1 files changed, 39 insertions, 6 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 588aed56e..2f5410281 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $
-.Dd $Mdocdate: April 21 2009 $
+.Dd $Mdocdate: March 4 2010 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -182,16 +182,16 @@ PAM or though authentication styles supported in
 The default is
 .Dq yes .
 .It Cm ChrootDirectory
-Specifies a path to
+Specifies the pathname of a directory to
 .Xr chroot 2
 to after authentication.
-This path, and all its components, must be root-owned directories that are
+All components of the pathname must be root-owned directories that are
 not writable by any other user or group.
 After the chroot,
 .Xr sshd 8
 changes the working directory to the user's home directory.
 .Pp
-The path may contain the following tokens that are expanded at runtime once
+The pathname may contain the following tokens that are expanded at runtime once
 the connecting user has been authenticated: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated, and
 %u is replaced by the username of that user.
@@ -411,6 +411,14 @@ uses the name supplied by the client rather than
 attempting to resolve the name from the TCP connection itself.
 The default is
 .Dq no .
+.It Cm HostCertificate
+Specifies a file containing a public host certificate.
+The certificate's public key must match a private host key already specified
+by
+.Cm HostKey .
+The default behaviour of
+.Xr sshd 8
+is not to load any certificates.
 .It Cm HostKey
 Specifies a file containing a private host key
 used by SSH.
@@ -614,6 +622,7 @@ Available keywords are
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
+.Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -792,7 +801,7 @@ and
 .Sq 2 .
 Multiple versions must be comma-separated.
 The default is
-.Dq 2,1 .
+.Sq 2 .
 Note that the order of the protocol list does not indicate preference,
 because the client selects among multiple protocol versions offered
 by the server.
@@ -805,6 +814,11 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm RevokedKeys
+Specifies a list of revoked public keys.
+Keys listed in this file will be refused for public key authentication.
+Note that if this file is not readable, then public key authentication will
+be refused for all users.
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
@@ -828,6 +842,9 @@ This is normally desirable because novices sometimes accidentally leave their
 directory or files world-writable.
 The default is
 .Dq yes .
+Note that this does not apply to
+.Cm ChrootDirectory ,
+whose permissions and ownership are checked unconditionally.
 .It Cm Subsystem
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)
@@ -877,6 +894,22 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.It Cm TrustedUserCAKeys
+Specifies a file containing public keys of certificate authorities that are
+trusted to sign user certificates for authentication.
+Keys are listed one per line; empty lines and comments starting with
+.Ql #
+are allowed.
+If a certificate is presented for authentication and has its signing CA key
+listed in this file, then it may be used for authentication for any user
+listed in the certificate's principals list.
+Note that certificates that lack a list of principals will not be permitted
+for authentication using
+.Cm TrustedUserCAKeys .
+For more details on certificates, see the
+.Sx CERTIFICATES
+section in
+.Xr ssh-keygen 1 .
 .It Cm UseDNS
 Specifies whether
 .Xr sshd 8

diff --git a/sshd_config.5 b/sshd_config.5 index 588aed56e..2f5410281 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $
38	.Dd $Mdocdate: April 21 2009 $	38	.Dd $Mdocdate: March 4 2010 $
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -182,16 +182,16 @@ PAM or though authentication styles supported in
182	The default is	182	The default is
183	.Dq yes .	183	.Dq yes .
184	.It Cm ChrootDirectory	184	.It Cm ChrootDirectory
185	Specifies a path to	185	Specifies the pathname of a directory to
186	.Xr chroot 2	186	.Xr chroot 2
187	to after authentication.	187	to after authentication.
188	This path, and all its components, must be root-owned directories that are	188	All components of the pathname must be root-owned directories that are
189	not writable by any other user or group.	189	not writable by any other user or group.
190	After the chroot,	190	After the chroot,
191	.Xr sshd 8	191	.Xr sshd 8
192	changes the working directory to the user's home directory.	192	changes the working directory to the user's home directory.
193	.Pp	193	.Pp
194	The path may contain the following tokens that are expanded at runtime once	194	The pathname may contain the following tokens that are expanded at runtime once
195	the connecting user has been authenticated: %% is replaced by a literal '%',	195	the connecting user has been authenticated: %% is replaced by a literal '%',
196	%h is replaced by the home directory of the user being authenticated, and	196	%h is replaced by the home directory of the user being authenticated, and
197	%u is replaced by the username of that user.	197	%u is replaced by the username of that user.
