summaryrefslogtreecommitdiff
path: root/ssh_config.0
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2015-08-19 14:23:50 +0100
committerColin Watson <cjwatson@debian.org>2015-08-19 14:23:50 +0100
commitbaccdb349b31c47cd76fb63211f754ed33a9707e (patch)
treed03653f975fd4eb8bf71bb0c9d168614401202fa /ssh_config.0
parent487bdb3a5ef6075887b830ccb8a0b14f6da78e93 (diff)
parent9f82e5a9042f2d872e98f48a876fcab3e25dd9bb (diff)
Import openssh_6.8p1.orig.tar.gz
Diffstat (limited to 'ssh_config.0')
-rw-r--r--ssh_config.0513
1 files changed, 282 insertions, 231 deletions
diff --git a/ssh_config.0 b/ssh_config.0
index c40ce5f08..3bdd75237 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -1,7 +1,7 @@
1SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) 1SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5)
2 2
3NAME 3NAME
4 ssh_config - OpenSSH SSH client configuration files 4 ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files
5 5
6SYNOPSIS 6SYNOPSIS
7 ~/.ssh/config 7 ~/.ssh/config
@@ -16,10 +16,11 @@ DESCRIPTION
16 3. system-wide configuration file (/etc/ssh/ssh_config) 16 3. system-wide configuration file (/etc/ssh/ssh_config)
17 17
18 For each parameter, the first obtained value will be used. The 18 For each parameter, the first obtained value will be used. The
19 configuration files contain sections separated by ``Host'' 19 configuration files contain sections separated by M-bM-^@M-^\HostM-bM-^@M-^] specifications,
20 specifications, and that section is only applied for hosts that match one 20 and that section is only applied for hosts that match one of the patterns
21 of the patterns given in the specification. The matched host name is the 21 given in the specification. The matched host name is usually the one
22 one given on the command line. 22 given on the command line (see the CanonicalizeHostname option for
23 exceptions.)
23 24
24 Since the first obtained value for each parameter is used, more host- 25 Since the first obtained value for each parameter is used, more host-
25 specific declarations should be given near the beginning of the file, and 26 specific declarations should be given near the beginning of the file, and
@@ -27,9 +28,9 @@ DESCRIPTION
27 28
28 The configuration file has the following format: 29 The configuration file has the following format:
29 30
30 Empty lines and lines starting with `#' are comments. Otherwise a line 31 Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. Otherwise a line
31 is of the format ``keyword arguments''. Configuration options may be 32 is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration options may be
32 separated by whitespace or optional whitespace and exactly one `='; the 33 separated by whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the
33 latter format is useful to avoid the need to quote whitespace when 34 latter format is useful to avoid the need to quote whitespace when
34 specifying configuration options using the ssh, scp, and sftp -o option. 35 specifying configuration options using the ssh, scp, and sftp -o option.
35 Arguments may optionally be enclosed in double quotes (") in order to 36 Arguments may optionally be enclosed in double quotes (") in order to
@@ -41,14 +42,14 @@ DESCRIPTION
41 Host Restricts the following declarations (up to the next Host or 42 Host Restricts the following declarations (up to the next Host or
42 Match keyword) to be only for those hosts that match one of the 43 Match keyword) to be only for those hosts that match one of the
43 patterns given after the keyword. If more than one pattern is 44 patterns given after the keyword. If more than one pattern is
44 provided, they should be separated by whitespace. A single `*' 45 provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y
45 as a pattern can be used to provide global defaults for all 46 as a pattern can be used to provide global defaults for all
46 hosts. The host is the hostname argument given on the command 47 hosts. The host is usually the hostname argument given on the
47 line (i.e. the name is not converted to a canonicalized host name 48 command line (see the CanonicalizeHostname option for
48 before matching). 49 exceptions.)
49 50
50 A pattern entry may be negated by prefixing it with an 51 A pattern entry may be negated by prefixing it with an
51 exclamation mark (`!'). If a negated entry is matched, then the 52 exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the
52 Host entry is ignored, regardless of whether any other patterns 53 Host entry is ignored, regardless of whether any other patterns
53 on the line match. Negated matches are therefore useful to 54 on the line match. Negated matches are therefore useful to
54 provide exceptions for wildcard matches. 55 provide exceptions for wildcard matches.
@@ -58,50 +59,57 @@ DESCRIPTION
58 Match Restricts the following declarations (up to the next Host or 59 Match Restricts the following declarations (up to the next Host or
59 Match keyword) to be used only when the conditions following the 60 Match keyword) to be used only when the conditions following the
60 Match keyword are satisfied. Match conditions are specified 61 Match keyword are satisfied. Match conditions are specified
61 using one or more keyword/criteria pairs or the single token all 62 using one or more critera or the single token all which always
62 which matches all criteria. The available keywords are: exec, 63 matches. The available criteria keywords are: canonical, exec,
63 host, originalhost, user, and localuser. 64 host, originalhost, user, and localuser. The all criteria must
64 65 appear alone or immediately after canonical. Other criteria may
65 The exec keyword executes the specified command under the user's 66 be combined arbitrarily. All criteria but all and canonical
66 shell. If the command returns a zero exit status then the 67 require an argument. Criteria may be negated by prepending an
67 condition is considered true. Commands containing whitespace 68 exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y).
68 characters must be quoted. The following character sequences in 69
69 the command will be expanded prior to execution: `%L' will be 70 The canonical keywork matches only when the configuration file is
70 substituted by the first component of the local host name, `%l' 71 being re-parsed after hostname canonicalization (see the
71 will be substituted by the local host name (including any domain 72 CanonicalizeHostname option.) This may be useful to specify
72 name), `%h' will be substituted by the target host name, `%n' 73 conditions that work with canonical host names only. The exec
73 will be substituted by the original target host name specified on 74 keyword executes the specified command under the user's shell.
74 the command-line, `%p' the destination port, `%r' by the remote 75 If the command returns a zero exit status then the condition is
75 login username, and `%u' by the username of the user running 76 considered true. Commands containing whitespace characters must
76 ssh(1). 77 be quoted. The following character sequences in the command will
78 be expanded prior to execution: M-bM-^@M-^X%LM-bM-^@M-^Y will be substituted by the
79 first component of the local host name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted
80 by the local host name (including any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be
81 substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by
82 the original target host name specified on the command-line, M-bM-^@M-^X%pM-bM-^@M-^Y
83 the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by the remote login username, and M-bM-^@M-^X%uM-bM-^@M-^Y
84 by the username of the user running ssh(1).
77 85
78 The other keywords' criteria must be single entries or comma- 86 The other keywords' criteria must be single entries or comma-
79 separated lists and may use the wildcard and negation operators 87 separated lists and may use the wildcard and negation operators
80 described in the PATTERNS section. The criteria for the host 88 described in the PATTERNS section. The criteria for the host
81 keyword are matched against the target hostname, after any 89 keyword are matched against the target hostname, after any
82 substitution by the Hostname option. The originalhost keyword 90 substitution by the Hostname or CanonicalizeHostname options.
83 matches against the hostname as it was specified on the command- 91 The originalhost keyword matches against the hostname as it was
84 line. The user keyword matches against the target username on 92 specified on the command-line. The user keyword matches against
85 the remote host. The localuser keyword matches against the name 93 the target username on the remote host. The localuser keyword
86 of the local user running ssh(1) (this keyword may be useful in 94 matches against the name of the local user running ssh(1) (this
87 system-wide ssh_config files). 95 keyword may be useful in system-wide ssh_config files).
