1 files changed, 65 insertions, 17 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index b35753307..9ddb09480 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -43,7 +43,7 @@
 .Nd OpenSSH SSH client configuration files
 .Sh SYNOPSIS
 .Bl -tag -width Ds -compact
-.It Pa $HOME/.ssh/config
+.It Pa ~/.ssh/config
 .It Pa /etc/ssh/ssh_config
 .El
 .Sh DESCRIPTION
@@ -55,7 +55,7 @@ the following order:
 command-line options
 .It
 user's configuration file
-.Pq Pa $HOME/.ssh/config
+.Pq Pa ~/.ssh/config
 .It
 system-wide configuration file
 .Pq Pa /etc/ssh/ssh_config
@@ -136,8 +136,9 @@ or
 The default is
 .Dq no .
 .It Cm BindAddress
-Specify the interface to transmit from on machines with multiple
+Use the specified address on the local machine as the source address of
-interfaces or aliased addresses.
+the connection.
+Only useful on systems with more than one address.
 Note that this option does not work if
 .Cm UsePrivilegedPort
 is set to
@@ -193,14 +194,17 @@ The supported ciphers are
 .Dq aes128-ctr ,
 .Dq aes192-ctr ,
 .Dq aes256-ctr ,
+.Dq arcfour128 ,
+.Dq arcfour256 ,
 .Dq arcfour ,
 .Dq blowfish-cbc ,
 and
 .Dq cast128-cbc .
 The default is
 .Bd -literal
-  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-    aes192-cbc,aes256-cbc''
+    arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+    aes192-ctr,aes256-ctr''
 .Ed
 .It Cm ClearAllForwardings
 Specifies that all local, remote and dynamic port forwardings
@@ -270,11 +274,47 @@ to listen for control connections, but require confirmation using the
 program before they are accepted (see
 .Xr ssh-add 1
 for details).
+If the
+.Cm ControlPath
+can not be opened,
+.Nm ssh
+will continue without connecting to a master instance.
+.Pp
+X11 and
+.Xr ssh-agent 1
+forwarding is supported over these multiplexed connections, however the
+display and agent fowarded will be the one belonging to the master
+connection i.e. it is not possible to forward multiple displays or agents.
+.Pp
+Two additional options allow for opportunistic multiplexing: try to use a
+master connection but fall back to creating a new one if one does not already
+exist.
+These options are:
+.Dq auto
+and
+.Dq autoask .
+The latter requires confirmation like the
+.Dq ask
+option.
 .It Cm ControlPath
-Specify the path to the control socket used for connection sharing.
+Specify the path to the control socket used for connection sharing as described
-See
+in the
 .Cm ControlMaster
-above.
+section above or the string
+.Dq none
+to disable connection sharing.
+In the path,
+.Ql %h
+will be substituted by the target host name,
+.Ql %p
+the port and
+.Ql %r
+by the remote login username.
+It is recommended that any
+.Cm ControlPath
+used for opportunistic connection sharing include
+all three of these escape sequences.
+This ensures that shared connections are uniquely identified.
 .It Cm DynamicForward
 Specifies that a TCP/IP port on the local machine be forwarded
 over the secure channel, and the application
@@ -411,7 +451,7 @@ Note that this option applies to protocol version 2 only.
 Indicates that
 .Nm ssh
 should hash host names and addresses when they are added to
-.Pa $HOME/.ssh/known_hosts .
+.Pa ~/.ssh/known_hosts .
 These hashed names may be used normally by
 .Nm ssh
 and
@@ -457,11 +497,11 @@ specifications).
 Specifies a file from which the user's RSA or DSA authentication identity
 is read.
 The default is
-.Pa $HOME/.ssh/identity
+.Pa ~/.ssh/identity
 for protocol version 1, and
-.Pa $HOME/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa
 and
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/id_dsa
 for protocol version 2.
 Additionally, any identities represented by the authentication agent
 will be used for authentication.
@@ -616,6 +656,14 @@ Note that
 .Cm CheckHostIP
 is not available for connects with a proxy command.
 .Pp
+This directive is useful in conjunction with
+.Xr nc 1
+and its proxy support.
+For example, the following directive would connect via an HTTP proxy at
+192.0.2.0:
+.Bd -literal -offset 3n
+ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
+.Ed
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be
@@ -751,7 +799,7 @@ If this flag is set to
 .Dq yes ,
 .Nm ssh
 will never automatically add host keys to the
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
 file, and refuses to connect to hosts whose host key has changed.
 This provides maximum protection against trojan horse attacks,
 however, can be annoying when the
@@ -823,7 +871,7 @@ having to remember to give the user name on the command line.
