blob: 17fc0ec668c938ed4e2063d68c128853cb203c33 [file] [log] [blame]
Ben Lindstrom9f049032002-06-21 00:59:05 +00001.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16.\"
17.\" Redistribution and use in source and binary forms, with or without
18.\" modification, are permitted provided that the following conditions
19.\" are met:
20.\" 1. Redistributions of source code must retain the above copyright
21.\" notice, this list of conditions and the following disclaimer.
22.\" 2. Redistributions in binary form must reproduce the above copyright
23.\" notice, this list of conditions and the following disclaimer in the
24.\" documentation and/or other materials provided with the distribution.
25.\"
26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
Darren Tucker63b31cb2007-12-02 23:09:30 +110037.\" $OpenBSD: ssh_config.5,v 1.105 2007/10/29 07:48:19 jmc Exp $
38.Dd $Mdocdate: December 2 2007 $
Ben Lindstrom9f049032002-06-21 00:59:05 +000039.Dt SSH_CONFIG 5
40.Os
41.Sh NAME
42.Nm ssh_config
43.Nd OpenSSH SSH client configuration files
44.Sh SYNOPSIS
Darren Tuckerbf6b3282007-02-19 22:08:17 +110045.Nm ~/.ssh/config
46.Nm /etc/ssh/ssh_config
Ben Lindstrom9f049032002-06-21 00:59:05 +000047.Sh DESCRIPTION
Damien Miller45ee2b92006-03-15 11:56:18 +110048.Xr ssh 1
Ben Lindstrom9f049032002-06-21 00:59:05 +000049obtains configuration data from the following sources in
50the following order:
Damien Miller5c853b52006-03-15 11:37:02 +110051.Pp
Ben Lindstrom479b4762002-08-20 19:04:51 +000052.Bl -enum -offset indent -compact
53.It
54command-line options
55.It
56user's configuration file
Damien Miller167ea5d2005-05-26 12:04:02 +100057.Pq Pa ~/.ssh/config
Ben Lindstrom479b4762002-08-20 19:04:51 +000058.It
59system-wide configuration file
60.Pq Pa /etc/ssh/ssh_config
61.El
Ben Lindstrom9f049032002-06-21 00:59:05 +000062.Pp
63For each parameter, the first obtained value
64will be used.
Darren Tucker43d8e282005-02-09 09:51:08 +110065The configuration files contain sections separated by
Ben Lindstrom9f049032002-06-21 00:59:05 +000066.Dq Host
67specifications, and that section is only applied for hosts that
68match one of the patterns given in the specification.
69The matched host name is the one given on the command line.
70.Pp
71Since the first obtained value for each parameter is used, more
72host-specific declarations should be given near the beginning of the
73file, and general defaults at the end.
74.Pp
75The configuration file has the following format:
76.Pp
77Empty lines and lines starting with
78.Ql #
79are comments.
Ben Lindstrom9f049032002-06-21 00:59:05 +000080Otherwise a line is of the format
81.Dq keyword arguments .
82Configuration options may be separated by whitespace or
83optional whitespace and exactly one
84.Ql = ;
85the latter format is useful to avoid the need to quote whitespace
86when specifying configuration options using the
87.Nm ssh ,
Damien Miller4aea9742006-03-15 11:59:39 +110088.Nm scp ,
Ben Lindstrom9f049032002-06-21 00:59:05 +000089and
90.Nm sftp
91.Fl o
92option.
Damien Miller306d1182006-03-15 12:05:59 +110093Arguments may optionally be enclosed in double quotes
94.Pq \&"
95in order to represent arguments containing spaces.
Ben Lindstrom9f049032002-06-21 00:59:05 +000096.Pp
97The possible
98keywords and their meanings are as follows (note that
99keywords are case-insensitive and arguments are case-sensitive):
100.Bl -tag -width Ds
101.It Cm Host
102Restricts the following declarations (up to the next
103.Cm Host
104keyword) to be only for those hosts that match one of the patterns
105given after the keyword.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000106A single
Damien Miller208f1ed2006-03-15 11:56:03 +1100107.Ql *
Ben Lindstrom9f049032002-06-21 00:59:05 +0000108as a pattern can be used to provide global
109defaults for all hosts.
110The host is the
111.Ar hostname
Damien Miller208f1ed2006-03-15 11:56:03 +1100112argument given on the command line (i.e. the name is not converted to
Ben Lindstrom9f049032002-06-21 00:59:05 +0000113a canonicalized host name before matching).
Damien Millerf54a4b92006-03-15 11:54:36 +1100114.Pp
115See
116.Sx PATTERNS
117for more information on patterns.
Damien Miller20a8f972003-05-18 20:50:30 +1000118.It Cm AddressFamily
Damien Millerfbf486b2003-05-23 18:44:23 +1000119Specifies which address family to use when connecting.
120Valid arguments are
Damien Miller20a8f972003-05-18 20:50:30 +1000121.Dq any ,
122.Dq inet
Damien Miller45ee2b92006-03-15 11:56:18 +1100123(use IPv4 only), or
Damien Miller20a8f972003-05-18 20:50:30 +1000124.Dq inet6
Darren Tucker79a7acf2005-02-09 09:48:57 +1100125(use IPv6 only).
Ben Lindstrom9f049032002-06-21 00:59:05 +0000126.It Cm BatchMode
127If set to
128.Dq yes ,
129passphrase/password querying will be disabled.
130This option is useful in scripts and other batch jobs where no user
131is present to supply the password.
132The argument must be
133.Dq yes
134or
135.Dq no .
136The default is
137.Dq no .
138.It Cm BindAddress
Darren Tucker89f4d472005-07-14 17:06:21 +1000139Use the specified address on the local machine as the source address of
Darren Tucker6c71d202005-07-14 17:06:50 +1000140the connection.
141Only useful on systems with more than one address.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000142Note that this option does not work if
143.Cm UsePrivilegedPort
144is set to
145.Dq yes .
146.It Cm ChallengeResponseAuthentication
Damien Miller1faa7132006-03-15 11:55:31 +1100147Specifies whether to use challenge-response authentication.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000148The argument to this keyword must be
149.Dq yes
150or
151.Dq no .
152The default is
153.Dq yes .
154.It Cm CheckHostIP
155If this flag is set to
156.Dq yes ,
Damien Miller45ee2b92006-03-15 11:56:18 +1100157.Xr ssh 1
158will additionally check the host IP address in the
Ben Lindstrom9f049032002-06-21 00:59:05 +0000159.Pa known_hosts
160file.
161This allows ssh to detect if a host key changed due to DNS spoofing.
162If the option is set to
163.Dq no ,
164the check will not be executed.
