1 files changed, 37 insertions, 12 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 4d5b01d3e..412629637 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.286 2018/10/03 06:38:35 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $
-.Dd $Mdocdate: October 3 2018 $
+.Dd $Mdocdate: March 1 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -139,6 +139,7 @@ or the single token
 which always matches.
 The available criteria keywords are:
 .Cm canonical ,
+.Cm final ,
 .Cm exec ,
 .Cm host ,
 .Cm originalhost ,
@@ -148,12 +149,15 @@ and
 The
 .Cm all
 criteria must appear alone or immediately after
-.Cm canonical .
+.Cm canonical
+or
+.Cm final .
 Other criteria may be combined arbitrarily.
 All criteria but
-.Cm all
+.Cm all ,
+.Cm canonical ,
 and
-.Cm canonical
+.Cm final
 require an argument.
 Criteria may be negated by prepending an exclamation mark
 .Pq Sq !\& .
@@ -163,9 +167,23 @@ The
 keyword matches only when the configuration file is being re-parsed
 after hostname canonicalization (see the
 .Cm CanonicalizeHostname
-option.)
+option).
 This may be useful to specify conditions that work with canonical host
 names only.
+.Pp
+The
+.Cm final
+keyword requests that the configuration be re-parsed (regardless of whether
+.Cm CanonicalizeHostname
+is enabled), and matches only during this final pass.
+If
+.Cm CanonicalizeHostname
+is enabled, then
+.Cm canonical
+and
+.Cm final
+match during the same pass.
+.Pp
 The
 .Cm exec
 keyword executes the specified command under the user's shell.
@@ -1040,7 +1058,6 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group16-sha512,
 diffie-hellman-group18-sha512,
-diffie-hellman-group-exchange-sha1,
 diffie-hellman-group14-sha256,
 diffie-hellman-group14-sha1
 .Ed
@@ -1163,11 +1180,13 @@ or
 .Cm no
 (the default).
 .It Cm PKCS11Provider
-Specifies which PKCS#11 provider to use.
+Specifies which PKCS#11 provider to use or
-The argument to this keyword is the PKCS#11 shared library
+.Cm none
+to indicate that no provider should be used (the default).
+The argument to this keyword is a path to the PKCS#11 shared library
 .Xr ssh 1
-should use to communicate with a PKCS#11 token providing the user's
+should use to communicate with a PKCS#11 token providing keys for user
-private RSA key.
+authentication.
 .It Cm Port
 Specifies the port number to connect on the remote host.
 The default is 22.
@@ -1245,6 +1264,12 @@ Note that this option will compete with the
 .Cm ProxyCommand
 option - whichever is specified first will prevent later instances of the
 other from taking effect.
+.Pp
+Note also that the configuration for the destination host (either supplied
+via the command-line or the configuration file) is not generally applied
+to jump hosts.
+.Pa ~/.ssh/config
+should be used if specific configuration is required for jump hosts.
 .It Cm ProxyUseFdpass
 Specifies that
 .Cm ProxyCommand
@@ -1785,7 +1810,7 @@ This is the per-user configuration file.
 The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
-read/write for the user, and not accessible by others.
+read/write for the user, and not writable by others.
 .It Pa /etc/ssh/ssh_config
 Systemwide configuration file.
 This file provides defaults for those

diff --git a/ssh_config.5 b/ssh_config.5 index 4d5b01d3e..412629637 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.286 2018/10/03 06:38:35 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $
37	.Dd $Mdocdate: October 3 2018 $	37	.Dd $Mdocdate: March 1 2019 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -139,6 +139,7 @@ or the single token
139	which always matches.	139	which always matches.
140	The available criteria keywords are:	140	The available criteria keywords are:
141	.Cm canonical ,	141	.Cm canonical ,
		142	.Cm final ,
142	.Cm exec ,	143	.Cm exec ,
143	.Cm host ,	144	.Cm host ,
144	.Cm originalhost ,	145	.Cm originalhost ,
@@ -148,12 +149,15 @@ and
148	The	149	The
149	.Cm all	150	.Cm all
150	criteria must appear alone or immediately after	151	criteria must appear alone or immediately after
151	.Cm canonical .	152	.Cm canonical
		153	or
		154	.Cm final .
152	Other criteria may be combined arbitrarily.	155	Other criteria may be combined arbitrarily.
153	All criteria but	156	All criteria but
154	.Cm all	157	.Cm all ,
		158	.Cm canonical ,
155	and	159	and
156	.Cm canonical	160	.Cm final
157	require an argument.	161	require an argument.
