path: root/ssh_config.5
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 321
1 files changed, 210 insertions, 111 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 5c41189fa..83de2f7e4 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $ 37.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH_CONFIG 5 39.Dt SSH_CONFIG 5
40.Os 40.Os
@@ -42,14 +42,13 @@
42.Nm ssh_config 42.Nm ssh_config
43.Nd OpenSSH SSH client configuration files 43.Nd OpenSSH SSH client configuration files
44.Sh SYNOPSIS 44.Sh SYNOPSIS
45.Bl -tag -width Ds -compact 45.Nm ~/.ssh/config
46.It Pa ~/.ssh/config 46.Nm /etc/ssh/ssh_config
47.It Pa /etc/ssh/ssh_config
48.El
49.Sh DESCRIPTION 47.Sh DESCRIPTION
50.Nm ssh 48.Xr ssh 1
51obtains configuration data from the following sources in 49obtains configuration data from the following sources in
52the following order: 50the following order:
51.Pp
53.Bl -enum -offset indent -compact 52.Bl -enum -offset indent -compact
54.It 53.It
55command-line options 54command-line options
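Review bot: In SYNOPSIS, the two configuration file paths are now marked up with .Nm (".Nm ~/.ssh/config", ".Nm /etc/ssh/ssh_config") where the old text used .Pa. .Nm is the name macro and .Pa is the one for path names, and the FILES section of this same page still tags both paths with .Pa. Consider keeping .Pa here so the paths are marked up consistently.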
@@ -78,7 +77,6 @@ The configuration file has the following format:
78Empty lines and lines starting with 77Empty lines and lines starting with
79.Ql # 78.Ql #
80are comments. 79are comments.
81.Pp
82Otherwise a line is of the format 80Otherwise a line is of the format
83.Dq keyword arguments . 81.Dq keyword arguments .
84Configuration options may be separated by whitespace or 82Configuration options may be separated by whitespace or
@@ -87,11 +85,14 @@ optional whitespace and exactly one
87the latter format is useful to avoid the need to quote whitespace 85the latter format is useful to avoid the need to quote whitespace
88when specifying configuration options using the 86when specifying configuration options using the
89.Nm ssh , 87.Nm ssh ,
90.Nm scp 88.Nm scp ,
91and 89and
92.Nm sftp 90.Nm sftp
93.Fl o 91.Fl o
94option. 92option.
93Arguments may optionally be enclosed in double quotes
94.Pq \&"
95in order to represent arguments containing spaces.
95.Pp 96.Pp
96The possible 97The possible
97keywords and their meanings are as follows (note that 98keywords and their meanings are as follows (note that
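Review bot: The sentence added at new lines 93-95 says arguments may be enclosed in double quotes to carry spaces, but it does not say how a literal double quote inside an argument is written, or whether the quoting also applies to values passed with -o. One sentence covering both would save users from guessing when a path or command contains quotes.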
@@ -102,25 +103,24 @@ Restricts the following declarations (up to the next
102.Cm Host 103.Cm Host
103keyword) to be only for those hosts that match one of the patterns 104keyword) to be only for those hosts that match one of the patterns
104given after the keyword. 105given after the keyword.
105.Ql \&*
106and
107.Ql \&?
108can be used as wildcards in the
109patterns.
110A single 106A single
111.Ql \&* 107.Ql *
112as a pattern can be used to provide global 108as a pattern can be used to provide global
113defaults for all hosts. 109defaults for all hosts.
114The host is the 110The host is the
115.Ar hostname 111.Ar hostname
116argument given on the command line (i.e., the name is not converted to 112argument given on the command line (i.e. the name is not converted to
117a canonicalized host name before matching). 113a canonicalized host name before matching).
114.Pp
115See
116.Sx PATTERNS
117for more information on patterns.
118.It Cm AddressFamily 118.It Cm AddressFamily
119Specifies which address family to use when connecting. 119Specifies which address family to use when connecting.
120Valid arguments are 120Valid arguments are
121.Dq any , 121.Dq any ,
122.Dq inet 122.Dq inet
123(use IPv4 only) or 123(use IPv4 only), or
124.Dq inet6 124.Dq inet6
125(use IPv6 only). 125(use IPv6 only).
126.It Cm BatchMode 126.It Cm BatchMode
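Review bot: The Host entry now defers to PATTERNS for wildcard syntax, and PATTERNS also describes pattern-lists with "!" negation, yet the Host text still reads "match one of the patterns given after the keyword" and does not say whether negated patterns are accepted there. State that explicitly. A reader who assumes a negated pattern excludes a host from a Host block could end up applying forwarding or identity options to a host they meant to leave out.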
@@ -144,7 +144,7 @@ Note that this option does not work if
144is set to 144is set to
145.Dq yes . 145.Dq yes .
146.It Cm ChallengeResponseAuthentication 146.It Cm ChallengeResponseAuthentication
147Specifies whether to use challenge response authentication. 147Specifies whether to use challenge-response authentication.
148The argument to this keyword must be 148The argument to this keyword must be
149.Dq yes 149.Dq yes
150or 150or
@@ -154,7 +154,8 @@ The default is
154.It Cm CheckHostIP 154.It Cm CheckHostIP
155If this flag is set to 155If this flag is set to
156.Dq yes , 156.Dq yes ,
157ssh will additionally check the host IP address in the 157.Xr ssh 1
158will additionally check the host IP address in the
158.Pa known_hosts 159.Pa known_hosts
159file. 160file.
160This allows ssh to detect if a host key changed due to DNS spoofing. 161This allows ssh to detect if a host key changed due to DNS spoofing.
@@ -174,7 +175,7 @@ and
174are supported. 175are supported.
175.Ar des 176.Ar des
176is only supported in the 177is only supported in the
177.Nm ssh 178.Xr ssh 1
178client for interoperability with legacy protocol 1 implementations 179client for interoperability with legacy protocol 1 implementations
179that do not support the 180that do not support the
180.Ar 3des 181.Ar 3des
@@ -200,18 +201,18 @@ The supported ciphers are
200.Dq blowfish-cbc , 201.Dq blowfish-cbc ,
201and 202and
202.Dq cast128-cbc . 203.Dq cast128-cbc .
203The default is 204The default is:
204.Bd -literal 205.Bd -literal -offset 3n
205 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 206aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
206 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 207arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
207 aes192-ctr,aes256-ctr'' 208aes192-ctr,aes256-ctr
208.Ed 209.Ed
209.It Cm ClearAllForwardings 210.It Cm ClearAllForwardings
210Specifies that all local, remote and dynamic port forwardings 211Specifies that all local, remote, and dynamic port forwardings
211specified in the configuration files or on the command line be 212specified in the configuration files or on the command line be
212cleared. 213cleared.
213This option is primarily useful when used from the 214This option is primarily useful when used from the
214.Nm ssh 215.Xr ssh 1
215command line to clear port forwardings set in 216command line to clear port forwardings set in
216configuration files, and is automatically set by 217configuration files, and is automatically set by
217.Xr scp 1 218.Xr scp 1
@@ -244,15 +245,15 @@ The argument must be an integer.
244This may be useful in scripts if the connection sometimes fails. 245This may be useful in scripts if the connection sometimes fails.
245The default is 1. 246The default is 1.
246.It Cm ConnectTimeout 247.It Cm ConnectTimeout
247Specifies the timeout (in seconds) used when connecting to the ssh 248Specifies the timeout (in seconds) used when connecting to the
248server, instead of using the default system TCP timeout. 249SSH server, instead of using the default system TCP timeout.
249This value is used only when the target is down or really unreachable, 250This value is used only when the target is down or really unreachable,
250not when it refuses the connection. 251not when it refuses the connection.
251.It Cm ControlMaster 252.It Cm ControlMaster
252Enables the sharing of multiple sessions over a single network connection. 253Enables the sharing of multiple sessions over a single network connection.
253When set to 254When set to
254.Dq yes 255.Dq yes ,
255.Nm ssh 256.Xr ssh 1
256will listen for connections on a control socket specified using the 257will listen for connections on a control socket specified using the
257.Cm ControlPath 258.Cm ControlPath
258argument. 259argument.
@@ -269,8 +270,7 @@ if the control socket does not exist, or is not listening.
269.Pp 270.Pp
270Setting this to 271Setting this to
271.Dq ask 272.Dq ask
272will cause 273will cause ssh
273.Nm ssh
274to listen for control connections, but require confirmation using the 274to listen for control connections, but require confirmation using the
275.Ev SSH_ASKPASS 275.Ev SSH_ASKPASS
276program before they are accepted (see 276program before they are accepted (see
@@ -278,9 +278,8 @@ program before they are accepted (see
278for details). 278for details).
279If the 279If the
280.Cm ControlPath 280.Cm ControlPath
281can not be opened, 281cannot be opened,
282.Nm ssh 282ssh will continue without connecting to a master instance.
283will continue without connecting to a master instance.
284.Pp 283.Pp
285X11 and 284X11 and
286.Xr ssh-agent 1 285.Xr ssh-agent 1
@@ -306,16 +305,18 @@ section above or the string
306.Dq none 305.Dq none
307to disable connection sharing. 306to disable connection sharing.
308In the path, 307In the path,
308.Ql %l
309will be substituted by the local host name,
309.Ql %h 310.Ql %h
310will be substituted by the target host name, 311will be substituted by the target host name,
311.Ql %p 312.Ql %p
312the port and 313the port, and
313.Ql %r 314.Ql %r
314by the remote login username. 315by the remote login username.
315It is recommended that any 316It is recommended that any
316.Cm ControlPath 317.Cm ControlPath
317used for opportunistic connection sharing include 318used for opportunistic connection sharing include
318all three of these escape sequences. 319at least %h, %p, and %r.
319This ensures that shared connections are uniquely identified. 320This ensures that shared connections are uniquely identified.
320.It Cm DynamicForward 321.It Cm DynamicForward
321Specifies that a TCP port on the local machine be forwarded 322Specifies that a TCP port on the local machine be forwarded
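Review bot: In the ControlPath recommendation (new line 319), "at least %h, %p, and %r" is written as bare text while the escapes just above it are set with .Ql; mark these up the same way. The hunk also introduces %l without saying when it is worth including. A short hint, for example when the directory holding the socket is shared between machines, would explain why the wording went from "all three" to "at least".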
@@ -346,7 +347,7 @@ empty address or
346indicates that the port should be available from all interfaces. 347indicates that the port should be available from all interfaces.
347.Pp 348.Pp
348Currently the SOCKS4 and SOCKS5 protocols are supported, and 349Currently the SOCKS4 and SOCKS5 protocols are supported, and
349.Nm ssh 350.Xr ssh 1
350will act as a SOCKS server. 351will act as a SOCKS server.
351Multiple forwardings may be specified, and 352Multiple forwardings may be specified, and
352additional forwardings can be given on the command line. 353additional forwardings can be given on the command line.
@@ -382,6 +383,17 @@ followed by a letter, or
382to disable the escape 383to disable the escape
383character entirely (making the connection transparent for binary 384character entirely (making the connection transparent for binary
384data). 385data).
386.It Cm ExitOnForwardFailure
387Specifies whether
388.Xr ssh 1
389should terminate the connection if it cannot set up all requested
390dynamic, local, and remote port forwardings.
391The argument must be
392.Dq yes
393or
394.Dq no .
395The default is
396.Dq no .
385.It Cm ForwardAgent 397.It Cm ForwardAgent
386Specifies whether the connection to the authentication agent (if any) 398Specifies whether the connection to the authentication agent (if any)
387will be forwarded to the remote machine. 399will be forwarded to the remote machine.
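Review bot: The new ExitOnForwardFailure entry describes only the "yes" behaviour. Add a sentence on what happens under the default "no" when a requested forwarding cannot be set up, since scripts that depend on a tunnel being present need to know that the default does not terminate the connection. Unlike several neighbouring entries, it also does not say which protocol versions it applies to.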
@@ -421,12 +433,12 @@ if the
421option is also enabled. 433option is also enabled.
422.It Cm ForwardX11Trusted 434.It Cm ForwardX11Trusted
423If this option is set to 435If this option is set to
424.Dq yes 436.Dq yes ,
425then remote X11 clients will have full access to the original X11 display. 437remote X11 clients will have full access to the original X11 display.
426.Pp 438.Pp
427If this option is set to 439If this option is set to
428.Dq no 440.Dq no ,
429then remote X11 clients will be considered untrusted and prevented 441remote X11 clients will be considered untrusted and prevented
430from stealing or tampering with data belonging to trusted X11 442from stealing or tampering with data belonging to trusted X11
431clients. 443clients.
432Furthermore, the 444Furthermore, the
@@ -443,12 +455,11 @@ the restrictions imposed on untrusted clients.
443Specifies whether remote hosts are allowed to connect to local 455Specifies whether remote hosts are allowed to connect to local
444forwarded ports. 456forwarded ports.
445By default, 457By default,
446.Nm ssh 458.Xr ssh 1
447binds local port forwardings to the loopback address. 459binds local port forwardings to the loopback address.
448This prevents other remote hosts from connecting to forwarded ports. 460This prevents other remote hosts from connecting to forwarded ports.
449.Cm GatewayPorts 461.Cm GatewayPorts
450can be used to specify that 462can be used to specify that ssh
451.Nm ssh
452should bind local port forwardings to the wildcard address, 463should bind local port forwardings to the wildcard address,
453thus allowing remote hosts to connect to forwarded ports. 464thus allowing remote hosts to connect to forwarded ports.
454The argument must be 465The argument must be
@@ -466,6 +477,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
466The default is 477The default is
467.Dq no . 478.Dq no .
468Note that this option applies to protocol version 2 only. 479Note that this option applies to protocol version 2 only.
480.It Cm GSSAPIKeyExchange
481Specifies whether key exchange based on GSSAPI may be used. When using
482GSSAPI key exchange the server need not have a host key.
483The default is
484.Dq no .
485Note that this option applies to protocol version 2 only.
469.It Cm GSSAPIDelegateCredentials 486.It Cm GSSAPIDelegateCredentials
470Forward (delegate) credentials to the server. 487Forward (delegate) credentials to the server.
471The default is 488The default is
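Review bot: New line 481 starts a second sentence mid-line ("may be used. When using"); the rest of this change keeps one sentence per source line, so break after "used." The statement that "the server need not have a host key" also deserves one more sentence saying what authenticates the server in that case, because readers otherwise rely on known_hosts checking for that.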
@@ -473,29 +490,31 @@ The default is
473Note that this option applies to protocol version 2 only. 490Note that this option applies to protocol version 2 only.
474.It Cm GSSAPITrustDns 491.It Cm GSSAPITrustDns
475Set to 492Set to
476.Dq yes to indicate that the DNS is trusted to securely canonicalize 493.Dq yes
494to indicate that the DNS is trusted to securely canonicalize
477the name of the host being connected to. If 495the name of the host being connected to. If
478.Dq no, the hostname entered on the 496.Dq no ,
497the hostname entered on the
479command line will be passed untouched to the GSSAPI library. 498command line will be passed untouched to the GSSAPI library.
480The default is 499The default is
481.Dq no . 500.Dq no .
482This option only applies to protocol version 2 connections using GSSAPI 501This option only applies to protocol version 2 connections using GSSAPI.
483key exchange.
484.It Cm HashKnownHosts 502.It Cm HashKnownHosts
485Indicates that 503Indicates that
486.Nm ssh 504.Xr ssh 1
487should hash host names and addresses when they are added to 505should hash host names and addresses when they are added to
488.Pa ~/.ssh/known_hosts . 506.Pa ~/.ssh/known_hosts .
489These hashed names may be used normally by 507These hashed names may be used normally by
490.Nm ssh 508.Xr ssh 1
491and 509and
492.Nm sshd , 510.Xr sshd 8 ,
493but they do not reveal identifying information should the file's contents 511but they do not reveal identifying information should the file's contents
494be disclosed. 512be disclosed.
495The default is 513The default is
496.Dq no . 514.Dq no .
497Note that hashing of names and addresses will not be retrospectively applied 515Note that existing names and addresses in known hosts files
498to existing known hosts files, but these may be manually hashed using 516will not be converted automatically,
517but may be manually hashed using
499.Xr ssh-keygen 1 . 518.Xr ssh-keygen 1 .
500.It Cm HostbasedAuthentication 519.It Cm HostbasedAuthentication
501Specifies whether to try rhosts based authentication with public key 520Specifies whether to try rhosts based authentication with public key
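Review bot: In GSSAPITrustDns, the closing sentence was shortened from "connections using GSSAPI key exchange." to "connections using GSSAPI.", which widens the stated scope of the option rather than only rewording it. Confirm the option really applies beyond key exchange, or keep the original wording. New line 495 also still ends with a mid-line "If" that should start its own source line, as was done for the "yes" and "no" macros in this same entry.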
@@ -518,30 +537,29 @@ The default for this option is:
518Specifies an alias that should be used instead of the 537Specifies an alias that should be used instead of the
519real host name when looking up or saving the host key 538real host name when looking up or saving the host key
520in the host key database files. 539in the host key database files.
521This option is useful for tunneling ssh connections 540This option is useful for tunneling SSH connections
522or for multiple servers running on a single host. 541or for multiple servers running on a single host.
523.It Cm HostName 542.It Cm HostName
524Specifies the real host name to log into. 543Specifies the real host name to log into.
525This can be used to specify nicknames or abbreviations for hosts. 544This can be used to specify nicknames or abbreviations for hosts.
526Default is the name given on the command line. 545The default is the name given on the command line.
527Numeric IP addresses are also permitted (both on the command line and in 546Numeric IP addresses are also permitted (both on the command line and in
528.Cm HostName 547.Cm HostName
529specifications). 548specifications).
530.It Cm IdentitiesOnly 549.It Cm IdentitiesOnly
531Specifies that 550Specifies that
532.Nm ssh 551.Xr ssh 1
533should only use the authentication identity files configured in the 552should only use the authentication identity files configured in the
534.Nm 553.Nm
535files, 554files,
536even if the 555even if
537.Nm ssh-agent 556.Xr ssh-agent 1
538offers more identities. 557offers more identities.
539The argument to this keyword must be 558The argument to this keyword must be
540.Dq yes 559.Dq yes
541or 560or
542.Dq no . 561.Dq no .
543This option is intended for situations where 562This option is intended for situations where ssh-agent
544.Nm ssh-agent
545offers many different identities. 563offers many different identities.
546The default is 564The default is
547.Dq no . 565.Dq no .
@@ -557,8 +575,21 @@ and
557for protocol version 2. 575for protocol version 2.
558Additionally, any identities represented by the authentication agent 576Additionally, any identities represented by the authentication agent
559will be used for authentication. 577will be used for authentication.
578.Pp
560The file name may use the tilde 579The file name may use the tilde
561syntax to refer to a user's home directory. 580syntax to refer to a user's home directory or one of the following
581escape characters:
582.Ql %d
583(local user's home directory),
584.Ql %u
585(local user name),
586.Ql %l
587(local host name),
588.Ql %h
589(remote host name) or
590.Ql %r
591(remote user name).
592.Pp
562It is possible to have 593It is possible to have
563multiple identity files specified in configuration files; all these 594multiple identity files specified in configuration files; all these
564identities will be tried in sequence. 595identities will be tried in sequence.
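Review bot: In the new IdentityFile escape list, %h is described only as "remote host name". Say whether that is the name typed on the command line or the value of HostName, because the two differ whenever an alias is used and the wrong guess selects the wrong key file. The list also omits the serial comma before "or" (new line 589) that this change adds elsewhere.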
@@ -566,6 +597,13 @@ identities will be tried in sequence.
566Specifies the list of methods to use in keyboard-interactive authentication. 597Specifies the list of methods to use in keyboard-interactive authentication.
567Multiple method names must be comma-separated. 598Multiple method names must be comma-separated.
568The default is to use the server specified list. 599The default is to use the server specified list.
600The methods available vary depending on what the server supports.
601For an OpenSSH server,
602it may be zero or more of:
603.Dq bsdauth ,
604.Dq pam ,
605and
606.Dq skey .
569.It Cm LocalCommand 607.It Cm LocalCommand
570Specifies a command to execute on the local machine after successfully 608Specifies a command to execute on the local machine after successfully
571connecting to the server. 609connecting to the server.
@@ -607,9 +645,9 @@ empty address or
607indicates that the port should be available from all interfaces. 645indicates that the port should be available from all interfaces.
608.It Cm LogLevel 646.It Cm LogLevel
609Gives the verbosity level that is used when logging messages from 647Gives the verbosity level that is used when logging messages from
610.Nm ssh . 648.Xr ssh 1 .
611The possible values are: 649The possible values are:
612QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. 650QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
613The default is INFO. 651The default is INFO.
614DEBUG and DEBUG1 are equivalent. 652DEBUG and DEBUG1 are equivalent.
615DEBUG2 and DEBUG3 each specify higher levels of verbose output. 653DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -619,7 +657,7 @@ in order of preference.
619The MAC algorithm is used in protocol version 2 657The MAC algorithm is used in protocol version 2
620for data integrity protection. 658for data integrity protection.
621Multiple algorithms must be comma-separated. 659Multiple algorithms must be comma-separated.
622The default is 660The default is:
623.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . 661.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
624.It Cm NoHostAuthenticationForLocalhost 662.It Cm NoHostAuthenticationForLocalhost
625This option can be used if the home directory is shared across machines. 663This option can be used if the home directory is shared across machines.
@@ -634,7 +672,7 @@ The default is to check the host key for localhost.
634.It Cm NumberOfPasswordPrompts 672.It Cm NumberOfPasswordPrompts
635Specifies the number of password prompts before giving up. 673Specifies the number of password prompts before giving up.
636The argument to this keyword must be an integer. 674The argument to this keyword must be an integer.
637Default is 3. 675The default is 3.
638.It Cm PasswordAuthentication 676.It Cm PasswordAuthentication
639Specifies whether to use password authentication. 677Specifies whether to use password authentication.
640The argument to this keyword must be 678The argument to this keyword must be
@@ -658,7 +696,7 @@ The default is
658.Dq no . 696.Dq no .
659.It Cm Port 697.It Cm Port
660Specifies the port number to connect on the remote host. 698Specifies the port number to connect on the remote host.
661Default is 22. 699The default is 22.
662.It Cm PreferredAuthentications 700.It Cm PreferredAuthentications
663Specifies the order in which the client should try protocol 2 701Specifies the order in which the client should try protocol 2
664authentication methods. 702authentication methods.
@@ -667,20 +705,24 @@ This allows a client to prefer one method (e.g.\&
667over another method (e.g.\& 705over another method (e.g.\&
668.Cm password ) 706.Cm password )
669The default for this option is: 707The default for this option is:
670.Dq hostbased,publickey,keyboard-interactive,password . 708.Do gssapi-with-mic ,
709hostbased,
710publickey,
711keyboard-interactive,
712password
713.Dc .
671.It Cm Protocol 714.It Cm Protocol
672Specifies the protocol versions 715Specifies the protocol versions
673.Nm ssh 716.Xr ssh 1
674should support in order of preference. 717should support in order of preference.
675The possible values are 718The possible values are
676.Dq 1 719.Sq 1
677and 720and
678.Dq 2 . 721.Sq 2 .
679Multiple versions must be comma-separated. 722Multiple versions must be comma-separated.
680The default is 723The default is
681.Dq 2,1 . 724.Dq 2,1 .
682This means that 725This means that ssh
683.Nm ssh
684tries version 2 and falls back to version 1 726tries version 2 and falls back to version 1
685if version 2 is not available. 727if version 2 is not available.
686.It Cm ProxyCommand 728.It Cm ProxyCommand
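Review bot: The new PreferredAuthentications default is split across five source lines inside .Do/.Dc, so it will render with a space after each comma ("gssapi-with-mic, hostbased, ..."). The value is a comma-separated list, and a user who copies the rendered text into a configuration file may not get the list shown. Keep the value on one line as the old .Dq did, or use a literal display like the Ciphers default in this same change.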
@@ -738,9 +780,9 @@ or
738.Sq G 780.Sq G
739to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 781to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
740The default is between 782The default is between
741.Dq 1G 783.Sq 1G
742and 784and
743.Dq 4G , 785.Sq 4G ,
744depending on the cipher. 786depending on the cipher.
745This option applies to protocol version 2 only. 787This option applies to protocol version 2 only.
746.It Cm RemoteForward 788.It Cm RemoteForward
@@ -786,7 +828,7 @@ or
786The default is 828The default is
787.Dq no . 829.Dq no .
788This option applies to protocol version 1 only and requires 830This option applies to protocol version 1 only and requires
789.Nm ssh 831.Xr ssh 1
790to be setuid root. 832to be setuid root.
791.It Cm RSAAuthentication 833.It Cm RSAAuthentication
792Specifies whether to try RSA authentication. 834Specifies whether to try RSA authentication.
@@ -804,31 +846,31 @@ Note that this option applies to protocol version 1 only.
804Specifies what variables from the local 846Specifies what variables from the local
805.Xr environ 7 847.Xr environ 7
806should be sent to the server. 848should be sent to the server.
807Note that environment passing is only supported for protocol 2, the 849Note that environment passing is only supported for protocol 2.
808server must also support it, and the server must be configured to 850The server must also support it, and the server must be configured to
809accept these environment variables. 851accept these environment variables.
810Refer to 852Refer to
811.Cm AcceptEnv 853.Cm AcceptEnv
812in 854in
813.Xr sshd_config 5 855.Xr sshd_config 5
814for how to configure the server. 856for how to configure the server.
815Variables are specified by name, which may contain the wildcard characters 857Variables are specified by name, which may contain wildcard characters.
816.Ql \&*
817and
818.Ql \&? .
819Multiple environment variables may be separated by whitespace or spread 858Multiple environment variables may be separated by whitespace or spread
820across multiple 859across multiple
821.Cm SendEnv 860.Cm SendEnv
822directives. 861directives.
823The default is not to send any environment variables. 862The default is not to send any environment variables.
863.Pp
864See
865.Sx PATTERNS
866for more information on patterns.
824.It Cm ServerAliveCountMax 867.It Cm ServerAliveCountMax
825Sets the number of server alive messages (see below) which may be 868Sets the number of server alive messages (see below) which may be
826sent without 869sent without
827.Nm ssh 870.Xr ssh 1
828receiving any messages back from the server. 871receiving any messages back from the server.
829If this threshold is reached while server alive messages are being sent, 872If this threshold is reached while server alive messages are being sent,
830.Nm ssh 873ssh will disconnect from the server, terminating the session.
831will disconnect from the server, terminating the session.
832It is important to note that the use of server alive messages is very 874It is important to note that the use of server alive messages is very
833different from 875different from
834.Cm TCPKeepAlive 876.Cm TCPKeepAlive
@@ -844,14 +886,15 @@ server depend on knowing when a connection has become inactive.
844The default value is 3. 886The default value is 3.
845If, for example, 887If, for example,
846.Cm ServerAliveInterval 888.Cm ServerAliveInterval
847(see below) is set to 15, and 889(see below) is set to 15 and
848.Cm ServerAliveCountMax 890.Cm ServerAliveCountMax
849is left at the default, if the server becomes unresponsive ssh 891is left at the default, if the server becomes unresponsive,
850will disconnect after approximately 45 seconds. 892ssh will disconnect after approximately 45 seconds.
893This option applies to protocol version 2 only.
851.It Cm ServerAliveInterval 894.It Cm ServerAliveInterval
852Sets a timeout interval in seconds after which if no data has been received 895Sets a timeout interval in seconds after which if no data has been received
853from the server, 896from the server,
854.Nm ssh 897.Xr ssh 1
855will send a message through the encrypted 898will send a message through the encrypted
856channel to request a response from the server. 899channel to request a response from the server.
857The default 900The default
@@ -860,41 +903,39 @@ This option applies to protocol version 2 only.
860.It Cm SmartcardDevice 903.It Cm SmartcardDevice
861Specifies which smartcard device to use. 904Specifies which smartcard device to use.
862The argument to this keyword is the device 905The argument to this keyword is the device
863.Nm ssh 906.Xr ssh 1
864should use to communicate with a smartcard used for storing the user's 907should use to communicate with a smartcard used for storing the user's
865private RSA key. 908private RSA key.
866By default, no device is specified and smartcard support is not activated. 909By default, no device is specified and smartcard support is not activated.
867.It Cm StrictHostKeyChecking 910.It Cm StrictHostKeyChecking
868If this flag is set to 911If this flag is set to
869.Dq yes , 912.Dq yes ,
870.Nm ssh 913.Xr ssh 1
871will never automatically add host keys to the 914will never automatically add host keys to the
872.Pa ~/.ssh/known_hosts 915.Pa ~/.ssh/known_hosts
873file, and refuses to connect to hosts whose host key has changed. 916file, and refuses to connect to hosts whose host key has changed.
874This provides maximum protection against trojan horse attacks, 917This provides maximum protection against trojan horse attacks,
875however, can be annoying when the 918though it can be annoying when the
876.Pa /etc/ssh/ssh_known_hosts 919.Pa /etc/ssh/ssh_known_hosts
877file is poorly maintained, or connections to new hosts are 920file is poorly maintained or when connections to new hosts are
878frequently made. 921frequently made.
879This option forces the user to manually 922This option forces the user to manually
880add all new hosts. 923add all new hosts.
881If this flag is set to 924If this flag is set to
882.Dq no , 925.Dq no ,
883.Nm ssh 926ssh will automatically add new host keys to the
884will automatically add new host keys to the
885user known hosts files. 927user known hosts files.
886If this flag is set to 928If this flag is set to
887.Dq ask , 929.Dq ask ,
888new host keys 930new host keys
889will be added to the user known host files only after the user 931will be added to the user known host files only after the user
890has confirmed that is what they really want to do, and 932has confirmed that is what they really want to do, and
891.Nm ssh 933ssh will refuse to connect to hosts whose host key has changed.
892will refuse to connect to hosts whose host key has changed.
893The host keys of 934The host keys of
894known hosts will be verified automatically in all cases. 935known hosts will be verified automatically in all cases.
895The argument must be 936The argument must be
896.Dq yes , 937.Dq yes ,
897.Dq no 938.Dq no ,
898or 939or
899.Dq ask . 940.Dq ask .
900The default is 941The default is
@@ -917,24 +958,44 @@ This is important in scripts, and many users want it too.
917To disable TCP keepalive messages, the value should be set to 958To disable TCP keepalive messages, the value should be set to
918.Dq no . 959.Dq no .
919.It Cm Tunnel 960.It Cm Tunnel
920Request starting 961Request
921.Xr tun 4 962.Xr tun 4
922device forwarding between the client and the server. 963device forwarding between the client and the server.
923This option also allows requesting layer 2 (ethernet)
924instead of layer 3 (point-to-point) tunneling from the server.
925The argument must be 964The argument must be
926.Dq yes , 965.Dq yes ,
927.Dq point-to-point , 966.Dq point-to-point
967(layer 3),
928.Dq ethernet 968.Dq ethernet
969(layer 2),
929or 970or
930.Dq no . 971.Dq no .
972Specifying
973.Dq yes
974requests the default tunnel mode, which is
975.Dq point-to-point .
931The default is 976The default is
932.Dq no . 977.Dq no .
933.It Cm TunnelDevice 978.It Cm TunnelDevice
934Force a specified 979Specifies the
935.Xr tun 4 980.Xr tun 4
936device on the client. 981devices to open on the client
937Without this option, the next available device will be used. 982.Pq Ar local_tun
983and the server
984.Pq Ar remote_tun .
985.Pp
986The argument must be
987.Sm off
988.Ar local_tun Op : Ar remote_tun .
989.Sm on
990The devices may be specified by numerical ID or the keyword
991.Dq any ,
992which uses the next available tunnel device.
993If
994.Ar remote_tun
995is not specified, it defaults to
996.Dq any .
997The default is
998.Dq any:any .
938.It Cm UsePrivilegedPort 999.It Cm UsePrivilegedPort
939Specifies whether to use a privileged port for outgoing connections. 1000Specifies whether to use a privileged port for outgoing connections.
940The argument must be 1001The argument must be
@@ -944,8 +1005,8 @@ or
944The default is 1005The default is
945.Dq no . 1006.Dq no .
946If set to 1007If set to
947.Dq yes 1008.Dq yes ,
948.Nm ssh 1009.Xr ssh 1
949must be setuid root. 1010must be setuid root.
950Note that this option must be set to 1011Note that this option must be set to
951.Dq yes 1012.Dq yes
@@ -978,12 +1039,17 @@ need to confirm new host keys according to the
978option. 1039option.
979The argument must be 1040The argument must be
980.Dq yes , 1041.Dq yes ,
981.Dq no 1042.Dq no ,
982or 1043or
983.Dq ask . 1044.Dq ask .
984The default is 1045The default is
985.Dq no . 1046.Dq no .
986Note that this option applies to protocol version 2 only. 1047Note that this option applies to protocol version 2 only.
1048.Pp
1049See also
1050.Sx VERIFYING HOST KEYS
1051in
1052.Xr ssh 1 .
987.It Cm XAuthLocation 1053.It Cm XAuthLocation
988Specifies the full pathname of the 1054Specifies the full pathname of the
989.Xr xauth 1 1055.Xr xauth 1
@@ -991,14 +1057,47 @@ program.
991The default is 1057The default is
992.Pa /usr/X11R6/bin/xauth . 1058.Pa /usr/X11R6/bin/xauth .
993.El 1059.El
1060.Sh PATTERNS
1061A
1062.Em pattern
1063consists of zero or more non-whitespace characters,
1064.Sq *
1065(a wildcard that matches zero or more characters),
1066or
1067.Sq ?\&
1068(a wildcard that matches exactly one character).
1069For example, to specify a set of declarations for any host in the
1070.Dq .co.uk
1071set of domains,
1072the following pattern could be used:
1073.Pp
1074.Dl Host *.co.uk
1075.Pp
1076The following pattern
1077would match any host in the 192.168.0.[0-9] network range:
1078.Pp
1079.Dl Host 192.168.0.?
1080.Pp
1081A
1082.Em pattern-list
1083is a comma-separated list of patterns.
1084Patterns within pattern-lists may be negated
1085by preceding them with an exclamation mark
1086.Pq Sq !\& .
1087For example,
1088to allow a key to be used from anywhere within an organisation
1089except from the
1090.Dq dialup
1091pool,
1092the following entry (in authorized_keys) could be used:
1093.Pp
1094.Dl from=\&"!*.dialup.example.com,*.example.com\&"
994.Sh FILES 1095.Sh FILES
995.Bl -tag -width Ds 1096.Bl -tag -width Ds
996.It Pa ~/.ssh/config 1097.It Pa ~/.ssh/config
997This is the per-user configuration file. 1098This is the per-user configuration file.
998The format of this file is described above. 1099The format of this file is described above.
999This file is used by the 1100This file is used by the SSH client.
1000.Nm ssh
1001client.
1002Because of the potential for abuse, this file must have strict permissions: 1101Because of the potential for abuse, this file must have strict permissions:
1003read/write for the user, and not accessible by others. 1102read/write for the user, and not accessible by others.
1004.It Pa /etc/ssh/ssh_config 1103.It Pa /etc/ssh/ssh_config
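Review bot: In PATTERNS, the second example says "Host 192.168.0.?" matches "the 192.168.0.[0-9] network range", but "?" is defined a few lines earlier as matching exactly one character of any kind, not one digit, and the Host entry says patterns are compared with the name given on the command line. Reword the example so nobody reads it as an address-range restriction. The pattern-list example uses an authorized_keys from= entry, which is a server-side file documented elsewhere; since that entry is an access control, also say how negated and non-negated patterns in a list are evaluated against each other.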