1 files changed, 52 insertions, 6 deletions
diff --git a/ssh.1 b/ssh.1
index 8b5c46c74..1229201da 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.277 2008/07/02 13:47:39 djm Exp $
-.Dd $Mdocdate: June 12 2007 $
+.Dd $Mdocdate: July 2 2008 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -290,6 +290,15 @@ This implies
 The recommended way to start X11 programs at a remote site is with
 something like
 .Ic ssh -f host xterm .
+.Pp
+If the
+.Cm ExitOnForwardFailure
+configuration option is set to
+.Dq yes ,
+then a client started with
+.Fl f
+will wait for all remote port forwards to be successfully established
+before placing itself in the background.
 .It Fl g
 Allows remote hosts to connect to local forwarded ports.
 .It Fl I Ar smartcard_device
@@ -498,6 +507,7 @@ For full details of the options listed below, and their possible values, see
 .It User
 .It UserKnownHostsFile
 .It VerifyHostKeyDNS
+.It VisualHostKey
 .It XAuthLocation
 .El
 .It Fl p Ar port
@@ -506,7 +516,7 @@ This can be specified on a
 per-host basis in the configuration file.
 .It Fl q
 Quiet mode.
-Causes all warning and diagnostic messages to be suppressed.
+Causes most warning and diagnostic messages to be suppressed.
 Only fatal errors are displayed.
 If a second
 .Fl q
@@ -1035,9 +1045,31 @@ Fingerprints can be determined using
 .Pp
 .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
 .Pp
-If the fingerprint is already known,
+If the fingerprint is already known, it can be matched
-it can be matched and verified,
+and the key can be accepted or rejected.
-and the key can be accepted.
+Because of the difficulty of comparing host keys
+just by looking at hex strings,
+there is also support to compare host keys visually,
+using
+.Em random art .
+By setting the
+.Cm VisualHostKey
+option to
+.Dq yes ,
+a small ASCII graphic gets displayed on every login to a server, no matter
+if the session itself is interactive or not.
+By learning the pattern a known server produces, a user can easily
+find out that the host key has changed when a completely different pattern
+is displayed.
+Because these patterns are not unambiguous however, a pattern that looks
+similar to the pattern remembered only gives a good probability that the
+host key is the same, not guaranteed proof.
+.Pp
+To get a listing of the fingerprints along with their random art for
+all known hosts, the following command line can be used:
+.Pp
+.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
+.Pp
 If the fingerprint is unknown,
 an alternative method of verification is available:
 SSH fingerprints verified by DNS.
@@ -1253,6 +1285,13 @@ This file is used in exactly the same way as
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
+.It ~/.ssh/
+This directory is the default location for all user-specific configuration
+and authentication information.
+There is no general requirement to keep the entire contents of this directory
+secret, but the recommended permissions are read/write/execute for the user,
+and not accessible by others.
+.Pp
 .It ~/.ssh/authorized_keys
 Lists the public keys (RSA/DSA) that can be used for logging in as this user.
 The format of this file is described in the
@@ -1438,6 +1477,13 @@ manual page for more information.
 .%T "The Secure Shell (SSH) Public Key File Format"
 .%D 2006
 .Re
+.Rs
+.%T "Hash Visualization: a New Technique to improve Real-World Security"
+.%A A. Perrig
+.%A D. Song
+.%D 1999
+.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
+.Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.

diff --git a/ssh.1 b/ssh.1 index 8b5c46c74..1229201da 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.277 2008/07/02 13:47:39 djm Exp $
38	.Dd $Mdocdate: June 12 2007 $	38	.Dd $Mdocdate: July 2 2008 $
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -290,6 +290,15 @@ This implies
290	The recommended way to start X11 programs at a remote site is with	290	The recommended way to start X11 programs at a remote site is with
291	something like	291	something like
292	.Ic ssh -f host xterm .	292	.Ic ssh -f host xterm .
		293	.Pp
		294	If the
		295	.Cm ExitOnForwardFailure
		296	configuration option is set to
		297	.Dq yes ,
		298	then a client started with
		299	.Fl f
		300	will wait for all remote port forwards to be successfully established
		301	before placing itself in the background.
293	.It Fl g	302	.It Fl g
294	Allows remote hosts to connect to local forwarded ports.	303	Allows remote hosts to connect to local forwarded ports.
