path: root/ssh_config.5
Diffstat (limited to 'ssh_config.5')
-rw-r--r--  ssh_config.5  782
1 files changed, 343 insertions, 439 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 7630e7bcb..591365f34 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.236 2016/07/22 07:00:46 djm Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.240 2016/10/15 19:56:25 jmc Exp $
37.Dd $Mdocdate: July 22 2016 $ 37.Dd $Mdocdate: October 15 2016 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
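Review bot: the $OpenBSD$ id at line 36 jumps from 1.236 to 1.240 and the $Mdocdate from July 22 to October 15, so this single commit folds four upstream revisions into one; the commit message should list the upstream revisions being merged so that each change in the hunks below (markup cleanups, the TOKENS refactor, and the default cipher change) can be traced to its origin.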
@@ -62,25 +62,25 @@ system-wide configuration file
62For each parameter, the first obtained value 62For each parameter, the first obtained value
63will be used. 63will be used.
64The configuration files contain sections separated by 64The configuration files contain sections separated by
65.Dq Host 65.Cm Host
66specifications, and that section is only applied for hosts that 66specifications, and that section is only applied for hosts that
67match one of the patterns given in the specification. 67match one of the patterns given in the specification.
68The matched host name is usually the one given on the command line 68The matched host name is usually the one given on the command line
69(see the 69(see the
70.Cm CanonicalizeHostname 70.Cm CanonicalizeHostname
71option for exceptions.) 71option for exceptions).
72.Pp 72.Pp
73Since the first obtained value for each parameter is used, more 73Since the first obtained value for each parameter is used, more
74host-specific declarations should be given near the beginning of the 74host-specific declarations should be given near the beginning of the
75file, and general defaults at the end. 75file, and general defaults at the end.
76.Pp 76.Pp
77The configuration file has the following format: 77The file contains keyword-argument pairs, one per line.
78.Pp 78Lines starting with
79Empty lines and lines starting with
80.Ql # 79.Ql #
81are comments. 80and empty lines are interpreted as comments.
82Otherwise a line is of the format 81Arguments may optionally be enclosed in double quotes
83.Dq keyword arguments . 82.Pq \&"
83in order to represent arguments containing spaces.
84Configuration options may be separated by whitespace or 84Configuration options may be separated by whitespace or
85optional whitespace and exactly one 85optional whitespace and exactly one
86.Ql = ; 86.Ql = ;
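Review bot: the quoting rule moved to new lines 81-83 now comes before the sentence at new lines 84-86 that defines how a keyword and its argument are separated (whitespace or "="), so "arguments" is used before the reader has been told what an argument is; consider placing the double-quote sentence after the separator sentence, where it sat before (old lines 95-97). Changing `.Dq Host` to `.Cm Host` at new line 65 is correct, since Host is a keyword, and the "exceptions.)" to "exceptions)." punctuation fix at new line 71 is right.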
@@ -92,9 +92,6 @@ and
92.Nm sftp 92.Nm sftp
93.Fl o 93.Fl o
94option. 94option.
95Arguments may optionally be enclosed in double quotes
96.Pq \&"
97in order to represent arguments containing spaces.
98.Pp 95.Pp
99The possible 96The possible
100keywords and their meanings are as follows (note that 97keywords and their meanings are as follows (note that
@@ -117,7 +114,7 @@ The host is usually the
117argument given on the command line 114argument given on the command line
118(see the 115(see the
119.Cm CanonicalizeHostname 116.Cm CanonicalizeHostname
120option for exceptions.) 117keyword for exceptions).
121.Pp 118.Pp
122A pattern entry may be negated by prefixing it with an exclamation mark 119A pattern entry may be negated by prefixing it with an exclamation mark
123.Pq Sq !\& . 120.Pq Sq !\& .
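Review bot: new line 117 reads "keyword for exceptions)" while the same CanonicalizeHostname cross-reference at new line 71 in the earlier hunk reads "option for exceptions)"; the two sentences are otherwise identical, so pick one term (this file calls directives "keywords" in its own introduction) and use it in both places.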
@@ -177,24 +174,11 @@ The
177keyword executes the specified command under the user's shell. 174keyword executes the specified command under the user's shell.
178If the command returns a zero exit status then the condition is considered true. 175If the command returns a zero exit status then the condition is considered true.
179Commands containing whitespace characters must be quoted. 176Commands containing whitespace characters must be quoted.
180The following character sequences in the command will be expanded prior to 177Arguments to
181execution: 178.Cm exec
182.Ql %L 179accept the tokens described in the
183will be substituted by the first component of the local host name, 180.Sx TOKENS
184.Ql %l 181section.
185will be substituted by the local host name (including any domain name),
186.Ql %h
187will be substituted by the target host name,
188.Ql %n
189will be substituted by the original target host name
190specified on the command-line,
191.Ql %p
192the destination port,
193.Ql %r
194by the remote login username, and
195.Ql %u
196by the username of the user running
197.Xr ssh 1 .
198.Pp 182.Pp
199The other keywords' criteria must be single entries or comma-separated 183The other keywords' criteria must be single entries or comma-separated
200lists and may use the wildcard and negation operators described in the 184lists and may use the wildcard and negation operators described in the
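Review bot: replacing the per-token list at old lines 180-197 with a pointer to the TOKENS section loses information unless that section defines every token the old text promised for exec (%L, %l, %h, %n, %p, %r and %u) and says that exec expands them; the TOKENS section is not part of this diff, so please confirm all seven are covered there. Match exec is where people run host-dependent checks, and a reader who cannot find %n or %L under TOKENS will guess at the expansion.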
@@ -225,57 +209,54 @@ files).
225Specifies whether keys should be automatically added to a running 209Specifies whether keys should be automatically added to a running
226.Xr ssh-agent 1 . 210.Xr ssh-agent 1 .
227If this option is set to 211If this option is set to
228.Dq yes 212.Cm yes
229and a key is loaded from a file, the key and its passphrase are added to 213and a key is loaded from a file, the key and its passphrase are added to
230the agent with the default lifetime, as if by 214the agent with the default lifetime, as if by
231.Xr ssh-add 1 . 215.Xr ssh-add 1 .
232If this option is set to 216If this option is set to
233.Dq ask , 217.Cm ask ,
234.Nm ssh 218.Xr ssh 1
235will require confirmation using the 219will require confirmation using the
236.Ev SSH_ASKPASS 220.Ev SSH_ASKPASS
237program before adding a key (see 221program before adding a key (see
238.Xr ssh-add 1 222.Xr ssh-add 1
239for details). 223for details).
240If this option is set to 224If this option is set to
241.Dq confirm , 225.Cm confirm ,
242each use of the key must be confirmed, as if the 226each use of the key must be confirmed, as if the
243.Fl c 227.Fl c
244option was specified to 228option was specified to
245.Xr ssh-add 1 . 229.Xr ssh-add 1 .
246If this option is set to 230If this option is set to
247.Dq no , 231.Cm no ,
248no keys are added to the agent. 232no keys are added to the agent.
249The argument must be 233The argument must be
250.Dq yes , 234.Cm yes ,
251.Dq confirm , 235.Cm confirm ,
252.Dq ask , 236.Cm ask ,
253or 237or
254.Dq no . 238.Cm no
255The default is 239(the default).
256.Dq no .
257.It Cm AddressFamily 240.It Cm AddressFamily
258Specifies which address family to use when connecting. 241Specifies which address family to use when connecting.
259Valid arguments are 242Valid arguments are
260.Dq any , 243.Cm any
261.Dq inet 244(the default),
245.Cm inet
262(use IPv4 only), or 246(use IPv4 only), or
263.Dq inet6 247.Cm inet6
264(use IPv6 only). 248(use IPv6 only).
265The default is
266.Dq any .
267.It Cm BatchMode 249.It Cm BatchMode
268If set to 250If set to
269.Dq yes , 251.Cm yes ,
270passphrase/password querying will be disabled. 252passphrase/password querying will be disabled.
271This option is useful in scripts and other batch jobs where no user 253This option is useful in scripts and other batch jobs where no user
272is present to supply the password. 254is present to supply the password.
273The argument must be 255The argument must be
274.Dq yes 256.Cm yes
275or 257or
276.Dq no . 258.Cm no
277The default is 259(the default).
278.Dq no .
279.It Cm BindAddress 260.It Cm BindAddress
280Use the specified address on the local machine as the source address of 261Use the specified address on the local machine as the source address of
281the connection. 262the connection.
@@ -283,7 +264,7 @@ Only useful on systems with more than one address.
283Note that this option does not work if 264Note that this option does not work if
284.Cm UsePrivilegedPort 265.Cm UsePrivilegedPort
285is set to 266is set to
286.Dq yes . 267.Cm yes .
287.It Cm CanonicalDomains 268.It Cm CanonicalDomains
288When 269When
289.Cm CanonicalizeHostname 270.Cm CanonicalizeHostname
@@ -292,11 +273,11 @@ search for the specified destination host.
292.It Cm CanonicalizeFallbackLocal 273.It Cm CanonicalizeFallbackLocal
293Specifies whether to fail with an error when hostname canonicalization fails. 274Specifies whether to fail with an error when hostname canonicalization fails.
294The default, 275The default,
295.Dq yes , 276.Cm yes ,
296will attempt to look up the unqualified hostname using the system resolver's 277will attempt to look up the unqualified hostname using the system resolver's
297search rules. 278search rules.
298A value of 279A value of
299.Dq no 280.Cm no
300will cause 281will cause
301.Xr ssh 1 282.Xr ssh 1
302to fail instantly if 283to fail instantly if
@@ -307,11 +288,11 @@ specified by
307.It Cm CanonicalizeHostname 288.It Cm CanonicalizeHostname
308Controls whether explicit hostname canonicalization is performed. 289Controls whether explicit hostname canonicalization is performed.
309The default, 290The default,
310.Dq no , 291.Cm no ,
311is not to perform any name rewriting and let the system resolver handle all 292is not to perform any name rewriting and let the system resolver handle all
312hostname lookups. 293hostname lookups.
313If set to 294If set to
314.Dq yes 295.Cm yes
315then, for connections that do not use a 296then, for connections that do not use a
316.Cm ProxyCommand , 297.Cm ProxyCommand ,
317.Xr ssh 1 298.Xr ssh 1
@@ -324,7 +305,7 @@ rules.
324If 305If
325.Cm CanonicalizeHostname 306.Cm CanonicalizeHostname
326is set to 307is set to
327.Dq always , 308.Cm always ,
328then canonicalization is applied to proxied connections too. 309then canonicalization is applied to proxied connections too.
329.Pp 310.Pp
330If this option is enabled, then the configuration files are processed 311If this option is enabled, then the configuration files are processed
@@ -336,8 +317,7 @@ stanzas.
336.It Cm CanonicalizeMaxDots 317.It Cm CanonicalizeMaxDots
337Specifies the maximum number of dot characters in a hostname before 318Specifies the maximum number of dot characters in a hostname before
338canonicalization is disabled. 319canonicalization is disabled.
339The default, 320The default, 1,
340.Dq 1 ,
341allows a single dot (i.e. hostname.subdomain). 321allows a single dot (i.e. hostname.subdomain).
342.It Cm CanonicalizePermittedCNAMEs 322.It Cm CanonicalizePermittedCNAMEs
343Specifies rules to determine whether CNAMEs should be followed when 323Specifies rules to determine whether CNAMEs should be followed when
@@ -352,13 +332,13 @@ and
352is a pattern-list of domains that they may resolve to. 332is a pattern-list of domains that they may resolve to.
353.Pp 333.Pp
354For example, 334For example,
355.Dq *.a.example.com:*.b.example.com,*.c.example.com 335.Qq *.a.example.com:*.b.example.com,*.c.example.com
356will allow hostnames matching 336will allow hostnames matching
357.Dq *.a.example.com 337.Qq *.a.example.com
358to be canonicalized to names in the 338to be canonicalized to names in the
359.Dq *.b.example.com 339.Qq *.b.example.com
360or 340or
361.Dq *.c.example.com 341.Qq *.c.example.com
362domains. 342domains.
363.It Cm CertificateFile 343.It Cm CertificateFile
364Specifies a file from which the user's certificate is read. 344Specifies a file from which the user's certificate is read.
@@ -375,19 +355,12 @@ via
375or via a 355or via a
376.Cm PKCS11Provider . 356.Cm PKCS11Provider .
377.Pp 357.Pp
378The file name may use the tilde 358Arguments to
379syntax to refer to a user's home directory or one of the following 359.Cm CertificateFile
380escape characters: 360may use the tilde syntax to refer to a user's home directory
381.Ql %d 361or the tokens described in the
382(local user's home directory), 362.Sx TOKENS
383.Ql %u 363section.
384(local user name),
385.Ql %l
386(local host name),
387.Ql %h
388(remote host name) or
389.Ql %r
390(remote user name).
391.Pp 364.Pp
392It is possible to have multiple certificate files specified in 365It is possible to have multiple certificate files specified in
393configuration files; these certificates will be tried in sequence. 366configuration files; these certificates will be tried in sequence.
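Review bot: %d (local user's home directory) was documented only here, at old lines 381-382; the Match exec and ControlPath token lists elsewhere in this file never mentioned it. With the list replaced by the TOKENS reference at new lines 358-363, verify that TOKENS defines %d and marks it as valid for CertificateFile, otherwise this hunk silently drops the only description of that token.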
@@ -398,47 +371,42 @@ authentication.
398.It Cm ChallengeResponseAuthentication 371.It Cm ChallengeResponseAuthentication
399Specifies whether to use challenge-response authentication. 372Specifies whether to use challenge-response authentication.
400The argument to this keyword must be 373The argument to this keyword must be
401.Dq yes 374.Cm yes
375(the default)
402or 376or
403.Dq no . 377.Cm no .
404The default is
405.Dq yes .
406.It Cm CheckHostIP 378.It Cm CheckHostIP
407If this flag is set to 379If set to
408.Dq yes , 380.Cm yes
381(the default),
409.Xr ssh 1 382.Xr ssh 1
410will additionally check the host IP address in the 383will additionally check the host IP address in the
411.Pa known_hosts 384.Pa known_hosts
412file. 385file.
413This allows ssh to detect if a host key changed due to DNS spoofing 386This allows it to detect if a host key changed due to DNS spoofing
414and will add addresses of destination hosts to 387and will add addresses of destination hosts to
415.Pa ~/.ssh/known_hosts 388.Pa ~/.ssh/known_hosts
416in the process, regardless of the setting of 389in the process, regardless of the setting of
417.Cm StrictHostKeyChecking . 390.Cm StrictHostKeyChecking .
418If the option is set to 391If the option is set to
419.Dq no , 392.Cm no ,
420the check will not be executed. 393the check will not be executed.
421The default is
422.Dq yes .
423.It Cm Cipher 394.It Cm Cipher
424Specifies the cipher to use for encrypting the session 395Specifies the cipher to use for encrypting the session
425in protocol version 1. 396in protocol version 1.
426Currently, 397Currently,
427.Dq blowfish , 398.Cm blowfish ,
428.Dq 3des , 399.Cm 3des
400(the default),
429and 401and
430.Dq des 402.Cm des
431are supported. 403are supported,
432.Ar des 404though
405.Cm des
433is only supported in the 406is only supported in the
434.Xr ssh 1 407.Xr ssh 1
435client for interoperability with legacy protocol 1 implementations 408client for interoperability with legacy protocol 1 implementations;
436that do not support the 409its use is strongly discouraged due to cryptographic weaknesses.
437.Ar 3des
438cipher.
439Its use is strongly discouraged due to cryptographic weaknesses.
440The default is
441.Dq 3des .
442.It Cm Ciphers 410.It Cm Ciphers
443Specifies the ciphers allowed for protocol version 2 411Specifies the ciphers allowed for protocol version 2
444in order of preference. 412in order of preference.
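Review bot: the rewrite of the Cipher entry at new lines 397-409 drops the clause "that do not support the 3des cipher" (old lines 436-438), which was the stated reason des is still accepted at all; without it, "des is only supported in the ssh(1) client for interoperability with legacy protocol 1 implementations" no longer tells the reader when des would ever be chosen over 3des. Suggest keeping it, e.g. "for interoperability with legacy protocol 1 implementations that do not support 3des; its use is strongly discouraged due to cryptographic weaknesses." The `.Ar` to `.Cm` change and the folded "(the default)" are fine, and the CheckHostIP rewording at new line 386 is consistent with the `.Xr ssh 1` usage elsewhere in the file.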
@@ -449,54 +417,34 @@ character, then the specified ciphers will be appended to the default set
449instead of replacing them. 417instead of replacing them.
450.Pp 418.Pp
451The supported ciphers are: 419The supported ciphers are:
452.Pp 420.Bd -literal -offset indent
453.Bl -item -compact -offset indent
454.It
4553des-cbc 4213des-cbc
456.It
457aes128-cbc 422aes128-cbc
458.It
459aes192-cbc 423aes192-cbc
460.It
461aes256-cbc 424aes256-cbc
462.It
463aes128-ctr 425aes128-ctr
464.It
465aes192-ctr 426aes192-ctr
466.It
467aes256-ctr 427aes256-ctr
468.It
469aes128-gcm@openssh.com 428aes128-gcm@openssh.com
470.It
471aes256-gcm@openssh.com 429aes256-gcm@openssh.com
472.It
473arcfour 430arcfour
474.It
475arcfour128 431arcfour128
476.It
477arcfour256 432arcfour256
478.It
479blowfish-cbc 433blowfish-cbc
480.It
481cast128-cbc 434cast128-cbc
482.It
483chacha20-poly1305@openssh.com 435chacha20-poly1305@openssh.com
484.El 436.Ed
485.Pp 437.Pp
486The default is: 438The default is:
487.Bd -literal -offset indent 439.Bd -literal -offset indent
488chacha20-poly1305@openssh.com, 440chacha20-poly1305@openssh.com,
489aes128-ctr,aes192-ctr,aes256-ctr, 441aes128-ctr,aes192-ctr,aes256-ctr,
490aes128-gcm@openssh.com,aes256-gcm@openssh.com, 442aes128-gcm@openssh.com,aes256-gcm@openssh.com,
491aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc 443aes128-cbc,aes192-cbc,aes256-cbc
492.Ed 444.Ed
493.Pp 445.Pp
494The list of available ciphers may also be obtained using the 446The list of available ciphers may also be obtained using
495.Fl Q 447.Qq ssh -Q cipher .
496option of
497.Xr ssh 1
498with an argument of
499.Dq cipher .
500.It Cm ClearAllForwardings 448.It Cm ClearAllForwardings
501Specifies that all local, remote, and dynamic port forwardings 449Specifies that all local, remote, and dynamic port forwardings
502specified in the configuration files or on the command line be 450specified in the configuration files or on the command line be
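Review bot: the default Ciphers list at new line 443 drops 3des-cbc (old line 491 ended "aes256-cbc,3des-cbc"), which is a change in documented client behaviour, not a markup cleanup like the rest of this commit. Please confirm the client's compiled-in default no longer includes 3des-cbc and call the change out in the commit message; administrators who pin cipher lists against this documented default for older servers will otherwise be surprised when 3des-cbc has to be added explicitly. Converting the supported-cipher list from `.Bl -item` to `.Bd -literal` at new lines 420-436 is fine, and the "ssh -Q cipher" shorthand at new line 447 remains the authoritative way to check what the installed binary actually supports.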
@@ -509,19 +457,17 @@ configuration files, and is automatically set by
509and 457and
510.Xr sftp 1 . 458.Xr sftp 1 .
511The argument must be 459The argument must be
512.Dq yes 460.Cm yes
513or 461or
514.Dq no . 462.Cm no
515The default is 463(the default).
516.Dq no .
517.It Cm Compression 464.It Cm Compression
518Specifies whether to use compression. 465Specifies whether to use compression.
519The argument must be 466The argument must be
520.Dq yes 467.Cm yes
521or 468or
522.Dq no . 469.Cm no
523The default is 470(the default).
524.Dq no .
525.It Cm CompressionLevel 471.It Cm CompressionLevel
526Specifies the compression level to use if compression is enabled. 472Specifies the compression level to use if compression is enabled.
527The argument must be an integer from 1 (fast) to 9 (slow, best). 473The argument must be an integer from 1 (fast) to 9 (slow, best).
@@ -542,7 +488,7 @@ not when it refuses the connection.
542.It Cm ControlMaster 488.It Cm ControlMaster
543Enables the sharing of multiple sessions over a single network connection. 489Enables the sharing of multiple sessions over a single network connection.
544When set to 490When set to
545.Dq yes , 491.Cm yes ,
546.Xr ssh 1 492.Xr ssh 1
547will listen for connections on a control socket specified using the 493will listen for connections on a control socket specified using the
548.Cm ControlPath 494.Cm ControlPath
@@ -552,21 +498,23 @@ Additional sessions can connect to this socket using the same
552with 498with
553.Cm ControlMaster 499.Cm ControlMaster
554set to 500set to
555.Dq no 501.Cm no
556(the default). 502(the default).
557These sessions will try to reuse the master instance's network connection 503These sessions will try to reuse the master instance's network connection
558rather than initiating new ones, but will fall back to connecting normally 504rather than initiating new ones, but will fall back to connecting normally
559if the control socket does not exist, or is not listening. 505if the control socket does not exist, or is not listening.
560.Pp 506.Pp
561Setting this to 507Setting this to
562.Dq ask 508.Cm ask
563will cause ssh 509will cause
510.Xr ssh 1
564to listen for control connections, but require confirmation using 511to listen for control connections, but require confirmation using
565.Xr ssh-askpass 1 . 512.Xr ssh-askpass 1 .
566If the 513If the
567.Cm ControlPath 514.Cm ControlPath
568cannot be opened, 515cannot be opened,
569ssh will continue without connecting to a master instance. 516.Xr ssh 1
517will continue without connecting to a master instance.
570.Pp 518.Pp
571X11 and 519X11 and
572.Xr ssh-agent 1 520.Xr ssh-agent 1
@@ -578,41 +526,25 @@ Two additional options allow for opportunistic multiplexing: try to use a
578master connection but fall back to creating a new one if one does not already 526master connection but fall back to creating a new one if one does not already
579exist. 527exist.
580These options are: 528These options are:
581.Dq auto 529.Cm auto
582and 530and
583.Dq autoask . 531.Cm autoask .
584The latter requires confirmation like the 532The latter requires confirmation like the
585.Dq ask 533.Cm ask
586option. 534option.
587.It Cm ControlPath 535.It Cm ControlPath
588Specify the path to the control socket used for connection sharing as described 536Specify the path to the control socket used for connection sharing as described
589in the 537in the
590.Cm ControlMaster 538.Cm ControlMaster
591section above or the string 539section above or the string
592.Dq none 540.Cm none
593to disable connection sharing. 541to disable connection sharing.
594In the path, 542Arguments to
595.Ql %L 543.Cm ControlPath
596will be substituted by the first component of the local host name, 544may use the tilde syntax to refer to a user's home directory
597.Ql %l 545or the tokens described in the
598will be substituted by the local host name (including any domain name), 546.Sx TOKENS
599.Ql %h 547section.
600will be substituted by the target host name,
601.Ql %n
602will be substituted by the original target host name
603specified on the command line,
604.Ql %p
605the destination port,
606.Ql %r
607by the remote login username,
608.Ql %u
609by the username and
610.Ql %i
611by the numeric user ID (uid) of the user running
612.Xr ssh 1 ,
613and
614.Ql \&%C
615by a hash of the concatenation: %l%h%p%r.
616It is recommended that any 548It is recommended that any
617.Cm ControlPath 549.Cm ControlPath
618used for opportunistic connection sharing include 550used for opportunistic connection sharing include
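Review bot: old lines 608-615 were the only place that defined %i (numeric uid) and %C (a hash of %l%h%p%r), and the recommendation that follows at new lines 548-550 still tells users which tokens a ControlPath used for opportunistic sharing should include. The TOKENS section this hunk now points to therefore has to define %C with the same input (%l%h%p%r); otherwise a reader cannot judge whether the hash makes the socket path unique per destination, and that uniqueness is what keeps sessions from being multiplexed onto a master for a different host or user.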
@@ -626,18 +558,15 @@ specifies that the master connection should remain open
626in the background (waiting for future client connections) 558in the background (waiting for future client connections)
627after the initial client connection has been closed. 559after the initial client connection has been closed.
628If set to 560If set to
629.Dq no , 561.Cm no ,
630then the master connection will not be placed into the background, 562then the master connection will not be placed into the background,
631and will close as soon as the initial client connection is closed. 563and will close as soon as the initial client connection is closed.
632If set to 564If set to
633.Dq yes 565.Cm yes
634or 566or 0,
635.Dq 0 ,
636then the master connection will remain in the background indefinitely 567then the master connection will remain in the background indefinitely
637(until killed or closed via a mechanism such as the 568(until killed or closed via a mechanism such as the
638.Xr ssh 1 569.Qq ssh -O exit ) .
639.Dq Fl O No exit
640option).
641If set to a time in seconds, or a time in any of the formats documented in 570If set to a time in seconds, or a time in any of the formats documented in
642.Xr sshd_config 5 , 571.Xr sshd_config 5 ,
643then the backgrounded master connection will automatically terminate 572then the backgrounded master connection will automatically terminate
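Review bot: new line 569 renders as "...such as the "ssh -O exit")." with "the" left hanging before a quoted command once "option" was dropped from old line 640; drop "the" or write "such as ssh -O exit" so the sentence parses. The `.Qq ssh -O exit ) .` form handles the trailing punctuation correctly in mdoc, and writing the 0 argument as plain text at new line 566 matches the "The default, 1," change made to CanonicalizeMaxDots earlier in this commit.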
@@ -663,7 +592,7 @@ may be used to bind the connection to a specific address.
663The 592The
664.Ar bind_address 593.Ar bind_address
665of 594of
666.Dq localhost 595.Cm localhost
667indicates that the listening port be bound for local use only, while an 596indicates that the listening port be bound for local use only, while an
668empty address or 597empty address or
669.Sq * 598.Sq *
@@ -677,7 +606,7 @@ additional forwardings can be given on the command line.
677Only the superuser can forward privileged ports. 606Only the superuser can forward privileged ports.
678.It Cm EnableSSHKeysign 607.It Cm EnableSSHKeysign
679Setting this option to 608Setting this option to
680.Dq yes 609.Cm yes
681in the global client configuration file 610in the global client configuration file
682.Pa /etc/ssh/ssh_config 611.Pa /etc/ssh/ssh_config
683enables the use of the helper program 612enables the use of the helper program
@@ -685,11 +614,10 @@ enables the use of the helper program
685during 614during
686.Cm HostbasedAuthentication . 615.Cm HostbasedAuthentication .
687The argument must be 616The argument must be
688.Dq yes 617.Cm yes
689or 618or
690.Dq no . 619.Cm no
691The default is 620(the default).
692.Dq no .
693This option should be placed in the non-hostspecific section. 621This option should be placed in the non-hostspecific section.
694See 622See
695.Xr ssh-keysign 8 623.Xr ssh-keysign 8
@@ -702,7 +630,7 @@ be set on the command line.
702The argument should be a single character, 630The argument should be a single character,
703.Ql ^ 631.Ql ^
704followed by a letter, or 632followed by a letter, or
705.Dq none 633.Cm none
706to disable the escape 634to disable the escape
707character entirely (making the connection transparent for binary 635character entirely (making the connection transparent for binary
708data). 636data).
@@ -719,28 +647,25 @@ for example, cause
719.Xr ssh 1 647.Xr ssh 1
720to exit if TCP connections to the ultimate forwarding destination fail. 648to exit if TCP connections to the ultimate forwarding destination fail.
721The argument must be 649The argument must be
722.Dq yes 650.Cm yes
723or 651or
724.Dq no . 652.Cm no
725The default is 653(the default).
726.Dq no .
727.It Cm FingerprintHash 654.It Cm FingerprintHash
728Specifies the hash algorithm used when displaying key fingerprints. 655Specifies the hash algorithm used when displaying key fingerprints.
729Valid options are: 656Valid options are:
730.Dq md5 657.Cm md5
731and 658and
732.Dq sha256 . 659.Cm sha256
733The default is 660(the default).
734.Dq sha256 .
735.It Cm ForwardAgent 661.It Cm ForwardAgent
736Specifies whether the connection to the authentication agent (if any) 662Specifies whether the connection to the authentication agent (if any)
737will be forwarded to the remote machine. 663will be forwarded to the remote machine.
738The argument must be 664The argument must be
739.Dq yes 665.Cm yes
740or 666or
741.Dq no . 667.Cm no
742The default is 668(the default).
743.Dq no .
744.Pp 669.Pp
745Agent forwarding should be enabled with caution. 670Agent forwarding should be enabled with caution.
746Users with the ability to bypass file permissions on the remote host 671Users with the ability to bypass file permissions on the remote host
@@ -755,11 +680,10 @@ over the secure channel and
755.Ev DISPLAY 680.Ev DISPLAY
756set. 681set.
757The argument must be 682The argument must be
758.Dq yes 683.Cm yes
759or 684or
760.Dq no . 685.Cm no
761The default is 686(the default).
762.Dq no .
763.Pp 687.Pp
764X11 forwarding should be enabled with caution. 688X11 forwarding should be enabled with caution.
765Users with the ability to bypass file permissions on the remote host 689Users with the ability to bypass file permissions on the remote host
@@ -772,7 +696,8 @@ option is also enabled.
772.It Cm ForwardX11Timeout 696.It Cm ForwardX11Timeout
773Specify a timeout for untrusted X11 forwarding 697Specify a timeout for untrusted X11 forwarding
774using the format described in the 698using the format described in the
775TIME FORMATS section of 699.Sx TIME FORMATS
700section of
776.Xr sshd_config 5 . 701.Xr sshd_config 5 .
777X11 connections received by 702X11 connections received by
778.Xr ssh 1 703.Xr ssh 1
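Review bot: `.Sx` at new line 699 is a cross-reference to a section of the current manual, but TIME FORMATS is a section of sshd_config(5), not of ssh_config(5); HTML output of this page will link to an anchor that does not exist here, and tools that resolve `.Sx` targets will not find it. Keep the plain "TIME FORMATS section of sshd_config(5)" wording from old line 775, or add a TIME FORMATS section to this file if the intent is to make it self-contained.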
@@ -781,11 +706,12 @@ The default is to disable untrusted X11 forwarding after twenty minutes has
781elapsed. 706elapsed.
782.It Cm ForwardX11Trusted 707.It Cm ForwardX11Trusted
783If this option is set to 708If this option is set to
784.Dq yes , 709.Cm yes ,
785remote X11 clients will have full access to the original X11 display. 710remote X11 clients will have full access to the original X11 display.
786.Pp 711.Pp
787If this option is set to 712If this option is set to
788.Dq no , 713.Cm no
714(the default),
789remote X11 clients will be considered untrusted and prevented 715remote X11 clients will be considered untrusted and prevented
790from stealing or tampering with data belonging to trusted X11 716from stealing or tampering with data belonging to trusted X11
791clients. 717clients.
@@ -794,9 +720,6 @@ Furthermore, the
794token used for the session will be set to expire after 20 minutes. 720token used for the session will be set to expire after 20 minutes.
795Remote clients will be refused access after this time. 721Remote clients will be refused access after this time.
796.Pp 722.Pp
797The default is
798.Dq no .
799.Pp
800See the X11 SECURITY extension specification for full details on 723See the X11 SECURITY extension specification for full details on
801the restrictions imposed on untrusted clients. 724the restrictions imposed on untrusted clients.
802.It Cm GatewayPorts 725.It Cm GatewayPorts
@@ -811,11 +734,10 @@ can be used to specify that ssh
811should bind local port forwardings to the wildcard address, 734should bind local port forwardings to the wildcard address,
812thus allowing remote hosts to connect to forwarded ports. 735thus allowing remote hosts to connect to forwarded ports.
813The argument must be 736The argument must be
814.Dq yes 737.Cm yes
815or 738or
816.Dq no . 739.Cm no
817The default is 740(the default).
818.Dq no .
819.It Cm GlobalKnownHostsFile 741.It Cm GlobalKnownHostsFile
820Specifies one or more files to use for the global 742Specifies one or more files to use for the global
821host key database, separated by whitespace. 743host key database, separated by whitespace.
@@ -825,11 +747,11 @@ The default is
825.It Cm GSSAPIAuthentication 747.It Cm GSSAPIAuthentication
826Specifies whether user authentication based on GSSAPI is allowed. 748Specifies whether user authentication based on GSSAPI is allowed.
827The default is 749The default is
828.Dq no . 750.Cm no .
829.It Cm GSSAPIDelegateCredentials 751.It Cm GSSAPIDelegateCredentials
830Forward (delegate) credentials to the server. 752Forward (delegate) credentials to the server.
831The default is 753The default is
832.Dq no . 754.Cm no .
833.It Cm HashKnownHosts 755.It Cm HashKnownHosts
834Indicates that 756Indicates that
835.Xr ssh 1 757.Xr ssh 1
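Review bot: GSSAPIAuthentication and GSSAPIDelegateCredentials at new lines 749-754 keep the "The default is .Cm no ." phrasing while every other yes/no option in this commit folds the default into the argument list as "(the default)". That is acceptable only because these two entries never state "The argument must be yes or no"; for consistency, consider adding that sentence in the same form used for HostbasedAuthentication at new lines 775-779.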
@@ -842,7 +764,7 @@ and
842but they do not reveal identifying information should the file's contents 764but they do not reveal identifying information should the file's contents
843be disclosed. 765be disclosed.
844The default is 766The default is
845.Dq no . 767.Cm no .
846Note that existing names and addresses in known hosts files 768Note that existing names and addresses in known hosts files
847will not be converted automatically, 769will not be converted automatically,
848but may be manually hashed using 770but may be manually hashed using
@@ -851,11 +773,10 @@ but may be manually hashed using
851Specifies whether to try rhosts based authentication with public key 773Specifies whether to try rhosts based authentication with public key
852authentication. 774authentication.
853The argument must be 775The argument must be
854.Dq yes 776.Cm yes
855or 777or
856.Dq no . 778.Cm no
857The default is 779(the default).
858.Dq no .
859.It Cm HostbasedKeyTypes 780.It Cm HostbasedKeyTypes
860Specifies the key types that will be used for hostbased authentication 781Specifies the key types that will be used for hostbased authentication
861as a comma-separated pattern list. 782as a comma-separated pattern list.
@@ -900,12 +821,8 @@ ssh-ed25519,ssh-rsa
900If hostkeys are known for the destination host then this default is modified 821If hostkeys are known for the destination host then this default is modified
901to prefer their algorithms. 822to prefer their algorithms.
902.Pp 823.Pp
903The list of available key types may also be obtained using the 824The list of available key types may also be obtained using
904.Fl Q 825.Qq ssh -Q key .
905option of
906.Xr ssh 1
907with an argument of
908.Dq key .
909.It Cm HostKeyAlias 826.It Cm HostKeyAlias
910Specifies an alias that should be used instead of the 827Specifies an alias that should be used instead of the
911real host name when looking up or saving the host key 828real host name when looking up or saving the host key
@@ -915,20 +832,15 @@ or for multiple servers running on a single host.
915.It Cm HostName 832.It Cm HostName
916Specifies the real host name to log into. 833Specifies the real host name to log into.
917This can be used to specify nicknames or abbreviations for hosts. 834This can be used to specify nicknames or abbreviations for hosts.
918If the hostname contains the character sequence 835Arguments to
919.Ql %h , 836.Cm HostName
920then this will be replaced with the host name specified on the command line 837accept the tokens described in the
921(this is useful for manipulating unqualified names). 838.Sx TOKENS
922The character sequence 839section.
923.Ql %%
924will be replaced by a single
925.Ql %
926character, which may be used when specifying IPv6 link-local addresses.
927.Pp
928The default is the name given on the command line.
929Numeric IP addresses are also permitted (both on the command line and in 840Numeric IP addresses are also permitted (both on the command line and in
930.Cm HostName 841.Cm HostName
931specifications). 842specifications).
843The default is the name given on the command line.
932.It Cm IdentitiesOnly 844.It Cm IdentitiesOnly
933Specifies that 845Specifies that
934.Xr ssh 1 846.Xr ssh 1
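Review bot: the rewritten HostName text (new-side lines 835-839) drops two pieces of guidance that the TOKENS section does not carry: that %h is useful for manipulating unqualified names, and that %% exists so a literal % can be written when specifying IPv6 link-local addresses (old-side lines 919-926). TOKENS only says HostName accepts %% and %h, so a reader is no longer told why either token matters for this keyword. Suggest keeping one sentence after the .Sx TOKENS reference, for example "The %% token may be used when specifying IPv6 link-local addresses."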
@@ -945,43 +857,35 @@ or a
945.Cm PKCS11Provider 857.Cm PKCS11Provider
946offers more identities. 858offers more identities.
947The argument to this keyword must be 859The argument to this keyword must be
948.Dq yes 860.Cm yes
949or 861or
950.Dq no . 862.Cm no
863(the default).
951This option is intended for situations where ssh-agent 864This option is intended for situations where ssh-agent
952offers many different identities. 865offers many different identities.
953The default is
954.Dq no .
955.It Cm IdentityAgent 866.It Cm IdentityAgent
956Specifies the 867Specifies the
957.Ux Ns -domain 868.Ux Ns -domain
958socket used to communicate with the authentication agent. 869socket used to communicate with the authentication agent.
959.Pp 870.Pp
960This option overrides the 871This option overrides the
961.Dq SSH_AUTH_SOCK 872.Ev SSH_AUTH_SOCK
962environment variable and can be used to select a specific agent. 873environment variable and can be used to select a specific agent.
963Setting the socket name to 874Setting the socket name to
964.Dq none 875.Cm none
965disables the use of an authentication agent. 876disables the use of an authentication agent.
966If the string 877If the string
967.Dq SSH_AUTH_SOCK 878.Qq SSH_AUTH_SOCK
968is specified, the location of the socket will be read from the 879is specified, the location of the socket will be read from the
969.Ev SSH_AUTH_SOCK 880.Ev SSH_AUTH_SOCK
970environment variable. 881environment variable.
971.Pp 882.Pp
972The socket name may use the tilde 883Arguments to
973syntax to refer to a user's home directory or one of the following 884.Cm IdentityAgent
974escape characters: 885may use the tilde syntax to refer to a user's home directory
975.Ql %d 886or the tokens described in the
976(local user's home directory), 887.Sx TOKENS
977.Ql %u 888section.
978(local user name),
979.Ql %l
980(local host name),
981.Ql %h
982(remote host name) or
983.Ql %r
984(remote user name).
985.It Cm IdentityFile 889.It Cm IdentityFile
986Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication 890Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
987identity is read. 891identity is read.
@@ -1007,19 +911,12 @@ appending
1007to the path of a specified 911to the path of a specified
1008.Cm IdentityFile . 912.Cm IdentityFile .
1009.Pp 913.Pp
1010The file name may use the tilde 914Arguments to
1011syntax to refer to a user's home directory or one of the following 915.Cm IdentityFile
1012escape characters: 916may use the tilde syntax to refer to a user's home directory
1013.Ql %d 917or the tokens described in the
1014(local user's home directory), 918.Sx TOKENS
1015.Ql %u 919section.
1016(local user name),
1017.Ql %l
1018(local host name),
1019.Ql %h
1020(remote host name) or
1021.Ql %r
1022(remote user name).
1023.Pp 920.Pp
1024It is possible to have 921It is possible to have
1025multiple identity files specified in configuration files; all these 922multiple identity files specified in configuration files; all these
@@ -1054,7 +951,7 @@ Include the specified configuration file(s).
1054Multiple pathnames may be specified and each pathname may contain 951Multiple pathnames may be specified and each pathname may contain
1055.Xr glob 3 952.Xr glob 3
1056wildcards and, for user configurations, shell-like 953wildcards and, for user configurations, shell-like
1057.Dq ~ 954.Sq ~
1058references to user home directories. 955references to user home directories.
1059Files without absolute paths are assumed to be in 956Files without absolute paths are assumed to be in
1060.Pa ~/.ssh 957.Pa ~/.ssh
@@ -1071,48 +968,47 @@ to perform conditional inclusion.
1071.It Cm IPQoS 968.It Cm IPQoS
1072Specifies the IPv4 type-of-service or DSCP class for connections. 969Specifies the IPv4 type-of-service or DSCP class for connections.
1073Accepted values are 970Accepted values are
1074.Dq af11 , 971.Cm af11 ,
1075.Dq af12 , 972.Cm af12 ,
1076.Dq af13 , 973.Cm af13 ,
1077.Dq af21 , 974.Cm af21 ,
1078.Dq af22 , 975.Cm af22 ,
1079.Dq af23 , 976.Cm af23 ,
1080.Dq af31 , 977.Cm af31 ,
1081.Dq af32 , 978.Cm af32 ,
1082.Dq af33 , 979.Cm af33 ,
1083.Dq af41 , 980.Cm af41 ,
1084.Dq af42 , 981.Cm af42 ,
1085.Dq af43 , 982.Cm af43 ,
1086.Dq cs0 , 983.Cm cs0 ,
1087.Dq cs1 , 984.Cm cs1 ,
1088.Dq cs2 , 985.Cm cs2 ,
1089.Dq cs3 , 986.Cm cs3 ,
1090.Dq cs4 , 987.Cm cs4 ,
1091.Dq cs5 , 988.Cm cs5 ,
1092.Dq cs6 , 989.Cm cs6 ,
1093.Dq cs7 , 990.Cm cs7 ,
1094.Dq ef , 991.Cm ef ,
1095.Dq lowdelay , 992.Cm lowdelay ,
1096.Dq throughput , 993.Cm throughput ,
1097.Dq reliability , 994.Cm reliability ,
1098or a numeric value. 995or a numeric value.
1099This option may take one or two arguments, separated by whitespace. 996This option may take one or two arguments, separated by whitespace.
1100If one argument is specified, it is used as the packet class unconditionally. 997If one argument is specified, it is used as the packet class unconditionally.
1101If two values are specified, the first is automatically selected for 998If two values are specified, the first is automatically selected for
1102interactive sessions and the second for non-interactive sessions. 999interactive sessions and the second for non-interactive sessions.
1103The default is 1000The default is
1104.Dq lowdelay 1001.Cm lowdelay
1105for interactive sessions and 1002for interactive sessions and
1106.Dq throughput 1003.Cm throughput
1107for non-interactive sessions. 1004for non-interactive sessions.
1108.It Cm KbdInteractiveAuthentication 1005.It Cm KbdInteractiveAuthentication
1109Specifies whether to use keyboard-interactive authentication. 1006Specifies whether to use keyboard-interactive authentication.
1110The argument to this keyword must be 1007The argument to this keyword must be
1111.Dq yes 1008.Cm yes
1009(the default)
1112or 1010or
1113.Dq no . 1011.Cm no .
1114The default is
1115.Dq yes .
1116.It Cm KbdInteractiveDevices 1012.It Cm KbdInteractiveDevices
1117Specifies the list of methods to use in keyboard-interactive authentication. 1013Specifies the list of methods to use in keyboard-interactive authentication.
1118Multiple method names must be comma-separated. 1014Multiple method names must be comma-separated.
@@ -1120,10 +1016,10 @@ The default is to use the server specified list.
1120The methods available vary depending on what the server supports. 1016The methods available vary depending on what the server supports.
1121For an OpenSSH server, 1017For an OpenSSH server,
1122it may be zero or more of: 1018it may be zero or more of:
1123.Dq bsdauth , 1019.Cm bsdauth ,
1124.Dq pam , 1020.Cm pam ,
1125and 1021and
1126.Dq skey . 1022.Cm skey .
1127.It Cm KexAlgorithms 1023.It Cm KexAlgorithms
1128Specifies the available KEX (Key Exchange) algorithms. 1024Specifies the available KEX (Key Exchange) algorithms.
1129Multiple algorithms must be comma-separated. 1025Multiple algorithms must be comma-separated.
@@ -1133,41 +1029,25 @@ character, then the specified methods will be appended to the default set
1133instead of replacing them. 1029instead of replacing them.
1134The default is: 1030The default is:
1135.Bd -literal -offset indent 1031.Bd -literal -offset indent
1136curve25519-sha256@libssh.org, 1032curve25519-sha256,curve25519-sha256@libssh.org,
1137ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 1033ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1138diffie-hellman-group-exchange-sha256, 1034diffie-hellman-group-exchange-sha256,
1139diffie-hellman-group-exchange-sha1, 1035diffie-hellman-group-exchange-sha1,
1140diffie-hellman-group14-sha1 1036diffie-hellman-group14-sha1
1141.Ed 1037.Ed
1142.Pp 1038.Pp
1143The list of available key exchange algorithms may also be obtained using the 1039The list of available key exchange algorithms may also be obtained using
1144.Fl Q 1040.Qq ssh -Q kex .
1145option of
1146.Xr ssh 1
1147with an argument of
1148.Dq kex .
1149.It Cm LocalCommand 1041.It Cm LocalCommand
1150Specifies a command to execute on the local machine after successfully 1042Specifies a command to execute on the local machine after successfully
1151connecting to the server. 1043connecting to the server.
1152The command string extends to the end of the line, and is executed with 1044The command string extends to the end of the line, and is executed with
1153the user's shell. 1045the user's shell.
1154The following escape character substitutions will be performed: 1046Arguments to
1155.Ql %d 1047.Cm LocalCommand
1156(local user's home directory), 1048accept the tokens described in the
1157.Ql %h 1049.Sx TOKENS
1158(remote host name), 1050section.
1159.Ql %l
1160(local host name),
1161.Ql %n
1162(host name as provided on the command line),
1163.Ql %p
1164(remote port),
1165.Ql %r
1166(remote user name) or
1167.Ql %u
1168(local user name) or
1169.Ql \&%C
1170by a hash of the concatenation: %l%h%p%r.
1171.Pp 1051.Pp
1172The command is run synchronously and does not have access to the 1052The command is run synchronously and does not have access to the
1173session of the 1053session of the
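Review bot: the default KexAlgorithms list (new-side line 1032) gains curve25519-sha256 ahead of curve25519-sha256@libssh.org, which is a change to documented client behaviour carried inside a markup cleanup; confirm it matches the compiled-in client default and state it in the commit message rather than leaving it implicit. Separately, the LocalCommand rewrite removes the only statement that \&%C is "a hash of the concatenation: %l%h%p%r" (old-side lines 1169-1170); if that detail is meant to live in TOKENS instead, make sure the per-token list says hash, since that list is where readers are now sent.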
@@ -1200,7 +1080,7 @@ may be used to bind the connection to a specific address.
1200The 1080The
1201.Ar bind_address 1081.Ar bind_address
1202of 1082of
1203.Dq localhost 1083.Cm localhost
1204indicates that the listening port be bound for local use only, while an 1084indicates that the listening port be bound for local use only, while an
1205empty address or 1085empty address or
1206.Sq * 1086.Sq *
@@ -1224,7 +1104,7 @@ character, then the specified algorithms will be appended to the default set
1224instead of replacing them. 1104instead of replacing them.
1225.Pp 1105.Pp
1226The algorithms that contain 1106The algorithms that contain
1227.Dq -etm 1107.Qq -etm
1228calculate the MAC after encryption (encrypt-then-mac). 1108calculate the MAC after encryption (encrypt-then-mac).
1229These are considered safer and their use recommended. 1109These are considered safer and their use recommended.
1230.Pp 1110.Pp
@@ -1237,22 +1117,18 @@ umac-64@openssh.com,umac-128@openssh.com,
1237hmac-sha2-256,hmac-sha2-512,hmac-sha1 1117hmac-sha2-256,hmac-sha2-512,hmac-sha1
1238.Ed 1118.Ed
1239.Pp 1119.Pp
1240The list of available MAC algorithms may also be obtained using the 1120The list of available MAC algorithms may also be obtained using
1241.Fl Q 1121.Qq ssh -Q mac .
1242option of
1243.Xr ssh 1
1244with an argument of
1245.Dq mac .
1246.It Cm NoHostAuthenticationForLocalhost 1122.It Cm NoHostAuthenticationForLocalhost
1247This option can be used if the home directory is shared across machines. 1123This option can be used if the home directory is shared across machines.
1248In this case localhost will refer to a different machine on each of 1124In this case localhost will refer to a different machine on each of
1249the machines and the user will get many warnings about changed host keys. 1125the machines and the user will get many warnings about changed host keys.
1250However, this option disables host authentication for localhost. 1126However, this option disables host authentication for localhost.
1251The argument to this keyword must be 1127The argument to this keyword must be
1252.Dq yes 1128.Cm yes
1253or 1129or
1254.Dq no . 1130.Cm no .
1255The default is to check the host key for localhost. 1131(the default).
1256.It Cm NumberOfPasswordPrompts 1132.It Cm NumberOfPasswordPrompts
1257Specifies the number of password prompts before giving up. 1133Specifies the number of password prompts before giving up.
1258The argument to this keyword must be an integer. 1134The argument to this keyword must be an integer.
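Review bot: new-side lines 1130-1131 render as "yes or no. (the default)." because ".Cm no ." keeps its trailing period and the next line supplies another sentence-ending one; every other hunk in this diff uses ".Cm no" followed by "(the default)." (compare new-side lines 1153-1154 under PermitLocalCommand). Drop the period from ".Cm no ." here so the sentence reads "yes or no (the default)."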
@@ -1260,11 +1136,10 @@ The default is 3.
1260.It Cm PasswordAuthentication 1136.It Cm PasswordAuthentication
1261Specifies whether to use password authentication. 1137Specifies whether to use password authentication.
1262The argument to this keyword must be 1138The argument to this keyword must be
1263.Dq yes 1139.Cm yes
1140(the default)
1264or 1141or
1265.Dq no . 1142.Cm no .
1266The default is
1267.Dq yes .
1268.It Cm PermitLocalCommand 1143.It Cm PermitLocalCommand
1269Allow local command execution via the 1144Allow local command execution via the
1270.Ic LocalCommand 1145.Ic LocalCommand
@@ -1273,11 +1148,10 @@ option or using the
1273escape sequence in 1148escape sequence in
1274.Xr ssh 1 . 1149.Xr ssh 1 .
1275The argument must be 1150The argument must be
1276.Dq yes 1151.Cm yes
1277or 1152or
1278.Dq no . 1153.Cm no
1279The default is 1154(the default).
1280.Dq no .
1281.It Cm PKCS11Provider 1155.It Cm PKCS11Provider
1282Specifies which PKCS#11 provider to use. 1156Specifies which PKCS#11 provider to use.
1283The argument to this keyword is the PKCS#11 shared library 1157The argument to this keyword is the PKCS#11 shared library
@@ -1302,18 +1176,14 @@ keyboard-interactive,password
1302Specifies the protocol versions 1176Specifies the protocol versions
1303.Xr ssh 1 1177.Xr ssh 1
1304should support in order of preference. 1178should support in order of preference.
1305The possible values are 1179The possible values are 1 and 2.
1306.Sq 1
1307and
1308.Sq 2 .
1309Multiple versions must be comma-separated. 1180Multiple versions must be comma-separated.
1310When this option is set to 1181When this option is set to
1311.Dq 2,1 1182.Cm 2,1
1312.Nm ssh 1183.Nm ssh
1313will try version 2 and fall back to version 1 1184will try version 2 and fall back to version 1
1314if version 2 is not available. 1185if version 2 is not available.
1315The default is 1186The default is version 2.
1316.Sq 2 .
1317Protocol 1 suffers from a number of cryptographic weaknesses and should 1187Protocol 1 suffers from a number of cryptographic weaknesses and should
1318not be used. 1188not be used.
1319It is only offered to support legacy devices. 1189It is only offered to support legacy devices.
@@ -1325,14 +1195,11 @@ using the user's shell
1325.Ql exec 1195.Ql exec
1326directive to avoid a lingering shell process. 1196directive to avoid a lingering shell process.
1327.Pp 1197.Pp
1328In the command string, any occurrence of 1198Arguments to
1329.Ql %h 1199.Cm ProxyCommand
1330will be substituted by the host name to 1200accept the tokens described in the
1331connect, 1201.Sx TOKENS
1332.Ql %p 1202section.
1333by the port, and
1334.Ql %r
1335by the remote user name.
1336The command can be basically anything, 1203The command can be basically anything,
1337and should read from its standard input and write to its standard output. 1204and should read from its standard input and write to its standard output.
1338It should eventually connect an 1205It should eventually connect an
@@ -1344,7 +1211,7 @@ Host key management will be done using the
1344HostName of the host being connected (defaulting to the name typed by 1211HostName of the host being connected (defaulting to the name typed by
1345the user). 1212the user).
1346Setting the command to 1213Setting the command to
1347.Dq none 1214.Cm none
1348disables this option entirely. 1215disables this option entirely.
1349Note that 1216Note that
1350.Cm CheckHostIP 1217.Cm CheckHostIP
@@ -1389,7 +1256,7 @@ will pass a connected file descriptor back to
1389.Xr ssh 1 1256.Xr ssh 1
1390instead of continuing to execute and pass data. 1257instead of continuing to execute and pass data.
1391The default is 1258The default is
1392.Dq no . 1259.Cm no .
1393.It Cm PubkeyAcceptedKeyTypes 1260.It Cm PubkeyAcceptedKeyTypes
1394Specifies the key types that will be used for public key authentication 1261Specifies the key types that will be used for public key authentication
1395as a comma-separated pattern list. 1262as a comma-separated pattern list.
@@ -1408,19 +1275,15 @@ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1408ssh-ed25519,ssh-rsa 1275ssh-ed25519,ssh-rsa
1409.Ed 1276.Ed
1410.Pp 1277.Pp
1411The 1278The list of available key types may also be obtained using
1412.Fl Q 1279.Qq ssh -Q key .
1413option of
1414.Xr ssh 1
1415may be used to list supported key types.
1416.It Cm PubkeyAuthentication 1280.It Cm PubkeyAuthentication
1417Specifies whether to try public key authentication. 1281Specifies whether to try public key authentication.
1418The argument to this keyword must be 1282The argument to this keyword must be
1419.Dq yes 1283.Cm yes
1284(the default)
1420or 1285or
1421.Dq no . 1286.Cm no .
1422The default is
1423.Dq yes .
1424.It Cm RekeyLimit 1287.It Cm RekeyLimit
1425Specifies the maximum amount of data that may be transmitted before the 1288Specifies the maximum amount of data that may be transmitted before the
1426session key is renegotiated, optionally followed a maximum amount of 1289session key is renegotiated, optionally followed a maximum amount of
@@ -1438,12 +1301,13 @@ and
1438depending on the cipher. 1301depending on the cipher.
1439The optional second value is specified in seconds and may use any of the 1302The optional second value is specified in seconds and may use any of the
1440units documented in the 1303units documented in the
1441TIME FORMATS section of 1304.Sx TIME FORMATS
1305section of
1442.Xr sshd_config 5 . 1306.Xr sshd_config 5 .
1443The default value for 1307The default value for
1444.Cm RekeyLimit 1308.Cm RekeyLimit
1445is 1309is
1446.Dq default none , 1310.Cm default none ,
1447which means that rekeying is performed after the cipher's default amount 1311which means that rekeying is performed after the cipher's default amount
1448of data has been sent or received and no time based rekeying is done. 1312of data has been sent or received and no time based rekeying is done.
1449.It Cm RemoteForward 1313.It Cm RemoteForward
@@ -1463,8 +1327,7 @@ logging in as root on the remote machine.
1463.Pp 1327.Pp
1464If the 1328If the
1465.Ar port 1329.Ar port
1466argument is 1330argument is 0,
1467.Ql 0 ,
1468the listen port will be dynamically allocated on the server and reported 1331the listen port will be dynamically allocated on the server and reported
1469to the client at run time. 1332to the client at run time.
1470.Pp 1333.Pp
@@ -1486,13 +1349,13 @@ option is enabled (see
1486.It Cm RequestTTY 1349.It Cm RequestTTY
1487Specifies whether to request a pseudo-tty for the session. 1350Specifies whether to request a pseudo-tty for the session.
1488The argument may be one of: 1351The argument may be one of:
1489.Dq no 1352.Cm no
1490(never request a TTY), 1353(never request a TTY),
1491.Dq yes 1354.Cm yes
1492(always request a TTY when standard input is a TTY), 1355(always request a TTY when standard input is a TTY),
1493.Dq force 1356.Cm force
1494(always request a TTY) or 1357(always request a TTY) or
1495.Dq auto 1358.Cm auto
1496(request a TTY when opening a login session). 1359(request a TTY when opening a login session).
1497This option mirrors the 1360This option mirrors the
1498.Fl t 1361.Fl t
@@ -1514,25 +1377,23 @@ For more information on KRLs, see the KEY REVOCATION LISTS section in
1514Specifies whether to try rhosts based authentication with RSA host 1377Specifies whether to try rhosts based authentication with RSA host
1515authentication. 1378authentication.
1516The argument must be 1379The argument must be
1517.Dq yes 1380.Cm yes
1518or 1381or
1519.Dq no . 1382.Cm no
1520The default is 1383(the default).
1521.Dq no .
1522This option applies to protocol version 1 only and requires 1384This option applies to protocol version 1 only and requires
1523.Xr ssh 1 1385.Xr ssh 1
1524to be setuid root. 1386to be setuid root.
1525.It Cm RSAAuthentication 1387.It Cm RSAAuthentication
1526Specifies whether to try RSA authentication. 1388Specifies whether to try RSA authentication.
1527The argument to this keyword must be 1389The argument to this keyword must be
1528.Dq yes 1390.Cm yes
1391(the default)
1529or 1392or
1530.Dq no . 1393.Cm no .
1531RSA authentication will only be 1394RSA authentication will only be
1532attempted if the identity file exists, or an authentication agent is 1395attempted if the identity file exists, or an authentication agent is
1533running. 1396running.
1534The default is
1535.Dq yes .
1536Note that this option applies to protocol version 1 only. 1397Note that this option applies to protocol version 1 only.
1537.It Cm SendEnv 1398.It Cm SendEnv
1538Specifies what variables from the local 1399Specifies what variables from the local
@@ -1615,14 +1476,13 @@ will be unable to forward the port to the Unix-domain socket file.
1615This option is only used for port forwarding to a Unix-domain socket file. 1476This option is only used for port forwarding to a Unix-domain socket file.
1616.Pp 1477.Pp
1617The argument must be 1478The argument must be
1618.Dq yes 1479.Cm yes
1619or 1480or
1620.Dq no . 1481.Cm no
1621The default is 1482(the default).
1622.Dq no .
1623.It Cm StrictHostKeyChecking 1483.It Cm StrictHostKeyChecking
1624If this flag is set to 1484If this flag is set to
1625.Dq yes , 1485.Cm yes ,
1626.Xr ssh 1 1486.Xr ssh 1
1627will never automatically add host keys to the 1487will never automatically add host keys to the
1628.Pa ~/.ssh/known_hosts 1488.Pa ~/.ssh/known_hosts
@@ -1635,24 +1495,18 @@ frequently made.
1635This option forces the user to manually 1495This option forces the user to manually
1636add all new hosts. 1496add all new hosts.
1637If this flag is set to 1497If this flag is set to
1638.Dq no , 1498.Cm no ,
1639ssh will automatically add new host keys to the 1499ssh will automatically add new host keys to the
1640user known hosts files. 1500user known hosts files.
1641If this flag is set to 1501If this flag is set to
1642.Dq ask , 1502.Cm ask
1503(the default),
1643new host keys 1504new host keys
1644will be added to the user known host files only after the user 1505will be added to the user known host files only after the user
1645has confirmed that is what they really want to do, and 1506has confirmed that is what they really want to do, and
1646ssh will refuse to connect to hosts whose host key has changed. 1507ssh will refuse to connect to hosts whose host key has changed.
1647The host keys of 1508The host keys of
1648known hosts will be verified automatically in all cases. 1509known hosts will be verified automatically in all cases.
1649The argument must be
1650.Dq yes ,
1651.Dq no ,
1652or
1653.Dq ask .
1654The default is
1655.Dq ask .
1656.It Cm TCPKeepAlive 1510.It Cm TCPKeepAlive
1657Specifies whether the system should send TCP keepalive messages to the 1511Specifies whether the system should send TCP keepalive messages to the
1658other side. 1512other side.
@@ -1663,31 +1517,30 @@ connections will die if the route is down temporarily, and some people
1663find it annoying. 1517find it annoying.
1664.Pp 1518.Pp
1665The default is 1519The default is
1666.Dq yes 1520.Cm yes
1667(to send TCP keepalive messages), and the client will notice 1521(to send TCP keepalive messages), and the client will notice
1668if the network goes down or the remote host dies. 1522if the network goes down or the remote host dies.
1669This is important in scripts, and many users want it too. 1523This is important in scripts, and many users want it too.
1670.Pp 1524.Pp
1671To disable TCP keepalive messages, the value should be set to 1525To disable TCP keepalive messages, the value should be set to
1672.Dq no . 1526.Cm no .
1673.It Cm Tunnel 1527.It Cm Tunnel
1674Request 1528Request
1675.Xr tun 4 1529.Xr tun 4
1676device forwarding between the client and the server. 1530device forwarding between the client and the server.
1677The argument must be 1531The argument must be
1678.Dq yes , 1532.Cm yes ,
1679.Dq point-to-point 1533.Cm point-to-point
1680(layer 3), 1534(layer 3),
1681.Dq ethernet 1535.Cm ethernet
1682(layer 2), 1536(layer 2),
1683or 1537or
1684.Dq no . 1538.Cm no
1539(the default).
1685Specifying 1540Specifying
1686.Dq yes 1541.Cm yes
1687requests the default tunnel mode, which is 1542requests the default tunnel mode, which is
1688.Dq point-to-point . 1543.Cm point-to-point .
1689The default is
1690.Dq no .
1691.It Cm TunnelDevice 1544.It Cm TunnelDevice
1692Specifies the 1545Specifies the
1693.Xr tun 4 1546.Xr tun 4
@@ -1701,14 +1554,14 @@ The argument must be
1701.Ar local_tun Op : Ar remote_tun . 1554.Ar local_tun Op : Ar remote_tun .
1702.Sm on 1555.Sm on
1703The devices may be specified by numerical ID or the keyword 1556The devices may be specified by numerical ID or the keyword
1704.Dq any , 1557.Cm any ,
1705which uses the next available tunnel device. 1558which uses the next available tunnel device.
1706If 1559If
1707.Ar remote_tun 1560.Ar remote_tun
1708is not specified, it defaults to 1561is not specified, it defaults to
1709.Dq any . 1562.Cm any .
1710The default is 1563The default is
1711.Dq any:any . 1564.Cm any:any .
1712.It Cm UpdateHostKeys 1565.It Cm UpdateHostKeys
1713Specifies whether 1566Specifies whether
1714.Xr ssh 1 1567.Xr ssh 1
@@ -1716,10 +1569,10 @@ should accept notifications of additional hostkeys from the server sent
1716after authentication has completed and add them to 1569after authentication has completed and add them to
1717.Cm UserKnownHostsFile . 1570.Cm UserKnownHostsFile .
1718The argument must be 1571The argument must be
1719.Dq yes , 1572.Cm yes ,
1720.Dq no 1573.Cm no
1721(the default) or 1574(the default) or
1722.Dq ask . 1575.Cm ask .
1723Enabling this option allows learning alternate hostkeys for a server 1576Enabling this option allows learning alternate hostkeys for a server
1724and supports graceful key rotation by allowing a server to send replacement 1577and supports graceful key rotation by allowing a server to send replacement
1725public keys before old ones are removed. 1578public keys before old ones are removed.
@@ -1728,7 +1581,7 @@ host was already trusted or explicitly accepted by the user.
1728If 1581If
1729.Cm UpdateHostKeys 1582.Cm UpdateHostKeys
1730is set to 1583is set to
1731.Dq ask , 1584.Cm ask ,
1732then the user is asked to confirm the modifications to the known_hosts file. 1585then the user is asked to confirm the modifications to the known_hosts file.
1733Confirmation is currently incompatible with 1586Confirmation is currently incompatible with
1734.Cm ControlPersist , 1587.Cm ControlPersist ,
@@ -1737,22 +1590,21 @@ and will be disabled if it is enabled.
1737Presently, only 1590Presently, only
1738.Xr sshd 8 1591.Xr sshd 8
1739from OpenSSH 6.8 and greater support the 1592from OpenSSH 6.8 and greater support the
1740.Dq hostkeys@openssh.com 1593.Qq hostkeys@openssh.com
1741protocol extension used to inform the client of all the server's hostkeys. 1594protocol extension used to inform the client of all the server's hostkeys.
1742.It Cm UsePrivilegedPort 1595.It Cm UsePrivilegedPort
1743Specifies whether to use a privileged port for outgoing connections. 1596Specifies whether to use a privileged port for outgoing connections.
1744The argument must be 1597The argument must be
1745.Dq yes 1598.Cm yes
1746or 1599or
1747.Dq no . 1600.Cm no
1748The default is 1601(the default).
1749.Dq no .
1750If set to 1602If set to
1751.Dq yes , 1603.Cm yes ,
1752.Xr ssh 1 1604.Xr ssh 1
1753must be setuid root. 1605must be setuid root.
1754Note that this option must be set to 1606Note that this option must be set to
1755.Dq yes 1607.Cm yes
1756for 1608for
1757.Cm RhostsRSAAuthentication 1609.Cm RhostsRSAAuthentication
1758with older servers. 1610with older servers.
@@ -1771,39 +1623,35 @@ The default is
1771Specifies whether to verify the remote key using DNS and SSHFP resource 1623Specifies whether to verify the remote key using DNS and SSHFP resource
1772records. 1624records.
1773If this option is set to 1625If this option is set to
1774.Dq yes , 1626.Cm yes ,
1775the client will implicitly trust keys that match a secure fingerprint 1627the client will implicitly trust keys that match a secure fingerprint
1776from DNS. 1628from DNS.
1777Insecure fingerprints will be handled as if this option was set to 1629Insecure fingerprints will be handled as if this option was set to
1778.Dq ask . 1630.Cm ask .
1779If this option is set to 1631If this option is set to
1780.Dq ask , 1632.Cm ask ,
1781information on fingerprint match will be displayed, but the user will still 1633information on fingerprint match will be displayed, but the user will still
1782need to confirm new host keys according to the 1634need to confirm new host keys according to the
1783.Cm StrictHostKeyChecking 1635.Cm StrictHostKeyChecking
1784option. 1636option.
1785The argument must be
1786.Dq yes ,
1787.Dq no ,
1788or
1789.Dq ask .
1790The default is 1637The default is
1791.Dq no . 1638.Cm no .
1792.Pp 1639.Pp
1793See also VERIFYING HOST KEYS in 1640See also
1641.Sx VERIFYING HOST KEYS
1642in
1794.Xr ssh 1 . 1643.Xr ssh 1 .
1795.It Cm VisualHostKey 1644.It Cm VisualHostKey
1796If this flag is set to 1645If this flag is set to
1797.Dq yes , 1646.Cm yes ,
1798an ASCII art representation of the remote host key fingerprint is 1647an ASCII art representation of the remote host key fingerprint is
1799printed in addition to the fingerprint string at login and 1648printed in addition to the fingerprint string at login and
1800for unknown host keys. 1649for unknown host keys.
1801If this flag is set to 1650If this flag is set to
1802.Dq no , 1651.Cm no
1652(the default),
1803no fingerprint strings are printed at login and 1653no fingerprint strings are printed at login and
1804only the fingerprint string will be printed for unknown host keys. 1654only the fingerprint string will be printed for unknown host keys.
1805The default is
1806.Dq no .
1807.It Cm XAuthLocation 1655.It Cm XAuthLocation
1808Specifies the full pathname of the 1656Specifies the full pathname of the
1809.Xr xauth 1 1657.Xr xauth 1
@@ -1821,7 +1669,7 @@ or
1821.Sq ?\& 1669.Sq ?\&
1822(a wildcard that matches exactly one character). 1670(a wildcard that matches exactly one character).
1823For example, to specify a set of declarations for any host in the 1671For example, to specify a set of declarations for any host in the
1824.Dq .co.uk 1672.Qq .co.uk
1825set of domains, 1673set of domains,
1826the following pattern could be used: 1674the following pattern could be used:
1827.Pp 1675.Pp
@@ -1841,11 +1689,63 @@ by preceding them with an exclamation mark
1841For example, 1689For example,
1842to allow a key to be used from anywhere within an organization 1690to allow a key to be used from anywhere within an organization
1843except from the 1691except from the
1844.Dq dialup 1692.Qq dialup
1845pool, 1693pool,
1846the following entry (in authorized_keys) could be used: 1694the following entry (in authorized_keys) could be used:
1847.Pp 1695.Pp
1848.Dl from=\&"!*.dialup.example.com,*.example.com\&" 1696.Dl from=\&"!*.dialup.example.com,*.example.com\&"
1697.Sh TOKENS
1698Arguments to some keywords can make use of tokens,
1699which are expanded at runtime:
1700.Pp
1701.Bl -tag -width XXXX -offset indent -compact
1702.It %%
1703A literal
1704.Sq % .
1705.It \&%C
1706Shorthand for %l%h%p%r.
1707.It %d
1708Local user's home directory.
1709.It %h
1710The remote hostname.
1711.It %i
1712The local user ID.
1713.It %L
1714The local hostname.
1715.It %l
1716The local hostname, including the domain name.
1717.It %n
1718The original remote hostname, as given on the command line.
1719.It %p
1720The remote port.
1721.It %r
1722The remote username.
1723.It %u
1724The local username.
1725.El
1726.Pp
1727.Cm Match exec
1728accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u.
1729.Pp
1730.Cm CertificateFile
1731accepts the tokens %%, %d, %h, %l, %r, and %u.
1732.Pp
1733.Cm ControlPath
1734accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
1735.Pp
1736.Cm HostName
1737accepts the tokens %% and %h.
1738.Pp
1739.Cm IdentityAgent
1740and
1741.Cm IdentityFile
1742accept the tokens %%, %d, %h, %l, %r, and %u.
1743.Pp
1744.Cm LocalCommand
1745accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1746.Pp
1747.Cm ProxyCommand
1748accepts the tokens %%, %h, %p, and %r.
1849.Sh FILES 1749.Sh FILES
1850.Bl -tag -width Ds 1750.Bl -tag -width Ds
1851.It Pa ~/.ssh/config 1751.It Pa ~/.ssh/config
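Review bot: in the new TOKENS list, %C is documented as "Shorthand for %l%h%p%r." (new-side line 1706), but the LocalCommand text this section replaces described it as a hash of that concatenation (old-side line 1170), and the difference matters to anyone using %C in ControlPath or LocalCommand, where a hash rather than the spliced-in values is the point. Suggest "Hash of %l%h%p%r." so readers do not expect the four values to appear verbatim. Minor: %L and %l are described as "The local hostname." and "The local hostname, including the domain name."; adding "without the domain name" to %L would make the pair easier to tell apart.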
@@ -1864,11 +1764,15 @@ This file must be world-readable.
1864.Sh SEE ALSO 1764.Sh SEE ALSO
1865.Xr ssh 1 1765.Xr ssh 1
1866.Sh AUTHORS 1766.Sh AUTHORS
1767.An -nosplit
1867OpenSSH is a derivative of the original and free 1768OpenSSH is a derivative of the original and free
1868ssh 1.2.12 release by Tatu Ylonen. 1769ssh 1.2.12 release by
1869Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1770.An Tatu Ylonen .
1870Theo de Raadt and Dug Song 1771.An Aaron Campbell , Bob Beck , Markus Friedl ,
1772.An Niels Provos , Theo de Raadt
1773and
1774.An Dug Song
1871removed many bugs, re-added newer features and 1775removed many bugs, re-added newer features and
1872created OpenSSH. 1776created OpenSSH.
1873Markus Friedl contributed the support for SSH 1777.An Markus Friedl
1874protocol versions 1.5 and 2.0. 1778contributed the support for SSH protocol versions 1.5 and 2.0.