 .It Cm UserKnownHostsFile
 Specifies a file to use for the user
 host key database instead of
-.Pa $HOME/.ssh/known_hosts .
+.Pa ~/.ssh/known_hosts .
 .It Cm VerifyHostKeyDNS
 Specifies whether to verify the remote key using DNS and SSHFP resource
 records.
@@ -856,7 +904,7 @@ The default is
 .El
 .Sh FILES
 .Bl -tag -width Ds
-.It Pa $HOME/.ssh/config
+.It Pa ~/.ssh/config
 This is the per-user configuration file.
 The format of this file is described above.
 This file is used by the

diff --git a/ssh_config.5 b/ssh_config.5 index b35753307..9ddb09480 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -43,7 +43,7 @@
43	.Nd OpenSSH SSH client configuration files	43	.Nd OpenSSH SSH client configuration files
44	.Sh SYNOPSIS	44	.Sh SYNOPSIS
45	.Bl -tag -width Ds -compact	45	.Bl -tag -width Ds -compact
46	.It Pa $HOME/.ssh/config	46	.It Pa ~/.ssh/config
47	.It Pa /etc/ssh/ssh_config	47	.It Pa /etc/ssh/ssh_config
48	.El	48	.El
49	.Sh DESCRIPTION	49	.Sh DESCRIPTION
@@ -55,7 +55,7 @@ the following order:
55	command-line options	55	command-line options
56	.It	56	.It
57	user's configuration file	57	user's configuration file
58	.Pq Pa $HOME/.ssh/config	58	.Pq Pa ~/.ssh/config
59	.It	59	.It
60	system-wide configuration file	60	system-wide configuration file
61	.Pq Pa /etc/ssh/ssh_config	61	.Pq Pa /etc/ssh/ssh_config
@@ -136,8 +136,9 @@ or
136	The default is	136	The default is
137	.Dq no .	137	.Dq no .
138	.It Cm BindAddress	138	.It Cm BindAddress
139	Specify the interface to transmit from on machines with multiple	139	Use the specified address on the local machine as the source address of
140	interfaces or aliased addresses.	140	the connection.
		141	Only useful on systems with more than one address.
141	Note that this option does not work if	142	Note that this option does not work if
142	.Cm UsePrivilegedPort	143	.Cm UsePrivilegedPort
143	is set to	144	is set to
@@ -193,14 +194,17 @@ The supported ciphers are
193	.Dq aes128-ctr ,	194	.Dq aes128-ctr ,
194	.Dq aes192-ctr ,	195	.Dq aes192-ctr ,
195	.Dq aes256-ctr ,	196	.Dq aes256-ctr ,
		197	.Dq arcfour128 ,
		198	.Dq arcfour256 ,
196	.Dq arcfour ,	199	.Dq arcfour ,
197	.Dq blowfish-cbc ,	200	.Dq blowfish-cbc ,
198	and	201	and
199	.Dq cast128-cbc .	202	.Dq cast128-cbc .
200	The default is	203	The default is
201	.Bd -literal	204	.Bd -literal
202	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,	205	``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
203	aes192-cbc,aes256-cbc''	206	arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
		207	aes192-ctr,aes256-ctr''
204	.Ed	208	.Ed
205	.It Cm ClearAllForwardings	209	.It Cm ClearAllForwardings
206	Specifies that all local, remote and dynamic port forwardings	210	Specifies that all local, remote and dynamic port forwardings
@@ -270,11 +274,47 @@ to listen for control connections, but require confirmation using the
270	program before they are accepted (see	274	program before they are accepted (see
271	.Xr ssh-add 1	275	.Xr ssh-add 1
272	for details).	276	for details).
		277	If the
		278	.Cm ControlPath
		279	can not be opened,
		280	.Nm ssh
		281	will continue without connecting to a master instance.
		282	.Pp
		283	X11 and
		284	.Xr ssh-agent 1
		285	forwarding is supported over these multiplexed connections, however the
		286	display and agent fowarded will be the one belonging to the master
		287	connection i.e. it is not possible to forward multiple displays or agents.
		288	.Pp
		289	Two additional options allow for opportunistic multiplexing: try to use a
		290	master connection but fall back to creating a new one if one does not already
		291	exist.
		292	These options are:
		293	.Dq auto
		294	and
		295	.Dq autoask .
		296	The latter requires confirmation like the
		297	.Dq ask
		298	option.
273	.It Cm ControlPath	299	.It Cm ControlPath
274	Specify the path to the control socket used for connection sharing.	300	Specify the path to the control socket used for connection sharing as described
275	See	301	in the
276	.Cm ControlMaster	302	.Cm ControlMaster
277	above.	303	section above or the string
		304	.Dq none
		305	to disable connection sharing.
