1 files changed, 60 insertions, 14 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 251b7467f..e3c7c3936 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.253 2017/09/27 06:45:53 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.263 2018/02/16 02:40:45 djm Exp $
-.Dd $Mdocdate: September 27 2017 $
+.Dd $Mdocdate: February 16 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -48,6 +48,7 @@ reads configuration data from
 .Fl f
 on the command line).
 The file contains keyword-argument pairs, one per line.
+For each keyword, the first obtained value will be used.
 Lines starting with
 .Ql #
 and empty lines are interpreted as comments.
@@ -713,7 +714,6 @@ is not to load any certificates.
 Specifies a file containing a private host key
 used by SSH.
 The defaults are
-.Pa /etc/ssh/ssh_host_dsa_key ,
 .Pa /etc/ssh/ssh_host_ecdsa_key ,
 .Pa /etc/ssh/ssh_host_ed25519_key
 and
@@ -776,7 +776,9 @@ Specifies whether
 should ignore the user's
 .Pa ~/.ssh/known_hosts
 during
-.Cm HostbasedAuthentication .
+.Cm HostbasedAuthentication
+and use only the system-wide known hosts file
+.Pa /etc/ssh/known_hosts .
 The default is
 .Cm no .
 .It Cm IPQoS
@@ -877,6 +879,12 @@ diffie-hellman-group1-sha1
 .It
 diffie-hellman-group14-sha1
 .It
+diffie-hellman-group14-sha256
+.It
+diffie-hellman-group16-sha512
+.It
+diffie-hellman-group18-sha512
+.It
 diffie-hellman-group-exchange-sha1
 .It
 diffie-hellman-group-exchange-sha256
@@ -893,7 +901,8 @@ The default is:
 curve25519-sha256,curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group14-sha1
+diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 .Ed
 .Pp
 The list of available key exchange algorithms may also be obtained using
@@ -908,31 +917,47 @@ The following forms may be used:
 .It
 .Cm ListenAddress
 .Sm off
-.Ar host | Ar IPv4_addr | Ar IPv6_addr
+.Ar hostname | address
+.Sm on
+.Op Cm rdomain Ar domain
+.It
+.Cm ListenAddress
+.Sm off
+.Ar hostname : port
 .Sm on
+.Op Cm rdomain Ar domain
 .It
 .Cm ListenAddress
 .Sm off
-.Ar host | Ar IPv4_addr : Ar port
+.Ar IPv4_address : port
 .Sm on
+.Op Cm rdomain Ar domain
 .It
 .Cm ListenAddress
 .Sm off
-.Oo
+.Oo Ar hostname | address Oc : Ar port
-.Ar host | Ar IPv6_addr Oc : Ar port
 .Sm on
+.Op Cm rdomain Ar domain
 .El
 .Pp
+The optional
+.Cm rdomain
+qualifier requests
+.Xr sshd 8
+listen in an explicit routing domain.
 If
 .Ar port
 is not specified,
 sshd will listen on the address and all
 .Cm Port
 options specified.
-The default is to listen on all local addresses.
+The default is to listen on all local addresses on the current default
+routing domain.
 Multiple
 .Cm ListenAddress
 options are permitted.
+For more information on routing domains, see
+.Xr rdomain 4 .
 .It Cm LoginGraceTime
 The server disconnects after this time if the user has not
 successfully logged in.
@@ -1036,8 +1061,15 @@ The available criteria are
 .Cm Host ,
 .Cm LocalAddress ,
 .Cm LocalPort ,
+.Cm RDomain ,
 and
-.Cm Address .
+.Cm Address
+(with
+.Cm RDomain
+representing the
+.Xr rdomain 4
+on which the connection was received.)
+.Pp
 The match patterns may consist of single entries or comma-separated
 lists and may use the wildcard and negation operators described in the
 .Sx PATTERNS
@@ -1100,6 +1132,7 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
+.Cm RDomain ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1188,7 +1221,6 @@ Specifies whether root can log in using
 The argument must be
 .Cm yes ,
 .Cm prohibit-password ,
-.Cm without-password ,
 .Cm forced-commands-only ,
 or
 .Cm no .
@@ -1197,8 +1229,8 @@ The default is
 .Pp
 If this option is set to
 .Cm prohibit-password
-or
+(or its deprecated alias,
-.Cm without-password ,
+.Cm without-password ) ,
 password and keyboard-interactive authentication are disabled for root.
 .Pp
 If this option is set to
@@ -1361,6 +1393,15 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
+.It Cm RDomain
+Specifies an explicit routing domain that is applied after authentication
+has completed.
+The user session, as well and any forwarded or listening IP sockets,
+will be bound to this
+.Xr rdomain 4 .
+If the routing domain is set to
+.Cm \&%D ,
+then the domain in which the incoming connection was received will be applied.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
@@ -1626,6 +1667,8 @@ which are expanded at runtime:
 .It %%
 A literal
 .Sq % .
+.It \&%D
+The routing domain in which the incoming connection was received.
 .It %F
 The fingerprint of the CA key.
 .It %f
@@ -1662,6 +1705,9 @@ accepts the tokens %%, %h, and %u.
