trash

2 files changed, 0 insertions, 1737 deletions

diff --git a/usr.bin/ssh/ssh.1.in b/usr.bin/ssh/ssh.1.in
deleted file mode 100644
index 74a1255eb7d..00000000000
--- a/usr.bin/ssh/ssh.1.in
+++ /dev/null
@@ -1,1003 +0,0 @@
-.\"  -*- nroff -*-
-.\"
-.\" ssh.1.in
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\"
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" Created: Sat Apr 22 21:55:14 1995 ylo
-.\"
-.\" $Id: ssh.1.in,v 1.1 1999/09/26 20:53:37 deraadt Exp $
-.\"
-.TH SSH 1 "November 8, 1995" "SSH" "SSH"
-
-.SH NAME
-ssh \- secure shell client (remote login program)
-
-.SH SYNOPSIS
-.B ssh
-[\c
-.BI \-l \ login_name\fR\c
-]
-.B hostname
-[\c
-.IR command \c
-]
-
-.B ssh
-[\c
-.BR \-k \c
-]
-[\c
-.B \-c
-\fIblowfish\fR\||\|\fIidea\fR\||\|\fIdes\fR\||\|\fI3des\fR\||\|\fInone\fR\c
-]
-[\c
-.BI \-e \ escape_char\fR\c
-]
-[\c
-.BI \-i \ identity_file\fR\c
-]
-[\c
-.BI \-l \ login_name\fR\c
-]
-[\c
-.BR \-n \c
-]
-[\c
-.BI \-o \ option\fR\c
-]
-[\c
-.BI \-p \ port\fR\c
-]
-[\c
-.BR \-q \c
-]
-[\c
-.BR \-t \c
-]
-[\c
-.BR \-v \c
-]
-[\c
-.BR \-x \c
-]
-[\c
-.BR \-X \c
-]
-[\c
-.BR \-C \c
-]
-[\c
-.BI \-L \ port\fB:\fIhost\fB:\fIhostport\fR\c
-]
-[\c
-.BI \-R \ port\fB:\fIhost\fB:\fIhostport\fR\c
-]
-.I hostname
-[\c
-.IR command \c
-]
-
-.SH DESCRIPTION 
-.LP
-.B Ssh
-(Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine.  It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network.  X11 connections and
-arbitrary TCP/IP ports can also be forwarded over the secure channel.
-.LP
-.B Ssh 
-connects and logs into the specified 
-.IR hostname .  
-The user must prove
-his/her identity to the remote machine using one of several methods.
-.LP
-First, if the machine the user logs in from is listed in
-.I /etc/hosts.equiv
-or
-.I @ETCDIR@/shosts.equiv
-on the remote machine, and the user names are
-the same on both sides, the user is immediately permitted to log in.
-Second, if 
-.I \&\s+2.\s0rhosts
-or
-.I \&\s+2.\s0shosts
-exists in the user's home directory on the
-remote machine and contains a line containing the name of the client
-machine and the name of the user on that machine, the user is
-permitted to log in.  This form of authentication alone is normally not
-allowed by the server because it is not secure.
-.LP
-The second (and primary) authentication method is the
-.B rhosts
-or
-.B hosts.equiv
-method combined with RSA-based host authentication.  It
-means that if the login would be permitted by
-.I \&\s+2.\s0rhosts\c
-\|,
-.I \&\s+2.\s0shosts\c
-\|,
-.IR /etc/hosts.equiv\c
-\|,
-or
-.IR @ETCDIR@/shosts.equiv ",
-and additionally it can verify the client's
-host key (see 
-.I \&$HOME/\s+2.\s0ssh/known_hosts
-and
-.I @ETCDIR@/ssh_known_hosts
-in the
-.B \s-1FILES\s0
-section), only then login is
-permitted.  This authentication method closes security holes due to IP
-spoofing, DNS spoofing and routing spoofing.  [Note to the
-administrator:
-.IR /etc/hosts.equiv ", 
-.IR \&\s+2.\s0rhosts ",
-and the rlogin/rsh protocol in general, are inherently insecure and should be
-disabled if security is desired.]
-.LP
-As a third authentication method, 
-.B ssh 
-supports RSA based authentication.
-The scheme is based on public-key cryptography: there are cryptosystems
-where encryption and decryption are done using separate keys, and it
-is not possible to derive the decryption key from the encryption key.
-RSA is one such system.  The idea is that each user creates a public/private 
-key pair for authentication purposes.  The
-server knows the public key, and only the user knows the private key.
-The file 
-.I \&$HOME/\s+2.\s0ssh/authorized_keys
-lists the public keys that are permitted for logging
-in.  When the user logs in, the
-.B ssh 
-program tells the server which key pair it would like to use for
-authentication.  The server checks if this key is permitted, and if
-so, sends the user (actually the
-.B ssh
-program running on behalf of the user) a challenge, a random number,
-encrypted by the user's public key.  The challenge can only be
-decrypted using the proper private key.  The user's client then decrypts the
-challenge using the private key, proving that he/she knows the private
-key but without disclosing it to the server.
-.LP
-.B Ssh
-implements the RSA authentication protocol automatically.  The user
-creates his/her RSA key pair by running
-.BR ssh-keygen (1).
-This stores the private key in 
-.I \&\s+2.\s0ssh/identity
-and the public key in
-.I \&\s+2.\s0ssh/identity.pub
-in the user's home directory.  The user should then
-copy the 
-.I identity.pub
-to 
-.I \&\s+2.\s0ssh/authorized_keys
-in his/her home directory on the remote machine (the 
-.I authorized_keys
-file corresponds to the conventional 
-.I \&\s+2.\s0rhosts
-file, and has one key
-per line, though the lines can be very long).  After this, the user
-can log in without giving the password.  RSA authentication is much
-more secure than rhosts authentication.
-.LP
-The most convenient way to use RSA authentication may be with an
-authentication agent.  See
-.BR ssh-agent (1)
-for more information.
-.LP
-If other authentication methods fail, 
-.B ssh
-prompts the user for a password.  The password is sent to the remote
-host for checking; however, since all communications are encrypted,
-the password cannot be seen by someone listening on the network.
-.LP
-When the user's identity has been accepted by the server, the server
-either executes the given command, or logs into the machine and gives
-the user a normal shell on the remote machine.  All communication with
-the remote command or shell will be automatically encrypted.
-.LP
-If a pseudo-terminal has been allocated (normal login session), the
-user can disconnect with "~.", and suspend
-.B ssh
-with "~^Z".  All forwarded connections can be listed with "~#", and if
-the session blocks waiting for forwarded X11 or TCP/IP
-connections to terminate, it can be backgrounded with "~&" (this
-should not be used while the user shell is active, as it can cause the
-shell to hang).  All available escapes can be listed with "~?".
-.LP
-A single tilde character can be sent as "~~" (or by
-following the tilde by a character other than those described above).
-The escape character must always follow a newline to be interpreted as
-special.  The escape character can be changed in configuration files
-or on the command line.  
-.LP
-If no pseudo tty has been allocated, the
-session is transparent and can be used to reliably transfer binary
-data.  On most systems, setting the escape character to ``none'' will
-also make the session transparent even if a tty is used.
-.LP
-The session terminates when the command or shell in on the remote
-machine exists and all X11 and TCP/IP connections have been closed.
-The exit status of the remote program is returned as the exit status
-of
-.B ssh.