158	Criteria may be negated by prepending an exclamation mark	162	Criteria may be negated by prepending an exclamation mark
159	.Pq Sq !\& .	163	.Pq Sq !\& .
@@ -163,9 +167,23 @@ The
163	keyword matches only when the configuration file is being re-parsed	167	keyword matches only when the configuration file is being re-parsed
164	after hostname canonicalization (see the	168	after hostname canonicalization (see the
165	.Cm CanonicalizeHostname	169	.Cm CanonicalizeHostname
166	option.)	170	option).
167	This may be useful to specify conditions that work with canonical host	171	This may be useful to specify conditions that work with canonical host
168	names only.	172	names only.
		173	.Pp
		174	The
		175	.Cm final
		176	keyword requests that the configuration be re-parsed (regardless of whether
		177	.Cm CanonicalizeHostname
		178	is enabled), and matches only during this final pass.
		179	If
		180	.Cm CanonicalizeHostname
		181	is enabled, then
		182	.Cm canonical
		183	and
		184	.Cm final
		185	match during the same pass.
		186	.Pp
169	The	187	The
170	.Cm exec	188	.Cm exec
171	keyword executes the specified command under the user's shell.	189	keyword executes the specified command under the user's shell.
@@ -1040,7 +1058,6 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1040	diffie-hellman-group-exchange-sha256,	1058	diffie-hellman-group-exchange-sha256,
1041	diffie-hellman-group16-sha512,	1059	diffie-hellman-group16-sha512,
1042	diffie-hellman-group18-sha512,	1060	diffie-hellman-group18-sha512,
1043	diffie-hellman-group-exchange-sha1,
1044	diffie-hellman-group14-sha256,	1061	diffie-hellman-group14-sha256,
1045	diffie-hellman-group14-sha1	1062	diffie-hellman-group14-sha1
1046	.Ed	1063	.Ed
@@ -1163,11 +1180,13 @@ or
1163	.Cm no	1180	.Cm no
1164	(the default).	1181	(the default).
1165	.It Cm PKCS11Provider	1182	.It Cm PKCS11Provider
1166	Specifies which PKCS#11 provider to use.	1183	Specifies which PKCS#11 provider to use or
1167	The argument to this keyword is the PKCS#11 shared library	1184	.Cm none
		1185	to indicate that no provider should be used (the default).
		1186	The argument to this keyword is a path to the PKCS#11 shared library
1168	.Xr ssh 1	1187	.Xr ssh 1
1169	should use to communicate with a PKCS#11 token providing the user's	1188	should use to communicate with a PKCS#11 token providing keys for user
1170	private RSA key.	1189	authentication.
1171	.It Cm Port	1190	.It Cm Port
1172	Specifies the port number to connect on the remote host.	1191	Specifies the port number to connect on the remote host.
1173	The default is 22.	1192	The default is 22.
@@ -1245,6 +1264,12 @@ Note that this option will compete with the
1245	.Cm ProxyCommand	1264	.Cm ProxyCommand
1246	option - whichever is specified first will prevent later instances of the	1265	option - whichever is specified first will prevent later instances of the
1247	other from taking effect.	1266	other from taking effect.
		1267	.Pp
		1268	Note also that the configuration for the destination host (either supplied
		1269	via the command-line or the configuration file) is not generally applied
		1270	to jump hosts.
		1271	.Pa ~/.ssh/config
		1272	should be used if specific configuration is required for jump hosts.
1248	.It Cm ProxyUseFdpass	1273	.It Cm ProxyUseFdpass
1249	Specifies that	1274	Specifies that
1250	.Cm ProxyCommand	1275	.Cm ProxyCommand
@@ -1785,7 +1810,7 @@ This is the per-user configuration file.
1785	The format of this file is described above.	1810	The format of this file is described above.
1786	This file is used by the SSH client.	1811	This file is used by the SSH client.
1787	Because of the potential for abuse, this file must have strict permissions:	1812	Because of the potential for abuse, this file must have strict permissions:
1788	read/write for the user, and not accessible by others.	1813	read/write for the user, and not writable by others.
1789	.It Pa /etc/ssh/ssh_config	1814	.It Pa /etc/ssh/ssh_config
1790	Systemwide configuration file.	1815	Systemwide configuration file.
1791	This file provides defaults for those	1816	This file provides defaults for those