From 5be9d9e3cbd9c66f24745d25bf2e809c1d158ee0 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sat, 7 Dec 2013 11:24:01 +1100
Subject:    - markus@cvs.openbsd.org 2013/12/06 13:39:49      [authfd.c
 authfile.c key.c key.h myproposal.h pathnames.h readconf.c]      [servconf.c
 ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]      [ssh-keysign.c
 ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]      [sc25519.h
 sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]      [fe25519.h
 fe25519.c ed25519.c crypto_api.h blocks.c]      support ed25519 keys
 (hostkeys and user identities) using the public      domain ed25519 reference
 code from SUPERCOP, see      http://ed25519.cr.yp.to/software.html     
 feedback, help & ok djm@

---
 sshd.8 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'sshd.8')

diff --git a/sshd.8 b/sshd.8
index b0c7ab6bd..b5d614c50 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $
-.Dd $Mdocdate: June 27 2013 $
+.\" $OpenBSD: sshd.8,v 1.271 2013/12/06 13:39:49 markus Exp $
+.Dd $Mdocdate: December 6 2013 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -494,6 +494,7 @@ For protocol version 2 the keytype is
 .Dq ecdsa-sha2-nistp256 ,
 .Dq ecdsa-sha2-nistp384 ,
 .Dq ecdsa-sha2-nistp521 ,
+.Dq ssh-ed25519
 .Dq ssh-dss
 or
 .Dq ssh-rsa .
-- 
cgit v1.2.3


From a7827c11b3f0380b7e593664bd62013ff9c131db Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sat, 7 Dec 2013 11:24:30 +1100
Subject:    - jmc@cvs.openbsd.org 2013/12/06 15:29:07      [sshd.8]     
 missing comma;

---
 ChangeLog | 3 +++
 sshd.8    | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

(limited to 'sshd.8')

diff --git a/ChangeLog b/ChangeLog
index 42e00382b..0d0f54508 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -27,6 +27,9 @@
      domain ed25519 reference code from SUPERCOP, see
      http://ed25519.cr.yp.to/software.html
      feedback, help & ok djm@
+   - jmc@cvs.openbsd.org 2013/12/06 15:29:07
+     [sshd.8]
+     missing comma;
 
 20131205
  - (djm) OpenBSD CVS Sync
diff --git a/sshd.8 b/sshd.8
index b5d614c50..62615bf6d 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.271 2013/12/06 13:39:49 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.272 2013/12/06 15:29:07 jmc Exp $
 .Dd $Mdocdate: December 6 2013 $
 .Dt SSHD 8
 .Os
@@ -494,7 +494,7 @@ For protocol version 2 the keytype is
 .Dq ecdsa-sha2-nistp256 ,
 .Dq ecdsa-sha2-nistp384 ,
 .Dq ecdsa-sha2-nistp521 ,
-.Dq ssh-ed25519
+.Dq ssh-ed25519 ,
 .Dq ssh-dss
 or
 .Dq ssh-rsa .
-- 
cgit v1.2.3


From 8ba0ead6985ea14999265136b14ffd5aeec516f9 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 18 Dec 2013 17:46:27 +1100
Subject:    - naddy@cvs.openbsd.org 2013/12/07 11:58:46      [ssh-add.1
 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]     
 [ssh_config.5 sshd.8 sshd_config.5]      add missing mentions of ed25519; ok
 djm@

---
 ChangeLog     |  4 ++++
 ssh-add.1     |  9 ++++++---
 ssh-agent.1   | 11 +++++++----
 ssh-keygen.1  | 26 ++++++++++++++++++--------
 ssh-keyscan.1 |  7 ++++---
 ssh-keysign.8 |  6 ++++--
 ssh.1         | 20 ++++++++++++++------
 ssh_config.5  | 10 ++++++----
 sshd.8        | 16 ++++++++++------
 sshd_config.5 | 10 ++++++----
 10 files changed, 79 insertions(+), 40 deletions(-)

(limited to 'sshd.8')

diff --git a/ChangeLog b/ChangeLog
index 351bd0386..c162b7f5c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@
    - djm@cvs.openbsd.org 2013/12/07 08:08:26
      [ssh-keygen.1]
      document -a and -o wrt new key format
+   - naddy@cvs.openbsd.org 2013/12/07 11:58:46
+     [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
+     [ssh_config.5 sshd.8 sshd_config.5]
+     add missing mentions of ed25519; ok djm@
 