88 96
89 AddressFamily 97 AddressFamily
90 Specifies which address family to use when connecting. Valid 98 Specifies which address family to use when connecting. Valid
91 arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' 99 arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6
92 (use IPv6 only). 100 only).
93 101
94 BatchMode 102 BatchMode
95 If set to ``yes'', passphrase/password querying will be disabled. 103 If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled.
96 This option is useful in scripts and other batch jobs where no 104 This option is useful in scripts and other batch jobs where no
97 user is present to supply the password. The argument must be 105 user is present to supply the password. The argument must be
98 ``yes'' or ``no''. The default is ``no''. 106 M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
99 107
100 BindAddress 108 BindAddress
101 Use the specified address on the local machine as the source 109 Use the specified address on the local machine as the source
102 address of the connection. Only useful on systems with more than 110 address of the connection. Only useful on systems with more than
103 one address. Note that this option does not work if 111 one address. Note that this option does not work if
104 UsePrivilegedPort is set to ``yes''. 112 UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^].
105 113
106 CanonicalDomains 114 CanonicalDomains
107 When CanonicalizeHostname is enabled, this option specifies the 115 When CanonicalizeHostname is enabled, this option specifies the
@@ -110,33 +118,31 @@ DESCRIPTION
110 118
111 CanonicalizeFallbackLocal 119 CanonicalizeFallbackLocal
112 Specifies whether to fail with an error when hostname 120 Specifies whether to fail with an error when hostname
113 canonicalization fails. The default, ``yes'', will attempt to 121 canonicalization fails. The default, M-bM-^@M-^\yesM-bM-^@M-^], will attempt to look
114 look up the unqualified hostname using the system resolver's 122 up the unqualified hostname using the system resolver's search
115 search rules. A value of ``no'' will cause ssh(1) to fail 123 rules. A value of M-bM-^@M-^\noM-bM-^@M-^] will cause ssh(1) to fail instantly if
116 instantly if CanonicalizeHostname is enabled and the target 124 CanonicalizeHostname is enabled and the target hostname cannot be
117 hostname cannot be found in any of the domains specified by 125 found in any of the domains specified by CanonicalDomains.
118 CanonicalDomains.
119 126
120 CanonicalizeHostname 127 CanonicalizeHostname
121 Controls whether explicit hostname canonicalization is performed. 128 Controls whether explicit hostname canonicalization is performed.
122 The default, ``no'', is not to perform any name rewriting and let 129 The default, M-bM-^@M-^\noM-bM-^@M-^], is not to perform any name rewriting and let
123 the system resolver handle all hostname lookups. If set to 130 the system resolver handle all hostname lookups. If set to M-bM-^@M-^\yesM-bM-^@M-^]
124 ``yes'' then, for connections that do not use a ProxyCommand, 131 then, for connections that do not use a ProxyCommand, ssh(1) will
125 ssh(1) will attempt to canonicalize the hostname specified on the 132 attempt to canonicalize the hostname specified on the command
126 command line using the CanonicalDomains suffixes and 133 line using the CanonicalDomains suffixes and
127 CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is 134 CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is
128 set to ``always'', then canonicalization is applied to proxied 135 set to M-bM-^@M-^\alwaysM-bM-^@M-^], then canonicalization is applied to proxied
129 connections too. 136 connections too.
130 137
131 If this option is enabled and canonicalisation results in the 138 If this option is enabled, then the configuration files are
132 target hostname changing, then the configuration files are
133 processed again using the new target name to pick up any new 139 processed again using the new target name to pick up any new
134 configuration in matching Host stanzas. 140 configuration in matching Host and Match stanzas.
135 141
136 CanonicalizeMaxDots 142 CanonicalizeMaxDots
137 Specifies the maximum number of dot characters in a hostname 143 Specifies the maximum number of dot characters in a hostname
138 before canonicalization is disabled. The default, ``1'', allows 144 before canonicalization is disabled. The default, M-bM-^@M-^\1M-bM-^@M-^], allows a
139 a single dot (i.e. hostname.subdomain). 145 single dot (i.e. hostname.subdomain).
140 146
141 CanonicalizePermittedCNAMEs 147 CanonicalizePermittedCNAMEs
142 Specifies rules to determine whether CNAMEs should be followed 148 Specifies rules to determine whether CNAMEs should be followed
@@ -146,30 +152,29 @@ DESCRIPTION
146 CNAMEs in canonicalization, and target_domain_list is a pattern- 152 CNAMEs in canonicalization, and target_domain_list is a pattern-
147 list of domains that they may resolve to. 153 list of domains that they may resolve to.
148 154
149 For example, ``*.a.example.com:*.b.example.com,*.c.example.com'' 155 For example, M-bM-^@M-^\*.a.example.com:*.b.example.com,*.c.example.comM-bM-^@M-^]
150 will allow hostnames matching ``*.a.example.com'' to be 156 will allow hostnames matching M-bM-^@M-^\*.a.example.comM-bM-^@M-^] to be
151 canonicalized to names in the ``*.b.example.com'' or 157 canonicalized to names in the M-bM-^@M-^\*.b.example.comM-bM-^@M-^] or
152 ``*.c.example.com'' domains. 158 M-bM-^@M-^\*.c.example.comM-bM-^@M-^] domains.
153 159
154 ChallengeResponseAuthentication 160 ChallengeResponseAuthentication
155 Specifies whether to use challenge-response authentication. The 161 Specifies whether to use challenge-response authentication. The
156 argument to this keyword must be ``yes'' or ``no''. The default 162 argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is
157 is ``yes''. 163 M-bM-^@M-^\yesM-bM-^@M-^].
158 164
159 CheckHostIP 165 CheckHostIP
160 If this flag is set to ``yes'', ssh(1) will additionally check 166 If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will additionally check the
161 the host IP address in the known_hosts file. This allows ssh to 167 host IP address in the known_hosts file. This allows ssh to
162 detect if a host key changed due to DNS spoofing. If the option 168 detect if a host key changed due to DNS spoofing. If the option
163 is set to ``no'', the check will not be executed. The default is 169 is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The default is
164 ``yes''. 170 M-bM-^@M-^\yesM-bM-^@M-^].
165 171
166 Cipher Specifies the cipher to use for encrypting the session in 172 Cipher Specifies the cipher to use for encrypting the session in
167 protocol version 1. Currently, ``blowfish'', ``3des'', and 173 protocol version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are
168 ``des'' are supported. des is only supported in the ssh(1) 174 supported. des is only supported in the ssh(1) client for
169 client for interoperability with legacy protocol 1 175 interoperability with legacy protocol 1 implementations that do
170 implementations that do not support the 3des cipher. Its use is 176 not support the 3des cipher. Its use is strongly discouraged due
171 strongly discouraged due to cryptographic weaknesses. The 177 to cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^].
172 default is ``3des''.
173 178
174 Ciphers 179 Ciphers
175 Specifies the ciphers allowed for protocol version 2 in order of 180 Specifies the ciphers allowed for protocol version 2 in order of
@@ -202,7 +207,7 @@ DESCRIPTION
202 aes192-cbc,aes256-cbc,arcfour 207 aes192-cbc,aes256-cbc,arcfour
203 208
204 The list of available ciphers may also be obtained using the -Q 209 The list of available ciphers may also be obtained using the -Q
205 option of ssh(1). 210 option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^].
