Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 84 |
1 files changed, 53 insertions, 31 deletions
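diff --git a/ssh_config.5 b/ssh_config.5
index 412629637..02a87892d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $
-.Dd $Mdocdate: March 1 2019 $
+.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $
+.Dd $Mdocdate: September 13 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -361,7 +361,7 @@ Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
 The default is:
 .Bd -literal -offset indent
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
@@ -422,14 +422,18 @@ the check will not be executed.
 .It Cm Ciphers
 Specifies the ciphers allowed and their order of preference.
 Multiple ciphers must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified ciphers will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Bd -literal -offset indent
@@ -485,8 +489,8 @@ The default is 1.
 .It Cm ConnectTimeout
 Specifies the timeout (in seconds) used when connecting to the
 SSH server, instead of using the default system TCP timeout.
-This value is used only when the target is down or really unreachable,
-not when it refuses the connection.
+This timeout is applied both to establishing the connection and to performing
+the initial SSH protocol handshake and key exchange.
 .It Cm ControlMaster
 Enables the sharing of multiple sessions over a single network connection.
 When set to
@@ -786,14 +790,18 @@ or
 .It Cm HostbasedKeyTypes
 Specifies the key types that will be used for hostbased authentication
 as a comma-separated list of patterns.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -814,14 +822,18 @@ may be used to list supported key types.
 .It Cm HostKeyAlgorithms
 Specifies the host key algorithms
 that the client wants to use in order of preference.
-Alternately if the specified value begins with a
+Alternately if the specified list begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -845,28 +857,28 @@ real host name when looking up or saving the host key
 in the host key database files and when validating host certificates.
 This option is useful for tunneling SSH connections
 or for multiple servers running on a single host.
-.It Cm HostName
+.It Cm Hostname
 Specifies the real host name to log into.
 This can be used to specify nicknames or abbreviations for hosts.
 Arguments to
-.Cm HostName
+.Cm Hostname
 accept the tokens described in the
 .Sx TOKENS
 section.
 Numeric IP addresses are also permitted (both on the command line and in
-.Cm HostName
+.Cm Hostname
 specifications).
 The default is the name given on the command line.
 .It Cm IdentitiesOnly
 Specifies that
 .Xr ssh 1
-should only use the authentication identity and certificate files explicitly
-configured in the
+should only use the configured authentication identity and certificate files
+(either the default files, or those explicitly configured in the
 .Nm
 files
 or passed on the
 .Xr ssh 1
-command-line,
+command-line),
 even if
 .Xr ssh-agent 1
 or a
@@ -1043,14 +1055,18 @@ and
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-Alternately if the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified methods will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The default is:
 .Bd -literal -offset indent
 curve25519-sha256,curve25519-sha256@libssh.org,
@@ -1124,14 +1140,18 @@ Specifies the MAC (message authentication code) algorithms
 in order of preference.
 The MAC algorithm is used for data integrity protection.
 Multiple algorithms must be comma-separated.
-If the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
 instead of replacing them.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1222,8 +1242,8 @@ server running on some machine, or execute
 .Ic sshd -i
 somewhere.
 Host key management will be done using the
-HostName of the host being connected (defaulting to the name typed by
-the user).
+.Cm Hostname
+of the host being connected (defaulting to the name typed by the user).
 Setting the command to
 .Cm none
 disables this option entirely.
@@ -1281,14 +1301,18 @@ The default is
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be used for public key authentication
 as a comma-separated list of patterns.
-Alternately if the specified value begins with a
+If the specified list begins with a
 .Sq +
 character, then the key types after it will be appended to the default
 instead of replacing it.
-If the specified value begins with a
+If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1326,9 +1350,7 @@ and
 .Sq 4G ,
 depending on the cipher.
 The optional second value is specified in seconds and may use any of the
-units documented in the
-.Sx TIME FORMATS
-section of
+units documented in the TIME FORMATS section of
 .Xr sshd_config 5 .
 The default value for
 .Cm RekeyLimit
@@ -1462,7 +1484,7 @@ The TCP keepalive option enabled by
 .Cm TCPKeepAlive
 is spoofable.
 The server alive mechanism is valuable when the client or
-server depend on knowing when a connection has become inactive.
+server depend on knowing when a connection has become unresponsive.
 .Pp
 The default value is 3.
 If, for example,
@@ -1787,7 +1809,7 @@ accepts the tokens %%, %d, %h, %i, %l, %r, and %u.
 .Cm ControlPath
 accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
 .Pp
-.Cm HostName
+.Cm Hostname
 accepts the tokens %% and %h.
 .Pp
 .Cm IdentityAgent
@@ -1799,7 +1821,7 @@ accept the tokens %%, %d, %h, %i, %l, %r, and %u.
 accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.
 .Pp
 .Cm ProxyCommand
-accepts the tokens %%, %h, %p, and %r.
+accepts the tokens %%, %h, %n, %p, and %r.
 .Pp
 .Cm RemoteCommand
 accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.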