1 files changed, 24 insertions, 26 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 32b29d240..ac6ccc793 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: March 14 2017 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -437,6 +437,10 @@ If the specified value begins with a
 .Sq +
 character, then the specified ciphers will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified ciphers (including wildcards) will be removed
+from the default set instead of replacing them.
 .Pp
 The supported ciphers are:
 .Pp
@@ -649,6 +653,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -843,6 +851,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the specified methods will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified methods (including wildcards) will be removed
+from the default set instead of replacing them.
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
@@ -933,6 +945,10 @@ If the specified value begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified algorithms (including wildcards) will be removed
+from the default set instead of replacing them.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1280,6 +1296,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1474,28 +1494,6 @@ is enabled, you will not be able to run
 as a non-root user.
 The default is
 .Cm no .
-.It Cm UsePrivilegeSeparation
-Specifies whether
-.Xr sshd 8
-separates privileges by creating an unprivileged child process
-to deal with incoming network traffic.
-After successful authentication, another process will be created that has
-the privilege of the authenticated user.
-The goal of privilege separation is to prevent privilege
-escalation by containing any corruption within the unprivileged processes.
-The argument must be
-.Cm yes ,
-.Cm no ,
-or
-.Cm sandbox .
-If
-.Cm UsePrivilegeSeparation
-is set to
-.Cm sandbox
-then the pre-authentication unprivileged process is subject to additional
-restrictions.
-The default is
-.Cm sandbox .
 .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
@@ -1644,13 +1642,13 @@ The username.
 .El
 .Pp
 .Cm AuthorizedKeysCommand
-accepts the tokens %%, %f, %h, %t, and %u.
+accepts the tokens %%, %f, %h, %k, %t, and %u.
 .Pp
 .Cm AuthorizedKeysFile
 accepts the tokens %%, %h, and %u.
 .Pp
 .Cm AuthorizedPrincipalsCommand
-accepts the tokens %%, %F, %f, %K, %k, %h, %i, %s, %T, %t, and %u.
+accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, and %u.
 .Pp
 .Cm AuthorizedPrincipalsFile
 accepts the tokens %%, %h, and %u.

diff --git a/sshd_config.5 b/sshd_config.5 index 32b29d240..ac6ccc793 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.239 2016/11/30 03:00:05 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $
37	.Dd $Mdocdate: November 30 2016 $	37	.Dd $Mdocdate: March 14 2017 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -437,6 +437,10 @@ If the specified value begins with a
437	.Sq +	437	.Sq +
438	character, then the specified ciphers will be appended to the default set	438	character, then the specified ciphers will be appended to the default set
439	instead of replacing them.	439	instead of replacing them.
		440	If the specified value begins with a
		441	.Sq -
		442	character, then the specified ciphers (including wildcards) will be removed
		443	from the default set instead of replacing them.
440	.Pp	444	.Pp
441	The supported ciphers are:	445	The supported ciphers are:
442	.Pp	446	.Pp
@@ -649,6 +653,10 @@ Alternately if the specified value begins with a
649	.Sq +	653	.Sq +
650	character, then the specified key types will be appended to the default set	654	character, then the specified key types will be appended to the default set
651	instead of replacing them.	655	instead of replacing them.
		656	If the specified value begins with a
		657	.Sq -
		658	character, then the specified key types (including wildcards) will be removed
		659	from the default set instead of replacing them.
652	The default for this option is:	660	The default for this option is:
653	.Bd -literal -offset 3n	661	.Bd -literal -offset 3n
654	ecdsa-sha2-nistp256-cert-v01@openssh.com,	662	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -843,6 +851,10 @@ Alternately if the specified value begins with a
843	.Sq +	851	.Sq +
844	character, then the specified methods will be appended to the default set	852	character, then the specified methods will be appended to the default set
845	instead of replacing them.	853	instead of replacing them.
