1 files changed, 64 insertions, 5 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index de1c71765..0ce851aa8 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -72,6 +72,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -128,8 +144,12 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
+In addition, the 
+.Cm ServerAliveInterval 
+option will be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -448,7 +468,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
@@ -527,6 +548,9 @@ Note that existing names and addresses in known hosts files
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
+Use of this option may break facilities such as tab-completion that rely
+on being able to read unhashed host names from
+.Pa ~/.ssh/known_hosts .
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.
@@ -694,7 +718,7 @@ indicates that the port should be available from all interfaces.
 Gives the verbosity level that is used when logging messages from
 .Xr ssh 1 .
 The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -956,7 +980,10 @@ If, for example,
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
-This option applies to protocol version 2 only.
+This option applies to protocol version 2 only; in protocol version
+1 there is no mechanism to request a response from the server to the
+server alive messages, so disconnection is the responsibility of the TCP
+stack.
 .It Cm ServerAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the server,
@@ -964,8 +991,15 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set.
 This option applies to protocol version 2 only.
+.Cm ProtocolKeepAlives
+and
+.Cm SetupTimeOut
+are Debian-specific compatibility aliases for this option.
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
@@ -1004,6 +1038,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.
@@ -1055,6 +1095,23 @@ is not specified, it defaults to
 .Dq any .
 The default is
 .Dq any:any .
+.It Cm UseBlacklistedKeys
+Specifies whether
+.Xr ssh 1
+should use keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 )
+for authentication.
+If
+.Dq yes ,
+then attempts to use compromised keys for authentication will be logged but
+accepted.
+It is strongly recommended that this be used only to install new authorized
+keys on the remote system, and even then only with the utmost care.
+If
+.Dq no ,
+then attempts to use compromised keys for authentication will be prevented.
+The default is
+.Dq no .
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be
@@ -1171,6 +1228,8 @@ The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
+It may be group-writable provided that the group in question contains only
+the user.
 .It Pa /etc/ssh/ssh_config
 Systemwide configuration file.
 This file provides defaults for those

diff --git a/ssh_config.5 b/ssh_config.5 index de1c71765..0ce851aa8 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -72,6 +72,22 @@ Since the first obtained value for each parameter is used, more
72	host-specific declarations should be given near the beginning of the	72	host-specific declarations should be given near the beginning of the
73	file, and general defaults at the end.	73	file, and general defaults at the end.
74	.Pp	74	.Pp
		75	Note that the Debian
		76	.Ic openssh-client
		77	package sets several options as standard in
		78	.Pa /etc/ssh/ssh_config
		79	which are not the default in
		80	.Xr ssh 1 :
		81	.Pp
		82	.Bl -bullet -offset indent -compact
		83	.It
		84	.Cm SendEnv No LANG LC_*
		85	.It
		86	.Cm HashKnownHosts No yes
		87	.It
		88	.Cm GSSAPIAuthentication No yes
		89	.El
		90	.Pp
75	The configuration file has the following format:	91	The configuration file has the following format:
76	.Pp	92	.Pp
77	Empty lines and lines starting with	93	Empty lines and lines starting with
@@ -128,8 +144,12 @@ Valid arguments are
128	If set to	144	If set to
129	.Dq yes ,	145	.Dq yes ,
130	passphrase/password querying will be disabled.	146	passphrase/password querying will be disabled.
		147	In addition, the
		148	.Cm ServerAliveInterval
		149	option will be set to 300 seconds by default.
131	This option is useful in scripts and other batch jobs where no user	150	This option is useful in scripts and other batch jobs where no user
132	is present to supply the password.	151	is present to supply the password,
		152	and where it is desirable to detect a broken network swiftly.
133	The argument must be	153	The argument must be
134	.Dq yes	154	.Dq yes
135	or	155	or
@@ -448,7 +468,8 @@ token used for the session will be set to expire after 20 minutes.
448	Remote clients will be refused access after this time.	468	Remote clients will be refused access after this time.
449	.Pp	469	.Pp
450	The default is	470	The default is
451	.Dq no .	471	.Dq yes
		472	(Debian-specific).
452	.Pp	473	.Pp
453	See the X11 SECURITY extension specification for full details on	474	See the X11 SECURITY extension specification for full details on
454	the restrictions imposed on untrusted clients.	475	the restrictions imposed on untrusted clients.
@@ -527,6 +548,9 @@ Note that existing names and addresses in known hosts files
527	will not be converted automatically,	548	will not be converted automatically,
528	but may be manually hashed using	549	but may be manually hashed using
529	.Xr ssh-keygen 1 .	550	.Xr ssh-keygen 1 .
		551	Use of this option may break facilities such as tab-completion that rely
		552	on being able to read unhashed host names from
		553	.Pa ~/.ssh/known_hosts .
530	.It Cm HostbasedAuthentication	554	.It Cm HostbasedAuthentication
531	Specifies whether to try rhosts based authentication with public key	555	Specifies whether to try rhosts based authentication with public key
532	authentication.	556	authentication.
