diff options
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 710 |
1 files changed, 710 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0 new file mode 100644 index 000000000..6c19de765 --- /dev/null +++ b/ssh_config.0 | |||
@@ -0,0 +1,710 @@ | |||
1 | SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | ssh_config - OpenSSH SSH client configuration files | ||
5 | |||
6 | SYNOPSIS | ||
7 | ~/.ssh/config | ||
8 | /etc/ssh/ssh_config | ||
9 | |||
10 | DESCRIPTION | ||
11 | ssh(1) obtains configuration data from the following sources in the | ||
12 | following order: | ||
13 | |||
14 | 1. command-line options | ||
15 | 2. user's configuration file (~/.ssh/config) | ||
16 | 3. system-wide configuration file (/etc/ssh/ssh_config) | ||
17 | |||
18 | For each parameter, the first obtained value will be used. The | ||
19 | configuration files contain sections separated by ``Host'' | ||
20 | specifications, and that section is only applied for hosts that match one | ||
21 | of the patterns given in the specification. The matched host name is the | ||
22 | one given on the command line. | ||
23 | |||
24 | Since the first obtained value for each parameter is used, more host- | ||
25 | specific declarations should be given near the beginning of the file, and | ||
26 | general defaults at the end. | ||
27 | |||
28 | The configuration file has the following format: | ||
29 | |||
30 | Empty lines and lines starting with `#' are comments. Otherwise a line | ||
31 | is of the format ``keyword arguments''. Configuration options may be | ||
32 | separated by whitespace or optional whitespace and exactly one `='; the | ||
33 | latter format is useful to avoid the need to quote whitespace when | ||
34 | specifying configuration options using the ssh, scp, and sftp -o option. | ||
35 | Arguments may optionally be enclosed in double quotes (") in order to | ||
36 | represent arguments containing spaces. | ||
37 | |||
38 | The possible keywords and their meanings are as follows (note that | ||
39 | keywords are case-insensitive and arguments are case-sensitive): | ||
40 | |||
41 | Host Restricts the following declarations (up to the next Host | ||
42 | keyword) to be only for those hosts that match one of the | ||
43 | patterns given after the keyword. If more than one pattern is | ||
44 | provided, they should be separated by whitespace. A single `*' | ||
45 | as a pattern can be used to provide global defaults for all | ||
46 | hosts. The host is the hostname argument given on the command | ||
47 | line (i.e. the name is not converted to a canonicalized host name | ||
48 | before matching). | ||
49 | |||
50 | See PATTERNS for more information on patterns. | ||
51 | |||
52 | AddressFamily | ||
53 | Specifies which address family to use when connecting. Valid | ||
54 | arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' | ||
55 | (use IPv6 only). | ||
56 | |||
57 | BatchMode | ||
58 | If set to ``yes'', passphrase/password querying will be disabled. | ||
59 | This option is useful in scripts and other batch jobs where no | ||
60 | user is present to supply the password. The argument must be | ||
61 | ``yes'' or ``no''. The default is ``no''. | ||
62 | |||
63 | BindAddress | ||
64 | Use the specified address on the local machine as the source | ||
65 | address of the connection. Only useful on systems with more than | ||
66 | one address. Note that this option does not work if | ||
67 | UsePrivilegedPort is set to ``yes''. | ||
68 | |||
69 | ChallengeResponseAuthentication | ||
70 | Specifies whether to use challenge-response authentication. The | ||
71 | argument to this keyword must be ``yes'' or ``no''. The default | ||
72 | is ``yes''. | ||
73 | |||
74 | CheckHostIP | ||
75 | If this flag is set to ``yes'', ssh(1) will additionally check | ||
76 | the host IP address in the known_hosts file. This allows ssh to | ||
77 | detect if a host key changed due to DNS spoofing. If the option | ||
78 | is set to ``no'', the check will not be executed. The default is | ||
79 | ``yes''. | ||
80 | |||
81 | Cipher Specifies the cipher to use for encrypting the session in | ||
82 | protocol version 1. Currently, ``blowfish'', ``3des'', and | ||
83 | ``des'' are supported. des is only supported in the ssh(1) | ||
84 | client for interoperability with legacy protocol 1 | ||
85 | implementations that do not support the 3des cipher. Its use is | ||
86 | strongly discouraged due to cryptographic weaknesses. The | ||
87 | default is ``3des''. | ||
88 | |||
89 | Ciphers | ||
90 | Specifies the ciphers allowed for protocol version 2 in order of | ||
91 | preference. Multiple ciphers must be comma-separated. The | ||
92 | supported ciphers are ``3des-cbc'', ``aes128-cbc'', | ||
