Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1 | SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2 | |
| 3 | NAME |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 4 | ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 5 | |
| 6 | SYNOPSIS |
| 7 | ~/.ssh/config |
| 8 | /etc/ssh/ssh_config |
| 9 | |
| 10 | DESCRIPTION |
| 11 | ssh(1) obtains configuration data from the following sources in the |
| 12 | following order: |
| 13 | |
| 14 | 1. command-line options |
| 15 | 2. user's configuration file (~/.ssh/config) |
| 16 | 3. system-wide configuration file (/etc/ssh/ssh_config) |
| 17 | |
| 18 | For each parameter, the first obtained value will be used. The |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 19 | configuration files contain sections separated by M-bM-^@M-^\HostM-bM-^@M-^] specifications, |
| 20 | and that section is only applied for hosts that match one of the patterns |
| 21 | given in the specification. The matched host name is usually the one |
| 22 | given on the command line (see the CanonicalizeHostname option for |
| 23 | exceptions.) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 24 | |
| 25 | Since the first obtained value for each parameter is used, more host- |
| 26 | specific declarations should be given near the beginning of the file, and |
| 27 | general defaults at the end. |
| 28 | |
| 29 | The configuration file has the following format: |
| 30 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 31 | Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. Otherwise a line |
| 32 | is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration options may be |
| 33 | separated by whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 34 | latter format is useful to avoid the need to quote whitespace when |
| 35 | specifying configuration options using the ssh, scp, and sftp -o option. |
| 36 | Arguments may optionally be enclosed in double quotes (") in order to |
| 37 | represent arguments containing spaces. |
| 38 | |
| 39 | The possible keywords and their meanings are as follows (note that |
| 40 | keywords are case-insensitive and arguments are case-sensitive): |
| 41 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 42 | Host Restricts the following declarations (up to the next Host or |
| 43 | Match keyword) to be only for those hosts that match one of the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 44 | patterns given after the keyword. If more than one pattern is |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 45 | provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 46 | as a pattern can be used to provide global defaults for all |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 47 | hosts. The host is usually the hostname argument given on the |
| 48 | command line (see the CanonicalizeHostname option for |
| 49 | exceptions.) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 50 | |
| 51 | A pattern entry may be negated by prefixing it with an |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 52 | exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 53 | Host entry is ignored, regardless of whether any other patterns |
| 54 | on the line match. Negated matches are therefore useful to |
| 55 | provide exceptions for wildcard matches. |
| 56 | |
| 57 | See PATTERNS for more information on patterns. |
| 58 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 59 | Match Restricts the following declarations (up to the next Host or |
| 60 | Match keyword) to be used only when the conditions following the |
| 61 | Match keyword are satisfied. Match conditions are specified |
| 62 | using one or more critera or the single token all which always |
| 63 | matches. The available criteria keywords are: canonical, exec, |
| 64 | host, originalhost, user, and localuser. The all criteria must |
| 65 | appear alone or immediately after canonical. Other criteria may |
| 66 | be combined arbitrarily. All criteria but all and canonical |
| 67 | require an argument. Criteria may be negated by prepending an |
| 68 | exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). |
| 69 | |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 70 | The canonical keyword matches only when the configuration file is |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 71 | being re-parsed after hostname canonicalization (see the |
| 72 | CanonicalizeHostname option.) This may be useful to specify |
| 73 | conditions that work with canonical host names only. The exec |
| 74 | keyword executes the specified command under the user's shell. |
| 75 | If the command returns a zero exit status then the condition is |
| 76 | considered true. Commands containing whitespace characters must |
| 77 | be quoted. The following character sequences in the command will |
| 78 | be expanded prior to execution: M-bM-^@M-^X%LM-bM-^@M-^Y will be substituted by the |
| 79 | first component of the local host name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted |
| 80 | by the local host name (including any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be |
| 81 | substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by |
| 82 | the original target host name specified on the command-line, M-bM-^@M-^X%pM-bM-^@M-^Y |
| 83 | the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by the remote login username, and M-bM-^@M-^X%uM-bM-^@M-^Y |
| 84 | by the username of the user running ssh(1). |
| 85 | |
| 86 | The other keywords' criteria must be single entries or comma- |
| 87 | separated lists and may use the wildcard and negation operators |
| 88 | described in the PATTERNS section. The criteria for the host |
| 89 | keyword are matched against the target hostname, after any |
| 90 | substitution by the Hostname or CanonicalizeHostname options. |
| 91 | The originalhost keyword matches against the hostname as it was |
| 92 | specified on the command-line. The user keyword matches against |
| 93 | the target username on the remote host. The localuser keyword |
| 94 | matches against the name of the local user running ssh(1) (this |
| 95 | keyword may be useful in system-wide ssh_config files). |
| 96 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 97 | AddressFamily |
| 98 | Specifies which address family to use when connecting. Valid |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 99 | arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 |
| 100 | only). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 101 | |
| 102 | BatchMode |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 103 | If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 104 | This option is useful in scripts and other batch jobs where no |
| 105 | user is present to supply the password. The argument must be |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 106 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 107 | |
| 108 | BindAddress |
| 109 | Use the specified address on the local machine as the source |
| 110 | address of the connection. Only useful on systems with more than |
| 111 | one address. Note that this option does not work if |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 112 | UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^]. |
| 113 | |
| 114 | CanonicalDomains |
| 115 | When CanonicalizeHostname is enabled, this option specifies the |
| 116 | list of domain suffixes in which to search for the specified |
| 117 | destination host. |
| 118 | |
| 119 | CanonicalizeFallbackLocal |
| 120 | Specifies whether to fail with an error when hostname |
| 121 | canonicalization fails. The default, M-bM-^@M-^\yesM-bM-^@M-^], will attempt to look |
| 122 | up the unqualified hostname using the system resolver's search |
| 123 | rules. A value of M-bM-^@M-^\noM-bM-^@M-^] will cause ssh(1) to fail instantly if |
| 124 | CanonicalizeHostname is enabled and the target hostname cannot be |
| 125 | found in any of the domains specified by CanonicalDomains. |
| 126 | |
| 127 | CanonicalizeHostname |