-.LP
-If the user is using X11 (the
-.B \s-1DISPLAY\s0
-environment variable is set), the connection to the X11 display is
-automatically forwarded to the remote side in such a way that any X11
-programs started from the shell (or command) will go through the
-encrypted channel, and the connection to the real X server will be made
-from the local machine.  The user should not manually set
-.BR \s-1DISPLAY\s0 ".
-Forwarding of X11 connections can be
-configured on the command line or in configuration files.
-.LP
-The DISPLAY value set by
-.B ssh
-will point to the server machine, but with a display number greater
-than zero.  This is normal, and happens because
-.B ssh
-creates a "proxy" X server on the server machine for forwarding the
-connections over the encrypted channel.
-.LP
-.B Ssh
-will also automatically set up Xauthority data on the server machine.
-For this purpose, it will generate a random authorization cookie,
-store it in Xauthority on the server, and verify that any forwarded
-connections carry this cookie and replace it by the real cookie when
-the connection is opened.  The real authentication cookie is never
-sent to the server machine (and no cookies are sent in the plain).
-.LP
-If the user is using an authentication agent, the connection to the agent
-is automatically forwarded to the remote side unless disabled on
-command line or in a configuration file.
-.LP
-Forwarding of arbitrary TCP/IP connections over the secure channel can
-be specified either on command line or in a configuration file.  One
-possible application of TCP/IP forwarding is a secure connection to an
-electronic purse; another is going trough firewalls.
-.LP
-.B Ssh
-automatically maintains and checks a database containing RSA-based
-identifications for all hosts it has ever been used with.  The
-database is stored in 
-.I \&\s+2.\s0ssh/known_hosts
-in the user's home directory.  Additionally, the file 
-.I @ETCDIR@/ssh_known_hosts
-is automatically checked for known hosts.  Any new hosts are
-automatically added to the user's file.  If a host's identification
-ever changes,
-.B ssh
-warns about this and disables password authentication to prevent a
-trojan horse from getting the user's password.  Another purpose of
-this mechanism is to prevent man-in-the-middle attacks which could
-otherwise be used to circumvent the encryption.  The
-.B StrictHostKeyChecking
-option (see below) can be used to prevent logins to machines whose
-host key is not known or has changed.
-
-
-.ne 5
-.SH OPTIONS
-.TP
-.BI \-c \ \fIblowfish\fR\||\|\fIidea\fR\||\|\fIdes\fR\||\|\fI3des\fR\||\|\fInone\fR
-Selects the cipher to use for encrypting the session. 
-.B \s-13DES\s0
-is used by default.  It is believed to be secure. 
-.B \s-1DES\s0
-is the data encryption standard, but is breakable by 
-governments, large corporations, and major criminal organizations.
-.B \s-13DES\s0
-(triple-des) is encrypt-decrypt-encrypt triple with three different
-keys.  It is presumably more secure than
-DES.
-.B none
-disables encryption entirely; it is only intended for debugging, and
-it renders the connection insecure.
-.ne 3
-.TP
-.B \-e \fIch\fR\||\|\fI^ch\fR\||\|\fInone\fR
-Sets the escape character for sessions with a pty (default: ~).  The
-escape character is only recognized at the beginning of a line.  The
-escape character followed by a dot (.) closes the connection, followed
-by control-Z suspends the connection, and followed by itself sends the
-escape character once.  Setting the character to 'none' disables any
-escapes and makes the session fully transparent.
-.ne 3
-.TP
-.B \-f
-Requests ssh to go to background after authentication.  This is useful
-if ssh is going to ask for passwords or passphrases, but the user
-wants it in the background.  This implies 
-.B \-n.
-The recommended way to start X11 programs at a remote site is with
-something like "ssh -f host xterm".
-.ne 3
-.TP
-.BI \-i \ identity_file
-Selects the file from which the identity (private key) for 
-.B \s-1RSA\s0
-authentication is read.  Default is 
-.I \&\s+2.\s0ssh/identity
-in the user's home directory.  Identity files may also be specified on
-a per-host basis in the configuration file.  It is possible to have
-multiple \-i options (and multiple identities specified in
-configuration files).
-.ne 3
-.TP
-.B \-k
-Disables forwarding of Kerberos tickets / AFS tokens. This may
-also be specified on a per-host basis in the configuration file.
-.ne 3
-.TP
-.BI -l \ login_name
-Specifies the user to log in as on the remote machine.  This may also
-be specified on a per-host basis in the configuration file.
-.ne 3
-.TP
-.B \-n
-Redirects stdin from /dev/null (actually, prevents reading from stdin).
-This must be used when
-.B ssh
-is run in the background.  A common trick is to use this to run X11
-programs in a remote machine.  For example, "ssh -n shadows.cs.hut.fi
-emacs &" will start an emacs on shadows.cs.hut.fi, and the X11
-connection will be automatically forwarded over an encrypted channel.
-The
-.B ssh
-program will be put in the background.
-(This does not work if
-.B ssh
-needs to ask for a password or passphrase; see also the -f option.)
-.ne 3
-.TP
-.BI \-o "\ 'option'
-Can be used to give options in the format used in the config file.
-This is useful for specifying options for which there is no separate
-command-line flag.  The option has the same format as a line in the
-configuration file.
-.ne 3
-.TP
-.BI \-p "\ port
-Port to connect to on the remote host.  This can be specified on a
-per-host basis in the configuration file.
-.ne 3
-.TP
-.B \-q
-Quiet mode.  Causes all warning and diagnostic messages to be
-suppressed.  Only fatal errors are displayed.
-.ne 3
-.TP
-.B \-t
-Force pseudo-tty allocation.  This can be used to execute arbitary
-screen-based programs on a remote machine, which can be very useful
-e.g. when implementing menu services.
-.ne 3
-.TP
-.B \-v
-Verbose mode.  Causes
-.B ssh
-to print debugging messages about its progress.  This is helpful in
-debugging connection, authentication, and configuration problems.
-.ne 3
-.TP
-.B \-x
-Disables X11 forwarding.  This can also be specified on a per-host
-basis in a configuration file.
-.ne 3
-.TP
-.B \-X
-Enables X11 forwarding.
-.ne 3
-.TP
-.B \-C
-Requests compression of all data (including stdin, stdout, stderr, and
-data for forwarded X11 and TCP/IP connections).  The compression
-algorithm is the same used by gzip, and the "level" can be controlled
-by the
-.B CompressionLevel
-option (see below).  Compression is desirable on modem lines and other
-slow connections, but will only slow down things on fast networks.
-The default value can be set on a host-by-host basis in the
-configuration files; see the
-.B Compress
-option below.
-.ne 3
-.TP
-.BI \-L "\ port:host:hostport
-Specifies that the given port on the local (client) host is to be
-forwarded to the given host and port on the remote side.  This works
-by allocating a socket to listen to
-.B port
-on the local side, and whenever a connection is made to this port, the
-connection is forwarded over the secure channel, and a connection is
-made to
-.B host:hostport
-from the remote machine.  Port forwardings can also be specified in the
-configuration file.  Only root can forward privileged ports.
-.ne 3
-.TP
-.BI \-R "\ port:host:hostport
-Specifies that the given port on the remote (server) host is to be
-forwarded to the given host and port on the local side.  This works
-by allocating a socket to listen to
-.B port
-on the remote side, and whenever a connection is made to this port, the
-connection is forwarded over the secure channel, and a connection is
-made to
-.B host:hostport
-from the local machine.  Port forwardings can also be specified in the
-configuration file.  Privileged ports can be forwarded only when
-logging in as root on the remote machine.
