1 files changed, 31 insertions, 21 deletions
diff --git a/ssh_config.0 b/ssh_config.0
index eb7f929e6..10f1c2e9d 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -54,22 +54,28 @@ DESCRIPTION
             Match keyword) to be used only when the conditions following the
             Match keyword are satisfied.  Match conditions are specified
             using one or more criteria or the single token all which always
-             matches.  The available criteria keywords are: canonical, exec,
+             matches.  The available criteria keywords are: canonical, final,
-             host, originalhost, user, and localuser.  The all criteria must
+             exec, host, originalhost, user, and localuser.  The all criteria
-             appear alone or immediately after canonical.  Other criteria may
+             must appear alone or immediately after canonical or final.  Other
-             be combined arbitrarily.  All criteria but all and canonical
+             criteria may be combined arbitrarily.  All criteria but all,
-             require an argument.  Criteria may be negated by prepending an
+             canonical, and final require an argument.  Criteria may be
-             exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y).
+             negated by prepending an exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y).
             The canonical keyword matches only when the configuration file is
             being re-parsed after hostname canonicalization (see the
-             CanonicalizeHostname option.)  This may be useful to specify
+             CanonicalizeHostname option).  This may be useful to specify
-             conditions that work with canonical host names only.  The exec
+             conditions that work with canonical host names only.
-             keyword executes the specified command under the user's shell.
-             If the command returns a zero exit status then the condition is
+             The final keyword requests that the configuration be re-parsed
-             considered true.  Commands containing whitespace characters must
+             (regardless of whether CanonicalizeHostname is enabled), and
-             be quoted.  Arguments to exec accept the tokens described in the
+             matches only during this final pass.  If CanonicalizeHostname is
-             TOKENS section.
+             enabled, then canonical and final match during the same pass.
+             The exec keyword executes the specified command under the user's
+             shell.  If the command returns a zero exit status then the
+             condition is considered true.  Commands containing whitespace
+             characters must be quoted.  Arguments to exec accept the tokens
+             described in the TOKENS section.
             The other keywords' criteria must be single entries or comma-
             separated lists and may use the wildcard and negation operators
@@ -603,7 +609,6 @@ DESCRIPTION
                   diffie-hellman-group-exchange-sha256,
                   diffie-hellman-group16-sha512,
                   diffie-hellman-group18-sha512,
-                   diffie-hellman-group-exchange-sha1,
                   diffie-hellman-group14-sha256,
                   diffie-hellman-group14-sha1
@@ -690,10 +695,11 @@ DESCRIPTION
             be yes or no (the default).
     PKCS11Provider
-             Specifies which PKCS#11 provider to use.  The argument to this
+             Specifies which PKCS#11 provider to use or none to indicate that
-             keyword is the PKCS#11 shared library ssh(1) should use to
+             no provider should be used (the default).  The argument to this
-             communicate with a PKCS#11 token providing the user's private RSA
+             keyword is a path to the PKCS#11 shared library ssh(1) should use
-             key.
+             to communicate with a PKCS#11 token providing keys for user
+             authentication.
     Port    Specifies the port number to connect on the remote host.  The
             default is 22.
@@ -741,6 +747,11 @@ DESCRIPTION
             whichever is specified first will prevent later instances of the
             other from taking effect.
+             Note also that the configuration for the destination host (either
+             supplied via the command-line or the configuration file) is not
+             generally applied to jump hosts.  ~/.ssh/config should be used if
+             specific configuration is required for jump hosts.
     ProxyUseFdpass
             Specifies that ProxyCommand will pass a connected file descriptor
             back to ssh(1) instead of continuing to execute and pass data.
@@ -1087,8 +1098,7 @@ FILES
             This is the per-user configuration file.  The format of this file
             is described above.  This file is used by the SSH client.
             Because of the potential for abuse, this file must have strict
-             permissions: read/write for the user, and not accessible by
+             permissions: read/write for the user, and not writable by others.
-             others.
     /etc/ssh/ssh_config
             Systemwide configuration file.  This file provides defaults for
@@ -1106,4 +1116,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 6.4                     October 3, 2018                    OpenBSD 6.4
+OpenBSD 6.5                      March 1, 2019                     OpenBSD 6.5

diff --git a/ssh_config.0 b/ssh_config.0 index eb7f929e6..10f1c2e9d 100644 --- a/ssh_config.0 +++ b/ssh_config.0
@@ -54,22 +54,28 @@ DESCRIPTION
54	Match keyword) to be used only when the conditions following the	54	Match keyword) to be used only when the conditions following the
55	Match keyword are satisfied. Match conditions are specified	55	Match keyword are satisfied. Match conditions are specified
56	using one or more criteria or the single token all which always	56	using one or more criteria or the single token all which always
57	matches. The available criteria keywords are: canonical, exec,	57	matches. The available criteria keywords are: canonical, final,
58	host, originalhost, user, and localuser. The all criteria must	58	exec, host, originalhost, user, and localuser. The all criteria
59	appear alone or immediately after canonical. Other criteria may	59	must appear alone or immediately after canonical or final. Other
60	be combined arbitrarily. All criteria but all and canonical	60	criteria may be combined arbitrarily. All criteria but all,
61	require an argument. Criteria may be negated by prepending an	61	canonical, and final require an argument. Criteria may be
62	exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y).	62	negated by prepending an exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y).
