1 files changed, 53 insertions, 31 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 412629637..02a87892d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $
-.Dd $Mdocdate: March 1 2019 $
+.Dd $Mdocdate: September 13 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -361,7 +361,7 @@ Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
 The default is:
 .Bd -literal -offset indent
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
@@ -422,14 +422,18 @@ the check will not be executed.
 .It Cm Ciphers
 Specifies the ciphers allowed and their order of preference.
 Multiple ciphers must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified ciphers will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Bd -literal -offset indent
@@ -485,8 +489,8 @@ The default is 1.
 .It Cm ConnectTimeout
 Specifies the timeout (in seconds) used when connecting to the
 SSH server, instead of using the default system TCP timeout.
-This value is used only when the target is down or really unreachable,
+This timeout is applied both to establishing the connection and to performing
-not when it refuses the connection.
+the initial SSH protocol handshake and key exchange.
 .It Cm ControlMaster
 Enables the sharing of multiple sessions over a single network connection.
 When set to
@@ -786,14 +790,18 @@ or
 .It Cm HostbasedKeyTypes
 Specifies the key types that will be used for hostbased authentication
 as a comma-separated list of patterns.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -814,14 +822,18 @@ may be used to list supported key types.
 .It Cm HostKeyAlgorithms
 Specifies the host key algorithms
 that the client wants to use in order of preference.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -845,28 +857,28 @@ real host name when looking up or saving the host key
 in the host key database files and when validating host certificates.
 This option is useful for tunneling SSH connections
 or for multiple servers running on a single host.
-.It Cm HostName
+.It Cm Hostname
 Specifies the real host name to log into.
 This can be used to specify nicknames or abbreviations for hosts.
 Arguments to
-.Cm HostName
+.Cm Hostname
 accept the tokens described in the
 .Sx TOKENS
 section.
 Numeric IP addresses are also permitted (both on the command line and in
-.Cm HostName
+.Cm Hostname
 specifications).
 The default is the name given on the command line.
 .It Cm IdentitiesOnly
 Specifies that
 .Xr ssh 1
-should only use the authentication identity and certificate files explicitly
+should only use the configured authentication identity and certificate files
-configured in the
+(either the default files, or those explicitly configured in the
 .Nm
 files
 or passed on the
 .Xr ssh 1
-command-line,
+command-line),
 even if
 .Xr ssh-agent 1
 or a
@@ -1043,14 +1055,18 @@ and
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-Alternately if the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified methods will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The default is:
 .Bd -literal -offset indent
 curve25519-sha256,curve25519-sha256@libssh.org,
@@ -1124,14 +1140,18 @@ Specifies the MAC (message authentication code) algorithms
 in order of preference.
 The MAC algorithm is used for data integrity protection.
 Multiple algorithms must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1222,8 +1242,8 @@ server running on some machine, or execute
 .Ic sshd -i
 somewhere.
 Host key management will be done using the
-HostName of the host being connected (defaulting to the name typed by
+.Cm Hostname
-the user).
+of the host being connected (defaulting to the name typed by the user).
 Setting the command to
 .Cm none
 disables this option entirely.
@@ -1281,14 +1301,18 @@ The default is
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be used for public key authentication
 as a comma-separated list of patterns.
-Alternately if the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the key types after it will be appended to the default
 instead of replacing it.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1326,9 +1350,7 @@ and
 .Sq 4G ,
 depending on the cipher.
 The optional second value is specified in seconds and may use any of the
-units documented in the
+units documented in the TIME FORMATS section of
-.Sx TIME FORMATS
-section of
 .Xr sshd_config 5 .
 The default value for
 .Cm RekeyLimit
@@ -1462,7 +1484,7 @@ The TCP keepalive option enabled by
 .Cm TCPKeepAlive
 is spoofable.
 The server alive mechanism is valuable when the client or
-server depend on knowing when a connection has become inactive.
+server depend on knowing when a connection has become unresponsive.
 .Pp
 The default value is 3.
 If, for example,
@@ -1787,7 +1809,7 @@ accepts the tokens %%, %d, %h, %i, %l, %r, and %u.
 .Cm ControlPath
 accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
 .Pp
-.Cm HostName
+.Cm Hostname
 accepts the tokens %% and %h.
 .Pp
 .Cm IdentityAgent
@@ -1799,7 +1821,7 @@ accept the tokens %%, %d, %h, %i, %l, %r, and %u.
 accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.
 .Pp
 .Cm ProxyCommand
-accepts the tokens %%, %h, %p, and %r.
