1 files changed, 48 insertions, 21 deletions
diff --git a/ssh.1 b/ssh.1
index d84063487..48c11c733 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.283 2009/03/19 15:15:09 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
-.Dd $Mdocdate: March 19 2009 $
+.Dd $Mdocdate: March 5 2010 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -54,6 +54,7 @@
 .Oc
 .Op Fl e Ar escape_char
 .Op Fl F Ar configfile
+.Op Fl I Ar pkcs11
 .Bk -words
 .Op Fl i Ar identity_file
 .Ek
@@ -77,12 +78,11 @@
 .Sm on
 .Oc
 .Op Fl S Ar ctl_path
-.Bk -words
+.Op Fl W Ar host : Ns Ar port
 .Oo Fl w Ar local_tun Ns
 .Op : Ns Ar remote_tun Oc
 .Oo Ar user Ns @ Oc Ns Ar hostname
 .Op Ar command
-.Ek
 .Sh DESCRIPTION
 .Nm
 (SSH client) is a program for logging into a remote machine and for
@@ -132,8 +132,9 @@ This can also be specified on a per-host basis in a configuration file.
 .Pp
 Agent forwarding should be enabled with caution.
 Users with the ability to bypass file permissions on the remote host
-(for the agent's Unix-domain socket)
+(for the agent's
-can access the local agent through the forwarded connection.
+.Ux Ns -domain
+socket) can access the local agent through the forwarded connection.
 An attacker cannot obtain key material from the agent,
 however they can perform operations on the keys that enable them to
 authenticate using the identities loaded into the agent.
@@ -284,13 +285,11 @@ will wait for all remote port forwards to be successfully established
 before placing itself in the background.
 .It Fl g
 Allows remote hosts to connect to local forwarded ports.
-.It Fl I Ar smartcard_device
+.It Fl I Ar pkcs11
-Specify the device
+Specify the PKCS#11 shared library
 .Nm
-should use to communicate with a smartcard used for storing the user's
+should use to communicate with a PKCS#11 token providing the user's
 private RSA key.
-This option is only available if support for smartcard devices
-is compiled in (default is no support).
 .It Fl i Ar identity_file
 Selects a file from which the identity (private key) for
 RSA or DSA authentication is read.
@@ -307,6 +306,11 @@ It is possible to have multiple
 .Fl i
 options (and multiple identities specified in
 configuration files).
+.Nm
+will also try to load certificate information from the filename obtained
+by appending
+.Pa -cert.pub
+to identity filenames.
 .It Fl K
 Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
 credentials to the server.
@@ -469,6 +473,7 @@ For full details of the options listed below, and their possible values, see
 .It NumberOfPasswordPrompts
 .It PasswordAuthentication
 .It PermitLocalCommand
+.It PKCS11Provider
 .It Port
 .It PreferredAuthentications
 .It Protocol
@@ -481,7 +486,6 @@ For full details of the options listed below, and their possible values, see
 .It SendEnv
 .It ServerAliveInterval
 .It ServerAliveCountMax
-.It SmartcardDevice
 .It StrictHostKeyChecking
 .It TCPKeepAlive
 .It Tunnel
@@ -601,6 +605,19 @@ Multiple
 .Fl v
 options increase the verbosity.
 The maximum is 3.
+.It Fl W Ar host : Ns Ar port
+Requests that standard input and output on the client be forwarded to
+.Ar host
+on
+.Ar port
+over the secure channel.
+Implies
+.Fl N ,
+.Fl T ,
+.Cm ExitOnForwardFailure
+and
+.Cm ClearAllForwardings
+and works with Protocol version 2 only.
 .It Fl w Xo
 .Ar local_tun Ns Op : Ns Ar remote_tun
 .Xc
@@ -674,20 +691,18 @@ exits with the exit status of the remote command or with 255
 if an error occurred.
 .Sh AUTHENTICATION
 The OpenSSH SSH client supports SSH protocols 1 and 2.
-Protocol 2 is the default, with
+The default is to use protocol 2 only,
-.Nm
+though this can be changed via the
-falling back to protocol 1 if it detects protocol 2 is unsupported.
-These settings may be altered using the
 .Cm Protocol
 option in
-.Xr ssh_config 5 ,
+.Xr ssh_config 5
-or enforced using the
+or the
 .Fl 1
 and
 .Fl 2
 options (see above).
