuthenticationMethods
 Specifies the authentication methods that must be successfully completed
 for a user to be granted access.
-This option must be followed by one or more comma-separated lists of
+This option must be followed by one or more lists of comma-separated
 authentication method names, or by the single string
 .Cm any
 to indicate the default behaviour of accepting any single authentication
@@ -203,10 +205,9 @@ keyboard-interactive authentication before public key.
 For keyboard interactive authentication it is also possible to
 restrict authentication to a specific device by appending a
 colon followed by the device identifier
-.Cm bsdauth ,
-.Cm pam ,
+.Cm bsdauth
 or
-.Cm skey ,
+.Cm pam .
 depending on the server configuration.
 For example,
 .Qq keyboard-interactive:bsdauth
@@ -231,7 +232,7 @@ The available authentication methods are:
 .Qq keyboard-interactive ,
 .Qq none
 (used for access to password-less accounts when
-.Cm PermitEmptyPassword
+.Cm PermitEmptyPasswords
 is enabled),
 .Qq password
 and
@@ -657,7 +658,7 @@ The default is
 .Cm yes .
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
-as a comma-separated pattern list.
+as a list of comma-separated patterns.
 Alternately if the specified value begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
@@ -672,9 +673,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
@@ -749,9 +751,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
@@ -816,9 +819,11 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
-.Cm lowdelay
+.Cm af21
+(Low-Latency Data)
 for interactive sessions and
-.Cm throughput
+.Cm cs1
+(Lower Effort)
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to allow keyboard-interactive authentication.
@@ -1123,6 +1128,7 @@ Available keywords are
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
+.Cm PermitListen ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm PermitTTY ,
@@ -1133,6 +1139,7 @@ Available keywords are
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
 .Cm RDomain ,
+.Cm SetEnv ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1182,6 +1189,48 @@ When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
 The default is
 .Cm no .
+.It Cm PermitListen
+Specifies the addresses/ports on which a remote TCP port forwarding may listen.
+The listen specification must be one of the following forms:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm PermitListen
+.Sm off
+.Ar port
+.Sm on
+.It
+.Cm PermitListen
+.Sm off
+.Ar host : port
+.Sm on
+.El
+.Pp
+Multiple permissions may be specified by separating them with whitespace.
+An argument of
+.Cm any
+can be used to remove all restrictions and permit any listen requests.
+An argument of
+.Cm none
+can be used to prohibit all listen requests.
+The host name may contain wildcards as described in the PATTERNS section in
+.Xr ssh_config 5 .
+The wildcard
+.Sq *
+can also be used in place of a port number to allow all ports.
+By default all port forwarding listen requests are permitted.
+Note that the
+.Cm GatewayPorts
+option may further restrict which addresses may be listened on.
+Note also that
+.Xr ssh 1
+will request a listen host of
+.Dq localhost
+if no listen host was specifically requested, and this this name is
+treated differently to explicit localhost addresses of
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm PermitOpen
 Specifies the destinations to which TCP port forwarding is permitted.
 The forwarding specification must be one of the following forms:
@@ -1284,6 +1333,12 @@ options in
 .Pa ~/.ssh/authorized_keys
 are processed by
 .Xr sshd 8 .
+Valid options are
+.Cm yes ,
+.Cm no
+or a pattern-list specifying which environment variable names to accept
+(for example
+.Qq LANG,LC_* ) .
 The default is
 .Cm no .
 Enabling environment processing may enable users to bypass access
@@ -1330,7 +1385,7 @@ The default is
 .Cm yes .
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be accepted for public key authentication
-as a comma-separated pattern list.
+as a list of comma-separated patterns.
 Alternately if the specified value begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
@@ -1345,9 +1400,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
@@ -1402,6 +1458,21 @@ will be bound to this
 If the routing domain is set to
 .Cm \&%D ,
 then the domain in which the incoming connection was received will be applied.
+.It Cm SetEnv
+Specifies one or more environment variables to set in child sessions started
+by
+.Xr sshd 8
+as
+.Dq NAME=VALUE .
+The environment value may be quoted (e.g. if it contains whitespace
+characters).
+Environment variables set by
+.Cm SetEnv
+override the default environment and any variables specified by the user
+via
+.Cm AcceptEnv
+or
+.Cm PermitUserEnvironment .
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
@@ -1687,24 +1758,26 @@ The serial number of the certificate.
 The type of the CA key.
 .It %t
 The key or certificate type.
+.It \&%U
+The numeric user ID of the target user.
 .It %u
 The username.
 .El
 .Pp
 .Cm AuthorizedKeysCommand
-accepts the tokens %%, %f, %h, %k, %t, and %u.
+accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
 .Pp
 .Cm AuthorizedKeysFile
-accepts the tokens %%, %h, and %u.
+accepts the tokens %%, %h, %U, and %u.
 .Pp
 .Cm AuthorizedPrincipalsCommand
-accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, and %u.
+accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u.
 .Pp
 .Cm AuthorizedPrincipalsFile
-accepts the tokens %%, %h, and %u.
+accepts the tokens %%, %h, %U, and %u.
 .Pp
 .Cm ChrootDirectory
-accepts the tokens %%, %h, and %u.
+accepts the tokens %%, %h, %U, and %u.
 .Pp
 .Cm RoutingDomain
 accepts the token %D.