summaryrefslogtreecommitdiff
path: root/ssh_config.0
diff options
context:
space:
mode:
Diffstat (limited to 'ssh_config.0')
-rw-r--r--ssh_config.01109
1 files changed, 1109 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0
new file mode 100644
index 000000000..eb7f929e6
--- /dev/null
+++ b/ssh_config.0
@@ -0,0 +1,1109 @@
1SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5)
2
3NAME
4 ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files
5
6DESCRIPTION
7 ssh(1) obtains configuration data from the following sources in the
8 following order:
9
10 1. command-line options
11 2. user's configuration file (~/.ssh/config)
12 3. system-wide configuration file (/etc/ssh/ssh_config)
13
14 For each parameter, the first obtained value will be used. The
15 configuration files contain sections separated by Host specifications,
16 and that section is only applied for hosts that match one of the patterns
17 given in the specification. The matched host name is usually the one
18 given on the command line (see the CanonicalizeHostname option for
19 exceptions).
20
21 Since the first obtained value for each parameter is used, more host-
22 specific declarations should be given near the beginning of the file, and
23 general defaults at the end.
24
25 The file contains keyword-argument pairs, one per line. Lines starting
26 with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as comments. Arguments may
27 optionally be enclosed in double quotes (") in order to represent
28 arguments containing spaces. Configuration options may be separated by
29 whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the latter format
30 is useful to avoid the need to quote whitespace when specifying
31 configuration options using the ssh, scp, and sftp -o option.
32
33 The possible keywords and their meanings are as follows (note that
34 keywords are case-insensitive and arguments are case-sensitive):
35
36 Host Restricts the following declarations (up to the next Host or
37 Match keyword) to be only for those hosts that match one of the
38 patterns given after the keyword. If more than one pattern is
39 provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y
40 as a pattern can be used to provide global defaults for all
41 hosts. The host is usually the hostname argument given on the
42 command line (see the CanonicalizeHostname keyword for
43 exceptions).
44
45 A pattern entry may be negated by prefixing it with an
46 exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the
47 Host entry is ignored, regardless of whether any other patterns
48 on the line match. Negated matches are therefore useful to
49 provide exceptions for wildcard matches.
50
51 See PATTERNS for more information on patterns.
52
53 Match Restricts the following declarations (up to the next Host or
54 Match keyword) to be used only when the conditions following the
55 Match keyword are satisfied. Match conditions are specified
56 using one or more criteria or the single token all which always
57 matches. The available criteria keywords are: canonical, exec,
58 host, originalhost, user, and localuser. The all criteria must
59 appear alone or immediately after canonical. Other criteria may
60 be combined arbitrarily. All criteria but all and canonical
61 require an argument. Criteria may be negated by prepending an
62 exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y).
63
64 The canonical keyword matches only when the configuration file is
65 being re-parsed after hostname canonicalization (see the
66 CanonicalizeHostname option.) This may be useful to specify
67 conditions that work with canonical host names only. The exec
68 keyword executes the specified command under the user's shell.
69 If the command returns a zero exit status then the condition is
70 considered true. Commands containing whitespace characters must
71 be quoted. Arguments to exec accept the tokens described in the
72 TOKENS section.
73
74 The other keywords' criteria must be single entries or comma-
75 separated lists and may use the wildcard and negation operators
76 described in the PATTERNS section. The criteria for the host
77 keyword are matched against the target hostname, after any
78 substitution by the Hostname or CanonicalizeHostname options.
79 The originalhost keyword matches against the hostname as it was
80 specified on the command-line. The user keyword matches against
81 the target username on the remote host. The localuser keyword
82 matches against the name of the local user running ssh(1) (this
83 keyword may be useful in system-wide ssh_config files).
84
85 AddKeysToAgent
86 Specifies whether keys should be automatically added to a running
87 ssh-agent(1). If this option is set to yes and a key is loaded
88 from a file, the key and its passphrase are added to the agent
89 with the default lifetime, as if by ssh-add(1). If this option
90 is set to ask, ssh(1) will require confirmation using the
91 SSH_ASKPASS program before adding a key (see ssh-add(1) for
92 details). If this option is set to confirm, each use of the key
93 must be confirmed, as if the -c option was specified to
94 ssh-add(1). If this option is set to no, no keys are added to
95 the agent. The argument must be yes, confirm, ask, or no (the
96 default).
97
98 AddressFamily
99 Specifies which address family to use when connecting. Valid
100 arguments are any (the default), inet (use IPv4 only), or inet6
101 (use IPv6 only).
102
103 BatchMode
104 If set to yes, passphrase/password querying will be disabled.
105 This option is useful in scripts and other batch jobs where no
106 user is present to supply the password. The argument must be yes
107 or no (the default).
108
109 BindAddress
110 Use the specified address on the local machine as the source
111 address of the connection. Only useful on systems with more than
112 one address.
113
114 BindInterface
115 Use the address of the specified interface on the local machine
116 as the source address of the connection.
117
118 CanonicalDomains
119 When CanonicalizeHostname is enabled, this option specifies the
120 list of domain suffixes in which to search for the specified
121 destination host.
122
123 CanonicalizeFallbackLocal
124 Specifies whether to fail with an error when hostname
125 canonicalization fails. The default, yes, will attempt to look
126 up the unqualified hostname using the system resolver's search
127 rules. A value of no will cause ssh(1) to fail instantly if
128 CanonicalizeHostname is enabled and the target hostname cannot be
129 found in any of the domains specified by CanonicalDomains.
