New upstream release (7.7p1)

author: Colin Watson <cjwatson@debian.org> 2018-04-03 08:20:28 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-04-03 08:57:25 +0100
commit: a0b2dce9bf518f561bbb5070c0fb0c38f49035dd (patch)
tree: 24298b823e93d4e6efe13f48f1512707ebd625f8 /ssh_config.5
parent: 9d4942dc192b6f1888c9ab73a512dd9b197b956c (diff)
parent: 76aa43d2298f322f0371b74462418d0461537131 (diff)
1 files changed, 42 insertions, 10 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 2da7029af..ed6e5d026 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.268 2018/02/23 07:38:09 jmc Exp $
-.Dd $Mdocdate: September 21 2017 $
+.Dd $Mdocdate: February 23 2018 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -282,6 +282,13 @@ Note that this option does not work if
 .Cm UsePrivilegedPort
 is set to
 .Cm yes .
+.It Cm BindInterface
+Use the address of the specified interface on the local machine as the
+source address of the connection.
+Note that this option does not work if
+.Cm UsePrivilegedPort
+is set to
+.Cm yes .
 .It Cm CanonicalDomains
 When
 .Cm CanonicalizeHostname
@@ -1071,7 +1078,10 @@ The default is:
 curve25519-sha256,curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
+diffie-hellman-group16-sha512,
+diffie-hellman-group18-sha512,
 diffie-hellman-group-exchange-sha1,
+diffie-hellman-group14-sha256,
 diffie-hellman-group14-sha1
 .Ed
 .Pp
@@ -1163,10 +1173,7 @@ hmac-sha2-256,hmac-sha2-512,hmac-sha1
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm NoHostAuthenticationForLocalhost
-This option can be used if the home directory is shared across machines.
+Disable host authentication for localhost (loopback addresses).
-In this case localhost will refer to a different machine on each of
-the machines and the user will get many warnings about changed host keys.
-However, this option disables host authentication for localhost.
 The argument to this keyword must be
 .Cm yes
 or
@@ -1254,13 +1261,14 @@ For example, the following directive would connect via an HTTP proxy at
 ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
 .Ed
 .It Cm ProxyJump
-Specifies one or more jump proxies as
+Specifies one or more jump proxies as either
 .Xo
 .Sm off
 .Op Ar user No @
 .Ar host
 .Op : Ns Ar port
 .Sm on
+or an ssh URI
 .Xc .
 Multiple proxies may be separated by comma characters and will be visited
 sequentially.
@@ -1520,7 +1528,7 @@ If this flag is set to
 will never automatically add host keys to the
 .Pa ~/.ssh/known_hosts
 file, and refuses to connect to hosts whose host key has changed.
-This provides maximum protection against trojan horse attacks,
+This provides maximum protection against man-in-the-middle (MITM) attacks,
 though it can be annoying when the
 .Pa /etc/ssh/ssh_known_hosts
 file is poorly maintained or when connections to new hosts are
@@ -1578,6 +1586,9 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Cm no .
+See also
+.Cm ServerAliveInterval
+for protocol-level keepalives.
 .It Cm Tunnel
 Request
 .Xr tun 4
@@ -1743,6 +1754,18 @@ pool,
 the following entry (in authorized_keys) could be used:
 .Pp
 .Dl from=\&"!*.dialup.example.com,*.example.com\&"
+.Pp
+Note that a negated match will never produce a positive result by itself.
+For example, attempting to match
+.Qq host3
+against the following pattern-list will fail:
+.Pp
+.Dl from=\&"!host1,!host2\&"
+.Pp
+The solution here is to include a term that will yield a positive match,
+such as a wildcard:
+.Pp
+.Dl from=\&"!host1,!host2,*\&"
 .Sh TOKENS
 Arguments to some keywords can make use of tokens,
 which are expanded at runtime:
@@ -1752,7 +1775,7 @@ which are expanded at runtime:
 A literal
 .Sq % .
 .It \&%C
-Shorthand for %l%h%p%r.
+Hash of %l%h%p%r.
 .It %d
 Local user's home directory.
 .It %h
@@ -1769,6 +1792,15 @@ The original remote hostname, as given on the command line.
 The remote port.
 .It %r
 The remote username.
