1 files changed, 93 insertions, 43 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 06db04c27..9033185b1 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.47 2005/03/07 23:41:54 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -43,7 +43,7 @@
 .Nd OpenSSH SSH client configuration files
 .Sh SYNOPSIS
 .Bl -tag -width Ds -compact
-.It Pa $HOME/.ssh/config
+.It Pa ~/.ssh/config
 .It Pa /etc/ssh/ssh_config
 .El
 .Sh DESCRIPTION
@@ -55,7 +55,7 @@ the following order:
 command-line options
 .It
 user's configuration file
-.Pq Pa $HOME/.ssh/config
+.Pq Pa ~/.ssh/config
 .It
 system-wide configuration file
 .Pq Pa /etc/ssh/ssh_config
@@ -136,8 +136,9 @@ or
 The default is
 .Dq no .
 .It Cm BindAddress
-Specify the interface to transmit from on machines with multiple
+Use the specified address on the local machine as the source address of
-interfaces or aliased addresses.
+the connection.
+Only useful on systems with more than one address.
 Note that this option does not work if
 .Cm UsePrivilegedPort
 is set to
@@ -193,14 +194,17 @@ The supported ciphers are
 .Dq aes128-ctr ,
 .Dq aes192-ctr ,
 .Dq aes256-ctr ,
+.Dq arcfour128 ,
+.Dq arcfour256 ,
 .Dq arcfour ,
 .Dq blowfish-cbc ,
 and
 .Dq cast128-cbc .
 The default is
 .Bd -literal
-  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-    aes192-cbc,aes256-cbc''
+    arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+    aes192-ctr,aes256-ctr''
 .Ed
 .It Cm ClearAllForwardings
 Specifies that all local, remote and dynamic port forwardings
@@ -270,11 +274,47 @@ to listen for control connections, but require confirmation using the
 program before they are accepted (see
 .Xr ssh-add 1
 for details).
+If the
+.Cm ControlPath
+can not be opened,
+.Nm ssh
+will continue without connecting to a master instance.
+.Pp
+X11 and
+.Xr ssh-agent 1
+forwarding is supported over these multiplexed connections, however the
+display and agent fowarded will be the one belonging to the master
+connection i.e. it is not possible to forward multiple displays or agents.
+.Pp
+Two additional options allow for opportunistic multiplexing: try to use a
+master connection but fall back to creating a new one if one does not already
+exist.
+These options are:
+.Dq auto
+and
+.Dq autoask .
+The latter requires confirmation like the
+.Dq ask
+option.
 .It Cm ControlPath
-Specify the path to the control socket used for connection sharing.
+Specify the path to the control socket used for connection sharing as described
-See
+in the
 .Cm ControlMaster
-above.
+section above or the string
+.Dq none
+to disable connection sharing.
+In the path,
+.Ql %h
+will be substituted by the target host name,
+.Ql %p
+the port and
+.Ql %r
+by the remote login username.
+It is recommended that any
+.Cm ControlPath
+used for opportunistic connection sharing include
+all three of these escape sequences.
+This ensures that shared connections are uniquely identified.
 .It Cm DynamicForward
 Specifies that a TCP/IP port on the local machine be forwarded
 over the secure channel, and the application
@@ -407,11 +447,21 @@ Forward (delegate) credentials to the server.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPITrustDns
+Set to 
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If 
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI 
+key exchange.
 .It Cm HashKnownHosts
 Indicates that
 .Nm ssh
 should hash host names and addresses when they are added to
-.Pa $HOME/.ssh/known_hosts .
+.Pa ~/.ssh/known_hosts .
 These hashed names may be used normally by
 .Nm ssh
 and
@@ -457,11 +507,11 @@ specifications).
 Specifies a file from which the user's RSA or DSA authentication identity
 is read.
 The default is
-.Pa $HOME/.ssh/identity
+.Pa ~/.ssh/identity
 for protocol version 1, and
-.Pa $HOME/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa
 and
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/id_dsa
 for protocol version 2.
 Additionally, any identities represented by the authentication agent
 will be used for authentication.
@@ -495,21 +545,17 @@ The default is to use the server specified list.