130
131 CanonicalizeHostname
132 Controls whether explicit hostname canonicalization is performed.
133 The default, no, is not to perform any name rewriting and let the
134 system resolver handle all hostname lookups. If set to yes then,
135 for connections that do not use a ProxyCommand or ProxyJump,
136 ssh(1) will attempt to canonicalize the hostname specified on the
137 command line using the CanonicalDomains suffixes and
138 CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is
139 set to always, then canonicalization is applied to proxied
140 connections too.
141
142 If this option is enabled, then the configuration files are
143 processed again using the new target name to pick up any new
144 configuration in matching Host and Match stanzas.
145
146 CanonicalizeMaxDots
147 Specifies the maximum number of dot characters in a hostname
148 before canonicalization is disabled. The default, 1, allows a
149 single dot (i.e. hostname.subdomain).
150
151 CanonicalizePermittedCNAMEs
152 Specifies rules to determine whether CNAMEs should be followed
153 when canonicalizing hostnames. The rules consist of one or more
154 arguments of source_domain_list:target_domain_list, where
155 source_domain_list is a pattern-list of domains that may follow
156 CNAMEs in canonicalization, and target_domain_list is a pattern-
157 list of domains that they may resolve to.
158
159 For example, "*.a.example.com:*.b.example.com,*.c.example.com"
160 will allow hostnames matching "*.a.example.com" to be
161 canonicalized to names in the "*.b.example.com" or
162 "*.c.example.com" domains.
163
164 CASignatureAlgorithms
165 Specifies which algorithms are allowed for signing of
166 certificates by certificate authorities (CAs). The default is:
167
168 ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
169 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
170
171 ssh(1) will not accept host certificates signed using algorithms
172 other than those specified.
173
174 CertificateFile
175 Specifies a file from which the user's certificate is read. A
176 corresponding private key must be provided separately in order to
177 use this certificate either from an IdentityFile directive or -i
178 flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider.
179
180 Arguments to CertificateFile may use the tilde syntax to refer to
181 a user's home directory or the tokens described in the TOKENS
182 section.
183
184 It is possible to have multiple certificate files specified in
185 configuration files; these certificates will be tried in
186 sequence. Multiple CertificateFile directives will add to the
187 list of certificates used for authentication.
188
189 ChallengeResponseAuthentication
190 Specifies whether to use challenge-response authentication. The
191 argument to this keyword must be yes (the default) or no.
192
193 CheckHostIP
194 If set to yes (the default), ssh(1) will additionally check the
195 host IP address in the known_hosts file. This allows it to
196 detect if a host key changed due to DNS spoofing and will add
197 addresses of destination hosts to ~/.ssh/known_hosts in the
198 process, regardless of the setting of StrictHostKeyChecking. If
199 the option is set to no, the check will not be executed.
200
201 Ciphers
202 Specifies the ciphers allowed and their order of preference.
203 Multiple ciphers must be comma-separated. If the specified value
204 begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be
205 appended to the default set instead of replacing them. If the
206 specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
207 ciphers (including wildcards) will be removed from the default
208 set instead of replacing them.
209
210 The supported ciphers are:
211
212 3des-cbc
213 aes128-cbc
214 aes192-cbc
215 aes256-cbc
216 aes128-ctr
217 aes192-ctr
218 aes256-ctr
219 aes128-gcm@openssh.com
220 aes256-gcm@openssh.com
221 chacha20-poly1305@openssh.com
222
223 The default is:
224
225 chacha20-poly1305@openssh.com,
226 aes128-ctr,aes192-ctr,aes256-ctr,
227 aes128-gcm@openssh.com,aes256-gcm@openssh.com
228
229 The list of available ciphers may also be obtained using "ssh -Q
230 cipher".
231
232 ClearAllForwardings
233 Specifies that all local, remote, and dynamic port forwardings
234 specified in the configuration files or on the command line be
235 cleared. This option is primarily useful when used from the
236 ssh(1) command line to clear port forwardings set in
237 configuration files, and is automatically set by scp(1) and
238 sftp(1). The argument must be yes or no (the default).
239
240 Compression
241 Specifies whether to use compression. The argument must be yes
242 or no (the default).
243
244 ConnectionAttempts
245 Specifies the number of tries (one per second) to make before
246 exiting. The argument must be an integer. This may be useful in
247 scripts if the connection sometimes fails. The default is 1.
248
249 ConnectTimeout
250 Specifies the timeout (in seconds) used when connecting to the
251 SSH server, instead of using the default system TCP timeout.
252 This value is used only when the target is down or really
253 unreachable, not when it refuses the connection.
254
255 ControlMaster
256 Enables the sharing of multiple sessions over a single network
257 connection. When set to yes, ssh(1) will listen for connections
258 on a control socket specified using the ControlPath argument.
259 Additional sessions can connect to this socket using the same
260 ControlPath with ControlMaster set to no (the default). These
261 sessions will try to reuse the master instance's network
262 connection rather than initiating new ones, but will fall back to
263 connecting normally if the control socket does not exist, or is
264 not listening.
265
266 Setting this to ask will cause ssh(1) to listen for control
267 connections, but require confirmation using ssh-askpass(1). If
268 the ControlPath cannot be opened, ssh(1) will continue without
269 connecting to a master instance.
270
271 X11 and ssh-agent(1) forwarding is supported over these
272 multiplexed connections, however the display and agent forwarded
273 will be the one belonging to the master connection i.e. it is not
274 possible to forward multiple displays or agents.
275
276 Two additional options allow for opportunistic multiplexing: try
277 to use a master connection but fall back to creating a new one if
278 one does not already exist. These options are: auto and autoask.