+accepts the tokens %%, %h, %n, %p, and %r.
 .Pp
 .Cm RemoteCommand
 accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.

diff --git a/ssh_config.5 b/ssh_config.5 index 412629637..02a87892d 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $
37	.Dd $Mdocdate: March 1 2019 $	37	.Dd $Mdocdate: September 13 2019 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -361,7 +361,7 @@ Specifies which algorithms are allowed for signing of certificates
361	by certificate authorities (CAs).	361	by certificate authorities (CAs).
362	The default is:	362	The default is:
363	.Bd -literal -offset indent	363	.Bd -literal -offset indent
364	ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	364	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
365	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	365	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
366	.Ed	366	.Ed
367	.Pp	367	.Pp
@@ -422,14 +422,18 @@ the check will not be executed.
422	.It Cm Ciphers	422	.It Cm Ciphers
423	Specifies the ciphers allowed and their order of preference.	423	Specifies the ciphers allowed and their order of preference.
424	Multiple ciphers must be comma-separated.	424	Multiple ciphers must be comma-separated.
425	If the specified value begins with a	425	If the specified list begins with a
426	.Sq +	426	.Sq +
427	character, then the specified ciphers will be appended to the default set	427	character, then the specified ciphers will be appended to the default set
428	instead of replacing them.	428	instead of replacing them.
429	If the specified value begins with a	429	If the specified list begins with a
430	.Sq -	430	.Sq -
431	character, then the specified ciphers (including wildcards) will be removed	431	character, then the specified ciphers (including wildcards) will be removed
432	from the default set instead of replacing them.	432	from the default set instead of replacing them.
		433	If the specified list begins with a
		434	.Sq ^
		435	character, then the specified ciphers will be placed at the head of the
		436	default set.
433	.Pp	437	.Pp
434	The supported ciphers are:	438	The supported ciphers are:
435	.Bd -literal -offset indent	439	.Bd -literal -offset indent
@@ -485,8 +489,8 @@ The default is 1.
485	.It Cm ConnectTimeout	489	.It Cm ConnectTimeout
486	Specifies the timeout (in seconds) used when connecting to the	490	Specifies the timeout (in seconds) used when connecting to the
487	SSH server, instead of using the default system TCP timeout.	491	SSH server, instead of using the default system TCP timeout.
488	This value is used only when the target is down or really unreachable,	492	This timeout is applied both to establishing the connection and to performing
489	not when it refuses the connection.	493	the initial SSH protocol handshake and key exchange.
490	.It Cm ControlMaster	494	.It Cm ControlMaster
491	Enables the sharing of multiple sessions over a single network connection.	495	Enables the sharing of multiple sessions over a single network connection.
492	When set to	496	When set to
@@ -786,14 +790,18 @@ or
786	.It Cm HostbasedKeyTypes	790	.It Cm HostbasedKeyTypes
787	Specifies the key types that will be used for hostbased authentication	791	Specifies the key types that will be used for hostbased authentication
788	as a comma-separated list of patterns.	792	as a comma-separated list of patterns.
789	Alternately if the specified value begins with a	793	Alternately if the specified list begins with a
790	.Sq +	794	.Sq +
791	character, then the specified key types will be appended to the default set	795	character, then the specified key types will be appended to the default set
792	instead of replacing them.	796	instead of replacing them.
793	If the specified value begins with a	797	If the specified list begins with a
794	.Sq -	798	.Sq -
795	character, then the specified key types (including wildcards) will be removed	799	character, then the specified key types (including wildcards) will be removed
796	from the default set instead of replacing them.	800	from the default set instead of replacing them.
		801	If the specified list begins with a
		802	.Sq ^
		803	character, then the specified key types will be placed at the head of the
		804	default set.
797	The default for this option is:	805	The default for this option is:
798	.Bd -literal -offset 3n	806	.Bd -literal -offset 3n
799	ecdsa-sha2-nistp256-cert-v01@openssh.com,	807	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -814,14 +822,18 @@ may be used to list supported key types.
814	.It Cm HostKeyAlgorithms	822	.It Cm HostKeyAlgorithms
815	Specifies the host key algorithms	823	Specifies the host key algorithms
816	that the client wants to use in order of preference.	824	that the client wants to use in order of preference.
817	Alternately if the specified value begins with a	825	Alternately if the specified list begins with a
818	.Sq +	826	.Sq +
819	character, then the specified key types will be appended to the default set	827	character, then the specified key types will be appended to the default set
820	instead of replacing them.	828	instead of replacing them.
