1 files changed, 110 insertions, 36 deletions
diff --git a/ssh.1 b/ssh.1
index b1662d7ac..04326e654 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -78,7 +78,8 @@
 .Oc
 .Op Fl S Ar ctl_path
 .Bk -words
-.Op Fl w Ar tunnel : Ns Ar tunnel
+.Oo Fl w Ar local_tun Ns
+.Op : Ns Ar remote_tun Oc
 .Oo Ar user Ns @ Oc Ns Ar hostname
 .Op Ar command
 .Ek
@@ -450,6 +451,7 @@ For full details of the options listed below, and their possible values, see
 .It ControlPath
 .It DynamicForward
 .It EscapeChar
+.It ExitOnForwardFailure
 .It ForwardAgent
 .It ForwardX11
 .It ForwardX11Trusted
@@ -575,7 +577,7 @@ Disable pseudo-tty allocation.
 Force pseudo-tty allocation.
 This can be used to execute arbitrary
 screen-based programs on a remote machine, which can be very useful,
-e.g., when implementing menu services.
+e.g. when implementing menu services.
 Multiple
 .Fl t
 options force tty allocation, even if
@@ -594,24 +596,35 @@ Multiple
 .Fl v
 options increase the verbosity.
 The maximum is 3.
-.It Fl w Ar tunnel : Ns Ar tunnel
+.It Fl w Xo
-Requests a
+.Ar local_tun Ns Op : Ns Ar remote_tun
+.Xc
+Requests
+tunnel
+device forwarding with the specified
 .Xr tun 4
-device on the client
+devices between the client
-(first
+.Pq Ar local_tun
-.Ar tunnel
+and the server
-arg)
+.Pq Ar remote_tun .
-and server
+.Pp
-(second
-.Ar tunnel
-arg).
 The devices may be specified by numerical ID or the keyword
 .Dq any ,
 which uses the next available tunnel device.
+If
+.Ar remote_tun
+is not specified, it defaults to
+.Dq any .
 See also the
 .Cm Tunnel
-directive in
+and
+.Cm TunnelDevice
+directives in
 .Xr ssh_config 5 .
+If the
+.Cm Tunnel
+directive is unset, it is set to the default tunnel mode, which is
+.Dq point-to-point .
 .It Fl X
 Enables X11 forwarding.
 This can also be specified on a per-host basis in a configuration file.
@@ -672,6 +685,7 @@ Protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Pp
 The methods available for authentication are:
+GSSAPI-based authentication,
 host-based authentication,
 public key authentication,
 challenge-response authentication,
@@ -878,7 +892,9 @@ and
 options (see above).
 It also allows the cancellation of existing remote port-forwardings
 using
-.Fl KR Ar hostport .
+.Sm off
+.Fl KR Oo Ar bind_address : Oc Ar port .
+.Sm on
 .Ic !\& Ns Ar command
 allows the user to execute a local command if the
 .Ic PermitLocalCommand
@@ -1031,8 +1047,7 @@ In this example, we are connecting a client to a server,
 The SSHFP resource records should first be added to the zonefile for
 host.example.com:
 .Bd -literal -offset indent
-$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
+$ ssh-keygen -r host.example.com.
-$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
 .Ed
 .Pp
 The output lines will have to be added to the zonefile.
@@ -1068,12 +1083,22 @@ controls whether the server supports this,
 and at what level (layer 2 or 3 traffic).
 .Pp
 The following example would connect client network 10.0.50.0/24
-with remote network 10.0.99.0/24, provided that the SSH server
+with remote network 10.0.99.0/24 using a point-to-point connection
-running on the gateway to the remote network,
+from 10.1.1.1 to 10.1.1.2,
-at 192.168.1.15, allows it:
+provided that the SSH server running on the gateway to the remote network,
+at 192.168.1.15, allows it.
+.Pp
+On the client:
 .Bd -literal -offset indent
 # ssh -f -w 0:1 192.168.1.15 true
-# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
+# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
+# route add 10.0.99.0/24 10.1.1.2
+.Ed
+.Pp
+On the server:
+.Bd -literal -offset indent
+# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
+# route add 10.0.50.0/24 10.1.1.1
 .Ed
 .Pp
 Client access may be more finely tuned via the
@@ -1081,11 +1106,11 @@ Client access may be more finely tuned via the
 file (see below) and the
 .Cm PermitRootLogin
 server option.
