===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh.1,v
retrieving revision 1.52.2.3
retrieving revision 1.52.2.4
diff -u -r1.52.2.3 -r1.52.2.4
--- src/usr.bin/ssh/ssh.1	2000/11/08 21:31:23	1.52.2.3
+++ src/usr.bin/ssh/ssh.1	2001/03/12 15:44:16	1.52.2.4
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.52.2.3 2000/11/08 21:31:23 jason Exp $
+.\" $OpenBSD: ssh.1,v 1.52.2.4 2001/03/12 15:44:16 jason Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -48,11 +48,12 @@
 .Op Ar command
 .Pp
 .Nm ssh
-.Op Fl afgknqtvxACNPTX246
+.Op Fl afgknqstvxACNPTX1246
 .Op Fl c Ar cipher_spec
 .Op Fl e Ar escape_char
 .Op Fl i Ar identity_file
 .Op Fl l Ar login_name
+.Op Fl m Ar mac_spec
 .Op Fl o Ar option
 .Op Fl p Ar port
 .Oo Fl L Xo
@@ -209,9 +210,9 @@
 If this method fails password authentication is tried.
 .Pp
 The public key method is similar to RSA authentication described
-in the previous section except that the DSA algorithm is used
-instead of the patented RSA algorithm.
-The client uses his private DSA key
+in the previous section except that the DSA or RSA algorithm is used
+instead.
+The client uses his private key
 .Pa $HOME/.ssh/id_dsa
 to sign the session identifier and sends the result to the server.
 The server checks whether the matching public key is listed in
@@ -272,7 +273,7 @@
 .Dq none
 will also make the session transparent even if a tty is used.
 .Pp
-The session terminates when the command or shell in on the remote
+The session terminates when the command or shell on the remote
 machine exists and all X11 and TCP/IP connections have been closed.
 The exit status of the remote program is returned as the exit status
 of
@@ -331,7 +332,7 @@
 RSA host keys are stored in
 .Pa $HOME/.ssh/known_hosts
 and
-DSA host keys are stored in
+host keys used in the protocol version 2 are stored in
 .Pa $HOME/.ssh/known_hosts2
 in the user's home directory.
 Additionally, the files
@@ -352,7 +353,8 @@
 .Cm StrictHostKeyChecking
 option (see below) can be used to prevent logins to machines whose
 host key is not known or has changed.
-.Sh OPTIONS
+.Pp
+The options are as follows:
 .Bl -tag -width Ds
 .It Fl a
 Disables forwarding of the authentication agent connection.
@@ -373,11 +375,12 @@
 .Ar blowfish
 is a fast block cipher, it appears very secure and is much faster than
 .Ar 3des .
-.It Fl c Ar "3des-cbc,blowfish-cbc,arcfour,cast128-cbc"
+.It Fl c Ar cipher_spec
 Additionally, for protocol version 2 a comma-separated list of ciphers can
 be specified in order of preference.
-Protocol version 2 supports 3DES, Blowfish, and CAST128 in CBC mode
-and Arcfour.
+See
+.Cm Ciphers
+for more information.
 .It Fl e Ar ch|^ch|none
 Sets the escape character for sessions with a pty (default:
 .Ql ~ ) .
@@ -407,7 +410,7 @@
 Allows remote hosts to connect to local forwarded ports.
 .It Fl i Ar identity_file
 Selects the file from which the identity (private key) for
-RSA authentication is read.
+RSA or DSA authentication is read.
 Default is
 .Pa $HOME/.ssh/identity
 in the user's home directory.
@@ -423,6 +426,13 @@
 .It Fl l Ar login_name
 Specifies the user to log in as on the remote machine.
 This also may be specified on a per-host basis in the configuration file.
+.It Fl m Ar mac_spec
+Additionally, for protocol version 2 a comma-separated list of MAC
+(message authentication code) algorithms can
+be specified in order of preference.
+See the
+.Cm MACs
+keyword for more information.
 .It Fl n
 Redirects stdin from
 .Pa /dev/null
@@ -445,7 +455,7 @@
 option.)
 .It Fl N
 Do not execute a remote command.
-This is usefull if you just want to forward ports
+This is useful if you just want to forward ports
 (protocol version 2 only).
 .It Fl o Ar option
 Can be used to give options in the format used in the config file.
@@ -463,18 +473,28 @@
 Note that this option turns off
 .Cm RhostsAuthentication
 and
-.Cm RhostsRSAAuthentication .
+.Cm RhostsRSAAuthentication
+for older servers.
 .It Fl q
 Quiet mode.
