path: root/ssh_config.5
Diffstat (limited to 'ssh_config.5')
-rw-r--r--ssh_config.5152
1 files changed, 133 insertions, 19 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index f9ede7a31..140d0ba98 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.191 2014/07/15 15:54:14 millert Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.205 2015/02/20 22:17:21 djm Exp $
37.Dd $Mdocdate: July 15 2014 $ 37.Dd $Mdocdate: February 20 2015 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -65,7 +65,10 @@ The configuration files contain sections separated by
65.Dq Host 65.Dq Host
66specifications, and that section is only applied for hosts that 66specifications, and that section is only applied for hosts that
67match one of the patterns given in the specification. 67match one of the patterns given in the specification.
68The matched host name is the one given on the command line. 68The matched host name is usually the one given on the command line
69(see the
70.Cm CanonicalizeHostname
71option for exceptions.)
69.Pp 72.Pp
70Since the first obtained value for each parameter is used, more 73Since the first obtained value for each parameter is used, more
71host-specific declarations should be given near the beginning of the 74host-specific declarations should be given near the beginning of the
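Review bot: the added parenthetical "(see the CanonicalizeHostname option for exceptions.)" puts the sentence-ending period inside the closing parenthesis; since the parenthetical is part of the surrounding sentence, it should read "option for exceptions)." with the period after the parenthesis. The same construction is repeated in the Host pattern text later in this patch, so both places should be fixed together.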
@@ -109,10 +112,12 @@ A single
109.Ql * 112.Ql *
110as a pattern can be used to provide global 113as a pattern can be used to provide global
111defaults for all hosts. 114defaults for all hosts.
112The host is the 115The host is usually the
113.Ar hostname 116.Ar hostname
114argument given on the command line (i.e. the name is not converted to 117argument given on the command line
115a canonicalized host name before matching). 118(see the
119.Cm CanonicalizeHostname
120option for exceptions.)
116.Pp 121.Pp
117A pattern entry may be negated by prefixing it with an exclamation mark 122A pattern entry may be negated by prefixing it with an exclamation mark
118.Pq Sq !\& . 123.Pq Sq !\& .
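Review bot: the removed text explicitly stated that the name is not canonicalized before matching, and the replacement only points to CanonicalizeHostname for exceptions. It would help the reader to keep a short statement of the actual behaviour here, namely that Host patterns are matched first against the command-line name and, when canonicalization changes it, matched again on the second pass, rather than leaving the rule implicit in a cross-reference. Same punctuation nit as above: "exceptions.)" should be "exceptions)."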
@@ -134,19 +139,40 @@ or
134keyword) to be used only when the conditions following the 139keyword) to be used only when the conditions following the
135.Cm Match 140.Cm Match
136keyword are satisfied. 141keyword are satisfied.
137Match conditions are specified using one or more keyword/criteria pairs 142Match conditions are specified using one or more critera
138or the single token 143or the single token
139.Cm all 144.Cm all
140which matches all criteria. 145which always matches.
141The available keywords are: 146The available criteria keywords are:
147.Cm canonical ,
142.Cm exec , 148.Cm exec ,
143.Cm host , 149.Cm host ,
144.Cm originalhost , 150.Cm originalhost ,
145.Cm user , 151.Cm user ,
146and 152and
147.Cm localuser . 153.Cm localuser .
154The
155.Cm all
156criteria must appear alone or immediately after
157.Cm canonical .
158Other criteria may be combined arbitrarily.
159All criteria but
160.Cm all
161and
162.Cm canonical
163require an argument.
164Criteria may be negated by prepending an exclamation mark
165.Pq Sq !\& .
148.Pp 166.Pp
149The 167The
168.Cm canonical
169keywork matches only when the configuration file is being re-parsed
170after hostname canonicalization (see the
171.Cm CanonicalizeHostname
172option.)
173This may be useful to specify conditions that work with canonical host
174names only.
175The
150.Cm exec 176.Cm exec
151keyword executes the specified command under the user's shell. 177keyword executes the specified command under the user's shell.
152If the command returns a zero exit status then the condition is considered true. 178If the command returns a zero exit status then the condition is considered true.
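Review bot: two spelling errors in the added lines: "one or more critera" should be "one or more criteria", and "keywork matches only when" should be "keyword matches only when". Also "The all criteria must appear alone" reads better as "The all criterion must appear alone" (or "keyword"), matching the singular subject. Since the CanonicalizeHostname text elsewhere in this patch says the configuration is processed again after canonicalization, it would be worth stating here whether a Match exec command is run a second time on that re-parse; the new canonical criterion is the natural guard for commands that should only run once, and saying so makes the "may be useful" sentence concrete. Finally, "option.)" should be "option)."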
@@ -179,7 +205,9 @@ The criteria for the
179keyword are matched against the target hostname, after any substitution 205keyword are matched against the target hostname, after any substitution
180by the 206by the
181.Cm Hostname 207.Cm Hostname
182option. 208or
209.Cm CanonicalizeHostname
210options.
183The 211The
184.Cm originalhost 212.Cm originalhost
185keyword matches against the hostname as it was specified on the command-line. 213keyword matches against the hostname as it was specified on the command-line.
@@ -264,10 +292,11 @@ is set to
264.Dq always , 292.Dq always ,
265then canonicalization is applied to proxied connections too. 293then canonicalization is applied to proxied connections too.
266.Pp 294.Pp
267If this option is enabled and canonicalisation results in the target hostname 295If this option is enabled, then the configuration files are processed
268changing, then the configuration files are processed again using the new 296again using the new target name to pick up any new configuration in matching
269target name to pick up any new configuration in matching
270.Cm Host 297.Cm Host
298and
299.Cm Match
271stanzas. 300stanzas.
272.It Cm CanonicalizeMaxDots 301.It Cm CanonicalizeMaxDots
273Specifies the maximum number of dot characters in a hostname before 302Specifies the maximum number of dot characters in a hostname before
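Review bot: the rewritten sentence drops the old condition "and canonicalisation results in the target hostname changing", so it now reads as though the configuration is always re-parsed when CanonicalizeHostname is enabled. If the re-parse really is unconditional now, that is a behaviour change worth calling out; if it still only happens when the hostname changed, the condition should be kept, e.g. "If this option is enabled and canonicalization changes the target hostname, then the configuration files are processed again". Either way the doc should not be ambiguous about when Match exec commands get a second evaluation.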
@@ -388,7 +417,9 @@ aes192-cbc,aes256-cbc,arcfour
388The list of available ciphers may also be obtained using the 417The list of available ciphers may also be obtained using the
389.Fl Q 418.Fl Q
390option of 419option of
391.Xr ssh 1 . 420.Xr ssh 1
421with an argument of
422.Dq cipher .
392.It Cm ClearAllForwardings 423.It Cm ClearAllForwardings
393Specifies that all local, remote, and dynamic port forwardings 424Specifies that all local, remote, and dynamic port forwardings
394specified in the configuration files or on the command line be 425specified in the configuration files or on the command line be
@@ -508,7 +539,8 @@ by a hash of the concatenation: %l%h%p%r.
508It is recommended that any 539It is recommended that any
509.Cm ControlPath 540.Cm ControlPath
510used for opportunistic connection sharing include 541used for opportunistic connection sharing include
511at least %h, %p, and %r (or alternatively %C). 542at least %h, %p, and %r (or alternatively %C) and be placed in a directory
543that is not writable by other users.
512This ensures that shared connections are uniquely identified. 544This ensures that shared connections are uniquely identified.
513.It Cm ControlPersist 545.It Cm ControlPersist
514When used in conjunction with 546When used in conjunction with
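Review bot: the new advice "and be placed in a directory that is not writable by other users" is the right recommendation but gives no reason, and the following sentence "This ensures that shared connections are uniquely identified" now only explains the token part. Suggest a short clause on why the directory matters, along the lines of "so that other users cannot pre-create or replace the control socket", and mention that ~/.ssh/ (which already has this property) is the usual choice; otherwise readers may treat the directory requirement as optional.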
@@ -521,7 +553,9 @@ If set to
521then the master connection will not be placed into the background, 553then the master connection will not be placed into the background,
522and will close as soon as the initial client connection is closed. 554and will close as soon as the initial client connection is closed.
523If set to 555If set to
524.Dq yes , 556.Dq yes
557or
558.Dq 0 ,
525then the master connection will remain in the background indefinitely 559then the master connection will remain in the background indefinitely
526(until killed or closed via a mechanism such as the 560(until killed or closed via a mechanism such as the
527.Xr ssh 1 561.Xr ssh 1
@@ -606,6 +640,14 @@ or
606.Dq no . 640.Dq no .
607The default is 641The default is
608.Dq no . 642.Dq no .
643.It Cm FingerprintHash
644Specifies the hash algorithm used when displaying key fingerprints.
645Valid options are:
646.Dq md5
647and
648.Dq sha256 .
649The default is
650.Dq sha256 .
609.It Cm ForwardAgent 651.It Cm ForwardAgent
610Specifies whether the connection to the authentication agent (if any) 652Specifies whether the connection to the authentication agent (if any)
611will be forwarded to the remote machine. 653will be forwarded to the remote machine.
@@ -735,6 +777,17 @@ The default is
735This option applies to protocol version 2 only and 777This option applies to protocol version 2 only and
736is similar to 778is similar to
737.Cm RhostsRSAAuthentication . 779.Cm RhostsRSAAuthentication .
780.It Cm HostbasedKeyTypes
781Specifies the key types that will be used for hostbased authentication
782as a comma-separated pattern list.
783The default
784.Dq *
785will allow all key types.
786The
787.Fl Q
788option of
789.Xr ssh 1
790may be used to list supported key types.
738.It Cm HostKeyAlgorithms 791.It Cm HostKeyAlgorithms
739Specifies the protocol version 2 host key algorithms 792Specifies the protocol version 2 host key algorithms
740that the client wants to use in order of preference. 793that the client wants to use in order of preference.
@@ -752,6 +805,13 @@ ssh-ed25519,ssh-rsa,ssh-dss
752.Pp 805.Pp
753If hostkeys are known for the destination host then this default is modified 806If hostkeys are known for the destination host then this default is modified
754to prefer their algorithms. 807to prefer their algorithms.
808.Pp
809The list of available key types may also be obtained using the
810.Fl Q
811option of
812.Xr ssh 1
813with an argument of
814.Dq key .
755.It Cm HostKeyAlias 815.It Cm HostKeyAlias
756Specifies an alias that should be used instead of the 816Specifies an alias that should be used instead of the
757real host name when looking up or saving the host key 817real host name when looking up or saving the host key
@@ -795,7 +855,7 @@ offers many different identities.
795The default is 855The default is
796.Dq no . 856.Dq no .
797.It Cm IdentityFile 857.It Cm IdentityFile
798Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication 858Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
799identity is read. 859identity is read.
800The default is 860The default is
801.Pa ~/.ssh/identity 861.Pa ~/.ssh/identity
@@ -922,6 +982,13 @@ diffie-hellman-group14-sha1,
922diffie-hellman-group-exchange-sha1, 982diffie-hellman-group-exchange-sha1,
923diffie-hellman-group1-sha1 983diffie-hellman-group1-sha1
924.Ed 984.Ed
985.Pp
986The list of available key exchange algorithms may also be obtained using the
987.Fl Q
988option of
989.Xr ssh 1
990with an argument of
991.Dq kex .
925.It Cm LocalCommand 992.It Cm LocalCommand
926Specifies a command to execute on the local machine after successfully 993Specifies a command to execute on the local machine after successfully
927connecting to the server. 994connecting to the server.
@@ -1011,6 +1078,13 @@ hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
1011hmac-md5,hmac-sha1,hmac-ripemd160, 1078hmac-md5,hmac-sha1,hmac-ripemd160,
1012hmac-sha1-96,hmac-md5-96 1079hmac-sha1-96,hmac-md5-96
1013.Ed 1080.Ed
1081.Pp
1082The list of available MAC algorithms may also be obtained using the
1083.Fl Q
1084option of
1085.Xr ssh 1
1086with an argument of
1087.Dq mac .
1014.It Cm NoHostAuthenticationForLocalhost 1088.It Cm NoHostAuthenticationForLocalhost
1015This option can be used if the home directory is shared across machines. 1089This option can be used if the home directory is shared across machines.
1016In this case localhost will refer to a different machine on each of 1090In this case localhost will refer to a different machine on each of
@@ -1221,6 +1295,16 @@ and
1221.Fl T 1295.Fl T
1222flags for 1296flags for
1223.Xr ssh 1 . 1297.Xr ssh 1 .
1298.It Cm RevokedHostKeys
1299Specifies revoked host public keys.
1300Keys listed in this file will be refused for host authentication.
1301Note that if this file does not exist or is not readable,
1302then host authentication will be refused for all hosts.
1303Keys may be specified as a text file, listing one public key per line, or as
1304an OpenSSH Key Revocation List (KRL) as generated by
1305.Xr ssh-keygen 1 .
1306For more information on KRLs, see the KEY REVOCATION LISTS section in
1307.Xr ssh-keygen 1 .
1224.It Cm RhostsRSAAuthentication 1308.It Cm RhostsRSAAuthentication
1225Specifies whether to try rhosts based authentication with RSA host 1309Specifies whether to try rhosts based authentication with RSA host
1226authentication. 1310authentication.
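Review bot: the RevokedHostKeys entry states the fail-closed behaviour for a missing or unreadable file, which is good, but does not state the default when the option is not set at all. Every neighbouring entry gives a default; add one here (presumably that no revocation file is consulted unless the option is set) so that the "refused for all hosts" sentence is clearly scoped to a configured-but-unreadable path rather than to the unset case. It would also help to say explicitly whether a KRL and a plain-text list are distinguished automatically or by some marker, since the text says "may be specified as" either without saying how the format is detected.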
@@ -1419,6 +1503,36 @@ is not specified, it defaults to
1419.Dq any . 1503.Dq any .
1420The default is 1504The default is
1421.Dq any:any . 1505.Dq any:any .
1506.It Cm UpdateHostKeys
1507Specifies whether
1508.Xr ssh 1
1509should accept notifications of additional hostkeys from the server sent
1510after authentication has completed and add them to
1511.Cm UserKnownHostsFile .
1512The argument must be
1513.Dq yes ,
1514.Dq no
1515(the default) or
1516.Dq ask .
1517Enabling this option allows learning alternate hostkeys for a server
1518and supports graceful key rotation by allowing a server to send replacement
1519public keys before old ones are removed.
1520Additional hostkeys are only accepted if the key used to authenticate the
1521host was already trusted or explicity accepted by the user.
1522If
1523.Cm UpdateHostKeys
1524is set to
1525.Dq ask ,
1526then the user is asked to confirm the modifications to the known_hosts file.
1527Confirmation is currently incompatible with
1528.Cm ControlPersist ,
1529and will be disabled if it is enabled.
1530.Pp
1531Presently, only
1532.Xr sshd 8
1533from OpenSSH 6.8 and greater support the
1534.Dq hostkeys@openssh.com
1535protocol extension used to inform the client of all the server's hostkeys.
1422.It Cm UsePrivilegedPort 1536.It Cm UsePrivilegedPort
1423Specifies whether to use a privileged port for outgoing connections. 1537Specifies whether to use a privileged port for outgoing connections.
1424The argument must be 1538The argument must be
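Review bot: typo in the added lines: "explicity accepted by the user" should be "explicitly accepted by the user". The sentence "Confirmation is currently incompatible with ControlPersist, and will be disabled if it is enabled" has an ambiguous "it"; since the subject is the ask prompt, suggest "and confirmation will be disabled if ControlPersist is enabled" so the reader knows which option wins. It is also worth stating what happens in that case (whether UpdateHostKeys then behaves as "no" or silently as "yes"), because silently accepting new hostkeys when the user asked to be prompted would be surprising.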
@@ -1477,12 +1591,12 @@ See also VERIFYING HOST KEYS in
1477If this flag is set to 1591If this flag is set to
1478.Dq yes , 1592.Dq yes ,
1479an ASCII art representation of the remote host key fingerprint is 1593an ASCII art representation of the remote host key fingerprint is
1480printed in addition to the hex fingerprint string at login and 1594printed in addition to the fingerprint string at login and
1481for unknown host keys. 1595for unknown host keys.
1482If this flag is set to 1596If this flag is set to
1483.Dq no , 1597.Dq no ,
1484no fingerprint strings are printed at login and 1598no fingerprint strings are printed at login and
1485only the hex fingerprint string will be printed for unknown host keys. 1599only the fingerprint string will be printed for unknown host keys.
1486The default is 1600The default is
1487.Dq no . 1601.Dq no .
1488.It Cm XAuthLocation 1602.It Cm XAuthLocation