diff options
author | Colin Watson <cjwatson@debian.org> | 2010-08-23 23:52:36 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2010-08-23 23:52:36 +0100 |
commit | 78799892cb1858927be02be9737c594052e3f910 (patch) | |
tree | ac3dc2e848ab9dc62fe4252e01e52c3d456f628f /ssh_config.0 | |
parent | 3875951bb76a9ec62634ae4026c9cc885d933477 (diff) | |
parent | 31e30b835fd9695d3b6647cab4867001b092e28f (diff) |
* New upstream release (http://www.openssh.com/txt/release-5.6):
- Added a ControlPersist option to ssh_config(5) that automatically
starts a background ssh(1) multiplex master when connecting. This
connection can stay alive indefinitely, or can be set to automatically
close after a user-specified duration of inactivity (closes: #335697,
#350898, #454787, #500573, #550262).
- Support AuthorizedKeysFile, AuthorizedPrincipalsFile,
HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5)
Match blocks (closes: #549858).
- sftp(1): fix ls in working directories that contain globbing
characters in their pathnames (LP: #530714).
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 548 |
1 files changed, 291 insertions, 257 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 1a2c64ce1..6c19de765 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -8,21 +8,21 @@ SYNOPSIS | |||
8 | /etc/ssh/ssh_config | 8 | /etc/ssh/ssh_config |
9 | 9 | ||
10 | DESCRIPTION | 10 | DESCRIPTION |
11 | ssh(1) obtains configuration data from the following sources in the fol- | 11 | ssh(1) obtains configuration data from the following sources in the |
12 | lowing order: | 12 | following order: |
13 | 13 | ||
14 | 1. command-line options | 14 | 1. command-line options |
15 | 2. user's configuration file (~/.ssh/config) | 15 | 2. user's configuration file (~/.ssh/config) |
16 | 3. system-wide configuration file (/etc/ssh/ssh_config) | 16 | 3. system-wide configuration file (/etc/ssh/ssh_config) |
17 | 17 | ||
18 | For each parameter, the first obtained value will be used. The configu- | 18 | For each parameter, the first obtained value will be used. The |
19 | ration files contain sections separated by ``Host'' specifications, and | 19 | configuration files contain sections separated by ``Host'' |
20 | that section is only applied for hosts that match one of the patterns | 20 | specifications, and that section is only applied for hosts that match one |
21 | given in the specification. The matched host name is the one given on | 21 | of the patterns given in the specification. The matched host name is the |
22 | the command line. | 22 | one given on the command line. |
23 | 23 | ||
24 | Since the first obtained value for each parameter is used, more host-spe- | 24 | Since the first obtained value for each parameter is used, more host- |
25 | cific declarations should be given near the beginning of the file, and | 25 | specific declarations should be given near the beginning of the file, and |
26 | general defaults at the end. | 26 | general defaults at the end. |
27 | 27 | ||
28 | The configuration file has the following format: | 28 | The configuration file has the following format: |
@@ -30,29 +30,29 @@ DESCRIPTION | |||
30 | Empty lines and lines starting with `#' are comments. Otherwise a line | 30 | Empty lines and lines starting with `#' are comments. Otherwise a line |
31 | is of the format ``keyword arguments''. Configuration options may be | 31 | is of the format ``keyword arguments''. Configuration options may be |
32 | separated by whitespace or optional whitespace and exactly one `='; the | 32 | separated by whitespace or optional whitespace and exactly one `='; the |
33 | latter format is useful to avoid the need to quote whitespace when speci- | 33 | latter format is useful to avoid the need to quote whitespace when |
34 | fying configuration options using the ssh, scp, and sftp -o option. Ar- | 34 | specifying configuration options using the ssh, scp, and sftp -o option. |
35 | guments may optionally be enclosed in double quotes (") in order to rep- | 35 | Arguments may optionally be enclosed in double quotes (") in order to |
36 | resent arguments containing spaces. | 36 | represent arguments containing spaces. |
37 | 37 | ||
38 | The possible keywords and their meanings are as follows (note that key- | 38 | The possible keywords and their meanings are as follows (note that |
39 | words are case-insensitive and arguments are case-sensitive): | 39 | keywords are case-insensitive and arguments are case-sensitive): |
40 | 40 | ||
41 | Host Restricts the following declarations (up to the next Host key- | 41 | Host Restricts the following declarations (up to the next Host |
42 | word) to be only for those hosts that match one of the patterns | 42 | keyword) to be only for those hosts that match one of the |
43 | given after the keyword. If more than one pattern is provided, | 43 | patterns given after the keyword. If more than one pattern is |
44 | they should be separated by whitespace. A single `*' as a pat- | 44 | provided, they should be separated by whitespace. A single `*' |
45 | tern can be used to provide global defaults for all hosts. The | 45 | as a pattern can be used to provide global defaults for all |
46 | host is the hostname argument given on the command line (i.e. the | 46 | hosts. The host is the hostname argument given on the command |
47 | name is not converted to a canonicalized host name before match- | 47 | line (i.e. the name is not converted to a canonicalized host name |
48 | ing). | 48 | before matching). |
49 | 49 | ||
50 | See PATTERNS for more information on patterns. | 50 | See PATTERNS for more information on patterns. |
51 | 51 | ||
52 | AddressFamily | 52 | AddressFamily |
53 | Specifies which address family to use when connecting. Valid ar- | 53 | Specifies which address family to use when connecting. Valid |
54 | guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use | 54 | arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' |
55 | IPv6 only). | 55 | (use IPv6 only). |
56 | 56 | ||
57 | BatchMode | 57 | BatchMode |
58 | If set to ``yes'', passphrase/password querying will be disabled. | 58 | If set to ``yes'', passphrase/password querying will be disabled. |
@@ -61,8 +61,8 @@ DESCRIPTION | |||
61 | ``yes'' or ``no''. The default is ``no''. | 61 | ``yes'' or ``no''. The default is ``no''. |
62 | 62 | ||
63 | BindAddress | 63 | BindAddress |
64 | Use the specified address on the local machine as the source ad- | 64 | Use the specified address on the local machine as the source |
65 | dress of the connection. Only useful on systems with more than | 65 | address of the connection. Only useful on systems with more than |
66 | one address. Note that this option does not work if | 66 | one address. Note that this option does not work if |
67 | UsePrivilegedPort is set to ``yes''. | 67 | UsePrivilegedPort is set to ``yes''. |
68 | 68 | ||
@@ -78,20 +78,21 @@ DESCRIPTION | |||
78 | is set to ``no'', the check will not be executed. The default is | 78 | is set to ``no'', the check will not be executed. The default is |
79 | ``yes''. | 79 | ``yes''. |
80 | 80 | ||
81 | Cipher Specifies the cipher to use for encrypting the session in proto- | 81 | Cipher Specifies the cipher to use for encrypting the session in |
82 | col version 1. Currently, ``blowfish'', ``3des'', and ``des'' | 82 | protocol version 1. Currently, ``blowfish'', ``3des'', and |