93 | ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', | ||
94 | ``aes256-ctr'', ``arcfour128'', ``arcfour256'', ``arcfour'', | ||
95 | ``blowfish-cbc'', and ``cast128-cbc''. The default is: | ||
96 | |||
97 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, | ||
98 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, | ||
99 | aes256-cbc,arcfour | ||
100 | |||
101 | ClearAllForwardings | ||
102 | Specifies that all local, remote, and dynamic port forwardings | ||
103 | specified in the configuration files or on the command line be | ||
104 | cleared. This option is primarily useful when used from the | ||
105 | ssh(1) command line to clear port forwardings set in | ||
106 | configuration files, and is automatically set by scp(1) and | ||
107 | sftp(1). The argument must be ``yes'' or ``no''. The default is | ||
108 | ``no''. | ||
109 | |||
110 | Compression | ||
111 | Specifies whether to use compression. The argument must be | ||
112 | ``yes'' or ``no''. The default is ``no''. | ||
113 | |||
114 | CompressionLevel | ||
115 | Specifies the compression level to use if compression is enabled. | ||
116 | The argument must be an integer from 1 (fast) to 9 (slow, best). | ||
117 | The default level is 6, which is good for most applications. The | ||
118 | meaning of the values is the same as in gzip(1). Note that this | ||
119 | option applies to protocol version 1 only. | ||
120 | |||
121 | ConnectionAttempts | ||
122 | Specifies the number of tries (one per second) to make before | ||
123 | exiting. The argument must be an integer. This may be useful in | ||
124 | scripts if the connection sometimes fails. The default is 1. | ||
125 | |||
126 | ConnectTimeout | ||
127 | Specifies the timeout (in seconds) used when connecting to the | ||
128 | SSH server, instead of using the default system TCP timeout. | ||
129 | This value is used only when the target is down or really | ||
130 | unreachable, not when it refuses the connection. | ||
131 | |||
132 | ControlMaster | ||
133 | Enables the sharing of multiple sessions over a single network | ||
134 | connection. When set to ``yes'', ssh(1) will listen for | ||
135 | connections on a control socket specified using the ControlPath | ||
136 | argument. Additional sessions can connect to this socket using | ||
137 | the same ControlPath with ControlMaster set to ``no'' (the | ||
138 | default). These sessions will try to reuse the master instance's | ||
139 | network connection rather than initiating new ones, but will fall | ||
140 | back to connecting normally if the control socket does not exist, | ||
141 | or is not listening. | ||
142 | |||
143 | Setting this to ``ask'' will cause ssh to listen for control | ||
144 | connections, but require confirmation using the SSH_ASKPASS | ||
145 | program before they are accepted (see ssh-add(1) for details). | ||
146 | If the ControlPath cannot be opened, ssh will continue without | ||
147 | connecting to a master instance. | ||
148 | |||
149 | X11 and ssh-agent(1) forwarding is supported over these | ||
150 | multiplexed connections, however the display and agent forwarded | ||
151 | will be the one belonging to the master connection i.e. it is not | ||
152 | possible to forward multiple displays or agents. | ||
153 | |||
154 | Two additional options allow for opportunistic multiplexing: try | ||
155 | to use a master connection but fall back to creating a new one if | ||
156 | one does not already exist. These options are: ``auto'' and | ||
157 | ``autoask''. The latter requires confirmation like the ``ask'' | ||
158 | option. | ||
159 | |||
160 | ControlPath | ||
161 | Specify the path to the control socket used for connection | ||
162 | sharing as described in the ControlMaster section above or the | ||
163 | string ``none'' to disable connection sharing. In the path, `%l' | ||
164 | will be substituted by the local host name, `%h' will be | ||
165 | substituted by the target host name, `%p' the port, and `%r' by | ||
166 | the remote login username. It is recommended that any | ||
167 | ControlPath used for opportunistic connection sharing include at | ||
168 | least %h, %p, and %r. This ensures that shared connections are | ||
169 | uniquely identified. | ||
170 | |||
171 | ControlPersist | ||
172 | When used in conjunction with ControlMaster, specifies that the | ||
173 | master connection should remain open in the background (waiting | ||
174 | for future client connections) after the initial client | ||
175 | connection has been closed. If set to ``no'', then the master | ||
176 | connection will not be placed into the background, and will close | ||
177 | as soon as the initial client connection is closed. If set to | ||
