Document FreeBSD defaults and paths.

Sponsored by:	DARPA, NAI Labs
Dag-Erling Smørgrav 2002-06-29 10:53:57 +00:00
parent 3d48a988f6
commit 35d4ccfb55
4 changed files with 41 additions and 24 deletions

@ -35,6 +35,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.158 2002/06/20 19:56:07 stevesk Exp $
.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSH 1
.Os
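Review bot: the `.Dd September 25, 1999` line is left untouched even though this commit changes documented defaults and paths further down; mdoc convention is to bump `.Dd` whenever the content changes, and the same applies to the unchanged `.Dd` lines in the other three manpages in this commit. Adding the `$FreeBSD$` keyword under the `$OpenBSD: ssh.1` id line is fine as is.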
@ -99,7 +100,7 @@ depending on the protocol version used:
First, if the machine the user logs in from is listed in
.Pa /etc/hosts.equiv
or
.Pa /etc/shosts.equiv
.Pa /etc/ssh/shosts.equiv
on the remote machine, and the user names are
the same on both sides, the user is immediately permitted to log in.
Second, if
@ -123,7 +124,7 @@ It means that if the login would be permitted by
.Pa $HOME/.shosts ,
.Pa /etc/hosts.equiv ,
or
.Pa /etc/shosts.equiv ,
.Pa /etc/ssh/shosts.equiv ,
and if additionally the server can verify the client's
host key (see
.Pa /etc/ssh/ssh_known_hosts
@ -330,6 +331,7 @@ The user should not manually set
.Ev DISPLAY .
Forwarding of X11 connections can be
configured on the command line or in configuration files.
Take note that X11 forwarding can represent a security hazard.
.Pp
The
.Ev DISPLAY
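Review bot: the added sentence "Take note that X11 forwarding can represent a security hazard." states a hazard without saying what it is or how to avoid it. A short clause (the remote side gains access to the user's X display through the forwarded channel) plus a pointer to the corresponding ssh_config(5) option that keeps forwarding disabled for hosts that are not trusted would make the warning actionable rather than decorative.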
@ -666,7 +668,7 @@ It is automatically set by
to point to a value of the form
.Dq hostname:n
where hostname indicates
the host where the shell runs, and n is an integer >= 1.
the host where the shell runs, and n is an integer \*(>= 1.
.Nm
uses this special value to forward X11 connections over the secure
channel.
@ -893,7 +895,8 @@ or
.Xr rsh 1 .
.It Pa /etc/hosts.equiv
This file is used during
.Pa \&.rhosts authentication.
.Pa \&.rhosts
authentication.
It contains
canonical hosts names, one per line (the full format is described on
the
@ -905,7 +908,7 @@ same.
Additionally, successful RSA host authentication is normally
required.
This file should only be writable by root.
.It Pa /etc/shosts.equiv
.It Pa /etc/ssh/shosts.equiv
This file is processed exactly as
.Pa /etc/hosts.equiv .
This file may be useful to permit logins using
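Review bot: the rename to `.It Pa /etc/ssh/shosts.equiv` in FILES is consistent with the two earlier hunks in this page, but `/etc/hosts.equiv` stays where it is, so the two files that the text says are processed "exactly" alike now live in different directories. One sentence noting that `shosts.equiv` is looked up in the ssh configuration directory on FreeBSD would keep readers from creating it in `/etc` and wondering why it is ignored.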

@ -35,6 +35,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $
.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@ -583,6 +584,9 @@ having to remember to give the user name on the command line.
Specifies a file to use for the user
host key database instead of
.Pa $HOME/.ssh/known_hosts .
.It Cm VersionAddendum
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
.It Cm XAuthLocation
Specifies the location of the
.Xr xauth 1
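Review bot: the new entry from `.It Cm VersionAddendum` through "OS- or site-specific modifications." does not state a default value, unlike the neighbouring entries. Since the appended string becomes part of the version string the client sends to every server it connects to, the entry should also say that the value is disclosed to the peer and give the default so an operator knows what is currently being sent.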

@ -35,6 +35,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.184 2002/06/20 19:56:07 stevesk Exp $
.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSHD 8
.Os
@ -65,7 +66,7 @@ install and use as possible.
.Nm
is the daemon that listens for connections from clients.
It is normally started at boot from
.Pa /etc/rc .
.Pa /etc/rc.d/sshd .
It forks a new
daemon for each incoming connection.
The forked daemons handle
@ -340,8 +341,9 @@ section).
If the login is on a tty, records login time.
.It
Checks
.Pa /etc/nologin ;
if it exists, prints contents and quits
.Pa /etc/nologin and
.Pa /var/run/nologin ;
if one exists, it prints the contents and quits
(unless root).
.It
Changes to run with normal user privileges.
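Review bot: in the new line `.Pa /etc/nologin and`, the word "and" is an argument of the `.Pa` macro and is rendered in the path font; put "and" on its own line, the way this same commit splits `.Pa \&.rhosts authentication.` in ssh.1. The rewritten clause "if one exists, it prints the contents and quits" is also ambiguous when both files exist: say which file is checked first, or whether both are printed.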
@ -359,11 +361,12 @@ If
exists, runs it; else if
.Pa /etc/ssh/sshrc
exists, runs
it; otherwise runs xauth.
it; otherwise runs
.Xr xauth 1 .
The
.Dq rc
files are given the X11
authentication protocol and cookie in standard input.
authentication protocol and cookie (if applicable) in standard input.
.It
Runs user's shell or command.
.El
@ -498,7 +501,7 @@ command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hu
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323
.Sh SSH_KNOWN_HOSTS FILE FORMAT
The
.Pa /etc/ssh/ssh_known_hosts ,
.Pa /etc/ssh/ssh_known_hosts
and
.Pa $HOME/.ssh/known_hosts
files contain host public keys for all known hosts.
@ -576,7 +579,7 @@ really used for anything; they are provided for the convenience of
the user so their contents can be copied to known hosts files.
These files are created using
.Xr ssh-keygen 1 .
.It Pa /etc/moduli
.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
.It Pa /var/run/sshd.pid
Contains the process ID of the
@ -679,7 +682,7 @@ The only valid use for user names that I can think
of is in negative entries.
.Pp
Note that this warning also applies to rsh/rlogin.
.It Pa /etc/shosts.equiv
.It Pa /etc/ssh/shosts.equiv
This is processed exactly as
.Pa /etc/hosts.equiv .
However, this file may be useful in environments that want to run both
@ -692,7 +695,9 @@ and assignment lines of the form name=value.
The file should be writable
only by the user; it need not be readable by anyone else.
.It Pa $HOME/.ssh/rc
If this file exists, it is run with /bin/sh after reading the
If this file exists, it is run with
.Pa /bin/sh
after reading the
environment files but before starting the user's shell or command.
It must not produce any output on stdout; stderr must be used
instead.

@ -35,6 +35,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.3 2002/06/20 23:37:12 markus Exp $
.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@ -266,7 +267,7 @@ or
.Pp
.Pa /etc/hosts.equiv
and
.Pa /etc/shosts.equiv
.Pa /etc/ssh/shosts.equiv
are still used.
The default is
.Dq yes .
@ -305,10 +306,6 @@ To disable keepalives, the value should be set to
.It Cm KerberosAuthentication
Specifies whether Kerberos authentication is allowed.
This can be in the form of a Kerberos ticket, or if
.It Cm PAMAuthenticationViaKbdInt
Specifies whether PAM challenge response authentication is allowed. This
allows the use of most PAM challenge response authentication modules, but
it will allow password authentication regardless of whether
.Cm PasswordAuthentication
is yes, the password provided by the user will be validated through
the Kerberos KDC.
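Review bot: the four removed lines for `PAMAuthenticationViaKbdInt` were mis-spliced into the middle of the `KerberosAuthentication` text, so deleting them repairs that entry, but the commit message ("Document FreeBSD defaults and paths.") does not say whether the option itself is gone. If sshd still accepts `PAMAuthenticationViaKbdInt`, the entry should be re-added in its alphabetical position rather than dropped; if the option was removed from the server, the commit message should say so.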
@ -383,7 +380,7 @@ options must precede this option for non port qualified addresses.
The server disconnects after this time if the user has not
successfully logged in.
If the value is 0, there is no time limit.
The default is 600 (seconds).
The default is 120 (seconds).
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Nm sshd .
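Review bot: the `LoginGraceTime` default changes from 600 to 120 seconds in the manpage only; confirm that this matches the server's compiled-in default and the shipped `sshd_config`, otherwise the page now disagrees with what sshd actually does. A shorter grace period is the better default, since it limits how long an unauthenticated connection can hold one of the forked daemons described earlier in this page.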
@ -444,7 +441,7 @@ The argument must be
or
.Dq no .
The default is
.Dq yes .
.Dq no .
.Pp
If this option is set to
.Dq without-password
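Review bot: changing the `PermitRootLogin` default from `.Dq yes` to `.Dq no` is the right direction, but as with the `LoginGraceTime` hunk it has to match the server's built-in default, or administrators reading this page will believe root logins are refused when they are not. The `without-password` paragraph that follows already covers hosts that need key-only root access, so no further wording change is needed there.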
@ -511,18 +508,23 @@ The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm RhostsAuthentication
Specifies whether authentication using rhosts or /etc/hosts.equiv
Specifies whether authentication using rhosts or
.Pa /etc/hosts.equiv
files is sufficient.
Normally, this method should not be permitted because it is insecure.
.Cm RhostsRSAAuthentication
should be used
instead, because it performs RSA-based host authentication in addition
to normal rhosts or /etc/hosts.equiv authentication.
to normal rhosts or
.Pa /etc/hosts.equiv
authentication.
The default is
.Dq no .
This option applies to protocol version 1 only.
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
Specifies whether rhosts or
.Pa /etc/hosts.equiv
authentication together
with successful RSA host authentication is allowed.
The default is
.Dq no .
@ -597,6 +599,9 @@ the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
.Dq no .
.It Cm VersionAddendum
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
.It Cm X11DisplayOffset
Specifies the first display number available for
.Nm sshd Ns 's
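Review bot: the new `VersionAddendum` entry for sshd gives no default and does not say that the string is sent in the version exchange before any authentication takes place, so anyone who can reach the listening port reads it. The entry should state the default shipped with FreeBSD and note that whatever site-specific text is placed here is public, so operators do not put internal details in it.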