1 files changed, 51 insertions, 3 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 6e3c69d05..39ef781ff 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Protocol No 2
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
@@ -177,8 +204,7 @@ This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
-PAM or though authentication styles supported in
+PAM).
-.Xr login.conf 5 )
 The default is
 .Dq yes .
 .It Cm ChrootDirectory
@@ -295,6 +321,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
@@ -575,7 +606,7 @@ The default is 120 seconds.
 Gives the verbosity level that is used when logging messages from
 .Xr sshd 8 .
 The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of debugging output.
@@ -694,6 +725,20 @@ are refused if the number of unauthenticated connections reaches
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
+.It Cm PermitBlacklistedKeys
+Specifies whether
+.Xr sshd 8
+should allow keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 ) .
+If
+.Dq yes ,
+then attempts to authenticate with compromised keys will be logged but
+accepted.
+If
+.Dq no ,
+then attempts to authenticate with compromised keys will be rejected.
+The default is
+.Dq no .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
@@ -922,6 +967,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
 .It Cm TrustedUserCAKeys
 Specifies a file containing public keys of certificate authorities that are
 trusted to sign user certificates for authentication.

diff --git a/sshd_config.5 b/sshd_config.5 index 6e3c69d05..39ef781ff 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes
58	.Pq \&"	58	.Pq \&"
59	in order to represent arguments containing spaces.	59	in order to represent arguments containing spaces.
60	.Pp	60	.Pp
		61	Note that the Debian
		62	.Ic openssh-server
		63	package sets several options as standard in
		64	.Pa /etc/ssh/sshd_config
		65	which are not the default in
		66	.Xr sshd 8 .
		67	The exact list depends on whether the package was installed fresh or
		68	upgraded from various possible previous versions, but includes at least the
		69	following:
		70	.Pp
		71	.Bl -bullet -offset indent -compact
		72	.It
		73	.Cm Protocol No 2
		74	.It
		75	.Cm ChallengeResponseAuthentication No no
		76	.It
		77	.Cm X11Forwarding No yes
		78	.It
		79	.Cm PrintMotd No no
		80	.It
		81	.Cm AcceptEnv No LANG LC_*
		82	.It
		83	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		84	.It
		85	.Cm UsePAM No yes
		86	.El
		87	.Pp
61	The possible	88	The possible
62	keywords and their meanings are as follows (note that	89	keywords and their meanings are as follows (note that
63	keywords are case-insensitive and arguments are case-sensitive):	90	keywords are case-insensitive and arguments are case-sensitive):
@@ -177,8 +204,7 @@ This option is only available for protocol version 2.
177	By default, no banner is displayed.	204	By default, no banner is displayed.
178	.It Cm ChallengeResponseAuthentication	205	.It Cm ChallengeResponseAuthentication
179	Specifies whether challenge-response authentication is allowed (e.g. via	206	Specifies whether challenge-response authentication is allowed (e.g. via
180	PAM or though authentication styles supported in	207	PAM).
181	.Xr login.conf 5 )
182	The default is	208	The default is
183	.Dq yes .	209	.Dq yes .
184	.It Cm ChrootDirectory	210	.It Cm ChrootDirectory
@@ -295,6 +321,11 @@ or
295	.Dq no .	321	.Dq no .
296	The default is	322	The default is
297	.Dq delayed .	323	.Dq delayed .
		324	.It Cm DebianBanner
		325	Specifies whether the distribution-specified extra version suffix is
		326	included during initial protocol handshake.
		327	The default is
		328	.Dq yes .
298	.It Cm DenyGroups	329	.It Cm DenyGroups
299	This keyword can be followed by a list of group name patterns, separated	330	This keyword can be followed by a list of group name patterns, separated
300	by spaces.	331	by spaces.
@@ -575,7 +606,7 @@ The default is 120 seconds.
575	Gives the verbosity level that is used when logging messages from	606	Gives the verbosity level that is used when logging messages from
576	.Xr sshd 8 .	607	.Xr sshd 8 .
577	The possible values are:	608	The possible values are:
578	QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.	609	SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
579	The default is INFO.	610	The default is INFO.
580	DEBUG and DEBUG1 are equivalent.	611	DEBUG and DEBUG1 are equivalent.
581	DEBUG2 and DEBUG3 each specify higher levels of debugging output.	612	DEBUG2 and DEBUG3 each specify higher levels of debugging output.
@@ -694,6 +725,20 @@ are refused if the number of unauthenticated connections reaches
694	Specifies whether password authentication is allowed.	725	Specifies whether password authentication is allowed.
695	The default is	726	The default is
696	.Dq yes .	727	.Dq yes .
		728	.It Cm PermitBlacklistedKeys
		729	Specifies whether
		730	.Xr sshd 8
		731	should allow keys recorded in its blacklist of known-compromised keys (see
		732	.Xr ssh-vulnkey 1 ) .
		733	If
		734	.Dq yes ,
		735	then attempts to authenticate with compromised keys will be logged but
		736	accepted.
		737	If
		738	.Dq no ,
		739	then attempts to authenticate with compromised keys will be rejected.
		740	The default is
		741	.Dq no .
697	.It Cm PermitEmptyPasswords	742	.It Cm PermitEmptyPasswords
698	When password authentication is allowed, it specifies whether the	743	When password authentication is allowed, it specifies whether the
699	server allows login to accounts with empty password strings.	744	server allows login to accounts with empty password strings.
@@ -922,6 +967,9 @@ This avoids infinitely hanging sessions.
922	.Pp	967	.Pp
923	To disable TCP keepalive messages, the value should be set to	968	To disable TCP keepalive messages, the value should be set to
924	.Dq no .	969	.Dq no .
		970	.Pp
		971	This option was formerly called
		972	.Cm KeepAlive .
925	.It Cm TrustedUserCAKeys	973	.It Cm TrustedUserCAKeys
926	Specifies a file containing public keys of certificate authorities that are	974	Specifies a file containing public keys of certificate authorities that are
927	trusted to sign user certificates for authentication.	975	trusted to sign user certificates for authentication.