279 The latter requires confirmation like the ask option.
280
281 ControlPath
282 Specify the path to the control socket used for connection
283 sharing as described in the ControlMaster section above or the
284 string none to disable connection sharing. Arguments to
285 ControlPath may use the tilde syntax to refer to a user's home
286 directory or the tokens described in the TOKENS section. It is
287 recommended that any ControlPath used for opportunistic
288 connection sharing include at least %h, %p, and %r (or
289 alternatively %C) and be placed in a directory that is not
290 writable by other users. This ensures that shared connections
291 are uniquely identified.
292
293 ControlPersist
294 When used in conjunction with ControlMaster, specifies that the
295 master connection should remain open in the background (waiting
296 for future client connections) after the initial client
297 connection has been closed. If set to no, then the master
298 connection will not be placed into the background, and will close
299 as soon as the initial client connection is closed. If set to
300 yes or 0, then the master connection will remain in the
301 background indefinitely (until killed or closed via a mechanism
302 such as the "ssh -O exit"). If set to a time in seconds, or a
303 time in any of the formats documented in sshd_config(5), then the
304 backgrounded master connection will automatically terminate after
305 it has remained idle (with no client connections) for the
306 specified time.
307
308 DynamicForward
309 Specifies that a TCP port on the local machine be forwarded over
310 the secure channel, and the application protocol is then used to
311 determine where to connect to from the remote machine.
312
313 The argument must be [bind_address:]port. IPv6 addresses can be
314 specified by enclosing addresses in square brackets. By default,
315 the local port is bound in accordance with the GatewayPorts
316 setting. However, an explicit bind_address may be used to bind
317 the connection to a specific address. The bind_address of
318 localhost indicates that the listening port be bound for local
319 use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port
320 should be available from all interfaces.
321
322 Currently the SOCKS4 and SOCKS5 protocols are supported, and
323 ssh(1) will act as a SOCKS server. Multiple forwardings may be
324 specified, and additional forwardings can be given on the command
325 line. Only the superuser can forward privileged ports.
326
327 EnableSSHKeysign
328 Setting this option to yes in the global client configuration
329 file /etc/ssh/ssh_config enables the use of the helper program
330 ssh-keysign(8) during HostbasedAuthentication. The argument must
331 be yes or no (the default). This option should be placed in the
332 non-hostspecific section. See ssh-keysign(8) for more
333 information.
334
335 EscapeChar
336 Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character
337 can also be set on the command line. The argument should be a
338 single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or none to disable
339 the escape character entirely (making the connection transparent
340 for binary data).
341
342 ExitOnForwardFailure
343 Specifies whether ssh(1) should terminate the connection if it
344 cannot set up all requested dynamic, tunnel, local, and remote
345 port forwardings, (e.g. if either end is unable to bind and
346 listen on a specified port). Note that ExitOnForwardFailure does
347 not apply to connections made over port forwardings and will not,
348 for example, cause ssh(1) to exit if TCP connections to the
349 ultimate forwarding destination fail. The argument must be yes
350 or no (the default).
351
352 FingerprintHash
353 Specifies the hash algorithm used when displaying key
354 fingerprints. Valid options are: md5 and sha256 (the default).
355
356 ForwardAgent
357 Specifies whether the connection to the authentication agent (if
358 any) will be forwarded to the remote machine. The argument must
359 be yes or no (the default).
360
361 Agent forwarding should be enabled with caution. Users with the
362 ability to bypass file permissions on the remote host (for the
363 agent's Unix-domain socket) can access the local agent through
364 the forwarded connection. An attacker cannot obtain key material
365 from the agent, however they can perform operations on the keys
366 that enable them to authenticate using the identities loaded into
367 the agent.
368
369 ForwardX11
370 Specifies whether X11 connections will be automatically
371 redirected over the secure channel and DISPLAY set. The argument
372 must be yes or no (the default).
373
374 X11 forwarding should be enabled with caution. Users with the
375 ability to bypass file permissions on the remote host (for the
376 user's X11 authorization database) can access the local X11
377 display through the forwarded connection. An attacker may then
378 be able to perform activities such as keystroke monitoring if the
379 ForwardX11Trusted option is also enabled.
380
381 ForwardX11Timeout
382 Specify a timeout for untrusted X11 forwarding using the format
383 described in the TIME FORMATS section of sshd_config(5). X11
384 connections received by ssh(1) after this time will be refused.
385 Setting ForwardX11Timeout to zero will disable the timeout and
386 permit X11 forwarding for the life of the connection. The
387 default is to disable untrusted X11 forwarding after twenty
388 minutes has elapsed.
389
390 ForwardX11Trusted
391 If this option is set to yes, remote X11 clients will have full
392 access to the original X11 display.
393
394 If this option is set to no (the default), remote X11 clients
395 will be considered untrusted and prevented from stealing or
396 tampering with data belonging to trusted X11 clients.
397 Furthermore, the xauth(1) token used for the session will be set
398 to expire after 20 minutes. Remote clients will be refused
399 access after this time.
400
401 See the X11 SECURITY extension specification for full details on
402 the restrictions imposed on untrusted clients.
403
404 GatewayPorts
405 Specifies whether remote hosts are allowed to connect to local
406 forwarded ports. By default, ssh(1) binds local port forwardings
407 to the loopback address. This prevents other remote hosts from
408 connecting to forwarded ports. GatewayPorts can be used to
409 specify that ssh should bind local port forwardings to the
410 wildcard address, thus allowing remote hosts to connect to
411 forwarded ports. The argument must be yes or no (the default).
