diff options
author | Bryan Drewery <bdrewery@FreeBSD.org> | 2015-07-27 18:30:24 +0000 |
---|---|---|
committer | Bryan Drewery <bdrewery@FreeBSD.org> | 2015-07-27 18:30:24 +0000 |
commit | 252029117376a7f5b20a5a0fb07916546daeb366 (patch) | |
tree | ade11063c789f9c0805225c89294dd5070c25bb4 /security/openssh-portable | |
parent | 85db98685f29200ea0d4f873a758aebbbe1bedc9 (diff) | |
download | ports-252029117376a7f5b20a5a0fb07916546daeb366.tar.gz ports-252029117376a7f5b20a5a0fb07916546daeb366.zip |
Notes
Diffstat (limited to 'security/openssh-portable')
-rw-r--r-- | security/openssh-portable/Makefile | 9 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 8 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn | 31 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-ttssh | 78 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-compat.c | 17 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-monitor_wrap.c | 16 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-servconf.c | 9 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.1 | 16 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.c | 28 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config | 9 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config.5 | 22 |
11 files changed, 54 insertions, 189 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 2901e0df4f5d..761aa7cc4ea4 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.8p1 -PORTREVISION= 8 +DISTVERSION= 6.9p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -47,7 +47,6 @@ NONECIPHER_DESC= NONE Cipher support OPTIONS_SUB= yes -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-ttssh TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns @@ -61,9 +60,9 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 8.3 +X509_VERSION= 8.4 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 -X509_PATCHFILES= ${PORTNAME}-6.8p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-6.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index eafe5741060d..ccb41cef2a6e 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,7 +1,7 @@ -SHA256 (openssh-6.8p1.tar.gz) = 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e -SIZE (openssh-6.8p1.tar.gz) = 1475953 -SHA256 (openssh-6.8p1+x509-8.3.diff.gz) = 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304 -SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942 +SHA256 (openssh-6.9p1.tar.gz) = 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe +SIZE (openssh-6.9p1.tar.gz) = 1487617 +SHA256 (openssh-6.9p1+x509-8.4.diff.gz) = 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb +SIZE (openssh-6.9p1+x509-8.4.diff.gz) = 425687 SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8 SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825 SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index 87c7bfadbeab..e4cc3f46d454 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn @@ -398,15 +398,14 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o return check[i].bugs; } } ---- work.clean/openssh-6.8p1/compat.h 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/compat.h 2015-04-03 16:39:34.780416000 -0500 -@@ -60,7 +60,10 @@ - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 +--- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500 ++++ work/openssh/compat.h 2015-06-02 09:55:04.208681000 -0500 +@@ -62,6 +62,9 @@ #define SSH_BUG_CURVE25519PAD 0x10000000 #define SSH_BUG_HOSTKEYS 0x20000000 + #define SSH_BUG_DHGEX_LARGE 0x40000000 +#ifdef HPN_ENABLED -+#define SSH_BUG_LARGEWINDOW 0x40000000 ++#define SSH_BUG_LARGEWINDOW 0x80000000 +#endif void enable_compat13(void); @@ -718,12 +717,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o struct timeval tv[2]; #define atime tv[0] ---- work.clean/openssh-6.8p1/servconf.c 2015-04-01 22:07:18.142441000 -0500 -+++ work/openssh-6.8p1/servconf.c 2015-04-03 16:32:16.114236000 -0500 -@@ -160,6 +160,14 @@ - options->revoked_keys_file = NULL; - options->trusted_user_ca_keys = NULL; +--- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500 ++++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500 +@@ -163,6 +163,14 @@ initialize_server_options(ServerOptions options->authorized_principals_file = NULL; + options->authorized_principals_command = NULL; + options->authorized_principals_command_user = NULL; +#ifdef NONE_CIPHER_ENABLED + options->none_enabled = -1; +#endif @@ -735,7 +734,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; -@@ -326,6 +334,57 @@ +@@ -329,6 +337,57 @@ fill_default_server_options(ServerOption } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; @@ -793,7 +792,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) -@@ -401,6 +460,12 @@ +@@ -406,6 +465,12 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, @@ -803,10 +802,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#ifdef HPN_ENABLED + sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, +#endif + sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, -@@ -529,6 +594,14 @@ +@@ -537,6 +602,14 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, @@ -821,7 +820,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, -@@ -1113,6 +1186,25 @@ +@@ -1156,6 +1229,25 @@ process_server_config_line(ServerOptions intptr = &options->ignore_user_known_hosts; goto parse_flag; diff --git a/security/openssh-portable/files/extra-patch-ttssh b/security/openssh-portable/files/extra-patch-ttssh deleted file mode 100644 index 6904498a1ebc..000000000000 --- a/security/openssh-portable/files/extra-patch-ttssh +++ /dev/null @@ -1,78 +0,0 @@ -commit d8f391caef62378463a0e6b36f940170dadfe605 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Apr 10 05:16:50 2015 +0000 - - upstream commit - - Don't send hostkey advertisments - (hostkeys-00@openssh.com) to current versions of Tera Term as they can't - handle them. Newer versions should be OK. Patch from Bryan Drewery and - IWAMOTO Kouichi, ok djm@ - -diff --git compat.c compat.c -index 2498168..0934de9 100644 ---- compat.c -+++ compat.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: compat.c,v 1.88 2015/04/07 23:00:42 djm Exp $ */ -+/* $OpenBSD: compat.c,v 1.89 2015/04/10 05:16:50 dtucker Exp $ */ - /* - * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. - * -@@ -167,6 +167,17 @@ compat_datafellows(const char *version) - SSH_BUG_SCANNER }, - { "Probe-*", - SSH_BUG_PROBE }, -+ { "TeraTerm SSH*," -+ "TTSSH/1.5.*," -+ "TTSSH/2.1*," -+ "TTSSH/2.2*," -+ "TTSSH/2.3*," -+ "TTSSH/2.4*," -+ "TTSSH/2.5*," -+ "TTSSH/2.6*," -+ "TTSSH/2.70*," -+ "TTSSH/2.71*," -+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS }, - { NULL, 0 } - }; - -diff --git compat.h compat.h -index af2f007..83507f0 100644 ---- compat.h -+++ compat.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: compat.h,v 1.46 2015/01/19 20:20:20 markus Exp $ */ -+/* $OpenBSD: compat.h,v 1.47 2015/04/10 05:16:50 dtucker Exp $ */ - - /* - * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. -@@ -60,6 +60,7 @@ - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 - #define SSH_BUG_CURVE25519PAD 0x10000000 -+#define SSH_BUG_HOSTKEYS 0x20000000 - - void enable_compat13(void); - void enable_compat20(void); -diff --git sshd.c sshd.c -index 6aa17fa..60b0cd4 100644 ---- sshd.c -+++ sshd.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: sshd.c,v 1.445 2015/03/31 22:55:24 djm Exp $ */ -+/* $OpenBSD: sshd.c,v 1.446 2015/04/10 05:16:50 dtucker Exp $ */ - /* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -928,6 +928,10 @@ notify_hostkeys(struct ssh *ssh) - int i, nkeys, r; - char *fp; - -+ /* Some clients cannot cope with the hostkeys message, skip those. */ -+ if (datafellows & SSH_BUG_HOSTKEYS) -+ return; -+ - if ((buf = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new", __func__); - for (i = nkeys = 0; i < options.num_host_key_files; i++) { diff --git a/security/openssh-portable/files/patch-compat.c b/security/openssh-portable/files/patch-compat.c deleted file mode 100644 index a0a873efb89c..000000000000 --- a/security/openssh-portable/files/patch-compat.c +++ /dev/null @@ -1,17 +0,0 @@ -Avoid a heap overflow. Upstream did not deem this a security issue. It appears -to be mostly harmless too. - -http://www.openwall.com/lists/oss-security/2015/05/16/3 -https://anongit.mindrot.org/openssh.git/commit/?id=77199d6ec8986d470487e66f8ea8f4cf43d2e20c - ---- compat.c 2015-03-17 06:49:20.000000000 +0100 -+++ compat.c 2015-05-03 17:51:32.251293388 +0200 -@@ -229,7 +229,7 @@ - buffer_init(&b); - tmp = orig_prop = xstrdup(proposal); - while ((cp = strsep(&tmp, ",")) != NULL) { -- if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) { -+ if (match_pattern_list(cp, filter, strlen(filter), 0) != 1) { - if (buffer_len(&b) > 0) - buffer_append(&b, ",", 1); - buffer_append(&b, cp, strlen(cp)); diff --git a/security/openssh-portable/files/patch-monitor_wrap.c b/security/openssh-portable/files/patch-monitor_wrap.c deleted file mode 100644 index 67e0b979c138..000000000000 --- a/security/openssh-portable/files/patch-monitor_wrap.c +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/monitor_wrap.c b/monitor_wrap.c -index b379f05..d39d491 100644 ---- monitor_wrap.c -+++ monitor_wrap.c -@@ -153,10 +153,8 @@ mm_request_receive(int sock, Buffer *m) - debug3("%s entering", __func__); - - if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { -- if (errno == EPIPE) { -- error("%s: socket closed", __func__); -+ if (errno == EPIPE) - cleanup_exit(255); -- } - fatal("%s: read: %s", __func__, strerror(errno)); - } - msg_len = get_u32(buf); diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c index 229ab3c12310..8a0b4086683f 100644 --- a/security/openssh-portable/files/patch-servconf.c +++ b/security/openssh-portable/files/patch-servconf.c @@ -17,15 +17,6 @@ /* X.509 Standard Options */ #ifdef OPENSSL_FIPS -@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption - if (options->key_regeneration_time == -1) - options->key_regeneration_time = 3600; - if (options->permit_root_login == PERMIT_NOT_SET) -- options->permit_root_login = PERMIT_YES; -+ options->permit_root_login = PERMIT_NO; - if (options->ignore_rhosts == -1) - options->ignore_rhosts = 1; - if (options->ignore_user_known_hosts == -1) @@ -287,7 +288,7 @@ fill_default_server_options(ServerOption if (options->print_lastlog == -1) options->print_lastlog = 1; diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1 index 7d1e2a68ddf0..dcebf47abf7a 100644 --- a/security/openssh-portable/files/patch-ssh-agent.1 +++ b/security/openssh-portable/files/patch-ssh-agent.1 @@ -3,20 +3,18 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. -Index: ssh-agent.1 -=================================================================== ---- ssh-agent.1 (revision 226102) -+++ ssh-agent.1 (revision 226103) -@@ -44,7 +44,7 @@ +--- ssh-agent.1.