1 files changed, 67 insertions, 30 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 935bb62fa..525d9c858 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $
-.Dd $Mdocdate: February 6 2013 $
+.Dd $Mdocdate: July 19 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -117,9 +117,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm AllowTcpForwarding
@@ -159,9 +157,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm AuthenticationMethods
@@ -180,6 +176,20 @@ Only methods that are next in one or more lists are offered at each stage,
 so for this example, it would not be possible to attempt password or
 keyboard-interactive authentication before public key.
 .Pp
+For keyboard interactive authentication it is also possible to
+restrict authentication to a specific device by appending a
+colon followed by the device identifier
+.Dq bsdauth ,
+.Dq pam ,
+or
+.Dq skey ,
+depending on the server configuration.
+For example,
+.Dq keyboard-interactive:bsdauth
+would restrict keyboard interactive authentication to the
+.Dq bsdauth
+device.
+.Pp
 This option is only available for SSH protocol 2 and will yield a fatal
 error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
@@ -188,11 +198,10 @@ The default is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
-The program will be invoked with a single argument of the username
+The program must be owned by root and not writable by group or others.
+It will be invoked with a single argument of the username
 being authenticated, and should produce on standard output zero or
-more lines of authorized_keys output (see
+more lines of authorized_keys output (see AUTHORIZED_KEYS in
-.Sx AUTHORIZED_KEYS
-in
 .Xr sshd 8 ) .
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
 and authorize the user then public key authentication continues using the usual
@@ -207,7 +216,7 @@ than running authorized keys commands.
 Specifies the file that contains the public keys that can be used
 for user authentication.
 The format is described in the
-.Sx AUTHORIZED_KEYS FILE FORMAT
+AUTHORIZED_KEYS FILE FORMAT
 section of
 .Xr sshd 8 .
 .Cm AuthorizedKeysFile
@@ -231,9 +240,7 @@ When using certificates signed by a key listed in
 this file lists names, one of which must appear in the certificate for it
 to be accepted for authentication.
 Names are listed one per line preceded by key options (as described
-in
+in AUTHORIZED_KEYS FILE FORMAT in
-.Sx AUTHORIZED_KEYS FILE FORMAT
-in
 .Xr sshd 8 ) .
 Empty lines and comments starting with
 .Ql #
@@ -411,9 +418,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm DenyUsers
@@ -432,9 +437,7 @@ The allow/deny directives are processed in the following order:
 and finally
 .Cm AllowGroups .
 .Pp
-See
+See PATTERNS in
-.Sx PATTERNS
-in
 .Xr ssh_config 5
 for more information on patterns.
 .It Cm ForceCommand
@@ -571,6 +574,18 @@ keys are used for version 1 and
 or
 .Dq rsa
 are used for version 2 of the SSH protocol.
+It is also possible to specify public host key files instead.
+In this case operations on the private key will be delegated
+to an
+.Xr ssh-agent 1 .
+.It Cm HostKeyAgent
+Identifies the UNIX-domain socket used to communicate
+with an agent that has access to the private host keys.
+If
+.Dq SSH_AUTH_SOCK
+is specified, the location of the socket will be read from the
+.Ev SSH_AUTH_SOCK
+environment variable.
 .It Cm IgnoreRhosts
 Specifies that
 .Pa .rhosts
@@ -774,8 +789,7 @@ and
 .Cm Address .
 The match patterns may consist of single entries or comma-separated
 lists and may use the wildcard and negation operators described in the
-.Sx PATTERNS
+PATTERNS section of
-section of
 .Xr ssh_config 5 .
 .Pp
 The patterns in an
@@ -827,6 +841,7 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
+.Cm RekeyLimit ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -1021,6 +1036,32 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm RekeyLimit
+Specifies the maximum amount of data that may be transmitted before the
+session key is renegotiated, optionally followed a maximum amount of
+time that may pass before the session key is renegotiated.
+The first argument is specified in bytes and may have a suffix of
+.Sq K ,
+.Sq M ,
+or
+.Sq G
+to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
+The default is between
+.Sq 1G
+and
+.Sq 4G ,
+depending on the cipher.
