Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 176 |
1 files changed, 167 insertions, 9 deletions
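diff --git a/ssh_config.5 b/ssh_config.5
index 01e7b6f23..cc91a5c56 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $
-.Dd $Mdocdate: June 27 2013 $
+.\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $
+.Dd $Mdocdate: January 19 2014 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -116,6 +116,8 @@ keywords are case-insensitive and arguments are case-sensitive):
 .It Cm Host
 Restricts the following declarations (up to the next
 .Cm Host
+or
+.Cm Match
 keyword) to be only for those hosts that match one of the patterns
 given after the keyword.
 If more than one pattern is provided, they should be separated by whitespace.
@@ -140,6 +142,73 @@ matches.
 See
 .Sx PATTERNS
 for more information on patterns.
+.It Cm Match
+Restricts the following declarations (up to the next
+.Cm Host
+or
+.Cm Match
+keyword) to be used only when the conditions following the
+.Cm Match
+keyword are satisfied.
+Match conditions are specified using one or more keyword/criteria pairs
+or the single token
+.Cm all
+which matches all criteria.
+The available keywords are:
+.Cm exec ,
+.Cm host ,
+.Cm originalhost ,
+.Cm user ,
+and
+.Cm localuser .
+.Pp
+The
+.Cm exec
+keyword executes the specified command under the user's shell.
+If the command returns a zero exit status then the condition is considered true.
+Commands containing whitespace characters must be quoted.
+The following character sequences in the command will be expanded prior to
+execution:
+.Ql %L
+will be substituted by the first component of the local host name,
+.Ql %l
+will be substituted by the local host name (including any domain name),
+.Ql %h
+will be substituted by the target host name,
+.Ql %n
+will be substituted by the original target host name
+specified on the command-line,
+.Ql %p
+the destination port,
+.Ql %r
+by the remote login username, and
+.Ql %u
+by the username of the user running
+.Xr ssh 1 .
+.Pp
+The other keywords' criteria must be single entries or comma-separated
+lists and may use the wildcard and negation operators described in the
+.Sx PATTERNS
+section.
+The criteria for the
+.Cm host
+keyword are matched against the target hostname, after any substitution
+by the
+.Cm Hostname
+option.
+The
+.Cm originalhost
+keyword matches against the hostname as it was specified on the command-line.
+The
+.Cm user
+keyword matches against the target username on the remote host.
+The
+.Cm localuser
+keyword matches against the name of the local user running
+.Xr ssh 1
+(this keyword may be useful in system-wide
+.Nm
+files).
 .It Cm AddressFamily
 Specifies which address family to use when connecting.
 Valid arguments are
@@ -172,6 +241,75 @@ Note that this option does not work if
 .Cm UsePrivilegedPort
 is set to
 .Dq yes .
+.It Cm CanonicalDomains
+When
+.Cm CanonicalizeHostname
+is enabled, this option specifies the list of domain suffixes in which to
+search for the specified destination host.
+.It Cm CanonicalizeFallbackLocal
+Specifies whether to fail with an error when hostname canonicalization fails.
+The default,
+.Dq yes ,
+will attempt to look up the unqualified hostname using the system resolver's
+search rules.
+A value of
+.Dq no
+will cause
+.Xr ssh 1
+to fail instantly if
+.Cm CanonicalizeHostname
+is enabled and the target hostname cannot be found in any of the domains
+specified by
+.Cm CanonicalDomains .
+.It Cm CanonicalizeHostname
+Controls whether explicit hostname canonicalization is performed.
+The default,
+.Dq no ,
+is not to perform any name rewriting and let the system resolver handle all
+hostname lookups.
+If set to
+.Dq yes
+then, for connections that do not use a
+.Cm ProxyCommand ,
+.Xr ssh 1
+will attempt to canonicalize the hostname specified on the command line
+using the
+.Cm CanonicalDomains
+suffixes and
+.Cm CanonicalizePermittedCNAMEs
+rules.
+If
+.Cm CanonicalizeHostname
+is set to
+.Dq always ,
+then canonicalization is applied to proxied connections too.
+.It Cm CanonicalizeMaxDots
+Specifies the maximum number of dot characters in a hostname before
+canonicalization is disabled.
+The default,
+.Dq 1 ,
+allows a single dot (i.e. hostname.subdomain).
+.It Cm CanonicalizePermittedCNAMEs
+Specifies rules to determine whether CNAMEs should be followed when
+canonicalizing hostnames.
+The rules consist of one or more arguments of
+.Ar source_domain_list : Ns Ar target_domain_list ,
+where
+.Ar source_domain_list
+is a pattern-list of domains that may follow CNAMEs in canonicalization,
+and
+.Ar target_domain_list
+is a pattern-list of domains that they may resolve to.
+.Pp
+For example,
+.Dq *.a.example.com:*.b.example.com,*.c.example.com
+will allow hostnames matching
+.Dq *.a.example.com
+to be canonicalized to names in the
+.Dq *.b.example.com
+or
+.Dq *.c.example.com
+domains.
 .It Cm ChallengeResponseAuthentication
 Specifies whether to use challenge-response authentication.
 The argument to this keyword must be
@@ -216,7 +354,8 @@ The default is
 Specifies the ciphers allowed for protocol version 2
 in order of preference.
 Multiple ciphers must be comma-separated.
-The supported ciphers are
+The supported ciphers are:
+.Pp
 .Dq 3des-cbc ,
 .Dq aes128-cbc ,
 .Dq aes192-cbc ,
@@ -230,15 +369,23 @@ The supported ciphers are
 .Dq arcfour256 ,
 .Dq arcfour ,
 .Dq blowfish-cbc ,
+.Dq cast128-cbc ,
 and
-.Dq cast128-cbc .
+.Dq chacha20-poly1305@openssh.com .
+.Pp
 The default is:
 .Bd -literal -offset 3n
 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
+chacha20-poly1305@openssh.com,
 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
 aes256-cbc,arcfour
 .Ed
+.Pp
+The list of available ciphers may also be obtained using the
+.Fl Q
+option of
+.Xr ssh 1 .
 .It Cm ClearAllForwardings
 Specifies that all local, remote, and dynamic port forwardings
 specified in the configuration files or on the command line be
@@ -347,7 +494,7 @@ will be substituted by the target host name,
 will be substituted by the original target host name
 specified on the command line,
 .Ql %p
-the port,
+the destination port,
 .Ql %r
 by the remote login username, and
 .Ql %u
@@ -627,10 +774,11 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
 ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-rsa,ssh-dss
+ssh-ed25519,ssh-rsa,ssh-dss
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
@@ -672,13 +820,14 @@ offers many different identities.
 The default is
 .Dq no .
 .It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA or RSA authentication
+Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication
 identity is read.
 The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/id_rsa
 for protocol version 2.
@@ -791,6 +940,7 @@ Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
 The default is:
 .Bd -literal -offset indent
+curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
 diffie-hellman-group-exchange-sha1,
@@ -993,6 +1143,14 @@ For example, the following directive would connect via an HTTP proxy at
 .Bd -literal -offset 3n
 ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
 .Ed
+.It Cm ProxyUseFdpass
+Specifies that
+.Cm ProxyCommand
+will pass a connected file descriptor back to
+.Xr ssh 1
+instead of continuing to execute and pass data.
+The default is
+.Dq no .
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be
@@ -1370,7 +1528,7 @@ Patterns within pattern-lists may be negated
 by preceding them with an exclamation mark
 .Pq Sq !\& .
 For example,
-to allow a key to be used from anywhere within an organisation
+to allow a key to be used from anywhere within an organization
 except from the
 .Dq dialup
 pool,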