- markus@cvs.openbsd.org 2001/03/17 17:27:59

[openssh.git] / sshd.8

diff --git a/sshd.8 b/sshd.8
index 0ab509467e8264c015ecd0e67de6004b62829f9f..da81de11d9250bba5ec2ad558615e49f6246142a 100644 (file)
--- a/sshd.8
+++ b/sshd.8
@@ -10,9 +10,9 @@
 .\" incompatible with the protocol description in the RFC file, it must be
 .\" called by a name other than "ssh" or "Secure Shell".
 .\"
-.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
+.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -34,13 +34,13 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.98 2001/03/02 09:42:49 deraadt Exp $
+.\" $OpenBSD: sshd.8,v 1.106 2001/03/07 01:19:06 deraadt Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
 .Sh NAME
 .Nm sshd
-.Nd OpenSSH secure shell daemon
+.Nd OpenSSH ssh daemon
 .Sh SYNOPSIS
 .Nm sshd
 .Op Fl diqD46
@@ -54,7 +54,7 @@
 .Op Fl V Ar client_protocol_id
 .Sh DESCRIPTION
 .Nm
-(Secure Shell Daemon) is the daemon program for
+(SSH Daemon) is the daemon program for
 .Xr ssh 1 .
 Together these programs replace rlogin and rsh, and
 provide secure encrypted communications between two untrusted hosts
@@ -134,9 +134,8 @@ Each host has a host-specific DSA key used to identify the host.
 However, when the daemon starts, it does not generate a server key.
 Forward security is provided through a Diffie-Hellman key agreement.
 This key agreement results in a shared session key.
-The rest of the session is encrypted
-using a symmetric cipher, currently
-Blowfish, 3DES or CAST128 in CBC mode or Arcfour.
+The rest of the session is encrypted using a symmetric cipher, currently
+Blowfish, 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES.
 The client selects the encryption algorithm
 to use from those offered by the server.
 Additionally, session integrity is provided
@@ -340,11 +339,20 @@ The contents of the specified file are sent to the remote user before
 authentication is allowed.
 This option is only available for protocol version 2.
 .Pp
+.It Cm ChallengeResponseAuthentication
+Specifies whether
+challenge response
+authentication is allowed.
+Currently there is only support for
+.Xr skey 1
+authentication.
+The default is
+.Dq yes .
 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
 The default is
-.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc .
+.Dq aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour.
 .It Cm CheckMail
 Specifies whether
 .Nm
@@ -374,11 +382,6 @@ and
 can be used as wildcards in the patterns.
 Only user names are valid; a numerical user ID isn't recognized.
 By default login is allowed regardless of the user name.
-.It Cm PubkeyAuthentication
-Specifies whether public key authentication is allowed.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 2 only.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
@@ -511,7 +514,7 @@ Multiple algorithms must be comma-separated.
 The default is
 .Pp
 .Bd -literal
-  ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,
+  ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,
     hmac-sha1-96,hmac-md5-96''
 .Ed
 .It Cm MaxStartups
@@ -550,7 +553,7 @@ server allows login to accounts with empty password strings.
 The default is
 .Dq no .
 .It Cm PermitRootLogin
-Specifies whether the root can log in using
+Specifies whether root can login using
 .Xr ssh 1 .
 The argument must be
 .Dq yes ,
@@ -574,6 +577,10 @@ option has been specified
 (which may be useful for taking remote backups even if root login is
 normally not allowed). All other authentication methods are disabled
 for root.
+.Pp
+If this option is set to
+.Dq no
+root is not allowed to login.
 .It Cm PidFile
 Specifies the file that contains the process identifier of the
 .Nm
@@ -608,9 +615,11 @@ and
 Multiple versions must be comma-separated.
 The default is
 .Dq 1 .
-.It Cm RandomSeed
-Obsolete.
-Random number generation uses other techniques.
+.It Cm PubkeyAuthentication
+Specifies whether public key authentication is allowed.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
 .It Cm ReverseMappingCheck
 Specifies whether
 .Nm
@@ -642,21 +651,6 @@ Note that this option applies to protocol version 1 only.
 .It Cm ServerKeyBits
 Defines the number of bits in the server key.
 The minimum value is 512, and the default is 768.
-.It Cm ChallengeResponseAuthentication
-Specifies whether
-challenge reponse
-authentication is allowed.
-Currently there is support for
-.Xr skey 1
-and PAM authentication.
-The default is
-.Dq yes .
-Note that enabling ChallengeResponseAuthentication for PAM bypasses 
-OpenSSH's password checking code, thus rendering options such as 
-.Cm PasswordAuthentication 
-and
-.Cm PermitEmptyPasswords
-ineffective.
 .It Cm StrictModes
 Specifies whether
 .Nm