1 files changed, 83 insertions, 33 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index f6c1b3b33..a9f6d906f 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.286 2018/10/03 06:38:35 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $
-.Dd $Mdocdate: October 3 2018 $
+.Dd $Mdocdate: March 1 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -155,6 +155,7 @@ or the single token
 which always matches.
 The available criteria keywords are:
 .Cm canonical ,
+.Cm final ,
 .Cm exec ,
 .Cm host ,
 .Cm originalhost ,
@@ -164,12 +165,15 @@ and
 The
 .Cm all
 criteria must appear alone or immediately after
-.Cm canonical .
+.Cm canonical
+or
+.Cm final .
 Other criteria may be combined arbitrarily.
 All criteria but
-.Cm all
+.Cm all ,
+.Cm canonical ,
 and
-.Cm canonical
+.Cm final
 require an argument.
 Criteria may be negated by prepending an exclamation mark
 .Pq Sq !\& .
@@ -179,9 +183,23 @@ The
 keyword matches only when the configuration file is being re-parsed
 after hostname canonicalization (see the
 .Cm CanonicalizeHostname
-option.)
+option).
 This may be useful to specify conditions that work with canonical host
 names only.
+.Pp
+The
+.Cm final
+keyword requests that the configuration be re-parsed (regardless of whether
+.Cm CanonicalizeHostname
+is enabled), and matches only during this final pass.
+If
+.Cm CanonicalizeHostname
+is enabled, then
+.Cm canonical
+and
+.Cm final
+match during the same pass.
+.Pp
 The
 .Cm exec
 keyword executes the specified command under the user's shell.
@@ -757,42 +775,67 @@ The default is
 Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Cm no .
-.It Cm GSSAPIKeyExchange
-Specifies whether key exchange based on GSSAPI may be used. When using
-GSSAPI key exchange the server need not have a host key.
-The default is
-.Cm no .
 .It Cm GSSAPIClientIdentity
-If set, specifies the GSSAPI client identity that ssh should use when 
+If set, specifies the GSSAPI client identity that ssh should use when
-connecting to the server. The default is unset, which means that the default 
+connecting to the server. The default is unset, which means that the default
 identity will be used.
-.It Cm GSSAPIServerIdentity
-If set, specifies the GSSAPI server identity that ssh should expect when 
-connecting to the server. The default is unset, which means that the
-expected GSSAPI server identity will be determined from the target
-hostname.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
 .Cm no .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
+.Dq no .
 .It Cm GSSAPIRenewalForcesRekey
-If set to 
+If set to
-.Cm yes
+.Dq yes
 then renewal of the client's GSSAPI credentials will force the rekeying of the
-ssh connection. With a compatible server, this can delegate the renewed 
+ssh connection. With a compatible server, this will delegate the renewed
 credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
+credentials match the old ones on the originating client and where the
+receiving server still has the old set in its cache.
+.Pp
 The default is
-.Cm no .
+.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
 .It Cm GSSAPITrustDns
-Set to 
+Set to
-.Cm yes
+.Dq yes
 to indicate that the DNS is trusted to securely canonicalize
-the name of the host being connected to. If 
+the name of the host being connected to. If
-.Cm no ,
+.Dq no ,
 the hostname entered on the
 command line will be passed untouched to the GSSAPI library.
 The default is
-.Cm no .
+.Dq no .
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are offered for GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
@@ -1094,7 +1137,6 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group16-sha512,
 diffie-hellman-group18-sha512,
-diffie-hellman-group-exchange-sha1,
 diffie-hellman-group14-sha256,
 diffie-hellman-group14-sha1
 .Ed
@@ -1217,11 +1259,13 @@ or
 .Cm no
 (the default).
 .It Cm PKCS11Provider
-Specifies which PKCS#11 provider to use.
+Specifies which PKCS#11 provider to use or
-The argument to this keyword is the PKCS#11 shared library
+.Cm none
+to indicate that no provider should be used (the default).
+The argument to this keyword is a path to the PKCS#11 shared library
 .Xr ssh 1
-should use to communicate with a PKCS#11 token providing the user's
+should use to communicate with a PKCS#11 token providing keys for user
-private RSA key.
+authentication.
 .It Cm Port
 Specifies the port number to connect on the remote host.
 The default is 22.
@@ -1299,6 +1343,12 @@ Note that this option will compete with the
 .Cm ProxyCommand
 option - whichever is specified first will prevent later instances of the
 other from taking effect.
+.Pp
+Note also that the configuration for the destination host (either supplied
+via the command-line or the configuration file) is not generally applied
+to jump hosts.
+.Pa ~/.ssh/config
+should be used if specific configuration is required for jump hosts.
 .It Cm ProxyUseFdpass
 Specifies that
 .Cm ProxyCommand
@@ -1852,7 +1902,7 @@ This is the per-user configuration file.
 The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
-read/write for the user, and not accessible by others.
+read/write for the user, and not writable by others.
 It may be group-writable provided that the group in question contains only
 the user.