-
-.SH CONFIGURATION FILES
-.LP
-.B Ssh
-obtains configuration data from the following sources (in this order):
-command line options, user's configuration file
-(\fI\&$HOME/\s+2.\s0ssh/config\fR), and system-wide configuration file
-(\fI@ETCDIR@/ssh_config\fR).  For each parameter, the first obtained value
-will be used.  The configuration files contain sections bracketed by
-"Host" specifications, and that section is only applied for hosts that
-match one of the patterns given in the specification.  The matched
-host name is the one given on the command line.
-.LP
-Since the first obtained value for each parameter is used, more
-host-specific declarations should be given near the beginning of the
-file, and general defaults at the end.
-.LP
-The configuration file has the following format:
-.IP
-Empty lines and lines starting with '#' are comments.
-.IP
-Otherwise a line is of the format "keyword arguments".  The possible
-keywords and their meanings are as follows (note that the
-configuration files are case-sensitive):
-.ne 3
-.TP
-.de YN
-"\fByes\fR" or "\fBno\fR".
-..
-
-.B Host
-Restricts the following declarations (up to the next
-.B Host
-keyword) to be only for those hosts that match one of the patterns
-given after the keyword.  '*' and '?' can be as wildcards in the
-patterns.  A single '*' as a pattern can be used to provide global
-defaults for all hosts.  The host is the
-.IR hostname
-argument given on the command line (i.e., the name is not converted to
-a canonicalized host name before matching).
-.ne 3
-.TP
-.B AFSTokenPassing
-Specifies whether to pass AFS tokens to remote host. The argument to 
-this keyword must be
-.YN
-.ne 3
-.TP
-.B BatchMode
-If set to "yes", passphrase/password querying will be disabled.  This
-option is useful in scripts and other batch jobs where you have no
-user to supply the password.  The argument must be
-.YN
-.ne 3
-.TP
-.B Cipher
-Specifies the cipher to use for encrypting the session.  Currently,
-.IR blowfish ",
-.IR idea ",
-.IR des ",
-.IR 3des ",
-and
-.I none
-are supported.  The default is "3des". Using "none" (no encryption) is intended
-only for debugging, and will render the connection insecure.
-.ne 3
-.TP
-.B Compression
-Specifies whether to use compression.  The argument must be
-.YN
-.ne 3
-.TP
-.B CompressionLevel
-Specifies the compression level to use if compression is enable.  The
-argument must be an integer from 1 (fast) to 9 (slow, best).  The
-default level is 6, which is good for most applications.  The meaning
-of the values is the same as in GNU GZIP.
-.ne 3
-.TP
-.B ConnectionAttempts
-Specifies the number of tries (one per second) to make before falling
-back to rsh or exiting.  The argument must be an integer.  This may be
-useful in scripts if the connection sometimes fails.
-.ne 3
-.TP
-.B EscapeChar
-Sets the escape character (default: ~).  The escape character can also
-be set on the command line.  The argument should be a single
-character, '^' followed by a letter, or ``none'' to disable the escape
-character entirely (making the connection transparent for binary
-data).
-.ne 3
-.TP
-.B FallBackToRsh 
-Specifies that if connecting via
-.B ssh
-fails due to a connection refused error (there is no
-.B sshd
-listening on the remote host), 
-.B rsh
-should automatically be used instead (after a suitable warning about
-the session being unencrypted).  The argument must be
-.YN
-.ne 3
-.TP
-.B ForwardAgent
-Specifies whether the connection to the authentication agent (if any)
-will be forwarded to the remote machine.  The argument must be
-.YN
-.ne 3
-.TP
-.B ForwardX11
-Specifies whether X11 connections will be automatically redirected
-over the secure channel and 
-.B \s-1DISPLAY\s0
-set.  The argument must be 
-.YN
-.ne 3
-.TP
-.B GlobalKnownHostsFile
-Specifies a file to use instead of 
-.IR @ETCDIR@/ssh_known_hosts ".
-.ne 3
-.TP
-.B HostName
-Specifies the real host name to log into.  This can be used to specify
-nicnames or abbreviations for hosts.  Default is the name given on the
-command line.  Numeric IP addresses are also permitted (both on the
-command line and in
-.B HostName
-specifications).
-.ne 3
-.TP
-.B IdentityFile
-Specifies the file from which the user's RSA authentication identity
-is read (default \fI\s+2.\s0ssh/identity\fR in the user's home directory).
-Additionally, any identities represented by the authentication agent
-will be used for authentication.  The file name may use the tilde
-syntax to refer to a user's home directory.  It is possible to have
-multiple identity files specified in configuration files; all these
-identities will be tried in sequence.
-.ne 3
-.TP
-.B KeepAlive
-Specifies whether the system should send keepalive messages to the
-other side.  If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.  However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.  
-
-The default is "yes" (to send keepalives), and the client will notice
-if the network goes down or the remote host dies.  This is important
-in scripts, and many users want it too.
-
-To disable keepalives, the value should be set to "no" in both the
-server and the client configuration files.
-.ne 3
-.TP
-.B KerberosAuthentication
-Specifies whether Kerberos authentication will be used. 
-.TP
-.B KerberosTgtPassing
-Specifies whether a Kerberos TGT will be forwarded to the server.
-Note that TGT forwarding is normally not enabled in the server.
-.TP
-.B LocalForward
-Specifies that a TCP/IP port on the local machine be forwarded over
-the secure channel to given host:port from the remote machine.  The
-first argument must be a port number, and the second must be
-host:port.  Multiple forwardings may be specified, and additional
-forwardings can be given on the command line.  Only the root can
-forward privileged ports.
-.ne 3
-.TP
-.B PasswordAuthentication
-Specifies whether to use password authentication.  The argument to
-this keyword must be
-.YN
-.ne 3
-.TP
-.B Port
-Specifies the port number to connect on the remote host.  Default is
-22.
-.ne 3
-.TP
-.B ProxyCommand
-Specifies the command to use to connect to the server.  The command
-string extends to the end of the line, and is executed with /bin/sh.
-In the command string, %h will be substituted by the host name to
-connect and %p by the port.  The command can be basically anything,
-and should read from its stdin and write to its stdout.  It should
-eventually connect an
-.B sshd
-server running on some machine, or execute
-"sshd -i" somewhere.  Host key management will be done using the
-HostName of the host being connected (defaulting to the name typed by
-the user).
-
-Note that
-.B ssh
-can also be configured to support the SOCKS system using the
---with-socks compile-time configuration option.
-.ne 3
-.TP
-.B RemoteForward
-Specifies that a TCP/IP port on the remote machine be forwarded over
-the secure channel to given host:port from the local machine.  The
-first argument must be a port number, and the second must be
-host:port.  Multiple forwardings may be specified, and additional
-forwardings can be given on the command line.  Only the root can
-forward privileged ports.
-.ne 3
-.TP
-.B RhostsAuthentication
-Specifies whether to try rhosts based authentication.  Note that this
-declaration only affects the client side and has no effect whatsoever
-on security.  Disabling rhosts authentication may reduce
-authentication time on slow connections when rhosts authentication is
-not used.  Most servers do not permit RhostsAuthentication because it
-is not secure (see RhostsRSAAuthentication).  The argument to this
-keyword must be
-.YN
-.ne 3
-.TP
-.B RhostsRSAAuthentication
-Specifies whether to try rhosts based authentication with RSA host
-authentication.  This is the primary authentication method for most
-sites.  The argument must be
-.YN
-.ne 3
-.TP
-.B RSAAuthentication
-Specifies whether to try RSA authentication.  The argument to this
-keyword must be
-.YN
-RSA authentication will only be
-attempted if the identity file exists, or an authentication agent is
-running.
