1 files changed, 48 insertions, 89 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index fc13fa510..2da7029af 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,16 +33,13 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.242 2017/02/27 14:30:33 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $
-.Dd $Mdocdate: February 27 2017 $
+.Dd $Mdocdate: September 21 2017 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
 .Nm ssh_config
 .Nd OpenSSH SSH client configuration files
-.Sh SYNOPSIS
-.Nm ~/.ssh/config
-.Nm /etc/ssh/ssh_config
 .Sh DESCRIPTION
 .Xr ssh 1
 obtains configuration data from the following sources in
@@ -411,25 +408,8 @@ in the process, regardless of the setting of
 If the option is set to
 .Cm no ,
 the check will not be executed.
-.It Cm Cipher
-Specifies the cipher to use for encrypting the session
-in protocol version 1.
-Currently,
-.Cm blowfish ,
-.Cm 3des
-(the default),
-and
-.Cm des
-are supported,
-though
-.Cm des
-is only supported in the
-.Xr ssh 1
-client for interoperability with legacy protocol 1 implementations;
-its use is strongly discouraged due to cryptographic weaknesses.
 .It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2
+Specifies the ciphers allowed and their order of preference.
-in order of preference.
 Multiple ciphers must be comma-separated.
 If the specified value begins with a
 .Sq +
@@ -451,11 +431,6 @@ aes192-ctr
 aes256-ctr
 aes128-gcm@openssh.com
 aes256-gcm@openssh.com
-arcfour
-arcfour128
-arcfour256
-blowfish-cbc
-cast128-cbc
 chacha20-poly1305@openssh.com
 .Ed
 .Pp
@@ -492,13 +467,6 @@ The argument must be
 or
 .Cm no
 (the default).
-.It Cm CompressionLevel
-Specifies the compression level to use if compression is enabled.
-The argument must be an integer from 1 (fast) to 9 (slow, best).
-The default level is 6, which is good for most applications.
-The meaning of the values is the same as in
-.Xr gzip 1 .
-Note that this option applies to protocol version 1 only.
 .It Cm ConnectionAttempts
 Specifies the number of tries (one per second) to make before exiting.
 The argument must be an integer.
@@ -894,7 +862,7 @@ The list of available key types may also be obtained using
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
-in the host key database files.
+in the host key database files and when validating host certificates.
 This option is useful for tunneling SSH connections
 or for multiple servers running on a single host.
 .It Cm HostName
@@ -958,14 +926,11 @@ section.
 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
 identity is read.
 The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ed25519
 and
-.Pa ~/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa .
-for protocol version 2.
 Additionally, any identities represented by the authentication agent
 will be used for authentication unless
 .Cm IdentitiesOnly
@@ -1060,7 +1025,9 @@ Accepted values are
 .Cm lowdelay ,
 .Cm throughput ,
 .Cm reliability ,
-or a numeric value.
+a numeric value, or
+.Cm none
+to use the operating system default.
 This option may take one or two arguments, separated by whitespace.
 If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
@@ -1248,21 +1215,6 @@ The default is:
 gssapi-with-mic,hostbased,publickey,
 keyboard-interactive,password
 .Ed
-.It Cm Protocol
-Specifies the protocol versions
-.Xr ssh 1
-should support in order of preference.
-The possible values are 1 and 2.
-Multiple versions must be comma-separated.
-When this option is set to
-.Cm 2,1
-.Nm ssh
-will try version 2 and fall back to version 1
-if version 2 is not available.
-The default is version 2.
-Protocol 1 suffers from a number of cryptographic weaknesses and should
-not be used.
-It is only offered to support legacy devices.
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
@@ -1390,15 +1342,31 @@ is
 .Cm default none ,
 which means that rekeying is performed after the cipher's default amount
 of data has been sent or received and no time based rekeying is done.
+.It Cm RemoteCommand
+Specifies a command to execute on the remote machine after successfully
+connecting to the server.
+The command string extends to the end of the line, and is executed with
+the user's shell.
+Arguments to
+.Cm RemoteCommand
+accept the tokens described in the
+.Sx TOKENS
+section.