165The default is
166.Dq yes .
167.It Cm Cipher
168Specifies the cipher to use for encrypting the session
169in protocol version 1.
170Currently,
171.Dq blowfish ,
172.Dq 3des ,
173and
174.Dq des
175are supported.
176.Ar des
177is only supported in the
Damien Miller45ee2b92006-03-15 11:56:18 +1100178.Xr ssh 1
Ben Lindstrom9f049032002-06-21 00:59:05 +0000179client for interoperability with legacy protocol 1 implementations
180that do not support the
181.Ar 3des
Damien Miller495dca32003-04-01 21:42:14 +1000182cipher.
183Its use is strongly discouraged due to cryptographic weaknesses.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000184The default is
185.Dq 3des .
186.It Cm Ciphers
187Specifies the ciphers allowed for protocol version 2
188in order of preference.
189Multiple ciphers must be comma-separated.
Damien Miller05202ff2004-06-15 10:30:39 +1000190The supported ciphers are
191.Dq 3des-cbc ,
192.Dq aes128-cbc ,
193.Dq aes192-cbc ,
194.Dq aes256-cbc ,
195.Dq aes128-ctr ,
196.Dq aes192-ctr ,
197.Dq aes256-ctr ,
Damien Miller3710f272005-05-26 12:19:17 +1000198.Dq arcfour128 ,
199.Dq arcfour256 ,
Damien Miller05202ff2004-06-15 10:30:39 +1000200.Dq arcfour ,
201.Dq blowfish-cbc ,
202and
203.Dq cast128-cbc .
Damien Miller45ee2b92006-03-15 11:56:18 +1100204The default is:
205.Bd -literal -offset 3n
206aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
207arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
208aes192-ctr,aes256-ctr
Ben Lindstrom9f049032002-06-21 00:59:05 +0000209.Ed
210.It Cm ClearAllForwardings
Damien Miller45ee2b92006-03-15 11:56:18 +1100211Specifies that all local, remote, and dynamic port forwardings
Ben Lindstrom9f049032002-06-21 00:59:05 +0000212specified in the configuration files or on the command line be
Damien Miller495dca32003-04-01 21:42:14 +1000213cleared.
214This option is primarily useful when used from the
Damien Miller45ee2b92006-03-15 11:56:18 +1100215.Xr ssh 1
Ben Lindstrom9f049032002-06-21 00:59:05 +0000216command line to clear port forwardings set in
217configuration files, and is automatically set by
218.Xr scp 1
219and
220.Xr sftp 1 .
221The argument must be
222.Dq yes
223or
224.Dq no .
225The default is
226.Dq no .
227.It Cm Compression
228Specifies whether to use compression.
229The argument must be
230.Dq yes
231or
232.Dq no .
233The default is
234.Dq no .
235.It Cm CompressionLevel
236Specifies the compression level to use if compression is enabled.
237The argument must be an integer from 1 (fast) to 9 (slow, best).
238The default level is 6, which is good for most applications.
239The meaning of the values is the same as in
240.Xr gzip 1 .
241Note that this option applies to protocol version 1 only.
242.It Cm ConnectionAttempts
243Specifies the number of tries (one per second) to make before exiting.
244The argument must be an integer.
245This may be useful in scripts if the connection sometimes fails.
246The default is 1.
Damien Millerb78d5eb2003-05-16 11:39:04 +1000247.It Cm ConnectTimeout
Damien Miller45ee2b92006-03-15 11:56:18 +1100248Specifies the timeout (in seconds) used when connecting to the
249SSH server, instead of using the default system TCP timeout.
Damien Millerfbf486b2003-05-23 18:44:23 +1000250This value is used only when the target is down or really unreachable,
251not when it refuses the connection.
Damien Miller0e220db2004-06-15 10:34:08 +1000252.It Cm ControlMaster
253Enables the sharing of multiple sessions over a single network connection.
254When set to
Damien Miller45ee2b92006-03-15 11:56:18 +1100255.Dq yes ,
256.Xr ssh 1
Damien Miller0e220db2004-06-15 10:34:08 +1000257will listen for connections on a control socket specified using the
258.Cm ControlPath
259argument.
260Additional sessions can connect to this socket using the same
261.Cm ControlPath
262with
263.Cm ControlMaster
264set to
265.Dq no
Damien Miller2234bac2004-06-30 22:38:52 +1000266(the default).
Damien Miller713de762005-11-05 15:13:49 +1100267These sessions will try to reuse the master instance's network connection
Damien Millerb3bfbb72005-11-05 15:11:48 +1100268rather than initiating new ones, but will fall back to connecting normally
269if the control socket does not exist, or is not listening.
270.Pp
Damien Miller23f07702004-06-18 01:19:03 +1000271Setting this to
272.Dq ask
Damien Miller45ee2b92006-03-15 11:56:18 +1100273will cause ssh
Damien Miller23f07702004-06-18 01:19:03 +1000274to listen for control connections, but require confirmation using the
275.Ev SSH_ASKPASS
276program before they are accepted (see
277.Xr ssh-add 1
Damien Miller2234bac2004-06-30 22:38:52 +1000278for details).
Damien Millerdadfd4d2005-05-26 12:07:13 +1000279If the
280.Cm ControlPath
Damien Miller45ee2b92006-03-15 11:56:18 +1100281cannot be opened,
282ssh will continue without connecting to a master instance.
Damien Millerd14b1e72005-06-16 13:19:41 +1000283.Pp
Damien Miller13390022005-07-06 09:44:19 +1000284X11 and
Damien Millerfd94fba2005-07-06 09:44:59 +1000285.Xr ssh-agent 1
Damien Miller13390022005-07-06 09:44:19 +1000286forwarding is supported over these multiplexed connections, however the
Darren Tucker63551872005-12-20 16:14:15 +1100287display and agent forwarded will be the one belonging to the master
Damien Millerfd94fba2005-07-06 09:44:59 +1000288connection i.e. it is not possible to forward multiple displays or agents.
Damien Miller13390022005-07-06 09:44:19 +1000289.Pp
Damien Millerd14b1e72005-06-16 13:19:41 +1000290Two additional options allow for opportunistic multiplexing: try to use a
291master connection but fall back to creating a new one if one does not already
292exist.
293These options are:
294.Dq auto
295and
296.Dq autoask .
297The latter requires confirmation like the
298.Dq ask
299option.
Damien Miller0e220db2004-06-15 10:34:08 +1000300.It Cm ControlPath
Damien Miller6476cad2005-06-16 13:18:34 +1000301Specify the path to the control socket used for connection sharing as described
302in the
Damien Miller0e220db2004-06-15 10:34:08 +1000303.Cm ControlMaster
Damien Miller8f74c8f2005-06-26 08:56:03 +1000304section above or the string
305.Dq none
306to disable connection sharing.
