1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
|
From f8033f154f0fe23f974f67ba2f8a29754a5044af Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages
No single bug reference for this patch, but history includes:
https://bugs.debian.org/154434 (login.conf(5))
https://bugs.debian.org/513417 (/etc/rc)
https://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
https://bugs.debian.org/998069 (rdomain(4))
Forwarded: not-needed
Last-Update: 2021-11-05
Patch-Name: openbsd-docs.patch
---
moduli.5 | 4 ++--
ssh-keygen.1 | 12 ++++--------
ssh.1 | 4 ++++
sshd.8 | 5 ++---
sshd_config.5 | 40 ++--------------------------------------
5 files changed, 14 insertions(+), 51 deletions(-)
diff --git a/moduli.5 b/moduli.5
index 5086a6d42..6dffdc7e6 100644
--- a/moduli.5
+++ b/moduli.5
@@ -21,7 +21,7 @@
.Nd Diffie-Hellman moduli
.Sh DESCRIPTION
The
-.Pa /etc/moduli
+.Pa /etc/ssh/moduli
file contains prime numbers and generators for use by
.Xr sshd 8
in the Diffie-Hellman Group Exchange key exchange method.
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
Diffie-Hellman output to sufficiently key the selected symmetric cipher.
.Xr sshd 8
then randomly selects a modulus from
-.Fa /etc/moduli
+.Fa /etc/ssh/moduli
that best meets the size requirement.
.Sh SEE ALSO
.Xr ssh-keygen 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 8b1f617d2..f2a021878 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -212,9 +212,7 @@ key in
.Pa ~/.ssh/id_ed25519_sk
or
.Pa ~/.ssh/id_rsa .
-Additionally, the system administrator may use this to generate host keys,
-as seen in
-.Pa /etc/rc .
+Additionally, the system administrator may use this to generate host keys.
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
@@ -279,9 +277,7 @@ If
.Fl f
has also been specified, its argument is used as a prefix to the
default path for the resulting host key files.
-This is used by
-.Pa /etc/rc
-to generate new host keys.
+This is used by system administration scripts to generate new host keys.
.It Fl a Ar rounds
When saving a private key, this option specifies the number of KDF
(key derivation function, currently
@@ -849,7 +845,7 @@ option.
Valid generator values are 2, 3, and 5.
.Pp
Screened DH groups may be installed in
-.Pa /etc/moduli .
+.Pa /etc/ssh/moduli .
It is important that this file contains moduli of a range of bit lengths.
.Pp
A number of options are available for moduli generation and screening via the
@@ -1307,7 +1303,7 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
diff --git a/ssh.1 b/ssh.1
index 4028f971a..6b56f5638 100644
--- a/ssh.1
+++ b/ssh.1
@@ -925,6 +925,10 @@ implements public key authentication protocol automatically,
using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
The HISTORY section of
.Xr ssl 8
+(on non-OpenBSD systems, see
+.nh
+http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
+.hy
contains a brief discussion of the DSA and RSA algorithms.
.Pp
The file
diff --git a/sshd.8 b/sshd.8
index 71da859dc..ec1687585 100644
--- a/sshd.8
+++ b/sshd.8
@@ -64,7 +64,7 @@ over an insecure network.
.Nm
listens for connections from clients.
It is normally started at boot from
-.Pa /etc/rc .
+.Pa /etc/init.d/ssh .
It forks a new
daemon for each incoming connection.
The forked daemons handle
@@ -921,7 +921,7 @@ This file is for host-based authentication (see
.Xr ssh 1 ) .
It should only be writable by root.
.Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
key exchange method.
The file format is described in
@@ -1019,7 +1019,6 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
-.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
.Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
index 2c6ec76cb..b9a19c7bd 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -981,9 +981,6 @@ for interactive sessions and
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.
-All authentication styles from
-.Xr login.conf 5
-are supported.
The default is
.Cm yes .
The argument to this keyword must be
@@ -1087,45 +1084,33 @@ The following forms may be used:
.Sm off
.Ar hostname | address
.Sm on
-.Op Cm rdomain Ar domain
.It
.Cm ListenAddress
.Sm off
.Ar hostname : port
.Sm on
-.Op Cm rdomain Ar domain
.It
.Cm ListenAddress
.Sm off
.Ar IPv4_address : port
.Sm on
-.Op Cm rdomain Ar domain
.It
.Cm ListenAddress
.Sm off
.Oo Ar hostname | address Oc : Ar port
.Sm on
-.Op Cm rdomain Ar domain
.El
.Pp
-The optional
-.Cm rdomain
-qualifier requests
-.Xr sshd 8
-listen in an explicit routing domain.
If
.Ar port
is not specified,
sshd will listen on the address and all
.Cm Port
options specified.
-The default is to listen on all local addresses on the current default
-routing domain.
+The default is to listen on all local addresses.
Multiple
.Cm ListenAddress
options are permitted.
-For more information on routing domains, see
-.Xr rdomain 4 .
.It Cm LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.
@@ -1250,14 +1235,8 @@ The available criteria are
.Cm Host ,
.Cm LocalAddress ,
.Cm LocalPort ,
-.Cm RDomain ,
and
-.Cm Address
-(with
-.Cm RDomain
-representing the
-.Xr rdomain 4
-on which the connection was received).
+.Cm Address .
.Pp
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
@@ -1329,7 +1308,6 @@ Available keywords are
.Cm PubkeyAuthOptions ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
-.Cm RDomain ,
.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
@@ -1724,15 +1702,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
-.It Cm RDomain
-Specifies an explicit routing domain that is applied after authentication
-has completed.
-The user session, as well as any forwarded or listening IP sockets,
-will be bound to this
-.Xr rdomain 4 .
-If the routing domain is set to
-.Cm \&%D ,
-then the domain in which the incoming connection was received will be applied.
.It Cm SecurityKeyProvider
Specifies a path to a library that will be used when loading
FIDO authenticator-hosted keys, overriding the default of using
@@ -2047,8 +2016,6 @@ which are expanded at runtime:
.It %%
A literal
.Sq % .
-.It \&%D
-The routing domain in which the incoming connection was received.
.It %F
The fingerprint of the CA key.
.It %f
@@ -2087,9 +2054,6 @@ accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm ChrootDirectory
accepts the tokens %%, %h, %U, and %u.
-.Pp
-.Cm RoutingDomain
-accepts the token %D.
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config
|