=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd_config.5,v retrieving revision 1.25.2.2 retrieving revision 1.26 diff -u -r1.25.2.2 -r1.26 --- src/usr.bin/ssh/sshd_config.5 2004/08/19 22:37:33 1.25.2.2 +++ src/usr.bin/ssh/sshd_config.5 2003/11/21 11:57:03 1.26 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.25.2.2 2004/08/19 22:37:33 brad Exp $ +.\" $OpenBSD: sshd_config.5,v 1.26 2003/11/21 11:57:03 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -61,28 +61,6 @@ keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): .Bl -tag -width Ds -.It Cm AcceptEnv -Specifies what environment variables sent by the client will be copied into -the session's -.Xr environ 7 . -See -.Cm SendEnv -in -.Xr ssh_config 5 -for how to configure the client. -Note that environment passing is only supported for protocol 2. -Variables are specified by name, which may contain the wildcard characters -.Ql \&* -and -.Ql \&? . -Multiple environment variables may be separated by whitespace or spread -across multiple -.Cm AcceptEnv -directives. -Be warned that some environment variables could be used to bypass restricted -user environments. -For this reason, care should be taken in the use of this directive. -The default is not to accept any environment variables. .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. @@ -95,6 +73,7 @@ wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. +.Pp .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is 
@@ -102,6 +81,7 @@ Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. +.Pp .It Cm AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. @@ -117,6 +97,7 @@ If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. +.Pp .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. @@ -139,6 +120,7 @@ authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed. +.Pp .It Cm ChallengeResponseAuthentication Specifies whether challenge response authentication is allowed. All authentication styles from @@ -149,19 +131,8 @@ .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. -The supported ciphers are -.Dq 3des-cbc , -.Dq aes128-cbc , -.Dq aes192-cbc , -.Dq aes256-cbc , -.Dq aes128-ctr , -.Dq aes192-ctr , -.Dq aes256-ctr , -.Dq arcfour , -.Dq blowfish-cbc , -and -.Dq cast128-cbc . The default is +.Pp .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' @@ -185,12 +156,12 @@ will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from -.Cm TCPKeepAlive +.Cm KeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by -.Cm TCPKeepAlive +.Cm KeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. 
@@ -222,6 +193,7 @@ wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. +.Pp .It Cm DenyUsers This keyword can be followed by a list of user name patterns, separated by spaces. @@ -320,6 +292,27 @@ .Cm HostbasedAuthentication . The default is .Dq no . +.It Cm KeepAlive +Specifies whether the system should send TCP keepalive messages to the +other side. +If they are sent, death of the connection or crash of one +of the machines will be properly noticed. +However, this means that +connections will die if the route is down temporarily, and some people +find it annoying. +On the other hand, if keepalives are not sent, +sessions may hang indefinitely on the server, leaving +.Dq ghost +users and consuming server resources. +.Pp +The default is +.Dq yes +(to send keepalives), and the server will notice +if the network goes down or the client host crashes. +This avoids infinitely hanging sessions. +.Pp +To disable keepalives, the value should be set to +.Dq no . .It Cm KerberosAuthentication Specifies whether the password provided by the user for .Cm PasswordAuthentication @@ -328,11 +321,6 @@ Kerberos servtab which allows the verification of the KDC's identity. Default is .Dq no . -.It Cm KerberosGetAFSToken -If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire -an AFS token before accessing the user's home directory. -Default is -.Dq no . .It Cm KerberosOrLocalPasswd If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism 
@@ -414,12 +402,6 @@ Multiple algorithms must be comma-separated. The default is .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . -.It Cm MaxAuthTries -Specifies the maximum number of authentication attempts permitted per -connection. -Once the number of failures reaches half this value, -additional failures are logged. -The default is 6. .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the .Nm sshd @@ -551,6 +533,13 @@ The default is .Dq yes . Note that this option applies to protocol version 2 only. +.Cm RhostsRSAAuthentication +should be used +instead, because it performs RSA-based host authentication in addition +to normal rhosts or /etc/hosts.equiv authentication. +The default is +.Dq no . +This option applies to protocol version 1 only. .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. @@ -591,27 +580,6 @@ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. -.It Cm TCPKeepAlive -Specifies whether the system should send TCP keepalive messages to the -other side. -If they are sent, death of the connection or crash of one -of the machines will be properly noticed. -However, this means that -connections will die if the route is down temporarily, and some people -find it annoying. -On the other hand, if TCP keepalives are not sent, -sessions may hang indefinitely on the server, leaving -.Dq ghost -users and consuming server resources. -.Pp -The default is -.Dq yes -(to send TCP keepalive messages), and the server will notice -if the network goes down or the client host crashes. -This avoids infinitely hanging sessions. -.Pp -To disable TCP keepalive messages, the value should be set to -.Dq no . .It Cm UseDNS Specifies whether .Nm sshd
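Review bot: the $OpenBSD$ ids in the @@ -34,7 hunk show the "old" side as 1.25.2.2 (2004/08/19) and the "new" side as 1.26 (2003/11/21), so this diff runs from a newer branch revision back to an older trunk one; read forward it removes AcceptEnv, KerberosGetAFSToken, MaxAuthTries and TCPKeepAlive from the page, which looks like a reversed diff rather than an intended change. Suggest regenerating it with the revisions in chronological order (diff -u -r1.26 -r1.25.2.2) before reviewing the content as a change set.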
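Review bot: the @@ -61,28 hunk drops the whole AcceptEnv entry, including its caveat that some client-supplied environment variables can be used to bypass restricted user environments; if the corresponding sshd still accepts AcceptEnv, the directive and that caveat should stay documented, since an administrator reading this page would otherwise not know that environment passing can be enabled at all or that the default is to accept none.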
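Review bot: the bare ".Pp" lines added in the @@ -95,6, @@ -102,6, @@ -117,6, @@ -139,6 and @@ -222,6 hunks (before ".It Cm AllowTcpForwarding", "AllowUsers", "AuthorizedKeysFile", "ChallengeResponseAuthentication" and "DenyUsers") and the one before ".Bd -literal" in the Ciphers entry are applied to only some entries of the ".Bl -tag" list, so item spacing becomes inconsistent; either add the separator to every entry or drop these, since the tag list already separates its items.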
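Review bot: in the @@ -149,19 hunk the enumerated list of supported ciphers is removed and only the default string remains; the ten names in the removed list are exactly the ten in the default, so no cipher is lost today, but the entry no longer tells an administrator which values Ciphers accepts when narrowing the default (for example to drop arcfour or the CBC modes). Suggest keeping one sentence such as "The supported ciphers are those listed in the default" so the accepted set stays documented.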
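Review bot: the @@ -185,12, @@ -320,6 and @@ -591,27 hunks together rename TCPKeepAlive to KeepAlive (the two cross-references under ClientAliveInterval, the added entry and the removed entry), but nothing on the page says whether sshd still accepts the other spelling; a keyword rename with no alias or compatibility note means a configuration written against the other name silently stops matching the documented option, and an administrator who believes keepalives are disabled may not have disabled them. Suggest adding a line to the KeepAlive entry stating whether TCPKeepAlive is accepted as a synonym.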
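Review bot: the @@ -328,11 hunk removes the KerberosGetAFSToken entry without a matching note anywhere else in the patch; if the option is being dropped from sshd that is fine, but if this is a documentation-only change the entry should stay (with "aquire" corrected to "acquire" while it is being touched).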
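Review bot: the @@ -414,12 hunk removes MaxAuthTries, the only documented per-connection cap on authentication attempts (default 6, with additional failures logged once half that number is reached); if sshd still honours the option this page should keep it, because the limit and its logging threshold are what an administrator tunes to bound repeated authentication failures and to get the log lines that monitoring depends on.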
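Review bot: the lines added in the @@ -551,6 hunk look misplaced: they are inserted into an entry whose preceding context says the default is "yes" and that it applies to protocol version 2 only, then state that RhostsRSAAuthentication "should be used instead", that the default is "no" and that the option applies to protocol version 1 only, all immediately before the ".It Cm RhostsRSAAuthentication" entry itself. This reads as a remnant of a removed entry and contradicts the sentences directly above it; suggest dropping the paragraph or reattaching it to the entry it actually describes.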