| author | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
| commit | efd3d4522636ae029488c2e9730b60c88e257d2e | |
| tree | 31e02ac3f16090ce8c53448677356b2b7f423683 /ssh_config.0 | |
| parent | bbec4db36d464ea1d464a707625125f9fd5c7b5e | |
| parent | d1a87e462e1db89f19cd960588d0c6b287cb5ccc | |
* New upstream release (LP: #535029).
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason why the open failed to debug (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
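The changelog above states that SSH protocol 1 is now off unless it is listed explicitly in Protocol and that the SmartcardDevice code has been replaced by PKCS11Provider; the diff further down additionally documents that ssh(1) tries to load a certificate from the IdentityFile path with -cert.pub appended. The following is an added example, not code from the Debian package or from OpenSSH, that audits an ssh_config for the directives this release affects. The sample configuration and the /usr/lib/opensc-pkcs11.so provider path are constructed for illustration.

```python
import re

# Constructed sample ssh_config for illustration (not from the page).  It
# mixes settings that the 5.4 release changes with ones that are unaffected;
# the PKCS#11 provider path is an assumed example value.
SAMPLE_CONFIG = """\
# global defaults
Protocol 2,1
SmartcardDevice /dev/cua0
IdentityFile ~/.ssh/id_rsa

Host legacy-router
    Protocol 1
    Ciphers 3des

Host bastion
    Protocol = 2
    PKCS11Provider /usr/lib/opensc-pkcs11.so
    IdentityFile ~/.ssh/id_bastion
"""

# Keyword/argument separator: whitespace, or '=' with optional whitespace,
# both of which ssh_config(5) accepts.
_SEP = re.compile(r"\s*=\s*|\s+")


def parse_ssh_config(text):
    """Yield (host_pattern, keyword, argument) for every directive.

    Keywords are matched case-insensitively, as ssh(1) does.  Blank lines and
    full-line comments are skipped.  Directives before the first Host line
    apply to every host and are reported under the pattern '*'.
    """
    host = "*"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SEP.split(line, maxsplit=1)
        keyword = parts[0].lower()
        argument = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            host = argument
            continue
        yield host, keyword, argument


def audit_ssh_config(text):
    """Return (level, host_pattern, keyword, message) findings.

    warn: protocol 1 listed in Protocol (no longer enabled by default), or
          SmartcardDevice (removed; PKCS11Provider takes a shared library).
    info: IdentityFile, reporting the <path>-cert.pub file that ssh(1) will
          now also try to load.
    """
    findings = []
    for host, keyword, argument in parse_ssh_config(text):
        if keyword == "protocol":
            versions = [v.strip() for v in argument.split(",")]
            if "1" in versions:
                findings.append(("warn", host, keyword,
                                 "explicitly enables SSH protocol 1: " + argument))
        elif keyword == "smartcarddevice":
            findings.append(("warn", host, keyword,
                             "removed in 5.4; use PKCS11Provider <shared library> instead"))
        elif keyword == "identityfile":
            findings.append(("info", host, keyword,
                             "certificate will also be tried from " + argument + "-cert.pub"))
    return findings


if __name__ == "__main__":
    for level, host, keyword, message in audit_ssh_config(SAMPLE_CONFIG):
        print("%-4s Host %-14s %-16s %s" % (level, host, keyword, message))
```

Run it against a real ~/.ssh/config by reading the file into audit_ssh_config(); the global section is reported as Host `*`, so a Protocol 2,1 there flags every host that does not override it.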
Diffstat (limited to 'ssh_config.0')
| -rw-r--r-- | ssh_config.0 | 34 |
1 file changed, 20 insertions, 14 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 756fc6dbb..48969a22a 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -316,7 +316,9 @@ DESCRIPTION | |||
316 | identity is read. The default is ~/.ssh/identity for protocol | 316 | identity is read. The default is ~/.ssh/identity for protocol |
317 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- | 317 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- |
318 | sion 2. Additionally, any identities represented by the authen- | 318 | sion 2. Additionally, any identities represented by the authen- |
319 | tication agent will be used for authentication. | 319 | tication agent will be used for authentication. ssh(1) will try |
320 | to load certificate information from the filename obtained by ap- | ||
321 | pending -cert.pub to the path of a specified IdentityFile. | ||
320 | 322 | ||
321 | The file name may use the tilde syntax to refer to a user's home | 323 | The file name may use the tilde syntax to refer to a user's home |
322 | directory or one of the following escape characters: `%d' (local | 324 | directory or one of the following escape characters: `%d' (local |
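Review bot: the new IdentityFile sentence (new lines 319-321) does not say what happens when the file obtained by appending -cert.pub is absent or unreadable, so a reader cannot tell whether a missing certificate is an error or a silent fall-back to plain public-key authentication; it also speaks only of "a specified IdentityFile", leaving open whether the default identities named just above (~/.ssh/id_rsa, ~/.ssh/id_dsa) and keys held by the agent get the same -cert.pub lookup. Suggest adding "If that file does not exist, the key is used without a certificate" and an explicit statement covering the defaults.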
@@ -347,8 +349,14 @@ DESCRIPTION | |||
347 | `%d' (local user's home directory), `%h' (remote host name), `%l' | 349 | `%d' (local user's home directory), `%h' (remote host name), `%l' |
348 | (local host name), `%n' (host name as provided on the command | 350 | (local host name), `%n' (host name as provided on the command |
349 | line), `%p' (remote port), `%r' (remote user name) or `%u' (local | 351 | line), `%p' (remote port), `%r' (remote user name) or `%u' (local |
350 | user name). This directive is ignored unless PermitLocalCommand | 352 | user name). |
351 | has been enabled. | 353 | |
354 | The command is run synchronously and does not have access to the | ||
355 | session of the ssh(1) that spawned it. It should not be used for | ||
356 | interactive commands. | ||
357 | |||
358 | This directive is ignored unless PermitLocalCommand has been en- | ||
359 | abled. | ||
352 | 360 | ||
353 | LocalForward | 361 | LocalForward |
354 | Specifies that a TCP port on the local machine be forwarded over | 362 | Specifies that a TCP port on the local machine be forwarded over |
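Review bot: "run synchronously" (new line 354) leaves the timing undefined: the entry should state at which point in connection setup the command runs and whether a non-zero exit status aborts the connection, since anyone using LocalCommand as a gate on the session needs both facts. Consider "The command is executed synchronously, after the connection has been established and before the session starts, and its exit status is ignored" (or whatever the implementation actually does); "does not have access to the session" on its own reads as a restatement of "synchronously".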
@@ -405,6 +413,11 @@ DESCRIPTION | |||
405 | ing the !command escape sequence in ssh(1). The argument must be | 413 | ing the !command escape sequence in ssh(1). The argument must be |
406 | ``yes'' or ``no''. The default is ``no''. | 414 | ``yes'' or ``no''. The default is ``no''. |
407 | 415 | ||
416 | PKCS11Provider | ||
417 | Specifies which PKCS#11 provider to use. The argument to this | ||
418 | keyword is the PKCS#11 shared libary ssh(1) should use to commu- | ||
419 | nicate with a PKCS#11 token providing the user's private RSA key. | ||
420 | |||
408 | Port Specifies the port number to connect on the remote host. The de- | 421 | Port Specifies the port number to connect on the remote host. The de- |
409 | fault is 22. | 422 | fault is 22. |
410 | 423 | ||
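Review bot: typo at new line 418, "libary" should be "library". The entry also drops the default statement that the SmartcardDevice text it replaces carried ("By default, no device is specified and smartcard support is not activated"); add "The default is not to use a PKCS#11 provider". And because the argument is a shared library that ssh(1) loads to talk to the token, a sentence noting that it must be a trusted library, given as an absolute path, would be worth having here.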
@@ -418,9 +431,9 @@ DESCRIPTION | |||
418 | Protocol | 431 | Protocol |
419 | Specifies the protocol versions ssh(1) should support in order of | 432 | Specifies the protocol versions ssh(1) should support in order of |
420 | preference. The possible values are `1' and `2'. Multiple ver- | 433 | preference. The possible values are `1' and `2'. Multiple ver- |
421 | sions must be comma-separated. The default is ``2,1''. This | 434 | sions must be comma-separated. When this option is set to |
422 | means that ssh tries version 2 and falls back to version 1 if | 435 | ``2,1'' ssh will try version 2 and fall back to version 1 if ver- |
423 | version 2 is not available. | 436 | sion 2 is not available. The default is `2'. |
424 | 437 | ||
425 | ProxyCommand | 438 | ProxyCommand |
426 | Specifies the command to use to connect to the server. The com- | 439 | Specifies the command to use to connect to the server. The com- |
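Review bot: quoting is inconsistent within the entry, ``2,1'' versus `2' (new lines 434-436), and the default now comes after the fallback example, so a skimming reader sees 2,1 first. Suggest leading with the default and saying outright that protocol 1 is not used unless listed, matching the changelog's note that it must be explicitly enabled: "The default is ``2''. When set to ``2,1'' ssh will try version 2 and fall back to version 1 if version 2 is not available."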
@@ -527,13 +540,6 @@ DESCRIPTION | |||
527 | default is 0, indicating that these messages will not be sent to | 540 | default is 0, indicating that these messages will not be sent to |
528 | the server. This option applies to protocol version 2 only. | 541 | the server. This option applies to protocol version 2 only. |
529 | 542 | ||
530 | SmartcardDevice | ||
531 | Specifies which smartcard device to use. The argument to this | ||
532 | keyword is the device ssh(1) should use to communicate with a | ||
533 | smartcard used for storing the user's private RSA key. By de- | ||
534 | fault, no device is specified and smartcard support is not acti- | ||
535 | vated. | ||
536 | |||
537 | StrictHostKeyChecking | 543 | StrictHostKeyChecking |
538 | If this flag is set to ``yes'', ssh(1) will never automatically | 544 | If this flag is set to ``yes'', ssh(1) will never automatically |
539 | add host keys to the ~/.ssh/known_hosts file, and refuses to con- | 545 | add host keys to the ~/.ssh/known_hosts file, and refuses to con- |
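Review bot: deleting the SmartcardDevice entry outright leaves users who have SmartcardDevice in ssh_config with no migration note. The old argument was a device name and the new PKCS11Provider argument is a shared-library path, so the value cannot simply be carried over; the PKCS11Provider entry (or a short note at this spot) should say whether SmartcardDevice is still accepted or now rejected, and what to write in its place.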
@@ -667,4 +673,4 @@ AUTHORS | |||
667 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 673 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
668 | versions 1.5 and 2.0. | 674 | versions 1.5 and 2.0. |
669 | 675 | ||
670 | OpenBSD 4.6 February 22, 2009 11 | 676 | OpenBSD 4.6 March 5, 2010 11 |