1 files changed, 48 insertions, 89 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 532745b2f..eab8dd01c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,16 +33,13 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.242 2017/02/27 14:30:33 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $
-.Dd $Mdocdate: February 27 2017 $
+.Dd $Mdocdate: September 21 2017 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
 .Nm ssh_config
 .Nd OpenSSH SSH client configuration files
-.Sh SYNOPSIS
-.Nm ~/.ssh/config
-.Nm /etc/ssh/ssh_config
 .Sh DESCRIPTION
 .Xr ssh 1
 obtains configuration data from the following sources in
@@ -391,25 +388,8 @@ in the process, regardless of the setting of
 If the option is set to
 .Cm no ,
 the check will not be executed.
-.It Cm Cipher
-Specifies the cipher to use for encrypting the session
-in protocol version 1.
-Currently,
-.Cm blowfish ,
-.Cm 3des
-(the default),
-and
-.Cm des
-are supported,
-though
-.Cm des
-is only supported in the
-.Xr ssh 1
-client for interoperability with legacy protocol 1 implementations;
-its use is strongly discouraged due to cryptographic weaknesses.
 .It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2
+Specifies the ciphers allowed and their order of preference.
-in order of preference.
 Multiple ciphers must be comma-separated.
 If the specified value begins with a
 .Sq +
@@ -431,11 +411,6 @@ aes192-ctr
 aes256-ctr
 aes128-gcm@openssh.com
 aes256-gcm@openssh.com
-arcfour
-arcfour128
-arcfour256
-blowfish-cbc
-cast128-cbc
 chacha20-poly1305@openssh.com
 .Ed
 .Pp
@@ -472,13 +447,6 @@ The argument must be
 or
 .Cm no
 (the default).
-.It Cm CompressionLevel
-Specifies the compression level to use if compression is enabled.
-The argument must be an integer from 1 (fast) to 9 (slow, best).
-The default level is 6, which is good for most applications.
-The meaning of the values is the same as in
-.Xr gzip 1 .
-Note that this option applies to protocol version 1 only.
 .It Cm ConnectionAttempts
 Specifies the number of tries (one per second) to make before exiting.
 The argument must be an integer.
@@ -838,7 +806,7 @@ The list of available key types may also be obtained using
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
-in the host key database files.
+in the host key database files and when validating host certificates.
 This option is useful for tunneling SSH connections
 or for multiple servers running on a single host.
 .It Cm HostName
@@ -902,14 +870,11 @@ section.
 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
 identity is read.
 The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ed25519
 and
-.Pa ~/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa .
-for protocol version 2.
 Additionally, any identities represented by the authentication agent
 will be used for authentication unless
 .Cm IdentitiesOnly
@@ -1004,7 +969,9 @@ Accepted values are
 .Cm lowdelay ,
 .Cm throughput ,
 .Cm reliability ,
-or a numeric value.
+a numeric value, or
+.Cm none
+to use the operating system default.
 This option may take one or two arguments, separated by whitespace.
 If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
@@ -1192,21 +1159,6 @@ The default is:
 gssapi-with-mic,hostbased,publickey,
 keyboard-interactive,password
 .Ed
-.It Cm Protocol
-Specifies the protocol versions
-.Xr ssh 1
-should support in order of preference.
-The possible values are 1 and 2.
-Multiple versions must be comma-separated.
-When this option is set to
-.Cm 2,1
-.Nm ssh
-will try version 2 and fall back to version 1
-if version 2 is not available.
-The default is version 2.
-Protocol 1 suffers from a number of cryptographic weaknesses and should
-not be used.
-It is only offered to support legacy devices.
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
@@ -1334,15 +1286,31 @@ is
 .Cm default none ,
 which means that rekeying is performed after the cipher's default amount
 of data has been sent or received and no time based rekeying is done.
+.It Cm RemoteCommand
+Specifies a command to execute on the remote machine after successfully
+connecting to the server.
+The command string extends to the end of the line, and is executed with
+the user's shell.
