diff options
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 889 |
1 files changed, 889 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0 new file mode 100644 index 000000000..6fbd10d61 --- /dev/null +++ b/ssh_config.0 | |||
@@ -0,0 +1,889 @@ | |||
1 | SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | ssh_config - OpenSSH SSH client configuration files | ||
5 | |||
6 | SYNOPSIS | ||
7 | ~/.ssh/config | ||
8 | /etc/ssh/ssh_config | ||
9 | |||
10 | DESCRIPTION | ||
11 | ssh(1) obtains configuration data from the following sources in the | ||
12 | following order: | ||
13 | |||
14 | 1. command-line options | ||
15 | 2. user's configuration file (~/.ssh/config) | ||
16 | 3. system-wide configuration file (/etc/ssh/ssh_config) | ||
17 | |||
18 | For each parameter, the first obtained value will be used. The | ||
19 | configuration files contain sections separated by ``Host'' | ||
20 | specifications, and that section is only applied for hosts that match one | ||
21 | of the patterns given in the specification. The matched host name is the | ||
22 | one given on the command line. | ||
23 | |||
24 | Since the first obtained value for each parameter is used, more host- | ||
25 | specific declarations should be given near the beginning of the file, and | ||
26 | general defaults at the end. | ||
27 | |||
28 | The configuration file has the following format: | ||
29 | |||
30 | Empty lines and lines starting with `#' are comments. Otherwise a line | ||
31 | is of the format ``keyword arguments''. Configuration options may be | ||
32 | separated by whitespace or optional whitespace and exactly one `='; the | ||
33 | latter format is useful to avoid the need to quote whitespace when | ||
34 | specifying configuration options using the ssh, scp, and sftp -o option. | ||
35 | Arguments may optionally be enclosed in double quotes (") in order to | ||
36 | represent arguments containing spaces. | ||
37 | |||
38 | The possible keywords and their meanings are as follows (note that | ||
39 | keywords are case-insensitive and arguments are case-sensitive): | ||
40 | |||
41 | Host Restricts the following declarations (up to the next Host or | ||
42 | Match keyword) to be only for those hosts that match one of the | ||
43 | patterns given after the keyword. If more than one pattern is | ||
44 | provided, they should be separated by whitespace. A single `*' | ||
45 | as a pattern can be used to provide global defaults for all | ||
46 | hosts. The host is the hostname argument given on the command | ||
47 | line (i.e. the name is not converted to a canonicalized host name | ||
48 | before matching). | ||
49 | |||
50 | A pattern entry may be negated by prefixing it with an | ||
51 | exclamation mark (`!'). If a negated entry is matched, then the | ||
52 | Host entry is ignored, regardless of whether any other patterns | ||
53 | on the line match. Negated matches are therefore useful to | ||
54 | provide exceptions for wildcard matches. | ||
55 | |||
56 | See PATTERNS for more information on patterns. | ||
57 | |||
58 | Match Restricts the following declarations (up to the next Host or | ||
59 | Match keyword) to be used only when the conditions following the | ||
60 | Match keyword are satisfied. Match conditions are specified | ||
61 | using one or more keyword/criteria pairs or the single token all | ||
62 | which matches all criteria. The available keywords are: exec, | ||
63 | host, originalhost, user, and localuser. | ||
64 | |||
65 | The exec keyword executes the specified command under the user's | ||
66 | shell. If the command returns a zero exit status then the | ||
67 | condition is considered true. Commands containing whitespace | ||
68 | characters must be quoted. The following character sequences in | ||
69 | the command will be expanded prior to execution: `%L' will be | ||
70 | substituted by the first component of the local host name, `%l' | ||
71 | will be substituted by the local host name (including any domain | ||
72 | name), `%h' will be substituted by the target host name, `%n' | ||
73 | will be substituted by the original target host name specified on | ||
74 | the command-line, `%p' the destination port, `%r' by the remote | ||
75 | login username, and `%u' by the username of the user running | ||
76 | ssh(1). | ||
77 | |||
78 | The other keywords' criteria must be single entries or comma- | ||
79 | separated lists and may use the wildcard and negation operators | ||
80 | described in the PATTERNS section. The criteria for the host | ||
81 | keyword are matched against the target hostname, after any | ||
82 | substitution by the Hostname option. The originalhost keyword | ||
83 | matches against the hostname as it was specified on the command- | ||
84 | line. The user keyword matches against the target username on | ||
85 | the remote host. The localuser keyword matches against the name | ||
86 | of the local user running ssh(1) (this keyword may be useful in | ||
87 | system-wide ssh_config files). | ||
88 | |||
89 | AddressFamily | ||
90 | Specifies which address family to use when connecting. Valid | ||
91 | arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' | ||
92 | (use IPv6 only). | ||
93 | |||
94 | BatchMode | ||
95 | If set to ``yes'', passphrase/password querying will be disabled. | ||
96 | This option is useful in scripts and other batch jobs where no | ||
97 | user is present to supply the password. The argument must be | ||
98 | ``yes'' or ``no''. The default is ``no''. | ||
99 | |||
100 | BindAddress | ||
101 | Use the specified address on the local machine as the source | ||
102 | address of the connection. Only useful on systems with more than | ||
103 | one address. Note that this option does not work if | ||
104 | UsePrivilegedPort is set to ``yes''. | ||
105 | |||
106 | CanonicalDomains | ||
107 | When CanonicalizeHostname is enabled, this option specifies the | ||
108 | list of domain suffixes in which to search for the specified | ||
109 | destination host. | ||
