1 files changed, 67 insertions, 30 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 251d847fd..faf93fc90 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $
-.Dd $Mdocdate: February 6 2013 $
+.Dd $Mdocdate: July 19 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -144,9 +144,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm AllowTcpForwarding
@@ -186,9 +184,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm AuthenticationMethods
@@ -207,6 +203,20 @@ Only methods that are next in one or more lists are offered at each stage,
 so for this example, it would not be possible to attempt password or
 keyboard-interactive authentication before public key.
 .Pp
+For keyboard interactive authentication it is also possible to
+restrict authentication to a specific device by appending a
+colon followed by the device identifier
+.Dq bsdauth ,
+.Dq pam ,
+or
+.Dq skey ,
+depending on the server configuration.
+For example,
+.Dq keyboard-interactive:bsdauth
+would restrict keyboard interactive authentication to the
+.Dq bsdauth
+device.
+.Pp
 This option is only available for SSH protocol 2 and will yield a fatal
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
@@ -215,11 +225,10 @@ The default is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
-The program will be invoked with a single argument of the username
+The program must be owned by root and not writable by group or others.
+It will be invoked with a single argument of the username
 being authenticated, and should produce on standard output zero or
-more lines of authorized_keys output (see
+more lines of authorized_keys output (see AUTHORIZED_KEYS in
-.Sx AUTHORIZED_KEYS
-in
 .Xr sshd 8 ) .
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
 and authorize the user then public key authentication continues using the usual
@@ -234,7 +243,7 @@ than running authorized keys commands.
 Specifies the file that contains the public keys that can be used
 for user authentication.
 The format is described in the
-.Sx AUTHORIZED_KEYS FILE FORMAT
+AUTHORIZED_KEYS FILE FORMAT
 section of
 .Xr sshd 8 .
 .Cm AuthorizedKeysFile
@@ -258,9 +267,7 @@ When using certificates signed by a key listed in
 this file lists names, one of which must appear in the certificate for it
 to be accepted for authentication.
 Names are listed one per line preceded by key options (as described
-in
+in AUTHORIZED_KEYS FILE FORMAT in
-.Sx AUTHORIZED_KEYS FILE FORMAT
-in
 .Xr sshd 8 ) .
 Empty lines and comments starting with
 .Ql #
@@ -442,9 +449,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm DenyUsers
@@ -463,9 +468,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm ForceCommand
@@ -602,6 +605,18 @@ keys are used for version 1 and
 or
 .Dq rsa
 are used for version 2 of the SSH protocol.
+It is also possible to specify public host key files instead.
+In this case operations on the private key will be delegated
+to an
+.Xr ssh-agent 1 .
+.It Cm HostKeyAgent
+Identifies the UNIX-domain socket used to communicate
+with an agent that has access to the private host keys.
+If
+.Dq SSH_AUTH_SOCK
+is specified, the location of the socket will be read from the
+.Ev SSH_AUTH_SOCK
+environment variable.
 .It Cm IgnoreRhosts
 Specifies that
 .Pa .rhosts
@@ -805,8 +820,7 @@ and
 .Cm Address .
 The match patterns may consist of single entries or comma-separated
 lists and may use the wildcard and negation operators described in the
-.Sx PATTERNS
+PATTERNS section of
-section of
 .Xr ssh_config 5 .
 .Pp
 The patterns in an
@@ -858,6 +872,7 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
+.Cm RekeyLimit ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -1066,6 +1081,32 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm RekeyLimit
+Specifies the maximum amount of data that may be transmitted before the
+session key is renegotiated, optionally followed a maximum amount of
+time that may pass before the session key is renegotiated.
+The first argument is specified in bytes and may have a suffix of
+.Sq K ,
+.Sq M ,
+or
+.Sq G
+to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
+The default is between
+.Sq 1G
+and
+.Sq 4G ,
+depending on the cipher.
+The optional second value is specified in seconds and may use any of the
+units documented in the
+.Sx TIME FORMATS
+section.