 Both protocols support similar authentication methods,
-but protocol 2 is preferred since
+but protocol 2 is the default since
 it provides additional mechanisms for confidentiality
 (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
 and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
@@ -800,8 +815,20 @@ file, and has one key
 per line, though the lines can be very long.
 After this, the user can log in without giving the password.
 .Pp
-The most convenient way to use public key authentication may be with an
+A variation on public key authentication
-authentication agent.
+is available in the form of certificate authentication:
+instead of a set of public/private keys,
+signed certificates are used.
+This has the advantage that a single trusted certification authority
+can be used in place of many public/private keys.
+See the
+.Sx CERTIFICATES
+section of
+.Xr ssh-keygen 1
+for more information.
+.Pp
+The most convenient way to use public key or certificate authentication
+may be with an authentication agent.
 See
 .Xr ssh-agent 1
 for more information.

diff --git a/ssh.1 b/ssh.1 index d84063487..48c11c733 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.283 2009/03/19 15:15:09 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
38	.Dd $Mdocdate: March 19 2009 $	38	.Dd $Mdocdate: March 5 2010 $
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -54,6 +54,7 @@
54	.Oc	54	.Oc
55	.Op Fl e Ar escape_char	55	.Op Fl e Ar escape_char
56	.Op Fl F Ar configfile	56	.Op Fl F Ar configfile
		57	.Op Fl I Ar pkcs11
57	.Bk -words	58	.Bk -words
58	.Op Fl i Ar identity_file	59	.Op Fl i Ar identity_file
59	.Ek	60	.Ek
@@ -77,12 +78,11 @@
77	.Sm on	78	.Sm on
78	.Oc	79	.Oc
79	.Op Fl S Ar ctl_path	80	.Op Fl S Ar ctl_path
80	.Bk -words	81	.Op Fl W Ar host : Ns Ar port
81	.Oo Fl w Ar local_tun Ns	82	.Oo Fl w Ar local_tun Ns
82	.Op : Ns Ar remote_tun Oc	83	.Op : Ns Ar remote_tun Oc
83	.Oo Ar user Ns @ Oc Ns Ar hostname	84	.Oo Ar user Ns @ Oc Ns Ar hostname
84	.Op Ar command	85	.Op Ar command
85	.Ek
86	.Sh DESCRIPTION	86	.Sh DESCRIPTION
87	.Nm	87	.Nm
88	(SSH client) is a program for logging into a remote machine and for	88	(SSH client) is a program for logging into a remote machine and for
@@ -132,8 +132,9 @@ This can also be specified on a per-host basis in a configuration file.
132	.Pp	132	.Pp
133	Agent forwarding should be enabled with caution.	133	Agent forwarding should be enabled with caution.
134	Users with the ability to bypass file permissions on the remote host	134	Users with the ability to bypass file permissions on the remote host
135	(for the agent's Unix-domain socket)	135	(for the agent's
136	can access the local agent through the forwarded connection.	136	.Ux Ns -domain
		137	socket) can access the local agent through the forwarded connection.
137	An attacker cannot obtain key material from the agent,	138	An attacker cannot obtain key material from the agent,
138	however they can perform operations on the keys that enable them to	139	however they can perform operations on the keys that enable them to
139	authenticate using the identities loaded into the agent.	140	authenticate using the identities loaded into the agent.
@@ -284,13 +285,11 @@ will wait for all remote port forwards to be successfully established
284	before placing itself in the background.	285	before placing itself in the background.
285	.It Fl g	286	.It Fl g
286	Allows remote hosts to connect to local forwarded ports.	287	Allows remote hosts to connect to local forwarded ports.
287	.It Fl I Ar smartcard_device	288	.It Fl I Ar pkcs11
288	Specify the device	289	Specify the PKCS#11 shared library
289	.Nm	290	.Nm
290	should use to communicate with a smartcard used for storing the user's	291	should use to communicate with a PKCS#11 token providing the user's
291	private RSA key.	292	private RSA key.
292	This option is only available if support for smartcard devices
293	is compiled in (default is no support).
294	.It Fl i Ar identity_file	293	.It Fl i Ar identity_file
295	Selects a file from which the identity (private key) for	294	Selects a file from which the identity (private key) for
296	RSA or DSA authentication is read.	295	RSA or DSA authentication is read.
@@ -307,6 +306,11 @@ It is possible to have multiple
307	.Fl i	306	.Fl i
308	options (and multiple identities specified in	307	options (and multiple identities specified in
309	configuration files).	308	configuration files).
