1 files changed, 84 insertions, 19 deletions
diff --git a/ssh.1 b/ssh.1
index d90951352..d08fb0e01 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.182 2004/03/05 10:53:58 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -43,14 +43,14 @@
 .Nd OpenSSH SSH client (remote login program)
 .Sh SYNOPSIS
 .Nm ssh
-.Op Fl 1246AaCfgkNnqsTtVvXxY
+.Op Fl 1246AaCfgkMNnqsTtVvXxY
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
+.Bk -words
 .Op Fl D Ar port
 .Op Fl e Ar escape_char
 .Op Fl F Ar configfile
 .Op Fl i Ar identity_file
-.Bk -words
 .Oo Fl L Xo
 .Sm off
 .Ar port :
@@ -74,6 +74,7 @@
 .Sm on
 .Xc
 .Oc
+.Op Fl S Ar ctl
 .Oo Ar user Ns @ Oc Ns Ar hostname
 .Op Ar command
 .Sh DESCRIPTION
@@ -241,8 +242,8 @@ Additionally,
 supports hostbased or challenge response authentication.
 .Pp
 Protocol 2 provides additional mechanisms for confidentiality
-(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
+(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
-and integrity (hmac-md5, hmac-sha1).
+and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
 Note that protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Ss Login session and remote execution
@@ -302,11 +303,18 @@ Display a list of escape characters.
 Send a BREAK to the remote system
 (only useful for SSH protocol version 2 and if the peer supports it).
 .It Cm ~C
-Open command line (only useful for adding port forwardings using the
+Open command line.
+Currently this allows the addition of port forwardings using the
 .Fl L
 and
 .Fl R
-options).
+options (see below).
+It also allows the cancellation of existing remote port-forwardings
+using
+.Fl KR Ar hostport .
+Basic help is available, using the
+.Fl h
+option.
 .It Cm ~R
 Request rekeying of the connection
 (only useful for SSH protocol version 2 and if the peer supports it).
@@ -392,6 +400,15 @@ The
 option can be used to prevent logins to machines whose
 host key is not known or has changed.
 .Pp
+.Nm
+can be configured to verify host identification using fingerprint resource
+records (SSHFP) published in DNS.
+The
+.Cm VerifyHostKeyDNS
+option can be used to control how DNS lookups are performed.
+SSHFP resource records can be generated using
+.Xr ssh-keygen 1 .
+.Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl 1
@@ -442,13 +459,18 @@ The default value can be set on a host-by-host basis in the
 configuration files; see the
 .Cm Compression
 option.
-.It Fl c Ar blowfish | 3des | des
+.It Fl c Ar cipher_spec
-Selects the cipher to use for encrypting the session.
+Selects the cipher specification for encrypting the session.
-.Ar 3des
+.Pp
-is used by default.
+Protocol version 1 allows specification of a single cipher.
-It is believed to be secure.
+The suported values are
+.Dq 3des ,
+.Dq blowfish
+and
+.Dq des .
 .Ar 3des
 (triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
+It is believed to be secure.
 .Ar blowfish
 is a fast block cipher; it appears very secure and is much faster than
 .Ar 3des .
@@ -460,12 +482,30 @@ that do not support the
 .Ar 3des
 cipher.
 Its use is strongly discouraged due to cryptographic weaknesses.
-.It Fl c Ar cipher_spec
+The default is
-Additionally, for protocol version 2 a comma-separated list of ciphers can
+.Dq 3des .
-be specified in order of preference.
+.Pp
-See
+For protocol version 2
-.Cm Ciphers
+.Ar cipher_spec
-for more information.
+is a comma-separated list of ciphers
+listed in order of preference.
+The supported ciphers are
+.Dq 3des-cbc ,
+.Dq aes128-cbc ,
+.Dq aes192-cbc ,
+.Dq aes256-cbc ,
+.Dq aes128-ctr ,
+.Dq aes192-ctr ,
+.Dq aes256-ctr ,
+.Dq arcfour ,
+.Dq blowfish-cbc ,
+and
+.Dq cast128-cbc .
