Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 162 |
1 files changed, 121 insertions, 41 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index b232a0203..889def626 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
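Review bot: the .Dd line keeps its September 25, 1999 date while the $OpenBSD$ id jumps from 1.61 to 1.76 and the rest of this diff adds several new options (DynamicForward bind_address syntax, LocalCommand, PermitLocalCommand, RekeyLimit, Tunnel, TunnelDevice). The document date should be bumped together with a content change of this size so readers can tell which revision of the page documents the newer options.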
@@ -270,8 +270,10 @@ with | |||
270 | set to | 270 | set to |
271 | .Dq no | 271 | .Dq no |
272 | (the default). | 272 | (the default). |
273 | These sessions will reuse the master instance's network connection rather | 273 | These sessions will try to reuse the master instance's network connection |
274 | than initiating new ones. | 274 | rather than initiating new ones, but will fall back to connecting normally |
275 | if the control socket does not exist, or is not listening. | ||
276 | .Pp | ||
275 | Setting this to | 277 | Setting this to |
276 | .Dq ask | 278 | .Dq ask |
277 | will cause | 279 | will cause |
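Review bot: the new fallback sentence ("will fall back to connecting normally if the control socket does not exist, or is not listening") does not say whether the fallback is reported to the user. A fallback is not a reuse of the already-authenticated master but a fresh connection with its own host key check and authentication, so the text should state whether ssh prints a warning when it happens, and, if the client supports it, how to make a missing or dead control socket a hard error instead of a silent fallback.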
@@ -290,7 +292,7 @@ will continue without connecting to a master instance. | |||
290 | X11 and | 292 | X11 and |
291 | .Xr ssh-agent 1 | 293 | .Xr ssh-agent 1 |
292 | forwarding is supported over these multiplexed connections, however the | 294 | forwarding is supported over these multiplexed connections, however the |
293 | display and agent fowarded will be the one belonging to the master | 295 | display and agent forwarded will be the one belonging to the master |
294 | connection i.e. it is not possible to forward multiple displays or agents. | 296 | connection i.e. it is not possible to forward multiple displays or agents. |
295 | .Pp | 297 | .Pp |
296 | Two additional options allow for opportunistic multiplexing: try to use a | 298 | Two additional options allow for opportunistic multiplexing: try to use a |
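Review bot: the "fowarded" typo is fixed, but the same sentence still reads "forwarding is supported over these multiplexed connections, however the display and agent forwarded will be the one belonging to the master connection i.e. it is not possible". Replace the comma before "however" with a semicolon or full stop, since it joins two independent clauses, and punctuate "i.e." (", i.e., ") or split the sentence there.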
@@ -323,11 +325,33 @@ used for opportunistic connection sharing include | |||
323 | all three of these escape sequences. | 325 | all three of these escape sequences. |
324 | This ensures that shared connections are uniquely identified. | 326 | This ensures that shared connections are uniquely identified. |
325 | .It Cm DynamicForward | 327 | .It Cm DynamicForward |
326 | Specifies that a TCP/IP port on the local machine be forwarded | 328 | Specifies that a TCP port on the local machine be forwarded |
327 | over the secure channel, and the application | 329 | over the secure channel, and the application |
328 | protocol is then used to determine where to connect to from the | 330 | protocol is then used to determine where to connect to from the |
329 | remote machine. | 331 | remote machine. |
330 | The argument must be a port number. | 332 | .Pp |
333 | The argument must be | ||
334 | .Sm off | ||
335 | .Oo Ar bind_address : Oc Ar port . | ||
336 | .Sm on | ||
337 | IPv6 addresses can be specified by enclosing addresses in square brackets or | ||
338 | by using an alternative syntax: | ||
339 | .Oo Ar bind_address Ns / Oc Ns Ar port . | ||
340 | By default, the local port is bound in accordance with the | ||
341 | .Cm GatewayPorts | ||
342 | setting. | ||
343 | However, an explicit | ||
344 | .Ar bind_address | ||
345 | may be used to bind the connection to a specific address. | ||
346 | The | ||
347 | .Ar bind_address | ||
348 | of | ||
349 | .Dq localhost | ||
350 | indicates that the listening port be bound for local use only, while an | ||
351 | empty address or | ||
352 | .Sq * | ||
353 | indicates that the port should be available from all interfaces. | ||
354 | .Pp | ||
331 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | 355 | Currently the SOCKS4 and SOCKS5 protocols are supported, and |
332 | .Nm ssh | 356 | .Nm ssh |
333 | will act as a SOCKS server. | 357 | will act as a SOCKS server. |
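Review bot: the new bind_address text says an empty address or "*" makes the port "available from all interfaces", and the trailing context says ssh "will act as a SOCKS server", but nothing states whether that SOCKS server authenticates its clients. If it does not, say so right at "indicates that the port should be available from all interfaces", because a DynamicForward bound on all interfaces is then a proxy into the remote network usable by anyone who can reach the local port; one sentence there would cover it. The mdoc itself is fine: the .Sm off/.Sm on pair around ".Oo Ar bind_address : Oc Ar port ." matches the form used for LocalForward later in the file.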
@@ -501,23 +525,6 @@ Default is the name given on the command line. | |||
501 | Numeric IP addresses are also permitted (both on the command line and in | 525 | Numeric IP addresses are also permitted (both on the command line and in |
502 | .Cm HostName | 526 | .Cm HostName |
503 | specifications). | 527 | specifications). |
504 | .It Cm IdentityFile | ||
505 | Specifies a file from which the user's RSA or DSA authentication identity | ||
506 | is read. | ||
507 | The default is | ||
508 | .Pa ~/.ssh/identity | ||
509 | for protocol version 1, and | ||
510 | .Pa ~/.ssh/id_rsa | ||
511 | and | ||
512 | .Pa ~/.ssh/id_dsa | ||
513 | for protocol version 2. | ||
514 | Additionally, any identities represented by the authentication agent | ||
515 | will be used for authentication. | ||
516 | The file name may use the tilde | ||
517 | syntax to refer to a user's home directory. | ||
518 | It is possible to have | ||
519 | multiple identity files specified in configuration files; all these | ||
520 | identities will be tried in sequence. | ||
521 | .It Cm IdentitiesOnly | 528 | .It Cm IdentitiesOnly |
522 | Specifies that | 529 | Specifies that |
523 | .Nm ssh | 530 | .Nm ssh |
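Review bot: this hunk only deletes the IdentityFile entry, so on its own it reads as dropping the IdentityFile documentation. It is only correct because the following hunk reinserts the same text after IdentitiesOnly, which is the alphabetically right position; the commit message should describe this as a reorder rather than a removal, and the two hunks should be reviewed as one change.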
@@ -531,17 +538,42 @@ The argument to this keyword must be | |||
531 | .Dq yes | 538 | .Dq yes |
532 | or | 539 | or |
533 | .Dq no . | 540 | .Dq no . |
534 | This option is intented for situations where | 541 | This option is intended for situations where |
535 | .Nm ssh-agent | 542 | .Nm ssh-agent |
536 | offers many different identities. | 543 | offers many different identities. |
537 | The default is | 544 | The default is |
538 | .Dq no . | 545 | .Dq no . |
546 | .It Cm IdentityFile | ||
547 | Specifies a file from which the user's RSA or DSA authentication identity | ||
548 | is read. | ||
549 | The default is | ||
550 | .Pa ~/.ssh/identity | ||
551 | for protocol version 1, and | ||
552 | .Pa ~/.ssh/id_rsa | ||
553 | and | ||
554 | .Pa ~/.ssh/id_dsa | ||
555 | for protocol version 2. | ||
556 | Additionally, any identities represented by the authentication agent | ||
557 | will be used for authentication. | ||
558 | The file name may use the tilde | ||
559 | syntax to refer to a user's home directory. | ||
560 | It is possible to have | ||
561 | multiple identity files specified in configuration files; all these | ||
562 | identities will be tried in sequence. | ||
539 | .It Cm KbdInteractiveDevices | 563 | .It Cm KbdInteractiveDevices |
540 | Specifies the list of methods to use in keyboard-interactive authentication. | 564 | Specifies the list of methods to use in keyboard-interactive authentication. |
541 | Multiple method names must be comma-separated. | 565 | Multiple method names must be comma-separated. |
542 | The default is to use the server specified list. | 566 | The default is to use the server specified list. |
567 | .It Cm LocalCommand | ||
568 | Specifies a command to execute on the local machine after successfully | ||
569 | connecting to the server. | ||
570 | The command string extends to the end of the line, and is executed with | ||
571 | .Pa /bin/sh . | ||
572 | This directive is ignored unless | ||
573 | .Cm PermitLocalCommand | ||
574 | has been enabled. | ||
543 | .It Cm LocalForward | 575 | .It Cm LocalForward |
544 | Specifies that a TCP/IP port on the local machine be forwarded over | 576 | Specifies that a TCP port on the local machine be forwarded over |
545 | the secure channel to the specified host and port from the remote machine. | 577 | the secure channel to the specified host and port from the remote machine. |
546 | The first argument must be | 578 | The first argument must be |
547 | .Sm off | 579 | .Sm off |
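Review bot: the LocalCommand text says the command "is executed with /bin/sh" but not with whose privileges or environment, nor that shell metacharacters in the rest of the line are interpreted by that shell; state that it runs through the shell with the privileges of the ssh client process, since that is the reason it is gated behind PermitLocalCommand. Also say whether a LocalCommand line that is "ignored unless PermitLocalCommand has been enabled" produces any diagnostic, as a silently ignored directive is hard to debug. The reinserted IdentityFile block matches the text deleted in the previous hunk word for word, and the "intented" to "intended" fix is fine.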
@@ -609,6 +641,19 @@ or | |||
609 | .Dq no . | 641 | .Dq no . |
610 | The default is | 642 | The default is |
611 | .Dq yes . | 643 | .Dq yes . |
644 | .It Cm PermitLocalCommand | ||
645 | Allow local command execution via the | ||
646 | .Ic LocalCommand | ||
647 | option or using the | ||
648 | .Ic !\& Ns Ar command | ||
649 | escape sequence in | ||
650 | .Xr ssh 1 . | ||
651 | The argument must be | ||
652 | .Dq yes | ||
653 | or | ||
654 | .Dq no . | ||
655 | The default is | ||
656 | .Dq no . | ||
612 | .It Cm Port | 657 | .It Cm Port |
613 | Specifies the port number to connect on the remote host. | 658 | Specifies the port number to connect on the remote host. |
614 | Default is 22. | 659 | Default is 22. |
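Review bot: one switch gates two things with different trust properties: the "!command" escape, which the user types interactively in ssh(1), and the LocalCommand directive, which is read from configuration the user may not have written. The description should say that enabling PermitLocalCommand for the convenience of the escape also lets any matching LocalCommand line in the configuration run after connecting, so users know to review those lines before turning it on.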
@@ -681,8 +726,23 @@ or | |||
681 | The default is | 726 | The default is |
682 | .Dq yes . | 727 | .Dq yes . |
683 | This option applies to protocol version 2 only. | 728 | This option applies to protocol version 2 only. |
729 | .It Cm RekeyLimit | ||
730 | Specifies the maximum amount of data that may be transmitted before the | ||
731 | session key is renegotiated. | ||
732 | The argument is the number of bytes, with an optional suffix of | ||
733 | .Sq K , | ||
734 | .Sq M , | ||
735 | or | ||
736 | .Sq G | ||
737 | to indicate Kilobytes, Megabytes, or Gigabytes, respectively. | ||
738 | The default is between | ||
739 | .Dq 1G | ||
740 | and | ||
741 | .Dq 4G , | ||
742 | depending on the cipher. | ||
743 | This option applies to protocol version 2 only. | ||
684 | .It Cm RemoteForward | 744 | .It Cm RemoteForward |
685 | Specifies that a TCP/IP port on the remote machine be forwarded over | 745 | Specifies that a TCP port on the remote machine be forwarded over |
686 | the secure channel to the specified host and port from the local machine. | 746 | the secure channel to the specified host and port from the local machine. |
687 | The first argument must be | 747 | The first argument must be |
688 | .Sm off | 748 | .Sm off |
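Review bot: the suffixes "K", "M" and "G" are glossed as Kilobytes, Megabytes and Gigabytes without saying whether they are powers of two or of ten; state the multiplier (1024-based or 1000-based) so the documented "1G" to "4G" default and a user-supplied limit are read the same way. Since the default is described as depending on the cipher, it would also help to say whether a user-supplied value can exceed the cipher's own default, or whether the smaller of the two is used.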
@@ -759,21 +819,8 @@ across multiple | |||
759 | .Cm SendEnv | 819 | .Cm SendEnv |
760 | directives. | 820 | directives. |
761 | The default is not to send any environment variables. | 821 | The default is not to send any environment variables. |
762 | .It Cm ServerAliveInterval | ||
763 | Sets a timeout interval in seconds after which if no data has been received | ||
764 | from the server, | ||
765 | .Nm ssh | ||
766 | will send a message through the encrypted | ||
767 | channel to request a response from the server. | ||
768 | The default | ||
769 | is 0, indicating that these messages will not be sent to the server, | ||
770 | or 300 if the | ||
771 | .Cm BatchMode | ||
772 | option is set. | ||
773 | .Cm ProtocolKeepAlives | ||
774 | is a Debian-specific compatibility alias for this option. | ||
775 | .It Cm ServerAliveCountMax | 822 | .It Cm ServerAliveCountMax |
776 | Sets the number of server alive messages (see above) which may be | 823 | Sets the number of server alive messages (see below) which may be |
777 | sent without | 824 | sent without |
778 | .Nm ssh | 825 | .Nm ssh |
779 | receiving any messages back from the server. | 826 | receiving any messages back from the server. |
@@ -795,7 +842,7 @@ server depend on knowing when a connection has become inactive. | |||
795 | The default value is 3. | 842 | The default value is 3. |
796 | If, for example, | 843 | If, for example, |
797 | .Cm ServerAliveInterval | 844 | .Cm ServerAliveInterval |
798 | (above) is set to 15, and | 845 | (see below) is set to 15, and |
799 | .Cm ServerAliveCountMax | 846 | .Cm ServerAliveCountMax |
800 | is left at the default, if the server becomes unresponsive ssh | 847 | is left at the default, if the server becomes unresponsive ssh |
801 | will disconnect after approximately 45 seconds. | 848 | will disconnect after approximately 45 seconds. |
@@ -803,6 +850,20 @@ This option works when using protocol version 2 only; in protocol version | |||
803 | 1 there is no mechanism to request a response from the server to the | 850 | 1 there is no mechanism to request a response from the server to the |
804 | server alive messages, so disconnection is the responsibility of the TCP | 851 | server alive messages, so disconnection is the responsibility of the TCP |
805 | stack. | 852 | stack. |
853 | .It Cm ServerAliveInterval | ||
854 | Sets a timeout interval in seconds after which if no data has been received | ||
855 | from the server, | ||
856 | .Nm ssh | ||
857 | will send a message through the encrypted | ||
858 | channel to request a response from the server. | ||
859 | The default | ||
860 | is 0, indicating that these messages will not be sent to the server, | ||
861 | or 300 if the | ||
862 | .Cm BatchMode | ||
863 | option is set. | ||
864 | This option applies to protocol version 2 only. | ||
865 | .Cm ProtocolKeepAlives | ||
866 | is a Debian-specific compatibility alias for this option. | ||
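Review bot: the reinserted ServerAliveInterval block is not a verbatim move: it gains "This option applies to protocol version 2 only." between the BatchMode sentence and the ProtocolKeepAlives alias. The sentence agrees with the preceding context, which says protocol version 1 has no way to answer server alive messages, but an added sentence inside a reorder is easy to miss in review and should be called out in the commit message. The "see above" to "see below" changes in the two earlier ServerAliveCountMax hunks now point the right way, since ServerAliveCountMax precedes ServerAliveInterval alphabetically.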
806 | .It Cm SetupTimeOut | 867 | .It Cm SetupTimeOut |
807 | Normally, | 868 | Normally, |
808 | .Nm ssh | 869 | .Nm ssh |
@@ -885,6 +946,25 @@ This is important in scripts, and many users want it too. | |||
885 | .Pp | 946 | .Pp |
886 | To disable TCP keepalive messages, the value should be set to | 947 | To disable TCP keepalive messages, the value should be set to |
887 | .Dq no . | 948 | .Dq no . |
949 | .It Cm Tunnel | ||
950 | Request starting | ||
951 | .Xr tun 4 | ||
952 | device forwarding between the client and the server. | ||
953 | This option also allows requesting layer 2 (ethernet) | ||
954 | instead of layer 3 (point-to-point) tunneling from the server. | ||
955 | The argument must be | ||
956 | .Dq yes , | ||
957 | .Dq point-to-point , | ||
958 | .Dq ethernet | ||
959 | or | ||
960 | .Dq no . | ||
961 | The default is | ||
962 | .Dq no . | ||
963 | .It Cm TunnelDevice | ||
964 | Force a specified | ||
965 | .Xr tun 4 | ||
966 | device on the client. | ||
967 | Without this option, the next available device will be used. | ||
888 | .It Cm UsePrivilegedPort | 968 | .It Cm UsePrivilegedPort |
889 | Specifies whether to use a privileged port for outgoing connections. | 969 | Specifies whether to use a privileged port for outgoing connections. |
890 | The argument must be | 970 | The argument must be |
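Review bot: TunnelDevice gives no argument syntax ("Force a specified tun(4) device on the client"), unlike the other entries added in this diff, which spell out their argument forms (DynamicForward's bind_address and port, the yes/no lists). Document what the argument looks like and whether the server side device can be named as well. For Tunnel, "ethernet" should be capitalised as "Ethernet" in the prose (the option value itself stays lower case), and the "yes", "point-to-point", "ethernet", "no" list should say which mode "yes" selects so readers do not have to guess.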