-.ne 3
-.TP
-.B StrictHostKeyChecking
-If this flag is set to "yes", 
-.B ssh
-ssh will never automatically add host keys to the
-.I $HOME/.ssh/known_hosts
-file, and refuses to connect hosts whose host key has changed.  This
-provides maximum protection against trojan horse attacks.  However, it
-can be somewhat annoying if you don't have good
-.I /etc/ssh_known_hosts
-files installed and frequently
-connect new hosts.  Basically this option forces the user to manually
-add any new hosts.  Normally this option is disabled, and new hosts
-will automatically be added to the known host files.  The host keys of
-known hosts will be verified automatically in either case.  The
-argument must be
-.YN
-.ne3
-.TP
-.B User
-Specifies the user to log in as.  This can be useful if you have a
-different user name in different machines.  This saves the trouble of
-having to remember to give the user name on the command line.
-.ne 3
-.TP
-.B UserKnownHostsFile
-Specifies a file to use instead of \fI$HOME/\s+2.\s0ssh/known_hosts\fR.
-.ne 3
-.TP
-.B UseRsh
-Specifies that rlogin/rsh should be used for this host.  It is
-possible that the host does not at all support the
-.B ssh
-protocol.  This causes
-.B ssh
-to immediately exec 
-.B rsh.
-All other options (except
-.BR HostName )
-are ignored if this has been specified.  The argument must be
-.YN
-
-.SH ENVIRONMENT
-.LP
-.B Ssh 
-will normally set the following environment variables:
-.TP
-.B DISPLAY
-The DISPLAY variable indicates the location of the X11 server.  It is
-automatically set by 
-.B ssh
-to point to a value of the form "hostname:n" where hostname indicates
-the host where the shell runs, and n is an integer >= 1.  Ssh uses
-this special value to forward X11 connections over the secure
-channel.  The user should normally not set DISPLAY explicitly, as that
-will render the X11 connection insecure (and will require the user to
-manually copy any required authorization cookies).
-.ne 3
-.TP
-.B HOME
-Set to the path of the user's home directory.
-.ne 3
-.TP
-.B LOGNAME
-Synonym for USER; set for compatibility with systems that use
-this variable.
-.ne 3
-.TP
-.B MAIL
-Set to point the user's mailbox.
-.ne 3
-.TP
-.B PATH
-Set to the default PATH, as specified when compiling
-.B ssh
-or, on some systems, 
-.I /etc/environment 
-or 
-.IR /etc/default/login ".
-.ne 3
-.TP
-.B SSH_AUTHENTICATION_FD
-This is set to an integer value if you are using the authentication
-agent and a connection to it has been forwarded.  The value indicates
-a file descriptor number used for communicating with the agent.  On
-some systems, 
-.B SSH_AUTHENTICATION_SOCKET
-may be used instead to
-indicate the path of a unix-domain socket used to communicate with the
-agent (this method is less secure, and is only used on systems that
-don't support the first method).
-.ne 3
-.TP
-.B SSH_CLIENT
-Identifies the client end of the connection.  The variable contains
-three space-separated values: client ip-address, client port number,
-and server port number.
-.ne 3
-.TP
-.B SSH_TTY
-This is set to the name of the tty (path to the device) associated
-with the current shell or command.  If the current session has no tty,
-this variable is not set.
-.ne 3
-.TP
-.B TZ
-The timezone variable is set to indicate the present timezone if it
-was set when the daemon was started (e.i., the daemon passes the value
-on to new connections).
-.ne 3
-.TP
-.B USER
-Set to the name of the user logging in.
-.LP
-.RT
-Additionally, 
-.B ssh
-reads 
-.I /etc/environment 
-and 
-.IR $HOME/.ssh/environment ", 
-and adds lines of
-the format 
-.I VARNAME=value
-to the environment.  Some systems may have
-still additional mechanisms for setting up the environment, such as
-.I /etc/default/login
-on Solaris.
-
-.ne 3
-.SH FILES
-.TP
-.I \&$HOME/\s+2.\s0ssh/known_hosts
-Records host keys for all hosts the user has logged into (that are not
-in \fI@ETCDIR@/ssh_known_hosts\fR).  See
-.B sshd
-manual page.
-.ne 3
-.TP
-.I \&$HOME/\s+2.\s0ssh/random_seed
-Used for seeding the random number generator.  This file contains
-sensitive data and should read/write for the user and not accessible
-for others.  This file is created the first time the program is run
-and updated automatically.  The user should never need to read or
-modify this file.
-.ne 5
-.TP
-.I \&$HOME/\s+2.\s0ssh/identity
-Contains the RSA authentication identity of the user.  This file
-contains sensitive data and should be readable by the user but not
-accessible by others.  It is possible to specify a passphrase when
-generating the key; the passphrase will be used to encrypt the
-sensitive part of this file using
-.BR \s-1IDEA\s0 ".
-.ne 3
-.TP
-.I \&$HOME/\s+2.\s0ssh/identity.pub 
-Contains the public key for authentication (public part of the
-identity file in human-readable form).  The contents of this file
-should be added to \fI$HOME/\s+2.\s0ssh/authorized_keys\fR on all machines
-where you wish to log in using RSA authentication.  This file is not
-sensitive and can (but need not) be readable by anyone.  This file is
-never used automatically and is not necessary; it is only provided for
-the convenience of the user.
-.ne 3
-.TP
-.I \&$HOME/\s+2.\s0ssh/config
-This is the per-user configuration file.  The format of this file is
-described above.  This file is used by the
-.B ssh
-client.  This file does not usually contain any sensitive information,
-but the recommended permissions are read/write for the user, and not
-accessible by others.
-.ne 3
-.TP
-.I \&$HOME/\s+2.\s0ssh/authorized_keys
-Lists the RSA keys that can be used for logging in as this user.  The
-format of this file is described in the
-.B sshd
-manual page.  In the simplest form the format is the same as the .pub
-identity files (that is, each line contains the number of bits in
-modulus, public exponent, modulus, and comment fields, separated by
-spaces).  This file is not highly sensitive, but the recommended
-permissions are read/write for the user, and not accessible by others.
-.ne 3
-.TP
-.I @ETCDIR@/ssh_known_hosts
-Systemwide list of known host keys.  This file should be prepared by the
-system administrator to contain the public host keys of all machines in the
-organization.  This file should be world-readable.  This file contains
-public keys, one per line, in the following format (fields separated
-by spaces): system name, number of bits in modulus, public exponent,
-modulus, and optional comment field.  When different names are used
-for the same machine, all such names should be listed, separated by
-commas.  The format is described on the
-.B sshd 
-manual page.
-.IP
-The canonical system name (as returned by name servers) is used by
-.B sshd
-to verify the client host when logging in; other names are needed because
-.B ssh
-does not convert the user-supplied name to a canonical name before
-checking the key, because someone with access to the name servers
-would then be able to fool host authentication.
