* New upstream release (http://www.openssh.org/txt/release-5.7):

- Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. - sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command. - scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host (closes: #508613). - ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races (closes: #454784). Stale server sockets are now automatically removed (closes: #523250). - ssh(1): install a SIGCHLD handler to reap expired child process (closes: #594687). - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories (closes: #357469, although only if you arrange for ssh-agent to actually see $TMPDIR since the setgid bit will cause it to be stripped off).
author: Colin Watson <cjwatson@debian.org> 2011-01-24 12:43:25 +0000
committer: Colin Watson <cjwatson@debian.org> 2011-01-24 12:43:25 +0000
commit: 626f1d986ff72aa514da63e34744e1de9cf21b9a (patch)
tree: d215a5280bc2e57251e4a9e08bfd3674ad824a94 /ssh_config.5
parent: 6ed622cb6fe8f71bbe0d998cdd12280410bfb420 (diff)
parent: 0970072c89b079b022538e3c366fbfa2c53fc821 (diff)
1 files changed, 73 insertions, 9 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 2f0cd8c83..fc994d482 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1,4 +1,3 @@
-.\"  -*- nroff -*-
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.138 2010/08/04 05:37:01 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.146 2010/12/08 04:02:47 djm Exp $
-.Dd $Mdocdate: August 4 2010 $
+.Dd $Mdocdate: December 8 2010 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -540,6 +539,11 @@ Note that this option applies to protocol version 2 only.
 If set, specifies the GSSAPI client identity that ssh should use when 
 connecting to the server. The default is unset, which means that the default 
 identity will be used.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when 
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
@@ -598,7 +602,18 @@ is similar to
 Specifies the protocol version 2 host key algorithms
 that the client wants to use in order of preference.
 The default for this option is:
-.Dq ssh-rsa,ssh-dss .
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
+ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-rsa,ssh-dss
+.Ed
+.Pp
+If hostkeys are known for the destination host then this default is modified
+to prefer their algorithms.
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
@@ -634,14 +649,15 @@ offers many different identities.
 The default is
 .Dq no .
 .It Cm IdentityFile
-Specifies a file from which the user's RSA or DSA authentication identity
+Specifies a file from which the user's DSA, ECDSA or DSA authentication
-is read.
+identity is read.
 The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
-.Pa ~/.ssh/id_rsa
+.Pa ~/.ssh/id_dsa ,
+.Pa ~/.ssh/id_ecdsa
 and
-.Pa ~/.ssh/id_dsa
+.Pa ~/.ssh/id_rsa
 for protocol version 2.
 Additionally, any identities represented by the authentication agent
 will be used for authentication.
@@ -669,6 +685,43 @@ escape characters:
 It is possible to have
 multiple identity files specified in configuration files; all these
 identities will be tried in sequence.
+.It Cm IPQoS
+Specifies the IPv4 type-of-service or DSCP class for connections.
+Accepted values are
+.Dq af11 ,
+.Dq af12 ,
+.Dq af13 ,
+.Dq af14 ,
+.Dq af22 ,
+.Dq af23 ,
+.Dq af31 ,
+.Dq af32 ,
+.Dq af33 ,
+.Dq af41 ,
+.Dq af42 ,
+.Dq af43 ,
+.Dq cs0 ,
+.Dq cs1 ,
+.Dq cs2 ,
+.Dq cs3 ,
+.Dq cs4 ,
+.Dq cs5 ,
+.Dq cs6 ,
+.Dq cs7 ,
+.Dq ef ,
+.Dq lowdelay ,
+.Dq throughput ,
+.Dq reliability ,
+or a numeric value.
+This option may take one or two arguments, separated by whitespace.
+If one argument is specified, it is used as the packet class unconditionally.
+If two values are specified, the first is automatically selected for
+interactive sessions and the second for non-interactive sessions.
+The default is
+.Dq lowdelay
+for interactive sessions and
+.Dq throughput
+for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to use keyboard-interactive authentication.
 The argument to this keyword must be
@@ -688,6 +741,17 @@ it may be zero or more of:
 .Dq pam ,
 and
 .Dq skey .