110 | |||
111 | CanonicalizeFallbackLocal | ||
112 | Specifies whether to fail with an error when hostname | ||
113 | canonicalization fails. The default, ``yes'', will attempt to | ||
114 | look up the unqualified hostname using the system resolver's | ||
115 | search rules. A value of ``no'' will cause ssh(1) to fail | ||
116 | instantly if CanonicalizeHostname is enabled and the target | ||
117 | hostname cannot be found in any of the domains specified by | ||
118 | CanonicalDomains. | ||
119 | |||
120 | CanonicalizeHostname | ||
121 | Controls whether explicit hostname canonicalization is performed. | ||
122 | The default, ``no'', is not to perform any name rewriting and let | ||
123 | the system resolver handle all hostname lookups. If set to | ||
124 | ``yes'' then, for connections that do not use a ProxyCommand, | ||
125 | ssh(1) will attempt to canonicalize the hostname specified on the | ||
126 | command line using the CanonicalDomains suffixes and | ||
127 | CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is | ||
128 | set to ``always'', then canonicalization is applied to proxied | ||
129 | connections too. | ||
130 | |||
131 | If this option is enabled and canonicalisation results in the | ||
132 | target hostname changing, then the configuration files are | ||
133 | processed again using the new target name to pick up any new | ||
134 | configuration in matching Host stanzas. | ||
135 | |||
136 | CanonicalizeMaxDots | ||
137 | Specifies the maximum number of dot characters in a hostname | ||
138 | before canonicalization is disabled. The default, ``1'', allows | ||
139 | a single dot (i.e. hostname.subdomain). | ||
140 | |||
141 | CanonicalizePermittedCNAMEs | ||
142 | Specifies rules to determine whether CNAMEs should be followed | ||
143 | when canonicalizing hostnames. The rules consist of one or more | ||
144 | arguments of source_domain_list:target_domain_list, where | ||
145 | source_domain_list is a pattern-list of domains that may follow | ||
146 | CNAMEs in canonicalization, and target_domain_list is a pattern- | ||
147 | list of domains that they may resolve to. | ||
148 | |||
149 | For example, ``*.a.example.com:*.b.example.com,*.c.example.com'' | ||
150 | will allow hostnames matching ``*.a.example.com'' to be | ||
151 | canonicalized to names in the ``*.b.example.com'' or | ||
152 | ``*.c.example.com'' domains. | ||
153 | |||
154 | ChallengeResponseAuthentication | ||
155 | Specifies whether to use challenge-response authentication. The | ||
156 | argument to this keyword must be ``yes'' or ``no''. The default | ||
157 | is ``yes''. | ||
158 | |||
159 | CheckHostIP | ||
160 | If this flag is set to ``yes'', ssh(1) will additionally check | ||
161 | the host IP address in the known_hosts file. This allows ssh to | ||
162 | detect if a host key changed due to DNS spoofing. If the option | ||
163 | is set to ``no'', the check will not be executed. The default is | ||
164 | ``yes''. | ||
165 | |||
166 | Cipher Specifies the cipher to use for encrypting the session in | ||
167 | protocol version 1. Currently, ``blowfish'', ``3des'', and | ||
168 | ``des'' are supported. des is only supported in the ssh(1) | ||
169 | client for interoperability with legacy protocol 1 | ||
170 | implementations that do not support the 3des cipher. Its use is | ||
171 | strongly discouraged due to cryptographic weaknesses. The | ||
172 | default is ``3des''. | ||
173 | |||
174 | Ciphers | ||
175 | Specifies the ciphers allowed for protocol version 2 in order of | ||
176 | preference. Multiple ciphers must be comma-separated. The | ||
177 | supported ciphers are: | ||
178 | |||
179 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | ||
180 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | ||
181 | ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', | ||
182 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', | ||
183 | ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''. | ||
184 | |||
185 | The default is: | ||
186 | |||
187 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, | ||
188 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | ||
189 | chacha20-poly1305@openssh.com, | ||
190 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, | ||
191 | aes256-cbc,arcfour | ||
192 | |||
193 | The list of available ciphers may also be obtained using the -Q | ||
194 | option of ssh(1). | ||
195 | |||
196 | ClearAllForwardings | ||
197 | Specifies that all local, remote, and dynamic port forwardings | ||
198 | specified in the configuration files or on the command line be | ||
199 | cleared. This option is primarily useful when used from the | ||
200 | ssh(1) command line to clear port forwardings set in | ||
201 | configuration files, and is automatically set by scp(1) and | ||
202 | sftp(1). The argument must be ``yes'' or ``no''. The default is | ||
203 | ``no''. | ||
204 | |||
205 | Compression | ||
206 | Specifies whether to use compression. The argument must be | ||
207 | ``yes'' or ``no''. The default is ``no''. | ||
208 | |||
209 | CompressionLevel | ||
210 | Specifies the compression level to use if compression is enabled. | ||
211 | The argument must be an integer from 1 (fast) to 9 (slow, best). | ||
212 | The default level is 6, which is good for most applications. The | ||
213 | meaning of the values is the same as in gzip(1). Note that this | ||
214 | option applies to protocol version 1 only. | ||
215 | |||
216 | ConnectionAttempts | ||
217 | Specifies the number of tries (one per second) to make before | ||
218 | exiting. The argument must be an integer. This may be useful in | ||
219 | scripts if the connection sometimes fails. The default is 1. | ||
220 | |||
221 | ConnectTimeout | ||
222 | Specifies the timeout (in seconds) used when connecting to the | ||
223 | SSH server, instead of using the default system TCP timeout. | ||
224 | This value is used only when the target is down or really | ||
225 | unreachable, not when it refuses the connection. | ||
