diff options
Diffstat (limited to 'crypto/openssh/ssh_config.0')
-rw-r--r-- | crypto/openssh/ssh_config.0 | 985 |
1 files changed, 985 insertions, 0 deletions
diff --git a/crypto/openssh/ssh_config.0 b/crypto/openssh/ssh_config.0 new file mode 100644 index 0000000..b0a614b --- /dev/null +++ b/crypto/openssh/ssh_config.0 @@ -0,0 +1,985 @@ +SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) + +NAME + ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files + +SYNOPSIS + ~/.ssh/config + /etc/ssh/ssh_config + +DESCRIPTION + ssh(1) obtains configuration data from the following sources in the + following order: + + 1. command-line options + 2. user's configuration file (~/.ssh/config) + 3. system-wide configuration file (/etc/ssh/ssh_config) + + For each parameter, the first obtained value will be used. The + configuration files contain sections separated by M-bM-^@M-^\HostM-bM-^@M-^] specifications, + and that section is only applied for hosts that match one of the patterns + given in the specification. The matched host name is usually the one + given on the command line (see the CanonicalizeHostname option for + exceptions.) + + Since the first obtained value for each parameter is used, more host- + specific declarations should be given near the beginning of the file, and + general defaults at the end. + + The configuration file has the following format: + + Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. Otherwise a line + is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration options may be + separated by whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the + latter format is useful to avoid the need to quote whitespace when + specifying configuration options using the ssh, scp, and sftp -o option. + Arguments may optionally be enclosed in double quotes (") in order to + represent arguments containing spaces. + + The possible keywords and their meanings are as follows (note that + keywords are case-insensitive and arguments are case-sensitive): + + Host Restricts the following declarations (up to the next Host or + Match keyword) to be only for those hosts that match one of the + patterns given after the keyword. If more than one pattern is + provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y + as a pattern can be used to provide global defaults for all + hosts. The host is usually the hostname argument given on the + command line (see the CanonicalizeHostname option for + exceptions.) + + A pattern entry may be negated by prefixing it with an + exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the + Host entry is ignored, regardless of whether any other patterns + on the line match. Negated matches are therefore useful to + provide exceptions for wildcard matches. + + See PATTERNS for more information on patterns. + + Match Restricts the following declarations (up to the next Host or + Match keyword) to be used only when the conditions following the + Match keyword are satisfied. Match conditions are specified + using one or more critera or the single token all which always + matches. The available criteria keywords are: canonical, exec, + host, originalhost, user, and localuser. The all criteria must + appear alone or immediately after canonical. Other criteria may + be combined arbitrarily. All criteria but all and canonical + require an argument. Criteria may be negated by prepending an + exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). + + The canonical keyword matches only when the configuration file is + being re-parsed after hostname canonicalization (see the + CanonicalizeHostname option.) This may be useful to specify + conditions that work with canonical host names only. The exec + keyword executes the specified command under the user's shell. + If the command returns a zero exit status then the condition is + considered true. Commands containing whitespace characters must + be quoted. The following character sequences in the command will + be expanded prior to execution: M-bM-^@M-^X%LM-bM-^@M-^Y will be substituted by the + first component of the local host name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted + by the local host name (including any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be + substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by + the original target host name specified on the command-line, M-bM-^@M-^X%pM-bM-^@M-^Y + the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by the remote login username, and M-bM-^@M-^X%uM-bM-^@M-^Y + by the username of the user running ssh(1). + + The other keywords' criteria must be single entries or comma- + separated lists and may use the wildcard and negation operators + described in the PATTERNS section. The criteria for the host + keyword are matched against the target hostname, after any + substitution by the Hostname or CanonicalizeHostname options. + The originalhost keyword matches against the hostname as it was + specified on the command-line. The user keyword matches against + the target username on the remote host. The localuser keyword + matches against the name of the local user running ssh(1) (this + keyword may be useful in system-wide ssh_config files). + + AddressFamily + Specifies which address family to use when connecting. Valid + arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 + only). + + BatchMode + If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. + This option is useful in scripts and other batch jobs where no + user is present to supply the password. The argument must be + M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. + + BindAddress + Use the specified address on the local machine as the source + address of the connection. Only useful on systems with more than + one address. Note