178 | ``yes'', then the master connection will remain in the background | ||
179 | indefinitely (until killed or closed via a mechanism such as the | ||
180 | ssh(1) ``-O exit'' option). If set to a time in seconds, or a | ||
181 | time in any of the formats documented in sshd_config(5), then the | ||
182 | backgrounded master connection will automatically terminate after | ||
183 | it has remained idle (with no client connections) for the | ||
184 | specified time. | ||
185 | |||
186 | DynamicForward | ||
187 | Specifies that a TCP port on the local machine be forwarded over | ||
188 | the secure channel, and the application protocol is then used to | ||
189 | determine where to connect to from the remote machine. | ||
190 | |||
191 | The argument must be [bind_address:]port. IPv6 addresses can be | ||
192 | specified by enclosing addresses in square brackets. By default, | ||
193 | the local port is bound in accordance with the GatewayPorts | ||
194 | setting. However, an explicit bind_address may be used to bind | ||
195 | the connection to a specific address. The bind_address of | ||
196 | ``localhost'' indicates that the listening port be bound for | ||
197 | local use only, while an empty address or `*' indicates that the | ||
198 | port should be available from all interfaces. | ||
199 | |||
200 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | ||
201 | ssh(1) will act as a SOCKS server. Multiple forwardings may be | ||
202 | specified, and additional forwardings can be given on the command | ||
203 | line. Only the superuser can forward privileged ports. | ||
204 | |||
205 | EnableSSHKeysign | ||
206 | Setting this option to ``yes'' in the global client configuration | ||
207 | file /etc/ssh/ssh_config enables the use of the helper program | ||
208 | ssh-keysign(8) during HostbasedAuthentication. The argument must | ||
209 | be ``yes'' or ``no''. The default is ``no''. This option should | ||
210 | be placed in the non-hostspecific section. See ssh-keysign(8) | ||
211 | for more information. | ||
212 | |||
213 | EscapeChar | ||
214 | Sets the escape character (default: `~'). The escape character | ||
215 | can also be set on the command line. The argument should be a | ||
216 | single character, `^' followed by a letter, or ``none'' to | ||
217 | disable the escape character entirely (making the connection | ||
218 | transparent for binary data). | ||
219 | |||
220 | ExitOnForwardFailure | ||
221 | Specifies whether ssh(1) should terminate the connection if it | ||
222 | cannot set up all requested dynamic, tunnel, local, and remote | ||
223 | port forwardings. The argument must be ``yes'' or ``no''. The | ||
224 | default is ``no''. | ||
225 | |||
226 | ForwardAgent | ||
227 | Specifies whether the connection to the authentication agent (if | ||
228 | any) will be forwarded to the remote machine. The argument must | ||
229 | be ``yes'' or ``no''. The default is ``no''. | ||
230 | |||
231 | Agent forwarding should be enabled with caution. Users with the | ||
232 | ability to bypass file permissions on the remote host (for the | ||
233 | agent's Unix-domain socket) can access the local agent through | ||
234 | the forwarded connection. An attacker cannot obtain key material | ||
235 | from the agent, however they can perform operations on the keys | ||
236 | that enable them to authenticate using the identities loaded into | ||
237 | the agent. | ||
238 | |||
239 | ForwardX11 | ||
240 | Specifies whether X11 connections will be automatically | ||
241 | redirected over the secure channel and DISPLAY set. The argument | ||
242 | must be ``yes'' or ``no''. The default is ``no''. | ||
243 | |||
244 | X11 forwarding should be enabled with caution. Users with the | ||
245 | ability to bypass file permissions on the remote host (for the | ||
246 | user's X11 authorization database) can access the local X11 | ||
247 | display through the forwarded connection. An attacker may then | ||
248 | be able to perform activities such as keystroke monitoring if the | ||
249 | ForwardX11Trusted option is also enabled. | ||
250 | |||
251 | ForwardX11Timeout | ||
252 | Specify a timeout for untrusted X11 forwarding using the format | ||
253 | described in the TIME FORMATS section of sshd_config(5). X11 | ||
254 | connections received by ssh(1) after this time will be refused. | ||
255 | The default is to disable untrusted X11 forwarding after twenty | ||
256 | minutes has elapsed. | ||
257 | |||
258 | ForwardX11Trusted | ||
259 | If this option is set to ``yes'', remote X11 clients will have | ||
260 | full access to the original X11 display. | ||
261 | |||
262 | If this option is set to ``no'', remote X11 clients will be | ||
263 | considered untrusted and prevented from stealing or tampering | ||
