Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 82 |
1 files changed, 65 insertions, 17 deletions
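--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -43,7 +43,7 @@
 .Nd OpenSSH SSH client configuration files
 .Sh SYNOPSIS
 .Bl -tag -width Ds -compact
-.It Pa $HOME/.ssh/config
+.It Pa ~/.ssh/config
 .It Pa /etc/ssh/ssh_config
 .El
 .Sh DESCRIPTION
@@ -55,7 +55,7 @@ the following order:
 command-line options
 .It
 user's configuration file
-.Pq Pa $HOME/.ssh/config
+.Pq Pa ~/.ssh/config
 .It
 system-wide configuration file
 .Pq Pa /etc/ssh/ssh_config
@@ -143,8 +143,9 @@ or
 The default is
 .Dq no .
 .It Cm BindAddress
-Specify the interface to transmit from on machines with multiple
-interfaces or aliased addresses.
+Use the specified address on the local machine as the source address of
+the connection.
+Only useful on systems with more than one address.
 Note that this option does not work if
 .Cm UsePrivilegedPort
 is set to
@@ -200,14 +201,17 @@ The supported ciphers are
 .Dq aes128-ctr ,
 .Dq aes192-ctr ,
 .Dq aes256-ctr ,
+.Dq arcfour128 ,
+.Dq arcfour256 ,
 .Dq arcfour ,
 .Dq blowfish-cbc ,
 and
 .Dq cast128-cbc .
 The default is
 .Bd -literal
-``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
-aes192-cbc,aes256-cbc''
+``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+aes192-ctr,aes256-ctr''
 .Ed
 .It Cm ClearAllForwardings
 Specifies that all local, remote and dynamic port forwardings
@@ -277,11 +281,47 @@ to listen for control connections, but require confirmation using the
 program before they are accepted (see
 .Xr ssh-add 1
 for details).
+If the
+.Cm ControlPath
+can not be opened,
+.Nm ssh
+will continue without connecting to a master instance.
+.Pp
+X11 and
+.Xr ssh-agent 1
+forwarding is supported over these multiplexed connections, however the
+display and agent fowarded will be the one belonging to the master
+connection i.e. it is not possible to forward multiple displays or agents.
+.Pp
+Two additional options allow for opportunistic multiplexing: try to use a
+master connection but fall back to creating a new one if one does not already
+exist.
+These options are:
+.Dq auto
+and
+.Dq autoask .
+The latter requires confirmation like the
+.Dq ask
+option.
 .It Cm ControlPath
-Specify the path to the control socket used for connection sharing.
-See
+Specify the path to the control socket used for connection sharing as described
+in the
 .Cm ControlMaster
-above.
+section above or the string
+.Dq none
+to disable connection sharing.
+In the path,
+.Ql %h
+will be substituted by the target host name,
+.Ql %p
+the port and
+.Ql %r
+by the remote login username.
+It is recommended that any
+.Cm ControlPath
+used for opportunistic connection sharing include
+all three of these escape sequences.
+This ensures that shared connections are uniquely identified.
 .It Cm DynamicForward
 Specifies that a TCP/IP port on the local machine be forwarded
 over the secure channel, and the application
@@ -419,7 +459,7 @@ Note that this option applies to protocol version 2 only.
 Indicates that
 .Nm ssh
 should hash host names and addresses when they are added to
-.Pa $HOME/.ssh/known_hosts .
+.Pa ~/.ssh/known_hosts .
 These hashed names may be used normally by
 .Nm ssh
 and
@@ -465,11 +505,11 @@ specifications).
 Specifies a file from which the user's RSA or DSA authentication identity
 is read.
 The default is
-.Pa $HOME/.ssh/identity
+.Pa ~/.ssh/identity
 for protocol version 1, and
-.Pa $HOME/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa
 and
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/id_dsa
 for protocol version 2.
 Additionally, any identities represented by the authentication agent
 will be used for authentication.
@@ -624,6 +664,14 @@ Note that
 .Cm CheckHostIP
 is not available for connects with a proxy command.
 .Pp
+This directive is useful in conjunction with
+.Xr nc 1
+and its proxy support.
+For example, the following directive would connect via an HTTP proxy at
+192.0.2.0:
+.Bd -literal -offset 3n
+ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
+.Ed
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be
@@ -784,7 +832,7 @@ If this flag is set to
 .Dq yes ,
 .Nm ssh
 will never automatically add host keys to the
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
 file, and refuses to connect to hosts whose host key has changed.
 This provides maximum protection against trojan horse attacks,
 however, can be annoying when the
@@ -862,7 +910,7 @@ having to remember to give the user name on the command line.
 .It Cm UserKnownHostsFile
 Specifies a file to use for the user
 host key database instead of
-.Pa $HOME/.ssh/known_hosts .
+.Pa ~/.ssh/known_hosts .
 .It Cm VerifyHostKeyDNS
 Specifies whether to verify the remote key using DNS and SSHFP resource
 records.
@@ -895,7 +943,7 @@ The default is
 .El
 .Sh FILES
 .Bl -tag -width Ds
-.It Pa $HOME/.ssh/config
+.It Pa ~/.ssh/config
 This is the per-user configuration file.
 The format of this file is described above.
 This file is used by the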