+The default is
+.Bd -literal
+  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+    aes192-cbc,aes256-cbc''
+.Ed
 .It Fl D Ar port
 Specifies a local
 .Dq dynamic
@@ -568,6 +608,17 @@ IPv6 addresses can be specified with an alternative syntax:
 .It Fl l Ar login_name
 Specifies the user to log in as on the remote machine.
 This also may be specified on a per-host basis in the configuration file.
+.It Fl M
+Places the
+.Nm
+client into
+.Dq master
+mode for connection sharing.
+Refer to the description of
+.Cm ControlMaster
+in
+.Xr ssh_config 5
+for details.
 .It Fl m Ar mac_spec
 Additionally, for protocol version 2 a comma-separated list of MAC
 (message authentication code) algorithms can
@@ -618,7 +669,9 @@ For full details of the options listed below, and their possible values, see
 .It Compression
 .It CompressionLevel
 .It ConnectionAttempts
-.It ConnectionTimeout
+.It ConnectTimeout
+.It ControlMaster
+.It ControlPath
 .It DynamicForward
 .It EscapeChar
 .It ForwardAgent
@@ -649,6 +702,7 @@ For full details of the options listed below, and their possible values, see
 .It RemoteForward
 .It RhostsRSAAuthentication
 .It RSAAuthentication
+.It SendEnv
 .It ServerAliveInterval
 .It ServerAliveCountMax
 .It SmartcardDevice
@@ -697,6 +751,15 @@ IPv6 addresses can be specified with an alternative syntax:
 .Ar hostport .
 .Xc
 .Sm on
+.It Fl S Ar ctl
+Specifies the location of a control socket for connection sharing.
+Refer to the description of
+.Cm ControlPath
+and
+.Cm ControlMaster
+in
+.Xr ssh_config 5
+for details.
 .It Fl s
 May be used to request invocation of a subsystem on the remote system.
 Subsystems are a feature of the SSH2 protocol which facilitate the use
@@ -889,6 +952,8 @@ the convenience of the user.
 This is the per-user configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
+Because of the potential for abuse, this file must have strict permissions:
+read/write for the user, and not accessible by others.
 .It Pa $HOME/.ssh/authorized_keys
 Lists the public keys (RSA/DSA) that can be used for logging in as this user.
 The format of this file is described in the

diff --git a/ssh.1 b/ssh.1 index d90951352..d08fb0e01 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.182 2004/03/05 10:53:58 markus Exp $	37	.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -43,14 +43,14 @@
43	.Nd OpenSSH SSH client (remote login program)	43	.Nd OpenSSH SSH client (remote login program)
44	.Sh SYNOPSIS	44	.Sh SYNOPSIS
45	.Nm ssh	45	.Nm ssh
46	.Op Fl 1246AaCfgkNnqsTtVvXxY	46	.Op Fl 1246AaCfgkMNnqsTtVvXxY
47	.Op Fl b Ar bind_address	47	.Op Fl b Ar bind_address
48	.Op Fl c Ar cipher_spec	48	.Op Fl c Ar cipher_spec
		49	.Bk -words
49	.Op Fl D Ar port	50	.Op Fl D Ar port
50	.Op Fl e Ar escape_char	51	.Op Fl e Ar escape_char
51	.Op Fl F Ar configfile	52	.Op Fl F Ar configfile
52	.Op Fl i Ar identity_file	53	.Op Fl i Ar identity_file
53	.Bk -words
54	.Oo Fl L Xo	54	.Oo Fl L Xo
55	.Sm off	55	.Sm off
56	.Ar port :	56	.Ar port :
@@ -74,6 +74,7 @@
74	.Sm on	74	.Sm on
75	.Xc	75	.Xc
76	.Oc	76	.Oc
		77	.Op Fl S Ar ctl
77	.Oo Ar user Ns @ Oc Ns Ar hostname	78	.Oo Ar user Ns @ Oc Ns Ar hostname
78	.Op Ar command	79	.Op Ar command
79	.Sh DESCRIPTION	80	.Sh DESCRIPTION
@@ -241,8 +242,8 @@ Additionally,
241	supports hostbased or challenge response authentication.	242	supports hostbased or challenge response authentication.
