From 5c3c37dc72918bf92726555a64d665466ee3500e Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Fri, 3 Mar 2023 04:36:20 +0000
Subject: [PATCH] some options are not first-match-wins. Mention that there are
 exceptions at the start of the manpage and label some of them in the option
 description.

---
 usr.bin/ssh/sshd_config.5 | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 51cf89e4bc4..f7cc6f1b61a 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.347 2023/01/18 06:55:32 jmc Exp $
-.Dd $Mdocdate: January 18 2023 $
+.\" $OpenBSD: sshd_config.5,v 1.348 2023/03/03 04:36:20 djm Exp $
+.Dd $Mdocdate: March 3 2023 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -48,7 +48,7 @@ reads configuration data from
 .Fl f
 on the command line).
 The file contains keyword-argument pairs, one per line.
-For each keyword, the first obtained value will be used.
+Unless noted otherwise, for each keyword, the first obtained value will be used.
 Lines starting with
 .Ql #
 and empty lines are interpreted as comments.
@@ -120,6 +120,9 @@ The allow/deny groups directives are processed in the following order:
 See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
 .It Cm AllowStreamLocalForwarding
 Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
 The available options are
@@ -177,6 +180,9 @@ The allow/deny users directives are processed in the following order:
 See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
 .It Cm AuthenticationMethods
 Specifies the authentication methods that must be successfully completed
 for a user to be granted access.
@@ -630,6 +636,9 @@ The allow/deny groups directives are processed in the following order:
 See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
 .It Cm DenyUsers
 This keyword can be followed by a list of user name patterns, separated
 by spaces.
@@ -648,6 +657,9 @@ The allow/deny users directives are processed in the following order:
 See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
 .It Cm DisableForwarding
 Disables all forwarding features, including X11,
 .Xr ssh-agent 1 ,
-- 
2.20.1