1 files changed, 89 insertions, 12 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 0e1a031e5..06db04c27 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.38 2004/06/26 09:11:14 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.47 2005/03/07 23:41:54 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -63,7 +63,7 @@ system-wide configuration file
 .Pp
 For each parameter, the first obtained value
 will be used.
-The configuration files contain sections bracketed by
+The configuration files contain sections separated by
 .Dq Host
 specifications, and that section is only applied for hosts that
 match one of the patterns given in the specification.
@@ -120,9 +120,9 @@ Specifies which address family to use when connecting.
 Valid arguments are
 .Dq any ,
 .Dq inet
-(Use IPv4 only) or
+(use IPv4 only) or
 .Dq inet6
-(Use IPv6 only.)
+(use IPv6 only).
 .It Cm BatchMode
 If set to
 .Dq yes ,
@@ -359,11 +359,16 @@ option is also enabled.
 If this option is set to
 .Dq yes
 then remote X11 clients will have full access to the original X11 display.
+.Pp
 If this option is set to
 .Dq no
 then remote X11 clients will be considered untrusted and prevented
 from stealing or tampering with data belonging to trusted X11
 clients.
+Furthermore, the
+.Xr xauth 1
+token used for the session will be set to expire after 20 minutes.
+Remote clients will be refused access after this time.
 .Pp
 The default is
 .Dq no .
@@ -402,6 +407,22 @@ Forward (delegate) credentials to the server.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm HashKnownHosts
+Indicates that
+.Nm ssh
+should hash host names and addresses when they are added to
+.Pa $HOME/.ssh/known_hosts .
+These hashed names may be used normally by
+.Nm ssh
+and
+.Nm sshd ,
+but they do not reveal identifying information should the file's contents
+be disclosed.
+The default is
+.Dq no .
+Note that hashing of names and addresses will not be retrospectively applied
+to existing known hosts files, but these may be manually hashed using
+.Xr ssh-keygen 1 .
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.
@@ -467,16 +488,45 @@ This option is intented for situations where
 offers many different identities.
 The default is
 .Dq no .
+.It Cm KbdInteractiveDevices
+Specifies the list of methods to use in keyboard-interactive authentication.
+Multiple method names must be comma-separated.
+The default is to use the server specified list.
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
 The first argument must be a port number, and the second must be
-.Ar host:port .
+.Xo
-IPv6 addresses can be specified with an alternative syntax:
+.Sm off
-.Ar host/port .
+.Oo Ar bind_address : Oc
-Multiple forwardings may be specified, and additional
+.Ar host : port
-forwardings can be given on the command line.
+.Sm on
+.Xc .
+IPv6 addresses can be specified by enclosing addresses in square brackets or
+by using an alternative syntax:
+.Sm off
+.Xo
+.Op Ar bind_address No /
+.Ar host No / Ar port
+.Xc .
+.Sm on
+Multiple forwardings may be specified, and additional forwardings can be
+given on the command line.
 Only the superuser can forward privileged ports.
+By default, the local port is bound in accordance with the
+.Cm GatewayPorts
+setting.
+However, an explicit
+.Ar bind_address
+may be used to bind the connection to a specific address.
+The
+.Ar bind_address
+of
+.Dq localhost
+indicates that the listening port be bound for local use only, while an
+empty address or
+.Sq *
+indicates that the port should be available from all interfaces.
 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
 .Nm ssh .
@@ -583,12 +633,39 @@ This option applies to protocol version 2 only.
 Specifies that a TCP/IP port on the remote machine be forwarded over
 the secure channel to the specified host and port from the local machine.
 The first argument must be a port number, and the second must be
-.Ar host:port .
+.Xo
-IPv6 addresses can be specified with an alternative syntax:
+.Sm off
-.Ar host/port .
+.Oo Ar bind_address : Oc
+.Ar host : port
+.Sm on
+.Xc .
+IPv6 addresses can be specified by enclosing any addresses in square brackets
+or by using the alternative syntax:
+.Sm off
+.Xo
+.Op Ar bind_address No /
+.Ar host No / Ar port
+.Xc .
