diff options
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 1026 |
1 files changed, 1026 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0 new file mode 100644 index 000000000..67133cd4d --- /dev/null +++ b/ssh_config.0 | |||
@@ -0,0 +1,1026 @@ | |||
1 | SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files | ||
5 | |||
6 | SYNOPSIS | ||
7 | ~/.ssh/config | ||
8 | /etc/ssh/ssh_config | ||
9 | |||
10 | DESCRIPTION | ||
11 | ssh(1) obtains configuration data from the following sources in the | ||
12 | following order: | ||
13 | |||
14 | 1. command-line options | ||
15 | 2. user's configuration file (~/.ssh/config) | ||
16 | 3. system-wide configuration file (/etc/ssh/ssh_config) | ||
17 | |||
18 | For each parameter, the first obtained value will be used. The | ||
19 | configuration files contain sections separated by M-bM-^@M-^\HostM-bM-^@M-^] specifications, | ||
20 | and that section is only applied for hosts that match one of the patterns | ||
21 | given in the specification. The matched host name is usually the one | ||
22 | given on the command line (see the CanonicalizeHostname option for | ||
23 | exceptions.) | ||
24 | |||
25 | Since the first obtained value for each parameter is used, more host- | ||
26 | specific declarations should be given near the beginning of the file, and | ||
27 | general defaults at the end. | ||
28 | |||
29 | The configuration file has the following format: | ||
30 | |||
31 | Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. Otherwise a line | ||
32 | is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration options may be | ||
33 | separated by whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the | ||
34 | latter format is useful to avoid the need to quote whitespace when | ||
35 | specifying configuration options using the ssh, scp, and sftp -o option. | ||
36 | Arguments may optionally be enclosed in double quotes (") in order to | ||
37 | represent arguments containing spaces. | ||
38 | |||
39 | The possible keywords and their meanings are as follows (note that | ||
40 | keywords are case-insensitive and arguments are case-sensitive): | ||
41 | |||
42 | Host Restricts the following declarations (up to the next Host or | ||
43 | Match keyword) to be only for those hosts that match one of the | ||
44 | patterns given after the keyword. If more than one pattern is | ||
45 | provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y | ||
46 | as a pattern can be used to provide global defaults for all | ||
47 | hosts. The host is usually the hostname argument given on the | ||
48 | command line (see the CanonicalizeHostname option for | ||
49 | exceptions.) | ||
50 | |||
51 | A pattern entry may be negated by prefixing it with an | ||
52 | exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the | ||
53 | Host entry is ignored, regardless of whether any other patterns | ||
54 | on the line match. Negated matches are therefore useful to | ||
55 | provide exceptions for wildcard matches. | ||
56 | |||
57 | See PATTERNS for more information on patterns. | ||
58 | |||
59 | Match Restricts the following declarations (up to the next Host or | ||
60 | Match keyword) to be used only when the conditions following the | ||
61 | Match keyword are satisfied. Match conditions are specified | ||
62 | using one or more critera or the single token all which always | ||
63 | matches. The available criteria keywords are: canonical, exec, | ||
64 | host, originalhost, user, and localuser. The all criteria must | ||
65 | appear alone or immediately after canonical. Other criteria may | ||
66 | be combined arbitrarily. All criteria but all and canonical | ||
67 | require an argument. Criteria may be negated by prepending an | ||
68 | exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). | ||
69 | |||
70 | The canonical keyword matches only when the configuration file is | ||
71 | being re-parsed after hostname canonicalization (see the | ||
72 | CanonicalizeHostname option.) This may be useful to specify | ||
73 | conditions that work with canonical host names only. The exec | ||
74 | keyword executes the specified command under the user's shell. | ||
75 | If the command returns a zero exit status then the condition is | ||
76 | considered true. Commands containing whitespace characters must | ||
77 | be quoted. The following character sequences in the command will | ||
78 | be expanded prior to execution: M-bM-^@M-^X%LM-bM-^@M-^Y will be substituted by the | ||
79 | first component of the local host name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted | ||
80 | by the local host name (including any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be | ||
81 | substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by | ||
82 | the original target host name specified on the command-line, M-bM-^@M-^X%pM-bM-^@M-^Y | ||
83 | the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by the remote login username, and M-bM-^@M-^X%uM-bM-^@M-^Y | ||
84 | by the username of the user running ssh(1). | ||
85 | |||
86 | The other keywords' criteria must be single entries or comma- | ||
87 | separated lists and may use the wildcard and negation operators | ||
88 | described in the PATTERNS section. The criteria for the host | ||
89 | keyword are matched against the target hostname, after any | ||
90 | substitution by the Hostname or CanonicalizeHostname options. | ||
91 | The originalhost keyword matches against the hostname as it was | ||
92 | specified on the command-line. The user keyword matches against | ||
93 | the target username on the remote host. The localuser keyword | ||
94 | matches against the name of the local user running ssh(1) (this | ||
95 | keyword may be useful in system-wide ssh_config files). | ||
96 | |||
97 | AddressFamily | ||
98 | Specifies which address family to use when connecting. Valid | ||
99 | arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 | ||
100 | only). | ||
101 | |||
102 | BatchMode | ||
103 | If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. | ||
104 | This option is useful in scripts and other batch jobs where no | ||
105 | user is present to supply the password. The argument must be | ||
106 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
107 | |||
108 | BindAddress | ||
109 | Use the specified address on the local machine as the source | ||
110 | address of the connection. Only useful on systems with more than | ||
111 | one address. Note that this option does not work if | ||
112 | UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^]. | ||
113 | |||
114 | CanonicalDomains | ||
115 | When CanonicalizeHostname is enabled, this option specifies the | ||
116 | list of domain suffixes in which to search for the specified | ||
117 | destination host. | ||
118 | |||
119 | CanonicalizeFallbackLocal | ||
120 | Specifies whether to fail with an error when hostname | ||
121 | canonicalization fails. The default, M-bM-^@M-^\yesM-bM-^@M-^], will attempt to look | ||
122 | up the unqualified hostname using the system resolver's search | ||
123 | rules. A value of M-bM-^@M-^\noM-bM-^@M-^] will cause ssh(1) to fail instantly if | ||
