1 files changed, 68 insertions, 1 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 7255b1c22..d5f19ea3d 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Protocol No 2
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
@@ -374,12 +401,35 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange 
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPICleanupCredentials
 Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor 
+a client authenticates against. If
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname. If 
+.Dq no
+then the client may authenticate against any service key stored in the 
+machine's default store. This facility is provided to assist with operation 
+on multi homed machines. 
+The default is
+.Dq yes .
+Note that this option applies only to protocol version 2 GSSAPI connections,
+and setting it to 
+.Dq no
+may only work with recent Kerberos GSSAPI libraries.
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
@@ -534,7 +584,7 @@ The default is 120 seconds.
 Gives the verbosity level that is used when logging messages from
 .Xr sshd 8 .
 The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of debugging output.
@@ -650,6 +700,20 @@ are refused if the number of unauthenticated connections reaches
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
+.It Cm PermitBlacklistedKeys
+Specifies whether
+.Xr sshd 8
+should allow keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 ) .
+If
+.Dq yes ,
+then attempts to authenticate with compromised keys will be logged but
+accepted.
+If
+.Dq no ,
+then attempts to authenticate with compromised keys will be rejected.
+The default is
+.Dq no .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
@@ -870,6 +934,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
 .It Cm UseDNS
 Specifies whether
 .Xr sshd 8

diff --git a/sshd_config.5 b/sshd_config.5 index 7255b1c22..d5f19ea3d 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes
58	.Pq \&"	58	.Pq \&"
59	in order to represent arguments containing spaces.	59	in order to represent arguments containing spaces.
60	.Pp	60	.Pp
		61	Note that the Debian
		62	.Ic openssh-server
		63	package sets several options as standard in
		64	.Pa /etc/ssh/sshd_config
		65	which are not the default in
		66	.Xr sshd 8 .
		67	The exact list depends on whether the package was installed fresh or
		68	upgraded from various possible previous versions, but includes at least the
		69	following:
		70	.Pp
		71	.Bl -bullet -offset indent -compact
		72	.It
		73	.Cm Protocol No 2
		74	.It
		75	.Cm ChallengeResponseAuthentication No no
		76	.It
		77	.Cm X11Forwarding No yes
		78	.It
		79	.Cm PrintMotd No no
		80	.It
		81	.Cm AcceptEnv No LANG LC_*
		82	.It
		83	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		84	.It
		85	.Cm UsePAM No yes
		86	.El
		87	.Pp
61	The possible	88	The possible
62	keywords and their meanings are as follows (note that	89	keywords and their meanings are as follows (note that
63	keywords are case-insensitive and arguments are case-sensitive):	90	keywords are case-insensitive and arguments are case-sensitive):
@@ -374,12 +401,35 @@ Specifies whether user authentication based on GSSAPI is allowed.
374	The default is	401	The default is
375	.Dq no .	402	.Dq no .
376	Note that this option applies to protocol version 2 only.	403	Note that this option applies to protocol version 2 only.
		404	.It Cm GSSAPIKeyExchange
		405	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
		406	doesn't rely on ssh keys to verify host identity.
		407	The default is
		408	.Dq no .
		409	Note that this option applies to protocol version 2 only.
377	.It Cm GSSAPICleanupCredentials	410	.It Cm GSSAPICleanupCredentials
378	Specifies whether to automatically destroy the user's credentials cache	411	Specifies whether to automatically destroy the user's credentials cache
379	on logout.	412	on logout.
380	The default is	413	The default is
381	.Dq yes .	414	.Dq yes .
382	Note that this option applies to protocol version 2 only.	415	Note that this option applies to protocol version 2 only.
		416	.It Cm GSSAPIStrictAcceptorCheck
		417	Determines whether to be strict about the identity of the GSSAPI acceptor
		418	a client authenticates against. If
		419	.Dq yes
		420	then the client must authenticate against the
		421	.Pa host
		422	service on the current hostname. If
		423	.Dq no
		424	then the client may authenticate against any service key stored in the
		425	machine's default store. This facility is provided to assist with operation
		426	on multi homed machines.
		427	The default is
		428	.Dq yes .
		429	Note that this option applies only to protocol version 2 GSSAPI connections,
		430	and setting it to
		431	.Dq no
		432	may only work with recent Kerberos GSSAPI libraries.
383	.It Cm HostbasedAuthentication	433	.It Cm HostbasedAuthentication
384	Specifies whether rhosts or /etc/hosts.equiv authentication together	434	Specifies whether rhosts or /etc/hosts.equiv authentication together
385	with successful public key client host authentication is allowed	435	with successful public key client host authentication is allowed
@@ -534,7 +584,7 @@ The default is 120 seconds.
534	Gives the verbosity level that is used when logging messages from	584	Gives the verbosity level that is used when logging messages from
535	.Xr sshd 8 .	585	.Xr sshd 8 .
536	The possible values are:	586	The possible values are:
537	QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.	587	SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
538	The default is INFO.	588	The default is INFO.
539	DEBUG and DEBUG1 are equivalent.	589	DEBUG and DEBUG1 are equivalent.
540	DEBUG2 and DEBUG3 each specify higher levels of debugging output.	590	DEBUG2 and DEBUG3 each specify higher levels of debugging output.
@@ -650,6 +700,20 @@ are refused if the number of unauthenticated connections reaches
650	Specifies whether password authentication is allowed.	700	Specifies whether password authentication is allowed.
651	The default is	701	The default is
652	.Dq yes .	702	.Dq yes .
		703	.It Cm PermitBlacklistedKeys
		704	Specifies whether
		705	.Xr sshd 8
		706	should allow keys recorded in its blacklist of known-compromised keys (see
		707	.Xr ssh-vulnkey 1 ) .
		708	If
		709	.Dq yes ,
		710	then attempts to authenticate with compromised keys will be logged but
		711	accepted.
		712	If
		713	.Dq no ,
		714	then attempts to authenticate with compromised keys will be rejected.
		715	The default is
		716	.Dq no .
653	.It Cm PermitEmptyPasswords	717	.It Cm PermitEmptyPasswords
654	When password authentication is allowed, it specifies whether the	718	When password authentication is allowed, it specifies whether the
655	server allows login to accounts with empty password strings.	719	server allows login to accounts with empty password strings.
@@ -870,6 +934,9 @@ This avoids infinitely hanging sessions.
870	.Pp	934	.Pp
871	To disable TCP keepalive messages, the value should be set to	935	To disable TCP keepalive messages, the value should be set to
872	.Dq no .	936	.Dq no .
		937	.Pp
		938	This option was formerly called
		939	.Cm KeepAlive .
873	.It Cm UseDNS	940	.It Cm UseDNS
874	Specifies whether	941	Specifies whether
875	.Xr sshd 8	942	.Xr sshd 8