-.ne 3
-.TP
-.I @ETCDIR@/ssh_config
-Systemwide configuration file.  This file provides defaults for those
-values that are not specified in the user's configuration file, and
-for those users who do not have a configuration file.  This file must
-be world-readable.
-.ne 3
-.TP
-.I $HOME/\s+2.\s0rhosts
-This file is used in \s+2.\s0rhosts authentication to list the
-host/user pairs that are permitted to log in.  (Note that this file is
-also used by rlogin and rsh, which makes using this file insecure.)
-Each line of the file contains a host name (in the canonical form
-returned by name servers), and then a user name on that host,
-separated by a space.  One some machines this file may need to be
-world-readable if the user's home directory is on a NFS partition,
-because
-.B sshd 
-reads it as root.  Additionally, this file must be owned by the user,
-and must not have write permissions for anyone else.  The recommended
-permission for most machines is read/write for the user, and not
-accessible by others.
-.IP
-Note that by default
-.B sshd
-will be installed so that it requires successful RSA host
-authentication before permitting \s+2.\s0rhosts authentication.  If your
-server machine does not have the client's host key in
-\fI@ETCDIR@/ssh_known_hosts\fR, you can store it in
-\fI$HOME/\s+2.\s0ssh/known_hosts\fR.  The easiest way to do this is to
-connect back to the client from the server machine using ssh; this
-will automatically add the host key in \fI$HOME/\s+2.\s0ssh/known_hosts\fR.
-.ne 3
-.TP
-.I $HOME/\s+2.\s0shosts
-This file is used exactly the same way as \s+2.\s0rhosts.  The purpose for
-having this file is to be able to use rhosts authentication with
-.B ssh
-without permitting login with rlogin or rsh.
-.ne 3
-.TP
-.I /etc/hosts.equiv
-This file is used during \s+2.\s0rhosts authentication.  It contains
-canonical hosts names, one per line (the full format is described on
-the
-.B sshd
-manual page).  If the client host is found in this file, login is
-automatically permitted provided client and server user names are the
-same.  Additionally, successful RSA host authentication is normally
-required.  This file should only be writable by root.
-.TP
-.I @ETCDIR@/shosts.equiv
-This file is processed exactly as 
-.IR /etc/hosts.equiv ".  
-This file may be useful to permit logins using
-.B ssh
-but not using rsh/rlogin.
-.ne 3
-.TP
-.I @ETCDIR@/sshrc
-Commands in this file are executed by
-.B ssh
-when the user logs in just before the user's shell (or command) is started.
-See the
-.B sshd
-manual page for more information.
-.ne 3
-.TP
-.I $HOME/.ssh/rc
-Commands in this file are executed by
-.B ssh
-when the user logs in just before the user's shell (or command) is
-started.
-See the 
-.B sshd
-manual page for more information.
-
-.SH INSTALLATION
-.LP
-.B Ssh
-is normally installed as suid root.  It needs root privileges only for
-rhosts authentication (rhosts authentication requires that the
-connection must come from a privileged port, and allocating such a
-port requires root privileges).  It also needs to be able to read
-\fI@ETCDIR@/ssh_host_key\fR to perform
-.B \s-1RSA\s0
-host authentication.  It is possible to use
-.B ssh
-without root privileges, but rhosts authentication will then be
-disabled.  
-.B Ssh
-drops any extra privileges immediately after the connection to the
-remote host has been made.
-.LP
-Considerable work has been put into making
-.B sshd
-secure.  However, if you find a security problem, please report it
-immediately to <ssh-bugs@cs.hut.fi>.
-
-
-.SH AUTHOR
-.LP
-Tatu Ylonen <ylo@cs.hut.fi>
-.LP
-Information about new releases, mailing lists, and other related
-issues can be found from the ssh WWW home page at
-http://www.cs.hut.fi/ssh.
-
-.SH SEE ALSO
-.BR sshd (8),
-.BR ssh-keygen (1),
-.BR ssh-agent (1),
-.BR ssh-add (1),
-.BR scp (1),
-.BR make-ssh-known-hosts (1),
-.BR rlogin (1),
-.BR rsh (1),
-.BR telnet (1)
diff --git a/usr.bin/ssh/sshd.8.in b/usr.bin/ssh/sshd.8.in
deleted file mode 100644
index 419c132144c..00000000000
--- a/usr.bin/ssh/sshd.8.in
+++ /dev/null
@@ -1,734 +0,0 @@
-.\"  -*- nroff -*-
-.\"
-.\" sshd.8.in
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\"
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" Created: Sat Apr 22 21:55:14 1995 ylo
-.\"
-.\" $Id: sshd.8.in,v 1.1 1999/09/26 20:53:38 deraadt Exp $
-.\"
-.TH SSHD 8 "November 8, 1995" "SSH" "SSH"
-
-.SH NAME
-sshd \- secure shell daemon
-
-.SH SYNOPSIS
-.na
-.B sshd
-[\c
-.BI \-b \ bits\fR\c
-]
-[\c
-.B \-d \c
-]
-[\c
-.BI \-f \ config_file\fR\c
-]
-[\c
-.BI \-g \ login_grace_time\fR\c
-]
-[\c
-.BI \-h \ host_key_file\fR\c
-]
-[\c
-.B \-i \c
-]
-[\c
-.BI \-k \ key_gen_time\fR\c
-]
-[\c
-.BI \-p \ port\fR\c
-]
-[\c
-.B \-q \c
-]
-.ad
-
-
-.SH DESCRIPTION 
-.LP
-.B Sshd 
-(Secure Shell Daemon) is the daemon program for 
-.BR ssh ".
-Together these programs replace rlogin and rsh programs, and
-provide secure encrypted communications between two untrusted hosts
-over an insecure network.  The programs are intended to be as easy to
-install and use as possible.
-.LP
-.B Sshd
-is the daemon that listens for connections from clients.  It is
-normally started at boot from 
-.I /etc/rc.local
-or equivalent.  It forks a new
-daemon for each incoming connection.  The forked daemons handle
-key exchange, encryption, authentication, command execution,
-and data exchange.
-.LP
-Sshd works as follows.  Each host has a host-specific RSA key
-(normally 1024 bits) used to identify the host.  Additionally, when
-the daemon starts, it generates a server RSA key (normally 768 bits).
-This key is normally regenerated every hour if it has been used, and
-is never stored on disk.
-.LP
-Whenever a client connects the daemon, the daemon sends its host
-and server public keys to the client.  The client compares the
-host key against its own database to verify that it has not changed.
-The client then generates a 256 bit random number.  It encrypts this
-random number using both the host key and the server key, and sends
-the encrypted number to the server.  Both sides then start to use this
-random number as a session key which is used to encrypt all further
-communications in the session.  The rest of the session is encrypted
-using a conventional cipher.  Currently, 
-.BR \s-1Blowfish\s0 ",
-.BR \s-1IDEA\s0 ",
-.BR \s-1DES\s0 ",
-.BR \s-1\&3DES\s0 ",
-.B \s-13DES\s0
-is used by default.  The client selects the encryption algorithm to use
-from those offered by the server.
-.LP
-Next, the server and the client enter an authentication dialog.  The
-client tries to authenticate itself using \|\s+2.\s0rhosts
-authentication, \|\s+2.\s0rhosts authentication combined with RSA host
-authentication, RSA challenge-response authentication, or password
-based authentication.
