Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1 | SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2 | |
| 3 | NAME |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 4 | ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 5 | |
| 6 | SYNOPSIS |
| 7 | ~/.ssh/config |
| 8 | /etc/ssh/ssh_config |
| 9 | |
| 10 | DESCRIPTION |
| 11 | ssh(1) obtains configuration data from the following sources in the |
| 12 | following order: |
| 13 | |
| 14 | 1. command-line options |
| 15 | 2. user's configuration file (~/.ssh/config) |
| 16 | 3. system-wide configuration file (/etc/ssh/ssh_config) |
| 17 | |
| 18 | For each parameter, the first obtained value will be used. The |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 19 | configuration files contain sections separated by M-bM-^@M-^\HostM-bM-^@M-^] specifications, |
| 20 | and that section is only applied for hosts that match one of the patterns |
| 21 | given in the specification. The matched host name is usually the one |
| 22 | given on the command line (see the CanonicalizeHostname option for |
| 23 | exceptions.) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 24 | |
| 25 | Since the first obtained value for each parameter is used, more host- |
| 26 | specific declarations should be given near the beginning of the file, and |
| 27 | general defaults at the end. |
| 28 | |
| 29 | The configuration file has the following format: |
| 30 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 31 | Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. Otherwise a line |
| 32 | is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration options may be |
| 33 | separated by whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 34 | latter format is useful to avoid the need to quote whitespace when |
| 35 | specifying configuration options using the ssh, scp, and sftp -o option. |
| 36 | Arguments may optionally be enclosed in double quotes (") in order to |
| 37 | represent arguments containing spaces. |
| 38 | |
| 39 | The possible keywords and their meanings are as follows (note that |
| 40 | keywords are case-insensitive and arguments are case-sensitive): |
| 41 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 42 | Host Restricts the following declarations (up to the next Host or |
| 43 | Match keyword) to be only for those hosts that match one of the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 44 | patterns given after the keyword. If more than one pattern is |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 45 | provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 46 | as a pattern can be used to provide global defaults for all |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 47 | hosts. The host is usually the hostname argument given on the |
| 48 | command line (see the CanonicalizeHostname option for |
| 49 | exceptions.) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 50 | |
| 51 | A pattern entry may be negated by prefixing it with an |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 52 | exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 53 | Host entry is ignored, regardless of whether any other patterns |
| 54 | on the line match. Negated matches are therefore useful to |
| 55 | provide exceptions for wildcard matches. |
| 56 | |
| 57 | See PATTERNS for more information on patterns. |
| 58 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 59 | Match Restricts the following declarations (up to the next Host or |
| 60 | Match keyword) to be used only when the conditions following the |
| 61 | Match keyword are satisfied. Match conditions are specified |
| 62 | using one or more critera or the single token all which always |
| 63 | matches. The available criteria keywords are: canonical, exec, |
| 64 | host, originalhost, user, and localuser. The all criteria must |
| 65 | appear alone or immediately after canonical. Other criteria may |
| 66 | be combined arbitrarily. All criteria but all and canonical |
| 67 | require an argument. Criteria may be negated by prepending an |
| 68 | exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). |
| 69 | |
| 70 | The canonical keywork matches only when the configuration file is |
| 71 | being re-parsed after hostname canonicalization (see the |
| 72 | CanonicalizeHostname option.) This may be useful to specify |
| 73 | conditions that work with canonical host names only. The exec |
| 74 | keyword executes the specified command under the user's shell. |
| 75 | If the command returns a zero exit status then the condition is |
| 76 | considered true. Commands containing whitespace characters must |
| 77 | be quoted. The following character sequences in the command will |
| 78 | be expanded prior to execution: M-bM-^@M-^X%LM-bM-^@M-^Y will be substituted by the |
| 79 | first component of the local host name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted |
| 80 | by the local host name (including any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be |
| 81 | substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by |
| 82 | the original target host name specified on the command-line, M-bM-^@M-^X%pM-bM-^@M-^Y |
| 83 | the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by the remote login username, and M-bM-^@M-^X%uM-bM-^@M-^Y |
| 84 | by the username of the user running ssh(1). |
| 85 | |
| 86 | The other keywords' criteria must be single entries or comma- |
| 87 | separated lists and may use the wildcard and negation operators |
| 88 | described in the PATTERNS section. The criteria for the host |
| 89 | keyword are matched against the target hostname, after any |
| 90 | substitution by the Hostname or CanonicalizeHostname options. |
| 91 | The originalhost keyword matches against the hostname as it was |
| 92 | specified on the command-line. The user keyword matches against |
| 93 | the target username on the remote host. The localuser keyword |
| 94 | matches against the name of the local user running ssh(1) (this |
| 95 | keyword may be useful in system-wide ssh_config files). |
| 96 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 97 | AddressFamily |
| 98 | Specifies which address family to use when connecting. Valid |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 99 | arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 |
| 100 | only). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 101 | |
| 102 | BatchMode |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 103 | If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 104 | This option is useful in scripts and other batch jobs where no |
| 105 | user is present to supply the password. The argument must be |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 106 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 107 | |
| 108 | BindAddress |
| 109 | Use the specified address on the local machine as the source |
| 110 | address of the connection. Only useful on systems with more than |
| 111 | one address. Note that this option does not work if |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 112 | UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^]. |
| 113 | |
| 114 | CanonicalDomains |
| 115 | When CanonicalizeHostname is enabled, this option specifies the |
| 116 | list of domain suffixes in which to search for the specified |
| 117 | destination host. |
| 118 | |
| 119 | CanonicalizeFallbackLocal |
| 120 | Specifies whether to fail with an error when hostname |
| 121 | canonicalization fails. The default, M-bM-^@M-^\yesM-bM-^@M-^], will attempt to look |
| 122 | up the unqualified hostname using the system resolver's search |