242	.Pp	243	.Pp
243	Protocol 2 provides additional mechanisms for confidentiality	244	Protocol 2 provides additional mechanisms for confidentiality
244	(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)	245	(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
245	and integrity (hmac-md5, hmac-sha1).	246	and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
246	Note that protocol 1 lacks a strong mechanism for ensuring the	247	Note that protocol 1 lacks a strong mechanism for ensuring the
247	integrity of the connection.	248	integrity of the connection.
248	.Ss Login session and remote execution	249	.Ss Login session and remote execution
@@ -302,11 +303,18 @@ Display a list of escape characters.
302	Send a BREAK to the remote system	303	Send a BREAK to the remote system
303	(only useful for SSH protocol version 2 and if the peer supports it).	304	(only useful for SSH protocol version 2 and if the peer supports it).
304	.It Cm ~C	305	.It Cm ~C
305	Open command line (only useful for adding port forwardings using the	306	Open command line.
		307	Currently this allows the addition of port forwardings using the
306	.Fl L	308	.Fl L
307	and	309	and
308	.Fl R	310	.Fl R
309	options).	311	options (see below).
		312	It also allows the cancellation of existing remote port-forwardings
		313	using
		314	.Fl KR Ar hostport .
		315	Basic help is available, using the
		316	.Fl h
		317	option.
310	.It Cm ~R	318	.It Cm ~R
311	Request rekeying of the connection	319	Request rekeying of the connection
312	(only useful for SSH protocol version 2 and if the peer supports it).	320	(only useful for SSH protocol version 2 and if the peer supports it).
@@ -392,6 +400,15 @@ The
392	option can be used to prevent logins to machines whose	400	option can be used to prevent logins to machines whose
393	host key is not known or has changed.	401	host key is not known or has changed.
394	.Pp	402	.Pp
		403	.Nm
		404	can be configured to verify host identification using fingerprint resource
		405	records (SSHFP) published in DNS.
		406	The
		407	.Cm VerifyHostKeyDNS
		408	option can be used to control how DNS lookups are performed.
		409	SSHFP resource records can be generated using
		410	.Xr ssh-keygen 1 .
		411	.Pp
395	The options are as follows:	412	The options are as follows:
396	.Bl -tag -width Ds	413	.Bl -tag -width Ds
397	.It Fl 1	414	.It Fl 1
@@ -442,13 +459,18 @@ The default value can be set on a host-by-host basis in the
442	configuration files; see the	459	configuration files; see the
443	.Cm Compression	460	.Cm Compression
444	option.	461	option.
445	.It Fl c Ar blowfish \| 3des \| des	462	.It Fl c Ar cipher_spec
446	Selects the cipher to use for encrypting the session.	463	Selects the cipher specification for encrypting the session.
447	.Ar 3des	464	.Pp
448	is used by default.	465	Protocol version 1 allows specification of a single cipher.
449	It is believed to be secure.	466	The suported values are
		467	.Dq 3des ,
		468	.Dq blowfish
		469	and
		470	.Dq des .
450	.Ar 3des	471	.Ar 3des
451	(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.	472	(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
		473	It is believed to be secure.
452	.Ar blowfish	474	.Ar blowfish
453	is a fast block cipher; it appears very secure and is much faster than	475	is a fast block cipher; it appears very secure and is much faster than
454	.Ar 3des .	476	.Ar 3des .
@@ -460,12 +482,30 @@ that do not support the
460	.Ar 3des	482	.Ar 3des
461	cipher.	483	cipher.
462	Its use is strongly discouraged due to cryptographic weaknesses.	484	Its use is strongly discouraged due to cryptographic weaknesses.
463	.It Fl c Ar cipher_spec	485	The default is
464	Additionally, for protocol version 2 a comma-separated list of ciphers can	486	.Dq 3des .
465	be specified in order of preference.	487	.Pp
466	See	488	For protocol version 2
467	.Cm Ciphers	489	.Ar cipher_spec
468	for more information.	490	is a comma-separated list of ciphers
		491	listed in order of preference.
