sync with OpenBSD -current

usr.bin/ssh/sshd_config.5

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.358 2024/06/06 21:14:49 jmc Exp $
-.Dd $Mdocdate: June 6 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.360 2024/06/11 05:24:39 jmc Exp $
+.Dd $Mdocdate: June 11 2024 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1562,45 +1562,51 @@ which means each address is considered individually.
 Controls penalties for various conditions that may represent attacks on
 .Xr sshd 8 .
 If a penalty is enforced against a client then its source address and any
-others in the
-.Cm PerSourceNetBlockSize
+others in the same network, as defined by
+.Cm PerSourceNetBlockSize ,
 will be refused connection for a period.
+.Pp
 A penalty doesn't affect concurrent connections in progress, but multiple
 penalties from the same source from concurrent connections will accumulate
 up to a maximum.
 Conversely, penalties are not applied until a minimum threshold time has been
 accumulated.
-Penalties are off by default but may be enabled using default settings using the
-.Cm yes
-keyword or by specifying one or more of the keywords below.
 .Pp
-Penalties are controlled using the following keywords, all of which accept
-arguments, e.g.\&
+Penalties are enabled by default with the default settings listed below
+but may disabled using the
+.Cm off
+keyword.
+The defaults may be overridden by specifying one or more of the keywords below,
+separated by whitespace.
+All keywords accept arguments, e.g.\&
 .Qq crash:2m .
 .Bl -tag -width Ds
 .It Cm crash:duration
 Specifies how long to refuse clients that cause a crash of
-.Xr sshd 8 .
+.Xr sshd 8 (default: 90s).
 .It Cm authfail:duration
 Specifies how long to refuse clients that disconnect after making one or more
-unsuccessful authentication attempts.
+unsuccessful authentication attempts (default: 5s).
 .It Cm noauth:duration
 Specifies how long to refuse clients that disconnect without attempting
-authentication.
+authentication (default: 1s).
 This timeout should be used cautiously otherwise it may penalise legitimate
 scanning tools such as
 .Xr ssh-keyscan 1 .
 .It Cm grace-exceeded:duration
 Specifies how long to refuse clients that fail to authenticate after
-.Cm LoginGraceTime .
+.Cm LoginGraceTime
+(default: 20s).
 .It Cm max:duration
 Specifies the maximum time a particular source address range will be refused
-access for.
+access for (default: 10m).
 Repeated penalties will accumulate up to this maximum.
 .It Cm min:duration
-Specifies the minimum penalty that must accrue before enforcement begins.
+Specifies the minimum penalty that must accrue before enforcement begins
+(default: 15s).
 .It Cm max-sources:number
-Specifies the maximum number of penalise client address ranges to track.
+Specifies the maximum number of penalise client address ranges to track
+(default: 65536).
 .It Cm overflow:mode
 Controls how the server behaves when
 .Cm max-sources
@@ -1611,7 +1617,8 @@ which denies all incoming connections other than those exempted via
 .Cm PerSourcePenaltyExemptList
 until a penalty expires, and
 .Cm permissive ,
-which allows new connections by removing existing penalties early.
+which allows new connections by removing existing penalties early
+(default: permissive).
 .El
 .It Cm PerSourcePenaltyExemptList
 Specifies a comma-separated list of addresses to exempt from penalties.