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
-The first argument must be a port number, and the second must be
+The first argument must be
-.Xo
 .Sm off
-.Oo Ar bind_address : Oc
+.Oo Ar bind_address : Oc Ar port
-.Ar host : port
 .Sm on
-.Xc .
+and the second argument must be
+.Ar host : Ns Ar hostport .
 IPv6 addresses can be specified by enclosing addresses in square brackets or
 by using an alternative syntax:
-.Sm off
+.Oo Ar bind_address Ns / Oc Ns Ar port
-.Xo
+and
-.Op Ar bind_address No /
+.Ar host Ns / Ns Ar hostport .
-.Ar host No / Ar port
-.Xc .
-.Sm on
 Multiple forwardings may be specified, and additional forwardings can be
 given on the command line.
 Only the superuser can forward privileged ports.
@@ -571,9 +617,9 @@ Default is 22.
 .It Cm PreferredAuthentications
 Specifies the order in which the client should try protocol 2
 authentication methods.
-This allows a client to prefer one method (e.g.
+This allows a client to prefer one method (e.g.\&
 .Cm keyboard-interactive )
-over another method (e.g.
+over another method (e.g.\&
 .Cm password )
 The default for this option is:
 .Dq hostbased,publickey,keyboard-interactive,password .
@@ -620,6 +666,14 @@ Note that
 .Cm CheckHostIP
 is not available for connects with a proxy command.
 .Pp
+This directive is useful in conjunction with
+.Xr nc 1
+and its proxy support.
+For example, the following directive would connect via an HTTP proxy at
+192.0.2.0:
+.Bd -literal -offset 3n
+ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
+.Ed
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be
@@ -632,21 +686,17 @@ This option applies to protocol version 2 only.
 .It Cm RemoteForward
 Specifies that a TCP/IP port on the remote machine be forwarded over
 the secure channel to the specified host and port from the local machine.
-The first argument must be a port number, and the second must be
+The first argument must be
-.Xo
 .Sm off
-.Oo Ar bind_address : Oc
+.Oo Ar bind_address : Oc Ar port
-.Ar host : port
-.Sm on
-.Xc .
-IPv6 addresses can be specified by enclosing any addresses in square brackets
-or by using the alternative syntax:
-.Sm off
-.Xo
-.Op Ar bind_address No /
-.Ar host No / Ar port
-.Xc .
 .Sm on
+and the second argument must be
+.Ar host : Ns Ar hostport .
+IPv6 addresses can be specified by enclosing addresses in square brackets
+or by using an alternative syntax:
+.Oo Ar bind_address Ns / Oc Ns Ar port
+and
+.Ar host Ns / Ns Ar hostport .
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Only the superuser can forward privileged ports.
@@ -759,7 +809,7 @@ If this flag is set to
 .Dq yes ,
 .Nm ssh
 will never automatically add host keys to the
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
 file, and refuses to connect to hosts whose host key has changed.
 This provides maximum protection against trojan horse attacks,
 however, can be annoying when the
@@ -831,7 +881,7 @@ having to remember to give the user name on the command line.
 .It Cm UserKnownHostsFile
 Specifies a file to use for the user
 host key database instead of
-.Pa $HOME/.ssh/known_hosts .
+.Pa ~/.ssh/known_hosts .
 .It Cm VerifyHostKeyDNS
 Specifies whether to verify the remote key using DNS and SSHFP resource
 records.
@@ -864,7 +914,7 @@ The default is
 .El
 .Sh FILES
 .Bl -tag -width Ds
-.It Pa $HOME/.ssh/config
+.It Pa ~/.ssh/config
 This is the per-user configuration file.
 The format of this file is described above.
