diff options
Diffstat (limited to 'crypto/openssh/ssh_config.0')
| -rw-r--r-- | crypto/openssh/ssh_config.0 | 1026 |
1 files changed, 0 insertions, 1026 deletions
diff --git a/crypto/openssh/ssh_config.0 b/crypto/openssh/ssh_config.0 deleted file mode 100644 index 6548077..0000000 --- a/crypto/openssh/ssh_config.0 +++ /dev/null @@ -1,1026 +0,0 @@ -SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) - -NAME - ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files - -SYNOPSIS - ~/.ssh/config - /etc/ssh/ssh_config - -DESCRIPTION - ssh(1) obtains configuration data from the following sources in the - following order: - - 1. command-line options - 2. user's configuration file (~/.ssh/config) - 3. system-wide configuration file (/etc/ssh/ssh_config) - - For each parameter, the first obtained value will be used. The - configuration files contain sections separated by M-bM-^@M-^\HostM-bM-^@M-^] specifications, - and that section is only applied for hosts that match one of the patterns - given in the specification. The matched host name is usually the one - given on the command line (see the CanonicalizeHostname option for - exceptions.) - - Since the first obtained value for each parameter is used, more host- - specific declarations should be given near the beginning of the file, and - general defaults at the end. - - The configuration file has the following format: - - Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. Otherwise a line - is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration options may be - separated by whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the - latter format is useful to avoid the need to quote whitespace when - specifying configuration options using the ssh, scp, and sftp -o option. - Arguments may optionally be enclosed in double quotes (") in order to - represent arguments containing spaces. - - The possible keywords and their meanings are as follows (note that - keywords are case-insensitive and arguments are case-sensitive): - - Host Restricts the following declarations (up to the next Host or - Match keyword) to be only for those hosts that match one of the - patterns given after the keyword. If more than one pattern is - provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y - as a pattern can be used to provide global defaults for all - hosts. The host is usually the hostname argument given on the - command line (see the CanonicalizeHostname option for - exceptions.) - - A pattern entry may be negated by prefixing it with an - exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the - Host entry is ignored, regardless of whether any other patterns - on the line match. Negated matches are therefore useful to - provide exceptions for wildcard matches. - - See PATTERNS for more information on patterns. - - Match Restricts the following declarations (up to the next Host or - Match keyword) to be used only when the conditions following the - Match keyword are satisfied. Match conditions are specified - using one or more critera or the single token all which always - matches. The available criteria keywords are: canonical, exec, - host, originalhost, user, and localuser. The all criteria must - appear alone or immediately after canonical. Other criteria may - be combined arbitrarily. All criteria but all and canonical - require an argument. Criteria may be negated by prepending an - exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). - - The canonical keyword matches only when the configuration file is - being re-parsed after hostname canonicalization (see the - CanonicalizeHostname option.) This may be useful to specify - conditions that work with canonical host names only. The exec - keyword executes the specified command under the user's shell. - If the command returns a zero exit status then the condition is - considered true. Commands containing whitespace characters must - be quoted. The following character sequences in the command will - be expanded prior to execution: M-bM-^@M-^X%LM-bM-^@M-^Y will be substituted by the - first component of the local host name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted - by the local host name (including any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be - substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by - the original target host name specified on the command-line, M-bM-^@M-^X%pM-bM-^@M-^Y - the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by the remote login username, and M-bM-^@M-^X%uM-bM-^@M-^Y - by the username of the user running ssh(1). - - The other keywords' criteria must be single entries or comma- - separated lists and may use the wildcard and negation operators - described in the PATTERNS section. The criteria for the host - keyword are matched against the target hostname, after any - substitution by the Hostname or CanonicalizeHostname options. - The originalhost keyword matches against the hostname as it was - specified on the command-line. The user keyword matches against - the target username on the remote host. The localuser keyword - matches against the name of the local user running ssh(1) (this - keyword may be useful in system-wide ssh_config files). - - AddressFamily - Specifies which address family to use when connecting. Valid - arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 - only). - - BatchMode - If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. - This option is useful in scripts and other batch jobs where no - user is present to supply the password. The argument must be - M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - - BindAddress - Use the specified address on the local machine as the source - address of the connection. Only useful on systems with more than - one address. Note that this option does not work if - UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^]. - - CanonicalDomains - When CanonicalizeHostname is enabled, this option specifies the - list of domain suffixes in which to search for the specified - destination host. - - CanonicalizeFallbackLocal - Specifies whether to fail with an error when hostname - canonicalization fails. The default, M-bM-^@M-^\yesM-bM-^@M-^], will attempt to look - up the unqualified hostname using the system resolver's search - rules. A value of M-bM-^@M-^\noM-bM-^@M-^] will cause ssh(1) to fail instantly if - CanonicalizeHostname is enabled and the target hostname cannot be - found in any of the domains specified by CanonicalDomains. - - CanonicalizeHostname - Controls whether explicit hostname canonicalization is performed. - The default, M-bM-^@M-^\noM-bM-^@M-^], is not to perform any name rewriting and let - the system resolver handle all hostname lookups. If set to M-bM-^@M-^\yesM-bM-^@M-^] - then, for connections that do not use a ProxyCommand, ssh(1) will - attempt to canonicalize the hostname specified on the command - line using the CanonicalDomains suffixes and - CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is - set to M-bM-^@M-^\alwaysM-bM-^@M-^], then canonicalization is applied to proxied - connections too. - - If this option is enabled, then the configuration files are - processed again using the new target name to pick up any new - configuration in matching Host and Match stanzas. - - CanonicalizeMaxDots - Specifies the maximum number of dot characters in a hostname - before canonicalization is disabled. The default, M-bM-^@M-^\1M-bM-^@M-^], allows a - single dot (i.e. hostname.subdomain). - - CanonicalizePermittedCNAMEs - Specifies rules to determine whether CNAMEs should be followed - when canonicalizing hostnames. The rules consist of one or more - arguments of source_domain_list:target_domain_list, where - source_domain_list is a pattern-list of domains that may follow - CNAMEs in canonicalization, and target_domain_list is a pattern- - list of domains that they may resolve to. - - For example, M-bM-^@M-^\*.a.example.com:*.b.example.com,*.c.example.comM-bM-^@M-^] - will allow hostnames matching M-bM-^@M-^\*.a.example.comM-bM-^@M-^] to be - canonicalized to names in the M-bM-^@M-^\*.b.example.comM-bM-^@M-^] or - M-bM-^@M-^\*.c.example.comM-bM-^@M-^] domains. - - ChallengeResponseAuthentication - Specifies whether to use challenge-response authentication. The - argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is - M-bM-^@M-^\yesM-bM-^@M-^]. - - CheckHostIP - If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will additionally check the - host IP address in the known_hosts file. This allows ssh to - detect if a host key changed due to DNS spoofing and will add - addresses of destination hosts to ~/.ssh/known_hosts in the - process, regardless of the setting of StrictHostKeyChecking. If - the option is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The - default is M-bM-^@M-^\yesM-bM-^@M-^]. - - Cipher Specifies the cipher to use for encrypting the session in - protocol version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are - supported. des is only supported in the ssh(1) client for - interoperability with legacy protocol 1 implementations that do - not support the 3des cipher. Its use is strongly discouraged due - to cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^]. - - Ciphers - Specifies the ciphers allowed for protocol version 2 in order of - preference. Multiple ciphers must be comma-separated. If the - specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified - ciphers will be appended to the default set instead of replacing - them. - - The supported ciphers are: - - 3des-cbc - aes128-cbc - aes192-cbc - aes256-cbc - aes128-ctr - aes192-ctr - aes256-ctr - aes128-gcm@openssh.com - aes256-gcm@openssh.com - arcfour - arcfour128 - arcfour256 - blowfish-cbc - cast128-cbc - chacha20-poly1305@openssh.com - - The default is: - - aes128-ctr,aes192-ctr,aes256-ctr, - aes128-gcm@openssh.com,aes256-gcm@openssh.com, - chacha20-poly1305@openssh.com, - arcfour256,arcfour128, - aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, - aes192-cbc,aes256-cbc,arcfour - - The list of available ciphers may also be obtained using the -Q - option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. - - ClearAllForwardings - Specifies that all local, remote, and dynamic port forwardings - specified in the configuration files or on the command line be - cleared. This option is primarily useful when used from the - ssh(1) command line to clear port forwardings set in - configuration files, and is automatically set by scp(1) and - sftp(1). The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is - M-bM-^@M-^\noM-bM-^@M-^]. - - Compression - Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] - or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - - CompressionLevel - Specifies the compression level to use if compression is enabled. - The argument must be an integer from 1 (fast) to 9 (slow, best). - The default level is 6, which is good for most applications. The - meaning of the values is the same as in gzip(1). Note that this - option applies to protocol version 1 only. - - ConnectionAttempts - Specifies the number of tries (one per second) to make before - exiting. The argument must be an integer. This may be useful in - scripts if the connection sometimes fails. The default is 1. - - ConnectTimeout - Specifies the timeout (in seconds) used when connecting to the - SSH server, instead of using the default system TCP timeout. - This value is used only when the target is down or really - unreachable, not when it refuses the connection. - - ControlMaster - Enables the sharing of multiple sessions over a single network - connection. When set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will listen for - connections on a control socket specified using the ControlPath - argument. Additional sessions can connect to this socket using - the same ControlPath with ControlMaster set to M-bM-^@M-^\noM-bM-^@M-^] (the - default). These sessions will try to reuse the master instance's - network connection rather than initiating new