1 files changed, 69 insertions, 16 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index dc010ccbd..6be1f1aa2 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.325 2020/04/11 20:20:09 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.332 2020/08/11 09:49:57 djm Exp $
-.Dd $Mdocdate: April 11 2020 $
+.Dd $Mdocdate: August 11 2020 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -245,13 +245,22 @@ option was specified to
 If this option is set to
 .Cm no ,
 no keys are added to the agent.
+Alternately, this option may be specified as a time interval
+using the format described in the
+.Sx TIME FORMATS
+section of
+.Xr sshd_config 5
+to specify the key's lifetime in
+.Xr ssh-agent 1 ,
+after which it will automatically be removed.
 The argument must be
-.Cm yes ,
-.Cm confirm ,
-.Cm ask ,
-or
 .Cm no
-(the default).
+(the default),
+.Cm yes ,
+.Cm confirm
+(optionally followed by a time interval),
+.Cm ask
+or a time interval.
 .It Cm AddressFamily
 Specifies which address family to use when connecting.
 Valid arguments are
@@ -389,9 +398,11 @@ or
 .Pp
 Arguments to
 .Cm CertificateFile
-may use the tilde syntax to refer to a user's home directory
+may use the tilde syntax to refer to a user's home directory,
-or the tokens described in the
+the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 .Pp
 It is possible to have multiple certificate files specified in
@@ -551,9 +562,11 @@ section above or the string
 to disable connection sharing.
 Arguments to
 .Cm ControlPath
-may use the tilde syntax to refer to a user's home directory
+may use the tilde syntax to refer to a user's home directory,
-or the tokens described in the
+the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 It is recommended that any
 .Cm ControlPath
@@ -934,9 +947,11 @@ the location of the socket.
 .Pp
 Arguments to
 .Cm IdentityAgent
-may use the tilde syntax to refer to a user's home directory
+may use the tilde syntax to refer to a user's home directory,
-or the tokens described in the
+the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 .It Cm IdentityFile
 Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
@@ -1004,6 +1019,7 @@ Multiple pathnames may be specified and each pathname may contain
 wildcards and, for user configurations, shell-like
 .Sq ~
 references to user home directories.
+Wildcards will be expanded and processed in lexical order.
 Files without absolute paths are assumed to be in
 .Pa ~/.ssh
 if included in a user configuration file or
@@ -1152,8 +1168,10 @@ indicates that the listening port be bound for local use only, while an
 empty address or
 .Sq *
 indicates that the port should be available from all interfaces.
-Unix domain socket paths accept the tokens described in the
+Unix domain socket paths may use the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
@@ -1423,8 +1441,10 @@ Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Privileged ports can be forwarded only when
 logging in as root on the remote machine.
-Unix domain socket paths accept the tokens described in the
+Unix domain socket paths may use the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 .Pp
 If the
@@ -1727,6 +1747,12 @@ having to remember to give the user name on the command line.
 .It Cm UserKnownHostsFile
 Specifies one or more files to use for the user
 host key database, separated by whitespace.
+Each filename may use tilde notation to refer to the user's home directory,
+the tokens described in the
+.Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
+section.
 The default is
 .Pa ~/.ssh/known_hosts ,
 .Pa ~/.ssh/known_hosts2 .
@@ -1833,6 +1859,9 @@ Local user's home directory.
 The remote hostname.
 .It %i
 The local user ID.
+.It %k
+The host key alias if specified, otherwise the orignal remote hostname given
+on the command line.
 .It %L
 The local hostname.
 .It %l
@@ -1863,8 +1892,9 @@ The local username.
 .Cm LocalForward ,
 .Cm Match exec ,
 .Cm RemoteCommand ,
+.Cm RemoteForward ,
 and
-.Cm RemoteForward
+.Cm UserKnownHostsFile
 accept the tokens %%, %C, %d, %h, %i, %L, %l, %n, %p, %r, and %u.
 .Pp
 .Cm Hostname
@@ -1875,6 +1905,29 @@ accepts all tokens.
 .Pp
 .Cm ProxyCommand
 accepts the tokens %%, %h, %n, %p, and %r.
+.Sh ENVIRONMENT VARIABLES
+Arguments to some keywords can be expanded at runtime from environment
+variables on the client by enclosing them in
+.Ic ${} ,
+for example
+.Ic ${HOME}/.ssh
+would refer to the user's .ssh directory.
+If a specified environment variable does not exist then an error will be
+returned and the setting for that keyword will be ignored.
+.Pp
+The keywords
+.Cm CertificateFile ,
+.Cm ControlPath ,
+.Cm IdentityAgent ,
+.Cm IdentityFile
+and
+.Cm UserKnownHostsFile
+support environment variables.