 This file is used by the

diff --git a/ssh_config.5 b/ssh_config.5 index 06db04c27..9033185b1 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.47 2005/03/07 23:41:54 jmc Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -43,7 +43,7 @@
43	.Nd OpenSSH SSH client configuration files	43	.Nd OpenSSH SSH client configuration files
44	.Sh SYNOPSIS	44	.Sh SYNOPSIS
45	.Bl -tag -width Ds -compact	45	.Bl -tag -width Ds -compact
46	.It Pa $HOME/.ssh/config	46	.It Pa ~/.ssh/config
47	.It Pa /etc/ssh/ssh_config	47	.It Pa /etc/ssh/ssh_config
48	.El	48	.El
49	.Sh DESCRIPTION	49	.Sh DESCRIPTION
@@ -55,7 +55,7 @@ the following order:
55	command-line options	55	command-line options
56	.It	56	.It
57	user's configuration file	57	user's configuration file
58	.Pq Pa $HOME/.ssh/config	58	.Pq Pa ~/.ssh/config
59	.It	59	.It
60	system-wide configuration file	60	system-wide configuration file
61	.Pq Pa /etc/ssh/ssh_config	61	.Pq Pa /etc/ssh/ssh_config
@@ -136,8 +136,9 @@ or
136	The default is	136	The default is
137	.Dq no .	137	.Dq no .
138	.It Cm BindAddress	138	.It Cm BindAddress
139	Specify the interface to transmit from on machines with multiple	139	Use the specified address on the local machine as the source address of
140	interfaces or aliased addresses.	140	the connection.
		141	Only useful on systems with more than one address.
141	Note that this option does not work if	142	Note that this option does not work if
142	.Cm UsePrivilegedPort	143	.Cm UsePrivilegedPort
143	is set to	144	is set to
@@ -193,14 +194,17 @@ The supported ciphers are
193	.Dq aes128-ctr ,	194	.Dq aes128-ctr ,
194	.Dq aes192-ctr ,	195	.Dq aes192-ctr ,
195	.Dq aes256-ctr ,	196	.Dq aes256-ctr ,
		197	.Dq arcfour128 ,
		198	.Dq arcfour256 ,
196	.Dq arcfour ,	199	.Dq arcfour ,
197	.Dq blowfish-cbc ,	200	.Dq blowfish-cbc ,
198	and	201	and
199	.Dq cast128-cbc .	202	.Dq cast128-cbc .
200	The default is	203	The default is
201	.Bd -literal	204	.Bd -literal
202	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,	205	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
203	aes192-cbc,aes256-cbc''	206	arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
		207	aes192-ctr,aes256-ctr''
204	.Ed	208	.Ed
205	.It Cm ClearAllForwardings	209	.It Cm ClearAllForwardings
206	Specifies that all local, remote and dynamic port forwardings	210	Specifies that all local, remote and dynamic port forwardings
@@ -270,11 +274,47 @@ to listen for control connections, but require confirmation using the
270	program before they are accepted (see	274	program before they are accepted (see
271	.Xr ssh-add 1	275	.Xr ssh-add 1
272	for details).	276	for details).
		277	If the
		278	.Cm ControlPath
		279	can not be opened,
		280	.Nm ssh
		281	will continue without connecting to a master instance.
		282	.Pp
		283	X11 and
		284	.Xr ssh-agent 1
		285	forwarding is supported over these multiplexed connections, however the
		286	display and agent fowarded will be the one belonging to the master
		287	connection i.e. it is not possible to forward multiple displays or agents.
		288	.Pp
		289	Two additional options allow for opportunistic multiplexing: try to use a
		290	master connection but fall back to creating a new one if one does not already
		291	exist.
		292	These options are:
		293	.Dq auto
		294	and
		295	.Dq autoask .
		296	The latter requires confirmation like the
		297	.Dq ask
		298	option.
273	.It Cm ControlPath	299	.It Cm ControlPath
274	Specify the path to the control socket used for connection sharing.	300	Specify the path to the control socket used for connection sharing as described
275	See	301	in the
276	.Cm ControlMaster	302	.Cm ControlMaster
277	above.	303	section above or the string
		304	.Dq none
		305	to disable connection sharing.
		306	In the path,
		307	.Ql %h
		308	will be substituted by the target host name,
		309	.Ql %p
		310	the port and
		311	.Ql %r
		312	by the remote login username.
		313	It is recommended that any
		314	.Cm ControlPath
		315	used for opportunistic connection sharing include
		316	all three of these escape sequences.
		317	This ensures that shared connections are uniquely identified.
278	.It Cm DynamicForward	318	.It Cm DynamicForward
279	Specifies that a TCP/IP port on the local machine be forwarded	319	Specifies that a TCP/IP port on the local machine be forwarded
280	over the secure channel, and the application	320	over the secure channel, and the application
@@ -407,11 +447,21 @@ Forward (delegate) credentials to the server.