412
413 GlobalKnownHostsFile
414 Specifies one or more files to use for the global host key
415 database, separated by whitespace. The default is
416 /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2.
417
418 GSSAPIAuthentication
419 Specifies whether user authentication based on GSSAPI is allowed.
420 The default is no.
421
422 GSSAPIDelegateCredentials
423 Forward (delegate) credentials to the server. The default is no.
424
425 HashKnownHosts
426 Indicates that ssh(1) should hash host names and addresses when
427 they are added to ~/.ssh/known_hosts. These hashed names may be
428 used normally by ssh(1) and sshd(8), but they do not reveal
429 identifying information should the file's contents be disclosed.
430 The default is no. Note that existing names and addresses in
431 known hosts files will not be converted automatically, but may be
432 manually hashed using ssh-keygen(1).
433
434 HostbasedAuthentication
435 Specifies whether to try rhosts based authentication with public
436 key authentication. The argument must be yes or no (the
437 default).
438
439 HostbasedKeyTypes
440 Specifies the key types that will be used for hostbased
441 authentication as a comma-separated list of patterns.
442 Alternately if the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
443 then the specified key types will be appended to the default set
444 instead of replacing them. If the specified value begins with a
445 M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified key types (including wildcards)
446 will be removed from the default set instead of replacing them.
447 The default for this option is:
448
449 ecdsa-sha2-nistp256-cert-v01@openssh.com,
450 ecdsa-sha2-nistp384-cert-v01@openssh.com,
451 ecdsa-sha2-nistp521-cert-v01@openssh.com,
452 ssh-ed25519-cert-v01@openssh.com,
453 rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
454 ssh-rsa-cert-v01@openssh.com,
455 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
456 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
457
458 The -Q option of ssh(1) may be used to list supported key types.
459
460 HostKeyAlgorithms
461 Specifies the host key algorithms that the client wants to use in
462 order of preference. Alternately if the specified value begins
463 with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified key types will be
464 appended to the default set instead of replacing them. If the
465 specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
466 key types (including wildcards) will be removed from the default
467 set instead of replacing them. The default for this option is:
468
469 ecdsa-sha2-nistp256-cert-v01@openssh.com,
470 ecdsa-sha2-nistp384-cert-v01@openssh.com,
471 ecdsa-sha2-nistp521-cert-v01@openssh.com,
472 ssh-ed25519-cert-v01@openssh.com,
473 rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
474 ssh-rsa-cert-v01@openssh.com,
475 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
476 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
477
478 If hostkeys are known for the destination host then this default
479 is modified to prefer their algorithms.
480
481 The list of available key types may also be obtained using "ssh
482 -Q key".
483
484 HostKeyAlias
485 Specifies an alias that should be used instead of the real host
486 name when looking up or saving the host key in the host key
487 database files and when validating host certificates. This
488 option is useful for tunneling SSH connections or for multiple
489 servers running on a single host.
490
491 HostName
492 Specifies the real host name to log into. This can be used to
493 specify nicknames or abbreviations for hosts. Arguments to
494 HostName accept the tokens described in the TOKENS section.
495 Numeric IP addresses are also permitted (both on the command line
496 and in HostName specifications). The default is the name given
497 on the command line.
498
499 IdentitiesOnly
500 Specifies that ssh(1) should only use the authentication identity
501 and certificate files explicitly configured in the ssh_config
502 files or passed on the ssh(1) command-line, even if ssh-agent(1)
503 or a PKCS11Provider offers more identities. The argument to this
504 keyword must be yes or no (the default). This option is intended
505 for situations where ssh-agent offers many different identities.
506
507 IdentityAgent
508 Specifies the UNIX-domain socket used to communicate with the
509 authentication agent.
510
511 This option overrides the SSH_AUTH_SOCK environment variable and
512 can be used to select a specific agent. Setting the socket name
513 to none disables the use of an authentication agent. If the
514 string "SSH_AUTH_SOCK" is specified, the location of the socket
515 will be read from the SSH_AUTH_SOCK environment variable.
516 Otherwise if the specified value begins with a M-bM-^@M-^X$M-bM-^@M-^Y character,
517 then it will be treated as an environment variable containing the
518 location of the socket.
519
520 Arguments to IdentityAgent may use the tilde syntax to refer to a
521 user's home directory or the tokens described in the TOKENS
522 section.
523
524 IdentityFile
525 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA
526 authentication identity is read. The default is ~/.ssh/id_dsa,
527 ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa.
528 Additionally, any identities represented by the authentication
529 agent will be used for authentication unless IdentitiesOnly is
530 set. If no certificates have been explicitly specified by
531 CertificateFile, ssh(1) will try to load certificate information
532 from the filename obtained by appending -cert.pub to the path of
533 a specified IdentityFile.
534
535 Arguments to IdentityFile may use the tilde syntax to refer to a
536 user's home directory or the tokens described in the TOKENS
537 section.
538
539 It is possible to have multiple identity files specified in
540 configuration files; all these identities will be tried in
541 sequence. Multiple IdentityFile directives will add to the list
542 of identities tried (this behaviour differs from that of other
543 configuration directives).
544
545 IdentityFile may be used in conjunction with IdentitiesOnly to
546 select which identities in an agent are offered during
547 authentication. IdentityFile may also be used in conjunction
548 with CertificateFile in order to provide any certificate also
549 needed for authentication with the identity.