ones, but will fall - back to connecting normally if the control socket does not exist, - or is not listening. - - Setting this to M-bM-^@M-^\askM-bM-^@M-^] will cause ssh to listen for control - connections, but require confirmation using ssh-askpass(1). If - the ControlPath cannot be opened, ssh will continue without - connecting to a master instance. - - X11 and ssh-agent(1) forwarding is supported over these - multiplexed connections, however the display and agent forwarded - will be the one belonging to the master connection i.e. it is not - possible to forward multiple displays or agents. - - Two additional options allow for opportunistic multiplexing: try - to use a master connection but fall back to creating a new one if - one does not already exist. These options are: M-bM-^@M-^\autoM-bM-^@M-^] and - M-bM-^@M-^\autoaskM-bM-^@M-^]. The latter requires confirmation like the M-bM-^@M-^\askM-bM-^@M-^] - option. - - ControlPath - Specify the path to the control socket used for connection - sharing as described in the ControlMaster section above or the - string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing. In the path, M-bM-^@M-^X%LM-bM-^@M-^Y - will be substituted by the first component of the local host - name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted by the local host name (including - any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host - name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name - specified on the command line, M-bM-^@M-^X%pM-bM-^@M-^Y the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by - the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username of the user - running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: - %l%h%p%r. It is recommended that any ControlPath used for - opportunistic connection sharing include at least %h, %p, and %r - (or alternatively %C) and be placed in a directory that is not - writable by other users. This ensures that shared connections - are uniquely identified. - - ControlPersist - When used in conjunction with ControlMaster, specifies that the - master connection should remain open in the background (waiting - for future client connections) after the initial client - connection has been closed. If set to M-bM-^@M-^\noM-bM-^@M-^], then the master - connection will not be placed into the background, and will close - as soon as the initial client connection is closed. If set to - M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\0M-bM-^@M-^], then the master connection will remain in the - background indefinitely (until killed or closed via a mechanism - such as the ssh(1) M-bM-^@M-^\-O exitM-bM-^@M-^] option). If set to a time in - seconds, or a time in any of the formats documented in - sshd_config(5), then the backgrounded master connection will - automatically terminate after it has remained idle (with no - client connections) for the specified time. - - DynamicForward - Specifies that a TCP port on the local machine be forwarded over - the secure channel, and the application protocol is then used to - determine where to connect to from the remote machine. - - The argument must be [bind_address:]port. IPv6 addresses can be - specified by enclosing addresses in square brackets. By default, - the local port is bound in accordance with the GatewayPorts - setting. However, an explicit bind_address may be used to bind - the connection to a specific address. The bind_address of - M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local - use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port - should be available from all interfaces. - - Currently the SOCKS4 and SOCKS5 protocols are supported, and - ssh(1) will act as a SOCKS server. Multiple forwardings may be - specified, and additional forwardings can be given on the command - line. Only the superuser can forward privileged ports. - - EnableSSHKeysign - Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration - file /etc/ssh/ssh_config enables the use of the helper program - ssh-keysign(8) during HostbasedAuthentication. The argument must - be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. This option should be - placed in the non-hostspecific section. See ssh-keysign(8) for - more information. - - EscapeChar - Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character - can also be set on the command line. The argument should be a - single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable - the escape character entirely (making the connection transparent - for binary data). - - ExitOnForwardFailure - Specifies whether ssh(1) should terminate the connection if it - cannot set up all requested dynamic, tunnel, local, and remote - port forwardings. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The - default is M-bM-^@M-^\noM-bM-^@M-^]. - - FingerprintHash - Specifies the hash algorithm used when displaying key - fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The - default is M-bM-^@M-^\sha256M-bM-^@M-^]. - - ForwardAgent - Specifies whether the connection to the authentication agent (if - any) will be forwarded to the remote machine. The argument must - be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - - Agent forwarding should be enabled with caution. Users with the - ability to bypass file permissions on the remote host (for the - agent's Unix-domain socket) can access the local agent through - the forwarded connection. An attacker cannot obtain key material - from the agent, however they can perform operations on the keys - that enable them to authenticate using the identities loaded into - the agent. - - ForwardX11 - Specifies whether X11 connections will be automatically - redirected over the secure channel and DISPLAY set. The argument - must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - - X11 forwarding should be enabled with caution. Users with the - ability to bypass file permissions on the remote host (for the - user's X11 authorization database) can access the local X11 - display