+Arguments to
+.Cm RemoteCommand
+accept the tokens described in the
+.Sx TOKENS
+section.
 .It Cm RemoteForward
 Specifies that a TCP port on the remote machine be forwarded over
-the secure channel to the specified host and port from the local machine.
+the secure channel.
+The remote port may either be fowarded to a specified host and port
+from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
+client to connect to arbitrary destinations from the local machine.
 The first argument must be
 .Sm off
 .Oo Ar bind_address : Oc Ar port
 .Sm on
-and the second argument must be
+If forwarding to a specific destination then the second argument must be
-.Ar host : Ns Ar hostport .
+.Ar host : Ns Ar hostport ,
+otherwise if no destination argument is specified then the remote forwarding
+will be established as a SOCKS proxy.
+.Pp
 IPv6 addresses can be specified by enclosing addresses in square brackets.
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
@@ -1397,28 +1365,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
-.It Cm RhostsRSAAuthentication
-Specifies whether to try rhosts based authentication with RSA host
-authentication.
-The argument must be
-.Cm yes
-or
-.Cm no
-(the default).
-This option applies to protocol version 1 only and requires
-.Xr ssh 1
-to be setuid root.
-.It Cm RSAAuthentication
-Specifies whether to try RSA authentication.
-The argument to this keyword must be
-.Cm yes
-(the default)
-or
-.Cm no .
-RSA authentication will only be
-attempted if the identity file exists, or an authentication agent is
-running.
-Note that this option applies to protocol version 1 only.
 .It Cm SendEnv
 Specifies what variables from the local
 .Xr environ 7
@@ -1518,10 +1464,19 @@ file is poorly maintained or when connections to new hosts are
 frequently made.
 This option forces the user to manually
 add all new hosts.
+.Pp
 If this flag is set to
-.Cm no ,
+.Dq accept-new
-ssh will automatically add new host keys to the
+then ssh will automatically add new host keys to the user
-user known hosts files.
+known hosts files, but will not permit connections to hosts with
+changed host keys.
+If this flag is set to
+.Dq no
+or
+.Dq off ,
+ssh will automatically add new host keys to the user known hosts files
+and allow connections to hosts with changed hostkeys to proceed,
+subject to some restrictions.
 If this flag is set to
 .Cm ask
 (the default),
@@ -1531,6 +1486,12 @@ has confirmed that is what they really want to do, and
 ssh will refuse to connect to hosts whose host key has changed.
 The host keys of
 known hosts will be verified automatically in all cases.
+.It Cm SyslogFacility
+Gives the facility code that is used when logging messages from
+.Xr ssh 1 .
+The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is USER.
 .It Cm TCPKeepAlive
 Specifies whether the system should send TCP keepalive messages to the
 other side.
@@ -1627,11 +1588,6 @@ If set to
 .Cm yes ,
 .Xr ssh 1
 must be setuid root.
-Note that this option must be set to
-.Cm yes
-for
-.Cm RhostsRSAAuthentication
-with older servers.
 .It Cm User
 Specifies the user to log in as.
 This can be useful when a different user name is used on different machines.
@@ -1770,6 +1726,9 @@ accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
 .Pp
 .Cm ProxyCommand
 accepts the tokens %%, %h, %p, and %r.
+.Pp
+.Cm RemoteCommand
+accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/config

diff --git a/ssh_config.5 b/ssh_config.5 index 532745b2f..eab8dd01c 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,16 +33,13 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.242 2017/02/27 14:30:33 jmc Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $
37	.Dd $Mdocdate: February 27 2017 $	37	.Dd $Mdocdate: September 21 2017 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
41	.Nm ssh_config	41	.Nm ssh_config
42	.Nd OpenSSH SSH client configuration files	42	.Nd OpenSSH SSH client configuration files
43	.Sh SYNOPSIS
44	.Nm ~/.ssh/config
45	.Nm /etc/ssh/ssh_config
46	.Sh DESCRIPTION	43	.Sh DESCRIPTION
47	.Xr ssh 1	44	.Xr ssh 1
48	obtains configuration data from the following sources in	45	obtains configuration data from the following sources in
@@ -391,25 +388,8 @@ in the process, regardless of the setting of
391	If the option is set to	388	If the option is set to
392	.Cm no ,	389	.Cm no ,
393	the check will not be executed.	390	the check will not be executed.