550
551 IgnoreUnknown
552 Specifies a pattern-list of unknown options to be ignored if they
553 are encountered in configuration parsing. This may be used to
554 suppress errors if ssh_config contains options that are
555 unrecognised by ssh(1). It is recommended that IgnoreUnknown be
556 listed early in the configuration file as it will not be applied
557 to unknown options that appear before it.
558
559 Include
560 Include the specified configuration file(s). Multiple pathnames
561 may be specified and each pathname may contain glob(7) wildcards
562 and, for user configurations, shell-like M-bM-^@M-^X~M-bM-^@M-^Y references to user
563 home directories. Files without absolute paths are assumed to be
564 in ~/.ssh if included in a user configuration file or /etc/ssh if
565 included from the system configuration file. Include directive
566 may appear inside a Match or Host block to perform conditional
567 inclusion.
568
569 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections.
570 Accepted values are af11, af12, af13, af21, af22, af23, af31,
571 af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6,
572 cs7, ef, lowdelay, throughput, reliability, a numeric value, or
573 none to use the operating system default. This option may take
574 one or two arguments, separated by whitespace. If one argument
575 is specified, it is used as the packet class unconditionally. If
576 two values are specified, the first is automatically selected for
577 interactive sessions and the second for non-interactive sessions.
578 The default is af21 (Low-Latency Data) for interactive sessions
579 and cs1 (Lower Effort) for non-interactive sessions.
580
581 KbdInteractiveAuthentication
582 Specifies whether to use keyboard-interactive authentication.
583 The argument to this keyword must be yes (the default) or no.
584
585 KbdInteractiveDevices
586 Specifies the list of methods to use in keyboard-interactive
587 authentication. Multiple method names must be comma-separated.
588 The default is to use the server specified list. The methods
589 available vary depending on what the server supports. For an
590 OpenSSH server, it may be zero or more of: bsdauth and pam.
591
592 KexAlgorithms
593 Specifies the available KEX (Key Exchange) algorithms. Multiple
594 algorithms must be comma-separated. Alternately if the specified
595 value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods
596 will be appended to the default set instead of replacing them.
597 If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the
598 specified methods (including wildcards) will be removed from the
599 default set instead of replacing them. The default is:
600
601 curve25519-sha256,curve25519-sha256@libssh.org,
602 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
603 diffie-hellman-group-exchange-sha256,
604 diffie-hellman-group16-sha512,
605 diffie-hellman-group18-sha512,
606 diffie-hellman-group-exchange-sha1,
607 diffie-hellman-group14-sha256,
608 diffie-hellman-group14-sha1
609
610 The list of available key exchange algorithms may also be
611 obtained using "ssh -Q kex".
612
613 LocalCommand
614 Specifies a command to execute on the local machine after
615 successfully connecting to the server. The command string
616 extends to the end of the line, and is executed with the user's
617 shell. Arguments to LocalCommand accept the tokens described in
618 the TOKENS section.
619
620 The command is run synchronously and does not have access to the
621 session of the ssh(1) that spawned it. It should not be used for
622 interactive commands.
623
624 This directive is ignored unless PermitLocalCommand has been
625 enabled.
626
627 LocalForward
628 Specifies that a TCP port on the local machine be forwarded over
629 the secure channel to the specified host and port from the remote
630 machine. The first argument must be [bind_address:]port and the
631 second argument must be host:hostport. IPv6 addresses can be
632 specified by enclosing addresses in square brackets. Multiple
633 forwardings may be specified, and additional forwardings can be
634 given on the command line. Only the superuser can forward
635 privileged ports. By default, the local port is bound in
636 accordance with the GatewayPorts setting. However, an explicit
637 bind_address may be used to bind the connection to a specific
638 address. The bind_address of localhost indicates that the
639 listening port be bound for local use only, while an empty
640 address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from
641 all interfaces.
642
643 LogLevel
644 Gives the verbosity level that is used when logging messages from
645 ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO,
646 VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
647 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
648 higher levels of verbose output.
649
650 MACs Specifies the MAC (message authentication code) algorithms in
651 order of preference. The MAC algorithm is used for data
652 integrity protection. Multiple algorithms must be comma-
653 separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
654 then the specified algorithms will be appended to the default set
655 instead of replacing them. If the specified value begins with a
656 M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified algorithms (including
657 wildcards) will be removed from the default set instead of
658 replacing them.
659
660 The algorithms that contain "-etm" calculate the MAC after
661 encryption (encrypt-then-mac). These are considered safer and
662 their use recommended.
663
664 The default is:
665
666 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
667 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
668 hmac-sha1-etm@openssh.com,
669 umac-64@openssh.com,umac-128@openssh.com,
670 hmac-sha2-256,hmac-sha2-512,hmac-sha1
671
672 The list of available MAC algorithms may also be obtained using
673 "ssh -Q mac".
674
675 NoHostAuthenticationForLocalhost
676 Disable host authentication for localhost (loopback addresses).
677 The argument to this keyword must be yes or no (the default).
678
679 NumberOfPasswordPrompts
680 Specifies the number of password prompts before giving up. The
681 argument to this keyword must be an integer. The default is 3.
682
683 PasswordAuthentication
684 Specifies whether to use password authentication. The argument
685 to this keyword must be yes (the default) or no.
686
687 PermitLocalCommand
688 Allow local command execution via the LocalCommand option or
689 using the !command escape sequence in ssh(1). The argument must
690 be yes or no (the default).
691
692 PKCS11Provider
693 Specifies which PKCS#11 provider to use. The argument to this
694 keyword is the PKCS#11 shared library ssh(1) should use to
695 communicate with a PKCS#11 token providing the user's private RSA
696 key.
