1 files changed, 39 insertions, 26 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 0be7250b0..2387b51b8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $
-.Dd $Mdocdate: August 14 2015 $
+.Dd $Mdocdate: February 17 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -95,8 +95,7 @@ See
 in
 .Xr ssh_config 5
 for how to configure the client.
-Note that environment passing is only supported for protocol 2, and
+The
-that the
 .Ev TERM
 environment variable is always sent whenever the client
 requests a pseudo-terminal as it is required by the protocol.
@@ -251,7 +250,7 @@ of
 .Dq publickey,publickey
 will require successful authentication using two different public keys.
 .Pp
-This option is only available for SSH protocol 2 and will yield a fatal
+This option will yield a fatal
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
@@ -310,6 +309,9 @@ After expansion,
 is taken to be an absolute path or one relative to the user's home
 directory.
 Multiple files may be listed, separated by whitespace.
+Alternately this option may be set to
+.Dq none
+to skip checking for user keys in files.
 The default is
 .Dq .ssh/authorized_keys .ssh/authorized_keys2 .
 .It Cm AuthorizedPrincipalsCommand
@@ -395,7 +397,6 @@ authentication is allowed.
 If the argument is
 .Dq none
 then no banner is displayed.
-This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
@@ -453,10 +454,12 @@ Misconfiguration can lead to unsafe environments which
 .Xr sshd 8
 cannot detect.
 .Pp
-The default is not to
+The default is
+.Dq none ,
+indicating not to
 .Xr chroot 2 .
 .It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2.
+Specifies the ciphers allowed.
 Multiple ciphers must be comma-separated.
 If the specified value begins with a
 .Sq +
@@ -537,7 +540,6 @@ If
 .Cm ClientAliveCountMax
 is left at the default, unresponsive SSH clients
 will be disconnected after approximately 45 seconds.
-This option applies to protocol version 2 only.
 .It Cm ClientAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the client,
@@ -546,7 +548,6 @@ will send a message through the encrypted
 channel to request a response from the client.
 The default
 is 0, indicating that these messages will not be sent to the client.
-This option applies to protocol version 2 only.
 .It Cm Compression
 Specifies whether compression is allowed, or delayed until
 the user has authenticated successfully.
@@ -625,6 +626,8 @@ Specifying a command of
 will force the use of an in-process sftp server that requires no support
 files when used with
 .Cm ChrootDirectory .
+The default is
+.Dq none .
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
@@ -649,19 +652,16 @@ The default is
 Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
-Note that this option applies to protocol version 2 only.
 .It Cm GSSAPIKeyExchange
 Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
 doesn't rely on ssh keys to verify host identity.
 The default is
 .Dq no .
-Note that this option applies to protocol version 2 only.
 .It Cm GSSAPICleanupCredentials
 Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Dq yes .
-Note that this option applies to protocol version 2 only.
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor
 a client authenticates against.
@@ -709,9 +709,6 @@ may be used to list supported key types.
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
 (host-based authentication).
-This option is similar to
-.Cm RhostsRSAAuthentication
-and applies to protocol version 2 only.
 The default is
 .Dq no .
 .It Cm HostbasedUsesNameFromPacketOnly
@@ -782,7 +779,7 @@ is specified, the location of the socket will be read from the
 .Ev SSH_AUTH_SOCK
 environment variable.
 .It Cm HostKeyAlgorithms
-Specifies the protocol version 2 host key algorithms
+Specifies the host key algorithms
 that the server offers.
 The default for this option is:
 .Bd -literal -offset 3n
@@ -1003,8 +1000,7 @@ DEBUG2 and DEBUG3 each specify higher levels of debugging output.
 Logging with a DEBUG level violates the privacy of users and is not recommended.
 .It Cm MACs
 Specifies the available MAC (message authentication code) algorithms.
-The MAC algorithm is used in protocol version 2
+The MAC algorithm is used for data integrity protection.
-for data integrity protection.
 Multiple algorithms must be comma-separated.
