1 files changed, 51 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index de447bce5..a5e20d1e8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.125 2010/06/30 07:28:34 jmc Exp $
-.Dd $Mdocdate: March 4 2010 $
+.Dd $Mdocdate: June 30 2010 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -182,6 +182,10 @@ for more information on patterns.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
+The format is described in the
+.Sx AUTHORIZED_KEYS FILE FORMAT
+section of
+.Xr sshd 8 .
 .Cm AuthorizedKeysFile
 may contain tokens of the form %T which are substituted during connection
 setup.
@@ -194,6 +198,47 @@ is taken to be an absolute path or one relative to the user's home
 directory.
 The default is
 .Dq .ssh/authorized_keys .
+.It Cm AuthorizedPrincipalsFile
+Specifies a file that lists principal names that are accepted for
+certificate authentication.
+When using certificates signed by a key listed in
+.Cm TrustedUserCAKeys ,
+this file lists names, one of which must appear in the certificate for it
+to be accepted for authentication.
+Names are listed one per line preceded by key options (as described
+in
+.Sx AUTHORIZED_KEYS FILE FORMAT
+in
+.Xr sshd 8 ) .
+Empty lines and comments starting with
+.Ql #
+are ignored.
+.Pp
+.Cm AuthorizedPrincipalsFile
+may contain tokens of the form %T which are substituted during connection
+setup.
+The following tokens are defined: %% is replaced by a literal '%',
+%h is replaced by the home directory of the user being authenticated, and
+%u is replaced by the username of that user.
+After expansion,
+.Cm AuthorizedPrincipalsFile
+is taken to be an absolute path or one relative to the user's home
+directory.
+.Pp
+The default is not to use a principals file \(en in this case, the username
+of the user must appear in a certificate's principals list for it to be
+accepted.
+Note that
+.Cm AuthorizedPrincipalsFile
+is only used when authentication proceeds using a CA listed in
+.Cm TrustedUserCAKeys
+and is not consulted for certification authorities trusted via
+.Pa ~/.ssh/authorized_keys ,
+though the
+.Cm principals=
+key option offers a similar facility (see
+.Xr sshd 8
+for details).
 .It Cm Banner
 The contents of the specified file are sent to the remote user before
 authentication is allowed.
@@ -667,12 +712,15 @@ keyword.
 Available keywords are
 .Cm AllowAgentForwarding ,
 .Cm AllowTcpForwarding ,
+.Cm AuthorizedKeysFile ,
+.Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm GSSAPIAuthentication ,
 .Cm HostbasedAuthentication ,
+.Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
@@ -681,6 +729,7 @@ Available keywords are
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
+.Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,

diff --git a/sshd_config.5 b/sshd_config.5 index de447bce5..a5e20d1e8 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.125 2010/06/30 07:28:34 jmc Exp $
38	.Dd $Mdocdate: March 4 2010 $	38	.Dd $Mdocdate: June 30 2010 $
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -182,6 +182,10 @@ for more information on patterns.
182	.It Cm AuthorizedKeysFile	182	.It Cm AuthorizedKeysFile
183	Specifies the file that contains the public keys that can be used	183	Specifies the file that contains the public keys that can be used
184	for user authentication.	184	for user authentication.
		185	The format is described in the
		186	.Sx AUTHORIZED_KEYS FILE FORMAT
		187	section of
		188	.Xr sshd 8 .
185	.Cm AuthorizedKeysFile	189	.Cm AuthorizedKeysFile
186	may contain tokens of the form %T which are substituted during connection	190	may contain tokens of the form %T which are substituted during connection
187	setup.	191	setup.
@@ -194,6 +198,47 @@ is taken to be an absolute path or one relative to the user's home
194	directory.	198	directory.
195	The default is	199	The default is
196	.Dq .ssh/authorized_keys .	200	.Dq .ssh/authorized_keys .
		201	.It Cm AuthorizedPrincipalsFile
		202	Specifies a file that lists principal names that are accepted for
		203	certificate authentication.
		204	When using certificates signed by a key listed in
		205	.Cm TrustedUserCAKeys ,
		206	this file lists names, one of which must appear in the certificate for it
		207	to be accepted for authentication.
		208	Names are listed one per line preceded by key options (as described
		209	in
		210	.Sx AUTHORIZED_KEYS FILE FORMAT
		211	in
		212	.Xr sshd 8 ) .
		213	Empty lines and comments starting with
		214	.Ql #
		215	are ignored.
		216	.Pp
		217	.Cm AuthorizedPrincipalsFile
		218	may contain tokens of the form %T which are substituted during connection
		219	setup.
		220	The following tokens are defined: %% is replaced by a literal '%',
		221	%h is replaced by the home directory of the user being authenticated, and
		222	%u is replaced by the username of that user.
		223	After expansion,
		224	.Cm AuthorizedPrincipalsFile
		225	is taken to be an absolute path or one relative to the user's home
		226	directory.
		227	.Pp
		228	The default is not to use a principals file \(en in this case, the username
		229	of the user must appear in a certificate's principals list for it to be
		230	accepted.
		231	Note that
		232	.Cm AuthorizedPrincipalsFile
		233	is only used when authentication proceeds using a CA listed in
		234	.Cm TrustedUserCAKeys
		235	and is not consulted for certification authorities trusted via
		236	.Pa ~/.ssh/authorized_keys ,
		237	though the
		238	.Cm principals=
		239	key option offers a similar facility (see
		240	.Xr sshd 8
		241	for details).
197	.It Cm Banner	242	.It Cm Banner
198	The contents of the specified file are sent to the remote user before	243	The contents of the specified file are sent to the remote user before
199	authentication is allowed.	244	authentication is allowed.
@@ -667,12 +712,15 @@ keyword.
667	Available keywords are	712	Available keywords are
668	.Cm AllowAgentForwarding ,	713	.Cm AllowAgentForwarding ,
669	.Cm AllowTcpForwarding ,	714	.Cm AllowTcpForwarding ,
		715	.Cm AuthorizedKeysFile ,
		716	.Cm AuthorizedPrincipalsFile ,
670	.Cm Banner ,	717	.Cm Banner ,
671	.Cm ChrootDirectory ,	718	.Cm ChrootDirectory ,
672	.Cm ForceCommand ,	719	.Cm ForceCommand ,
673	.Cm GatewayPorts ,	720	.Cm GatewayPorts ,
674	.Cm GSSAPIAuthentication ,	721	.Cm GSSAPIAuthentication ,
675	.Cm HostbasedAuthentication ,	722	.Cm HostbasedAuthentication ,
		723	.Cm HostbasedUsesNameFromPacketOnly ,
676	.Cm KbdInteractiveAuthentication ,	724	.Cm KbdInteractiveAuthentication ,
677	.Cm KerberosAuthentication ,	725	.Cm KerberosAuthentication ,
678	.Cm MaxAuthTries ,	726	.Cm MaxAuthTries ,
@@ -681,6 +729,7 @@ Available keywords are
681	.Cm PermitEmptyPasswords ,	729	.Cm PermitEmptyPasswords ,
682	.Cm PermitOpen ,	730	.Cm PermitOpen ,
683	.Cm PermitRootLogin ,	731	.Cm PermitRootLogin ,
		732	.Cm PermitTunnel ,
684	.Cm PubkeyAuthentication ,	733	.Cm PubkeyAuthentication ,
685	.Cm RhostsRSAAuthentication ,	734	.Cm RhostsRSAAuthentication ,
686	.Cm RSAAuthentication ,	735	.Cm RSAAuthentication ,