+The default value for
+.Cm RekeyLimit
+is
+.Dq default none ,
+which means that rekeying is performed after the cipher's default amount
+of data has been sent or received and no time based rekeying is done.
+This option applies to protocol version 2 only.
 .It Cm RevokedKeys
 Specifies revoked public keys.
 Keys listed in this file will be refused for public key authentication.
@@ -1074,9 +1115,7 @@ be refused for all users.
 Keys may be specified as a text file, listing one public key per line, or as
 an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
-For more information on KRLs, see the
+For more information on KRLs, see the KEY REVOCATION LISTS section in
-.Sx KEY REVOCATION LISTS
-section in
 .Xr ssh-keygen 1 .
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
@@ -1168,9 +1207,7 @@ listed in the certificate's principals list.
 Note that certificates that lack a list of principals will not be permitted
 for authentication using
 .Cm TrustedUserCAKeys .
-For more details on certificates, see the
+For more details on certificates, see the CERTIFICATES section in
-.Sx CERTIFICATES
-section in
 .Xr ssh-keygen 1 .
 .It Cm UseDNS
 Specifies whether

diff --git a/sshd_config.5 b/sshd_config.5 index 251d847fd..faf93fc90 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $
37	.Dd $Mdocdate: February 6 2013 $	37	.Dd $Mdocdate: July 19 2013 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -144,9 +144,7 @@ The allow/deny directives are processed in the following order:
144	and finally	144	and finally
145	.Cm AllowGroups .	145	.Cm AllowGroups .
146	.Pp	146	.Pp
147	See	147	See PATTERNS in
148	.Sx PATTERNS
149	in
150	.Xr ssh_config 5	148	.Xr ssh_config 5
151	for more information on patterns.	149	for more information on patterns.
152	.It Cm AllowTcpForwarding	150	.It Cm AllowTcpForwarding
@@ -186,9 +184,7 @@ The allow/deny directives are processed in the following order:
186	and finally	184	and finally
187	.Cm AllowGroups .	185	.Cm AllowGroups .
188	.Pp	186	.Pp
189	See	187	See PATTERNS in
190	.Sx PATTERNS
191	in
192	.Xr ssh_config 5	188	.Xr ssh_config 5
193	for more information on patterns.	189	for more information on patterns.
194	.It Cm AuthenticationMethods	190	.It Cm AuthenticationMethods
@@ -207,6 +203,20 @@ Only methods that are next in one or more lists are offered at each stage,
207	so for this example, it would not be possible to attempt password or	203	so for this example, it would not be possible to attempt password or
208	keyboard-interactive authentication before public key.	204	keyboard-interactive authentication before public key.
209	.Pp	205	.Pp
		206	For keyboard interactive authentication it is also possible to
		207	restrict authentication to a specific device by appending a
		208	colon followed by the device identifier
		209	.Dq bsdauth ,
		210	.Dq pam ,
		211	or
		212	.Dq skey ,
		213	depending on the server configuration.
		214	For example,
		215	.Dq keyboard-interactive:bsdauth
		216	would restrict keyboard interactive authentication to the
		217	.Dq bsdauth
		218	device.
		219	.Pp
210	This option is only available for SSH protocol 2 and will yield a fatal	220	This option is only available for SSH protocol 2 and will yield a fatal
211	error if enabled if protocol 1 is also enabled.	221	error if enabled if protocol 1 is also enabled.
212	Note that each authentication method listed should also be explicitly enabled	222	Note that each authentication method listed should also be explicitly enabled
@@ -215,11 +225,10 @@ The default is not to require multiple authentication; successful completion
215	of a single authentication method is sufficient.	225	of a single authentication method is sufficient.
216	.It Cm AuthorizedKeysCommand	226	.It Cm AuthorizedKeysCommand
217	Specifies a program to be used to look up the user's public keys.	227	Specifies a program to be used to look up the user's public keys.
218	The program will be invoked with a single argument of the username	228	The program must be owned by root and not writable by group or others.