through the forwarded connection. An attacker may then - be able to perform activities such as keystroke monitoring if the - ForwardX11Trusted option is also enabled. - - ForwardX11Timeout - Specify a timeout for untrusted X11 forwarding using the format - described in the TIME FORMATS section of sshd_config(5). X11 - connections received by ssh(1) after this time will be refused. - The default is to disable untrusted X11 forwarding after twenty - minutes has elapsed. - - ForwardX11Trusted - If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], remote X11 clients will have full - access to the original X11 display. - - If this option is set to M-bM-^@M-^\noM-bM-^@M-^], remote X11 clients will be - considered untrusted and prevented from stealing or tampering - with data belonging to trusted X11 clients. Furthermore, the - xauth(1) token used for the session will be set to expire after - 20 minutes. Remote clients will be refused access after this - time. - - The default is M-bM-^@M-^\noM-bM-^@M-^]. - - See the X11 SECURITY extension specification for full details on - the restrictions imposed on untrusted clients. - - GatewayPorts - Specifies whether remote hosts are allowed to connect to local - forwarded ports. By default, ssh(1) binds local port forwardings - to the loopback address. This prevents other remote hosts from - connecting to forwarded ports. GatewayPorts can be used to - specify that ssh should bind local port forwardings to the - wildcard address, thus allowing remote hosts to connect to - forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The - default is M-bM-^@M-^\noM-bM-^@M-^]. - - GlobalKnownHostsFile - Specifies one or more files to use for the global host key - database, separated by whitespace. The default is - /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. - - GSSAPIAuthentication - Specifies whether user authentication based on GSSAPI is allowed. - The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol - version 2 only. - - GSSAPIDelegateCredentials - Forward (delegate) credentials to the server. The default is - M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 only. - - HashKnownHosts - Indicates that ssh(1) should hash host names and addresses when - they are added to ~/.ssh/known_hosts. These hashed names may be - used normally by ssh(1) and sshd(8), but they do not reveal - identifying information should the file's contents be disclosed. - The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that existing names and addresses in - known hosts files will not be converted automatically, but may be - manually hashed using ssh-keygen(1). - - HostbasedAuthentication - Specifies whether to try rhosts based authentication with public - key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The - default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 2 only - and is similar to RhostsRSAAuthentication. - - HostbasedKeyTypes - Specifies the key types that will be used for hostbased - authentication as a comma-separated pattern list. Alternately if - the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the - specified key types will be appended to the default set instead - of replacing them. The default for this option is: - - ecdsa-sha2-nistp256-cert-v01@openssh.com, - ecdsa-sha2-nistp384-cert-v01@openssh.com, - ecdsa-sha2-nistp521-cert-v01@openssh.com, - ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, - ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, - ssh-ed25519,ssh-rsa - - The -Q option of ssh(1) may be used to list supported key types. - - HostKeyAlgorithms - Specifies the protocol version 2 host key algorithms that the - client wants to use in order of preference. Alternately if the - specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified - key types will be appended to the default set instead of - replacing them. The default for this option is: - - ecdsa-sha2-nistp256-cert-v01@openssh.com, - ecdsa-sha2-nistp384-cert-v01@openssh.com, - ecdsa-sha2-nistp521-cert-v01@openssh.com, - ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, - ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, - ssh-ed25519,ssh-rsa - - If hostkeys are known for the destination host then this default - is modified to prefer their algorithms. - - The list of available key types may also be obtained using the -Q - option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. - - HostKeyAlias - Specifies an alias that should be used instead of the real host - name when looking up or saving the host key in the host key - database files. This option is useful for tunneling SSH - connections or for multiple servers running on a single host. - - HostName - Specifies the real host name to log into. This can be used to - specify nicknames or abbreviations for hosts. If the hostname - contains the character sequence M-bM-^@M-^X%hM-bM-^@M-^Y, then this will be replaced - with the host name specified on the command line (this is useful - for manipulating unqualified names). The character sequence M-bM-^@M-^X%%M-bM-^@M-^Y - will be replaced by a single M-bM-^@M-^X%M-bM-^@M-^Y character, which may be used - when specifying IPv6 link-local addresses. - - The default is the name given on the command line. Numeric IP - addresses are also permitted (both on the command line and in - HostName specifications). - - IdentitiesOnly - Specifies that ssh(1) should only use the authentication identity - files configured in the ssh_config files, even if ssh-agent(1) or - a PKCS11Provider offers more identities. The argument to this - keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option is intended for - situations where ssh-agent offers many different identities. The - default is M-bM-^@M-^\noM-bM-^@M-^]. - - IdentityFile - Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA - authentication identity is read. The default is ~/.ssh/identity - for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, - ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. - Additionally, any