-.LP
-Rhosts authentication is normally disabled
-because it is fundamentally insecure, but can be enabled in the server
-configuration file if desired.  System security is not improved unless
-.BR rshd "(8),
-.BR rlogind "(8),
-.BR rexecd "(8), and
-.B rexd "(8)
-are disabled (thus completely disabling
-.BR rlogin (1)
-and
-.BR rsh (1)
-into that machine).
-.LP
-If the client successfully authenticates itself, a dialog for
-preparing the session is entered.  At this time the client may request
-things like allocating a pseudo-tty, forwarding X11 connections,
-forwarding TCP/IP connections, or forwarding the authentication agent
-connection over the secure channel.
-.LP
-Finally, the client either requests a shell or execution of a command.
-The sides then enter session mode.  In this mode, either side may send
-data at any time, and such data is forwarded to/from the shell or
-command on the server side, and the user terminal in the client side.
-.LP
-When the user program terminates and all forwarded X11 and other
-connections have been closed, the server sends command exit status to
-the client, and both sides exit.
-.LP
-.B Sshd 
-can be configured using command-line options or a configuration
-file.  Command-line options override values specified in the
-configuration file.
-
-
-.SH OPTIONS
-.TP
-.BI \-b \ bits
-Specifies the number of bits in the server key (default 768).
-.TP
-.B \-d
-Debug mode.  The server sends verbose debug output to the system
-log, and does not put itself in the background.  The server also will
-not fork and will only process one connection.  This option is only
-intended for debugging for the server.
-.TP
-.BI \-f \ configuration_file
-Specifies the name of the configuration file.  The default is
-.IR @ETCDIR@/sshd_config ".
-.TP
-.BI \-g \ login_grace_time
-Gives the grace time for clients to authenticate themselves (default
-300 seconds).  If the client fails to authenticate the user within
-this many seconds, the server disconnects and exits.  A value of zero
-indicates no limit.
-.TP
-.BI \-h \ host_key_file
-Specifies the file from which the host key is read (default
-.IR @ETCDIR@/ssh_host_key).  
-This option must be given if sshd is not run as root (as the normal
-host file is normally not readable by anyone but root).
-.TP
-.B \-i
-Specifies that sshd is being run from inetd.  Sshd is normally not run
-from inetd because it needs to generate the server key before it can
-respond to the client, and this may take tens of seconds.  Clients
-would have to wait too long if the key was regenerated every time.
-However, with small key sizes (e.g.  512) using sshd from inetd may
-be feasible.
-.TP
-.BI \-k \ key_gen_time
-Specifies how often the server key is regenerated (default 3600
-seconds, or one hour).  The motivation for regenerating the key fairly
-often is that the key is not stored anywhere, and after about an hour,
-it becomes impossible to recover the key for decrypting intercepted
-communications even if the machine is cracked into or physically
-seized.  A value of zero indicates that the key will never be regenerated.
-.TP
-.BI \-p \ port
-Specifies the port on which the server listens for connections
-(default 22).
-.TP
-.B \-q
-Quiet mode.  Nothing is sent to the system log.  Normally the beginning,
-authentication, and termination of each connection is logged.
-
-.SH CONFIGURATION FILE
-
-.B Sshd
-reads configuration data from 
-.I @ETCDIR@/sshd_config
-(or the file specified with -f on the command line).  The file
-contains keyword-value pairs, one per line.  Lines starting with '#'
-and empty lines are interpreted as comments.
-
-The following keywords are possible.
-.TP
-.B AFSTokenPassing
-Specifies whether to accept AFS tokens passed from the client. Default
-is "yes".
-.TP
-.B AllowHosts
-This keyword can be followed by any number of host name patterns,
-separated by spaces.  If specified, login is allowed only from hosts
-whose name matches one of the patterns.  '*' and '?' can be used as
-wildcards in the patterns.  Normal name servers are used to map the
-client's host into a canonical host name.  If the name cannot be
-mapped, its IP-address is used as the host name.  By default all hosts
-are allowed to connect.
-
-Note that
-.B sshd
-can also be configured to use tcp_wrappers using the --with-libwrap
-compile-time configuration option.
-.TP
-.B DenyHosts
-This keyword can be followed by any number of host name patterns,
-separated by spaces.  If specified, login is disallowed from the hosts
-whose name matches any of the patterns.
-.TP
-.B FascistLogging
-Specifies whether to use verbose logging.  Verbose logging violates
-the privacy of users and is not recommended.  The argument must be
-"yes" or "no" (without the quotes).  The default is "no".
-.TP
-.B HostKey
-Specifies the file containing the private host key (default
-.IR @ETCDIR@/ssh_host_key ").
-.TP
-.B IgnoreRhosts
-Specifies that rhosts and shosts files will not be used in
-authentication.
-.I /etc/hosts.equiv
-and
-.I @ETCDIR@/shosts.equiv 
-are still used.  The default is "no".
-.TP
-.B KeepAlive
-Specifies whether the system should send keepalive messages to the
-other side.  If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.  However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.  On the other hand, if keepalives are not send,
-sessions may hang indefinitely on the server, leaving "ghost" users
-and consuming server resources.
-
-The default is "yes" (to send keepalives), and the server will notice
-if the network goes down or the client host reboots.  This avoids
-infinitely hanging sessions.
-
-To disable keepalives, the value should be set to "no" in both the
-server and the client configuration files.
-.TP
-.B KerberosAuthentication
-Specifies whether Kerberos authentication is allowed. This can
-be in the form of a Kerberos ticket, or if PasswordAuthentication
-is yes, the password provided by the user will be validated through
-the Kerberos KDC / AFS kaserver / DCE Security Server. Default is yes.
-.TP
-.B KerberosOrLocalPasswd
-If set then if password authentication through Kerberos fails then
-the password will be validated via any additional local mechanism
-such as /etc/passwd or SecurID. Default is no.
-.TP
-.B KerberosTgtPassing
-Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is no, TGT forwarding does only work with the AFS kaserver.
-.TP
-.B KerberosTicketCleanup
-Specifies whether to automatically destroy the user's
-ticket cache file on logout. Default is yes.
-.TP
-.B KeyRegenerationInterval
-The server key is automatically regenerated after this many seconds
-(if it has been used).  The purpose of regeneration is to prevent
-decrypting captured sessions by later breaking into the machine and
-stealing the keys.  The key is never stored anywhere.  If the value is
-0, the key is never regenerated.  The default is 3600
-(seconds).
-.TP
-.B LoginGraceTime
-The server disconnects after this time if the user has not
-successfully logged in.  If the value is 0, there is no time limit.
-The default is 600 (seconds).
-.TP
-.B PasswordAuthentication
-Specifies whether password authentication is allowed.
-The default is "yes".
-.TP
-.B PermitEmptyPasswords
-When password authentication is allowed, it specifies whether the
-server allows login to accounts with empty password strings.  The default
-is "yes".
-.TP
-.B PermitRootLogin
-Specifies whether the root can log in using
-.BR ssh .
-The default is "yes".
-
-Root login with RSA authentication when the "command" option has been
-specified will be allowed regardless of the value of this setting
-(which may be useful for taking remote backups even if root login is
-normally not allowed).
-.TP
-.B Port
-Specifies the port number that
-.B sshd
-listens on.  The default is 22.
-.TP
-.B PrintMotd
-Specifies whether
-.B sshd
-should print 
-.I /etc/motd
-when a user logs in interactively.  (On some systems it is also
-printed by the shell, /etc/profile, or equivalent.)  The default is
-"yes".
