diff options
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 1167 |
1 files changed, 1167 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0 new file mode 100644 index 000000000..316b2e1ef --- /dev/null +++ b/ssh_config.0 | |||
@@ -0,0 +1,1167 @@ | |||
1 | SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | ssh_config M-bM-^@M-^S OpenSSH client configuration file | ||
5 | |||
6 | DESCRIPTION | ||
7 | ssh(1) obtains configuration data from the following sources in the | ||
8 | following order: | ||
9 | |||
10 | 1. command-line options | ||
11 | 2. user's configuration file (~/.ssh/config) | ||
12 | 3. system-wide configuration file (/etc/ssh/ssh_config) | ||
13 | |||
14 | For each parameter, the first obtained value will be used. The | ||
15 | configuration files contain sections separated by Host specifications, | ||
16 | and that section is only applied for hosts that match one of the patterns | ||
17 | given in the specification. The matched host name is usually the one | ||
18 | given on the command line (see the CanonicalizeHostname option for | ||
19 | exceptions). | ||
20 | |||
21 | Since the first obtained value for each parameter is used, more host- | ||
22 | specific declarations should be given near the beginning of the file, and | ||
23 | general defaults at the end. | ||
24 | |||
25 | The file contains keyword-argument pairs, one per line. Lines starting | ||
26 | with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as comments. Arguments may | ||
27 | optionally be enclosed in double quotes (") in order to represent | ||
28 | arguments containing spaces. Configuration options may be separated by | ||
29 | whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the latter format | ||
30 | is useful to avoid the need to quote whitespace when specifying | ||
31 | configuration options using the ssh, scp, and sftp -o option. | ||
32 | |||
33 | The possible keywords and their meanings are as follows (note that | ||
34 | keywords are case-insensitive and arguments are case-sensitive): | ||
35 | |||
36 | Host Restricts the following declarations (up to the next Host or | ||
37 | Match keyword) to be only for those hosts that match one of the | ||
38 | patterns given after the keyword. If more than one pattern is | ||
39 | provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y | ||
40 | as a pattern can be used to provide global defaults for all | ||
41 | hosts. The host is usually the hostname argument given on the | ||
42 | command line (see the CanonicalizeHostname keyword for | ||
43 | exceptions). | ||
44 | |||
45 | A pattern entry may be negated by prefixing it with an | ||
46 | exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the | ||
47 | Host entry is ignored, regardless of whether any other patterns | ||
48 | on the line match. Negated matches are therefore useful to | ||
49 | provide exceptions for wildcard matches. | ||
50 | |||
51 | See PATTERNS for more information on patterns. | ||
52 | |||
53 | Match Restricts the following declarations (up to the next Host or | ||
54 | Match keyword) to be used only when the conditions following the | ||
55 | Match keyword are satisfied. Match conditions are specified | ||
56 | using one or more criteria or the single token all which always | ||
57 | matches. The available criteria keywords are: canonical, final, | ||
58 | exec, host, originalhost, user, and localuser. The all criteria | ||
59 | must appear alone or immediately after canonical or final. Other | ||
60 | criteria may be combined arbitrarily. All criteria but all, | ||
61 | canonical, and final require an argument. Criteria may be | ||
62 | negated by prepending an exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). | ||
63 | |||
64 | The canonical keyword matches only when the configuration file is | ||
65 | being re-parsed after hostname canonicalization (see the | ||
66 | CanonicalizeHostname option). This may be useful to specify | ||
67 | conditions that work with canonical host names only. | ||
68 | |||
69 | The final keyword requests that the configuration be re-parsed | ||
70 | (regardless of whether CanonicalizeHostname is enabled), and | ||
71 | matches only during this final pass. If CanonicalizeHostname is | ||
72 | enabled, then canonical and final match during the same pass. | ||
73 | |||
74 | The exec keyword executes the specified command under the user's | ||
75 | shell. If the command returns a zero exit status then the | ||
76 | condition is considered true. Commands containing whitespace | ||
77 | characters must be quoted. Arguments to exec accept the tokens | ||
78 | described in the TOKENS section. | ||
79 | |||
80 | The other keywords' criteria must be single entries or comma- | ||
81 | separated lists and may use the wildcard and negation operators | ||
82 | described in the PATTERNS section. The criteria for the host | ||
83 | keyword are matched against the target hostname, after any | ||
84 | substitution by the Hostname or CanonicalizeHostname options. | ||
85 | The originalhost keyword matches against the hostname as it was | ||
86 | specified on the command-line. The user keyword matches against | ||
87 | the target username on the remote host. The localuser keyword | ||
88 | matches against the name of the local user running ssh(1) (this | ||
89 | keyword may be useful in system-wide ssh_config files). | ||
90 | |||
91 | AddKeysToAgent | ||
92 | Specifies whether keys should be automatically added to a running | ||
93 | ssh-agent(1). If this option is set to yes and a key is loaded | ||
94 | from a file, the key and its passphrase are added to the agent | ||
95 | with the default lifetime, as if by ssh-add(1). If this option | ||
96 | is set to ask, ssh(1) will require confirmation using the | ||
97 | SSH_ASKPASS program before adding a key (see ssh-add(1) for | ||
98 | details). If this option is set to confirm, each use of the key | ||
99 | must be confirmed, as if the -c option was specified to | ||
100 | ssh-add(1). If this option is set to no, no keys are added to | ||
101 | the agent. The argument must be yes, confirm, ask, or no (the | ||
102 | default). | ||
103 | |||
104 | AddressFamily | ||
105 | Specifies which address family to use when connecting. Valid | ||
106 | arguments are any (the default), inet (use IPv4 only), or inet6 | ||
107 | (use IPv6 only). | ||
108 | |||
109 | BatchMode | ||
110 | If set to yes, user interaction such as password prompts and host | ||
111 | key confirmation requests will be disabled. This option is | ||
112 | useful in scripts and other batch jobs where no user is present | ||
113 | to interact with ssh(1). The argument must be yes or no (the | ||
114 | default). | ||
115 | |||
116 | BindAddress | ||
117 | Use the specified address on the local machine as the source | ||
118 | address of the connection. Only useful on systems with more than | ||
119 | one address. | ||
120 | |||
121 | BindInterface | ||
122 | Use the address of the specified interface on the local machine | ||
123 | as the source address of the connection. | ||
124 | |||
125 | CanonicalDomains | ||
126 | When CanonicalizeHostname is enabled, this option specifies the | ||
127 | list of domain suffixes in which to search for the specified | ||
128 | destination host. | ||
129 | |||
130 | CanonicalizeFallbackLocal | ||
131 | Specifies whether to fail with an error when hostname | ||
132 | canonicalization fails. The default, yes, will attempt to look | ||
133 | up the unqualified hostname using the system resolver's search | ||
134 | rules. A value of no will cause ssh(1) to fail instantly if | ||
135 | CanonicalizeHostname is enabled and the target hostname cannot be | ||
136 | found in any of the domains specified by CanonicalDomains. | ||
137 | |||
138 | CanonicalizeHostname | ||
139 | Controls whether explicit hostname canonicalization is performed. | ||