 Causes all warning and diagnostic messages to be suppressed.
 Only fatal errors are displayed.
+.It Fl s
+May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use 
+of SSH as a secure transport for other application (eg. sftp). The 
+subsystem is specified as the remote command.
 .It Fl t
 Force pseudo-tty allocation.
 This can be used to execute arbitrary
 screen-based programs on a remote machine, which can be very useful,
 e.g., when implementing menu services.
+Multiple
+.Fl t
+options force tty allocation, even if
+.Nm
+has no local tty.
 .It Fl T
-Disable pseudo-tty allocation (protocol version 2 only).
+Disable pseudo-tty allocation.
 .It Fl v
 Verbose mode.
 Causes
@@ -482,10 +502,9 @@
 to print debugging messages about its progress.
 This is helpful in
 debugging connection, authentication, and configuration problems.
-The verbose mode is also used to display
-.Xr skey 1
-challenges, if the user entered "s/key" as password.
-Multiple -v options increases the verbosity.
+Multiple
+.Fl v
+options increases the verbosity.
 Maximum is 3.
 .It Fl x
 Disables X11 forwarding.
@@ -539,6 +558,10 @@
 Port forwardings can also be specified in the configuration file.
 Privileged ports can be forwarded only when
 logging in as root on the remote machine.
+.It Fl 1
+Forces
+.Nm
+to try protocol version 1 only.
 .It Fl 2
 Forces
 .Nm
@@ -642,7 +665,12 @@
 in order of preference.
 Multiple ciphers must be comma-separated.
 The default is
-.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour .
+.Pp
+.Bd -literal
+  ``3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,
+    aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,
+    rijndael256-cbc,rijndael-cbc@lysator.liu.se''
+.Ed
 .It Cm Compression
 Specifies whether to use compression.
 The argument must be
@@ -660,14 +688,12 @@
 back to rsh or exiting.
 The argument must be an integer.
 This may be useful in scripts if the connection sometimes fails.
-.It Cm DSAAuthentication
-Specifies whether to try DSA authentication.
+.It Cm PubkeyAuthentication
+Specifies whether to try public key authentication.
 The argument to this keyword must be
 .Dq yes
 or
 .Dq no .
-DSA authentication will only be
-attempted if a DSA identity file exists.
 Note that this option applies to protocol version 2 only.
 .It Cm EscapeChar
 Sets the escape character (default:
@@ -726,6 +752,12 @@
 .It Cm GlobalKnownHostsFile
 Specifies a file to use instead of
 .Pa /etc/ssh_known_hosts .
+.It Cm HostKeyAlias
+Specifies an alias that should be used instead of the
+real host name when looking up or saving the host key
+in the known_hosts files.
+This option is useful for tunneling ssh connections
+or if you have multiple servers running on a single host.
 .It Cm HostName
 Specifies the real host name to log into.
 This can be used to specify nicknames or abbreviations for hosts.
@@ -745,16 +777,6 @@
 It is possible to have
 multiple identity files specified in configuration files; all these
 identities will be tried in sequence.
-.It Cm IdentityFile2
-Specifies the file from which the user's DSA authentication identity
-is read (default
-.Pa $HOME/.ssh/id_dsa
-in the user's home directory).
-The file name may use the tilde
-syntax to refer to a user's home directory.
-It is possible to have
-multiple identity files specified in configuration files; all these
-identities will be tried in sequence.
 .It Cm KeepAlive
 Specifies whether the system should send keepalive messages to the
 other side.
@@ -800,6 +822,18 @@
 The possible values are:
 QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
 The default is INFO.
+.It Cm MACs
+Specifies the MAC (message authentication code) algorithms 
+in order of preference.
+The MAC algorithm is used in protocol version 2
+for data integrity protection.
+Multiple algorithms must be comma-separated.
+The default is
+.Pp
+.Bd -literal
+  ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,
+    hmac-sha1-96,hmac-md5-96''
+.Ed
 .It Cm NumberOfPasswordPrompts
 Specifies the number of password prompts before giving up.
 The argument to this keyword must be an integer.
@@ -894,8 +928,9 @@
 attempted if the identity file exists, or an authentication agent is
 running.
 Note that this option applies to protocol version 1 only.
-.It Cm SkeyAuthentication
-Specifies whether to use
+.It Cm ChallengeResponseAuthentication
+Specifies whether to use challenge response authentication.
+Currently there is only support for
 .Xr skey 1
 authentication.