 20131208
  - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna
diff --git a/ssh-add.1 b/ssh-add.1
index 44846b67e..4812448fa 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-add.1,v 1.58 2012/12/03 08:33:02 jmc Exp $
+.\"	$OpenBSD: ssh-add.1,v 1.59 2013/12/07 11:58:46 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 3 2012 $
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@@ -57,7 +57,8 @@ adds private key identities to the authentication agent,
 When run without arguments, it adds the files
 .Pa ~/.ssh/id_rsa ,
 .Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/identity .
 After loading a private key,
@@ -169,6 +170,8 @@ Contains the protocol version 1 RSA authentication identity of the user.
 Contains the protocol version 2 DSA authentication identity of the user.
 .It Pa ~/.ssh/id_ecdsa
 Contains the protocol version 2 ECDSA authentication identity of the user.
+.It Pa ~/.ssh/id_ed25519
+Contains the protocol version 2 ED25519 authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
 .El
diff --git a/ssh-agent.1 b/ssh-agent.1
index bb801c902..281ecbdcf 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.53 2010/11/21 01:01:13 djm Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.54 2013/12/07 11:58:46 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 21 2010 $
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -53,7 +53,7 @@
 .Sh DESCRIPTION
 .Nm
 is a program to hold private keys used for public key authentication
-(RSA, DSA, ECDSA).
+(RSA, DSA, ECDSA, ED25519).
 The idea is that
 .Nm
 is started in the beginning of an X-session or a login session, and
@@ -115,7 +115,8 @@ When executed without arguments,
 adds the files
 .Pa ~/.ssh/id_rsa ,
 .Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/identity .
 If the identity has a passphrase,
@@ -190,6 +191,8 @@ Contains the protocol version 1 RSA authentication identity of the user.
 Contains the protocol version 2 DSA authentication identity of the user.
 .It Pa ~/.ssh/id_ecdsa
 Contains the protocol version 2 ECDSA authentication identity of the user.
+.It Pa ~/.ssh/id_ed25519
+Contains the protocol version 2 ED25519 authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
 .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 689db22ff..09e401bf8 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.117 2013/12/07 08:08:26 djm Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.118 2013/12/07 11:58:46 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -139,8 +139,8 @@
 generates, manages and converts authentication keys for
 .Xr ssh 1 .
 .Nm
-can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA
-keys for use by SSH protocol version 2.
+can create RSA keys for use by SSH protocol version 1 and
+DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
 The type of key to be generated is specified with the
 .Fl t
 option.
@@ -167,8 +167,9 @@ Normally each user wishing to use SSH
 with public key authentication runs this once to create the authentication
 key in
 .Pa ~/.ssh/identity ,
+.Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
-.Pa ~/.ssh/id_dsa
+.Pa ~/.ssh/id_ed25519
 or
 .Pa ~/.ssh/id_rsa .
 Additionally, the system administrator may use this to generate host keys,
@@ -216,7 +217,8 @@ should be placed to be activated.
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl A
-For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
+For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
+for which host keys
 do not exist, generate the host keys with the default key file path,
 an empty passphrase, default bits for the key type, and default comment.
 This is used by
@@ -249,6 +251,9 @@ flag determines the key length by selecting from one of three elliptic
 curve sizes: 256, 384 or 521 bits.
 Attempting to use bit lengths other than these three values for ECDSA keys
 will fail.
+ED25519 keys have a fixed length and the
+.Fl b
+flag will be ignored.
 .It Fl C Ar comment
 Provides a new comment.
 .It Fl c
@@ -515,7 +520,8 @@ The possible values are
 .Dq rsa1
 for protocol version 1 and
 .Dq dsa ,
-.Dq ecdsa
+.Dq ecdsa ,
+.Dq ed25519 ,
 or
 .Dq rsa
 for protocol version 2.
@@ -795,8 +801,10 @@ There is no need to keep the contents of this file secret.
 .Pp