| 128 | Controls whether explicit hostname canonicalization is performed. |
| 129 | The default, M-bM-^@M-^\noM-bM-^@M-^], is not to perform any name rewriting and let |
| 130 | the system resolver handle all hostname lookups. If set to M-bM-^@M-^\yesM-bM-^@M-^] |
| 131 | then, for connections that do not use a ProxyCommand, ssh(1) will |
| 132 | attempt to canonicalize the hostname specified on the command |
| 133 | line using the CanonicalDomains suffixes and |
| 134 | CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is |
| 135 | set to M-bM-^@M-^\alwaysM-bM-^@M-^], then canonicalization is applied to proxied |
| 136 | connections too. |
| 137 | |
| 138 | If this option is enabled, then the configuration files are |
| 139 | processed again using the new target name to pick up any new |
| 140 | configuration in matching Host and Match stanzas. |
| 141 | |
| 142 | CanonicalizeMaxDots |
| 143 | Specifies the maximum number of dot characters in a hostname |
| 144 | before canonicalization is disabled. The default, M-bM-^@M-^\1M-bM-^@M-^], allows a |
| 145 | single dot (i.e. hostname.subdomain). |
| 146 | |
| 147 | CanonicalizePermittedCNAMEs |
| 148 | Specifies rules to determine whether CNAMEs should be followed |
| 149 | when canonicalizing hostnames. The rules consist of one or more |
| 150 | arguments of source_domain_list:target_domain_list, where |
| 151 | source_domain_list is a pattern-list of domains that may follow |
| 152 | CNAMEs in canonicalization, and target_domain_list is a pattern- |
| 153 | list of domains that they may resolve to. |
| 154 | |
| 155 | For example, M-bM-^@M-^\*.a.example.com:*.b.example.com,*.c.example.comM-bM-^@M-^] |
| 156 | will allow hostnames matching M-bM-^@M-^\*.a.example.comM-bM-^@M-^] to be |
| 157 | canonicalized to names in the M-bM-^@M-^\*.b.example.comM-bM-^@M-^] or |
| 158 | M-bM-^@M-^\*.c.example.comM-bM-^@M-^] domains. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 159 | |
| 160 | ChallengeResponseAuthentication |
| 161 | Specifies whether to use challenge-response authentication. The |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 162 | argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| 163 | M-bM-^@M-^\yesM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 164 | |
| 165 | CheckHostIP |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 166 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will additionally check the |
| 167 | host IP address in the known_hosts file. This allows ssh to |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 168 | detect if a host key changed due to DNS spoofing and will add |
| 169 | addresses of destination hosts to ~/.ssh/known_hosts in the |
| 170 | process, regardless of the setting of StrictHostKeyChecking. If |
| 171 | the option is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The |
| 172 | default is M-bM-^@M-^\yesM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 173 | |
| 174 | Cipher Specifies the cipher to use for encrypting the session in |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 175 | protocol version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are |
| 176 | supported. des is only supported in the ssh(1) client for |
| 177 | interoperability with legacy protocol 1 implementations that do |
| 178 | not support the 3des cipher. Its use is strongly discouraged due |
| 179 | to cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 180 | |
| 181 | Ciphers |
| 182 | Specifies the ciphers allowed for protocol version 2 in order of |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 183 | preference. Multiple ciphers must be comma-separated. If the |
| 184 | specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified |
| 185 | ciphers will be appended to the default set instead of replacing |
| 186 | them. |
| 187 | |
| 188 | The supported ciphers are: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 189 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 190 | 3des-cbc |
| 191 | aes128-cbc |
| 192 | aes192-cbc |
| 193 | aes256-cbc |
| 194 | aes128-ctr |
| 195 | aes192-ctr |
| 196 | aes256-ctr |
| 197 | aes128-gcm@openssh.com |
| 198 | aes256-gcm@openssh.com |
| 199 | arcfour |
| 200 | arcfour128 |
| 201 | arcfour256 |
| 202 | blowfish-cbc |
| 203 | cast128-cbc |
| 204 | chacha20-poly1305@openssh.com |
| 205 | |
| 206 | The default is: |
| 207 | |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 208 | chacha20-poly1305@openssh.com, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 209 | aes128-ctr,aes192-ctr,aes256-ctr, |
| 210 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 211 | arcfour256,arcfour128, |
| 212 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, |
| 213 | aes192-cbc,aes256-cbc,arcfour |
| 214 | |
| 215 | The list of available ciphers may also be obtained using the -Q |
| 216 | option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 217 | |
| 218 | ClearAllForwardings |
| 219 | Specifies that all local, remote, and dynamic port forwardings |
| 220 | specified in the configuration files or on the command line be |
| 221 | cleared. This option is primarily useful when used from the |
| 222 | ssh(1) command line to clear port forwardings set in |
| 223 | configuration files, and is automatically set by scp(1) and |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 224 | sftp(1). The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| 225 | M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 226 | |
| 227 | Compression |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 228 | Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] |
| 229 | or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 230 | |
| 231 | CompressionLevel |
| 232 | Specifies the compression level to use if compression is enabled. |
| 233 | The argument must be an integer from 1 (fast) to 9 (slow, best). |
| 234 | The default level is 6, which is good for most applications. The |
| 235 | meaning of the values is the same as in gzip(1). Note that this |
| 236 | option applies to protocol version 1 only. |
| 237 | |
| 238 | ConnectionAttempts |
| 239 | Specifies the number of tries (one per second) to make before |
| 240 | exiting. The argument must be an integer. This may be useful in |
| 241 | scripts if the connection sometimes fails. The default is 1. |
| 242 | |
| 243 | ConnectTimeout |
| 244 | Specifies the timeout (in seconds) used when connecting to the |
| 245 | SSH server, instead of using the default system TCP timeout. |
| 246 | This value is used only when the target is down or really |
| 247 | unreachable, not when it refuses the connection. |
| 248 | |
| 249 | ControlMaster |
| 250 | Enables the sharing of multiple sessions over a single network |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 251 | connection. When set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will listen for |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 252 | connections on a control socket specified using the ControlPath |
| 253 | argument. Additional sessions can connect to this socket using |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 254 | the same ControlPath with ControlMaster set to M-bM-^@M-^\noM-bM-^@M-^] (the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 255 | default). These sessions will try to reuse the master instance's |
| 256 | network connection rather than initiating new ones, but will fall |
| 257 | back to connecting normally if the control socket does not exist, |
| 258 | or is not listening. |
| 259 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 260 | Setting this to M-bM-^@M-^\askM-bM-^@M-^] will cause ssh to listen for control |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 261 | connections, but require confirmation using ssh-askpass(1). If |
| 262 | the ControlPath cannot be opened, ssh will continue without |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 263 | connecting to a master instance. |
| 264 | |
| 265 | X11 and ssh-agent(1) forwarding is supported over these |