226 | |||
227 | ControlMaster | ||
228 | Enables the sharing of multiple sessions over a single network | ||
229 | connection. When set to ``yes'', ssh(1) will listen for | ||
230 | connections on a control socket specified using the ControlPath | ||
231 | argument. Additional sessions can connect to this socket using | ||
232 | the same ControlPath with ControlMaster set to ``no'' (the | ||
233 | default). These sessions will try to reuse the master instance's | ||
234 | network connection rather than initiating new ones, but will fall | ||
235 | back to connecting normally if the control socket does not exist, | ||
236 | or is not listening. | ||
237 | |||
238 | Setting this to ``ask'' will cause ssh to listen for control | ||
239 | connections, but require confirmation using the SSH_ASKPASS | ||
240 | program before they are accepted (see ssh-add(1) for details). | ||
241 | If the ControlPath cannot be opened, ssh will continue without | ||
242 | connecting to a master instance. | ||
243 | |||
244 | X11 and ssh-agent(1) forwarding is supported over these | ||
245 | multiplexed connections, however the display and agent forwarded | ||
246 | will be the one belonging to the master connection i.e. it is not | ||
247 | possible to forward multiple displays or agents. | ||
248 | |||
249 | Two additional options allow for opportunistic multiplexing: try | ||
250 | to use a master connection but fall back to creating a new one if | ||
251 | one does not already exist. These options are: ``auto'' and | ||
252 | ``autoask''. The latter requires confirmation like the ``ask'' | ||
253 | option. | ||
254 | |||
255 | ControlPath | ||
256 | Specify the path to the control socket used for connection | ||
257 | sharing as described in the ControlMaster section above or the | ||
258 | string ``none'' to disable connection sharing. In the path, `%L' | ||
259 | will be substituted by the first component of the local host | ||
260 | name, `%l' will be substituted by the local host name (including | ||
261 | any domain name), `%h' will be substituted by the target host | ||
262 | name, `%n' will be substituted by the original target host name | ||
263 | specified on the command line, `%p' the destination port, `%r' by | ||
264 | the remote login username, and `%u' by the username of the user | ||
265 | running ssh(1). It is recommended that any ControlPath used for | ||
266 | opportunistic connection sharing include at least %h, %p, and %r. | ||
267 | This ensures that shared connections are uniquely identified. | ||
268 | |||
269 | ControlPersist | ||
270 | When used in conjunction with ControlMaster, specifies that the | ||
271 | master connection should remain open in the background (waiting | ||
272 | for future client connections) after the initial client | ||
273 | connection has been closed. If set to ``no'', then the master | ||
274 | connection will not be placed into the background, and will close | ||
275 | as soon as the initial client connection is closed. If set to | ||
276 | ``yes'', then the master connection will remain in the background | ||
277 | indefinitely (until killed or closed via a mechanism such as the | ||
278 | ssh(1) ``-O exit'' option). If set to a time in seconds, or a | ||
279 | time in any of the formats documented in sshd_config(5), then the | ||
280 | backgrounded master connection will automatically terminate after | ||
281 | it has remained idle (with no client connections) for the | ||
282 | specified time. | ||
283 | |||
284 | DynamicForward | ||
285 | Specifies that a TCP port on the local machine be forwarded over | ||
286 | the secure channel, and the application protocol is then used to | ||
287 | determine where to connect to from the remote machine. | ||
288 | |||
289 | The argument must be [bind_address:]port. IPv6 addresses can be | ||
290 | specified by enclosing addresses in square brackets. By default, | ||
291 | the local port is bound in accordance with the GatewayPorts | ||
292 | setting. However, an explicit bind_address may be used to bind | ||
293 | the connection to a specific address. The bind_address of | ||
294 | ``localhost'' indicates that the listening port be bound for | ||
295 | local use only, while an empty address or `*' indicates that the | ||
296 | port should be available from all interfaces. | ||
297 | |||
298 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | ||
299 | ssh(1) will act as a SOCKS server. Multiple forwardings may be | ||
300 | specified, and additional forwardings can be given on the command | ||
301 | line. Only the superuser can forward privileged ports. | ||
302 | |||
303 | EnableSSHKeysign | ||
304 | Setting this option to ``yes'' in the global client configuration | ||
305 | file /etc/ssh/ssh_config enables the use of the helper program | ||
306 | ssh-keysign(8) during HostbasedAuthentication. The argument must | ||
307 | be ``yes'' or ``no''. The default is ``no''. This option should | ||
308 | be placed in the non-hostspecific section. See ssh-keysign(8) | ||
309 | for more information. | ||
310 | |||
311 | EscapeChar | ||
312 | Sets the escape character (default: `~'). The escape character | ||
313 | can also be set on the command line. The argument should be a | ||
314 | single character, `^' followed by a letter, or ``none'' to | ||
315 | disable the escape character entirely (making the connection | ||
316 | transparent for binary data). | ||
317 | |||
318 | ExitOnForwardFailure | ||
319 | Specifies whether ssh(1) should terminate the connection if it | ||
320 | cannot set up all requested dynamic, tunnel, local, and remote | ||
321 | port forwardings. The argument must be ``yes'' or ``no''. The | ||
322 | default is ``no''. | ||
323 | |||
324 | ForwardAgent | ||
325 | Specifies whether the connection to the authentication agent (if | ||
326 | any) will be forwarded to the remote machine. The argument must | ||
327 | be ``yes'' or ``no''. The default is ``no''. | ||
328 | |||