 .Pp
 .Cm ChrootDirectory
 accepts the tokens %%, %h, and %u.
+.Pp
+.Cm RoutingDomain
+accepts the token %D.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config

diff --git a/sshd_config.5 b/sshd_config.5 index 251b7467f..e3c7c3936 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.253 2017/09/27 06:45:53 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.263 2018/02/16 02:40:45 djm Exp $
37	.Dd $Mdocdate: September 27 2017 $	37	.Dd $Mdocdate: February 16 2018 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -48,6 +48,7 @@ reads configuration data from
48	.Fl f	48	.Fl f
49	on the command line).	49	on the command line).
50	The file contains keyword-argument pairs, one per line.	50	The file contains keyword-argument pairs, one per line.
		51	For each keyword, the first obtained value will be used.
51	Lines starting with	52	Lines starting with
52	.Ql #	53	.Ql #
53	and empty lines are interpreted as comments.	54	and empty lines are interpreted as comments.
@@ -713,7 +714,6 @@ is not to load any certificates.
713	Specifies a file containing a private host key	714	Specifies a file containing a private host key
714	used by SSH.	715	used by SSH.
715	The defaults are	716	The defaults are
716	.Pa /etc/ssh/ssh_host_dsa_key ,
717	.Pa /etc/ssh/ssh_host_ecdsa_key ,	717	.Pa /etc/ssh/ssh_host_ecdsa_key ,
718	.Pa /etc/ssh/ssh_host_ed25519_key	718	.Pa /etc/ssh/ssh_host_ed25519_key
719	and	719	and
@@ -776,7 +776,9 @@ Specifies whether
776	should ignore the user's	776	should ignore the user's
777	.Pa ~/.ssh/known_hosts	777	.Pa ~/.ssh/known_hosts
778	during	778	during
779	.Cm HostbasedAuthentication .	779	.Cm HostbasedAuthentication
		780	and use only the system-wide known hosts file
		781	.Pa /etc/ssh/known_hosts .
780	The default is	782	The default is
781	.Cm no .	783	.Cm no .
782	.It Cm IPQoS	784	.It Cm IPQoS
@@ -877,6 +879,12 @@ diffie-hellman-group1-sha1
877	.It	879	.It
878	diffie-hellman-group14-sha1	880	diffie-hellman-group14-sha1
879	.It	881	.It
		882	diffie-hellman-group14-sha256
		883	.It
		884	diffie-hellman-group16-sha512
		885	.It
		886	diffie-hellman-group18-sha512
		887	.It
880	diffie-hellman-group-exchange-sha1	888	diffie-hellman-group-exchange-sha1
881	.It	889	.It
882	diffie-hellman-group-exchange-sha256	890	diffie-hellman-group-exchange-sha256
@@ -893,7 +901,8 @@ The default is:
893	curve25519-sha256,curve25519-sha256@libssh.org,	901	curve25519-sha256,curve25519-sha256@libssh.org,
894	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	902	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
895	diffie-hellman-group-exchange-sha256,	903	diffie-hellman-group-exchange-sha256,
896	diffie-hellman-group14-sha1	904	diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
		905	diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
897	.Ed	906	.Ed
898	.Pp	907	.Pp
899	The list of available key exchange algorithms may also be obtained using	908	The list of available key exchange algorithms may also be obtained using
@@ -908,31 +917,47 @@ The following forms may be used:
908	.It	917	.It
909	.Cm ListenAddress	918	.Cm ListenAddress
910	.Sm off	919	.Sm off
911	.Ar host \| Ar IPv4_addr \| Ar IPv6_addr	920	.Ar hostname \| address
		921	.Sm on
		922	.Op Cm rdomain Ar domain
		923	.It
		924	.Cm ListenAddress
		925	.Sm off
		926	.Ar hostname : port
912	.Sm on	927	.Sm on
		928	.Op Cm rdomain Ar domain
913	.It	929	.It
914	.Cm ListenAddress	930	.Cm ListenAddress
915	.Sm off	931	.Sm off
916	.Ar host \| Ar IPv4_addr : Ar port	932	.Ar IPv4_address : port
917	.Sm on	933	.Sm on
		934	.Op Cm rdomain Ar domain
918	.It	935	.It
919	.Cm ListenAddress	936	.Cm ListenAddress
920	.Sm off	937	.Sm off
921	.Oo	938	.Oo Ar hostname \| address Oc : Ar port
922	.Ar host \| Ar IPv6_addr Oc : Ar port
923	.Sm on	939	.Sm on
		940	.Op Cm rdomain Ar domain
924	.El	941	.El
925	.Pp	942	.Pp
		943	The optional
		944	.Cm rdomain
		945	qualifier requests
		946	.Xr sshd 8
		947	listen in an explicit routing domain.
926	If	948	If
927	.Ar port	949	.Ar port
928	is not specified,	950	is not specified,
929	sshd will listen on the address and all	951	sshd will listen on the address and all
930	.Cm Port	952	.Cm Port
931	options specified.	953	options specified.
932	The default is to listen on all local addresses.	954	The default is to listen on all local addresses on the current default
		955	routing domain.