| 266 | multiplexed connections, however the display and agent forwarded |
| 267 | will be the one belonging to the master connection i.e. it is not |
| 268 | possible to forward multiple displays or agents. |
| 269 | |
| 270 | Two additional options allow for opportunistic multiplexing: try |
| 271 | to use a master connection but fall back to creating a new one if |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 272 | one does not already exist. These options are: M-bM-^@M-^\autoM-bM-^@M-^] and |
| 273 | M-bM-^@M-^\autoaskM-bM-^@M-^]. The latter requires confirmation like the M-bM-^@M-^\askM-bM-^@M-^] |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 274 | option. |
| 275 | |
| 276 | ControlPath |
| 277 | Specify the path to the control socket used for connection |
| 278 | sharing as described in the ControlMaster section above or the |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 279 | string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing. In the path, M-bM-^@M-^X%LM-bM-^@M-^Y |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 280 | will be substituted by the first component of the local host |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 281 | name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted by the local host name (including |
| 282 | any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host |
| 283 | name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name |
| 284 | specified on the command line, M-bM-^@M-^X%pM-bM-^@M-^Y the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by |
| 285 | the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username of the user |
| 286 | running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: |
| 287 | %l%h%p%r. It is recommended that any ControlPath used for |
| 288 | opportunistic connection sharing include at least %h, %p, and %r |
| 289 | (or alternatively %C) and be placed in a directory that is not |
| 290 | writable by other users. This ensures that shared connections |
| 291 | are uniquely identified. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 292 | |
| 293 | ControlPersist |
| 294 | When used in conjunction with ControlMaster, specifies that the |
| 295 | master connection should remain open in the background (waiting |
| 296 | for future client connections) after the initial client |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 297 | connection has been closed. If set to M-bM-^@M-^\noM-bM-^@M-^], then the master |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 298 | connection will not be placed into the background, and will close |
| 299 | as soon as the initial client connection is closed. If set to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 300 | M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\0M-bM-^@M-^], then the master connection will remain in the |
| 301 | background indefinitely (until killed or closed via a mechanism |
| 302 | such as the ssh(1) M-bM-^@M-^\-O exitM-bM-^@M-^] option). If set to a time in |
| 303 | seconds, or a time in any of the formats documented in |
| 304 | sshd_config(5), then the backgrounded master connection will |
| 305 | automatically terminate after it has remained idle (with no |
| 306 | client connections) for the specified time. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 307 | |
| 308 | DynamicForward |
| 309 | Specifies that a TCP port on the local machine be forwarded over |
| 310 | the secure channel, and the application protocol is then used to |
| 311 | determine where to connect to from the remote machine. |
| 312 | |
| 313 | The argument must be [bind_address:]port. IPv6 addresses can be |
| 314 | specified by enclosing addresses in square brackets. By default, |
| 315 | the local port is bound in accordance with the GatewayPorts |
| 316 | setting. However, an explicit bind_address may be used to bind |
| 317 | the connection to a specific address. The bind_address of |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 318 | M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local |
| 319 | use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port |
| 320 | should be available from all interfaces. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 321 | |
| 322 | Currently the SOCKS4 and SOCKS5 protocols are supported, and |
| 323 | ssh(1) will act as a SOCKS server. Multiple forwardings may be |
| 324 | specified, and additional forwardings can be given on the command |
| 325 | line. Only the superuser can forward privileged ports. |
| 326 | |
| 327 | EnableSSHKeysign |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 328 | Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 329 | file /etc/ssh/ssh_config enables the use of the helper program |
| 330 | ssh-keysign(8) during HostbasedAuthentication. The argument must |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 331 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. This option should be |
| 332 | placed in the non-hostspecific section. See ssh-keysign(8) for |
| 333 | more information. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 334 | |
| 335 | EscapeChar |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 336 | Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 337 | can also be set on the command line. The argument should be a |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 338 | single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable |
| 339 | the escape character entirely (making the connection transparent |
| 340 | for binary data). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 341 | |
| 342 | ExitOnForwardFailure |
| 343 | Specifies whether ssh(1) should terminate the connection if it |
| 344 | cannot set up all requested dynamic, tunnel, local, and remote |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 345 | port forwardings. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| 346 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
| 347 | |
| 348 | FingerprintHash |
| 349 | Specifies the hash algorithm used when displaying key |
| 350 | fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The |
| 351 | default is M-bM-^@M-^\sha256M-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 352 | |
| 353 | ForwardAgent |
| 354 | Specifies whether the connection to the authentication agent (if |
| 355 | any) will be forwarded to the remote machine. The argument must |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 356 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 357 | |
| 358 | Agent forwarding should be enabled with caution. Users with the |
| 359 | ability to bypass file permissions on the remote host (for the |
| 360 | agent's Unix-domain socket) can access the local agent through |
| 361 | the forwarded connection. An attacker cannot obtain key material |
| 362 | from the agent, however they can perform operations on the keys |
| 363 | that enable them to authenticate using the identities loaded into |
| 364 | the agent. |
| 365 | |
| 366 | ForwardX11 |
| 367 | Specifies whether X11 connections will be automatically |
| 368 | redirected over the secure channel and DISPLAY set. The argument |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 369 | must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 370 | |
| 371 | X11 forwarding should be enabled with caution. Users with the |
| 372 | ability to bypass file permissions on the remote host (for the |
| 373 | user's X11 authorization database) can access the local X11 |
| 374 | display through the forwarded connection. An attacker may then |
| 375 | be able to perform activities such as keystroke monitoring if the |
| 376 | ForwardX11Trusted option is also enabled. |
| 377 | |
| 378 | ForwardX11Timeout |
| 379 | Specify a timeout for untrusted X11 forwarding using the format |
| 380 | described in the TIME FORMATS section of sshd_config(5). X11 |
| 381 | connections received by ssh(1) after this time will be refused. |