-.TP
-.B QuietMode
-Specifies whether the system runs in quiet mode.  In quiet mode,
-nothing is logged in the system log, except fatal errors.  The default
-is "no".
-.TP
-.B RandomSeed
-Specifies the file containing the random seed for the server; this
-file is created automatically and updated regularly.  The default is
-.IR @ETCDIR@/ssh_random_seed ".
-.TP
-.B RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
-files is sufficient.  Normally, this method should not be permitted
-because it is insecure.  RhostsRSAAuthentication should be used
-instead, because it performs RSA-based host authentication in addition
-to normal rhosts or /etc/hosts.equiv authentication.
-The default is "no".
-.TP
-.B RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful RSA host authentication is allowed.  The default is "yes".
-.TP
-.B RSAAuthentication
-Specifies whether pure RSA authentication is allowed.  The default is "yes".
-.TP
-.B ServerKeyBits
-Defines the number of bits in the server key.  The minimum value is
-512, and the default is 768.
-.TP
-.B StrictModes
-Specifies whether ssh should check file modes and ownership of the
-user's home directory and rhosts files before accepting login.  This
-is normally desirable because novices sometimes accidentally leave their
-directory or files world-writable.  The default is "yes".
-.TP
-.B SyslogFacility
-Gives the facility code that is used when logging messages from
-.B sshd.
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The default is DAEMON.
-.TP
-.B X11Forwarding
-Specifies whether X11 forwarding is permitted.  The default is "yes".
-Note that disabling X11 forwarding does not improve security in any
-way, as users can always install their own forwarders.
-
-.SH LOGIN PROCESS
-
-When a user successfully logs in,
-.B sshd
-does the following:
-.IP 1.
-If the login is on a tty, and no command has been specified,
-prints last login time and 
-.B /etc/motd
-(unless prevented in the configuration file or by
-.IR $HOME/\s+2.\s0hushlogin ;
-see the FILES section).
-.IP 2.
-If the login is on a tty, records login time.
-.IP 3.
-Checks /etc/nologin; if it exists, prints contents and quits
-(unless root).
-.IP 4.
-Changes to run with normal user privileges.
-.IP 5.
-Sets up basic environment.
-.IP 6.
-Reads /etc/environment if it exists.
-.IP 7.
-Reads $HOME/.ssh/environment if it exists.
-.IP 8.
-Changes to user's home directory.
-.IP 9.
-If $HOME/.ssh/rc exists, runs it; else if @ETCDIR@/sshrc exists, runs
-it; otherwise runs xauth.  The "rc" files are given the X11
-authentication protocol and cookie in standard input.
-.IP 10.
-Runs user's shell or command.
-.RT
-
-
-.SH AUTHORIZED_KEYS FILE FORMAT
-.LP
-The 
-.I \&$HOME/\s+2.\s0ssh/authorized_keys
-file lists the RSA keys that are
-permitted for RSA authentication.  Each line of the file contains one
-key (empty lines and lines starting with a '#' are ignored as
-comments).  Each line consists of the following fields, separated by
-spaces: options, bits, exponent, modulus, comment.  The options field
-is optional; its presence is determined by whether the line starts
-with a number or not (the option field never starts with a number).
-The bits, exponent, modulus and comment fields give the RSA key; the
-comment field is not used for anything (but may be convenient for the
-user to identify the key).
-.LP
-Note that lines in this file are usually several hundred bytes long
-(because of the size of the RSA key modulus).  You don't want to type
-them in; instead, copy the 
-.I identity.pub
-file and edit it.
-.LP
-The options (if present) consists of comma-separated option
-specifications.  No spaces are permitted, except within double quotes.
-The following option specifications are supported:
-.IP
-.ti -.5i
-\fBfrom="pattern-list" \fR
-.br
-Specifies that in addition to RSA authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-patterns ('*' and '?' serve as wildcards).  The list may also contain
-patterns negated by prefixing them with '!'; if the canonical host
-name matches a negated pattern, the key is not accepted.  The purpose
-of this option is to optionally increase security: RSA authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.  This
-additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
-.IP
-.ti -.5i
-\fBcommand="command"\fR
-.br
-Specifies that the command is executed whenever this key is used for
-authentication.  The command supplied by the user (if any) is ignored.
-The command is run on a pty if the connection requests a pty;
-otherwise it is run without a tty.  A quote may be included in the
-command by quoting it with a backslash.  This option might be useful
-to restrict certain RSA keys to perform just a specific operation.  An
-example might be a key that permits remote backups but nothing
-else.  Notice that the client may specify TCP/IP and/or X11
-forwardings unless they are explicitly prohibited.
-.IP
-.ti -.5i
-\fBenvironment="NAME=value"\fR
-.br
-Specifies that the string is to be added to the environment when
-logging in using this key.  Environment variables set this way
-override other default environment values.  Multiple options of this
-type are permitted.
-.TP
-.B no-port-forwarding
-Forbids TCP/IP forwarding when this key is used for authentication.
-Any port forward requests by the client will return an error.  This
-might be used e.g.  in connection with the
-.B command
-option.
-.TP
-.B no-X11-forwarding
-Forbids X11 forwarding when this key is used for authentication.
-Any X11 forward requests by the client will return an error.
-.TP
-.B no-agent-forwarding
-Forbids authentication agent forwarding when this key is used for
-authentication.
-.TP
-.B no-pty
-Prevents tty allocation (a request to allocate a pty will fail).
-
-.SS Examples
-.LP
-1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
-.LP
-from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
-.LP
-command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
-
-
-
-.SH SSH_KNOWN_HOSTS FILE FORMAT
-.LP
-The 
-.I @ETCDIR@/ssh_known_hosts
-and 
-.I \&$HOME/\s+2.\s0ssh/known_hosts
-files contain host public keys for all known hosts.  The global file should
-be prepared by the admistrator (optional), and the per-user file is
-maintained automatically: whenever the user connects an unknown host
-its key is added to the per-user file.  The recommended way to create
-.I @ETCDIR@/ssh_known_hosts
-is to use the
-.B make-ssh-known-hosts
-command.
-.LP
-Each line in these files contains the following fields: hostnames,
-bits, exponent, modulus, comment.  The fields are separated by spaces.
-.LP
-Hostnames is a comma-separated list of patterns ('*' and '?' act as
-wildcards); each pattern in turn is matched against the canonical host
-name (when authenticating a client) or against the user-supplied
-name (when authenticating a server).  A pattern may also be preceded
-by '!' to indicate negation: if the host name matches a negated
-pattern, it is not accepted (by that line) even if it matched another
-pattern on the line.
-.LP
-Bits, exponent, and modulus are taken directly from the host key; they
-can be obtained e.g.  from
-.IR @ETCDIR@/ssh_host_key.pub ".
-The optional comment field continues to the end of the line, and is not used.
-.LP
-Lines starting with '#' and empty lines are ignored as comments.
-.LP
-When performing host authentication, authentication is accepted if any
-matching line has the proper key.  It is thus permissible (but not
-recommended) to have several lines or different host keys for the same
-names.  This will inevitably happen when short forms of host names
-from different domains are put in the file.  It is possible
-that the files contain conflicting information; authentication is
-accepted if valid information can be found from either file.
-.LP
-Note that the lines in these files are typically hundreds of characters
-long, and you definitely don't want to type in the host keys by hand.
-Rather, generate them by a script (see 
-.BR make-ssh-known-hosts (1))
-or by taking 
-.I @ETCDIR@/ssh_host_key.pub
-and adding the host names at the front.