329 | Agent forwarding should be enabled with caution. Users with the | ||
330 | ability to bypass file permissions on the remote host (for the | ||
331 | agent's Unix-domain socket) can access the local agent through | ||
332 | the forwarded connection. An attacker cannot obtain key material | ||
333 | from the agent, however they can perform operations on the keys | ||
334 | that enable them to authenticate using the identities loaded into | ||
335 | the agent. | ||
336 | |||
337 | ForwardX11 | ||
338 | Specifies whether X11 connections will be automatically | ||
339 | redirected over the secure channel and DISPLAY set. The argument | ||
340 | must be ``yes'' or ``no''. The default is ``no''. | ||
341 | |||
342 | X11 forwarding should be enabled with caution. Users with the | ||
343 | ability to bypass file permissions on the remote host (for the | ||
344 | user's X11 authorization database) can access the local X11 | ||
345 | display through the forwarded connection. An attacker may then | ||
346 | be able to perform activities such as keystroke monitoring if the | ||
347 | ForwardX11Trusted option is also enabled. | ||
348 | |||
349 | ForwardX11Timeout | ||
350 | Specify a timeout for untrusted X11 forwarding using the format | ||
351 | described in the TIME FORMATS section of sshd_config(5). X11 | ||
352 | connections received by ssh(1) after this time will be refused. | ||
353 | The default is to disable untrusted X11 forwarding after twenty | ||
354 | minutes has elapsed. | ||
355 | |||
356 | ForwardX11Trusted | ||
357 | If this option is set to ``yes'', remote X11 clients will have | ||
358 | full access to the original X11 display. | ||
359 | |||
360 | If this option is set to ``no'', remote X11 clients will be | ||
361 | considered untrusted and prevented from stealing or tampering | ||
362 | with data belonging to trusted X11 clients. Furthermore, the | ||
363 | xauth(1) token used for the session will be set to expire after | ||
364 | 20 minutes. Remote clients will be refused access after this | ||
365 | time. | ||
366 | |||
367 | The default is ``no''. | ||
368 | |||
369 | See the X11 SECURITY extension specification for full details on | ||
370 | the restrictions imposed on untrusted clients. | ||
371 | |||
372 | GatewayPorts | ||
373 | Specifies whether remote hosts are allowed to connect to local | ||
374 | forwarded ports. By default, ssh(1) binds local port forwardings | ||
375 | to the loopback address. This prevents other remote hosts from | ||
376 | connecting to forwarded ports. GatewayPorts can be used to | ||
377 | specify that ssh should bind local port forwardings to the | ||
378 | wildcard address, thus allowing remote hosts to connect to | ||
379 | forwarded ports. The argument must be ``yes'' or ``no''. The | ||
380 | default is ``no''. | ||
381 | |||
382 | GlobalKnownHostsFile | ||
383 | Specifies one or more files to use for the global host key | ||
384 | database, separated by whitespace. The default is | ||
385 | /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. | ||
386 | |||
387 | GSSAPIAuthentication | ||
388 | Specifies whether user authentication based on GSSAPI is allowed. | ||
389 | The default is ``no''. Note that this option applies to protocol | ||
390 | version 2 only. | ||
391 | |||
392 | GSSAPIDelegateCredentials | ||
393 | Forward (delegate) credentials to the server. The default is | ||
394 | ``no''. Note that this option applies to protocol version 2 | ||
395 | only. | ||
396 | |||
397 | HashKnownHosts | ||
398 | Indicates that ssh(1) should hash host names and addresses when | ||
399 | they are added to ~/.ssh/known_hosts. These hashed names may be | ||
400 | used normally by ssh(1) and sshd(8), but they do not reveal | ||
401 | identifying information should the file's contents be disclosed. | ||
402 | The default is ``no''. Note that existing names and addresses in | ||
403 | known hosts files will not be converted automatically, but may be | ||
404 | manually hashed using ssh-keygen(1). | ||
405 | |||
406 | HostbasedAuthentication | ||
407 | Specifies whether to try rhosts based authentication with public | ||
408 | key authentication. The argument must be ``yes'' or ``no''. The | ||
409 | default is ``no''. This option applies to protocol version 2 | ||
410 | only and is similar to RhostsRSAAuthentication. | ||
411 | |||
412 | HostKeyAlgorithms | ||
413 | Specifies the protocol version 2 host key algorithms that the | ||
414 | client wants to use in order of preference. The default for this | ||
415 | option is: | ||
416 | |||
417 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
418 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
419 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
420 | ssh-ed25519-cert-v01@openssh.com, | ||
421 | ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, | ||
422 | ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, | ||
423 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
424 | ssh-ed25519,ssh-rsa,ssh-dss | ||
425 | |||
426 | If hostkeys are known for the destination host then this default | ||
427 | is modified to prefer their algorithms. | ||
428 | |||
429 | HostKeyAlias | ||
430 | Specifies an alias that should be used instead of the real host | ||
431 | name when looking up or saving the host key in the host key | ||
432 | database files. This option is useful for tunneling SSH | ||
433 | connections or for multiple servers running on a single host. | ||
434 | |||
435 | HostName | ||
436 | Specifies the real host name to log into. This can be used to | ||
437 | specify nicknames or abbreviations for hosts. If the hostname | ||
438 | contains the character sequence `%h', then this will be replaced | ||
439 | with the host name specified on the command line (this is useful | ||
440 | for manipulating unqualified names). The default is the name | ||
441 | given on the command line. Numeric IP addresses are also | ||
442 | permitted (both on the command line and in HostName | ||
443 | specifications). | ||
444 | |||
