1 files changed, 31 insertions, 61 deletions
diff --git a/ssh.1 b/ssh.1
index 6aa57c462..f1b01c566 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.384 2017/09/21 19:16:53 markus Exp $
-.Dd $Mdocdate: July 16 2016 $
+.Dd $Mdocdate: September 21 2017 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@
 .Sh SYNOPSIS
 .Nm ssh
 .Bk -words
-.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
 .Op Fl D Oo Ar bind_address : Oc Ns Ar port
@@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell.
 The options are as follows:
 .Pp
 .Bl -tag -width Ds -compact
-.It Fl 1
-Forces
-.Nm
-to try protocol version 1 only.
-.Pp
-.It Fl 2
-Forces
-.Nm
-to try protocol version 2 only.
-.Pp
 .It Fl 4
 Forces
 .Nm
@@ -144,12 +134,7 @@ data for forwarded X11, TCP and
 .Ux Ns -domain
 connections).
 The compression algorithm is the same used by
-.Xr gzip 1 ,
+.Xr gzip 1 .
-and the
-.Dq level
-can be controlled by the
-.Cm CompressionLevel
-option for protocol version 1.
 Compression is desirable on modem lines and other
 slow connections, but will only slow down things on fast networks.
 The default value can be set on a host-by-host basis in the
@@ -159,14 +144,6 @@ option.
 .Pp
 .It Fl c Ar cipher_spec
 Selects the cipher specification for encrypting the session.
-.Pp
-Protocol version 1 allows specification of a single cipher.
-The supported values are
-.Dq 3des ,
-.Dq blowfish ,
-and
-.Dq des .
-For protocol version 2,
 .Ar cipher_spec
 is a comma-separated list of ciphers
 listed in order of preference.
@@ -290,14 +267,11 @@ private RSA key.
 Selects a file from which the identity (private key) for
 public key authentication is read.
 The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ed25519
 and
-.Pa ~/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa .
-for protocol version 2.
 Identity files may also be specified on
 a per-host basis in the configuration file.
 It is possible to have multiple
@@ -491,11 +465,9 @@ For full details of the options listed below, and their possible values, see
 .It CertificateFile
 .It ChallengeResponseAuthentication
 .It CheckHostIP
-.It Cipher
 .It Ciphers
 .It ClearAllForwardings
 .It Compression
-.It CompressionLevel
 .It ConnectionAttempts
 .It ConnectTimeout
 .It ControlMaster
@@ -540,17 +512,15 @@ For full details of the options listed below, and their possible values, see
 .It PKCS11Provider
 .It Port
 .It PreferredAuthentications
-.It Protocol
 .It ProxyCommand
 .It ProxyJump
 .It ProxyUseFdpass
 .It PubkeyAcceptedKeyTypes
 .It PubkeyAuthentication
 .It RekeyLimit
+.It RemoteCommand
 .It RemoteForward
 .It RequestTTY
-.It RhostsRSAAuthentication
-.It RSAAuthentication
 .It SendEnv
 .It ServerAliveInterval
 .It ServerAliveCountMax
@@ -622,21 +592,30 @@ Causes most warning and diagnostic messages to be suppressed.
 .Ar remote_socket : local_socket
 .Sm on
 .Xc
+.It Fl R Xo
+.Sm off
+.Oo Ar bind_address : Oc
+.Ar port
+.Sm on
+.Xc
 Specifies that connections to the given TCP port or Unix socket on the remote
-(server) host are to be forwarded to the given host and port, or Unix socket,
+(server) host are to be forwarded to the local side.
-on the local side.
+.Pp
 This works by allocating a socket to listen to either a TCP
 .Ar port
 or to a Unix socket on the remote side.
 Whenever a connection is made to this port or Unix socket, the
 connection is forwarded over the secure channel, and a connection
-is made to either
+is made from the local machine to either an explicit destination specified by
 .Ar host
 port
 .Ar hostport ,
 or
 .Ar local_socket ,
-from the local machine.
+or, if no explicit destination was specified,
+.Nm
+will act as a SOCKS 4/5 proxy and forward connections to the destinations
+requested by the remote SOCKS client.
 .Pp
 Port forwardings can also be specified in the configuration file.
 Privileged ports can be forwarded only when
@@ -827,21 +806,7 @@ a per-user configuration file and a system-wide configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
 .Sh AUTHENTICATION
-The OpenSSH SSH client supports SSH protocols 1 and 2.
+The OpenSSH SSH client supports SSH protocol 2.
-The default is to use protocol 2 only,
-though this can be changed via the
-.Cm Protocol
-option in
-.Xr ssh_config 5
-or the
-.Fl 1
-and
-.Fl 2
-options (see above).