+The keywords
+.Cm LocalForward
+and
+.Cm RemoteForward
+support environment variables only for Unix domain socket paths.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/config

diff --git a/ssh_config.5 b/ssh_config.5 index dc010ccbd..6be1f1aa2 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.325 2020/04/11 20:20:09 jmc Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.332 2020/08/11 09:49:57 djm Exp $
37	.Dd $Mdocdate: April 11 2020 $	37	.Dd $Mdocdate: August 11 2020 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -245,13 +245,22 @@ option was specified to
245	If this option is set to	245	If this option is set to
246	.Cm no ,	246	.Cm no ,
247	no keys are added to the agent.	247	no keys are added to the agent.
		248	Alternately, this option may be specified as a time interval
		249	using the format described in the
		250	.Sx TIME FORMATS
		251	section of
		252	.Xr sshd_config 5
		253	to specify the key's lifetime in
		254	.Xr ssh-agent 1 ,
		255	after which it will automatically be removed.
248	The argument must be	256	The argument must be
249	.Cm yes ,
250	.Cm confirm ,
251	.Cm ask ,
252	or
253	.Cm no	257	.Cm no
254	(the default).	258	(the default),
		259	.Cm yes ,
		260	.Cm confirm
		261	(optionally followed by a time interval),
		262	.Cm ask
		263	or a time interval.
255	.It Cm AddressFamily	264	.It Cm AddressFamily
256	Specifies which address family to use when connecting.	265	Specifies which address family to use when connecting.
257	Valid arguments are	266	Valid arguments are
@@ -389,9 +398,11 @@ or
389	.Pp	398	.Pp
390	Arguments to	399	Arguments to
391	.Cm CertificateFile	400	.Cm CertificateFile
392	may use the tilde syntax to refer to a user's home directory	401	may use the tilde syntax to refer to a user's home directory,
393	or the tokens described in the	402	the tokens described in the
394	.Sx TOKENS	403	.Sx TOKENS
		404	section and environment variables as described in the
		405	.Sx ENVIRONMENT VARIABLES
395	section.	406	section.
396	.Pp	407	.Pp
397	It is possible to have multiple certificate files specified in	408	It is possible to have multiple certificate files specified in
@@ -551,9 +562,11 @@ section above or the string
551	to disable connection sharing.	562	to disable connection sharing.
552	Arguments to	563	Arguments to
553	.Cm ControlPath	564	.Cm ControlPath
554	may use the tilde syntax to refer to a user's home directory	565	may use the tilde syntax to refer to a user's home directory,
555	or the tokens described in the	566	the tokens described in the
556	.Sx TOKENS	567	.Sx TOKENS
		568	section and environment variables as described in the
		569	.Sx ENVIRONMENT VARIABLES
557	section.	570	section.
558	It is recommended that any	571	It is recommended that any
559	.Cm ControlPath	572	.Cm ControlPath
@@ -934,9 +947,11 @@ the location of the socket.
934	.Pp	947	.Pp
935	Arguments to	948	Arguments to
936	.Cm IdentityAgent	949	.Cm IdentityAgent
937	may use the tilde syntax to refer to a user's home directory	950	may use the tilde syntax to refer to a user's home directory,
938	or the tokens described in the	951	the tokens described in the
939	.Sx TOKENS	952	.Sx TOKENS
		953	section and environment variables as described in the
		954	.Sx ENVIRONMENT VARIABLES
940	section.	955	section.
941	.It Cm IdentityFile	956	.It Cm IdentityFile
942	Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,	957	Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
@@ -1004,6 +1019,7 @@ Multiple pathnames may be specified and each pathname may contain
1004	wildcards and, for user configurations, shell-like	1019	wildcards and, for user configurations, shell-like
1005	.Sq ~	1020	.Sq ~
1006	references to user home directories.	1021	references to user home directories.
		1022	Wildcards will be expanded and processed in lexical order.
1007	Files without absolute paths are assumed to be in	1023	Files without absolute paths are assumed to be in
1008	.Pa ~/.ssh	1024	.Pa ~/.ssh
1009	if included in a user configuration file or	1025	if included in a user configuration file or
@@ -1152,8 +1168,10 @@ indicates that the listening port be bound for local use only, while an
1152	empty address or	1168	empty address or
1153	.Sq *	1169	.Sq *
1154	indicates that the port should be available from all interfaces.	1170	indicates that the port should be available from all interfaces.