| 382 | The default is to disable untrusted X11 forwarding after twenty |
| 383 | minutes has elapsed. |
| 384 | |
| 385 | ForwardX11Trusted |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 386 | If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], remote X11 clients will have full |
| 387 | access to the original X11 display. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 388 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 389 | If this option is set to M-bM-^@M-^\noM-bM-^@M-^], remote X11 clients will be |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 390 | considered untrusted and prevented from stealing or tampering |
| 391 | with data belonging to trusted X11 clients. Furthermore, the |
| 392 | xauth(1) token used for the session will be set to expire after |
| 393 | 20 minutes. Remote clients will be refused access after this |
| 394 | time. |
| 395 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 396 | The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 397 | |
| 398 | See the X11 SECURITY extension specification for full details on |
| 399 | the restrictions imposed on untrusted clients. |
| 400 | |
| 401 | GatewayPorts |
| 402 | Specifies whether remote hosts are allowed to connect to local |
| 403 | forwarded ports. By default, ssh(1) binds local port forwardings |
| 404 | to the loopback address. This prevents other remote hosts from |
| 405 | connecting to forwarded ports. GatewayPorts can be used to |
| 406 | specify that ssh should bind local port forwardings to the |
| 407 | wildcard address, thus allowing remote hosts to connect to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 408 | forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| 409 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 410 | |
| 411 | GlobalKnownHostsFile |
| 412 | Specifies one or more files to use for the global host key |
| 413 | database, separated by whitespace. The default is |
| 414 | /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. |
| 415 | |
| 416 | GSSAPIAuthentication |
| 417 | Specifies whether user authentication based on GSSAPI is allowed. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 418 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 419 | version 2 only. |
| 420 | |
| 421 | GSSAPIDelegateCredentials |
| 422 | Forward (delegate) credentials to the server. The default is |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 423 | M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 424 | |
| 425 | HashKnownHosts |
| 426 | Indicates that ssh(1) should hash host names and addresses when |
| 427 | they are added to ~/.ssh/known_hosts. These hashed names may be |
| 428 | used normally by ssh(1) and sshd(8), but they do not reveal |
| 429 | identifying information should the file's contents be disclosed. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 430 | The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that existing names and addresses in |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 431 | known hosts files will not be converted automatically, but may be |
| 432 | manually hashed using ssh-keygen(1). |
| 433 | |
| 434 | HostbasedAuthentication |
| 435 | Specifies whether to try rhosts based authentication with public |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 436 | key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| 437 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 2 only |
| 438 | and is similar to RhostsRSAAuthentication. |
| 439 | |
| 440 | HostbasedKeyTypes |
| 441 | Specifies the key types that will be used for hostbased |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 442 | authentication as a comma-separated pattern list. Alternately if |
| 443 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the |
| 444 | specified key types will be appended to the default set instead |
| 445 | of replacing them. The default for this option is: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 446 | |
| 447 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 448 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 449 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 450 | ssh-ed25519-cert-v01@openssh.com, |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 451 | ssh-rsa-cert-v01@openssh.com, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 452 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 453 | ssh-ed25519,ssh-rsa |
| 454 | |
| 455 | The -Q option of ssh(1) may be used to list supported key types. |
| 456 | |
| 457 | HostKeyAlgorithms |
| 458 | Specifies the protocol version 2 host key algorithms that the |
| 459 | client wants to use in order of preference. Alternately if the |
| 460 | specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified |
| 461 | key types will be appended to the default set instead of |
| 462 | replacing them. The default for this option is: |
| 463 | |
| 464 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 465 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 466 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 467 | ssh-ed25519-cert-v01@openssh.com, |
| 468 | ssh-rsa-cert-v01@openssh.com, |
| 469 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 470 | ssh-ed25519,ssh-rsa |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 471 | |
| 472 | If hostkeys are known for the destination host then this default |
| 473 | is modified to prefer their algorithms. |
| 474 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 475 | The list of available key types may also be obtained using the -Q |
| 476 | option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. |
| 477 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 478 | HostKeyAlias |
| 479 | Specifies an alias that should be used instead of the real host |
| 480 | name when looking up or saving the host key in the host key |
| 481 | database files. This option is useful for tunneling SSH |
| 482 | connections or for multiple servers running on a single host. |
| 483 | |
| 484 | HostName |
| 485 | Specifies the real host name to log into. This can be used to |
| 486 | specify nicknames or abbreviations for hosts. If the hostname |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 487 | contains the character sequence M-bM-^@M-^X%hM-bM-^@M-^Y, then this will be replaced |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 488 | with the host name specified on the command line (this is useful |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 489 | for manipulating unqualified names). The character sequence M-bM-^@M-^X%%M-bM-^@M-^Y |
| 490 | will be replaced by a single M-bM-^@M-^X%M-bM-^@M-^Y character, which may be used |
| 491 | when specifying IPv6 link-local addresses. |
| 492 | |
| 493 | The default is the name given on the command line. Numeric IP |
| 494 | addresses are also permitted (both on the command line and in |
| 495 | HostName specifications). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 496 | |
| 497 | IdentitiesOnly |
| 498 | Specifies that ssh(1) should only use the authentication identity |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 499 | files configured in the ssh_config files, even if ssh-agent(1) or |
| 500 | a PKCS11Provider offers more identities. The argument to this |
| 501 | keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option is intended for |
| 502 | situations where ssh-agent offers many different identities. The |
| 503 | default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 504 | |
| 505 | IdentityFile |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 506 | Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 507 | authentication identity is read. The default is ~/.ssh/identity |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 508 | for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, |
| 509 | ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. |
| 510 | Additionally, any identities represented by the authentication |
| 511 | agent will be used for authentication unless IdentitiesOnly is |
