1 files changed, 65 insertions, 5 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 95af3976a..585a36878 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -127,8 +127,14 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
+In addition, the 
+.Cm ServerAliveInterval 
+and
+.Cm SetupTimeOut
+options will both be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -447,7 +453,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
@@ -477,11 +484,28 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPITrustDns
+Set to 
+.Dq yes 
+to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If 
+.Dq no , 
+the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
@@ -499,6 +523,9 @@ Note that existing names and addresses in known hosts files
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
+Use of this option may break facilities such as tab-completion that rely
+on being able to read unhashed host names from
+.Pa ~/.ssh/known_hosts .
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.
@@ -630,7 +657,7 @@ indicates that the port should be available from all interfaces.
 Gives the verbosity level that is used when logging messages from
 .Xr ssh 1 .
 The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -876,7 +903,10 @@ If, for example,
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
-This option applies to protocol version 2 only.
+This option applies to protocol version 2 only; in protocol version
+1 there is no mechanism to request a response from the server to the
+server alive messages, so disconnection is the responsibility of the TCP
+stack.
 .It Cm ServerAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the server,
@@ -884,8 +914,30 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set.
 This option applies to protocol version 2 only.
+.Cm ProtocolKeepAlives
+is a Debian-specific compatibility alias for this option.
+.It Cm SetupTimeOut
+Normally,
+.Nm ssh
+blocks indefinitely whilst waiting to receive the ssh banner and other
+setup protocol from the server, during the session setup.
+This can cause
+.Nm ssh
+to hang under certain circumstances.
+If this option is set,
+.Nm ssh
+will give up if no data from the server is received for the specified
+number of seconds.
+The argument must be an integer.
+The default is 0 (disabled), or 300 if
+.Cm BatchMode
+is set.
+This is a Debian-specific option.
 .It Cm SmartcardDevice
 Specifies which smartcard device to use.
 The argument to this keyword is the device
@@ -931,6 +983,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.
@@ -1086,6 +1144,8 @@ The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
+It may be group-writable provided that the group in question contains only
+the user.
 .It Pa /etc/ssh/ssh_config
 Systemwide configuration file.
 This file provides defaults for those

diff --git a/ssh_config.5 b/ssh_config.5 index 95af3976a..585a36878 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -127,8 +127,14 @@ Valid arguments are
127	If set to	127	If set to
128	.Dq yes ,	128	.Dq yes ,
129	passphrase/password querying will be disabled.	129	passphrase/password querying will be disabled.
		130	In addition, the
		131	.Cm ServerAliveInterval
		132	and
		133	.Cm SetupTimeOut
		134	options will both be set to 300 seconds by default.
130	This option is useful in scripts and other batch jobs where no user	135	This option is useful in scripts and other batch jobs where no user
131	is present to supply the password.	136	is present to supply the password,
		137	and where it is desirable to detect a broken network swiftly.
132	The argument must be	138	The argument must be
133	.Dq yes	139	.Dq yes
134	or	140	or
@@ -447,7 +453,8 @@ token used for the session will be set to expire after 20 minutes.
447	Remote clients will be refused access after this time.	453	Remote clients will be refused access after this time.
448	.Pp	454	.Pp
449	The default is	455	The default is
450	.Dq no .	456	.Dq yes
		457	(Debian-specific).
451	.Pp	458	.Pp
452	See the X11 SECURITY extension specification for full details on	459	See the X11 SECURITY extension specification for full details on
453	the restrictions imposed on untrusted clients.	460	the restrictions imposed on untrusted clients.
@@ -477,11 +484,28 @@ Specifies whether user authentication based on GSSAPI is allowed.
477	The default is	484	The default is
478	.Dq no .	485	.Dq no .
479	Note that this option applies to protocol version 2 only.	486	Note that this option applies to protocol version 2 only.
		487	.It Cm GSSAPIKeyExchange
		488	Specifies whether key exchange based on GSSAPI may be used. When using
		489	GSSAPI key exchange the server need not have a host key.
		490	The default is
		491	.Dq no .
		492	Note that this option applies to protocol version 2 only.
480	.It Cm GSSAPIDelegateCredentials	493	.It Cm GSSAPIDelegateCredentials
481	Forward (delegate) credentials to the server.	494	Forward (delegate) credentials to the server.
482	The default is	495	The default is
483	.Dq no .	496	.Dq no .
484	Note that this option applies to protocol version 2 only.	497	Note that this option applies to protocol version 2 only.
		498	.It Cm GSSAPITrustDns
		499	Set to
		500	.Dq yes
		501	to indicate that the DNS is trusted to securely canonicalize
		502	the name of the host being connected to. If
		503	.Dq no ,
		504	the hostname entered on the
		505	command line will be passed untouched to the GSSAPI library.
		506	The default is
		507	.Dq no .