| 123 | rules. A value of M-bM-^@M-^\noM-bM-^@M-^] will cause ssh(1) to fail instantly if |
| 124 | CanonicalizeHostname is enabled and the target hostname cannot be |
| 125 | found in any of the domains specified by CanonicalDomains. |
| 126 | |
| 127 | CanonicalizeHostname |
| 128 | Controls whether explicit hostname canonicalization is performed. |
| 129 | The default, M-bM-^@M-^\noM-bM-^@M-^], is not to perform any name rewriting and let |
| 130 | the system resolver handle all hostname lookups. If set to M-bM-^@M-^\yesM-bM-^@M-^] |
| 131 | then, for connections that do not use a ProxyCommand, ssh(1) will |
| 132 | attempt to canonicalize the hostname specified on the command |
| 133 | line using the CanonicalDomains suffixes and |
| 134 | CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is |
| 135 | set to M-bM-^@M-^\alwaysM-bM-^@M-^], then canonicalization is applied to proxied |
| 136 | connections too. |
| 137 | |
| 138 | If this option is enabled, then the configuration files are |
| 139 | processed again using the new target name to pick up any new |
| 140 | configuration in matching Host and Match stanzas. |
| 141 | |
| 142 | CanonicalizeMaxDots |
| 143 | Specifies the maximum number of dot characters in a hostname |
| 144 | before canonicalization is disabled. The default, M-bM-^@M-^\1M-bM-^@M-^], allows a |
| 145 | single dot (i.e. hostname.subdomain). |
| 146 | |
| 147 | CanonicalizePermittedCNAMEs |
| 148 | Specifies rules to determine whether CNAMEs should be followed |
| 149 | when canonicalizing hostnames. The rules consist of one or more |
| 150 | arguments of source_domain_list:target_domain_list, where |
| 151 | source_domain_list is a pattern-list of domains that may follow |
| 152 | CNAMEs in canonicalization, and target_domain_list is a pattern- |
| 153 | list of domains that they may resolve to. |
| 154 | |
| 155 | For example, M-bM-^@M-^\*.a.example.com:*.b.example.com,*.c.example.comM-bM-^@M-^] |
| 156 | will allow hostnames matching M-bM-^@M-^\*.a.example.comM-bM-^@M-^] to be |
| 157 | canonicalized to names in the M-bM-^@M-^\*.b.example.comM-bM-^@M-^] or |
| 158 | M-bM-^@M-^\*.c.example.comM-bM-^@M-^] domains. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 159 | |
| 160 | ChallengeResponseAuthentication |
| 161 | Specifies whether to use challenge-response authentication. The |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 162 | argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| 163 | M-bM-^@M-^\yesM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 164 | |
| 165 | CheckHostIP |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 166 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will additionally check the |
| 167 | host IP address in the known_hosts file. This allows ssh to |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 168 | detect if a host key changed due to DNS spoofing. If the option |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 169 | is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The default is |
| 170 | M-bM-^@M-^\yesM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 171 | |
| 172 | Cipher Specifies the cipher to use for encrypting the session in |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 173 | protocol version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are |
| 174 | supported. des is only supported in the ssh(1) client for |
| 175 | interoperability with legacy protocol 1 implementations that do |
| 176 | not support the 3des cipher. Its use is strongly discouraged due |
| 177 | to cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 178 | |
| 179 | Ciphers |
| 180 | Specifies the ciphers allowed for protocol version 2 in order of |
| 181 | preference. Multiple ciphers must be comma-separated. The |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 182 | supported ciphers are: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 183 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 184 | 3des-cbc |
| 185 | aes128-cbc |
| 186 | aes192-cbc |
| 187 | aes256-cbc |
| 188 | aes128-ctr |
| 189 | aes192-ctr |
| 190 | aes256-ctr |
| 191 | aes128-gcm@openssh.com |
| 192 | aes256-gcm@openssh.com |
| 193 | arcfour |
| 194 | arcfour128 |
| 195 | arcfour256 |
| 196 | blowfish-cbc |
| 197 | cast128-cbc |
| 198 | chacha20-poly1305@openssh.com |
| 199 | |
| 200 | The default is: |
| 201 | |
| 202 | aes128-ctr,aes192-ctr,aes256-ctr, |
| 203 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
| 204 | chacha20-poly1305@openssh.com, |
| 205 | arcfour256,arcfour128, |
| 206 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, |
| 207 | aes192-cbc,aes256-cbc,arcfour |
| 208 | |
| 209 | The list of available ciphers may also be obtained using the -Q |
| 210 | option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 211 | |
| 212 | ClearAllForwardings |
| 213 | Specifies that all local, remote, and dynamic port forwardings |
| 214 | specified in the configuration files or on the command line be |
| 215 | cleared. This option is primarily useful when used from the |
| 216 | ssh(1) command line to clear port forwardings set in |
| 217 | configuration files, and is automatically set by scp(1) and |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 218 | sftp(1). The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| 219 | M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 220 | |
| 221 | Compression |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 222 | Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] |
| 223 | or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 224 | |
| 225 | CompressionLevel |
| 226 | Specifies the compression level to use if compression is enabled. |
| 227 | The argument must be an integer from 1 (fast) to 9 (slow, best). |
| 228 | The default level is 6, which is good for most applications. The |
| 229 | meaning of the values is the same as in gzip(1). Note that this |
| 230 | option applies to protocol version 1 only. |
| 231 | |
| 232 | ConnectionAttempts |
| 233 | Specifies the number of tries (one per second) to make before |
| 234 | exiting. The argument must be an integer. This may be useful in |
| 235 | scripts if the connection sometimes fails. The default is 1. |
| 236 | |
| 237 | ConnectTimeout |
| 238 | Specifies the timeout (in seconds) used when connecting to the |
| 239 | SSH server, instead of using the default system TCP timeout. |
| 240 | This value is used only when the target is down or really |
| 241 | unreachable, not when it refuses the connection. |
| 242 | |
| 243 | ControlMaster |
| 244 | Enables the sharing of multiple sessions over a single network |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 245 | connection. When set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will listen for |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 246 | connections on a control socket specified using the ControlPath |
| 247 | argument. Additional sessions can connect to this socket using |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 248 | the same ControlPath with ControlMaster set to M-bM-^@M-^\noM-bM-^@M-^] (the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 249 | default). These sessions will try to reuse the master instance's |
| 250 | network connection rather than initiating new ones, but will fall |
| 251 | back to connecting normally if the control socket does not exist, |
| 252 | or is not listening. |
| 253 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 254 | Setting this to M-bM-^@M-^\askM-bM-^@M-^] will cause ssh to listen for control |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 255 | connections, but require confirmation using the SSH_ASKPASS |
