author | Colin Watson <cjwatson@debian.org> | 2018-04-03 08:20:28 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-04-03 08:57:25 +0100 |
commit | a0b2dce9bf518f561bbb5070c0fb0c38f49035dd (patch) | |
tree | 24298b823e93d4e6efe13f48f1512707ebd625f8 /ssh_config.0 | |
parent | 9d4942dc192b6f1888c9ab73a512dd9b197b956c (diff) | |
parent | 76aa43d2298f322f0371b74462418d0461537131 (diff) |
New upstream release (7.7p1)
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 53 |
1 files changed, 36 insertions, 17 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 9493953ab..4109b1909 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -112,6 +112,11 @@ DESCRIPTION | |||
112 | one address. Note that this option does not work if | 112 | one address. Note that this option does not work if |
113 | UsePrivilegedPort is set to yes. | 113 | UsePrivilegedPort is set to yes. |
114 | 114 | ||
115 | BindInterface | ||
116 | Use the address of the specified interface on the local machine | ||
117 | as the source address of the connection. Note that this option | ||
118 | does not work if UsePrivilegedPort is set to yes. | ||
119 | |||
115 | CanonicalDomains | 120 | CanonicalDomains |
116 | When CanonicalizeHostname is enabled, this option specifies the | 121 | When CanonicalizeHostname is enabled, this option specifies the |
117 | list of domain suffixes in which to search for the specified | 122 | list of domain suffixes in which to search for the specified |
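Review bot: the new BindInterface entry (new lines 115-118) does not say which address is used when the named interface carries more than one, or what happens when it is set together with the bind option documented just above it. Suggest adding a sentence for each case, since the choice of source address matters on multi-homed hosts where firewall or server-side rules key on it.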
@@ -583,7 +588,10 @@ DESCRIPTION | |||
583 | curve25519-sha256,curve25519-sha256@libssh.org, | 588 | curve25519-sha256,curve25519-sha256@libssh.org, |
584 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | 589 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
585 | diffie-hellman-group-exchange-sha256, | 590 | diffie-hellman-group-exchange-sha256, |
591 | diffie-hellman-group16-sha512, | ||
592 | diffie-hellman-group18-sha512, | ||
586 | diffie-hellman-group-exchange-sha1, | 593 | diffie-hellman-group-exchange-sha1, |
594 | diffie-hellman-group14-sha256, | ||
587 | diffie-hellman-group14-sha1 | 595 | diffie-hellman-group14-sha1 |
588 | 596 | ||
589 | The list of available key exchange algorithms may also be | 597 | The list of available key exchange algorithms may also be |
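Review bot: on new line 594, diffie-hellman-group14-sha256 is placed after diffie-hellman-group-exchange-sha1 (new line 593), so a SHA-1 method is listed ahead of a SHA-256 one. If this list is meant to read as a preference order, either move the sha256 entry above the sha1 one or confirm that the text matches the compiled-in default and add a short remark that the order is intentional.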
@@ -652,12 +660,8 @@ DESCRIPTION | |||
652 | "ssh -Q mac". | 660 | "ssh -Q mac". |
653 | 661 | ||
654 | NoHostAuthenticationForLocalhost | 662 | NoHostAuthenticationForLocalhost |
655 | This option can be used if the home directory is shared across | 663 | Disable host authentication for localhost (loopback addresses). |
656 | machines. In this case localhost will refer to a different | 664 | The argument to this keyword must be yes or no (the default). |
657 | machine on each of the machines and the user will get many | ||
658 | warnings about changed host keys. However, this option disables | ||
659 | host authentication for localhost. The argument to this keyword | ||
660 | must be yes or no (the default). | ||
661 | 665 | ||
662 | NumberOfPasswordPrompts | 666 | NumberOfPasswordPrompts |
663 | Specifies the number of password prompts before giving up. The | 667 | Specifies the number of password prompts before giving up. The |
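Review bot: the rewritten NoHostAuthenticationForLocalhost text (new lines 663-664) removes the only explanation of when the option is appropriate, namely a home directory shared across machines where localhost maps to a different host key on each. A reader now sees "Disable host authentication for localhost" with no indication of the intended use or the trade-off. Suggest keeping one sentence of that rationale next to the new wording.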
@@ -713,12 +717,12 @@ DESCRIPTION | |||
713 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | 717 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p |
714 | 718 | ||
715 | ProxyJump | 719 | ProxyJump |
716 | Specifies one or more jump proxies as [user@]host[:port]. | 720 | Specifies one or more jump proxies as either [user@]host[:port] |
717 | Multiple proxies may be separated by comma characters and will be | 721 | or an ssh URI. Multiple proxies may be separated by comma |
718 | visited sequentially. Setting this option will cause ssh(1) to | 722 | characters and will be visited sequentially. Setting this option |
719 | connect to the target host by first making a ssh(1) connection to | 723 | will cause ssh(1) to connect to the target host by first making a |
720 | the specified ProxyJump host and then establishing a TCP | 724 | ssh(1) connection to the specified ProxyJump host and then |
721 | forwarding to the ultimate target from there. | 725 | establishing a TCP forwarding to the ultimate target from there. |
722 | 726 | ||
723 | Note that this option will compete with the ProxyCommand option - | 727 | Note that this option will compete with the ProxyCommand option - |
724 | whichever is specified first will prevent later instances of the | 728 | whichever is specified first will prevent later instances of the |
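Review bot: "or an ssh URI" on new line 721 is not defined or cross-referenced anywhere in this hunk, while the older form is spelled out as [user@]host[:port]. Suggest giving the URI form inline in the same way, or pointing to the section that describes it, so users do not have to guess the accepted syntax for jump hosts.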
@@ -883,8 +887,8 @@ DESCRIPTION | |||
883 | If this flag is set to yes, ssh(1) will never automatically add | 887 | If this flag is set to yes, ssh(1) will never automatically add |
884 | host keys to the ~/.ssh/known_hosts file, and refuses to connect | 888 | host keys to the ~/.ssh/known_hosts file, and refuses to connect |
885 | to hosts whose host key has changed. This provides maximum | 889 | to hosts whose host key has changed. This provides maximum |
886 | protection against trojan horse attacks, though it can be | 890 | protection against man-in-the-middle (MITM) attacks, though it |
887 | annoying when the /etc/ssh/ssh_known_hosts file is poorly | 891 | can be annoying when the /etc/ssh/ssh_known_hosts file is poorly |
888 | maintained or when connections to new hosts are frequently made. | 892 | maintained or when connections to new hosts are frequently made. |
889 | This option forces the user to manually add all new hosts. | 893 | This option forces the user to manually add all new hosts. |
890 | 894 | ||
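Review bot: style point on new line 890: the abbreviation "(MITM)" is introduced but not used again in the surrounding text. Either drop the parenthetical or use the abbreviation consistently wherever the man page refers to this attack. The change of term itself fits the behaviour described here, which is refusing to connect when a host key has changed.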
@@ -918,6 +922,7 @@ DESCRIPTION | |||
918 | dies. This is important in scripts, and many users want it too. | 922 | dies. This is important in scripts, and many users want it too. |
919 | 923 | ||
920 | To disable TCP keepalive messages, the value should be set to no. | 924 | To disable TCP keepalive messages, the value should be set to no. |
925 | See also ServerAliveInterval for protocol-level keepalives. | ||
921 | 926 | ||
922 | Tunnel Request tun(4) device forwarding between the client and the | 927 | Tunnel Request tun(4) device forwarding between the client and the |
923 | server. The argument must be yes, point-to-point (layer 3), | 928 | server. The argument must be yes, point-to-point (layer 3), |
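Review bot: the cross-reference added on new line 925 names ServerAliveInterval but does not say how "protocol-level keepalives" differ from the TCP keepalives this entry describes. Suggest one clause stating the difference, so a reader deciding whether to set TCPKeepAlive to no knows what the alternative provides.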
@@ -1012,12 +1017,23 @@ PATTERNS | |||
1012 | 1017 | ||
1013 | from="!*.dialup.example.com,*.example.com" | 1018 | from="!*.dialup.example.com,*.example.com" |
1014 | 1019 | ||
1020 | Note that a negated match will never produce a positive result by itself. | ||
1021 | For example, attempting to match "host3" against the following pattern- | ||
1022 | list will fail: | ||
1023 | |||
1024 | from="!host1,!host2" | ||
1025 | |||
1026 | The solution here is to include a term that will yield a positive match, | ||
1027 | such as a wildcard: | ||
1028 | |||
1029 | from="!host1,!host2,*" | ||
1030 | |||
1015 | TOKENS | 1031 | TOKENS |
1016 | Arguments to some keywords can make use of tokens, which are expanded at | 1032 | Arguments to some keywords can make use of tokens, which are expanded at |
1017 | runtime: | 1033 | runtime: |
1018 | 1034 | ||
1019 | %% A literal M-bM-^@M-^X%M-bM-^@M-^Y. | 1035 | %% A literal M-bM-^@M-^X%M-bM-^@M-^Y. |
1020 | %C Shorthand for %l%h%p%r. | 1036 | %C Hash of %l%h%p%r. |
1021 | %d Local user's home directory. | 1037 | %d Local user's home directory. |
1022 | %h The remote hostname. | 1038 | %h The remote hostname. |
1023 | %i The local user ID. | 1039 | %i The local user ID. |
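Review bot: the suggested fix on new lines 1026-1029, from="!host1,!host2,*", turns the pattern-list into "every host except host1 and host2", and the text does not say so. A reader who wanted a narrow allow-list could add the wildcard and end up permitting far more than intended. Suggest stating the resulting meaning explicitly and mentioning that a narrower positive term than * can be used. Separately, new line 1036 changes %C to "Hash of %l%h%p%r" without naming the hash or the form of the output; a short description would help anyone who builds paths or commands from this token.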
@@ -1026,6 +1042,8 @@ TOKENS | |||
1026 | %n The original remote hostname, as given on the command line. | 1042 | %n The original remote hostname, as given on the command line. |
1027 | %p The remote port. | 1043 | %p The remote port. |
1028 | %r The remote username. | 1044 | %r The remote username. |
1045 | %T The local tun(4) or tap(4) network interface assigned if | ||
1046 | tunnel forwarding was requested, or "NONE" otherwise. | ||
1029 | %u The local username. | 1047 | %u The local username. |
1030 | 1048 | ||
1031 | Match exec accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u. | 1049 | Match exec accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u. |
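Review bot: the %T entry (new lines 1045-1046) expands to the literal string "NONE" when no tunnel forwarding was requested, which any command consuming the token has to special-case to avoid treating "NONE" as an interface name. Suggest saying explicitly that the string is substituted as-is, and listing here which keywords accept %T, since the "Match exec" line directly below does not include it.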
@@ -1040,7 +1058,8 @@ TOKENS | |||
1040 | IdentityAgent and IdentityFile accept the tokens %%, %d, %h, %l, %r, and | 1058 | IdentityAgent and IdentityFile accept the tokens %%, %d, %h, %l, %r, and |
1041 | %u. | 1059 | %u. |
1042 | 1060 | ||
1043 | LocalCommand accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u. | 1061 | LocalCommand accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, %T, and |
1062 | %u. | ||
1044 | 1063 | ||
1045 | ProxyCommand accepts the tokens %%, %h, %p, and %r. | 1064 | ProxyCommand accepts the tokens %%, %h, %p, and %r. |
1046 | 1065 | ||
@@ -1070,4 +1089,4 @@ AUTHORS | |||
1070 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 1089 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
1071 | versions 1.5 and 2.0. | 1090 | versions 1.5 and 2.0. |
1072 | 1091 | ||
1073 | OpenBSD 6.2 September 21, 2017 OpenBSD 6.2 | 1092 | OpenBSD 6.2 February 23, 2018 OpenBSD 6.2 |