- djm@cvs.openbsd.org 2008/04/04 06:44:26

     [sshd_config.5]
     oops, some unrelated stuff crept into that commit - backout.
     spotted by jmc@

diff --git a/ChangeLog b/ChangeLog
index 4941a1deda972baf1d9497d25649535ca5356fbe..e6e7acbfdad70a9129323472d45fd3289345b534 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,10 @@
      [sshd_config.5]
      ChrootDirectory is supported in Match blocks (in fact, it is most useful
      there). Spotted by Minstrel AT minstrel.org.uk
      [sshd_config.5]
      ChrootDirectory is supported in Match blocks (in fact, it is most useful
      there). Spotted by Minstrel AT minstrel.org.uk

+   - djm@cvs.openbsd.org 2008/04/04 06:44:26
+     [sshd_config.5]
+     oops, some unrelated stuff crept into that commit - backout.
+     spotted by jmc@

 
 20080403
  - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
 
 20080403
  - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-

diff --git a/sshd_config.5 b/sshd_config.5
index ea1ed4fe95c941e9dbc31102ae191242d07de33f..262cefb784ffa75591a5f349ee2bc8e1036a9804 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.86 2008/04/04 06:44:26 djm Exp $

 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os
 .Dd $Mdocdate$
 .Dt SSHD_CONFIG 5
 .Os


@@ -210,29 +210,6 @@ in-process sftp server is used (see
 .Cm Subsystem
 for details).
 .Pp
 .Cm Subsystem
 for details).
 .Pp

-Please note that there are many ways to misconfigure a chroot environment
-in ways that compromise security.
-These include:
-.Pp
-.Bl -dash -offset indent -compact
-.It
-Making unsafe setuid binaries available;
-.It
-Having missing or incorrect configuration files in the chroot's
-.Pa /etc
-directory;
-.It
-Hard-linking files between the chroot and outside;
-.It
-Leaving unnecessary
-.Pa /dev
-nodes accessible inside the chroot (especially those for physical drives);
-.It
-Executing scripts or binaries inside the chroot from outside, either
-directly or through facilities such as
-.Xr cron 8 .
-.El
-.Pp

 The default is not to
 .Xr chroot 2 .
 .It Cm Ciphers
 The default is not to
 .Xr chroot 2 .
 .It Cm Ciphers


@@ -363,11 +340,6 @@ Specifying a command of
 will force the use of an in-process sftp server that requires no support
 files when used with
 .Cm ChrootDirectory .
 will force the use of an in-process sftp server that requires no support
 files when used with
 .Cm ChrootDirectory .

-Note that
-.Dq internal-sftp
-is only supported when
-.Cm UsePrivilegeSeparation
-is enabled.

 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.


@@ -830,11 +802,6 @@ server.
 This may simplify configurations using
 .Cm ChrootDirectory
 to force a different filesystem root on clients.
 This may simplify configurations using
 .Cm ChrootDirectory
 to force a different filesystem root on clients.

-Note that
-.Dq internal-sftp
-is only supported when
-.Cm UsePrivilegeSeparation
-is enabled.

 .Pp
 By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.
 .Pp
 By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.