264 | with data belonging to trusted X11 clients. Furthermore, the | ||
265 | xauth(1) token used for the session will be set to expire after | ||
266 | 20 minutes. Remote clients will be refused access after this | ||
267 | time. | ||
268 | |||
269 | The default is ``no''. | ||
270 | |||
271 | See the X11 SECURITY extension specification for full details on | ||
272 | the restrictions imposed on untrusted clients. | ||
273 | |||
274 | GatewayPorts | ||
275 | Specifies whether remote hosts are allowed to connect to local | ||
276 | forwarded ports. By default, ssh(1) binds local port forwardings | ||
277 | to the loopback address. This prevents other remote hosts from | ||
278 | connecting to forwarded ports. GatewayPorts can be used to | ||
279 | specify that ssh should bind local port forwardings to the | ||
280 | wildcard address, thus allowing remote hosts to connect to | ||
281 | forwarded ports. The argument must be ``yes'' or ``no''. The | ||
282 | default is ``no''. | ||
283 | |||
284 | GlobalKnownHostsFile | ||
285 | Specifies a file to use for the global host key database instead | ||
286 | of /etc/ssh/ssh_known_hosts. | ||
287 | |||
288 | GSSAPIAuthentication | ||
289 | Specifies whether user authentication based on GSSAPI is allowed. | ||
290 | The default is ``no''. Note that this option applies to protocol | ||
291 | version 2 only. | ||
292 | |||
293 | GSSAPIDelegateCredentials | ||
294 | Forward (delegate) credentials to the server. The default is | ||
295 | ``no''. Note that this option applies to protocol version 2 | ||
296 | only. | ||
297 | |||
298 | HashKnownHosts | ||
299 | Indicates that ssh(1) should hash host names and addresses when | ||
300 | they are added to ~/.ssh/known_hosts. These hashed names may be | ||
301 | used normally by ssh(1) and sshd(8), but they do not reveal | ||
302 | identifying information should the file's contents be disclosed. | ||
303 | The default is ``no''. Note that existing names and addresses in | ||
304 | known hosts files will not be converted automatically, but may be | ||
305 | manually hashed using ssh-keygen(1). | ||
306 | |||
307 | HostbasedAuthentication | ||
308 | Specifies whether to try rhosts based authentication with public | ||
309 | key authentication. The argument must be ``yes'' or ``no''. The | ||
310 | default is ``no''. This option applies to protocol version 2 | ||
311 | only and is similar to RhostsRSAAuthentication. | ||
312 | |||
313 | HostKeyAlgorithms | ||
314 | Specifies the protocol version 2 host key algorithms that the | ||
315 | client wants to use in order of preference. The default for this | ||
316 | option is: ``ssh-rsa,ssh-dss''. | ||
317 | |||
318 | HostKeyAlias | ||
319 | Specifies an alias that should be used instead of the real host | ||
320 | name when looking up or saving the host key in the host key | ||
321 | database files. This option is useful for tunneling SSH | ||
322 | connections or for multiple servers running on a single host. | ||
323 | |||
324 | HostName | ||
325 | Specifies the real host name to log into. This can be used to | ||
326 | specify nicknames or abbreviations for hosts. If the hostname | ||
327 | contains the character sequence `%h', then this will be replaced | ||
328 | with the host name specified on the commandline (this is useful | ||
329 | for manipulating unqualified names). The default is the name | ||
330 | given on the command line. Numeric IP addresses are also | ||
331 | permitted (both on the command line and in HostName | ||
332 | specifications). | ||
333 | |||
334 | IdentitiesOnly | ||
335 | Specifies that ssh(1) should only use the authentication identity | ||
336 | files configured in the ssh_config files, even if ssh-agent(1) | ||
337 | offers more identities. The argument to this keyword must be | ||
338 | ``yes'' or ``no''. This option is intended for situations where | ||
339 | ssh-agent offers many different identities. The default is | ||
340 | ``no''. | ||
341 | |||
342 | IdentityFile | ||
343 | Specifies a file from which the user's RSA or DSA authentication | ||
344 | identity is read. The default is ~/.ssh/identity for protocol | ||
345 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol | ||
346 | version 2. Additionally, any identities represented by the | ||
347 | authentication agent will be used for authentication. ssh(1) | ||
348 | will try to load certificate information from the filename | ||
349 | obtained by appending -cert.pub to the path of a specified | ||
350 | IdentityFile. | ||
351 | |||
352 | The file name may use the tilde syntax to refer to a user's home | ||
353 | directory or one of the following escape characters: `%d' (local | ||