140 | The default, no, is not to perform any name rewriting and let the | ||
141 | system resolver handle all hostname lookups. If set to yes then, | ||
142 | for connections that do not use a ProxyCommand or ProxyJump, | ||
143 | ssh(1) will attempt to canonicalize the hostname specified on the | ||
144 | command line using the CanonicalDomains suffixes and | ||
145 | CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is | ||
146 | set to always, then canonicalization is applied to proxied | ||
147 | connections too. | ||
148 | |||
149 | If this option is enabled, then the configuration files are | ||
150 | processed again using the new target name to pick up any new | ||
151 | configuration in matching Host and Match stanzas. | ||
152 | |||
153 | CanonicalizeMaxDots | ||
154 | Specifies the maximum number of dot characters in a hostname | ||
155 | before canonicalization is disabled. The default, 1, allows a | ||
156 | single dot (i.e. hostname.subdomain). | ||
157 | |||
158 | CanonicalizePermittedCNAMEs | ||
159 | Specifies rules to determine whether CNAMEs should be followed | ||
160 | when canonicalizing hostnames. The rules consist of one or more | ||
161 | arguments of source_domain_list:target_domain_list, where | ||
162 | source_domain_list is a pattern-list of domains that may follow | ||
163 | CNAMEs in canonicalization, and target_domain_list is a pattern- | ||
164 | list of domains that they may resolve to. | ||
165 | |||
166 | For example, "*.a.example.com:*.b.example.com,*.c.example.com" | ||
167 | will allow hostnames matching "*.a.example.com" to be | ||
168 | canonicalized to names in the "*.b.example.com" or | ||
169 | "*.c.example.com" domains. | ||
170 | |||
171 | CASignatureAlgorithms | ||
172 | Specifies which algorithms are allowed for signing of | ||
173 | certificates by certificate authorities (CAs). The default is: | ||
174 | |||
175 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
176 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
177 | |||
178 | ssh(1) will not accept host certificates signed using algorithms | ||
179 | other than those specified. | ||
180 | |||
181 | CertificateFile | ||
182 | Specifies a file from which the user's certificate is read. A | ||
183 | corresponding private key must be provided separately in order to | ||
184 | use this certificate either from an IdentityFile directive or -i | ||
185 | flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider or | ||
186 | SecurityKeyProvider. | ||
187 | |||
188 | Arguments to CertificateFile may use the tilde syntax to refer to | ||
189 | a user's home directory or the tokens described in the TOKENS | ||
190 | section. | ||
191 | |||
192 | It is possible to have multiple certificate files specified in | ||
193 | configuration files; these certificates will be tried in | ||
194 | sequence. Multiple CertificateFile directives will add to the | ||
195 | list of certificates used for authentication. | ||
196 | |||
197 | ChallengeResponseAuthentication | ||
198 | Specifies whether to use challenge-response authentication. The | ||
199 | argument to this keyword must be yes (the default) or no. | ||
200 | |||
201 | CheckHostIP | ||
202 | If set to yes (the default), ssh(1) will additionally check the | ||
203 | host IP address in the known_hosts file. This allows it to | ||
204 | detect if a host key changed due to DNS spoofing and will add | ||
205 | addresses of destination hosts to ~/.ssh/known_hosts in the | ||
206 | process, regardless of the setting of StrictHostKeyChecking. If | ||
207 | the option is set to no, the check will not be executed. | ||
208 | |||
209 | Ciphers | ||
210 | Specifies the ciphers allowed and their order of preference. | ||
211 | Multiple ciphers must be comma-separated. If the specified list | ||
212 | begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be | ||
213 | appended to the default set instead of replacing them. If the | ||
214 | specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified | ||
215 | ciphers (including wildcards) will be removed from the default | ||
216 | set instead of replacing them. If the specified list begins with | ||
217 | a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified ciphers will be placed at the | ||
218 | head of the default set. | ||
219 | |||
220 | The supported ciphers are: | ||
221 | |||
222 | 3des-cbc | ||
223 | aes128-cbc | ||
224 | aes192-cbc | ||
225 | aes256-cbc | ||
226 | aes128-ctr | ||
227 | aes192-ctr | ||
228 | aes256-ctr | ||
229 | aes128-gcm@openssh.com | ||
230 | aes256-gcm@openssh.com | ||
231 | chacha20-poly1305@openssh.com | ||
232 | |||
233 | The default is: | ||
234 | |||
235 | chacha20-poly1305@openssh.com, | ||
236 | aes128-ctr,aes192-ctr,aes256-ctr, | ||
237 | aes128-gcm@openssh.com,aes256-gcm@openssh.com | ||
238 | |||
239 | The list of available ciphers may also be obtained using "ssh -Q | ||
240 | cipher". | ||
241 | |||
242 | ClearAllForwardings | ||
243 | Specifies that all local, remote, and dynamic port forwardings | ||
244 | specified in the configuration files or on the command line be | ||
245 | cleared. This option is primarily useful when used from the | ||
246 | ssh(1) command line to clear port forwardings set in | ||
247 | configuration files, and is automatically set by scp(1) and | ||
248 | sftp(1). The argument must be yes or no (the default). | ||
249 | |||
250 | Compression | ||
251 | Specifies whether to use compression. The argument must be yes | ||
252 | or no (the default). | ||
253 | |||
254 | ConnectionAttempts | ||
255 | Specifies the number of tries (one per second) to make before | ||
256 | exiting. The argument must be an integer. This may be useful in | ||
257 | scripts if the connection sometimes fails. The default is 1. | ||
258 | |||
259 | ConnectTimeout | ||
260 | Specifies the timeout (in seconds) used when connecting to the | ||
261 | SSH server, instead of using the default system TCP timeout. | ||
262 | This timeout is applied both to establishing the connection and | ||
263 | to performing the initial SSH protocol handshake and key | ||
264 | exchange. | ||
265 | |||
266 | ControlMaster | ||
267 | Enables the sharing of multiple sessions over a single network | ||
268 | connection. When set to yes, ssh(1) will listen for connections | ||
269 | on a control socket specified using the ControlPath argument. | ||
270 | Additional sessions can connect to this socket using the same | ||
271 | ControlPath with ControlMaster set to no (the default). These | ||
272 | sessions will try to reuse the master instance's network | ||
273 | connection rather than initiating new ones, but will fall back to | ||
274 | connecting normally if the control socket does not exist, or is | ||
275 | not listening. | ||
276 | |||
277 | Setting this to ask will cause ssh(1) to listen for control | ||
278 | connections, but require confirmation using ssh-askpass(1). If | ||
279 | the ControlPath cannot be opened, ssh(1) will continue without | ||
280 | connecting to a master instance. | ||
281 | |||
282 | X11 and ssh-agent(1) forwarding is supported over these | ||
283 | multiplexed connections, however the display and agent forwarded | ||
284 | will be the one belonging to the master connection i.e. it is not | ||
285 | possible to forward multiple displays or agents. | ||
286 | |||
287 | Two additional options allow for opportunistic multiplexing: try | ||
288 | to use a master connection but fall back to creating a new one if | ||
289 | one does not already exist. These options are: auto and autoask. | ||
290 | The latter requires confirmation like the ask option. | ||
291 | |||
292 | ControlPath | ||
293 | Specify the path to the control socket used for connection | ||
294 | sharing as described in the ControlMaster section above or the | ||
