1 files changed, 159 insertions, 35 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 90fd3f4a8..7aa7b4733 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.176 2014/07/28 15:40:08 schwarze Exp $
-.Dd $Mdocdate: February 27 2014 $
+.Dd $Mdocdate: July 28 2014 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -165,6 +165,26 @@ The default is
 Note that disabling TCP forwarding does not improve security unless
 users are also denied shell access, as they can always install their
 own forwarders.
+.It Cm AllowStreamLocalForwarding
+Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
+The available options are
+.Dq yes
+or
+.Dq all
+to allow StreamLocal forwarding,
+.Dq no
+to prevent all StreamLocal forwarding,
+.Dq local
+to allow local (from the perspective of
+.Xr ssh 1 )
+forwarding only or
+.Dq remote
+to allow remote forwarding only.
+The default is
+.Dq yes .
+Note that disabling StreamLocal forwarding does not improve security unless
+users are also denied shell access, as they can always install their
+own forwarders.
 .It Cm AllowUsers
 This keyword can be followed by a list of user name patterns, separated
 by spaces.
@@ -348,9 +368,9 @@ For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the
 in-process sftp server is used,
-though sessions which use logging do require
+though sessions which use logging may require
 .Pa /dev/log
-inside the chroot directory (see
+inside the chroot directory on some operating systems (see
 .Xr sftp-server 8
 for details).
 .Pp
@@ -361,30 +381,44 @@ Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
 The supported ciphers are:
 .Pp
-.Dq 3des-cbc ,
+.Bl -item -compact -offset indent
-.Dq aes128-cbc ,
+.It
-.Dq aes192-cbc ,
+3des-cbc
-.Dq aes256-cbc ,
+.It
-.Dq aes128-ctr ,
+aes128-cbc
-.Dq aes192-ctr ,
+.It
-.Dq aes256-ctr ,
+aes192-cbc
-.Dq aes128-gcm@openssh.com ,
+.It
-.Dq aes256-gcm@openssh.com ,
+aes256-cbc
-.Dq arcfour128 ,
+.It
-.Dq arcfour256 ,
+aes128-ctr
-.Dq arcfour ,
+.It
-.Dq blowfish-cbc ,
+aes192-ctr
-.Dq cast128-cbc ,
+.It
-and
+aes256-ctr
-.Dq chacha20-poly1305@openssh.com .
+.It
+aes128-gcm@openssh.com
+.It
+aes256-gcm@openssh.com
+.It
+arcfour
+.It
+arcfour128
+.It
+arcfour256
+.It
+blowfish-cbc
+.It
+cast128-cbc
+.It
+chacha20-poly1305@openssh.com
+.El
 .Pp
 The default is:
-.Bd -literal -offset 3n
+.Bd -literal -offset indent
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-chacha20-poly1305@openssh.com,
+chacha20-poly1305@openssh.com
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-aes256-cbc,arcfour
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
@@ -729,14 +763,33 @@ The default is
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-The default is
+The supported algorithms are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+curve25519-sha256@libssh.org
+.It
+diffie-hellman-group1-sha1
+.It
+diffie-hellman-group14-sha1
+.It
+diffie-hellman-group-exchange-sha1
+.It
+diffie-hellman-group-exchange-sha256
+.It
+ecdh-sha2-nistp256
+.It
+ecdh-sha2-nistp384
+.It
+ecdh-sha2-nistp521
+.El
+.Pp
+The default is:
 .Bd -literal -offset indent
 curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
+diffie-hellman-group14-sha1
-diffie-hellman-group14-sha1,
-diffie-hellman-group1-sha1
 .Ed
 .It Cm KeyRegenerationInterval
 In protocol version 1, the ephemeral server key is automatically regenerated
@@ -808,16 +861,53 @@ The algorithms that contain
 .Dq -etm
 calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
+The supported MACs are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+hmac-md5
+.It
+hmac-md5-96
+.It
+hmac-ripemd160
+.It
+hmac-sha1
+.It
+hmac-sha1-96
+.It
+hmac-sha2-256
+.It
+hmac-sha2-512
+.It
+umac-64@openssh.com
+.It
+umac-128@openssh.com
+.It
+hmac-md5-etm@openssh.com
+.It
+hmac-md5-96-etm@openssh.com
+.It
+hmac-ripemd160-etm@openssh.com
+.It
+hmac-sha1-etm@openssh.com
+.It
+hmac-sha1-96-etm@openssh.com
+.It
+hmac-sha2-256-etm@openssh.com
+.It
+hmac-sha2-512-etm@openssh.com
+.It
+umac-64-etm@openssh.com
+.It
+umac-128-etm@openssh.com
+.El
+.Pp
 The default is:
 .Bd -literal -offset indent
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+umac-64@openssh.com,umac-128@openssh.com,
-hmac-md5-96-etm@openssh.com,
+hmac-sha2-256,hmac-sha2-512
-hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
-hmac-sha1-96,hmac-md5-96
 .Ed
 .It Cm Match
 Introduces a conditional block.
