Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 121 |
1 files changed, 65 insertions, 56 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 44208b431..7a435a90e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.20 2003/09/02 18:50:06 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -104,7 +104,7 @@ keyword) to be only for those hosts that match one of the patterns | |||
104 | given after the keyword. | 104 | given after the keyword. |
105 | .Ql \&* | 105 | .Ql \&* |
106 | and | 106 | and |
107 | .Ql ? | 107 | .Ql \&? |
108 | can be used as wildcards in the | 108 | can be used as wildcards in the |
109 | patterns. | 109 | patterns. |
110 | A single | 110 | A single |
@@ -115,13 +115,14 @@ The host is the | |||
115 | .Ar hostname | 115 | .Ar hostname |
116 | argument given on the command line (i.e., the name is not converted to | 116 | argument given on the command line (i.e., the name is not converted to |
117 | a canonicalized host name before matching). | 117 | a canonicalized host name before matching). |
118 | .It Cm AFSTokenPassing | 118 | .It Cm AddressFamily |
119 | Specifies whether to pass AFS tokens to remote host. | 119 | Specifies which address family to use when connecting. |
120 | The argument to this keyword must be | 120 | Valid arguments are |
121 | .Dq yes | 121 | .Dq any , |
122 | or | 122 | .Dq inet |
123 | .Dq no . | 123 | (Use IPv4 only) or |
124 | This option applies to protocol version 1 only. | 124 | .Dq inet6 |
125 | (Use IPv6 only.) | ||
125 | .It Cm BatchMode | 126 | .It Cm BatchMode |
126 | If set to | 127 | If set to |
127 | .Dq yes , | 128 | .Dq yes , |
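Review bot: The new AddressFamily entry (new lines 118-125) lists the valid arguments but never states a default, which the EnableSSHKeysign and GSSAPI entries added in this same change do with "The default is ...". Add that sentence, and punctuate the two parentheticals the same way: "(Use IPv4 only) or" has no full stop, while "(Use IPv6 only.)" carries one inside the bracket.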
@@ -227,18 +228,41 @@ Specifies the number of tries (one per second) to make before exiting. | |||
227 | The argument must be an integer. | 228 | The argument must be an integer. |
228 | This may be useful in scripts if the connection sometimes fails. | 229 | This may be useful in scripts if the connection sometimes fails. |
229 | The default is 1. | 230 | The default is 1. |
231 | .It Cm ConnectTimeout | ||
232 | Specifies the timeout (in seconds) used when connecting to the ssh | ||
233 | server, instead of using the default system TCP timeout. | ||
234 | This value is used only when the target is down or really unreachable, | ||
235 | not when it refuses the connection. | ||
230 | .It Cm DynamicForward | 236 | .It Cm DynamicForward |
231 | Specifies that a TCP/IP port on the local machine be forwarded | 237 | Specifies that a TCP/IP port on the local machine be forwarded |
232 | over the secure channel, and the application | 238 | over the secure channel, and the application |
233 | protocol is then used to determine where to connect to from the | 239 | protocol is then used to determine where to connect to from the |
234 | remote machine. | 240 | remote machine. |
235 | The argument must be a port number. | 241 | The argument must be a port number. |
236 | Currently the SOCKS4 protocol is supported, and | 242 | Currently the SOCKS4 and SOCKS5 protocols are supported, and |
237 | .Nm ssh | 243 | .Nm ssh |
238 | will act as a SOCKS4 server. | 244 | will act as a SOCKS server. |
239 | Multiple forwardings may be specified, and | 245 | Multiple forwardings may be specified, and |
240 | additional forwardings can be given on the command line. | 246 | additional forwardings can be given on the command line. |
241 | Only the superuser can forward privileged ports. | 247 | Only the superuser can forward privileged ports. |
248 | .It Cm EnableSSHKeysign | ||
249 | Setting this option to | ||
250 | .Dq yes | ||
251 | in the global client configuration file | ||
252 | .Pa /etc/ssh/ssh_config | ||
253 | enables the use of the helper program | ||
254 | .Xr ssh-keysign 8 | ||
255 | during | ||
256 | .Cm HostbasedAuthentication . | ||
257 | The argument must be | ||
258 | .Dq yes | ||
259 | or | ||
260 | .Dq no . | ||
261 | The default is | ||
262 | .Dq no . | ||
263 | See | ||
264 | .Xr ssh-keysign 8 | ||
265 | for more information. | ||
242 | .It Cm EscapeChar | 266 | .It Cm EscapeChar |
243 | Sets the escape character (default: | 267 | Sets the escape character (default: |
244 | .Ql ~ ) . | 268 | .Ql ~ ) . |
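Review bot: The EnableSSHKeysign entry (new lines 248-265) says the option is set "in the global client configuration file" but does not say what happens when it appears in a per-user file. Because it gates a helper used during HostbasedAuthentication, state explicitly whether it is honoured only in /etc/ssh/ssh_config. In the ConnectTimeout entry (new lines 231-235), "down or really unreachable" is loose wording, and the entry does not say what type of argument is expected, where the entry just above it says "The argument must be an integer."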
@@ -307,6 +331,18 @@ The default is | |||
307 | Specifies a file to use for the global | 331 | Specifies a file to use for the global |
308 | host key database instead of | 332 | host key database instead of |
309 | .Pa /etc/ssh/ssh_known_hosts . | 333 | .Pa /etc/ssh/ssh_known_hosts . |
334 | .It Cm GSSAPIAuthentication | ||
335 | Specifies whether authentication based on GSSAPI may be used, either using | ||
336 | the result of a successful key exchange, or using GSSAPI user | ||
337 | authentication. | ||
338 | The default is | ||
339 | .Dq yes . | ||
340 | Note that this option applies to protocol version 2 only. | ||
341 | .It Cm GSSAPIDelegateCredentials | ||
342 | Forward (delegate) credentials to the server. | ||
343 | The default is | ||
344 | .Dq no . | ||
345 | Note that this option applies to protocol version 2 only. | ||
310 | .It Cm HostbasedAuthentication | 346 | .It Cm HostbasedAuthentication |
311 | Specifies whether to try rhosts based authentication with public key | 347 | Specifies whether to try rhosts based authentication with public key |
312 | authentication. | 348 | authentication. |
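Review bot: Neither GSSAPIAuthentication nor GSSAPIDelegateCredentials (new lines 334-345) says which arguments are accepted, whereas EnableSSHKeysign in this same patch spells out that the argument must be "yes" or "no". GSSAPIDelegateCredentials is also written as an imperative ("Forward (delegate) credentials to the server.") rather than "Specifies whether ...", and it does not say which credentials are delegated. Since delegation hands credentials to the remote host, the entry should be explicit on both points.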
@@ -339,7 +375,8 @@ Numeric IP addresses are also permitted (both on the command line and in | |||
339 | specifications). | 375 | specifications). |
340 | .It Cm IdentityFile | 376 | .It Cm IdentityFile |
341 | Specifies a file from which the user's RSA or DSA authentication identity | 377 | Specifies a file from which the user's RSA or DSA authentication identity |
342 | is read. The default is | 378 | is read. |
379 | The default is | ||
343 | .Pa $HOME/.ssh/identity | 380 | .Pa $HOME/.ssh/identity |
344 | for protocol version 1, and | 381 | for protocol version 1, and |
345 | .Pa $HOME/.ssh/id_rsa | 382 | .Pa $HOME/.ssh/id_rsa |
@@ -370,19 +407,6 @@ This is important in scripts, and many users want it too. | |||
370 | .Pp | 407 | .Pp |
371 | To disable keepalives, the value should be set to | 408 | To disable keepalives, the value should be set to |
372 | .Dq no . | 409 | .Dq no . |
373 | .It Cm KerberosAuthentication | ||
374 | Specifies whether Kerberos authentication will be used. | ||
375 | The argument to this keyword must be | ||
376 | .Dq yes | ||
377 | or | ||
378 | .Dq no . | ||
379 | .It Cm KerberosTgtPassing | ||
380 | Specifies whether a Kerberos TGT will be forwarded to the server. | ||
381 | This will only work if the Kerberos server is actually an AFS kaserver. | ||
382 | The argument to this keyword must be | ||
383 | .Dq yes | ||
384 | or | ||
385 | .Dq no . | ||
386 | .It Cm LocalForward | 410 | .It Cm LocalForward |
387 | Specifies that a TCP/IP port on the local machine be forwarded over | 411 | Specifies that a TCP/IP port on the local machine be forwarded over |
388 | the secure channel to the specified host and port from the remote machine. | 412 | the secure channel to the specified host and port from the remote machine. |
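Review bot: KerberosAuthentication and KerberosTgtPassing (old lines 373-385) are dropped from the page with nothing left for a reader who still has those keywords in a configuration file. If the GSSAPIAuthentication and GSSAPIDelegateCredentials entries added earlier in this patch are the intended replacement, say so in those entries or in the commit message.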
@@ -436,7 +460,8 @@ Specifies the port number to connect on the remote host. | |||
436 | Default is 22. | 460 | Default is 22. |
437 | .It Cm PreferredAuthentications | 461 | .It Cm PreferredAuthentications |
438 | Specifies the order in which the client should try protocol 2 | 462 | Specifies the order in which the client should try protocol 2 |
439 | authentication methods. This allows a client to prefer one method (e.g. | 463 | authentication methods. |
464 | This allows a client to prefer one method (e.g. | ||
440 | .Cm keyboard-interactive ) | 465 | .Cm keyboard-interactive ) |
441 | over another method (e.g. | 466 | over another method (e.g. |
442 | .Cm password ) | 467 | .Cm password ) |
@@ -504,26 +529,6 @@ IPv6 addresses can be specified with an alternative syntax: | |||
504 | Multiple forwardings may be specified, and additional | 529 | Multiple forwardings may be specified, and additional |
505 | forwardings can be given on the command line. | 530 | forwardings can be given on the command line. |
506 | Only the superuser can forward privileged ports. | 531 | Only the superuser can forward privileged ports. |
507 | .It Cm RhostsAuthentication | ||
508 | Specifies whether to try rhosts based authentication. | ||
509 | Note that this | ||
510 | declaration only affects the client side and has no effect whatsoever | ||
511 | on security. | ||
512 | Most servers do not permit RhostsAuthentication because it | ||
513 | is not secure (see | ||
514 | .Cm RhostsRSAAuthentication ) . | ||
515 | The argument to this keyword must be | ||
516 | .Dq yes | ||
517 | or | ||
518 | .Dq no . | ||
519 | The default is | ||
520 | .Dq no . | ||
521 | This option applies to protocol version 1 only and requires | ||
522 | .Nm ssh | ||
523 | to be setuid root and | ||
524 | .Cm UsePrivilegedPort | ||
525 | to be set to | ||
526 | .Dq yes . | ||
527 | .It Cm RhostsRSAAuthentication | 532 | .It Cm RhostsRSAAuthentication |
528 | Specifies whether to try rhosts based authentication with RSA host | 533 | Specifies whether to try rhosts based authentication with RSA host |
529 | authentication. | 534 | authentication. |
@@ -549,12 +554,12 @@ The default is | |||
549 | .Dq yes . | 554 | .Dq yes . |
550 | Note that this option applies to protocol version 1 only. | 555 | Note that this option applies to protocol version 1 only. |
551 | .It Cm SmartcardDevice | 556 | .It Cm SmartcardDevice |
552 | Specifies which smartcard device to use. The argument to this keyword is | 557 | Specifies which smartcard device to use. |
553 | the device | 558 | The argument to this keyword is the device |
554 | .Nm ssh | 559 | .Nm ssh |
555 | should use to communicate with a smartcard used for storing the user's | 560 | should use to communicate with a smartcard used for storing the user's |
556 | private RSA key. By default, no device is specified and smartcard support | 561 | private RSA key. |
557 | is not activated. | 562 | By default, no device is specified and smartcard support is not activated. |
558 | .It Cm StrictHostKeyChecking | 563 | .It Cm StrictHostKeyChecking |
559 | If this flag is set to | 564 | If this flag is set to |
560 | .Dq yes , | 565 | .Dq yes , |
@@ -604,11 +609,9 @@ If set to | |||
604 | must be setuid root. | 609 | must be setuid root. |
605 | Note that this option must be set to | 610 | Note that this option must be set to |
606 | .Dq yes | 611 | .Dq yes |
607 | if | 612 | for |
608 | .Cm RhostsAuthentication | ||
609 | and | ||
610 | .Cm RhostsRSAAuthentication | 613 | .Cm RhostsRSAAuthentication |
611 | authentications are needed with older servers. | 614 | with older servers. |
612 | .It Cm User | 615 | .It Cm User |
613 | Specifies the user to log in as. | 616 | Specifies the user to log in as. |
614 | This can be useful when a different user name is used on different machines. | 617 | This can be useful when a different user name is used on different machines. |
@@ -618,6 +621,12 @@ having to remember to give the user name on the command line. | |||
618 | Specifies a file to use for the user | 621 | Specifies a file to use for the user |
619 | host key database instead of | 622 | host key database instead of |
620 | .Pa $HOME/.ssh/known_hosts . | 623 | .Pa $HOME/.ssh/known_hosts . |
624 | .It Cm VerifyHostKeyDNS | ||
625 | Specifies whether to verify the remote key using DNS and SSHFP resource | ||
626 | records. | ||
627 | The default is | ||
628 | .Dq no . | ||
629 | Note that this option applies to protocol version 2 only. | ||
621 | .It Cm XAuthLocation | 630 | .It Cm XAuthLocation |
622 | Specifies the full pathname of the | 631 | Specifies the full pathname of the |
623 | .Xr xauth 1 | 632 | .Xr xauth 1 |
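Review bot: The VerifyHostKeyDNS entry (new lines 624-629) says the key is verified "using DNS and SSHFP resource records" but not what the client does with the result: whether a matching record is enough to accept an unknown host key, what happens on a mismatch, and whether the DNS answer itself has to be authenticated. It also omits the accepted arguments. A reader deciding whether to turn this on needs those statements, and a pointer to how it interacts with StrictHostKeyChecking, which is documented on this same page.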
@@ -643,6 +652,8 @@ values that are not specified in the user's configuration file, and | |||
643 | for those users who do not have a configuration file. | 652 | for those users who do not have a configuration file. |
644 | This file must be world-readable. | 653 | This file must be world-readable. |
645 | .El | 654 | .El |
655 | .Sh SEE ALSO | ||
656 | .Xr ssh 1 | ||
646 | .Sh AUTHORS | 657 | .Sh AUTHORS |
647 | OpenSSH is a derivative of the original and free | 658 | OpenSSH is a derivative of the original and free |
648 | ssh 1.2.12 release by Tatu Ylonen. | 659 | ssh 1.2.12 release by Tatu Ylonen. |
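Review bot: The relocated SEE ALSO section (new lines 655-656) still lists only ssh 1, although the EnableSSHKeysign entry added in this patch refers the reader to ssh-keysign 8 twice. Add ".Xr ssh-keysign 8" here so the cross-reference is also reachable from the section where readers look for it.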
@@ -652,5 +663,3 @@ removed many bugs, re-added newer features and | |||
652 | created OpenSSH. | 663 | created OpenSSH. |
653 | Markus Friedl contributed the support for SSH | 664 | Markus Friedl contributed the support for SSH |
654 | protocol versions 1.5 and 2.0. | 665 | protocol versions 1.5 and 2.0. |
655 | .Sh SEE ALSO | ||
656 | .Xr ssh 1 | ||