1 files changed, 62 insertions, 10 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 268a627b2..5b0975f87 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.211 2015/06/02 09:10:40 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $
-.Dd $Mdocdate: June 2 2015 $
+.Dd $Mdocdate: July 30 2015 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -373,6 +373,11 @@ The default is
 Specifies the ciphers allowed for protocol version 2
 in order of preference.
 Multiple ciphers must be comma-separated.
+If the specified value begins with a
+.Sq +
+character, then the specified ciphers will be appended to the default set
+instead of replacing them.
+.Pp
 The supported ciphers are:
 .Pp
 .Bl -item -compact -offset indent
@@ -781,9 +786,21 @@ is similar to
 .It Cm HostbasedKeyTypes
 Specifies the key types that will be used for hostbased authentication
 as a comma-separated pattern list.
-The default
+Alternately if the specified value begins with a
-.Dq *
+.Sq +
-will allow all key types.
+character, then the specified key types will be appended to the default set
+instead of replacing them.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
 The
 .Fl Q
 option of
@@ -792,16 +809,19 @@ may be used to list supported key types.
 .It Cm HostKeyAlgorithms
 Specifies the protocol version 2 host key algorithms
 that the client wants to use in order of preference.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified key types will be appended to the default set
+instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
-ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa,ssh-dss
+ssh-ed25519,ssh-rsa
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
@@ -974,14 +994,17 @@ and
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified methods will be appended to the default set
+instead of replacing them.
 The default is:
 .Bd -literal -offset indent
 curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group-exchange-sha1,
-diffie-hellman-group14-sha1,
+diffie-hellman-group14-sha1
-diffie-hellman-group1-sha1
 .Ed
 .Pp
 The list of available key exchange algorithms may also be obtained using the
@@ -1063,10 +1086,16 @@ in order of preference.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+If the specified value begins with a
+.Sq +
+character, then the specified algorithms will be appended to the default set
+instead of replacing them.
+.Pp
 The algorithms that contain
 .Dq -etm
 calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
+.Pp
 The default is:
 .Bd -literal -offset indent
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
@@ -1207,6 +1236,29 @@ will pass a connected file descriptor back to
 instead of continuing to execute and pass data.
 The default is
 .Dq no .
+.It Cm PubkeyAcceptedKeyTypes
+Specifies the key types that will be used for public key authentication
+as a comma-separated pattern list.
+Alternately if the specified value begins with a
+.Sq +
+character, then the key types after it will be appended to the default
+instead of replacing it.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
+The
+.Fl Q
+option of
+.Xr ssh 1
+may be used to list supported key types.
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be

diff --git a/ssh_config.5 b/ssh_config.5 index 268a627b2..5b0975f87 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.211 2015/06/02 09:10:40 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $
37	.Dd $Mdocdate: June 2 2015 $	37	.Dd $Mdocdate: July 30 2015 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -373,6 +373,11 @@ The default is
373	Specifies the ciphers allowed for protocol version 2	373	Specifies the ciphers allowed for protocol version 2
374	in order of preference.	374	in order of preference.
375	Multiple ciphers must be comma-separated.	375	Multiple ciphers must be comma-separated.
		376	If the specified value begins with a
		377	.Sq +
		378	character, then the specified ciphers will be appended to the default set
		379	instead of replacing them.
		380	.Pp
376	The supported ciphers are:	381	The supported ciphers are:
377	.Pp	382	.Pp
378	.Bl -item -compact -offset indent	383	.Bl -item -compact -offset indent
@@ -781,9 +786,21 @@ is similar to
781	.It Cm HostbasedKeyTypes	786	.It Cm HostbasedKeyTypes
782	Specifies the key types that will be used for hostbased authentication	787	Specifies the key types that will be used for hostbased authentication
783	as a comma-separated pattern list.	788	as a comma-separated pattern list.
784	The default	789	Alternately if the specified value begins with a
785	.Dq *	790	.Sq +
786	will allow all key types.	791	character, then the specified key types will be appended to the default set
		792	instead of replacing them.
		793	The default for this option is:
		794	.Bd -literal -offset 3n
		795	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		796	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		797	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		798	ssh-ed25519-cert-v01@openssh.com,
		799	ssh-rsa-cert-v01@openssh.com,
		800	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		801	ssh-ed25519,ssh-rsa
		802	.Ed
		803	.Pp
787	The	804	The
788	.Fl Q	805	.Fl Q
789	option of	806	option of
@@ -792,16 +809,19 @@ may be used to list supported key types.
792	.It Cm HostKeyAlgorithms	809	.It Cm HostKeyAlgorithms
793	Specifies the protocol version 2 host key algorithms	810	Specifies the protocol version 2 host key algorithms
794	that the client wants to use in order of preference.	811	that the client wants to use in order of preference.
