| author | Colin Watson <cjwatson@debian.org> | 2007-06-12 16:16:35 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2007-06-12 16:16:35 +0000 |
| commit | b7e40fa9da0b5491534a429dadb321eab5a77558 (patch) | |
| tree | bed1da11e9f829925797aa093e379fc0b5868ecd /ssh_config.5 | |
| parent | 4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff) | |
| parent | 086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff) | |
* New upstream release (closes: #395507, #397961, #420035). Important
changes not previously backported to 4.3p2:
- 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
+ On portable OpenSSH, fix a GSSAPI authentication abort that could be
used to determine the validity of usernames on some platforms.
+ Implemented conditional configuration in sshd_config(5) using the
"Match" directive. This allows some configuration options to be
selectively overridden if specific criteria (based on user, group,
hostname and/or address) are met. So far a useful subset of
post-authentication options are supported and more are expected to
be added in future releases.
+ Add support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256.
+ Added a "ForceCommand" directive to sshd_config(5). Similar to the
command="..." option accepted in ~/.ssh/authorized_keys, this forces
the execution of the specified command regardless of what the user
requested. This is very useful in conjunction with the new "Match"
option.
+ Add a "PermitOpen" directive to sshd_config(5). This mirrors the
permitopen="..." authorized_keys option, allowing fine-grained
control over the port-forwardings that a user is allowed to
establish.
+ Add optional logging of transactions to sftp-server(8).
+ ssh(1) will now record port numbers for hosts stored in
~/.ssh/known_hosts when a non-standard port has been requested
(closes: #50612).
+ Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
non-zero exit code) when requested port forwardings could not be
established.
+ Extend sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments.
+ Replacement of all integer overflow susceptible invocations of
malloc(3) and realloc(3) with overflow-checking equivalents.
+ Many manpage fixes and improvements.
+ Add optional support for OpenSSL hardware accelerators (engines),
enabled using the --with-ssl-engine configure option.
+ Tokens in configuration files may be double-quoted in order to
contain spaces (closes: #319639).
+ Move a debug() call out of a SIGCHLD handler, fixing a hang when the
session exits very quickly (closes: #307890).
+ Fix some incorrect buffer allocation calculations (closes: #410599).
+ ssh-add doesn't ask for a passphrase if key file permissions are too
liberal (closes: #103677).
+ Likewise, ssh doesn't ask either (closes: #99675).
- 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
+ sshd now allows the enabling and disabling of authentication methods
on a per user, group, host and network basis via the Match directive
in sshd_config.
+ Fixed an inconsistent check for a terminal when displaying scp
progress meter (closes: #257524).
+ Fix "hang on exit" when background processes are running at the time
of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
install ChangeLog.gssapi.
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 325 |
1 files changed, 211 insertions, 114 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 979f9282f..4c46c62cb 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -42,14 +42,13 @@ | |||
42 | .Nm ssh_config | 42 | .Nm ssh_config |
43 | .Nd OpenSSH SSH client configuration files | 43 | .Nd OpenSSH SSH client configuration files |
44 | .Sh SYNOPSIS | 44 | .Sh SYNOPSIS |
45 | .Bl -tag -width Ds -compact | 45 | .Nm ~/.ssh/config |
46 | .It Pa ~/.ssh/config | 46 | .Nm /etc/ssh/ssh_config |
47 | .It Pa /etc/ssh/ssh_config | ||
48 | .El | ||
49 | .Sh DESCRIPTION | 47 | .Sh DESCRIPTION |
50 | .Nm ssh | 48 | .Xr ssh 1 |
51 | obtains configuration data from the following sources in | 49 | obtains configuration data from the following sources in |
52 | the following order: | 50 | the following order: |
51 | .Pp | ||
53 | .Bl -enum -offset indent -compact | 52 | .Bl -enum -offset indent -compact |
54 | .It | 53 | .It |
55 | command-line options | 54 | command-line options |
@@ -78,7 +77,6 @@ The configuration file has the following format: | |||
78 | Empty lines and lines starting with | 77 | Empty lines and lines starting with |
79 | .Ql # | 78 | .Ql # |
80 | are comments. | 79 | are comments. |
81 | .Pp | ||
82 | Otherwise a line is of the format | 80 | Otherwise a line is of the format |
83 | .Dq keyword arguments . | 81 | .Dq keyword arguments . |
84 | Configuration options may be separated by whitespace or | 82 | Configuration options may be separated by whitespace or |
@@ -87,11 +85,14 @@ optional whitespace and exactly one | |||
87 | the latter format is useful to avoid the need to quote whitespace | 85 | the latter format is useful to avoid the need to quote whitespace |
88 | when specifying configuration options using the | 86 | when specifying configuration options using the |
89 | .Nm ssh , | 87 | .Nm ssh , |
90 | .Nm scp | 88 | .Nm scp , |
91 | and | 89 | and |
92 | .Nm sftp | 90 | .Nm sftp |
93 | .Fl o | 91 | .Fl o |
94 | option. | 92 | option. |
93 | Arguments may optionally be enclosed in double quotes | ||
94 | .Pq \&" | ||
95 | in order to represent arguments containing spaces. | ||
95 | .Pp | 96 | .Pp |
96 | The possible | 97 | The possible |
97 | keywords and their meanings are as follows (note that | 98 | keywords and their meanings are as follows (note that |
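Review bot: the new sentence at new lines 93-95 documents that an argument may be wrapped in double quotes to carry spaces, but not how a literal double quote inside such an argument is written, nor whether the quoting applies to every keyword; one clarifying sentence would close that gap for people who script their ssh_config. The `.Pq \&"` macro is the right way to render the parenthesised quote mark.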
@@ -102,25 +103,24 @@ Restricts the following declarations (up to the next | |||
102 | .Cm Host | 103 | .Cm Host |
103 | keyword) to be only for those hosts that match one of the patterns | 104 | keyword) to be only for those hosts that match one of the patterns |
104 | given after the keyword. | 105 | given after the keyword. |
105 | .Ql \&* | ||
106 | and | ||
107 | .Ql \&? | ||
108 | can be used as wildcards in the | ||
109 | patterns. | ||
110 | A single | 106 | A single |
111 | .Ql \&* | 107 | .Ql * |
112 | as a pattern can be used to provide global | 108 | as a pattern can be used to provide global |
113 | defaults for all hosts. | 109 | defaults for all hosts. |
114 | The host is the | 110 | The host is the |
115 | .Ar hostname | 111 | .Ar hostname |
116 | argument given on the command line (i.e., the name is not converted to | 112 | argument given on the command line (i.e. the name is not converted to |
117 | a canonicalized host name before matching). | 113 | a canonicalized host name before matching). |
114 | .Pp | ||
115 | See | ||
116 | .Sx PATTERNS | ||
117 | for more information on patterns. | ||
118 | .It Cm AddressFamily | 118 | .It Cm AddressFamily |
119 | Specifies which address family to use when connecting. | 119 | Specifies which address family to use when connecting. |
120 | Valid arguments are | 120 | Valid arguments are |
121 | .Dq any , | 121 | .Dq any , |
122 | .Dq inet | 122 | .Dq inet |
123 | (use IPv4 only) or | 123 | (use IPv4 only), or |
124 | .Dq inet6 | 124 | .Dq inet6 |
125 | (use IPv6 only). | 125 | (use IPv6 only). |
126 | .It Cm BatchMode | 126 | .It Cm BatchMode |
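Review bot: the inline explanation of the `*` and `?` wildcards (old lines 105-109) is replaced by a `.Sx PATTERNS` cross-reference at new lines 114-117, and that section is not in any hunk shown here, so verify it exists in the new file or the reference dangles. The caveat retained at new lines 110-113 deserves to stay prominent: matching is done against the host name exactly as typed, so a Host block written for a fully qualified name will not apply when the user types a short alias, which matters when that block carries security-relevant settings such as restricted forwardings or identity files.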
@@ -134,8 +134,7 @@ and | |||
134 | options will both be set to 300 seconds by default. | 134 | options will both be set to 300 seconds by default. |
135 | This option is useful in scripts and other batch jobs where no user | 135 | This option is useful in scripts and other batch jobs where no user |
136 | is present to supply the password, | 136 | is present to supply the password, |
137 | and where it is desirable to detect a | 137 | and where it is desirable to detect a broken network swiftly. |
138 | broken network swiftly. | ||
139 | The argument must be | 138 | The argument must be |
140 | .Dq yes | 139 | .Dq yes |
141 | or | 140 | or |
@@ -151,7 +150,7 @@ Note that this option does not work if | |||
151 | is set to | 150 | is set to |
152 | .Dq yes . | 151 | .Dq yes . |
153 | .It Cm ChallengeResponseAuthentication | 152 | .It Cm ChallengeResponseAuthentication |
154 | Specifies whether to use challenge response authentication. | 153 | Specifies whether to use challenge-response authentication. |
155 | The argument to this keyword must be | 154 | The argument to this keyword must be |
156 | .Dq yes | 155 | .Dq yes |
157 | or | 156 | or |
@@ -161,7 +160,8 @@ The default is | |||
161 | .It Cm CheckHostIP | 160 | .It Cm CheckHostIP |
162 | If this flag is set to | 161 | If this flag is set to |
163 | .Dq yes , | 162 | .Dq yes , |
164 | ssh will additionally check the host IP address in the | 163 | .Xr ssh 1 |
164 | will additionally check the host IP address in the | ||
165 | .Pa known_hosts | 165 | .Pa known_hosts |
166 | file. | 166 | file. |
167 | This allows ssh to detect if a host key changed due to DNS spoofing. | 167 | This allows ssh to detect if a host key changed due to DNS spoofing. |
@@ -181,7 +181,7 @@ and | |||
181 | are supported. | 181 | are supported. |
182 | .Ar des | 182 | .Ar des |
183 | is only supported in the | 183 | is only supported in the |
184 | .Nm ssh | 184 | .Xr ssh 1 |
185 | client for interoperability with legacy protocol 1 implementations | 185 | client for interoperability with legacy protocol 1 implementations |
186 | that do not support the | 186 | that do not support the |
187 | .Ar 3des | 187 | .Ar 3des |
@@ -207,18 +207,18 @@ The supported ciphers are | |||
207 | .Dq blowfish-cbc , | 207 | .Dq blowfish-cbc , |
208 | and | 208 | and |
209 | .Dq cast128-cbc . | 209 | .Dq cast128-cbc . |
210 | The default is | 210 | The default is: |
211 | .Bd -literal | 211 | .Bd -literal -offset 3n |
212 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, | 212 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
213 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, | 213 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
214 | aes192-ctr,aes256-ctr'' | 214 | aes192-ctr,aes256-ctr |
215 | .Ed | 215 | .Ed |
216 | .It Cm ClearAllForwardings | 216 | .It Cm ClearAllForwardings |
217 | Specifies that all local, remote and dynamic port forwardings | 217 | Specifies that all local, remote, and dynamic port forwardings |
218 | specified in the configuration files or on the command line be | 218 | specified in the configuration files or on the command line be |
219 | cleared. | 219 | cleared. |
220 | This option is primarily useful when used from the | 220 | This option is primarily useful when used from the |
221 | .Nm ssh | 221 | .Xr ssh 1 |
222 | command line to clear port forwardings set in | 222 | command line to clear port forwardings set in |
223 | configuration files, and is automatically set by | 223 | configuration files, and is automatically set by |
224 | .Xr scp 1 | 224 | .Xr scp 1 |
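Review bot: the cipher list at new lines 212-214 documents a compiled-in default, so it has to be kept in step with the client's real default order; check that the order shown (aes128-cbc first, the arcfour variants ahead of the CTR modes) is what this release negotiates, because a stale list here misleads anyone auditing which ciphers the client will accept. Dropping the `` '' quotes inside `.Bd -literal` is correct, as the literal block already sets the text off.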
@@ -251,15 +251,15 @@ The argument must be an integer. | |||
251 | This may be useful in scripts if the connection sometimes fails. | 251 | This may be useful in scripts if the connection sometimes fails. |
252 | The default is 1. | 252 | The default is 1. |
253 | .It Cm ConnectTimeout | 253 | .It Cm ConnectTimeout |
254 | Specifies the timeout (in seconds) used when connecting to the ssh | 254 | Specifies the timeout (in seconds) used when connecting to the |
255 | server, instead of using the default system TCP timeout. | 255 | SSH server, instead of using the default system TCP timeout. |
256 | This value is used only when the target is down or really unreachable, | 256 | This value is used only when the target is down or really unreachable, |
257 | not when it refuses the connection. | 257 | not when it refuses the connection. |
258 | .It Cm ControlMaster | 258 | .It Cm ControlMaster |
259 | Enables the sharing of multiple sessions over a single network connection. | 259 | Enables the sharing of multiple sessions over a single network connection. |
260 | When set to | 260 | When set to |
261 | .Dq yes | 261 | .Dq yes , |
262 | .Nm ssh | 262 | .Xr ssh 1 |
263 | will listen for connections on a control socket specified using the | 263 | will listen for connections on a control socket specified using the |
264 | .Cm ControlPath | 264 | .Cm ControlPath |
265 | argument. | 265 | argument. |
@@ -276,8 +276,7 @@ if the control socket does not exist, or is not listening. | |||
276 | .Pp | 276 | .Pp |
277 | Setting this to | 277 | Setting this to |
278 | .Dq ask | 278 | .Dq ask |
279 | will cause | 279 | will cause ssh |
280 | .Nm ssh | ||
281 | to listen for control connections, but require confirmation using the | 280 | to listen for control connections, but require confirmation using the |
282 | .Ev SSH_ASKPASS | 281 | .Ev SSH_ASKPASS |
283 | program before they are accepted (see | 282 | program before they are accepted (see |
@@ -285,9 +284,8 @@ program before they are accepted (see | |||
285 | for details). | 284 | for details). |
286 | If the | 285 | If the |
287 | .Cm ControlPath | 286 | .Cm ControlPath |
288 | can not be opened, | 287 | cannot be opened, |
289 | .Nm ssh | 288 | ssh will continue without connecting to a master instance. |
290 | will continue without connecting to a master instance. | ||
291 | .Pp | 289 | .Pp |
292 | X11 and | 290 | X11 and |
293 | .Xr ssh-agent 1 | 291 | .Xr ssh-agent 1 |
@@ -313,16 +311,18 @@ section above or the string | |||
313 | .Dq none | 311 | .Dq none |
314 | to disable connection sharing. | 312 | to disable connection sharing. |
315 | In the path, | 313 | In the path, |
314 | .Ql %l | ||
315 | will be substituted by the local host name, | ||
316 | .Ql %h | 316 | .Ql %h |
317 | will be substituted by the target host name, | 317 | will be substituted by the target host name, |
318 | .Ql %p | 318 | .Ql %p |
319 | the port and | 319 | the port, and |
320 | .Ql %r | 320 | .Ql %r |
321 | by the remote login username. | 321 | by the remote login username. |
322 | It is recommended that any | 322 | It is recommended that any |
323 | .Cm ControlPath | 323 | .Cm ControlPath |
324 | used for opportunistic connection sharing include | 324 | used for opportunistic connection sharing include |
325 | all three of these escape sequences. | 325 | at least %h, %p, and %r. |
326 | This ensures that shared connections are uniquely identified. | 326 | This ensures that shared connections are uniquely identified. |
327 | .It Cm DynamicForward | 327 | .It Cm DynamicForward |
328 | Specifies that a TCP port on the local machine be forwarded | 328 | Specifies that a TCP port on the local machine be forwarded |
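Review bot: new lines 314-315 add a `%l` (local host name) escape, but the recommendation at new lines 322-325 still asks only for %h, %p and %r. For users whose home directory is shared across machines (the situation NoHostAuthenticationForLocalhost describes further down, at old line 633), two local hosts would otherwise compute the same ControlPath; consider recommending %l as well so the socket path is unique per local host, not only per target.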
@@ -353,7 +353,7 @@ empty address or | |||
353 | indicates that the port should be available from all interfaces. | 353 | indicates that the port should be available from all interfaces. |
354 | .Pp | 354 | .Pp |
355 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | 355 | Currently the SOCKS4 and SOCKS5 protocols are supported, and |
356 | .Nm ssh | 356 | .Xr ssh 1 |
357 | will act as a SOCKS server. | 357 | will act as a SOCKS server. |
358 | Multiple forwardings may be specified, and | 358 | Multiple forwardings may be specified, and |
359 | additional forwardings can be given on the command line. | 359 | additional forwardings can be given on the command line. |
@@ -389,6 +389,17 @@ followed by a letter, or | |||
389 | to disable the escape | 389 | to disable the escape |
390 | character entirely (making the connection transparent for binary | 390 | character entirely (making the connection transparent for binary |
391 | data). | 391 | data). |
392 | .It Cm ExitOnForwardFailure | ||
393 | Specifies whether | ||
394 | .Xr ssh 1 | ||
395 | should terminate the connection if it cannot set up all requested | ||
396 | dynamic, local, and remote port forwardings. | ||
397 | The argument must be | ||
398 | .Dq yes | ||
399 | or | ||
400 | .Dq no . | ||
401 | The default is | ||
402 | .Dq no . | ||
392 | .It Cm ForwardAgent | 403 | .It Cm ForwardAgent |
393 | Specifies whether the connection to the authentication agent (if any) | 404 | Specifies whether the connection to the authentication agent (if any) |
394 | will be forwarded to the remote machine. | 405 | will be forwarded to the remote machine. |
@@ -428,12 +439,12 @@ if the | |||
428 | option is also enabled. | 439 | option is also enabled. |
429 | .It Cm ForwardX11Trusted | 440 | .It Cm ForwardX11Trusted |
430 | If this option is set to | 441 | If this option is set to |
431 | .Dq yes | 442 | .Dq yes , |
432 | then remote X11 clients will have full access to the original X11 display. | 443 | remote X11 clients will have full access to the original X11 display. |
433 | .Pp | 444 | .Pp |
434 | If this option is set to | 445 | If this option is set to |
435 | .Dq no | 446 | .Dq no , |
436 | then remote X11 clients will be considered untrusted and prevented | 447 | remote X11 clients will be considered untrusted and prevented |
437 | from stealing or tampering with data belonging to trusted X11 | 448 | from stealing or tampering with data belonging to trusted X11 |
438 | clients. | 449 | clients. |
439 | Furthermore, the | 450 | Furthermore, the |
@@ -451,12 +462,11 @@ the restrictions imposed on untrusted clients. | |||
451 | Specifies whether remote hosts are allowed to connect to local | 462 | Specifies whether remote hosts are allowed to connect to local |
452 | forwarded ports. | 463 | forwarded ports. |
453 | By default, | 464 | By default, |
454 | .Nm ssh | 465 | .Xr ssh 1 |
455 | binds local port forwardings to the loopback address. | 466 | binds local port forwardings to the loopback address. |
456 | This prevents other remote hosts from connecting to forwarded ports. | 467 | This prevents other remote hosts from connecting to forwarded ports. |
457 | .Cm GatewayPorts | 468 | .Cm GatewayPorts |
458 | can be used to specify that | 469 | can be used to specify that ssh |
459 | .Nm ssh | ||
460 | should bind local port forwardings to the wildcard address, | 470 | should bind local port forwardings to the wildcard address, |
461 | thus allowing remote hosts to connect to forwarded ports. | 471 | thus allowing remote hosts to connect to forwarded ports. |
462 | The argument must be | 472 | The argument must be |
@@ -474,6 +484,12 @@ Specifies whether user authentication based on GSSAPI is allowed. | |||
474 | The default is | 484 | The default is |
475 | .Dq no . | 485 | .Dq no . |
476 | Note that this option applies to protocol version 2 only. | 486 | Note that this option applies to protocol version 2 only. |
487 | .It Cm GSSAPIKeyExchange | ||
488 | Specifies whether key exchange based on GSSAPI may be used. When using | ||
489 | GSSAPI key exchange the server need not have a host key. | ||
490 | The default is | ||
491 | .Dq no . | ||
492 | Note that this option applies to protocol version 2 only. | ||
477 | .It Cm GSSAPIDelegateCredentials | 493 | .It Cm GSSAPIDelegateCredentials |
478 | Forward (delegate) credentials to the server. | 494 | Forward (delegate) credentials to the server. |
479 | The default is | 495 | The default is |
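Review bot: the new GSSAPIKeyExchange entry (new lines 487-492) is out of alphabetical order: it sits between GSSAPIAuthentication and GSSAPIDelegateCredentials, whereas the surrounding keywords are sorted and it belongs after GSSAPIDelegateCredentials. New line 488 also puts two sentences on one line ("...may be used. When using"), against the mdoc convention followed elsewhere in this file of starting each sentence on a new line. On content, "the server need not have a host key" is a significant statement for anyone relying on known_hosts checks; a sentence saying what then authenticates the server would let readers judge the trade-off.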
@@ -481,29 +497,31 @@ The default is | |||
481 | Note that this option applies to protocol version 2 only. | 497 | Note that this option applies to protocol version 2 only. |
482 | .It Cm GSSAPITrustDns | 498 | .It Cm GSSAPITrustDns |
483 | Set to | 499 | Set to |
484 | .Dq yes to indicate that the DNS is trusted to securely canonicalize | 500 | .Dq yes |
501 | to indicate that the DNS is trusted to securely canonicalize | ||
485 | the name of the host being connected to. If | 502 | the name of the host being connected to. If |
486 | .Dq no, the hostname entered on the | 503 | .Dq no , |
504 | the hostname entered on the | ||
487 | command line will be passed untouched to the GSSAPI library. | 505 | command line will be passed untouched to the GSSAPI library. |
488 | The default is | 506 | The default is |
489 | .Dq no . | 507 | .Dq no . |
490 | This option only applies to protocol version 2 connections using GSSAPI | 508 | This option only applies to protocol version 2 connections using GSSAPI. |
491 | key exchange. | ||
492 | .It Cm HashKnownHosts | 509 | .It Cm HashKnownHosts |
493 | Indicates that | 510 | Indicates that |
494 | .Nm ssh | 511 | .Xr ssh 1 |
495 | should hash host names and addresses when they are added to | 512 | should hash host names and addresses when they are added to |
496 | .Pa ~/.ssh/known_hosts . | 513 | .Pa ~/.ssh/known_hosts . |
497 | These hashed names may be used normally by | 514 | These hashed names may be used normally by |
498 | .Nm ssh | 515 | .Xr ssh 1 |
499 | and | 516 | and |
500 | .Nm sshd , | 517 | .Xr sshd 8 , |
501 | but they do not reveal identifying information should the file's contents | 518 | but they do not reveal identifying information should the file's contents |
502 | be disclosed. | 519 | be disclosed. |
503 | The default is | 520 | The default is |
504 | .Dq no . | 521 | .Dq no . |
505 | Note that hashing of names and addresses will not be retrospectively applied | 522 | Note that existing names and addresses in known hosts files |
506 | to existing known hosts files, but these may be manually hashed using | 523 | will not be converted automatically, |
524 | but may be manually hashed using | ||
507 | .Xr ssh-keygen 1 . | 525 | .Xr ssh-keygen 1 . |
508 | .It Cm HostbasedAuthentication | 526 | .It Cm HostbasedAuthentication |
509 | Specifies whether to try rhosts based authentication with public key | 527 | Specifies whether to try rhosts based authentication with public key |
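Review bot: the GSSAPITrustDns fix at new lines 499-504 is necessary and correct: in mdoc, `.Dq yes to indicate ...` quotes the whole remainder of the line, so the old text rendered the entire clause inside the quotes; moving the macro argument onto its own line fixes that. Two follow-ups: new line 502 still carries two sentences ("...connected to. If"), so the same new-sentence-new-line rule applies; and new line 508 widens the scope from "connections using GSSAPI key exchange" to "connections using GSSAPI", which is a behavioural claim rather than a wording fix and should be checked against the patched code. Since "yes" means ssh trusts whatever name DNS returns when forming the GSSAPI target name, a short note on why the default is "no" would help readers judge the risk.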
@@ -526,30 +544,29 @@ The default for this option is: | |||
526 | Specifies an alias that should be used instead of the | 544 | Specifies an alias that should be used instead of the |
527 | real host name when looking up or saving the host key | 545 | real host name when looking up or saving the host key |
528 | in the host key database files. | 546 | in the host key database files. |
529 | This option is useful for tunneling ssh connections | 547 | This option is useful for tunneling SSH connections |
530 | or for multiple servers running on a single host. | 548 | or for multiple servers running on a single host. |
531 | .It Cm HostName | 549 | .It Cm HostName |
532 | Specifies the real host name to log into. | 550 | Specifies the real host name to log into. |
533 | This can be used to specify nicknames or abbreviations for hosts. | 551 | This can be used to specify nicknames or abbreviations for hosts. |
534 | Default is the name given on the command line. | 552 | The default is the name given on the command line. |
535 | Numeric IP addresses are also permitted (both on the command line and in | 553 | Numeric IP addresses are also permitted (both on the command line and in |
536 | .Cm HostName | 554 | .Cm HostName |
537 | specifications). | 555 | specifications). |
538 | .It Cm IdentitiesOnly | 556 | .It Cm IdentitiesOnly |
539 | Specifies that | 557 | Specifies that |
540 | .Nm ssh | 558 | .Xr ssh 1 |
541 | should only use the authentication identity files configured in the | 559 | should only use the authentication identity files configured in the |
542 | .Nm | 560 | .Nm |
543 | files, | 561 | files, |
544 | even if the | 562 | even if |
545 | .Nm ssh-agent | 563 | .Xr ssh-agent 1 |
546 | offers more identities. | 564 | offers more identities. |
547 | The argument to this keyword must be | 565 | The argument to this keyword must be |
548 | .Dq yes | 566 | .Dq yes |
549 | or | 567 | or |
550 | .Dq no . | 568 | .Dq no . |
551 | This option is intended for situations where | 569 | This option is intended for situations where ssh-agent |
552 | .Nm ssh-agent | ||
553 | offers many different identities. | 570 | offers many different identities. |
554 | The default is | 571 | The default is |
555 | .Dq no . | 572 | .Dq no . |
@@ -565,8 +582,21 @@ and | |||
565 | for protocol version 2. | 582 | for protocol version 2. |
566 | Additionally, any identities represented by the authentication agent | 583 | Additionally, any identities represented by the authentication agent |
567 | will be used for authentication. | 584 | will be used for authentication. |
585 | .Pp | ||
568 | The file name may use the tilde | 586 | The file name may use the tilde |
569 | syntax to refer to a user's home directory. | 587 | syntax to refer to a user's home directory or one of the following |
588 | escape characters: | ||
589 | .Ql %d | ||
590 | (local user's home directory), | ||
591 | .Ql %u | ||
592 | (local user name), | ||
593 | .Ql %l | ||
594 | (local host name), | ||
595 | .Ql %h | ||
596 | (remote host name) or | ||
597 | .Ql %r | ||
598 | (remote user name). | ||
599 | .Pp | ||
570 | It is possible to have | 600 | It is possible to have |
571 | multiple identity files specified in configuration files; all these | 601 | multiple identity files specified in configuration files; all these |
572 | identities will be tried in sequence. | 602 | identities will be tried in sequence. |
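Review bot: the new escape list for IdentityFile (new lines 587-598) does not say how a literal percent sign is written, and it lists a different set of escapes from ControlPath (no %p here, %d and %u only here); a single shared description of the escape characters, referenced from both keywords, would keep the two lists from drifting apart as more escapes are added.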
@@ -574,6 +604,13 @@ identities will be tried in sequence. | |||
574 | Specifies the list of methods to use in keyboard-interactive authentication. | 604 | Specifies the list of methods to use in keyboard-interactive authentication. |
575 | Multiple method names must be comma-separated. | 605 | Multiple method names must be comma-separated. |
576 | The default is to use the server specified list. | 606 | The default is to use the server specified list. |
607 | The methods available vary depending on what the server supports. | ||
608 | For an OpenSSH server, | ||
609 | it may be zero or more of: | ||
610 | .Dq bsdauth , | ||
611 | .Dq pam , | ||
612 | and | ||
613 | .Dq skey . | ||
577 | .It Cm LocalCommand | 614 | .It Cm LocalCommand |
578 | Specifies a command to execute on the local machine after successfully | 615 | Specifies a command to execute on the local machine after successfully |
579 | connecting to the server. | 616 | connecting to the server. |
@@ -615,9 +652,9 @@ empty address or | |||
615 | indicates that the port should be available from all interfaces. | 652 | indicates that the port should be available from all interfaces. |
616 | .It Cm LogLevel | 653 | .It Cm LogLevel |
617 | Gives the verbosity level that is used when logging messages from | 654 | Gives the verbosity level that is used when logging messages from |
618 | .Nm ssh . | 655 | .Xr ssh 1 . |
619 | The possible values are: | 656 | The possible values are: |
620 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. | 657 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. |
621 | The default is INFO. | 658 | The default is INFO. |
622 | DEBUG and DEBUG1 are equivalent. | 659 | DEBUG and DEBUG1 are equivalent. |
623 | DEBUG2 and DEBUG3 each specify higher levels of verbose output. | 660 | DEBUG2 and DEBUG3 each specify higher levels of verbose output. |
@@ -627,7 +664,7 @@ in order of preference. | |||
627 | The MAC algorithm is used in protocol version 2 | 664 | The MAC algorithm is used in protocol version 2 |
628 | for data integrity protection. | 665 | for data integrity protection. |
629 | Multiple algorithms must be comma-separated. | 666 | Multiple algorithms must be comma-separated. |
630 | The default is | 667 | The default is: |
631 | .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . | 668 | .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
632 | .It Cm NoHostAuthenticationForLocalhost | 669 | .It Cm NoHostAuthenticationForLocalhost |
633 | This option can be used if the home directory is shared across machines. | 670 | This option can be used if the home directory is shared across machines. |
@@ -642,7 +679,7 @@ The default is to check the host key for localhost. | |||
642 | .It Cm NumberOfPasswordPrompts | 679 | .It Cm NumberOfPasswordPrompts |
643 | Specifies the number of password prompts before giving up. | 680 | Specifies the number of password prompts before giving up. |
644 | The argument to this keyword must be an integer. | 681 | The argument to this keyword must be an integer. |
645 | Default is 3. | 682 | The default is 3. |
646 | .It Cm PasswordAuthentication | 683 | .It Cm PasswordAuthentication |
647 | Specifies whether to use password authentication. | 684 | Specifies whether to use password authentication. |
648 | The argument to this keyword must be | 685 | The argument to this keyword must be |
@@ -666,7 +703,7 @@ The default is | |||
666 | .Dq no . | 703 | .Dq no . |
667 | .It Cm Port | 704 | .It Cm Port |
668 | Specifies the port number to connect on the remote host. | 705 | Specifies the port number to connect on the remote host. |
669 | Default is 22. | 706 | The default is 22. |
670 | .It Cm PreferredAuthentications | 707 | .It Cm PreferredAuthentications |
671 | Specifies the order in which the client should try protocol 2 | 708 | Specifies the order in which the client should try protocol 2 |
672 | authentication methods. | 709 | authentication methods. |
@@ -675,20 +712,24 @@ This allows a client to prefer one method (e.g.\& | |||
675 | over another method (e.g.\& | 712 | over another method (e.g.\& |
676 | .Cm password ) | 713 | .Cm password ) |
677 | The default for this option is: | 714 | The default for this option is: |
678 | .Dq hostbased,publickey,keyboard-interactive,password . | 715 | .Do gssapi-with-mic , |
716 | hostbased, | ||
717 | publickey, | ||
718 | keyboard-interactive, | ||
719 | password | ||
720 | .Dc . | ||
679 | .It Cm Protocol | 721 | .It Cm Protocol |
680 | Specifies the protocol versions | 722 | Specifies the protocol versions |
681 | .Nm ssh | 723 | .Xr ssh 1 |
682 | should support in order of preference. | 724 | should support in order of preference. |
683 | The possible values are | 725 | The possible values are |
684 | .Dq 1 | 726 | .Sq 1 |
685 | and | 727 | and |
686 | .Dq 2 . | 728 | .Sq 2 . |
687 | Multiple versions must be comma-separated. | 729 | Multiple versions must be comma-separated. |
688 | The default is | 730 | The default is |
689 | .Dq 2,1 . | 731 | .Dq 2,1 . |
690 | This means that | 732 | This means that ssh |
691 | .Nm ssh | ||
692 | tries version 2 and falls back to version 1 | 733 | tries version 2 and falls back to version 1 |
693 | if version 2 is not available. | 734 | if version 2 is not available. |
694 | .It Cm ProxyCommand | 735 | .It Cm ProxyCommand |
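Review bot: the PreferredAuthentications default at new lines 715-720 now lists gssapi-with-mic first, ahead of hostbased and publickey. A cross-reference to GSSAPIAuthentication (default "no" at new lines 484-485) would prevent the impression that GSSAPI authentication is attempted by default; as written, the order is only meaningful once that option is enabled. The `.Do`/`.Dc` split with "gssapi-with-mic ," as its own token is the right way to keep the trailing comma outside the quotes.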
@@ -746,9 +787,9 @@ or | |||
746 | .Sq G | 787 | .Sq G |
747 | to indicate Kilobytes, Megabytes, or Gigabytes, respectively. | 788 | to indicate Kilobytes, Megabytes, or Gigabytes, respectively. |
748 | The default is between | 789 | The default is between |
749 | .Dq 1G | 790 | .Sq 1G |
750 | and | 791 | and |
751 | .Dq 4G , | 792 | .Sq 4G , |
752 | depending on the cipher. | 793 | depending on the cipher. |
753 | This option applies to protocol version 2 only. | 794 | This option applies to protocol version 2 only. |
754 | .It Cm RemoteForward | 795 | .It Cm RemoteForward |
@@ -794,7 +835,7 @@ or | |||
794 | The default is | 835 | The default is |
795 | .Dq no . | 836 | .Dq no . |
796 | This option applies to protocol version 1 only and requires | 837 | This option applies to protocol version 1 only and requires |
797 | .Nm ssh | 838 | .Xr ssh 1 |
798 | to be setuid root. | 839 | to be setuid root. |
799 | .It Cm RSAAuthentication | 840 | .It Cm RSAAuthentication |
800 | Specifies whether to try RSA authentication. | 841 | Specifies whether to try RSA authentication. |
@@ -812,31 +853,31 @@ Note that this option applies to protocol version 1 only. | |||
812 | Specifies what variables from the local | 853 | Specifies what variables from the local |
813 | .Xr environ 7 | 854 | .Xr environ 7 |
814 | should be sent to the server. | 855 | should be sent to the server. |
815 | Note that environment passing is only supported for protocol 2, the | 856 | Note that environment passing is only supported for protocol 2. |
816 | server must also support it, and the server must be configured to | 857 | The server must also support it, and the server must be configured to |
817 | accept these environment variables. | 858 | accept these environment variables. |
818 | Refer to | 859 | Refer to |
819 | .Cm AcceptEnv | 860 | .Cm AcceptEnv |
820 | in | 861 | in |
821 | .Xr sshd_config 5 | 862 | .Xr sshd_config 5 |
822 | for how to configure the server. | 863 | for how to configure the server. |
823 | Variables are specified by name, which may contain the wildcard characters | 864 | Variables are specified by name, which may contain wildcard characters. |
824 | .Ql \&* | ||
825 | and | ||
826 | .Ql \&? . | ||
827 | Multiple environment variables may be separated by whitespace or spread | 865 | Multiple environment variables may be separated by whitespace or spread |
828 | across multiple | 866 | across multiple |
829 | .Cm SendEnv | 867 | .Cm SendEnv |
830 | directives. | 868 | directives. |
831 | The default is not to send any environment variables. | 869 | The default is not to send any environment variables. |
870 | .Pp | ||
871 | See | ||
872 | .Sx PATTERNS | ||
873 | for more information on patterns. | ||
832 | .It Cm ServerAliveCountMax | 874 | .It Cm ServerAliveCountMax |
833 | Sets the number of server alive messages (see below) which may be | 875 | Sets the number of server alive messages (see below) which may be |
834 | sent without | 876 | sent without |
835 | .Nm ssh | 877 | .Xr ssh 1 |
836 | receiving any messages back from the server. | 878 | receiving any messages back from the server. |
837 | If this threshold is reached while server alive messages are being sent, | 879 | If this threshold is reached while server alive messages are being sent, |
838 | .Nm ssh | 880 | ssh will disconnect from the server, terminating the session. |
839 | will disconnect from the server, terminating the session. | ||
840 | It is important to note that the use of server alive messages is very | 881 | It is important to note that the use of server alive messages is very |
841 | different from | 882 | different from |
842 | .Cm TCPKeepAlive | 883 | .Cm TCPKeepAlive |
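Review bot: replacing the explicit list of the "*" and "?" wildcards (old lines 823-826) with "may contain wildcard characters" plus the pointer to PATTERNS (new lines 864 and 871-873) leaves it unstated whether the "!" negation that PATTERNS describes for comma-separated pattern-lists applies to SendEnv, whose names are whitespace-separated per lines 865-868; suggest keeping a short clause such as "which may contain the wildcard characters * and ?" at 864 and saying explicitly whether negation is accepted here, so readers do not infer pattern-list semantics from the cross-reference.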
@@ -852,18 +893,18 @@ server depend on knowing when a connection has become inactive. | |||
852 | The default value is 3. | 893 | The default value is 3. |
853 | If, for example, | 894 | If, for example, |
854 | .Cm ServerAliveInterval | 895 | .Cm ServerAliveInterval |
855 | (see below) is set to 15, and | 896 | (see below) is set to 15 and |
856 | .Cm ServerAliveCountMax | 897 | .Cm ServerAliveCountMax |
857 | is left at the default, if the server becomes unresponsive ssh | 898 | is left at the default, if the server becomes unresponsive, |
858 | will disconnect after approximately 45 seconds. | 899 | ssh will disconnect after approximately 45 seconds. |
859 | This option works when using protocol version 2 only; in protocol version | 900 | This option applies to protocol version 2 only; in protocol version |
860 | 1 there is no mechanism to request a response from the server to the | 901 | 1 there is no mechanism to request a response from the server to the |
861 | server alive messages, so disconnection is the responsibility of the TCP | 902 | server alive messages, so disconnection is the responsibility of the TCP |
862 | stack. | 903 | stack. |
863 | .It Cm ServerAliveInterval | 904 | .It Cm ServerAliveInterval |
864 | Sets a timeout interval in seconds after which if no data has been received | 905 | Sets a timeout interval in seconds after which if no data has been received |
865 | from the server, | 906 | from the server, |
866 | .Nm ssh | 907 | .Xr ssh 1 |
867 | will send a message through the encrypted | 908 | will send a message through the encrypted |
868 | channel to request a response from the server. | 909 | channel to request a response from the server. |
869 | The default | 910 | The default |
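Review bot: the "approximately 45 seconds" figure at new lines 898-899 is the product of ServerAliveInterval (15) and the default ServerAliveCountMax (3), but the text never says so and a reader tuning either value has to work the arithmetic out; suggest phrasing it as "ssh will disconnect after approximately ServerAliveInterval times ServerAliveCountMax seconds, 45 in this example" so the worked example generalises.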
@@ -894,41 +935,39 @@ This is a Debian-specific option. | |||
894 | .It Cm SmartcardDevice | 935 | .It Cm SmartcardDevice |
895 | Specifies which smartcard device to use. | 936 | Specifies which smartcard device to use. |
896 | The argument to this keyword is the device | 937 | The argument to this keyword is the device |
897 | .Nm ssh | 938 | .Xr ssh 1 |
898 | should use to communicate with a smartcard used for storing the user's | 939 | should use to communicate with a smartcard used for storing the user's |
899 | private RSA key. | 940 | private RSA key. |
900 | By default, no device is specified and smartcard support is not activated. | 941 | By default, no device is specified and smartcard support is not activated. |
901 | .It Cm StrictHostKeyChecking | 942 | .It Cm StrictHostKeyChecking |
902 | If this flag is set to | 943 | If this flag is set to |
903 | .Dq yes , | 944 | .Dq yes , |
904 | .Nm ssh | 945 | .Xr ssh 1 |
905 | will never automatically add host keys to the | 946 | will never automatically add host keys to the |
906 | .Pa ~/.ssh/known_hosts | 947 | .Pa ~/.ssh/known_hosts |
907 | file, and refuses to connect to hosts whose host key has changed. | 948 | file, and refuses to connect to hosts whose host key has changed. |
908 | This provides maximum protection against trojan horse attacks, | 949 | This provides maximum protection against trojan horse attacks, |
909 | however, can be annoying when the | 950 | though it can be annoying when the |
910 | .Pa /etc/ssh/ssh_known_hosts | 951 | .Pa /etc/ssh/ssh_known_hosts |
911 | file is poorly maintained, or connections to new hosts are | 952 | file is poorly maintained or when connections to new hosts are |
912 | frequently made. | 953 | frequently made. |
913 | This option forces the user to manually | 954 | This option forces the user to manually |
914 | add all new hosts. | 955 | add all new hosts. |
915 | If this flag is set to | 956 | If this flag is set to |
916 | .Dq no , | 957 | .Dq no , |
917 | .Nm ssh | 958 | ssh will automatically add new host keys to the |
918 | will automatically add new host keys to the | ||
919 | user known hosts files. | 959 | user known hosts files. |
920 | If this flag is set to | 960 | If this flag is set to |
921 | .Dq ask , | 961 | .Dq ask , |
922 | new host keys | 962 | new host keys |
923 | will be added to the user known host files only after the user | 963 | will be added to the user known host files only after the user |
924 | has confirmed that is what they really want to do, and | 964 | has confirmed that is what they really want to do, and |
925 | .Nm ssh | 965 | ssh will refuse to connect to hosts whose host key has changed. |
926 | will refuse to connect to hosts whose host key has changed. | ||
927 | The host keys of | 966 | The host keys of |
928 | known hosts will be verified automatically in all cases. | 967 | known hosts will be verified automatically in all cases. |
929 | The argument must be | 968 | The argument must be |
930 | .Dq yes , | 969 | .Dq yes , |
931 | .Dq no | 970 | .Dq no , |
932 | or | 971 | or |
933 | .Dq ask . | 972 | .Dq ask . |
934 | The default is | 973 | The default is |
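Review bot: the "no" case at new lines 958-959 still only says that new host keys are added automatically, while the "yes" case (947-948) and the "ask" case (965) both state what happens when a known host's key has changed; since "no" is the setting under which the trojan-horse protection described at 949 is weakest, a sentence spelling out the changed-key behaviour for "no" would leave the three cases documented to the same standard.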
@@ -957,24 +996,44 @@ This is important in scripts, and many users want it too. | |||
957 | To disable TCP keepalive messages, the value should be set to | 996 | To disable TCP keepalive messages, the value should be set to |
958 | .Dq no . | 997 | .Dq no . |
959 | .It Cm Tunnel | 998 | .It Cm Tunnel |
960 | Request starting | 999 | Request |
961 | .Xr tun 4 | 1000 | .Xr tun 4 |
962 | device forwarding between the client and the server. | 1001 | device forwarding between the client and the server. |
963 | This option also allows requesting layer 2 (ethernet) | ||
964 | instead of layer 3 (point-to-point) tunneling from the server. | ||
965 | The argument must be | 1002 | The argument must be |
966 | .Dq yes , | 1003 | .Dq yes , |
967 | .Dq point-to-point , | 1004 | .Dq point-to-point |
1005 | (layer 3), | ||
968 | .Dq ethernet | 1006 | .Dq ethernet |
1007 | (layer 2), | ||
969 | or | 1008 | or |
970 | .Dq no . | 1009 | .Dq no . |
1010 | Specifying | ||
1011 | .Dq yes | ||
1012 | requests the default tunnel mode, which is | ||
1013 | .Dq point-to-point . | ||
971 | The default is | 1014 | The default is |
972 | .Dq no . | 1015 | .Dq no . |
973 | .It Cm TunnelDevice | 1016 | .It Cm TunnelDevice |
974 | Force a specified | 1017 | Specifies the |
975 | .Xr tun 4 | 1018 | .Xr tun 4 |
976 | device on the client. | 1019 | devices to open on the client |
977 | Without this option, the next available device will be used. | 1020 | .Pq Ar local_tun |
1021 | and the server | ||
1022 | .Pq Ar remote_tun . | ||
1023 | .Pp | ||
1024 | The argument must be | ||
1025 | .Sm off | ||
1026 | .Ar local_tun Op : Ar remote_tun . | ||
1027 | .Sm on | ||
1028 | The devices may be specified by numerical ID or the keyword | ||
1029 | .Dq any , | ||
1030 | which uses the next available tunnel device. | ||
1031 | If | ||
1032 | .Ar remote_tun | ||
1033 | is not specified, it defaults to | ||
1034 | .Dq any . | ||
1035 | The default is | ||
1036 | .Dq any:any . | ||
978 | .It Cm UsePrivilegedPort | 1037 | .It Cm UsePrivilegedPort |
979 | Specifies whether to use a privileged port for outgoing connections. | 1038 | Specifies whether to use a privileged port for outgoing connections. |
980 | The argument must be | 1039 | The argument must be |
@@ -984,8 +1043,8 @@ or | |||
984 | The default is | 1043 | The default is |
985 | .Dq no . | 1044 | .Dq no . |
986 | If set to | 1045 | If set to |
987 | .Dq yes | 1046 | .Dq yes , |
988 | .Nm ssh | 1047 | .Xr ssh 1 |
989 | must be setuid root. | 1048 | must be setuid root. |
990 | Note that this option must be set to | 1049 | Note that this option must be set to |
991 | .Dq yes | 1050 | .Dq yes |
@@ -1018,12 +1077,17 @@ need to confirm new host keys according to the | |||
1018 | option. | 1077 | option. |
1019 | The argument must be | 1078 | The argument must be |
1020 | .Dq yes , | 1079 | .Dq yes , |
1021 | .Dq no | 1080 | .Dq no , |
1022 | or | 1081 | or |
1023 | .Dq ask . | 1082 | .Dq ask . |
1024 | The default is | 1083 | The default is |
1025 | .Dq no . | 1084 | .Dq no . |
1026 | Note that this option applies to protocol version 2 only. | 1085 | Note that this option applies to protocol version 2 only. |
1086 | .Pp | ||
1087 | See also | ||
1088 | .Sx VERIFYING HOST KEYS | ||
1089 | in | ||
1090 | .Xr ssh 1 . | ||
1027 | .It Cm XAuthLocation | 1091 | .It Cm XAuthLocation |
1028 | Specifies the full pathname of the | 1092 | Specifies the full pathname of the |
1029 | .Xr xauth 1 | 1093 | .Xr xauth 1 |
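Review bot: ".Sx VERIFYING HOST KEYS" at new line 1088 names a section of ssh(1), but the mdoc ".Sx" macro is for referencing a section of the same manual page, so formatters that turn ".Sx" into links will target this page rather than ssh(1); since the sentence already closes with ".Xr ssh 1 ." at 1090, writing the section name as plain text ("See also the VERIFYING HOST KEYS section in" followed by ".Xr ssh 1 .") is the usual way to cross-reference a section of another page.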
@@ -1031,14 +1095,47 @@ program. | |||
1031 | The default is | 1095 | The default is |
1032 | .Pa /usr/X11R6/bin/xauth . | 1096 | .Pa /usr/X11R6/bin/xauth . |
1033 | .El | 1097 | .El |
1098 | .Sh PATTERNS | ||
1099 | A | ||
1100 | .Em pattern | ||
1101 | consists of zero or more non-whitespace characters, | ||
1102 | .Sq * | ||
1103 | (a wildcard that matches zero or more characters), | ||
1104 | or | ||
1105 | .Sq ?\& | ||
1106 | (a wildcard that matches exactly one character). | ||
1107 | For example, to specify a set of declarations for any host in the | ||
1108 | .Dq .co.uk | ||
1109 | set of domains, | ||
1110 | the following pattern could be used: | ||
1111 | .Pp | ||
1112 | .Dl Host *.co.uk | ||
1113 | .Pp | ||
1114 | The following pattern | ||
1115 | would match any host in the 192.168.0.[0-9] network range: | ||
1116 | .Pp | ||
1117 | .Dl Host 192.168.0.? | ||
1118 | .Pp | ||
1119 | A | ||
1120 | .Em pattern-list | ||
1121 | is a comma-separated list of patterns. | ||
1122 | Patterns within pattern-lists may be negated | ||
1123 | by preceding them with an exclamation mark | ||
1124 | .Pq Sq !\& . | ||
1125 | For example, | ||
1126 | to allow a key to be used from anywhere within an organisation | ||
1127 | except from the | ||
1128 | .Dq dialup | ||
1129 | pool, | ||
1130 | the following entry (in authorized_keys) could be used: | ||
1131 | .Pp | ||
1132 | .Dl from=\&"!*.dialup.example.com,*.example.com\&" | ||
1034 | .Sh FILES | 1133 | .Sh FILES |
1035 | .Bl -tag -width Ds | 1134 | .Bl -tag -width Ds |
1036 | .It Pa ~/.ssh/config | 1135 | .It Pa ~/.ssh/config |
1037 | This is the per-user configuration file. | 1136 | This is the per-user configuration file. |
1038 | The format of this file is described above. | 1137 | The format of this file is described above. |
1039 | This file is used by the | 1138 | This file is used by the SSH client. |
1040 | .Nm ssh | ||
1041 | client. | ||
1042 | Because of the potential for abuse, this file must have strict permissions: | 1139 | Because of the potential for abuse, this file must have strict permissions: |
1043 | read/write for the user, and not accessible by others. | 1140 | read/write for the user, and not accessible by others. |
1044 | It may be group-writable provided that the group in question contains only | 1141 | It may be group-writable provided that the group in question contains only |