that this option does not work if + UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^]. + + CanonicalDomains + When CanonicalizeHostname is enabled, this option specifies the + list of domain suffixes in which to search for the specified + destination host. + + CanonicalizeFallbackLocal + Specifies whether to fail with an error when hostname + canonicalization fails. The default, M-bM-^@M-^\yesM-bM-^@M-^], will attempt to look + up the unqualified hostname using the system resolver's search + rules. A value of M-bM-^@M-^\noM-bM-^@M-^] will cause ssh(1) to fail instantly if + CanonicalizeHostname is enabled and the target hostname cannot be + found in any of the domains specified by CanonicalDomains. + + CanonicalizeHostname + Controls whether explicit hostname canonicalization is performed. + The default, M-bM-^@M-^\noM-bM-^@M-^], is not to perform any name rewriting and let + the system resolver handle all hostname lookups. If set to M-bM-^@M-^\yesM-bM-^@M-^] + then, for connections that do not use a ProxyCommand, ssh(1) will + attempt to canonicalize the hostname specified on the command + line using the CanonicalDomains suffixes and + CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is + set to M-bM-^@M-^\alwaysM-bM-^@M-^], then canonicalization is applied to proxied + connections too. + + If this option is enabled, then the configuration files are + processed again using the new target name to pick up any new + configuration in matching Host and Match stanzas. + + CanonicalizeMaxDots + Specifies the maximum number of dot characters in a hostname + before canonicalization is disabled. The default, M-bM-^@M-^\1M-bM-^@M-^], allows a + single dot (i.e. hostname.subdomain). + + CanonicalizePermittedCNAMEs + Specifies rules to determine whether CNAMEs should be followed + when canonicalizing hostnames. The rules consist of one or more + arguments of source_domain_list:target_domain_list, where + source_domain_list is a pattern-list of domains that may follow + CNAMEs in canonicalization, and target_domain_list is a pattern- + list of domains that they may resolve to. + + For example, M-bM-^@M-^\*.a.example.com:*.b.example.com,*.c.example.comM-bM-^@M-^] + will allow hostnames matching M-bM-^@M-^\*.a.example.comM-bM-^@M-^] to be + canonicalized to names in the M-bM-^@M-^\*.b.example.comM-bM-^@M-^] or + M-bM-^@M-^\*.c.example.comM-bM-^@M-^] domains. + + ChallengeResponseAuthentication + Specifies whether to use challenge-response authentication. The + argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is + M-bM-^@M-^\yesM-bM-^@M-^]. + + CheckHostIP + If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will additionally check the + host IP address in the known_hosts file. This allows ssh to + detect if a host key changed due to DNS spoofing and will add + addresses of destination hosts to ~/.ssh/known_hosts in the + process, regardless of the setting of StrictHostKeyChecking. If + the option is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The + default is M-bM-^@M-^\yesM-bM-^@M-^]. + + Cipher Specifies the cipher to use for encrypting the session in + protocol version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are + supported. des is only supported in the ssh(1) client for + interoperability with legacy protocol 1 implementations that do + not support the 3des cipher. Its use is strongly discouraged due + to cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^]. + + Ciphers + Specifies the ciphers allowed for protocol version 2 in order of + preference. Multiple ciphers must be comma-separated. The + supported ciphers are: + + 3des-cbc + aes128-cbc + aes192-cbc + aes256-cbc + aes128-ctr + aes192-ctr + aes256-ctr + aes128-gcm@openssh.com + aes256-gcm@openssh.com + arcfour + arcfour128 + arcfour256 + blowfish-cbc + cast128-cbc + chacha20-poly1305@openssh.com + + The default is: + + aes128-ctr,aes192-ctr,aes256-ctr, + aes128-gcm@openssh.com,aes256-gcm@openssh.com, + chacha20-poly1305@openssh.com, + arcfour256,arcfour128, + aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, + aes192-cbc,aes256-cbc,arcfour + + The list of available ciphers may also be obtained using the -Q + option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. + + ClearAllForwardings + Specifies that all local, remote, and dynamic port forwardings + specified in the configuration files or on the command line be + cleared. This option is primarily useful when used from the + ssh(1) command line to clear port forwardings set in + configuration files, and is automatically set by scp(1) and + sftp(1). The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is + M-bM-^@M-^\noM-bM-^@M-^]. + + Compression + Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] + or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. + + CompressionLevel + Specifies the compression level to use if compression is enabled. + The argument must be an integer from 1 (fast) to 9 (slow, best). + The default level is 6, which is good for most applications. The + meaning of the values is the same as in gzip(1). Note that this + option applies to protocol version 1 only. + + ConnectionAttempts + Specifies the number of tries (one per second) to make before + exiting. The argument must be an integer. This may be useful in + scripts if the connection sometimes fails. The default is 1. + + ConnectTimeout + Specifies the timeout (in seconds) used when connecting to the + SSH server, instead of using the default system TCP timeout. + This value is used only when the target is down or really + unreachable, not when it refuses the connection. + + ControlMaster + Enables the sharing of multiple sessions over a single network + connection. When set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will