1 files changed, 31 insertions, 26 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 91beb6f50..2574b1004 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.322 2020/02/07 03:54:44 dtucker Exp $
+.\" $OpenBSD: ssh_config.5,v 1.325 2020/04/11 20:20:09 jmc Exp $
-.Dd $Mdocdate: February 7 2020 $
+.Dd $Mdocdate: April 11 2020 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -853,8 +853,8 @@ gss-curve25519-sha256-
 .Ed
 .Pp
 The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- .
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
-This option only applies to protocol version 2 connections using GSSAPI.
+This option only applies to connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
@@ -1211,12 +1211,15 @@ has been enabled.
 .It Cm LocalForward
 Specifies that a TCP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
-The first argument must be
+The first argument specifies the listener and may be
 .Sm off
 .Oo Ar bind_address : Oc Ar port
 .Sm on
-and the second argument must be
+or a Unix domain socket path.
-.Ar host : Ns Ar hostport .
+The second argument is the destination and may be
+.Ar host : Ns Ar hostport
+or a Unix domain socket path if the remote host supports it.
+.Pp
 IPv6 addresses can be specified by enclosing addresses in square brackets.
 Multiple forwardings may be specified, and additional forwardings can be
 given on the command line.
@@ -1235,6 +1238,9 @@ indicates that the listening port be bound for local use only, while an
 empty address or
 .Sq *
 indicates that the port should be available from all interfaces.
+Unix domain socket paths accept the tokens described in the
+.Sx TOKENS
+section.
 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
 .Xr ssh 1 .
@@ -1487,12 +1493,14 @@ the secure channel.
 The remote port may either be forwarded to a specified host and port
 from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
 client to connect to arbitrary destinations from the local machine.
-The first argument must be
+The first argument is the listening specification and may be
 .Sm off
 .Oo Ar bind_address : Oc Ar port
 .Sm on
+or, if the remote host supports it, a Unix domain socket path.
 If forwarding to a specific destination then the second argument must be
-.Ar host : Ns Ar hostport ,
+.Ar host : Ns Ar hostport
+or a Unix domain socket path,
 otherwise if no destination argument is specified then the remote forwarding
 will be established as a SOCKS proxy.
 .Pp
@@ -1501,6 +1509,9 @@ Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Privileged ports can be forwarded only when
 logging in as root on the remote machine.
+Unix domain socket paths accept the tokens described in the
+.Sx TOKENS
+section.
 .Pp
 If the
 .Ar port
@@ -1944,31 +1955,25 @@ otherwise.
 The local username.
 .El
 .Pp
-.Cm Match exec
+.Cm CertificateFile ,
-accepts the tokens %%, %h, %i, %L, %l, %n, %p, %r, and %u.
+.Cm ControlPath ,
-.Pp
+.Cm IdentityAgent ,
-.Cm CertificateFile
+.Cm IdentityFile ,
-accepts the tokens %%, %d, %h, %i, %l, %r, and %u.
+.Cm LocalForward ,
-.Pp
+.Cm Match exec ,
-.Cm ControlPath
+.Cm RemoteCommand ,
-accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
+and
+.Cm RemoteForward
+accept the tokens %%, %C, %d, %h, %i, %L, %l, %n, %p, %r, and %u.
 .Pp
 .Cm Hostname
 accepts the tokens %% and %h.
 .Pp
-.Cm IdentityAgent
-and
-.Cm IdentityFile
-accept the tokens %%, %d, %h, %i, %l, %r, and %u.
-.Pp
 .Cm LocalCommand
-accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.
+accepts all tokens.
 .Pp
 .Cm ProxyCommand
 accepts the tokens %%, %h, %n, %p, and %r.
-.Pp
-.Cm RemoteCommand
-accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/config

diff --git a/ssh_config.5 b/ssh_config.5 index 91beb6f50..2574b1004 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.322 2020/02/07 03:54:44 dtucker Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.325 2020/04/11 20:20:09 jmc Exp $
37	.Dd $Mdocdate: February 7 2020 $	37	.Dd $Mdocdate: April 11 2020 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -853,8 +853,8 @@ gss-curve25519-sha256-
853	.Ed	853	.Ed
854	.Pp	854	.Pp
855	The default is	855	The default is
856	.Dq gss-gex-sha1-,gss-group14-sha1- .	856	.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
857	This option only applies to protocol version 2 connections using GSSAPI.	857	This option only applies to connections using GSSAPI.
858	.It Cm HashKnownHosts	858	.It Cm HashKnownHosts
859	Indicates that	859	Indicates that
860	.Xr ssh 1	860	.Xr ssh 1
@@ -1211,12 +1211,15 @@ has been enabled.
1211	.It Cm LocalForward	1211	.It Cm LocalForward
1212	Specifies that a TCP port on the local machine be forwarded over	1212	Specifies that a TCP port on the local machine be forwarded over
1213	the secure channel to the specified host and port from the remote machine.	1213	the secure channel to the specified host and port from the remote machine.
