- (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the

[openssh.git] / ssh_config.5

diff --git a/ssh_config.5 b/ssh_config.5
index 0e1a031e5da5a8e6cff685a0a2dc8fcc259b1967..b35753307a5a957378eb1d2b9f09d75c09f7b6c9 100644 (file)
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: ssh_config.5,v 1.38 2004/06/26 09:11:14 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $

 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os


@@ -63,7 +63,7 @@ system-wide configuration file
 .Pp
 For each parameter, the first obtained value
 will be used.
 .Pp
 For each parameter, the first obtained value
 will be used.

-The configuration files contain sections bracketed by
+The configuration files contain sections separated by

 .Dq Host
 specifications, and that section is only applied for hosts that
 match one of the patterns given in the specification.
 .Dq Host
 specifications, and that section is only applied for hosts that
 match one of the patterns given in the specification.


@@ -120,9 +120,9 @@ Specifies which address family to use when connecting.
 Valid arguments are
 .Dq any ,
 .Dq inet
 Valid arguments are
 .Dq any ,
 .Dq inet

-(Use IPv4 only) or
+(use IPv4 only) or

 .Dq inet6
 .Dq inet6

-(Use IPv6 only.)
+(use IPv6 only).

 .It Cm BatchMode
 If set to
 .Dq yes ,
 .It Cm BatchMode
 If set to
 .Dq yes ,


@@ -359,11 +359,16 @@ option is also enabled.
 If this option is set to
 .Dq yes
 then remote X11 clients will have full access to the original X11 display.
 If this option is set to
 .Dq yes
 then remote X11 clients will have full access to the original X11 display.

+.Pp

 If this option is set to
 .Dq no
 then remote X11 clients will be considered untrusted and prevented
 from stealing or tampering with data belonging to trusted X11
 clients.
 If this option is set to
 .Dq no
 then remote X11 clients will be considered untrusted and prevented
 from stealing or tampering with data belonging to trusted X11
 clients.

+Furthermore, the
+.Xr xauth 1
+token used for the session will be set to expire after 20 minutes.
+Remote clients will be refused access after this time.

 .Pp
 The default is
 .Dq no .
 .Pp
 The default is
 .Dq no .


@@ -402,6 +407,22 @@ Forward (delegate) credentials to the server.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.

+.It Cm HashKnownHosts
+Indicates that
+.Nm ssh
+should hash host names and addresses when they are added to
+.Pa $HOME/.ssh/known_hosts .
+These hashed names may be used normally by
+.Nm ssh
+and
+.Nm sshd ,
+but they do not reveal identifying information should the file's contents
+be disclosed.
+The default is
+.Dq no .
+Note that hashing of names and addresses will not be retrospectively applied
+to existing known hosts files, but these may be manually hashed using
+.Xr ssh-keygen 1 .

 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.


@@ -467,16 +488,41 @@ This option is intented for situations where
 offers many different identities.
 The default is
 .Dq no .
 offers many different identities.
 The default is
 .Dq no .

+.It Cm KbdInteractiveDevices
+Specifies the list of methods to use in keyboard-interactive authentication.
+Multiple method names must be comma-separated.
+The default is to use the server specified list.

 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.

-The first argument must be a port number, and the second must be
-.Ar host:port .
-IPv6 addresses can be specified with an alternative syntax:
-.Ar host/port .
-Multiple forwardings may be specified, and additional
-forwardings can be given on the command line.
+The first argument must be
+.Sm off
+.Oo Ar bind_address : Oc Ar port
+.Sm on
+and the second argument must be
+.Ar host : Ns Ar hostport .
+IPv6 addresses can be specified by enclosing addresses in square brackets or
+by using an alternative syntax:
+.Oo Ar bind_address Ns / Oc Ns Ar port
+and
+.Ar host Ns / Ns Ar hostport .
+Multiple forwardings may be specified, and additional forwardings can be
+given on the command line.

 Only the superuser can forward privileged ports.
 Only the superuser can forward privileged ports.

+By default, the local port is bound in accordance with the
+.Cm GatewayPorts
+setting.
+However, an explicit
+.Ar bind_address
+may be used to bind the connection to a specific address.
+The
+.Ar bind_address
+of
+.Dq localhost
+indicates that the listening port be bound for local use only, while an
+empty address or
+.Sq *
+indicates that the port should be available from all interfaces.

 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
 .Nm ssh .
 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
 .Nm ssh .


@@ -521,9 +567,9 @@ Default is 22.
 .It Cm PreferredAuthentications
 Specifies the order in which the client should try protocol 2
 authentication methods.
 .It Cm PreferredAuthentications
 Specifies the order in which the client should try protocol 2
 authentication methods.

-This allows a client to prefer one method (e.g.
+This allows a client to prefer one method (e.g.\&

 .Cm keyboard-interactive )
 .Cm keyboard-interactive )

-over another method (e.g.
+over another method (e.g.\&

 .Cm password )
 The default for this option is:
 .Dq hostbased,publickey,keyboard-interactive,password .
 .Cm password )
 The default for this option is:
 .Dq hostbased,publickey,keyboard-interactive,password .


@@ -582,13 +628,36 @@ This option applies to protocol version 2 only.
 .It Cm RemoteForward
 Specifies that a TCP/IP port on the remote machine be forwarded over
 the secure channel to the specified host and port from the local machine.
 .It Cm RemoteForward
 Specifies that a TCP/IP port on the remote machine be forwarded over
 the secure channel to the specified host and port from the local machine.

-The first argument must be a port number, and the second must be
-.Ar host:port .
-IPv6 addresses can be specified with an alternative syntax:
-.Ar host/port .
+The first argument must be
+.Sm off
+.Oo Ar bind_address : Oc Ar port
+.Sm on
+and the second argument must be
+.Ar host : Ns Ar hostport .
+IPv6 addresses can be specified by enclosing addresses in square brackets
+or by using an alternative syntax:
+.Oo Ar bind_address Ns / Oc Ns Ar port
+and
+.Ar host Ns / Ns Ar hostport .

 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Only the superuser can forward privileged ports.
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Only the superuser can forward privileged ports.

+.Pp
+If the
+.Ar bind_address
+is not specified, the default is to only bind to loopback addresses.
+If the
+.Ar bind_address
+is
+.Ql *
+or an empty string, then the forwarding is requested to listen on all
+interfaces.
+Specifying a remote
+.Ar bind_address
+will only succeed if the server's
+.Cm GatewayPorts
+option is enabled (see
+.Xr sshd_config 5 ) .

 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.
 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.