1 files changed, 110 insertions, 36 deletions
diff --git a/ssh.1 b/ssh.1
index f4c677628..b87ab4171 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -78,7 +78,8 @@
 .Oc
 .Op Fl S Ar ctl_path
 .Bk -words
-.Op Fl w Ar tunnel : Ns Ar tunnel
+.Oo Fl w Ar local_tun Ns
+.Op : Ns Ar remote_tun Oc
 .Oo Ar user Ns @ Oc Ns Ar hostname
 .Op Ar command
 .Ek
@@ -448,6 +449,7 @@ For full details of the options listed below, and their possible values, see
 .It ControlPath
 .It DynamicForward
 .It EscapeChar
+.It ExitOnForwardFailure
 .It ForwardAgent
 .It ForwardX11
 .It ForwardX11Trusted
@@ -569,7 +571,7 @@ Disable pseudo-tty allocation.
 Force pseudo-tty allocation.
 This can be used to execute arbitrary
 screen-based programs on a remote machine, which can be very useful,
-e.g., when implementing menu services.
+e.g. when implementing menu services.
 Multiple
 .Fl t
 options force tty allocation, even if
@@ -588,24 +590,35 @@ Multiple
 .Fl v
 options increase the verbosity.
 The maximum is 3.
-.It Fl w Ar tunnel : Ns Ar tunnel
+.It Fl w Xo
-Requests a
+.Ar local_tun Ns Op : Ns Ar remote_tun
+.Xc
+Requests
+tunnel
+device forwarding with the specified
 .Xr tun 4
-device on the client
+devices between the client
-(first
+.Pq Ar local_tun
-.Ar tunnel
+and the server
-arg)
+.Pq Ar remote_tun .
-and server
+.Pp
-(second
-.Ar tunnel
-arg).
 The devices may be specified by numerical ID or the keyword
 .Dq any ,
 which uses the next available tunnel device.
+If
+.Ar remote_tun
+is not specified, it defaults to
+.Dq any .
 See also the
 .Cm Tunnel
-directive in
+and
+.Cm TunnelDevice
+directives in
 .Xr ssh_config 5 .
+If the
+.Cm Tunnel
+directive is unset, it is set to the default tunnel mode, which is
+.Dq point-to-point .
 .It Fl X
 Enables X11 forwarding.
 This can also be specified on a per-host basis in a configuration file.
@@ -666,6 +679,7 @@ Protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Pp
 The methods available for authentication are:
+GSSAPI-based authentication,
 host-based authentication,
 public key authentication,
 challenge-response authentication,
@@ -872,7 +886,9 @@ and
 options (see above).
 It also allows the cancellation of existing remote port-forwardings
 using
-.Fl KR Ar hostport .
+.Sm off
+.Fl KR Oo Ar bind_address : Oc Ar port .
+.Sm on
 .Ic !\& Ns Ar command
 allows the user to execute a local command if the
 .Ic PermitLocalCommand
@@ -1025,8 +1041,7 @@ In this example, we are connecting a client to a server,
 The SSHFP resource records should first be added to the zonefile for
 host.example.com:
 .Bd -literal -offset indent
-$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
+$ ssh-keygen -r host.example.com.
-$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
 .Ed
 .Pp
 The output lines will have to be added to the zonefile.
@@ -1062,12 +1077,22 @@ controls whether the server supports this,
 and at what level (layer 2 or 3 traffic).
 .Pp
 The following example would connect client network 10.0.50.0/24
-with remote network 10.0.99.0/24, provided that the SSH server
+with remote network 10.0.99.0/24 using a point-to-point connection
-running on the gateway to the remote network,
+from 10.1.1.1 to 10.1.1.2,
-at 192.168.1.15, allows it:
+provided that the SSH server running on the gateway to the remote network,
+at 192.168.1.15, allows it.
+.Pp
+On the client:
 .Bd -literal -offset indent
 # ssh -f -w 0:1 192.168.1.15 true
-# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
+# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
+# route add 10.0.99.0/24 10.1.1.2
+.Ed
+.Pp
+On the server:
+.Bd -literal -offset indent
+# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
+# route add 10.0.50.0/24 10.1.1.1
 .Ed
 .Pp
 Client access may be more finely tuned via the
@@ -1075,11 +1100,11 @@ Client access may be more finely tuned via the
 file (see below) and the
 .Cm PermitRootLogin
 server option.