206 211
207 ClearAllForwardings 212 ClearAllForwardings
208 Specifies that all local, remote, and dynamic port forwardings 213 Specifies that all local, remote, and dynamic port forwardings
@@ -210,12 +215,12 @@ DESCRIPTION
210 cleared. This option is primarily useful when used from the 215 cleared. This option is primarily useful when used from the
211 ssh(1) command line to clear port forwardings set in 216 ssh(1) command line to clear port forwardings set in
212 configuration files, and is automatically set by scp(1) and 217 configuration files, and is automatically set by scp(1) and
213 sftp(1). The argument must be ``yes'' or ``no''. The default is 218 sftp(1). The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is
214 ``no''. 219 M-bM-^@M-^\noM-bM-^@M-^].
215 220
216 Compression 221 Compression
217 Specifies whether to use compression. The argument must be 222 Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^]
218 ``yes'' or ``no''. The default is ``no''. 223 or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
219 224
220 CompressionLevel 225 CompressionLevel
221 Specifies the compression level to use if compression is enabled. 226 Specifies the compression level to use if compression is enabled.
@@ -237,16 +242,16 @@ DESCRIPTION
237 242
238 ControlMaster 243 ControlMaster
239 Enables the sharing of multiple sessions over a single network 244 Enables the sharing of multiple sessions over a single network
240 connection. When set to ``yes'', ssh(1) will listen for 245 connection. When set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will listen for
241 connections on a control socket specified using the ControlPath 246 connections on a control socket specified using the ControlPath
242 argument. Additional sessions can connect to this socket using 247 argument. Additional sessions can connect to this socket using
243 the same ControlPath with ControlMaster set to ``no'' (the 248 the same ControlPath with ControlMaster set to M-bM-^@M-^\noM-bM-^@M-^] (the
244 default). These sessions will try to reuse the master instance's 249 default). These sessions will try to reuse the master instance's
245 network connection rather than initiating new ones, but will fall 250 network connection rather than initiating new ones, but will fall
246 back to connecting normally if the control socket does not exist, 251 back to connecting normally if the control socket does not exist,
247 or is not listening. 252 or is not listening.
248 253
249 Setting this to ``ask'' will cause ssh to listen for control 254 Setting this to M-bM-^@M-^\askM-bM-^@M-^] will cause ssh to listen for control
250 connections, but require confirmation using the SSH_ASKPASS 255 connections, but require confirmation using the SSH_ASKPASS
251 program before they are accepted (see ssh-add(1) for details). 256 program before they are accepted (see ssh-add(1) for details).
252 If the ControlPath cannot be opened, ssh will continue without 257 If the ControlPath cannot be opened, ssh will continue without
@@ -259,40 +264,41 @@ DESCRIPTION
259 264
260 Two additional options allow for opportunistic multiplexing: try 265 Two additional options allow for opportunistic multiplexing: try
261 to use a master connection but fall back to creating a new one if 266 to use a master connection but fall back to creating a new one if
262 one does not already exist. These options are: ``auto'' and 267 one does not already exist. These options are: M-bM-^@M-^\autoM-bM-^@M-^] and
263 ``autoask''. The latter requires confirmation like the ``ask'' 268 M-bM-^@M-^\autoaskM-bM-^@M-^]. The latter requires confirmation like the M-bM-^@M-^\askM-bM-^@M-^]
264 option. 269 option.
265 270
266 ControlPath 271 ControlPath
267 Specify the path to the control socket used for connection 272 Specify the path to the control socket used for connection
268 sharing as described in the ControlMaster section above or the 273 sharing as described in the ControlMaster section above or the
269 string ``none'' to disable connection sharing. In the path, `%L' 274 string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing. In the path, M-bM-^@M-^X%LM-bM-^@M-^Y
270 will be substituted by the first component of the local host 275 will be substituted by the first component of the local host
271 name, `%l' will be substituted by the local host name (including 276 name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted by the local host name (including
272 any domain name), `%h' will be substituted by the target host 277 any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host
273 name, `%n' will be substituted by the original target host name 278 name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name
274 specified on the command line, `%p' the destination port, `%r' by 279 specified on the command line, M-bM-^@M-^X%pM-bM-^@M-^Y the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by
275 the remote login username, `%u' by the username of the user 280 the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username of the user
276 running ssh(1), and `%C' by a hash of the concatenation: 281 running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation:
277 %l%h%p%r. It is recommended that any ControlPath used for 282 %l%h%p%r. It is recommended that any ControlPath used for
278 opportunistic connection sharing include at least %h, %p, and %r 283 opportunistic connection sharing include at least %h, %p, and %r
279 (or alternatively %C). This ensures that shared connections are 284 (or alternatively %C) and be placed in a directory that is not
280 uniquely identified. 285 writable by other users. This ensures that shared connections
286 are uniquely identified.
281 287
282 ControlPersist 288 ControlPersist
283 When used in conjunction with ControlMaster, specifies that the 289 When used in conjunction with ControlMaster, specifies that the
284 master connection should remain open in the background (waiting 290 master connection should remain open in the background (waiting
285 for future client connections) after the initial client 291 for future client connections) after the initial client
286 connection has been closed. If set to ``no'', then the master 292 connection has been closed. If set to M-bM-^@M-^\noM-bM-^@M-^], then the master
287 connection will not be placed into the background, and will close 293 connection will not be placed into the background, and will close
288 as soon as the initial client connection is closed. If set to 294 as soon as the initial client connection is closed. If set to
289 ``yes'', then the master connection will remain in the background 295 M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\0M-bM-^@M-^], then the master connection will remain in the
290 indefinitely (until killed or closed via a mechanism such as the 296 background indefinitely (until killed or closed via a mechanism
291 ssh(1) ``-O exit'' option). If set to a time in seconds, or a 297 such as the ssh(1) M-bM-^@M-^\-O exitM-bM-^@M-^] option). If set to a time in
292 time in any of the formats documented in sshd_config(5), then the 298 seconds, or a time in any of the formats documented in
293 backgrounded master connection will automatically terminate after 299 sshd_config(5), then the backgrounded master connection will
294 it has remained idle (with no client connections) for the 300 automatically terminate after it has remained idle (with no
295 specified time. 301 client connections) for the specified time.
296 302
297 DynamicForward 303 DynamicForward
298 Specifies that a TCP port on the local machine be forwarded over 304 Specifies that a TCP port on the local machine be forwarded over
@@ -304,9 +310,9 @@ DESCRIPTION
304 the local port is bound in accordance with the GatewayPorts 310 the local port is bound in accordance with the GatewayPorts
305 setting. However, an explicit bind_address may be used to bind 311 setting. However, an explicit bind_address may be used to bind
306 the connection to a specific address. The bind_address of 312 the connection to a specific address. The bind_address of
307 ``localhost'' indicates that the listening port be bound for 313 M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local
308 local use only, while an empty address or `*' indicates that the 314 use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port
309 port should be available from all interfaces. 315 should be available from all interfaces.
