===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd.8,v
retrieving revision 1.199
retrieving revision 1.199.2.2
diff -u -r1.199 -r1.199.2.2
--- src/usr.bin/ssh/sshd.8	2003/08/13 08:46:31	1.199
+++ src/usr.bin/ssh/sshd.8	2004/08/19 22:37:33	1.199.2.2
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.199.2.2 2004/08/19 22:37:33 brad Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -44,7 +44,7 @@
 .Sh SYNOPSIS
 .Nm sshd
 .Bk -words
-.Op Fl deiqtD46
+.Op Fl 46Ddeiqt
 .Op Fl b Ar bits
 .Op Fl f Ar config_file
 .Op Fl g Ar login_grace_time
@@ -78,9 +78,7 @@
 supports both SSH protocol version 1 and 2 simultaneously.
 .Nm
 works as follows:
-.Pp
 .Ss SSH protocol version 1
-.Pp
 Each host has a host-specific RSA key
 (normally 1024 bits) used to identify the host.
 Additionally, when
@@ -92,7 +90,7 @@
 host and server keys.
 The client compares the
 RSA host key against its own database to verify that it has not changed.
-The client then generates a 256 bit random number.
+The client then generates a 256-bit random number.
 It encrypts this
 random number using both the host key and the server key, and sends
 the encrypted number to the server.
@@ -107,14 +105,15 @@
 .Pp
 Next, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
-.Pa .rhosts
+.Em rhosts
 authentication,
-.Pa .rhosts
+.Em rhosts
 authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
 .Pp
-Rhosts authentication is normally disabled
+.Em rhosts
+authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.
 System security is not improved unless
@@ -127,9 +126,7 @@
 and
 .Xr rsh
 into the machine).
-.Pp
 .Ss SSH protocol version 2
-.Pp
 Version 2 works similarly:
 Each host has a host-specific key (RSA or DSA) used to identify the host.
 However, when the daemon starts, it does not generate a server key.
@@ -137,7 +134,7 @@
 This key agreement results in a shared session key.
 .Pp
 The rest of the session is encrypted using a symmetric cipher, currently
-128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES.
+128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
 The client selects the encryption algorithm
 to use from those offered by the server.
 Additionally, session integrity is provided
@@ -148,9 +145,7 @@
 user (PubkeyAuthentication) or
 client host (HostbasedAuthentication) authentication method,
 conventional password authentication and challenge response based methods.
-.Pp
 .Ss Command execution and data forwarding
-.Pp
 If the client successfully authenticates itself, a dialog for
 preparing the session is entered.
 At this time the client may request
@@ -169,22 +164,37 @@
 the client, and both sides exit.
 .Pp
 .Nm
-can be configured using command-line options or a configuration
-file.
+can be configured using command-line options or a configuration file
+(by default
+.Xr sshd_config 5 ) .
 Command-line options override values specified in the
 configuration file.
 .Pp
 .Nm
 rereads its configuration file when it receives a hangup signal,
 .Dv SIGHUP ,
-by executing itself with the name it was started as, i.e.,
+by executing itself with the name and options it was started with, e.g.,
 .Pa /usr/sbin/sshd .
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
 .It Fl b Ar bits
 Specifies the number of bits in the ephemeral protocol version 1
 server key (default 768).
+.It Fl D
+When this option is specified,
+.Nm
+will not detach and does not become a daemon.
+This allows easy monitoring of
+.Nm sshd .
 .It Fl d
 Debug mode.
 The server sends verbose debug output to the system
@@ -244,7 +254,7 @@
 Specifies how often the ephemeral protocol version 1 server key is
 regenerated (default 3600 seconds, or one hour).
 The motivation for regenerating the key fairly
-often is that the key is not stored anywhere, and after about an hour,
+often is that the key is not stored anywhere, and after about an hour
 it becomes impossible to recover the key for decrypting intercepted
 communications even if the machine is cracked into or physically
 seized.
@@ -253,6 +263,8 @@
 Can be used to give options in the format used in the configuration file.
 This is useful for specifying options for which there is no separate
 command-line flag.
+For full details of the options, and their values, see
+.Xr sshd_config 5 .
 .It Fl p Ar port
 Specifies the port on which the server listens for connections
 (default 22).
@@ -302,20 +314,6 @@
 .Cm AllowUsers
 or
 .Cm DenyUsers .
-.It Fl D
-When this option is specified
-.Nm
-will not detach and does not become a daemon.
-This allows easy monitoring of
-.Nm sshd .
-.It Fl 4
-Forces
-.Nm
-to use IPv4 addresses only.
-.It Fl 6
-Forces
-.Nm
-to use IPv6 addresses only.
 .El
 .Sh CONFIGURATION FILE
 .Nm
@@ -352,9 +350,9 @@
 .It
 Sets up basic environment.
 .It
-Reads
-.Pa $HOME/.ssh/environment
-if it exists and users are allowed to change their environment.
+Reads the file
+.Pa $HOME/.ssh/environment ,
+if it exists, and users are allowed to change their environment.
 See the
 .Cm PermitUserEnvironment
 option in
@@ -493,7 +491,7 @@
 port forwarding such that it may only connect to the specified host and
 port.
 IPv6 addresses can be specified with an alternative syntax:
-.Ar host/port .
+.Ar host Ns / Ns Ar port .
 Multiple
 .Cm permitopen
 options may be applied separated by commas.
@@ -501,13 +499,13 @@
 they must be literal domains or addresses.
 .El
 .Ss Examples
-1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
+1024 33 12121...312314325 ylo@foo.bar
 .Pp
-from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
+from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
 .Pp
-command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
+command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
 .Pp
-permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323
+permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The
 .Pa /etc/ssh/ssh_known_hosts
@@ -565,7 +563,7 @@
 and adding the host names at the front.
 .Ss Examples
 .Bd -literal
-closenet,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi
+closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
 cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
 .Ed
 .Sh FILES
@@ -624,7 +622,7 @@
 .Pa id_rsa.pub
 files into this file, as described in
 .Xr ssh-keygen 1 .
-.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts"
+.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts"
 These files are consulted when using rhosts with RSA host
 authentication or protocol version 2 hostbased authentication
 to check the public key of the host.
@@ -658,7 +656,7 @@
 be writable only by the user; it is recommended that it not be
 accessible by others.
 .Pp
-If is also possible to use netgroups in the file.
+It is also possible to use netgroups in the file.
 Either host or user
 name may be of the form +@groupname to specify all hosts or all users
 in the group.
@@ -670,7 +668,7 @@
 not used by rlogin and rshd, so using this permits access using SSH only.
 .It Pa /etc/hosts.equiv
 This file is used during
-.Pa .rhosts
+.Em rhosts
 authentication.
 In the simplest form, this file contains host names, one per line.
 Users on
@@ -777,9 +775,12 @@
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
+.Xr chroot 2 ,
+.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
+.Xr inetd 8 ,
 .Xr sftp-server 8
 .Rs
 .%A T. Ylonen