1 files changed, 50 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 449afb302..e7a5f0a08 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Protocol No 2
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
@@ -221,8 +248,7 @@ This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
-PAM or though authentication styles supported in
+PAM).
-.Xr login.conf 5 )
 The default is
 .Dq yes .
 .It Cm ChrootDirectory
@@ -339,6 +365,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
@@ -792,6 +823,20 @@ are refused if the number of unauthenticated connections reaches
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
+.It Cm PermitBlacklistedKeys
+Specifies whether
+.Xr sshd 8
+should allow keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 ) .
+If
+.Dq yes ,
+then attempts to authenticate with compromised keys will be logged but
+accepted.
+If
+.Dq no ,
+then attempts to authenticate with compromised keys will be rejected.
+The default is
+.Dq no .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
@@ -1020,6 +1065,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
 .It Cm TrustedUserCAKeys
 Specifies a file containing public keys of certificate authorities that are
 trusted to sign user certificates for authentication.

diff --git a/sshd_config.5 b/sshd_config.5 index 449afb302..e7a5f0a08 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes
57	.Pq \&"	57	.Pq \&"
58	in order to represent arguments containing spaces.	58	in order to represent arguments containing spaces.
59	.Pp	59	.Pp
		60	Note that the Debian
		61	.Ic openssh-server
		62	package sets several options as standard in
		63	.Pa /etc/ssh/sshd_config
		64	which are not the default in
		65	.Xr sshd 8 .
		66	The exact list depends on whether the package was installed fresh or
		67	upgraded from various possible previous versions, but includes at least the
		68	following:
		69	.Pp
		70	.Bl -bullet -offset indent -compact
		71	.It
		72	.Cm Protocol No 2
		73	.It
		74	.Cm ChallengeResponseAuthentication No no
		75	.It
		76	.Cm X11Forwarding No yes
		77	.It
		78	.Cm PrintMotd No no
		79	.It
		80	.Cm AcceptEnv No LANG LC_*
		81	.It
		82	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		83	.It
		84	.Cm UsePAM No yes
		85	.El
		86	.Pp
60	The possible	87	The possible
61	keywords and their meanings are as follows (note that	88	keywords and their meanings are as follows (note that
62	keywords are case-insensitive and arguments are case-sensitive):	89	keywords are case-insensitive and arguments are case-sensitive):
@@ -221,8 +248,7 @@ This option is only available for protocol version 2.
221	By default, no banner is displayed.	248	By default, no banner is displayed.
222	.It Cm ChallengeResponseAuthentication	249	.It Cm ChallengeResponseAuthentication
223	Specifies whether challenge-response authentication is allowed (e.g. via	250	Specifies whether challenge-response authentication is allowed (e.g. via
224	PAM or though authentication styles supported in	251	PAM).
225	.Xr login.conf 5 )
226	The default is	252	The default is
227	.Dq yes .	253	.Dq yes .
228	.It Cm ChrootDirectory	254	.It Cm ChrootDirectory
@@ -339,6 +365,11 @@ or
339	.Dq no .	365	.Dq no .
340	The default is	366	The default is
341	.Dq delayed .	367	.Dq delayed .
		368	.It Cm DebianBanner
		369	Specifies whether the distribution-specified extra version suffix is
		370	included during initial protocol handshake.
		371	The default is
		372	.Dq yes .
342	.It Cm DenyGroups	373	.It Cm DenyGroups
343	This keyword can be followed by a list of group name patterns, separated	374	This keyword can be followed by a list of group name patterns, separated
344	by spaces.	375	by spaces.
@@ -792,6 +823,20 @@ are refused if the number of unauthenticated connections reaches
792	Specifies whether password authentication is allowed.	823	Specifies whether password authentication is allowed.
793	The default is	824	The default is
794	.Dq yes .	825	.Dq yes .
		826	.It Cm PermitBlacklistedKeys
		827	Specifies whether
		828	.Xr sshd 8
		829	should allow keys recorded in its blacklist of known-compromised keys (see
		830	.Xr ssh-vulnkey 1 ) .
		831	If
		832	.Dq yes ,
		833	then attempts to authenticate with compromised keys will be logged but
		834	accepted.
		835	If
		836	.Dq no ,
		837	then attempts to authenticate with compromised keys will be rejected.
		838	The default is
		839	.Dq no .
795	.It Cm PermitEmptyPasswords	840	.It Cm PermitEmptyPasswords
796	When password authentication is allowed, it specifies whether the	841	When password authentication is allowed, it specifies whether the
797	server allows login to accounts with empty password strings.	842	server allows login to accounts with empty password strings.
@@ -1020,6 +1065,9 @@ This avoids infinitely hanging sessions.
1020	.Pp	1065	.Pp
1021	To disable TCP keepalive messages, the value should be set to	1066	To disable TCP keepalive messages, the value should be set to
1022	.Dq no .	1067	.Dq no .
		1068	.Pp
		1069	This option was formerly called
		1070	.Cm KeepAlive .
1023	.It Cm TrustedUserCAKeys	1071	.It Cm TrustedUserCAKeys
1024	Specifies a file containing public keys of certificate authorities that are	1072	Specifies a file containing public keys of certificate authorities that are
1025	trusted to sign user certificates for authentication.	1073	trusted to sign user certificates for authentication.