1 files changed, 62 insertions, 10 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 9a103f22b..aaa435a9d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.211 2015/06/02 09:10:40 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $
-.Dd $Mdocdate: June 2 2015 $
+.Dd $Mdocdate: July 30 2015 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -393,6 +393,11 @@ The default is
 Specifies the ciphers allowed for protocol version 2
 in order of preference.
 Multiple ciphers must be comma-separated.
+If the specified value begins with a
+.Sq +
+character, then the specified ciphers will be appended to the default set
+instead of replacing them.
+.Pp
 The supported ciphers are:
 .Pp
 .Bl -item -compact -offset indent
@@ -839,9 +844,21 @@ is similar to
 .It Cm HostbasedKeyTypes
 Specifies the key types that will be used for hostbased authentication
 as a comma-separated pattern list.
-The default
+Alternately if the specified value begins with a
-.Dq *
+.Sq +
-will allow all key types.
+character, then the specified key types will be appended to the default set
+instead of replacing them.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
 The
 .Fl Q
 option of
@@ -850,16 +867,19 @@ may be used to list supported key types.
 .It Cm HostKeyAlgorithms
 Specifies the protocol version 2 host key algorithms
 that the client wants to use in order of preference.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified key types will be appended to the default set
+instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
-ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa,ssh-dss
+ssh-ed25519,ssh-rsa
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
@@ -1032,14 +1052,17 @@ and
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified methods will be appended to the default set
+instead of replacing them.
 The default is:
 .Bd -literal -offset indent
 curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group-exchange-sha1,
-diffie-hellman-group14-sha1,
+diffie-hellman-group14-sha1
-diffie-hellman-group1-sha1
 .Ed
 .Pp
 The list of available key exchange algorithms may also be obtained using the
@@ -1121,10 +1144,16 @@ in order of preference.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+If the specified value begins with a
+.Sq +
+character, then the specified algorithms will be appended to the default set
+instead of replacing them.
+.Pp
 The algorithms that contain
 .Dq -etm
 calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
+.Pp
 The default is:
 .Bd -literal -offset indent
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
@@ -1265,6 +1294,29 @@ will pass a connected file descriptor back to
 instead of continuing to execute and pass data.
 The default is
 .Dq no .
+.It Cm PubkeyAcceptedKeyTypes
+Specifies the key types that will be used for public key authentication
+as a comma-separated pattern list.
+Alternately if the specified value begins with a
+.Sq +
+character, then the key types after it will be appended to the default
+instead of replacing it.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
+The
+.Fl Q
+option of
+.Xr ssh 1
+may be used to list supported key types.
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be

diff --git a/ssh_config.5 b/ssh_config.5 index 9a103f22b..aaa435a9d 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.211 2015/06/02 09:10:40 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $
37	.Dd $Mdocdate: June 2 2015 $	37	.Dd $Mdocdate: July 30 2015 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -393,6 +393,11 @@ The default is
393	Specifies the ciphers allowed for protocol version 2	393	Specifies the ciphers allowed for protocol version 2
394	in order of preference.	394	in order of preference.
395	Multiple ciphers must be comma-separated.	395	Multiple ciphers must be comma-separated.
		396	If the specified value begins with a
		397	.Sq +
		398	character, then the specified ciphers will be appended to the default set
		399	instead of replacing them.
		400	.Pp
396	The supported ciphers are:	401	The supported ciphers are:
397	.Pp	402	.Pp
398	.Bl -item -compact -offset indent	403	.Bl -item -compact -offset indent
@@ -839,9 +844,21 @@ is similar to
839	.It Cm HostbasedKeyTypes	844	.It Cm HostbasedKeyTypes
840	Specifies the key types that will be used for hostbased authentication	845	Specifies the key types that will be used for hostbased authentication
841	as a comma-separated pattern list.	846	as a comma-separated pattern list.
842	The default	847	Alternately if the specified value begins with a
843	.Dq *	848	.Sq +
844	will allow all key types.	849	character, then the specified key types will be appended to the default set
		850	instead of replacing them.
		851	The default for this option is:
		852	.Bd -literal -offset 3n
		853	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		854	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		855	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		856	ssh-ed25519-cert-v01@openssh.com,
		857	ssh-rsa-cert-v01@openssh.com,
		858	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		859	ssh-ed25519,ssh-rsa
		860	.Ed
		861	.Pp
845	The	862	The
846	.Fl Q	863	.Fl Q
847	option of	864	option of
@@ -850,16 +867,19 @@ may be used to list supported key types.
850	.It Cm HostKeyAlgorithms	867	.It Cm HostKeyAlgorithms
851	Specifies the protocol version 2 host key algorithms	868	Specifies the protocol version 2 host key algorithms
852	that the client wants to use in order of preference.	869	that the client wants to use in order of preference.
