.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.46 2005/12/06 22:38:28 reyk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
aes192-ctr,aes256-ctr''
.Ed
.It Cm ClientAliveCountMax
-Sets the number of client alive messages (see above) which may be
+Sets the number of client alive messages (see below) which may be
sent without
.Nm sshd
receiving any messages back from the client.
The default value is 3.
If
.Cm ClientAliveInterval
-(above) is set to 15, and
+(see below) is set to 15, and
.Cm ClientAliveCountMax
is left at the default, unresponsive ssh clients
will be disconnected after approximately 45 seconds.
Specifies whether
.Xr tun 4
device forwarding is allowed.
+The argument must be
+.Dq yes ,
+.Dq point-to-point ,
+.Dq ethernet
+or
+.Dq no .
The default is
.Dq no .
.It Cm PermitUserEnvironment
.Dq yes
this will enable PAM authentication using
.Cm ChallengeResponseAuthentication
-and PAM account and session module processing for all authentication types.
+and
+.Cm PasswordAuthentication
+in addition to PAM account and session module processing for all
+authentication types.
.Pp
Because PAM challenge-response authentication usually serves an equivalent
role to password authentication, you should disable either