1 files changed, 64 insertions, 5 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 024491b90..76e451079 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -72,6 +72,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -128,8 +144,12 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
+In addition, the 
+.Cm ServerAliveInterval 
+option will be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -448,7 +468,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
@@ -527,6 +548,9 @@ Note that existing names and addresses in known hosts files
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
+Use of this option may break facilities such as tab-completion that rely
+on being able to read unhashed host names from
+.Pa ~/.ssh/known_hosts .
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.
@@ -681,7 +705,7 @@ indicates that the port should be available from all interfaces.
 Gives the verbosity level that is used when logging messages from
 .Xr ssh 1 .
 The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -935,7 +959,10 @@ If, for example,
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
-This option applies to protocol version 2 only.
+This option applies to protocol version 2 only; in protocol version
+1 there is no mechanism to request a response from the server to the
+server alive messages, so disconnection is the responsibility of the TCP
+stack.
 .It Cm ServerAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the server,
@@ -943,8 +970,15 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set.
 This option applies to protocol version 2 only.
+.Cm ProtocolKeepAlives
+and
+.Cm SetupTimeOut
+are Debian-specific compatibility aliases for this option.
 .It Cm SmartcardDevice
 Specifies which smartcard device to use.
 The argument to this keyword is the device
@@ -990,6 +1024,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.
@@ -1041,6 +1081,23 @@ is not specified, it defaults to
 .Dq any .
 The default is
 .Dq any:any .
+.It Cm UseBlacklistedKeys
+Specifies whether
+.Xr ssh 1
+should use keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 )
+for authentication.
+If
+.Dq yes ,
+then attempts to use compromised keys for authentication will be logged but
+accepted.
+It is strongly recommended that this be used only to install new authorized
+keys on the remote system, and even then only with the utmost care.
+If
+.Dq no ,
+then attempts to use compromised keys for authentication will be prevented.
+The default is
+.Dq no .
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be
@@ -1157,6 +1214,8 @@ The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
+It may be group-writable provided that the group in question contains only
+the user.
 .It Pa /etc/ssh/ssh_config
 Systemwide configuration file.
 This file provides defaults for those

diff --git a/ssh_config.5 b/ssh_config.5 index 024491b90..76e451079 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -72,6 +72,22 @@ Since the first obtained value for each parameter is used, more
72	host-specific declarations should be given near the beginning of the	72	host-specific declarations should be given near the beginning of the
73	file, and general defaults at the end.	73	file, and general defaults at the end.
74	.Pp	74	.Pp
		75	Note that the Debian
		76	.Ic openssh-client
		77	package sets several options as standard in
		78	.Pa /etc/ssh/ssh_config
		79	which are not the default in
		80	.Xr ssh 1 :
		81	.Pp
		82	.Bl -bullet -offset indent -compact
		83	.It
		84	.Cm SendEnv No LANG LC_*
		85	.It
		86	.Cm HashKnownHosts No yes
		87	.It
		88	.Cm GSSAPIAuthentication No yes
		89	.El
		90	.Pp
75	The configuration file has the following format:	91	The configuration file has the following format:
76	.Pp	92	.Pp
77	Empty lines and lines starting with	93	Empty lines and lines starting with
@@ -128,8 +144,12 @@ Valid arguments are
128	If set to	144	If set to
129	.Dq yes ,	145	.Dq yes ,
130	passphrase/password querying will be disabled.	146	passphrase/password querying will be disabled.
		147	In addition, the
		148	.Cm ServerAliveInterval
		149	option will be set to 300 seconds by default.
131	This option is useful in scripts and other batch jobs where no user	150	This option is useful in scripts and other batch jobs where no user
132	is present to supply the password.	151	is present to supply the password,
		152	and where it is desirable to detect a broken network swiftly.
133	The argument must be	153	The argument must be
134	.Dq yes	154	.Dq yes
135	or	155	or
@@ -448,7 +468,8 @@ token used for the session will be set to expire after 20 minutes.
448	Remote clients will be refused access after this time.	468	Remote clients will be refused access after this time.
449	.Pp	469	.Pp
450	The default is	470	The default is
451	.Dq no .	471	.Dq yes
		472	(Debian-specific).
452	.Pp	473	.Pp
453	See the X11 SECURITY extension specification for full details on	474	See the X11 SECURITY extension specification for full details on
454	the restrictions imposed on untrusted clients.	475	the restrictions imposed on untrusted clients.
@@ -527,6 +548,9 @@ Note that existing names and addresses in known hosts files
527	will not be converted automatically,	548	will not be converted automatically,
528	but may be manually hashed using	549	but may be manually hashed using
529	.Xr ssh-keygen 1 .	550	.Xr ssh-keygen 1 .
		551	Use of this option may break facilities such as tab-completion that rely
		552	on being able to read unhashed host names from
		553	.Pa ~/.ssh/known_hosts .
530	.It Cm HostbasedAuthentication	554	.It Cm HostbasedAuthentication
531	Specifies whether to try rhosts based authentication with public key	555	Specifies whether to try rhosts based authentication with public key
532	authentication.	556	authentication.