124 | CanonicalizeHostname is enabled and the target hostname cannot be | ||
125 | found in any of the domains specified by CanonicalDomains. | ||
126 | |||
127 | CanonicalizeHostname | ||
128 | Controls whether explicit hostname canonicalization is performed. | ||
129 | The default, M-bM-^@M-^\noM-bM-^@M-^], is not to perform any name rewriting and let | ||
130 | the system resolver handle all hostname lookups. If set to M-bM-^@M-^\yesM-bM-^@M-^] | ||
131 | then, for connections that do not use a ProxyCommand, ssh(1) will | ||
132 | attempt to canonicalize the hostname specified on the command | ||
133 | line using the CanonicalDomains suffixes and | ||
134 | CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is | ||
135 | set to M-bM-^@M-^\alwaysM-bM-^@M-^], then canonicalization is applied to proxied | ||
136 | connections too. | ||
137 | |||
138 | If this option is enabled, then the configuration files are | ||
139 | processed again using the new target name to pick up any new | ||
140 | configuration in matching Host and Match stanzas. | ||
141 | |||
142 | CanonicalizeMaxDots | ||
143 | Specifies the maximum number of dot characters in a hostname | ||
144 | before canonicalization is disabled. The default, M-bM-^@M-^\1M-bM-^@M-^], allows a | ||
145 | single dot (i.e. hostname.subdomain). | ||
146 | |||
147 | CanonicalizePermittedCNAMEs | ||
148 | Specifies rules to determine whether CNAMEs should be followed | ||
149 | when canonicalizing hostnames. The rules consist of one or more | ||
150 | arguments of source_domain_list:target_domain_list, where | ||
151 | source_domain_list is a pattern-list of domains that may follow | ||
152 | CNAMEs in canonicalization, and target_domain_list is a pattern- | ||
153 | list of domains that they may resolve to. | ||
154 | |||
155 | For example, M-bM-^@M-^\*.a.example.com:*.b.example.com,*.c.example.comM-bM-^@M-^] | ||
156 | will allow hostnames matching M-bM-^@M-^\*.a.example.comM-bM-^@M-^] to be | ||
157 | canonicalized to names in the M-bM-^@M-^\*.b.example.comM-bM-^@M-^] or | ||
158 | M-bM-^@M-^\*.c.example.comM-bM-^@M-^] domains. | ||
159 | |||
160 | ChallengeResponseAuthentication | ||
161 | Specifies whether to use challenge-response authentication. The | ||
162 | argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is | ||
163 | M-bM-^@M-^\yesM-bM-^@M-^]. | ||
164 | |||
165 | CheckHostIP | ||
166 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will additionally check the | ||
167 | host IP address in the known_hosts file. This allows ssh to | ||
168 | detect if a host key changed due to DNS spoofing and will add | ||
169 | addresses of destination hosts to ~/.ssh/known_hosts in the | ||
170 | process, regardless of the setting of StrictHostKeyChecking. If | ||
171 | the option is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The | ||
172 | default is M-bM-^@M-^\yesM-bM-^@M-^]. | ||
173 | |||
174 | Cipher Specifies the cipher to use for encrypting the session in | ||
175 | protocol version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are | ||
176 | supported. des is only supported in the ssh(1) client for | ||
177 | interoperability with legacy protocol 1 implementations that do | ||
178 | not support the 3des cipher. Its use is strongly discouraged due | ||
179 | to cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^]. | ||
180 | |||
181 | Ciphers | ||
182 | Specifies the ciphers allowed for protocol version 2 in order of | ||
183 | preference. Multiple ciphers must be comma-separated. If the | ||
184 | specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified | ||
185 | ciphers will be appended to the default set instead of replacing | ||
186 | them. | ||
187 | |||
188 | The supported ciphers are: | ||
189 | |||
190 | 3des-cbc | ||
191 | aes128-cbc | ||
192 | aes192-cbc | ||
193 | aes256-cbc | ||
194 | aes128-ctr | ||
195 | aes192-ctr | ||
196 | aes256-ctr | ||
197 | aes128-gcm@openssh.com | ||
198 | aes256-gcm@openssh.com | ||
199 | arcfour | ||
200 | arcfour128 | ||
201 | arcfour256 | ||
202 | blowfish-cbc | ||
203 | cast128-cbc | ||
204 | chacha20-poly1305@openssh.com | ||
205 | |||
206 | The default is: | ||
207 | |||
208 | chacha20-poly1305@openssh.com, | ||
209 | aes128-ctr,aes192-ctr,aes256-ctr, | ||
210 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | ||
211 | arcfour256,arcfour128, | ||
212 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, | ||
213 | aes192-cbc,aes256-cbc,arcfour | ||
214 | |||
215 | The list of available ciphers may also be obtained using the -Q | ||
216 | option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. | ||
217 | |||
218 | ClearAllForwardings | ||
219 | Specifies that all local, remote, and dynamic port forwardings | ||
220 | specified in the configuration files or on the command line be | ||
221 | cleared. This option is primarily useful when used from the | ||
222 | ssh(1) command line to clear port forwardings set in | ||
223 | configuration files, and is automatically set by scp(1) and | ||
224 | sftp(1). The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is | ||
225 | M-bM-^@M-^\noM-bM-^@M-^]. | ||
226 | |||
227 | Compression | ||
228 | Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] | ||
229 | or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
230 | |||
231 | CompressionLevel | ||
232 | Specifies the compression level to use if compression is enabled. | ||
233 | The argument must be an integer from 1 (fast) to 9 (slow, best). | ||
234 | The default level is 6, which is good for most applications. The | ||
235 | meaning of the values is the same as in gzip(1). Note that this | ||
236 | option applies to protocol version 1 only. | ||
237 | |||
238 | ConnectionAttempts | ||
239 | Specifies the number of tries (one per second) to make before | ||
240 | exiting. The argument must be an integer. This may be useful in | ||
241 | scripts if the connection sometimes fails. The default is 1. | ||
242 | |||
243 | ConnectTimeout | ||
244 | Specifies the timeout (in seconds) used when connecting to the | ||
245 | SSH server, instead of using the default system TCP timeout. | ||
246 | This value is used only when the target is down or really | ||
247 | unreachable, not when it refuses the connection. | ||
248 | |||
249 | ControlMaster | ||
250 | Enables the sharing of multiple sessions over a single network | ||
251 | connection. When set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will listen for | ||
252 | connections on a control socket specified using the ControlPath | ||
253 | argument. Additional sessions can connect to this socket using | ||
254 | the same ControlPath with ControlMaster set to M-bM-^@M-^\noM-bM-^@M-^] (the | ||
255 | default). These sessions will try to reuse the master instance's | ||
256 | network connection rather than initiating new ones, but will fall | ||
257 | back to connecting normally if the control socket does not exist, | ||
258 | or is not listening. | ||
259 | |||
260 | Setting this to M-bM-^@M-^\askM-bM-^@M-^] will cause ssh to listen for control | ||
