1 files changed, 52 insertions, 6 deletions
diff --git a/ssh.1 b/ssh.1
index 1bf6b5e1c..1883578f2 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.277 2008/07/02 13:47:39 djm Exp $
-.Dd $Mdocdate: June 12 2007 $
+.Dd $Mdocdate: July 2 2008 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -290,6 +290,15 @@ This implies
 The recommended way to start X11 programs at a remote site is with
 something like
 .Ic ssh -f host xterm .
+.Pp
+If the
+.Cm ExitOnForwardFailure
+configuration option is set to
+.Dq yes ,
+then a client started with
+.Fl f
+will wait for all remote port forwards to be successfully established
+before placing itself in the background.
 .It Fl g
 Allows remote hosts to connect to local forwarded ports.
 .It Fl I Ar smartcard_device
@@ -498,6 +507,7 @@ For full details of the options listed below, and their possible values, see
 .It User
 .It UserKnownHostsFile
 .It VerifyHostKeyDNS
+.It VisualHostKey
 .It XAuthLocation
 .El
 .It Fl p Ar port
@@ -506,7 +516,7 @@ This can be specified on a
 per-host basis in the configuration file.
 .It Fl q
 Quiet mode.
-Causes all warning and diagnostic messages to be suppressed.
+Causes most warning and diagnostic messages to be suppressed.
 .It Fl R Xo
 .Sm off
 .Oo Ar bind_address : Oc
@@ -1027,9 +1037,31 @@ Fingerprints can be determined using
 .Pp
 .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
 .Pp
-If the fingerprint is already known,
+If the fingerprint is already known, it can be matched
-it can be matched and verified,
+and the key can be accepted or rejected.
-and the key can be accepted.
+Because of the difficulty of comparing host keys
+just by looking at hex strings,
+there is also support to compare host keys visually,
+using
+.Em random art .
+By setting the
+.Cm VisualHostKey
+option to
+.Dq yes ,
+a small ASCII graphic gets displayed on every login to a server, no matter
+if the session itself is interactive or not.
+By learning the pattern a known server produces, a user can easily
+find out that the host key has changed when a completely different pattern
+is displayed.
+Because these patterns are not unambiguous however, a pattern that looks
+similar to the pattern remembered only gives a good probability that the
+host key is the same, not guaranteed proof.
+.Pp
+To get a listing of the fingerprints along with their random art for
+all known hosts, the following command line can be used:
+.Pp
+.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
+.Pp
 If the fingerprint is unknown,
 an alternative method of verification is available:
 SSH fingerprints verified by DNS.
@@ -1245,6 +1277,13 @@ This file is used in exactly the same way as
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
+.It ~/.ssh/
+This directory is the default location for all user-specific configuration
+and authentication information.
+There is no general requirement to keep the entire contents of this directory
+secret, but the recommended permissions are read/write/execute for the user,
+and not accessible by others.
+.Pp
 .It ~/.ssh/authorized_keys
 Lists the public keys (RSA/DSA) that can be used for logging in as this user.
 The format of this file is described in the
@@ -1426,6 +1465,13 @@ manual page for more information.
 .%T "The Secure Shell (SSH) Public Key File Format"
 .%D 2006
 .Re
+.Rs
+.%T "Hash Visualization: a New Technique to improve Real-World Security"
+.%A A. Perrig
+.%A D. Song
+.%D 1999
+.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
+.Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.

diff --git a/ssh.1 b/ssh.1 index 1bf6b5e1c..1883578f2 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.277 2008/07/02 13:47:39 djm Exp $
38	.Dd $Mdocdate: June 12 2007 $	38	.Dd $Mdocdate: July 2 2008 $
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -290,6 +290,15 @@ This implies
290	The recommended way to start X11 programs at a remote site is with	290	The recommended way to start X11 programs at a remote site is with
291	something like	291	something like
292	.Ic ssh -f host xterm .	292	.Ic ssh -f host xterm .
		293	.Pp
		294	If the
		295	.Cm ExitOnForwardFailure
		296	configuration option is set to
		297	.Dq yes ,
		298	then a client started with
		299	.Fl f
		300	will wait for all remote port forwards to be successfully established
		301	before placing itself in the background.
293	.It Fl g	302	.It Fl g
294	Allows remote hosts to connect to local forwarded ports.	303	Allows remote hosts to connect to local forwarded ports.
