1 files changed, 105 insertions, 7 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 5e1c7943c..e58b7cfc7 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $
-.Dd $Mdocdate: June 11 2007 $
+.Dd $Mdocdate: July 2 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -95,6 +95,15 @@ Valid arguments are
 (use IPv6 only).
 The default is
 .Dq any .
+.It Cm AllowAgentForwarding
+Specifies whether
+.Xr ssh-agent 1
+forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling agent forwarding does not improve security
+unless users are also denied shell access, as they can always install
+their own forwarders.
 .It Cm AllowGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
@@ -159,10 +168,11 @@ directory.
 The default is
 .Dq .ssh/authorized_keys .
 .It Cm Banner
-In some jurisdictions, sending a warning message before authentication
-may be relevant for getting legal protection.
 The contents of the specified file are sent to the remote user before
 authentication is allowed.
+If the argument is
+.Dq none
+then no banner is displayed.
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
@@ -172,6 +182,45 @@ All authentication styles from
 are supported.
 The default is
 .Dq yes .
+.It Cm ChrootDirectory
+Specifies a path to
+.Xr chroot 2
+to after authentication.
+This path, and all its components, must be root-owned directories that are
+not writable by any other user or group.
+.Pp
+The path may contain the following tokens that are expanded at runtime once
+the connecting user has been authenticated: %% is replaced by a literal '%',
+%h is replaced by the home directory of the user being authenticated, and
+%u is replaced by the username of that user.
+.Pp
+The
+.Cm ChrootDirectory
+must contain the necessary files and directories to support the
+users' session.
+For an interactive session this requires at least a shell, typically
+.Xr sh 1 ,
+and basic
+.Pa /dev
+nodes such as
+.Xr null 4 ,
+.Xr zero 4 ,
+.Xr stdin 4 ,
+.Xr stdout 4 ,
+.Xr stderr 4 ,
+.Xr arandom 4
+and
+.Xr tty 4
+devices.
+For file transfer sessions using
+.Dq sftp ,
+no additional configuration of the environment is necessary if the
+in-process sftp server is used (see
+.Cm Subsystem
+for details).
+.Pp
+The default is not to
+.Xr chroot 2 .
 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
@@ -284,7 +333,9 @@ for more information on patterns.
 .It Cm ForceCommand
 Forces the execution of the command specified by
 .Cm ForceCommand ,
-ignoring any command supplied by the client.
+ignoring any command supplied by the client and
+.Pa ~/.ssh/rc
+if present.
 The command is invoked by using the user's login shell with the -c option.
 This applies to shell, command, or subsystem execution.
 It is most useful inside a
@@ -293,6 +344,11 @@ block.
 The command originally supplied by the client is available in the
 .Ev SSH_ORIGINAL_COMMAND
 environment variable.
+Specifying a command of
+.Dq internal-sftp
+will force the use of an in-process sftp server that requires no support
+files when used with
+.Cm ChrootDirectory .
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
@@ -524,6 +580,7 @@ line are satisfied, the keywords on the following lines override those
 set in the global section of the config file, until either another
 .Cm Match
 line or the end of the file.
+.Pp
 The arguments to
 .Cm Match
 are one or more criteria-pattern pairs.
@@ -533,19 +590,46 @@ The available criteria are
 .Cm Host ,
 and
 .Cm Address .
+The match patterns may consist of single entries or comma-separated
+lists and may use the wildcard and negation operators described in the
+.Sx PATTERNS
+section of
+.Xr ssh_config 5 .
+.Pp
+The patterns in an
+.Cm Address
+criteria may additionally contain addresses to match in CIDR
+address/masklen format, e.g.\&
+.Dq 192.0.2.0/24
+or
+.Dq 3ffe:ffff::/32 .
+Note that the mask length provided must be consistent with the address -
+it is an error to specify a mask length that is too long for the address
+or one with bits set in this host portion of the address.
+For example,
+.Dq 192.0.2.0/33
+and
+.Dq 192.0.2.0/8
+respectively.