394	.It Cm Cipher
395	Specifies the cipher to use for encrypting the session
396	in protocol version 1.
397	Currently,
398	.Cm blowfish ,
399	.Cm 3des
400	(the default),
401	and
402	.Cm des
403	are supported,
404	though
405	.Cm des
406	is only supported in the
407	.Xr ssh 1
408	client for interoperability with legacy protocol 1 implementations;
409	its use is strongly discouraged due to cryptographic weaknesses.
410	.It Cm Ciphers	391	.It Cm Ciphers
411	Specifies the ciphers allowed for protocol version 2	392	Specifies the ciphers allowed and their order of preference.
412	in order of preference.
413	Multiple ciphers must be comma-separated.	393	Multiple ciphers must be comma-separated.
414	If the specified value begins with a	394	If the specified value begins with a
415	.Sq +	395	.Sq +
@@ -431,11 +411,6 @@ aes192-ctr
431	aes256-ctr	411	aes256-ctr
432	aes128-gcm@openssh.com	412	aes128-gcm@openssh.com
433	aes256-gcm@openssh.com	413	aes256-gcm@openssh.com
434	arcfour
435	arcfour128
436	arcfour256
437	blowfish-cbc
438	cast128-cbc
439	chacha20-poly1305@openssh.com	414	chacha20-poly1305@openssh.com
440	.Ed	415	.Ed
441	.Pp	416	.Pp
@@ -472,13 +447,6 @@ The argument must be
472	or	447	or
473	.Cm no	448	.Cm no
474	(the default).	449	(the default).
475	.It Cm CompressionLevel
476	Specifies the compression level to use if compression is enabled.
477	The argument must be an integer from 1 (fast) to 9 (slow, best).
478	The default level is 6, which is good for most applications.
479	The meaning of the values is the same as in
480	.Xr gzip 1 .
481	Note that this option applies to protocol version 1 only.
482	.It Cm ConnectionAttempts	450	.It Cm ConnectionAttempts
483	Specifies the number of tries (one per second) to make before exiting.	451	Specifies the number of tries (one per second) to make before exiting.
484	The argument must be an integer.	452	The argument must be an integer.
@@ -838,7 +806,7 @@ The list of available key types may also be obtained using
838	.It Cm HostKeyAlias	806	.It Cm HostKeyAlias
839	Specifies an alias that should be used instead of the	807	Specifies an alias that should be used instead of the
840	real host name when looking up or saving the host key	808	real host name when looking up or saving the host key
841	in the host key database files.	809	in the host key database files and when validating host certificates.
842	This option is useful for tunneling SSH connections	810	This option is useful for tunneling SSH connections
843	or for multiple servers running on a single host.	811	or for multiple servers running on a single host.
844	.It Cm HostName	812	.It Cm HostName
@@ -902,14 +870,11 @@ section.
902	Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication	870	Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
903	identity is read.	871	identity is read.
904	The default is	872	The default is
905	.Pa ~/.ssh/identity
906	for protocol version 1, and
907	.Pa ~/.ssh/id_dsa ,	873	.Pa ~/.ssh/id_dsa ,
908	.Pa ~/.ssh/id_ecdsa ,	874	.Pa ~/.ssh/id_ecdsa ,
909	.Pa ~/.ssh/id_ed25519	875	.Pa ~/.ssh/id_ed25519
910	and	876	and
911	.Pa ~/.ssh/id_rsa	877	.Pa ~/.ssh/id_rsa .
912	for protocol version 2.