1155	Unix domain socket paths accept the tokens described in the	1171	Unix domain socket paths may use the tokens described in the
1156	.Sx TOKENS	1172	.Sx TOKENS
		1173	section and environment variables as described in the
		1174	.Sx ENVIRONMENT VARIABLES
1157	section.	1175	section.
1158	.It Cm LogLevel	1176	.It Cm LogLevel
1159	Gives the verbosity level that is used when logging messages from	1177	Gives the verbosity level that is used when logging messages from
@@ -1423,8 +1441,10 @@ Multiple forwardings may be specified, and additional
1423	forwardings can be given on the command line.	1441	forwardings can be given on the command line.
1424	Privileged ports can be forwarded only when	1442	Privileged ports can be forwarded only when
1425	logging in as root on the remote machine.	1443	logging in as root on the remote machine.
1426	Unix domain socket paths accept the tokens described in the	1444	Unix domain socket paths may use the tokens described in the
1427	.Sx TOKENS	1445	.Sx TOKENS
		1446	section and environment variables as described in the
		1447	.Sx ENVIRONMENT VARIABLES
1428	section.	1448	section.
1429	.Pp	1449	.Pp
1430	If the	1450	If the
@@ -1727,6 +1747,12 @@ having to remember to give the user name on the command line.
1727	.It Cm UserKnownHostsFile	1747	.It Cm UserKnownHostsFile
1728	Specifies one or more files to use for the user	1748	Specifies one or more files to use for the user
1729	host key database, separated by whitespace.	1749	host key database, separated by whitespace.
		1750	Each filename may use tilde notation to refer to the user's home directory,
		1751	the tokens described in the
		1752	.Sx TOKENS
		1753	section and environment variables as described in the
		1754	.Sx ENVIRONMENT VARIABLES
		1755	section.
1730	The default is	1756	The default is
1731	.Pa ~/.ssh/known_hosts ,	1757	.Pa ~/.ssh/known_hosts ,
1732	.Pa ~/.ssh/known_hosts2 .	1758	.Pa ~/.ssh/known_hosts2 .
@@ -1833,6 +1859,9 @@ Local user's home directory.
1833	The remote hostname.	1859	The remote hostname.
1834	.It %i	1860	.It %i
1835	The local user ID.	1861	The local user ID.
		1862	.It %k
		1863	The host key alias if specified, otherwise the orignal remote hostname given
		1864	on the command line.
1836	.It %L	1865	.It %L
1837	The local hostname.	1866	The local hostname.
1838	.It %l	1867	.It %l
@@ -1863,8 +1892,9 @@ The local username.
1863	.Cm LocalForward ,	1892	.Cm LocalForward ,
1864	.Cm Match exec ,	1893	.Cm Match exec ,
1865	.Cm RemoteCommand ,	1894	.Cm RemoteCommand ,
		1895	.Cm RemoteForward ,
1866	and	1896	and
1867	.Cm RemoteForward	1897	.Cm UserKnownHostsFile
1868	accept the tokens %%, %C, %d, %h, %i, %L, %l, %n, %p, %r, and %u.	1898	accept the tokens %%, %C, %d, %h, %i, %L, %l, %n, %p, %r, and %u.
1869	.Pp	1899	.Pp
1870	.Cm Hostname	1900	.Cm Hostname
@@ -1875,6 +1905,29 @@ accepts all tokens.
1875	.Pp	1905	.Pp
1876	.Cm ProxyCommand	1906	.Cm ProxyCommand
1877	accepts the tokens %%, %h, %n, %p, and %r.	1907	accepts the tokens %%, %h, %n, %p, and %r.
		1908	.Sh ENVIRONMENT VARIABLES
		1909	Arguments to some keywords can be expanded at runtime from environment
		1910	variables on the client by enclosing them in
		1911	.Ic ${} ,
		1912	for example
		1913	.Ic ${HOME}/.ssh
		1914	would refer to the user's .ssh directory.
		1915	If a specified environment variable does not exist then an error will be
		1916	returned and the setting for that keyword will be ignored.
		1917	.Pp
		1918	The keywords
		1919	.Cm CertificateFile ,
		1920	.Cm ControlPath ,
		1921	.Cm IdentityAgent ,
		1922	.Cm IdentityFile
		1923	and
		1924	.Cm UserKnownHostsFile
		1925	support environment variables.
		1926	The keywords
		1927	.Cm LocalForward
		1928	and
		1929	.Cm RemoteForward
		1930	support environment variables only for Unix domain socket paths.
1878	.Sh FILES	1931	.Sh FILES
1879	.Bl -tag -width Ds	1932	.Bl -tag -width Ds
1880	.It Pa ~/.ssh/config	1933	.It Pa ~/.ssh/config