@@ -899,6 +989,7 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTTY ,
 .Cm PermitTunnel ,
+.Cm PermitUserRC ,
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RhostsRSAAuthentication ,
@@ -1047,6 +1138,12 @@ The default is
 Enabling environment processing may enable users to bypass access
 restrictions in some configurations using mechanisms such as
 .Ev LD_PRELOAD .
+.It Cm PermitUserRC
+Specifies whether any
+.Pa ~/.ssh/rc
+file is executed.
+The default is
+.Dq yes .
 .It Cm PidFile
 Specifies the file that contains the process ID of the
 SSH daemon.
@@ -1151,6 +1248,33 @@ This option applies to protocol version 1 only.
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
+.It Cm StreamLocalBindMask
+Sets the octal file creation mode mask
+.Pq umask
+used when creating a Unix-domain socket file for local or remote
+port forwarding.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The default value is 0177, which creates a Unix-domain socket file that is
+readable and writable only by the owner.
+Note that not all operating systems honor the file mode on Unix-domain
+socket files.
+.It Cm StreamLocalBindUnlink
+Specifies whether to remove an existing Unix-domain socket file for local
+or remote port forwarding before creating a new one.
+If the socket file already exists and
+.Cm StreamLocalBindUnlink
+is not enabled,
+.Nm sshd
+will be unable to forward the port to the Unix-domain socket file.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8

diff --git a/sshd_config.5 b/sshd_config.5 index 90fd3f4a8..7aa7b4733 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.176 2014/07/28 15:40:08 schwarze Exp $
37	.Dd $Mdocdate: February 27 2014 $	37	.Dd $Mdocdate: July 28 2014 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -165,6 +165,26 @@ The default is
165	Note that disabling TCP forwarding does not improve security unless	165	Note that disabling TCP forwarding does not improve security unless
166	users are also denied shell access, as they can always install their	166	users are also denied shell access, as they can always install their
167	own forwarders.	167	own forwarders.
		168	.It Cm AllowStreamLocalForwarding
		169	Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
		170	The available options are
		171	.Dq yes
		172	or
		173	.Dq all
		174	to allow StreamLocal forwarding,
		175	.Dq no
		176	to prevent all StreamLocal forwarding,
		177	.Dq local
		178	to allow local (from the perspective of
		179	.Xr ssh 1 )
		180	forwarding only or
		181	.Dq remote
		182	to allow remote forwarding only.
		183	The default is
		184	.Dq yes .
		185	Note that disabling StreamLocal forwarding does not improve security unless
		186	users are also denied shell access, as they can always install their
		187	own forwarders.
168	.It Cm AllowUsers	188	.It Cm AllowUsers
169	This keyword can be followed by a list of user name patterns, separated	189	This keyword can be followed by a list of user name patterns, separated
170	by spaces.	190	by spaces.
@@ -348,9 +368,9 @@ For file transfer sessions using
348	.Dq sftp ,	368	.Dq sftp ,
349	no additional configuration of the environment is necessary if the	369	no additional configuration of the environment is necessary if the
350	in-process sftp server is used,	370	in-process sftp server is used,
351	though sessions which use logging do require	371	though sessions which use logging may require
352	.Pa /dev/log	372	.Pa /dev/log
353	inside the chroot directory (see	373	inside the chroot directory on some operating systems (see
354	.Xr sftp-server 8	374	.Xr sftp-server 8
355	for details).	375	for details).
356	.Pp	376	.Pp
@@ -361,30 +381,44 @@ Specifies the ciphers allowed for protocol version 2.
