- (dtucker) [contrib/cygwin/ssh-host-config] better support for automated

[openssh.git] / sshd.8

diff --git a/sshd.8 b/sshd.8
index d6535dd6d1c1649ed1e804b2702ba69e8051c575..efd3597c0d0a0aba6e1e81b1c9e9c39126e4f93a 100644 (file)
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd.8,v 1.242 2008/06/10 04:50:25 dtucker Exp $
+.\" $OpenBSD: sshd.8,v 1.248 2009/03/26 08:38:39 sobrado Exp $

 .Dd $Mdocdate$
 .Dt SSHD 8
 .Os
 .Dd $Mdocdate$
 .Dt SSHD 8
 .Os


@@ -44,7 +44,7 @@
 .Sh SYNOPSIS
 .Nm sshd
 .Bk -words
 .Sh SYNOPSIS
 .Nm sshd
 .Bk -words

-.Op Fl 46DTdeiqt
+.Op Fl 46DdeiqTt

 .Op Fl b Ar bits
 .Op Fl C Ar connection_spec
 .Op Fl f Ar config_file
 .Op Fl b Ar bits
 .Op Fl C Ar connection_spec
 .Op Fl f Ar config_file


@@ -100,7 +100,25 @@ Forces
 to use IPv6 addresses only.
 .It Fl b Ar bits
 Specifies the number of bits in the ephemeral protocol version 1
 to use IPv6 addresses only.
 .It Fl b Ar bits
 Specifies the number of bits in the ephemeral protocol version 1

-server key (default 768).
+server key (default 1024).
+.It Fl C Ar connection_spec
+Specify the connection parameters to use for the
+.Fl T
+extended test mode.
+If provided, any
+.Cm Match
+directives in the configuration file
+that would apply to the specified user, host, and address will be set before
+the configuration is written to standard output.
+The connection parameters are supplied as keyword=value pairs.
+The keywords are
+.Dq user ,
+.Dq host ,
+and
+.Dq addr .
+All are required and may be supplied in any order, either with multiple
+.Fl C
+options or as a comma-separated list.

 .It Fl D
 When this option is specified,
 .Nm
 .It Fl D
 When this option is specified,
 .Nm


@@ -192,12 +210,6 @@ Quiet mode.
 Nothing is sent to the system log.
 Normally the beginning,
 authentication, and termination of each connection is logged.
 Nothing is sent to the system log.
 Normally the beginning,
 authentication, and termination of each connection is logged.

-.It Fl t
-Test mode.
-Only check the validity of the configuration file and sanity of the keys.
-This is useful for updating
-.Nm
-reliably as configuration options may change.

 .It Fl T
 Extended test mode.
 Check the validity of the configuration file, output the effective configuration
 .It Fl T
 Extended test mode.
 Check the validity of the configuration file, output the effective configuration


@@ -207,24 +219,12 @@ Optionally,
 rules may be applied by specifying the connection parameters using one or more
 .Fl C
 options.
 rules may be applied by specifying the connection parameters using one or more
 .Fl C
 options.

-.It Fl C
-Specify the connection parameters to use for the the
-.Fl T
-extended test mode.
-If provided, any
-.Cm Match
-directives in the configuration file
-that would apply to the specified user, host and address will be set before
-the configuration is written to standard output.
-The connection parameters are supplied as keyword=value pairs.
-The keywords are
-.Dq user ,
-.Dq host
-and 
-.Dq addr
-All are required and may be supplied in any order, either with multiple
-.Fl C
-options or as a comma-separated list.
+.It Fl t
+Test mode.
+Only check the validity of the configuration file and sanity of the keys.
+This is useful for updating
+.Nm
+reliably as configuration options may change.

 .It Fl u Ar len
 This option is used to specify the size of the field
 in the
 .It Fl u Ar len
 This option is used to specify the size of the field
 in the


@@ -531,23 +531,27 @@ This option is automatically disabled if
 .Cm UseLogin
 is enabled.
 .It Cm from="pattern-list"
 .Cm UseLogin
 is enabled.
 .It Cm from="pattern-list"

-Specifies that in addition to public key authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-patterns.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
-.Pp
+Specifies that in addition to public key authentication, either the canonical
+name of the remote host or its IP address must be present in the
+comma-separated list of patterns.

 See
 .Sx PATTERNS
 in
 .Xr ssh_config 5
 for more information on patterns.
 See
 .Sx PATTERNS
 in
 .Xr ssh_config 5
 for more information on patterns.

+.Pp
+In addition to the wildcard matching that may be applied to hostnames or
+addresses, a
+.Cm from
+stanza may match IP addresses using CIDR address/masklen notation.
+.Pp
+The purpose of this option is to optionally increase security: public key
+authentication by itself does not trust the network or name servers or
+anything (but the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).

 .It Cm no-agent-forwarding
 Forbids authentication agent forwarding when this key is used for
 authentication.
 .It Cm no-agent-forwarding
 Forbids authentication agent forwarding when this key is used for
 authentication.


@@ -737,8 +741,6 @@ will not allow it to be used unless the
 .Cm StrictModes
 option has been set to
 .Dq no .
 .Cm StrictModes
 option has been set to
 .Dq no .

-The recommended permissions can be set by executing
-.Dq chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys .

 .Pp
 .It ~/.ssh/environment
 This file is read into the environment at login (if it exists).
 .Pp
 .It ~/.ssh/environment
 This file is read into the environment at login (if it exists).