1 files changed, 48 insertions, 21 deletions
diff --git a/ssh.1 b/ssh.1
index 6c6271ee4..3f815b8e7 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.283 2009/03/19 15:15:09 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
-.Dd $Mdocdate: March 19 2009 $
+.Dd $Mdocdate: March 5 2010 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -54,6 +54,7 @@
 .Oc
 .Op Fl e Ar escape_char
 .Op Fl F Ar configfile
+.Op Fl I Ar pkcs11
 .Bk -words
 .Op Fl i Ar identity_file
 .Ek
@@ -77,12 +78,11 @@
 .Sm on
 .Oc
 .Op Fl S Ar ctl_path
-.Bk -words
+.Op Fl W Ar host : Ns Ar port
 .Oo Fl w Ar local_tun Ns
 .Op : Ns Ar remote_tun Oc
 .Oo Ar user Ns @ Oc Ns Ar hostname
 .Op Ar command
-.Ek
 .Sh DESCRIPTION
 .Nm
 (SSH client) is a program for logging into a remote machine and for
@@ -132,8 +132,9 @@ This can also be specified on a per-host basis in a configuration file.
 .Pp
 Agent forwarding should be enabled with caution.
 Users with the ability to bypass file permissions on the remote host
-(for the agent's Unix-domain socket)
+(for the agent's
-can access the local agent through the forwarded connection.
+.Ux Ns -domain
+socket) can access the local agent through the forwarded connection.
 An attacker cannot obtain key material from the agent,
 however they can perform operations on the keys that enable them to
 authenticate using the identities loaded into the agent.
@@ -284,13 +285,11 @@ will wait for all remote port forwards to be successfully established
 before placing itself in the background.
 .It Fl g
 Allows remote hosts to connect to local forwarded ports.
-.It Fl I Ar smartcard_device
+.It Fl I Ar pkcs11
-Specify the device
+Specify the PKCS#11 shared library
 .Nm
-should use to communicate with a smartcard used for storing the user's
+should use to communicate with a PKCS#11 token providing the user's
 private RSA key.
-This option is only available if support for smartcard devices
-is compiled in (default is no support).
 .It Fl i Ar identity_file
 Selects a file from which the identity (private key) for
 RSA or DSA authentication is read.
@@ -307,6 +306,11 @@ It is possible to have multiple
 .Fl i
 options (and multiple identities specified in
 configuration files).
+.Nm
+will also try to load certificate information from the filename obtained
+by appending
+.Pa -cert.pub
+to identity filenames.
 .It Fl K
 Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
 credentials to the server.
@@ -469,6 +473,7 @@ For full details of the options listed below, and their possible values, see
 .It NumberOfPasswordPrompts
 .It PasswordAuthentication
 .It PermitLocalCommand
+.It PKCS11Provider
 .It Port
 .It PreferredAuthentications
 .It Protocol
@@ -481,7 +486,6 @@ For full details of the options listed below, and their possible values, see
 .It SendEnv
 .It ServerAliveInterval
 .It ServerAliveCountMax
-.It SmartcardDevice
 .It StrictHostKeyChecking
 .It TCPKeepAlive
 .It Tunnel
@@ -593,6 +597,19 @@ Multiple
 .Fl v
 options increase the verbosity.
 The maximum is 3.
+.It Fl W Ar host : Ns Ar port
+Requests that standard input and output on the client be forwarded to
+.Ar host
+on
+.Ar port
+over the secure channel.
+Implies
+.Fl N ,
+.Fl T ,
+.Cm ExitOnForwardFailure
+and
+.Cm ClearAllForwardings
+and works with Protocol version 2 only.
 .It Fl w Xo
 .Ar local_tun Ns Op : Ns Ar remote_tun
 .Xc
@@ -666,20 +683,18 @@ exits with the exit status of the remote command or with 255
 if an error occurred.
 .Sh AUTHENTICATION
 The OpenSSH SSH client supports SSH protocols 1 and 2.
-Protocol 2 is the default, with
+The default is to use protocol 2 only,
-.Nm
+though this can be changed via the
-falling back to protocol 1 if it detects protocol 2 is unsupported.
-These settings may be altered using the
 .Cm Protocol
 option in
-.Xr ssh_config 5 ,
+.Xr ssh_config 5
-or enforced using the
+or the
 .Fl 1
 and
 .Fl 2
 options (see above).