83 | are supported. des is only supported in the ssh(1) client for | 83 | ``des'' are supported. des is only supported in the ssh(1) |
84 | interoperability with legacy protocol 1 implementations that do | 84 | client for interoperability with legacy protocol 1 |
85 | not support the 3des cipher. Its use is strongly discouraged due | 85 | implementations that do not support the 3des cipher. Its use is |
86 | to cryptographic weaknesses. The default is ``3des''. | 86 | strongly discouraged due to cryptographic weaknesses. The |
87 | default is ``3des''. | ||
87 | 88 | ||
88 | Ciphers | 89 | Ciphers |
89 | Specifies the ciphers allowed for protocol version 2 in order of | 90 | Specifies the ciphers allowed for protocol version 2 in order of |
90 | preference. Multiple ciphers must be comma-separated. The sup- | 91 | preference. Multiple ciphers must be comma-separated. The |
91 | ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', | 92 | supported ciphers are ``3des-cbc'', ``aes128-cbc'', |
92 | ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | 93 | ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', |
93 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', | 94 | ``aes256-ctr'', ``arcfour128'', ``arcfour256'', ``arcfour'', |
94 | and ``cast128-cbc''. The default is: | 95 | ``blowfish-cbc'', and ``cast128-cbc''. The default is: |
95 | 96 | ||
96 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, | 97 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, |
97 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, | 98 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, |
@@ -101,9 +102,10 @@ DESCRIPTION | |||
101 | Specifies that all local, remote, and dynamic port forwardings | 102 | Specifies that all local, remote, and dynamic port forwardings |
102 | specified in the configuration files or on the command line be | 103 | specified in the configuration files or on the command line be |
103 | cleared. This option is primarily useful when used from the | 104 | cleared. This option is primarily useful when used from the |
104 | ssh(1) command line to clear port forwardings set in configura- | 105 | ssh(1) command line to clear port forwardings set in |
105 | tion files, and is automatically set by scp(1) and sftp(1). The | 106 | configuration files, and is automatically set by scp(1) and |
106 | argument must be ``yes'' or ``no''. The default is ``no''. | 107 | sftp(1). The argument must be ``yes'' or ``no''. The default is |
108 | ``no''. | ||
107 | 109 | ||
108 | Compression | 110 | Compression |
109 | Specifies whether to use compression. The argument must be | 111 | Specifies whether to use compression. The argument must be |
@@ -117,37 +119,37 @@ DESCRIPTION | |||
117 | option applies to protocol version 1 only. | 119 | option applies to protocol version 1 only. |
118 | 120 | ||
119 | ConnectionAttempts | 121 | ConnectionAttempts |
120 | Specifies the number of tries (one per second) to make before ex- | 122 | Specifies the number of tries (one per second) to make before |
121 | iting. The argument must be an integer. This may be useful in | 123 | exiting. The argument must be an integer. This may be useful in |
122 | scripts if the connection sometimes fails. The default is 1. | 124 | scripts if the connection sometimes fails. The default is 1. |
123 | 125 | ||
124 | ConnectTimeout | 126 | ConnectTimeout |
125 | Specifies the timeout (in seconds) used when connecting to the | 127 | Specifies the timeout (in seconds) used when connecting to the |
126 | SSH server, instead of using the default system TCP timeout. | 128 | SSH server, instead of using the default system TCP timeout. |
127 | This value is used only when the target is down or really un- | 129 | This value is used only when the target is down or really |
128 | reachable, not when it refuses the connection. | 130 | unreachable, not when it refuses the connection. |
129 | 131 | ||
130 | ControlMaster | 132 | ControlMaster |
131 | Enables the sharing of multiple sessions over a single network | 133 | Enables the sharing of multiple sessions over a single network |
132 | connection. When set to ``yes'', ssh(1) will listen for connec- | 134 | connection. When set to ``yes'', ssh(1) will listen for |
133 | tions on a control socket specified using the ControlPath argu- | 135 | connections on a control socket specified using the ControlPath |
134 | ment. Additional sessions can connect to this socket using the | 136 | argument. Additional sessions can connect to this socket using |
135 | same ControlPath with ControlMaster set to ``no'' (the default). | 137 | the same ControlPath with ControlMaster set to ``no'' (the |
136 | These sessions will try to reuse the master instance's network | 138 | default). These sessions will try to reuse the master instance's |
137 | connection rather than initiating new ones, but will fall back to | 139 | network connection rather than initiating new ones, but will fall |
138 | connecting normally if the control socket does not exist, or is | 140 | back to connecting normally if the control socket does not exist, |
139 | not listening. | 141 | or is not listening. |
140 | 142 | ||
141 | Setting this to ``ask'' will cause ssh to listen for control con- | 143 | Setting this to ``ask'' will cause ssh to listen for control |
142 | nections, but require confirmation using the SSH_ASKPASS program | 144 | connections, but require confirmation using the SSH_ASKPASS |
143 | before they are accepted (see ssh-add(1) for details). If the | 145 | program before they are accepted (see ssh-add(1) for details). |
144 | ControlPath cannot be opened, ssh will continue without connect- | 146 | If the ControlPath cannot be opened, ssh will continue without |
145 | ing to a master instance. | 147 | connecting to a master instance. |
146 | 148 | ||
147 | X11 and ssh-agent(1) forwarding is supported over these multi- | 149 | X11 and ssh-agent(1) forwarding is supported over these |
148 | plexed connections, however the display and agent forwarded will | 150 | multiplexed connections, however the display and agent forwarded |
149 | be the one belonging to the master connection i.e. it is not pos- | 151 | will be the one belonging to the master connection i.e. it is not |
150 | sible to forward multiple displays or agents. | 152 | possible to forward multiple displays or agents. |
151 | 153 | ||
152 | Two additional options allow for opportunistic multiplexing: try | 154 | Two additional options allow for opportunistic multiplexing: try |
153 | to use a master connection but fall back to creating a new one if | 155 | to use a master connection but fall back to creating a new one if |
@@ -156,14 +158,30 @@ DESCRIPTION | |||
156 | option. | 158 | option. |
157 | 159 | ||
158 | ControlPath | 160 | ControlPath |
159 | Specify the path to the control socket used for connection shar- | 161 | Specify the path to the control socket used for connection |
160 | ing as described in the ControlMaster section above or the string | 162 | sharing as described in the ControlMaster section above or the |
161 | ``none'' to disable connection sharing. In the path, `%l' will | 163 | string ``none'' to disable connection sharing. In the path, `%l' |
162 | be substituted by the local host name, `%h' will be substituted | 164 | will be substituted by the local host name, `%h' will be |