		508	This option only applies to protocol version 2 connections using GSSAPI.
485	.It Cm HashKnownHosts	509	.It Cm HashKnownHosts
486	Indicates that	510	Indicates that
487	.Xr ssh 1	511	.Xr ssh 1
@@ -499,6 +523,9 @@ Note that existing names and addresses in known hosts files
499	will not be converted automatically,	523	will not be converted automatically,
500	but may be manually hashed using	524	but may be manually hashed using
501	.Xr ssh-keygen 1 .	525	.Xr ssh-keygen 1 .
		526	Use of this option may break facilities such as tab-completion that rely
		527	on being able to read unhashed host names from
		528	.Pa ~/.ssh/known_hosts .
502	.It Cm HostbasedAuthentication	529	.It Cm HostbasedAuthentication
503	Specifies whether to try rhosts based authentication with public key	530	Specifies whether to try rhosts based authentication with public key
504	authentication.	531	authentication.
@@ -630,7 +657,7 @@ indicates that the port should be available from all interfaces.
630	Gives the verbosity level that is used when logging messages from	657	Gives the verbosity level that is used when logging messages from
631	.Xr ssh 1 .	658	.Xr ssh 1 .
632	The possible values are:	659	The possible values are:
633	QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.	660	SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
634	The default is INFO.	661	The default is INFO.
635	DEBUG and DEBUG1 are equivalent.	662	DEBUG and DEBUG1 are equivalent.
636	DEBUG2 and DEBUG3 each specify higher levels of verbose output.	663	DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -876,7 +903,10 @@ If, for example,
876	.Cm ServerAliveCountMax	903	.Cm ServerAliveCountMax
877	is left at the default, if the server becomes unresponsive,	904	is left at the default, if the server becomes unresponsive,
878	ssh will disconnect after approximately 45 seconds.	905	ssh will disconnect after approximately 45 seconds.
879	This option applies to protocol version 2 only.	906	This option applies to protocol version 2 only; in protocol version
		907	1 there is no mechanism to request a response from the server to the
		908	server alive messages, so disconnection is the responsibility of the TCP
		909	stack.
880	.It Cm ServerAliveInterval	910	.It Cm ServerAliveInterval
881	Sets a timeout interval in seconds after which if no data has been received	911	Sets a timeout interval in seconds after which if no data has been received
882	from the server,	912	from the server,
@@ -884,8 +914,30 @@ from the server,
884	will send a message through the encrypted	914	will send a message through the encrypted
885	channel to request a response from the server.	915	channel to request a response from the server.
886	The default	916	The default
887	is 0, indicating that these messages will not be sent to the server.	917	is 0, indicating that these messages will not be sent to the server,
		918	or 300 if the
		919	.Cm BatchMode
		920	option is set.
888	This option applies to protocol version 2 only.	921	This option applies to protocol version 2 only.
		922	.Cm ProtocolKeepAlives
		923	is a Debian-specific compatibility alias for this option.
		924	.It Cm SetupTimeOut
		925	Normally,
		926	.Nm ssh
		927	blocks indefinitely whilst waiting to receive the ssh banner and other
		928	setup protocol from the server, during the session setup.
		929	This can cause
		930	.Nm ssh
		931	to hang under certain circumstances.
		932	If this option is set,
		933	.Nm ssh
		934	will give up if no data from the server is received for the specified
		935	number of seconds.
		936	The argument must be an integer.
		937	The default is 0 (disabled), or 300 if
		938	.Cm BatchMode
		939	is set.
		940	This is a Debian-specific option.
889	.It Cm SmartcardDevice	941	.It Cm SmartcardDevice
890	Specifies which smartcard device to use.	942	Specifies which smartcard device to use.
891	The argument to this keyword is the device	943	The argument to this keyword is the device
@@ -931,6 +983,12 @@ Specifies whether the system should send TCP keepalive messages to the
931	other side.	983	other side.
932	If they are sent, death of the connection or crash of one	984	If they are sent, death of the connection or crash of one
933	of the machines will be properly noticed.	985	of the machines will be properly noticed.
		986	This option only uses TCP keepalives (as opposed to using ssh level
		987	keepalives), so takes a long time to notice when the connection dies.
		988	As such, you probably want
		989	the
		990	.Cm ServerAliveInterval
		991	option as well.
934	However, this means that	992	However, this means that
935	connections will die if the route is down temporarily, and some people	993	connections will die if the route is down temporarily, and some people
936	find it annoying.	994	find it annoying.
@@ -1086,6 +1144,8 @@ The format of this file is described above.
1086	This file is used by the SSH client.	1144	This file is used by the SSH client.
1087	Because of the potential for abuse, this file must have strict permissions:	1145	Because of the potential for abuse, this file must have strict permissions:
1088	read/write for the user, and not accessible by others.	1146	read/write for the user, and not accessible by others.
		1147	It may be group-writable provided that the group in question contains only
		1148	the user.
1089	.It Pa /etc/ssh/ssh_config	1149	.It Pa /etc/ssh/ssh_config
1090	Systemwide configuration file.	1150	Systemwide configuration file.
1091	This file provides defaults for those	1151	This file provides defaults for those