1 files changed, 116 insertions, 37 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 9033185b1..5c41189fa 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -263,8 +263,10 @@ with
 set to
 .Dq no
 (the default).
-These sessions will reuse the master instance's network connection rather
+These sessions will try to reuse the master instance's network connection
-than initiating new ones.
+rather than initiating new ones, but will fall back to connecting normally
+if the control socket does not exist, or is not listening.
+.Pp
 Setting this to
 .Dq ask
 will cause
@@ -283,7 +285,7 @@ will continue without connecting to a master instance.
 X11 and
 .Xr ssh-agent 1
 forwarding is supported over these multiplexed connections, however the
-display and agent fowarded will be the one belonging to the master
+display and agent forwarded will be the one belonging to the master
 connection i.e. it is not possible to forward multiple displays or agents.
 .Pp
 Two additional options allow for opportunistic multiplexing: try to use a
@@ -316,11 +318,33 @@ used for opportunistic connection sharing include
 all three of these escape sequences.
 This ensures that shared connections are uniquely identified.
 .It Cm DynamicForward
-Specifies that a TCP/IP port on the local machine be forwarded
+Specifies that a TCP port on the local machine be forwarded
 over the secure channel, and the application
 protocol is then used to determine where to connect to from the
 remote machine.
-The argument must be a port number.
+.Pp
+The argument must be
+.Sm off
+.Oo Ar bind_address : Oc Ar port .
+.Sm on
+IPv6 addresses can be specified by enclosing addresses in square brackets or
+by using an alternative syntax:
+.Oo Ar bind_address Ns / Oc Ns Ar port .
+By default, the local port is bound in accordance with the
+.Cm GatewayPorts
+setting.
+However, an explicit
+.Ar bind_address
+may be used to bind the connection to a specific address.
+The
+.Ar bind_address
+of
+.Dq localhost
+indicates that the listening port be bound for local use only, while an
+empty address or
+.Sq *
+indicates that the port should be available from all interfaces.
+.Pp
 Currently the SOCKS4 and SOCKS5 protocols are supported, and
 .Nm ssh
 will act as a SOCKS server.
@@ -503,23 +527,6 @@ Default is the name given on the command line.
 Numeric IP addresses are also permitted (both on the command line and in
 .Cm HostName
 specifications).
-.It Cm IdentityFile
-Specifies a file from which the user's RSA or DSA authentication identity
-is read.
-The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
-.Pa ~/.ssh/id_rsa
-and
-.Pa ~/.ssh/id_dsa
-for protocol version 2.
-Additionally, any identities represented by the authentication agent
-will be used for authentication.
-The file name may use the tilde
-syntax to refer to a user's home directory.
-It is possible to have
-multiple identity files specified in configuration files; all these
-identities will be tried in sequence.
 .It Cm IdentitiesOnly
 Specifies that
 .Nm ssh
@@ -533,17 +540,42 @@ The argument to this keyword must be
 .Dq yes
 or
 .Dq no .
-This option is intented for situations where
+This option is intended for situations where
 .Nm ssh-agent
 offers many different identities.
 The default is
 .Dq no .
+.It Cm IdentityFile
+Specifies a file from which the user's RSA or DSA authentication identity
+is read.
+The default is
+.Pa ~/.ssh/identity
+for protocol version 1, and
+.Pa ~/.ssh/id_rsa
+and
+.Pa ~/.ssh/id_dsa
+for protocol version 2.
+Additionally, any identities represented by the authentication agent
+will be used for authentication.
+The file name may use the tilde
+syntax to refer to a user's home directory.
+It is possible to have
+multiple identity files specified in configuration files; all these
+identities will be tried in sequence.
 .It Cm KbdInteractiveDevices
 Specifies the list of methods to use in keyboard-interactive authentication.
 Multiple method names must be comma-separated.
 The default is to use the server specified list.
+.It Cm LocalCommand
+Specifies a command to execute on the local machine after successfully
+connecting to the server.
+The command string extends to the end of the line, and is executed with
+.Pa /bin/sh .
+This directive is ignored unless
+.Cm PermitLocalCommand
+has been enabled.
 .It Cm LocalForward
-Specifies that a TCP/IP port on the local machine be forwarded over
+Specifies that a TCP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
 The first argument must be
 .Sm off
@@ -611,6 +643,19 @@ or
 .Dq no .
 The default is
 .Dq yes .
+.It Cm PermitLocalCommand
+Allow local command execution via the
+.Ic LocalCommand
+option or using the
+.Ic !\& Ns Ar command
+escape sequence in
+.Xr ssh 1 .