+.Pp
 Only a subset of keywords may be used on the lines following a
 .Cm Match
 keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
 .Cm Banner ,
+.Cm ChrootDirectory ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
-.Cm GSSApiAuthentication ,
+.Cm GSSAPIAuthentication ,
+.Cm HostbasedAuthentication ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
+.Cm MaxAuthTries ,
+.Cm MaxSessions ,
 .Cm PasswordAuthentication ,
 .Cm PermitOpen ,
+.Cm PermitRootLogin ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -558,6 +642,9 @@ connection.
 Once the number of failures reaches half this value,
 additional failures are logged.
 The default is 6.
+.It Cm MaxSessions
+Specifies the maximum number of open sessions permitted per network connection.
+The default is 10.
 .It Cm MaxStartups
 Specifies the maximum number of concurrent unauthenticated connections to the
 SSH daemon.
@@ -747,7 +834,7 @@ The default is
 This option applies to protocol version 1 only.
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
-The minimum value is 512, and the default is 768.
+The minimum value is 512, and the default is 1024.
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
@@ -761,11 +848,22 @@ The default is
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)
 to execute upon subsystem request.
+.Pp
 The command
 .Xr sftp-server 8
 implements the
 .Dq sftp
 file transfer subsystem.
+.Pp
+Alternately the name
+.Dq internal-sftp
+implements an in-process
+.Dq sftp
+server.
+This may simplify configurations using
+.Cm ChrootDirectory
+to force a different filesystem root on clients.
+.Pp
 By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.
 .It Cm SyslogFacility

diff --git a/sshd_config.5 b/sshd_config.5 index 5e1c7943c..e58b7cfc7 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $
38	.Dd $Mdocdate: June 11 2007 $	38	.Dd $Mdocdate: July 2 2008 $
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -95,6 +95,15 @@ Valid arguments are
95	(use IPv6 only).	95	(use IPv6 only).
96	The default is	96	The default is
97	.Dq any .	97	.Dq any .
		98	.It Cm AllowAgentForwarding
		99	Specifies whether
		100	.Xr ssh-agent 1
		101	forwarding is permitted.
		102	The default is
		103	.Dq yes .
		104	Note that disabling agent forwarding does not improve security
		105	unless users are also denied shell access, as they can always install
		106	their own forwarders.
98	.It Cm AllowGroups	107	.It Cm AllowGroups
99	This keyword can be followed by a list of group name patterns, separated	108	This keyword can be followed by a list of group name patterns, separated
100	by spaces.	109	by spaces.
@@ -159,10 +168,11 @@ directory.
159	The default is	168	The default is
160	.Dq .ssh/authorized_keys .	169	.Dq .ssh/authorized_keys .
161	.It Cm Banner	170	.It Cm Banner
162	In some jurisdictions, sending a warning message before authentication
163	may be relevant for getting legal protection.
164	The contents of the specified file are sent to the remote user before	171	The contents of the specified file are sent to the remote user before
165	authentication is allowed.	172	authentication is allowed.
		173	If the argument is
		174	.Dq none
		175	then no banner is displayed.
166	This option is only available for protocol version 2.	176	This option is only available for protocol version 2.
167	By default, no banner is displayed.	177	By default, no banner is displayed.
168	.It Cm ChallengeResponseAuthentication	178	.It Cm ChallengeResponseAuthentication
@@ -172,6 +182,45 @@ All authentication styles from
172	are supported.	182	are supported.
173	The default is	183	The default is
174	.Dq yes .	184	.Dq yes .
		185	.It Cm ChrootDirectory
		186	Specifies a path to
		187	.Xr chroot 2
		188	to after authentication.
		189	This path, and all its components, must be root-owned directories that are
		190	not writable by any other user or group.
		191	.Pp
		192	The path may contain the following tokens that are expanded at runtime once
		193	the connecting user has been authenticated: %% is replaced by a literal '%',
		194	%h is replaced by the home directory of the user being authenticated, and
		195	%u is replaced by the username of that user.