| 256 | program before they are accepted (see ssh-add(1) for details). |
| 257 | If the ControlPath cannot be opened, ssh will continue without |
| 258 | connecting to a master instance. |
| 259 | |
| 260 | X11 and ssh-agent(1) forwarding is supported over these |
| 261 | multiplexed connections, however the display and agent forwarded |
| 262 | will be the one belonging to the master connection i.e. it is not |
| 263 | possible to forward multiple displays or agents. |
| 264 | |
| 265 | Two additional options allow for opportunistic multiplexing: try |
| 266 | to use a master connection but fall back to creating a new one if |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 267 | one does not already exist. These options are: M-bM-^@M-^\autoM-bM-^@M-^] and |
| 268 | M-bM-^@M-^\autoaskM-bM-^@M-^]. The latter requires confirmation like the M-bM-^@M-^\askM-bM-^@M-^] |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 269 | option. |
| 270 | |
| 271 | ControlPath |
| 272 | Specify the path to the control socket used for connection |
| 273 | sharing as described in the ControlMaster section above or the |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 274 | string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing. In the path, M-bM-^@M-^X%LM-bM-^@M-^Y |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 275 | will be substituted by the first component of the local host |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 276 | name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted by the local host name (including |
| 277 | any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host |
| 278 | name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name |
| 279 | specified on the command line, M-bM-^@M-^X%pM-bM-^@M-^Y the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by |
| 280 | the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username of the user |
| 281 | running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: |
| 282 | %l%h%p%r. It is recommended that any ControlPath used for |
| 283 | opportunistic connection sharing include at least %h, %p, and %r |
| 284 | (or alternatively %C) and be placed in a directory that is not |
| 285 | writable by other users. This ensures that shared connections |
| 286 | are uniquely identified. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 287 | |
| 288 | ControlPersist |
| 289 | When used in conjunction with ControlMaster, specifies that the |
| 290 | master connection should remain open in the background (waiting |
| 291 | for future client connections) after the initial client |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 292 | connection has been closed. If set to M-bM-^@M-^\noM-bM-^@M-^], then the master |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 293 | connection will not be placed into the background, and will close |
| 294 | as soon as the initial client connection is closed. If set to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 295 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\0M-bM-^@M-^], then the master connection will remain in the |
| 296 | background indefinitely (until killed or closed via a mechanism |
| 297 | such as the ssh(1) M-bM-^@M-^\-O exitM-bM-^@M-^] option). If set to a time in |
| 298 | seconds, or a time in any of the formats documented in |
| 299 | sshd_config(5), then the backgrounded master connection will |
| 300 | automatically terminate after it has remained idle (with no |
| 301 | client connections) for the specified time. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 302 | |
| 303 | DynamicForward |
| 304 | Specifies that a TCP port on the local machine be forwarded over |
| 305 | the secure channel, and the application protocol is then used to |
| 306 | determine where to connect to from the remote machine. |
| 307 | |
| 308 | The argument must be [bind_address:]port. IPv6 addresses can be |
| 309 | specified by enclosing addresses in square brackets. By default, |
| 310 | the local port is bound in accordance with the GatewayPorts |
| 311 | setting. However, an explicit bind_address may be used to bind |
| 312 | the connection to a specific address. The bind_address of |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 313 | M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local |
| 314 | use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port |
| 315 | should be available from all interfaces. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 316 | |
| 317 | Currently the SOCKS4 and SOCKS5 protocols are supported, and |
| 318 | ssh(1) will act as a SOCKS server. Multiple forwardings may be |
| 319 | specified, and additional forwardings can be given on the command |
| 320 | line. Only the superuser can forward privileged ports. |
| 321 | |
| 322 | EnableSSHKeysign |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 323 | Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 324 | file /etc/ssh/ssh_config enables the use of the helper program |
| 325 | ssh-keysign(8) during HostbasedAuthentication. The argument must |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 326 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. This option should be |
| 327 | placed in the non-hostspecific section. See ssh-keysign(8) for |
| 328 | more information. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 329 | |
| 330 | EscapeChar |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 331 | Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 332 | can also be set on the command line. The argument should be a |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 333 | single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable |
| 334 | the escape character entirely (making the connection transparent |
| 335 | for binary data). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 336 | |
| 337 | ExitOnForwardFailure |
| 338 | Specifies whether ssh(1) should terminate the connection if it |
| 339 | cannot set up all requested dynamic, tunnel, local, and remote |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 340 | port forwardings. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| 341 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
| 342 | |
| 343 | FingerprintHash |
| 344 | Specifies the hash algorithm used when displaying key |
| 345 | fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The |
| 346 | default is M-bM-^@M-^\sha256M-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 347 | |
| 348 | ForwardAgent |
| 349 | Specifies whether the connection to the authentication agent (if |
| 350 | any) will be forwarded to the remote machine. The argument must |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 351 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 352 | |
| 353 | Agent forwarding should be enabled with caution. Users with the |
| 354 | ability to bypass file permissions on the remote host (for the |
| 355 | agent's Unix-domain socket) can access the local agent through |
| 356 | the forwarded connection. An attacker cannot obtain key material |
| 357 | from the agent, however they can perform operations on the keys |
| 358 | that enable them to authenticate using the identities loaded into |
| 359 | the agent. |
| 360 | |
| 361 | ForwardX11 |
| 362 | Specifies whether X11 connections will be automatically |
| 363 | redirected over the secure channel and DISPLAY set. The argument |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 364 | must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 365 | |
| 366 | X11 forwarding should be enabled with caution. Users with the |
