1 files changed, 71 insertions, 32 deletions
diff --git a/ssh.0 b/ssh.0
index 83c4b94eb..c31e17eaf 100644
--- a/ssh.0
+++ b/ssh.0
@@ -9,7 +9,7 @@ SYNOPSIS
         [-i identity_file] [-L [bind_address:]port:host:hostport]
         [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
         [-R [bind_address:]port:host:hostport] [-S ctl_path]
-         [-w tunnel:tunnel] [user@]hostname [command]
+         [-w local_tun[:remote_tun]] [user@]hostname [command]
 DESCRIPTION
     ssh (SSH client) is a program for logging into a remote machine and for
@@ -225,6 +225,7 @@ DESCRIPTION
                   ControlPath
                   DynamicForward
                   EscapeChar
+                   ExitOnForwardFailure
                   ForwardAgent
                   ForwardX11
                   ForwardX11Trusted
@@ -315,7 +316,7 @@ DESCRIPTION
     -t      Force pseudo-tty allocation.  This can be used to execute arbi-
             trary screen-based programs on a remote machine, which can be
-             very useful, e.g., when implementing menu services.  Multiple -t
+             very useful, e.g. when implementing menu services.  Multiple -t
             options force tty allocation, even if ssh has no local tty.
     -V      Display the version number and exit.
@@ -325,11 +326,16 @@ DESCRIPTION
             tion, and configuration problems.  Multiple -v options increase
             the verbosity.  The maximum is 3.
-     -w tunnel:tunnel
+     -w local_tun[:remote_tun]
-             Requests a tun(4) device on the client (first tunnel arg) and
+             Requests tunnel device forwarding with the specified tun(4) de-
-             server (second tunnel arg).  The devices may be specified by nu-
+             vices between the client (local_tun) and the server (remote_tun).
-             merical ID or the keyword ``any'', which uses the next available
-             tunnel device.  See also the Tunnel directive in ssh_config(5).
+             The devices may be specified by numerical ID or the keyword
+             ``any'', which uses the next available tunnel device.  If
+             remote_tun is not specified, it defaults to ``any''.  See also
+             the Tunnel and TunnelDevice directives in ssh_config(5).  If the
+             Tunnel directive is unset, it is set to the default tunnel mode,
+             which is ``point-to-point''.
     -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.
@@ -368,11 +374,11 @@ AUTHENTICATION
     integrity (hmac-md5, hmac-sha1, hmac-ripemd160).  Protocol 1 lacks a
     strong mechanism for ensuring the integrity of the connection.
-     The methods available for authentication are: host-based authentication,
+     The methods available for authentication are: GSSAPI-based authentica-
-     public key authentication, challenge-response authentication, and pass-
+     tion, host-based authentication, public key authentication, challenge-re-
-     word authentication.  Authentication methods are tried in the order spec-
+     sponse authentication, and password authentication.  Authentication meth-
-     ified above, though protocol 2 has a configuration option to change the
+     ods are tried in the order specified above, though protocol 2 has a con-
-     default order: PreferredAuthentications.
+     figuration option to change the default order: PreferredAuthentications.
     Host-based authentication works as follows: If the machine the user logs
     in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
@@ -487,8 +493,8 @@ ESCAPE CHARACTERS
     ~C      Open command line.  Currently this allows the addition of port
             forwardings using the -L and -R options (see above).  It also al-
             lows the cancellation of existing remote port-forwardings using
-             -KR hostport.  !command allows the user to execute a local com-
+             -KR[bind_address:]port.  !command allows the user to execute a
-             mand if the PermitLocalCommand option is enabled in
+             local command if the PermitLocalCommand option is enabled in
             ssh_config(5).  Basic help is available, using the -h option.
     ~R      Request rekeying of the connection (only useful for SSH protocol
@@ -573,8 +579,7 @@ VERIFYING HOST KEYS
     ``host.example.com''.  The SSHFP resource records should first be added
     to the zonefile for host.example.com:
-           $ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
+           $ ssh-keygen -r host.example.com.
-           $ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
     The output lines will have to be added to the zonefile.  To check that
     the zone is answering fingerprint queries:
@@ -598,24 +603,34 @@ SSH-BASED VIRTUAL PRIVATE NETWORKS
     fic).
