path: root/ssh_config.5
author    Colin Watson <cjwatson@debian.org>  2016-02-29 12:15:15 +0000
committer Colin Watson <cjwatson@debian.org>  2016-02-29 12:15:15 +0000
commit    c52a95cc4754e6630c96fe65ae0c65eb41d2c590 (patch)
tree      793395934013923b7b2426382c0676edcd4be3d4 /ssh_config.5
parent    eeff4de96f5d7365750dc56912c2c62b5c28db6b (diff)
parent    72b061d4ba0f909501c595d709ea76e06b01e5c9 (diff)
Import openssh_7.2p1.orig.tar.gz
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 143
1 files changed, 109 insertions, 34 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index a47f3ca9e..caf13a62d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.228 2016/02/20 23:01:46 sobrado Exp $
37.Dd $Mdocdate: August 14 2015 $ 37.Dd $Mdocdate: February 20 2016 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -139,7 +139,7 @@ or
139keyword) to be used only when the conditions following the 139keyword) to be used only when the conditions following the
140.Cm Match 140.Cm Match
141keyword are satisfied. 141keyword are satisfied.
142Match conditions are specified using one or more critera 142Match conditions are specified using one or more criteria
143or the single token 143or the single token
144.Cm all 144.Cm all
145which always matches. 145which always matches.
@@ -221,6 +221,39 @@ keyword matches against the name of the local user running
221(this keyword may be useful in system-wide 221(this keyword may be useful in system-wide
222.Nm 222.Nm
223files). 223files).
224.It Cm AddKeysToAgent
225Specifies whether keys should be automatically added to a running
226.Xr ssh-agent 1 .
227If this option is set to
228.Dq yes
229and a key is loaded from a file, the key and its passphrase are added to
230the agent with the default lifetime, as if by
231.Xr ssh-add 1 .
232If this option is set to
233.Dq ask ,
234.Nm ssh
235will require confirmation using the
236.Ev SSH_ASKPASS
237program before adding a key (see
238.Xr ssh-add 1
239for details).
240If this option is set to
241.Dq confirm ,
242each use of the key must be confirmed, as if the
243.Fl c
244option was specified to
245.Xr ssh-add 1 .
246If this option is set to
247.Dq no ,
248no keys are added to the agent.
249The argument must be
250.Dq yes ,
251.Dq confirm ,
252.Dq ask ,
253or
254.Dq no .
255The default is
256.Dq no .
224.It Cm AddressFamily 257.It Cm AddressFamily
225Specifies which address family to use when connecting. 258Specifies which address family to use when connecting.
226Valid arguments are 259Valid arguments are
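Review bot: the enumeration of valid arguments at lines 249-254 (yes, confirm, ask, no) is ordered differently from the explanation above it (yes, ask, confirm, no); aligning the two orders would make the entry easier to scan. The phrase "with the default lifetime" at line 230 also deserves a gloss: unless ssh-agent(1) was started with -t, that lifetime is unbounded, so with "yes" every passphrase-protected key used once stays loaded in the agent, usable without a further prompt, until the agent exits. Stating that "confirm" is the value that keeps a per-use prompt, right next to the default of "no", would help readers choose deliberately.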
@@ -229,6 +262,8 @@ Valid arguments are
229(use IPv4 only), or 262(use IPv4 only), or
230.Dq inet6 263.Dq inet6
231(use IPv6 only). 264(use IPv6 only).
265The default is
266.Dq any .
232.It Cm BatchMode 267.It Cm BatchMode
233If set to 268If set to
234.Dq yes , 269.Dq yes ,
@@ -325,6 +360,41 @@ to be canonicalized to names in the
325or 360or
326.Dq *.c.example.com 361.Dq *.c.example.com
327domains. 362domains.
363.It Cm CertificateFile
364Specifies a file from which the user's certificate is read.
365A corresponding private key must be provided separately in order
366to use this certificate either
367from an
368.Cm IdentityFile
369directive or
370.Fl i
371flag to
372.Xr ssh 1 ,
373via
374.Xr ssh-agent 1 ,
375or via a
376.Cm PKCS11Provider .
377.Pp
378The file name may use the tilde
379syntax to refer to a user's home directory or one of the following
380escape characters:
381.Ql %d
382(local user's home directory),
383.Ql %u
384(local user name),
385.Ql %l
386(local host name),
387.Ql %h
388(remote host name) or
389.Ql %r
390(remote user name).
391.Pp
392It is possible to have multiple certificate files specified in
393configuration files; these certificates will be tried in sequence.
394Multiple
395.Cm CertificateFile
396directives will add to the list of certificates used for
397authentication.
328.It Cm ChallengeResponseAuthentication 398.It Cm ChallengeResponseAuthentication
329Specifies whether to use challenge-response authentication. 399Specifies whether to use challenge-response authentication.
330The argument to this keyword must be 400The argument to this keyword must be
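Review bot: the sentence at lines 365-376 is hard to parse: "either" is followed by three alternatives, and "provided separately ... from an IdentityFile directive" does not read naturally. Suggest: "The corresponding private key must be provided separately, either via an IdentityFile directive or the -i flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider." The escape list at lines 381-390 also omits %i, which this same commit adds to the escape list at line 610; if CertificateFile shares IdentityFile's expansion code, the two lists should agree, and if it does not, a short note saying so would avoid confusion.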
@@ -418,9 +488,7 @@ The default is:
418chacha20-poly1305@openssh.com, 488chacha20-poly1305@openssh.com,
419aes128-ctr,aes192-ctr,aes256-ctr, 489aes128-ctr,aes192-ctr,aes256-ctr,
420aes128-gcm@openssh.com,aes256-gcm@openssh.com, 490aes128-gcm@openssh.com,aes256-gcm@openssh.com,
421arcfour256,arcfour128, 491aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
422aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
423aes192-cbc,aes256-cbc,arcfour
424.Ed 492.Ed
425.Pp 493.Pp
426The list of available ciphers may also be obtained using the 494The list of available ciphers may also be obtained using the
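Review bot: the new default list at lines 488-491 drops arcfour, blowfish-cbc and cast128-cbc, but aes128-cbc, aes192-cbc, aes256-cbc and 3des-cbc remain as the lowest-preference entries. Because the surrounding text presents the list as an order of preference, a reader may not realise that a server offering only CBC modes will still get them from a default client; a sentence saying these are kept for compatibility with older servers, and that an explicit Ciphers setting can omit them where that compatibility is not needed, would make the intent of the change clear.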
@@ -538,8 +606,11 @@ the destination port,
538.Ql %r 606.Ql %r
539by the remote login username, 607by the remote login username,
540.Ql %u 608.Ql %u
541by the username of the user running 609by the username and
542.Xr ssh 1 , and 610.Ql %i
611by the numeric user ID (uid) of the user running
612.Xr ssh 1 ,
613and
543.Ql \&%C 614.Ql \&%C
544by a hash of the concatenation: %l%h%p%r. 615by a hash of the concatenation: %l%h%p%r.
545It is recommended that any 616It is recommended that any
@@ -639,7 +710,14 @@ data).
639Specifies whether 710Specifies whether
640.Xr ssh 1 711.Xr ssh 1
641should terminate the connection if it cannot set up all requested 712should terminate the connection if it cannot set up all requested
642dynamic, tunnel, local, and remote port forwardings. 713dynamic, tunnel, local, and remote port forwardings, (e.g.\&
714if either end is unable to bind and listen on a specified port).
715Note that
716.Cm ExitOnForwardFailure
717does not apply to connections made over port forwardings and will not,
718for example, cause
719.Xr ssh 1
720to exit if TCP connections to the ultimate forwarding destination fail.
643The argument must be 721The argument must be
644.Dq yes 722.Dq yes
645or 723or
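Review bot: the comma before the parenthesis at line 713 ("port forwardings, (e.g.\&") is stray; drop it so the line reads "port forwardings (e.g.\&". The clarification at lines 715-720 is useful; consider also saying what happens when the option is not enabled (the session continues without the failed forwarding), since that silent partial setup is the failure mode the option exists to catch.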
@@ -748,12 +826,10 @@ The default is
748Specifies whether user authentication based on GSSAPI is allowed. 826Specifies whether user authentication based on GSSAPI is allowed.
749The default is 827The default is
750.Dq no . 828.Dq no .
751Note that this option applies to protocol version 2 only.
752.It Cm GSSAPIDelegateCredentials 829.It Cm GSSAPIDelegateCredentials
753Forward (delegate) credentials to the server. 830Forward (delegate) credentials to the server.
754The default is 831The default is
755.Dq no . 832.Dq no .
756Note that this option applies to protocol version 2 only.
757.It Cm HashKnownHosts 833.It Cm HashKnownHosts
758Indicates that 834Indicates that
759.Xr ssh 1 835.Xr ssh 1
@@ -780,9 +856,6 @@ or
780.Dq no . 856.Dq no .
781The default is 857The default is
782.Dq no . 858.Dq no .
783This option applies to protocol version 2 only and
784is similar to
785.Cm RhostsRSAAuthentication .
786.It Cm HostbasedKeyTypes 859.It Cm HostbasedKeyTypes
787Specifies the key types that will be used for hostbased authentication 860Specifies the key types that will be used for hostbased authentication
788as a comma-separated pattern list. 861as a comma-separated pattern list.
@@ -807,7 +880,7 @@ option of
807.Xr ssh 1 880.Xr ssh 1
808may be used to list supported key types. 881may be used to list supported key types.
809.It Cm HostKeyAlgorithms 882.It Cm HostKeyAlgorithms
810Specifies the protocol version 2 host key algorithms 883Specifies the host key algorithms
811that the client wants to use in order of preference. 884that the client wants to use in order of preference.
812Alternately if the specified value begins with a 885Alternately if the specified value begins with a
813.Sq + 886.Sq +
@@ -859,9 +932,13 @@ specifications).
859.It Cm IdentitiesOnly 932.It Cm IdentitiesOnly
860Specifies that 933Specifies that
861.Xr ssh 1 934.Xr ssh 1
862should only use the authentication identity files configured in the 935should only use the authentication identity and certificate files explicitly
936configured in the
863.Nm 937.Nm
864files, 938files
939or passed on the
940.Xr ssh 1
941command-line,
865even if 942even if
866.Xr ssh-agent 1 943.Xr ssh-agent 1
867or a 944or a
@@ -891,6 +968,8 @@ Additionally, any identities represented by the authentication agent
891will be used for authentication unless 968will be used for authentication unless
892.Cm IdentitiesOnly 969.Cm IdentitiesOnly
893is set. 970is set.
971If no certificates have been explicitly specified by
972.Cm CertificateFile ,
894.Xr ssh 1 973.Xr ssh 1
895will try to load certificate information from the filename obtained by 974will try to load certificate information from the filename obtained by
896appending 975appending
@@ -924,6 +1003,11 @@ differs from that of other configuration directives).
924may be used in conjunction with 1003may be used in conjunction with
925.Cm IdentitiesOnly 1004.Cm IdentitiesOnly
926to select which identities in an agent are offered during authentication. 1005to select which identities in an agent are offered during authentication.
1006.Cm IdentityFile
1007may also be used in conjunction with
1008.Cm CertificateFile
1009in order to provide any certificate also needed for authentication with
1010the identity.
927.It Cm IgnoreUnknown 1011.It Cm IgnoreUnknown
928Specifies a pattern-list of unknown options to be ignored if they are 1012Specifies a pattern-list of unknown options to be ignored if they are
929encountered in configuration parsing. 1013encountered in configuration parsing.
@@ -1083,8 +1167,7 @@ DEBUG2 and DEBUG3 each specify higher levels of verbose output.
1083.It Cm MACs 1167.It Cm MACs
1084Specifies the MAC (message authentication code) algorithms 1168Specifies the MAC (message authentication code) algorithms
1085in order of preference. 1169in order of preference.
1086The MAC algorithm is used in protocol version 2 1170The MAC algorithm is used for data integrity protection.
1087for data integrity protection.
1088Multiple algorithms must be comma-separated. 1171Multiple algorithms must be comma-separated.
1089If the specified value begins with a 1172If the specified value begins with a
1090.Sq + 1173.Sq +
@@ -1100,13 +1183,9 @@ The default is:
1100.Bd -literal -offset indent 1183.Bd -literal -offset indent
1101umac-64-etm@openssh.com,umac-128-etm@openssh.com, 1184umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1102hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 1185hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1186hmac-sha1-etm@openssh.com,
1103umac-64@openssh.com,umac-128@openssh.com, 1187umac-64@openssh.com,umac-128@openssh.com,
1104hmac-sha2-256,hmac-sha2-512, 1188hmac-sha2-256,hmac-sha2-512,hmac-sha1
1105hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
1106hmac-ripemd160-etm@openssh.com,
1107hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
1108hmac-md5,hmac-sha1,hmac-ripemd160,
1109hmac-sha1-96,hmac-md5-96
1110.Ed 1189.Ed
1111.Pp 1190.Pp
1112The list of available MAC algorithms may also be obtained using the 1191The list of available MAC algorithms may also be obtained using the
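Review bot: the new default at lines 1184-1188 drops hmac-md5, hmac-ripemd160 and all the -96 truncated variants, but the text does not say whether they remain selectable. Since the + syntax described at lines 1172-1173 lets a configuration append algorithms to the default set, a sentence stating that the removed MACs are no longer defaults but can still be requested explicitly (or that they are gone entirely, if that is the case) would save readers from guessing, and a reader hardening a client config would also want to know that hmac-sha1 and hmac-sha1-etm@openssh.com are now the lowest-preference entries rather than removed.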
@@ -1160,8 +1239,7 @@ private RSA key.
1160Specifies the port number to connect on the remote host. 1239Specifies the port number to connect on the remote host.
1161The default is 22. 1240The default is 22.
1162.It Cm PreferredAuthentications 1241.It Cm PreferredAuthentications
1163Specifies the order in which the client should try protocol 2 1242Specifies the order in which the client should try authentication methods.
1164authentication methods.
1165This allows a client to prefer one method (e.g.\& 1243This allows a client to prefer one method (e.g.\&
1166.Cm keyboard-interactive ) 1244.Cm keyboard-interactive )
1167over another method (e.g.\& 1245over another method (e.g.\&
@@ -1187,6 +1265,9 @@ will try version 2 and fall back to version 1
1187if version 2 is not available. 1265if version 2 is not available.
1188The default is 1266The default is
1189.Sq 2 . 1267.Sq 2 .
1268Protocol 1 suffers from a number of cryptographic weaknesses and should
1269not be used.
1270It is only offered to support legacy devices.
1190.It Cm ProxyCommand 1271.It Cm ProxyCommand
1191Specifies the command to use to connect to the server. 1272Specifies the command to use to connect to the server.
1192The command 1273The command
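Review bot: the warning added at lines 1268-1270 is welcome, but the sentence immediately above it (lines 1265-1267) still documents "2,1" as a fallback without comment. Worth stating that with a fallback setting any peer that declines version 2, whether a genuine legacy device or an intercepting party, steers the client onto the weak protocol, so "2,1" carries the same exposure as "1" against a hostile peer and should be limited to a Host block for the specific legacy device that needs it.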
@@ -1267,7 +1348,6 @@ or
1267.Dq no . 1348.Dq no .
1268The default is 1349The default is
1269.Dq yes . 1350.Dq yes .
1270This option applies to protocol version 2 only.
1271.It Cm RekeyLimit 1351.It Cm RekeyLimit
1272Specifies the maximum amount of data that may be transmitted before the 1352Specifies the maximum amount of data that may be transmitted before the
1273session key is renegotiated, optionally followed a maximum amount of 1353session key is renegotiated, optionally followed a maximum amount of
@@ -1293,7 +1373,6 @@ is
1293.Dq default none , 1373.Dq default none ,
1294which means that rekeying is performed after the cipher's default amount 1374which means that rekeying is performed after the cipher's default amount
1295of data has been sent or received and no time based rekeying is done. 1375of data has been sent or received and no time based rekeying is done.
1296This option applies to protocol version 2 only.
1297.It Cm RemoteForward 1376.It Cm RemoteForward
1298Specifies that a TCP port on the remote machine be forwarded over 1377Specifies that a TCP port on the remote machine be forwarded over
1299the secure channel to the specified host and port from the local machine. 1378the secure channel to the specified host and port from the local machine.
@@ -1386,7 +1465,6 @@ Note that this option applies to protocol version 1 only.
1386Specifies what variables from the local 1465Specifies what variables from the local
1387.Xr environ 7 1466.Xr environ 7
1388should be sent to the server. 1467should be sent to the server.
1389Note that environment passing is only supported for protocol 2.
1390The server must also support it, and the server must be configured to 1468The server must also support it, and the server must be configured to
1391accept these environment variables. 1469accept these environment variables.
1392Note that the 1470Note that the
@@ -1434,7 +1512,6 @@ If, for example,
1434.Cm ServerAliveCountMax 1512.Cm ServerAliveCountMax
1435is left at the default, if the server becomes unresponsive, 1513is left at the default, if the server becomes unresponsive,
1436ssh will disconnect after approximately 45 seconds. 1514ssh will disconnect after approximately 45 seconds.
1437This option applies to protocol version 2 only.
1438.It Cm ServerAliveInterval 1515.It Cm ServerAliveInterval
1439Sets a timeout interval in seconds after which if no data has been received 1516Sets a timeout interval in seconds after which if no data has been received
1440from the server, 1517from the server,
@@ -1443,7 +1520,6 @@ will send a message through the encrypted
1443channel to request a response from the server. 1520channel to request a response from the server.
1444The default 1521The default
1445is 0, indicating that these messages will not be sent to the server. 1522is 0, indicating that these messages will not be sent to the server.
1446This option applies to protocol version 2 only.
1447.It Cm StreamLocalBindMask 1523.It Cm StreamLocalBindMask
1448Sets the octal file creation mode mask 1524Sets the octal file creation mode mask
1449.Pq umask 1525.Pq umask
@@ -1575,7 +1651,7 @@ Enabling this option allows learning alternate hostkeys for a server
1575and supports graceful key rotation by allowing a server to send replacement 1651and supports graceful key rotation by allowing a server to send replacement
1576public keys before old ones are removed. 1652public keys before old ones are removed.
1577Additional hostkeys are only accepted if the key used to authenticate the 1653Additional hostkeys are only accepted if the key used to authenticate the
1578host was already trusted or explicity accepted by the user. 1654host was already trusted or explicitly accepted by the user.
1579If 1655If
1580.Cm UpdateHostKeys 1656.Cm UpdateHostKeys
1581is set to 1657is set to
@@ -1640,7 +1716,6 @@ or
1640.Dq ask . 1716.Dq ask .
1641The default is 1717The default is
1642.Dq no . 1718.Dq no .
1643Note that this option applies to protocol version 2 only.
1644.Pp 1719.Pp
1645See also VERIFYING HOST KEYS in 1720See also VERIFYING HOST KEYS in
1646.Xr ssh 1 . 1721.Xr ssh 1 .