| 367 | ability to bypass file permissions on the remote host (for the |
| 368 | user's X11 authorization database) can access the local X11 |
| 369 | display through the forwarded connection. An attacker may then |
| 370 | be able to perform activities such as keystroke monitoring if the |
| 371 | ForwardX11Trusted option is also enabled. |
| 372 | |
| 373 | ForwardX11Timeout |
| 374 | Specify a timeout for untrusted X11 forwarding using the format |
| 375 | described in the TIME FORMATS section of sshd_config(5). X11 |
| 376 | connections received by ssh(1) after this time will be refused. |
| 377 | The default is to disable untrusted X11 forwarding after twenty |
| 378 | minutes has elapsed. |
| 379 | |
| 380 | ForwardX11Trusted |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 381 | If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], remote X11 clients will have full |
| 382 | access to the original X11 display. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 383 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 384 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^], remote X11 clients will be |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 385 | considered untrusted and prevented from stealing or tampering |
| 386 | with data belonging to trusted X11 clients. Furthermore, the |
| 387 | xauth(1) token used for the session will be set to expire after |
| 388 | 20 minutes. Remote clients will be refused access after this |
| 389 | time. |
| 390 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 391 | The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 392 | |
| 393 | See the X11 SECURITY extension specification for full details on |
| 394 | the restrictions imposed on untrusted clients. |
| 395 | |
| 396 | GatewayPorts |
| 397 | Specifies whether remote hosts are allowed to connect to local |
| 398 | forwarded ports. By default, ssh(1) binds local port forwardings |
| 399 | to the loopback address. This prevents other remote hosts from |
| 400 | connecting to forwarded ports. GatewayPorts can be used to |
| 401 | specify that ssh should bind local port forwardings to the |
| 402 | wildcard address, thus allowing remote hosts to connect to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 403 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| 404 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 405 | |
| 406 | GlobalKnownHostsFile |
| 407 | Specifies one or more files to use for the global host key |
| 408 | database, separated by whitespace. The default is |
| 409 | /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. |
| 410 | |
| 411 | GSSAPIAuthentication |
| 412 | Specifies whether user authentication based on GSSAPI is allowed. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 413 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 414 | version 2 only. |
| 415 | |
| 416 | GSSAPIDelegateCredentials |
| 417 | Forward (delegate) credentials to the server. The default is |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 418 | M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 419 | |
| 420 | HashKnownHosts |
| 421 | Indicates that ssh(1) should hash host names and addresses when |
| 422 | they are added to ~/.ssh/known_hosts. These hashed names may be |
| 423 | used normally by ssh(1) and sshd(8), but they do not reveal |
| 424 | identifying information should the file's contents be disclosed. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 425 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that existing names and addresses in |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 426 | known hosts files will not be converted automatically, but may be |
| 427 | manually hashed using ssh-keygen(1). |
| 428 | |
| 429 | HostbasedAuthentication |
| 430 | Specifies whether to try rhosts based authentication with public |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 431 | key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| 432 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 2 only |
| 433 | and is similar to RhostsRSAAuthentication. |
| 434 | |
| 435 | HostbasedKeyTypes |
| 436 | Specifies the key types that will be used for hostbased |
| 437 | authentication as a comma-separated pattern list. The default |
| 438 | M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be |
| 439 | used to list supported key types. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 440 | |
| 441 | HostKeyAlgorithms |
| 442 | Specifies the protocol version 2 host key algorithms that the |
| 443 | client wants to use in order of preference. The default for this |
| 444 | option is: |
| 445 | |
| 446 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 447 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 448 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 449 | ssh-ed25519-cert-v01@openssh.com, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 450 | ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, |
| 451 | ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, |
| 452 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 453 | ssh-ed25519,ssh-rsa,ssh-dss |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 454 | |
| 455 | If hostkeys are known for the destination host then this default |
| 456 | is modified to prefer their algorithms. |
| 457 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 458 | The list of available key types may also be obtained using the -Q |
| 459 | option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. |
| 460 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 461 | HostKeyAlias |
| 462 | Specifies an alias that should be used instead of the real host |
| 463 | name when looking up or saving the host key in the host key |
| 464 | database files. This option is useful for tunneling SSH |
| 465 | connections or for multiple servers running on a single host. |
| 466 | |
| 467 | HostName |
| 468 | Specifies the real host name to log into. This can be used to |
| 469 | specify nicknames or abbreviations for hosts. If the hostname |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 470 | contains the character sequence M-bM-^@M-^X%hM-bM-^@M-^Y, then this will be replaced |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 471 | with the host name specified on the command line (this is useful |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 472 | for manipulating unqualified names). The character sequence M-bM-^@M-^X%%M-bM-^@M-^Y |
| 473 | will be replaced by a single M-bM-^@M-^X%M-bM-^@M-^Y character, which may be used |
| 474 | when specifying IPv6 link-local addresses. |
| 475 | |
| 476 | The default is the name given on the command line. Numeric IP |
| 477 | addresses are also permitted (both on the command line and in |
| 478 | HostName specifications). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 479 | |
| 480 | IdentitiesOnly |
| 481 | Specifies that ssh(1) should only use the authentication identity |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 482 | files configured in the ssh_config files, even if ssh-agent(1) or |
| 483 | a PKCS11Provider offers more identities. The argument to this |
| 484 | keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option is intended for |
| 485 | situations where ssh-agent offers many different identities. The |
| 486 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 487 | |
| 488 | IdentityFile |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 489 | Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 490 | authentication identity is read. The default is ~/.ssh/identity |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 491 | for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, |