Damien Miller6476cad2005-06-16 13:18:34 +1000307In the path,
Damien Miller3ec54c72006-03-15 11:30:13 +1100308.Ql %l
309will be substituted by the local host name,
Damien Miller6476cad2005-06-16 13:18:34 +1000310.Ql %h
311will be substituted by the target host name,
312.Ql %p
Damien Miller45ee2b92006-03-15 11:56:18 +1100313the port, and
Damien Miller6476cad2005-06-16 13:18:34 +1000314.Ql %r
315by the remote login username.
Damien Millerd14b1e72005-06-16 13:19:41 +1000316It is recommended that any
317.Cm ControlPath
318used for opportunistic connection sharing include
Damien Miller20c2ec42006-03-15 11:31:01 +1100319at least %h, %p, and %r.
Damien Millerd14b1e72005-06-16 13:19:41 +1000320This ensures that shared connections are uniquely identified.
Damien Miller2234bac2004-06-30 22:38:52 +1000321.It Cm DynamicForward
Damien Millere9d001e2006-01-14 10:10:17 +1100322Specifies that a TCP port on the local machine be forwarded
Damien Miller2234bac2004-06-30 22:38:52 +1000323over the secure channel, and the application
324protocol is then used to determine where to connect to from the
325remote machine.
Darren Tuckerc8d64212005-10-03 18:13:42 +1000326.Pp
327The argument must be
328.Sm off
329.Oo Ar bind_address : Oc Ar port .
330.Sm on
331IPv6 addresses can be specified by enclosing addresses in square brackets or
332by using an alternative syntax:
333.Oo Ar bind_address Ns / Oc Ns Ar port .
334By default, the local port is bound in accordance with the
335.Cm GatewayPorts
336setting.
337However, an explicit
338.Ar bind_address
339may be used to bind the connection to a specific address.
340The
341.Ar bind_address
342of
343.Dq localhost
344indicates that the listening port be bound for local use only, while an
345empty address or
346.Sq *
347indicates that the port should be available from all interfaces.
348.Pp
Damien Miller2234bac2004-06-30 22:38:52 +1000349Currently the SOCKS4 and SOCKS5 protocols are supported, and
Damien Miller45ee2b92006-03-15 11:56:18 +1100350.Xr ssh 1
Damien Miller2234bac2004-06-30 22:38:52 +1000351will act as a SOCKS server.
352Multiple forwardings may be specified, and
353additional forwardings can be given on the command line.
354Only the superuser can forward privileged ports.
Darren Tucker674f71d2003-06-28 12:33:12 +1000355.It Cm EnableSSHKeysign
356Setting this option to
357.Dq yes
358in the global client configuration file
359.Pa /etc/ssh/ssh_config
360enables the use of the helper program
361.Xr ssh-keysign 8
362during
363.Cm HostbasedAuthentication .
364The argument must be
365.Dq yes
366or
367.Dq no .
368The default is
369.Dq no .
Darren Tuckerf132c672003-10-15 15:58:18 +1000370This option should be placed in the non-hostspecific section.
Darren Tucker674f71d2003-06-28 12:33:12 +1000371See
372.Xr ssh-keysign 8
373for more information.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000374.It Cm EscapeChar
375Sets the escape character (default:
376.Ql ~ ) .
377The escape character can also
378be set on the command line.
379The argument should be a single character,
380.Ql ^
381followed by a letter, or
382.Dq none
383to disable the escape
384character entirely (making the connection transparent for binary
385data).
Darren Tuckere7d4b192006-07-12 22:17:10 +1000386.It Cm ExitOnForwardFailure
387Specifies whether
388.Xr ssh 1
389should terminate the connection if it cannot set up all requested
Darren Tuckerfc5d1882007-08-15 22:20:22 +1000390dynamic, tunnel, local, and remote port forwardings.
Darren Tuckere7d4b192006-07-12 22:17:10 +1000391The argument must be
392.Dq yes
393or
394.Dq no .
395The default is
396.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000397.It Cm ForwardAgent
398Specifies whether the connection to the authentication agent (if any)
399will be forwarded to the remote machine.
400The argument must be
401.Dq yes
402or
403.Dq no .
404The default is
405.Dq no .
Damien Milleraf653042002-09-04 16:40:37 +1000406.Pp
Damien Miller495dca32003-04-01 21:42:14 +1000407Agent forwarding should be enabled with caution.
408Users with the ability to bypass file permissions on the remote host
409(for the agent's Unix-domain socket)
410can access the local agent through the forwarded connection.
411An attacker cannot obtain key material from the agent,
Damien Milleraf653042002-09-04 16:40:37 +1000412however they can perform operations on the keys that enable them to
413authenticate using the identities loaded into the agent.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000414.It Cm ForwardX11
415Specifies whether X11 connections will be automatically redirected
416over the secure channel and
417.Ev DISPLAY
418set.
419The argument must be
420.Dq yes
421or
422.Dq no .
423The default is
424.Dq no .
Damien Milleraf653042002-09-04 16:40:37 +1000425.Pp
Damien Miller495dca32003-04-01 21:42:14 +1000426X11 forwarding should be enabled with caution.
427Users with the ability to bypass file permissions on the remote host
Darren Tucker0a118da2003-10-15 15:54:32 +1000428(for the user's X11 authorization database)
Damien Miller495dca32003-04-01 21:42:14 +1000429can access the local X11 display through the forwarded connection.
Darren Tucker0a118da2003-10-15 15:54:32 +1000430An attacker may then be able to perform activities such as keystroke monitoring
431if the
432.Cm ForwardX11Trusted
433option is also enabled.
434.It Cm ForwardX11Trusted
Darren Tuckerdcf6ec42004-05-13 13:03:56 +1000435If this option is set to
Damien Miller45ee2b92006-03-15 11:56:18 +1100436.Dq yes ,
437remote X11 clients will have full access to the original X11 display.
Damien Miller1717fd42005-03-01 21:17:31 +1100438.Pp
Darren Tucker0a118da2003-10-15 15:54:32 +1000439If this option is set to
Damien Miller45ee2b92006-03-15 11:56:18 +1100440.Dq no ,
441remote X11 clients will be considered untrusted and prevented
Darren Tucker0a118da2003-10-15 15:54:32 +1000442from stealing or tampering with data belonging to trusted X11
443clients.
Damien Miller1717fd42005-03-01 21:17:31 +1100444Furthermore, the
445.Xr xauth 1
446token used for the session will be set to expire after 20 minutes.
447Remote clients will be refused access after this time.