| 512 | set. ssh(1) will try to load certificate information from the |
| 513 | filename obtained by appending -cert.pub to the path of a |
| 514 | specified IdentityFile. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 515 | |
| 516 | The file name may use the tilde syntax to refer to a user's home |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 517 | directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local |
| 518 | user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host |
| 519 | name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 520 | |
| 521 | It is possible to have multiple identity files specified in |
| 522 | configuration files; all these identities will be tried in |
| 523 | sequence. Multiple IdentityFile directives will add to the list |
| 524 | of identities tried (this behaviour differs from that of other |
| 525 | configuration directives). |
| 526 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 527 | IdentityFile may be used in conjunction with IdentitiesOnly to |
| 528 | select which identities in an agent are offered during |
| 529 | authentication. |
| 530 | |
| 531 | IgnoreUnknown |
| 532 | Specifies a pattern-list of unknown options to be ignored if they |
| 533 | are encountered in configuration parsing. This may be used to |
| 534 | suppress errors if ssh_config contains options that are |
| 535 | unrecognised by ssh(1). It is recommended that IgnoreUnknown be |
| 536 | listed early in the configuration file as it will not be applied |
| 537 | to unknown options that appear before it. |
| 538 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 539 | IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 540 | Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], M-bM-^@M-^\af22M-bM-^@M-^], |
| 541 | M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], M-bM-^@M-^\cs0M-bM-^@M-^], |
| 542 | M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^], |
| 543 | M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value. |
| 544 | This option may take one or two arguments, separated by |
| 545 | whitespace. If one argument is specified, it is used as the |
| 546 | packet class unconditionally. If two values are specified, the |
| 547 | first is automatically selected for interactive sessions and the |
| 548 | second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^] |
| 549 | for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive |
| 550 | sessions. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 551 | |
| 552 | KbdInteractiveAuthentication |
| 553 | Specifies whether to use keyboard-interactive authentication. |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 554 | The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default |
| 555 | is M-bM-^@M-^\yesM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 556 | |
| 557 | KbdInteractiveDevices |
| 558 | Specifies the list of methods to use in keyboard-interactive |
| 559 | authentication. Multiple method names must be comma-separated. |
| 560 | The default is to use the server specified list. The methods |
| 561 | available vary depending on what the server supports. For an |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 562 | OpenSSH server, it may be zero or more of: M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], and |
| 563 | M-bM-^@M-^\skeyM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 564 | |
| 565 | KexAlgorithms |
| 566 | Specifies the available KEX (Key Exchange) algorithms. Multiple |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 567 | algorithms must be comma-separated. Alternately if the specified |
| 568 | value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods |
| 569 | will be appended to the default set instead of replacing them. |
| 570 | The default is: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 571 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 572 | curve25519-sha256@libssh.org, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 573 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
| 574 | diffie-hellman-group-exchange-sha256, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 575 | diffie-hellman-group-exchange-sha1, |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 576 | diffie-hellman-group14-sha1 |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 577 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 578 | The list of available key exchange algorithms may also be |
| 579 | obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. |
| 580 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 581 | LocalCommand |
| 582 | Specifies a command to execute on the local machine after |
| 583 | successfully connecting to the server. The command string |
| 584 | extends to the end of the line, and is executed with the user's |
| 585 | shell. The following escape character substitutions will be |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 586 | performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host |
| 587 | name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the |
| 588 | command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or |
| 589 | M-bM-^@M-^X%uM-bM-^@M-^Y (local user name) or M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: |
| 590 | %l%h%p%r. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 591 | |
| 592 | The command is run synchronously and does not have access to the |
| 593 | session of the ssh(1) that spawned it. It should not be used for |
| 594 | interactive commands. |
| 595 | |
| 596 | This directive is ignored unless PermitLocalCommand has been |
| 597 | enabled. |
| 598 | |
| 599 | LocalForward |
| 600 | Specifies that a TCP port on the local machine be forwarded over |
| 601 | the secure channel to the specified host and port from the remote |
| 602 | machine. The first argument must be [bind_address:]port and the |
| 603 | second argument must be host:hostport. IPv6 addresses can be |
| 604 | specified by enclosing addresses in square brackets. Multiple |
| 605 | forwardings may be specified, and additional forwardings can be |
| 606 | given on the command line. Only the superuser can forward |
| 607 | privileged ports. By default, the local port is bound in |
| 608 | accordance with the GatewayPorts setting. However, an explicit |
| 609 | bind_address may be used to bind the connection to a specific |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 610 | address. The bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 611 | listening port be bound for local use only, while an empty |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 612 | address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 613 | all interfaces. |
| 614 | |
| 615 | LogLevel |
| 616 | Gives the verbosity level that is used when logging messages from |
| 617 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, |
| 618 | VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. |
| 619 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
| 620 | higher levels of verbose output. |
| 621 | |
| 622 | MACs Specifies the MAC (message authentication code) algorithms in |
| 623 | order of preference. The MAC algorithm is used in protocol |
| 624 | version 2 for data integrity protection. Multiple algorithms |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 625 | must be comma-separated. If the specified value begins with a |
| 626 | M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms will be appended to |
| 627 | the default set instead of replacing them. |
| 628 | |
| 629 | The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after |
| 630 | encryption (encrypt-then-mac). These are considered safer and |
| 631 | their use recommended. |
| 632 | |
| 633 | The default is: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 634 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 635 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
| 636 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