		309	.Nm
		310	will also try to load certificate information from the filename obtained
		311	by appending
		312	.Pa -cert.pub
		313	to identity filenames.
310	.It Fl K	314	.It Fl K
311	Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI	315	Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
312	credentials to the server.	316	credentials to the server.
@@ -469,6 +473,7 @@ For full details of the options listed below, and their possible values, see
469	.It NumberOfPasswordPrompts	473	.It NumberOfPasswordPrompts
470	.It PasswordAuthentication	474	.It PasswordAuthentication
471	.It PermitLocalCommand	475	.It PermitLocalCommand
		476	.It PKCS11Provider
472	.It Port	477	.It Port
473	.It PreferredAuthentications	478	.It PreferredAuthentications
474	.It Protocol	479	.It Protocol
@@ -481,7 +486,6 @@ For full details of the options listed below, and their possible values, see
481	.It SendEnv	486	.It SendEnv
482	.It ServerAliveInterval	487	.It ServerAliveInterval
483	.It ServerAliveCountMax	488	.It ServerAliveCountMax
484	.It SmartcardDevice
485	.It StrictHostKeyChecking	489	.It StrictHostKeyChecking
486	.It TCPKeepAlive	490	.It TCPKeepAlive
487	.It Tunnel	491	.It Tunnel
@@ -601,6 +605,19 @@ Multiple
601	.Fl v	605	.Fl v
602	options increase the verbosity.	606	options increase the verbosity.
603	The maximum is 3.	607	The maximum is 3.
		608	.It Fl W Ar host : Ns Ar port
		609	Requests that standard input and output on the client be forwarded to
		610	.Ar host
		611	on
		612	.Ar port
		613	over the secure channel.
		614	Implies
		615	.Fl N ,
		616	.Fl T ,
		617	.Cm ExitOnForwardFailure
		618	and
		619	.Cm ClearAllForwardings
		620	and works with Protocol version 2 only.
604	.It Fl w Xo	621	.It Fl w Xo
605	.Ar local_tun Ns Op : Ns Ar remote_tun	622	.Ar local_tun Ns Op : Ns Ar remote_tun
606	.Xc	623	.Xc
@@ -674,20 +691,18 @@ exits with the exit status of the remote command or with 255
674	if an error occurred.	691	if an error occurred.
675	.Sh AUTHENTICATION	692	.Sh AUTHENTICATION
676	The OpenSSH SSH client supports SSH protocols 1 and 2.	693	The OpenSSH SSH client supports SSH protocols 1 and 2.
677	Protocol 2 is the default, with	694	The default is to use protocol 2 only,
678	.Nm	695	though this can be changed via the
679	falling back to protocol 1 if it detects protocol 2 is unsupported.
680	These settings may be altered using the
681	.Cm Protocol	696	.Cm Protocol
682	option in	697	option in
683	.Xr ssh_config 5 ,	698	.Xr ssh_config 5
684	or enforced using the	699	or the
685	.Fl 1	700	.Fl 1
686	and	701	and
687	.Fl 2	702	.Fl 2
688	options (see above).	703	options (see above).
689	Both protocols support similar authentication methods,	704	Both protocols support similar authentication methods,
690	but protocol 2 is preferred since	705	but protocol 2 is the default since
691	it provides additional mechanisms for confidentiality	706	it provides additional mechanisms for confidentiality
692	(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)	707	(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
693	and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).	708	and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
@@ -800,8 +815,20 @@ file, and has one key
800	per line, though the lines can be very long.	815	per line, though the lines can be very long.
801	After this, the user can log in without giving the password.	816	After this, the user can log in without giving the password.
802	.Pp	817	.Pp
803	The most convenient way to use public key authentication may be with an	818	A variation on public key authentication
804	authentication agent.	819	is available in the form of certificate authentication:
		820	instead of a set of public/private keys,
		821	signed certificates are used.
		822	This has the advantage that a single trusted certification authority
		823	can be used in place of many public/private keys.
		824	See the
		825	.Sx CERTIFICATES
		826	section of
		827	.Xr ssh-keygen 1
		828	for more information.
		829	.Pp
		830	The most convenient way to use public key or certificate authentication
		831	may be with an authentication agent.
805	See	832	See
806	.Xr ssh-agent 1	833	.Xr ssh-agent 1
807	for more information.	834	for more information.