Import openssh_6.8p1.orig.tar.gz

1 files changed, 88 insertions, 81 deletions

diff --git a/ssh.0 b/ssh.0
index 70ea37733..5e5f3b5e9 100644
--- a/ssh.0
+++ b/ssh.0
@@ -1,15 +1,15 @@
 SSH(1)                      General Commands Manual                     SSH(1)
 
 NAME
-     ssh - OpenSSH SSH client (remote login program)
+     ssh M-bM-^@M-^S OpenSSH SSH client (remote login program)
 
 SYNOPSIS
-     ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
+     ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
          [-D [bind_address:]port] [-E log_file] [-e escape_char]
          [-F configfile] [-I pkcs11] [-i identity_file]
          [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
          [-O ctl_cmd] [-o option] [-p port]
-         [-Q cipher | cipher-auth | mac | kex | key]
+         [-Q cipher | cipher-auth | mac | kex | key | protocol-version]
          [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
          [-w local_tun[:remote_tun]] [user@]hostname [command]
 
@@ -61,7 +61,7 @@ DESCRIPTION
      -C      Requests compression of all data (including stdin, stdout,
              stderr, and data for forwarded X11, TCP and UNIX-domain
              connections).  The compression algorithm is the same used by
-             gzip(1), and the ``level'' can be controlled by the
+             gzip(1), and the M-bM-^@M-^\levelM-bM-^@M-^] can be controlled by the
              CompressionLevel option for protocol version 1.  Compression is
              desirable on modem lines and other slow connections, but will
              only slow down things on fast networks.  The default value can be
@@ -72,13 +72,13 @@ DESCRIPTION
              Selects the cipher specification for encrypting the session.
 
              Protocol version 1 allows specification of a single cipher.  The
-             supported values are ``3des'', ``blowfish'', and ``des''.  For
-             protocol version 2, cipher_spec is a comma-separated list of
-             ciphers listed in order of preference.  See the Ciphers keyword
-             in ssh_config(5) for more information.
+             supported values are M-bM-^@M-^\3desM-bM-^@M-^], M-bM-^@M-^\blowfishM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^].  For protocol
+             version 2, cipher_spec is a comma-separated list of ciphers
+             listed in order of preference.  See the Ciphers keyword in
+             ssh_config(5) for more information.
 
      -D [bind_address:]port
-             Specifies a local ``dynamic'' application-level port forwarding.
+             Specifies a local M-bM-^@M-^\dynamicM-bM-^@M-^] application-level port forwarding.
              This works by allocating a socket to listen to port on the local
              side, optionally bound to the specified bind_address.  Whenever a
              connection is made to this port, the connection is forwarded over
@@ -94,20 +94,20 @@ DESCRIPTION
              ports.  By default, the local port is bound in accordance with
              the GatewayPorts setting.  However, an explicit bind_address may
              be used to bind the connection to a specific address.  The
-             bind_address of ``localhost'' indicates that the listening port
-             be bound for local use only, while an empty address or `*'
-             indicates that the port should be available from all interfaces.
+             bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be
+             bound for local use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates
+             that the port should be available from all interfaces.
 
      -E log_file
              Append debug logs to log_file instead of standard error.
 
      -e escape_char
-             Sets the escape character for sessions with a pty (default: `~').
+             Sets the escape character for sessions with a pty (default: M-bM-^@M-^X~M-bM-^@M-^Y).
              The escape character is only recognized at the beginning of a
-             line.  The escape character followed by a dot (`.') closes the
+             line.  The escape character followed by a dot (M-bM-^@M-^X.M-bM-^@M-^Y) closes the
              connection; followed by control-Z suspends the connection; and
              followed by itself sends the escape character once.  Setting the
-             character to ``none'' disables any escapes and makes the session
+             character to M-bM-^@M-^\noneM-bM-^@M-^] disables any escapes and makes the session
              fully transparent.
 
