1 files changed, 85 insertions, 53 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 6c30f7084..59c9ea471 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.234 2016/09/22 17:55:13 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.235 2016/09/22 19:19:01 jmc Exp $
 .Dd $Mdocdate: September 22 2016 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -240,22 +240,21 @@ of a single authentication method is sufficient.
 Specifies a program to be used to look up the user's public keys.
 The program must be owned by root, not writable by group or others and
 specified by an absolute path.
-.Pp
 Arguments to
 .Cm AuthorizedKeysCommand
-may be provided using the following tokens, which will be expanded
+accept the tokens described in the
-at runtime: %% is replaced by a literal '%', %u is replaced by the
+.Sx TOKENS
-username being authenticated, %h is replaced by the home directory
+section.
-of the user being authenticated, %t is replaced with the key type
+If no arguments are specified then the username of the target user is used.
-offered for authentication, %f is replaced with the fingerprint of
-the key, and %k is replaced with the key being offered for authentication.
-If no arguments are specified then the username of the target user
-will be supplied.
 .Pp
 The program should produce on standard output zero or
-more lines of authorized_keys output (see AUTHORIZED_KEYS in
+more lines of authorized_keys output (see
+.Sx AUTHORIZED_KEYS
+in
 .Xr sshd 8 ) .
-If a key supplied by AuthorizedKeysCommand does not successfully authenticate
+If a key supplied by
+.Cm AuthorizedKeysCommand
+does not successfully authenticate
 and authorize the user then public key authentication continues using the usual
 .Cm AuthorizedKeysFile
 files.
@@ -272,18 +271,16 @@ is not, then
 .Xr sshd 8
 will refuse to start.
 .It Cm AuthorizedKeysFile
-Specifies the file that contains the public keys that can be used
+Specifies the file that contains the public keys used for user authentication.
-for user authentication.
 The format is described in the
-AUTHORIZED_KEYS FILE FORMAT
+.Sx AUTHORIZED_KEYS FILE FORMAT
 section of
 .Xr sshd 8 .
+Arguments to
 .Cm AuthorizedKeysFile
-may contain tokens of the form %T which are substituted during connection
+accept the tokens described in the
-setup.
+.Sx TOKENS
-The following tokens are defined: %% is replaced by a literal '%',
+section.
-%h is replaced by the home directory of the user being authenticated, and
-%u is replaced by the username of that user.
 After expansion,
 .Cm AuthorizedKeysFile
 is taken to be an absolute path or one relative to the user's home
@@ -300,24 +297,12 @@ certificate principals as per
 .Cm AuthorizedPrincipalsFile .
 The program must be owned by root, not writable by group or others and
 specified by an absolute path.
-.Pp
 Arguments to
 .Cm AuthorizedPrincipalsCommand
-may be provided using the following tokens, which will be expanded
+accept the tokens described in the
-at runtime:
+.Sx TOKENS
-%% is replaced by a literal '%',
+section.
-%F with the fingerprint of the CA key,
+If no arguments are specified then the username of the target user is used.
-%f is replaced with certificate fingerprint,
-%K is replaced with the base-64 encoded CA key.
-%k is replaced with the full base-64 encoded certificate,
-%h is replaced with the home directory of the user being authenticated,
-%i is replaced with key ID in the certificate,
-%s is replaced with the serial number of the certificate,
-%T with the type of the CA key,
-%t is replaced with type of the certificate being offered, and
-%u is replaced by the username being authenticated,
-If no arguments are specified then the username of the target user
-will be supplied.
 .Pp
 The program should produce on standard output zero or
 more lines of
@@ -329,9 +314,13 @@ or
 .Cm AuthorizedPrincipalsFile
 is specified, then certificates offered by the client for authentication
 must contain a principal that is listed.
-By default, no AuthorizedPrincipalsCommand is run.
+By default, no
+.Cm AuthorizedPrincipalsCommand
+is run.
 .It Cm AuthorizedPrincipalsCommandUser
-Specifies the user under whose account the AuthorizedPrincipalsCommand is run.
+Specifies the user under whose account the
+.Cm AuthorizedPrincipalsCommand
+is run.
 It is recommended to use a dedicated user that has no other role on the host
 than running authorized principals commands.
 If
@@ -348,29 +337,28 @@ When using certificates signed by a key listed in
 .Cm TrustedUserCAKeys ,
 this file lists names, one of which must appear in the certificate for it
 to be accepted for authentication.
-Names are listed one per line preceded by key options (as described
+Names are listed one per line preceded by key options (as described in
-in AUTHORIZED_KEYS FILE FORMAT in
+.Sx AUTHORIZED_KEYS FILE FORMAT
+in
 .Xr sshd 8 ) .