933	Multiple	956	Multiple
934	.Cm ListenAddress	957	.Cm ListenAddress
935	options are permitted.	958	options are permitted.
		959	For more information on routing domains, see
		960	.Xr rdomain 4 .
936	.It Cm LoginGraceTime	961	.It Cm LoginGraceTime
937	The server disconnects after this time if the user has not	962	The server disconnects after this time if the user has not
938	successfully logged in.	963	successfully logged in.
@@ -1036,8 +1061,15 @@ The available criteria are
1036	.Cm Host ,	1061	.Cm Host ,
1037	.Cm LocalAddress ,	1062	.Cm LocalAddress ,
1038	.Cm LocalPort ,	1063	.Cm LocalPort ,
		1064	.Cm RDomain ,
1039	and	1065	and
1040	.Cm Address .	1066	.Cm Address
		1067	(with
		1068	.Cm RDomain
		1069	representing the
		1070	.Xr rdomain 4
		1071	on which the connection was received.)
		1072	.Pp
1041	The match patterns may consist of single entries or comma-separated	1073	The match patterns may consist of single entries or comma-separated
1042	lists and may use the wildcard and negation operators described in the	1074	lists and may use the wildcard and negation operators described in the
1043	.Sx PATTERNS	1075	.Sx PATTERNS
@@ -1100,6 +1132,7 @@ Available keywords are
1100	.Cm PubkeyAuthentication ,	1132	.Cm PubkeyAuthentication ,
1101	.Cm RekeyLimit ,	1133	.Cm RekeyLimit ,
1102	.Cm RevokedKeys ,	1134	.Cm RevokedKeys ,
		1135	.Cm RDomain ,
1103	.Cm StreamLocalBindMask ,	1136	.Cm StreamLocalBindMask ,
1104	.Cm StreamLocalBindUnlink ,	1137	.Cm StreamLocalBindUnlink ,
1105	.Cm TrustedUserCAKeys ,	1138	.Cm TrustedUserCAKeys ,
@@ -1188,7 +1221,6 @@ Specifies whether root can log in using
1188	The argument must be	1221	The argument must be
1189	.Cm yes ,	1222	.Cm yes ,
1190	.Cm prohibit-password ,	1223	.Cm prohibit-password ,
1191	.Cm without-password ,
1192	.Cm forced-commands-only ,	1224	.Cm forced-commands-only ,
1193	or	1225	or
1194	.Cm no .	1226	.Cm no .
@@ -1197,8 +1229,8 @@ The default is
1197	.Pp	1229	.Pp
1198	If this option is set to	1230	If this option is set to
1199	.Cm prohibit-password	1231	.Cm prohibit-password
1200	or	1232	(or its deprecated alias,
1201	.Cm without-password ,	1233	.Cm without-password ) ,
1202	password and keyboard-interactive authentication are disabled for root.	1234	password and keyboard-interactive authentication are disabled for root.
1203	.Pp	1235	.Pp
1204	If this option is set to	1236	If this option is set to
@@ -1361,6 +1393,15 @@ an OpenSSH Key Revocation List (KRL) as generated by
1361	.Xr ssh-keygen 1 .	1393	.Xr ssh-keygen 1 .
1362	For more information on KRLs, see the KEY REVOCATION LISTS section in	1394	For more information on KRLs, see the KEY REVOCATION LISTS section in
1363	.Xr ssh-keygen 1 .	1395	.Xr ssh-keygen 1 .
		1396	.It Cm RDomain
		1397	Specifies an explicit routing domain that is applied after authentication
		1398	has completed.
		1399	The user session, as well and any forwarded or listening IP sockets,
		1400	will be bound to this
		1401	.Xr rdomain 4 .
		1402	If the routing domain is set to
		1403	.Cm \&%D ,
		1404	then the domain in which the incoming connection was received will be applied.
1364	.It Cm StreamLocalBindMask	1405	.It Cm StreamLocalBindMask
1365	Sets the octal file creation mode mask	1406	Sets the octal file creation mode mask
1366	.Pq umask	1407	.Pq umask
@@ -1626,6 +1667,8 @@ which are expanded at runtime:
1626	.It %%	1667	.It %%
1627	A literal	1668	A literal
1628	.Sq % .	1669	.Sq % .
		1670	.It \&%D
		1671	The routing domain in which the incoming connection was received.
1629	.It %F	1672	.It %F
1630	The fingerprint of the CA key.	1673	The fingerprint of the CA key.
1631	.It %f	1674	.It %f
@@ -1662,6 +1705,9 @@ accepts the tokens %%, %h, and %u.
1662	.Pp	1705	.Pp
1663	.Cm ChrootDirectory	1706	.Cm ChrootDirectory
1664	accepts the tokens %%, %h, and %u.	1707	accepts the tokens %%, %h, and %u.
		1708	.Pp
		1709	.Cm RoutingDomain
		1710	accepts the token %D.
1665	.Sh FILES	1711	.Sh FILES
1666	.Bl -tag -width Ds	1712	.Bl -tag -width Ds
1667	.It Pa /etc/ssh/sshd_config	1713	.It Pa /etc/ssh/sshd_config