-The following entry would permit connections on the first
+The following entry would permit connections on
 .Xr tun 4
-device from user
+device 1 from user
 .Dq jane
-and on the second device from user
+and on tun device 2 from user
 .Dq john ,
 if
 .Cm PermitRootLogin
@@ -1087,10 +1112,10 @@ is set to
 .Dq forced-commands-only :
 .Bd -literal -offset 2n
 tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
-tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
+tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
 .Ed
 .Pp
-Since a SSH-based setup entails a fair amount of overhead,
+Since an SSH-based setup entails a fair amount of overhead,
 it may be more suited to temporary setups,
 such as for wireless VPNs.
 More permanent VPNs are better provided by tools such as
@@ -1178,7 +1203,7 @@ If the current session has no tty,
 this variable is not set.
 .It Ev TZ
 This variable is set to indicate the present time zone if it
-was set when the daemon was started (i.e., the daemon passes the value
+was set when the daemon was started (i.e. the daemon passes the value
 on to new connections).
 .It Ev USER
 Set to the name of the user logging in.
@@ -1339,15 +1364,64 @@ manual page for more information.
 .Xr ssh-keysign 8 ,
 .Xr sshd 8
 .Rs
-.%A T. Ylonen
+.%R RFC 4250
-.%A T. Kivinen
+.%T "The Secure Shell (SSH) Protocol Assigned Numbers"
-.%A M. Saarinen
+.%D 2006
-.%A T. Rinne
+.Re
-.%A S. Lehtinen
+.Rs
-.%T "SSH Protocol Architecture"
+.%R RFC 4251
-.%N draft-ietf-secsh-architecture-12.txt
+.%T "The Secure Shell (SSH) Protocol Architecture"
-.%D January 2002
+.%D 2006
-.%O work in progress material
+.Re
+.Rs
+.%R RFC 4252
+.%T "The Secure Shell (SSH) Authentication Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4253
+.%T "The Secure Shell (SSH) Transport Layer Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4254
+.%T "The Secure Shell (SSH) Connection Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4255
+.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4256
+.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4335
+.%T "The Secure Shell (SSH) Session Channel Break Extension"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4344
+.%T "The Secure Shell (SSH) Transport Layer Encryption Modes"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4345
+.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4419
+.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4716
+.%T "The Secure Shell (SSH) Public Key File Format"
+.%D 2006
 .Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free

diff --git a/ssh.1 b/ssh.1 index f4c677628..b87ab4171 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -78,7 +78,8 @@
78	.Oc	78	.Oc
79	.Op Fl S Ar ctl_path	79	.Op Fl S Ar ctl_path
80	.Bk -words	80	.Bk -words
81	.Op Fl w Ar tunnel : Ns Ar tunnel	81	.Oo Fl w Ar local_tun Ns
		82	.Op : Ns Ar remote_tun Oc
82	.Oo Ar user Ns @ Oc Ns Ar hostname	83	.Oo Ar user Ns @ Oc Ns Ar hostname
83	.Op Ar command	84	.Op Ar command
84	.Ek	85	.Ek
@@ -448,6 +449,7 @@ For full details of the options listed below, and their possible values, see
448	.It ControlPath	449	.It ControlPath
449	.It DynamicForward	450	.It DynamicForward
450	.It EscapeChar	451	.It EscapeChar
		452	.It ExitOnForwardFailure
451	.It ForwardAgent	453	.It ForwardAgent
452	.It ForwardX11	454	.It ForwardX11
453	.It ForwardX11Trusted	455	.It ForwardX11Trusted
@@ -569,7 +571,7 @@ Disable pseudo-tty allocation.
569	Force pseudo-tty allocation.	571	Force pseudo-tty allocation.
570	This can be used to execute arbitrary	572	This can be used to execute arbitrary
571	screen-based programs on a remote machine, which can be very useful,	573	screen-based programs on a remote machine, which can be very useful,
572	e.g., when implementing menu services.	574	e.g. when implementing menu services.
573	Multiple	575	Multiple
574	.Fl t	576	.Fl t
575	options force tty allocation, even if	577	options force tty allocation, even if
@@ -588,24 +590,35 @@ Multiple
588	.Fl v	590	.Fl v
589	options increase the verbosity.	591	options increase the verbosity.
590	The maximum is 3.	592	The maximum is 3.
591	.It Fl w Ar tunnel : Ns Ar tunnel	593	.It Fl w Xo
592	Requests a	594	.Ar local_tun Ns Op : Ns Ar remote_tun
		595	.Xc
		596	Requests
		597	tunnel
		598	device forwarding with the specified
593	.Xr tun 4	599	.Xr tun 4
594	device on the client	600	devices between the client
595	(first	601	.Pq Ar local_tun
596	.Ar tunnel	602	and the server
597	arg)	603	.Pq Ar remote_tun .
