1 files changed, 25 insertions, 34 deletions
diff --git a/ssh.1 b/ssh.1
index 7760c3075..9480eba8d 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.399 2018/09/20 06:58:48 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.402 2019/03/16 19:14:21 jmc Exp $
-.Dd $Mdocdate: September 20 2018 $
+.Dd $Mdocdate: March 16 2019 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -270,8 +270,8 @@ on the master process.
 .It Fl I Ar pkcs11
 Specify the PKCS#11 shared library
 .Nm
-should use to communicate with a PKCS#11 token providing the user's
+should use to communicate with a PKCS#11 token providing keys for user
-private RSA key.
+authentication.
 .Pp
 .It Fl i Ar identity_file
 Selects a file from which the identity (private key) for
@@ -308,6 +308,11 @@ Multiple jump hops may be specified separated by comma characters.
 This is a shortcut to specify a
 .Cm ProxyJump
 configuration directive.
+Note that configuration directives supplied on the command-line generally
+apply to the destination host and not any specified jump hosts.
+Use
+.Pa ~/.ssh/config
+to specify configuration for jump hosts.
 .Pp
 .It Fl K
 Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
@@ -1085,49 +1090,35 @@ Increase the verbosity
 when errors are being written to stderr.
 .El
 .Sh TCP FORWARDING
-Forwarding of arbitrary TCP connections over the secure channel can
+Forwarding of arbitrary TCP connections over a secure channel
-be specified either on the command line or in a configuration file.
+can be specified either on the command line or in a configuration file.
 One possible application of TCP forwarding is a secure connection to a
 mail server; another is going through firewalls.
 .Pp
-In the example below, we look at encrypting communication between
+In the example below, we look at encrypting communication for an IRC client,
-an IRC client and server, even though the IRC server does not directly
+even though the IRC server it connects to does not directly
-support encrypted communications.
+support encrypted communication.
 This works as follows:
 the user connects to the remote host using
 .Nm ,
-specifying a port to be used to forward connections
+specifying the ports to be used to forward the connection.
-to the remote server.
+After that it is possible to start the program locally,
-After that it is possible to start the service which is to be encrypted
-on the client machine,
-connecting to the same local port,
 and
 .Nm
-will encrypt and forward the connection.
+will encrypt and forward the connection to the remote server.
 .Pp
-The following example tunnels an IRC session from client machine
+The following example tunnels an IRC session from the client
-.Dq 127.0.0.1
+to an IRC server at
-(localhost)
-to remote server
-.Dq server.example.com :
-.Bd -literal -offset 4n
-$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
-$ irc -c '#users' -p 1234 pinky 127.0.0.1
-.Ed
-.Pp
-This tunnels a connection to IRC server
 .Dq server.example.com ,
 joining channel
 .Dq #users ,
 nickname
 .Dq pinky ,
-using port 1234.
+using the standard IRC port, 6667:
-It doesn't matter which port is used,
+.Bd -literal -offset 4n
-as long as it's greater than 1023
+$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
-(remember, only root can open sockets on privileged ports)
+$ irc -c '#users' pinky IRC/127.0.0.1
-and doesn't conflict with any ports already in use.
+.Ed
-The connection is forwarded to port 6667 on the remote server,
-since that's the standard port for IRC services.
 .Pp
 The
 .Fl f
@@ -1137,7 +1128,7 @@ and the remote command
 .Dq sleep 10
 is specified to allow an amount of time
 (10 seconds, in the example)
-to start the service which is to be tunnelled.
+to start the program which is going to use the tunnel.
 If no connections are made within the time specified,
 .Nm
 will exit.

diff --git a/ssh.1 b/ssh.1 index 7760c3075..9480eba8d 100644 --- a/ssh.1 +++ b/ssh.1
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh.1,v 1.399 2018/09/20 06:58:48 jmc Exp $	36	.\" $OpenBSD: ssh.1,v 1.402 2019/03/16 19:14:21 jmc Exp $
37	.Dd $Mdocdate: September 20 2018 $	37	.Dd $Mdocdate: March 16 2019 $
38	.Dt SSH 1	38	.Dt SSH 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -270,8 +270,8 @@ on the master process.
270	.It Fl I Ar pkcs11	270	.It Fl I Ar pkcs11
271	Specify the PKCS#11 shared library	271	Specify the PKCS#11 shared library
272	.Nm	272	.Nm
273	should use to communicate with a PKCS#11 token providing the user's	273	should use to communicate with a PKCS#11 token providing keys for user
274	private RSA key.	274	authentication.