| 637 | umac-64@openssh.com,umac-128@openssh.com, |
| 638 | hmac-sha2-256,hmac-sha2-512, |
| 639 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, |
| 640 | hmac-ripemd160-etm@openssh.com, |
| 641 | hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, |
| 642 | hmac-md5,hmac-sha1,hmac-ripemd160, |
| 643 | hmac-sha1-96,hmac-md5-96 |
| 644 | |
| 645 | The list of available MAC algorithms may also be obtained using |
| 646 | the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 647 | |
| 648 | NoHostAuthenticationForLocalhost |
| 649 | This option can be used if the home directory is shared across |
| 650 | machines. In this case localhost will refer to a different |
| 651 | machine on each of the machines and the user will get many |
| 652 | warnings about changed host keys. However, this option disables |
| 653 | host authentication for localhost. The argument to this keyword |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 654 | must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for |
| 655 | localhost. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 656 | |
| 657 | NumberOfPasswordPrompts |
| 658 | Specifies the number of password prompts before giving up. The |
| 659 | argument to this keyword must be an integer. The default is 3. |
| 660 | |
| 661 | PasswordAuthentication |
| 662 | Specifies whether to use password authentication. The argument |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 663 | to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 664 | |
| 665 | PermitLocalCommand |
| 666 | Allow local command execution via the LocalCommand option or |
| 667 | using the !command escape sequence in ssh(1). The argument must |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 668 | be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 669 | |
| 670 | PKCS11Provider |
| 671 | Specifies which PKCS#11 provider to use. The argument to this |
| 672 | keyword is the PKCS#11 shared library ssh(1) should use to |
| 673 | communicate with a PKCS#11 token providing the user's private RSA |
| 674 | key. |
| 675 | |
| 676 | Port Specifies the port number to connect on the remote host. The |
| 677 | default is 22. |
| 678 | |
| 679 | PreferredAuthentications |
| 680 | Specifies the order in which the client should try protocol 2 |
| 681 | authentication methods. This allows a client to prefer one |
| 682 | method (e.g. keyboard-interactive) over another method (e.g. |
| 683 | password). The default is: |
| 684 | |
| 685 | gssapi-with-mic,hostbased,publickey, |
| 686 | keyboard-interactive,password |
| 687 | |
| 688 | Protocol |
| 689 | Specifies the protocol versions ssh(1) should support in order of |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 690 | preference. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 691 | versions must be comma-separated. When this option is set to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 692 | M-bM-^@M-^\2,1M-bM-^@M-^] ssh will try version 2 and fall back to version 1 if |
| 693 | version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 694 | |
| 695 | ProxyCommand |
| 696 | Specifies the command to use to connect to the server. The |
| 697 | command string extends to the end of the line, and is executed |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 698 | using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering |
| 699 | shell process. |
| 700 | |
| 701 | In the command string, any occurrence of M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted |
| 702 | by the host name to connect, M-bM-^@M-^X%pM-bM-^@M-^Y by the port, and M-bM-^@M-^X%rM-bM-^@M-^Y by the |
| 703 | remote user name. The command can be basically anything, and |
| 704 | should read from its standard input and write to its standard |
| 705 | output. It should eventually connect an sshd(8) server running |
| 706 | on some machine, or execute sshd -i somewhere. Host key |
| 707 | management will be done using the HostName of the host being |
| 708 | connected (defaulting to the name typed by the user). Setting |
| 709 | the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option entirely. Note that |
| 710 | CheckHostIP is not available for connects with a proxy command. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 711 | |
| 712 | This directive is useful in conjunction with nc(1) and its proxy |
| 713 | support. For example, the following directive would connect via |
| 714 | an HTTP proxy at 192.0.2.0: |
| 715 | |
| 716 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p |
| 717 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 718 | ProxyUseFdpass |
| 719 | Specifies that ProxyCommand will pass a connected file descriptor |
| 720 | back to ssh(1) instead of continuing to execute and pass data. |
| 721 | The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| 722 | |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 723 | PubkeyAcceptedKeyTypes |
| 724 | Specifies the key types that will be used for public key |
| 725 | authentication as a comma-separated pattern list. Alternately if |
| 726 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the key |
| 727 | types after it will be appended to the default instead of |
| 728 | replacing it. The default for this option is: |
| 729 | |
| 730 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 731 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 732 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 733 | ssh-ed25519-cert-v01@openssh.com, |
| 734 | ssh-rsa-cert-v01@openssh.com, |
| 735 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 736 | ssh-ed25519,ssh-rsa |
| 737 | |
| 738 | The -Q option of ssh(1) may be used to list supported key types. |
| 739 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 740 | PubkeyAuthentication |
| 741 | Specifies whether to try public key authentication. The argument |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 742 | to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| 743 | This option applies to protocol version 2 only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 744 | |
| 745 | RekeyLimit |
| 746 | Specifies the maximum amount of data that may be transmitted |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 747 | before the session key is renegotiated, optionally followed a |
| 748 | maximum amount of time that may pass before the session key is |
| 749 | renegotiated. The first argument is specified in bytes and may |
| 750 | have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, |
| 751 | Megabytes, or Gigabytes, respectively. The default is between |
| 752 | M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second |
| 753 | value is specified in seconds and may use any of the units |
| 754 | documented in the TIME FORMATS section of sshd_config(5). The |
| 755 | default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that |
| 756 | rekeying is performed after the cipher's default amount of data |
| 757 | has been sent or received and no time based rekeying is done. |
| 758 | This option applies to protocol version 2 only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 759 | |
| 760 | RemoteForward |
| 761 | Specifies that a TCP port on the remote machine be forwarded over |
| 762 | the secure channel to the specified host and port from the local |
| 763 | machine. The first argument must be [bind_address:]port and the |
| 764 | second argument must be host:hostport. IPv6 addresses can be |
| 765 | specified by enclosing addresses in square brackets. Multiple |
| 766 | forwardings may be specified, and additional forwardings can be |
| 767 | given on the command line. Privileged ports can be forwarded |
| 768 | only when logging in as root on the remote machine. |
| 769 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 770 | If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 771 | allocated on the server and reported to the client at run time. |
| 772 | |
