path: root/ssh_config.0
Diffstat (limited to 'ssh_config.0')
-rw-r--r--ssh_config.0509
1 files changed, 248 insertions, 261 deletions
diff --git a/ssh_config.0 b/ssh_config.0
index 8733281f5..4ca9a5ff8 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -16,25 +16,23 @@ DESCRIPTION
16 3. system-wide configuration file (/etc/ssh/ssh_config) 16 3. system-wide configuration file (/etc/ssh/ssh_config)
17 17
18 For each parameter, the first obtained value will be used. The 18 For each parameter, the first obtained value will be used. The
19 configuration files contain sections separated by M-bM-^@M-^\HostM-bM-^@M-^] specifications, 19 configuration files contain sections separated by Host specifications,
20 and that section is only applied for hosts that match one of the patterns 20 and that section is only applied for hosts that match one of the patterns
21 given in the specification. The matched host name is usually the one 21 given in the specification. The matched host name is usually the one
22 given on the command line (see the CanonicalizeHostname option for 22 given on the command line (see the CanonicalizeHostname option for
23 exceptions.) 23 exceptions).
24 24
25 Since the first obtained value for each parameter is used, more host- 25 Since the first obtained value for each parameter is used, more host-
26 specific declarations should be given near the beginning of the file, and 26 specific declarations should be given near the beginning of the file, and
27 general defaults at the end. 27 general defaults at the end.
28 28
29 The configuration file has the following format: 29 The file contains keyword-argument pairs, one per line. Lines starting
30 30 with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as comments. Arguments may
31 Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. Otherwise a line 31 optionally be enclosed in double quotes (") in order to represent
32 is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration options may be 32 arguments containing spaces. Configuration options may be separated by
33 separated by whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the 33 whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the latter format
34 latter format is useful to avoid the need to quote whitespace when 34 is useful to avoid the need to quote whitespace when specifying
35 specifying configuration options using the ssh, scp, and sftp -o option. 35 configuration options using the ssh, scp, and sftp -o option.
36 Arguments may optionally be enclosed in double quotes (") in order to
37 represent arguments containing spaces.
38 36
39 The possible keywords and their meanings are as follows (note that 37 The possible keywords and their meanings are as follows (note that
40 keywords are case-insensitive and arguments are case-sensitive): 38 keywords are case-insensitive and arguments are case-sensitive):
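Review bot: new-side line 22 still reads "(see the CanonicalizeHostname option for exceptions)" while the Host paragraph later in this change rewrites the identical phrase to "CanonicalizeHostname keyword"; use one term in both places. The merged format paragraph at new-side lines 29-35 is otherwise sound: placing the double-quote sentence before the "=" sentence reads better, since the "=" text refers back to quoting whitespace, and "keyword-argument pairs, one per line" preserves the meaning of the removed "keyword arguments" sentence.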
@@ -45,8 +43,8 @@ DESCRIPTION
45 provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y 43 provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y
46 as a pattern can be used to provide global defaults for all 44 as a pattern can be used to provide global defaults for all
47 hosts. The host is usually the hostname argument given on the 45 hosts. The host is usually the hostname argument given on the
48 command line (see the CanonicalizeHostname option for 46 command line (see the CanonicalizeHostname keyword for
49 exceptions.) 47 exceptions).
50 48
51 A pattern entry may be negated by prefixing it with an 49 A pattern entry may be negated by prefixing it with an
52 exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the 50 exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the
@@ -74,14 +72,8 @@ DESCRIPTION
74 keyword executes the specified command under the user's shell. 72 keyword executes the specified command under the user's shell.
75 If the command returns a zero exit status then the condition is 73 If the command returns a zero exit status then the condition is
76 considered true. Commands containing whitespace characters must 74 considered true. Commands containing whitespace characters must
77 be quoted. The following character sequences in the command will 75 be quoted. Arguments to exec accept the tokens described in the
78 be expanded prior to execution: M-bM-^@M-^X%LM-bM-^@M-^Y will be substituted by the 76 TOKENS section.
79 first component of the local host name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted
80 by the local host name (including any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be
81 substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by
82 the original target host name specified on the command-line, M-bM-^@M-^X%pM-bM-^@M-^Y
83 the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by the remote login username, and M-bM-^@M-^X%uM-bM-^@M-^Y
84 by the username of the user running ssh(1).
85 77
86 The other keywords' criteria must be single entries or comma- 78 The other keywords' criteria must be single entries or comma-
87 separated lists and may use the wildcard and negation operators 79 separated lists and may use the wildcard and negation operators
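Review bot: the removed text at old-side lines 77-84 stated that the tokens are expanded prior to execution, whereas the replacement at new-side lines 75-76 only says that arguments to exec "accept" the tokens. Because an expanded value such as %h or %n originates on the command line and the result is then run under the user's shell (line 72), the ordering matters to anyone reasoning about what the shell sees; keep an explicit "expanded prior to execution" here or confirm the TOKENS section states it. Also confirm that TOKENS documents all seven tokens dropped here: %L, %l, %h, %n, %p, %r and %u.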
@@ -96,33 +88,33 @@ DESCRIPTION
96 88
97 AddKeysToAgent 89 AddKeysToAgent
98 Specifies whether keys should be automatically added to a running 90 Specifies whether keys should be automatically added to a running
99 ssh-agent(1). If this option is set to M-bM-^@M-^\yesM-bM-^@M-^] and a key is loaded 91 ssh-agent(1). If this option is set to yes and a key is loaded
100 from a file, the key and its passphrase are added to the agent 92 from a file, the key and its passphrase are added to the agent
101 with the default lifetime, as if by ssh-add(1). If this option 93 with the default lifetime, as if by ssh-add(1). If this option
102 is set to M-bM-^@M-^\askM-bM-^@M-^], ssh will require confirmation using the 94 is set to ask, ssh(1) will require confirmation using the
103 SSH_ASKPASS program before adding a key (see ssh-add(1) for 95 SSH_ASKPASS program before adding a key (see ssh-add(1) for
104 details). If this option is set to M-bM-^@M-^\confirmM-bM-^@M-^], each use of the 96 details). If this option is set to confirm, each use of the key
105 key must be confirmed, as if the -c option was specified to 97 must be confirmed, as if the -c option was specified to
106 ssh-add(1). If this option is set to M-bM-^@M-^\noM-bM-^@M-^], no keys are added to 98 ssh-add(1). If this option is set to no, no keys are added to
107 the agent. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\confirmM-bM-^@M-^], M-bM-^@M-^\askM-bM-^@M-^], or 99 the agent. The argument must be yes, confirm, ask, or no (the
108 M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. 100 default).
109 101
110 AddressFamily 102 AddressFamily
111 Specifies which address family to use when connecting. Valid 103 Specifies which address family to use when connecting. Valid
112 arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 104 arguments are any (the default), inet (use IPv4 only), or inet6
113 only). The default is M-bM-^@M-^\anyM-bM-^@M-^]. 105 (use IPv6 only).
114 106
115 BatchMode 107 BatchMode
116 If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. 108 If set to yes, passphrase/password querying will be disabled.
117 This option is useful in scripts and other batch jobs where no 109 This option is useful in scripts and other batch jobs where no
118 user is present to supply the password. The argument must be 110 user is present to supply the password. The argument must be yes
119 M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. 111 or no (the default).
120 112
121 BindAddress 113 BindAddress
122 Use the specified address on the local machine as the source 114 Use the specified address on the local machine as the source
123 address of the connection. Only useful on systems with more than 115 address of the connection. Only useful on systems with more than
124 one address. Note that this option does not work if 116 one address. Note that this option does not work if
125 UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^]. 117 UsePrivilegedPort is set to yes.
126 118
127 CanonicalDomains 119 CanonicalDomains
128 When CanonicalizeHostname is enabled, this option specifies the 120 When CanonicalizeHostname is enabled, this option specifies the
@@ -131,21 +123,21 @@ DESCRIPTION
131 123
132 CanonicalizeFallbackLocal 124 CanonicalizeFallbackLocal
133 Specifies whether to fail with an error when hostname 125 Specifies whether to fail with an error when hostname
134 canonicalization fails. The default, M-bM-^@M-^\yesM-bM-^@M-^], will attempt to look 126 canonicalization fails. The default, yes, will attempt to look
135 up the unqualified hostname using the system resolver's search 127 up the unqualified hostname using the system resolver's search
136 rules. A value of M-bM-^@M-^\noM-bM-^@M-^] will cause ssh(1) to fail instantly if 128 rules. A value of no will cause ssh(1) to fail instantly if
137 CanonicalizeHostname is enabled and the target hostname cannot be 129 CanonicalizeHostname is enabled and the target hostname cannot be
138 found in any of the domains specified by CanonicalDomains. 130 found in any of the domains specified by CanonicalDomains.
139 131
140 CanonicalizeHostname 132 CanonicalizeHostname
141 Controls whether explicit hostname canonicalization is performed. 133 Controls whether explicit hostname canonicalization is performed.
142 The default, M-bM-^@M-^\noM-bM-^@M-^], is not to perform any name rewriting and let 134 The default, no, is not to perform any name rewriting and let the
143 the system resolver handle all hostname lookups. If set to M-bM-^@M-^\yesM-bM-^@M-^] 135 system resolver handle all hostname lookups. If set to yes then,
144 then, for connections that do not use a ProxyCommand, ssh(1) will 136 for connections that do not use a ProxyCommand, ssh(1) will
145 attempt to canonicalize the hostname specified on the command 137 attempt to canonicalize the hostname specified on the command
146 line using the CanonicalDomains suffixes and 138 line using the CanonicalDomains suffixes and
147 CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is 139 CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is
148 set to M-bM-^@M-^\alwaysM-bM-^@M-^], then canonicalization is applied to proxied 140 set to always, then canonicalization is applied to proxied
149 connections too. 141 connections too.
150 142
151 If this option is enabled, then the configuration files are 143 If this option is enabled, then the configuration files are
@@ -154,7 +146,7 @@ DESCRIPTION
154 146
155 CanonicalizeMaxDots 147 CanonicalizeMaxDots
156 Specifies the maximum number of dot characters in a hostname 148 Specifies the maximum number of dot characters in a hostname
157 before canonicalization is disabled. The default, M-bM-^@M-^\1M-bM-^@M-^], allows a 149 before canonicalization is disabled. The default, 1, allows a
158 single dot (i.e. hostname.subdomain). 150 single dot (i.e. hostname.subdomain).
159 151
160 CanonicalizePermittedCNAMEs 152 CanonicalizePermittedCNAMEs
@@ -165,10 +157,10 @@ DESCRIPTION
165 CNAMEs in canonicalization, and target_domain_list is a pattern- 157 CNAMEs in canonicalization, and target_domain_list is a pattern-
166 list of domains that they may resolve to. 158 list of domains that they may resolve to.
167 159
168 For example, M-bM-^@M-^\*.a.example.com:*.b.example.com,*.c.example.comM-bM-^@M-^] 160 For example, "*.a.example.com:*.b.example.com,*.c.example.com"
169 will allow hostnames matching M-bM-^@M-^\*.a.example.comM-bM-^@M-^] to be 161 will allow hostnames matching "*.a.example.com" to be
170 canonicalized to names in the M-bM-^@M-^\*.b.example.comM-bM-^@M-^] or 162 canonicalized to names in the "*.b.example.com" or
171 M-bM-^@M-^\*.c.example.comM-bM-^@M-^] domains. 163 "*.c.example.com" domains.
172 164
173 CertificateFile 165 CertificateFile
174 Specifies a file from which the user's certificate is read. A 166 Specifies a file from which the user's certificate is read. A
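Review bot: new-side lines 160-163 replace the curly quotes with straight double quotes around the pattern-lists, while argument values elsewhere in this change are left bare. Since the syntax paragraph at the top of the file says double quotes enclose arguments containing spaces, a reader may take them as part of the required syntax; they are permitted but unnecessary for these patterns, so consider dropping them for consistency with the rest of the change.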
@@ -176,10 +168,9 @@ DESCRIPTION
176 use this certificate either from an IdentityFile directive or -i 168 use this certificate either from an IdentityFile directive or -i
177 flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider. 169 flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider.
178 170
179 The file name may use the tilde syntax to refer to a user's home 171 Arguments to CertificateFile may use the tilde syntax to refer to
180 directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local 172 a user's home directory or the tokens described in the TOKENS
181 user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host 173 section.
182 name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name).
183 174
184 It is possible to have multiple certificate files specified in 175 It is possible to have multiple certificate files specified in
185 configuration files; these certificates will be tried in 176 configuration files; these certificates will be tried in
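Review bot: old-side lines 180-182 listed %d (local user's home directory), a token that the Match exec list removed earlier in this diff did not contain; when verifying the TOKENS section, confirm %d is among the tokens it documents, since this is the only place in the removed text that defined it.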
@@ -188,24 +179,22 @@ DESCRIPTION
188 179
189 ChallengeResponseAuthentication 180 ChallengeResponseAuthentication
190 Specifies whether to use challenge-response authentication. The 181 Specifies whether to use challenge-response authentication. The
191 argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is 182 argument to this keyword must be yes (the default) or no.
192 M-bM-^@M-^\yesM-bM-^@M-^].
193 183
194 CheckHostIP 184 CheckHostIP
195 If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will additionally check the 185 If set to yes (the default), ssh(1) will additionally check the
196 host IP address in the known_hosts file. This allows ssh to 186 host IP address in the known_hosts file. This allows it to
197 detect if a host key changed due to DNS spoofing and will add 187 detect if a host key changed due to DNS spoofing and will add
198 addresses of destination hosts to ~/.ssh/known_hosts in the 188 addresses of destination hosts to ~/.ssh/known_hosts in the
199 process, regardless of the setting of StrictHostKeyChecking. If 189 process, regardless of the setting of StrictHostKeyChecking. If
200 the option is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The 190 the option is set to no, the check will not be executed.
201 default is M-bM-^@M-^\yesM-bM-^@M-^].
202 191
203 Cipher Specifies the cipher to use for encrypting the session in 192 Cipher Specifies the cipher to use for encrypting the session in
204 protocol version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are 193 protocol version 1. Currently, blowfish, 3des (the default), and
205 supported. des is only supported in the ssh(1) client for 194 des are supported, though des is only supported in the ssh(1)
206 interoperability with legacy protocol 1 implementations that do 195 client for interoperability with legacy protocol 1
207 not support the 3des cipher. Its use is strongly discouraged due 196 implementations; its use is strongly discouraged due to
208 to cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^]. 197 cryptographic weaknesses.
209 198
210 Ciphers 199 Ciphers
211 Specifies the ciphers allowed for protocol version 2 in order of 200 Specifies the ciphers allowed for protocol version 2 in order of
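Review bot: the rewritten Cipher text at new-side lines 194-196 drops "that do not support the 3des cipher", so it no longer says when des is actually needed; the old qualifier confined the discouraged cipher to peers that cannot negotiate 3des and should be kept, for example "... legacy protocol 1 implementations that do not support 3des; its use is strongly discouraged due to cryptographic weaknesses." Separately, in CheckHostIP at new-side line 186, "This allows it to detect" is ambiguous after "ssh(1) will additionally check"; the old "This allows ssh to detect" was clearer.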
@@ -237,10 +226,10 @@ DESCRIPTION
237 chacha20-poly1305@openssh.com, 226 chacha20-poly1305@openssh.com,
238 aes128-ctr,aes192-ctr,aes256-ctr, 227 aes128-ctr,aes192-ctr,aes256-ctr,
239 aes128-gcm@openssh.com,aes256-gcm@openssh.com, 228 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
240 aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc 229 aes128-cbc,aes192-cbc,aes256-cbc
241 230
242 The list of available ciphers may also be obtained using the -Q 231 The list of available ciphers may also be obtained using "ssh -Q
243 option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. 232 cipher".
244 233
245 ClearAllForwardings 234 ClearAllForwardings
246 Specifies that all local, remote, and dynamic port forwardings 235 Specifies that all local, remote, and dynamic port forwardings
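Review bot: new-side line 229 removes 3des-cbc from the documented default Ciphers list. That is a change to a stated default rather than a quoting cleanup, so it should be checked against the client's actual default ordering and mentioned separately in the commit message; operators audit their cipher posture from exactly this list, and a documented default that does not match the code is worse than either alone.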
@@ -248,12 +237,11 @@ DESCRIPTION
248 cleared. This option is primarily useful when used from the 237 cleared. This option is primarily useful when used from the
249 ssh(1) command line to clear port forwardings set in 238 ssh(1) command line to clear port forwardings set in
250 configuration files, and is automatically set by scp(1) and 239 configuration files, and is automatically set by scp(1) and
251 sftp(1). The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is 240 sftp(1). The argument must be yes or no (the default).
252 M-bM-^@M-^\noM-bM-^@M-^].
253 241
254 Compression 242 Compression
255 Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] 243 Specifies whether to use compression. The argument must be yes
256 or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. 244 or no (the default).
257 245
258 CompressionLevel 246 CompressionLevel
259 Specifies the compression level to use if compression is enabled. 247 Specifies the compression level to use if compression is enabled.
@@ -275,18 +263,18 @@ DESCRIPTION
275 263
276 ControlMaster 264 ControlMaster
277 Enables the sharing of multiple sessions over a single network 265 Enables the sharing of multiple sessions over a single network
278 connection. When set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will listen for 266 connection. When set to yes, ssh(1) will listen for connections
279 connections on a control socket specified using the ControlPath 267 on a control socket specified using the ControlPath argument.
280 argument. Additional sessions can connect to this socket using 268 Additional sessions can connect to this socket using the same
281 the same ControlPath with ControlMaster set to M-bM-^@M-^\noM-bM-^@M-^] (the 269 ControlPath with ControlMaster set to no (the default). These
282 default). These sessions will try to reuse the master instance's 270 sessions will try to reuse the master instance's network
283 network connection rather than initiating new ones, but will fall 271 connection rather than initiating new ones, but will fall back to
284 back to connecting normally if the control socket does not exist, 272 connecting normally if the control socket does not exist, or is
285 or is not listening. 273 not listening.
286 274
287 Setting this to M-bM-^@M-^\askM-bM-^@M-^] will cause ssh to listen for control 275 Setting this to ask will cause ssh(1) to listen for control
288 connections, but require confirmation using ssh-askpass(1). If 276 connections, but require confirmation using ssh-askpass(1). If
289 the ControlPath cannot be opened, ssh will continue without 277 the ControlPath cannot be opened, ssh(1) will continue without
290 connecting to a master instance. 278 connecting to a master instance.
291 279
292 X11 and ssh-agent(1) forwarding is supported over these 280 X11 and ssh-agent(1) forwarding is supported over these
@@ -296,41 +284,35 @@ DESCRIPTION
296 284
297 Two additional options allow for opportunistic multiplexing: try 285 Two additional options allow for opportunistic multiplexing: try
298 to use a master connection but fall back to creating a new one if 286 to use a master connection but fall back to creating a new one if
299 one does not already exist. These options are: M-bM-^@M-^\autoM-bM-^@M-^] and 287 one does not already exist. These options are: auto and autoask.
300 M-bM-^@M-^\autoaskM-bM-^@M-^]. The latter requires confirmation like the M-bM-^@M-^\askM-bM-^@M-^] 288 The latter requires confirmation like the ask option.
301 option.
302 289
303 ControlPath 290 ControlPath
304 Specify the path to the control socket used for connection 291 Specify the path to the control socket used for connection
305 sharing as described in the ControlMaster section above or the 292 sharing as described in the ControlMaster section above or the
306 string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing. In the path, M-bM-^@M-^X%LM-bM-^@M-^Y 293 string none to disable connection sharing. Arguments to
307 will be substituted by the first component of the local host 294 ControlPath may use the tilde syntax to refer to a user's home
308 name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted by the local host name (including 295 directory or the tokens described in the TOKENS section. It is
309 any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host 296 recommended that any ControlPath used for opportunistic
310 name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name 297 connection sharing include at least %h, %p, and %r (or
311 specified on the command line, M-bM-^@M-^X%pM-bM-^@M-^Y the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by 298 alternatively %C) and be placed in a directory that is not
312 the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username and M-bM-^@M-^X%iM-bM-^@M-^Y by the 299 writable by other users. This ensures that shared connections
313 numeric user ID (uid) of the user running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a 300 are uniquely identified.
314 hash of the concatenation: %l%h%p%r. It is recommended that any
315 ControlPath used for opportunistic connection sharing include at
316 least %h, %p, and %r (or alternatively %C) and be placed in a
317 directory that is not writable by other users. This ensures that
318 shared connections are uniquely identified.
319 301
320 ControlPersist 302 ControlPersist
321 When used in conjunction with ControlMaster, specifies that the 303 When used in conjunction with ControlMaster, specifies that the
322 master connection should remain open in the background (waiting 304 master connection should remain open in the background (waiting
323 for future client connections) after the initial client 305 for future client connections) after the initial client
324 connection has been closed. If set to M-bM-^@M-^\noM-bM-^@M-^], then the master 306 connection has been closed. If set to no, then the master
325 connection will not be placed into the background, and will close 307 connection will not be placed into the background, and will close
326 as soon as the initial client connection is closed. If set to 308 as soon as the initial client connection is closed. If set to
327 M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\0M-bM-^@M-^], then the master connection will remain in the 309 yes or 0, then the master connection will remain in the
328 background indefinitely (until killed or closed via a mechanism 310 background indefinitely (until killed or closed via a mechanism
329 such as the ssh(1) M-bM-^@M-^\-O exitM-bM-^@M-^] option). If set to a time in 311 such as the "ssh -O exit"). If set to a time in seconds, or a
330 seconds, or a time in any of the formats documented in 312 time in any of the formats documented in sshd_config(5), then the
331 sshd_config(5), then the backgrounded master connection will 313 backgrounded master connection will automatically terminate after
332 automatically terminate after it has remained idle (with no 314 it has remained idle (with no client connections) for the
333 client connections) for the specified time. 315 specified time.
334 316
335 DynamicForward 317 DynamicForward
336 Specifies that a TCP port on the local machine be forwarded over 318 Specifies that a TCP port on the local machine be forwarded over
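Review bot: new-side line 311, 'such as the "ssh -O exit")', is left with a dangling "the" after "option" was dropped from the old wording; write either 'such as "ssh -O exit")' or 'such as the ssh(1) -O exit option)'. In ControlPath (new-side lines 293-300), the retained advice "(or alternatively %C)" depends on the removed definition of %C as a hash of the concatenation %l%h%p%r; confirm the TOKENS section defines %C in those terms, otherwise the reader cannot tell why %C substitutes for %h, %p and %r. Keeping the "directory that is not writable by other users" sentence is right.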
@@ -342,7 +324,7 @@ DESCRIPTION
342 the local port is bound in accordance with the GatewayPorts 324 the local port is bound in accordance with the GatewayPorts
343 setting. However, an explicit bind_address may be used to bind 325 setting. However, an explicit bind_address may be used to bind
344 the connection to a specific address. The bind_address of 326 the connection to a specific address. The bind_address of
345 M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local 327 localhost indicates that the listening port be bound for local
346 use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port 328 use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port
347 should be available from all interfaces. 329 should be available from all interfaces.
348 330
@@ -352,17 +334,17 @@ DESCRIPTION
352 line. Only the superuser can forward privileged ports. 334 line. Only the superuser can forward privileged ports.
353 335
354 EnableSSHKeysign 336 EnableSSHKeysign
355 Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration 337 Setting this option to yes in the global client configuration
356 file /etc/ssh/ssh_config enables the use of the helper program 338 file /etc/ssh/ssh_config enables the use of the helper program
357 ssh-keysign(8) during HostbasedAuthentication. The argument must 339 ssh-keysign(8) during HostbasedAuthentication. The argument must
358 be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. This option should be 340 be yes or no (the default). This option should be placed in the
359 placed in the non-hostspecific section. See ssh-keysign(8) for 341 non-hostspecific section. See ssh-keysign(8) for more
360 more information. 342 information.
361 343
362 EscapeChar 344 EscapeChar
363 Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character 345 Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character
364 can also be set on the command line. The argument should be a 346 can also be set on the command line. The argument should be a
365 single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable 347 single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or none to disable
366 the escape character entirely (making the connection transparent 348 the escape character entirely (making the connection transparent
367 for binary data). 349 for binary data).
368 350
@@ -373,18 +355,17 @@ DESCRIPTION
373 listen on a specified port). Note that ExitOnForwardFailure does 355 listen on a specified port). Note that ExitOnForwardFailure does
374 not apply to connections made over port forwardings and will not, 356 not apply to connections made over port forwardings and will not,
375 for example, cause ssh(1) to exit if TCP connections to the 357 for example, cause ssh(1) to exit if TCP connections to the
376 ultimate forwarding destination fail. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] 358 ultimate forwarding destination fail. The argument must be yes
377 or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. 359 or no (the default).
378 360
379 FingerprintHash 361 FingerprintHash
380 Specifies the hash algorithm used when displaying key 362 Specifies the hash algorithm used when displaying key
381 fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The 363 fingerprints. Valid options are: md5 and sha256 (the default).
382 default is M-bM-^@M-^\sha256M-bM-^@M-^].
383 364
384 ForwardAgent 365 ForwardAgent
385 Specifies whether the connection to the authentication agent (if 366 Specifies whether the connection to the authentication agent (if
386 any) will be forwarded to the remote machine. The argument must 367 any) will be forwarded to the remote machine. The argument must
387 be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. 368 be yes or no (the default).
388 369
389 Agent forwarding should be enabled with caution. Users with the 370 Agent forwarding should be enabled with caution. Users with the
390 ability to bypass file permissions on the remote host (for the 371 ability to bypass file permissions on the remote host (for the
@@ -397,7 +378,7 @@ DESCRIPTION
397 ForwardX11 378 ForwardX11
398 Specifies whether X11 connections will be automatically 379 Specifies whether X11 connections will be automatically
399 redirected over the secure channel and DISPLAY set. The argument 380 redirected over the secure channel and DISPLAY set. The argument
400 must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. 381 must be yes or no (the default).
401 382
402 X11 forwarding should be enabled with caution. Users with the 383 X11 forwarding should be enabled with caution. Users with the
403 ability to bypass file permissions on the remote host (for the 384 ability to bypass file permissions on the remote host (for the
@@ -414,17 +395,15 @@ DESCRIPTION
414 minutes has elapsed. 395 minutes has elapsed.
415 396
416 ForwardX11Trusted 397 ForwardX11Trusted
417 If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], remote X11 clients will have full 398 If this option is set to yes, remote X11 clients will have full
418 access to the original X11 display. 399 access to the original X11 display.
419 400
420 If this option is set to M-bM-^@M-^\noM-bM-^@M-^], remote X11 clients will be 401 If this option is set to no (the default), remote X11 clients
421 considered untrusted and prevented from stealing or tampering 402 will be considered untrusted and prevented from stealing or
422 with data belonging to trusted X11 clients. Furthermore, the 403 tampering with data belonging to trusted X11 clients.
423 xauth(1) token used for the session will be set to expire after 404 Furthermore, the xauth(1) token used for the session will be set
424 20 minutes. Remote clients will be refused access after this 405 to expire after 20 minutes. Remote clients will be refused
425 time. 406 access after this time.
426
427 The default is M-bM-^@M-^\noM-bM-^@M-^].
428 407
429 See the X11 SECURITY extension specification for full details on 408 See the X11 SECURITY extension specification for full details on
430 the restrictions imposed on untrusted clients. 409 the restrictions imposed on untrusted clients.
@@ -436,8 +415,7 @@ DESCRIPTION
436 connecting to forwarded ports. GatewayPorts can be used to 415 connecting to forwarded ports. GatewayPorts can be used to
437 specify that ssh should bind local port forwardings to the 416 specify that ssh should bind local port forwardings to the
438 wildcard address, thus allowing remote hosts to connect to 417 wildcard address, thus allowing remote hosts to connect to
439 forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The 418 forwarded ports. The argument must be yes or no (the default).
440 default is M-bM-^@M-^\noM-bM-^@M-^].
441 419
442 GlobalKnownHostsFile 420 GlobalKnownHostsFile
443 Specifies one or more files to use for the global host key 421 Specifies one or more files to use for the global host key
@@ -446,25 +424,24 @@ DESCRIPTION
446 424
447 GSSAPIAuthentication 425 GSSAPIAuthentication
448 Specifies whether user authentication based on GSSAPI is allowed. 426 Specifies whether user authentication based on GSSAPI is allowed.
449 The default is M-bM-^@M-^\noM-bM-^@M-^]. 427 The default is no.
450 428
451 GSSAPIDelegateCredentials 429 GSSAPIDelegateCredentials
452 Forward (delegate) credentials to the server. The default is 430 Forward (delegate) credentials to the server. The default is no.
453 M-bM-^@M-^\noM-bM-^@M-^].
454 431
455 HashKnownHosts 432 HashKnownHosts
456 Indicates that ssh(1) should hash host names and addresses when 433 Indicates that ssh(1) should hash host names and addresses when
457 they are added to ~/.ssh/known_hosts. These hashed names may be 434 they are added to ~/.ssh/known_hosts. These hashed names may be
458 used normally by ssh(1) and sshd(8), but they do not reveal 435 used normally by ssh(1) and sshd(8), but they do not reveal
459 identifying information should the file's contents be disclosed. 436 identifying information should the file's contents be disclosed.
460 The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that existing names and addresses in 437 The default is no. Note that existing names and addresses in
461 known hosts files will not be converted automatically, but may be 438 known hosts files will not be converted automatically, but may be
462 manually hashed using ssh-keygen(1). 439 manually hashed using ssh-keygen(1).
463 440
464 HostbasedAuthentication 441 HostbasedAuthentication
465 Specifies whether to try rhosts based authentication with public 442 Specifies whether to try rhosts based authentication with public
466 key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The 443 key authentication. The argument must be yes or no (the
467 default is M-bM-^@M-^\noM-bM-^@M-^]. 444 default).
468 445
469 HostbasedKeyTypes 446 HostbasedKeyTypes
470 Specifies the key types that will be used for hostbased 447 Specifies the key types that will be used for hostbased
@@ -501,8 +478,8 @@ DESCRIPTION
501 If hostkeys are known for the destination host then this default 478 If hostkeys are known for the destination host then this default
502 is modified to prefer their algorithms. 479 is modified to prefer their algorithms.
503 480
504 The list of available key types may also be obtained using the -Q 481 The list of available key types may also be obtained using "ssh
505 option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. 482 -Q key".
506 483
507 HostKeyAlias 484 HostKeyAlias
508 Specifies an alias that should be used instead of the real host 485 Specifies an alias that should be used instead of the real host
@@ -512,41 +489,33 @@ DESCRIPTION
512 489
513 HostName 490 HostName
514 Specifies the real host name to log into. This can be used to 491 Specifies the real host name to log into. This can be used to
515 specify nicknames or abbreviations for hosts. If the hostname 492 specify nicknames or abbreviations for hosts. Arguments to
516 contains the character sequence M-bM-^@M-^X%hM-bM-^@M-^Y, then this will be replaced 493 HostName accept the tokens described in the TOKENS section.
517 with the host name specified on the command line (this is useful 494 Numeric IP addresses are also permitted (both on the command line
518 for manipulating unqualified names). The character sequence M-bM-^@M-^X%%M-bM-^@M-^Y 495 and in HostName specifications). The default is the name given
519 will be replaced by a single M-bM-^@M-^X%M-bM-^@M-^Y character, which may be used 496 on the command line.
520 when specifying IPv6 link-local addresses.
521
522 The default is the name given on the command line. Numeric IP
523 addresses are also permitted (both on the command line and in
524 HostName specifications).
525 497
526 IdentitiesOnly 498 IdentitiesOnly
527 Specifies that ssh(1) should only use the authentication identity 499 Specifies that ssh(1) should only use the authentication identity
528 and certificate files explicitly configured in the ssh_config 500 and certificate files explicitly configured in the ssh_config
529 files or passed on the ssh(1) command-line, even if ssh-agent(1) 501 files or passed on the ssh(1) command-line, even if ssh-agent(1)
530 or a PKCS11Provider offers more identities. The argument to this 502 or a PKCS11Provider offers more identities. The argument to this
531 keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option is intended for 503 keyword must be yes or no (the default). This option is intended
532 situations where ssh-agent offers many different identities. The 504 for situations where ssh-agent offers many different identities.
533 default is M-bM-^@M-^\noM-bM-^@M-^].
534 505
535 IdentityAgent 506 IdentityAgent
536 Specifies the UNIX-domain socket used to communicate with the 507 Specifies the UNIX-domain socket used to communicate with the
537 authentication agent. 508 authentication agent.
538 509
539 This option overrides the M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] environment variable 510 This option overrides the SSH_AUTH_SOCK environment variable and
540 and can be used to select a specific agent. Setting the socket 511 can be used to select a specific agent. Setting the socket name
541 name to M-bM-^@M-^\noneM-bM-^@M-^] disables the use of an authentication agent. If 512 to none disables the use of an authentication agent. If the
542 the string M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the 513 string "SSH_AUTH_SOCK" is specified, the location of the socket
543 socket will be read from the SSH_AUTH_SOCK environment variable. 514 will be read from the SSH_AUTH_SOCK environment variable.
544 515
545 The socket name may use the tilde syntax to refer to a user's 516 Arguments to IdentityAgent may use the tilde syntax to refer to a
546 home directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y 517 user's home directory or the tokens described in the TOKENS
547 (local user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y 518 section.
548 (local host name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user
549 name).
550 519
551 IdentityFile 520 IdentityFile
552 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA 521 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA
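Review bot: The HostName rewrite (492-496) drops the remark that "%%" expands to a single "%" and is needed when specifying IPv6 link-local addresses (old 518-520). The new pointer to the TOKENS section only preserves that information if TOKENS keeps the link-local note; either verify it does or keep the one-sentence hint here. The same check applies to the per-option token lists removed from IdentityAgent (old 546-549), where "%d", "%u", "%l", "%h" and "%r" must all still be documented in TOKENS.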
@@ -560,10 +529,9 @@ DESCRIPTION
560 from the filename obtained by appending -cert.pub to the path of 529 from the filename obtained by appending -cert.pub to the path of
561 a specified IdentityFile. 530 a specified IdentityFile.
562 531
563 The file name may use the tilde syntax to refer to a user's home 532 Arguments to IdentityFile may use the tilde syntax to refer to a
564 directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local 533 user's home directory or the tokens described in the TOKENS
565 user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host 534 section.
566 name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name).
567 535
568 It is possible to have multiple identity files specified in 536 It is possible to have multiple identity files specified in
569 configuration files; all these identities will be tried in 537 configuration files; all these identities will be tried in
@@ -588,7 +556,7 @@ DESCRIPTION
588 Include 556 Include
589 Include the specified configuration file(s). Multiple pathnames 557 Include the specified configuration file(s). Multiple pathnames
590 may be specified and each pathname may contain glob(3) wildcards 558 may be specified and each pathname may contain glob(3) wildcards
591 and, for user configurations, shell-like M-bM-^@M-^\~M-bM-^@M-^] references to user 559 and, for user configurations, shell-like M-bM-^@M-^X~M-bM-^@M-^Y references to user
592 home directories. Files without absolute paths are assumed to be 560 home directories. Files without absolute paths are assumed to be
593 in ~/.ssh if included in a user configuration file or /etc/ssh if 561 in ~/.ssh if included in a user configuration file or /etc/ssh if
594 included from the system configuration file. Include directive 562 included from the system configuration file. Include directive
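Review bot: Line 559 swaps the curly double quotes around "~" for curly single quotes (M-bM-^@M-^X~M-bM-^@M-^Y) rather than removing the quoting, which is what the rest of this change does for literals such as none, localhost and the af/cs class names. If the goal is to get the non-ASCII quotes out of the rendered page, this line and the remaining single-quoted literals in unchanged context ("*" in LocalForward, "exec" in ProxyCommand, "1G"/"4G" in RekeyLimit) should be handled the same way; otherwise the page ends up with three quoting styles.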
@@ -596,30 +564,27 @@ DESCRIPTION
596 inclusion. 564 inclusion.
597 565
598 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. 566 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections.
599 Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], M-bM-^@M-^\af22M-bM-^@M-^], 567 Accepted values are af11, af12, af13, af21, af22, af23, af31,
600 M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], M-bM-^@M-^\cs0M-bM-^@M-^], 568 af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6,
601 M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^], 569 cs7, ef, lowdelay, throughput, reliability, or a numeric value.
602 M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value.
603 This option may take one or two arguments, separated by 570 This option may take one or two arguments, separated by
604 whitespace. If one argument is specified, it is used as the 571 whitespace. If one argument is specified, it is used as the
605 packet class unconditionally. If two values are specified, the 572 packet class unconditionally. If two values are specified, the
606 first is automatically selected for interactive sessions and the 573 first is automatically selected for interactive sessions and the
607 second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^] 574 second for non-interactive sessions. The default is lowdelay for
608 for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive 575 interactive sessions and throughput for non-interactive sessions.
609 sessions.
610 576
611 KbdInteractiveAuthentication 577 KbdInteractiveAuthentication
612 Specifies whether to use keyboard-interactive authentication. 578 Specifies whether to use keyboard-interactive authentication.
613 The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default 579 The argument to this keyword must be yes (the default) or no.
614 is M-bM-^@M-^\yesM-bM-^@M-^].
615 580
616 KbdInteractiveDevices 581 KbdInteractiveDevices
617 Specifies the list of methods to use in keyboard-interactive 582 Specifies the list of methods to use in keyboard-interactive
618 authentication. Multiple method names must be comma-separated. 583 authentication. Multiple method names must be comma-separated.
619 The default is to use the server specified list. The methods 584 The default is to use the server specified list. The methods
620 available vary depending on what the server supports. For an 585 available vary depending on what the server supports. For an
621 OpenSSH server, it may be zero or more of: M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], and 586 OpenSSH server, it may be zero or more of: bsdauth, pam, and
622 M-bM-^@M-^\skeyM-bM-^@M-^]. 587 skey.
623 588
624 KexAlgorithms 589 KexAlgorithms
625 Specifies the available KEX (Key Exchange) algorithms. Multiple 590 Specifies the available KEX (Key Exchange) algorithms. Multiple
@@ -628,25 +593,21 @@ DESCRIPTION
628 will be appended to the default set instead of replacing them. 593 will be appended to the default set instead of replacing them.
629 The default is: 594 The default is:
630 595
631 curve25519-sha256@libssh.org, 596 curve25519-sha256,curve25519-sha256@libssh.org,
632 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 597 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
633 diffie-hellman-group-exchange-sha256, 598 diffie-hellman-group-exchange-sha256,
634 diffie-hellman-group-exchange-sha1, 599 diffie-hellman-group-exchange-sha1,
635 diffie-hellman-group14-sha1 600 diffie-hellman-group14-sha1
636 601
637 The list of available key exchange algorithms may also be 602 The list of available key exchange algorithms may also be
638 obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. 603 obtained using "ssh -Q kex".
639 604
640 LocalCommand 605 LocalCommand
641 Specifies a command to execute on the local machine after 606 Specifies a command to execute on the local machine after
642 successfully connecting to the server. The command string 607 successfully connecting to the server. The command string
643 extends to the end of the line, and is executed with the user's 608 extends to the end of the line, and is executed with the user's
644 shell. The following escape character substitutions will be 609 shell. Arguments to LocalCommand accept the tokens described in
645 performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host 610 the TOKENS section.
646 name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the
647 command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or
648 M-bM-^@M-^X%uM-bM-^@M-^Y (local user name) or M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation:
649 %l%h%p%r.
650 611
651 The command is run synchronously and does not have access to the 612 The command is run synchronously and does not have access to the
652 session of the ssh(1) that spawned it. It should not be used for 613 session of the ssh(1) that spawned it. It should not be used for
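Review bot: Line 596 changes the documented KexAlgorithms default by adding curve25519-sha256 ahead of curve25519-sha256@libssh.org. That is a content change, not part of the quoting cleanup the rest of this hunk performs, so confirm it matches the client's actual default and call it out in the commit message. Separately, the LocalCommand rewrite (609-610) drops the description of %C as a hash of the concatenation %l%h%p%r (old 648-649); make sure the TOKENS section documents %C so that detail is not lost.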
@@ -666,7 +627,7 @@ DESCRIPTION
666 privileged ports. By default, the local port is bound in 627 privileged ports. By default, the local port is bound in
667 accordance with the GatewayPorts setting. However, an explicit 628 accordance with the GatewayPorts setting. However, an explicit
668 bind_address may be used to bind the connection to a specific 629 bind_address may be used to bind the connection to a specific
669 address. The bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the 630 address. The bind_address of localhost indicates that the
670 listening port be bound for local use only, while an empty 631 listening port be bound for local use only, while an empty
671 address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from 632 address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from
672 all interfaces. 633 all interfaces.
@@ -685,7 +646,7 @@ DESCRIPTION
685 then the specified algorithms will be appended to the default set 646 then the specified algorithms will be appended to the default set
686 instead of replacing them. 647 instead of replacing them.
687 648
688 The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after 649 The algorithms that contain "-etm" calculate the MAC after
689 encryption (encrypt-then-mac). These are considered safer and 650 encryption (encrypt-then-mac). These are considered safer and
690 their use recommended. 651 their use recommended.
691 652
@@ -698,7 +659,7 @@ DESCRIPTION
698 hmac-sha2-256,hmac-sha2-512,hmac-sha1 659 hmac-sha2-256,hmac-sha2-512,hmac-sha1
699 660
700 The list of available MAC algorithms may also be obtained using 661 The list of available MAC algorithms may also be obtained using
701 the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. 662 "ssh -Q mac".
702 663
703 NoHostAuthenticationForLocalhost 664 NoHostAuthenticationForLocalhost
704 This option can be used if the home directory is shared across 665 This option can be used if the home directory is shared across
@@ -706,8 +667,7 @@ DESCRIPTION
706 machine on each of the machines and the user will get many 667 machine on each of the machines and the user will get many
707 warnings about changed host keys. However, this option disables 668 warnings about changed host keys. However, this option disables
708 host authentication for localhost. The argument to this keyword 669 host authentication for localhost. The argument to this keyword
709 must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for 670 must be yes or no. (the default).
710 localhost.
711 671
712 NumberOfPasswordPrompts 672 NumberOfPasswordPrompts
713 Specifies the number of password prompts before giving up. The 673 Specifies the number of password prompts before giving up. The
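Review bot: Line 670 reads "must be yes or no. (the default)." with a stray full stop before the parenthesis, and the dangling "(the default)" no longer says which value is the default. It should follow the pattern used elsewhere in this change, "must be yes or no (the default).", which also keeps the meaning of the old text ("The default is to check the host key for localhost", i.e. no).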
@@ -715,12 +675,12 @@ DESCRIPTION
715 675
716 PasswordAuthentication 676 PasswordAuthentication
717 Specifies whether to use password authentication. The argument 677 Specifies whether to use password authentication. The argument
718 to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. 678 to this keyword must be yes (the default) or no.
719 679
720 PermitLocalCommand 680 PermitLocalCommand
721 Allow local command execution via the LocalCommand option or 681 Allow local command execution via the LocalCommand option or
722 using the !command escape sequence in ssh(1). The argument must 682 using the !command escape sequence in ssh(1). The argument must
723 be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. 683 be yes or no (the default).
724 684
725 PKCS11Provider 685 PKCS11Provider
726 Specifies which PKCS#11 provider to use. The argument to this 686 Specifies which PKCS#11 provider to use. The argument to this
@@ -742,12 +702,12 @@ DESCRIPTION
742 702
743 Protocol 703 Protocol
744 Specifies the protocol versions ssh(1) should support in order of 704 Specifies the protocol versions ssh(1) should support in order of
745 preference. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple 705 preference. The possible values are 1 and 2. Multiple versions
746 versions must be comma-separated. When this option is set to 706 must be comma-separated. When this option is set to 2,1 ssh will
747 M-bM-^@M-^\2,1M-bM-^@M-^] ssh will try version 2 and fall back to version 1 if 707 try version 2 and fall back to version 1 if version 2 is not
748 version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Protocol 1 708 available. The default is version 2. Protocol 1 suffers from a
749 suffers from a number of cryptographic weaknesses and should not 709 number of cryptographic weaknesses and should not be used. It is
750 be used. It is only offered to support legacy devices. 710 only offered to support legacy devices.
751 711
752 ProxyCommand 712 ProxyCommand
753 Specifies the command to use to connect to the server. The 713 Specifies the command to use to connect to the server. The
@@ -755,15 +715,14 @@ DESCRIPTION
755 using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering 715 using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering
756 shell process. 716 shell process.
757 717
758 In the command string, any occurrence of M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted 718 Arguments to ProxyCommand accept the tokens described in the
759 by the host name to connect, M-bM-^@M-^X%pM-bM-^@M-^Y by the port, and M-bM-^@M-^X%rM-bM-^@M-^Y by the 719 TOKENS section. The command can be basically anything, and
760 remote user name. The command can be basically anything, and
761 should read from its standard input and write to its standard 720 should read from its standard input and write to its standard
762 output. It should eventually connect an sshd(8) server running 721 output. It should eventually connect an sshd(8) server running
763 on some machine, or execute sshd -i somewhere. Host key 722 on some machine, or execute sshd -i somewhere. Host key
764 management will be done using the HostName of the host being 723 management will be done using the HostName of the host being
765 connected (defaulting to the name typed by the user). Setting 724 connected (defaulting to the name typed by the user). Setting
766 the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option entirely. Note that 725 the command to none disables this option entirely. Note that
767 CheckHostIP is not available for connects with a proxy command. 726 CheckHostIP is not available for connects with a proxy command.
768 727
769 This directive is useful in conjunction with nc(1) and its proxy 728 This directive is useful in conjunction with nc(1) and its proxy
@@ -787,7 +746,7 @@ DESCRIPTION
787 ProxyUseFdpass 746 ProxyUseFdpass
788 Specifies that ProxyCommand will pass a connected file descriptor 747 Specifies that ProxyCommand will pass a connected file descriptor
789 back to ssh(1) instead of continuing to execute and pass data. 748 back to ssh(1) instead of continuing to execute and pass data.
790 The default is M-bM-^@M-^\noM-bM-^@M-^]. 749 The default is no.
791 750
792 PubkeyAcceptedKeyTypes 751 PubkeyAcceptedKeyTypes
793 Specifies the key types that will be used for public key 752 Specifies the key types that will be used for public key
@@ -804,11 +763,12 @@ DESCRIPTION
804 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 763 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
805 ssh-ed25519,ssh-rsa 764 ssh-ed25519,ssh-rsa
806 765
807 The -Q option of ssh(1) may be used to list supported key types. 766 The list of available key types may also be obtained using "ssh
767 -Q key".
808 768
809 PubkeyAuthentication 769 PubkeyAuthentication
810 Specifies whether to try public key authentication. The argument 770 Specifies whether to try public key authentication. The argument
811 to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. 771 to this keyword must be yes (the default) or no.
812 772
813 RekeyLimit 773 RekeyLimit
814 Specifies the maximum amount of data that may be transmitted 774 Specifies the maximum amount of data that may be transmitted
@@ -820,7 +780,7 @@ DESCRIPTION
820 M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second 780 M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second
821 value is specified in seconds and may use any of the units 781 value is specified in seconds and may use any of the units
822 documented in the TIME FORMATS section of sshd_config(5). The 782 documented in the TIME FORMATS section of sshd_config(5). The
823 default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that 783 default value for RekeyLimit is default none, which means that
824 rekeying is performed after the cipher's default amount of data 784 rekeying is performed after the cipher's default amount of data
825 has been sent or received and no time based rekeying is done. 785 has been sent or received and no time based rekeying is done.
826 786
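Review bot: Line 783 now reads "the default value for RekeyLimit is default none", where the two-word literal is no longer set off from the sentence and reads like a grammatical slip. Since this same change keeps ASCII double quotes for literals such as "-etm" and "ssh -Q kex", quote this one as "default none" too so the reader can tell it is the literal value.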
@@ -834,7 +794,7 @@ DESCRIPTION
834 given on the command line. Privileged ports can be forwarded 794 given on the command line. Privileged ports can be forwarded
835 only when logging in as root on the remote machine. 795 only when logging in as root on the remote machine.
836 796
837 If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically 797 If the port argument is 0, the listen port will be dynamically
838 allocated on the server and reported to the client at run time. 798 allocated on the server and reported to the client at run time.
839 799
840 If the bind_address is not specified, the default is to only bind 800 If the bind_address is not specified, the default is to only bind
@@ -846,9 +806,9 @@ DESCRIPTION
846 806
847 RequestTTY 807 RequestTTY
848 Specifies whether to request a pseudo-tty for the session. The 808 Specifies whether to request a pseudo-tty for the session. The
849 argument may be one of: M-bM-^@M-^\noM-bM-^@M-^] (never request a TTY), M-bM-^@M-^\yesM-bM-^@M-^] (always 809 argument may be one of: no (never request a TTY), yes (always
850 request a TTY when standard input is a TTY), M-bM-^@M-^\forceM-bM-^@M-^] (always 810 request a TTY when standard input is a TTY), force (always
851 request a TTY) or M-bM-^@M-^\autoM-bM-^@M-^] (request a TTY when opening a login 811 request a TTY) or auto (request a TTY when opening a login
852 session). This option mirrors the -t and -T flags for ssh(1). 812 session). This option mirrors the -t and -T flags for ssh(1).
853 813
854 RevokedHostKeys 814 RevokedHostKeys
@@ -862,16 +822,16 @@ DESCRIPTION
862 822
863 RhostsRSAAuthentication 823 RhostsRSAAuthentication
864 Specifies whether to try rhosts based authentication with RSA 824 Specifies whether to try rhosts based authentication with RSA
865 host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The 825 host authentication. The argument must be yes or no (the
866 default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only 826 default). This option applies to protocol version 1 only and
867 and requires ssh(1) to be setuid root. 827 requires ssh(1) to be setuid root.
868 828
869 RSAAuthentication 829 RSAAuthentication
870 Specifies whether to try RSA authentication. The argument to 830 Specifies whether to try RSA authentication. The argument to
871 this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only 831 this keyword must be yes (the default) or no. RSA authentication
872 be attempted if the identity file exists, or an authentication 832 will only be attempted if the identity file exists, or an
873 agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option 833 authentication agent is running. Note that this option applies
874 applies to protocol version 1 only. 834 to protocol version 1 only.
875 835
876 SendEnv 836 SendEnv
877 Specifies what variables from the local environ(7) should be sent 837 Specifies what variables from the local environ(7) should be sent
@@ -932,24 +892,23 @@ DESCRIPTION
932 domain socket file. This option is only used for port forwarding 892 domain socket file. This option is only used for port forwarding
933 to a Unix-domain socket file. 893 to a Unix-domain socket file.
934 894
935 The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. 895 The argument must be yes or no (the default).
936 896
937 StrictHostKeyChecking 897 StrictHostKeyChecking
938 If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will never automatically add 898 If this flag is set to yes, ssh(1) will never automatically add
939 host keys to the ~/.ssh/known_hosts file, and refuses to connect 899 host keys to the ~/.ssh/known_hosts file, and refuses to connect
940 to hosts whose host key has changed. This provides maximum 900 to hosts whose host key has changed. This provides maximum
941 protection against trojan horse attacks, though it can be 901 protection against trojan horse attacks, though it can be
942 annoying when the /etc/ssh/ssh_known_hosts file is poorly 902 annoying when the /etc/ssh/ssh_known_hosts file is poorly
943 maintained or when connections to new hosts are frequently made. 903 maintained or when connections to new hosts are frequently made.
944 This option forces the user to manually add all new hosts. If 904 This option forces the user to manually add all new hosts. If
945 this flag is set to M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host 905 this flag is set to no, ssh will automatically add new host keys
946 keys to the user known hosts files. If this flag is set to 906 to the user known hosts files. If this flag is set to ask (the
947 M-bM-^@M-^\askM-bM-^@M-^], new host keys will be added to the user known host files 907 default), new host keys will be added to the user known host
948 only after the user has confirmed that is what they really want 908 files only after the user has confirmed that is what they really
949 to do, and ssh will refuse to connect to hosts whose host key has 909 want to do, and ssh will refuse to connect to hosts whose host
950 changed. The host keys of known hosts will be verified 910 key has changed. The host keys of known hosts will be verified
951 automatically in all cases. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or 911 automatically in all cases.
952 M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^].
953 912
954 TCPKeepAlive 913 TCPKeepAlive
955 Specifies whether the system should send TCP keepalive messages 914 Specifies whether the system should send TCP keepalive messages
@@ -958,53 +917,50 @@ DESCRIPTION
958 this means that connections will die if the route is down 917 this means that connections will die if the route is down
959 temporarily, and some people find it annoying. 918 temporarily, and some people find it annoying.
960 919
961 The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the 920 The default is yes (to send TCP keepalive messages), and the
962 client will notice if the network goes down or the remote host 921 client will notice if the network goes down or the remote host
963 dies. This is important in scripts, and many users want it too. 922 dies. This is important in scripts, and many users want it too.
964 923
965 To disable TCP keepalive messages, the value should be set to 924 To disable TCP keepalive messages, the value should be set to no.
966 M-bM-^@M-^\noM-bM-^@M-^].
967 925
968 Tunnel Request tun(4) device forwarding between the client and the 926 Tunnel Request tun(4) device forwarding between the client and the
969 server. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), 927 server. The argument must be yes, point-to-point (layer 3),
970 M-bM-^@M-^\ethernetM-bM-^@M-^] (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] requests the 928 ethernet (layer 2), or no (the default). Specifying yes requests
971 default tunnel mode, which is M-bM-^@M-^\point-to-pointM-bM-^@M-^]. The default is 929 the default tunnel mode, which is point-to-point.
972 M-bM-^@M-^\noM-bM-^@M-^].
973 930
974 TunnelDevice 931 TunnelDevice
975 Specifies the tun(4) devices to open on the client (local_tun) 932 Specifies the tun(4) devices to open on the client (local_tun)
976 and the server (remote_tun). 933 and the server (remote_tun).
977 934
978 The argument must be local_tun[:remote_tun]. The devices may be 935 The argument must be local_tun[:remote_tun]. The devices may be
979 specified by numerical ID or the keyword M-bM-^@M-^\anyM-bM-^@M-^], which uses the 936 specified by numerical ID or the keyword any, which uses the next
980 next available tunnel device. If remote_tun is not specified, it 937 available tunnel device. If remote_tun is not specified, it
981 defaults to M-bM-^@M-^\anyM-bM-^@M-^]. The default is M-bM-^@M-^\any:anyM-bM-^@M-^]. 938 defaults to any. The default is any:any.
982 939
983 UpdateHostKeys 940 UpdateHostKeys
984 Specifies whether ssh(1) should accept notifications of 941 Specifies whether ssh(1) should accept notifications of
985 additional hostkeys from the server sent after authentication has 942 additional hostkeys from the server sent after authentication has
986 completed and add them to UserKnownHostsFile. The argument must 943 completed and add them to UserKnownHostsFile. The argument must
987 be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] (the default) or M-bM-^@M-^\askM-bM-^@M-^]. Enabling this option 944 be yes, no (the default) or ask. Enabling this option allows
988 allows learning alternate hostkeys for a server and supports 945 learning alternate hostkeys for a server and supports graceful
989 graceful key rotation by allowing a server to send replacement 946 key rotation by allowing a server to send replacement public keys
990 public keys before old ones are removed. Additional hostkeys are 947 before old ones are removed. Additional hostkeys are only
991 only accepted if the key used to authenticate the host was 948 accepted if the key used to authenticate the host was already
992 already trusted or explicitly accepted by the user. If 949 trusted or explicitly accepted by the user. If UpdateHostKeys is
993 UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm 950 set to ask, then the user is asked to confirm the modifications
994 the modifications to the known_hosts file. Confirmation is 951 to the known_hosts file. Confirmation is currently incompatible
995 currently incompatible with ControlPersist, and will be disabled 952 with ControlPersist, and will be disabled if it is enabled.
996 if it is enabled.
997 953
998 Presently, only sshd(8) from OpenSSH 6.8 and greater support the 954 Presently, only sshd(8) from OpenSSH 6.8 and greater support the
999 M-bM-^@M-^\hostkeys@openssh.comM-bM-^@M-^] protocol extension used to inform the 955 "hostkeys@openssh.com" protocol extension used to inform the
1000 client of all the server's hostkeys. 956 client of all the server's hostkeys.
1001 957
1002 UsePrivilegedPort 958 UsePrivilegedPort
1003 Specifies whether to use a privileged port for outgoing 959 Specifies whether to use a privileged port for outgoing
1004 connections. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is 960 connections. The argument must be yes or no (the default). If
1005 M-bM-^@M-^\noM-bM-^@M-^]. If set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) must be setuid root. Note that 961 set to yes, ssh(1) must be setuid root. Note that this option
1006 this option must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with 962 must be set to yes for RhostsRSAAuthentication with older
1007 older servers. 963 servers.
1008 964
1009 User Specifies the user to log in as. This can be useful when a 965 User Specifies the user to log in as. This can be useful when a
1010 different user name is used on different machines. This saves 966 different user name is used on different machines. This saves
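Review bot: the UpdateHostKeys sentence "Confirmation is currently incompatible with ControlPersist, and will be disabled if it is enabled" is ambiguous about what "it" refers to, and this rewrap (lines 950-952 on the new side) keeps the ambiguity; since the clause is about confirmation (the ask mode) being silently turned off, make the subject explicit, e.g. "Confirmation is currently incompatible with ControlPersist, and will be disabled if ControlPersist is enabled." Otherwise the de-quoting of yes/no/ask and the "(the default)" folding in UsePrivilegedPort are consistent with the rest of this change.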
@@ -1018,24 +974,23 @@ DESCRIPTION
1018 974
1019 VerifyHostKeyDNS 975 VerifyHostKeyDNS
1020 Specifies whether to verify the remote key using DNS and SSHFP 976 Specifies whether to verify the remote key using DNS and SSHFP
1021 resource records. If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], the client 977 resource records. If this option is set to yes, the client will
1022 will implicitly trust keys that match a secure fingerprint from 978 implicitly trust keys that match a secure fingerprint from DNS.
1023 DNS. Insecure fingerprints will be handled as if this option was 979 Insecure fingerprints will be handled as if this option was set
1024 set to M-bM-^@M-^\askM-bM-^@M-^]. If this option is set to M-bM-^@M-^\askM-bM-^@M-^], information on 980 to ask. If this option is set to ask, information on fingerprint
1025 fingerprint match will be displayed, but the user will still need 981 match will be displayed, but the user will still need to confirm
1026 to confirm new host keys according to the StrictHostKeyChecking 982 new host keys according to the StrictHostKeyChecking option. The
1027 option. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\askM-bM-^@M-^]. The default 983 default is no.
1028 is M-bM-^@M-^\noM-bM-^@M-^].
1029 984
1030 See also VERIFYING HOST KEYS in ssh(1). 985 See also VERIFYING HOST KEYS in ssh(1).
1031 986
1032 VisualHostKey 987 VisualHostKey
1033 If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], an ASCII art representation of the 988 If this flag is set to yes, an ASCII art representation of the
1034 remote host key fingerprint is printed in addition to the 989 remote host key fingerprint is printed in addition to the
1035 fingerprint string at login and for unknown host keys. If this 990 fingerprint string at login and for unknown host keys. If this
1036 flag is set to M-bM-^@M-^\noM-bM-^@M-^], no fingerprint strings are printed at login 991 flag is set to no (the default), no fingerprint strings are
1037 and only the fingerprint string will be printed for unknown host 992 printed at login and only the fingerprint string will be printed
1038 keys. The default is M-bM-^@M-^\noM-bM-^@M-^]. 993 for unknown host keys.
1039 994
1040 XAuthLocation 995 XAuthLocation
1041 Specifies the full pathname of the xauth(1) program. The default 996 Specifies the full pathname of the xauth(1) program. The default
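Review bot: in the VerifyHostKeyDNS block the old sentence "The argument must be yes, no, or ask." was dropped and only "The default is no." survives (new side line 983), so this option no longer states its accepted values explicitly, unlike UpdateHostKeys and UsePrivilegedPort in this same change, which keep "The argument must be yes, no (the default) or ask"; suggest "The argument must be yes, no (the default), or ask." so readers do not have to infer the value set from the prose.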
@@ -1045,7 +1000,7 @@ PATTERNS
1045 A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a 1000 A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a
1046 wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that 1001 wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that
1047 matches exactly one character). For example, to specify a set of 1002 matches exactly one character). For example, to specify a set of
1048 declarations for any host in the M-bM-^@M-^\.co.ukM-bM-^@M-^] set of domains, the following 1003 declarations for any host in the ".co.uk" set of domains, the following
1049 pattern could be used: 1004 pattern could be used:
1050 1005
1051 Host *.co.uk 1006 Host *.co.uk
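Review bot: the new side of this hunk still carries the multibyte quote bytes around the pattern metacharacters (`M-bM-^@M-^X*M-bM-^@M-^Y`, `M-bM-^@M-^X?M-bM-^@M-^Y`, lines 1000-1001) while the double-quoted ".co.uk" on line 1003 was reduced to plain ASCII quotes; if the intent of this change is an ASCII-clean ssh_config.0, the single-quoted markup needs the same treatment (or the page should be regenerated with an ASCII output encoding), otherwise the result is inconsistent within the same paragraph.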
@@ -1058,11 +1013,43 @@ PATTERNS
1058 A pattern-list is a comma-separated list of patterns. Patterns within 1013 A pattern-list is a comma-separated list of patterns. Patterns within
1059 pattern-lists may be negated by preceding them with an exclamation mark 1014 pattern-lists may be negated by preceding them with an exclamation mark
1060 (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an 1015 (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an
1061 organization except from the M-bM-^@M-^\dialupM-bM-^@M-^] pool, the following entry (in 1016 organization except from the "dialup" pool, the following entry (in
1062 authorized_keys) could be used: 1017 authorized_keys) could be used:
1063 1018
1064 from="!*.dialup.example.com,*.example.com" 1019 from="!*.dialup.example.com,*.example.com"
1065 1020
1021TOKENS
1022 Arguments to some keywords can make use of tokens, which are expanded at
1023 runtime:
1024
1025 %% A literal M-bM-^@M-^X%M-bM-^@M-^Y.
1026 %C Shorthand for %l%h%p%r.
1027 %d Local user's home directory.
1028 %h The remote hostname.
1029 %i The local user ID.
1030 %L The local hostname.
1031 %l The local hostname, including the domain name.
1032 %n The original remote hostname, as given on the command line.
1033 %p The remote port.
1034 %r The remote username.
1035 %u The local username.
1036
1037 Match exec accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u.
1038
1039 CertificateFile accepts the tokens %%, %d, %h, %l, %r, and %u.
1040
1041 ControlPath accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and
1042 %u.
1043
1044 HostName accepts the tokens %% and %h.
1045
1046 IdentityAgent and IdentityFile accept the tokens %%, %d, %h, %l, %r, and
1047 %u.
1048
1049 LocalCommand accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1050
1051 ProxyCommand accepts the tokens %%, %h, %p, and %r.
1052
1066FILES 1053FILES
1067 ~/.ssh/config 1054 ~/.ssh/config
1068 This is the per-user configuration file. The format of this file 1055 This is the per-user configuration file. The format of this file
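Review bot: in the new TOKENS section the entry "%C Shorthand for %l%h%p%r." (new side line 1026) reads as if %C expands to the literal concatenation of those four tokens; if %C is in fact a hash of that concatenation, which is what makes it suitable for keeping a ControlPath socket name short and free of user-controlled characters, the entry should say "Hash of %l%h%p%r" so that readers choosing between %C and the individual tokens understand the difference. The rest of the section is a useful consolidation, but consider also cross-referencing it from the per-keyword descriptions (ControlPath, ProxyCommand, LocalCommand) that previously listed their own tokens.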
@@ -1087,4 +1074,4 @@ AUTHORS
1087 created OpenSSH. Markus Friedl contributed the support for SSH protocol 1074 created OpenSSH. Markus Friedl contributed the support for SSH protocol
1088 versions 1.5 and 2.0. 1075 versions 1.5 and 2.0.
1089 1076
1090OpenBSD 6.0 July 22, 2016 OpenBSD 6.0 1077OpenBSD 6.0 October 15, 2016 OpenBSD 6.0