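--- a/openssh-5.4p1/auth2-pubkey.c.pka
+++ b/openssh-5.4p1/auth2-pubkey.c.pka
@@ -186,27 +186,15 @@ done:
 
 /* return 1 if user allows given key */
 static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
 {
 	char line[SSH_MAX_PUBKEY_BYTES];
 	const char *reason;
 	int found_key = 0;
-	FILE *f;
 	u_long linenum = 0;
 	Key *found;
 	char *fp;
 
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	debug("trying public key file %s", file);
-	f = auth_openkeyfile(file, pw, options.strict_modes);
-
-	if (!f) {
-		restore_uid();
-		return 0;
-	}
-
 	found_key = 0;
 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
 
@@ -277,21 +265,160 @@ user_key_allowed2(struct passwd *pw, Key
 			break;
 		}
 	}
-	restore_uid();
-	fclose(f);
 	key_free(found);
 	if (!found_key)
 		debug2("key not found");
 	return found_key;
 }
 
-/* check whether given key is in .ssh/authorized_keys* */
+
+/* return 1 if user allows given key */
+static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
+{
+	FILE *f;
+	int found_key = 0;
+
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw);
+
+	debug("trying public key file %s", file);
+	f = auth_openkeyfile(file, pw, options.strict_modes);
+
+ 	if (f) {
+ 		found_key = user_search_key_in_file (f, file, key, pw);
+		fclose(f);
+	}
+
+	restore_uid();
+	return found_key;
+}
+
+#ifdef WITH_PUBKEY_AGENT
+
+#define WHITESPACE " \t\r\n"
+
+/* return 1 if user allows given key */
+static int
+user_key_via_agent_allowed2(struct passwd *pw, Key *key)
+{
+	FILE *f;
+	int found_key = 0;
+	char *pubkey_agent_string = NULL;
+	char *tmp_pubkey_agent_string = NULL;
+	char *progname;
+	char *cp;
+	struct passwd *runas_pw;
+	struct stat st;
+
+	if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
+		return -1;
+
+	/* get the run as identity from config */
+	runas_pw = (options.pubkey_agent_runas == NULL)? pw
+	    : getpwnam (options.pubkey_agent_runas);
+	if (!runas_pw) {
+		error("%s: getpwnam(\"%s\"): %s", __func__,
+		    options.pubkey_agent_runas, strerror(errno));
+		return 0;
+	}
+
+	/* Temporarily use the specified uid. */
+	if (runas_pw->pw_uid != 0)
+		temporarily_use_uid(runas_pw);
+
+	pubkey_agent_string = percent_expand(options.pubkey_agent,
+	    "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
+
+	/* Test whether agent can be modified by non root user */
+	tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
+	progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
+
+	debug3("%s: checking program '%s'", __func__, progname);
+
+	if (stat (progname, &st) < 0) {
+		error("%s: stat(\"%s\"): %s", __func__,
+		    progname, strerror(errno));
+		goto go_away;
+	}
+
+	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+		error("bad ownership or modes for pubkey agent \"%s\"",
+		    progname);
+		goto go_away;
+	}
+
+	if (!S_ISREG(st.st_mode)) {
+		error("pubkey agent \"%s\" is not a regular file",
+		    progname);
+		goto go_away;
+	}
+
+	/*
+	 * Descend the path, checking that each component is a
+	 * root-owned directory with strict permissions.
+	 */
+	do {
+		if ((cp = strrchr(progname, '/')) == NULL)
+			break;
+		else 
+			*cp = '\0';
+	
+		debug3("%s: checking component '%s'", __func__, progname);
+
+		if (stat(progname, &st) != 0) {
+			error("%s: stat(\"%s\"): %s", __func__,
+			    progname, strerror(errno));
+			goto go_away;
+		}
+		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+			error("bad ownership or modes for pubkey agent path component \"%s\"",
+			    progname);
+			goto go_away;
+		}
+		if (!S_ISDIR(st.st_mode)) {
+			error("pubkey agent path component \"%s\" is not a directory",
+			    progname);
+			goto go_away;
+		}
+	} while (0);
+
+	/* open the pipe and read the keys */
+	f = popen (pubkey_agent_string, "r");
+	if (!f) {
+		error("%s: popen (\"%s\", \"r\"): %s", __func__,
+		    pubkey_agent_string, strerror (errno));
+		goto go_away;
+	}
+
+	found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
+	pclose (f);
+
+go_away:
+	if (tmp_pubkey_agent_string)
+		xfree (tmp_pubkey_agent_string);
+	if (pubkey_agent_string)
+		xfree (pubkey_agent_string);
+
+	if (runas_pw->pw_uid != 0)
+		restore_uid();
+	return found_key;
+}
+#endif
+
+/* check whether given key is in <pkey_agent or .ssh/authorized_keys* */
 int
 user_key_allowed(struct passwd *pw, Key *key)
 {
 	int success;
 	char *file;
 
+#ifdef WITH_PUBKEY_AGENT
+	success = user_key_via_agent_allowed2(pw, key);
+	if (success >= 0)
+		return success;
+#endif
+
 	file = authorized_keys_file(pw);
 	success = user_key_allowed2(pw, key, file);
 	xfree(file);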
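Review bot: The directory check in user_key_via_agent_allowed2 validates only the agent's immediate parent directory, because the loop is written `do { ... } while (0);` although its comment says each path component is checked. A group- or world-writable directory higher in the path would still let a non-root user swap in a different program. The loop should continue up to the root, for example with `if ((cp = strrchr(progname, '/')) == NULL || cp == progname) break;` and `} while (1);`. Separately, `popen (pubkey_agent_string, "r")` hands the expanded string to the shell while only `temporarily_use_uid()` is in effect. If that helper changes just the effective ids (its body is not visible here), the spawned program may be able to regain the original privileges, so a fork with a permanent uid change and an exec with an explicit argv would be the safer design.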
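--- a/openssh-5.4p1/configure.ac.pka
+++ b/openssh-5.4p1/configure.ac.pka
@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit,
 	esac ]
 )
 
+# Check whether user wants pubkey agent support
+PKA_MSG="no"
+AC_ARG_WITH(pka,
+	[  --with-pka      Enable pubkey agent support],
+	[
+		if test "x$withval" != "xno" ; then
+			AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])
+			PKA_MSG="yes"
+		fi
+	]
+)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
@@ -4206,6 +4218,7 @@
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
+echo "                       PKA support: $PKA_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"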
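--- a/openssh-5.4p1/servconf.c.pka
+++ b/openssh-5.4p1/servconf.c.pka
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
+	options->pubkey_agent = NULL;
+	options->pubkey_agent_runas = NULL;
 	options->zero_knowledge_password_authentication = -1;
 }
 
@@ -312,6 +314,7 @@ typedef enum {
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
+	sPubkeyAgent, sPubkeyAgentRunAs,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -432,6 +435,13 @@ static struct {
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
+#ifdef WITH_PUBKEY_AGENT
+	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
+#else
+	{ "pubkeyagent", sUnsupported, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },
+#endif
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1332,6 +1342,20 @@ process_server_config_line(ServerOptions
 			*charptr = xstrdup(arg);
 		break;
 
+	case sPubkeyAgent:
+		len = strspn(cp, WHITESPACE);
+		if (*activep && options->pubkey_agent == NULL)
+			options->pubkey_agent = xstrdup(cp + len);
+		return 0;
+
+	case sPubkeyAgentRunAs:
+		charptr = &options->pubkey_agent_runas;
+
+		arg = strdelim(&cp);
+		if (*activep && *charptr == NULL)
+			*charptr = xstrdup(arg);
+		break;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -1425,6 +1449,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
+	M_CP_STROPT(pubkey_agent);
+	M_CP_STROPT(pubkey_agent_runas);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(kbd_interactive_authentication);
@@ -1666,6 +1692,10 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
+#ifdef WITH_PUBKEY_AGENT
+	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
+	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
+#endif
 
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));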
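Review bot: The `sPubkeyAgentRunAs` case passes the result of `strdelim(&cp)` straight to `xstrdup(arg)` without checking that an argument was supplied, so a `PubkeyAgentRunAs` line with no value reaches xstrdup with a NULL or empty string. Adding `if (!arg || *arg == '\0') fatal("%s line %d: missing PubkeyAgentRunAs argument.", filename, linenum);` before the assignment would reject such a line when the configuration is parsed. The `sPubkeyAgent` case stores everything after the keyword unvalidated, and the only check visible on this page is the leading-'/' test in auth2-pubkey.c, so a comment such as `/* rest of line is a command line; must start with '/' to be used */` would document that. process_server_config_line starts and ends outside this hunk.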
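--- a/openssh-5.4p1/servconf.h.pka
+++ b/openssh-5.4p1/servconf.h.pka
@@ -155,6 +155,8 @@ typedef struct {
 	int	num_permitted_opens;
 
 	char   *chroot_directory;
+	char   *pubkey_agent;
+	char   *pubkey_agent_runas;
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);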
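--- a/openssh-5.4p1/sshd_config.0.pka
+++ b/openssh-5.4p1/sshd_config.0.pka
@@ -352,7 +352,8 @@ DESCRIPTION
              KbdInteractiveAuthentication, KerberosAuthentication,
              MaxAuthTries, MaxSessions, PasswordAuthentication,
              PermitEmptyPasswords, PermitOpen, PermitRootLogin,
-             PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
+             PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
+             RhostsRSAAuthentication, RSAAuthentication,
              X11DisplayOffset, X11Forwarding and X11UseLocalHost.
 
      MaxAuthTries
@@ -461,6 +462,17 @@ DESCRIPTION
              fault is ``yes''.  Note that this option applies to protocol ver-
              sion 2 only.
 
+     PubkeyAgent
+             Specifies which agent is used for lookup of the user's public
+             keys. Empty string means to use the authorized_keys file.  By
+             default there is no PubkeyAgent set.  Note that this option has
+             an effect only with PubkeyAuthentication switched on.
+
+     PubkeyAgentRunAs
+             Specifies the user under whose account the PubkeyAgent is run.
+             Empty string (the default value) means the user being authorized
+             is used.
+
      RhostsRSAAuthentication
              Specifies whether rhosts or /etc/hosts.equiv authentication to-
              gether with successful RSA host authentication is allowed.  The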
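--- a/openssh-5.4p1/sshd_config.5.pka
+++ b/openssh-5.4p1/sshd_config.5.pka
@@ -618,6 +618,9 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
+.Cm PubkeyAgent ,
+.Cm PubkeyAgentRunAs ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
@@ -814,6 +817,16 @@ Specifies whether public key authenticat
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm PubkeyAgent
+Specifies which agent is used for lookup of the user's public
+keys. Empty string means to use the authorized_keys file.
+By default there is no PubkeyAgent set.
+Note that this option has an effect only with PubkeyAuthentication
+switched on.
+.It Cm PubkeyAgentRunAs
+Specifies the user under whose account the PubkeyAgent is run. Empty
+string (the default value) means the user being authorized is used.
+.Dq 
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.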
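--- a/openssh-5.4p1/sshd_config.pka
+++ b/openssh-5.4p1/sshd_config.pka
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no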