| 492 | ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. |
| 493 | Additionally, any identities represented by the authentication |
| 494 | agent will be used for authentication unless IdentitiesOnly is |
| 495 | set. ssh(1) will try to load certificate information from the |
| 496 | filename obtained by appending -cert.pub to the path of a |
| 497 | specified IdentityFile. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 498 | |
| 499 | The file name may use the tilde syntax to refer to a user's home |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 500 | directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local |
| 501 | user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host |
| 502 | name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 503 | |
| 504 | It is possible to have multiple identity files specified in |
| 505 | configuration files; all these identities will be tried in |
| 506 | sequence. Multiple IdentityFile directives will add to the list |
| 507 | of identities tried (this behaviour differs from that of other |
| 508 | configuration directives). |
| 509 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 510 | IdentityFile may be used in conjunction with IdentitiesOnly to |
| 511 | select which identities in an agent are offered during |
| 512 | authentication. |
| 513 | |
| 514 | IgnoreUnknown |
| 515 | Specifies a pattern-list of unknown options to be ignored if they |
| 516 | are encountered in configuration parsing. This may be used to |
| 517 | suppress errors if ssh_config contains options that are |
| 518 | unrecognised by ssh(1). It is recommended that IgnoreUnknown be |
| 519 | listed early in the configuration file as it will not be applied |
| 520 | to unknown options that appear before it. |
| 521 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 522 | IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 523 | Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], M-bM-^@M-^\af22M-bM-^@M-^], |
| 524 | M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], M-bM-^@M-^\cs0M-bM-^@M-^], |
| 525 | M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^], |
| 526 | M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value. |
| 527 | This option may take one or two arguments, separated by |
| 528 | whitespace. If one argument is specified, it is used as the |
| 529 | packet class unconditionally. If two values are specified, the |
| 530 | first is automatically selected for interactive sessions and the |
| 531 | second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^] |
| 532 | for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive |
| 533 | sessions. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 534 | |
| 535 | KbdInteractiveAuthentication |
| 536 | Specifies whether to use keyboard-interactive authentication. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 537 | The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default |
| 538 | is M-bM-^@M-^\yesM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 539 | |
| 540 | KbdInteractiveDevices |
| 541 | Specifies the list of methods to use in keyboard-interactive |
| 542 | authentication. Multiple method names must be comma-separated. |
| 543 | The default is to use the server specified list. The methods |
| 544 | available vary depending on what the server supports. For an |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 545 | OpenSSH server, it may be zero or more of: M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], and |
| 546 | M-bM-^@M-^\skeyM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 547 | |
| 548 | KexAlgorithms |
| 549 | Specifies the available KEX (Key Exchange) algorithms. Multiple |
| 550 | algorithms must be comma-separated. The default is: |
| 551 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 552 | curve25519-sha256@libssh.org, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 553 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
| 554 | diffie-hellman-group-exchange-sha256, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 555 | diffie-hellman-group14-sha1, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 556 | diffie-hellman-group-exchange-sha1, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 557 | diffie-hellman-group1-sha1 |
| 558 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 559 | The list of available key exchange algorithms may also be |
| 560 | obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. |
| 561 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 562 | LocalCommand |
| 563 | Specifies a command to execute on the local machine after |
| 564 | successfully connecting to the server. The command string |
| 565 | extends to the end of the line, and is executed with the user's |
| 566 | shell. The following escape character substitutions will be |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 567 | performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host |
| 568 | name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the |
| 569 | command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or |
| 570 | M-bM-^@M-^X%uM-bM-^@M-^Y (local user name) or M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: |
| 571 | %l%h%p%r. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 572 | |
| 573 | The command is run synchronously and does not have access to the |
| 574 | session of the ssh(1) that spawned it. It should not be used for |
| 575 | interactive commands. |
| 576 | |
| 577 | This directive is ignored unless PermitLocalCommand has been |
| 578 | enabled. |
| 579 | |
| 580 | LocalForward |
| 581 | Specifies that a TCP port on the local machine be forwarded over |
| 582 | the secure channel to the specified host and port from the remote |
| 583 | machine. The first argument must be [bind_address:]port and the |
| 584 | second argument must be host:hostport. IPv6 addresses can be |
| 585 | specified by enclosing addresses in square brackets. Multiple |
| 586 | forwardings may be specified, and additional forwardings can be |
| 587 | given on the command line. Only the superuser can forward |
| 588 | privileged ports. By default, the local port is bound in |
| 589 | accordance with the GatewayPorts setting. However, an explicit |
| 590 | bind_address may be used to bind the connection to a specific |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 591 | address. The bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 592 | listening port be bound for local use only, while an empty |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 593 | address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 594 | all interfaces. |
| 595 | |
| 596 | LogLevel |
| 597 | Gives the verbosity level that is used when logging messages from |
| 598 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, |
| 599 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. |
| 600 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
| 601 | higher levels of verbose output. |
| 602 | |
| 603 | MACs Specifies the MAC (message authentication code) algorithms in |
| 604 | order of preference. The MAC algorithm is used in protocol |
| 605 | version 2 for data integrity protection. Multiple algorithms |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 606 | must be comma-separated. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] |
| 607 | calculate the MAC after encryption (encrypt-then-mac). These are |
| 608 | considered safer and their use recommended. The default is: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 609 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 610 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
