1 files changed, 73 insertions, 2 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 3eaaa536a..3c1f87bef 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.170 2013/10/15 14:10:25 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.171 2013/10/16 02:31:46 djm Exp $
-.Dd $Mdocdate: October 15 2013 $
+.Dd $Mdocdate: October 16 2013 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -200,6 +200,77 @@ Note that this option does not work if
 .Cm UsePrivilegedPort
 is set to
 .Dq yes .
+.It Cm CanonicalDomains
+when
+.Cm CanonicaliseHostname
+is enabled, this option specifies the list of domain suffixes in which to
+search for the specified destination host.
+.It Cm CanonicaliseFallbackLocal
+specified whether to fail with an error when hostname canonicalisation fails.
+The default of
+.Dq no
+will attempt to lookup the unqualified hostname using the system resolver's
+search rules.
+A value of
+.Dq yes
+will cause
+.Xr ssh 1
+to fail instantly if
+.Cm CanonicaliseHostname
+is enabled and the target hostname cannot be found in any of the domains
+specified by
+.Cm CanonicalDomains .
+.It Cm CanonicaliseHostname
+controls whether explicit hostname canonicalisation is performed.
+The default
+.Dq no
+is not to perform any name rewriting and let the system resolver handle all
+hostname lookups.
+If set to
+.Dq yes
+then, for connections that do not use a
+.Cm ProxyCommand ,
+.Xr ssh 1
+will attempt to canonicalise the hostname specified on the command line
+using the
+.Cm CanonicalDomains
+suffixes and
+.Cm CanonicalisePermittedCNAMEs
+rules.
+If
+.Cm CanonicaliseHostname
+is set to
+.Dq always ,
+then canonicalisation is applied to proxied connections to.
+.It Cm CanonicaliseMaxDots
+specifies the maximum number of dot characters in a hostname name before
+canonicalisation is disabled.
+The default of
+.Dq 1
+allows a single dot (i.e. hostname.subdomain)
+.It Cm CanonicalisePermittedCNAMEs
+specifies rules to determine whether CNAMEs should be followed when
+canonicalising hostnames.
+The rules consist of one or more arguments of
+.Sm off
+.Ar source_domain_list : Ar target_domain_list
+.Sm on
+where
+.Ar source_domain_list
+is a pattern-list of domains that are may follow CNAMEs in canonicalisation
+and
+.Ar target_domain_list
+is a pattern-list of domains that they may resove to.
+.Pp
+For example,
+.Dq *.a.example.com:*.b.example.com,*.c.example.com
+will allow hostnames matching
+.Dq *.a.example.com
+to be canonicalised to names in the
+.Dq *.b.example.com
+or
+.Dq *.c.example.com
+domains.
 .It Cm ChallengeResponseAuthentication
 Specifies whether to use challenge-response authentication.
 The argument to this keyword must be

diff --git a/ssh_config.5 b/ssh_config.5 index 3eaaa536a..3c1f87bef 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.170 2013/10/15 14:10:25 jmc Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.171 2013/10/16 02:31:46 djm Exp $
37	.Dd $Mdocdate: October 15 2013 $	37	.Dd $Mdocdate: October 16 2013 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -200,6 +200,77 @@ Note that this option does not work if
200	.Cm UsePrivilegedPort	200	.Cm UsePrivilegedPort
201	is set to	201	is set to
202	.Dq yes .	202	.Dq yes .
		203	.It Cm CanonicalDomains
		204	when
		205	.Cm CanonicaliseHostname
		206	is enabled, this option specifies the list of domain suffixes in which to
		207	search for the specified destination host.
		208	.It Cm CanonicaliseFallbackLocal
		209	specified whether to fail with an error when hostname canonicalisation fails.
		210	The default of
		211	.Dq no
		212	will attempt to lookup the unqualified hostname using the system resolver's
		213	search rules.
		214	A value of
		215	.Dq yes
		216	will cause
		217	.Xr ssh 1
		218	to fail instantly if
		219	.Cm CanonicaliseHostname
		220	is enabled and the target hostname cannot be found in any of the domains
		221	specified by
		222	.Cm CanonicalDomains .
		223	.It Cm CanonicaliseHostname
		224	controls whether explicit hostname canonicalisation is performed.
		225	The default
		226	.Dq no
		227	is not to perform any name rewriting and let the system resolver handle all
		228	hostname lookups.
		229	If set to
		230	.Dq yes
		231	then, for connections that do not use a
		232	.Cm ProxyCommand ,
		233	.Xr ssh 1
		234	will attempt to canonicalise the hostname specified on the command line
		235	using the
		236	.Cm CanonicalDomains
		237	suffixes and
		238	.Cm CanonicalisePermittedCNAMEs
		239	rules.
		240	If
		241	.Cm CanonicaliseHostname
		242	is set to
		243	.Dq always ,
		244	then canonicalisation is applied to proxied connections to.
		245	.It Cm CanonicaliseMaxDots
		246	specifies the maximum number of dot characters in a hostname name before
		247	canonicalisation is disabled.
		248	The default of
		249	.Dq 1
		250	allows a single dot (i.e. hostname.subdomain)
		251	.It Cm CanonicalisePermittedCNAMEs
		252	specifies rules to determine whether CNAMEs should be followed when
		253	canonicalising hostnames.
		254	The rules consist of one or more arguments of
		255	.Sm off
		256	.Ar source_domain_list : Ar target_domain_list
		257	.Sm on
		258	where
		259	.Ar source_domain_list
		260	is a pattern-list of domains that are may follow CNAMEs in canonicalisation
		261	and
		262	.Ar target_domain_list
		263	is a pattern-list of domains that they may resove to.
		264	.Pp
		265	For example,
		266	.Dq .a.example.com:.b.example.com,*.c.example.com
		267	will allow hostnames matching
		268	.Dq *.a.example.com
		269	to be canonicalised to names in the
		270	.Dq *.b.example.com
		271	or
		272	.Dq *.c.example.com
		273	domains.
203	.It Cm ChallengeResponseAuthentication	274	.It Cm ChallengeResponseAuthentication
204	Specifies whether to use challenge-response authentication.	275	Specifies whether to use challenge-response authentication.
205	The argument to this keyword must be	276	The argument to this keyword must be