listen for + connections on a control socket specified using the ControlPath + argument. Additional sessions can connect to this socket using + the same ControlPath with ControlMaster set to M-bM-^@M-^\noM-bM-^@M-^] (the + default). These sessions will try to reuse the master instance's + network connection rather than initiating new ones, but will fall + back to connecting normally if the control socket does not exist, + or is not listening. + + Setting this to M-bM-^@M-^\askM-bM-^@M-^] will cause ssh to listen for control + connections, but require confirmation using ssh-askpass(1). If + the ControlPath cannot be opened, ssh will continue without + connecting to a master instance. + + X11 and ssh-agent(1) forwarding is supported over these + multiplexed connections, however the display and agent forwarded + will be the one belonging to the master connection i.e. it is not + possible to forward multiple displays or agents. + + Two additional options allow for opportunistic multiplexing: try + to use a master connection but fall back to creating a new one if + one does not already exist. These options are: M-bM-^@M-^\autoM-bM-^@M-^] and + M-bM-^@M-^\autoaskM-bM-^@M-^]. The latter requires confirmation like the M-bM-^@M-^\askM-bM-^@M-^] + option. + + ControlPath + Specify the path to the control socket used for connection + sharing as described in the ControlMaster section above or the + string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing. In the path, M-bM-^@M-^X%LM-bM-^@M-^Y + will be substituted by the first component of the local host + name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted by the local host name (including + any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host + name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name + specified on the command line, M-bM-^@M-^X%pM-bM-^@M-^Y the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by + the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username of the user + running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: + %l%h%p%r. It is recommended that any ControlPath used for + opportunistic connection sharing include at least %h, %p, and %r + (or alternatively %C) and be placed in a directory that is not + writable by other users. This ensures that shared connections + are uniquely identified. + + ControlPersist + When used in conjunction with ControlMaster, specifies that the + master connection should remain open in the background (waiting + for future client connections) after the initial client + connection has been closed. If set to M-bM-^@M-^\noM-bM-^@M-^], then the master + connection will not be placed into the background, and will close + as soon as the initial client connection is closed. If set to + M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\0M-bM-^@M-^], then the master connection will remain in the + background indefinitely (until killed or closed via a mechanism + such as the ssh(1) M-bM-^@M-^\-O exitM-bM-^@M-^] option). If set to a time in + seconds, or a time in any of the formats documented in + sshd_config(5), then the backgrounded master connection will + automatically terminate after it has remained idle (with no + client connections) for the specified time. + + DynamicForward + Specifies that a TCP port on the local machine be forwarded over + the secure channel, and the application protocol is then used to + determine where to connect to from the remote machine. + + The argument must be [bind_address:]port. IPv6 addresses can be + specified by enclosing addresses in square brackets. By default, + the local port is bound in accordance with the GatewayPorts + setting. However, an explicit bind_address may be used to bind + the connection to a specific address. The bind_address of + M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local + use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port + should be available from all interfaces. + + Currently the SOCKS4 and SOCKS5 protocols are supported, and + ssh(1) will act as a SOCKS server. Multiple forwardings may be + specified, and additional forwardings can be given on the command + line. Only the superuser can forward privileged ports. + + EnableSSHKeysign + Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration + file /etc/ssh/ssh_config enables the use of the helper program + ssh-keysign(8) during HostbasedAuthentication. The argument must + be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. This option should be + placed in the non-hostspecific section. See ssh-keysign(8) for + more information. + + EscapeChar + Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character + can also be set on the command line. The argument should be a + single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable + the escape character entirely (making the connection transparent + for binary data). + + ExitOnForwardFailure + Specifies whether ssh(1) should terminate the connection if it + cannot set up all requested dynamic, tunnel, local, and remote + port forwardings. