1 files changed, 26 insertions, 19 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 0747cc8b5..ef520680f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,15 +33,13 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.253 2017/09/27 06:45:53 jmc Exp $
-.Dd $Mdocdate: March 14 2017 $
+.Dd $Mdocdate: September 27 2017 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
 .Nm sshd_config
 .Nd OpenSSH SSH daemon configuration file
-.Sh SYNOPSIS
-.Nm /etc/ssh/sshd_config
 .Sh DESCRIPTION
 .Xr sshd 8
 reads configuration data from
@@ -247,6 +245,18 @@ requires successful authentication using two different public keys.
 .Pp
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
+.Pp
+The available authentication methods are:
+.Qq gssapi-with-mic ,
+.Qq hostbased ,
+.Qq keyboard-interactive ,
+.Qq none
+(used for access to password-less accounts when
+.Cm PermitEmptyPassword
+is enabled),
+.Qq password
+and
+.Qq publickey .
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
 The program must be owned by root, not writable by group or others and
@@ -485,16 +495,6 @@ aes128-gcm@openssh.com
 .It
 aes256-gcm@openssh.com
 .It
-arcfour
-.It
-arcfour128
-.It
-arcfour256
-.It
-blowfish-cbc
-.It
-cast128-cbc
-.It
 chacha20-poly1305@openssh.com
 .El
 .Pp
@@ -600,6 +600,14 @@ Disables all forwarding features, including X11,
 TCP and StreamLocal.
 This option overrides all other forwarding-related options and may
 simplify restricted configurations.
+.It Cm ExposeAuthInfo
+Writes a temporary file containing a list of authentication methods and
+public credentials (e.g. keys) used to authenticate the user.
+The location of the file is exposed to the user session through the
+.Ev SSH_USER_AUTH
+environment variable.
+The default is
+.Cm no .
 .It Cm FingerprintHash
 Specifies the hash algorithm used when logging key fingerprints.
 Valid options are:
@@ -833,7 +841,9 @@ Accepted values are
 .Cm lowdelay ,
 .Cm throughput ,
 .Cm reliability ,
-or a numeric value.
+a numeric value, or
+.Cm none
+to use the operating system default.
 This option may take one or two arguments, separated by whitespace.
 If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
@@ -997,8 +1007,6 @@ hmac-md5
 .It
 hmac-md5-96
 .It
-hmac-ripemd160
-.It
 hmac-sha1
 .It
 hmac-sha1-96
@@ -1015,8 +1023,6 @@ hmac-md5-etm@openssh.com
 .It
 hmac-md5-96-etm@openssh.com
 .It
-hmac-ripemd160-etm@openssh.com
-.It
 hmac-sha1-etm@openssh.com
 .It
 hmac-sha1-96-etm@openssh.com
@@ -1115,6 +1121,7 @@ Available keywords are
 .Cm IPQoS ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
+.Cm LogLevel ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,

diff --git a/sshd_config.5 b/sshd_config.5 index 0747cc8b5..ef520680f 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,15 +33,13 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.253 2017/09/27 06:45:53 jmc Exp $
37	.Dd $Mdocdate: March 14 2017 $	37	.Dd $Mdocdate: September 27 2017 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
41	.Nm sshd_config	41	.Nm sshd_config
42	.Nd OpenSSH SSH daemon configuration file	42	.Nd OpenSSH SSH daemon configuration file
43	.Sh SYNOPSIS
44	.Nm /etc/ssh/sshd_config
45	.Sh DESCRIPTION	43	.Sh DESCRIPTION
46	.Xr sshd 8	44	.Xr sshd 8
47	reads configuration data from	45	reads configuration data from
@@ -247,6 +245,18 @@ requires successful authentication using two different public keys.
247	.Pp	245	.Pp
248	Note that each authentication method listed should also be explicitly enabled	246	Note that each authentication method listed should also be explicitly enabled
249	in the configuration.	247	in the configuration.
		248	.Pp
		249	The available authentication methods are:
		250	.Qq gssapi-with-mic ,
		251	.Qq hostbased ,
		252	.Qq keyboard-interactive ,
		253	.Qq none
		254	(used for access to password-less accounts when
		255	.Cm PermitEmptyPassword
		256	is enabled),
		257	.Qq password
		258	and
		259	.Qq publickey .