354 | user's home directory), `%u' (local user name), `%l' (local host | ||
355 | name), `%h' (remote host name) or `%r' (remote user name). | ||
356 | |||
357 | It is possible to have multiple identity files specified in | ||
358 | configuration files; all these identities will be tried in | ||
359 | sequence. | ||
360 | |||
361 | KbdInteractiveAuthentication | ||
362 | Specifies whether to use keyboard-interactive authentication. | ||
363 | The argument to this keyword must be ``yes'' or ``no''. The | ||
364 | default is ``yes''. | ||
365 | |||
366 | KbdInteractiveDevices | ||
367 | Specifies the list of methods to use in keyboard-interactive | ||
368 | authentication. Multiple method names must be comma-separated. | ||
369 | The default is to use the server specified list. The methods | ||
370 | available vary depending on what the server supports. For an | ||
371 | OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'', | ||
372 | and ``skey''. | ||
373 | |||
374 | LocalCommand | ||
375 | Specifies a command to execute on the local machine after | ||
376 | successfully connecting to the server. The command string | ||
377 | extends to the end of the line, and is executed with the user's | ||
378 | shell. The following escape character substitutions will be | ||
379 | performed: `%d' (local user's home directory), `%h' (remote host | ||
380 | name), `%l' (local host name), `%n' (host name as provided on the | ||
381 | command line), `%p' (remote port), `%r' (remote user name) or | ||
382 | `%u' (local user name). | ||
383 | |||
384 | The command is run synchronously and does not have access to the | ||
385 | session of the ssh(1) that spawned it. It should not be used for | ||
386 | interactive commands. | ||
387 | |||
388 | This directive is ignored unless PermitLocalCommand has been | ||
389 | enabled. | ||
390 | |||
391 | LocalForward | ||
392 | Specifies that a TCP port on the local machine be forwarded over | ||
393 | the secure channel to the specified host and port from the remote | ||
394 | machine. The first argument must be [bind_address:]port and the | ||
395 | second argument must be host:hostport. IPv6 addresses can be | ||
396 | specified by enclosing addresses in square brackets. Multiple | ||
397 | forwardings may be specified, and additional forwardings can be | ||
398 | given on the command line. Only the superuser can forward | ||
399 | privileged ports. By default, the local port is bound in | ||
400 | accordance with the GatewayPorts setting. However, an explicit | ||
401 | bind_address may be used to bind the connection to a specific | ||
402 | address. The bind_address of ``localhost'' indicates that the | ||
403 | listening port be bound for local use only, while an empty | ||
404 | address or `*' indicates that the port should be available from | ||
405 | all interfaces. | ||
406 | |||
407 | LogLevel | ||
408 | Gives the verbosity level that is used when logging messages from | ||
409 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, | ||
410 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | ||
411 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
412 | higher levels of verbose output. | ||
413 | |||
414 | MACs Specifies the MAC (message authentication code) algorithms in | ||
415 | order of preference. The MAC algorithm is used in protocol | ||
416 | version 2 for data integrity protection. Multiple algorithms | ||
417 | must be comma-separated. The default is: | ||
418 | |||
419 | hmac-md5,hmac-sha1,umac-64@openssh.com, | ||
420 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | ||
421 | |||
422 | NoHostAuthenticationForLocalhost | ||
423 | This option can be used if the home directory is shared across | ||
424 | machines. In this case localhost will refer to a different | ||
425 | machine on each of the machines and the user will get many | ||
426 | warnings about changed host keys. However, this option disables | ||
427 | host authentication for localhost. The argument to this keyword | ||
428 | must be ``yes'' or ``no''. The default is to check the host key | ||
429 | for localhost. | ||
430 | |||
431 | NumberOfPasswordPrompts | ||
432 | Specifies the number of password prompts before giving up. The | ||
433 | argument to this keyword must be an integer. The default is 3. | ||
434 | |||
435 | PasswordAuthentication | ||
436 | Specifies whether to use password authentication. The argument | ||
437 | to this keyword must be ``yes'' or ``no''. The default is | ||
438 | ``yes''. | ||
439 | |||
440 | PermitLocalCommand | ||
441 | Allow local command execution via the LocalCommand option or | ||
442 | using the !command escape sequence in ssh(1). The argument must | ||
443 | be ``yes'' or ``no''. The default is ``no''. | ||