445 | IdentitiesOnly | ||
446 | Specifies that ssh(1) should only use the authentication identity | ||
447 | files configured in the ssh_config files, even if ssh-agent(1) or | ||
448 | a PKCS11Provider offers more identities. The argument to this | ||
449 | keyword must be ``yes'' or ``no''. This option is intended for | ||
450 | situations where ssh-agent offers many different identities. The | ||
451 | default is ``no''. | ||
452 | |||
453 | IdentityFile | ||
454 | Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA | ||
455 | authentication identity is read. The default is ~/.ssh/identity | ||
456 | for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, | ||
457 | ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. | ||
458 | Additionally, any identities represented by the authentication | ||
459 | agent will be used for authentication unless IdentitiesOnly is | ||
460 | set. ssh(1) will try to load certificate information from the | ||
461 | filename obtained by appending -cert.pub to the path of a | ||
462 | specified IdentityFile. | ||
463 | |||
464 | The file name may use the tilde syntax to refer to a user's home | ||
465 | directory or one of the following escape characters: `%d' (local | ||
466 | user's home directory), `%u' (local user name), `%l' (local host | ||
467 | name), `%h' (remote host name) or `%r' (remote user name). | ||
468 | |||
469 | It is possible to have multiple identity files specified in | ||
470 | configuration files; all these identities will be tried in | ||
471 | sequence. Multiple IdentityFile directives will add to the list | ||
472 | of identities tried (this behaviour differs from that of other | ||
473 | configuration directives). | ||
474 | |||
475 | IdentityFile may be used in conjunction with IdentitiesOnly to | ||
476 | select which identities in an agent are offered during | ||
477 | authentication. | ||
478 | |||
479 | IgnoreUnknown | ||
480 | Specifies a pattern-list of unknown options to be ignored if they | ||
481 | are encountered in configuration parsing. This may be used to | ||
482 | suppress errors if ssh_config contains options that are | ||
483 | unrecognised by ssh(1). It is recommended that IgnoreUnknown be | ||
484 | listed early in the configuration file as it will not be applied | ||
485 | to unknown options that appear before it. | ||
486 | |||
487 | IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. | ||
488 | Accepted values are ``af11'', ``af12'', ``af13'', ``af21'', | ||
489 | ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', ``af41'', | ||
490 | ``af42'', ``af43'', ``cs0'', ``cs1'', ``cs2'', ``cs3'', ``cs4'', | ||
491 | ``cs5'', ``cs6'', ``cs7'', ``ef'', ``lowdelay'', ``throughput'', | ||
492 | ``reliability'', or a numeric value. This option may take one or | ||
493 | two arguments, separated by whitespace. If one argument is | ||
494 | specified, it is used as the packet class unconditionally. If | ||
495 | two values are specified, the first is automatically selected for | ||
496 | interactive sessions and the second for non-interactive sessions. | ||
497 | The default is ``lowdelay'' for interactive sessions and | ||
498 | ``throughput'' for non-interactive sessions. | ||
499 | |||
500 | KbdInteractiveAuthentication | ||
501 | Specifies whether to use keyboard-interactive authentication. | ||
502 | The argument to this keyword must be ``yes'' or ``no''. The | ||
503 | default is ``yes''. | ||
504 | |||
505 | KbdInteractiveDevices | ||
506 | Specifies the list of methods to use in keyboard-interactive | ||
507 | authentication. Multiple method names must be comma-separated. | ||
508 | The default is to use the server specified list. The methods | ||
509 | available vary depending on what the server supports. For an | ||
510 | OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'', | ||
511 | and ``skey''. | ||
512 | |||
513 | KexAlgorithms | ||
514 | Specifies the available KEX (Key Exchange) algorithms. Multiple | ||
515 | algorithms must be comma-separated. The default is: | ||
516 | |||
517 | curve25519-sha256@libssh.org, | ||
518 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | ||
519 | diffie-hellman-group-exchange-sha256, | ||
520 | diffie-hellman-group-exchange-sha1, | ||
521 | diffie-hellman-group14-sha1, | ||
522 | diffie-hellman-group1-sha1 | ||
523 | |||
524 | LocalCommand | ||
525 | Specifies a command to execute on the local machine after | ||
526 | successfully connecting to the server. The command string | ||
527 | extends to the end of the line, and is executed with the user's | ||
528 | shell. The following escape character substitutions will be | ||
529 | performed: `%d' (local user's home directory), `%h' (remote host | ||
530 | name), `%l' (local host name), `%n' (host name as provided on the | ||
531 | command line), `%p' (remote port), `%r' (remote user name) or | ||
532 | `%u' (local user name). | ||
533 | |||
534 | The command is run synchronously and does not have access to the | ||
535 | session of the ssh(1) that spawned it. It should not be used for | ||
536 | interactive commands. | ||
537 | |||
538 | This directive is ignored unless PermitLocalCommand has been | ||
539 | enabled. | ||
540 | |||
541 | LocalForward | ||
542 | Specifies that a TCP port on the local machine be forwarded over | ||
543 | the secure channel to the specified host and port from the remote | ||
544 | machine. The first argument must be [bind_address:]port and the | ||
545 | second argument must be host:hostport. IPv6 addresses can be | ||
546 | specified by enclosing addresses in square brackets. Multiple | ||
547 | forwardings may be specified, and additional forwardings can be | ||
548 | given on the command line. Only the superuser can forward | ||
549 | privileged ports. By default, the local port is bound in | ||
550 | accordance with the GatewayPorts setting. However, an explicit | ||
551 | bind_address may be used to bind the connection to a specific | ||
552 | address. The bind_address of ``localhost'' indicates that the | ||