1214	The first argument must be	1214	The first argument specifies the listener and may be
1215	.Sm off	1215	.Sm off
1216	.Oo Ar bind_address : Oc Ar port	1216	.Oo Ar bind_address : Oc Ar port
1217	.Sm on	1217	.Sm on
1218	and the second argument must be	1218	or a Unix domain socket path.
1219	.Ar host : Ns Ar hostport .	1219	The second argument is the destination and may be
		1220	.Ar host : Ns Ar hostport
		1221	or a Unix domain socket path if the remote host supports it.
		1222	.Pp
1220	IPv6 addresses can be specified by enclosing addresses in square brackets.	1223	IPv6 addresses can be specified by enclosing addresses in square brackets.
1221	Multiple forwardings may be specified, and additional forwardings can be	1224	Multiple forwardings may be specified, and additional forwardings can be
1222	given on the command line.	1225	given on the command line.
@@ -1235,6 +1238,9 @@ indicates that the listening port be bound for local use only, while an
1235	empty address or	1238	empty address or
1236	.Sq *	1239	.Sq *
1237	indicates that the port should be available from all interfaces.	1240	indicates that the port should be available from all interfaces.
		1241	Unix domain socket paths accept the tokens described in the
		1242	.Sx TOKENS
		1243	section.
1238	.It Cm LogLevel	1244	.It Cm LogLevel
1239	Gives the verbosity level that is used when logging messages from	1245	Gives the verbosity level that is used when logging messages from
1240	.Xr ssh 1 .	1246	.Xr ssh 1 .
@@ -1487,12 +1493,14 @@ the secure channel.
1487	The remote port may either be forwarded to a specified host and port	1493	The remote port may either be forwarded to a specified host and port
1488	from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote	1494	from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
1489	client to connect to arbitrary destinations from the local machine.	1495	client to connect to arbitrary destinations from the local machine.
1490	The first argument must be	1496	The first argument is the listening specification and may be
1491	.Sm off	1497	.Sm off
1492	.Oo Ar bind_address : Oc Ar port	1498	.Oo Ar bind_address : Oc Ar port
1493	.Sm on	1499	.Sm on
		1500	or, if the remote host supports it, a Unix domain socket path.
1494	If forwarding to a specific destination then the second argument must be	1501	If forwarding to a specific destination then the second argument must be
1495	.Ar host : Ns Ar hostport ,	1502	.Ar host : Ns Ar hostport
		1503	or a Unix domain socket path,
1496	otherwise if no destination argument is specified then the remote forwarding	1504	otherwise if no destination argument is specified then the remote forwarding
1497	will be established as a SOCKS proxy.	1505	will be established as a SOCKS proxy.
1498	.Pp	1506	.Pp
@@ -1501,6 +1509,9 @@ Multiple forwardings may be specified, and additional
1501	forwardings can be given on the command line.	1509	forwardings can be given on the command line.
1502	Privileged ports can be forwarded only when	1510	Privileged ports can be forwarded only when
1503	logging in as root on the remote machine.	1511	logging in as root on the remote machine.
		1512	Unix domain socket paths accept the tokens described in the
		1513	.Sx TOKENS
		1514	section.
1504	.Pp	1515	.Pp
1505	If the	1516	If the
1506	.Ar port	1517	.Ar port
@@ -1944,31 +1955,25 @@ otherwise.
1944	The local username.	1955	The local username.
1945	.El	1956	.El
1946	.Pp	1957	.Pp
1947	.Cm Match exec	1958	.Cm CertificateFile ,
1948	accepts the tokens %%, %h, %i, %L, %l, %n, %p, %r, and %u.	1959	.Cm ControlPath ,
1949	.Pp	1960	.Cm IdentityAgent ,
1950	.Cm CertificateFile	1961	.Cm IdentityFile ,
1951	accepts the tokens %%, %d, %h, %i, %l, %r, and %u.	1962	.Cm LocalForward ,
1952	.Pp	1963	.Cm Match exec ,
1953	.Cm ControlPath	1964	.Cm RemoteCommand ,
1954	accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.	1965	and
		1966	.Cm RemoteForward
		1967	accept the tokens %%, %C, %d, %h, %i, %L, %l, %n, %p, %r, and %u.
1955	.Pp	1968	.Pp
1956	.Cm Hostname	1969	.Cm Hostname
1957	accepts the tokens %% and %h.	1970	accepts the tokens %% and %h.
1958	.Pp	1971	.Pp
1959	.Cm IdentityAgent
1960	and
1961	.Cm IdentityFile
1962	accept the tokens %%, %d, %h, %i, %l, %r, and %u.
1963	.Pp
1964	.Cm LocalCommand	1972	.Cm LocalCommand
1965	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.	1973	accepts all tokens.
1966	.Pp	1974	.Pp
1967	.Cm ProxyCommand	1975	.Cm ProxyCommand
1968	accepts the tokens %%, %h, %n, %p, and %r.	1976	accepts the tokens %%, %h, %n, %p, and %r.
1969	.Pp
1970	.Cm RemoteCommand
1971	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.
1972	.Sh FILES	1977	.Sh FILES
1973	.Bl -tag -width Ds	1978	.Bl -tag -width Ds
1974	.It Pa ~/.ssh/config	1979	.It Pa ~/.ssh/config