Darren Tucker0a118da2003-10-15 15:54:32 +1000448.Pp
449The default is
450.Dq no .
451.Pp
452See the X11 SECURITY extension specification for full details on
453the restrictions imposed on untrusted clients.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000454.It Cm GatewayPorts
455Specifies whether remote hosts are allowed to connect to local
456forwarded ports.
457By default,
Damien Miller45ee2b92006-03-15 11:56:18 +1100458.Xr ssh 1
Damien Miller495dca32003-04-01 21:42:14 +1000459binds local port forwardings to the loopback address.
460This prevents other remote hosts from connecting to forwarded ports.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000461.Cm GatewayPorts
Damien Miller45ee2b92006-03-15 11:56:18 +1100462can be used to specify that ssh
Ben Lindstrom9f049032002-06-21 00:59:05 +0000463should bind local port forwardings to the wildcard address,
464thus allowing remote hosts to connect to forwarded ports.
465The argument must be
466.Dq yes
467or
468.Dq no .
469The default is
470.Dq no .
471.It Cm GlobalKnownHostsFile
472Specifies a file to use for the global
473host key database instead of
474.Pa /etc/ssh/ssh_known_hosts .
Darren Tucker0efd1552003-08-26 11:49:55 +1000475.It Cm GSSAPIAuthentication
Damien Millerbaafb982003-12-17 16:32:23 +1100476Specifies whether user authentication based on GSSAPI is allowed.
Damien Millerc2b98272003-09-03 12:13:30 +1000477The default is
Darren Tuckera044f472003-10-15 15:52:03 +1000478.Dq no .
Darren Tucker0efd1552003-08-26 11:49:55 +1000479Note that this option applies to protocol version 2 only.
480.It Cm GSSAPIDelegateCredentials
481Forward (delegate) credentials to the server.
482The default is
483.Dq no .
484Note that this option applies to protocol version 2 only.
Damien Millere1776152005-03-01 21:47:37 +1100485.It Cm HashKnownHosts
486Indicates that
Damien Miller45ee2b92006-03-15 11:56:18 +1100487.Xr ssh 1
Damien Millere1776152005-03-01 21:47:37 +1100488should hash host names and addresses when they are added to
Damien Miller167ea5d2005-05-26 12:04:02 +1000489.Pa ~/.ssh/known_hosts .
Damien Millere1776152005-03-01 21:47:37 +1100490These hashed names may be used normally by
Damien Miller45ee2b92006-03-15 11:56:18 +1100491.Xr ssh 1
Damien Millere1776152005-03-01 21:47:37 +1100492and
Damien Miller45ee2b92006-03-15 11:56:18 +1100493.Xr sshd 8 ,
Damien Millere1776152005-03-01 21:47:37 +1100494but they do not reveal identifying information should the file's contents
495be disclosed.
496The default is
497.Dq no .
Damien Miller858bb7d2006-08-05 11:34:51 +1000498Note that existing names and addresses in known hosts files
499will not be converted automatically,
500but may be manually hashed using
Damien Miller4b42d7f2005-03-01 21:48:35 +1100501.Xr ssh-keygen 1 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000502.It Cm HostbasedAuthentication
503Specifies whether to try rhosts based authentication with public key
504authentication.
505The argument must be
506.Dq yes
507or
508.Dq no .
509The default is
510.Dq no .
511This option applies to protocol version 2 only and
512is similar to
513.Cm RhostsRSAAuthentication .
514.It Cm HostKeyAlgorithms
515Specifies the protocol version 2 host key algorithms
516that the client wants to use in order of preference.
517The default for this option is:
518.Dq ssh-rsa,ssh-dss .
519.It Cm HostKeyAlias
520Specifies an alias that should be used instead of the
521real host name when looking up or saving the host key
522in the host key database files.
Damien Miller45ee2b92006-03-15 11:56:18 +1100523This option is useful for tunneling SSH connections
Ben Lindstrom9f049032002-06-21 00:59:05 +0000524or for multiple servers running on a single host.
525.It Cm HostName
526Specifies the real host name to log into.
527This can be used to specify nicknames or abbreviations for hosts.
Damien Miller45ee2b92006-03-15 11:56:18 +1100528The default is the name given on the command line.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000529Numeric IP addresses are also permitted (both on the command line and in
530.Cm HostName
531specifications).
Damien Millerbd394c32004-03-08 23:12:36 +1100532.It Cm IdentitiesOnly
533Specifies that
Damien Miller45ee2b92006-03-15 11:56:18 +1100534.Xr ssh 1
Damien Millerbd394c32004-03-08 23:12:36 +1100535should only use the authentication identity files configured in the
Damien Miller1a812582004-04-20 20:13:32 +1000536.Nm
Damien Millerbd394c32004-03-08 23:12:36 +1100537files,
Damien Miller45ee2b92006-03-15 11:56:18 +1100538even if
539.Xr ssh-agent 1
Damien Millerbd394c32004-03-08 23:12:36 +1100540offers more identities.
541The argument to this keyword must be
542.Dq yes
543or
544.Dq no .
Damien Miller45ee2b92006-03-15 11:56:18 +1100545This option is intended for situations where ssh-agent
Damien Millerbd394c32004-03-08 23:12:36 +1100546offers many different identities.
547The default is
548.Dq no .
Damien Miller957d4e42005-12-13 19:30:45 +1100549.It Cm IdentityFile
550Specifies a file from which the user's RSA or DSA authentication identity
551is read.
552The default is
553.Pa ~/.ssh/identity
554for protocol version 1, and
555.Pa ~/.ssh/id_rsa
556and
557.Pa ~/.ssh/id_dsa
558for protocol version 2.
559Additionally, any identities represented by the authentication agent
560will be used for authentication.
Damien Miller6b1d53c2006-03-31 23:13:21 +1100561.Pp
Damien Miller957d4e42005-12-13 19:30:45 +1100562The file name may use the tilde
Damien Millerc6437cf2006-03-31 23:14:41 +1100563syntax to refer to a user's home directory or one of the following
Damien Miller6b1d53c2006-03-31 23:13:21 +1100564escape characters:
565.Ql %d
566(local user's home directory),
567.Ql %u
568(local user name),
569.Ql %l
570(local host name),
571.Ql %h
572(remote host name) or
Damien Millerdfc61832006-03-31 23:14:57 +1100573.Ql %r
Damien Miller6b1d53c2006-03-31 23:13:21 +1100574(remote user name).
575.Pp
Damien Miller957d4e42005-12-13 19:30:45 +1100576It is possible to have
577multiple identity files specified in configuration files; all these
578identities will be tried in sequence.
