authorBryan Drewery <bdrewery@FreeBSD.org>2015-07-27 18:30:24 +0000
committerBryan Drewery <bdrewery@FreeBSD.org>2015-07-27 18:30:24 +0000
commit252029117376a7f5b20a5a0fb07916546daeb366 (patch)
treeade11063c789f9c0805225c89294dd5070c25bb4 /security/openssh-portable
parent85db98685f29200ea0d4f873a758aebbbe1bedc9 (diff)
Diffstat (limited to 'security/openssh-portable')
-rw-r--r--security/openssh-portable/Makefile9
-rw-r--r--security/openssh-portable/distinfo8
-rw-r--r--security/openssh-portable/files/extra-patch-hpn31
-rw-r--r--security/openssh-portable/files/extra-patch-ttssh78
-rw-r--r--security/openssh-portable/files/patch-compat.c17
-rw-r--r--security/openssh-portable/files/patch-monitor_wrap.c16
-rw-r--r--security/openssh-portable/files/patch-servconf.c9
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.116
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c28
-rw-r--r--security/openssh-portable/files/patch-sshd_config9
-rw-r--r--security/openssh-portable/files/patch-sshd_config.522
11 files changed, 54 insertions, 189 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 2901e0df4f5d..761aa7cc4ea4 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 6.8p1
-PORTREVISION= 8
+DISTVERSION= 6.9p1
+PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -47,7 +47,6 @@ NONECIPHER_DESC= NONE Cipher support
OPTIONS_SUB= yes
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-ttssh
TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
LDNS_CONFIGURE_WITH= ldns
@@ -61,9 +60,9 @@ HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 8.3
+X509_VERSION= 8.4
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= ${PORTNAME}-6.8p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-6.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index eafe5741060d..ccb41cef2a6e 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,7 +1,7 @@
-SHA256 (openssh-6.8p1.tar.gz) = 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e
-SIZE (openssh-6.8p1.tar.gz) = 1475953
-SHA256 (openssh-6.8p1+x509-8.3.diff.gz) = 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304
-SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942
+SHA256 (openssh-6.9p1.tar.gz) = 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe
+SIZE (openssh-6.9p1.tar.gz) = 1487617
+SHA256 (openssh-6.9p1+x509-8.4.diff.gz) = 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb
+SIZE (openssh-6.9p1+x509-8.4.diff.gz) = 425687
SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 87c7bfadbeab..e4cc3f46d454 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -398,15 +398,14 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
return check[i].bugs;
}
}
---- work.clean/openssh-6.8p1/compat.h 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/compat.h 2015-04-03 16:39:34.780416000 -0500
-@@ -60,7 +60,10 @@
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
+--- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500
++++ work/openssh/compat.h 2015-06-02 09:55:04.208681000 -0500
+@@ -62,6 +62,9 @@
#define SSH_BUG_CURVE25519PAD 0x10000000
#define SSH_BUG_HOSTKEYS 0x20000000
+ #define SSH_BUG_DHGEX_LARGE 0x40000000
+#ifdef HPN_ENABLED
-+#define SSH_BUG_LARGEWINDOW 0x40000000
++#define SSH_BUG_LARGEWINDOW 0x80000000
+#endif
void enable_compat13(void);
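Review bot: `SSH_BUG_LARGEWINDOW` is moved to 0x80000000, the top bit of a 32-bit flag word, so there is no higher value left to move to when upstream allocates its next `SSH_BUG_*` flag, the way `SSH_BUG_DHGEX_LARGE` took over 0x40000000 here. A collision is silent: peers matched for the upstream bug would also get the HPN large-window handling, or the reverse. 0x80000000 is also the sign bit if the flag word is a signed int (its declaration is outside this hunk), so the type of that variable and of the `bugs` table field is worth confirming. I would add above the define: `/* HPN-local, not allocated upstream: re-check against all SSH_BUG_* values on every OpenSSH update */`.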
@@ -718,12 +717,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
struct timeval tv[2];
#define atime tv[0]
---- work.clean/openssh-6.8p1/servconf.c 2015-04-01 22:07:18.142441000 -0500
-+++ work/openssh-6.8p1/servconf.c 2015-04-03 16:32:16.114236000 -0500
-@@ -160,6 +160,14 @@
- options->revoked_keys_file = NULL;
- options->trusted_user_ca_keys = NULL;
+--- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500
++++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500
+@@ -163,6 +163,14 @@ initialize_server_options(ServerOptions
options->authorized_principals_file = NULL;
+ options->authorized_principals_command = NULL;
+ options->authorized_principals_command_user = NULL;
+#ifdef NONE_CIPHER_ENABLED
+ options->none_enabled = -1;
+#endif
@@ -735,7 +734,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
-@@ -326,6 +334,57 @@
+@@ -329,6 +337,57 @@ fill_default_server_options(ServerOption
}
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
@@ -793,7 +792,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
if (options->ip_qos_interactive == -1)
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
-@@ -401,6 +460,12 @@
+@@ -406,6 +465,12 @@ typedef enum {
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
@@ -803,10 +802,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#ifdef HPN_ENABLED
+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
+#endif
+ sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
-@@ -529,6 +594,14 @@
+@@ -537,6 +602,14 @@ static struct {
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@@ -821,7 +820,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -1113,6 +1186,25 @@
+@@ -1156,6 +1229,25 @@ process_server_config_line(ServerOptions
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
diff --git a/security/openssh-portable/files/extra-patch-ttssh b/security/openssh-portable/files/extra-patch-ttssh
deleted file mode 100644
index 6904498a1ebc..000000000000
--- a/security/openssh-portable/files/extra-patch-ttssh
+++ /dev/null
@@ -1,78 +0,0 @@
-commit d8f391caef62378463a0e6b36f940170dadfe605
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Apr 10 05:16:50 2015 +0000
-
- upstream commit
-
- Don't send hostkey advertisments
- (hostkeys-00@openssh.com) to current versions of Tera Term as they can't
- handle them. Newer versions should be OK. Patch from Bryan Drewery and
- IWAMOTO Kouichi, ok djm@
-
-diff --git compat.c compat.c
-index 2498168..0934de9 100644
---- compat.c
-+++ compat.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: compat.c,v 1.88 2015/04/07 23:00:42 djm Exp $ */
-+/* $OpenBSD: compat.c,v 1.89 2015/04/10 05:16:50 dtucker Exp $ */
- /*
- * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
- *
-@@ -167,6 +167,17 @@ compat_datafellows(const char *version)
- SSH_BUG_SCANNER },
- { "Probe-*",
- SSH_BUG_PROBE },
-+ { "TeraTerm SSH*,"
-+ "TTSSH/1.5.*,"
-+ "TTSSH/2.1*,"
-+ "TTSSH/2.2*,"
-+ "TTSSH/2.3*,"
-+ "TTSSH/2.4*,"
-+ "TTSSH/2.5*,"
-+ "TTSSH/2.6*,"
-+ "TTSSH/2.70*,"
-+ "TTSSH/2.71*,"
-+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
- { NULL, 0 }
- };
-
-diff --git compat.h compat.h
-index af2f007..83507f0 100644
---- compat.h
-+++ compat.h
-@@ -1,4 +1,4 @@
--/* $OpenBSD: compat.h,v 1.46 2015/01/19 20:20:20 markus Exp $ */
-+/* $OpenBSD: compat.h,v 1.47 2015/04/10 05:16:50 dtucker Exp $ */
-
- /*
- * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
-@@ -60,6 +60,7 @@
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- #define SSH_BUG_CURVE25519PAD 0x10000000
-+#define SSH_BUG_HOSTKEYS 0x20000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-diff --git sshd.c sshd.c
-index 6aa17fa..60b0cd4 100644
---- sshd.c
-+++ sshd.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sshd.c,v 1.445 2015/03/31 22:55:24 djm Exp $ */
-+/* $OpenBSD: sshd.c,v 1.446 2015/04/10 05:16:50 dtucker Exp $ */
- /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -928,6 +928,10 @@ notify_hostkeys(struct ssh *ssh)
- int i, nkeys, r;
- char *fp;
-
-+ /* Some clients cannot cope with the hostkeys message, skip those. */
-+ if (datafellows & SSH_BUG_HOSTKEYS)
-+ return;
-+
- if ((buf = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new", __func__);
- for (i = nkeys = 0; i < options.num_host_key_files; i++) {
diff --git a/security/openssh-portable/files/patch-compat.c b/security/openssh-portable/files/patch-compat.c
deleted file mode 100644
index a0a873efb89c..000000000000
--- a/security/openssh-portable/files/patch-compat.c
+++ /dev/null
@@ -1,17 +0,0 @@
-Avoid a heap overflow. Upstream did not deem this a security issue. It appears
-to be mostly harmless too.
-
-http://www.openwall.com/lists/oss-security/2015/05/16/3
-https://anongit.mindrot.org/openssh.git/commit/?id=77199d6ec8986d470487e66f8ea8f4cf43d2e20c
-
---- compat.c 2015-03-17 06:49:20.000000000 +0100
-+++ compat.c 2015-05-03 17:51:32.251293388 +0200
-@@ -229,7 +229,7 @@
- buffer_init(&b);
- tmp = orig_prop = xstrdup(proposal);
- while ((cp = strsep(&tmp, ",")) != NULL) {
-- if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) {
-+ if (match_pattern_list(cp, filter, strlen(filter), 0) != 1) {
- if (buffer_len(&b) > 0)
- buffer_append(&b, ",", 1);
- buffer_append(&b, cp, strlen(cp));
diff --git a/security/openssh-portable/files/patch-monitor_wrap.c b/security/openssh-portable/files/patch-monitor_wrap.c
deleted file mode 100644
index 67e0b979c138..000000000000
--- a/security/openssh-portable/files/patch-monitor_wrap.c
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index b379f05..d39d491 100644
---- monitor_wrap.c
-+++ monitor_wrap.c
-@@ -153,10 +153,8 @@ mm_request_receive(int sock, Buffer *m)
- debug3("%s entering", __func__);
-
- if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
-- if (errno == EPIPE) {
-- error("%s: socket closed", __func__);
-+ if (errno == EPIPE)
- cleanup_exit(255);
-- }
- fatal("%s: read: %s", __func__, strerror(errno));
- }
- msg_len = get_u32(buf);
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
index 229ab3c12310..8a0b4086683f 100644
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -17,15 +17,6 @@
/* X.509 Standard Options */
#ifdef OPENSSL_FIPS
-@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption
- if (options->key_regeneration_time == -1)
- options->key_regeneration_time = 3600;
- if (options->permit_root_login == PERMIT_NOT_SET)
-- options->permit_root_login = PERMIT_YES;
-+ options->permit_root_login = PERMIT_NO;
- if (options->ignore_rhosts == -1)
- options->ignore_rhosts = 1;
- if (options->ignore_user_known_hosts == -1)
@@ -287,7 +288,7 @@ fill_default_server_options(ServerOption
if (options->print_lastlog == -1)
options->print_lastlog = 1;
diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1
index 7d1e2a68ddf0..dcebf47abf7a 100644
--- a/security/openssh-portable/files/patch-ssh-agent.1
+++ b/security/openssh-portable/files/patch-ssh-agent.1
@@ -3,20 +3,18 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
-Index: ssh-agent.1
-===================================================================
---- ssh-agent.1 (revision 226102)
-+++ ssh-agent.1 (revision 226103)
-@@ -44,7 +44,7 @@
+--- ssh-agent.1.orig 2015-05-29 03:27:21.000000000 -0500
++++ ssh-agent.1 2015-06-02 09:45:37.025390000 -0500
+@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
--.Op Fl d
-+.Op Fl dx
+-.Op Fl Dd
++.Op Fl Ddx
.Op Fl a Ar bind_address
+ .Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
- .Op Ar command Op Ar arg ...
-@@ -103,6 +103,8 @@
+@@ -128,6 +128,8 @@
.Xr ssh-add 1
overrides this value.
Without this option the default maximum lifetime is forever.
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index f9699800c7e2..efe297d3c45c 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -7,9 +7,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
---- ssh-agent.c.orig 2015-03-17 00:49:20.000000000 -0500
-+++ ssh-agent.c 2015-03-20 00:00:48.800352000 -0500
-@@ -150,15 +150,34 @@ static long lifetime = 0;
+--- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500
++++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500
+@@ -157,15 +157,34 @@ static long lifetime = 0;
static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -44,7 +44,7 @@ disconnected.
}
static void
-@@ -910,6 +929,10 @@ new_socket(sock_type type, int fd)
+@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd)
{
u_int i, old_alloc, new_alloc;
@@ -55,16 +55,16 @@ disconnected.
set_nonblock(fd);
if (fd > max_fd)
-@@ -1138,7 +1161,7 @@ usage(void)
+@@ -1166,7 +1189,7 @@ static void
+ usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-E fingerprint_hash]\n"
-- " [-t life] [command [arg ...]]\n"
-+ " [-t life] [-x] [command [arg ...]]\n"
+- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
++ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
+ " [-t life] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
- }
-@@ -1168,6 +1191,7 @@ main(int ac, char **av)
+@@ -1197,6 +1220,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
@@ -72,16 +72,16 @@ disconnected.
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
-@@ -1181,7 +1205,7 @@ main(int ac, char **av)
+@@ -1210,7 +1234,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
-- while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) {
-+ while ((ch = getopt(ac, av, "cdksE:a:t:x")) != -1) {
+- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1215,6 +1239,9 @@ main(int ac, char **av)
+@@ -1249,6 +1273,9 @@ main(int ac, char **av)
usage();
}
break;
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index 8e2ca0e2b48c..65e8f6cc6947 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -10,15 +10,6 @@
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
-@@ -41,7 +44,7 @@
- # Authentication:
-
- #LoginGraceTime 2m
--#PermitRootLogin yes
-+#PermitRootLogin no
- #StrictModes yes
- #MaxAuthTries 6
- #MaxSessions 10
@@ -50,8 +53,7 @@
#PubkeyAuthentication yes
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 85d213a8a791..90a0351f1698 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -1,6 +1,6 @@
---- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500
-+++ sshd_config.5 2015-03-22 21:57:45.538655000 -0500
-@@ -304,7 +304,9 @@ By default, no banner is displayed.
+--- sshd_config.5.orig 2015-05-29 03:27:21.000000000 -0500
++++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500
+@@ -375,7 +375,9 @@ By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or through authentication styles supported in
@@ -11,7 +11,7 @@
The default is
.Dq yes .
.It Cm ChrootDirectory
-@@ -977,7 +979,22 @@ are refused if the number of unauthentic
+@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@@ -34,12 +34,10 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
-@@ -1023,7 +1040,14 @@ The argument must be
- or
+@@ -1158,6 +1175,13 @@ or
.Dq no .
The default is
--.Dq yes .
-+.Dq no .
+ .Dq no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
@@ -50,7 +48,7 @@
.Pp
If this option is set to
.Dq without-password ,
-@@ -1178,7 +1202,9 @@ an OpenSSH Key Revocation List (KRL) as
+@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
.It Cm RhostsRSAAuthentication
@@ -61,7 +59,7 @@
with successful RSA host authentication is allowed.
The default is
.Dq no .
-@@ -1343,7 +1369,7 @@ is enabled, you will not be able to run
+@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
@@ -70,7 +68,7 @@
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-@@ -1365,7 +1391,10 @@ restrictions.
+@@ -1520,7 +1546,10 @@ restrictions.
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
@@ -82,7 +80,7 @@
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
-@@ -1379,7 +1408,7 @@ The argument must be
+@@ -1534,7 +1563,7 @@ The argument must be
or
.Dq no .
The default is