1 files changed, 61 insertions, 4 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index c1ad53dcf..4c46c62cb 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -127,8 +127,14 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
+In addition, the 
+.Cm ServerAliveInterval 
+and
+.Cm SetupTimeOut
+options will both be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -447,7 +453,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
@@ -477,11 +484,28 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPITrustDns
+Set to 
+.Dq yes 
+to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If 
+.Dq no , 
+the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
@@ -873,7 +897,10 @@ If, for example,
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
-This option applies to protocol version 2 only.
+This option applies to protocol version 2 only; in protocol version
+1 there is no mechanism to request a response from the server to the
+server alive messages, so disconnection is the responsibility of the TCP
+stack.
 .It Cm ServerAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the server,
@@ -881,8 +908,30 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set.
 This option applies to protocol version 2 only.
+.Cm ProtocolKeepAlives
+is a Debian-specific compatibility alias for this option.
+.It Cm SetupTimeOut
+Normally,
+.Nm ssh
+blocks indefinitely whilst waiting to receive the ssh banner and other
+setup protocol from the server, during the session setup.
+This can cause
+.Nm ssh
+to hang under certain circumstances.
+If this option is set,
+.Nm ssh
+will give up if no data from the server is received for the specified
+number of seconds.
+The argument must be an integer.
+The default is 0 (disabled), or 300 if
+.Cm BatchMode
+is set.
+This is a Debian-specific option.
 .It Cm SmartcardDevice
 Specifies which smartcard device to use.
 The argument to this keyword is the device
@@ -928,6 +977,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.
@@ -1083,6 +1138,8 @@ The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
+It may be group-writable provided that the group in question contains only
+the user.
 .It Pa /etc/ssh/ssh_config
 Systemwide configuration file.
 This file provides defaults for those

diff --git a/ssh_config.5 b/ssh_config.5 index c1ad53dcf..4c46c62cb 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -127,8 +127,14 @@ Valid arguments are
127	If set to	127	If set to
128	.Dq yes ,	128	.Dq yes ,
129	passphrase/password querying will be disabled.	129	passphrase/password querying will be disabled.
		130	In addition, the
		131	.Cm ServerAliveInterval
		132	and
		133	.Cm SetupTimeOut
		134	options will both be set to 300 seconds by default.
130	This option is useful in scripts and other batch jobs where no user	135	This option is useful in scripts and other batch jobs where no user
131	is present to supply the password.	136	is present to supply the password,
		137	and where it is desirable to detect a broken network swiftly.
132	The argument must be	138	The argument must be
133	.Dq yes	139	.Dq yes
134	or	140	or
@@ -447,7 +453,8 @@ token used for the session will be set to expire after 20 minutes.
447	Remote clients will be refused access after this time.	453	Remote clients will be refused access after this time.
448	.Pp	454	.Pp
449	The default is	455	The default is
450	.Dq no .	456	.Dq yes
		457	(Debian-specific).
451	.Pp	458	.Pp
452	See the X11 SECURITY extension specification for full details on	459	See the X11 SECURITY extension specification for full details on
453	the restrictions imposed on untrusted clients.	460	the restrictions imposed on untrusted clients.
@@ -477,11 +484,28 @@ Specifies whether user authentication based on GSSAPI is allowed.
477	The default is	484	The default is
478	.Dq no .	485	.Dq no .
479	Note that this option applies to protocol version 2 only.	486	Note that this option applies to protocol version 2 only.
		487	.It Cm GSSAPIKeyExchange
		488	Specifies whether key exchange based on GSSAPI may be used. When using
		489	GSSAPI key exchange the server need not have a host key.
		490	The default is
		491	.Dq no .
		492	Note that this option applies to protocol version 2 only.
480	.It Cm GSSAPIDelegateCredentials	493	.It Cm GSSAPIDelegateCredentials
481	Forward (delegate) credentials to the server.	494	Forward (delegate) credentials to the server.
482	The default is	495	The default is
483	.Dq no .	496	.Dq no .
484	Note that this option applies to protocol version 2 only.	497	Note that this option applies to protocol version 2 only.
