Import OpenSSH 3.6.1p2.

1 files changed, 400 insertions, 0 deletions

diff --git a/ssh_config.0 b/ssh_config.0
new file mode 100644
index 000000000..74e516594
--- /dev/null
+++ b/ssh_config.0
@@ -0,0 +1,400 @@
+SSH_CONFIG(5)               BSD File Formats Manual              SSH_CONFIG(5)
+
+NAME
+     ssh_config - OpenSSH SSH client configuration files
+
+SYNOPSIS
+     $HOME/.ssh/config
+     /etc/ssh/ssh_config
+
+DESCRIPTION
+     ssh obtains configuration data from the following sources in the follow-
+     ing order:
+           1.   command-line options
+           2.   userM-bM-^@M-^Ys configuration file ($HOME/.ssh/config)
+           3.   system-wide configuration file (/etc/ssh/ssh_config)
+
+     For each parameter, the first obtained value will be used.  The configu-
+     ration files contain sections bracketed by M-bM-^@M-^\HostM-bM-^@M-^] specifications, and
+     that section is only applied for hosts that match one of the patterns
+     given in the specification.  The matched host name is the one given on
+     the command line.
+
+     Since the first obtained value for each parameter is used, more host-spe-
+     cific declarations should be given near the beginning of the file, and
+     general defaults at the end.
+
+     The configuration file has the following format:
+
+     Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments.
+
+     Otherwise a line is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^].  Configuration
+     options may be separated by whitespace or optional whitespace and exactly
+     one M-bM-^@M-^X=M-bM-^@M-^Y; the latter format is useful to avoid the need to quote whites-
+     pace when specifying configuration options using the ssh, scp and sftp -o
+     option.
+
+     The possible keywords and their meanings are as follows (note that key-
+     words are case-insensitive and arguments are case-sensitive):
+
+     Host    Restricts the following declarations (up to the next Host key-
+             word) to be only for those hosts that match one of the patterns
+             given after the keyword.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be used as wildcards
+             in the patterns.  A single M-bM-^@M-^X*M-bM-^@M-^Y as a pattern can be used to pro-
+             vide global defaults for all hosts.  The host is the hostname
+             argument given on the command line (i.e., the name is not con-
+             verted to a canonicalized host name before matching).
+
+     AFSTokenPassing
+             Specifies whether to pass AFS tokens to remote host.  The argu-
+             ment to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  This option applies
+             to protocol version 1 only.
+
+     BatchMode
+             If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled.
+             This option is useful in scripts and other batch jobs where no
+             user is present to supply the password.  The argument must be
+             M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
+     BindAddress
+             Specify the interface to transmit from on machines with multiple
+             interfaces or aliased addresses.  Note that this option does not
+             work if UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^].
+
+     ChallengeResponseAuthentication
+             Specifies whether to use challenge response authentication.  The
+             argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is
+             M-bM-^@M-^\yesM-bM-^@M-^].
+
+     CheckHostIP
+             If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh will additionally check the
+             host IP address in the known_hosts file.  This allows ssh to
+             detect if a host key changed due to DNS spoofing.  If the option
+             is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed.  The default is
+             M-bM-^@M-^\yesM-bM-^@M-^].
+
+     Cipher  Specifies the cipher to use for encrypting the session in proto-
+             col version 1.  Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are sup-
+             ported.  des is only supported in the ssh client for interoper-
+             ability with legacy protocol 1 implementations that do not sup-
+             port the 3des cipher.  Its use is strongly discouraged due to
+             cryptographic weaknesses.  The default is M-bM-^@M-^\3desM-bM-^@M-^].
+
+     Ciphers
+             Specifies the ciphers allowed for protocol version 2 in order of
+             preference.  Multiple ciphers must be comma-separated.  The
+             default is
+
+               M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+                 aes192-cbc,aes256-cbcM-bM-^@M-^YM-bM-^@M-^Y
+
+     ClearAllForwardings
+             Specifies that all local, remote and dynamic port forwardings
+             specified in the configuration files or on the command line be
+             cleared.  This option is primarily useful when used from the ssh
+             command line to clear port forwardings set in configuration
+             files, and is automatically set by scp(1) and sftp(1).  The argu-
+             ment must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
+     Compression
+             Specifies whether to use compression.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^]
+             or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
+     CompressionLevel
+             Specifies the compression level to use if compression is enabled.