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The + default is M-bM-^@M-^\noM-bM-^@M-^]. + + FingerprintHash + Specifies the hash algorithm used when displaying key + fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The + default is M-bM-^@M-^\sha256M-bM-^@M-^]. + + ForwardAgent + Specifies whether the connection to the authentication agent (if + any) will be forwarded to the remote machine. The argument must + be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. + + Agent forwarding should be enabled with caution. Users with the + ability to bypass file permissions on the remote host (for the + agent's Unix-domain socket) can access the local agent through + the forwarded connection. An attacker cannot obtain key material + from the agent, however they can perform operations on the keys + that enable them to authenticate using the identities loaded into + the agent. + + ForwardX11 + Specifies whether X11 connections will be automatically + redirected over the secure channel and DISPLAY set. The argument + must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. + + X11 forwarding should be enabled with caution. Users with the + ability to bypass file permissions on the remote host (for the + user's X11 authorization database) can access the local X11 + display through the forwarded connection. An attacker may then + be able to perform activities such as keystroke monitoring if the + ForwardX11Trusted option is also enabled. + + ForwardX11Timeout + Specify a timeout for untrusted X11 forwarding using the format + described in the TIME FORMATS section of sshd_config(5). X11 + connections received by ssh(1) after this time will be refused. + The default is to disable untrusted X11 forwarding after twenty + minutes has elapsed. + + ForwardX11Trusted + If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], remote X11 clients will have full + access to the original X11 display. + + If this option is set to M-bM-^@M-^\noM-bM-^@M-^], remote X11 clients will be + considered untrusted and prevented from stealing or tampering + with data belonging to trusted X11 clients. Furthermore, the + xauth(1) token used for the session will be set to expire after + 20 minutes. Remote clients will be refused access after this + time. + + The default is M-bM-^@M-^\noM-bM-^@M-^]. + + See the X11 SECURITY extension specification for full details on + the restrictions imposed on untrusted clients. + + GatewayPorts + Specifies whether remote hosts are allowed to connect to local + forwarded ports. By default, ssh(1) binds local port forwardings + to the loopback address. This prevents other remote hosts from + connecting to forwarded ports. GatewayPorts can be used to + specify that ssh should bind local port forwardings to the + wildcard address, thus allowing remote hosts to connect to + forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The + default is M-bM-^@M-^\noM-bM-^@M-^]. + + GlobalKnownHostsFile + Specifies one or more files to use for the global host key + database, separated by whitespace. The default is + /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. + + GSSAPIAuthentication + Specifies whether user authentication based on GSSAPI is allowed. + The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol + version 2 only. + + GSSAPIDelegateCredentials + Forward (delegate) credentials to the server. The default is + M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 only. + + HashKnownHosts + Indicates that ssh(1) should hash host names and addresses when + they are added to ~/.ssh/known_hosts. These hashed names may be + used normally by ssh(1) and sshd(8), but they do not reveal + identifying information should the file's contents be disclosed. + The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that existing names and addresses in + known hosts files will not be converted automatically, but may be + manually hashed using ssh-keygen(1). + + HostbasedAuthentication + Specifies whether to try rhosts based authentication with public + key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The + default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 2 only + and is similar to RhostsRSAAuthentication. + + HostbasedKeyTypes + Specifies the key types that will be used for hostbased + authentication as a comma-separated pattern list. The default + M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be + used to list supported key types. + + HostKeyAlgorithms + Specifies the protocol version 2 host key algorithms that the + client wants to use in order of preference. The default for this + option is: + + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + ssh-ed25519-cert-v01@openssh.com, + ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, + ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + ssh-ed25519,ssh-rsa,ssh-dss + + If hostkeys are known for the destination host then this default + is modified to prefer their algorithms. + + The list of available key types may also be obtained using the -Q + option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. + + HostKeyAlias + Specifies an alias that should be used instead of the real host + name when looking up or saving the host key in the host key + database files. This option is useful for tunneling SSH + connections or for multiple servers running on a single host. + + HostName + Specifies the real host name to log into. This can be used to + specify nicknames or abbreviations for hosts. If the hostname + contains the character sequence M-bM-^@M-^X%hM-bM-^@M-^Y, then this will be replaced + with the host name specified on the command line (this is useful + for manipulating unqualified names). The character sequence M-bM-^@M-^X%%M-bM-^@M-^Y + will be replaced by a single M-bM-^@M-^X%M-bM-^@M-^Y character, which may be used + when specifying IPv6 link-local addresses. + + The default is the name given on the command line. Numeric IP + addresses are also permitted (both on the command line and in + HostName specifications). + + IdentitiesOnly + Specifies that ssh(1) should only use the authentication identity + files configured in the ssh_config files, even if ssh-agent(1) or + a PKCS11Provider offers more identities. The argument to this + keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option is intended for + situations where ssh-agent offers many different identities. The + default is M-bM-^@M-^\noM-bM-^@M-^]. + + IdentityFile + Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA + authentication identity is read. The default is ~/.ssh/identity + for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, + ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. + Additionally, any identities represented by the authentication + agent will be used for authentication unless IdentitiesOnly is + set. ssh(1) will try to load certificate information from the + filename obtained by appending -cert.pub to the path of a + specified IdentityFile. + + The file name may use the tilde syntax to refer to a user's home + directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local + user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host + name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name). + + It is possible to have multiple identity files specified in + configuration files; all these identities will be tried in + sequence. Multiple IdentityFile directives will add to the list + of identities tried (this behaviour differs from that of other + configuration directives). + + IdentityFile may be used in conjunction with IdentitiesOnly to + select which identities in an agent are offered during + authentication. + + IgnoreUnknown + Specifies a pattern-list of unknown options to be ignored if they + are encountered in configuration parsing. This may be used to + suppress errors if ssh_config contains options that are + unrecognised by ssh(1). It is recommended that IgnoreUnknown be + listed early in the configuration file as it will not be applied + to unknown options that appear before it. + + IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. + Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], M-bM-^@M-^\af22M-bM-^@M-^], + M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], M-bM-^@M-^\cs0M-bM-^@M-^], + M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^], + M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value. + This option may take one or two arguments, separated by + whitespace. If one argument is specified, it is used as the + packet class unconditionally. If two values are specified, the + first is automatically selected for interactive sessions and the + second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^] + for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive + sessions. + + KbdInteractiveAuthentication + Specifies whether to use keyboard-interactive authentication. + The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default + is M-bM-^@M-^\yesM-bM-^@M-^]. + + KbdInteractiveDevices + Specifies the list of methods to use in keyboard-interactive + authentication. Multiple method names must be comma-separated. + The default is to use the server specified list. The methods + available vary depending on what the server supports. For an + OpenSSH server, it may be zero or more of: M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], and + M-bM-^@M-^\skeyM-bM-^@M-^]. + + KexAlgorithms + Specifies the available KEX (Key Exchange) algorithms. Multiple + algorithms must be comma-separated. The default is: + + curve25519-sha256@libssh.org, + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, + diffie-hellman-group-exchange-sha1, + diffie-hellman-group14-sha1, + diffie-hellman-group1-sha1 + + The list of available key exchange algorithms may also be + obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. + + LocalCommand + Specifies a command to execute on the local machine after + successfully connecting to the server. The command string + extends to the end of the line, and is executed with the user's + shell. The following escape character substitutions will be + performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host + name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the + command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or + M-bM-^@M-^X%uM-bM-^@M-^Y (local user name) or M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: + %l%h%p%r. + + The command is run synchronously and does not have access to the + session of the ssh(1) that spawned it. It should not be used for + interactive commands. + + This directive is ignored unless PermitLocalCommand has been + enabled. + + LocalForward + Specifies that a TCP port on the local machine be forwarded over + the secure channel to the specified host and port from the remote + machine. The first argument must be [bind_address:]port and the + second argument must be host:hostport. IPv6 addresses can be + specified by enclosing addresses in square brackets. Multiple + forwardings may be specified, and additional forwardings can be + given on the command line. Only the superuser can forward + privileged ports. By default, the local port is bound in + accordance with the GatewayPorts setting. However, an explicit + bind_address may be used to bind the connection to a specific + address. The bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the + listening port be bound for local use only, while an empty + address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from + all interfaces. + + LogLevel + Gives the verbosity level that is used when logging messages from + ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, + VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. + DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify + higher levels of verbose output. + + MACs Specifies the MAC (message authentication code) algorithms in + order of preference. The MAC algorithm is used in protocol + version 2 for data integrity protection. Multiple algorithms + must be comma-separated. