1 files changed, 33 insertions, 34 deletions
diff --git a/ssh.1 b/ssh.1
index 1bcc8edab..4e298cb56 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.399 2018/09/20 06:58:48 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.402 2019/03/16 19:14:21 jmc Exp $
-.Dd $Mdocdate: September 20 2018 $
+.Dd $Mdocdate: March 16 2019 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -270,8 +270,8 @@ on the master process.
 .It Fl I Ar pkcs11
 Specify the PKCS#11 shared library
 .Nm
-should use to communicate with a PKCS#11 token providing the user's
+should use to communicate with a PKCS#11 token providing keys for user
-private RSA key.
+authentication.
 .Pp
 .It Fl i Ar identity_file
 Selects a file from which the identity (private key) for
@@ -308,6 +308,11 @@ Multiple jump hops may be specified separated by comma characters.
 This is a shortcut to specify a
 .Cm ProxyJump
 configuration directive.
+Note that configuration directives supplied on the command-line generally
+apply to the destination host and not any specified jump hosts.
+Use
+.Pa ~/.ssh/config
+to specify configuration for jump hosts.
 .Pp
 .It Fl K
 Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
@@ -492,7 +497,13 @@ For full details of the options listed below, and their possible values, see
 .It GatewayPorts
 .It GlobalKnownHostsFile
 .It GSSAPIAuthentication
+.It GSSAPIKeyExchange
+.It GSSAPIClientIdentity
 .It GSSAPIDelegateCredentials
+.It GSSAPIKexAlgorithms
+.It GSSAPIRenewalForcesRekey
+.It GSSAPIServerIdentity
+.It GSSAPITrustDns
 .It HashKnownHosts
 .It Host
 .It HostbasedAuthentication
@@ -568,6 +579,8 @@ flag),
 (supported message integrity codes),
 .Ar kex
 (key exchange algorithms),
+.Ar kex-gss
+(GSSAPI key exchange algorithms),
 .Ar key
 (key types),
 .Ar key-cert
@@ -1110,49 +1123,35 @@ Increase the verbosity
 when errors are being written to stderr.
 .El
 .Sh TCP FORWARDING
-Forwarding of arbitrary TCP connections over the secure channel can
+Forwarding of arbitrary TCP connections over a secure channel
-be specified either on the command line or in a configuration file.
+can be specified either on the command line or in a configuration file.
 One possible application of TCP forwarding is a secure connection to a
 mail server; another is going through firewalls.
 .Pp
-In the example below, we look at encrypting communication between
+In the example below, we look at encrypting communication for an IRC client,
-an IRC client and server, even though the IRC server does not directly
+even though the IRC server it connects to does not directly
-support encrypted communications.
+support encrypted communication.
 This works as follows:
 the user connects to the remote host using
 .Nm ,
-specifying a port to be used to forward connections
+specifying the ports to be used to forward the connection.
-to the remote server.
+After that it is possible to start the program locally,
-After that it is possible to start the service which is to be encrypted
-on the client machine,
-connecting to the same local port,
 and
 .Nm
-will encrypt and forward the connection.
+will encrypt and forward the connection to the remote server.
 .Pp
-The following example tunnels an IRC session from client machine
+The following example tunnels an IRC session from the client
-.Dq 127.0.0.1
+to an IRC server at
-(localhost)
-to remote server
-.Dq server.example.com :
-.Bd -literal -offset 4n
-$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
-$ irc -c '#users' -p 1234 pinky 127.0.0.1
-.Ed
-.Pp
-This tunnels a connection to IRC server
 .Dq server.example.com ,
 joining channel
 .Dq #users ,
 nickname
 .Dq pinky ,
-using port 1234.
+using the standard IRC port, 6667:
-It doesn't matter which port is used,
+.Bd -literal -offset 4n
-as long as it's greater than 1023
+$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
-(remember, only root can open sockets on privileged ports)
+$ irc -c '#users' pinky IRC/127.0.0.1
-and doesn't conflict with any ports already in use.
+.Ed
-The connection is forwarded to port 6667 on the remote server,
-since that's the standard port for IRC services.
 .Pp
 The
 .Fl f
@@ -1162,7 +1161,7 @@ and the remote command
 .Dq sleep 10
 is specified to allow an amount of time
 (10 seconds, in the example)
-to start the service which is to be tunnelled.
+to start the program which is going to use the tunnel.
 If no connections are made within the time specified,
 .Nm
 will exit.

diff --git a/ssh.1 b/ssh.1 index 1bcc8edab..4e298cb56 100644 --- a/ssh.1 +++ b/ssh.1
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh.1,v 1.399 2018/09/20 06:58:48 jmc Exp $	36	.\" $OpenBSD: ssh.1,v 1.402 2019/03/16 19:14:21 jmc Exp $
37	.Dd $Mdocdate: September 20 2018 $	37	.Dd $Mdocdate: March 16 2019 $
38	.Dt SSH 1	38	.Dt SSH 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -270,8 +270,8 @@ on the master process.
270	.It Fl I Ar pkcs11	270	.It Fl I Ar pkcs11
271	Specify the PKCS#11 shared library	271	Specify the PKCS#11 shared library
272	.Nm	272	.Nm
273	should use to communicate with a PKCS#11 token providing the user's	273	should use to communicate with a PKCS#11 token providing keys for user
274	private RSA key.	274	authentication.