 Both protocols support similar authentication methods,
-but protocol 2 is preferred since
+but protocol 2 is the default since
 it provides additional mechanisms for confidentiality
 (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
 and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
@@ -788,8 +803,20 @@ file, and has one key
 per line, though the lines can be very long.
 After this, the user can log in without giving the password.
 .Pp
-The most convenient way to use public key authentication may be with an
+A variation on public key authentication
-authentication agent.
+is available in the form of certificate authentication:
+instead of a set of public/private keys,
+signed certificates are used.
+This has the advantage that a single trusted certification authority
+can be used in place of many public/private keys.
+See the
+.Sx CERTIFICATES
+section of
+.Xr ssh-keygen 1
+for more information.
+.Pp
+The most convenient way to use public key or certificate authentication
+may be with an authentication agent.
 See
 .Xr ssh-agent 1
 for more information.

diff --git a/ssh.1 b/ssh.1 index 6c6271ee4..3f815b8e7 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.283 2009/03/19 15:15:09 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
38	.Dd $Mdocdate: March 19 2009 $	38	.Dd $Mdocdate: March 5 2010 $
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -54,6 +54,7 @@
54	.Oc	54	.Oc
55	.Op Fl e Ar escape_char	55	.Op Fl e Ar escape_char
56	.Op Fl F Ar configfile	56	.Op Fl F Ar configfile
		57	.Op Fl I Ar pkcs11
57	.Bk -words	58	.Bk -words
58	.Op Fl i Ar identity_file	59	.Op Fl i Ar identity_file
59	.Ek	60	.Ek
@@ -77,12 +78,11 @@
77	.Sm on	78	.Sm on
78	.Oc	79	.Oc
79	.Op Fl S Ar ctl_path	80	.Op Fl S Ar ctl_path
80	.Bk -words	81	.Op Fl W Ar host : Ns Ar port
81	.Oo Fl w Ar local_tun Ns	82	.Oo Fl w Ar local_tun Ns
82	.Op : Ns Ar remote_tun Oc	83	.Op : Ns Ar remote_tun Oc
83	.Oo Ar user Ns @ Oc Ns Ar hostname	84	.Oo Ar user Ns @ Oc Ns Ar hostname
84	.Op Ar command	85	.Op Ar command
85	.Ek
86	.Sh DESCRIPTION	86	.Sh DESCRIPTION
87	.Nm	87	.Nm
88	(SSH client) is a program for logging into a remote machine and for	88	(SSH client) is a program for logging into a remote machine and for
@@ -132,8 +132,9 @@ This can also be specified on a per-host basis in a configuration file.
132	.Pp	132	.Pp
133	Agent forwarding should be enabled with caution.	133	Agent forwarding should be enabled with caution.
134	Users with the ability to bypass file permissions on the remote host	134	Users with the ability to bypass file permissions on the remote host
135	(for the agent's Unix-domain socket)	135	(for the agent's
136	can access the local agent through the forwarded connection.	136	.Ux Ns -domain
		137	socket) can access the local agent through the forwarded connection.
137	An attacker cannot obtain key material from the agent,	138	An attacker cannot obtain key material from the agent,
138	however they can perform operations on the keys that enable them to	139	however they can perform operations on the keys that enable them to
139	authenticate using the identities loaded into the agent.	140	authenticate using the identities loaded into the agent.
@@ -284,13 +285,11 @@ will wait for all remote port forwards to be successfully established
284	before placing itself in the background.	285	before placing itself in the background.
285	.It Fl g	286	.It Fl g
286	Allows remote hosts to connect to local forwarded ports.	287	Allows remote hosts to connect to local forwarded ports.
287	.It Fl I Ar smartcard_device	288	.It Fl I Ar pkcs11
288	Specify the device	289	Specify the PKCS#11 shared library
289	.Nm	290	.Nm
290	should use to communicate with a smartcard used for storing the user's	291	should use to communicate with a PKCS#11 token providing the user's
291	private RSA key.	292	private RSA key.
292	This option is only available if support for smartcard devices
293	is compiled in (default is no support).
294	.It Fl i Ar identity_file	293	.It Fl i Ar identity_file
295	Selects a file from which the identity (private key) for	294	Selects a file from which the identity (private key) for
296	RSA or DSA authentication is read.	295	RSA or DSA authentication is read.
@@ -307,6 +306,11 @@ It is possible to have multiple
307	.Fl i	306	.Fl i
308	options (and multiple identities specified in	307	options (and multiple identities specified in
309	configuration files).	308	configuration files).
