-rw-r--r--  ssh_config.5  566
1 files changed, 244 insertions, 322 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 1d5150080..591365f34 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.239 2016/09/28 17:59:22 jmc Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.240 2016/10/15 19:56:25 jmc Exp $
37.Dd $Mdocdate: September 28 2016 $ 37.Dd $Mdocdate: October 15 2016 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -62,25 +62,25 @@ system-wide configuration file
62For each parameter, the first obtained value 62For each parameter, the first obtained value
63will be used. 63will be used.
64The configuration files contain sections separated by 64The configuration files contain sections separated by
65.Dq Host 65.Cm Host
66specifications, and that section is only applied for hosts that 66specifications, and that section is only applied for hosts that
67match one of the patterns given in the specification. 67match one of the patterns given in the specification.
68The matched host name is usually the one given on the command line 68The matched host name is usually the one given on the command line
69(see the 69(see the
70.Cm CanonicalizeHostname 70.Cm CanonicalizeHostname
71option for exceptions.) 71option for exceptions).
72.Pp 72.Pp
73Since the first obtained value for each parameter is used, more 73Since the first obtained value for each parameter is used, more
74host-specific declarations should be given near the beginning of the 74host-specific declarations should be given near the beginning of the
75file, and general defaults at the end. 75file, and general defaults at the end.
76.Pp 76.Pp
77The configuration file has the following format: 77The file contains keyword-argument pairs, one per line.
78.Pp 78Lines starting with
79Empty lines and lines starting with
80.Ql # 79.Ql #
81are comments. 80and empty lines are interpreted as comments.
82Otherwise a line is of the format 81Arguments may optionally be enclosed in double quotes
83.Dq keyword arguments . 82.Pq \&"
83in order to represent arguments containing spaces.
84Configuration options may be separated by whitespace or 84Configuration options may be separated by whitespace or
85optional whitespace and exactly one 85optional whitespace and exactly one
86.Ql = ; 86.Ql = ;
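Review bot: line 71 in this hunk keeps "option for exceptions)." while the parallel sentence under the Host pattern description (line 117 in the @@ -117 hunk) is changed to "keyword for exceptions)."; since CanonicalizeHostname is a keyword in this file's own vocabulary (it is introduced with .It Cm), make line 71 read "keyword for exceptions)." as well so the two references agree.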
@@ -92,9 +92,6 @@ and
92.Nm sftp 92.Nm sftp
93.Fl o 93.Fl o
94option. 94option.
95Arguments may optionally be enclosed in double quotes
96.Pq \&"
97in order to represent arguments containing spaces.
98.Pp 95.Pp
99The possible 96The possible
100keywords and their meanings are as follows (note that 97keywords and their meanings are as follows (note that
@@ -117,7 +114,7 @@ The host is usually the
117argument given on the command line 114argument given on the command line
118(see the 115(see the
119.Cm CanonicalizeHostname 116.Cm CanonicalizeHostname
120option for exceptions.) 117keyword for exceptions).
121.Pp 118.Pp
122A pattern entry may be negated by prefixing it with an exclamation mark 119A pattern entry may be negated by prefixing it with an exclamation mark
123.Pq Sq !\& . 120.Pq Sq !\& .
@@ -212,57 +209,54 @@ files).
212Specifies whether keys should be automatically added to a running 209Specifies whether keys should be automatically added to a running
213.Xr ssh-agent 1 . 210.Xr ssh-agent 1 .
214If this option is set to 211If this option is set to
215.Dq yes 212.Cm yes
216and a key is loaded from a file, the key and its passphrase are added to 213and a key is loaded from a file, the key and its passphrase are added to
217the agent with the default lifetime, as if by 214the agent with the default lifetime, as if by
218.Xr ssh-add 1 . 215.Xr ssh-add 1 .
219If this option is set to 216If this option is set to
220.Dq ask , 217.Cm ask ,
221.Nm ssh 218.Xr ssh 1
222will require confirmation using the 219will require confirmation using the
223.Ev SSH_ASKPASS 220.Ev SSH_ASKPASS
224program before adding a key (see 221program before adding a key (see
225.Xr ssh-add 1 222.Xr ssh-add 1
226for details). 223for details).
227If this option is set to 224If this option is set to
228.Dq confirm , 225.Cm confirm ,
229each use of the key must be confirmed, as if the 226each use of the key must be confirmed, as if the
230.Fl c 227.Fl c
231option was specified to 228option was specified to
232.Xr ssh-add 1 . 229.Xr ssh-add 1 .
233If this option is set to 230If this option is set to
234.Dq no , 231.Cm no ,
235no keys are added to the agent. 232no keys are added to the agent.
236The argument must be 233The argument must be
237.Dq yes , 234.Cm yes ,
238.Dq confirm , 235.Cm confirm ,
239.Dq ask , 236.Cm ask ,
240or 237or
241.Dq no . 238.Cm no
242The default is 239(the default).
243.Dq no .
244.It Cm AddressFamily 240.It Cm AddressFamily
245Specifies which address family to use when connecting. 241Specifies which address family to use when connecting.
246Valid arguments are 242Valid arguments are
247.Dq any , 243.Cm any
248.Dq inet 244(the default),
245.Cm inet
249(use IPv4 only), or 246(use IPv4 only), or
250.Dq inet6 247.Cm inet6
251(use IPv6 only). 248(use IPv6 only).
252The default is
253.Dq any .
254.It Cm BatchMode 249.It Cm BatchMode
255If set to 250If set to
256.Dq yes , 251.Cm yes ,
257passphrase/password querying will be disabled. 252passphrase/password querying will be disabled.
258This option is useful in scripts and other batch jobs where no user 253This option is useful in scripts and other batch jobs where no user
259is present to supply the password. 254is present to supply the password.
260The argument must be 255The argument must be
261.Dq yes 256.Cm yes
262or 257or
263.Dq no . 258.Cm no
264The default is 259(the default).
265.Dq no .
266.It Cm BindAddress 260.It Cm BindAddress
267Use the specified address on the local machine as the source address of 261Use the specified address on the local machine as the source address of
268the connection. 262the connection.
@@ -270,7 +264,7 @@ Only useful on systems with more than one address.
270Note that this option does not work if 264Note that this option does not work if
271.Cm UsePrivilegedPort 265.Cm UsePrivilegedPort
272is set to 266is set to
273.Dq yes . 267.Cm yes .
274.It Cm CanonicalDomains 268.It Cm CanonicalDomains
275When 269When
276.Cm CanonicalizeHostname 270.Cm CanonicalizeHostname
@@ -279,11 +273,11 @@ search for the specified destination host.
279.It Cm CanonicalizeFallbackLocal 273.It Cm CanonicalizeFallbackLocal
280Specifies whether to fail with an error when hostname canonicalization fails. 274Specifies whether to fail with an error when hostname canonicalization fails.
281The default, 275The default,
282.Dq yes , 276.Cm yes ,
283will attempt to look up the unqualified hostname using the system resolver's 277will attempt to look up the unqualified hostname using the system resolver's
284search rules. 278search rules.
285A value of 279A value of
286.Dq no 280.Cm no
287will cause 281will cause
288.Xr ssh 1 282.Xr ssh 1
289to fail instantly if 283to fail instantly if
@@ -294,11 +288,11 @@ specified by
294.It Cm CanonicalizeHostname 288.It Cm CanonicalizeHostname
295Controls whether explicit hostname canonicalization is performed. 289Controls whether explicit hostname canonicalization is performed.
296The default, 290The default,
297.Dq no , 291.Cm no ,
298is not to perform any name rewriting and let the system resolver handle all 292is not to perform any name rewriting and let the system resolver handle all
299hostname lookups. 293hostname lookups.
300If set to 294If set to
301.Dq yes 295.Cm yes
302then, for connections that do not use a 296then, for connections that do not use a
303.Cm ProxyCommand , 297.Cm ProxyCommand ,
304.Xr ssh 1 298.Xr ssh 1
@@ -311,7 +305,7 @@ rules.
311If 305If
312.Cm CanonicalizeHostname 306.Cm CanonicalizeHostname
313is set to 307is set to
314.Dq always , 308.Cm always ,
315then canonicalization is applied to proxied connections too. 309then canonicalization is applied to proxied connections too.
316.Pp 310.Pp
317If this option is enabled, then the configuration files are processed 311If this option is enabled, then the configuration files are processed
@@ -323,8 +317,7 @@ stanzas.
323.It Cm CanonicalizeMaxDots 317.It Cm CanonicalizeMaxDots
324Specifies the maximum number of dot characters in a hostname before 318Specifies the maximum number of dot characters in a hostname before
325canonicalization is disabled. 319canonicalization is disabled.
326The default, 320The default, 1,
327.Dq 1 ,
328allows a single dot (i.e. hostname.subdomain). 321allows a single dot (i.e. hostname.subdomain).
329.It Cm CanonicalizePermittedCNAMEs 322.It Cm CanonicalizePermittedCNAMEs
330Specifies rules to determine whether CNAMEs should be followed when 323Specifies rules to determine whether CNAMEs should be followed when
@@ -339,13 +332,13 @@ and
339is a pattern-list of domains that they may resolve to. 332is a pattern-list of domains that they may resolve to.
340.Pp 333.Pp
341For example, 334For example,
342.Dq *.a.example.com:*.b.example.com,*.c.example.com 335.Qq *.a.example.com:*.b.example.com,*.c.example.com
343will allow hostnames matching 336will allow hostnames matching
344.Dq *.a.example.com 337.Qq *.a.example.com
345to be canonicalized to names in the 338to be canonicalized to names in the
346.Dq *.b.example.com 339.Qq *.b.example.com
347or 340or
348.Dq *.c.example.com 341.Qq *.c.example.com
349domains. 342domains.
350.It Cm CertificateFile 343.It Cm CertificateFile
351Specifies a file from which the user's certificate is read. 344Specifies a file from which the user's certificate is read.
@@ -378,47 +371,42 @@ authentication.
378.It Cm ChallengeResponseAuthentication 371.It Cm ChallengeResponseAuthentication
379Specifies whether to use challenge-response authentication. 372Specifies whether to use challenge-response authentication.
380The argument to this keyword must be 373The argument to this keyword must be
381.Dq yes 374.Cm yes
375(the default)
382or 376or
383.Dq no . 377.Cm no .
384The default is
385.Dq yes .
386.It Cm CheckHostIP 378.It Cm CheckHostIP
387If this flag is set to 379If set to
388.Dq yes , 380.Cm yes
381(the default),
389.Xr ssh 1 382.Xr ssh 1
390will additionally check the host IP address in the 383will additionally check the host IP address in the
391.Pa known_hosts 384.Pa known_hosts
392file. 385file.
393This allows ssh to detect if a host key changed due to DNS spoofing 386This allows it to detect if a host key changed due to DNS spoofing
394and will add addresses of destination hosts to 387and will add addresses of destination hosts to
395.Pa ~/.ssh/known_hosts 388.Pa ~/.ssh/known_hosts
396in the process, regardless of the setting of 389in the process, regardless of the setting of
397.Cm StrictHostKeyChecking . 390.Cm StrictHostKeyChecking .
398If the option is set to 391If the option is set to
399.Dq no , 392.Cm no ,
400the check will not be executed. 393the check will not be executed.
401The default is
402.Dq yes .
403.It Cm Cipher 394.It Cm Cipher
404Specifies the cipher to use for encrypting the session 395Specifies the cipher to use for encrypting the session
405in protocol version 1. 396in protocol version 1.
406Currently, 397Currently,
407.Dq blowfish , 398.Cm blowfish ,
408.Dq 3des , 399.Cm 3des
400(the default),
409and 401and
410.Dq des 402.Cm des
411are supported. 403are supported,
412.Ar des 404though
405.Cm des
413is only supported in the 406is only supported in the
414.Xr ssh 1 407.Xr ssh 1
415client for interoperability with legacy protocol 1 implementations 408client for interoperability with legacy protocol 1 implementations;
416that do not support the 409its use is strongly discouraged due to cryptographic weaknesses.
417.Ar 3des
418cipher.
419Its use is strongly discouraged due to cryptographic weaknesses.
420The default is
421.Dq 3des .
422.It Cm Ciphers 410.It Cm Ciphers
423Specifies the ciphers allowed for protocol version 2 411Specifies the ciphers allowed for protocol version 2
424in order of preference. 412in order of preference.
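Review bot: the rewrite of the des sentence (lines 404-409) drops the qualifier "that do not support the 3des cipher" from the old lines 415-418, which was the only statement of when des would ever be the right choice; without it the text says des exists "for interoperability with legacy protocol 1 implementations" but not what distinguishes those from implementations that can use the default. Suggest keeping the clause, e.g. "client for interoperability with legacy protocol 1 implementations that do not support 3des; its use is strongly discouraged due to cryptographic weaknesses." The lowercase "its use" after the semicolon now clearly refers to des, which is an improvement over the old free-standing "Its use".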
@@ -429,39 +417,23 @@ character, then the specified ciphers will be appended to the default set
429instead of replacing them. 417instead of replacing them.
430.Pp 418.Pp
431The supported ciphers are: 419The supported ciphers are:
432.Pp 420.Bd -literal -offset indent
433.Bl -item -compact -offset indent
434.It
4353des-cbc 4213des-cbc
436.It
437aes128-cbc 422aes128-cbc
438.It
439aes192-cbc 423aes192-cbc
440.It
441aes256-cbc 424aes256-cbc
442.It
443aes128-ctr 425aes128-ctr
444.It
445aes192-ctr 426aes192-ctr
446.It
447aes256-ctr 427aes256-ctr
448.It
449aes128-gcm@openssh.com 428aes128-gcm@openssh.com
450.It
451aes256-gcm@openssh.com 429aes256-gcm@openssh.com
452.It
453arcfour 430arcfour
454.It
455arcfour128 431arcfour128
456.It
457arcfour256 432arcfour256
458.It
459blowfish-cbc 433blowfish-cbc
460.It
461cast128-cbc 434cast128-cbc
462.It
463chacha20-poly1305@openssh.com 435chacha20-poly1305@openssh.com
464.El 436.Ed
465.Pp 437.Pp
466The default is: 438The default is:
467.Bd -literal -offset indent 439.Bd -literal -offset indent
@@ -471,12 +443,8 @@ aes128-gcm@openssh.com,aes256-gcm@openssh.com,
471aes128-cbc,aes192-cbc,aes256-cbc 443aes128-cbc,aes192-cbc,aes256-cbc
472.Ed 444.Ed
473.Pp 445.Pp
474The list of available ciphers may also be obtained using the 446The list of available ciphers may also be obtained using
475.Fl Q 447.Qq ssh -Q cipher .
476option of
477.Xr ssh 1
478with an argument of
479.Dq cipher .
480.It Cm ClearAllForwardings 448.It Cm ClearAllForwardings
481Specifies that all local, remote, and dynamic port forwardings 449Specifies that all local, remote, and dynamic port forwardings
482specified in the configuration files or on the command line be 450specified in the configuration files or on the command line be
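Review bot: replacing ".Fl Q option of .Xr ssh 1 with an argument of .Dq cipher" by ".Qq ssh -Q cipher" (line 447) drops the ssh(1) cross-reference, so a reader no longer gets a link to where -Q is documented; the same applies to the "ssh -Q key" (line 825) and "ssh -Q kex" (line 1040) rewrites later in the patch. If the shorter form is intended, consider keeping one .Xr ssh 1 nearby, e.g. "using .Qq ssh -Q cipher (see .Xr ssh 1 )", or accept the loss deliberately.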
@@ -489,19 +457,17 @@ configuration files, and is automatically set by
489and 457and
490.Xr sftp 1 . 458.Xr sftp 1 .
491The argument must be 459The argument must be
492.Dq yes 460.Cm yes
493or 461or
494.Dq no . 462.Cm no
495The default is 463(the default).
496.Dq no .
497.It Cm Compression 464.It Cm Compression
498Specifies whether to use compression. 465Specifies whether to use compression.
499The argument must be 466The argument must be
500.Dq yes 467.Cm yes
501or 468or
502.Dq no . 469.Cm no
503The default is 470(the default).
504.Dq no .
505.It Cm CompressionLevel 471.It Cm CompressionLevel
506Specifies the compression level to use if compression is enabled. 472Specifies the compression level to use if compression is enabled.
507The argument must be an integer from 1 (fast) to 9 (slow, best). 473The argument must be an integer from 1 (fast) to 9 (slow, best).
@@ -522,7 +488,7 @@ not when it refuses the connection.
522.It Cm ControlMaster 488.It Cm ControlMaster
523Enables the sharing of multiple sessions over a single network connection. 489Enables the sharing of multiple sessions over a single network connection.
524When set to 490When set to
525.Dq yes , 491.Cm yes ,
526.Xr ssh 1 492.Xr ssh 1
527will listen for connections on a control socket specified using the 493will listen for connections on a control socket specified using the
528.Cm ControlPath 494.Cm ControlPath
@@ -532,21 +498,23 @@ Additional sessions can connect to this socket using the same
532with 498with
533.Cm ControlMaster 499.Cm ControlMaster
534set to 500set to
535.Dq no 501.Cm no
536(the default). 502(the default).
537These sessions will try to reuse the master instance's network connection 503These sessions will try to reuse the master instance's network connection
538rather than initiating new ones, but will fall back to connecting normally 504rather than initiating new ones, but will fall back to connecting normally
539if the control socket does not exist, or is not listening. 505if the control socket does not exist, or is not listening.
540.Pp 506.Pp
541Setting this to 507Setting this to
542.Dq ask 508.Cm ask
543will cause ssh 509will cause
510.Xr ssh 1
544to listen for control connections, but require confirmation using 511to listen for control connections, but require confirmation using
545.Xr ssh-askpass 1 . 512.Xr ssh-askpass 1 .
546If the 513If the
547.Cm ControlPath 514.Cm ControlPath
548cannot be opened, 515cannot be opened,
549ssh will continue without connecting to a master instance. 516.Xr ssh 1
517will continue without connecting to a master instance.
550.Pp 518.Pp
551X11 and 519X11 and
552.Xr ssh-agent 1 520.Xr ssh-agent 1
@@ -558,18 +526,18 @@ Two additional options allow for opportunistic multiplexing: try to use a
558master connection but fall back to creating a new one if one does not already 526master connection but fall back to creating a new one if one does not already
559exist. 527exist.
560These options are: 528These options are:
561.Dq auto 529.Cm auto
562and 530and
563.Dq autoask . 531.Cm autoask .
564The latter requires confirmation like the 532The latter requires confirmation like the
565.Dq ask 533.Cm ask
566option. 534option.
567.It Cm ControlPath 535.It Cm ControlPath
568Specify the path to the control socket used for connection sharing as described 536Specify the path to the control socket used for connection sharing as described
569in the 537in the
570.Cm ControlMaster 538.Cm ControlMaster
571section above or the string 539section above or the string
572.Dq none 540.Cm none
573to disable connection sharing. 541to disable connection sharing.
574Arguments to 542Arguments to
575.Cm ControlPath 543.Cm ControlPath
@@ -590,18 +558,15 @@ specifies that the master connection should remain open
590in the background (waiting for future client connections) 558in the background (waiting for future client connections)
591after the initial client connection has been closed. 559after the initial client connection has been closed.
592If set to 560If set to
593.Dq no , 561.Cm no ,
594then the master connection will not be placed into the background, 562then the master connection will not be placed into the background,
595and will close as soon as the initial client connection is closed. 563and will close as soon as the initial client connection is closed.
596If set to 564If set to
597.Dq yes 565.Cm yes
598or 566or 0,
599.Dq 0 ,
600then the master connection will remain in the background indefinitely 567then the master connection will remain in the background indefinitely
601(until killed or closed via a mechanism such as the 568(until killed or closed via a mechanism such as the
602.Xr ssh 1 569.Qq ssh -O exit ) .
603.Dq Fl O No exit
604option).
605If set to a time in seconds, or a time in any of the formats documented in 570If set to a time in seconds, or a time in any of the formats documented in
606.Xr sshd_config 5 , 571.Xr sshd_config 5 ,
607then the backgrounded master connection will automatically terminate 572then the backgrounded master connection will automatically terminate
@@ -627,7 +592,7 @@ may be used to bind the connection to a specific address.
627The 592The
628.Ar bind_address 593.Ar bind_address
629of 594of
630.Dq localhost 595.Cm localhost
631indicates that the listening port be bound for local use only, while an 596indicates that the listening port be bound for local use only, while an
632empty address or 597empty address or
633.Sq * 598.Sq *
@@ -641,7 +606,7 @@ additional forwardings can be given on the command line.
641Only the superuser can forward privileged ports. 606Only the superuser can forward privileged ports.
642.It Cm EnableSSHKeysign 607.It Cm EnableSSHKeysign
643Setting this option to 608Setting this option to
644.Dq yes 609.Cm yes
645in the global client configuration file 610in the global client configuration file
646.Pa /etc/ssh/ssh_config 611.Pa /etc/ssh/ssh_config
647enables the use of the helper program 612enables the use of the helper program
@@ -649,11 +614,10 @@ enables the use of the helper program
649during 614during
650.Cm HostbasedAuthentication . 615.Cm HostbasedAuthentication .
651The argument must be 616The argument must be
652.Dq yes 617.Cm yes
653or 618or
654.Dq no . 619.Cm no
655The default is 620(the default).
656.Dq no .
657This option should be placed in the non-hostspecific section. 621This option should be placed in the non-hostspecific section.
658See 622See
659.Xr ssh-keysign 8 623.Xr ssh-keysign 8
@@ -666,7 +630,7 @@ be set on the command line.
666The argument should be a single character, 630The argument should be a single character,
667.Ql ^ 631.Ql ^
668followed by a letter, or 632followed by a letter, or
669.Dq none 633.Cm none
670to disable the escape 634to disable the escape
671character entirely (making the connection transparent for binary 635character entirely (making the connection transparent for binary
672data). 636data).
@@ -683,28 +647,25 @@ for example, cause
683.Xr ssh 1 647.Xr ssh 1
684to exit if TCP connections to the ultimate forwarding destination fail. 648to exit if TCP connections to the ultimate forwarding destination fail.
685The argument must be 649The argument must be
686.Dq yes 650.Cm yes
687or 651or
688.Dq no . 652.Cm no
689The default is 653(the default).
690.Dq no .
691.It Cm FingerprintHash 654.It Cm FingerprintHash
692Specifies the hash algorithm used when displaying key fingerprints. 655Specifies the hash algorithm used when displaying key fingerprints.
693Valid options are: 656Valid options are:
694.Dq md5 657.Cm md5
695and 658and
696.Dq sha256 . 659.Cm sha256
697The default is 660(the default).
698.Dq sha256 .
699.It Cm ForwardAgent 661.It Cm ForwardAgent
700Specifies whether the connection to the authentication agent (if any) 662Specifies whether the connection to the authentication agent (if any)
701will be forwarded to the remote machine. 663will be forwarded to the remote machine.
702The argument must be 664The argument must be
703.Dq yes 665.Cm yes
704or 666or
705.Dq no . 667.Cm no
706The default is 668(the default).
707.Dq no .
708.Pp 669.Pp
709Agent forwarding should be enabled with caution. 670Agent forwarding should be enabled with caution.
710Users with the ability to bypass file permissions on the remote host 671Users with the ability to bypass file permissions on the remote host
@@ -719,11 +680,10 @@ over the secure channel and
719.Ev DISPLAY 680.Ev DISPLAY
720set. 681set.
721The argument must be 682The argument must be
722.Dq yes 683.Cm yes
723or 684or
724.Dq no . 685.Cm no
725The default is 686(the default).
726.Dq no .
727.Pp 687.Pp
728X11 forwarding should be enabled with caution. 688X11 forwarding should be enabled with caution.
729Users with the ability to bypass file permissions on the remote host 689Users with the ability to bypass file permissions on the remote host
@@ -736,7 +696,8 @@ option is also enabled.
736.It Cm ForwardX11Timeout 696.It Cm ForwardX11Timeout
737Specify a timeout for untrusted X11 forwarding 697Specify a timeout for untrusted X11 forwarding
738using the format described in the 698using the format described in the
739TIME FORMATS section of 699.Sx TIME FORMATS
700section of
740.Xr sshd_config 5 . 701.Xr sshd_config 5 .
741X11 connections received by 702X11 connections received by
742.Xr ssh 1 703.Xr ssh 1
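Review bot: .Sx at line 699 marks a reference to a section of the current manual page, but TIME FORMATS is a section of sshd_config(5), as the following .Xr on line 701 says; mandoc's lint mode may report the .Sx target as a section that does not exist in this page. If the goal is only the typography, the old plain-text "TIME FORMATS section of" (line 739) avoided that; otherwise confirm that mandoc -Tlint is clean on the result.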
@@ -745,11 +706,12 @@ The default is to disable untrusted X11 forwarding after twenty minutes has
745elapsed. 706elapsed.
746.It Cm ForwardX11Trusted 707.It Cm ForwardX11Trusted
747If this option is set to 708If this option is set to
748.Dq yes , 709.Cm yes ,
749remote X11 clients will have full access to the original X11 display. 710remote X11 clients will have full access to the original X11 display.
750.Pp 711.Pp
751If this option is set to 712If this option is set to
752.Dq no , 713.Cm no
714(the default),
753remote X11 clients will be considered untrusted and prevented 715remote X11 clients will be considered untrusted and prevented
754from stealing or tampering with data belonging to trusted X11 716from stealing or tampering with data belonging to trusted X11
755clients. 717clients.
@@ -758,9 +720,6 @@ Furthermore, the
758token used for the session will be set to expire after 20 minutes. 720token used for the session will be set to expire after 20 minutes.
759Remote clients will be refused access after this time. 721Remote clients will be refused access after this time.
760.Pp 722.Pp
761The default is
762.Dq no .
763.Pp
764See the X11 SECURITY extension specification for full details on 723See the X11 SECURITY extension specification for full details on
765the restrictions imposed on untrusted clients. 724the restrictions imposed on untrusted clients.
766.It Cm GatewayPorts 725.It Cm GatewayPorts
@@ -775,11 +734,10 @@ can be used to specify that ssh
775should bind local port forwardings to the wildcard address, 734should bind local port forwardings to the wildcard address,
776thus allowing remote hosts to connect to forwarded ports. 735thus allowing remote hosts to connect to forwarded ports.
777The argument must be 736The argument must be
778.Dq yes 737.Cm yes
779or 738or
780.Dq no . 739.Cm no
781The default is 740(the default).
782.Dq no .
783.It Cm GlobalKnownHostsFile 741.It Cm GlobalKnownHostsFile
784Specifies one or more files to use for the global 742Specifies one or more files to use for the global
785host key database, separated by whitespace. 743host key database, separated by whitespace.
@@ -789,11 +747,11 @@ The default is
789.It Cm GSSAPIAuthentication 747.It Cm GSSAPIAuthentication
790Specifies whether user authentication based on GSSAPI is allowed. 748Specifies whether user authentication based on GSSAPI is allowed.
791The default is 749The default is
792.Dq no . 750.Cm no .
793.It Cm GSSAPIDelegateCredentials 751.It Cm GSSAPIDelegateCredentials
794Forward (delegate) credentials to the server. 752Forward (delegate) credentials to the server.
795The default is 753The default is
796.Dq no . 754.Cm no .
797.It Cm HashKnownHosts 755.It Cm HashKnownHosts
798Indicates that 756Indicates that
799.Xr ssh 1 757.Xr ssh 1
@@ -806,7 +764,7 @@ and
806but they do not reveal identifying information should the file's contents 764but they do not reveal identifying information should the file's contents
807be disclosed. 765be disclosed.
808The default is 766The default is
809.Dq no . 767.Cm no .
810Note that existing names and addresses in known hosts files 768Note that existing names and addresses in known hosts files
811will not be converted automatically, 769will not be converted automatically,
812but may be manually hashed using 770but may be manually hashed using
@@ -815,11 +773,10 @@ but may be manually hashed using
815Specifies whether to try rhosts based authentication with public key 773Specifies whether to try rhosts based authentication with public key
816authentication. 774authentication.
817The argument must be 775The argument must be
818.Dq yes 776.Cm yes
819or 777or
820.Dq no . 778.Cm no
821The default is 779(the default).
822.Dq no .
823.It Cm HostbasedKeyTypes 780.It Cm HostbasedKeyTypes
824Specifies the key types that will be used for hostbased authentication 781Specifies the key types that will be used for hostbased authentication
825as a comma-separated pattern list. 782as a comma-separated pattern list.
@@ -864,12 +821,8 @@ ssh-ed25519,ssh-rsa
864If hostkeys are known for the destination host then this default is modified 821If hostkeys are known for the destination host then this default is modified
865to prefer their algorithms. 822to prefer their algorithms.
866.Pp 823.Pp
867The list of available key types may also be obtained using the 824The list of available key types may also be obtained using
868.Fl Q 825.Qq ssh -Q key .
869option of
870.Xr ssh 1
871with an argument of
872.Dq key .
873.It Cm HostKeyAlias 826.It Cm HostKeyAlias
874Specifies an alias that should be used instead of the 827Specifies an alias that should be used instead of the
875real host name when looking up or saving the host key 828real host name when looking up or saving the host key
@@ -904,26 +857,25 @@ or a
904.Cm PKCS11Provider 857.Cm PKCS11Provider
905offers more identities. 858offers more identities.
906The argument to this keyword must be 859The argument to this keyword must be
907.Dq yes 860.Cm yes
908or 861or
909.Dq no . 862.Cm no
863(the default).
910This option is intended for situations where ssh-agent 864This option is intended for situations where ssh-agent
911offers many different identities. 865offers many different identities.
912The default is
913.Dq no .
914.It Cm IdentityAgent 866.It Cm IdentityAgent
915Specifies the 867Specifies the
916.Ux Ns -domain 868.Ux Ns -domain
917socket used to communicate with the authentication agent. 869socket used to communicate with the authentication agent.
918.Pp 870.Pp
919This option overrides the 871This option overrides the
920.Dq SSH_AUTH_SOCK 872.Ev SSH_AUTH_SOCK
921environment variable and can be used to select a specific agent. 873environment variable and can be used to select a specific agent.
922Setting the socket name to 874Setting the socket name to
923.Dq none 875.Cm none
924disables the use of an authentication agent. 876disables the use of an authentication agent.
925If the string 877If the string
926.Dq SSH_AUTH_SOCK 878.Qq SSH_AUTH_SOCK
927is specified, the location of the socket will be read from the 879is specified, the location of the socket will be read from the
928.Ev SSH_AUTH_SOCK 880.Ev SSH_AUTH_SOCK
929environment variable. 881environment variable.
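Review bot: the two SSH_AUTH_SOCK references are now marked differently and correctly: .Ev at line 872 for the environment variable that the option overrides, .Qq at line 878 for the literal string a user writes as the option value. One remaining style point in the same hunk: "ssh-agent" at line 864 is left as bare text, whereas this patch elsewhere promotes bare program names to cross-references (line 218 changes .Nm ssh to .Xr ssh 1); for consistency make it .Xr ssh-agent 1 here too.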
@@ -999,7 +951,7 @@ Include the specified configuration file(s).
999Multiple pathnames may be specified and each pathname may contain 951Multiple pathnames may be specified and each pathname may contain
1000.Xr glob 3 952.Xr glob 3
1001wildcards and, for user configurations, shell-like 953wildcards and, for user configurations, shell-like
1002.Dq ~ 954.Sq ~
1003references to user home directories. 955references to user home directories.
1004Files without absolute paths are assumed to be in 956Files without absolute paths are assumed to be in
1005.Pa ~/.ssh 957.Pa ~/.ssh
@@ -1016,48 +968,47 @@ to perform conditional inclusion.
1016.It Cm IPQoS 968.It Cm IPQoS
1017Specifies the IPv4 type-of-service or DSCP class for connections. 969Specifies the IPv4 type-of-service or DSCP class for connections.
1018Accepted values are 970Accepted values are
1019.Dq af11 , 971.Cm af11 ,
1020.Dq af12 , 972.Cm af12 ,
1021.Dq af13 , 973.Cm af13 ,
1022.Dq af21 , 974.Cm af21 ,
1023.Dq af22 , 975.Cm af22 ,
1024.Dq af23 , 976.Cm af23 ,
1025.Dq af31 , 977.Cm af31 ,
1026.Dq af32 , 978.Cm af32 ,
1027.Dq af33 , 979.Cm af33 ,
1028.Dq af41 , 980.Cm af41 ,
1029.Dq af42 , 981.Cm af42 ,
1030.Dq af43 , 982.Cm af43 ,
1031.Dq cs0 , 983.Cm cs0 ,
1032.Dq cs1 , 984.Cm cs1 ,
1033.Dq cs2 , 985.Cm cs2 ,
1034.Dq cs3 , 986.Cm cs3 ,
1035.Dq cs4 , 987.Cm cs4 ,
1036.Dq cs5 , 988.Cm cs5 ,
1037.Dq cs6 , 989.Cm cs6 ,
1038.Dq cs7 , 990.Cm cs7 ,
1039.Dq ef , 991.Cm ef ,
1040.Dq lowdelay , 992.Cm lowdelay ,
1041.Dq throughput , 993.Cm throughput ,
1042.Dq reliability , 994.Cm reliability ,
1043or a numeric value. 995or a numeric value.
1044This option may take one or two arguments, separated by whitespace. 996This option may take one or two arguments, separated by whitespace.
1045If one argument is specified, it is used as the packet class unconditionally. 997If one argument is specified, it is used as the packet class unconditionally.
1046If two values are specified, the first is automatically selected for 998If two values are specified, the first is automatically selected for
1047interactive sessions and the second for non-interactive sessions. 999interactive sessions and the second for non-interactive sessions.
1048The default is 1000The default is
1049.Dq lowdelay 1001.Cm lowdelay
1050for interactive sessions and 1002for interactive sessions and
1051.Dq throughput 1003.Cm throughput
1052for non-interactive sessions. 1004for non-interactive sessions.
1053.It Cm KbdInteractiveAuthentication 1005.It Cm KbdInteractiveAuthentication
1054Specifies whether to use keyboard-interactive authentication. 1006Specifies whether to use keyboard-interactive authentication.
1055The argument to this keyword must be 1007The argument to this keyword must be
1056.Dq yes 1008.Cm yes
1009(the default)
1057or 1010or
1058.Dq no . 1011.Cm no .
1059The default is
1060.Dq yes .
1061.It Cm KbdInteractiveDevices 1012.It Cm KbdInteractiveDevices
1062Specifies the list of methods to use in keyboard-interactive authentication. 1013Specifies the list of methods to use in keyboard-interactive authentication.
1063Multiple method names must be comma-separated. 1014Multiple method names must be comma-separated.
@@ -1065,10 +1016,10 @@ The default is to use the server specified list.
1065The methods available vary depending on what the server supports. 1016The methods available vary depending on what the server supports.
1066For an OpenSSH server, 1017For an OpenSSH server,
1067it may be zero or more of: 1018it may be zero or more of:
1068.Dq bsdauth , 1019.Cm bsdauth ,
1069.Dq pam , 1020.Cm pam ,
1070and 1021and
1071.Dq skey . 1022.Cm skey .
1072.It Cm KexAlgorithms 1023.It Cm KexAlgorithms
1073Specifies the available KEX (Key Exchange) algorithms. 1024Specifies the available KEX (Key Exchange) algorithms.
1074Multiple algorithms must be comma-separated. 1025Multiple algorithms must be comma-separated.
@@ -1085,12 +1036,8 @@ diffie-hellman-group-exchange-sha1,
1085diffie-hellman-group14-sha1 1036diffie-hellman-group14-sha1
1086.Ed 1037.Ed
1087.Pp 1038.Pp
1088The list of available key exchange algorithms may also be obtained using the 1039The list of available key exchange algorithms may also be obtained using
1089.Fl Q 1040.Qq ssh -Q kex .
1090option of
1091.Xr ssh 1
1092with an argument of
1093.Dq kex .
1094.It Cm LocalCommand 1041.It Cm LocalCommand
1095Specifies a command to execute on the local machine after successfully 1042Specifies a command to execute on the local machine after successfully
1096connecting to the server. 1043connecting to the server.
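Review bot: replacing the ".Fl Q" / ".Xr ssh 1" wording with ".Qq ssh -Q kex ." at new line 1039-1040 drops the cross reference to ssh(1), so the rendered page no longer points the reader at where -Q is documented; the same applies to the MAC hunk (".Qq ssh -Q mac .") and the key-type hunk (".Qq ssh -Q key .") further down. Consider keeping the reference, for example by following the quoted command with "(see" and ".Xr ssh 1 )". Note also that the key-type hunk changes "list supported key types" to "available key types": -Q reports what the ssh binary supports, not what the active configuration enables, so "supported" was the more accurate word for all three.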
@@ -1133,7 +1080,7 @@ may be used to bind the connection to a specific address.
1133The 1080The
1134.Ar bind_address 1081.Ar bind_address
1135of 1082of
1136.Dq localhost 1083.Cm localhost
1137indicates that the listening port be bound for local use only, while an 1084indicates that the listening port be bound for local use only, while an
1138empty address or 1085empty address or
1139.Sq * 1086.Sq *
@@ -1157,7 +1104,7 @@ character, then the specified algorithms will be appended to the default set
1157instead of replacing them. 1104instead of replacing them.
1158.Pp 1105.Pp
1159The algorithms that contain 1106The algorithms that contain
1160.Dq -etm 1107.Qq -etm
1161calculate the MAC after encryption (encrypt-then-mac). 1108calculate the MAC after encryption (encrypt-then-mac).
1162These are considered safer and their use recommended. 1109These are considered safer and their use recommended.
1163.Pp 1110.Pp
@@ -1170,22 +1117,18 @@ umac-64@openssh.com,umac-128@openssh.com,
1170hmac-sha2-256,hmac-sha2-512,hmac-sha1 1117hmac-sha2-256,hmac-sha2-512,hmac-sha1
1171.Ed 1118.Ed
1172.Pp 1119.Pp
1173The list of available MAC algorithms may also be obtained using the 1120The list of available MAC algorithms may also be obtained using
1174.Fl Q 1121.Qq ssh -Q mac .
1175option of
1176.Xr ssh 1
1177with an argument of
1178.Dq mac .
1179.It Cm NoHostAuthenticationForLocalhost 1122.It Cm NoHostAuthenticationForLocalhost
1180This option can be used if the home directory is shared across machines. 1123This option can be used if the home directory is shared across machines.
1181In this case localhost will refer to a different machine on each of 1124In this case localhost will refer to a different machine on each of
1182the machines and the user will get many warnings about changed host keys. 1125the machines and the user will get many warnings about changed host keys.
1183However, this option disables host authentication for localhost. 1126However, this option disables host authentication for localhost.
1184The argument to this keyword must be 1127The argument to this keyword must be
1185.Dq yes 1128.Cm yes
1186or 1129or
1187.Dq no . 1130.Cm no .
1188The default is to check the host key for localhost. 1131(the default).
1189.It Cm NumberOfPasswordPrompts 1132.It Cm NumberOfPasswordPrompts
1190Specifies the number of password prompts before giving up. 1133Specifies the number of password prompts before giving up.
1191The argument to this keyword must be an integer. 1134The argument to this keyword must be an integer.
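Review bot: in the NoHostAuthenticationForLocalhost rewrite, the trailing period on ".Cm no ." (new line 1130) should be dropped now that "(the default)." follows on line 1131; as written it renders as "yes or no. (the default)." Every other option in this change that folds the default into a parenthetical (PermitLocalCommand, UsePrivilegedPort, Tunnel) uses ".Cm no" with no period and puts the period after the parenthesis. Separately, the removed sentence "The default is to check the host key for localhost." stated what the default actually does for host authentication; a bare "(the default)" on "no" loses that, so consider keeping a short clause saying that localhost's host key is still verified unless this is enabled.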
@@ -1193,11 +1136,10 @@ The default is 3.
1193.It Cm PasswordAuthentication 1136.It Cm PasswordAuthentication
1194Specifies whether to use password authentication. 1137Specifies whether to use password authentication.
1195The argument to this keyword must be 1138The argument to this keyword must be
1196.Dq yes 1139.Cm yes
1140(the default)
1197or 1141or
1198.Dq no . 1142.Cm no .
1199The default is
1200.Dq yes .
1201.It Cm PermitLocalCommand 1143.It Cm PermitLocalCommand
1202Allow local command execution via the 1144Allow local command execution via the
1203.Ic LocalCommand 1145.Ic LocalCommand
@@ -1206,11 +1148,10 @@ option or using the
1206escape sequence in 1148escape sequence in
1207.Xr ssh 1 . 1149.Xr ssh 1 .
1208The argument must be 1150The argument must be
1209.Dq yes 1151.Cm yes
1210or 1152or
1211.Dq no . 1153.Cm no
1212The default is 1154(the default).
1213.Dq no .
1214.It Cm PKCS11Provider 1155.It Cm PKCS11Provider
1215Specifies which PKCS#11 provider to use. 1156Specifies which PKCS#11 provider to use.
1216The argument to this keyword is the PKCS#11 shared library 1157The argument to this keyword is the PKCS#11 shared library
@@ -1235,18 +1176,14 @@ keyboard-interactive,password
1235Specifies the protocol versions 1176Specifies the protocol versions
1236.Xr ssh 1 1177.Xr ssh 1
1237should support in order of preference. 1178should support in order of preference.
1238The possible values are 1179The possible values are 1 and 2.
1239.Sq 1
1240and
1241.Sq 2 .
1242Multiple versions must be comma-separated. 1180Multiple versions must be comma-separated.
1243When this option is set to 1181When this option is set to
1244.Dq 2,1 1182.Cm 2,1
1245.Nm ssh 1183.Nm ssh
1246will try version 2 and fall back to version 1 1184will try version 2 and fall back to version 1
1247if version 2 is not available. 1185if version 2 is not available.
1248The default is 1186The default is version 2.
1249.Sq 2 .
1250Protocol 1 suffers from a number of cryptographic weaknesses and should 1187Protocol 1 suffers from a number of cryptographic weaknesses and should
1251not be used. 1188not be used.
1252It is only offered to support legacy devices. 1189It is only offered to support legacy devices.
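Review bot: markup is now inconsistent within the Protocol entry: "The possible values are 1 and 2." and "The default is version 2." (new lines 1179, 1186) carry no macro, while the combined value on line 1182 is set as ".Cm 2,1". Either mark the single values as ".Cm 1" and ".Cm 2" so all argument values render alike, or drop the ".Cm" on "2,1" and keep the whole entry plain.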
@@ -1274,7 +1211,7 @@ Host key management will be done using the
1274HostName of the host being connected (defaulting to the name typed by 1211HostName of the host being connected (defaulting to the name typed by
1275the user). 1212the user).
1276Setting the command to 1213Setting the command to
1277.Dq none 1214.Cm none
1278disables this option entirely. 1215disables this option entirely.
1279Note that 1216Note that
1280.Cm CheckHostIP 1217.Cm CheckHostIP
@@ -1319,7 +1256,7 @@ will pass a connected file descriptor back to
1319.Xr ssh 1 1256.Xr ssh 1
1320instead of continuing to execute and pass data. 1257instead of continuing to execute and pass data.
1321The default is 1258The default is
1322.Dq no . 1259.Cm no .
1323.It Cm PubkeyAcceptedKeyTypes 1260.It Cm PubkeyAcceptedKeyTypes
1324Specifies the key types that will be used for public key authentication 1261Specifies the key types that will be used for public key authentication
1325as a comma-separated pattern list. 1262as a comma-separated pattern list.
@@ -1338,19 +1275,15 @@ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1338ssh-ed25519,ssh-rsa 1275ssh-ed25519,ssh-rsa
1339.Ed 1276.Ed
1340.Pp 1277.Pp
1341The 1278The list of available key types may also be obtained using
1342.Fl Q 1279.Qq ssh -Q key .
1343option of
1344.Xr ssh 1
1345may be used to list supported key types.
1346.It Cm PubkeyAuthentication 1280.It Cm PubkeyAuthentication
1347Specifies whether to try public key authentication. 1281Specifies whether to try public key authentication.
1348The argument to this keyword must be 1282The argument to this keyword must be
1349.Dq yes 1283.Cm yes
1284(the default)
1350or 1285or
1351.Dq no . 1286.Cm no .
1352The default is
1353.Dq yes .
1354.It Cm RekeyLimit 1287.It Cm RekeyLimit
1355Specifies the maximum amount of data that may be transmitted before the 1288Specifies the maximum amount of data that may be transmitted before the
1356session key is renegotiated, optionally followed a maximum amount of 1289session key is renegotiated, optionally followed a maximum amount of
@@ -1368,12 +1301,13 @@ and
1368depending on the cipher. 1301depending on the cipher.
1369The optional second value is specified in seconds and may use any of the 1302The optional second value is specified in seconds and may use any of the
1370units documented in the 1303units documented in the
1371TIME FORMATS section of 1304.Sx TIME FORMATS
1305section of
1372.Xr sshd_config 5 . 1306.Xr sshd_config 5 .
1373The default value for 1307The default value for
1374.Cm RekeyLimit 1308.Cm RekeyLimit
1375is 1309is
1376.Dq default none , 1310.Cm default none ,
1377which means that rekeying is performed after the cipher's default amount 1311which means that rekeying is performed after the cipher's default amount
1378of data has been sent or received and no time based rekeying is done. 1312of data has been sent or received and no time based rekeying is done.
1379.It Cm RemoteForward 1313.It Cm RemoteForward
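Review bot: ".Sx TIME FORMATS" at new line 1304 references a section that is not in this manual; it lives in sshd_config(5), as the following ".Xr sshd_config 5 ." shows. ".Sx" is meant for sections of the current page, so HTML output will emit a link to a nonexistent anchor in ssh_config(5). Keep the section name as plain text (as the old line 1371 had it) and let the ".Xr" carry the cross reference. Unchanged context line 1289 also still reads "optionally followed a maximum amount of", which is missing "by".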
@@ -1393,8 +1327,7 @@ logging in as root on the remote machine.
1393.Pp 1327.Pp
1394If the 1328If the
1395.Ar port 1329.Ar port
1396argument is 1330argument is 0,
1397.Ql 0 ,
1398the listen port will be dynamically allocated on the server and reported 1331the listen port will be dynamically allocated on the server and reported
1399to the client at run time. 1332to the client at run time.
1400.Pp 1333.Pp
@@ -1416,13 +1349,13 @@ option is enabled (see
1416.It Cm RequestTTY 1349.It Cm RequestTTY
1417Specifies whether to request a pseudo-tty for the session. 1350Specifies whether to request a pseudo-tty for the session.
1418The argument may be one of: 1351The argument may be one of:
1419.Dq no 1352.Cm no
1420(never request a TTY), 1353(never request a TTY),
1421.Dq yes 1354.Cm yes
1422(always request a TTY when standard input is a TTY), 1355(always request a TTY when standard input is a TTY),
1423.Dq force 1356.Cm force
1424(always request a TTY) or 1357(always request a TTY) or
1425.Dq auto 1358.Cm auto
1426(request a TTY when opening a login session). 1359(request a TTY when opening a login session).
1427This option mirrors the 1360This option mirrors the
1428.Fl t 1361.Fl t
@@ -1444,25 +1377,23 @@ For more information on KRLs, see the KEY REVOCATION LISTS section in
1444Specifies whether to try rhosts based authentication with RSA host 1377Specifies whether to try rhosts based authentication with RSA host
1445authentication. 1378authentication.
1446The argument must be 1379The argument must be
1447.Dq yes 1380.Cm yes
1448or 1381or
1449.Dq no . 1382.Cm no
1450The default is 1383(the default).
1451.Dq no .
1452This option applies to protocol version 1 only and requires 1384This option applies to protocol version 1 only and requires
1453.Xr ssh 1 1385.Xr ssh 1
1454to be setuid root. 1386to be setuid root.
1455.It Cm RSAAuthentication 1387.It Cm RSAAuthentication
1456Specifies whether to try RSA authentication. 1388Specifies whether to try RSA authentication.
1457The argument to this keyword must be 1389The argument to this keyword must be
1458.Dq yes 1390.Cm yes
1391(the default)
1459or 1392or
1460.Dq no . 1393.Cm no .
1461RSA authentication will only be 1394RSA authentication will only be
1462attempted if the identity file exists, or an authentication agent is 1395attempted if the identity file exists, or an authentication agent is
1463running. 1396running.
1464The default is
1465.Dq yes .
1466Note that this option applies to protocol version 1 only. 1397Note that this option applies to protocol version 1 only.
1467.It Cm SendEnv 1398.It Cm SendEnv
1468Specifies what variables from the local 1399Specifies what variables from the local
@@ -1545,14 +1476,13 @@ will be unable to forward the port to the Unix-domain socket file.
1545This option is only used for port forwarding to a Unix-domain socket file. 1476This option is only used for port forwarding to a Unix-domain socket file.
1546.Pp 1477.Pp
1547The argument must be 1478The argument must be
1548.Dq yes 1479.Cm yes
1549or 1480or
1550.Dq no . 1481.Cm no
1551The default is 1482(the default).
1552.Dq no .
1553.It Cm StrictHostKeyChecking 1483.It Cm StrictHostKeyChecking
1554If this flag is set to 1484If this flag is set to
1555.Dq yes , 1485.Cm yes ,
1556.Xr ssh 1 1486.Xr ssh 1
1557will never automatically add host keys to the 1487will never automatically add host keys to the
1558.Pa ~/.ssh/known_hosts 1488.Pa ~/.ssh/known_hosts
@@ -1565,24 +1495,18 @@ frequently made.
1565This option forces the user to manually 1495This option forces the user to manually
1566add all new hosts. 1496add all new hosts.
1567If this flag is set to 1497If this flag is set to
1568.Dq no , 1498.Cm no ,
1569ssh will automatically add new host keys to the 1499ssh will automatically add new host keys to the
1570user known hosts files. 1500user known hosts files.
1571If this flag is set to 1501If this flag is set to
1572.Dq ask , 1502.Cm ask
1503(the default),
1573new host keys 1504new host keys
1574will be added to the user known host files only after the user 1505will be added to the user known host files only after the user
1575has confirmed that is what they really want to do, and 1506has confirmed that is what they really want to do, and
1576ssh will refuse to connect to hosts whose host key has changed. 1507ssh will refuse to connect to hosts whose host key has changed.
1577The host keys of 1508The host keys of
1578known hosts will be verified automatically in all cases. 1509known hosts will be verified automatically in all cases.
1579The argument must be
1580.Dq yes ,
1581.Dq no ,
1582or
1583.Dq ask .
1584The default is
1585.Dq ask .
1586.It Cm TCPKeepAlive 1510.It Cm TCPKeepAlive
1587Specifies whether the system should send TCP keepalive messages to the 1511Specifies whether the system should send TCP keepalive messages to the
1588other side. 1512other side.
@@ -1593,31 +1517,30 @@ connections will die if the route is down temporarily, and some people
1593find it annoying. 1517find it annoying.
1594.Pp 1518.Pp
1595The default is 1519The default is
1596.Dq yes 1520.Cm yes
1597(to send TCP keepalive messages), and the client will notice 1521(to send TCP keepalive messages), and the client will notice
1598if the network goes down or the remote host dies. 1522if the network goes down or the remote host dies.
1599This is important in scripts, and many users want it too. 1523This is important in scripts, and many users want it too.
1600.Pp 1524.Pp
1601To disable TCP keepalive messages, the value should be set to 1525To disable TCP keepalive messages, the value should be set to
1602.Dq no . 1526.Cm no .
1603.It Cm Tunnel 1527.It Cm Tunnel
1604Request 1528Request
1605.Xr tun 4 1529.Xr tun 4
1606device forwarding between the client and the server. 1530device forwarding between the client and the server.
1607The argument must be 1531The argument must be
1608.Dq yes , 1532.Cm yes ,
1609.Dq point-to-point 1533.Cm point-to-point
1610(layer 3), 1534(layer 3),
1611.Dq ethernet 1535.Cm ethernet
1612(layer 2), 1536(layer 2),
1613or 1537or
1614.Dq no . 1538.Cm no
1539(the default).
1615Specifying 1540Specifying
1616.Dq yes 1541.Cm yes
1617requests the default tunnel mode, which is 1542requests the default tunnel mode, which is
1618.Dq point-to-point . 1543.Cm point-to-point .
1619The default is
1620.Dq no .
1621.It Cm TunnelDevice 1544.It Cm TunnelDevice
1622Specifies the 1545Specifies the
1623.Xr tun 4 1546.Xr tun 4
@@ -1631,14 +1554,14 @@ The argument must be
1631.Ar local_tun Op : Ar remote_tun . 1554.Ar local_tun Op : Ar remote_tun .
1632.Sm on 1555.Sm on
1633The devices may be specified by numerical ID or the keyword 1556The devices may be specified by numerical ID or the keyword
1634.Dq any , 1557.Cm any ,
1635which uses the next available tunnel device. 1558which uses the next available tunnel device.
1636If 1559If
1637.Ar remote_tun 1560.Ar remote_tun
1638is not specified, it defaults to 1561is not specified, it defaults to
1639.Dq any . 1562.Cm any .
1640The default is 1563The default is
1641.Dq any:any . 1564.Cm any:any .
1642.It Cm UpdateHostKeys 1565.It Cm UpdateHostKeys
1643Specifies whether 1566Specifies whether
1644.Xr ssh 1 1567.Xr ssh 1
@@ -1646,10 +1569,10 @@ should accept notifications of additional hostkeys from the server sent
1646after authentication has completed and add them to 1569after authentication has completed and add them to
1647.Cm UserKnownHostsFile . 1570.Cm UserKnownHostsFile .
1648The argument must be 1571The argument must be
1649.Dq yes , 1572.Cm yes ,
1650.Dq no 1573.Cm no
1651(the default) or 1574(the default) or
1652.Dq ask . 1575.Cm ask .
1653Enabling this option allows learning alternate hostkeys for a server 1576Enabling this option allows learning alternate hostkeys for a server
1654and supports graceful key rotation by allowing a server to send replacement 1577and supports graceful key rotation by allowing a server to send replacement
1655public keys before old ones are removed. 1578public keys before old ones are removed.
@@ -1658,7 +1581,7 @@ host was already trusted or explicitly accepted by the user.
1658If 1581If
1659.Cm UpdateHostKeys 1582.Cm UpdateHostKeys
1660is set to 1583is set to
1661.Dq ask , 1584.Cm ask ,
1662then the user is asked to confirm the modifications to the known_hosts file. 1585then the user is asked to confirm the modifications to the known_hosts file.
1663Confirmation is currently incompatible with 1586Confirmation is currently incompatible with
1664.Cm ControlPersist , 1587.Cm ControlPersist ,
@@ -1667,22 +1590,21 @@ and will be disabled if it is enabled.
1667Presently, only 1590Presently, only
1668.Xr sshd 8 1591.Xr sshd 8
1669from OpenSSH 6.8 and greater support the 1592from OpenSSH 6.8 and greater support the
1670.Dq hostkeys@openssh.com 1593.Qq hostkeys@openssh.com
1671protocol extension used to inform the client of all the server's hostkeys. 1594protocol extension used to inform the client of all the server's hostkeys.
1672.It Cm UsePrivilegedPort 1595.It Cm UsePrivilegedPort
1673Specifies whether to use a privileged port for outgoing connections. 1596Specifies whether to use a privileged port for outgoing connections.
1674The argument must be 1597The argument must be
1675.Dq yes 1598.Cm yes
1676or 1599or
1677.Dq no . 1600.Cm no
1678The default is 1601(the default).
1679.Dq no .
1680If set to 1602If set to
1681.Dq yes , 1603.Cm yes ,
1682.Xr ssh 1 1604.Xr ssh 1
1683must be setuid root. 1605must be setuid root.
1684Note that this option must be set to 1606Note that this option must be set to
1685.Dq yes 1607.Cm yes
1686for 1608for
1687.Cm RhostsRSAAuthentication 1609.Cm RhostsRSAAuthentication
1688with older servers. 1610with older servers.
@@ -1701,39 +1623,35 @@ The default is
1701Specifies whether to verify the remote key using DNS and SSHFP resource 1623Specifies whether to verify the remote key using DNS and SSHFP resource
1702records. 1624records.
1703If this option is set to 1625If this option is set to
1704.Dq yes , 1626.Cm yes ,
1705the client will implicitly trust keys that match a secure fingerprint 1627the client will implicitly trust keys that match a secure fingerprint
1706from DNS. 1628from DNS.
1707Insecure fingerprints will be handled as if this option was set to 1629Insecure fingerprints will be handled as if this option was set to
1708.Dq ask . 1630.Cm ask .
1709If this option is set to 1631If this option is set to
1710.Dq ask , 1632.Cm ask ,
1711information on fingerprint match will be displayed, but the user will still 1633information on fingerprint match will be displayed, but the user will still
1712need to confirm new host keys according to the 1634need to confirm new host keys according to the
1713.Cm StrictHostKeyChecking 1635.Cm StrictHostKeyChecking
1714option. 1636option.
1715The argument must be
1716.Dq yes ,
1717.Dq no ,
1718or
1719.Dq ask .
1720The default is 1637The default is
1721.Dq no . 1638.Cm no .
1722.Pp 1639.Pp
1723See also VERIFYING HOST KEYS in 1640See also
1641.Sx VERIFYING HOST KEYS
1642in
1724.Xr ssh 1 . 1643.Xr ssh 1 .
1725.It Cm VisualHostKey 1644.It Cm VisualHostKey
1726If this flag is set to 1645If this flag is set to
1727.Dq yes , 1646.Cm yes ,
1728an ASCII art representation of the remote host key fingerprint is 1647an ASCII art representation of the remote host key fingerprint is
1729printed in addition to the fingerprint string at login and 1648printed in addition to the fingerprint string at login and
1730for unknown host keys. 1649for unknown host keys.
1731If this flag is set to 1650If this flag is set to
1732.Dq no , 1651.Cm no
1652(the default),
1733no fingerprint strings are printed at login and 1653no fingerprint strings are printed at login and
1734only the fingerprint string will be printed for unknown host keys. 1654only the fingerprint string will be printed for unknown host keys.
1735The default is
1736.Dq no .
1737.It Cm XAuthLocation 1655.It Cm XAuthLocation
1738Specifies the full pathname of the 1656Specifies the full pathname of the
1739.Xr xauth 1 1657.Xr xauth 1
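Review bot: same issue as the RekeyLimit hunk: ".Sx VERIFYING HOST KEYS" at new line 1641 points at a section of ssh(1), not of this page, so the ".Sx" cross reference will not resolve within ssh_config(5); plain text "VERIFYING HOST KEYS in" followed by ".Xr ssh 1 ." (the old line 1723 form) is the safe choice. The removal of the "The argument must be yes, no, or ask." sentence is fine here, since all three values still appear in the surrounding "If this option is set to" sentences and "The default is no." is kept.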
@@ -1751,7 +1669,7 @@ or
1751.Sq ?\& 1669.Sq ?\&
1752(a wildcard that matches exactly one character). 1670(a wildcard that matches exactly one character).
1753For example, to specify a set of declarations for any host in the 1671For example, to specify a set of declarations for any host in the
1754.Dq .co.uk 1672.Qq .co.uk
1755set of domains, 1673set of domains,
1756the following pattern could be used: 1674the following pattern could be used:
1757.Pp 1675.Pp
@@ -1771,7 +1689,7 @@ by preceding them with an exclamation mark
1771For example, 1689For example,
1772to allow a key to be used from anywhere within an organization 1690to allow a key to be used from anywhere within an organization
1773except from the 1691except from the
1774.Dq dialup 1692.Qq dialup
1775pool, 1693pool,
1776the following entry (in authorized_keys) could be used: 1694the following entry (in authorized_keys) could be used:
1777.Pp 1695.Pp
@@ -1846,11 +1764,15 @@ This file must be world-readable.
1846.Sh SEE ALSO 1764.Sh SEE ALSO
1847.Xr ssh 1 1765.Xr ssh 1
1848.Sh AUTHORS 1766.Sh AUTHORS
1767.An -nosplit
1849OpenSSH is a derivative of the original and free 1768OpenSSH is a derivative of the original and free
1850ssh 1.2.12 release by Tatu Ylonen. 1769ssh 1.2.12 release by
1851Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1770.An Tatu Ylonen .
1852Theo de Raadt and Dug Song 1771.An Aaron Campbell , Bob Beck , Markus Friedl ,
1772.An Niels Provos , Theo de Raadt
1773and
1774.An Dug Song
1853removed many bugs, re-added newer features and 1775removed many bugs, re-added newer features and
1854created OpenSSH. 1776created OpenSSH.
1855Markus Friedl contributed the support for SSH 1777.An Markus Friedl
1856protocol versions 1.5 and 2.0. 1778contributed the support for SSH protocol versions 1.5 and 2.0.