		229	It will be invoked with a single argument of the username
219	being authenticated, and should produce on standard output zero or	230	being authenticated, and should produce on standard output zero or
220	more lines of authorized_keys output (see	231	more lines of authorized_keys output (see AUTHORIZED_KEYS in
221	.Sx AUTHORIZED_KEYS
222	in
223	.Xr sshd 8 ) .	232	.Xr sshd 8 ) .
224	If a key supplied by AuthorizedKeysCommand does not successfully authenticate	233	If a key supplied by AuthorizedKeysCommand does not successfully authenticate
225	and authorize the user then public key authentication continues using the usual	234	and authorize the user then public key authentication continues using the usual
@@ -234,7 +243,7 @@ than running authorized keys commands.
234	Specifies the file that contains the public keys that can be used	243	Specifies the file that contains the public keys that can be used
235	for user authentication.	244	for user authentication.
236	The format is described in the	245	The format is described in the
237	.Sx AUTHORIZED_KEYS FILE FORMAT	246	AUTHORIZED_KEYS FILE FORMAT
238	section of	247	section of
239	.Xr sshd 8 .	248	.Xr sshd 8 .
240	.Cm AuthorizedKeysFile	249	.Cm AuthorizedKeysFile
@@ -258,9 +267,7 @@ When using certificates signed by a key listed in
258	this file lists names, one of which must appear in the certificate for it	267	this file lists names, one of which must appear in the certificate for it
259	to be accepted for authentication.	268	to be accepted for authentication.
260	Names are listed one per line preceded by key options (as described	269	Names are listed one per line preceded by key options (as described
261	in	270	in AUTHORIZED_KEYS FILE FORMAT in
262	.Sx AUTHORIZED_KEYS FILE FORMAT
263	in
264	.Xr sshd 8 ) .	271	.Xr sshd 8 ) .
265	Empty lines and comments starting with	272	Empty lines and comments starting with
266	.Ql #	273	.Ql #
@@ -442,9 +449,7 @@ The allow/deny directives are processed in the following order:
442	and finally	449	and finally
443	.Cm AllowGroups .	450	.Cm AllowGroups .
444	.Pp	451	.Pp
445	See	452	See PATTERNS in
446	.Sx PATTERNS
447	in
448	.Xr ssh_config 5	453	.Xr ssh_config 5
449	for more information on patterns.	454	for more information on patterns.
450	.It Cm DenyUsers	455	.It Cm DenyUsers
@@ -463,9 +468,7 @@ The allow/deny directives are processed in the following order:
463	and finally	468	and finally
464	.Cm AllowGroups .	469	.Cm AllowGroups .
465	.Pp	470	.Pp
466	See	471	See PATTERNS in
467	.Sx PATTERNS
468	in
469	.Xr ssh_config 5	472	.Xr ssh_config 5
470	for more information on patterns.	473	for more information on patterns.
471	.It Cm ForceCommand	474	.It Cm ForceCommand
@@ -602,6 +605,18 @@ keys are used for version 1 and
602	or	605	or
603	.Dq rsa	606	.Dq rsa
604	are used for version 2 of the SSH protocol.	607	are used for version 2 of the SSH protocol.
		608	It is also possible to specify public host key files instead.
		609	In this case operations on the private key will be delegated
		610	to an
		611	.Xr ssh-agent 1 .
		612	.It Cm HostKeyAgent
		613	Identifies the UNIX-domain socket used to communicate
		614	with an agent that has access to the private host keys.
		615	If
		616	.Dq SSH_AUTH_SOCK
		617	is specified, the location of the socket will be read from the
		618	.Ev SSH_AUTH_SOCK
		619	environment variable.
605	.It Cm IgnoreRhosts	620	.It Cm IgnoreRhosts
606	Specifies that	621	Specifies that
607	.Pa .rhosts	622	.Pa .rhosts
@@ -805,8 +820,7 @@ and
805	.Cm Address .	820	.Cm Address .
806	The match patterns may consist of single entries or comma-separated	821	The match patterns may consist of single entries or comma-separated
807	lists and may use the wildcard and negation operators described in the	822	lists and may use the wildcard and negation operators described in the
808	.Sx PATTERNS	823	PATTERNS section of
809	section of
810	.Xr ssh_config 5 .	824	.Xr ssh_config 5 .