-The following entry would permit connections on the first
+The following entry would permit connections on
 .Xr tun 4
-device from user
+device 1 from user
 .Dq jane
-and on the second device from user
+and on tun device 2 from user
 .Dq john ,
 if
 .Cm PermitRootLogin
@@ -1093,10 +1118,10 @@ is set to
 .Dq forced-commands-only :
 .Bd -literal -offset 2n
 tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
-tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
+tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
 .Ed
 .Pp
-Since a SSH-based setup entails a fair amount of overhead,
+Since an SSH-based setup entails a fair amount of overhead,
 it may be more suited to temporary setups,
 such as for wireless VPNs.
 More permanent VPNs are better provided by tools such as
@@ -1184,7 +1209,7 @@ If the current session has no tty,
 this variable is not set.
 .It Ev TZ
 This variable is set to indicate the present time zone if it
-was set when the daemon was started (i.e., the daemon passes the value
+was set when the daemon was started (i.e. the daemon passes the value
 on to new connections).
 .It Ev USER
 Set to the name of the user logging in.
@@ -1348,15 +1373,64 @@ manual page for more information.
 .Xr ssh-keysign 8 ,
 .Xr sshd 8
 .Rs
-.%A T. Ylonen
+.%R RFC 4250
-.%A T. Kivinen
+.%T "The Secure Shell (SSH) Protocol Assigned Numbers"
-.%A M. Saarinen
+.%D 2006
-.%A T. Rinne
+.Re
-.%A S. Lehtinen
+.Rs
-.%T "SSH Protocol Architecture"
+.%R RFC 4251
-.%N draft-ietf-secsh-architecture-12.txt
+.%T "The Secure Shell (SSH) Protocol Architecture"
-.%D January 2002
+.%D 2006
-.%O work in progress material
+.Re
+.Rs
+.%R RFC 4252
+.%T "The Secure Shell (SSH) Authentication Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4253
+.%T "The Secure Shell (SSH) Transport Layer Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4254
+.%T "The Secure Shell (SSH) Connection Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4255
+.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4256
+.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4335
+.%T "The Secure Shell (SSH) Session Channel Break Extension"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4344
+.%T "The Secure Shell (SSH) Transport Layer Encryption Modes"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4345
+.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4419
+.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4716
+.%T "The Secure Shell (SSH) Public Key File Format"
+.%D 2006
 .Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free

diff --git a/ssh.1 b/ssh.1 index b1662d7ac..04326e654 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -78,7 +78,8 @@
78	.Oc	78	.Oc
79	.Op Fl S Ar ctl_path	79	.Op Fl S Ar ctl_path
80	.Bk -words	80	.Bk -words
81	.Op Fl w Ar tunnel : Ns Ar tunnel	81	.Oo Fl w Ar local_tun Ns
		82	.Op : Ns Ar remote_tun Oc
82	.Oo Ar user Ns @ Oc Ns Ar hostname	83	.Oo Ar user Ns @ Oc Ns Ar hostname
83	.Op Ar command	84	.Op Ar command
84	.Ek	85	.Ek
@@ -450,6 +451,7 @@ For full details of the options listed below, and their possible values, see
450	.It ControlPath	451	.It ControlPath
451	.It DynamicForward	452	.It DynamicForward
452	.It EscapeChar	453	.It EscapeChar
		454	.It ExitOnForwardFailure
453	.It ForwardAgent	455	.It ForwardAgent
454	.It ForwardX11	456	.It ForwardX11
455	.It ForwardX11Trusted	457	.It ForwardX11Trusted
@@ -575,7 +577,7 @@ Disable pseudo-tty allocation.
575	Force pseudo-tty allocation.	577	Force pseudo-tty allocation.
576	This can be used to execute arbitrary	578	This can be used to execute arbitrary
577	screen-based programs on a remote machine, which can be very useful,	579	screen-based programs on a remote machine, which can be very useful,
578	e.g., when implementing menu services.	580	e.g. when implementing menu services.
579	Multiple	581	Multiple
580	.Fl t	582	.Fl t
581	options force tty allocation, even if	583	options force tty allocation, even if
@@ -594,24 +596,35 @@ Multiple
594	.Fl v	596	.Fl v
595	options increase the verbosity.	597	options increase the verbosity.
596	The maximum is 3.	598	The maximum is 3.
597	.It Fl w Ar tunnel : Ns Ar tunnel	599	.It Fl w Xo
598	Requests a	600	.Ar local_tun Ns Op : Ns Ar remote_tun
		601	.Xc
		602	Requests
		603	tunnel
		604	device forwarding with the specified
599	.Xr tun 4	605	.Xr tun 4
600	device on the client	606	devices between the client
601	(first	607	.Pq Ar local_tun
602	.Ar tunnel	608	and the server
603	arg)	609	.Pq Ar remote_tun .