444 | |||
445 | PKCS11Provider | ||
446 | Specifies which PKCS#11 provider to use. The argument to this | ||
447 | keyword is the PKCS#11 shared libary ssh(1) should use to | ||
448 | communicate with a PKCS#11 token providing the user's private RSA | ||
449 | key. | ||
450 | |||
451 | Port Specifies the port number to connect on the remote host. The | ||
452 | default is 22. | ||
453 | |||
454 | PreferredAuthentications | ||
455 | Specifies the order in which the client should try protocol 2 | ||
456 | authentication methods. This allows a client to prefer one | ||
457 | method (e.g. keyboard-interactive) over another method (e.g. | ||
458 | password). The default is: | ||
459 | |||
460 | gssapi-with-mic,hostbased,publickey, | ||
461 | keyboard-interactive,password | ||
462 | |||
463 | Protocol | ||
464 | Specifies the protocol versions ssh(1) should support in order of | ||
465 | preference. The possible values are `1' and `2'. Multiple | ||
466 | versions must be comma-separated. When this option is set to | ||
467 | ``2,1'' ssh will try version 2 and fall back to version 1 if | ||
468 | version 2 is not available. The default is `2'. | ||
469 | |||
470 | ProxyCommand | ||
471 | Specifies the command to use to connect to the server. The | ||
472 | command string extends to the end of the line, and is executed | ||
473 | with the user's shell. In the command string, any occurrence of | ||
474 | `%h' will be substituted by the host name to connect, `%p' by the | ||
475 | port, and `%r' by the remote user name. The command can be | ||
476 | basically anything, and should read from its standard input and | ||
477 | write to its standard output. It should eventually connect an | ||
478 | sshd(8) server running on some machine, or execute sshd -i | ||
479 | somewhere. Host key management will be done using the HostName | ||
480 | of the host being connected (defaulting to the name typed by the | ||
481 | user). Setting the command to ``none'' disables this option | ||
482 | entirely. Note that CheckHostIP is not available for connects | ||
483 | with a proxy command. | ||
484 | |||
485 | This directive is useful in conjunction with nc(1) and its proxy | ||
486 | support. For example, the following directive would connect via | ||
487 | an HTTP proxy at 192.0.2.0: | ||
488 | |||
489 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | ||
490 | |||
491 | PubkeyAuthentication | ||
492 | Specifies whether to try public key authentication. The argument | ||
493 | to this keyword must be ``yes'' or ``no''. The default is | ||
494 | ``yes''. This option applies to protocol version 2 only. | ||
495 | |||
496 | RekeyLimit | ||
497 | Specifies the maximum amount of data that may be transmitted | ||
498 | before the session key is renegotiated. The argument is the | ||
499 | number of bytes, with an optional suffix of `K', `M', or `G' to | ||
500 | indicate Kilobytes, Megabytes, or Gigabytes, respectively. The | ||
501 | default is between `1G' and `4G', depending on the cipher. This | ||
502 | option applies to protocol version 2 only. | ||
503 | |||
504 | RemoteForward | ||
505 | Specifies that a TCP port on the remote machine be forwarded over | ||
506 | the secure channel to the specified host and port from the local | ||
507 | machine. The first argument must be [bind_address:]port and the | ||
508 | second argument must be host:hostport. IPv6 addresses can be | ||
509 | specified by enclosing addresses in square brackets. Multiple | ||
510 | forwardings may be specified, and additional forwardings can be | ||
511 | given on the command line. Privileged ports can be forwarded | ||
512 | only when logging in as root on the remote machine. | ||
513 | |||
514 | If the port argument is `0', the listen port will be dynamically | ||
515 | allocated on the server and reported to the client at run time. | ||
516 | |||
517 | If the bind_address is not specified, the default is to only bind | ||
518 | to loopback addresses. If the bind_address is `*' or an empty | ||
519 | string, then the forwarding is requested to listen on all | ||
520 | interfaces. Specifying a remote bind_address will only succeed | ||
521 | if the server's GatewayPorts option is enabled (see | ||
522 | sshd_config(5)). | ||
523 | |||
524 | RhostsRSAAuthentication | ||
525 | Specifies whether to try rhosts based authentication with RSA | ||
526 | host authentication. The argument must be ``yes'' or ``no''. | ||
527 | The default is ``no''. This option applies to protocol version 1 | ||
528 | only and requires ssh(1) to be setuid root. | ||
529 | |||
530 | RSAAuthentication | ||
531 | Specifies whether to try RSA authentication. The argument to | ||
