Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 52 |
1 files changed, 42 insertions, 10 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 2da7029af..ed6e5d026 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.268 2018/02/23 07:38:09 jmc Exp $ |
37 | .Dd $Mdocdate: September 21 2017 $ | 37 | .Dd $Mdocdate: February 23 2018 $ |
38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -282,6 +282,13 @@ Note that this option does not work if | |||
282 | .Cm UsePrivilegedPort | 282 | .Cm UsePrivilegedPort |
283 | is set to | 283 | is set to |
284 | .Cm yes . | 284 | .Cm yes . |
285 | .It Cm BindInterface | ||
286 | Use the address of the specified interface on the local machine as the | ||
287 | source address of the connection. | ||
288 | Note that this option does not work if | ||
289 | .Cm UsePrivilegedPort | ||
290 | is set to | ||
291 | .Cm yes . | ||
285 | .It Cm CanonicalDomains | 292 | .It Cm CanonicalDomains |
286 | When | 293 | When |
287 | .Cm CanonicalizeHostname | 294 | .Cm CanonicalizeHostname |
@@ -1071,7 +1078,10 @@ The default is: | |||
1071 | curve25519-sha256,curve25519-sha256@libssh.org, | 1078 | curve25519-sha256,curve25519-sha256@libssh.org, |
1072 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | 1079 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
1073 | diffie-hellman-group-exchange-sha256, | 1080 | diffie-hellman-group-exchange-sha256, |
1081 | diffie-hellman-group16-sha512, | ||
1082 | diffie-hellman-group18-sha512, | ||
1074 | diffie-hellman-group-exchange-sha1, | 1083 | diffie-hellman-group-exchange-sha1, |
1084 | diffie-hellman-group14-sha256, | ||
1075 | diffie-hellman-group14-sha1 | 1085 | diffie-hellman-group14-sha1 |
1076 | .Ed | 1086 | .Ed |
1077 | .Pp | 1087 | .Pp |
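Review bot: in the new default order, diffie-hellman-group-exchange-sha1 still sits above the newly inserted diffie-hellman-group14-sha256, so a SHA-1 key exchange is preferred over a SHA-256 one whenever the server offers neither curve25519, ECDH, group-exchange-sha256 nor the new sha512 groups. If the documented list mirrors the compiled-in default, the ordering is worth raising upstream; if it does not, the man page must be corrected to match, because administrators copy this block into KexAlgorithms as a hardening baseline and will inherit the order as written. The group16-sha512 and group18-sha512 additions are correctly placed above all sha1 entries.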
@@ -1163,10 +1173,7 @@ hmac-sha2-256,hmac-sha2-512,hmac-sha1 | |||
1163 | The list of available MAC algorithms may also be obtained using | 1173 | The list of available MAC algorithms may also be obtained using |
1164 | .Qq ssh -Q mac . | 1174 | .Qq ssh -Q mac . |
1165 | .It Cm NoHostAuthenticationForLocalhost | 1175 | .It Cm NoHostAuthenticationForLocalhost |
1166 | This option can be used if the home directory is shared across machines. | 1176 | Disable host authentication for localhost (loopback addresses). |
1167 | In this case localhost will refer to a different machine on each of | ||
1168 | the machines and the user will get many warnings about changed host keys. | ||
1169 | However, this option disables host authentication for localhost. | ||
1170 | The argument to this keyword must be | 1177 | The argument to this keyword must be |
1171 | .Cm yes | 1178 | .Cm yes |
1172 | or | 1179 | or |
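Review bot: the rewrite drops the only explanation of when NoHostAuthenticationForLocalhost is appropriate (a home directory shared across machines, where "localhost" names a different host on each one and known_hosts churns with changed-key warnings). The new one-liner is accurate but gives the reader neither a reason to use the option nor its cost: host authentication is skipped for every connection to a loopback address, whatever actually listens behind it. Suggest keeping one sentence of the old rationale and adding one sentence stating that cost, so the option is not reached for as a generic way to silence host-key warnings.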
@@ -1254,13 +1261,14 @@ For example, the following directive would connect via an HTTP proxy at | |||
1254 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | 1261 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p |
1255 | .Ed | 1262 | .Ed |
1256 | .It Cm ProxyJump | 1263 | .It Cm ProxyJump |
1257 | Specifies one or more jump proxies as | 1264 | Specifies one or more jump proxies as either |
1258 | .Xo | 1265 | .Xo |
1259 | .Sm off | 1266 | .Sm off |
1260 | .Op Ar user No @ | 1267 | .Op Ar user No @ |
1261 | .Ar host | 1268 | .Ar host |
1262 | .Op : Ns Ar port | 1269 | .Op : Ns Ar port |
1263 | .Sm on | 1270 | .Sm on |
1271 | or an ssh URI | ||
1264 | .Xc . | 1272 | .Xc . |
1265 | Multiple proxies may be separated by comma characters and will be visited | 1273 | Multiple proxies may be separated by comma characters and will be visited |
1266 | sequentially. | 1274 | sequentially. |
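Review bot: "or an ssh URI" introduces a second syntax for ProxyJump without showing it or saying where it is defined, while the ProxyCommand entry just above still carries a worked example (`ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p`). Add either an inline example of the URI form in the same `.Bd`/`.Ed` style or an `.Xr ssh 1` cross-reference to where the URI is specified, and say whether the `[user@]host[:port]` form and the URI form may be mixed within one comma-separated proxy list.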
@@ -1520,7 +1528,7 @@ If this flag is set to | |||
1520 | will never automatically add host keys to the | 1528 | will never automatically add host keys to the |
1521 | .Pa ~/.ssh/known_hosts | 1529 | .Pa ~/.ssh/known_hosts |
1522 | file, and refuses to connect to hosts whose host key has changed. | 1530 | file, and refuses to connect to hosts whose host key has changed. |
1523 | This provides maximum protection against trojan horse attacks, | 1531 | This provides maximum protection against man-in-the-middle (MITM) attacks, |
1524 | though it can be annoying when the | 1532 | though it can be annoying when the |
1525 | .Pa /etc/ssh/ssh_known_hosts | 1533 | .Pa /etc/ssh/ssh_known_hosts |
1526 | file is poorly maintained or when connections to new hosts are | 1534 | file is poorly maintained or when connections to new hosts are |
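Review bot: replacing "trojan horse attacks" with "man-in-the-middle (MITM) attacks" is the right correction, since the behaviour described (refusing to connect when a host key has changed and never adding keys automatically) defends against key substitution on the network path, not against malicious software on the client. The parenthetical abbreviation is introduced here for the first time; check that the ssh(1) page and the StrictHostKeyChecking=ask/accept-new text use the same wording so the two pages do not describe the same threat under two names.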
@@ -1578,6 +1586,9 @@ This is important in scripts, and many users want it too. | |||
1578 | .Pp | 1586 | .Pp |
1579 | To disable TCP keepalive messages, the value should be set to | 1587 | To disable TCP keepalive messages, the value should be set to |
1580 | .Cm no . | 1588 | .Cm no . |
1589 | See also | ||
1590 | .Cm ServerAliveInterval | ||
1591 | for protocol-level keepalives. | ||
1581 | .It Cm Tunnel | 1592 | .It Cm Tunnel |
1582 | Request | 1593 | Request |
1583 | .Xr tun 4 | 1594 | .Xr tun 4 |
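Review bot: the new "See also ServerAliveInterval for protocol-level keepalives" should give the reader a reason to prefer one mechanism over the other. TCP keepalives travel outside the SSH transport and can be forged by anyone on the path, while server-alive messages are carried inside the encrypted channel; a single clause such as ", which are sent through the encrypted connection and cannot be spoofed" turns the bare cross-reference into guidance.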
@@ -1743,6 +1754,18 @@ pool, | |||
1743 | the following entry (in authorized_keys) could be used: | 1754 | the following entry (in authorized_keys) could be used: |
1744 | .Pp | 1755 | .Pp |
1745 | .Dl from=\&"!*.dialup.example.com,*.example.com\&" | 1756 | .Dl from=\&"!*.dialup.example.com,*.example.com\&" |
1757 | .Pp | ||
1758 | Note that a negated match will never produce a positive result by itself. | ||
1759 | For example, attempting to match | ||
1760 | .Qq host3 | ||
1761 | against the following pattern-list will fail: | ||
1762 | .Pp | ||
1763 | .Dl from=\&"!host1,!host2\&" | ||
1764 | .Pp | ||
1765 | The solution here is to include a term that will yield a positive match, | ||
1766 | such as a wildcard: | ||
1767 | .Pp | ||
1768 | .Dl from=\&"!host1,!host2,*\&" | ||
1746 | .Sh TOKENS | 1769 | .Sh TOKENS |
1747 | Arguments to some keywords can make use of tokens, | 1770 | Arguments to some keywords can make use of tokens, |
1748 | which are expanded at runtime: | 1771 | which are expanded at runtime: |
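Review bot: the new paragraph explains that `from="!host1,!host2"` can never match, but it should also say whether term order matters, i.e. whether `from="*,!host1,!host2"` behaves identically to the suggested `from="!host1,!host2,*"`. Readers coming from firewall rule sets will assume first-match semantics unless told otherwise. Since this is the PATTERNS section of ssh_config(5), it is also worth a sentence noting that the example borrows the authorized_keys `from=` syntax (as the preceding example already does) but the rule applies to every pattern-list in this file, including Host and Match arguments.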
@@ -1752,7 +1775,7 @@ which are expanded at runtime: | |||
1752 | A literal | 1775 | A literal |
1753 | .Sq % . | 1776 | .Sq % . |
1754 | .It \&%C | 1777 | .It \&%C |
1755 | Shorthand for %l%h%p%r. | 1778 | Hash of %l%h%p%r. |
1756 | .It %d | 1779 | .It %d |
1757 | Local user's home directory. | 1780 | Local user's home directory. |
1758 | .It %h | 1781 | .It %h |
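Review bot: "Hash of %l%h%p%r" corrects the misleading "Shorthand for", but "hash" alone is underspecified. Name the algorithm and the output form (hex digest and its length), because the main consumer of %C is ControlPath, where users need to know that the expanded path stays within socket-path length limits and that distinct (local host, remote host, port, user) tuples will not collide in practice. Without that, a reader cannot tell whether %C is stable across releases or safe to use in a shared multiplexing directory.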
@@ -1769,6 +1792,15 @@ The original remote hostname, as given on the command line. | |||
1769 | The remote port. | 1792 | The remote port. |
1770 | .It %r | 1793 | .It %r |
1771 | The remote username. | 1794 | The remote username. |
1795 | .It \&%T | ||
1796 | The local | ||
1797 | .Xr tun 4 | ||
1798 | or | ||
1799 | .Xr tap 4 | ||
1800 | network interface assigned if | ||
1801 | tunnel forwarding was requested, or | ||
1802 | .Qq NONE | ||
1803 | otherwise. | ||
1772 | .It %u | 1804 | .It %u |
1773 | The local username. | 1805 | The local username. |
1774 | .El | 1806 | .El |
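Review bot: the %T description says the token expands to "NONE" when no tunnel was requested; make explicit that this is the literal four-character string rather than an empty expansion, since a LocalCommand script that tests `[ -n "$1" ]` would otherwise treat it as a real interface name and try to configure it. The entry should also mention that %T is only accepted by LocalCommand (the token table that follows lists it nowhere else), as the other entries in this list read as generally available.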
@@ -1791,7 +1823,7 @@ and | |||
1791 | accept the tokens %%, %d, %h, %l, %r, and %u. | 1823 | accept the tokens %%, %d, %h, %l, %r, and %u. |
1792 | .Pp | 1824 | .Pp |
1793 | .Cm LocalCommand | 1825 | .Cm LocalCommand |
1794 | accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u. | 1826 | accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, %T, and %u. |
1795 | .Pp | 1827 | .Pp |
1796 | .Cm ProxyCommand | 1828 | .Cm ProxyCommand |
1797 | accepts the tokens %%, %h, %p, and %r. | 1829 | accepts the tokens %%, %h, %p, and %r. |