      -F configfile
@@ -122,10 +122,13 @@ DESCRIPTION
              implies -n.  The recommended way to start X11 programs at a
              remote site is with something like ssh -f host xterm.
 
-             If the ExitOnForwardFailure configuration option is set to
-             ``yes'', then a client started with -f will wait for all remote
-             port forwards to be successfully established before placing
-             itself in the background.
+             If the ExitOnForwardFailure configuration option is set to M-bM-^@M-^\yesM-bM-^@M-^],
+             then a client started with -f will wait for all remote port
+             forwards to be successfully established before placing itself in
+             the background.
+
+     -G      Causes ssh to print its configuration after evaluating Host and
+             Match blocks and exit.
 
      -g      Allows remote hosts to connect to local forwarded ports.  If used
              on a multiplexed connection, then this option must be specified
@@ -166,17 +169,17 @@ DESCRIPTION
              port is bound in accordance with the GatewayPorts setting.
              However, an explicit bind_address may be used to bind the
              connection to a specific address.  The bind_address of
-             ``localhost'' indicates that the listening port be bound for
-             local use only, while an empty address or `*' indicates that the
-             port should be available from all interfaces.
+             M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local
+             use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port
+             should be available from all interfaces.
 
      -l login_name
              Specifies the user to log in as on the remote machine.  This also
              may be specified on a per-host basis in the configuration file.
 
-     -M      Places the ssh client into ``master'' mode for connection
-             sharing.  Multiple -M options places ssh into ``master'' mode
-             with confirmation required before slave connections are accepted.
+     -M      Places the ssh client into M-bM-^@M-^\masterM-bM-^@M-^] mode for connection sharing.
+             Multiple -M options places ssh into M-bM-^@M-^\masterM-bM-^@M-^] mode with
+             confirmation required before slave connections are accepted.
              Refer to the description of ControlMaster in ssh_config(5) for
              details.
 
@@ -201,10 +204,10 @@ DESCRIPTION
      -O ctl_cmd
              Control an active connection multiplexing master process.  When
              the -O option is specified, the ctl_cmd argument is interpreted
-             and passed to the master process.  Valid commands are: ``check''
-             (check that the master process is running), ``forward'' (request
-             forwardings without command execution), ``cancel'' (cancel
-             forwardings), ``exit'' (request the master to exit), and ``stop''
+             and passed to the master process.  Valid commands are: M-bM-^@M-^\checkM-bM-^@M-^]
+             (check that the master process is running), M-bM-^@M-^\forwardM-bM-^@M-^] (request
+             forwardings without command execution), M-bM-^@M-^\cancelM-bM-^@M-^] (cancel
+             forwardings), M-bM-^@M-^\exitM-bM-^@M-^] (request the master to exit), and M-bM-^@M-^\stopM-bM-^@M-^]
              (request the master to stop accepting further multiplexing
              requests).
 
@@ -238,6 +241,7 @@ DESCRIPTION
                    DynamicForward
                    EscapeChar
                    ExitOnForwardFailure
+                   FingerprintHash
                    ForwardAgent
                    ForwardX11
                    ForwardX11Timeout
@@ -249,6 +253,7 @@ DESCRIPTION
                    HashKnownHosts
                    Host
                    HostbasedAuthentication
+                   HostbasedKeyTypes
                    HostKeyAlgorithms
                    HostKeyAlias
                    HostName
@@ -288,6 +293,7 @@ DESCRIPTION
                    TCPKeepAlive
                    Tunnel
                    TunnelDevice
+                   UpdateHostKeys
                    UsePrivilegedPort
                    User
                    UserKnownHostsFile
@@ -299,12 +305,13 @@ DESCRIPTION
              Port to connect to on the remote host.  This can be specified on
              a per-host basis in the configuration file.
 
