1 files changed, 53 insertions, 31 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index a9f6d906f..b71d5ede9 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $
-.Dd $Mdocdate: March 1 2019 $
+.Dd $Mdocdate: September 13 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -381,7 +381,7 @@ Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
 The default is:
 .Bd -literal -offset indent
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
@@ -442,14 +442,18 @@ the check will not be executed.
 .It Cm Ciphers
 Specifies the ciphers allowed and their order of preference.
 Multiple ciphers must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified ciphers will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Bd -literal -offset indent
@@ -505,8 +509,8 @@ The default is 1.
 .It Cm ConnectTimeout
 Specifies the timeout (in seconds) used when connecting to the
 SSH server, instead of using the default system TCP timeout.
-This value is used only when the target is down or really unreachable,
+This timeout is applied both to establishing the connection and to performing
-not when it refuses the connection.
+the initial SSH protocol handshake and key exchange.
 .It Cm ControlMaster
 Enables the sharing of multiple sessions over a single network connection.
 When set to
@@ -867,14 +871,18 @@ or
 .It Cm HostbasedKeyTypes
 Specifies the key types that will be used for hostbased authentication
 as a comma-separated list of patterns.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -895,14 +903,18 @@ may be used to list supported key types.
 .It Cm HostKeyAlgorithms
 Specifies the host key algorithms
 that the client wants to use in order of preference.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -926,28 +938,28 @@ real host name when looking up or saving the host key
 in the host key database files and when validating host certificates.
 This option is useful for tunneling SSH connections
 or for multiple servers running on a single host.
-.It Cm HostName
+.It Cm Hostname
 Specifies the real host name to log into.
 This can be used to specify nicknames or abbreviations for hosts.
 Arguments to
-.Cm HostName
+.Cm Hostname
 accept the tokens described in the
 .Sx TOKENS
 section.
 Numeric IP addresses are also permitted (both on the command line and in
-.Cm HostName
+.Cm Hostname
 specifications).
 The default is the name given on the command line.
 .It Cm IdentitiesOnly
 Specifies that
 .Xr ssh 1
-should only use the authentication identity and certificate files explicitly
+should only use the configured authentication identity and certificate files
-configured in the
+(either the default files, or those explicitly configured in the
 .Nm
 files
 or passed on the
 .Xr ssh 1
-command-line,
+command-line),
 even if
 .Xr ssh-agent 1
 or a
@@ -1122,14 +1134,18 @@ and
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-Alternately if the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified methods will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The default is:
 .Bd -literal -offset indent
 curve25519-sha256,curve25519-sha256@libssh.org,
@@ -1203,14 +1219,18 @@ Specifies the MAC (message authentication code) algorithms
 in order of preference.
 The MAC algorithm is used for data integrity protection.
 Multiple algorithms must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1301,8 +1321,8 @@ server running on some machine, or execute
 .Ic sshd -i
 somewhere.
 Host key management will be done using the
-HostName of the host being connected (defaulting to the name typed by
+.Cm Hostname
-the user).
+of the host being connected (defaulting to the name typed by the user).
 Setting the command to
 .Cm none
 disables this option entirely.
@@ -1360,14 +1380,18 @@ The default is
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be used for public key authentication
 as a comma-separated list of patterns.
-Alternately if the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the key types after it will be appended to the default
 instead of replacing it.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1405,9 +1429,7 @@ and
 .Sq 4G ,
 depending on the cipher.
 The optional second value is specified in seconds and may use any of the
-units documented in the
+units documented in the TIME FORMATS section of
-.Sx TIME FORMATS
-section of
 .Xr sshd_config 5 .
 The default value for
 .Cm RekeyLimit
@@ -1541,7 +1563,7 @@ The TCP keepalive option enabled by
 .Cm TCPKeepAlive
 is spoofable.
 The server alive mechanism is valuable when the client or
-server depend on knowing when a connection has become inactive.
+server depend on knowing when a connection has become unresponsive.
 .Pp
 The default value is 3.
 If, for example,
@@ -1879,7 +1901,7 @@ accepts the tokens %%, %d, %h, %i, %l, %r, and %u.
 .Cm ControlPath
 accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
 .Pp
-.Cm HostName
+.Cm Hostname
 accepts the tokens %% and %h.
 .Pp
 .Cm IdentityAgent
@@ -1891,7 +1913,7 @@ accept the tokens %%, %d, %h, %i, %l, %r, and %u.
 accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.
 .Pp
 .Cm ProxyCommand
-accepts the tokens %%, %h, %p, and %r.
