PSARC 2012/335 OpenSSH migration
PSARC 2013/115 Shared configuration for SunSSH & OpenSSH
PSARC 2014/078 OpenSSH 6.5
PSARC 2014/342 pam_unix_session lastlog support
15769261 SUNBT7135649 Deliver OpenSSH 6.0P1 in the userland gate
18205826 upgrade OpenSSH to 6.5p1
19579776 OpenSSH doesn't need to reference lastlog anymore now that PAM session mgmt does
18267729 Delegating credentials in OpenSSH
18828925 migrate the disablebanner feature from SunSSH to OpenSSH
18890096 migrate PAM enhancements from SunSSH to OpenSSH
19629847 OpenSSH does not support Solaris Audit for login/logout.
17997193 misc. problems in Makefile and openssh.p5m
18268681 openssh has non-existent /usr/local/lib in its runpath
18528305 /var/empty should be delivered readonly
19034156 PAM conversation function for passwd auth method has an incorrect assumption
19906401 should set AUTHTOK to NULL after pam_authenticate in sshpam_auth_passwd()
19517432 OpenSSH does not update utmpx on login
19570656 GSSAPIAuthentication option should default to yes
19591379 X11Forwarding and ForwardX11Trusted should default to yes
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
18898794 ssh connections fail with openssh, same config works with sunssh
20549448 OpenSSH X86 server core dump at audit_event
20656125 OpenSSH ed25519 algorithm signature verification failure
18435439 problem in UTILITY/OPENSSH
18491957 problem in UTILITY/OPENSSH
# This change is Solaris-specific and thus is not being contributed back
# to the upstream community. Details:
#
# OpenSSH uses the BSD/Linux man page scheme, which differs from the SysV
# scheme used in Solaris: daemons and administrative commands live in section
# 1M rather than 8, and file formats live in section 4 rather than 5. To
# comply with the Solaris man page policy, and so that the IPS mediator can
# switch between the SunSSH and OpenSSH man pages, the section numbers of the
# affected OpenSSH man pages (and of the .Xr cross-references to them) are
# changed to match their SunSSH counterparts.
#
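The renumbering below is easy to get partly wrong: a reference that keeps section 5 or 8 after the sweep will point at a page Solaris does not deliver. The following script is an added example for checking that, not part of the Solaris userland patch or of OpenSSH. It scans mdoc sources for .Dt and .Xr macros whose section is still 8, or still 5 for a name that is not a genuine Solaris section-5 page (the patch itself keeps ".Xr pam_unix_session 5", since PAM modules really are documented in section 5 on Solaris). The allow-list of section-5 names, the function names and the sample page are assumptions constructed for the example; awk and sh usage is plain POSIX.

```shell
#!/bin/sh
# Added example, not part of the Solaris userland patch.  Reports .Dt/.Xr
# references in mdoc sources that still use BSD/Linux section numbers after
# the SysV renumbering: section 8 should have become 1M and section 5 should
# have become 4, except for names that genuinely live in Solaris section 5.

# Names allowed to stay in section 5 on Solaris (PAM modules).
# Assumption: this list is maintained by hand for the pages being converted.
SOLARIS_SECTION5_OK="pam_unix_session pam_unix_auth pam_unix_account"

# find_stale_sections FILE
# Prints "FILE:LINE: .Macro name section" for every .Dt/.Xr reference that
# still uses section 8, or section 5 for a name outside the allow-list.
# Exit status is 1 when at least one stale reference was found, 0 otherwise.
find_stale_sections() {
    awk -v ok="$SOLARIS_SECTION5_OK" '
        BEGIN {
            n = split(ok, names, " ")
            for (i = 1; i <= n; i++) allow[names[i]] = 1
        }
        # mdoc keeps trailing punctuation and macros (",", ".", "Ns") as
        # separate arguments, so the section is always the third field.
        ($1 == ".Dt" || $1 == ".Xr") && NF >= 3 {
            name = tolower($2); sec = $3
            stale = 0
            if (sec == "8") stale = 1
            if (sec == "5" && !(name in allow)) stale = 1
            if (stale) {
                printf "%s:%d: %s %s %s\n", FILENAME, FNR, $1, $2, sec
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# count_stale_sections FILE
# Same scan, but yields only the number of stale references.
count_stale_sections() {
    find_stale_sections "$1" | wc -l | tr -d ' '
}

# make_sample_page FILE
# Writes a constructed, half-converted sshd_config page: two references were
# renumbered, two were missed, and the PAM reference is correct as it stands.
make_sample_page() {
    cat > "$1" <<'EOF'
.Dt SSHD_CONFIG 4
.Sh DESCRIPTION
.Xr sshd 1M
reads configuration data from
.Pa /etc/ssh/sshd_config
.Xr sshd 8 Ns 's
X11 forwarding.
.Sh SEE ALSO
.Xr sshd 1M ,
.Xr hosts_access 5 ,
.Xr pam_unix_session 5
EOF
}

# Stand-alone demo: "sh check-sections.sh --demo" prints the two misses
# (lines 6 and 10 of the sample) and exits 1.
if [ "${1:-}" = "--demo" ]; then
    tmp="${TMPDIR:-/tmp}/mdoc-check.$$"
    make_sample_page "$tmp"
    find_stale_sections "$tmp"
    status=$?
    rm -f "$tmp"
    exit $status
fi
```

Run it over the converted tree with something like a loop over the .4, .1m and .5 sources before regenerating the patch; a clean run means every remaining section-5 reference is on the allow-list, which is exactly the invariant the header comment describes.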
--- orig/moduli.5 Thu Feb 6 10:00:17 2014
+++ new/moduli.5 Thu Feb 6 10:08:07 2014
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.Dd $Mdocdate: September 26 2012 $
-.Dt MODULI 5
+.Dt MODULI 4
.Os
.Sh NAME
.Nm moduli
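Review bot: .Dt MODULI 4 now disagrees with the file this hunk is written against, which is still new/moduli.5. The section in the .Dt header has to match the installed path, so the Makefile or openssh.p5m must deliver this page as man4/moduli.4 (and likewise sshd_config.5 as man4/sshd_config.4, sshd.8 as man1m/sshd.1m, and the other pages renumbered below), or "man -s 4 moduli" and the .Xr moduli 4 introduced in sshd.8 will resolve to nothing. That rename is not in this patch; add a sentence to the header comment saying where it happens so the two cannot drift apart.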
@@ -23,7 +23,7 @@
The
.Pa /etc/moduli
file contains prime numbers and generators for use by
-.Xr sshd 8
+.Xr sshd 1M
in the Diffie-Hellman Group Exchange key exchange method.
.Pp
New moduli may be generated with
@@ -40,7 +40,7 @@
.Ic ssh-keygen -T ,
provides a high degree of assurance that the numbers are prime and are
safe for use in Diffie-Hellman operations by
-.Xr sshd 8 .
+.Xr sshd 1M .
This
.Nm
format is used as the output from each pass.
@@ -70,7 +70,7 @@
Further primality testing with
.Xr ssh-keygen 1
produces safe prime moduli (type 2) that are ready for use in
-.Xr sshd 8 .
+.Xr sshd 1M .
Other types are not used by OpenSSH.
.It tests
Decimal number indicating the type of primality tests that the number
@@ -105,16 +105,16 @@
.El
.Pp
When performing Diffie-Hellman Group Exchange,
-.Xr sshd 8
+.Xr sshd 1M
first estimates the size of the modulus required to produce enough
Diffie-Hellman output to sufficiently key the selected symmetric cipher.
-.Xr sshd 8
+.Xr sshd 1M
then randomly selects a modulus from
.Fa /etc/moduli
that best meets the size requirement.
.Sh SEE ALSO
.Xr ssh-keygen 1 ,
-.Xr sshd 8
+.Xr sshd 1M
.Sh STANDARDS
.Rs
.%A M. Friedl
--- orig/sftp-server.8 Thu Feb 6 10:01:20 2014
+++ new/sftp-server.8 Thu Feb 6 10:09:59 2014
@@ -23,7 +23,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: October 14 2013 $
-.Dt SFTP-SERVER 8
+.Dt SFTP-SERVER 1M
.Os
.Sh NAME
.Nm sftp-server
@@ -47,7 +47,7 @@
to stdout and expects client requests from stdin.
.Nm
is not intended to be called directly, but from
-.Xr sshd 8
+.Xr sshd 1M
using the
.Cm Subsystem
option.
@@ -58,7 +58,7 @@
.Cm Subsystem
declaration.
See
-.Xr sshd_config 5
+.Xr sshd_config 4
for more information.
.Pp
Valid options are:
@@ -71,7 +71,7 @@
and %u is replaced by the username of that user.
The default is to use the user's home directory.
This option is useful in conjunction with the
-.Xr sshd_config 5
+.Xr sshd_config 4
.Cm ChrootDirectory
option.
.It Fl e
@@ -152,8 +152,8 @@
.Sh SEE ALSO
.Xr sftp 1 ,
.Xr ssh 1 ,
-.Xr sshd_config 5 ,
-.Xr sshd 8
+.Xr sshd_config 4 ,
+.Xr sshd 1M
.Rs
.%A T. Ylonen
.%A S. Lehtinen
--- orig/ssh_config.5 Thu Feb 6 10:01:20 2014
+++ new/ssh_config.5 Thu Mar 27 16:37:50 2014
@@ -35,7 +35,7 @@
.\"
.\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $
.Dd $Mdocdate: January 19 2014 $
-.Dt SSH_CONFIG 5
+.Dt SSH_CONFIG 4
.Os
.Sh NAME
.Nm ssh_config
@@ -503,7 +503,7 @@
.Dq Fl O No exit
option).
If set to a time in seconds, or a time in any of the formats documented in
-.Xr sshd_config 5 ,
+.Xr sshd_config 4 ,
then the backgrounded master connection will automatically terminate
after it has remained idle (with no client connections) for the
specified time.
@@ -622,7 +622,7 @@
Specify a timeout for untrusted X11 forwarding
using the format described in the
TIME FORMATS section of
-.Xr sshd_config 5 .
+.Xr sshd_config 4 .
X11 connections received by
.Xr ssh 1
after this time will be refused.
@@ -689,7 +689,7 @@
These hashed names may be used normally by
.Xr ssh 1
and
-.Xr sshd 8 ,
+.Xr sshd 1M ,
but they do not reveal identifying information should the file's contents
be disclosed.
The default is
@@ -1122,7 +1122,7 @@
The optional second value is specified in seconds and may use any of the
units documented in the
TIME FORMATS section of
-.Xr sshd_config 5 .
+.Xr sshd_config 4 .
The default value for
.Cm RekeyLimit
is
@@ -1166,7 +1166,7 @@
will only succeed if the server's
.Cm GatewayPorts
option is enabled (see
-.Xr sshd_config 5 ) .
+.Xr sshd_config 4 ) .
.It Cm RequestTTY
Specifies whether to request a pseudo-tty for the session.
The argument may be one of:
@@ -1218,7 +1218,7 @@
Refer to
.Cm AcceptEnv
in
-.Xr sshd_config 5
+.Xr sshd_config 4
for how to configure the server.
Variables are specified by name, which may contain wildcard characters.
Multiple environment variables may be separated by whitespace or spread
--- orig/ssh-keysign.8 Thu Feb 6 10:01:20 2014
+++ new/ssh-keysign.8 Thu Feb 6 10:13:05 2014
@@ -23,7 +23,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: December 7 2013 $
-.Dt SSH-KEYSIGN 8
+.Dt SSH-KEYSIGN 1M
.Os
.Sh NAME
.Nm ssh-keysign
@@ -52,7 +52,7 @@
See
.Xr ssh 1
and
-.Xr sshd 8
+.Xr sshd 1M
for more information about host-based authentication.
.Sh FILES
.Bl -tag -width Ds -compact
@@ -83,8 +83,8 @@
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
-.Xr ssh_config 5 ,
-.Xr sshd 8
+.Xr ssh_config 4 ,
+.Xr sshd 1M
.Sh HISTORY
.Nm
first appeared in
--- orig/ssh-pkcs11-helper.8 Thu Feb 6 10:01:20 2014
+++ new/ssh-pkcs11-helper.8 Thu Feb 6 10:14:40 2014
@@ -15,7 +15,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: July 16 2013 $
-.Dt SSH-PKCS11-HELPER 8
+.Dt SSH-PKCS11-HELPER 1M
.Os
.Sh NAME
.Nm ssh-pkcs11-helper
--- orig/sshd_config.5 Thu Feb 6 10:01:20 2014
+++ new/sshd_config.5 Thu Feb 6 10:17:21 2014
@@ -35,7 +35,7 @@
.\"
.\" $OpenBSD: sshd_config.5,v 1.170 2013/12/08 09:53:27 dtucker Exp $
.Dd $Mdocdate: December 8 2013 $
-.Dt SSHD_CONFIG 5
+.Dt SSHD_CONFIG 4
.Os
.Sh NAME
.Nm sshd_config
@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm /etc/ssh/sshd_config
.Sh DESCRIPTION
-.Xr sshd 8
+.Xr sshd 1M
reads configuration data from
.Pa /etc/ssh/sshd_config
(or the file specified with
@@ -68,7 +68,7 @@
See
.Cm SendEnv
in
-.Xr ssh_config 5
+.Xr ssh_config 4
for how to configure the client.
Note that environment passing is only supported for protocol 2.
Variables are specified by name, which may contain the wildcard characters
@@ -85,7 +85,7 @@
The default is not to accept any environment variables.
.It Cm AddressFamily
Specifies which address family should be used by
-.Xr sshd 8 .
+.Xr sshd 1M .
Valid arguments are
.Dq any ,
.Dq inet
@@ -118,7 +118,7 @@
.Cm AllowGroups .
.Pp
See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
@@ -158,7 +158,7 @@
.Cm AllowGroups .
.Pp
See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
.It Cm AuthenticationMethods
Specifies the authentication methods that must be successfully completed
@@ -202,7 +202,7 @@
It will be invoked with a single argument of the username
being authenticated, and should produce on standard output zero or
more lines of authorized_keys output (see AUTHORIZED_KEYS in
-.Xr sshd 8 ) .
+.Xr sshd 1M ) .
If a key supplied by AuthorizedKeysCommand does not successfully authenticate
and authorize the user then public key authentication continues using the usual
.Cm AuthorizedKeysFile
@@ -218,7 +218,7 @@
The format is described in the
AUTHORIZED_KEYS FILE FORMAT
section of
-.Xr sshd 8 .
+.Xr sshd 1M .
.Cm AuthorizedKeysFile
may contain tokens of the form %T which are substituted during connection
setup.
@@ -241,7 +241,7 @@
to be accepted for authentication.
Names are listed one per line preceded by key options (as described
in AUTHORIZED_KEYS FILE FORMAT in
-.Xr sshd 8 ) .
+.Xr sshd 1M ) .
Empty lines and comments starting with
.Ql #
are ignored.
@@ -271,7 +271,7 @@
though the
.Cm principals=
key option offers a similar facility (see
-.Xr sshd 8
+.Xr sshd 1M
for details).
.It Cm Banner
The contents of the specified file are sent to the remote user before
@@ -294,7 +294,7 @@
All components of the pathname must be root-owned directories that are
not writable by any other user or group.
After the chroot,
-.Xr sshd 8
+.Xr sshd 1M
changes the working directory to the user's home directory.
.Pp
The pathname may contain the following tokens that are expanded at runtime once
@@ -370,7 +370,7 @@
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see below) which may be
sent without
-.Xr sshd 8
+.Xr sshd 1M
receiving any messages back from the client.
If this threshold is reached while client alive messages are being sent,
sshd will disconnect the client, terminating the session.
@@ -397,7 +397,7 @@
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
-.Xr sshd 8
+.Xr sshd 1M
will send a message through the encrypted
channel to request a response from the client.
The default
@@ -428,7 +428,7 @@
.Cm AllowGroups .
.Pp
See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
@@ -447,7 +447,7 @@
.Cm AllowGroups .
.Pp
See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
.It Cm ForceCommand
Forces the execution of the command specified by
@@ -472,7 +472,7 @@
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
-.Xr sshd 8
+.Xr sshd 1M
binds remote port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
@@ -520,7 +520,7 @@
A setting of
.Dq yes
means that
-.Xr sshd 8
+.Xr sshd 1M
uses the name supplied by the client rather than
attempting to resolve the name from the TCP connection itself.
The default is
@@ -531,7 +531,7 @@
by
.Cm HostKey .
The default behaviour of
-.Xr sshd 8
+.Xr sshd 1M
is not to load any certificates.
.It Cm HostKey
Specifies a file containing a private host key
@@ -546,7 +546,7 @@
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
Note that
-.Xr sshd 8
+.Xr sshd 1M
will refuse to use a file if it is group/world-accessible.
It is possible to have multiple host key files.
.Dq rsa1
@@ -587,7 +587,7 @@
.Dq yes .
.It Cm IgnoreUserKnownHosts
Specifies whether
-.Xr sshd 8
+.Xr sshd 1M
should ignore the user's
.Pa ~/.ssh/known_hosts
during
@@ -681,7 +681,7 @@
The default is 3600 (seconds).
.It Cm ListenAddress
Specifies the local addresses
-.Xr sshd 8
+.Xr sshd 1M
should listen on.
The following forms may be used:
.Pp
@@ -724,7 +724,7 @@
The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
-.Xr sshd 8 .
+.Xr sshd 1M .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
The default is INFO.
@@ -776,7 +776,7 @@
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
PATTERNS section of
-.Xr ssh_config 5 .
+.Xr ssh_config 4 .
.Pp
The patterns in an
.Cm Address
@@ -856,7 +856,7 @@
the three colon separated values
.Dq start:rate:full
(e.g. "10:30:60").
-.Xr sshd 8
+.Xr sshd 1M
will refuse connection attempts with a probability of
.Dq rate/100
(30%)
@@ -969,7 +969,7 @@
options in
.Pa ~/.ssh/authorized_keys
are processed by
-.Xr sshd 8 .
+.Xr sshd 1M .
The default is
.Dq no .
Enabling environment processing may enable users to bypass access
@@ -982,7 +982,7 @@
.Pa /var/run/sshd.pid .
.It Cm Port
Specifies the port number that
-.Xr sshd 8
+.Xr sshd 1M
listens on.
The default is 22.
Multiple options of this type are permitted.
@@ -990,7 +990,7 @@
.Cm ListenAddress .
.It Cm PrintLastLog
Specifies whether
-.Xr sshd 8
+.Xr sshd 1M
should print the date and time of the last user login when a user logs
in interactively.
The default is
@@ -997,7 +997,7 @@
.Dq yes .
.It Cm PrintMotd
Specifies whether
-.Xr sshd 8
+.Xr sshd 1M
should print
.Pa /etc/motd
when a user logs in interactively.
@@ -1008,7 +1008,7 @@
.Dq yes .
.It Cm Protocol
Specifies the protocol versions
-.Xr sshd 8
+.Xr sshd 1M
supports.
The possible values are
.Sq 1
@@ -1081,7 +1081,7 @@
The minimum value is 512, and the default is 1024.
.It Cm StrictModes
Specifies whether
-.Xr sshd 8
+.Xr sshd 1M
should check file modes and ownership of the
user's files and home directory before accepting login.
This is normally desirable because novices sometimes accidentally leave their
@@ -1115,7 +1115,7 @@
Note that this option applies to protocol version 2 only.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
-.Xr sshd 8 .
+.Xr sshd 1M .
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
@@ -1156,7 +1156,7 @@
.Xr ssh-keygen 1 .
.It Cm UseDNS
Specifies whether
-.Xr sshd 8
+.Xr sshd 1M
should look up the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
@@ -1201,13 +1201,13 @@
If
.Cm UsePAM
is enabled, you will not be able to run
-.Xr sshd 8
+.Xr sshd 1M
as a non-root user.
The default is
.Dq no .
.It Cm UsePrivilegeSeparation
Specifies whether
-.Xr sshd 8
+.Xr sshd 1M
separates privileges by creating an unprivileged child process
to deal with incoming network traffic.
After successful authentication, another process will be created that has
@@ -1229,7 +1229,7 @@
.Dq none .
.It Cm X11DisplayOffset
Specifies the first display number available for
-.Xr sshd 8 Ns 's
+.Xr sshd 1M Ns 's
X11 forwarding.
This prevents sshd from interfering with real X11 servers.
The default is 10.
@@ -1244,7 +1244,7 @@
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
-.Xr sshd 8
+.Xr sshd 1M
proxy display is configured to listen on the wildcard address (see
.Cm X11UseLocalhost
below), though this is not the default.
@@ -1255,7 +1255,7 @@
forwarding (see the warnings for
.Cm ForwardX11
in
-.Xr ssh_config 5 ) .
+.Xr ssh_config 4 ) .
A system administrator may have a stance in which they want to
protect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a
@@ -1269,7 +1269,7 @@
is enabled.
.It Cm X11UseLocalhost
Specifies whether
-.Xr sshd 8
+.Xr sshd 1M
should bind the X11 forwarding server to the loopback address or to
the wildcard address.
By default,
@@ -1300,7 +1300,7 @@
.Pa /usr/X11R6/bin/xauth .
.El
.Sh TIME FORMATS
-.Xr sshd 8
+.Xr sshd 1M
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
.Sm off
@@ -1344,12 +1344,12 @@
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config
Contains configuration data for
-.Xr sshd 8 .
+.Xr sshd 1M .
This file should be writable by root only, but it is recommended
(though not necessary) that it be world-readable.
.El
.Sh SEE ALSO
-.Xr sshd 8 ,
+.Xr sshd 1M ,
.Xr pam_unix_session 5
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
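Review bot: the untouched .Xr pam_unix_session 5 directly under the renumbered .Xr sshd 1M is correct, since Solaris documents PAM modules in section 5, but to anyone applying the 5-to-4 rule from the header comment it reads like a miss and is likely to be "fixed" the next time the patch is regenerated. State in the header that only the OpenSSH-owned section-5 pages (moduli, ssh_config, sshd_config) move to section 4 and that references to existing Solaris section-5 pages are deliberately left alone.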
--- orig/sshd.8 Thu Feb 6 10:01:20 2014
+++ new/sshd.8 Thu Feb 6 10:22:35 2014
@@ -35,7 +35,7 @@
.\"
.\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $
.Dd $Mdocdate: December 7 2013 $
-.Dt SSHD 8
+.Dt SSHD 1M
.Os
.Sh NAME
.Nm sshd
@@ -80,7 +80,7 @@
.Nm
can be configured using command-line options or a configuration file
(by default
-.Xr sshd_config 5 ) ;
+.Xr sshd_config 4 ) ;
command-line options override values specified in the
configuration file.
.Nm
@@ -210,7 +210,7 @@
This is useful for specifying options for which there is no separate
command-line flag.
For full details of the options, and their values, see
-.Xr sshd_config 5 .
+.Xr sshd_config 4 .
.It Fl p Ar port
Specifies the port on which the server listens for connections
(default 22).
@@ -280,7 +280,7 @@
though this can be changed via the
.Cm Protocol
option in
-.Xr sshd_config 5 .
+.Xr sshd_config 4 .
Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
protocol 1 only supports RSA keys.
For both protocols,
@@ -405,7 +405,7 @@
See the
.Cm PermitUserEnvironment
option in
-.Xr sshd_config 5 .
+.Xr sshd_config 4 .
.It
Changes to user's home directory.
.It
@@ -550,7 +550,7 @@
environment variable.
Note that this option applies to shell, command or subsystem execution.
Also note that this command may be superseded by either a
-.Xr sshd_config 5
+.Xr sshd_config 4
.Cm ForceCommand
directive or a command embedded in a certificate.
.It Cm environment="NAME=value"
@@ -571,7 +571,7 @@
name of the remote host or its IP address must be present in the
comma-separated list of patterns.
See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
.Pp
In addition to the wildcard matching that may be applied to hostnames or
@@ -865,7 +865,7 @@
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
The file format is described in
-.Xr moduli 5 .
+.Xr moduli 4 .
.Pp
.It Pa /etc/motd
See
@@ -926,7 +926,7 @@
Contains configuration data for
.Nm sshd .
The file format and configuration options are described in
-.Xr sshd_config 5 .
+.Xr sshd_config 4 .
.Pp
.It Pa /etc/ssh/sshrc
Similar to
@@ -962,10 +962,10 @@
.Xr chroot 2 ,
.Xr hosts_access 5 ,
.Xr login.conf 5 ,
-.Xr moduli 5 ,
-.Xr sshd_config 5 ,
-.Xr inetd 8 ,
-.Xr sftp-server 8
+.Xr moduli 4 ,
+.Xr sshd_config 4 ,
+.Xr inetd 1M ,
+.Xr sftp-server 1M
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
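Review bot: .Xr hosts_access 5 and .Xr login.conf 5 are left in section 5 in this SEE ALSO hunk while the four lines below them are remapped. Neither is an OpenSSH page, so the header's rule does not cover them: check which section Solaris delivers hosts_access in (the tcp_wrappers pages are in section 4 there) and whether login.conf is delivered at all (it is a BSD login-class file), and either remap or drop each so the list only points at pages the system ships. The section-1 pages named in these lists but not touched by this patch (ssh 1, ssh-keygen 1, sftp 1) carry their own upstream cross-references to sshd 8 and ssh_config 5 and need the same sweep.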