 .It Pa /etc/ssh/ssh_config

diff --git a/ssh_config.5 b/ssh_config.5 index f6c1b3b33..a9f6d906f 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.286 2018/10/03 06:38:35 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $
37	.Dd $Mdocdate: October 3 2018 $	37	.Dd $Mdocdate: March 1 2019 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -155,6 +155,7 @@ or the single token
155	which always matches.	155	which always matches.
156	The available criteria keywords are:	156	The available criteria keywords are:
157	.Cm canonical ,	157	.Cm canonical ,
		158	.Cm final ,
158	.Cm exec ,	159	.Cm exec ,
159	.Cm host ,	160	.Cm host ,
160	.Cm originalhost ,	161	.Cm originalhost ,
@@ -164,12 +165,15 @@ and
164	The	165	The
165	.Cm all	166	.Cm all
166	criteria must appear alone or immediately after	167	criteria must appear alone or immediately after
167	.Cm canonical .	168	.Cm canonical
		169	or
		170	.Cm final .
168	Other criteria may be combined arbitrarily.	171	Other criteria may be combined arbitrarily.
169	All criteria but	172	All criteria but
170	.Cm all	173	.Cm all ,
		174	.Cm canonical ,
171	and	175	and
172	.Cm canonical	176	.Cm final
173	require an argument.	177	require an argument.
174	Criteria may be negated by prepending an exclamation mark	178	Criteria may be negated by prepending an exclamation mark
175	.Pq Sq !\& .	179	.Pq Sq !\& .
@@ -179,9 +183,23 @@ The
179	keyword matches only when the configuration file is being re-parsed	183	keyword matches only when the configuration file is being re-parsed
180	after hostname canonicalization (see the	184	after hostname canonicalization (see the
181	.Cm CanonicalizeHostname	185	.Cm CanonicalizeHostname
182	option.)	186	option).
183	This may be useful to specify conditions that work with canonical host	187	This may be useful to specify conditions that work with canonical host
184	names only.	188	names only.
		189	.Pp
		190	The
		191	.Cm final
		192	keyword requests that the configuration be re-parsed (regardless of whether
		193	.Cm CanonicalizeHostname
		194	is enabled), and matches only during this final pass.
		195	If
		196	.Cm CanonicalizeHostname
		197	is enabled, then
		198	.Cm canonical
		199	and
		200	.Cm final
		201	match during the same pass.
		202	.Pp
185	The	203	The
186	.Cm exec	204	.Cm exec
187	keyword executes the specified command under the user's shell.	205	keyword executes the specified command under the user's shell.
@@ -757,42 +775,67 @@ The default is
757	Specifies whether user authentication based on GSSAPI is allowed.	775	Specifies whether user authentication based on GSSAPI is allowed.
758	The default is	776	The default is
759	.Cm no .	777	.Cm no .
760	.It Cm GSSAPIKeyExchange
761	Specifies whether key exchange based on GSSAPI may be used. When using
762	GSSAPI key exchange the server need not have a host key.
763	The default is
764	.Cm no .
765	.It Cm GSSAPIClientIdentity	778	.It Cm GSSAPIClientIdentity
766	If set, specifies the GSSAPI client identity that ssh should use when	779	If set, specifies the GSSAPI client identity that ssh should use when
767	connecting to the server. The default is unset, which means that the default	780	connecting to the server. The default is unset, which means that the default
768	identity will be used.	781	identity will be used.
769	.It Cm GSSAPIServerIdentity
770	If set, specifies the GSSAPI server identity that ssh should expect when
771	connecting to the server. The default is unset, which means that the
772	expected GSSAPI server identity will be determined from the target
773	hostname.
774	.It Cm GSSAPIDelegateCredentials	782	.It Cm GSSAPIDelegateCredentials
775	Forward (delegate) credentials to the server.	783	Forward (delegate) credentials to the server.
776	The default is	784	The default is
777	.Cm no .	785	.Cm no .
		786	.It Cm GSSAPIKeyExchange
		787	Specifies whether key exchange based on GSSAPI may be used. When using
		788	GSSAPI key exchange the server need not have a host key.
		789	The default is
		790	.Dq no .
778	.It Cm GSSAPIRenewalForcesRekey	791	.It Cm GSSAPIRenewalForcesRekey
779	If set to	792	If set to
780	.Cm yes	793	.Dq yes
781	then renewal of the client's GSSAPI credentials will force the rekeying of the	794	then renewal of the client's GSSAPI credentials will force the rekeying of the
782	ssh connection. With a compatible server, this can delegate the renewed	795	ssh connection. With a compatible server, this will delegate the renewed
783	credentials to a session on the server.	796	credentials to a session on the server.
		797	.Pp
		798	Checks are made to ensure that credentials are only propagated when the new
		799	credentials match the old ones on the originating client and where the
		800	receiving server still has the old set in its cache.
		801	.Pp
784	The default is	802	The default is
785	.Cm no .	803	.Dq no .
