1 files changed, 121 insertions, 41 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index b232a0203..889def626 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -270,8 +270,10 @@ with
 set to
 .Dq no
 (the default).
-These sessions will reuse the master instance's network connection rather
+These sessions will try to reuse the master instance's network connection
-than initiating new ones.
+rather than initiating new ones, but will fall back to connecting normally
+if the control socket does not exist, or is not listening.
+.Pp
 Setting this to
 .Dq ask
 will cause
@@ -290,7 +292,7 @@ will continue without connecting to a master instance.
 X11 and
 .Xr ssh-agent 1
 forwarding is supported over these multiplexed connections, however the
-display and agent fowarded will be the one belonging to the master
+display and agent forwarded will be the one belonging to the master
 connection i.e. it is not possible to forward multiple displays or agents.
 .Pp
 Two additional options allow for opportunistic multiplexing: try to use a
@@ -323,11 +325,33 @@ used for opportunistic connection sharing include
 all three of these escape sequences.
 This ensures that shared connections are uniquely identified.
 .It Cm DynamicForward
-Specifies that a TCP/IP port on the local machine be forwarded
+Specifies that a TCP port on the local machine be forwarded
 over the secure channel, and the application
 protocol is then used to determine where to connect to from the
 remote machine.
-The argument must be a port number.
+.Pp
+The argument must be
+.Sm off
+.Oo Ar bind_address : Oc Ar port .
+.Sm on
+IPv6 addresses can be specified by enclosing addresses in square brackets or
+by using an alternative syntax:
+.Oo Ar bind_address Ns / Oc Ns Ar port .
+By default, the local port is bound in accordance with the
+.Cm GatewayPorts
+setting.
+However, an explicit
+.Ar bind_address
+may be used to bind the connection to a specific address.
+The
+.Ar bind_address
+of
+.Dq localhost
+indicates that the listening port be bound for local use only, while an
+empty address or
+.Sq *
+indicates that the port should be available from all interfaces.
+.Pp
 Currently the SOCKS4 and SOCKS5 protocols are supported, and
 .Nm ssh
 will act as a SOCKS server.
@@ -501,23 +525,6 @@ Default is the name given on the command line.
 Numeric IP addresses are also permitted (both on the command line and in
 .Cm HostName
 specifications).
-.It Cm IdentityFile
-Specifies a file from which the user's RSA or DSA authentication identity
-is read.
-The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
-.Pa ~/.ssh/id_rsa
-and
-.Pa ~/.ssh/id_dsa
-for protocol version 2.
-Additionally, any identities represented by the authentication agent
-will be used for authentication.
-The file name may use the tilde
-syntax to refer to a user's home directory.
-It is possible to have
-multiple identity files specified in configuration files; all these
-identities will be tried in sequence.
 .It Cm IdentitiesOnly
 Specifies that
 .Nm ssh
@@ -531,17 +538,42 @@ The argument to this keyword must be
 .Dq yes
 or
 .Dq no .
-This option is intented for situations where
+This option is intended for situations where
 .Nm ssh-agent
 offers many different identities.
 The default is
 .Dq no .
+.It Cm IdentityFile
+Specifies a file from which the user's RSA or DSA authentication identity
+is read.
+The default is
+.Pa ~/.ssh/identity
+for protocol version 1, and
+.Pa ~/.ssh/id_rsa
+and
+.Pa ~/.ssh/id_dsa
+for protocol version 2.
+Additionally, any identities represented by the authentication agent
+will be used for authentication.
+The file name may use the tilde
+syntax to refer to a user's home directory.
+It is possible to have
+multiple identity files specified in configuration files; all these
+identities will be tried in sequence.
 .It Cm KbdInteractiveDevices
 Specifies the list of methods to use in keyboard-interactive authentication.
 Multiple method names must be comma-separated.
 The default is to use the server specified list.
+.It Cm LocalCommand
+Specifies a command to execute on the local machine after successfully
+connecting to the server.
+The command string extends to the end of the line, and is executed with
+.Pa /bin/sh .
+This directive is ignored unless
+.Cm PermitLocalCommand
+has been enabled.
 .It Cm LocalForward
-Specifies that a TCP/IP port on the local machine be forwarded over
+Specifies that a TCP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
 The first argument must be
 .Sm off
@@ -609,6 +641,19 @@ or
 .Dq no .
 The default is
 .Dq yes .
+.It Cm PermitLocalCommand
+Allow local command execution via the
+.Ic LocalCommand
+option or using the
+.Ic !\& Ns Ar command
+escape sequence in
+.Xr ssh 1 .
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm Port
 Specifies the port number to connect on the remote host.
 Default is 22.
@@ -681,8 +726,23 @@ or
 The default is
 .Dq yes .
 This option applies to protocol version 2 only.
