path: root/ssh.0
Diffstat (limited to 'ssh.0')
-rw-r--r--ssh.0166
1 files changed, 84 insertions, 82 deletions
diff --git a/ssh.0 b/ssh.0
index 2397456b2..274fab8b5 100644
--- a/ssh.0
+++ b/ssh.0
@@ -30,16 +30,16 @@ DESCRIPTION
30 bined with RSA-based host authentication. If the machine the user logs 30 bined with RSA-based host authentication. If the machine the user logs
31 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote 31 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
32 machine, and the user names are the same on both sides, or if the files 32 machine, and the user names are the same on both sides, or if the files
33 $HOME/.rhosts or $HOME/.shosts exist in the user's home directory on the 33 ~/.rhosts or ~/.shosts exist in the user's home directory on the remote
34 remote machine and contain a line containing the name of the client ma- 34 machine and contain a line containing the name of the client machine and
35 chine and the name of the user on that machine, the user is considered 35 the name of the user on that machine, the user is considered for log in.
36 for log in. Additionally, if the server can verify the client's host key 36 Additionally, if the server can verify the client's host key (see
37 (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the FILES 37 /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts in the FILES section),
38 section), only then is login permitted. This authentication method clos- 38 only then is login permitted. This authentication method closes security
39 es security holes due to IP spoofing, DNS spoofing and routing spoofing. 39 holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to
40 [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and the 40 the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh proto-
41 rlogin/rsh protocol in general, are inherently insecure and should be 41 col in general, are inherently insecure and should be disabled if securi-
42 disabled if security is desired.] 42 ty is desired.]
43 43
44 As a second authentication method, ssh supports RSA based authentication. 44 As a second authentication method, ssh supports RSA based authentication.
45 The scheme is based on public-key cryptography: there are cryptosystems 45 The scheme is based on public-key cryptography: there are cryptosystems
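Review bot: ssh.0 is the preformatted rendering of the manual, so this hunk should be the output of regenerating it rather than a hand edit; the shifted hyphenation ("clos-es" becoming "securi-ty", "ma-chine" disappearing) is consistent with a regeneration, which is what we want here. Please make sure the matching change in the ssh.1 source is part of the same commit, otherwise the rendered page and the source drift apart the next time the page is regenerated. The $HOME to ~ substitution is applied to every path in the hunk, including the known_hosts references and the administrator note about /etc/hosts.equiv and ~/.rhosts, so the wording is consistent.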
@@ -49,25 +49,25 @@ DESCRIPTION
49 key pair for authentication purposes. The server knows the public key, 49 key pair for authentication purposes. The server knows the public key,
50 and only the user knows the private key. 50 and only the user knows the private key.
51 51
52 The file $HOME/.ssh/authorized_keys lists the public keys that are per- 52 The file ~/.ssh/authorized_keys lists the public keys that are permitted
53 mitted for logging in. When the user logs in, the ssh program tells the 53 for logging in. When the user logs in, the ssh program tells the server
54 server which key pair it would like to use for authentication. The serv- 54 which key pair it would like to use for authentication. The server
55 er checks if this key is permitted, and if so, sends the user (actually 55 checks if this key is permitted, and if so, sends the user (actually the
56 the ssh program running on behalf of the user) a challenge, a random num- 56 ssh program running on behalf of the user) a challenge, a random number,
57 ber, encrypted by the user's public key. The challenge can only be de- 57 encrypted by the user's public key. The challenge can only be decrypted
58 crypted using the proper private key. The user's client then decrypts 58 using the proper private key. The user's client then decrypts the chal-
59 the challenge using the private key, proving that he/she knows the pri- 59 lenge using the private key, proving that he/she knows the private key
60 vate key but without disclosing it to the server. 60 but without disclosing it to the server.
61 61
62 ssh implements the RSA authentication protocol automatically. The user 62 ssh implements the RSA authentication protocol automatically. The user
63 creates his/her RSA key pair by running ssh-keygen(1). This stores the 63 creates his/her RSA key pair by running ssh-keygen(1). This stores the
64 private key in $HOME/.ssh/identity and stores the public key in 64 private key in ~/.ssh/identity and stores the public key in
65 $HOME/.ssh/identity.pub in the user's home directory. The user should 65 ~/.ssh/identity.pub in the user's home directory. The user should then
66 then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home 66 copy the identity.pub to ~/.ssh/authorized_keys in his/her home directory
67 directory on the remote machine (the authorized_keys file corresponds to 67 on the remote machine (the authorized_keys file corresponds to the con-
68 the conventional $HOME/.rhosts file, and has one key per line, though the 68 ventional ~/.rhosts file, and has one key per line, though the lines can
69 lines can be very long). After this, the user can log in without giving 69 be very long). After this, the user can log in without giving the pass-
70 the password. 70 word.
71 71
72 The most convenient way to use RSA authentication may be with an authen- 72 The most convenient way to use RSA authentication may be with an authen-
73 tication agent. See ssh-agent(1) for more information. 73 tication agent. See ssh-agent(1) for more information.
@@ -87,13 +87,12 @@ DESCRIPTION
87 87
88 The public key method is similar to RSA authentication described in the 88 The public key method is similar to RSA authentication described in the
89 previous section and allows the RSA or DSA algorithm to be used: The 89 previous section and allows the RSA or DSA algorithm to be used: The
90 client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to 90 client uses his private key, ~/.ssh/id_dsa or ~/.ssh/id_rsa, to sign the
91 sign the session identifier and sends the result to the server. The 91 session identifier and sends the result to the server. The server checks
92 server checks whether the matching public key is listed in 92 whether the matching public key is listed in ~/.ssh/authorized_keys and
93 $HOME/.ssh/authorized_keys and grants access if both the key is found and 93 grants access if both the key is found and the signature is correct. The
94 the signature is correct. The session identifier is derived from a 94 session identifier is derived from a shared Diffie-Hellman value and is
95 shared Diffie-Hellman value and is only known to the client and the serv- 95 only known to the client and the server.
96 er.
97 96
98 If public key authentication fails or is not available, a password can be 97 If public key authentication fails or is not available, a password can be
99 sent encrypted to the remote host to prove the user's identity. 98 sent encrypted to the remote host to prove the user's identity.
@@ -194,13 +193,13 @@ DESCRIPTION
194 Server authentication 193 Server authentication
195 ssh automatically maintains and checks a database containing identifica- 194 ssh automatically maintains and checks a database containing identifica-
196 tions for all hosts it has ever been used with. Host keys are stored in 195 tions for all hosts it has ever been used with. Host keys are stored in
197 $HOME/.ssh/known_hosts in the user's home directory. Additionally, the 196 ~/.ssh/known_hosts in the user's home directory. Additionally, the file
198 file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. 197 /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
199 Any new hosts are automatically added to the user's file. If a host's 198 new hosts are automatically added to the user's file. If a host's iden-
200 identification ever changes, ssh warns about this and disables password 199 tification ever changes, ssh warns about this and disables password au-
201 authentication to prevent a trojan horse from getting the user's pass- 200 thentication to prevent a trojan horse from getting the user's password.
202 word. Another purpose of this mechanism is to prevent man-in-the-middle 201 Another purpose of this mechanism is to prevent man-in-the-middle attacks
203 attacks which could otherwise be used to circumvent the encryption. The 202 which could otherwise be used to circumvent the encryption. The
204 StrictHostKeyChecking option can be used to prevent logins to machines 203 StrictHostKeyChecking option can be used to prevent logins to machines
205 whose host key is not known or has changed. 204 whose host key is not known or has changed.
206 205
@@ -234,8 +233,9 @@ DESCRIPTION
234 -a Disables forwarding of the authentication agent connection. 233 -a Disables forwarding of the authentication agent connection.
235 234
236 -b bind_address 235 -b bind_address
237 Specify the interface to transmit from on machines with multiple 236 Use bind_address on the local machine as the source address of
238 interfaces or aliased addresses. 237 the connection. Only useful on systems with more than one ad-
238 dress.
239 239
240 -C Requests compression of all data (including stdin, stdout, 240 -C Requests compression of all data (including stdin, stdout,
241 stderr, and data for forwarded X11 and TCP/IP connections). The 241 stderr, and data for forwarded X11 and TCP/IP connections). The
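Review bot: the rewritten -b description is more accurate than the old one, since bind_address is a source address, not an interface name, and the old "interface to transmit from" invited users to pass an interface identifier. Consider also cross-referencing the corresponding keyword in ssh_config(5) so the option text and the configuration file documentation point at each other, as the -F and -i entries already do for their configuration-file counterparts.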
@@ -262,11 +262,13 @@ DESCRIPTION
262 For protocol version 2 cipher_spec is a comma-separated list of 262 For protocol version 2 cipher_spec is a comma-separated list of
263 ciphers listed in order of preference. The supported ciphers are 263 ciphers listed in order of preference. The supported ciphers are
264 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', 264 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
265 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour'', 265 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
266 ``blowfish-cbc'', and ``cast128-cbc''. The default is 266 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
267 ``cast128-cbc''. The default is
267 268
268 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 269 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
269 aes192-cbc,aes256-cbc'' 270 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
271 aes192-ctr,aes256-ctr''
270 272
271 -D port 273 -D port
272 Specifies a local ``dynamic'' application-level port forwarding. 274 Specifies a local ``dynamic'' application-level port forwarding.
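Review bot: the new default cipher string puts arcfour128, arcfour256 and arcfour ahead of aes192-cbc, aes256-cbc and all three aes-ctr modes, and keeps aes128-cbc, 3des-cbc and blowfish-cbc at the front; because the first mutually supported entry wins, this order decides what a peer that supports everything will actually negotiate, so please confirm it is the intended order and that it matches the default documented in ssh_config(5) rather than being a transcription of the supported-cipher list. Two smaller points: the supported-cipher sentence now names arcfour128 and arcfour256 without saying how they differ from arcfour (they are the RFC 4345 modes that discard the initial keystream before use), and a half sentence of explanation would help readers choose; and the twelve names in the supported list and the twelve in the default string do line up, so nothing is missing from either.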
@@ -292,7 +294,7 @@ DESCRIPTION
292 Specifies an alternative per-user configuration file. If a con- 294 Specifies an alternative per-user configuration file. If a con-
293 figuration file is given on the command line, the system-wide 295 figuration file is given on the command line, the system-wide
294 configuration file (/etc/ssh/ssh_config) will be ignored. The 296 configuration file (/etc/ssh/ssh_config) will be ignored. The
295 default for the per-user configuration file is $HOME/.ssh/config. 297 default for the per-user configuration file is ~/.ssh/config.
296 298
297 -f Requests ssh to go to background just before command execution. 299 -f Requests ssh to go to background just before command execution.
298 This is useful if ssh is going to ask for passwords or passphras- 300 This is useful if ssh is going to ask for passwords or passphras-
@@ -309,12 +311,12 @@ DESCRIPTION
309 311
310 -i identity_file 312 -i identity_file
311 Selects a file from which the identity (private key) for RSA or 313 Selects a file from which the identity (private key) for RSA or
312 DSA authentication is read. The default is $HOME/.ssh/identity 314 DSA authentication is read. The default is ~/.ssh/identity for
313 for protocol version 1, and $HOME/.ssh/id_rsa and 315 protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro-
314 $HOME/.ssh/id_dsa for protocol version 2. Identity files may al- 316 tocol version 2. Identity files may also be specified on a per-
315 so be specified on a per-host basis in the configuration file. 317 host basis in the configuration file. It is possible to have
316 It is possible to have multiple -i options (and multiple identi- 318 multiple -i options (and multiple identities specified in config-
317 ties specified in configuration files). 319 uration files).
318 320
319 -k Disables forwarding (delegation) of GSSAPI credentials to the 321 -k Disables forwarding (delegation) of GSSAPI credentials to the
320 server. 322 server.
@@ -567,17 +569,17 @@ ENVIRONMENT
567 569
568 USER Set to the name of the user logging in. 570 USER Set to the name of the user logging in.
569 571
570 Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the 572 Additionally, ssh reads ~/.ssh/environment, and adds lines of the format
571 format ``VARNAME=value'' to the environment if the file exists and if 573 ``VARNAME=value'' to the environment if the file exists and if users are
572 users are allowed to change their environment. For more information, see 574 allowed to change their environment. For more information, see the
573 the PermitUserEnvironment option in sshd_config(5). 575 PermitUserEnvironment option in sshd_config(5).
574 576
575FILES 577FILES
576 $HOME/.ssh/known_hosts 578 ~/.ssh/known_hosts
577 Records host keys for all hosts the user has logged into that are 579 Records host keys for all hosts the user has logged into that are
578 not in /etc/ssh/ssh_known_hosts. See sshd(8). 580 not in /etc/ssh/ssh_known_hosts. See sshd(8).
579 581
580 $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa 582 ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa
581 Contains the authentication identity of the user. They are for 583 Contains the authentication identity of the user. They are for
582 protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 584 protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
583 These files contain sensitive data and should be readable by the 585 These files contain sensitive data and should be readable by the
@@ -587,27 +589,27 @@ FILES
587 key; the passphrase will be used to encrypt the sensitive part of 589 key; the passphrase will be used to encrypt the sensitive part of
588 this file using 3DES. 590 this file using 3DES.
589 591
590 $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub 592 ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub
591 Contains the public key for authentication (public part of the 593 Contains the public key for authentication (public part of the
592 identity file in human-readable form). The contents of the 594 identity file in human-readable form). The contents of the
593 $HOME/.ssh/identity.pub file should be added to the file 595 ~/.ssh/identity.pub file should be added to the file
594 $HOME/.ssh/authorized_keys on all machines where the user wishes 596 ~/.ssh/authorized_keys on all machines where the user wishes to
595 to log in using protocol version 1 RSA authentication. The con- 597 log in using protocol version 1 RSA authentication. The contents
596 tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file 598 of the ~/.ssh/id_dsa.pub and ~/.ssh/id_rsa.pub file should be
597 should be added to $HOME/.ssh/authorized_keys on all machines 599 added to ~/.ssh/authorized_keys on all machines where the user
598 where the user wishes to log in using protocol version 2 DSA/RSA 600 wishes to log in using protocol version 2 DSA/RSA authentication.
599 authentication. These files are not sensitive and can (but need 601 These files are not sensitive and can (but need not) be readable
600 not) be readable by anyone. These files are never used automati- 602 by anyone. These files are never used automatically and are not
601 cally and are not necessary; they are only provided for the con- 603 necessary; they are only provided for the convenience of the us-
602 venience of the user. 604 er.
603 605
604 $HOME/.ssh/config 606 ~/.ssh/config
605 This is the per-user configuration file. The file format and 607 This is the per-user configuration file. The file format and
606 configuration options are described in ssh_config(5). Because of 608 configuration options are described in ssh_config(5). Because of
607 the potential for abuse, this file must have strict permissions: 609 the potential for abuse, this file must have strict permissions:
608 read/write for the user, and not accessible by others. 610 read/write for the user, and not accessible by others.
609 611
610 $HOME/.ssh/authorized_keys 612 ~/.ssh/authorized_keys
611 Lists the public keys (RSA/DSA) that can be used for logging in 613 Lists the public keys (RSA/DSA) that can be used for logging in
612 as this user. The format of this file is described in the 614 as this user. The format of this file is described in the
613 sshd(8) manual page. In the simplest form the format is the same 615 sshd(8) manual page. In the simplest form the format is the same
@@ -648,7 +650,7 @@ FILES
648 requirement that ssh be setuid root when that authentication 650 requirement that ssh be setuid root when that authentication
649 method is used. By default ssh is not setuid root. 651 method is used. By default ssh is not setuid root.
650 652
651 $HOME/.rhosts 653 ~/.rhosts
652 This file is used in RhostsRSAAuthentication and 654 This file is used in RhostsRSAAuthentication and
653 HostbasedAuthentication authentication to list the host/user 655 HostbasedAuthentication authentication to list the host/user
654 pairs that are permitted to log in. (Note that this file is also 656 pairs that are permitted to log in. (Note that this file is also
@@ -665,12 +667,12 @@ FILES
665 Note that sshd(8) allows authentication only in combination with 667 Note that sshd(8) allows authentication only in combination with
666 client host key authentication before permitting log in. If the 668 client host key authentication before permitting log in. If the
667 server machine does not have the client's host key in 669 server machine does not have the client's host key in
668 /etc/ssh/ssh_known_hosts, it can be stored in 670 /etc/ssh/ssh_known_hosts, it can be stored in ~/.ssh/known_hosts.
669 $HOME/.ssh/known_hosts. The easiest way to do this is to connect 671 The easiest way to do this is to connect back to the client from
670 back to the client from the server machine using ssh; this will 672 the server machine using ssh; this will automatically add the
671 automatically add the host key to $HOME/.ssh/known_hosts. 673 host key to ~/.ssh/known_hosts.
672 674
673 $HOME/.shosts 675 ~/.shosts
674 This file is used exactly the same way as .rhosts. The purpose 676 This file is used exactly the same way as .rhosts. The purpose
675 for having this file is to be able to use RhostsRSAAuthentication 677 for having this file is to be able to use RhostsRSAAuthentication
676 and HostbasedAuthentication authentication without permitting lo- 678 and HostbasedAuthentication authentication without permitting lo-
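Review bot: the advice to populate ~/.ssh/known_hosts by connecting back from the server to the client means the client's host key is accepted on first use, the same way any new host is "automatically added to the user's file" earlier in the page; since RhostsRSAAuthentication and HostbasedAuthentication then trust that key to admit users, it would be worth a sentence telling the administrator to verify the key (for example by connecting with StrictHostKeyChecking enabled, which the page already documents) rather than relying on the automatic add. Otherwise the hunk is a pure $HOME to ~ reflow and the substance is unchanged.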
@@ -696,12 +698,12 @@ FILES
696 just before the user's shell (or command) is started. See the 698 just before the user's shell (or command) is started. See the
697 sshd(8) manual page for more information. 699 sshd(8) manual page for more information.
698 700
699 $HOME/.ssh/rc 701 ~/.ssh/rc
700 Commands in this file are executed by ssh when the user logs in 702 Commands in this file are executed by ssh when the user logs in
701 just before the user's shell (or command) is started. See the 703 just before the user's shell (or command) is started. See the
702 sshd(8) manual page for more information. 704 sshd(8) manual page for more information.
703 705
704 $HOME/.ssh/environment 706 ~/.ssh/environment
705 Contains additional definitions for environment variables, see 707 Contains additional definitions for environment variables, see
706 section ENVIRONMENT above. 708 section ENVIRONMENT above.
707 709
@@ -725,4 +727,4 @@ AUTHORS
725 created OpenSSH. Markus Friedl contributed the support for SSH protocol 727 created OpenSSH. Markus Friedl contributed the support for SSH protocol
726 versions 1.5 and 2.0. 728 versions 1.5 and 2.0.
727 729
728OpenBSD 3.7 September 25, 1999 11 730OpenBSD 3.8 September 25, 1999 12
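Review bot: the footer moves from OpenBSD 3.7 to 3.8 and the page count from 11 to 12, which agrees with the diffstat (84 insertions, 82 deletions, net +2 lines), but the date remains "September 25, 1999" even though the option text for -b and -c has changed; if the ssh.1 source carries a document date it should be bumped in the same commit so the rendered page does not claim a 1999 revision for 2005-era content.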