1 files changed, 167 insertions, 9 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 01e7b6f23..cc91a5c56 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $
-.Dd $Mdocdate: June 27 2013 $
+.Dd $Mdocdate: January 19 2014 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -116,6 +116,8 @@ keywords are case-insensitive and arguments are case-sensitive):
 .It Cm Host
 Restricts the following declarations (up to the next
 .Cm Host
+or
+.Cm Match
 keyword) to be only for those hosts that match one of the patterns
 given after the keyword.
 If more than one pattern is provided, they should be separated by whitespace.
@@ -140,6 +142,73 @@ matches.
 See
 .Sx PATTERNS
 for more information on patterns.
+.It Cm Match
+Restricts the following declarations (up to the next
+.Cm Host
+or
+.Cm Match
+keyword) to be used only when the conditions following the
+.Cm Match
+keyword are satisfied.
+Match conditions are specified using one or more keyword/criteria pairs
+or the single token
+.Cm all
+which matches all criteria.
+The available keywords are:
+.Cm exec ,
+.Cm host ,
+.Cm originalhost ,
+.Cm user ,
+and
+.Cm localuser .
+.Pp
+The
+.Cm exec
+keyword executes the specified command under the user's shell.
+If the command returns a zero exit status then the condition is considered true.
+Commands containing whitespace characters must be quoted.
+The following character sequences in the command will be expanded prior to
+execution:
+.Ql %L
+will be substituted by the first component of the local host name,
+.Ql %l
+will be substituted by the local host name (including any domain name),
+.Ql %h
+will be substituted by the target host name,
+.Ql %n
+will be substituted by the original target host name
+specified on the command-line,
+.Ql %p
+the destination port,
+.Ql %r
+by the remote login username, and
+.Ql %u
+by the username of the user running
+.Xr ssh 1 .
+.Pp
+The other keywords' criteria must be single entries or comma-separated
+lists and may use the wildcard and negation operators described in the
+.Sx PATTERNS
+section.
+The criteria for the
+.Cm host
+keyword are matched against the target hostname, after any substitution
+by the
+.Cm Hostname
+option.
+The
+.Cm originalhost
+keyword matches against the hostname as it was specified on the command-line.
+The
+.Cm user
+keyword matches against the target username on the remote host.
+The
+.Cm localuser
+keyword matches against the name of the local user running
+.Xr ssh 1
+(this keyword may be useful in system-wide
+.Nm
+files).
 .It Cm AddressFamily
 Specifies which address family to use when connecting.
 Valid arguments are
@@ -172,6 +241,75 @@ Note that this option does not work if
 .Cm UsePrivilegedPort
 is set to
 .Dq yes .
+.It Cm CanonicalDomains
+When
+.Cm CanonicalizeHostname
+is enabled, this option specifies the list of domain suffixes in which to
+search for the specified destination host.
+.It Cm CanonicalizeFallbackLocal
+Specifies whether to fail with an error when hostname canonicalization fails.
+The default,
+.Dq yes ,
+will attempt to look up the unqualified hostname using the system resolver's
+search rules.
+A value of
+.Dq no
+will cause
+.Xr ssh 1
+to fail instantly if
+.Cm CanonicalizeHostname
+is enabled and the target hostname cannot be found in any of the domains
+specified by
+.Cm CanonicalDomains .
+.It Cm CanonicalizeHostname
+Controls whether explicit hostname canonicalization is performed.
+The default,
+.Dq no ,
+is not to perform any name rewriting and let the system resolver handle all
+hostname lookups.
+If set to
+.Dq yes
+then, for connections that do not use a
+.Cm ProxyCommand ,
+.Xr ssh 1
+will attempt to canonicalize the hostname specified on the command line
+using the
+.Cm CanonicalDomains
+suffixes and
+.Cm CanonicalizePermittedCNAMEs
+rules.
+If
+.Cm CanonicalizeHostname
+is set to
+.Dq always ,
+then canonicalization is applied to proxied connections too.
+.It Cm CanonicalizeMaxDots
+Specifies the maximum number of dot characters in a hostname before
+canonicalization is disabled.