		498	.It Cm GSSAPITrustDns
		499	Set to
		500	.Dq yes
		501	to indicate that the DNS is trusted to securely canonicalize
		502	the name of the host being connected to. If
		503	.Dq no ,
		504	the hostname entered on the
		505	command line will be passed untouched to the GSSAPI library.
		506	The default is
		507	.Dq no .
		508	This option only applies to protocol version 2 connections using GSSAPI.
485	.It Cm HashKnownHosts	509	.It Cm HashKnownHosts
486	Indicates that	510	Indicates that
487	.Xr ssh 1	511	.Xr ssh 1
@@ -873,7 +897,10 @@ If, for example,
873	.Cm ServerAliveCountMax	897	.Cm ServerAliveCountMax
874	is left at the default, if the server becomes unresponsive,	898	is left at the default, if the server becomes unresponsive,
875	ssh will disconnect after approximately 45 seconds.	899	ssh will disconnect after approximately 45 seconds.
876	This option applies to protocol version 2 only.	900	This option applies to protocol version 2 only; in protocol version
		901	1 there is no mechanism to request a response from the server to the
		902	server alive messages, so disconnection is the responsibility of the TCP
		903	stack.
877	.It Cm ServerAliveInterval	904	.It Cm ServerAliveInterval
878	Sets a timeout interval in seconds after which if no data has been received	905	Sets a timeout interval in seconds after which if no data has been received
879	from the server,	906	from the server,
@@ -881,8 +908,30 @@ from the server,
881	will send a message through the encrypted	908	will send a message through the encrypted
882	channel to request a response from the server.	909	channel to request a response from the server.
883	The default	910	The default
884	is 0, indicating that these messages will not be sent to the server.	911	is 0, indicating that these messages will not be sent to the server,
		912	or 300 if the
		913	.Cm BatchMode
		914	option is set.
885	This option applies to protocol version 2 only.	915	This option applies to protocol version 2 only.
		916	.Cm ProtocolKeepAlives
		917	is a Debian-specific compatibility alias for this option.
		918	.It Cm SetupTimeOut
		919	Normally,
		920	.Nm ssh
		921	blocks indefinitely whilst waiting to receive the ssh banner and other
		922	setup protocol from the server, during the session setup.
		923	This can cause
		924	.Nm ssh
		925	to hang under certain circumstances.
		926	If this option is set,
		927	.Nm ssh
		928	will give up if no data from the server is received for the specified
		929	number of seconds.
		930	The argument must be an integer.
		931	The default is 0 (disabled), or 300 if
		932	.Cm BatchMode
		933	is set.
		934	This is a Debian-specific option.
886	.It Cm SmartcardDevice	935	.It Cm SmartcardDevice
887	Specifies which smartcard device to use.	936	Specifies which smartcard device to use.
888	The argument to this keyword is the device	937	The argument to this keyword is the device
@@ -928,6 +977,12 @@ Specifies whether the system should send TCP keepalive messages to the
928	other side.	977	other side.
929	If they are sent, death of the connection or crash of one	978	If they are sent, death of the connection or crash of one
930	of the machines will be properly noticed.	979	of the machines will be properly noticed.
		980	This option only uses TCP keepalives (as opposed to using ssh level
		981	keepalives), so takes a long time to notice when the connection dies.
		982	As such, you probably want
		983	the
		984	.Cm ServerAliveInterval
		985	option as well.
931	However, this means that	986	However, this means that
932	connections will die if the route is down temporarily, and some people	987	connections will die if the route is down temporarily, and some people
933	find it annoying.	988	find it annoying.
@@ -1083,6 +1138,8 @@ The format of this file is described above.
1083	This file is used by the SSH client.	1138	This file is used by the SSH client.
1084	Because of the potential for abuse, this file must have strict permissions:	1139	Because of the potential for abuse, this file must have strict permissions:
1085	read/write for the user, and not accessible by others.	1140	read/write for the user, and not accessible by others.
		1141	It may be group-writable provided that the group in question contains only
		1142	the user.
1086	.It Pa /etc/ssh/ssh_config	1143	.It Pa /etc/ssh/ssh_config
1087	Systemwide configuration file.	1144	Systemwide configuration file.
1088	This file provides defaults for those	1145	This file provides defaults for those