Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 126 |
1 files changed, 92 insertions, 34 deletions
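--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.185 2014/02/23 20:11:36 djm Exp $
-.Dd $Mdocdate: February 23 2014 $
+.\" $OpenBSD: ssh_config.5,v 1.191 2014/07/15 15:54:14 millert Exp $
+.Dd $Mdocdate: July 15 2014 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -342,30 +342,47 @@ in order of preference.
 Multiple ciphers must be comma-separated.
 The supported ciphers are:
 .Pp
-.Dq 3des-cbc ,
-.Dq aes128-cbc ,
-.Dq aes192-cbc ,
-.Dq aes256-cbc ,
-.Dq aes128-ctr ,
-.Dq aes192-ctr ,
-.Dq aes256-ctr ,
-.Dq aes128-gcm@openssh.com ,
-.Dq aes256-gcm@openssh.com ,
-.Dq arcfour128 ,
-.Dq arcfour256 ,
-.Dq arcfour ,
-.Dq blowfish-cbc ,
-.Dq cast128-cbc ,
-and
-.Dq chacha20-poly1305@openssh.com .
+.Bl -item -compact -offset indent
+.It
+3des-cbc
+.It
+aes128-cbc
+.It
+aes192-cbc
+.It
+aes256-cbc
+.It
+aes128-ctr
+.It
+aes192-ctr
+.It
+aes256-ctr
+.It
+aes128-gcm@openssh.com
+.It
+aes256-gcm@openssh.com
+.It
+arcfour
+.It
+arcfour128
+.It
+arcfour256
+.It
+blowfish-cbc
+.It
+cast128-cbc
+.It
+chacha20-poly1305@openssh.com
+.El
 .Pp
 The default is:
-.Bd -literal -offset 3n
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+.Bd -literal -offset indent
+aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
 chacha20-poly1305@openssh.com,
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-aes256-cbc,arcfour
+arcfour256,arcfour128,
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
+aes192-cbc,aes256-cbc,arcfour
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
@@ -482,14 +499,16 @@ specified on the command line,
 .Ql %p
 the destination port,
 .Ql %r
-by the remote login username, and
+by the remote login username,
 .Ql %u
 by the username of the user running
-.Xr ssh 1 .
+.Xr ssh 1 , and
+.Ql \&%C
+by a hash of the concatenation: %l%h%p%r.
 It is recommended that any
 .Cm ControlPath
 used for opportunistic connection sharing include
-at least %h, %p, and %r.
+at least %h, %p, and %r (or alternatively %C).
 This ensures that shared connections are uniquely identified.
 .It Cm ControlPersist
 When used in conjunction with
@@ -746,6 +765,12 @@ If the hostname contains the character sequence
 .Ql %h ,
 then this will be replaced with the host name specified on the command line
 (this is useful for manipulating unqualified names).
+The character sequence
+.Ql %%
+will be replaced by a single
+.Ql %
+character, which may be used when specifying IPv6 link-local addresses.
+.Pp
 The default is the name given on the command line.
 Numeric IP addresses are also permitted (both on the command line and in
 .Cm HostName
@@ -893,8 +918,8 @@ The default is:
 curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
 diffie-hellman-group14-sha1,
+diffie-hellman-group-exchange-sha1,
 diffie-hellman-group1-sha1
 .Ed
 .It Cm LocalCommand
@@ -916,7 +941,9 @@ The following escape character substitutions will be performed:
 .Ql %r
 (remote user name) or
 .Ql %u
-(local user name).
+(local user name) or
+.Ql \&%C
+by a hash of the concatenation: %l%h%p%r.
 .Pp
 The command is run synchronously and does not have access to the
 session of the
@@ -974,13 +1001,14 @@ calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
-hmac-md5-96-etm@openssh.com,
-hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
+umac-64@openssh.com,umac-128@openssh.com,
+hmac-sha2-256,hmac-sha2-512,
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,
+hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
+hmac-md5,hmac-sha1,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 .Ed
 .It Cm NoHostAuthenticationForLocalhost
@@ -1058,8 +1086,11 @@ The default is
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
-string extends to the end of the line, and is executed with
-the user's shell.
+string extends to the end of the line, and is executed
+using the user's shell
+.Ql exec
+directive to avoid a lingering shell process.
+.Pp
 In the command string, any occurrence of
 .Ql %h
 will be substituted by the host name to
@@ -1272,6 +1303,33 @@ channel to request a response from the server.
 The default
 is 0, indicating that these messages will not be sent to the server.
 This option applies to protocol version 2 only.
+.It Cm StreamLocalBindMask
+Sets the octal file creation mode mask
+.Pq umask
+used when creating a Unix-domain socket file for local or remote
+port forwarding.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The default value is 0177, which creates a Unix-domain socket file that is
+readable and writable only by the owner.
+Note that not all operating systems honor the file mode on Unix-domain
+socket files.
+.It Cm StreamLocalBindUnlink
+Specifies whether to remove an existing Unix-domain socket file for local
+or remote port forwarding before creating a new one.
+If the socket file already exists and
+.Cm StreamLocalBindUnlink
+is not enabled,
+.Nm ssh
+will be unable to forward the port to the Unix-domain socket file.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,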