| 773 | If the bind_address is not specified, the default is to only bind |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 774 | to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 775 | string, then the forwarding is requested to listen on all |
| 776 | interfaces. Specifying a remote bind_address will only succeed |
| 777 | if the server's GatewayPorts option is enabled (see |
| 778 | sshd_config(5)). |
| 779 | |
| 780 | RequestTTY |
| 781 | Specifies whether to request a pseudo-tty for the session. The |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 782 | argument may be one of: M-bM-^@M-^\noM-bM-^@M-^] (never request a TTY), M-bM-^@M-^\yesM-bM-^@M-^] (always |
| 783 | request a TTY when standard input is a TTY), M-bM-^@M-^\forceM-bM-^@M-^] (always |
| 784 | request a TTY) or M-bM-^@M-^\autoM-bM-^@M-^] (request a TTY when opening a login |
| 785 | session). This option mirrors the -t and -T flags for ssh(1). |
| 786 | |
| 787 | RevokedHostKeys |
| 788 | Specifies revoked host public keys. Keys listed in this file |
| 789 | will be refused for host authentication. Note that if this file |
| 790 | does not exist or is not readable, then host authentication will |
| 791 | be refused for all hosts. Keys may be specified as a text file, |
| 792 | listing one public key per line, or as an OpenSSH Key Revocation |
| 793 | List (KRL) as generated by ssh-keygen(1). For more information |
| 794 | on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 795 | |
| 796 | RhostsRSAAuthentication |
| 797 | Specifies whether to try rhosts based authentication with RSA |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 798 | host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| 799 | default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only |
| 800 | and requires ssh(1) to be setuid root. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 801 | |
| 802 | RSAAuthentication |
| 803 | Specifies whether to try RSA authentication. The argument to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 804 | this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only |
| 805 | be attempted if the identity file exists, or an authentication |
| 806 | agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option |
| 807 | applies to protocol version 1 only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 808 | |
| 809 | SendEnv |
| 810 | Specifies what variables from the local environ(7) should be sent |
| 811 | to the server. Note that environment passing is only supported |
| 812 | for protocol 2. The server must also support it, and the server |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 813 | must be configured to accept these environment variables. Note |
| 814 | that the TERM environment variable is always sent whenever a |
| 815 | pseudo-terminal is requested as it is required by the protocol. |
| 816 | Refer to AcceptEnv in sshd_config(5) for how to configure the |
| 817 | server. Variables are specified by name, which may contain |
| 818 | wildcard characters. Multiple environment variables may be |
| 819 | separated by whitespace or spread across multiple SendEnv |
| 820 | directives. The default is not to send any environment |
| 821 | variables. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 822 | |
| 823 | See PATTERNS for more information on patterns. |
| 824 | |
| 825 | ServerAliveCountMax |
| 826 | Sets the number of server alive messages (see below) which may be |
| 827 | sent without ssh(1) receiving any messages back from the server. |
| 828 | If this threshold is reached while server alive messages are |
| 829 | being sent, ssh will disconnect from the server, terminating the |
| 830 | session. It is important to note that the use of server alive |
| 831 | messages is very different from TCPKeepAlive (below). The server |
| 832 | alive messages are sent through the encrypted channel and |
| 833 | therefore will not be spoofable. The TCP keepalive option |
| 834 | enabled by TCPKeepAlive is spoofable. The server alive mechanism |
| 835 | is valuable when the client or server depend on knowing when a |
| 836 | connection has become inactive. |
| 837 | |
| 838 | The default value is 3. If, for example, ServerAliveInterval |
| 839 | (see below) is set to 15 and ServerAliveCountMax is left at the |
| 840 | default, if the server becomes unresponsive, ssh will disconnect |
| 841 | after approximately 45 seconds. This option applies to protocol |
| 842 | version 2 only. |
| 843 | |
| 844 | ServerAliveInterval |
| 845 | Sets a timeout interval in seconds after which if no data has |
| 846 | been received from the server, ssh(1) will send a message through |
| 847 | the encrypted channel to request a response from the server. The |
| 848 | default is 0, indicating that these messages will not be sent to |
| 849 | the server. This option applies to protocol version 2 only. |
| 850 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 851 | StreamLocalBindMask |
| 852 | Sets the octal file creation mode mask (umask) used when creating |
| 853 | a Unix-domain socket file for local or remote port forwarding. |
| 854 | This option is only used for port forwarding to a Unix-domain |
| 855 | socket file. |
| 856 | |
| 857 | The default value is 0177, which creates a Unix-domain socket |
| 858 | file that is readable and writable only by the owner. Note that |
| 859 | not all operating systems honor the file mode on Unix-domain |
| 860 | socket files. |
| 861 | |
| 862 | StreamLocalBindUnlink |
| 863 | Specifies whether to remove an existing Unix-domain socket file |
| 864 | for local or remote port forwarding before creating a new one. |
| 865 | If the socket file already exists and StreamLocalBindUnlink is |
| 866 | not enabled, ssh will be unable to forward the port to the Unix- |
| 867 | domain socket file. This option is only used for port forwarding |
| 868 | to a Unix-domain socket file. |
| 869 | |
| 870 | The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| 871 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 872 | StrictHostKeyChecking |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 873 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will never automatically add |
| 874 | host keys to the ~/.ssh/known_hosts file, and refuses to connect |
| 875 | to hosts whose host key has changed. This provides maximum |
| 876 | protection against trojan horse attacks, though it can be |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 877 | annoying when the /etc/ssh/ssh_known_hosts file is poorly |
| 878 | maintained or when connections to new hosts are frequently made. |
| 879 | This option forces the user to manually add all new hosts. If |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 880 | this flag is set to M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 881 | keys to the user known hosts files. If this flag is set to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 882 | M-bM-^@M-^\askM-bM-^@M-^], new host keys will be added to the user known host files |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 883 | only after the user has confirmed that is what they really want |
| 884 | to do, and ssh will refuse to connect to hosts whose host key has |
| 885 | changed. The host keys of known hosts will be verified |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 886 | automatically in all cases. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or |
| 887 | M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 888 | |
| 889 | TCPKeepAlive |
| 890 | Specifies whether the system should send TCP keepalive messages |
| 891 | to the other side. If they are sent, death of the connection or |
| 892 | crash of one of the machines will be properly noticed. However, |
| 893 | this means that connections will die if the route is down |
| 894 | temporarily, and some people find it annoying. |
| 895 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 896 | The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 897 | client will notice if the network goes down or the remote host |