361	Multiple ciphers must be comma-separated.	381	Multiple ciphers must be comma-separated.
362	The supported ciphers are:	382	The supported ciphers are:
363	.Pp	383	.Pp
364	.Dq 3des-cbc ,	384	.Bl -item -compact -offset indent
365	.Dq aes128-cbc ,	385	.It
366	.Dq aes192-cbc ,	386	3des-cbc
367	.Dq aes256-cbc ,	387	.It
368	.Dq aes128-ctr ,	388	aes128-cbc
369	.Dq aes192-ctr ,	389	.It
370	.Dq aes256-ctr ,	390	aes192-cbc
371	.Dq aes128-gcm@openssh.com ,	391	.It
372	.Dq aes256-gcm@openssh.com ,	392	aes256-cbc
373	.Dq arcfour128 ,	393	.It
374	.Dq arcfour256 ,	394	aes128-ctr
375	.Dq arcfour ,	395	.It
376	.Dq blowfish-cbc ,	396	aes192-ctr
377	.Dq cast128-cbc ,	397	.It
378	and	398	aes256-ctr
379	.Dq chacha20-poly1305@openssh.com .	399	.It
		400	aes128-gcm@openssh.com
		401	.It
		402	aes256-gcm@openssh.com
		403	.It
		404	arcfour
		405	.It
		406	arcfour128
		407	.It
		408	arcfour256
		409	.It
		410	blowfish-cbc
		411	.It
		412	cast128-cbc
		413	.It
		414	chacha20-poly1305@openssh.com
		415	.El
380	.Pp	416	.Pp
381	The default is:	417	The default is:
382	.Bd -literal -offset 3n	418	.Bd -literal -offset indent
383	aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,	419	aes128-ctr,aes192-ctr,aes256-ctr,
384	aes128-gcm@openssh.com,aes256-gcm@openssh.com,	420	aes128-gcm@openssh.com,aes256-gcm@openssh.com,
385	chacha20-poly1305@openssh.com,	421	chacha20-poly1305@openssh.com
386	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
387	aes256-cbc,arcfour
388	.Ed	422	.Ed
389	.Pp	423	.Pp
390	The list of available ciphers may also be obtained using the	424	The list of available ciphers may also be obtained using the
@@ -729,14 +763,33 @@ The default is
729	.It Cm KexAlgorithms	763	.It Cm KexAlgorithms
730	Specifies the available KEX (Key Exchange) algorithms.	764	Specifies the available KEX (Key Exchange) algorithms.
731	Multiple algorithms must be comma-separated.	765	Multiple algorithms must be comma-separated.
732	The default is	766	The supported algorithms are:
		767	.Pp
		768	.Bl -item -compact -offset indent
		769	.It
		770	curve25519-sha256@libssh.org
		771	.It
		772	diffie-hellman-group1-sha1
		773	.It
		774	diffie-hellman-group14-sha1
		775	.It
		776	diffie-hellman-group-exchange-sha1
		777	.It
		778	diffie-hellman-group-exchange-sha256
		779	.It
		780	ecdh-sha2-nistp256
		781	.It
		782	ecdh-sha2-nistp384
		783	.It
		784	ecdh-sha2-nistp521
		785	.El
		786	.Pp
		787	The default is:
733	.Bd -literal -offset indent	788	.Bd -literal -offset indent
734	curve25519-sha256@libssh.org,	789	curve25519-sha256@libssh.org,
735	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	790	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
736	diffie-hellman-group-exchange-sha256,	791	diffie-hellman-group-exchange-sha256,
737	diffie-hellman-group-exchange-sha1,	792	diffie-hellman-group14-sha1
738	diffie-hellman-group14-sha1,
739	diffie-hellman-group1-sha1
740	.Ed	793	.Ed
741	.It Cm KeyRegenerationInterval	794	.It Cm KeyRegenerationInterval
742	In protocol version 1, the ephemeral server key is automatically regenerated	795	In protocol version 1, the ephemeral server key is automatically regenerated
@@ -808,16 +861,53 @@ The algorithms that contain
808	.Dq -etm	861	.Dq -etm
809	calculate the MAC after encryption (encrypt-then-mac).	862	calculate the MAC after encryption (encrypt-then-mac).
