path: root/usr.bin/ssh/ssh.1
Age | Commit message | Author
2010-11-18 | add IPQoS to the various -o lists, and zap some trailing whitespace; | Jason McIntyre
2010-10-28 | knock out some "-*- nroff -*-" lines; | Jason McIntyre
2010-09-22 | ssh.1: add kexalgorithms to the -o list; ssh_config.5: format the kexalgorithms in a more consistent (prettier!) way ok djm | Jason McIntyre
2010-09-11 | mention RFC 5656 for ECC stuff | Damien Miller
2010-09-04 | two more EXIT STATUS sections; | Jason McIntyre
2010-08-31 | small text tweak to accommodate previous; | Jason McIntyre
2010-08-31 | Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented. Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@ | Damien Miller
2010-08-08 | use the same template for all FILES sections; i.e. -compact/.Pp where we have multiple items, and .Pa for path names; | Jason McIntyre
2010-08-04 | Remove mentions of weird "addr/port" alternate address format for IPv6 addresses combinations. It hasn't worked for ages and we have supported the more common "[addr]:port" format for a long time. ok jmc@ markus@ | Damien Miller
2010-07-23 | Ciphers is documented in ssh_config(5) these days | Darren Tucker
2010-07-14 | finally ssh synopsis looks nice again! this commit just removes a ton of hacks we had in place to make it work with old groff; | Jason McIntyre
2010-05-16 | mux support for remote forwarding with dynamic port allocation, use with LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost` feedback and ok djm@ | Markus Friedl
2010-03-26 | tweak previous; | Jason McIntyre
2010-03-26 | mention that -S none disables connection sharing; from Colin Watson | Damien Miller
2010-03-05 | mention loading of certificate files from [private]-cert.pub when they are present; feedback and ok jmc@ | Damien Miller
2010-03-05 | document certificate authentication; help/ok djm | Jason McIntyre
2010-03-05 | tweak previous; | Jason McIntyre
2010-03-04 | move section on CA and revoked keys from ssh.1 to sshd.8's known hosts format section and rework it a bit; requested by jmc@ | Damien Miller
2010-03-04 | tweak previous; | Jason McIntyre
2010-03-04 | Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication. feedback and ok markus@ | Damien Miller
2010-02-26 | tweak previous; | Jason McIntyre
2010-02-26 | Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. See VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@ | Damien Miller
2010-02-11 | libarary -> library; | Jason McIntyre
2010-02-10 | pkcs#11 is no longer optional; improve wording; ok jmc@ | Markus Friedl
2010-02-08 | tweak previous; ok markus | Jason McIntyre
2010-02-08 | replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev | Markus Friedl
2010-01-11 | Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz #1618, man page help from jmc@, ok markus@ | Darren Tucker
2010-01-09 | Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that traffic such as DNS lookups stays within the specified routingdomain. For example (from reyk): # route -T 2 exec /usr/sbin/sshd or inherited from the parent process $ route -T 2 exec sh $ ssh 10.1.2.3 ok deraadt@ markus@ stevesk@ reyk@ | Darren Tucker
2009-12-29 | Rename RDomain config option to RoutingDomain to be more clear and consistent with other options. NOTE: if you currently use RDomain in the ssh client or server config, or ssh/sshd -o, you must update to use RoutingDomain. ok markus@ djm@ | Kevin Steves
2009-10-28 | Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@ | Reyk Floeter
2009-10-22 | write UNIX-domain in a more consistent way; while here, replace a few remaining ".Tn UNIX" macros with ".Ux" ones. pointed out by ratchov@, thanks! ok jmc@ | Igor Sobrado
2009-10-22 | use the UNIX-related macros (.At and .Ux) where appropriate. ok jmc@ | Igor Sobrado
2009-10-08 | some tweaks now that protocol 1 is not offered by default; ok markus | Jason McIntyre
2009-03-19 | for "Ciphers", just point the reader to the keyword in ssh_config(5), just as we do for "MACs": this stops us getting out of sync when the lists change; fixes documentation/6102, submitted by Peter J. Philipp alternative fix proposed by djm ok markus | Jason McIntyre
2009-02-12 | consistency: Dq => Ql | Damien Miller
2009-02-12 | document -R0:... usage | Damien Miller
2008-11-09 | typo fixed (overriden -> overridden) ok espie, jmc | Tobias Stoeckmann
2008-11-05 | add dynamic forward escape command line; ok djm@ | Kevin Steves
2008-10-08 | Add -y option to force logging via syslog rather than stderr. Useful for daemonised ssh connection (ssh -f). Patch originally from and ok'd by markus@ | Damien Miller
2008-07-02 | When forking after authentication ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until after replies for any -R forwards have been seen. Allows for robust detection of -R forward failure when using -f (similar to bz#92); ok dtucker@ | Damien Miller
2008-06-26 | add VisualHostKey to the list of options listed in -o; | Jason McIntyre
2008-06-26 | Move SSH Fingerprint Visualization away from sharing the config option CheckHostIP to an own config option named VisualHostKey. While there, fix the behaviour that ssh would draw a random art picture on every newly seen host even when the option was not enabled. prodded by deraadt@, discussions, help and ok markus@ djm@ dtucker@ | Alexander von Gernler
2008-06-13 | Explain the use of SSH fpr visualization using random art, and cite the original scientific paper inspiring that technique. Much help with English and nroff by jmc@, thanks. | Alexander von Gernler
2008-02-11 | bump Mdocdate for pages committed in "febuary", necessary because of a typo in rcs.c; | Jason McIntyre
2008-02-09 | Document the correct permissions for the ~/.ssh/ directory. ok jmc | Ryan Thomas McBride
2008-01-19 | satisfy the pedants: -q does not suppress all diagnostic messages (e.g. some commandline parsing warnings go unconditionally to stdout). | Damien Miller
2007-06-12 | add -K to SYNOPSIS; | Jason McIntyre
2007-06-12 | Add "-K" flag for ssh to set GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) and is useful for hosts with /home on Kerberised NFS; bz #1312 patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@ | Damien Miller
2007-06-07 | Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@ | Peter Valchev
2007-05-31 | convert to new .Dd format; | Jason McIntyre