250	.It Cm AuthorizedKeysCommand	260	.It Cm AuthorizedKeysCommand
251	Specifies a program to be used to look up the user's public keys.	261	Specifies a program to be used to look up the user's public keys.
252	The program must be owned by root, not writable by group or others and	262	The program must be owned by root, not writable by group or others and
@@ -485,16 +495,6 @@ aes128-gcm@openssh.com
485	.It	495	.It
486	aes256-gcm@openssh.com	496	aes256-gcm@openssh.com
487	.It	497	.It
488	arcfour
489	.It
490	arcfour128
491	.It
492	arcfour256
493	.It
494	blowfish-cbc
495	.It
496	cast128-cbc
497	.It
498	chacha20-poly1305@openssh.com	498	chacha20-poly1305@openssh.com
499	.El	499	.El
500	.Pp	500	.Pp
@@ -600,6 +600,14 @@ Disables all forwarding features, including X11,
600	TCP and StreamLocal.	600	TCP and StreamLocal.
601	This option overrides all other forwarding-related options and may	601	This option overrides all other forwarding-related options and may
602	simplify restricted configurations.	602	simplify restricted configurations.
		603	.It Cm ExposeAuthInfo
		604	Writes a temporary file containing a list of authentication methods and
		605	public credentials (e.g. keys) used to authenticate the user.
		606	The location of the file is exposed to the user session through the
		607	.Ev SSH_USER_AUTH
		608	environment variable.
		609	The default is
		610	.Cm no .
603	.It Cm FingerprintHash	611	.It Cm FingerprintHash
604	Specifies the hash algorithm used when logging key fingerprints.	612	Specifies the hash algorithm used when logging key fingerprints.
605	Valid options are:	613	Valid options are:
@@ -833,7 +841,9 @@ Accepted values are
833	.Cm lowdelay ,	841	.Cm lowdelay ,
834	.Cm throughput ,	842	.Cm throughput ,
835	.Cm reliability ,	843	.Cm reliability ,
836	or a numeric value.	844	a numeric value, or
		845	.Cm none
		846	to use the operating system default.
837	This option may take one or two arguments, separated by whitespace.	847	This option may take one or two arguments, separated by whitespace.
838	If one argument is specified, it is used as the packet class unconditionally.	848	If one argument is specified, it is used as the packet class unconditionally.
839	If two values are specified, the first is automatically selected for	849	If two values are specified, the first is automatically selected for
@@ -997,8 +1007,6 @@ hmac-md5
997	.It	1007	.It
998	hmac-md5-96	1008	hmac-md5-96
999	.It	1009	.It
1000	hmac-ripemd160
1001	.It
1002	hmac-sha1	1010	hmac-sha1
1003	.It	1011	.It
1004	hmac-sha1-96	1012	hmac-sha1-96
@@ -1015,8 +1023,6 @@ hmac-md5-etm@openssh.com
1015	.It	1023	.It
1016	hmac-md5-96-etm@openssh.com	1024	hmac-md5-96-etm@openssh.com
1017	.It	1025	.It
1018	hmac-ripemd160-etm@openssh.com
1019	.It
1020	hmac-sha1-etm@openssh.com	1026	hmac-sha1-etm@openssh.com
1021	.It	1027	.It
1022	hmac-sha1-96-etm@openssh.com	1028	hmac-sha1-96-etm@openssh.com
@@ -1115,6 +1121,7 @@ Available keywords are
1115	.Cm IPQoS ,	1121	.Cm IPQoS ,
1116	.Cm KbdInteractiveAuthentication ,	1122	.Cm KbdInteractiveAuthentication ,
1117	.Cm KerberosAuthentication ,	1123	.Cm KerberosAuthentication ,
		1124	.Cm LogLevel ,
1118	.Cm MaxAuthTries ,	1125	.Cm MaxAuthTries ,
1119	.Cm MaxSessions ,	1126	.Cm MaxSessions ,
1120	.Cm PasswordAuthentication ,	1127	.Cm PasswordAuthentication ,