295	.It Fl I Ar smartcard_device	304	.It Fl I Ar smartcard_device
@@ -498,6 +507,7 @@ For full details of the options listed below, and their possible values, see
498	.It User	507	.It User
499	.It UserKnownHostsFile	508	.It UserKnownHostsFile
500	.It VerifyHostKeyDNS	509	.It VerifyHostKeyDNS
		510	.It VisualHostKey
501	.It XAuthLocation	511	.It XAuthLocation
502	.El	512	.El
503	.It Fl p Ar port	513	.It Fl p Ar port
@@ -506,7 +516,7 @@ This can be specified on a
506	per-host basis in the configuration file.	516	per-host basis in the configuration file.
507	.It Fl q	517	.It Fl q
508	Quiet mode.	518	Quiet mode.
509	Causes all warning and diagnostic messages to be suppressed.	519	Causes most warning and diagnostic messages to be suppressed.
510	.It Fl R Xo	520	.It Fl R Xo
511	.Sm off	521	.Sm off
512	.Oo Ar bind_address : Oc	522	.Oo Ar bind_address : Oc
@@ -1027,9 +1037,31 @@ Fingerprints can be determined using
1027	.Pp	1037	.Pp
1028	.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key	1038	.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1029	.Pp	1039	.Pp
1030	If the fingerprint is already known,	1040	If the fingerprint is already known, it can be matched
1031	it can be matched and verified,	1041	and the key can be accepted or rejected.
1032	and the key can be accepted.	1042	Because of the difficulty of comparing host keys
		1043	just by looking at hex strings,
		1044	there is also support to compare host keys visually,
		1045	using
		1046	.Em random art .
		1047	By setting the
		1048	.Cm VisualHostKey
		1049	option to
		1050	.Dq yes ,
		1051	a small ASCII graphic gets displayed on every login to a server, no matter
		1052	if the session itself is interactive or not.
		1053	By learning the pattern a known server produces, a user can easily
		1054	find out that the host key has changed when a completely different pattern
		1055	is displayed.
		1056	Because these patterns are not unambiguous however, a pattern that looks
		1057	similar to the pattern remembered only gives a good probability that the
		1058	host key is the same, not guaranteed proof.
		1059	.Pp
		1060	To get a listing of the fingerprints along with their random art for
		1061	all known hosts, the following command line can be used:
		1062	.Pp
		1063	.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
		1064	.Pp
1033	If the fingerprint is unknown,	1065	If the fingerprint is unknown,
1034	an alternative method of verification is available:	1066	an alternative method of verification is available:
1035	SSH fingerprints verified by DNS.	1067	SSH fingerprints verified by DNS.
@@ -1245,6 +1277,13 @@ This file is used in exactly the same way as
1245	but allows host-based authentication without permitting login with	1277	but allows host-based authentication without permitting login with
1246	rlogin/rsh.	1278	rlogin/rsh.
1247	.Pp	1279	.Pp
		1280	.It ~/.ssh/
		1281	This directory is the default location for all user-specific configuration
		1282	and authentication information.
		1283	There is no general requirement to keep the entire contents of this directory
		1284	secret, but the recommended permissions are read/write/execute for the user,
		1285	and not accessible by others.
		1286	.Pp
1248	.It ~/.ssh/authorized_keys	1287	.It ~/.ssh/authorized_keys
1249	Lists the public keys (RSA/DSA) that can be used for logging in as this user.	1288	Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1250	The format of this file is described in the	1289	The format of this file is described in the
@@ -1426,6 +1465,13 @@ manual page for more information.
1426	.%T "The Secure Shell (SSH) Public Key File Format"	1465	.%T "The Secure Shell (SSH) Public Key File Format"
1427	.%D 2006	1466	.%D 2006
1428	.Re	1467	.Re
		1468	.Rs
		1469	.%T "Hash Visualization: a New Technique to improve Real-World Security"
		1470	.%A A. Perrig
		1471	.%A D. Song
		1472	.%D 1999
		1473	.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
		1474	.Re
1429	.Sh AUTHORS	1475	.Sh AUTHORS
1430	OpenSSH is a derivative of the original and free	1476	OpenSSH is a derivative of the original and free
1431	ssh 1.2.12 release by Tatu Ylonen.	1477	ssh 1.2.12 release by Tatu Ylonen.