Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 152 |
1 files changed, 133 insertions, 19 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index f9ede7a31..140d0ba98 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh_config.5,v 1.191 2014/07/15 15:54:14 millert Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.205 2015/02/20 22:17:21 djm Exp $ |
37 | .Dd $Mdocdate: July 15 2014 $ | 37 | .Dd $Mdocdate: February 20 2015 $ |
38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -65,7 +65,10 @@ The configuration files contain sections separated by | |||
65 | .Dq Host | 65 | .Dq Host |
66 | specifications, and that section is only applied for hosts that | 66 | specifications, and that section is only applied for hosts that |
67 | match one of the patterns given in the specification. | 67 | match one of the patterns given in the specification. |
68 | The matched host name is the one given on the command line. | 68 | The matched host name is usually the one given on the command line |
69 | (see the | ||
70 | .Cm CanonicalizeHostname | ||
71 | option for exceptions.) | ||
69 | .Pp | 72 | .Pp |
70 | Since the first obtained value for each parameter is used, more | 73 | Since the first obtained value for each parameter is used, more |
71 | host-specific declarations should be given near the beginning of the | 74 | host-specific declarations should be given near the beginning of the |
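Review bot: the closing punctuation in the new line 71, "option for exceptions.)", puts the period inside the parenthesis although the parenthetical belongs to the surrounding sentence; it should read "option for exceptions)." The same ".)" pattern recurs in the later hunks of this patch (new lines 120 and 172) and should be fixed consistently in all three places.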
@@ -109,10 +112,12 @@ A single | |||
109 | .Ql * | 112 | .Ql * |
110 | as a pattern can be used to provide global | 113 | as a pattern can be used to provide global |
111 | defaults for all hosts. | 114 | defaults for all hosts. |
112 | The host is the | 115 | The host is usually the |
113 | .Ar hostname | 116 | .Ar hostname |
114 | argument given on the command line (i.e. the name is not converted to | 117 | argument given on the command line |
115 | a canonicalized host name before matching). | 118 | (see the |
119 | .Cm CanonicalizeHostname | ||
120 | option for exceptions.) | ||
116 | .Pp | 121 | .Pp |
117 | A pattern entry may be negated by prefixing it with an exclamation mark | 122 | A pattern entry may be negated by prefixing it with an exclamation mark |
118 | .Pq Sq !\& . | 123 | .Pq Sq !\& . |
@@ -134,19 +139,40 @@ or | |||
134 | keyword) to be used only when the conditions following the | 139 | keyword) to be used only when the conditions following the |
135 | .Cm Match | 140 | .Cm Match |
136 | keyword are satisfied. | 141 | keyword are satisfied. |
137 | Match conditions are specified using one or more keyword/criteria pairs | 142 | Match conditions are specified using one or more critera |
138 | or the single token | 143 | or the single token |
139 | .Cm all | 144 | .Cm all |
140 | which matches all criteria. | 145 | which always matches. |
141 | The available keywords are: | 146 | The available criteria keywords are: |
147 | .Cm canonical , | ||
142 | .Cm exec , | 148 | .Cm exec , |
143 | .Cm host , | 149 | .Cm host , |
144 | .Cm originalhost , | 150 | .Cm originalhost , |
145 | .Cm user , | 151 | .Cm user , |
146 | and | 152 | and |
147 | .Cm localuser . | 153 | .Cm localuser . |
154 | The | ||
155 | .Cm all | ||
156 | criteria must appear alone or immediately after | ||
157 | .Cm canonical . | ||
158 | Other criteria may be combined arbitrarily. | ||
159 | All criteria but | ||
160 | .Cm all | ||
161 | and | ||
162 | .Cm canonical | ||
163 | require an argument. | ||
164 | Criteria may be negated by prepending an exclamation mark | ||
165 | .Pq Sq !\& . | ||
148 | .Pp | 166 | .Pp |
149 | The | 167 | The |
168 | .Cm canonical | ||
169 | keywork matches only when the configuration file is being re-parsed | ||
170 | after hostname canonicalization (see the | ||
171 | .Cm CanonicalizeHostname | ||
172 | option.) | ||
173 | This may be useful to specify conditions that work with canonical host | ||
174 | names only. | ||
175 | The | ||
150 | .Cm exec | 176 | .Cm exec |
151 | keyword executes the specified command under the user's shell. | 177 | keyword executes the specified command under the user's shell. |
152 | If the command returns a zero exit status then the condition is considered true. | 178 | If the command returns a zero exit status then the condition is considered true. |
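Review bot: two typos in this hunk: "critera" in the new line 142 should be "criteria", and "keywork" in the new line 169 should be "keyword". In new line 156 "The all criteria must appear alone" uses the plural for a single keyword; "The all criterion" (or "The all keyword") reads correctly. Since this hunk also documents that criteria can be negated with "!", it would help readers to say explicitly that "Match !canonical" is the way to apply a block only on the first parse, before hostname canonicalization, which is the natural complement of the canonical keyword introduced here.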
@@ -179,7 +205,9 @@ The criteria for the | |||
179 | keyword are matched against the target hostname, after any substitution | 205 | keyword are matched against the target hostname, after any substitution |
180 | by the | 206 | by the |
181 | .Cm Hostname | 207 | .Cm Hostname |
182 | option. | 208 | or |
209 | .Cm CanonicalizeHostname | ||
210 | options. | ||
183 | The | 211 | The |
184 | .Cm originalhost | 212 | .Cm originalhost |
185 | keyword matches against the hostname as it was specified on the command-line. | 213 | keyword matches against the hostname as it was specified on the command-line. |
@@ -264,10 +292,11 @@ is set to | |||
264 | .Dq always , | 292 | .Dq always , |
265 | then canonicalization is applied to proxied connections too. | 293 | then canonicalization is applied to proxied connections too. |
266 | .Pp | 294 | .Pp |
267 | If this option is enabled and canonicalisation results in the target hostname | 295 | If this option is enabled, then the configuration files are processed |
268 | changing, then the configuration files are processed again using the new | 296 | again using the new target name to pick up any new configuration in matching |
269 | target name to pick up any new configuration in matching | ||
270 | .Cm Host | 297 | .Cm Host |
298 | and | ||
299 | .Cm Match | ||
271 | stanzas. | 300 | stanzas. |
272 | .It Cm CanonicalizeMaxDots | 301 | .It Cm CanonicalizeMaxDots |
273 | Specifies the maximum number of dot characters in a hostname before | 302 | Specifies the maximum number of dot characters in a hostname before |
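Review bot: the old text conditioned the second parse on "canonicalisation results in the target hostname changing", and the new text drops that condition silently. If the re-parse now happens whenever CanonicalizeHostname is enabled, say so explicitly (for example "processed again, whether or not the name changed, using the new target name"), otherwise readers of the previous manual may assume the old condition still applies. This matters for the Match canonical keyword added elsewhere in this patch, which only fires during that second pass.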
@@ -388,7 +417,9 @@ aes192-cbc,aes256-cbc,arcfour | |||
388 | The list of available ciphers may also be obtained using the | 417 | The list of available ciphers may also be obtained using the |
389 | .Fl Q | 418 | .Fl Q |
390 | option of | 419 | option of |
391 | .Xr ssh 1 . | 420 | .Xr ssh 1 |
421 | with an argument of | ||
422 | .Dq cipher . | ||
392 | .It Cm ClearAllForwardings | 423 | .It Cm ClearAllForwardings |
393 | Specifies that all local, remote, and dynamic port forwardings | 424 | Specifies that all local, remote, and dynamic port forwardings |
394 | specified in the configuration files or on the command line be | 425 | specified in the configuration files or on the command line be |
@@ -508,7 +539,8 @@ by a hash of the concatenation: %l%h%p%r. | |||
508 | It is recommended that any | 539 | It is recommended that any |
509 | .Cm ControlPath | 540 | .Cm ControlPath |
510 | used for opportunistic connection sharing include | 541 | used for opportunistic connection sharing include |
511 | at least %h, %p, and %r (or alternatively %C). | 542 | at least %h, %p, and %r (or alternatively %C) and be placed in a directory |
543 | that is not writable by other users. | ||
512 | This ensures that shared connections are uniquely identified. | 544 | This ensures that shared connections are uniquely identified. |
513 | .It Cm ControlPersist | 545 | .It Cm ControlPersist |
514 | When used in conjunction with | 546 | When used in conjunction with |
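Review bot: the new recommendation that the ControlPath directory not be writable by other users has no stated rationale, and the following sentence "This ensures that shared connections are uniquely identified" only explains the %h/%p/%r part. Add a clause giving the reason, for instance that another local user able to write to the directory could create or replace the control socket at that path, and name a safe location such as a directory under the user's home that is already mode 0700.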
@@ -521,7 +553,9 @@ If set to | |||
521 | then the master connection will not be placed into the background, | 553 | then the master connection will not be placed into the background, |
522 | and will close as soon as the initial client connection is closed. | 554 | and will close as soon as the initial client connection is closed. |
523 | If set to | 555 | If set to |
524 | .Dq yes , | 556 | .Dq yes |
557 | or | ||
558 | .Dq 0 , | ||
525 | then the master connection will remain in the background indefinitely | 559 | then the master connection will remain in the background indefinitely |
526 | (until killed or closed via a mechanism such as the | 560 | (until killed or closed via a mechanism such as the |
527 | .Xr ssh 1 | 561 | .Xr ssh 1 |
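Review bot: listing "0" as equivalent to "yes" is surprising for an option whose other values are a time in seconds; add a short statement that "0" does not mean a zero-second timeout but keeps the master in the background indefinitely, so that nobody reads it as "close immediately".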
@@ -606,6 +640,14 @@ or | |||
606 | .Dq no . | 640 | .Dq no . |
607 | The default is | 641 | The default is |
608 | .Dq no . | 642 | .Dq no . |
643 | .It Cm FingerprintHash | ||
644 | Specifies the hash algorithm used when displaying key fingerprints. | ||
645 | Valid options are: | ||
646 | .Dq md5 | ||
647 | and | ||
648 | .Dq sha256 . | ||
649 | The default is | ||
650 | .Dq sha256 . | ||
609 | .It Cm ForwardAgent | 651 | .It Cm ForwardAgent |
610 | Specifies whether the connection to the authentication agent (if any) | 652 | Specifies whether the connection to the authentication agent (if any) |
611 | will be forwarded to the remote machine. | 653 | will be forwarded to the remote machine. |
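Review bot: FingerprintHash should say why "md5" is still offered. Suggest a sentence that md5 is retained for comparison with fingerprints recorded by older releases, and that a fingerprint produced with one algorithm cannot be compared against a record made with the other, so the operator has to select the algorithm matching the stored value when verifying a host key.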
@@ -735,6 +777,17 @@ The default is | |||
735 | This option applies to protocol version 2 only and | 777 | This option applies to protocol version 2 only and |
736 | is similar to | 778 | is similar to |
737 | .Cm RhostsRSAAuthentication . | 779 | .Cm RhostsRSAAuthentication . |
780 | .It Cm HostbasedKeyTypes | ||
781 | Specifies the key types that will be used for hostbased authentication | ||
782 | as a comma-separated pattern list. | ||
783 | The default | ||
784 | .Dq * | ||
785 | will allow all key types. | ||
786 | The | ||
787 | .Fl Q | ||
788 | option of | ||
789 | .Xr ssh 1 | ||
790 | may be used to list supported key types. | ||
738 | .It Cm HostKeyAlgorithms | 791 | .It Cm HostKeyAlgorithms |
739 | Specifies the protocol version 2 host key algorithms | 792 | Specifies the protocol version 2 host key algorithms |
740 | that the client wants to use in order of preference. | 793 | that the client wants to use in order of preference. |
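Review bot: the -Q reference in the new lines 786-790 omits the argument, unlike the other hunks in this patch which write "with an argument of .Dq key"; use the same wording here so the reader knows to run "ssh -Q key". It would also be worth noting that the default "*" includes every key type the client supports, so an operator who wants to exclude a type for hostbased authentication must set a pattern list explicitly.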
@@ -752,6 +805,13 @@ ssh-ed25519,ssh-rsa,ssh-dss | |||
752 | .Pp | 805 | .Pp |
753 | If hostkeys are known for the destination host then this default is modified | 806 | If hostkeys are known for the destination host then this default is modified |
754 | to prefer their algorithms. | 807 | to prefer their algorithms. |
808 | .Pp | ||
809 | The list of available key types may also be obtained using the | ||
810 | .Fl Q | ||
811 | option of | ||
812 | .Xr ssh 1 | ||
813 | with an argument of | ||
814 | .Dq key . | ||
755 | .It Cm HostKeyAlias | 815 | .It Cm HostKeyAlias |
756 | Specifies an alias that should be used instead of the | 816 | Specifies an alias that should be used instead of the |
757 | real host name when looking up or saving the host key | 817 | real host name when looking up or saving the host key |
@@ -795,7 +855,7 @@ offers many different identities. | |||
795 | The default is | 855 | The default is |
796 | .Dq no . | 856 | .Dq no . |
797 | .It Cm IdentityFile | 857 | .It Cm IdentityFile |
798 | Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication | 858 | Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication |
799 | identity is read. | 859 | identity is read. |
800 | The default is | 860 | The default is |
801 | .Pa ~/.ssh/identity | 861 | .Pa ~/.ssh/identity |
@@ -922,6 +982,13 @@ diffie-hellman-group14-sha1, | |||
922 | diffie-hellman-group-exchange-sha1, | 982 | diffie-hellman-group-exchange-sha1, |
923 | diffie-hellman-group1-sha1 | 983 | diffie-hellman-group1-sha1 |
924 | .Ed | 984 | .Ed |
985 | .Pp | ||
986 | The list of available key exchange algorithms may also be obtained using the | ||
987 | .Fl Q | ||
988 | option of | ||
989 | .Xr ssh 1 | ||
990 | with an argument of | ||
991 | .Dq kex . | ||
925 | .It Cm LocalCommand | 992 | .It Cm LocalCommand |
926 | Specifies a command to execute on the local machine after successfully | 993 | Specifies a command to execute on the local machine after successfully |
927 | connecting to the server. | 994 | connecting to the server. |
@@ -1011,6 +1078,13 @@ hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, | |||
1011 | hmac-md5,hmac-sha1,hmac-ripemd160, | 1078 | hmac-md5,hmac-sha1,hmac-ripemd160, |
1012 | hmac-sha1-96,hmac-md5-96 | 1079 | hmac-sha1-96,hmac-md5-96 |
1013 | .Ed | 1080 | .Ed |
1081 | .Pp | ||
1082 | The list of available MAC algorithms may also be obtained using the | ||
1083 | .Fl Q | ||
1084 | option of | ||
1085 | .Xr ssh 1 | ||
1086 | with an argument of | ||
1087 | .Dq mac . | ||
1014 | .It Cm NoHostAuthenticationForLocalhost | 1088 | .It Cm NoHostAuthenticationForLocalhost |
1015 | This option can be used if the home directory is shared across machines. | 1089 | This option can be used if the home directory is shared across machines. |
1016 | In this case localhost will refer to a different machine on each of | 1090 | In this case localhost will refer to a different machine on each of |
@@ -1221,6 +1295,16 @@ and | |||
1221 | .Fl T | 1295 | .Fl T |
1222 | flags for | 1296 | flags for |
1223 | .Xr ssh 1 . | 1297 | .Xr ssh 1 . |
1298 | .It Cm RevokedHostKeys | ||
1299 | Specifies revoked host public keys. | ||
1300 | Keys listed in this file will be refused for host authentication. | ||
1301 | Note that if this file does not exist or is not readable, | ||
1302 | then host authentication will be refused for all hosts. | ||
1303 | Keys may be specified as a text file, listing one public key per line, or as | ||
1304 | an OpenSSH Key Revocation List (KRL) as generated by | ||
1305 | .Xr ssh-keygen 1 . | ||
1306 | For more information on KRLs, see the KEY REVOCATION LISTS section in | ||
1307 | .Xr ssh-keygen 1 . | ||
1224 | .It Cm RhostsRSAAuthentication | 1308 | .It Cm RhostsRSAAuthentication |
1225 | Specifies whether to try rhosts based authentication with RSA host | 1309 | Specifies whether to try rhosts based authentication with RSA host |
1226 | authentication. | 1310 | authentication. |
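Review bot: "Specifies revoked host public keys" in the new line 1299 describes the content rather than the argument; since the option takes a path, "Specifies a file containing revoked host public keys" is clearer and matches the following sentences that talk about "this file". The fail-closed behaviour (refusing all hosts when the file is missing or unreadable) is the right choice and is well documented here; consider moving that sentence directly after the path description so it is not missed.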
@@ -1419,6 +1503,36 @@ is not specified, it defaults to | |||
1419 | .Dq any . | 1503 | .Dq any . |
1420 | The default is | 1504 | The default is |
1421 | .Dq any:any . | 1505 | .Dq any:any . |
1506 | .It Cm UpdateHostKeys | ||
1507 | Specifies whether | ||
1508 | .Xr ssh 1 | ||
1509 | should accept notifications of additional hostkeys from the server sent | ||
1510 | after authentication has completed and add them to | ||
1511 | .Cm UserKnownHostsFile . | ||
1512 | The argument must be | ||
1513 | .Dq yes , | ||
1514 | .Dq no | ||
1515 | (the default) or | ||
1516 | .Dq ask . | ||
1517 | Enabling this option allows learning alternate hostkeys for a server | ||
1518 | and supports graceful key rotation by allowing a server to send replacement | ||
1519 | public keys before old ones are removed. | ||
1520 | Additional hostkeys are only accepted if the key used to authenticate the | ||
1521 | host was already trusted or explicity accepted by the user. | ||
1522 | If | ||
1523 | .Cm UpdateHostKeys | ||
1524 | is set to | ||
1525 | .Dq ask , | ||
1526 | then the user is asked to confirm the modifications to the known_hosts file. | ||
1527 | Confirmation is currently incompatible with | ||
1528 | .Cm ControlPersist , | ||
1529 | and will be disabled if it is enabled. | ||
1530 | .Pp | ||
1531 | Presently, only | ||
1532 | .Xr sshd 8 | ||
1533 | from OpenSSH 6.8 and greater support the | ||
1534 | .Dq hostkeys@openssh.com | ||
1535 | protocol extension used to inform the client of all the server's hostkeys. | ||
1422 | .It Cm UsePrivilegedPort | 1536 | .It Cm UsePrivilegedPort |
1423 | Specifies whether to use a privileged port for outgoing connections. | 1537 | Specifies whether to use a privileged port for outgoing connections. |
1424 | The argument must be | 1538 | The argument must be |
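Review bot: "explicity" in the new line 1521 should be "explicitly". In new lines 1527-1529, "Confirmation is currently incompatible with ControlPersist, and will be disabled if it is enabled" leaves "it" ambiguous; state plainly what happens, for example "if UpdateHostKeys is set to ask and ControlPersist is enabled, UpdateHostKeys is disabled", so readers know whether the update is skipped or silently applied without confirmation. In new line 1533, the subject is sshd, so "support" should be "supports".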
@@ -1477,12 +1591,12 @@ See also VERIFYING HOST KEYS in | |||
1477 | If this flag is set to | 1591 | If this flag is set to |
1478 | .Dq yes , | 1592 | .Dq yes , |
1479 | an ASCII art representation of the remote host key fingerprint is | 1593 | an ASCII art representation of the remote host key fingerprint is |
1480 | printed in addition to the hex fingerprint string at login and | 1594 | printed in addition to the fingerprint string at login and |
1481 | for unknown host keys. | 1595 | for unknown host keys. |
1482 | If this flag is set to | 1596 | If this flag is set to |
1483 | .Dq no , | 1597 | .Dq no , |
1484 | no fingerprint strings are printed at login and | 1598 | no fingerprint strings are printed at login and |
1485 | only the hex fingerprint string will be printed for unknown host keys. | 1599 | only the fingerprint string will be printed for unknown host keys. |
1486 | The default is | 1600 | The default is |
1487 | .Dq no . | 1601 | .Dq no . |
1488 | .It Cm XAuthLocation | 1602 | .It Cm XAuthLocation |