163 | by the target host name, `%p' the port, and `%r' by the remote | 165 | substituted by the target host name, `%p' the port, and `%r' by |
164 | login username. It is recommended that any ControlPath used for | 166 | the remote login username. It is recommended that any |
165 | opportunistic connection sharing include at least %h, %p, and %r. | 167 | ControlPath used for opportunistic connection sharing include at |
166 | This ensures that shared connections are uniquely identified. | 168 | least %h, %p, and %r. This ensures that shared connections are |
169 | uniquely identified. | ||
170 | |||
171 | ControlPersist | ||
172 | When used in conjunction with ControlMaster, specifies that the | ||
173 | master connection should remain open in the background (waiting | ||
174 | for future client connections) after the initial client | ||
175 | connection has been closed. If set to ``no'', then the master | ||
176 | connection will not be placed into the background, and will close | ||
177 | as soon as the initial client connection is closed. If set to | ||
178 | ``yes'', then the master connection will remain in the background | ||
179 | indefinitely (until killed or closed via a mechanism such as the | ||
180 | ssh(1) ``-O exit'' option). If set to a time in seconds, or a | ||
181 | time in any of the formats documented in sshd_config(5), then the | ||
182 | backgrounded master connection will automatically terminate after | ||
183 | it has remained idle (with no client connections) for the | ||
184 | specified time. | ||
167 | 185 | ||
168 | DynamicForward | 186 | DynamicForward |
169 | Specifies that a TCP port on the local machine be forwarded over | 187 | Specifies that a TCP port on the local machine be forwarded over |
@@ -171,14 +189,13 @@ DESCRIPTION | |||
171 | determine where to connect to from the remote machine. | 189 | determine where to connect to from the remote machine. |
172 | 190 | ||
173 | The argument must be [bind_address:]port. IPv6 addresses can be | 191 | The argument must be [bind_address:]port. IPv6 addresses can be |
174 | specified by enclosing addresses in square brackets or by using | 192 | specified by enclosing addresses in square brackets. By default, |
175 | an alternative syntax: [bind_address/]port. By default, the lo- | 193 | the local port is bound in accordance with the GatewayPorts |
176 | cal port is bound in accordance with the GatewayPorts setting. | 194 | setting. However, an explicit bind_address may be used to bind |
177 | However, an explicit bind_address may be used to bind the connec- | 195 | the connection to a specific address. The bind_address of |
178 | tion to a specific address. The bind_address of ``localhost'' | 196 | ``localhost'' indicates that the listening port be bound for |
179 | indicates that the listening port be bound for local use only, | 197 | local use only, while an empty address or `*' indicates that the |
180 | while an empty address or `*' indicates that the port should be | 198 | port should be available from all interfaces. |
181 | available from all interfaces. | ||
182 | 199 | ||
183 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | 200 | Currently the SOCKS4 and SOCKS5 protocols are supported, and |
184 | ssh(1) will act as a SOCKS server. Multiple forwardings may be | 201 | ssh(1) will act as a SOCKS server. Multiple forwardings may be |
@@ -196,9 +213,9 @@ DESCRIPTION | |||
196 | EscapeChar | 213 | EscapeChar |
197 | Sets the escape character (default: `~'). The escape character | 214 | Sets the escape character (default: `~'). The escape character |
198 | can also be set on the command line. The argument should be a | 215 | can also be set on the command line. The argument should be a |
199 | single character, `^' followed by a letter, or ``none'' to dis- | 216 | single character, `^' followed by a letter, or ``none'' to |
200 | able the escape character entirely (making the connection trans- | 217 | disable the escape character entirely (making the connection |
201 | parent for binary data). | 218 | transparent for binary data). |
202 | 219 | ||
203 | ExitOnForwardFailure | 220 | ExitOnForwardFailure |
204 | Specifies whether ssh(1) should terminate the connection if it | 221 | Specifies whether ssh(1) should terminate the connection if it |
@@ -220,26 +237,34 @@ DESCRIPTION | |||
220 | the agent. | 237 | the agent. |
221 | 238 | ||
222 | ForwardX11 | 239 | ForwardX11 |
223 | Specifies whether X11 connections will be automatically redirect- | 240 | Specifies whether X11 connections will be automatically |
224 | ed over the secure channel and DISPLAY set. The argument must be | 241 | redirected over the secure channel and DISPLAY set. The argument |
225 | ``yes'' or ``no''. The default is ``no''. | 242 | must be ``yes'' or ``no''. The default is ``no''. |
226 | 243 | ||
227 | X11 forwarding should be enabled with caution. Users with the | 244 | X11 forwarding should be enabled with caution. Users with the |
228 | ability to bypass file permissions on the remote host (for the | 245 | ability to bypass file permissions on the remote host (for the |
229 | user's X11 authorization database) can access the local X11 dis- | 246 | user's X11 authorization database) can access the local X11 |
230 | play through the forwarded connection. An attacker may then be | 247 | display through the forwarded connection. An attacker may then |
231 | able to perform activities such as keystroke monitoring if the | 248 | be able to perform activities such as keystroke monitoring if the |
232 | ForwardX11Trusted option is also enabled. | 249 | ForwardX11Trusted option is also enabled. |
233 | 250 | ||
251 | ForwardX11Timeout | ||
252 | Specify a timeout for untrusted X11 forwarding using the format | ||
253 | described in the TIME FORMATS section of sshd_config(5). X11 | ||
254 | connections received by ssh(1) after this time will be refused. | ||
255 | The default is to disable untrusted X11 forwarding after twenty | ||
256 | minutes has elapsed. | ||
257 | |||
234 | ForwardX11Trusted | 258 | ForwardX11Trusted |
235 | If this option is set to ``yes'', remote X11 clients will have | 259 | If this option is set to ``yes'', remote X11 clients will have |
236 | full access to the original X11 display. | 260 | full access to the original X11 display. |
237 | 261 | ||
238 | If this option is set to ``no'', remote X11 clients will be con- | 262 | If this option is set to ``no'', remote X11 clients will be |
239 | sidered untrusted and prevented from stealing or tampering with | 263 | considered untrusted and prevented from stealing or tampering |
240 | data belonging to trusted X11 clients. Furthermore, the xauth(1) | 264 | with data belonging to trusted X11 clients. Furthermore, the |
241 | token used for the session will be set to expire after 20 min- | 265 | xauth(1) token used for the session will be set to expire after |
242 | utes. Remote clients will be refused access after this time. | 266 | 20 minutes. Remote clients will be refused access after this |
267 | time. | ||
243 | 268 | ||
244 | The default is ``no''. | 269 | The default is ``no''. |
245 | 270 | ||
@@ -250,11 +275,11 @@ DESCRIPTION | |||
250 | Specifies whether remote hosts are allowed to connect to local | 275 | Specifies whether remote hosts are allowed to connect to local |
251 | forwarded ports. By default, ssh(1) binds local port forwardings | 276 | forwarded ports. By default, ssh(1) binds local port forwardings |