+The optional second value is specified in seconds and may use any of the
+units documented in the
+.Sx TIME FORMATS
+section.
+The default value for
+.Cm RekeyLimit
+is
+.Dq default none ,
+which means that rekeying is performed after the cipher's default amount
+of data has been sent or received and no time based rekeying is done.
+This option applies to protocol version 2 only.
 .It Cm RevokedKeys
 Specifies revoked public keys.
 Keys listed in this file will be refused for public key authentication.
@@ -1029,9 +1070,7 @@ be refused for all users.
 Keys may be specified as a text file, listing one public key per line, or as
 an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
-For more information on KRLs, see the
+For more information on KRLs, see the KEY REVOCATION LISTS section in
-.Sx KEY REVOCATION LISTS
-section in
 .Xr ssh-keygen 1 .
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
@@ -1120,9 +1159,7 @@ listed in the certificate's principals list.
 Note that certificates that lack a list of principals will not be permitted
 for authentication using
 .Cm TrustedUserCAKeys .
-For more details on certificates, see the
+For more details on certificates, see the CERTIFICATES section in
-.Sx CERTIFICATES
-section in
 .Xr ssh-keygen 1 .
 .It Cm UseDNS
 Specifies whether

diff --git a/sshd_config.5 b/sshd_config.5 index 935bb62fa..525d9c858 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $
37	.Dd $Mdocdate: February 6 2013 $	37	.Dd $Mdocdate: July 19 2013 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -117,9 +117,7 @@ The allow/deny directives are processed in the following order:
117	and finally	117	and finally
118	.Cm AllowGroups .	118	.Cm AllowGroups .
119	.Pp	119	.Pp
120	See	120	See PATTERNS in
121	.Sx PATTERNS
122	in
123	.Xr ssh_config 5	121	.Xr ssh_config 5
124	for more information on patterns.	122	for more information on patterns.
125	.It Cm AllowTcpForwarding	123	.It Cm AllowTcpForwarding
@@ -159,9 +157,7 @@ The allow/deny directives are processed in the following order:
159	and finally	157	and finally
160	.Cm AllowGroups .	158	.Cm AllowGroups .
161	.Pp	159	.Pp
162	See	160	See PATTERNS in
163	.Sx PATTERNS
164	in
165	.Xr ssh_config 5	161	.Xr ssh_config 5
166	for more information on patterns.	162	for more information on patterns.
167	.It Cm AuthenticationMethods	163	.It Cm AuthenticationMethods
@@ -180,6 +176,20 @@ Only methods that are next in one or more lists are offered at each stage,
180	so for this example, it would not be possible to attempt password or	176	so for this example, it would not be possible to attempt password or
181	keyboard-interactive authentication before public key.	177	keyboard-interactive authentication before public key.
182	.Pp	178	.Pp
		179	For keyboard interactive authentication it is also possible to
		180	restrict authentication to a specific device by appending a
		181	colon followed by the device identifier
		182	.Dq bsdauth ,
		183	.Dq pam ,
		184	or
		185	.Dq skey ,
		186	depending on the server configuration.
		187	For example,
		188	.Dq keyboard-interactive:bsdauth
		189	would restrict keyboard interactive authentication to the
		190	.Dq bsdauth
		191	device.
		192	.Pp
183	This option is only available for SSH protocol 2 and will yield a fatal	193	This option is only available for SSH protocol 2 and will yield a fatal
184	error if enabled if protocol 1 is also enabled.	194	error if enabled if protocol 1 is also enabled.
185	Note that each authentication method listed should also be explicitly enabled	195	Note that each authentication method listed should also be explicitly enabled
@@ -188,11 +198,10 @@ The default is not to require multiple authentication; successful completion
188	of a single authentication method is sufficient.	198	of a single authentication method is sufficient.
189	.It Cm AuthorizedKeysCommand	199	.It Cm AuthorizedKeysCommand
190	Specifies a program to be used to look up the user's public keys.	200	Specifies a program to be used to look up the user's public keys.
191	The program will be invoked with a single argument of the username	201	The program must be owned by root and not writable by group or others.