 If the specified value begins with a
 .Sq +
@@ -1060,8 +1056,9 @@ The default is:
 .Bd -literal -offset indent
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-sha1-etm@openssh.com,
 umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512
+hmac-sha2-256,hmac-sha2-512,hmac-sha1
 .Ed
 .Pp
 The list of available MAC algorithms may also be obtained using the
@@ -1131,6 +1128,8 @@ Available keywords are
 .Cm AuthorizedKeysCommand ,
 .Cm AuthorizedKeysCommandUser ,
 .Cm AuthorizedKeysFile ,
+.Cm AuthorizedPrincipalsCommand ,
+.Cm AuthorizedPrincipalsCommandUser ,
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
@@ -1174,7 +1173,15 @@ Once the number of failures reaches half this value,
 additional failures are logged.
 The default is 6.
 .It Cm MaxSessions
-Specifies the maximum number of open sessions permitted per network connection.
+Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
+sessions permitted per network connection.
+Multiple sessions may be established by clients that support connection
+multiplexing.
+Setting
+.Cm MaxSessions
+to 1 will effectively disable session multiplexing, whereas setting it to 0
+will prevent all shell, login and subsystem sessions while still permitting
+forwarding.
 The default is 10.
 .It Cm MaxStartups
 Specifies the maximum number of concurrent unauthenticated connections to the
@@ -1364,6 +1371,10 @@ and
 Multiple versions must be comma-separated.
 The default is
 .Sq 2 .
+Protocol 1 suffers from a number of cryptographic weaknesses and should
+not be used.
+It is only offered to support legacy devices.
+.Pp
 Note that the order of the protocol list does not indicate preference,
 because the client selects among multiple protocol versions offered
 by the server.
@@ -1398,7 +1409,6 @@ may be used to list supported key types.
 Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
-Note that this option applies to protocol version 2 only.
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted before the
 session key is renegotiated, optionally followed a maximum amount of
@@ -1424,7 +1434,6 @@ is
 .Dq default none ,
 which means that rekeying is performed after the cipher's default amount
 of data has been sent or received and no time based rekeying is done.
-This option applies to protocol version 2 only.
 .It Cm RevokedKeys
 Specifies revoked public keys file, or
 .Dq none
@@ -1511,7 +1520,6 @@ This may simplify configurations using
 to force a different filesystem root on clients.
 .Pp
 By default no subsystems are defined.
-Note that this option applies to protocol version 2 only.
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
@@ -1627,14 +1635,19 @@ After successful authentication, another process will be created that has
 the privilege of the authenticated user.
 The goal of privilege separation is to prevent privilege
 escalation by containing any corruption within the unprivileged processes.
-The default is
+The argument must be
-.Dq yes .
+.Dq yes ,
+.Dq no ,
+or
+.Dq sandbox .
 If
 .Cm UsePrivilegeSeparation
 is set to
 .Dq sandbox
 then the pre-authentication unprivileged process is subject to additional
 restrictions.
+The default is
+.Dq sandbox .
 .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.

diff --git a/sshd_config.5 b/sshd_config.5 index 0be7250b0..2387b51b8 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $
37	.Dd $Mdocdate: August 14 2015 $	37	.Dd $Mdocdate: February 17 2016 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -95,8 +95,7 @@ See
95	in	95	in
96	.Xr ssh_config 5	96	.Xr ssh_config 5
97	for how to configure the client.	97	for how to configure the client.
98	Note that environment passing is only supported for protocol 2, and	98	The
99	that the
100	.Ev TERM	99	.Ev TERM
101	environment variable is always sent whenever the client	100	environment variable is always sent whenever the client
102	requests a pseudo-terminal as it is required by the protocol.	101	requests a pseudo-terminal as it is required by the protocol.
@@ -251,7 +250,7 @@ of
251	.Dq publickey,publickey	250	.Dq publickey,publickey
252	will require successful authentication using two different public keys.	251	will require successful authentication using two different public keys.
253	.Pp	252	.Pp
254	This option is only available for SSH protocol 2 and will yield a fatal	253	This option will yield a fatal
255	error if enabled if protocol 1 is also enabled.	254	error if enabled if protocol 1 is also enabled.
256	Note that each authentication method listed should also be explicitly enabled	255	Note that each authentication method listed should also be explicitly enabled
257	in the configuration.	256	in the configuration.
@@ -310,6 +309,9 @@ After expansion,
310	is taken to be an absolute path or one relative to the user's home	309	is taken to be an absolute path or one relative to the user's home
311	directory.	310	directory.
312	Multiple files may be listed, separated by whitespace.	311	Multiple files may be listed, separated by whitespace.
		312	Alternately this option may be set to
		313	.Dq none
		314	to skip checking for user keys in files.
