X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/1760c9822376b69f97e71321cc2740190762940a..HEAD:/sshd.8 diff --git a/sshd.8 b/sshd.8 index d6535dd6..8563e021 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.242 2008/06/10 04:50:25 dtucker Exp $ +.\" $OpenBSD: sshd.8,v 1.249 2009/10/08 20:42:13 jmc Exp $ .Dd $Mdocdate$ .Dt SSHD 8 .Os @@ -44,7 +44,7 @@ .Sh SYNOPSIS .Nm sshd .Bk -words -.Op Fl 46DTdeiqt +.Op Fl 46DdeiqTt .Op Fl b Ar bits .Op Fl C Ar connection_spec .Op Fl f Ar config_file @@ -100,7 +100,25 @@ Forces to use IPv6 addresses only. .It Fl b Ar bits Specifies the number of bits in the ephemeral protocol version 1 -server key (default 768). +server key (default 1024). +.It Fl C Ar connection_spec +Specify the connection parameters to use for the +.Fl T +extended test mode. +If provided, any +.Cm Match +directives in the configuration file +that would apply to the specified user, host, and address will be set before +the configuration is written to standard output. +The connection parameters are supplied as keyword=value pairs. +The keywords are +.Dq user , +.Dq host , +and +.Dq addr . +All are required and may be supplied in any order, either with multiple +.Fl C +options or as a comma-separated list. .It Fl D When this option is specified, .Nm @@ -192,12 +210,6 @@ Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged. -.It Fl t -Test mode. -Only check the validity of the configuration file and sanity of the keys. -This is useful for updating -.Nm -reliably as configuration options may change. .It Fl T Extended test mode. Check the validity of the configuration file, output the effective configuration 
@@ -207,24 +219,12 @@ Optionally, rules may be applied by specifying the connection parameters using one or more .Fl C options. -.It Fl C -Specify the connection parameters to use for the the -.Fl T -extended test mode. -If provided, any -.Cm Match -directives in the configuration file -that would apply to the specified user, host and address will be set before -the configuration is written to standard output. -The connection parameters are supplied as keyword=value pairs. -The keywords are -.Dq user , -.Dq host -and -.Dq addr -All are required and may be supplied in any order, either with multiple -.Fl C -options or as a comma-separated list. +.It Fl t +Test mode. +Only check the validity of the configuration file and sanity of the keys. +This is useful for updating +.Nm +reliably as configuration options may change. .It Fl u Ar len This option is used to specify the size of the field in the @@ -260,7 +260,7 @@ or .El .Sh AUTHENTICATION The OpenSSH SSH daemon supports SSH protocols 1 and 2. -Both protocols are supported by default, +The default is to use protocol 2 only, though this can be changed via the .Cm Protocol option in 
@@ -531,23 +531,27 @@ This option is automatically disabled if .Cm UseLogin is enabled. .It Cm from="pattern-list" -Specifies that in addition to public key authentication, the canonical name -of the remote host must be present in the comma-separated list of -patterns. -The purpose -of this option is to optionally increase security: public key authentication -by itself does not trust the network or name servers or anything (but -the key); however, if somebody somehow steals the key, the key -permits an intruder to log in from anywhere in the world. -This additional option makes using a stolen key more difficult (name -servers and/or routers would have to be compromised in addition to -just the key). -.Pp +Specifies that in addition to public key authentication, either the canonical +name of the remote host or its IP address must be present in the +comma-separated list of patterns. See .Sx PATTERNS in .Xr ssh_config 5 for more information on patterns. +.Pp +In addition to the wildcard matching that may be applied to hostnames or +addresses, a +.Cm from +stanza may match IP addresses using CIDR address/masklen notation. +.Pp +The purpose of this option is to optionally increase security: public key +authentication by itself does not trust the network or name servers or +anything (but the key); however, if somebody somehow steals the key, the key +permits an intruder to log in from anywhere in the world. +This additional option makes using a stolen key more difficult (name +servers and/or routers would have to be compromised in addition to +just the key). .It Cm no-agent-forwarding Forbids authentication agent forwarding when this key is used for authentication. @@ -737,8 +741,6 @@ will not allow it to be used unless the .Cm StrictModes option has been set to .Dq no . -The recommended permissions can be set by executing -.Dq chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys . .Pp .It ~/.ssh/environment This file is read into the environment at login (if it exists).
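Review bot: in the hunk at -100,7 +100,25, the -b default is changed from 768 to 1024 in the man page only; confirm the server's compiled-in default for the protocol 1 ephemeral server key was changed in the same commit, otherwise the page and the daemon disagree. The relocated -C block also fixes the "the the" typo and the missing trailing period after ".Dq addr" from the old text, which is good, but "will be set before the configuration is written" is clearer as "will be applied before the configuration is written", since Match directives are applied, not set.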
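Review bot: in the hunks at -192,12 +210,6 and -207,24 +219,12 the -t entry is moved below -T and -C is moved up to before -D, which restores alphabetical (uppercase-first) ordering and matches the new .Op Fl 46DdeiqTt synopsis; no content changes beyond the move, so this looks correct. The -T text still ends with "using one or more .Fl C options", so the cross-reference to the now-earlier -C entry remains valid.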
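Review bot: in the hunk at -260,7 +260,7 the AUTHENTICATION section now states that protocol 2 is the default and protocol 1 is only available via the Protocol option, but the -b entry in the hunk at -100,7 +100,25 still documents the protocol 1 server key with no mention that it has no effect unless protocol 1 is enabled. Suggest adding a short note to the -b entry (for example "This option has no effect unless protocol 1 is enabled via .Cm Protocol") so an administrator reading the option list does not assume -b is relevant to a default configuration.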
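Review bot: in the hunk at -531,23 +531,27 the from="pattern-list" rationale paragraph is kept verbatim, including "name servers and/or routers would have to be compromised in addition to just the key", but the option now also matches the remote IP address and CIDR ranges. An address-only pattern does not depend on name servers at all, so the parenthetical should be reworded to distinguish the two cases (hostname patterns depend on name resolution, address and CIDR patterns on routing). It would also help to state whether a hostname pattern is matched against the reverse-resolved canonical name only, since that determines how much trust in DNS the check implies.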
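Review bot: in the hunk at -737,8 +741,6 the two lines recommending "chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys" are deleted without replacement, which leaves the StrictModes paragraph saying the file will not be used unless StrictModes is "no" but no longer telling the user how to fix the permissions. If the command was removed because it is incomplete or platform-specific, the commit should say so and the paragraph should at least state the required condition (the home directory, ~/.ssh and authorized_keys must not be writable by others); otherwise the removal reads as an accidental loss of guidance.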