Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 147 |
1 files changed, 64 insertions, 83 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index ade8e6562..9493953ab 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -3,10 +3,6 @@ SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) | |||
3 | NAME | 3 | NAME |
4 | ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files | 4 | ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files |
5 | 5 | ||
6 | SYNOPSIS | ||
7 | ~/.ssh/config | ||
8 | /etc/ssh/ssh_config | ||
9 | |||
10 | DESCRIPTION | 6 | DESCRIPTION |
11 | ssh(1) obtains configuration data from the following sources in the | 7 | ssh(1) obtains configuration data from the following sources in the |
12 | following order: | 8 | following order: |
@@ -189,21 +185,14 @@ DESCRIPTION | |||
189 | process, regardless of the setting of StrictHostKeyChecking. If | 185 | process, regardless of the setting of StrictHostKeyChecking. If |
190 | the option is set to no, the check will not be executed. | 186 | the option is set to no, the check will not be executed. |
191 | 187 | ||
192 | Cipher Specifies the cipher to use for encrypting the session in | ||
193 | protocol version 1. Currently, blowfish, 3des (the default), and | ||
194 | des are supported, though des is only supported in the ssh(1) | ||
195 | client for interoperability with legacy protocol 1 | ||
196 | implementations; its use is strongly discouraged due to | ||
197 | cryptographic weaknesses. | ||
198 | |||
199 | Ciphers | 188 | Ciphers |
200 | Specifies the ciphers allowed for protocol version 2 in order of | 189 | Specifies the ciphers allowed and their order of preference. |
201 | preference. Multiple ciphers must be comma-separated. If the | 190 | Multiple ciphers must be comma-separated. If the specified value |
202 | specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified | 191 | begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be |
203 | ciphers will be appended to the default set instead of replacing | 192 | appended to the default set instead of replacing them. If the |
204 | them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then | 193 | specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified |
205 | the specified ciphers (including wildcards) will be removed from | 194 | ciphers (including wildcards) will be removed from the default |
206 | the default set instead of replacing them. | 195 | set instead of replacing them. |
207 | 196 | ||
208 | The supported ciphers are: | 197 | The supported ciphers are: |
209 | 198 | ||
@@ -216,11 +205,6 @@ DESCRIPTION | |||
216 | aes256-ctr | 205 | aes256-ctr |
217 | aes128-gcm@openssh.com | 206 | aes128-gcm@openssh.com |
218 | aes256-gcm@openssh.com | 207 | aes256-gcm@openssh.com |
219 | arcfour | ||
220 | arcfour128 | ||
221 | arcfour256 | ||
222 | blowfish-cbc | ||
223 | cast128-cbc | ||
224 | chacha20-poly1305@openssh.com | 208 | chacha20-poly1305@openssh.com |
225 | 209 | ||
226 | The default is: | 210 | The default is: |
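Review bot: the supported-ciphers list drops arcfour, arcfour128, arcfour256, blowfish-cbc and cast128-cbc (old lines 219-223) with no sentence telling readers that a Ciphers line still naming them now refers to unsupported algorithms. A one-line note here that these names should be removed from existing configurations would help users carrying older config files.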
@@ -245,13 +229,6 @@ DESCRIPTION | |||
245 | Specifies whether to use compression. The argument must be yes | 229 | Specifies whether to use compression. The argument must be yes |
246 | or no (the default). | 230 | or no (the default). |
247 | 231 | ||
248 | CompressionLevel | ||
249 | Specifies the compression level to use if compression is enabled. | ||
250 | The argument must be an integer from 1 (fast) to 9 (slow, best). | ||
251 | The default level is 6, which is good for most applications. The | ||
252 | meaning of the values is the same as in gzip(1). Note that this | ||
253 | option applies to protocol version 1 only. | ||
254 | |||
255 | ConnectionAttempts | 232 | ConnectionAttempts |
256 | Specifies the number of tries (one per second) to make before | 233 | Specifies the number of tries (one per second) to make before |
257 | exiting. The argument must be an integer. This may be useful in | 234 | exiting. The argument must be an integer. This may be useful in |
@@ -491,8 +468,9 @@ DESCRIPTION | |||
491 | HostKeyAlias | 468 | HostKeyAlias |
492 | Specifies an alias that should be used instead of the real host | 469 | Specifies an alias that should be used instead of the real host |
493 | name when looking up or saving the host key in the host key | 470 | name when looking up or saving the host key in the host key |
494 | database files. This option is useful for tunneling SSH | 471 | database files and when validating host certificates. This |
495 | connections or for multiple servers running on a single host. | 472 | option is useful for tunneling SSH connections or for multiple |
473 | servers running on a single host. | ||
496 | 474 | ||
497 | HostName | 475 | HostName |
498 | Specifies the real host name to log into. This can be used to | 476 | Specifies the real host name to log into. This can be used to |
@@ -526,9 +504,8 @@ DESCRIPTION | |||
526 | 504 | ||
527 | IdentityFile | 505 | IdentityFile |
528 | Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA | 506 | Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA |
529 | authentication identity is read. The default is ~/.ssh/identity | 507 | authentication identity is read. The default is ~/.ssh/id_dsa, |
530 | for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, | 508 | ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa. |
531 | ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. | ||
532 | Additionally, any identities represented by the authentication | 509 | Additionally, any identities represented by the authentication |
533 | agent will be used for authentication unless IdentitiesOnly is | 510 | agent will be used for authentication unless IdentitiesOnly is |
534 | set. If no certificates have been explicitly specified by | 511 | set. If no certificates have been explicitly specified by |
@@ -573,13 +550,14 @@ DESCRIPTION | |||
573 | IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. | 550 | IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. |
574 | Accepted values are af11, af12, af13, af21, af22, af23, af31, | 551 | Accepted values are af11, af12, af13, af21, af22, af23, af31, |
575 | af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, | 552 | af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, |
576 | cs7, ef, lowdelay, throughput, reliability, or a numeric value. | 553 | cs7, ef, lowdelay, throughput, reliability, a numeric value, or |
577 | This option may take one or two arguments, separated by | 554 | none to use the operating system default. This option may take |
578 | whitespace. If one argument is specified, it is used as the | 555 | one or two arguments, separated by whitespace. If one argument |
579 | packet class unconditionally. If two values are specified, the | 556 | is specified, it is used as the packet class unconditionally. If |
580 | first is automatically selected for interactive sessions and the | 557 | two values are specified, the first is automatically selected for |
581 | second for non-interactive sessions. The default is lowdelay for | 558 | interactive sessions and the second for non-interactive sessions. |
582 | interactive sessions and throughput for non-interactive sessions. | 559 | The default is lowdelay for interactive sessions and throughput |
560 | for non-interactive sessions. | ||
583 | 561 | ||
584 | KbdInteractiveAuthentication | 562 | KbdInteractiveAuthentication |
585 | Specifies whether to use keyboard-interactive authentication. | 563 | Specifies whether to use keyboard-interactive authentication. |
@@ -712,15 +690,6 @@ DESCRIPTION | |||
712 | gssapi-with-mic,hostbased,publickey, | 690 | gssapi-with-mic,hostbased,publickey, |
713 | keyboard-interactive,password | 691 | keyboard-interactive,password |
714 | 692 | ||
715 | Protocol | ||
716 | Specifies the protocol versions ssh(1) should support in order of | ||
717 | preference. The possible values are 1 and 2. Multiple versions | ||
718 | must be comma-separated. When this option is set to 2,1 ssh will | ||
719 | try version 2 and fall back to version 1 if version 2 is not | ||
720 | available. The default is version 2. Protocol 1 suffers from a | ||
721 | number of cryptographic weaknesses and should not be used. It is | ||
722 | only offered to support legacy devices. | ||
723 | |||
724 | ProxyCommand | 693 | ProxyCommand |
725 | Specifies the command to use to connect to the server. The | 694 | Specifies the command to use to connect to the server. The |
726 | command string extends to the end of the line, and is executed | 695 | command string extends to the end of the line, and is executed |
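Review bot: the Protocol entry is deleted outright (old lines 715-722), so the page no longer says anything about a keyword that existing configuration files may still contain. Consider keeping a short entry that states how a remaining Protocol line is treated, rather than leaving the keyword undocumented.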
@@ -799,15 +768,29 @@ DESCRIPTION | |||
799 | rekeying is performed after the cipher's default amount of data | 768 | rekeying is performed after the cipher's default amount of data |
800 | has been sent or received and no time based rekeying is done. | 769 | has been sent or received and no time based rekeying is done. |
801 | 770 | ||
771 | RemoteCommand | ||
772 | Specifies a command to execute on the remote machine after | ||
773 | successfully connecting to the server. The command string | ||
774 | extends to the end of the line, and is executed with the user's | ||
775 | shell. Arguments to RemoteCommand accept the tokens described in | ||
776 | the TOKENS section. | ||
777 | |||
802 | RemoteForward | 778 | RemoteForward |
803 | Specifies that a TCP port on the remote machine be forwarded over | 779 | Specifies that a TCP port on the remote machine be forwarded over |
804 | the secure channel to the specified host and port from the local | 780 | the secure channel. The remote port may either be fowarded to a |
805 | machine. The first argument must be [bind_address:]port and the | 781 | specified host and port from the local machine, or may act as a |
806 | second argument must be host:hostport. IPv6 addresses can be | 782 | SOCKS 4/5 proxy that allows a remote client to connect to |
807 | specified by enclosing addresses in square brackets. Multiple | 783 | arbitrary destinations from the local machine. The first |
808 | forwardings may be specified, and additional forwardings can be | 784 | argument must be [bind_address:]port If forwarding to a specific |
809 | given on the command line. Privileged ports can be forwarded | 785 | destination then the second argument must be host:hostport, |
810 | only when logging in as root on the remote machine. | 786 | otherwise if no destination argument is specified then the remote |
787 | forwarding will be established as a SOCKS proxy. | ||
788 | |||
789 | IPv6 addresses can be specified by enclosing addresses in square | ||
790 | brackets. Multiple forwardings may be specified, and additional | ||
791 | forwardings can be given on the command line. Privileged ports | ||
792 | can be forwarded only when logging in as root on the remote | ||
793 | machine. | ||
811 | 794 | ||
812 | If the port argument is 0, the listen port will be dynamically | 795 | If the port argument is 0, the listen port will be dynamically |
813 | allocated on the server and reported to the client at run time. | 796 | allocated on the server and reported to the client at run time. |
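Review bot: two text errors in the new RemoteForward paragraph: "fowarded" on new line 780 should be "forwarded", and new line 784 is missing the full stop after "[bind_address:]port", so the sentence runs into "If forwarding to a specific destination". Separately, the SOCKS mode is described as allowing "a remote client to connect to arbitrary destinations from the local machine"; the entry should say plainly that this gives anything able to reach the remote listen port a path into the network the local machine can reach, and point readers at the bind_address argument as the control.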
@@ -835,19 +818,6 @@ DESCRIPTION | |||
835 | List (KRL) as generated by ssh-keygen(1). For more information | 818 | List (KRL) as generated by ssh-keygen(1). For more information |
836 | on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). | 819 | on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). |
837 | 820 | ||
838 | RhostsRSAAuthentication | ||
839 | Specifies whether to try rhosts based authentication with RSA | ||
840 | host authentication. The argument must be yes or no (the | ||
841 | default). This option applies to protocol version 1 only and | ||
842 | requires ssh(1) to be setuid root. | ||
843 | |||
844 | RSAAuthentication | ||
845 | Specifies whether to try RSA authentication. The argument to | ||
846 | this keyword must be yes (the default) or no. RSA authentication | ||
847 | will only be attempted if the identity file exists, or an | ||
848 | authentication agent is running. Note that this option applies | ||
849 | to protocol version 1 only. | ||
850 | |||
851 | SendEnv | 821 | SendEnv |
852 | Specifies what variables from the local environ(7) should be sent | 822 | Specifies what variables from the local environ(7) should be sent |
853 | to the server. The server must also support it, and the server | 823 | to the server. The server must also support it, and the server |
@@ -916,14 +886,25 @@ DESCRIPTION | |||
916 | protection against trojan horse attacks, though it can be | 886 | protection against trojan horse attacks, though it can be |
917 | annoying when the /etc/ssh/ssh_known_hosts file is poorly | 887 | annoying when the /etc/ssh/ssh_known_hosts file is poorly |
918 | maintained or when connections to new hosts are frequently made. | 888 | maintained or when connections to new hosts are frequently made. |
919 | This option forces the user to manually add all new hosts. If | 889 | This option forces the user to manually add all new hosts. |
920 | this flag is set to no, ssh will automatically add new host keys | 890 | |
921 | to the user known hosts files. If this flag is set to ask (the | 891 | If this flag is set to M-bM-^@M-^\accept-newM-bM-^@M-^] then ssh will automatically |
922 | default), new host keys will be added to the user known host | 892 | add new host keys to the user known hosts files, but will not |
923 | files only after the user has confirmed that is what they really | 893 | permit connections to hosts with changed host keys. If this flag |
924 | want to do, and ssh will refuse to connect to hosts whose host | 894 | is set to M-bM-^@M-^\noM-bM-^@M-^] or M-bM-^@M-^\offM-bM-^@M-^], ssh will automatically add new host keys |
925 | key has changed. The host keys of known hosts will be verified | 895 | to the user known hosts files and allow connections to hosts with |
926 | automatically in all cases. | 896 | changed hostkeys to proceed, subject to some restrictions. If |
897 | this flag is set to ask (the default), new host keys will be | ||
898 | added to the user known host files only after the user has | ||
899 | confirmed that is what they really want to do, and ssh will | ||
900 | refuse to connect to hosts whose host key has changed. The host | ||
901 | keys of known hosts will be verified automatically in all cases. | ||
902 | |||
903 | SyslogFacility | ||
904 | Gives the facility code that is used when logging messages from | ||
905 | ssh(1). The possible values are: DAEMON, USER, AUTH, LOCAL0, | ||
906 | LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The | ||
907 | default is USER. | ||
927 | 908 | ||
928 | TCPKeepAlive | 909 | TCPKeepAlive |
929 | Specifies whether the system should send TCP keepalive messages | 910 | Specifies whether the system should send TCP keepalive messages |
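Review bot: the "no"/"off" description on new lines 894-896 says connections to hosts with changed host keys proceed "subject to some restrictions" without naming them. Since this is the setting that weakens host authentication, the restrictions should be spelled out or referenced. Minor consistency points in the same paragraph: "hostkeys" on new line 896 versus "host keys" elsewhere, and accept-new, no and off are quoted while ask is not.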
@@ -973,9 +954,7 @@ DESCRIPTION | |||
973 | UsePrivilegedPort | 954 | UsePrivilegedPort |
974 | Specifies whether to use a privileged port for outgoing | 955 | Specifies whether to use a privileged port for outgoing |
975 | connections. The argument must be yes or no (the default). If | 956 | connections. The argument must be yes or no (the default). If |
976 | set to yes, ssh(1) must be setuid root. Note that this option | 957 | set to yes, ssh(1) must be setuid root. |
977 | must be set to yes for RhostsRSAAuthentication with older | ||
978 | servers. | ||
979 | 958 | ||
980 | User Specifies the user to log in as. This can be useful when a | 959 | User Specifies the user to log in as. This can be useful when a |
981 | different user name is used on different machines. This saves | 960 | different user name is used on different machines. This saves |
@@ -1065,6 +1044,8 @@ TOKENS | |||
1065 | 1044 | ||
1066 | ProxyCommand accepts the tokens %%, %h, %p, and %r. | 1045 | ProxyCommand accepts the tokens %%, %h, %p, and %r. |
1067 | 1046 | ||
1047 | RemoteCommand accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u. | ||
1048 | |||
1068 | FILES | 1049 | FILES |
1069 | ~/.ssh/config | 1050 | ~/.ssh/config |
1070 | This is the per-user configuration file. The format of this file | 1051 | This is the per-user configuration file. The format of this file |
@@ -1089,4 +1070,4 @@ AUTHORS | |||
1089 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 1070 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
1090 | versions 1.5 and 2.0. | 1071 | versions 1.5 and 2.0. |
1091 | 1072 | ||
1092 | OpenBSD 6.0 February 27, 2017 OpenBSD 6.0 | 1073 | OpenBSD 6.2 September 21, 2017 OpenBSD 6.2 |