+.It \&%T
+The local
+.Xr tun 4
+or
+.Xr tap 4
+network interface assigned if
+tunnel forwarding was requested, or
+.Qq NONE
+otherwise.
 .It %u
 The local username.
 .El
@@ -1791,7 +1823,7 @@ and
 accept the tokens %%, %d, %h, %l, %r, and %u.
 .Pp
 .Cm LocalCommand
-accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
+accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, %T, and %u.
 .Pp
 .Cm ProxyCommand
 accepts the tokens %%, %h, %p, and %r.
author	Colin Watson <cjwatson@debian.org>	2018-04-03 08:20:28 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-04-03 08:57:25 +0100
commit	a0b2dce9bf518f561bbb5070c0fb0c38f49035dd (patch)
tree	24298b823e93d4e6efe13f48f1512707ebd625f8 /ssh_config.5
parent	9d4942dc192b6f1888c9ab73a512dd9b197b956c (diff)
parent	76aa43d2298f322f0371b74462418d0461537131 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 2da7029af..ed6e5d026 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.268 2018/02/23 07:38:09 jmc Exp $
37	.Dd $Mdocdate: September 21 2017 $	37	.Dd $Mdocdate: February 23 2018 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -282,6 +282,13 @@ Note that this option does not work if
282	.Cm UsePrivilegedPort	282	.Cm UsePrivilegedPort
283	is set to	283	is set to
284	.Cm yes .	284	.Cm yes .
		285	.It Cm BindInterface
		286	Use the address of the specified interface on the local machine as the
		287	source address of the connection.
		288	Note that this option does not work if
		289	.Cm UsePrivilegedPort
		290	is set to
		291	.Cm yes .
285	.It Cm CanonicalDomains	292	.It Cm CanonicalDomains
286	When	293	When
287	.Cm CanonicalizeHostname	294	.Cm CanonicalizeHostname
@@ -1071,7 +1078,10 @@ The default is:
1071	curve25519-sha256,curve25519-sha256@libssh.org,	1078	curve25519-sha256,curve25519-sha256@libssh.org,
1072	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	1079	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1073	diffie-hellman-group-exchange-sha256,	1080	diffie-hellman-group-exchange-sha256,
		1081	diffie-hellman-group16-sha512,
		1082	diffie-hellman-group18-sha512,
1074	diffie-hellman-group-exchange-sha1,	1083	diffie-hellman-group-exchange-sha1,
		1084	diffie-hellman-group14-sha256,
1075	diffie-hellman-group14-sha1	1085	diffie-hellman-group14-sha1
1076	.Ed	1086	.Ed
1077	.Pp	1087	.Pp
@@ -1163,10 +1173,7 @@ hmac-sha2-256,hmac-sha2-512,hmac-sha1
1163	The list of available MAC algorithms may also be obtained using	1173	The list of available MAC algorithms may also be obtained using
1164	.Qq ssh -Q mac .	1174	.Qq ssh -Q mac .
1165	.It Cm NoHostAuthenticationForLocalhost	1175	.It Cm NoHostAuthenticationForLocalhost
1166	This option can be used if the home directory is shared across machines.	1176	Disable host authentication for localhost (loopback addresses).
1167	In this case localhost will refer to a different machine on each of
1168	the machines and the user will get many warnings about changed host keys.
1169	However, this option disables host authentication for localhost.
1170	The argument to this keyword must be	1177	The argument to this keyword must be
1171	.Cm yes	1178	.Cm yes
1172	or	1179	or
@@ -1254,13 +1261,14 @@ For example, the following directive would connect via an HTTP proxy at
1254	ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p	1261	ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
1255	.Ed	1262	.Ed
1256	.It Cm ProxyJump	1263	.It Cm ProxyJump
1257	Specifies one or more jump proxies as	1264	Specifies one or more jump proxies as either
1258	.Xo	1265	.Xo
1259	.Sm off	1266	.Sm off
1260	.Op Ar user No @	1267	.Op Ar user No @
1261	.Ar host	1268	.Ar host
1262	.Op : Ns Ar port	1269	.Op : Ns Ar port
1263	.Sm on	1270	.Sm on
		1271	or an ssh URI
1264	.Xc .	1272	.Xc .