+.It Cm KexAlgorithms
+Specifies the available KEX (Key Exchange) algorithms.
+Multiple algorithms must be comma-separated.
+The default is:
+.Bd -literal -offset indent
+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+diffie-hellman-group-exchange-sha256,
+diffie-hellman-group-exchange-sha1,
+diffie-hellman-group14-sha1,
+diffie-hellman-group1-sha1
+.Ed
 .It Cm LocalCommand
 Specifies a command to execute on the local machine after successfully
 connecting to the server.
@@ -801,7 +865,7 @@ The default is
 .Dq no .
 .It Cm PKCS11Provider
 Specifies which PKCS#11 provider to use.
-The argument to this keyword is the PKCS#11 shared libary
+The argument to this keyword is the PKCS#11 shared library
 .Xr ssh 1
 should use to communicate with a PKCS#11 token providing the user's
 private RSA key.
author	Colin Watson <cjwatson@debian.org>	2011-01-24 12:43:25 +0000
committer	Colin Watson <cjwatson@debian.org>	2011-01-24 12:43:25 +0000
commit	626f1d986ff72aa514da63e34744e1de9cf21b9a (patch)
tree	d215a5280bc2e57251e4a9e08bfd3674ad824a94 /ssh_config.5
parent	6ed622cb6fe8f71bbe0d998cdd12280410bfb420 (diff)
parent	0970072c89b079b022538e3c366fbfa2c53fc821 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 2f0cd8c83..fc994d482 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -1,4 +1,3 @@
1	.\" -- nroff --
2	.\"	1	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	2	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	3	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,8 +33,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	35	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.138 2010/08/04 05:37:01 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.146 2010/12/08 04:02:47 djm Exp $
38	.Dd $Mdocdate: August 4 2010 $	37	.Dd $Mdocdate: December 8 2010 $
39	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
40	.Os	39	.Os
41	.Sh NAME	40	.Sh NAME
@@ -540,6 +539,11 @@ Note that this option applies to protocol version 2 only.
540	If set, specifies the GSSAPI client identity that ssh should use when	539	If set, specifies the GSSAPI client identity that ssh should use when
541	connecting to the server. The default is unset, which means that the default	540	connecting to the server. The default is unset, which means that the default
542	identity will be used.	541	identity will be used.
		542	.It Cm GSSAPIServerIdentity
		543	If set, specifies the GSSAPI server identity that ssh should expect when
		544	connecting to the server. The default is unset, which means that the
		545	expected GSSAPI server identity will be determined from the target
		546	hostname.
543	.It Cm GSSAPIDelegateCredentials	547	.It Cm GSSAPIDelegateCredentials
544	Forward (delegate) credentials to the server.	548	Forward (delegate) credentials to the server.
545	The default is	549	The default is
@@ -598,7 +602,18 @@ is similar to
598	Specifies the protocol version 2 host key algorithms	602	Specifies the protocol version 2 host key algorithms
599	that the client wants to use in order of preference.	603	that the client wants to use in order of preference.
600	The default for this option is:	604	The default for this option is:
601	.Dq ssh-rsa,ssh-dss .	605	.Bd -literal -offset 3n
		606	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		607	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		608	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		609	ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
		610	ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
		611	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		612	ssh-rsa,ssh-dss
		613	.Ed
		614	.Pp
		615	If hostkeys are known for the destination host then this default is modified
		616	to prefer their algorithms.
602	.It Cm HostKeyAlias	617	.It Cm HostKeyAlias
603	Specifies an alias that should be used instead of the	618	Specifies an alias that should be used instead of the
604	real host name when looking up or saving the host key	619	real host name when looking up or saving the host key
@@ -634,14 +649,15 @@ offers many different identities.
634	The default is	649	The default is
635	.Dq no .	650	.Dq no .
636	.It Cm IdentityFile	651	.It Cm IdentityFile
637	Specifies a file from which the user's RSA or DSA authentication identity	652	Specifies a file from which the user's DSA, ECDSA or DSA authentication
638	is read.	653	identity is read.
