Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 149 |
1 files changed, 93 insertions, 56 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 94ef73676..692e5f6d5 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -1,7 +1,7 @@ | |||
1 | SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) | 1 | SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files | 4 | ssh_config M-bM-^@M-^S OpenSSH client configuration file |
5 | 5 | ||
6 | DESCRIPTION | 6 | DESCRIPTION |
7 | ssh(1) obtains configuration data from the following sources in the | 7 | ssh(1) obtains configuration data from the following sources in the |
@@ -107,10 +107,11 @@ DESCRIPTION | |||
107 | (use IPv6 only). | 107 | (use IPv6 only). |
108 | 108 | ||
109 | BatchMode | 109 | BatchMode |
110 | If set to yes, passphrase/password querying will be disabled. | 110 | If set to yes, user interaction such as password prompts and host |
111 | This option is useful in scripts and other batch jobs where no | 111 | key confirmation requests will be disabled. This option is |
112 | user is present to supply the password. The argument must be yes | 112 | useful in scripts and other batch jobs where no user is present |
113 | or no (the default). | 113 | to interact with ssh(1). The argument must be yes or no (the |
114 | default). | ||
114 | 115 | ||
115 | BindAddress | 116 | BindAddress |
116 | Use the specified address on the local machine as the source | 117 | Use the specified address on the local machine as the source |
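Review bot: the new BatchMode text says host key confirmation requests are disabled but not what happens in their place; the reader needs to know whether ssh(1) then refuses the connection or proceeds when a host key would otherwise need confirmation. Suggest adding a sentence after "will be disabled." that states the outcome, or a pointer to StrictHostKeyChecking, since a script author relying on BatchMode is exactly the person who must not assume unknown hosts are accepted silently.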
@@ -181,7 +182,8 @@ DESCRIPTION | |||
181 | Specifies a file from which the user's certificate is read. A | 182 | Specifies a file from which the user's certificate is read. A |
182 | corresponding private key must be provided separately in order to | 183 | corresponding private key must be provided separately in order to |
183 | use this certificate either from an IdentityFile directive or -i | 184 | use this certificate either from an IdentityFile directive or -i |
184 | flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider. | 185 | flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider or |
186 | SecurityKeyProvider. | ||
185 | 187 | ||
186 | Arguments to CertificateFile may use the tilde syntax to refer to | 188 | Arguments to CertificateFile may use the tilde syntax to refer to |
187 | a user's home directory or the tokens described in the TOKENS | 189 | a user's home directory or the tokens described in the TOKENS |
@@ -303,10 +305,10 @@ DESCRIPTION | |||
303 | When used in conjunction with ControlMaster, specifies that the | 305 | When used in conjunction with ControlMaster, specifies that the |
304 | master connection should remain open in the background (waiting | 306 | master connection should remain open in the background (waiting |
305 | for future client connections) after the initial client | 307 | for future client connections) after the initial client |
306 | connection has been closed. If set to no, then the master | 308 | connection has been closed. If set to no (the default), then the |
307 | connection will not be placed into the background, and will close | 309 | master connection will not be placed into the background, and |
308 | as soon as the initial client connection is closed. If set to | 310 | will close as soon as the initial client connection is closed. |
309 | yes or 0, then the master connection will remain in the | 311 | If set to yes or 0, then the master connection will remain in the |
310 | background indefinitely (until killed or closed via a mechanism | 312 | background indefinitely (until killed or closed via a mechanism |
311 | such as the "ssh -O exit"). If set to a time in seconds, or a | 313 | such as the "ssh -O exit"). If set to a time in seconds, or a |
312 | time in any of the formats documented in sshd_config(5), then the | 314 | time in any of the formats documented in sshd_config(5), then the |
@@ -364,8 +366,10 @@ DESCRIPTION | |||
364 | 366 | ||
365 | ForwardAgent | 367 | ForwardAgent |
366 | Specifies whether the connection to the authentication agent (if | 368 | Specifies whether the connection to the authentication agent (if |
367 | any) will be forwarded to the remote machine. The argument must | 369 | any) will be forwarded to the remote machine. The argument may |
368 | be yes or no (the default). | 370 | be yes, no (the default), an explicit path to an agent socket or |
371 | the name of an environment variable (beginning with M-bM-^@M-^X$M-bM-^@M-^Y) in which | ||
372 | to find the path. | ||
369 | 373 | ||
370 | Agent forwarding should be enabled with caution. Users with the | 374 | Agent forwarding should be enabled with caution. Users with the |
371 | ability to bypass file permissions on the remote host (for the | 375 | ability to bypass file permissions on the remote host (for the |
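Review bot: the new ForwardAgent wording in this hunk introduces a socket path and a "$"-prefixed environment variable form but does not say what ssh(1) does when the variable is unset or the socket does not exist (error out, or fall back to no forwarding). Suggest stating that explicitly, and making clear that the caution paragraph that follows ("Agent forwarding should be enabled with caution") applies equally when an explicit path or variable is given rather than yes, since the forwarded agent's keys are exposed to the remote host in the same way.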
@@ -434,11 +438,11 @@ DESCRIPTION | |||
434 | HashKnownHosts | 438 | HashKnownHosts |
435 | Indicates that ssh(1) should hash host names and addresses when | 439 | Indicates that ssh(1) should hash host names and addresses when |
436 | they are added to ~/.ssh/known_hosts. These hashed names may be | 440 | they are added to ~/.ssh/known_hosts. These hashed names may be |
437 | used normally by ssh(1) and sshd(8), but they do not reveal | 441 | used normally by ssh(1) and sshd(8), but they do not visually |
438 | identifying information should the file's contents be disclosed. | 442 | reveal identifying information if the file's contents are |
439 | The default is no. Note that existing names and addresses in | 443 | disclosed. The default is no. Note that existing names and |
440 | known hosts files will not be converted automatically, but may be | 444 | addresses in known hosts files will not be converted |
441 | manually hashed using ssh-keygen(1). | 445 | automatically, but may be manually hashed using ssh-keygen(1). |
442 | 446 | ||
443 | HostbasedAuthentication | 447 | HostbasedAuthentication |
444 | Specifies whether to try rhosts based authentication with public | 448 | Specifies whether to try rhosts based authentication with public |
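Review bot: changing "do not reveal" to "do not visually reveal" narrows the confidentiality claim, which is correct, but the sentence now hints that something remains recoverable without saying what. Suggest spelling it out in one clause, e.g. that a hashed entry can still be matched against a hostname the reader already has in mind, so that HashKnownHosts is not read as keeping the host list fully secret once the file is disclosed.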
@@ -460,11 +464,16 @@ DESCRIPTION | |||
460 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 464 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
461 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 465 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
462 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 466 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
467 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
463 | ssh-ed25519-cert-v01@openssh.com, | 468 | ssh-ed25519-cert-v01@openssh.com, |
464 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | 469 | sk-ssh-ed25519-cert-v01@openssh.com, |
470 | rsa-sha2-512-cert-v01@openssh.com, | ||
471 | rsa-sha2-256-cert-v01@openssh.com, | ||
465 | ssh-rsa-cert-v01@openssh.com, | 472 | ssh-rsa-cert-v01@openssh.com, |
466 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 473 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
467 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 474 | sk-ecdsa-sha2-nistp256@openssh.com, |
475 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
476 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
468 | 477 | ||
469 | The -Q option of ssh(1) may be used to list supported key types. | 478 | The -Q option of ssh(1) may be used to list supported key types. |
470 | 479 | ||
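Review bot: the sentence after the HostbasedKeyTypes list still says generically "The -Q option of ssh(1) may be used to list supported key types", while the HostKeyAlgorithms and PubkeyAcceptedKeyTypes hunks in this same diff switch to the keyword form ("ssh -Q HostKeyAlgorithms", "ssh -Q PubkeyAcceptedKeyTypes"). For consistency, and because the list now contains the sk- types, suggest "ssh -Q HostbasedKeyTypes" here if -Q accepts that keyword as the other two hunks imply.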
@@ -482,17 +491,22 @@ DESCRIPTION | |||
482 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 491 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
483 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 492 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
484 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 493 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
494 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
485 | ssh-ed25519-cert-v01@openssh.com, | 495 | ssh-ed25519-cert-v01@openssh.com, |
486 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | 496 | sk-ssh-ed25519-cert-v01@openssh.com, |
497 | rsa-sha2-512-cert-v01@openssh.com, | ||
498 | rsa-sha2-256-cert-v01@openssh.com, | ||
487 | ssh-rsa-cert-v01@openssh.com, | 499 | ssh-rsa-cert-v01@openssh.com, |
488 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 500 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
489 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 501 | sk-ecdsa-sha2-nistp256@openssh.com, |
502 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
503 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
490 | 504 | ||
491 | If hostkeys are known for the destination host then this default | 505 | If hostkeys are known for the destination host then this default |
492 | is modified to prefer their algorithms. | 506 | is modified to prefer their algorithms. |
493 | 507 | ||
494 | The list of available key types may also be obtained using "ssh | 508 | The list of available key types may also be obtained using "ssh |
495 | -Q key". | 509 | -Q HostKeyAlgorithms". |
496 | 510 | ||
497 | HostKeyAlias | 511 | HostKeyAlias |
498 | Specifies an alias that should be used instead of the real host | 512 | Specifies an alias that should be used instead of the real host |
@@ -514,9 +528,10 @@ DESCRIPTION | |||
514 | authentication identity and certificate files (either the default | 528 | authentication identity and certificate files (either the default |
515 | files, or those explicitly configured in the ssh_config files or | 529 | files, or those explicitly configured in the ssh_config files or |
516 | passed on the ssh(1) command-line), even if ssh-agent(1) or a | 530 | passed on the ssh(1) command-line), even if ssh-agent(1) or a |
517 | PKCS11Provider offers more identities. The argument to this | 531 | PKCS11Provider or SecurityKeyProvider offers more identities. |
518 | keyword must be yes or no (the default). This option is intended | 532 | The argument to this keyword must be yes or no (the default). |
519 | for situations where ssh-agent offers many different identities. | 533 | This option is intended for situations where ssh-agent offers |
534 | many different identities. | ||
520 | 535 | ||
521 | IdentityAgent | 536 | IdentityAgent |
522 | Specifies the UNIX-domain socket used to communicate with the | 537 | Specifies the UNIX-domain socket used to communicate with the |
@@ -536,15 +551,17 @@ DESCRIPTION | |||
536 | section. | 551 | section. |
537 | 552 | ||
538 | IdentityFile | 553 | IdentityFile |
539 | Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA | 554 | Specifies a file from which the user's DSA, ECDSA, authenticator- |
555 | hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA | ||
540 | authentication identity is read. The default is ~/.ssh/id_dsa, | 556 | authentication identity is read. The default is ~/.ssh/id_dsa, |
541 | ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa. | 557 | ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, |
542 | Additionally, any identities represented by the authentication | 558 | ~/.ssh/id_ed25519_sk and ~/.ssh/id_rsa. Additionally, any |
543 | agent will be used for authentication unless IdentitiesOnly is | 559 | identities represented by the authentication agent will be used |
544 | set. If no certificates have been explicitly specified by | 560 | for authentication unless IdentitiesOnly is set. If no |
545 | CertificateFile, ssh(1) will try to load certificate information | 561 | certificates have been explicitly specified by CertificateFile, |
546 | from the filename obtained by appending -cert.pub to the path of | 562 | ssh(1) will try to load certificate information from the filename |
547 | a specified IdentityFile. | 563 | obtained by appending -cert.pub to the path of a specified |
564 | IdentityFile. | ||
548 | 565 | ||
549 | Arguments to IdentityFile may use the tilde syntax to refer to a | 566 | Arguments to IdentityFile may use the tilde syntax to refer to a |
550 | user's home directory or the tokens described in the TOKENS | 567 | user's home directory or the tokens described in the TOKENS |
@@ -583,14 +600,15 @@ DESCRIPTION | |||
583 | IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. | 600 | IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. |
584 | Accepted values are af11, af12, af13, af21, af22, af23, af31, | 601 | Accepted values are af11, af12, af13, af21, af22, af23, af31, |
585 | af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, | 602 | af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, |
586 | cs7, ef, lowdelay, throughput, reliability, a numeric value, or | 603 | cs7, ef, le, lowdelay, throughput, reliability, a numeric value, |
587 | none to use the operating system default. This option may take | 604 | or none to use the operating system default. This option may |
588 | one or two arguments, separated by whitespace. If one argument | 605 | take one or two arguments, separated by whitespace. If one |
589 | is specified, it is used as the packet class unconditionally. If | 606 | argument is specified, it is used as the packet class |
590 | two values are specified, the first is automatically selected for | 607 | unconditionally. If two values are specified, the first is |
591 | interactive sessions and the second for non-interactive sessions. | 608 | automatically selected for interactive sessions and the second |
592 | The default is af21 (Low-Latency Data) for interactive sessions | 609 | for non-interactive sessions. The default is af21 (Low-Latency |
593 | and cs1 (Lower Effort) for non-interactive sessions. | 610 | Data) for interactive sessions and cs1 (Lower Effort) for non- |
611 | interactive sessions. | ||
594 | 612 | ||
595 | KbdInteractiveAuthentication | 613 | KbdInteractiveAuthentication |
596 | Specifies whether to use keyboard-interactive authentication. | 614 | Specifies whether to use keyboard-interactive authentication. |
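Review bot: the IPQoS hunk adds "le" to the accepted values but gives it no gloss, while the same paragraph glosses cs1 as "(Lower Effort)". Since "le" is itself the Lower Effort class, readers will not know how it differs from cs1 or when to prefer it; suggest a short parenthetical on "le" and, if the defaults are unchanged on purpose, a note that cs1 remains the non-interactive default.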
@@ -619,8 +637,7 @@ DESCRIPTION | |||
619 | diffie-hellman-group-exchange-sha256, | 637 | diffie-hellman-group-exchange-sha256, |
620 | diffie-hellman-group16-sha512, | 638 | diffie-hellman-group16-sha512, |
621 | diffie-hellman-group18-sha512, | 639 | diffie-hellman-group18-sha512, |
622 | diffie-hellman-group14-sha256, | 640 | diffie-hellman-group14-sha256 |
623 | diffie-hellman-group14-sha1 | ||
624 | 641 | ||
625 | The list of available key exchange algorithms may also be | 642 | The list of available key exchange algorithms may also be |
626 | obtained using "ssh -Q kex". | 643 | obtained using "ssh -Q kex". |
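Review bot: this hunk silently drops diffie-hellman-group14-sha1 from the default KexAlgorithms list. The removal is the right direction (it retires the last SHA-1 key exchange default), but a documentation change of this kind should say so, because users of older servers will see a key exchange failure and need to know that the algorithm is still available and must now be enabled explicitly with the KexAlgorithms keyword (using the "+" form if the keyword's prefix syntax documented above applies).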
@@ -784,14 +801,19 @@ DESCRIPTION | |||
784 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 801 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
785 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 802 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
786 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 803 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
804 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
787 | ssh-ed25519-cert-v01@openssh.com, | 805 | ssh-ed25519-cert-v01@openssh.com, |
788 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | 806 | sk-ssh-ed25519-cert-v01@openssh.com, |
807 | rsa-sha2-512-cert-v01@openssh.com, | ||
808 | rsa-sha2-256-cert-v01@openssh.com, | ||
789 | ssh-rsa-cert-v01@openssh.com, | 809 | ssh-rsa-cert-v01@openssh.com, |
790 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 810 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
791 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 811 | sk-ecdsa-sha2-nistp256@openssh.com, |
812 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
813 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
792 | 814 | ||
793 | The list of available key types may also be obtained using "ssh | 815 | The list of available key types may also be obtained using "ssh |
794 | -Q key". | 816 | -Q PubkeyAcceptedKeyTypes". |
795 | 817 | ||
796 | PubkeyAuthentication | 818 | PubkeyAuthentication |
797 | Specifies whether to try public key authentication. The argument | 819 | Specifies whether to try public key authentication. The argument |
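Review bot: with this hunk the same default algorithm list now appears verbatim three times (HostbasedKeyTypes, HostKeyAlgorithms and PubkeyAcceptedKeyTypes), each extended with the sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 types and their -cert-v01 variants. The three copies are consistent in this diff, but they are easy to let drift; suggest either a "same as HostKeyAlgorithms" cross-reference or a comment in the source that the lists must be updated together.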
@@ -861,6 +883,15 @@ DESCRIPTION | |||
861 | List (KRL) as generated by ssh-keygen(1). For more information | 883 | List (KRL) as generated by ssh-keygen(1). For more information |
862 | on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). | 884 | on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). |
863 | 885 | ||
886 | SecurityKeyProvider | ||
887 | Specifies a path to a library that will be used when loading any | ||
888 | FIDO authenticator-hosted keys, overriding the default of using | ||
889 | the built-in USB HID support. | ||
890 | |||
891 | If the specified value begins with a M-bM-^@M-^X$M-bM-^@M-^Y character, then it will | ||
892 | be treated as an environment variable containing the path to the | ||
893 | library. | ||
894 | |||
864 | SendEnv | 895 | SendEnv |
865 | Specifies what variables from the local environ(7) should be sent | 896 | Specifies what variables from the local environ(7) should be sent |
866 | to the server. The server must also support it, and the server | 897 | to the server. The server must also support it, and the server |
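Review bot: the new SecurityKeyProvider section allows the library path to come from an environment variable via the "$" form, which makes the code that ssh(1) loads depend on the caller's environment. The text should say whether this form is honoured unconditionally and whether the path must be absolute, and what happens when the variable is unset, so administrators setting a system-wide value can judge the exposure. It would also help to name the interface the library must implement (or point to where it is documented), since "a library that will be used when loading any FIDO authenticator-hosted keys" does not tell the reader what a valid provider is.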
@@ -988,15 +1019,21 @@ DESCRIPTION | |||
988 | Specifies whether ssh(1) should accept notifications of | 1019 | Specifies whether ssh(1) should accept notifications of |
989 | additional hostkeys from the server sent after authentication has | 1020 | additional hostkeys from the server sent after authentication has |
990 | completed and add them to UserKnownHostsFile. The argument must | 1021 | completed and add them to UserKnownHostsFile. The argument must |
991 | be yes, no (the default) or ask. Enabling this option allows | 1022 | be yes, no or ask. This option allows learning alternate |
992 | learning alternate hostkeys for a server and supports graceful | 1023 | hostkeys for a server and supports graceful key rotation by |
993 | key rotation by allowing a server to send replacement public keys | 1024 | allowing a server to send replacement public keys before old ones |
994 | before old ones are removed. Additional hostkeys are only | 1025 | are removed. Additional hostkeys are only accepted if the key |
995 | accepted if the key used to authenticate the host was already | 1026 | used to authenticate the host was already trusted or explicitly |
996 | trusted or explicitly accepted by the user. If UpdateHostKeys is | 1027 | accepted by the user. |
997 | set to ask, then the user is asked to confirm the modifications | 1028 | |
998 | to the known_hosts file. Confirmation is currently incompatible | 1029 | UpdateHostKeys is enabled by default if the user has not |
999 | with ControlPersist, and will be disabled if it is enabled. | 1030 | overridden the default UserKnownHostsFile setting, otherwise |
1031 | UpdateHostKeys will be set to ask. | ||
1032 | |||
1033 | If UpdateHostKeys is set to ask, then the user is asked to | ||
1034 | confirm the modifications to the known_hosts file. Confirmation | ||
1035 | is currently incompatible with ControlPersist, and will be | ||
1036 | disabled if it is enabled. | ||
1000 | 1037 | ||
1001 | Presently, only sshd(8) from OpenSSH 6.8 and greater support the | 1038 | Presently, only sshd(8) from OpenSSH 6.8 and greater support the |
1002 | "hostkeys@openssh.com" protocol extension used to inform the | 1039 | "hostkeys@openssh.com" protocol extension used to inform the |
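Review bot: the new default paragraph is ambiguous about the effective value. "enabled by default" presumably means yes, but it should say so, and the following paragraph states that confirmation "will be disabled if [ControlPersist] is enabled", so a user with a custom UserKnownHostsFile (default ask) plus ControlPersist cannot tell from this text whether UpdateHostKeys ends up as no or as yes. Suggest stating the resulting value for that combination and replacing "enabled" with "yes", since the hunk also removed "(the default)" from the "yes, no or ask" sentence and the reader must now find the default two paragraphs later.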
@@ -1130,4 +1167,4 @@ AUTHORS | |||
1130 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 1167 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
1131 | versions 1.5 and 2.0. | 1168 | versions 1.5 and 2.0. |
1132 | 1169 | ||
1133 | OpenBSD 6.6 September 13, 2019 OpenBSD 6.6 | 1170 | OpenBSD 6.6 February 7, 2020 OpenBSD 6.6 |