295 | string none to disable connection sharing. Arguments to | ||
296 | ControlPath may use the tilde syntax to refer to a user's home | ||
297 | directory or the tokens described in the TOKENS section. It is | ||
298 | recommended that any ControlPath used for opportunistic | ||
299 | connection sharing include at least %h, %p, and %r (or | ||
300 | alternatively %C) and be placed in a directory that is not | ||
301 | writable by other users. This ensures that shared connections | ||
302 | are uniquely identified. | ||
303 | |||
304 | ControlPersist | ||
305 | When used in conjunction with ControlMaster, specifies that the | ||
306 | master connection should remain open in the background (waiting | ||
307 | for future client connections) after the initial client | ||
308 | connection has been closed. If set to no (the default), then the | ||
309 | master connection will not be placed into the background, and | ||
310 | will close as soon as the initial client connection is closed. | ||
311 | If set to yes or 0, then the master connection will remain in the | ||
312 | background indefinitely (until killed or closed via a mechanism | ||
313 | such as the "ssh -O exit"). If set to a time in seconds, or a | ||
314 | time in any of the formats documented in sshd_config(5), then the | ||
315 | backgrounded master connection will automatically terminate after | ||
316 | it has remained idle (with no client connections) for the | ||
317 | specified time. | ||
318 | |||
319 | DynamicForward | ||
320 | Specifies that a TCP port on the local machine be forwarded over | ||
321 | the secure channel, and the application protocol is then used to | ||
322 | determine where to connect to from the remote machine. | ||
323 | |||
324 | The argument must be [bind_address:]port. IPv6 addresses can be | ||
325 | specified by enclosing addresses in square brackets. By default, | ||
326 | the local port is bound in accordance with the GatewayPorts | ||
327 | setting. However, an explicit bind_address may be used to bind | ||
328 | the connection to a specific address. The bind_address of | ||
329 | localhost indicates that the listening port be bound for local | ||
330 | use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port | ||
331 | should be available from all interfaces. | ||
332 | |||
333 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | ||
334 | ssh(1) will act as a SOCKS server. Multiple forwardings may be | ||
335 | specified, and additional forwardings can be given on the command | ||
336 | line. Only the superuser can forward privileged ports. | ||
337 | |||
338 | EnableSSHKeysign | ||
339 | Setting this option to yes in the global client configuration | ||
340 | file /etc/ssh/ssh_config enables the use of the helper program | ||
341 | ssh-keysign(8) during HostbasedAuthentication. The argument must | ||
342 | be yes or no (the default). This option should be placed in the | ||
343 | non-hostspecific section. See ssh-keysign(8) for more | ||
344 | information. | ||
345 | |||
346 | EscapeChar | ||
347 | Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character | ||
348 | can also be set on the command line. The argument should be a | ||
349 | single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or none to disable | ||
350 | the escape character entirely (making the connection transparent | ||
351 | for binary data). | ||
352 | |||
353 | ExitOnForwardFailure | ||
354 | Specifies whether ssh(1) should terminate the connection if it | ||
355 | cannot set up all requested dynamic, tunnel, local, and remote | ||
356 | port forwardings, (e.g. if either end is unable to bind and | ||
357 | listen on a specified port). Note that ExitOnForwardFailure does | ||
358 | not apply to connections made over port forwardings and will not, | ||
359 | for example, cause ssh(1) to exit if TCP connections to the | ||
360 | ultimate forwarding destination fail. The argument must be yes | ||
361 | or no (the default). | ||
362 | |||
363 | FingerprintHash | ||
364 | Specifies the hash algorithm used when displaying key | ||
365 | fingerprints. Valid options are: md5 and sha256 (the default). | ||
366 | |||
367 | ForwardAgent | ||
368 | Specifies whether the connection to the authentication agent (if | ||
369 | any) will be forwarded to the remote machine. The argument may | ||
370 | be yes, no (the default), an explicit path to an agent socket or | ||
371 | the name of an environment variable (beginning with M-bM-^@M-^X$M-bM-^@M-^Y) in which | ||
372 | to find the path. | ||
373 | |||
374 | Agent forwarding should be enabled with caution. Users with the | ||
375 | ability to bypass file permissions on the remote host (for the | ||
376 | agent's Unix-domain socket) can access the local agent through | ||
377 | the forwarded connection. An attacker cannot obtain key material | ||
378 | from the agent, however they can perform operations on the keys | ||
379 | that enable them to authenticate using the identities loaded into | ||
380 | the agent. | ||
381 | |||
382 | ForwardX11 | ||
383 | Specifies whether X11 connections will be automatically | ||
384 | redirected over the secure channel and DISPLAY set. The argument | ||
385 | must be yes or no (the default). | ||
386 | |||
387 | X11 forwarding should be enabled with caution. Users with the | ||
388 | ability to bypass file permissions on the remote host (for the | ||
389 | user's X11 authorization database) can access the local X11 | ||
390 | display through the forwarded connection. An attacker may then | ||
391 | be able to perform activities such as keystroke monitoring if the | ||
392 | ForwardX11Trusted option is also enabled. | ||
393 | |||
394 | ForwardX11Timeout | ||
395 | Specify a timeout for untrusted X11 forwarding using the format | ||
396 | described in the TIME FORMATS section of sshd_config(5). X11 | ||
397 | connections received by ssh(1) after this time will be refused. | ||
398 | Setting ForwardX11Timeout to zero will disable the timeout and | ||
399 | permit X11 forwarding for the life of the connection. The | ||
400 | default is to disable untrusted X11 forwarding after twenty | ||
401 | minutes has elapsed. | ||
402 | |||
403 | ForwardX11Trusted | ||
404 | If this option is set to yes, remote X11 clients will have full | ||
405 | access to the original X11 display. | ||
406 | |||
407 | If this option is set to no (the default), remote X11 clients | ||
408 | will be considered untrusted and prevented from stealing or | ||
409 | tampering with data belonging to trusted X11 clients. | ||
410 | Furthermore, the xauth(1) token used for the session will be set | ||
411 | to expire after 20 minutes. Remote clients will be refused | ||
412 | access after this time. | ||
413 | |||
414 | See the X11 SECURITY extension specification for full details on | ||
415 | the restrictions imposed on untrusted clients. | ||
416 | |||
417 | GatewayPorts | ||
418 | Specifies whether remote hosts are allowed to connect to local | ||
419 | forwarded ports. By default, ssh(1) binds local port forwardings | ||
420 | to the loopback address. This prevents other remote hosts from | ||
421 | connecting to forwarded ports. GatewayPorts can be used to | ||
422 | specify that ssh should bind local port forwardings to the | ||
423 | wildcard address, thus allowing remote hosts to connect to | ||
424 | forwarded ports. The argument must be yes or no (the default). | ||
425 | |||
426 | GlobalKnownHostsFile | ||
427 | Specifies one or more files to use for the global host key | ||
428 | database, separated by whitespace. The default is | ||
429 | /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. | ||
430 | |||
431 | GSSAPIAuthentication | ||
432 | Specifies whether user authentication based on GSSAPI is allowed. | ||
433 | The default is no. | ||
434 | |||
435 | GSSAPIDelegateCredentials | ||