identities represented by the authentication - agent will be used for authentication unless IdentitiesOnly is - set. ssh(1) will try to load certificate information from the - filename obtained by appending -cert.pub to the path of a - specified IdentityFile. - - The file name may use the tilde syntax to refer to a user's home - directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local - user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host - name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name). - - It is possible to have multiple identity files specified in - configuration files; all these identities will be tried in - sequence. Multiple IdentityFile directives will add to the list - of identities tried (this behaviour differs from that of other - configuration directives). - - IdentityFile may be used in conjunction with IdentitiesOnly to - select which identities in an agent are offered during - authentication. - - IgnoreUnknown - Specifies a pattern-list of unknown options to be ignored if they - are encountered in configuration parsing. This may be used to - suppress errors if ssh_config contains options that are - unrecognised by ssh(1). It is recommended that IgnoreUnknown be - listed early in the configuration file as it will not be applied - to unknown options that appear before it. - - IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. - Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], M-bM-^@M-^\af22M-bM-^@M-^], - M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], M-bM-^@M-^\cs0M-bM-^@M-^], - M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^], - M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value. - This option may take one or two arguments, separated by - whitespace. If one argument is specified, it is used as the - packet class unconditionally. If two values are specified, the - first is automatically selected for interactive sessions and the - second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^] - for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive - sessions. - - KbdInteractiveAuthentication - Specifies whether to use keyboard-interactive authentication. - The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default - is M-bM-^@M-^\yesM-bM-^@M-^]. - - KbdInteractiveDevices - Specifies the list of methods to use in keyboard-interactive - authentication. Multiple method names must be comma-separated. - The default is to use the server specified list. The methods - available vary depending on what the server supports. For an - OpenSSH server, it may be zero or more of: M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], and - M-bM-^@M-^\skeyM-bM-^@M-^]. - - KexAlgorithms - Specifies the available KEX (Key Exchange) algorithms. Multiple - algorithms must be comma-separated. Alternately if the specified - value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods - will be appended to the default set instead of replacing them. - The default is: - - curve25519-sha256@libssh.org, - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, - diffie-hellman-group-exchange-sha256, - diffie-hellman-group-exchange-sha1, - diffie-hellman-group14-sha1 - - The list of available key exchange algorithms may also be - obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. - - LocalCommand - Specifies a command to execute on the local machine after - successfully connecting to the server. The command string - extends to the end of the line, and is executed with the user's - shell. The following escape character substitutions will be - performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host - name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the - command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or - M-bM-^@M-^X%uM-bM-^@M-^Y (local user name) or M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: - %l%h%p%r. - - The command is run synchronously and does not have access to the - session of the ssh(1) that spawned it. It should not be used for - interactive commands. - - This directive is ignored unless PermitLocalCommand has been - enabled. - - LocalForward - Specifies that a TCP port on the local machine be forwarded over - the secure channel to the specified host and port from the remote - machine. The first argument must be [bind_address:]port and the - second argument must be host:hostport. IPv6 addresses can be - specified by enclosing addresses in square brackets. Multiple - forwardings may be specified, and additional forwardings can be - given on the command line. Only the superuser can forward - privileged ports. By default, the local port is bound in - accordance with the GatewayPorts setting. However, an explicit - bind_address may be used to bind the connection to a specific - address. The bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the - listening port be bound for local use only, while an empty - address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from - all interfaces. - - LogLevel - Gives the verbosity level that is used when logging messages from - ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, - VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. - DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify - higher levels of verbose output. - - MACs Specifies the MAC (message authentication code) algorithms in - order of preference. The MAC algorithm is used in protocol - version 2 for data integrity protection. Multiple algorithms - must be comma-separated. If the specified value begins with a - M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms will be appended to - the default set instead of replacing them. - - The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after - encryption (encrypt-then-mac). These are considered safer and - their use recommended. - - The default is: - - umac-64-etm@openssh.com,umac-128-etm@openssh.com, - hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, - umac-64@openssh.com,umac-128@openssh.com, - hmac-sha2-256,hmac-sha2-512, - hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, - hmac-ripemd160-etm@openssh.com, - hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, - hmac-md5,hmac-sha1,hmac-ripemd160, - hmac-sha1-96,hmac-md5-96 - - The list of available MAC algorithms may also be obtained using - the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. - - NoHostAuthenticationForLocalhost - This option can be used if the home directory is shared across - machines. In this case localhost will refer to a different - machine on each of the machines and the user will get many - warnings about changed host keys. However, this option disables - host authentication for localhost. The argument to this keyword - must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for - localhost. - - NumberOfPasswordPrompts - Specifies the number of password prompts before giving up. The - argument to this keyword must be an integer. The default is 3. - - PasswordAuthentication - Specifies whether to use password authentication. The argument - to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. - - PermitLocalCommand - Allow local command execution via the LocalCommand option or - using the !command escape sequence in ssh(1). The argument must - be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - - PKCS11Provider - Specifies which PKCS#11 provider to use. The argument to this - keyword is the PKCS#11 shared library ssh(1) should use to - communicate with a PKCS#11 token providing the user's private RSA - key. - - Port Specifies the port number to connect on the remote host. The - default is 22. - - PreferredAuthentications - Specifies the order in which the client should try protocol 2 - authentication methods. This allows a client to prefer one - method (e.g. keyboard-interactive) over another method (e.g. - password). The default is: - - gssapi-with-mic,hostbased,publickey, - keyboard-interactive,password - - Protocol - Specifies the protocol versions ssh(1) should support in order of - preference. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple - versions must be comma-separated. When this option is set to - M-bM-^@M-^\2,1M-bM-^@M-^] ssh will try version 2 and fall back to version 1 if - version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y. - - ProxyCommand - Specifies the command to use to connect to the server. The - command string extends to the end of the line, and is executed - using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering - shell process. - - In the command string, any occurrence of M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted - by the host name to connect, M-bM-^@M-^X%pM-bM-^@M-^Y by the port, and M-bM-^@M-^X%rM-bM-^@M-^Y by the - remote user name. The command can be basically anything, and - should read from its standard input and write to its standard - output. It should eventually connect an sshd(8) server running - on some machine, or execute sshd -i somewhere. Host key - management will be done using the HostName of the host being - connected (defaulting to the name typed by the user). Setting - the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option entirely. Note that - CheckHostIP is not available for connects with a proxy command. - - This directive is useful in conjunction with nc(1) and its proxy - support. For example, the following directive would connect via - an HTTP proxy at 192.0.2.0: - - ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p - - ProxyUseFdpass - Specifies that ProxyCommand will pass a connected file descriptor - back to ssh(1) instead of continuing to execute and pass data. - The default is M-bM-^@M-^\noM-bM-^@M-^]. - - PubkeyAcceptedKeyTypes - Specifies the key types that will be used for public key - authentication as a comma-separated pattern list. Alternately if - the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the key - types after it will be appended to the default instead of - replacing it. The default for this option is: - - ecdsa-sha2-nistp256-cert-v01@openssh.com, - ecdsa-sha2-nistp384-cert-v01@openssh.com, - ecdsa-sha2-nistp521-cert-v01@openssh.com, - ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com, - ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, - ssh-ed25519,ssh-rsa - - The -Q option of ssh(1) may be used to list supported key types. - - PubkeyAuthentication - Specifies whether to try public key authentication. The argument - to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. - This option applies to protocol version 2 only. - - RekeyLimit - Specifies the maximum amount of data that may be transmitted - before the session key is renegotiated, optionally followed a - maximum amount of time that may pass before the session key is - renegotiated. The first argument is specified in bytes and may - have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, - Megabytes, or Gigabytes, respectively. The default is between - M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second - value is specified in seconds and may use any of the units - documented in the TIME FORMATS section of sshd_config(5). The - default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that - rekeying is performed after the cipher's default amount of data - has been sent or received and no time based rekeying is done. - This option applies to protocol version 2 only. - - RemoteForward - Specifies that a TCP port on the remote machine be forwarded over - the secure channel to the specified host and port from the local - machine. The first argument must be [bind_address:]port and the - second argument must be host:hostport. IPv6 addresses can be - specified by enclosing addresses in square brackets. Multiple - forwardings may be specified, and additional forwardings can be - given on the command line. Privileged ports can be forwarded - only when logging in as root on the remote machine. - - If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically - allocated on the server and reported