821	If the specified value begins with a	829	If the specified list begins with a
822	.Sq -	830	.Sq -
823	character, then the specified key types (including wildcards) will be removed	831	character, then the specified key types (including wildcards) will be removed
824	from the default set instead of replacing them.	832	from the default set instead of replacing them.
		833	If the specified list begins with a
		834	.Sq ^
		835	character, then the specified key types will be placed at the head of the
		836	default set.
825	The default for this option is:	837	The default for this option is:
826	.Bd -literal -offset 3n	838	.Bd -literal -offset 3n
827	ecdsa-sha2-nistp256-cert-v01@openssh.com,	839	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -845,28 +857,28 @@ real host name when looking up or saving the host key
845	in the host key database files and when validating host certificates.	857	in the host key database files and when validating host certificates.
846	This option is useful for tunneling SSH connections	858	This option is useful for tunneling SSH connections
847	or for multiple servers running on a single host.	859	or for multiple servers running on a single host.
848	.It Cm HostName	860	.It Cm Hostname
849	Specifies the real host name to log into.	861	Specifies the real host name to log into.
850	This can be used to specify nicknames or abbreviations for hosts.	862	This can be used to specify nicknames or abbreviations for hosts.
851	Arguments to	863	Arguments to
852	.Cm HostName	864	.Cm Hostname
853	accept the tokens described in the	865	accept the tokens described in the
854	.Sx TOKENS	866	.Sx TOKENS
855	section.	867	section.
856	Numeric IP addresses are also permitted (both on the command line and in	868	Numeric IP addresses are also permitted (both on the command line and in
857	.Cm HostName	869	.Cm Hostname
858	specifications).	870	specifications).
859	The default is the name given on the command line.	871	The default is the name given on the command line.
860	.It Cm IdentitiesOnly	872	.It Cm IdentitiesOnly
861	Specifies that	873	Specifies that
862	.Xr ssh 1	874	.Xr ssh 1
863	should only use the authentication identity and certificate files explicitly	875	should only use the configured authentication identity and certificate files
864	configured in the	876	(either the default files, or those explicitly configured in the
865	.Nm	877	.Nm
866	files	878	files
867	or passed on the	879	or passed on the
868	.Xr ssh 1	880	.Xr ssh 1
869	command-line,	881	command-line),
870	even if	882	even if
871	.Xr ssh-agent 1	883	.Xr ssh-agent 1
872	or a	884	or a
@@ -1043,14 +1055,18 @@ and
1043	.It Cm KexAlgorithms	1055	.It Cm KexAlgorithms
1044	Specifies the available KEX (Key Exchange) algorithms.	1056	Specifies the available KEX (Key Exchange) algorithms.
1045	Multiple algorithms must be comma-separated.	1057	Multiple algorithms must be comma-separated.
1046	Alternately if the specified value begins with a	1058	If the specified list begins with a
1047	.Sq +	1059	.Sq +
1048	character, then the specified methods will be appended to the default set	1060	character, then the specified methods will be appended to the default set
1049	instead of replacing them.	1061	instead of replacing them.
1050	If the specified value begins with a	1062	If the specified list begins with a
1051	.Sq -	1063	.Sq -
1052	character, then the specified methods (including wildcards) will be removed	1064	character, then the specified methods (including wildcards) will be removed
1053	from the default set instead of replacing them.	1065	from the default set instead of replacing them.
		1066	If the specified list begins with a
		1067	.Sq ^
		1068	character, then the specified methods will be placed at the head of the
		1069	default set.
1054	The default is:	1070	The default is:
1055	.Bd -literal -offset indent	1071	.Bd -literal -offset indent
1056	curve25519-sha256,curve25519-sha256@libssh.org,	1072	curve25519-sha256,curve25519-sha256@libssh.org,
@@ -1124,14 +1140,18 @@ Specifies the MAC (message authentication code) algorithms
1124	in order of preference.	1140	in order of preference.
1125	The MAC algorithm is used for data integrity protection.	1141	The MAC algorithm is used for data integrity protection.
1126	Multiple algorithms must be comma-separated.	1142	Multiple algorithms must be comma-separated.
1127	If the specified value begins with a	1143	If the specified list begins with a
1128	.Sq +	1144	.Sq +
1129	character, then the specified algorithms will be appended to the default set	1145	character, then the specified algorithms will be appended to the default set
1130	instead of replacing them.	1146	instead of replacing them.
