diff options
Diffstat (limited to 'ssh_config.0')
| -rw-r--r-- | ssh_config.0 | 82 |
1 files changed, 54 insertions, 28 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 92be76b6d..a2706b69c 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
| @@ -4,14 +4,14 @@ NAME | |||
| 4 | ssh_config - OpenSSH SSH client configuration files | 4 | ssh_config - OpenSSH SSH client configuration files |
| 5 | 5 | ||
| 6 | SYNOPSIS | 6 | SYNOPSIS |
| 7 | $HOME/.ssh/config | 7 | ~/.ssh/config |
| 8 | /etc/ssh/ssh_config | 8 | /etc/ssh/ssh_config |
| 9 | 9 | ||
| 10 | DESCRIPTION | 10 | DESCRIPTION |
| 11 | ssh obtains configuration data from the following sources in the follow- | 11 | ssh obtains configuration data from the following sources in the follow- |
| 12 | ing order: | 12 | ing order: |
| 13 | 1. command-line options | 13 | 1. command-line options |
| 14 | 2. user's configuration file ($HOME/.ssh/config) | 14 | 2. user's configuration file (~/.ssh/config) |
| 15 | 3. system-wide configuration file (/etc/ssh/ssh_config) | 15 | 3. system-wide configuration file (/etc/ssh/ssh_config) |
| 16 | 16 | ||
| 17 | For each parameter, the first obtained value will be used. The configu- | 17 | For each parameter, the first obtained value will be used. The configu- |
| @@ -57,9 +57,10 @@ DESCRIPTION | |||
| 57 | ``yes'' or ``no''. The default is ``no''. | 57 | ``yes'' or ``no''. The default is ``no''. |
| 58 | 58 | ||
| 59 | BindAddress | 59 | BindAddress |
| 60 | Specify the interface to transmit from on machines with multiple | 60 | Use the specified address on the local machine as the source ad- |
| 61 | interfaces or aliased addresses. Note that this option does not | 61 | dress of the connection. Only useful on systems with more than |
| 62 | work if UsePrivilegedPort is set to ``yes''. | 62 | one address. Note that this option does not work if |
| 63 | UsePrivilegedPort is set to ``yes''. | ||
| 63 | 64 | ||
| 64 | ChallengeResponseAuthentication | 65 | ChallengeResponseAuthentication |
| 65 | Specifies whether to use challenge response authentication. The | 66 | Specifies whether to use challenge response authentication. The |
| @@ -85,11 +86,12 @@ DESCRIPTION | |||
| 85 | preference. Multiple ciphers must be comma-separated. The sup- | 86 | preference. Multiple ciphers must be comma-separated. The sup- |
| 86 | ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', | 87 | ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', |
| 87 | ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | 88 | ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', |
| 88 | ``arcfour'', ``blowfish-cbc'', and ``cast128-cbc''. The default | 89 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', |
| 89 | is | 90 | and ``cast128-cbc''. The default is |
| 90 | 91 | ||
| 91 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 92 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
| 92 | aes192-cbc,aes256-cbc'' | 93 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
| 94 | aes192-ctr,aes256-ctr'' | ||
| 93 | 95 | ||
| 94 | ClearAllForwardings | 96 | ClearAllForwardings |
| 95 | Specifies that all local, remote and dynamic port forwardings | 97 | Specifies that all local, remote and dynamic port forwardings |
| @@ -131,11 +133,30 @@ DESCRIPTION | |||
| 131 | tion rather than initiating new ones. Setting this to ``ask'' | 133 | tion rather than initiating new ones. Setting this to ``ask'' |
| 132 | will cause ssh to listen for control connections, but require | 134 | will cause ssh to listen for control connections, but require |
| 133 | confirmation using the SSH_ASKPASS program before they are ac- | 135 | confirmation using the SSH_ASKPASS program before they are ac- |
| 134 | cepted (see ssh-add(1) for details). | 136 | cepted (see ssh-add(1) for details). If the ControlPath can not |