+.It Cm RekeyLimit
+Specifies the maximum amount of data that may be transmitted before the
+session key is renegotiated.
+The argument is the number of bytes, with an optional suffix of
+.Sq K ,
+.Sq M ,
+or
+.Sq G
+to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
+The default is between
+.Dq 1G
+and
+.Dq 4G ,
+depending on the cipher.
+This option applies to protocol version 2 only.
 .It Cm RemoteForward
-Specifies that a TCP/IP port on the remote machine be forwarded over
+Specifies that a TCP port on the remote machine be forwarded over
 the secure channel to the specified host and port from the local machine.
 The first argument must be
 .Sm off
@@ -759,21 +819,8 @@ across multiple
 .Cm SendEnv
 directives.
 The default is not to send any environment variables.
-.It Cm ServerAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the server,
-.Nm ssh
-will send a message through the encrypted
-channel to request a response from the server.
-The default
-is 0, indicating that these messages will not be sent to the server,
-or 300 if the
-.Cm BatchMode
-option is set.
-.Cm ProtocolKeepAlives
-is a Debian-specific compatibility alias for this option.
 .It Cm ServerAliveCountMax
-Sets the number of server alive messages (see above) which may be
+Sets the number of server alive messages (see below) which may be
 sent without
 .Nm ssh
 receiving any messages back from the server.
@@ -795,7 +842,7 @@ server depend on knowing when a connection has become inactive.
 The default value is 3.
 If, for example,
 .Cm ServerAliveInterval
-(above) is set to 15, and
+(see below) is set to 15, and
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive ssh
 will disconnect after approximately 45 seconds.
@@ -803,6 +850,20 @@ This option works when using protocol version 2 only; in protocol version
 1 there is no mechanism to request a response from the server to the
 server alive messages, so disconnection is the responsibility of the TCP
 stack.
+.It Cm ServerAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the server,
+.Nm ssh
+will send a message through the encrypted
+channel to request a response from the server.
+The default
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set.
+This option applies to protocol version 2 only.
+.Cm ProtocolKeepAlives
+is a Debian-specific compatibility alias for this option.
 .It Cm SetupTimeOut
 Normally,
 .Nm ssh
@@ -885,6 +946,25 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.It Cm Tunnel
+Request starting
+.Xr tun 4
+device forwarding between the client and the server.
+This option also allows requesting layer 2 (ethernet)
+instead of layer 3 (point-to-point) tunneling from the server.
+The argument must be
+.Dq yes ,
+.Dq point-to-point ,
+.Dq ethernet
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm TunnelDevice
+Force a specified
+.Xr tun 4
+device on the client.
+Without this option, the next available device will be used.
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be

diff --git a/ssh_config.5 b/ssh_config.5 index b232a0203..889def626 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -270,8 +270,10 @@ with
270	set to	270	set to
271	.Dq no	271	.Dq no
272	(the default).	272	(the default).
273	These sessions will reuse the master instance's network connection rather	273	These sessions will try to reuse the master instance's network connection
274	than initiating new ones.	274	rather than initiating new ones, but will fall back to connecting normally
		275	if the control socket does not exist, or is not listening.
		276	.Pp
275	Setting this to	277	Setting this to
276	.Dq ask	278	.Dq ask
277	will cause	279	will cause
@@ -290,7 +292,7 @@ will continue without connecting to a master instance.
290	X11 and	292	X11 and
291	.Xr ssh-agent 1	293	.Xr ssh-agent 1
292	forwarding is supported over these multiplexed connections, however the	294	forwarding is supported over these multiplexed connections, however the
293	display and agent fowarded will be the one belonging to the master	295	display and agent forwarded will be the one belonging to the master
294	connection i.e. it is not possible to forward multiple displays or agents.	296	connection i.e. it is not possible to forward multiple displays or agents.
295	.Pp	297	.Pp
296	Two additional options allow for opportunistic multiplexing: try to use a	298	Two additional options allow for opportunistic multiplexing: try to use a
@@ -323,11 +325,33 @@ used for opportunistic connection sharing include
323	all three of these escape sequences.	325	all three of these escape sequences.
324	This ensures that shared connections are uniquely identified.	326	This ensures that shared connections are uniquely identified.
325	.It Cm DynamicForward	327	.It Cm DynamicForward
326	Specifies that a TCP/IP port on the local machine be forwarded	328	Specifies that a TCP port on the local machine be forwarded
327	over the secure channel, and the application	329	over the secure channel, and the application
328	protocol is then used to determine where to connect to from the	330	protocol is then used to determine where to connect to from the
329	remote machine.	331	remote machine.
330	The argument must be a port number.	332	.Pp
		333	The argument must be
		334	.Sm off
		335	.Oo Ar bind_address : Oc Ar port .
		336	.Sm on
		337	IPv6 addresses can be specified by enclosing addresses in square brackets or
		338	by using an alternative syntax:
		339	.Oo Ar bind_address Ns / Oc Ns Ar port .