		854	If the specified value begins with a
		855	.Sq -
		856	character, then the specified methods (including wildcards) will be removed
		857	from the default set instead of replacing them.
846	The supported algorithms are:	858	The supported algorithms are:
847	.Pp	859	.Pp
848	.Bl -item -compact -offset indent	860	.Bl -item -compact -offset indent
@@ -933,6 +945,10 @@ If the specified value begins with a
933	.Sq +	945	.Sq +
934	character, then the specified algorithms will be appended to the default set	946	character, then the specified algorithms will be appended to the default set
935	instead of replacing them.	947	instead of replacing them.
		948	If the specified value begins with a
		949	.Sq -
		950	character, then the specified algorithms (including wildcards) will be removed
		951	from the default set instead of replacing them.
936	.Pp	952	.Pp
937	The algorithms that contain	953	The algorithms that contain
938	.Qq -etm	954	.Qq -etm
@@ -1280,6 +1296,10 @@ Alternately if the specified value begins with a
1280	.Sq +	1296	.Sq +
1281	character, then the specified key types will be appended to the default set	1297	character, then the specified key types will be appended to the default set
1282	instead of replacing them.	1298	instead of replacing them.
		1299	If the specified value begins with a
		1300	.Sq -
		1301	character, then the specified key types (including wildcards) will be removed
		1302	from the default set instead of replacing them.
1283	The default for this option is:	1303	The default for this option is:
1284	.Bd -literal -offset 3n	1304	.Bd -literal -offset 3n
1285	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1305	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1474,28 +1494,6 @@ is enabled, you will not be able to run
1474	as a non-root user.	1494	as a non-root user.
1475	The default is	1495	The default is
1476	.Cm no .	1496	.Cm no .
1477	.It Cm UsePrivilegeSeparation
1478	Specifies whether
1479	.Xr sshd 8
1480	separates privileges by creating an unprivileged child process
1481	to deal with incoming network traffic.
1482	After successful authentication, another process will be created that has
1483	the privilege of the authenticated user.
1484	The goal of privilege separation is to prevent privilege
1485	escalation by containing any corruption within the unprivileged processes.
1486	The argument must be
1487	.Cm yes ,
1488	.Cm no ,
1489	or
1490	.Cm sandbox .
1491	If
1492	.Cm UsePrivilegeSeparation
1493	is set to
1494	.Cm sandbox
1495	then the pre-authentication unprivileged process is subject to additional
1496	restrictions.
1497	The default is
1498	.Cm sandbox .
1499	.It Cm VersionAddendum	1497	.It Cm VersionAddendum
1500	Optionally specifies additional text to append to the SSH protocol banner	1498	Optionally specifies additional text to append to the SSH protocol banner
1501	sent by the server upon connection.	1499	sent by the server upon connection.
@@ -1644,13 +1642,13 @@ The username.
1644	.El	1642	.El
1645	.Pp	1643	.Pp
1646	.Cm AuthorizedKeysCommand	1644	.Cm AuthorizedKeysCommand
1647	accepts the tokens %%, %f, %h, %t, and %u.	1645	accepts the tokens %%, %f, %h, %k, %t, and %u.
1648	.Pp	1646	.Pp
1649	.Cm AuthorizedKeysFile	1647	.Cm AuthorizedKeysFile
1650	accepts the tokens %%, %h, and %u.	1648	accepts the tokens %%, %h, and %u.
1651	.Pp	1649	.Pp
1652	.Cm AuthorizedPrincipalsCommand	1650	.Cm AuthorizedPrincipalsCommand
1653	accepts the tokens %%, %F, %f, %K, %k, %h, %i, %s, %T, %t, and %u.	1651	accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, and %u.
1654	.Pp	1652	.Pp
1655	.Cm AuthorizedPrincipalsFile	1653	.Cm AuthorizedPrincipalsFile
1656	accepts the tokens %%, %h, and %u.	1654	accepts the tokens %%, %h, and %u.