1 files changed, 42 insertions, 10 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index eab8dd01c..71705cabd 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.268 2018/02/23 07:38:09 jmc Exp $
-.Dd $Mdocdate: September 21 2017 $
+.Dd $Mdocdate: February 23 2018 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -262,6 +262,13 @@ Note that this option does not work if
 .Cm UsePrivilegedPort
 is set to
 .Cm yes .
+.It Cm BindInterface
+Use the address of the specified interface on the local machine as the
+source address of the connection.
+Note that this option does not work if
+.Cm UsePrivilegedPort
+is set to
+.Cm yes .
 .It Cm CanonicalDomains
 When
 .Cm CanonicalizeHostname
@@ -1015,7 +1022,10 @@ The default is:
 curve25519-sha256,curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
+diffie-hellman-group16-sha512,
+diffie-hellman-group18-sha512,
 diffie-hellman-group-exchange-sha1,
+diffie-hellman-group14-sha256,
 diffie-hellman-group14-sha1
 .Ed
 .Pp
@@ -1107,10 +1117,7 @@ hmac-sha2-256,hmac-sha2-512,hmac-sha1
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm NoHostAuthenticationForLocalhost
-This option can be used if the home directory is shared across machines.
+Disable host authentication for localhost (loopback addresses).
-In this case localhost will refer to a different machine on each of
-the machines and the user will get many warnings about changed host keys.
-However, this option disables host authentication for localhost.
 The argument to this keyword must be
 .Cm yes
 or
@@ -1198,13 +1205,14 @@ For example, the following directive would connect via an HTTP proxy at
 ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
 .Ed
 .It Cm ProxyJump
-Specifies one or more jump proxies as
+Specifies one or more jump proxies as either
 .Xo
 .Sm off
 .Op Ar user No @
 .Ar host
 .Op : Ns Ar port
 .Sm on
+or an ssh URI
 .Xc .
 Multiple proxies may be separated by comma characters and will be visited
 sequentially.
@@ -1457,7 +1465,7 @@ If this flag is set to
 will never automatically add host keys to the
 .Pa ~/.ssh/known_hosts
 file, and refuses to connect to hosts whose host key has changed.
-This provides maximum protection against trojan horse attacks,
+This provides maximum protection against man-in-the-middle (MITM) attacks,
 though it can be annoying when the
 .Pa /etc/ssh/ssh_known_hosts
 file is poorly maintained or when connections to new hosts are
@@ -1509,6 +1517,9 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Cm no .
+See also
+.Cm ServerAliveInterval
+for protocol-level keepalives.
 .It Cm Tunnel
 Request
 .Xr tun 4
@@ -1674,6 +1685,18 @@ pool,
 the following entry (in authorized_keys) could be used:
 .Pp
 .Dl from=\&"!*.dialup.example.com,*.example.com\&"
+.Pp
+Note that a negated match will never produce a positive result by itself.
+For example, attempting to match
+.Qq host3
+against the following pattern-list will fail:
+.Pp
+.Dl from=\&"!host1,!host2\&"
+.Pp
+The solution here is to include a term that will yield a positive match,
+such as a wildcard:
+.Pp
+.Dl from=\&"!host1,!host2,*\&"
 .Sh TOKENS
 Arguments to some keywords can make use of tokens,
 which are expanded at runtime:
@@ -1683,7 +1706,7 @@ which are expanded at runtime:
 A literal
 .Sq % .
 .It \&%C
-Shorthand for %l%h%p%r.
+Hash of %l%h%p%r.
 .It %d
 Local user's home directory.
 .It %h
@@ -1700,6 +1723,15 @@ The original remote hostname, as given on the command line.
 The remote port.
 .It %r
 The remote username.
+.It \&%T
+The local
+.Xr tun 4
+or
+.Xr tap 4
+network interface assigned if
+tunnel forwarding was requested, or
+.Qq NONE
+otherwise.
 .It %u
 The local username.
