- dtucker@cvs.openbsd.org 2010/01/08 21:50:49

[openssh.git] / sshd_config.5

diff --git a/sshd_config.5 b/sshd_config.5
index 98eefd9a4a3c9b357970e05ab3da47ea4dd3cb4e..b74ab5b8cfb03b8d90f6e3d329d53a504e305439 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd_config.5,v 1.111 2009/10/28 21:45:08 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.115 2009/12/29 18:03:32 jmc Exp $

 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os
 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os


@@ -182,16 +182,16 @@ PAM or though authentication styles supported in
 The default is
 .Dq yes .
 .It Cm ChrootDirectory
 The default is
 .Dq yes .
 .It Cm ChrootDirectory

-Specifies a path to
+Specifies the pathname of a directory to

 .Xr chroot 2
 to after authentication.
 .Xr chroot 2
 to after authentication.

-This path, and all its components, must be root-owned directories that are
+All components of the pathname must be root-owned directories that are

 not writable by any other user or group.
 After the chroot,
 .Xr sshd 8
 changes the working directory to the user's home directory.
 .Pp
 not writable by any other user or group.
 After the chroot,
 .Xr sshd 8
 changes the working directory to the user's home directory.
 .Pp

-The path may contain the following tokens that are expanded at runtime once
+The pathname may contain the following tokens that are expanded at runtime once

 the connecting user has been authenticated: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated, and
 %u is replaced by the username of that user.
 the connecting user has been authenticated: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated, and
 %u is replaced by the username of that user.


@@ -806,15 +806,15 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.

-.It Cm RDomain
-Set the routing domain number.
-The default routing domain is set by the system.

 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
 The default is
 .Dq no .
 This option applies to protocol version 1 only.
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
 The default is
 .Dq no .
 This option applies to protocol version 1 only.

+.It Cm RoutingDomain
+Set the routing domain number.
+The default routing domain is set by the system.

 .It Cm RSAAuthentication
 Specifies whether pure RSA authentication is allowed.
 The default is
 .It Cm RSAAuthentication
 Specifies whether pure RSA authentication is allowed.
 The default is


@@ -832,6 +832,9 @@ This is normally desirable because novices sometimes accidentally leave their
 directory or files world-writable.
 The default is
 .Dq yes .
 directory or files world-writable.
 The default is
 .Dq yes .

+Note that this does not apply to
+.Cm ChrootDirectory ,
+whose permissions and ownership are checked unconditionally.

 .It Cm Subsystem
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)
 .It Cm Subsystem
 Configures an external subsystem (e.g. file transfer daemon).
 Arguments should be a subsystem name and a command (with optional arguments)