532 | this keyword must be ``yes'' or ``no''. RSA authentication will | ||
533 | only be attempted if the identity file exists, or an | ||
534 | authentication agent is running. The default is ``yes''. Note | ||
535 | that this option applies to protocol version 1 only. | ||
536 | |||
537 | SendEnv | ||
538 | Specifies what variables from the local environ(7) should be sent | ||
539 | to the server. Note that environment passing is only supported | ||
540 | for protocol 2. The server must also support it, and the server | ||
541 | must be configured to accept these environment variables. Refer | ||
542 | to AcceptEnv in sshd_config(5) for how to configure the server. | ||
543 | Variables are specified by name, which may contain wildcard | ||
544 | characters. Multiple environment variables may be separated by | ||
545 | whitespace or spread across multiple SendEnv directives. The | ||
546 | default is not to send any environment variables. | ||
547 | |||
548 | See PATTERNS for more information on patterns. | ||
549 | |||
550 | ServerAliveCountMax | ||
551 | Sets the number of server alive messages (see below) which may be | ||
552 | sent without ssh(1) receiving any messages back from the server. | ||
553 | If this threshold is reached while server alive messages are | ||
554 | being sent, ssh will disconnect from the server, terminating the | ||
555 | session. It is important to note that the use of server alive | ||
556 | messages is very different from TCPKeepAlive (below). The server | ||
557 | alive messages are sent through the encrypted channel and | ||
558 | therefore will not be spoofable. The TCP keepalive option | ||
559 | enabled by TCPKeepAlive is spoofable. The server alive mechanism | ||
560 | is valuable when the client or server depend on knowing when a | ||
561 | connection has become inactive. | ||
562 | |||
563 | The default value is 3. If, for example, ServerAliveInterval | ||
564 | (see below) is set to 15 and ServerAliveCountMax is left at the | ||
565 | default, if the server becomes unresponsive, ssh will disconnect | ||
566 | after approximately 45 seconds. This option applies to protocol | ||
567 | version 2 only. | ||
568 | |||
569 | ServerAliveInterval | ||
570 | Sets a timeout interval in seconds after which if no data has | ||
571 | been received from the server, ssh(1) will send a message through | ||
572 | the encrypted channel to request a response from the server. The | ||
573 | default is 0, indicating that these messages will not be sent to | ||
574 | the server. This option applies to protocol version 2 only. | ||
575 | |||
576 | StrictHostKeyChecking | ||
577 | If this flag is set to ``yes'', ssh(1) will never automatically | ||
578 | add host keys to the ~/.ssh/known_hosts file, and refuses to | ||
579 | connect to hosts whose host key has changed. This provides | ||
580 | maximum protection against trojan horse attacks, though it can be | ||
581 | annoying when the /etc/ssh/ssh_known_hosts file is poorly | ||
582 | maintained or when connections to new hosts are frequently made. | ||
583 | This option forces the user to manually add all new hosts. If | ||
584 | this flag is set to ``no'', ssh will automatically add new host | ||
585 | keys to the user known hosts files. If this flag is set to | ||
586 | ``ask'', new host keys will be added to the user known host files | ||
587 | only after the user has confirmed that is what they really want | ||
588 | to do, and ssh will refuse to connect to hosts whose host key has | ||
589 | changed. The host keys of known hosts will be verified | ||
590 | automatically in all cases. The argument must be ``yes'', | ||
591 | ``no'', or ``ask''. The default is ``ask''. | ||
592 | |||
593 | TCPKeepAlive | ||
594 | Specifies whether the system should send TCP keepalive messages | ||
595 | to the other side. If they are sent, death of the connection or | ||
596 | crash of one of the machines will be properly noticed. However, | ||
597 | this means that connections will die if the route is down | ||
598 | temporarily, and some people find it annoying. | ||
599 | |||
600 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
601 | client will notice if the network goes down or the remote host | ||
602 | dies. This is important in scripts, and many users want it too. | ||
603 | |||
604 | To disable TCP keepalive messages, the value should be set to | ||
605 | ``no''. | ||
606 | |||
607 | Tunnel Request tun(4) device forwarding between the client and the | ||
608 | server. The argument must be ``yes'', ``point-to-point'' (layer | ||
609 | 3), ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' | ||
610 | requests the default tunnel mode, which is ``point-to-point''. | ||
611 | The default is ``no''. | ||
