=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh_config.5,v retrieving revision 1.38.2.3 retrieving revision 1.39 diff -u -r1.38.2.3 -r1.39 --- src/usr.bin/ssh/ssh_config.5 2005/09/02 03:45:01 1.38.2.3 +++ src/usr.bin/ssh/ssh_config.5 2004/10/07 10:10:24 1.39 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.38.2.3 2005/09/02 03:45:01 brad Exp $ +.\" $OpenBSD: ssh_config.5,v 1.39 2004/10/07 10:10:24 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -43,7 +43,7 @@ .Nd OpenSSH SSH client configuration files .Sh SYNOPSIS .Bl -tag -width Ds -compact -.It Pa ~/.ssh/config +.It Pa $HOME/.ssh/config .It Pa /etc/ssh/ssh_config .El .Sh DESCRIPTION @@ -55,7 +55,7 @@ command-line options .It user's configuration file -.Pq Pa ~/.ssh/config +.Pq Pa $HOME/.ssh/config .It system-wide configuration file .Pq Pa /etc/ssh/ssh_config @@ -63,7 +63,7 @@ .Pp For each parameter, the first obtained value will be used. -The configuration files contain sections separated by +The configuration files contain sections bracketed by .Dq Host specifications, and that section is only applied for hosts that match one of the patterns given in the specification. @@ -120,9 +120,9 @@ Valid arguments are .Dq any , .Dq inet -(use IPv4 only) or +(Use IPv4 only) or .Dq inet6 -(use IPv6 only). +(Use IPv6 only.) .It Cm BatchMode If set to .Dq yes , @@ -136,9 +136,8 @@ The default is .Dq no . .It Cm BindAddress -Use the specified address on the local machine as the source address of -the connection. -Only useful on systems with more than one address. +Specify the interface to transmit from on machines with multiple +interfaces or aliased addresses. Note that this option does not work if .Cm UsePrivilegedPort is set to 
@@ -194,17 +193,14 @@ .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , -.Dq arcfour128 , -.Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , and .Dq cast128-cbc . The default is .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, - arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, - aes192-ctr,aes256-ctr'' + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, + aes192-cbc,aes256-cbc'' .Ed .It Cm ClearAllForwardings Specifies that all local, remote and dynamic port forwardings @@ -274,47 +270,11 @@ program before they are accepted (see .Xr ssh-add 1 for details). -If the -.Cm ControlPath -can not be opened, -.Nm ssh -will continue without connecting to a master instance. -.Pp -X11 and -.Xr ssh-agent 1 -forwarding is supported over these multiplexed connections, however the -display and agent fowarded will be the one belonging to the master -connection i.e. it is not possible to forward multiple displays or agents. -.Pp -Two additional options allow for opportunistic multiplexing: try to use a -master connection but fall back to creating a new one if one does not already -exist. -These options are: -.Dq auto -and -.Dq autoask . -The latter requires confirmation like the -.Dq ask -option. .It Cm ControlPath -Specify the path to the control socket used for connection sharing as described -in the +Specify the path to the control socket used for connection sharing. +See .Cm ControlMaster -section above or the string -.Dq none -to disable connection sharing. -In the path, -.Ql %h -will be substituted by the target host name, -.Ql %p -the port and -.Ql %r -by the remote login username. -It is recommended that any -.Cm ControlPath -used for opportunistic connection sharing include -all three of these escape sequences. -This ensures that shared connections are uniquely identified. +above. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application 
@@ -399,16 +359,11 @@ If this option is set to .Dq yes then remote X11 clients will have full access to the original X11 display. -.Pp If this option is set to .Dq no then remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. -Furthermore, the -.Xr xauth 1 -token used for the session will be set to expire after 20 minutes. -Remote clients will be refused access after this time. .Pp The default is .Dq no . @@ -447,22 +402,6 @@ The default is .Dq no . Note that this option applies to protocol version 2 only. -.It Cm HashKnownHosts -Indicates that -.Nm ssh -should hash host names and addresses when they are added to -.Pa ~/.ssh/known_hosts . -These hashed names may be used normally by -.Nm ssh -and -.Nm sshd , -but they do not reveal identifying information should the file's contents -be disclosed. -The default is -.Dq no . -Note that hashing of names and addresses will not be retrospectively applied -to existing known hosts files, but these may be manually hashed using -.Xr ssh-keygen 1 . .It Cm HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. @@ -497,11 +436,11 @@ Specifies a file from which the user's RSA or DSA authentication identity is read. The default is -.Pa ~/.ssh/identity +.Pa $HOME/.ssh/identity for protocol version 1, and -.Pa ~/.ssh/id_rsa +.Pa $HOME/.ssh/id_rsa and -.Pa ~/.ssh/id_dsa +.Pa $HOME/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. 
@@ -535,34 +474,13 @@ .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. -The first argument must be -.Sm off -.Oo Ar bind_address : Oc Ar port -.Sm on -and the second argument must be -.Ar host : Ns Ar hostport . -IPv6 addresses can be specified by enclosing addresses in square brackets or -by using an alternative syntax: -.Oo Ar bind_address Ns / Oc Ns Ar port -and -.Ar host Ns / Ns Ar hostport . -Multiple forwardings may be specified, and additional forwardings can be -given on the command line. +The first argument must be a port number, and the second must be +.Ar host:port . +IPv6 addresses can be specified with an alternative syntax: +.Ar host/port . +Multiple forwardings may be specified, and additional +forwardings can be given on the command line. Only the superuser can forward privileged ports. -By default, the local port is bound in accordance with the -.Cm GatewayPorts -setting. -However, an explicit -.Ar bind_address -may be used to bind the connection to a specific address. -The -.Ar bind_address -of -.Dq localhost -indicates that the listening port be bound for local use only, while an -empty address or -.Sq * -indicates that the port should be available from all interfaces. .It Cm LogLevel Gives the verbosity level that is used when logging messages from .Nm ssh . @@ -607,9 +525,9 @@ .It Cm PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. -This allows a client to prefer one method (e.g.\& +This allows a client to prefer one method (e.g. .Cm keyboard-interactive ) -over another method (e.g.\& +over another method (e.g. .Cm password ) The default for this option is: .Dq hostbased,publickey,keyboard-interactive,password . 
@@ -656,14 +574,6 @@ .Cm CheckHostIP is not available for connects with a proxy command. .Pp -This directive is useful in conjunction with -.Xr nc 1 -and its proxy support. -For example, the following directive would connect via an HTTP proxy at -192.0.2.0: -.Bd -literal -offset 3n -ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p -.Ed .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be @@ -676,36 +586,13 @@ .It Cm RemoteForward Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. -The first argument must be -.Sm off -.Oo Ar bind_address : Oc Ar port -.Sm on -and the second argument must be -.Ar host : Ns Ar hostport . -IPv6 addresses can be specified by enclosing addresses in square brackets -or by using an alternative syntax: -.Oo Ar bind_address Ns / Oc Ns Ar port -and -.Ar host Ns / Ns Ar hostport . +The first argument must be a port number, and the second must be +.Ar host:port . +IPv6 addresses can be specified with an alternative syntax: +.Ar host/port . Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. -.Pp -If the -.Ar bind_address -is not specified, the default is to only bind to loopback addresses. -If the -.Ar bind_address -is -.Ql * -or an empty string, then the forwarding is requested to listen on all -interfaces. -Specifying a remote -.Ar bind_address -will only succeed if the server's -.Cm GatewayPorts -option is enabled (see -.Xr sshd_config 5 ) . .It Cm RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. 
@@ -799,7 +686,7 @@ .Dq yes , .Nm ssh will never automatically add host keys to the -.Pa ~/.ssh/known_hosts +.Pa $HOME/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, however, can be annoying when the @@ -871,7 +758,7 @@ .It Cm UserKnownHostsFile Specifies a file to use for the user host key database instead of -.Pa ~/.ssh/known_hosts . +.Pa $HOME/.ssh/known_hosts . .It Cm VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. @@ -904,7 +791,7 @@ .El .Sh FILES .Bl -tag -width Ds -.It Pa ~/.ssh/config +.It Pa $HOME/.ssh/config This is the per-user configuration file. The format of this file is described above. This file is used by the
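
Review bot: the header compares revision 1.38.2.3, dated 2005/09/02, against 1.39, dated 2004/10/07, so the + lines are the earlier text and the - lines are the later branch text. Say so in the description of the change, because read as a forward patch it appears to delete the HashKnownHosts, bind_address and ControlPath documentation.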
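
Review bot: in the AddressFamily hunk (@@ -120,9 +120,9 @@) the + side capitalises "(Use IPv4 only) or" in mid-sentence and writes "(Use IPv6 only.)" with the period inside the parentheses, so the two parentheticals are punctuated differently and the sentence beginning "Valid arguments are" has no terminator of its own. The - side form, lowercase with the period after the closing parenthesis, reads correctly and should stay.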
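
Review bot: in the BindAddress hunk (@@ -136,9 +136,8 @@) the + wording "Specify the interface to transmit from" describes the argument as an interface, while the keyword is BindAddress and the - wording says "Use the specified address on the local machine as the source address of the connection". Keep the address wording, which matches the keyword and tells the reader what value to supply.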
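
Review bot: in the Ciphers hunk (@@ -194,17 +193,14 @@) the default list on the + side ends at aes256-cbc, so aes128-ctr, aes192-ctr and aes256-ctr remain in the list of supported ciphers just above but are absent from the default, which then consists only of CBC-mode ciphers and arcfour. If the client at this revision offers the CTR modes by default, keep them in the literal block; if it does not, add a sentence saying they have to be enabled explicitly with Ciphers.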
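
Review bot: in the ControlMaster/ControlPath hunk (@@ -274,47 +270,11 @@) the + side reduces ControlPath to "See ControlMaster above", which drops the %h, %p and %r escapes, the "none" value, and the recommendation to include all three escapes so that shared connections are uniquely identified. Without that text a reader has no guidance for choosing a socket path that does not collide across hosts, ports or users; keep at least the escape list and the uniqueness sentence. The same hunk removes the statement of what ssh does when the ControlPath cannot be opened and the note that X11 and agent forwarding over a multiplexed connection use the master's display and agent, both of which a user needs to know. Where that text is kept, correct "fowarded" to "forwarded".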
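
Review bot: in the ForwardX11Trusted hunk (@@ -399,16 +359,11 @@) removing the .Pp between the "yes" and "no" descriptions runs the two cases into one paragraph, and the + side no longer states that the xauth(1) token for an untrusted session expires after 20 minutes. Keep the .Pp, and if the expiry applies at this revision keep the two sentences describing it, since they tell the user how long remote clients retain access.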
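
Review bot: the @@ -447,22 +402,6 @@ hunk removes the entire HashKnownHosts entry, leaving the page with no description of hashing host names and addresses in known_hosts and no pointer to ssh-keygen(1) for hashing an existing file. Confirm that the keyword is not accepted by the client at the + revision; if it is accepted, the entry has to stay.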
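
Review bot: in the LocalForward hunk (@@ -535,34 +474,13 @@) the + side drops every statement about which address the listening port binds to: the GatewayPorts default, the explicit bind_address, and the meaning of "localhost" versus an empty address or '*'. From the remaining text a reader cannot tell whether a forwarded port is reachable from other hosts, so keep a sentence on the binding behaviour even if bind_address is not supported at this revision. The + line ".Ar host:port ." also marks the whole string as one argument where the - side marked host and hostport separately; keep the separate .Ar markup.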
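
Review bot: in the PreferredAuthentications hunk (@@ -607,9 +525,9 @@) changing "e.g.\&" to "e.g." removes the zero-width escape that stops roff from treating the period at the end of the input line as the end of a sentence, so both occurrences get sentence spacing in the rendered page. Keep the \& in both places. The context line ".Cm password )" is followed directly by "The default for this option is:", so the preceding sentence has no closing period; add one while this paragraph is being touched.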
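
Review bot: in the RemoteForward hunk (@@ -676,36 +586,13 @@) the + side deletes the paragraph stating that an unspecified bind_address binds to loopback addresses only, that '*' or an empty string requests listening on all interfaces, and that a remote bind_address succeeds only when the server's GatewayPorts option is enabled. Those three statements define how exposed a remote forward is; if the behaviour exists at this revision, keep the paragraph together with its cross-reference to sshd_config(5).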