apply updates from OpenSSH-4.3p1-hpn11-none.patch

[gssapi-openssh.git] / openssh / sshd_config.5

diff --git a/openssh/sshd_config.5 b/openssh/sshd_config.5
index 03503405645a021c937d12210a99898af17c0721..6b7724d8a56bd3e24c29fbb1f4fa48ff56484748 100644 (file)
--- a/openssh/sshd_config.5
+++ b/openssh/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd_config.5,v 1.40 2005/03/18 17:05:00 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $

 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os


@@ -168,26 +168,20 @@ The supported ciphers are
 .Dq aes128-ctr ,
 .Dq aes192-ctr ,
 .Dq aes256-ctr ,
 .Dq aes128-ctr ,
 .Dq aes192-ctr ,
 .Dq aes256-ctr ,

+.Dq arcfour128 ,
+.Dq arcfour256 ,

 .Dq arcfour ,
 .Dq blowfish-cbc ,
 and
 .Dq cast128-cbc .
 The default is
 .Bd -literal
 .Dq arcfour ,
 .Dq blowfish-cbc ,
 and
 .Dq cast128-cbc .
 The default is
 .Bd -literal

-  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
-    aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
+  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+    arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+    aes192-ctr,aes256-ctr''

 .Ed
 .Ed

-.It Cm ClientAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the client,
-.Nm sshd
-will send a message through the encrypted
-channel to request a response from the client.
-The default
-is 0, indicating that these messages will not be sent to the client.
-This option applies to protocol version 2 only.

 .It Cm ClientAliveCountMax
 .It Cm ClientAliveCountMax

-Sets the number of client alive messages (see above) which may be
+Sets the number of client alive messages (see below) which may be

 sent without
 .Nm sshd
 receiving any messages back from the client.
 sent without
 .Nm sshd
 receiving any messages back from the client.


@@ -209,18 +203,29 @@ server depend on knowing when a connection has become inactive.
 The default value is 3.
 If
 .Cm ClientAliveInterval
 The default value is 3.
 If
 .Cm ClientAliveInterval

-(above) is set to 15, and
+(see below) is set to 15, and

 .Cm ClientAliveCountMax
 is left at the default, unresponsive ssh clients
 will be disconnected after approximately 45 seconds.
 .Cm ClientAliveCountMax
 is left at the default, unresponsive ssh clients
 will be disconnected after approximately 45 seconds.

+.It Cm ClientAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the client,
+.Nm sshd
+will send a message through the encrypted
+channel to request a response from the client.
+The default
+is 0, indicating that these messages will not be sent to the client.
+This option applies to protocol version 2 only.

 .It Cm Compression
 .It Cm Compression

-Specifies whether compression is allowed.
+Specifies whether compression is allowed, or delayed until
+the user has authenticated successfully.

 The argument must be
 The argument must be

-.Dq yes
+.Dq yes ,
+.Dq delayed ,

 or
 .Dq no .
 The default is
 or
 .Dq no .
 The default is

-.Dq yes .
+.Dq delayed .

 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.


@@ -272,21 +277,15 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.

-.It Cm GSSAPICleanupCredentials
-Specifies whether to automatically destroy the user's credentials cache
-on logout.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 2 only.

 .It Cm GSSAPIKeyExchange
 .It Cm GSSAPIKeyExchange

-Specifies whether key exchange based on GSSAPI may be used. When using
-GSSAPI key exchange the server need not have a host key.
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange 
+doesn't rely on ssh keys to verify host identity.

 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.

-.It Cm GSSAPIUseSessionCredCache
-Specifies whether a unique credentials cache name should be generated per
-session for storing delegated credentials.
+.It Cm GSSAPICleanupCredentials
+Specifies whether to automatically destroy the user's credentials cache
+on logout.

 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.


@@ -339,7 +338,7 @@ The default is
 Specifies whether
 .Nm sshd
 should ignore the user's
 Specifies whether
 .Nm sshd
 should ignore the user's

-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts

 during
 .Cm RhostsRSAAuthentication
 or
 during
 .Cm RhostsRSAAuthentication
 or


@@ -355,7 +354,7 @@ Kerberos servtab which allows the verification of the KDC's identity.
 Default is
 .Dq no .
 .It Cm KerberosGetAFSToken
 Default is
 .Dq no .
 .It Cm KerberosGetAFSToken

-If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
+If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire

 an AFS token before accessing the user's home directory.
 Default is
 .Dq no .
 an AFS token before accessing the user's home directory.
 Default is
 .Dq no .


@@ -509,6 +508,18 @@ All other authentication methods are disabled for root.
 If this option is set to
 .Dq no
 root is not allowed to log in.
 If this option is set to
 .Dq no
 root is not allowed to log in.

+.It Cm PermitTunnel
+Specifies whether
+.Xr tun 4
+device forwarding is allowed.
+The argument must be
+.Dq yes ,
+.Dq point-to-point ,
+.Dq ethernet
+or
+.Dq no .
+The default is
+.Dq no .

 .It Cm PermitUserEnvironment
 Specifies whether
 .Pa ~/.ssh/environment
 .It Cm PermitUserEnvironment
 Specifies whether
 .Pa ~/.ssh/environment