Diffstat (limited to 'ssh_config.0')
-rw-r--r-- ssh_config.0 147
1 files changed, 64 insertions, 83 deletions
diff --git a/ssh_config.0 b/ssh_config.0
index ade8e6562..9493953ab 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -3,10 +3,6 @@ SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5)
3NAME 3NAME
4 ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files 4 ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files
5 5
6SYNOPSIS
7 ~/.ssh/config
8 /etc/ssh/ssh_config
9
10DESCRIPTION 6DESCRIPTION
11 ssh(1) obtains configuration data from the following sources in the 7 ssh(1) obtains configuration data from the following sources in the
12 following order: 8 following order:
@@ -189,21 +185,14 @@ DESCRIPTION
189 process, regardless of the setting of StrictHostKeyChecking. If 185 process, regardless of the setting of StrictHostKeyChecking. If
190 the option is set to no, the check will not be executed. 186 the option is set to no, the check will not be executed.
191 187
192 Cipher Specifies the cipher to use for encrypting the session in
193 protocol version 1. Currently, blowfish, 3des (the default), and
194 des are supported, though des is only supported in the ssh(1)
195 client for interoperability with legacy protocol 1
196 implementations; its use is strongly discouraged due to
197 cryptographic weaknesses.
198
199 Ciphers 188 Ciphers
200 Specifies the ciphers allowed for protocol version 2 in order of 189 Specifies the ciphers allowed and their order of preference.
201 preference. Multiple ciphers must be comma-separated. If the 190 Multiple ciphers must be comma-separated. If the specified value
202 specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified 191 begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be
203 ciphers will be appended to the default set instead of replacing 192 appended to the default set instead of replacing them. If the
204 them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then 193 specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
205 the specified ciphers (including wildcards) will be removed from 194 ciphers (including wildcards) will be removed from the default
206 the default set instead of replacing them. 195 set instead of replacing them.
207 196
208 The supported ciphers are: 197 The supported ciphers are:
209 198
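Review bot: Nothing in the new text tells a reader what happens to an existing Cipher line now that the entry at old lines 192-197 is gone. Someone whose ~/.ssh/config still sets Cipher cannot learn from this page whether the keyword is rejected, ignored or mapped onto Ciphers. Add a short sentence under Ciphers, or a pointer to wherever removed keywords are documented. The reworded Ciphers paragraph reads correctly without the "protocol version 2" qualifier.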
@@ -216,11 +205,6 @@ DESCRIPTION
216 aes256-ctr 205 aes256-ctr
217 aes128-gcm@openssh.com 206 aes128-gcm@openssh.com
218 aes256-gcm@openssh.com 207 aes256-gcm@openssh.com
219 arcfour
220 arcfour128
221 arcfour256
222 blowfish-cbc
223 cast128-cbc
224 chacha20-poly1305@openssh.com 208 chacha20-poly1305@openssh.com
225 209
226 The default is: 210 The default is:
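Review bot: The page should say how an unsupported name in a Ciphers list is handled, because the "+" and "-" syntax described in the Ciphers paragraph can still name arcfour, arcfour128, arcfour256, blowfish-cbc or cast128-cbc in existing configs after their removal here (old lines 219-223). Please also confirm that the "The default is:" list that follows, which this hunk does not show, names none of the five.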
@@ -245,13 +229,6 @@ DESCRIPTION
245 Specifies whether to use compression. The argument must be yes 229 Specifies whether to use compression. The argument must be yes
246 or no (the default). 230 or no (the default).
247 231
248 CompressionLevel
249 Specifies the compression level to use if compression is enabled.
250 The argument must be an integer from 1 (fast) to 9 (slow, best).
251 The default level is 6, which is good for most applications. The
252 meaning of the values is the same as in gzip(1). Note that this
253 option applies to protocol version 1 only.
254
255 ConnectionAttempts 232 ConnectionAttempts
256 Specifies the number of tries (one per second) to make before 233 Specifies the number of tries (one per second) to make before
257 exiting. The argument must be an integer. This may be useful in 234 exiting. The argument must be an integer. This may be useful in
@@ -491,8 +468,9 @@ DESCRIPTION
491 HostKeyAlias 468 HostKeyAlias
492 Specifies an alias that should be used instead of the real host 469 Specifies an alias that should be used instead of the real host
493 name when looking up or saving the host key in the host key 470 name when looking up or saving the host key in the host key
494 database files. This option is useful for tunneling SSH 471 database files and when validating host certificates. This
495 connections or for multiple servers running on a single host. 472 option is useful for tunneling SSH connections or for multiple
473 servers running on a single host.
496 474
497 HostName 475 HostName
498 Specifies the real host name to log into. This can be used to 476 Specifies the real host name to log into. This can be used to
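Review bot: The added clause "and when validating host certificates" at new line 471 is easy to read past, yet it changes what the alias is trusted for: the alias, not the real host name, becomes what a host certificate is validated against. Give that its own sentence rather than appending it to the known-hosts lookup wording, so readers who set HostKeyAlias for tunnelling see that certificate validation follows the alias too.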
@@ -526,9 +504,8 @@ DESCRIPTION
526 504
527 IdentityFile 505 IdentityFile
528 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA 506 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA
529 authentication identity is read. The default is ~/.ssh/identity 507 authentication identity is read. The default is ~/.ssh/id_dsa,
530 for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, 508 ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa.
531 ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
532 Additionally, any identities represented by the authentication 509 Additionally, any identities represented by the authentication
533 agent will be used for authentication unless IdentitiesOnly is 510 agent will be used for authentication unless IdentitiesOnly is
534 set. If no certificates have been explicitly specified by 511 set. If no certificates have been explicitly specified by
@@ -573,13 +550,14 @@ DESCRIPTION
573 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. 550 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections.
574 Accepted values are af11, af12, af13, af21, af22, af23, af31, 551 Accepted values are af11, af12, af13, af21, af22, af23, af31,
575 af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, 552 af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6,
576 cs7, ef, lowdelay, throughput, reliability, or a numeric value. 553 cs7, ef, lowdelay, throughput, reliability, a numeric value, or
577 This option may take one or two arguments, separated by 554 none to use the operating system default. This option may take
578 whitespace. If one argument is specified, it is used as the 555 one or two arguments, separated by whitespace. If one argument
579 packet class unconditionally. If two values are specified, the 556 is specified, it is used as the packet class unconditionally. If
580 first is automatically selected for interactive sessions and the 557 two values are specified, the first is automatically selected for
581 second for non-interactive sessions. The default is lowdelay for 558 interactive sessions and the second for non-interactive sessions.
582 interactive sessions and throughput for non-interactive sessions. 559 The default is lowdelay for interactive sessions and throughput
560 for non-interactive sessions.
583 561
584 KbdInteractiveAuthentication 562 KbdInteractiveAuthentication
585 Specifies whether to use keyboard-interactive authentication. 563 Specifies whether to use keyboard-interactive authentication.
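Review bot: The two-argument description after the value list does not say whether the new value none (new lines 553-554) is accepted in either position, for example for non-interactive sessions only. State that explicitly, and consider setting none apart from the class names so it is not read as one more DSCP class.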
@@ -712,15 +690,6 @@ DESCRIPTION
712 gssapi-with-mic,hostbased,publickey, 690 gssapi-with-mic,hostbased,publickey,
713 keyboard-interactive,password 691 keyboard-interactive,password
714 692
715 Protocol
716 Specifies the protocol versions ssh(1) should support in order of
717 preference. The possible values are 1 and 2. Multiple versions
718 must be comma-separated. When this option is set to 2,1 ssh will
719 try version 2 and fall back to version 1 if version 2 is not
720 available. The default is version 2. Protocol 1 suffers from a
721 number of cryptographic weaknesses and should not be used. It is
722 only offered to support legacy devices.
723
724 ProxyCommand 693 ProxyCommand
725 Specifies the command to use to connect to the server. The 694 Specifies the command to use to connect to the server. The
726 command string extends to the end of the line, and is executed 695 command string extends to the end of the line, and is executed
@@ -799,15 +768,29 @@ DESCRIPTION
799 rekeying is performed after the cipher's default amount of data 768 rekeying is performed after the cipher's default amount of data
800 has been sent or received and no time based rekeying is done. 769 has been sent or received and no time based rekeying is done.
801 770
771 RemoteCommand
772 Specifies a command to execute on the remote machine after
773 successfully connecting to the server. The command string
774 extends to the end of the line, and is executed with the user's
775 shell. Arguments to RemoteCommand accept the tokens described in
776 the TOKENS section.
777
802 RemoteForward 778 RemoteForward
803 Specifies that a TCP port on the remote machine be forwarded over 779 Specifies that a TCP port on the remote machine be forwarded over
804 the secure channel to the specified host and port from the local 780 the secure channel. The remote port may either be fowarded to a
805 machine. The first argument must be [bind_address:]port and the 781 specified host and port from the local machine, or may act as a
806 second argument must be host:hostport. IPv6 addresses can be 782 SOCKS 4/5 proxy that allows a remote client to connect to
807 specified by enclosing addresses in square brackets. Multiple 783 arbitrary destinations from the local machine. The first
808 forwardings may be specified, and additional forwardings can be 784 argument must be [bind_address:]port If forwarding to a specific
809 given on the command line. Privileged ports can be forwarded 785 destination then the second argument must be host:hostport,
810 only when logging in as root on the remote machine. 786 otherwise if no destination argument is specified then the remote
787 forwarding will be established as a SOCKS proxy.
788
789 IPv6 addresses can be specified by enclosing addresses in square
790 brackets. Multiple forwardings may be specified, and additional
791 forwardings can be given on the command line. Privileged ports
792 can be forwarded only when logging in as root on the remote
793 machine.
811 794
812 If the port argument is 0, the listen port will be dynamically 795 If the port argument is 0, the listen port will be dynamically
813 allocated on the server and reported to the client at run time. 796 allocated on the server and reported to the client at run time.
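Review bot: Two text errors in the new RemoteForward paragraph: "fowarded" at new line 780 should be "forwarded", and "[bind_address:]port" at new line 784 is missing its full stop before "If forwarding to a specific". Beyond the wording, the SOCKS mode lets "a remote client ... connect to arbitrary destinations from the local machine", a much broader grant than a fixed host:hostport, and leaving out the second argument is all it takes to select it. A sentence making that difference explicit would keep a dropped argument from silently turning a single-destination forward into a proxy.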
@@ -835,19 +818,6 @@ DESCRIPTION
835 List (KRL) as generated by ssh-keygen(1). For more information 818 List (KRL) as generated by ssh-keygen(1). For more information
836 on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). 819 on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1).
837 820
838 RhostsRSAAuthentication
839 Specifies whether to try rhosts based authentication with RSA
840 host authentication. The argument must be yes or no (the
841 default). This option applies to protocol version 1 only and
842 requires ssh(1) to be setuid root.
843
844 RSAAuthentication
845 Specifies whether to try RSA authentication. The argument to
846 this keyword must be yes (the default) or no. RSA authentication
847 will only be attempted if the identity file exists, or an
848 authentication agent is running. Note that this option applies
849 to protocol version 1 only.
850
851 SendEnv 821 SendEnv
852 Specifies what variables from the local environ(7) should be sent 822 Specifies what variables from the local environ(7) should be sent
853 to the server. The server must also support it, and the server 823 to the server. The server must also support it, and the server
@@ -916,14 +886,25 @@ DESCRIPTION
916 protection against trojan horse attacks, though it can be 886 protection against trojan horse attacks, though it can be
917 annoying when the /etc/ssh/ssh_known_hosts file is poorly 887 annoying when the /etc/ssh/ssh_known_hosts file is poorly
918 maintained or when connections to new hosts are frequently made. 888 maintained or when connections to new hosts are frequently made.
919 This option forces the user to manually add all new hosts. If 889 This option forces the user to manually add all new hosts.
920 this flag is set to no, ssh will automatically add new host keys 890
921 to the user known hosts files. If this flag is set to ask (the 891 If this flag is set to M-bM-^@M-^\accept-newM-bM-^@M-^] then ssh will automatically
922 default), new host keys will be added to the user known host 892 add new host keys to the user known hosts files, but will not
923 files only after the user has confirmed that is what they really 893 permit connections to hosts with changed host keys. If this flag
924 want to do, and ssh will refuse to connect to hosts whose host 894 is set to M-bM-^@M-^\noM-bM-^@M-^] or M-bM-^@M-^\offM-bM-^@M-^], ssh will automatically add new host keys
925 key has changed. The host keys of known hosts will be verified 895 to the user known hosts files and allow connections to hosts with
926 automatically in all cases. 896 changed hostkeys to proceed, subject to some restrictions. If
897 this flag is set to ask (the default), new host keys will be
898 added to the user known host files only after the user has
899 confirmed that is what they really want to do, and ssh will
900 refuse to connect to hosts whose host key has changed. The host
901 keys of known hosts will be verified automatically in all cases.
902
903 SyslogFacility
904 Gives the facility code that is used when logging messages from
905 ssh(1). The possible values are: DAEMON, USER, AUTH, LOCAL0,
906 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
907 default is USER.
927 908
928 TCPKeepAlive 909 TCPKeepAlive
929 Specifies whether the system should send TCP keepalive messages 910 Specifies whether the system should send TCP keepalive messages
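Review bot: "subject to some restrictions" at new line 896 leaves the behaviour of no/off with a changed host key unspecified. Name the restrictions or reference where they are described, since this is the one setting under which a changed key is allowed through. Smaller points in the same paragraph: "hostkeys" (new line 896) against "host keys" elsewhere, "known host files" (new line 898) against "known hosts files" (new lines 892 and 895), and accept-new, no and off are quoted while ask is not.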
@@ -973,9 +954,7 @@ DESCRIPTION
973 UsePrivilegedPort 954 UsePrivilegedPort
974 Specifies whether to use a privileged port for outgoing 955 Specifies whether to use a privileged port for outgoing
975 connections. The argument must be yes or no (the default). If 956 connections. The argument must be yes or no (the default). If
976 set to yes, ssh(1) must be setuid root. Note that this option 957 set to yes, ssh(1) must be setuid root.
977 must be set to yes for RhostsRSAAuthentication with older
978 servers.
979 958
980 User Specifies the user to log in as. This can be useful when a 959 User Specifies the user to log in as. This can be useful when a
981 different user name is used on different machines. This saves 960 different user name is used on different machines. This saves
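Review bot: With the RhostsRSAAuthentication sentence removed (old lines 976-978), the UsePrivilegedPort entry no longer gives any reason to set it to yes, while still stating that ssh(1) must be setuid root to do so. Add the remaining use case, if there is one, so readers can judge whether the setuid requirement is worth it.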
@@ -1065,6 +1044,8 @@ TOKENS
1065 1044
1066 ProxyCommand accepts the tokens %%, %h, %p, and %r. 1045 ProxyCommand accepts the tokens %%, %h, %p, and %r.
1067 1046
1047 RemoteCommand accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1048
1068FILES 1049FILES
1069 ~/.ssh/config 1050 ~/.ssh/config
1070 This is the per-user configuration file. The format of this file 1051 This is the per-user configuration file. The format of this file
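Review bot: Neither the new TOKENS line at new line 1047 nor the RemoteCommand entry says whether expanded token values are quoted before the command string "is executed with the user's shell" on the remote machine. One sentence on this under TOKENS would settle how values such as %h, %n and %r are treated.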
@@ -1089,4 +1070,4 @@ AUTHORS
1089 created OpenSSH. Markus Friedl contributed the support for SSH protocol 1070 created OpenSSH. Markus Friedl contributed the support for SSH protocol
1090 versions 1.5 and 2.0. 1071 versions 1.5 and 2.0.
1091 1072
1092OpenBSD 6.0 February 27, 2017 OpenBSD 6.0 1073OpenBSD 6.2 September 21, 2017 OpenBSD 6.2