+The default,
+.Dq 1 ,
+allows a single dot (i.e. hostname.subdomain).
+.It Cm CanonicalizePermittedCNAMEs
+Specifies rules to determine whether CNAMEs should be followed when
+canonicalizing hostnames.
+The rules consist of one or more arguments of
+.Ar source_domain_list : Ns Ar target_domain_list ,
+where
+.Ar source_domain_list
+is a pattern-list of domains that may follow CNAMEs in canonicalization,
+and
+.Ar target_domain_list
+is a pattern-list of domains that they may resolve to.
+.Pp
+For example,
+.Dq *.a.example.com:*.b.example.com,*.c.example.com
+will allow hostnames matching
+.Dq *.a.example.com
+to be canonicalized to names in the
+.Dq *.b.example.com
+or
+.Dq *.c.example.com
+domains.
 .It Cm ChallengeResponseAuthentication
 Specifies whether to use challenge-response authentication.
 The argument to this keyword must be
@@ -216,7 +354,8 @@ The default is
 Specifies the ciphers allowed for protocol version 2
 in order of preference.
 Multiple ciphers must be comma-separated.
-The supported ciphers are
+The supported ciphers are:
+.Pp
 .Dq 3des-cbc ,
 .Dq aes128-cbc ,
 .Dq aes192-cbc ,
@@ -230,15 +369,23 @@ The supported ciphers are
 .Dq arcfour256 ,
 .Dq arcfour ,
 .Dq blowfish-cbc ,
+.Dq cast128-cbc ,
 and
-.Dq cast128-cbc .
+.Dq chacha20-poly1305@openssh.com .
+.Pp
 The default is:
 .Bd -literal -offset 3n
 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
+chacha20-poly1305@openssh.com,
 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
 aes256-cbc,arcfour
 .Ed
+.Pp
+The list of available ciphers may also be obtained using the
+.Fl Q
+option of
+.Xr ssh 1 .
 .It Cm ClearAllForwardings
 Specifies that all local, remote, and dynamic port forwardings
 specified in the configuration files or on the command line be
@@ -347,7 +494,7 @@ will be substituted by the target host name,
 will be substituted by the original target host name
 specified on the command line,
 .Ql %p
-the port,
+the destination port,
 .Ql %r
 by the remote login username, and
 .Ql %u
@@ -627,10 +774,11 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
 ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-rsa,ssh-dss
+ssh-ed25519,ssh-rsa,ssh-dss
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
@@ -672,13 +820,14 @@ offers many different identities.
 The default is
 .Dq no .
 .It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA or RSA authentication
+Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication
 identity is read.
 The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/id_rsa
 for protocol version 2.
@@ -791,6 +940,7 @@ Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
 The default is:
 .Bd -literal -offset indent
+curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group-exchange-sha1,
@@ -993,6 +1143,14 @@ For example, the following directive would connect via an HTTP proxy at
 .Bd -literal -offset 3n
 ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
 .Ed
+.It Cm ProxyUseFdpass
+Specifies that
+.Cm ProxyCommand
+will pass a connected file descriptor back to
+.Xr ssh 1
+instead of continuing to execute and pass data.
+The default is
+.Dq no .
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be
@@ -1370,7 +1528,7 @@ Patterns within pattern-lists may be negated
 by preceding them with an exclamation mark
 .Pq Sq !\& .
 For example,
-to allow a key to be used from anywhere within an organisation
+to allow a key to be used from anywhere within an organization
 except from the
 .Dq dialup
 pool,

diff --git a/ssh_config.5 b/ssh_config.5 index 01e7b6f23..cc91a5c56 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $
37	.Dd $Mdocdate: June 27 2013 $	37	.Dd $Mdocdate: January 19 2014 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -116,6 +116,8 @@ keywords are case-insensitive and arguments are case-sensitive):
116	.It Cm Host	116	.It Cm Host
117	Restricts the following declarations (up to the next	117	Restricts the following declarations (up to the next
118	.Cm Host	118	.Cm Host
		119	or
		120	.Cm Match
119	keyword) to be only for those hosts that match one of the patterns	121	keyword) to be only for those hosts that match one of the patterns
120	given after the keyword.	122	given after the keyword.