		340	By default, the local port is bound in accordance with the
		341	.Cm GatewayPorts
		342	setting.
		343	However, an explicit
		344	.Ar bind_address
		345	may be used to bind the connection to a specific address.
		346	The
		347	.Ar bind_address
		348	of
		349	.Dq localhost
		350	indicates that the listening port be bound for local use only, while an
		351	empty address or
		352	.Sq *
		353	indicates that the port should be available from all interfaces.
		354	.Pp
331	Currently the SOCKS4 and SOCKS5 protocols are supported, and	355	Currently the SOCKS4 and SOCKS5 protocols are supported, and
332	.Nm ssh	356	.Nm ssh
333	will act as a SOCKS server.	357	will act as a SOCKS server.
@@ -501,23 +525,6 @@ Default is the name given on the command line.
501	Numeric IP addresses are also permitted (both on the command line and in	525	Numeric IP addresses are also permitted (both on the command line and in
502	.Cm HostName	526	.Cm HostName
503	specifications).	527	specifications).
504	.It Cm IdentityFile
505	Specifies a file from which the user's RSA or DSA authentication identity
506	is read.
507	The default is
508	.Pa ~/.ssh/identity
509	for protocol version 1, and
510	.Pa ~/.ssh/id_rsa
511	and
512	.Pa ~/.ssh/id_dsa
513	for protocol version 2.
514	Additionally, any identities represented by the authentication agent
515	will be used for authentication.
516	The file name may use the tilde
517	syntax to refer to a user's home directory.
518	It is possible to have
519	multiple identity files specified in configuration files; all these
520	identities will be tried in sequence.
521	.It Cm IdentitiesOnly	528	.It Cm IdentitiesOnly
522	Specifies that	529	Specifies that
523	.Nm ssh	530	.Nm ssh
@@ -531,17 +538,42 @@ The argument to this keyword must be
531	.Dq yes	538	.Dq yes
532	or	539	or
533	.Dq no .	540	.Dq no .
534	This option is intented for situations where	541	This option is intended for situations where
535	.Nm ssh-agent	542	.Nm ssh-agent
536	offers many different identities.	543	offers many different identities.
537	The default is	544	The default is
538	.Dq no .	545	.Dq no .
		546	.It Cm IdentityFile
		547	Specifies a file from which the user's RSA or DSA authentication identity
		548	is read.
		549	The default is
		550	.Pa ~/.ssh/identity
		551	for protocol version 1, and
		552	.Pa ~/.ssh/id_rsa
		553	and
		554	.Pa ~/.ssh/id_dsa
		555	for protocol version 2.
		556	Additionally, any identities represented by the authentication agent
		557	will be used for authentication.
		558	The file name may use the tilde
		559	syntax to refer to a user's home directory.
		560	It is possible to have
		561	multiple identity files specified in configuration files; all these
		562	identities will be tried in sequence.
539	.It Cm KbdInteractiveDevices	563	.It Cm KbdInteractiveDevices
540	Specifies the list of methods to use in keyboard-interactive authentication.	564	Specifies the list of methods to use in keyboard-interactive authentication.
541	Multiple method names must be comma-separated.	565	Multiple method names must be comma-separated.
542	The default is to use the server specified list.	566	The default is to use the server specified list.
		567	.It Cm LocalCommand
		568	Specifies a command to execute on the local machine after successfully
		569	connecting to the server.
		570	The command string extends to the end of the line, and is executed with
		571	.Pa /bin/sh .
		572	This directive is ignored unless
		573	.Cm PermitLocalCommand
		574	has been enabled.
543	.It Cm LocalForward	575	.It Cm LocalForward
544	Specifies that a TCP/IP port on the local machine be forwarded over	576	Specifies that a TCP port on the local machine be forwarded over
545	the secure channel to the specified host and port from the remote machine.	577	the secure channel to the specified host and port from the remote machine.
546	The first argument must be	578	The first argument must be
547	.Sm off	579	.Sm off
@@ -609,6 +641,19 @@ or
609	.Dq no .	641	.Dq no .
610	The default is	642	The default is
611	.Dq yes .	643	.Dq yes .
		644	.It Cm PermitLocalCommand
		645	Allow local command execution via the
		646	.Ic LocalCommand
		647	option or using the
		648	.Ic !\& Ns Ar command
		649	escape sequence in
		650	.Xr ssh 1 .
		651	The argument must be
		652	.Dq yes
		653	or
		654	.Dq no .
		655	The default is
		656	.Dq no .
612	.It Cm Port	657	.It Cm Port
613	Specifies the port number to connect on the remote host.	658	Specifies the port number to connect on the remote host.
614	Default is 22.	659	Default is 22.
@@ -681,8 +726,23 @@ or
681	The default is	726	The default is
682	.Dq yes .	727	.Dq yes .
