78 lines
2.2 KiB
Groff
78 lines
2.2 KiB
Groff
--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700
|
|
+++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700
|
|
@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
|
|
The list of available key types may also be obtained using
|
|
.Qq ssh -Q key .
|
|
.It Cm HostbasedAuthentication
|
|
-Specifies whether rhosts or /etc/hosts.equiv authentication together
|
|
+Specifies whether rhosts or
|
|
+.Pa /etc/hosts.equiv
|
|
+authentication together
|
|
with successful public key client host authentication is allowed
|
|
(host-based authentication).
|
|
The default is
|
|
@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
|
|
.It Cm PasswordAuthentication
|
|
Specifies whether password authentication is allowed.
|
|
The default is
|
|
+.Cm no ,
|
|
+unless
|
|
+.Nm sshd
|
|
+was built without PAM support, in which case the default is
|
|
.Cm yes .
|
|
+Note that if
|
|
+.Cm ChallengeResponseAuthentication
|
|
+is
|
|
+.Cm yes ,
|
|
+and the PAM authentication policy for
|
|
+.Nm sshd
|
|
+includes
|
|
+.Xr pam_unix 8 ,
|
|
+password authentication will be allowed through the challenge-response
|
|
+mechanism regardless of the value of
|
|
+.Cm PasswordAuthentication .
|
|
.It Cm PermitEmptyPasswords
|
|
When password authentication is allowed, it specifies whether the
|
|
server allows login to accounts with empty password strings.
|
|
@@ -1232,6 +1251,13 @@ and
|
|
.Cm ethernet .
|
|
The default is
|
|
.Cm no .
|
|
+Note that if
|
|
+.Cm ChallengeResponseAuthentication
|
|
+is
|
|
+.Cm yes ,
|
|
+the root user may be allowed in with its password even if
|
|
+.Cm PermitRootLogin is set to
|
|
+.Cm without-password .
|
|
.Pp
|
|
Independent of this setting, the permissions of the selected
|
|
.Xr tun 4
|
|
@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
|
|
.Xr sshd 8
|
|
as a non-root user.
|
|
The default is
|
|
-.Cm no .
|
|
+.Cm yes .
|
|
.It Cm VersionAddendum
|
|
Optionally specifies additional text to append to the SSH protocol banner
|
|
sent by the server upon connection.
|
|
The default is
|
|
-.Cm none .
|
|
+.Cm %%SSH_VERSION_FREEBSD_PORT%% .
|
|
+The value
|
|
+.Cm none
|
|
+may be used to disable this.
|
|
.It Cm X11DisplayOffset
|
|
Specifies the first display number available for
|
|
.Xr sshd 8 Ns 's
|
|
@@ -1512,7 +1541,7 @@ The argument must be
|
|
or
|
|
.Cm no .
|
|
The default is
|
|
-.Cm no .
|
|
+.Cm yes .
|
|
.Pp
|
|
When X11 forwarding is enabled, there may be additional exposure to
|
|
the server and to client displays if the
|