1 files changed, 31 insertions, 61 deletions
diff --git a/ssh.1 b/ssh.1
index 4011c65aa..2ab1697f9 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.384 2017/09/21 19:16:53 markus Exp $
-.Dd $Mdocdate: July 16 2016 $
+.Dd $Mdocdate: September 21 2017 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@
 .Sh SYNOPSIS
 .Nm ssh
 .Bk -words
-.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
 .Op Fl D Oo Ar bind_address : Oc Ns Ar port
@@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell.
 The options are as follows:
 .Pp
 .Bl -tag -width Ds -compact
-.It Fl 1
-Forces
-.Nm
-to try protocol version 1 only.
-.Pp
-.It Fl 2
-Forces
-.Nm
-to try protocol version 2 only.
-.Pp
 .It Fl 4
 Forces
 .Nm
@@ -144,12 +134,7 @@ data for forwarded X11, TCP and
 .Ux Ns -domain
 connections).
 The compression algorithm is the same used by
-.Xr gzip 1 ,
+.Xr gzip 1 .
-and the
-.Dq level
-can be controlled by the
-.Cm CompressionLevel
-option for protocol version 1.
 Compression is desirable on modem lines and other
 slow connections, but will only slow down things on fast networks.
 The default value can be set on a host-by-host basis in the
@@ -159,14 +144,6 @@ option.
 .Pp
 .It Fl c Ar cipher_spec
 Selects the cipher specification for encrypting the session.
-.Pp
-Protocol version 1 allows specification of a single cipher.
-The supported values are
-.Dq 3des ,
-.Dq blowfish ,
-and
-.Dq des .
-For protocol version 2,
 .Ar cipher_spec
 is a comma-separated list of ciphers
 listed in order of preference.
@@ -290,14 +267,11 @@ private RSA key.
 Selects a file from which the identity (private key) for
 public key authentication is read.
 The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ed25519
 and
-.Pa ~/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa .
-for protocol version 2.
 Identity files may also be specified on
 a per-host basis in the configuration file.
 It is possible to have multiple
@@ -491,11 +465,9 @@ For full details of the options listed below, and their possible values, see
 .It CertificateFile
 .It ChallengeResponseAuthentication
 .It CheckHostIP
-.It Cipher
 .It Ciphers
 .It ClearAllForwardings
 .It Compression
-.It CompressionLevel
 .It ConnectionAttempts
 .It ConnectTimeout
 .It ControlMaster
@@ -540,17 +512,15 @@ For full details of the options listed below, and their possible values, see
 .It PKCS11Provider
 .It Port
 .It PreferredAuthentications
-.It Protocol
 .It ProxyCommand
 .It ProxyJump
 .It ProxyUseFdpass
 .It PubkeyAcceptedKeyTypes
 .It PubkeyAuthentication
 .It RekeyLimit
+.It RemoteCommand
 .It RemoteForward
 .It RequestTTY
-.It RhostsRSAAuthentication
-.It RSAAuthentication
 .It SendEnv
 .It ServerAliveInterval
 .It ServerAliveCountMax
@@ -622,21 +592,30 @@ Causes most warning and diagnostic messages to be suppressed.
 .Ar remote_socket : local_socket
 .Sm on
 .Xc
+.It Fl R Xo
+.Sm off
+.Oo Ar bind_address : Oc
+.Ar port
+.Sm on
+.Xc
 Specifies that connections to the given TCP port or Unix socket on the remote
-(server) host are to be forwarded to the given host and port, or Unix socket,
+(server) host are to be forwarded to the local side.
-on the local side.
+.Pp
 This works by allocating a socket to listen to either a TCP
 .Ar port
 or to a Unix socket on the remote side.
 Whenever a connection is made to this port or Unix socket, the
 connection is forwarded over the secure channel, and a connection
-is made to either
+is made from the local machine to either an explicit destination specified by
 .Ar host
 port
 .Ar hostport ,
 or
 .Ar local_socket ,
-from the local machine.
+or, if no explicit destination was specified,
+.Nm
+will act as a SOCKS 4/5 proxy and forward connections to the destinations
+requested by the remote SOCKS client.
 .Pp
 Port forwardings can also be specified in the configuration file.
 Privileged ports can be forwarded only when
@@ -806,21 +785,7 @@ a per-user configuration file and a system-wide configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
 .Sh AUTHENTICATION
-The OpenSSH SSH client supports SSH protocols 1 and 2.
+The OpenSSH SSH client supports SSH protocol 2.
-The default is to use protocol 2 only,
-though this can be changed via the
-.Cm Protocol
-option in
-.Xr ssh_config 5
-or the
-.Fl 1
-and
-.Fl 2
-options (see above).
