1 files changed, 20 insertions, 14 deletions
diff --git a/ssh.1 b/ssh.1
index 27808b1f3..fd822bb3d 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -48,6 +48,7 @@
 .Op Ar command
 .Pp
 .Nm ssh
+.Bk -words
 .Op Fl afgknqstvxACNTX1246
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
@@ -66,6 +67,8 @@
 .Sm on
 .Xc
 .Oc
+.Ek
+.Bk -words
 .Oo Fl R Xo
 .Sm off
 .Ar port :
@@ -77,6 +80,7 @@
 .Op Fl D Ar port
 .Ar hostname | user@hostname
 .Op Ar command
+.Ek
 .Sh DESCRIPTION
 .Nm
 (SSH client) is a program for logging into a remote machine and for
@@ -361,7 +365,7 @@ variable is set to
 .Fl A
 and
 .Fl a
-options described later) and 
+options described later) and
 the user is using an authentication agent, the connection to the agent
 is automatically forwarded to the remote side.
 .Pp
@@ -403,10 +407,11 @@ Disables forwarding of the authentication agent connection.
 Enables forwarding of the authentication agent connection.
 This can also be specified on a per-host basis in a configuration file.
 .Pp
-Agent forwarding should be enabled with caution.  Users with the
+Agent forwarding should be enabled with caution.
-ability to bypass file permissions on the remote host (for the agent's
+Users with the ability to bypass file permissions on the remote host
-Unix-domain socket) can access the local agent through the forwarded
+(for the agent's Unix-domain socket)
-connection.  An attacker cannot obtain key material from the agent,
+can access the local agent through the forwarded connection.
+An attacker cannot obtain key material from the agent,
 however they can perform operations on the keys that enable them to
 authenticate using the identities loaded into the agent.
 .It Fl b Ar bind_address
@@ -428,8 +433,8 @@ is only supported in the
 client for interoperability with legacy protocol 1 implementations
 that do not support the
 .Ar 3des
-cipher.  Its use is strongly discouraged due to cryptographic
+cipher.
-weaknesses.
+Its use is strongly discouraged due to cryptographic weaknesses.
 .It Fl c Ar cipher_spec
 Additionally, for protocol version 2 a comma-separated list of ciphers can
 be specified in order of preference.
@@ -566,11 +571,11 @@ Disables X11 forwarding.
 Enables X11 forwarding.
 This can also be specified on a per-host basis in a configuration file.
 .Pp
-X11 forwarding should be enabled with caution.  Users with the ability
+X11 forwarding should be enabled with caution.
-to bypass file permissions on the remote host (for the user's X
+Users with the ability to bypass file permissions on the remote host
-authorization database) can access the local X11 display through the
+(for the user's X authorization database)
-forwarded connection.  An attacker may then be able to perform
+can access the local X11 display through the forwarded connection.
-activities such as keystroke monitoring.
+An attacker may then be able to perform activities such as keystroke monitoring.
 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
 data for forwarded X11 and TCP/IP connections).
@@ -637,7 +642,8 @@ This works by allocating a socket to listen to
 on the local side, and whenever a connection is made to this port, the
 connection is forwarded over the secure channel, and the application
 protocol is then used to determine where to connect to from the
-remote machine.  Currently the SOCKS4 protocol is supported, and
+remote machine.
+Currently the SOCKS4 protocol is supported, and
 .Nm
 will act as a SOCKS4 server.
 Only root can forward privileged ports.

diff --git a/ssh.1 b/ssh.1 index 27808b1f3..fd822bb3d 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $	37	.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -48,6 +48,7 @@
48	.Op Ar command	48	.Op Ar command
49	.Pp	49	.Pp
50	.Nm ssh	50	.Nm ssh
		51	.Bk -words
51	.Op Fl afgknqstvxACNTX1246	52	.Op Fl afgknqstvxACNTX1246
52	.Op Fl b Ar bind_address	53	.Op Fl b Ar bind_address
53	.Op Fl c Ar cipher_spec	54	.Op Fl c Ar cipher_spec
@@ -66,6 +67,8 @@
66	.Sm on	67	.Sm on
67	.Xc	68	.Xc
68	.Oc	69	.Oc
		70	.Ek
		71	.Bk -words
69	.Oo Fl R Xo	72	.Oo Fl R Xo
70	.Sm off	73	.Sm off
71	.Ar port :	74	.Ar port :
@@ -77,6 +80,7 @@
77	.Op Fl D Ar port	80	.Op Fl D Ar port
78	.Ar hostname \| user@hostname	81	.Ar hostname \| user@hostname
79	.Op Ar command	82	.Op Ar command
		83	.Ek
80	.Sh DESCRIPTION	84	.Sh DESCRIPTION
81	.Nm	85	.Nm
82	(SSH client) is a program for logging into a remote machine and for	86	(SSH client) is a program for logging into a remote machine and for
@@ -361,7 +365,7 @@ variable is set to
361	.Fl A	365	.Fl A
362	and	366	and
363	.Fl a	367	.Fl a
364	options described later) and	368	options described later) and
365	the user is using an authentication agent, the connection to the agent	369	the user is using an authentication agent, the connection to the agent
366	is automatically forwarded to the remote side.	370	is automatically forwarded to the remote side.