252 | to the loopback address. This prevents other remote hosts from | 277 | to the loopback address. This prevents other remote hosts from |
253 | connecting to forwarded ports. GatewayPorts can be used to spec- | 278 | connecting to forwarded ports. GatewayPorts can be used to |
254 | ify that ssh should bind local port forwardings to the wildcard | 279 | specify that ssh should bind local port forwardings to the |
255 | address, thus allowing remote hosts to connect to forwarded | 280 | wildcard address, thus allowing remote hosts to connect to |
256 | ports. The argument must be ``yes'' or ``no''. The default is | 281 | forwarded ports. The argument must be ``yes'' or ``no''. The |
257 | ``no''. | 282 | default is ``no''. |
258 | 283 | ||
259 | GlobalKnownHostsFile | 284 | GlobalKnownHostsFile |
260 | Specifies a file to use for the global host key database instead | 285 | Specifies a file to use for the global host key database instead |
@@ -267,23 +292,23 @@ DESCRIPTION | |||
267 | 292 | ||
268 | GSSAPIDelegateCredentials | 293 | GSSAPIDelegateCredentials |
269 | Forward (delegate) credentials to the server. The default is | 294 | Forward (delegate) credentials to the server. The default is |
270 | ``no''. Note that this option applies to protocol version 2 on- | 295 | ``no''. Note that this option applies to protocol version 2 |
271 | ly. | 296 | only. |
272 | 297 | ||
273 | HashKnownHosts | 298 | HashKnownHosts |
274 | Indicates that ssh(1) should hash host names and addresses when | 299 | Indicates that ssh(1) should hash host names and addresses when |
275 | they are added to ~/.ssh/known_hosts. These hashed names may be | 300 | they are added to ~/.ssh/known_hosts. These hashed names may be |
276 | used normally by ssh(1) and sshd(8), but they do not reveal iden- | 301 | used normally by ssh(1) and sshd(8), but they do not reveal |
277 | tifying information should the file's contents be disclosed. The | 302 | identifying information should the file's contents be disclosed. |
278 | default is ``no''. Note that existing names and addresses in | 303 | The default is ``no''. Note that existing names and addresses in |
279 | known hosts files will not be converted automatically, but may be | 304 | known hosts files will not be converted automatically, but may be |
280 | manually hashed using ssh-keygen(1). | 305 | manually hashed using ssh-keygen(1). |
281 | 306 | ||
282 | HostbasedAuthentication | 307 | HostbasedAuthentication |
283 | Specifies whether to try rhosts based authentication with public | 308 | Specifies whether to try rhosts based authentication with public |
284 | key authentication. The argument must be ``yes'' or ``no''. The | 309 | key authentication. The argument must be ``yes'' or ``no''. The |
285 | default is ``no''. This option applies to protocol version 2 on- | 310 | default is ``no''. This option applies to protocol version 2 |
286 | ly and is similar to RhostsRSAAuthentication. | 311 | only and is similar to RhostsRSAAuthentication. |
287 | 312 | ||
288 | HostKeyAlgorithms | 313 | HostKeyAlgorithms |
289 | Specifies the protocol version 2 host key algorithms that the | 314 | Specifies the protocol version 2 host key algorithms that the |
@@ -293,15 +318,18 @@ DESCRIPTION | |||
293 | HostKeyAlias | 318 | HostKeyAlias |
294 | Specifies an alias that should be used instead of the real host | 319 | Specifies an alias that should be used instead of the real host |
295 | name when looking up or saving the host key in the host key | 320 | name when looking up or saving the host key in the host key |
296 | database files. This option is useful for tunneling SSH connec- | 321 | database files. This option is useful for tunneling SSH |
297 | tions or for multiple servers running on a single host. | 322 | connections or for multiple servers running on a single host. |
298 | 323 | ||
299 | HostName | 324 | HostName |
300 | Specifies the real host name to log into. This can be used to | 325 | Specifies the real host name to log into. This can be used to |
301 | specify nicknames or abbreviations for hosts. The default is the | 326 | specify nicknames or abbreviations for hosts. If the hostname |
302 | name given on the command line. Numeric IP addresses are also | 327 | contains the character sequence `%h', then this will be replaced |
303 | permitted (both on the command line and in HostName specifica- | 328 | with the host name specified on the commandline (this is useful |
304 | tions). | 329 | for manipulating unqualified names). The default is the name |
330 | given on the command line. Numeric IP addresses are also | ||
331 | permitted (both on the command line and in HostName | ||
332 | specifications). | ||
305 | 333 | ||
306 | IdentitiesOnly | 334 | IdentitiesOnly |
307 | Specifies that ssh(1) should only use the authentication identity | 335 | Specifies that ssh(1) should only use the authentication identity |
@@ -314,90 +342,91 @@ DESCRIPTION | |||
314 | IdentityFile | 342 | IdentityFile |
315 | Specifies a file from which the user's RSA or DSA authentication | 343 | Specifies a file from which the user's RSA or DSA authentication |
316 | identity is read. The default is ~/.ssh/identity for protocol | 344 | identity is read. The default is ~/.ssh/identity for protocol |
317 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- | 345 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol |
318 | sion 2. Additionally, any identities represented by the authen- | 346 | version 2. Additionally, any identities represented by the |
319 | tication agent will be used for authentication. ssh(1) will try | 347 | authentication agent will be used for authentication. ssh(1) |
320 | to load certificate information from the filename obtained by ap- | 348 | will try to load certificate information from the filename |
321 | pending -cert.pub to the path of a specified IdentityFile. | 349 | obtained by appending -cert.pub to the path of a specified |
350 | IdentityFile. | ||
322 | 351 | ||
323 | The file name may use the tilde syntax to refer to a user's home | 352 | The file name may use the tilde syntax to refer to a user's home |
324 | directory or one of the following escape characters: `%d' (local | 353 | directory or one of the following escape characters: `%d' (local |
325 | user's home directory), `%u' (local user name), `%l' (local host | 354 | user's home directory), `%u' (local user name), `%l' (local host |
326 | name), `%h' (remote host name) or `%r' (remote user name). | 355 | name), `%h' (remote host name) or `%r' (remote user name). |
327 | 356 | ||
328 | It is possible to have multiple identity files specified in con- | 357 | It is possible to have multiple identity files specified in |
329 | figuration files; all these identities will be tried in sequence. | 358 | configuration files; all these identities will be tried in |
359 | sequence. | ||
330 | 360 | ||
331 | KbdInteractiveAuthentication | 361 | KbdInteractiveAuthentication |
332 | Specifies whether to use keyboard-interactive authentication. | 362 | Specifies whether to use keyboard-interactive authentication. |
333 | The argument to this keyword must be ``yes'' or ``no''. The de- | 363 | The argument to this keyword must be ``yes'' or ``no''. The |
334 | fault is ``yes''. | 364 | default is ``yes''. |
335 | 365 | ||
336 | KbdInteractiveDevices | 366 | KbdInteractiveDevices |