313	The default is	315	The default is
314	.Dq .ssh/authorized_keys .ssh/authorized_keys2 .	316	.Dq .ssh/authorized_keys .ssh/authorized_keys2 .
315	.It Cm AuthorizedPrincipalsCommand	317	.It Cm AuthorizedPrincipalsCommand
@@ -395,7 +397,6 @@ authentication is allowed.
395	If the argument is	397	If the argument is
396	.Dq none	398	.Dq none
397	then no banner is displayed.	399	then no banner is displayed.
398	This option is only available for protocol version 2.
399	By default, no banner is displayed.	400	By default, no banner is displayed.
400	.It Cm ChallengeResponseAuthentication	401	.It Cm ChallengeResponseAuthentication
401	Specifies whether challenge-response authentication is allowed (e.g. via	402	Specifies whether challenge-response authentication is allowed (e.g. via
@@ -453,10 +454,12 @@ Misconfiguration can lead to unsafe environments which
453	.Xr sshd 8	454	.Xr sshd 8
454	cannot detect.	455	cannot detect.
455	.Pp	456	.Pp
456	The default is not to	457	The default is
		458	.Dq none ,
		459	indicating not to
457	.Xr chroot 2 .	460	.Xr chroot 2 .
458	.It Cm Ciphers	461	.It Cm Ciphers
459	Specifies the ciphers allowed for protocol version 2.	462	Specifies the ciphers allowed.
460	Multiple ciphers must be comma-separated.	463	Multiple ciphers must be comma-separated.
461	If the specified value begins with a	464	If the specified value begins with a
462	.Sq +	465	.Sq +
@@ -537,7 +540,6 @@ If
537	.Cm ClientAliveCountMax	540	.Cm ClientAliveCountMax
538	is left at the default, unresponsive SSH clients	541	is left at the default, unresponsive SSH clients
539	will be disconnected after approximately 45 seconds.	542	will be disconnected after approximately 45 seconds.
540	This option applies to protocol version 2 only.
541	.It Cm ClientAliveInterval	543	.It Cm ClientAliveInterval
542	Sets a timeout interval in seconds after which if no data has been received	544	Sets a timeout interval in seconds after which if no data has been received
543	from the client,	545	from the client,
@@ -546,7 +548,6 @@ will send a message through the encrypted
546	channel to request a response from the client.	548	channel to request a response from the client.
547	The default	549	The default
548	is 0, indicating that these messages will not be sent to the client.	550	is 0, indicating that these messages will not be sent to the client.
549	This option applies to protocol version 2 only.
550	.It Cm Compression	551	.It Cm Compression
551	Specifies whether compression is allowed, or delayed until	552	Specifies whether compression is allowed, or delayed until
552	the user has authenticated successfully.	553	the user has authenticated successfully.
@@ -625,6 +626,8 @@ Specifying a command of
625	will force the use of an in-process sftp server that requires no support	626	will force the use of an in-process sftp server that requires no support
626	files when used with	627	files when used with
627	.Cm ChrootDirectory .	628	.Cm ChrootDirectory .
		629	The default is
		630	.Dq none .
628	.It Cm GatewayPorts	631	.It Cm GatewayPorts
629	Specifies whether remote hosts are allowed to connect to ports	632	Specifies whether remote hosts are allowed to connect to ports
630	forwarded for the client.	633	forwarded for the client.
@@ -649,19 +652,16 @@ The default is
649	Specifies whether user authentication based on GSSAPI is allowed.	652	Specifies whether user authentication based on GSSAPI is allowed.
650	The default is	653	The default is
651	.Dq no .	654	.Dq no .
652	Note that this option applies to protocol version 2 only.
653	.It Cm GSSAPIKeyExchange	655	.It Cm GSSAPIKeyExchange
654	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange	656	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
655	doesn't rely on ssh keys to verify host identity.	657	doesn't rely on ssh keys to verify host identity.
656	The default is	658	The default is
657	.Dq no .	659	.Dq no .
658	Note that this option applies to protocol version 2 only.
659	.It Cm GSSAPICleanupCredentials	660	.It Cm GSSAPICleanupCredentials
660	Specifies whether to automatically destroy the user's credentials cache	661	Specifies whether to automatically destroy the user's credentials cache
661	on logout.	662	on logout.
662	The default is	663	The default is
663	.Dq yes .	664	.Dq yes .