+accepts the tokens %%, %h, %n, %p, and %r.
 .Pp
 .Cm RemoteCommand
 accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.

diff --git a/ssh_config.5 b/ssh_config.5 index a9f6d906f..b71d5ede9 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $
37	.Dd $Mdocdate: March 1 2019 $	37	.Dd $Mdocdate: September 13 2019 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -381,7 +381,7 @@ Specifies which algorithms are allowed for signing of certificates
381	by certificate authorities (CAs).	381	by certificate authorities (CAs).
382	The default is:	382	The default is:
383	.Bd -literal -offset indent	383	.Bd -literal -offset indent
384	ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	384	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
385	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	385	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
386	.Ed	386	.Ed
387	.Pp	387	.Pp
@@ -442,14 +442,18 @@ the check will not be executed.
442	.It Cm Ciphers	442	.It Cm Ciphers
443	Specifies the ciphers allowed and their order of preference.	443	Specifies the ciphers allowed and their order of preference.
444	Multiple ciphers must be comma-separated.	444	Multiple ciphers must be comma-separated.
445	If the specified value begins with a	445	If the specified list begins with a
446	.Sq +	446	.Sq +
447	character, then the specified ciphers will be appended to the default set	447	character, then the specified ciphers will be appended to the default set
448	instead of replacing them.	448	instead of replacing them.
449	If the specified value begins with a	449	If the specified list begins with a
450	.Sq -	450	.Sq -
451	character, then the specified ciphers (including wildcards) will be removed	451	character, then the specified ciphers (including wildcards) will be removed
452	from the default set instead of replacing them.	452	from the default set instead of replacing them.
		453	If the specified list begins with a
		454	.Sq ^
		455	character, then the specified ciphers will be placed at the head of the
		456	default set.
453	.Pp	457	.Pp
454	The supported ciphers are:	458	The supported ciphers are:
455	.Bd -literal -offset indent	459	.Bd -literal -offset indent
@@ -505,8 +509,8 @@ The default is 1.
505	.It Cm ConnectTimeout	509	.It Cm ConnectTimeout
506	Specifies the timeout (in seconds) used when connecting to the	510	Specifies the timeout (in seconds) used when connecting to the
507	SSH server, instead of using the default system TCP timeout.	511	SSH server, instead of using the default system TCP timeout.
508	This value is used only when the target is down or really unreachable,	512	This timeout is applied both to establishing the connection and to performing
509	not when it refuses the connection.	513	the initial SSH protocol handshake and key exchange.
510	.It Cm ControlMaster	514	.It Cm ControlMaster
511	Enables the sharing of multiple sessions over a single network connection.	515	Enables the sharing of multiple sessions over a single network connection.
512	When set to	516	When set to
@@ -867,14 +871,18 @@ or
867	.It Cm HostbasedKeyTypes	871	.It Cm HostbasedKeyTypes
868	Specifies the key types that will be used for hostbased authentication	872	Specifies the key types that will be used for hostbased authentication
869	as a comma-separated list of patterns.	873	as a comma-separated list of patterns.
870	Alternately if the specified value begins with a	874	Alternately if the specified list begins with a
871	.Sq +	875	.Sq +
872	character, then the specified key types will be appended to the default set	876	character, then the specified key types will be appended to the default set
873	instead of replacing them.	877	instead of replacing them.
874	If the specified value begins with a	878	If the specified list begins with a
875	.Sq -	879	.Sq -
876	character, then the specified key types (including wildcards) will be removed	880	character, then the specified key types (including wildcards) will be removed
877	from the default set instead of replacing them.	881	from the default set instead of replacing them.
		882	If the specified list begins with a
		883	.Sq ^
		884	character, then the specified key types will be placed at the head of the
		885	default set.
878	The default for this option is:	886	The default for this option is:
879	.Bd -literal -offset 3n	887	.Bd -literal -offset 3n
880	ecdsa-sha2-nistp256-cert-v01@openssh.com,	888	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -895,14 +903,18 @@ may be used to list supported key types.
895	.It Cm HostKeyAlgorithms	903	.It Cm HostKeyAlgorithms
896	Specifies the host key algorithms	904	Specifies the host key algorithms
897	that the client wants to use in order of preference.	905	that the client wants to use in order of preference.
898	Alternately if the specified value begins with a	906	Alternately if the specified list begins with a
899	.Sq +	907	.Sq +
900	character, then the specified key types will be appended to the default set	908	character, then the specified key types will be appended to the default set
901	instead of replacing them.	909	instead of replacing them.
