Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 137 |
1 files changed, 48 insertions, 89 deletions
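--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,16 +33,13 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.242 2017/02/27 14:30:33 jmc Exp $
-.Dd $Mdocdate: February 27 2017 $
+.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $
+.Dd $Mdocdate: September 21 2017 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
 .Nm ssh_config
 .Nd OpenSSH SSH client configuration files
-.Sh SYNOPSIS
-.Nm ~/.ssh/config
-.Nm /etc/ssh/ssh_config
 .Sh DESCRIPTION
 .Xr ssh 1
 obtains configuration data from the following sources in
@@ -411,25 +408,8 @@ in the process, regardless of the setting of
 If the option is set to
 .Cm no ,
 the check will not be executed.
-.It Cm Cipher
-Specifies the cipher to use for encrypting the session
-in protocol version 1.
-Currently,
-.Cm blowfish ,
-.Cm 3des
-(the default),
-and
-.Cm des
-are supported,
-though
-.Cm des
-is only supported in the
-.Xr ssh 1
-client for interoperability with legacy protocol 1 implementations;
-its use is strongly discouraged due to cryptographic weaknesses.
 .It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2
-in order of preference.
+Specifies the ciphers allowed and their order of preference.
 Multiple ciphers must be comma-separated.
 If the specified value begins with a
 .Sq +
@@ -451,11 +431,6 @@ aes192-ctr
 aes256-ctr
 aes128-gcm@openssh.com
 aes256-gcm@openssh.com
-arcfour
-arcfour128
-arcfour256
-blowfish-cbc
-cast128-cbc
 chacha20-poly1305@openssh.com
 .Ed
 .Pp
@@ -492,13 +467,6 @@ The argument must be
 or
 .Cm no
 (the default).
-.It Cm CompressionLevel
-Specifies the compression level to use if compression is enabled.
-The argument must be an integer from 1 (fast) to 9 (slow, best).
-The default level is 6, which is good for most applications.
-The meaning of the values is the same as in
-.Xr gzip 1 .
-Note that this option applies to protocol version 1 only.
 .It Cm ConnectionAttempts
 Specifies the number of tries (one per second) to make before exiting.
 The argument must be an integer.
@@ -894,7 +862,7 @@ The list of available key types may also be obtained using
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
-in the host key database files.
+in the host key database files and when validating host certificates.
 This option is useful for tunneling SSH connections
 or for multiple servers running on a single host.
 .It Cm HostName
@@ -958,14 +926,11 @@ section.
 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
 identity is read.
 The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ed25519
 and
-.Pa ~/.ssh/id_rsa
-for protocol version 2.
+.Pa ~/.ssh/id_rsa .
 Additionally, any identities represented by the authentication agent
 will be used for authentication unless
 .Cm IdentitiesOnly
@@ -1060,7 +1025,9 @@ Accepted values are
 .Cm lowdelay ,
 .Cm throughput ,
 .Cm reliability ,
-or a numeric value.
+a numeric value, or
+.Cm none
+to use the operating system default.
 This option may take one or two arguments, separated by whitespace.
 If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
@@ -1248,21 +1215,6 @@ The default is:
 gssapi-with-mic,hostbased,publickey,
 keyboard-interactive,password
 .Ed
-.It Cm Protocol
-Specifies the protocol versions
-.Xr ssh 1
-should support in order of preference.
-The possible values are 1 and 2.
-Multiple versions must be comma-separated.
-When this option is set to
-.Cm 2,1
-.Nm ssh
-will try version 2 and fall back to version 1
-if version 2 is not available.
-The default is version 2.
-Protocol 1 suffers from a number of cryptographic weaknesses and should
-not be used.
-It is only offered to support legacy devices.
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
@@ -1390,15 +1342,31 @@ is
 .Cm default none ,
 which means that rekeying is performed after the cipher's default amount
 of data has been sent or received and no time based rekeying is done.
+.It Cm RemoteCommand
+Specifies a command to execute on the remote machine after successfully
+connecting to the server.
+The command string extends to the end of the line, and is executed with
+the user's shell.
+Arguments to
+.Cm RemoteCommand
+accept the tokens described in the
+.Sx TOKENS
+section.
 .It Cm RemoteForward
 Specifies that a TCP port on the remote machine be forwarded over
-the secure channel to the specified host and port from the local machine.
+the secure channel.
+The remote port may either be fowarded to a specified host and port
+from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
+client to connect to arbitrary destinations from the local machine.
 The first argument must be
 .Sm off
 .Oo Ar bind_address : Oc Ar port
 .Sm on
-and the second argument must be
-.Ar host : Ns Ar hostport .
+If forwarding to a specific destination then the second argument must be
+.Ar host : Ns Ar hostport ,
+otherwise if no destination argument is specified then the remote forwarding
+will be established as a SOCKS proxy.
+.Pp
 IPv6 addresses can be specified by enclosing addresses in square brackets.
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
@@ -1453,28 +1421,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
-.It Cm RhostsRSAAuthentication
-Specifies whether to try rhosts based authentication with RSA host
-authentication.
-The argument must be
-.Cm yes
-or
-.Cm no
-(the default).
-This option applies to protocol version 1 only and requires
-.Xr ssh 1
-to be setuid root.
-.It Cm RSAAuthentication
-Specifies whether to try RSA authentication.
-The argument to this keyword must be
-.Cm yes
-(the default)
-or
-.Cm no .
-RSA authentication will only be
-attempted if the identity file exists, or an authentication agent is
-running.
-Note that this option applies to protocol version 1 only.
 .It Cm SendEnv
 Specifies what variables from the local
 .Xr environ 7
@@ -1581,10 +1527,19 @@ file is poorly maintained or when connections to new hosts are
 frequently made.
 This option forces the user to manually
 add all new hosts.
+.Pp
 If this flag is set to
-.Cm no ,
-ssh will automatically add new host keys to the
-user known hosts files.
+.Dq accept-new
+then ssh will automatically add new host keys to the user
+known hosts files, but will not permit connections to hosts with
+changed host keys.
+If this flag is set to
+.Dq no
+or
+.Dq off ,
+ssh will automatically add new host keys to the user known hosts files
+and allow connections to hosts with changed hostkeys to proceed,
+subject to some restrictions.
 If this flag is set to
 .Cm ask
 (the default),
@@ -1594,6 +1549,12 @@ has confirmed that is what they really want to do, and
 ssh will refuse to connect to hosts whose host key has changed.
 The host keys of
 known hosts will be verified automatically in all cases.
+.It Cm SyslogFacility
+Gives the facility code that is used when logging messages from
+.Xr ssh 1 .
+The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is USER.
 .It Cm TCPKeepAlive
 Specifies whether the system should send TCP keepalive messages to the
 other side.
@@ -1696,11 +1657,6 @@ If set to
 .Cm yes ,
 .Xr ssh 1
 must be setuid root.
-Note that this option must be set to
-.Cm yes
-for
-.Cm RhostsRSAAuthentication
-with older servers.
 .It Cm User
 Specifies the user to log in as.
 This can be useful when a different user name is used on different machines.
@@ -1839,6 +1795,9 @@ accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
 .Pp
 .Cm ProxyCommand
 accepts the tokens %%, %h, %p, and %r.
+.Pp
+.Cm RemoteCommand
+accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/config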