Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/crypto/external/bsd/openssh/dist/ssh_config.5,v rcsdiff: /ftp/cvs/cvsroot/src/crypto/external/bsd/openssh/dist/ssh_config.5,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.1.1.20 retrieving revision 1.1.1.21 diff -u -p -r1.1.1.20 -r1.1.1.21 --- src/crypto/external/bsd/openssh/dist/ssh_config.5 2018/08/26 07:41:12 1.1.1.20 +++ src/crypto/external/bsd/openssh/dist/ssh_config.5 2019/04/20 17:13:54 1.1.1.21 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.281 2018/07/23 19:02:49 kn Exp $ -.Dd $Mdocdate: July 23 2018 $ +.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $ +.Dd $Mdocdate: March 1 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -139,6 +139,7 @@ or the single token which always matches. The available criteria keywords are: .Cm canonical , +.Cm final , .Cm exec , .Cm host , .Cm originalhost , @@ -148,12 +149,15 @@ and The .Cm all criteria must appear alone or immediately after -.Cm canonical . +.Cm canonical +or +.Cm final . Other criteria may be combined arbitrarily. All criteria but -.Cm all +.Cm all , +.Cm canonical , and -.Cm canonical +.Cm final require an argument. Criteria may be negated by prepending an exclamation mark .Pq Sq !\& . @@ -163,9 +167,23 @@ The keyword matches only when the configuration file is being re-parsed after hostname canonicalization (see the .Cm CanonicalizeHostname -option.) +option). This may be useful to specify conditions that work with canonical host names only. +.Pp +The +.Cm final +keyword requests that the configuration be re-parsed (regardless of whether +.Cm CanonicalizeHostname +is enabled), and matches only during this final pass. +If +.Cm CanonicalizeHostname +is enabled, then +.Cm canonical +and +.Cm final +match during the same pass. +.Pp The .Cm exec keyword executes the specified command under the user's shell. @@ -290,7 +308,9 @@ hostname lookups. If set to .Cm yes then, for connections that do not use a -.Cm ProxyCommand , +.Cm ProxyCommand +or +.Cm ProxyJump , .Xr ssh 1 will attempt to canonicalize the hostname specified on the command line using the @@ -336,6 +356,18 @@ to be canonicalized to names in the or .Qq *.c.example.com domains. +.It Cm CASignatureAlgorithms +Specifies which algorithms are allowed for signing of certificates +by certificate authorities (CAs). +The default is: +.Bd -literal -offset indent +ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +.Ed +.Pp +.Xr ssh 1 +will not accept host certificates signed using algorithms other than those +specified. .It Cm CertificateFile Specifies a file from which the user's certificate is read. A corresponding private key must be provided separately in order @@ -672,6 +704,10 @@ section of X11 connections received by .Xr ssh 1 after this time will be refused. +Setting +.Cm ForwardX11Timeout +to zero will disable the timeout and permit X11 forwarding for the life +of the connection. The default is to disable untrusted X11 forwarding after twenty minutes has elapsed. .It Cm ForwardX11Trusted @@ -859,6 +895,10 @@ If the string is specified, the location of the socket will be read from the .Ev SSH_AUTH_SOCK environment variable. +Otherwise if the specified value begins with a +.Sq $ +character, then it will be treated as an environment variable containing +the location of the socket. .Pp Arguments to .Cm IdentityAgent @@ -1019,7 +1059,6 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, -diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 .Ed @@ -1142,11 +1181,13 @@ or .Cm no (the default). .It Cm PKCS11Provider -Specifies which PKCS#11 provider to use. -The argument to this keyword is the PKCS#11 shared library +Specifies which PKCS#11 provider to use or +.Cm none +to indicate that no provider should be used (the default). +The argument to this keyword is a path to the PKCS#11 shared library .Xr ssh 1 -should use to communicate with a PKCS#11 token providing the user's -private RSA key. +should use to communicate with a PKCS#11 token providing keys for user +authentication. .It Cm Port Specifies the port number to connect on the remote host. The default is 22. @@ -1224,6 +1265,12 @@ Note that this option will compete with .Cm ProxyCommand option - whichever is specified first will prevent later instances of the other from taking effect. +.Pp +Note also that the configuration for the destination host (either supplied +via the command-line or the configuration file) is not generally applied +to jump hosts. +.Pa ~/.ssh/config +should be used if specific configuration is required for jump hosts. .It Cm ProxyUseFdpass Specifies that .Cm ProxyCommand @@ -1764,7 +1811,7 @@ This is the per-user configuration file. The format of this file is described above. This file is used by the SSH client. Because of the potential for abuse, this file must have strict permissions: -read/write for the user, and not accessible by others. +read/write for the user, and not writable by others. .It Pa /etc/ssh/ssh_config Systemwide configuration file. This file provides defaults for those