261 | connections, but require confirmation using ssh-askpass(1). If | ||
262 | the ControlPath cannot be opened, ssh will continue without | ||
263 | connecting to a master instance. | ||
264 | |||
265 | X11 and ssh-agent(1) forwarding is supported over these | ||
266 | multiplexed connections, however the display and agent forwarded | ||
267 | will be the one belonging to the master connection i.e. it is not | ||
268 | possible to forward multiple displays or agents. | ||
269 | |||
270 | Two additional options allow for opportunistic multiplexing: try | ||
271 | to use a master connection but fall back to creating a new one if | ||
272 | one does not already exist. These options are: M-bM-^@M-^\autoM-bM-^@M-^] and | ||
273 | M-bM-^@M-^\autoaskM-bM-^@M-^]. The latter requires confirmation like the M-bM-^@M-^\askM-bM-^@M-^] | ||
274 | option. | ||
275 | |||
276 | ControlPath | ||
277 | Specify the path to the control socket used for connection | ||
278 | sharing as described in the ControlMaster section above or the | ||
279 | string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing. In the path, M-bM-^@M-^X%LM-bM-^@M-^Y | ||
280 | will be substituted by the first component of the local host | ||
281 | name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted by the local host name (including | ||
282 | any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host | ||
283 | name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name | ||
284 | specified on the command line, M-bM-^@M-^X%pM-bM-^@M-^Y the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by | ||
285 | the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username of the user | ||
286 | running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: | ||
287 | %l%h%p%r. It is recommended that any ControlPath used for | ||
288 | opportunistic connection sharing include at least %h, %p, and %r | ||
289 | (or alternatively %C) and be placed in a directory that is not | ||
290 | writable by other users. This ensures that shared connections | ||
291 | are uniquely identified. | ||
292 | |||
293 | ControlPersist | ||
294 | When used in conjunction with ControlMaster, specifies that the | ||
295 | master connection should remain open in the background (waiting | ||
296 | for future client connections) after the initial client | ||
297 | connection has been closed. If set to M-bM-^@M-^\noM-bM-^@M-^], then the master | ||
298 | connection will not be placed into the background, and will close | ||
299 | as soon as the initial client connection is closed. If set to | ||
300 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\0M-bM-^@M-^], then the master connection will remain in the | ||
301 | background indefinitely (until killed or closed via a mechanism | ||
302 | such as the ssh(1) M-bM-^@M-^\-O exitM-bM-^@M-^] option). If set to a time in | ||
303 | seconds, or a time in any of the formats documented in | ||
304 | sshd_config(5), then the backgrounded master connection will | ||
305 | automatically terminate after it has remained idle (with no | ||
306 | client connections) for the specified time. | ||
307 | |||
308 | DynamicForward | ||
309 | Specifies that a TCP port on the local machine be forwarded over | ||
310 | the secure channel, and the application protocol is then used to | ||
311 | determine where to connect to from the remote machine. | ||
312 | |||
313 | The argument must be [bind_address:]port. IPv6 addresses can be | ||
314 | specified by enclosing addresses in square brackets. By default, | ||
315 | the local port is bound in accordance with the GatewayPorts | ||
316 | setting. However, an explicit bind_address may be used to bind | ||
317 | the connection to a specific address. The bind_address of | ||
318 | M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local | ||
319 | use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port | ||
320 | should be available from all interfaces. | ||
321 | |||
322 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | ||
323 | ssh(1) will act as a SOCKS server. Multiple forwardings may be | ||
324 | specified, and additional forwardings can be given on the command | ||
325 | line. Only the superuser can forward privileged ports. | ||
326 | |||
327 | EnableSSHKeysign | ||
328 | Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration | ||
329 | file /etc/ssh/ssh_config enables the use of the helper program | ||
330 | ssh-keysign(8) during HostbasedAuthentication. The argument must | ||
331 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. This option should be | ||
332 | placed in the non-hostspecific section. See ssh-keysign(8) for | ||
333 | more information. | ||
334 | |||
335 | EscapeChar | ||
336 | Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character | ||
337 | can also be set on the command line. The argument should be a | ||
338 | single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable | ||
339 | the escape character entirely (making the connection transparent | ||
340 | for binary data). | ||
341 | |||
342 | ExitOnForwardFailure | ||
343 | Specifies whether ssh(1) should terminate the connection if it | ||
344 | cannot set up all requested dynamic, tunnel, local, and remote | ||
345 | port forwardings. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The | ||
346 | default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
347 | |||
348 | FingerprintHash | ||
349 | Specifies the hash algorithm used when displaying key | ||
350 | fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The | ||
351 | default is M-bM-^@M-^\sha256M-bM-^@M-^]. | ||
352 | |||
353 | ForwardAgent | ||
354 | Specifies whether the connection to the authentication agent (if | ||
355 | any) will be forwarded to the remote machine. The argument must | ||
356 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
357 | |||
358 | Agent forwarding should be enabled with caution. Users with the | ||
359 | ability to bypass file permissions on the remote host (for the | ||
360 | agent's Unix-domain socket) can access the local agent through | ||
361 | the forwarded connection. An attacker cannot obtain key material | ||
362 | from the agent, however they can perform operations on the keys | ||
363 | that enable them to authenticate using the identities loaded into | ||
364 | the agent. | ||
365 | |||
366 | ForwardX11 | ||
367 | Specifies whether X11 connections will be automatically | ||
368 | redirected over the secure channel and DISPLAY set. The argument | ||
369 | must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
370 | |||
371 | X11 forwarding should be enabled with caution. Users with the | ||
372 | ability to bypass file permissions on the remote host (for the | ||
373 | user's X11 authorization database) can access the local X11 | ||
374 | display through the forwarded connection. An attacker may then | ||
375 | be able to perform activities such as keystroke monitoring if the | ||
376 | ForwardX11Trusted option is also enabled. | ||
377 | |||
378 | ForwardX11Timeout | ||
379 | Specify a timeout for untrusted X11 forwarding using the format | ||
