path: root/crypto/openssh/ssh_config.5
Diffstat (limited to 'crypto/openssh/ssh_config.5')
-rw-r--r--  crypto/openssh/ssh_config.5  54
1 files changed, 43 insertions, 11 deletions
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 881aab69d19a..9dcb6a84754f 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.268 2018/02/23 07:38:09 jmc Exp $
.\" $FreeBSD$
-.Dd $Mdocdate: September 21 2017 $
+.Dd $Mdocdate: February 23 2018 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -263,6 +263,13 @@ Note that this option does not work if
.Cm UsePrivilegedPort
is set to
.Cm yes .
+.It Cm BindInterface
+Use the address of the specified interface on the local machine as the
+source address of the connection.
+Note that this option does not work if
+.Cm UsePrivilegedPort
+is set to
+.Cm yes .
.It Cm CanonicalDomains
When
.Cm CanonicalizeHostname
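Review bot: the UsePrivilegedPort caveat under the new BindInterface entry is copied verbatim from the BindAddress entry just above it; before duplicating it, check that UsePrivilegedPort is still a documented ssh_config keyword in this version of the page, since a cross-reference to a removed option is worse than none. The entry would also help readers if it said how BindInterface and BindAddress interact when both are set (which one wins, or whether the second is an error), since both claim to select the connection's source address.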
@@ -1017,7 +1024,10 @@ The default is:
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
+diffie-hellman-group16-sha512,
+diffie-hellman-group18-sha512,
diffie-hellman-group-exchange-sha1,
+diffie-hellman-group14-sha256,
diffie-hellman-group14-sha1
.Ed
.Pp
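Review bot: this list is preference-ordered, and the hunk keeps diffie-hellman-group-exchange-sha1 ahead of the newly added diffie-hellman-group14-sha256 while the group16/group18 sha512 entries go above it; if that ordering is intentional (it matches upstream's default), fine, but the page should make sure the text matches the client's compiled-in default rather than the output of "ssh -Q kex", which lists every supported method, not the default preference. A practitioner verifying the effective list on a given host should use "ssh -G host | grep -i kexalgorithms", which prints the resolved configuration.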
@@ -1109,10 +1119,7 @@ hmac-sha2-256,hmac-sha2-512,hmac-sha1
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
-This option can be used if the home directory is shared across machines.
-In this case localhost will refer to a different machine on each of
-the machines and the user will get many warnings about changed host keys.
-However, this option disables host authentication for localhost.
+Disable host authentication for localhost (loopback addresses).
The argument to this keyword must be
.Cm yes
or
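Review bot: the one-line replacement drops the only explanation of why anyone would set NoHostAuthenticationForLocalhost (a home directory shared across machines) without adding a warning about what it costs; since the option disables host key checking for every connection to a loopback address, it also silences checks on a locally forwarded port whose far end is a remote host, such as "ssh -p 2222 localhost" through a tunnel. Suggest keeping a short rationale and adding that caveat, e.g. "Note that this also affects connections to forwarded ports on localhost."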
@@ -1200,13 +1207,14 @@ For example, the following directive would connect via an HTTP proxy at
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
.Ed
.It Cm ProxyJump
-Specifies one or more jump proxies as
+Specifies one or more jump proxies as either
.Xo
.Sm off
.Op Ar user No @
.Ar host
.Op : Ns Ar port
.Sm on
+or an ssh URI
.Xc .
Multiple proxies may be separated by comma characters and will be visited
sequentially.
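Review bot: "or an ssh URI" introduces a second syntax without describing it or saying where it is defined; add ".Xr ssh 1" here, since the URI form ("ssh://[user@]hostname[:port]") is documented in the ssh(1) synopsis, and state whether a comma-separated list may mix the two forms, as the following sentence about multiple proxies now reads as applying to both.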
@@ -1459,7 +1467,7 @@ If this flag is set to
will never automatically add host keys to the
.Pa ~/.ssh/known_hosts
file, and refuses to connect to hosts whose host key has changed.
-This provides maximum protection against trojan horse attacks,
+This provides maximum protection against man-in-the-middle (MITM) attacks,
though it can be annoying when the
.Pa /etc/ssh/ssh_known_hosts
file is poorly maintained or when connections to new hosts are
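Review bot: the change from "trojan horse attacks" to "man-in-the-middle (MITM) attacks" is the right description of what a known_hosts pin defends against; the "(MITM)" abbreviation is never reused on the page, so it can be dropped. The protection is only as strong as the provenance of the pinned keys, which the surrounding text already hints at with the "poorly maintained" remark, so no further change is needed here.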
@@ -1511,6 +1519,9 @@ This is important in scripts, and many users want it too.
.Pp
To disable TCP keepalive messages, the value should be set to
.Cm no .
+See also
+.Cm ServerAliveInterval
+for protocol-level keepalives.
.It Cm Tunnel
Request
.Xr tun 4
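Review bot: the new cross-reference says only "protocol-level keepalives", which hides the security-relevant difference: TCP keepalives are plain TCP segments that any on-path party can answer or spoof, whereas ServerAliveInterval probes travel inside the encrypted, authenticated channel and can only be answered by the real peer. One phrase such as "for keepalives sent through the encrypted channel" would make the reason to prefer ServerAliveInterval clear.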
@@ -1630,7 +1641,7 @@ in
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
-.Dq FreeBSD-20180507 .
+.Dq FreeBSD-20180510 .
The value
.Cm none
may be used to disable this.
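Review bot: the VersionAddendum default string is sent in the clear in the client's protocol banner before any authentication, so it is a fingerprint; the documented date must match the string compiled into the client (the version.h definition) or the page will mislead anyone matching banners, and the diffstat here covers only ssh_config.5, so confirm the same commit updates version.h and the sshd_config.5 counterpart.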
@@ -1687,6 +1698,18 @@ pool,
the following entry (in authorized_keys) could be used:
.Pp
.Dl from=\&"!*.dialup.example.com,*.example.com\&"
+.Pp
+Note that a negated match will never produce a positive result by itself.
+For example, attempting to match
+.Qq host3
+against the following pattern-list will fail:
+.Pp
+.Dl from=\&"!host1,!host2\&"
+.Pp
+The solution here is to include a term that will yield a positive match,
+such as a wildcard:
+.Pp
+.Dl from=\&"!host1,!host2,*\&"
.Sh TOKENS
Arguments to some keywords can make use of tokens,
which are expanded at runtime:
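Review bot: the new paragraph explains that "!host1,!host2" can never match, but not that a negated term rejects as soon as it matches regardless of its position, so "!host1,!host2,*" and "*,!host1,!host2" behave the same; saying so would stop readers from assuming the wildcard "wins" because it comes last. Since the examples are authorized_keys "from=" options, it is also worth a reminder that hostname patterns there are matched against reverse DNS of the connecting address and an address or CIDR term is the more robust choice.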
@@ -1696,7 +1719,7 @@ which are expanded at runtime:
A literal
.Sq % .
.It \&%C
-Shorthand for %l%h%p%r.
+Hash of %l%h%p%r.
.It %d
Local user's home directory.
.It %h
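Review bot: "Hash of %l%h%p%r" is more accurate than "Shorthand", but it leaves out what readers actually need from %C: the digest and its length, because the main use is ControlPath, where the hash exists to keep the socket path under the platform's Unix-socket path limit. State the algorithm and output length (in current OpenSSH a hex SHA-1 digest, 40 characters) so users can judge whether "~/.ssh/cm-%C" fits.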
@@ -1713,6 +1736,15 @@ The original remote hostname, as given on the command line.
The remote port.
.It %r
The remote username.
+.It \&%T
+The local
+.Xr tun 4
+or
+.Xr tap 4
+network interface assigned if
+tunnel forwarding was requested, or
+.Qq NONE
+otherwise.
.It %u
The local username.
.El
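Review bot: the %T entry should say that the token only carries a real interface name once the tunnel has been set up, which in practice means it is useful in LocalCommand and nowhere else; scripts reading it must treat the literal string "NONE" as the no-tunnel case rather than an empty value, and the entry would be clearer if it said so explicitly.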
@@ -1735,7 +1767,7 @@ and
accept the tokens %%, %d, %h, %l, %r, and %u.
.Pp
.Cm LocalCommand
-accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
+accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, %T, and %u.
.Pp
.Cm ProxyCommand
accepts the tokens %%, %h, %p, and %r.
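Review bot: adding %T to the LocalCommand token list is consistent with the new TOKENS entry; it would help to note here that LocalCommand is executed only when PermitLocalCommand is yes and runs after the connection is established, which is why %T is meaningful for it but not for ProxyCommand, whose token list on the following lines correctly omits it.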