 .It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
+.It Pa ~/.ssh/id_ed25519
 .It Pa ~/.ssh/id_rsa
-Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user.
+Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+authentication identity of the user.
 This file should not be readable by anyone but the user.
 It is possible to
 specify a passphrase when generating the key; that passphrase will be
@@ -809,8 +817,10 @@ will read this file when a login attempt is made.
 .Pp
 .It Pa ~/.ssh/id_dsa.pub
 .It Pa ~/.ssh/id_ecdsa.pub
+.It Pa ~/.ssh/id_ed25519.pub
 .It Pa ~/.ssh/id_rsa.pub
-Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication.
+Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+public key for authentication.
 The contents of this file should be added to
 .Pa ~/.ssh/authorized_keys
 on all machines
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 79dd6aa1c..65ef43efd 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.32 2013/12/06 13:39:49 markus Exp $
+.\"	$OpenBSD: ssh-keyscan.1,v 1.33 2013/12/07 11:58:46 naddy Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: December 6 2013 $
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -89,7 +89,8 @@ The possible values are
 .Dq rsa1
 for protocol version 1 and
 .Dq dsa ,
-.Dq ecdsa
+.Dq ecdsa ,
+.Dq ed25519 ,
 or
 .Dq rsa
 for protocol version 2.
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 5e0b2d232..69d082954 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.13 2013/07/16 00:07:52 schwarze Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.14 2013/12/07 11:58:46 naddy Exp $
 .\"
 .\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 16 2013 $
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSH-KEYSIGN 8
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@ is enabled.
 .Pp
 .It Pa /etc/ssh/ssh_host_dsa_key
 .It Pa /etc/ssh/ssh_host_ecdsa_key
+.It Pa /etc/ssh/ssh_host_ed25519_key
 .It Pa /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys used to
 generate the digital signature.
@@ -74,6 +75,7 @@ must be set-uid root if host-based authentication is used.
 .Pp
 .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
 .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
+.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
 .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
diff --git a/ssh.1 b/ssh.1
index fc56997f4..27794e2d0 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.342 2013/11/26 12:14:54 jmc Exp $
-.Dd $Mdocdate: November 26 2013 $
+.\" $OpenBSD: ssh.1,v 1.343 2013/12/07 11:58:46 naddy Exp $
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -279,7 +279,8 @@ The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/id_rsa
 for protocol version 2.
@@ -757,7 +758,7 @@ key pair for authentication purposes.
 The server knows the public key, and only the user knows the private key.
 .Nm
 implements public key authentication protocol automatically,
-using one of the DSA, ECDSA or RSA algorithms.
+using one of the DSA, ECDSA, ED25519 or RSA algorithms.
 Protocol 1 is restricted to using only RSA keys,
 but protocol 2 may use any.
 The HISTORY section of
@@ -784,6 +785,8 @@ This stores the private key in
 (protocol 2 DSA),
 .Pa ~/.ssh/id_ecdsa
 (protocol 2 ECDSA),
+.Pa ~/.ssh/id_ed25519
+(protocol 2 ED25519),
 or
 .Pa ~/.ssh/id_rsa
 (protocol 2 RSA)
@@ -794,6 +797,8 @@ and stores the public key in
 (protocol 2 DSA),
 .Pa ~/.ssh/id_ecdsa.pub
 (protocol 2 ECDSA),
+.Pa ~/.ssh/id_ed25519.pub
+(protocol 2 ED25519),
 or
 .Pa ~/.ssh/id_rsa.pub
 (protocol 2 RSA)
@@ -1333,8 +1338,8 @@ secret, but the recommended permissions are read/write/execute for the user,
 and not accessible by others.
 .Pp
 .It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in as
-this user.
+Lists the public keys (DSA, ECDSA, ED25519, RSA)
+that can be used for logging in as this user.
 The format of this file is described in the
 .Xr sshd 8
 manual page.
@@ -1356,6 +1361,7 @@ above.
 .It Pa ~/.ssh/identity
 .It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
+.It Pa ~/.ssh/id_ed25519
 .It Pa ~/.ssh/id_rsa
 Contains the private key for authentication.
 These files
@@ -1370,6 +1376,7 @@ sensitive part of this file using 3DES.
 .It Pa ~/.ssh/identity.pub
 .It Pa ~/.ssh/id_dsa.pub
 .It Pa ~/.ssh/id_ecdsa.pub