337 | Specifies the list of methods to use in keyboard-interactive au- | 367 | Specifies the list of methods to use in keyboard-interactive |
338 | thentication. Multiple method names must be comma-separated. | 368 | authentication. Multiple method names must be comma-separated. |
339 | The default is to use the server specified list. The methods | 369 | The default is to use the server specified list. The methods |
340 | available vary depending on what the server supports. For an | 370 | available vary depending on what the server supports. For an |
341 | OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'', | 371 | OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'', |
342 | and ``skey''. | 372 | and ``skey''. |
343 | 373 | ||
344 | LocalCommand | 374 | LocalCommand |
345 | Specifies a command to execute on the local machine after suc- | 375 | Specifies a command to execute on the local machine after |
346 | cessfully connecting to the server. The command string extends | 376 | successfully connecting to the server. The command string |
347 | to the end of the line, and is executed with the user's shell. | 377 | extends to the end of the line, and is executed with the user's |
348 | The following escape character substitutions will be performed: | 378 | shell. The following escape character substitutions will be |
349 | `%d' (local user's home directory), `%h' (remote host name), `%l' | 379 | performed: `%d' (local user's home directory), `%h' (remote host |
350 | (local host name), `%n' (host name as provided on the command | 380 | name), `%l' (local host name), `%n' (host name as provided on the |
351 | line), `%p' (remote port), `%r' (remote user name) or `%u' (local | 381 | command line), `%p' (remote port), `%r' (remote user name) or |
352 | user name). | 382 | `%u' (local user name). |
353 | 383 | ||
354 | The command is run synchronously and does not have access to the | 384 | The command is run synchronously and does not have access to the |
355 | session of the ssh(1) that spawned it. It should not be used for | 385 | session of the ssh(1) that spawned it. It should not be used for |
356 | interactive commands. | 386 | interactive commands. |
357 | 387 | ||
358 | This directive is ignored unless PermitLocalCommand has been en- | 388 | This directive is ignored unless PermitLocalCommand has been |
359 | abled. | 389 | enabled. |
360 | 390 | ||
361 | LocalForward | 391 | LocalForward |
362 | Specifies that a TCP port on the local machine be forwarded over | 392 | Specifies that a TCP port on the local machine be forwarded over |
363 | the secure channel to the specified host and port from the remote | 393 | the secure channel to the specified host and port from the remote |
364 | machine. The first argument must be [bind_address:]port and the | 394 | machine. The first argument must be [bind_address:]port and the |
365 | second argument must be host:hostport. IPv6 addresses can be | 395 | second argument must be host:hostport. IPv6 addresses can be |
366 | specified by enclosing addresses in square brackets or by using | 396 | specified by enclosing addresses in square brackets. Multiple |
367 | an alternative syntax: [bind_address/]port and host/hostport. | 397 | forwardings may be specified, and additional forwardings can be |
368 | Multiple forwardings may be specified, and additional forwardings | 398 | given on the command line. Only the superuser can forward |
369 | can be given on the command line. Only the superuser can forward | 399 | privileged ports. By default, the local port is bound in |
370 | privileged ports. By default, the local port is bound in accor- | 400 | accordance with the GatewayPorts setting. However, an explicit |
371 | dance with the GatewayPorts setting. However, an explicit | 401 | bind_address may be used to bind the connection to a specific |
372 | bind_address may be used to bind the connection to a specific ad- | 402 | address. The bind_address of ``localhost'' indicates that the |
373 | dress. The bind_address of ``localhost'' indicates that the lis- | 403 | listening port be bound for local use only, while an empty |
374 | tening port be bound for local use only, while an empty address | 404 | address or `*' indicates that the port should be available from |
375 | or `*' indicates that the port should be available from all in- | 405 | all interfaces. |
376 | terfaces. | ||
377 | 406 | ||
378 | LogLevel | 407 | LogLevel |
379 | Gives the verbosity level that is used when logging messages from | 408 | Gives the verbosity level that is used when logging messages from |
380 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER- | 409 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, |
381 | BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | 410 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. |
382 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | 411 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
383 | higher levels of verbose output. | 412 | higher levels of verbose output. |
384 | 413 | ||
385 | MACs Specifies the MAC (message authentication code) algorithms in or- | 414 | MACs Specifies the MAC (message authentication code) algorithms in |
386 | der of preference. The MAC algorithm is used in protocol version | 415 | order of preference. The MAC algorithm is used in protocol |
387 | 2 for data integrity protection. Multiple algorithms must be | 416 | version 2 for data integrity protection. Multiple algorithms |
388 | comma-separated. The default is: | 417 | must be comma-separated. The default is: |
389 | 418 | ||
390 | hmac-md5,hmac-sha1,umac-64@openssh.com, | 419 | hmac-md5,hmac-sha1,umac-64@openssh.com, |
391 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | 420 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 |
392 | 421 | ||
393 | NoHostAuthenticationForLocalhost | 422 | NoHostAuthenticationForLocalhost |
394 | This option can be used if the home directory is shared across | 423 | This option can be used if the home directory is shared across |
395 | machines. In this case localhost will refer to a different ma- | 424 | machines. In this case localhost will refer to a different |
396 | chine on each of the machines and the user will get many warnings | 425 | machine on each of the machines and the user will get many |
397 | about changed host keys. However, this option disables host au- | 426 | warnings about changed host keys. However, this option disables |
398 | thentication for localhost. The argument to this keyword must be | 427 | host authentication for localhost. The argument to this keyword |
399 | ``yes'' or ``no''. The default is to check the host key for lo- | 428 | must be ``yes'' or ``no''. The default is to check the host key |
400 | calhost. | 429 | for localhost. |
401 | 430 | ||
402 | NumberOfPasswordPrompts | 431 | NumberOfPasswordPrompts |
403 | Specifies the number of password prompts before giving up. The | 432 | Specifies the number of password prompts before giving up. The |
@@ -409,43 +438,47 @@ DESCRIPTION | |||
409 | ``yes''. | 438 | ``yes''. |
410 | 439 | ||
411 | PermitLocalCommand | 440 | PermitLocalCommand |
412 | Allow local command execution via the LocalCommand option or us- | 441 | Allow local command execution via the LocalCommand option or |
413 | ing the !command escape sequence in ssh(1). The argument must be | 442 | using the !command escape sequence in ssh(1). The argument must |