| 611 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
| 612 | umac-64@openssh.com,umac-128@openssh.com, |
| 613 | hmac-sha2-256,hmac-sha2-512, |
| 614 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, |
| 615 | hmac-ripemd160-etm@openssh.com, |
| 616 | hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, |
| 617 | hmac-md5,hmac-sha1,hmac-ripemd160, |
| 618 | hmac-sha1-96,hmac-md5-96 |
| 619 | |
| 620 | The list of available MAC algorithms may also be obtained using |
| 621 | the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 622 | |
| 623 | NoHostAuthenticationForLocalhost |
| 624 | This option can be used if the home directory is shared across |
| 625 | machines. In this case localhost will refer to a different |
| 626 | machine on each of the machines and the user will get many |
| 627 | warnings about changed host keys. However, this option disables |
| 628 | host authentication for localhost. The argument to this keyword |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 629 | must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for |
| 630 | localhost. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 631 | |
| 632 | NumberOfPasswordPrompts |
| 633 | Specifies the number of password prompts before giving up. The |
| 634 | argument to this keyword must be an integer. The default is 3. |
| 635 | |
| 636 | PasswordAuthentication |
| 637 | Specifies whether to use password authentication. The argument |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 638 | to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 639 | |
| 640 | PermitLocalCommand |
| 641 | Allow local command execution via the LocalCommand option or |
| 642 | using the !command escape sequence in ssh(1). The argument must |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 643 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 644 | |
| 645 | PKCS11Provider |
| 646 | Specifies which PKCS#11 provider to use. The argument to this |
| 647 | keyword is the PKCS#11 shared library ssh(1) should use to |
| 648 | communicate with a PKCS#11 token providing the user's private RSA |
| 649 | key. |
| 650 | |
| 651 | Port Specifies the port number to connect on the remote host. The |
| 652 | default is 22. |
| 653 | |
| 654 | PreferredAuthentications |
| 655 | Specifies the order in which the client should try protocol 2 |
| 656 | authentication methods. This allows a client to prefer one |
| 657 | method (e.g. keyboard-interactive) over another method (e.g. |
| 658 | password). The default is: |
| 659 | |
| 660 | gssapi-with-mic,hostbased,publickey, |
| 661 | keyboard-interactive,password |
| 662 | |
| 663 | Protocol |
| 664 | Specifies the protocol versions ssh(1) should support in order of |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 665 | preference. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 666 | versions must be comma-separated. When this option is set to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 667 | M-bM-^@M-^\2,1M-bM-^@M-^] ssh will try version 2 and fall back to version 1 if |
| 668 | version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 669 | |
| 670 | ProxyCommand |
| 671 | Specifies the command to use to connect to the server. The |
| 672 | command string extends to the end of the line, and is executed |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 673 | using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering |
| 674 | shell process. |
| 675 | |
| 676 | In the command string, any occurrence of M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted |
| 677 | by the host name to connect, M-bM-^@M-^X%pM-bM-^@M-^Y by the port, and M-bM-^@M-^X%rM-bM-^@M-^Y by the |
| 678 | remote user name. The command can be basically anything, and |
| 679 | should read from its standard input and write to its standard |
| 680 | output. It should eventually connect an sshd(8) server running |
| 681 | on some machine, or execute sshd -i somewhere. Host key |
| 682 | management will be done using the HostName of the host being |
| 683 | connected (defaulting to the name typed by the user). Setting |
| 684 | the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option entirely. Note that |
| 685 | CheckHostIP is not available for connects with a proxy command. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 686 | |
| 687 | This directive is useful in conjunction with nc(1) and its proxy |
| 688 | support. For example, the following directive would connect via |
| 689 | an HTTP proxy at 192.0.2.0: |
| 690 | |
| 691 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p |
| 692 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 693 | ProxyUseFdpass |
| 694 | Specifies that ProxyCommand will pass a connected file descriptor |
| 695 | back to ssh(1) instead of continuing to execute and pass data. |
| 696 | The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| 697 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 698 | PubkeyAuthentication |
| 699 | Specifies whether to try public key authentication. The argument |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 700 | to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| 701 | This option applies to protocol version 2 only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 702 | |
| 703 | RekeyLimit |
| 704 | Specifies the maximum amount of data that may be transmitted |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 705 | before the session key is renegotiated, optionally followed a |
| 706 | maximum amount of time that may pass before the session key is |
| 707 | renegotiated. The first argument is specified in bytes and may |
| 708 | have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, |
| 709 | Megabytes, or Gigabytes, respectively. The default is between |
| 710 | M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second |
| 711 | value is specified in seconds and may use any of the units |
| 712 | documented in the TIME FORMATS section of sshd_config(5). The |
| 713 | default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that |
| 714 | rekeying is performed after the cipher's default amount of data |
| 715 | has been sent or received and no time based rekeying is done. |
| 716 | This option applies to protocol version 2 only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 717 | |
| 718 | RemoteForward |
| 719 | Specifies that a TCP port on the remote machine be forwarded over |
| 720 | the secure channel to the specified host and port from the local |
| 721 | machine. The first argument must be [bind_address:]port and the |
| 722 | second argument must be host:hostport. IPv6 addresses can be |
| 723 | specified by enclosing addresses in square brackets. Multiple |
| 724 | forwardings may be specified, and additional forwardings can be |
| 725 | given on the command line. Privileged ports can be forwarded |
| 726 | only when logging in as root on the remote machine. |
| 727 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 728 | If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 729 | allocated on the server and reported to the client at run time. |
| 730 | |
| 731 | If the bind_address is not specified, the default is to only bind |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 732 | to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 733 | string, then the forwarding is requested to listen on all |
| 734 | interfaces. Specifying a remote bind_address will only succeed |
| 735 | if the server's GatewayPorts option is enabled (see |
| 736 | sshd_config(5)). |
| 737 | |