-     -Q cipher | cipher-auth | mac | kex | key
+     -Q cipher | cipher-auth | mac | kex | key | protocol-version
              Queries ssh for the algorithms supported for the specified
              version 2.  The available features are: cipher (supported
              symmetric ciphers), cipher-auth (supported symmetric ciphers that
              support authenticated encryption), mac (supported message
-             integrity codes), kex (key exchange algorithms), key (key types).
+             integrity codes), kex (key exchange algorithms), key (key types)
+             and protocol-version (supported SSH protocol versions).
 
      -q      Quiet mode.  Causes most warning and diagnostic messages to be
              suppressed.
@@ -325,19 +332,19 @@ DESCRIPTION
              By default, the listening socket on the server will be bound to
              the loopback interface only.  This may be overridden by
              specifying a bind_address.  An empty bind_address, or the address
-             `*', indicates that the remote socket should listen on all
+             M-bM-^@M-^X*M-bM-^@M-^Y, indicates that the remote socket should listen on all
              interfaces.  Specifying a remote bind_address will only succeed
              if the server's GatewayPorts option is enabled (see
              sshd_config(5)).
 
-             If the port argument is `0', the listen port will be dynamically
+             If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically
              allocated on the server and reported to the client at run time.
              When used together with -O forward the allocated port will be
              printed to the standard output.
 
      -S ctl_path
              Specifies the location of a control socket for connection
-             sharing, or the string ``none'' to disable connection sharing.
+             sharing, or the string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing.
              Refer to the description of ControlPath and ControlMaster in
              ssh_config(5) for details.
 
@@ -373,11 +380,11 @@ DESCRIPTION
              (remote_tun).
 
              The devices may be specified by numerical ID or the keyword
-             ``any'', which uses the next available tunnel device.  If
-             remote_tun is not specified, it defaults to ``any''.  See also
-             the Tunnel and TunnelDevice directives in ssh_config(5).  If the
+             M-bM-^@M-^\anyM-bM-^@M-^], which uses the next available tunnel device.  If
+             remote_tun is not specified, it defaults to M-bM-^@M-^\anyM-bM-^@M-^].  See also the
+             Tunnel and TunnelDevice directives in ssh_config(5).  If the
              Tunnel directive is unset, it is set to the default tunnel mode,
-             which is ``point-to-point''.
+             which is M-bM-^@M-^\point-to-pointM-bM-^@M-^].
 
      -X      Enables X11 forwarding.  This can also be specified on a per-host
              basis in a configuration file.
@@ -444,7 +451,7 @@ AUTHENTICATION
      creates a public/private key pair for authentication purposes.  The
      server knows the public key, and only the user knows the private key.
      ssh implements public key authentication protocol automatically, using
-     one of the DSA, ECDSA, ED25519 or RSA algorithms.  Protocol 1 is
+     one of the DSA, ECDSA, Ed25519 or RSA algorithms.  Protocol 1 is
      restricted to using only RSA keys, but protocol 2 may use any.  The
      HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA
      algorithms.
@@ -458,10 +465,10 @@ AUTHENTICATION
      The user creates his/her key pair by running ssh-keygen(1).  This stores
      the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
      2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2
-     ED25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
+     Ed25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
      ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA),
      ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2
-     ED25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
+     Ed25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
      directory.  The user should then copy the public key to
      ~/.ssh/authorized_keys in his/her home directory on the remote machine.
      The authorized_keys file corresponds to the conventional ~/.rhosts file,
@@ -512,8 +519,8 @@ AUTHENTICATION
 
      If no pseudo-tty has been allocated, the session is transparent and can
      be used to reliably transfer binary data.  On most systems, setting the
-     escape character to ``none'' will also make the session transparent even
-     if a tty is used.
+     escape character to M-bM-^@M-^\noneM-bM-^@M-^] will also make the session transparent even if
+     a tty is used.
 
      The session terminates when the command or shell on the remote machine
      exits and all X11 and TCP connections have been closed.
@@ -528,7 +535,7 @@ ESCAPE CHARACTERS
      character can be changed in configuration files using the EscapeChar
      configuration directive or on the command line by the -e option.
 