295	.It Fl I Ar smartcard_device	304	.It Fl I Ar smartcard_device
@@ -498,6 +507,7 @@ For full details of the options listed below, and their possible values, see
498	.It User	507	.It User
499	.It UserKnownHostsFile	508	.It UserKnownHostsFile
500	.It VerifyHostKeyDNS	509	.It VerifyHostKeyDNS
		510	.It VisualHostKey
501	.It XAuthLocation	511	.It XAuthLocation
502	.El	512	.El
503	.It Fl p Ar port	513	.It Fl p Ar port
@@ -506,7 +516,7 @@ This can be specified on a
506	per-host basis in the configuration file.	516	per-host basis in the configuration file.
507	.It Fl q	517	.It Fl q
508	Quiet mode.	518	Quiet mode.
509	Causes all warning and diagnostic messages to be suppressed.	519	Causes most warning and diagnostic messages to be suppressed.
510	Only fatal errors are displayed.	520	Only fatal errors are displayed.
511	If a second	521	If a second
512	.Fl q	522	.Fl q
@@ -1035,9 +1045,31 @@ Fingerprints can be determined using
1035	.Pp	1045	.Pp
1036	.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key	1046	.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1037	.Pp	1047	.Pp
1038	If the fingerprint is already known,	1048	If the fingerprint is already known, it can be matched
1039	it can be matched and verified,	1049	and the key can be accepted or rejected.
1040	and the key can be accepted.	1050	Because of the difficulty of comparing host keys
		1051	just by looking at hex strings,
		1052	there is also support to compare host keys visually,
		1053	using
		1054	.Em random art .
		1055	By setting the
		1056	.Cm VisualHostKey
		1057	option to
		1058	.Dq yes ,
		1059	a small ASCII graphic gets displayed on every login to a server, no matter
		1060	if the session itself is interactive or not.
		1061	By learning the pattern a known server produces, a user can easily
		1062	find out that the host key has changed when a completely different pattern
		1063	is displayed.
		1064	Because these patterns are not unambiguous however, a pattern that looks
		1065	similar to the pattern remembered only gives a good probability that the
		1066	host key is the same, not guaranteed proof.
		1067	.Pp
		1068	To get a listing of the fingerprints along with their random art for
		1069	all known hosts, the following command line can be used:
		1070	.Pp
		1071	.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
		1072	.Pp
1041	If the fingerprint is unknown,	1073	If the fingerprint is unknown,
1042	an alternative method of verification is available:	1074	an alternative method of verification is available:
1043	SSH fingerprints verified by DNS.	1075	SSH fingerprints verified by DNS.
@@ -1253,6 +1285,13 @@ This file is used in exactly the same way as
1253	but allows host-based authentication without permitting login with	1285	but allows host-based authentication without permitting login with
1254	rlogin/rsh.	1286	rlogin/rsh.
1255	.Pp	1287	.Pp
		1288	.It ~/.ssh/
		1289	This directory is the default location for all user-specific configuration
		1290	and authentication information.
		1291	There is no general requirement to keep the entire contents of this directory
		1292	secret, but the recommended permissions are read/write/execute for the user,
		1293	and not accessible by others.
		1294	.Pp
1256	.It ~/.ssh/authorized_keys	1295	.It ~/.ssh/authorized_keys
1257	Lists the public keys (RSA/DSA) that can be used for logging in as this user.	1296	Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1258	The format of this file is described in the	1297	The format of this file is described in the
@@ -1438,6 +1477,13 @@ manual page for more information.
1438	.%T "The Secure Shell (SSH) Public Key File Format"	1477	.%T "The Secure Shell (SSH) Public Key File Format"
1439	.%D 2006	1478	.%D 2006
1440	.Re	1479	.Re
		1480	.Rs
		1481	.%T "Hash Visualization: a New Technique to improve Real-World Security"
		1482	.%A A. Perrig
		1483	.%A D. Song
		1484	.%D 1999
		1485	.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
		1486	.Re
1441	.Sh AUTHORS	1487	.Sh AUTHORS
1442	OpenSSH is a derivative of the original and free	1488	OpenSSH is a derivative of the original and free
1443	ssh 1.2.12 release by Tatu Ylonen.	1489	ssh 1.2.12 release by Tatu Ylonen.