436 | Forward (delegate) credentials to the server. The default is no. | ||
437 | |||
438 | HashKnownHosts | ||
439 | Indicates that ssh(1) should hash host names and addresses when | ||
440 | they are added to ~/.ssh/known_hosts. These hashed names may be | ||
441 | used normally by ssh(1) and sshd(8), but they do not visually | ||
442 | reveal identifying information if the file's contents are | ||
443 | disclosed. The default is no. Note that existing names and | ||
444 | addresses in known hosts files will not be converted | ||
445 | automatically, but may be manually hashed using ssh-keygen(1). | ||
446 | |||
447 | HostbasedAuthentication | ||
448 | Specifies whether to try rhosts based authentication with public | ||
449 | key authentication. The argument must be yes or no (the | ||
450 | default). | ||
451 | |||
452 | HostbasedKeyTypes | ||
453 | Specifies the key types that will be used for hostbased | ||
454 | authentication as a comma-separated list of patterns. | ||
455 | Alternately if the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, | ||
456 | then the specified key types will be appended to the default set | ||
457 | instead of replacing them. If the specified list begins with a | ||
458 | M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified key types (including wildcards) | ||
459 | will be removed from the default set instead of replacing them. | ||
460 | If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the | ||
461 | specified key types will be placed at the head of the default | ||
462 | set. The default for this option is: | ||
463 | |||
464 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
465 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
466 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
467 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
468 | ssh-ed25519-cert-v01@openssh.com, | ||
469 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
470 | rsa-sha2-512-cert-v01@openssh.com, | ||
471 | rsa-sha2-256-cert-v01@openssh.com, | ||
472 | ssh-rsa-cert-v01@openssh.com, | ||
473 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
474 | sk-ecdsa-sha2-nistp256@openssh.com, | ||
475 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
476 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
477 | |||
478 | The -Q option of ssh(1) may be used to list supported key types. | ||
479 | |||
480 | HostKeyAlgorithms | ||
481 | Specifies the host key algorithms that the client wants to use in | ||
482 | order of preference. Alternately if the specified list begins | ||
483 | with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified key types will be | ||
484 | appended to the default set instead of replacing them. If the | ||
485 | specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified | ||
486 | key types (including wildcards) will be removed from the default | ||
487 | set instead of replacing them. If the specified list begins with | ||
488 | a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified key types will be placed at | ||
489 | the head of the default set. The default for this option is: | ||
490 | |||
491 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
492 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
493 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
494 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
495 | ssh-ed25519-cert-v01@openssh.com, | ||
496 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
497 | rsa-sha2-512-cert-v01@openssh.com, | ||
498 | rsa-sha2-256-cert-v01@openssh.com, | ||
499 | ssh-rsa-cert-v01@openssh.com, | ||
500 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
501 | sk-ecdsa-sha2-nistp256@openssh.com, | ||
502 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
503 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
504 | |||
505 | If hostkeys are known for the destination host then this default | ||
506 | is modified to prefer their algorithms. | ||
507 | |||
508 | The list of available key types may also be obtained using "ssh | ||
509 | -Q HostKeyAlgorithms". | ||
510 | |||
511 | HostKeyAlias | ||
512 | Specifies an alias that should be used instead of the real host | ||
513 | name when looking up or saving the host key in the host key | ||
514 | database files and when validating host certificates. This | ||
515 | option is useful for tunneling SSH connections or for multiple | ||
516 | servers running on a single host. | ||
517 | |||
518 | Hostname | ||
519 | Specifies the real host name to log into. This can be used to | ||
520 | specify nicknames or abbreviations for hosts. Arguments to | ||
521 | Hostname accept the tokens described in the TOKENS section. | ||
522 | Numeric IP addresses are also permitted (both on the command line | ||
523 | and in Hostname specifications). The default is the name given | ||
524 | on the command line. | ||
525 | |||
526 | IdentitiesOnly | ||
527 | Specifies that ssh(1) should only use the configured | ||
528 | authentication identity and certificate files (either the default | ||
529 | files, or those explicitly configured in the ssh_config files or | ||
530 | passed on the ssh(1) command-line), even if ssh-agent(1) or a | ||
531 | PKCS11Provider or SecurityKeyProvider offers more identities. | ||
532 | The argument to this keyword must be yes or no (the default). | ||
533 | This option is intended for situations where ssh-agent offers | ||
534 | many different identities. | ||
535 | |||
536 | IdentityAgent | ||
537 | Specifies the UNIX-domain socket used to communicate with the | ||
538 | authentication agent. | ||
539 | |||
540 | This option overrides the SSH_AUTH_SOCK environment variable and | ||
541 | can be used to select a specific agent. Setting the socket name | ||
542 | to none disables the use of an authentication agent. If the | ||
543 | string "SSH_AUTH_SOCK" is specified, the location of the socket | ||
544 | will be read from the SSH_AUTH_SOCK environment variable. | ||
545 | Otherwise if the specified value begins with a M-bM-^@M-^X$M-bM-^@M-^Y character, | ||
546 | then it will be treated as an environment variable containing the | ||
547 | location of the socket. | ||
548 | |||
549 | Arguments to IdentityAgent may use the tilde syntax to refer to a | ||
550 | user's home directory or the tokens described in the TOKENS | ||
551 | section. | ||
552 | |||
553 | IdentityFile | ||
554 | Specifies a file from which the user's DSA, ECDSA, authenticator- | ||
555 | hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA | ||
556 | authentication identity is read. The default is ~/.ssh/id_dsa, | ||
557 | ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, | ||
558 | ~/.ssh/id_ed25519_sk and ~/.ssh/id_rsa. Additionally, any | ||
559 | identities represented by the authentication agent will be used | ||
560 | for authentication unless IdentitiesOnly is set. If no | ||
561 | certificates have been explicitly specified by CertificateFile, | ||
562 | ssh(1) will try to load certificate information from the filename | ||
563 | obtained by appending -cert.pub to the path of a specified | ||
564 | IdentityFile. | ||
565 | |||
566 | Arguments to IdentityFile may use the tilde syntax to refer to a | ||
567 | user's home directory or the tokens described in the TOKENS | ||
568 | section. | ||
569 | |||
570 | It is possible to have multiple identity files specified in | ||
571 | configuration files; all these identities will be tried in | ||
572 | sequence. Multiple IdentityFile directives will add to the list | ||
573 | of identities tried (this behaviour differs from that of other | ||
574 | configuration directives). | ||
575 | |||
576 | IdentityFile may be used in conjunction with IdentitiesOnly to | ||
577 | select which identities in an agent are offered during | ||
578 | authentication. IdentityFile may also be used in conjunction | ||