 Empty lines and comments starting with
 .Ql #
 are ignored.
 .Pp
+Arguments to
 .Cm AuthorizedPrincipalsFile
-may contain tokens of the form %T which are substituted during connection
+accept the tokens described in the
-setup.
+.Sx TOKENS
-The following tokens are defined: %% is replaced by a literal '%',
+section.
-%h is replaced by the home directory of the user being authenticated, and
-%u is replaced by the username of that user.
 After expansion,
 .Cm AuthorizedPrincipalsFile
-is taken to be an absolute path or one relative to the user's home
+is taken to be an absolute path or one relative to the user's home directory.
-directory.
-.Pp
 The default is
 .Dq none ,
 i.e. not to use a principals file \(en in this case, the username
 of the user must appear in a certificate's principals list for it to be
 accepted.
+.Pp
 Note that
 .Cm AuthorizedPrincipalsFile
 is only used when authentication proceeds using a CA listed in
@@ -406,11 +394,11 @@ which are not writable by any other user or group.
 After the chroot,
 .Xr sshd 8
 changes the working directory to the user's home directory.
-.Pp
+Arguments to
-The pathname may contain the following tokens that are expanded at runtime once
+.Cm ChrootDirectory
-the connecting user has been authenticated: %% is replaced by a literal '%',
+accept the tokens described in the
-%h is replaced by the home directory of the user being authenticated, and
+.Sx TOKENS
-%u is replaced by the username of that user.
+section.
 .Pp
 The
 .Cm ChrootDirectory
@@ -1665,6 +1653,50 @@ Time format examples:
 .It 1h30m
 1 hour 30 minutes (90 minutes)
 .El
+.Sh TOKENS
+Arguments to some keywords can make use of tokens,
+which are expanded at runtime:
+.Pp
+.Bl -tag -width XXXX -offset indent -compact
+.It %%
+A literal
+.Sq % .
+.It %F
+The fingerprint of the CA key.
+.It %f
+The fingerprint of the key or certificate.
+.It %h
+The home directory of the user.
+.It %i
+The key ID in the certificate.
+.It %K
+The base64-encoded CA key.
+.It %k
+The base64-encoded key or certificate for authentication.
+.It %s
+The serial number of the certificate.
+.It \&%T
+The type of the CA key.
+.It %t
+The key or certificate type.
+.It %u
+The username.
+.El
+.Pp
+.Cm AuthorizedKeysCommand
+accepts the tokens %%, %f, %h, %t, and %u.
+.Pp
+.Cm AuthorizedKeysFile
+accepts the tokens %%, %h, and %u.
+.Pp
+.Cm AuthorizedPrincipalsCommand
+accepts the tokens %%, %F, %f, %K, %k, %h, %i, %s, %T, %t, and %u.
+.Pp
+.Cm AuthorizedPrincipalsFile
+accepts the tokens %%, %h, and %u.
+.Pp
+.Cm ChrootDirectory
+accepts the tokens %%, %h, and %u.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config

diff --git a/sshd_config.5 b/sshd_config.5 index 6c30f7084..59c9ea471 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,7 +33,7 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.234 2016/09/22 17:55:13 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.235 2016/09/22 19:19:01 jmc Exp $
37	.Dd $Mdocdate: September 22 2016 $	37	.Dd $Mdocdate: September 22 2016 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
@@ -240,22 +240,21 @@ of a single authentication method is sufficient.
240	Specifies a program to be used to look up the user's public keys.	240	Specifies a program to be used to look up the user's public keys.
241	The program must be owned by root, not writable by group or others and	241	The program must be owned by root, not writable by group or others and
242	specified by an absolute path.	242	specified by an absolute path.
243	.Pp
244	Arguments to	243	Arguments to
245	.Cm AuthorizedKeysCommand	244	.Cm AuthorizedKeysCommand
246	may be provided using the following tokens, which will be expanded	245	accept the tokens described in the
247	at runtime: %% is replaced by a literal '%', %u is replaced by the	246	.Sx TOKENS
248	username being authenticated, %h is replaced by the home directory	247	section.
249	of the user being authenticated, %t is replaced with the key type	248	If no arguments are specified then the username of the target user is used.
250	offered for authentication, %f is replaced with the fingerprint of
251	the key, and %k is replaced with the key being offered for authentication.
252	If no arguments are specified then the username of the target user
253	will be supplied.
254	.Pp	249	.Pp
255	The program should produce on standard output zero or	250	The program should produce on standard output zero or
256	more lines of authorized_keys output (see AUTHORIZED_KEYS in	251	more lines of authorized_keys output (see
		252	.Sx AUTHORIZED_KEYS
		253	in
257	.Xr sshd 8 ) .	254	.Xr sshd 8 ) .