553 | listening port be bound for local use only, while an empty | ||
554 | address or `*' indicates that the port should be available from | ||
555 | all interfaces. | ||
556 | |||
557 | LogLevel | ||
558 | Gives the verbosity level that is used when logging messages from | ||
559 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, | ||
560 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | ||
561 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
562 | higher levels of verbose output. | ||
563 | |||
564 | MACs Specifies the MAC (message authentication code) algorithms in | ||
565 | order of preference. The MAC algorithm is used in protocol | ||
566 | version 2 for data integrity protection. Multiple algorithms | ||
567 | must be comma-separated. The algorithms that contain ``-etm'' | ||
568 | calculate the MAC after encryption (encrypt-then-mac). These are | ||
569 | considered safer and their use recommended. The default is: | ||
570 | |||
571 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, | ||
572 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | ||
573 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | ||
574 | hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, | ||
575 | hmac-md5-96-etm@openssh.com, | ||
576 | hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, | ||
577 | hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, | ||
578 | hmac-sha1-96,hmac-md5-96 | ||
579 | |||
580 | NoHostAuthenticationForLocalhost | ||
581 | This option can be used if the home directory is shared across | ||
582 | machines. In this case localhost will refer to a different | ||
583 | machine on each of the machines and the user will get many | ||
584 | warnings about changed host keys. However, this option disables | ||
585 | host authentication for localhost. The argument to this keyword | ||
586 | must be ``yes'' or ``no''. The default is to check the host key | ||
587 | for localhost. | ||
588 | |||
589 | NumberOfPasswordPrompts | ||
590 | Specifies the number of password prompts before giving up. The | ||
591 | argument to this keyword must be an integer. The default is 3. | ||
592 | |||
593 | PasswordAuthentication | ||
594 | Specifies whether to use password authentication. The argument | ||
595 | to this keyword must be ``yes'' or ``no''. The default is | ||
596 | ``yes''. | ||
597 | |||
598 | PermitLocalCommand | ||
599 | Allow local command execution via the LocalCommand option or | ||
600 | using the !command escape sequence in ssh(1). The argument must | ||
601 | be ``yes'' or ``no''. The default is ``no''. | ||
602 | |||
603 | PKCS11Provider | ||
604 | Specifies which PKCS#11 provider to use. The argument to this | ||
605 | keyword is the PKCS#11 shared library ssh(1) should use to | ||
606 | communicate with a PKCS#11 token providing the user's private RSA | ||
607 | key. | ||
608 | |||
609 | Port Specifies the port number to connect on the remote host. The | ||
610 | default is 22. | ||
611 | |||
612 | PreferredAuthentications | ||
613 | Specifies the order in which the client should try protocol 2 | ||
614 | authentication methods. This allows a client to prefer one | ||
615 | method (e.g. keyboard-interactive) over another method (e.g. | ||
616 | password). The default is: | ||
617 | |||
618 | gssapi-with-mic,hostbased,publickey, | ||
619 | keyboard-interactive,password | ||
620 | |||
621 | Protocol | ||
622 | Specifies the protocol versions ssh(1) should support in order of | ||
623 | preference. The possible values are `1' and `2'. Multiple | ||
624 | versions must be comma-separated. When this option is set to | ||
625 | ``2,1'' ssh will try version 2 and fall back to version 1 if | ||
626 | version 2 is not available. The default is `2'. | ||
627 | |||
628 | ProxyCommand | ||
629 | Specifies the command to use to connect to the server. The | ||
630 | command string extends to the end of the line, and is executed | ||
631 | with the user's shell. In the command string, any occurrence of | ||
632 | `%h' will be substituted by the host name to connect, `%p' by the | ||
633 | port, and `%r' by the remote user name. The command can be | ||
634 | basically anything, and should read from its standard input and | ||
635 | write to its standard output. It should eventually connect an | ||
636 | sshd(8) server running on some machine, or execute sshd -i | ||
637 | somewhere. Host key management will be done using the HostName | ||
638 | of the host being connected (defaulting to the name typed by the | ||
639 | user). Setting the command to ``none'' disables this option | ||
640 | entirely. Note that CheckHostIP is not available for connects | ||
641 | with a proxy command. | ||
642 | |||
643 | This directive is useful in conjunction with nc(1) and its proxy | ||
644 | support. For example, the following directive would connect via | ||
645 | an HTTP proxy at 192.0.2.0: | ||
646 | |||
647 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | ||
648 | |||
649 | ProxyUseFdpass | ||
650 | Specifies that ProxyCommand will pass a connected file descriptor | ||
651 | back to ssh(1) instead of continuing to execute and pass data. | ||
652 | The default is ``no''. | ||
653 | |||
654 | PubkeyAuthentication | ||
655 | Specifies whether to try public key authentication. The argument | ||
656 | to this keyword must be ``yes'' or ``no''. The default is | ||
657 | ``yes''. This option applies to protocol version 2 only. | ||
658 | |||
659 | RekeyLimit | ||
660 | Specifies the maximum amount of data that may be transmitted | ||
661 | before the session key is renegotiated, optionally followed a | ||
662 | maximum amount of time that may pass before the session key is | ||
663 | renegotiated. The first argument is specified in bytes and may | ||
664 | have a suffix of `K', `M', or `G' to indicate Kilobytes, | ||
665 | Megabytes, or Gigabytes, respectively. The default is between | ||
666 | `1G' and `4G', depending on the cipher. The optional second | ||