414 | ``yes'' or ``no''. The default is ``no''. | 443 | be ``yes'' or ``no''. The default is ``no''. |
415 | 444 | ||
416 | PKCS11Provider | 445 | PKCS11Provider |
417 | Specifies which PKCS#11 provider to use. The argument to this | 446 | Specifies which PKCS#11 provider to use. The argument to this |
418 | keyword is the PKCS#11 shared libary ssh(1) should use to commu- | 447 | keyword is the PKCS#11 shared libary ssh(1) should use to |
419 | nicate with a PKCS#11 token providing the user's private RSA key. | 448 | communicate with a PKCS#11 token providing the user's private RSA |
449 | key. | ||
420 | 450 | ||
421 | Port Specifies the port number to connect on the remote host. The de- | 451 | Port Specifies the port number to connect on the remote host. The |
422 | fault is 22. | 452 | default is 22. |
423 | 453 | ||
424 | PreferredAuthentications | 454 | PreferredAuthentications |
425 | Specifies the order in which the client should try protocol 2 au- | 455 | Specifies the order in which the client should try protocol 2 |
426 | thentication methods. This allows a client to prefer one method | 456 | authentication methods. This allows a client to prefer one |
427 | (e.g. keyboard-interactive) over another method (e.g. password) | 457 | method (e.g. keyboard-interactive) over another method (e.g. |
428 | The default for this option is: ``gssapi-with- | 458 | password). The default is: |
429 | mic,hostbased,publickey,keyboard-interactive,password''. | 459 | |
460 | gssapi-with-mic,hostbased,publickey, | ||
461 | keyboard-interactive,password | ||
430 | 462 | ||
431 | Protocol | 463 | Protocol |
432 | Specifies the protocol versions ssh(1) should support in order of | 464 | Specifies the protocol versions ssh(1) should support in order of |
433 | preference. The possible values are `1' and `2'. Multiple ver- | 465 | preference. The possible values are `1' and `2'. Multiple |
434 | sions must be comma-separated. When this option is set to | 466 | versions must be comma-separated. When this option is set to |
435 | ``2,1'' ssh will try version 2 and fall back to version 1 if ver- | 467 | ``2,1'' ssh will try version 2 and fall back to version 1 if |
436 | sion 2 is not available. The default is `2'. | 468 | version 2 is not available. The default is `2'. |
437 | 469 | ||
438 | ProxyCommand | 470 | ProxyCommand |
439 | Specifies the command to use to connect to the server. The com- | 471 | Specifies the command to use to connect to the server. The |
440 | mand string extends to the end of the line, and is executed with | 472 | command string extends to the end of the line, and is executed |
441 | the user's shell. In the command string, `%h' will be substitut- | 473 | with the user's shell. In the command string, any occurrence of |
442 | ed by the host name to connect and `%p' by the port. The command | 474 | `%h' will be substituted by the host name to connect, `%p' by the |
443 | can be basically anything, and should read from its standard in- | 475 | port, and `%r' by the remote user name. The command can be |
444 | put and write to its standard output. It should eventually con- | 476 | basically anything, and should read from its standard input and |
445 | nect an sshd(8) server running on some machine, or execute sshd | 477 | write to its standard output. It should eventually connect an |
446 | -i somewhere. Host key management will be done using the Host- | 478 | sshd(8) server running on some machine, or execute sshd -i |
447 | Name of the host being connected (defaulting to the name typed by | 479 | somewhere. Host key management will be done using the HostName |
448 | the user). Setting the command to ``none'' disables this option | 480 | of the host being connected (defaulting to the name typed by the |
481 | user). Setting the command to ``none'' disables this option | ||
449 | entirely. Note that CheckHostIP is not available for connects | 482 | entirely. Note that CheckHostIP is not available for connects |
450 | with a proxy command. | 483 | with a proxy command. |
451 | 484 | ||
@@ -461,32 +494,32 @@ DESCRIPTION | |||
461 | ``yes''. This option applies to protocol version 2 only. | 494 | ``yes''. This option applies to protocol version 2 only. |
462 | 495 | ||
463 | RekeyLimit | 496 | RekeyLimit |
464 | Specifies the maximum amount of data that may be transmitted be- | 497 | Specifies the maximum amount of data that may be transmitted |
465 | fore the session key is renegotiated. The argument is the number | 498 | before the session key is renegotiated. The argument is the |
466 | of bytes, with an optional suffix of `K', `M', or `G' to indicate | 499 | number of bytes, with an optional suffix of `K', `M', or `G' to |
467 | Kilobytes, Megabytes, or Gigabytes, respectively. The default is | 500 | indicate Kilobytes, Megabytes, or Gigabytes, respectively. The |
468 | between `1G' and `4G', depending on the cipher. This option ap- | 501 | default is between `1G' and `4G', depending on the cipher. This |
469 | plies to protocol version 2 only. | 502 | option applies to protocol version 2 only. |
470 | 503 | ||
471 | RemoteForward | 504 | RemoteForward |
472 | Specifies that a TCP port on the remote machine be forwarded over | 505 | Specifies that a TCP port on the remote machine be forwarded over |
473 | the secure channel to the specified host and port from the local | 506 | the secure channel to the specified host and port from the local |
474 | machine. The first argument must be [bind_address:]port and the | 507 | machine. The first argument must be [bind_address:]port and the |
475 | second argument must be host:hostport. IPv6 addresses can be | 508 | second argument must be host:hostport. IPv6 addresses can be |
476 | specified by enclosing addresses in square brackets or by using | 509 | specified by enclosing addresses in square brackets. Multiple |
477 | an alternative syntax: [bind_address/]port and host/hostport. | 510 | forwardings may be specified, and additional forwardings can be |
478 | Multiple forwardings may be specified, and additional forwardings | 511 | given on the command line. Privileged ports can be forwarded |
479 | can be given on the command line. Privileged ports can be for- | 512 | only when logging in as root on the remote machine. |
480 | warded only when logging in as root on the remote machine. | ||
481 | 513 | ||
482 | If the port argument is `0', the listen port will be dynamically | 514 | If the port argument is `0', the listen port will be dynamically |
483 | allocated on the server and reported to the client at run time. | 515 | allocated on the server and reported to the client at run time. |
484 | 516 | ||
485 | If the bind_address is not specified, the default is to only bind | 517 | If the bind_address is not specified, the default is to only bind |
486 | to loopback addresses. If the bind_address is `*' or an empty | 518 | to loopback addresses. If the bind_address is `*' or an empty |
487 | string, then the forwarding is requested to listen on all inter- | 519 | string, then the forwarding is requested to listen on all |
488 | faces. Specifying a remote bind_address will only succeed if the | 520 | interfaces. Specifying a remote bind_address will only succeed |
489 | server's GatewayPorts option is enabled (see sshd_config(5)). | 521 | if the server's GatewayPorts option is enabled (see |
522 | sshd_config(5)). | ||