+.It Pa ~/.ssh/id_ed25519.pub
 .It Pa ~/.ssh/id_rsa.pub
 Contains the public key for authentication.
 These files are not
@@ -1409,6 +1416,7 @@ The file format and configuration options are described in
 .It Pa /etc/ssh/ssh_host_key
 .It Pa /etc/ssh/ssh_host_dsa_key
 .It Pa /etc/ssh/ssh_host_ecdsa_key
+.It Pa /etc/ssh/ssh_host_ed25519_key
 .It Pa /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys
 and are used for host-based authentication.
diff --git a/ssh_config.5 b/ssh_config.5
index 43455342a..7b2fdacbb 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.182 2013/12/06 13:39:49 markus Exp $
-.Dd $Mdocdate: December 6 2013 $
+.\" $OpenBSD: ssh_config.5,v 1.183 2013/12/07 11:58:46 naddy Exp $
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -718,6 +718,7 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
 ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
@@ -763,13 +764,14 @@ offers many different identities.
 The default is
 .Dq no .
 .It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA or RSA authentication
+Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication
 identity is read.
 The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/id_rsa
 for protocol version 2.
diff --git a/sshd.8 b/sshd.8
index 62615bf6d..e6a900b06 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.272 2013/12/06 15:29:07 jmc Exp $
-.Dd $Mdocdate: December 6 2013 $
+.\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -175,7 +175,8 @@ The default is
 .Pa /etc/ssh/ssh_host_key
 for protocol version 1, and
 .Pa /etc/ssh/ssh_host_dsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key
+.Pa /etc/ssh/ssh_host_ecdsa_key .
+.Pa /etc/ssh/ssh_host_ed25519_key
 and
 .Pa /etc/ssh/ssh_host_rsa_key
 for protocol version 2.
@@ -280,7 +281,7 @@ though this can be changed via the
 .Cm Protocol
 option in
 .Xr sshd_config 5 .
-Protocol 2 supports DSA, ECDSA and RSA keys;
+Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
 protocol 1 only supports RSA keys.
 For both protocols,
 each host has a host-specific key,
@@ -507,6 +508,7 @@ You don't want to type them in; instead, copy the
 .Pa identity.pub ,
 .Pa id_dsa.pub ,
 .Pa id_ecdsa.pub ,
+.Pa id_ed25519.pub ,
 or the
 .Pa id_rsa.pub
 file and edit it.
@@ -806,8 +808,8 @@ secret, but the recommended permissions are read/write/execute for the user,
 and not accessible by others.
 .Pp
 .It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in
-as this user.
+Lists the public keys (DSA, ECDSA, ED25519, RSA)
+that can be used for logging in as this user.
 The format of this file is described above.
 The content of the file is not highly sensitive, but the recommended
 permissions are read/write for the user, and not accessible by others.
@@ -887,6 +889,7 @@ rlogin/rsh.
 .It Pa /etc/ssh/ssh_host_key
 .It Pa /etc/ssh/ssh_host_dsa_key
 .It Pa /etc/ssh/ssh_host_ecdsa_key
+.It Pa /etc/ssh/ssh_host_ed25519_key
 .It Pa /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys.
 These files should only be owned by root, readable only by root, and not
@@ -898,6 +901,7 @@ does not start if these files are group/world-accessible.
 .It Pa /etc/ssh/ssh_host_key.pub
 .It Pa /etc/ssh/ssh_host_dsa_key.pub
 .It Pa /etc/ssh/ssh_host_ecdsa_key.pub
+.It Pa /etc/ssh/ssh_host_ed25519_key.pub
 .It Pa /etc/ssh/ssh_host_rsa_key.pub
 These files contain the public parts of the host keys.
 These files should be world-readable but writable only by
diff --git a/sshd_config.5 b/sshd_config.5
index 0418c86ed..0ae1740bb 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.168 2013/11/21 08:05:09 jmc Exp $
-.Dd $Mdocdate: November 21 2013 $
+.\" $OpenBSD: sshd_config.5,v 1.169 2013/12/07 11:58:46 naddy Exp $
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -540,7 +540,8 @@ The default is
 .Pa /etc/ssh/ssh_host_key
 for protocol version 1, and
 .Pa /etc/ssh/ssh_host_dsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key
+.Pa /etc/ssh/ssh_host_ecdsa_key ,
+.Pa /etc/ssh/ssh_host_ed25519_key
 and
 .Pa /etc/ssh/ssh_host_rsa_key
 for protocol version 2.
@@ -551,7 +552,8 @@ It is possible to have multiple host key files.
 .Dq rsa1
 keys are used for version 1 and
 .Dq dsa ,
-.Dq ecdsa
+.Dq ecdsa ,
+.Dq ed25519
 or
 .Dq rsa
 are used for version 2 of the SSH protocol.
-- 
cgit v1.2.3