121	If more than one pattern is provided, they should be separated by whitespace.	123	If more than one pattern is provided, they should be separated by whitespace.
@@ -140,6 +142,73 @@ matches.
140	See	142	See
141	.Sx PATTERNS	143	.Sx PATTERNS
142	for more information on patterns.	144	for more information on patterns.
		145	.It Cm Match
		146	Restricts the following declarations (up to the next
		147	.Cm Host
		148	or
		149	.Cm Match
		150	keyword) to be used only when the conditions following the
		151	.Cm Match
		152	keyword are satisfied.
		153	Match conditions are specified using one or more keyword/criteria pairs
		154	or the single token
		155	.Cm all
		156	which matches all criteria.
		157	The available keywords are:
		158	.Cm exec ,
		159	.Cm host ,
		160	.Cm originalhost ,
		161	.Cm user ,
		162	and
		163	.Cm localuser .
		164	.Pp
		165	The
		166	.Cm exec
		167	keyword executes the specified command under the user's shell.
		168	If the command returns a zero exit status then the condition is considered true.
		169	Commands containing whitespace characters must be quoted.
		170	The following character sequences in the command will be expanded prior to
		171	execution:
		172	.Ql %L
		173	will be substituted by the first component of the local host name,
		174	.Ql %l
		175	will be substituted by the local host name (including any domain name),
		176	.Ql %h
		177	will be substituted by the target host name,
		178	.Ql %n
		179	will be substituted by the original target host name
		180	specified on the command-line,
		181	.Ql %p
		182	the destination port,
		183	.Ql %r
		184	by the remote login username, and
		185	.Ql %u
		186	by the username of the user running
		187	.Xr ssh 1 .
		188	.Pp
		189	The other keywords' criteria must be single entries or comma-separated
		190	lists and may use the wildcard and negation operators described in the
		191	.Sx PATTERNS
		192	section.
		193	The criteria for the
		194	.Cm host
		195	keyword are matched against the target hostname, after any substitution
		196	by the
		197	.Cm Hostname
		198	option.
		199	The
		200	.Cm originalhost
		201	keyword matches against the hostname as it was specified on the command-line.
		202	The
		203	.Cm user
		204	keyword matches against the target username on the remote host.
		205	The
		206	.Cm localuser
		207	keyword matches against the name of the local user running
		208	.Xr ssh 1
		209	(this keyword may be useful in system-wide
		210	.Nm
		211	files).
143	.It Cm AddressFamily	212	.It Cm AddressFamily
144	Specifies which address family to use when connecting.	213	Specifies which address family to use when connecting.
145	Valid arguments are	214	Valid arguments are
@@ -172,6 +241,75 @@ Note that this option does not work if
172	.Cm UsePrivilegedPort	241	.Cm UsePrivilegedPort
173	is set to	242	is set to
174	.Dq yes .	243	.Dq yes .
		244	.It Cm CanonicalDomains
		245	When
		246	.Cm CanonicalizeHostname
		247	is enabled, this option specifies the list of domain suffixes in which to
		248	search for the specified destination host.
		249	.It Cm CanonicalizeFallbackLocal
		250	Specifies whether to fail with an error when hostname canonicalization fails.
		251	The default,
		252	.Dq yes ,
		253	will attempt to look up the unqualified hostname using the system resolver's
		254	search rules.
		255	A value of
		256	.Dq no
		257	will cause
		258	.Xr ssh 1
		259	to fail instantly if
		260	.Cm CanonicalizeHostname
		261	is enabled and the target hostname cannot be found in any of the domains
		262	specified by
		263	.Cm CanonicalDomains .
		264	.It Cm CanonicalizeHostname
		265	Controls whether explicit hostname canonicalization is performed.
		266	The default,
		267	.Dq no ,
		268	is not to perform any name rewriting and let the system resolver handle all
		269	hostname lookups.