604	and server	610	.Pp
605	(second
606	.Ar tunnel
607	arg).
608	The devices may be specified by numerical ID or the keyword	611	The devices may be specified by numerical ID or the keyword
609	.Dq any ,	612	.Dq any ,
610	which uses the next available tunnel device.	613	which uses the next available tunnel device.
		614	If
		615	.Ar remote_tun
		616	is not specified, it defaults to
		617	.Dq any .
611	See also the	618	See also the
612	.Cm Tunnel	619	.Cm Tunnel
613	directive in	620	and
		621	.Cm TunnelDevice
		622	directives in
614	.Xr ssh_config 5 .	623	.Xr ssh_config 5 .
		624	If the
		625	.Cm Tunnel
		626	directive is unset, it is set to the default tunnel mode, which is
		627	.Dq point-to-point .
615	.It Fl X	628	.It Fl X
616	Enables X11 forwarding.	629	Enables X11 forwarding.
617	This can also be specified on a per-host basis in a configuration file.	630	This can also be specified on a per-host basis in a configuration file.
@@ -672,6 +685,7 @@ Protocol 1 lacks a strong mechanism for ensuring the
672	integrity of the connection.	685	integrity of the connection.
673	.Pp	686	.Pp
674	The methods available for authentication are:	687	The methods available for authentication are:
		688	GSSAPI-based authentication,
675	host-based authentication,	689	host-based authentication,
676	public key authentication,	690	public key authentication,
677	challenge-response authentication,	691	challenge-response authentication,
@@ -878,7 +892,9 @@ and
878	options (see above).	892	options (see above).
879	It also allows the cancellation of existing remote port-forwardings	893	It also allows the cancellation of existing remote port-forwardings
880	using	894	using
881	.Fl KR Ar hostport .	895	.Sm off
		896	.Fl KR Oo Ar bind_address : Oc Ar port .
		897	.Sm on
882	.Ic !\& Ns Ar command	898	.Ic !\& Ns Ar command
883	allows the user to execute a local command if the	899	allows the user to execute a local command if the
884	.Ic PermitLocalCommand	900	.Ic PermitLocalCommand
@@ -1031,8 +1047,7 @@ In this example, we are connecting a client to a server,
1031	The SSHFP resource records should first be added to the zonefile for	1047	The SSHFP resource records should first be added to the zonefile for
1032	host.example.com:	1048	host.example.com:
1033	.Bd -literal -offset indent	1049	.Bd -literal -offset indent
1034	$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.	1050	$ ssh-keygen -r host.example.com.
1035	$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
1036	.Ed	1051	.Ed
1037	.Pp	1052	.Pp
1038	The output lines will have to be added to the zonefile.	1053	The output lines will have to be added to the zonefile.
@@ -1068,12 +1083,22 @@ controls whether the server supports this,
1068	and at what level (layer 2 or 3 traffic).	1083	and at what level (layer 2 or 3 traffic).
1069	.Pp	1084	.Pp
1070	The following example would connect client network 10.0.50.0/24	1085	The following example would connect client network 10.0.50.0/24
1071	with remote network 10.0.99.0/24, provided that the SSH server	1086	with remote network 10.0.99.0/24 using a point-to-point connection
1072	running on the gateway to the remote network,	1087	from 10.1.1.1 to 10.1.1.2,
1073	at 192.168.1.15, allows it:	1088	provided that the SSH server running on the gateway to the remote network,
		1089	at 192.168.1.15, allows it.
		1090	.Pp
		1091	On the client:
1074	.Bd -literal -offset indent	1092	.Bd -literal -offset indent
1075	# ssh -f -w 0:1 192.168.1.15 true	1093	# ssh -f -w 0:1 192.168.1.15 true
1076	# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252	1094	# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
		1095	# route add 10.0.99.0/24 10.1.1.2
		1096	.Ed
		1097	.Pp
		1098	On the server:
		1099	.Bd -literal -offset indent
		1100	# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
		1101	# route add 10.0.50.0/24 10.1.1.1
1077	.Ed	1102	.Ed
1078	.Pp	1103	.Pp
1079	Client access may be more finely tuned via the	1104	Client access may be more finely tuned via the
@@ -1081,11 +1106,11 @@ Client access may be more finely tuned via the
1081	file (see below) and the	1106	file (see below) and the
1082	.Cm PermitRootLogin	1107	.Cm PermitRootLogin
1083	server option.	1108	server option.