Damien Millercfb606c2007-10-26 14:24:48 +1000579.It Cm KbdInteractiveAuthentication
580Specifies whether to use keyboard-interactive authentication.
581The argument to this keyword must be
582.Dq yes
583or
584.Dq no .
585The default is
586.Dq yes .
Darren Tucker636ca902004-11-05 20:22:00 +1100587.It Cm KbdInteractiveDevices
588Specifies the list of methods to use in keyboard-interactive authentication.
589Multiple method names must be comma-separated.
590The default is to use the server specified list.
Damien Miller9cfbaec2006-03-15 11:57:55 +1100591The methods available vary depending on what the server supports.
592For an OpenSSH server,
593it may be zero or more of:
594.Dq bsdauth ,
595.Dq pam ,
596and
597.Dq skey .
Damien Millerd27b9472005-12-13 19:29:02 +1100598.It Cm LocalCommand
599Specifies a command to execute on the local machine after successfully
600connecting to the server.
601The command string extends to the end of the line, and is executed with
Darren Tucker63b31cb2007-12-02 23:09:30 +1100602the user's shell.
Damien Millerd27b9472005-12-13 19:29:02 +1100603This directive is ignored unless
604.Cm PermitLocalCommand
605has been enabled.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000606.It Cm LocalForward
Damien Millere9d001e2006-01-14 10:10:17 +1100607Specifies that a TCP port on the local machine be forwarded over
Ben Lindstrom9f049032002-06-21 00:59:05 +0000608the secure channel to the specified host and port from the remote machine.
Darren Tucker5ede2ad2005-03-31 21:31:10 +1000609The first argument must be
Damien Millerf91ee4c2005-03-01 21:24:33 +1100610.Sm off
Darren Tucker5ede2ad2005-03-31 21:31:10 +1000611.Oo Ar bind_address : Oc Ar port
Damien Millerf91ee4c2005-03-01 21:24:33 +1100612.Sm on
Darren Tucker5ede2ad2005-03-31 21:31:10 +1000613and the second argument must be
614.Ar host : Ns Ar hostport .
Damien Millerf8c55462005-03-02 12:03:05 +1100615IPv6 addresses can be specified by enclosing addresses in square brackets or
Damien Millerf91ee4c2005-03-01 21:24:33 +1100616by using an alternative syntax:
Darren Tucker5ede2ad2005-03-31 21:31:10 +1000617.Oo Ar bind_address Ns / Oc Ns Ar port
618and
619.Ar host Ns / Ns Ar hostport .
Damien Millerf8c55462005-03-02 12:03:05 +1100620Multiple forwardings may be specified, and additional forwardings can be
Damien Millerf91ee4c2005-03-01 21:24:33 +1100621given on the command line.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000622Only the superuser can forward privileged ports.
Damien Millerf91ee4c2005-03-01 21:24:33 +1100623By default, the local port is bound in accordance with the
624.Cm GatewayPorts
625setting.
626However, an explicit
627.Ar bind_address
628may be used to bind the connection to a specific address.
629The
630.Ar bind_address
631of
632.Dq localhost
Damien Millerf8c55462005-03-02 12:03:05 +1100633indicates that the listening port be bound for local use only, while an
634empty address or
635.Sq *
Damien Millerf91ee4c2005-03-01 21:24:33 +1100636indicates that the port should be available from all interfaces.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000637.It Cm LogLevel
638Gives the verbosity level that is used when logging messages from
Damien Miller45ee2b92006-03-15 11:56:18 +1100639.Xr ssh 1 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000640The possible values are:
Damien Miller45ee2b92006-03-15 11:56:18 +1100641QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
Damien Miller495dca32003-04-01 21:42:14 +1000642The default is INFO.
643DEBUG and DEBUG1 are equivalent.
644DEBUG2 and DEBUG3 each specify higher levels of verbose output.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000645.It Cm MACs
646Specifies the MAC (message authentication code) algorithms
647in order of preference.
648The MAC algorithm is used in protocol version 2
649for data integrity protection.
650Multiple algorithms must be comma-separated.
Damien Miller45ee2b92006-03-15 11:56:18 +1100651The default is:
Damien Miller5e7c30b2007-06-11 14:06:32 +1000652.Bd -literal -offset indent
653hmac-md5,hmac-sha1,umac-64@openssh.com,
654hmac-ripemd160,hmac-sha1-96,hmac-md5-96
655.Ed
Ben Lindstrom9f049032002-06-21 00:59:05 +0000656.It Cm NoHostAuthenticationForLocalhost
657This option can be used if the home directory is shared across machines.
658In this case localhost will refer to a different machine on each of
659the machines and the user will get many warnings about changed host keys.
660However, this option disables host authentication for localhost.
661The argument to this keyword must be
662.Dq yes
663or
664.Dq no .
665The default is to check the host key for localhost.
666.It Cm NumberOfPasswordPrompts
667Specifies the number of password prompts before giving up.
668The argument to this keyword must be an integer.
Damien Miller45ee2b92006-03-15 11:56:18 +1100669The default is 3.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000670.It Cm PasswordAuthentication
671Specifies whether to use password authentication.
672The argument to this keyword must be
673.Dq yes
674or
675.Dq no .
676The default is
677.Dq yes .
Damien Millerd27b9472005-12-13 19:29:02 +1100678.It Cm PermitLocalCommand
679Allow local command execution via the
680.Ic LocalCommand
681option or using the
Damien Miller4b2319f2005-12-13 19:30:27 +1100682.Ic !\& Ns Ar command
Damien Millerd27b9472005-12-13 19:29:02 +1100683escape sequence in
684.Xr ssh 1 .
685The argument must be
686.Dq yes
687or
688.Dq no .
689The default is
690.Dq no .
Damien Miller957d4e42005-12-13 19:30:45 +1100691.It Cm Port
692Specifies the port number to connect on the remote host.
Damien Miller45ee2b92006-03-15 11:56:18 +1100693The default is 22.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000694.It Cm PreferredAuthentications
695Specifies the order in which the client should try protocol 2
Damien Millerfbf486b2003-05-23 18:44:23 +1000696authentication methods.
Darren Tucker1adc2bd2005-03-14 23:14:20 +1100697This allows a client to prefer one method (e.g.\&
Ben Lindstrom9f049032002-06-21 00:59:05 +0000698.Cm keyboard-interactive )
Darren Tucker1adc2bd2005-03-14 23:14:20 +1100699over another method (e.g.\&
Ben Lindstrom9f049032002-06-21 00:59:05 +0000700.Cm password )
701The default for this option is:
Damien Miller3c6ed7b2006-06-13 13:01:41 +1000702.Do gssapi-with-mic ,
703hostbased,
704publickey,
705keyboard-interactive,
706password
707.Dc .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000708.It Cm Protocol
709Specifies the protocol versions
Damien Miller45ee2b92006-03-15 11:56:18 +1100710.Xr ssh 1
Ben Lindstrom9f049032002-06-21 00:59:05 +0000711should support in order of preference.