		870	Alternately if the specified value begins with a
		871	.Sq +
		872	character, then the specified key types will be appended to the default set
		873	instead of replacing them.
853	The default for this option is:	874	The default for this option is:
854	.Bd -literal -offset 3n	875	.Bd -literal -offset 3n
855	ecdsa-sha2-nistp256-cert-v01@openssh.com,	876	ecdsa-sha2-nistp256-cert-v01@openssh.com,
856	ecdsa-sha2-nistp384-cert-v01@openssh.com,	877	ecdsa-sha2-nistp384-cert-v01@openssh.com,
857	ecdsa-sha2-nistp521-cert-v01@openssh.com,	878	ecdsa-sha2-nistp521-cert-v01@openssh.com,
858	ssh-ed25519-cert-v01@openssh.com,	879	ssh-ed25519-cert-v01@openssh.com,
859	ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,	880	ssh-rsa-cert-v01@openssh.com,
860	ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
861	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	881	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
862	ssh-ed25519,ssh-rsa,ssh-dss	882	ssh-ed25519,ssh-rsa
863	.Ed	883	.Ed
864	.Pp	884	.Pp
865	If hostkeys are known for the destination host then this default is modified	885	If hostkeys are known for the destination host then this default is modified
@@ -1032,14 +1052,17 @@ and
1032	.It Cm KexAlgorithms	1052	.It Cm KexAlgorithms
1033	Specifies the available KEX (Key Exchange) algorithms.	1053	Specifies the available KEX (Key Exchange) algorithms.
1034	Multiple algorithms must be comma-separated.	1054	Multiple algorithms must be comma-separated.
		1055	Alternately if the specified value begins with a
		1056	.Sq +
		1057	character, then the specified methods will be appended to the default set
		1058	instead of replacing them.
1035	The default is:	1059	The default is:
1036	.Bd -literal -offset indent	1060	.Bd -literal -offset indent
1037	curve25519-sha256@libssh.org,	1061	curve25519-sha256@libssh.org,
1038	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	1062	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1039	diffie-hellman-group-exchange-sha256,	1063	diffie-hellman-group-exchange-sha256,
1040	diffie-hellman-group-exchange-sha1,	1064	diffie-hellman-group-exchange-sha1,
1041	diffie-hellman-group14-sha1,	1065	diffie-hellman-group14-sha1
1042	diffie-hellman-group1-sha1
1043	.Ed	1066	.Ed
1044	.Pp	1067	.Pp
1045	The list of available key exchange algorithms may also be obtained using the	1068	The list of available key exchange algorithms may also be obtained using the
@@ -1121,10 +1144,16 @@ in order of preference.
1121	The MAC algorithm is used in protocol version 2	1144	The MAC algorithm is used in protocol version 2
1122	for data integrity protection.	1145	for data integrity protection.
1123	Multiple algorithms must be comma-separated.	1146	Multiple algorithms must be comma-separated.
		1147	If the specified value begins with a
		1148	.Sq +
		1149	character, then the specified algorithms will be appended to the default set
		1150	instead of replacing them.
		1151	.Pp
1124	The algorithms that contain	1152	The algorithms that contain
1125	.Dq -etm	1153	.Dq -etm
1126	calculate the MAC after encryption (encrypt-then-mac).	1154	calculate the MAC after encryption (encrypt-then-mac).
1127	These are considered safer and their use recommended.	1155	These are considered safer and their use recommended.
		1156	.Pp
1128	The default is:	1157	The default is:
1129	.Bd -literal -offset indent	1158	.Bd -literal -offset indent
1130	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	1159	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
@@ -1265,6 +1294,29 @@ will pass a connected file descriptor back to
1265	instead of continuing to execute and pass data.	1294	instead of continuing to execute and pass data.
1266	The default is	1295	The default is
1267	.Dq no .	1296	.Dq no .
		1297	.It Cm PubkeyAcceptedKeyTypes
		1298	Specifies the key types that will be used for public key authentication
		1299	as a comma-separated pattern list.
		1300	Alternately if the specified value begins with a
		1301	.Sq +
		1302	character, then the key types after it will be appended to the default
		1303	instead of replacing it.
		1304	The default for this option is:
		1305	.Bd -literal -offset 3n
		1306	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		1307	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		1308	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		1309	ssh-ed25519-cert-v01@openssh.com,
		1310	ssh-rsa-cert-v01@openssh.com,
		1311	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		1312	ssh-ed25519,ssh-rsa
		1313	.Ed
		1314	.Pp
		1315	The
		1316	.Fl Q
		1317	option of
		1318	.Xr ssh 1
		1319	may be used to list supported key types.
1268	.It Cm PubkeyAuthentication	1320	.It Cm PubkeyAuthentication
1269	Specifies whether to try public key authentication.	1321	Specifies whether to try public key authentication.
1270	The argument to this keyword must be	1322	The argument to this keyword must be