1084	The following entry would permit connections on the first	1109	The following entry would permit connections on
1085	.Xr tun 4	1110	.Xr tun 4
1086	device from user	1111	device 1 from user
1087	.Dq jane	1112	.Dq jane
1088	and on the second device from user	1113	and on tun device 2 from user
1089	.Dq john ,	1114	.Dq john ,
1090	if	1115	if
1091	.Cm PermitRootLogin	1116	.Cm PermitRootLogin
@@ -1093,10 +1118,10 @@ is set to
1093	.Dq forced-commands-only :	1118	.Dq forced-commands-only :
1094	.Bd -literal -offset 2n	1119	.Bd -literal -offset 2n
1095	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane	1120	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
1096	tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john	1121	tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
1097	.Ed	1122	.Ed
1098	.Pp	1123	.Pp
1099	Since a SSH-based setup entails a fair amount of overhead,	1124	Since an SSH-based setup entails a fair amount of overhead,
1100	it may be more suited to temporary setups,	1125	it may be more suited to temporary setups,
1101	such as for wireless VPNs.	1126	such as for wireless VPNs.
1102	More permanent VPNs are better provided by tools such as	1127	More permanent VPNs are better provided by tools such as
@@ -1184,7 +1209,7 @@ If the current session has no tty,
1184	this variable is not set.	1209	this variable is not set.
1185	.It Ev TZ	1210	.It Ev TZ
1186	This variable is set to indicate the present time zone if it	1211	This variable is set to indicate the present time zone if it
1187	was set when the daemon was started (i.e., the daemon passes the value	1212	was set when the daemon was started (i.e. the daemon passes the value
1188	on to new connections).	1213	on to new connections).
1189	.It Ev USER	1214	.It Ev USER
1190	Set to the name of the user logging in.	1215	Set to the name of the user logging in.
@@ -1348,15 +1373,64 @@ manual page for more information.
1348	.Xr ssh-keysign 8 ,	1373	.Xr ssh-keysign 8 ,
1349	.Xr sshd 8	1374	.Xr sshd 8
1350	.Rs	1375	.Rs
1351	.%A T. Ylonen	1376	.%R RFC 4250
1352	.%A T. Kivinen	1377	.%T "The Secure Shell (SSH) Protocol Assigned Numbers"
1353	.%A M. Saarinen	1378	.%D 2006
1354	.%A T. Rinne	1379	.Re
1355	.%A S. Lehtinen	1380	.Rs
1356	.%T "SSH Protocol Architecture"	1381	.%R RFC 4251
1357	.%N draft-ietf-secsh-architecture-12.txt	1382	.%T "The Secure Shell (SSH) Protocol Architecture"
1358	.%D January 2002	1383	.%D 2006
1359	.%O work in progress material	1384	.Re
		1385	.Rs
		1386	.%R RFC 4252
		1387	.%T "The Secure Shell (SSH) Authentication Protocol"
		1388	.%D 2006
		1389	.Re
		1390	.Rs
		1391	.%R RFC 4253
		1392	.%T "The Secure Shell (SSH) Transport Layer Protocol"
		1393	.%D 2006
		1394	.Re
		1395	.Rs
		1396	.%R RFC 4254
		1397	.%T "The Secure Shell (SSH) Connection Protocol"
		1398	.%D 2006
		1399	.Re
		1400	.Rs
		1401	.%R RFC 4255
		1402	.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
		1403	.%D 2006
		1404	.Re
		1405	.Rs
		1406	.%R RFC 4256
		1407	.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)"
		1408	.%D 2006
		1409	.Re
		1410	.Rs
		1411	.%R RFC 4335
		1412	.%T "The Secure Shell (SSH) Session Channel Break Extension"
		1413	.%D 2006
		1414	.Re
		1415	.Rs
		1416	.%R RFC 4344
		1417	.%T "The Secure Shell (SSH) Transport Layer Encryption Modes"
		1418	.%D 2006
		1419	.Re
		1420	.Rs
		1421	.%R RFC 4345
		1422	.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol"
		1423	.%D 2006
		1424	.Re
		1425	.Rs
		1426	.%R RFC 4419
		1427	.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
		1428	.%D 2006
		1429	.Re
		1430	.Rs
		1431	.%R RFC 4716
		1432	.%T "The Secure Shell (SSH) Public Key File Format"
		1433	.%D 2006
1360	.Re	1434	.Re
1361	.Sh AUTHORS	1435	.Sh AUTHORS
1362	OpenSSH is a derivative of the original and free	1436	OpenSSH is a derivative of the original and free