380 | described in the TIME FORMATS section of sshd_config(5). X11 | ||
381 | connections received by ssh(1) after this time will be refused. | ||
382 | The default is to disable untrusted X11 forwarding after twenty | ||
383 | minutes has elapsed. | ||
384 | |||
385 | ForwardX11Trusted | ||
386 | If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], remote X11 clients will have full | ||
387 | access to the original X11 display. | ||
388 | |||
389 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^], remote X11 clients will be | ||
390 | considered untrusted and prevented from stealing or tampering | ||
391 | with data belonging to trusted X11 clients. Furthermore, the | ||
392 | xauth(1) token used for the session will be set to expire after | ||
393 | 20 minutes. Remote clients will be refused access after this | ||
394 | time. | ||
395 | |||
396 | The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
397 | |||
398 | See the X11 SECURITY extension specification for full details on | ||
399 | the restrictions imposed on untrusted clients. | ||
400 | |||
401 | GatewayPorts | ||
402 | Specifies whether remote hosts are allowed to connect to local | ||
403 | forwarded ports. By default, ssh(1) binds local port forwardings | ||
404 | to the loopback address. This prevents other remote hosts from | ||
405 | connecting to forwarded ports. GatewayPorts can be used to | ||
406 | specify that ssh should bind local port forwardings to the | ||
407 | wildcard address, thus allowing remote hosts to connect to | ||
408 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The | ||
409 | default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
410 | |||
411 | GlobalKnownHostsFile | ||
412 | Specifies one or more files to use for the global host key | ||
413 | database, separated by whitespace. The default is | ||
414 | /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. | ||
415 | |||
416 | GSSAPIAuthentication | ||
417 | Specifies whether user authentication based on GSSAPI is allowed. | ||
418 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol | ||
419 | version 2 only. | ||
420 | |||
421 | GSSAPIDelegateCredentials | ||
422 | Forward (delegate) credentials to the server. The default is | ||
423 | M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 only. | ||
424 | |||
425 | HashKnownHosts | ||
426 | Indicates that ssh(1) should hash host names and addresses when | ||
427 | they are added to ~/.ssh/known_hosts. These hashed names may be | ||
428 | used normally by ssh(1) and sshd(8), but they do not reveal | ||
429 | identifying information should the file's contents be disclosed. | ||
430 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that existing names and addresses in | ||
431 | known hosts files will not be converted automatically, but may be | ||
432 | manually hashed using ssh-keygen(1). | ||
433 | |||
434 | HostbasedAuthentication | ||
435 | Specifies whether to try rhosts based authentication with public | ||
436 | key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The | ||
437 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 2 only | ||
438 | and is similar to RhostsRSAAuthentication. | ||
439 | |||
440 | HostbasedKeyTypes | ||
441 | Specifies the key types that will be used for hostbased | ||
442 | authentication as a comma-separated pattern list. Alternately if | ||
443 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the | ||
444 | specified key types will be appended to the default set instead | ||
445 | of replacing them. The default for this option is: | ||
446 | |||
447 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
448 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
449 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
450 | ssh-ed25519-cert-v01@openssh.com, | ||
451 | ssh-rsa-cert-v01@openssh.com, | ||
452 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
453 | ssh-ed25519,ssh-rsa | ||
454 | |||
455 | The -Q option of ssh(1) may be used to list supported key types. | ||
456 | |||
457 | HostKeyAlgorithms | ||
458 | Specifies the protocol version 2 host key algorithms that the | ||
459 | client wants to use in order of preference. Alternately if the | ||
460 | specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified | ||
461 | key types will be appended to the default set instead of | ||
462 | replacing them. The default for this option is: | ||
463 | |||
464 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
465 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
466 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
467 | ssh-ed25519-cert-v01@openssh.com, | ||
468 | ssh-rsa-cert-v01@openssh.com, | ||
469 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
470 | ssh-ed25519,ssh-rsa | ||
471 | |||
472 | If hostkeys are known for the destination host then this default | ||
473 | is modified to prefer their algorithms. | ||
474 | |||
475 | The list of available key types may also be obtained using the -Q | ||
476 | option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. | ||
477 | |||
478 | HostKeyAlias | ||
479 | Specifies an alias that should be used instead of the real host | ||
480 | name when looking up or saving the host key in the host key | ||
481 | database files. This option is useful for tunneling SSH | ||
482 | connections or for multiple servers running on a single host. | ||
483 | |||
484 | HostName | ||
485 | Specifies the real host name to log into. This can be used to | ||
486 | specify nicknames or abbreviations for hosts. If the hostname | ||
487 | contains the character sequence M-bM-^@M-^X%hM-bM-^@M-^Y, then this will be replaced | ||
488 | with the host name specified on the command line (this is useful | ||
489 | for manipulating unqualified names). The character sequence M-bM-^@M-^X%%M-bM-^@M-^Y | ||
490 | will be replaced by a single M-bM-^@M-^X%M-bM-^@M-^Y character, which may be used | ||
491 | when specifying IPv6 link-local addresses. | ||
492 | |||
493 | The default is the name given on the command line. Numeric IP | ||
494 | addresses are also permitted (both on the command line and in | ||
495 | HostName specifications). | ||
496 | |||
497 | IdentitiesOnly | ||
498 | Specifies that ssh(1) should only use the authentication identity | ||
499 | files configured in the ssh_config files, even if ssh-agent(1) or | ||
500 | a PKCS11Provider offers more identities. The argument to this | ||
501 | keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option is intended for | ||
502 | situations where ssh-agent offers many different identities. The | ||
503 | default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
504 | |||
505 | IdentityFile | ||
506 | Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA | ||
507 | authentication identity is read. The default is ~/.ssh/identity | ||
508 | for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, | ||
509 | ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. | ||
510 | Additionally, any identities represented by the authentication | ||
511 | agent will be used for authentication unless IdentitiesOnly is | ||