| 738 | RequestTTY |
| 739 | Specifies whether to request a pseudo-tty for the session. The |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 740 | argument may be one of: M-bM-^@M-^\noM-bM-^@M-^] (never request a TTY), M-bM-^@M-^\yesM-bM-^@M-^] (always |
| 741 | request a TTY when standard input is a TTY), M-bM-^@M-^\forceM-bM-^@M-^] (always |
| 742 | request a TTY) or M-bM-^@M-^\autoM-bM-^@M-^] (request a TTY when opening a login |
| 743 | session). This option mirrors the -t and -T flags for ssh(1). |
| 744 | |
| 745 | RevokedHostKeys |
| 746 | Specifies revoked host public keys. Keys listed in this file |
| 747 | will be refused for host authentication. Note that if this file |
| 748 | does not exist or is not readable, then host authentication will |
| 749 | be refused for all hosts. Keys may be specified as a text file, |
| 750 | listing one public key per line, or as an OpenSSH Key Revocation |
| 751 | List (KRL) as generated by ssh-keygen(1). For more information |
| 752 | on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 753 | |
| 754 | RhostsRSAAuthentication |
| 755 | Specifies whether to try rhosts based authentication with RSA |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 756 | host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| 757 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only |
| 758 | and requires ssh(1) to be setuid root. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 759 | |
| 760 | RSAAuthentication |
| 761 | Specifies whether to try RSA authentication. The argument to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 762 | this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only |
| 763 | be attempted if the identity file exists, or an authentication |
| 764 | agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option |
| 765 | applies to protocol version 1 only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 766 | |
| 767 | SendEnv |
| 768 | Specifies what variables from the local environ(7) should be sent |
| 769 | to the server. Note that environment passing is only supported |
| 770 | for protocol 2. The server must also support it, and the server |
| 771 | must be configured to accept these environment variables. Refer |
| 772 | to AcceptEnv in sshd_config(5) for how to configure the server. |
| 773 | Variables are specified by name, which may contain wildcard |
| 774 | characters. Multiple environment variables may be separated by |
| 775 | whitespace or spread across multiple SendEnv directives. The |
| 776 | default is not to send any environment variables. |
| 777 | |
| 778 | See PATTERNS for more information on patterns. |
| 779 | |
| 780 | ServerAliveCountMax |
| 781 | Sets the number of server alive messages (see below) which may be |
| 782 | sent without ssh(1) receiving any messages back from the server. |
| 783 | If this threshold is reached while server alive messages are |
| 784 | being sent, ssh will disconnect from the server, terminating the |
| 785 | session. It is important to note that the use of server alive |
| 786 | messages is very different from TCPKeepAlive (below). The server |
| 787 | alive messages are sent through the encrypted channel and |
| 788 | therefore will not be spoofable. The TCP keepalive option |
| 789 | enabled by TCPKeepAlive is spoofable. The server alive mechanism |
| 790 | is valuable when the client or server depend on knowing when a |
| 791 | connection has become inactive. |
| 792 | |
| 793 | The default value is 3. If, for example, ServerAliveInterval |
| 794 | (see below) is set to 15 and ServerAliveCountMax is left at the |
| 795 | default, if the server becomes unresponsive, ssh will disconnect |
| 796 | after approximately 45 seconds. This option applies to protocol |
| 797 | version 2 only. |
| 798 | |
| 799 | ServerAliveInterval |
| 800 | Sets a timeout interval in seconds after which if no data has |
| 801 | been received from the server, ssh(1) will send a message through |
| 802 | the encrypted channel to request a response from the server. The |
| 803 | default is 0, indicating that these messages will not be sent to |
| 804 | the server. This option applies to protocol version 2 only. |
| 805 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 806 | StreamLocalBindMask |
| 807 | Sets the octal file creation mode mask (umask) used when creating |
| 808 | a Unix-domain socket file for local or remote port forwarding. |
| 809 | This option is only used for port forwarding to a Unix-domain |
| 810 | socket file. |
| 811 | |
| 812 | The default value is 0177, which creates a Unix-domain socket |
| 813 | file that is readable and writable only by the owner. Note that |
| 814 | not all operating systems honor the file mode on Unix-domain |
| 815 | socket files. |
| 816 | |
| 817 | StreamLocalBindUnlink |
| 818 | Specifies whether to remove an existing Unix-domain socket file |
| 819 | for local or remote port forwarding before creating a new one. |
| 820 | If the socket file already exists and StreamLocalBindUnlink is |
| 821 | not enabled, ssh will be unable to forward the port to the Unix- |
| 822 | domain socket file. This option is only used for port forwarding |
| 823 | to a Unix-domain socket file. |
| 824 | |
| 825 | The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| 826 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 827 | StrictHostKeyChecking |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 828 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will never automatically add |
| 829 | host keys to the ~/.ssh/known_hosts file, and refuses to connect |
| 830 | to hosts whose host key has changed. This provides maximum |
| 831 | protection against trojan horse attacks, though it can be |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 832 | annoying when the /etc/ssh/ssh_known_hosts file is poorly |
| 833 | maintained or when connections to new hosts are frequently made. |
| 834 | This option forces the user to manually add all new hosts. If |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 835 | this flag is set to M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 836 | keys to the user known hosts files. If this flag is set to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 837 | M-bM-^@M-^\askM-bM-^@M-^], new host keys will be added to the user known host files |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 838 | only after the user has confirmed that is what they really want |
| 839 | to do, and ssh will refuse to connect to hosts whose host key has |
| 840 | changed. The host keys of known hosts will be verified |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 841 | automatically in all cases. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or |
| 842 | M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 843 | |
| 844 | TCPKeepAlive |
| 845 | Specifies whether the system should send TCP keepalive messages |
| 846 | to the other side. If they are sent, death of the connection or |
| 847 | crash of one of the machines will be properly noticed. However, |
| 848 | this means that connections will die if the route is down |
| 849 | temporarily, and some people find it annoying. |
| 850 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 851 | The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 852 | client will notice if the network goes down or the remote host |
| 853 | dies. This is important in scripts, and many users want it too. |
| 854 | |
| 855 | To disable TCP keepalive messages, the value should be set to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 856 | M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 857 | |