712The possible values are
Damien Miller45ee2b92006-03-15 11:56:18 +1100713.Sq 1
Ben Lindstrom9f049032002-06-21 00:59:05 +0000714and
Damien Miller45ee2b92006-03-15 11:56:18 +1100715.Sq 2 .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000716Multiple versions must be comma-separated.
717The default is
718.Dq 2,1 .
Damien Miller45ee2b92006-03-15 11:56:18 +1100719This means that ssh
Ben Lindstrom9f049032002-06-21 00:59:05 +0000720tries version 2 and falls back to version 1
721if version 2 is not available.
722.It Cm ProxyCommand
723Specifies the command to use to connect to the server.
724The command
725string extends to the end of the line, and is executed with
Darren Tucker63b31cb2007-12-02 23:09:30 +1100726the user's shell.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000727In the command string,
728.Ql %h
729will be substituted by the host name to
730connect and
731.Ql %p
732by the port.
733The command can be basically anything,
734and should read from its standard input and write to its standard output.
735It should eventually connect an
736.Xr sshd 8
737server running on some machine, or execute
738.Ic sshd -i
739somewhere.
740Host key management will be done using the
741HostName of the host being connected (defaulting to the name typed by
742the user).
Damien Miller495dca32003-04-01 21:42:14 +1000743Setting the command to
744.Dq none
Damien Miller9f1e33a2003-02-24 11:57:32 +1100745disables this option entirely.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000746Note that
747.Cm CheckHostIP
748is not available for connects with a proxy command.
749.Pp
Damien Millerebcfedc2005-05-26 12:13:56 +1000750This directive is useful in conjunction with
751.Xr nc 1
752and its proxy support.
Damien Millerdfec2942005-05-26 12:14:32 +1000753For example, the following directive would connect via an HTTP proxy at
Damien Millerebcfedc2005-05-26 12:13:56 +1000754192.0.2.0:
755.Bd -literal -offset 3n
756ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
757.Ed
Ben Lindstrom9f049032002-06-21 00:59:05 +0000758.It Cm PubkeyAuthentication
759Specifies whether to try public key authentication.
760The argument to this keyword must be
761.Dq yes
762or
763.Dq no .
764The default is
765.Dq yes .
766This option applies to protocol version 2 only.
Darren Tucker62388b22006-01-20 11:31:47 +1100767.It Cm RekeyLimit
768Specifies the maximum amount of data that may be transmitted before the
Damien Millerddfddf12006-01-31 21:39:03 +1100769session key is renegotiated.
Darren Tucker62388b22006-01-20 11:31:47 +1100770The argument is the number of bytes, with an optional suffix of
Damien Millerddfddf12006-01-31 21:39:03 +1100771.Sq K ,
772.Sq M ,
Darren Tucker62388b22006-01-20 11:31:47 +1100773or
Damien Millerddfddf12006-01-31 21:39:03 +1100774.Sq G
Darren Tucker62388b22006-01-20 11:31:47 +1100775to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
776The default is between
Damien Miller45ee2b92006-03-15 11:56:18 +1100777.Sq 1G
Darren Tucker62388b22006-01-20 11:31:47 +1100778and
Damien Miller45ee2b92006-03-15 11:56:18 +1100779.Sq 4G ,
Darren Tucker62388b22006-01-20 11:31:47 +1100780depending on the cipher.
Damien Millerddfddf12006-01-31 21:39:03 +1100781This option applies to protocol version 2 only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000782.It Cm RemoteForward
Damien Millere9d001e2006-01-14 10:10:17 +1100783Specifies that a TCP port on the remote machine be forwarded over
Ben Lindstrom9f049032002-06-21 00:59:05 +0000784the secure channel to the specified host and port from the local machine.
Darren Tucker5ede2ad2005-03-31 21:31:10 +1000785The first argument must be
Damien Millerf91ee4c2005-03-01 21:24:33 +1100786.Sm off
Darren Tucker5ede2ad2005-03-31 21:31:10 +1000787.Oo Ar bind_address : Oc Ar port
Damien Millerf91ee4c2005-03-01 21:24:33 +1100788.Sm on
Darren Tucker5ede2ad2005-03-31 21:31:10 +1000789and the second argument must be
790.Ar host : Ns Ar hostport .
791IPv6 addresses can be specified by enclosing addresses in square brackets
792or by using an alternative syntax:
793.Oo Ar bind_address Ns / Oc Ns Ar port
794and
795.Ar host Ns / Ns Ar hostport .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000796Multiple forwardings may be specified, and additional
797forwardings can be given on the command line.
798Only the superuser can forward privileged ports.
Damien Millerf91ee4c2005-03-01 21:24:33 +1100799.Pp
800If the
801.Ar bind_address
802is not specified, the default is to only bind to loopback addresses.
803If the
804.Ar bind_address
805is
806.Ql *
807or an empty string, then the forwarding is requested to listen on all
808interfaces.
809Specifying a remote
810.Ar bind_address
Damien Millerf8c55462005-03-02 12:03:05 +1100811will only succeed if the server's
812.Cm GatewayPorts
Damien Millerf91ee4c2005-03-01 21:24:33 +1100813option is enabled (see
Damien Millerf8c55462005-03-02 12:03:05 +1100814.Xr sshd_config 5 ) .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000815.It Cm RhostsRSAAuthentication
816Specifies whether to try rhosts based authentication with RSA host
817authentication.
818The argument must be
819.Dq yes
820or
821.Dq no .
822The default is
823.Dq no .
824This option applies to protocol version 1 only and requires
Damien Miller45ee2b92006-03-15 11:56:18 +1100825.Xr ssh 1
Ben Lindstrom9f049032002-06-21 00:59:05 +0000826to be setuid root.
827.It Cm RSAAuthentication
828Specifies whether to try RSA authentication.
829The argument to this keyword must be
830.Dq yes
831or
832.Dq no .
833RSA authentication will only be
834attempted if the identity file exists, or an authentication agent is
835running.
836The default is
837.Dq yes .
838Note that this option applies to protocol version 1 only.
Darren Tucker46bc0752004-05-02 22:11:30 +1000839.It Cm SendEnv
840Specifies what variables from the local
841.Xr environ 7
842should be sent to the server.
Damien Miller45ee2b92006-03-15 11:56:18 +1100843Note that environment passing is only supported for protocol 2.