-
-.SS Examples
-
-closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi
-
-.SH FILES
-.TP
-.I @ETCDIR@/sshd_config
-Contains configuration data for
-.BR sshd .  
-This file should be writable by root only, but it is recommended
-(though not necessary) that it be world-readable.
-.TP
-.I @ETCDIR@/ssh_host_key
-Contains the private part of the host key.  This file is normally
-created automatically by "make install", but can also be created
-manually using
-.BR ssh-keygen (1).
-This file should only be owned by root, readable only by root, and not
-accessible to others.
-.TP
-.I @ETCDIR@/ssh_host_key.pub
-Contains the public part of the host key.  This file is normally
-created automatically by "make install", but can also be created
-manually.  This file should be world-readable but writable only by
-root.  Its contents should match the private part.  This file is not
-really used for anything; it is only provided for the convenience of
-the user so its contents can be copied to known hosts files.
-.TP
-.I @ETCDIR@/ssh_random_seed
-This file contains a seed for the random number generator.  This file
-should only be accessible by root.
-.TP
-.I @PIDDIR@/sshd.pid
-Contains the process id of the
-.B sshd
-listening for connections (if there are several daemons running
-concurrently for different ports, this contains the pid of the one
-started last).  The contents of this file are not sensitive; it can be
-world-readable.
-.TP
-.I \&$HOME/\s+2.\s0ssh/authorized_keys
-Lists the RSA keys that can be used to log into the user's account.
-This file must be readable by root (which may on some machines imply
-it being world-readable if the user's home directory resides on an NFS
-volume).  It is recommended that it not be accessible by others.  The
-format of this file is described above.
-.TP
-.I "@ETCDIR@/ssh_known_hosts\fR and \fI$HOME/\s+2.\s0ssh/known_hosts\fR
-These files are consulted when using rhosts with RSA host
-authentication to check the public key of the host.  The key must be
-listed in one of these files to be accepted.  (The client uses the
-same files to verify that the remote host is the one we intended to
-connect.)  These files should be writable only by root/the owner.
-.I @ETCDIR@/ssh_known_hosts
-should be world-readable, and \fI$HOME/\s+2.\s0ssh/known_hosts\fR can
-but need not be world-readable.
-.TP
-.I /etc/nologin
-If this file exists, 
-.B sshd
-refuses to let anyone except root log in.  The contents of the file
-are displayed to anyone trying to log in, and non-root connections are
-refused.  The file should be world-readable.
-.TP
-.I \&$HOME/\s+2.\s0rhosts
-This file contains host-username pairs, separated by a space, one per
-line.  The given user on the corresponding host is permitted to log in
-without password.  The same file is used by rlogind and rshd.
-.B Ssh 
-differs from rlogind
-and rshd in that it requires RSA host authentication in addition to
-validating the host name retrieved from domain name servers (unless
-compiled with the \-\-with\-rhosts configuration option).  The file must
-be writable only by the user; it is recommended that it not be
-accessible by others.
-
-If is also possible to use netgroups in the file.  Either host or user
-name may be of the form +@groupname to specify all hosts or all users
-in the group.
-.TP
-.I \&$HOME/\s+2.\s0shosts
-For
-.B ssh,
-this file is exactly the same as for \s+2.\s0rhosts.  However, this file is
-not used by rlogin and rshd, so using this permits access using
-.B ssh
-only.
-.TP
-.I /etc/hosts.equiv
-This file is used during \s+2.\s0rhosts authentication.  In the
-simplest form, this file contains host names, one per line.  Users on
-those hosts are permitted to log in without a password, provided they
-have the same user name on both machines.  The host name may also be
-followed by a user name; such users are permitted to log in as
-.B any
-user on this machine (except root).  Additionally, the syntax +@group
-can be used to specify netgroups.  Negated entries start with '-'.
-
-If the client host/user is successfully matched in this file, login is
-automatically permitted provided the client and server user names are the
-same.  Additionally, successful RSA host authentication is normally
-required.  This file must be writable only by root; it is recommended
-that it be world-readable.
-
-\fBWarning: It is almost never a good idea to use user names in 
-hosts.equiv.\fR
-Beware that it really means that the named user(s) can log in as
-\fBanybody\fR,
-which includes bin, daemon, adm, and other accounts that own critical
-binaries and directories.  Using a user name practically grants the
-user root access.  The only valid use for user names that I can think
-of is in negative entries.
-\fBNote that this warning also applies to rsh/rlogin.\fR
-.TP
-.I @ETCDIR@/shosts.equiv
-This is processed exactly as
-.I /etc/hosts.equiv.
-However, this file may be useful in environments that want to run both
-rsh/rlogin and
-.B ssh.
-.TP
-.I /etc/environment
-This file is read into the environment at login (if it exists).  It
-can only contain empty lines, comment lines (that start with '#'), and
-assignment lines of the form name=value.  This file is processed in
-all environments (normal rsh/rlogin only process it on AIX and
-potentially some other systems).  The file should be writable only by
-root, and should be world-readable.
-.TP
-.I \&$HOME/\s+2.\s0ssh/environment
-This file is read into the environment after /etc/environment.  It has
-the same format.  The file should be writable only by the user; it
-need not be readable by anyone else.
-.TP
-.I \&$HOME/\s+2.\s0ssh/rc
-If this file exists, it is run with /bin/sh after reading the
-environment files but before starting the user's shell or command.  If
-X11 spoofing is in use, this will receive the "proto cookie" pair in
-standard input (and DISPLAY in environment).  This must call xauth in
-that case. 
-
-The primary purpose of this file is to run any initialization routines
-which may be needed before the user's home directory becomes
-accessible; AFS is a particular example of such an environment.
-
-This file will probably contain some initialization code followed by
-something similar to: "if read proto cookie; then echo add $DISPLAY
-$proto $cookie | xauth -q -; fi".
-
-If this file does not exist, @ETCDIR@/sshrc is run, and if that
-does not exist either, xauth is used to store the cookie.
-
-This file should be writable only by the user, and need not be
-readable by anyone else.
-.TP
-.I @ETCDIR@/sshrc
-Like $HOME/\s+2.\s0ssh/rc.  This can be used to specify
-machine-specific login-time initializations globally.  This file
-should be writable only by root, and should be world-readable.
-
-
-.SH INSTALLATION
-.LP
-.B Sshd 
-is normally run as root.  If it is not run as root, it can
-only log in as the user it is running as, and password authentication
-may not work if the system uses shadow passwords.  An alternative
-host key file must also be used.
-.LP
-.B Sshd 
-is normally started from 
-.I /etc/rc.local
-or equivalent at system boot.
-.LP
-Considerable work has been put to making
-.B sshd
-secure.  However, if you find a security problem, please report it
-immediately to <ssh-bugs@cs.hut.fi>.
-
-.SH AUTHOR
-.LP
-Tatu Ylonen <ylo@cs.hut.fi>
-.LP
-Information about new releases, mailing lists, and other related
-issues can be found from the ssh WWW home page at
-http://www.cs.hut.fi/ssh.
-
-.SH SEE ALSO
-.LP
-.BR ssh (1),
-.BR make-ssh-known-hosts (1),
-.BR ssh-keygen (1),
-.BR ssh-agent (1),
-.BR ssh-add (1),
-.BR scp (1),
-.BR rlogin (1),
-.BR rsh (1)