1 files changed, 103 insertions, 33 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index ce71efe3c..88be8d984 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $
-.Dd $Mdocdate: February 27 2014 $
+.Dd $Mdocdate: March 28 2014 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -337,30 +337,44 @@ Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
 The supported ciphers are:
 .Pp
-.Dq 3des-cbc ,
+.Bl -item -compact -offset indent
-.Dq aes128-cbc ,
+.It
-.Dq aes192-cbc ,
+3des-cbc
-.Dq aes256-cbc ,
+.It
-.Dq aes128-ctr ,
+aes128-cbc
-.Dq aes192-ctr ,
+.It
-.Dq aes256-ctr ,
+aes192-cbc
-.Dq aes128-gcm@openssh.com ,
+.It
-.Dq aes256-gcm@openssh.com ,
+aes256-cbc
-.Dq arcfour128 ,
+.It
-.Dq arcfour256 ,
+aes128-ctr
-.Dq arcfour ,
+.It
-.Dq blowfish-cbc ,
+aes192-ctr
-.Dq cast128-cbc ,
+.It
-and
+aes256-ctr
-.Dq chacha20-poly1305@openssh.com .
+.It
+aes128-gcm@openssh.com
+.It
+aes256-gcm@openssh.com
+.It
+arcfour
+.It
+arcfour128
+.It
+arcfour256
+.It
+blowfish-cbc
+.It
+cast128-cbc
+.It
+chacha20-poly1305@openssh.com
+.El
 .Pp
 The default is:
-.Bd -literal -offset 3n
+.Bd -literal -offset indent
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-chacha20-poly1305@openssh.com,
+chacha20-poly1305@openssh.com
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-aes256-cbc,arcfour
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
@@ -672,14 +686,33 @@ The default is
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-The default is
+The supported algorithms are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+curve25519-sha256@libssh.org
+.It
+diffie-hellman-group1-sha1
+.It
+diffie-hellman-group14-sha1
+.It
+diffie-hellman-group-exchange-sha1
+.It
+diffie-hellman-group-exchange-sha256
+.It
+ecdh-sha2-nistp256
+.It
+ecdh-sha2-nistp384
+.It
+ecdh-sha2-nistp521
+.El
+.Pp
+The default is:
 .Bd -literal -offset indent
 curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
+diffie-hellman-group14-sha1
-diffie-hellman-group14-sha1,
-diffie-hellman-group1-sha1
 .Ed
 .It Cm KeyRegenerationInterval
 In protocol version 1, the ephemeral server key is automatically regenerated
@@ -751,16 +784,53 @@ The algorithms that contain
 .Dq -etm
 calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
+The supported MACs are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+hmac-md5
+.It
+hmac-md5-96
+.It
+hmac-ripemd160
+.It
+hmac-sha1
+.It
+hmac-sha1-96
+.It
+hmac-sha2-256
+.It
+hmac-sha2-512
+.It
+umac-64@openssh.com
+.It
+umac-128@openssh.com
+.It
+hmac-md5-etm@openssh.com
+.It
+hmac-md5-96-etm@openssh.com
+.It
+hmac-ripemd160-etm@openssh.com
+.It
+hmac-sha1-etm@openssh.com
+.It
+hmac-sha1-96-etm@openssh.com
+.It
+hmac-sha2-256-etm@openssh.com
+.It
+hmac-sha2-512-etm@openssh.com
+.It
+umac-64-etm@openssh.com
+.It
+umac-128-etm@openssh.com
+.El
+.Pp
 The default is:
 .Bd -literal -offset indent
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+umac-64@openssh.com,umac-128@openssh.com,
-hmac-md5-96-etm@openssh.com,
+hmac-sha2-256,hmac-sha2-512
-hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
-hmac-sha1-96,hmac-md5-96
 .Ed
 .It Cm Match
 Introduces a conditional block.

diff --git a/sshd_config.5 b/sshd_config.5 index ce71efe3c..88be8d984 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $
37	.Dd $Mdocdate: February 27 2014 $	37	.Dd $Mdocdate: March 28 2014 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -337,30 +337,44 @@ Specifies the ciphers allowed for protocol version 2.
