.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.102 2001/03/04 12:54:04 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.106 2001/03/07 01:19:06 deraadt Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
.Sh NAME
.Nm sshd
-.Nd OpenSSH secure shell daemon
+.Nd OpenSSH ssh daemon
.Sh SYNOPSIS
.Nm sshd
.Op Fl diqD46
.Op Fl V Ar client_protocol_id
.Sh DESCRIPTION
.Nm
-(Secure Shell Daemon) is the daemon program for
+(SSH Daemon) is the daemon program for
.Xr ssh 1 .
Together these programs replace rlogin and rsh, and
provide secure encrypted communications between two untrusted hosts
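Review bot: the new .Nd text "OpenSSH ssh daemon" and the new description "(SSH Daemon)" capitalize the protocol name differently; pick one form, preferably "SSH daemon" in both places, since the .Nd line is what apropos/whatis print verbatim. Separately, the $OpenBSD$ id jumps from 1.102 to 1.106, so this sync folds several upstream revisions into one change; the commit message should list which ones are being pulled in.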
However, when the daemon starts, it does not generate a server key.
Forward security is provided through a Diffie-Hellman key agreement.
This key agreement results in a shared session key.
-The rest of the session is encrypted
-using a symmetric cipher, currently
-Blowfish, 3DES or CAST128 in CBC mode or Arcfour.
+The rest of the session is encrypted using a symmetric cipher, currently
+Blowfish, 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES.
The client selects the encryption algorithm
to use from those offered by the server.
Additionally, session integrity is provided
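Review bot: the rewritten cipher sentence loses the mode information the old text carried ("Blowfish, 3DES or CAST128 in CBC mode or Arcfour"): the replacement "Blowfish, 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES." no longer says the block ciphers run in CBC mode, which matters because the Ciphers keyword names them as aes128-cbc, 3des-cbc and so on. Suggest "Blowfish, 3DES, CAST128 or AES (128 or 256 bit) in CBC mode, or Arcfour", and hyphenate as "128-bit" and "256-bit". Note also that 256-bit AES is advertised here while the Ciphers default later in this same patch lists only aes128-cbc; a sentence saying aes256-cbc is available but not in the default list would stop readers assuming the two are in sync.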
authentication is allowed.
This option is only available for protocol version 2.
.Pp
+.It Cm ChallengeResponseAuthentication
+Specifies whether
+challenge response
+authentication is allowed.
+Currently there is only support for
+.Xr skey 1
+authentication.
+The default is
+.Dq yes .
.It Cm Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated.
The default is
-.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc .
+.Dq aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour.
.It Cm CheckMail
Specifies whether
.Nm
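Review bot: the new Ciphers default line ".Dq aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour." puts the sentence-ending period inside the .Dq argument, so mdoc will render it inside the quotes as if it were part of the cipher list; the line it replaces kept the usual convention of a space before trailing punctuation (".Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc ."). Restore that: ".Dq aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour ." The added ChallengeResponseAuthentication entry is correctly placed ahead of Ciphers, but the existing CheckMail entry still follows Ciphers, which breaks the alphabetical order this relocation is trying to establish; worth swapping while this area is being edited.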
can be used as wildcards in the patterns.
Only user names are valid; a numerical user ID isn't recognized.
By default login is allowed regardless of the user name.
-.It Cm PubkeyAuthentication
-Specifies whether public key authentication is allowed.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 2 only.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
The default is
.Pp
.Bd -literal
- ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,
+ ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,
hmac-sha1-96,hmac-md5-96''
.Ed
.It Cm MaxStartups
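Review bot: reordering the MACs default to "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com," makes hmac-md5 the first-listed, and therefore preferred, integrity algorithm in place of hmac-sha1. If the line is only being brought in line with what the code already does, fine, but since HMAC-SHA1 is the more conservative of the two, a change that demotes it in favor of HMAC-MD5 should carry a one-line rationale in the commit log so the choice is not mistaken for an accident.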
Multiple versions must be comma-separated.
The default is
.Dq 1 .
+.It Cm PubkeyAuthentication
+Specifies whether public key authentication is allowed.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
.It Cm ReverseMappingCheck
Specifies whether
.Nm
.It Cm ServerKeyBits
Defines the number of bits in the server key.
The minimum value is 512, and the default is 768.
-.It Cm ChallengeResponseAuthentication
-Specifies whether
-challenge response
-authentication is allowed.
-Currently there is support for
-.Xr skey 1
-and PAM authentication.
-The default is
-.Dq yes .
-Note that enabling ChallengeResponseAuthentication for PAM bypasses
-OpenSSH's password checking code, thus rendering options such as
-.Cm PasswordAuthentication
-and
-.Cm PermitEmptyPasswords
-ineffective.
.It Cm StrictModes
Specifies whether
.Nm
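Review bot: the removed ChallengeResponseAuthentication entry carried two things the relocated copy earlier in this patch does not: the mention of PAM alongside skey ("Currently there is support for .Xr skey 1 and PAM authentication."), and the warning that enabling challenge-response for PAM bypasses OpenSSH's password checking and makes PasswordAuthentication and PermitEmptyPasswords ineffective. Dropping PAM is right for a page whose build has no PAM, but if this text is also consumed by a PAM-capable build the caveat should survive the move rather than vanish with it; either way the commit message should say the PAM sentences are being removed deliberately, not lost in the relocation. Taking the entry out of its old spot between ServerKeyBits and StrictModes does correct its alphabetical placement.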