275	.Pp	275	.Pp
276	.It Fl i Ar identity_file	276	.It Fl i Ar identity_file
277	Selects a file from which the identity (private key) for	277	Selects a file from which the identity (private key) for
@@ -308,6 +308,11 @@ Multiple jump hops may be specified separated by comma characters.
308	This is a shortcut to specify a	308	This is a shortcut to specify a
309	.Cm ProxyJump	309	.Cm ProxyJump
310	configuration directive.	310	configuration directive.
		311	Note that configuration directives supplied on the command-line generally
		312	apply to the destination host and not any specified jump hosts.
		313	Use
		314	.Pa ~/.ssh/config
		315	to specify configuration for jump hosts.
311	.Pp	316	.Pp
312	.It Fl K	317	.It Fl K
313	Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI	318	Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
@@ -492,7 +497,13 @@ For full details of the options listed below, and their possible values, see
492	.It GatewayPorts	497	.It GatewayPorts
493	.It GlobalKnownHostsFile	498	.It GlobalKnownHostsFile
494	.It GSSAPIAuthentication	499	.It GSSAPIAuthentication
		500	.It GSSAPIKeyExchange
		501	.It GSSAPIClientIdentity
495	.It GSSAPIDelegateCredentials	502	.It GSSAPIDelegateCredentials
		503	.It GSSAPIKexAlgorithms
		504	.It GSSAPIRenewalForcesRekey
		505	.It GSSAPIServerIdentity
		506	.It GSSAPITrustDns
496	.It HashKnownHosts	507	.It HashKnownHosts
497	.It Host	508	.It Host
498	.It HostbasedAuthentication	509	.It HostbasedAuthentication
@@ -568,6 +579,8 @@ flag),
568	(supported message integrity codes),	579	(supported message integrity codes),
569	.Ar kex	580	.Ar kex
570	(key exchange algorithms),	581	(key exchange algorithms),
		582	.Ar kex-gss
		583	(GSSAPI key exchange algorithms),
571	.Ar key	584	.Ar key
572	(key types),	585	(key types),
573	.Ar key-cert	586	.Ar key-cert
@@ -1110,49 +1123,35 @@ Increase the verbosity
1110	when errors are being written to stderr.	1123	when errors are being written to stderr.
1111	.El	1124	.El
1112	.Sh TCP FORWARDING	1125	.Sh TCP FORWARDING
1113	Forwarding of arbitrary TCP connections over the secure channel can	1126	Forwarding of arbitrary TCP connections over a secure channel
1114	be specified either on the command line or in a configuration file.	1127	can be specified either on the command line or in a configuration file.
1115	One possible application of TCP forwarding is a secure connection to a	1128	One possible application of TCP forwarding is a secure connection to a
1116	mail server; another is going through firewalls.	1129	mail server; another is going through firewalls.
1117	.Pp	1130	.Pp
1118	In the example below, we look at encrypting communication between	1131	In the example below, we look at encrypting communication for an IRC client,
1119	an IRC client and server, even though the IRC server does not directly	1132	even though the IRC server it connects to does not directly
1120	support encrypted communications.	1133	support encrypted communication.
1121	This works as follows:	1134	This works as follows:
1122	the user connects to the remote host using	1135	the user connects to the remote host using
1123	.Nm ,	1136	.Nm ,
1124	specifying a port to be used to forward connections	1137	specifying the ports to be used to forward the connection.
1125	to the remote server.	1138	After that it is possible to start the program locally,
1126	After that it is possible to start the service which is to be encrypted
1127	on the client machine,
1128	connecting to the same local port,
1129	and	1139	and
1130	.Nm	1140	.Nm
1131	will encrypt and forward the connection.	1141	will encrypt and forward the connection to the remote server.
1132	.Pp	1142	.Pp
1133	The following example tunnels an IRC session from client machine	1143	The following example tunnels an IRC session from the client
1134	.Dq 127.0.0.1	1144	to an IRC server at
1135	(localhost)
1136	to remote server
1137	.Dq server.example.com :
1138	.Bd -literal -offset 4n
1139	$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
1140	$ irc -c '#users' -p 1234 pinky 127.0.0.1
1141	.Ed
1142	.Pp
1143	This tunnels a connection to IRC server
1144	.Dq server.example.com ,	1145	.Dq server.example.com ,
1145	joining channel	1146	joining channel
1146	.Dq #users ,	1147	.Dq #users ,
1147	nickname	1148	nickname
1148	.Dq pinky ,	1149	.Dq pinky ,
1149	using port 1234.	1150	using the standard IRC port, 6667:
1150	It doesn't matter which port is used,	1151	.Bd -literal -offset 4n
1151	as long as it's greater than 1023	1152	$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
1152	(remember, only root can open sockets on privileged ports)	1153	$ irc -c '#users' pinky IRC/127.0.0.1
1153	and doesn't conflict with any ports already in use.	1154	.Ed
1154	The connection is forwarded to port 6667 on the remote server,
1155	since that's the standard port for IRC services.
1156	.Pp	1155	.Pp
1157	The	1156	The
1158	.Fl f	1157	.Fl f
@@ -1162,7 +1161,7 @@ and the remote command
1162	.Dq sleep 10	1161	.Dq sleep 10
1163	is specified to allow an amount of time	1162	is specified to allow an amount of time
1164	(10 seconds, in the example)	1163	(10 seconds, in the example)
1165	to start the service which is to be tunnelled.	1164	to start the program which is going to use the tunnel.
1166	If no connections are made within the time specified,	1165	If no connections are made within the time specified,
1167	.Nm	1166	.Nm
1168	will exit.	1167	will exit.