1265	Multiple proxies may be separated by comma characters and will be visited	1273	Multiple proxies may be separated by comma characters and will be visited
1266	sequentially.	1274	sequentially.
@@ -1520,7 +1528,7 @@ If this flag is set to
1520	will never automatically add host keys to the	1528	will never automatically add host keys to the
1521	.Pa ~/.ssh/known_hosts	1529	.Pa ~/.ssh/known_hosts
1522	file, and refuses to connect to hosts whose host key has changed.	1530	file, and refuses to connect to hosts whose host key has changed.
1523	This provides maximum protection against trojan horse attacks,	1531	This provides maximum protection against man-in-the-middle (MITM) attacks,
1524	though it can be annoying when the	1532	though it can be annoying when the
1525	.Pa /etc/ssh/ssh_known_hosts	1533	.Pa /etc/ssh/ssh_known_hosts
1526	file is poorly maintained or when connections to new hosts are	1534	file is poorly maintained or when connections to new hosts are
@@ -1578,6 +1586,9 @@ This is important in scripts, and many users want it too.
1578	.Pp	1586	.Pp
1579	To disable TCP keepalive messages, the value should be set to	1587	To disable TCP keepalive messages, the value should be set to
1580	.Cm no .	1588	.Cm no .
		1589	See also
		1590	.Cm ServerAliveInterval
		1591	for protocol-level keepalives.
1581	.It Cm Tunnel	1592	.It Cm Tunnel
1582	Request	1593	Request
1583	.Xr tun 4	1594	.Xr tun 4
@@ -1743,6 +1754,18 @@ pool,
1743	the following entry (in authorized_keys) could be used:	1754	the following entry (in authorized_keys) could be used:
1744	.Pp	1755	.Pp
1745	.Dl from=\&"!.dialup.example.com,.example.com\&"	1756	.Dl from=\&"!.dialup.example.com,.example.com\&"
		1757	.Pp
		1758	Note that a negated match will never produce a positive result by itself.
		1759	For example, attempting to match
		1760	.Qq host3
		1761	against the following pattern-list will fail:
		1762	.Pp
		1763	.Dl from=\&"!host1,!host2\&"
		1764	.Pp
		1765	The solution here is to include a term that will yield a positive match,
		1766	such as a wildcard:
		1767	.Pp
		1768	.Dl from=\&"!host1,!host2,*\&"
1746	.Sh TOKENS	1769	.Sh TOKENS
1747	Arguments to some keywords can make use of tokens,	1770	Arguments to some keywords can make use of tokens,
1748	which are expanded at runtime:	1771	which are expanded at runtime:
@@ -1752,7 +1775,7 @@ which are expanded at runtime:
1752	A literal	1775	A literal
1753	.Sq % .	1776	.Sq % .
1754	.It \&%C	1777	.It \&%C
1755	Shorthand for %l%h%p%r.	1778	Hash of %l%h%p%r.
1756	.It %d	1779	.It %d
1757	Local user's home directory.	1780	Local user's home directory.
1758	.It %h	1781	.It %h
@@ -1769,6 +1792,15 @@ The original remote hostname, as given on the command line.
1769	The remote port.	1792	The remote port.
1770	.It %r	1793	.It %r
1771	The remote username.	1794	The remote username.
		1795	.It \&%T
		1796	The local
		1797	.Xr tun 4
		1798	or
		1799	.Xr tap 4
		1800	network interface assigned if
		1801	tunnel forwarding was requested, or
		1802	.Qq NONE
		1803	otherwise.
1772	.It %u	1804	.It %u
1773	The local username.	1805	The local username.
1774	.El	1806	.El
@@ -1791,7 +1823,7 @@ and
1791	accept the tokens %%, %d, %h, %l, %r, and %u.	1823	accept the tokens %%, %d, %h, %l, %r, and %u.
1792	.Pp	1824	.Pp
1793	.Cm LocalCommand	1825	.Cm LocalCommand
1794	accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.	1826	accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, %T, and %u.
1795	.Pp	1827	.Pp
1796	.Cm ProxyCommand	1828	.Cm ProxyCommand
1797	accepts the tokens %%, %h, %p, and %r.	1829	accepts the tokens %%, %h, %p, and %r.