| 898 | dies. This is important in scripts, and many users want it too. |
| 899 | |
| 900 | To disable TCP keepalive messages, the value should be set to |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 901 | M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 902 | |
| 903 | Tunnel Request tun(4) device forwarding between the client and the |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 904 | server. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), |
| 905 | M-bM-^@M-^\ethernetM-bM-^@M-^] (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] requests the |
| 906 | default tunnel mode, which is M-bM-^@M-^\point-to-pointM-bM-^@M-^]. The default is |
| 907 | M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 908 | |
| 909 | TunnelDevice |
| 910 | Specifies the tun(4) devices to open on the client (local_tun) |
| 911 | and the server (remote_tun). |
| 912 | |
| 913 | The argument must be local_tun[:remote_tun]. The devices may be |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 914 | specified by numerical ID or the keyword M-bM-^@M-^\anyM-bM-^@M-^], which uses the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 915 | next available tunnel device. If remote_tun is not specified, it |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 916 | defaults to M-bM-^@M-^\anyM-bM-^@M-^]. The default is M-bM-^@M-^\any:anyM-bM-^@M-^]. |
| 917 | |
| 918 | UpdateHostKeys |
| 919 | Specifies whether ssh(1) should accept notifications of |
| 920 | additional hostkeys from the server sent after authentication has |
| 921 | completed and add them to UserKnownHostsFile. The argument must |
| 922 | be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] (the default) or M-bM-^@M-^\askM-bM-^@M-^]. Enabling this option |
| 923 | allows learning alternate hostkeys for a server and supports |
| 924 | graceful key rotation by allowing a server to send replacement |
| 925 | public keys before old ones are removed. Additional hostkeys are |
| 926 | only accepted if the key used to authenticate the host was |
| 927 | already trusted or explicity accepted by the user. If |
| 928 | UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm |
| 929 | the modifications to the known_hosts file. Confirmation is |
| 930 | currently incompatible with ControlPersist, and will be disabled |
| 931 | if it is enabled. |
| 932 | |
| 933 | Presently, only sshd(8) from OpenSSH 6.8 and greater support the |
| 934 | M-bM-^@M-^\hostkeys@openssh.comM-bM-^@M-^] protocol extension used to inform the |
| 935 | client of all the server's hostkeys. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 936 | |
| 937 | UsePrivilegedPort |
| 938 | Specifies whether to use a privileged port for outgoing |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 939 | connections. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| 940 | M-bM-^@M-^\noM-bM-^@M-^]. If set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) must be setuid root. Note that |
| 941 | this option must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with |
| 942 | older servers. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 943 | |
| 944 | User Specifies the user to log in as. This can be useful when a |
| 945 | different user name is used on different machines. This saves |
| 946 | the trouble of having to remember to give the user name on the |
| 947 | command line. |
| 948 | |
| 949 | UserKnownHostsFile |
| 950 | Specifies one or more files to use for the user host key |
| 951 | database, separated by whitespace. The default is |
| 952 | ~/.ssh/known_hosts, ~/.ssh/known_hosts2. |
| 953 | |
| 954 | VerifyHostKeyDNS |
| 955 | Specifies whether to verify the remote key using DNS and SSHFP |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 956 | resource records. If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], the client |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 957 | will implicitly trust keys that match a secure fingerprint from |
| 958 | DNS. Insecure fingerprints will be handled as if this option was |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 959 | set to M-bM-^@M-^\askM-bM-^@M-^]. If this option is set to M-bM-^@M-^\askM-bM-^@M-^], information on |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 960 | fingerprint match will be displayed, but the user will still need |
| 961 | to confirm new host keys according to the StrictHostKeyChecking |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 962 | option. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\askM-bM-^@M-^]. The default |
| 963 | is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 |
| 964 | only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 965 | |
| 966 | See also VERIFYING HOST KEYS in ssh(1). |
| 967 | |
| 968 | VisualHostKey |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 969 | If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], an ASCII art representation of the |
| 970 | remote host key fingerprint is printed in addition to the |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 971 | fingerprint string at login and for unknown host keys. If this |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 972 | flag is set to M-bM-^@M-^\noM-bM-^@M-^], no fingerprint strings are printed at login |
| 973 | and only the fingerprint string will be printed for unknown host |
| 974 | keys. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 975 | |
| 976 | XAuthLocation |
| 977 | Specifies the full pathname of the xauth(1) program. The default |
| 978 | is /usr/X11R6/bin/xauth. |
| 979 | |
| 980 | PATTERNS |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 981 | A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a |
| 982 | wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 983 | matches exactly one character). For example, to specify a set of |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 984 | declarations for any host in the M-bM-^@M-^\.co.ukM-bM-^@M-^] set of domains, the following |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 985 | pattern could be used: |
| 986 | |
| 987 | Host *.co.uk |
| 988 | |
| 989 | The following pattern would match any host in the 192.168.0.[0-9] network |
| 990 | range: |
| 991 | |
| 992 | Host 192.168.0.? |
| 993 | |
| 994 | A pattern-list is a comma-separated list of patterns. Patterns within |
| 995 | pattern-lists may be negated by preceding them with an exclamation mark |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 996 | (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an |
| 997 | organization except from the M-bM-^@M-^\dialupM-bM-^@M-^] pool, the following entry (in |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 998 | authorized_keys) could be used: |
| 999 | |
| 1000 | from="!*.dialup.example.com,*.example.com" |
| 1001 | |
| 1002 | FILES |
| 1003 | ~/.ssh/config |
| 1004 | This is the per-user configuration file. The format of this file |
| 1005 | is described above. This file is used by the SSH client. |
| 1006 | Because of the potential for abuse, this file must have strict |
| 1007 | permissions: read/write for the user, and not accessible by |
| 1008 | others. |
| 1009 | |
| 1010 | /etc/ssh/ssh_config |
| 1011 | Systemwide configuration file. This file provides defaults for |
| 1012 | those values that are not specified in the user's configuration |
| 1013 | file, and for those users who do not have a configuration file. |
| 1014 | This file must be world-readable. |
| 1015 | |
| 1016 | SEE ALSO |
| 1017 | ssh(1) |
| 1018 | |
| 1019 | AUTHORS |
| 1020 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
| 1021 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
| 1022 | de Raadt and Dug Song removed many bugs, re-added newer features and |
| 1023 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 1024 | versions 1.5 and 2.0. |
| 1025 | |
Greg Hartman | a2eb7b5 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 1026 | OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 |