author: Colin Watson <cjwatson@debian.org> 2007-06-12 16:16:35 +0000
committer: Colin Watson <cjwatson@debian.org> 2007-06-12 16:16:35 +0000
commit: b7e40fa9da0b5491534a429dadb321eab5a77558 (patch)
tree: bed1da11e9f829925797aa093e379fc0b5868ecd /ssh_config.5
parent: 4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff)
parent: 086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff)
* New upstream release (closes: #395507, #397961, #420035). Important
  changes not previously backported to 4.3p2:
  - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
    + On portable OpenSSH, fix a GSSAPI authentication abort that could be
      used to determine the validity of usernames on some platforms.
    + Implemented conditional configuration in sshd_config(5) using the
      "Match" directive. This allows some configuration options to be
      selectively overridden if specific criteria (based on user, group,
      hostname and/or address) are met. So far a useful subset of
      post-authentication options are supported and more are expected to
      be added in future releases.
    + Add support for Diffie-Hellman group exchange key agreement with a
      final hash of SHA256.
    + Added a "ForceCommand" directive to sshd_config(5). Similar to the
      command="..." option accepted in ~/.ssh/authorized_keys, this forces
      the execution of the specified command regardless of what the user
      requested. This is very useful in conjunction with the new "Match"
      option.
    + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
      permitopen="..." authorized_keys option, allowing fine-grained
      control over the port-forwardings that a user is allowed to
      establish.
    + Add optional logging of transactions to sftp-server(8).
    + ssh(1) will now record port numbers for hosts stored in
      ~/.ssh/known_hosts when a non-standard port has been requested
      (closes: #50612).
    + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
      non-zero exit code) when requested port forwardings could not be
      established.
    + Extend sshd_config(5) "SubSystem" declarations to allow the
      specification of command-line arguments.
    + Replacement of all integer overflow susceptible invocations of
      malloc(3) and realloc(3) with overflow-checking equivalents.
    + Many manpage fixes and improvements.
    + Add optional support for OpenSSL hardware accelerators (engines),
      enabled using the --with-ssl-engine configure option.
    + Tokens in configuration files may be double-quoted in order to
      contain spaces (closes: #319639).
    + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
      session exits very quickly (closes: #307890).
    + Fix some incorrect buffer allocation calculations (closes: #410599).
    + ssh-add doesn't ask for a passphrase if key file permissions are too
      liberal (closes: #103677).
    + Likewise, ssh doesn't ask either (closes: #99675).
  - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
    + sshd now allows the enabling and disabling of authentication methods
      on a per user, group, host and network basis via the Match directive
      in sshd_config.
    + Fixed an inconsistent check for a terminal when displaying scp
      progress meter (closes: #257524).
    + Fix "hang on exit" when background processes are running at the time
      of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
  http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
  install ChangeLog.gssapi.
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 | 325
1 files changed, 211 insertions, 114 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 979f9282f..4c46c62cb 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $ 37.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH_CONFIG 5 39.Dt SSH_CONFIG 5
40.Os 40.Os
@@ -42,14 +42,13 @@
42.Nm ssh_config 42.Nm ssh_config
43.Nd OpenSSH SSH client configuration files 43.Nd OpenSSH SSH client configuration files
44.Sh SYNOPSIS 44.Sh SYNOPSIS
45.Bl -tag -width Ds -compact 45.Nm ~/.ssh/config
46.It Pa ~/.ssh/config 46.Nm /etc/ssh/ssh_config
47.It Pa /etc/ssh/ssh_config
48.El
49.Sh DESCRIPTION 47.Sh DESCRIPTION
50.Nm ssh 48.Xr ssh 1
51obtains configuration data from the following sources in 49obtains configuration data from the following sources in
52the following order: 50the following order:
51.Pp
53.Bl -enum -offset indent -compact 52.Bl -enum -offset indent -compact
54.It 53.It
55command-line options 54command-line options
@@ -78,7 +77,6 @@ The configuration file has the following format:
78Empty lines and lines starting with 77Empty lines and lines starting with
79.Ql # 78.Ql #
80are comments. 79are comments.
81.Pp
82Otherwise a line is of the format 80Otherwise a line is of the format
83.Dq keyword arguments . 81.Dq keyword arguments .
84Configuration options may be separated by whitespace or 82Configuration options may be separated by whitespace or
@@ -87,11 +85,14 @@ optional whitespace and exactly one
87the latter format is useful to avoid the need to quote whitespace 85the latter format is useful to avoid the need to quote whitespace
88when specifying configuration options using the 86when specifying configuration options using the
89.Nm ssh , 87.Nm ssh ,
90.Nm scp 88.Nm scp ,
91and 89and
92.Nm sftp 90.Nm sftp
93.Fl o 91.Fl o
94option. 92option.
93Arguments may optionally be enclosed in double quotes
94.Pq \&"
95in order to represent arguments containing spaces.
95.Pp 96.Pp
96The possible 97The possible
97keywords and their meanings are as follows (note that 98keywords and their meanings are as follows (note that
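Review bot: the new sentence at new lines 93-95 documents that arguments may be enclosed in double quotes to carry spaces, but it does not say whether a literal double quote can appear inside a quoted argument, or what happens to an unterminated quote. Someone writing a ProxyCommand or LocalCommand with embedded quotes will need that rule; suggest adding one sentence stating it, in the same paragraph.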
@@ -102,25 +103,24 @@ Restricts the following declarations (up to the next
102.Cm Host 103.Cm Host
103keyword) to be only for those hosts that match one of the patterns 104keyword) to be only for those hosts that match one of the patterns
104given after the keyword. 105given after the keyword.
105.Ql \&*
106and
107.Ql \&?
108can be used as wildcards in the
109patterns.
110A single 106A single
111.Ql \&* 107.Ql *
112as a pattern can be used to provide global 108as a pattern can be used to provide global
113defaults for all hosts. 109defaults for all hosts.
114The host is the 110The host is the
115.Ar hostname 111.Ar hostname
116argument given on the command line (i.e., the name is not converted to 112argument given on the command line (i.e. the name is not converted to
117a canonicalized host name before matching). 113a canonicalized host name before matching).
114.Pp
115See
116.Sx PATTERNS
117for more information on patterns.
118.It Cm AddressFamily 118.It Cm AddressFamily
119Specifies which address family to use when connecting. 119Specifies which address family to use when connecting.
120Valid arguments are 120Valid arguments are
121.Dq any , 121.Dq any ,
122.Dq inet 122.Dq inet
123(use IPv4 only) or 123(use IPv4 only), or
124.Dq inet6 124.Dq inet6
125(use IPv6 only). 125(use IPv6 only).
126.It Cm BatchMode 126.It Cm BatchMode
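Review bot: the removed explanation of the `*` and `?` wildcards (old lines 105-109) is replaced by a cross-reference to a PATTERNS section at new lines 114-117, but no hunk in this diff adds such a section. Confirm that PATTERNS exists in the resulting file before this lands, otherwise the `.Sx` reference renders as a dangling link and the Host keyword loses its only description of the wildcard syntax.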
@@ -134,8 +134,7 @@ and
134options will both be set to 300 seconds by default. 134options will both be set to 300 seconds by default.
135This option is useful in scripts and other batch jobs where no user 135This option is useful in scripts and other batch jobs where no user
136is present to supply the password, 136is present to supply the password,
137and where it is desirable to detect a 137and where it is desirable to detect a broken network swiftly.
138broken network swiftly.
139The argument must be 138The argument must be
140.Dq yes 139.Dq yes
141or 140or
@@ -151,7 +150,7 @@ Note that this option does not work if
151is set to 150is set to
152.Dq yes . 151.Dq yes .
153.It Cm ChallengeResponseAuthentication 152.It Cm ChallengeResponseAuthentication
154Specifies whether to use challenge response authentication. 153Specifies whether to use challenge-response authentication.
155The argument to this keyword must be 154The argument to this keyword must be
156.Dq yes 155.Dq yes
157or 156or
@@ -161,7 +160,8 @@ The default is
161.It Cm CheckHostIP 160.It Cm CheckHostIP
162If this flag is set to 161If this flag is set to
163.Dq yes , 162.Dq yes ,
164ssh will additionally check the host IP address in the 163.Xr ssh 1
164will additionally check the host IP address in the
165.Pa known_hosts 165.Pa known_hosts
166file. 166file.
167This allows ssh to detect if a host key changed due to DNS spoofing. 167This allows ssh to detect if a host key changed due to DNS spoofing.
@@ -181,7 +181,7 @@ and
181are supported. 181are supported.
182.Ar des 182.Ar des
183is only supported in the 183is only supported in the
184.Nm ssh 184.Xr ssh 1
185client for interoperability with legacy protocol 1 implementations 185client for interoperability with legacy protocol 1 implementations
186that do not support the 186that do not support the
187.Ar 3des 187.Ar 3des
@@ -207,18 +207,18 @@ The supported ciphers are
207.Dq blowfish-cbc , 207.Dq blowfish-cbc ,
208and 208and
209.Dq cast128-cbc . 209.Dq cast128-cbc .
210The default is 210The default is:
211.Bd -literal 211.Bd -literal -offset 3n
212 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 212aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
213 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 213arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
214 aes192-ctr,aes256-ctr'' 214aes192-ctr,aes256-ctr
215.Ed 215.Ed
216.It Cm ClearAllForwardings 216.It Cm ClearAllForwardings
217Specifies that all local, remote and dynamic port forwardings 217Specifies that all local, remote, and dynamic port forwardings
218specified in the configuration files or on the command line be 218specified in the configuration files or on the command line be
219cleared. 219cleared.
220This option is primarily useful when used from the 220This option is primarily useful when used from the
221.Nm ssh 221.Xr ssh 1
222command line to clear port forwardings set in 222command line to clear port forwardings set in
223configuration files, and is automatically set by 223configuration files, and is automatically set by
224.Xr scp 1 224.Xr scp 1
@@ -251,15 +251,15 @@ The argument must be an integer.
251This may be useful in scripts if the connection sometimes fails. 251This may be useful in scripts if the connection sometimes fails.
252The default is 1. 252The default is 1.
253.It Cm ConnectTimeout 253.It Cm ConnectTimeout
254Specifies the timeout (in seconds) used when connecting to the ssh 254Specifies the timeout (in seconds) used when connecting to the
255server, instead of using the default system TCP timeout. 255SSH server, instead of using the default system TCP timeout.
256This value is used only when the target is down or really unreachable, 256This value is used only when the target is down or really unreachable,
257not when it refuses the connection. 257not when it refuses the connection.
258.It Cm ControlMaster 258.It Cm ControlMaster
259Enables the sharing of multiple sessions over a single network connection. 259Enables the sharing of multiple sessions over a single network connection.
260When set to 260When set to
261.Dq yes 261.Dq yes ,
262.Nm ssh 262.Xr ssh 1
263will listen for connections on a control socket specified using the 263will listen for connections on a control socket specified using the
264.Cm ControlPath 264.Cm ControlPath
265argument. 265argument.
@@ -276,8 +276,7 @@ if the control socket does not exist, or is not listening.
276.Pp 276.Pp
277Setting this to 277Setting this to
278.Dq ask 278.Dq ask
279will cause 279will cause ssh
280.Nm ssh
281to listen for control connections, but require confirmation using the 280to listen for control connections, but require confirmation using the
282.Ev SSH_ASKPASS 281.Ev SSH_ASKPASS
283program before they are accepted (see 282program before they are accepted (see
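Review bot: a style point on new line 279: "will cause ssh" folds the program name into running text, while the same diff elsewhere (for example new lines 163 and 262) changes `.Nm ssh` to `.Xr ssh 1`. Pick one convention for repeat mentions within a paragraph, or the rendered page will alternate between a cross-referenced and a bare "ssh" in adjacent sentences.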
@@ -285,9 +284,8 @@ program before they are accepted (see
285for details). 284for details).
286If the 285If the
287.Cm ControlPath 286.Cm ControlPath
288can not be opened, 287cannot be opened,
289.Nm ssh 288ssh will continue without connecting to a master instance.
290will continue without connecting to a master instance.
291.Pp 289.Pp
292X11 and 290X11 and
293.Xr ssh-agent 1 291.Xr ssh-agent 1
@@ -313,16 +311,18 @@ section above or the string
313.Dq none 311.Dq none
314to disable connection sharing. 312to disable connection sharing.
315In the path, 313In the path,
314.Ql %l
315will be substituted by the local host name,
316.Ql %h 316.Ql %h
317will be substituted by the target host name, 317will be substituted by the target host name,
318.Ql %p 318.Ql %p
319the port and 319the port, and
320.Ql %r 320.Ql %r
321by the remote login username. 321by the remote login username.
322It is recommended that any 322It is recommended that any
323.Cm ControlPath 323.Cm ControlPath
324used for opportunistic connection sharing include 324used for opportunistic connection sharing include
325all three of these escape sequences. 325at least %h, %p, and %r.
326This ensures that shared connections are uniquely identified. 326This ensures that shared connections are uniquely identified.
327.It Cm DynamicForward 327.It Cm DynamicForward
328Specifies that a TCP port on the local machine be forwarded 328Specifies that a TCP port on the local machine be forwarded
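Review bot: new lines 314-315 add `%l` (local host name) to the ControlPath escapes, but the recommendation at new line 325 still asks only for `%h`, `%p`, and `%r`. This page elsewhere considers home directories that are shared across machines (NoHostAuthenticationForLocalhost); a socket path without `%l` resolves to the same file on every machine sharing that home directory, so two clients on different hosts would contend for one control socket. Suggest either adding `%l` to the recommended set or saying when it is needed.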
@@ -353,7 +353,7 @@ empty address or
353indicates that the port should be available from all interfaces. 353indicates that the port should be available from all interfaces.
354.Pp 354.Pp
355Currently the SOCKS4 and SOCKS5 protocols are supported, and 355Currently the SOCKS4 and SOCKS5 protocols are supported, and
356.Nm ssh 356.Xr ssh 1
357will act as a SOCKS server. 357will act as a SOCKS server.
358Multiple forwardings may be specified, and 358Multiple forwardings may be specified, and
359additional forwardings can be given on the command line. 359additional forwardings can be given on the command line.
@@ -389,6 +389,17 @@ followed by a letter, or
389to disable the escape 389to disable the escape
390character entirely (making the connection transparent for binary 390character entirely (making the connection transparent for binary
391data). 391data).
392.It Cm ExitOnForwardFailure
393Specifies whether
394.Xr ssh 1
395should terminate the connection if it cannot set up all requested
396dynamic, local, and remote port forwardings.
397The argument must be
398.Dq yes
399or
400.Dq no .
401The default is
402.Dq no .
392.It Cm ForwardAgent 403.It Cm ForwardAgent
393Specifies whether the connection to the authentication agent (if any) 404Specifies whether the connection to the authentication agent (if any)
394will be forwarded to the remote machine. 405will be forwarded to the remote machine.
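Review bot: the new ExitOnForwardFailure text at new lines 392-402 says ssh "should terminate the connection" but does not say that it exits with non-zero status, which is the behaviour the commit message describes ("exit (with a non-zero exit code)"). Scripts are the main consumer of this option, so the exit status is the detail worth documenting; suggest adding it to the first sentence.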
@@ -428,12 +439,12 @@ if the
428option is also enabled. 439option is also enabled.
429.It Cm ForwardX11Trusted 440.It Cm ForwardX11Trusted
430If this option is set to 441If this option is set to
431.Dq yes 442.Dq yes ,
432then remote X11 clients will have full access to the original X11 display. 443remote X11 clients will have full access to the original X11 display.
433.Pp 444.Pp
434If this option is set to 445If this option is set to
435.Dq no 446.Dq no ,
436then remote X11 clients will be considered untrusted and prevented 447remote X11 clients will be considered untrusted and prevented
437from stealing or tampering with data belonging to trusted X11 448from stealing or tampering with data belonging to trusted X11
438clients. 449clients.
439Furthermore, the 450Furthermore, the
@@ -451,12 +462,11 @@ the restrictions imposed on untrusted clients.
451Specifies whether remote hosts are allowed to connect to local 462Specifies whether remote hosts are allowed to connect to local
452forwarded ports. 463forwarded ports.
453By default, 464By default,
454.Nm ssh 465.Xr ssh 1
455binds local port forwardings to the loopback address. 466binds local port forwardings to the loopback address.
456This prevents other remote hosts from connecting to forwarded ports. 467This prevents other remote hosts from connecting to forwarded ports.
457.Cm GatewayPorts 468.Cm GatewayPorts
458can be used to specify that 469can be used to specify that ssh
459.Nm ssh
460should bind local port forwardings to the wildcard address, 470should bind local port forwardings to the wildcard address,
461thus allowing remote hosts to connect to forwarded ports. 471thus allowing remote hosts to connect to forwarded ports.
462The argument must be 472The argument must be
@@ -474,6 +484,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
474The default is 484The default is
475.Dq no . 485.Dq no .
476Note that this option applies to protocol version 2 only. 486Note that this option applies to protocol version 2 only.
487.It Cm GSSAPIKeyExchange
488Specifies whether key exchange based on GSSAPI may be used. When using
489GSSAPI key exchange the server need not have a host key.
490The default is
491.Dq no .
492Note that this option applies to protocol version 2 only.
477.It Cm GSSAPIDelegateCredentials 493.It Cm GSSAPIDelegateCredentials
478Forward (delegate) credentials to the server. 494Forward (delegate) credentials to the server.
479The default is 495The default is
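Review bot: GSSAPIKeyExchange (new lines 487-492) is inserted between GSSAPIAuthentication and GSSAPIDelegateCredentials, which breaks the alphabetical order the file keeps; it belongs after GSSAPIDelegateCredentials. New line 488 also places two sentences on one line, against the one-sentence-per-line style used throughout the page. More importantly, "the server need not have a host key" leaves the reader guessing what stands in for host key verification when this is enabled; one sentence on how it interacts with the known_hosts checks documented under CheckHostIP and StrictHostKeyChecking would make the trust model clear.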
@@ -481,29 +497,31 @@ The default is
481Note that this option applies to protocol version 2 only. 497Note that this option applies to protocol version 2 only.
482.It Cm GSSAPITrustDns 498.It Cm GSSAPITrustDns
483Set to 499Set to
484.Dq yes to indicate that the DNS is trusted to securely canonicalize 500.Dq yes
501to indicate that the DNS is trusted to securely canonicalize
485the name of the host being connected to. If 502the name of the host being connected to. If
486.Dq no, the hostname entered on the 503.Dq no ,
504the hostname entered on the
487command line will be passed untouched to the GSSAPI library. 505command line will be passed untouched to the GSSAPI library.
488The default is 506The default is
489.Dq no . 507.Dq no .
490This option only applies to protocol version 2 connections using GSSAPI 508This option only applies to protocol version 2 connections using GSSAPI.
491key exchange.
492.It Cm HashKnownHosts 509.It Cm HashKnownHosts
493Indicates that 510Indicates that
494.Nm ssh 511.Xr ssh 1
495should hash host names and addresses when they are added to 512should hash host names and addresses when they are added to
496.Pa ~/.ssh/known_hosts . 513.Pa ~/.ssh/known_hosts .
497These hashed names may be used normally by 514These hashed names may be used normally by
498.Nm ssh 515.Xr ssh 1
499and 516and
500.Nm sshd , 517.Xr sshd 8 ,
501but they do not reveal identifying information should the file's contents 518but they do not reveal identifying information should the file's contents
502be disclosed. 519be disclosed.
503The default is 520The default is
504.Dq no . 521.Dq no .
505Note that hashing of names and addresses will not be retrospectively applied 522Note that existing names and addresses in known hosts files
506to existing known hosts files, but these may be manually hashed using 523will not be converted automatically,
524but may be manually hashed using
507.Xr ssh-keygen 1 . 525.Xr ssh-keygen 1 .
508.It Cm HostbasedAuthentication 526.It Cm HostbasedAuthentication
509Specifies whether to try rhosts based authentication with public key 527Specifies whether to try rhosts based authentication with public key
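Review bot: new line 508 broadens the scope sentence of GSSAPITrustDns from "connections using GSSAPI key exchange" to "connections using GSSAPI". If the option now also affects GSSAPI authentication (this diff adds gssapi-with-mic to the PreferredAuthentications default), say so explicitly, since trusting DNS here decides which host name is handed to the GSSAPI library. Also, new line 502 still starts the "If" sentence mid-line; split it as the other sentences in this hunk were.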
@@ -526,30 +544,29 @@ The default for this option is:
526Specifies an alias that should be used instead of the 544Specifies an alias that should be used instead of the
527real host name when looking up or saving the host key 545real host name when looking up or saving the host key
528in the host key database files. 546in the host key database files.
529This option is useful for tunneling ssh connections 547This option is useful for tunneling SSH connections
530or for multiple servers running on a single host. 548or for multiple servers running on a single host.
531.It Cm HostName 549.It Cm HostName
532Specifies the real host name to log into. 550Specifies the real host name to log into.
533This can be used to specify nicknames or abbreviations for hosts. 551This can be used to specify nicknames or abbreviations for hosts.
534Default is the name given on the command line. 552The default is the name given on the command line.
535Numeric IP addresses are also permitted (both on the command line and in 553Numeric IP addresses are also permitted (both on the command line and in
536.Cm HostName 554.Cm HostName
537specifications). 555specifications).
538.It Cm IdentitiesOnly 556.It Cm IdentitiesOnly
539Specifies that 557Specifies that
540.Nm ssh 558.Xr ssh 1
541should only use the authentication identity files configured in the 559should only use the authentication identity files configured in the
542.Nm 560.Nm
543files, 561files,
544even if the 562even if
545.Nm ssh-agent 563.Xr ssh-agent 1
546offers more identities. 564offers more identities.
547The argument to this keyword must be 565The argument to this keyword must be
548.Dq yes 566.Dq yes
549or 567or
550.Dq no . 568.Dq no .
551This option is intended for situations where 569This option is intended for situations where ssh-agent
552.Nm ssh-agent
553offers many different identities. 570offers many different identities.
554The default is 571The default is
555.Dq no . 572.Dq no .
@@ -565,8 +582,21 @@ and
565for protocol version 2. 582for protocol version 2.
566Additionally, any identities represented by the authentication agent 583Additionally, any identities represented by the authentication agent
567will be used for authentication. 584will be used for authentication.
585.Pp
568The file name may use the tilde 586The file name may use the tilde
569syntax to refer to a user's home directory. 587syntax to refer to a user's home directory or one of the following
588escape characters:
589.Ql %d
590(local user's home directory),
591.Ql %u
592(local user name),
593.Ql %l
594(local host name),
595.Ql %h
596(remote host name) or
597.Ql %r
598(remote user name).
599.Pp
570It is possible to have 600It is possible to have
571multiple identity files specified in configuration files; all these 601multiple identity files specified in configuration files; all these
572identities will be tried in sequence. 602identities will be tried in sequence.
@@ -574,6 +604,13 @@ identities will be tried in sequence.
574Specifies the list of methods to use in keyboard-interactive authentication. 604Specifies the list of methods to use in keyboard-interactive authentication.
575Multiple method names must be comma-separated. 605Multiple method names must be comma-separated.
576The default is to use the server specified list. 606The default is to use the server specified list.
607The methods available vary depending on what the server supports.
608For an OpenSSH server,
609it may be zero or more of:
610.Dq bsdauth ,
611.Dq pam ,
612and
613.Dq skey .
577.It Cm LocalCommand 614.It Cm LocalCommand
578Specifies a command to execute on the local machine after successfully 615Specifies a command to execute on the local machine after successfully
579connecting to the server. 616connecting to the server.
@@ -615,9 +652,9 @@ empty address or
615indicates that the port should be available from all interfaces. 652indicates that the port should be available from all interfaces.
616.It Cm LogLevel 653.It Cm LogLevel
617Gives the verbosity level that is used when logging messages from 654Gives the verbosity level that is used when logging messages from
618.Nm ssh . 655.Xr ssh 1 .
619The possible values are: 656The possible values are:
620QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. 657QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
621The default is INFO. 658The default is INFO.
622DEBUG and DEBUG1 are equivalent. 659DEBUG and DEBUG1 are equivalent.
623DEBUG2 and DEBUG3 each specify higher levels of verbose output. 660DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -627,7 +664,7 @@ in order of preference.
627The MAC algorithm is used in protocol version 2 664The MAC algorithm is used in protocol version 2
628for data integrity protection. 665for data integrity protection.
629Multiple algorithms must be comma-separated. 666Multiple algorithms must be comma-separated.
630The default is 667The default is:
631.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . 668.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
632.It Cm NoHostAuthenticationForLocalhost 669.It Cm NoHostAuthenticationForLocalhost
633This option can be used if the home directory is shared across machines. 670This option can be used if the home directory is shared across machines.
@@ -642,7 +679,7 @@ The default is to check the host key for localhost.
642.It Cm NumberOfPasswordPrompts 679.It Cm NumberOfPasswordPrompts
643Specifies the number of password prompts before giving up. 680Specifies the number of password prompts before giving up.
644The argument to this keyword must be an integer. 681The argument to this keyword must be an integer.
645Default is 3. 682The default is 3.
646.It Cm PasswordAuthentication 683.It Cm PasswordAuthentication
647Specifies whether to use password authentication. 684Specifies whether to use password authentication.
648The argument to this keyword must be 685The argument to this keyword must be
@@ -666,7 +703,7 @@ The default is
666.Dq no . 703.Dq no .
667.It Cm Port 704.It Cm Port
668Specifies the port number to connect on the remote host. 705Specifies the port number to connect on the remote host.
669Default is 22. 706The default is 22.
670.It Cm PreferredAuthentications 707.It Cm PreferredAuthentications
671Specifies the order in which the client should try protocol 2 708Specifies the order in which the client should try protocol 2
672authentication methods. 709authentication methods.
@@ -675,20 +712,24 @@ This allows a client to prefer one method (e.g.\&
675over another method (e.g.\& 712over another method (e.g.\&
676.Cm password ) 713.Cm password )
677The default for this option is: 714The default for this option is:
678.Dq hostbased,publickey,keyboard-interactive,password . 715.Do gssapi-with-mic ,
716hostbased,
717publickey,
718keyboard-interactive,
719password
720.Dc .
679.It Cm Protocol 721.It Cm Protocol
680Specifies the protocol versions 722Specifies the protocol versions
681.Nm ssh 723.Xr ssh 1
682should support in order of preference. 724should support in order of preference.
683The possible values are 725The possible values are
684.Dq 1 726.Sq 1
685and 727and
686.Dq 2 . 728.Sq 2 .
687Multiple versions must be comma-separated. 729Multiple versions must be comma-separated.
688The default is 730The default is
689.Dq 2,1 . 731.Dq 2,1 .
690This means that 732This means that ssh
691.Nm ssh
692tries version 2 and falls back to version 1 733tries version 2 and falls back to version 1
693if version 2 is not available. 734if version 2 is not available.
694.It Cm ProxyCommand 735.It Cm ProxyCommand
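Review bot: the new PreferredAuthentications default at new lines 715-720 puts gssapi-with-mic first. That comes from the GSSAPI patch named in the commit message, not from upstream, so it should be marked the way the file marks other local changes ("This is a Debian-specific option." appears in the context at line 934); otherwise readers comparing against upstream documentation will see a different default with no explanation.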
@@ -746,9 +787,9 @@ or
746.Sq G 787.Sq G
747to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 788to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
748The default is between 789The default is between
749.Dq 1G 790.Sq 1G
750and 791and
751.Dq 4G , 792.Sq 4G ,
752depending on the cipher. 793depending on the cipher.
753This option applies to protocol version 2 only. 794This option applies to protocol version 2 only.
754.It Cm RemoteForward 795.It Cm RemoteForward
@@ -794,7 +835,7 @@ or
794The default is 835The default is
795.Dq no . 836.Dq no .
796This option applies to protocol version 1 only and requires 837This option applies to protocol version 1 only and requires
797.Nm ssh 838.Xr ssh 1
798to be setuid root. 839to be setuid root.
799.It Cm RSAAuthentication 840.It Cm RSAAuthentication
800Specifies whether to try RSA authentication. 841Specifies whether to try RSA authentication.
@@ -812,31 +853,31 @@ Note that this option applies to protocol version 1 only.
812Specifies what variables from the local 853Specifies what variables from the local
813.Xr environ 7 854.Xr environ 7
814should be sent to the server. 855should be sent to the server.
815Note that environment passing is only supported for protocol 2, the 856Note that environment passing is only supported for protocol 2.
816server must also support it, and the server must be configured to 857The server must also support it, and the server must be configured to
817accept these environment variables. 858accept these environment variables.
818Refer to 859Refer to
819.Cm AcceptEnv 860.Cm AcceptEnv
820in 861in
821.Xr sshd_config 5 862.Xr sshd_config 5
822for how to configure the server. 863for how to configure the server.
823Variables are specified by name, which may contain the wildcard characters 864Variables are specified by name, which may contain wildcard characters.
824.Ql \&*
825and
826.Ql \&? .
827Multiple environment variables may be separated by whitespace or spread 865Multiple environment variables may be separated by whitespace or spread
828across multiple 866across multiple
829.Cm SendEnv 867.Cm SendEnv
830directives. 868directives.
831The default is not to send any environment variables. 869The default is not to send any environment variables.
870.Pp
871See
872.Sx PATTERNS
873for more information on patterns.
832.It Cm ServerAliveCountMax 874.It Cm ServerAliveCountMax
833Sets the number of server alive messages (see below) which may be 875Sets the number of server alive messages (see below) which may be
834sent without 876sent without
835.Nm ssh 877.Xr ssh 1
836receiving any messages back from the server. 878receiving any messages back from the server.
837If this threshold is reached while server alive messages are being sent, 879If this threshold is reached while server alive messages are being sent,
838.Nm ssh 880ssh will disconnect from the server, terminating the session.
839will disconnect from the server, terminating the session.
840It is important to note that the use of server alive messages is very 881It is important to note that the use of server alive messages is very
841different from 882different from
842.Cm TCPKeepAlive 883.Cm TCPKeepAlive
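Review bot: new line 864 drops the names of the wildcard characters (`*` and `?`, old lines 824-826) from SendEnv and relies entirely on the PATTERNS cross-reference at new lines 870-873, so a reader of this entry alone no longer learns what "wildcard characters" means; keep a short mention inline. It would also help to state that a wildcard pattern matches every local variable whose name fits it, since a broad pattern forwards more of the local environ(7) to the server than the author may intend.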
@@ -852,18 +893,18 @@ server depend on knowing when a connection has become inactive.
852The default value is 3. 893The default value is 3.
853If, for example, 894If, for example,
854.Cm ServerAliveInterval 895.Cm ServerAliveInterval
855(see below) is set to 15, and 896(see below) is set to 15 and
856.Cm ServerAliveCountMax 897.Cm ServerAliveCountMax
857is left at the default, if the server becomes unresponsive ssh 898is left at the default, if the server becomes unresponsive,
858will disconnect after approximately 45 seconds. 899ssh will disconnect after approximately 45 seconds.
859This option works when using protocol version 2 only; in protocol version 900This option applies to protocol version 2 only; in protocol version
8601 there is no mechanism to request a response from the server to the 9011 there is no mechanism to request a response from the server to the
861server alive messages, so disconnection is the responsibility of the TCP 902server alive messages, so disconnection is the responsibility of the TCP
862stack. 903stack.
863.It Cm ServerAliveInterval 904.It Cm ServerAliveInterval
864Sets a timeout interval in seconds after which if no data has been received 905Sets a timeout interval in seconds after which if no data has been received
865from the server, 906from the server,
866.Nm ssh 907.Xr ssh 1
867will send a message through the encrypted 908will send a message through the encrypted
868channel to request a response from the server. 909channel to request a response from the server.
869The default 910The default
@@ -894,41 +935,39 @@ This is a Debian-specific option.
894.It Cm SmartcardDevice 935.It Cm SmartcardDevice
895Specifies which smartcard device to use. 936Specifies which smartcard device to use.
896The argument to this keyword is the device 937The argument to this keyword is the device
897.Nm ssh 938.Xr ssh 1
898should use to communicate with a smartcard used for storing the user's 939should use to communicate with a smartcard used for storing the user's
899private RSA key. 940private RSA key.
900By default, no device is specified and smartcard support is not activated. 941By default, no device is specified and smartcard support is not activated.
901.It Cm StrictHostKeyChecking 942.It Cm StrictHostKeyChecking
902If this flag is set to 943If this flag is set to
903.Dq yes , 944.Dq yes ,
904.Nm ssh 945.Xr ssh 1
905will never automatically add host keys to the 946will never automatically add host keys to the
906.Pa ~/.ssh/known_hosts 947.Pa ~/.ssh/known_hosts
907file, and refuses to connect to hosts whose host key has changed. 948file, and refuses to connect to hosts whose host key has changed.
908This provides maximum protection against trojan horse attacks, 949This provides maximum protection against trojan horse attacks,
909however, can be annoying when the 950though it can be annoying when the
910.Pa /etc/ssh/ssh_known_hosts 951.Pa /etc/ssh/ssh_known_hosts
911file is poorly maintained, or connections to new hosts are 952file is poorly maintained or when connections to new hosts are
912frequently made. 953frequently made.
913This option forces the user to manually 954This option forces the user to manually
914add all new hosts. 955add all new hosts.
915If this flag is set to 956If this flag is set to
916.Dq no , 957.Dq no ,
917.Nm ssh 958ssh will automatically add new host keys to the
918will automatically add new host keys to the
919user known hosts files. 959user known hosts files.
920If this flag is set to 960If this flag is set to
921.Dq ask , 961.Dq ask ,
922new host keys 962new host keys
923will be added to the user known host files only after the user 963will be added to the user known host files only after the user
924has confirmed that is what they really want to do, and 964has confirmed that is what they really want to do, and
925.Nm ssh 965ssh will refuse to connect to hosts whose host key has changed.
926will refuse to connect to hosts whose host key has changed.
927The host keys of 966The host keys of
928known hosts will be verified automatically in all cases. 967known hosts will be verified automatically in all cases.
929The argument must be 968The argument must be
930.Dq yes , 969.Dq yes ,
931.Dq no 970.Dq no ,
932or 971or
933.Dq ask . 972.Dq ask .
934The default is 973The default is
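Review bot: inconsistent markup for the client name within this hunk: 945 rewrites `.Nm ssh` as `.Xr ssh 1`, but 958 and 965 fold the same `.Nm ssh` into bare text ("ssh will automatically add new host keys to the", "ssh will refuse to connect to hosts whose host key has changed"), so the rendered entry cross-references the client in one sentence and prints it plain in the next two. Suggest keeping `.Xr ssh 1` on its own line at 958 and 965 as at 945 (the same folding appears at 880 in the earlier hunk).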
@@ -957,24 +996,44 @@ This is important in scripts, and many users want it too.
957To disable TCP keepalive messages, the value should be set to 996To disable TCP keepalive messages, the value should be set to
958.Dq no . 997.Dq no .
959.It Cm Tunnel 998.It Cm Tunnel
960Request starting 999Request
961.Xr tun 4 1000.Xr tun 4
962device forwarding between the client and the server. 1001device forwarding between the client and the server.
963This option also allows requesting layer 2 (ethernet)
964instead of layer 3 (point-to-point) tunneling from the server.
965The argument must be 1002The argument must be
966.Dq yes , 1003.Dq yes ,
967.Dq point-to-point , 1004.Dq point-to-point
1005(layer 3),
968.Dq ethernet 1006.Dq ethernet
1007(layer 2),
969or 1008or
970.Dq no . 1009.Dq no .
1010Specifying
1011.Dq yes
1012requests the default tunnel mode, which is
1013.Dq point-to-point .
971The default is 1014The default is
972.Dq no . 1015.Dq no .
973.It Cm TunnelDevice 1016.It Cm TunnelDevice
974Force a specified 1017Specifies the
975.Xr tun 4 1018.Xr tun 4
976device on the client. 1019devices to open on the client
977Without this option, the next available device will be used. 1020.Pq Ar local_tun
1021and the server
1022.Pq Ar remote_tun .
1023.Pp
1024The argument must be
1025.Sm off
1026.Ar local_tun Op : Ar remote_tun .
1027.Sm on
1028The devices may be specified by numerical ID or the keyword
1029.Dq any ,
1030which uses the next available tunnel device.
1031If
1032.Ar remote_tun
1033is not specified, it defaults to
1034.Dq any .
1035The default is
1036.Dq any:any .
978.It Cm UsePrivilegedPort 1037.It Cm UsePrivilegedPort
979Specifies whether to use a privileged port for outgoing connections. 1038Specifies whether to use a privileged port for outgoing connections.
980The argument must be 1039The argument must be
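Review bot: 1028 says the tunnel devices "may be specified by numerical ID" without saying what the ID refers to; suggest "by numerical ID (the number of the tun(4) device to open)". Also, the removed 977 ("Without this option, the next available device will be used") stated the default more plainly than the bare `any:any` at 1035-1036; since 1029-1030 already define `any` as "the next available tunnel device", consider adding that the default opens the next available device on both the client and the server.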
@@ -984,8 +1043,8 @@ or
984The default is 1043The default is
985.Dq no . 1044.Dq no .
986If set to 1045If set to
987.Dq yes 1046.Dq yes ,
988.Nm ssh 1047.Xr ssh 1
989must be setuid root. 1048must be setuid root.
990Note that this option must be set to 1049Note that this option must be set to
991.Dq yes 1050.Dq yes
@@ -1018,12 +1077,17 @@ need to confirm new host keys according to the
1018option. 1077option.
1019The argument must be 1078The argument must be
1020.Dq yes , 1079.Dq yes ,
1021.Dq no 1080.Dq no ,
1022or 1081or
1023.Dq ask . 1082.Dq ask .
1024The default is 1083The default is
1025.Dq no . 1084.Dq no .
1026Note that this option applies to protocol version 2 only. 1085Note that this option applies to protocol version 2 only.
1086.Pp
1087See also
1088.Sx VERIFYING HOST KEYS
1089in
1090.Xr ssh 1 .
1027.It Cm XAuthLocation 1091.It Cm XAuthLocation
1028Specifies the full pathname of the 1092Specifies the full pathname of the
1029.Xr xauth 1 1093.Xr xauth 1
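Review bot: `.Sx` at 1088 is the mdoc macro for a section of the same manual page, but the target here is a section of ssh(1) (1089-1090), so the macro does not point at anything in ssh_config(5). Suggest plain text or `.Em` for the section title, e.g. "See also the VERIFYING HOST KEYS section in .Xr ssh 1 .", keeping the `.Xr` for the page reference.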
@@ -1031,14 +1095,47 @@ program.
1031The default is 1095The default is
1032.Pa /usr/X11R6/bin/xauth . 1096.Pa /usr/X11R6/bin/xauth .
1033.El 1097.El
1098.Sh PATTERNS
1099A
1100.Em pattern
1101consists of zero or more non-whitespace characters,
1102.Sq *
1103(a wildcard that matches zero or more characters),
1104or
1105.Sq ?\&
1106(a wildcard that matches exactly one character).
1107For example, to specify a set of declarations for any host in the
1108.Dq .co.uk
1109set of domains,
1110the following pattern could be used:
1111.Pp
1112.Dl Host *.co.uk
1113.Pp
1114The following pattern
1115would match any host in the 192.168.0.[0-9] network range:
1116.Pp
1117.Dl Host 192.168.0.?
1118.Pp
1119A
1120.Em pattern-list
1121is a comma-separated list of patterns.
1122Patterns within pattern-lists may be negated
1123by preceding them with an exclamation mark
1124.Pq Sq !\& .
1125For example,
1126to allow a key to be used from anywhere within an organisation
1127except from the
1128.Dq dialup
1129pool,
1130the following entry (in authorized_keys) could be used:
1131.Pp
1132.Dl from=\&"!*.dialup.example.com,*.example.com\&"
1034.Sh FILES 1133.Sh FILES
1035.Bl -tag -width Ds 1134.Bl -tag -width Ds
1036.It Pa ~/.ssh/config 1135.It Pa ~/.ssh/config
1037This is the per-user configuration file. 1136This is the per-user configuration file.
1038The format of this file is described above. 1137The format of this file is described above.
1039This file is used by the 1138This file is used by the SSH client.
1040.Nm ssh
1041client.
1042Because of the potential for abuse, this file must have strict permissions: 1139Because of the potential for abuse, this file must have strict permissions:
1043read/write for the user, and not accessible by others. 1140read/write for the user, and not accessible by others.
1044It may be group-writable provided that the group in question contains only 1141It may be group-writable provided that the group in question contains only
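Review bot: the new PATTERNS section (1098-1132) does not say what a pattern-list made up only of negated patterns matches; the authorized_keys example at 1132 pairs the negation with a positive `*.example.com`, which implies a positive pattern is needed, and a reader writing `from="!*.dialup.example.com"` on its own needs to know whether that admits every other host or none, since this is an access-control decision. Also 1101-1106 reads as if a pattern is one of three alternatives ("zero or more non-whitespace characters, *, or ?"), whereas the examples at 1112 and 1117 mix literal characters with wildcards; suggest "consists of zero or more non-whitespace characters, in which * matches zero or more characters and ? matches exactly one character".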