1 files changed, 45 insertions, 1 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index a3357d445..15bd8d988 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Protocol No 2
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
@@ -562,7 +589,7 @@ The default is 120 seconds.
 Gives the verbosity level that is used when logging messages from
 .Xr sshd 8 .
 The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of debugging output.
@@ -680,6 +707,20 @@ are refused if the number of unauthenticated connections reaches
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
+.It Cm PermitBlacklistedKeys
+Specifies whether
+.Xr sshd 8
+should allow keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 ) .
+If
+.Dq yes ,
+then attempts to authenticate with compromised keys will be logged but
+accepted.
+If
+.Dq no ,
+then attempts to authenticate with compromised keys will be rejected.
+The default is
+.Dq no .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
@@ -900,6 +941,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
 .It Cm UseDNS
 Specifies whether
 .Xr sshd 8

diff --git a/sshd_config.5 b/sshd_config.5 index a3357d445..15bd8d988 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes
58	.Pq \&"	58	.Pq \&"
59	in order to represent arguments containing spaces.	59	in order to represent arguments containing spaces.
60	.Pp	60	.Pp
		61	Note that the Debian
		62	.Ic openssh-server
		63	package sets several options as standard in
		64	.Pa /etc/ssh/sshd_config
		65	which are not the default in
		66	.Xr sshd 8 .
		67	The exact list depends on whether the package was installed fresh or
		68	upgraded from various possible previous versions, but includes at least the
		69	following:
		70	.Pp
		71	.Bl -bullet -offset indent -compact
		72	.It
		73	.Cm Protocol No 2
		74	.It
		75	.Cm ChallengeResponseAuthentication No no
		76	.It
		77	.Cm X11Forwarding No yes
		78	.It
		79	.Cm PrintMotd No no
		80	.It
		81	.Cm AcceptEnv No LANG LC_*
		82	.It
		83	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		84	.It
		85	.Cm UsePAM No yes
		86	.El
		87	.Pp
61	The possible	88	The possible
62	keywords and their meanings are as follows (note that	89	keywords and their meanings are as follows (note that
63	keywords are case-insensitive and arguments are case-sensitive):	90	keywords are case-insensitive and arguments are case-sensitive):
@@ -562,7 +589,7 @@ The default is 120 seconds.
562	Gives the verbosity level that is used when logging messages from	589	Gives the verbosity level that is used when logging messages from
563	.Xr sshd 8 .	590	.Xr sshd 8 .
564	The possible values are:	591	The possible values are:
565	QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.	592	SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
566	The default is INFO.	593	The default is INFO.
567	DEBUG and DEBUG1 are equivalent.	594	DEBUG and DEBUG1 are equivalent.
568	DEBUG2 and DEBUG3 each specify higher levels of debugging output.	595	DEBUG2 and DEBUG3 each specify higher levels of debugging output.
@@ -680,6 +707,20 @@ are refused if the number of unauthenticated connections reaches
680	Specifies whether password authentication is allowed.	707	Specifies whether password authentication is allowed.
681	The default is	708	The default is
682	.Dq yes .	709	.Dq yes .
		710	.It Cm PermitBlacklistedKeys
		711	Specifies whether
		712	.Xr sshd 8
		713	should allow keys recorded in its blacklist of known-compromised keys (see
		714	.Xr ssh-vulnkey 1 ) .
		715	If
		716	.Dq yes ,
		717	then attempts to authenticate with compromised keys will be logged but
		718	accepted.
		719	If
		720	.Dq no ,
		721	then attempts to authenticate with compromised keys will be rejected.
		722	The default is
		723	.Dq no .
683	.It Cm PermitEmptyPasswords	724	.It Cm PermitEmptyPasswords
684	When password authentication is allowed, it specifies whether the	725	When password authentication is allowed, it specifies whether the
685	server allows login to accounts with empty password strings.	726	server allows login to accounts with empty password strings.
@@ -900,6 +941,9 @@ This avoids infinitely hanging sessions.
900	.Pp	941	.Pp
901	To disable TCP keepalive messages, the value should be set to	942	To disable TCP keepalive messages, the value should be set to
902	.Dq no .	943	.Dq no .
		944	.Pp
		945	This option was formerly called
		946	.Cm KeepAlive .
903	.It Cm UseDNS	947	.It Cm UseDNS
904	Specifies whether	948	Specifies whether
905	.Xr sshd 8	949	.Xr sshd 8