+.Sm on
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Only the superuser can forward privileged ports.
+.Pp
+If the
+.Ar bind_address
+is not specified, the default is to only bind to loopback addresses.
+If the
+.Ar bind_address
+is
+.Ql *
+or an empty string, then the forwarding is requested to listen on all
+interfaces.
+Specifying a remote
+.Ar bind_address
+will only succeed if the server's
+.Cm GatewayPorts
+option is enabled (see
+.Xr sshd_config 5 ) .
 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.

diff --git a/ssh_config.5 b/ssh_config.5 index 0e1a031e5..06db04c27 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.38 2004/06/26 09:11:14 jmc Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.47 2005/03/07 23:41:54 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -63,7 +63,7 @@ system-wide configuration file
63	.Pp	63	.Pp
64	For each parameter, the first obtained value	64	For each parameter, the first obtained value
65	will be used.	65	will be used.
66	The configuration files contain sections bracketed by	66	The configuration files contain sections separated by
67	.Dq Host	67	.Dq Host
68	specifications, and that section is only applied for hosts that	68	specifications, and that section is only applied for hosts that
69	match one of the patterns given in the specification.	69	match one of the patterns given in the specification.
@@ -120,9 +120,9 @@ Specifies which address family to use when connecting.
120	Valid arguments are	120	Valid arguments are
121	.Dq any ,	121	.Dq any ,
122	.Dq inet	122	.Dq inet
123	(Use IPv4 only) or	123	(use IPv4 only) or
124	.Dq inet6	124	.Dq inet6
125	(Use IPv6 only.)	125	(use IPv6 only).
126	.It Cm BatchMode	126	.It Cm BatchMode
127	If set to	127	If set to
128	.Dq yes ,	128	.Dq yes ,
@@ -359,11 +359,16 @@ option is also enabled.
359	If this option is set to	359	If this option is set to
360	.Dq yes	360	.Dq yes
361	then remote X11 clients will have full access to the original X11 display.	361	then remote X11 clients will have full access to the original X11 display.
		362	.Pp
362	If this option is set to	363	If this option is set to
363	.Dq no	364	.Dq no
364	then remote X11 clients will be considered untrusted and prevented	365	then remote X11 clients will be considered untrusted and prevented
365	from stealing or tampering with data belonging to trusted X11	366	from stealing or tampering with data belonging to trusted X11
366	clients.	367	clients.
		368	Furthermore, the
		369	.Xr xauth 1
		370	token used for the session will be set to expire after 20 minutes.
		371	Remote clients will be refused access after this time.
367	.Pp	372	.Pp
368	The default is	373	The default is
369	.Dq no .	374	.Dq no .
@@ -402,6 +407,22 @@ Forward (delegate) credentials to the server.
402	The default is	407	The default is
403	.Dq no .	408	.Dq no .
404	Note that this option applies to protocol version 2 only.	409	Note that this option applies to protocol version 2 only.
		410	.It Cm HashKnownHosts
		411	Indicates that
		412	.Nm ssh
		413	should hash host names and addresses when they are added to
		414	.Pa $HOME/.ssh/known_hosts .
		415	These hashed names may be used normally by
		416	.Nm ssh
		417	and
		418	.Nm sshd ,
		419	but they do not reveal identifying information should the file's contents
		420	be disclosed.
		421	The default is
		422	.Dq no .
		423	Note that hashing of names and addresses will not be retrospectively applied
		424	to existing known hosts files, but these may be manually hashed using
		425	.Xr ssh-keygen 1 .
405	.It Cm HostbasedAuthentication	426	.It Cm HostbasedAuthentication
406	Specifies whether to try rhosts based authentication with public key	427	Specifies whether to try rhosts based authentication with public key
407	authentication.	428	authentication.
@@ -467,16 +488,45 @@ This option is intented for situations where
467	offers many different identities.	488	offers many different identities.
468	The default is	489	The default is
469	.Dq no .	490	.Dq no .
