1 files changed, 39 insertions, 6 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 6c3ef6947..6e3c69d05 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $
-.Dd $Mdocdate: April 21 2009 $
+.Dd $Mdocdate: March 4 2010 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -182,16 +182,16 @@ PAM or though authentication styles supported in
 The default is
 .Dq yes .
 .It Cm ChrootDirectory
-Specifies a path to
+Specifies the pathname of a directory to
 .Xr chroot 2
 to after authentication.
-This path, and all its components, must be root-owned directories that are
+All components of the pathname must be root-owned directories that are
 not writable by any other user or group.
 After the chroot,
 .Xr sshd 8
 changes the working directory to the user's home directory.
 .Pp
-The path may contain the following tokens that are expanded at runtime once
+The pathname may contain the following tokens that are expanded at runtime once
 the connecting user has been authenticated: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated, and
 %u is replaced by the username of that user.
@@ -439,6 +439,14 @@ uses the name supplied by the client rather than
 attempting to resolve the name from the TCP connection itself.
 The default is
 .Dq no .
+.It Cm HostCertificate
+Specifies a file containing a public host certificate.
+The certificate's public key must match a private host key already specified
+by
+.Cm HostKey .
+The default behaviour of
+.Xr sshd 8
+is not to load any certificates.
 .It Cm HostKey
 Specifies a file containing a private host key
 used by SSH.
@@ -642,6 +650,7 @@ Available keywords are
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
+.Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -820,7 +829,7 @@ and
 .Sq 2 .
 Multiple versions must be comma-separated.
 The default is
-.Dq 2,1 .
+.Sq 2 .
 Note that the order of the protocol list does not indicate preference,
 because the client selects among multiple protocol versions offered
 by the server.
@@ -833,6 +842,11 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm RevokedKeys
+Specifies a list of revoked public keys.
+Keys listed in this file will be refused for public key authentication.
+Note that if this file is not readable, then public key authentication will
+be refused for all users.
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
@@ -856,6 +870,9 @@ This is normally desirable because novices sometimes accidentally leave their
 directory or files world-writable.
 The default is
 .Dq yes .
+Note that this does not apply to
+.Cm ChrootDirectory ,
+whose permissions and ownership are checked unconditionally.
 .It Cm Subsystem
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)
@@ -905,6 +922,22 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.It Cm TrustedUserCAKeys
+Specifies a file containing public keys of certificate authorities that are
+trusted to sign user certificates for authentication.
+Keys are listed one per line; empty lines and comments starting with
+.Ql #
+are allowed.
+If a certificate is presented for authentication and has its signing CA key
+listed in this file, then it may be used for authentication for any user
+listed in the certificate's principals list.
+Note that certificates that lack a list of principals will not be permitted
+for authentication using
+.Cm TrustedUserCAKeys .
+For more details on certificates, see the
+.Sx CERTIFICATES
+section in
+.Xr ssh-keygen 1 .
 .It Cm UseDNS
 Specifies whether
 .Xr sshd 8

diff --git a/sshd_config.5 b/sshd_config.5 index 6c3ef6947..6e3c69d05 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $
38	.Dd $Mdocdate: April 21 2009 $	38	.Dd $Mdocdate: March 4 2010 $
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -182,16 +182,16 @@ PAM or though authentication styles supported in
182	The default is	182	The default is
183	.Dq yes .	183	.Dq yes .
184	.It Cm ChrootDirectory	184	.It Cm ChrootDirectory
185	Specifies a path to	185	Specifies the pathname of a directory to
186	.Xr chroot 2	186	.Xr chroot 2
187	to after authentication.	187	to after authentication.
188	This path, and all its components, must be root-owned directories that are	188	All components of the pathname must be root-owned directories that are
189	not writable by any other user or group.	189	not writable by any other user or group.
190	After the chroot,	190	After the chroot,
191	.Xr sshd 8	191	.Xr sshd 8
192	changes the working directory to the user's home directory.	192	changes the working directory to the user's home directory.
193	.Pp	193	.Pp
194	The path may contain the following tokens that are expanded at runtime once	194	The pathname may contain the following tokens that are expanded at runtime once
195	the connecting user has been authenticated: %% is replaced by a literal '%',	195	the connecting user has been authenticated: %% is replaced by a literal '%',
196	%h is replaced by the home directory of the user being authenticated, and	196	%h is replaced by the home directory of the user being authenticated, and
197	%u is replaced by the username of that user.	197	%u is replaced by the username of that user.