913	Additionally, any identities represented by the authentication agent	878	Additionally, any identities represented by the authentication agent
914	will be used for authentication unless	879	will be used for authentication unless
915	.Cm IdentitiesOnly	880	.Cm IdentitiesOnly
@@ -1004,7 +969,9 @@ Accepted values are
1004	.Cm lowdelay ,	969	.Cm lowdelay ,
1005	.Cm throughput ,	970	.Cm throughput ,
1006	.Cm reliability ,	971	.Cm reliability ,
1007	or a numeric value.	972	a numeric value, or
		973	.Cm none
		974	to use the operating system default.
1008	This option may take one or two arguments, separated by whitespace.	975	This option may take one or two arguments, separated by whitespace.
1009	If one argument is specified, it is used as the packet class unconditionally.	976	If one argument is specified, it is used as the packet class unconditionally.
1010	If two values are specified, the first is automatically selected for	977	If two values are specified, the first is automatically selected for
@@ -1192,21 +1159,6 @@ The default is:
1192	gssapi-with-mic,hostbased,publickey,	1159	gssapi-with-mic,hostbased,publickey,
1193	keyboard-interactive,password	1160	keyboard-interactive,password
1194	.Ed	1161	.Ed
1195	.It Cm Protocol
1196	Specifies the protocol versions
1197	.Xr ssh 1
1198	should support in order of preference.
1199	The possible values are 1 and 2.
1200	Multiple versions must be comma-separated.
1201	When this option is set to
1202	.Cm 2,1
1203	.Nm ssh
1204	will try version 2 and fall back to version 1
1205	if version 2 is not available.
1206	The default is version 2.
1207	Protocol 1 suffers from a number of cryptographic weaknesses and should
1208	not be used.
1209	It is only offered to support legacy devices.
1210	.It Cm ProxyCommand	1162	.It Cm ProxyCommand
1211	Specifies the command to use to connect to the server.	1163	Specifies the command to use to connect to the server.
1212	The command	1164	The command
@@ -1334,15 +1286,31 @@ is
1334	.Cm default none ,	1286	.Cm default none ,
1335	which means that rekeying is performed after the cipher's default amount	1287	which means that rekeying is performed after the cipher's default amount
1336	of data has been sent or received and no time based rekeying is done.	1288	of data has been sent or received and no time based rekeying is done.
		1289	.It Cm RemoteCommand
		1290	Specifies a command to execute on the remote machine after successfully
		1291	connecting to the server.
		1292	The command string extends to the end of the line, and is executed with
		1293	the user's shell.
		1294	Arguments to
		1295	.Cm RemoteCommand
		1296	accept the tokens described in the
		1297	.Sx TOKENS
		1298	section.
1337	.It Cm RemoteForward	1299	.It Cm RemoteForward
1338	Specifies that a TCP port on the remote machine be forwarded over	1300	Specifies that a TCP port on the remote machine be forwarded over
1339	the secure channel to the specified host and port from the local machine.	1301	the secure channel.
		1302	The remote port may either be fowarded to a specified host and port
		1303	from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
		1304	client to connect to arbitrary destinations from the local machine.
1340	The first argument must be	1305	The first argument must be
1341	.Sm off	1306	.Sm off
1342	.Oo Ar bind_address : Oc Ar port	1307	.Oo Ar bind_address : Oc Ar port
1343	.Sm on	1308	.Sm on
1344	and the second argument must be	1309	If forwarding to a specific destination then the second argument must be
1345	.Ar host : Ns Ar hostport .	1310	.Ar host : Ns Ar hostport ,
		1311	otherwise if no destination argument is specified then the remote forwarding
		1312	will be established as a SOCKS proxy.
		1313	.Pp
1346	IPv6 addresses can be specified by enclosing addresses in square brackets.	1314	IPv6 addresses can be specified by enclosing addresses in square brackets.
1347	Multiple forwardings may be specified, and additional	1315	Multiple forwardings may be specified, and additional
1348	forwardings can be given on the command line.	1316	forwardings can be given on the command line.
@@ -1397,28 +1365,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
1397	.Xr ssh-keygen 1 .	1365	.Xr ssh-keygen 1 .
1398	For more information on KRLs, see the KEY REVOCATION LISTS section in	1366	For more information on KRLs, see the KEY REVOCATION LISTS section in
1399	.Xr ssh-keygen 1 .	1367	.Xr ssh-keygen 1 .