258	If a key supplied by AuthorizedKeysCommand does not successfully authenticate	255	If a key supplied by
		256	.Cm AuthorizedKeysCommand
		257	does not successfully authenticate
259	and authorize the user then public key authentication continues using the usual	258	and authorize the user then public key authentication continues using the usual
260	.Cm AuthorizedKeysFile	259	.Cm AuthorizedKeysFile
261	files.	260	files.
@@ -272,18 +271,16 @@ is not, then
272	.Xr sshd 8	271	.Xr sshd 8
273	will refuse to start.	272	will refuse to start.
274	.It Cm AuthorizedKeysFile	273	.It Cm AuthorizedKeysFile
275	Specifies the file that contains the public keys that can be used	274	Specifies the file that contains the public keys used for user authentication.
276	for user authentication.
277	The format is described in the	275	The format is described in the
278	AUTHORIZED_KEYS FILE FORMAT	276	.Sx AUTHORIZED_KEYS FILE FORMAT
279	section of	277	section of
280	.Xr sshd 8 .	278	.Xr sshd 8 .
		279	Arguments to
281	.Cm AuthorizedKeysFile	280	.Cm AuthorizedKeysFile
282	may contain tokens of the form %T which are substituted during connection	281	accept the tokens described in the
283	setup.	282	.Sx TOKENS
284	The following tokens are defined: %% is replaced by a literal '%',	283	section.
285	%h is replaced by the home directory of the user being authenticated, and
286	%u is replaced by the username of that user.
287	After expansion,	284	After expansion,
288	.Cm AuthorizedKeysFile	285	.Cm AuthorizedKeysFile
289	is taken to be an absolute path or one relative to the user's home	286	is taken to be an absolute path or one relative to the user's home
@@ -300,24 +297,12 @@ certificate principals as per
300	.Cm AuthorizedPrincipalsFile .	297	.Cm AuthorizedPrincipalsFile .
301	The program must be owned by root, not writable by group or others and	298	The program must be owned by root, not writable by group or others and
302	specified by an absolute path.	299	specified by an absolute path.
303	.Pp
304	Arguments to	300	Arguments to
305	.Cm AuthorizedPrincipalsCommand	301	.Cm AuthorizedPrincipalsCommand
306	may be provided using the following tokens, which will be expanded	302	accept the tokens described in the
307	at runtime:	303	.Sx TOKENS
308	%% is replaced by a literal '%',	304	section.
309	%F with the fingerprint of the CA key,	305	If no arguments are specified then the username of the target user is used.
310	%f is replaced with certificate fingerprint,
311	%K is replaced with the base-64 encoded CA key.
312	%k is replaced with the full base-64 encoded certificate,
313	%h is replaced with the home directory of the user being authenticated,
314	%i is replaced with key ID in the certificate,
315	%s is replaced with the serial number of the certificate,
316	%T with the type of the CA key,
317	%t is replaced with type of the certificate being offered, and
318	%u is replaced by the username being authenticated,
319	If no arguments are specified then the username of the target user
320	will be supplied.
321	.Pp	306	.Pp
322	The program should produce on standard output zero or	307	The program should produce on standard output zero or
323	more lines of	308	more lines of
@@ -329,9 +314,13 @@ or
329	.Cm AuthorizedPrincipalsFile	314	.Cm AuthorizedPrincipalsFile
330	is specified, then certificates offered by the client for authentication	315	is specified, then certificates offered by the client for authentication
331	must contain a principal that is listed.	316	must contain a principal that is listed.
332	By default, no AuthorizedPrincipalsCommand is run.	317	By default, no
		318	.Cm AuthorizedPrincipalsCommand
		319	is run.
333	.It Cm AuthorizedPrincipalsCommandUser	320	.It Cm AuthorizedPrincipalsCommandUser
334	Specifies the user under whose account the AuthorizedPrincipalsCommand is run.	321	Specifies the user under whose account the
		322	.Cm AuthorizedPrincipalsCommand
		323	is run.
335	It is recommended to use a dedicated user that has no other role on the host	324	It is recommended to use a dedicated user that has no other role on the host
336	than running authorized principals commands.	325	than running authorized principals commands.
337	If	326	If
@@ -348,29 +337,28 @@ When using certificates signed by a key listed in
348	.Cm TrustedUserCAKeys ,	337	.Cm TrustedUserCAKeys ,
349	this file lists names, one of which must appear in the certificate for it	338	this file lists names, one of which must appear in the certificate for it
350	to be accepted for authentication.	339	to be accepted for authentication.