512 | set. ssh(1) will try to load certificate information from the | ||
513 | filename obtained by appending -cert.pub to the path of a | ||
514 | specified IdentityFile. | ||
515 | |||
516 | The file name may use the tilde syntax to refer to a user's home | ||
517 | directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local | ||
518 | user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host | ||
519 | name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name). | ||
520 | |||
521 | It is possible to have multiple identity files specified in | ||
522 | configuration files; all these identities will be tried in | ||
523 | sequence. Multiple IdentityFile directives will add to the list | ||
524 | of identities tried (this behaviour differs from that of other | ||
525 | configuration directives). | ||
526 | |||
527 | IdentityFile may be used in conjunction with IdentitiesOnly to | ||
528 | select which identities in an agent are offered during | ||
529 | authentication. | ||
530 | |||
531 | IgnoreUnknown | ||
532 | Specifies a pattern-list of unknown options to be ignored if they | ||
533 | are encountered in configuration parsing. This may be used to | ||
534 | suppress errors if ssh_config contains options that are | ||
535 | unrecognised by ssh(1). It is recommended that IgnoreUnknown be | ||
536 | listed early in the configuration file as it will not be applied | ||
537 | to unknown options that appear before it. | ||
538 | |||
539 | IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. | ||
540 | Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], M-bM-^@M-^\af22M-bM-^@M-^], | ||
541 | M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], M-bM-^@M-^\cs0M-bM-^@M-^], | ||
542 | M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^], | ||
543 | M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value. | ||
544 | This option may take one or two arguments, separated by | ||
545 | whitespace. If one argument is specified, it is used as the | ||
546 | packet class unconditionally. If two values are specified, the | ||
547 | first is automatically selected for interactive sessions and the | ||
548 | second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^] | ||
549 | for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive | ||
550 | sessions. | ||
551 | |||
552 | KbdInteractiveAuthentication | ||
553 | Specifies whether to use keyboard-interactive authentication. | ||
554 | The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default | ||
555 | is M-bM-^@M-^\yesM-bM-^@M-^]. | ||
556 | |||
557 | KbdInteractiveDevices | ||
558 | Specifies the list of methods to use in keyboard-interactive | ||
559 | authentication. Multiple method names must be comma-separated. | ||
560 | The default is to use the server specified list. The methods | ||
561 | available vary depending on what the server supports. For an | ||
562 | OpenSSH server, it may be zero or more of: M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], and | ||
563 | M-bM-^@M-^\skeyM-bM-^@M-^]. | ||
564 | |||
565 | KexAlgorithms | ||
566 | Specifies the available KEX (Key Exchange) algorithms. Multiple | ||
567 | algorithms must be comma-separated. Alternately if the specified | ||
568 | value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods | ||
569 | will be appended to the default set instead of replacing them. | ||
570 | The default is: | ||
571 | |||
572 | curve25519-sha256@libssh.org, | ||
573 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | ||
574 | diffie-hellman-group-exchange-sha256, | ||
575 | diffie-hellman-group-exchange-sha1, | ||
576 | diffie-hellman-group14-sha1 | ||
577 | |||
578 | The list of available key exchange algorithms may also be | ||
579 | obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. | ||
580 | |||
581 | LocalCommand | ||
582 | Specifies a command to execute on the local machine after | ||
583 | successfully connecting to the server. The command string | ||
584 | extends to the end of the line, and is executed with the user's | ||
585 | shell. The following escape character substitutions will be | ||
586 | performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host | ||
587 | name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the | ||
588 | command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or | ||
589 | M-bM-^@M-^X%uM-bM-^@M-^Y (local user name) or M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: | ||
590 | %l%h%p%r. | ||
591 | |||
592 | The command is run synchronously and does not have access to the | ||
593 | session of the ssh(1) that spawned it. It should not be used for | ||
594 | interactive commands. | ||
595 | |||
596 | This directive is ignored unless PermitLocalCommand has been | ||
597 | enabled. | ||
598 | |||
599 | LocalForward | ||
600 | Specifies that a TCP port on the local machine be forwarded over | ||
601 | the secure channel to the specified host and port from the remote | ||
602 | machine. The first argument must be [bind_address:]port and the | ||
603 | second argument must be host:hostport. IPv6 addresses can be | ||
604 | specified by enclosing addresses in square brackets. Multiple | ||
605 | forwardings may be specified, and additional forwardings can be | ||
606 | given on the command line. Only the superuser can forward | ||
607 | privileged ports. By default, the local port is bound in | ||
608 | accordance with the GatewayPorts setting. However, an explicit | ||
609 | bind_address may be used to bind the connection to a specific | ||
610 | address. The bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the | ||
611 | listening port be bound for local use only, while an empty | ||
612 | address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from | ||
613 | all interfaces. | ||
614 | |||
615 | LogLevel | ||
616 | Gives the verbosity level that is used when logging messages from | ||
617 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, | ||
618 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | ||
619 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
620 | higher levels of verbose output. | ||
621 | |||
622 | MACs Specifies the MAC (message authentication code) algorithms in | ||
623 | order of preference. The MAC algorithm is used in protocol | ||
624 | version 2 for data integrity protection. Multiple algorithms | ||
625 | must be comma-separated. If the specified value begins with a | ||
626 | M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms will be appended to | ||
627 | the default set instead of replacing them. | ||
628 | |||
629 | The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after | ||
630 | encryption (encrypt-then-mac). These are considered safer and | ||
631 | their use recommended. | ||
632 | |||
633 | The default is: | ||
634 | |||
635 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | ||
636 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | ||
637 | umac-64@openssh.com,umac-128@openssh.com, | ||
638 | hmac-sha2-256,hmac-sha2-512, | ||
639 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, | ||
640 | hmac-ripemd160-etm@openssh.com, | ||