407	The default is	447	The default is
408	.Dq no .	448	.Dq no .
409	Note that this option applies to protocol version 2 only.	449	Note that this option applies to protocol version 2 only.
		450	.It Cm GSSAPITrustDns
		451	Set to
		452	.Dq yes to indicate that the DNS is trusted to securely canonicalize
		453	the name of the host being connected to. If
		454	.Dq no, the hostname entered on the
		455	command line will be passed untouched to the GSSAPI library.
		456	The default is
		457	.Dq no .
		458	This option only applies to protocol version 2 connections using GSSAPI
		459	key exchange.
410	.It Cm HashKnownHosts	460	.It Cm HashKnownHosts
411	Indicates that	461	Indicates that
412	.Nm ssh	462	.Nm ssh
413	should hash host names and addresses when they are added to	463	should hash host names and addresses when they are added to
414	.Pa $HOME/.ssh/known_hosts .	464	.Pa ~/.ssh/known_hosts .
415	These hashed names may be used normally by	465	These hashed names may be used normally by
416	.Nm ssh	466	.Nm ssh
417	and	467	and
@@ -457,11 +507,11 @@ specifications).
457	Specifies a file from which the user's RSA or DSA authentication identity	507	Specifies a file from which the user's RSA or DSA authentication identity
458	is read.	508	is read.
459	The default is	509	The default is
460	.Pa $HOME/.ssh/identity	510	.Pa ~/.ssh/identity
461	for protocol version 1, and	511	for protocol version 1, and
462	.Pa $HOME/.ssh/id_rsa	512	.Pa ~/.ssh/id_rsa
463	and	513	and
464	.Pa $HOME/.ssh/id_dsa	514	.Pa ~/.ssh/id_dsa
465	for protocol version 2.	515	for protocol version 2.
466	Additionally, any identities represented by the authentication agent	516	Additionally, any identities represented by the authentication agent
467	will be used for authentication.	517	will be used for authentication.
@@ -495,21 +545,17 @@ The default is to use the server specified list.
495	.It Cm LocalForward	545	.It Cm LocalForward
496	Specifies that a TCP/IP port on the local machine be forwarded over	546	Specifies that a TCP/IP port on the local machine be forwarded over
497	the secure channel to the specified host and port from the remote machine.	547	the secure channel to the specified host and port from the remote machine.
498	The first argument must be a port number, and the second must be	548	The first argument must be
499	.Xo
500	.Sm off	549	.Sm off
501	.Oo Ar bind_address : Oc	550	.Oo Ar bind_address : Oc Ar port
502	.Ar host : port
503	.Sm on	551	.Sm on
504	.Xc .	552	and the second argument must be
		553	.Ar host : Ns Ar hostport .
505	IPv6 addresses can be specified by enclosing addresses in square brackets or	554	IPv6 addresses can be specified by enclosing addresses in square brackets or
506	by using an alternative syntax:	555	by using an alternative syntax:
507	.Sm off	556	.Oo Ar bind_address Ns / Oc Ns Ar port
508	.Xo	557	and
509	.Op Ar bind_address No /	558	.Ar host Ns / Ns Ar hostport .
510	.Ar host No / Ar port
511	.Xc .
512	.Sm on
513	Multiple forwardings may be specified, and additional forwardings can be	559	Multiple forwardings may be specified, and additional forwardings can be
514	given on the command line.	560	given on the command line.
515	Only the superuser can forward privileged ports.	561	Only the superuser can forward privileged ports.
@@ -571,9 +617,9 @@ Default is 22.
571	.It Cm PreferredAuthentications	617	.It Cm PreferredAuthentications
572	Specifies the order in which the client should try protocol 2	618	Specifies the order in which the client should try protocol 2
573	authentication methods.	619	authentication methods.
574	This allows a client to prefer one method (e.g.	620	This allows a client to prefer one method (e.g.\&
575	.Cm keyboard-interactive )	621	.Cm keyboard-interactive )
576	over another method (e.g.	622	over another method (e.g.\&
577	.Cm password )	623	.Cm password )
578	The default for this option is:	624	The default for this option is:
579	.Dq hostbased,publickey,keyboard-interactive,password .	625	.Dq hostbased,publickey,keyboard-interactive,password .