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.1 2015-06-02 09:45:37.025390000 -0500 +@@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s --.Op Fl d -+.Op Fl dx +-.Op Fl Dd ++.Op Fl Ddx .Op Fl a Ar bind_address + .Op Fl E Ar fingerprint_hash .Op Fl t Ar life - .Op Ar command Op Ar arg ... -@@ -103,6 +103,8 @@ +@@ -128,6 +128,8 @@ .Xr ssh-add 1 overrides this value. Without this option the default maximum lifetime is forever. diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index f9699800c7e2..efe297d3c45c 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -7,9 +7,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2015-03-17 00:49:20.000000000 -0500 -+++ ssh-agent.c 2015-03-20 00:00:48.800352000 -0500 -@@ -150,15 +150,34 @@ static long lifetime = 0; +--- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500 +@@ -157,15 +157,34 @@ static long lifetime = 0; static int fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -44,7 +44,7 @@ disconnected. } static void -@@ -910,6 +929,10 @@ new_socket(sock_type type, int fd) +@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd) { u_int i, old_alloc, new_alloc; @@ -55,16 +55,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1138,7 +1161,7 @@ usage(void) +@@ -1166,7 +1189,7 @@ static void + usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-E fingerprint_hash]\n" -- " [-t life] [command [arg ...]]\n" -+ " [-t life] [-x] [command [arg ...]]\n" +- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" ++ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" + " [-t life] [command [arg ...]]\n" " ssh-agent [-c | -s] -k\n"); exit(1); - } -@@ -1168,6 +1191,7 @@ main(int ac, char **av) +@@ -1197,6 +1220,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -72,16 +72,16 @@ disconnected. #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -@@ -1181,7 +1205,7 @@ main(int ac, char **av) +@@ -1210,7 +1234,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); -- while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) { -+ while ((ch = getopt(ac, av, "cdksE:a:t:x")) != -1) { +- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1215,6 +1239,9 @@ main(int ac, char **av) +@@ -1249,6 +1273,9 @@ main(int ac, char **av) usage(); } break; diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index 8e2ca0e2b48c..65e8f6cc6947 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -10,15 +10,6 @@ #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -41,7 +44,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin yes -+#PermitRootLogin no - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 @@ -50,8 +53,7 @@ #PubkeyAuthentication yes diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 85d213a8a791..90a0351f1698 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -1,6 +1,6 @@ ---- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500 -+++ sshd_config.5 2015-03-22 21:57:45.538655000 -0500 -@@ -304,7 +304,9 @@ By default, no banner is displayed. +--- sshd_config.5.orig 2015-05-29 03:27:21.000000000 -0500 ++++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500 +@@ -375,7 +375,9 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or through authentication styles supported in @@ -11,7 +11,7 @@ The default is .Dq yes . .It Cm ChrootDirectory -@@ -977,7 +979,22 @@ are refused if the number of unauthentic +@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -34,12 +34,10 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1023,7 +1040,14 @@ The argument must be - or +@@ -1158,6 +1175,13 @@ or .Dq no . The default is --.Dq yes . -+.Dq no . + .Dq no . +Note that if +.Cm ChallengeResponseAuthentication +is @@ -50,7 +48,7 @@ .Pp If this option is set to .Dq without-password , -@@ -1178,7 +1202,9 @@ an OpenSSH Key Revocation List (KRL) as +@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication @@ -61,7 +59,7 @@ with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1343,7 +1369,7 @@ is enabled, you will not be able to run +@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is @@ -70,7 +68,7 @@ .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1365,7 +1391,10 @@ restrictions. +@@ -1520,7 +1546,10 @@ restrictions. Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is @@ -82,7 +80,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1379,7 +1408,7 @@ The argument must be +@@ -1534,7 +1563,7 @@ The argument must be or .Dq no . The default is |