Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 137
1 files changed, 48 insertions, 89 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 532745b2f..eab8dd01c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,16 +33,13 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.242 2017/02/27 14:30:33 jmc Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $
37.Dd $Mdocdate: February 27 2017 $ 37.Dd $Mdocdate: September 21 2017 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
41.Nm ssh_config 41.Nm ssh_config
42.Nd OpenSSH SSH client configuration files 42.Nd OpenSSH SSH client configuration files
43.Sh SYNOPSIS
44.Nm ~/.ssh/config
45.Nm /etc/ssh/ssh_config
46.Sh DESCRIPTION 43.Sh DESCRIPTION
47.Xr ssh 1 44.Xr ssh 1
48obtains configuration data from the following sources in 45obtains configuration data from the following sources in
@@ -391,25 +388,8 @@ in the process, regardless of the setting of
391If the option is set to 388If the option is set to
392.Cm no , 389.Cm no ,
393the check will not be executed. 390the check will not be executed.
394.It Cm Cipher
395Specifies the cipher to use for encrypting the session
396in protocol version 1.
397Currently,
398.Cm blowfish ,
399.Cm 3des
400(the default),
401and
402.Cm des
403are supported,
404though
405.Cm des
406is only supported in the
407.Xr ssh 1
408client for interoperability with legacy protocol 1 implementations;
409its use is strongly discouraged due to cryptographic weaknesses.
410.It Cm Ciphers 391.It Cm Ciphers
411Specifies the ciphers allowed for protocol version 2 392Specifies the ciphers allowed and their order of preference.
412in order of preference.
413Multiple ciphers must be comma-separated. 393Multiple ciphers must be comma-separated.
414If the specified value begins with a 394If the specified value begins with a
415.Sq + 395.Sq +
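Review bot: The removal of the Cipher entry (old lines 394-409) leaves no hint for users whose existing ~/.ssh/config still sets that keyword. If the parser still accepts it as deprecated or ignored, a short sentence saying so belongs in the page; if it is now an error, that is worth stating too. The reworded Ciphers text at new line 392 reads correctly on its own.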
@@ -431,11 +411,6 @@ aes192-ctr
431aes256-ctr 411aes256-ctr
432aes128-gcm@openssh.com 412aes128-gcm@openssh.com
433aes256-gcm@openssh.com 413aes256-gcm@openssh.com
434arcfour
435arcfour128
436arcfour256
437blowfish-cbc
438cast128-cbc
439chacha20-poly1305@openssh.com 414chacha20-poly1305@openssh.com
440.Ed 415.Ed
441.Pp 416.Pp
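Review bot: With arcfour, arcfour128, arcfour256, blowfish-cbc and cast128-cbc dropped from this list (old lines 434-438), check that the default cipher list following this block, which is outside the visible context, no longer names any of them, so the two lists stay in agreement.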
@@ -472,13 +447,6 @@ The argument must be
472or 447or
473.Cm no 448.Cm no
474(the default). 449(the default).
475.It Cm CompressionLevel
476Specifies the compression level to use if compression is enabled.
477The argument must be an integer from 1 (fast) to 9 (slow, best).
478The default level is 6, which is good for most applications.
479The meaning of the values is the same as in
480.Xr gzip 1 .
481Note that this option applies to protocol version 1 only.
482.It Cm ConnectionAttempts 450.It Cm ConnectionAttempts
483Specifies the number of tries (one per second) to make before exiting. 451Specifies the number of tries (one per second) to make before exiting.
484The argument must be an integer. 452The argument must be an integer.
@@ -838,7 +806,7 @@ The list of available key types may also be obtained using
838.It Cm HostKeyAlias 806.It Cm HostKeyAlias
839Specifies an alias that should be used instead of the 807Specifies an alias that should be used instead of the
840real host name when looking up or saving the host key 808real host name when looking up or saving the host key
841in the host key database files. 809in the host key database files and when validating host certificates.
842This option is useful for tunneling SSH connections 810This option is useful for tunneling SSH connections
843or for multiple servers running on a single host. 811or for multiple servers running on a single host.
844.It Cm HostName 812.It Cm HostName
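Review bot: New line 809 says the alias is also used "when validating host certificates" but does not say what is compared. If this means the certificate is checked against the HostKeyAlias value instead of the real host name, state that explicitly, since someone who sets an alias for a tunnelled connection needs to know which name the host certificate has to carry.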
@@ -902,14 +870,11 @@ section.
902Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication 870Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
903identity is read. 871identity is read.
904The default is 872The default is
905.Pa ~/.ssh/identity
906for protocol version 1, and
907.Pa ~/.ssh/id_dsa , 873.Pa ~/.ssh/id_dsa ,
908.Pa ~/.ssh/id_ecdsa , 874.Pa ~/.ssh/id_ecdsa ,
909.Pa ~/.ssh/id_ed25519 875.Pa ~/.ssh/id_ed25519
910and 876and
911.Pa ~/.ssh/id_rsa 877.Pa ~/.ssh/id_rsa .
912for protocol version 2.
913Additionally, any identities represented by the authentication agent 878Additionally, any identities represented by the authentication agent
914will be used for authentication unless 879will be used for authentication unless
915.Cm IdentitiesOnly 880.Cm IdentitiesOnly
@@ -1004,7 +969,9 @@ Accepted values are
1004.Cm lowdelay , 969.Cm lowdelay ,
1005.Cm throughput , 970.Cm throughput ,
1006.Cm reliability , 971.Cm reliability ,
1007or a numeric value. 972a numeric value, or
973.Cm none
974to use the operating system default.
1008This option may take one or two arguments, separated by whitespace. 975This option may take one or two arguments, separated by whitespace.
1009If one argument is specified, it is used as the packet class unconditionally. 976If one argument is specified, it is used as the packet class unconditionally.
1010If two values are specified, the first is automatically selected for 977If two values are specified, the first is automatically selected for
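Review bot: New lines 972-974 add none to the accepted values, but the context lines that follow (one or two arguments) do not say whether none is valid in the two-argument form or only on its own. One clause settling that would avoid guesswork.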
@@ -1192,21 +1159,6 @@ The default is:
1192gssapi-with-mic,hostbased,publickey, 1159gssapi-with-mic,hostbased,publickey,
1193keyboard-interactive,password 1160keyboard-interactive,password
1194.Ed 1161.Ed
1195.It Cm Protocol
1196Specifies the protocol versions
1197.Xr ssh 1
1198should support in order of preference.
1199The possible values are 1 and 2.
1200Multiple versions must be comma-separated.
1201When this option is set to
1202.Cm 2,1
1203.Nm ssh
1204will try version 2 and fall back to version 1
1205if version 2 is not available.
1206The default is version 2.
1207Protocol 1 suffers from a number of cryptographic weaknesses and should
1208not be used.
1209It is only offered to support legacy devices.
1210.It Cm ProxyCommand 1162.It Cm ProxyCommand
1211Specifies the command to use to connect to the server. 1163Specifies the command to use to connect to the server.
1212The command 1164The command
@@ -1334,15 +1286,31 @@ is
1334.Cm default none , 1286.Cm default none ,
1335which means that rekeying is performed after the cipher's default amount 1287which means that rekeying is performed after the cipher's default amount
1336of data has been sent or received and no time based rekeying is done. 1288of data has been sent or received and no time based rekeying is done.
1289.It Cm RemoteCommand
1290Specifies a command to execute on the remote machine after successfully
1291connecting to the server.
1292The command string extends to the end of the line, and is executed with
1293the user's shell.
1294Arguments to
1295.Cm RemoteCommand
1296accept the tokens described in the
1297.Sx TOKENS
1298section.
1337.It Cm RemoteForward 1299.It Cm RemoteForward
1338Specifies that a TCP port on the remote machine be forwarded over 1300Specifies that a TCP port on the remote machine be forwarded over
1339the secure channel to the specified host and port from the local machine. 1301the secure channel.
1302The remote port may either be fowarded to a specified host and port
1303from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
1304client to connect to arbitrary destinations from the local machine.
1340The first argument must be 1305The first argument must be
1341.Sm off 1306.Sm off
1342.Oo Ar bind_address : Oc Ar port 1307.Oo Ar bind_address : Oc Ar port
1343.Sm on 1308.Sm on
1344and the second argument must be 1309If forwarding to a specific destination then the second argument must be
1345.Ar host : Ns Ar hostport . 1310.Ar host : Ns Ar hostport ,
1311otherwise if no destination argument is specified then the remote forwarding
1312will be established as a SOCKS proxy.
1313.Pp
1346IPv6 addresses can be specified by enclosing addresses in square brackets. 1314IPv6 addresses can be specified by enclosing addresses in square brackets.
1347Multiple forwardings may be specified, and additional 1315Multiple forwardings may be specified, and additional
1348forwardings can be given on the command line. 1316forwardings can be given on the command line.
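Review bot: Typo at new line 1302: "fowarded" should be "forwarded". After the rewording, the sentence "The first argument must be [bind_address:]port" (new lines 1305-1308) also runs straight into "If forwarding to a specific destination" at 1309 with no full stop; add the punctuation to the port argument. Separately, the SOCKS mode at 1303-1304 lets a remote client connect to arbitrary destinations from the local machine, which is a wider exposure than a fixed host:hostport forward and deserves an explicit sentence in the description.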
@@ -1397,28 +1365,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
1397.Xr ssh-keygen 1 . 1365.Xr ssh-keygen 1 .
1398For more information on KRLs, see the KEY REVOCATION LISTS section in 1366For more information on KRLs, see the KEY REVOCATION LISTS section in
1399.Xr ssh-keygen 1 . 1367.Xr ssh-keygen 1 .
1400.It Cm RhostsRSAAuthentication
1401Specifies whether to try rhosts based authentication with RSA host
1402authentication.
1403The argument must be
1404.Cm yes
1405or
1406.Cm no
1407(the default).
1408This option applies to protocol version 1 only and requires
1409.Xr ssh 1
1410to be setuid root.
1411.It Cm RSAAuthentication
1412Specifies whether to try RSA authentication.
1413The argument to this keyword must be
1414.Cm yes
1415(the default)
1416or
1417.Cm no .
1418RSA authentication will only be
1419attempted if the identity file exists, or an authentication agent is
1420running.
1421Note that this option applies to protocol version 1 only.
1422.It Cm SendEnv 1368.It Cm SendEnv
1423Specifies what variables from the local 1369Specifies what variables from the local
1424.Xr environ 7 1370.Xr environ 7
@@ -1518,10 +1464,19 @@ file is poorly maintained or when connections to new hosts are
1518frequently made. 1464frequently made.
1519This option forces the user to manually 1465This option forces the user to manually
1520add all new hosts. 1466add all new hosts.
1467.Pp
1521If this flag is set to 1468If this flag is set to
1522.Cm no , 1469.Dq accept-new
1523ssh will automatically add new host keys to the 1470then ssh will automatically add new host keys to the user
1524user known hosts files. 1471known hosts files, but will not permit connections to hosts with
1472changed host keys.
1473If this flag is set to
1474.Dq no
1475or
1476.Dq off ,
1477ssh will automatically add new host keys to the user known hosts files
1478and allow connections to hosts with changed hostkeys to proceed,
1479subject to some restrictions.
1525If this flag is set to 1480If this flag is set to
1526.Cm ask 1481.Cm ask
1527(the default), 1482(the default),
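Review bot: New lines 1469, 1474 and 1476 mark up accept-new, no and off with .Dq, while the neighbouring ask (new line 1481) and the removed no use .Cm; use .Cm throughout so the keyword values render consistently. "subject to some restrictions" at new line 1479 is too vague for a setting that allows connections to hosts with changed host keys to proceed: name the restrictions or point to where they are described. Minor: "hostkeys" at 1478 against "host keys" on the surrounding lines.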
@@ -1531,6 +1486,12 @@ has confirmed that is what they really want to do, and
1531ssh will refuse to connect to hosts whose host key has changed. 1486ssh will refuse to connect to hosts whose host key has changed.
1532The host keys of 1487The host keys of
1533known hosts will be verified automatically in all cases. 1488known hosts will be verified automatically in all cases.
1489.It Cm SyslogFacility
1490Gives the facility code that is used when logging messages from
1491.Xr ssh 1 .
1492The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1493LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1494The default is USER.
1534.It Cm TCPKeepAlive 1495.It Cm TCPKeepAlive
1535Specifies whether the system should send TCP keepalive messages to the 1496Specifies whether the system should send TCP keepalive messages to the
1536other side. 1497other side.
@@ -1627,11 +1588,6 @@ If set to
1627.Cm yes , 1588.Cm yes ,
1628.Xr ssh 1 1589.Xr ssh 1
1629must be setuid root. 1590must be setuid root.
1630Note that this option must be set to
1631.Cm yes
1632for
1633.Cm RhostsRSAAuthentication
1634with older servers.
1635.It Cm User 1591.It Cm User
1636Specifies the user to log in as. 1592Specifies the user to log in as.
1637This can be useful when a different user name is used on different machines. 1593This can be useful when a different user name is used on different machines.
@@ -1770,6 +1726,9 @@ accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1770.Pp 1726.Pp
1771.Cm ProxyCommand 1727.Cm ProxyCommand
1772accepts the tokens %%, %h, %p, and %r. 1728accepts the tokens %%, %h, %p, and %r.
1729.Pp
1730.Cm RemoteCommand
1731accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1773.Sh FILES 1732.Sh FILES
1774.Bl -tag -width Ds 1733.Bl -tag -width Ds
1775.It Pa ~/.ssh/config 1734.It Pa ~/.ssh/config