664	Note that this option applies to protocol version 2 only.
665	.It Cm GSSAPIStrictAcceptorCheck	665	.It Cm GSSAPIStrictAcceptorCheck
666	Determines whether to be strict about the identity of the GSSAPI acceptor	666	Determines whether to be strict about the identity of the GSSAPI acceptor
667	a client authenticates against.	667	a client authenticates against.
@@ -709,9 +709,6 @@ may be used to list supported key types.
709	Specifies whether rhosts or /etc/hosts.equiv authentication together	709	Specifies whether rhosts or /etc/hosts.equiv authentication together
710	with successful public key client host authentication is allowed	710	with successful public key client host authentication is allowed
711	(host-based authentication).	711	(host-based authentication).
712	This option is similar to
713	.Cm RhostsRSAAuthentication
714	and applies to protocol version 2 only.
715	The default is	712	The default is
716	.Dq no .	713	.Dq no .
717	.It Cm HostbasedUsesNameFromPacketOnly	714	.It Cm HostbasedUsesNameFromPacketOnly
@@ -782,7 +779,7 @@ is specified, the location of the socket will be read from the
782	.Ev SSH_AUTH_SOCK	779	.Ev SSH_AUTH_SOCK
783	environment variable.	780	environment variable.
784	.It Cm HostKeyAlgorithms	781	.It Cm HostKeyAlgorithms
785	Specifies the protocol version 2 host key algorithms	782	Specifies the host key algorithms
786	that the server offers.	783	that the server offers.
787	The default for this option is:	784	The default for this option is:
788	.Bd -literal -offset 3n	785	.Bd -literal -offset 3n
@@ -1003,8 +1000,7 @@ DEBUG2 and DEBUG3 each specify higher levels of debugging output.
1003	Logging with a DEBUG level violates the privacy of users and is not recommended.	1000	Logging with a DEBUG level violates the privacy of users and is not recommended.
1004	.It Cm MACs	1001	.It Cm MACs
1005	Specifies the available MAC (message authentication code) algorithms.	1002	Specifies the available MAC (message authentication code) algorithms.
1006	The MAC algorithm is used in protocol version 2	1003	The MAC algorithm is used for data integrity protection.
1007	for data integrity protection.
1008	Multiple algorithms must be comma-separated.	1004	Multiple algorithms must be comma-separated.
1009	If the specified value begins with a	1005	If the specified value begins with a
1010	.Sq +	1006	.Sq +
@@ -1060,8 +1056,9 @@ The default is:
1060	.Bd -literal -offset indent	1056	.Bd -literal -offset indent
1061	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	1057	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1062	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,	1058	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
		1059	hmac-sha1-etm@openssh.com,
1063	umac-64@openssh.com,umac-128@openssh.com,	1060	umac-64@openssh.com,umac-128@openssh.com,
1064	hmac-sha2-256,hmac-sha2-512	1061	hmac-sha2-256,hmac-sha2-512,hmac-sha1
1065	.Ed	1062	.Ed
1066	.Pp	1063	.Pp
1067	The list of available MAC algorithms may also be obtained using the	1064	The list of available MAC algorithms may also be obtained using the
@@ -1131,6 +1128,8 @@ Available keywords are
1131	.Cm AuthorizedKeysCommand ,	1128	.Cm AuthorizedKeysCommand ,
1132	.Cm AuthorizedKeysCommandUser ,	1129	.Cm AuthorizedKeysCommandUser ,
1133	.Cm AuthorizedKeysFile ,	1130	.Cm AuthorizedKeysFile ,
		1131	.Cm AuthorizedPrincipalsCommand ,
		1132	.Cm AuthorizedPrincipalsCommandUser ,
1134	.Cm AuthorizedPrincipalsFile ,	1133	.Cm AuthorizedPrincipalsFile ,
1135	.Cm Banner ,	1134	.Cm Banner ,
1136	.Cm ChrootDirectory ,	1135	.Cm ChrootDirectory ,
@@ -1174,7 +1173,15 @@ Once the number of failures reaches half this value,
1174	additional failures are logged.	1173	additional failures are logged.
1175	The default is 6.	1174	The default is 6.
1176	.It Cm MaxSessions	1175	.It Cm MaxSessions
1177	Specifies the maximum number of open sessions permitted per network connection.	1176	Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
		1177	sessions permitted per network connection.