811	.Pp	825	.Pp
812	The patterns in an	826	The patterns in an
@@ -858,6 +872,7 @@ Available keywords are
858	.Cm PermitRootLogin ,	872	.Cm PermitRootLogin ,
859	.Cm PermitTunnel ,	873	.Cm PermitTunnel ,
860	.Cm PubkeyAuthentication ,	874	.Cm PubkeyAuthentication ,
		875	.Cm RekeyLimit ,
861	.Cm RhostsRSAAuthentication ,	876	.Cm RhostsRSAAuthentication ,
862	.Cm RSAAuthentication ,	877	.Cm RSAAuthentication ,
863	.Cm X11DisplayOffset ,	878	.Cm X11DisplayOffset ,
@@ -1066,6 +1081,32 @@ Specifies whether public key authentication is allowed.
1066	The default is	1081	The default is
1067	.Dq yes .	1082	.Dq yes .
1068	Note that this option applies to protocol version 2 only.	1083	Note that this option applies to protocol version 2 only.
		1084	.It Cm RekeyLimit
		1085	Specifies the maximum amount of data that may be transmitted before the
		1086	session key is renegotiated, optionally followed a maximum amount of
		1087	time that may pass before the session key is renegotiated.
		1088	The first argument is specified in bytes and may have a suffix of
		1089	.Sq K ,
		1090	.Sq M ,
		1091	or
		1092	.Sq G
		1093	to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
		1094	The default is between
		1095	.Sq 1G
		1096	and
		1097	.Sq 4G ,
		1098	depending on the cipher.
		1099	The optional second value is specified in seconds and may use any of the
		1100	units documented in the
		1101	.Sx TIME FORMATS
		1102	section.
		1103	The default value for
		1104	.Cm RekeyLimit
		1105	is
		1106	.Dq default none ,
		1107	which means that rekeying is performed after the cipher's default amount
		1108	of data has been sent or received and no time based rekeying is done.
		1109	This option applies to protocol version 2 only.
1069	.It Cm RevokedKeys	1110	.It Cm RevokedKeys
1070	Specifies revoked public keys.	1111	Specifies revoked public keys.
1071	Keys listed in this file will be refused for public key authentication.	1112	Keys listed in this file will be refused for public key authentication.
@@ -1074,9 +1115,7 @@ be refused for all users.
1074	Keys may be specified as a text file, listing one public key per line, or as	1115	Keys may be specified as a text file, listing one public key per line, or as
1075	an OpenSSH Key Revocation List (KRL) as generated by	1116	an OpenSSH Key Revocation List (KRL) as generated by
1076	.Xr ssh-keygen 1 .	1117	.Xr ssh-keygen 1 .
1077	For more information on KRLs, see the	1118	For more information on KRLs, see the KEY REVOCATION LISTS section in
1078	.Sx KEY REVOCATION LISTS
1079	section in
1080	.Xr ssh-keygen 1 .	1119	.Xr ssh-keygen 1 .
1081	.It Cm RhostsRSAAuthentication	1120	.It Cm RhostsRSAAuthentication
1082	Specifies whether rhosts or /etc/hosts.equiv authentication together	1121	Specifies whether rhosts or /etc/hosts.equiv authentication together
@@ -1168,9 +1207,7 @@ listed in the certificate's principals list.
1168	Note that certificates that lack a list of principals will not be permitted	1207	Note that certificates that lack a list of principals will not be permitted
1169	for authentication using	1208	for authentication using
1170	.Cm TrustedUserCAKeys .	1209	.Cm TrustedUserCAKeys .
1171	For more details on certificates, see the	1210	For more details on certificates, see the CERTIFICATES section in
1172	.Sx CERTIFICATES
1173	section in
1174	.Xr ssh-keygen 1 .	1211	.Xr ssh-keygen 1 .
1175	.It Cm UseDNS	1212	.It Cm UseDNS
1176	Specifies whether	1213	Specifies whether