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] + calculate the MAC after encryption (encrypt-then-mac). These are + considered safer and their use recommended. The default is: + + umac-64-etm@openssh.com,umac-128-etm@openssh.com, + hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, + umac-64@openssh.com,umac-128@openssh.com, + hmac-sha2-256,hmac-sha2-512, + hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, + hmac-ripemd160-etm@openssh.com, + hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, + hmac-md5,hmac-sha1,hmac-ripemd160, + hmac-sha1-96,hmac-md5-96 + + The list of available MAC algorithms may also be obtained using + the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. + + NoHostAuthenticationForLocalhost + This option can be used if the home directory is shared across + machines. In this case localhost will refer to a different + machine on each of the machines and the user will get many + warnings about changed host keys. However, this option disables + host authentication for localhost. The argument to this keyword + must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for + localhost. + + NumberOfPasswordPrompts + Specifies the number of password prompts before giving up. The + argument to this keyword must be an integer. The default is 3. + + PasswordAuthentication + Specifies whether to use password authentication. The argument + to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. + + PermitLocalCommand + Allow local command execution via the LocalCommand option or + using the !command escape sequence in ssh(1). The argument must + be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. + + PKCS11Provider + Specifies which PKCS#11 provider to use. The argument to this + keyword is the PKCS#11 shared library ssh(1) should use to + communicate with a PKCS#11 token providing the user's private RSA + key. + + Port Specifies the port number to connect on the remote host. The + default is 22. + + PreferredAuthentications + Specifies the order in which the client should try protocol 2 + authentication methods. This allows a client to prefer one + method (e.g. keyboard-interactive) over another method (e.g. + password). The default is: + + gssapi-with-mic,hostbased,publickey, + keyboard-interactive,password + + Protocol + Specifies the protocol versions ssh(1) should support in order of + preference. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple + versions must be comma-separated. When this option is set to + M-bM-^@M-^\2,1M-bM-^@M-^] ssh will try version 2 and fall back to version 1 if + version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y. + + ProxyCommand + Specifies the command to use to connect to the server. The + command string extends to the end of the line, and is executed + using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering + shell process. + + In the command string, any occurrence of M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted + by the host name to connect, M-bM-^@M-^X%pM-bM-^@M-^Y by the port, and M-bM-^@M-^X%rM-bM-^@M-^Y by the + remote user name. The command can be basically anything, and + should read from its standard input and write to its standard + output. It should eventually connect an sshd(8) server running + on some machine, or execute sshd -i somewhere. Host key + management will be done using the HostName of the host being + connected (defaulting to the name typed by the user). Setting + the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option entirely. Note that + CheckHostIP is not available for connects with a proxy command. + + This directive is useful in conjunction with nc(1) and its proxy + support. For example, the following directive would connect via + an HTTP proxy at 192.0.2.0: + + ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p + + ProxyUseFdpass + Specifies that ProxyCommand will pass a connected file descriptor + back to ssh(1) instead of continuing to execute and pass data. + The default is M-bM-^@M-^\noM-bM-^@M-^]. + + PubkeyAuthentication + Specifies whether to try public key authentication. The argument + to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. + This option applies to protocol version 2 only. + + RekeyLimit + Specifies the maximum amount of data that may be transmitted + before the session key is renegotiated, optionally followed a + maximum amount of time that may pass before the session key is + renegotiated. The first argument is specified in bytes and may + have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, + Megabytes, or Gigabytes, respectively. The default is between + M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second + value is specified in seconds and may use any of the units + documented in the TIME FORMATS section of sshd_config(5). The + default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that + rekeying is performed after the cipher's default amount of data + has been sent or received and no time based rekeying is done. + This option applies to protocol version 2 only. + + RemoteForward + Specifies that a TCP port on the remote machine be forwarded over + the secure channel to the specified host and port from the local + machine. The first argument must be [bind_address:]port and the + second argument must be host:hostport. IPv6 addresses can be + specified by enclosing addresses in square brackets. Multiple + forwardings may be specified, and additional forwardings can be + given on the command line. Privileged ports can be forwarded + only when logging in as root on the remote machine. + + If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically + allocated on the server and reported to the client at run time. + + If the bind_address is not specified, the default is to only bind + to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty + string, then the forwarding is requested to listen on all + interfaces. Specifying a remote bind_address will only