
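--- a/openssh-5.4p1/auth2-pubkey.c.pka
+++ b/openssh-5.4p1/auth2-pubkey.c.pka
@@ -187,27 +187,15 @@ done:
 
 /* return 1 if user allows given key */
 static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
 {
 	char line[SSH_MAX_PUBKEY_BYTES];
 	const char *reason;
 	int found_key = 0;
-	FILE *f;
 	u_long linenum = 0;
 	Key *found;
 	char *fp;
 
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	debug("trying public key file %s", file);
-	f = auth_openkeyfile(file, pw, options.strict_modes);
-
-	if (!f) {
-		restore_uid();
-		return 0;
-	}
-
 	found_key = 0;
 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
 
@@ -278,8 +266,6 @@ user_key_allowed2(struct passwd *pw, Key
 			break;
 		}
 	}
-	restore_uid();
-	fclose(f);
 	key_free(found);
 	if (!found_key)
 		debug2("key not found");
@@ -327,13 +313,153 @@ user_cert_trusted_ca(struct passwd *pw,
 	return ret;
 }
 
-/* check whether given key is in .ssh/authorized_keys* */
+/* return 1 if user allows given key */
+static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
+{
+	FILE *f;
+	int found_key = 0;
+
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw);
+
+	debug("trying public key file %s", file);
+	f = auth_openkeyfile(file, pw, options.strict_modes);
+
+ 	if (f) {
+ 		found_key = user_search_key_in_file (f, file, key, pw);
+		fclose(f);
+	}
+
+	restore_uid();
+	return found_key;
+}
+
+#ifdef WITH_PUBKEY_AGENT
+
+#define WHITESPACE " \t\r\n"
+
+/* return 1 if user allows given key */
+static int
+user_key_via_agent_allowed2(struct passwd *pw, Key *key)
+{
+	FILE *f;
+	int found_key = 0;
+	char *pubkey_agent_string = NULL;
+	char *tmp_pubkey_agent_string = NULL;
+	char *progname;
+	char *cp;
+	struct passwd *runas_pw;
+	struct stat st;
+
+	if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
+		return -1;
+
+	/* get the run as identity from config */
+	runas_pw = (options.pubkey_agent_runas == NULL)? pw
+	    : getpwnam (options.pubkey_agent_runas);
+	if (!runas_pw) {
+		error("%s: getpwnam(\"%s\"): %s", __func__,
+		    options.pubkey_agent_runas, strerror(errno));
+		return 0;
+	}
+
+	/* Temporarily use the specified uid. */
+	if (runas_pw->pw_uid != 0)
+		temporarily_use_uid(runas_pw);
+
+	pubkey_agent_string = percent_expand(options.pubkey_agent,
+	    "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
+
+	/* Test whether agent can be modified by non root user */
+	tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
+	progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
+
+	debug3("%s: checking program '%s'", __func__, progname);
+
+	if (stat (progname, &st) < 0) {
+		error("%s: stat(\"%s\"): %s", __func__,
+		    progname, strerror(errno));
+		goto go_away;
+	}
+
+	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+		error("bad ownership or modes for pubkey agent \"%s\"",
+		    progname);
+		goto go_away;
+	}
+
+	if (!S_ISREG(st.st_mode)) {
+		error("pubkey agent \"%s\" is not a regular file",
+		    progname);
+		goto go_away;
+	}
+
+	/*
+	 * Descend the path, checking that each component is a
+	 * root-owned directory with strict permissions.
+	 */
+	do {
+		if ((cp = strrchr(progname, '/')) == NULL)
+			break;
+		else 
+			*cp = '\0';
+	
+		debug3("%s: checking component '%s'", __func__, progname);
+
+		if (stat(progname, &st) != 0) {
+			error("%s: stat(\"%s\"): %s", __func__,
+			    progname, strerror(errno));
+			goto go_away;
+		}
+		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+			error("bad ownership or modes for pubkey agent path component \"%s\"",
+			    progname);
+			goto go_away;
+		}
+		if (!S_ISDIR(st.st_mode)) {
+			error("pubkey agent path component \"%s\" is not a directory",
+			    progname);
+			goto go_away;
+		}
+	} while (0);
+
+	/* open the pipe and read the keys */
+	f = popen (pubkey_agent_string, "r");
+	if (!f) {
+		error("%s: popen (\"%s\", \"r\"): %s", __func__,
+		    pubkey_agent_string, strerror (errno));
+		goto go_away;
+	}
+
+	found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
+	pclose (f);
+
+go_away:
+	if (tmp_pubkey_agent_string)
+		xfree (tmp_pubkey_agent_string);
+	if (pubkey_agent_string)
+		xfree (pubkey_agent_string);
+
+	if (runas_pw->pw_uid != 0)
+		restore_uid();
+	return found_key;
+}
+#endif
+
+/* check whether given key is in <pkey_agent or .ssh/authorized_keys* */
 int
 user_key_allowed(struct passwd *pw, Key *key)
 {
 	int success;
 	char *file;
 
+#ifdef WITH_PUBKEY_AGENT
+	success = user_key_via_agent_allowed2(pw, key);
+	if (success >= 0)
+		return success;
+#endif
+
 	if (auth_key_is_revoked(key))
 		return 0;
 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))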
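Review bot: In `user_key_allowed` the agent lookup runs before `auth_key_is_revoked(key)` and returns on any result `>= 0`, so a key the agent supplies is accepted without either revocation check; the `#ifdef WITH_PUBKEY_AGENT` block belongs below both of them. In `user_key_via_agent_allowed2` the loop commented as checking each path component is `do { … } while (0)`, so only the program's parent directory is verified; the fence below walks up to `/` instead. The command line is then given to `popen`, which runs it through a shell, with `%u` and `%h` expanded from the passwd entry and the uid only switched by `temporarily_use_uid` (not switched at all when the run-as uid is 0), so running the program with an argument vector after a full privilege drop would be the safer shape. `user_key_allowed` continues past the end of the hunk.

```c
	/* walk up from the program's directory until "/" itself has been checked */
	while ((cp = strrchr(progname, '/')) != NULL) {
		if (cp == progname) {
			/* only the leading '/' is left: check the root once, then stop */
			if (progname[1] == '\0')
				break;
			progname[1] = '\0';
		} else
			*cp = '\0';

		/* … unchanged: debug3(), stat(), owner/mode and S_ISDIR checks … */
	}
```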
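--- a/openssh-5.4p1/configure.ac.pka
+++ b/openssh-5.4p1/configure.ac.pka
@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit,
 	esac ]
 )
 
+# Check whether user wants pubkey agent support
+PKA_MSG="no"
+AC_ARG_WITH(pka,
+	[  --with-pka      Enable pubkey agent support],
+	[
+		if test "x$withval" != "xno" ; then
+			AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])
+			PKA_MSG="yes"
+		fi
+	]
+)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
@@ -4206,6 +4218,7 @@ echo " Linux audit support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
+echo "                       PKA support: $PKA_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"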
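--- a/openssh-5.4p1/servconf.c.pka
+++ b/openssh-5.4p1/servconf.c.pka
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
+	options->pubkey_agent = NULL;
+	options->pubkey_agent_runas = NULL;
 	options->zero_knowledge_password_authentication = -1;
 	options->revoked_keys_file = NULL;
 	options->trusted_user_ca_keys = NULL;
@@ -315,6 +317,7 @@ typedef enum {
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys,
+	sPubkeyAgent, sPubkeyAgentRunAs,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -437,6 +440,13 @@ static struct {
 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+#ifdef WITH_PUBKEY_AGENT
+	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
+#else
+	{ "pubkeyagent", sUnsupported, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },
+#endif
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1345,6 +1355,20 @@ process_server_config_line(ServerOptions
 		charptr = &options->revoked_keys_file;
 		goto parse_filename;
 
+	case sPubkeyAgent:
+		len = strspn(cp, WHITESPACE);
+		if (*activep && options->pubkey_agent == NULL)
+			options->pubkey_agent = xstrdup(cp + len);
+		return 0;
+
+	case sPubkeyAgentRunAs:
+		charptr = &options->pubkey_agent_runas;
+
+		arg = strdelim(&cp);
+		if (*activep && *charptr == NULL)
+			*charptr = xstrdup(arg);
+		break;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -1438,6 +1462,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
+	M_CP_STROPT(pubkey_agent);
+	M_CP_STROPT(pubkey_agent_runas);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(kbd_interactive_authentication);
@@ -1683,6 +1709,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
+	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
+	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
 
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));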
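Review bot: `case sPubkeyAgentRunAs` passes the result of `strdelim(&cp)` straight to `xstrdup` with no missing-argument test, so a `PubkeyAgentRunAs` line without a value reaches `xstrdup(arg)` with a NULL or empty `arg`; add `if (!arg || *arg == '\0') fatal("%s line %d: missing user name.", filename, linenum);` before the copy. `case sPubkeyAgent` likewise calls `strspn(cp, WHITESPACE)` without checking `cp`, which presumably can be NULL when nothing follows the keyword. The configured user name is only resolved with `getpwnam` at authentication time in auth2-pubkey.c, so a typo in it is not reported when the configuration is loaded. `process_server_config_line` starts and ends outside the hunk.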
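--- a/openssh-5.4p1/servconf.h.pka
+++ b/openssh-5.4p1/servconf.h.pka
@@ -157,6 +157,8 @@ typedef struct {
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
+	char   *pubkey_agent;
+	char   *pubkey_agent_runas;
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);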
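--- a/openssh-5.4p1/sshd_config.0.pka
+++ b/openssh-5.4p1/sshd_config.0.pka
@@ -352,7 +352,8 @@ DESCRIPTION
              KbdInteractiveAuthentication, KerberosAuthentication,
              MaxAuthTries, MaxSessions, PasswordAuthentication,
              PermitEmptyPasswords, PermitOpen, PermitRootLogin,
-             PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
+             PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
+             RhostsRSAAuthentication, RSAAuthentication,
              X11DisplayOffset, X11Forwarding and X11UseLocalHost.
 
      MaxAuthTries
@@ -467,6 +468,17 @@ DESCRIPTION
              this file is not readable, then public key authentication will be
              refused for all users.
 
+     PubkeyAgent
+             Specifies which agent is used for lookup of the user's public
+             keys. Empty string means to use the authorized_keys file.  By
+             default there is no PubkeyAgent set.  Note that this option has
+             an effect only with PubkeyAuthentication switched on.
+
+     PubkeyAgentRunAs
+             Specifies the user under whose account the PubkeyAgent is run.
+             Empty string (the default value) means the user being authorized
+             is used.
+
      RhostsRSAAuthentication
              Specifies whether rhosts or /etc/hosts.equiv authentication to-
              gether with successful RSA host authentication is allowed.  The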
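--- a/openssh-5.4p1/sshd_config.5.pka
+++ b/openssh-5.4p1/sshd_config.5.pka
@@ -618,6 +618,9 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
+.Cm PubkeyAgent ,
+.Cm PubkeyAgentRunAs ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
@@ -819,6 +822,16 @@ Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
++.It Cm PubkeyAgent
++Specifies which agent is used for lookup of the user's public
++keys. Empty string means to use the authorized_keys file.
++By default there is no PubkeyAgent set.
++Note that this option has an effect only with PubkeyAuthentication
++switched on.
++.It Cm PubkeyAgentRunAs
++Specifies the user under whose account the PubkeyAgent is run. Empty
++string (the default value) means the user being authorized is used.
++.Dq 
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.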
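--- a/openssh-5.4p1/sshd_config.pka
+++ b/openssh-5.4p1/sshd_config.pka
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no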