     The following example would connect client network 10.0.50.0/24 with re-
-     mote network 10.0.99.0/24, provided that the SSH server running on the
+     mote network 10.0.99.0/24 using a point-to-point connection from 10.1.1.1
-     gateway to the remote network, at 192.168.1.15, allows it:
+     to 10.1.1.2, provided that the SSH server running on the gateway to the
+     remote network, at 192.168.1.15, allows it.
+     On the client:
           # ssh -f -w 0:1 192.168.1.15 true
-           # ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
+           # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
+           # route add 10.0.99.0/24 10.1.1.2
+     On the server:
+           # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
+           # route add 10.0.50.0/24 10.1.1.1
     Client access may be more finely tuned via the /root/.ssh/authorized_keys
     file (see below) and the PermitRootLogin server option.  The following
-     entry would permit connections on the first tun(4) device from user
+     entry would permit connections on tun(4) device 1 from user ``jane'' and
-     ``jane'' and on the second device from user ``john'', if PermitRootLogin
+     on tun device 2 from user ``john'', if PermitRootLogin is set to
-     is set to ``forced-commands-only'':
+     ``forced-commands-only'':
       tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
-       tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
+       tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
-     Since a SSH-based setup entails a fair amount of overhead, it may be more
+     Since an SSH-based setup entails a fair amount of overhead, it may be
-     suited to temporary setups, such as for wireless VPNs.  More permanent
+     more suited to temporary setups, such as for wireless VPNs.  More perma-
-     VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).
+     nent VPNs are better provided by tools such as ipsecctl(8) and
+     isakmpd(8).
 ENVIRONMENT
     ssh will normally set the following environment variables:
@@ -671,8 +686,8 @@ ENVIRONMENT
     TZ                    This variable is set to indicate the present time
                           zone if it was set when the daemon was started
-                           (i.e., the daemon passes the value on to new con-
+                           (i.e. the daemon passes the value on to new connec-
-                           nections).
+                           tions).
     USER                  Set to the name of the user logging in.
@@ -779,9 +794,33 @@ SEE ALSO
     scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
     tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
-     T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
+     The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006.
-     Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January
-     2002, work in progress material.
+     The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006.
+     The Secure Shell (SSH) Authentication Protocol, RFC 4252, 2006.
+     The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, 2006.
+     The Secure Shell (SSH) Connection Protocol, RFC 4254, 2006.
+     Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC
+     4255, 2006.
+     Generic Message Exchange Authentication for the Secure Shell Protocol
+     (SSH), RFC 4256, 2006.
+     The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, 2006.
+     The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, 2006.
+     Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer
+     Protocol, RFC 4345, 2006.
+     Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
+     Protocol, RFC 4419, 2006.
+     The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
 AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
@@ -790,4 +829,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 3.9                   September 25, 1999                            12
+OpenBSD 4.1                   September 25, 1999                            13

diff --git a/ssh.0 b/ssh.0 index 83c4b94eb..c31e17eaf 100644 --- a/ssh.0 +++ b/ssh.0
@@ -9,7 +9,7 @@ SYNOPSIS
9	[-i identity_file] [-L [bind_address:]port:host:hostport]	9	[-i identity_file] [-L [bind_address:]port:host:hostport]
10	[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]	10	[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
11	[-R [bind_address:]port:host:hostport] [-S ctl_path]	11	[-R [bind_address:]port:host:hostport] [-S ctl_path]
12	[-w tunnel:tunnel] [user@]hostname [command]	12	[-w local_tun[:remote_tun]] [user@]hostname [command]
13		13
14	DESCRIPTION	14	DESCRIPTION
15	ssh (SSH client) is a program for logging into a remote machine and for	15	ssh (SSH client) is a program for logging into a remote machine and for
@@ -225,6 +225,7 @@ DESCRIPTION
225	ControlPath	225	ControlPath
226	DynamicForward	226	DynamicForward
227	EscapeChar	227	EscapeChar
		228	ExitOnForwardFailure
228	ForwardAgent	229	ForwardAgent
229	ForwardX11	230	ForwardX11
230	ForwardX11Trusted	231	ForwardX11Trusted
@@ -315,7 +316,7 @@ DESCRIPTION
315		316
316	-t Force pseudo-tty allocation. This can be used to execute arbi-	317	-t Force pseudo-tty allocation. This can be used to execute arbi-
317	trary screen-based programs on a remote machine, which can be	318	trary screen-based programs on a remote machine, which can be
318	very useful, e.g., when implementing menu services. Multiple -t	319	very useful, e.g. when implementing menu services. Multiple -t
319	options force tty allocation, even if ssh has no local tty.	320	options force tty allocation, even if ssh has no local tty.