310 316
311 Currently the SOCKS4 and SOCKS5 protocols are supported, and 317 Currently the SOCKS4 and SOCKS5 protocols are supported, and
312 ssh(1) will act as a SOCKS server. Multiple forwardings may be 318 ssh(1) will act as a SOCKS server. Multiple forwardings may be
@@ -314,30 +320,35 @@ DESCRIPTION
314 line. Only the superuser can forward privileged ports. 320 line. Only the superuser can forward privileged ports.
315 321
316 EnableSSHKeysign 322 EnableSSHKeysign
317 Setting this option to ``yes'' in the global client configuration 323 Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration
318 file /etc/ssh/ssh_config enables the use of the helper program 324 file /etc/ssh/ssh_config enables the use of the helper program
319 ssh-keysign(8) during HostbasedAuthentication. The argument must 325 ssh-keysign(8) during HostbasedAuthentication. The argument must
320 be ``yes'' or ``no''. The default is ``no''. This option should 326 be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. This option should be
321 be placed in the non-hostspecific section. See ssh-keysign(8) 327 placed in the non-hostspecific section. See ssh-keysign(8) for
322 for more information. 328 more information.
323 329
324 EscapeChar 330 EscapeChar
325 Sets the escape character (default: `~'). The escape character 331 Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character
326 can also be set on the command line. The argument should be a 332 can also be set on the command line. The argument should be a
327 single character, `^' followed by a letter, or ``none'' to 333 single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable
328 disable the escape character entirely (making the connection 334 the escape character entirely (making the connection transparent
329 transparent for binary data). 335 for binary data).
330 336
331 ExitOnForwardFailure 337 ExitOnForwardFailure
332 Specifies whether ssh(1) should terminate the connection if it 338 Specifies whether ssh(1) should terminate the connection if it
333 cannot set up all requested dynamic, tunnel, local, and remote 339 cannot set up all requested dynamic, tunnel, local, and remote
334 port forwardings. The argument must be ``yes'' or ``no''. The 340 port forwardings. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
335 default is ``no''. 341 default is M-bM-^@M-^\noM-bM-^@M-^].
342
343 FingerprintHash
344 Specifies the hash algorithm used when displaying key
345 fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The
346 default is M-bM-^@M-^\sha256M-bM-^@M-^].
336 347
337 ForwardAgent 348 ForwardAgent
338 Specifies whether the connection to the authentication agent (if 349 Specifies whether the connection to the authentication agent (if
339 any) will be forwarded to the remote machine. The argument must 350 any) will be forwarded to the remote machine. The argument must
340 be ``yes'' or ``no''. The default is ``no''. 351 be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
341 352
342 Agent forwarding should be enabled with caution. Users with the 353 Agent forwarding should be enabled with caution. Users with the
343 ability to bypass file permissions on the remote host (for the 354 ability to bypass file permissions on the remote host (for the
@@ -350,7 +361,7 @@ DESCRIPTION
350 ForwardX11 361 ForwardX11
351 Specifies whether X11 connections will be automatically 362 Specifies whether X11 connections will be automatically
352 redirected over the secure channel and DISPLAY set. The argument 363 redirected over the secure channel and DISPLAY set. The argument
353 must be ``yes'' or ``no''. The default is ``no''. 364 must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
354 365
355 X11 forwarding should be enabled with caution. Users with the 366 X11 forwarding should be enabled with caution. Users with the
356 ability to bypass file permissions on the remote host (for the 367 ability to bypass file permissions on the remote host (for the
@@ -367,17 +378,17 @@ DESCRIPTION
367 minutes has elapsed. 378 minutes has elapsed.
368 379
369 ForwardX11Trusted 380 ForwardX11Trusted
370 If this option is set to ``yes'', remote X11 clients will have 381 If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], remote X11 clients will have full
371 full access to the original X11 display. 382 access to the original X11 display.
372 383
373 If this option is set to ``no'', remote X11 clients will be 384 If this option is set to M-bM-^@M-^\noM-bM-^@M-^], remote X11 clients will be
374 considered untrusted and prevented from stealing or tampering 385 considered untrusted and prevented from stealing or tampering
375 with data belonging to trusted X11 clients. Furthermore, the 386 with data belonging to trusted X11 clients. Furthermore, the
376 xauth(1) token used for the session will be set to expire after 387 xauth(1) token used for the session will be set to expire after
377 20 minutes. Remote clients will be refused access after this 388 20 minutes. Remote clients will be refused access after this
378 time. 389 time.
379 390
380 The default is ``no''. 391 The default is M-bM-^@M-^\noM-bM-^@M-^].
381 392
382 See the X11 SECURITY extension specification for full details on 393 See the X11 SECURITY extension specification for full details on
383 the restrictions imposed on untrusted clients. 394 the restrictions imposed on untrusted clients.
@@ -389,8 +400,8 @@ DESCRIPTION
389 connecting to forwarded ports. GatewayPorts can be used to 400 connecting to forwarded ports. GatewayPorts can be used to
390 specify that ssh should bind local port forwardings to the 401 specify that ssh should bind local port forwardings to the
391 wildcard address, thus allowing remote hosts to connect to 402 wildcard address, thus allowing remote hosts to connect to
392 forwarded ports. The argument must be ``yes'' or ``no''. The 403 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
393 default is ``no''. 404 default is M-bM-^@M-^\noM-bM-^@M-^].
394 405
395 GlobalKnownHostsFile 406 GlobalKnownHostsFile
396 Specifies one or more files to use for the global host key 407 Specifies one or more files to use for the global host key
@@ -399,28 +410,33 @@ DESCRIPTION
399 410
400 GSSAPIAuthentication 411 GSSAPIAuthentication
401 Specifies whether user authentication based on GSSAPI is allowed. 412 Specifies whether user authentication based on GSSAPI is allowed.
402 The default is ``no''. Note that this option applies to protocol 413 The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol
403 version 2 only. 414 version 2 only.
404 415
405 GSSAPIDelegateCredentials 416 GSSAPIDelegateCredentials
406 Forward (delegate) credentials to the server. The default is 417 Forward (delegate) credentials to the server. The default is
407 ``no''. Note that this option applies to protocol version 2 418 M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 only.
408 only.
409 419
410 HashKnownHosts 420 HashKnownHosts
411 Indicates that ssh(1) should hash host names and addresses when 421 Indicates that ssh(1) should hash host names and addresses when
412 they are added to ~/.ssh/known_hosts. These hashed names may be 422 they are added to ~/.ssh/known_hosts. These hashed names may be
413 used normally by ssh(1) and sshd(8), but they do not reveal 423 used normally by ssh(1) and sshd(8), but they do not reveal
414 identifying information should the file's contents be disclosed. 424 identifying information should the file's contents be disclosed.
415 The default is ``no''. Note that existing names and addresses in 425 The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that existing names and addresses in
416 known hosts files will not be converted automatically, but may be 426 known hosts files will not be converted automatically, but may be
417 manually hashed using ssh-keygen(1). 427 manually hashed using ssh-keygen(1).
418 428
419 HostbasedAuthentication 429 HostbasedAuthentication
420 Specifies whether to try rhosts based authentication with public 430 Specifies whether to try rhosts based authentication with public
421 key authentication. The argument must be ``yes'' or ``no''. The 431 key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
422 default is ``no''. This option applies to protocol version 2 432 default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 2 only
423 only and is similar to RhostsRSAAuthentication. 433 and is similar to RhostsRSAAuthentication.