351	Names are listed one per line preceded by key options (as described	340	Names are listed one per line preceded by key options (as described in
352	in AUTHORIZED_KEYS FILE FORMAT in	341	.Sx AUTHORIZED_KEYS FILE FORMAT
		342	in
353	.Xr sshd 8 ) .	343	.Xr sshd 8 ) .
354	Empty lines and comments starting with	344	Empty lines and comments starting with
355	.Ql #	345	.Ql #
356	are ignored.	346	are ignored.
357	.Pp	347	.Pp
		348	Arguments to
358	.Cm AuthorizedPrincipalsFile	349	.Cm AuthorizedPrincipalsFile
359	may contain tokens of the form %T which are substituted during connection	350	accept the tokens described in the
360	setup.	351	.Sx TOKENS
361	The following tokens are defined: %% is replaced by a literal '%',	352	section.
362	%h is replaced by the home directory of the user being authenticated, and
363	%u is replaced by the username of that user.
364	After expansion,	353	After expansion,
365	.Cm AuthorizedPrincipalsFile	354	.Cm AuthorizedPrincipalsFile
366	is taken to be an absolute path or one relative to the user's home	355	is taken to be an absolute path or one relative to the user's home directory.
367	directory.
368	.Pp
369	The default is	356	The default is
370	.Dq none ,	357	.Dq none ,
371	i.e. not to use a principals file \(en in this case, the username	358	i.e. not to use a principals file \(en in this case, the username
372	of the user must appear in a certificate's principals list for it to be	359	of the user must appear in a certificate's principals list for it to be
373	accepted.	360	accepted.
		361	.Pp
374	Note that	362	Note that
375	.Cm AuthorizedPrincipalsFile	363	.Cm AuthorizedPrincipalsFile
376	is only used when authentication proceeds using a CA listed in	364	is only used when authentication proceeds using a CA listed in
@@ -406,11 +394,11 @@ which are not writable by any other user or group.
406	After the chroot,	394	After the chroot,
407	.Xr sshd 8	395	.Xr sshd 8
408	changes the working directory to the user's home directory.	396	changes the working directory to the user's home directory.
409	.Pp	397	Arguments to
410	The pathname may contain the following tokens that are expanded at runtime once	398	.Cm ChrootDirectory
411	the connecting user has been authenticated: %% is replaced by a literal '%',	399	accept the tokens described in the
412	%h is replaced by the home directory of the user being authenticated, and	400	.Sx TOKENS
413	%u is replaced by the username of that user.	401	section.
414	.Pp	402	.Pp
415	The	403	The
416	.Cm ChrootDirectory	404	.Cm ChrootDirectory
@@ -1665,6 +1653,50 @@ Time format examples:
1665	.It 1h30m	1653	.It 1h30m
1666	1 hour 30 minutes (90 minutes)	1654	1 hour 30 minutes (90 minutes)
1667	.El	1655	.El
		1656	.Sh TOKENS
		1657	Arguments to some keywords can make use of tokens,
		1658	which are expanded at runtime:
		1659	.Pp
		1660	.Bl -tag -width XXXX -offset indent -compact
		1661	.It %%
		1662	A literal
		1663	.Sq % .
		1664	.It %F
		1665	The fingerprint of the CA key.
		1666	.It %f
		1667	The fingerprint of the key or certificate.
		1668	.It %h
		1669	The home directory of the user.
		1670	.It %i
		1671	The key ID in the certificate.
		1672	.It %K
		1673	The base64-encoded CA key.
		1674	.It %k
		1675	The base64-encoded key or certificate for authentication.
		1676	.It %s
		1677	The serial number of the certificate.
		1678	.It \&%T
		1679	The type of the CA key.
		1680	.It %t
		1681	The key or certificate type.
		1682	.It %u
		1683	The username.
		1684	.El
		1685	.Pp
		1686	.Cm AuthorizedKeysCommand
		1687	accepts the tokens %%, %f, %h, %t, and %u.
		1688	.Pp
		1689	.Cm AuthorizedKeysFile
		1690	accepts the tokens %%, %h, and %u.
		1691	.Pp
		1692	.Cm AuthorizedPrincipalsCommand
		1693	accepts the tokens %%, %F, %f, %K, %k, %h, %i, %s, %T, %t, and %u.
		1694	.Pp
		1695	.Cm AuthorizedPrincipalsFile
		1696	accepts the tokens %%, %h, and %u.
		1697	.Pp
		1698	.Cm ChrootDirectory
		1699	accepts the tokens %%, %h, and %u.
1668	.Sh FILES	1700	.Sh FILES
1669	.Bl -tag -width Ds	1701	.Bl -tag -width Ds
1670	.It Pa /etc/ssh/sshd_config	1702	.It Pa /etc/ssh/sshd_config