-     The supported escapes (assuming the default `~') are:
+     The supported escapes (assuming the default M-bM-^@M-^X~M-bM-^@M-^Y) are:
 
      ~.      Disconnect.
 
@@ -577,26 +584,26 @@ TCP FORWARDING
      same local port, and ssh will encrypt and forward the connection.
 
      The following example tunnels an IRC session from client machine
-     ``127.0.0.1'' (localhost) to remote server ``server.example.com'':
+     M-bM-^@M-^\127.0.0.1M-bM-^@M-^] (localhost) to remote server M-bM-^@M-^\server.example.comM-bM-^@M-^]:
 
          $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
          $ irc -c '#users' -p 1234 pinky 127.0.0.1
 
-     This tunnels a connection to IRC server ``server.example.com'', joining
-     channel ``#users'', nickname ``pinky'', using port 1234.  It doesn't
-     matter which port is used, as long as it's greater than 1023 (remember,
-     only root can open sockets on privileged ports) and doesn't conflict with
-     any ports already in use.  The connection is forwarded to port 6667 on
-     the remote server, since that's the standard port for IRC services.
+     This tunnels a connection to IRC server M-bM-^@M-^\server.example.comM-bM-^@M-^], joining
+     channel M-bM-^@M-^\#usersM-bM-^@M-^], nickname M-bM-^@M-^\pinkyM-bM-^@M-^], using port 1234.  It doesn't matter
+     which port is used, as long as it's greater than 1023 (remember, only
+     root can open sockets on privileged ports) and doesn't conflict with any
+     ports already in use.  The connection is forwarded to port 6667 on the
+     remote server, since that's the standard port for IRC services.
 
-     The -f option backgrounds ssh and the remote command ``sleep 10'' is
+     The -f option backgrounds ssh and the remote command M-bM-^@M-^\sleep 10M-bM-^@M-^] is
      specified to allow an amount of time (10 seconds, in the example) to
      start the service which is to be tunnelled.  If no connections are made
      within the time specified, ssh will exit.
 
 X11 FORWARDING
-     If the ForwardX11 variable is set to ``yes'' (or see the description of
-     the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY
+     If the ForwardX11 variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or see the description of the
+     -X, -x, and -Y options above) and the user is using X11 (the DISPLAY
      environment variable is set), the connection to the X11 display is
      automatically forwarded to the remote side in such a way that any X11
      programs started from the shell (or command) will go through the
@@ -607,7 +614,7 @@ X11 FORWARDING
 
      The DISPLAY value set by ssh will point to the server machine, but with a
      display number greater than zero.  This is normal, and happens because
-     ssh creates a ``proxy'' X server on the server machine for forwarding the
+     ssh creates a M-bM-^@M-^\proxyM-bM-^@M-^] X server on the server machine for forwarding the
      connections over the encrypted channel.
 
      ssh will also automatically set up Xauthority data on the server machine.
@@ -617,7 +624,7 @@ X11 FORWARDING
      is opened.  The real authentication cookie is never sent to the server
      machine (and no cookies are sent in the plain).
 
-     If the ForwardAgent variable is set to ``yes'' (or see the description of
+     If the ForwardAgent variable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or see the description of
      the -A and -a options above) and the user is using an authentication
      agent, the connection to the agent is automatically forwarded to the
      remote side.
@@ -632,15 +639,15 @@ VERIFYING HOST KEYS
 
      If the fingerprint is already known, it can be matched and the key can be
      accepted or rejected.  Because of the difficulty of comparing host keys
-     just by looking at hex strings, there is also support to compare host
-     keys visually, using random art.  By setting the VisualHostKey option to
-     ``yes'', a small ASCII graphic gets displayed on every login to a server,
-     no matter if the session itself is interactive or not.  By learning the
-     pattern a known server produces, a user can easily find out that the host
-     key has changed when a completely different pattern is displayed.
-     Because these patterns are not unambiguous however, a pattern that looks
-     similar to the pattern remembered only gives a good probability that the
-     host key is the same, not guaranteed proof.
+     just by looking at fingerprint strings, there is also support to compare
+     host keys visually, using random art.  By setting the VisualHostKey
+     option to M-bM-^@M-^\yesM-bM-^@M-^], a small ASCII graphic gets displayed on every login to a
+     server, no matter if the session itself is interactive or not.  By
+     learning the pattern a known server produces, a user can easily find out
+     that the host key has changed when a completely different pattern is
+     displayed.  Because these patterns are not unambiguous however, a pattern
+     that looks similar to the pattern remembered only gives a good
+     probability that the host key is the same, not guaranteed proof.
 