 .It Cm RemoteForward
 Specifies that a TCP port on the remote machine be forwarded over
-the secure channel to the specified host and port from the local machine.
+the secure channel.
+The remote port may either be fowarded to a specified host and port
+from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
+client to connect to arbitrary destinations from the local machine.
 The first argument must be
 .Sm off
 .Oo Ar bind_address : Oc Ar port
 .Sm on
-and the second argument must be
+If forwarding to a specific destination then the second argument must be
-.Ar host : Ns Ar hostport .
+.Ar host : Ns Ar hostport ,
+otherwise if no destination argument is specified then the remote forwarding
+will be established as a SOCKS proxy.
+.Pp
 IPv6 addresses can be specified by enclosing addresses in square brackets.
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
@@ -1453,28 +1421,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
-.It Cm RhostsRSAAuthentication
-Specifies whether to try rhosts based authentication with RSA host
-authentication.
-The argument must be
-.Cm yes
-or
-.Cm no
-(the default).
-This option applies to protocol version 1 only and requires
-.Xr ssh 1
-to be setuid root.
-.It Cm RSAAuthentication
-Specifies whether to try RSA authentication.
-The argument to this keyword must be
-.Cm yes
-(the default)
-or
-.Cm no .
-RSA authentication will only be
-attempted if the identity file exists, or an authentication agent is
-running.
-Note that this option applies to protocol version 1 only.
 .It Cm SendEnv
 Specifies what variables from the local
 .Xr environ 7
@@ -1581,10 +1527,19 @@ file is poorly maintained or when connections to new hosts are
 frequently made.
 This option forces the user to manually
 add all new hosts.
+.Pp
 If this flag is set to
-.Cm no ,
+.Dq accept-new
-ssh will automatically add new host keys to the
+then ssh will automatically add new host keys to the user
-user known hosts files.
+known hosts files, but will not permit connections to hosts with
+changed host keys.
+If this flag is set to
+.Dq no
+or
+.Dq off ,
+ssh will automatically add new host keys to the user known hosts files
+and allow connections to hosts with changed hostkeys to proceed,
+subject to some restrictions.
 If this flag is set to
 .Cm ask
 (the default),
@@ -1594,6 +1549,12 @@ has confirmed that is what they really want to do, and
 ssh will refuse to connect to hosts whose host key has changed.
 The host keys of
 known hosts will be verified automatically in all cases.
+.It Cm SyslogFacility
+Gives the facility code that is used when logging messages from
+.Xr ssh 1 .
+The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is USER.
 .It Cm TCPKeepAlive
 Specifies whether the system should send TCP keepalive messages to the
 other side.
@@ -1696,11 +1657,6 @@ If set to
 .Cm yes ,
 .Xr ssh 1
 must be setuid root.
-Note that this option must be set to
-.Cm yes
-for
-.Cm RhostsRSAAuthentication
-with older servers.
 .It Cm User
 Specifies the user to log in as.
 This can be useful when a different user name is used on different machines.
@@ -1839,6 +1795,9 @@ accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
 .Pp
 .Cm ProxyCommand
 accepts the tokens %%, %h, %p, and %r.
+.Pp
+.Cm RemoteCommand
+accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/config

diff --git a/ssh_config.5 b/ssh_config.5 index fc13fa510..2da7029af 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,16 +33,13 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.242 2017/02/27 14:30:33 jmc Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $
37	.Dd $Mdocdate: February 27 2017 $	37	.Dd $Mdocdate: September 21 2017 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
41	.Nm ssh_config	41	.Nm ssh_config
42	.Nd OpenSSH SSH client configuration files	42	.Nd OpenSSH SSH client configuration files
43	.Sh SYNOPSIS
44	.Nm ~/.ssh/config
45	.Nm /etc/ssh/ssh_config
46	.Sh DESCRIPTION	43	.Sh DESCRIPTION
47	.Xr ssh 1	44	.Xr ssh 1
48	obtains configuration data from the following sources in	45	obtains configuration data from the following sources in
@@ -411,25 +408,8 @@ in the process, regardless of the setting of
411	If the option is set to	408	If the option is set to
412	.Cm no ,	409	.Cm no ,
413	the check will not be executed.	410	the check will not be executed.