		1178	Multiple sessions may be established by clients that support connection
		1179	multiplexing.
		1180	Setting
		1181	.Cm MaxSessions
		1182	to 1 will effectively disable session multiplexing, whereas setting it to 0
		1183	will prevent all shell, login and subsystem sessions while still permitting
		1184	forwarding.
1178	The default is 10.	1185	The default is 10.
1179	.It Cm MaxStartups	1186	.It Cm MaxStartups
1180	Specifies the maximum number of concurrent unauthenticated connections to the	1187	Specifies the maximum number of concurrent unauthenticated connections to the
@@ -1364,6 +1371,10 @@ and
1364	Multiple versions must be comma-separated.	1371	Multiple versions must be comma-separated.
1365	The default is	1372	The default is
1366	.Sq 2 .	1373	.Sq 2 .
		1374	Protocol 1 suffers from a number of cryptographic weaknesses and should
		1375	not be used.
		1376	It is only offered to support legacy devices.
		1377	.Pp
1367	Note that the order of the protocol list does not indicate preference,	1378	Note that the order of the protocol list does not indicate preference,
1368	because the client selects among multiple protocol versions offered	1379	because the client selects among multiple protocol versions offered
1369	by the server.	1380	by the server.
@@ -1398,7 +1409,6 @@ may be used to list supported key types.
1398	Specifies whether public key authentication is allowed.	1409	Specifies whether public key authentication is allowed.
1399	The default is	1410	The default is
1400	.Dq yes .	1411	.Dq yes .
1401	Note that this option applies to protocol version 2 only.
1402	.It Cm RekeyLimit	1412	.It Cm RekeyLimit
1403	Specifies the maximum amount of data that may be transmitted before the	1413	Specifies the maximum amount of data that may be transmitted before the
1404	session key is renegotiated, optionally followed a maximum amount of	1414	session key is renegotiated, optionally followed a maximum amount of
@@ -1424,7 +1434,6 @@ is
1424	.Dq default none ,	1434	.Dq default none ,
1425	which means that rekeying is performed after the cipher's default amount	1435	which means that rekeying is performed after the cipher's default amount
1426	of data has been sent or received and no time based rekeying is done.	1436	of data has been sent or received and no time based rekeying is done.
1427	This option applies to protocol version 2 only.
1428	.It Cm RevokedKeys	1437	.It Cm RevokedKeys
1429	Specifies revoked public keys file, or	1438	Specifies revoked public keys file, or
1430	.Dq none	1439	.Dq none
@@ -1511,7 +1520,6 @@ This may simplify configurations using
1511	to force a different filesystem root on clients.	1520	to force a different filesystem root on clients.
1512	.Pp	1521	.Pp
1513	By default no subsystems are defined.	1522	By default no subsystems are defined.
1514	Note that this option applies to protocol version 2 only.
1515	.It Cm SyslogFacility	1523	.It Cm SyslogFacility
1516	Gives the facility code that is used when logging messages from	1524	Gives the facility code that is used when logging messages from
1517	.Xr sshd 8 .	1525	.Xr sshd 8 .
@@ -1627,14 +1635,19 @@ After successful authentication, another process will be created that has
1627	the privilege of the authenticated user.	1635	the privilege of the authenticated user.
1628	The goal of privilege separation is to prevent privilege	1636	The goal of privilege separation is to prevent privilege
1629	escalation by containing any corruption within the unprivileged processes.	1637	escalation by containing any corruption within the unprivileged processes.
1630	The default is	1638	The argument must be
1631	.Dq yes .	1639	.Dq yes ,
		1640	.Dq no ,
		1641	or
		1642	.Dq sandbox .
1632	If	1643	If
1633	.Cm UsePrivilegeSeparation	1644	.Cm UsePrivilegeSeparation
1634	is set to	1645	is set to
1635	.Dq sandbox	1646	.Dq sandbox
1636	then the pre-authentication unprivileged process is subject to additional	1647	then the pre-authentication unprivileged process is subject to additional
1637	restrictions.	1648	restrictions.
		1649	The default is
		1650	.Dq sandbox .
1638	.It Cm VersionAddendum	1651	.It Cm VersionAddendum
1639	Optionally specifies additional text to append to the SSH protocol banner	1652	Optionally specifies additional text to append to the SSH protocol banner
1640	sent by the server upon connection.	1653	sent by the server upon connection.