902	If the specified value begins with a	910	If the specified list begins with a
903	.Sq -	911	.Sq -
904	character, then the specified key types (including wildcards) will be removed	912	character, then the specified key types (including wildcards) will be removed
905	from the default set instead of replacing them.	913	from the default set instead of replacing them.
		914	If the specified list begins with a
		915	.Sq ^
		916	character, then the specified key types will be placed at the head of the
		917	default set.
906	The default for this option is:	918	The default for this option is:
907	.Bd -literal -offset 3n	919	.Bd -literal -offset 3n
908	ecdsa-sha2-nistp256-cert-v01@openssh.com,	920	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -926,28 +938,28 @@ real host name when looking up or saving the host key
926	in the host key database files and when validating host certificates.	938	in the host key database files and when validating host certificates.
927	This option is useful for tunneling SSH connections	939	This option is useful for tunneling SSH connections
928	or for multiple servers running on a single host.	940	or for multiple servers running on a single host.
929	.It Cm HostName	941	.It Cm Hostname
930	Specifies the real host name to log into.	942	Specifies the real host name to log into.
931	This can be used to specify nicknames or abbreviations for hosts.	943	This can be used to specify nicknames or abbreviations for hosts.
932	Arguments to	944	Arguments to
933	.Cm HostName	945	.Cm Hostname
934	accept the tokens described in the	946	accept the tokens described in the
935	.Sx TOKENS	947	.Sx TOKENS
936	section.	948	section.
937	Numeric IP addresses are also permitted (both on the command line and in	949	Numeric IP addresses are also permitted (both on the command line and in
938	.Cm HostName	950	.Cm Hostname
939	specifications).	951	specifications).
940	The default is the name given on the command line.	952	The default is the name given on the command line.
941	.It Cm IdentitiesOnly	953	.It Cm IdentitiesOnly
942	Specifies that	954	Specifies that
943	.Xr ssh 1	955	.Xr ssh 1
944	should only use the authentication identity and certificate files explicitly	956	should only use the configured authentication identity and certificate files
945	configured in the	957	(either the default files, or those explicitly configured in the
946	.Nm	958	.Nm
947	files	959	files
948	or passed on the	960	or passed on the
949	.Xr ssh 1	961	.Xr ssh 1
950	command-line,	962	command-line),
951	even if	963	even if
952	.Xr ssh-agent 1	964	.Xr ssh-agent 1
953	or a	965	or a
@@ -1122,14 +1134,18 @@ and
1122	.It Cm KexAlgorithms	1134	.It Cm KexAlgorithms
1123	Specifies the available KEX (Key Exchange) algorithms.	1135	Specifies the available KEX (Key Exchange) algorithms.
1124	Multiple algorithms must be comma-separated.	1136	Multiple algorithms must be comma-separated.
1125	Alternately if the specified value begins with a	1137	If the specified list begins with a
1126	.Sq +	1138	.Sq +
1127	character, then the specified methods will be appended to the default set	1139	character, then the specified methods will be appended to the default set
1128	instead of replacing them.	1140	instead of replacing them.
1129	If the specified value begins with a	1141	If the specified list begins with a
1130	.Sq -	1142	.Sq -
1131	character, then the specified methods (including wildcards) will be removed	1143	character, then the specified methods (including wildcards) will be removed
1132	from the default set instead of replacing them.	1144	from the default set instead of replacing them.
		1145	If the specified list begins with a
		1146	.Sq ^
		1147	character, then the specified methods will be placed at the head of the
		1148	default set.
1133	The default is:	1149	The default is:
1134	.Bd -literal -offset indent	1150	.Bd -literal -offset indent
1135	curve25519-sha256,curve25519-sha256@libssh.org,	1151	curve25519-sha256,curve25519-sha256@libssh.org,
@@ -1203,14 +1219,18 @@ Specifies the MAC (message authentication code) algorithms
1203	in order of preference.	1219	in order of preference.
1204	The MAC algorithm is used for data integrity protection.	1220	The MAC algorithm is used for data integrity protection.
1205	Multiple algorithms must be comma-separated.	1221	Multiple algorithms must be comma-separated.
1206	If the specified value begins with a	1222	If the specified list begins with a
1207	.Sq +	1223	.Sq +
1208	character, then the specified algorithms will be appended to the default set	1224	character, then the specified algorithms will be appended to the default set
1209	instead of replacing them.	1225	instead of replacing them.