succeed + if the server's GatewayPorts option is enabled (see + sshd_config(5)). + + RequestTTY + Specifies whether to request a pseudo-tty for the session. The + argument may be one of: M-bM-^@M-^\noM-bM-^@M-^] (never request a TTY), M-bM-^@M-^\yesM-bM-^@M-^] (always + request a TTY when standard input is a TTY), M-bM-^@M-^\forceM-bM-^@M-^] (always + request a TTY) or M-bM-^@M-^\autoM-bM-^@M-^] (request a TTY when opening a login + session). This option mirrors the -t and -T flags for ssh(1). + + RevokedHostKeys + Specifies revoked host public keys. Keys listed in this file + will be refused for host authentication. Note that if this file + does not exist or is not readable, then host authentication will + be refused for all hosts. Keys may be specified as a text file, + listing one public key per line, or as an OpenSSH Key Revocation + List (KRL) as generated by ssh-keygen(1). For more information + on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). + + RhostsRSAAuthentication + Specifies whether to try rhosts based authentication with RSA + host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The + default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only + and requires ssh(1) to be setuid root. + + RSAAuthentication + Specifies whether to try RSA authentication. The argument to + this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only + be attempted if the identity file exists, or an authentication + agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option + applies to protocol version 1 only. + + SendEnv + Specifies what variables from the local environ(7) should be sent + to the server. Note that environment passing is only supported + for protocol 2. The server must also support it, and the server + must be configured to accept these environment variables. Note + that the TERM environment variable is always sent whenever a + pseudo-terminal is requested as it is required by the protocol. + Refer to AcceptEnv in sshd_config(5) for how to configure the + server. Variables are specified by name, which may contain + wildcard characters. Multiple environment variables may be + separated by whitespace or spread across multiple SendEnv + directives. The default is not to send any environment + variables. + + See PATTERNS for more information on patterns. + + ServerAliveCountMax + Sets the number of server alive messages (see below) which may be + sent without ssh(1) receiving any messages back from the server. + If this threshold is reached while server alive messages are + being sent, ssh will disconnect from the server, terminating the + session. It is important to note that the use of server alive + messages is very different from TCPKeepAlive (below). The server + alive messages are sent through the encrypted channel and + therefore will not be spoofable. The TCP keepalive option + enabled by TCPKeepAlive is spoofable. The server alive mechanism + is valuable when the client or server depend on knowing when a + connection has become inactive. + + The default value is 3. If, for example, ServerAliveInterval + (see below) is set to 15 and ServerAliveCountMax is left at the + default, if the server becomes unresponsive, ssh will disconnect + after approximately 45 seconds. This option applies to protocol + version 2 only. + + ServerAliveInterval + Sets a timeout interval in seconds after which if no data has + been received from the server, ssh(1) will send a message through + the encrypted channel to request a response from the server. The + default is 0, indicating that these messages will not be sent to + the server. This option applies to protocol version 2 only. + + StreamLocalBindMask + Sets the octal file creation mode mask (umask) used when creating + a Unix-domain socket file for local or remote port forwarding. + This option is only used for port forwarding to a Unix-domain + socket file. + + The default value is 0177, which creates a Unix-domain socket + file that is readable and writable only by the owner. Note that + not all operating systems honor the file mode on Unix-domain + socket files. + + StreamLocalBindUnlink + Specifies whether to remove an existing Unix-domain socket file + for local or remote port forwarding before creating a new one. + If the socket file already exists and StreamLocalBindUnlink is + not enabled, ssh will be unable to forward the port to the Unix- + domain socket file. This option is only used for port forwarding + to a Unix-domain socket file. + + The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. + + StrictHostKeyChecking + If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will never automatically add + host keys to the ~/.ssh/known_hosts file, and refuses to connect + to hosts whose host key has changed. This provides maximum + protection against trojan horse attacks, though it can be + annoying when the /etc/ssh/ssh_known_hosts file is poorly + maintained or when connections to new hosts are frequently made. + This option forces the user to manually add all new hosts. If + this flag is set to M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host + keys to the user known hosts files. If this flag is set to + M-bM-^@M-^\askM-bM-^@M-^], new host keys will be added to the user known host files + only after the user has confirmed that is what they really want + to do, and ssh will refuse to connect to hosts whose host key has + changed. The host keys of known hosts will be verified + automatically in all cases. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or + M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^]. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages + to the other side. If they are sent, death of the connection or + crash of one of the machines will be properly noticed. However, + this means that connections will die if the route is down + temporarily, and some people find it annoying. + + The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the + client will notice if the network goes down or the remote host + dies. This is important in scripts, and many users want it too. + + To disable TCP keepalive messages, the value should be set to + M-bM-^@M-^\noM-bM-^@M-^]. + + Tunnel Request tun(4) device forwarding between the client and the + server. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), + M-bM-^@M-^\ethernetM-bM-^@M-^] (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] requests the + default tunnel mode, which is M-bM-^@M-^\point-to-pointM-bM-^@M-^]. The default is + M-bM-^@M-^\noM-bM-^@M-^]. + + TunnelDevice + Specifies the tun(4) devices to open on the client (local_tun) + and the server (remote_tun). + + The argument must be local_tun[:remote_tun]. The devices may be + specified by numerical ID or the keyword M-bM-^@M-^\anyM-bM-^@M-^], which uses the + next available tunnel device. If remote_tun is not specified, it + defaults to M-bM-^@M-^\anyM-bM-^@M-^]. The default is M-bM-^@M-^\any:anyM-bM-^@M-^]. + + UpdateHostKeys + Specifies whether ssh(1) should accept notifications of + additional hostkeys from the server sent after authentication has + completed and add them to UserKnownHostsFile. The argument must + be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] (the default) or M-bM-^@M-^\askM-bM-^@M-^]. Enabling this option + allows learning alternate hostkeys for a server and supports + graceful key rotation by allowing a server to send replacement + public keys before old ones are removed. Additional hostkeys are + only accepted if the key used to authenticate the host was + already trusted or explicity accepted by the user. If + UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm + the modifications to the known_hosts file. Confirmation is + currently incompatible with ControlPersist, and will be disabled + if it is enabled. + + Presently, only sshd(8) from OpenSSH 6.8 and greater support the + M-bM-^@M-^\hostkeys@openssh.comM-bM-^@M-^] protocol extension used to inform the + client of all the server's hostkeys. + + UsePrivilegedPort + Specifies whether to use a privileged port for outgoing + connections. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is + M-bM-^@M-^\noM-bM-^@M-^]. If set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) must be setuid root. Note that + this option must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with + older servers. + + User Specifies the user to log in as. This can be useful when a + different user name is used on different machines. This saves + the trouble of having to remember to give the user name on the + command line. + + UserKnownHostsFile + Specifies one or more files to use for the user host key + database, separated by whitespace. The default is + ~/.ssh/known_hosts, ~/.ssh/known_hosts2. + + VerifyHostKeyDNS + Specifies whether to verify the remote key using DNS and SSHFP + resource records. If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], the client + will implicitly trust keys that match a secure fingerprint from + DNS. Insecure fingerprints will be handled as if this option was + set to M-bM-^@M-^\askM-bM-^@M-^]. If this option is set to M-bM-^@M-^\askM-bM-^@M-^], information on + fingerprint match will be displayed, but the user will still need + to confirm new host keys according to the StrictHostKeyChecking + option. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\askM-bM-^@M-^]. The default + is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 + only. + + See also VERIFYING HOST KEYS in ssh(1). + + VisualHostKey + If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], an ASCII art representation of the + remote host key fingerprint is printed in addition to the + fingerprint string at login and for unknown host keys. If this + flag is set to M-bM-^@M-^\noM-bM-^@M-^], no fingerprint strings are printed at login + and only the fingerprint string will be printed for unknown host + keys. The default is M-bM-^@M-^\noM-bM-^@M-^]. + + XAuthLocation + Specifies the full pathname of the xauth(1) program. The default + is /usr/X11R6/bin/xauth. + +PATTERNS + A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a + wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that + matches exactly one character). For example, to specify a set of + declarations for any host in the M-bM-^@M-^\.co.ukM-bM-^@M-^] set of domains, the following + pattern could be used: + + Host *.co.uk + + The following pattern would match any host in the 192.168.0.[0-9] network + range: + + Host 192.168.0.? + + A pattern-list is a comma-separated list of patterns. Patterns within + pattern-lists may be negated by preceding them with an exclamation mark + (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an + organization except from the M-bM-^@M-^\dialupM-bM-^@M-^] pool, the following entry (in + authorized_keys) could be used: + + from="!*.dialup.example.com,*.example.com" + +FILES + ~/.ssh/config + This is the per-user configuration file. The format of this file + is described above. This file is used by the SSH client. + Because of the potential for abuse, this file must have strict + permissions: read/write for the user, and not accessible by + others. + + /etc/ssh/ssh_config + Systemwide configuration file. This file provides defaults for + those values that are not specified in the user's configuration + file, and for those users who do not have a configuration file. + This file must be world-readable. + +SEE ALSO + ssh(1) + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +OpenBSD 5.7 June 2, 2015 OpenBSD 5.7 |