+             The argument must be an integer from 1 (fast) to 9 (slow, best).
+             The default level is 6, which is good for most applications.  The
+             meaning of the values is the same as in gzip(1).  Note that this
+             option applies to protocol version 1 only.
+
+     ConnectionAttempts
+             Specifies the number of tries (one per second) to make before
+             exiting.  The argument must be an integer.  This may be useful in
+             scripts if the connection sometimes fails.  The default is 1.
+
+     DynamicForward
+             Specifies that a TCP/IP port on the local machine be forwarded
+             over the secure channel, and the application protocol is then
+             used to determine where to connect to from the remote machine.
+             The argument must be a port number.  Currently the SOCKS4 proto-
+             col is supported, and ssh will act as a SOCKS4 server.  Multiple
+             forwardings may be specified, and additional forwardings can be
+             given on the command line.  Only the superuser can forward privi-
+             leged ports.
+
+     EscapeChar
+             Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y).  The escape character
+             can also be set on the command line.  The argument should be a
+             single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable
+             the escape character entirely (making the connection transparent
+             for binary data).
+
+     ForwardAgent
+             Specifies whether the connection to the authentication agent (if
+             any) will be forwarded to the remote machine.  The argument must
+             be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
+             Agent forwarding should be enabled with caution.  Users with the
+             ability to bypass file permissions on the remote host (for the
+             agentM-bM-^@M-^Ys Unix-domain socket) can access the local agent through
+             the forwarded connection.  An attacker cannot obtain key material
+             from the agent, however they can perform operations on the keys
+             that enable them to authenticate using the identities loaded into
+             the agent.
+
+     ForwardX11
+             Specifies whether X11 connections will be automatically redi-
+             rected over the secure channel and DISPLAY set.  The argument
+             must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
+             X11 forwarding should be enabled with caution.  Users with the
+             ability to bypass file permissions on the remote host (for the
+             userM-bM-^@M-^Ys X authorization database) can access the local X11 display
+             through the forwarded connection.  An attacker may then be able
+             to perform activities such as keystroke monitoring.
+
+     GatewayPorts
+             Specifies whether remote hosts are allowed to connect to local
+             forwarded ports.  By default, ssh binds local port forwardings to
+             the loopback address.  This prevents other remote hosts from con-
+             necting to forwarded ports.  GatewayPorts can be used to specify
+             that ssh should bind local port forwardings to the wildcard
+             address, thus allowing remote hosts to connect to forwarded
+             ports.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
+     GlobalKnownHostsFile
+             Specifies a file to use for the global host key database instead
+             of /etc/ssh/ssh_known_hosts.
+
+     HostbasedAuthentication
+             Specifies whether to try rhosts based authentication with public
+             key authentication.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The
+             default is M-bM-^@M-^\noM-bM-^@M-^].  This option applies to protocol version 2 only
+             and is similar to RhostsRSAAuthentication.
+
+     HostKeyAlgorithms
+             Specifies the protocol version 2 host key algorithms that the
+             client wants to use in order of preference.  The default for this
+             option is: M-bM-^@M-^\ssh-rsa,ssh-dssM-bM-^@M-^].
+
+     HostKeyAlias
+             Specifies an alias that should be used instead of the real host
+             name when looking up or saving the host key in the host key
+             database files.  This option is useful for tunneling ssh connec-
+             tions or for multiple servers running on a single host.
+
+     HostName
+             Specifies the real host name to log into.  This can be used to
+             specify nicknames or abbreviations for hosts.  Default is the
+             name given on the command line.  Numeric IP addresses are also
+             permitted (both on the command line and in HostName specifica-
+             tions).
+
+     IdentityFile
+             Specifies a file from which the userM-bM-^@M-^Ys RSA or DSA authentication
+             identity is read. The default is $HOME/.ssh/identity for protocol
+             version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for proto-
+             col version 2.  Additionally, any identities represented by the
+             authentication agent will be used for authentication.  The file
+             name may use the tilde syntax to refer to a userM-bM-^@M-^Ys home direc-
+             tory.  It is possible to have multiple identity files specified
+             in configuration files; all these identities will be tried in
+             sequence.