@@ -681,7 +705,7 @@ indicates that the port should be available from all interfaces.
681	Gives the verbosity level that is used when logging messages from	705	Gives the verbosity level that is used when logging messages from
682	.Xr ssh 1 .	706	.Xr ssh 1 .
683	The possible values are:	707	The possible values are:
684	QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.	708	SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
685	The default is INFO.	709	The default is INFO.
686	DEBUG and DEBUG1 are equivalent.	710	DEBUG and DEBUG1 are equivalent.
687	DEBUG2 and DEBUG3 each specify higher levels of verbose output.	711	DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -935,7 +959,10 @@ If, for example,
935	.Cm ServerAliveCountMax	959	.Cm ServerAliveCountMax
936	is left at the default, if the server becomes unresponsive,	960	is left at the default, if the server becomes unresponsive,
937	ssh will disconnect after approximately 45 seconds.	961	ssh will disconnect after approximately 45 seconds.
938	This option applies to protocol version 2 only.	962	This option applies to protocol version 2 only; in protocol version
		963	1 there is no mechanism to request a response from the server to the
		964	server alive messages, so disconnection is the responsibility of the TCP
		965	stack.
939	.It Cm ServerAliveInterval	966	.It Cm ServerAliveInterval
940	Sets a timeout interval in seconds after which if no data has been received	967	Sets a timeout interval in seconds after which if no data has been received
941	from the server,	968	from the server,
@@ -943,8 +970,15 @@ from the server,
943	will send a message through the encrypted	970	will send a message through the encrypted
944	channel to request a response from the server.	971	channel to request a response from the server.
945	The default	972	The default
946	is 0, indicating that these messages will not be sent to the server.	973	is 0, indicating that these messages will not be sent to the server,
		974	or 300 if the
		975	.Cm BatchMode
		976	option is set.
947	This option applies to protocol version 2 only.	977	This option applies to protocol version 2 only.
		978	.Cm ProtocolKeepAlives
		979	and
		980	.Cm SetupTimeOut
		981	are Debian-specific compatibility aliases for this option.
948	.It Cm SmartcardDevice	982	.It Cm SmartcardDevice
949	Specifies which smartcard device to use.	983	Specifies which smartcard device to use.
950	The argument to this keyword is the device	984	The argument to this keyword is the device
@@ -990,6 +1024,12 @@ Specifies whether the system should send TCP keepalive messages to the
990	other side.	1024	other side.
991	If they are sent, death of the connection or crash of one	1025	If they are sent, death of the connection or crash of one
992	of the machines will be properly noticed.	1026	of the machines will be properly noticed.
		1027	This option only uses TCP keepalives (as opposed to using ssh level
		1028	keepalives), so takes a long time to notice when the connection dies.
		1029	As such, you probably want
		1030	the
		1031	.Cm ServerAliveInterval
		1032	option as well.
993	However, this means that	1033	However, this means that
994	connections will die if the route is down temporarily, and some people	1034	connections will die if the route is down temporarily, and some people
995	find it annoying.	1035	find it annoying.
@@ -1041,6 +1081,23 @@ is not specified, it defaults to
1041	.Dq any .	1081	.Dq any .
1042	The default is	1082	The default is
1043	.Dq any:any .	1083	.Dq any:any .
		1084	.It Cm UseBlacklistedKeys
		1085	Specifies whether
		1086	.Xr ssh 1
		1087	should use keys recorded in its blacklist of known-compromised keys (see
		1088	.Xr ssh-vulnkey 1 )
		1089	for authentication.
		1090	If
		1091	.Dq yes ,
		1092	then attempts to use compromised keys for authentication will be logged but
		1093	accepted.
		1094	It is strongly recommended that this be used only to install new authorized
		1095	keys on the remote system, and even then only with the utmost care.
		1096	If
		1097	.Dq no ,
		1098	then attempts to use compromised keys for authentication will be prevented.
		1099	The default is
		1100	.Dq no .
1044	.It Cm UsePrivilegedPort	1101	.It Cm UsePrivilegedPort
1045	Specifies whether to use a privileged port for outgoing connections.	1102	Specifies whether to use a privileged port for outgoing connections.
1046	The argument must be	1103	The argument must be
@@ -1157,6 +1214,8 @@ The format of this file is described above.
1157	This file is used by the SSH client.	1214	This file is used by the SSH client.
1158	Because of the potential for abuse, this file must have strict permissions:	1215	Because of the potential for abuse, this file must have strict permissions:
1159	read/write for the user, and not accessible by others.	1216	read/write for the user, and not accessible by others.
		1217	It may be group-writable provided that the group in question contains only
		1218	the user.
1160	.It Pa /etc/ssh/ssh_config	1219	.It Pa /etc/ssh/ssh_config
1161	Systemwide configuration file.	1220	Systemwide configuration file.
1162	This file provides defaults for those	1221	This file provides defaults for those