1400	.It Cm RhostsRSAAuthentication
1401	Specifies whether to try rhosts based authentication with RSA host
1402	authentication.
1403	The argument must be
1404	.Cm yes
1405	or
1406	.Cm no
1407	(the default).
1408	This option applies to protocol version 1 only and requires
1409	.Xr ssh 1
1410	to be setuid root.
1411	.It Cm RSAAuthentication
1412	Specifies whether to try RSA authentication.
1413	The argument to this keyword must be
1414	.Cm yes
1415	(the default)
1416	or
1417	.Cm no .
1418	RSA authentication will only be
1419	attempted if the identity file exists, or an authentication agent is
1420	running.
1421	Note that this option applies to protocol version 1 only.
1422	.It Cm SendEnv	1368	.It Cm SendEnv
1423	Specifies what variables from the local	1369	Specifies what variables from the local
1424	.Xr environ 7	1370	.Xr environ 7
@@ -1518,10 +1464,19 @@ file is poorly maintained or when connections to new hosts are
1518	frequently made.	1464	frequently made.
1519	This option forces the user to manually	1465	This option forces the user to manually
1520	add all new hosts.	1466	add all new hosts.
		1467	.Pp
1521	If this flag is set to	1468	If this flag is set to
1522	.Cm no ,	1469	.Dq accept-new
1523	ssh will automatically add new host keys to the	1470	then ssh will automatically add new host keys to the user
1524	user known hosts files.	1471	known hosts files, but will not permit connections to hosts with
		1472	changed host keys.
		1473	If this flag is set to
		1474	.Dq no
		1475	or
		1476	.Dq off ,
		1477	ssh will automatically add new host keys to the user known hosts files
		1478	and allow connections to hosts with changed hostkeys to proceed,
		1479	subject to some restrictions.
1525	If this flag is set to	1480	If this flag is set to
1526	.Cm ask	1481	.Cm ask
1527	(the default),	1482	(the default),
@@ -1531,6 +1486,12 @@ has confirmed that is what they really want to do, and
1531	ssh will refuse to connect to hosts whose host key has changed.	1486	ssh will refuse to connect to hosts whose host key has changed.
1532	The host keys of	1487	The host keys of
1533	known hosts will be verified automatically in all cases.	1488	known hosts will be verified automatically in all cases.
		1489	.It Cm SyslogFacility
		1490	Gives the facility code that is used when logging messages from
		1491	.Xr ssh 1 .
		1492	The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
		1493	LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
		1494	The default is USER.
1534	.It Cm TCPKeepAlive	1495	.It Cm TCPKeepAlive
1535	Specifies whether the system should send TCP keepalive messages to the	1496	Specifies whether the system should send TCP keepalive messages to the
1536	other side.	1497	other side.
@@ -1627,11 +1588,6 @@ If set to
1627	.Cm yes ,	1588	.Cm yes ,
1628	.Xr ssh 1	1589	.Xr ssh 1
1629	must be setuid root.	1590	must be setuid root.
1630	Note that this option must be set to
1631	.Cm yes
1632	for
1633	.Cm RhostsRSAAuthentication
1634	with older servers.
1635	.It Cm User	1591	.It Cm User
1636	Specifies the user to log in as.	1592	Specifies the user to log in as.
1637	This can be useful when a different user name is used on different machines.	1593	This can be useful when a different user name is used on different machines.
@@ -1770,6 +1726,9 @@ accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1770	.Pp	1726	.Pp
1771	.Cm ProxyCommand	1727	.Cm ProxyCommand
1772	accepts the tokens %%, %h, %p, and %r.	1728	accepts the tokens %%, %h, %p, and %r.
		1729	.Pp
		1730	.Cm RemoteCommand
		1731	accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1773	.Sh FILES	1732	.Sh FILES
1774	.Bl -tag -width Ds	1733	.Bl -tag -width Ds
1775	.It Pa ~/.ssh/config	1734	.It Pa ~/.ssh/config