+
+     KeepAlive
+             Specifies whether the system should send TCP keepalive messages
+             to the other side.  If they are sent, death of the connection or
+             crash of one of the machines will be properly noticed.  However,
+             this means that connections will die if the route is down tem-
+             porarily, and some people find it annoying.
+
+             The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the client will
+             notice if the network goes down or the remote host dies.  This is
+             important in scripts, and many users want it too.
+
+             To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^].
+
+     KerberosAuthentication
+             Specifies whether Kerberos authentication will be used.  The
+             argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].
+
+     KerberosTgtPassing
+             Specifies whether a Kerberos TGT will be forwarded to the server.
+             This will only work if the Kerberos server is actually an AFS
+             kaserver.  The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].
+
+     LocalForward
+             Specifies that a TCP/IP port on the local machine be forwarded
+             over the secure channel to the specified host and port from the
+             remote machine.  The first argument must be a port number, and
+             the second must be host:port.  IPv6 addresses can be specified
+             with an alternative syntax: host/port.  Multiple forwardings may
+             be specified, and additional forwardings can be given on the com-
+             mand line.  Only the superuser can forward privileged ports.
+
+     LogLevel
+             Gives the verbosity level that is used when logging messages from
+             ssh.  The possible values are: QUIET, FATAL, ERROR, INFO, VER-
+             BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.  The default is INFO.
+             DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
+             higher levels of verbose output.
+
+     MACs    Specifies the MAC (message authentication code) algorithms in
+             order of preference.  The MAC algorithm is used in protocol ver-
+             sion 2 for data integrity protection.  Multiple algorithms must
+             be comma-separated.  The default is
+             M-bM-^@M-^\hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96M-bM-^@M-^].
+
+     NoHostAuthenticationForLocalhost
+             This option can be used if the home directory is shared across
+             machines.  In this case localhost will refer to a different
+             machine on each of the machines and the user will get many warn-
+             ings about changed host keys.  However, this option disables host
+             authentication for localhost.  The argument to this keyword must
+             be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is to check the host key for
+             localhost.
+
+     NumberOfPasswordPrompts
+             Specifies the number of password prompts before giving up.  The
+             argument to this keyword must be an integer.  Default is 3.
+
+     PasswordAuthentication
+             Specifies whether to use password authentication.  The argument
+             to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\yesM-bM-^@M-^].
+
+     Port    Specifies the port number to connect on the remote host.  Default
+             is 22.
+
+     PreferredAuthentications
+             Specifies the order in which the client should try protocol 2
+             authentication methods. This allows a client to prefer one method
+             (e.g.  keyboard-interactive) over another method (e.g.  password)
+             The default for this option is:
+             M-bM-^@M-^\hostbased,publickey,keyboard-interactive,passwordM-bM-^@M-^].
+
+     Protocol
+             Specifies the protocol versions ssh should support in order of
+             preference.  The possible values are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^].  Multiple ver-
+             sions must be comma-separated.  The default is M-bM-^@M-^\2,1M-bM-^@M-^].  This means
+             that ssh tries version 2 and falls back to version 1 if version 2
+             is not available.
+
+     ProxyCommand
+             Specifies the command to use to connect to the server.  The com-
+             mand string extends to the end of the line, and is executed with
+             /bin/sh.  In the command string, M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the
+             host name to connect and M-bM-^@M-^X%pM-bM-^@M-^Y by the port.  The command can be
+             basically anything, and should read from its standard input and
+             write to its standard output.  It should eventually connect an
+             sshd(8) server running on some machine, or execute sshd -i some-
+             where.  Host key management will be done using the HostName of
+             the host being connected (defaulting to the name typed by the
+             user).  Setting the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option
+             entirely.  Note that CheckHostIP is not available for connects
+             with a proxy command.
+
+     PubkeyAuthentication
+             Specifies whether to try public key authentication.  The argument
+             to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\yesM-bM-^@M-^].
+             This option applies to protocol version 2 only.
+
+     RemoteForward
+             Specifies that a TCP/IP port on the remote machine be forwarded
+             over the secure channel to the specified host and port from the
+             local machine.  The first argument must be a port number, and the
+             second must be host:port.  IPv6 addresses can be specified with
+             an alternative syntax: host/port.  Multiple forwardings may be
+             specified, and additional forwardings can be given on the command
+             line.  Only the superuser can forward privileged ports.