612 | |||
613 | TunnelDevice | ||
614 | Specifies the tun(4) devices to open on the client (local_tun) | ||
615 | and the server (remote_tun). | ||
616 | |||
617 | The argument must be local_tun [:remote_tun]. The devices may be | ||
618 | specified by numerical ID or the keyword ``any'', which uses the | ||
619 | next available tunnel device. If remote_tun is not specified, it | ||
620 | defaults to ``any''. The default is ``any:any''. | ||
621 | |||
622 | UsePrivilegedPort | ||
623 | Specifies whether to use a privileged port for outgoing | ||
624 | connections. The argument must be ``yes'' or ``no''. The | ||
625 | default is ``no''. If set to ``yes'', ssh(1) must be setuid | ||
626 | root. Note that this option must be set to ``yes'' for | ||
627 | RhostsRSAAuthentication with older servers. | ||
628 | |||
629 | User Specifies the user to log in as. This can be useful when a | ||
630 | different user name is used on different machines. This saves | ||
631 | the trouble of having to remember to give the user name on the | ||
632 | command line. | ||
633 | |||
634 | UserKnownHostsFile | ||
635 | Specifies a file to use for the user host key database instead of | ||
636 | ~/.ssh/known_hosts. | ||
637 | |||
638 | VerifyHostKeyDNS | ||
639 | Specifies whether to verify the remote key using DNS and SSHFP | ||
640 | resource records. If this option is set to ``yes'', the client | ||
641 | will implicitly trust keys that match a secure fingerprint from | ||
642 | DNS. Insecure fingerprints will be handled as if this option was | ||
643 | set to ``ask''. If this option is set to ``ask'', information on | ||
644 | fingerprint match will be displayed, but the user will still need | ||
645 | to confirm new host keys according to the StrictHostKeyChecking | ||
646 | option. The argument must be ``yes'', ``no'', or ``ask''. The | ||
647 | default is ``no''. Note that this option applies to protocol | ||
648 | version 2 only. | ||
649 | |||
650 | See also VERIFYING HOST KEYS in ssh(1). | ||
651 | |||
652 | VisualHostKey | ||
653 | If this flag is set to ``yes'', an ASCII art representation of | ||
654 | the remote host key fingerprint is printed in addition to the hex | ||
655 | fingerprint string at login and for unknown host keys. If this | ||
656 | flag is set to ``no'', no fingerprint strings are printed at | ||
657 | login and only the hex fingerprint string will be printed for | ||
658 | unknown host keys. The default is ``no''. | ||
659 | |||
660 | XAuthLocation | ||
661 | Specifies the full pathname of the xauth(1) program. The default | ||
662 | is /usr/X11R6/bin/xauth. | ||
663 | |||
664 | PATTERNS | ||
665 | A pattern consists of zero or more non-whitespace characters, `*' (a | ||
666 | wildcard that matches zero or more characters), or `?' (a wildcard that | ||
667 | matches exactly one character). For example, to specify a set of | ||
668 | declarations for any host in the ``.co.uk'' set of domains, the following | ||
669 | pattern could be used: | ||
670 | |||
671 | Host *.co.uk | ||
672 | |||
673 | The following pattern would match any host in the 192.168.0.[0-9] network | ||
674 | range: | ||
675 | |||
676 | Host 192.168.0.? | ||
677 | |||
678 | A pattern-list is a comma-separated list of patterns. Patterns within | ||
679 | pattern-lists may be negated by preceding them with an exclamation mark | ||
680 | (`!'). For example, to allow a key to be used from anywhere within an | ||
681 | organisation except from the ``dialup'' pool, the following entry (in | ||
682 | authorized_keys) could be used: | ||
683 | |||
684 | from="!*.dialup.example.com,*.example.com" | ||
685 | |||
686 | FILES | ||
687 | ~/.ssh/config | ||
688 | This is the per-user configuration file. The format of this file | ||
689 | is described above. This file is used by the SSH client. | ||
690 | Because of the potential for abuse, this file must have strict | ||
691 | permissions: read/write for the user, and not accessible by | ||
692 | others. | ||
693 | |||
694 | /etc/ssh/ssh_config | ||
695 | Systemwide configuration file. This file provides defaults for | ||
696 | those values that are not specified in the user's configuration | ||
697 | file, and for those users who do not have a configuration file. | ||
698 | This file must be world-readable. | ||
699 | |||
700 | SEE ALSO | ||
701 | ssh(1) | ||
702 | |||
703 | AUTHORS | ||
704 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
705 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
706 | de Raadt and Dug Song removed many bugs, re-added newer features and | ||
707 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
708 | versions 1.5 and 2.0. | ||
709 | |||
710 | OpenBSD 4.8 August 4, 2010 OpenBSD 4.8 | ||