579 | with CertificateFile in order to provide any certificate also | ||
580 | needed for authentication with the identity. | ||
581 | |||
582 | IgnoreUnknown | ||
583 | Specifies a pattern-list of unknown options to be ignored if they | ||
584 | are encountered in configuration parsing. This may be used to | ||
585 | suppress errors if ssh_config contains options that are | ||
586 | unrecognised by ssh(1). It is recommended that IgnoreUnknown be | ||
587 | listed early in the configuration file as it will not be applied | ||
588 | to unknown options that appear before it. | ||
589 | |||
590 | Include | ||
591 | Include the specified configuration file(s). Multiple pathnames | ||
592 | may be specified and each pathname may contain glob(7) wildcards | ||
593 | and, for user configurations, shell-like M-bM-^@M-^X~M-bM-^@M-^Y references to user | ||
594 | home directories. Files without absolute paths are assumed to be | ||
595 | in ~/.ssh if included in a user configuration file or /etc/ssh if | ||
596 | included from the system configuration file. Include directive | ||
597 | may appear inside a Match or Host block to perform conditional | ||
598 | inclusion. | ||
599 | |||
600 | IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. | ||
601 | Accepted values are af11, af12, af13, af21, af22, af23, af31, | ||
602 | af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, | ||
603 | cs7, ef, le, lowdelay, throughput, reliability, a numeric value, | ||
604 | or none to use the operating system default. This option may | ||
605 | take one or two arguments, separated by whitespace. If one | ||
606 | argument is specified, it is used as the packet class | ||
607 | unconditionally. If two values are specified, the first is | ||
608 | automatically selected for interactive sessions and the second | ||
609 | for non-interactive sessions. The default is af21 (Low-Latency | ||
610 | Data) for interactive sessions and cs1 (Lower Effort) for non- | ||
611 | interactive sessions. | ||
612 | |||
613 | KbdInteractiveAuthentication | ||
614 | Specifies whether to use keyboard-interactive authentication. | ||
615 | The argument to this keyword must be yes (the default) or no. | ||
616 | |||
617 | KbdInteractiveDevices | ||
618 | Specifies the list of methods to use in keyboard-interactive | ||
619 | authentication. Multiple method names must be comma-separated. | ||
620 | The default is to use the server specified list. The methods | ||
621 | available vary depending on what the server supports. For an | ||
622 | OpenSSH server, it may be zero or more of: bsdauth and pam. | ||
623 | |||
624 | KexAlgorithms | ||
625 | Specifies the available KEX (Key Exchange) algorithms. Multiple | ||
626 | algorithms must be comma-separated. If the specified list begins | ||
627 | with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods will be appended | ||
628 | to the default set instead of replacing them. If the specified | ||
629 | list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified methods | ||
630 | (including wildcards) will be removed from the default set | ||
631 | instead of replacing them. If the specified list begins with a | ||
632 | M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified methods will be placed at the | ||
633 | head of the default set. The default is: | ||
634 | |||
635 | curve25519-sha256,curve25519-sha256@libssh.org, | ||
636 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | ||
637 | diffie-hellman-group-exchange-sha256, | ||
638 | diffie-hellman-group16-sha512, | ||
639 | diffie-hellman-group18-sha512, | ||
640 | diffie-hellman-group14-sha256 | ||
641 | |||
642 | The list of available key exchange algorithms may also be | ||
643 | obtained using "ssh -Q kex". | ||
644 | |||
645 | LocalCommand | ||
646 | Specifies a command to execute on the local machine after | ||
647 | successfully connecting to the server. The command string | ||
648 | extends to the end of the line, and is executed with the user's | ||
649 | shell. Arguments to LocalCommand accept the tokens described in | ||
650 | the TOKENS section. | ||
651 | |||
652 | The command is run synchronously and does not have access to the | ||
653 | session of the ssh(1) that spawned it. It should not be used for | ||
654 | interactive commands. | ||
655 | |||
656 | This directive is ignored unless PermitLocalCommand has been | ||
657 | enabled. | ||
658 | |||
659 | LocalForward | ||
660 | Specifies that a TCP port on the local machine be forwarded over | ||
661 | the secure channel to the specified host and port from the remote | ||
662 | machine. The first argument specifies the listener and may be | ||
663 | [bind_address:]port or a Unix domain socket path. The second | ||
664 | argument is the destination and may be host:hostport or a Unix | ||
665 | domain socket path if the remote host supports it. | ||
666 | |||
667 | IPv6 addresses can be specified by enclosing addresses in square | ||
668 | brackets. Multiple forwardings may be specified, and additional | ||
669 | forwardings can be given on the command line. Only the superuser | ||
670 | can forward privileged ports. By default, the local port is | ||
671 | bound in accordance with the GatewayPorts setting. However, an | ||
672 | explicit bind_address may be used to bind the connection to a | ||
673 | specific address. The bind_address of localhost indicates that | ||
674 | the listening port be bound for local use only, while an empty | ||
675 | address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from | ||
676 | all interfaces. Unix domain socket paths accept the tokens | ||
677 | described in the TOKENS section. | ||
678 | |||
679 | LogLevel | ||
680 | Gives the verbosity level that is used when logging messages from | ||
681 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, | ||
682 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | ||
683 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
684 | higher levels of verbose output. | ||
685 | |||
686 | MACs Specifies the MAC (message authentication code) algorithms in | ||
687 | order of preference. The MAC algorithm is used for data | ||
688 | integrity protection. Multiple algorithms must be comma- | ||
689 | separated. If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, | ||
690 | then the specified algorithms will be appended to the default set | ||
691 | instead of replacing them. If the specified list begins with a | ||
692 | M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified algorithms (including | ||
693 | wildcards) will be removed from the default set instead of | ||
694 | replacing them. If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y | ||
695 | character, then the specified algorithms will be placed at the | ||
696 | head of the default set. | ||
697 | |||
698 | The algorithms that contain "-etm" calculate the MAC after | ||
699 | encryption (encrypt-then-mac). These are considered safer and | ||
700 | their use recommended. | ||
701 | |||
702 | The default is: | ||
703 | |||
704 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | ||
705 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | ||
706 | hmac-sha1-etm@openssh.com, | ||
707 | umac-64@openssh.com,umac-128@openssh.com, | ||
708 | hmac-sha2-256,hmac-sha2-512,hmac-sha1 | ||
709 | |||
710 | The list of available MAC algorithms may also be obtained using | ||
711 | "ssh -Q mac". | ||
712 | |||
713 | NoHostAuthenticationForLocalhost | ||
714 | Disable host authentication for localhost (loopback addresses). | ||
715 | The argument to this keyword must be yes or no (the default). | ||
716 | |||
717 | NumberOfPasswordPrompts | ||
718 | Specifies the number of password prompts before giving up. The | ||
719 | argument to this keyword must be an integer. The default is 3. | ||
720 | |||
721 | PasswordAuthentication | ||