320		321
321	-V Display the version number and exit.	322	-V Display the version number and exit.
@@ -325,11 +326,16 @@ DESCRIPTION
325	tion, and configuration problems. Multiple -v options increase	326	tion, and configuration problems. Multiple -v options increase
326	the verbosity. The maximum is 3.	327	the verbosity. The maximum is 3.
327		328
328	-w tunnel:tunnel	329	-w local_tun[:remote_tun]
329	Requests a tun(4) device on the client (first tunnel arg) and	330	Requests tunnel device forwarding with the specified tun(4) de-
330	server (second tunnel arg). The devices may be specified by nu-	331	vices between the client (local_tun) and the server (remote_tun).
331	merical ID or the keyword ``any'', which uses the next available	332
332	tunnel device. See also the Tunnel directive in ssh_config(5).	333	The devices may be specified by numerical ID or the keyword
		334	``any'', which uses the next available tunnel device. If
		335	remote_tun is not specified, it defaults to ``any''. See also
		336	the Tunnel and TunnelDevice directives in ssh_config(5). If the
		337	Tunnel directive is unset, it is set to the default tunnel mode,
		338	which is ``point-to-point''.
333		339
334	-X Enables X11 forwarding. This can also be specified on a per-host	340	-X Enables X11 forwarding. This can also be specified on a per-host
335	basis in a configuration file.	341	basis in a configuration file.
@@ -368,11 +374,11 @@ AUTHENTICATION
368	integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a	374	integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a
369	strong mechanism for ensuring the integrity of the connection.	375	strong mechanism for ensuring the integrity of the connection.
370		376
371	The methods available for authentication are: host-based authentication,	377	The methods available for authentication are: GSSAPI-based authentica-
372	public key authentication, challenge-response authentication, and pass-	378	tion, host-based authentication, public key authentication, challenge-re-
373	word authentication. Authentication methods are tried in the order spec-	379	sponse authentication, and password authentication. Authentication meth-
374	ified above, though protocol 2 has a configuration option to change the	380	ods are tried in the order specified above, though protocol 2 has a con-
375	default order: PreferredAuthentications.	381	figuration option to change the default order: PreferredAuthentications.
376		382
377	Host-based authentication works as follows: If the machine the user logs	383	Host-based authentication works as follows: If the machine the user logs
378	in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote	384	in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
@@ -487,8 +493,8 @@ ESCAPE CHARACTERS
487	~C Open command line. Currently this allows the addition of port	493	~C Open command line. Currently this allows the addition of port
488	forwardings using the -L and -R options (see above). It also al-	494	forwardings using the -L and -R options (see above). It also al-
489	lows the cancellation of existing remote port-forwardings using	495	lows the cancellation of existing remote port-forwardings using
490	-KR hostport. !command allows the user to execute a local com-	496	-KR[bind_address:]port. !command allows the user to execute a
491	mand if the PermitLocalCommand option is enabled in	497	local command if the PermitLocalCommand option is enabled in
492	ssh_config(5). Basic help is available, using the -h option.	498	ssh_config(5). Basic help is available, using the -h option.
493		499
494	~R Request rekeying of the connection (only useful for SSH protocol	500	~R Request rekeying of the connection (only useful for SSH protocol
@@ -573,8 +579,7 @@ VERIFYING HOST KEYS
573	``host.example.com''. The SSHFP resource records should first be added	579	``host.example.com''. The SSHFP resource records should first be added
574	to the zonefile for host.example.com:	580	to the zonefile for host.example.com:
575		581
576	$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.	582	$ ssh-keygen -r host.example.com.
577	$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
578		583
579	The output lines will have to be added to the zonefile. To check that	584	The output lines will have to be added to the zonefile. To check that
580	the zone is answering fingerprint queries:	585	the zone is answering fingerprint queries:
@@ -598,24 +603,34 @@ SSH-BASED VIRTUAL PRIVATE NETWORKS
598	fic).	603	fic).