-Protocol 1 should not be used
-and is only offered to support legacy devices.
-It suffers from a number of cryptographic weaknesses
-and doesn't support many of the advanced features available for protocol 2.
 .Pp
 The methods available for authentication are:
 GSSAPI-based authentication,
@@ -890,11 +855,20 @@ The client proves that it has access to the private key
 and the server checks that the corresponding public key
 is authorized to accept the account.
 .Pp
+The server may inform the client of errors that prevented public key
+authentication from succeeding after authentication completes using a
+different method.
+These may be viewed by increasing the
+.Cm LogLevel
+to
+.Cm DEBUG
+or higher (e.g. by using the
+.Fl v
+flag).
+.Pp
 The user creates his/her key pair by running
 .Xr ssh-keygen 1 .
 This stores the private key in
-.Pa ~/.ssh/identity
-(protocol 1),
 .Pa ~/.ssh/id_dsa
 (DSA),
 .Pa ~/.ssh/id_ecdsa
@@ -905,8 +879,6 @@ or
 .Pa ~/.ssh/id_rsa
 (RSA)
 and stores the public key in
-.Pa ~/.ssh/identity.pub
-(protocol 1),
 .Pa ~/.ssh/id_dsa.pub
 (DSA),
 .Pa ~/.ssh/id_ecdsa.pub
@@ -1490,7 +1462,6 @@ Contains additional definitions for environment variables; see
 .Sx ENVIRONMENT ,
 above.
 .Pp
-.It Pa ~/.ssh/identity
 .It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
 .It Pa ~/.ssh/id_ed25519
@@ -1505,7 +1476,6 @@ It is possible to specify a passphrase when
 generating the key which will be used to encrypt the
 sensitive part of this file using 3DES.
 .Pp
-.It Pa ~/.ssh/identity.pub
 .It Pa ~/.ssh/id_dsa.pub
 .It Pa ~/.ssh/id_ecdsa.pub
 .It Pa ~/.ssh/id_ed25519.pub

diff --git a/ssh.1 b/ssh.1 index 4011c65aa..2ab1697f9 100644 --- a/ssh.1 +++ b/ssh.1
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $	36	.\" $OpenBSD: ssh.1,v 1.384 2017/09/21 19:16:53 markus Exp $
37	.Dd $Mdocdate: July 16 2016 $	37	.Dd $Mdocdate: September 21 2017 $
38	.Dt SSH 1	38	.Dt SSH 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -43,7 +43,7 @@
43	.Sh SYNOPSIS	43	.Sh SYNOPSIS
44	.Nm ssh	44	.Nm ssh
45	.Bk -words	45	.Bk -words
46	.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy	46	.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
47	.Op Fl b Ar bind_address	47	.Op Fl b Ar bind_address
48	.Op Fl c Ar cipher_spec	48	.Op Fl c Ar cipher_spec
49	.Op Fl D Oo Ar bind_address : Oc Ns Ar port	49	.Op Fl D Oo Ar bind_address : Oc Ns Ar port
@@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell.
95	The options are as follows:	95	The options are as follows:
96	.Pp	96	.Pp
97	.Bl -tag -width Ds -compact	97	.Bl -tag -width Ds -compact
98	.It Fl 1
99	Forces
100	.Nm
101	to try protocol version 1 only.
102	.Pp
103	.It Fl 2
104	Forces
105	.Nm
106	to try protocol version 2 only.
107	.Pp
108	.It Fl 4	98	.It Fl 4
109	Forces	99	Forces
110	.Nm	100	.Nm
@@ -144,12 +134,7 @@ data for forwarded X11, TCP and
144	.Ux Ns -domain	134	.Ux Ns -domain
145	connections).	135	connections).
146	The compression algorithm is the same used by	136	The compression algorithm is the same used by
147	.Xr gzip 1 ,	137	.Xr gzip 1 .
148	and the
149	.Dq level
150	can be controlled by the
151	.Cm CompressionLevel
152	option for protocol version 1.
153	Compression is desirable on modem lines and other	138	Compression is desirable on modem lines and other
154	slow connections, but will only slow down things on fast networks.	139	slow connections, but will only slow down things on fast networks.
155	The default value can be set on a host-by-host basis in the	140	The default value can be set on a host-by-host basis in the
@@ -159,14 +144,6 @@ option.
159	.Pp	144	.Pp
160	.It Fl c Ar cipher_spec	145	.It Fl c Ar cipher_spec
161	Selects the cipher specification for encrypting the session.	146	Selects the cipher specification for encrypting the session.