697
698 Port Specifies the port number to connect on the remote host. The
699 default is 22.
700
701 PreferredAuthentications
702 Specifies the order in which the client should try authentication
703 methods. This allows a client to prefer one method (e.g.
704 keyboard-interactive) over another method (e.g. password). The
705 default is:
706
707 gssapi-with-mic,hostbased,publickey,
708 keyboard-interactive,password
709
710 ProxyCommand
711 Specifies the command to use to connect to the server. The
712 command string extends to the end of the line, and is executed
713 using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering
714 shell process.
715
716 Arguments to ProxyCommand accept the tokens described in the
717 TOKENS section. The command can be basically anything, and
718 should read from its standard input and write to its standard
719 output. It should eventually connect an sshd(8) server running
720 on some machine, or execute sshd -i somewhere. Host key
721 management will be done using the HostName of the host being
722 connected (defaulting to the name typed by the user). Setting
723 the command to none disables this option entirely. Note that
724 CheckHostIP is not available for connects with a proxy command.
725
726 This directive is useful in conjunction with nc(1) and its proxy
727 support. For example, the following directive would connect via
728 an HTTP proxy at 192.0.2.0:
729
730 ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
731
732 ProxyJump
733 Specifies one or more jump proxies as either [user@]host[:port]
734 or an ssh URI. Multiple proxies may be separated by comma
735 characters and will be visited sequentially. Setting this option
736 will cause ssh(1) to connect to the target host by first making a
737 ssh(1) connection to the specified ProxyJump host and then
738 establishing a TCP forwarding to the ultimate target from there.
739
740 Note that this option will compete with the ProxyCommand option -
741 whichever is specified first will prevent later instances of the
742 other from taking effect.
743
744 ProxyUseFdpass
745 Specifies that ProxyCommand will pass a connected file descriptor
746 back to ssh(1) instead of continuing to execute and pass data.
747 The default is no.
748
749 PubkeyAcceptedKeyTypes
750 Specifies the key types that will be used for public key
751 authentication as a comma-separated list of patterns.
752 Alternately if the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
753 then the key types after it will be appended to the default
754 instead of replacing it. If the specified value begins with a
755 M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified key types (including wildcards)
756 will be removed from the default set instead of replacing them.
757 The default for this option is:
758
759 ecdsa-sha2-nistp256-cert-v01@openssh.com,
760 ecdsa-sha2-nistp384-cert-v01@openssh.com,
761 ecdsa-sha2-nistp521-cert-v01@openssh.com,
762 ssh-ed25519-cert-v01@openssh.com,
763 rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
764 ssh-rsa-cert-v01@openssh.com,
765 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
766 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
767
768 The list of available key types may also be obtained using "ssh
769 -Q key".
770
771 PubkeyAuthentication
772 Specifies whether to try public key authentication. The argument
773 to this keyword must be yes (the default) or no.
774
775 RekeyLimit
776 Specifies the maximum amount of data that may be transmitted
777 before the session key is renegotiated, optionally followed a
778 maximum amount of time that may pass before the session key is
779 renegotiated. The first argument is specified in bytes and may
780 have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes,
781 Megabytes, or Gigabytes, respectively. The default is between
782 M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second
783 value is specified in seconds and may use any of the units
784 documented in the TIME FORMATS section of sshd_config(5). The
785 default value for RekeyLimit is default none, which means that
786 rekeying is performed after the cipher's default amount of data
787 has been sent or received and no time based rekeying is done.
788
789 RemoteCommand
790 Specifies a command to execute on the remote machine after
791 successfully connecting to the server. The command string
792 extends to the end of the line, and is executed with the user's
793 shell. Arguments to RemoteCommand accept the tokens described in
794 the TOKENS section.
795
796 RemoteForward
797 Specifies that a TCP port on the remote machine be forwarded over
798 the secure channel. The remote port may either be forwarded to a
799 specified host and port from the local machine, or may act as a
800 SOCKS 4/5 proxy that allows a remote client to connect to
801 arbitrary destinations from the local machine. The first
802 argument must be [bind_address:]port If forwarding to a specific
803 destination then the second argument must be host:hostport,
804 otherwise if no destination argument is specified then the remote
805 forwarding will be established as a SOCKS proxy.
806
807 IPv6 addresses can be specified by enclosing addresses in square
808 brackets. Multiple forwardings may be specified, and additional
809 forwardings can be given on the command line. Privileged ports
810 can be forwarded only when logging in as root on the remote
811 machine.
812
813 If the port argument is 0, the listen port will be dynamically
814 allocated on the server and reported to the client at run time.
815
816 If the bind_address is not specified, the default is to only bind
817 to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty
818 string, then the forwarding is requested to listen on all
819 interfaces. Specifying a remote bind_address will only succeed
820 if the server's GatewayPorts option is enabled (see
821 sshd_config(5)).
822
823 RequestTTY
824 Specifies whether to request a pseudo-tty for the session. The
825 argument may be one of: no (never request a TTY), yes (always
826 request a TTY when standard input is a TTY), force (always
827 request a TTY) or auto (request a TTY when opening a login
828 session). This option mirrors the -t and -T flags for ssh(1).
829
830 RevokedHostKeys
831 Specifies revoked host public keys. Keys listed in this file
832 will be refused for host authentication. Note that if this file
833 does not exist or is not readable, then host authentication will
834 be refused for all hosts. Keys may be specified as a text file,
835 listing one public key per line, or as an OpenSSH Key Revocation
836 List (KRL) as generated by ssh-keygen(1). For more information
837 on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1).