434
435 HostbasedKeyTypes
436 Specifies the key types that will be used for hostbased
437 authentication as a comma-separated pattern list. The default
438 M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be
439 used to list supported key types.
424 440
425 HostKeyAlgorithms 441 HostKeyAlgorithms
426 Specifies the protocol version 2 host key algorithms that the 442 Specifies the protocol version 2 host key algorithms that the
@@ -439,6 +455,9 @@ DESCRIPTION
439 If hostkeys are known for the destination host then this default 455 If hostkeys are known for the destination host then this default
440 is modified to prefer their algorithms. 456 is modified to prefer their algorithms.
441 457
458 The list of available key types may also be obtained using the -Q
459 option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^].
460
442 HostKeyAlias 461 HostKeyAlias
443 Specifies an alias that should be used instead of the real host 462 Specifies an alias that should be used instead of the real host
444 name when looking up or saving the host key in the host key 463 name when looking up or saving the host key in the host key
@@ -448,10 +467,10 @@ DESCRIPTION
448 HostName 467 HostName
449 Specifies the real host name to log into. This can be used to 468 Specifies the real host name to log into. This can be used to
450 specify nicknames or abbreviations for hosts. If the hostname 469 specify nicknames or abbreviations for hosts. If the hostname
451 contains the character sequence `%h', then this will be replaced 470 contains the character sequence M-bM-^@M-^X%hM-bM-^@M-^Y, then this will be replaced
452 with the host name specified on the command line (this is useful 471 with the host name specified on the command line (this is useful
453 for manipulating unqualified names). The character sequence `%%' 472 for manipulating unqualified names). The character sequence M-bM-^@M-^X%%M-bM-^@M-^Y
454 will be replaced by a single `%' character, which may be used 473 will be replaced by a single M-bM-^@M-^X%M-bM-^@M-^Y character, which may be used
455 when specifying IPv6 link-local addresses. 474 when specifying IPv6 link-local addresses.
456 475
457 The default is the name given on the command line. Numeric IP 476 The default is the name given on the command line. Numeric IP
@@ -462,12 +481,12 @@ DESCRIPTION
462 Specifies that ssh(1) should only use the authentication identity 481 Specifies that ssh(1) should only use the authentication identity
463 files configured in the ssh_config files, even if ssh-agent(1) or 482 files configured in the ssh_config files, even if ssh-agent(1) or
464 a PKCS11Provider offers more identities. The argument to this 483 a PKCS11Provider offers more identities. The argument to this
465 keyword must be ``yes'' or ``no''. This option is intended for 484 keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option is intended for
466 situations where ssh-agent offers many different identities. The 485 situations where ssh-agent offers many different identities. The
467 default is ``no''. 486 default is M-bM-^@M-^\noM-bM-^@M-^].
468 487
469 IdentityFile 488 IdentityFile
470 Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA 489 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA
471 authentication identity is read. The default is ~/.ssh/identity 490 authentication identity is read. The default is ~/.ssh/identity
472 for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, 491 for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
473 ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. 492 ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
@@ -478,9 +497,9 @@ DESCRIPTION
478 specified IdentityFile. 497 specified IdentityFile.
479 498
480 The file name may use the tilde syntax to refer to a user's home 499 The file name may use the tilde syntax to refer to a user's home
481 directory or one of the following escape characters: `%d' (local 500 directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local
482 user's home directory), `%u' (local user name), `%l' (local host 501 user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host
483 name), `%h' (remote host name) or `%r' (remote user name). 502 name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name).
484 503
485 It is possible to have multiple identity files specified in 504 It is possible to have multiple identity files specified in
486 configuration files; all these identities will be tried in 505 configuration files; all these identities will be tried in
@@ -501,30 +520,30 @@ DESCRIPTION
501 to unknown options that appear before it. 520 to unknown options that appear before it.
502 521
503 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. 522 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections.
504 Accepted values are ``af11'', ``af12'', ``af13'', ``af21'', 523 Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], M-bM-^@M-^\af22M-bM-^@M-^],
505 ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', ``af41'', 524 M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], M-bM-^@M-^\cs0M-bM-^@M-^],
506 ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'', ``cs4'', 525 M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^],
507 ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'', ``throughput'', 526 M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value.
508 ``reliability'', or a numeric value. This option may take one or 527 This option may take one or two arguments, separated by
509 two arguments, separated by whitespace. If one argument is 528 whitespace. If one argument is specified, it is used as the
510 specified, it is used as the packet class unconditionally. If 529 packet class unconditionally. If two values are specified, the
511 two values are specified, the first is automatically selected for 530 first is automatically selected for interactive sessions and the
512 interactive sessions and the second for non-interactive sessions. 531 second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^]
513 The default is ``lowdelay'' for interactive sessions and 532 for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive
514 ``throughput'' for non-interactive sessions. 533 sessions.
515 534
516 KbdInteractiveAuthentication 535 KbdInteractiveAuthentication
517 Specifies whether to use keyboard-interactive authentication. 536 Specifies whether to use keyboard-interactive authentication.
518 The argument to this keyword must be ``yes'' or ``no''. The 537 The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default
519 default is ``yes''. 538 is M-bM-^@M-^\yesM-bM-^@M-^].
520 539
521 KbdInteractiveDevices 540 KbdInteractiveDevices
522 Specifies the list of methods to use in keyboard-interactive 541 Specifies the list of methods to use in keyboard-interactive
523 authentication. Multiple method names must be comma-separated. 542 authentication. Multiple method names must be comma-separated.
524 The default is to use the server specified list. The methods 543 The default is to use the server specified list. The methods
525 available vary depending on what the server supports. For an 544 available vary depending on what the server supports. For an
526 OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'', 545 OpenSSH server, it may be zero or more of: M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], and
527 and ``skey''. 546 M-bM-^@M-^\skeyM-bM-^@M-^].
528 547
529 KexAlgorithms 548 KexAlgorithms
530 Specifies the available KEX (Key Exchange) algorithms. Multiple 549 Specifies the available KEX (Key Exchange) algorithms. Multiple
@@ -537,15 +556,18 @@ DESCRIPTION
537 diffie-hellman-group-exchange-sha1, 556 diffie-hellman-group-exchange-sha1,
538 diffie-hellman-group1-sha1 557 diffie-hellman-group1-sha1
539 558
559 The list of available key exchange algorithms may also be
560 obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
561
540 LocalCommand 562 LocalCommand
541 Specifies a command to execute on the local machine after 563 Specifies a command to execute on the local machine after
542 successfully connecting to the server. The command string 564 successfully connecting to the server. The command string
543 extends to the end of the line, and is executed with the user's 565 extends to the end of the line, and is executed with the user's
544 shell. The following escape character substitutions will be 566 shell. The following escape character substitutions will be
545 performed: `%d' (local user's home directory), `%h' (remote host 567 performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host
546 name), `%l' (local host name), `%n' (host name as provided on the 568 name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the
547 command line), `%p' (remote port), `%r' (remote user name) or 569 command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or
548 `%u' (local user name) or `%C' by a hash of the concatenation: 570 M-bM-^@M-^X%uM-bM-^@M-^Y (local user name) or M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation:
549 %l%h%p%r. 571 %l%h%p%r.
