-rw-r--r-- ChangeLog      5
-rw-r--r-- ssh_config.5   152
2 files changed, 78 insertions, 79 deletions
diff --git a/ChangeLog b/ChangeLog
index b24ca1887..a24b2d025 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -169,6 +169,9 @@
169 - jmc@cvs.openbsd.org 2006/02/24 20:31:31 169 - jmc@cvs.openbsd.org 2006/02/24 20:31:31
170 [ssh.1 ssh_config.5 sshd.8 sshd_config.5] 170 [ssh.1 ssh_config.5 sshd.8 sshd_config.5]
171 more consistency fixes; 171 more consistency fixes;
172 - jmc@cvs.openbsd.org 2006/02/24 23:20:07
173 [ssh_config.5]
174 some grammar/wording fixes;
172 175
17320060313 17620060313
174 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) 177 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@@ -4070,4 +4073,4 @@
4070 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 4073 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
4071 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 4074 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
4072 4075
4073$Id: ChangeLog,v 1.4187 2006/03/15 00:56:03 djm Exp $ 4076$Id: ChangeLog,v 1.4188 2006/03/15 00:56:18 djm Exp $
diff --git a/ssh_config.5 b/ssh_config.5
index 66c9ed3f5..40fef73cf 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh_config.5,v 1.83 2006/02/24 20:31:31 jmc Exp $ 37.\" $OpenBSD: ssh_config.5,v 1.84 2006/02/24 23:20:07 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH_CONFIG 5 39.Dt SSH_CONFIG 5
40.Os 40.Os
@@ -47,7 +47,7 @@
47.It Pa /etc/ssh/ssh_config 47.It Pa /etc/ssh/ssh_config
48.El 48.El
49.Sh DESCRIPTION 49.Sh DESCRIPTION
50.Nm ssh 50.Xr ssh 1
51obtains configuration data from the following sources in 51obtains configuration data from the following sources in
52the following order: 52the following order:
53.Pp 53.Pp
@@ -154,7 +154,7 @@ Specifies which address family to use when connecting.
154Valid arguments are 154Valid arguments are
155.Dq any , 155.Dq any ,
156.Dq inet 156.Dq inet
157(use IPv4 only) or 157(use IPv4 only), or
158.Dq inet6 158.Dq inet6
159(use IPv6 only). 159(use IPv6 only).
160.It Cm BatchMode 160.It Cm BatchMode
@@ -188,7 +188,8 @@ The default is
188.It Cm CheckHostIP 188.It Cm CheckHostIP
189If this flag is set to 189If this flag is set to
190.Dq yes , 190.Dq yes ,
191ssh will additionally check the host IP address in the 191.Xr ssh 1
192will additionally check the host IP address in the
192.Pa known_hosts 193.Pa known_hosts
193file. 194file.
194This allows ssh to detect if a host key changed due to DNS spoofing. 195This allows ssh to detect if a host key changed due to DNS spoofing.
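Review bot: the unchanged last line of this hunk, "This allows ssh to detect if a host key changed due to DNS spoofing.", is slightly misleading and worth touching in a wording pass: the host key does not change under DNS spoofing, the name resolves to a different host that presents a different key, and the IP check in known_hosts is what exposes that. Suggest something like "This allows ssh to detect a host key that does not match the one previously recorded for the host's IP address, for example as a result of DNS spoofing."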
@@ -208,7 +209,7 @@ and
208are supported. 209are supported.
209.Ar des 210.Ar des
210is only supported in the 211is only supported in the
211.Nm ssh 212.Xr ssh 1
212client for interoperability with legacy protocol 1 implementations 213client for interoperability with legacy protocol 1 implementations
213that do not support the 214that do not support the
214.Ar 3des 215.Ar 3des
@@ -234,18 +235,18 @@ The supported ciphers are
234.Dq blowfish-cbc , 235.Dq blowfish-cbc ,
235and 236and
236.Dq cast128-cbc . 237.Dq cast128-cbc .
237The default is 238The default is:
238.Bd -literal 239.Bd -literal -offset 3n
239 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 240aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
240 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 241arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
241 aes192-ctr,aes256-ctr'' 242aes192-ctr,aes256-ctr
242.Ed 243.Ed
243.It Cm ClearAllForwardings 244.It Cm ClearAllForwardings
244Specifies that all local, remote and dynamic port forwardings 245Specifies that all local, remote, and dynamic port forwardings
245specified in the configuration files or on the command line be 246specified in the configuration files or on the command line be
246cleared. 247cleared.
247This option is primarily useful when used from the 248This option is primarily useful when used from the
248.Nm ssh 249.Xr ssh 1
249command line to clear port forwardings set in 250command line to clear port forwardings set in
250configuration files, and is automatically set by 251configuration files, and is automatically set by
251.Xr scp 1 252.Xr scp 1
@@ -278,15 +279,15 @@ The argument must be an integer.
278This may be useful in scripts if the connection sometimes fails. 279This may be useful in scripts if the connection sometimes fails.
279The default is 1. 280The default is 1.
280.It Cm ConnectTimeout 281.It Cm ConnectTimeout
281Specifies the timeout (in seconds) used when connecting to the ssh 282Specifies the timeout (in seconds) used when connecting to the
282server, instead of using the default system TCP timeout. 283SSH server, instead of using the default system TCP timeout.
283This value is used only when the target is down or really unreachable, 284This value is used only when the target is down or really unreachable,
284not when it refuses the connection. 285not when it refuses the connection.
285.It Cm ControlMaster 286.It Cm ControlMaster
286Enables the sharing of multiple sessions over a single network connection. 287Enables the sharing of multiple sessions over a single network connection.
287When set to 288When set to
288.Dq yes 289.Dq yes ,
289.Nm ssh 290.Xr ssh 1
290will listen for connections on a control socket specified using the 291will listen for connections on a control socket specified using the
291.Cm ControlPath 292.Cm ControlPath
292argument. 293argument.
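Review bot: for a wording pass, the unchanged ConnectTimeout context line "This value is used only when the target is down or really unreachable, not when it refuses the connection." still carries the filler "really"; "when the target is down or unreachable" says the same thing.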
@@ -303,8 +304,7 @@ if the control socket does not exist, or is not listening.
303.Pp 304.Pp
304Setting this to 305Setting this to
305.Dq ask 306.Dq ask
306will cause 307will cause ssh
307.Nm ssh
308to listen for control connections, but require confirmation using the 308to listen for control connections, but require confirmation using the
309.Ev SSH_ASKPASS 309.Ev SSH_ASKPASS
310program before they are accepted (see 310program before they are accepted (see
@@ -312,9 +312,8 @@ program before they are accepted (see
312for details). 312for details).
313If the 313If the
314.Cm ControlPath 314.Cm ControlPath
315can not be opened, 315cannot be opened,
316.Nm ssh 316ssh will continue without connecting to a master instance.
317will continue without connecting to a master instance.
318.Pp 317.Pp
319X11 and 318X11 and
320.Xr ssh-agent 1 319.Xr ssh-agent 1
@@ -345,7 +344,7 @@ will be substituted by the local host name,
345.Ql %h 344.Ql %h
346will be substituted by the target host name, 345will be substituted by the target host name,
347.Ql %p 346.Ql %p
348the port and 347the port, and
349.Ql %r 348.Ql %r
350by the remote login username. 349by the remote login username.
351It is recommended that any 350It is recommended that any
@@ -382,7 +381,7 @@ empty address or
382indicates that the port should be available from all interfaces. 381indicates that the port should be available from all interfaces.
383.Pp 382.Pp
384Currently the SOCKS4 and SOCKS5 protocols are supported, and 383Currently the SOCKS4 and SOCKS5 protocols are supported, and
385.Nm ssh 384.Xr ssh 1
386will act as a SOCKS server. 385will act as a SOCKS server.
387Multiple forwardings may be specified, and 386Multiple forwardings may be specified, and
388additional forwardings can be given on the command line. 387additional forwardings can be given on the command line.
@@ -457,12 +456,12 @@ if the
457option is also enabled. 456option is also enabled.
458.It Cm ForwardX11Trusted 457.It Cm ForwardX11Trusted
459If this option is set to 458If this option is set to
460.Dq yes 459.Dq yes ,
461then remote X11 clients will have full access to the original X11 display. 460remote X11 clients will have full access to the original X11 display.
462.Pp 461.Pp
463If this option is set to 462If this option is set to
464.Dq no 463.Dq no ,
465then remote X11 clients will be considered untrusted and prevented 464remote X11 clients will be considered untrusted and prevented
466from stealing or tampering with data belonging to trusted X11 465from stealing or tampering with data belonging to trusted X11
467clients. 466clients.
468Furthermore, the 467Furthermore, the
@@ -479,12 +478,11 @@ the restrictions imposed on untrusted clients.
479Specifies whether remote hosts are allowed to connect to local 478Specifies whether remote hosts are allowed to connect to local
480forwarded ports. 479forwarded ports.
481By default, 480By default,
482.Nm ssh 481.Xr ssh 1
483binds local port forwardings to the loopback address. 482binds local port forwardings to the loopback address.
484This prevents other remote hosts from connecting to forwarded ports. 483This prevents other remote hosts from connecting to forwarded ports.
485.Cm GatewayPorts 484.Cm GatewayPorts
486can be used to specify that 485can be used to specify that ssh
487.Nm ssh
488should bind local port forwardings to the wildcard address, 486should bind local port forwardings to the wildcard address,
489thus allowing remote hosts to connect to forwarded ports. 487thus allowing remote hosts to connect to forwarded ports.
490The argument must be 488The argument must be
@@ -509,13 +507,13 @@ The default is
509Note that this option applies to protocol version 2 only. 507Note that this option applies to protocol version 2 only.
510.It Cm HashKnownHosts 508.It Cm HashKnownHosts
511Indicates that 509Indicates that
512.Nm ssh 510.Xr ssh 1
513should hash host names and addresses when they are added to 511should hash host names and addresses when they are added to
514.Pa ~/.ssh/known_hosts . 512.Pa ~/.ssh/known_hosts .
515These hashed names may be used normally by 513These hashed names may be used normally by
516.Nm ssh 514.Xr ssh 1
517and 515and
518.Nm sshd , 516.Xr sshd 8 ,
519but they do not reveal identifying information should the file's contents 517but they do not reveal identifying information should the file's contents
520be disclosed. 518be disclosed.
521The default is 519The default is
@@ -544,30 +542,29 @@ The default for this option is:
544Specifies an alias that should be used instead of the 542Specifies an alias that should be used instead of the
545real host name when looking up or saving the host key 543real host name when looking up or saving the host key
546in the host key database files. 544in the host key database files.
547This option is useful for tunneling ssh connections 545This option is useful for tunneling SSH connections
548or for multiple servers running on a single host. 546or for multiple servers running on a single host.
549.It Cm HostName 547.It Cm HostName
550Specifies the real host name to log into. 548Specifies the real host name to log into.
551This can be used to specify nicknames or abbreviations for hosts. 549This can be used to specify nicknames or abbreviations for hosts.
552Default is the name given on the command line. 550The default is the name given on the command line.
553Numeric IP addresses are also permitted (both on the command line and in 551Numeric IP addresses are also permitted (both on the command line and in
554.Cm HostName 552.Cm HostName
555specifications). 553specifications).
556.It Cm IdentitiesOnly 554.It Cm IdentitiesOnly
557Specifies that 555Specifies that
558.Nm ssh 556.Xr ssh 1
559should only use the authentication identity files configured in the 557should only use the authentication identity files configured in the
560.Nm 558.Nm
561files, 559files,
562even if the 560even if
563.Nm ssh-agent 561.Xr ssh-agent 1
564offers more identities. 562offers more identities.
565The argument to this keyword must be 563The argument to this keyword must be
566.Dq yes 564.Dq yes
567or 565or
568.Dq no . 566.Dq no .
569This option is intended for situations where 567This option is intended for situations where ssh-agent
570.Nm ssh-agent
571offers many different identities. 568offers many different identities.
572The default is 569The default is
573.Dq no . 570.Dq no .
@@ -633,9 +630,9 @@ empty address or
633indicates that the port should be available from all interfaces. 630indicates that the port should be available from all interfaces.
634.It Cm LogLevel 631.It Cm LogLevel
635Gives the verbosity level that is used when logging messages from 632Gives the verbosity level that is used when logging messages from
636.Nm ssh . 633.Xr ssh 1 .
637The possible values are: 634The possible values are:
638QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. 635QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
639The default is INFO. 636The default is INFO.
640DEBUG and DEBUG1 are equivalent. 637DEBUG and DEBUG1 are equivalent.
641DEBUG2 and DEBUG3 each specify higher levels of verbose output. 638DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -645,7 +642,7 @@ in order of preference.
645The MAC algorithm is used in protocol version 2 642The MAC algorithm is used in protocol version 2
646for data integrity protection. 643for data integrity protection.
647Multiple algorithms must be comma-separated. 644Multiple algorithms must be comma-separated.
648The default is 645The default is:
649.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . 646.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
650.It Cm NoHostAuthenticationForLocalhost 647.It Cm NoHostAuthenticationForLocalhost
651This option can be used if the home directory is shared across machines. 648This option can be used if the home directory is shared across machines.
@@ -660,7 +657,7 @@ The default is to check the host key for localhost.
660.It Cm NumberOfPasswordPrompts 657.It Cm NumberOfPasswordPrompts
661Specifies the number of password prompts before giving up. 658Specifies the number of password prompts before giving up.
662The argument to this keyword must be an integer. 659The argument to this keyword must be an integer.
663Default is 3. 660The default is 3.
664.It Cm PasswordAuthentication 661.It Cm PasswordAuthentication
665Specifies whether to use password authentication. 662Specifies whether to use password authentication.
666The argument to this keyword must be 663The argument to this keyword must be
@@ -684,7 +681,7 @@ The default is
684.Dq no . 681.Dq no .
685.It Cm Port 682.It Cm Port
686Specifies the port number to connect on the remote host. 683Specifies the port number to connect on the remote host.
687Default is 22. 684The default is 22.
688.It Cm PreferredAuthentications 685.It Cm PreferredAuthentications
689Specifies the order in which the client should try protocol 2 686Specifies the order in which the client should try protocol 2
690authentication methods. 687authentication methods.
@@ -696,17 +693,16 @@ The default for this option is:
696.Dq hostbased,publickey,keyboard-interactive,password . 693.Dq hostbased,publickey,keyboard-interactive,password .
697.It Cm Protocol 694.It Cm Protocol
698Specifies the protocol versions 695Specifies the protocol versions
699.Nm ssh 696.Xr ssh 1
700should support in order of preference. 697should support in order of preference.
701The possible values are 698The possible values are
702.Dq 1 699.Sq 1
703and 700and
704.Dq 2 . 701.Sq 2 .
705Multiple versions must be comma-separated. 702Multiple versions must be comma-separated.
706The default is 703The default is
707.Dq 2,1 . 704.Dq 2,1 .
708This means that 705This means that ssh
709.Nm ssh
710tries version 2 and falls back to version 1 706tries version 2 and falls back to version 1
711if version 2 is not available. 707if version 2 is not available.
712.It Cm ProxyCommand 708.It Cm ProxyCommand
@@ -764,9 +760,9 @@ or
764.Sq G 760.Sq G
765to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 761to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
766The default is between 762The default is between
767.Dq 1G 763.Sq 1G
768and 764and
769.Dq 4G , 765.Sq 4G ,
770depending on the cipher. 766depending on the cipher.
771This option applies to protocol version 2 only. 767This option applies to protocol version 2 only.
772.It Cm RemoteForward 768.It Cm RemoteForward
@@ -812,7 +808,7 @@ or
812The default is 808The default is
813.Dq no . 809.Dq no .
814This option applies to protocol version 1 only and requires 810This option applies to protocol version 1 only and requires
815.Nm ssh 811.Xr ssh 1
816to be setuid root. 812to be setuid root.
817.It Cm RSAAuthentication 813.It Cm RSAAuthentication
818Specifies whether to try RSA authentication. 814Specifies whether to try RSA authentication.
@@ -830,8 +826,8 @@ Note that this option applies to protocol version 1 only.
830Specifies what variables from the local 826Specifies what variables from the local
831.Xr environ 7 827.Xr environ 7
832should be sent to the server. 828should be sent to the server.
833Note that environment passing is only supported for protocol 2, the 829Note that environment passing is only supported for protocol 2.
834server must also support it, and the server must be configured to 830The server must also support it, and the server must be configured to
835accept these environment variables. 831accept these environment variables.
836Refer to 832Refer to
837.Cm AcceptEnv 833.Cm AcceptEnv
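Review bot: the split of the SendEnv run-on leaves a redundant pair of clauses in the new second sentence, "The server must also support it, and the server must be configured to accept these environment variables." Suggest "The server must also support it and be configured to accept these environment variables."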
@@ -851,11 +847,10 @@ for more information on patterns.
851.It Cm ServerAliveCountMax 847.It Cm ServerAliveCountMax
852Sets the number of server alive messages (see below) which may be 848Sets the number of server alive messages (see below) which may be
853sent without 849sent without
854.Nm ssh 850.Xr ssh 1
855receiving any messages back from the server. 851receiving any messages back from the server.
856If this threshold is reached while server alive messages are being sent, 852If this threshold is reached while server alive messages are being sent,
857.Nm ssh 853ssh will disconnect from the server, terminating the session.
858will disconnect from the server, terminating the session.
859It is important to note that the use of server alive messages is very 854It is important to note that the use of server alive messages is very
860different from 855different from
861.Cm TCPKeepAlive 856.Cm TCPKeepAlive
@@ -871,14 +866,14 @@ server depend on knowing when a connection has become inactive.
871The default value is 3. 866The default value is 3.
872If, for example, 867If, for example,
873.Cm ServerAliveInterval 868.Cm ServerAliveInterval
874(see below) is set to 15, and 869(see below) is set to 15 and
875.Cm ServerAliveCountMax 870.Cm ServerAliveCountMax
876is left at the default, if the server becomes unresponsive ssh 871is left at the default, if the server becomes unresponsive,
877will disconnect after approximately 45 seconds. 872ssh will disconnect after approximately 45 seconds.
878.It Cm ServerAliveInterval 873.It Cm ServerAliveInterval
879Sets a timeout interval in seconds after which if no data has been received 874Sets a timeout interval in seconds after which if no data has been received
880from the server, 875from the server,
881.Nm ssh 876.Xr ssh 1
882will send a message through the encrypted 877will send a message through the encrypted
883channel to request a response from the server. 878channel to request a response from the server.
884The default 879The default
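Review bot: the rewritten ServerAliveCountMax example still stacks two conditionals, "If, for example, ServerAliveInterval (see below) is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds." Suggest joining them: "... is left at the default and the server becomes unresponsive, ssh will disconnect after approximately 45 seconds."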
@@ -887,41 +882,39 @@ This option applies to protocol version 2 only.
887.It Cm SmartcardDevice 882.It Cm SmartcardDevice
888Specifies which smartcard device to use. 883Specifies which smartcard device to use.
889The argument to this keyword is the device 884The argument to this keyword is the device
890.Nm ssh 885.Xr ssh 1
891should use to communicate with a smartcard used for storing the user's 886should use to communicate with a smartcard used for storing the user's
892private RSA key. 887private RSA key.
893By default, no device is specified and smartcard support is not activated. 888By default, no device is specified and smartcard support is not activated.
894.It Cm StrictHostKeyChecking 889.It Cm StrictHostKeyChecking
895If this flag is set to 890If this flag is set to
896.Dq yes , 891.Dq yes ,
897.Nm ssh 892.Xr ssh 1
898will never automatically add host keys to the 893will never automatically add host keys to the
899.Pa ~/.ssh/known_hosts 894.Pa ~/.ssh/known_hosts
900file, and refuses to connect to hosts whose host key has changed. 895file, and refuses to connect to hosts whose host key has changed.
901This provides maximum protection against trojan horse attacks, 896This provides maximum protection against trojan horse attacks,
902however, can be annoying when the 897though it can be annoying when the
903.Pa /etc/ssh/ssh_known_hosts 898.Pa /etc/ssh/ssh_known_hosts
904file is poorly maintained, or connections to new hosts are 899file is poorly maintained or when connections to new hosts are
905frequently made. 900frequently made.
906This option forces the user to manually 901This option forces the user to manually
907add all new hosts. 902add all new hosts.
908If this flag is set to 903If this flag is set to
909.Dq no , 904.Dq no ,
910.Nm ssh 905ssh will automatically add new host keys to the
911will automatically add new host keys to the
912user known hosts files. 906user known hosts files.
913If this flag is set to 907If this flag is set to
914.Dq ask , 908.Dq ask ,
915new host keys 909new host keys
916will be added to the user known host files only after the user 910will be added to the user known host files only after the user
917has confirmed that is what they really want to do, and 911has confirmed that is what they really want to do, and
918.Nm ssh 912ssh will refuse to connect to hosts whose host key has changed.
919will refuse to connect to hosts whose host key has changed.
920The host keys of 913The host keys of
921known hosts will be verified automatically in all cases. 914known hosts will be verified automatically in all cases.
922The argument must be 915The argument must be
923.Dq yes , 916.Dq yes ,
924.Dq no 917.Dq no ,
925or 918or
926.Dq ask . 919.Dq ask .
927The default is 920The default is
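Review bot: the StrictHostKeyChecking text describes the changed-key behaviour for "yes" and "ask" (both refuse to connect) but the "no" paragraph only says ssh "will automatically add new host keys to the user known hosts files" and never states what happens when a known host's key has changed; the closing sentence "The host keys of known hosts will be verified automatically in all cases" says a check happens but not its outcome for this setting. Since this is the setting that weakens the host-key check, the "no" case deserves an explicit sentence here.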
@@ -952,7 +945,7 @@ instead of layer 3 (point-to-point) tunneling from the server.
952The argument must be 945The argument must be
953.Dq yes , 946.Dq yes ,
954.Dq point-to-point , 947.Dq point-to-point ,
955.Dq ethernet 948.Dq ethernet ,
956or 949or
957.Dq no . 950.Dq no .
958The default is 951The default is
@@ -971,8 +964,8 @@ or
971The default is 964The default is
972.Dq no . 965.Dq no .
973If set to 966If set to
974.Dq yes 967.Dq yes ,
975.Nm ssh 968.Xr ssh 1
976must be setuid root. 969must be setuid root.
977Note that this option must be set to 970Note that this option must be set to
978.Dq yes 971.Dq yes
@@ -1005,12 +998,17 @@ need to confirm new host keys according to the
1005option. 998option.
1006The argument must be 999The argument must be
1007.Dq yes , 1000.Dq yes ,
1008.Dq no 1001.Dq no ,
1009or 1002or
1010.Dq ask . 1003.Dq ask .
1011The default is 1004The default is
1012.Dq no . 1005.Dq no .
1013Note that this option applies to protocol version 2 only. 1006Note that this option applies to protocol version 2 only.
1007.Pp
1008See also
1009.Sx VERIFYING HOST KEYS
1010in
1011.Xr ssh 1 .
1014.It Cm XAuthLocation 1012.It Cm XAuthLocation
1015Specifies the full pathname of the 1013Specifies the full pathname of the
1016.Xr xauth 1 1014.Xr xauth 1
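Review bot: the five added lines ".Pp / See also / .Sx VERIFYING HOST KEYS / in / .Xr ssh 1 ." are new cross-reference content rather than a wording fix, while the ChangeLog entry added in the first hunk describes the commit only as "some grammar/wording fixes". Suggest mentioning the new VerifyHostKeyDNS cross-reference in the ChangeLog line so the added pointer to the host-key verification section is discoverable from the log.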
@@ -1023,9 +1021,7 @@ The default is
1023.It Pa ~/.ssh/config 1021.It Pa ~/.ssh/config
1024This is the per-user configuration file. 1022This is the per-user configuration file.
1025The format of this file is described above. 1023The format of this file is described above.
1026This file is used by the 1024This file is used by the SSH client.
1027.Nm ssh
1028client.
1029Because of the potential for abuse, this file must have strict permissions: 1025Because of the potential for abuse, this file must have strict permissions:
1030read/write for the user, and not accessible by others. 1026read/write for the user, and not accessible by others.
1031.It Pa /etc/ssh/ssh_config 1027.It Pa /etc/ssh/ssh_config