838
839 SendEnv
840 Specifies what variables from the local environ(7) should be sent
841 to the server. The server must also support it, and the server
842 must be configured to accept these environment variables. Note
843 that the TERM environment variable is always sent whenever a
844 pseudo-terminal is requested as it is required by the protocol.
845 Refer to AcceptEnv in sshd_config(5) for how to configure the
846 server. Variables are specified by name, which may contain
847 wildcard characters. Multiple environment variables may be
848 separated by whitespace or spread across multiple SendEnv
849 directives.
850
851 See PATTERNS for more information on patterns.
852
853 It is possible to clear previously set SendEnv variable names by
854 prefixing patterns with -. The default is not to send any
855 environment variables.
856
857 ServerAliveCountMax
858 Sets the number of server alive messages (see below) which may be
859 sent without ssh(1) receiving any messages back from the server.
860 If this threshold is reached while server alive messages are
861 being sent, ssh will disconnect from the server, terminating the
862 session. It is important to note that the use of server alive
863 messages is very different from TCPKeepAlive (below). The server
864 alive messages are sent through the encrypted channel and
865 therefore will not be spoofable. The TCP keepalive option
866 enabled by TCPKeepAlive is spoofable. The server alive mechanism
867 is valuable when the client or server depend on knowing when a
868 connection has become inactive.
869
870 The default value is 3. If, for example, ServerAliveInterval
871 (see below) is set to 15 and ServerAliveCountMax is left at the
872 default, if the server becomes unresponsive, ssh will disconnect
873 after approximately 45 seconds.
874
875 ServerAliveInterval
876 Sets a timeout interval in seconds after which if no data has
877 been received from the server, ssh(1) will send a message through
878 the encrypted channel to request a response from the server. The
879 default is 0, indicating that these messages will not be sent to
880 the server.
881
882 SetEnv Directly specify one or more environment variables and their
883 contents to be sent to the server. Similarly to SendEnv, the
884 server must be prepared to accept the environment variable.
885
886 StreamLocalBindMask
887 Sets the octal file creation mode mask (umask) used when creating
888 a Unix-domain socket file for local or remote port forwarding.
889 This option is only used for port forwarding to a Unix-domain
890 socket file.
891
892 The default value is 0177, which creates a Unix-domain socket
893 file that is readable and writable only by the owner. Note that
894 not all operating systems honor the file mode on Unix-domain
895 socket files.
896
897 StreamLocalBindUnlink
898 Specifies whether to remove an existing Unix-domain socket file
899 for local or remote port forwarding before creating a new one.
900 If the socket file already exists and StreamLocalBindUnlink is
901 not enabled, ssh will be unable to forward the port to the Unix-
902 domain socket file. This option is only used for port forwarding
903 to a Unix-domain socket file.
904
905 The argument must be yes or no (the default).
906
907 StrictHostKeyChecking
908 If this flag is set to yes, ssh(1) will never automatically add
909 host keys to the ~/.ssh/known_hosts file, and refuses to connect
910 to hosts whose host key has changed. This provides maximum
911 protection against man-in-the-middle (MITM) attacks, though it
912 can be annoying when the /etc/ssh/ssh_known_hosts file is poorly
913 maintained or when connections to new hosts are frequently made.
914 This option forces the user to manually add all new hosts.
915
916 If this flag is set to M-bM-^@M-^\accept-newM-bM-^@M-^] then ssh will automatically
917 add new host keys to the user known hosts files, but will not
918 permit connections to hosts with changed host keys. If this flag
919 is set to M-bM-^@M-^\noM-bM-^@M-^] or M-bM-^@M-^\offM-bM-^@M-^], ssh will automatically add new host keys
920 to the user known hosts files and allow connections to hosts with
921 changed hostkeys to proceed, subject to some restrictions. If
922 this flag is set to ask (the default), new host keys will be
923 added to the user known host files only after the user has
924 confirmed that is what they really want to do, and ssh will
925 refuse to connect to hosts whose host key has changed. The host
926 keys of known hosts will be verified automatically in all cases.
927
928 SyslogFacility
929 Gives the facility code that is used when logging messages from
930 ssh(1). The possible values are: DAEMON, USER, AUTH, LOCAL0,
931 LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
932 default is USER.
933
934 TCPKeepAlive
935 Specifies whether the system should send TCP keepalive messages
936 to the other side. If they are sent, death of the connection or
937 crash of one of the machines will be properly noticed. However,
938 this means that connections will die if the route is down
939 temporarily, and some people find it annoying.
940
941 The default is yes (to send TCP keepalive messages), and the
942 client will notice if the network goes down or the remote host
943 dies. This is important in scripts, and many users want it too.
944
945 To disable TCP keepalive messages, the value should be set to no.
946 See also ServerAliveInterval for protocol-level keepalives.
947
948 Tunnel Request tun(4) device forwarding between the client and the
949 server. The argument must be yes, point-to-point (layer 3),
950 ethernet (layer 2), or no (the default). Specifying yes requests
951 the default tunnel mode, which is point-to-point.
952
953 TunnelDevice
954 Specifies the tun(4) devices to open on the client (local_tun)
955 and the server (remote_tun).
956
957 The argument must be local_tun[:remote_tun]. The devices may be
958 specified by numerical ID or the keyword any, which uses the next
959 available tunnel device. If remote_tun is not specified, it
960 defaults to any. The default is any:any.