550 572
551 The command is run synchronously and does not have access to the 573 The command is run synchronously and does not have access to the
@@ -566,9 +588,9 @@ DESCRIPTION
566 privileged ports. By default, the local port is bound in 588 privileged ports. By default, the local port is bound in
567 accordance with the GatewayPorts setting. However, an explicit 589 accordance with the GatewayPorts setting. However, an explicit
568 bind_address may be used to bind the connection to a specific 590 bind_address may be used to bind the connection to a specific
569 address. The bind_address of ``localhost'' indicates that the 591 address. The bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the
570 listening port be bound for local use only, while an empty 592 listening port be bound for local use only, while an empty
571 address or `*' indicates that the port should be available from 593 address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from
572 all interfaces. 594 all interfaces.
573 595
574 LogLevel 596 LogLevel
@@ -581,7 +603,7 @@ DESCRIPTION
581 MACs Specifies the MAC (message authentication code) algorithms in 603 MACs Specifies the MAC (message authentication code) algorithms in
582 order of preference. The MAC algorithm is used in protocol 604 order of preference. The MAC algorithm is used in protocol
583 version 2 for data integrity protection. Multiple algorithms 605 version 2 for data integrity protection. Multiple algorithms
584 must be comma-separated. The algorithms that contain ``-etm'' 606 must be comma-separated. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^]
585 calculate the MAC after encryption (encrypt-then-mac). These are 607 calculate the MAC after encryption (encrypt-then-mac). These are
586 considered safer and their use recommended. The default is: 608 considered safer and their use recommended. The default is:
587 609
@@ -595,14 +617,17 @@ DESCRIPTION
595 hmac-md5,hmac-sha1,hmac-ripemd160, 617 hmac-md5,hmac-sha1,hmac-ripemd160,
596 hmac-sha1-96,hmac-md5-96 618 hmac-sha1-96,hmac-md5-96
597 619
620 The list of available MAC algorithms may also be obtained using
621 the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^].
622
598 NoHostAuthenticationForLocalhost 623 NoHostAuthenticationForLocalhost
599 This option can be used if the home directory is shared across 624 This option can be used if the home directory is shared across
600 machines. In this case localhost will refer to a different 625 machines. In this case localhost will refer to a different
601 machine on each of the machines and the user will get many 626 machine on each of the machines and the user will get many
602 warnings about changed host keys. However, this option disables 627 warnings about changed host keys. However, this option disables
603 host authentication for localhost. The argument to this keyword 628 host authentication for localhost. The argument to this keyword
604 must be ``yes'' or ``no''. The default is to check the host key 629 must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for
605 for localhost. 630 localhost.
606 631
607 NumberOfPasswordPrompts 632 NumberOfPasswordPrompts
608 Specifies the number of password prompts before giving up. The 633 Specifies the number of password prompts before giving up. The
@@ -610,13 +635,12 @@ DESCRIPTION
610 635
611 PasswordAuthentication 636 PasswordAuthentication
612 Specifies whether to use password authentication. The argument 637 Specifies whether to use password authentication. The argument
613 to this keyword must be ``yes'' or ``no''. The default is 638 to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^].
614 ``yes''.
615 639
616 PermitLocalCommand 640 PermitLocalCommand
617 Allow local command execution via the LocalCommand option or 641 Allow local command execution via the LocalCommand option or
618 using the !command escape sequence in ssh(1). The argument must 642 using the !command escape sequence in ssh(1). The argument must
619 be ``yes'' or ``no''. The default is ``no''. 643 be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
620 644
621 PKCS11Provider 645 PKCS11Provider
622 Specifies which PKCS#11 provider to use. The argument to this 646 Specifies which PKCS#11 provider to use. The argument to this
@@ -638,26 +662,26 @@ DESCRIPTION
638 662
639 Protocol 663 Protocol
640 Specifies the protocol versions ssh(1) should support in order of 664 Specifies the protocol versions ssh(1) should support in order of
641 preference. The possible values are `1' and `2'. Multiple 665 preference. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple
642 versions must be comma-separated. When this option is set to 666 versions must be comma-separated. When this option is set to
643 ``2,1'' ssh will try version 2 and fall back to version 1 if 667 M-bM-^@M-^\2,1M-bM-^@M-^] ssh will try version 2 and fall back to version 1 if
644 version 2 is not available. The default is `2'. 668 version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y.
645 669
646 ProxyCommand 670 ProxyCommand
647 Specifies the command to use to connect to the server. The 671 Specifies the command to use to connect to the server. The
648 command string extends to the end of the line, and is executed 672 command string extends to the end of the line, and is executed
649 using the user's shell `exec' directive to avoid a lingering 673 using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering
650 shell process. 674 shell process.
651 675
652 In the command string, any occurrence of `%h' will be substituted 676 In the command string, any occurrence of M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted
653 by the host name to connect, `%p' by the port, and `%r' by the 677 by the host name to connect, M-bM-^@M-^X%pM-bM-^@M-^Y by the port, and M-bM-^@M-^X%rM-bM-^@M-^Y by the
654 remote user name. The command can be basically anything, and 678 remote user name. The command can be basically anything, and
655 should read from its standard input and write to its standard 679 should read from its standard input and write to its standard
656 output. It should eventually connect an sshd(8) server running 680 output. It should eventually connect an sshd(8) server running
657 on some machine, or execute sshd -i somewhere. Host key 681 on some machine, or execute sshd -i somewhere. Host key
658 management will be done using the HostName of the host being 682 management will be done using the HostName of the host being
659 connected (defaulting to the name typed by the user). Setting 683 connected (defaulting to the name typed by the user). Setting
660 the command to ``none'' disables this option entirely. Note that 684 the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option entirely. Note that
661 CheckHostIP is not available for connects with a proxy command. 685 CheckHostIP is not available for connects with a proxy command.
662 686
663 This directive is useful in conjunction with nc(1) and its proxy 687 This directive is useful in conjunction with nc(1) and its proxy
@@ -669,27 +693,27 @@ DESCRIPTION
669 ProxyUseFdpass 693 ProxyUseFdpass
670 Specifies that ProxyCommand will pass a connected file descriptor 694 Specifies that ProxyCommand will pass a connected file descriptor
671 back to ssh(1) instead of continuing to execute and pass data. 695 back to ssh(1) instead of continuing to execute and pass data.
672 The default is ``no''. 696 The default is M-bM-^@M-^\noM-bM-^@M-^].
673 697
674 PubkeyAuthentication 698 PubkeyAuthentication
675 Specifies whether to try public key authentication. The argument 699 Specifies whether to try public key authentication. The argument
676 to this keyword must be ``yes'' or ``no''. The default is 700 to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^].
677 ``yes''. This option applies to protocol version 2 only. 701 This option applies to protocol version 2 only.
678 702
679 RekeyLimit 703 RekeyLimit
680 Specifies the maximum amount of data that may be transmitted 704 Specifies the maximum amount of data that may be transmitted
681 before the session key is renegotiated, optionally followed a 705 before the session key is renegotiated, optionally followed a
682 maximum amount of time that may pass before the session key is 706 maximum amount of time that may pass before the session key is
683 renegotiated. The first argument is specified in bytes and may 707 renegotiated. The first argument is specified in bytes and may
684 have a suffix of `K', `M', or `G' to indicate Kilobytes, 708 have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes,
685 Megabytes, or Gigabytes, respectively. The default is between 709 Megabytes, or Gigabytes, respectively. The default is between
686 `1G' and `4G', depending on the cipher. The optional second 710 M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second
687 value is specified in seconds and may use any of the units 711 value is specified in seconds and may use any of the units
688 documented in the TIME FORMATS section of sshd_config(5). The 712 documented in the TIME FORMATS section of sshd_config(5). The
689 default value for RekeyLimit is ``default none'', which means 713 default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that
690 that rekeying is performed after the cipher's default amount of 714 rekeying is performed after the cipher's default amount of data
691 data has been sent or received and no time based rekeying is 715 has been sent or received and no time based rekeying is done.