to the client at run time. - - If the bind_address is not specified, the default is to only bind - to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty - string, then the forwarding is requested to listen on all - interfaces. Specifying a remote bind_address will only succeed - if the server's GatewayPorts option is enabled (see - sshd_config(5)). - - RequestTTY - Specifies whether to request a pseudo-tty for the session. The - argument may be one of: M-bM-^@M-^\noM-bM-^@M-^] (never request a TTY), M-bM-^@M-^\yesM-bM-^@M-^] (always - request a TTY when standard input is a TTY), M-bM-^@M-^\forceM-bM-^@M-^] (always - request a TTY) or M-bM-^@M-^\autoM-bM-^@M-^] (request a TTY when opening a login - session). This option mirrors the -t and -T flags for ssh(1). - - RevokedHostKeys - Specifies revoked host public keys. Keys listed in this file - will be refused for host authentication. Note that if this file - does not exist or is not readable, then host authentication will - be refused for all hosts. Keys may be specified as a text file, - listing one public key per line, or as an OpenSSH Key Revocation - List (KRL) as generated by ssh-keygen(1). For more information - on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). - - RhostsRSAAuthentication - Specifies whether to try rhosts based authentication with RSA - host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The - default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only - and requires ssh(1) to be setuid root. - - RSAAuthentication - Specifies whether to try RSA authentication. The argument to - this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only - be attempted if the identity file exists, or an authentication - agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option - applies to protocol version 1 only. - - SendEnv - Specifies what variables from the local environ(7) should be sent - to the server. Note that environment passing is only supported - for protocol 2. The server must also support it, and the server - must be configured to accept these environment variables. Note - that the TERM environment variable is always sent whenever a - pseudo-terminal is requested as it is required by the protocol. - Refer to AcceptEnv in sshd_config(5) for how to configure the - server. Variables are specified by name, which may contain - wildcard characters. Multiple environment variables may be - separated by whitespace or spread across multiple SendEnv - directives. The default is not to send any environment - variables. - - See PATTERNS for more information on patterns. - - ServerAliveCountMax - Sets the number of server alive messages (see below) which may be - sent without ssh(1) receiving any messages back from the server. - If this threshold is reached while server alive messages are - being sent, ssh will disconnect from the server, terminating the - session. It is important to note that the use of server alive - messages is very different from TCPKeepAlive (below). The server - alive messages are sent through the encrypted channel and - therefore will not be spoofable. The TCP keepalive option - enabled by TCPKeepAlive is spoofable. The server alive mechanism - is valuable when the client or server depend on knowing when a - connection has become inactive. - - The default value is 3. If, for example, ServerAliveInterval - (see below) is set to 15 and ServerAliveCountMax is left at the - default, if the server becomes unresponsive, ssh will disconnect - after approximately 45 seconds. This option applies to protocol - version 2 only. - - ServerAliveInterval - Sets a timeout interval in seconds after which if no data has - been received from the server, ssh(1) will send a message through - the encrypted channel to request a response from the server. The - default is 0, indicating that these messages will not be sent to - the server. This option applies to protocol version 2 only. - - StreamLocalBindMask - Sets the octal file creation mode mask (umask) used when creating - a Unix-domain socket file for local or remote port forwarding. - This option is only used for port forwarding to a Unix-domain - socket file. - - The default value is 0177, which creates a Unix-domain socket - file that is readable and writable only by the owner. Note that - not all operating systems honor the file mode on Unix-domain - socket files. - - StreamLocalBindUnlink - Specifies whether to remove an existing Unix-domain socket file - for local or remote port forwarding before creating a new one. - If the socket file already exists and StreamLocalBindUnlink is - not enabled, ssh will be unable to forward the port to the Unix- - domain socket file. This option is only used for port forwarding - to a Unix-domain socket file. - - The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - - StrictHostKeyChecking - If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will never automatically add - host keys to the ~/.ssh/known_hosts file, and refuses to connect - to hosts whose host key has changed. This provides maximum - protection against trojan horse attacks, though it can be - annoying when the /etc/ssh/ssh_known_hosts file is poorly - maintained or when connections to new hosts are frequently made. - This option forces the user to manually add all new hosts. If - this flag is set to M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host - keys to the user known hosts files. If this flag is set to - M-bM-^@M-^\askM-bM-^@M-^], new host keys will be added to the user known host files - only after the user has confirmed that is what they really want - to do, and ssh will refuse to connect to hosts whose host key has - changed. The host keys of known hosts will be verified - automatically in all cases. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or - M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^]. - - TCPKeepAlive - Specifies whether the system should send TCP keepalive messages - to the other side. If they are sent, death of the connection or - crash of one of the machines will be properly noticed. However, - this means that connections will die if the route is down - temporarily, and some people find it annoying. - - The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the - client will notice if the network goes down or the remote host - dies. This is important in scripts, and many users want it too. - - To disable TCP keepalive messages, the value should be set to - M-bM-^@M-^\noM-bM-^@M-^]. - - Tunnel Request tun(4) device forwarding between the client and the - server. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), - M-bM-^@M-^\ethernetM-bM-^@M-^] (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] requests the - default tunnel mode, which is M-bM-^@M-^\point-to-pointM-bM-^@M-^]. The default is - M-bM-^@M-^\noM-bM-^@M-^]. - - TunnelDevice - Specifies the tun(4) devices to open on the client (local_tun) - and the server (remote_tun). - - The argument must be local_tun[:remote_tun]. The devices may be - specified by numerical ID or the keyword M-bM-^@M-^\anyM-bM-^@M-^], which uses the - next available tunnel device. If remote_tun is not specified, it - defaults to M-bM-^@M-^\anyM-bM-^@M-^]. The default is M-bM-^@M-^\any:anyM-bM-^@M-^]. - - UpdateHostKeys - Specifies whether ssh(1) should accept notifications of - additional hostkeys from the server sent after authentication has - completed and add them to UserKnownHostsFile. The argument must - be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] (the default) or M-bM-^@M-^\askM-bM-^@M-^]. Enabling this option - allows learning alternate hostkeys for a server and supports - graceful key rotation by allowing a server to send replacement - public keys before old ones are removed. Additional hostkeys are - only accepted if the key used to authenticate the host was - already trusted or explicity accepted by the user. If - UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm - the modifications to the known_hosts file. Confirmation is - currently incompatible with ControlPersist, and will be disabled - if it is enabled. - - Presently, only sshd(8) from OpenSSH 6.8 and greater support the - M-bM-^@M-^\hostkeys@openssh.comM-bM-^@M-^] protocol extension used to inform the - client of all the server's hostkeys. - - UsePrivilegedPort - Specifies whether to use a privileged port for outgoing - connections. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is - M-bM-^@M-^\noM-bM-^@M-^]. If set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) must be setuid root. Note that - this option must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with - older servers. - - User Specifies the user to log in as. This can be useful when a - different user name is used on different machines. This saves - the trouble of having to remember to give the user name on the - command line. - - UserKnownHostsFile - Specifies one or more files to use for the user host key - database, separated by whitespace. The default is - ~/.ssh/known_hosts, ~/.ssh/known_hosts2. - - VerifyHostKeyDNS - Specifies whether to verify the remote key using DNS and SSHFP - resource records. If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], the client - will implicitly trust keys that match a secure fingerprint from - DNS. Insecure fingerprints will be handled as if this option was - set to M-bM-^@M-^\askM-bM-^@M-^]. If this option is set to M-bM-^@M-^\askM-bM-^@M-^], information on - fingerprint match will be displayed, but the user will still need - to confirm new host keys according to the StrictHostKeyChecking - option. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\askM-bM-^@M-^]. The default - is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 - only. - - See also VERIFYING HOST KEYS in ssh(1). - - VisualHostKey - If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], an ASCII art representation of the - remote host key fingerprint is printed in addition to the - fingerprint string at login and for unknown host keys. If this - flag is set to M-bM-^@M-^\noM-bM-^@M-^], no fingerprint strings are printed at login - and only the fingerprint string will be printed for unknown host - keys. The default is M-bM-^@M-^\noM-bM-^@M-^]. - - XAuthLocation - Specifies the full pathname of the xauth(1) program. The default - is /usr/X11R6/bin/xauth. - -PATTERNS - A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a - wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that - matches exactly one character). For example, to specify a set of - declarations for any host in the M-bM-^@M-^\.co.ukM-bM-^@M-^] set of domains, the following - pattern could be used: - - Host *.co.uk - - The following pattern would match any host in the 192.168.0.[0-9] network - range: - - Host 192.168.0.? - - A pattern-list is a comma-separated list of patterns. Patterns within - pattern-lists may be negated by preceding them with an exclamation mark - (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an - organization except from the M-bM-^@M-^\dialupM-bM-^@M-^] pool, the following entry (in - authorized_keys) could be used: - - from="!*.dialup.example.com,*.example.com" - -FILES - ~/.ssh/config - This is the per-user configuration file. The format of this file - is described above. This file is used by the SSH client. - Because of the potential for abuse, this file must have strict - permissions: read/write for the user, and not accessible by - others. - - /etc/ssh/ssh_config - Systemwide configuration file. This file provides defaults for - those values that are not specified in the user's configuration - file, and for those users who do not have a configuration file. - This file must be world-readable. - -SEE ALSO - ssh(1) - -AUTHORS - OpenSSH is a derivative of the original and free ssh 1.2.12 release by - Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and - created OpenSSH. Markus Friedl contributed the support for SSH protocol - versions 1.5 and 2.0. - -OpenBSD 5.8 July 30, 2015 OpenBSD 5.8 |