		270	If set to
		271	.Dq yes
		272	then, for connections that do not use a
		273	.Cm ProxyCommand ,
		274	.Xr ssh 1
		275	will attempt to canonicalize the hostname specified on the command line
		276	using the
		277	.Cm CanonicalDomains
		278	suffixes and
		279	.Cm CanonicalizePermittedCNAMEs
		280	rules.
		281	If
		282	.Cm CanonicalizeHostname
		283	is set to
		284	.Dq always ,
		285	then canonicalization is applied to proxied connections too.
		286	.It Cm CanonicalizeMaxDots
		287	Specifies the maximum number of dot characters in a hostname before
		288	canonicalization is disabled.
		289	The default,
		290	.Dq 1 ,
		291	allows a single dot (i.e. hostname.subdomain).
		292	.It Cm CanonicalizePermittedCNAMEs
		293	Specifies rules to determine whether CNAMEs should be followed when
		294	canonicalizing hostnames.
		295	The rules consist of one or more arguments of
		296	.Ar source_domain_list : Ns Ar target_domain_list ,
		297	where
		298	.Ar source_domain_list
		299	is a pattern-list of domains that may follow CNAMEs in canonicalization,
		300	and
		301	.Ar target_domain_list
		302	is a pattern-list of domains that they may resolve to.
		303	.Pp
		304	For example,
		305	.Dq .a.example.com:.b.example.com,*.c.example.com
		306	will allow hostnames matching
		307	.Dq *.a.example.com
		308	to be canonicalized to names in the
		309	.Dq *.b.example.com
		310	or
		311	.Dq *.c.example.com
		312	domains.
175	.It Cm ChallengeResponseAuthentication	313	.It Cm ChallengeResponseAuthentication
176	Specifies whether to use challenge-response authentication.	314	Specifies whether to use challenge-response authentication.
177	The argument to this keyword must be	315	The argument to this keyword must be
@@ -216,7 +354,8 @@ The default is
216	Specifies the ciphers allowed for protocol version 2	354	Specifies the ciphers allowed for protocol version 2
217	in order of preference.	355	in order of preference.
218	Multiple ciphers must be comma-separated.	356	Multiple ciphers must be comma-separated.
219	The supported ciphers are	357	The supported ciphers are:
		358	.Pp
220	.Dq 3des-cbc ,	359	.Dq 3des-cbc ,
221	.Dq aes128-cbc ,	360	.Dq aes128-cbc ,
222	.Dq aes192-cbc ,	361	.Dq aes192-cbc ,
@@ -230,15 +369,23 @@ The supported ciphers are
230	.Dq arcfour256 ,	369	.Dq arcfour256 ,
231	.Dq arcfour ,	370	.Dq arcfour ,
232	.Dq blowfish-cbc ,	371	.Dq blowfish-cbc ,
		372	.Dq cast128-cbc ,
233	and	373	and
234	.Dq cast128-cbc .	374	.Dq chacha20-poly1305@openssh.com .
		375	.Pp
235	The default is:	376	The default is:
236	.Bd -literal -offset 3n	377	.Bd -literal -offset 3n
237	aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,	378	aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
238	aes128-gcm@openssh.com,aes256-gcm@openssh.com,	379	aes128-gcm@openssh.com,aes256-gcm@openssh.com,
		380	chacha20-poly1305@openssh.com,
239	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,	381	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
240	aes256-cbc,arcfour	382	aes256-cbc,arcfour
241	.Ed	383	.Ed
		384	.Pp
		385	The list of available ciphers may also be obtained using the
		386	.Fl Q
		387	option of
		388	.Xr ssh 1 .
