=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd.8,v retrieving revision 1.153.2.4 retrieving revision 1.153.2.5 diff -u -r1.153.2.4 -r1.153.2.5 --- src/usr.bin/ssh/sshd.8 2002/03/08 15:17:18 1.153.2.4 +++ src/usr.bin/ssh/sshd.8 2002/05/17 00:03:24 1.153.2.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.153.2.4 2002/03/08 15:17:18 brad Exp $ +.\" $OpenBSD: sshd.8,v 1.153.2.5 2002/05/17 00:03:24 miod Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -116,14 +116,14 @@ because it is fundamentally insecure, but can be enabled in the server configuration file if desired. System security is not improved unless -.Xr rshd 8 , -.Xr rlogind 8 , +.Nm rshd , +.Nm rlogind , and -.Xr rexecd 8 +.Xr rexecd are disabled (thus completely disabling -.Xr rlogin 1 +.Xr rlogin and -.Xr rsh 1 +.Xr rsh into the machine). .Pp .Ss SSH protocol version 2 @@ -332,7 +332,7 @@ .It Cm AFSTokenPassing Specifies whether an AFS token may be forwarded to the server. Default is -.Dq yes . +.Dq no . .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. @@ -390,6 +390,7 @@ The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. +By default, no banner is displayed. .Pp .It Cm ChallengeResponseAuthentication Specifies whether challenge response authentication is allowed. @@ -570,7 +571,7 @@ To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. Default is -.Dq yes . +.Dq no . .It Cm KerberosOrLocalPasswd If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism 
@@ -831,7 +832,19 @@ .Xr login 1 does not know how to handle .Xr xauth 1 -cookies. +cookies. If +.Cm UsePrivilegeSeparation +is specified, it will be disabled after authentication. +.It Cm UsePrivilegeSeparation +Specifies whether +.Nm +separated privileges by creating an unprivileged child process +to deal with incoming network traffic. After successful authentication, +another process will be created that has the privilege of the authenticated +user. The goal of privilege separation is to prevent privilege +escalation by containing any corruption within the unprivileged processes. +The default is +.Dq no . .It Cm VerifyReverseMapping Specifies whether .Nm @@ -1015,6 +1028,10 @@ .Pa id_rsa.pub file and edit it. .Pp +.Nm +enforces a minimum RSA key modulus size for protocol 1 +and protocol 2 keys of 768 bits. +.Pp The options (if present) consist of comma-separated option specifications. No spaces are permitted, except within double quotes. @@ -1299,13 +1316,17 @@ .It Pa $HOME/.ssh/rc If this file exists, it is run with /bin/sh after reading the environment files but before starting the user's shell or command. -If X11 spoofing is in use, this will receive the "proto cookie" pair in -standard input (and +It must not produce any output on stdout; stderr must be used +instead. +If X11 forwarding is in use, it will receive the "proto cookie" pair in +its standard input (and .Ev DISPLAY -in environment). -This must call +in its environment). +The script must call .Xr xauth 1 -in that case. +because +.Nm +will not run xauth automatically to add X11 cookies. .Pp The primary purpose of this file is to run any initialization routines which may be needed before the user's home directory becomes 
@@ -1314,15 +1335,22 @@ This file will probably contain some initialization code followed by something similar to: .Bd -literal - if read proto cookie; then - echo add $DISPLAY $proto $cookie | xauth -q - +if read proto cookie && [ -n "$DISPLAY" ]; then + if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then + # X11UseLocalhost=yes + xauth add unix:`echo $DISPLAY | + cut -c11-` $proto $cookie + else + # X11UseLocalhost=no + xauth add $DISPLAY $proto $cookie fi +fi .Ed .Pp If this file does not exist, .Pa /etc/sshrc is run, and if that -does not exist either, xauth is used to store the cookie. +does not exist either, xauth is used to add the cookie. .Pp This file should be writable only by the user, and need not be readable by anyone else. @@ -1342,6 +1370,8 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. +Niels Provos and Markus Friedl contributed support +for privilege separation. .Sh SEE ALSO .Xr scp 1 , .Xr sftp 1 , @@ -1359,8 +1389,8 @@ .%A T. Rinne .%A S. Lehtinen .%T "SSH Protocol Architecture" -.%N draft-ietf-secsh-architecture-09.txt -.%D July 2001 +.%N draft-ietf-secsh-architecture-12.txt +.%D January 2002 .%O work in progress material .Re .Rs @@ -1368,7 +1398,7 @@ .%A N. Provos .%A W. A. Simpson .%T "Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol" -.%N draft-ietf-secsh-dh-group-exchange-01.txt -.%D April 2001 +.%N draft-ietf-secsh-dh-group-exchange-02.txt +.%D January 2002 .%O work in progress material .Re
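Review bot: in the @@ -116,14 hunk the cross references end up inconsistent: ".Xr rshd 8 ," and ".Xr rlogind 8 ," become ".Nm rshd ," and ".Nm rlogind ,", while ".Xr rexecd 8", ".Xr rlogin 1" and ".Xr rsh 1" keep ".Xr" but lose their section numbers. ".Nm" is the macro for the current page's own name, so it renders these daemons as if they were this page's subject, and an ".Xr" with no section argument is a cross reference that points nowhere. If the intent is that these programs are no longer shipped and should not be cross-referenced, treat all five the same way (plain text, or ".Nm" for each) instead of mixing the two.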
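Review bot: the @@ -332,7 hunk flips the documented default of AFSTokenPassing from ".Dq yes ." to ".Dq no ." but nothing in the patch shows the server's built-in default changing; please confirm the code default and the shipped sample configuration agree, since a manual page advertising a stricter default than the binary applies gives administrators false assurance.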
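Review bot: same concern for the @@ -570,7 hunk, which changes the documented default of the Kerberos option preceding KerberosOrLocalPasswd from ".Dq yes ." to ".Dq no .". The entry still says the server needs a Kerberos servtab for the option to work at all, so "no" is the more plausible default to document, but it must match what the server actually does when the option is absent from the configuration.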
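Review bot: in the @@ -831,7 hunk the new UsePrivilegeSeparation entry has a grammatical slip, "separated privileges" should read "separates privileges", and the sentence appended to the UseLogin entry, "If UsePrivilegeSeparation is specified, it will be disabled after authentication", leaves "it" ambiguous; say explicitly that privilege separation, not UseLogin, is what stops applying after authentication. Also, following the new-sentence-new-line convention used everywhere else in this page, "cookies. If" should break the line before "If". Since the entry explains that the unprivileged child exists to contain corruption while handling incoming network traffic, it would help readers to note that with the documented default of ".Dq no ." that containment is not in effect.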
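Review bot: in the @@ -1299,13 hunk the last added line writes "xauth" as bare text while the line just above it uses ".Xr xauth 1"; keep the macro form for consistency. The new requirement that the script "must not produce any output on stdout" is the most important addition here, and a reader who runs into it will want to know what it breaks; a short clause giving the reason would make the restriction easier to respect.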
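Review bot: the @@ -1314,15 hunk changes how the cookie reaches xauth: the old example piped "echo add $DISPLAY $proto $cookie | xauth -q -" through standard input, whereas both new branches pass "$proto $cookie" on the "xauth add" command line, which exposes the X11 cookie to any local user who can list processes during the moment xauth runs. Suggest keeping the stdin form in both branches, for example "echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie | xauth -q -" for the X11UseLocalhost=yes case. Minor: $DISPLAY is unquoted in both "echo $DISPLAY" pipelines; quoting it costs nothing and the "[ -n "$DISPLAY" ]" guard already shows the intended style.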