641 | hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, | ||
642 | hmac-md5,hmac-sha1,hmac-ripemd160, | ||
643 | hmac-sha1-96,hmac-md5-96 | ||
644 | |||
645 | The list of available MAC algorithms may also be obtained using | ||
646 | the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. | ||
647 | |||
648 | NoHostAuthenticationForLocalhost | ||
649 | This option can be used if the home directory is shared across | ||
650 | machines. In this case localhost will refer to a different | ||
651 | machine on each of the machines and the user will get many | ||
652 | warnings about changed host keys. However, this option disables | ||
653 | host authentication for localhost. The argument to this keyword | ||
654 | must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for | ||
655 | localhost. | ||
656 | |||
657 | NumberOfPasswordPrompts | ||
658 | Specifies the number of password prompts before giving up. The | ||
659 | argument to this keyword must be an integer. The default is 3. | ||
660 | |||
661 | PasswordAuthentication | ||
662 | Specifies whether to use password authentication. The argument | ||
663 | to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | ||
664 | |||
665 | PermitLocalCommand | ||
666 | Allow local command execution via the LocalCommand option or | ||
667 | using the !command escape sequence in ssh(1). The argument must | ||
668 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
669 | |||
670 | PKCS11Provider | ||
671 | Specifies which PKCS#11 provider to use. The argument to this | ||
672 | keyword is the PKCS#11 shared library ssh(1) should use to | ||
673 | communicate with a PKCS#11 token providing the user's private RSA | ||
674 | key. | ||
675 | |||
676 | Port Specifies the port number to connect on the remote host. The | ||
677 | default is 22. | ||
678 | |||
679 | PreferredAuthentications | ||
680 | Specifies the order in which the client should try protocol 2 | ||
681 | authentication methods. This allows a client to prefer one | ||
682 | method (e.g. keyboard-interactive) over another method (e.g. | ||
683 | password). The default is: | ||
684 | |||
685 | gssapi-with-mic,hostbased,publickey, | ||
686 | keyboard-interactive,password | ||
687 | |||
688 | Protocol | ||
689 | Specifies the protocol versions ssh(1) should support in order of | ||
690 | preference. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple | ||
691 | versions must be comma-separated. When this option is set to | ||
692 | M-bM-^@M-^\2,1M-bM-^@M-^] ssh will try version 2 and fall back to version 1 if | ||
693 | version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y. | ||
694 | |||
695 | ProxyCommand | ||
696 | Specifies the command to use to connect to the server. The | ||
697 | command string extends to the end of the line, and is executed | ||
698 | using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering | ||
699 | shell process. | ||
700 | |||
701 | In the command string, any occurrence of M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted | ||
702 | by the host name to connect, M-bM-^@M-^X%pM-bM-^@M-^Y by the port, and M-bM-^@M-^X%rM-bM-^@M-^Y by the | ||
703 | remote user name. The command can be basically anything, and | ||
704 | should read from its standard input and write to its standard | ||
705 | output. It should eventually connect an sshd(8) server running | ||
706 | on some machine, or execute sshd -i somewhere. Host key | ||
707 | management will be done using the HostName of the host being | ||
708 | connected (defaulting to the name typed by the user). Setting | ||
709 | the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option entirely. Note that | ||
710 | CheckHostIP is not available for connects with a proxy command. | ||
711 | |||
712 | This directive is useful in conjunction with nc(1) and its proxy | ||
713 | support. For example, the following directive would connect via | ||
714 | an HTTP proxy at 192.0.2.0: | ||
715 | |||
716 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | ||
717 | |||
718 | ProxyUseFdpass | ||
719 | Specifies that ProxyCommand will pass a connected file descriptor | ||
720 | back to ssh(1) instead of continuing to execute and pass data. | ||
721 | The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
722 | |||
723 | PubkeyAcceptedKeyTypes | ||
724 | Specifies the key types that will be used for public key | ||
725 | authentication as a comma-separated pattern list. Alternately if | ||
726 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the key | ||
727 | types after it will be appended to the default instead of | ||
728 | replacing it. The default for this option is: | ||
729 | |||
730 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
731 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
732 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
733 | ssh-ed25519-cert-v01@openssh.com, | ||
734 | ssh-rsa-cert-v01@openssh.com, | ||
735 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
736 | ssh-ed25519,ssh-rsa | ||
737 | |||
738 | The -Q option of ssh(1) may be used to list supported key types. | ||
739 | |||
740 | PubkeyAuthentication | ||
741 | Specifies whether to try public key authentication. The argument | ||
742 | to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. | ||
743 | This option applies to protocol version 2 only. | ||
744 | |||
745 | RekeyLimit | ||
746 | Specifies the maximum amount of data that may be transmitted | ||
747 | before the session key is renegotiated, optionally followed a | ||
748 | maximum amount of time that may pass before the session key is | ||
749 | renegotiated. The first argument is specified in bytes and may | ||
750 | have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, | ||
751 | Megabytes, or Gigabytes, respectively. The default is between | ||
752 | M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second | ||
753 | value is specified in seconds and may use any of the units | ||
754 | documented in the TIME FORMATS section of sshd_config(5). The | ||
755 | default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that | ||
756 | rekeying is performed after the cipher's default amount of data | ||
757 | has been sent or received and no time based rekeying is done. | ||
758 | This option applies to protocol version 2 only. | ||
759 | |||
760 | RemoteForward | ||
761 | Specifies that a TCP port on the remote machine be forwarded over | ||
762 | the secure channel to the specified host and port from the local | ||
763 | machine. The first argument must be [bind_address:]port and the | ||
764 | second argument must be host:hostport. IPv6 addresses can be | ||
765 | specified by enclosing addresses in square brackets. Multiple | ||
766 | forwardings may be specified, and additional forwardings can be | ||
767 | given on the command line. Privileged ports can be forwarded | ||
768 | only when logging in as root on the remote machine. | ||
769 | |||
770 | If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically | ||
771 | allocated on the server and reported to the client at run time. | ||
772 | |||
