- naddy@cvs.openbsd.org 2014/03/28 05:17:11
[ssh_config.5 sshd_config.5]
sync available and default algorithms, improve algorithm list formatting
help from jmc@ and schwarze@, ok deraadt@
diff --git a/sshd_config.5 b/sshd_config.5
index ce71efe..88be8d9 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $
-.Dd $Mdocdate: February 27 2014 $
+.\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $
+.Dd $Mdocdate: March 28 2014 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -337,30 +337,44 @@
Multiple ciphers must be comma-separated.
The supported ciphers are:
.Pp
-.Dq 3des-cbc ,
-.Dq aes128-cbc ,
-.Dq aes192-cbc ,
-.Dq aes256-cbc ,
-.Dq aes128-ctr ,
-.Dq aes192-ctr ,
-.Dq aes256-ctr ,
-.Dq aes128-gcm@openssh.com ,
-.Dq aes256-gcm@openssh.com ,
-.Dq arcfour128 ,
-.Dq arcfour256 ,
-.Dq arcfour ,
-.Dq blowfish-cbc ,
-.Dq cast128-cbc ,
-and
-.Dq chacha20-poly1305@openssh.com .
+.Bl -item -compact -offset indent
+.It
+3des-cbc
+.It
+aes128-cbc
+.It
+aes192-cbc
+.It
+aes256-cbc
+.It
+aes128-ctr
+.It
+aes192-ctr
+.It
+aes256-ctr
+.It
+aes128-gcm@openssh.com
+.It
+aes256-gcm@openssh.com
+.It
+arcfour
+.It
+arcfour128
+.It
+arcfour256
+.It
+blowfish-cbc
+.It
+cast128-cbc
+.It
+chacha20-poly1305@openssh.com
+.El
.Pp
The default is:
-.Bd -literal -offset 3n
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+.Bd -literal -offset indent
+aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-chacha20-poly1305@openssh.com,
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-aes256-cbc,arcfour
+chacha20-poly1305@openssh.com
.Ed
.Pp
The list of available ciphers may also be obtained using the
@@ -672,14 +686,33 @@
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
-The default is
+The supported algorithms are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+curve25519-sha256@libssh.org
+.It
+diffie-hellman-group1-sha1
+.It
+diffie-hellman-group14-sha1
+.It
+diffie-hellman-group-exchange-sha1
+.It
+diffie-hellman-group-exchange-sha256
+.It
+ecdh-sha2-nistp256
+.It
+ecdh-sha2-nistp384
+.It
+ecdh-sha2-nistp521
+.El
+.Pp
+The default is:
.Bd -literal -offset indent
curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
-diffie-hellman-group14-sha1,
-diffie-hellman-group1-sha1
+diffie-hellman-group14-sha1
.Ed
.It Cm KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated
@@ -751,16 +784,53 @@
.Dq -etm
calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended.
+The supported MACs are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+hmac-md5
+.It
+hmac-md5-96
+.It
+hmac-ripemd160
+.It
+hmac-sha1
+.It
+hmac-sha1-96
+.It
+hmac-sha2-256
+.It
+hmac-sha2-512
+.It
+umac-64@openssh.com
+.It
+umac-128@openssh.com
+.It
+hmac-md5-etm@openssh.com
+.It
+hmac-md5-96-etm@openssh.com
+.It
+hmac-ripemd160-etm@openssh.com
+.It
+hmac-sha1-etm@openssh.com
+.It
+hmac-sha1-96-etm@openssh.com
+.It
+hmac-sha2-256-etm@openssh.com
+.It
+hmac-sha2-512-etm@openssh.com
+.It
+umac-64-etm@openssh.com
+.It
+umac-128-etm@openssh.com
+.El
+.Pp
The default is:
.Bd -literal -offset indent
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
-hmac-md5-96-etm@openssh.com,
-hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
-hmac-sha1-96,hmac-md5-96
+umac-64@openssh.com,umac-128@openssh.com,
+hmac-sha2-256,hmac-sha2-512
.Ed
.It Cm Match
Introduces a conditional block.