692 done. This option applies to protocol version 2 only. 716 This option applies to protocol version 2 only.
693 717
694 RemoteForward 718 RemoteForward
695 Specifies that a TCP port on the remote machine be forwarded over 719 Specifies that a TCP port on the remote machine be forwarded over
@@ -701,11 +725,11 @@ DESCRIPTION
701 given on the command line. Privileged ports can be forwarded 725 given on the command line. Privileged ports can be forwarded
702 only when logging in as root on the remote machine. 726 only when logging in as root on the remote machine.
703 727
704 If the port argument is `0', the listen port will be dynamically 728 If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically
705 allocated on the server and reported to the client at run time. 729 allocated on the server and reported to the client at run time.
706 730
707 If the bind_address is not specified, the default is to only bind 731 If the bind_address is not specified, the default is to only bind
708 to loopback addresses. If the bind_address is `*' or an empty 732 to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty
709 string, then the forwarding is requested to listen on all 733 string, then the forwarding is requested to listen on all
710 interfaces. Specifying a remote bind_address will only succeed 734 interfaces. Specifying a remote bind_address will only succeed
711 if the server's GatewayPorts option is enabled (see 735 if the server's GatewayPorts option is enabled (see
@@ -713,24 +737,32 @@ DESCRIPTION
713 737
714 RequestTTY 738 RequestTTY
715 Specifies whether to request a pseudo-tty for the session. The 739 Specifies whether to request a pseudo-tty for the session. The
716 argument may be one of: ``no'' (never request a TTY), ``yes'' 740 argument may be one of: M-bM-^@M-^\noM-bM-^@M-^] (never request a TTY), M-bM-^@M-^\yesM-bM-^@M-^] (always
717 (always request a TTY when standard input is a TTY), ``force'' 741 request a TTY when standard input is a TTY), M-bM-^@M-^\forceM-bM-^@M-^] (always
718 (always request a TTY) or ``auto'' (request a TTY when opening a 742 request a TTY) or M-bM-^@M-^\autoM-bM-^@M-^] (request a TTY when opening a login
719 login session). This option mirrors the -t and -T flags for 743 session). This option mirrors the -t and -T flags for ssh(1).
720 ssh(1). 744
745 RevokedHostKeys
746 Specifies revoked host public keys. Keys listed in this file
747 will be refused for host authentication. Note that if this file
748 does not exist or is not readable, then host authentication will
749 be refused for all hosts. Keys may be specified as a text file,
750 listing one public key per line, or as an OpenSSH Key Revocation
751 List (KRL) as generated by ssh-keygen(1). For more information
752 on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1).
721 753
722 RhostsRSAAuthentication 754 RhostsRSAAuthentication
723 Specifies whether to try rhosts based authentication with RSA 755 Specifies whether to try rhosts based authentication with RSA
724 host authentication. The argument must be ``yes'' or ``no''. 756 host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The
725 The default is ``no''. This option applies to protocol version 1 757 default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only
726 only and requires ssh(1) to be setuid root. 758 and requires ssh(1) to be setuid root.
727 759
728 RSAAuthentication 760 RSAAuthentication
729 Specifies whether to try RSA authentication. The argument to 761 Specifies whether to try RSA authentication. The argument to
730 this keyword must be ``yes'' or ``no''. RSA authentication will 762 this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only
731 only be attempted if the identity file exists, or an 763 be attempted if the identity file exists, or an authentication
732 authentication agent is running. The default is ``yes''. Note 764 agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option
733 that this option applies to protocol version 1 only. 765 applies to protocol version 1 only.
734 766
735 SendEnv 767 SendEnv
736 Specifies what variables from the local environ(7) should be sent 768 Specifies what variables from the local environ(7) should be sent
@@ -790,24 +822,24 @@ DESCRIPTION
790 domain socket file. This option is only used for port forwarding 822 domain socket file. This option is only used for port forwarding
791 to a Unix-domain socket file. 823 to a Unix-domain socket file.
792 824
793 The argument must be ``yes'' or ``no''. The default is ``no''. 825 The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^].
794 826
795 StrictHostKeyChecking 827 StrictHostKeyChecking
796 If this flag is set to ``yes'', ssh(1) will never automatically 828 If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will never automatically add
797 add host keys to the ~/.ssh/known_hosts file, and refuses to 829 host keys to the ~/.ssh/known_hosts file, and refuses to connect
798 connect to hosts whose host key has changed. This provides 830 to hosts whose host key has changed. This provides maximum
799 maximum protection against trojan horse attacks, though it can be 831 protection against trojan horse attacks, though it can be
800 annoying when the /etc/ssh/ssh_known_hosts file is poorly 832 annoying when the /etc/ssh/ssh_known_hosts file is poorly
801 maintained or when connections to new hosts are frequently made. 833 maintained or when connections to new hosts are frequently made.
802 This option forces the user to manually add all new hosts. If 834 This option forces the user to manually add all new hosts. If
803 this flag is set to ``no'', ssh will automatically add new host 835 this flag is set to M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host
804 keys to the user known hosts files. If this flag is set to 836 keys to the user known hosts files. If this flag is set to
805 ``ask'', new host keys will be added to the user known host files 837 M-bM-^@M-^\askM-bM-^@M-^], new host keys will be added to the user known host files
806 only after the user has confirmed that is what they really want 838 only after the user has confirmed that is what they really want
807 to do, and ssh will refuse to connect to hosts whose host key has 839 to do, and ssh will refuse to connect to hosts whose host key has
808 changed. The host keys of known hosts will be verified 840 changed. The host keys of known hosts will be verified
809 automatically in all cases. The argument must be ``yes'', 841 automatically in all cases. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or
810 ``no'', or ``ask''. The default is ``ask''. 842 M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^].
811 843
812 TCPKeepAlive 844 TCPKeepAlive
813 Specifies whether the system should send TCP keepalive messages 845 Specifies whether the system should send TCP keepalive messages
@@ -816,34 +848,53 @@ DESCRIPTION
816 this means that connections will die if the route is down 848 this means that connections will die if the route is down
817 temporarily, and some people find it annoying. 849 temporarily, and some people find it annoying.
818 850
819 The default is ``yes'' (to send TCP keepalive messages), and the 851 The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the
820 client will notice if the network goes down or the remote host 852 client will notice if the network goes down or the remote host
821 dies. This is important in scripts, and many users want it too. 853 dies. This is important in scripts, and many users want it too.
822 854
823 To disable TCP keepalive messages, the value should be set to 855 To disable TCP keepalive messages, the value should be set to
824 ``no''. 856 M-bM-^@M-^\noM-bM-^@M-^].