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm Port
 Specifies the port number to connect on the remote host.
 Default is 22.
@@ -683,8 +728,23 @@ or
 The default is
 .Dq yes .
 This option applies to protocol version 2 only.
+.It Cm RekeyLimit
+Specifies the maximum amount of data that may be transmitted before the
+session key is renegotiated.
+The argument is the number of bytes, with an optional suffix of
+.Sq K ,
+.Sq M ,
+or
+.Sq G
+to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
+The default is between
+.Dq 1G
+and
+.Dq 4G ,
+depending on the cipher.
+This option applies to protocol version 2 only.
 .It Cm RemoteForward
-Specifies that a TCP/IP port on the remote machine be forwarded over
+Specifies that a TCP port on the remote machine be forwarded over
 the secure channel to the specified host and port from the local machine.
 The first argument must be
 .Sm off
@@ -761,17 +821,8 @@ across multiple
 .Cm SendEnv
 directives.
 The default is not to send any environment variables.
-.It Cm ServerAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the server,
-.Nm ssh
-will send a message through the encrypted
-channel to request a response from the server.
-The default
-is 0, indicating that these messages will not be sent to the server.
-This option applies to protocol version 2 only.
 .It Cm ServerAliveCountMax
-Sets the number of server alive messages (see above) which may be
+Sets the number of server alive messages (see below) which may be
 sent without
 .Nm ssh
 receiving any messages back from the server.
@@ -793,10 +844,19 @@ server depend on knowing when a connection has become inactive.
 The default value is 3.
 If, for example,
 .Cm ServerAliveInterval
-(above) is set to 15, and
+(see below) is set to 15, and
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive ssh
 will disconnect after approximately 45 seconds.
+.It Cm ServerAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the server,
+.Nm ssh
+will send a message through the encrypted
+channel to request a response from the server.
+The default
+is 0, indicating that these messages will not be sent to the server.
+This option applies to protocol version 2 only.
 .It Cm SmartcardDevice
 Specifies which smartcard device to use.
 The argument to this keyword is the device
@@ -856,6 +916,25 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.It Cm Tunnel
+Request starting
+.Xr tun 4
+device forwarding between the client and the server.
+This option also allows requesting layer 2 (ethernet)
+instead of layer 3 (point-to-point) tunneling from the server.
+The argument must be
+.Dq yes ,
+.Dq point-to-point ,
+.Dq ethernet
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm TunnelDevice
+Force a specified
+.Xr tun 4
+device on the client.
+Without this option, the next available device will be used.
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be

diff --git a/ssh_config.5 b/ssh_config.5 index 9033185b1..5c41189fa 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -263,8 +263,10 @@ with
263	set to	263	set to
264	.Dq no	264	.Dq no
265	(the default).	265	(the default).
266	These sessions will reuse the master instance's network connection rather	266	These sessions will try to reuse the master instance's network connection
267	than initiating new ones.	267	rather than initiating new ones, but will fall back to connecting normally
		268	if the control socket does not exist, or is not listening.
		269	.Pp
268	Setting this to	270	Setting this to
269	.Dq ask	271	.Dq ask
270	will cause	272	will cause
@@ -283,7 +285,7 @@ will continue without connecting to a master instance.
283	X11 and	285	X11 and
284	.Xr ssh-agent 1	286	.Xr ssh-agent 1
285	forwarding is supported over these multiplexed connections, however the	287	forwarding is supported over these multiplexed connections, however the
286	display and agent fowarded will be the one belonging to the master	288	display and agent forwarded will be the one belonging to the master
287	connection i.e. it is not possible to forward multiple displays or agents.	289	connection i.e. it is not possible to forward multiple displays or agents.
288	.Pp	290	.Pp
289	Two additional options allow for opportunistic multiplexing: try to use a	291	Two additional options allow for opportunistic multiplexing: try to use a
@@ -316,11 +318,33 @@ used for opportunistic connection sharing include
316	all three of these escape sequences.	318	all three of these escape sequences.
317	This ensures that shared connections are uniquely identified.	319	This ensures that shared connections are uniquely identified.
318	.It Cm DynamicForward	320	.It Cm DynamicForward
319	Specifies that a TCP/IP port on the local machine be forwarded	321	Specifies that a TCP port on the local machine be forwarded
320	over the secure channel, and the application	322	over the secure channel, and the application
321	protocol is then used to determine where to connect to from the	323	protocol is then used to determine where to connect to from the
322	remote machine.	324	remote machine.
323	The argument must be a port number.	325	.Pp
		326	The argument must be
		327	.Sm off
		328	.Oo Ar bind_address : Oc Ar port .