810	These are considered safer and their use recommended.	863	These are considered safer and their use recommended.
		864	The supported MACs are:
		865	.Pp
		866	.Bl -item -compact -offset indent
		867	.It
		868	hmac-md5
		869	.It
		870	hmac-md5-96
		871	.It
		872	hmac-ripemd160
		873	.It
		874	hmac-sha1
		875	.It
		876	hmac-sha1-96
		877	.It
		878	hmac-sha2-256
		879	.It
		880	hmac-sha2-512
		881	.It
		882	umac-64@openssh.com
		883	.It
		884	umac-128@openssh.com
		885	.It
		886	hmac-md5-etm@openssh.com
		887	.It
		888	hmac-md5-96-etm@openssh.com
		889	.It
		890	hmac-ripemd160-etm@openssh.com
		891	.It
		892	hmac-sha1-etm@openssh.com
		893	.It
		894	hmac-sha1-96-etm@openssh.com
		895	.It
		896	hmac-sha2-256-etm@openssh.com
		897	.It
		898	hmac-sha2-512-etm@openssh.com
		899	.It
		900	umac-64-etm@openssh.com
		901	.It
		902	umac-128-etm@openssh.com
		903	.El
		904	.Pp
811	The default is:	905	The default is:
812	.Bd -literal -offset indent	906	.Bd -literal -offset indent
813	hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
814	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	907	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
815	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,	908	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
816	hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,	909	umac-64@openssh.com,umac-128@openssh.com,
817	hmac-md5-96-etm@openssh.com,	910	hmac-sha2-256,hmac-sha2-512
818	hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
819	hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
820	hmac-sha1-96,hmac-md5-96
821	.Ed	911	.Ed
822	.It Cm Match	912	.It Cm Match
823	Introduces a conditional block.	913	Introduces a conditional block.
@@ -899,6 +989,7 @@ Available keywords are
899	.Cm PermitRootLogin ,	989	.Cm PermitRootLogin ,
900	.Cm PermitTTY ,	990	.Cm PermitTTY ,
901	.Cm PermitTunnel ,	991	.Cm PermitTunnel ,
		992	.Cm PermitUserRC ,
902	.Cm PubkeyAuthentication ,	993	.Cm PubkeyAuthentication ,
903	.Cm RekeyLimit ,	994	.Cm RekeyLimit ,
904	.Cm RhostsRSAAuthentication ,	995	.Cm RhostsRSAAuthentication ,
@@ -1047,6 +1138,12 @@ The default is
1047	Enabling environment processing may enable users to bypass access	1138	Enabling environment processing may enable users to bypass access
1048	restrictions in some configurations using mechanisms such as	1139	restrictions in some configurations using mechanisms such as
1049	.Ev LD_PRELOAD .	1140	.Ev LD_PRELOAD .
		1141	.It Cm PermitUserRC
		1142	Specifies whether any
		1143	.Pa ~/.ssh/rc
		1144	file is executed.
		1145	The default is
		1146	.Dq yes .
1050	.It Cm PidFile	1147	.It Cm PidFile
1051	Specifies the file that contains the process ID of the	1148	Specifies the file that contains the process ID of the
1052	SSH daemon.	1149	SSH daemon.
@@ -1151,6 +1248,33 @@ This option applies to protocol version 1 only.
1151	.It Cm ServerKeyBits	1248	.It Cm ServerKeyBits
1152	Defines the number of bits in the ephemeral protocol version 1 server key.	1249	Defines the number of bits in the ephemeral protocol version 1 server key.
1153	The minimum value is 512, and the default is 1024.	1250	The minimum value is 512, and the default is 1024.
		1251	.It Cm StreamLocalBindMask
		1252	Sets the octal file creation mode mask
		1253	.Pq umask
		1254	used when creating a Unix-domain socket file for local or remote
		1255	port forwarding.
		1256	This option is only used for port forwarding to a Unix-domain socket file.
		1257	.Pp
		1258	The default value is 0177, which creates a Unix-domain socket file that is
		1259	readable and writable only by the owner.
		1260	Note that not all operating systems honor the file mode on Unix-domain
		1261	socket files.
		1262	.It Cm StreamLocalBindUnlink
		1263	Specifies whether to remove an existing Unix-domain socket file for local
		1264	or remote port forwarding before creating a new one.
		1265	If the socket file already exists and
		1266	.Cm StreamLocalBindUnlink
		1267	is not enabled,
		1268	.Nm sshd
		1269	will be unable to forward the port to the Unix-domain socket file.
		1270	This option is only used for port forwarding to a Unix-domain socket file.
		1271	.Pp
		1272	The argument must be
		1273	.Dq yes
		1274	or
		1275	.Dq no .
		1276	The default is
		1277	.Dq no .
1154	.It Cm StrictModes	1278	.It Cm StrictModes
1155	Specifies whether	1279	Specifies whether
1156	.Xr sshd 8	1280	.Xr sshd 8