		202	It will be invoked with a single argument of the username
192	being authenticated, and should produce on standard output zero or	203	being authenticated, and should produce on standard output zero or
193	more lines of authorized_keys output (see	204	more lines of authorized_keys output (see AUTHORIZED_KEYS in
194	.Sx AUTHORIZED_KEYS
195	in
196	.Xr sshd 8 ) .	205	.Xr sshd 8 ) .
197	If a key supplied by AuthorizedKeysCommand does not successfully authenticate	206	If a key supplied by AuthorizedKeysCommand does not successfully authenticate
198	and authorize the user then public key authentication continues using the usual	207	and authorize the user then public key authentication continues using the usual
@@ -207,7 +216,7 @@ than running authorized keys commands.
207	Specifies the file that contains the public keys that can be used	216	Specifies the file that contains the public keys that can be used
208	for user authentication.	217	for user authentication.
209	The format is described in the	218	The format is described in the
210	.Sx AUTHORIZED_KEYS FILE FORMAT	219	AUTHORIZED_KEYS FILE FORMAT
211	section of	220	section of
212	.Xr sshd 8 .	221	.Xr sshd 8 .
213	.Cm AuthorizedKeysFile	222	.Cm AuthorizedKeysFile
@@ -231,9 +240,7 @@ When using certificates signed by a key listed in
231	this file lists names, one of which must appear in the certificate for it	240	this file lists names, one of which must appear in the certificate for it
232	to be accepted for authentication.	241	to be accepted for authentication.
233	Names are listed one per line preceded by key options (as described	242	Names are listed one per line preceded by key options (as described
234	in	243	in AUTHORIZED_KEYS FILE FORMAT in
235	.Sx AUTHORIZED_KEYS FILE FORMAT
236	in
237	.Xr sshd 8 ) .	244	.Xr sshd 8 ) .
238	Empty lines and comments starting with	245	Empty lines and comments starting with
239	.Ql #	246	.Ql #
@@ -411,9 +418,7 @@ The allow/deny directives are processed in the following order:
411	and finally	418	and finally
412	.Cm AllowGroups .	419	.Cm AllowGroups .
413	.Pp	420	.Pp
414	See	421	See PATTERNS in
415	.Sx PATTERNS
416	in
417	.Xr ssh_config 5	422	.Xr ssh_config 5
418	for more information on patterns.	423	for more information on patterns.
419	.It Cm DenyUsers	424	.It Cm DenyUsers
@@ -432,9 +437,7 @@ The allow/deny directives are processed in the following order:
432	and finally	437	and finally
433	.Cm AllowGroups .	438	.Cm AllowGroups .
434	.Pp	439	.Pp
435	See	440	See PATTERNS in
436	.Sx PATTERNS
437	in
438	.Xr ssh_config 5	441	.Xr ssh_config 5
439	for more information on patterns.	442	for more information on patterns.
440	.It Cm ForceCommand	443	.It Cm ForceCommand
@@ -571,6 +574,18 @@ keys are used for version 1 and
571	or	574	or
572	.Dq rsa	575	.Dq rsa
573	are used for version 2 of the SSH protocol.	576	are used for version 2 of the SSH protocol.
		577	It is also possible to specify public host key files instead.
		578	In this case operations on the private key will be delegated
		579	to an
		580	.Xr ssh-agent 1 .
		581	.It Cm HostKeyAgent
		582	Identifies the UNIX-domain socket used to communicate
		583	with an agent that has access to the private host keys.
		584	If
		585	.Dq SSH_AUTH_SOCK
		586	is specified, the location of the socket will be read from the
		587	.Ev SSH_AUTH_SOCK
		588	environment variable.
574	.It Cm IgnoreRhosts	589	.It Cm IgnoreRhosts
575	Specifies that	590	Specifies that
576	.Pa .rhosts	591	.Pa .rhosts
@@ -774,8 +789,7 @@ and
774	.Cm Address .	789	.Cm Address .