722 | Specifies whether to use password authentication. The argument | ||
723 | to this keyword must be yes (the default) or no. | ||
724 | |||
725 | PermitLocalCommand | ||
726 | Allow local command execution via the LocalCommand option or | ||
727 | using the !command escape sequence in ssh(1). The argument must | ||
728 | be yes or no (the default). | ||
729 | |||
730 | PKCS11Provider | ||
731 | Specifies which PKCS#11 provider to use or none to indicate that | ||
732 | no provider should be used (the default). The argument to this | ||
733 | keyword is a path to the PKCS#11 shared library ssh(1) should use | ||
734 | to communicate with a PKCS#11 token providing keys for user | ||
735 | authentication. | ||
736 | |||
737 | Port Specifies the port number to connect on the remote host. The | ||
738 | default is 22. | ||
739 | |||
740 | PreferredAuthentications | ||
741 | Specifies the order in which the client should try authentication | ||
742 | methods. This allows a client to prefer one method (e.g. | ||
743 | keyboard-interactive) over another method (e.g. password). The | ||
744 | default is: | ||
745 | |||
746 | gssapi-with-mic,hostbased,publickey, | ||
747 | keyboard-interactive,password | ||
748 | |||
749 | ProxyCommand | ||
750 | Specifies the command to use to connect to the server. The | ||
751 | command string extends to the end of the line, and is executed | ||
752 | using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering | ||
753 | shell process. | ||
754 | |||
755 | Arguments to ProxyCommand accept the tokens described in the | ||
756 | TOKENS section. The command can be basically anything, and | ||
757 | should read from its standard input and write to its standard | ||
758 | output. It should eventually connect an sshd(8) server running | ||
759 | on some machine, or execute sshd -i somewhere. Host key | ||
760 | management will be done using the Hostname of the host being | ||
761 | connected (defaulting to the name typed by the user). Setting | ||
762 | the command to none disables this option entirely. Note that | ||
763 | CheckHostIP is not available for connects with a proxy command. | ||
764 | |||
765 | This directive is useful in conjunction with nc(1) and its proxy | ||
766 | support. For example, the following directive would connect via | ||
767 | an HTTP proxy at 192.0.2.0: | ||
768 | |||
769 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | ||
770 | |||
771 | ProxyJump | ||
772 | Specifies one or more jump proxies as either [user@]host[:port] | ||
773 | or an ssh URI. Multiple proxies may be separated by comma | ||
774 | characters and will be visited sequentially. Setting this option | ||
775 | will cause ssh(1) to connect to the target host by first making a | ||
776 | ssh(1) connection to the specified ProxyJump host and then | ||
777 | establishing a TCP forwarding to the ultimate target from there. | ||
778 | |||
779 | Note that this option will compete with the ProxyCommand option - | ||
780 | whichever is specified first will prevent later instances of the | ||
781 | other from taking effect. | ||
782 | |||
783 | Note also that the configuration for the destination host (either | ||
784 | supplied via the command-line or the configuration file) is not | ||
785 | generally applied to jump hosts. ~/.ssh/config should be used if | ||
786 | specific configuration is required for jump hosts. | ||
787 | |||
788 | ProxyUseFdpass | ||
789 | Specifies that ProxyCommand will pass a connected file descriptor | ||
790 | back to ssh(1) instead of continuing to execute and pass data. | ||
791 | The default is no. | ||
792 | |||
793 | PubkeyAcceptedKeyTypes | ||
794 | Specifies the key types that will be used for public key | ||
795 | authentication as a comma-separated list of patterns. If the | ||
796 | specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the key types | ||
797 | after it will be appended to the default instead of replacing it. | ||
798 | If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the | ||
799 | specified key types (including wildcards) will be removed from | ||
800 | the default set instead of replacing them. If the specified list | ||
801 | begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified key types will be | ||
802 | placed at the head of the default set. The default for this | ||
803 | option is: | ||
804 | |||
805 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
806 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
807 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
808 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
809 | ssh-ed25519-cert-v01@openssh.com, | ||
810 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
811 | rsa-sha2-512-cert-v01@openssh.com, | ||
812 | rsa-sha2-256-cert-v01@openssh.com, | ||
813 | ssh-rsa-cert-v01@openssh.com, | ||
814 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
815 | sk-ecdsa-sha2-nistp256@openssh.com, | ||
816 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
817 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
818 | |||
819 | The list of available key types may also be obtained using "ssh | ||
820 | -Q PubkeyAcceptedKeyTypes". | ||
821 | |||
822 | PubkeyAuthentication | ||
823 | Specifies whether to try public key authentication. The argument | ||
824 | to this keyword must be yes (the default) or no. | ||
825 | |||
826 | RekeyLimit | ||
827 | Specifies the maximum amount of data that may be transmitted | ||
828 | before the session key is renegotiated, optionally followed a | ||
829 | maximum amount of time that may pass before the session key is | ||
830 | renegotiated. The first argument is specified in bytes and may | ||
831 | have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, | ||
832 | Megabytes, or Gigabytes, respectively. The default is between | ||
833 | M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second | ||
834 | value is specified in seconds and may use any of the units | ||
835 | documented in the TIME FORMATS section of sshd_config(5). The | ||
836 | default value for RekeyLimit is default none, which means that | ||
837 | rekeying is performed after the cipher's default amount of data | ||
838 | has been sent or received and no time based rekeying is done. | ||
839 | |||
840 | RemoteCommand | ||
841 | Specifies a command to execute on the remote machine after | ||
842 | successfully connecting to the server. The command string | ||
843 | extends to the end of the line, and is executed with the user's | ||
844 | shell. Arguments to RemoteCommand accept the tokens described in | ||
845 | the TOKENS section. | ||
846 | |||
847 | RemoteForward | ||
848 | Specifies that a TCP port on the remote machine be forwarded over | ||
849 | the secure channel. The remote port may either be forwarded to a | ||
850 | specified host and port from the local machine, or may act as a | ||
851 | SOCKS 4/5 proxy that allows a remote client to connect to | ||
852 | arbitrary destinations from the local machine. The first | ||
853 | argument is the listening specification and may be | ||
854 | [bind_address:]port or, if the remote host supports it, a Unix | ||
855 | domain socket path. If forwarding to a specific destination then | ||
856 | the second argument must be host:hostport or a Unix domain socket | ||
857 | path, otherwise if no destination argument is specified then the | ||
858 | remote forwarding will be established as a SOCKS proxy. | ||
859 | |||
860 | IPv6 addresses can be specified by enclosing addresses in square | ||
861 | brackets. Multiple forwardings may be specified, and additional | ||
862 | forwardings can be given on the command line. Privileged ports | ||
863 | can be forwarded only when logging in as root on the remote | ||
864 | machine. Unix domain socket paths accept the tokens described in | ||