844The server must also support it, and the server must be configured to
Darren Tucker1e0c9bf2004-05-02 22:12:48 +1000845accept these environment variables.
Darren Tucker46bc0752004-05-02 22:11:30 +1000846Refer to
847.Cm AcceptEnv
848in
849.Xr sshd_config 5
850for how to configure the server.
Damien Miller6def5512006-03-15 11:54:05 +1100851Variables are specified by name, which may contain wildcard characters.
Darren Tucker1e0c9bf2004-05-02 22:12:48 +1000852Multiple environment variables may be separated by whitespace or spread
Darren Tucker46bc0752004-05-02 22:11:30 +1000853across multiple
854.Cm SendEnv
855directives.
856The default is not to send any environment variables.
Damien Millerf54a4b92006-03-15 11:54:36 +1100857.Pp
858See
859.Sx PATTERNS
860for more information on patterns.
Damien Miller509b0102003-12-17 16:33:10 +1100861.It Cm ServerAliveCountMax
Damien Millerb7977702006-01-03 18:47:31 +1100862Sets the number of server alive messages (see below) which may be
Damien Miller509b0102003-12-17 16:33:10 +1100863sent without
Damien Miller45ee2b92006-03-15 11:56:18 +1100864.Xr ssh 1
Damien Miller509b0102003-12-17 16:33:10 +1100865receiving any messages back from the server.
866If this threshold is reached while server alive messages are being sent,
Damien Miller45ee2b92006-03-15 11:56:18 +1100867ssh will disconnect from the server, terminating the session.
Damien Miller509b0102003-12-17 16:33:10 +1100868It is important to note that the use of server alive messages is very
869different from
870.Cm TCPKeepAlive
871(below).
872The server alive messages are sent through the encrypted channel
873and therefore will not be spoofable.
874The TCP keepalive option enabled by
875.Cm TCPKeepAlive
876is spoofable.
877The server alive mechanism is valuable when the client or
878server depend on knowing when a connection has become inactive.
879.Pp
880The default value is 3.
881If, for example,
882.Cm ServerAliveInterval
Damien Miller45ee2b92006-03-15 11:56:18 +1100883(see below) is set to 15 and
Damien Miller509b0102003-12-17 16:33:10 +1100884.Cm ServerAliveCountMax
Damien Miller45ee2b92006-03-15 11:56:18 +1100885is left at the default, if the server becomes unresponsive,
886ssh will disconnect after approximately 45 seconds.
Damien Millercc3e8ba2006-03-15 12:06:55 +1100887This option applies to protocol version 2 only.
Damien Miller957d4e42005-12-13 19:30:45 +1100888.It Cm ServerAliveInterval
889Sets a timeout interval in seconds after which if no data has been received
890from the server,
Damien Miller45ee2b92006-03-15 11:56:18 +1100891.Xr ssh 1
Damien Miller957d4e42005-12-13 19:30:45 +1100892will send a message through the encrypted
893channel to request a response from the server.
894The default
895is 0, indicating that these messages will not be sent to the server.
896This option applies to protocol version 2 only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000897.It Cm SmartcardDevice
Damien Millerfbf486b2003-05-23 18:44:23 +1000898Specifies which smartcard device to use.
899The argument to this keyword is the device
Damien Miller45ee2b92006-03-15 11:56:18 +1100900.Xr ssh 1
Ben Lindstrom9f049032002-06-21 00:59:05 +0000901should use to communicate with a smartcard used for storing the user's
Damien Millerfbf486b2003-05-23 18:44:23 +1000902private RSA key.
903By default, no device is specified and smartcard support is not activated.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000904.It Cm StrictHostKeyChecking
905If this flag is set to
906.Dq yes ,
Damien Miller45ee2b92006-03-15 11:56:18 +1100907.Xr ssh 1
Ben Lindstrom9f049032002-06-21 00:59:05 +0000908will never automatically add host keys to the
Damien Miller167ea5d2005-05-26 12:04:02 +1000909.Pa ~/.ssh/known_hosts
Ben Lindstrom9f049032002-06-21 00:59:05 +0000910file, and refuses to connect to hosts whose host key has changed.
911This provides maximum protection against trojan horse attacks,
Damien Miller45ee2b92006-03-15 11:56:18 +1100912though it can be annoying when the
Ben Lindstrom9f049032002-06-21 00:59:05 +0000913.Pa /etc/ssh/ssh_known_hosts
Damien Miller45ee2b92006-03-15 11:56:18 +1100914file is poorly maintained or when connections to new hosts are
Ben Lindstrom9f049032002-06-21 00:59:05 +0000915frequently made.
916This option forces the user to manually
917add all new hosts.
918If this flag is set to
919.Dq no ,
Damien Miller45ee2b92006-03-15 11:56:18 +1100920ssh will automatically add new host keys to the
Ben Lindstrom9f049032002-06-21 00:59:05 +0000921user known hosts files.
922If this flag is set to
923.Dq ask ,
924new host keys
925will be added to the user known host files only after the user
926has confirmed that is what they really want to do, and
Damien Miller45ee2b92006-03-15 11:56:18 +1100927ssh will refuse to connect to hosts whose host key has changed.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000928The host keys of
929known hosts will be verified automatically in all cases.
930The argument must be
931.Dq yes ,
Damien Miller45ee2b92006-03-15 11:56:18 +1100932.Dq no ,
Ben Lindstrom9f049032002-06-21 00:59:05 +0000933or
934.Dq ask .
935The default is
936.Dq ask .
Damien Miller12c150e2003-12-17 16:31:10 +1100937.It Cm TCPKeepAlive
938Specifies whether the system should send TCP keepalive messages to the
939other side.
940If they are sent, death of the connection or crash of one
941of the machines will be properly noticed.
942However, this means that
943connections will die if the route is down temporarily, and some people
944find it annoying.
945.Pp
946The default is
947.Dq yes
948(to send TCP keepalive messages), and the client will notice
949if the network goes down or the remote host dies.
950This is important in scripts, and many users want it too.
951.Pp
952To disable TCP keepalive messages, the value should be set to
953.Dq no .
Damien Millerd27b9472005-12-13 19:29:02 +1100954.It Cm Tunnel
Damien Miller991dba42006-07-10 20:16:27 +1000955Request
Damien Millerd27b9472005-12-13 19:29:02 +1100956.Xr tun 4
Damien Miller7746c392005-12-13 19:33:37 +1100957device forwarding between the client and the server.
Damien Millerd27b9472005-12-13 19:29:02 +1100958The argument must be
Damien Miller7b58e802005-12-13 19:33:19 +1100959.Dq yes ,
Damien Miller991dba42006-07-10 20:16:27 +1000960.Dq point-to-point
961(layer 3),
962.Dq ethernet
963(layer 2),
Damien Millerd27b9472005-12-13 19:29:02 +1100964or
965.Dq no .