@@ -620,6 +666,14 @@ Note that
620	.Cm CheckHostIP	666	.Cm CheckHostIP
621	is not available for connects with a proxy command.	667	is not available for connects with a proxy command.
622	.Pp	668	.Pp
		669	This directive is useful in conjunction with
		670	.Xr nc 1
		671	and its proxy support.
		672	For example, the following directive would connect via an HTTP proxy at
		673	192.0.2.0:
		674	.Bd -literal -offset 3n
		675	ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
		676	.Ed
623	.It Cm PubkeyAuthentication	677	.It Cm PubkeyAuthentication
624	Specifies whether to try public key authentication.	678	Specifies whether to try public key authentication.
625	The argument to this keyword must be	679	The argument to this keyword must be
@@ -632,21 +686,17 @@ This option applies to protocol version 2 only.
632	.It Cm RemoteForward	686	.It Cm RemoteForward
633	Specifies that a TCP/IP port on the remote machine be forwarded over	687	Specifies that a TCP/IP port on the remote machine be forwarded over
634	the secure channel to the specified host and port from the local machine.	688	the secure channel to the specified host and port from the local machine.
635	The first argument must be a port number, and the second must be	689	The first argument must be
636	.Xo
637	.Sm off	690	.Sm off
638	.Oo Ar bind_address : Oc	691	.Oo Ar bind_address : Oc Ar port
639	.Ar host : port
640	.Sm on
641	.Xc .
642	IPv6 addresses can be specified by enclosing any addresses in square brackets
643	or by using the alternative syntax:
644	.Sm off
645	.Xo
646	.Op Ar bind_address No /
647	.Ar host No / Ar port
648	.Xc .
649	.Sm on	692	.Sm on
		693	and the second argument must be
		694	.Ar host : Ns Ar hostport .
		695	IPv6 addresses can be specified by enclosing addresses in square brackets
		696	or by using an alternative syntax:
		697	.Oo Ar bind_address Ns / Oc Ns Ar port
		698	and
		699	.Ar host Ns / Ns Ar hostport .
650	Multiple forwardings may be specified, and additional	700	Multiple forwardings may be specified, and additional
651	forwardings can be given on the command line.	701	forwardings can be given on the command line.
652	Only the superuser can forward privileged ports.	702	Only the superuser can forward privileged ports.
@@ -759,7 +809,7 @@ If this flag is set to
759	.Dq yes ,	809	.Dq yes ,
760	.Nm ssh	810	.Nm ssh
761	will never automatically add host keys to the	811	will never automatically add host keys to the
762	.Pa $HOME/.ssh/known_hosts	812	.Pa ~/.ssh/known_hosts
763	file, and refuses to connect to hosts whose host key has changed.	813	file, and refuses to connect to hosts whose host key has changed.
764	This provides maximum protection against trojan horse attacks,	814	This provides maximum protection against trojan horse attacks,
765	however, can be annoying when the	815	however, can be annoying when the
@@ -831,7 +881,7 @@ having to remember to give the user name on the command line.
831	.It Cm UserKnownHostsFile	881	.It Cm UserKnownHostsFile
832	Specifies a file to use for the user	882	Specifies a file to use for the user
833	host key database instead of	883	host key database instead of
834	.Pa $HOME/.ssh/known_hosts .	884	.Pa ~/.ssh/known_hosts .
835	.It Cm VerifyHostKeyDNS	885	.It Cm VerifyHostKeyDNS
836	Specifies whether to verify the remote key using DNS and SSHFP resource	886	Specifies whether to verify the remote key using DNS and SSHFP resource
837	records.	887	records.
@@ -864,7 +914,7 @@ The default is
864	.El	914	.El
865	.Sh FILES	915	.Sh FILES
866	.Bl -tag -width Ds	916	.Bl -tag -width Ds
867	.It Pa $HOME/.ssh/config	917	.It Pa ~/.ssh/config
868	This is the per-user configuration file.	918	This is the per-user configuration file.
869	The format of this file is described above.	919	The format of this file is described above.
870	This file is used by the	920	This file is used by the