		196	.Pp
		197	The
		198	.Cm ChrootDirectory
		199	must contain the necessary files and directories to support the
		200	users' session.
		201	For an interactive session this requires at least a shell, typically
		202	.Xr sh 1 ,
		203	and basic
		204	.Pa /dev
		205	nodes such as
		206	.Xr null 4 ,
		207	.Xr zero 4 ,
		208	.Xr stdin 4 ,
		209	.Xr stdout 4 ,
		210	.Xr stderr 4 ,
		211	.Xr arandom 4
		212	and
		213	.Xr tty 4
		214	devices.
		215	For file transfer sessions using
		216	.Dq sftp ,
		217	no additional configuration of the environment is necessary if the
		218	in-process sftp server is used (see
		219	.Cm Subsystem
		220	for details).
		221	.Pp
		222	The default is not to
		223	.Xr chroot 2 .
175	.It Cm Ciphers	224	.It Cm Ciphers
176	Specifies the ciphers allowed for protocol version 2.	225	Specifies the ciphers allowed for protocol version 2.
177	Multiple ciphers must be comma-separated.	226	Multiple ciphers must be comma-separated.
@@ -284,7 +333,9 @@ for more information on patterns.
284	.It Cm ForceCommand	333	.It Cm ForceCommand
285	Forces the execution of the command specified by	334	Forces the execution of the command specified by
286	.Cm ForceCommand ,	335	.Cm ForceCommand ,
287	ignoring any command supplied by the client.	336	ignoring any command supplied by the client and
		337	.Pa ~/.ssh/rc
		338	if present.
288	The command is invoked by using the user's login shell with the -c option.	339	The command is invoked by using the user's login shell with the -c option.
289	This applies to shell, command, or subsystem execution.	340	This applies to shell, command, or subsystem execution.
290	It is most useful inside a	341	It is most useful inside a
@@ -293,6 +344,11 @@ block.
293	The command originally supplied by the client is available in the	344	The command originally supplied by the client is available in the
294	.Ev SSH_ORIGINAL_COMMAND	345	.Ev SSH_ORIGINAL_COMMAND
295	environment variable.	346	environment variable.
		347	Specifying a command of
		348	.Dq internal-sftp
		349	will force the use of an in-process sftp server that requires no support
		350	files when used with
		351	.Cm ChrootDirectory .
296	.It Cm GatewayPorts	352	.It Cm GatewayPorts
297	Specifies whether remote hosts are allowed to connect to ports	353	Specifies whether remote hosts are allowed to connect to ports
298	forwarded for the client.	354	forwarded for the client.
@@ -524,6 +580,7 @@ line are satisfied, the keywords on the following lines override those
524	set in the global section of the config file, until either another	580	set in the global section of the config file, until either another
525	.Cm Match	581	.Cm Match
526	line or the end of the file.	582	line or the end of the file.
		583	.Pp
527	The arguments to	584	The arguments to
528	.Cm Match	585	.Cm Match
529	are one or more criteria-pattern pairs.	586	are one or more criteria-pattern pairs.
@@ -533,19 +590,46 @@ The available criteria are
533	.Cm Host ,	590	.Cm Host ,
534	and	591	and
535	.Cm Address .	592	.Cm Address .
		593	The match patterns may consist of single entries or comma-separated
		594	lists and may use the wildcard and negation operators described in the
		595	.Sx PATTERNS
		596	section of
		597	.Xr ssh_config 5 .
		598	.Pp
		599	The patterns in an
		600	.Cm Address
		601	criteria may additionally contain addresses to match in CIDR
		602	address/masklen format, e.g.\&
		603	.Dq 192.0.2.0/24
		604	or
		605	.Dq 3ffe:ffff::/32 .
		606	Note that the mask length provided must be consistent with the address -
		607	it is an error to specify a mask length that is too long for the address
		608	or one with bits set in this host portion of the address.
		609	For example,
		610	.Dq 192.0.2.0/33
		611	and
		612	.Dq 192.0.2.0/8
		613	respectively.