598	and server	604	.Pp
599	(second
600	.Ar tunnel
601	arg).
602	The devices may be specified by numerical ID or the keyword	605	The devices may be specified by numerical ID or the keyword
603	.Dq any ,	606	.Dq any ,
604	which uses the next available tunnel device.	607	which uses the next available tunnel device.
		608	If
		609	.Ar remote_tun
		610	is not specified, it defaults to
		611	.Dq any .
605	See also the	612	See also the
606	.Cm Tunnel	613	.Cm Tunnel
607	directive in	614	and
		615	.Cm TunnelDevice
		616	directives in
608	.Xr ssh_config 5 .	617	.Xr ssh_config 5 .
		618	If the
		619	.Cm Tunnel
		620	directive is unset, it is set to the default tunnel mode, which is
		621	.Dq point-to-point .
609	.It Fl X	622	.It Fl X
610	Enables X11 forwarding.	623	Enables X11 forwarding.
611	This can also be specified on a per-host basis in a configuration file.	624	This can also be specified on a per-host basis in a configuration file.
@@ -666,6 +679,7 @@ Protocol 1 lacks a strong mechanism for ensuring the
666	integrity of the connection.	679	integrity of the connection.
667	.Pp	680	.Pp
668	The methods available for authentication are:	681	The methods available for authentication are:
		682	GSSAPI-based authentication,
669	host-based authentication,	683	host-based authentication,
670	public key authentication,	684	public key authentication,
671	challenge-response authentication,	685	challenge-response authentication,
@@ -872,7 +886,9 @@ and
872	options (see above).	886	options (see above).
873	It also allows the cancellation of existing remote port-forwardings	887	It also allows the cancellation of existing remote port-forwardings
874	using	888	using
875	.Fl KR Ar hostport .	889	.Sm off
		890	.Fl KR Oo Ar bind_address : Oc Ar port .
		891	.Sm on
876	.Ic !\& Ns Ar command	892	.Ic !\& Ns Ar command
877	allows the user to execute a local command if the	893	allows the user to execute a local command if the
878	.Ic PermitLocalCommand	894	.Ic PermitLocalCommand
@@ -1025,8 +1041,7 @@ In this example, we are connecting a client to a server,
1025	The SSHFP resource records should first be added to the zonefile for	1041	The SSHFP resource records should first be added to the zonefile for
1026	host.example.com:	1042	host.example.com:
1027	.Bd -literal -offset indent	1043	.Bd -literal -offset indent
1028	$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.	1044	$ ssh-keygen -r host.example.com.
1029	$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
1030	.Ed	1045	.Ed
1031	.Pp	1046	.Pp
1032	The output lines will have to be added to the zonefile.	1047	The output lines will have to be added to the zonefile.
@@ -1062,12 +1077,22 @@ controls whether the server supports this,
1062	and at what level (layer 2 or 3 traffic).	1077	and at what level (layer 2 or 3 traffic).
1063	.Pp	1078	.Pp
1064	The following example would connect client network 10.0.50.0/24	1079	The following example would connect client network 10.0.50.0/24
1065	with remote network 10.0.99.0/24, provided that the SSH server	1080	with remote network 10.0.99.0/24 using a point-to-point connection
1066	running on the gateway to the remote network,	1081	from 10.1.1.1 to 10.1.1.2,
1067	at 192.168.1.15, allows it:	1082	provided that the SSH server running on the gateway to the remote network,
		1083	at 192.168.1.15, allows it.
		1084	.Pp
		1085	On the client:
1068	.Bd -literal -offset indent	1086	.Bd -literal -offset indent
1069	# ssh -f -w 0:1 192.168.1.15 true	1087	# ssh -f -w 0:1 192.168.1.15 true
1070	# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252	1088	# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
		1089	# route add 10.0.99.0/24 10.1.1.2
		1090	.Ed
		1091	.Pp
		1092	On the server:
		1093	.Bd -literal -offset indent
		1094	# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
		1095	# route add 10.0.50.0/24 10.1.1.1
1071	.Ed	1096	.Ed
1072	.Pp	1097	.Pp
1073	Client access may be more finely tuned via the	1098	Client access may be more finely tuned via the
@@ -1075,11 +1100,11 @@ Client access may be more finely tuned via the
1075	file (see below) and the	1100	file (see below) and the
1076	.Cm PermitRootLogin	1101	.Cm PermitRootLogin
1077	server option.	1102	server option.
