=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh_config.5,v retrieving revision 1.20.2.2 retrieving revision 1.21 diff -u -r1.20.2.2 -r1.21 --- src/usr.bin/ssh/ssh_config.5 2004/08/19 22:37:32 1.20.2.2 +++ src/usr.bin/ssh/ssh_config.5 2003/10/08 15:21:24 1.21 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.20.2.2 2004/08/19 22:37:32 brad Exp $ +.\" $OpenBSD: ssh_config.5,v 1.21 2003/10/08 15:21:24 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -185,19 +185,8 @@ Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. -The supported ciphers are -.Dq 3des-cbc , -.Dq aes128-cbc , -.Dq aes192-cbc , -.Dq aes256-cbc , -.Dq aes128-ctr , -.Dq aes192-ctr , -.Dq aes256-ctr , -.Dq arcfour , -.Dq blowfish-cbc , -and -.Dq cast128-cbc . The default is +.Pp .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc'' 
@@ -244,37 +233,6 @@ server, instead of using the default system TCP timeout. This value is used only when the target is down or really unreachable, not when it refuses the connection. -.It Cm ControlMaster -Enables the sharing of multiple sessions over a single network connection. -When set to -.Dq yes -.Nm ssh -will listen for connections on a control socket specified using the -.Cm ControlPath -argument. -Additional sessions can connect to this socket using the same -.Cm ControlPath -with -.Cm ControlMaster -set to -.Dq no -(the default). -These sessions will reuse the master instance's network connection rather -than initiating new ones. -Setting this to -.Dq ask -will cause -.Nm ssh -to listen for control connections, but require confirmation using the -.Ev SSH_ASKPASS -program before they are accepted (see -.Xr ssh-add 1 -for details). -.It Cm ControlPath -Specify the path to the control socket used for connection sharing. -See -.Cm ControlMaster -above. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application @@ -302,7 +260,6 @@ .Dq no . The default is .Dq no . -This option should be placed in the non-hostspecific section. See .Xr ssh-keysign 8 for more information. 
@@ -349,27 +306,9 @@ .Pp X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host -(for the user's X11 authorization database) +(for the user's X authorization database) can access the local X11 display through the forwarded connection. -An attacker may then be able to perform activities such as keystroke monitoring -if the -.Cm ForwardX11Trusted -option is also enabled. -.It Cm ForwardX11Trusted -If this option is set to -.Dq yes -then remote X11 clients will have full access to the original X11 display. -If this option is set to -.Dq no -then remote X11 clients will be considered untrusted and prevented -from stealing or tampering with data belonging to trusted X11 -clients. -.Pp -The default is -.Dq no . -.Pp -See the X11 SECURITY extension specification for full details on -the restrictions imposed on untrusted clients. +An attacker may then be able to perform activities such as keystroke monitoring. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. @@ -393,7 +332,9 @@ host key database instead of .Pa /etc/ssh/ssh_known_hosts . .It Cm GSSAPIAuthentication -Specifies whether user authentication based on GSSAPI is allowed. +Specifies whether authentication based on GSSAPI may be used, either using +the result of a successful key exchange, or using GSSAPI user +authentication. The default is .Dq no . Note that this option applies to protocol version 2 only. 
@@ -449,24 +390,23 @@ It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. -.It Cm IdentitiesOnly -Specifies that -.Nm ssh -should only use the authentication identity files configured in the -.Nm -files, -even if the -.Nm ssh-agent -offers more identities. -The argument to this keyword must be +.It Cm KeepAlive +Specifies whether the system should send TCP keepalive messages to the +other side. +If they are sent, death of the connection or crash of one +of the machines will be properly noticed. +However, this means that +connections will die if the route is down temporarily, and some people +find it annoying. +.Pp +The default is .Dq yes -or +(to send keepalives), and the client will notice +if the network goes down or the remote host dies. +This is important in scripts, and many users want it too. +.Pp +To disable keepalives, the value should be set to .Dq no . -This option is intented for situations where -.Nm ssh-agent -offers many different identities. -The default is -.Dq no . .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. 
@@ -613,63 +553,6 @@ The default is .Dq yes . Note that this option applies to protocol version 1 only. -.It Cm SendEnv -Specifies what variables from the local -.Xr environ 7 -should be sent to the server. -Note that environment passing is only supported for protocol 2, the -server must also support it, and the server must be configured to -accept these environment variables. -Refer to -.Cm AcceptEnv -in -.Xr sshd_config 5 -for how to configure the server. -Variables are specified by name, which may contain the wildcard characters -.Ql \&* -and -.Ql \&? . -Multiple environment variables may be separated by whitespace or spread -across multiple -.Cm SendEnv -directives. -The default is not to send any environment variables. -.It Cm ServerAliveInterval -Sets a timeout interval in seconds after which if no data has been received -from the server, -.Nm ssh -will send a message through the encrypted -channel to request a response from the server. -The default -is 0, indicating that these messages will not be sent to the server. -This option applies to protocol version 2 only. -.It Cm ServerAliveCountMax -Sets the number of server alive messages (see above) which may be -sent without -.Nm ssh -receiving any messages back from the server. -If this threshold is reached while server alive messages are being sent, -.Nm ssh -will disconnect from the server, terminating the session. -It is important to note that the use of server alive messages is very -different from -.Cm TCPKeepAlive -(below). -The server alive messages are sent through the encrypted channel -and therefore will not be spoofable. -The TCP keepalive option enabled by -.Cm TCPKeepAlive -is spoofable. -The server alive mechanism is valuable when the client or -server depend on knowing when a connection has become inactive. -.Pp -The default value is 3. 
-If, for example, -.Cm ServerAliveInterval -(above) is set to 15, and -.Cm ServerAliveCountMax -is left at the default, if the server becomes unresponsive ssh -will disconnect after approximately 45 seconds. .It Cm SmartcardDevice Specifies which smartcard device to use. The argument to this keyword is the device @@ -712,23 +595,6 @@ .Dq ask . The default is .Dq ask . -.It Cm TCPKeepAlive -Specifies whether the system should send TCP keepalive messages to the -other side. -If they are sent, death of the connection or crash of one -of the machines will be properly noticed. -However, this means that -connections will die if the route is down temporarily, and some people -find it annoying. -.Pp -The default is -.Dq yes -(to send TCP keepalive messages), and the client will notice -if the network goes down or the remote host dies. -This is important in scripts, and many users want it too. -.Pp -To disable TCP keepalive messages, the value should be set to -.Dq no . .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be @@ -758,23 +624,6 @@ .It Cm VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. -If this option is set to -.Dq yes , -the client will implicitly trust keys that match a secure fingerprint -from DNS. -Insecure fingerprints will be handled as if this option was set to -.Dq ask . -If this option is set to -.Dq ask , -information on fingerprint match will be displayed, but the user will still -need to confirm new host keys according to the -.Cm StrictHostKeyChecking -option. -The argument must be -.Dq yes , -.Dq no -or -.Dq ask . The default is .Dq no . Note that this option applies to protocol version 2 only. 
@@ -793,8 +642,9 @@ This file is used by the .Nm ssh client. -Because of the potential for abuse, this file must have strict permissions: -read/write for the user, and not accessible by others. +This file does not usually contain any sensitive information, +but the recommended permissions are read/write for the user, and not +accessible by others. .It Pa /etc/ssh/ssh_config Systemwide configuration file. This file provides defaults for those
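Review bot: the revision arguments are reversed for the @@ -34,7 +34,7 @@ hunk and every hunk after it. The diff runs from 1.20.2.2 (2004/08/19) to 1.21 (2003/10/08), so every `+` line is the older 2003 text and every `-` line is the newer branch text, and read as a forward change the patch is a documentation regression that deletes ControlMaster, ControlPath, ForwardX11Trusted, IdentitiesOnly, SendEnv, ServerAliveInterval, ServerAliveCountMax, TCPKeepAlive and the value semantics of VerifyHostKeyDNS. If the aim is to see what 1.20.2.2 added, regenerate with the arguments swapped (cvs diff -u -r1.21 -r1.20.2.2); if the aim really is to apply this, none of the removals below should land without the matching client code being removed as well.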
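Review bot: in the @@ -185,19 +185,8 @@ hunk, dropping the enumerated list of supported ciphers leaves the reader with only the default string, and that string contains no CTR mode, so the `-.Dq aes128-ctr ,` / `-.Dq aes192-ctr ,` / `-.Dq aes256-ctr ,` names become undiscoverable from the manual page. Keep the list so an operator who wants to move the Ciphers preference off CBC can see which names the option accepts.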
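Review bot: the @@ -244,37 +233,6 @@ hunk removes ControlMaster and ControlPath wholesale, including the one security-relevant sentence in the entry: additional sessions that connect to the control socket "reuse the master instance's network connection", i.e. whoever can reach the socket gets a session on the already-authenticated connection, which is what the `ask` mode and its `SSH_ASKPASS` confirmation exist to gate. If the option stays in the client, keep the entry; it would also be worth adding to ControlPath that the socket should live in a directory not writable by other users, which the removed text never says.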
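Review bot: the @@ -302,7 +260,6 @@ hunk deletes the only placement guidance for EnableSSHKeysign (`-This option should be placed in the non-hostspecific section.`) while keeping the `.Xr ssh-keysign 8` pointer. Without that sentence a reader will naturally put the option inside a Host block, where it has no effect, and host-based authentication silently fails. Keep the sentence; if anything the removed wording is too weak, since "should" reads as a style preference rather than the requirement it is.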
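Review bot: in the @@ -349,27 +306,9 @@ hunk the keystroke-monitoring warning changes from conditional (`-if the` / `-.Cm ForwardX11Trusted` / `-option is also enabled.`) to unconditional, and the ForwardX11Trusted entry with its `no` default is removed. On a client that implements the untrusted-by-default behaviour this misstates the risk in both directions: it tells users that plain ForwardX11 already exposes keystrokes, and it hides the option they would have to read about before granting remote clients full access to the display. Keep the entry and the conditional clause together; the `X11`/`X` wording change in the context line is cosmetic and can go either way.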
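Review bot: the @@ -393,7 +332,9 @@ hunk replaces a one-line description of GSSAPIAuthentication with wording that says authentication may use "the result of a successful key exchange", but nothing else on the page documents a GSSAPI key exchange or an option that enables one, so the reader cannot tell what that half of the sentence refers to. Either restore `-Specifies whether user authentication based on GSSAPI is allowed.` or document the key-exchange option the new sentence depends on.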
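Review bot: the @@ -449,24 +390,23 @@ hunk does two unrelated things under one header: it deletes IdentitiesOnly and it re-adds the keepalive text under the old name KeepAlive. The IdentitiesOnly loss is the more serious one, because the removed lines are the only place that tells a user how to stop ssh from offering every key the agent holds, the situation the removed text itself describes ("ssh-agent offers many different identities"). Split this into two hunks so the rename can be reviewed next to the @@ -712 hunk that removes TCPKeepAlive, and whichever version of the IdentitiesOnly text survives should fix `-This option is intented for` to "intended".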
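Review bot: the @@ -613,63 +553,6 @@ hunk removes ServerAliveInterval and ServerAliveCountMax together with the sentence that justifies them: the `-` lines say server-alive messages go through the encrypted channel "and therefore will not be spoofable", whereas the TCP keepalive "is spoofable". After the change the only liveness mechanism the page documents is the TCP keepalive in the KeepAlive entry, described as something that "will be properly noticed", with no hint that an on-path party can keep a dead session looking alive. Keep both entries, or at minimum add a sentence to KeepAlive saying the TCP mechanism is unauthenticated. The worked figure in the removed text (interval 15, count left at 3, disconnect after about 45 seconds) is arithmetically right and worth preserving. The SendEnv removal in the same hunk also drops the note that the server must opt in through AcceptEnv, which should stay if environment passing remains supported.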
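Review bot: the @@ -712,23 +595,6 @@ hunk deletes the TCPKeepAlive entry while the @@ -449 hunk re-adds the same text under the name KeepAlive, so the net effect is a keyword rename, and nothing in the patch says whether the client still accepts TCPKeepAlive as an alias. If it does not, existing configurations that set `TCPKeepAlive no` stop parsing. State which it is, and keep the two hunks adjacent so the pair is reviewed as one change.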
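Review bot: the @@ -758,23 +624,6 @@ hunk keeps VerifyHostKeyDNS but strips the meaning of its values, which is exactly the part a user needs in order to judge the risk. The removed lines say that `yes` makes the client "implicitly trust keys that match a secure fingerprint from DNS", that insecure fingerprints are handled as `ask`, and that `ask` still requires confirming new host keys under StrictHostKeyChecking. With only "Specifies whether to verify the remote key using DNS and SSHFP resource records" left, a reader cannot tell that `yes` bypasses the host-key prompt, nor that the bypass applies only to fingerprints the client considers secure. Keep the removed paragraph, including the `yes`/`no`/`ask` argument list.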
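Review bot: the @@ -793,8 +642,9 @@ hunk weakens the permission statement on the per-user configuration file from a requirement (`-Because of the potential for abuse, this file must have strict permissions:`) to a recommendation justified by the file "not usually" containing sensitive information. Confidentiality is not the concern; integrity is. The same page documents LocalForward, DynamicForward, ForwardX11, identity files and Ciphers, so anyone who can write this file can redirect the owner's traffic, expose their display or weaken their connection without ever reading a secret from it. Keep the `-` wording.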