825 857
826 Tunnel Request tun(4) device forwarding between the client and the 858 Tunnel Request tun(4) device forwarding between the client and the
827 server. The argument must be ``yes'', ``point-to-point'' (layer 859 server. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3),
828 3), ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' 860 M-bM-^@M-^\ethernetM-bM-^@M-^] (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] requests the
829 requests the default tunnel mode, which is ``point-to-point''. 861 default tunnel mode, which is M-bM-^@M-^\point-to-pointM-bM-^@M-^]. The default is
830 The default is ``no''. 862 M-bM-^@M-^\noM-bM-^@M-^].
831 863
832 TunnelDevice 864 TunnelDevice
833 Specifies the tun(4) devices to open on the client (local_tun) 865 Specifies the tun(4) devices to open on the client (local_tun)
834 and the server (remote_tun). 866 and the server (remote_tun).
835 867
836 The argument must be local_tun[:remote_tun]. The devices may be 868 The argument must be local_tun[:remote_tun]. The devices may be
837 specified by numerical ID or the keyword ``any'', which uses the 869 specified by numerical ID or the keyword M-bM-^@M-^\anyM-bM-^@M-^], which uses the
838 next available tunnel device. If remote_tun is not specified, it 870 next available tunnel device. If remote_tun is not specified, it
839 defaults to ``any''. The default is ``any:any''. 871 defaults to M-bM-^@M-^\anyM-bM-^@M-^]. The default is M-bM-^@M-^\any:anyM-bM-^@M-^].
872
873 UpdateHostKeys
874 Specifies whether ssh(1) should accept notifications of
875 additional hostkeys from the server sent after authentication has
876 completed and add them to UserKnownHostsFile. The argument must
877 be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] (the default) or M-bM-^@M-^\askM-bM-^@M-^]. Enabling this option
878 allows learning alternate hostkeys for a server and supports
879 graceful key rotation by allowing a server to send replacement
880 public keys before old ones are removed. Additional hostkeys are
881 only accepted if the key used to authenticate the host was
882 already trusted or explicity accepted by the user. If
883 UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm
884 the modifications to the known_hosts file. Confirmation is
885 currently incompatible with ControlPersist, and will be disabled
886 if it is enabled.
887
888 Presently, only sshd(8) from OpenSSH 6.8 and greater support the
889 M-bM-^@M-^\hostkeys@openssh.comM-bM-^@M-^] protocol extension used to inform the
890 client of all the server's hostkeys.
840 891
841 UsePrivilegedPort 892 UsePrivilegedPort
842 Specifies whether to use a privileged port for outgoing 893 Specifies whether to use a privileged port for outgoing
843 connections. The argument must be ``yes'' or ``no''. The 894 connections. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is
844 default is ``no''. If set to ``yes'', ssh(1) must be setuid 895 M-bM-^@M-^\noM-bM-^@M-^]. If set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) must be setuid root. Note that
845 root. Note that this option must be set to ``yes'' for 896 this option must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with
846 RhostsRSAAuthentication with older servers. 897 older servers.
847 898
848 User Specifies the user to log in as. This can be useful when a 899 User Specifies the user to log in as. This can be useful when a
849 different user name is used on different machines. This saves 900 different user name is used on different machines. This saves
@@ -857,35 +908,35 @@ DESCRIPTION
857 908
858 VerifyHostKeyDNS 909 VerifyHostKeyDNS
859 Specifies whether to verify the remote key using DNS and SSHFP 910 Specifies whether to verify the remote key using DNS and SSHFP
860 resource records. If this option is set to ``yes'', the client 911 resource records. If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], the client
861 will implicitly trust keys that match a secure fingerprint from 912 will implicitly trust keys that match a secure fingerprint from
862 DNS. Insecure fingerprints will be handled as if this option was 913 DNS. Insecure fingerprints will be handled as if this option was
863 set to ``ask''. If this option is set to ``ask'', information on 914 set to M-bM-^@M-^\askM-bM-^@M-^]. If this option is set to M-bM-^@M-^\askM-bM-^@M-^], information on
864 fingerprint match will be displayed, but the user will still need 915 fingerprint match will be displayed, but the user will still need
865 to confirm new host keys according to the StrictHostKeyChecking 916 to confirm new host keys according to the StrictHostKeyChecking
866 option. The argument must be ``yes'', ``no'', or ``ask''. The 917 option. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\askM-bM-^@M-^]. The default
867 default is ``no''. Note that this option applies to protocol 918 is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2
868 version 2 only. 919 only.
869 920
870 See also VERIFYING HOST KEYS in ssh(1). 921 See also VERIFYING HOST KEYS in ssh(1).
871 922
872 VisualHostKey 923 VisualHostKey
873 If this flag is set to ``yes'', an ASCII art representation of 924 If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], an ASCII art representation of the
874 the remote host key fingerprint is printed in addition to the hex 925 remote host key fingerprint is printed in addition to the
875 fingerprint string at login and for unknown host keys. If this 926 fingerprint string at login and for unknown host keys. If this
876 flag is set to ``no'', no fingerprint strings are printed at 927 flag is set to M-bM-^@M-^\noM-bM-^@M-^], no fingerprint strings are printed at login
877 login and only the hex fingerprint string will be printed for 928 and only the fingerprint string will be printed for unknown host
878 unknown host keys. The default is ``no''. 929 keys. The default is M-bM-^@M-^\noM-bM-^@M-^].
879 930
880 XAuthLocation 931 XAuthLocation
881 Specifies the full pathname of the xauth(1) program. The default 932 Specifies the full pathname of the xauth(1) program. The default
882 is /usr/X11R6/bin/xauth. 933 is /usr/X11R6/bin/xauth.
883 934
884PATTERNS 935PATTERNS
885 A pattern consists of zero or more non-whitespace characters, `*' (a 936 A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a
886 wildcard that matches zero or more characters), or `?' (a wildcard that 937 wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that
887 matches exactly one character). For example, to specify a set of 938 matches exactly one character). For example, to specify a set of
888 declarations for any host in the ``.co.uk'' set of domains, the following 939 declarations for any host in the M-bM-^@M-^\.co.ukM-bM-^@M-^] set of domains, the following
889 pattern could be used: 940 pattern could be used:
890 941
891 Host *.co.uk 942 Host *.co.uk
@@ -897,8 +948,8 @@ PATTERNS
897 948
898 A pattern-list is a comma-separated list of patterns. Patterns within 949 A pattern-list is a comma-separated list of patterns. Patterns within
899 pattern-lists may be negated by preceding them with an exclamation mark 950 pattern-lists may be negated by preceding them with an exclamation mark
900 (`!'). For example, to allow a key to be used from anywhere within an 951 (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an
901 organization except from the ``dialup'' pool, the following entry (in 952 organization except from the M-bM-^@M-^\dialupM-bM-^@M-^] pool, the following entry (in
902 authorized_keys) could be used: 953 authorized_keys) could be used:
903 954
904 from="!*.dialup.example.com,*.example.com" 955 from="!*.dialup.example.com,*.example.com"
@@ -927,4 +978,4 @@ AUTHORS
927 created OpenSSH. Markus Friedl contributed the support for SSH protocol 978 created OpenSSH. Markus Friedl contributed the support for SSH protocol
928 versions 1.5 and 2.0. 979 versions 1.5 and 2.0.
929 980
930OpenBSD 5.6 July 15, 2014 OpenBSD 5.6 981OpenBSD 5.7 February 20, 2015 OpenBSD 5.7