775	The match patterns may consist of single entries or comma-separated	790	The match patterns may consist of single entries or comma-separated
776	lists and may use the wildcard and negation operators described in the	791	lists and may use the wildcard and negation operators described in the
777	.Sx PATTERNS	792	PATTERNS section of
778	section of
779	.Xr ssh_config 5 .	793	.Xr ssh_config 5 .
780	.Pp	794	.Pp
781	The patterns in an	795	The patterns in an
@@ -827,6 +841,7 @@ Available keywords are
827	.Cm PermitRootLogin ,	841	.Cm PermitRootLogin ,
828	.Cm PermitTunnel ,	842	.Cm PermitTunnel ,
829	.Cm PubkeyAuthentication ,	843	.Cm PubkeyAuthentication ,
		844	.Cm RekeyLimit ,
830	.Cm RhostsRSAAuthentication ,	845	.Cm RhostsRSAAuthentication ,
831	.Cm RSAAuthentication ,	846	.Cm RSAAuthentication ,
832	.Cm X11DisplayOffset ,	847	.Cm X11DisplayOffset ,
@@ -1021,6 +1036,32 @@ Specifies whether public key authentication is allowed.
1021	The default is	1036	The default is
1022	.Dq yes .	1037	.Dq yes .
1023	Note that this option applies to protocol version 2 only.	1038	Note that this option applies to protocol version 2 only.
		1039	.It Cm RekeyLimit
		1040	Specifies the maximum amount of data that may be transmitted before the
		1041	session key is renegotiated, optionally followed a maximum amount of
		1042	time that may pass before the session key is renegotiated.
		1043	The first argument is specified in bytes and may have a suffix of
		1044	.Sq K ,
		1045	.Sq M ,
		1046	or
		1047	.Sq G
		1048	to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
		1049	The default is between
		1050	.Sq 1G
		1051	and
		1052	.Sq 4G ,
		1053	depending on the cipher.
		1054	The optional second value is specified in seconds and may use any of the
		1055	units documented in the
		1056	.Sx TIME FORMATS
		1057	section.
		1058	The default value for
		1059	.Cm RekeyLimit
		1060	is
		1061	.Dq default none ,
		1062	which means that rekeying is performed after the cipher's default amount
		1063	of data has been sent or received and no time based rekeying is done.
		1064	This option applies to protocol version 2 only.
1024	.It Cm RevokedKeys	1065	.It Cm RevokedKeys
1025	Specifies revoked public keys.	1066	Specifies revoked public keys.
1026	Keys listed in this file will be refused for public key authentication.	1067	Keys listed in this file will be refused for public key authentication.
@@ -1029,9 +1070,7 @@ be refused for all users.
1029	Keys may be specified as a text file, listing one public key per line, or as	1070	Keys may be specified as a text file, listing one public key per line, or as
1030	an OpenSSH Key Revocation List (KRL) as generated by	1071	an OpenSSH Key Revocation List (KRL) as generated by
1031	.Xr ssh-keygen 1 .	1072	.Xr ssh-keygen 1 .
1032	For more information on KRLs, see the	1073	For more information on KRLs, see the KEY REVOCATION LISTS section in
1033	.Sx KEY REVOCATION LISTS
1034	section in
1035	.Xr ssh-keygen 1 .	1074	.Xr ssh-keygen 1 .
1036	.It Cm RhostsRSAAuthentication	1075	.It Cm RhostsRSAAuthentication
1037	Specifies whether rhosts or /etc/hosts.equiv authentication together	1076	Specifies whether rhosts or /etc/hosts.equiv authentication together
@@ -1120,9 +1159,7 @@ listed in the certificate's principals list.
1120	Note that certificates that lack a list of principals will not be permitted	1159	Note that certificates that lack a list of principals will not be permitted
1121	for authentication using	1160	for authentication using
1122	.Cm TrustedUserCAKeys .	1161	.Cm TrustedUserCAKeys .
1123	For more details on certificates, see the	1162	For more details on certificates, see the CERTIFICATES section in
1124	.Sx CERTIFICATES
1125	section in
1126	.Xr ssh-keygen 1 .	1163	.Xr ssh-keygen 1 .
1127	.It Cm UseDNS	1164	.It Cm UseDNS
1128	Specifies whether	1165	Specifies whether