162	.Pp
163	Protocol version 1 allows specification of a single cipher.
164	The supported values are
165	.Dq 3des ,
166	.Dq blowfish ,
167	and
168	.Dq des .
169	For protocol version 2,
170	.Ar cipher_spec	147	.Ar cipher_spec
171	is a comma-separated list of ciphers	148	is a comma-separated list of ciphers
172	listed in order of preference.	149	listed in order of preference.
@@ -290,14 +267,11 @@ private RSA key.
290	Selects a file from which the identity (private key) for	267	Selects a file from which the identity (private key) for
291	public key authentication is read.	268	public key authentication is read.
292	The default is	269	The default is
293	.Pa ~/.ssh/identity
294	for protocol version 1, and
295	.Pa ~/.ssh/id_dsa ,	270	.Pa ~/.ssh/id_dsa ,
296	.Pa ~/.ssh/id_ecdsa ,	271	.Pa ~/.ssh/id_ecdsa ,
297	.Pa ~/.ssh/id_ed25519	272	.Pa ~/.ssh/id_ed25519
298	and	273	and
299	.Pa ~/.ssh/id_rsa	274	.Pa ~/.ssh/id_rsa .
300	for protocol version 2.
301	Identity files may also be specified on	275	Identity files may also be specified on
302	a per-host basis in the configuration file.	276	a per-host basis in the configuration file.
303	It is possible to have multiple	277	It is possible to have multiple
@@ -491,11 +465,9 @@ For full details of the options listed below, and their possible values, see
491	.It CertificateFile	465	.It CertificateFile
492	.It ChallengeResponseAuthentication	466	.It ChallengeResponseAuthentication
493	.It CheckHostIP	467	.It CheckHostIP
494	.It Cipher
495	.It Ciphers	468	.It Ciphers
496	.It ClearAllForwardings	469	.It ClearAllForwardings
497	.It Compression	470	.It Compression
498	.It CompressionLevel
499	.It ConnectionAttempts	471	.It ConnectionAttempts
500	.It ConnectTimeout	472	.It ConnectTimeout
501	.It ControlMaster	473	.It ControlMaster
@@ -540,17 +512,15 @@ For full details of the options listed below, and their possible values, see
540	.It PKCS11Provider	512	.It PKCS11Provider
541	.It Port	513	.It Port
542	.It PreferredAuthentications	514	.It PreferredAuthentications
543	.It Protocol
544	.It ProxyCommand	515	.It ProxyCommand
545	.It ProxyJump	516	.It ProxyJump
546	.It ProxyUseFdpass	517	.It ProxyUseFdpass
547	.It PubkeyAcceptedKeyTypes	518	.It PubkeyAcceptedKeyTypes
548	.It PubkeyAuthentication	519	.It PubkeyAuthentication
549	.It RekeyLimit	520	.It RekeyLimit
		521	.It RemoteCommand
550	.It RemoteForward	522	.It RemoteForward
551	.It RequestTTY	523	.It RequestTTY
552	.It RhostsRSAAuthentication
553	.It RSAAuthentication
554	.It SendEnv	524	.It SendEnv
555	.It ServerAliveInterval	525	.It ServerAliveInterval
556	.It ServerAliveCountMax	526	.It ServerAliveCountMax
@@ -622,21 +592,30 @@ Causes most warning and diagnostic messages to be suppressed.
622	.Ar remote_socket : local_socket	592	.Ar remote_socket : local_socket
623	.Sm on	593	.Sm on
624	.Xc	594	.Xc
		595	.It Fl R Xo
		596	.Sm off
		597	.Oo Ar bind_address : Oc
		598	.Ar port
		599	.Sm on
		600	.Xc
625	Specifies that connections to the given TCP port or Unix socket on the remote	601	Specifies that connections to the given TCP port or Unix socket on the remote
626	(server) host are to be forwarded to the given host and port, or Unix socket,	602	(server) host are to be forwarded to the local side.
627	on the local side.	603	.Pp
628	This works by allocating a socket to listen to either a TCP	604	This works by allocating a socket to listen to either a TCP
629	.Ar port	605	.Ar port
630	or to a Unix socket on the remote side.	606	or to a Unix socket on the remote side.
631	Whenever a connection is made to this port or Unix socket, the	607	Whenever a connection is made to this port or Unix socket, the
632	connection is forwarded over the secure channel, and a connection	608	connection is forwarded over the secure channel, and a connection
633	is made to either	609	is made from the local machine to either an explicit destination specified by
634	.Ar host	610	.Ar host
635	port	611	port
636	.Ar hostport ,	612	.Ar hostport ,
637	or	613	or
638	.Ar local_socket ,	614	.Ar local_socket ,
639	from the local machine.	615	or, if no explicit destination was specified,
		616	.Nm
		617	will act as a SOCKS 4/5 proxy and forward connections to the destinations
		618	requested by the remote SOCKS client.