414	.It Cm Cipher
415	Specifies the cipher to use for encrypting the session
416	in protocol version 1.
417	Currently,
418	.Cm blowfish ,
419	.Cm 3des
420	(the default),
421	and
422	.Cm des
423	are supported,
424	though
425	.Cm des
426	is only supported in the
427	.Xr ssh 1
428	client for interoperability with legacy protocol 1 implementations;
429	its use is strongly discouraged due to cryptographic weaknesses.
430	.It Cm Ciphers	411	.It Cm Ciphers
431	Specifies the ciphers allowed for protocol version 2	412	Specifies the ciphers allowed and their order of preference.
432	in order of preference.
433	Multiple ciphers must be comma-separated.	413	Multiple ciphers must be comma-separated.
434	If the specified value begins with a	414	If the specified value begins with a
435	.Sq +	415	.Sq +
@@ -451,11 +431,6 @@ aes192-ctr
451	aes256-ctr	431	aes256-ctr
452	aes128-gcm@openssh.com	432	aes128-gcm@openssh.com
453	aes256-gcm@openssh.com	433	aes256-gcm@openssh.com
454	arcfour
455	arcfour128
456	arcfour256
457	blowfish-cbc
458	cast128-cbc
459	chacha20-poly1305@openssh.com	434	chacha20-poly1305@openssh.com
460	.Ed	435	.Ed
461	.Pp	436	.Pp
@@ -492,13 +467,6 @@ The argument must be
492	or	467	or
493	.Cm no	468	.Cm no
494	(the default).	469	(the default).
495	.It Cm CompressionLevel
496	Specifies the compression level to use if compression is enabled.
497	The argument must be an integer from 1 (fast) to 9 (slow, best).
498	The default level is 6, which is good for most applications.
499	The meaning of the values is the same as in
500	.Xr gzip 1 .
501	Note that this option applies to protocol version 1 only.
502	.It Cm ConnectionAttempts	470	.It Cm ConnectionAttempts
503	Specifies the number of tries (one per second) to make before exiting.	471	Specifies the number of tries (one per second) to make before exiting.
504	The argument must be an integer.	472	The argument must be an integer.
@@ -894,7 +862,7 @@ The list of available key types may also be obtained using
894	.It Cm HostKeyAlias	862	.It Cm HostKeyAlias
895	Specifies an alias that should be used instead of the	863	Specifies an alias that should be used instead of the
896	real host name when looking up or saving the host key	864	real host name when looking up or saving the host key
897	in the host key database files.	865	in the host key database files and when validating host certificates.
898	This option is useful for tunneling SSH connections	866	This option is useful for tunneling SSH connections
899	or for multiple servers running on a single host.	867	or for multiple servers running on a single host.
900	.It Cm HostName	868	.It Cm HostName
@@ -958,14 +926,11 @@ section.
958	Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication	926	Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
959	identity is read.	927	identity is read.
960	The default is	928	The default is
961	.Pa ~/.ssh/identity
962	for protocol version 1, and
963	.Pa ~/.ssh/id_dsa ,	929	.Pa ~/.ssh/id_dsa ,
964	.Pa ~/.ssh/id_ecdsa ,	930	.Pa ~/.ssh/id_ecdsa ,
965	.Pa ~/.ssh/id_ed25519	931	.Pa ~/.ssh/id_ed25519
966	and	932	and
967	.Pa ~/.ssh/id_rsa	933	.Pa ~/.ssh/id_rsa .
968	for protocol version 2.
969	Additionally, any identities represented by the authentication agent	934	Additionally, any identities represented by the authentication agent
970	will be used for authentication unless	935	will be used for authentication unless
971	.Cm IdentitiesOnly	936	.Cm IdentitiesOnly
@@ -1060,7 +1025,9 @@ Accepted values are
1060	.Cm lowdelay ,	1025	.Cm lowdelay ,
1061	.Cm throughput ,	1026	.Cm throughput ,
1062	.Cm reliability ,	1027	.Cm reliability ,
1063	or a numeric value.	1028	a numeric value, or
		1029	.Cm none
		1030	to use the operating system default.