773 | If the bind_address is not specified, the default is to only bind | ||
774 | to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty | ||
775 | string, then the forwarding is requested to listen on all | ||
776 | interfaces. Specifying a remote bind_address will only succeed | ||
777 | if the server's GatewayPorts option is enabled (see | ||
778 | sshd_config(5)). | ||
779 | |||
780 | RequestTTY | ||
781 | Specifies whether to request a pseudo-tty for the session. The | ||
782 | argument may be one of: M-bM-^@M-^\noM-bM-^@M-^] (never request a TTY), M-bM-^@M-^\yesM-bM-^@M-^] (always | ||
783 | request a TTY when standard input is a TTY), M-bM-^@M-^\forceM-bM-^@M-^] (always | ||
784 | request a TTY) or M-bM-^@M-^\autoM-bM-^@M-^] (request a TTY when opening a login | ||
785 | session). This option mirrors the -t and -T flags for ssh(1). | ||
786 | |||
787 | RevokedHostKeys | ||
788 | Specifies revoked host public keys. Keys listed in this file | ||
789 | will be refused for host authentication. Note that if this file | ||
790 | does not exist or is not readable, then host authentication will | ||
791 | be refused for all hosts. Keys may be specified as a text file, | ||
792 | listing one public key per line, or as an OpenSSH Key Revocation | ||
793 | List (KRL) as generated by ssh-keygen(1). For more information | ||
794 | on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). | ||
795 | |||
796 | RhostsRSAAuthentication | ||
797 | Specifies whether to try rhosts based authentication with RSA | ||
798 | host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The | ||
799 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only | ||
800 | and requires ssh(1) to be setuid root. | ||
801 | |||
802 | RSAAuthentication | ||
803 | Specifies whether to try RSA authentication. The argument to | ||
804 | this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only | ||
805 | be attempted if the identity file exists, or an authentication | ||
806 | agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option | ||
807 | applies to protocol version 1 only. | ||
808 | |||
809 | SendEnv | ||
810 | Specifies what variables from the local environ(7) should be sent | ||
811 | to the server. Note that environment passing is only supported | ||
812 | for protocol 2. The server must also support it, and the server | ||
813 | must be configured to accept these environment variables. Note | ||
814 | that the TERM environment variable is always sent whenever a | ||
815 | pseudo-terminal is requested as it is required by the protocol. | ||
816 | Refer to AcceptEnv in sshd_config(5) for how to configure the | ||
817 | server. Variables are specified by name, which may contain | ||
818 | wildcard characters. Multiple environment variables may be | ||
819 | separated by whitespace or spread across multiple SendEnv | ||
820 | directives. The default is not to send any environment | ||
821 | variables. | ||
822 | |||
823 | See PATTERNS for more information on patterns. | ||
824 | |||
825 | ServerAliveCountMax | ||
826 | Sets the number of server alive messages (see below) which may be | ||
827 | sent without ssh(1) receiving any messages back from the server. | ||
828 | If this threshold is reached while server alive messages are | ||
829 | being sent, ssh will disconnect from the server, terminating the | ||
830 | session. It is important to note that the use of server alive | ||
831 | messages is very different from TCPKeepAlive (below). The server | ||
832 | alive messages are sent through the encrypted channel and | ||
833 | therefore will not be spoofable. The TCP keepalive option | ||
834 | enabled by TCPKeepAlive is spoofable. The server alive mechanism | ||
835 | is valuable when the client or server depend on knowing when a | ||
836 | connection has become inactive. | ||
837 | |||
838 | The default value is 3. If, for example, ServerAliveInterval | ||
839 | (see below) is set to 15 and ServerAliveCountMax is left at the | ||
840 | default, if the server becomes unresponsive, ssh will disconnect | ||
841 | after approximately 45 seconds. This option applies to protocol | ||
842 | version 2 only. | ||
843 | |||
844 | ServerAliveInterval | ||
845 | Sets a timeout interval in seconds after which if no data has | ||
846 | been received from the server, ssh(1) will send a message through | ||
847 | the encrypted channel to request a response from the server. The | ||
848 | default is 0, indicating that these messages will not be sent to | ||
849 | the server. This option applies to protocol version 2 only. | ||
850 | |||
851 | StreamLocalBindMask | ||
852 | Sets the octal file creation mode mask (umask) used when creating | ||
853 | a Unix-domain socket file for local or remote port forwarding. | ||
854 | This option is only used for port forwarding to a Unix-domain | ||
855 | socket file. | ||
856 | |||
857 | The default value is 0177, which creates a Unix-domain socket | ||
858 | file that is readable and writable only by the owner. Note that | ||
859 | not all operating systems honor the file mode on Unix-domain | ||
860 | socket files. | ||
861 | |||
862 | StreamLocalBindUnlink | ||
863 | Specifies whether to remove an existing Unix-domain socket file | ||
864 | for local or remote port forwarding before creating a new one. | ||
865 | If the socket file already exists and StreamLocalBindUnlink is | ||
866 | not enabled, ssh will be unable to forward the port to the Unix- | ||
867 | domain socket file. This option is only used for port forwarding | ||
868 | to a Unix-domain socket file. | ||
869 | |||
870 | The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
871 | |||
872 | StrictHostKeyChecking | ||
873 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will never automatically add | ||
874 | host keys to the ~/.ssh/known_hosts file, and refuses to connect | ||
875 | to hosts whose host key has changed. This provides maximum | ||
876 | protection against trojan horse attacks, though it can be | ||
877 | annoying when the /etc/ssh/ssh_known_hosts file is poorly | ||
878 | maintained or when connections to new hosts are frequently made. | ||
879 | This option forces the user to manually add all new hosts. If | ||
880 | this flag is set to M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host | ||
881 | keys to the user known hosts files. If this flag is set to | ||
882 | M-bM-^@M-^\askM-bM-^@M-^], new host keys will be added to the user known host files | ||
883 | only after the user has confirmed that is what they really want | ||
884 | to do, and ssh will refuse to connect to hosts whose host key has | ||
885 | changed. The host keys of known hosts will be verified | ||
886 | automatically in all cases. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or | ||
887 | M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^]. | ||
888 | |||
889 | TCPKeepAlive | ||
890 | Specifies whether the system should send TCP keepalive messages | ||
891 | to the other side. If they are sent, death of the connection or | ||
892 | crash of one of the machines will be properly noticed. However, | ||
893 | this means that connections will die if the route is down | ||
