1 files changed, 64 insertions, 5 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 15eecb6ff..1b8b8da5d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -72,6 +72,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -128,8 +144,12 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
+In addition, the 
+.Cm ServerAliveInterval 
+option will be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -448,7 +468,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
@@ -517,6 +538,9 @@ Note that existing names and addresses in known hosts files
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
+Use of this option may break facilities such as tab-completion that rely
+on being able to read unhashed host names from
+.Pa ~/.ssh/known_hosts .
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.
@@ -671,7 +695,7 @@ indicates that the port should be available from all interfaces.
 Gives the verbosity level that is used when logging messages from
 .Xr ssh 1 .
 The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -917,7 +941,10 @@ If, for example,
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
-This option applies to protocol version 2 only.
+This option applies to protocol version 2 only; in protocol version
+1 there is no mechanism to request a response from the server to the
+server alive messages, so disconnection is the responsibility of the TCP
+stack.
 .It Cm ServerAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the server,
@@ -925,8 +952,15 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set.
 This option applies to protocol version 2 only.
+.Cm ProtocolKeepAlives
+and
+.Cm SetupTimeOut
+are Debian-specific compatibility aliases for this option.
 .It Cm SmartcardDevice
 Specifies which smartcard device to use.
 The argument to this keyword is the device
@@ -972,6 +1006,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.
@@ -1023,6 +1063,23 @@ is not specified, it defaults to
 .Dq any .
 The default is
 .Dq any:any .
+.It Cm UseBlacklistedKeys
+Specifies whether
+.Xr ssh 1
+should use keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 )
+for authentication.
+If
+.Dq yes ,
+then attempts to use compromised keys for authentication will be logged but
+accepted.
+It is strongly recommended that this be used only to install new authorized
+keys on the remote system, and even then only with the utmost care.
+If
+.Dq no ,
+then attempts to use compromised keys for authentication will be prevented.
+The default is
+.Dq no .
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be
@@ -1137,6 +1194,8 @@ The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
+It may be group-writable provided that the group in question contains only
+the user.
 .It Pa /etc/ssh/ssh_config
 Systemwide configuration file.
 This file provides defaults for those

diff --git a/ssh_config.5 b/ssh_config.5 index 15eecb6ff..1b8b8da5d 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -72,6 +72,22 @@ Since the first obtained value for each parameter is used, more
72	host-specific declarations should be given near the beginning of the	72	host-specific declarations should be given near the beginning of the
73	file, and general defaults at the end.	73	file, and general defaults at the end.
74	.Pp	74	.Pp
		75	Note that the Debian
		76	.Ic openssh-client
		77	package sets several options as standard in
		78	.Pa /etc/ssh/ssh_config
		79	which are not the default in
		80	.Xr ssh 1 :
		81	.Pp
		82	.Bl -bullet -offset indent -compact
		83	.It
		84	.Cm SendEnv No LANG LC_*
		85	.It
		86	.Cm HashKnownHosts No yes
		87	.It
		88	.Cm GSSAPIAuthentication No yes
		89	.El
		90	.Pp
75	The configuration file has the following format:	91	The configuration file has the following format:
76	.Pp	92	.Pp
77	Empty lines and lines starting with	93	Empty lines and lines starting with
@@ -128,8 +144,12 @@ Valid arguments are
128	If set to	144	If set to
129	.Dq yes ,	145	.Dq yes ,
130	passphrase/password querying will be disabled.	146	passphrase/password querying will be disabled.
		147	In addition, the
		148	.Cm ServerAliveInterval
		149	option will be set to 300 seconds by default.
131	This option is useful in scripts and other batch jobs where no user	150	This option is useful in scripts and other batch jobs where no user
132	is present to supply the password.	151	is present to supply the password,
		152	and where it is desirable to detect a broken network swiftly.
133	The argument must be	153	The argument must be
134	.Dq yes	154	.Dq yes
135	or	155	or
@@ -448,7 +468,8 @@ token used for the session will be set to expire after 20 minutes.
448	Remote clients will be refused access after this time.	468	Remote clients will be refused access after this time.
449	.Pp	469	.Pp
450	The default is	470	The default is
451	.Dq no .	471	.Dq yes
		472	(Debian-specific).
452	.Pp	473	.Pp
453	See the X11 SECURITY extension specification for full details on	474	See the X11 SECURITY extension specification for full details on
454	the restrictions imposed on untrusted clients.	475	the restrictions imposed on untrusted clients.
@@ -517,6 +538,9 @@ Note that existing names and addresses in known hosts files
517	will not be converted automatically,	538	will not be converted automatically,
518	but may be manually hashed using	539	but may be manually hashed using
519	.Xr ssh-keygen 1 .	540	.Xr ssh-keygen 1 .
		541	Use of this option may break facilities such as tab-completion that rely
		542	on being able to read unhashed host names from
		543	.Pa ~/.ssh/known_hosts .