		492	The supported ciphers are
		493	.Dq 3des-cbc ,
		494	.Dq aes128-cbc ,
		495	.Dq aes192-cbc ,
		496	.Dq aes256-cbc ,
		497	.Dq aes128-ctr ,
		498	.Dq aes192-ctr ,
		499	.Dq aes256-ctr ,
		500	.Dq arcfour ,
		501	.Dq blowfish-cbc ,
		502	and
		503	.Dq cast128-cbc .
		504	The default is
		505	.Bd -literal
		506	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
		507	aes192-cbc,aes256-cbc''
		508	.Ed
469	.It Fl D Ar port	509	.It Fl D Ar port
470	Specifies a local	510	Specifies a local
471	.Dq dynamic	511	.Dq dynamic
@@ -568,6 +608,17 @@ IPv6 addresses can be specified with an alternative syntax:
568	.It Fl l Ar login_name	608	.It Fl l Ar login_name
569	Specifies the user to log in as on the remote machine.	609	Specifies the user to log in as on the remote machine.
570	This also may be specified on a per-host basis in the configuration file.	610	This also may be specified on a per-host basis in the configuration file.
		611	.It Fl M
		612	Places the
		613	.Nm
		614	client into
		615	.Dq master
		616	mode for connection sharing.
		617	Refer to the description of
		618	.Cm ControlMaster
		619	in
		620	.Xr ssh_config 5
		621	for details.
571	.It Fl m Ar mac_spec	622	.It Fl m Ar mac_spec
572	Additionally, for protocol version 2 a comma-separated list of MAC	623	Additionally, for protocol version 2 a comma-separated list of MAC
573	(message authentication code) algorithms can	624	(message authentication code) algorithms can
@@ -618,7 +669,9 @@ For full details of the options listed below, and their possible values, see
618	.It Compression	669	.It Compression
619	.It CompressionLevel	670	.It CompressionLevel
620	.It ConnectionAttempts	671	.It ConnectionAttempts
621	.It ConnectionTimeout	672	.It ConnectTimeout
		673	.It ControlMaster
		674	.It ControlPath
622	.It DynamicForward	675	.It DynamicForward
623	.It EscapeChar	676	.It EscapeChar
624	.It ForwardAgent	677	.It ForwardAgent
@@ -649,6 +702,7 @@ For full details of the options listed below, and their possible values, see
649	.It RemoteForward	702	.It RemoteForward
650	.It RhostsRSAAuthentication	703	.It RhostsRSAAuthentication
651	.It RSAAuthentication	704	.It RSAAuthentication
		705	.It SendEnv
652	.It ServerAliveInterval	706	.It ServerAliveInterval
653	.It ServerAliveCountMax	707	.It ServerAliveCountMax
654	.It SmartcardDevice	708	.It SmartcardDevice
@@ -697,6 +751,15 @@ IPv6 addresses can be specified with an alternative syntax:
697	.Ar hostport .	751	.Ar hostport .
698	.Xc	752	.Xc
699	.Sm on	753	.Sm on
		754	.It Fl S Ar ctl
		755	Specifies the location of a control socket for connection sharing.
		756	Refer to the description of
		757	.Cm ControlPath
		758	and
		759	.Cm ControlMaster
		760	in
		761	.Xr ssh_config 5
		762	for details.
700	.It Fl s	763	.It Fl s
701	May be used to request invocation of a subsystem on the remote system.	764	May be used to request invocation of a subsystem on the remote system.
702	Subsystems are a feature of the SSH2 protocol which facilitate the use	765	Subsystems are a feature of the SSH2 protocol which facilitate the use
@@ -889,6 +952,8 @@ the convenience of the user.
889	This is the per-user configuration file.	952	This is the per-user configuration file.
890	The file format and configuration options are described in	953	The file format and configuration options are described in
891	.Xr ssh_config 5 .	954	.Xr ssh_config 5 .
		955	Because of the potential for abuse, this file must have strict permissions:
		956	read/write for the user, and not accessible by others.
892	.It Pa $HOME/.ssh/authorized_keys	957	.It Pa $HOME/.ssh/authorized_keys
893	Lists the public keys (RSA/DSA) that can be used for logging in as this user.	958	Lists the public keys (RSA/DSA) that can be used for logging in as this user.
894	The format of this file is described in the	959	The format of this file is described in the