Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 251 |
1 files changed, 124 insertions, 127 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 8c84502cb..a8687ffc2 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -1,4 +1,4 @@ | |||
1 | SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) | 1 | SSH_CONFIG(5) BSD File Formats Manual SSH_CONFIG(5) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | ssh_config - OpenSSH SSH client configuration files | 4 | ssh_config - OpenSSH SSH client configuration files |
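Review bot: the page header on line 1 changes from "OpenBSD Programmer's Manual" to "BSD File Formats Manual" while the NAME text is untouched, which points to the file being regenerated with a different formatter or macro set rather than edited. Record the tool and version used in the commit message so the 124 insertions and 127 deletions can be reproduced and reviewed as formatting-only.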
@@ -11,11 +11,11 @@ DESCRIPTION | |||
11 | ssh obtains configuration data from the following sources in the follow- | 11 | ssh obtains configuration data from the following sources in the follow- |
12 | ing order: | 12 | ing order: |
13 | 1. command-line options | 13 | 1. command-line options |
14 | 2. user's configuration file ($HOME/.ssh/config) | 14 | 2. userM-bM-^@M-^Ys configuration file ($HOME/.ssh/config) |
15 | 3. system-wide configuration file (/etc/ssh/ssh_config) | 15 | 3. system-wide configuration file (/etc/ssh/ssh_config) |
16 | 16 | ||
17 | For each parameter, the first obtained value will be used. The configu- | 17 | For each parameter, the first obtained value will be used. The configu- |
18 | ration files contain sections bracketed by ``Host'' specifications, and | 18 | ration files contain sections bracketed by M-bM-^@M-^\HostM-bM-^@M-^] specifications, and |
19 | that section is only applied for hosts that match one of the patterns | 19 | that section is only applied for hosts that match one of the patterns |
20 | given in the specification. The matched host name is the one given on | 20 | given in the specification. The matched host name is the one given on |
21 | the command line. | 21 | the command line. |
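Review bot: in "2. userM-bM-^@M-^Ys configuration file" and around "Host", the new side replaces the ASCII ' and ``...'' with M-bM-^@M-^Y, M-bM-^@M-^\ and M-bM-^@M-^], which is the meta notation for the UTF-8 bytes of U+2019, U+201C and U+201D. A preformatted page should stay 7-bit ASCII so it displays correctly in any locale; regenerate it with an ASCII output device (for example nroff -Tascii) or under LC_ALL=C.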
@@ -26,11 +26,11 @@ DESCRIPTION | |||
26 | 26 | ||
27 | The configuration file has the following format: | 27 | The configuration file has the following format: |
28 | 28 | ||
29 | Empty lines and lines starting with `#' are comments. | 29 | Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. |
30 | 30 | ||
31 | Otherwise a line is of the format ``keyword arguments''. Configuration | 31 | Otherwise a line is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration |
32 | options may be separated by whitespace or optional whitespace and exactly | 32 | options may be separated by whitespace or optional whitespace and exactly |
33 | one `='; the latter format is useful to avoid the need to quote whites- | 33 | one M-bM-^@M-^X=M-bM-^@M-^Y; the latter format is useful to avoid the need to quote whites- |
34 | pace when specifying configuration options using the ssh, scp and sftp -o | 34 | pace when specifying configuration options using the ssh, scp and sftp -o |
35 | option. | 35 | option. |
36 | 36 | ||
@@ -39,54 +39,54 @@ DESCRIPTION | |||
39 | 39 | ||
40 | Host Restricts the following declarations (up to the next Host key- | 40 | Host Restricts the following declarations (up to the next Host key- |
41 | word) to be only for those hosts that match one of the patterns | 41 | word) to be only for those hosts that match one of the patterns |
42 | given after the keyword. `*' and `?' can be used as wildcards in | 42 | given after the keyword. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in |
43 | the patterns. A single `*' as a pattern can be used to provide | 43 | the patterns. A single M-bM-^@M-^X*M-bM-^@M-^Y as a pattern can be used to provide |
44 | global defaults for all hosts. The host is the hostname argument | 44 | global defaults for all hosts. The host is the hostname argument |
45 | given on the command line (i.e., the name is not converted to a | 45 | given on the command line (i.e., the name is not converted to a |
46 | canonicalized host name before matching). | 46 | canonicalized host name before matching). |
47 | 47 | ||
48 | AddressFamily | 48 | AddressFamily |
49 | Specifies which address family to use when connecting. Valid ar- | 49 | Specifies which address family to use when connecting. Valid |
50 | guments are ``any'', ``inet'' (Use IPv4 only) or ``inet6'' (Use | 50 | arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (Use IPv4 only) or M-bM-^@M-^\inet6M-bM-^@M-^] (Use IPv6 |
51 | IPv6 only.) | 51 | only.) |
52 | 52 | ||
53 | BatchMode | 53 | BatchMode |
54 | If set to ``yes'', passphrase/password querying will be disabled. | 54 | If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. |
55 | This option is useful in scripts and other batch jobs where no | 55 | This option is useful in scripts and other batch jobs where no |
56 | user is present to supply the password. The argument must be | 56 | user is present to supply the password. The argument must be |
57 | ``yes'' or ``no''. The default is ``no''. | 57 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
58 | 58 | ||
59 | BindAddress | 59 | BindAddress |
60 | Specify the interface to transmit from on machines with multiple | 60 | Specify the interface to transmit from on machines with multiple |
61 | interfaces or aliased addresses. Note that this option does not | 61 | interfaces or aliased addresses. Note that this option does not |
62 | work if UsePrivilegedPort is set to ``yes''. | 62 | work if UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^]. |
63 | 63 | ||
64 | ChallengeResponseAuthentication | 64 | ChallengeResponseAuthentication |
65 | Specifies whether to use challenge response authentication. The | 65 | Specifies whether to use challenge response authentication. The |
66 | argument to this keyword must be ``yes'' or ``no''. The default | 66 | argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
67 | is ``yes''. | 67 | M-bM-^@M-^\yesM-bM-^@M-^]. |
68 | 68 | ||
69 | CheckHostIP | 69 | CheckHostIP |
70 | If this flag is set to ``yes'', ssh will additionally check the | 70 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh will additionally check the |
71 | host IP address in the known_hosts file. This allows ssh to de- | 71 | host IP address in the known_hosts file. This allows ssh to |
72 | tect if a host key changed due to DNS spoofing. If the option is | 72 | detect if a host key changed due to DNS spoofing. If the option |
73 | set to ``no'', the check will not be executed. The default is | 73 | is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The default is |
74 | ``yes''. | 74 | M-bM-^@M-^\yesM-bM-^@M-^]. |
75 | 75 | ||
76 | Cipher Specifies the cipher to use for encrypting the session in proto- | 76 | Cipher Specifies the cipher to use for encrypting the session in proto- |
77 | col version 1. Currently, ``blowfish'', ``3des'', and ``des'' | 77 | col version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are sup- |
78 | are supported. des is only supported in the ssh client for in- | 78 | ported. des is only supported in the ssh client for interoper- |
79 | teroperability with legacy protocol 1 implementations that do not | 79 | ability with legacy protocol 1 implementations that do not sup- |
80 | support the 3des cipher. Its use is strongly discouraged due to | 80 | port the 3des cipher. Its use is strongly discouraged due to |
81 | cryptographic weaknesses. The default is ``3des''. | 81 | cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^]. |
82 | 82 | ||
83 | Ciphers | 83 | Ciphers |
84 | Specifies the ciphers allowed for protocol version 2 in order of | 84 | Specifies the ciphers allowed for protocol version 2 in order of |
85 | preference. Multiple ciphers must be comma-separated. The de- | 85 | preference. Multiple ciphers must be comma-separated. The |
86 | fault is | 86 | default is |
87 | 87 | ||
88 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 88 | M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
89 | aes192-cbc,aes256-cbc'' | 89 | aes192-cbc,aes256-cbcM-bM-^@M-^YM-bM-^@M-^Y |
90 | 90 | ||
91 | ClearAllForwardings | 91 | ClearAllForwardings |
92 | Specifies that all local, remote and dynamic port forwardings | 92 | Specifies that all local, remote and dynamic port forwardings |
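Review bot: the Ciphers default on new lines 88-89 is wrapped in M-bM-^@M-^XM-bM-^@M-^X ... M-bM-^@M-^YM-bM-^@M-^Y (two single quotation marks on each side), whereas every other value in this hunk uses M-bM-^@M-^\ ... M-bM-^@M-^]. Readers copy this list into ssh_config or an -o option, so non-ASCII bytes sitting directly against aes128-cbc and aes256-cbc are easy to paste into a configuration by accident. Render this display with plain ASCII quotes, or with none.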
@@ -94,11 +94,11 @@ DESCRIPTION | |||
94 | cleared. This option is primarily useful when used from the ssh | 94 | cleared. This option is primarily useful when used from the ssh |
95 | command line to clear port forwardings set in configuration | 95 | command line to clear port forwardings set in configuration |
96 | files, and is automatically set by scp(1) and sftp(1). The argu- | 96 | files, and is automatically set by scp(1) and sftp(1). The argu- |
97 | ment must be ``yes'' or ``no''. The default is ``no''. | 97 | ment must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
98 | 98 | ||
99 | Compression | 99 | Compression |
100 | Specifies whether to use compression. The argument must be | 100 | Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] |
101 | ``yes'' or ``no''. The default is ``no''. | 101 | or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
102 | 102 | ||
103 | CompressionLevel | 103 | CompressionLevel |
104 | Specifies the compression level to use if compression is enabled. | 104 | Specifies the compression level to use if compression is enabled. |
@@ -108,61 +108,61 @@ DESCRIPTION | |||
108 | option applies to protocol version 1 only. | 108 | option applies to protocol version 1 only. |
109 | 109 | ||
110 | ConnectionAttempts | 110 | ConnectionAttempts |
111 | Specifies the number of tries (one per second) to make before ex- | 111 | Specifies the number of tries (one per second) to make before |
112 | iting. The argument must be an integer. This may be useful in | 112 | exiting. The argument must be an integer. This may be useful in |
113 | scripts if the connection sometimes fails. The default is 1. | 113 | scripts if the connection sometimes fails. The default is 1. |
114 | 114 | ||
115 | ConnectTimeout | 115 | ConnectTimeout |
116 | Specifies the timeout (in seconds) used when connecting to the | 116 | Specifies the timeout (in seconds) used when connecting to the |
117 | ssh server, instead of using the default system TCP timeout. | 117 | ssh server, instead of using the default system TCP timeout. |
118 | This value is used only when the target is down or really un- | 118 | This value is used only when the target is down or really |
119 | reachable, not when it refuses the connection. | 119 | unreachable, not when it refuses the connection. |
120 | 120 | ||
121 | DynamicForward | 121 | DynamicForward |
122 | Specifies that a TCP/IP port on the local machine be forwarded | 122 | Specifies that a TCP/IP port on the local machine be forwarded |
123 | over the secure channel, and the application protocol is then | 123 | over the secure channel, and the application protocol is then |
124 | used to determine where to connect to from the remote machine. | 124 | used to determine where to connect to from the remote machine. |
125 | The argument must be a port number. Currently the SOCKS4 and | 125 | The argument must be a port number. Currently the SOCKS4 and |
126 | SOCKS5 protocols are supported, and ssh will act as a SOCKS serv- | 126 | SOCKS5 protocols are supported, and ssh will act as a SOCKS |
127 | er. Multiple forwardings may be specified, and additional for- | 127 | server. Multiple forwardings may be specified, and additional |
128 | wardings can be given on the command line. Only the superuser | 128 | forwardings can be given on the command line. Only the superuser |
129 | can forward privileged ports. | 129 | can forward privileged ports. |
130 | 130 | ||
131 | EnableSSHKeysign | 131 | EnableSSHKeysign |
132 | Setting this option to ``yes'' in the global client configuration | 132 | Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration |
133 | file /etc/ssh/ssh_config enables the use of the helper program | 133 | file /etc/ssh/ssh_config enables the use of the helper program |
134 | ssh-keysign(8) during HostbasedAuthentication. The argument must | 134 | ssh-keysign(8) during HostbasedAuthentication. The argument must |
135 | be ``yes'' or ``no''. The default is ``no''. See ssh-keysign(8) | 135 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. See ssh-keysign(8) for |
136 | for more information. | 136 | more information. |
137 | 137 | ||
138 | EscapeChar | 138 | EscapeChar |
139 | Sets the escape character (default: `~'). The escape character | 139 | Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character |
140 | can also be set on the command line. The argument should be a | 140 | can also be set on the command line. The argument should be a |
141 | single character, `^' followed by a letter, or ``none'' to dis- | 141 | single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable |
142 | able the escape character entirely (making the connection trans- | 142 | the escape character entirely (making the connection transparent |
143 | parent for binary data). | 143 | for binary data). |
144 | 144 | ||
145 | ForwardAgent | 145 | ForwardAgent |
146 | Specifies whether the connection to the authentication agent (if | 146 | Specifies whether the connection to the authentication agent (if |
147 | any) will be forwarded to the remote machine. The argument must | 147 | any) will be forwarded to the remote machine. The argument must |
148 | be ``yes'' or ``no''. The default is ``no''. | 148 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
149 | 149 | ||
150 | Agent forwarding should be enabled with caution. Users with the | 150 | Agent forwarding should be enabled with caution. Users with the |
151 | ability to bypass file permissions on the remote host (for the | 151 | ability to bypass file permissions on the remote host (for the |
152 | agent's Unix-domain socket) can access the local agent through | 152 | agentM-bM-^@M-^Ys Unix-domain socket) can access the local agent through |
153 | the forwarded connection. An attacker cannot obtain key material | 153 | the forwarded connection. An attacker cannot obtain key material |
154 | from the agent, however they can perform operations on the keys | 154 | from the agent, however they can perform operations on the keys |
155 | that enable them to authenticate using the identities loaded into | 155 | that enable them to authenticate using the identities loaded into |
156 | the agent. | 156 | the agent. |
157 | 157 | ||
158 | ForwardX11 | 158 | ForwardX11 |
159 | Specifies whether X11 connections will be automatically redirect- | 159 | Specifies whether X11 connections will be automatically redi- |
160 | ed over the secure channel and DISPLAY set. The argument must be | 160 | rected over the secure channel and DISPLAY set. The argument |
161 | ``yes'' or ``no''. The default is ``no''. | 161 | must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
162 | 162 | ||
163 | X11 forwarding should be enabled with caution. Users with the | 163 | X11 forwarding should be enabled with caution. Users with the |
164 | ability to bypass file permissions on the remote host (for the | 164 | ability to bypass file permissions on the remote host (for the |
165 | user's X authorization database) can access the local X11 display | 165 | userM-bM-^@M-^Ys X authorization database) can access the local X11 display |
166 | through the forwarded connection. An attacker may then be able | 166 | through the forwarded connection. An attacker may then be able |
167 | to perform activities such as keystroke monitoring. | 167 | to perform activities such as keystroke monitoring. |
168 | 168 | ||
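Review bot: the ForwardAgent and ForwardX11 caution paragraphs differ only by the apostrophe in "agent's" and "user's", but they sit among re-hyphenation changes such as "redirect-/ed" becoming "redi-/rected", which makes it hard to confirm that the security wording is unchanged. Check this hunk with a word-level diff after normalising quotes and line breaks, and state in the commit message that no text changed.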
@@ -171,35 +171,34 @@ DESCRIPTION | |||
171 | forwarded ports. By default, ssh binds local port forwardings to | 171 | forwarded ports. By default, ssh binds local port forwardings to |
172 | the loopback address. This prevents other remote hosts from con- | 172 | the loopback address. This prevents other remote hosts from con- |
173 | necting to forwarded ports. GatewayPorts can be used to specify | 173 | necting to forwarded ports. GatewayPorts can be used to specify |
174 | that ssh should bind local port forwardings to the wildcard ad- | 174 | that ssh should bind local port forwardings to the wildcard |
175 | dress, thus allowing remote hosts to connect to forwarded ports. | 175 | address, thus allowing remote hosts to connect to forwarded |
176 | The argument must be ``yes'' or ``no''. The default is ``no''. | 176 | ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
177 | 177 | ||
178 | GlobalKnownHostsFile | 178 | GlobalKnownHostsFile |
179 | Specifies a file to use for the global host key database instead | 179 | Specifies a file to use for the global host key database instead |
180 | of /etc/ssh/ssh_known_hosts. | 180 | of /etc/ssh/ssh_known_hosts. |
181 | 181 | ||
182 | GSSAPIAuthentication | 182 | GSSAPIAuthentication |
183 | Specifies whether authentication based on GSSAPI may be used, ei- | 183 | Specifies whether authentication based on GSSAPI may be used, |
184 | ther using the result of a successful key exchange, or using GSS- | 184 | either using the result of a successful key exchange, or using |
185 | API user authentication. The default is ``yes''. Note that this | 185 | GSSAPI user authentication. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that |
186 | option applies to protocol version 2 only. | 186 | this option applies to protocol version 2 only. |
187 | 187 | ||
188 | GSSAPIDelegateCredentials | 188 | GSSAPIDelegateCredentials |
189 | Forward (delegate) credentials to the server. The default is | 189 | Forward (delegate) credentials to the server. The default is |
190 | ``no''. Note that this option applies to protocol version 2 on- | 190 | M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 only. |
191 | ly. | ||
192 | 191 | ||
193 | HostbasedAuthentication | 192 | HostbasedAuthentication |
194 | Specifies whether to try rhosts based authentication with public | 193 | Specifies whether to try rhosts based authentication with public |
195 | key authentication. The argument must be ``yes'' or ``no''. The | 194 | key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
196 | default is ``no''. This option applies to protocol version 2 on- | 195 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 2 only |
197 | ly and is similar to RhostsRSAAuthentication. | 196 | and is similar to RhostsRSAAuthentication. |
198 | 197 | ||
199 | HostKeyAlgorithms | 198 | HostKeyAlgorithms |
200 | Specifies the protocol version 2 host key algorithms that the | 199 | Specifies the protocol version 2 host key algorithms that the |
201 | client wants to use in order of preference. The default for this | 200 | client wants to use in order of preference. The default for this |
202 | option is: ``ssh-rsa,ssh-dss''. | 201 | option is: M-bM-^@M-^\ssh-rsa,ssh-dssM-bM-^@M-^]. |
203 | 202 | ||
204 | HostKeyAlias | 203 | HostKeyAlias |
205 | Specifies an alias that should be used instead of the real host | 204 | Specifies an alias that should be used instead of the real host |
@@ -215,13 +214,13 @@ DESCRIPTION | |||
215 | tions). | 214 | tions). |
216 | 215 | ||
217 | IdentityFile | 216 | IdentityFile |
218 | Specifies a file from which the user's RSA or DSA authentication | 217 | Specifies a file from which the userM-bM-^@M-^Ys RSA or DSA authentication |
219 | identity is read. The default is $HOME/.ssh/identity for proto- | 218 | identity is read. The default is $HOME/.ssh/identity for proto- |
220 | col version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for | 219 | col version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for |
221 | protocol version 2. Additionally, any identities represented by | 220 | protocol version 2. Additionally, any identities represented by |
222 | the authentication agent will be used for authentication. The | 221 | the authentication agent will be used for authentication. The |
223 | file name may use the tilde syntax to refer to a user's home di- | 222 | file name may use the tilde syntax to refer to a userM-bM-^@M-^Ys home |
224 | rectory. It is possible to have multiple identity files speci- | 223 | directory. It is possible to have multiple identity files speci- |
225 | fied in configuration files; all these identities will be tried | 224 | fied in configuration files; all these identities will be tried |
226 | in sequence. | 225 | in sequence. |
227 | 226 | ||
@@ -232,11 +231,11 @@ DESCRIPTION | |||
232 | this means that connections will die if the route is down tem- | 231 | this means that connections will die if the route is down tem- |
233 | porarily, and some people find it annoying. | 232 | porarily, and some people find it annoying. |
234 | 233 | ||
235 | The default is ``yes'' (to send keepalives), and the client will | 234 | The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the client will |
236 | notice if the network goes down or the remote host dies. This is | 235 | notice if the network goes down or the remote host dies. This is |
237 | important in scripts, and many users want it too. | 236 | important in scripts, and many users want it too. |
238 | 237 | ||
239 | To disable keepalives, the value should be set to ``no''. | 238 | To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. |
240 | 239 | ||
241 | LocalForward | 240 | LocalForward |
242 | Specifies that a TCP/IP port on the local machine be forwarded | 241 | Specifies that a TCP/IP port on the local machine be forwarded |
@@ -254,20 +253,20 @@ DESCRIPTION | |||
254 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | 253 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
255 | higher levels of verbose output. | 254 | higher levels of verbose output. |
256 | 255 | ||
257 | MACs Specifies the MAC (message authentication code) algorithms in or- | 256 | MACs Specifies the MAC (message authentication code) algorithms in |
258 | der of preference. The MAC algorithm is used in protocol version | 257 | order of preference. The MAC algorithm is used in protocol ver- |
259 | 2 for data integrity protection. Multiple algorithms must be | 258 | sion 2 for data integrity protection. Multiple algorithms must |
260 | comma-separated. The default is ``hmac-md5,hmac-sha1,hmac- | 259 | be comma-separated. The default is |
261 | ripemd160,hmac-sha1-96,hmac-md5-96''. | 260 | M-bM-^@M-^\hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96M-bM-^@M-^]. |
262 | 261 | ||
263 | NoHostAuthenticationForLocalhost | 262 | NoHostAuthenticationForLocalhost |
264 | This option can be used if the home directory is shared across | 263 | This option can be used if the home directory is shared across |
265 | machines. In this case localhost will refer to a different ma- | 264 | machines. In this case localhost will refer to a different |
266 | chine on each of the machines and the user will get many warnings | 265 | machine on each of the machines and the user will get many warn- |
267 | about changed host keys. However, this option disables host au- | 266 | ings about changed host keys. However, this option disables host |
268 | thentication for localhost. The argument to this keyword must be | 267 | authentication for localhost. The argument to this keyword must |
269 | ``yes'' or ``no''. The default is to check the host key for lo- | 268 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for |
270 | calhost. | 269 | localhost. |
271 | 270 | ||
272 | NumberOfPasswordPrompts | 271 | NumberOfPasswordPrompts |
273 | Specifies the number of password prompts before giving up. The | 272 | Specifies the number of password prompts before giving up. The |
@@ -275,44 +274,43 @@ DESCRIPTION | |||
275 | 274 | ||
276 | PasswordAuthentication | 275 | PasswordAuthentication |
277 | Specifies whether to use password authentication. The argument | 276 | Specifies whether to use password authentication. The argument |
278 | to this keyword must be ``yes'' or ``no''. The default is | 277 | to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
279 | ``yes''. | ||
280 | 278 | ||
281 | Port Specifies the port number to connect on the remote host. Default | 279 | Port Specifies the port number to connect on the remote host. Default |
282 | is 22. | 280 | is 22. |
283 | 281 | ||
284 | PreferredAuthentications | 282 | PreferredAuthentications |
285 | Specifies the order in which the client should try protocol 2 au- | 283 | Specifies the order in which the client should try protocol 2 |
286 | thentication methods. This allows a client to prefer one method | 284 | authentication methods. This allows a client to prefer one |
287 | (e.g. keyboard-interactive) over another method (e.g. password) | 285 | method (e.g. keyboard-interactive) over another method (e.g. |
288 | The default for this option is: ``hostbased,publickey,keyboard- | 286 | password) The default for this option is: |
289 | interactive,password''. | 287 | M-bM-^@M-^\hostbased,publickey,keyboard-interactive,passwordM-bM-^@M-^]. |
290 | 288 | ||
291 | Protocol | 289 | Protocol |
292 | Specifies the protocol versions ssh should support in order of | 290 | Specifies the protocol versions ssh should support in order of |
293 | preference. The possible values are ``1'' and ``2''. Multiple | 291 | preference. The possible values are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple ver- |
294 | versions must be comma-separated. The default is ``2,1''. This | 292 | sions must be comma-separated. The default is M-bM-^@M-^\2,1M-bM-^@M-^]. This means |
295 | means that ssh tries version 2 and falls back to version 1 if | 293 | that ssh tries version 2 and falls back to version 1 if version 2 |
296 | version 2 is not available. | 294 | is not available. |
297 | 295 | ||
298 | ProxyCommand | 296 | ProxyCommand |
299 | Specifies the command to use to connect to the server. The com- | 297 | Specifies the command to use to connect to the server. The com- |
300 | mand string extends to the end of the line, and is executed with | 298 | mand string extends to the end of the line, and is executed with |
301 | /bin/sh. In the command string, `%h' will be substituted by the | 299 | /bin/sh. In the command string, M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the |
302 | host name to connect and `%p' by the port. The command can be | 300 | host name to connect and M-bM-^@M-^X%pM-bM-^@M-^Y by the port. The command can be |
303 | basically anything, and should read from its standard input and | 301 | basically anything, and should read from its standard input and |
304 | write to its standard output. It should eventually connect an | 302 | write to its standard output. It should eventually connect an |
305 | sshd(8) server running on some machine, or execute sshd -i some- | 303 | sshd(8) server running on some machine, or execute sshd -i some- |
306 | where. Host key management will be done using the HostName of | 304 | where. Host key management will be done using the HostName of |
307 | the host being connected (defaulting to the name typed by the us- | 305 | the host being connected (defaulting to the name typed by the |
308 | er). Setting the command to ``none'' disables this option en- | 306 | user). Setting the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option |
309 | tirely. Note that CheckHostIP is not available for connects with | 307 | entirely. Note that CheckHostIP is not available for connects |
310 | a proxy command. | 308 | with a proxy command. |
311 | 309 | ||
312 | PubkeyAuthentication | 310 | PubkeyAuthentication |
313 | Specifies whether to try public key authentication. The argument | 311 | Specifies whether to try public key authentication. The argument |
314 | to this keyword must be ``yes'' or ``no''. The default is | 312 | to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
315 | ``yes''. This option applies to protocol version 2 only. | 313 | This option applies to protocol version 2 only. |
316 | 314 | ||
317 | RemoteForward | 315 | RemoteForward |
318 | Specifies that a TCP/IP port on the remote machine be forwarded | 316 | Specifies that a TCP/IP port on the remote machine be forwarded |
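Review bot: under PreferredAuthentications, both sides read "(e.g. password) The default for this option is:" with no period after the closing parenthesis, so the regeneration carries an existing typo forward. Fix it in the manual source this file is generated from, then regenerate.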
@@ -325,46 +323,45 @@ DESCRIPTION | |||
325 | 323 | ||
326 | RhostsRSAAuthentication | 324 | RhostsRSAAuthentication |
327 | Specifies whether to try rhosts based authentication with RSA | 325 | Specifies whether to try rhosts based authentication with RSA |
328 | host authentication. The argument must be ``yes'' or ``no''. | 326 | host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
329 | The default is ``no''. This option applies to protocol version 1 | 327 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only |
330 | only and requires ssh to be setuid root. | 328 | and requires ssh to be setuid root. |
331 | 329 | ||
332 | RSAAuthentication | 330 | RSAAuthentication |
333 | Specifies whether to try RSA authentication. The argument to | 331 | Specifies whether to try RSA authentication. The argument to |
334 | this keyword must be ``yes'' or ``no''. RSA authentication will | 332 | this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only |
335 | only be attempted if the identity file exists, or an authentica- | 333 | be attempted if the identity file exists, or an authentication |
336 | tion agent is running. The default is ``yes''. Note that this | 334 | agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option |
337 | option applies to protocol version 1 only. | 335 | applies to protocol version 1 only. |
338 | 336 | ||
339 | SmartcardDevice | 337 | SmartcardDevice |
340 | Specifies which smartcard device to use. The argument to this | 338 | Specifies which smartcard device to use. The argument to this |
341 | keyword is the device ssh should use to communicate with a smart- | 339 | keyword is the device ssh should use to communicate with a smart- |
342 | card used for storing the user's private RSA key. By default, no | 340 | card used for storing the userM-bM-^@M-^Ys private RSA key. By default, no |
343 | device is specified and smartcard support is not activated. | 341 | device is specified and smartcard support is not activated. |
344 | 342 | ||
345 | StrictHostKeyChecking | 343 | StrictHostKeyChecking |
346 | If this flag is set to ``yes'', ssh will never automatically add | 344 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh will never automatically add |
347 | host keys to the $HOME/.ssh/known_hosts file, and refuses to con- | 345 | host keys to the $HOME/.ssh/known_hosts file, and refuses to con- |
348 | nect to hosts whose host key has changed. This provides maximum | 346 | nect to hosts whose host key has changed. This provides maximum |
349 | protection against trojan horse attacks, however, can be annoying | 347 | protection against trojan horse attacks, however, can be annoying |
350 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or | 348 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or |
351 | connections to new hosts are frequently made. This option forces | 349 | connections to new hosts are frequently made. This option forces |
352 | the user to manually add all new hosts. If this flag is set to | 350 | the user to manually add all new hosts. If this flag is set to |
353 | ``no'', ssh will automatically add new host keys to the user | 351 | M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host keys to the user known |
354 | known hosts files. If this flag is set to ``ask'', new host keys | 352 | hosts files. If this flag is set to M-bM-^@M-^\askM-bM-^@M-^], new host keys will be |
355 | will be added to the user known host files only after the user | 353 | added to the user known host files only after the user has con- |
356 | has confirmed that is what they really want to do, and ssh will | 354 | firmed that is what they really want to do, and ssh will refuse |
357 | refuse to connect to hosts whose host key has changed. The host | 355 | to connect to hosts whose host key has changed. The host keys of |
358 | keys of known hosts will be verified automatically in all cases. | 356 | known hosts will be verified automatically in all cases. The |
359 | The argument must be ``yes'', ``no'' or ``ask''. The default is | 357 | argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] or M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^]. |
360 | ``ask''. | ||
361 | 358 | ||
362 | UsePrivilegedPort | 359 | UsePrivilegedPort |
363 | Specifies whether to use a privileged port for outgoing connec- | 360 | Specifies whether to use a privileged port for outgoing connec- |
364 | tions. The argument must be ``yes'' or ``no''. The default is | 361 | tions. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
365 | ``no''. If set to ``yes'' ssh must be setuid root. Note that | 362 | If set to M-bM-^@M-^\yesM-bM-^@M-^] ssh must be setuid root. Note that this option |
366 | this option must be set to ``yes'' for RhostsRSAAuthentication | 363 | must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with older |
367 | with older servers. | 364 | servers. |
368 | 365 | ||
369 | User Specifies the user to log in as. This can be useful when a dif- | 366 | User Specifies the user to log in as. This can be useful when a dif- |
370 | ferent user name is used on different machines. This saves the | 367 | ferent user name is used on different machines. This saves the |
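Review bot: The quoted argument values on the new side of this hunk (for example the StrictHostKeyChecking values at new lines 344 to 357 and the UsePrivilegedPort values at 361 to 363) are no longer ASCII ``yes'' but the byte sequences shown as M-bM-^@M-^\yesM-bM-^@M-^], which is the UTF-8 encoding of curly double quotes. Apart from line rewrapping nothing else changes in these lines, so the preformatted page appears to have been regenerated under a UTF-8 locale. The old side was plain ASCII and a preformatted .0 page should stay that way so the accepted values read cleanly on any terminal. Please regenerate with ASCII output (for example nroff with -Tascii, or with LC_ALL=C) and check that the ASCII quoting returns.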
@@ -377,7 +374,7 @@ DESCRIPTION | |||
377 | 374 | ||
378 | VerifyHostKeyDNS | 375 | VerifyHostKeyDNS |
379 | Specifies whether to verify the remote key using DNS and SSHFP | 376 | Specifies whether to verify the remote key using DNS and SSHFP |
380 | resource records. The default is ``no''. Note that this option | 377 | resource records. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option |
381 | applies to protocol version 2 only. | 378 | applies to protocol version 2 only. |
382 | 379 | ||
383 | XAuthLocation | 380 | XAuthLocation |
@@ -389,12 +386,12 @@ FILES | |||
389 | This is the per-user configuration file. The format of this file | 386 | This is the per-user configuration file. The format of this file |
390 | is described above. This file is used by the ssh client. This | 387 | is described above. This file is used by the ssh client. This |
391 | file does not usually contain any sensitive information, but the | 388 | file does not usually contain any sensitive information, but the |
392 | recommended permissions are read/write for the user, and not ac- | 389 | recommended permissions are read/write for the user, and not |
393 | cessible by others. | 390 | accessible by others. |
394 | 391 | ||
395 | /etc/ssh/ssh_config | 392 | /etc/ssh/ssh_config |
396 | Systemwide configuration file. This file provides defaults for | 393 | Systemwide configuration file. This file provides defaults for |
397 | those values that are not specified in the user's configuration | 394 | those values that are not specified in the userM-bM-^@M-^Ys configuration |
398 | file, and for those users who do not have a configuration file. | 395 | file, and for those users who do not have a configuration file. |
399 | This file must be world-readable. | 396 | This file must be world-readable. |
400 | 397 | ||
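Review bot: At new line 394 the apostrophe in "user's configuration" has become the three-byte sequence rendered as M-bM-^@M-^Y, so a plain-text search of the installed page for "user's" will no longer match. It should go back to an ASCII apostrophe. The rejoining of "not ac-" / "cessible" into "not accessible" at new lines 389 to 390 is fine, and the permission guidance itself is unchanged.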
@@ -408,4 +405,4 @@ AUTHORS | |||
408 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 405 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
409 | versions 1.5 and 2.0. | 406 | versions 1.5 and 2.0. |
410 | 407 | ||
411 | OpenBSD 3.4 September 25, 1999 7 | 408 | BSD September 25, 1999 BSD |
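Review bot: The footer at new line 408 drops "OpenBSD 3.4" and the page number and now reads "BSD September 25, 1999 BSD". Together with the header change at the top of the file ("OpenBSD Programmer's Manual" to "BSD File Formats Manual"), this suggests the page was formatted with a different mdoc macro set than the previous revision. If that is intended, the commit message should say which toolchain produced the page; otherwise regenerate it with the macros used before so the header and footer stay stable between revisions.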