* New upstream release (LP: #535029).

- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
author: Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
committer: Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
commit: efd3d4522636ae029488c2e9730b60c88e257d2e (patch)
tree: 31e02ac3f16090ce8c53448677356b2b7f423683 /ssh_config.5
parent: bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff)
parent: d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)
1 files changed, 27 insertions, 13 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 76e451079..0ce851aa8 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.119 2009/02/22 23:50:57 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.129 2010/03/05 10:28:21 djm Exp $
-.Dd $Mdocdate: February 22 2009 $
+.Dd $Mdocdate: March 5 2010 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -610,6 +610,12 @@ and
 for protocol version 2.
 Additionally, any identities represented by the authentication agent
 will be used for authentication.
+.Xr ssh 1
+will try to load certificate information from the filename obtained by
+appending
+.Pa -cert.pub
+to the path of a specified
+.Cm IdentityFile .
 .Pp
 The file name may use the tilde
 syntax to refer to a user's home directory or one of the following
@@ -667,6 +673,13 @@ The following escape character substitutions will be performed:
 (remote user name) or
 .Ql %u
 (local user name).
+.Pp
+The command is run synchronously and does not have access to the
+session of the
+.Xr ssh 1
+that spawned it.
+It should not be used for interactive commands.
+.Pp
 This directive is ignored unless
 .Cm PermitLocalCommand
 has been enabled.
@@ -755,6 +768,12 @@ or
 .Dq no .
 The default is
 .Dq no .
+.It Cm PKCS11Provider
+Specifies which PKCS#11 provider to use.
+The argument to this keyword is the PKCS#11 shared libary
+.Xr ssh 1
+should use to communicate with a PKCS#11 token providing the user's
+private RSA key.
 .It Cm Port
 Specifies the port number to connect on the remote host.
 The default is 22.
@@ -781,11 +800,13 @@ The possible values are
 and
 .Sq 2 .
 Multiple versions must be comma-separated.
-The default is
+When this option is set to
-.Dq 2,1 .
+.Dq 2,1
-This means that ssh
+.Nm ssh
-tries version 2 and falls back to version 1
+will try version 2 and fall back to version 1
 if version 2 is not available.
+The default is
+.Sq 2 .
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
@@ -979,13 +1000,6 @@ This option applies to protocol version 2 only.
 and
 .Cm SetupTimeOut
 are Debian-specific compatibility aliases for this option.
-.It Cm SmartcardDevice
-Specifies which smartcard device to use.
-The argument to this keyword is the device
-.Xr ssh 1
-should use to communicate with a smartcard used for storing the user's
-private RSA key.
-By default, no device is specified and smartcard support is not activated.
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
author	Colin Watson <cjwatson@debian.org>	2010-03-31 10:46:28 +0100
committer	Colin Watson <cjwatson@debian.org>	2010-03-31 10:46:28 +0100
commit	efd3d4522636ae029488c2e9730b60c88e257d2e (patch)
tree	31e02ac3f16090ce8c53448677356b2b7f423683 /ssh_config.5
parent	bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff)
parent	d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 76e451079..0ce851aa8 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.119 2009/02/22 23:50:57 djm Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.129 2010/03/05 10:28:21 djm Exp $
38	.Dd $Mdocdate: February 22 2009 $	38	.Dd $Mdocdate: March 5 2010 $
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -610,6 +610,12 @@ and
610	for protocol version 2.	610	for protocol version 2.
611	Additionally, any identities represented by the authentication agent	611	Additionally, any identities represented by the authentication agent
612	will be used for authentication.	612	will be used for authentication.
		613	.Xr ssh 1
		614	will try to load certificate information from the filename obtained by
		615	appending
		616	.Pa -cert.pub
		617	to the path of a specified
		618	.Cm IdentityFile .
613	.Pp	619	.Pp
614	The file name may use the tilde	620	The file name may use the tilde
615	syntax to refer to a user's home directory or one of the following	621	syntax to refer to a user's home directory or one of the following
@@ -667,6 +673,13 @@ The following escape character substitutions will be performed:
667	(remote user name) or	673	(remote user name) or
668	.Ql %u	674	.Ql %u
669	(local user name).	675	(local user name).
		676	.Pp
		677	The command is run synchronously and does not have access to the
		678	session of the
		679	.Xr ssh 1
		680	that spawned it.
		681	It should not be used for interactive commands.
		682	.Pp
670	This directive is ignored unless	683	This directive is ignored unless
671	.Cm PermitLocalCommand	684	.Cm PermitLocalCommand
672	has been enabled.	685	has been enabled.
@@ -755,6 +768,12 @@ or
755	.Dq no .	768	.Dq no .
756	The default is	769	The default is
757	.Dq no .	770	.Dq no .
		771	.It Cm PKCS11Provider
		772	Specifies which PKCS#11 provider to use.
		773	The argument to this keyword is the PKCS#11 shared libary
		774	.Xr ssh 1
		775	should use to communicate with a PKCS#11 token providing the user's
		776	private RSA key.
758	.It Cm Port	777	.It Cm Port
759	Specifies the port number to connect on the remote host.	778	Specifies the port number to connect on the remote host.
760	The default is 22.	779	The default is 22.
@@ -781,11 +800,13 @@ The possible values are
781	and	800	and
782	.Sq 2 .	801	.Sq 2 .
783	Multiple versions must be comma-separated.	802	Multiple versions must be comma-separated.
784	The default is	803	When this option is set to
785	.Dq 2,1 .	804	.Dq 2,1
786	This means that ssh	805	.Nm ssh
787	tries version 2 and falls back to version 1	806	will try version 2 and fall back to version 1
788	if version 2 is not available.	807	if version 2 is not available.
		808	The default is
		809	.Sq 2 .
789	.It Cm ProxyCommand	810	.It Cm ProxyCommand
790	Specifies the command to use to connect to the server.	811	Specifies the command to use to connect to the server.
791	The command	812	The command
@@ -979,13 +1000,6 @@ This option applies to protocol version 2 only.
979	and	1000	and
980	.Cm SetupTimeOut	1001	.Cm SetupTimeOut
981	are Debian-specific compatibility aliases for this option.	1002	are Debian-specific compatibility aliases for this option.
982	.It Cm SmartcardDevice
983	Specifies which smartcard device to use.
984	The argument to this keyword is the device
985	.Xr ssh 1
986	should use to communicate with a smartcard used for storing the user's
987	private RSA key.
988	By default, no device is specified and smartcard support is not activated.
989	.It Cm StrictHostKeyChecking	1003	.It Cm StrictHostKeyChecking
990	If this flag is set to	1004	If this flag is set to
991	.Dq yes ,	1005	.Dq yes ,