| 137 | be opened, ssh will continue without connecting to a master in- | ||
| 138 | stance. | ||
| 139 | |||
| 140 | X11 and ssh-agent(1) forwarding is supported over these multi- | ||
| 141 | plexed connections, however the display and agent fowarded will | ||
| 142 | be the one belonging to the master connection i.e. it is not pos- | ||
| 143 | sible to forward multiple displays or agents. | ||
| 144 | |||
| 145 | Two additional options allow for opportunistic multiplexing: try | ||
| 146 | to use a master connection but fall back to creating a new one if | ||
| 147 | one does not already exist. These options are: ``auto'' and | ||
| 148 | ``autoask''. The latter requires confirmation like the ``ask'' | ||
| 149 | option. | ||
| 135 | 150 | ||
| 136 | ControlPath | 151 | ControlPath |
| 137 | Specify the path to the control socket used for connection shar- | 152 | Specify the path to the control socket used for connection shar- |
| 138 | ing. See ControlMaster above. | 153 | ing as described in the ControlMaster section above or the string |
| 154 | ``none'' to disable connection sharing. In the path, `%h' will | ||
| 155 | be substituted by the target host name, `%p' the port and `%r' by | ||
| 156 | the remote login username. It is recommended that any | ||
| 157 | ControlPath used for opportunistic connection sharing include all | ||
| 158 | three of these escape sequences. This ensures that shared con- | ||
| 159 | nections are uniquely identified. | ||
| 139 | 160 | ||
| 140 | DynamicForward | 161 | DynamicForward |
| 141 | Specifies that a TCP/IP port on the local machine be forwarded | 162 | Specifies that a TCP/IP port on the local machine be forwarded |
| @@ -228,9 +249,9 @@ DESCRIPTION | |||
| 228 | 249 | ||
| 229 | HashKnownHosts | 250 | HashKnownHosts |
| 230 | Indicates that ssh should hash host names and addresses when they | 251 | Indicates that ssh should hash host names and addresses when they |
| 231 | are added to $HOME/.ssh/known_hosts. These hashed names may be | 252 | are added to ~/.ssh/known_hosts. These hashed names may be used |
| 232 | used normally by ssh and sshd, but they do not reveal identifying | 253 | normally by ssh and sshd, but they do not reveal identifying in- |
| 233 | information should the file's contents be disclosed. The default | 254 | formation should the file's contents be disclosed. The default |
| 234 | is ``no''. Note that hashing of names and addresses will not be | 255 | is ``no''. Note that hashing of names and addresses will not be |
| 235 | retrospectively applied to existing known hosts files, but these | 256 | retrospectively applied to existing known hosts files, but these |
| 236 | may be manually hashed using ssh-keygen(1). | 257 | may be manually hashed using ssh-keygen(1). |
| @@ -261,14 +282,13 @@ DESCRIPTION | |||
| 261 | 282 | ||
| 262 | IdentityFile | 283 | IdentityFile |
| 263 | Specifies a file from which the user's RSA or DSA authentication | 284 | Specifies a file from which the user's RSA or DSA authentication |
| 264 | identity is read. The default is $HOME/.ssh/identity for proto- | 285 | identity is read. The default is ~/.ssh/identity for protocol |
| 265 | col version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for | 286 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- |
| 266 | protocol version 2. Additionally, any identities represented by | 287 | sion 2. Additionally, any identities represented by the authen- |
| 267 | the authentication agent will be used for authentication. The | 288 | tication agent will be used for authentication. The file name |
| 268 | file name may use the tilde syntax to refer to a user's home di- | 289 | may use the tilde syntax to refer to a user's home directory. It |
| 269 | rectory. It is possible to have multiple identity files speci- | 290 | is possible to have multiple identity files specified in configu- |