		306	In the path,
		307	.Ql %h
		308	will be substituted by the target host name,
		309	.Ql %p
		310	the port and
		311	.Ql %r
		312	by the remote login username.
		313	It is recommended that any
		314	.Cm ControlPath
		315	used for opportunistic connection sharing include
		316	all three of these escape sequences.
		317	This ensures that shared connections are uniquely identified.
278	.It Cm DynamicForward	318	.It Cm DynamicForward
279	Specifies that a TCP/IP port on the local machine be forwarded	319	Specifies that a TCP/IP port on the local machine be forwarded
280	over the secure channel, and the application	320	over the secure channel, and the application
@@ -411,7 +451,7 @@ Note that this option applies to protocol version 2 only.
411	Indicates that	451	Indicates that
412	.Nm ssh	452	.Nm ssh
413	should hash host names and addresses when they are added to	453	should hash host names and addresses when they are added to
414	.Pa $HOME/.ssh/known_hosts .	454	.Pa ~/.ssh/known_hosts .
415	These hashed names may be used normally by	455	These hashed names may be used normally by
416	.Nm ssh	456	.Nm ssh
417	and	457	and
@@ -457,11 +497,11 @@ specifications).
457	Specifies a file from which the user's RSA or DSA authentication identity	497	Specifies a file from which the user's RSA or DSA authentication identity
458	is read.	498	is read.
459	The default is	499	The default is
460	.Pa $HOME/.ssh/identity	500	.Pa ~/.ssh/identity
461	for protocol version 1, and	501	for protocol version 1, and
462	.Pa $HOME/.ssh/id_rsa	502	.Pa ~/.ssh/id_rsa
463	and	503	and
464	.Pa $HOME/.ssh/id_dsa	504	.Pa ~/.ssh/id_dsa
465	for protocol version 2.	505	for protocol version 2.
466	Additionally, any identities represented by the authentication agent	506	Additionally, any identities represented by the authentication agent
467	will be used for authentication.	507	will be used for authentication.
@@ -616,6 +656,14 @@ Note that
616	.Cm CheckHostIP	656	.Cm CheckHostIP
617	is not available for connects with a proxy command.	657	is not available for connects with a proxy command.
618	.Pp	658	.Pp
		659	This directive is useful in conjunction with
		660	.Xr nc 1
		661	and its proxy support.
		662	For example, the following directive would connect via an HTTP proxy at
		663	192.0.2.0:
		664	.Bd -literal -offset 3n
		665	ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
		666	.Ed
619	.It Cm PubkeyAuthentication	667	.It Cm PubkeyAuthentication
620	Specifies whether to try public key authentication.	668	Specifies whether to try public key authentication.
621	The argument to this keyword must be	669	The argument to this keyword must be
@@ -751,7 +799,7 @@ If this flag is set to
751	.Dq yes ,	799	.Dq yes ,
752	.Nm ssh	800	.Nm ssh
753	will never automatically add host keys to the	801	will never automatically add host keys to the
754	.Pa $HOME/.ssh/known_hosts	802	.Pa ~/.ssh/known_hosts
755	file, and refuses to connect to hosts whose host key has changed.	803	file, and refuses to connect to hosts whose host key has changed.
756	This provides maximum protection against trojan horse attacks,	804	This provides maximum protection against trojan horse attacks,
757	however, can be annoying when the	805	however, can be annoying when the
@@ -823,7 +871,7 @@ having to remember to give the user name on the command line.
823	.It Cm UserKnownHostsFile	871	.It Cm UserKnownHostsFile
824	Specifies a file to use for the user	872	Specifies a file to use for the user
825	host key database instead of	873	host key database instead of
826	.Pa $HOME/.ssh/known_hosts .	874	.Pa ~/.ssh/known_hosts .
827	.It Cm VerifyHostKeyDNS	875	.It Cm VerifyHostKeyDNS
828	Specifies whether to verify the remote key using DNS and SSHFP resource	876	Specifies whether to verify the remote key using DNS and SSHFP resource
829	records.	877	records.
@@ -856,7 +904,7 @@ The default is
856	.El	904	.El
857	.Sh FILES	905	.Sh FILES
858	.Bl -tag -width Ds	906	.Bl -tag -width Ds
859	.It Pa $HOME/.ssh/config	907	.It Pa ~/.ssh/config
860	This is the per-user configuration file.	908	This is the per-user configuration file.
861	The format of this file is described above.	909	The format of this file is described above.
862	This file is used by the	910	This file is used by the