@@ -411,6 +411,14 @@ uses the name supplied by the client rather than
411	attempting to resolve the name from the TCP connection itself.	411	attempting to resolve the name from the TCP connection itself.
412	The default is	412	The default is
413	.Dq no .	413	.Dq no .
		414	.It Cm HostCertificate
		415	Specifies a file containing a public host certificate.
		416	The certificate's public key must match a private host key already specified
		417	by
		418	.Cm HostKey .
		419	The default behaviour of
		420	.Xr sshd 8
		421	is not to load any certificates.
414	.It Cm HostKey	422	.It Cm HostKey
415	Specifies a file containing a private host key	423	Specifies a file containing a private host key
416	used by SSH.	424	used by SSH.
@@ -614,6 +622,7 @@ Available keywords are
614	.Cm PermitEmptyPasswords ,	622	.Cm PermitEmptyPasswords ,
615	.Cm PermitOpen ,	623	.Cm PermitOpen ,
616	.Cm PermitRootLogin ,	624	.Cm PermitRootLogin ,
		625	.Cm PubkeyAuthentication ,
617	.Cm RhostsRSAAuthentication ,	626	.Cm RhostsRSAAuthentication ,
618	.Cm RSAAuthentication ,	627	.Cm RSAAuthentication ,
619	.Cm X11DisplayOffset ,	628	.Cm X11DisplayOffset ,
@@ -792,7 +801,7 @@ and
792	.Sq 2 .	801	.Sq 2 .
793	Multiple versions must be comma-separated.	802	Multiple versions must be comma-separated.
794	The default is	803	The default is
795	.Dq 2,1 .	804	.Sq 2 .
796	Note that the order of the protocol list does not indicate preference,	805	Note that the order of the protocol list does not indicate preference,
797	because the client selects among multiple protocol versions offered	806	because the client selects among multiple protocol versions offered
798	by the server.	807	by the server.
@@ -805,6 +814,11 @@ Specifies whether public key authentication is allowed.
805	The default is	814	The default is
806	.Dq yes .	815	.Dq yes .
807	Note that this option applies to protocol version 2 only.	816	Note that this option applies to protocol version 2 only.
		817	.It Cm RevokedKeys
		818	Specifies a list of revoked public keys.
		819	Keys listed in this file will be refused for public key authentication.
		820	Note that if this file is not readable, then public key authentication will
		821	be refused for all users.
808	.It Cm RhostsRSAAuthentication	822	.It Cm RhostsRSAAuthentication
809	Specifies whether rhosts or /etc/hosts.equiv authentication together	823	Specifies whether rhosts or /etc/hosts.equiv authentication together
810	with successful RSA host authentication is allowed.	824	with successful RSA host authentication is allowed.
@@ -828,6 +842,9 @@ This is normally desirable because novices sometimes accidentally leave their
828	directory or files world-writable.	842	directory or files world-writable.
829	The default is	843	The default is
830	.Dq yes .	844	.Dq yes .
		845	Note that this does not apply to
		846	.Cm ChrootDirectory ,
		847	whose permissions and ownership are checked unconditionally.
831	.It Cm Subsystem	848	.It Cm Subsystem
832	Configures an external subsystem (e.g. file transfer daemon).	849	Configures an external subsystem (e.g. file transfer daemon).
833	Arguments should be a subsystem name and a command (with optional arguments)	850	Arguments should be a subsystem name and a command (with optional arguments)
@@ -877,6 +894,22 @@ This avoids infinitely hanging sessions.
877	.Pp	894	.Pp
878	To disable TCP keepalive messages, the value should be set to	895	To disable TCP keepalive messages, the value should be set to
879	.Dq no .	896	.Dq no .
		897	.It Cm TrustedUserCAKeys
		898	Specifies a file containing public keys of certificate authorities that are
		899	trusted to sign user certificates for authentication.
		900	Keys are listed one per line; empty lines and comments starting with
		901	.Ql #
		902	are allowed.
		903	If a certificate is presented for authentication and has its signing CA key
		904	listed in this file, then it may be used for authentication for any user
		905	listed in the certificate's principals list.
		906	Note that certificates that lack a list of principals will not be permitted
		907	for authentication using
		908	.Cm TrustedUserCAKeys .
		909	For more details on certificates, see the
		910	.Sx CERTIFICATES
		911	section in
		912	.Xr ssh-keygen 1 .
880	.It Cm UseDNS	913	.It Cm UseDNS
881	Specifies whether	914	Specifies whether
882	.Xr sshd 8	915	.Xr sshd 8