367	.Pp	371	.Pp
@@ -403,10 +407,11 @@ Disables forwarding of the authentication agent connection.
403	Enables forwarding of the authentication agent connection.	407	Enables forwarding of the authentication agent connection.
404	This can also be specified on a per-host basis in a configuration file.	408	This can also be specified on a per-host basis in a configuration file.
405	.Pp	409	.Pp
406	Agent forwarding should be enabled with caution. Users with the	410	Agent forwarding should be enabled with caution.
407	ability to bypass file permissions on the remote host (for the agent's	411	Users with the ability to bypass file permissions on the remote host
408	Unix-domain socket) can access the local agent through the forwarded	412	(for the agent's Unix-domain socket)
409	connection. An attacker cannot obtain key material from the agent,	413	can access the local agent through the forwarded connection.
		414	An attacker cannot obtain key material from the agent,
410	however they can perform operations on the keys that enable them to	415	however they can perform operations on the keys that enable them to
411	authenticate using the identities loaded into the agent.	416	authenticate using the identities loaded into the agent.
412	.It Fl b Ar bind_address	417	.It Fl b Ar bind_address
@@ -428,8 +433,8 @@ is only supported in the
428	client for interoperability with legacy protocol 1 implementations	433	client for interoperability with legacy protocol 1 implementations
429	that do not support the	434	that do not support the
430	.Ar 3des	435	.Ar 3des
431	cipher. Its use is strongly discouraged due to cryptographic	436	cipher.
432	weaknesses.	437	Its use is strongly discouraged due to cryptographic weaknesses.
433	.It Fl c Ar cipher_spec	438	.It Fl c Ar cipher_spec
434	Additionally, for protocol version 2 a comma-separated list of ciphers can	439	Additionally, for protocol version 2 a comma-separated list of ciphers can
435	be specified in order of preference.	440	be specified in order of preference.
@@ -566,11 +571,11 @@ Disables X11 forwarding.
566	Enables X11 forwarding.	571	Enables X11 forwarding.
567	This can also be specified on a per-host basis in a configuration file.	572	This can also be specified on a per-host basis in a configuration file.
568	.Pp	573	.Pp
569	X11 forwarding should be enabled with caution. Users with the ability	574	X11 forwarding should be enabled with caution.
570	to bypass file permissions on the remote host (for the user's X	575	Users with the ability to bypass file permissions on the remote host
571	authorization database) can access the local X11 display through the	576	(for the user's X authorization database)
572	forwarded connection. An attacker may then be able to perform	577	can access the local X11 display through the forwarded connection.
573	activities such as keystroke monitoring.	578	An attacker may then be able to perform activities such as keystroke monitoring.
574	.It Fl C	579	.It Fl C
575	Requests compression of all data (including stdin, stdout, stderr, and	580	Requests compression of all data (including stdin, stdout, stderr, and
576	data for forwarded X11 and TCP/IP connections).	581	data for forwarded X11 and TCP/IP connections).
@@ -637,7 +642,8 @@ This works by allocating a socket to listen to
637	on the local side, and whenever a connection is made to this port, the	642	on the local side, and whenever a connection is made to this port, the
638	connection is forwarded over the secure channel, and the application	643	connection is forwarded over the secure channel, and the application
639	protocol is then used to determine where to connect to from the	644	protocol is then used to determine where to connect to from the
640	remote machine. Currently the SOCKS4 protocol is supported, and	645	remote machine.
		646	Currently the SOCKS4 protocol is supported, and
641	.Nm	647	.Nm
642	will act as a SOCKS4 server.	648	will act as a SOCKS4 server.
643	Only root can forward privileged ports.	649	Only root can forward privileged ports.