		309	.Nm
		310	will also try to load certificate information from the filename obtained
		311	by appending
		312	.Pa -cert.pub
		313	to identity filenames.
310	.It Fl K	314	.It Fl K
311	Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI	315	Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
312	credentials to the server.	316	credentials to the server.
@@ -469,6 +473,7 @@ For full details of the options listed below, and their possible values, see
469	.It NumberOfPasswordPrompts	473	.It NumberOfPasswordPrompts
470	.It PasswordAuthentication	474	.It PasswordAuthentication
471	.It PermitLocalCommand	475	.It PermitLocalCommand
		476	.It PKCS11Provider
472	.It Port	477	.It Port
473	.It PreferredAuthentications	478	.It PreferredAuthentications
474	.It Protocol	479	.It Protocol
@@ -481,7 +486,6 @@ For full details of the options listed below, and their possible values, see
481	.It SendEnv	486	.It SendEnv
482	.It ServerAliveInterval	487	.It ServerAliveInterval
483	.It ServerAliveCountMax	488	.It ServerAliveCountMax
484	.It SmartcardDevice
485	.It StrictHostKeyChecking	489	.It StrictHostKeyChecking
486	.It TCPKeepAlive	490	.It TCPKeepAlive
487	.It Tunnel	491	.It Tunnel
@@ -593,6 +597,19 @@ Multiple
593	.Fl v	597	.Fl v
594	options increase the verbosity.	598	options increase the verbosity.
595	The maximum is 3.	599	The maximum is 3.
		600	.It Fl W Ar host : Ns Ar port
		601	Requests that standard input and output on the client be forwarded to
		602	.Ar host
		603	on
		604	.Ar port
		605	over the secure channel.
		606	Implies
		607	.Fl N ,
		608	.Fl T ,
		609	.Cm ExitOnForwardFailure
		610	and
		611	.Cm ClearAllForwardings
		612	and works with Protocol version 2 only.
596	.It Fl w Xo	613	.It Fl w Xo
597	.Ar local_tun Ns Op : Ns Ar remote_tun	614	.Ar local_tun Ns Op : Ns Ar remote_tun
598	.Xc	615	.Xc
@@ -666,20 +683,18 @@ exits with the exit status of the remote command or with 255
666	if an error occurred.	683	if an error occurred.
667	.Sh AUTHENTICATION	684	.Sh AUTHENTICATION
668	The OpenSSH SSH client supports SSH protocols 1 and 2.	685	The OpenSSH SSH client supports SSH protocols 1 and 2.
669	Protocol 2 is the default, with	686	The default is to use protocol 2 only,
670	.Nm	687	though this can be changed via the
671	falling back to protocol 1 if it detects protocol 2 is unsupported.
672	These settings may be altered using the
673	.Cm Protocol	688	.Cm Protocol
674	option in	689	option in
675	.Xr ssh_config 5 ,	690	.Xr ssh_config 5
676	or enforced using the	691	or the
677	.Fl 1	692	.Fl 1
678	and	693	and
679	.Fl 2	694	.Fl 2
680	options (see above).	695	options (see above).
681	Both protocols support similar authentication methods,	696	Both protocols support similar authentication methods,
682	but protocol 2 is preferred since	697	but protocol 2 is the default since
683	it provides additional mechanisms for confidentiality	698	it provides additional mechanisms for confidentiality
684	(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)	699	(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
685	and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).	700	and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
@@ -788,8 +803,20 @@ file, and has one key
788	per line, though the lines can be very long.	803	per line, though the lines can be very long.
789	After this, the user can log in without giving the password.	804	After this, the user can log in without giving the password.
790	.Pp	805	.Pp
791	The most convenient way to use public key authentication may be with an	806	A variation on public key authentication
792	authentication agent.	807	is available in the form of certificate authentication:
		808	instead of a set of public/private keys,
		809	signed certificates are used.
		810	This has the advantage that a single trusted certification authority
		811	can be used in place of many public/private keys.
		812	See the
		813	.Sx CERTIFICATES
		814	section of
		815	.Xr ssh-keygen 1
		816	for more information.
		817	.Pp
		818	The most convenient way to use public key or certificate authentication
		819	may be with an authentication agent.
793	See	820	See
794	.Xr ssh-agent 1	821	.Xr ssh-agent 1
795	for more information.	822	for more information.