490 | 523 | ||
491 | RhostsRSAAuthentication | 524 | RhostsRSAAuthentication |
492 | Specifies whether to try rhosts based authentication with RSA | 525 | Specifies whether to try rhosts based authentication with RSA |
@@ -497,9 +530,9 @@ DESCRIPTION | |||
497 | RSAAuthentication | 530 | RSAAuthentication |
498 | Specifies whether to try RSA authentication. The argument to | 531 | Specifies whether to try RSA authentication. The argument to |
499 | this keyword must be ``yes'' or ``no''. RSA authentication will | 532 | this keyword must be ``yes'' or ``no''. RSA authentication will |
500 | only be attempted if the identity file exists, or an authentica- | 533 | only be attempted if the identity file exists, or an |
501 | tion agent is running. The default is ``yes''. Note that this | 534 | authentication agent is running. The default is ``yes''. Note |
502 | option applies to protocol version 1 only. | 535 | that this option applies to protocol version 1 only. |
503 | 536 | ||
504 | SendEnv | 537 | SendEnv |
505 | Specifies what variables from the local environ(7) should be sent | 538 | Specifies what variables from the local environ(7) should be sent |
@@ -507,25 +540,25 @@ DESCRIPTION | |||
507 | for protocol 2. The server must also support it, and the server | 540 | for protocol 2. The server must also support it, and the server |
508 | must be configured to accept these environment variables. Refer | 541 | must be configured to accept these environment variables. Refer |
509 | to AcceptEnv in sshd_config(5) for how to configure the server. | 542 | to AcceptEnv in sshd_config(5) for how to configure the server. |
510 | Variables are specified by name, which may contain wildcard char- | 543 | Variables are specified by name, which may contain wildcard |
511 | acters. Multiple environment variables may be separated by | 544 | characters. Multiple environment variables may be separated by |
512 | whitespace or spread across multiple SendEnv directives. The de- | 545 | whitespace or spread across multiple SendEnv directives. The |
513 | fault is not to send any environment variables. | 546 | default is not to send any environment variables. |
514 | 547 | ||
515 | See PATTERNS for more information on patterns. | 548 | See PATTERNS for more information on patterns. |
516 | 549 | ||
517 | ServerAliveCountMax | 550 | ServerAliveCountMax |
518 | Sets the number of server alive messages (see below) which may be | 551 | Sets the number of server alive messages (see below) which may be |
519 | sent without ssh(1) receiving any messages back from the server. | 552 | sent without ssh(1) receiving any messages back from the server. |
520 | If this threshold is reached while server alive messages are be- | 553 | If this threshold is reached while server alive messages are |
521 | ing sent, ssh will disconnect from the server, terminating the | 554 | being sent, ssh will disconnect from the server, terminating the |
522 | session. It is important to note that the use of server alive | 555 | session. It is important to note that the use of server alive |
523 | messages is very different from TCPKeepAlive (below). The server | 556 | messages is very different from TCPKeepAlive (below). The server |
524 | alive messages are sent through the encrypted channel and there- | 557 | alive messages are sent through the encrypted channel and |
525 | fore will not be spoofable. The TCP keepalive option enabled by | 558 | therefore will not be spoofable. The TCP keepalive option |
526 | TCPKeepAlive is spoofable. The server alive mechanism is valu- | 559 | enabled by TCPKeepAlive is spoofable. The server alive mechanism |
527 | able when the client or server depend on knowing when a connec- | 560 | is valuable when the client or server depend on knowing when a |
528 | tion has become inactive. | 561 | connection has become inactive. |
529 | 562 | ||
530 | The default value is 3. If, for example, ServerAliveInterval | 563 | The default value is 3. If, for example, ServerAliveInterval |
531 | (see below) is set to 15 and ServerAliveCountMax is left at the | 564 | (see below) is set to 15 and ServerAliveCountMax is left at the |
@@ -542,27 +575,27 @@ DESCRIPTION | |||
542 | 575 | ||
543 | StrictHostKeyChecking | 576 | StrictHostKeyChecking |
544 | If this flag is set to ``yes'', ssh(1) will never automatically | 577 | If this flag is set to ``yes'', ssh(1) will never automatically |
545 | add host keys to the ~/.ssh/known_hosts file, and refuses to con- | 578 | add host keys to the ~/.ssh/known_hosts file, and refuses to |
546 | nect to hosts whose host key has changed. This provides maximum | 579 | connect to hosts whose host key has changed. This provides |
547 | protection against trojan horse attacks, though it can be annoy- | 580 | maximum protection against trojan horse attacks, though it can be |
548 | ing when the /etc/ssh/ssh_known_hosts file is poorly maintained | 581 | annoying when the /etc/ssh/ssh_known_hosts file is poorly |
549 | or when connections to new hosts are frequently made. This op- | 582 | maintained or when connections to new hosts are frequently made. |
550 | tion forces the user to manually add all new hosts. If this flag | 583 | This option forces the user to manually add all new hosts. If |
551 | is set to ``no'', ssh will automatically add new host keys to the | 584 | this flag is set to ``no'', ssh will automatically add new host |
552 | user known hosts files. If this flag is set to ``ask'', new host | 585 | keys to the user known hosts files. If this flag is set to |
553 | keys will be added to the user known host files only after the | 586 | ``ask'', new host keys will be added to the user known host files |
554 | user has confirmed that is what they really want to do, and ssh | 587 | only after the user has confirmed that is what they really want |
555 | will refuse to connect to hosts whose host key has changed. The | 588 | to do, and ssh will refuse to connect to hosts whose host key has |
556 | host keys of known hosts will be verified automatically in all | 589 | changed. The host keys of known hosts will be verified |
557 | cases. The argument must be ``yes'', ``no'', or ``ask''. The | 590 | automatically in all cases. The argument must be ``yes'', |
558 | default is ``ask''. | 591 | ``no'', or ``ask''. The default is ``ask''. |
559 | 592 | ||
560 | TCPKeepAlive | 593 | TCPKeepAlive |
561 | Specifies whether the system should send TCP keepalive messages | 594 | Specifies whether the system should send TCP keepalive messages |
562 | to the other side. If they are sent, death of the connection or | 595 | to the other side. If they are sent, death of the connection or |
563 | crash of one of the machines will be properly noticed. However, | 596 | crash of one of the machines will be properly noticed. However, |
564 | this means that connections will die if the route is down tem- | 597 | this means that connections will die if the route is down |
565 | porarily, and some people find it annoying. | 598 | temporarily, and some people find it annoying. |
566 | 599 | ||
567 | The default is ``yes'' (to send TCP keepalive messages), and the | 600 | The default is ``yes'' (to send TCP keepalive messages), and the |
568 | client will notice if the network goes down or the remote host | 601 | client will notice if the network goes down or the remote host |
@@ -571,32 +604,32 @@ DESCRIPTION | |||