667 | value is specified in seconds and may use any of the units | ||
668 | documented in the TIME FORMATS section of sshd_config(5). The | ||
669 | default value for RekeyLimit is ``default none'', which means | ||
670 | that rekeying is performed after the cipher's default amount of | ||
671 | data has been sent or received and no time based rekeying is | ||
672 | done. This option applies to protocol version 2 only. | ||
673 | |||
674 | RemoteForward | ||
675 | Specifies that a TCP port on the remote machine be forwarded over | ||
676 | the secure channel to the specified host and port from the local | ||
677 | machine. The first argument must be [bind_address:]port and the | ||
678 | second argument must be host:hostport. IPv6 addresses can be | ||
679 | specified by enclosing addresses in square brackets. Multiple | ||
680 | forwardings may be specified, and additional forwardings can be | ||
681 | given on the command line. Privileged ports can be forwarded | ||
682 | only when logging in as root on the remote machine. | ||
683 | |||
684 | If the port argument is `0', the listen port will be dynamically | ||
685 | allocated on the server and reported to the client at run time. | ||
686 | |||
687 | If the bind_address is not specified, the default is to only bind | ||
688 | to loopback addresses. If the bind_address is `*' or an empty | ||
689 | string, then the forwarding is requested to listen on all | ||
690 | interfaces. Specifying a remote bind_address will only succeed | ||
691 | if the server's GatewayPorts option is enabled (see | ||
692 | sshd_config(5)). | ||
693 | |||
694 | RequestTTY | ||
695 | Specifies whether to request a pseudo-tty for the session. The | ||
696 | argument may be one of: ``no'' (never request a TTY), ``yes'' | ||
697 | (always request a TTY when standard input is a TTY), ``force'' | ||
698 | (always request a TTY) or ``auto'' (request a TTY when opening a | ||
699 | login session). This option mirrors the -t and -T flags for | ||
700 | ssh(1). | ||
701 | |||
702 | RhostsRSAAuthentication | ||
703 | Specifies whether to try rhosts based authentication with RSA | ||
704 | host authentication. The argument must be ``yes'' or ``no''. | ||
705 | The default is ``no''. This option applies to protocol version 1 | ||
706 | only and requires ssh(1) to be setuid root. | ||
707 | |||
708 | RSAAuthentication | ||
709 | Specifies whether to try RSA authentication. The argument to | ||
710 | this keyword must be ``yes'' or ``no''. RSA authentication will | ||
711 | only be attempted if the identity file exists, or an | ||
712 | authentication agent is running. The default is ``yes''. Note | ||
713 | that this option applies to protocol version 1 only. | ||
714 | |||
715 | SendEnv | ||
716 | Specifies what variables from the local environ(7) should be sent | ||
717 | to the server. Note that environment passing is only supported | ||
718 | for protocol 2. The server must also support it, and the server | ||
719 | must be configured to accept these environment variables. Refer | ||
720 | to AcceptEnv in sshd_config(5) for how to configure the server. | ||
721 | Variables are specified by name, which may contain wildcard | ||
722 | characters. Multiple environment variables may be separated by | ||
723 | whitespace or spread across multiple SendEnv directives. The | ||
724 | default is not to send any environment variables. | ||
725 | |||
726 | See PATTERNS for more information on patterns. | ||
727 | |||
728 | ServerAliveCountMax | ||
729 | Sets the number of server alive messages (see below) which may be | ||
730 | sent without ssh(1) receiving any messages back from the server. | ||
731 | If this threshold is reached while server alive messages are | ||
732 | being sent, ssh will disconnect from the server, terminating the | ||
733 | session. It is important to note that the use of server alive | ||
734 | messages is very different from TCPKeepAlive (below). The server | ||
735 | alive messages are sent through the encrypted channel and | ||
736 | therefore will not be spoofable. The TCP keepalive option | ||
737 | enabled by TCPKeepAlive is spoofable. The server alive mechanism | ||
738 | is valuable when the client or server depend on knowing when a | ||
739 | connection has become inactive. | ||
740 | |||
741 | The default value is 3. If, for example, ServerAliveInterval | ||
742 | (see below) is set to 15 and ServerAliveCountMax is left at the | ||
743 | default, if the server becomes unresponsive, ssh will disconnect | ||
744 | after approximately 45 seconds. This option applies to protocol | ||
745 | version 2 only. | ||
746 | |||
747 | ServerAliveInterval | ||
748 | Sets a timeout interval in seconds after which if no data has | ||
749 | been received from the server, ssh(1) will send a message through | ||
750 | the encrypted channel to request a response from the server. The | ||
751 | default is 0, indicating that these messages will not be sent to | ||
752 | the server. This option applies to protocol version 2 only. | ||
753 | |||
754 | StrictHostKeyChecking | ||
755 | If this flag is set to ``yes'', ssh(1) will never automatically | ||
756 | add host keys to the ~/.ssh/known_hosts file, and refuses to | ||
757 | connect to hosts whose host key has changed. This provides | ||
758 | maximum protection against trojan horse attacks, though it can be | ||
759 | annoying when the /etc/ssh/ssh_known_hosts file is poorly | ||
760 | maintained or when connections to new hosts are frequently made. | ||
761 | This option forces the user to manually add all new hosts. If | ||
762 | this flag is set to ``no'', ssh will automatically add new host | ||
763 | keys to the user known hosts files. If this flag is set to | ||
764 | ``ask'', new host keys will be added to the user known host files | ||
765 | only after the user has confirmed that is what they really want | ||
766 | to do, and ssh will refuse to connect to hosts whose host key has | ||