 The argument to this keyword must be
@@ -908,28 +943,41 @@
 If this flag is set to
 .Dq yes ,
 .Nm
-ssh will never automatically add host keys to the
+will never automatically add host keys to the
 .Pa $HOME/.ssh/known_hosts
 and
 .Pa $HOME/.ssh/known_hosts2
-files, and refuses to connect hosts whose host key has changed.
+files, and refuses to connect to hosts whose host key has changed.
 This provides maximum protection against trojan horse attacks.
 However, it can be somewhat annoying if you don't have good
 .Pa /etc/ssh_known_hosts
 and
 .Pa /etc/ssh_known_hosts2
 files installed and frequently
-connect new hosts.
-Basically this option forces the user to manually
-add any new hosts.
-Normally this option is disabled, and new hosts
-will automatically be added to the known host files.
+connect to new hosts.
+This option forces the user to manually
+add all new hosts.
+If this flag is set to
+.Dq no ,
+.Nm
+will automatically add new host keys to the
+user known hosts files.
+If this flag is set to
+.Dq ask ,
+new host keys
+will be added to the user known host files only after the user
+has confirmed that is what they really want to do, and
+.Nm
+will refuse to connect to hosts whose host key has changed.
 The host keys of
-known hosts will be verified automatically in either case.
+known hosts will be verified automatically in all cases.
 The argument must be
-.Dq yes
+.Dq yes ,
+.Dq no
 or
-.Dq no .
+.Dq ask .
+The default is
+.Dq ask .
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be
@@ -943,7 +991,8 @@
 turns off
 .Cm RhostsAuthentication
 and
-.Cm RhostsRSAAuthentication .
+.Cm RhostsRSAAuthentication
+for older servers.
 .It Cm User
 Specifies the user to log in as.
 This can be useful if you have a different user name on different machines.
@@ -1016,6 +1065,10 @@
 The variable contains
 three space-separated values: client ip-address, client port number,
 and server port number.
+.It Ev SSH_ORIGINAL_COMMAND
+The variable contains the original command line if a forced command
+is executed.
+It can be used to extract the original arguments.
 .It Ev SSH_TTY
 This is set to the name of the tty (path to the device) associated
 with the current shell or command.
@@ -1073,7 +1126,7 @@
 These files are not
 sensitive and can (but need not) be readable by anyone.
 These files are
-never used automatically and are not necessary; they is only provided for
+never used automatically and are not necessary; they are only provided for
 the convenience of the user.
 .It Pa $HOME/.ssh/config
 This is the per-user configuration file.
@@ -1096,7 +1149,7 @@
 This file is not highly sensitive, but the recommended
 permissions are read/write for the user, and not accessible by others.
 .It Pa $HOME/.ssh/authorized_keys2
-Lists the DSA keys that can be used for logging in as this user.
+Lists the public keys (DSA/RSA) that can be used for logging in as this user.
 This file is not highly sensitive, but the recommended
 permissions are read/write for the user, and not accessible by others.
 .It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2
@@ -1104,7 +1157,7 @@
 .Pa /etc/ssh_known_hosts
 contains RSA and
 .Pa /etc/ssh_known_hosts2
-contains DSA keys.
+contains DSA or RSA keys for protocol version 2.
 These files should be prepared by the
 system administrator to contain the public host keys of all machines in the
 organization.
@@ -1219,45 +1272,22 @@
 A version of this library which includes support for the RSA algorithm
 is required for proper operation.
 .El
-.Sh AUTHOR
-OpenSSH
-is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,
-but with bugs removed and newer features re-added.
-Rapidly after the
-1.2.12 release, newer versions of the original ssh bore successively
-more restrictive licenses, and thus demand for a free version was born.
-.Pp
-This version of OpenSSH
-.Bl -bullet
-.It
-has all components of a restrictive nature (i.e., patents, see
-.Xr ssl 8 )
-directly removed from the source code; any licensed or patented components
-are chosen from
-external libraries.
-.It
-has been updated to support SSH protocol 1.5 and 2, making it compatible with
-all other SSH clients and servers.
-.It
-contains added support for
-.Xr kerberos 8
-authentication and ticket passing.
-.It
-supports one-time password authentication with
-.Xr skey 1 .
-.El
-.Pp
-OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl,
-Niels Provos, Theo de Raadt, and Dug Song.
-.Pp
-The support for SSH protocol 2 was written by Markus Friedl.
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
 .Sh SEE ALSO
 .Xr rlogin 1 ,
 .Xr rsh 1 ,
 .Xr scp 1 ,
+.Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr telnet 1 ,
-.Xr sshd 8 ,
-.Xr ssl 8
+.Xr sshd 8