- jmc@cvs.openbsd.org 2006/02/12 17:57:19

     [sshd.8]
     sort the list of options permissable w/ authorized_keys;
     ok djm dtucker

diff --git a/ChangeLog b/ChangeLog
index 8b44dd41ad5edb248be9ca0bce3dd57b4df24ee1..9be3df73ec70016b22e46d6c7b3df31868b4a4d0 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -85,6 +85,10 @@
    - jmc@cvs.openbsd.org 2006/02/12 10:52:41
      [sshd.8]
      rework the description of authorized_keys a little;
+   - jmc@cvs.openbsd.org 2006/02/12 17:57:19
+     [sshd.8]
+     sort the list of options permissable w/ authorized_keys;
+     ok djm dtucker
 
 20060313
  - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)

diff --git a/sshd.8 b/sshd.8
index 909339f075106a8dd0eac761c4ff02cd06da6f98..58bf9062ac848314e57e023c6219796bd51f4cb1 100644 (file)
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.217 2006/02/12 10:52:41 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.218 2006/02/12 17:57:19 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -421,26 +421,6 @@ No spaces are permitted, except within double quotes.
 The following option specifications are supported (note
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
-.It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-patterns
-.Pf ( Ql \&*
-and
-.Ql \&?
-serve as wildcards).
-The list may also contain
-patterns negated by prefixing them with
-.Ql \&! ;
-if the canonical host name matches a negated pattern, the key is not accepted.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
 .It Cm command="command"
 Specifies that the command is executed whenever this key is used for
 authentication.
@@ -470,20 +450,40 @@ option.
 This option is automatically disabled if
 .Cm UseLogin
 is enabled.
+.It Cm from="pattern-list"
+Specifies that in addition to public key authentication, the canonical name
+of the remote host must be present in the comma-separated list of
+patterns
+.Pf ( Ql \&*
+and
+.Ql \&?
+serve as wildcards).
+The list may also contain
+patterns negated by prefixing them with
+.Ql \&! ;
+if the canonical host name matches a negated pattern, the key is not accepted.
+The purpose
+of this option is to optionally increase security: public key authentication
+by itself does not trust the network or name servers or anything (but
+the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
+.It Cm no-agent-forwarding
+Forbids authentication agent forwarding when this key is used for
+authentication.
 .It Cm no-port-forwarding
 Forbids TCP forwarding when this key is used for authentication.
 Any port forward requests by the client will return an error.
 This might be used, e.g., in connection with the
 .Cm command
 option.
+.It Cm no-pty
+Prevents tty allocation (a request to allocate a pty will fail).
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm no-agent-forwarding
-Forbids authentication agent forwarding when this key is used for
-authentication.
-.It Cm no-pty
-Prevents tty allocation (a request to allocate a pty will fail).
 .It Cm permitopen="host:port"
 Limit local
 .Li ``ssh -L''