337	Multiple ciphers must be comma-separated.	337	Multiple ciphers must be comma-separated.
338	The supported ciphers are:	338	The supported ciphers are:
339	.Pp	339	.Pp
340	.Dq 3des-cbc ,	340	.Bl -item -compact -offset indent
341	.Dq aes128-cbc ,	341	.It
342	.Dq aes192-cbc ,	342	3des-cbc
343	.Dq aes256-cbc ,	343	.It
344	.Dq aes128-ctr ,	344	aes128-cbc
345	.Dq aes192-ctr ,	345	.It
346	.Dq aes256-ctr ,	346	aes192-cbc
347	.Dq aes128-gcm@openssh.com ,	347	.It
348	.Dq aes256-gcm@openssh.com ,	348	aes256-cbc
349	.Dq arcfour128 ,	349	.It
350	.Dq arcfour256 ,	350	aes128-ctr
351	.Dq arcfour ,	351	.It
352	.Dq blowfish-cbc ,	352	aes192-ctr
353	.Dq cast128-cbc ,	353	.It
354	and	354	aes256-ctr
355	.Dq chacha20-poly1305@openssh.com .	355	.It
		356	aes128-gcm@openssh.com
		357	.It
		358	aes256-gcm@openssh.com
		359	.It
		360	arcfour
		361	.It
		362	arcfour128
		363	.It
		364	arcfour256
		365	.It
		366	blowfish-cbc
		367	.It
		368	cast128-cbc
		369	.It
		370	chacha20-poly1305@openssh.com
		371	.El
356	.Pp	372	.Pp
357	The default is:	373	The default is:
358	.Bd -literal -offset 3n	374	.Bd -literal -offset indent
359	aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,	375	aes128-ctr,aes192-ctr,aes256-ctr,
360	aes128-gcm@openssh.com,aes256-gcm@openssh.com,	376	aes128-gcm@openssh.com,aes256-gcm@openssh.com,
361	chacha20-poly1305@openssh.com,	377	chacha20-poly1305@openssh.com
362	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
363	aes256-cbc,arcfour
364	.Ed	378	.Ed
365	.Pp	379	.Pp
366	The list of available ciphers may also be obtained using the	380	The list of available ciphers may also be obtained using the
@@ -672,14 +686,33 @@ The default is
672	.It Cm KexAlgorithms	686	.It Cm KexAlgorithms
673	Specifies the available KEX (Key Exchange) algorithms.	687	Specifies the available KEX (Key Exchange) algorithms.
674	Multiple algorithms must be comma-separated.	688	Multiple algorithms must be comma-separated.
675	The default is	689	The supported algorithms are:
		690	.Pp
		691	.Bl -item -compact -offset indent
		692	.It
		693	curve25519-sha256@libssh.org
		694	.It
		695	diffie-hellman-group1-sha1
		696	.It
		697	diffie-hellman-group14-sha1
		698	.It
		699	diffie-hellman-group-exchange-sha1
		700	.It
		701	diffie-hellman-group-exchange-sha256
		702	.It
		703	ecdh-sha2-nistp256
		704	.It
		705	ecdh-sha2-nistp384
		706	.It
		707	ecdh-sha2-nistp521
		708	.El
		709	.Pp
		710	The default is:
676	.Bd -literal -offset indent	711	.Bd -literal -offset indent
677	curve25519-sha256@libssh.org,	712	curve25519-sha256@libssh.org,
678	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	713	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
679	diffie-hellman-group-exchange-sha256,	714	diffie-hellman-group-exchange-sha256,
680	diffie-hellman-group-exchange-sha1,	715	diffie-hellman-group14-sha1
681	diffie-hellman-group14-sha1,
682	diffie-hellman-group1-sha1
683	.Ed	716	.Ed
684	.It Cm KeyRegenerationInterval	717	.It Cm KeyRegenerationInterval
685	In protocol version 1, the ephemeral server key is automatically regenerated	718	In protocol version 1, the ephemeral server key is automatically regenerated
@@ -751,16 +784,53 @@ The algorithms that contain
751	.Dq -etm	784	.Dq -etm
752	calculate the MAC after encryption (encrypt-then-mac).	785	calculate the MAC after encryption (encrypt-then-mac).
753	These are considered safer and their use recommended.	786	These are considered safer and their use recommended.
		787	The supported MACs are:
		788	.Pp
		789	.Bl -item -compact -offset indent
		790	.It
		791	hmac-md5
		792	.It
		793	hmac-md5-96
		794	.It
		795	hmac-ripemd160
		796	.It
		797	hmac-sha1
		798	.It
		799	hmac-sha1-96
		800	.It
		801	hmac-sha2-256
		802	.It
		803	hmac-sha2-512
		804	.It
		805	umac-64@openssh.com
		806	.It
		807	umac-128@openssh.com
		808	.It
		809	hmac-md5-etm@openssh.com
		810	.It
		811	hmac-md5-96-etm@openssh.com
		812	.It
		813	hmac-ripemd160-etm@openssh.com
		814	.It
		815	hmac-sha1-etm@openssh.com
		816	.It
		817	hmac-sha1-96-etm@openssh.com
		818	.It
		819	hmac-sha2-256-etm@openssh.com
		820	.It
		821	hmac-sha2-512-etm@openssh.com
		822	.It
		823	umac-64-etm@openssh.com
		824	.It
		825	umac-128-etm@openssh.com
		826	.El
		827	.Pp
754	The default is:	828	The default is:
755	.Bd -literal -offset indent	829	.Bd -literal -offset indent
756	hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
757	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	830	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
758	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,	831	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
759	hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,	832	umac-64@openssh.com,umac-128@openssh.com,
760	hmac-md5-96-etm@openssh.com,	833	hmac-sha2-256,hmac-sha2-512
761	hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
762	hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
763	hmac-sha1-96,hmac-md5-96
764	.Ed	834	.Ed
765	.It Cm Match	835	.It Cm Match
766	Introduces a conditional block.	836	Introduces a conditional block.