path: root/ssh_config.5
Diffstat (limited to 'ssh_config.5')
-rw-r--r--  ssh_config.5  152
1 files changed, 133 insertions, 19 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index da3c1771a..da8e54428 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.191 2014/07/15 15:54:14 millert Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.205 2015/02/20 22:17:21 djm Exp $
37.Dd $Mdocdate: July 15 2014 $ 37.Dd $Mdocdate: February 20 2015 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -65,7 +65,10 @@ The configuration files contain sections separated by
65.Dq Host 65.Dq Host
66specifications, and that section is only applied for hosts that 66specifications, and that section is only applied for hosts that
67match one of the patterns given in the specification. 67match one of the patterns given in the specification.
68The matched host name is the one given on the command line. 68The matched host name is usually the one given on the command line
69(see the
70.Cm CanonicalizeHostname
71option for exceptions.)
69.Pp 72.Pp
70Since the first obtained value for each parameter is used, more 73Since the first obtained value for each parameter is used, more
71host-specific declarations should be given near the beginning of the 74host-specific declarations should be given near the beginning of the
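Review bot: the sentence period sits inside the parenthesis in the added lines 69-71 ("option for exceptions.)"); since the parenthetical is a clause inside the sentence, the period belongs after it, so "option for exceptions)." would read correctly. The same construction is repeated in the Host and Match hunks of this patch, so fixing it once here and mirroring it there keeps the manual consistent.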
@@ -125,10 +128,12 @@ A single
125.Ql * 128.Ql *
126as a pattern can be used to provide global 129as a pattern can be used to provide global
127defaults for all hosts. 130defaults for all hosts.
128The host is the 131The host is usually the
129.Ar hostname 132.Ar hostname
130argument given on the command line (i.e. the name is not converted to 133argument given on the command line
131a canonicalized host name before matching). 134(see the
135.Cm CanonicalizeHostname
136option for exceptions.)
132.Pp 137.Pp
133A pattern entry may be negated by prefixing it with an exclamation mark 138A pattern entry may be negated by prefixing it with an exclamation mark
134.Pq Sq !\& . 139.Pq Sq !\& .
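Review bot: replacing the explicit statement "the name is not converted to a canonicalized host name before matching" with "usually" loses precision that readers of Host blocks need. Since the CanonicalizeHostname hunk in this same patch says the configuration files are re-parsed with the canonical name, suggest stating that directly here, e.g. "when CanonicalizeHostname is enabled, the configuration is re-parsed and Host patterns are matched against the canonical name as well". The period placement "option for exceptions.)" has the same issue as in the previous hunk.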
@@ -150,19 +155,40 @@ or
150keyword) to be used only when the conditions following the 155keyword) to be used only when the conditions following the
151.Cm Match 156.Cm Match
152keyword are satisfied. 157keyword are satisfied.
153Match conditions are specified using one or more keyword/criteria pairs 158Match conditions are specified using one or more critera
154or the single token 159or the single token
155.Cm all 160.Cm all
156which matches all criteria. 161which always matches.
157The available keywords are: 162The available criteria keywords are:
163.Cm canonical ,
158.Cm exec , 164.Cm exec ,
159.Cm host , 165.Cm host ,
160.Cm originalhost , 166.Cm originalhost ,
161.Cm user , 167.Cm user ,
162and 168and
163.Cm localuser . 169.Cm localuser .
170The
171.Cm all
172criteria must appear alone or immediately after
173.Cm canonical .
174Other criteria may be combined arbitrarily.
175All criteria but
176.Cm all
177and
178.Cm canonical
179require an argument.
180Criteria may be negated by prepending an exclamation mark
181.Pq Sq !\& .
164.Pp 182.Pp
165The 183The
184.Cm canonical
185keywork matches only when the configuration file is being re-parsed
186after hostname canonicalization (see the
187.Cm CanonicalizeHostname
188option.)
189This may be useful to specify conditions that work with canonical host
190names only.
191The
166.Cm exec 192.Cm exec
167keyword executes the specified command under the user's shell. 193keyword executes the specified command under the user's shell.
168If the command returns a zero exit status then the condition is considered true. 194If the command returns a zero exit status then the condition is considered true.
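Review bot: two typos in the added text: "critera" in line 158 should be "criteria", and "keywork" in line 185 should be "keyword". Line 172 uses "criteria" as a singular ("The all criteria must appear alone"); "criterion" or "keyword" would be correct. Lines 186-188 repeat the period-inside-parenthesis style noted earlier ("option.)"). On substance, the canonical keyword description would be clearer if it spelled out the consequence: a Match canonical block is never evaluated unless CanonicalizeHostname is enabled, because the condition is only true on the re-parse pass. Since line 180 says criteria may be negated with "!", it is worth stating whether that applies to canonical too (a "Match !canonical" block would then apply only on the first pass), as that is the natural way to express first-pass-only settings.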
@@ -195,7 +221,9 @@ The criteria for the
195keyword are matched against the target hostname, after any substitution 221keyword are matched against the target hostname, after any substitution
196by the 222by the
197.Cm Hostname 223.Cm Hostname
198option. 224or
225.Cm CanonicalizeHostname
226options.
199The 227The
200.Cm originalhost 228.Cm originalhost
201keyword matches against the hostname as it was specified on the command-line. 229keyword matches against the hostname as it was specified on the command-line.
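Review bot: lines 221-226 now say the host criterion is matched after substitution by Hostname or CanonicalizeHostname, but during the first parse no canonical name exists yet, so a Match host condition sees the pre-canonical name on pass one and the canonical name on pass two. A short cross-reference to the canonical criterion (e.g. "combine with canonical to restrict a condition to the canonical name") would prevent surprising double matches; originalhost already covers the opposite case.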
@@ -284,10 +312,11 @@ is set to
284.Dq always , 312.Dq always ,
285then canonicalization is applied to proxied connections too. 313then canonicalization is applied to proxied connections too.
286.Pp 314.Pp
287If this option is enabled and canonicalisation results in the target hostname 315If this option is enabled, then the configuration files are processed
288changing, then the configuration files are processed again using the new 316again using the new target name to pick up any new configuration in matching
289target name to pick up any new configuration in matching
290.Cm Host 317.Cm Host
318and
319.Cm Match
291stanzas. 320stanzas.
292.It Cm CanonicalizeMaxDots 321.It Cm CanonicalizeMaxDots
293Specifies the maximum number of dot characters in a hostname before 322Specifies the maximum number of dot characters in a hostname before
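Review bot: the removed condition "and canonicalisation results in the target hostname changing" (old lines 287-288) changes the documented behaviour: the new text says the re-parse happens whenever the option is enabled, even if the name did not change. Please confirm this matches the client code; it is consistent with the new canonical Match criterion (which would otherwise never fire for names that are already canonical), but if the re-parse is still conditional the old wording should be restored. It would also help to add that the re-parse uses the canonical name for Host matching, since the Host section only points here via "see CanonicalizeHostname for exceptions".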
@@ -408,7 +437,9 @@ aes192-cbc,aes256-cbc,arcfour
408The list of available ciphers may also be obtained using the 437The list of available ciphers may also be obtained using the
409.Fl Q 438.Fl Q
410option of 439option of
411.Xr ssh 1 . 440.Xr ssh 1
441with an argument of
442.Dq cipher .
412.It Cm ClearAllForwardings 443.It Cm ClearAllForwardings
413Specifies that all local, remote, and dynamic port forwardings 444Specifies that all local, remote, and dynamic port forwardings
414specified in the configuration files or on the command line be 445specified in the configuration files or on the command line be
@@ -528,7 +559,8 @@ by a hash of the concatenation: %l%h%p%r.
528It is recommended that any 559It is recommended that any
529.Cm ControlPath 560.Cm ControlPath
530used for opportunistic connection sharing include 561used for opportunistic connection sharing include
531at least %h, %p, and %r (or alternatively %C). 562at least %h, %p, and %r (or alternatively %C) and be placed in a directory
563that is not writable by other users.
532This ensures that shared connections are uniquely identified. 564This ensures that shared connections are uniquely identified.
533.It Cm ControlPersist 565.It Cm ControlPersist
534When used in conjunction with 566When used in conjunction with
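Review bot: the new recommendation in lines 562-563 (a directory not writable by other users) is a good addition, but the following sentence "This ensures that shared connections are uniquely identified" now reads as justifying both recommendations while it only explains the %h/%p/%r tokens. Suggest a separate rationale for the directory, e.g. "so that other local users cannot create or replace the socket", and, if the manual documents a default ControlPath location elsewhere, a pointer to it as an example of a suitable directory.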
@@ -541,7 +573,9 @@ If set to
541then the master connection will not be placed into the background, 573then the master connection will not be placed into the background,
542and will close as soon as the initial client connection is closed. 574and will close as soon as the initial client connection is closed.
543If set to 575If set to
544.Dq yes , 576.Dq yes
577or
578.Dq 0 ,
545then the master connection will remain in the background indefinitely 579then the master connection will remain in the background indefinitely
546(until killed or closed via a mechanism such as the 580(until killed or closed via a mechanism such as the
547.Xr ssh 1 581.Xr ssh 1
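Review bot: adding "0" as a synonym for "yes" in lines 576-578 is easy to misread, because every other numeric value of ControlPersist is a timeout and a reader could expect 0 to mean "close immediately". Suggest an explicit clause such as "a value of 0 is treated as no timeout rather than as an immediate close" so the special case is unambiguous.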
@@ -626,6 +660,14 @@ or
626.Dq no . 660.Dq no .
627The default is 661The default is
628.Dq no . 662.Dq no .
663.It Cm FingerprintHash
664Specifies the hash algorithm used when displaying key fingerprints.
665Valid options are:
666.Dq md5
667and
668.Dq sha256 .
669The default is
670.Dq sha256 .
629.It Cm ForwardAgent 671.It Cm ForwardAgent
630Specifies whether the connection to the authentication agent (if any) 672Specifies whether the connection to the authentication agent (if any)
631will be forwarded to the remote machine. 673will be forwarded to the remote machine.
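Review bot: the FingerprintHash entry (lines 663-670) lists the valid values and the default but does not say how the two relate. Since an md5 fingerprint cannot be compared with a sha256 one, suggest adding that md5 exists for comparison with fingerprints recorded by older releases and that a fingerprint must be checked with the same hash it was recorded with. A cross-reference from the VisualHostKey text, which this patch edits to drop the word "hex", would also tell readers why the displayed string format changed.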
@@ -791,6 +833,17 @@ The default is
791This option applies to protocol version 2 only and 833This option applies to protocol version 2 only and
792is similar to 834is similar to
793.Cm RhostsRSAAuthentication . 835.Cm RhostsRSAAuthentication .
836.It Cm HostbasedKeyTypes
837Specifies the key types that will be used for hostbased authentication
838as a comma-separated pattern list.
839The default
840.Dq *
841will allow all key types.
842The
843.Fl Q
844option of
845.Xr ssh 1
846may be used to list supported key types.
794.It Cm HostKeyAlgorithms 847.It Cm HostKeyAlgorithms
795Specifies the protocol version 2 host key algorithms 848Specifies the protocol version 2 host key algorithms
796that the client wants to use in order of preference. 849that the client wants to use in order of preference.
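Review bot: the -Q reference in lines 842-846 omits the argument, unlike the Ciphers, HostKeyAlgorithms, KexAlgorithms and MACs hunks in this same patch, which all say "with an argument of ..."; for consistency add "with an argument of key". Since line 838 describes the value as a pattern list, a pointer to the PATTERNS section would also be useful here, as the other pattern-list options have.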
@@ -808,6 +861,13 @@ ssh-ed25519,ssh-rsa,ssh-dss
808.Pp 861.Pp
809If hostkeys are known for the destination host then this default is modified 862If hostkeys are known for the destination host then this default is modified
810to prefer their algorithms. 863to prefer their algorithms.
864.Pp
865The list of available key types may also be obtained using the
866.Fl Q
867option of
868.Xr ssh 1
869with an argument of
870.Dq key .
811.It Cm HostKeyAlias 871.It Cm HostKeyAlias
812Specifies an alias that should be used instead of the 872Specifies an alias that should be used instead of the
813real host name when looking up or saving the host key 873real host name when looking up or saving the host key
@@ -851,7 +911,7 @@ offers many different identities.
851The default is 911The default is
852.Dq no . 912.Dq no .
853.It Cm IdentityFile 913.It Cm IdentityFile
854Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication 914Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
855identity is read. 915identity is read.
856The default is 916The default is
857.Pa ~/.ssh/identity 917.Pa ~/.ssh/identity
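Review bot: the spelling change from "ED25519" to "Ed25519" in line 914 is correct, but please check the rest of the manual for remaining "ED25519" spellings so the fix is consistent; algorithm identifiers such as "ssh-ed25519" in the lists are literal names and must stay as they are.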
@@ -978,6 +1038,13 @@ diffie-hellman-group14-sha1,
978diffie-hellman-group-exchange-sha1, 1038diffie-hellman-group-exchange-sha1,
979diffie-hellman-group1-sha1 1039diffie-hellman-group1-sha1
980.Ed 1040.Ed
1041.Pp
1042The list of available key exchange algorithms may also be obtained using the
1043.Fl Q
1044option of
1045.Xr ssh 1
1046with an argument of
1047.Dq kex .
981.It Cm LocalCommand 1048.It Cm LocalCommand
982Specifies a command to execute on the local machine after successfully 1049Specifies a command to execute on the local machine after successfully
983connecting to the server. 1050connecting to the server.
@@ -1067,6 +1134,13 @@ hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
1067hmac-md5,hmac-sha1,hmac-ripemd160, 1134hmac-md5,hmac-sha1,hmac-ripemd160,
1068hmac-sha1-96,hmac-md5-96 1135hmac-sha1-96,hmac-md5-96
1069.Ed 1136.Ed
1137.Pp
1138The list of available MAC algorithms may also be obtained using the
1139.Fl Q
1140option of
1141.Xr ssh 1
1142with an argument of
1143.Dq mac .
1070.It Cm NoHostAuthenticationForLocalhost 1144.It Cm NoHostAuthenticationForLocalhost
1071This option can be used if the home directory is shared across machines. 1145This option can be used if the home directory is shared across machines.
1072In this case localhost will refer to a different machine on each of 1146In this case localhost will refer to a different machine on each of
@@ -1277,6 +1351,16 @@ and
1277.Fl T 1351.Fl T
1278flags for 1352flags for
1279.Xr ssh 1 . 1353.Xr ssh 1 .
1354.It Cm RevokedHostKeys
1355Specifies revoked host public keys.
1356Keys listed in this file will be refused for host authentication.
1357Note that if this file does not exist or is not readable,
1358then host authentication will be refused for all hosts.
1359Keys may be specified as a text file, listing one public key per line, or as
1360an OpenSSH Key Revocation List (KRL) as generated by
1361.Xr ssh-keygen 1 .
1362For more information on KRLs, see the KEY REVOCATION LISTS section in
1363.Xr ssh-keygen 1 .
1280.It Cm RhostsRSAAuthentication 1364.It Cm RhostsRSAAuthentication
1281Specifies whether to try rhosts based authentication with RSA host 1365Specifies whether to try rhosts based authentication with RSA host
1282authentication. 1366authentication.
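Review bot: the RevokedHostKeys entry (lines 1354-1363) does not state its default, unlike the other options in this file, and that matters here because line 1357-1358 documents fail-closed behaviour (a missing or unreadable file refuses all host authentication). Suggest adding "By default no revoked keys are checked" or whatever the actual default is, so readers do not assume the refusal applies when the option is unset. It would also help to say how the two file formats are told apart, since the same option accepts either a text list or a KRL.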
@@ -1491,6 +1575,36 @@ is not specified, it defaults to
1491.Dq any . 1575.Dq any .
1492The default is 1576The default is
1493.Dq any:any . 1577.Dq any:any .
1578.It Cm UpdateHostKeys
1579Specifies whether
1580.Xr ssh 1
1581should accept notifications of additional hostkeys from the server sent
1582after authentication has completed and add them to
1583.Cm UserKnownHostsFile .
1584The argument must be
1585.Dq yes ,
1586.Dq no
1587(the default) or
1588.Dq ask .
1589Enabling this option allows learning alternate hostkeys for a server
1590and supports graceful key rotation by allowing a server to send replacement
1591public keys before old ones are removed.
1592Additional hostkeys are only accepted if the key used to authenticate the
1593host was already trusted or explicity accepted by the user.
1594If
1595.Cm UpdateHostKeys
1596is set to
1597.Dq ask ,
1598then the user is asked to confirm the modifications to the known_hosts file.
1599Confirmation is currently incompatible with
1600.Cm ControlPersist ,
1601and will be disabled if it is enabled.
1602.Pp
1603Presently, only
1604.Xr sshd 8
1605from OpenSSH 6.8 and greater support the
1606.Dq hostkeys@openssh.com
1607protocol extension used to inform the client of all the server's hostkeys.
1494.It Cm UsePrivilegedPort 1608.It Cm UsePrivilegedPort
1495Specifies whether to use a privileged port for outgoing connections. 1609Specifies whether to use a privileged port for outgoing connections.
1496The argument must be 1610The argument must be
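Review bot: typo in line 1593, "explicity" should be "explicitly". Lines 1599-1601 have an ambiguous pronoun: "will be disabled if it is enabled" does not say which of the two is disabled; suggest "confirmation is disabled when ControlPersist is enabled, and the option then behaves as ..." with the effective behaviour spelled out. Line 1605 has a number-agreement slip ("only sshd ... support" should be "supports"). On substance, the safeguard in lines 1592-1593 (new keys accepted only when the authenticating key was already trusted) is the key property of this feature and would be clearer if the text also stated that learned keys are added alongside existing entries rather than replacing them, which is what "before old ones are removed" in line 1591 implies.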
@@ -1549,12 +1663,12 @@ See also VERIFYING HOST KEYS in
1549If this flag is set to 1663If this flag is set to
1550.Dq yes , 1664.Dq yes ,
1551an ASCII art representation of the remote host key fingerprint is 1665an ASCII art representation of the remote host key fingerprint is
1552printed in addition to the hex fingerprint string at login and 1666printed in addition to the fingerprint string at login and
1553for unknown host keys. 1667for unknown host keys.
1554If this flag is set to 1668If this flag is set to
1555.Dq no , 1669.Dq no ,
1556no fingerprint strings are printed at login and 1670no fingerprint strings are printed at login and
1557only the hex fingerprint string will be printed for unknown host keys. 1671only the fingerprint string will be printed for unknown host keys.
1558The default is 1672The default is
1559.Dq no . 1673.Dq no .
1560.It Cm XAuthLocation 1674.It Cm XAuthLocation
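Review bot: dropping "hex" in lines 1666 and 1671 is correct now that the default fingerprint hash is sha256, but the reader has no way to know why the displayed format differs from older releases; suggest adding "as selected by FingerprintHash" after "fingerprint string" so this text points at the option introduced earlier in the same patch.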