@@ -439,6 +439,14 @@ uses the name supplied by the client rather than
439	attempting to resolve the name from the TCP connection itself.	439	attempting to resolve the name from the TCP connection itself.
440	The default is	440	The default is
441	.Dq no .	441	.Dq no .
		442	.It Cm HostCertificate
		443	Specifies a file containing a public host certificate.
		444	The certificate's public key must match a private host key already specified
		445	by
		446	.Cm HostKey .
		447	The default behaviour of
		448	.Xr sshd 8
		449	is not to load any certificates.
442	.It Cm HostKey	450	.It Cm HostKey
443	Specifies a file containing a private host key	451	Specifies a file containing a private host key
444	used by SSH.	452	used by SSH.
@@ -642,6 +650,7 @@ Available keywords are
642	.Cm PermitEmptyPasswords ,	650	.Cm PermitEmptyPasswords ,
643	.Cm PermitOpen ,	651	.Cm PermitOpen ,
644	.Cm PermitRootLogin ,	652	.Cm PermitRootLogin ,
		653	.Cm PubkeyAuthentication ,
645	.Cm RhostsRSAAuthentication ,	654	.Cm RhostsRSAAuthentication ,
646	.Cm RSAAuthentication ,	655	.Cm RSAAuthentication ,
647	.Cm X11DisplayOffset ,	656	.Cm X11DisplayOffset ,
@@ -820,7 +829,7 @@ and
820	.Sq 2 .	829	.Sq 2 .
821	Multiple versions must be comma-separated.	830	Multiple versions must be comma-separated.
822	The default is	831	The default is
823	.Dq 2,1 .	832	.Sq 2 .
824	Note that the order of the protocol list does not indicate preference,	833	Note that the order of the protocol list does not indicate preference,
825	because the client selects among multiple protocol versions offered	834	because the client selects among multiple protocol versions offered
826	by the server.	835	by the server.
@@ -833,6 +842,11 @@ Specifies whether public key authentication is allowed.
833	The default is	842	The default is
834	.Dq yes .	843	.Dq yes .
835	Note that this option applies to protocol version 2 only.	844	Note that this option applies to protocol version 2 only.
		845	.It Cm RevokedKeys
		846	Specifies a list of revoked public keys.
		847	Keys listed in this file will be refused for public key authentication.
		848	Note that if this file is not readable, then public key authentication will
		849	be refused for all users.
836	.It Cm RhostsRSAAuthentication	850	.It Cm RhostsRSAAuthentication
837	Specifies whether rhosts or /etc/hosts.equiv authentication together	851	Specifies whether rhosts or /etc/hosts.equiv authentication together
838	with successful RSA host authentication is allowed.	852	with successful RSA host authentication is allowed.
@@ -856,6 +870,9 @@ This is normally desirable because novices sometimes accidentally leave their
856	directory or files world-writable.	870	directory or files world-writable.
857	The default is	871	The default is
858	.Dq yes .	872	.Dq yes .
		873	Note that this does not apply to
		874	.Cm ChrootDirectory ,
		875	whose permissions and ownership are checked unconditionally.
859	.It Cm Subsystem	876	.It Cm Subsystem
860	Configures an external subsystem (e.g. file transfer daemon).	877	Configures an external subsystem (e.g. file transfer daemon).
861	Arguments should be a subsystem name and a command (with optional arguments)	878	Arguments should be a subsystem name and a command (with optional arguments)
@@ -905,6 +922,22 @@ This avoids infinitely hanging sessions.
905	.Pp	922	.Pp
906	To disable TCP keepalive messages, the value should be set to	923	To disable TCP keepalive messages, the value should be set to
907	.Dq no .	924	.Dq no .
		925	.It Cm TrustedUserCAKeys
		926	Specifies a file containing public keys of certificate authorities that are
		927	trusted to sign user certificates for authentication.
		928	Keys are listed one per line; empty lines and comments starting with
		929	.Ql #
		930	are allowed.
		931	If a certificate is presented for authentication and has its signing CA key
		932	listed in this file, then it may be used for authentication for any user
		933	listed in the certificate's principals list.
		934	Note that certificates that lack a list of principals will not be permitted
		935	for authentication using
		936	.Cm TrustedUserCAKeys .
		937	For more details on certificates, see the
		938	.Sx CERTIFICATES
		939	section in
		940	.Xr ssh-keygen 1 .
908	.It Cm UseDNS	941	.It Cm UseDNS
909	Specifies whether	942	Specifies whether
910	.Xr sshd 8	943	.Xr sshd 8