From 1c4af29874fe7bd1cec92ee90fc613c3cf83f571 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages

No single bug reference for this patch, but history includes:
 http://bugs.debian.org/154434 (login.conf(5))
 http://bugs.debian.org/513417 (/etc/rc)
 http://bugs.debian.org/530692 (ssl(8))
 https://bugs.launchpad.net/bugs/456660 (ssl(8))

Forwarded: not-needed
Last-Update: 2013-09-14

Patch-Name: openbsd-docs.patch
---
 moduli.5      |  4 ++--
 ssh-keygen.1  | 12 ++++--------
 ssh.1         |  4 ++++
 sshd.8        |  5 ++---
 sshd_config.5 |  3 +--
 5 files changed, 13 insertions(+), 15 deletions(-)

(limited to 'sshd.8')

diff --git a/moduli.5 b/moduli.5
index ef0de0850..149846c8c 100644
--- a/moduli.5
+++ b/moduli.5
@@ -21,7 +21,7 @@
 .Nd Diffie-Hellman moduli
 .Sh DESCRIPTION
 The
-.Pa /etc/moduli
+.Pa /etc/ssh/moduli
 file contains prime numbers and generators for use by
 .Xr sshd 8
 in the Diffie-Hellman Group Exchange key exchange method.
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
 Diffie-Hellman output to sufficiently key the selected symmetric cipher.
 .Xr sshd 8
 then randomly selects a modulus from
-.Fa /etc/moduli
+.Fa /etc/ssh/moduli
 that best meets the size requirement.
 .Sh SEE ALSO
 .Xr ssh-keygen 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 0e0ed989f..299ccf8dd 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -172,9 +172,7 @@ key in
 .Pa ~/.ssh/id_ed25519
 or
 .Pa ~/.ssh/id_rsa .
-Additionally, the system administrator may use this to generate host keys,
-as seen in
-.Pa /etc/rc .
+Additionally, the system administrator may use this to generate host keys.
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
@@ -221,9 +219,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
 for which host keys
 do not exist, generate the host keys with the default key file path,
 an empty passphrase, default bits for the key type, and default comment.
-This is used by
-.Pa /etc/rc
-to generate new host keys.
+This is used by system administration scripts to generate new host keys.
 .It Fl a Ar rounds
 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
 2 key when the
@@ -628,7 +624,7 @@ option.
 Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
-.Pa /etc/moduli .
+.Pa /etc/ssh/moduli .
 It is important that this file contains moduli of a range of bit lengths and
 that both ends of a connection share common moduli.
 .Sh CERTIFICATES
@@ -827,7 +823,7 @@ on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
 Contains Diffie-Hellman groups used for DH-GEX.
 The file format is described in
 .Xr moduli 5 .
diff --git a/ssh.1 b/ssh.1
index ff5e6acab..67b4f44b2 100644
--- a/ssh.1
+++ b/ssh.1
@@ -763,6 +763,10 @@ Protocol 1 is restricted to using only RSA keys,
 but protocol 2 may use any.
 The HISTORY section of
 .Xr ssl 8
+(on non-OpenBSD systems, see
+.nh
+http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
+.hy
 contains a brief discussion of the DSA and RSA algorithms.
 .Pp
 The file
diff --git a/sshd.8 b/sshd.8
index e6a900b06..b016e9096 100644
--- a/sshd.8
+++ b/sshd.8
@@ -70,7 +70,7 @@ over an insecure network.
 .Nm
 listens for connections from clients.
 It is normally started at boot from
-.Pa /etc/rc .
+.Pa /etc/init.d/ssh .
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
@@ -862,7 +862,7 @@ This file is for host-based authentication (see
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
@@ -961,7 +961,6 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
-.Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
 .Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
index bdca79724..9fa608698 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -283,8 +283,7 @@ This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
-PAM or though authentication styles supported in
-.Xr login.conf 5 )
+PAM).
 The default is
 .Dq yes .
 .It Cm ChrootDirectory
-- 
cgit v1.2.3


From 61466f681be917753b4ae82f3b6b16cbb44047ae Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:12 +0000
Subject: Refer to ssh's Upstart job as well as its init script

Forwarded: not-needed
Last-Update: 2013-09-14

Patch-Name: doc-upstart.patch
---
 sshd.8 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'sshd.8')

diff --git a/sshd.8 b/sshd.8
index b016e9096..cba168a8e 100644
--- a/sshd.8
+++ b/sshd.8
@@ -70,7 +70,10 @@ over an insecure network.
 .Nm
 listens for connections from clients.
 It is normally started at boot from
-.Pa /etc/init.d/ssh .
+.Pa /etc/init.d/ssh
+(or
+.Pa /etc/init/ssh.conf
+on systems using the Upstart init daemon).
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
-- 
cgit v1.2.3