		491	.It Cm KbdInteractiveDevices
		492	Specifies the list of methods to use in keyboard-interactive authentication.
		493	Multiple method names must be comma-separated.
		494	The default is to use the server specified list.
470	.It Cm LocalForward	495	.It Cm LocalForward
471	Specifies that a TCP/IP port on the local machine be forwarded over	496	Specifies that a TCP/IP port on the local machine be forwarded over
472	the secure channel to the specified host and port from the remote machine.	497	the secure channel to the specified host and port from the remote machine.
473	The first argument must be a port number, and the second must be	498	The first argument must be a port number, and the second must be
474	.Ar host:port .	499	.Xo
475	IPv6 addresses can be specified with an alternative syntax:	500	.Sm off
476	.Ar host/port .	501	.Oo Ar bind_address : Oc
477	Multiple forwardings may be specified, and additional	502	.Ar host : port
478	forwardings can be given on the command line.	503	.Sm on
		504	.Xc .
		505	IPv6 addresses can be specified by enclosing addresses in square brackets or
		506	by using an alternative syntax:
		507	.Sm off
		508	.Xo
		509	.Op Ar bind_address No /
		510	.Ar host No / Ar port
		511	.Xc .
		512	.Sm on
		513	Multiple forwardings may be specified, and additional forwardings can be
		514	given on the command line.
479	Only the superuser can forward privileged ports.	515	Only the superuser can forward privileged ports.
		516	By default, the local port is bound in accordance with the
		517	.Cm GatewayPorts
		518	setting.
		519	However, an explicit
		520	.Ar bind_address
		521	may be used to bind the connection to a specific address.
		522	The
		523	.Ar bind_address
		524	of
		525	.Dq localhost
		526	indicates that the listening port be bound for local use only, while an
		527	empty address or
		528	.Sq *
		529	indicates that the port should be available from all interfaces.
480	.It Cm LogLevel	530	.It Cm LogLevel
481	Gives the verbosity level that is used when logging messages from	531	Gives the verbosity level that is used when logging messages from
482	.Nm ssh .	532	.Nm ssh .
@@ -583,12 +633,39 @@ This option applies to protocol version 2 only.
583	Specifies that a TCP/IP port on the remote machine be forwarded over	633	Specifies that a TCP/IP port on the remote machine be forwarded over
584	the secure channel to the specified host and port from the local machine.	634	the secure channel to the specified host and port from the local machine.
585	The first argument must be a port number, and the second must be	635	The first argument must be a port number, and the second must be
586	.Ar host:port .	636	.Xo
587	IPv6 addresses can be specified with an alternative syntax:	637	.Sm off
588	.Ar host/port .	638	.Oo Ar bind_address : Oc
		639	.Ar host : port
		640	.Sm on
		641	.Xc .
		642	IPv6 addresses can be specified by enclosing any addresses in square brackets
		643	or by using the alternative syntax:
		644	.Sm off
		645	.Xo
		646	.Op Ar bind_address No /
		647	.Ar host No / Ar port
		648	.Xc .
		649	.Sm on
589	Multiple forwardings may be specified, and additional	650	Multiple forwardings may be specified, and additional
590	forwardings can be given on the command line.	651	forwardings can be given on the command line.
591	Only the superuser can forward privileged ports.	652	Only the superuser can forward privileged ports.
		653	.Pp
		654	If the
		655	.Ar bind_address
		656	is not specified, the default is to only bind to loopback addresses.
		657	If the
		658	.Ar bind_address
		659	is
		660	.Ql *
		661	or an empty string, then the forwarding is requested to listen on all
		662	interfaces.
		663	Specifying a remote
		664	.Ar bind_address
		665	will only succeed if the server's
		666	.Cm GatewayPorts
		667	option is enabled (see
		668	.Xr sshd_config 5 ) .
592	.It Cm RhostsRSAAuthentication	669	.It Cm RhostsRSAAuthentication
593	Specifies whether to try rhosts based authentication with RSA host	670	Specifies whether to try rhosts based authentication with RSA host
594	authentication.	671	authentication.