X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/72c35df7c8e77e600695aea4a0a3824e76f92d24..1c59025848be8ebfcd37d2ba3dbf73600643675d:/sshd_config.5

diff --git a/sshd_config.5 b/sshd_config.5
index 8250be8d..223ff8aa 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.16 2003/04/30 01:16:20 mouring Exp $
+.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -61,10 +61,6 @@ The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
 .Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server.
-Default is
-.Dq no .
 .It Cm AllowGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
@@ -107,7 +103,8 @@ Specifies the file that contains the public keys that can be used
 for user authentication.
 .Cm AuthorizedKeysFile
 may contain tokens of the form %T which are substituted during connection
-set-up. The following tokens are defined: %% is replaced by a literal '%',
+set-up.
+The following tokens are defined: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated and
 %u is replaced by the username of that user.
 After expansion,
@@ -138,7 +135,7 @@ The default is
 .Pp
 .Bd -literal
   ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
-    aes192-cbc,aes256-cbc''
+    aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
 .Ed
 .It Cm ClientAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
@@ -153,20 +150,24 @@ This option applies to protocol version 2 only.
 Sets the number of client alive messages (see above) which may be
 sent without
 .Nm sshd
-receiving any messages back from the client. If this threshold is
-reached while client alive messages are being sent,
+receiving any messages back from the client.
+If this threshold is reached while client alive messages are being sent,
 .Nm sshd
-will disconnect the client, terminating the session. It is important
-to note that the use of client alive messages is very different from
+will disconnect the client, terminating the session.
+It is important to note that the use of client alive messages is very
+different from
 .Cm KeepAlive
-(below). The client alive messages are sent through the
-encrypted channel and therefore will not be spoofable. The TCP keepalive
-option enabled by
+(below).
+The client alive messages are sent through the encrypted channel
+and therefore will not be spoofable.
+The TCP keepalive option enabled by
 .Cm KeepAlive
-is spoofable. The client alive mechanism is valuable when the client or
+is spoofable.
+The client alive mechanism is valuable when the client or
 server depend on knowing when a connection has become inactive.
 .Pp
-The default value is 3. If
+The default value is 3.
+If
 .Cm ClientAliveInterval
 (above) is set to 15, and
 .Cm ClientAliveCountMax
@@ -322,8 +323,7 @@ Default is
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT may be forwarded to the server.
 Default is
-.Dq no ,
-as this only works when the Kerberos KDC is actually an AFS kaserver.
+.Dq no .
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.
@@ -369,11 +369,12 @@ is not specified,
 .Nm sshd
 will listen on the address and all prior
 .Cm Port
-options specified. The default is to listen on all local
-addresses.
+options specified.
+The default is to listen on all local addresses.
 Multiple
 .Cm ListenAddress
-options are permitted. Additionally, any
+options are permitted.
+Additionally, any
 .Cm Port
 options must precede this option for non port qualified addresses.
 .It Cm LoginGraceTime
@@ -454,8 +455,8 @@ but only if the
 .Ar command
 option has been specified
 (which may be useful for taking remote backups even if root login is
-normally not allowed). All other authentication methods are disabled
-for root.
+normally not allowed).
+All other authentication methods are disabled for root.
 .Pp
 If this option is set to
 .Dq no
@@ -579,6 +580,14 @@ Gives the facility code that is used when logging messages from
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseDNS
+Specifies whether
+.Nm sshd
+should lookup the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq yes .
 .It Cm UseLogin
 Specifies whether
 .Xr login 1
@@ -616,14 +625,6 @@ The goal of privilege separation is to prevent privilege
 escalation by containing any corruption within the unprivileged processes.
 The default is
 .Dq yes .
-.It Cm VerifyReverseMapping
-Specifies whether
-.Nm sshd
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's
@@ -654,7 +655,7 @@ display server may be exposed to attack when the ssh client requests
 forwarding (see the warnings for
 .Cm ForwardX11
 in
-.Xr ssh_config 5 ).
+.Xr ssh_config 5 ) .
 A system administrator may have a stance in which they want to
 protect clients that may expose themselves to attack by unwittingly
 requesting X11 forwarding, which can warrant a
@@ -700,7 +701,6 @@ The default is
 .Pa /usr/X11R6/bin/xauth .
 .El
 .Ss Time Formats
-.Pp
 .Nm sshd
 command-line arguments and configuration file options that specify time
 may be expressed using a sequence of the form:
@@ -749,6 +749,8 @@ Contains configuration data for
 This file should be writable by root only, but it is recommended
 (though not necessary) that it be world-readable.
 .El
+.Sh SEE ALSO
+.Xr sshd 8
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.
@@ -760,5 +762,3 @@ Markus Friedl contributed the support for SSH
 protocol versions 1.5 and 2.0.
 Niels Provos and Markus Friedl contributed support
 for privilege separation.
-.Sh SEE ALSO
-.Xr sshd 8