Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 84
1 files changed, 53 insertions, 31 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 412629637..02a87892d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $
37.Dd $Mdocdate: March 1 2019 $ 37.Dd $Mdocdate: September 13 2019 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -361,7 +361,7 @@ Specifies which algorithms are allowed for signing of certificates
361by certificate authorities (CAs). 361by certificate authorities (CAs).
362The default is: 362The default is:
363.Bd -literal -offset indent 363.Bd -literal -offset indent
364ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 364ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
365ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 365ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
366.Ed 366.Ed
367.Pp 367.Pp
@@ -422,14 +422,18 @@ the check will not be executed.
422.It Cm Ciphers 422.It Cm Ciphers
423Specifies the ciphers allowed and their order of preference. 423Specifies the ciphers allowed and their order of preference.
424Multiple ciphers must be comma-separated. 424Multiple ciphers must be comma-separated.
425If the specified value begins with a 425If the specified list begins with a
426.Sq + 426.Sq +
427character, then the specified ciphers will be appended to the default set 427character, then the specified ciphers will be appended to the default set
428instead of replacing them. 428instead of replacing them.
429If the specified value begins with a 429If the specified list begins with a
430.Sq - 430.Sq -
431character, then the specified ciphers (including wildcards) will be removed 431character, then the specified ciphers (including wildcards) will be removed
432from the default set instead of replacing them. 432from the default set instead of replacing them.
433If the specified list begins with a
434.Sq ^
435character, then the specified ciphers will be placed at the head of the
436default set.
433.Pp 437.Pp
434The supported ciphers are: 438The supported ciphers are:
435.Bd -literal -offset indent 439.Bd -literal -offset indent
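Review bot: the new '^' sentence (new lines 433-436) does not say what happens to a named cipher that is not already in the default set, or whether wildcards are honoured as they are for '-'. The '+' and '-' sentences both end with "instead of replacing them" and the '-' sentence says "(including wildcards)"; the '^' sentence should be equally explicit, and should state whether a cipher outside the default set is added or ignored. Since the list is documented as the order of preference, readers will use '^' to steer negotiation and need to know exactly which ciphers it can admit.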
@@ -485,8 +489,8 @@ The default is 1.
485.It Cm ConnectTimeout 489.It Cm ConnectTimeout
486Specifies the timeout (in seconds) used when connecting to the 490Specifies the timeout (in seconds) used when connecting to the
487SSH server, instead of using the default system TCP timeout. 491SSH server, instead of using the default system TCP timeout.
488This value is used only when the target is down or really unreachable, 492This timeout is applied both to establishing the connection and to performing
489not when it refuses the connection. 493the initial SSH protocol handshake and key exchange.
490.It Cm ControlMaster 494.It Cm ControlMaster
491Enables the sharing of multiple sessions over a single network connection. 495Enables the sharing of multiple sessions over a single network connection.
492When set to 496When set to
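Review bot: the replacement sentence at new lines 492-493 leaves open whether the timeout is a single budget covering connection setup plus the handshake and key exchange, or is applied to each phase separately; "applied both to establishing the connection and to performing the initial SSH protocol handshake" reads either way. State which one it is, since the worst-case wait a user or script sees differs by a factor of two between the two readings.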
@@ -786,14 +790,18 @@ or
786.It Cm HostbasedKeyTypes 790.It Cm HostbasedKeyTypes
787Specifies the key types that will be used for hostbased authentication 791Specifies the key types that will be used for hostbased authentication
788as a comma-separated list of patterns. 792as a comma-separated list of patterns.
789Alternately if the specified value begins with a 793Alternately if the specified list begins with a
790.Sq + 794.Sq +
791character, then the specified key types will be appended to the default set 795character, then the specified key types will be appended to the default set
792instead of replacing them. 796instead of replacing them.
793If the specified value begins with a 797If the specified list begins with a
794.Sq - 798.Sq -
795character, then the specified key types (including wildcards) will be removed 799character, then the specified key types (including wildcards) will be removed
796from the default set instead of replacing them. 800from the default set instead of replacing them.
801If the specified list begins with a
802.Sq ^
803character, then the specified key types will be placed at the head of the
804default set.
797The default for this option is: 805The default for this option is:
798.Bd -literal -offset 3n 806.Bd -literal -offset 3n
799ecdsa-sha2-nistp256-cert-v01@openssh.com, 807ecdsa-sha2-nistp256-cert-v01@openssh.com,
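Review bot: the '+' sentence at new line 793 still opens with "Alternately if", although the same sentence in the KexAlgorithms and PubkeyAcceptedKeyTypes hunks of this patch was changed to start with plain "If". The line is already being touched for the value/list wording, so drop "Alternately" here (and at new line 825 under HostKeyAlgorithms) so that all six prefix descriptions read identically.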
@@ -814,14 +822,18 @@ may be used to list supported key types.
814.It Cm HostKeyAlgorithms 822.It Cm HostKeyAlgorithms
815Specifies the host key algorithms 823Specifies the host key algorithms
816that the client wants to use in order of preference. 824that the client wants to use in order of preference.
817Alternately if the specified value begins with a 825Alternately if the specified list begins with a
818.Sq + 826.Sq +
819character, then the specified key types will be appended to the default set 827character, then the specified key types will be appended to the default set
820instead of replacing them. 828instead of replacing them.
821If the specified value begins with a 829If the specified list begins with a
822.Sq - 830.Sq -
823character, then the specified key types (including wildcards) will be removed 831character, then the specified key types (including wildcards) will be removed
824from the default set instead of replacing them. 832from the default set instead of replacing them.
833If the specified list begins with a
834.Sq ^
835character, then the specified key types will be placed at the head of the
836default set.
825The default for this option is: 837The default for this option is:
826.Bd -literal -offset 3n 838.Bd -literal -offset 3n
827ecdsa-sha2-nistp256-cert-v01@openssh.com, 839ecdsa-sha2-nistp256-cert-v01@openssh.com,
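Review bot: the added '^' sentence (new lines 833-836) speaks of "the specified key types", while the option is introduced a few lines earlier as "the host key algorithms that the client wants to use in order of preference". Use "algorithms" in all three prefix sentences of this option, as the MACs hunk does, so the reader is not left wondering whether the prefixes act on something other than the list the option defines.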
@@ -845,28 +857,28 @@ real host name when looking up or saving the host key
845in the host key database files and when validating host certificates. 857in the host key database files and when validating host certificates.
846This option is useful for tunneling SSH connections 858This option is useful for tunneling SSH connections
847or for multiple servers running on a single host. 859or for multiple servers running on a single host.
848.It Cm HostName 860.It Cm Hostname
849Specifies the real host name to log into. 861Specifies the real host name to log into.
850This can be used to specify nicknames or abbreviations for hosts. 862This can be used to specify nicknames or abbreviations for hosts.
851Arguments to 863Arguments to
852.Cm HostName 864.Cm Hostname
853accept the tokens described in the 865accept the tokens described in the
854.Sx TOKENS 866.Sx TOKENS
855section. 867section.
856Numeric IP addresses are also permitted (both on the command line and in 868Numeric IP addresses are also permitted (both on the command line and in
857.Cm HostName 869.Cm Hostname
858specifications). 870specifications).
859The default is the name given on the command line. 871The default is the name given on the command line.
860.It Cm IdentitiesOnly 872.It Cm IdentitiesOnly
861Specifies that 873Specifies that
862.Xr ssh 1 874.Xr ssh 1
863should only use the authentication identity and certificate files explicitly 875should only use the configured authentication identity and certificate files
864configured in the 876(either the default files, or those explicitly configured in the
865.Nm 877.Nm
866files 878files
867or passed on the 879or passed on the
868.Xr ssh 1 880.Xr ssh 1
869command-line, 881command-line),
870even if 882even if
871.Xr ssh-agent 1 883.Xr ssh-agent 1
872or a 884or a
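Review bot: in the IdentitiesOnly text (new lines 875-881) "the default files" is neither defined nor cross-referenced, and this rewording widens what the option is documented to permit, from identities "explicitly configured" to the defaults as well. Point the reader at .Cm IdentityFile, where the default identity files are listed, so that someone relying on IdentitiesOnly to limit which keys are offered to a server can see the full set that still applies.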
@@ -1043,14 +1055,18 @@ and
1043.It Cm KexAlgorithms 1055.It Cm KexAlgorithms
1044Specifies the available KEX (Key Exchange) algorithms. 1056Specifies the available KEX (Key Exchange) algorithms.
1045Multiple algorithms must be comma-separated. 1057Multiple algorithms must be comma-separated.
1046Alternately if the specified value begins with a 1058If the specified list begins with a
1047.Sq + 1059.Sq +
1048character, then the specified methods will be appended to the default set 1060character, then the specified methods will be appended to the default set
1049instead of replacing them. 1061instead of replacing them.
1050If the specified value begins with a 1062If the specified list begins with a
1051.Sq - 1063.Sq -
1052character, then the specified methods (including wildcards) will be removed 1064character, then the specified methods (including wildcards) will be removed
1053from the default set instead of replacing them. 1065from the default set instead of replacing them.
1066If the specified list begins with a
1067.Sq ^
1068character, then the specified methods will be placed at the head of the
1069default set.
1054The default is: 1070The default is:
1055.Bd -literal -offset indent 1071.Bd -literal -offset indent
1056curve25519-sha256,curve25519-sha256@libssh.org, 1072curve25519-sha256,curve25519-sha256@libssh.org,
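Review bot: "placed at the head of the default set" (new lines 1066-1069) has no stated effect for this option, because the opening sentence only says it "Specifies the available KEX (Key Exchange) algorithms" and, unlike the Ciphers and MACs entries, never says the list is in order of preference. Either add "in order of preference" to the first sentence or say in the '^' sentence that algorithms at the head of the list are preferred.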
@@ -1124,14 +1140,18 @@ Specifies the MAC (message authentication code) algorithms
1124in order of preference. 1140in order of preference.
1125The MAC algorithm is used for data integrity protection. 1141The MAC algorithm is used for data integrity protection.
1126Multiple algorithms must be comma-separated. 1142Multiple algorithms must be comma-separated.
1127If the specified value begins with a 1143If the specified list begins with a
1128.Sq + 1144.Sq +
1129character, then the specified algorithms will be appended to the default set 1145character, then the specified algorithms will be appended to the default set
1130instead of replacing them. 1146instead of replacing them.
1131If the specified value begins with a 1147If the specified list begins with a
1132.Sq - 1148.Sq -
1133character, then the specified algorithms (including wildcards) will be removed 1149character, then the specified algorithms (including wildcards) will be removed
1134from the default set instead of replacing them. 1150from the default set instead of replacing them.
1151If the specified list begins with a
1152.Sq ^
1153character, then the specified algorithms will be placed at the head of the
1154default set.
1135.Pp 1155.Pp
1136The algorithms that contain 1156The algorithms that contain
1137.Qq -etm 1157.Qq -etm
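Review bot: with three prefixes now documented (new lines 1143-1154), the text never says whether a list may carry only one of them or whether the leading character governs the whole list rather than just the entry it precedes. A reader trying to both promote one MAC and remove another in a single line cannot tell from this wording whether that is possible; add one sentence after the '^' description stating how the prefixes may or may not be combined.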
@@ -1222,8 +1242,8 @@ server running on some machine, or execute
1222.Ic sshd -i 1242.Ic sshd -i
1223somewhere. 1243somewhere.
1224Host key management will be done using the 1244Host key management will be done using the
1225HostName of the host being connected (defaulting to the name typed by 1245.Cm Hostname
1226the user). 1246of the host being connected (defaulting to the name typed by the user).
1227Setting the command to 1247Setting the command to
1228.Cm none 1248.Cm none
1229disables this option entirely. 1249disables this option entirely.
@@ -1281,14 +1301,18 @@ The default is
1281.It Cm PubkeyAcceptedKeyTypes 1301.It Cm PubkeyAcceptedKeyTypes
1282Specifies the key types that will be used for public key authentication 1302Specifies the key types that will be used for public key authentication
1283as a comma-separated list of patterns. 1303as a comma-separated list of patterns.
1284Alternately if the specified value begins with a 1304If the specified list begins with a
1285.Sq + 1305.Sq +
1286character, then the key types after it will be appended to the default 1306character, then the key types after it will be appended to the default
1287instead of replacing it. 1307instead of replacing it.
1288If the specified value begins with a 1308If the specified list begins with a
1289.Sq - 1309.Sq -
1290character, then the specified key types (including wildcards) will be removed 1310character, then the specified key types (including wildcards) will be removed
1291from the default set instead of replacing them. 1311from the default set instead of replacing them.
1312If the specified list begins with a
1313.Sq ^
1314character, then the specified key types will be placed at the head of the
1315default set.
1292The default for this option is: 1316The default for this option is:
1293.Bd -literal -offset 3n 1317.Bd -literal -offset 3n
1294ecdsa-sha2-nistp256-cert-v01@openssh.com, 1318ecdsa-sha2-nistp256-cert-v01@openssh.com,
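Review bot: the '+' sentence at new lines 1306-1307 says the key types "will be appended to the default instead of replacing it", while the '-' and the new '^' sentences in the same paragraph say "the default set" and "them". Align the '+' sentence with the wording used for the other options in this patch ("appended to the default set instead of replacing them") so the three prefixes are described in parallel.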
@@ -1326,9 +1350,7 @@ and
1326.Sq 4G , 1350.Sq 4G ,
1327depending on the cipher. 1351depending on the cipher.
1328The optional second value is specified in seconds and may use any of the 1352The optional second value is specified in seconds and may use any of the
1329units documented in the 1353units documented in the TIME FORMATS section of
1330.Sx TIME FORMATS
1331section of
1332.Xr sshd_config 5 . 1354.Xr sshd_config 5 .
1333The default value for 1355The default value for
1334.Cm RekeyLimit 1356.Cm RekeyLimit
@@ -1462,7 +1484,7 @@ The TCP keepalive option enabled by
1462.Cm TCPKeepAlive 1484.Cm TCPKeepAlive
1463is spoofable. 1485is spoofable.
1464The server alive mechanism is valuable when the client or 1486The server alive mechanism is valuable when the client or
1465server depend on knowing when a connection has become inactive. 1487server depend on knowing when a connection has become unresponsive.
1466.Pp 1488.Pp
1467The default value is 3. 1489The default value is 3.
1468If, for example, 1490If, for example,
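Review bot: the sentence changed at new lines 1486-1487 still reads "the client or server depend"; with "or" joining two singular subjects the verb should be "depends". Worth fixing while the line is being edited for inactive/unresponsive.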
@@ -1787,7 +1809,7 @@ accepts the tokens %%, %d, %h, %i, %l, %r, and %u.
1787.Cm ControlPath 1809.Cm ControlPath
1788accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u. 1810accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
1789.Pp 1811.Pp
1790.Cm HostName 1812.Cm Hostname
1791accepts the tokens %% and %h. 1813accepts the tokens %% and %h.
1792.Pp 1814.Pp
1793.Cm IdentityAgent 1815.Cm IdentityAgent
@@ -1799,7 +1821,7 @@ accept the tokens %%, %d, %h, %i, %l, %r, and %u.
1799accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u. 1821accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u.
1800.Pp 1822.Pp
1801.Cm ProxyCommand 1823.Cm ProxyCommand
1802accepts the tokens %%, %h, %p, and %r. 1824accepts the tokens %%, %h, %n, %p, and %r.
1803.Pp 1825.Pp
1804.Cm RemoteCommand 1826.Cm RemoteCommand
1805accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u. 1827accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.