| | | |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
| committer | Colin Watson <cjwatson@debian.org> | 2016-03-08 11:51:22 +0000 |
| commit | 46961f5704f8e86cea3e99253faad55aef4d8f35 (patch) | |
| tree | 0dd97fa4fb649a62b4639fe2674380872b1f3e98 /ssh_config.5 | |
| parent | c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff) | |
| parent | 85e40e87a75fb80a0bf893ac05a417d6c353537d (diff) | |
New upstream release (7.2).
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 145 |
1 files changed, 109 insertions, 36 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 81b9b740f..51765c99e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.228 2016/02/20 23:01:46 sobrado Exp $ |
37 | .Dd $Mdocdate: August 14 2015 $ | 37 | .Dd $Mdocdate: February 20 2016 $ |
38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -155,7 +155,7 @@ or | |||
155 | keyword) to be used only when the conditions following the | 155 | keyword) to be used only when the conditions following the |
156 | .Cm Match | 156 | .Cm Match |
157 | keyword are satisfied. | 157 | keyword are satisfied. |
158 | Match conditions are specified using one or more critera | 158 | Match conditions are specified using one or more criteria |
159 | or the single token | 159 | or the single token |
160 | .Cm all | 160 | .Cm all |
161 | which always matches. | 161 | which always matches. |
@@ -237,6 +237,39 @@ keyword matches against the name of the local user running | |||
237 | (this keyword may be useful in system-wide | 237 | (this keyword may be useful in system-wide |
238 | .Nm | 238 | .Nm |
239 | files). | 239 | files). |
240 | .It Cm AddKeysToAgent | ||
241 | Specifies whether keys should be automatically added to a running | ||
242 | .Xr ssh-agent 1 . | ||
243 | If this option is set to | ||
244 | .Dq yes | ||
245 | and a key is loaded from a file, the key and its passphrase are added to | ||
246 | the agent with the default lifetime, as if by | ||
247 | .Xr ssh-add 1 . | ||
248 | If this option is set to | ||
249 | .Dq ask , | ||
250 | .Nm ssh | ||
251 | will require confirmation using the | ||
252 | .Ev SSH_ASKPASS | ||
253 | program before adding a key (see | ||
254 | .Xr ssh-add 1 | ||
255 | for details). | ||
256 | If this option is set to | ||
257 | .Dq confirm , | ||
258 | each use of the key must be confirmed, as if the | ||
259 | .Fl c | ||
260 | option was specified to | ||
261 | .Xr ssh-add 1 . | ||
262 | If this option is set to | ||
263 | .Dq no , | ||
264 | no keys are added to the agent. | ||
265 | The argument must be | ||
266 | .Dq yes , | ||
267 | .Dq confirm , | ||
268 | .Dq ask , | ||
269 | or | ||
270 | .Dq no . | ||
271 | The default is | ||
272 | .Dq no . | ||
240 | .It Cm AddressFamily | 273 | .It Cm AddressFamily |
241 | Specifies which address family to use when connecting. | 274 | Specifies which address family to use when connecting. |
242 | Valid arguments are | 275 | Valid arguments are |
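Review bot: the enumeration at lines 265-270 lists the values as yes, confirm, ask, no while the paragraphs above describe them in the order yes, ask, confirm, no; use one order so readers can match the two. Also, "with the default lifetime" at line 246 deserves a qualifier: ssh-add(1) only imposes a lifetime when the agent was started with a timeout (ssh-agent -t) or ssh-add -t is used, so a key added by "yes" normally stays usable in the agent until the agent exits, which is the trade-off a reader choosing "yes" over "confirm" needs to see.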
@@ -245,6 +278,8 @@ Valid arguments are | |||
245 | (use IPv4 only), or | 278 | (use IPv4 only), or |
246 | .Dq inet6 | 279 | .Dq inet6 |
247 | (use IPv6 only). | 280 | (use IPv6 only). |
281 | The default is | ||
282 | .Dq any . | ||
248 | .It Cm BatchMode | 283 | .It Cm BatchMode |
249 | If set to | 284 | If set to |
250 | .Dq yes , | 285 | .Dq yes , |
@@ -345,6 +380,41 @@ to be canonicalized to names in the | |||
345 | or | 380 | or |
346 | .Dq *.c.example.com | 381 | .Dq *.c.example.com |
347 | domains. | 382 | domains. |
383 | .It Cm CertificateFile | ||
384 | Specifies a file from which the user's certificate is read. | ||
385 | A corresponding private key must be provided separately in order | ||
386 | to use this certificate either | ||
387 | from an | ||
388 | .Cm IdentityFile | ||
389 | directive or | ||
390 | .Fl i | ||
391 | flag to | ||
392 | .Xr ssh 1 , | ||
393 | via | ||
394 | .Xr ssh-agent 1 , | ||
395 | or via a | ||
396 | .Cm PKCS11Provider . | ||
397 | .Pp | ||
398 | The file name may use the tilde | ||
399 | syntax to refer to a user's home directory or one of the following | ||
400 | escape characters: | ||
401 | .Ql %d | ||
402 | (local user's home directory), | ||
403 | .Ql %u | ||
404 | (local user name), | ||
405 | .Ql %l | ||
406 | (local host name), | ||
407 | .Ql %h | ||
408 | (remote host name) or | ||
409 | .Ql %r | ||
410 | (remote user name). | ||
411 | .Pp | ||
412 | It is possible to have multiple certificate files specified in | ||
413 | configuration files; these certificates will be tried in sequence. | ||
414 | Multiple | ||
415 | .Cm CertificateFile | ||
416 | directives will add to the list of certificates used for | ||
417 | authentication. | ||
348 | .It Cm ChallengeResponseAuthentication | 418 | .It Cm ChallengeResponseAuthentication |
349 | Specifies whether to use challenge-response authentication. | 419 | Specifies whether to use challenge-response authentication. |
350 | The argument to this keyword must be | 420 | The argument to this keyword must be |
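Review bot: the sentence at lines 385-396 reads awkwardly ("in order to use this certificate either from an IdentityFile directive or -i flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider"); suggest "A corresponding private key must be provided separately, either from an IdentityFile directive or the -i flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider, in order to use this certificate." The escape list at lines 401-410 also omits %i, which this same patch adds to ControlPath; if CertificateFile expansion does not support %i, say so here, otherwise list it for consistency.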
@@ -438,9 +508,7 @@ The default is: | |||
438 | chacha20-poly1305@openssh.com, | 508 | chacha20-poly1305@openssh.com, |
439 | aes128-ctr,aes192-ctr,aes256-ctr, | 509 | aes128-ctr,aes192-ctr,aes256-ctr, |
440 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | 510 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
441 | arcfour256,arcfour128, | 511 | aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc |
442 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, | ||
443 | aes192-cbc,aes256-cbc,arcfour | ||
444 | .Ed | 512 | .Ed |
445 | .Pp | 513 | .Pp |
446 | The list of available ciphers may also be obtained using the | 514 | The list of available ciphers may also be obtained using the |
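Review bot: with arcfour, blowfish-cbc and cast128-cbc dropped from the default list, the aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc entries at line 511 are the only non-AEAD, non-CTR modes still on by default; consider one sentence saying they are kept for interoperability with older peers and are negotiated only when the server supports none of the earlier entries, since readers diffing the old and new lists may assume the removed names are gone from the build rather than merely out of the default.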
@@ -558,8 +626,11 @@ the destination port, | |||
558 | .Ql %r | 626 | .Ql %r |
559 | by the remote login username, | 627 | by the remote login username, |
560 | .Ql %u | 628 | .Ql %u |
561 | by the username of the user running | 629 | by the username and |
562 | .Xr ssh 1 , and | 630 | .Ql %i |
631 | by the numeric user ID (uid) of the user running | ||
632 | .Xr ssh 1 , | ||
633 | and | ||
563 | .Ql \&%C | 634 | .Ql \&%C |
564 | by a hash of the concatenation: %l%h%p%r. | 635 | by a hash of the concatenation: %l%h%p%r. |
565 | It is recommended that any | 636 | It is recommended that any |
@@ -659,7 +730,14 @@ data). | |||
659 | Specifies whether | 730 | Specifies whether |
660 | .Xr ssh 1 | 731 | .Xr ssh 1 |
661 | should terminate the connection if it cannot set up all requested | 732 | should terminate the connection if it cannot set up all requested |
662 | dynamic, tunnel, local, and remote port forwardings. | 733 | dynamic, tunnel, local, and remote port forwardings, (e.g.\& |
734 | if either end is unable to bind and listen on a specified port). | ||
735 | Note that | ||
736 | .Cm ExitOnForwardFailure | ||
737 | does not apply to connections made over port forwardings and will not, | ||
738 | for example, cause | ||
739 | .Xr ssh 1 | ||
740 | to exit if TCP connections to the ultimate forwarding destination fail. | ||
663 | The argument must be | 741 | The argument must be |
664 | .Dq yes | 742 | .Dq yes |
665 | or | 743 | or |
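Review bot: stray comma before the parenthesis at line 733 ("port forwardings, (e.g.\& if either end ..."); drop it or make the example its own sentence. The clarification at lines 735-740 is useful, but its corollary should be explicit: a forwarding that binds and listens successfully counts as set up even if nothing ever connects through it, so scripts relying on ExitOnForwardFailure for end-to-end reachability need their own check.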
@@ -769,13 +847,11 @@ The default is | |||
769 | Specifies whether user authentication based on GSSAPI is allowed. | 847 | Specifies whether user authentication based on GSSAPI is allowed. |
770 | The default is | 848 | The default is |
771 | .Dq no . | 849 | .Dq no . |
772 | Note that this option applies to protocol version 2 only. | ||
773 | .It Cm GSSAPIKeyExchange | 850 | .It Cm GSSAPIKeyExchange |
774 | Specifies whether key exchange based on GSSAPI may be used. When using | 851 | Specifies whether key exchange based on GSSAPI may be used. When using |
775 | GSSAPI key exchange the server need not have a host key. | 852 | GSSAPI key exchange the server need not have a host key. |
776 | The default is | 853 | The default is |
777 | .Dq no . | 854 | .Dq no . |
778 | Note that this option applies to protocol version 2 only. | ||
779 | .It Cm GSSAPIClientIdentity | 855 | .It Cm GSSAPIClientIdentity |
780 | If set, specifies the GSSAPI client identity that ssh should use when | 856 | If set, specifies the GSSAPI client identity that ssh should use when |
781 | connecting to the server. The default is unset, which means that the default | 857 | connecting to the server. The default is unset, which means that the default |
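Review bot: GSSAPIKeyExchange (lines 850-854) and GSSAPIClientIdentity are not upstream OpenSSH keywords but come from the Debian GSSAPI patch; make sure the "protocol version 2 only" removals at lines 772 and 778 are carried in that patch series and not only in the merged tree, or the next upstream rebase will reintroduce them. While here, "the server need not have a host key" at lines 851-852 deserves a clarifying clause that the server is then authenticated solely through its GSSAPI credentials, so trust rests on the Kerberos realm rather than on known_hosts.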
@@ -789,7 +865,6 @@ hostname. | |||
789 | Forward (delegate) credentials to the server. | 865 | Forward (delegate) credentials to the server. |
790 | The default is | 866 | The default is |
791 | .Dq no . | 867 | .Dq no . |
792 | Note that this option applies to protocol version 2 connections using GSSAPI. | ||
793 | .It Cm GSSAPIRenewalForcesRekey | 868 | .It Cm GSSAPIRenewalForcesRekey |
794 | If set to | 869 | If set to |
795 | .Dq yes | 870 | .Dq yes |
@@ -808,7 +883,6 @@ the hostname entered on the | |||
808 | command line will be passed untouched to the GSSAPI library. | 883 | command line will be passed untouched to the GSSAPI library. |
809 | The default is | 884 | The default is |
810 | .Dq no . | 885 | .Dq no . |
811 | This option only applies to protocol version 2 connections using GSSAPI. | ||
812 | .It Cm HashKnownHosts | 886 | .It Cm HashKnownHosts |
813 | Indicates that | 887 | Indicates that |
814 | .Xr ssh 1 | 888 | .Xr ssh 1 |
@@ -838,9 +912,6 @@ or | |||
838 | .Dq no . | 912 | .Dq no . |
839 | The default is | 913 | The default is |
840 | .Dq no . | 914 | .Dq no . |
841 | This option applies to protocol version 2 only and | ||
842 | is similar to | ||
843 | .Cm RhostsRSAAuthentication . | ||
844 | .It Cm HostbasedKeyTypes | 915 | .It Cm HostbasedKeyTypes |
845 | Specifies the key types that will be used for hostbased authentication | 916 | Specifies the key types that will be used for hostbased authentication |
846 | as a comma-separated pattern list. | 917 | as a comma-separated pattern list. |
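Review bot: removing "is similar to RhostsRSAAuthentication" at lines 842-843 drops a cross-reference while the page still documents protocol 1 (the Protocol entry in this same diff still describes falling back to version 1); if RhostsRSAAuthentication remains documented elsewhere on the page, keep a pointer so readers can find the protocol 1 counterpart, otherwise the removal is fine.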
@@ -865,7 +936,7 @@ option of | |||
865 | .Xr ssh 1 | 936 | .Xr ssh 1 |
866 | may be used to list supported key types. | 937 | may be used to list supported key types. |
867 | .It Cm HostKeyAlgorithms | 938 | .It Cm HostKeyAlgorithms |
868 | Specifies the protocol version 2 host key algorithms | 939 | Specifies the host key algorithms |
869 | that the client wants to use in order of preference. | 940 | that the client wants to use in order of preference. |
870 | Alternately if the specified value begins with a | 941 | Alternately if the specified value begins with a |
871 | .Sq + | 942 | .Sq + |
@@ -917,9 +988,13 @@ specifications). | |||
917 | .It Cm IdentitiesOnly | 988 | .It Cm IdentitiesOnly |
918 | Specifies that | 989 | Specifies that |
919 | .Xr ssh 1 | 990 | .Xr ssh 1 |
920 | should only use the authentication identity files configured in the | 991 | should only use the authentication identity and certificate files explicitly |
992 | configured in the | ||
921 | .Nm | 993 | .Nm |
922 | files, | 994 | files |
995 | or passed on the | ||
996 | .Xr ssh 1 | ||
997 | command-line, | ||
923 | even if | 998 | even if |
924 | .Xr ssh-agent 1 | 999 | .Xr ssh-agent 1 |
925 | or a | 1000 | or a |
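Review bot: "command-line" at line 997 is hyphenated while the page writes the noun as "command line" elsewhere (see line 883); use the unhyphenated form. Since line 991 now says "certificate files" generically, naming CertificateFile at that point would make clear which directive the new wording refers to.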
@@ -949,6 +1024,8 @@ Additionally, any identities represented by the authentication agent | |||
949 | will be used for authentication unless | 1024 | will be used for authentication unless |
950 | .Cm IdentitiesOnly | 1025 | .Cm IdentitiesOnly |
951 | is set. | 1026 | is set. |
1027 | If no certificates have been explicitly specified by | ||
1028 | .Cm CertificateFile , | ||
952 | .Xr ssh 1 | 1029 | .Xr ssh 1 |
953 | will try to load certificate information from the filename obtained by | 1030 | will try to load certificate information from the filename obtained by |
954 | appending | 1031 | appending |
@@ -982,6 +1059,11 @@ differs from that of other configuration directives). | |||
982 | may be used in conjunction with | 1059 | may be used in conjunction with |
983 | .Cm IdentitiesOnly | 1060 | .Cm IdentitiesOnly |
984 | to select which identities in an agent are offered during authentication. | 1061 | to select which identities in an agent are offered during authentication. |
1062 | .Cm IdentityFile | ||
1063 | may also be used in conjunction with | ||
1064 | .Cm CertificateFile | ||
1065 | in order to provide any certificate also needed for authentication with | ||
1066 | the identity. | ||
985 | .It Cm IgnoreUnknown | 1067 | .It Cm IgnoreUnknown |
986 | Specifies a pattern-list of unknown options to be ignored if they are | 1068 | Specifies a pattern-list of unknown options to be ignored if they are |
987 | encountered in configuration parsing. | 1069 | encountered in configuration parsing. |
@@ -1141,8 +1223,7 @@ DEBUG2 and DEBUG3 each specify higher levels of verbose output. | |||
1141 | .It Cm MACs | 1223 | .It Cm MACs |
1142 | Specifies the MAC (message authentication code) algorithms | 1224 | Specifies the MAC (message authentication code) algorithms |
1143 | in order of preference. | 1225 | in order of preference. |
1144 | The MAC algorithm is used in protocol version 2 | 1226 | The MAC algorithm is used for data integrity protection. |
1145 | for data integrity protection. | ||
1146 | Multiple algorithms must be comma-separated. | 1227 | Multiple algorithms must be comma-separated. |
1147 | If the specified value begins with a | 1228 | If the specified value begins with a |
1148 | .Sq + | 1229 | .Sq + |
@@ -1158,13 +1239,9 @@ The default is: | |||
1158 | .Bd -literal -offset indent | 1239 | .Bd -literal -offset indent |
1159 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | 1240 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
1160 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | 1241 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
1242 | hmac-sha1-etm@openssh.com, | ||
1161 | umac-64@openssh.com,umac-128@openssh.com, | 1243 | umac-64@openssh.com,umac-128@openssh.com, |
1162 | hmac-sha2-256,hmac-sha2-512, | 1244 | hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
1163 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, | ||
1164 | hmac-ripemd160-etm@openssh.com, | ||
1165 | hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, | ||
1166 | hmac-md5,hmac-sha1,hmac-ripemd160, | ||
1167 | hmac-sha1-96,hmac-md5-96 | ||
1168 | .Ed | 1245 | .Ed |
1169 | .Pp | 1246 | .Pp |
1170 | The list of available MAC algorithms may also be obtained using the | 1247 | The list of available MAC algorithms may also be obtained using the |
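Review bot: hmac-md5, hmac-ripemd160 and the -96 truncated variants are dropped from the default at lines 1163-1167 but remain selectable; since this entry already documents the "+" prefix (lines 1228-1229), a short sentence that the removed MACs can still be enabled that way, with hmac-sha1 kept at the end of the list for compatibility, would keep the list change from reading like an algorithm removal.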
@@ -1218,8 +1295,7 @@ private RSA key. | |||
1218 | Specifies the port number to connect on the remote host. | 1295 | Specifies the port number to connect on the remote host. |
1219 | The default is 22. | 1296 | The default is 22. |
1220 | .It Cm PreferredAuthentications | 1297 | .It Cm PreferredAuthentications |
1221 | Specifies the order in which the client should try protocol 2 | 1298 | Specifies the order in which the client should try authentication methods. |
1222 | authentication methods. | ||
1223 | This allows a client to prefer one method (e.g.\& | 1299 | This allows a client to prefer one method (e.g.\& |
1224 | .Cm keyboard-interactive ) | 1300 | .Cm keyboard-interactive ) |
1225 | over another method (e.g.\& | 1301 | over another method (e.g.\& |
@@ -1245,6 +1321,9 @@ will try version 2 and fall back to version 1 | |||
1245 | if version 2 is not available. | 1321 | if version 2 is not available. |
1246 | The default is | 1322 | The default is |
1247 | .Sq 2 . | 1323 | .Sq 2 . |
1324 | Protocol 1 suffers from a number of cryptographic weaknesses and should | ||
1325 | not be used. | ||
1326 | It is only offered to support legacy devices. | ||
1248 | .It Cm ProxyCommand | 1327 | .It Cm ProxyCommand |
1249 | Specifies the command to use to connect to the server. | 1328 | Specifies the command to use to connect to the server. |
1250 | The command | 1329 | The command |
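Review bot: the warning added at lines 1324-1326 is welcome, but it follows "The default is 2" and says nothing about the "2,1" form described just above (context at 1321: "fall back to version 1 if version 2 is not available"); add that listing 1 as a fallback lets any peer that does not offer version 2 downgrade the session to the weak protocol, so that form should not appear in system-wide ssh_config.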
@@ -1325,7 +1404,6 @@ or | |||
1325 | .Dq no . | 1404 | .Dq no . |
1326 | The default is | 1405 | The default is |
1327 | .Dq yes . | 1406 | .Dq yes . |
1328 | This option applies to protocol version 2 only. | ||
1329 | .It Cm RekeyLimit | 1407 | .It Cm RekeyLimit |
1330 | Specifies the maximum amount of data that may be transmitted before the | 1408 | Specifies the maximum amount of data that may be transmitted before the |
1331 | session key is renegotiated, optionally followed a maximum amount of | 1409 | session key is renegotiated, optionally followed a maximum amount of |
@@ -1351,7 +1429,6 @@ is | |||
1351 | .Dq default none , | 1429 | .Dq default none , |
1352 | which means that rekeying is performed after the cipher's default amount | 1430 | which means that rekeying is performed after the cipher's default amount |
1353 | of data has been sent or received and no time based rekeying is done. | 1431 | of data has been sent or received and no time based rekeying is done. |
1354 | This option applies to protocol version 2 only. | ||
1355 | .It Cm RemoteForward | 1432 | .It Cm RemoteForward |
1356 | Specifies that a TCP port on the remote machine be forwarded over | 1433 | Specifies that a TCP port on the remote machine be forwarded over |
1357 | the secure channel to the specified host and port from the local machine. | 1434 | the secure channel to the specified host and port from the local machine. |
@@ -1444,7 +1521,6 @@ Note that this option applies to protocol version 1 only. | |||
1444 | Specifies what variables from the local | 1521 | Specifies what variables from the local |
1445 | .Xr environ 7 | 1522 | .Xr environ 7 |
1446 | should be sent to the server. | 1523 | should be sent to the server. |
1447 | Note that environment passing is only supported for protocol 2. | ||
1448 | The server must also support it, and the server must be configured to | 1524 | The server must also support it, and the server must be configured to |
1449 | accept these environment variables. | 1525 | accept these environment variables. |
1450 | Note that the | 1526 | Note that the |
@@ -1492,7 +1568,6 @@ If, for example, | |||
1492 | .Cm ServerAliveCountMax | 1568 | .Cm ServerAliveCountMax |
1493 | is left at the default, if the server becomes unresponsive, | 1569 | is left at the default, if the server becomes unresponsive, |
1494 | ssh will disconnect after approximately 45 seconds. | 1570 | ssh will disconnect after approximately 45 seconds. |
1495 | This option applies to protocol version 2 only. | ||
1496 | .It Cm ServerAliveInterval | 1571 | .It Cm ServerAliveInterval |
1497 | Sets a timeout interval in seconds after which if no data has been received | 1572 | Sets a timeout interval in seconds after which if no data has been received |
1498 | from the server, | 1573 | from the server, |
@@ -1504,7 +1579,6 @@ is 0, indicating that these messages will not be sent to the server, | |||
1504 | or 300 if the | 1579 | or 300 if the |
1505 | .Cm BatchMode | 1580 | .Cm BatchMode |
1506 | option is set. | 1581 | option is set. |
1507 | This option applies to protocol version 2 only. | ||
1508 | .Cm ProtocolKeepAlives | 1582 | .Cm ProtocolKeepAlives |
1509 | and | 1583 | and |
1510 | .Cm SetupTimeOut | 1584 | .Cm SetupTimeOut |
@@ -1646,7 +1720,7 @@ Enabling this option allows learning alternate hostkeys for a server | |||
1646 | and supports graceful key rotation by allowing a server to send replacement | 1720 | and supports graceful key rotation by allowing a server to send replacement |
1647 | public keys before old ones are removed. | 1721 | public keys before old ones are removed. |
1648 | Additional hostkeys are only accepted if the key used to authenticate the | 1722 | Additional hostkeys are only accepted if the key used to authenticate the |
1649 | host was already trusted or explicity accepted by the user. | 1723 | host was already trusted or explicitly accepted by the user. |
1650 | If | 1724 | If |
1651 | .Cm UpdateHostKeys | 1725 | .Cm UpdateHostKeys |
1652 | is set to | 1726 | is set to |
@@ -1711,7 +1785,6 @@ or | |||
1711 | .Dq ask . | 1785 | .Dq ask . |
1712 | The default is | 1786 | The default is |
1713 | .Dq no . | 1787 | .Dq no . |
1714 | Note that this option applies to protocol version 2 only. | ||
1715 | .Pp | 1788 | .Pp |
1716 | See also VERIFYING HOST KEYS in | 1789 | See also VERIFYING HOST KEYS in |
1717 | .Xr ssh 1 . | 1790 | .Xr ssh 1 . |