=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd_config.5,v retrieving revision 1.13.2.3 retrieving revision 1.14 diff -u -r1.13.2.3 -r1.14 --- src/usr.bin/ssh/sshd_config.5 2003/09/16 21:20:29 1.13.2.3 +++ src/usr.bin/ssh/sshd_config.5 2003/01/23 08:58:47 1.14 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.13.2.3 2003/09/16 21:20:29 brad Exp $ +.\" $OpenBSD: sshd_config.5,v 1.14 2003/01/23 08:58:47 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -61,6 +61,10 @@ keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): .Bl -tag -width Ds +.It Cm AFSTokenPassing +Specifies whether an AFS token may be forwarded to the server. +Default is +.Dq no . .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. @@ -68,7 +72,7 @@ group or supplementary group list matches one of the patterns. .Ql \&* and -.Ql \&? +.Ql ? can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. @@ -89,7 +93,7 @@ match one of the patterns. .Ql \&* and -.Ql \&? +.Ql ? can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. @@ -103,8 +107,7 @@ for user authentication. .Cm AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection -set-up. -The following tokens are defined: %% is replaced by a literal '%', +set-up. The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated and %u is replaced by the username of that user. After expansion, 
@@ -135,7 +138,7 @@ .Pp .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' + aes192-cbc,aes256-cbc'' .Ed .It Cm ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received @@ -150,24 +153,20 @@ Sets the number of client alive messages (see above) which may be sent without .Nm sshd -receiving any messages back from the client. -If this threshold is reached while client alive messages are being sent, +receiving any messages back from the client. If this threshold is +reached while client alive messages are being sent, .Nm sshd -will disconnect the client, terminating the session. -It is important to note that the use of client alive messages is very -different from +will disconnect the client, terminating the session. It is important +to note that the use of client alive messages is very different from .Cm KeepAlive -(below). -The client alive messages are sent through the encrypted channel -and therefore will not be spoofable. -The TCP keepalive option enabled by +(below). The client alive messages are sent through the +encrypted channel and therefore will not be spoofable. The TCP keepalive +option enabled by .Cm KeepAlive -is spoofable. -The client alive mechanism is valuable when the client or +is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. .Pp -The default value is 3. -If +The default value is 3. If .Cm ClientAliveInterval (above) is set to 15, and .Cm ClientAliveCountMax @@ -188,7 +187,7 @@ group list matches one of the patterns. .Ql \&* and -.Ql \&? +.Ql ? can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. 
@@ -200,7 +199,7 @@ Login is disallowed for user names that match one of the patterns. .Ql \&* and -.Ql \&? +.Ql ? can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. @@ -212,8 +211,8 @@ forwarded for the client. By default, .Nm sshd -binds remote port forwardings to the loopback address. -This prevents other remote hosts from connecting to forwarded ports. +binds remote port forwardings to the loopback address. This +prevents other remote hosts from connecting to forwarded ports. .Cm GatewayPorts can be used to specify that .Nm sshd @@ -225,17 +224,6 @@ .Dq no . The default is .Dq no . -.It Cm GSSAPIAuthentication -Specifies whether user authentication based on GSSAPI is allowed. -The default is -.Dq no . -Note that this option applies to protocol version 2 only. -.It Cm GSSAPICleanupCredentials -Specifies whether to automatically destroy the user's credentials cache -on logout. -The default is -.Dq yes . -Note that this option applies to protocol version 2 only. .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed @@ -271,6 +259,7 @@ and .Pa .shosts files will not be used in +.Cm RhostsAuthentication , .Cm RhostsRSAAuthentication or .Cm HostbasedAuthentication . @@ -314,9 +303,11 @@ To disable keepalives, the value should be set to .Dq no . .It Cm KerberosAuthentication -Specifies whether the password provided by the user for +Specifies whether Kerberos authentication is allowed. +This can be in the form of a Kerberos ticket, or if .Cm PasswordAuthentication -will be validated through the Kerberos KDC. +is yes, the password provided by the user will be validated through +the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. Default is 
@@ -328,6 +319,11 @@ .Pa /etc/passwd . Default is .Dq yes . +.It Cm KerberosTgtPassing +Specifies whether a Kerberos TGT may be forwarded to the server. +Default is +.Dq no , +as this only works when the Kerberos KDC is actually an AFS kaserver. .It Cm KerberosTicketCleanup Specifies whether to automatically destroy the user's ticket cache file on logout. @@ -373,12 +369,10 @@ .Nm sshd will listen on the address and all prior .Cm Port -options specified. -The default is to listen on all local addresses. -Multiple +options specified. The default is to listen on all local +addresses. Multiple .Cm ListenAddress -options are permitted. -Additionally, any +options are permitted. Additionally, any .Cm Port options must precede this option for non port qualified addresses. .It Cm LoginGraceTime @@ -391,10 +385,10 @@ .Nm sshd . The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. -The default is INFO. -DEBUG and DEBUG1 are equivalent. -DEBUG2 and DEBUG3 each specify higher levels of debugging output. -Logging with a DEBUG level violates the privacy of users and is not recommended. +The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 +and DEBUG3 each specify higher levels of debugging output. +Logging with a DEBUG level violates the privacy of users +and is not recommended. .It Cm MACs Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 @@ -459,8 +453,8 @@ .Ar command option has been specified (which may be useful for taking remote backups even if root login is -normally not allowed). -All other authentication methods are disabled for root. +normally not allowed). All other authentication methods are disabled +for root. .Pp If this option is set to .Dq no 
@@ -533,6 +527,10 @@ The default is .Dq yes . Note that this option applies to protocol version 2 only. +.It Cm RhostsAuthentication +Specifies whether authentication using rhosts or /etc/hosts.equiv +files is sufficient. +Normally, this method should not be permitted because it is insecure. .Cm RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition @@ -580,14 +578,6 @@ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. -.It Cm UseDNS -Specifies whether -.Nm sshd -should lookup the remote host name and check that -the resolved host name for the remote IP address maps back to the -very same IP address. -The default is -.Dq yes . .It Cm UseLogin Specifies whether .Xr login 1 @@ -603,21 +593,27 @@ .Xr login 1 does not know how to handle .Xr xauth 1 -cookies. -If +cookies. If .Cm UsePrivilegeSeparation is specified, it will be disabled after authentication. .It Cm UsePrivilegeSeparation Specifies whether .Nm sshd separates privileges by creating an unprivileged child process -to deal with incoming network traffic. -After successful authentication, another process will be created that has -the privilege of the authenticated user. -The goal of privilege separation is to prevent privilege +to deal with incoming network traffic. After successful authentication, +another process will be created that has the privilege of the authenticated +user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is .Dq yes . +.It Cm VerifyReverseMapping +Specifies whether +.Nm sshd +should try to verify the remote host name and check that +the resolved host name for the remote IP address maps back to the +very same IP address. +The default is +.Dq no . .It Cm X11DisplayOffset Specifies the first display number available for .Nm sshd Ns 's 
@@ -648,7 +644,7 @@ forwarding (see the warnings for .Cm ForwardX11 in -.Xr ssh_config 5 ) . +.Xr ssh_config 5 ). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a @@ -664,8 +660,7 @@ Specifies whether .Nm sshd should bind the X11 forwarding server to the loopback address or to -the wildcard address. -By default, +the wildcard address. By default, .Nm sshd binds the forwarding server to the loopback address and sets the hostname part of the @@ -694,6 +689,7 @@ .Pa /usr/X11R6/bin/xauth . .El .Ss Time Formats +.Pp .Nm sshd command-line arguments and configuration file options that specify time may be expressed using a sequence of the form: @@ -742,8 +738,6 @@ This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. .El -.Sh SEE ALSO -.Xr sshd 8 .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. @@ -755,3 +749,5 @@ protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. +.Sh SEE ALSO +.Xr sshd 8
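Review bot: the revision order in the header is inverted (`-r1.13.2.3 -r1.14`, old side dated 2003/09/16, new side dated 2003/01/23), so every `+` line in this patch is the older trunk text and every `-` line is the newer branch text; read as a forward change it is a rollback of the 1.13.2.3 branch, and it should not be applied to a tree at 1.13.2.3 unless that rollback is actually intended.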
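Review bot: the hunk at @@ -135,7 +138,7 @@ shrinks the documented default cipher list from `aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr` to `aes192-cbc,aes256-cbc`, dropping the three CTR modes; the manual's default must match what the daemon actually offers, so check the sshd source on this branch before changing it, since an administrator auditing cipher policy will trust this list.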
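Review bot: the hunk at @@ -225,17 +224,6 @@ deletes the `GSSAPIAuthentication` and `GSSAPICleanupCredentials` entries while the hunks at @@ -61,6 +61,10 @@ and @@ -328,6 +319,11 @@ add `AFSTokenPassing` and `KerberosTgtPassing`; the set of keywords documented here has to match the set the daemon parses, so confirm which of the four `sshd_config` actually accepts at this revision rather than swapping the entries wholesale.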
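Review bot: the hunk at @@ -533,6 +527,10 @@ reinstates the `RhostsAuthentication` entry (and @@ -271,6 +259,7 @@ lists it under `IgnoreRhosts`) but, unlike its sibling entries, it states no `Default is` value even though its own text says the method "should not be permitted because it is insecure"; add the default so a reader can tell whether the insecure method is off without consulting the source.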
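Review bot: the hunk at @@ -580,14 +578,6 @@ removes `UseDNS` (default `yes`) and the hunk at @@ -603,21 +593,27 @@ adds `VerifyReverseMapping` (default `no`); these are not the same option renamed, since `UseDNS` governs whether the reverse lookup happens at all and `VerifyReverseMapping` only whether the forward mapping is checked, and the default moves from `yes` to `no`, so the documented default posture on reverse-DNS checking is weakened and any config written with `UseDNS` is left undocumented; call this out explicitly if it is intended.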
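Review bot: the four hunks that change `.Ql \&?` to `.Ql ?` (at @@ -68,7 +72,7 @@, @@ -89,7 +93,7 @@, @@ -188,7 +187,7 @@ and @@ -200,7 +199,7 @@) are a rendering regression: in mdoc `?` is a closing delimiter, so `.Ql ?` prints an empty quotation followed by a question mark instead of a quoted `?`; the `\&` prefix is what makes it literal and should stay.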
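Review bot: the hunk at @@ -648,7 +644,7 @@ changes `.Xr ssh_config 5 ) .` to `.Xr ssh_config 5 ).`; mdoc only recognizes `)` and `.` as delimiters when they are separate arguments, so the joined `).` is rendered as an ordinary argument glued to the cross-reference; keep them separated.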
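Review bot: the hunk at @@ -694,6 +689,7 @@ inserts a `.Pp` directly after `.Ss Time Formats`, which is redundant (a subsection header already starts a paragraph) and is the kind of macro mandoc warns about; and the hunks at @@ -742,8 +738,6 @@ and @@ -755,3 +749,5 @@ move `.Sh SEE ALSO` after `.Sh AUTHORS`, against the mdoc section order in which SEE ALSO precedes AUTHORS; drop the `.Pp` and leave SEE ALSO where it was.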
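Review bot: the rewrapping hunks (@@ -103,8 +107,7 @@, @@ -150,24 +153,20 @@, @@ -212,8 +211,8 @@, @@ -373,12 +369,10 @@, @@ -391,10 +385,10 @@, @@ -459,8 +453,8 @@, @@ -603,21 +593,27 @@ and @@ -664,8 +660,7 @@) join sentences onto shared source lines, for example `+set-up. The following tokens are defined: %% is replaced by a literal '%',`; mdoc relies on one sentence per line so roff spaces sentences correctly and diffs stay readable, so the `-` side's one-sentence-per-line layout is the one to keep.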