-Protocol 1 should not be used
-and is only offered to support legacy devices.
-It suffers from a number of cryptographic weaknesses
-and doesn't support many of the advanced features available for protocol 2.
 .Pp
 The methods available for authentication are:
 GSSAPI-based authentication,
@@ -915,11 +880,20 @@ The client proves that it has access to the private key
 and the server checks that the corresponding public key
 is authorized to accept the account.
 .Pp
+The server may inform the client of errors that prevented public key
+authentication from succeeding after authentication completes using a
+different method.
+These may be viewed by increasing the
+.Cm LogLevel
+to
+.Cm DEBUG
+or higher (e.g. by using the
+.Fl v
+flag).
+.Pp
 The user creates his/her key pair by running
 .Xr ssh-keygen 1 .
 This stores the private key in
-.Pa ~/.ssh/identity
-(protocol 1),
 .Pa ~/.ssh/id_dsa
 (DSA),
 .Pa ~/.ssh/id_ecdsa
@@ -930,8 +904,6 @@ or
 .Pa ~/.ssh/id_rsa
 (RSA)
 and stores the public key in
-.Pa ~/.ssh/identity.pub
-(protocol 1),
 .Pa ~/.ssh/id_dsa.pub
 (DSA),
 .Pa ~/.ssh/id_ecdsa.pub
@@ -1517,7 +1489,6 @@ Contains additional definitions for environment variables; see
 .Sx ENVIRONMENT ,
 above.
 .Pp
-.It Pa ~/.ssh/identity
 .It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
 .It Pa ~/.ssh/id_ed25519
@@ -1532,7 +1503,6 @@ It is possible to specify a passphrase when
 generating the key which will be used to encrypt the
 sensitive part of this file using 3DES.
 .Pp
-.It Pa ~/.ssh/identity.pub
 .It Pa ~/.ssh/id_dsa.pub
 .It Pa ~/.ssh/id_ecdsa.pub
 .It Pa ~/.ssh/id_ed25519.pub

diff --git a/ssh.1 b/ssh.1 index 6aa57c462..f1b01c566 100644 --- a/ssh.1 +++ b/ssh.1
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $	36	.\" $OpenBSD: ssh.1,v 1.384 2017/09/21 19:16:53 markus Exp $
37	.Dd $Mdocdate: July 16 2016 $	37	.Dd $Mdocdate: September 21 2017 $
38	.Dt SSH 1	38	.Dt SSH 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -43,7 +43,7 @@
43	.Sh SYNOPSIS	43	.Sh SYNOPSIS
44	.Nm ssh	44	.Nm ssh
45	.Bk -words	45	.Bk -words
46	.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy	46	.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
47	.Op Fl b Ar bind_address	47	.Op Fl b Ar bind_address
48	.Op Fl c Ar cipher_spec	48	.Op Fl c Ar cipher_spec
49	.Op Fl D Oo Ar bind_address : Oc Ns Ar port	49	.Op Fl D Oo Ar bind_address : Oc Ns Ar port
@@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell.
95	The options are as follows:	95	The options are as follows:
96	.Pp	96	.Pp
97	.Bl -tag -width Ds -compact	97	.Bl -tag -width Ds -compact
98	.It Fl 1
99	Forces
100	.Nm
101	to try protocol version 1 only.
102	.Pp
103	.It Fl 2
104	Forces
105	.Nm
106	to try protocol version 2 only.
107	.Pp
108	.It Fl 4	98	.It Fl 4
109	Forces	99	Forces
110	.Nm	100	.Nm
@@ -144,12 +134,7 @@ data for forwarded X11, TCP and
144	.Ux Ns -domain	134	.Ux Ns -domain
145	connections).	135	connections).
146	The compression algorithm is the same used by	136	The compression algorithm is the same used by
147	.Xr gzip 1 ,	137	.Xr gzip 1 .
148	and the
149	.Dq level
150	can be controlled by the
151	.Cm CompressionLevel
152	option for protocol version 1.
153	Compression is desirable on modem lines and other	138	Compression is desirable on modem lines and other
154	slow connections, but will only slow down things on fast networks.	139	slow connections, but will only slow down things on fast networks.
155	The default value can be set on a host-by-host basis in the	140	The default value can be set on a host-by-host basis in the
@@ -159,14 +144,6 @@ option.
159	.Pp	144	.Pp
160	.It Fl c Ar cipher_spec	145	.It Fl c Ar cipher_spec
161	Selects the cipher specification for encrypting the session.	146	Selects the cipher specification for encrypting the session.
