- jmc@cvs.openbsd.org 2006/02/12 17:57:19
[sshd.8]
sort the list of options permissable w/ authorized_keys;
ok djm dtucker
diff --git a/sshd.8 b/sshd.8
index 909339f..58bf906 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.217 2006/02/12 10:52:41 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.218 2006/02/12 17:57:19 jmc Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
@@ -421,26 +421,6 @@
The following option specifications are supported (note
that option keywords are case-insensitive):
.Bl -tag -width Ds
-.It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-patterns
-.Pf ( Ql \&*
-and
-.Ql \&?
-serve as wildcards).
-The list may also contain
-patterns negated by prefixing them with
-.Ql \&! ;
-if the canonical host name matches a negated pattern, the key is not accepted.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
.It Cm command="command"
Specifies that the command is executed whenever this key is used for
authentication.
@@ -470,20 +450,40 @@
This option is automatically disabled if
.Cm UseLogin
is enabled.
+.It Cm from="pattern-list"
+Specifies that in addition to public key authentication, the canonical name
+of the remote host must be present in the comma-separated list of
+patterns
+.Pf ( Ql \&*
+and
+.Ql \&?
+serve as wildcards).
+The list may also contain
+patterns negated by prefixing them with
+.Ql \&! ;
+if the canonical host name matches a negated pattern, the key is not accepted.
+The purpose
+of this option is to optionally increase security: public key authentication
+by itself does not trust the network or name servers or anything (but
+the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
+.It Cm no-agent-forwarding
+Forbids authentication agent forwarding when this key is used for
+authentication.
.It Cm no-port-forwarding
Forbids TCP forwarding when this key is used for authentication.
Any port forward requests by the client will return an error.
This might be used, e.g., in connection with the
.Cm command
option.
+.It Cm no-pty
+Prevents tty allocation (a request to allocate a pty will fail).
.It Cm no-X11-forwarding
Forbids X11 forwarding when this key is used for authentication.
Any X11 forward requests by the client will return an error.
-.It Cm no-agent-forwarding
-Forbids authentication agent forwarding when this key is used for
-authentication.
-.It Cm no-pty
-Prevents tty allocation (a request to allocate a pty will fail).
.It Cm permitopen="host:port"
Limit local
.Li ``ssh -L''