		812	Alternately if the specified value begins with a
		813	.Sq +
		814	character, then the specified key types will be appended to the default set
		815	instead of replacing them.
795	The default for this option is:	816	The default for this option is:
796	.Bd -literal -offset 3n	817	.Bd -literal -offset 3n
797	ecdsa-sha2-nistp256-cert-v01@openssh.com,	818	ecdsa-sha2-nistp256-cert-v01@openssh.com,
798	ecdsa-sha2-nistp384-cert-v01@openssh.com,	819	ecdsa-sha2-nistp384-cert-v01@openssh.com,
799	ecdsa-sha2-nistp521-cert-v01@openssh.com,	820	ecdsa-sha2-nistp521-cert-v01@openssh.com,
800	ssh-ed25519-cert-v01@openssh.com,	821	ssh-ed25519-cert-v01@openssh.com,
801	ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,	822	ssh-rsa-cert-v01@openssh.com,
802	ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
803	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	823	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
804	ssh-ed25519,ssh-rsa,ssh-dss	824	ssh-ed25519,ssh-rsa
805	.Ed	825	.Ed
806	.Pp	826	.Pp
807	If hostkeys are known for the destination host then this default is modified	827	If hostkeys are known for the destination host then this default is modified
@@ -974,14 +994,17 @@ and
974	.It Cm KexAlgorithms	994	.It Cm KexAlgorithms
975	Specifies the available KEX (Key Exchange) algorithms.	995	Specifies the available KEX (Key Exchange) algorithms.
976	Multiple algorithms must be comma-separated.	996	Multiple algorithms must be comma-separated.
		997	Alternately if the specified value begins with a
		998	.Sq +
		999	character, then the specified methods will be appended to the default set
		1000	instead of replacing them.
977	The default is:	1001	The default is:
978	.Bd -literal -offset indent	1002	.Bd -literal -offset indent
979	curve25519-sha256@libssh.org,	1003	curve25519-sha256@libssh.org,
980	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	1004	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
981	diffie-hellman-group-exchange-sha256,	1005	diffie-hellman-group-exchange-sha256,
982	diffie-hellman-group-exchange-sha1,	1006	diffie-hellman-group-exchange-sha1,
983	diffie-hellman-group14-sha1,	1007	diffie-hellman-group14-sha1
984	diffie-hellman-group1-sha1
985	.Ed	1008	.Ed
986	.Pp	1009	.Pp
987	The list of available key exchange algorithms may also be obtained using the	1010	The list of available key exchange algorithms may also be obtained using the
@@ -1063,10 +1086,16 @@ in order of preference.
1063	The MAC algorithm is used in protocol version 2	1086	The MAC algorithm is used in protocol version 2
1064	for data integrity protection.	1087	for data integrity protection.
1065	Multiple algorithms must be comma-separated.	1088	Multiple algorithms must be comma-separated.
		1089	If the specified value begins with a
		1090	.Sq +
		1091	character, then the specified algorithms will be appended to the default set
		1092	instead of replacing them.
		1093	.Pp
1066	The algorithms that contain	1094	The algorithms that contain
1067	.Dq -etm	1095	.Dq -etm
1068	calculate the MAC after encryption (encrypt-then-mac).	1096	calculate the MAC after encryption (encrypt-then-mac).
1069	These are considered safer and their use recommended.	1097	These are considered safer and their use recommended.
		1098	.Pp
1070	The default is:	1099	The default is:
1071	.Bd -literal -offset indent	1100	.Bd -literal -offset indent
1072	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	1101	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
@@ -1207,6 +1236,29 @@ will pass a connected file descriptor back to
1207	instead of continuing to execute and pass data.	1236	instead of continuing to execute and pass data.
1208	The default is	1237	The default is
1209	.Dq no .	1238	.Dq no .
		1239	.It Cm PubkeyAcceptedKeyTypes
		1240	Specifies the key types that will be used for public key authentication
		1241	as a comma-separated pattern list.
		1242	Alternately if the specified value begins with a
		1243	.Sq +
		1244	character, then the key types after it will be appended to the default
		1245	instead of replacing it.
		1246	The default for this option is:
		1247	.Bd -literal -offset 3n
		1248	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		1249	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		1250	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		1251	ssh-ed25519-cert-v01@openssh.com,
		1252	ssh-rsa-cert-v01@openssh.com,
		1253	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		1254	ssh-ed25519,ssh-rsa
		1255	.Ed
		1256	.Pp
		1257	The
		1258	.Fl Q
		1259	option of
		1260	.Xr ssh 1
		1261	may be used to list supported key types.
1210	.It Cm PubkeyAuthentication	1262	.It Cm PubkeyAuthentication
1211	Specifies whether to try public key authentication.	1263	Specifies whether to try public key authentication.
1212	The argument to this keyword must be	1264	The argument to this keyword must be