599		604
600	The following example would connect client network 10.0.50.0/24 with re-	605	The following example would connect client network 10.0.50.0/24 with re-
601	mote network 10.0.99.0/24, provided that the SSH server running on the	606	mote network 10.0.99.0/24 using a point-to-point connection from 10.1.1.1
602	gateway to the remote network, at 192.168.1.15, allows it:	607	to 10.1.1.2, provided that the SSH server running on the gateway to the
		608	remote network, at 192.168.1.15, allows it.
		609
		610	On the client:
603		611
604	# ssh -f -w 0:1 192.168.1.15 true	612	# ssh -f -w 0:1 192.168.1.15 true
605	# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252	613	# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
		614	# route add 10.0.99.0/24 10.1.1.2
		615
		616	On the server:
		617
		618	# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
		619	# route add 10.0.50.0/24 10.1.1.1
606		620
607	Client access may be more finely tuned via the /root/.ssh/authorized_keys	621	Client access may be more finely tuned via the /root/.ssh/authorized_keys
608	file (see below) and the PermitRootLogin server option. The following	622	file (see below) and the PermitRootLogin server option. The following
609	entry would permit connections on the first tun(4) device from user	623	entry would permit connections on tun(4) device 1 from user ``jane'' and
610	``jane'' and on the second device from user ``john'', if PermitRootLogin	624	on tun device 2 from user ``john'', if PermitRootLogin is set to
611	is set to ``forced-commands-only'':	625	``forced-commands-only'':
612		626
613	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane	627	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
614	tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john	628	tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
615		629
616	Since a SSH-based setup entails a fair amount of overhead, it may be more	630	Since an SSH-based setup entails a fair amount of overhead, it may be
617	suited to temporary setups, such as for wireless VPNs. More permanent	631	more suited to temporary setups, such as for wireless VPNs. More perma-
618	VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).	632	nent VPNs are better provided by tools such as ipsecctl(8) and
		633	isakmpd(8).
619		634
620	ENVIRONMENT	635	ENVIRONMENT
621	ssh will normally set the following environment variables:	636	ssh will normally set the following environment variables:
@@ -671,8 +686,8 @@ ENVIRONMENT
671		686
672	TZ This variable is set to indicate the present time	687	TZ This variable is set to indicate the present time
673	zone if it was set when the daemon was started	688	zone if it was set when the daemon was started
674	(i.e., the daemon passes the value on to new con-	689	(i.e. the daemon passes the value on to new connec-
675	nections).	690	tions).
676		691
677	USER Set to the name of the user logging in.	692	USER Set to the name of the user logging in.
678		693
@@ -779,9 +794,33 @@ SEE ALSO
779	scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),	794	scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
780	tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)	795	tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
781		796
782	T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH	797	The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006.
783	Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January	798
784	2002, work in progress material.	799	The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006.
		800
		801	The Secure Shell (SSH) Authentication Protocol, RFC 4252, 2006.
		802
		803	The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, 2006.
		804
		805	The Secure Shell (SSH) Connection Protocol, RFC 4254, 2006.
		806
		807	Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC
		808	4255, 2006.
		809
		810	Generic Message Exchange Authentication for the Secure Shell Protocol
		811	(SSH), RFC 4256, 2006.
		812
		813	The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, 2006.
		814
		815	The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, 2006.
		816
		817	Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer
		818	Protocol, RFC 4345, 2006.
		819
		820	Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
		821	Protocol, RFC 4419, 2006.
		822
		823	The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
785		824
786	AUTHORS	825	AUTHORS
787	OpenSSH is a derivative of the original and free ssh 1.2.12 release by	826	OpenSSH is a derivative of the original and free ssh 1.2.12 release by
@@ -790,4 +829,4 @@ AUTHORS
790	created OpenSSH. Markus Friedl contributed the support for SSH protocol	829	created OpenSSH. Markus Friedl contributed the support for SSH protocol
791	versions 1.5 and 2.0.	830	versions 1.5 and 2.0.
792		831
793	OpenBSD 3.9 September 25, 1999 12	832	OpenBSD 4.1 September 25, 1999 13