571 | To disable TCP keepalive messages, the value should be set to | 604 | To disable TCP keepalive messages, the value should be set to |
572 | ``no''. | 605 | ``no''. |
573 | 606 | ||
574 | Tunnel Request tun(4) device forwarding between the client and the serv- | 607 | Tunnel Request tun(4) device forwarding between the client and the |
575 | er. The argument must be ``yes'', ``point-to-point'' (layer 3), | 608 | server. The argument must be ``yes'', ``point-to-point'' (layer |
576 | ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' requests | 609 | 3), ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' |
577 | the default tunnel mode, which is ``point-to-point''. The de- | 610 | requests the default tunnel mode, which is ``point-to-point''. |
578 | fault is ``no''. | 611 | The default is ``no''. |
579 | 612 | ||
580 | TunnelDevice | 613 | TunnelDevice |
581 | Specifies the tun(4) devices to open on the client (local_tun) | 614 | Specifies the tun(4) devices to open on the client (local_tun) |
582 | and the server (remote_tun). | 615 | and the server (remote_tun). |
583 | 616 | ||
584 | The argument must be local_tun[:remote_tun]. The devices may be | 617 | The argument must be local_tun [:remote_tun]. The devices may be |
585 | specified by numerical ID or the keyword ``any'', which uses the | 618 | specified by numerical ID or the keyword ``any'', which uses the |
586 | next available tunnel device. If remote_tun is not specified, it | 619 | next available tunnel device. If remote_tun is not specified, it |
587 | defaults to ``any''. The default is ``any:any''. | 620 | defaults to ``any''. The default is ``any:any''. |
588 | 621 | ||
589 | UsePrivilegedPort | 622 | UsePrivilegedPort |
590 | Specifies whether to use a privileged port for outgoing connec- | 623 | Specifies whether to use a privileged port for outgoing |
591 | tions. The argument must be ``yes'' or ``no''. The default is | 624 | connections. The argument must be ``yes'' or ``no''. The |
592 | ``no''. If set to ``yes'', ssh(1) must be setuid root. Note | 625 | default is ``no''. If set to ``yes'', ssh(1) must be setuid |
593 | that this option must be set to ``yes'' for | 626 | root. Note that this option must be set to ``yes'' for |
594 | RhostsRSAAuthentication with older servers. | 627 | RhostsRSAAuthentication with older servers. |
595 | 628 | ||
596 | User Specifies the user to log in as. This can be useful when a dif- | 629 | User Specifies the user to log in as. This can be useful when a |
597 | ferent user name is used on different machines. This saves the | 630 | different user name is used on different machines. This saves |
598 | trouble of having to remember to give the user name on the com- | 631 | the trouble of having to remember to give the user name on the |
599 | mand line. | 632 | command line. |
600 | 633 | ||
601 | UserKnownHostsFile | 634 | UserKnownHostsFile |
602 | Specifies a file to use for the user host key database instead of | 635 | Specifies a file to use for the user host key database instead of |
@@ -620,9 +653,9 @@ DESCRIPTION | |||
620 | If this flag is set to ``yes'', an ASCII art representation of | 653 | If this flag is set to ``yes'', an ASCII art representation of |
621 | the remote host key fingerprint is printed in addition to the hex | 654 | the remote host key fingerprint is printed in addition to the hex |
622 | fingerprint string at login and for unknown host keys. If this | 655 | fingerprint string at login and for unknown host keys. If this |
623 | flag is set to ``no'', no fingerprint strings are printed at lo- | 656 | flag is set to ``no'', no fingerprint strings are printed at |
624 | gin and only the hex fingerprint string will be printed for un- | 657 | login and only the hex fingerprint string will be printed for |
625 | known host keys. The default is ``no''. | 658 | unknown host keys. The default is ``no''. |
626 | 659 | ||
627 | XAuthLocation | 660 | XAuthLocation |
628 | Specifies the full pathname of the xauth(1) program. The default | 661 | Specifies the full pathname of the xauth(1) program. The default |
@@ -631,9 +664,9 @@ DESCRIPTION | |||
631 | PATTERNS | 664 | PATTERNS |
632 | A pattern consists of zero or more non-whitespace characters, `*' (a | 665 | A pattern consists of zero or more non-whitespace characters, `*' (a |
633 | wildcard that matches zero or more characters), or `?' (a wildcard that | 666 | wildcard that matches zero or more characters), or `?' (a wildcard that |
634 | matches exactly one character). For example, to specify a set of decla- | 667 | matches exactly one character). For example, to specify a set of |
635 | rations for any host in the ``.co.uk'' set of domains, the following pat- | 668 | declarations for any host in the ``.co.uk'' set of domains, the following |
636 | tern could be used: | 669 | pattern could be used: |
637 | 670 | ||
638 | Host *.co.uk | 671 | Host *.co.uk |
639 | 672 | ||
@@ -645,17 +678,18 @@ PATTERNS | |||
645 | A pattern-list is a comma-separated list of patterns. Patterns within | 678 | A pattern-list is a comma-separated list of patterns. Patterns within |
646 | pattern-lists may be negated by preceding them with an exclamation mark | 679 | pattern-lists may be negated by preceding them with an exclamation mark |
647 | (`!'). For example, to allow a key to be used from anywhere within an | 680 | (`!'). For example, to allow a key to be used from anywhere within an |
648 | organisation except from the ``dialup'' pool, the following entry (in au- | 681 | organisation except from the ``dialup'' pool, the following entry (in |
649 | thorized_keys) could be used: | 682 | authorized_keys) could be used: |
650 | 683 | ||
651 | from="!*.dialup.example.com,*.example.com" | 684 | from="!*.dialup.example.com,*.example.com" |
652 | 685 | ||
653 | FILES | 686 | FILES |
654 | ~/.ssh/config | 687 | ~/.ssh/config |
655 | This is the per-user configuration file. The format of this file | 688 | This is the per-user configuration file. The format of this file |
656 | is described above. This file is used by the SSH client. Be- | 689 | is described above. This file is used by the SSH client. |
657 | cause of the potential for abuse, this file must have strict per- | 690 | Because of the potential for abuse, this file must have strict |
658 | missions: read/write for the user, and not accessible by others. | 691 | permissions: read/write for the user, and not accessible by |
692 | others. | ||
659 | 693 | ||
660 | /etc/ssh/ssh_config | 694 | /etc/ssh/ssh_config |
661 | Systemwide configuration file. This file provides defaults for | 695 | Systemwide configuration file. This file provides defaults for |
@@ -669,8 +703,8 @@ SEE ALSO | |||
669 | AUTHORS | 703 | AUTHORS |
670 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 704 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
671 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 705 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
672 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | 706 | de Raadt and Dug Song removed many bugs, re-added newer features and |
673 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 707 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
674 | versions 1.5 and 2.0. | 708 | versions 1.5 and 2.0. |
675 | 709 | ||
676 | OpenBSD 4.7 March 26, 2010 11 | 710 | OpenBSD 4.8 August 4, 2010 OpenBSD 4.8 |