1064	This option may take one or two arguments, separated by whitespace.	1031	This option may take one or two arguments, separated by whitespace.
1065	If one argument is specified, it is used as the packet class unconditionally.	1032	If one argument is specified, it is used as the packet class unconditionally.
1066	If two values are specified, the first is automatically selected for	1033	If two values are specified, the first is automatically selected for
@@ -1248,21 +1215,6 @@ The default is:
1248	gssapi-with-mic,hostbased,publickey,	1215	gssapi-with-mic,hostbased,publickey,
1249	keyboard-interactive,password	1216	keyboard-interactive,password
1250	.Ed	1217	.Ed
1251	.It Cm Protocol
1252	Specifies the protocol versions
1253	.Xr ssh 1
1254	should support in order of preference.
1255	The possible values are 1 and 2.
1256	Multiple versions must be comma-separated.
1257	When this option is set to
1258	.Cm 2,1
1259	.Nm ssh
1260	will try version 2 and fall back to version 1
1261	if version 2 is not available.
1262	The default is version 2.
1263	Protocol 1 suffers from a number of cryptographic weaknesses and should
1264	not be used.
1265	It is only offered to support legacy devices.
1266	.It Cm ProxyCommand	1218	.It Cm ProxyCommand
1267	Specifies the command to use to connect to the server.	1219	Specifies the command to use to connect to the server.
1268	The command	1220	The command
@@ -1390,15 +1342,31 @@ is
1390	.Cm default none ,	1342	.Cm default none ,
1391	which means that rekeying is performed after the cipher's default amount	1343	which means that rekeying is performed after the cipher's default amount
1392	of data has been sent or received and no time based rekeying is done.	1344	of data has been sent or received and no time based rekeying is done.
		1345	.It Cm RemoteCommand
		1346	Specifies a command to execute on the remote machine after successfully
		1347	connecting to the server.
		1348	The command string extends to the end of the line, and is executed with
		1349	the user's shell.
		1350	Arguments to
		1351	.Cm RemoteCommand
		1352	accept the tokens described in the
		1353	.Sx TOKENS
		1354	section.
1393	.It Cm RemoteForward	1355	.It Cm RemoteForward
1394	Specifies that a TCP port on the remote machine be forwarded over	1356	Specifies that a TCP port on the remote machine be forwarded over
1395	the secure channel to the specified host and port from the local machine.	1357	the secure channel.
		1358	The remote port may either be fowarded to a specified host and port
		1359	from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
		1360	client to connect to arbitrary destinations from the local machine.
1396	The first argument must be	1361	The first argument must be
1397	.Sm off	1362	.Sm off
1398	.Oo Ar bind_address : Oc Ar port	1363	.Oo Ar bind_address : Oc Ar port
1399	.Sm on	1364	.Sm on
1400	and the second argument must be	1365	If forwarding to a specific destination then the second argument must be
1401	.Ar host : Ns Ar hostport .	1366	.Ar host : Ns Ar hostport ,
		1367	otherwise if no destination argument is specified then the remote forwarding
		1368	will be established as a SOCKS proxy.
		1369	.Pp
1402	IPv6 addresses can be specified by enclosing addresses in square brackets.	1370	IPv6 addresses can be specified by enclosing addresses in square brackets.
1403	Multiple forwardings may be specified, and additional	1371	Multiple forwardings may be specified, and additional
1404	forwardings can be given on the command line.	1372	forwardings can be given on the command line.
@@ -1453,28 +1421,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
1453	.Xr ssh-keygen 1 .	1421	.Xr ssh-keygen 1 .
1454	For more information on KRLs, see the KEY REVOCATION LISTS section in	1422	For more information on KRLs, see the KEY REVOCATION LISTS section in
1455	.Xr ssh-keygen 1 .	1423	.Xr ssh-keygen 1 .
