Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 123 |
1 files changed, 75 insertions, 48 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 9577abc48..a2706b69c 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -4,14 +4,14 @@ NAME | |||
4 | ssh_config - OpenSSH SSH client configuration files | 4 | ssh_config - OpenSSH SSH client configuration files |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | $HOME/.ssh/config | 7 | ~/.ssh/config |
8 | /etc/ssh/ssh_config | 8 | /etc/ssh/ssh_config |
9 | 9 | ||
10 | DESCRIPTION | 10 | DESCRIPTION |
11 | ssh obtains configuration data from the following sources in the follow- | 11 | ssh obtains configuration data from the following sources in the follow- |
12 | ing order: | 12 | ing order: |
13 | 1. command-line options | 13 | 1. command-line options |
14 | 2. user's configuration file ($HOME/.ssh/config) | 14 | 2. user's configuration file (~/.ssh/config) |
15 | 3. system-wide configuration file (/etc/ssh/ssh_config) | 15 | 3. system-wide configuration file (/etc/ssh/ssh_config) |
16 | 16 | ||
17 | For each parameter, the first obtained value will be used. The configu- | 17 | For each parameter, the first obtained value will be used. The configu- |
@@ -57,9 +57,10 @@ DESCRIPTION | |||
57 | ``yes'' or ``no''. The default is ``no''. | 57 | ``yes'' or ``no''. The default is ``no''. |
58 | 58 | ||
59 | BindAddress | 59 | BindAddress |
60 | Specify the interface to transmit from on machines with multiple | 60 | Use the specified address on the local machine as the source ad- |
61 | interfaces or aliased addresses. Note that this option does not | 61 | dress of the connection. Only useful on systems with more than |
62 | work if UsePrivilegedPort is set to ``yes''. | 62 | one address. Note that this option does not work if |
63 | UsePrivilegedPort is set to ``yes''. | ||
63 | 64 | ||
64 | ChallengeResponseAuthentication | 65 | ChallengeResponseAuthentication |
65 | Specifies whether to use challenge response authentication. The | 66 | Specifies whether to use challenge response authentication. The |
@@ -85,11 +86,12 @@ DESCRIPTION | |||
85 | preference. Multiple ciphers must be comma-separated. The sup- | 86 | preference. Multiple ciphers must be comma-separated. The sup- |
86 | ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', | 87 | ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', |
87 | ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | 88 | ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', |
88 | ``arcfour'', ``blowfish-cbc'', and ``cast128-cbc''. The default | 89 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', |
89 | is | 90 | and ``cast128-cbc''. The default is |
90 | 91 | ||
91 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 92 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
92 | aes192-cbc,aes256-cbc'' | 93 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
94 | aes192-ctr,aes256-ctr'' | ||
93 | 95 | ||
94 | ClearAllForwardings | 96 | ClearAllForwardings |
95 | Specifies that all local, remote and dynamic port forwardings | 97 | Specifies that all local, remote and dynamic port forwardings |
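Review bot: The default cipher list at new lines 92-94 places the three newly added CTR modes last, after every CBC cipher and after arcfour128/arcfour256, while the surrounding text (new line 86) says the list is "in order of preference"; if preferring CBC over CTR is deliberate it deserves a sentence, otherwise readers will assume the default order reflects a strength ranking. Also, the prose list at new lines 87-90 and the default at 92-94 now enumerate the same ciphers in different orders; keeping the two lists in one order makes it easier to check that they stay in sync.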
@@ -131,11 +133,30 @@ DESCRIPTION | |||
131 | tion rather than initiating new ones. Setting this to ``ask'' | 133 | tion rather than initiating new ones. Setting this to ``ask'' |
132 | will cause ssh to listen for control connections, but require | 134 | will cause ssh to listen for control connections, but require |
133 | confirmation using the SSH_ASKPASS program before they are ac- | 135 | confirmation using the SSH_ASKPASS program before they are ac- |
134 | cepted (see ssh-add(1) for details). | 136 | cepted (see ssh-add(1) for details). If the ControlPath can not |
137 | be opened, ssh will continue without connecting to a master in- | ||
138 | stance. | ||
139 | |||
140 | X11 and ssh-agent(1) forwarding is supported over these multi- | ||
141 | plexed connections, however the display and agent fowarded will | ||
142 | be the one belonging to the master connection i.e. it is not pos- | ||
143 | sible to forward multiple displays or agents. | ||
144 | |||
145 | Two additional options allow for opportunistic multiplexing: try | ||
146 | to use a master connection but fall back to creating a new one if | ||
147 | one does not already exist. These options are: ``auto'' and | ||
148 | ``autoask''. The latter requires confirmation like the ``ask'' | ||
149 | option. | ||
135 | 150 | ||
136 | ControlPath | 151 | ControlPath |
137 | Specify the path to the control socket used for connection shar- | 152 | Specify the path to the control socket used for connection shar- |
138 | ing. See ControlMaster above. | 153 | ing as described in the ControlMaster section above or the string |
154 | ``none'' to disable connection sharing. In the path, `%h' will | ||
155 | be substituted by the target host name, `%p' the port and `%r' by | ||
156 | the remote login username. It is recommended that any | ||
157 | ControlPath used for opportunistic connection sharing include all | ||
158 | three of these escape sequences. This ensures that shared con- | ||
159 | nections are uniquely identified. | ||
139 | 160 | ||
140 | DynamicForward | 161 | DynamicForward |
141 | Specifies that a TCP/IP port on the local machine be forwarded | 162 | Specifies that a TCP/IP port on the local machine be forwarded |
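Review bot: Typo at new line 141: "fowarded" should be "forwarded"; and "can not" at new line 136 reads better as "cannot". The new ControlPath text (new lines 156-159) recommends including %h, %p and %r for opportunistic sharing but only says this keeps connections "uniquely identified"; it would help to spell out why, i.e. that without all three a session to a different host, port or user could be sent through an existing master for another one. The new ControlMaster paragraph (new lines 140-143) could likewise state plainly that the forwarded agent is the master's, so a later "ssh -A" over a shared connection does not forward the agent of the process that typed it.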
@@ -228,9 +249,9 @@ DESCRIPTION | |||
228 | 249 | ||
229 | HashKnownHosts | 250 | HashKnownHosts |
230 | Indicates that ssh should hash host names and addresses when they | 251 | Indicates that ssh should hash host names and addresses when they |
231 | are added to $HOME/.ssh/known_hosts. These hashed names may be | 252 | are added to ~/.ssh/known_hosts. These hashed names may be used |
232 | used normally by ssh and sshd, but they do not reveal identifying | 253 | normally by ssh and sshd, but they do not reveal identifying in- |
233 | information should the file's contents be disclosed. The default | 254 | formation should the file's contents be disclosed. The default |
234 | is ``no''. Note that hashing of names and addresses will not be | 255 | is ``no''. Note that hashing of names and addresses will not be |
235 | retrospectively applied to existing known hosts files, but these | 256 | retrospectively applied to existing known hosts files, but these |
236 | may be manually hashed using ssh-keygen(1). | 257 | may be manually hashed using ssh-keygen(1). |
@@ -261,14 +282,13 @@ DESCRIPTION | |||
261 | 282 | ||
262 | IdentityFile | 283 | IdentityFile |
263 | Specifies a file from which the user's RSA or DSA authentication | 284 | Specifies a file from which the user's RSA or DSA authentication |
264 | identity is read. The default is $HOME/.ssh/identity for proto- | 285 | identity is read. The default is ~/.ssh/identity for protocol |
265 | col version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for | 286 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- |
266 | protocol version 2. Additionally, any identities represented by | 287 | sion 2. Additionally, any identities represented by the authen- |
267 | the authentication agent will be used for authentication. The | 288 | tication agent will be used for authentication. The file name |
268 | file name may use the tilde syntax to refer to a user's home di- | 289 | may use the tilde syntax to refer to a user's home directory. It |
269 | rectory. It is possible to have multiple identity files speci- | 290 | is possible to have multiple identity files specified in configu- |
270 | fied in configuration files; all these identities will be tried | 291 | ration files; all these identities will be tried in sequence. |
271 | in sequence. | ||
272 | 292 | ||
273 | IdentitiesOnly | 293 | IdentitiesOnly |
274 | Specifies that ssh should only use the authentication identity | 294 | Specifies that ssh should only use the authentication identity |
@@ -286,18 +306,19 @@ DESCRIPTION | |||
286 | LocalForward | 306 | LocalForward |
287 | Specifies that a TCP/IP port on the local machine be forwarded | 307 | Specifies that a TCP/IP port on the local machine be forwarded |
288 | over the secure channel to the specified host and port from the | 308 | over the secure channel to the specified host and port from the |
289 | remote machine. The first argument must be a port number, and | 309 | remote machine. The first argument must be [bind_address:]port |
290 | the second must be [bind_address:]host:port. IPv6 addresses can | 310 | and the second argument must be host:hostport. IPv6 addresses |
291 | be specified by enclosing addresses in square brackets or by us- | 311 | can be specified by enclosing addresses in square brackets or by |
292 | ing an alternative syntax: [bind_address/]host/port. Multiple | 312 | using an alternative syntax: [bind_address/]port and |
293 | forwardings may be specified, and additional forwardings can be | 313 | host/hostport. Multiple forwardings may be specified, and addi- |
294 | given on the command line. Only the superuser can forward privi- | 314 | tional forwardings can be given on the command line. Only the |
295 | leged ports. By default, the local port is bound in accordance | 315 | superuser can forward privileged ports. By default, the local |
296 | with the GatewayPorts setting. However, an explicit bind_address | 316 | port is bound in accordance with the GatewayPorts setting. How- |
297 | may be used to bind the connection to a specific address. The | 317 | ever, an explicit bind_address may be used to bind the connection |
298 | bind_address of ``localhost'' indicates that the listening port | 318 | to a specific address. The bind_address of ``localhost'' indi- |
299 | be bound for local use only, while an empty address or `*' indi- | 319 | cates that the listening port be bound for local use only, while |
300 | cates that the port should be available from all interfaces. | 320 | an empty address or `*' indicates that the port should be avail- |
321 | able from all interfaces. | ||
301 | 322 | ||
302 | LogLevel | 323 | LogLevel |
303 | Gives the verbosity level that is used when logging messages from | 324 | Gives the verbosity level that is used when logging messages from |
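Review bot: The argument syntax change at new lines 309-313 (first argument [bind_address:]port, second host:hostport) is a documentation change that users will copy, so an example line such as "LocalForward 8080 localhost:80" after the prose would make the new form unambiguous; the old form "[bind_address:]host:port" as the second argument is no longer valid per this text, so the DynamicForward entry and the -L description in ssh(1) should be checked for the same wording. The alternative syntax "[bind_address/]port and host/hostport" is only needed for IPv6 and it may be worth saying so explicitly, since the sentence "IPv6 addresses can be specified ... or by using an alternative syntax" is easy to misread as a general alternative.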
@@ -336,7 +357,7 @@ DESCRIPTION | |||
336 | PreferredAuthentications | 357 | PreferredAuthentications |
337 | Specifies the order in which the client should try protocol 2 au- | 358 | Specifies the order in which the client should try protocol 2 au- |
338 | thentication methods. This allows a client to prefer one method | 359 | thentication methods. This allows a client to prefer one method |
339 | (e.g. keyboard-interactive) over another method (e.g. password) | 360 | (e.g. keyboard-interactive) over another method (e.g. password) |
340 | The default for this option is: ``hostbased,publickey,keyboard- | 361 | The default for this option is: ``hostbased,publickey,keyboard- |
341 | interactive,password''. | 362 | interactive,password''. |
342 | 363 | ||
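Review bot: Missing full stop at new line 360: "(e.g. password)" runs directly into "The default for this option is" on the next line; since this line is being touched anyway, add the period.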
@@ -361,6 +382,12 @@ DESCRIPTION | |||
361 | tirely. Note that CheckHostIP is not available for connects with | 382 | tirely. Note that CheckHostIP is not available for connects with |
362 | a proxy command. | 383 | a proxy command. |
363 | 384 | ||
385 | This directive is useful in conjunction with nc(1) and its proxy | ||
386 | support. For example, the following directive would connect via | ||
387 | an HTTP proxy at 192.0.2.0: | ||
388 | |||
389 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | ||
390 | |||
364 | PubkeyAuthentication | 391 | PubkeyAuthentication |
365 | Specifies whether to try public key authentication. The argument | 392 | Specifies whether to try public key authentication. The argument |
366 | to this keyword must be ``yes'' or ``no''. The default is | 393 | to this keyword must be ``yes'' or ``no''. The default is |
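Review bot: The nc(1) example at new line 389 uses the -X and -x options of OpenBSD's nc; the same flags are not available in other netcat implementations, so the new paragraph should say the example is for the OpenBSD nc(1). Because the hunk's context (new lines 382-383) says CheckHostIP is not available with a proxy command, it would be useful to add that the target host name %h is passed to the proxy rather than resolved locally, which is the reason the IP check cannot apply; host key checking against known_hosts still applies and is the user's only protection on that path.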
@@ -369,13 +396,13 @@ DESCRIPTION | |||
369 | RemoteForward | 396 | RemoteForward |
370 | Specifies that a TCP/IP port on the remote machine be forwarded | 397 | Specifies that a TCP/IP port on the remote machine be forwarded |
371 | over the secure channel to the specified host and port from the | 398 | over the secure channel to the specified host and port from the |
372 | local machine. The first argument must be a port number, and the | 399 | local machine. The first argument must be [bind_address:]port |
373 | second must be [bind_address:]host:port. IPv6 addresses can be | 400 | and the second argument must be host:hostport. IPv6 addresses |
374 | specified by enclosing any addresses in square brackets or by us- | 401 | can be specified by enclosing addresses in square brackets or by |
375 | ing the alternative syntax: [bind_address/]host/port. Multiple | 402 | using an alternative syntax: [bind_address/]port and |
376 | forwardings may be specified, and additional forwardings can be | 403 | host/hostport. Multiple forwardings may be specified, and addi- |
377 | given on the command line. Only the superuser can forward privi- | 404 | tional forwardings can be given on the command line. Only the |
378 | leged ports. | 405 | superuser can forward privileged ports. |
379 | 406 | ||
380 | If the bind_address is not specified, the default is to only bind | 407 | If the bind_address is not specified, the default is to only bind |
381 | to loopback addresses. If the bind_address is `*' or an empty | 408 | to loopback addresses. If the bind_address is `*' or an empty |
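Review bot: The rewritten argument description at new lines 399-405 duplicates the LocalForward text word for word; a cross-reference ("as for LocalForward above") would keep the two in sync. The paragraph that follows (new lines 407-408) still says an unspecified bind_address binds only to loopback addresses, which is the right default to keep; please make sure that sentence and the new [bind_address:]port syntax agree on what "not specified" means now that the bind address is part of the first argument.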
@@ -440,9 +467,9 @@ DESCRIPTION | |||
440 | 467 | ||
441 | StrictHostKeyChecking | 468 | StrictHostKeyChecking |
442 | If this flag is set to ``yes'', ssh will never automatically add | 469 | If this flag is set to ``yes'', ssh will never automatically add |
443 | host keys to the $HOME/.ssh/known_hosts file, and refuses to con- | 470 | host keys to the ~/.ssh/known_hosts file, and refuses to connect |
444 | nect to hosts whose host key has changed. This provides maximum | 471 | to hosts whose host key has changed. This provides maximum pro- |
445 | protection against trojan horse attacks, however, can be annoying | 472 | tection against trojan horse attacks, however, can be annoying |
446 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or | 473 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or |
447 | connections to new hosts are frequently made. This option forces | 474 | connections to new hosts are frequently made. This option forces |
448 | the user to manually add all new hosts. If this flag is set to | 475 | the user to manually add all new hosts. If this flag is set to |
@@ -483,7 +510,7 @@ DESCRIPTION | |||
483 | 510 | ||
484 | UserKnownHostsFile | 511 | UserKnownHostsFile |
485 | Specifies a file to use for the user host key database instead of | 512 | Specifies a file to use for the user host key database instead of |
486 | $HOME/.ssh/known_hosts. | 513 | ~/.ssh/known_hosts. |
487 | 514 | ||
488 | VerifyHostKeyDNS | 515 | VerifyHostKeyDNS |
489 | Specifies whether to verify the remote key using DNS and SSHFP | 516 | Specifies whether to verify the remote key using DNS and SSHFP |
@@ -502,7 +529,7 @@ DESCRIPTION | |||
502 | is /usr/X11R6/bin/xauth. | 529 | is /usr/X11R6/bin/xauth. |
503 | 530 | ||
504 | FILES | 531 | FILES |
505 | $HOME/.ssh/config | 532 | ~/.ssh/config |
506 | This is the per-user configuration file. The format of this file | 533 | This is the per-user configuration file. The format of this file |
507 | is described above. This file is used by the ssh client. Be- | 534 | is described above. This file is used by the ssh client. Be- |
508 | cause of the potential for abuse, this file must have strict per- | 535 | cause of the potential for abuse, this file must have strict per- |
@@ -524,4 +551,4 @@ AUTHORS | |||
524 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 551 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
525 | versions 1.5 and 2.0. | 552 | versions 1.5 and 2.0. |
526 | 553 | ||
527 | OpenBSD 3.6 September 25, 1999 8 | 554 | OpenBSD 3.8 September 25, 1999 9 |
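Review bot: The footer date at new line 554 is still "September 25, 1999" even though the OS version was bumped to 3.8 and the page grew to 9 pages; the date comes from the .Dd line of the source ssh_config.5 and should be updated there so the regenerated ssh_config.0 reflects when the text last changed.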