Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 117 |
1 files changed, 79 insertions, 38 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 6fbd10d61..c40ce5f08 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -1,4 +1,4 @@ | |||
1 | SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) | 1 | SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | ssh_config - OpenSSH SSH client configuration files | 4 | ssh_config - OpenSSH SSH client configuration files |
@@ -176,19 +176,30 @@ DESCRIPTION | |||
176 | preference. Multiple ciphers must be comma-separated. The | 176 | preference. Multiple ciphers must be comma-separated. The |
177 | supported ciphers are: | 177 | supported ciphers are: |
178 | 178 | ||
179 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | 179 | 3des-cbc |
180 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | 180 | aes128-cbc |
181 | ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', | 181 | aes192-cbc |
182 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', | 182 | aes256-cbc |
183 | ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''. | 183 | aes128-ctr |
184 | aes192-ctr | ||
185 | aes256-ctr | ||
186 | aes128-gcm@openssh.com | ||
187 | aes256-gcm@openssh.com | ||
188 | arcfour | ||
189 | arcfour128 | ||
190 | arcfour256 | ||
191 | blowfish-cbc | ||
192 | cast128-cbc | ||
193 | chacha20-poly1305@openssh.com | ||
184 | 194 | ||
185 | The default is: | 195 | The default is: |
186 | 196 | ||
187 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, | 197 | aes128-ctr,aes192-ctr,aes256-ctr, |
188 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | 198 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
189 | chacha20-poly1305@openssh.com, | 199 | chacha20-poly1305@openssh.com, |
190 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, | 200 | arcfour256,arcfour128, |
191 | aes256-cbc,arcfour | 201 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, |
202 | aes192-cbc,aes256-cbc,arcfour | ||
192 | 203 | ||
193 | The list of available ciphers may also be obtained using the -Q | 204 | The list of available ciphers may also be obtained using the -Q |
194 | option of ssh(1). | 205 | option of ssh(1). |
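Review bot: the new default list moves `arcfour256,arcfour128` behind the AES-GCM and chacha20-poly1305 entries, which changes negotiation because the list is in order of preference, yet the text gives no hint that the order was revised. The tail of the default still carries `arcfour`, `3des-cbc`, `blowfish-cbc` and `cast128-cbc`; if these stay only for compatibility with older servers, a sentence saying so would tell readers which entries they can safely drop from their own `Ciphers` line. The one-per-line supported list is easier to read, but it now orders `arcfour` before `arcfour128`, unlike the old text; confirm that list is meant to be alphabetical, not preferential.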
@@ -261,10 +272,12 @@ DESCRIPTION | |||
261 | any domain name), `%h' will be substituted by the target host | 272 | any domain name), `%h' will be substituted by the target host |
262 | name, `%n' will be substituted by the original target host name | 273 | name, `%n' will be substituted by the original target host name |
263 | specified on the command line, `%p' the destination port, `%r' by | 274 | specified on the command line, `%p' the destination port, `%r' by |
264 | the remote login username, and `%u' by the username of the user | 275 | the remote login username, `%u' by the username of the user |
265 | running ssh(1). It is recommended that any ControlPath used for | 276 | running ssh(1), and `%C' by a hash of the concatenation: |
266 | opportunistic connection sharing include at least %h, %p, and %r. | 277 | %l%h%p%r. It is recommended that any ControlPath used for |
267 | This ensures that shared connections are uniquely identified. | 278 | opportunistic connection sharing include at least %h, %p, and %r |
279 | (or alternatively %C). This ensures that shared connections are | ||
280 | uniquely identified. | ||
268 | 281 | ||
269 | ControlPersist | 282 | ControlPersist |
270 | When used in conjunction with ControlMaster, specifies that the | 283 | When used in conjunction with ControlMaster, specifies that the |
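Review bot: the new `%C` description, "a hash of the concatenation: %l%h%p%r", does not say which hash is used or what form the expanded value takes, so a reader cannot predict the resulting ControlPath file name or its length. Name the algorithm and the encoding, and drop the colon ("a hash of the concatenation of %l, %h, %p and %r"). The recommendation "at least %h, %p, and %r (or alternatively %C)" is fine, but it is worth noting that `%C` also covers `%l`, so it is a superset of the three tokens and not an exact equivalent.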
@@ -437,10 +450,13 @@ DESCRIPTION | |||
437 | specify nicknames or abbreviations for hosts. If the hostname | 450 | specify nicknames or abbreviations for hosts. If the hostname |
438 | contains the character sequence `%h', then this will be replaced | 451 | contains the character sequence `%h', then this will be replaced |
439 | with the host name specified on the command line (this is useful | 452 | with the host name specified on the command line (this is useful |
440 | for manipulating unqualified names). The default is the name | 453 | for manipulating unqualified names). The character sequence `%%' |
441 | given on the command line. Numeric IP addresses are also | 454 | will be replaced by a single `%' character, which may be used |
442 | permitted (both on the command line and in HostName | 455 | when specifying IPv6 link-local addresses. |
443 | specifications). | 456 | |
457 | The default is the name given on the command line. Numeric IP | ||
458 | addresses are also permitted (both on the command line and in | ||
459 | HostName specifications). | ||
444 | 460 | ||
445 | IdentitiesOnly | 461 | IdentitiesOnly |
446 | Specifies that ssh(1) should only use the authentication identity | 462 | Specifies that ssh(1) should only use the authentication identity |
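Review bot: the added `%%` sentence in HostName says the escape "may be used when specifying IPv6 link-local addresses" without showing what that looks like, and a reader who has not met scoped addresses will not see why a literal `%` is needed. Add a short example of a HostName value with an escaped zone suffix. Splitting "The default is the name given on the command line" into its own paragraph reads well.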
@@ -517,8 +533,8 @@ DESCRIPTION | |||
517 | curve25519-sha256@libssh.org, | 533 | curve25519-sha256@libssh.org, |
518 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | 534 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
519 | diffie-hellman-group-exchange-sha256, | 535 | diffie-hellman-group-exchange-sha256, |
520 | diffie-hellman-group-exchange-sha1, | ||
521 | diffie-hellman-group14-sha1, | 536 | diffie-hellman-group14-sha1, |
537 | diffie-hellman-group-exchange-sha1, | ||
522 | diffie-hellman-group1-sha1 | 538 | diffie-hellman-group1-sha1 |
523 | 539 | ||
524 | LocalCommand | 540 | LocalCommand |
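Review bot: swapping `diffie-hellman-group14-sha1` ahead of `diffie-hellman-group-exchange-sha1` in the default KexAlgorithms list changes which SHA-1 based exchange is preferred, and nothing in the visible text explains the reason. Since the manual is where users look when auditing their key exchange settings, either the description or the commit message should state why the fixed group is now preferred over group exchange with SHA-1. `diffie-hellman-group1-sha1` remains last in the default; if that is deliberate, say so in the same place.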
@@ -529,7 +545,8 @@ DESCRIPTION | |||
529 | performed: `%d' (local user's home directory), `%h' (remote host | 545 | performed: `%d' (local user's home directory), `%h' (remote host |
530 | name), `%l' (local host name), `%n' (host name as provided on the | 546 | name), `%l' (local host name), `%n' (host name as provided on the |
531 | command line), `%p' (remote port), `%r' (remote user name) or | 547 | command line), `%p' (remote port), `%r' (remote user name) or |
532 | `%u' (local user name). | 548 | `%u' (local user name) or `%C' by a hash of the concatenation: |
549 | %l%h%p%r. | ||
533 | 550 | ||
534 | The command is run synchronously and does not have access to the | 551 | The command is run synchronously and does not have access to the |
535 | session of the ssh(1) that spawned it. It should not be used for | 552 | session of the ssh(1) that spawned it. It should not be used for |
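Review bot: the LocalCommand token list now reads "`%r' (remote user name) or `%u' (local user name) or `%C' by a hash of the concatenation: %l%h%p%r", which has a doubled "or" and switches from the parenthesised style used for every other token to the "by a ..." phrasing copied from ControlPath. Suggest "`%r' (remote user name), `%u' (local user name) or `%C' (a hash of the concatenation of %l, %h, %p and %r)" so the sentence stays parallel. As in the ControlPath hunk, the hash algorithm is not named.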
@@ -568,13 +585,14 @@ DESCRIPTION | |||
568 | calculate the MAC after encryption (encrypt-then-mac). These are | 585 | calculate the MAC after encryption (encrypt-then-mac). These are |
569 | considered safer and their use recommended. The default is: | 586 | considered safer and their use recommended. The default is: |
570 | 587 | ||
571 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, | ||
572 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | 588 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
573 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | 589 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
574 | hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, | 590 | umac-64@openssh.com,umac-128@openssh.com, |
575 | hmac-md5-96-etm@openssh.com, | 591 | hmac-sha2-256,hmac-sha2-512, |
576 | hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, | 592 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, |
577 | hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, | 593 | hmac-ripemd160-etm@openssh.com, |
594 | hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, | ||
595 | hmac-md5,hmac-sha1,hmac-ripemd160, | ||
578 | hmac-sha1-96,hmac-md5-96 | 596 | hmac-sha1-96,hmac-md5-96 |
579 | 597 | ||
580 | NoHostAuthenticationForLocalhost | 598 | NoHostAuthenticationForLocalhost |
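Review bot: in the reordered MACs default, the plain `umac-64@openssh.com`, `umac-128@openssh.com`, `hmac-sha2-256` and `hmac-sha2-512` entries now come before `hmac-md5-etm@openssh.com` and `hmac-sha1-etm@openssh.com`, while the sentence just above still says the "-etm" algorithms "are considered safer and their use recommended". The new order ranks the underlying hash ahead of encrypt-then-mac, which is reasonable, but the text should say so, otherwise the default appears to contradict the recommendation. The MD5 and 96-bit truncated variants are still in the default; a note on why they remain would help readers trimming the list.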
@@ -628,17 +646,19 @@ DESCRIPTION | |||
628 | ProxyCommand | 646 | ProxyCommand |
629 | Specifies the command to use to connect to the server. The | 647 | Specifies the command to use to connect to the server. The |
630 | command string extends to the end of the line, and is executed | 648 | command string extends to the end of the line, and is executed |
631 | with the user's shell. In the command string, any occurrence of | 649 | using the user's shell `exec' directive to avoid a lingering |
632 | `%h' will be substituted by the host name to connect, `%p' by the | 650 | shell process. |
633 | port, and `%r' by the remote user name. The command can be | 651 | |
634 | basically anything, and should read from its standard input and | 652 | In the command string, any occurrence of `%h' will be substituted |
635 | write to its standard output. It should eventually connect an | 653 | by the host name to connect, `%p' by the port, and `%r' by the |
636 | sshd(8) server running on some machine, or execute sshd -i | 654 | remote user name. The command can be basically anything, and |
637 | somewhere. Host key management will be done using the HostName | 655 | should read from its standard input and write to its standard |
638 | of the host being connected (defaulting to the name typed by the | 656 | output. It should eventually connect an sshd(8) server running |
639 | user). Setting the command to ``none'' disables this option | 657 | on some machine, or execute sshd -i somewhere. Host key |
640 | entirely. Note that CheckHostIP is not available for connects | 658 | management will be done using the HostName of the host being |
641 | with a proxy command. | 659 | connected (defaulting to the name typed by the user). Setting |
660 | the command to ``none'' disables this option entirely. Note that | ||
661 | CheckHostIP is not available for connects with a proxy command. | ||
642 | 662 | ||
643 | This directive is useful in conjunction with nc(1) and its proxy | 663 | This directive is useful in conjunction with nc(1) and its proxy |
644 | support. For example, the following directive would connect via | 664 | support. For example, the following directive would connect via |
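Review bot: the new ProxyCommand wording, "executed using the user's shell `exec' directive to avoid a lingering shell process", does not say what this means for command strings that rely on shell constructs such as several commands in sequence or a pipeline, where `exec` applies only to the first command. State whether such strings are still supported and how they behave, since existing configurations may depend on it. The paragraph split is an improvement; while touching this text, "connect an sshd(8) server" could become "connect to an sshd(8) server".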
@@ -751,6 +771,27 @@ DESCRIPTION | |||
751 | default is 0, indicating that these messages will not be sent to | 771 | default is 0, indicating that these messages will not be sent to |
752 | the server. This option applies to protocol version 2 only. | 772 | the server. This option applies to protocol version 2 only. |
753 | 773 | ||
774 | StreamLocalBindMask | ||
775 | Sets the octal file creation mode mask (umask) used when creating | ||
776 | a Unix-domain socket file for local or remote port forwarding. | ||
777 | This option is only used for port forwarding to a Unix-domain | ||
778 | socket file. | ||
779 | |||
780 | The default value is 0177, which creates a Unix-domain socket | ||
781 | file that is readable and writable only by the owner. Note that | ||
782 | not all operating systems honor the file mode on Unix-domain | ||
783 | socket files. | ||
784 | |||
785 | StreamLocalBindUnlink | ||
786 | Specifies whether to remove an existing Unix-domain socket file | ||
787 | for local or remote port forwarding before creating a new one. | ||
788 | If the socket file already exists and StreamLocalBindUnlink is | ||
789 | not enabled, ssh will be unable to forward the port to the Unix- | ||
790 | domain socket file. This option is only used for port forwarding | ||
791 | to a Unix-domain socket file. | ||
792 | |||
793 | The argument must be ``yes'' or ``no''. The default is ``no''. | ||
794 | |||
754 | StrictHostKeyChecking | 795 | StrictHostKeyChecking |
755 | If this flag is set to ``yes'', ssh(1) will never automatically | 796 | If this flag is set to ``yes'', ssh(1) will never automatically |
756 | add host keys to the ~/.ssh/known_hosts file, and refuses to | 797 | add host keys to the ~/.ssh/known_hosts file, and refuses to |
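Review bot: the StreamLocalBindMask text warns that "not all operating systems honor the file mode on Unix-domain socket files" but stops there, leaving users on such systems with no guidance on how to keep the forwarded socket private. Add the usual advice to create the socket inside a directory whose permissions restrict access. For StreamLocalBindUnlink, the description says an existing socket file is removed before a new one is created but does not say whether ssh checks that the path is actually a socket, or who owns it, before unlinking; document that behaviour, because the option deletes a file at a path taken from the forwarding specification.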
@@ -886,4 +927,4 @@ AUTHORS | |||
886 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 927 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
887 | versions 1.5 and 2.0. | 928 | versions 1.5 and 2.0. |
888 | 929 | ||
889 | OpenBSD 5.5 February 23, 2014 OpenBSD 5.5 | 930 | OpenBSD 5.6 July 15, 2014 OpenBSD 5.6 |