		329	.Sm on
		330	IPv6 addresses can be specified by enclosing addresses in square brackets or
		331	by using an alternative syntax:
		332	.Oo Ar bind_address Ns / Oc Ns Ar port .
		333	By default, the local port is bound in accordance with the
		334	.Cm GatewayPorts
		335	setting.
		336	However, an explicit
		337	.Ar bind_address
		338	may be used to bind the connection to a specific address.
		339	The
		340	.Ar bind_address
		341	of
		342	.Dq localhost
		343	indicates that the listening port be bound for local use only, while an
		344	empty address or
		345	.Sq *
		346	indicates that the port should be available from all interfaces.
		347	.Pp
324	Currently the SOCKS4 and SOCKS5 protocols are supported, and	348	Currently the SOCKS4 and SOCKS5 protocols are supported, and
325	.Nm ssh	349	.Nm ssh
326	will act as a SOCKS server.	350	will act as a SOCKS server.
@@ -503,23 +527,6 @@ Default is the name given on the command line.
503	Numeric IP addresses are also permitted (both on the command line and in	527	Numeric IP addresses are also permitted (both on the command line and in
504	.Cm HostName	528	.Cm HostName
505	specifications).	529	specifications).
506	.It Cm IdentityFile
507	Specifies a file from which the user's RSA or DSA authentication identity
508	is read.
509	The default is
510	.Pa ~/.ssh/identity
511	for protocol version 1, and
512	.Pa ~/.ssh/id_rsa
513	and
514	.Pa ~/.ssh/id_dsa
515	for protocol version 2.
516	Additionally, any identities represented by the authentication agent
517	will be used for authentication.
518	The file name may use the tilde
519	syntax to refer to a user's home directory.
520	It is possible to have
521	multiple identity files specified in configuration files; all these
522	identities will be tried in sequence.
523	.It Cm IdentitiesOnly	530	.It Cm IdentitiesOnly
524	Specifies that	531	Specifies that
525	.Nm ssh	532	.Nm ssh
@@ -533,17 +540,42 @@ The argument to this keyword must be
533	.Dq yes	540	.Dq yes
534	or	541	or
535	.Dq no .	542	.Dq no .
536	This option is intented for situations where	543	This option is intended for situations where
537	.Nm ssh-agent	544	.Nm ssh-agent
538	offers many different identities.	545	offers many different identities.
539	The default is	546	The default is
540	.Dq no .	547	.Dq no .
		548	.It Cm IdentityFile
		549	Specifies a file from which the user's RSA or DSA authentication identity
		550	is read.
		551	The default is
		552	.Pa ~/.ssh/identity
		553	for protocol version 1, and
		554	.Pa ~/.ssh/id_rsa
		555	and
		556	.Pa ~/.ssh/id_dsa
		557	for protocol version 2.
		558	Additionally, any identities represented by the authentication agent
		559	will be used for authentication.
		560	The file name may use the tilde
		561	syntax to refer to a user's home directory.
		562	It is possible to have
		563	multiple identity files specified in configuration files; all these
		564	identities will be tried in sequence.
541	.It Cm KbdInteractiveDevices	565	.It Cm KbdInteractiveDevices
542	Specifies the list of methods to use in keyboard-interactive authentication.	566	Specifies the list of methods to use in keyboard-interactive authentication.
543	Multiple method names must be comma-separated.	567	Multiple method names must be comma-separated.
544	The default is to use the server specified list.	568	The default is to use the server specified list.
		569	.It Cm LocalCommand
		570	Specifies a command to execute on the local machine after successfully
		571	connecting to the server.
		572	The command string extends to the end of the line, and is executed with
		573	.Pa /bin/sh .
		574	This directive is ignored unless
		575	.Cm PermitLocalCommand
		576	has been enabled.
545	.It Cm LocalForward	577	.It Cm LocalForward
546	Specifies that a TCP/IP port on the local machine be forwarded over	578	Specifies that a TCP port on the local machine be forwarded over
547	the secure channel to the specified host and port from the remote machine.	579	the secure channel to the specified host and port from the remote machine.
548	The first argument must be	580	The first argument must be
549	.Sm off	581	.Sm off
@@ -611,6 +643,19 @@ or
611	.Dq no .	643	.Dq no .
612	The default is	644	The default is
613	.Dq yes .	645	.Dq yes .
		646	.It Cm PermitLocalCommand
		647	Allow local command execution via the
		648	.Ic LocalCommand
		649	option or using the
		650	.Ic !\& Ns Ar command
		651	escape sequence in
		652	.Xr ssh 1 .