1078	The following entry would permit connections on the first	1103	The following entry would permit connections on
1079	.Xr tun 4	1104	.Xr tun 4
1080	device from user	1105	device 1 from user
1081	.Dq jane	1106	.Dq jane
1082	and on the second device from user	1107	and on tun device 2 from user
1083	.Dq john ,	1108	.Dq john ,
1084	if	1109	if
1085	.Cm PermitRootLogin	1110	.Cm PermitRootLogin
@@ -1087,10 +1112,10 @@ is set to
1087	.Dq forced-commands-only :	1112	.Dq forced-commands-only :
1088	.Bd -literal -offset 2n	1113	.Bd -literal -offset 2n
1089	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane	1114	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
1090	tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john	1115	tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
1091	.Ed	1116	.Ed
1092	.Pp	1117	.Pp
1093	Since a SSH-based setup entails a fair amount of overhead,	1118	Since an SSH-based setup entails a fair amount of overhead,
1094	it may be more suited to temporary setups,	1119	it may be more suited to temporary setups,
1095	such as for wireless VPNs.	1120	such as for wireless VPNs.
1096	More permanent VPNs are better provided by tools such as	1121	More permanent VPNs are better provided by tools such as
@@ -1178,7 +1203,7 @@ If the current session has no tty,
1178	this variable is not set.	1203	this variable is not set.
1179	.It Ev TZ	1204	.It Ev TZ
1180	This variable is set to indicate the present time zone if it	1205	This variable is set to indicate the present time zone if it
1181	was set when the daemon was started (i.e., the daemon passes the value	1206	was set when the daemon was started (i.e. the daemon passes the value
1182	on to new connections).	1207	on to new connections).
1183	.It Ev USER	1208	.It Ev USER
1184	Set to the name of the user logging in.	1209	Set to the name of the user logging in.
@@ -1339,15 +1364,64 @@ manual page for more information.
1339	.Xr ssh-keysign 8 ,	1364	.Xr ssh-keysign 8 ,
1340	.Xr sshd 8	1365	.Xr sshd 8
1341	.Rs	1366	.Rs
1342	.%A T. Ylonen	1367	.%R RFC 4250
1343	.%A T. Kivinen	1368	.%T "The Secure Shell (SSH) Protocol Assigned Numbers"
1344	.%A M. Saarinen	1369	.%D 2006
1345	.%A T. Rinne	1370	.Re
1346	.%A S. Lehtinen	1371	.Rs
1347	.%T "SSH Protocol Architecture"	1372	.%R RFC 4251
1348	.%N draft-ietf-secsh-architecture-12.txt	1373	.%T "The Secure Shell (SSH) Protocol Architecture"
1349	.%D January 2002	1374	.%D 2006
1350	.%O work in progress material	1375	.Re
		1376	.Rs
		1377	.%R RFC 4252
		1378	.%T "The Secure Shell (SSH) Authentication Protocol"
		1379	.%D 2006
		1380	.Re
		1381	.Rs
		1382	.%R RFC 4253
		1383	.%T "The Secure Shell (SSH) Transport Layer Protocol"
		1384	.%D 2006
		1385	.Re
		1386	.Rs
		1387	.%R RFC 4254
		1388	.%T "The Secure Shell (SSH) Connection Protocol"
		1389	.%D 2006
		1390	.Re
		1391	.Rs
		1392	.%R RFC 4255
		1393	.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
		1394	.%D 2006
		1395	.Re
		1396	.Rs
		1397	.%R RFC 4256
		1398	.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)"
		1399	.%D 2006
		1400	.Re
		1401	.Rs
		1402	.%R RFC 4335
		1403	.%T "The Secure Shell (SSH) Session Channel Break Extension"
		1404	.%D 2006
		1405	.Re
		1406	.Rs
		1407	.%R RFC 4344
		1408	.%T "The Secure Shell (SSH) Transport Layer Encryption Modes"
		1409	.%D 2006
		1410	.Re
		1411	.Rs
		1412	.%R RFC 4345
		1413	.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol"
		1414	.%D 2006
		1415	.Re
		1416	.Rs
		1417	.%R RFC 4419
		1418	.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
		1419	.%D 2006
		1420	.Re
		1421	.Rs
		1422	.%R RFC 4716
		1423	.%T "The Secure Shell (SSH) Public Key File Format"
		1424	.%D 2006
1351	.Re	1425	.Re
1352	.Sh AUTHORS	1426	.Sh AUTHORS
1353	OpenSSH is a derivative of the original and free	1427	OpenSSH is a derivative of the original and free