* New upstream release (http://www.openssh.org/txt/release-5.9).

- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
author: Colin Watson <cjwatson@debian.org> 2011-09-06 14:56:29 +0100
committer: Colin Watson <cjwatson@debian.org> 2011-09-06 14:56:29 +0100
commit: 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree: 89400a44e42d84937deba7864e4964d6c7734da5 /ssh_config.0
parent: 87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent: 3a7e89697ca363de0f64e0d5704c57219294e41c (diff)
1 files changed, 38 insertions, 15 deletions
diff --git a/ssh_config.0 b/ssh_config.0
index c4a12f7bb..7b9205681 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -47,6 +47,12 @@ DESCRIPTION
             line (i.e. the name is not converted to a canonicalized host name
             before matching).
+             A pattern entry may be negated by prefixing it with an
+             exclamation mark (`!').  If a negated entry is matched, then the
+             Host entry is ignored, regardless of whether any other patterns
+             on the line match.  Negated matches are therefore useful to
+             provide exceptions for wildcard matches.
             See PATTERNS for more information on patterns.
     AddressFamily
@@ -160,13 +166,16 @@ DESCRIPTION
     ControlPath
             Specify the path to the control socket used for connection
             sharing as described in the ControlMaster section above or the
-             string ``none'' to disable connection sharing.  In the path, `%l'
+             string ``none'' to disable connection sharing.  In the path, `%L'
-             will be substituted by the local host name, `%h' will be
+             will be substituted by the first component of the local host
-             substituted by the target host name, `%p' the port, and `%r' by
+             name, `%l' will be substituted by the local host name (including
-             the remote login username.  It is recommended that any
+             any domain name), `%h' will be substituted by the target host
-             ControlPath used for opportunistic connection sharing include at
+             name, `%n' will be substituted by the original target host name
-             least %h, %p, and %r.  This ensures that shared connections are
+             specified on the command line, `%p' the port, `%r' by the remote
-             uniquely identified.
+             login username, and `%u' by the username of the user running
+             ssh(1).  It is recommended that any ControlPath used for
+             opportunistic connection sharing include at least %h, %p, and %r.
+             This ensures that shared connections are uniquely identified.
     ControlPersist
             When used in conjunction with ControlMaster, specifies that the
@@ -282,8 +291,9 @@ DESCRIPTION
             default is ``no''.
     GlobalKnownHostsFile
-             Specifies a file to use for the global host key database instead
+             Specifies one or more files to use for the global host key
-             of /etc/ssh/ssh_known_hosts.
+             database, separated by whitespace.  The default is
+             /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2.
     GSSAPIAuthentication
             Specifies whether user authentication based on GSSAPI is allowed.
@@ -336,7 +346,7 @@ DESCRIPTION
             Specifies the real host name to log into.  This can be used to
             specify nicknames or abbreviations for hosts.  If the hostname
             contains the character sequence `%h', then this will be replaced
-             with the host name specified on the commandline (this is useful
+             with the host name specified on the command line (this is useful
             for manipulating unqualified names).  The default is the name
             given on the command line.  Numeric IP addresses are also
             permitted (both on the command line and in HostName
@@ -367,7 +377,9 @@ DESCRIPTION
             It is possible to have multiple identity files specified in
             configuration files; all these identities will be tried in
-             sequence.
+             sequence.  Multiple IdentityFile directives will add to the list
+             of identities tried (this behaviour differs from that of other
+             configuration directives).
     IPQoS   Specifies the IPv4 type-of-service or DSCP class for connections.
             Accepted values are ``af11'', ``af12'', ``af13'', ``af14'',
@@ -451,7 +463,9 @@ DESCRIPTION
             must be comma-separated.  The default is:
                   hmac-md5,hmac-sha1,umac-64@openssh.com,
-                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+                   hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,
+                   hmac-sha2-512-96
     NoHostAuthenticationForLocalhost
             This option can be used if the home directory is shared across
@@ -555,6 +569,14 @@ DESCRIPTION
             if the server's GatewayPorts option is enabled (see
             sshd_config(5)).
+     RequestTTY
+             Specifies whether to request a pseudo-tty for the session.  The
+             argument may be one of: ``no'' (never request a TTY), ``yes''
+             (always request a TTY when standard input is a TTY), ``force''
+             (always request a TTY) or ``auto'' (request a TTY when opening a
+             login session).  This option mirrors the -t and -T flags for
+             ssh(1).
     RhostsRSAAuthentication
             Specifies whether to try rhosts based authentication with RSA
             host authentication.  The argument must be ``yes'' or ``no''.
@@ -666,8 +688,9 @@ DESCRIPTION
             command line.
     UserKnownHostsFile
-             Specifies a file to use for the user host key database instead of
+             Specifies one or more files to use for the user host key
-             ~/.ssh/known_hosts.
+             database, separated by whitespace.  The default is
+             ~/.ssh/known_hosts, ~/.ssh/known_hosts2.
     VerifyHostKeyDNS
             Specifies whether to verify the remote key using DNS and SSHFP
@@ -741,4 +764,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 4.9                    December 8, 2010                    OpenBSD 4.9
+OpenBSD 5.0                     August 2, 2011                     OpenBSD 5.0
author	Colin Watson <cjwatson@debian.org>	2011-09-06 14:56:29 +0100
committer	Colin Watson <cjwatson@debian.org>	2011-09-06 14:56:29 +0100
commit	978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree	89400a44e42d84937deba7864e4964d6c7734da5 /ssh_config.0
parent	87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent	3a7e89697ca363de0f64e0d5704c57219294e41c (diff)