1210	If the specified value begins with a	1226	If the specified list begins with a
1211	.Sq -	1227	.Sq -
1212	character, then the specified algorithms (including wildcards) will be removed	1228	character, then the specified algorithms (including wildcards) will be removed
1213	from the default set instead of replacing them.	1229	from the default set instead of replacing them.
		1230	If the specified list begins with a
		1231	.Sq ^
		1232	character, then the specified algorithms will be placed at the head of the
		1233	default set.
1214	.Pp	1234	.Pp
1215	The algorithms that contain	1235	The algorithms that contain
1216	.Qq -etm	1236	.Qq -etm
@@ -1301,8 +1321,8 @@ server running on some machine, or execute
1301	.Ic sshd -i	1321	.Ic sshd -i
1302	somewhere.	1322	somewhere.
1303	Host key management will be done using the	1323	Host key management will be done using the
1304	HostName of the host being connected (defaulting to the name typed by	1324	.Cm Hostname
1305	the user).	1325	of the host being connected (defaulting to the name typed by the user).
1306	Setting the command to	1326	Setting the command to
1307	.Cm none	1327	.Cm none
1308	disables this option entirely.	1328	disables this option entirely.
@@ -1360,14 +1380,18 @@ The default is
1360	.It Cm PubkeyAcceptedKeyTypes	1380	.It Cm PubkeyAcceptedKeyTypes
1361	Specifies the key types that will be used for public key authentication	1381	Specifies the key types that will be used for public key authentication
1362	as a comma-separated list of patterns.	1382	as a comma-separated list of patterns.
1363	Alternately if the specified value begins with a	1383	If the specified list begins with a
1364	.Sq +	1384	.Sq +
1365	character, then the key types after it will be appended to the default	1385	character, then the key types after it will be appended to the default
1366	instead of replacing it.	1386	instead of replacing it.
1367	If the specified value begins with a	1387	If the specified list begins with a
1368	.Sq -	1388	.Sq -
1369	character, then the specified key types (including wildcards) will be removed	1389	character, then the specified key types (including wildcards) will be removed
1370	from the default set instead of replacing them.	1390	from the default set instead of replacing them.
		1391	If the specified list begins with a
		1392	.Sq ^
		1393	character, then the specified key types will be placed at the head of the
		1394	default set.
1371	The default for this option is:	1395	The default for this option is:
1372	.Bd -literal -offset 3n	1396	.Bd -literal -offset 3n
1373	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1397	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1405,9 +1429,7 @@ and
1405	.Sq 4G ,	1429	.Sq 4G ,
1406	depending on the cipher.	1430	depending on the cipher.
1407	The optional second value is specified in seconds and may use any of the	1431	The optional second value is specified in seconds and may use any of the
1408	units documented in the	1432	units documented in the TIME FORMATS section of
1409	.Sx TIME FORMATS
1410	section of
1411	.Xr sshd_config 5 .	1433	.Xr sshd_config 5 .
1412	The default value for	1434	The default value for
1413	.Cm RekeyLimit	1435	.Cm RekeyLimit
@@ -1541,7 +1563,7 @@ The TCP keepalive option enabled by
1541	.Cm TCPKeepAlive	1563	.Cm TCPKeepAlive
1542	is spoofable.	1564	is spoofable.
1543	The server alive mechanism is valuable when the client or	1565	The server alive mechanism is valuable when the client or
1544	server depend on knowing when a connection has become inactive.	1566	server depend on knowing when a connection has become unresponsive.
1545	.Pp	1567	.Pp
1546	The default value is 3.	1568	The default value is 3.
1547	If, for example,	1569	If, for example,
@@ -1879,7 +1901,7 @@ accepts the tokens %%, %d, %h, %i, %l, %r, and %u.
1879	.Cm ControlPath	1901	.Cm ControlPath
1880	accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.	1902	accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
1881	.Pp	1903	.Pp
1882	.Cm HostName	1904	.Cm Hostname
1883	accepts the tokens %% and %h.	1905	accepts the tokens %% and %h.
1884	.Pp	1906	.Pp
1885	.Cm IdentityAgent	1907	.Cm IdentityAgent
@@ -1891,7 +1913,7 @@ accept the tokens %%, %d, %h, %i, %l, %r, and %u.
1891	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.	1913	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.
1892	.Pp	1914	.Pp
1893	.Cm ProxyCommand	1915	.Cm ProxyCommand
1894	accepts the tokens %%, %h, %p, and %r.	1916	accepts the tokens %%, %h, %n, %p, and %r.
1895	.Pp	1917	.Pp
1896	.Cm RemoteCommand	1918	.Cm RemoteCommand
1897	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.	1919	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.