author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
commit | c52a95cc4754e6630c96fe65ae0c65eb41d2c590 (patch) | |
tree | 793395934013923b7b2426382c0676edcd4be3d4 /ssh_config.5 | |
parent | eeff4de96f5d7365750dc56912c2c62b5c28db6b (diff) | |
parent | 72b061d4ba0f909501c595d709ea76e06b01e5c9 (diff) |
Import openssh_7.2p1.orig.tar.gz
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 143 |
1 files changed, 109 insertions, 34 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index a47f3ca9e..caf13a62d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.228 2016/02/20 23:01:46 sobrado Exp $ |
37 | .Dd $Mdocdate: August 14 2015 $ | 37 | .Dd $Mdocdate: February 20 2016 $ |
38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -139,7 +139,7 @@ or | |||
139 | keyword) to be used only when the conditions following the | 139 | keyword) to be used only when the conditions following the |
140 | .Cm Match | 140 | .Cm Match |
141 | keyword are satisfied. | 141 | keyword are satisfied. |
142 | Match conditions are specified using one or more critera | 142 | Match conditions are specified using one or more criteria |
143 | or the single token | 143 | or the single token |
144 | .Cm all | 144 | .Cm all |
145 | which always matches. | 145 | which always matches. |
@@ -221,6 +221,39 @@ keyword matches against the name of the local user running | |||
221 | (this keyword may be useful in system-wide | 221 | (this keyword may be useful in system-wide |
222 | .Nm | 222 | .Nm |
223 | files). | 223 | files). |
224 | .It Cm AddKeysToAgent | ||
225 | Specifies whether keys should be automatically added to a running | ||
226 | .Xr ssh-agent 1 . | ||
227 | If this option is set to | ||
228 | .Dq yes | ||
229 | and a key is loaded from a file, the key and its passphrase are added to | ||
230 | the agent with the default lifetime, as if by | ||
231 | .Xr ssh-add 1 . | ||
232 | If this option is set to | ||
233 | .Dq ask , | ||
234 | .Nm ssh | ||
235 | will require confirmation using the | ||
236 | .Ev SSH_ASKPASS | ||
237 | program before adding a key (see | ||
238 | .Xr ssh-add 1 | ||
239 | for details). | ||
240 | If this option is set to | ||
241 | .Dq confirm , | ||
242 | each use of the key must be confirmed, as if the | ||
243 | .Fl c | ||
244 | option was specified to | ||
245 | .Xr ssh-add 1 . | ||
246 | If this option is set to | ||
247 | .Dq no , | ||
248 | no keys are added to the agent. | ||
249 | The argument must be | ||
250 | .Dq yes , | ||
251 | .Dq confirm , | ||
252 | .Dq ask , | ||
253 | or | ||
254 | .Dq no . | ||
255 | The default is | ||
256 | .Dq no . | ||
224 | .It Cm AddressFamily | 257 | .It Cm AddressFamily |
225 | Specifies which address family to use when connecting. | 258 | Specifies which address family to use when connecting. |
226 | Valid arguments are | 259 | Valid arguments are |
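Review bot: The list of accepted values at the end of the new AddKeysToAgent entry ("yes, confirm, ask, or no") is in a different order from the paragraphs that explain them (yes, ask, confirm, no); keeping one order would make the entry easier to scan. The "ask" paragraph also leaves open what happens when no SSH_ASKPASS program is available (for example in a non-interactive session): a sentence stating whether the key is then added, skipped, or the connection fails would help operators who enable this in system-wide ssh_config. Since "yes" adds keys "with the default lifetime", a pointer to the key-lifetime options of ssh-agent(1) and ssh-add(1) would also help readers keep automatically added keys from staying loaded indefinitely.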
@@ -229,6 +262,8 @@ Valid arguments are | |||
229 | (use IPv4 only), or | 262 | (use IPv4 only), or |
230 | .Dq inet6 | 263 | .Dq inet6 |
231 | (use IPv6 only). | 264 | (use IPv6 only). |
265 | The default is | ||
266 | .Dq any . | ||
232 | .It Cm BatchMode | 267 | .It Cm BatchMode |
233 | If set to | 268 | If set to |
234 | .Dq yes , | 269 | .Dq yes , |
@@ -325,6 +360,41 @@ to be canonicalized to names in the | |||
325 | or | 360 | or |
326 | .Dq *.c.example.com | 361 | .Dq *.c.example.com |
327 | domains. | 362 | domains. |
363 | .It Cm CertificateFile | ||
364 | Specifies a file from which the user's certificate is read. | ||
365 | A corresponding private key must be provided separately in order | ||
366 | to use this certificate either | ||
367 | from an | ||
368 | .Cm IdentityFile | ||
369 | directive or | ||
370 | .Fl i | ||
371 | flag to | ||
372 | .Xr ssh 1 , | ||
373 | via | ||
374 | .Xr ssh-agent 1 , | ||
375 | or via a | ||
376 | .Cm PKCS11Provider . | ||
377 | .Pp | ||
378 | The file name may use the tilde | ||
379 | syntax to refer to a user's home directory or one of the following | ||
380 | escape characters: | ||
381 | .Ql %d | ||
382 | (local user's home directory), | ||
383 | .Ql %u | ||
384 | (local user name), | ||
385 | .Ql %l | ||
386 | (local host name), | ||
387 | .Ql %h | ||
388 | (remote host name) or | ||
389 | .Ql %r | ||
390 | (remote user name). | ||
391 | .Pp | ||
392 | It is possible to have multiple certificate files specified in | ||
393 | configuration files; these certificates will be tried in sequence. | ||
394 | Multiple | ||
395 | .Cm CertificateFile | ||
396 | directives will add to the list of certificates used for | ||
397 | authentication. | ||
328 | .It Cm ChallengeResponseAuthentication | 398 | .It Cm ChallengeResponseAuthentication |
329 | Specifies whether to use challenge-response authentication. | 399 | Specifies whether to use challenge-response authentication. |
330 | The argument to this keyword must be | 400 | The argument to this keyword must be |
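Review bot: The opening sentence of the CertificateFile entry ("either from an IdentityFile directive or -i flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider") uses "either" with three alternatives and reads awkwardly; a plain list such as "from an IdentityFile directive, the -i flag to ssh(1), ssh-agent(1), or a PKCS11Provider" would be clearer. The "tried in sequence" paragraph also does not say how a certificate is paired with its private key when several of each are configured, nor what happens to a certificate whose key is not available; since the companion IdentitiesOnly hunk makes these explicitly configured files the only ones offered, documenting the pairing rule would avoid surprises.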
@@ -418,9 +488,7 @@ The default is: | |||
418 | chacha20-poly1305@openssh.com, | 488 | chacha20-poly1305@openssh.com, |
419 | aes128-ctr,aes192-ctr,aes256-ctr, | 489 | aes128-ctr,aes192-ctr,aes256-ctr, |
420 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | 490 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
421 | arcfour256,arcfour128, | 491 | aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc |
422 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, | ||
423 | aes192-cbc,aes256-cbc,arcfour | ||
424 | .Ed | 492 | .Ed |
425 | .Pp | 493 | .Pp |
426 | The list of available ciphers may also be obtained using the | 494 | The list of available ciphers may also be obtained using the |
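Review bot: The new Ciphers default drops arcfour, blowfish-cbc and cast128-cbc but keeps aes128-cbc, aes192-cbc, aes256-cbc and 3des-cbc at the end of the list. Because the surrounding text presents this block as an order of preference, a sentence stating that the CBC modes are retained only as a last resort for servers that offer nothing else would tell administrators who want to exclude them that they need to set Ciphers explicitly rather than rely on the default.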
@@ -538,8 +606,11 @@ the destination port, | |||
538 | .Ql %r | 606 | .Ql %r |
539 | by the remote login username, | 607 | by the remote login username, |
540 | .Ql %u | 608 | .Ql %u |
541 | by the username of the user running | 609 | by the username and |
542 | .Xr ssh 1 , and | 610 | .Ql %i |
611 | by the numeric user ID (uid) of the user running | ||
612 | .Xr ssh 1 , | ||
613 | and | ||
543 | .Ql \&%C | 614 | .Ql \&%C |
544 | by a hash of the concatenation: %l%h%p%r. | 615 | by a hash of the concatenation: %l%h%p%r. |
545 | It is recommended that any | 616 | It is recommended that any |
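Review bot: The reworded sentence "%u by the username and %i by the numeric user ID (uid) of the user running ssh(1)" leaves it ambiguous whether "of the user running ssh(1)" qualifies both tokens or only %i; "by the local username, %i by the numeric user ID (uid) of the local user" would settle it. It is also worth noting next to %C that the hash is documented as covering %l%h%p%r only, so it does not vary with the local user; where several local users share a ControlPath directory, the new %i token is the natural way to keep their paths distinct.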
@@ -639,7 +710,14 @@ data). | |||
639 | Specifies whether | 710 | Specifies whether |
640 | .Xr ssh 1 | 711 | .Xr ssh 1 |
641 | should terminate the connection if it cannot set up all requested | 712 | should terminate the connection if it cannot set up all requested |
642 | dynamic, tunnel, local, and remote port forwardings. | 713 | dynamic, tunnel, local, and remote port forwardings, (e.g.\& |
714 | if either end is unable to bind and listen on a specified port). | ||
715 | Note that | ||
716 | .Cm ExitOnForwardFailure | ||
717 | does not apply to connections made over port forwardings and will not, | ||
718 | for example, cause | ||
719 | .Xr ssh 1 | ||
720 | to exit if TCP connections to the ultimate forwarding destination fail. | ||
643 | The argument must be | 721 | The argument must be |
644 | .Dq yes | 722 | .Dq yes |
645 | or | 723 | or |
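Review bot: The line "dynamic, tunnel, local, and remote port forwardings, (e.g.\&" has a stray comma before the opening parenthesis and should read "port forwardings (e.g.\&". The added note that ExitOnForwardFailure covers the bind-and-listen step but not connections made through a forwarding is a useful clarification; spelling out the remote-side case it does cover (the server being unable to bind a RemoteForward port) would make "either end" concrete.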
@@ -748,12 +826,10 @@ The default is | |||
748 | Specifies whether user authentication based on GSSAPI is allowed. | 826 | Specifies whether user authentication based on GSSAPI is allowed. |
749 | The default is | 827 | The default is |
750 | .Dq no . | 828 | .Dq no . |
751 | Note that this option applies to protocol version 2 only. | ||
752 | .It Cm GSSAPIDelegateCredentials | 829 | .It Cm GSSAPIDelegateCredentials |
753 | Forward (delegate) credentials to the server. | 830 | Forward (delegate) credentials to the server. |
754 | The default is | 831 | The default is |
755 | .Dq no . | 832 | .Dq no . |
756 | Note that this option applies to protocol version 2 only. | ||
757 | .It Cm HashKnownHosts | 833 | .It Cm HashKnownHosts |
758 | Indicates that | 834 | Indicates that |
759 | .Xr ssh 1 | 835 | .Xr ssh 1 |
@@ -780,9 +856,6 @@ or | |||
780 | .Dq no . | 856 | .Dq no . |
781 | The default is | 857 | The default is |
782 | .Dq no . | 858 | .Dq no . |
783 | This option applies to protocol version 2 only and | ||
784 | is similar to | ||
785 | .Cm RhostsRSAAuthentication . | ||
786 | .It Cm HostbasedKeyTypes | 859 | .It Cm HostbasedKeyTypes |
787 | Specifies the key types that will be used for hostbased authentication | 860 | Specifies the key types that will be used for hostbased authentication |
788 | as a comma-separated pattern list. | 861 | as a comma-separated pattern list. |
@@ -807,7 +880,7 @@ option of | |||
807 | .Xr ssh 1 | 880 | .Xr ssh 1 |
808 | may be used to list supported key types. | 881 | may be used to list supported key types. |
809 | .It Cm HostKeyAlgorithms | 882 | .It Cm HostKeyAlgorithms |
810 | Specifies the protocol version 2 host key algorithms | 883 | Specifies the host key algorithms |
811 | that the client wants to use in order of preference. | 884 | that the client wants to use in order of preference. |
812 | Alternately if the specified value begins with a | 885 | Alternately if the specified value begins with a |
813 | .Sq + | 886 | .Sq + |
@@ -859,9 +932,13 @@ specifications). | |||
859 | .It Cm IdentitiesOnly | 932 | .It Cm IdentitiesOnly |
860 | Specifies that | 933 | Specifies that |
861 | .Xr ssh 1 | 934 | .Xr ssh 1 |
862 | should only use the authentication identity files configured in the | 935 | should only use the authentication identity and certificate files explicitly |
936 | configured in the | ||
863 | .Nm | 937 | .Nm |
864 | files, | 938 | files |
939 | or passed on the | ||
940 | .Xr ssh 1 | ||
941 | command-line, | ||
865 | even if | 942 | even if |
866 | .Xr ssh-agent 1 | 943 | .Xr ssh-agent 1 |
867 | or a | 944 | or a |
@@ -891,6 +968,8 @@ Additionally, any identities represented by the authentication agent | |||
891 | will be used for authentication unless | 968 | will be used for authentication unless |
892 | .Cm IdentitiesOnly | 969 | .Cm IdentitiesOnly |
893 | is set. | 970 | is set. |
971 | If no certificates have been explicitly specified by | ||
972 | .Cm CertificateFile , | ||
894 | .Xr ssh 1 | 973 | .Xr ssh 1 |
895 | will try to load certificate information from the filename obtained by | 974 | will try to load certificate information from the filename obtained by |
896 | appending | 975 | appending |
@@ -924,6 +1003,11 @@ differs from that of other configuration directives). | |||
924 | may be used in conjunction with | 1003 | may be used in conjunction with |
925 | .Cm IdentitiesOnly | 1004 | .Cm IdentitiesOnly |
926 | to select which identities in an agent are offered during authentication. | 1005 | to select which identities in an agent are offered during authentication. |
1006 | .Cm IdentityFile | ||
1007 | may also be used in conjunction with | ||
1008 | .Cm CertificateFile | ||
1009 | in order to provide any certificate also needed for authentication with | ||
1010 | the identity. | ||
927 | .It Cm IgnoreUnknown | 1011 | .It Cm IgnoreUnknown |
928 | Specifies a pattern-list of unknown options to be ignored if they are | 1012 | Specifies a pattern-list of unknown options to be ignored if they are |
929 | encountered in configuration parsing. | 1013 | encountered in configuration parsing. |
@@ -1083,8 +1167,7 @@ DEBUG2 and DEBUG3 each specify higher levels of verbose output. | |||
1083 | .It Cm MACs | 1167 | .It Cm MACs |
1084 | Specifies the MAC (message authentication code) algorithms | 1168 | Specifies the MAC (message authentication code) algorithms |
1085 | in order of preference. | 1169 | in order of preference. |
1086 | The MAC algorithm is used in protocol version 2 | 1170 | The MAC algorithm is used for data integrity protection. |
1087 | for data integrity protection. | ||
1088 | Multiple algorithms must be comma-separated. | 1171 | Multiple algorithms must be comma-separated. |
1089 | If the specified value begins with a | 1172 | If the specified value begins with a |
1090 | .Sq + | 1173 | .Sq + |
@@ -1100,13 +1183,9 @@ The default is: | |||
1100 | .Bd -literal -offset indent | 1183 | .Bd -literal -offset indent |
1101 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | 1184 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
1102 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | 1185 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
1186 | hmac-sha1-etm@openssh.com, | ||
1103 | umac-64@openssh.com,umac-128@openssh.com, | 1187 | umac-64@openssh.com,umac-128@openssh.com, |
1104 | hmac-sha2-256,hmac-sha2-512, | 1188 | hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
1105 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, | ||
1106 | hmac-ripemd160-etm@openssh.com, | ||
1107 | hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, | ||
1108 | hmac-md5,hmac-sha1,hmac-ripemd160, | ||
1109 | hmac-sha1-96,hmac-md5-96 | ||
1110 | .Ed | 1189 | .Ed |
1111 | .Pp | 1190 | .Pp |
1112 | The list of available MAC algorithms may also be obtained using the | 1191 | The list of available MAC algorithms may also be obtained using the |
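Review bot: The new MACs default removes the MD5, RIPEMD-160 and truncated (-96) variants but keeps hmac-sha1-etm@openssh.com and hmac-sha1 at the end of the list. Since the prose describes the block as a preference order, a short sentence noting that hmac-sha1 remains only as a last-resort fallback for older servers, and that the encrypt-then-MAC (etm) variants are deliberately listed ahead of the plain ones, would help readers judge whether to override the default.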
@@ -1160,8 +1239,7 @@ private RSA key. | |||
1160 | Specifies the port number to connect on the remote host. | 1239 | Specifies the port number to connect on the remote host. |
1161 | The default is 22. | 1240 | The default is 22. |
1162 | .It Cm PreferredAuthentications | 1241 | .It Cm PreferredAuthentications |
1163 | Specifies the order in which the client should try protocol 2 | 1242 | Specifies the order in which the client should try authentication methods. |
1164 | authentication methods. | ||
1165 | This allows a client to prefer one method (e.g.\& | 1243 | This allows a client to prefer one method (e.g.\& |
1166 | .Cm keyboard-interactive ) | 1244 | .Cm keyboard-interactive ) |
1167 | over another method (e.g.\& | 1245 | over another method (e.g.\& |
@@ -1187,6 +1265,9 @@ will try version 2 and fall back to version 1 | |||
1187 | if version 2 is not available. | 1265 | if version 2 is not available. |
1188 | The default is | 1266 | The default is |
1189 | .Sq 2 . | 1267 | .Sq 2 . |
1268 | Protocol 1 suffers from a number of cryptographic weaknesses and should | ||
1269 | not be used. | ||
1270 | It is only offered to support legacy devices. | ||
1190 | .It Cm ProxyCommand | 1271 | .It Cm ProxyCommand |
1191 | Specifies the command to use to connect to the server. | 1272 | Specifies the command to use to connect to the server. |
1192 | The command | 1273 | The command |
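Review bot: The added warning that protocol 1 "should not be used" sits directly under the context lines that still describe the "2,1" fallback without comment; tying the two together, for example "Setting Protocol to 2,1 re-enables this fallback and is not recommended", would make clear to a reader copying a legacy "2,1" line exactly what the warning applies to.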
@@ -1267,7 +1348,6 @@ or | |||
1267 | .Dq no . | 1348 | .Dq no . |
1268 | The default is | 1349 | The default is |
1269 | .Dq yes . | 1350 | .Dq yes . |
1270 | This option applies to protocol version 2 only. | ||
1271 | .It Cm RekeyLimit | 1351 | .It Cm RekeyLimit |
1272 | Specifies the maximum amount of data that may be transmitted before the | 1352 | Specifies the maximum amount of data that may be transmitted before the |
1273 | session key is renegotiated, optionally followed a maximum amount of | 1353 | session key is renegotiated, optionally followed a maximum amount of |
@@ -1293,7 +1373,6 @@ is | |||
1293 | .Dq default none , | 1373 | .Dq default none , |
1294 | which means that rekeying is performed after the cipher's default amount | 1374 | which means that rekeying is performed after the cipher's default amount |
1295 | of data has been sent or received and no time based rekeying is done. | 1375 | of data has been sent or received and no time based rekeying is done. |
1296 | This option applies to protocol version 2 only. | ||
1297 | .It Cm RemoteForward | 1376 | .It Cm RemoteForward |
1298 | Specifies that a TCP port on the remote machine be forwarded over | 1377 | Specifies that a TCP port on the remote machine be forwarded over |
1299 | the secure channel to the specified host and port from the local machine. | 1378 | the secure channel to the specified host and port from the local machine. |
@@ -1386,7 +1465,6 @@ Note that this option applies to protocol version 1 only. | |||
1386 | Specifies what variables from the local | 1465 | Specifies what variables from the local |
1387 | .Xr environ 7 | 1466 | .Xr environ 7 |
1388 | should be sent to the server. | 1467 | should be sent to the server. |
1389 | Note that environment passing is only supported for protocol 2. | ||
1390 | The server must also support it, and the server must be configured to | 1468 | The server must also support it, and the server must be configured to |
1391 | accept these environment variables. | 1469 | accept these environment variables. |
1392 | Note that the | 1470 | Note that the |
@@ -1434,7 +1512,6 @@ If, for example, | |||
1434 | .Cm ServerAliveCountMax | 1512 | .Cm ServerAliveCountMax |
1435 | is left at the default, if the server becomes unresponsive, | 1513 | is left at the default, if the server becomes unresponsive, |
1436 | ssh will disconnect after approximately 45 seconds. | 1514 | ssh will disconnect after approximately 45 seconds. |
1437 | This option applies to protocol version 2 only. | ||
1438 | .It Cm ServerAliveInterval | 1515 | .It Cm ServerAliveInterval |
1439 | Sets a timeout interval in seconds after which if no data has been received | 1516 | Sets a timeout interval in seconds after which if no data has been received |
1440 | from the server, | 1517 | from the server, |
@@ -1443,7 +1520,6 @@ will send a message through the encrypted | |||
1443 | channel to request a response from the server. | 1520 | channel to request a response from the server. |
1444 | The default | 1521 | The default |
1445 | is 0, indicating that these messages will not be sent to the server. | 1522 | is 0, indicating that these messages will not be sent to the server. |
1446 | This option applies to protocol version 2 only. | ||
1447 | .It Cm StreamLocalBindMask | 1523 | .It Cm StreamLocalBindMask |
1448 | Sets the octal file creation mode mask | 1524 | Sets the octal file creation mode mask |
1449 | .Pq umask | 1525 | .Pq umask |
@@ -1575,7 +1651,7 @@ Enabling this option allows learning alternate hostkeys for a server | |||
1575 | and supports graceful key rotation by allowing a server to send replacement | 1651 | and supports graceful key rotation by allowing a server to send replacement |
1576 | public keys before old ones are removed. | 1652 | public keys before old ones are removed. |
1577 | Additional hostkeys are only accepted if the key used to authenticate the | 1653 | Additional hostkeys are only accepted if the key used to authenticate the |
1578 | host was already trusted or explicity accepted by the user. | 1654 | host was already trusted or explicitly accepted by the user. |
1579 | If | 1655 | If |
1580 | .Cm UpdateHostKeys | 1656 | .Cm UpdateHostKeys |
1581 | is set to | 1657 | is set to |
@@ -1640,7 +1716,6 @@ or | |||
1640 | .Dq ask . | 1716 | .Dq ask . |
1641 | The default is | 1717 | The default is |
1642 | .Dq no . | 1718 | .Dq no . |
1643 | Note that this option applies to protocol version 2 only. | ||
1644 | .Pp | 1719 | .Pp |
1645 | See also VERIFYING HOST KEYS in | 1720 | See also VERIFYING HOST KEYS in |
1646 | .Xr ssh 1 . | 1721 | .Xr ssh 1 . |