author: des <des@FreeBSD.org> 2014-01-30 10:56:49 +0000
committer: des <des@FreeBSD.org> 2014-01-30 10:56:49 +0000
commit: 45d0197dd79eceffb5bbc29f75199eb09af5a5f9 (patch)
tree: 6c519c109631364b652faced88b665da4b6058ae /ssh_config.0
parent: 31fac2f7108f657f455d571b94ed1a5c86d075b2 (diff)
download: FreeBSD-src-45d0197dd79eceffb5bbc29f75199eb09af5a5f9.zip, FreeBSD-src-45d0197dd79eceffb5bbc29f75199eb09af5a5f9.tar.gz
Vendor import of OpenSSH 6.5p1.
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- ssh_config.0 131
1 files changed, 110 insertions, 21 deletions
diff --git a/ssh_config.0 b/ssh_config.0
index bd9e1ad..e9ac54b 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -38,8 +38,8 @@ DESCRIPTION
The possible keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
- Host Restricts the following declarations (up to the next Host
- keyword) to be only for those hosts that match one of the
+ Host Restricts the following declarations (up to the next Host or
+ Match keyword) to be only for those hosts that match one of the
patterns given after the keyword. If more than one pattern is
provided, they should be separated by whitespace. A single `*'
as a pattern can be used to provide global defaults for all
@@ -55,6 +55,37 @@ DESCRIPTION
See PATTERNS for more information on patterns.
+ Match Restricts the following declarations (up to the next Host or
+ Match keyword) to be used only when the conditions following the
+ Match keyword are satisfied. Match conditions are specified
+ using one or more keyword/criteria pairs or the single token all
+ which matches all criteria. The available keywords are: exec,
+ host, originalhost, user, and localuser.
+
+ The exec keyword executes the specified command under the user's
+ shell. If the command returns a zero exit status then the
+ condition is considered true. Commands containing whitespace
+ characters must be quoted. The following character sequences in
+ the command will be expanded prior to execution: `%L' will be
+ substituted by the first component of the local host name, `%l'
+ will be substituted by the local host name (including any domain
+ name), `%h' will be substituted by the target host name, `%n'
+ will be substituted by the original target host name specified on
+ the command-line, `%p' the destination port, `%r' by the remote
+ login username, and `%u' by the username of the user running
+ ssh(1).
+
+ The other keywords' criteria must be single entries or comma-
+ separated lists and may use the wildcard and negation operators
+ described in the PATTERNS section. The criteria for the host
+ keyword are matched against the target hostname, after any
+ substitution by the Hostname option. The originalhost keyword
+ matches against the hostname as it was specified on the command-
+ line. The user keyword matches against the target username on
+ the remote host. The localuser keyword matches against the name
+ of the local user running ssh(1) (this keyword may be useful in
+ system-wide ssh_config files).
+
AddressFamily
Specifies which address family to use when connecting. Valid
arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
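Review bot: the `exec` paragraph of the new Match entry leaves two things undefined that a reader of a system-wide ssh_config needs. First, it says a zero exit status makes the condition true but not what the condition evaluates to when the command cannot be run at all (no shell, command not found), which is the case an administrator relying on `Match exec` for policy has to reason about. Second, it says the command runs under the user's shell and that `%h`, `%n`, `%r` and `%u` are expanded "prior to execution", so the expanded values are seen by the shell; the entry should say whether a config author is expected to put those tokens inside quotes, alongside the existing sentence `Commands containing whitespace characters must be quoted.` A smaller point in the `host` paragraph: it says matching happens "after any substitution by the Hostname option", but this same import adds CanonicalizeHostname, so state whether the canonicalized name or the pre-canonicalization name is what `host` is compared against.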
@@ -72,6 +103,49 @@ DESCRIPTION
one address. Note that this option does not work if
UsePrivilegedPort is set to ``yes''.
+ CanonicalDomains
+ When CanonicalizeHostname is enabled, this option specifies the
+ list of domain suffixes in which to search for the specified
+ destination host.
+
+ CanonicalizeFallbackLocal
+ Specifies whether to fail with an error when hostname
+ canonicalization fails. The default, ``yes'', will attempt to
+ look up the unqualified hostname using the system resolver's
+ search rules. A value of ``no'' will cause ssh(1) to fail
+ instantly if CanonicalizeHostname is enabled and the target
+ hostname cannot be found in any of the domains specified by
+ CanonicalDomains.
+
+ CanonicalizeHostname
+ Controls whether explicit hostname canonicalization is performed.
+ The default, ``no'', is not to perform any name rewriting and let
+ the system resolver handle all hostname lookups. If set to
+ ``yes'' then, for connections that do not use a ProxyCommand,
+ ssh(1) will attempt to canonicalize the hostname specified on the
+ command line using the CanonicalDomains suffixes and
+ CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is
+ set to ``always'', then canonicalization is applied to proxied
+ connections too.
+
+ CanonicalizeMaxDots
+ Specifies the maximum number of dot characters in a hostname
+ before canonicalization is disabled. The default, ``1'', allows
+ a single dot (i.e. hostname.subdomain).
+
+ CanonicalizePermittedCNAMEs
+ Specifies rules to determine whether CNAMEs should be followed
+ when canonicalizing hostnames. The rules consist of one or more
+ arguments of source_domain_list:target_domain_list, where
+ source_domain_list is a pattern-list of domains that may follow
+ CNAMEs in canonicalization, and target_domain_list is a pattern-
+ list of domains that they may resolve to.
+
+ For example, ``*.a.example.com:*.b.example.com,*.c.example.com''
+ will allow hostnames matching ``*.a.example.com'' to be
+ canonicalized to names in the ``*.b.example.com'' or
+ ``*.c.example.com'' domains.
+
ChallengeResponseAuthentication
Specifies whether to use challenge-response authentication. The
argument to this keyword must be ``yes'' or ``no''. The default
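Review bot: CanonicalizePermittedCNAMEs is the only one of the five new Canonicalize* entries without a stated default, yet CanonicalizeHostname says canonicalization uses the "CanonicalizePermittedCNAMEs rules"; as written, a reader cannot tell whether CNAMEs are followed at all when the option is unset. Add a `The default is ...` sentence in the same form as CanonicalizeFallbackLocal, CanonicalizeHostname and CanonicalizeMaxDots. The CanonicalizeHostname entry should also say what the rewritten name is subsequently used for (host key lookup and later Host/Match evaluation), since that consequence is the reason an administrator would restrict CanonicalDomains and CanonicalizePermittedCNAMEs in the first place. Finally, CanonicalizeFallbackLocal documents ``yes'' as the default; it would help to add that ``no'' is the stricter choice for configurations that intend CanonicalDomains to be the only source of qualification.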
@@ -95,18 +169,25 @@ DESCRIPTION
Ciphers
Specifies the ciphers allowed for protocol version 2 in order of
preference. Multiple ciphers must be comma-separated. The
- supported ciphers are ``3des-cbc'', ``aes128-cbc'',
- ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'',
- ``aes256-ctr'', ``aes128-gcm@openssh.com'',
- ``aes256-gcm@openssh.com'', ``arcfour128'', ``arcfour256'',
- ``arcfour'', ``blowfish-cbc'', and ``cast128-cbc''. The default
- is:
+ supported ciphers are:
+
+ ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
+ ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
+ ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',
+ ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
+ ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''.
+
+ The default is:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
+ chacha20-poly1305@openssh.com,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
+ The list of available ciphers may also be obtained using the -Q
+ option of ssh(1).
+
ClearAllForwardings
Specifies that all local, remote, and dynamic port forwardings
specified in the configuration files or on the command line be
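Review bot: the reworked default list adds chacha20-poly1305@openssh.com but still places arcfour256 and arcfour128 ahead of the three AEAD ciphers and keeps arcfour and the CBC modes at the tail. If that preference order is deliberate the entry could say so briefly; either way, since the text now says the default is what applies unless Ciphers is set, it should note that an administrator who wants to exclude the RC4 and CBC modes must set Ciphers explicitly rather than rely on the default. The new sentence pointing at `ssh -Q` is a good addition for exactly that purpose.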
@@ -174,9 +255,9 @@ DESCRIPTION
name, `%l' will be substituted by the local host name (including
any domain name), `%h' will be substituted by the target host
name, `%n' will be substituted by the original target host name
- specified on the command line, `%p' the port, `%r' by the remote
- login username, and `%u' by the username of the user running
- ssh(1). It is recommended that any ControlPath used for
+ specified on the command line, `%p' the destination port, `%r' by
+ the remote login username, and `%u' by the username of the user
+ running ssh(1). It is recommended that any ControlPath used for
opportunistic connection sharing include at least %h, %p, and %r.
This ensures that shared connections are uniquely identified.
@@ -331,10 +412,11 @@ DESCRIPTION
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
- ssh-rsa,ssh-dss
+ ssh-ed25519,ssh-rsa,ssh-dss
If hostkeys are known for the destination host then this default
is modified to prefer their algorithms.
@@ -364,14 +446,15 @@ DESCRIPTION
default is ``no''.
IdentityFile
- Specifies a file from which the user's DSA, ECDSA or RSA
+ Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA
authentication identity is read. The default is ~/.ssh/identity
- for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and
- ~/.ssh/id_rsa for protocol version 2. Additionally, any
- identities represented by the authentication agent will be used
- for authentication unless IdentitiesOnly is set. ssh(1) will try
- to load certificate information from the filename obtained by
- appending -cert.pub to the path of a specified IdentityFile.
+ for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
+ ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
+ Additionally, any identities represented by the authentication
+ agent will be used for authentication unless IdentitiesOnly is
+ set. ssh(1) will try to load certificate information from the
+ filename obtained by appending -cert.pub to the path of a
+ specified IdentityFile.
The file name may use the tilde syntax to refer to a user's home
directory or one of the following escape characters: `%d' (local
@@ -426,6 +509,7 @@ DESCRIPTION
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. The default is:
+ curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
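Review bot: curve25519-sha256@libssh.org is inserted at the head of the default KexAlgorithms preference list, above the ECDH and group-exchange methods, which is the right placement. The visible part of the list still continues with diffie-hellman-group-exchange-sha1, so the entry should say, as the Ciphers entry ought to, that a client which wants to exclude the SHA-1 based exchanges must set KexAlgorithms explicitly.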
@@ -557,6 +641,11 @@ DESCRIPTION
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
+ ProxyUseFdpass
+ Specifies that ProxyCommand will pass a connected file descriptor
+ back to ssh(1) instead of continuing to execute and pass data.
+ The default is ``no''.
+
PubkeyAuthentication
Specifies whether to try public key authentication. The argument
to this keyword must be ``yes'' or ``no''. The default is
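Review bot: the ProxyUseFdpass entry says the ProxyCommand passes "a connected file descriptor back to ssh(1)" but not how; a ProxyCommand author needs to know over which of the child's descriptors the connected socket is sent and by what mechanism, so either describe that here or cross-reference where it is documented. It should also state explicitly that once the descriptor is received ssh(1) stops reading from and writing to the ProxyCommand's stdio, since "instead of continuing to execute and pass data" leaves that behaviour implicit.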
@@ -763,7 +852,7 @@ PATTERNS
A pattern-list is a comma-separated list of patterns. Patterns within
pattern-lists may be negated by preceding them with an exclamation mark
(`!'). For example, to allow a key to be used from anywhere within an
- organisation except from the ``dialup'' pool, the following entry (in
+ organization except from the ``dialup'' pool, the following entry (in
authorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
@@ -792,4 +881,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 5.4 June 27, 2013 OpenBSD 5.4
+OpenBSD 5.4 January 19, 2014 OpenBSD 5.4