		653	The argument must be
		654	.Dq yes
		655	or
		656	.Dq no .
		657	The default is
		658	.Dq no .
614	.It Cm Port	659	.It Cm Port
615	Specifies the port number to connect on the remote host.	660	Specifies the port number to connect on the remote host.
616	Default is 22.	661	Default is 22.
@@ -683,8 +728,23 @@ or
683	The default is	728	The default is
684	.Dq yes .	729	.Dq yes .
685	This option applies to protocol version 2 only.	730	This option applies to protocol version 2 only.
		731	.It Cm RekeyLimit
		732	Specifies the maximum amount of data that may be transmitted before the
		733	session key is renegotiated.
		734	The argument is the number of bytes, with an optional suffix of
		735	.Sq K ,
		736	.Sq M ,
		737	or
		738	.Sq G
		739	to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
		740	The default is between
		741	.Dq 1G
		742	and
		743	.Dq 4G ,
		744	depending on the cipher.
		745	This option applies to protocol version 2 only.
686	.It Cm RemoteForward	746	.It Cm RemoteForward
687	Specifies that a TCP/IP port on the remote machine be forwarded over	747	Specifies that a TCP port on the remote machine be forwarded over
688	the secure channel to the specified host and port from the local machine.	748	the secure channel to the specified host and port from the local machine.
689	The first argument must be	749	The first argument must be
690	.Sm off	750	.Sm off
@@ -761,17 +821,8 @@ across multiple
761	.Cm SendEnv	821	.Cm SendEnv
762	directives.	822	directives.
763	The default is not to send any environment variables.	823	The default is not to send any environment variables.
764	.It Cm ServerAliveInterval
765	Sets a timeout interval in seconds after which if no data has been received
766	from the server,
767	.Nm ssh
768	will send a message through the encrypted
769	channel to request a response from the server.
770	The default
771	is 0, indicating that these messages will not be sent to the server.
772	This option applies to protocol version 2 only.
773	.It Cm ServerAliveCountMax	824	.It Cm ServerAliveCountMax
774	Sets the number of server alive messages (see above) which may be	825	Sets the number of server alive messages (see below) which may be
775	sent without	826	sent without
776	.Nm ssh	827	.Nm ssh
777	receiving any messages back from the server.	828	receiving any messages back from the server.
@@ -793,10 +844,19 @@ server depend on knowing when a connection has become inactive.
793	The default value is 3.	844	The default value is 3.
794	If, for example,	845	If, for example,
795	.Cm ServerAliveInterval	846	.Cm ServerAliveInterval
796	(above) is set to 15, and	847	(see below) is set to 15, and
797	.Cm ServerAliveCountMax	848	.Cm ServerAliveCountMax
798	is left at the default, if the server becomes unresponsive ssh	849	is left at the default, if the server becomes unresponsive ssh
799	will disconnect after approximately 45 seconds.	850	will disconnect after approximately 45 seconds.
		851	.It Cm ServerAliveInterval
		852	Sets a timeout interval in seconds after which if no data has been received
		853	from the server,
		854	.Nm ssh
		855	will send a message through the encrypted
		856	channel to request a response from the server.
		857	The default
		858	is 0, indicating that these messages will not be sent to the server.
		859	This option applies to protocol version 2 only.
800	.It Cm SmartcardDevice	860	.It Cm SmartcardDevice
801	Specifies which smartcard device to use.	861	Specifies which smartcard device to use.
802	The argument to this keyword is the device	862	The argument to this keyword is the device
@@ -856,6 +916,25 @@ This is important in scripts, and many users want it too.
856	.Pp	916	.Pp
857	To disable TCP keepalive messages, the value should be set to	917	To disable TCP keepalive messages, the value should be set to
858	.Dq no .	918	.Dq no .
		919	.It Cm Tunnel
		920	Request starting
		921	.Xr tun 4
		922	device forwarding between the client and the server.
		923	This option also allows requesting layer 2 (ethernet)
		924	instead of layer 3 (point-to-point) tunneling from the server.
		925	The argument must be
		926	.Dq yes ,
		927	.Dq point-to-point ,
		928	.Dq ethernet
		929	or
		930	.Dq no .
		931	The default is
		932	.Dq no .
		933	.It Cm TunnelDevice
		934	Force a specified
		935	.Xr tun 4
		936	device on the client.
		937	Without this option, the next available device will be used.
859	.It Cm UsePrivilegedPort	938	.It Cm UsePrivilegedPort
860	Specifies whether to use a privileged port for outgoing connections.	939	Specifies whether to use a privileged port for outgoing connections.
861	The argument must be	940	The argument must be