Diffstat (limited to 'ssh_config.0')
-rw-r--r-- ssh_config.0 162
1 files changed, 102 insertions, 60 deletions
diff --git a/ssh_config.0 b/ssh_config.0
index a2706b69c..46a0543c3 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -129,16 +129,19 @@ DESCRIPTION
129 on a control socket specified using the ControlPath argument. 129 on a control socket specified using the ControlPath argument.
130 Additional sessions can connect to this socket using the same 130 Additional sessions can connect to this socket using the same
131 ControlPath with ControlMaster set to ``no'' (the default). 131 ControlPath with ControlMaster set to ``no'' (the default).
132 These sessions will reuse the master instance's network connec- 132 These sessions will try to reuse the master instance's network
133 tion rather than initiating new ones. Setting this to ``ask'' 133 connection rather than initiating new ones, but will fall back to
134 will cause ssh to listen for control connections, but require 134 connecting normally if the control socket does not exist, or is
135 confirmation using the SSH_ASKPASS program before they are ac- 135 not listening.
136 cepted (see ssh-add(1) for details). If the ControlPath can not 136
137 be opened, ssh will continue without connecting to a master in- 137 Setting this to ``ask'' will cause ssh to listen for control con-
138 stance. 138 nections, but require confirmation using the SSH_ASKPASS program
139 before they are accepted (see ssh-add(1) for details). If the
140 ControlPath can not be opened, ssh will continue without connect-
141 ing to a master instance.
139 142
140 X11 and ssh-agent(1) forwarding is supported over these multi- 143 X11 and ssh-agent(1) forwarding is supported over these multi-
141 plexed connections, however the display and agent fowarded will 144 plexed connections, however the display and agent forwarded will
142 be the one belonging to the master connection i.e. it is not pos- 145 be the one belonging to the master connection i.e. it is not pos-
143 sible to forward multiple displays or agents. 146 sible to forward multiple displays or agents.
144 147
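Review bot: In the ControlMaster entry the fallback is now described twice. New lines 132-135 say a session falls back to connecting normally if the control socket does not exist or is not listening, and new lines 139-141 still say ssh continues without a master instance if the ControlPath can not be opened. After the added paragraph break the second sentence sits in the ``ask'' paragraph, where it reads as specific to that mode. Suggest folding both into the first paragraph, and stating whether the fallback is reported to the user, since a session that expected to reuse the master's connection will instead open and authenticate a new one.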
@@ -159,14 +162,24 @@ DESCRIPTION
159 nections are uniquely identified. 162 nections are uniquely identified.
160 163
161 DynamicForward 164 DynamicForward
162 Specifies that a TCP/IP port on the local machine be forwarded 165 Specifies that a TCP port on the local machine be forwarded over
163 over the secure channel, and the application protocol is then 166 the secure channel, and the application protocol is then used to
164 used to determine where to connect to from the remote machine. 167 determine where to connect to from the remote machine.
165 The argument must be a port number. Currently the SOCKS4 and 168
166 SOCKS5 protocols are supported, and ssh will act as a SOCKS serv- 169 The argument must be [bind_address:]port. IPv6 addresses can be
167 er. Multiple forwardings may be specified, and additional for- 170 specified by enclosing addresses in square brackets or by using
168 wardings can be given on the command line. Only the superuser 171 an alternative syntax: [bind_address/]port. By default, the lo-
169 can forward privileged ports. 172 cal port is bound in accordance with the GatewayPorts setting.
173 However, an explicit bind_address may be used to bind the connec-
174 tion to a specific address. The bind_address of ``localhost''
175 indicates that the listening port be bound for local use only,
176 while an empty address or `*' indicates that the port should be
177 available from all interfaces.
178
179 Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh
180 will act as a SOCKS server. Multiple forwardings may be speci-
181 fied, and additional forwardings can be given on the command
182 line. Only the superuser can forward privileged ports.
170 183
171 EnableSSHKeysign 184 EnableSSHKeysign
172 Setting this option to ``yes'' in the global client configuration 185 Setting this option to ``yes'' in the global client configuration
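Review bot: In DynamicForward (new lines 169-177) the default bind behaviour is deferred to GatewayPorts without saying what that default is, while the same paragraph states that an empty address or `*' makes the port available from all interfaces. Because ssh is the SOCKS server on that port, suggest stating the default bind in this entry or adding an explicit "see GatewayPorts" reference. Wording point: "bind the connection to a specific address" describes the listening port, so "bind the listening port" would be more accurate here and in the identical LocalForward sentence.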
@@ -280,6 +293,14 @@ DESCRIPTION
280 permitted (both on the command line and in HostName specifica- 293 permitted (both on the command line and in HostName specifica-
281 tions). 294 tions).
282 295
296 IdentitiesOnly
297 Specifies that ssh should only use the authentication identity
298 files configured in the ssh_config files, even if the ssh-agent
299 offers more identities. The argument to this keyword must be
300 ``yes'' or ``no''. This option is intended for situations where
301 ssh-agent offers many different identities. The default is
302 ``no''.
303
283 IdentityFile 304 IdentityFile
284 Specifies a file from which the user's RSA or DSA authentication 305 Specifies a file from which the user's RSA or DSA authentication
285 identity is read. The default is ~/.ssh/identity for protocol 306 identity is read. The default is ~/.ssh/identity for protocol
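Review bot: In the relocated IdentitiesOnly entry (new lines 296-302), "identity files configured in the ssh_config files" leaves open whether an identity supplied outside the configuration files still counts. Suggest saying so either way, and cross-referencing IdentityFile, which now follows directly, so the reader sees which files the restriction refers to. The spelling fix from "intented" to "intended" is fine.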
@@ -290,35 +311,33 @@ DESCRIPTION
290 is possible to have multiple identity files specified in configu- 311 is possible to have multiple identity files specified in configu-
291 ration files; all these identities will be tried in sequence. 312 ration files; all these identities will be tried in sequence.
292 313
293 IdentitiesOnly
294 Specifies that ssh should only use the authentication identity
295 files configured in the ssh_config files, even if the ssh-agent
296 offers more identities. The argument to this keyword must be
297 ``yes'' or ``no''. This option is intented for situations where
298 ssh-agent offers many different identities. The default is
299 ``no''.
300
301 KbdInteractiveDevices 314 KbdInteractiveDevices
302 Specifies the list of methods to use in keyboard-interactive au- 315 Specifies the list of methods to use in keyboard-interactive au-
303 thentication. Multiple method names must be comma-separated. 316 thentication. Multiple method names must be comma-separated.
304 The default is to use the server specified list. 317 The default is to use the server specified list.
305 318
319 LocalCommand
320 Specifies a command to execute on the local machine after suc-
321 cessfully connecting to the server. The command string extends
322 to the end of the line, and is executed with /bin/sh. This di-
323 rective is ignored unless PermitLocalCommand has been enabled.
324
306 LocalForward 325 LocalForward
307 Specifies that a TCP/IP port on the local machine be forwarded 326 Specifies that a TCP port on the local machine be forwarded over
308 over the secure channel to the specified host and port from the 327 the secure channel to the specified host and port from the remote
309 remote machine. The first argument must be [bind_address:]port 328 machine. The first argument must be [bind_address:]port and the
310 and the second argument must be host:hostport. IPv6 addresses 329 second argument must be host:hostport. IPv6 addresses can be
311 can be specified by enclosing addresses in square brackets or by 330 specified by enclosing addresses in square brackets or by using
312 using an alternative syntax: [bind_address/]port and 331 an alternative syntax: [bind_address/]port and host/hostport.
313 host/hostport. Multiple forwardings may be specified, and addi- 332 Multiple forwardings may be specified, and additional forwardings
314 tional forwardings can be given on the command line. Only the 333 can be given on the command line. Only the superuser can forward
315 superuser can forward privileged ports. By default, the local 334 privileged ports. By default, the local port is bound in accor-
316 port is bound in accordance with the GatewayPorts setting. How- 335 dance with the GatewayPorts setting. However, an explicit
317 ever, an explicit bind_address may be used to bind the connection 336 bind_address may be used to bind the connection to a specific ad-
318 to a specific address. The bind_address of ``localhost'' indi- 337 dress. The bind_address of ``localhost'' indicates that the lis-
319 cates that the listening port be bound for local use only, while 338 tening port be bound for local use only, while an empty address
320 an empty address or `*' indicates that the port should be avail- 339 or `*' indicates that the port should be available from all in-
321 able from all interfaces. 340 terfaces.
322 341
323 LogLevel 342 LogLevel
324 Gives the verbosity level that is used when logging messages from 343 Gives the verbosity level that is used when logging messages from
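Review bot: The new LocalCommand entry (new lines 319-323) says the directive is ignored unless PermitLocalCommand has been enabled, but not that PermitLocalCommand defaults to ``no''; adding "(disabled by default)" saves a lookup. Since the string runs to the end of the line and is executed with /bin/sh, the entry should also say that it is interpreted by the shell and whether ssh waits for the command to finish before continuing. The LocalForward lines in this hunk differ only in "TCP/IP" becoming "TCP" and in wrapping.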
@@ -351,6 +370,11 @@ DESCRIPTION
351 to this keyword must be ``yes'' or ``no''. The default is 370 to this keyword must be ``yes'' or ``no''. The default is
352 ``yes''. 371 ``yes''.
353 372
373 PermitLocalCommand
374 Allow local command execution via the LocalCommand option or us-
375 ing the !command escape sequence in ssh(1). The argument must be
376 ``yes'' or ``no''. The default is ``no''.
377
354 Port Specifies the port number to connect on the remote host. Default 378 Port Specifies the port number to connect on the remote host. Default
355 is 22. 379 is 22.
356 380
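Review bot: PermitLocalCommand (new lines 373-376) is one switch for two features, the LocalCommand option and the !command escape sequence in ssh(1), so enabling it for one also enables the other. Suggest stating that explicitly, so a user who sets it to ``yes'' for the sake of a LocalCommand line knows the escape becomes available in the same sessions.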
@@ -393,16 +417,24 @@ DESCRIPTION
393 to this keyword must be ``yes'' or ``no''. The default is 417 to this keyword must be ``yes'' or ``no''. The default is
394 ``yes''. This option applies to protocol version 2 only. 418 ``yes''. This option applies to protocol version 2 only.
395 419
420 RekeyLimit
421 Specifies the maximum amount of data that may be transmitted be-
422 fore the session key is renegotiated. The argument is the number
423 of bytes, with an optional suffix of `K', `M', or `G' to indicate
424 Kilobytes, Megabytes, or Gigabytes, respectively. The default is
425 between ``1G'' and ``4G'', depending on the cipher. This option
426 applies to protocol version 2 only.
427
396 RemoteForward 428 RemoteForward
397 Specifies that a TCP/IP port on the remote machine be forwarded 429 Specifies that a TCP port on the remote machine be forwarded over
398 over the secure channel to the specified host and port from the 430 the secure channel to the specified host and port from the local
399 local machine. The first argument must be [bind_address:]port 431 machine. The first argument must be [bind_address:]port and the
400 and the second argument must be host:hostport. IPv6 addresses 432 second argument must be host:hostport. IPv6 addresses can be
401 can be specified by enclosing addresses in square brackets or by 433 specified by enclosing addresses in square brackets or by using
402 using an alternative syntax: [bind_address/]port and 434 an alternative syntax: [bind_address/]port and host/hostport.
403 host/hostport. Multiple forwardings may be specified, and addi- 435 Multiple forwardings may be specified, and additional forwardings
404 tional forwardings can be given on the command line. Only the 436 can be given on the command line. Only the superuser can forward
405 superuser can forward privileged ports. 437 privileged ports.
406 438
407 If the bind_address is not specified, the default is to only bind 439 If the bind_address is not specified, the default is to only bind
408 to loopback addresses. If the bind_address is `*' or an empty 440 to loopback addresses. If the bind_address is `*' or an empty
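Review bot: In RekeyLimit (new lines 420-426) the default is given only as "between ``1G'' and ``4G'', depending on the cipher", which does not let a reader tell what applies to their configuration. Suggest naming the rule that selects the value, stating whether `K', `M' and `G' are powers of 1024 or 1000, and whether the limit counts data per direction or in total. If there is a minimum accepted value it belongs here too.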
@@ -434,15 +466,8 @@ DESCRIPTION
434 separated by whitespace or spread across multiple SendEnv direc- 466 separated by whitespace or spread across multiple SendEnv direc-
435 tives. The default is not to send any environment variables. 467 tives. The default is not to send any environment variables.
436 468
437 ServerAliveInterval
438 Sets a timeout interval in seconds after which if no data has
439 been received from the server, ssh will send a message through
440 the encrypted channel to request a response from the server. The
441 default is 0, indicating that these messages will not be sent to
442 the server. This option applies to protocol version 2 only.
443
444 ServerAliveCountMax 469 ServerAliveCountMax
445 Sets the number of server alive messages (see above) which may be 470 Sets the number of server alive messages (see below) which may be
446 sent without ssh receiving any messages back from the server. If 471 sent without ssh receiving any messages back from the server. If
447 this threshold is reached while server alive messages are being 472 this threshold is reached while server alive messages are being
448 sent, ssh will disconnect from the server, terminating the ses- 473 sent, ssh will disconnect from the server, terminating the ses-
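Review bot: After the reordering, line 470 reads "server alive messages (see below)" without naming the option being pointed at. Suggest "(see ServerAliveInterval)" so the reference does not depend on entry order and does not need editing again the next time entries move.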
@@ -455,9 +480,16 @@ DESCRIPTION
455 tion has become inactive. 480 tion has become inactive.
456 481
457 The default value is 3. If, for example, ServerAliveInterval 482 The default value is 3. If, for example, ServerAliveInterval
458 (above) is set to 15, and ServerAliveCountMax is left at the de- 483 (see below) is set to 15, and ServerAliveCountMax is left at the
459 fault, if the server becomes unresponsive ssh will disconnect af- 484 default, if the server becomes unresponsive ssh will disconnect
460 ter approximately 45 seconds. 485 after approximately 45 seconds.
486
487 ServerAliveInterval
488 Sets a timeout interval in seconds after which if no data has
489 been received from the server, ssh will send a message through
490 the encrypted channel to request a response from the server. The
491 default is 0, indicating that these messages will not be sent to
492 the server. This option applies to protocol version 2 only.
461 493
462 SmartcardDevice 494 SmartcardDevice
463 Specifies which smartcard device to use. The argument to this 495 Specifies which smartcard device to use. The argument to this
@@ -496,6 +528,16 @@ DESCRIPTION
496 To disable TCP keepalive messages, the value should be set to 528 To disable TCP keepalive messages, the value should be set to
497 ``no''. 529 ``no''.
498 530
531 Tunnel Request starting tun(4) device forwarding between the client and
532 the server. This option also allows requesting layer 2 (ether-
533 net) instead of layer 3 (point-to-point) tunneling from the serv-
534 er. The argument must be ``yes'', ``point-to-point'',
535 ``ethernet'' or ``no''. The default is ``no''.
536
537 TunnelDevice
538 Force a specified tun(4) device on the client. Without this op-
539 tion, the next available device will be used.
540
499 UsePrivilegedPort 541 UsePrivilegedPort
500 Specifies whether to use a privileged port for outgoing connec- 542 Specifies whether to use a privileged port for outgoing connec-
501 tions. The argument must be ``yes'' or ``no''. The default is 543 tions. The argument must be ``yes'' or ``no''. The default is
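Review bot: In the new Tunnel entry (new lines 531-535) the accepted values are ``yes'', ``point-to-point'', ``ethernet'' and ``no'', but the text never says which mode ``yes'' selects. Suggest adding that. TunnelDevice (new lines 537-539) does not describe the form of its argument; a short statement of the expected syntax would make the entry usable on its own.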
@@ -551,4 +593,4 @@ AUTHORS
551 ated OpenSSH. Markus Friedl contributed the support for SSH protocol 593 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
552 versions 1.5 and 2.0. 594 versions 1.5 and 2.0.
553 595
554OpenBSD 3.8 September 25, 1999 9 596OpenBSD 3.9 September 25, 1999 9
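Review bot: The footer changes "OpenBSD 3.8" to "OpenBSD 3.9" while the date stays "September 25, 1999". If that date is meant to track the last revision of the page it is now stale; if it is the original document date, no change is needed, but it is worth confirming since this commit adds several new options.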