242	.It Cm ClearAllForwardings	389	.It Cm ClearAllForwardings
243	Specifies that all local, remote, and dynamic port forwardings	390	Specifies that all local, remote, and dynamic port forwardings
244	specified in the configuration files or on the command line be	391	specified in the configuration files or on the command line be
@@ -347,7 +494,7 @@ will be substituted by the target host name,
347	will be substituted by the original target host name	494	will be substituted by the original target host name
348	specified on the command line,	495	specified on the command line,
349	.Ql %p	496	.Ql %p
350	the port,	497	the destination port,
351	.Ql %r	498	.Ql %r
352	by the remote login username, and	499	by the remote login username, and
353	.Ql %u	500	.Ql %u
@@ -627,10 +774,11 @@ The default for this option is:
627	ecdsa-sha2-nistp256-cert-v01@openssh.com,	774	ecdsa-sha2-nistp256-cert-v01@openssh.com,
628	ecdsa-sha2-nistp384-cert-v01@openssh.com,	775	ecdsa-sha2-nistp384-cert-v01@openssh.com,
629	ecdsa-sha2-nistp521-cert-v01@openssh.com,	776	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		777	ssh-ed25519-cert-v01@openssh.com,
630	ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,	778	ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
631	ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,	779	ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
632	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	780	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
633	ssh-rsa,ssh-dss	781	ssh-ed25519,ssh-rsa,ssh-dss
634	.Ed	782	.Ed
635	.Pp	783	.Pp
636	If hostkeys are known for the destination host then this default is modified	784	If hostkeys are known for the destination host then this default is modified
@@ -672,13 +820,14 @@ offers many different identities.
672	The default is	820	The default is
673	.Dq no .	821	.Dq no .
674	.It Cm IdentityFile	822	.It Cm IdentityFile
675	Specifies a file from which the user's DSA, ECDSA or RSA authentication	823	Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication
676	identity is read.	824	identity is read.
677	The default is	825	The default is
678	.Pa ~/.ssh/identity	826	.Pa ~/.ssh/identity
679	for protocol version 1, and	827	for protocol version 1, and
680	.Pa ~/.ssh/id_dsa ,	828	.Pa ~/.ssh/id_dsa ,
681	.Pa ~/.ssh/id_ecdsa	829	.Pa ~/.ssh/id_ecdsa ,
		830	.Pa ~/.ssh/id_ed25519
682	and	831	and
683	.Pa ~/.ssh/id_rsa	832	.Pa ~/.ssh/id_rsa
684	for protocol version 2.	833	for protocol version 2.
@@ -791,6 +940,7 @@ Specifies the available KEX (Key Exchange) algorithms.
791	Multiple algorithms must be comma-separated.	940	Multiple algorithms must be comma-separated.
792	The default is:	941	The default is:
793	.Bd -literal -offset indent	942	.Bd -literal -offset indent
		943	curve25519-sha256@libssh.org,
794	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,	944	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
795	diffie-hellman-group-exchange-sha256,	945	diffie-hellman-group-exchange-sha256,
796	diffie-hellman-group-exchange-sha1,	946	diffie-hellman-group-exchange-sha1,
@@ -993,6 +1143,14 @@ For example, the following directive would connect via an HTTP proxy at
993	.Bd -literal -offset 3n	1143	.Bd -literal -offset 3n
994	ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p	1144	ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
995	.Ed	1145	.Ed
		1146	.It Cm ProxyUseFdpass
		1147	Specifies that
		1148	.Cm ProxyCommand
		1149	will pass a connected file descriptor back to
		1150	.Xr ssh 1
		1151	instead of continuing to execute and pass data.
		1152	The default is
		1153	.Dq no .
996	.It Cm PubkeyAuthentication	1154	.It Cm PubkeyAuthentication
997	Specifies whether to try public key authentication.	1155	Specifies whether to try public key authentication.
998	The argument to this keyword must be	1156	The argument to this keyword must be
@@ -1370,7 +1528,7 @@ Patterns within pattern-lists may be negated
1370	by preceding them with an exclamation mark	1528	by preceding them with an exclamation mark
1371	.Pq Sq !\& .	1529	.Pq Sq !\& .
1372	For example,	1530	For example,
1373	to allow a key to be used from anywhere within an organisation	1531	to allow a key to be used from anywhere within an organization
1374	except from the	1532	except from the
1375	.Dq dialup	1533	.Dq dialup
1376	pool,	1534	pool,