1131	If the specified value begins with a	1147	If the specified list begins with a
1132	.Sq -	1148	.Sq -
1133	character, then the specified algorithms (including wildcards) will be removed	1149	character, then the specified algorithms (including wildcards) will be removed
1134	from the default set instead of replacing them.	1150	from the default set instead of replacing them.
		1151	If the specified list begins with a
		1152	.Sq ^
		1153	character, then the specified algorithms will be placed at the head of the
		1154	default set.
1135	.Pp	1155	.Pp
1136	The algorithms that contain	1156	The algorithms that contain
1137	.Qq -etm	1157	.Qq -etm
@@ -1222,8 +1242,8 @@ server running on some machine, or execute
1222	.Ic sshd -i	1242	.Ic sshd -i
1223	somewhere.	1243	somewhere.
1224	Host key management will be done using the	1244	Host key management will be done using the
1225	HostName of the host being connected (defaulting to the name typed by	1245	.Cm Hostname
1226	the user).	1246	of the host being connected (defaulting to the name typed by the user).
1227	Setting the command to	1247	Setting the command to
1228	.Cm none	1248	.Cm none
1229	disables this option entirely.	1249	disables this option entirely.
@@ -1281,14 +1301,18 @@ The default is
1281	.It Cm PubkeyAcceptedKeyTypes	1301	.It Cm PubkeyAcceptedKeyTypes
1282	Specifies the key types that will be used for public key authentication	1302	Specifies the key types that will be used for public key authentication
1283	as a comma-separated list of patterns.	1303	as a comma-separated list of patterns.
1284	Alternately if the specified value begins with a	1304	If the specified list begins with a
1285	.Sq +	1305	.Sq +
1286	character, then the key types after it will be appended to the default	1306	character, then the key types after it will be appended to the default
1287	instead of replacing it.	1307	instead of replacing it.
1288	If the specified value begins with a	1308	If the specified list begins with a
1289	.Sq -	1309	.Sq -
1290	character, then the specified key types (including wildcards) will be removed	1310	character, then the specified key types (including wildcards) will be removed
1291	from the default set instead of replacing them.	1311	from the default set instead of replacing them.
		1312	If the specified list begins with a
		1313	.Sq ^
		1314	character, then the specified key types will be placed at the head of the
		1315	default set.
1292	The default for this option is:	1316	The default for this option is:
1293	.Bd -literal -offset 3n	1317	.Bd -literal -offset 3n
1294	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1318	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1326,9 +1350,7 @@ and
1326	.Sq 4G ,	1350	.Sq 4G ,
1327	depending on the cipher.	1351	depending on the cipher.
1328	The optional second value is specified in seconds and may use any of the	1352	The optional second value is specified in seconds and may use any of the
1329	units documented in the	1353	units documented in the TIME FORMATS section of
1330	.Sx TIME FORMATS
1331	section of
1332	.Xr sshd_config 5 .	1354	.Xr sshd_config 5 .
1333	The default value for	1355	The default value for
1334	.Cm RekeyLimit	1356	.Cm RekeyLimit
@@ -1462,7 +1484,7 @@ The TCP keepalive option enabled by
1462	.Cm TCPKeepAlive	1484	.Cm TCPKeepAlive
1463	is spoofable.	1485	is spoofable.
1464	The server alive mechanism is valuable when the client or	1486	The server alive mechanism is valuable when the client or
1465	server depend on knowing when a connection has become inactive.	1487	server depend on knowing when a connection has become unresponsive.
1466	.Pp	1488	.Pp
1467	The default value is 3.	1489	The default value is 3.
1468	If, for example,	1490	If, for example,
@@ -1787,7 +1809,7 @@ accepts the tokens %%, %d, %h, %i, %l, %r, and %u.
1787	.Cm ControlPath	1809	.Cm ControlPath
1788	accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.	1810	accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
1789	.Pp	1811	.Pp
1790	.Cm HostName	1812	.Cm Hostname
1791	accepts the tokens %% and %h.	1813	accepts the tokens %% and %h.
1792	.Pp	1814	.Pp
1793	.Cm IdentityAgent	1815	.Cm IdentityAgent
@@ -1799,7 +1821,7 @@ accept the tokens %%, %d, %h, %i, %l, %r, and %u.
1799	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.	1821	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.
1800	.Pp	1822	.Pp
1801	.Cm ProxyCommand	1823	.Cm ProxyCommand
1802	accepts the tokens %%, %h, %p, and %r.	1824	accepts the tokens %%, %h, %n, %p, and %r.
1803	.Pp	1825	.Pp
1804	.Cm RemoteCommand	1826	.Cm RemoteCommand
1805	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.	1827	accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.