640	.Pp	619	.Pp
641	Port forwardings can also be specified in the configuration file.	620	Port forwardings can also be specified in the configuration file.
642	Privileged ports can be forwarded only when	621	Privileged ports can be forwarded only when
@@ -806,21 +785,7 @@ a per-user configuration file and a system-wide configuration file.
806	The file format and configuration options are described in	785	The file format and configuration options are described in
807	.Xr ssh_config 5 .	786	.Xr ssh_config 5 .
808	.Sh AUTHENTICATION	787	.Sh AUTHENTICATION
809	The OpenSSH SSH client supports SSH protocols 1 and 2.	788	The OpenSSH SSH client supports SSH protocol 2.
810	The default is to use protocol 2 only,
811	though this can be changed via the
812	.Cm Protocol
813	option in
814	.Xr ssh_config 5
815	or the
816	.Fl 1
817	and
818	.Fl 2
819	options (see above).
820	Protocol 1 should not be used
821	and is only offered to support legacy devices.
822	It suffers from a number of cryptographic weaknesses
823	and doesn't support many of the advanced features available for protocol 2.
824	.Pp	789	.Pp
825	The methods available for authentication are:	790	The methods available for authentication are:
826	GSSAPI-based authentication,	791	GSSAPI-based authentication,
@@ -890,11 +855,20 @@ The client proves that it has access to the private key
890	and the server checks that the corresponding public key	855	and the server checks that the corresponding public key
891	is authorized to accept the account.	856	is authorized to accept the account.
892	.Pp	857	.Pp
		858	The server may inform the client of errors that prevented public key
		859	authentication from succeeding after authentication completes using a
		860	different method.
		861	These may be viewed by increasing the
		862	.Cm LogLevel
		863	to
		864	.Cm DEBUG
		865	or higher (e.g. by using the
		866	.Fl v
		867	flag).
		868	.Pp
893	The user creates his/her key pair by running	869	The user creates his/her key pair by running
894	.Xr ssh-keygen 1 .	870	.Xr ssh-keygen 1 .
895	This stores the private key in	871	This stores the private key in
896	.Pa ~/.ssh/identity
897	(protocol 1),
898	.Pa ~/.ssh/id_dsa	872	.Pa ~/.ssh/id_dsa
899	(DSA),	873	(DSA),
900	.Pa ~/.ssh/id_ecdsa	874	.Pa ~/.ssh/id_ecdsa
@@ -905,8 +879,6 @@ or
905	.Pa ~/.ssh/id_rsa	879	.Pa ~/.ssh/id_rsa
906	(RSA)	880	(RSA)
907	and stores the public key in	881	and stores the public key in
908	.Pa ~/.ssh/identity.pub
909	(protocol 1),
910	.Pa ~/.ssh/id_dsa.pub	882	.Pa ~/.ssh/id_dsa.pub
911	(DSA),	883	(DSA),
912	.Pa ~/.ssh/id_ecdsa.pub	884	.Pa ~/.ssh/id_ecdsa.pub
@@ -1490,7 +1462,6 @@ Contains additional definitions for environment variables; see
1490	.Sx ENVIRONMENT ,	1462	.Sx ENVIRONMENT ,
1491	above.	1463	above.
1492	.Pp	1464	.Pp
1493	.It Pa ~/.ssh/identity
1494	.It Pa ~/.ssh/id_dsa	1465	.It Pa ~/.ssh/id_dsa
1495	.It Pa ~/.ssh/id_ecdsa	1466	.It Pa ~/.ssh/id_ecdsa
1496	.It Pa ~/.ssh/id_ed25519	1467	.It Pa ~/.ssh/id_ed25519
@@ -1505,7 +1476,6 @@ It is possible to specify a passphrase when
1505	generating the key which will be used to encrypt the	1476	generating the key which will be used to encrypt the
1506	sensitive part of this file using 3DES.	1477	sensitive part of this file using 3DES.
1507	.Pp	1478	.Pp
1508	.It Pa ~/.ssh/identity.pub
1509	.It Pa ~/.ssh/id_dsa.pub	1479	.It Pa ~/.ssh/id_dsa.pub
1510	.It Pa ~/.ssh/id_ecdsa.pub	1480	.It Pa ~/.ssh/id_ecdsa.pub
1511	.It Pa ~/.ssh/id_ed25519.pub	1481	.It Pa ~/.ssh/id_ed25519.pub