		614	.Pp
536	Only a subset of keywords may be used on the lines following a	615	Only a subset of keywords may be used on the lines following a
537	.Cm Match	616	.Cm Match
538	keyword.	617	keyword.
539	Available keywords are	618	Available keywords are
540	.Cm AllowTcpForwarding ,	619	.Cm AllowTcpForwarding ,
541	.Cm Banner ,	620	.Cm Banner ,
		621	.Cm ChrootDirectory ,
542	.Cm ForceCommand ,	622	.Cm ForceCommand ,
543	.Cm GatewayPorts ,	623	.Cm GatewayPorts ,
544	.Cm GSSApiAuthentication ,	624	.Cm GSSAPIAuthentication ,
		625	.Cm HostbasedAuthentication ,
545	.Cm KbdInteractiveAuthentication ,	626	.Cm KbdInteractiveAuthentication ,
546	.Cm KerberosAuthentication ,	627	.Cm KerberosAuthentication ,
		628	.Cm MaxAuthTries ,
		629	.Cm MaxSessions ,
547	.Cm PasswordAuthentication ,	630	.Cm PasswordAuthentication ,
548	.Cm PermitOpen ,	631	.Cm PermitOpen ,
		632	.Cm PermitRootLogin ,
549	.Cm RhostsRSAAuthentication ,	633	.Cm RhostsRSAAuthentication ,
550	.Cm RSAAuthentication ,	634	.Cm RSAAuthentication ,
551	.Cm X11DisplayOffset ,	635	.Cm X11DisplayOffset ,
@@ -558,6 +642,9 @@ connection.
558	Once the number of failures reaches half this value,	642	Once the number of failures reaches half this value,
559	additional failures are logged.	643	additional failures are logged.
560	The default is 6.	644	The default is 6.
		645	.It Cm MaxSessions
		646	Specifies the maximum number of open sessions permitted per network connection.
		647	The default is 10.
561	.It Cm MaxStartups	648	.It Cm MaxStartups
562	Specifies the maximum number of concurrent unauthenticated connections to the	649	Specifies the maximum number of concurrent unauthenticated connections to the
563	SSH daemon.	650	SSH daemon.
@@ -747,7 +834,7 @@ The default is
747	This option applies to protocol version 1 only.	834	This option applies to protocol version 1 only.
748	.It Cm ServerKeyBits	835	.It Cm ServerKeyBits
749	Defines the number of bits in the ephemeral protocol version 1 server key.	836	Defines the number of bits in the ephemeral protocol version 1 server key.
750	The minimum value is 512, and the default is 768.	837	The minimum value is 512, and the default is 1024.
751	.It Cm StrictModes	838	.It Cm StrictModes
752	Specifies whether	839	Specifies whether
753	.Xr sshd 8	840	.Xr sshd 8
@@ -761,11 +848,22 @@ The default is
761	Configures an external subsystem (e.g. file transfer daemon).	848	Configures an external subsystem (e.g. file transfer daemon).
762	Arguments should be a subsystem name and a command (with optional arguments)	849	Arguments should be a subsystem name and a command (with optional arguments)
763	to execute upon subsystem request.	850	to execute upon subsystem request.
		851	.Pp
764	The command	852	The command
765	.Xr sftp-server 8	853	.Xr sftp-server 8
766	implements the	854	implements the
767	.Dq sftp	855	.Dq sftp
768	file transfer subsystem.	856	file transfer subsystem.
		857	.Pp
		858	Alternately the name
		859	.Dq internal-sftp
		860	implements an in-process
		861	.Dq sftp
		862	server.
		863	This may simplify configurations using
		864	.Cm ChrootDirectory
		865	to force a different filesystem root on clients.
		866	.Pp
769	By default no subsystems are defined.	867	By default no subsystems are defined.
770	Note that this option applies to protocol version 2 only.	868	Note that this option applies to protocol version 2 only.
771	.It Cm SyslogFacility	869	.It Cm SyslogFacility