1456	.It Cm RhostsRSAAuthentication
1457	Specifies whether to try rhosts based authentication with RSA host
1458	authentication.
1459	The argument must be
1460	.Cm yes
1461	or
1462	.Cm no
1463	(the default).
1464	This option applies to protocol version 1 only and requires
1465	.Xr ssh 1
1466	to be setuid root.
1467	.It Cm RSAAuthentication
1468	Specifies whether to try RSA authentication.
1469	The argument to this keyword must be
1470	.Cm yes
1471	(the default)
1472	or
1473	.Cm no .
1474	RSA authentication will only be
1475	attempted if the identity file exists, or an authentication agent is
1476	running.
1477	Note that this option applies to protocol version 1 only.
1478	.It Cm SendEnv	1424	.It Cm SendEnv
1479	Specifies what variables from the local	1425	Specifies what variables from the local
1480	.Xr environ 7	1426	.Xr environ 7
@@ -1581,10 +1527,19 @@ file is poorly maintained or when connections to new hosts are
1581	frequently made.	1527	frequently made.
1582	This option forces the user to manually	1528	This option forces the user to manually
1583	add all new hosts.	1529	add all new hosts.
		1530	.Pp
1584	If this flag is set to	1531	If this flag is set to
1585	.Cm no ,	1532	.Dq accept-new
1586	ssh will automatically add new host keys to the	1533	then ssh will automatically add new host keys to the user
1587	user known hosts files.	1534	known hosts files, but will not permit connections to hosts with
		1535	changed host keys.
		1536	If this flag is set to
		1537	.Dq no
		1538	or
		1539	.Dq off ,
		1540	ssh will automatically add new host keys to the user known hosts files
		1541	and allow connections to hosts with changed hostkeys to proceed,
		1542	subject to some restrictions.
1588	If this flag is set to	1543	If this flag is set to
1589	.Cm ask	1544	.Cm ask
1590	(the default),	1545	(the default),
@@ -1594,6 +1549,12 @@ has confirmed that is what they really want to do, and
1594	ssh will refuse to connect to hosts whose host key has changed.	1549	ssh will refuse to connect to hosts whose host key has changed.
1595	The host keys of	1550	The host keys of
1596	known hosts will be verified automatically in all cases.	1551	known hosts will be verified automatically in all cases.
		1552	.It Cm SyslogFacility
		1553	Gives the facility code that is used when logging messages from
		1554	.Xr ssh 1 .
		1555	The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
		1556	LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
		1557	The default is USER.
1597	.It Cm TCPKeepAlive	1558	.It Cm TCPKeepAlive
1598	Specifies whether the system should send TCP keepalive messages to the	1559	Specifies whether the system should send TCP keepalive messages to the
1599	other side.	1560	other side.
@@ -1696,11 +1657,6 @@ If set to
1696	.Cm yes ,	1657	.Cm yes ,
1697	.Xr ssh 1	1658	.Xr ssh 1
1698	must be setuid root.	1659	must be setuid root.
1699	Note that this option must be set to
1700	.Cm yes
1701	for
1702	.Cm RhostsRSAAuthentication
1703	with older servers.
1704	.It Cm User	1660	.It Cm User
1705	Specifies the user to log in as.	1661	Specifies the user to log in as.
1706	This can be useful when a different user name is used on different machines.	1662	This can be useful when a different user name is used on different machines.
@@ -1839,6 +1795,9 @@ accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1839	.Pp	1795	.Pp
1840	.Cm ProxyCommand	1796	.Cm ProxyCommand
1841	accepts the tokens %%, %h, %p, and %r.	1797	accepts the tokens %%, %h, %p, and %r.
		1798	.Pp
		1799	.Cm RemoteCommand
		1800	accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1842	.Sh FILES	1801	.Sh FILES
1843	.Bl -tag -width Ds	1802	.Bl -tag -width Ds
1844	.It Pa ~/.ssh/config	1803	.It Pa ~/.ssh/config