894 | temporarily, and some people find it annoying. | ||
895 | |||
896 | The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the | ||
897 | client will notice if the network goes down or the remote host | ||
898 | dies. This is important in scripts, and many users want it too. | ||
899 | |||
900 | To disable TCP keepalive messages, the value should be set to | ||
901 | M-bM-^@M-^\noM-bM-^@M-^]. | ||
902 | |||
903 | Tunnel Request tun(4) device forwarding between the client and the | ||
904 | server. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), | ||
905 | M-bM-^@M-^\ethernetM-bM-^@M-^] (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] requests the | ||
906 | default tunnel mode, which is M-bM-^@M-^\point-to-pointM-bM-^@M-^]. The default is | ||
907 | M-bM-^@M-^\noM-bM-^@M-^]. | ||
908 | |||
909 | TunnelDevice | ||
910 | Specifies the tun(4) devices to open on the client (local_tun) | ||
911 | and the server (remote_tun). | ||
912 | |||
913 | The argument must be local_tun[:remote_tun]. The devices may be | ||
914 | specified by numerical ID or the keyword M-bM-^@M-^\anyM-bM-^@M-^], which uses the | ||
915 | next available tunnel device. If remote_tun is not specified, it | ||
916 | defaults to M-bM-^@M-^\anyM-bM-^@M-^]. The default is M-bM-^@M-^\any:anyM-bM-^@M-^]. | ||
917 | |||
918 | UpdateHostKeys | ||
919 | Specifies whether ssh(1) should accept notifications of | ||
920 | additional hostkeys from the server sent after authentication has | ||
921 | completed and add them to UserKnownHostsFile. The argument must | ||
922 | be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] (the default) or M-bM-^@M-^\askM-bM-^@M-^]. Enabling this option | ||
923 | allows learning alternate hostkeys for a server and supports | ||
924 | graceful key rotation by allowing a server to send replacement | ||
925 | public keys before old ones are removed. Additional hostkeys are | ||
926 | only accepted if the key used to authenticate the host was | ||
927 | already trusted or explicity accepted by the user. If | ||
928 | UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm | ||
929 | the modifications to the known_hosts file. Confirmation is | ||
930 | currently incompatible with ControlPersist, and will be disabled | ||
931 | if it is enabled. | ||
932 | |||
933 | Presently, only sshd(8) from OpenSSH 6.8 and greater support the | ||
934 | M-bM-^@M-^\hostkeys@openssh.comM-bM-^@M-^] protocol extension used to inform the | ||
935 | client of all the server's hostkeys. | ||
936 | |||
937 | UsePrivilegedPort | ||
938 | Specifies whether to use a privileged port for outgoing | ||
939 | connections. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is | ||
940 | M-bM-^@M-^\noM-bM-^@M-^]. If set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) must be setuid root. Note that | ||
941 | this option must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with | ||
942 | older servers. | ||
943 | |||
944 | User Specifies the user to log in as. This can be useful when a | ||
945 | different user name is used on different machines. This saves | ||
946 | the trouble of having to remember to give the user name on the | ||
947 | command line. | ||
948 | |||
949 | UserKnownHostsFile | ||
950 | Specifies one or more files to use for the user host key | ||
951 | database, separated by whitespace. The default is | ||
952 | ~/.ssh/known_hosts, ~/.ssh/known_hosts2. | ||
953 | |||
954 | VerifyHostKeyDNS | ||
955 | Specifies whether to verify the remote key using DNS and SSHFP | ||
956 | resource records. If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], the client | ||
957 | will implicitly trust keys that match a secure fingerprint from | ||
958 | DNS. Insecure fingerprints will be handled as if this option was | ||
959 | set to M-bM-^@M-^\askM-bM-^@M-^]. If this option is set to M-bM-^@M-^\askM-bM-^@M-^], information on | ||
960 | fingerprint match will be displayed, but the user will still need | ||
961 | to confirm new host keys according to the StrictHostKeyChecking | ||
962 | option. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\askM-bM-^@M-^]. The default | ||
963 | is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 | ||
964 | only. | ||
965 | |||
966 | See also VERIFYING HOST KEYS in ssh(1). | ||
967 | |||
968 | VisualHostKey | ||
969 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], an ASCII art representation of the | ||
970 | remote host key fingerprint is printed in addition to the | ||
971 | fingerprint string at login and for unknown host keys. If this | ||
972 | flag is set to M-bM-^@M-^\noM-bM-^@M-^], no fingerprint strings are printed at login | ||
973 | and only the fingerprint string will be printed for unknown host | ||
974 | keys. The default is M-bM-^@M-^\noM-bM-^@M-^]. | ||
975 | |||
976 | XAuthLocation | ||
977 | Specifies the full pathname of the xauth(1) program. The default | ||
978 | is /usr/X11R6/bin/xauth. | ||
979 | |||
980 | PATTERNS | ||
981 | A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a | ||
982 | wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that | ||
983 | matches exactly one character). For example, to specify a set of | ||
984 | declarations for any host in the M-bM-^@M-^\.co.ukM-bM-^@M-^] set of domains, the following | ||
985 | pattern could be used: | ||
986 | |||
987 | Host *.co.uk | ||
988 | |||
989 | The following pattern would match any host in the 192.168.0.[0-9] network | ||
990 | range: | ||
991 | |||
992 | Host 192.168.0.? | ||
993 | |||
994 | A pattern-list is a comma-separated list of patterns. Patterns within | ||
995 | pattern-lists may be negated by preceding them with an exclamation mark | ||
996 | (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an | ||
997 | organization except from the M-bM-^@M-^\dialupM-bM-^@M-^] pool, the following entry (in | ||
998 | authorized_keys) could be used: | ||
999 | |||
1000 | from="!*.dialup.example.com,*.example.com" | ||
1001 | |||
1002 | FILES | ||
1003 | ~/.ssh/config | ||
1004 | This is the per-user configuration file. The format of this file | ||
1005 | is described above. This file is used by the SSH client. | ||
1006 | Because of the potential for abuse, this file must have strict | ||
1007 | permissions: read/write for the user, and not accessible by | ||
1008 | others. | ||
1009 | |||
1010 | /etc/ssh/ssh_config | ||
1011 | Systemwide configuration file. This file provides defaults for | ||
1012 | those values that are not specified in the user's configuration | ||
1013 | file, and for those users who do not have a configuration file. | ||
1014 | This file must be world-readable. | ||
1015 | |||
1016 | SEE ALSO | ||
1017 | ssh(1) | ||
1018 | |||
1019 | AUTHORS | ||
1020 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
1021 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
1022 | de Raadt and Dug Song removed many bugs, re-added newer features and | ||
1023 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
1024 | versions 1.5 and 2.0. | ||
1025 | |||
1026 | OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 | ||