865 | the TOKENS section. | ||
866 | |||
867 | If the port argument is 0, the listen port will be dynamically | ||
868 | allocated on the server and reported to the client at run time. | ||
869 | |||
870 | If the bind_address is not specified, the default is to only bind | ||
871 | to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty | ||
872 | string, then the forwarding is requested to listen on all | ||
873 | interfaces. Specifying a remote bind_address will only succeed | ||
874 | if the server's GatewayPorts option is enabled (see | ||
875 | sshd_config(5)). | ||
876 | |||
877 | RequestTTY | ||
878 | Specifies whether to request a pseudo-tty for the session. The | ||
879 | argument may be one of: no (never request a TTY), yes (always | ||
880 | request a TTY when standard input is a TTY), force (always | ||
881 | request a TTY) or auto (request a TTY when opening a login | ||
882 | session). This option mirrors the -t and -T flags for ssh(1). | ||
883 | |||
884 | RevokedHostKeys | ||
885 | Specifies revoked host public keys. Keys listed in this file | ||
886 | will be refused for host authentication. Note that if this file | ||
887 | does not exist or is not readable, then host authentication will | ||
888 | be refused for all hosts. Keys may be specified as a text file, | ||
889 | listing one public key per line, or as an OpenSSH Key Revocation | ||
890 | List (KRL) as generated by ssh-keygen(1). For more information | ||
891 | on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). | ||
892 | |||
893 | SecurityKeyProvider | ||
894 | Specifies a path to a library that will be used when loading any | ||
895 | FIDO authenticator-hosted keys, overriding the default of using | ||
896 | the built-in USB HID support. | ||
897 | |||
898 | If the specified value begins with a M-bM-^@M-^X$M-bM-^@M-^Y character, then it will | ||
899 | be treated as an environment variable containing the path to the | ||
900 | library. | ||
901 | |||
902 | SendEnv | ||
903 | Specifies what variables from the local environ(7) should be sent | ||
904 | to the server. The server must also support it, and the server | ||
905 | must be configured to accept these environment variables. Note | ||
906 | that the TERM environment variable is always sent whenever a | ||
907 | pseudo-terminal is requested as it is required by the protocol. | ||
908 | Refer to AcceptEnv in sshd_config(5) for how to configure the | ||
909 | server. Variables are specified by name, which may contain | ||
910 | wildcard characters. Multiple environment variables may be | ||
911 | separated by whitespace or spread across multiple SendEnv | ||
912 | directives. | ||
913 | |||
914 | See PATTERNS for more information on patterns. | ||
915 | |||
916 | It is possible to clear previously set SendEnv variable names by | ||
917 | prefixing patterns with -. The default is not to send any | ||
918 | environment variables. | ||
919 | |||
920 | ServerAliveCountMax | ||
921 | Sets the number of server alive messages (see below) which may be | ||
922 | sent without ssh(1) receiving any messages back from the server. | ||
923 | If this threshold is reached while server alive messages are | ||
924 | being sent, ssh will disconnect from the server, terminating the | ||
925 | session. It is important to note that the use of server alive | ||
926 | messages is very different from TCPKeepAlive (below). The server | ||
927 | alive messages are sent through the encrypted channel and | ||
928 | therefore will not be spoofable. The TCP keepalive option | ||
929 | enabled by TCPKeepAlive is spoofable. The server alive mechanism | ||
930 | is valuable when the client or server depend on knowing when a | ||
931 | connection has become unresponsive. | ||
932 | |||
933 | The default value is 3. If, for example, ServerAliveInterval | ||
934 | (see below) is set to 15 and ServerAliveCountMax is left at the | ||
935 | default, if the server becomes unresponsive, ssh will disconnect | ||
936 | after approximately 45 seconds. | ||
937 | |||
938 | ServerAliveInterval | ||
939 | Sets a timeout interval in seconds after which if no data has | ||
940 | been received from the server, ssh(1) will send a message through | ||
941 | the encrypted channel to request a response from the server. The | ||
942 | default is 0, indicating that these messages will not be sent to | ||
943 | the server. | ||
944 | |||
945 | SetEnv Directly specify one or more environment variables and their | ||
946 | contents to be sent to the server. Similarly to SendEnv, the | ||
947 | server must be prepared to accept the environment variable. | ||
948 | |||
949 | StreamLocalBindMask | ||
950 | Sets the octal file creation mode mask (umask) used when creating | ||
951 | a Unix-domain socket file for local or remote port forwarding. | ||
952 | This option is only used for port forwarding to a Unix-domain | ||
953 | socket file. | ||
954 | |||
955 | The default value is 0177, which creates a Unix-domain socket | ||
956 | file that is readable and writable only by the owner. Note that | ||
957 | not all operating systems honor the file mode on Unix-domain | ||
958 | socket files. | ||
959 | |||
960 | StreamLocalBindUnlink | ||
961 | Specifies whether to remove an existing Unix-domain socket file | ||
962 | for local or remote port forwarding before creating a new one. | ||
963 | If the socket file already exists and StreamLocalBindUnlink is | ||
964 | not enabled, ssh will be unable to forward the port to the Unix- | ||
965 | domain socket file. This option is only used for port forwarding | ||
966 | to a Unix-domain socket file. | ||
967 | |||
968 | The argument must be yes or no (the default). | ||
969 | |||
970 | StrictHostKeyChecking | ||
971 | If this flag is set to yes, ssh(1) will never automatically add | ||
972 | host keys to the ~/.ssh/known_hosts file, and refuses to connect | ||
973 | to hosts whose host key has changed. This provides maximum | ||
974 | protection against man-in-the-middle (MITM) attacks, though it | ||
975 | can be annoying when the /etc/ssh/ssh_known_hosts file is poorly | ||
976 | maintained or when connections to new hosts are frequently made. | ||
977 | This option forces the user to manually add all new hosts. | ||
978 | |||
979 | If this flag is set to M-bM-^@M-^\accept-newM-bM-^@M-^] then ssh will automatically | ||
980 | add new host keys to the user known hosts files, but will not | ||
981 | permit connections to hosts with changed host keys. If this flag | ||
982 | is set to M-bM-^@M-^\noM-bM-^@M-^] or M-bM-^@M-^\offM-bM-^@M-^], ssh will automatically add new host keys | ||
983 | to the user known hosts files and allow connections to hosts with | ||
984 | changed hostkeys to proceed, subject to some restrictions. If | ||
985 | this flag is set to ask (the default), new host keys will be | ||
986 | added to the user known host files only after the user has | ||
987 | confirmed that is what they really want to do, and ssh will | ||
988 | refuse to connect to hosts whose host key has changed. The host | ||
989 | keys of known hosts will be verified automatically in all cases. | ||
990 | |||
991 | SyslogFacility | ||
992 | Gives the facility code that is used when logging messages from | ||
993 | ssh(1). The possible values are: DAEMON, USER, AUTH, LOCAL0, | ||
994 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The | ||
995 | default is USER. | ||
996 | |||
997 | TCPKeepAlive | ||
998 | Specifies whether the system should send TCP keepalive messages | ||
999 | to the other side. If they are sent, death of the connection or | ||
1000 | crash of one of the machines will be properly noticed. However, | ||
1001 | this means that connections will die if the route is down | ||
1002 | temporarily, and some people find it annoying. | ||
1003 | |||
1004 | The default is yes (to send TCP keepalive messages), and the | ||
