Diffstat (limited to 'crypto/openssh/ssh_config.5')
-rw-r--r-- crypto/openssh/ssh_config.5 39
1 files changed, 37 insertions, 2 deletions
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index f23edeb62ac7..25fe95933c05 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.379 2023/03/10 02:32:04 djm Exp $
-.Dd $Mdocdate: March 10 2023 $
+.\" $OpenBSD: ssh_config.5,v 1.383 2023/07/17 05:36:14 jsg Exp $
+.Dd $Mdocdate: July 17 2023 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -141,8 +141,10 @@ The available criteria keywords are:
.Cm canonical ,
.Cm final ,
.Cm exec ,
+.Cm localnetwork ,
.Cm host ,
.Cm originalhost ,
+.Cm Tag ,
.Cm user ,
and
.Cm localuser .
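Review bot: the criteria list gains ".Cm Tag ," but the criterion this patch documents further down is ".Cm tagged"; Tag is the directive that sets the name, not the Match criterion that tests it. The list entry should read ".Cm tagged ," so that it agrees with the description and with the lower-case style of the other criteria keywords.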
@@ -195,6 +197,17 @@ accept the tokens described in the
.Sx TOKENS
section.
.Pp
+The
+.Cm localnetwork
+keyword matches the addresses of active local network interfaces against the
+supplied list of networks in CIDR format.
+This may be convenient for varying the effective configuration on devices that
+roam between networks.
+Note that network address is not a trustworthy criteria in many
+situations (e.g. when the network is automatically configured using DHCP)
+and so caution should be applied if using it to control security-sensitive
+configuration.
+.Pp
The other keywords' criteria must be single entries or comma-separated
lists and may use the wildcard and negation operators described in the
.Sx PATTERNS
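Review bot: in the added localnetwork paragraph, "a trustworthy criteria" should be "a trustworthy criterion", and "network address" wants an article. The paragraph also leaves open whether the match succeeds when any one active interface address falls inside a listed network or only when all do, and whether negation applies to the CIDR list, given that the following sentence scopes wildcard and negation to "the other keywords". Since the text itself warns against using this criterion for security-sensitive configuration, stating those semantics explicitly would help readers avoid a block taking effect on a network they did not intend.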
@@ -211,6 +224,15 @@ The
.Cm originalhost
keyword matches against the hostname as it was specified on the command-line.
The
+.Cm tagged
+keyword matches a tag name specified by a prior
+.Cm Tag
+directive or on the
+.Xr ssh 1
+command-line using the
+.Fl P
+flag.
+The
.Cm user
keyword matches against the target username on the remote host.
The
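Review bot: the tagged description names two sources for the tag, a prior Tag directive and the ssh(1) -P flag, without saying which one takes effect when both are present or when more than one Tag directive is encountered. A sentence on precedence belongs here, since it decides which Match block is selected.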
@@ -1670,6 +1692,14 @@ an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
+Arguments to
+.Cm RevokedHostKeys
+may use the tilde syntax to refer to a user's home directory,
+the tokens described in the
+.Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
+section.
.It Cm SecurityKeyProvider
Specifies a path to a library that will be used when loading any
FIDO authenticator-hosted keys, overriding the default of using
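Review bot: the new RevokedHostKeys sentence promises environment variable expansion "as described in the ENVIRONMENT VARIABLES section", and the last hunk adds the keyword to the TOKENS list, but no hunk in this diff touches the ENVIRONMENT VARIABLES section. If that section enumerates the keywords that support expansion, RevokedHostKeys needs adding there as well so the two places agree.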
@@ -1871,6 +1901,10 @@ To disable TCP keepalive messages, the value should be set to
See also
.Cm ServerAliveInterval
for protocol-level keepalives.
+.It Cm Tag
+Specify a configuration tag name that may be later used by a
+.Cm Match
+directive to select a block of configuration.
.It Cm Tunnel
Request
.Xr tun 4
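Review bot: the Tag entry says the name "may be later used by a Match directive" but does not name the criterion that consumes it. Suggest "may later be used by a Match tagged directive", with a pointer to the ssh(1) -P alternative described under Match, so a reader landing on this entry can find the matching side.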
@@ -2148,6 +2182,7 @@ The local username.
.Cm Match exec ,
.Cm RemoteCommand ,
.Cm RemoteForward ,
+.Cm RevokedHostKeys ,
and
.Cm UserKnownHostsFile
accept the tokens %%, %C, %d, %h, %i, %k, %L, %l, %n, %p, %r, and %u.