@@ -694,7 +718,7 @@ indicates that the port should be available from all interfaces.
694	Gives the verbosity level that is used when logging messages from	718	Gives the verbosity level that is used when logging messages from
695	.Xr ssh 1 .	719	.Xr ssh 1 .
696	The possible values are:	720	The possible values are:
697	QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.	721	SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
698	The default is INFO.	722	The default is INFO.
699	DEBUG and DEBUG1 are equivalent.	723	DEBUG and DEBUG1 are equivalent.
700	DEBUG2 and DEBUG3 each specify higher levels of verbose output.	724	DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -956,7 +980,10 @@ If, for example,
956	.Cm ServerAliveCountMax	980	.Cm ServerAliveCountMax
957	is left at the default, if the server becomes unresponsive,	981	is left at the default, if the server becomes unresponsive,
958	ssh will disconnect after approximately 45 seconds.	982	ssh will disconnect after approximately 45 seconds.
959	This option applies to protocol version 2 only.	983	This option applies to protocol version 2 only; in protocol version
		984	1 there is no mechanism to request a response from the server to the
		985	server alive messages, so disconnection is the responsibility of the TCP
		986	stack.
960	.It Cm ServerAliveInterval	987	.It Cm ServerAliveInterval
961	Sets a timeout interval in seconds after which if no data has been received	988	Sets a timeout interval in seconds after which if no data has been received
962	from the server,	989	from the server,
@@ -964,8 +991,15 @@ from the server,
964	will send a message through the encrypted	991	will send a message through the encrypted
965	channel to request a response from the server.	992	channel to request a response from the server.
966	The default	993	The default
967	is 0, indicating that these messages will not be sent to the server.	994	is 0, indicating that these messages will not be sent to the server,
		995	or 300 if the
		996	.Cm BatchMode
		997	option is set.
968	This option applies to protocol version 2 only.	998	This option applies to protocol version 2 only.
		999	.Cm ProtocolKeepAlives
		1000	and
		1001	.Cm SetupTimeOut
		1002	are Debian-specific compatibility aliases for this option.
969	.It Cm StrictHostKeyChecking	1003	.It Cm StrictHostKeyChecking
970	If this flag is set to	1004	If this flag is set to
971	.Dq yes ,	1005	.Dq yes ,
@@ -1004,6 +1038,12 @@ Specifies whether the system should send TCP keepalive messages to the
1004	other side.	1038	other side.
1005	If they are sent, death of the connection or crash of one	1039	If they are sent, death of the connection or crash of one
1006	of the machines will be properly noticed.	1040	of the machines will be properly noticed.
		1041	This option only uses TCP keepalives (as opposed to using ssh level
		1042	keepalives), so takes a long time to notice when the connection dies.
		1043	As such, you probably want
		1044	the
		1045	.Cm ServerAliveInterval
		1046	option as well.
1007	However, this means that	1047	However, this means that
1008	connections will die if the route is down temporarily, and some people	1048	connections will die if the route is down temporarily, and some people
1009	find it annoying.	1049	find it annoying.
@@ -1055,6 +1095,23 @@ is not specified, it defaults to
1055	.Dq any .	1095	.Dq any .
1056	The default is	1096	The default is
1057	.Dq any:any .	1097	.Dq any:any .
		1098	.It Cm UseBlacklistedKeys
		1099	Specifies whether
		1100	.Xr ssh 1
		1101	should use keys recorded in its blacklist of known-compromised keys (see
		1102	.Xr ssh-vulnkey 1 )
		1103	for authentication.
		1104	If
		1105	.Dq yes ,
		1106	then attempts to use compromised keys for authentication will be logged but
		1107	accepted.
		1108	It is strongly recommended that this be used only to install new authorized
		1109	keys on the remote system, and even then only with the utmost care.
		1110	If
		1111	.Dq no ,
		1112	then attempts to use compromised keys for authentication will be prevented.
		1113	The default is
		1114	.Dq no .
1058	.It Cm UsePrivilegedPort	1115	.It Cm UsePrivilegedPort
1059	Specifies whether to use a privileged port for outgoing connections.	1116	Specifies whether to use a privileged port for outgoing connections.
1060	The argument must be	1117	The argument must be
@@ -1171,6 +1228,8 @@ The format of this file is described above.
1171	This file is used by the SSH client.	1228	This file is used by the SSH client.
1172	Because of the potential for abuse, this file must have strict permissions:	1229	Because of the potential for abuse, this file must have strict permissions:
1173	read/write for the user, and not accessible by others.	1230	read/write for the user, and not accessible by others.
		1231	It may be group-writable provided that the group in question contains only
		1232	the user.
1174	.It Pa /etc/ssh/ssh_config	1233	.It Pa /etc/ssh/ssh_config
1175	Systemwide configuration file.	1234	Systemwide configuration file.
1176	This file provides defaults for those	1235	This file provides defaults for those