162	.Pp
163	Protocol version 1 allows specification of a single cipher.
164	The supported values are
165	.Dq 3des ,
166	.Dq blowfish ,
167	and
168	.Dq des .
169	For protocol version 2,
170	.Ar cipher_spec	147	.Ar cipher_spec
171	is a comma-separated list of ciphers	148	is a comma-separated list of ciphers
172	listed in order of preference.	149	listed in order of preference.
@@ -290,14 +267,11 @@ private RSA key.
290	Selects a file from which the identity (private key) for	267	Selects a file from which the identity (private key) for
291	public key authentication is read.	268	public key authentication is read.
292	The default is	269	The default is
293	.Pa ~/.ssh/identity
294	for protocol version 1, and
295	.Pa ~/.ssh/id_dsa ,	270	.Pa ~/.ssh/id_dsa ,
296	.Pa ~/.ssh/id_ecdsa ,	271	.Pa ~/.ssh/id_ecdsa ,
297	.Pa ~/.ssh/id_ed25519	272	.Pa ~/.ssh/id_ed25519
298	and	273	and
299	.Pa ~/.ssh/id_rsa	274	.Pa ~/.ssh/id_rsa .
300	for protocol version 2.
301	Identity files may also be specified on	275	Identity files may also be specified on
302	a per-host basis in the configuration file.	276	a per-host basis in the configuration file.
303	It is possible to have multiple	277	It is possible to have multiple
@@ -491,11 +465,9 @@ For full details of the options listed below, and their possible values, see
491	.It CertificateFile	465	.It CertificateFile
492	.It ChallengeResponseAuthentication	466	.It ChallengeResponseAuthentication
493	.It CheckHostIP	467	.It CheckHostIP
494	.It Cipher
495	.It Ciphers	468	.It Ciphers
496	.It ClearAllForwardings	469	.It ClearAllForwardings
497	.It Compression	470	.It Compression
498	.It CompressionLevel
499	.It ConnectionAttempts	471	.It ConnectionAttempts
500	.It ConnectTimeout	472	.It ConnectTimeout
501	.It ControlMaster	473	.It ControlMaster
@@ -540,17 +512,15 @@ For full details of the options listed below, and their possible values, see
540	.It PKCS11Provider	512	.It PKCS11Provider
541	.It Port	513	.It Port
542	.It PreferredAuthentications	514	.It PreferredAuthentications
543	.It Protocol
544	.It ProxyCommand	515	.It ProxyCommand
545	.It ProxyJump	516	.It ProxyJump
546	.It ProxyUseFdpass	517	.It ProxyUseFdpass
547	.It PubkeyAcceptedKeyTypes	518	.It PubkeyAcceptedKeyTypes
548	.It PubkeyAuthentication	519	.It PubkeyAuthentication
549	.It RekeyLimit	520	.It RekeyLimit
		521	.It RemoteCommand
550	.It RemoteForward	522	.It RemoteForward
551	.It RequestTTY	523	.It RequestTTY
552	.It RhostsRSAAuthentication
553	.It RSAAuthentication
554	.It SendEnv	524	.It SendEnv
555	.It ServerAliveInterval	525	.It ServerAliveInterval
556	.It ServerAliveCountMax	526	.It ServerAliveCountMax
@@ -622,21 +592,30 @@ Causes most warning and diagnostic messages to be suppressed.
622	.Ar remote_socket : local_socket	592	.Ar remote_socket : local_socket
623	.Sm on	593	.Sm on
624	.Xc	594	.Xc
		595	.It Fl R Xo
		596	.Sm off
		597	.Oo Ar bind_address : Oc
		598	.Ar port
		599	.Sm on
		600	.Xc
625	Specifies that connections to the given TCP port or Unix socket on the remote	601	Specifies that connections to the given TCP port or Unix socket on the remote
626	(server) host are to be forwarded to the given host and port, or Unix socket,	602	(server) host are to be forwarded to the local side.
627	on the local side.	603	.Pp
628	This works by allocating a socket to listen to either a TCP	604	This works by allocating a socket to listen to either a TCP
629	.Ar port	605	.Ar port
630	or to a Unix socket on the remote side.	606	or to a Unix socket on the remote side.
631	Whenever a connection is made to this port or Unix socket, the	607	Whenever a connection is made to this port or Unix socket, the
632	connection is forwarded over the secure channel, and a connection	608	connection is forwarded over the secure channel, and a connection
633	is made to either	609	is made from the local machine to either an explicit destination specified by
634	.Ar host	610	.Ar host
635	port	611	port
636	.Ar hostport ,	612	.Ar hostport ,
637	or	613	or
638	.Ar local_socket ,	614	.Ar local_socket ,
639	from the local machine.	615	or, if no explicit destination was specified,
		616	.Nm
		617	will act as a SOCKS 4/5 proxy and forward connections to the destinations
		618	requested by the remote SOCKS client.