| 270 | fied in configuration files; all these identities will be tried | 291 | ration files; all these identities will be tried in sequence. |
| 271 | in sequence. | ||
| 272 | 292 | ||
| 273 | IdentitiesOnly | 293 | IdentitiesOnly |
| 274 | Specifies that ssh should only use the authentication identity | 294 | Specifies that ssh should only use the authentication identity |
| @@ -362,6 +382,12 @@ DESCRIPTION | |||
| 362 | tirely. Note that CheckHostIP is not available for connects with | 382 | tirely. Note that CheckHostIP is not available for connects with |
| 363 | a proxy command. | 383 | a proxy command. |
| 364 | 384 | ||
| 385 | This directive is useful in conjunction with nc(1) and its proxy | ||
| 386 | support. For example, the following directive would connect via | ||
| 387 | an HTTP proxy at 192.0.2.0: | ||
| 388 | |||
| 389 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | ||
| 390 | |||
| 365 | PubkeyAuthentication | 391 | PubkeyAuthentication |
| 366 | Specifies whether to try public key authentication. The argument | 392 | Specifies whether to try public key authentication. The argument |
| 367 | to this keyword must be ``yes'' or ``no''. The default is | 393 | to this keyword must be ``yes'' or ``no''. The default is |
| @@ -441,9 +467,9 @@ DESCRIPTION | |||
| 441 | 467 | ||
| 442 | StrictHostKeyChecking | 468 | StrictHostKeyChecking |
| 443 | If this flag is set to ``yes'', ssh will never automatically add | 469 | If this flag is set to ``yes'', ssh will never automatically add |
| 444 | host keys to the $HOME/.ssh/known_hosts file, and refuses to con- | 470 | host keys to the ~/.ssh/known_hosts file, and refuses to connect |
| 445 | nect to hosts whose host key has changed. This provides maximum | 471 | to hosts whose host key has changed. This provides maximum pro- |
| 446 | protection against trojan horse attacks, however, can be annoying | 472 | tection against trojan horse attacks, however, can be annoying |
| 447 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or | 473 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or |
| 448 | connections to new hosts are frequently made. This option forces | 474 | connections to new hosts are frequently made. This option forces |
| 449 | the user to manually add all new hosts. If this flag is set to | 475 | the user to manually add all new hosts. If this flag is set to |
| @@ -484,7 +510,7 @@ DESCRIPTION | |||
| 484 | 510 | ||
| 485 | UserKnownHostsFile | 511 | UserKnownHostsFile |
| 486 | Specifies a file to use for the user host key database instead of | 512 | Specifies a file to use for the user host key database instead of |
| 487 | $HOME/.ssh/known_hosts. | 513 | ~/.ssh/known_hosts. |
| 488 | 514 | ||
| 489 | VerifyHostKeyDNS | 515 | VerifyHostKeyDNS |
| 490 | Specifies whether to verify the remote key using DNS and SSHFP | 516 | Specifies whether to verify the remote key using DNS and SSHFP |
| @@ -503,7 +529,7 @@ DESCRIPTION | |||
| 503 | is /usr/X11R6/bin/xauth. | 529 | is /usr/X11R6/bin/xauth. |
| 504 | 530 | ||
| 505 | FILES | 531 | FILES |
| 506 | $HOME/.ssh/config | 532 | ~/.ssh/config |
| 507 | This is the per-user configuration file. The format of this file | 533 | This is the per-user configuration file. The format of this file |
| 508 | is described above. This file is used by the ssh client. Be- | 534 | is described above. This file is used by the ssh client. Be- |
| 509 | cause of the potential for abuse, this file must have strict per- | 535 | cause of the potential for abuse, this file must have strict per- |
| @@ -525,4 +551,4 @@ AUTHORS | |||
| 525 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 551 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 526 | versions 1.5 and 2.0. | 552 | versions 1.5 and 2.0. |
| 527 | 553 | ||
| 528 | OpenBSD 3.7 September 25, 1999 8 | 554 | OpenBSD 3.8 September 25, 1999 9 |