63		63
64	The canonical keyword matches only when the configuration file is	64	The canonical keyword matches only when the configuration file is
65	being re-parsed after hostname canonicalization (see the	65	being re-parsed after hostname canonicalization (see the
66	CanonicalizeHostname option.) This may be useful to specify	66	CanonicalizeHostname option). This may be useful to specify
67	conditions that work with canonical host names only. The exec	67	conditions that work with canonical host names only.
68	keyword executes the specified command under the user's shell.	68
69	If the command returns a zero exit status then the condition is	69	The final keyword requests that the configuration be re-parsed
70	considered true. Commands containing whitespace characters must	70	(regardless of whether CanonicalizeHostname is enabled), and
71	be quoted. Arguments to exec accept the tokens described in the	71	matches only during this final pass. If CanonicalizeHostname is
72	TOKENS section.	72	enabled, then canonical and final match during the same pass.
		73
		74	The exec keyword executes the specified command under the user's
		75	shell. If the command returns a zero exit status then the
		76	condition is considered true. Commands containing whitespace
		77	characters must be quoted. Arguments to exec accept the tokens
		78	described in the TOKENS section.
73		79
74	The other keywords' criteria must be single entries or comma-	80	The other keywords' criteria must be single entries or comma-
75	separated lists and may use the wildcard and negation operators	81	separated lists and may use the wildcard and negation operators
@@ -603,7 +609,6 @@ DESCRIPTION
603	diffie-hellman-group-exchange-sha256,	609	diffie-hellman-group-exchange-sha256,
604	diffie-hellman-group16-sha512,	610	diffie-hellman-group16-sha512,
605	diffie-hellman-group18-sha512,	611	diffie-hellman-group18-sha512,
606	diffie-hellman-group-exchange-sha1,
607	diffie-hellman-group14-sha256,	612	diffie-hellman-group14-sha256,
608	diffie-hellman-group14-sha1	613	diffie-hellman-group14-sha1
609		614
@@ -690,10 +695,11 @@ DESCRIPTION
690	be yes or no (the default).	695	be yes or no (the default).
691		696
692	PKCS11Provider	697	PKCS11Provider
693	Specifies which PKCS#11 provider to use. The argument to this	698	Specifies which PKCS#11 provider to use or none to indicate that
694	keyword is the PKCS#11 shared library ssh(1) should use to	699	no provider should be used (the default). The argument to this
695	communicate with a PKCS#11 token providing the user's private RSA	700	keyword is a path to the PKCS#11 shared library ssh(1) should use
696	key.	701	to communicate with a PKCS#11 token providing keys for user
		702	authentication.
697		703
698	Port Specifies the port number to connect on the remote host. The	704	Port Specifies the port number to connect on the remote host. The
699	default is 22.	705	default is 22.
@@ -741,6 +747,11 @@ DESCRIPTION
741	whichever is specified first will prevent later instances of the	747	whichever is specified first will prevent later instances of the
742	other from taking effect.	748	other from taking effect.
743		749
		750	Note also that the configuration for the destination host (either
		751	supplied via the command-line or the configuration file) is not
		752	generally applied to jump hosts. ~/.ssh/config should be used if
		753	specific configuration is required for jump hosts.
		754
744	ProxyUseFdpass	755	ProxyUseFdpass
745	Specifies that ProxyCommand will pass a connected file descriptor	756	Specifies that ProxyCommand will pass a connected file descriptor
746	back to ssh(1) instead of continuing to execute and pass data.	757	back to ssh(1) instead of continuing to execute and pass data.
@@ -1087,8 +1098,7 @@ FILES
1087	This is the per-user configuration file. The format of this file	1098	This is the per-user configuration file. The format of this file
1088	is described above. This file is used by the SSH client.	1099	is described above. This file is used by the SSH client.
1089	Because of the potential for abuse, this file must have strict	1100	Because of the potential for abuse, this file must have strict
1090	permissions: read/write for the user, and not accessible by	1101	permissions: read/write for the user, and not writable by others.
1091	others.
1092		1102
1093	/etc/ssh/ssh_config	1103	/etc/ssh/ssh_config
1094	Systemwide configuration file. This file provides defaults for	1104	Systemwide configuration file. This file provides defaults for
@@ -1106,4 +1116,4 @@ AUTHORS
1106	created OpenSSH. Markus Friedl contributed the support for SSH protocol	1116	created OpenSSH. Markus Friedl contributed the support for SSH protocol
1107	versions 1.5 and 2.0.	1117	versions 1.5 and 2.0.
1108		1118
1109	OpenBSD 6.4 October 3, 2018 OpenBSD 6.4	1119	OpenBSD 6.5 March 1, 2019 OpenBSD 6.5