767 | changed. The host keys of known hosts will be verified | ||
768 | automatically in all cases. The argument must be ``yes'', | ||
769 | ``no'', or ``ask''. The default is ``ask''. | ||
770 | |||
771 | TCPKeepAlive | ||
772 | Specifies whether the system should send TCP keepalive messages | ||
773 | to the other side. If they are sent, death of the connection or | ||
774 | crash of one of the machines will be properly noticed. However, | ||
775 | this means that connections will die if the route is down | ||
776 | temporarily, and some people find it annoying. | ||
777 | |||
778 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
779 | client will notice if the network goes down or the remote host | ||
780 | dies. This is important in scripts, and many users want it too. | ||
781 | |||
782 | To disable TCP keepalive messages, the value should be set to | ||
783 | ``no''. | ||
784 | |||
785 | Tunnel Request tun(4) device forwarding between the client and the | ||
786 | server. The argument must be ``yes'', ``point-to-point'' (layer | ||
787 | 3), ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' | ||
788 | requests the default tunnel mode, which is ``point-to-point''. | ||
789 | The default is ``no''. | ||
790 | |||
791 | TunnelDevice | ||
792 | Specifies the tun(4) devices to open on the client (local_tun) | ||
793 | and the server (remote_tun). | ||
794 | |||
795 | The argument must be local_tun[:remote_tun]. The devices may be | ||
796 | specified by numerical ID or the keyword ``any'', which uses the | ||
797 | next available tunnel device. If remote_tun is not specified, it | ||
798 | defaults to ``any''. The default is ``any:any''. | ||
799 | |||
800 | UsePrivilegedPort | ||
801 | Specifies whether to use a privileged port for outgoing | ||
802 | connections. The argument must be ``yes'' or ``no''. The | ||
803 | default is ``no''. If set to ``yes'', ssh(1) must be setuid | ||
804 | root. Note that this option must be set to ``yes'' for | ||
805 | RhostsRSAAuthentication with older servers. | ||
806 | |||
807 | User Specifies the user to log in as. This can be useful when a | ||
808 | different user name is used on different machines. This saves | ||
809 | the trouble of having to remember to give the user name on the | ||
810 | command line. | ||
811 | |||
812 | UserKnownHostsFile | ||
813 | Specifies one or more files to use for the user host key | ||
814 | database, separated by whitespace. The default is | ||
815 | ~/.ssh/known_hosts, ~/.ssh/known_hosts2. | ||
816 | |||
817 | VerifyHostKeyDNS | ||
818 | Specifies whether to verify the remote key using DNS and SSHFP | ||
819 | resource records. If this option is set to ``yes'', the client | ||
820 | will implicitly trust keys that match a secure fingerprint from | ||
821 | DNS. Insecure fingerprints will be handled as if this option was | ||
822 | set to ``ask''. If this option is set to ``ask'', information on | ||
823 | fingerprint match will be displayed, but the user will still need | ||
824 | to confirm new host keys according to the StrictHostKeyChecking | ||
825 | option. The argument must be ``yes'', ``no'', or ``ask''. The | ||
826 | default is ``no''. Note that this option applies to protocol | ||
827 | version 2 only. | ||
828 | |||
829 | See also VERIFYING HOST KEYS in ssh(1). | ||
830 | |||
831 | VisualHostKey | ||
832 | If this flag is set to ``yes'', an ASCII art representation of | ||
833 | the remote host key fingerprint is printed in addition to the hex | ||
834 | fingerprint string at login and for unknown host keys. If this | ||
835 | flag is set to ``no'', no fingerprint strings are printed at | ||
836 | login and only the hex fingerprint string will be printed for | ||
837 | unknown host keys. The default is ``no''. | ||
838 | |||
839 | XAuthLocation | ||
840 | Specifies the full pathname of the xauth(1) program. The default | ||
841 | is /usr/X11R6/bin/xauth. | ||
842 | |||
843 | PATTERNS | ||
844 | A pattern consists of zero or more non-whitespace characters, `*' (a | ||
845 | wildcard that matches zero or more characters), or `?' (a wildcard that | ||
846 | matches exactly one character). For example, to specify a set of | ||
847 | declarations for any host in the ``.co.uk'' set of domains, the following | ||
848 | pattern could be used: | ||
849 | |||
850 | Host *.co.uk | ||
851 | |||
852 | The following pattern would match any host in the 192.168.0.[0-9] network | ||
853 | range: | ||
854 | |||
855 | Host 192.168.0.? | ||
856 | |||
857 | A pattern-list is a comma-separated list of patterns. Patterns within | ||
858 | pattern-lists may be negated by preceding them with an exclamation mark | ||
859 | (`!'). For example, to allow a key to be used from anywhere within an | ||
860 | organization except from the ``dialup'' pool, the following entry (in | ||
861 | authorized_keys) could be used: | ||
862 | |||
863 | from="!*.dialup.example.com,*.example.com" | ||
864 | |||
865 | FILES | ||
866 | ~/.ssh/config | ||
867 | This is the per-user configuration file. The format of this file | ||
868 | is described above. This file is used by the SSH client. | ||
869 | Because of the potential for abuse, this file must have strict | ||
870 | permissions: read/write for the user, and not accessible by | ||
871 | others. | ||
872 | |||
873 | /etc/ssh/ssh_config | ||
874 | Systemwide configuration file. This file provides defaults for | ||
875 | those values that are not specified in the user's configuration | ||
876 | file, and for those users who do not have a configuration file. | ||
877 | This file must be world-readable. | ||
878 | |||
879 | SEE ALSO | ||
880 | ssh(1) | ||
881 | |||
882 | AUTHORS | ||
883 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
884 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
885 | de Raadt and Dug Song removed many bugs, re-added newer features and | ||
886 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
887 | versions 1.5 and 2.0. | ||
888 | |||
889 | OpenBSD 5.5 February 23, 2014 OpenBSD 5.5 | ||