		804	.Pp
		805	For this to work
		806	.Cm GSSAPIKeyExchange
		807	needs to be enabled in the server and also used by the client.
		808	.It Cm GSSAPIServerIdentity
		809	If set, specifies the GSSAPI server identity that ssh should expect when
		810	connecting to the server. The default is unset, which means that the
		811	expected GSSAPI server identity will be determined from the target
		812	hostname.
786	.It Cm GSSAPITrustDns	813	.It Cm GSSAPITrustDns
787	Set to	814	Set to
788	.Cm yes	815	.Dq yes
789	to indicate that the DNS is trusted to securely canonicalize	816	to indicate that the DNS is trusted to securely canonicalize
790	the name of the host being connected to. If	817	the name of the host being connected to. If
791	.Cm no ,	818	.Dq no ,
792	the hostname entered on the	819	the hostname entered on the
793	command line will be passed untouched to the GSSAPI library.	820	command line will be passed untouched to the GSSAPI library.
794	The default is	821	The default is
795	.Cm no .	822	.Dq no .
		823	.It Cm GSSAPIKexAlgorithms
		824	The list of key exchange algorithms that are offered for GSSAPI
		825	key exchange. Possible values are
		826	.Bd -literal -offset 3n
		827	gss-gex-sha1-,
		828	gss-group1-sha1-,
		829	gss-group14-sha1-,
		830	gss-group14-sha256-,
		831	gss-group16-sha512-,
		832	gss-nistp256-sha256-,
		833	gss-curve25519-sha256-
		834	.Ed
		835	.Pp
		836	The default is
		837	.Dq gss-gex-sha1-,gss-group14-sha1- .
		838	This option only applies to protocol version 2 connections using GSSAPI.
796	.It Cm HashKnownHosts	839	.It Cm HashKnownHosts
797	Indicates that	840	Indicates that
798	.Xr ssh 1	841	.Xr ssh 1
@@ -1094,7 +1137,6 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1094	diffie-hellman-group-exchange-sha256,	1137	diffie-hellman-group-exchange-sha256,
1095	diffie-hellman-group16-sha512,	1138	diffie-hellman-group16-sha512,
1096	diffie-hellman-group18-sha512,	1139	diffie-hellman-group18-sha512,
1097	diffie-hellman-group-exchange-sha1,
1098	diffie-hellman-group14-sha256,	1140	diffie-hellman-group14-sha256,
1099	diffie-hellman-group14-sha1	1141	diffie-hellman-group14-sha1
1100	.Ed	1142	.Ed
@@ -1217,11 +1259,13 @@ or
1217	.Cm no	1259	.Cm no
1218	(the default).	1260	(the default).
1219	.It Cm PKCS11Provider	1261	.It Cm PKCS11Provider
1220	Specifies which PKCS#11 provider to use.	1262	Specifies which PKCS#11 provider to use or
1221	The argument to this keyword is the PKCS#11 shared library	1263	.Cm none
		1264	to indicate that no provider should be used (the default).
		1265	The argument to this keyword is a path to the PKCS#11 shared library
1222	.Xr ssh 1	1266	.Xr ssh 1
1223	should use to communicate with a PKCS#11 token providing the user's	1267	should use to communicate with a PKCS#11 token providing keys for user
1224	private RSA key.	1268	authentication.
1225	.It Cm Port	1269	.It Cm Port
1226	Specifies the port number to connect on the remote host.	1270	Specifies the port number to connect on the remote host.
1227	The default is 22.	1271	The default is 22.
@@ -1299,6 +1343,12 @@ Note that this option will compete with the
1299	.Cm ProxyCommand	1343	.Cm ProxyCommand
1300	option - whichever is specified first will prevent later instances of the	1344	option - whichever is specified first will prevent later instances of the
1301	other from taking effect.	1345	other from taking effect.
		1346	.Pp
		1347	Note also that the configuration for the destination host (either supplied
		1348	via the command-line or the configuration file) is not generally applied
		1349	to jump hosts.
		1350	.Pa ~/.ssh/config
		1351	should be used if specific configuration is required for jump hosts.
1302	.It Cm ProxyUseFdpass	1352	.It Cm ProxyUseFdpass
1303	Specifies that	1353	Specifies that
1304	.Cm ProxyCommand	1354	.Cm ProxyCommand
@@ -1852,7 +1902,7 @@ This is the per-user configuration file.
1852	The format of this file is described above.	1902	The format of this file is described above.
1853	This file is used by the SSH client.	1903	This file is used by the SSH client.
1854	Because of the potential for abuse, this file must have strict permissions:	1904	Because of the potential for abuse, this file must have strict permissions:
1855	read/write for the user, and not accessible by others.	1905	read/write for the user, and not writable by others.
1856	It may be group-writable provided that the group in question contains only	1906	It may be group-writable provided that the group in question contains only
1857	the user.	1907	the user.
1858	.It Pa /etc/ssh/ssh_config	1908	.It Pa /etc/ssh/ssh_config