=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh.1,v retrieving revision 1.196.2.2 retrieving revision 1.197 diff -u -r1.196.2.2 -r1.197 --- src/usr.bin/ssh/ssh.1 2005/09/02 03:45:01 1.196.2.2 +++ src/usr.bin/ssh/ssh.1 2004/10/07 10:10:24 1.197 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.196.2.2 2005/09/02 03:45:01 brad Exp $ +.\" $OpenBSD: ssh.1,v 1.197 2004/10/07 10:10:24 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -43,35 +43,40 @@ .Nd OpenSSH SSH client (remote login program) .Sh SYNOPSIS .Nm ssh -.Bk -words .Op Fl 1246AaCfgkMNnqsTtVvXxY .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec +.Bk -words .Op Fl D Ar port .Op Fl e Ar escape_char .Op Fl F Ar configfile .Op Fl i Ar identity_file -.Oo Fl L\ \& +.Oo Fl L Xo .Sm off -.Oo Ar bind_address : Oc -.Ar port : host : hostport +.Ar port : +.Ar host : +.Ar hostport .Sm on +.Xc .Oc +.Ek .Op Fl l Ar login_name .Op Fl m Ar mac_spec -.Op Fl O Ar ctl_cmd .Op Fl o Ar option +.Bk -words .Op Fl p Ar port -.Oo Fl R\ \& +.Ek +.Oo Fl R Xo .Sm off -.Oo Ar bind_address : Oc -.Ar port : host : hostport +.Ar port : +.Ar host : +.Ar hostport .Sm on +.Xc .Oc -.Op Fl S Ar ctl_path +.Op Fl S Ar ctl .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command -.Ek .Sh DESCRIPTION .Nm (SSH client) is a program for logging into a remote machine and for @@ -109,9 +114,9 @@ .Pa /etc/shosts.equiv on the remote machine, and the user names are the same on both sides, or if the files -.Pa ~/.rhosts +.Pa $HOME/.rhosts or -.Pa ~/.shosts +.Pa $HOME/.shosts exist in the user's home directory on the remote machine and contain a line containing the name of the client machine and the name of the user on that machine, the user is 
@@ -120,7 +125,7 @@ host key (see .Pa /etc/ssh/ssh_known_hosts and -.Pa ~/.ssh/known_hosts +.Pa $HOME/.ssh/known_hosts in the .Sx FILES section), only then is login permitted. @@ -128,7 +133,7 @@ spoofing, DNS spoofing and routing spoofing. [Note to the administrator: .Pa /etc/hosts.equiv , -.Pa ~/.rhosts , +.Pa $HOME/.rhosts , and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.] .Pp @@ -144,7 +149,7 @@ The server knows the public key, and only the user knows the private key. .Pp The file -.Pa ~/.ssh/authorized_keys +.Pa $HOME/.ssh/authorized_keys lists the public keys that are permitted for logging in. When the user logs in, the .Nm @@ -165,18 +170,18 @@ The user creates his/her RSA key pair by running .Xr ssh-keygen 1 . This stores the private key in -.Pa ~/.ssh/identity +.Pa $HOME/.ssh/identity and stores the public key in -.Pa ~/.ssh/identity.pub +.Pa $HOME/.ssh/identity.pub in the user's home directory. The user should then copy the .Pa identity.pub to -.Pa ~/.ssh/authorized_keys +.Pa $HOME/.ssh/authorized_keys in his/her home directory on the remote machine (the .Pa authorized_keys file corresponds to the conventional -.Pa ~/.rhosts +.Pa $HOME/.rhosts file, and has one key per line, though the lines can be very long). After this, the user can log in without giving the password. 
@@ -206,12 +211,12 @@ The public key method is similar to RSA authentication described in the previous section and allows the RSA or DSA algorithm to be used: The client uses his private key, -.Pa ~/.ssh/id_dsa +.Pa $HOME/.ssh/id_dsa or -.Pa ~/.ssh/id_rsa , +.Pa $HOME/.ssh/id_rsa , to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in -.Pa ~/.ssh/authorized_keys +.Pa $HOME/.ssh/authorized_keys and grants access if both the key is found and the signature is correct. The session identifier is derived from a shared Diffie-Hellman value and is only known to the client and the server. @@ -365,7 +370,7 @@ automatically maintains and checks a database containing identifications for all hosts it has ever been used with. Host keys are stored in -.Pa ~/.ssh/known_hosts +.Pa $HOME/.ssh/known_hosts in the user's home directory. Additionally, the file .Pa /etc/ssh/ssh_known_hosts @@ -423,11 +428,8 @@ .It Fl a Disables forwarding of the authentication agent connection. .It Fl b Ar bind_address -Use -.Ar bind_address -on the local machine as the source address -of the connection. -Only useful on systems with more than one address. +Specify the interface to transmit from on machines with multiple +interfaces or aliased addresses. .It Fl C Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP/IP connections). @@ -482,17 +484,14 @@ .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , -.Dq arcfour128 , -.Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , and .Dq cast128-cbc . The default is .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, - arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, - aes192-ctr,aes256-ctr'' + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, + aes192-cbc,aes256-cbc'' .Ed .It Fl D Ar port Specifies a local 
@@ -528,7 +527,7 @@ .Pq Pa /etc/ssh/ssh_config will be ignored. The default for the per-user configuration file is -.Pa ~/.ssh/config . +.Pa $HOME/.ssh/config . .It Fl f Requests .Nm @@ -554,11 +553,11 @@ Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is -.Pa ~/.ssh/identity +.Pa $HOME/.ssh/identity for protocol version 1, and -.Pa ~/.ssh/id_rsa +.Pa $HOME/.ssh/id_rsa and -.Pa ~/.ssh/id_dsa +.Pa $HOME/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. @@ -570,7 +569,6 @@ Disables forwarding (delegation) of GSSAPI credentials to the server. .It Fl L Xo .Sm off -.Oo Ar bind_address : Oc .Ar port : host : hostport .Sm on .Xc @@ -578,9 +576,7 @@ forwarded to the given host and port on the remote side. This works by allocating a socket to listen to .Ar port -on the local side, optionally bound to the specified -.Ar bind_address . -Whenever a connection is made to this port, the +on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to .Ar host 
@@ -588,30 +584,14 @@ .Ar hostport from the remote machine. Port forwardings can also be specified in the configuration file. +Only root can forward privileged ports. IPv6 addresses can be specified with an alternative syntax: .Sm off .Xo -.Op Ar bind_address No / .Ar port No / Ar host No / -.Ar hostport +.Ar hostport . .Xc .Sm on -or by enclosing the address in square brackets. -Only the superuser can forward privileged ports. -By default, the local port is bound in accordance with the -.Cm GatewayPorts -setting. -However, an explicit -.Ar bind_address -may be used to bind the connection to a specific address. -The -.Ar bind_address -of -.Dq localhost -indicates that the listening port be bound for local use only, while an -empty address or -.Sq * -indicates that the port should be available from all interfaces. .It Fl l Ar login_name Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. @@ -657,18 +637,6 @@ needs to ask for a password or passphrase; see also the .Fl f option.) -.It Fl O Ar ctl_cmd -Control an active connection multiplexing master process. -When the -.Fl O -option is specified, the -.Ar ctl_cmd -argument is interpreted and passed to the master process. -Valid commands are: -.Dq check -(check that the master process is running) and -.Dq exit -(request the master to exit). .It Fl o Ar option Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate @@ -700,7 +668,6 @@ .It GlobalKnownHostsFile .It GSSAPIAuthentication .It GSSAPIDelegateCredentials -.It HashKnownHosts .It Host .It HostbasedAuthentication .It HostKeyAlgorithms @@ -744,7 +711,6 @@ Causes all warning and diagnostic messages to be suppressed. .It Fl R Xo .Sm off -.Oo Ar bind_address : Oc .Ar port : host : hostport .Sm on .Xc 
@@ -759,36 +725,17 @@ port .Ar hostport from the local machine. -.Pp Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. -IPv6 addresses can be specified by enclosing the address in square braces or -using an alternative syntax: +IPv6 addresses can be specified with an alternative syntax: .Sm off .Xo -.Op Ar bind_address No / -.Ar host No / Ar port No / -.Ar hostport -.Xc . +.Ar port No / Ar host No / +.Ar hostport . +.Xc .Sm on -.Pp -By default, the listening socket on the server will be bound to the loopback -interface only. -This may be overriden by specifying a -.Ar bind_address . -An empty -.Ar bind_address , -or the address -.Ql * , -indicates that the remote socket should listen on all interfaces. -Specifying a remote -.Ar bind_address -will only succeed if the server's -.Cm GatewayPorts -option is enabled (see -.Xr sshd_config 5 ) . -.It Fl S Ar ctl_path +.It Fl S Ar ctl Specifies the location of a control socket for connection sharing. Refer to the description of .Cm ControlPath @@ -837,23 +784,10 @@ (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring. -.Pp -For this reason, X11 forwarding is subjected to X11 SECURITY extension -restrictions by default. -Please refer to the -.Nm -.Fl Y -option and the -.Cm ForwardX11Trusted -directive in -.Xr ssh_config 5 -for more information. .It Fl x Disables X11 forwarding. .It Fl Y Enables trusted X11 forwarding. -Trusted X11 forwardings are not subjected to the X11 SECURITY extension -controls. .El .Sh CONFIGURATION FILES .Nm @@ -947,7 +881,7 @@ Additionally, .Nm reads -.Pa ~/.ssh/environment , +.Pa $HOME/.ssh/environment , and adds lines of the format .Dq VARNAME=value to the environment if the file exists and if users are allowed to 
@@ -958,13 +892,13 @@ .Xr sshd_config 5 . .Sh FILES .Bl -tag -width Ds -.It Pa ~/.ssh/known_hosts +.It Pa $HOME/.ssh/known_hosts Records host keys for all hosts the user has logged into that are not in .Pa /etc/ssh/ssh_known_hosts . See .Xr sshd 8 . -.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa +.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa Contains the authentication identity of the user. They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. These files @@ -976,21 +910,21 @@ It is possible to specify a passphrase when generating the key; the passphrase will be used to encrypt the sensitive part of this file using 3DES. -.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub +.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub Contains the public key for authentication (public part of the identity file in human-readable form). The contents of the -.Pa ~/.ssh/identity.pub +.Pa $HOME/.ssh/identity.pub file should be added to the file -.Pa ~/.ssh/authorized_keys +.Pa $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 1 RSA authentication. The contents of the -.Pa ~/.ssh/id_dsa.pub +.Pa $HOME/.ssh/id_dsa.pub and -.Pa ~/.ssh/id_rsa.pub +.Pa $HOME/.ssh/id_rsa.pub file should be added to -.Pa ~/.ssh/authorized_keys +.Pa $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 2 DSA/RSA authentication. These files are not 
@@ -998,13 +932,13 @@ These files are never used automatically and are not necessary; they are only provided for the convenience of the user. -.It Pa ~/.ssh/config +.It Pa $HOME/.ssh/config This is the per-user configuration file. The file format and configuration options are described in .Xr ssh_config 5 . Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others. -.It Pa ~/.ssh/authorized_keys +.It Pa $HOME/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the .Xr sshd 8 @@ -1064,7 +998,7 @@ By default .Nm is not setuid root. -.It Pa ~/.rhosts +.It Pa $HOME/.rhosts This file is used in .Cm RhostsRSAAuthentication and @@ -1094,12 +1028,12 @@ If the server machine does not have the client's host key in .Pa /etc/ssh/ssh_known_hosts , it can be stored in -.Pa ~/.ssh/known_hosts . +.Pa $HOME/.ssh/known_hosts . The easiest way to do this is to connect back to the client from the server machine using ssh; this will automatically add the host key to -.Pa ~/.ssh/known_hosts . -.It Pa ~/.shosts +.Pa $HOME/.ssh/known_hosts . +.It Pa $HOME/.shosts This file is used exactly the same way as .Pa .rhosts . The purpose for @@ -1139,7 +1073,7 @@ See the .Xr sshd 8 manual page for more information. -.It Pa ~/.ssh/rc +.It Pa $HOME/.ssh/rc Commands in this file are executed by .Nm when the user logs in just before the user's shell (or command) is @@ -1147,7 +1081,7 @@ See the .Xr sshd 8 manual page for more information. -.It Pa ~/.ssh/environment +.It Pa $HOME/.ssh/environment Contains additional definitions for environment variables, see section .Sx ENVIRONMENT above.
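Review bot: the two revisions are compared in reverse chronological order, so the direction of this patch needs confirming before anything else is reviewed: the "---" side is 1.196.2.2 dated 2005/09/02 (brad) and the "+++" side is 1.197 dated 2004/10/07 (djm), which makes every "+" line below the older text and every "-" line the documentation that was added in the year between. Applying it as-is therefore turns the "$OpenBSD: ssh.1,v 1.196.2.2 2005/09/02 03:45:01 brad Exp $" id in the @@ -34,7 hunk back into "$OpenBSD: ssh.1,v 1.197 2004/10/07 10:10:24 djm Exp $". If the goal is to bring the branch file up to the newer text, regenerate the diff with the revisions swapped (-r1.197 -r1.196.2.2) and review the hunks in that direction; the notes that follow assume the patch is applied as shown.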
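Review bot: the SYNOPSIS hunk (@@ -43,35 +43,40 @@) drops the ".Op Fl O Ar ctl_cmd" entry and the optional ".Oo Ar bind_address : Oc" prefix on both -L and -R, and renames the -S argument from "ctl_path" to "ctl". This is in step with the later hunks that remove -O from OPTIONS (@@ -657,18) and the bind_address text from the -L and -R entries (@@ -588,30 and @@ -759,36), and the "-S Ar ctl" spelling matches the ".It Fl S Ar ctl" tag in @@ -759,36, so synopsis and options stay consistent; the cost is that the resulting page documents fewer options than the 1.196.2.2 side. If the client this page ships with still accepts -O and the [bind_address:]port:host:hostport forms, these lines must stay. The relocation of ".Bk -words"/".Ek" into two smaller keep blocks is balanced on both sides and is harmless.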
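Review bot: the ".Pa ~/.ssh/..." to ".Pa $HOME/.ssh/..." rewrite, which is all that the @@ -109,9, -120,7, -128,7, -144,7, -165,18, -206,12, -365,7, -528,7, -554,11, -947,7, -958,13, -976,21, -998,13, -1064,7, -1094,12, -1139,7 and -1147,7 hunks do, is a wording regression and should not be applied on its own. The surrounding text already says "in the user's home directory", for which "~" is the conventional notation; "$HOME" reads as a shell variable that may or may not be set in the context where the client or server resolves the path, which is a distinction this page does not want to raise. The @@ -958,13 and @@ -976,21 hunks also rewrite the ".It Pa" tag lines that head the FILES entries, so the change affects the section's anchors, not just prose.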
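Review bot: the replacement wording for -b in @@ -423,11 +428,8 @@, "Specify the interface to transmit from on machines with multiple interfaces or aliased addresses.", is less accurate than the four lines it removes. The option takes an address ("Ar bind_address"), not an interface name, and what it does is set the local source address of the outgoing connection, which is exactly what "Use bind_address on the local machine as the source address of the connection." says. Keep the removed wording; if anything, the "Only useful on systems with more than one address." sentence could be folded into it.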
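Review bot: the cipher hunk (@@ -482,17 +484,14 @@) leaves the supported-cipher list and the default out of step. It removes "arcfour128" and "arcfour256" from the list and rewrites the default to "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc", which contains none of the CTR modes, yet "aes128-ctr", "aes192-ctr" and "aes256-ctr" remain listed as supported in the unchanged context just above. The default string must reproduce the client's compiled-in cipher list for the revision being documented rather than be edited by hand; if the CTR modes are available in that client they belong in the default, and if they are not, they should be removed from the supported list as well.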
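Review bot: the three -L hunks (@@ -570,7, @@ -578,9 and @@ -588,30 +584,14 @@) remove the optional bind_address from the argument syntax together with the paragraph that tells the user where the local listener ends up: that the port is bound according to "GatewayPorts" by default, that "localhost" restricts it to local use, and that an empty address or "*" makes it reachable from all interfaces. That paragraph is what a user needs in order not to open a forwarded port to the network by accident, so it should only go if the bind_address syntax is genuinely unsupported by the client this page describes. Two smaller points in @@ -588,30: "Only root can forward privileged ports." replaces "Only the superuser can forward privileged ports." and is moved above the IPv6 sentence, and the "or by enclosing the address in square brackets." alternative for IPv6 disappears, leaving only the slash-separated form.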
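Review bot: removing the -O entry (@@ -657,18 +637,6 @@) while keeping -S and its pointer to "ControlPath" (@@ -759,36) leaves connection sharing documented with no way to query or stop the master process; the "check" and "exit" commands in the removed lines were the only documented control interface. Drop this hunk unless the client really lacks -O, in which case the -S entry should say how a master is meant to be shut down.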
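Review bot: the @@ -700,7 +668,6 @@ hunk removes "HashKnownHosts" from the list of options accepted via -o. That list is meant to mirror the keywords in ssh_config(5); if that page still documents "HashKnownHosts" the entry must stay, and since the option by its name concerns the known_hosts file whose role the @@ -365,7 hunk describes, dropping it from the -o list would hide a setting users reach for precisely when handling that file. Check the option list against ssh_config(5) of the same revision before applying this hunk.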
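Review bot: the -R hunks (@@ -744,7 and @@ -759,36 +725,17 @@) remove the bind_address prefix and the paragraph stating that the remote listener is bound to the loopback interface only by default, that an empty bind_address or "*" listens on all interfaces, and that a remote bind_address only takes effect when the server's "GatewayPorts" option is enabled. That paragraph is the statement of what a remote forward exposes on the server and is the counterpart of the -L text removed in @@ -588,30; the two should be kept or dropped together. One thing the "+" side has right that the "-" side does not: the IPv6 alternative syntax for -R reads "port No / Ar host No /" then "hostport" on the "+" side, but "host No / Ar port No /" then "hostport" on the "-" side, i.e. host before port, which contradicts the "port : host : hostport" form in the synopsis and the -L order. Whichever direction is finally applied, the -R order should be port/host/hostport like -L.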
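Review bot: the X11 hunk (@@ -837,23 +784,10 @@) deletes the paragraph explaining that -X forwarding is subjected to X11 SECURITY extension restrictions by default, together with the sentence under -Y that trusted forwardings are not, so the resulting page describes -Y only as "Enables trusted X11 forwarding." with nothing that says what trusted means or how it differs from -X. The keystroke-monitoring warning in the unchanged context above only makes sense alongside that explanation. Keep these lines, including the "ForwardX11Trusted" cross-reference to ssh_config(5), unless the client being documented has no untrusted X11 mode at all.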