640	.Pp	619	.Pp
641	Port forwardings can also be specified in the configuration file.	620	Port forwardings can also be specified in the configuration file.
642	Privileged ports can be forwarded only when	621	Privileged ports can be forwarded only when
@@ -827,21 +806,7 @@ a per-user configuration file and a system-wide configuration file.
827	The file format and configuration options are described in	806	The file format and configuration options are described in
828	.Xr ssh_config 5 .	807	.Xr ssh_config 5 .
829	.Sh AUTHENTICATION	808	.Sh AUTHENTICATION
830	The OpenSSH SSH client supports SSH protocols 1 and 2.	809	The OpenSSH SSH client supports SSH protocol 2.
831	The default is to use protocol 2 only,
832	though this can be changed via the
833	.Cm Protocol
834	option in
835	.Xr ssh_config 5
836	or the
837	.Fl 1
838	and
839	.Fl 2
840	options (see above).
841	Protocol 1 should not be used
842	and is only offered to support legacy devices.
843	It suffers from a number of cryptographic weaknesses
844	and doesn't support many of the advanced features available for protocol 2.
845	.Pp	810	.Pp
846	The methods available for authentication are:	811	The methods available for authentication are:
847	GSSAPI-based authentication,	812	GSSAPI-based authentication,
@@ -915,11 +880,20 @@ The client proves that it has access to the private key
915	and the server checks that the corresponding public key	880	and the server checks that the corresponding public key
916	is authorized to accept the account.	881	is authorized to accept the account.
917	.Pp	882	.Pp
		883	The server may inform the client of errors that prevented public key
		884	authentication from succeeding after authentication completes using a
		885	different method.
		886	These may be viewed by increasing the
		887	.Cm LogLevel
		888	to
		889	.Cm DEBUG
		890	or higher (e.g. by using the
		891	.Fl v
		892	flag).
		893	.Pp
918	The user creates his/her key pair by running	894	The user creates his/her key pair by running
919	.Xr ssh-keygen 1 .	895	.Xr ssh-keygen 1 .
920	This stores the private key in	896	This stores the private key in
921	.Pa ~/.ssh/identity
922	(protocol 1),
923	.Pa ~/.ssh/id_dsa	897	.Pa ~/.ssh/id_dsa
924	(DSA),	898	(DSA),
925	.Pa ~/.ssh/id_ecdsa	899	.Pa ~/.ssh/id_ecdsa
@@ -930,8 +904,6 @@ or
930	.Pa ~/.ssh/id_rsa	904	.Pa ~/.ssh/id_rsa
931	(RSA)	905	(RSA)
932	and stores the public key in	906	and stores the public key in
933	.Pa ~/.ssh/identity.pub
934	(protocol 1),
935	.Pa ~/.ssh/id_dsa.pub	907	.Pa ~/.ssh/id_dsa.pub
936	(DSA),	908	(DSA),
937	.Pa ~/.ssh/id_ecdsa.pub	909	.Pa ~/.ssh/id_ecdsa.pub
@@ -1517,7 +1489,6 @@ Contains additional definitions for environment variables; see
1517	.Sx ENVIRONMENT ,	1489	.Sx ENVIRONMENT ,
1518	above.	1490	above.
1519	.Pp	1491	.Pp
1520	.It Pa ~/.ssh/identity
1521	.It Pa ~/.ssh/id_dsa	1492	.It Pa ~/.ssh/id_dsa
1522	.It Pa ~/.ssh/id_ecdsa	1493	.It Pa ~/.ssh/id_ecdsa
1523	.It Pa ~/.ssh/id_ed25519	1494	.It Pa ~/.ssh/id_ed25519
@@ -1532,7 +1503,6 @@ It is possible to specify a passphrase when
1532	generating the key which will be used to encrypt the	1503	generating the key which will be used to encrypt the
1533	sensitive part of this file using 3DES.	1504	sensitive part of this file using 3DES.
1534	.Pp	1505	.Pp
1535	.It Pa ~/.ssh/identity.pub
1536	.It Pa ~/.ssh/id_dsa.pub	1506	.It Pa ~/.ssh/id_dsa.pub
1537	.It Pa ~/.ssh/id_ecdsa.pub	1507	.It Pa ~/.ssh/id_ecdsa.pub
1538	.It Pa ~/.ssh/id_ed25519.pub	1508	.It Pa ~/.ssh/id_ed25519.pub