      To get a listing of the fingerprints along with their random art for all
      known hosts, the following command line can be used:
@@ -653,8 +660,8 @@ VERIFYING HOST KEYS
      able to match the fingerprint with that of the key presented.
 
      In this example, we are connecting a client to a server,
-     ``host.example.com''.  The SSHFP resource records should first be added
-     to the zonefile for host.example.com:
+     M-bM-^@M-^\host.example.comM-bM-^@M-^].  The SSHFP resource records should first be added to
+     the zonefile for host.example.com:
 
            $ ssh-keygen -r host.example.com.
 
@@ -697,9 +704,9 @@ SSH-BASED VIRTUAL PRIVATE NETWORKS
 
      Client access may be more finely tuned via the /root/.ssh/authorized_keys
      file (see below) and the PermitRootLogin server option.  The following
-     entry would permit connections on tun(4) device 1 from user ``jane'' and
-     on tun device 2 from user ``john'', if PermitRootLogin is set to
-     ``forced-commands-only'':
+     entry would permit connections on tun(4) device 1 from user M-bM-^@M-^\janeM-bM-^@M-^] and on
+     tun device 2 from user M-bM-^@M-^\johnM-bM-^@M-^], if PermitRootLogin is set to
+     M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^]:
 
        tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
        tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
@@ -714,14 +721,14 @@ ENVIRONMENT
 
      DISPLAY               The DISPLAY variable indicates the location of the
                            X11 server.  It is automatically set by ssh to
-                           point to a value of the form ``hostname:n'', where
-                           ``hostname'' indicates the host where the shell
-                           runs, and `n' is an integer >= 1.  ssh uses this
-                           special value to forward X11 connections over the
-                           secure channel.  The user should normally not set
-                           DISPLAY explicitly, as that will render the X11
-                           connection insecure (and will require the user to
-                           manually copy any required authorization cookies).
+                           point to a value of the form M-bM-^@M-^\hostname:nM-bM-^@M-^], where
+                           M-bM-^@M-^\hostnameM-bM-^@M-^] indicates the host where the shell runs,
+                           and M-bM-^@M-^XnM-bM-^@M-^Y is an integer M-bM-^IM-% 1.  ssh uses this special
+                           value to forward X11 connections over the secure
+                           channel.  The user should normally not set DISPLAY
+                           explicitly, as that will render the X11 connection
+                           insecure (and will require the user to manually
+                           copy any required authorization cookies).
 
      HOME                  Set to the path of the user's home directory.
 
@@ -770,7 +777,7 @@ ENVIRONMENT
      USER                  Set to the name of the user logging in.
 
      Additionally, ssh reads ~/.ssh/environment, and adds lines of the format
-     ``VARNAME=value'' to the environment if the file exists and users are
+     M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and users are
      allowed to change their environment.  For more information, see the
      PermitUserEnvironment option in sshd_config(5).
 
@@ -797,7 +804,7 @@ FILES
              for the user, and not accessible by others.
 
      ~/.ssh/authorized_keys
-             Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
+             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
              for logging in as this user.  The format of this file is
              described in the sshd(8) manual page.  This file is not highly
              sensitive, but the recommended permissions are read/write for the
@@ -941,4 +948,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.6                      July 24, 2014                     OpenBSD 5.6
+OpenBSD 5.7                      March 3, 2015                     OpenBSD 5.7