1005 | client will notice if the network goes down or the remote host | ||
1006 | dies. This is important in scripts, and many users want it too. | ||
1007 | |||
1008 | To disable TCP keepalive messages, the value should be set to no. | ||
1009 | See also ServerAliveInterval for protocol-level keepalives. | ||
1010 | |||
1011 | Tunnel Request tun(4) device forwarding between the client and the | ||
1012 | server. The argument must be yes, point-to-point (layer 3), | ||
1013 | ethernet (layer 2), or no (the default). Specifying yes requests | ||
1014 | the default tunnel mode, which is point-to-point. | ||
1015 | |||
1016 | TunnelDevice | ||
1017 | Specifies the tun(4) devices to open on the client (local_tun) | ||
1018 | and the server (remote_tun). | ||
1019 | |||
1020 | The argument must be local_tun[:remote_tun]. The devices may be | ||
1021 | specified by numerical ID or the keyword any, which uses the next | ||
1022 | available tunnel device. If remote_tun is not specified, it | ||
1023 | defaults to any. The default is any:any. | ||
1024 | |||
1025 | UpdateHostKeys | ||
1026 | Specifies whether ssh(1) should accept notifications of | ||
1027 | additional hostkeys from the server sent after authentication has | ||
1028 | completed and add them to UserKnownHostsFile. The argument must | ||
1029 | be yes, no or ask. This option allows learning alternate | ||
1030 | hostkeys for a server and supports graceful key rotation by | ||
1031 | allowing a server to send replacement public keys before old ones | ||
1032 | are removed. Additional hostkeys are only accepted if the key | ||
1033 | used to authenticate the host was already trusted or explicitly | ||
1034 | accepted by the user. | ||
1035 | |||
1036 | UpdateHostKeys is enabled by default if the user has not | ||
1037 | overridden the default UserKnownHostsFile setting, otherwise | ||
1038 | UpdateHostKeys will be set to ask. | ||
1039 | |||
1040 | If UpdateHostKeys is set to ask, then the user is asked to | ||
1041 | confirm the modifications to the known_hosts file. Confirmation | ||
1042 | is currently incompatible with ControlPersist, and will be | ||
1043 | disabled if it is enabled. | ||
1044 | |||
1045 | Presently, only sshd(8) from OpenSSH 6.8 and greater support the | ||
1046 | "hostkeys@openssh.com" protocol extension used to inform the | ||
1047 | client of all the server's hostkeys. | ||
1048 | |||
1049 | User Specifies the user to log in as. This can be useful when a | ||
1050 | different user name is used on different machines. This saves | ||
1051 | the trouble of having to remember to give the user name on the | ||
1052 | command line. | ||
1053 | |||
1054 | UserKnownHostsFile | ||
1055 | Specifies one or more files to use for the user host key | ||
1056 | database, separated by whitespace. The default is | ||
1057 | ~/.ssh/known_hosts, ~/.ssh/known_hosts2. | ||
1058 | |||
1059 | VerifyHostKeyDNS | ||
1060 | Specifies whether to verify the remote key using DNS and SSHFP | ||
1061 | resource records. If this option is set to yes, the client will | ||
1062 | implicitly trust keys that match a secure fingerprint from DNS. | ||
1063 | Insecure fingerprints will be handled as if this option was set | ||
1064 | to ask. If this option is set to ask, information on fingerprint | ||
1065 | match will be displayed, but the user will still need to confirm | ||
1066 | new host keys according to the StrictHostKeyChecking option. The | ||
1067 | default is no. | ||
1068 | |||
1069 | See also VERIFYING HOST KEYS in ssh(1). | ||
1070 | |||
1071 | VisualHostKey | ||
1072 | If this flag is set to yes, an ASCII art representation of the | ||
1073 | remote host key fingerprint is printed in addition to the | ||
1074 | fingerprint string at login and for unknown host keys. If this | ||
1075 | flag is set to no (the default), no fingerprint strings are | ||
1076 | printed at login and only the fingerprint string will be printed | ||
1077 | for unknown host keys. | ||
1078 | |||
1079 | XAuthLocation | ||
1080 | Specifies the full pathname of the xauth(1) program. The default | ||
1081 | is /usr/X11R6/bin/xauth. | ||
1082 | |||
1083 | PATTERNS | ||
1084 | A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a | ||
1085 | wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that | ||
1086 | matches exactly one character). For example, to specify a set of | ||
1087 | declarations for any host in the ".co.uk" set of domains, the following | ||
1088 | pattern could be used: | ||
1089 | |||
1090 | Host *.co.uk | ||
1091 | |||
1092 | The following pattern would match any host in the 192.168.0.[0-9] network | ||
1093 | range: | ||
1094 | |||
1095 | Host 192.168.0.? | ||
1096 | |||
1097 | A pattern-list is a comma-separated list of patterns. Patterns within | ||
1098 | pattern-lists may be negated by preceding them with an exclamation mark | ||
1099 | (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an | ||
1100 | organization except from the "dialup" pool, the following entry (in | ||
1101 | authorized_keys) could be used: | ||
1102 | |||
1103 | from="!*.dialup.example.com,*.example.com" | ||
1104 | |||
1105 | Note that a negated match will never produce a positive result by itself. | ||
1106 | For example, attempting to match "host3" against the following pattern- | ||
1107 | list will fail: | ||
1108 | |||
1109 | from="!host1,!host2" | ||
1110 | |||
1111 | The solution here is to include a term that will yield a positive match, | ||
1112 | such as a wildcard: | ||
1113 | |||
1114 | from="!host1,!host2,*" | ||
1115 | |||
1116 | TOKENS | ||
1117 | Arguments to some keywords can make use of tokens, which are expanded at | ||
1118 | runtime: | ||
1119 | |||
1120 | %% A literal M-bM-^@M-^X%M-bM-^@M-^Y. | ||
1121 | %C Hash of %l%h%p%r. | ||
1122 | %d Local user's home directory. | ||
1123 | %h The remote hostname. | ||
1124 | %i The local user ID. | ||
1125 | %L The local hostname. | ||
1126 | %l The local hostname, including the domain name. | ||
1127 | %n The original remote hostname, as given on the command line. | ||
1128 | %p The remote port. | ||
1129 | %r The remote username. | ||
1130 | %T The local tun(4) or tap(4) network interface assigned if | ||
1131 | tunnel forwarding was requested, or "NONE" otherwise. | ||
1132 | %u The local username. | ||
1133 | |||
1134 | CertificateFile, ControlPath, IdentityAgent, IdentityFile, LocalForward, | ||
1135 | Match exec, RemoteCommand, and RemoteForward accept the tokens %%, %C, | ||
1136 | %d, %h, %i, %L, %l, %n, %p, %r, and %u. | ||
1137 | |||
1138 | Hostname accepts the tokens %% and %h. | ||
1139 | |||
1140 | LocalCommand accepts all tokens. | ||
1141 | |||
1142 | ProxyCommand accepts the tokens %%, %h, %n, %p, and %r. | ||
1143 | |||
1144 | FILES | ||
1145 | ~/.ssh/config | ||
1146 | This is the per-user configuration file. The format of this file | ||
1147 | is described above. This file is used by the SSH client. | ||
1148 | Because of the potential for abuse, this file must have strict | ||
1149 | permissions: read/write for the user, and not writable by others. | ||
1150 | |||
1151 | /etc/ssh/ssh_config | ||
1152 | Systemwide configuration file. This file provides defaults for | ||
1153 | those values that are not specified in the user's configuration | ||
1154 | file, and for those users who do not have a configuration file. | ||
1155 | This file must be world-readable. | ||
1156 | |||
1157 | SEE ALSO | ||
1158 | ssh(1) | ||
1159 | |||
1160 | AUTHORS | ||
1161 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
1162 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
1163 | de Raadt and Dug Song removed many bugs, re-added newer features and | ||
1164 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
1165 | versions 1.5 and 2.0. | ||
1166 | |||
1167 | OpenBSD 6.7 April 11, 2020 OpenBSD 6.7 | ||