683	This option applies to protocol version 2 only.	728	This option applies to protocol version 2 only.
		729	.It Cm RekeyLimit
		730	Specifies the maximum amount of data that may be transmitted before the
		731	session key is renegotiated.
		732	The argument is the number of bytes, with an optional suffix of
		733	.Sq K ,
		734	.Sq M ,
		735	or
		736	.Sq G
		737	to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
		738	The default is between
		739	.Dq 1G
		740	and
		741	.Dq 4G ,
		742	depending on the cipher.
		743	This option applies to protocol version 2 only.
684	.It Cm RemoteForward	744	.It Cm RemoteForward
685	Specifies that a TCP/IP port on the remote machine be forwarded over	745	Specifies that a TCP port on the remote machine be forwarded over
686	the secure channel to the specified host and port from the local machine.	746	the secure channel to the specified host and port from the local machine.
687	The first argument must be	747	The first argument must be
688	.Sm off	748	.Sm off
@@ -759,21 +819,8 @@ across multiple
759	.Cm SendEnv	819	.Cm SendEnv
760	directives.	820	directives.
761	The default is not to send any environment variables.	821	The default is not to send any environment variables.
762	.It Cm ServerAliveInterval
763	Sets a timeout interval in seconds after which if no data has been received
764	from the server,
765	.Nm ssh
766	will send a message through the encrypted
767	channel to request a response from the server.
768	The default
769	is 0, indicating that these messages will not be sent to the server,
770	or 300 if the
771	.Cm BatchMode
772	option is set.
773	.Cm ProtocolKeepAlives
774	is a Debian-specific compatibility alias for this option.
775	.It Cm ServerAliveCountMax	822	.It Cm ServerAliveCountMax
776	Sets the number of server alive messages (see above) which may be	823	Sets the number of server alive messages (see below) which may be
777	sent without	824	sent without
778	.Nm ssh	825	.Nm ssh
779	receiving any messages back from the server.	826	receiving any messages back from the server.
@@ -795,7 +842,7 @@ server depend on knowing when a connection has become inactive.
795	The default value is 3.	842	The default value is 3.
796	If, for example,	843	If, for example,
797	.Cm ServerAliveInterval	844	.Cm ServerAliveInterval
798	(above) is set to 15, and	845	(see below) is set to 15, and
799	.Cm ServerAliveCountMax	846	.Cm ServerAliveCountMax
800	is left at the default, if the server becomes unresponsive ssh	847	is left at the default, if the server becomes unresponsive ssh
801	will disconnect after approximately 45 seconds.	848	will disconnect after approximately 45 seconds.
@@ -803,6 +850,20 @@ This option works when using protocol version 2 only; in protocol version
803	1 there is no mechanism to request a response from the server to the	850	1 there is no mechanism to request a response from the server to the
804	server alive messages, so disconnection is the responsibility of the TCP	851	server alive messages, so disconnection is the responsibility of the TCP
805	stack.	852	stack.
		853	.It Cm ServerAliveInterval
		854	Sets a timeout interval in seconds after which if no data has been received
		855	from the server,
		856	.Nm ssh
		857	will send a message through the encrypted
		858	channel to request a response from the server.
		859	The default
		860	is 0, indicating that these messages will not be sent to the server,
		861	or 300 if the
		862	.Cm BatchMode
		863	option is set.
		864	This option applies to protocol version 2 only.
		865	.Cm ProtocolKeepAlives
		866	is a Debian-specific compatibility alias for this option.
806	.It Cm SetupTimeOut	867	.It Cm SetupTimeOut
807	Normally,	868	Normally,
808	.Nm ssh	869	.Nm ssh
@@ -885,6 +946,25 @@ This is important in scripts, and many users want it too.
885	.Pp	946	.Pp
886	To disable TCP keepalive messages, the value should be set to	947	To disable TCP keepalive messages, the value should be set to
887	.Dq no .	948	.Dq no .
		949	.It Cm Tunnel
		950	Request starting
		951	.Xr tun 4
		952	device forwarding between the client and the server.
		953	This option also allows requesting layer 2 (ethernet)
		954	instead of layer 3 (point-to-point) tunneling from the server.
		955	The argument must be
		956	.Dq yes ,
		957	.Dq point-to-point ,
		958	.Dq ethernet
		959	or
		960	.Dq no .
		961	The default is
		962	.Dq no .
		963	.It Cm TunnelDevice
		964	Force a specified
		965	.Xr tun 4
		966	device on the client.
		967	Without this option, the next available device will be used.
888	.It Cm UsePrivilegedPort	968	.It Cm UsePrivilegedPort
889	Specifies whether to use a privileged port for outgoing connections.	969	Specifies whether to use a privileged port for outgoing connections.
890	The argument must be	970	The argument must be