520	.It Cm HostbasedAuthentication	544	.It Cm HostbasedAuthentication
521	Specifies whether to try rhosts based authentication with public key	545	Specifies whether to try rhosts based authentication with public key
522	authentication.	546	authentication.
@@ -671,7 +695,7 @@ indicates that the port should be available from all interfaces.
671	Gives the verbosity level that is used when logging messages from	695	Gives the verbosity level that is used when logging messages from
672	.Xr ssh 1 .	696	.Xr ssh 1 .
673	The possible values are:	697	The possible values are:
674	QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.	698	SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
675	The default is INFO.	699	The default is INFO.
676	DEBUG and DEBUG1 are equivalent.	700	DEBUG and DEBUG1 are equivalent.
677	DEBUG2 and DEBUG3 each specify higher levels of verbose output.	701	DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -917,7 +941,10 @@ If, for example,
917	.Cm ServerAliveCountMax	941	.Cm ServerAliveCountMax
918	is left at the default, if the server becomes unresponsive,	942	is left at the default, if the server becomes unresponsive,
919	ssh will disconnect after approximately 45 seconds.	943	ssh will disconnect after approximately 45 seconds.
920	This option applies to protocol version 2 only.	944	This option applies to protocol version 2 only; in protocol version
		945	1 there is no mechanism to request a response from the server to the
		946	server alive messages, so disconnection is the responsibility of the TCP
		947	stack.
921	.It Cm ServerAliveInterval	948	.It Cm ServerAliveInterval
922	Sets a timeout interval in seconds after which if no data has been received	949	Sets a timeout interval in seconds after which if no data has been received
923	from the server,	950	from the server,
@@ -925,8 +952,15 @@ from the server,
925	will send a message through the encrypted	952	will send a message through the encrypted
926	channel to request a response from the server.	953	channel to request a response from the server.
927	The default	954	The default
928	is 0, indicating that these messages will not be sent to the server.	955	is 0, indicating that these messages will not be sent to the server,
		956	or 300 if the
		957	.Cm BatchMode
		958	option is set.
929	This option applies to protocol version 2 only.	959	This option applies to protocol version 2 only.
		960	.Cm ProtocolKeepAlives
		961	and
		962	.Cm SetupTimeOut
		963	are Debian-specific compatibility aliases for this option.
930	.It Cm SmartcardDevice	964	.It Cm SmartcardDevice
931	Specifies which smartcard device to use.	965	Specifies which smartcard device to use.
932	The argument to this keyword is the device	966	The argument to this keyword is the device
@@ -972,6 +1006,12 @@ Specifies whether the system should send TCP keepalive messages to the
972	other side.	1006	other side.
973	If they are sent, death of the connection or crash of one	1007	If they are sent, death of the connection or crash of one
974	of the machines will be properly noticed.	1008	of the machines will be properly noticed.
		1009	This option only uses TCP keepalives (as opposed to using ssh level
		1010	keepalives), so takes a long time to notice when the connection dies.
		1011	As such, you probably want
		1012	the
		1013	.Cm ServerAliveInterval
		1014	option as well.
975	However, this means that	1015	However, this means that
976	connections will die if the route is down temporarily, and some people	1016	connections will die if the route is down temporarily, and some people
977	find it annoying.	1017	find it annoying.
@@ -1023,6 +1063,23 @@ is not specified, it defaults to
1023	.Dq any .	1063	.Dq any .
1024	The default is	1064	The default is
1025	.Dq any:any .	1065	.Dq any:any .
		1066	.It Cm UseBlacklistedKeys
		1067	Specifies whether
		1068	.Xr ssh 1
		1069	should use keys recorded in its blacklist of known-compromised keys (see
		1070	.Xr ssh-vulnkey 1 )
		1071	for authentication.
		1072	If
		1073	.Dq yes ,
		1074	then attempts to use compromised keys for authentication will be logged but
		1075	accepted.
		1076	It is strongly recommended that this be used only to install new authorized
		1077	keys on the remote system, and even then only with the utmost care.
		1078	If
		1079	.Dq no ,
		1080	then attempts to use compromised keys for authentication will be prevented.
		1081	The default is
		1082	.Dq no .
1026	.It Cm UsePrivilegedPort	1083	.It Cm UsePrivilegedPort
1027	Specifies whether to use a privileged port for outgoing connections.	1084	Specifies whether to use a privileged port for outgoing connections.
1028	The argument must be	1085	The argument must be
@@ -1137,6 +1194,8 @@ The format of this file is described above.
1137	This file is used by the SSH client.	1194	This file is used by the SSH client.
1138	Because of the potential for abuse, this file must have strict permissions:	1195	Because of the potential for abuse, this file must have strict permissions:
1139	read/write for the user, and not accessible by others.	1196	read/write for the user, and not accessible by others.
		1197	It may be group-writable provided that the group in question contains only
		1198	the user.
1140	.It Pa /etc/ssh/ssh_config	1199	.It Pa /etc/ssh/ssh_config
1141	Systemwide configuration file.	1200	Systemwide configuration file.
1142	This file provides defaults for those	1201	This file provides defaults for those