275	.Pp	275	.Pp
276	.It Fl i Ar identity_file	276	.It Fl i Ar identity_file
277	Selects a file from which the identity (private key) for	277	Selects a file from which the identity (private key) for
@@ -308,6 +308,11 @@ Multiple jump hops may be specified separated by comma characters.
308	This is a shortcut to specify a	308	This is a shortcut to specify a
309	.Cm ProxyJump	309	.Cm ProxyJump
310	configuration directive.	310	configuration directive.
		311	Note that configuration directives supplied on the command-line generally
		312	apply to the destination host and not any specified jump hosts.
		313	Use
		314	.Pa ~/.ssh/config
		315	to specify configuration for jump hosts.
311	.Pp	316	.Pp
312	.It Fl K	317	.It Fl K
313	Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI	318	Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
@@ -1085,49 +1090,35 @@ Increase the verbosity
1085	when errors are being written to stderr.	1090	when errors are being written to stderr.
1086	.El	1091	.El
1087	.Sh TCP FORWARDING	1092	.Sh TCP FORWARDING
1088	Forwarding of arbitrary TCP connections over the secure channel can	1093	Forwarding of arbitrary TCP connections over a secure channel
1089	be specified either on the command line or in a configuration file.	1094	can be specified either on the command line or in a configuration file.
1090	One possible application of TCP forwarding is a secure connection to a	1095	One possible application of TCP forwarding is a secure connection to a
1091	mail server; another is going through firewalls.	1096	mail server; another is going through firewalls.
1092	.Pp	1097	.Pp
1093	In the example below, we look at encrypting communication between	1098	In the example below, we look at encrypting communication for an IRC client,
1094	an IRC client and server, even though the IRC server does not directly	1099	even though the IRC server it connects to does not directly
1095	support encrypted communications.	1100	support encrypted communication.
1096	This works as follows:	1101	This works as follows:
1097	the user connects to the remote host using	1102	the user connects to the remote host using
1098	.Nm ,	1103	.Nm ,
1099	specifying a port to be used to forward connections	1104	specifying the ports to be used to forward the connection.
1100	to the remote server.	1105	After that it is possible to start the program locally,
1101	After that it is possible to start the service which is to be encrypted
1102	on the client machine,
1103	connecting to the same local port,
1104	and	1106	and
1105	.Nm	1107	.Nm
1106	will encrypt and forward the connection.	1108	will encrypt and forward the connection to the remote server.
1107	.Pp	1109	.Pp
1108	The following example tunnels an IRC session from client machine	1110	The following example tunnels an IRC session from the client
1109	.Dq 127.0.0.1	1111	to an IRC server at
1110	(localhost)
1111	to remote server
1112	.Dq server.example.com :
1113	.Bd -literal -offset 4n
1114	$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
1115	$ irc -c '#users' -p 1234 pinky 127.0.0.1
1116	.Ed
1117	.Pp
1118	This tunnels a connection to IRC server
1119	.Dq server.example.com ,	1112	.Dq server.example.com ,
1120	joining channel	1113	joining channel
1121	.Dq #users ,	1114	.Dq #users ,
1122	nickname	1115	nickname
1123	.Dq pinky ,	1116	.Dq pinky ,
1124	using port 1234.	1117	using the standard IRC port, 6667:
1125	It doesn't matter which port is used,	1118	.Bd -literal -offset 4n
1126	as long as it's greater than 1023	1119	$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
1127	(remember, only root can open sockets on privileged ports)	1120	$ irc -c '#users' pinky IRC/127.0.0.1
1128	and doesn't conflict with any ports already in use.	1121	.Ed
1129	The connection is forwarded to port 6667 on the remote server,
1130	since that's the standard port for IRC services.
1131	.Pp	1122	.Pp
1132	The	1123	The
1133	.Fl f	1124	.Fl f
@@ -1137,7 +1128,7 @@ and the remote command
1137	.Dq sleep 10	1128	.Dq sleep 10
1138	is specified to allow an amount of time	1129	is specified to allow an amount of time
1139	(10 seconds, in the example)	1130	(10 seconds, in the example)
1140	to start the service which is to be tunnelled.	1131	to start the program which is going to use the tunnel.
1141	If no connections are made within the time specified,	1132	If no connections are made within the time specified,
1142	.Nm	1133	.Nm
1143	will exit.	1134	will exit.