Damien Miller991dba42006-07-10 20:16:27 +1000966Specifying
967.Dq yes
968requests the default tunnel mode, which is
969.Dq point-to-point .
Damien Millerd27b9472005-12-13 19:29:02 +1100970The default is
971.Dq no .
972.It Cm TunnelDevice
Damien Miller991dba42006-07-10 20:16:27 +1000973Specifies the
Damien Millerd27b9472005-12-13 19:29:02 +1100974.Xr tun 4
Damien Miller991dba42006-07-10 20:16:27 +1000975devices to open on the client
976.Pq Ar local_tun
977and the server
978.Pq Ar remote_tun .
979.Pp
980The argument must be
981.Sm off
982.Ar local_tun Op : Ar remote_tun .
983.Sm on
984The devices may be specified by numerical ID or the keyword
985.Dq any ,
986which uses the next available tunnel device.
987If
988.Ar remote_tun
989is not specified, it defaults to
990.Dq any .
991The default is
992.Dq any:any .
Damien Millere8cd7412005-12-24 14:55:47 +1100993.It Cm UsePrivilegedPort
994Specifies whether to use a privileged port for outgoing connections.
995The argument must be
996.Dq yes
997or
998.Dq no .
999The default is
1000.Dq no .
1001If set to
Damien Miller45ee2b92006-03-15 11:56:18 +11001002.Dq yes ,
1003.Xr ssh 1
Damien Millere8cd7412005-12-24 14:55:47 +11001004must be setuid root.
1005Note that this option must be set to
1006.Dq yes
1007for
1008.Cm RhostsRSAAuthentication
1009with older servers.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001010.It Cm User
1011Specifies the user to log in as.
1012This can be useful when a different user name is used on different machines.
1013This saves the trouble of
1014having to remember to give the user name on the command line.
1015.It Cm UserKnownHostsFile
1016Specifies a file to use for the user
1017host key database instead of
Damien Miller167ea5d2005-05-26 12:04:02 +10001018.Pa ~/.ssh/known_hosts .
Damien Miller37876e92003-05-15 10:19:46 +10001019.It Cm VerifyHostKeyDNS
1020Specifies whether to verify the remote key using DNS and SSHFP resource
1021records.
Damien Miller150b5572003-11-17 21:19:29 +11001022If this option is set to
1023.Dq yes ,
Damien Millerfe448472003-11-17 21:19:49 +11001024the client will implicitly trust keys that match a secure fingerprint
Damien Miller150b5572003-11-17 21:19:29 +11001025from DNS.
1026Insecure fingerprints will be handled as if this option was set to
1027.Dq ask .
1028If this option is set to
1029.Dq ask ,
1030information on fingerprint match will be displayed, but the user will still
1031need to confirm new host keys according to the
1032.Cm StrictHostKeyChecking
1033option.
1034The argument must be
1035.Dq yes ,
Damien Miller45ee2b92006-03-15 11:56:18 +11001036.Dq no ,
Damien Millerfe448472003-11-17 21:19:49 +11001037or
1038.Dq ask .
Damien Miller37876e92003-05-15 10:19:46 +10001039The default is
1040.Dq no .
Damien Millereacbb4f2003-06-02 19:10:41 +10001041Note that this option applies to protocol version 2 only.
Damien Miller45ee2b92006-03-15 11:56:18 +11001042.Pp
1043See also
1044.Sx VERIFYING HOST KEYS
1045in
1046.Xr ssh 1 .
Ben Lindstrom9f049032002-06-21 00:59:05 +00001047.It Cm XAuthLocation
Damien Miller05913ba2002-09-04 16:51:03 +10001048Specifies the full pathname of the
Ben Lindstrom9f049032002-06-21 00:59:05 +00001049.Xr xauth 1
1050program.
1051The default is
1052.Pa /usr/X11R6/bin/xauth .
1053.El
Damien Millerb5282c22006-03-15 11:59:08 +11001054.Sh PATTERNS
1055A
1056.Em pattern
1057consists of zero or more non-whitespace characters,
1058.Sq *
1059(a wildcard that matches zero or more characters),
1060or
1061.Sq ?\&
1062(a wildcard that matches exactly one character).
1063For example, to specify a set of declarations for any host in the
1064.Dq .co.uk
1065set of domains,
1066the following pattern could be used:
1067.Pp
1068.Dl Host *.co.uk
1069.Pp
1070The following pattern
1071would match any host in the 192.168.0.[0-9] network range:
1072.Pp
1073.Dl Host 192.168.0.?
1074.Pp
1075A
1076.Em pattern-list
1077is a comma-separated list of patterns.
1078Patterns within pattern-lists may be negated
1079by preceding them with an exclamation mark
1080.Pq Sq !\& .
1081For example,
1082to allow a key to be used from anywhere within an organisation
1083except from the
1084.Dq dialup
1085pool,
1086the following entry (in authorized_keys) could be used:
1087.Pp
1088.Dl from=\&"!*.dialup.example.com,*.example.com\&"
Ben Lindstrom9f049032002-06-21 00:59:05 +00001089.Sh FILES
1090.Bl -tag -width Ds
Damien Miller167ea5d2005-05-26 12:04:02 +10001091.It Pa ~/.ssh/config
Ben Lindstrom9f049032002-06-21 00:59:05 +00001092This is the per-user configuration file.
1093The format of this file is described above.
Damien Miller45ee2b92006-03-15 11:56:18 +11001094This file is used by the SSH client.
Damien Millerc970cb92004-04-20 20:12:53 +10001095Because of the potential for abuse, this file must have strict permissions:
1096read/write for the user, and not accessible by others.
Ben Lindstrom9f049032002-06-21 00:59:05 +00001097.It Pa /etc/ssh/ssh_config
1098Systemwide configuration file.
1099This file provides defaults for those
1100values that are not specified in the user's configuration file, and
1101for those users who do not have a configuration file.
1102This file must be world-readable.
1103.El
Damien Millerf1ce5052003-06-11 22:04:39 +10001104.Sh SEE ALSO
1105.Xr ssh 1
Ben Lindstrom9f049032002-06-21 00:59:05 +00001106.Sh AUTHORS
1107OpenSSH is a derivative of the original and free
1108ssh 1.2.12 release by Tatu Ylonen.
1109Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1110Theo de Raadt and Dug Song
1111removed many bugs, re-added newer features and
1112created OpenSSH.
1113Markus Friedl contributed the support for SSH
1114protocol versions 1.5 and 2.0.