 .El
@@ -1722,7 +1754,7 @@ and
 accept the tokens %%, %d, %h, %l, %r, and %u.
 .Pp
 .Cm LocalCommand
-accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
+accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, %T, and %u.
 .Pp
 .Cm ProxyCommand
 accepts the tokens %%, %h, %p, and %r.

diff --git a/ssh_config.5 b/ssh_config.5 index eab8dd01c..71705cabd 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.268 2018/02/23 07:38:09 jmc Exp $
37	.Dd $Mdocdate: September 21 2017 $	37	.Dd $Mdocdate: February 23 2018 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -262,6 +262,13 @@ Note that this option does not work if
262	.Cm UsePrivilegedPort	262	.Cm UsePrivilegedPort
263	is set to	263	is set to
264	.Cm yes .	264	.Cm yes .
		265	.It Cm BindInterface
		266	Use the address of the specified interface on the local machine as the
		267	source address of the connection.
		268	Note that this option does not work if
		269	.Cm UsePrivilegedPort
		270	is set to
		271	.Cm yes .
265	.It Cm CanonicalDomains	272	.It Cm CanonicalDomains
266	When	273	When
267	.Cm CanonicalizeHostname	274	.Cm CanonicalizeHostname
@@ -1015,7 +1022,10 @@ The default is:
1015	curve25519-sha256,curve25519-sha256@libssh.org,	1022	curve25519-sha256,curve25519-sha256@libssh.org,
1016	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	1023	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1017	diffie-hellman-group-exchange-sha256,	1024	diffie-hellman-group-exchange-sha256,
		1025	diffie-hellman-group16-sha512,
		1026	diffie-hellman-group18-sha512,
1018	diffie-hellman-group-exchange-sha1,	1027	diffie-hellman-group-exchange-sha1,
		1028	diffie-hellman-group14-sha256,
1019	diffie-hellman-group14-sha1	1029	diffie-hellman-group14-sha1
1020	.Ed	1030	.Ed
1021	.Pp	1031	.Pp
@@ -1107,10 +1117,7 @@ hmac-sha2-256,hmac-sha2-512,hmac-sha1
1107	The list of available MAC algorithms may also be obtained using	1117	The list of available MAC algorithms may also be obtained using
1108	.Qq ssh -Q mac .	1118	.Qq ssh -Q mac .
1109	.It Cm NoHostAuthenticationForLocalhost	1119	.It Cm NoHostAuthenticationForLocalhost
1110	This option can be used if the home directory is shared across machines.	1120	Disable host authentication for localhost (loopback addresses).
1111	In this case localhost will refer to a different machine on each of
1112	the machines and the user will get many warnings about changed host keys.
1113	However, this option disables host authentication for localhost.
1114	The argument to this keyword must be	1121	The argument to this keyword must be
1115	.Cm yes	1122	.Cm yes
1116	or	1123	or
@@ -1198,13 +1205,14 @@ For example, the following directive would connect via an HTTP proxy at
1198	ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p	1205	ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
1199	.Ed	1206	.Ed
1200	.It Cm ProxyJump	1207	.It Cm ProxyJump
1201	Specifies one or more jump proxies as	1208	Specifies one or more jump proxies as either
1202	.Xo	1209	.Xo
1203	.Sm off	1210	.Sm off
1204	.Op Ar user No @	1211	.Op Ar user No @
1205	.Ar host	1212	.Ar host
1206	.Op : Ns Ar port	1213	.Op : Ns Ar port
1207	.Sm on	1214	.Sm on
		1215	or an ssh URI
1208	.Xc .	1216	.Xc .
1209	Multiple proxies may be separated by comma characters and will be visited	1217	Multiple proxies may be separated by comma characters and will be visited
1210	sequentially.	1218	sequentially.
