Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 323 |
1 files changed, 186 insertions, 137 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 46a0543c3..2ca4ee31b 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -8,8 +8,9 @@ SYNOPSIS | |||
8 | /etc/ssh/ssh_config | 8 | /etc/ssh/ssh_config |
9 | 9 | ||
10 | DESCRIPTION | 10 | DESCRIPTION |
11 | ssh obtains configuration data from the following sources in the follow- | 11 | ssh(1) obtains configuration data from the following sources in the fol- |
12 | ing order: | 12 | lowing order: |
13 | |||
13 | 1. command-line options | 14 | 1. command-line options |
14 | 2. user's configuration file (~/.ssh/config) | 15 | 2. user's configuration file (~/.ssh/config) |
15 | 3. system-wide configuration file (/etc/ssh/ssh_config) | 16 | 3. system-wide configuration file (/etc/ssh/ssh_config) |
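Review bot: ssh_config.0 is the preformatted output generated from the roff source ssh_config.5, and this view is limited to the .0 file (see the Diffstat), so confirm that ssh_config.5 in the same commit carries the identical edits (ssh → ssh(1) on new line 11, the blank line now separating the lead-in from the numbered list on new line 13); otherwise the next regeneration of the .0 file silently reverts them.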
@@ -26,28 +27,29 @@ DESCRIPTION | |||
26 | 27 | ||
27 | The configuration file has the following format: | 28 | The configuration file has the following format: |
28 | 29 | ||
29 | Empty lines and lines starting with `#' are comments. | 30 | Empty lines and lines starting with `#' are comments. Otherwise a line |
30 | 31 | is of the format ``keyword arguments''. Configuration options may be | |
31 | Otherwise a line is of the format ``keyword arguments''. Configuration | 32 | separated by whitespace or optional whitespace and exactly one `='; the |
32 | options may be separated by whitespace or optional whitespace and exactly | 33 | latter format is useful to avoid the need to quote whitespace when speci- |
33 | one `='; the latter format is useful to avoid the need to quote whites- | 34 | fying configuration options using the ssh, scp, and sftp -o option. Ar- |
34 | pace when specifying configuration options using the ssh, scp and sftp -o | 35 | guments may optionally be enclosed in double quotes (") in order to rep- |
35 | option. | 36 | resent arguments containing spaces. |
36 | 37 | ||
37 | The possible keywords and their meanings are as follows (note that key- | 38 | The possible keywords and their meanings are as follows (note that key- |
38 | words are case-insensitive and arguments are case-sensitive): | 39 | words are case-insensitive and arguments are case-sensitive): |
39 | 40 | ||
40 | Host Restricts the following declarations (up to the next Host key- | 41 | Host Restricts the following declarations (up to the next Host key- |
41 | word) to be only for those hosts that match one of the patterns | 42 | word) to be only for those hosts that match one of the patterns |
42 | given after the keyword. `*' and `?' can be used as wildcards in | 43 | given after the keyword. A single `*' as a pattern can be used |
43 | the patterns. A single `*' as a pattern can be used to provide | 44 | to provide global defaults for all hosts. The host is the |
44 | global defaults for all hosts. The host is the hostname argument | 45 | hostname argument given on the command line (i.e. the name is not |
45 | given on the command line (i.e., the name is not converted to a | 46 | converted to a canonicalized host name before matching). |
46 | canonicalized host name before matching). | 47 | |
48 | See PATTERNS for more information on patterns. | ||
47 | 49 | ||
48 | AddressFamily | 50 | AddressFamily |
49 | Specifies which address family to use when connecting. Valid ar- | 51 | Specifies which address family to use when connecting. Valid ar- |
50 | guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use | 52 | guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use |
51 | IPv6 only). | 53 | IPv6 only). |
52 | 54 | ||
53 | BatchMode | 55 | BatchMode |
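Review bot: the Host entry drops the sentence stating that `*' and `?' are wildcards and replaces it with "See PATTERNS for more information on patterns." (new lines 43-48); the PATTERNS section is outside this diff, so check that it exists in the new ssh_config.0 and documents both wildcards, otherwise the only inline statement of the wildcard syntax is lost. The new sentence "Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces." (new lines 35-36) is a behaviour claim, not a rewrap, and should only land if the option parser in this version actually strips the quotes; a one-line example such as `Host "my host"` would make the intended usage unambiguous.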
@@ -63,23 +65,23 @@ DESCRIPTION | |||
63 | UsePrivilegedPort is set to ``yes''. | 65 | UsePrivilegedPort is set to ``yes''. |
64 | 66 | ||
65 | ChallengeResponseAuthentication | 67 | ChallengeResponseAuthentication |
66 | Specifies whether to use challenge response authentication. The | 68 | Specifies whether to use challenge-response authentication. The |
67 | argument to this keyword must be ``yes'' or ``no''. The default | 69 | argument to this keyword must be ``yes'' or ``no''. The default |
68 | is ``yes''. | 70 | is ``yes''. |
69 | 71 | ||
70 | CheckHostIP | 72 | CheckHostIP |
71 | If this flag is set to ``yes'', ssh will additionally check the | 73 | If this flag is set to ``yes'', ssh(1) will additionally check |
72 | host IP address in the known_hosts file. This allows ssh to de- | 74 | the host IP address in the known_hosts file. This allows ssh to |
73 | tect if a host key changed due to DNS spoofing. If the option is | 75 | detect if a host key changed due to DNS spoofing. If the option |
74 | set to ``no'', the check will not be executed. The default is | 76 | is set to ``no'', the check will not be executed. The default is |
75 | ``yes''. | 77 | ``yes''. |
76 | 78 | ||
77 | Cipher Specifies the cipher to use for encrypting the session in proto- | 79 | Cipher Specifies the cipher to use for encrypting the session in proto- |
78 | col version 1. Currently, ``blowfish'', ``3des'', and ``des'' | 80 | col version 1. Currently, ``blowfish'', ``3des'', and ``des'' |
79 | are supported. des is only supported in the ssh client for in- | 81 | are supported. des is only supported in the ssh(1) client for |
80 | teroperability with legacy protocol 1 implementations that do not | 82 | interoperability with legacy protocol 1 implementations that do |
81 | support the 3des cipher. Its use is strongly discouraged due to | 83 | not support the 3des cipher. Its use is strongly discouraged due |
82 | cryptographic weaknesses. The default is ``3des''. | 84 | to cryptographic weaknesses. The default is ``3des''. |
83 | 85 | ||
84 | Ciphers | 86 | Ciphers |
85 | Specifies the ciphers allowed for protocol version 2 in order of | 87 | Specifies the ciphers allowed for protocol version 2 in order of |
@@ -87,19 +89,19 @@ DESCRIPTION | |||
87 | ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', | 89 | ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', |
88 | ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | 90 | ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', |
89 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', | 91 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', |
90 | and ``cast128-cbc''. The default is | 92 | and ``cast128-cbc''. The default is: |
91 | 93 | ||
92 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, | 94 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
93 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, | 95 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
94 | aes192-ctr,aes256-ctr'' | 96 | aes192-ctr,aes256-ctr |
95 | 97 | ||
96 | ClearAllForwardings | 98 | ClearAllForwardings |
97 | Specifies that all local, remote and dynamic port forwardings | 99 | Specifies that all local, remote, and dynamic port forwardings |
98 | specified in the configuration files or on the command line be | 100 | specified in the configuration files or on the command line be |
99 | cleared. This option is primarily useful when used from the ssh | 101 | cleared. This option is primarily useful when used from the |
100 | command line to clear port forwardings set in configuration | 102 | ssh(1) command line to clear port forwardings set in configura- |
101 | files, and is automatically set by scp(1) and sftp(1). The argu- | 103 | tion files, and is automatically set by scp(1) and sftp(1). The |
102 | ment must be ``yes'' or ``no''. The default is ``no''. | 104 | argument must be ``yes'' or ``no''. The default is ``no''. |
103 | 105 | ||
104 | Compression | 106 | Compression |
105 | Specifies whether to use compression. The argument must be | 107 | Specifies whether to use compression. The argument must be |
@@ -119,16 +121,16 @@ DESCRIPTION | |||
119 | 121 | ||
120 | ConnectTimeout | 122 | ConnectTimeout |
121 | Specifies the timeout (in seconds) used when connecting to the | 123 | Specifies the timeout (in seconds) used when connecting to the |
122 | ssh server, instead of using the default system TCP timeout. | 124 | SSH server, instead of using the default system TCP timeout. |
123 | This value is used only when the target is down or really un- | 125 | This value is used only when the target is down or really un- |
124 | reachable, not when it refuses the connection. | 126 | reachable, not when it refuses the connection. |
125 | 127 | ||
126 | ControlMaster | 128 | ControlMaster |
127 | Enables the sharing of multiple sessions over a single network | 129 | Enables the sharing of multiple sessions over a single network |
128 | connection. When set to ``yes'' ssh will listen for connections | 130 | connection. When set to ``yes'', ssh(1) will listen for connec- |
129 | on a control socket specified using the ControlPath argument. | 131 | tions on a control socket specified using the ControlPath argu- |
130 | Additional sessions can connect to this socket using the same | 132 | ment. Additional sessions can connect to this socket using the |
131 | ControlPath with ControlMaster set to ``no'' (the default). | 133 | same ControlPath with ControlMaster set to ``no'' (the default). |
132 | These sessions will try to reuse the master instance's network | 134 | These sessions will try to reuse the master instance's network |
133 | connection rather than initiating new ones, but will fall back to | 135 | connection rather than initiating new ones, but will fall back to |
134 | connecting normally if the control socket does not exist, or is | 136 | connecting normally if the control socket does not exist, or is |
@@ -137,7 +139,7 @@ DESCRIPTION | |||
137 | Setting this to ``ask'' will cause ssh to listen for control con- | 139 | Setting this to ``ask'' will cause ssh to listen for control con- |
138 | nections, but require confirmation using the SSH_ASKPASS program | 140 | nections, but require confirmation using the SSH_ASKPASS program |
139 | before they are accepted (see ssh-add(1) for details). If the | 141 | before they are accepted (see ssh-add(1) for details). If the |
140 | ControlPath can not be opened, ssh will continue without connect- | 142 | ControlPath cannot be opened, ssh will continue without connect- |
141 | ing to a master instance. | 143 | ing to a master instance. |
142 | 144 | ||
143 | X11 and ssh-agent(1) forwarding is supported over these multi- | 145 | X11 and ssh-agent(1) forwarding is supported over these multi- |
@@ -154,12 +156,12 @@ DESCRIPTION | |||
154 | ControlPath | 156 | ControlPath |
155 | Specify the path to the control socket used for connection shar- | 157 | Specify the path to the control socket used for connection shar- |
156 | ing as described in the ControlMaster section above or the string | 158 | ing as described in the ControlMaster section above or the string |
157 | ``none'' to disable connection sharing. In the path, `%h' will | 159 | ``none'' to disable connection sharing. In the path, `%l' will |
158 | be substituted by the target host name, `%p' the port and `%r' by | 160 | be substituted by the local host name, `%h' will be substituted |
159 | the remote login username. It is recommended that any | 161 | by the target host name, `%p' the port, and `%r' by the remote |
160 | ControlPath used for opportunistic connection sharing include all | 162 | login username. It is recommended that any ControlPath used for |
161 | three of these escape sequences. This ensures that shared con- | 163 | opportunistic connection sharing include at least %h, %p, and %r. |
162 | nections are uniquely identified. | 164 | This ensures that shared connections are uniquely identified. |
163 | 165 | ||
164 | DynamicForward | 166 | DynamicForward |
165 | Specifies that a TCP port on the local machine be forwarded over | 167 | Specifies that a TCP port on the local machine be forwarded over |
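Review bot: the recommendation changes from "include all three of these escape sequences" to "include at least %h, %p, and %r" (new lines 161-164) while introducing `%l', but the text never says why the local host name is offered yet not required; one sentence on the rationale (the socket path must uniquely identify the destination so that sessions for different hosts, ports or users never attach to the wrong master, and %l additionally separates paths when several local hosts share the same socket directory) would let the reader decide whether to include it.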
@@ -176,9 +178,9 @@ DESCRIPTION | |||
176 | while an empty address or `*' indicates that the port should be | 178 | while an empty address or `*' indicates that the port should be |
177 | available from all interfaces. | 179 | available from all interfaces. |
178 | 180 | ||
179 | Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh | 181 | Currently the SOCKS4 and SOCKS5 protocols are supported, and |
180 | will act as a SOCKS server. Multiple forwardings may be speci- | 182 | ssh(1) will act as a SOCKS server. Multiple forwardings may be |
181 | fied, and additional forwardings can be given on the command | 183 | specified, and additional forwardings can be given on the command |
182 | line. Only the superuser can forward privileged ports. | 184 | line. Only the superuser can forward privileged ports. |
183 | 185 | ||
184 | EnableSSHKeysign | 186 | EnableSSHKeysign |
@@ -196,6 +198,12 @@ DESCRIPTION | |||
196 | able the escape character entirely (making the connection trans- | 198 | able the escape character entirely (making the connection trans- |
197 | parent for binary data). | 199 | parent for binary data). |
198 | 200 | ||
201 | ExitOnForwardFailure | ||
202 | Specifies whether ssh(1) should terminate the connection if it | ||
203 | cannot set up all requested dynamic, local, and remote port for- | ||
204 | wardings. The argument must be ``yes'' or ``no''. The default | ||
205 | is ``no''. | ||
206 | |||
199 | ForwardAgent | 207 | ForwardAgent |
200 | Specifies whether the connection to the authentication agent (if | 208 | Specifies whether the connection to the authentication agent (if |
201 | any) will be forwarded to the remote machine. The argument must | 209 | any) will be forwarded to the remote machine. The argument must |
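Review bot: the new ExitOnForwardFailure entry (new lines 201-205) does not say which protocol versions it covers, while neighbouring entries state this explicitly (e.g. "This option applies to protocol version 2 only"); add the applicability sentence if it is version-specific. It is also worth spelling out what the default ``no'' means in practice: the session continues without the failed forwarding, so a user who depends on a forwarding being in place (for example a DynamicForward SOCKS port) should set ``yes'' to fail closed rather than discover the missing forwarding later.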
@@ -222,15 +230,14 @@ DESCRIPTION | |||
222 | ForwardX11Trusted option is also enabled. | 230 | ForwardX11Trusted option is also enabled. |
223 | 231 | ||
224 | ForwardX11Trusted | 232 | ForwardX11Trusted |
225 | If this option is set to ``yes'' then remote X11 clients will | 233 | If this option is set to ``yes'', remote X11 clients will have |
226 | have full access to the original X11 display. | 234 | full access to the original X11 display. |
227 | 235 | ||
228 | If this option is set to ``no'' then remote X11 clients will be | 236 | If this option is set to ``no'', remote X11 clients will be con- |
229 | considered untrusted and prevented from stealing or tampering | 237 | sidered untrusted and prevented from stealing or tampering with |
230 | with data belonging to trusted X11 clients. Furthermore, the | 238 | data belonging to trusted X11 clients. Furthermore, the xauth(1) |
231 | xauth(1) token used for the session will be set to expire after | 239 | token used for the session will be set to expire after 20 min- |
232 | 20 minutes. Remote clients will be refused access after this | 240 | utes. Remote clients will be refused access after this time. |
233 | time. | ||
234 | 241 | ||
235 | The default is ``no''. | 242 | The default is ``no''. |
236 | 243 | ||
@@ -239,12 +246,13 @@ DESCRIPTION | |||
239 | 246 | ||
240 | GatewayPorts | 247 | GatewayPorts |
241 | Specifies whether remote hosts are allowed to connect to local | 248 | Specifies whether remote hosts are allowed to connect to local |
242 | forwarded ports. By default, ssh binds local port forwardings to | 249 | forwarded ports. By default, ssh(1) binds local port forwardings |
243 | the loopback address. This prevents other remote hosts from con- | 250 | to the loopback address. This prevents other remote hosts from |
244 | necting to forwarded ports. GatewayPorts can be used to specify | 251 | connecting to forwarded ports. GatewayPorts can be used to spec- |
245 | that ssh should bind local port forwardings to the wildcard ad- | 252 | ify that ssh should bind local port forwardings to the wildcard |
246 | dress, thus allowing remote hosts to connect to forwarded ports. | 253 | address, thus allowing remote hosts to connect to forwarded |
247 | The argument must be ``yes'' or ``no''. The default is ``no''. | 254 | ports. The argument must be ``yes'' or ``no''. The default is |
255 | ``no''. | ||
248 | 256 | ||
249 | GlobalKnownHostsFile | 257 | GlobalKnownHostsFile |
250 | Specifies a file to use for the global host key database instead | 258 | Specifies a file to use for the global host key database instead |
@@ -261,13 +269,13 @@ DESCRIPTION | |||
261 | ly. | 269 | ly. |
262 | 270 | ||
263 | HashKnownHosts | 271 | HashKnownHosts |
264 | Indicates that ssh should hash host names and addresses when they | 272 | Indicates that ssh(1) should hash host names and addresses when |
265 | are added to ~/.ssh/known_hosts. These hashed names may be used | 273 | they are added to ~/.ssh/known_hosts. These hashed names may be |
266 | normally by ssh and sshd, but they do not reveal identifying in- | 274 | used normally by ssh(1) and sshd(8), but they do not reveal iden- |
267 | formation should the file's contents be disclosed. The default | 275 | tifying information should the file's contents be disclosed. The |
268 | is ``no''. Note that hashing of names and addresses will not be | 276 | default is ``no''. Note that existing names and addresses in |
269 | retrospectively applied to existing known hosts files, but these | 277 | known hosts files will not be converted automatically, but may be |
270 | may be manually hashed using ssh-keygen(1). | 278 | manually hashed using ssh-keygen(1). |
271 | 279 | ||
272 | HostbasedAuthentication | 280 | HostbasedAuthentication |
273 | Specifies whether to try rhosts based authentication with public | 281 | Specifies whether to try rhosts based authentication with public |
@@ -283,19 +291,19 @@ DESCRIPTION | |||
283 | HostKeyAlias | 291 | HostKeyAlias |
284 | Specifies an alias that should be used instead of the real host | 292 | Specifies an alias that should be used instead of the real host |
285 | name when looking up or saving the host key in the host key | 293 | name when looking up or saving the host key in the host key |
286 | database files. This option is useful for tunneling ssh connec- | 294 | database files. This option is useful for tunneling SSH connec- |
287 | tions or for multiple servers running on a single host. | 295 | tions or for multiple servers running on a single host. |
288 | 296 | ||
289 | HostName | 297 | HostName |
290 | Specifies the real host name to log into. This can be used to | 298 | Specifies the real host name to log into. This can be used to |
291 | specify nicknames or abbreviations for hosts. Default is the | 299 | specify nicknames or abbreviations for hosts. The default is the |
292 | name given on the command line. Numeric IP addresses are also | 300 | name given on the command line. Numeric IP addresses are also |
293 | permitted (both on the command line and in HostName specifica- | 301 | permitted (both on the command line and in HostName specifica- |
294 | tions). | 302 | tions). |
295 | 303 | ||
296 | IdentitiesOnly | 304 | IdentitiesOnly |
297 | Specifies that ssh should only use the authentication identity | 305 | Specifies that ssh(1) should only use the authentication identity |
298 | files configured in the ssh_config files, even if the ssh-agent | 306 | files configured in the ssh_config files, even if ssh-agent(1) |
299 | offers more identities. The argument to this keyword must be | 307 | offers more identities. The argument to this keyword must be |
300 | ``yes'' or ``no''. This option is intended for situations where | 308 | ``yes'' or ``no''. This option is intended for situations where |
301 | ssh-agent offers many different identities. The default is | 309 | ssh-agent offers many different identities. The default is |
@@ -306,15 +314,23 @@ DESCRIPTION | |||
306 | identity is read. The default is ~/.ssh/identity for protocol | 314 | identity is read. The default is ~/.ssh/identity for protocol |
307 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- | 315 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- |
308 | sion 2. Additionally, any identities represented by the authen- | 316 | sion 2. Additionally, any identities represented by the authen- |
309 | tication agent will be used for authentication. The file name | 317 | tication agent will be used for authentication. |
310 | may use the tilde syntax to refer to a user's home directory. It | 318 | |
311 | is possible to have multiple identity files specified in configu- | 319 | The file name may use the tilde syntax to refer to a user's home |
312 | ration files; all these identities will be tried in sequence. | 320 | directory or one of the following escape characters: `%d' (local |
321 | user's home directory), `%u' (local user name), `%l' (local host | ||
322 | name), `%h' (remote host name) or `%r' (remote user name). | ||
323 | |||
324 | It is possible to have multiple identity files specified in con- | ||
325 | figuration files; all these identities will be tried in sequence. | ||
313 | 326 | ||
314 | KbdInteractiveDevices | 327 | KbdInteractiveDevices |
315 | Specifies the list of methods to use in keyboard-interactive au- | 328 | Specifies the list of methods to use in keyboard-interactive au- |
316 | thentication. Multiple method names must be comma-separated. | 329 | thentication. Multiple method names must be comma-separated. |
317 | The default is to use the server specified list. | 330 | The default is to use the server specified list. The methods |
331 | available vary depending on what the server supports. For an | ||
332 | OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'', | ||
333 | and ``skey''. | ||
318 | 334 | ||
319 | LocalCommand | 335 | LocalCommand |
320 | Specifies a command to execute on the local machine after suc- | 336 | Specifies a command to execute on the local machine after suc- |
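Review bot: the new IdentityFile escape list (new lines 320-322: `%d', `%u', `%l', `%h', `%r') overlaps the ControlPath list (`%l', `%h', `%p', `%r') but is documented independently, so the two are likely to drift (`%p' is absent here, `%d' and `%u' are absent there); consider stating per keyword which escapes are accepted, or pointing both entries at one shared list. In the KbdInteractiveDevices addition (new lines 330-333), "server specified list" should read "server-specified list".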
@@ -341,15 +357,15 @@ DESCRIPTION | |||
341 | 357 | ||
342 | LogLevel | 358 | LogLevel |
343 | Gives the verbosity level that is used when logging messages from | 359 | Gives the verbosity level that is used when logging messages from |
344 | ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VER- | 360 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER- |
345 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. | 361 | BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. |
346 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | 362 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
347 | higher levels of verbose output. | 363 | higher levels of verbose output. |
348 | 364 | ||
349 | MACs Specifies the MAC (message authentication code) algorithms in or- | 365 | MACs Specifies the MAC (message authentication code) algorithms in or- |
350 | der of preference. The MAC algorithm is used in protocol version | 366 | der of preference. The MAC algorithm is used in protocol version |
351 | 2 for data integrity protection. Multiple algorithms must be | 367 | 2 for data integrity protection. Multiple algorithms must be |
352 | comma-separated. The default is ``hmac-md5,hmac-sha1,hmac- | 368 | comma-separated. The default is: ``hmac-md5,hmac-sha1,hmac- |
353 | ripemd160,hmac-sha1-96,hmac-md5-96''. | 369 | ripemd160,hmac-sha1-96,hmac-md5-96''. |
354 | 370 | ||
355 | NoHostAuthenticationForLocalhost | 371 | NoHostAuthenticationForLocalhost |
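Review bot: the MACs default is now introduced with "The default is:" but kept as an inline quoted string broken across lines (new lines 368-369), whereas the Ciphers default in this same change was moved to an unquoted, indented block after the same colon (new lines 92-96); pick one presentation for long comma-separated defaults, preferably the indented block, so that a reader copying the value does not pick up the line-break hyphen in "hmac-" / "ripemd160".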
@@ -363,7 +379,7 @@ DESCRIPTION | |||
363 | 379 | ||
364 | NumberOfPasswordPrompts | 380 | NumberOfPasswordPrompts |
365 | Specifies the number of password prompts before giving up. The | 381 | Specifies the number of password prompts before giving up. The |
366 | argument to this keyword must be an integer. Default is 3. | 382 | argument to this keyword must be an integer. The default is 3. |
367 | 383 | ||
368 | PasswordAuthentication | 384 | PasswordAuthentication |
369 | Specifies whether to use password authentication. The argument | 385 | Specifies whether to use password authentication. The argument |
@@ -375,20 +391,20 @@ DESCRIPTION | |||
375 | ing the !command escape sequence in ssh(1). The argument must be | 391 | ing the !command escape sequence in ssh(1). The argument must be |
376 | ``yes'' or ``no''. The default is ``no''. | 392 | ``yes'' or ``no''. The default is ``no''. |
377 | 393 | ||
378 | Port Specifies the port number to connect on the remote host. Default | 394 | Port Specifies the port number to connect on the remote host. The de- |
379 | is 22. | 395 | fault is 22. |
380 | 396 | ||
381 | PreferredAuthentications | 397 | PreferredAuthentications |
382 | Specifies the order in which the client should try protocol 2 au- | 398 | Specifies the order in which the client should try protocol 2 au- |
383 | thentication methods. This allows a client to prefer one method | 399 | thentication methods. This allows a client to prefer one method |
384 | (e.g. keyboard-interactive) over another method (e.g. password) | 400 | (e.g. keyboard-interactive) over another method (e.g. password) |
385 | The default for this option is: ``hostbased,publickey,keyboard- | 401 | The default for this option is: ``gssapi-with-mic,hostbased, |
386 | interactive,password''. | 402 | publickey, keyboard-interactive, password''. |
387 | 403 | ||
388 | Protocol | 404 | Protocol |
389 | Specifies the protocol versions ssh should support in order of | 405 | Specifies the protocol versions ssh(1) should support in order of |
390 | preference. The possible values are ``1'' and ``2''. Multiple | 406 | preference. The possible values are `1' and `2'. Multiple ver- |
391 | versions must be comma-separated. The default is ``2,1''. This | 407 | sions must be comma-separated. The default is ``2,1''. This |
392 | means that ssh tries version 2 and falls back to version 1 if | 408 | means that ssh tries version 2 and falls back to version 1 if |
393 | version 2 is not available. | 409 | version 2 is not available. |
394 | 410 | ||
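Review bot: the new PreferredAuthentications default (new lines 401-402) is rendered as ``gssapi-with-mic,hostbased, publickey, keyboard-interactive, password'' with spaces after some commas, unlike the Ciphers and MACs defaults in this file, which are printed without spaces; since this is a comma-separated list a user may copy verbatim, drop the spaces (or state that surrounding whitespace is tolerated). The missing full stop after "(e.g. password)" on new line 400 is pre-existing, but this hunk already rewrites the paragraph and could fix it.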
@@ -422,8 +438,8 @@ DESCRIPTION | |||
422 | fore the session key is renegotiated. The argument is the number | 438 | fore the session key is renegotiated. The argument is the number |
423 | of bytes, with an optional suffix of `K', `M', or `G' to indicate | 439 | of bytes, with an optional suffix of `K', `M', or `G' to indicate |
424 | Kilobytes, Megabytes, or Gigabytes, respectively. The default is | 440 | Kilobytes, Megabytes, or Gigabytes, respectively. The default is |
425 | between ``1G'' and ``4G'', depending on the cipher. This option | 441 | between `1G' and `4G', depending on the cipher. This option ap- |
426 | applies to protocol version 2 only. | 442 | plies to protocol version 2 only. |
427 | 443 | ||
428 | RemoteForward | 444 | RemoteForward |
429 | Specifies that a TCP port on the remote machine be forwarded over | 445 | Specifies that a TCP port on the remote machine be forwarded over |
@@ -446,7 +462,7 @@ DESCRIPTION | |||
446 | Specifies whether to try rhosts based authentication with RSA | 462 | Specifies whether to try rhosts based authentication with RSA |
447 | host authentication. The argument must be ``yes'' or ``no''. | 463 | host authentication. The argument must be ``yes'' or ``no''. |
448 | The default is ``no''. This option applies to protocol version 1 | 464 | The default is ``no''. This option applies to protocol version 1 |
449 | only and requires ssh to be setuid root. | 465 | only and requires ssh(1) to be setuid root. |
450 | 466 | ||
451 | RSAAuthentication | 467 | RSAAuthentication |
452 | Specifies whether to try RSA authentication. The argument to | 468 | Specifies whether to try RSA authentication. The argument to |
@@ -458,21 +474,23 @@ DESCRIPTION | |||
458 | SendEnv | 474 | SendEnv |
459 | Specifies what variables from the local environ(7) should be sent | 475 | Specifies what variables from the local environ(7) should be sent |
460 | to the server. Note that environment passing is only supported | 476 | to the server. Note that environment passing is only supported |
461 | for protocol 2, the server must also support it, and the server | 477 | for protocol 2. The server must also support it, and the server |
462 | must be configured to accept these environment variables. Refer | 478 | must be configured to accept these environment variables. Refer |
463 | to AcceptEnv in sshd_config(5) for how to configure the server. | 479 | to AcceptEnv in sshd_config(5) for how to configure the server. |
464 | Variables are specified by name, which may contain the wildcard | 480 | Variables are specified by name, which may contain wildcard char- |
465 | characters `*' and `?'. Multiple environment variables may be | 481 | acters. Multiple environment variables may be separated by |
466 | separated by whitespace or spread across multiple SendEnv direc- | 482 | whitespace or spread across multiple SendEnv directives. The de- |
467 | tives. The default is not to send any environment variables. | 483 | fault is not to send any environment variables. |
484 | |||
485 | See PATTERNS for more information on patterns. | ||
468 | 486 | ||
469 | ServerAliveCountMax | 487 | ServerAliveCountMax |
470 | Sets the number of server alive messages (see below) which may be | 488 | Sets the number of server alive messages (see below) which may be |
471 | sent without ssh receiving any messages back from the server. If | 489 | sent without ssh(1) receiving any messages back from the server. |
472 | this threshold is reached while server alive messages are being | 490 | If this threshold is reached while server alive messages are be- |
473 | sent, ssh will disconnect from the server, terminating the ses- | 491 | ing sent, ssh will disconnect from the server, terminating the |
474 | sion. It is important to note that the use of server alive mes- | 492 | session. It is important to note that the use of server alive |
475 | sages is very different from TCPKeepAlive (below). The server | 493 | messages is very different from TCPKeepAlive (below). The server |
476 | alive messages are sent through the encrypted channel and there- | 494 | alive messages are sent through the encrypted channel and there- |
477 | fore will not be spoofable. The TCP keepalive option enabled by | 495 | fore will not be spoofable. The TCP keepalive option enabled by |
478 | TCPKeepAlive is spoofable. The server alive mechanism is valu- | 496 | TCPKeepAlive is spoofable. The server alive mechanism is valu- |
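Review bot: new lines 480-481 replace the explicit "`*' and `?'" with "wildcard characters" and defer to PATTERNS (new line 485); the same concern as in the Host entry applies, the PATTERNS section must exist in this file. Splitting "for protocol 2, the server must also support it" into two sentences (new line 477) reads better; what a user still lacks here is a note that a broad pattern sends every matching local variable to the server, so patterns should be as narrow as the use case allows.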
@@ -480,39 +498,41 @@ DESCRIPTION | |||
480 | tion has become inactive. | 498 | tion has become inactive. |
481 | 499 | ||
482 | The default value is 3. If, for example, ServerAliveInterval | 500 | The default value is 3. If, for example, ServerAliveInterval |
483 | (see below) is set to 15, and ServerAliveCountMax is left at the | 501 | (see below) is set to 15 and ServerAliveCountMax is left at the |
484 | default, if the server becomes unresponsive ssh will disconnect | 502 | default, if the server becomes unresponsive, ssh will disconnect |
485 | after approximately 45 seconds. | 503 | after approximately 45 seconds. This option applies to protocol |
504 | version 2 only. | ||
486 | 505 | ||
487 | ServerAliveInterval | 506 | ServerAliveInterval |
488 | Sets a timeout interval in seconds after which if no data has | 507 | Sets a timeout interval in seconds after which if no data has |
489 | been received from the server, ssh will send a message through | 508 | been received from the server, ssh(1) will send a message through |
490 | the encrypted channel to request a response from the server. The | 509 | the encrypted channel to request a response from the server. The |
491 | default is 0, indicating that these messages will not be sent to | 510 | default is 0, indicating that these messages will not be sent to |
492 | the server. This option applies to protocol version 2 only. | 511 | the server. This option applies to protocol version 2 only. |
493 | 512 | ||
494 | SmartcardDevice | 513 | SmartcardDevice |
495 | Specifies which smartcard device to use. The argument to this | 514 | Specifies which smartcard device to use. The argument to this |
496 | keyword is the device ssh should use to communicate with a smart- | 515 | keyword is the device ssh(1) should use to communicate with a |
497 | card used for storing the user's private RSA key. By default, no | 516 | smartcard used for storing the user's private RSA key. By de- |
498 | device is specified and smartcard support is not activated. | 517 | fault, no device is specified and smartcard support is not acti- |
518 | vated. | ||
499 | 519 | ||
500 | StrictHostKeyChecking | 520 | StrictHostKeyChecking |
501 | If this flag is set to ``yes'', ssh will never automatically add | 521 | If this flag is set to ``yes'', ssh(1) will never automatically |
502 | host keys to the ~/.ssh/known_hosts file, and refuses to connect | 522 | add host keys to the ~/.ssh/known_hosts file, and refuses to con- |
503 | to hosts whose host key has changed. This provides maximum pro- | 523 | nect to hosts whose host key has changed. This provides maximum |
504 | tection against trojan horse attacks, however, can be annoying | 524 | protection against trojan horse attacks, though it can be annoy- |
505 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or | 525 | ing when the /etc/ssh/ssh_known_hosts file is poorly maintained |
506 | connections to new hosts are frequently made. This option forces | 526 | or when connections to new hosts are frequently made. This op- |
507 | the user to manually add all new hosts. If this flag is set to | 527 | tion forces the user to manually add all new hosts. If this flag |
508 | ``no'', ssh will automatically add new host keys to the user | 528 | is set to ``no'', ssh will automatically add new host keys to the |
509 | known hosts files. If this flag is set to ``ask'', new host keys | 529 | user known hosts files. If this flag is set to ``ask'', new host |
510 | will be added to the user known host files only after the user | 530 | keys will be added to the user known host files only after the |
511 | has confirmed that is what they really want to do, and ssh will | 531 | user has confirmed that is what they really want to do, and ssh |
512 | refuse to connect to hosts whose host key has changed. The host | 532 | will refuse to connect to hosts whose host key has changed. The |
513 | keys of known hosts will be verified automatically in all cases. | 533 | host keys of known hosts will be verified automatically in all |
514 | The argument must be ``yes'', ``no'' or ``ask''. The default is | 534 | cases. The argument must be ``yes'', ``no'', or ``ask''. The |
515 | ``ask''. | 535 | default is ``ask''. |
516 | 536 | ||
517 | TCPKeepAlive | 537 | TCPKeepAlive |
518 | Specifies whether the system should send TCP keepalive messages | 538 | Specifies whether the system should send TCP keepalive messages |
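Review bot: the verbs in the reworded StrictHostKeyChecking paragraph do not agree: ``ssh(1) will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect'' mixes future and present; suggest ``and will refuse to connect to hosts whose host key has changed'', which also matches the later sentence for the ``ask'' case. The ServerAliveCountMax example still nests two conditions in one sentence (``If, for example, ServerAliveInterval ... is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect ...''); folding them into one condition (``If ServerAliveInterval is set to 15, ServerAliveCountMax is left at the default, and the server becomes unresponsive, ssh will disconnect after approximately 45 seconds'') reads more clearly. The added ``This option applies to protocol version 2 only'' sentence is consistent with the ServerAliveInterval entry that follows.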
@@ -528,22 +548,27 @@ DESCRIPTION | |||
528 | To disable TCP keepalive messages, the value should be set to | 548 | To disable TCP keepalive messages, the value should be set to |
529 | ``no''. | 549 | ``no''. |
530 | 550 | ||
531 | Tunnel Request starting tun(4) device forwarding between the client and | 551 | Tunnel Request tun(4) device forwarding between the client and the serv- |
532 | the server. This option also allows requesting layer 2 (ether- | 552 | er. The argument must be ``yes'', ``point-to-point'' (layer 3), |
533 | net) instead of layer 3 (point-to-point) tunneling from the serv- | 553 | ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' requests |
534 | er. The argument must be ``yes'', ``point-to-point'', | 554 | the default tunnel mode, which is ``point-to-point''. The de- |
535 | ``ethernet'' or ``no''. The default is ``no''. | 555 | fault is ``no''. |
536 | 556 | ||
537 | TunnelDevice | 557 | TunnelDevice |
538 | Force a specified tun(4) device on the client. Without this op- | 558 | Specifies the tun(4) devices to open on the client (local_tun) |
539 | tion, the next available device will be used. | 559 | and the server (remote_tun). |
560 | |||
561 | The argument must be local_tun[:remote_tun]. The devices may be | ||
562 | specified by numerical ID or the keyword ``any'', which uses the | ||
563 | next available tunnel device. If remote_tun is not specified, it | ||
564 | defaults to ``any''. The default is ``any:any''. | ||
540 | 565 | ||
541 | UsePrivilegedPort | 566 | UsePrivilegedPort |
542 | Specifies whether to use a privileged port for outgoing connec- | 567 | Specifies whether to use a privileged port for outgoing connec- |
543 | tions. The argument must be ``yes'' or ``no''. The default is | 568 | tions. The argument must be ``yes'' or ``no''. The default is |
544 | ``no''. If set to ``yes'' ssh must be setuid root. Note that | 569 | ``no''. If set to ``yes'', ssh(1) must be setuid root. Note |
545 | this option must be set to ``yes'' for RhostsRSAAuthentication | 570 | that this option must be set to ``yes'' for |
546 | with older servers. | 571 | RhostsRSAAuthentication with older servers. |
547 | 572 | ||
548 | User Specifies the user to log in as. This can be useful when a dif- | 573 | User Specifies the user to log in as. This can be useful when a dif- |
549 | ferent user name is used on different machines. This saves the | 574 | ferent user name is used on different machines. This saves the |
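Review bot: the new TunnelDevice text documents the local_tun[:remote_tun] syntax and the ``any'' keyword but says nothing about how the option relates to the Tunnel keyword directly above it; the reader cannot tell from this page whether TunnelDevice is consulted at all when Tunnel is ``no'', or whether ``any'' on the remote side is chosen by the server rather than the client. One sentence stating the dependency (for example ``This option has no effect unless Tunnel is enabled; see Tunnel.'', if that is the behaviour) would close the gap. The rewritten Tunnel entry is fine: the dropped sentence about requesting layer 2 instead of layer 3 tunneling is now carried by the ``(layer 3)'' and ``(layer 2)'' parentheticals on the argument values, and the new sentence making ``yes'' an alias for ``point-to-point'' is a useful clarification.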
@@ -562,18 +587,42 @@ DESCRIPTION | |||
562 | set to ``ask''. If this option is set to ``ask'', information on | 587 | set to ``ask''. If this option is set to ``ask'', information on |
563 | fingerprint match will be displayed, but the user will still need | 588 | fingerprint match will be displayed, but the user will still need |
564 | to confirm new host keys according to the StrictHostKeyChecking | 589 | to confirm new host keys according to the StrictHostKeyChecking |
565 | option. The argument must be ``yes'', ``no'' or ``ask''. The | 590 | option. The argument must be ``yes'', ``no'', or ``ask''. The |
566 | default is ``no''. Note that this option applies to protocol | 591 | default is ``no''. Note that this option applies to protocol |
567 | version 2 only. | 592 | version 2 only. |
568 | 593 | ||
594 | See also VERIFYING HOST KEYS in ssh(1). | ||
595 | |||
569 | XAuthLocation | 596 | XAuthLocation |
570 | Specifies the full pathname of the xauth(1) program. The default | 597 | Specifies the full pathname of the xauth(1) program. The default |
571 | is /usr/X11R6/bin/xauth. | 598 | is /usr/X11R6/bin/xauth. |
572 | 599 | ||
600 | PATTERNS | ||
601 | A pattern consists of zero or more non-whitespace characters, `*' (a | ||
602 | wildcard that matches zero or more characters), or `?' (a wildcard that | ||
603 | matches exactly one character). For example, to specify a set of decla- | ||
604 | rations for any host in the ``.co.uk'' set of domains, the following pat- | ||
605 | tern could be used: | ||
606 | |||
607 | Host *.co.uk | ||
608 | |||
609 | The following pattern would match any host in the 192.168.0.[0-9] network | ||
610 | range: | ||
611 | |||
612 | Host 192.168.0.? | ||
613 | |||
614 | A pattern-list is a comma-separated list of patterns. Patterns within | ||
615 | pattern-lists may be negated by preceding them with an exclamation mark | ||
616 | (`!'). For example, to allow a key to be used from anywhere within an | ||
617 | organisation except from the ``dialup'' pool, the following entry (in au- | ||
618 | thorized_keys) could be used: | ||
619 | |||
620 | from="!*.dialup.example.com,*.example.com" | ||
621 | |||
573 | FILES | 622 | FILES |
574 | ~/.ssh/config | 623 | ~/.ssh/config |
575 | This is the per-user configuration file. The format of this file | 624 | This is the per-user configuration file. The format of this file |
576 | is described above. This file is used by the ssh client. Be- | 625 | is described above. This file is used by the SSH client. Be- |
577 | cause of the potential for abuse, this file must have strict per- | 626 | cause of the potential for abuse, this file must have strict per- |
578 | missions: read/write for the user, and not accessible by others. | 627 | missions: read/write for the user, and not accessible by others. |
579 | 628 | ||
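Review bot: the pattern-list example in the new PATTERNS section is an authorized_keys from= entry, which is configured on the server side and is not a keyword documented in this file; for ssh_config(5) an example built on a keyword this page describes, or at least a pointer to sshd(8) for the from= option, would serve the reader better. The negation text also leaves the matching rule open: it says patterns ``may be negated by preceding them with an exclamation mark'' but not whether a negated pattern that matches causes the whole pattern-list to fail to match, nor what a list consisting only of negated patterns matches; one sentence stating that rule would make the dialup example unambiguous. The ``See also VERIFYING HOST KEYS in ssh(1)'' cross-reference added after the fingerprint-match paragraph, and the ``SSH client'' capitalisation fix under FILES, are good.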
@@ -593,4 +642,4 @@ AUTHORS | |||
593 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 642 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
594 | versions 1.5 and 2.0. | 643 | versions 1.5 and 2.0. |
595 | 644 | ||
596 | OpenBSD 3.9 September 25, 1999 9 | 645 | OpenBSD 4.1 September 25, 1999 10 |
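Review bot: the rendered footer moves from OpenBSD 3.9 to 4.1 and from page 9 to 10, but the date stays at September 25, 1999 even though this revision adds a whole PATTERNS section and changes the TunnelDevice argument syntax; the date macro in the manual source this .0 file is generated from should be bumped so the rendered page reflects when its content last changed.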