2 files changed, 56 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index d550404a7..ea78b6504 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@
   - jmc@cvs.openbsd.org 2006/01/15 17:37:05
     [ssh.1]
     correction from deraadt
+   - jmc@cvs.openbsd.org 2006/01/18 10:53:29
+     [ssh.1]
+     add a section on ssh-based vpn, based on reyk's README.tun;
 20060114
 - (djm) OpenBSD CVS Sync
@@ -3711,4 +3714,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4091 2006/01/20 00:30:14 dtucker Exp $
+$Id: ChangeLog,v 1.4092 2006/01/20 00:30:58 dtucker Exp $
diff --git a/ssh.1 b/ssh.1
index 59ec74b3f..661e8f962 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.249 2006/01/15 17:37:05 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.250 2006/01/18 10:53:29 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -1005,6 +1005,56 @@ and
 options above) and
 the user is using an authentication agent, the connection to the agent
 is automatically forwarded to the remote side.
+.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
+.Nm
+contains support for Virtual Private Network (VPN) tunnelling
+using the
+.Xr tun 4
+network pseudo-device,
+allowing two networks to be joined securely.
+The
+.Xr sshd_config 5
+configuration option
+.Cm PermitTunnel
+controls whether the server supports this,
+and at what level (layer 2 or 3 traffic).
+.Pp
+The following example would connect client network 10.0.50.0/24
+with remote network 10.0.99.0/24, provided that the SSH server
+running on the gateway to the remote network,
+at 192.168.1.15, allows it:
+.Bd -literal -offset indent
+# ssh -f -w 0:1 192.168.1.15 true
+# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
+.Ed
+.Pp
+Client access may be more finely tuned via the
+.Pa /root/.ssh/authorized_keys
+file (see below) and the
+.Cm PermitRootLogin
+server option.
+The following entry would permit connections on the first
+.Xr tun 4
+device from user
+.Dq jane
+and on the second device from user
+.Dq john ,
+if
+.Cm PermitRootLogin
+is set to
+.Dq forced-commands-only :
+.Bd -literal -offset 2n
+tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
+tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
+.Ed
+.Pp
+Since a SSH-based setup entails a fair amount of overhead,
+it may be more suited to temporary setups,
+such as for wireless VPNs.
+More permanent VPNs are better provided by tools such as
+.Xr ipsecctl 8
+and
+.Xr isakmpd 8 .
 .Sh ENVIRONMENT
 .Nm
 will normally set the following environment variables:
@@ -1244,6 +1294,7 @@ manual page for more information.
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
+.Xr tun 4 ,
 .Xr hosts.equiv 5 ,
 .Xr ssh_config 5 ,
 .Xr ssh-keysign 8 ,

diff --git a/ChangeLog b/ChangeLog index d550404a7..ea78b6504 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -3,6 +3,9 @@
3	- jmc@cvs.openbsd.org 2006/01/15 17:37:05	3	- jmc@cvs.openbsd.org 2006/01/15 17:37:05
4	[ssh.1]	4	[ssh.1]
5	correction from deraadt	5	correction from deraadt
		6	- jmc@cvs.openbsd.org 2006/01/18 10:53:29
		7	[ssh.1]
		8	add a section on ssh-based vpn, based on reyk's README.tun;
6		9
7	20060114	10	20060114
8	- (djm) OpenBSD CVS Sync	11	- (djm) OpenBSD CVS Sync
@@ -3711,4 +3714,4 @@
3711	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	3714	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
3712	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	3715	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
3713		3716
3714	$Id: ChangeLog,v 1.4091 2006/01/20 00:30:14 dtucker Exp $	3717	$Id: ChangeLog,v 1.4092 2006/01/20 00:30:58 dtucker Exp $


diff --git a/ssh.1 b/ssh.1 index 59ec74b3f..661e8f962 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.249 2006/01/15 17:37:05 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.250 2006/01/18 10:53:29 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -1005,6 +1005,56 @@ and
1005	options above) and	1005	options above) and
1006	the user is using an authentication agent, the connection to the agent	1006	the user is using an authentication agent, the connection to the agent
1007	is automatically forwarded to the remote side.	1007	is automatically forwarded to the remote side.
		1008	.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
		1009	.Nm
		1010	contains support for Virtual Private Network (VPN) tunnelling
		1011	using the
		1012	.Xr tun 4
		1013	network pseudo-device,
		1014	allowing two networks to be joined securely.
		1015	The
		1016	.Xr sshd_config 5
		1017	configuration option
		1018	.Cm PermitTunnel
		1019	controls whether the server supports this,
		1020	and at what level (layer 2 or 3 traffic).
		1021	.Pp
		1022	The following example would connect client network 10.0.50.0/24
		1023	with remote network 10.0.99.0/24, provided that the SSH server
		1024	running on the gateway to the remote network,
		1025	at 192.168.1.15, allows it:
		1026	.Bd -literal -offset indent
		1027	# ssh -f -w 0:1 192.168.1.15 true
		1028	# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
		1029	.Ed
		1030	.Pp
		1031	Client access may be more finely tuned via the
		1032	.Pa /root/.ssh/authorized_keys
		1033	file (see below) and the
		1034	.Cm PermitRootLogin
		1035	server option.
		1036	The following entry would permit connections on the first
		1037	.Xr tun 4
		1038	device from user
		1039	.Dq jane
		1040	and on the second device from user
		1041	.Dq john ,
		1042	if
		1043	.Cm PermitRootLogin
		1044	is set to
		1045	.Dq forced-commands-only :
		1046	.Bd -literal -offset 2n
		1047	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
		1048	tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
		1049	.Ed
		1050	.Pp
		1051	Since a SSH-based setup entails a fair amount of overhead,
		1052	it may be more suited to temporary setups,
		1053	such as for wireless VPNs.
		1054	More permanent VPNs are better provided by tools such as
		1055	.Xr ipsecctl 8
		1056	and
		1057	.Xr isakmpd 8 .
1008	.Sh ENVIRONMENT	1058	.Sh ENVIRONMENT
1009	.Nm	1059	.Nm
1010	will normally set the following environment variables:	1060	will normally set the following environment variables:
@@ -1244,6 +1294,7 @@ manual page for more information.
1244	.Xr ssh-agent 1 ,	1294	.Xr ssh-agent 1 ,
1245	.Xr ssh-keygen 1 ,	1295	.Xr ssh-keygen 1 ,
1246	.Xr ssh-keyscan 1 ,	1296	.Xr ssh-keyscan 1 ,
		1297	.Xr tun 4 ,
1247	.Xr hosts.equiv 5 ,	1298	.Xr hosts.equiv 5 ,
1248	.Xr ssh_config 5 ,	1299	.Xr ssh_config 5 ,
1249	.Xr ssh-keysign 8 ,	1300	.Xr ssh-keysign 8 ,