+
+     RhostsAuthentication
+             Specifies whether to try rhosts based authentication.  Note that
+             this declaration only affects the client side and has no effect
+             whatsoever on security.  Most servers do not permit RhostsAuthen-
+             tication because it is not secure (see RhostsRSAAuthentication).
+             The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default
+             is M-bM-^@M-^\noM-bM-^@M-^].  This option applies to protocol version 1 only and
+             requires ssh to be setuid root and UsePrivilegedPort to be set to
+             M-bM-^@M-^\yesM-bM-^@M-^].
+
+     RhostsRSAAuthentication
+             Specifies whether to try rhosts based authentication with RSA
+             host authentication.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The
+             default is M-bM-^@M-^\noM-bM-^@M-^].  This option applies to protocol version 1 only
+             and requires ssh to be setuid root.
+
+     RSAAuthentication
+             Specifies whether to try RSA authentication.  The argument to
+             this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  RSA authentication will only
+             be attempted if the identity file exists, or an authentication
+             agent is running.  The default is M-bM-^@M-^\yesM-bM-^@M-^].  Note that this option
+             applies to protocol version 1 only.
+
+     SmartcardDevice
+             Specifies which smartcard device to use. The argument to this
+             keyword is the device ssh should use to communicate with a smart-
+             card used for storing the userM-bM-^@M-^Ys private RSA key. By default, no
+             device is specified and smartcard support is not activated.
+
+     StrictHostKeyChecking
+             If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh will never automatically add
+             host keys to the $HOME/.ssh/known_hosts file, and refuses to con-
+             nect to hosts whose host key has changed.  This provides maximum
+             protection against trojan horse attacks, however, can be annoying
+             when the /etc/ssh/ssh_known_hosts file is poorly maintained, or
+             connections to new hosts are frequently made.  This option forces
+             the user to manually add all new hosts.  If this flag is set to
+             M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host keys to the user known
+             hosts files.  If this flag is set to M-bM-^@M-^\askM-bM-^@M-^], new host keys will be
+             added to the user known host files only after the user has con-
+             firmed that is what they really want to do, and ssh will refuse
+             to connect to hosts whose host key has changed.  The host keys of
+             known hosts will be verified automatically in all cases.  The
+             argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] or M-bM-^@M-^\askM-bM-^@M-^].  The default is M-bM-^@M-^\askM-bM-^@M-^].
+
+     UsePrivilegedPort
+             Specifies whether to use a privileged port for outgoing connec-
+             tions.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
+             If set to M-bM-^@M-^\yesM-bM-^@M-^] ssh must be setuid root.  Note that this option
+             must be set to M-bM-^@M-^\yesM-bM-^@M-^] if RhostsAuthentication and
+             RhostsRSAAuthentication authentications are needed with older
+             servers.
+
+     User    Specifies the user to log in as.  This can be useful when a dif-
+             ferent user name is used on different machines.  This saves the
+             trouble of having to remember to give the user name on the com-
+             mand line.
+
+     UserKnownHostsFile
+             Specifies a file to use for the user host key database instead of
+             $HOME/.ssh/known_hosts.
+
+     XAuthLocation
+             Specifies the full pathname of the xauth(1) program.  The default
+             is /usr/X11R6/bin/xauth.
+
+FILES
+     $HOME/.ssh/config
+             This is the per-user configuration file.  The format of this file
+             is described above.  This file is used by the ssh client.  This
+             file does not usually contain any sensitive information, but the
+             recommended permissions are read/write for the user, and not
+             accessible by others.
+
+     /etc/ssh/ssh_config
+             Systemwide configuration file.  This file provides defaults for
+             those values that are not specified in the userM-bM-^@M-^Ys configuration
+             file, and for those users who do not have a configuration file.
+             This file must be world-readable.
+
+AUTHORS
+     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
+     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
+     de Raadt and Dug Song removed many bugs, re-added newer features and cre-
+     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
+     versions 1.5 and 2.0.
+
+SEE ALSO
+     ssh(1)
+
+BSD                           September 25, 1999                           BSD