@@ -1457,7 +1465,7 @@ If this flag is set to
1457	will never automatically add host keys to the	1465	will never automatically add host keys to the
1458	.Pa ~/.ssh/known_hosts	1466	.Pa ~/.ssh/known_hosts
1459	file, and refuses to connect to hosts whose host key has changed.	1467	file, and refuses to connect to hosts whose host key has changed.
1460	This provides maximum protection against trojan horse attacks,	1468	This provides maximum protection against man-in-the-middle (MITM) attacks,
1461	though it can be annoying when the	1469	though it can be annoying when the
1462	.Pa /etc/ssh/ssh_known_hosts	1470	.Pa /etc/ssh/ssh_known_hosts
1463	file is poorly maintained or when connections to new hosts are	1471	file is poorly maintained or when connections to new hosts are
@@ -1509,6 +1517,9 @@ This is important in scripts, and many users want it too.
1509	.Pp	1517	.Pp
1510	To disable TCP keepalive messages, the value should be set to	1518	To disable TCP keepalive messages, the value should be set to
1511	.Cm no .	1519	.Cm no .
		1520	See also
		1521	.Cm ServerAliveInterval
		1522	for protocol-level keepalives.
1512	.It Cm Tunnel	1523	.It Cm Tunnel
1513	Request	1524	Request
1514	.Xr tun 4	1525	.Xr tun 4
@@ -1674,6 +1685,18 @@ pool,
1674	the following entry (in authorized_keys) could be used:	1685	the following entry (in authorized_keys) could be used:
1675	.Pp	1686	.Pp
1676	.Dl from=\&"!.dialup.example.com,.example.com\&"	1687	.Dl from=\&"!.dialup.example.com,.example.com\&"
		1688	.Pp
		1689	Note that a negated match will never produce a positive result by itself.
		1690	For example, attempting to match
		1691	.Qq host3
		1692	against the following pattern-list will fail:
		1693	.Pp
		1694	.Dl from=\&"!host1,!host2\&"
		1695	.Pp
		1696	The solution here is to include a term that will yield a positive match,
		1697	such as a wildcard:
		1698	.Pp
		1699	.Dl from=\&"!host1,!host2,*\&"
1677	.Sh TOKENS	1700	.Sh TOKENS
1678	Arguments to some keywords can make use of tokens,	1701	Arguments to some keywords can make use of tokens,
1679	which are expanded at runtime:	1702	which are expanded at runtime:
@@ -1683,7 +1706,7 @@ which are expanded at runtime:
1683	A literal	1706	A literal
1684	.Sq % .	1707	.Sq % .
1685	.It \&%C	1708	.It \&%C
1686	Shorthand for %l%h%p%r.	1709	Hash of %l%h%p%r.
1687	.It %d	1710	.It %d
1688	Local user's home directory.	1711	Local user's home directory.
1689	.It %h	1712	.It %h
@@ -1700,6 +1723,15 @@ The original remote hostname, as given on the command line.
1700	The remote port.	1723	The remote port.
1701	.It %r	1724	.It %r
1702	The remote username.	1725	The remote username.
		1726	.It \&%T
		1727	The local
		1728	.Xr tun 4
		1729	or
		1730	.Xr tap 4
		1731	network interface assigned if
		1732	tunnel forwarding was requested, or
		1733	.Qq NONE
		1734	otherwise.
1703	.It %u	1735	.It %u
1704	The local username.	1736	The local username.
1705	.El	1737	.El
@@ -1722,7 +1754,7 @@ and
1722	accept the tokens %%, %d, %h, %l, %r, and %u.	1754	accept the tokens %%, %d, %h, %l, %r, and %u.
1723	.Pp	1755	.Pp
1724	.Cm LocalCommand	1756	.Cm LocalCommand
1725	accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.	1757	accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, %T, and %u.
1726	.Pp	1758	.Pp
1727	.Cm ProxyCommand	1759	.Cm ProxyCommand
1728	accepts the tokens %%, %h, %p, and %r.	1760	accepts the tokens %%, %h, %p, and %r.