Diffstat (limited to 'ssh_config.0')
-rw-r--r-- ssh_config.0 323
1 files changed, 186 insertions, 137 deletions
diff --git a/ssh_config.0 b/ssh_config.0
index 46a0543c3..2ca4ee31b 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -8,8 +8,9 @@ SYNOPSIS
8 /etc/ssh/ssh_config 8 /etc/ssh/ssh_config
9 9
10DESCRIPTION 10DESCRIPTION
11 ssh obtains configuration data from the following sources in the follow- 11 ssh(1) obtains configuration data from the following sources in the fol-
12 ing order: 12 lowing order:
13
13 1. command-line options 14 1. command-line options
14 2. user's configuration file (~/.ssh/config) 15 2. user's configuration file (~/.ssh/config)
15 3. system-wide configuration file (/etc/ssh/ssh_config) 16 3. system-wide configuration file (/etc/ssh/ssh_config)
@@ -26,28 +27,29 @@ DESCRIPTION
26 27
27 The configuration file has the following format: 28 The configuration file has the following format:
28 29
29 Empty lines and lines starting with `#' are comments. 30 Empty lines and lines starting with `#' are comments. Otherwise a line
30 31 is of the format ``keyword arguments''. Configuration options may be
31 Otherwise a line is of the format ``keyword arguments''. Configuration 32 separated by whitespace or optional whitespace and exactly one `='; the
32 options may be separated by whitespace or optional whitespace and exactly 33 latter format is useful to avoid the need to quote whitespace when speci-
33 one `='; the latter format is useful to avoid the need to quote whites- 34 fying configuration options using the ssh, scp, and sftp -o option. Ar-
34 pace when specifying configuration options using the ssh, scp and sftp -o 35 guments may optionally be enclosed in double quotes (") in order to rep-
35 option. 36 resent arguments containing spaces.
36 37
37 The possible keywords and their meanings are as follows (note that key- 38 The possible keywords and their meanings are as follows (note that key-
38 words are case-insensitive and arguments are case-sensitive): 39 words are case-insensitive and arguments are case-sensitive):
39 40
40 Host Restricts the following declarations (up to the next Host key- 41 Host Restricts the following declarations (up to the next Host key-
41 word) to be only for those hosts that match one of the patterns 42 word) to be only for those hosts that match one of the patterns
42 given after the keyword. `*' and `?' can be used as wildcards in 43 given after the keyword. A single `*' as a pattern can be used
43 the patterns. A single `*' as a pattern can be used to provide 44 to provide global defaults for all hosts. The host is the
44 global defaults for all hosts. The host is the hostname argument 45 hostname argument given on the command line (i.e. the name is not
45 given on the command line (i.e., the name is not converted to a 46 converted to a canonicalized host name before matching).
46 canonicalized host name before matching). 47
48 See PATTERNS for more information on patterns.
47 49
48 AddressFamily 50 AddressFamily
49 Specifies which address family to use when connecting. Valid ar- 51 Specifies which address family to use when connecting. Valid ar-
50 guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use 52 guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use
51 IPv6 only). 53 IPv6 only).
52 54
53 BatchMode 55 BatchMode
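Review bot: the sentence "`*' and `?' can be used as wildcards in the patterns" removed from Host is replaced by "See PATTERNS for more information on patterns.", but no PATTERNS section appears in any hunk of this diff; make sure that section is added in the same commit (SendEnv later in this patch gains the identical cross-reference and depends on it too), otherwise both references dangle. The new sentence at lines 35-36 about enclosing arguments in double quotes (") is a useful addition, but since the rest of the file uses ``'' for quoting, one short example of a quoted argument would make clear that a literal " is meant.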
@@ -63,23 +65,23 @@ DESCRIPTION
63 UsePrivilegedPort is set to ``yes''. 65 UsePrivilegedPort is set to ``yes''.
64 66
65 ChallengeResponseAuthentication 67 ChallengeResponseAuthentication
66 Specifies whether to use challenge response authentication. The 68 Specifies whether to use challenge-response authentication. The
67 argument to this keyword must be ``yes'' or ``no''. The default 69 argument to this keyword must be ``yes'' or ``no''. The default
68 is ``yes''. 70 is ``yes''.
69 71
70 CheckHostIP 72 CheckHostIP
71 If this flag is set to ``yes'', ssh will additionally check the 73 If this flag is set to ``yes'', ssh(1) will additionally check
72 host IP address in the known_hosts file. This allows ssh to de- 74 the host IP address in the known_hosts file. This allows ssh to
73 tect if a host key changed due to DNS spoofing. If the option is 75 detect if a host key changed due to DNS spoofing. If the option
74 set to ``no'', the check will not be executed. The default is 76 is set to ``no'', the check will not be executed. The default is
75 ``yes''. 77 ``yes''.
76 78
77 Cipher Specifies the cipher to use for encrypting the session in proto- 79 Cipher Specifies the cipher to use for encrypting the session in proto-
78 col version 1. Currently, ``blowfish'', ``3des'', and ``des'' 80 col version 1. Currently, ``blowfish'', ``3des'', and ``des''
79 are supported. des is only supported in the ssh client for in- 81 are supported. des is only supported in the ssh(1) client for
80 teroperability with legacy protocol 1 implementations that do not 82 interoperability with legacy protocol 1 implementations that do
81 support the 3des cipher. Its use is strongly discouraged due to 83 not support the 3des cipher. Its use is strongly discouraged due
82 cryptographic weaknesses. The default is ``3des''. 84 to cryptographic weaknesses. The default is ``3des''.
83 85
84 Ciphers 86 Ciphers
85 Specifies the ciphers allowed for protocol version 2 in order of 87 Specifies the ciphers allowed for protocol version 2 in order of
@@ -87,19 +89,19 @@ DESCRIPTION
87 ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', 89 ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'',
88 ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', 90 ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
89 ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', 91 ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
90 and ``cast128-cbc''. The default is 92 and ``cast128-cbc''. The default is:
91 93
92 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 94 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
93 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 95 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
94 aes192-ctr,aes256-ctr'' 96 aes192-ctr,aes256-ctr
95 97
96 ClearAllForwardings 98 ClearAllForwardings
97 Specifies that all local, remote and dynamic port forwardings 99 Specifies that all local, remote, and dynamic port forwardings
98 specified in the configuration files or on the command line be 100 specified in the configuration files or on the command line be
99 cleared. This option is primarily useful when used from the ssh 101 cleared. This option is primarily useful when used from the
100 command line to clear port forwardings set in configuration 102 ssh(1) command line to clear port forwardings set in configura-
101 files, and is automatically set by scp(1) and sftp(1). The argu- 103 tion files, and is automatically set by scp(1) and sftp(1). The
102 ment must be ``yes'' or ``no''. The default is ``no''. 104 argument must be ``yes'' or ``no''. The default is ``no''.
103 105
104 Compression 106 Compression
105 Specifies whether to use compression. The argument must be 107 Specifies whether to use compression. The argument must be
@@ -119,16 +121,16 @@ DESCRIPTION
119 121
120 ConnectTimeout 122 ConnectTimeout
121 Specifies the timeout (in seconds) used when connecting to the 123 Specifies the timeout (in seconds) used when connecting to the
122 ssh server, instead of using the default system TCP timeout. 124 SSH server, instead of using the default system TCP timeout.
123 This value is used only when the target is down or really un- 125 This value is used only when the target is down or really un-
124 reachable, not when it refuses the connection. 126 reachable, not when it refuses the connection.
125 127
126 ControlMaster 128 ControlMaster
127 Enables the sharing of multiple sessions over a single network 129 Enables the sharing of multiple sessions over a single network
128 connection. When set to ``yes'' ssh will listen for connections 130 connection. When set to ``yes'', ssh(1) will listen for connec-
129 on a control socket specified using the ControlPath argument. 131 tions on a control socket specified using the ControlPath argu-
130 Additional sessions can connect to this socket using the same 132 ment. Additional sessions can connect to this socket using the
131 ControlPath with ControlMaster set to ``no'' (the default). 133 same ControlPath with ControlMaster set to ``no'' (the default).
132 These sessions will try to reuse the master instance's network 134 These sessions will try to reuse the master instance's network
133 connection rather than initiating new ones, but will fall back to 135 connection rather than initiating new ones, but will fall back to
134 connecting normally if the control socket does not exist, or is 136 connecting normally if the control socket does not exist, or is
@@ -137,7 +139,7 @@ DESCRIPTION
137 Setting this to ``ask'' will cause ssh to listen for control con- 139 Setting this to ``ask'' will cause ssh to listen for control con-
138 nections, but require confirmation using the SSH_ASKPASS program 140 nections, but require confirmation using the SSH_ASKPASS program
139 before they are accepted (see ssh-add(1) for details). If the 141 before they are accepted (see ssh-add(1) for details). If the
140 ControlPath can not be opened, ssh will continue without connect- 142 ControlPath cannot be opened, ssh will continue without connect-
141 ing to a master instance. 143 ing to a master instance.
142 144
143 X11 and ssh-agent(1) forwarding is supported over these multi- 145 X11 and ssh-agent(1) forwarding is supported over these multi-
@@ -154,12 +156,12 @@ DESCRIPTION
154 ControlPath 156 ControlPath
155 Specify the path to the control socket used for connection shar- 157 Specify the path to the control socket used for connection shar-
156 ing as described in the ControlMaster section above or the string 158 ing as described in the ControlMaster section above or the string
157 ``none'' to disable connection sharing. In the path, `%h' will 159 ``none'' to disable connection sharing. In the path, `%l' will
158 be substituted by the target host name, `%p' the port and `%r' by 160 be substituted by the local host name, `%h' will be substituted
159 the remote login username. It is recommended that any 161 by the target host name, `%p' the port, and `%r' by the remote
160 ControlPath used for opportunistic connection sharing include all 162 login username. It is recommended that any ControlPath used for
161 three of these escape sequences. This ensures that shared con- 163 opportunistic connection sharing include at least %h, %p, and %r.
162 nections are uniquely identified. 164 This ensures that shared connections are uniquely identified.
163 165
164 DynamicForward 166 DynamicForward
165 Specifies that a TCP port on the local machine be forwarded over 167 Specifies that a TCP port on the local machine be forwarded over
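Review bot: ControlPath now introduces `%l' and lists `%l', `%h', `%p' and `%r', while the IdentityFile hunk later in this patch lists `%d', `%u', `%l', `%h' and `%r'; confirm each list matches the tokens that option actually expands, and describe shared tokens the same way in both places (here `%h' is "target host name" and `%r' is "remote login username", there "remote host name" and "remote user name"). The recommendation to include at least %h, %p and %r is the right one; given that the ControlMaster text above says additional sessions connecting to the socket reuse the master's network connection, it would also be worth a sentence that the socket must live in a directory writable only by the user, since anyone who can reach the socket gets the already-authenticated session.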
@@ -176,9 +178,9 @@ DESCRIPTION
176 while an empty address or `*' indicates that the port should be 178 while an empty address or `*' indicates that the port should be
177 available from all interfaces. 179 available from all interfaces.
178 180
179 Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh 181 Currently the SOCKS4 and SOCKS5 protocols are supported, and
180 will act as a SOCKS server. Multiple forwardings may be speci- 182 ssh(1) will act as a SOCKS server. Multiple forwardings may be
181 fied, and additional forwardings can be given on the command 183 specified, and additional forwardings can be given on the command
182 line. Only the superuser can forward privileged ports. 184 line. Only the superuser can forward privileged ports.
183 185
184 EnableSSHKeysign 186 EnableSSHKeysign
@@ -196,6 +198,12 @@ DESCRIPTION
196 able the escape character entirely (making the connection trans- 198 able the escape character entirely (making the connection trans-
197 parent for binary data). 199 parent for binary data).
198 200
201 ExitOnForwardFailure
202 Specifies whether ssh(1) should terminate the connection if it
203 cannot set up all requested dynamic, local, and remote port for-
204 wardings. The argument must be ``yes'' or ``no''. The default
205 is ``no''.
206
199 ForwardAgent 207 ForwardAgent
200 Specifies whether the connection to the authentication agent (if 208 Specifies whether the connection to the authentication agent (if
201 any) will be forwarded to the remote machine. The argument must 209 any) will be forwarded to the remote machine. The argument must
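Review bot: the new ExitOnForwardFailure entry says "dynamic, local, and remote port forwardings", whereas ClearAllForwardings at line 99 of this same patch was just edited to read "local, remote, and dynamic port forwardings"; use one order in both. It would also help to say what "terminate the connection" means in practice, since with the default ``no'' a forwarding that fails to bind leaves the session up without it, which is exactly the case this option exists to catch.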
@@ -222,15 +230,14 @@ DESCRIPTION
222 ForwardX11Trusted option is also enabled. 230 ForwardX11Trusted option is also enabled.
223 231
224 ForwardX11Trusted 232 ForwardX11Trusted
225 If this option is set to ``yes'' then remote X11 clients will 233 If this option is set to ``yes'', remote X11 clients will have
226 have full access to the original X11 display. 234 full access to the original X11 display.
227 235
228 If this option is set to ``no'' then remote X11 clients will be 236 If this option is set to ``no'', remote X11 clients will be con-
229 considered untrusted and prevented from stealing or tampering 237 sidered untrusted and prevented from stealing or tampering with
230 with data belonging to trusted X11 clients. Furthermore, the 238 data belonging to trusted X11 clients. Furthermore, the xauth(1)
231 xauth(1) token used for the session will be set to expire after 239 token used for the session will be set to expire after 20 min-
232 20 minutes. Remote clients will be refused access after this 240 utes. Remote clients will be refused access after this time.
233 time.
234 241
235 The default is ``no''. 242 The default is ``no''.
236 243
@@ -239,12 +246,13 @@ DESCRIPTION
239 246
240 GatewayPorts 247 GatewayPorts
241 Specifies whether remote hosts are allowed to connect to local 248 Specifies whether remote hosts are allowed to connect to local
242 forwarded ports. By default, ssh binds local port forwardings to 249 forwarded ports. By default, ssh(1) binds local port forwardings
243 the loopback address. This prevents other remote hosts from con- 250 to the loopback address. This prevents other remote hosts from
244 necting to forwarded ports. GatewayPorts can be used to specify 251 connecting to forwarded ports. GatewayPorts can be used to spec-
245 that ssh should bind local port forwardings to the wildcard ad- 252 ify that ssh should bind local port forwardings to the wildcard
246 dress, thus allowing remote hosts to connect to forwarded ports. 253 address, thus allowing remote hosts to connect to forwarded
247 The argument must be ``yes'' or ``no''. The default is ``no''. 254 ports. The argument must be ``yes'' or ``no''. The default is
255 ``no''.
248 256
249 GlobalKnownHostsFile 257 GlobalKnownHostsFile
250 Specifies a file to use for the global host key database instead 258 Specifies a file to use for the global host key database instead
@@ -261,13 +269,13 @@ DESCRIPTION
261 ly. 269 ly.
262 270
263 HashKnownHosts 271 HashKnownHosts
264 Indicates that ssh should hash host names and addresses when they 272 Indicates that ssh(1) should hash host names and addresses when
265 are added to ~/.ssh/known_hosts. These hashed names may be used 273 they are added to ~/.ssh/known_hosts. These hashed names may be
266 normally by ssh and sshd, but they do not reveal identifying in- 274 used normally by ssh(1) and sshd(8), but they do not reveal iden-
267 formation should the file's contents be disclosed. The default 275 tifying information should the file's contents be disclosed. The
268 is ``no''. Note that hashing of names and addresses will not be 276 default is ``no''. Note that existing names and addresses in
269 retrospectively applied to existing known hosts files, but these 277 known hosts files will not be converted automatically, but may be
270 may be manually hashed using ssh-keygen(1). 278 manually hashed using ssh-keygen(1).
271 279
272 HostbasedAuthentication 280 HostbasedAuthentication
273 Specifies whether to try rhosts based authentication with public 281 Specifies whether to try rhosts based authentication with public
@@ -283,19 +291,19 @@ DESCRIPTION
283 HostKeyAlias 291 HostKeyAlias
284 Specifies an alias that should be used instead of the real host 292 Specifies an alias that should be used instead of the real host
285 name when looking up or saving the host key in the host key 293 name when looking up or saving the host key in the host key
286 database files. This option is useful for tunneling ssh connec- 294 database files. This option is useful for tunneling SSH connec-
287 tions or for multiple servers running on a single host. 295 tions or for multiple servers running on a single host.
288 296
289 HostName 297 HostName
290 Specifies the real host name to log into. This can be used to 298 Specifies the real host name to log into. This can be used to
291 specify nicknames or abbreviations for hosts. Default is the 299 specify nicknames or abbreviations for hosts. The default is the
292 name given on the command line. Numeric IP addresses are also 300 name given on the command line. Numeric IP addresses are also
293 permitted (both on the command line and in HostName specifica- 301 permitted (both on the command line and in HostName specifica-
294 tions). 302 tions).
295 303
296 IdentitiesOnly 304 IdentitiesOnly
297 Specifies that ssh should only use the authentication identity 305 Specifies that ssh(1) should only use the authentication identity
298 files configured in the ssh_config files, even if the ssh-agent 306 files configured in the ssh_config files, even if ssh-agent(1)
299 offers more identities. The argument to this keyword must be 307 offers more identities. The argument to this keyword must be
300 ``yes'' or ``no''. This option is intended for situations where 308 ``yes'' or ``no''. This option is intended for situations where
301 ssh-agent offers many different identities. The default is 309 ssh-agent offers many different identities. The default is
@@ -306,15 +314,23 @@ DESCRIPTION
306 identity is read. The default is ~/.ssh/identity for protocol 314 identity is read. The default is ~/.ssh/identity for protocol
307 version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- 315 version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver-
308 sion 2. Additionally, any identities represented by the authen- 316 sion 2. Additionally, any identities represented by the authen-
309 tication agent will be used for authentication. The file name 317 tication agent will be used for authentication.
310 may use the tilde syntax to refer to a user's home directory. It 318
311 is possible to have multiple identity files specified in configu- 319 The file name may use the tilde syntax to refer to a user's home
312 ration files; all these identities will be tried in sequence. 320 directory or one of the following escape characters: `%d' (local
321 user's home directory), `%u' (local user name), `%l' (local host
322 name), `%h' (remote host name) or `%r' (remote user name).
323
324 It is possible to have multiple identity files specified in con-
325 figuration files; all these identities will be tried in sequence.
313 326
314 KbdInteractiveDevices 327 KbdInteractiveDevices
315 Specifies the list of methods to use in keyboard-interactive au- 328 Specifies the list of methods to use in keyboard-interactive au-
316 thentication. Multiple method names must be comma-separated. 329 thentication. Multiple method names must be comma-separated.
317 The default is to use the server specified list. 330 The default is to use the server specified list. The methods
331 available vary depending on what the server supports. For an
332 OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'',
333 and ``skey''.
318 334
319 LocalCommand 335 LocalCommand
320 Specifies a command to execute on the local machine after suc- 336 Specifies a command to execute on the local machine after suc-
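Review bot: the escape list added to IdentityFile at lines 320-322 (`%d', `%u', `%l', `%h', `%r') overlaps with but differs from the ControlPath list edited earlier in this patch (`%l', `%h', `%p', `%r'), and the shared tokens are worded differently ("remote host name" here vs. "target host name" there). Either document the full set of escapes once and cross-reference it from both options, or use identical wording in each. In KbdInteractiveDevices, "it may be zero or more of" is ambiguous for a comma-separated list; if an empty list is genuinely meaningful say so, otherwise "one or more of" is clearer.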
@@ -341,15 +357,15 @@ DESCRIPTION
341 357
342 LogLevel 358 LogLevel
343 Gives the verbosity level that is used when logging messages from 359 Gives the verbosity level that is used when logging messages from
344 ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VER- 360 ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER-
345 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. 361 BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
346 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify 362 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
347 higher levels of verbose output. 363 higher levels of verbose output.
348 364
349 MACs Specifies the MAC (message authentication code) algorithms in or- 365 MACs Specifies the MAC (message authentication code) algorithms in or-
350 der of preference. The MAC algorithm is used in protocol version 366 der of preference. The MAC algorithm is used in protocol version
351 2 for data integrity protection. Multiple algorithms must be 367 2 for data integrity protection. Multiple algorithms must be
352 comma-separated. The default is ``hmac-md5,hmac-sha1,hmac- 368 comma-separated. The default is: ``hmac-md5,hmac-sha1,hmac-
353 ripemd160,hmac-sha1-96,hmac-md5-96''. 369 ripemd160,hmac-sha1-96,hmac-md5-96''.
354 370
355 NoHostAuthenticationForLocalhost 371 NoHostAuthenticationForLocalhost
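Review bot: the MACs default at lines 368-369 is still rendered as an inline quoted string broken across the line at "hmac-" / "ripemd160", whereas the Ciphers hunk in this same patch dropped the ``'' and set its list off as a separate block; format the MACs list the same way so the hyphen at the line break cannot be read as part of an algorithm name. The list itself (hmac-md5, hmac-sha1, hmac-ripemd160, hmac-sha1-96, hmac-md5-96) is unchanged by this diff, so this is presentation only.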
@@ -363,7 +379,7 @@ DESCRIPTION
363 379
364 NumberOfPasswordPrompts 380 NumberOfPasswordPrompts
365 Specifies the number of password prompts before giving up. The 381 Specifies the number of password prompts before giving up. The
366 argument to this keyword must be an integer. Default is 3. 382 argument to this keyword must be an integer. The default is 3.
367 383
368 PasswordAuthentication 384 PasswordAuthentication
369 Specifies whether to use password authentication. The argument 385 Specifies whether to use password authentication. The argument
@@ -375,20 +391,20 @@ DESCRIPTION
375 ing the !command escape sequence in ssh(1). The argument must be 391 ing the !command escape sequence in ssh(1). The argument must be
376 ``yes'' or ``no''. The default is ``no''. 392 ``yes'' or ``no''. The default is ``no''.
377 393
378 Port Specifies the port number to connect on the remote host. Default 394 Port Specifies the port number to connect on the remote host. The de-
379 is 22. 395 fault is 22.
380 396
381 PreferredAuthentications 397 PreferredAuthentications
382 Specifies the order in which the client should try protocol 2 au- 398 Specifies the order in which the client should try protocol 2 au-
383 thentication methods. This allows a client to prefer one method 399 thentication methods. This allows a client to prefer one method
384 (e.g. keyboard-interactive) over another method (e.g. password) 400 (e.g. keyboard-interactive) over another method (e.g. password)
385 The default for this option is: ``hostbased,publickey,keyboard- 401 The default for this option is: ``gssapi-with-mic,hostbased,
386 interactive,password''. 402 publickey, keyboard-interactive, password''.
387 403
388 Protocol 404 Protocol
389 Specifies the protocol versions ssh should support in order of 405 Specifies the protocol versions ssh(1) should support in order of
390 preference. The possible values are ``1'' and ``2''. Multiple 406 preference. The possible values are `1' and `2'. Multiple ver-
391 versions must be comma-separated. The default is ``2,1''. This 407 sions must be comma-separated. The default is ``2,1''. This
392 means that ssh tries version 2 and falls back to version 1 if 408 means that ssh tries version 2 and falls back to version 1 if
393 version 2 is not available. 409 version 2 is not available.
394 410
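Review bot: the new PreferredAuthentications default at lines 401-402 is written as ``gssapi-with-mic,hostbased, publickey, keyboard-interactive, password'' with spaces after some of the commas; every other list default in this file is shown without spaces, and a reader who copies this value verbatim into ssh_config or a -o option will not get the comma-separated form the rest of the page uses. Write it as gssapi-with-mic,hostbased,publickey,keyboard-interactive,password, or set it off as a block like the Ciphers default. The sentence ending "(e.g. password)" at line 400 is also still missing its full stop, which this reflow was a chance to fix.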
@@ -422,8 +438,8 @@ DESCRIPTION
422 fore the session key is renegotiated. The argument is the number 438 fore the session key is renegotiated. The argument is the number
423 of bytes, with an optional suffix of `K', `M', or `G' to indicate 439 of bytes, with an optional suffix of `K', `M', or `G' to indicate
424 Kilobytes, Megabytes, or Gigabytes, respectively. The default is 440 Kilobytes, Megabytes, or Gigabytes, respectively. The default is
425 between ``1G'' and ``4G'', depending on the cipher. This option 441 between `1G' and `4G', depending on the cipher. This option ap-
426 applies to protocol version 2 only. 442 plies to protocol version 2 only.
427 443
428 RemoteForward 444 RemoteForward
429 Specifies that a TCP port on the remote machine be forwarded over 445 Specifies that a TCP port on the remote machine be forwarded over
@@ -446,7 +462,7 @@ DESCRIPTION
446 Specifies whether to try rhosts based authentication with RSA 462 Specifies whether to try rhosts based authentication with RSA
447 host authentication. The argument must be ``yes'' or ``no''. 463 host authentication. The argument must be ``yes'' or ``no''.
448 The default is ``no''. This option applies to protocol version 1 464 The default is ``no''. This option applies to protocol version 1
449 only and requires ssh to be setuid root. 465 only and requires ssh(1) to be setuid root.
450 466
451 RSAAuthentication 467 RSAAuthentication
452 Specifies whether to try RSA authentication. The argument to 468 Specifies whether to try RSA authentication. The argument to
@@ -458,21 +474,23 @@ DESCRIPTION
458 SendEnv 474 SendEnv
459 Specifies what variables from the local environ(7) should be sent 475 Specifies what variables from the local environ(7) should be sent
460 to the server. Note that environment passing is only supported 476 to the server. Note that environment passing is only supported
461 for protocol 2, the server must also support it, and the server 477 for protocol 2. The server must also support it, and the server
462 must be configured to accept these environment variables. Refer 478 must be configured to accept these environment variables. Refer
463 to AcceptEnv in sshd_config(5) for how to configure the server. 479 to AcceptEnv in sshd_config(5) for how to configure the server.
464 Variables are specified by name, which may contain the wildcard 480 Variables are specified by name, which may contain wildcard char-
465 characters `*' and `?'. Multiple environment variables may be 481 acters. Multiple environment variables may be separated by
466 separated by whitespace or spread across multiple SendEnv direc- 482 whitespace or spread across multiple SendEnv directives. The de-
467 tives. The default is not to send any environment variables. 483 fault is not to send any environment variables.
484
485 See PATTERNS for more information on patterns.
468 486
469 ServerAliveCountMax 487 ServerAliveCountMax
470 Sets the number of server alive messages (see below) which may be 488 Sets the number of server alive messages (see below) which may be
471 sent without ssh receiving any messages back from the server. If 489 sent without ssh(1) receiving any messages back from the server.
472 this threshold is reached while server alive messages are being 490 If this threshold is reached while server alive messages are be-
473 sent, ssh will disconnect from the server, terminating the ses- 491 ing sent, ssh will disconnect from the server, terminating the
474 sion. It is important to note that the use of server alive mes- 492 session. It is important to note that the use of server alive
475 sages is very different from TCPKeepAlive (below). The server 493 messages is very different from TCPKeepAlive (below). The server
476 alive messages are sent through the encrypted channel and there- 494 alive messages are sent through the encrypted channel and there-
477 fore will not be spoofable. The TCP keepalive option enabled by 495 fore will not be spoofable. The TCP keepalive option enabled by
478 TCPKeepAlive is spoofable. The server alive mechanism is valu- 496 TCPKeepAlive is spoofable. The server alive mechanism is valu-
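Review bot: SendEnv replaces the explicit "`*' and `?'" with "wildcard characters" plus the same "See PATTERNS" cross-reference added to Host; as with Host, that section is not part of this diff and must exist for the reference to resolve. Because the entry no longer spells out that a pattern can be a bare wildcard, consider adding a caveat that a broad pattern forwards every matching local variable to the server, something the pointer to AcceptEnv in sshd_config(5) does not convey on its own.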
@@ -480,39 +498,41 @@ DESCRIPTION
480 tion has become inactive. 498 tion has become inactive.
481 499
482 The default value is 3. If, for example, ServerAliveInterval 500 The default value is 3. If, for example, ServerAliveInterval
483 (see below) is set to 15, and ServerAliveCountMax is left at the 501 (see below) is set to 15 and ServerAliveCountMax is left at the
484 default, if the server becomes unresponsive ssh will disconnect 502 default, if the server becomes unresponsive, ssh will disconnect
485 after approximately 45 seconds. 503 after approximately 45 seconds. This option applies to protocol
504 version 2 only.
486 505
487 ServerAliveInterval 506 ServerAliveInterval
488 Sets a timeout interval in seconds after which if no data has 507 Sets a timeout interval in seconds after which if no data has
489 been received from the server, ssh will send a message through 508 been received from the server, ssh(1) will send a message through
490 the encrypted channel to request a response from the server. The 509 the encrypted channel to request a response from the server. The
491 default is 0, indicating that these messages will not be sent to 510 default is 0, indicating that these messages will not be sent to
492 the server. This option applies to protocol version 2 only. 511 the server. This option applies to protocol version 2 only.
493 512
494 SmartcardDevice 513 SmartcardDevice
495 Specifies which smartcard device to use. The argument to this 514 Specifies which smartcard device to use. The argument to this
496 keyword is the device ssh should use to communicate with a smart- 515 keyword is the device ssh(1) should use to communicate with a
497 card used for storing the user's private RSA key. By default, no 516 smartcard used for storing the user's private RSA key. By de-
498 device is specified and smartcard support is not activated. 517 fault, no device is specified and smartcard support is not acti-
518 vated.
499 519
500 StrictHostKeyChecking 520 StrictHostKeyChecking
501 If this flag is set to ``yes'', ssh will never automatically add 521 If this flag is set to ``yes'', ssh(1) will never automatically
502 host keys to the ~/.ssh/known_hosts file, and refuses to connect 522 add host keys to the ~/.ssh/known_hosts file, and refuses to con-
503 to hosts whose host key has changed. This provides maximum pro- 523 nect to hosts whose host key has changed. This provides maximum
504 tection against trojan horse attacks, however, can be annoying 524 protection against trojan horse attacks, though it can be annoy-
505 when the /etc/ssh/ssh_known_hosts file is poorly maintained, or 525 ing when the /etc/ssh/ssh_known_hosts file is poorly maintained
506 connections to new hosts are frequently made. This option forces 526 or when connections to new hosts are frequently made. This op-
507 the user to manually add all new hosts. If this flag is set to 527 tion forces the user to manually add all new hosts. If this flag
508 ``no'', ssh will automatically add new host keys to the user 528 is set to ``no'', ssh will automatically add new host keys to the
509 known hosts files. If this flag is set to ``ask'', new host keys 529 user known hosts files. If this flag is set to ``ask'', new host
510 will be added to the user known host files only after the user 530 keys will be added to the user known host files only after the
511 has confirmed that is what they really want to do, and ssh will 531 user has confirmed that is what they really want to do, and ssh
512 refuse to connect to hosts whose host key has changed. The host 532 will refuse to connect to hosts whose host key has changed. The
513 keys of known hosts will be verified automatically in all cases. 533 host keys of known hosts will be verified automatically in all
514 The argument must be ``yes'', ``no'' or ``ask''. The default is 534 cases. The argument must be ``yes'', ``no'', or ``ask''. The
515 ``ask''. 535 default is ``ask''.
516 536
517 TCPKeepAlive 537 TCPKeepAlive
518 Specifies whether the system should send TCP keepalive messages 538 Specifies whether the system should send TCP keepalive messages
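Review bot: the StrictHostKeyChecking paragraph now cross-references ssh(1) in its first sentence but still says bare "ssh" in the "no" and "ask" sentences of the same paragraph, and it names the same file two ways in consecutive lines ("user known hosts files" then "user known host files"). Suggest "ssh(1)" consistently on first mention only, and one spelling such as "the user's known_hosts file" in both places, since the file is named as ~/.ssh/known_hosts earlier in the paragraph.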
@@ -528,22 +548,27 @@ DESCRIPTION
528 To disable TCP keepalive messages, the value should be set to 548 To disable TCP keepalive messages, the value should be set to
529 ``no''. 549 ``no''.
530 550
531 Tunnel Request starting tun(4) device forwarding between the client and 551 Tunnel Request tun(4) device forwarding between the client and the serv-
532 the server. This option also allows requesting layer 2 (ether- 552 er. The argument must be ``yes'', ``point-to-point'' (layer 3),
533 net) instead of layer 3 (point-to-point) tunneling from the serv- 553 ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' requests
534 er. The argument must be ``yes'', ``point-to-point'', 554 the default tunnel mode, which is ``point-to-point''. The de-
535 ``ethernet'' or ``no''. The default is ``no''. 555 fault is ``no''.
536 556
537 TunnelDevice 557 TunnelDevice
538 Force a specified tun(4) device on the client. Without this op- 558 Specifies the tun(4) devices to open on the client (local_tun)
539 tion, the next available device will be used. 559 and the server (remote_tun).
560
561 The argument must be local_tun[:remote_tun]. The devices may be
562 specified by numerical ID or the keyword ``any'', which uses the
563 next available tunnel device. If remote_tun is not specified, it
564 defaults to ``any''. The default is ``any:any''.
540 565
541 UsePrivilegedPort 566 UsePrivilegedPort
542 Specifies whether to use a privileged port for outgoing connec- 567 Specifies whether to use a privileged port for outgoing connec-
543 tions. The argument must be ``yes'' or ``no''. The default is 568 tions. The argument must be ``yes'' or ``no''. The default is
544 ``no''. If set to ``yes'' ssh must be setuid root. Note that 569 ``no''. If set to ``yes'', ssh(1) must be setuid root. Note
545 this option must be set to ``yes'' for RhostsRSAAuthentication 570 that this option must be set to ``yes'' for
546 with older servers. 571 RhostsRSAAuthentication with older servers.
547 572
548 User Specifies the user to log in as. This can be useful when a dif- 573 User Specifies the user to log in as. This can be useful when a dif-
549 ferent user name is used on different machines. This saves the 574 ferent user name is used on different machines. This saves the
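Review bot: the rewritten TunnelDevice entry drops the old fallback sentence "Without this option, the next available device will be used" and replaces it with the "any" keyword, but it never says what happens when a numerical ID is given and that device cannot be opened on the client or the server (fail the tunnel request, or fall back to the next available device). An operator who pins a fixed tun(4) number so that firewall rules can reference it needs to know which, so suggest one sentence stating the failure behaviour. Minor: in the Tunnel entry the sentence "Specifying ``yes'' requests the default tunnel mode, which is ``point-to-point''" reads more naturally placed before the list of accepted values, so that "yes" is defined before "The default is ``no''" follows it.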
@@ -562,18 +587,42 @@ DESCRIPTION
562 set to ``ask''. If this option is set to ``ask'', information on 587 set to ``ask''. If this option is set to ``ask'', information on
563 fingerprint match will be displayed, but the user will still need 588 fingerprint match will be displayed, but the user will still need
564 to confirm new host keys according to the StrictHostKeyChecking 589 to confirm new host keys according to the StrictHostKeyChecking
565 option. The argument must be ``yes'', ``no'' or ``ask''. The 590 option. The argument must be ``yes'', ``no'', or ``ask''. The
566 default is ``no''. Note that this option applies to protocol 591 default is ``no''. Note that this option applies to protocol
567 version 2 only. 592 version 2 only.
568 593
594 See also VERIFYING HOST KEYS in ssh(1).
595
569 XAuthLocation 596 XAuthLocation
570 Specifies the full pathname of the xauth(1) program. The default 597 Specifies the full pathname of the xauth(1) program. The default
571 is /usr/X11R6/bin/xauth. 598 is /usr/X11R6/bin/xauth.
572 599
600PATTERNS
601 A pattern consists of zero or more non-whitespace characters, `*' (a
602 wildcard that matches zero or more characters), or `?' (a wildcard that
603 matches exactly one character). For example, to specify a set of decla-
604 rations for any host in the ``.co.uk'' set of domains, the following pat-
605 tern could be used:
606
607 Host *.co.uk
608
609 The following pattern would match any host in the 192.168.0.[0-9] network
610 range:
611
612 Host 192.168.0.?
613
614 A pattern-list is a comma-separated list of patterns. Patterns within
615 pattern-lists may be negated by preceding them with an exclamation mark
616 (`!'). For example, to allow a key to be used from anywhere within an
617 organisation except from the ``dialup'' pool, the following entry (in au-
618 thorized_keys) could be used:
619
620 from="!*.dialup.example.com,*.example.com"
621
573FILES 622FILES
574 ~/.ssh/config 623 ~/.ssh/config
575 This is the per-user configuration file. The format of this file 624 This is the per-user configuration file. The format of this file
576 is described above. This file is used by the ssh client. Be- 625 is described above. This file is used by the SSH client. Be-
577 cause of the potential for abuse, this file must have strict per- 626 cause of the potential for abuse, this file must have strict per-
578 missions: read/write for the user, and not accessible by others. 627 missions: read/write for the user, and not accessible by others.
579 628
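Review bot: the new PATTERNS section gives a pattern-list example in which a host under dialup.example.com matches both "!*.dialup.example.com" and "*.example.com", but the text does not state how that conflict is resolved, namely whether a negated match wins regardless of its position in the list, and whether a list made up only of negated patterns can ever match a host. Because these lists gate key use in authorized_keys, suggest adding one sentence on the evaluation rule, and since authorized_keys belongs to the server, a pointer to sshd(8) where that file is documented rather than leaving the example to stand alone in the client's page.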
@@ -593,4 +642,4 @@ AUTHORS
593 ated OpenSSH. Markus Friedl contributed the support for SSH protocol 642 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
594 versions 1.5 and 2.0. 643 versions 1.5 and 2.0.
595 644
596OpenBSD 3.9 September 25, 1999 9 645OpenBSD 4.1 September 25, 1999 10
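Review bot: the footer bumps the release from OpenBSD 3.9 to 4.1 but keeps the page date at September 25, 1999, even though this revision adds a whole PATTERNS section and rewrites Tunnel and TunnelDevice; suggest updating the date in the page source so the rendered footer reflects when the documented behaviour last changed.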