| 858 | Tunnel Request tun(4) device forwarding between the client and the |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 859 | server. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), |
| 860 | M-bM-^@M-^\ethernetM-bM-^@M-^] (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] requests the |
| 861 | default tunnel mode, which is M-bM-^@M-^\point-to-pointM-bM-^@M-^]. The default is |
| 862 | M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 863 | |
| 864 | TunnelDevice |
| 865 | Specifies the tun(4) devices to open on the client (local_tun) |
| 866 | and the server (remote_tun). |
| 867 | |
| 868 | The argument must be local_tun[:remote_tun]. The devices may be |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 869 | specified by numerical ID or the keyword M-bM-^@M-^\anyM-bM-^@M-^], which uses the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 870 | next available tunnel device. If remote_tun is not specified, it |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 871 | defaults to M-bM-^@M-^\anyM-bM-^@M-^]. The default is M-bM-^@M-^\any:anyM-bM-^@M-^]. |
| 872 | |
| 873 | UpdateHostKeys |
| 874 | Specifies whether ssh(1) should accept notifications of |
| 875 | additional hostkeys from the server sent after authentication has |
| 876 | completed and add them to UserKnownHostsFile. The argument must |
| 877 | be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] (the default) or M-bM-^@M-^\askM-bM-^@M-^]. Enabling this option |
| 878 | allows learning alternate hostkeys for a server and supports |
| 879 | graceful key rotation by allowing a server to send replacement |
| 880 | public keys before old ones are removed. Additional hostkeys are |
| 881 | only accepted if the key used to authenticate the host was |
| 882 | already trusted or explicity accepted by the user. If |
| 883 | UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm |
| 884 | the modifications to the known_hosts file. Confirmation is |
| 885 | currently incompatible with ControlPersist, and will be disabled |
| 886 | if it is enabled. |
| 887 | |
| 888 | Presently, only sshd(8) from OpenSSH 6.8 and greater support the |
| 889 | M-bM-^@M-^\hostkeys@openssh.comM-bM-^@M-^] protocol extension used to inform the |
| 890 | client of all the server's hostkeys. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 891 | |
| 892 | UsePrivilegedPort |
| 893 | Specifies whether to use a privileged port for outgoing |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 894 | connections. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| 895 | M-bM-^@M-^\noM-bM-^@M-^]. If set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) must be setuid root. Note that |
| 896 | this option must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with |
| 897 | older servers. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 898 | |
| 899 | User Specifies the user to log in as. This can be useful when a |
| 900 | different user name is used on different machines. This saves |
| 901 | the trouble of having to remember to give the user name on the |
| 902 | command line. |
| 903 | |
| 904 | UserKnownHostsFile |
| 905 | Specifies one or more files to use for the user host key |
| 906 | database, separated by whitespace. The default is |
| 907 | ~/.ssh/known_hosts, ~/.ssh/known_hosts2. |
| 908 | |
| 909 | VerifyHostKeyDNS |
| 910 | Specifies whether to verify the remote key using DNS and SSHFP |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 911 | resource records. If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], the client |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 912 | will implicitly trust keys that match a secure fingerprint from |
| 913 | DNS. Insecure fingerprints will be handled as if this option was |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 914 | set to M-bM-^@M-^\askM-bM-^@M-^]. If this option is set to M-bM-^@M-^\askM-bM-^@M-^], information on |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 915 | fingerprint match will be displayed, but the user will still need |
| 916 | to confirm new host keys according to the StrictHostKeyChecking |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 917 | option. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\askM-bM-^@M-^]. The default |
| 918 | is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 |
| 919 | only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 920 | |
| 921 | See also VERIFYING HOST KEYS in ssh(1). |
| 922 | |
| 923 | VisualHostKey |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 924 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], an ASCII art representation of the |
| 925 | remote host key fingerprint is printed in addition to the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 926 | fingerprint string at login and for unknown host keys. If this |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 927 | flag is set to M-bM-^@M-^\noM-bM-^@M-^], no fingerprint strings are printed at login |
| 928 | and only the fingerprint string will be printed for unknown host |
| 929 | keys. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 930 | |
| 931 | XAuthLocation |
| 932 | Specifies the full pathname of the xauth(1) program. The default |
| 933 | is /usr/X11R6/bin/xauth. |
| 934 | |
| 935 | PATTERNS |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 936 | A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a |
| 937 | wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 938 | matches exactly one character). For example, to specify a set of |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 939 | declarations for any host in the M-bM-^@M-^\.co.ukM-bM-^@M-^] set of domains, the following |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 940 | pattern could be used: |
| 941 | |
| 942 | Host *.co.uk |
| 943 | |
| 944 | The following pattern would match any host in the 192.168.0.[0-9] network |
| 945 | range: |
| 946 | |
| 947 | Host 192.168.0.? |
| 948 | |
| 949 | A pattern-list is a comma-separated list of patterns. Patterns within |
| 950 | pattern-lists may be negated by preceding them with an exclamation mark |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 951 | (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an |
| 952 | organization except from the M-bM-^@M-^\dialupM-bM-^@M-^] pool, the following entry (in |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 953 | authorized_keys) could be used: |
| 954 | |
| 955 | from="!*.dialup.example.com,*.example.com" |
| 956 | |
| 957 | FILES |
| 958 | ~/.ssh/config |
| 959 | This is the per-user configuration file. The format of this file |
| 960 | is described above. This file is used by the SSH client. |
| 961 | Because of the potential for abuse, this file must have strict |
| 962 | permissions: read/write for the user, and not accessible by |
| 963 | others. |
| 964 | |
| 965 | /etc/ssh/ssh_config |
| 966 | Systemwide configuration file. This file provides defaults for |
| 967 | those values that are not specified in the user's configuration |
| 968 | file, and for those users who do not have a configuration file. |
| 969 | This file must be world-readable. |
| 970 | |
| 971 | SEE ALSO |
| 972 | ssh(1) |
| 973 | |
| 974 | AUTHORS |
| 975 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
| 976 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
| 977 | de Raadt and Dug Song removed many bugs, re-added newer features and |
| 978 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 979 | versions 1.5 and 2.0. |
| 980 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 981 | OpenBSD 5.7 February 20, 2015 OpenBSD 5.7 |