961
962 UpdateHostKeys
963 Specifies whether ssh(1) should accept notifications of
964 additional hostkeys from the server sent after authentication has
965 completed and add them to UserKnownHostsFile. The argument must
966 be yes, no (the default) or ask. Enabling this option allows
967 learning alternate hostkeys for a server and supports graceful
968 key rotation by allowing a server to send replacement public keys
969 before old ones are removed. Additional hostkeys are only
970 accepted if the key used to authenticate the host was already
971 trusted or explicitly accepted by the user. If UpdateHostKeys is
972 set to ask, then the user is asked to confirm the modifications
973 to the known_hosts file. Confirmation is currently incompatible
974 with ControlPersist, and will be disabled if it is enabled.
975
976 Presently, only sshd(8) from OpenSSH 6.8 and greater support the
977 "hostkeys@openssh.com" protocol extension used to inform the
978 client of all the server's hostkeys.
979
980 User Specifies the user to log in as. This can be useful when a
981 different user name is used on different machines. This saves
982 the trouble of having to remember to give the user name on the
983 command line.
984
985 UserKnownHostsFile
986 Specifies one or more files to use for the user host key
987 database, separated by whitespace. The default is
988 ~/.ssh/known_hosts, ~/.ssh/known_hosts2.
989
990 VerifyHostKeyDNS
991 Specifies whether to verify the remote key using DNS and SSHFP
992 resource records. If this option is set to yes, the client will
993 implicitly trust keys that match a secure fingerprint from DNS.
994 Insecure fingerprints will be handled as if this option was set
995 to ask. If this option is set to ask, information on fingerprint
996 match will be displayed, but the user will still need to confirm
997 new host keys according to the StrictHostKeyChecking option. The
998 default is no.
999
1000 See also VERIFYING HOST KEYS in ssh(1).
1001
1002 VisualHostKey
1003 If this flag is set to yes, an ASCII art representation of the
1004 remote host key fingerprint is printed in addition to the
1005 fingerprint string at login and for unknown host keys. If this
1006 flag is set to no (the default), no fingerprint strings are
1007 printed at login and only the fingerprint string will be printed
1008 for unknown host keys.
1009
1010 XAuthLocation
1011 Specifies the full pathname of the xauth(1) program. The default
1012 is /usr/X11R6/bin/xauth.
1013
1014PATTERNS
1015 A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a
1016 wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that
1017 matches exactly one character). For example, to specify a set of
1018 declarations for any host in the ".co.uk" set of domains, the following
1019 pattern could be used:
1020
1021 Host *.co.uk
1022
1023 The following pattern would match any host in the 192.168.0.[0-9] network
1024 range:
1025
1026 Host 192.168.0.?
1027
1028 A pattern-list is a comma-separated list of patterns. Patterns within
1029 pattern-lists may be negated by preceding them with an exclamation mark
1030 (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an
1031 organization except from the "dialup" pool, the following entry (in
1032 authorized_keys) could be used:
1033
1034 from="!*.dialup.example.com,*.example.com"
1035
1036 Note that a negated match will never produce a positive result by itself.
1037 For example, attempting to match "host3" against the following pattern-
1038 list will fail:
1039
1040 from="!host1,!host2"
1041
1042 The solution here is to include a term that will yield a positive match,
1043 such as a wildcard:
1044
1045 from="!host1,!host2,*"
1046
1047TOKENS
1048 Arguments to some keywords can make use of tokens, which are expanded at
1049 runtime:
1050
1051 %% A literal M-bM-^@M-^X%M-bM-^@M-^Y.
1052 %C Hash of %l%h%p%r.
1053 %d Local user's home directory.
1054 %h The remote hostname.
1055 %i The local user ID.
1056 %L The local hostname.
1057 %l The local hostname, including the domain name.
1058 %n The original remote hostname, as given on the command line.
1059 %p The remote port.
1060 %r The remote username.
1061 %T The local tun(4) or tap(4) network interface assigned if
1062 tunnel forwarding was requested, or "NONE" otherwise.
1063 %u The local username.
1064
1065 Match exec accepts the tokens %%, %h, %i, %L, %l, %n, %p, %r, and %u.
1066
1067 CertificateFile accepts the tokens %%, %d, %h, %i, %l, %r, and %u.
1068
1069 ControlPath accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and
1070 %u.
1071
1072 HostName accepts the tokens %% and %h.
1073
1074 IdentityAgent and IdentityFile accept the tokens %%, %d, %h, %i, %l, %r,
1075 and %u.
1076
1077 LocalCommand accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T,
1078 and %u.
1079
1080 ProxyCommand accepts the tokens %%, %h, %p, and %r.
1081
1082 RemoteCommand accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and
1083 %u.
1084
1085FILES
1086 ~/.ssh/config
1087 This is the per-user configuration file. The format of this file
1088 is described above. This file is used by the SSH client.
1089 Because of the potential for abuse, this file must have strict
1090 permissions: read/write for the user, and not accessible by
1091 others.
1092
1093 /etc/ssh/ssh_config
1094 Systemwide configuration file. This file provides defaults for
1095 those values that are not specified in the user's configuration
1096 file, and for those users who do not have a configuration file.
1097 This file must be world-readable.
1098
1099SEE ALSO
1100 ssh(1)
1101
1102AUTHORS
1103 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
1104 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
1105 de Raadt and Dug Song removed many bugs, re-added newer features and
1106 created OpenSSH. Markus Friedl contributed the support for SSH protocol
1107 versions 1.5 and 2.0.
1108
1109OpenBSD 6.4 October 3, 2018 OpenBSD 6.4
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 08:44:25 +0000