1 files changed, 63 insertions, 4 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index bd3a7127a..fa852acb1 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -136,8 +152,12 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
+In addition, the
+.Cm ServerAliveInterval
+option will be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -498,7 +518,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
@@ -584,6 +605,9 @@ Note that existing names and addresses in known hosts files
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
+Use of this option may break facilities such as tab-completion that rely
+on being able to read unhashed host names from
+.Pa ~/.ssh/known_hosts .
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.
@@ -1102,7 +1126,10 @@ If, for example,
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
-This option applies to protocol version 2 only.
+This option applies to protocol version 2 only; in protocol version
+1 there is no mechanism to request a response from the server to the
+server alive messages, so disconnection is the responsibility of the TCP
+stack.
 .It Cm ServerAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the server,
@@ -1110,8 +1137,15 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set.
 This option applies to protocol version 2 only.
+.Cm ProtocolKeepAlives
+and
+.Cm SetupTimeOut
+are Debian-specific compatibility aliases for this option.
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
@@ -1150,6 +1184,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.
@@ -1201,6 +1241,23 @@ is not specified, it defaults to
 .Dq any .
 The default is
 .Dq any:any .
+.It Cm UseBlacklistedKeys
+Specifies whether
+.Xr ssh 1
+should use keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 )
+for authentication.
+If
+.Dq yes ,
+then attempts to use compromised keys for authentication will be logged but
+accepted.
+It is strongly recommended that this be used only to install new authorized
+keys on the remote system, and even then only with the utmost care.
+If
+.Dq no ,
+then attempts to use compromised keys for authentication will be prevented.
+The default is
+.Dq no .
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be
@@ -1319,6 +1376,8 @@ The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
+It may be group-writable provided that the group in question contains only
+the user.
 .It Pa /etc/ssh/ssh_config
 Systemwide configuration file.
 This file provides defaults for those

diff --git a/ssh_config.5 b/ssh_config.5 index bd3a7127a..fa852acb1 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
71	host-specific declarations should be given near the beginning of the	71	host-specific declarations should be given near the beginning of the
72	file, and general defaults at the end.	72	file, and general defaults at the end.
73	.Pp	73	.Pp
		74	Note that the Debian
		75	.Ic openssh-client
		76	package sets several options as standard in
		77	.Pa /etc/ssh/ssh_config
		78	which are not the default in
		79	.Xr ssh 1 :
		80	.Pp
		81	.Bl -bullet -offset indent -compact
		82	.It
		83	.Cm SendEnv No LANG LC_*
		84	.It
		85	.Cm HashKnownHosts No yes
		86	.It
		87	.Cm GSSAPIAuthentication No yes
		88	.El
		89	.Pp
74	The configuration file has the following format:	90	The configuration file has the following format:
75	.Pp	91	.Pp
76	Empty lines and lines starting with	92	Empty lines and lines starting with
@@ -136,8 +152,12 @@ Valid arguments are
136	If set to	152	If set to
137	.Dq yes ,	153	.Dq yes ,
138	passphrase/password querying will be disabled.	154	passphrase/password querying will be disabled.
		155	In addition, the
		156	.Cm ServerAliveInterval
		157	option will be set to 300 seconds by default.
139	This option is useful in scripts and other batch jobs where no user	158	This option is useful in scripts and other batch jobs where no user
140	is present to supply the password.	159	is present to supply the password,
		160	and where it is desirable to detect a broken network swiftly.
141	The argument must be	161	The argument must be
142	.Dq yes	162	.Dq yes
143	or	163	or
@@ -498,7 +518,8 @@ token used for the session will be set to expire after 20 minutes.
498	Remote clients will be refused access after this time.	518	Remote clients will be refused access after this time.
499	.Pp	519	.Pp
500	The default is	520	The default is
501	.Dq no .	521	.Dq yes
		522	(Debian-specific).
502	.Pp	523	.Pp
503	See the X11 SECURITY extension specification for full details on	524	See the X11 SECURITY extension specification for full details on
504	the restrictions imposed on untrusted clients.	525	the restrictions imposed on untrusted clients.
@@ -584,6 +605,9 @@ Note that existing names and addresses in known hosts files
584	will not be converted automatically,	605	will not be converted automatically,
585	but may be manually hashed using	606	but may be manually hashed using
586	.Xr ssh-keygen 1 .	607	.Xr ssh-keygen 1 .
		608	Use of this option may break facilities such as tab-completion that rely
		609	on being able to read unhashed host names from
		610	.Pa ~/.ssh/known_hosts .
