- markus@cvs.openbsd.org 2001/02/12 16:16:23
[auth-passwd.c auth.c auth.h auth1.c auth2.c servconf.c servconf.h
ssh-keygen.c sshd.8]
PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)
diff --git a/sshd.8 b/sshd.8
index 1b1e964..79c1843 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.93 2001/02/11 12:59:25 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.94 2001/02/12 16:16:24 markus Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
@@ -552,21 +552,26 @@
.Xr ssh 1 .
The argument must be
.Dq yes ,
-.Dq without-password
+.Dq without-password ,
+.Dq forced-commands-only
or
.Dq no .
The default is
.Dq yes .
-If this options is set to
-.Dq without-password
-only password authentication is disabled for root.
.Pp
-Root login with RSA authentication when the
+If this option is set to
+.Dq without-password
+password authentication is disabled for root.
+.Pp
+If this option is set to
+.Dq forced-commands-only
+root login with public key authentication will be allowed,
+but only if the
.Ar command
-option has been
-specified will be allowed regardless of the value of this setting
+option has been specified
(which may be useful for taking remote backups even if root login is
-normally not allowed).
+normally not allowed). All other authentication methods are disabled
+for root.
.It Cm PidFile
Specifies the file that contains the process identifier of the
.Nm