639	The default is	654	The default is
640	.Pa ~/.ssh/identity	655	.Pa ~/.ssh/identity
641	for protocol version 1, and	656	for protocol version 1, and
642	.Pa ~/.ssh/id_rsa	657	.Pa ~/.ssh/id_dsa ,
		658	.Pa ~/.ssh/id_ecdsa
643	and	659	and
644	.Pa ~/.ssh/id_dsa	660	.Pa ~/.ssh/id_rsa
645	for protocol version 2.	661	for protocol version 2.
646	Additionally, any identities represented by the authentication agent	662	Additionally, any identities represented by the authentication agent
647	will be used for authentication.	663	will be used for authentication.
@@ -669,6 +685,43 @@ escape characters:
669	It is possible to have	685	It is possible to have
670	multiple identity files specified in configuration files; all these	686	multiple identity files specified in configuration files; all these
671	identities will be tried in sequence.	687	identities will be tried in sequence.
		688	.It Cm IPQoS
		689	Specifies the IPv4 type-of-service or DSCP class for connections.
		690	Accepted values are
		691	.Dq af11 ,
		692	.Dq af12 ,
		693	.Dq af13 ,
		694	.Dq af14 ,
		695	.Dq af22 ,
		696	.Dq af23 ,
		697	.Dq af31 ,
		698	.Dq af32 ,
		699	.Dq af33 ,
		700	.Dq af41 ,
		701	.Dq af42 ,
		702	.Dq af43 ,
		703	.Dq cs0 ,
		704	.Dq cs1 ,
		705	.Dq cs2 ,
		706	.Dq cs3 ,
		707	.Dq cs4 ,
		708	.Dq cs5 ,
		709	.Dq cs6 ,
		710	.Dq cs7 ,
		711	.Dq ef ,
		712	.Dq lowdelay ,
		713	.Dq throughput ,
		714	.Dq reliability ,
		715	or a numeric value.
		716	This option may take one or two arguments, separated by whitespace.
		717	If one argument is specified, it is used as the packet class unconditionally.
		718	If two values are specified, the first is automatically selected for
		719	interactive sessions and the second for non-interactive sessions.
		720	The default is
		721	.Dq lowdelay
		722	for interactive sessions and
		723	.Dq throughput
		724	for non-interactive sessions.
672	.It Cm KbdInteractiveAuthentication	725	.It Cm KbdInteractiveAuthentication
673	Specifies whether to use keyboard-interactive authentication.	726	Specifies whether to use keyboard-interactive authentication.
674	The argument to this keyword must be	727	The argument to this keyword must be
@@ -688,6 +741,17 @@ it may be zero or more of:
688	.Dq pam ,	741	.Dq pam ,
689	and	742	and
690	.Dq skey .	743	.Dq skey .
		744	.It Cm KexAlgorithms
		745	Specifies the available KEX (Key Exchange) algorithms.
		746	Multiple algorithms must be comma-separated.
		747	The default is:
		748	.Bd -literal -offset indent
		749	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
		750	diffie-hellman-group-exchange-sha256,
		751	diffie-hellman-group-exchange-sha1,
		752	diffie-hellman-group14-sha1,
		753	diffie-hellman-group1-sha1
		754	.Ed
691	.It Cm LocalCommand	755	.It Cm LocalCommand
692	Specifies a command to execute on the local machine after successfully	756	Specifies a command to execute on the local machine after successfully
693	connecting to the server.	757	connecting to the server.
@@ -801,7 +865,7 @@ The default is
801	.Dq no .	865	.Dq no .
802	.It Cm PKCS11Provider	866	.It Cm PKCS11Provider
803	Specifies which PKCS#11 provider to use.	867	Specifies which PKCS#11 provider to use.
804	The argument to this keyword is the PKCS#11 shared libary	868	The argument to this keyword is the PKCS#11 shared library
805	.Xr ssh 1	869	.Xr ssh 1
806	should use to communicate with a PKCS#11 token providing the user's	870	should use to communicate with a PKCS#11 token providing the user's
807	private RSA key.	871	private RSA key.