587	.It Cm HostbasedAuthentication	611	.It Cm HostbasedAuthentication
588	Specifies whether to try rhosts based authentication with public key	612	Specifies whether to try rhosts based authentication with public key
589	authentication.	613	authentication.
@@ -1102,7 +1126,10 @@ If, for example,
1102	.Cm ServerAliveCountMax	1126	.Cm ServerAliveCountMax
1103	is left at the default, if the server becomes unresponsive,	1127	is left at the default, if the server becomes unresponsive,
1104	ssh will disconnect after approximately 45 seconds.	1128	ssh will disconnect after approximately 45 seconds.
1105	This option applies to protocol version 2 only.	1129	This option applies to protocol version 2 only; in protocol version
		1130	1 there is no mechanism to request a response from the server to the
		1131	server alive messages, so disconnection is the responsibility of the TCP
		1132	stack.
1106	.It Cm ServerAliveInterval	1133	.It Cm ServerAliveInterval
1107	Sets a timeout interval in seconds after which if no data has been received	1134	Sets a timeout interval in seconds after which if no data has been received
1108	from the server,	1135	from the server,
@@ -1110,8 +1137,15 @@ from the server,
1110	will send a message through the encrypted	1137	will send a message through the encrypted
1111	channel to request a response from the server.	1138	channel to request a response from the server.
1112	The default	1139	The default
1113	is 0, indicating that these messages will not be sent to the server.	1140	is 0, indicating that these messages will not be sent to the server,
		1141	or 300 if the
		1142	.Cm BatchMode
		1143	option is set.
1114	This option applies to protocol version 2 only.	1144	This option applies to protocol version 2 only.
		1145	.Cm ProtocolKeepAlives
		1146	and
		1147	.Cm SetupTimeOut
		1148	are Debian-specific compatibility aliases for this option.
1115	.It Cm StrictHostKeyChecking	1149	.It Cm StrictHostKeyChecking
1116	If this flag is set to	1150	If this flag is set to
1117	.Dq yes ,	1151	.Dq yes ,
@@ -1150,6 +1184,12 @@ Specifies whether the system should send TCP keepalive messages to the
1150	other side.	1184	other side.
1151	If they are sent, death of the connection or crash of one	1185	If they are sent, death of the connection or crash of one
1152	of the machines will be properly noticed.	1186	of the machines will be properly noticed.
		1187	This option only uses TCP keepalives (as opposed to using ssh level
		1188	keepalives), so takes a long time to notice when the connection dies.
		1189	As such, you probably want
		1190	the
		1191	.Cm ServerAliveInterval
		1192	option as well.
1153	However, this means that	1193	However, this means that
1154	connections will die if the route is down temporarily, and some people	1194	connections will die if the route is down temporarily, and some people
1155	find it annoying.	1195	find it annoying.
@@ -1201,6 +1241,23 @@ is not specified, it defaults to
1201	.Dq any .	1241	.Dq any .
1202	The default is	1242	The default is
1203	.Dq any:any .	1243	.Dq any:any .
		1244	.It Cm UseBlacklistedKeys
		1245	Specifies whether
		1246	.Xr ssh 1
		1247	should use keys recorded in its blacklist of known-compromised keys (see
		1248	.Xr ssh-vulnkey 1 )
		1249	for authentication.
		1250	If
		1251	.Dq yes ,
		1252	then attempts to use compromised keys for authentication will be logged but
		1253	accepted.
		1254	It is strongly recommended that this be used only to install new authorized
		1255	keys on the remote system, and even then only with the utmost care.
		1256	If
		1257	.Dq no ,
		1258	then attempts to use compromised keys for authentication will be prevented.
		1259	The default is
		1260	.Dq no .
1204	.It Cm UsePrivilegedPort	1261	.It Cm UsePrivilegedPort
1205	Specifies whether to use a privileged port for outgoing connections.	1262	Specifies whether to use a privileged port for outgoing connections.
1206	The argument must be	1263	The argument must be
@@ -1319,6 +1376,8 @@ The format of this file is described above.
1319	This file is used by the SSH client.	1376	This file is used by the SSH client.
1320	Because of the potential for abuse, this file must have strict permissions:	1377	Because of the potential for abuse, this file must have strict permissions:
1321	read/write for the user, and not accessible by others.	1378	read/write for the user, and not accessible by others.
		1379	It may be group-writable provided that the group in question contains only
		1380	the user.
1322	.It Pa /etc/ssh/ssh_config	1381	.It Pa /etc/ssh/ssh_config
1323	Systemwide configuration file.	1382	Systemwide configuration file.
1324	This file provides defaults for those	1383	This file provides defaults for those